more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensible file-system;
authorwenzelm
Tue, 28 Aug 2012 14:37:57 +0200
changeset 48966 6e15de7dd871
parent 48965 1fead823c7c6
child 48967 389e44f9e47a
more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensitive file-system;
doc-src/ROOT
doc-src/TutorialI/Advanced/advanced.tex
doc-src/TutorialI/CTL/ctl.tex
doc-src/TutorialI/Datatype/Nested.thy
doc-src/TutorialI/Documents/documents.tex
doc-src/TutorialI/Inductive/inductive.tex
doc-src/TutorialI/Protocol/protocol.tex
doc-src/TutorialI/Recdef/document/Induction.tex
doc-src/TutorialI/Recdef/document/Nested0.tex
doc-src/TutorialI/Recdef/document/Nested1.tex
doc-src/TutorialI/Recdef/document/Nested2.tex
doc-src/TutorialI/Recdef/document/examples.tex
doc-src/TutorialI/Recdef/document/simplification.tex
doc-src/TutorialI/Recdef/document/termination.tex
doc-src/TutorialI/Rules/rules.tex
doc-src/TutorialI/Sets/sets.tex
doc-src/TutorialI/ToyList/ToyList.thy
doc-src/TutorialI/ToyList/ToyList1
doc-src/TutorialI/ToyList/ToyList2
doc-src/TutorialI/ToyList2/ToyList.thy
doc-src/TutorialI/ToyList2/ToyList1
doc-src/TutorialI/ToyList2/ToyList2
doc-src/TutorialI/Types/numerics.tex
doc-src/TutorialI/Types/types.tex
doc-src/TutorialI/appendix.tex
doc-src/TutorialI/basics.tex
doc-src/TutorialI/cl2emono-modified.sty
doc-src/TutorialI/document/AB.tex
doc-src/TutorialI/document/ABexpr.tex
doc-src/TutorialI/document/Advanced.tex
doc-src/TutorialI/document/AdvancedInd.tex
doc-src/TutorialI/document/Axioms.tex
doc-src/TutorialI/document/Base.tex
doc-src/TutorialI/document/CTL.tex
doc-src/TutorialI/document/CTLind.tex
doc-src/TutorialI/document/CodeGen.tex
doc-src/TutorialI/document/Documents.tex
doc-src/TutorialI/document/Even.tex
doc-src/TutorialI/document/Event.tex
doc-src/TutorialI/document/Fundata.tex
doc-src/TutorialI/document/Ifexpr.tex
doc-src/TutorialI/document/Isa-logics.eps
doc-src/TutorialI/document/Isa-logics.pdf
doc-src/TutorialI/document/Itrev.tex
doc-src/TutorialI/document/Message.tex
doc-src/TutorialI/document/Mutual.tex
doc-src/TutorialI/document/NS_Public.tex
doc-src/TutorialI/document/Nested.tex
doc-src/TutorialI/document/Numbers.tex
doc-src/TutorialI/document/Option2.tex
doc-src/TutorialI/document/Overloading.tex
doc-src/TutorialI/document/PDL.tex
doc-src/TutorialI/document/Pairs.tex
doc-src/TutorialI/document/Partial.tex
doc-src/TutorialI/document/Plus.tex
doc-src/TutorialI/document/Public.tex
doc-src/TutorialI/document/Records.tex
doc-src/TutorialI/document/Star.tex
doc-src/TutorialI/document/ToyList.tex
doc-src/TutorialI/document/Tree.tex
doc-src/TutorialI/document/Tree2.tex
doc-src/TutorialI/document/Trie.tex
doc-src/TutorialI/document/Typedefs.tex
doc-src/TutorialI/document/WFrec.tex
doc-src/TutorialI/document/advanced0.tex
doc-src/TutorialI/document/appendix.tex
doc-src/TutorialI/document/appendix0.tex
doc-src/TutorialI/document/basics.tex
doc-src/TutorialI/document/build
doc-src/TutorialI/document/case_exprs.tex
doc-src/TutorialI/document/cl2emono-modified.sty
doc-src/TutorialI/document/ctl0.tex
doc-src/TutorialI/document/documents0.tex
doc-src/TutorialI/document/fakenat.tex
doc-src/TutorialI/document/find2.tex
doc-src/TutorialI/document/fp.tex
doc-src/TutorialI/document/fun0.tex
doc-src/TutorialI/document/inductive0.tex
doc-src/TutorialI/document/natsum.tex
doc-src/TutorialI/document/numerics.tex
doc-src/TutorialI/document/pairs2.tex
doc-src/TutorialI/document/pghead.eps
doc-src/TutorialI/document/pghead.pdf
doc-src/TutorialI/document/preface.tex
doc-src/TutorialI/document/prime_def.tex
doc-src/TutorialI/document/protocol.tex
doc-src/TutorialI/document/root.tex
doc-src/TutorialI/document/rules.tex
doc-src/TutorialI/document/sets.tex
doc-src/TutorialI/document/simp.tex
doc-src/TutorialI/document/simp2.tex
doc-src/TutorialI/document/tutorial.sty
doc-src/TutorialI/document/typedef.pdf
doc-src/TutorialI/document/typedef.ps
doc-src/TutorialI/document/types0.tex
doc-src/TutorialI/document/unfoldnested.tex
doc-src/TutorialI/fp.tex
doc-src/TutorialI/pghead.eps
doc-src/TutorialI/pghead.pdf
doc-src/TutorialI/preface.tex
doc-src/TutorialI/tutorial.sty
doc-src/TutorialI/tutorial.tex
doc-src/gfx/Isa-logics.eps
doc-src/gfx/Isa-logics.pdf
doc-src/gfx/typedef.pdf
doc-src/gfx/typedef.ps
--- a/doc-src/ROOT	Tue Aug 28 13:15:15 2012 +0200
+++ b/doc-src/ROOT	Tue Aug 28 14:37:57 2012 +0200
@@ -278,9 +278,7 @@
     "document/root.tex"
 
 session Tutorial (doc) in "TutorialI" = HOL +
-  options [browser_info = false, document = false,
-    document_dump = document, document_dump_mode = "tex",
-    print_mode = "brackets"]
+  options [document_variants = "tutorial", print_mode = "brackets"]
   theories [thy_output_indent = 5]
     "ToyList/ToyList"
     "Ifexpr/Ifexpr"
@@ -317,7 +315,7 @@
   theories
     "Protocol/NS_Public"
     "Documents/Documents"
-  theories [document_dump = ""]
+  theories [document = ""]
     "Types/Setup"
   theories [pretty_margin = 64, thy_output_indent = 0]
     "Types/Numbers"
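Review bot: The empty string passed to `document` on the new `theories [document = ""]` line is not self-explanatory, and nothing in the hunk says why "Types/Setup" is treated differently from the theories around it. Presumably it keeps that setup theory out of the generated tutorial, as `document_dump = ""` did before; if so, a short comment above the line such as `(* Types/Setup: auxiliary theory, excluded from the document *)` would record the intent. The session block starts and ends outside this hunk.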
@@ -338,8 +336,15 @@
     "Sets/Functions"
     "Sets/Relations"
     "Sets/Recur"
+  files
+    "ToyList/ToyList1"
+    "ToyList/ToyList2"
+    "../pdfsetup.sty"
+    "../proof.sty"
+    "../ttbox.sty"
+    "../manual.bib"
+    "document/pghead.eps"
+    "document/pghead.pdf"
+    "document/build"
+    "document/root.tex"
 
-session "HOL-ToyList2" (doc) in "TutorialI/ToyList2" = HOL +
-  options [browser_info = false, document = false, print_mode = "brackets"]
-  theories ToyList
-
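Review bot: The new `files` list takes four inputs from the parent directory (`"../pdfsetup.sty"`, `"../proof.sty"`, `"../ttbox.sty"`, `"../manual.bib"`), so the Tutorial session is not self-contained under "TutorialI" and depends on files that other documents presumably share. It also declares `"document/build"`, which by its name is a script run during document preparation; anything executed as part of the build deserves the same review as the theories themselves. A comment above the list, e.g. `(* shared LaTeX styles and bibliography from doc-src; document/build drives the LaTeX run *)`, would make both dependencies explicit. The hunk also drops the "HOL-ToyList2" session, and whether the ToyList1/ToyList2 fragments are still checked as a theory elsewhere is not visible here.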
--- a/doc-src/TutorialI/Advanced/advanced.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-\chapter{Advanced Simplification and Induction}
-
-Although we have already learned a lot about simplification and
-induction, there are some advanced proof techniques that we have not covered
-yet and which are worth learning. The sections of this chapter are
-independent of each other and can be read in any order.
-
-\input{document/simp2.tex}
-
-\section{Advanced Induction Techniques}
-\label{sec:advanced-ind}
-\index{induction|(}
-\input{document/AdvancedInd.tex}
-\input{document/CTLind.tex}
-\index{induction|)}
-
-%\section{Advanced Forms of Recursion}
-%\index{recdef@\isacommand {recdef} (command)|(}
-
-%This section introduces advanced forms of
-%\isacommand{recdef}: how to establish termination by means other than measure
-%functions, how to define recursive functions over nested recursive datatypes
-%and how to deal with partial functions.
-%
-%If, after reading this section, you feel that the definition of recursive
-%functions is overly complicated by the requirement of
-%totality, you should ponder the alternatives.  In a logic of partial functions,
-%recursive definitions are always accepted.  But there are many
-%such logics, and no clear winner has emerged. And in all of these logics you
-%are (more or less frequently) required to reason about the definedness of
-%terms explicitly. Thus one shifts definedness arguments from definition time to
-%proof time. In HOL you may have to work hard to define a function, but proofs
-%can then proceed unencumbered by worries about undefinedness.
-
-%\subsection{Beyond Measure}
-%\label{sec:beyond-measure}
-%\input{document/WFrec.tex}
-%
-%\subsection{Recursion Over Nested Datatypes}
-%\label{sec:nested-recdef}
-%\input{document/Nested0.tex}
-%\input{document/Nested1.tex}
-%\input{document/Nested2.tex}
-%
-%\subsection{Partial Functions}
-%\index{functions!partial}
-%\input{document/Partial.tex}
-%
-%\index{recdef@\isacommand {recdef} (command)|)}
--- a/doc-src/TutorialI/CTL/ctl.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-\index{model checking example|(}%
-\index{lfp@{\texttt{lfp}}!applications of|see{CTL}}
-\input{document/Base.tex}
-\input{document/PDL.tex}
-\input{document/CTL.tex}
-\index{model checking example|)}
--- a/doc-src/TutorialI/Datatype/Nested.thy	Tue Aug 28 13:15:15 2012 +0200
+++ b/doc-src/TutorialI/Datatype/Nested.thy	Tue Aug 28 14:37:57 2012 +0200
@@ -30,7 +30,7 @@
 would be something like
 \medskip
 
-\input{document/unfoldnested.tex}
+\input{unfoldnested.tex}
 \medskip
 
 \noindent
--- a/doc-src/TutorialI/Documents/documents.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-
-\chapter{Presenting Theories}
-\label{ch:thy-present}
-
-By now the reader should have become sufficiently acquainted with elementary
-theory development in Isabelle/HOL\@.  The following interlude describes
-how to present theories in a typographically
-pleasing manner.  Isabelle provides a rich infrastructure for concrete syntax
-of the underlying $\lambda$-calculus language (see
-{\S}\ref{sec:concrete-syntax}), as well as document preparation of theory texts
-based on existing PDF-{\LaTeX} technology (see
-{\S}\ref{sec:document-preparation}).
-
-As pointed out by Leibniz\index{Leibniz, Gottfried Wilhelm} more than 300
-years ago, \emph{notions} are in principle more important than
-\emph{notations}, but suggestive textual representation of ideas is vital to
-reduce the mental effort to comprehend and apply them.
-
-\input{document/Documents.tex}
-
-%%% Local Variables: 
-%%% mode: latex
-%%% TeX-master: t
-%%% End: 
--- a/doc-src/TutorialI/Inductive/inductive.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,31 +0,0 @@
-\chapter{Inductively Defined Sets} \label{chap:inductive}
-\index{inductive definitions|(}
-
-This chapter is dedicated to the most important definition principle after
-recursive functions and datatypes: inductively defined sets.
-
-We start with a simple example: the set of even numbers.  A slightly more
-complicated example, the reflexive transitive closure, is the subject of
-{\S}\ref{sec:rtc}. In particular, some standard induction heuristics are
-discussed. Advanced forms of inductive definitions are discussed in
-{\S}\ref{sec:adv-ind-def}. To demonstrate the versatility of inductive
-definitions, the chapter closes with a case study from the realm of
-context-free grammars. The first two sections are required reading for anybody
-interested in mathematical modelling.
-
-\begin{warn}
-Predicates can also be defined inductively.
-See {\S}\ref{sec:ind-predicates}.
-\end{warn}
-
-\input{document/Even}
-\input{document/Mutual}
-\input{document/Star}
-
-\section{Advanced Inductive Definitions}
-\label{sec:adv-ind-def}
-\input{document/Advanced}
-
-\input{document/AB}
-
-\index{inductive definitions|)}
--- a/doc-src/TutorialI/Protocol/protocol.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,135 +0,0 @@
-\chapter{Case Study: Verifying a Security Protocol}
-\label{chap:crypto}
-
-\index{protocols!security|(}
-
-%crypto primitives 
-\def\lbb{\mathopen{\{\kern-.30em|}}
-\def\rbb{\mathclose{|\kern-.32em\}}}
-\def\comp#1{\lbb#1\rbb}
-
-Communications security is an ancient art.  Julius Caesar is said to have
-encrypted his messages, shifting each letter three places along the
-alphabet.  Mary Queen of Scots was convicted of treason after a cipher used
-in her letters was broken.  Today's postal system
-incorporates security features.  The envelope provides a degree of
-\emph{secrecy}.  The signature provides \emph{authenticity} (proof of
-origin), as do departmental stamps and letterheads.
-
-Networks are vulnerable: messages pass through many computers, any of which
-might be controlled by an adversary, who thus can capture or redirect
-messages.  People who wish to communicate securely over such a network can
-use cryptography, but if they are to understand each other, they need to
-follow a
-\emph{protocol}: a pre-arranged sequence of message formats. 
-
-Protocols can be attacked in many ways, even if encryption is unbreakable. 
-A \emph{splicing attack} involves an adversary's sending a message composed
-of parts of several old messages.  This fake message may have the correct
-format, fooling an honest party.  The adversary might be able to masquerade
-as somebody else, or he might obtain a secret key.
-
-\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
-random number. Each message that requires a reply incorporates a nonce. The
-reply must include a copy of that nonce, to prove that it is not a replay of
-a past message.  The nonce in the reply must be cryptographically
-protected, since otherwise an adversary could easily replace it by a
-different one. You should be starting to see that protocol design is
-tricky!
-
-Researchers are developing methods for proving the correctness of security
-protocols.  The Needham-Schroeder public-key
-protocol~\cite{needham-schroeder} has become a standard test case. 
-Proposed in 1978, it was found to be defective nearly two decades
-later~\cite{lowe-fdr}.  This toy protocol will be useful in demonstrating
-how to verify protocols using Isabelle.
-
-
-\section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol}
-
-\index{Needham-Schroeder protocol|(}%
-This protocol uses public-key cryptography. Each person has a private key, known only to
-himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
-encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
-matching private key, which is needed in order to decrypt Alice's message.
-
-The core of the Needham-Schroeder protocol consists of three messages:
-\begin{alignat*}{2}
-  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
-  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
-  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-First, let's understand the notation. In the first message, Alice
-sends Bob a message consisting of a nonce generated by Alice~($Na$)
-paired  with Alice's name~($A$) and encrypted using Bob's public
-key~($Kb$). In the second message, Bob sends Alice a message
-consisting of $Na$ paired with a nonce generated by Bob~($Nb$), 
-encrypted using Alice's public key~($Ka$). In the last message, Alice
-returns $Nb$ to Bob, encrypted using his public key.
-
-When Alice receives Message~2, she knows that Bob has acted on her
-message, since only he could have decrypted
-$\comp{Na,A}\sb{Kb}$ and extracted~$Na$.  That is precisely what
-nonces are for.  Similarly, message~3 assures Bob that Alice is
-active.  But the protocol was widely believed~\cite{ban89} to satisfy a
-further property: that
-$Na$ and~$Nb$ were secrets shared by Alice and Bob.  (Many
-protocols generate such shared secrets, which can be used
-to lessen the reliance on slow public-key operations.)  
-Lowe\index{Lowe, Gavin|(} found this
-claim to be false: if Alice runs the protocol with someone untrustworthy
-(Charlie say), then he can start a new run with another agent (Bob say). 
-Charlie uses Alice as an oracle, masquerading as
-Alice to Bob~\cite{lowe-fdr}.
-\begin{alignat*}{4}
-  &1.&\quad  A\to C  &: \comp{Na,A}\sb{Kc}   &&
-      \qquad 1'.&\quad  C\to B  &: \comp{Na,A}\sb{Kb} \\
-  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
-  &3.&\quad  A\to C  &: \comp{Nb}\sb{Kc}  &&
-      \qquad 3'.&\quad  C\to B  &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-In messages~1 and~3, Charlie removes the encryption using his private
-key and re-encrypts Alice's messages using Bob's public key. Bob is
-left thinking he has run the protocol with Alice, which was not
-Alice's intention, and Bob is unaware that the ``secret'' nonces are
-known to Charlie.  This is a typical man-in-the-middle attack launched
-by an insider.
-
-Whether this counts as an attack has been disputed.  In protocols of this
-type, we normally assume that the other party is honest.  To be honest
-means to obey the protocol rules, so Alice's running the protocol with
-Charlie does not make her dishonest, just careless.  After Lowe's
-attack, Alice has no grounds for complaint: this protocol does not have to
-guarantee anything if you run it with a bad person.  Bob does have
-grounds for complaint, however: the protocol tells him that he is
-communicating with Alice (who is honest) but it does not guarantee
-secrecy of the nonces.
-
-Lowe also suggested a correction, namely to include Bob's name in
-message~2:
-\begin{alignat*}{2}
-  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
-  &2.&\quad  B\to A  &: \comp{Na,Nb,B}\sb{Ka} \\
-  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-If Charlie tries the same attack, Alice will receive the message
-$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
-$\comp{Na,Nb,C}\sb{Ka}$.  She will abandon the run, and eventually so
-will Bob.  Below, we shall look at parts of this protocol's correctness
-proof. 
-
-In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
-showed how such attacks
-could be found automatically using a model checker.  An alternative,
-which we shall examine below, is to prove protocols correct.  Proofs
-can be done under more realistic assumptions because our model does
-not have to be finite.  The strategy is to formalize the operational
-semantics of the system and to prove security properties using rule
-induction.%
-\index{Needham-Schroeder protocol|)}
-
-
-\input{document/Message}
-\input{document/Event}
-\input{document/Public}
-\input{document/NS_Public}
--- a/doc-src/TutorialI/Recdef/document/Induction.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,121 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Induction}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-Assuming we have defined our function such that Isabelle could prove
-termination and that the recursion equations (or some suitable derived
-equations) are simplification rules, we might like to prove something about
-our function. Since the function is recursive, the natural proof principle is
-again induction. But this time the structural form of induction that comes
-with datatypes is unlikely to work well --- otherwise we could have defined the
-function by \isacommand{primrec}. Therefore \isacommand{recdef} automatically
-proves a suitable induction rule $f$\isa{{\isachardot}induct} that follows the
-recursion pattern of the particular function $f$. We call this
-\textbf{recursion induction}. Roughly speaking, it
-requires you to prove for each \isacommand{recdef} equation that the property
-you are trying to establish holds for the left-hand side provided it holds
-for all recursive calls on the right-hand side. Here is a simple example
-involving the predefined \isa{map} functional on lists:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isachardoublequoteopen}map\ f\ {\isacharparenleft}sep{\isacharparenleft}x{\isacharcomma}xs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep{\isacharparenleft}f\ x{\isacharcomma}\ map\ f\ xs{\isacharparenright}{\isachardoublequoteclose}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Note that \isa{map\ f\ xs}
-is the result of applying \isa{f} to all elements of \isa{xs}. We prove
-this lemma by recursion induction over \isa{sep}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}induct{\isacharunderscore}tac\ x\ xs\ rule{\isacharcolon}\ sep{\isachardot}induct{\isacharparenright}%
-\begin{isamarkuptxt}%
-\noindent
-The resulting proof state has three subgoals corresponding to the three
-clauses for \isa{sep}:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}a{\isachardot}\ map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}\isanewline
-\ {\isadigit{2}}{\isachardot}\ {\isasymAnd}a\ x{\isachardot}\ map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}\isanewline
-\ {\isadigit{3}}{\isachardot}\ {\isasymAnd}a\ x\ y\ zs{\isachardot}\isanewline
-\isaindent{\ {\isadigit{3}}{\isachardot}\ \ \ \ }map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharparenleft}y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isasymLongrightarrow}\isanewline
-\isaindent{\ {\isadigit{3}}{\isachardot}\ \ \ \ }map\ f\ {\isacharparenleft}sep\ {\isacharparenleft}a{\isacharcomma}\ x\ {\isacharhash}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ sep\ {\isacharparenleft}f\ a{\isacharcomma}\ map\ f\ {\isacharparenleft}x\ {\isacharhash}\ y\ {\isacharhash}\ zs{\isacharparenright}{\isacharparenright}%
-\end{isabelle}
-The rest is pure simplification:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp{\isacharunderscore}all\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Try proving the above lemma by structural induction, and you find that you
-need an additional case distinction. What is worse, the names of variables
-are invented by Isabelle and have nothing to do with the names in the
-definition of \isa{sep}.
-
-In general, the format of invoking recursion induction is
-\begin{quote}
-\isacommand{apply}\isa{{\isacharparenleft}induct{\isacharunderscore}tac} $x@1 \dots x@n$ \isa{rule{\isacharcolon}} $f$\isa{{\isachardot}induct{\isacharparenright}}
-\end{quote}\index{*induct_tac (method)}%
-where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
-name of a function that takes an $n$-tuple. Usually the subgoal will
-contain the term $f(x@1,\dots,x@n)$ but this need not be the case. The
-induction rules do not mention $f$ at all. Here is \isa{sep{\isachardot}induct}:
-\begin{isabelle}
-{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
-~~{\isasymAnd}a~x.~P~a~[x];\isanewline
-~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
-{\isasymLongrightarrow}~P~u~v%
-\end{isabelle}
-It merely says that in order to prove a property \isa{P} of \isa{u} and
-\isa{v} you need to prove it for the three cases where \isa{v} is the
-empty list, the singleton list, and the list with at least two elements.
-The final case has an induction hypothesis:  you may assume that \isa{P}
-holds for the tail of that list.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/Nested0.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Nested{\isadigit{0}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\index{datatypes!nested}%
-In \S\ref{sec:nested-datatype} we defined the datatype of terms%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isacharparenleft}{\isacharprime}a{\isacharcomma}{\isacharprime}b{\isacharparenright}{\isachardoublequoteopen}term{\isachardoublequoteclose}\ {\isacharequal}\ Var\ {\isacharprime}a\ {\isacharbar}\ App\ {\isacharprime}b\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a{\isacharcomma}{\isacharprime}b{\isacharparenright}term\ list{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-and closed with the observation that the associated schema for the definition
-of primitive recursive functions leads to overly verbose definitions. Moreover,
-if you have worked exercise~\ref{ex:trev-trev} you will have noticed that
-you needed to declare essentially the same function as \isa{rev}
-and prove many standard properties of list reversal all over again. 
-We will now show you how \isacommand{recdef} can simplify
-definitions and proofs about nested recursive datatypes. As an example we
-choose exercise~\ref{ex:trev-trev}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ trev\ \ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a{\isacharcomma}{\isacharprime}b{\isacharparenright}term\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a{\isacharcomma}{\isacharprime}b{\isacharparenright}term{\isachardoublequoteclose}%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/Nested1.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,75 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Nested{\isadigit{1}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-Although the definition of \isa{trev} below is quite natural, we will have
-to overcome a minor difficulty in convincing Isabelle of its termination.
-It is precisely this difficulty that is the \textit{raison d'\^etre} of
-this subsection.
-
-Defining \isa{trev} by \isacommand{recdef} rather than \isacommand{primrec}
-simplifies matters because we are now free to use the recursion equation
-suggested at the end of \S\ref{sec:nested-datatype}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{recdef}\isamarkupfalse%
-\ trev\ {\isachardoublequoteopen}measure\ size{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}trev\ {\isacharparenleft}Var\ x{\isacharparenright}\ \ \ \ {\isacharequal}\ Var\ x{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}trev\ {\isacharparenleft}App\ f\ ts{\isacharparenright}\ {\isacharequal}\ App\ f\ {\isacharparenleft}rev{\isacharparenleft}map\ trev\ ts{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-Remember that function \isa{size} is defined for each \isacommand{datatype}.
-However, the definition does not succeed. Isabelle complains about an
-unproved termination condition
-\begin{isabelle}%
-\ \ \ \ \ t\ {\isasymin}\ set\ ts\ {\isasymlongrightarrow}\ size\ t\ {\isacharless}\ Suc\ {\isacharparenleft}term{\isacharunderscore}list{\isacharunderscore}size\ ts{\isacharparenright}%
-\end{isabelle}
-where \isa{set} returns the set of elements of a list
-and \isa{term{\isacharunderscore}list{\isacharunderscore}size\ {\isacharcolon}{\isacharcolon}\ term\ list\ {\isasymRightarrow}\ nat} is an auxiliary
-function automatically defined by Isabelle
-(while processing the declaration of \isa{term}).  Why does the
-recursive call of \isa{trev} lead to this
-condition?  Because \isacommand{recdef} knows that \isa{map}
-will apply \isa{trev} only to elements of \isa{ts}. Thus the 
-condition expresses that the size of the argument \isa{t\ {\isasymin}\ set\ ts} of any
-recursive call of \isa{trev} is strictly less than \isa{size\ {\isacharparenleft}App\ f\ ts{\isacharparenright}},
-which equals \isa{Suc\ {\isacharparenleft}term{\isacharunderscore}list{\isacharunderscore}size\ ts{\isacharparenright}}.  We will now prove the termination condition and
-continue with our definition.  Below we return to the question of how
-\isacommand{recdef} knows about \isa{map}.
-
-The termination condition is easily proved by induction:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/Nested2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,152 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Nested{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-\isanewline
-%
-\endisadelimtheory
-\isacommand{lemma}\isamarkupfalse%
-\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}t\ {\isasymin}\ set\ ts\ {\isasymlongrightarrow}\ size\ t\ {\isacharless}\ Suc{\isacharparenleft}term{\isacharunderscore}list{\isacharunderscore}size\ ts{\isacharparenright}{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isacharparenleft}induct{\isacharunderscore}tac\ ts{\isacharcomma}\ auto{\isacharparenright}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-By making this theorem a simplification rule, \isacommand{recdef}
-applies it automatically and the definition of \isa{trev}
-succeeds now. As a reward for our effort, we can now prove the desired
-lemma directly.  We no longer need the verbose
-induction schema for type \isa{term} and can use the simpler one arising from
-\isa{trev}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isachardoublequoteopen}trev{\isacharparenleft}trev\ t{\isacharparenright}\ {\isacharequal}\ t{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}induct{\isacharunderscore}tac\ t\ rule{\isacharcolon}\ trev{\isachardot}induct{\isacharparenright}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ trev\ {\isacharparenleft}trev\ {\isacharparenleft}Var\ x{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ Var\ x\isanewline
-\ {\isadigit{2}}{\isachardot}\ {\isasymAnd}f\ ts{\isachardot}\isanewline
-\isaindent{\ {\isadigit{2}}{\isachardot}\ \ \ \ }{\isasymforall}x{\isachardot}\ x\ {\isasymin}\ set\ ts\ {\isasymlongrightarrow}\ trev\ {\isacharparenleft}trev\ x{\isacharparenright}\ {\isacharequal}\ x\ {\isasymLongrightarrow}\isanewline
-\isaindent{\ {\isadigit{2}}{\isachardot}\ \ \ \ }trev\ {\isacharparenleft}trev\ {\isacharparenleft}App\ f\ ts{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ App\ f\ ts%
-\end{isabelle}
-Both the base case and the induction step fall to simplification:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{by}\isamarkupfalse%
-{\isacharparenleft}simp{\isacharunderscore}all\ add{\isacharcolon}\ rev{\isacharunderscore}map\ sym{\isacharbrackleft}OF\ map{\isacharunderscore}compose{\isacharbrackright}\ cong{\isacharcolon}\ map{\isacharunderscore}cong{\isacharparenright}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-If the proof of the induction step mystifies you, we recommend that you go through
-the chain of simplification steps in detail; you will probably need the help of
-\isa{trace{\isacharunderscore}simp}. Theorem \isa{map{\isacharunderscore}cong} is discussed below.
-%\begin{quote}
-%{term[display]"trev(trev(App f ts))"}\\
-%{term[display]"App f (rev(map trev (rev(map trev ts))))"}\\
-%{term[display]"App f (map trev (rev(rev(map trev ts))))"}\\
-%{term[display]"App f (map trev (map trev ts))"}\\
-%{term[display]"App f (map (trev o trev) ts)"}\\
-%{term[display]"App f (map (%x. x) ts)"}\\
-%{term[display]"App f ts"}
-%\end{quote}
-
-The definition of \isa{trev} above is superior to the one in
-\S\ref{sec:nested-datatype} because it uses \isa{rev}
-and lets us use existing facts such as \hbox{\isa{rev\ {\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs}}.
-Thus this proof is a good example of an important principle:
-\begin{quote}
-\emph{Chose your definitions carefully\\
-because they determine the complexity of your proofs.}
-\end{quote}
-
-Let us now return to the question of how \isacommand{recdef} can come up with
-sensible termination conditions in the presence of higher-order functions
-like \isa{map}. For a start, if nothing were known about \isa{map}, then
-\isa{map\ trev\ ts} might apply \isa{trev} to arbitrary terms, and thus
-\isacommand{recdef} would try to prove the unprovable \isa{size\ t\ {\isacharless}\ Suc\ {\isacharparenleft}term{\isacharunderscore}list{\isacharunderscore}size\ ts{\isacharparenright}}, without any assumption about \isa{t}.  Therefore
-\isacommand{recdef} has been supplied with the congruence theorem
-\isa{map{\isacharunderscore}cong}:
-\begin{isabelle}%
-\ \ \ \ \ {\isasymlbrakk}xs\ {\isacharequal}\ ys{\isacharsemicolon}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ set\ ys\ {\isasymLongrightarrow}\ f\ x\ {\isacharequal}\ g\ x{\isasymrbrakk}\isanewline
-\isaindent{\ \ \ \ \ }{\isasymLongrightarrow}\ map\ f\ xs\ {\isacharequal}\ map\ g\ ys%
-\end{isabelle}
-Its second premise expresses that in \isa{map\ f\ xs},
-function \isa{f} is only applied to elements of list \isa{xs}.  Congruence
-rules for other higher-order functions on lists are similar.  If you get
-into a situation where you need to supply \isacommand{recdef} with new
-congruence rules, you can append a hint after the end of
-the recursion equations:\cmmdx{hints}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}cong{\isacharcolon}\ map{\isacharunderscore}cong{\isacharparenright}%
-\begin{isamarkuptext}%
-\noindent
-Or you can declare them globally
-by giving them the \attrdx{recdef_cong} attribute:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ map{\isacharunderscore}cong{\isacharbrackleft}recdef{\isacharunderscore}cong{\isacharbrackright}%
-\begin{isamarkuptext}%
-The \isa{cong} and \isa{recdef{\isacharunderscore}cong} attributes are
-intentionally kept apart because they control different activities, namely
-simplification and making recursive definitions.
-%The simplifier's congruence rules cannot be used by recdef.
-%For example the weak congruence rules for if and case would prevent
-%recdef from generating sensible termination conditions.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/examples.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,133 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{examples}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-Here is a simple example, the \rmindex{Fibonacci function}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ fib\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ fib\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}n{\isachardot}\ n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}fib\ {\isadigit{0}}\ {\isacharequal}\ {\isadigit{0}}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}fib\ {\isacharparenleft}Suc\ {\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ {\isadigit{1}}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}fib\ {\isacharparenleft}Suc{\isacharparenleft}Suc\ x{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ fib\ x\ {\isacharplus}\ fib\ {\isacharparenleft}Suc\ x{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-\index{measure functions}%
-The definition of \isa{fib} is accompanied by a \textbf{measure function}
-\isa{{\isasymlambda}n{\isachardot}\ n} which maps the argument of \isa{fib} to a
-natural number. The requirement is that in each equation the measure of the
-argument on the left-hand side is strictly greater than the measure of the
-argument of each recursive call. In the case of \isa{fib} this is
-obviously true because the measure function is the identity and
-\isa{Suc\ {\isacharparenleft}Suc\ x{\isacharparenright}} is strictly greater than both \isa{x} and
-\isa{Suc\ x}.
-
-Slightly more interesting is the insertion of a fixed element
-between any two elements of a list:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ sep\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ sep\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}a{\isacharcomma}xs{\isacharparenright}{\isachardot}\ length\ xs{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}\ \ \ \ {\isacharequal}\ {\isacharbrackleft}x{\isacharbrackright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isacharparenleft}a{\isacharcomma}\ x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ x\ {\isacharhash}\ a\ {\isacharhash}\ sep{\isacharparenleft}a{\isacharcomma}y{\isacharhash}zs{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-This time the measure is the length of the list, which decreases with the
-recursive call; the first component of the argument tuple is irrelevant.
-The details of tupled $\lambda$-abstractions \isa{{\isasymlambda}{\isacharparenleft}x\isactrlsub {\isadigit{1}}{\isacharcomma}{\isasymdots}{\isacharcomma}x\isactrlsub n{\isacharparenright}} are
-explained in \S\ref{sec:products}, but for now your intuition is all you need.
-
-Pattern matching\index{pattern matching!and \isacommand{recdef}}
-need not be exhaustive:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ last\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ last\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}xs{\isachardot}\ length\ xs{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}last\ {\isacharbrackleft}x{\isacharbrackright}\ \ \ \ \ \ {\isacharequal}\ x{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}last\ {\isacharparenleft}x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ last\ {\isacharparenleft}y{\isacharhash}zs{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-Overlapping patterns are disambiguated by taking the order of equations into
-account, just as in functional programming:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ sep{\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ sep{\isadigit{1}}\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}a{\isacharcomma}xs{\isacharparenright}{\isachardot}\ length\ xs{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isadigit{1}}{\isacharparenleft}a{\isacharcomma}\ x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ x\ {\isacharhash}\ a\ {\isacharhash}\ sep{\isadigit{1}}{\isacharparenleft}a{\isacharcomma}y{\isacharhash}zs{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isadigit{1}}{\isacharparenleft}a{\isacharcomma}\ xs{\isacharparenright}\ \ \ \ \ {\isacharequal}\ xs{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-To guarantee that the second equation can only be applied if the first
-one does not match, Isabelle internally replaces the second equation
-by the two possibilities that are left: \isa{sep{\isadigit{1}}\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}{\isacharbrackright}{\isacharparenright}\ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}} and
-\isa{sep{\isadigit{1}}\ {\isacharparenleft}a{\isacharcomma}\ {\isacharbrackleft}x{\isacharbrackright}{\isacharparenright}\ {\isacharequal}\ {\isacharbrackleft}x{\isacharbrackright}}.  Thus the functions \isa{sep} and
-\isa{sep{\isadigit{1}}} are identical.
-
-\begin{warn}
-  \isacommand{recdef} only takes the first argument of a (curried)
-  recursive function into account. This means both the termination measure
-  and pattern matching can only use that first argument. In general, you will
-  therefore have to combine several arguments into a tuple. In case only one
-  argument is relevant for termination, you can also rearrange the order of
-  arguments as in the following definition:
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ sep{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ sep{\isadigit{2}}\ {\isachardoublequoteopen}measure\ length{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isadigit{2}}\ {\isacharparenleft}x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}{\isasymlambda}a{\isachardot}\ x\ {\isacharhash}\ a\ {\isacharhash}\ sep{\isadigit{2}}\ {\isacharparenleft}y{\isacharhash}zs{\isacharparenright}\ a{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}sep{\isadigit{2}}\ xs\ \ \ \ \ \ \ {\isacharequal}\ {\isacharparenleft}{\isasymlambda}a{\isachardot}\ xs{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-Because of its pattern-matching syntax, \isacommand{recdef} is also useful
-for the definition of non-recursive functions, where the termination measure
-degenerates to the empty set \isa{{\isacharbraceleft}{\isacharbraceright}}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ swap{\isadigit{1}}{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a\ list{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ swap{\isadigit{1}}{\isadigit{2}}\ {\isachardoublequoteopen}{\isacharbraceleft}{\isacharbraceright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}swap{\isadigit{1}}{\isadigit{2}}\ {\isacharparenleft}x{\isacharhash}y{\isacharhash}zs{\isacharparenright}\ {\isacharequal}\ y{\isacharhash}x{\isacharhash}zs{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}swap{\isadigit{1}}{\isadigit{2}}\ zs\ \ \ \ \ \ \ {\isacharequal}\ zs{\isachardoublequoteclose}\isanewline
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/simplification.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,171 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{simplification}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-Once we have proved all the termination conditions, the \isacommand{recdef} 
-recursion equations become simplification rules, just as with
-\isacommand{primrec}. In most cases this works fine, but there is a subtle
-problem that must be mentioned: simplification may not
-terminate because of automatic splitting of \isa{if}.
-\index{*if expressions!splitting of}
-Let us look at an example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ gcd\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ gcd\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}gcd\ {\isacharparenleft}m{\isacharcomma}\ n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ n{\isacharequal}{\isadigit{0}}\ then\ m\ else\ gcd{\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-According to the measure function, the second argument should decrease with
-each recursive call. The resulting termination condition
-\begin{isabelle}%
-\ \ \ \ \ n\ {\isasymnoteq}\ {\isadigit{0}}\ {\isasymLongrightarrow}\ m\ mod\ n\ {\isacharless}\ n%
-\end{isabelle}
-is proved automatically because it is already present as a lemma in
-HOL\@.  Thus the recursion equation becomes a simplification
-rule. Of course the equation is nonterminating if we are allowed to unfold
-the recursive call inside the \isa{else} branch, which is why programming
-languages and our simplifier don't do that. Unfortunately the simplifier does
-something else that leads to the same problem: it splits 
-each \isa{if}-expression unless its
-condition simplifies to \isa{True} or \isa{False}.  For
-example, simplification reduces
-\begin{isabelle}%
-\ \ \ \ \ gcd\ {\isacharparenleft}m{\isacharcomma}\ n{\isacharparenright}\ {\isacharequal}\ k%
-\end{isabelle}
-in one step to
-\begin{isabelle}%
-\ \ \ \ \ {\isacharparenleft}if\ n\ {\isacharequal}\ {\isadigit{0}}\ then\ m\ else\ gcd\ {\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ k%
-\end{isabelle}
-where the condition cannot be reduced further, and splitting leads to
-\begin{isabelle}%
-\ \ \ \ \ {\isacharparenleft}n\ {\isacharequal}\ {\isadigit{0}}\ {\isasymlongrightarrow}\ m\ {\isacharequal}\ k{\isacharparenright}\ {\isasymand}\ {\isacharparenleft}n\ {\isasymnoteq}\ {\isadigit{0}}\ {\isasymlongrightarrow}\ gcd\ {\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}\ {\isacharequal}\ k{\isacharparenright}%
-\end{isabelle}
-Since the recursive call \isa{gcd\ {\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}} is no longer protected by
-an \isa{if}, it is unfolded again, which leads to an infinite chain of
-simplification steps. Fortunately, this problem can be avoided in many
-different ways.
-
-The most radical solution is to disable the offending theorem
-\isa{split{\isacharunderscore}if},
-as shown in \S\ref{sec:AutoCaseSplits}.  However, we do not recommend this
-approach: you will often have to invoke the rule explicitly when
-\isa{if} is involved.
-
-If possible, the definition should be given by pattern matching on the left
-rather than \isa{if} on the right. In the case of \isa{gcd} the
-following alternative definition suggests itself:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ gcd{\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ gcd{\isadigit{1}}\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}gcd{\isadigit{1}}\ {\isacharparenleft}m{\isacharcomma}\ {\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ m{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}gcd{\isadigit{1}}\ {\isacharparenleft}m{\isacharcomma}\ n{\isacharparenright}\ {\isacharequal}\ gcd{\isadigit{1}}{\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-The order of equations is important: it hides the side condition
-\isa{n\ {\isasymnoteq}\ {\isadigit{0}}}.  Unfortunately, in general the case distinction
-may not be expressible by pattern matching.
-
-A simple alternative is to replace \isa{if} by \isa{case}, 
-which is also available for \isa{bool} and is not split automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ gcd{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ gcd{\isadigit{2}}\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}gcd{\isadigit{2}}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}case\ n{\isacharequal}{\isadigit{0}}\ of\ True\ {\isasymRightarrow}\ m\ {\isacharbar}\ False\ {\isasymRightarrow}\ gcd{\isadigit{2}}{\isacharparenleft}n{\isacharcomma}m\ mod\ n{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-This is probably the neatest solution next to pattern matching, and it is
-always available.
-
-A final alternative is to replace the offending simplification rules by
-derived conditional ones. For \isa{gcd} it means we have to prove
-these lemmas:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}gcd\ {\isacharparenleft}m{\isacharcomma}\ {\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ m{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}simp{\isacharparenright}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\ {\isachardoublequoteopen}n\ {\isasymnoteq}\ {\isadigit{0}}\ {\isasymLongrightarrow}\ gcd{\isacharparenleft}m{\isacharcomma}\ n{\isacharparenright}\ {\isacharequal}\ gcd{\isacharparenleft}n{\isacharcomma}\ m\ mod\ n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}simp{\isacharparenright}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Simplification terminates for these proofs because the condition of the \isa{if} simplifies to \isa{True} or \isa{False}.
-Now we can disable the original simplification rule:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ gcd{\isachardot}simps\ {\isacharbrackleft}simp\ del{\isacharbrackright}\isanewline
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Recdef/document/termination.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,121 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{termination}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-When a function~$f$ is defined via \isacommand{recdef}, Isabelle tries to prove
-its termination with the help of the user-supplied measure.  Each of the examples
-above is simple enough that Isabelle can automatically prove that the
-argument's measure decreases in each recursive call. As a result,
-$f$\isa{{\isachardot}simps} will contain the defining equations (or variants derived
-from them) as theorems. For example, look (via \isacommand{thm}) at
-\isa{sep{\isachardot}simps} and \isa{sep{\isadigit{1}}{\isachardot}simps} to see that they define
-the same function. What is more, those equations are automatically declared as
-simplification rules.
-
-Isabelle may fail to prove the termination condition for some
-recursive call.  Let us try to define Quicksort:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ qs\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ list\ {\isasymRightarrow}\ nat\ list{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ qs\ {\isachardoublequoteopen}measure\ length{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}qs\ {\isacharbrackleft}{\isacharbrackright}\ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}qs{\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ {\isacharequal}\ qs{\isacharparenleft}filter\ {\isacharparenleft}{\isasymlambda}y{\isachardot}\ y{\isasymle}x{\isacharparenright}\ xs{\isacharparenright}\ {\isacharat}\ {\isacharbrackleft}x{\isacharbrackright}\ {\isacharat}\ qs{\isacharparenleft}filter\ {\isacharparenleft}{\isasymlambda}y{\isachardot}\ x{\isacharless}y{\isacharparenright}\ xs{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent where \isa{filter} is predefined and \isa{filter\ P\ xs}
-is the list of elements of \isa{xs} satisfying \isa{P}.
-This definition of \isa{qs} fails, and Isabelle prints an error message
-showing you what it was unable to prove:
-\begin{isabelle}%
-\ \ \ \ \ length\ {\isacharparenleft}filter\ {\isachardot}{\isachardot}{\isachardot}\ xs{\isacharparenright}\ {\isacharless}\ Suc\ {\isacharparenleft}length\ xs{\isacharparenright}%
-\end{isabelle}
-We can either prove this as a separate lemma, or try to figure out which
-existing lemmas may help. We opt for the second alternative. The theory of
-lists contains the simplification rule \isa{length\ {\isacharparenleft}filter\ P\ xs{\isacharparenright}\ {\isasymle}\ length\ xs},
-which is what we need, provided we turn \mbox{\isa{{\isacharless}\ Suc}}
-into
-\isa{{\isasymle}} so that the rule applies. Lemma
-\isa{less{\isacharunderscore}Suc{\isacharunderscore}eq{\isacharunderscore}le} does just that: \isa{{\isacharparenleft}m\ {\isacharless}\ Suc\ n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}m\ {\isasymle}\ n{\isacharparenright}}.
-
-Now we retry the above definition but supply the lemma(s) just found (or
-proved). Because \isacommand{recdef}'s termination prover involves
-simplification, we include in our second attempt a hint: the
-\attrdx{recdef_simp} attribute says to use \isa{less{\isacharunderscore}Suc{\isacharunderscore}eq{\isacharunderscore}le} as a
-simplification rule.\cmmdx{hints}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{recdef}\isamarkupfalse%
-\ qs\ {\isachardoublequoteopen}measure\ length{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}qs\ {\isacharbrackleft}{\isacharbrackright}\ {\isacharequal}\ {\isacharbrackleft}{\isacharbrackright}{\isachardoublequoteclose}\isanewline
-\ {\isachardoublequoteopen}qs{\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ {\isacharequal}\ qs{\isacharparenleft}filter\ {\isacharparenleft}{\isasymlambda}y{\isachardot}\ y{\isasymle}x{\isacharparenright}\ xs{\isacharparenright}\ {\isacharat}\ {\isacharbrackleft}x{\isacharbrackright}\ {\isacharat}\ qs{\isacharparenleft}filter\ {\isacharparenleft}{\isasymlambda}y{\isachardot}\ x{\isacharless}y{\isacharparenright}\ xs{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}simp{\isacharcolon}\ less{\isacharunderscore}Suc{\isacharunderscore}eq{\isacharunderscore}le{\isacharparenright}%
-\begin{isamarkuptext}%
-\noindent
-This time everything works fine. Now \isa{qs{\isachardot}simps} contains precisely
-the stated recursion equations for \isa{qs} and they have become
-simplification rules.
-Thus we can automatically prove results such as this one:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isachardoublequoteopen}qs{\isacharbrackleft}{\isadigit{2}}{\isacharcomma}{\isadigit{3}}{\isacharcomma}{\isadigit{0}}{\isacharbrackright}\ {\isacharequal}\ qs{\isacharbrackleft}{\isadigit{3}}{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{2}}{\isacharbrackright}{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}simp{\isacharparenright}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-More exciting theorems require induction, which is discussed below.
-
-If the termination proof requires a lemma that is of general use, you can
-turn it permanently into a simplification rule, in which case the above
-\isacommand{hint} is not necessary. But in the case of
-\isa{less{\isacharunderscore}Suc{\isacharunderscore}eq{\isacharunderscore}le} this would be of dubious value.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/Rules/rules.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,2641 +0,0 @@
-%!TEX root = ../tutorial.tex
-\chapter{The Rules of the Game}
-\label{chap:rules}
- 
-This chapter outlines the concepts and techniques that underlie reasoning
-in Isabelle.  Until now, we have proved everything using only induction and
-simplification, but any serious verification project requires more elaborate
-forms of inference.  The chapter also introduces the fundamentals of
-predicate logic.  The first examples in this chapter will consist of
-detailed, low-level proof steps.  Later, we shall see how to automate such
-reasoning using the methods
-\isa{blast},
-\isa{auto} and others.  Backward or goal-directed proof is our usual style,
-but the chapter also introduces forward reasoning, where one theorem is
-transformed to yield another.
-
-\section{Natural Deduction}
-
-\index{natural deduction|(}%
-In Isabelle, proofs are constructed using inference rules. The 
-most familiar inference rule is probably \emph{modus ponens}:%
-\index{modus ponens@\emph{modus ponens}} 
-\[ \infer{Q}{P\imp Q & P} \]
-This rule says that from $P\imp Q$ and $P$ we may infer~$Q$.  
-
-\textbf{Natural deduction} is an attempt to formalize logic in a way 
-that mirrors human reasoning patterns. 
-For each logical symbol (say, $\conj$), there 
-are two kinds of rules: \textbf{introduction} and \textbf{elimination} rules. 
-The introduction rules allow us to infer this symbol (say, to 
-infer conjunctions). The elimination rules allow us to deduce 
-consequences from this symbol. Ideally each rule should mention 
-one symbol only.  For predicate logic this can be 
-done, but when users define their own concepts they typically 
-have to refer to other symbols as well.  It is best not to be dogmatic.
-
-Natural deduction generally deserves its name.  It is easy to use.  Each
-proof step consists of identifying the outermost symbol of a formula and
-applying the corresponding rule.  It creates new subgoals in
-an obvious way from parts of the chosen formula.  Expanding the
-definitions of constants can blow up the goal enormously.  Deriving natural
-deduction rules for such constants lets us reason in terms of their key
-properties, which might otherwise be obscured by the technicalities of its
-definition.  Natural deduction rules also lend themselves to automation.
-Isabelle's
-\textbf{classical reasoner} accepts any suitable  collection of natural deduction
-rules and uses them to search for proofs automatically.  Isabelle is designed around
-natural deduction and many of its tools use the terminology of introduction
-and elimination rules.%
-\index{natural deduction|)}
-
-
-\section{Introduction Rules}
-
-\index{introduction rules|(}%
-An introduction rule tells us when we can infer a formula 
-containing a specific logical symbol. For example, the conjunction 
-introduction rule says that if we have $P$ and if we have $Q$ then 
-we have $P\conj Q$. In a mathematics text, it is typically shown 
-like this:
-\[  \infer{P\conj Q}{P & Q} \]
-The rule introduces the conjunction
-symbol~($\conj$) in its conclusion.  In Isabelle proofs we
-mainly  reason backwards.  When we apply this rule, the subgoal already has
-the form of a conjunction; the proof step makes this conjunction symbol
-disappear. 
-
-In Isabelle notation, the rule looks like this:
-\begin{isabelle}
-\isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P\ \isasymand\ ?Q\rulenamedx{conjI}
-\end{isabelle}
-Carefully examine the syntax.  The premises appear to the
-left of the arrow and the conclusion to the right.  The premises (if 
-more than one) are grouped using the fat brackets.  The question marks
-indicate \textbf{schematic variables} (also called
-\textbf{unknowns}):\index{unknowns|bold} they may
-be replaced by arbitrary formulas.  If we use the rule backwards, Isabelle
-tries to unify the current subgoal with the conclusion of the rule, which
-has the form \isa{?P\ \isasymand\ ?Q}.  (Unification is discussed below,
-{\S}\ref{sec:unification}.)  If successful,
-it yields new subgoals given by the formulas assigned to 
-\isa{?P} and \isa{?Q}.
-
-The following trivial proof illustrates how rules work.  It also introduces a
-style of indentation.  If a command adds a new subgoal, then the next
-command's indentation is increased by one space; if it proves a subgoal, then
-the indentation is reduced.  This provides the reader with hints about the
-subgoal structure.
-\begin{isabelle}
-\isacommand{lemma}\ conj_rule:\ "\isasymlbrakk P;\
-Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\
-(Q\ \isasymand\ P)"\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-At the start, Isabelle presents 
-us with the assumptions (\isa{P} and~\isa{Q}) and with the goal to be proved,
-\isa{P\ \isasymand\
-(Q\ \isasymand\ P)}.  We are working backwards, so when we
-apply conjunction introduction, the rule removes the outermost occurrence
-of the \isa{\isasymand} symbol.  To apply a  rule to a subgoal, we apply
-the proof method \isa{rule} --- here with \isa{conjI}, the  conjunction
-introduction rule. 
-\begin{isabelle}
-%\isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\ Q\
-%\isasymand\ P\isanewline
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\ \isasymand\ P
-\end{isabelle}
-Isabelle leaves two new subgoals: the two halves of the original conjunction. 
-The first is simply \isa{P}, which is trivial, since \isa{P} is among 
-the assumptions.  We can apply the \methdx{assumption} 
-method, which proves a subgoal by finding a matching assumption.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ 
-Q\ \isasymand\ P
-\end{isabelle}
-We are left with the subgoal of proving  
-\isa{Q\ \isasymand\ P} from the assumptions \isa{P} and~\isa{Q}.  We apply
-\isa{rule conjI} again. 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P
-\end{isabelle}
-We are left with two new subgoals, \isa{Q} and~\isa{P}, each of which can be proved
-using the \isa{assumption} method.%
-\index{introduction rules|)}
-
-
-\section{Elimination Rules}
-
-\index{elimination rules|(}%
-Elimination rules work in the opposite direction from introduction 
-rules. In the case of conjunction, there are two such rules. 
-From $P\conj Q$ we infer $P$. also, from $P\conj Q$  
-we infer $Q$:
-\[ \infer{P}{P\conj Q} \qquad \infer{Q}{P\conj Q}  \]
-
-Now consider disjunction. There are two introduction rules, which resemble inverted forms of the
-conjunction elimination rules:
-\[ \infer{P\disj Q}{P} \qquad \infer{P\disj Q}{Q}  \]
-
-What is the disjunction elimination rule?  The situation is rather different from 
-conjunction.  From $P\disj Q$ we cannot conclude  that $P$ is true and we
-cannot conclude that $Q$ is true; there are no direct
-elimination rules of the sort that we have seen for conjunction.  Instead,
-there is an elimination  rule that works indirectly.  If we are trying  to prove
-something else, say $R$, and we know that $P\disj Q$ holds,  then we have to consider
-two cases.  We can assume that $P$ is true  and prove $R$ and then assume that $Q$ is
-true and prove $R$ a second  time.  Here we see a fundamental concept used in natural
-deduction:  that of the \textbf{assumptions}. We have to prove $R$ twice, under
-different assumptions.  The assumptions are local to these subproofs and are visible 
-nowhere else. 
-
-In a logic text, the disjunction elimination rule might be shown 
-like this:
-\[ \infer{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}} \]
-The assumptions $[P]$ and $[Q]$ are bracketed 
-to emphasize that they are local to their subproofs.  In Isabelle 
-notation, the already-familiar \isa{\isasymLongrightarrow} syntax serves the
-same  purpose:
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymor\ ?Q;\ ?P\ \isasymLongrightarrow\ ?R;\ ?Q\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{disjE}
-\end{isabelle}
-When we use this sort of elimination rule backwards, it produces 
-a case split.  (We have seen this before, in proofs by induction.)  The following  proof
-illustrates the use of disjunction elimination.  
-\begin{isabelle}
-\isacommand{lemma}\ disj_swap:\ "P\ \isasymor\ Q\ 
-\isasymLongrightarrow\ Q\ \isasymor\ P"\isanewline
-\isacommand{apply}\ (erule\ disjE)\isanewline
-\ \isacommand{apply}\ (rule\ disjI2)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (rule\ disjI1)\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-We assume \isa{P\ \isasymor\ Q} and
-must prove \isa{Q\ \isasymor\ P}\@.  Our first step uses the disjunction
-elimination rule, \isa{disjE}\@.  We invoke it using \methdx{erule}, a
-method designed to work with elimination rules.  It looks for an assumption that
-matches the rule's first premise.  It deletes the matching assumption,
-regards the first premise as proved and returns subgoals corresponding to
-the remaining premises.  When we apply \isa{erule} to \isa{disjE}, only two
-subgoals result.  This is better than applying it using \isa{rule}
-to get three subgoals, then proving the first by assumption: the other
-subgoals would have the redundant assumption 
-\hbox{\isa{P\ \isasymor\ Q}}.
-Most of the time, \isa{erule} is  the best way to use elimination rules, since it
-replaces an assumption by its subformulas; only rarely does the original
-assumption remain useful.
-
-\begin{isabelle}
-%P\ \isasymor\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
-\ 1.\ P\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-These are the two subgoals returned by \isa{erule}.  The first assumes
-\isa{P} and the  second assumes \isa{Q}.  Tackling the first subgoal, we
-need to  show \isa{Q\ \isasymor\ P}\@.  The second introduction rule
-(\isa{disjI2}) can reduce this  to \isa{P}, which matches the assumption.
-So, we apply the
-\isa{rule}  method with \isa{disjI2} \ldots
-\begin{isabelle}
-\ 1.\ P\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-\ldots and finish off with the \isa{assumption} 
-method.  We are left with the other subgoal, which 
-assumes \isa{Q}.  
-\begin{isabelle}
-\ 1.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-Its proof is similar, using the introduction 
-rule \isa{disjI1}. 
-
-The result of this proof is a new inference rule \isa{disj_swap}, which is neither 
-an introduction nor an elimination rule, but which might 
-be useful.  We can use it to replace any goal of the form $Q\disj P$
-by one of the form $P\disj Q$.%
-\index{elimination rules|)}
-
-
-\section{Destruction Rules: Some Examples}
-
-\index{destruction rules|(}%
-Now let us examine the analogous proof for conjunction. 
-\begin{isabelle}
-\isacommand{lemma}\ conj_swap:\ "P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P"\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ (drule\ conjunct2)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (drule\ conjunct1)\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-Recall that the conjunction elimination rules --- whose Isabelle names are 
-\isa{conjunct1} and \isa{conjunct2} --- simply return the first or second half
-of a conjunction.  Rules of this sort (where the conclusion is a subformula of a
-premise) are called \textbf{destruction} rules because they take apart and destroy
-a premise.%
-\footnote{This Isabelle terminology has no counterpart in standard logic texts, 
-although the distinction between the two forms of elimination rule is well known. 
-Girard \cite[page 74]{girard89},\index{Girard, Jean-Yves|fnote}
-for example, writes ``The elimination rules 
-[for $\disj$ and $\exists$] are very
-bad.  What is catastrophic about them is the parasitic presence of a formula [$R$]
-which has no structural link with the formula which is eliminated.''}
-
-The first proof step applies conjunction introduction, leaving 
-two subgoals: 
-\begin{isabelle}
-%P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P\isanewline
-\ 1.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
-\end{isabelle}
-
-To invoke the elimination rule, we apply a new method, \isa{drule}. 
-Think of the \isa{d} as standing for \textbf{destruction} (or \textbf{direct}, if
-you prefer).   Applying the 
-second conjunction rule using \isa{drule} replaces the assumption 
-\isa{P\ \isasymand\ Q} by \isa{Q}. 
-\begin{isabelle}
-\ 1.\ Q\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
-\end{isabelle}
-The resulting subgoal can be proved by applying \isa{assumption}.
-The other subgoal is similarly proved, using the \isa{conjunct1} rule and the 
-\isa{assumption} method.
-
-Choosing among the methods \isa{rule}, \isa{erule} and \isa{drule} is up to 
-you.  Isabelle does not attempt to work out whether a rule 
-is an introduction rule or an elimination rule.  The 
-method determines how the rule will be interpreted. Many rules 
-can be used in more than one way.  For example, \isa{disj_swap} can 
-be applied to assumptions as well as to goals; it replaces any
-assumption of the form
-$P\disj Q$ by a one of the form $Q\disj P$.
-
-Destruction rules are simpler in form than indirect rules such as \isa{disjE},
-but they can be inconvenient.  Each of the conjunction rules discards half 
-of the formula, when usually we want to take both parts of the conjunction as new
-assumptions.  The easiest way to do so is by using an 
-alternative conjunction elimination rule that resembles \isa{disjE}\@.  It is
-seldom, if ever, seen in logic books.  In Isabelle syntax it looks like this: 
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymand\ ?Q;\ \isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{conjE}
-\end{isabelle}
-\index{destruction rules|)}
-
-\begin{exercise}
-Use the rule \isa{conjE} to shorten the proof above. 
-\end{exercise}
-
-
-\section{Implication}
-
-\index{implication|(}%
-At the start of this chapter, we saw the rule \emph{modus ponens}.  It is, in fact,
-a destruction rule. The matching introduction rule looks like this 
-in Isabelle: 
-\begin{isabelle}
-(?P\ \isasymLongrightarrow\ ?Q)\ \isasymLongrightarrow\ ?P\
-\isasymlongrightarrow\ ?Q\rulenamedx{impI}
-\end{isabelle}
-And this is \emph{modus ponens}\index{modus ponens@\emph{modus ponens}}:
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymlongrightarrow\ ?Q;\ ?P\isasymrbrakk\
-\isasymLongrightarrow\ ?Q
-\rulenamedx{mp}
-\end{isabelle}
-
-Here is a proof using the implication rules.  This 
-lemma performs a sort of uncurrying, replacing the two antecedents 
-of a nested implication by a conjunction.  The proof illustrates
-how assumptions work.  At each proof step, the subgoals inherit the previous
-assumptions, perhaps with additions or deletions.  Rules such as
-\isa{impI} and \isa{disjE} add assumptions, while applying \isa{erule} or
-\isa{drule} deletes the matching assumption.
-\begin{isabelle}
-\isacommand{lemma}\ imp_uncurry:\
-"P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
-\isasymand\ Q\ \isasymlongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \ \isacommand{apply}\ assumption\isanewline
-\ \isacommand{apply}\ assumption
-\end{isabelle}
-First, we state the lemma and apply implication introduction (\isa{rule impI}), 
-which moves the conjunction to the assumptions. 
-\begin{isabelle}
-%P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R\ \isasymLongrightarrow\ P\
-%\isasymand\ Q\ \isasymlongrightarrow\ R\isanewline
-\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P\ \isasymand\ Q\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Next, we apply conjunction elimination (\isa{erule conjE}), which splits this
-conjunction into two  parts. 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P;\
-Q\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Now, we work on the assumption \isa{P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)}, where the parentheses have been inserted for
-clarity.  The nested implication requires two applications of
-\textit{modus ponens}: \isa{drule mp}.  The first use  yields the
-implication \isa{Q\
-\isasymlongrightarrow\ R}, but first we must prove the extra subgoal 
-\isa{P}, which we do by assumption. 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Repeating these steps for \isa{Q\
-\isasymlongrightarrow\ R} yields the conclusion we seek, namely~\isa{R}.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\
-\isasymLongrightarrow\ R
-\end{isabelle}
-
-The symbols \isa{\isasymLongrightarrow} and \isa{\isasymlongrightarrow}
-both stand for implication, but they differ in many respects.  Isabelle
-uses \isa{\isasymLongrightarrow} to express inference rules; the symbol is
-built-in and Isabelle's inference mechanisms treat it specially.  On the
-other hand, \isa{\isasymlongrightarrow} is just one of the many connectives
-available in higher-order logic.  We reason about it using inference rules
-such as \isa{impI} and \isa{mp}, just as we reason about the other
-connectives.  You will have to use \isa{\isasymlongrightarrow} in any
-context that requires a formula of higher-order logic.  Use
-\isa{\isasymLongrightarrow} to separate a theorem's preconditions from its
-conclusion.%
-\index{implication|)}
-
-\medskip
-\index{by@\isacommand{by} (command)|(}%
-The \isacommand{by} command is useful for proofs like these that use
-\isa{assumption} heavily.  It executes an
-\isacommand{apply} command, then tries to prove all remaining subgoals using
-\isa{assumption}.  Since (if successful) it ends the proof, it also replaces the 
-\isacommand{done} symbol.  For example, the proof above can be shortened:
-\begin{isabelle}
-\isacommand{lemma}\ imp_uncurry:\
-"P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
-\isasymand\ Q\ \isasymlongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-We could use \isacommand{by} to replace the final \isacommand{apply} and
-\isacommand{done} in any proof, but typically we use it
-to eliminate calls to \isa{assumption}.  It is also a nice way of expressing a
-one-line proof.%
-\index{by@\isacommand{by} (command)|)}
-
-
-
-\section{Negation}
- 
-\index{negation|(}%
-Negation causes surprising complexity in proofs.  Its natural 
-deduction rules are straightforward, but additional rules seem 
-necessary in order to handle negated assumptions gracefully.  This section
-also illustrates the \isa{intro} method: a convenient way of
-applying introduction rules.
-
-Negation introduction deduces $\lnot P$ if assuming $P$ leads to a 
-contradiction. Negation elimination deduces any formula in the 
-presence of $\lnot P$ together with~$P$: 
-\begin{isabelle}
-(?P\ \isasymLongrightarrow\ False)\ \isasymLongrightarrow\ \isasymnot\ ?P%
-\rulenamedx{notI}\isanewline
-\isasymlbrakk{\isasymnot}\ ?P;\ ?P\isasymrbrakk\ \isasymLongrightarrow\ ?R%
-\rulenamedx{notE}
-\end{isabelle}
-%
-Classical logic allows us to assume $\lnot P$ 
-when attempting to prove~$P$: 
-\begin{isabelle}
-(\isasymnot\ ?P\ \isasymLongrightarrow\ ?P)\ \isasymLongrightarrow\ ?P%
-\rulenamedx{classical}
-\end{isabelle}
-
-\index{contrapositives|(}%
-The implications $P\imp Q$ and $\lnot Q\imp\lnot P$ are logically
-equivalent, and each is called the
-\textbf{contrapositive} of the other.  Four further rules support
-reasoning about contrapositives.  They differ in the placement of the
-negation symbols: 
-\begin{isabelle}
-\isasymlbrakk?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulename{contrapos_pp}\isanewline
-\isasymlbrakk?Q;\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\
-\isasymnot\ ?P%
-\rulename{contrapos_pn}\isanewline
-\isasymlbrakk{\isasymnot}\ ?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulename{contrapos_np}\isanewline
-\isasymlbrakk{\isasymnot}\ ?Q;\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ \isasymnot\ ?P%
-\rulename{contrapos_nn}
-\end{isabelle}
-%
-These rules are typically applied using the \isa{erule} method, where 
-their effect is to form a contrapositive from an 
-assumption and the goal's conclusion.%
-\index{contrapositives|)}
-
-The most important of these is \isa{contrapos_np}.  It is useful
-for applying introduction rules to negated assumptions.  For instance, 
-the assumption $\lnot(P\imp Q)$ is equivalent to the conclusion $P\imp Q$ and we 
-might want to use conjunction introduction on it. 
-Before we can do so, we must move that assumption so that it 
-becomes the conclusion. The following proof demonstrates this 
-technique: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk{\isasymnot}(P{\isasymlongrightarrow}Q);\
-\isasymnot(R{\isasymlongrightarrow}Q)\isasymrbrakk\ \isasymLongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (erule_tac\ Q = "R{\isasymlongrightarrow}Q"\ \isakeyword{in}\
-contrapos_np)\isanewline
-\isacommand{apply}\ (intro\ impI)\isanewline
-\isacommand{by}\ (erule\ notE)
-\end{isabelle}
-%
-There are two negated assumptions and we need to exchange the conclusion with the
-second one.  The method \isa{erule contrapos_np} would select the first assumption,
-which we do not want.  So we specify the desired assumption explicitly
-using a new method, \isa{erule_tac}.  This is the resulting subgoal: 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\
-R\isasymrbrakk\ \isasymLongrightarrow\ R\ \isasymlongrightarrow\ Q%
-\end{isabelle}
-The former conclusion, namely \isa{R}, now appears negated among the assumptions,
-while the negated formula \isa{R\ \isasymlongrightarrow\ Q} becomes the new
-conclusion.
-
-We can now apply introduction rules.  We use the \methdx{intro} method, which
-repeatedly applies the given introduction rules.  Here its effect is equivalent
-to \isa{rule impI}.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\ R;\
-R\isasymrbrakk\ \isasymLongrightarrow\ Q%
-\end{isabelle}
-We can see a contradiction in the form of assumptions \isa{\isasymnot\ R}
-and~\isa{R}, which suggests using negation elimination.  If applied on its own,
-\isa{notE} will select the first negated assumption, which is useless.  
-Instead, we invoke the rule using the
-\isa{by} command.
-Now when Isabelle selects the first assumption, it tries to prove \isa{P\
-\isasymlongrightarrow\ Q} and fails; it then backtracks, finds the 
-assumption \isa{\isasymnot~R} and finally proves \isa{R} by assumption.  That
-concludes the proof.
-
-\medskip
-
-The following example may be skipped on a first reading.  It involves a
-peculiar but important rule, a form of disjunction introduction:
-\begin{isabelle}
-(\isasymnot \ ?Q\ \isasymLongrightarrow \ ?P)\ \isasymLongrightarrow \ ?P\ \isasymor \ ?Q%
-\rulenamedx{disjCI}
-\end{isabelle}
-This rule combines the effects of \isa{disjI1} and \isa{disjI2}.  Its great
-advantage is that we can remove the disjunction symbol without deciding
-which disjunction to prove.  This treatment of disjunction is standard in sequent
-and tableau calculi.
-
-\begin{isabelle}
-\isacommand{lemma}\ "(P\ \isasymor\ Q)\ \isasymand\ R\
-\isasymLongrightarrow\ P\ \isasymor\ (Q\ \isasymand\ R)"\isanewline
-\isacommand{apply}\ (rule\ disjCI)\isanewline
-\isacommand{apply}\ (elim\ conjE\ disjE)\isanewline
-\ \isacommand{apply}\ assumption
-\isanewline
-\isacommand{by}\ (erule\ contrapos_np,\ rule\ conjI)
-\end{isabelle}
-%
-The first proof step to applies the introduction rules \isa{disjCI}.
-The resulting subgoal has the negative assumption 
-\hbox{\isa{\isasymnot(Q\ \isasymand\ R)}}.  
-
-\begin{isabelle}
-\ 1.\ \isasymlbrakk(P\ \isasymor\ Q)\ \isasymand\ R;\ \isasymnot\ (Q\ \isasymand\
-R)\isasymrbrakk\ \isasymLongrightarrow\ P%
-\end{isabelle}
-Next we apply the \isa{elim} method, which repeatedly applies 
-elimination rules; here, the elimination rules given 
-in the command.  One of the subgoals is trivial (\isa{\isacommand{apply} assumption}),
-leaving us with one other:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (Q\ \isasymand\ R);\ R;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P%
-\end{isabelle}
-%
-Now we must move the formula \isa{Q\ \isasymand\ R} to be the conclusion.  The
-combination 
-\begin{isabelle}
-\ \ \ \ \ (erule\ contrapos_np,\ rule\ conjI)
-\end{isabelle}
-is robust: the \isa{conjI} forces the \isa{erule} to select a
-conjunction.  The two subgoals are the ones we would expect from applying
-conjunction introduction to
-\isa{Q~\isasymand~R}:  
-\begin{isabelle}
-\ 1.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\
-Q\isanewline
-\ 2.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\ R%
-\end{isabelle}
-They are proved by assumption, which is implicit in the \isacommand{by}
-command.%
-\index{negation|)}
-
-
-\section{Interlude: the Basic Methods for Rules}
-
-We have seen examples of many tactics that operate on individual rules.  It
-may be helpful to review how they work given an arbitrary rule such as this:
-\[ \infer{Q}{P@1 & \ldots & P@n} \]
-Below, we refer to $P@1$ as the \bfindex{major premise}.  This concept
-applies only to elimination and destruction rules.  These rules act upon an
-instance of their major premise, typically to replace it by subformulas of itself.
-
-Suppose that the rule above is called~\isa{R}\@.  Here are the basic rule
-methods, most of which we have already seen:
-\begin{itemize}
-\item 
-Method \isa{rule\ R} unifies~$Q$ with the current subgoal, replacing it
-by $n$ new subgoals: instances of $P@1$, \ldots,~$P@n$. 
-This is backward reasoning and is appropriate for introduction rules.
-\item 
-Method \isa{erule\ R} unifies~$Q$ with the current subgoal and
-simultaneously unifies $P@1$ with some assumption.  The subgoal is 
-replaced by the $n-1$ new subgoals of proving
-instances of $P@2$,
-\ldots,~$P@n$, with the matching assumption deleted.  It is appropriate for
-elimination rules.  The method
-\isa{(rule\ R,\ assumption)} is similar, but it does not delete an
-assumption.
-\item 
-Method \isa{drule\ R} unifies $P@1$ with some assumption, which it
-then deletes.  The subgoal is 
-replaced by the $n-1$ new subgoals of proving $P@2$, \ldots,~$P@n$; an
-$n$th subgoal is like the original one but has an additional assumption: an
-instance of~$Q$.  It is appropriate for destruction rules. 
-\item 
-Method \isa{frule\ R} is like \isa{drule\ R} except that the matching
-assumption is not deleted.  (See {\S}\ref{sec:frule} below.)
-\end{itemize}
-
-Other methods apply a rule while constraining some of its
-variables.  The typical form is
-\begin{isabelle}
-\ \ \ \ \ \methdx{rule_tac}\ $v@1$ = $t@1$ \isakeyword{and} \ldots \isakeyword{and}
-$v@k$ =
-$t@k$ \isakeyword{in} R
-\end{isabelle}
-This method behaves like \isa{rule R}, while instantiating the variables
-$v@1$, \ldots,
-$v@k$ as specified.  We similarly have \methdx{erule_tac}, \methdx{drule_tac} and
-\methdx{frule_tac}.  These methods also let us specify which subgoal to
-operate on.  By default it is the first subgoal, as with nearly all
-methods, but we can specify that rule \isa{R} should be applied to subgoal
-number~$i$:
-\begin{isabelle}
-\ \ \ \ \ rule_tac\ [$i$] R
-\end{isabelle}
-
-
-
-\section{Unification and Substitution}\label{sec:unification}
-
-\index{unification|(}%
-As we have seen, Isabelle rules involve schematic variables, which begin with
-a question mark and act as
-placeholders for terms.  \textbf{Unification} --- well known to Prolog programmers --- is the act of
-making two terms identical, possibly replacing their schematic variables by
-terms.  The simplest case is when the two terms are already the same. Next
-simplest is \textbf{pattern-matching}, which replaces variables in only one of the
-terms.  The
-\isa{rule} method typically  matches the rule's conclusion
-against the current subgoal.  The
-\isa{assumption} method matches the current subgoal's conclusion
-against each of its assumptions.   Unification can instantiate variables in both terms; the \isa{rule} method can do this if the goal
-itself contains schematic variables.  Other occurrences of the variables in
-the rule or proof state are updated at the same time.
-
-Schematic variables in goals represent unknown terms.  Given a goal such
-as $\exists x.\,P$, they let us proceed with a proof.  They can be 
-filled in later, sometimes in stages and often automatically. 
-
-\begin{pgnote}
-If unification fails when you think it should succeed, try setting the Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
-\pgmenu{Trace Unification},
-which makes Isabelle show the cause of unification failures (in Proof
-General's \pgmenu{Trace} buffer).
-\end{pgnote}
-\noindent
-For example, suppose we are trying to prove this subgoal by assumption:
-\begin{isabelle}
-\ 1.\ P\ (a,\ f\ (b,\ g\ (e,\ a),\ b),\ a)\ \isasymLongrightarrow \ P\ (a,\ f\ (b,\ g\ (c,\ a),\ b),\ a)
-\end{isabelle}
-The \isa{assumption} method having failed, we try again with the flag set:
-\begin{isabelle}
-\isacommand{apply} assumption
-\end{isabelle}
-In this trivial case, the output clearly shows that \isa{e} clashes with \isa{c}:
-\begin{isabelle}
-Clash: e =/= c
-\end{isabelle}
-
-Isabelle uses
-\textbf{higher-order} unification, which works in the
-typed $\lambda$-calculus.  The procedure requires search and is potentially
-undecidable.  For our purposes, however, the differences from ordinary
-unification are straightforward.  It handles bound variables
-correctly, avoiding capture.  The two terms
-\isa{{\isasymlambda}x.\ f(x,z)} and \isa{{\isasymlambda}y.\ f(y,z)} are
-trivially unifiable because they differ only by a bound variable renaming.  The two terms \isa{{\isasymlambda}x.\ ?P} and
-\isa{{\isasymlambda}x.\ t x}  are not unifiable; replacing \isa{?P} by
-\isa{t x} is forbidden because the free occurrence of~\isa{x} would become
-bound.  Unfortunately, even if \isa{trace_unify_fail} is set, Isabelle displays no information about this type of failure.
-
-\begin{warn}
-Higher-order unification sometimes must invent
-$\lambda$-terms to replace function  variables,
-which can lead to a combinatorial explosion. However,  Isabelle proofs tend
-to involve easy cases where there are few possibilities for the
-$\lambda$-term being constructed. In the easiest case, the
-function variable is applied only to bound variables, 
-as when we try to unify \isa{{\isasymlambda}x\ y.\ f(?h x y)} and
-\isa{{\isasymlambda}x\ y.\ f(x+y+a)}.  The only solution is to replace
-\isa{?h} by \isa{{\isasymlambda}x\ y.\ x+y+a}.  Such cases admit at most
-one unifier, like ordinary unification.  A harder case is
-unifying \isa{?h a} with~\isa{a+b}; it admits two solutions for \isa{?h},
-namely \isa{{\isasymlambda}x.~a+b} and \isa{{\isasymlambda}x.~x+b}. 
-Unifying \isa{?h a} with~\isa{a+a+b} admits four solutions; their number is
-exponential in the number of occurrences of~\isa{a} in the second term.
-\end{warn}
-
-
-
-\subsection{Substitution and the {\tt\slshape subst} Method}
-\label{sec:subst}
-
-\index{substitution|(}%
-Isabelle also uses function variables to express \textbf{substitution}. 
-A typical substitution rule allows us to replace one term by 
-another if we know that two terms are equal. 
-\[ \infer{P[t/x]}{s=t & P[s/x]} \]
-The rule uses a notation for substitution: $P[t/x]$ is the result of
-replacing $x$ by~$t$ in~$P$.  The rule only substitutes in the positions
-designated by~$x$.  For example, it can
-derive symmetry of equality from reflexivity.  Using $x=s$ for~$P$
-replaces just the first $s$ in $s=s$ by~$t$:
-\[ \infer{t=s}{s=t & \infer{s=s}{}} \]
-
-The Isabelle version of the substitution rule looks like this: 
-\begin{isabelle}
-\isasymlbrakk?t\ =\ ?s;\ ?P\ ?s\isasymrbrakk\ \isasymLongrightarrow\ ?P\
-?t
-\rulenamedx{ssubst}
-\end{isabelle}
-Crucially, \isa{?P} is a function 
-variable.  It can be replaced by a $\lambda$-term 
-with one bound variable, whose occurrences identify the places 
-in which $s$ will be replaced by~$t$.  The proof above requires \isa{?P}
-to be replaced by \isa{{\isasymlambda}x.~x=s}; the second premise will then
-be \isa{s=s} and the conclusion will be \isa{t=s}.
-
-The \isa{simp} method also replaces equals by equals, but the substitution
-rule gives us more control.  Consider this proof: 
-\begin{isabelle}
-\isacommand{lemma}\
-"\isasymlbrakk x\ =\ f\ x;\ odd(f\ x)\isasymrbrakk\ \isasymLongrightarrow\
-odd\ x"\isanewline
-\isacommand{by}\ (erule\ ssubst)
-\end{isabelle}
-%
-The assumption \isa{x\ =\ f\ x}, if used for rewriting, would loop, 
-replacing \isa{x} by \isa{f x} and then by
-\isa{f(f x)} and so forth. (Here \isa{simp} 
-would see the danger and would re-orient the equality, but in more complicated
-cases it can be fooled.) When we apply the substitution rule,  
-Isabelle replaces every
-\isa{x} in the subgoal by \isa{f x} just once. It cannot loop.  The
-resulting subgoal is trivial by assumption, so the \isacommand{by} command
-proves it implicitly. 
-
-We are using the \isa{erule} method in a novel way. Hitherto, 
-the conclusion of the rule was just a variable such as~\isa{?R}, but it may
-be any term. The conclusion is unified with the subgoal just as 
-it would be with the \isa{rule} method. At the same time \isa{erule} looks 
-for an assumption that matches the rule's first premise, as usual.  With
-\isa{ssubst} the effect is to find, use and delete an equality 
-assumption.
-
-The \methdx{subst} method performs individual substitutions. In simple cases,
-it closely resembles a use of the substitution rule.  Suppose a
-proof has reached this point:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \ \isasymLongrightarrow \ f\ z\ =\ x\ *\ y%
-\end{isabelle}
-Now we wish to apply a commutative law:
-\begin{isabelle}
-?m\ *\ ?n\ =\ ?n\ *\ ?m%
-\rulename{mult_commute}
-\end{isabelle}
-Isabelle rejects our first attempt:
-\begin{isabelle}
-apply (simp add: mult_commute)
-\end{isabelle}
-The simplifier notices the danger of looping and refuses to apply the
-rule.%
-\footnote{More precisely, it only applies such a rule if the new term is
-smaller under a specified ordering; here, \isa{x\ *\ y}
-is already smaller than
-\isa{y\ *\ x}.}
-%
-The \isa{subst} method applies \isa{mult_commute} exactly once.  
-\begin{isabelle}
-\isacommand{apply}\ (subst\ mult_commute)\isanewline
-\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \
-\isasymLongrightarrow \ f\ z\ =\ y\ *\ x%
-\end{isabelle}
-As we wanted, \isa{x\ *\ y} has become \isa{y\ *\ x}.
-
-\medskip
-This use of the \methdx{subst} method has the same effect as the command
-\begin{isabelle}
-\isacommand{apply}\ (rule\ mult_commute [THEN ssubst])
-\end{isabelle}
-The attribute \isa{THEN}, which combines two rules, is described in 
-{\S}\ref{sec:THEN} below. The \methdx{subst} method is more powerful than
-applying the substitution rule. It can perform substitutions in a subgoal's
-assumptions. Moreover, if the subgoal contains more than one occurrence of
-the left-hand side of the equality, the \methdx{subst} method lets us specify which occurrence should be replaced.
-
-
-\subsection{Unification and Its Pitfalls}
-
-Higher-order unification can be tricky.  Here is an example, which you may
-want to skip on your first reading:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\
-f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{apply}\ (erule\ ssubst)\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{apply}\ assumption\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-By default, Isabelle tries to substitute for all the 
-occurrences.  Applying \isa{erule\ ssubst} yields this subgoal:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ (f\ x)
-\end{isabelle}
-The substitution should have been done in the first two occurrences 
-of~\isa{x} only. Isabelle has gone too far. The \commdx{back}
-command allows us to reject this possibility and demand a new one: 
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ (f\ x)\ (f\ x)
-\end{isabelle}
-%
-Now Isabelle has left the first occurrence of~\isa{x} alone. That is 
-promising but it is not the desired combination. So we use \isacommand{back} 
-again:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ x\ (f\ x)
-\end{isabelle}
-%
-This also is wrong, so we use \isacommand{back} again: 
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ x\ (f\ x)
-\end{isabelle}
-%
-And this one is wrong too. Looking carefully at the series 
-of alternatives, we see a binary countdown with reversed bits: 111,
-011, 101, 001.  Invoke \isacommand{back} again: 
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ x%
-\end{isabelle}
-At last, we have the right combination!  This goal follows by assumption.%
-\index{unification|)}
-
-\medskip
-This example shows that unification can do strange things with
-function variables.  We were forced to select the right unifier using the
-\isacommand{back} command.  That is all right during exploration, but \isacommand{back}
-should never appear in the final version of a proof.  You can eliminate the
-need for \isacommand{back} by giving Isabelle less freedom when you apply a rule.
-
-One way to constrain the inference is by joining two methods in a 
-\isacommand{apply} command. Isabelle  applies the first method and then the
-second. If the second method  fails then Isabelle automatically backtracks.
-This process continues until  the first method produces an output that the
-second method can  use. We get a one-line proof of our example: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{apply}\ (erule\ ssubst,\ assumption)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-\noindent
-The \isacommand{by} command works too, since it backtracks when
-proving subgoals by assumption:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{by}\ (erule\ ssubst)
-\end{isabelle}
-
-
-The most general way to constrain unification is 
-by instantiating variables in the rule.  The method \isa{rule_tac} is
-similar to \isa{rule}, but it
-makes some of the rule's variables  denote specified terms.  
-Also available are {\isa{drule_tac}}  and \isa{erule_tac}.  Here we need
-\isa{erule_tac} since above we used \isa{erule}.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\ \isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{by}\ (erule_tac\ P = "\isasymlambda u.\ triple\ u\ u\ x"\ 
-\isakeyword{in}\ ssubst)
-\end{isabelle}
-%
-To specify a desired substitution 
-requires instantiating the variable \isa{?P} with a $\lambda$-expression. 
-The bound variable occurrences in \isa{{\isasymlambda}u.\ P\ u\
-u\ x} indicate that the first two arguments have to be substituted, leaving
-the third unchanged.  With this instantiation, backtracking is neither necessary
-nor possible.
-
-An alternative to \isa{rule_tac} is to use \isa{rule} with a theorem
-modified using~\isa{of}, described in
-{\S}\ref{sec:forward} below.   But \isa{rule_tac}, unlike \isa{of}, can 
-express instantiations that refer to 
-\isasymAnd-bound variables in the current subgoal.%
-\index{substitution|)}
-
-
-\section{Quantifiers}
-
-\index{quantifiers!universal|(}%
-Quantifiers require formalizing syntactic substitution and the notion of 
-arbitrary value.  Consider the universal quantifier.  In a logic
-book, its introduction  rule looks like this: 
-\[ \infer{\forall x.\,P}{P} \]
-Typically, a proviso written in English says that $x$ must not
-occur in the assumptions.  This proviso guarantees that $x$ can be regarded as
-arbitrary, since it has not been assumed to satisfy any special conditions. 
-Isabelle's  underlying formalism, called the
-\bfindex{meta-logic}, eliminates the  need for English.  It provides its own
-universal quantifier (\isasymAnd) to express the notion of an arbitrary value.
-We have already seen  another operator of the meta-logic, namely
-\isa\isasymLongrightarrow, which expresses  inference rules and the treatment
-of assumptions. The only other operator in the meta-logic is \isa\isasymequiv,
-which can be used to define constants.
-
-\subsection{The Universal Introduction Rule}
-
-Returning to the universal quantifier, we find that having a similar quantifier
-as part of the meta-logic makes the introduction rule trivial to express:
-\begin{isabelle}
-(\isasymAnd x.\ ?P\ x)\ \isasymLongrightarrow\ {\isasymforall}x.\ ?P\ x\rulenamedx{allI}
-\end{isabelle}
-
-
-The following trivial proof demonstrates how the universal introduction 
-rule works. 
-\begin{isabelle}
-\isacommand{lemma}\ "{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ x"\isanewline
-\isacommand{apply}\ (rule\ allI)\isanewline
-\isacommand{by}\ (rule\ impI)
-\end{isabelle}
-The first step invokes the rule by applying the method \isa{rule allI}. 
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ P\ x\ \isasymlongrightarrow\ P\ x
-\end{isabelle}
-Note  that the resulting proof state has a bound variable,
-namely~\isa{x}.  The rule has replaced the universal quantifier of
-higher-order  logic by Isabelle's meta-level quantifier.  Our goal is to
-prove
-\isa{P\ x\ \isasymlongrightarrow\ P\ x} for arbitrary~\isa{x}; it is 
-an implication, so we apply the corresponding introduction rule (\isa{impI}). 
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow\ P\ x
-\end{isabelle}
-This last subgoal is implicitly proved by assumption. 
-
-\subsection{The Universal Elimination Rule}
-
-Now consider universal elimination. In a logic text, 
-the rule looks like this: 
-\[ \infer{P[t/x]}{\forall x.\,P} \]
-The conclusion is $P$ with $t$ substituted for the variable~$x$.  
-Isabelle expresses substitution using a function variable: 
-\begin{isabelle}
-{\isasymforall}x.\ ?P\ x\ \isasymLongrightarrow\ ?P\ ?x\rulenamedx{spec}
-\end{isabelle}
-This destruction rule takes a 
-universally quantified formula and removes the quantifier, replacing 
-the bound variable \isa{x} by the schematic variable \isa{?x}.  Recall that a
-schematic variable starts with a question mark and acts as a
-placeholder: it can be replaced by any term.  
-
-The universal elimination rule is also
-available in the standard elimination format.  Like \isa{conjE}, it never
-appears in logic books:
-\begin{isabelle}
-\isasymlbrakk \isasymforall x.\ ?P\ x;\ ?P\ ?x\ \isasymLongrightarrow \ ?R\isasymrbrakk \ \isasymLongrightarrow \ ?R%
-\rulenamedx{allE}
-\end{isabelle}
-The methods \isa{drule~spec} and \isa{erule~allE} do precisely the
-same inference.
-
-To see how $\forall$-elimination works, let us derive a rule about reducing 
-the scope of a universal quantifier.  In mathematical notation we write
-\[ \infer{P\imp\forall x.\,Q}{\forall x.\,P\imp Q} \]
-with the proviso ``$x$ not free in~$P$.''  Isabelle's treatment of
-substitution makes the proviso unnecessary.  The conclusion is expressed as
-\isa{P\
-\isasymlongrightarrow\ ({\isasymforall}x.\ Q\ x)}. No substitution for the
-variable \isa{P} can introduce a dependence upon~\isa{x}: that would be a
-bound variable capture.  Let us walk through the proof.
-\begin{isabelle}
-\isacommand{lemma}\ "(\isasymforall x.\ P\ \isasymlongrightarrow \ Q\ x)\
-\isasymLongrightarrow \ P\ \isasymlongrightarrow \ (\isasymforall x.\ Q\
-x)"
-\end{isabelle}
-First we apply implies introduction (\isa{impI}), 
-which moves the \isa{P} from the conclusion to the assumptions. Then 
-we apply universal introduction (\isa{allI}).  
-\begin{isabelle}
-\isacommand{apply}\ (rule\ impI,\ rule\ allI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymforall}x.\ P\ \isasymlongrightarrow\ Q\
-x;\ P\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
-\end{isabelle}
-As before, it replaces the HOL 
-quantifier by a meta-level quantifier, producing a subgoal that 
-binds the variable~\isa{x}.  The leading bound variables
-(here \isa{x}) and the assumptions (here \isa{{\isasymforall}x.\ P\
-\isasymlongrightarrow\ Q\ x} and \isa{P}) form the \textbf{context} for the
-conclusion, here \isa{Q\ x}.  Subgoals inherit the context,
-although assumptions can be added or deleted (as we saw
-earlier), while rules such as \isa{allI} add bound variables.
-
-Now, to reason from the universally quantified 
-assumption, we apply the elimination rule using the \isa{drule} 
-method.  This rule is called \isa{spec} because it specializes a universal formula
-to a particular term.
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ P\ \isasymlongrightarrow\ Q\ (?x2\
-x)\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
-\end{isabelle}
-Observe how the context has changed.  The quantified formula is gone,
-replaced by a new assumption derived from its body.  We have
-removed the quantifier and replaced the bound variable
-by the curious term 
-\isa{?x2~x}.  This term is a placeholder: it may become any term that can be
-built from~\isa{x}.  (Formally, \isa{?x2} is an unknown of function type, applied
-to the argument~\isa{x}.)  This new assumption is an implication, so we can  use
-\emph{modus ponens} on it, which concludes the proof. 
-\begin{isabelle}
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-Let us take a closer look at this last step.  \emph{Modus ponens} yields
-two subgoals: one where we prove the antecedent (in this case \isa{P}) and
-one where we may assume the consequent.  Both of these subgoals are proved
-by the
-\isa{assumption} method, which is implicit in the
-\isacommand{by} command.  Replacing the \isacommand{by} command by 
-\isa{\isacommand{apply} (drule\ mp, assumption)} would have left one last
-subgoal:
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ Q\ (?x2\ x)\isasymrbrakk\
-\isasymLongrightarrow\ Q\ x
-\end{isabelle}
-The consequent is \isa{Q} applied to that placeholder.  It may be replaced by any
-term built from~\isa{x}, and here 
-it should simply be~\isa{x}.  The assumption need not
-be identical to the conclusion, provided the two formulas are unifiable.%
-\index{quantifiers!universal|)}  
-
-
-\subsection{The Existential Quantifier}
-
-\index{quantifiers!existential|(}%
-The concepts just presented also apply
-to the existential quantifier, whose introduction rule looks like this in
-Isabelle: 
-\begin{isabelle}
-?P\ ?x\ \isasymLongrightarrow\ {\isasymexists}x.\ ?P\ x\rulenamedx{exI}
-\end{isabelle}
-If we can exhibit some $x$ such that $P(x)$ is true, then $\exists x.
-P(x)$ is also true.  It is a dual of the universal elimination rule, and
-logic texts present it using the same notation for substitution.
-
-The existential
-elimination rule looks like this
-in a logic text: 
-\[ \infer{Q}{\exists x.\,P & \infer*{Q}{[P]}} \]
-%
-It looks like this in Isabelle: 
-\begin{isabelle}
-\isasymlbrakk{\isasymexists}x.\ ?P\ x;\ \isasymAnd x.\ ?P\ x\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?Q\rulenamedx{exE}
-\end{isabelle}
-%
-Given an existentially quantified theorem and some
-formula $Q$ to prove, it creates a new assumption by removing the quantifier.  As with
-the universal introduction  rule, the textbook version imposes a proviso on the
-quantified variable, which Isabelle expresses using its meta-logic.  It is
-enough to have a universal quantifier in the meta-logic; we do not need an existential
-quantifier to be built in as well.
- 
-
-\begin{exercise}
-Prove the lemma
-\[ \exists x.\, P\conj Q(x)\Imp P\conj(\exists x.\, Q(x)). \]
-\emph{Hint}: the proof is similar 
-to the one just above for the universal quantifier. 
-\end{exercise}
-\index{quantifiers!existential|)}
-
-
-\subsection{Renaming a Bound Variable: {\tt\slshape rename_tac}}
-
-\index{assumptions!renaming|(}\index{*rename_tac (method)|(}%
-When you apply a rule such as \isa{allI}, the quantified variable
-becomes a new bound variable of the new subgoal.  Isabelle tries to avoid
-changing its name, but sometimes it has to choose a new name in order to
-avoid a clash.  The result may not be ideal:
-\begin{isabelle}
-\isacommand{lemma}\ "x\ <\ y\ \isasymLongrightarrow \ \isasymforall x\ y.\ P\ x\
-(f\ y)"\isanewline
-\isacommand{apply}\ (intro allI)\isanewline
-\ 1.\ \isasymAnd xa\ ya.\ x\ <\ y\ \isasymLongrightarrow \ P\ xa\ (f\ ya)
-\end{isabelle}
-%
-The names \isa{x} and \isa{y} were already in use, so the new bound variables are
-called \isa{xa} and~\isa{ya}.  You can rename them by invoking \isa{rename_tac}:
-
-\begin{isabelle}
-\isacommand{apply}\ (rename_tac\ v\ w)\isanewline
-\ 1.\ \isasymAnd v\ w.\ x\ <\ y\ \isasymLongrightarrow \ P\ v\ (f\ w)
-\end{isabelle}
-Recall that \isa{rule_tac}\index{*rule_tac (method)!and renaming} 
-instantiates a
-theorem with specified terms.  These terms may involve the goal's bound
-variables, but beware of referring to  variables
-like~\isa{xa}.  A future change to your theories could change the set of names
-produced at top level, so that \isa{xa} changes to~\isa{xb} or reverts to~\isa{x}.
-It is safer to rename automatically-generated variables before mentioning them.
-
-If the subgoal has more bound variables than there are names given to
-\isa{rename_tac}, the rightmost ones are renamed.%
-\index{assumptions!renaming|)}\index{*rename_tac (method)|)}
-
-
-\subsection{Reusing an Assumption: {\tt\slshape frule}}
-\label{sec:frule}
-
-\index{assumptions!reusing|(}\index{*frule (method)|(}%
-Note that \isa{drule spec} removes the universal quantifier and --- as
-usual with elimination rules --- discards the original formula.  Sometimes, a
-universal formula has to be kept so that it can be used again.  Then we use a new
-method: \isa{frule}.  It acts like \isa{drule} but copies rather than replaces
-the selected assumption.  The \isa{f} is for \emph{forward}.
-
-In this example, going from \isa{P\ a} to \isa{P(h(h~a))}
-requires two uses of the quantified assumption, one for each~\isa{h}
-in~\isa{h(h~a)}.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);
-\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P(h\ (h\ a))"
-\end{isabelle}
-%
-Examine the subgoal left by \isa{frule}:
-\begin{isabelle}
-\isacommand{apply}\ (frule\ spec)\isanewline
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ ?x\ \isasymlongrightarrow\ P\ (h\ ?x)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-It is what \isa{drule} would have left except that the quantified
-assumption is still present.  Next we apply \isa{mp} to the
-implication and the assumption~\isa{P\ a}:
-\begin{isabelle}
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-%
-We have created the assumption \isa{P(h\ a)}, which is progress.  To
-continue the proof, we apply \isa{spec} again.  We shall not need it
-again, so we can use
-\isa{drule}.
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ ?x2\ 
-\isasymlongrightarrow \ P\ (h\ ?x2)\isasymrbrakk \ \isasymLongrightarrow \
-P\ (h\ (h\ a))
-\end{isabelle}
-%
-The new assumption bridges the gap between \isa{P(h\ a)} and \isa{P(h(h\ a))}.
-\begin{isabelle}
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-
-\medskip
-\emph{A final remark}.  Replacing this \isacommand{by} command with
-\begin{isabelle}
-\isacommand{apply}\ (drule\ mp,\ assumption)
-\end{isabelle}
-would not work: it would add a second copy of \isa{P(h~a)} instead
-of the desired assumption, \isa{P(h(h~a))}.  The \isacommand{by}
-command forces Isabelle to backtrack until it finds the correct one.
-Alternatively, we could have used the \isacommand{apply} command and bundled the
-\isa{drule mp} with \emph{two} calls of \isa{assumption}.  Or, of course,
-we could have given the entire proof to \isa{auto}.%
-\index{assumptions!reusing|)}\index{*frule (method)|)}
-
-
-
-\subsection{Instantiating a Quantifier Explicitly}
-\index{quantifiers!instantiating}
-
-We can prove a theorem of the form $\exists x.\,P\, x$ by exhibiting a
-suitable term~$t$ such that $P\,t$ is true.  Dually, we can use an
-assumption of the form $\forall x.\,P\, x$ to generate a new assumption $P\,t$ for
-a suitable term~$t$.  In many cases, 
-Isabelle makes the correct choice automatically, constructing the term by
-unification.  In other cases, the required term is not obvious and we must
-specify it ourselves.  Suitable methods are \isa{rule_tac}, \isa{drule_tac}
-and \isa{erule_tac}.
-
-We have seen (just above, {\S}\ref{sec:frule}) a proof of this lemma:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk \isasymforall x.\ P\ x\
-\isasymlongrightarrow \ P\ (h\ x);\ P\ a\isasymrbrakk \
-\isasymLongrightarrow \ P(h\ (h\ a))"
-\end{isabelle}
-We had reached this subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\
-x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-%
-The proof requires instantiating the quantified assumption with the
-term~\isa{h~a}.
-\begin{isabelle}
-\isacommand{apply}\ (drule_tac\ x\ =\ "h\ a"\ \isakeyword{in}\
-spec)\isanewline
-\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ (h\ a)\ \isasymlongrightarrow \
-P\ (h\ (h\ a))\isasymrbrakk \ \isasymLongrightarrow \ P\ (h\ (h\ a))
-\end{isabelle}
-We have forced the desired instantiation.
-
-\medskip
-Existential formulas can be instantiated too.  The next example uses the 
-\textbf{divides} relation\index{divides relation}
-of number theory: 
-\begin{isabelle}
-?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
-\rulename{dvd_def}
-\end{isabelle}
-
-Let us prove that multiplication of natural numbers is monotone with
-respect to the divides relation:
-\begin{isabelle}
-\isacommand{lemma}\ mult_dvd_mono:\ "{\isasymlbrakk}i\ dvd\ m;\ j\ dvd\
-n\isasymrbrakk\ \isasymLongrightarrow\ i*j\ dvd\ (m*n\ ::\ nat)"\isanewline
-\isacommand{apply}\ (simp\ add:\ dvd_def)
-\end{isabelle}
-%
-Unfolding the definition of divides has left this subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk \isasymexists k.\ m\ =\ i\ *\ k;\ \isasymexists k.\ n\
-=\ j\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\
-n\ =\ i\ *\ j\ *\ k
-\end{isabelle}
-%
-Next, we eliminate the two existential quantifiers in the assumptions:
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd k.\ \isasymlbrakk \isasymexists k.\ n\ =\ j\ *\ k;\ m\ =\
-i\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\
-=\ i\ *\ j\ *\ k%
-\isanewline
-\isacommand{apply}\ (erule\ exE)
-\isanewline
-\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
-ka\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\
-*\ j\ *\ k
-\end{isabelle}
-%
-The term needed to instantiate the remaining quantifier is~\isa{k*ka}.  But
-\isa{ka} is an automatically-generated name.  As noted above, references to
-such variable names makes a proof less resilient to future changes.  So,
-first we rename the most recent variable to~\isa{l}:
-\begin{isabelle}
-\isacommand{apply}\ (rename_tac\ l)\isanewline
-\ 1.\ \isasymAnd k\ l.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\ l\isasymrbrakk \
-\isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\ *\ j\ *\ k%
-\end{isabelle}
-
-We instantiate the quantifier with~\isa{k*l}:
-\begin{isabelle}
-\isacommand{apply}\ (rule_tac\ x="k*l"\ \isakeyword{in}\ exI)\ \isanewline
-\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
-ka\isasymrbrakk \ \isasymLongrightarrow \ m\ *\ n\ =\ i\
-*\ j\ *\ (k\ *\ ka)
-\end{isabelle}
-%
-The rest is automatic, by arithmetic.
-\begin{isabelle}
-\isacommand{apply}\ simp\isanewline
-\isacommand{done}\isanewline
-\end{isabelle}
-
-
-
-\section{Description Operators}
-\label{sec:SOME}
-
-\index{description operators|(}%
-HOL provides two description operators.
-A \textbf{definite description} formalizes the word ``the,'' as in
-``the greatest divisior of~$n$.''
-It returns an arbitrary value unless the formula has a unique solution.
-An \textbf{indefinite description} formalizes the word ``some,'' as in
-``some member of~$S$.''  It differs from a definite description in not
-requiring the solution to be unique: it uses the axiom of choice to pick any
-solution. 
-
-\begin{warn}
-Description operators can be hard to reason about.  Novices
-should try to avoid them.  Fortunately, descriptions are seldom required.
-\end{warn}
-
-\subsection{Definite Descriptions}
-
-\index{descriptions!definite}%
-A definite description is traditionally written $\iota x.  P(x)$.  It denotes
-the $x$ such that $P(x)$ is true, provided there exists a unique such~$x$;
-otherwise, it returns an arbitrary value of the expected type.
-Isabelle uses \sdx{THE} for the Greek letter~$\iota$.  
-
-%(The traditional notation could be provided, but it is not legible on screen.)
-
-We reason using this rule, where \isa{a} is the unique solution:
-\begin{isabelle}
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \ 
-\isasymLongrightarrow \ (THE\ x.\ P\ x)\ =\ a%
-\rulenamedx{the_equality}
-\end{isabelle}
-For instance, we can define the
-cardinality of a finite set~$A$ to be that
-$n$ such that $A$ is in one-to-one correspondence with $\{1,\ldots,n\}$.  We can then
-prove that the cardinality of the empty set is zero (since $n=0$ satisfies the
-description) and proceed to prove other facts.
-
-A more challenging example illustrates how Isabelle/HOL defines the least number
-operator, which denotes the least \isa{x} satisfying~\isa{P}:%
-\index{least number operator|see{\protect\isa{LEAST}}}
-\begin{isabelle}
-(LEAST\ x.\ P\ x)\ = (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\
-P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))
-\end{isabelle}
-%
-Let us prove the analogue of \isa{the_equality} for \sdx{LEAST}\@.
-\begin{isabelle}
-\isacommand{theorem}\ Least_equality:\isanewline
-\ \ \ \ \ "\isasymlbrakk P\ (k::nat);\ \ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ (LEAST\ x.\ P\ x)\ =\ k"\isanewline
-\isacommand{apply}\ (simp\ add:\ Least_def)\isanewline
-\isanewline
-\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))\ =\ k%
-\end{isabelle}
-The first step has merely unfolded the definition.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ the_equality)\isanewline
-\isanewline
-\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\
-\isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ P\ k\ \isasymand \
-(\isasymforall y.\ P\ y\ \isasymlongrightarrow \ k\ \isasymle \ y)\isanewline
-\ 2.\ \isasymAnd x.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x;\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y)\isasymrbrakk \isanewline
-\ \ \ \ \ \ \ \ \isasymLongrightarrow \ x\ =\ k%
-\end{isabelle}
-As always with \isa{the_equality}, we must show existence and
-uniqueness of the claimed solution,~\isa{k}.  Existence, the first
-subgoal, is trivial.  Uniqueness, the second subgoal, follows by antisymmetry:
-\begin{isabelle}
-\isasymlbrakk x\ \isasymle \ y;\ y\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ x\ =\ y%
-\rulename{order_antisym}
-\end{isabelle}
-The assumptions imply both \isa{k~\isasymle~x} and \isa{x~\isasymle~k}.  One
-call to \isa{auto} does it all: 
-\begin{isabelle}
-\isacommand{by}\ (auto\ intro:\ order_antisym)
-\end{isabelle}
-
-
-\subsection{Indefinite Descriptions}
-
-\index{Hilbert's $\varepsilon$-operator}%
-\index{descriptions!indefinite}%
-An indefinite description is traditionally written $\varepsilon x. P(x)$ and is
-known as Hilbert's $\varepsilon$-operator.  It denotes
-some $x$ such that $P(x)$ is true, provided one exists.
-Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.
-
-Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_into}, which we ignore here.} which expresses inverses of
-functions:
-\begin{isabelle}
-inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
-\rulename{inv_def}
-\end{isabelle}
-Using \isa{SOME} rather than \isa{THE} makes \isa{inv~f} behave well
-even if \isa{f} is not injective.  As it happens, most useful theorems about
-\isa{inv} do assume the function to be injective.
-
-The inverse of \isa{f}, when applied to \isa{y}, returns some~\isa{x} such that
-\isa{f~x~=~y}.  For example, we can prove \isa{inv~Suc} really is the inverse
-of the \isa{Suc} function 
-\begin{isabelle}
-\isacommand{lemma}\ "inv\ Suc\ (Suc\ n)\ =\ n"\isanewline
-\isacommand{by}\ (simp\ add:\ inv_def)
-\end{isabelle}
-
-\noindent
-The proof is a one-liner: the subgoal simplifies to a degenerate application of
-\isa{SOME}, which is then erased.  In detail, the left-hand side simplifies
-to \isa{SOME\ x.\ Suc\ x\ =\ Suc\ n}, then to \isa{SOME\ x.\ x\ =\ n} and
-finally to~\isa{n}.  
-
-We know nothing about what
-\isa{inv~Suc} returns when applied to zero.  The proof above still treats
-\isa{SOME} as a definite description, since it only reasons about
-situations in which the value is described uniquely.  Indeed, \isa{SOME}
-satisfies this rule:
-\begin{isabelle}
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \ 
-\isasymLongrightarrow \ (SOME\ x.\ P\ x)\ =\ a%
-\rulenamedx{some_equality}
-\end{isabelle}
-To go further is
-tricky and requires rules such as these:
-\begin{isabelle}
-P\ x\ \isasymLongrightarrow \ P\ (SOME\ x.\ P\ x)
-\rulenamedx{someI}\isanewline
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ Q\
-x\isasymrbrakk \ \isasymLongrightarrow \ Q\ (SOME\ x.\ P\ x)
-\rulenamedx{someI2}
-\end{isabelle}
-Rule \isa{someI} is basic: if anything satisfies \isa{P} then so does
-\hbox{\isa{SOME\ x.\ P\ x}}.  The repetition of~\isa{P} in the conclusion makes it
-difficult to apply in a backward proof, so the derived rule \isa{someI2} is
-also provided. 
-
-\medskip
-For example, let us prove the \rmindex{axiom of choice}:
-\begin{isabelle}
-\isacommand{theorem}\ axiom_of_choice:
-\ "(\isasymforall x.\ \isasymexists y.\ P\ x\ y)\ \isasymLongrightarrow \
-\isasymexists f.\ \isasymforall x.\ P\ x\ (f\ x)"\isanewline
-\isacommand{apply}\ (rule\ exI,\ rule\ allI)\isanewline
-
-\ 1.\ \isasymAnd x.\ \isasymforall x.\ \isasymexists y.\ P\ x\ y\
-\isasymLongrightarrow \ P\ x\ (?f\ x)
-\end{isabelle}
-%
-We have applied the introduction rules; now it is time to apply the elimination
-rules.
-
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec,\ erule\ exE)\isanewline
-
-\ 1.\ \isasymAnd x\ y.\ P\ (?x2\ x)\ y\ \isasymLongrightarrow \ P\ x\ (?f\ x)
-\end{isabelle}
-
-\noindent
-The rule \isa{someI} automatically instantiates
-\isa{f} to \hbox{\isa{\isasymlambda x.\ SOME y.\ P\ x\ y}}, which is the choice
-function.  It also instantiates \isa{?x2\ x} to \isa{x}.
-\begin{isabelle}
-\isacommand{by}\ (rule\ someI)\isanewline
-\end{isabelle}
-
-\subsubsection{Historical Note}
-The original purpose of Hilbert's $\varepsilon$-operator was to express an
-existential destruction rule:
-\[ \infer{P[(\varepsilon x. P) / \, x]}{\exists x.\,P} \]
-This rule is seldom used for that purpose --- it can cause exponential
-blow-up --- but it is occasionally used as an introduction rule
-for the~$\varepsilon$-operator.  Its name in HOL is \tdxbold{someI_ex}.%%
-\index{description operators|)}
-
-
-\section{Some Proofs That Fail}
-
-\index{proofs!examples of failing|(}%
-Most of the examples in this tutorial involve proving theorems.  But not every 
-conjecture is true, and it can be instructive to see how  
-proofs fail. Here we attempt to prove a distributive law involving 
-the existential quantifier and conjunction. 
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymexists}x.\ P\ x)\ \isasymand\ 
-({\isasymexists}x.\ Q\ x)\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\
-\isasymand\ Q\ x"
-\end{isabelle}
-The first steps are  routine.  We apply conjunction elimination to break
-the assumption into two existentially quantified assumptions. 
-Applying existential elimination removes one of the quantifiers. 
-\begin{isabelle}
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymexists}x.\ Q\ x;\ P\ x\isasymrbrakk\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-%
-When we remove the other quantifier, we get a different bound 
-variable in the subgoal.  (The name \isa{xa} is generated automatically.)
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-The proviso of the existential elimination rule has forced the variables to
-differ: we can hardly expect two arbitrary values to be equal!  There is
-no way to prove this subgoal.  Removing the
-conclusion's existential quantifier yields two
-identical placeholders, which can become  any term involving the variables \isa{x}
-and~\isa{xa}.  We need one to become \isa{x}
-and the other to become~\isa{xa}, but Isabelle requires all instances of a
-placeholder to be identical. 
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ P\ (?x3\ x\ xa)\isanewline
-\ 2.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\ \isasymLongrightarrow\ Q\ (?x3\ x\ xa)
-\end{isabelle}
-We can prove either subgoal 
-using the \isa{assumption} method.  If we prove the first one, the placeholder
-changes into~\isa{x}. 
-\begin{isabelle}
-\ \isacommand{apply}\ assumption\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ Q\ x
-\end{isabelle}
-We are left with a subgoal that cannot be proved.  Applying the \isa{assumption}
-method results in an error message:
-\begin{isabelle}
-*** empty result sequence -- proof command failed
-\end{isabelle}
-When interacting with Isabelle via the shell interface,
-you can abandon a proof using the \isacommand{oops} command.
-
-\medskip 
-
-Here is another abortive proof, illustrating the interaction between 
-bound variables and unknowns.  
-If $R$ is a reflexive relation, 
-is there an $x$ such that $R\,x\,y$ holds for all $y$?  Let us see what happens when
-we attempt to prove it. 
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymforall y.\ R\ y\ y\ \isasymLongrightarrow 
-\ \isasymexists x.\ \isasymforall y.\ R\ x\ y"
-\end{isabelle}
-First,  we remove the existential quantifier. The new proof state has  an
-unknown, namely~\isa{?x}. 
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\ 1.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ \isasymforall y.\ R\ ?x\ y%
-\end{isabelle}
-It looks like we can just apply \isa{assumption}, but it fails.  Isabelle
-refuses to substitute \isa{y}, a bound variable, for~\isa{?x}; that would be
-a bound variable capture.  We can still try to finish the proof in some
-other way. We remove the universal quantifier  from the conclusion, moving
-the bound variable~\isa{y} into the subgoal.  But note that it is still
-bound!
-\begin{isabelle}
-\isacommand{apply}\ (rule\ allI)\isanewline
-\ 1.\ \isasymAnd y.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ R\ ?x\ y%
-\end{isabelle}
-Finally, we try to apply our reflexivity assumption.  We obtain a 
-new assumption whose identical placeholders may be replaced by 
-any term involving~\isa{y}. 
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymAnd y.\ R\ (?z2\ y)\ (?z2\ y)\ \isasymLongrightarrow\ R\ ?x\ y
-\end{isabelle}
-This subgoal can only be proved by putting \isa{y} for all the placeholders,
-making the assumption and conclusion become \isa{R\ y\ y}.  Isabelle can
-replace \isa{?z2~y} by \isa{y}; this involves instantiating
-\isa{?z2} to the identity function.  But, just as two steps earlier,
-Isabelle refuses to substitute~\isa{y} for~\isa{?x}.
-This example is typical of how Isabelle enforces sound quantifier reasoning. 
-\index{proofs!examples of failing|)}
-
-\section{Proving Theorems Using the {\tt\slshape blast} Method}
-
-\index{*blast (method)|(}%
-It is hard to prove many theorems using the methods 
-described above. A proof may be hundreds of steps long.  You 
-may need to search among different ways of proving certain 
-subgoals. Often a choice that proves one subgoal renders another 
-impossible to prove.  There are further complications that we have not
-discussed, concerning negation and disjunction.  Isabelle's
-\textbf{classical reasoner} is a family of tools that perform such
-proofs automatically.  The most important of these is the 
-\isa{blast} method. 
-
-In this section, we shall first see how to use the classical 
-reasoner in its default mode and then how to insert additional 
-rules, enabling it to work in new problem domains. 
-
- We begin with examples from pure predicate logic. The following 
-example is known as Andrew's challenge. Peter Andrews designed 
-it to be hard to prove by automatic means.
-It is particularly hard for a resolution prover, where 
-converting the nested biconditionals to
-clause form produces a combinatorial
-explosion~\cite{pelletier86}. However, the
-\isa{blast} method proves it in a fraction  of a second. 
-\begin{isabelle}
-\isacommand{lemma}\
-"(({\isasymexists}x.\
-{\isasymforall}y.\
-p(x){=}p(y))\
-=\
-(({\isasymexists}x.\
-q(x))=({\isasymforall}y.\
-p(y))))\
-\ \ =\ \ \ \ \isanewline
-\ \ \ \ \ \ \ \
-(({\isasymexists}x.\
-{\isasymforall}y.\
-q(x){=}q(y))\ =\ (({\isasymexists}x.\ p(x))=({\isasymforall}y.\ q(y))))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-The next example is a logic problem composed by Lewis Carroll. 
-The \isa{blast} method finds it trivial. Moreover, it turns out 
-that not all of the assumptions are necessary. We can  
-experiment with variations of this formula and see which ones 
-can be proved. 
-\begin{isabelle}
-\isacommand{lemma}\
-"({\isasymforall}x.\
-honest(x)\ \isasymand\
-industrious(x)\ \isasymlongrightarrow\
-healthy(x))\
-\isasymand\ \ \isanewline
-\ \ \ \ \ \ \ \ \isasymnot\ ({\isasymexists}x.\
-grocer(x)\ \isasymand\
-healthy(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-industrious(x)\ \isasymand\
-grocer(x)\ \isasymlongrightarrow\
-honest(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-cyclist(x)\ \isasymlongrightarrow\
-industrious(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-{\isasymnot}healthy(x)\ \isasymand\
-cyclist(x)\ \isasymlongrightarrow\
-{\isasymnot}honest(x))\
-\ \isanewline
-\ \ \ \ \ \ \ \ \isasymlongrightarrow\
-({\isasymforall}x.\
-grocer(x)\ \isasymlongrightarrow\
-{\isasymnot}cyclist(x))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-The \isa{blast} method is also effective for set theory, which is
-described in the next chapter.  The formula below may look horrible, but
-the \isa{blast} method proves it in milliseconds. 
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymUnion}i{\isasymin}I.\ A(i))\ \isasyminter\ ({\isasymUnion}j{\isasymin}J.\ B(j))\ =\isanewline
-\ \ \ \ \ \ \ \ ({\isasymUnion}i{\isasymin}I.\ {\isasymUnion}j{\isasymin}J.\ A(i)\ \isasyminter\ B(j))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-Few subgoals are couched purely in predicate logic and set theory.
-We can extend the scope of the classical reasoner by giving it new rules. 
-Extending it effectively requires understanding the notions of
-introduction, elimination and destruction rules.  Moreover, there is a
-distinction between  safe and unsafe rules. A 
-\textbf{safe}\indexbold{safe rules} rule is one that can be applied 
-backwards without losing information; an
-\textbf{unsafe}\indexbold{unsafe rules} rule loses  information, perhaps
-transforming the subgoal into one that cannot be proved.  The safe/unsafe
-distinction affects the proof search: if a proof attempt fails, the
-classical reasoner backtracks to the most recent unsafe rule application
-and makes another choice. 
-
-An important special case avoids all these complications.  A logical 
-equivalence, which in higher-order logic is an equality between 
-formulas, can be given to the classical 
-reasoner and simplifier by using the attribute \attrdx{iff}.  You 
-should do so if the right hand side of the equivalence is  
-simpler than the left-hand side.  
-
-For example, here is a simple fact about list concatenation. 
-The result of appending two lists is empty if and only if both 
-of the lists are themselves empty. Obviously, applying this equivalence 
-will result in a simpler goal. When stating this lemma, we include 
-the \attrdx{iff} attribute. Once we have proved the lemma, Isabelle 
-will make it known to the classical reasoner (and to the simplifier). 
-\begin{isabelle}
-\isacommand{lemma}\
-[iff]:\ "(xs{\isacharat}ys\ =\ [])\ =\
-(xs=[]\ \isasymand\ ys=[])"\isanewline
-\isacommand{apply}\ (induct_tac\ xs)\isanewline
-\isacommand{apply}\ (simp_all)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-This fact about multiplication is also appropriate for 
-the \attrdx{iff} attribute:
-\begin{isabelle}
-(\mbox{?m}\ *\ \mbox{?n}\ =\ 0)\ =\ (\mbox{?m}\ =\ 0\ \isasymor\ \mbox{?n}\ =\ 0)
-\end{isabelle}
-A product is zero if and only if one of the factors is zero.  The
-reasoning  involves a disjunction.  Proving new rules for
-disjunctive reasoning  is hard, but translating to an actual disjunction
-works:  the classical reasoner handles disjunction properly.
-
-In more detail, this is how the \attrdx{iff} attribute works.  It converts
-the equivalence $P=Q$ to a pair of rules: the introduction
-rule $Q\Imp P$ and the destruction rule $P\Imp Q$.  It gives both to the
-classical reasoner as safe rules, ensuring that all occurrences of $P$ in
-a subgoal are replaced by~$Q$.  The simplifier performs the same
-replacement, since \isa{iff} gives $P=Q$ to the
-simplifier.  
-
-Classical reasoning is different from
-simplification.  Simplification is deterministic.  It applies rewrite rules
-repeatedly, as long as possible, transforming a goal into another goal.  Classical
-reasoning uses search and backtracking in order to prove a goal outright.%
-\index{*blast (method)|)}%
-
-
-\section{Other Classical Reasoning Methods}
- 
-The \isa{blast} method is our main workhorse for proving theorems 
-automatically. Other components of the classical reasoner interact 
-with the simplifier. Still others perform classical reasoning 
-to a limited extent, giving the user fine control over the proof. 
-
-Of the latter methods, the most useful is 
-\methdx{clarify}.
-It performs 
-all obvious reasoning steps without splitting the goal into multiple 
-parts. It does not apply unsafe rules that could render the 
-goal unprovable. By performing the obvious 
-steps, \isa{clarify} lays bare the difficult parts of the problem, 
-where human intervention is necessary. 
-
-For example, the following conjecture is false:
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymforall}x.\ P\ x)\ \isasymand\
-({\isasymexists}x.\ Q\ x)\ \isasymlongrightarrow\ ({\isasymforall}x.\ P\ x\
-\isasymand\ Q\ x)"\isanewline
-\isacommand{apply}\ clarify
-\end{isabelle}
-The \isa{blast} method would simply fail, but \isa{clarify} presents 
-a subgoal that helps us see why we cannot continue the proof. 
-\begin{isabelle}
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk{\isasymforall}x.\ P\ x;\ Q\
-xa\isasymrbrakk\ \isasymLongrightarrow\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-The proof must fail because the assumption \isa{Q\ xa} and conclusion \isa{Q\ x}
-refer to distinct bound variables.  To reach this state, \isa{clarify} applied
-the introduction rules for \isa{\isasymlongrightarrow} and \isa{\isasymforall}
-and the elimination rule for \isa{\isasymand}.  It did not apply the introduction
-rule for  \isa{\isasymand} because of its policy never to split goals.
-
-Also available is \methdx{clarsimp}, a method
-that interleaves \isa{clarify} and \isa{simp}.  Also there is  \methdx{safe},
-which like \isa{clarify} performs obvious steps but even applies those that
-split goals.
-
-The \methdx{force} method applies the classical
-reasoner and simplifier  to one goal. 
-Unless it can prove the goal, it fails. Contrast 
-that with the \isa{auto} method, which also combines classical reasoning 
-with simplification. The latter's purpose is to prove all the 
-easy subgoals and parts of subgoals. Unfortunately, it can produce 
-large numbers of new subgoals; also, since it proves some subgoals 
-and splits others, it obscures the structure of the proof tree. 
-The \isa{force} method does not have these drawbacks. Another 
-difference: \isa{force} tries harder than {\isa{auto}} to prove 
-its goal, so it can take much longer to terminate.
-
-Older components of the classical reasoner have largely been 
-superseded by \isa{blast}, but they still have niche applications. 
-Most important among these are \isa{fast} and \isa{best}. While \isa{blast} 
-searches for proofs using a built-in first-order reasoner, these 
-earlier methods search for proofs using standard Isabelle inference. 
-That makes them slower but enables them to work in the 
-presence of the more unusual features of Isabelle rules, such 
-as type classes and function unknowns. For example, recall the introduction rule
-for Hilbert's $\varepsilon$-operator: 
-\begin{isabelle}
-?P\ ?x\ \isasymLongrightarrow\ ?P\ (SOME\ x.\ ?P x)
-\rulename{someI}
-\end{isabelle}
-%
-The repeated occurrence of the variable \isa{?P} makes this rule tricky 
-to apply. Consider this contrived example: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\isanewline
-\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ P\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)\
-\isasymand\ Q\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)"\isanewline
-\isacommand{apply}\ (rule\ someI)
-\end{isabelle}
-%
-We can apply rule \isa{someI} explicitly.  It yields the 
-following subgoal: 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P\ ?x\
-\isasymand\ Q\ ?x%
-\end{isabelle}
-The proof from this point is trivial.  Could we have
-proved the theorem with a single command? Not using \isa{blast}: it
-cannot perform  the higher-order unification needed here.  The
-\methdx{fast} method succeeds: 
-\begin{isabelle}
-\isacommand{apply}\ (fast\ intro!:\ someI)
-\end{isabelle}
-
-The \methdx{best} method is similar to
-\isa{fast} but it uses a  best-first search instead of depth-first search.
-Accordingly,  it is slower but is less susceptible to divergence.
-Transitivity  rules usually cause \isa{fast} to loop where \isa{best} 
-can often manage.
-
-Here is a summary of the classical reasoning methods:
-\begin{itemize}
-\item \methdx{blast} works automatically and is the fastest
-
-\item \methdx{clarify} and \methdx{clarsimp} perform obvious steps without
-splitting the goal;  \methdx{safe} even splits goals
-
-\item \methdx{force} uses classical reasoning and simplification to prove a goal;
- \methdx{auto} is similar but leaves what it cannot prove
-
-\item \methdx{fast} and \methdx{best} are legacy methods that work well with rules
-involving unusual features
-\end{itemize}
-A table illustrates the relationships among four of these methods. 
-\begin{center}
-\begin{tabular}{r|l|l|}
-           & no split   & split \\ \hline
-  no simp  & \methdx{clarify}    & \methdx{safe} \\ \hline
-     simp  & \methdx{clarsimp}   & \methdx{auto} \\ \hline
-\end{tabular}
-\end{center}
-
-\section{Finding More Theorems}
-\label{sec:find2}
-\input{document/find2.tex}
-
-
-\section{Forward Proof: Transforming Theorems}\label{sec:forward}
-
-\index{forward proof|(}%
-Forward proof means deriving new facts from old ones.  It is  the
-most fundamental type of proof.  Backward proof, by working  from goals to
-subgoals, can help us find a difficult proof.  But it is
-not always the best way of presenting the proof thus found.  Forward
-proof is particularly good for reasoning from the general
-to the specific.  For example, consider this distributive law for
-the greatest common divisor:
-\[ k\times\gcd(m,n) = \gcd(k\times m,k\times n)\]
-
-Putting $m=1$ we get (since $\gcd(1,n)=1$ and $k\times1=k$) 
-\[ k = \gcd(k,k\times n)\]
-We have derived a new fact; if re-oriented, it might be
-useful for simplification.  After re-orienting it and putting $n=1$, we
-derive another useful law: 
-\[ \gcd(k,k)=k \]
-Substituting values for variables --- instantiation --- is a forward step. 
-Re-orientation works by applying the symmetry of equality to 
-an equation, so it too is a forward step.  
-
-\subsection{Modifying a Theorem using {\tt\slshape of},  {\tt\slshape where}
- and {\tt\slshape THEN}}
-
-\label{sec:THEN}
-
-Let us reproduce our examples in Isabelle.  Recall that in
-{\S}\ref{sec:fun-simplification} we declared the recursive function
-\isa{gcd}:\index{*gcd (constant)|(}
-\begin{isabelle}
-\isacommand{fun}\ gcd\ ::\ "nat\ \isasymRightarrow \ nat\ \isasymRightarrow \ nat"\ \isakeyword{where}\isanewline
-\ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
-\end{isabelle}
-%
-From this definition, it is possible to prove the distributive law.  
-That takes us to the starting point for our example.
-\begin{isabelle}
-?k\ *\ gcd\ ?m\ ?n\ =\ gcd\ (?k\ *\ ?m)\ (?k\ *\ ?n)
-\rulename{gcd_mult_distrib2}
-\end{isabelle}
-%
-The first step in our derivation is to replace \isa{?m} by~1.  We instantiate the
-theorem using~\attrdx{of}, which identifies variables in order of their
-appearance from left to right.  In this case, the variables  are \isa{?k}, \isa{?m}
-and~\isa{?n}. So, the expression
-\hbox{\texttt{[of k 1]}} replaces \isa{?k} by~\isa{k} and \isa{?m}
-by~\isa{1}.
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult_0\ =\ gcd_mult_distrib2\ [of\ k\ 1]
-\end{isabelle}
-%
-The keyword \commdx{lemmas} declares a new theorem, which can be derived
-from an existing one using attributes such as \isa{[of~k~1]}.
-The command 
-\isa{thm gcd_mult_0}
-displays the result:
-\begin{isabelle}
-\ \ \ \ \ k\ *\ gcd\ 1\ ?n\ =\ gcd\ (k\ *\ 1)\ (k\ *\ ?n)
-\end{isabelle}
-Something is odd: \isa{k} is an ordinary variable, while \isa{?n} 
-is schematic.  We did not specify an instantiation 
-for \isa{?n}.  In its present form, the theorem does not allow 
-substitution for \isa{k}.  One solution is to avoid giving an instantiation for
-\isa{?k}: instead of a term we can put an underscore~(\isa{_}).  For example,
-\begin{isabelle}
-\ \ \ \ \ gcd_mult_distrib2\ [of\ _\ 1]
-\end{isabelle}
-replaces \isa{?m} by~\isa{1} but leaves \isa{?k} unchanged.  
-
-An equivalent solution is to use the attribute \isa{where}. 
-\begin{isabelle}
-\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1]
-\end{isabelle}
-While \isa{of} refers to
-variables by their position, \isa{where} refers to variables by name. Multiple
-instantiations are separated by~\isa{and}, as in this example:
-\begin{isabelle}
-\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1\ and\ k=1]
-\end{isabelle}
-
-We now continue the present example with the version of \isa{gcd_mult_0}
-shown above, which has \isa{k} instead of \isa{?k}.
-Once we have replaced \isa{?m} by~1, we must next simplify
-the theorem \isa{gcd_mult_0}, performing the steps 
-$\gcd(1,n)=1$ and $k\times1=k$.  The \attrdx{simplified}
-attribute takes a theorem
-and returns the result of simplifying it, with respect to the default
-simplification rules:
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult_1\ =\ gcd_mult_0\
-[simplified]%
-\end{isabelle}
-%
-Again, we display the resulting theorem:
-\begin{isabelle}
-\ \ \ \ \ k\ =\ gcd\ k\ (k\ *\ ?n)
-\end{isabelle}
-%
-To re-orient the equation requires the symmetry rule:
-\begin{isabelle}
-?s\ =\ ?t\
-\isasymLongrightarrow\ ?t\ =\
-?s%
-\rulenamedx{sym}
-\end{isabelle}
-The following declaration gives our equation to \isa{sym}:
-\begin{isabelle}
-\ \ \ \isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_1\ [THEN\ sym]
-\end{isabelle}
-%
-Here is the result:
-\begin{isabelle}
-\ \ \ \ \ gcd\ k\ (k\ *\ ?n)\ =\ k%
-\end{isabelle}
-\isa{THEN~sym}\indexbold{*THEN (attribute)} gives the current theorem to the
-rule \isa{sym} and returns the resulting conclusion.  The effect is to
-exchange the two operands of the equality. Typically \isa{THEN} is used
-with destruction rules.  Also useful is \isa{THEN~spec}, which removes the
-quantifier from a theorem of the form $\forall x.\,P$, and \isa{THEN~mp},
-which converts the implication $P\imp Q$ into the rule
-$\vcenter{\infer{Q}{P}}$. Similar to \isa{mp} are the following two rules,
-which extract  the two directions of reasoning about a boolean equivalence:
-\begin{isabelle}
-\isasymlbrakk?Q\ =\ ?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulenamedx{iffD1}%
-\isanewline
-\isasymlbrakk?P\ =\ ?Q;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulenamedx{iffD2}
-\end{isabelle}
-%
-Normally we would never name the intermediate theorems
-such as \isa{gcd_mult_0} and \isa{gcd_mult_1} but would combine
-the three forward steps: 
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym]%
-\end{isabelle}
-The directives, or attributes, are processed from left to right.  This
-declaration of \isa{gcd_mult} is equivalent to the
-previous one.
-
-Such declarations can make the proof script hard to read.  Better   
-is to state the new lemma explicitly and to prove it using a single
-\isa{rule} method whose operand is expressed using forward reasoning:
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_mult\ [simp]:\ "gcd\ k\ (k*n)\ =\ k"\isanewline
-\isacommand{by}\ (rule\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym])
-\end{isabelle}
-Compared with the previous proof of \isa{gcd_mult}, this
-version shows the reader what has been proved.  Also, the result will be processed
-in the normal way.  In particular, Isabelle generalizes over all variables: the
-resulting theorem will have {\isa{?k}} instead of {\isa{k}}.
-
-At the start  of this section, we also saw a proof of $\gcd(k,k)=k$.  Here
-is the Isabelle version:\index{*gcd (constant)|)}
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_self\ [simp]:\ "gcd\ k\ k\ =\ k"\isanewline
-\isacommand{by}\ (rule\ gcd_mult\ [of\ k\ 1,\ simplified])
-\end{isabelle}
-
-\begin{warn}
-To give~\isa{of} a nonatomic term, enclose it in quotation marks, as in
-\isa{[of "k*m"]}.  The term must not contain unknowns: an
-attribute such as 
-\isa{[of "?k*m"]} will be rejected.
-\end{warn}
-
-%Answer is now included in that section! Is a modified version of this
-%  exercise worth including? E.g. find a difference between the two ways
-%  of substituting.
-%\begin{exercise}
-%In {\S}\ref{sec:subst} the method \isa{subst\ mult_commute} was applied.  How
-%can we achieve the same effect using \isa{THEN} with the rule \isa{ssubst}?
-%% answer  rule (mult_commute [THEN ssubst])
-%\end{exercise}
-
-\subsection{Modifying a Theorem using {\tt\slshape OF}}
-
-\index{*OF (attribute)|(}%
-Recall that \isa{of} generates an instance of a
-rule by specifying values for its variables.  Analogous is \isa{OF}, which
-generates an instance of a rule by specifying facts for its premises.  
-
-We again need the divides relation\index{divides relation} of number theory, which
-as we recall is defined by 
-\begin{isabelle}
-?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
-\rulename{dvd_def}
-\end{isabelle}
-%
-Suppose, for example, that we have proved the following rule.  
-It states that if $k$ and $n$ are relatively prime
-and if $k$ divides $m\times n$ then $k$ divides $m$.
-\begin{isabelle}
-\isasymlbrakk gcd ?k ?n {=} 1;\ ?k\ dvd\ ?m * ?n\isasymrbrakk\
-\isasymLongrightarrow\ ?k\ dvd\ ?m
-\rulename{relprime_dvd_mult}
-\end{isabelle}
-We can use \isa{OF} to create an instance of this rule.
-First, we
-prove an instance of its first premise:
-\begin{isabelle}
-\isacommand{lemma}\ relprime\_20\_81:\ "gcd\ 20\ 81\ =\ 1"\isanewline
-\isacommand{by}\ (simp\ add:\ gcd.simps)
-\end{isabelle}
-We have evaluated an application of the \isa{gcd} function by
-simplification.  Expression evaluation involving recursive functions is not
-guaranteed to terminate, and it can be slow; Isabelle
-performs arithmetic by  rewriting symbolic bit strings.  Here,
-however, the simplification takes less than one second.  We can
-give this new lemma to \isa{OF}.  The expression
-\begin{isabelle}
-\ \ \ \ \ relprime_dvd_mult [OF relprime_20_81]
-\end{isabelle}
-yields the theorem
-\begin{isabelle}
-\ \ \ \ \ 20\ dvd\ (?m\ *\ 81)\ \isasymLongrightarrow\ 20\ dvd\ ?m%
-\end{isabelle}
-%
-\isa{OF} takes any number of operands.  Consider 
-the following facts about the divides relation: 
-\begin{isabelle}
-\isasymlbrakk?k\ dvd\ ?m;\
-?k\ dvd\ ?n\isasymrbrakk\
-\isasymLongrightarrow\ ?k\ dvd\
-?m\ +\ ?n
-\rulename{dvd_add}\isanewline
-?m\ dvd\ ?m%
-\rulename{dvd_refl}
-\end{isabelle}
-Let us supply \isa{dvd_refl} for each of the premises of \isa{dvd_add}:
-\begin{isabelle}
-\ \ \ \ \ dvd_add [OF dvd_refl dvd_refl]
-\end{isabelle}
-Here is the theorem that we have expressed: 
-\begin{isabelle}
-\ \ \ \ \ ?k\ dvd\ (?k\ +\ ?k)
-\end{isabelle}
-As with \isa{of}, we can use the \isa{_} symbol to leave some positions
-unspecified:
-\begin{isabelle}
-\ \ \ \ \ dvd_add [OF _ dvd_refl]
-\end{isabelle}
-The result is 
-\begin{isabelle}
-\ \ \ \ \ ?k\ dvd\ ?m\ \isasymLongrightarrow\ ?k\ dvd\ ?m\ +\ ?k
-\end{isabelle}
-
-You may have noticed that \isa{THEN} and \isa{OF} are based on 
-the same idea, namely to combine two rules.  They differ in the
-order of the combination and thus in their effect.  We use \isa{THEN}
-typically with a destruction rule to extract a subformula of the current
-theorem.  We use \isa{OF} with a list of facts to generate an instance of
-the current theorem.%
-\index{*OF (attribute)|)}
-
-Here is a summary of some primitives for forward reasoning:
-\begin{itemize}
-\item \attrdx{of} instantiates the variables of a rule to a list of terms
-\item \attrdx{OF} applies a rule to a list of theorems
-\item \attrdx{THEN} gives a theorem to a named rule and returns the
-conclusion 
-%\item \attrdx{rule_format} puts a theorem into standard form
-%  by removing \isa{\isasymlongrightarrow} and~\isa{\isasymforall}
-\item \attrdx{simplified} applies the simplifier to a theorem
-\item \isacommand{lemmas} assigns a name to the theorem produced by the
-attributes above
-\end{itemize}
-
-
-\section{Forward Reasoning in a Backward Proof}
-
-We have seen that the forward proof directives work well within a backward 
-proof.  There are many ways to achieve a forward style using our existing
-proof methods.  We shall also meet some new methods that perform forward
-reasoning.  
-
-The methods \isa{drule}, \isa{frule}, \isa{drule_tac}, etc.,
-reason forward from a subgoal.  We have seen them already, using rules such as
-\isa{mp} and
-\isa{spec} to operate on formulae.  They can also operate on terms, using rules
-such as these:
-\begin{isabelle}
-x\ =\ y\ \isasymLongrightarrow \ f\ x\ =\ f\ y%
-\rulenamedx{arg_cong}\isanewline
-i\ \isasymle \ j\ \isasymLongrightarrow \ i\ *\ k\ \isasymle \ j\ *\ k%
-\rulename{mult_le_mono1}
-\end{isabelle}
-
-For example, let us prove a fact about divisibility in the natural numbers:
-\begin{isabelle}
-\isacommand{lemma}\ "2\ \isasymle \ u\ \isasymLongrightarrow \ u*m\ \isasymnoteq
-\ Suc(u*n)"\isanewline
-\isacommand{apply}\ (intro\ notI)\isanewline
-\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ =\ Suc\ (u\ *\ n)\isasymrbrakk \ \isasymLongrightarrow \ False%
-\end{isabelle}
-%
-The key step is to apply the function \ldots\isa{mod\ u} to both sides of the
-equation
-\isa{u*m\ =\ Suc(u*n)}:\index{*drule_tac (method)}
-\begin{isabelle}
-\isacommand{apply}\ (drule_tac\ f="\isasymlambda x.\ x\ mod\ u"\ \isakeyword{in}\
-arg_cong)\isanewline
-\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ mod\ u\ =\ Suc\ (u\ *\ n)\ mod\
-u\isasymrbrakk \ \isasymLongrightarrow \ False
-\end{isabelle}
-%
-Simplification reduces the left side to 0 and the right side to~1, yielding the
-required contradiction.
-\begin{isabelle}
-\isacommand{apply}\ (simp\ add:\ mod_Suc)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-Our proof has used a fact about remainder:
-\begin{isabelle}
-Suc\ m\ mod\ n\ =\isanewline
-(if\ Suc\ (m\ mod\ n)\ =\ n\ then\ 0\ else\ Suc\ (m\ mod\ n))
-\rulename{mod_Suc}
-\end{isabelle}
-
-\subsection{The Method {\tt\slshape insert}}
-
-\index{*insert (method)|(}%
-The \isa{insert} method
-inserts a given theorem as a new assumption of all subgoals.  This
-already is a forward step; moreover, we may (as always when using a
-theorem) apply
-\isa{of}, \isa{THEN} and other directives.  The new assumption can then
-be used to help prove the subgoals.
-
-For example, consider this theorem about the divides relation.  The first
-proof step inserts the distributive law for
-\isa{gcd}.  We specify its variables as shown. 
-\begin{isabelle}
-\isacommand{lemma}\ relprime\_dvd\_mult:\ \isanewline
-\ \ \ \ \ \ "\isasymlbrakk \ gcd\ k\ n\ =\ 1;\ k\ dvd\ m*n\ \isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ m"\isanewline
-\isacommand{apply}\ (insert\ gcd_mult_distrib2\ [of\ m\ k\ n])
-\end{isabelle}
-In the resulting subgoal, note how the equation has been 
-inserted: 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ 1;\ k\ dvd\ m\ *\ n;\ m\ *\ gcd\ k\ n\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
-\end{isabelle}
-The next proof step utilizes the assumption \isa{gcd\ k\ n\ =\ 1}
-(note that \isa{Suc\ 0} is another expression for 1):
-\begin{isabelle}
-\isacommand{apply}(simp)\isanewline
-\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ Suc\ 0;\ k\ dvd\ m\ *\ n;\ m\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
-\end{isabelle}
-Simplification has yielded an equation for~\isa{m}.  The rest of the proof
-is omitted.
-
-\medskip
-Here is another demonstration of \isa{insert}.  Division and
-remainder obey a well-known law: 
-\begin{isabelle}
-(?m\ div\ ?n)\ *\ ?n\ +\ ?m\ mod\ ?n\ =\ ?m
-\rulename{mod_div_equality}
-\end{isabelle}
-
-We refer to this law explicitly in the following proof: 
-\begin{isabelle}
-\isacommand{lemma}\ div_mult_self_is_m:\ \isanewline
-\ \ \ \ \ \ "0{\isacharless}n\ \isasymLongrightarrow\ (m*n)\ div\ n\ =\
-(m::nat)"\isanewline
-\isacommand{apply}\ (insert\ mod_div_equality\ [of\ "m*n"\ n])\isanewline
-\isacommand{apply}\ (simp)\isanewline
-\isacommand{done}
-\end{isabelle}
-The first step inserts the law, specifying \isa{m*n} and
-\isa{n} for its variables.  Notice that non-trivial expressions must be
-enclosed in quotation marks.  Here is the resulting 
-subgoal, with its new assumption: 
-\begin{isabelle}
-%0\ \isacharless\ n\ \isasymLongrightarrow\ (m\
-%*\ n)\ div\ n\ =\ m\isanewline
-\ 1.\ \isasymlbrakk0\ \isacharless\
-n;\ \ (m\ *\ n)\ div\ n\ *\ n\ +\ (m\ *\ n)\ mod\ n\
-=\ m\ *\ n\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ (m\ *\ n)\ div\ n\
-=\ m
-\end{isabelle}
-Simplification reduces \isa{(m\ *\ n)\ mod\ n} to zero.
-Then it cancels the factor~\isa{n} on both
-sides of the equation \isa{(m\ *\ n)\ div\ n\ *\ n\ =\ m\ *\ n}, proving the
-theorem.
-
-\begin{warn}
-Any unknowns in the theorem given to \methdx{insert} will be universally
-quantified in the new assumption.
-\end{warn}%
-\index{*insert (method)|)}
-
-\subsection{The Method {\tt\slshape subgoal_tac}}
-
-\index{*subgoal_tac (method)}%
-A related method is \isa{subgoal_tac}, but instead
-of inserting  a theorem as an assumption, it inserts an arbitrary formula. 
-This formula must be proved later as a separate subgoal. The 
-idea is to claim that the formula holds on the basis of the current 
-assumptions, to use this claim to complete the proof, and finally 
-to justify the claim. It gives the proof 
-some structure.  If you find yourself generating a complex assumption by a
-long series of forward steps, consider using \isa{subgoal_tac} instead: you can
-state the formula you are aiming for, and perhaps prove it automatically.
-
-Look at the following example. 
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk(z::int)\ <\ 37;\ 66\ <\ 2*z;\ z*z\
-\isasymnoteq\ 1225;\ Q(34);\ Q(36)\isasymrbrakk\isanewline
-\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ Q(z)"\isanewline
-\isacommand{apply}\ (subgoal_tac\ "z\ =\ 34\ \isasymor\ z\ =\
-36")\isanewline
-\isacommand{apply}\ blast\isanewline
-\isacommand{apply}\ (subgoal_tac\ "z\ \isasymnoteq\ 35")\isanewline
-\isacommand{apply}\ arith\isanewline
-\isacommand{apply}\ force\isanewline
-\isacommand{done}
-\end{isabelle}
-The first assumption tells us 
-that \isa{z} is no greater than~36. The second tells us that \isa{z} 
-is at least~34. The third assumption tells us that \isa{z} cannot be 35, since
-$35\times35=1225$.  So \isa{z} is either 34 or~36, and since \isa{Q} holds for
-both of those  values, we have the conclusion. 
-
-The Isabelle proof closely follows this reasoning. The first 
-step is to claim that \isa{z} is either 34 or 36. The resulting proof 
-state gives us two subgoals: 
-\begin{isabelle}
-%\isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\
-%Q\ 34;\ Q\ 36\isasymrbrakk\ \isasymLongrightarrow\ Q\ z\isanewline
-\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36;\isanewline
-\ \ \ \ \ z\ =\ 34\ \isasymor\ z\ =\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ Q\ z\isanewline
-\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36
-\end{isabelle}
-The first subgoal is trivial (\isa{blast}), but for the second Isabelle needs help to eliminate
-the case
-\isa{z}=35.  The second invocation  of {\isa{subgoal_tac}} leaves two
-subgoals: 
-\begin{isabelle}
-\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\
-1225;\ Q\ 34;\ Q\ 36;\isanewline
-\ \ \ \ \ z\ \isasymnoteq\ 35\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36\isanewline
-\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ \isasymnoteq\ 35
-\end{isabelle}
-
-Assuming that \isa{z} is not 35, the first subgoal follows by linear arithmetic
-(\isa{arith}). For the second subgoal we apply the method \isa{force}, 
-which proceeds by assuming that \isa{z}=35 and arriving at a contradiction.
-
-
-\medskip
-Summary of these methods:
-\begin{itemize}
-\item \methdx{insert} adds a theorem as a new assumption
-\item \methdx{subgoal_tac} adds a formula as a new assumption and leaves the
-subgoal of proving that formula
-\end{itemize}
-\index{forward proof|)}
-
-
-\section{Managing Large Proofs}
-
-Naturally you should try to divide proofs into manageable parts.  Look for lemmas
-that can be proved separately.  Sometimes you will observe that they are
-instances of much simpler facts.  On other occasions, no lemmas suggest themselves
-and you are forced to cope with a long proof involving many subgoals.  
-
-\subsection{Tacticals, or Control Structures}
-
-\index{tacticals|(}%
-If the proof is long, perhaps it at least has some regularity.  Then you can
-express it more concisely using \textbf{tacticals}, which provide control
-structures.  Here is a proof (it would be a one-liner using
-\isa{blast}, but forget that) that contains a series of repeated
-commands:
-%
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\
-Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \
-\isasymLongrightarrow \ S"\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (assumption)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-Each of the three identical commands finds an implication and proves its
-antecedent by assumption.  The first one finds \isa{P\isasymlongrightarrow Q} and
-\isa{P}, concluding~\isa{Q}; the second one concludes~\isa{R} and the third one
-concludes~\isa{S}.  The final step matches the assumption \isa{S} with the goal to
-be proved.
-
-Suffixing a method with a plus sign~(\isa+)\index{*"+ (tactical)}
-expresses one or more repetitions:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\ Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \ \isasymLongrightarrow \ S"\isanewline
-\isacommand{by}\ (drule\ mp,\ assumption)+
-\end{isabelle}
-%
-Using \isacommand{by} takes care of the final use of \isa{assumption}.  The new
-proof is more concise.  It is also more general: the repetitive method works
-for a chain of implications having any length, not just three.
-
-Choice is another control structure.  Separating two methods by a vertical
-% we must use ?? rather than "| as the sorting item because somehow the presence
-% of | (even quoted) stops hyperref from putting |hyperpage at the end of the index
-% entry.
-bar~(\isa|)\index{??@\texttt{"|} (tactical)}  gives the effect of applying the
-first method, and if that fails, trying the second.  It can be combined with
-repetition, when the choice must be made over and over again.  Here is a chain of
-implications in which most of the antecedents are proved by assumption, but one is
-proved by arithmetic:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ x<5\isasymlongrightarrow P;\
-Suc\ x\ <\ 5\isasymrbrakk \ \isasymLongrightarrow \ R"\ \isanewline
-\isacommand{by}\ (drule\ mp,\ (assumption|arith))+
-\end{isabelle}
-The \isa{arith}
-method can prove $x<5$ from $x+1<5$, but it cannot duplicate the effect of
-\isa{assumption}.  Therefore, we combine these methods using the choice
-operator.
-
-A postfixed question mark~(\isa?)\index{*"? (tactical)} expresses zero or one
-repetitions of a method.  It can also be viewed as the choice between executing a
-method and doing nothing.  It is useless at top level but can be valuable
-within other control structures; for example, 
-\isa{($m$+)?} performs zero or more repetitions of method~$m$.%
-\index{tacticals|)}
-
-
-\subsection{Subgoal Numbering}
-
-Another problem in large proofs is contending with huge
-subgoals or many subgoals.  Induction can produce a proof state that looks
-like this:
-\begin{isabelle}
-\ 1.\ bigsubgoal1\isanewline
-\ 2.\ bigsubgoal2\isanewline
-\ 3.\ bigsubgoal3\isanewline
-\ 4.\ bigsubgoal4\isanewline
-\ 5.\ bigsubgoal5\isanewline
-\ 6.\ bigsubgoal6
-\end{isabelle}
-If each \isa{bigsubgoal} is 15 lines or so, the proof state will be too big to
-scroll through.  By default, Isabelle displays at most 10 subgoals.  The 
-\commdx{pr} command lets you change this limit:
-\begin{isabelle}
-\isacommand{pr}\ 2\isanewline
-\ 1.\ bigsubgoal1\isanewline
-\ 2.\ bigsubgoal2\isanewline
-A total of 6 subgoals...
-\end{isabelle}
-
-\medskip
-All methods apply to the first subgoal.
-Sometimes, not only in a large proof, you may want to focus on some other
-subgoal.  Then you should try the commands \isacommand{defer} or \isacommand{prefer}.
-
-In the following example, the first subgoal looks hard, while the others
-look as if \isa{blast} alone could prove them:
-\begin{isabelle}
-\ 1.\ hard\isanewline
-\ 2.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
-\ 3.\ Q\ \isasymLongrightarrow \ Q%
-\end{isabelle}
-%
-The \commdx{defer} command moves the first subgoal into the last position.
-\begin{isabelle}
-\isacommand{defer}\ 1\isanewline
-\ 1.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow \ Q\isanewline
-\ 3.\ hard%
-\end{isabelle}
-%
-Now we apply \isa{blast} repeatedly to the easy subgoals:
-\begin{isabelle}
-\isacommand{apply}\ blast+\isanewline
-\ 1.\ hard%
-\end{isabelle}
-Using \isacommand{defer}, we have cleared away the trivial parts of the proof so
-that we can devote attention to the difficult part.
-
-\medskip
-The \commdx{prefer} command moves the specified subgoal into the
-first position.  For example, if you suspect that one of your subgoals is
-invalid (not a theorem), then you should investigate that subgoal first.  If it
-cannot be proved, then there is no point in proving the other subgoals.
-\begin{isabelle}
-\ 1.\ ok1\isanewline
-\ 2.\ ok2\isanewline
-\ 3.\ doubtful%
-\end{isabelle}
-%
-We decide to work on the third subgoal.
-\begin{isabelle}
-\isacommand{prefer}\ 3\isanewline
-\ 1.\ doubtful\isanewline
-\ 2.\ ok1\isanewline
-\ 3.\ ok2
-\end{isabelle}
-If we manage to prove \isa{doubtful}, then we can work on the other
-subgoals, confident that we are not wasting our time.  Finally we revise the
-proof script to remove the \isacommand{prefer} command, since we needed it only to
-focus our exploration.  The previous example is different: its use of
-\isacommand{defer} stops trivial subgoals from cluttering the rest of the
-proof.  Even there, we should consider proving \isa{hard} as a preliminary
-lemma.  Always seek ways to streamline your proofs.
- 
-
-\medskip
-Summary:
-\begin{itemize}
-\item the control structures \isa+, \isa? and \isa| help express complicated proofs
-\item the \isacommand{pr} command can limit the number of subgoals to display
-\item the \isacommand{defer} and \isacommand{prefer} commands move a 
-subgoal to the last or first position
-\end{itemize}
-
-\begin{exercise}
-Explain the use of \isa? and \isa+ in this proof.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymand Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ R"\isanewline
-\isacommand{by}\ (drule\ mp,\ (intro conjI)?,\ assumption+)+
-\end{isabelle}
-\end{exercise}
-
-
-
-\section{Proving the Correctness of Euclid's Algorithm}
-\label{sec:proving-euclid}
-
-\index{Euclid's algorithm|(}\index{*gcd (constant)|(}\index{divides relation|(}%
-A brief development will demonstrate the techniques of this chapter,
-including \isa{blast} applied with additional rules.  We shall also see
-\isa{case_tac} used to perform a Boolean case split.
-
-Let us prove that \isa{gcd} computes the greatest common
-divisor of its two arguments.  
-%
-We use induction: \isa{gcd.induct} is the
-induction rule returned by \isa{fun}.  We simplify using
-rules proved in {\S}\ref{sec:fun-simplification}, since rewriting by the
-definition of \isa{gcd} can loop.
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_dvd\_both:\ "(gcd\ m\ n\ dvd\ m)\ \isasymand \ (gcd\ m\ n\ dvd\ n)"
-\end{isabelle}
-The induction formula must be a conjunction.  In the
-inductive step, each conjunct establishes the other. 
-\begin{isabelle}
-\ 1.\ \isasymAnd m\ n.\ (n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n)\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
-\end{isabelle}
-
-The conditional induction hypothesis suggests doing a case
-analysis on \isa{n=0}.  We apply \methdx{case_tac} with type
-\isa{bool} --- and not with a datatype, as we have done until now.  Since
-\isa{nat} is a datatype, we could have written
-\isa{case_tac~n} instead of \isa{case_tac~"n=0"}.  However, the definition
-of \isa{gcd} makes a Boolean decision:
-\begin{isabelle}
-\ \ \ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
-\end{isabelle}
-Proofs about a function frequently follow the function's definition, so we perform
-case analysis over the same formula.
-\begin{isabelle}
-\isacommand{apply}\ (case_tac\ "n=0")\isanewline
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n\isanewline
-\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
-\end{isabelle}
-%
-Simplification leaves one subgoal: 
-\begin{isabelle}
-\isacommand{apply}\ (simp_all)\isanewline
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }0\ <\ n\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ n\ (m\ mod\ n)\ dvd\ m%
-\end{isabelle}
-%
-Here, we can use \isa{blast}.  
-One of the assumptions, the induction hypothesis, is a conjunction. 
-The two divides relationships it asserts are enough to prove 
-the conclusion, for we have the following theorem at our disposal: 
-\begin{isabelle}
-\isasymlbrakk?k\ dvd\ (?m\ mod\ ?n){;}\ ?k\ dvd\ ?n\isasymrbrakk\ \isasymLongrightarrow\ ?k\ dvd\ ?m%
-\rulename{dvd_mod_imp_dvd}
-\end{isabelle}
-%
-This theorem can be applied in various ways.  As an introduction rule, it
-would cause backward chaining from  the conclusion (namely
-\isa{?k~dvd~?m}) to the two premises, which 
-also involve the divides relation. This process does not look promising
-and could easily loop.  More sensible is  to apply the rule in the forward
-direction; each step would eliminate an occurrence of the \isa{mod} symbol, so the
-process must terminate.  
-\begin{isabelle}
-\isacommand{apply}\ (blast\ dest:\ dvd_mod_imp_dvd)\isanewline
-\isacommand{done}
-\end{isabelle}
-Attaching the \attrdx{dest} attribute to \isa{dvd_mod_imp_dvd} tells
-\isa{blast} to use it as destruction rule; that is, in the forward direction.
-
-\medskip
-We have proved a conjunction.  Now, let us give names to each of the
-two halves:
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_dvd1\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct1]\isanewline
-\isacommand{lemmas}\ gcd_dvd2\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct2]%
-\end{isabelle}
-Here we see \commdx{lemmas}
-used with the \attrdx{iff} attribute, which supplies the new theorems to the
-classical reasoner and the simplifier.  Recall that \attrdx{THEN} is
-frequently used with destruction rules; \isa{THEN conjunct1} extracts the
-first half of a conjunctive theorem.  Given \isa{gcd_dvd_both} it yields
-\begin{isabelle}
-\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?m1
-\end{isabelle}
-The variable names \isa{?m1} and \isa{?n1} arise because
-Isabelle renames schematic variables to prevent 
-clashes.  The second \isacommand{lemmas} declaration yields
-\begin{isabelle}
-\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?n1
-\end{isabelle}
-
-\medskip
-To complete the verification of the \isa{gcd} function, we must 
-prove that it returns the greatest of all the common divisors 
-of its arguments.  The proof is by induction, case analysis and simplification.
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_greatest\ [rule\_format]:\isanewline
-\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
-\end{isabelle}
-%
-The goal is expressed using HOL implication,
-\isa{\isasymlongrightarrow}, because the induction affects the two
-preconditions.  The directive \isa{rule_format} tells Isabelle to replace
-each \isa{\isasymlongrightarrow} by \isa{\isasymLongrightarrow} before
-storing the eventual theorem.  This directive can also remove outer
-universal quantifiers, converting the theorem into the usual format for
-inference rules.  It can replace any series of applications of
-\isa{THEN} to the rules \isa{mp} and \isa{spec}.  We did not have to
-write this:
-\begin{isabelle}
-\isacommand{lemma}\ gcd_greatest\
-[THEN mp, THEN mp]:\isanewline
-\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
-\end{isabelle}
-
-Because we are again reasoning about \isa{gcd}, we perform the same
-induction and case analysis as in the previous proof:
-\begingroup\samepage
-\begin{isabelle}
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n\isanewline
-\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n%
-\end{isabelle}
-\endgroup
-
-\noindent Simplification proves both subgoals. 
-\begin{isabelle}
-\isacommand{apply}\ (simp_all\ add:\ dvd_mod)\isanewline
-\isacommand{done}
-\end{isabelle}
-In the first, where \isa{n=0}, the implication becomes trivial: \isa{k\ dvd\
-gcd\ m\ n} goes to~\isa{k\ dvd\ m}.  The second subgoal is proved by
-an unfolding of \isa{gcd}, using this rule about divides:
-\begin{isabelle}
-\isasymlbrakk ?f\ dvd\ ?m;\ ?f\ dvd\ ?n\isasymrbrakk \
-\isasymLongrightarrow \ ?f\ dvd\ ?m\ mod\ ?n%
-\rulename{dvd_mod}
-\end{isabelle}
-
-
-\medskip
-The facts proved above can be summarized as a single logical 
-equivalence.  This step gives us a chance to see another application
-of \isa{blast}.
-\begin{isabelle}
-\isacommand{theorem}\ gcd\_greatest\_iff\ [iff]:\ \isanewline
-\ \ \ \ \ \ \ \ "(k\ dvd\ gcd\ m\ n)\ =\ (k\ dvd\ m\ \isasymand \ k\ dvd\ n)"\isanewline
-\isacommand{by}\ (blast\ intro!:\ gcd_greatest\ intro:\ dvd_trans)
-\end{isabelle}
-This theorem concisely expresses the correctness of the \isa{gcd} 
-function. 
-We state it with the \isa{iff} attribute so that 
-Isabelle can use it to remove some occurrences of \isa{gcd}. 
-The theorem has a one-line 
-proof using \isa{blast} supplied with two additional introduction 
-rules. The exclamation mark 
-({\isa{intro}}{\isa{!}})\ signifies safe rules, which are 
-applied aggressively.  Rules given without the exclamation mark 
-are applied reluctantly and their uses can be undone if 
-the search backtracks.  Here the unsafe rule expresses transitivity  
-of the divides relation:
-\begin{isabelle}
-\isasymlbrakk?m\ dvd\ ?n;\ ?n\ dvd\ ?p\isasymrbrakk\ \isasymLongrightarrow\ ?m\ dvd\ ?p%
-\rulename{dvd_trans}
-\end{isabelle}
-Applying \isa{dvd_trans} as 
-an introduction rule entails a risk of looping, for it multiplies 
-occurrences of the divides symbol. However, this proof relies 
-on transitivity reasoning.  The rule {\isa{gcd\_greatest}} is safe to apply 
-aggressively because it yields simpler subgoals.  The proof implicitly
-uses \isa{gcd_dvd1} and \isa{gcd_dvd2} as safe rules, because they were
-declared using \isa{iff}.%
-\index{Euclid's algorithm|)}\index{*gcd (constant)|)}\index{divides relation|)}
--- a/doc-src/TutorialI/Sets/sets.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1069 +0,0 @@
-\chapter{Sets, Functions and Relations}
-
-This chapter describes the formalization of typed set theory, which is
-the basis of much else in HOL\@.  For example, an
-inductive definition yields a set, and the abstract theories of relations
-regard a relation as a set of pairs.  The chapter introduces the well-known
-constants such as union and intersection, as well as the main operations on relations, such as converse, composition and
-transitive closure.  Functions are also covered.  They are not sets in
-HOL, but many of their properties concern sets: the range of a
-function is a set, and the inverse image of a function maps sets to sets.
-
-This chapter will be useful to anybody who plans to develop a substantial
-proof.  Sets are convenient for formalizing  computer science concepts such
-as grammars, logical calculi and state transition systems.  Isabelle can
-prove many statements involving sets automatically.
-
-This chapter ends with a case study concerning model checking for the
-temporal logic CTL\@.  Most of the other examples are simple.  The
-chapter presents a small selection of built-in theorems in order to point
-out some key properties of the various constants and to introduce you to
-the notation. 
-
-Natural deduction rules are provided for the set theory constants, but they
-are seldom used directly, so only a few are presented here.  
-
-
-\section{Sets}
-
-\index{sets|(}%
-HOL's set theory should not be confused with traditional,  untyped set
-theory, in which everything is a set.  Our sets are typed. In a given set,
-all elements have the same type, say~$\tau$,  and the set itself has type
-$\tau$~\tydx{set}. 
-
-We begin with \textbf{intersection}, \textbf{union} and
-\textbf{complement}. In addition to the
-\textbf{membership relation}, there  is a symbol for its negation. These
-points can be seen below.  
-
-Here are the natural deduction rules for \rmindex{intersection}.  Note
-the  resemblance to those for conjunction.  
-\begin{isabelle}
-\isasymlbrakk c\ \isasymin\ A;\ c\ \isasymin\ B\isasymrbrakk\ 
-\isasymLongrightarrow\ c\ \isasymin\ A\ \isasyminter\ B%
-\rulenamedx{IntI}\isanewline
-c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ A
-\rulenamedx{IntD1}\isanewline
-c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ B
-\rulenamedx{IntD2}
-\end{isabelle}
-
-Here are two of the many installed theorems concerning set
-complement.\index{complement!of a set}
-Note that it is denoted by a minus sign.
-\begin{isabelle}
-(c\ \isasymin\ -\ A)\ =\ (c\ \isasymnotin\ A)
-\rulenamedx{Compl_iff}\isanewline
--\ (A\ \isasymunion\ B)\ =\ -\ A\ \isasyminter\ -\ B
-\rulename{Compl_Un}
-\end{isabelle}
-
-Set \textbf{difference}\indexbold{difference!of sets} is the intersection
-of a set with the  complement of another set. Here we also see the syntax
-for the  empty set and for the universal set. 
-\begin{isabelle}
-A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright
-\rulename{Diff_disjoint}\isanewline
-A\ \isasymunion\ -\ A\ =\ UNIV%
-\rulename{Compl_partition}
-\end{isabelle}
-
-The \bfindex{subset relation} holds between two sets just if every element 
-of one is also an element of the other. This relation is reflexive.  These
-are its natural deduction rules:
-\begin{isabelle}
-({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ x\ \isasymin\ B)\ \isasymLongrightarrow\ A\ \isasymsubseteq\ B%
-\rulenamedx{subsetI}%
-\par\smallskip%          \isanewline didn't leave enough space
-\isasymlbrakk A\ \isasymsubseteq\ B;\ c\ \isasymin\
-A\isasymrbrakk\ \isasymLongrightarrow\ c\
-\isasymin\ B%
-\rulenamedx{subsetD}
-\end{isabelle}
-In harder proofs, you may need to apply \isa{subsetD} giving a specific term
-for~\isa{c}.  However, \isa{blast} can instantly prove facts such as this
-one: 
-\begin{isabelle}
-(A\ \isasymunion\ B\ \isasymsubseteq\ C)\ =\
-(A\ \isasymsubseteq\ C\ \isasymand\ B\ \isasymsubseteq\ C)
-\rulenamedx{Un_subset_iff}
-\end{isabelle}
-Here is another example, also proved automatically:
-\begin{isabelle}
-\isacommand{lemma}\ "(A\
-\isasymsubseteq\ -B)\ =\ (B\ \isasymsubseteq\ -A)"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-%
-This is the same example using \textsc{ascii} syntax, illustrating a pitfall: 
-\begin{isabelle}
-\isacommand{lemma}\ "(A\ <=\ -B)\ =\ (B\ <=\ -A)"
-\end{isabelle}
-%
-The proof fails.  It is not a statement about sets, due to overloading;
-the relation symbol~\isa{<=} can be any relation, not just  
-subset. 
-In this general form, the statement is not valid.  Putting
-in a type constraint forces the variables to denote sets, allowing the
-proof to succeed:
-
-\begin{isabelle}
-\isacommand{lemma}\ "((A::\ {\isacharprime}a\ set)\ <=\ -B)\ =\ (B\ <=\
--A)"
-\end{isabelle}
-Section~\ref{sec:axclass} below describes overloading.  Incidentally,
-\isa{A~\isasymsubseteq~-B} asserts that the sets \isa{A} and \isa{B} are
-disjoint.
-
-\medskip
-Two sets are \textbf{equal}\indexbold{equality!of sets} if they contain the
-same elements.   This is
-the principle of \textbf{extensionality}\indexbold{extensionality!for sets}
-for sets. 
-\begin{isabelle}
-({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\
-{\isasymLongrightarrow}\ A\ =\ B
-\rulenamedx{set_ext}
-\end{isabelle}
-Extensionality can be expressed as 
-$A=B\iff (A\subseteq B)\conj (B\subseteq A)$.  
-The following rules express both
-directions of this equivalence.  Proving a set equation using
-\isa{equalityI} allows the two inclusions to be proved independently.
-\begin{isabelle}
-\isasymlbrakk A\ \isasymsubseteq\ B;\ B\ \isasymsubseteq\
-A\isasymrbrakk\ \isasymLongrightarrow\ A\ =\ B
-\rulenamedx{equalityI}
-\par\smallskip%          \isanewline didn't leave enough space
-\isasymlbrakk A\ =\ B;\ \isasymlbrakk A\ \isasymsubseteq\ B;\ B\
-\isasymsubseteq\ A\isasymrbrakk\ \isasymLongrightarrow\ P\isasymrbrakk\
-\isasymLongrightarrow\ P%
-\rulenamedx{equalityE}
-\end{isabelle}
-
-
-\subsection{Finite Set Notation} 
-
-\indexbold{sets!notation for finite}
-Finite sets are expressed using the constant \cdx{insert}, which is
-a form of union:
-\begin{isabelle}
-insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A
-\rulename{insert_is_Un}
-\end{isabelle}
-%
-The finite set expression \isa{\isacharbraceleft
-a,b\isacharbraceright} abbreviates
-\isa{insert\ a\ (insert\ b\ \isacharbraceleft\isacharbraceright)}.
-Many facts about finite sets can be proved automatically: 
-\begin{isabelle}
-\isacommand{lemma}\
-"\isacharbraceleft a,b\isacharbraceright\
-\isasymunion\ \isacharbraceleft c,d\isacharbraceright\ =\
-\isacharbraceleft a,b,c,d\isacharbraceright"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-
-Not everything that we would like to prove is valid. 
-Consider this attempt: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ \isacharbraceleft b,c\isacharbraceright\ =\
-\isacharbraceleft b\isacharbraceright"\isanewline
-\isacommand{apply}\ auto
-\end{isabelle}
-%
-The proof fails, leaving the subgoal \isa{b=c}. To see why it 
-fails, consider a correct version: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ 
-\isacharbraceleft b,c\isacharbraceright\ =\ (if\ a=c\ then\
-\isacharbraceleft a,b\isacharbraceright\ else\ \isacharbraceleft
-b\isacharbraceright)"\isanewline
-\isacommand{apply}\ simp\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-Our mistake was to suppose that the various items were distinct.  Another
-remark: this proof uses two methods, namely {\isa{simp}}  and
-{\isa{blast}}. Calling {\isa{simp}} eliminates the
-\isa{if}-\isa{then}-\isa{else} expression,  which {\isa{blast}}
-cannot break down. The combined methods (namely {\isa{force}}  and
-\isa{auto}) can prove this fact in one step. 
-
-
-\subsection{Set Comprehension}
-
-\index{set comprehensions|(}%
-The set comprehension \isa{\isacharbraceleft x.\
-P\isacharbraceright} expresses the set of all elements that satisfy the
-predicate~\isa{P}.  Two laws describe the relationship between set 
-comprehension and the membership relation:
-\begin{isabelle}
-(a\ \isasymin\
-\isacharbraceleft x.\ P\ x\isacharbraceright)\ =\ P\ a
-\rulename{mem_Collect_eq}\isanewline
-\isacharbraceleft x.\ x\ \isasymin\ A\isacharbraceright\ =\ A
-\rulename{Collect_mem_eq}
-\end{isabelle}
-
-\smallskip
-Facts such as these have trivial proofs:
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\ \isasymor\
-x\ \isasymin\ A\isacharbraceright\ =\
-\isacharbraceleft x.\ P\ x\isacharbraceright\ \isasymunion\ A"
-\par\smallskip
-\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\
-\isasymlongrightarrow\ Q\ x\isacharbraceright\ =\
--\isacharbraceleft x.\ P\ x\isacharbraceright\
-\isasymunion\ \isacharbraceleft x.\ Q\ x\isacharbraceright"
-\end{isabelle}
-
-\smallskip
-Isabelle has a general syntax for comprehension, which is best 
-described through an example: 
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft p*q\ \isacharbar\ p\ q.\ 
-p{\isasymin}prime\ \isasymand\ q{\isasymin}prime\isacharbraceright\ =\ 
-\isanewline
-\ \ \ \ \ \ \ \ \isacharbraceleft z.\ \isasymexists p\ q.\ z\ =\ p*q\
-\isasymand\ p{\isasymin}prime\ \isasymand\
-q{\isasymin}prime\isacharbraceright"
-\end{isabelle}
-The left and right hand sides
-of this equation are identical. The syntax used in the 
-left-hand side abbreviates the right-hand side: in this case, all numbers
-that are the product of two primes.  The syntax provides a neat
-way of expressing any set given by an expression built up from variables
-under specific constraints.  The drawback is that it hides the true form of
-the expression, with its existential quantifiers. 
-
-\smallskip
-\emph{Remark}.  We do not need sets at all.  They are essentially equivalent
-to predicate variables, which are allowed in  higher-order logic.  The main
-benefit of sets is their notation;  we can write \isa{x{\isasymin}A}
-and
-\isa{\isacharbraceleft z.\ P\isacharbraceright} where predicates would
-require writing
-\isa{A(x)} and
-\isa{{\isasymlambda}z.\ P}. 
-\index{set comprehensions|)}
-
-
-\subsection{Binding Operators}
-
-\index{quantifiers!for sets|(}%
-Universal and existential quantifications may range over sets, 
-with the obvious meaning.  Here are the natural deduction rules for the
-bounded universal quantifier.  Occasionally you will need to apply
-\isa{bspec} with an explicit instantiation of the variable~\isa{x}:
-%
-\begin{isabelle}
-({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ P\ x)\ \isasymLongrightarrow\ {\isasymforall}x\isasymin
-A.\ P\ x%
-\rulenamedx{ballI}%
-\isanewline
-\isasymlbrakk{\isasymforall}x\isasymin A.\
-P\ x;\ x\ \isasymin\
-A\isasymrbrakk\ \isasymLongrightarrow\ P\
-x%
-\rulenamedx{bspec}
-\end{isabelle}
-%
-Dually, here are the natural deduction rules for the
-bounded existential quantifier.  You may need to apply
-\isa{bexI} with an explicit instantiation:
-\begin{isabelle}
-\isasymlbrakk P\ x;\
-x\ \isasymin\ A\isasymrbrakk\
-\isasymLongrightarrow\
-\isasymexists x\isasymin A.\ P\
-x%
-\rulenamedx{bexI}%
-\isanewline
-\isasymlbrakk\isasymexists x\isasymin A.\
-P\ x;\ {\isasymAnd}x.\
-{\isasymlbrakk}x\ \isasymin\ A;\
-P\ x\isasymrbrakk\ \isasymLongrightarrow\
-Q\isasymrbrakk\ \isasymLongrightarrow\ Q%
-\rulenamedx{bexE}
-\end{isabelle}
-\index{quantifiers!for sets|)}
-
-\index{union!indexed}%
-Unions can be formed over the values of a given  set.  The syntax is
-\mbox{\isa{\isasymUnion x\isasymin A.\ B}} or 
-\isa{UN x:A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law:
-\begin{isabelle}
-(b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x)) =\ (\isasymexists x\isasymin A.\
-b\ \isasymin\ B\ x)
-\rulenamedx{UN_iff}
-\end{isabelle}
-It has two natural deduction rules similar to those for the existential
-quantifier.  Sometimes \isa{UN_I} must be applied explicitly:
-\begin{isabelle}
-\isasymlbrakk a\ \isasymin\
-A;\ b\ \isasymin\
-B\ a\isasymrbrakk\ \isasymLongrightarrow\
-b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x)
-\rulenamedx{UN_I}%
-\isanewline
-\isasymlbrakk b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x);\
-{\isasymAnd}x.\ {\isasymlbrakk}x\ \isasymin\
-A;\ b\ \isasymin\
-B\ x\isasymrbrakk\ \isasymLongrightarrow\
-R\isasymrbrakk\ \isasymLongrightarrow\ R%
-\rulenamedx{UN_E}
-\end{isabelle}
-%
-The following built-in abbreviation (see {\S}\ref{sec:abbreviations})
-lets us express the union over a \emph{type}:
-\begin{isabelle}
-\ \ \ \ \
-({\isasymUnion}x.\ B\ x)\ {\isasymequiv}\
-({\isasymUnion}x{\isasymin}UNIV. B\ x)
-\end{isabelle}
-
-We may also express the union of a set of sets, written \isa{Union\ C} in
-\textsc{ascii}: 
-\begin{isabelle}
-(A\ \isasymin\ \isasymUnion C)\ =\ (\isasymexists X\isasymin C.\ A\
-\isasymin\ X)
-\rulenamedx{Union_iff}
-\end{isabelle}
-
-\index{intersection!indexed}%
-Intersections are treated dually, although they seem to be used less often
-than unions.  The syntax below would be \isa{INT
-x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}.  Among others, these
-theorems are available:
-\begin{isabelle}
-(b\ \isasymin\
-(\isasymInter x\isasymin A. B\ x))\
-=\
-({\isasymforall}x\isasymin A.\
-b\ \isasymin\ B\ x)
-\rulenamedx{INT_iff}%
-\isanewline
-(A\ \isasymin\
-\isasymInter C)\ =\
-({\isasymforall}X\isasymin C.\
-A\ \isasymin\ X)
-\rulenamedx{Inter_iff}
-\end{isabelle}
-
-Isabelle uses logical equivalences such as those above in automatic proof. 
-Unions, intersections and so forth are not simply replaced by their
-definitions.  Instead, membership tests are simplified.  For example,  $x\in
-A\cup B$ is replaced by $x\in A\lor x\in B$.
-
-The internal form of a comprehension involves the constant  
-\cdx{Collect},
-which occasionally appears when a goal or theorem
-is displayed.  For example, \isa{Collect\ P}  is the same term as
-\isa{\isacharbraceleft x.\ P\ x\isacharbraceright}.  The same thing can
-happen with quantifiers:   \hbox{\isa{All\ P}}\index{*All (constant)}
-is 
-\isa{{\isasymforall}x.\ P\ x} and 
-\hbox{\isa{Ex\ P}}\index{*Ex (constant)} is \isa{\isasymexists x.\ P\ x}; 
-also \isa{Ball\ A\ P}\index{*Ball (constant)} is 
-\isa{{\isasymforall}x\isasymin A.\ P\ x} and 
-\isa{Bex\ A\ P}\index{*Bex (constant)} is 
-\isa{\isasymexists x\isasymin A.\ P\ x}.  For indexed unions and
-intersections, you may see the constants 
-\cdx{UNION} and  \cdx{INTER}\@.
-The internal constant for $\varepsilon x.P(x)$ is~\cdx{Eps}.
-
-We have only scratched the surface of Isabelle/HOL's set theory, which provides
-hundreds of theorems for your use.
-
-
-\subsection{Finiteness and Cardinality}
-
-\index{sets!finite}%
-The predicate \sdx{finite} holds of all finite sets.  Isabelle/HOL
-includes many familiar theorems about finiteness and cardinality 
-(\cdx{card}). For example, we have theorems concerning the
-cardinalities of unions, intersections and the
-powerset:\index{cardinality}
-%
-\begin{isabelle}
-{\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline
-\isasymLongrightarrow\ card\ A\ \isacharplus\ card\ B\ =\ card\ (A\ \isasymunion\ B)\ \isacharplus\ card\ (A\ \isasyminter\ B)
-\rulenamedx{card_Un_Int}%
-\isanewline
-\isanewline
-finite\ A\ \isasymLongrightarrow\ card\
-(Pow\ A)\  =\ 2\ \isacharcircum\ card\ A%
-\rulenamedx{card_Pow}%
-\isanewline
-\isanewline
-finite\ A\ \isasymLongrightarrow\isanewline
-card\ \isacharbraceleft B.\ B\ \isasymsubseteq\
-A\ \isasymand\ card\ B\ =\
-k\isacharbraceright\ =\ card\ A\ choose\ k%
-\rulename{n_subsets}
-\end{isabelle}
-Writing $|A|$ as $n$, the last of these theorems says that the number of
-$k$-element subsets of~$A$ is \index{binomial coefficients}
-$\binom{n}{k}$.
-
-%\begin{warn}
-%The term \isa{finite\ A} is defined via a syntax translation as an
-%abbreviation for \isa{A {\isasymin} Finites}, where the constant
-%\cdx{Finites} denotes the set of all finite sets of a given type.  There
-%is no constant \isa{finite}.
-%\end{warn}
-\index{sets|)}
-
-
-\section{Functions}
-
-\index{functions|(}%
-This section describes a few concepts that involve
-functions.  Some of the more important theorems are given along with the 
-names. A few sample proofs appear. Unlike with set theory, however, 
-we cannot simply state lemmas and expect them to be proved using
-\isa{blast}. 
-
-\subsection{Function Basics}
-
-Two functions are \textbf{equal}\indexbold{equality!of functions}
-if they yield equal results given equal
-arguments.  This is the principle of
-\textbf{extensionality}\indexbold{extensionality!for functions} for
-functions:
-\begin{isabelle}
-({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g
-\rulenamedx{ext}
-\end{isabelle}
-
-\indexbold{updating a function}%
-Function \textbf{update} is useful for modelling machine states. It has 
-the obvious definition and many useful facts are proved about 
-it.  In particular, the following equation is installed as a simplification
-rule:
-\begin{isabelle}
-(f(x:=y))\ z\ =\ (if\ z\ =\ x\ then\ y\ else\ f\ z)
-\rulename{fun_upd_apply}
-\end{isabelle}
-Two syntactic points must be noted.  In
-\isa{(f(x:=y))\ z} we are applying an updated function to an
-argument; the outer parentheses are essential.  A series of two or more
-updates can be abbreviated as shown on the left-hand side of this theorem:
-\begin{isabelle}
-f(x:=y,\ x:=z)\ =\ f(x:=z)
-\rulename{fun_upd_upd}
-\end{isabelle}
-Note also that we can write \isa{f(x:=z)} with only one pair of parentheses
-when it is not being applied to an argument.
-
-\medskip
-The \bfindex{identity function} and function 
-\textbf{composition}\indexbold{composition!of functions} are
-defined:
-\begin{isabelle}%
-id\ \isasymequiv\ {\isasymlambda}x.\ x%
-\rulenamedx{id_def}\isanewline
-f\ \isasymcirc\ g\ \isasymequiv\
-{\isasymlambda}x.\ f\
-(g\ x)%
-\rulenamedx{o_def}
-\end{isabelle}
-%
-Many familiar theorems concerning the identity and composition 
-are proved. For example, we have the associativity of composition: 
-\begin{isabelle}
-f\ \isasymcirc\ (g\ \isasymcirc\ h)\ =\ f\ \isasymcirc\ g\ \isasymcirc\ h
-\rulename{o_assoc}
-\end{isabelle}
-
-\subsection{Injections, Surjections, Bijections}
-
-\index{injections}\index{surjections}\index{bijections}%
-A function may be \textbf{injective}, \textbf{surjective} or \textbf{bijective}: 
-\begin{isabelle}
-inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\
-{\isasymforall}y\isasymin  A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\
-=\ y%
-\rulenamedx{inj_on_def}\isanewline
-surj\ f\ \isasymequiv\ {\isasymforall}y.\
-\isasymexists x.\ y\ =\ f\ x%
-\rulenamedx{surj_def}\isanewline
-bij\ f\ \isasymequiv\ inj\ f\ \isasymand\ surj\ f
-\rulenamedx{bij_def}
-\end{isabelle}
-The second argument
-of \isa{inj_on} lets us express that a function is injective over a
-given set. This refinement is useful in higher-order logic, where
-functions are total; in some cases, a function's natural domain is a subset
-of its domain type.  Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\
-UNIV}, for when \isa{f} is injective everywhere.
-
-The operator \isa{inv} expresses the 
-\textbf{inverse}\indexbold{inverse!of a function}
-of a function. In 
-general the inverse may not be well behaved.  We have the usual laws,
-such as these: 
-\begin{isabelle}
-inj\ f\ \ \isasymLongrightarrow\ inv\ f\ (f\ x)\ =\ x%
-\rulename{inv_f_f}\isanewline
-surj\ f\ \isasymLongrightarrow\ f\ (inv\ f\ y)\ =\ y
-\rulename{surj_f_inv_f}\isanewline
-bij\ f\ \ \isasymLongrightarrow\ inv\ (inv\ f)\ =\ f
-\rulename{inv_inv_eq}
-\end{isabelle}
-%
-%Other useful facts are that the inverse of an injection 
-%is a surjection and vice versa; the inverse of a bijection is 
-%a bijection. 
-%\begin{isabelle}
-%inj\ f\ \isasymLongrightarrow\ surj\
-%(inv\ f)
-%\rulename{inj_imp_surj_inv}\isanewline
-%surj\ f\ \isasymLongrightarrow\ inj\ (inv\ f)
-%\rulename{surj_imp_inj_inv}\isanewline
-%bij\ f\ \isasymLongrightarrow\ bij\ (inv\ f)
-%\rulename{bij_imp_bij_inv}
-%\end{isabelle}
-%
-%The converses of these results fail.  Unless a function is 
-%well behaved, little can be said about its inverse. Here is another 
-%law: 
-%\begin{isabelle}
-%{\isasymlbrakk}bij\ f;\ bij\ g\isasymrbrakk\ \isasymLongrightarrow\ inv\ (f\ \isasymcirc\ g)\ =\ inv\ g\ \isasymcirc\ inv\ f%
-%\rulename{o_inv_distrib}
-%\end{isabelle}
-
-Theorems involving these concepts can be hard to prove. The following 
-example is easy, but it cannot be proved automatically. To begin 
-with, we need a law that relates the equality of functions to 
-equality over all arguments: 
-\begin{isabelle}
-(f\ =\ g)\ =\ ({\isasymforall}x.\ f\ x\ =\ g\ x)
-\rulename{fun_eq_iff}
-\end{isabelle}
-%
-This is just a restatement of
-extensionality.\indexbold{extensionality!for functions}
-Our lemma
-states  that an injection can be cancelled from the left  side of
-function composition: 
-\begin{isabelle}
-\isacommand{lemma}\ "inj\ f\ \isasymLongrightarrow\ (f\ o\ g\ =\ f\ o\ h)\ =\ (g\ =\ h)"\isanewline
-\isacommand{apply}\ (simp\ add:\ fun_eq_iff\ inj_on_def)\isanewline
-\isacommand{apply}\ auto\isanewline
-\isacommand{done}
-\end{isabelle}
-
-The first step of the proof invokes extensionality and the definitions 
-of injectiveness and composition. It leaves one subgoal:
-\begin{isabelle}
-\ 1.\ {\isasymforall}x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ =\ y\
-\isasymLongrightarrow\isanewline
-\ \ \ \ ({\isasymforall}x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ ({\isasymforall}x.\ g\ x\ =\ h\ x)
-\end{isabelle}
-This can be proved using the \isa{auto} method. 
-
-
-\subsection{Function Image}
-
-The \textbf{image}\indexbold{image!under a function}
-of a set under a function is a most useful notion.  It
-has the obvious definition: 
-\begin{isabelle}
-f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin
-A.\ y\ =\ f\ x\isacharbraceright
-\rulenamedx{image_def}
-\end{isabelle}
-%
-Here are some of the many facts proved about image: 
-\begin{isabelle}
-(f\ \isasymcirc\ g)\ `\ r\ =\ f\ `\ g\ `\ r
-\rulename{image_compose}\isanewline
-f`(A\ \isasymunion\ B)\ =\ f`A\ \isasymunion\ f`B
-\rulename{image_Un}\isanewline
-inj\ f\ \isasymLongrightarrow\ f`(A\ \isasyminter\
-B)\ =\ f`A\ \isasyminter\ f`B
-\rulename{image_Int}
-%\isanewline
-%bij\ f\ \isasymLongrightarrow\ f\ `\ (-\ A)\ =\ -\ f\ `\ A%
-%\rulename{bij_image_Compl_eq}
-\end{isabelle}
-
-
-Laws involving image can often be proved automatically. Here 
-are two examples, illustrating connections with indexed union and with the
-general syntax for comprehension:
-\begin{isabelle}
-\isacommand{lemma}\ "f`A\ \isasymunion\ g`A\ =\ ({\isasymUnion}x{\isasymin}A.\ \isacharbraceleft f\ x,\ g\
-x\isacharbraceright)"
-\par\smallskip
-\isacommand{lemma}\ "f\ `\ \isacharbraceleft(x,y){.}\ P\ x\ y\isacharbraceright\ =\ \isacharbraceleft f(x,y)\ \isacharbar\ x\ y.\ P\ x\
-y\isacharbraceright"
-\end{isabelle}
-
-\medskip
-\index{range!of a function}%
-A function's \textbf{range} is the set of values that the function can 
-take on. It is, in fact, the image of the universal set under 
-that function. There is no constant \isa{range}.  Instead,
-\sdx{range}  abbreviates an application of image to \isa{UNIV}: 
-\begin{isabelle}
-\ \ \ \ \ range\ f\
-{\isasymrightleftharpoons}\ f`UNIV
-\end{isabelle}
-%
-Few theorems are proved specifically 
-for {\isa{range}}; in most cases, you should look for a more general
-theorem concerning images.
-
-\medskip
-\textbf{Inverse image}\index{inverse image!of a function} is also  useful.
-It is defined as follows: 
-\begin{isabelle}
-f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright
-\rulenamedx{vimage_def}
-\end{isabelle}
-%
-This is one of the facts proved about it:
-\begin{isabelle}
-f\ -`\ (-\ A)\ =\ -\ f\ -`\ A%
-\rulename{vimage_Compl}
-\end{isabelle}
-\index{functions|)}
-
-
-\section{Relations}
-\label{sec:Relations}
-
-\index{relations|(}%
-A \textbf{relation} is a set of pairs.  As such, the set operations apply
-to them.  For instance, we may form the union of two relations.  Other
-primitives are defined specifically for relations. 
-
-\subsection{Relation Basics}
-
-The \bfindex{identity relation}, also known as equality, has the obvious 
-definition: 
-\begin{isabelle}
-Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}%
-\rulenamedx{Id_def}
-\end{isabelle}
-
-\indexbold{composition!of relations}%
-\textbf{Composition} of relations (the infix \sdx{O}) is also
-available: 
-\begin{isabelle}
-r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright
-\rulenamedx{rel_comp_def}
-\end{isabelle}
-%
-This is one of the many lemmas proved about these concepts: 
-\begin{isabelle}
-R\ O\ Id\ =\ R
-\rulename{R_O_Id}
-\end{isabelle}
-%
-Composition is monotonic, as are most of the primitives appearing 
-in this chapter.  We have many theorems similar to the following 
-one: 
-\begin{isabelle}
-\isasymlbrakk r\isacharprime\ \isasymsubseteq\ r;\ s\isacharprime\
-\isasymsubseteq\ s\isasymrbrakk\ \isasymLongrightarrow\ r\isacharprime\ O\
-s\isacharprime\ \isasymsubseteq\ r\ O\ s%
-\rulename{rel_comp_mono}
-\end{isabelle}
-
-\indexbold{converse!of a relation}%
-\indexbold{inverse!of a relation}%
-The \textbf{converse} or inverse of a
-relation exchanges the roles  of the two operands.  We use the postfix
-notation~\isa{r\isasyminverse} or
-\isa{r\isacharcircum-1} in ASCII\@.
-\begin{isabelle}
-((a,b)\ \isasymin\ r\isasyminverse)\ =\
-((b,a)\ \isasymin\ r)
-\rulenamedx{converse_iff}
-\end{isabelle}
-%
-Here is a typical law proved about converse and composition: 
-\begin{isabelle}
-(r\ O\ s)\isasyminverse\ =\ s\isasyminverse\ O\ r\isasyminverse
-\rulename{converse_rel_comp}
-\end{isabelle}
-
-\indexbold{image!under a relation}%
-The \textbf{image} of a set under a relation is defined
-analogously  to image under a function: 
-\begin{isabelle}
-(b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin
-A.\ (x,b)\ \isasymin\ r)
-\rulenamedx{Image_iff}
-\end{isabelle}
-It satisfies many similar laws.
-
-\index{domain!of a relation}%
-\index{range!of a relation}%
-The \textbf{domain} and \textbf{range} of a relation are defined in the 
-standard way: 
-\begin{isabelle}
-(a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\
-r)
-\rulenamedx{Domain_iff}%
-\isanewline
-(a\ \isasymin\ Range\ r)\
-\ =\ (\isasymexists y.\
-(y,a)\
-\isasymin\ r)
-\rulenamedx{Range_iff}
-\end{isabelle}
-
-Iterated composition of a relation is available.  The notation overloads 
-that of exponentiation.  Two simplification rules are installed: 
-\begin{isabelle}
-R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline
-R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n
-\end{isabelle}
-
-\subsection{The Reflexive and Transitive Closure}
-
-\index{reflexive and transitive closure|(}%
-The \textbf{reflexive and transitive closure} of the
-relation~\isa{r} is written with a
-postfix syntax.  In ASCII we write \isa{r\isacharcircum*} and in
-symbol notation~\isa{r\isactrlsup *}.  It is the least solution of the
-equation
-\begin{isabelle}
-r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *)
-\rulename{rtrancl_unfold}
-\end{isabelle}
-%
-Among its basic properties are three that serve as introduction 
-rules:
-\begin{isabelle}
-(a,\ a)\ \isasymin \ r\isactrlsup *
-\rulenamedx{rtrancl_refl}\isanewline
-p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup *
-\rulenamedx{r_into_rtrancl}\isanewline
-\isasymlbrakk (a,b)\ \isasymin \ r\isactrlsup *;\ 
-(b,c)\ \isasymin \ r\isactrlsup *\isasymrbrakk \ \isasymLongrightarrow \
-(a,c)\ \isasymin \ r\isactrlsup *
-\rulenamedx{rtrancl_trans}
-\end{isabelle}
-%
-Induction over the reflexive transitive closure is available: 
-\begin{isabelle}
-\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup *;\ P\ a;\ \isasymAnd y\ z.\ \isasymlbrakk (a,\ y)\ \isasymin \ r\isactrlsup *;\ (y,\ z)\ \isasymin \ r;\ P\ y\isasymrbrakk \ \isasymLongrightarrow \ P\ z\isasymrbrakk \isanewline
-\isasymLongrightarrow \ P\ b%
-\rulename{rtrancl_induct}
-\end{isabelle}
-%
-Idempotence is one of the laws proved about the reflexive transitive 
-closure: 
-\begin{isabelle}
-(r\isactrlsup *)\isactrlsup *\ =\ r\isactrlsup *
-\rulename{rtrancl_idemp}
-\end{isabelle}
-
-\smallskip
-The transitive closure is similar.  The ASCII syntax is
-\isa{r\isacharcircum+}.  It has two  introduction rules: 
-\begin{isabelle}
-p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup +
-\rulenamedx{r_into_trancl}\isanewline
-\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup +;\ (b,\ c)\ \isasymin \ r\isactrlsup +\isasymrbrakk \ \isasymLongrightarrow \ (a,\ c)\ \isasymin \ r\isactrlsup +
-\rulenamedx{trancl_trans}
-\end{isabelle}
-%
-The induction rule resembles the one shown above. 
-A typical lemma states that transitive closure commutes with the converse
-operator: 
-\begin{isabelle}
-(r\isasyminverse )\isactrlsup +\ =\ (r\isactrlsup +)\isasyminverse 
-\rulename{trancl_converse}
-\end{isabelle}
-
-\subsection{A Sample Proof}
-
-The reflexive transitive closure also commutes with the converse
-operator.  Let us examine the proof. Each direction of the equivalence
-is  proved separately. The two proofs are almost identical. Here 
-is the first one: 
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \
-(r\isasyminverse)\isactrlsup *\ \isasymLongrightarrow \ (y,x)\ \isasymin
-\ r\isactrlsup *"\isanewline
-\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
-\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
-\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-The first step of the proof applies induction, leaving these subgoals: 
-\begin{isabelle}
-\ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline
-\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \
-(r\isasyminverse)\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\
-(y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline
-\ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup *
-\end{isabelle}
-%
-The first subgoal is trivial by reflexivity. The second follows 
-by first eliminating the converse operator, yielding the
-assumption \isa{(z,y)\
-\isasymin\ r}, and then
-applying the introduction rules shown above.  The same proof script handles
-the other direction: 
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isactrlsup *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isasyminverse)\isactrlsup *"\isanewline
-\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
-\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
-\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-
-Finally, we combine the two lemmas to prove the desired equation: 
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converse:\ "(r\isasyminverse)\isactrlsup *\ =\ (r\isactrlsup *)\isasyminverse"\isanewline
-\isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\
-rtrancl_converseD)
-\end{isabelle}
-
-\begin{warn}
-This trivial proof requires \isa{auto} rather than \isa{blast} because
-of a subtle issue involving ordered pairs.  Here is a subgoal that
-arises internally after  the rules
-\isa{equalityI} and \isa{subsetI} have been applied:
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ x\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ x\ \isasymin \ (r\isactrlsup
-*)\isasyminverse
-%ignore subgoal 2
-%\ 2.\ \isasymAnd x.\ x\ \isasymin \ (r\isactrlsup *)\isasyminverse \
-%\isasymLongrightarrow \ x\ \isasymin \ (r\isasyminverse )\isactrlsup *
-\end{isabelle}
-\par\noindent
-We cannot apply \isa{rtrancl_converseD}\@.  It refers to
-ordered pairs, while \isa{x} is a variable of product type.
-The \isa{simp} and \isa{blast} methods can do nothing, so let us try
-\isa{clarify}:
-\begin{isabelle}
-\ 1.\ \isasymAnd a\ b.\ (a,b)\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ (b,a)\ \isasymin \ r\isactrlsup
-*
-\end{isabelle}
-Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can
-proceed.  Other methods that split variables in this way are \isa{force},
-\isa{auto}, \isa{fast} and \isa{best}.  Section~\ref{sec:products} will discuss proof
-techniques for ordered pairs in more detail.
-\end{warn}
-\index{relations|)}\index{reflexive and transitive closure|)}
-
-
-\section{Well-Founded Relations and Induction}
-\label{sec:Well-founded}
-
-\index{relations!well-founded|(}%
-A well-founded relation captures the notion of a terminating
-process. Complex recursive functions definitions must specify a
-well-founded relation that justifies their
-termination~\cite{isabelle-function}. Most of the forms of induction found
-in mathematics are merely special cases of induction over a
-well-founded relation.
-
-Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no
-infinite  descending chains
-\[ \cdots \prec a@2 \prec a@1 \prec a@0. \]
-Well-foundedness can be hard to show. The various 
-formulations are all complicated.  However,  often a relation
-is well-founded by construction.  HOL provides
-theorems concerning ways of constructing  a well-founded relation.  The
-most familiar way is to specify a 
-\index{measure functions}\textbf{measure function}~\isa{f} into
-the natural numbers, when $\isa{x}\prec \isa{y}\iff \isa{f x} < \isa{f y}$;
-we write this particular relation as
-\isa{measure~f}.
-
-\begin{warn}
-You may want to skip the rest of this section until you need to perform a
-complex recursive function definition or induction.  The induction rule
-returned by
-\isacommand{fun} is good enough for most purposes.  We use an explicit
-well-founded induction only in {\S}\ref{sec:CTL-revisited}.
-\end{warn}
-
-Isabelle/HOL declares \cdx{less_than} as a relation object, 
-that is, a set of pairs of natural numbers. Two theorems tell us that this
-relation  behaves as expected and that it is well-founded: 
-\begin{isabelle}
-((x,y)\ \isasymin\ less_than)\ =\ (x\ <\ y)
-\rulenamedx{less_than_iff}\isanewline
-wf\ less_than
-\rulenamedx{wf_less_than}
-\end{isabelle}
-
-The notion of measure generalizes to the 
-\index{inverse image!of a relation}\textbf{inverse image} of
-a relation. Given a relation~\isa{r} and a function~\isa{f}, we express  a
-new relation using \isa{f} as a measure.  An infinite descending chain on
-this new relation would give rise to an infinite descending chain
-on~\isa{r}.  Isabelle/HOL defines this concept and proves a
-theorem stating that it preserves well-foundedness: 
-\begin{isabelle}
-inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\
-\isasymin\ r\isacharbraceright
-\rulenamedx{inv_image_def}\isanewline
-wf\ r\ \isasymLongrightarrow\ wf\ (inv_image\ r\ f)
-\rulenamedx{wf_inv_image}
-\end{isabelle}
-
-A measure function involves the natural numbers.  The relation \isa{measure
-size} justifies primitive recursion and structural induction over a
-datatype.  Isabelle/HOL defines
-\isa{measure} as shown: 
-\begin{isabelle}
-measure\ \isasymequiv\ inv_image\ less_than%
-\rulenamedx{measure_def}\isanewline
-wf\ (measure\ f)
-\rulenamedx{wf_measure}
-\end{isabelle}
-
-Of the other constructions, the most important is the
-\bfindex{lexicographic product} of two relations. It expresses the
-standard dictionary  ordering over pairs.  We write \isa{ra\ <*lex*>\
-rb}, where \isa{ra} and \isa{rb} are the two operands.  The
-lexicographic product satisfies the usual  definition and it preserves
-well-foundedness: 
-\begin{isabelle}
-ra\ <*lex*>\ rb\ \isasymequiv \isanewline
-\ \ \isacharbraceleft ((a,b),(a',b')).\ (a,a')\ \isasymin \ ra\
-\isasymor\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \,a=a'\ \isasymand \ (b,b')\
-\isasymin \ rb\isacharbraceright 
-\rulenamedx{lex_prod_def}%
-\par\smallskip
-\isasymlbrakk wf\ ra;\ wf\ rb\isasymrbrakk \ \isasymLongrightarrow \ wf\ (ra\ <*lex*>\ rb)
-\rulenamedx{wf_lex_prod}
-\end{isabelle}
-
-%These constructions can be used in a
-%\textbf{recdef} declaration ({\S}\ref{sec:recdef-simplification}) to define
-%the well-founded relation used to prove termination.
-
-The \bfindex{multiset ordering}, useful for hard termination proofs, is
-available in the Library~\cite{HOL-Library}.
-Baader and Nipkow \cite[{\S}2.5]{Baader-Nipkow} discuss it. 
-
-\medskip
-Induction\index{induction!well-founded|(}
-comes in many forms,
-including traditional mathematical  induction, structural induction on
-lists and induction on size.  All are instances of the following rule,
-for a suitable well-founded relation~$\prec$: 
-\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \]
-To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for
-arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$. 
-Intuitively, the well-foundedness of $\prec$ ensures that the chains of
-reasoning are finite.
-
-\smallskip
-In Isabelle, the induction rule is expressed like this:
-\begin{isabelle}
-{\isasymlbrakk}wf\ r;\ 
-  {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\
-\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
-\isasymLongrightarrow\ P\ a
-\rulenamedx{wf_induct}
-\end{isabelle}
-Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded.
-
-Many familiar induction principles are instances of this rule. 
-For example, the predecessor relation on the natural numbers 
-is well-founded; induction over it is mathematical induction. 
-The ``tail of'' relation on lists is well-founded; induction over 
-it is structural induction.%
-\index{induction!well-founded|)}%
-\index{relations!well-founded|)}
-
-
-\section{Fixed Point Operators}
-
-\index{fixed points|(}%
-Fixed point operators define sets
-recursively.  They are invoked implicitly when making an inductive
-definition, as discussed in Chap.\ts\ref{chap:inductive} below.  However,
-they can be used directly, too. The
-\emph{least}  or \emph{strongest} fixed point yields an inductive
-definition;  the \emph{greatest} or \emph{weakest} fixed point yields a
-coinductive  definition.  Mathematicians may wish to note that the
-existence  of these fixed points is guaranteed by the Knaster-Tarski
-theorem. 
-
-\begin{warn}
-Casual readers should skip the rest of this section.  We use fixed point
-operators only in {\S}\ref{sec:VMC}.
-\end{warn}
-
-The theory applies only to monotonic functions.\index{monotone functions|bold} 
-Isabelle's definition of monotone is overloaded over all orderings:
-\begin{isabelle}
-mono\ f\ \isasymequiv\ {\isasymforall}A\ B.\ A\ \isasymle\ B\ \isasymlongrightarrow\ f\ A\ \isasymle\ f\ B%
-\rulenamedx{mono_def}
-\end{isabelle}
-%
-For fixed point operators, the ordering will be the subset relation: if
-$A\subseteq B$ then we expect $f(A)\subseteq f(B)$.  In addition to its
-definition, monotonicity has the obvious introduction and destruction
-rules:
-\begin{isabelle}
-({\isasymAnd}A\ B.\ A\ \isasymle\ B\ \isasymLongrightarrow\ f\ A\ \isasymle\ f\ B)\ \isasymLongrightarrow\ mono\ f%
-\rulename{monoI}%
-\par\smallskip%          \isanewline didn't leave enough space
-{\isasymlbrakk}mono\ f;\ A\ \isasymle\ B\isasymrbrakk\
-\isasymLongrightarrow\ f\ A\ \isasymle\ f\ B%
-\rulename{monoD}
-\end{isabelle}
-
-The most important properties of the least fixed point are that 
-it is a fixed point and that it enjoys an induction rule: 
-\begin{isabelle}
-mono\ f\ \isasymLongrightarrow\ lfp\ f\ =\ f\ (lfp\ f)
-\rulename{lfp_unfold}%
-\par\smallskip%          \isanewline didn't leave enough space
-{\isasymlbrakk}a\ \isasymin\ lfp\ f;\ mono\ f;\isanewline
-  \ {\isasymAnd}x.\ x\
-\isasymin\ f\ (lfp\ f\ \isasyminter\ \isacharbraceleft x.\ P\
-x\isacharbraceright)\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
-\isasymLongrightarrow\ P\ a%
-\rulename{lfp_induct}
-\end{isabelle}
-%
-The induction rule shown above is more convenient than the basic 
-one derived from the minimality of {\isa{lfp}}.  Observe that both theorems
-demand \isa{mono\ f} as a premise.
-
-The greatest fixed point is similar, but it has a \bfindex{coinduction} rule: 
-\begin{isabelle}
-mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f)
-\rulename{gfp_unfold}%
-\isanewline
-{\isasymlbrakk}mono\ f;\ a\ \isasymin\ X;\ X\ \isasymsubseteq\ f\ (X\
-\isasymunion\ gfp\ f)\isasymrbrakk\ \isasymLongrightarrow\ a\ \isasymin\
-gfp\ f%
-\rulename{coinduct}
-\end{isabelle}
-A \textbf{bisimulation}\index{bisimulations} 
-is perhaps the best-known concept defined as a
-greatest fixed point.  Exhibiting a bisimulation to prove the equality of
-two agents in a process algebra is an example of coinduction.
-The coinduction rule can be strengthened in various ways.
-\index{fixed points|)}
-
-%The section "Case Study: Verified Model Checking" is part of this chapter
-\input{CTL/ctl}  
-\endinput
--- a/doc-src/TutorialI/ToyList/ToyList.thy	Tue Aug 28 13:15:15 2012 +0200
+++ b/doc-src/TutorialI/ToyList/ToyList.thy	Tue Aug 28 14:37:57 2012 +0200
@@ -2,6 +2,17 @@
 imports Datatype
 begin
 
+(*<*)
+ML {*
+  let
+    val texts =
+      map (File.read o Path.append (Thy_Load.master_directory @{theory}) o Path.explode)
+        ["ToyList1", "ToyList2"];
+    val trs = Outer_Syntax.parse Position.start (implode texts);
+  in @{assert} (Toplevel.is_toplevel (fold Toplevel.command trs Toplevel.toplevel)) end;
+*}
+(*>*)
+
 text{*\noindent
 HOL already has a predefined theory of lists called @{text List} ---
 @{text ToyList} is merely a small fragment of it chosen as an example. In
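Review bot: The ML block added between `(*<*)` and `(*>*)` has no comment, so nothing in ToyList.thy explains why the theory reads `ToyList1` and `ToyList2` and replays them through `Toplevel.command`. I would open the block with `(* check that the fragments ToyList1 + ToyList2, concatenated, still form a complete theory *)`. Separately, `implode texts` on the `val trs` line joins the two files with no separator, so the check appears to depend on ToyList1 ending in a newline. `val trs = Outer_Syntax.parse Position.start (cat_lines texts);` would make the join independent of that. The comment could also say that both names are resolved against `Thy_Load.master_directory @{theory}`, so the check always reads the copies beside this theory file.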
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/ToyList/ToyList1	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,16 @@
+theory ToyList
+imports Datatype
+begin
+
+datatype 'a list = Nil                          ("[]")
+                 | Cons 'a "'a list"            (infixr "#" 65)
+
+(* This is the append function: *)
+primrec app :: "'a list => 'a list => 'a list"  (infixr "@" 65)
+where
+"[] @ ys       = ys" |
+"(x # xs) @ ys = x # (xs @ ys)"
+
+primrec rev :: "'a list => 'a list" where
+"rev []        = []" |
+"rev (x # xs)  = (rev xs) @ (x # [])"
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/ToyList/ToyList2	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,21 @@
+lemma app_Nil2 [simp]: "xs @ [] = xs"
+apply(induct_tac xs)
+apply(auto)
+done
+
+lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)"
+apply(induct_tac xs)
+apply(auto)
+done
+
+lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)"
+apply(induct_tac xs)
+apply(auto)
+done
+
+theorem rev_rev [simp]: "rev(rev xs) = xs"
+apply(induct_tac xs)
+apply(auto)
+done
+
+end
--- a/doc-src/TutorialI/ToyList2/ToyList.thy	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,37 +0,0 @@
-theory ToyList
-imports Datatype
-begin
-
-datatype 'a list = Nil                          ("[]")
-                 | Cons 'a "'a list"            (infixr "#" 65)
-
-(* This is the append function: *)
-primrec app :: "'a list => 'a list => 'a list"  (infixr "@" 65)
-where
-"[] @ ys       = ys" |
-"(x # xs) @ ys = x # (xs @ ys)"
-
-primrec rev :: "'a list => 'a list" where
-"rev []        = []" |
-"rev (x # xs)  = (rev xs) @ (x # [])"
-lemma app_Nil2 [simp]: "xs @ [] = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-theorem rev_rev [simp]: "rev(rev xs) = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-end
--- a/doc-src/TutorialI/ToyList2/ToyList1	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-theory ToyList
-imports Datatype
-begin
-
-datatype 'a list = Nil                          ("[]")
-                 | Cons 'a "'a list"            (infixr "#" 65)
-
-(* This is the append function: *)
-primrec app :: "'a list => 'a list => 'a list"  (infixr "@" 65)
-where
-"[] @ ys       = ys" |
-"(x # xs) @ ys = x # (xs @ ys)"
-
-primrec rev :: "'a list => 'a list" where
-"rev []        = []" |
-"rev (x # xs)  = (rev xs) @ (x # [])"
--- a/doc-src/TutorialI/ToyList2/ToyList2	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-lemma app_Nil2 [simp]: "xs @ [] = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-theorem rev_rev [simp]: "rev(rev xs) = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-end
--- a/doc-src/TutorialI/Types/numerics.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,543 +0,0 @@
-\section{Numbers}
-\label{sec:numbers}
-
-\index{numbers|(}%
-Until now, our numerical examples have used the type of \textbf{natural
-numbers},
-\isa{nat}.  This is a recursive datatype generated by the constructors
-zero  and successor, so it works well with inductive proofs and primitive
-recursive function definitions.  HOL also provides the type
-\isa{int} of \textbf{integers}, which lack induction but support true
-subtraction.  With subtraction, arithmetic reasoning is easier, which makes
-the integers preferable to the natural numbers for
-complicated arithmetic expressions, even if they are non-negative.  There are also the types
-\isa{rat}, \isa{real} and \isa{complex}: the rational, real and complex numbers.  Isabelle has no 
-subtyping,  so the numeric
-types are distinct and there are functions to convert between them.
-Most numeric operations are overloaded: the same symbol can be
-used at all numeric types. Table~\ref{tab:overloading} in the appendix
-shows the most important operations, together with the priorities of the
-infix symbols. Algebraic properties are organized using type classes
-around algebraic concepts such as rings and fields;
-a property such as the commutativity of addition is a single theorem 
-(\isa{add_commute}) that applies to all numeric types.
-
-\index{linear arithmetic}%
-Many theorems involving numeric types can be proved automatically by
-Isabelle's arithmetic decision procedure, the method
-\methdx{arith}.  Linear arithmetic comprises addition, subtraction
-and multiplication by constant factors; subterms involving other operators
-are regarded as variables.  The procedure can be slow, especially if the
-subgoal to be proved involves subtraction over type \isa{nat}, which 
-causes case splits.  On types \isa{nat} and \isa{int}, \methdx{arith}
-can deal with quantifiers---this is known as Presburger arithmetic---whereas on type \isa{real} it cannot.
-
-The simplifier reduces arithmetic expressions in other
-ways, such as dividing through by common factors.  For problems that lie
-outside the scope of automation, HOL provides hundreds of
-theorems about multiplication, division, etc., that can be brought to
-bear.  You can locate them using Proof General's Find
-button.  A few lemmas are given below to show what
-is available.
-
-\subsection{Numeric Literals}
-\label{sec:numerals}
-
-\index{numeric literals|(}%
-The constants \cdx{0} and \cdx{1} are overloaded.  They denote zero and one,
-respectively, for all numeric types.  Other values are expressed by numeric
-literals, which consist of one or more decimal digits optionally preceeded by a minus sign (\isa{-}).  Examples are \isa{2}, \isa{-3} and
-\isa{441223334678}.  Literals are available for the types of natural
-numbers, integers, rationals, reals, etc.; they denote integer values of
-arbitrary size.
-
-Literals look like constants, but they abbreviate 
-terms representing the number in a two's complement binary notation. 
-Isabelle performs arithmetic on literals by rewriting rather 
-than using the hardware arithmetic. In most cases arithmetic 
-is fast enough, even for numbers in the millions. The arithmetic operations 
-provided for literals include addition, subtraction, multiplication, 
-integer division and remainder.  Fractions of literals (expressed using
-division) are reduced to lowest terms.
-
-\begin{warn}\index{overloading!and arithmetic}
-The arithmetic operators are 
-overloaded, so you must be careful to ensure that each numeric 
-expression refers to a specific type, if necessary by inserting 
-type constraints.  Here is an example of what can go wrong:
-\par
-\begin{isabelle}
-\isacommand{lemma}\ "2\ *\ m\ =\ m\ +\ m"
-\end{isabelle}
-%
-Carefully observe how Isabelle displays the subgoal:
-\begin{isabelle}
-\ 1.\ (2::'a)\ *\ m\ =\ m\ +\ m
-\end{isabelle}
-The type \isa{'a} given for the literal \isa{2} warns us that no numeric
-type has been specified.  The problem is underspecified.  Given a type
-constraint such as \isa{nat}, \isa{int} or \isa{real}, it becomes trivial.
-\end{warn}
-
-\begin{warn}
-\index{function@\isacommand {function} (command)!and numeric literals}  
-Numeric literals are not constructors and therefore
-must not be used in patterns.  For example, this declaration is
-rejected:
-\begin{isabelle}
-\isacommand{function}\ h\ \isakeyword{where}\isanewline
-"h\ 3\ =\ 2"\isanewline
-\isacharbar "h\ i\ \ =\ i"
-\end{isabelle}
-
-You should use a conditional expression instead:
-\begin{isabelle}
-"h\ i\ =\ (if\ i\ =\ 3\ then\ 2\ else\ i)"
-\end{isabelle}
-\index{numeric literals|)}
-\end{warn}
-
-
-\subsection{The Type of Natural Numbers, {\tt\slshape nat}}
-
-\index{natural numbers|(}\index{*nat (type)|(}%
-This type requires no introduction: we have been using it from the
-beginning.  Hundreds of theorems about the natural numbers are
-proved in the theories \isa{Nat} and \isa{Divides}.  
-Basic properties of addition and multiplication are available through the
-axiomatic type class for semirings (\S\ref{sec:numeric-classes}).
-
-\subsubsection{Literals}
-\index{numeric literals!for type \protect\isa{nat}}%
-The notational options for the natural  numbers are confusing.  Recall that an
-overloaded constant can be defined independently for each type; the definition
-of \cdx{1} for type \isa{nat} is
-\begin{isabelle}
-1\ \isasymequiv\ Suc\ 0
-\rulename{One_nat_def}
-\end{isabelle}
-This is installed as a simplification rule, so the simplifier will replace
-every occurrence of \isa{1::nat} by \isa{Suc\ 0}.  Literals are obviously
-better than nested \isa{Suc}s at expressing large values.  But many theorems,
-including the rewrite rules for primitive recursive functions, can only be
-applied to terms of the form \isa{Suc\ $n$}.
-
-The following default  simplification rules replace
-small literals by zero and successor: 
-\begin{isabelle}
-2\ +\ n\ =\ Suc\ (Suc\ n)
-\rulename{add_2_eq_Suc}\isanewline
-n\ +\ 2\ =\ Suc\ (Suc\ n)
-\rulename{add_2_eq_Suc'}
-\end{isabelle}
-It is less easy to transform \isa{100} into \isa{Suc\ 99} (for example), and
-the simplifier will normally reverse this transformation.  Novices should
-express natural numbers using \isa{0} and \isa{Suc} only.
-
-\subsubsection{Division}
-\index{division!for type \protect\isa{nat}}%
-The infix operators \isa{div} and \isa{mod} are overloaded.
-Isabelle/HOL provides the basic facts about quotient and remainder
-on the natural numbers:
-\begin{isabelle}
-m\ mod\ n\ =\ (if\ m\ <\ n\ then\ m\ else\ (m\ -\ n)\ mod\ n)
-\rulename{mod_if}\isanewline
-m\ div\ n\ *\ n\ +\ m\ mod\ n\ =\ m%
-\rulenamedx{mod_div_equality}
-\end{isabelle}
-
-Many less obvious facts about quotient and remainder are also provided. 
-Here is a selection:
-\begin{isabelle}
-a\ *\ b\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
-\rulename{div_mult1_eq}\isanewline
-a\ *\ b\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
-\rulename{mod_mult_right_eq}\isanewline
-a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
-\rulename{div_mult2_eq}\isanewline
-a\ mod\ (b*c)\ =\ b * (a\ div\ b\ mod\ c)\ +\ a\ mod\ b%
-\rulename{mod_mult2_eq}\isanewline
-0\ <\ c\ \isasymLongrightarrow \ (c\ *\ a)\ div\ (c\ *\ b)\ =\ a\ div\ b%
-\rulename{div_mult_mult1}\isanewline
-(m\ mod\ n)\ *\ k\ =\ (m\ *\ k)\ mod\ (n\ *\ k)
-\rulenamedx{mod_mult_distrib}\isanewline
-m\ \isasymle \ n\ \isasymLongrightarrow \ m\ div\ k\ \isasymle \ n\ div\ k%
-\rulename{div_le_mono}
-\end{isabelle}
-
-Surprisingly few of these results depend upon the
-divisors' being nonzero.
-\index{division!by zero}%
-That is because division by
-zero yields zero:
-\begin{isabelle}
-a\ div\ 0\ =\ 0
-\rulename{DIVISION_BY_ZERO_DIV}\isanewline
-a\ mod\ 0\ =\ a%
-\rulename{DIVISION_BY_ZERO_MOD}
-\end{isabelle}
-In \isa{div_mult_mult1} above, one of
-the two divisors (namely~\isa{c}) must still be nonzero.
-
-The \textbf{divides} relation\index{divides relation}
-has the standard definition, which
-is overloaded over all numeric types: 
-\begin{isabelle}
-m\ dvd\ n\ \isasymequiv\ {\isasymexists}k.\ n\ =\ m\ *\ k
-\rulenamedx{dvd_def}
-\end{isabelle}
-%
-Section~\ref{sec:proving-euclid} discusses proofs involving this
-relation.  Here are some of the facts proved about it:
-\begin{isabelle}
-\isasymlbrakk m\ dvd\ n;\ n\ dvd\ m\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n%
-\rulenamedx{dvd_antisym}\isanewline
-\isasymlbrakk k\ dvd\ m;\ k\ dvd\ n\isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ (m\ +\ n)
-\rulenamedx{dvd_add}
-\end{isabelle}
-
-\subsubsection{Subtraction}
-
-There are no negative natural numbers, so \isa{m\ -\ n} equals zero unless 
-\isa{m} exceeds~\isa{n}. The following is one of the few facts
-about \isa{m\ -\ n} that is not subject to
-the condition \isa{n\ \isasymle \  m}. 
-\begin{isabelle}
-(m\ -\ n)\ *\ k\ =\ m\ *\ k\ -\ n\ *\ k%
-\rulenamedx{diff_mult_distrib}
-\end{isabelle}
-Natural number subtraction has few
-nice properties; often you should remove it by simplifying with this split
-rule.
-\begin{isabelle}
-P(a-b)\ =\ ((a<b\ \isasymlongrightarrow \ P\
-0)\ \isasymand \ (\isasymforall d.\ a\ =\ b+d\ \isasymlongrightarrow \ P\
-d))
-\rulename{nat_diff_split}
-\end{isabelle}
-For example, splitting helps to prove the following fact.
-\begin{isabelle}
-\isacommand{lemma}\ "(n\ -\ 2)\ *\ (n\ +\ 2)\ =\ n\ *\ n\ -\ (4::nat)"\isanewline
-\isacommand{apply}\ (simp\ split:\ nat_diff_split,\ clarify)\isanewline
-\ 1.\ \isasymAnd d.\ \isasymlbrakk n\ <\ 2;\ n\ *\ n\ =\ 4\ +\ d\isasymrbrakk \ \isasymLongrightarrow \ d\ =\ 0
-\end{isabelle}
-The result lies outside the scope of linear arithmetic, but
- it is easily found
-if we explicitly split \isa{n<2} as \isa{n=0} or \isa{n=1}:
-\begin{isabelle}
-\isacommand{apply}\ (subgoal_tac\ "n=0\ |\ n=1",\ force,\ arith)\isanewline
-\isacommand{done}
-\end{isabelle}%%%%%%
-\index{natural numbers|)}\index{*nat (type)|)}
-
-
-\subsection{The Type of Integers, {\tt\slshape int}}
-
-\index{integers|(}\index{*int (type)|(}%
-Reasoning methods for the integers resemble those for the natural numbers, 
-but induction and
-the constant \isa{Suc} are not available.  HOL provides many lemmas for
-proving inequalities involving integer multiplication and division, similar
-to those shown above for type~\isa{nat}. The laws of addition, subtraction
-and multiplication are available through the axiomatic type class for rings
-(\S\ref{sec:numeric-classes}).
-
-The \rmindex{absolute value} function \cdx{abs} is overloaded, and is 
-defined for all types that involve negative numbers, including the integers.
-The \isa{arith} method can prove facts about \isa{abs} automatically, 
-though as it does so by case analysis, the cost can be exponential.
-\begin{isabelle}
-\isacommand{lemma}\ "abs\ (x+y)\ \isasymle \ abs\ x\ +\ abs\ (y\ ::\ int)"\isanewline
-\isacommand{by}\ arith
-\end{isabelle}
-
-For division and remainder,\index{division!by negative numbers}
-the treatment of negative divisors follows
-mathematical practice: the sign of the remainder follows that
-of the divisor:
-\begin{isabelle}
-0\ <\ b\ \isasymLongrightarrow \ 0\ \isasymle \ a\ mod\ b%
-\rulename{pos_mod_sign}\isanewline
-0\ <\ b\ \isasymLongrightarrow \ a\ mod\ b\ <\ b%
-\rulename{pos_mod_bound}\isanewline
-b\ <\ 0\ \isasymLongrightarrow \ a\ mod\ b\ \isasymle \ 0
-\rulename{neg_mod_sign}\isanewline
-b\ <\ 0\ \isasymLongrightarrow \ b\ <\ a\ mod\ b%
-\rulename{neg_mod_bound}
-\end{isabelle}
-ML treats negative divisors in the same way, but most computer hardware
-treats signed operands using the same rules as for multiplication.
-Many facts about quotients and remainders are provided:
-\begin{isabelle}
-(a\ +\ b)\ div\ c\ =\isanewline
-a\ div\ c\ +\ b\ div\ c\ +\ (a\ mod\ c\ +\ b\ mod\ c)\ div\ c%
-\rulename{zdiv_zadd1_eq}
-\par\smallskip
-(a\ +\ b)\ mod\ c\ =\ (a\ mod\ c\ +\ b\ mod\ c)\ mod\ c%
-\rulename{mod_add_eq}
-\end{isabelle}
-
-\begin{isabelle}
-(a\ *\ b)\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
-\rulename{zdiv_zmult1_eq}\isanewline
-(a\ *\ b)\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
-\rulename{zmod_zmult1_eq}
-\end{isabelle}
-
-\begin{isabelle}
-0\ <\ c\ \isasymLongrightarrow \ a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
-\rulename{zdiv_zmult2_eq}\isanewline
-0\ <\ c\ \isasymLongrightarrow \ a\ mod\ (b*c)\ =\ b*(a\ div\ b\ mod\
-c)\ +\ a\ mod\ b%
-\rulename{zmod_zmult2_eq}
-\end{isabelle}
-The last two differ from their natural number analogues by requiring
-\isa{c} to be positive.  Since division by zero yields zero, we could allow
-\isa{c} to be zero.  However, \isa{c} cannot be negative: a counterexample
-is
-$\isa{a} = 7$, $\isa{b} = 2$ and $\isa{c} = -3$, when the left-hand side of
-\isa{zdiv_zmult2_eq} is $-2$ while the right-hand side is~$-1$.
-The prefix~\isa{z} in many theorem names recalls the use of $\mathbb{Z}$ to
-denote the set of integers.%
-\index{integers|)}\index{*int (type)|)}
-
-Induction is less important for integers than it is for the natural numbers, but it can be valuable if the range of integers has a lower or upper bound.  There are four rules for integer induction, corresponding to the possible relations of the bound ($\geq$, $>$, $\leq$ and $<$):
-\begin{isabelle}
-\isasymlbrakk k\ \isasymle \ i;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk k\ \isasymle \ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_ge_induct}\isanewline
-\isasymlbrakk k\ <\ i;\ P(k+1);\ \isasymAnd i.\ \isasymlbrakk k\ <\ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_gr_induct}\isanewline
-\isasymlbrakk i\ \isasymle \ k;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk i\ \isasymle \ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_le_induct}\isanewline
-\isasymlbrakk i\ <\ k;\ P(k-1);\ \isasymAnd i.\ \isasymlbrakk i\ <\ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_less_induct}
-\end{isabelle}
-
-
-\subsection{The Types of Rational, Real and Complex Numbers}
-\label{sec:real}
-
-\index{rational numbers|(}\index{*rat (type)|(}%
-\index{real numbers|(}\index{*real (type)|(}%
-\index{complex numbers|(}\index{*complex (type)|(}%
-These types provide true division, the overloaded operator \isa{/}, 
-which differs from the operator \isa{div} of the 
-natural numbers and integers. The rationals and reals are 
-\textbf{dense}: between every two distinct numbers lies another.
-This property follows from the division laws, since if $x\not=y$ then $(x+y)/2$ lies between them:
-\begin{isabelle}
-a\ <\ b\ \isasymLongrightarrow \ \isasymexists r.\ a\ <\ r\ \isasymand \ r\ <\ b%
-\rulename{dense}
-\end{isabelle}
-
-The real numbers are, moreover, \textbf{complete}: every set of reals that
-is bounded above has a least upper bound.  Completeness distinguishes the
-reals from the rationals, for which the set $\{x\mid x^2<2\}$ has no least
-upper bound.  (It could only be $\surd2$, which is irrational.) The
-formalization of completeness, which is complicated, 
-can be found in theory \texttt{RComplete}.
-
-Numeric literals\index{numeric literals!for type \protect\isa{real}}
-for type \isa{real} have the same syntax as those for type
-\isa{int} and only express integral values.  Fractions expressed
-using the division operator are automatically simplified to lowest terms:
-\begin{isabelle}
-\ 1.\ P\ ((3\ /\ 4)\ *\ (8\ /\ 15))\isanewline
-\isacommand{apply} simp\isanewline
-\ 1.\ P\ (2\ /\ 5)
-\end{isabelle}
-Exponentiation can express floating-point values such as
-\isa{2 * 10\isacharcircum6}, which will be simplified to integers.
-
-\begin{warn}
-Types \isa{rat}, \isa{real} and \isa{complex} are provided by theory HOL-Complex, which is
-Main extended with a definitional development of the rational, real and complex
-numbers.  Base your theory upon theory \thydx{Complex_Main}, not the
-usual \isa{Main}.%
-\end{warn}
-
-Available in the logic HOL-NSA is the
-theory \isa{Hyperreal}, which define the type \tydx{hypreal} of 
-\rmindex{non-standard reals}.  These
-\textbf{hyperreals} include infinitesimals, which represent infinitely
-small and infinitely large quantities; they facilitate proofs
-about limits, differentiation and integration~\cite{fleuriot-jcm}.  The
-development defines an infinitely large number, \isa{omega} and an
-infinitely small positive number, \isa{epsilon}.  The 
-relation $x\approx y$ means ``$x$ is infinitely close to~$y$.''
-Theory \isa{Hyperreal} also defines transcendental functions such as sine,
-cosine, exponential and logarithm --- even the versions for type
-\isa{real}, because they are defined using nonstandard limits.%
-\index{rational numbers|)}\index{*rat (type)|)}%
-\index{real numbers|)}\index{*real (type)|)}%
-\index{complex numbers|)}\index{*complex (type)|)}
-
-
-\subsection{The Numeric Type Classes}\label{sec:numeric-classes}
-
-Isabelle/HOL organises its numeric theories using axiomatic type classes.
-Hundreds of basic properties are proved in the theory \isa{Ring_and_Field}.
-These lemmas are available (as simprules if they were declared as such)
-for all numeric types satisfying the necessary axioms. The theory defines
-dozens of type classes, such as the following:
-\begin{itemize}
-\item 
-\tcdx{semiring} and \tcdx{ordered_semiring}: a \emph{semiring}
-provides the associative operators \isa{+} and~\isa{*}, with \isa{0} and~\isa{1}
-as their respective identities. The operators enjoy the usual distributive law,
-and addition (\isa{+}) is also commutative.
-An \emph{ordered semiring} is also linearly
-ordered, with addition and multiplication respecting the ordering. Type \isa{nat} is an ordered semiring.
-\item 
-\tcdx{ring} and \tcdx{ordered_ring}: a \emph{ring} extends a semiring
-with unary minus (the additive inverse) and subtraction (both
-denoted~\isa{-}). An \emph{ordered ring} includes the absolute value
-function, \cdx{abs}. Type \isa{int} is an ordered ring.
-\item 
-\tcdx{field} and \tcdx{ordered_field}: a field extends a ring with the
-multiplicative inverse (called simply \cdx{inverse} and division~(\isa{/})).
-An ordered field is based on an ordered ring. Type \isa{complex} is a field, while type \isa{real} is an ordered field.
-\item 
-\tcdx{division_by_zero} includes all types where \isa{inverse 0 = 0}
-and \isa{a / 0 = 0}. These include all of Isabelle's standard numeric types.
-However, the basic properties of fields are derived without assuming
-division by zero.
-\end{itemize}
-
-Hundreds of basic lemmas are proved, each of which
-holds for all types in the corresponding type class. In most
-cases, it is obvious whether a property is valid for a particular type. No
-abstract properties involving subtraction hold for type \isa{nat};
-instead, theorems such as
-\isa{diff_mult_distrib} are proved specifically about subtraction on
-type~\isa{nat}. All abstract properties involving division require a field.
-Obviously, all properties involving orderings required an ordered
-structure.
-
-The class \tcdx{ring_no_zero_divisors} of rings without zero divisors satisfies a number of natural cancellation laws, the first of which characterizes this class:
-\begin{isabelle}
-(a\ *\ b\ =\ (0::'a))\ =\ (a\ =\ (0::'a)\ \isasymor \ b\ =\ (0::'a))
-\rulename{mult_eq_0_iff}\isanewline
-(a\ *\ c\ =\ b\ *\ c)\ =\ (c\ =\ (0::'a)\ \isasymor \ a\ =\ b)
-\rulename{mult_cancel_right}
-\end{isabelle}
-\begin{pgnote}
-Setting the flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
-\pgmenu{Show Sorts} will display the type classes of all type variables.
-\end{pgnote}
-\noindent
-Here is how the theorem \isa{mult_cancel_left} appears with the flag set.
-\begin{isabelle}
-((c::'a::ring_no_zero_divisors)\ *\ (a::'a::ring_no_zero_divisors) =\isanewline
-\ c\ *\ (b::'a::ring_no_zero_divisors))\ =\isanewline
-(c\ =\ (0::'a::ring_no_zero_divisors)\ \isasymor\ a\ =\ b)
-\end{isabelle}
-
-
-\subsubsection{Simplifying with the AC-Laws}
-Suppose that two expressions are equal, differing only in 
-associativity and commutativity of addition.  Simplifying with the
-following equations sorts the terms and groups them to the right, making
-the two expressions identical.
-\begin{isabelle}
-a\ +\ b\ +\ c\ =\ a\ +\ (b\ +\ c)
-\rulenamedx{add_assoc}\isanewline
-a\ +\ b\ =\ b\ +\ a%
-\rulenamedx{add_commute}\isanewline
-a\ +\ (b\ +\ c)\ =\ b\ +\ (a\ +\ c)
-\rulename{add_left_commute}
-\end{isabelle}
-The name \isa{add_ac}\index{*add_ac (theorems)} 
-refers to the list of all three theorems; similarly
-there is \isa{mult_ac}.\index{*mult_ac (theorems)} 
-They are all proved for semirings and therefore hold for all numeric types.
-
-Here is an example of the sorting effect.  Start
-with this goal, which involves type \isa{nat}.
-\begin{isabelle}
-\ 1.\ Suc\ (i\ +\ j\ *\ l\ *\ k\ +\ m\ *\ n)\ =\
-f\ (n\ *\ m\ +\ i\ +\ k\ *\ j\ *\ l)
-\end{isabelle}
-%
-Simplify using  \isa{add_ac} and \isa{mult_ac}.
-\begin{isabelle}
-\isacommand{apply}\ (simp\ add:\ add_ac\ mult_ac)
-\end{isabelle}
-%
-Here is the resulting subgoal.
-\begin{isabelle}
-\ 1.\ Suc\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))\
-=\ f\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))%
-\end{isabelle}
-
-
-\subsubsection{Division Laws for Fields}
-
-Here is a selection of rules about the division operator.  The following
-are installed as default simplification rules in order to express
-combinations of products and quotients as rational expressions:
-\begin{isabelle}
-a\ *\ (b\ /\ c)\ =\ a\ *\ b\ /\ c
-\rulename{times_divide_eq_right}\isanewline
-b\ /\ c\ *\ a\ =\ b\ *\ a\ /\ c
-\rulename{times_divide_eq_left}\isanewline
-a\ /\ (b\ /\ c)\ =\ a\ *\ c\ /\ b
-\rulename{divide_divide_eq_right}\isanewline
-a\ /\ b\ /\ c\ =\ a\ /\ (b\ *\ c)
-\rulename{divide_divide_eq_left}
-\end{isabelle}
-
-Signs are extracted from quotients in the hope that complementary terms can
-then be cancelled:
-\begin{isabelle}
--\ (a\ /\ b)\ =\ -\ a\ /\ b
-\rulename{minus_divide_left}\isanewline
--\ (a\ /\ b)\ =\ a\ /\ -\ b
-\rulename{minus_divide_right}
-\end{isabelle}
-
-The following distributive law is available, but it is not installed as a
-simplification rule.
-\begin{isabelle}
-(a\ +\ b)\ /\ c\ =\ a\ /\ c\ +\ b\ /\ c%
-\rulename{add_divide_distrib}
-\end{isabelle}
-
-
-\subsubsection{Absolute Value}
-
-The \rmindex{absolute value} function \cdx{abs} is available for all 
-ordered rings, including types \isa{int}, \isa{rat} and \isa{real}.
-It satisfies many properties,
-such as the following:
-\begin{isabelle}
-\isasymbar x\ *\ y\isasymbar \ =\ \isasymbar x\isasymbar \ *\ \isasymbar y\isasymbar 
-\rulename{abs_mult}\isanewline
-(\isasymbar a\isasymbar \ \isasymle \ b)\ =\ (a\ \isasymle \ b\ \isasymand \ -\ a\ \isasymle \ b)
-\rulename{abs_le_iff}\isanewline
-\isasymbar a\ +\ b\isasymbar \ \isasymle \ \isasymbar a\isasymbar \ +\ \isasymbar b\isasymbar 
-\rulename{abs_triangle_ineq}
-\end{isabelle}
-
-\begin{warn}
-The absolute value bars shown above cannot be typed on a keyboard.  They
-can be entered using the X-symbol package.  In \textsc{ascii}, type \isa{abs x} to
-get \isa{\isasymbar x\isasymbar}.
-\end{warn}
-
-
-\subsubsection{Raising to a Power}
-
-Another type class, \tcdx{ordered\_idom}, specifies rings that also have 
-exponentation to a natural number power, defined using the obvious primitive
-recursion. Theory \thydx{Power} proves various theorems, such as the 
-following.
-\begin{isabelle}
-a\ \isacharcircum \ (m\ +\ n)\ =\ a\ \isacharcircum \ m\ *\ a\ \isacharcircum \ n%
-\rulename{power_add}\isanewline
-a\ \isacharcircum \ (m\ *\ n)\ =\ (a\ \isacharcircum \ m)\ \isacharcircum \ n%
-\rulename{power_mult}\isanewline
-\isasymbar a\ \isacharcircum \ n\isasymbar \ =\ \isasymbar a\isasymbar \ \isacharcircum \ n%
-\rulename{power_abs}
-\end{isabelle}%%%%%%%%%%%%%%%%%%%%%%%%%
-\index{numbers|)}
--- a/doc-src/TutorialI/Types/types.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-\chapter{More about Types}
-\label{ch:more-types}
-
-So far we have learned about a few basic types (for example \isa{bool} and
-\isa{nat}), type abbreviations (\isacommand{types}) and recursive datatypes
-(\isacommand{datatype}). This chapter will introduce more
-advanced material:
-\begin{itemize}
-\item Pairs ({\S}\ref{sec:products}) and records ({\S}\ref{sec:records}),
-and how to reason about them.
-\item Type classes: how to specify and reason about axiomatic collections of
-  types ({\S}\ref{sec:axclass}). This section leads on to a discussion of
-  Isabelle's numeric types ({\S}\ref{sec:numbers}).  
-\item Introducing your own types: how to define types that
-  cannot be constructed with any of the basic methods
-  ({\S}\ref{sec:adv-typedef}).
-\end{itemize}
-
-The material in this section goes beyond the needs of most novices.
-Serious users should at least skim the sections as far as type classes.
-That material is fairly advanced; read the beginning to understand what it
-is about, but consult the rest only when necessary.
-
-\index{pairs and tuples|(}
-\input{document/Pairs}    %%%Section "Pairs and Tuples"
-\index{pairs and tuples|)}
-
-\input{document/Records}  %%%Section "Records"
-
-
-\section{Type Classes} %%%Section
-\label{sec:axclass}
-\index{axiomatic type classes|(}
-\index{*axclass|(}
-
-The programming language Haskell has popularized the notion of type
-classes: a type class is a set of types with a
-common interface: all types in that class must provide the functions
-in the interface.  Isabelle offers a similar type class concept: in
-addition, properties (\emph{class axioms}) can be specified which any
-instance of this type class must obey.  Thus we can talk about a type
-$\tau$ being in a class $C$, which is written $\tau :: C$.  This is the case
-if $\tau$ satisfies the axioms of $C$. Furthermore, type classes can be
-organized in a hierarchy.  Thus there is the notion of a class $D$
-being a subclass\index{subclasses} of a class $C$, written $D
-< C$. This is the case if all axioms of $C$ are also provable in $D$.
-
-In this section we introduce the most important concepts behind type
-classes by means of a running example from algebra.  This should give
-you an intuition how to use type classes and to understand
-specifications involving type classes.  Type classes are covered more
-deeply in a separate tutorial \cite{isabelle-classes}.
-
-\subsection{Overloading}
-\label{sec:overloading}
-\index{overloading|(}
-
-\input{document/Overloading}
-
-\index{overloading|)}
-
-\input{document/Axioms}
-
-\index{type classes|)}
-\index{*class|)}
-
-\input{Types/numerics}             %%%Section "Numbers"
-
-\input{document/Typedefs}    %%%Section "Introducing New Types"
--- a/doc-src/TutorialI/appendix.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,190 +0,0 @@
-\appendix
-
-\chapter{Appendix}
-\label{sec:Appendix}
-
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{|l|l|l|}
-\hline
-\indexboldpos{\isasymlbrakk}{$Isabrl} &
-\texttt{[|}\index{$Isabrl@\ttlbr|bold} &
-\verb$\<lbrakk>$ \\
-\indexboldpos{\isasymrbrakk}{$Isabrr} &
-\texttt{|]}\index{$Isabrr@\ttrbr|bold} &
-\verb$\<rbrakk>$ \\
-\indexboldpos{\isasymImp}{$IsaImp} &
-\ttindexboldpos{==>}{$IsaImp} &
-\verb$\<Longrightarrow>$ \\
-\isasymAnd\index{$IsaAnd@\isasymAnd|bold}&
-\texttt{!!}\index{$IsaAnd@\ttAnd|bold} &
-\verb$\<And>$ \\
-\indexboldpos{\isasymequiv}{$IsaEq} &
-\ttindexboldpos{==}{$IsaEq} &
-\verb$\<equiv>$ \\
-\indexboldpos{\isasymrightleftharpoons}{$IsaEqTrans} &
-\ttindexboldpos{==}{$IsaEq} &
-\verb$\<rightleftharpoons>$ \\
-\indexboldpos{\isasymrightharpoonup}{$IsaEqTrans1} &
-\ttindexboldpos{=>}{$IsaFun} &
-\verb$\<rightharpoonup>$ \\
-\indexboldpos{\isasymleftharpoondown}{$IsaEqTrans2} &
-\ttindexboldpos{<=}{$IsaFun2} &
-\verb$\<leftharpoondown>$ \\
-\indexboldpos{\isasymlambda}{$Isalam} &
-\texttt{\%}\indexbold{$Isalam@\texttt{\%}} &
-\verb$\<lambda>$ \\
-\indexboldpos{\isasymFun}{$IsaFun} &
-\ttindexboldpos{=>}{$IsaFun} &
-\verb$\<Rightarrow>$ \\
-\indexboldpos{\isasymand}{$HOL0and} &
-\texttt{\&}\indexbold{$HOL0and@{\texttt{\&}}} &
-\verb$\<and>$ \\
-\indexboldpos{\isasymor}{$HOL0or} &
-\texttt{|}\index{$HOL0or@\ttor|bold} &
-\verb$\<or>$ \\
-\indexboldpos{\isasymimp}{$HOL0imp} &
-\ttindexboldpos{-->}{$HOL0imp} &
-\verb$\<longrightarrow>$ \\
-\indexboldpos{\isasymnot}{$HOL0not} &
-\verb$~$\index{$HOL0not@\verb$~$|bold} &
-\verb$\<not>$ \\
-\indexboldpos{\isasymnoteq}{$HOL0noteq} &
-\verb$~=$\index{$HOL0noteq@\verb$~=$|bold} &
-\verb$\<noteq>$ \\
-\indexboldpos{\isasymforall}{$HOL0All} &
-\ttindexbold{ALL}, \texttt{!}\index{$HOL0All@\ttall|bold} &
-\verb$\<forall>$ \\
-\indexboldpos{\isasymexists}{$HOL0Ex} &
-\ttindexbold{EX}, \texttt{?}\index{$HOL0Ex@\texttt{?}|bold} &
-\verb$\<exists>$ \\
-\isasymuniqex\index{$HOL0ExU@\isasymuniqex|bold} &
-\ttEXU\index{EXX@\ttEXU|bold}, \ttuniquex\index{$HOL0ExU@\ttuniquex|bold} &
-\verb$\<exists>!$\\
-\indexboldpos{\isasymepsilon}{$HOL0ExSome} &
-\ttindexbold{SOME}, \isa{\at}\index{$HOL2list@\isa{\at}} &
-\verb$\<epsilon>$\\
-\indexboldpos{\isasymcirc}{$HOL1} &
-\ttindexbold{o} &
-\verb$\<circ>$\\
-\indexboldpos{\isasymbar~\isasymbar}{$HOL2arithfun}&
-\ttindexbold{abs}&
-\verb$\<bar> \<bar>$\\
-\indexboldpos{\isasymle}{$HOL2arithrel}&
-\isadxboldpos{<=}{$HOL2arithrel}&
-\verb$\<le>$\\
-\indexboldpos{\isasymtimes}{$Isatype}&
-\ttindexboldpos{*}{$HOL2arithfun} &
-\verb$\<times>$\\
-\indexboldpos{\isasymin}{$HOL3Set0a}&
-\ttindexboldpos{:}{$HOL3Set0b} &
-\verb$\<in>$\\
-\isasymnotin\index{$HOL3Set0c@\isasymnotin|bold} &
-\verb$~:$\index{$HOL3Set0d@\verb$~:$|bold} &
-\verb$\<notin>$\\
-\indexboldpos{\isasymsubseteq}{$HOL3Set0e}&
-\verb$<=$ & \verb$\<subseteq>$\\
-\indexboldpos{\isasymsubset}{$HOL3Set0f}&
-\verb$<$ & \verb$\<subset>$\\
-\indexboldpos{\isasymunion}{$HOL3Set1}&
-\ttindexbold{Un} &
-\verb$\<union>$\\
-\indexboldpos{\isasyminter}{$HOL3Set1}&
-\ttindexbold{Int} &
-\verb$\<inter>$\\
-\isasymUnion\index{$HOL3Set2@\isasymUnion|bold}&
-\ttindexbold{UN}, \ttindexbold{Union} &
-\verb$\<Union>$\\
-\isasymInter\index{$HOL3Set2@\isasymInter|bold}&
-\ttindexbold{INT}, \ttindexbold{Inter} &
-\verb$\<Inter>$\\
-\isactrlsup{\isacharasterisk}\index{$HOL4star@\isactrlsup{\isacharasterisk}|bold}&
-\verb$^*$\index{$HOL4star@\verb$^$\texttt{*}|bold} &
-\verb$\<^sup>*$\\
-\isasyminverse\index{$HOL4inv@\isasyminverse|bold}&
-\verb$^-1$\index{$HOL4inv@\verb$^-1$|bold} &
-\verb$\<inverse>$\\
-\hline
-\end{tabular}
-\end{center}
-\caption{Mathematical Symbols, Their \textsc{ascii}-Equivalents and Internal Names}
-\label{tab:ascii}
-\end{table}\indexbold{ASCII@\textsc{ascii} symbols}
-
-\input{document/appendix.tex}
-
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{@{}|lllllllll|@{}}
-\hline
-\texttt{ALL} &
-\texttt{BIT} &
-\texttt{CHR} &
-\texttt{EX} &
-\texttt{GREATEST} &
-\texttt{INT} &
-\texttt{Int} &
-\texttt{LEAST} &
-\texttt{O} \\
-\texttt{OFCLASS} &
-\texttt{PI} &
-\texttt{PROP} &
-\texttt{SIGMA} &
-\texttt{SOME} &
-\texttt{THE} &
-\texttt{TYPE} &
-\texttt{UN} &
-\texttt{Un} \\
-\texttt{WRT} &
-\texttt{case} &
-\texttt{choose} &
-\texttt{div} &
-\texttt{dvd} &
-\texttt{else} &
-\texttt{funcset} &
-\texttt{if} &
-\texttt{in} \\
-\texttt{let} &
-\texttt{mem} &
-\texttt{mod} &
-\texttt{o} &
-\texttt{of} &
-\texttt{op} &
-\texttt{then} &&\\
-\hline
-\end{tabular}
-\end{center}
-\caption{Reserved Words in HOL Terms}
-\label{tab:ReservedWords}
-\end{table}
-
-
-%\begin{table}[htbp]
-%\begin{center}
-%\begin{tabular}{|lllll|}
-%\hline
-%\texttt{and} &
-%\texttt{binder} &
-%\texttt{concl} &
-%\texttt{congs} \\
-%\texttt{distinct} &
-%\texttt{files} &
-%\texttt{in} &
-%\texttt{induction} &
-%\texttt{infixl} \\
-%\texttt{infixr} &
-%\texttt{inject} &
-%\texttt{intrs} &
-%\texttt{is} &
-%\texttt{monos} \\
-%\texttt{output} &
-%\texttt{where} &
-% &
-% &
-% \\
-%\hline
-%\end{tabular}
-%\end{center}
-%\caption{Minor Keywords in HOL Theories}
-%\label{tab:keywords}
-%\end{table}
--- a/doc-src/TutorialI/basics.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,350 +0,0 @@
-\chapter{The Basics}
-
-\section{Introduction}
-
-This book is a tutorial on how to use the theorem prover Isabelle/HOL as a
-specification and verification system. Isabelle is a generic system for
-implementing logical formalisms, and Isabelle/HOL is the specialization
-of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
-HOL step by step following the equation
-\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
-We do not assume that you are familiar with mathematical logic. 
-However, we do assume that
-you are used to logical and set theoretic notation, as covered
-in a good discrete mathematics course~\cite{Rosen-DMA}, and
-that you are familiar with the basic concepts of functional
-programming~\cite{Bird-Haskell,Hudak-Haskell,paulson-ml2,Thompson-Haskell}.
-Although this tutorial initially concentrates on functional programming, do
-not be misled: HOL can express most mathematical concepts, and functional
-programming is just one particularly simple and ubiquitous instance.
-
-Isabelle~\cite{paulson-isa-book} is implemented in ML~\cite{SML}.  This has
-influenced some of Isabelle/HOL's concrete syntax but is otherwise irrelevant
-for us: this tutorial is based on
-Isabelle/Isar~\cite{isabelle-isar-ref}, an extension of Isabelle which hides
-the implementation language almost completely.  Thus the full name of the
-system should be Isabelle/Isar/HOL, but that is a bit of a mouthful.
-
-There are other implementations of HOL, in particular the one by Mike Gordon
-\index{Gordon, Mike}%
-\emph{et al.}, which is usually referred to as ``the HOL system''
-\cite{mgordon-hol}. For us, HOL refers to the logical system, and sometimes
-its incarnation Isabelle/HOL\@.
-
-A tutorial is by definition incomplete.  Currently the tutorial only
-introduces the rudiments of Isar's proof language. To fully exploit the power
-of Isar, in particular the ability to write readable and structured proofs,
-you should start with Nipkow's overview~\cite{Nipkow-TYPES02} and consult
-the Isabelle/Isar Reference Manual~\cite{isabelle-isar-ref} and Wenzel's
-PhD thesis~\cite{Wenzel-PhD} (which discusses many proof patterns)
-for further details. If you want to use Isabelle's ML level
-directly (for example for writing your own proof procedures) see the Isabelle
-Reference Manual~\cite{isabelle-ref}; for details relating to HOL see the
-Isabelle/HOL manual~\cite{isabelle-HOL}. All manuals have a comprehensive
-index.
-
-\section{Theories}
-\label{sec:Basic:Theories}
-
-\index{theories|(}%
-Working with Isabelle means creating theories. Roughly speaking, a
-\textbf{theory} is a named collection of types, functions, and theorems,
-much like a module in a programming language or a specification in a
-specification language. In fact, theories in HOL can be either. The general
-format of a theory \texttt{T} is
-\begin{ttbox}
-theory T
-imports B\(@1\) \(\ldots\) B\(@n\)
-begin
-{\rmfamily\textit{declarations, definitions, and proofs}}
-end
-\end{ttbox}\cmmdx{theory}\cmmdx{imports}
-where \texttt{B}$@1$ \dots\ \texttt{B}$@n$ are the names of existing
-theories that \texttt{T} is based on and \textit{declarations,
-    definitions, and proofs} represents the newly introduced concepts
-(types, functions etc.) and proofs about them. The \texttt{B}$@i$ are the
-direct \textbf{parent theories}\indexbold{parent theories} of~\texttt{T}\@.
-Everything defined in the parent theories (and their parents, recursively) is
-automatically visible. To avoid name clashes, identifiers can be
-\textbf{qualified}\indexbold{identifiers!qualified}
-by theory names as in \texttt{T.f} and~\texttt{B.f}. 
-Each theory \texttt{T} must
-reside in a \textbf{theory file}\index{theory files} named \texttt{T.thy}.
-
-This tutorial is concerned with introducing you to the different linguistic
-constructs that can fill the \textit{declarations, definitions, and
-    proofs} above.  A complete grammar of the basic
-constructs is found in the Isabelle/Isar Reference
-Manual~\cite{isabelle-isar-ref}.
-
-\begin{warn}
-  HOL contains a theory \thydx{Main}, the union of all the basic
-  predefined theories like arithmetic, lists, sets, etc.  
-  Unless you know what you are doing, always include \isa{Main}
-  as a direct or indirect parent of all your theories.
-\end{warn}
-HOL's theory collection is available online at
-\begin{center}\small
-    \url{http://isabelle.in.tum.de/library/HOL/}
-\end{center}
-and is recommended browsing. In subdirectory \texttt{Library} you find
-a growing library of useful theories that are not part of \isa{Main}
-but can be included among the parents of a theory and will then be
-loaded automatically.
-
-For the more adventurous, there is the \emph{Archive of Formal Proofs},
-a journal-like collection of more advanced Isabelle theories:
-\begin{center}\small
-    \url{http://afp.sourceforge.net/}
-\end{center}
-We hope that you will contribute to it yourself one day.%
-\index{theories|)}
-
-
-\section{Types, Terms and Formulae}
-\label{sec:TypesTermsForms}
-
-Embedded in a theory are the types, terms and formulae of HOL\@. HOL is a typed
-logic whose type system resembles that of functional programming languages
-like ML or Haskell. Thus there are
-\index{types|(}
-\begin{description}
-\item[base types,] 
-in particular \tydx{bool}, the type of truth values,
-and \tydx{nat}, the type of natural numbers.
-\item[type constructors,]\index{type constructors}
- in particular \tydx{list}, the type of
-lists, and \tydx{set}, the type of sets. Type constructors are written
-postfix, e.g.\ \isa{(nat)list} is the type of lists whose elements are
-natural numbers. Parentheses around single arguments can be dropped (as in
-\isa{nat list}), multiple arguments are separated by commas (as in
-\isa{(bool,nat)ty}).
-\item[function types,]\index{function types}
-denoted by \isasymFun\indexbold{$IsaFun@\isasymFun}.
-  In HOL \isasymFun\ represents \emph{total} functions only. As is customary,
-  \isa{$\tau@1$ \isasymFun~$\tau@2$ \isasymFun~$\tau@3$} means
-  \isa{$\tau@1$ \isasymFun~($\tau@2$ \isasymFun~$\tau@3$)}. Isabelle also
-  supports the notation \isa{[$\tau@1,\dots,\tau@n$] \isasymFun~$\tau$}
-  which abbreviates \isa{$\tau@1$ \isasymFun~$\cdots$ \isasymFun~$\tau@n$
-    \isasymFun~$\tau$}.
-\item[type variables,]\index{type variables}\index{variables!type}
-  denoted by \ttindexboldpos{'a}{$Isatype}, \isa{'b} etc., just like in ML\@. They give rise
-  to polymorphic types like \isa{'a \isasymFun~'a}, the type of the identity
-  function.
-\end{description}
-\begin{warn}
-  Types are extremely important because they prevent us from writing
-  nonsense.  Isabelle insists that all terms and formulae must be
-  well-typed and will print an error message if a type mismatch is
-  encountered. To reduce the amount of explicit type information that
-  needs to be provided by the user, Isabelle infers the type of all
-  variables automatically (this is called \bfindex{type inference})
-  and keeps quiet about it. Occasionally this may lead to
-  misunderstandings between you and the system. If anything strange
-  happens, we recommend that you ask Isabelle to display all type
-  information via the Proof General menu item \pgmenu{Isabelle} $>$
-  \pgmenu{Settings} $>$ \pgmenu{Show Types} (see \S\ref{sec:interface}
-  for details).
-\end{warn}%
-\index{types|)}
-
-
-\index{terms|(}
-\textbf{Terms} are formed as in functional programming by
-applying functions to arguments. If \isa{f} is a function of type
-\isa{$\tau@1$ \isasymFun~$\tau@2$} and \isa{t} is a term of type
-$\tau@1$ then \isa{f~t} is a term of type $\tau@2$. HOL also supports
-infix functions like \isa{+} and some basic constructs from functional
-programming, such as conditional expressions:
-\begin{description}
-\item[\isa{if $b$ then $t@1$ else $t@2$}]\index{*if expressions}
-Here $b$ is of type \isa{bool} and $t@1$ and $t@2$ are of the same type.
-\item[\isa{let $x$ = $t$ in $u$}]\index{*let expressions}
-is equivalent to $u$ where all free occurrences of $x$ have been replaced by
-$t$. For example,
-\isa{let x = 0 in x+x} is equivalent to \isa{0+0}. Multiple bindings are separated
-by semicolons: \isa{let $x@1$ = $t@1$;\dots; $x@n$ = $t@n$ in $u$}.
-\item[\isa{case $e$ of $c@1$ \isasymFun~$e@1$ |~\dots~| $c@n$ \isasymFun~$e@n$}]
-\index{*case expressions}
-evaluates to $e@i$ if $e$ is of the form $c@i$.
-\end{description}
-
-Terms may also contain
-\isasymlambda-abstractions.\index{lambda@$\lambda$ expressions}
-For example,
-\isa{\isasymlambda{}x.~x+1} is the function that takes an argument \isa{x} and
-returns \isa{x+1}. Instead of
-\isa{\isasymlambda{}x.\isasymlambda{}y.\isasymlambda{}z.~$t$} we can write
-\isa{\isasymlambda{}x~y~z.~$t$}.%
-\index{terms|)}
-
-\index{formulae|(}%
-\textbf{Formulae} are terms of type \tydx{bool}.
-There are the basic constants \cdx{True} and \cdx{False} and
-the usual logical connectives (in decreasing order of priority):
-\indexboldpos{\protect\isasymnot}{$HOL0not}, \indexboldpos{\protect\isasymand}{$HOL0and},
-\indexboldpos{\protect\isasymor}{$HOL0or}, and \indexboldpos{\protect\isasymimp}{$HOL0imp},
-all of which (except the unary \isasymnot) associate to the right. In
-particular \isa{A \isasymimp~B \isasymimp~C} means \isa{A \isasymimp~(B
-  \isasymimp~C)} and is thus logically equivalent to \isa{A \isasymand~B
-  \isasymimp~C} (which is \isa{(A \isasymand~B) \isasymimp~C}).
-
-Equality\index{equality} is available in the form of the infix function
-\isa{=} of type \isa{'a \isasymFun~'a
-  \isasymFun~bool}. Thus \isa{$t@1$ = $t@2$} is a formula provided $t@1$
-and $t@2$ are terms of the same type. If $t@1$ and $t@2$ are of type
-\isa{bool} then \isa{=} acts as \rmindex{if-and-only-if}.
-The formula
-\isa{$t@1$~\isasymnoteq~$t@2$} is merely an abbreviation for
-\isa{\isasymnot($t@1$ = $t@2$)}.
-
-Quantifiers\index{quantifiers} are written as
-\isa{\isasymforall{}x.~$P$} and \isa{\isasymexists{}x.~$P$}. 
-There is even
-\isa{\isasymuniqex{}x.~$P$}, which
-means that there exists exactly one \isa{x} that satisfies \isa{$P$}. 
-Nested quantifications can be abbreviated:
-\isa{\isasymforall{}x~y~z.~$P$} means
-\isa{\isasymforall{}x.\isasymforall{}y.\isasymforall{}z.~$P$}.%
-\index{formulae|)}
-
-Despite type inference, it is sometimes necessary to attach explicit
-\bfindex{type constraints} to a term.  The syntax is
-\isa{$t$::$\tau$} as in \isa{x < (y::nat)}. Note that
-\ttindexboldpos{::}{$Isatype} binds weakly and should therefore be enclosed
-in parentheses.  For instance,
-\isa{x < y::nat} is ill-typed because it is interpreted as
-\isa{(x < y)::nat}.  Type constraints may be needed to disambiguate
-expressions
-involving overloaded functions such as~\isa{+}, 
-\isa{*} and~\isa{<}.  Section~\ref{sec:overloading} 
-discusses overloading, while Table~\ref{tab:overloading} presents the most
-important overloaded function symbols.
-
-In general, HOL's concrete \rmindex{syntax} tries to follow the conventions of
-functional programming and mathematics.  Here are the main rules that you
-should be familiar with to avoid certain syntactic traps:
-\begin{itemize}
-\item
-Remember that \isa{f t u} means \isa{(f t) u} and not \isa{f(t u)}!
-\item
-Isabelle allows infix functions like \isa{+}. The prefix form of function
-application binds more strongly than anything else and hence \isa{f~x + y}
-means \isa{(f~x)~+~y} and not \isa{f(x+y)}.
-\item Remember that in HOL if-and-only-if is expressed using equality.  But
-  equality has a high priority, as befitting a relation, while if-and-only-if
-  typically has the lowest priority.  Thus, \isa{\isasymnot~\isasymnot~P =
-    P} means \isa{\isasymnot\isasymnot(P = P)} and not
-  \isa{(\isasymnot\isasymnot P) = P}. When using \isa{=} to mean
-  logical equivalence, enclose both operands in parentheses, as in \isa{(A
-    \isasymand~B) = (B \isasymand~A)}.
-\item
-Constructs with an opening but without a closing delimiter bind very weakly
-and should therefore be enclosed in parentheses if they appear in subterms, as
-in \isa{(\isasymlambda{}x.~x) = f}.  This includes 
-\isa{if},\index{*if expressions}
-\isa{let},\index{*let expressions}
-\isa{case},\index{*case expressions}
-\isa{\isasymlambda}, and quantifiers.
-\item
-Never write \isa{\isasymlambda{}x.x} or \isa{\isasymforall{}x.x=x}
-because \isa{x.x} is always taken as a single qualified identifier. Write
-\isa{\isasymlambda{}x.~x} and \isa{\isasymforall{}x.~x=x} instead.
-\item Identifiers\indexbold{identifiers} may contain the characters \isa{_} 
-and~\isa{'}, except at the beginning.
-\end{itemize}
-
-For the sake of readability, we use the usual mathematical symbols throughout
-the tutorial. Their \textsc{ascii}-equivalents are shown in table~\ref{tab:ascii} in
-the appendix.
-
-\begin{warn}
-A particular problem for novices can be the priority of operators. If
-you are unsure, use additional parentheses. In those cases where
-Isabelle echoes your input, you can see which parentheses are dropped
---- they were superfluous. If you are unsure how to interpret
-Isabelle's output because you don't know where the (dropped)
-parentheses go, set the Proof General flag \pgmenu{Isabelle} $>$
-\pgmenu{Settings} $>$ \pgmenu{Show Brackets} (see \S\ref{sec:interface}).
-\end{warn}
-
-
-\section{Variables}
-\label{sec:variables}
-\index{variables|(}
-
-Isabelle distinguishes free and bound variables, as is customary. Bound
-variables are automatically renamed to avoid clashes with free variables. In
-addition, Isabelle has a third kind of variable, called a \textbf{schematic
-  variable}\index{variables!schematic} or \textbf{unknown}\index{unknowns}, 
-which must have a~\isa{?} as its first character.  
-Logically, an unknown is a free variable. But it may be
-instantiated by another term during the proof process. For example, the
-mathematical theorem $x = x$ is represented in Isabelle as \isa{?x = ?x},
-which means that Isabelle can instantiate it arbitrarily. This is in contrast
-to ordinary variables, which remain fixed. The programming language Prolog
-calls unknowns {\em logical\/} variables.
-
-Most of the time you can and should ignore unknowns and work with ordinary
-variables. Just don't be surprised that after you have finished the proof of
-a theorem, Isabelle will turn your free variables into unknowns.  It
-indicates that Isabelle will automatically instantiate those unknowns
-suitably when the theorem is used in some other proof.
-Note that for readability we often drop the \isa{?}s when displaying a theorem.
-\begin{warn}
-  For historical reasons, Isabelle accepts \isa{?} as an ASCII representation
-  of the \(\exists\) symbol.  However, the \isa{?} character must then be followed
-  by a space, as in \isa{?~x. f(x) = 0}.  Otherwise, \isa{?x} is
-  interpreted as a schematic variable.  The preferred ASCII representation of
-  the \(\exists\) symbol is \isa{EX}\@. 
-\end{warn}%
-\index{variables|)}
-
-\section{Interaction and Interfaces}
-\label{sec:interface}
-
-The recommended interface for Isabelle/Isar is the (X)Emacs-based
-\bfindex{Proof General}~\cite{proofgeneral,Aspinall:TACAS:2000}.
-Interaction with Isabelle at the shell level, although possible,
-should be avoided. Most of the tutorial is independent of the
-interface and is phrased in a neutral language. For example, the
-phrase ``to abandon a proof'' corresponds to the obvious
-action of clicking on the \pgmenu{Undo} symbol in Proof General.
-Proof General specific information is often displayed in paragraphs
-identified by a miniature Proof General icon. Here are two examples:
-\begin{pgnote}
-Proof General supports a special font with mathematical symbols known
-as ``x-symbols''. All symbols have \textsc{ascii}-equivalents: for
-example, you can enter either \verb!&!  or \verb!\<and>! to obtain
-$\land$. For a list of the most frequent symbols see table~\ref{tab:ascii}
-in the appendix.
-
-Note that by default x-symbols are not enabled. You have to switch
-them on via the menu item \pgmenu{Proof-General} $>$ \pgmenu{Options} $>$
-\pgmenu{X-Symbols} (and save the option via the top-level
-\pgmenu{Options} menu).
-\end{pgnote}
-
-\begin{pgnote}
-Proof General offers the \pgmenu{Isabelle} menu for displaying
-information and setting flags. A particularly useful flag is
-\pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgdx{Show Types} which
-causes Isabelle to output the type information that is usually
-suppressed. This is indispensible in case of errors of all kinds
-because often the types reveal the source of the problem. Once you
-have diagnosed the problem you may no longer want to see the types
-because they clutter all output. Simply reset the flag.
-\end{pgnote}
-
-\section{Getting Started}
-
-Assuming you have installed Isabelle and Proof General, you start it by typing
-\texttt{Isabelle} in a shell window. This launches a Proof General window.
-By default, you are in HOL\footnote{This is controlled by the
-\texttt{ISABELLE_LOGIC} setting, see \emph{The Isabelle System Manual}
-for more details.}.
-
-\begin{pgnote}
-You can choose a different logic via the \pgmenu{Isabelle} $>$
-\pgmenu{Logics} menu.
-\end{pgnote}
--- a/doc-src/TutorialI/cl2emono-modified.sty	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1371 +0,0 @@
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%  This is cl2emono.sty version 2.2
-%%  (intermediate fix also for springer.sty for the use of
-%%  LaTeX2e and NFSS2)
-%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%  This is ucgreek
-%  the definition of versal greek characters
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\mathchardef\Gamma="0100
-\mathchardef\Delta="0101
-\mathchardef\Theta="0102
-\mathchardef\Lambda="0103
-\mathchardef\Xi="0104
-\mathchardef\Pi="0105
-\mathchardef\Sigma="0106
-\mathchardef\Upsilon="0107
-\mathchardef\Phi="0108
-\mathchardef\Psi="0109
-\mathchardef\Omega="010A
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is referee.tex
-%
-% It defines the style option "referee"
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newif\if@referee \@refereefalse
-\def\ds@referee{\@refereetrue
-\typeout{A referee's copy will be produced.}%
-\def\baselinestretch{2}\small
-\normalsize\rm
-\newbox\refereebox
-\setbox\refereebox=\vbox to0pt{\vskip0.5cm%
-  \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
-        \hbox{\kern5pt referee's copy\kern5pt}\hrulefill}\vss}%
-\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
-% This is footinfo.tex
-% it provides an informatory line on every page
-%
-\def\SpringerMacroPackageNameA{\springerstylefile}
-% \thetime, \thedate and \timstamp are macros to include
-% time, date (or both) of the TeX run in the document
-\def\maketimestamp{\count255=\time
-\divide\count255 by 60\relax
-\edef\thetime{\the\count255:}%
-\multiply\count255 by-60\relax
-\advance\count255 by\time
-\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
-\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
-             Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
-             Nov\or Dec\fi-\number\year}
-\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
-\maketimestamp
-%
-% \footinfo generates a info footline on every page containing
-% pagenumber, jobname, macroname, and timestamp
-\def\ds@footinfo{\maketimestamp
-   \def\@oddfoot{\footnotesize\tt Page: \thepage\hfil job: \jobname\hfil
-                 macro: \SpringerMacroPackageNameA\hfil
-                 date/time: \thedate/\thetime}%
-   \let\@evenfoot=\@oddfoot}
-\def\footinfo{\maketimestamp
-   \ds@footinfo
-   \typeout{You ordered a foot-info line. }}
-\def\nofootinfo{%
-   \def\@oddfoot{}\def\@evenfoot{}%
-   \typeout{Foot-info has been disabled. }}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is vector.tex
-%
-% It redefines the plain TeX \vec command
-% and adds a \tens command for tensors
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% ##### (changed by RB)
-\def\vec@style{\relax} % hook to change style of vector
-                       % default yields boldface italic
-% \def\vec@style{\bf}  % hook to change style of vector
-%                      % default yields mathstyle i.e. boldface upright
-
-\def\vec#1{\relax\ifmmode\mathchoice
-{\mbox{\boldmath$\vec@style\displaystyle#1$}}
-{\mbox{\boldmath$\vec@style\textstyle#1$}}
-{\mbox{\boldmath$\vec@style\scriptstyle#1$}}
-{\mbox{\boldmath$\vec@style\scriptscriptstyle#1$}}\else
-\hbox{\boldmath$\vec@style\textstyle#1$}\fi}
-
-\def\tens#1{\relax\ifmmode\mathchoice{\mbox{$\sf\displaystyle#1$}}
-{\mbox{$\sf\textstyle#1$}}
-{\mbox{$\sf\scriptstyle#1$}}
-{\mbox{$\sf\scriptscriptstyle#1$}}\else
-\hbox{$\sf\textstyle#1$}\fi}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is vecstyle.tex
-%
-% It enables documentstyle options vecmath and vecphys
-% to change the vectors to upright bold face or
-% to math italic bold respectively
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\ds@vecmath{\def\vec@style{\bf}\typeout{Vectors are now represented
-in mathematics style as boldface upright characters.}}
-\def\ds@vecphys{\let\vec@style\relax\typeout{Vectors are now represented
-in physics style as boldface italics.}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is defaults.tex
-%
-% It sets the switches for twoside printing, numbering
-% of equations and kind of citation.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\@twosidetrue                       % twoside is default
-\newif\if@bibay    \@bibayfalse     % citation with numbers
-                                    % is default
-\newif\if@numart   \@numartfalse    % numbering with chapternumbers
-                                    % is default
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is misc.xxx
-%
-% It defines various commands not available in "plain LaTeX"
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newcommand{\ts}{\thinspace{}}
-\newcommand{\sq}{\hbox{\rlap{$\sqcap$}$\sqcup$}}
-\newcommand{\qed}{\ifmmode\sq\else{\unskip\nobreak\hfil
-  \penalty50\hskip1em\null\nobreak\hfil\sq
-  \parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi{}}
-\def\D{{\rm d}}
-\def\E{{\rm e}}
-\let\eul=\E
-\def\I{{\rm i}}
-\let\imag=\I
-\def\strich{\vskip0.5cm\hrule\vskip3ptplus12pt\null}
-
-% Frame for paste-in figures or tables
-%\def\mpicplace#1#2{%#1 = width   #2 = height
-%\vbox{\@tempdima=#2\advance\@tempdima by-2\fboxrule
-%\hrule\@height \fboxrule\@width #1
-%\hbox to #1{\vrule\@width \fboxrule\@height\@tempdima\hfil
-%\vrule\@width \fboxrule\@height\@tempdima}\hrule\@height
-%\fboxrule\@width #1}}
-
-% #####
-% Frame for paste-in figures or tables
-\def\mpicplace#1#2{%  #1 =width   #2 =height
-\vbox{\hbox to #1{\vrule width \fboxrule height #2\hfill}}}
-
-\def\picplace#1{\mpicplace{\hsize}{#1}}
-% Ragged bottom for the actual page
-\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
-\global\let\@textbottom\relax}}
-\flushbottom
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is layout.m01
-%
-% It defines various sizes and settings for books
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\topmargin=0cm
-\textwidth=11.7cm
-\textheight=18.9cm
-\oddsidemargin=0.7cm
-\evensidemargin=0.7cm
-\headsep=12pt
-
-\baselineskip=12pt
-\parindent=15pt
-\parskip=0pt plus 1pt
-\hfuzz=2pt
-\frenchspacing
-
-\tolerance=500
-
-\abovedisplayskip=3mm plus6pt minus 4pt
-\belowdisplayskip=3mm plus6pt minus 4pt
-\abovedisplayshortskip=0mm plus6pt minus 2pt
-\belowdisplayshortskip=2mm plus4pt minus 4pt
-
-\predisplaypenalty=0
-\clubpenalty=10000
-\widowpenalty=10000
-
-\newdimen\betweenumberspace          % dimension for space between
-\betweenumberspace=5pt               % number and text of titles.
-\newdimen\headlineindent             % dimension for space between
-\headlineindent=2.5cc                % number and text of headings.
-
-\intextsep 20pt plus 2pt minus 2pt
-
-\setcounter{topnumber}{4}
-\def\topfraction{.9}
-\setcounter{bottomnumber}{2}
-\def\bottomfraction{.5}
-\setcounter{totalnumber}{6}
-\def\textfraction{.2}
-\def\floatpagefraction{.5}
-
-% Figures and tables are processed in small print
-\def \@floatboxreset {%
-        \reset@font
-        \small
-        \@setnobreak
-        \@setminipage
-}
-\def\figure{\@float{figure}}
-\@namedef{figure*}{\@dblfloat{figure}}
-\def\table{\@float{table}}
-\@namedef{table*}{\@dblfloat{table}}
-\def\fps@figure{htbp}
-\def\fps@table{htbp}
-
-\labelsep=5\p@                       % measures for lists
-\leftmargini=17.777\p@
-\labelwidth\leftmargini\advance\labelwidth-\labelsep
-\leftmarginii=\leftmargini
-\leftmarginiii=\leftmargini
-\parsep=\parskip
-
-\def\@listI{\leftmargin\leftmargini
-        \parsep=\parskip
-        \topsep=\medskipamount
-        \itemsep=\parskip \advance\itemsep by -\parsep}
-\let\@listi\@listI
-\@listi
-
-\def\@listii{\leftmargin\leftmarginii
-        \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
-        \parsep=\parskip
-        \topsep=\z@
-        \itemsep=\parskip \advance\itemsep by -\parsep}
-\def\@listiii{\leftmargin\leftmarginiii
-        \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
-        \parsep=\parskip
-        \topsep=\z@
-        \itemsep=\parskip \advance\itemsep by -\parsep}
-%
-\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
-\abovedisplayskip=3mm plus6pt minus 4pt
-\belowdisplayskip=3mm plus6pt minus 4pt
-\abovedisplayshortskip=0mm plus6pt minus 2pt
-\belowdisplayshortskip=2mm plus4pt minus 4pt
-\let\@listi\@listI}   % Setting of \@listi added 9 Jun 87
-%
-\def\small{\@setsize\small{10pt}\ixpt\@ixpt
-\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@
-\belowdisplayskip \abovedisplayskip
-\abovedisplayshortskip \z@ plus2\p@
-\belowdisplayshortskip 4\p@ plus2\p@ minus2\p@
-\def\@listi{\leftmargin\leftmargini
-\topsep 4pt plus 2pt minus 2pt\parsep\parskip
-\itemsep\parskip}}
-%
-\def\itemize{\ifnum \@itemdepth >3 \@toodeep\else \advance\@itemdepth \@ne
-\ifnum \@itemdepth=1 \leftmargini=10\p@
-\labelwidth\leftmargini\advance\labelwidth-\labelsep
-\leftmarginii=\leftmargini \leftmarginiii=\leftmargini \fi
-\edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
-\list{\csname\@itemitem\endcsname}{\def\makelabel##1{\rlap{##1}\hss}}\fi}
-%
-\newdimen\verbatimindent \verbatimindent\parindent
-\def\verbatim{\advance\@totalleftmargin by\verbatimindent
-\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
-%
-\let\footnotesize=\small
-%
-\def\petit{\par\addvspace{6pt}\small}
-\def\endpetit{\par\addvspace{6pt}}
-%
-\raggedbottom
-\normalsize  % Choose the normalsize font.
-% This is texte.tex
-% it defines various texts and their translations
-% called up with documentstyle options
-\def\abstractname{Summary.}
-\def\ackname{Acknowledgement.}
-\def\andname{and}
-\def\lastandname{, and}
-\def\appendixname{Appendix}
-\def\chaptername{Chapter}
-\def\claimname{Claim}
-\def\conjecturename{Conjecture}
-\def\contentsname{Table of Contents}
-\def\corollaryname{Corollary}
-\def\definitionname{Definition}
-\def\examplename{Example}
-\def\exercisename{Exercise}
-\def\figurename{Fig.}
-\def\keywordname{{\bf Key words:}}
-\def\indexname{Index}
-\def\lemmaname{Lemma}
-\def\contriblistname{List of Contributors}
-\def\listfigurename{List of Figures}
-\def\listtablename{List of Tables}
-\def\mailname{{\it Correspondence to\/}:}
-\def\noteaddname{Note added in proof}
-\def\notename{Note}
-\def\partname{Part}
-\def\problemname{Problem}
-\def\proofname{Proof}
-\def\propertyname{Property}
-\def\propositionname{Proposition}
-\def\questionname{Question}
-\def\remarkname{Remark}
-\def\seename{see}
-\def\solutionname{Solution}
-\def\subclassname{{\it Subject Classifications\/}:}
-\def\tablename{Table}
-\def\theoremname{Theorem}
-% Names of theorem like environments are already defined
-% but must be translated if another language is chosen
-%
-% French section
-\def\ds@francais{\typeout{On parle francais.}%
- \def\abstractname{R\'esum\'e.}%
- \def\ackname{Remerciements.}%
- \def\andname{et}%
- \def\lastandname{ et}%
- \def\appendixname{Appendice}
- \def\chaptername{Chapitre}%
- \def\claimname{Pr\'etention}%
- \def\conjecturename{Hypoth\`ese}%
- \def\contentsname{Table des mati\`eres}%
- \def\corollaryname{Corollaire}%
- \def\definitionname{D\'efinition}%
- \def\examplename{Exemple}%
- \def\exercisename{Exercice}%
- \def\figurename{Fig.}%
- \def\keywordname{{\bf Mots-cl\'e:}}
- \def\indexname{Index}
- \def\lemmaname{Lemme}%
- \def\contriblistname{Liste des contributeurs}
- \def\listfigurename{Liste des figures}%
- \def\listtablename{Liste des tables}%
- \def\mailname{{\it Correspondence to\/}:}
- \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
- \def\notename{Remarque}%
- \def\partname{Partie}%
- \def\problemname{Probl\`eme}%
- \def\proofname{\'Epreuve}%
- \def\propertyname{Caract\'eristique}%
-%\def\propositionname{Proposition}%
- \def\questionname{Question}%
- \def\remarkname{Remarque}%
- \def\seename{voir}
- \def\solutionname{Solution}%
- \def\subclassname{{\it Subject Classifications\/}:}
- \def\tablename{Tableau}%
- \def\theoremname{Th\'eor\`eme}%
-}
-%
-% German section
-\def\ds@deutsch{\typeout{Man spricht deutsch.}%
- \def\abstractname{Zusammenfassung.}%
- \def\ackname{Danksagung.}%
- \def\andname{und}%
- \def\lastandname{ und}%
- \def\appendixname{Anhang}%
- \def\chaptername{Kapitel}%
- \def\claimname{Behauptung}%
- \def\conjecturename{Hypothese}%
- \def\contentsname{Inhaltsverzeichnis}%
- \def\corollaryname{Korollar}%
-%\def\definitionname{Definition}%
- \def\examplename{Beispiel}%
- \def\exercisename{\"Ubung}%
- \def\figurename{Abb.}%
- \def\keywordname{{\bf Schl\"usselw\"orter:}}
- \def\indexname{Index}
-%\def\lemmaname{Lemma}%
- \def\contriblistname{Mitarbeiter}
- \def\listfigurename{Abbildungsverzeichnis}%
- \def\listtablename{Tabellenverzeichnis}%
- \def\mailname{{\it Correspondence to\/}:}
- \def\noteaddname{Nachtrag}%
- \def\notename{Anmerkung}%
- \def\partname{Teil}%
-%\def\problemname{Problem}%
- \def\proofname{Beweis}%
- \def\propertyname{Eigenschaft}%
-%\def\propositionname{Proposition}%
- \def\questionname{Frage}%
- \def\remarkname{Anmerkung}%
- \def\seename{siehe}
- \def\solutionname{L\"osung}%
- \def\subclassname{{\it Subject Classifications\/}:}
- \def\tablename{Tabelle}%
-%\def\theoremname{Theorem}%
-}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is titneu.xxx
-%
-% It redefines titles. Usage is like Lamport described.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\setcounter{secnumdepth}{2}           % depth of the highest-level
-                                      % sectioning command
-\newcounter{chapter}                  % to use chapter together with
-\@addtoreset{section}{chapter}        % article.sty
-\@addtoreset{footnote}{chapter}
-
-\def\thechapter{\arabic{chapter}}     % how titles will be typeset
-\def\thesection{\thechapter.\arabic{section}}
-\def\thesubsection{\thesection.\arabic{subsection}}
-\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
-\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
-\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
-\def\chaptermark#1{}
-\def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
-      \hangindent \z@\noindent\box\@tempboxa}
-
-% definition of chapter
-
-\def\@chapapp{\chaptername}
-
-\def\@makechapterhead#1{{\parindent0pt\raggedright
-  \hyphenpenalty \@M
-  \Large\bf\boldmath
-  \sec@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
-  \ignorespaces#1\par
-  \ifdim\pagetotal>118pt
-     \vskip 24pt
-  \else
-     \@tempdima=118pt\advance\@tempdima by-\pagetotal
-     \vskip\@tempdima
-  \fi}}
-
-\def\@makeschapterhead#1{{\parindent0pt\raggedright
-  \hyphenpenalty \@M
-  \Large\bf\boldmath
-  \ignorespaces#1\par
-  \ifdim\pagetotal>118pt
-     \vskip 24pt
-  \else
-     \@tempdima=118pt\advance\@tempdima by-\pagetotal
-     \vskip\@tempdima
-  \fi}}
-
-\newcommand{\clearemptydoublepage}{%
-        \newpage{\pagestyle{empty}\cleardoublepage}}
-
-\def\chapter{\clearemptydoublepage\thispagestyle{empty}
-   \global\@topnum\z@\@afterindentfalse
-   \secdef\@chapter\@schapter}
-
-\def\@chapter[#1]#2{\ifnum\c@secnumdepth>\m@ne
-   \refstepcounter{chapter}
-   \typeout{\@chapapp\space\thechapter}
-   \addcontentsline{toc}{chapter}{\protect
-      \numberline{\thechapter\thechapterend}#1}\else %!!!
-      \addcontentsline{toc}{chapter}{#1}
-   \fi
-   \chaptermark{#1}
-   \addtocontents{lof}{\protect\addvspace{10pt}}
-   \addtocontents{lot}{\protect\addvspace{10pt}}
-   \if@twocolumn
-       \@topnewpage[\@makechapterhead{#2}]
-   \else \@makechapterhead{#2}
-           \@afterheading
-   \fi}
-
-\def\@schapter#1{\if@twocolumn\@topnewpage[\@makeschapterhead{#1}]
-        \else \@makeschapterhead{#1}
-              \@afterheading\fi}
-
-% Appendix
-\def\appendix{\par
-  \setcounter{chapter}{0}%
-  \setcounter{section}{0}%
-  \def\@chapapp{\appendixname}%
-  \def\thechapter{\Alph{chapter}}}
-
-%  definition of sections
-%  \hyphenpenalty and \raggedright added, so that there is no
-%  hyphenation and the text is set ragged-right in sectioning
-
-\def\runinsep{.}
-\def\aftertext{\unskip\runinsep}
-
-\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
-   \let\@svsec\@empty\else
-   \refstepcounter{#1}\edef\@svsec{\csname the#1\endcsname
-                                   \hskip\betweenumberspace
-                                   \ignorespaces}\fi
-   \@tempskipa #5\relax
-    \ifdim \@tempskipa>\z@
-      \begingroup #6\relax
-        \sec@hangfrom{\hskip #3\relax\@svsec}{%
-        \raggedright
-        \hyphenpenalty \@M
-        \interlinepenalty \@M #8\par}%
-      \endgroup
-     \csname #1mark\endcsname{#7}\addcontentsline
-       {toc}{#1}{\ifnum #2>\c@secnumdepth \else
-                    \protect\numberline{\csname the#1\endcsname}\fi
-                  #7}\else
-     \def\@svsechd{#6\hskip #3\relax
-                \@svsec #8\aftertext\ignorespaces
-                    \csname #1mark\endcsname
-                    {#7}\addcontentsline
-                         {toc}{#1}{\ifnum #2>\c@secnumdepth \else
-                           \protect\numberline{\csname the#1\endcsname}\fi
-                     #7}}\fi
-   \@xsect{#5}}
-
-% measures and setting of sections
-
-\def\section{\@startsection{section}{1}{\z@}%
-    {-25pt plus-4pt minus-4pt}{12.5pt plus4pt
-     minus4pt}{\large\bf\boldmath}}
-\def\subsection{\@startsection{subsection}{2}{\z@}%
-    {-17pt plus-4pt minus-4pt}{10pt plus4pt
-     minus4pt}{\normalsize\bf\boldmath}}
-\def\subsubsection{\@startsection{subsubsection}{3}{\z@}%
-    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\bf\boldmath}}
-\def\paragraph{\@startsection{paragraph}{4}{\z@}%
-    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
-\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
-    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
-
-%  definition of \part
-\def\thepart{\Roman{part}}
-\def\part{\clearemptydoublepage   % Starts new page.
-   \thispagestyle{empty}     % Page style of part page is empty
-  \if@twocolumn              % IF two-column style
-     \onecolumn              %  THEN \onecolumn
-     \@tempswatrue           %       @tempswa := true
-    \else \@tempswafalse     %  ELSE @tempswa := false
-  \fi                        % FI
-% \hbox{}\vfil               % Add fil glue to center title
-%%  \bgroup  \centering      % BEGIN centering %% Removed 19 Jan 88
-  \secdef\@part\@spart}
-
-
-\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax  % IF secnumdepth > -2
-        \refstepcounter{part}                     %   THEN step part counter
-        \addcontentsline{toc}{part}{\partname\    %        add toc line
-        \thepart. #1}\else                        %   ELSE add unnumbered line
-        \addcontentsline{toc}{part}{#1}\fi        % FI
-   \markboth{}{}
-   {\raggedleft                      % added 8.1.92 FUH
-    \ifnum \c@secnumdepth >-2\relax  % IF secnumdepth > -2
-      \Large\partname\ \thepart      %   THEN Print 'Part' and number
-    \par                             %         in \Large
-    \vskip 103.3pt \fi               %        Add space before title.
-    \bf\boldmath                     % FI
-    #2\par}\@endpart}                % Print Title in \Large bold.
-
-
-% \@endpart finishes the part page
-%
-\def\@endpart{\vfil\newpage   % End page with 1fil glue.
-   \if@twoside                % IF twoside printing
-       \hbox{}                %   THEN Produce totally blank page
-       \thispagestyle{empty}
-       \newpage
-   \fi                        % FI
-   \if@tempswa                % IF @tempswa = true
-     \twocolumn               %   THEN \twocolumn
-   \fi}                       % FI
-
-\def\@spart#1{{\raggedleft     % added 8 Jan 92 FUH
-   \Large\bf\boldmath          % Print title in \Large-boldface
-   #1\par}\@endpart}
-
-\def\subtitle#1{\gdef\@subtitle{#1}}
-\def\@subtitle{}
-
-\def\maketitle{\par
- \begingroup
-   \def\thefootnote{\fnsymbol{footnote}}%
-   \def\@makefnmark{\hbox
-       to\z@{$\m@th^{\@thefnmark}$\hss}}%
-   \if@twocolumn
-     \twocolumn[\@maketitle]%
-     \else \newpage
-     \global\@topnum\z@   % Prevents figures from going at top of page.
-     \@maketitle \fi\thispagestyle{empty}\@thanks
-     \par\penalty -\@M
- \endgroup
- \setcounter{footnote}{0}%
- \let\maketitle\relax
- \let\@maketitle\relax
- \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
-
-\def\@maketitle{\newpage
- \null
- \vskip 2em                 % Vertical space above title.
-\begingroup
-  \def\and{\unskip, }
-  \parindent=\z@
-  \pretolerance=10000
-  \rightskip=0pt plus 3cm
-  {\LARGE                   % each author set in \LARGE
-   \lineskip .5em
-   \@author
-   \par}%
-  \vskip 2cm                % Vertical space after author.
-  {\Huge \@title \par}%     % Title set in \Huge size.
-  \vskip 1cm                % Vertical space after title.
-  \if!\@subtitle!\else
-   {\LARGE\ignorespaces\@subtitle \par}
-   \vskip 1cm                % Vertical space after subtitle.
-  \fi
-  \if!\@date!\else
-    {\large \@date}%          % Date set in \large size.
-    \par
-    \vskip 1.5em               % Vertical space after date.
-  \fi
- \vfill
- {\Large Springer-\kern-0.1em Verlag\par}
- \vskip 5pt
- \large
-   Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
-   London\enspace Paris\enspace Tokyo\\
-   Hong\thinspace Kong\enspace Barcelona\\
-   Budapest\par
-\endgroup}
-
-\def\abstract{\if@twocolumn
-\section*{\abstractname}%
-\else \small
-\begin{center}%
-{\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
-\end{center}%
-\quotation
-\fi}
-
-\def\endabstract{\if@twocolumn\else\endquotation\fi}
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is toc.xxx
-%
-% it modifies the appearence of the table of contents
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
- \@starttoc{toc}\if@restonecol\twocolumn\fi}
-
-\setcounter{tocdepth}{2}
-
-\def\l@part#1#2{\addpenalty{\@secpenalty}%
-   \addvspace{2em plus\p@}%  % space above part line
-   \begingroup
-     \parindent \z@
-     \rightskip \z@ plus 5em
-     \hrule\vskip5pt
-     \bf\boldmath        % set line in boldface
-     \leavevmode          % TeX command to enter horizontal mode.
-     #1\par
-     \vskip5pt
-     \hrule
-     \vskip1pt
-     \nobreak             % Never break after part entry
-   \endgroup}
-
-\def\@dotsep{2}
-
-\def\l@chapter#1#2{\addpenalty{-\@highpenalty}
- \vskip 1.0em plus 1pt \@tempdima \tocchpnum \begingroup
- \parindent \z@ \rightskip \@pnumwidth
- \parfillskip -\@pnumwidth
- \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
- {\bf\boldmath#1}\nobreak
- \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
- \@dotsep mu$}\hfill
- \nobreak\hbox to\@pnumwidth{\hss #2}\par
- \penalty\@highpenalty \endgroup}
-
-\newdimen\tocchpnum
-\newdimen\tocsecnum
-\newdimen\tocsectotal
-\newdimen\tocsubsecnum
-\newdimen\tocsubsectotal
-\newdimen\tocsubsubsecnum
-\newdimen\tocsubsubsectotal
-\newdimen\tocparanum
-\newdimen\tocparatotal
-\newdimen\tocsubparanum
-\tocchpnum=20\p@            % chapter {\bf 88.} plus 5.3pt
-\tocsecnum=22.5\p@          % section 88.8. plus 4.722pt
-\tocsubsecnum=30.5\p@       % subsection 88.8.8 plus 4.944pt
-\tocsubsubsecnum=38\p@      % subsubsection 88.8.8.8 plus 4.666pt
-\tocparanum=45\p@           % paragraph 88.8.8.8.8 plus 3.888pt
-\tocsubparanum=53\p@        % subparagraph 88.8.8.8.8.8 plus 4.11pt
-\def\calctocindent{%
-\tocsectotal=\tocchpnum
-\advance\tocsectotal by\tocsecnum
-\tocsubsectotal=\tocsectotal
-\advance\tocsubsectotal by\tocsubsecnum
-\tocsubsubsectotal=\tocsubsectotal
-\advance\tocsubsubsectotal by\tocsubsubsecnum
-\tocparatotal=\tocsubsubsectotal
-\advance\tocparatotal by\tocparanum}
-\calctocindent
-
-\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
-\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
-\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
-\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
-\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
-
-\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
- \@starttoc{lof}\if@restonecol\twocolumn\fi}
-\def\l@figure{\@dottedtocline{1}{0em}{\tocsecnum}}
-
-\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
- \@starttoc{lot}\if@restonecol\twocolumn\fi}
-\let\l@table\l@figure
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is runnhead.xxx
-%
-% It redefines the headings of a text. There are two
-% pagestyles possible: "\pagestyle{headings}" and
-% "\pagestyle{myheadings}". "\pagestyle{headings}" is
-% default.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-\@ifundefined{thechapterend}{\def\thechapterend{.}}{}
-\if@twoside
-\def\ps@headings{\let\@mkboth\markboth
-   \def\@oddfoot{}\def\@evenfoot{}
-   \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
-                  \leftmark\hfil}
-   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
-                  \llap{\thepage}}
-   \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
-      \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
-      \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
-   \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
-      \thesection\hskip\betweenumberspace\fi ##1}}}}
-\else \def\ps@headings{\let\@mkboth\markboth
-   \def\@oddfoot{}\def\@evenfoot{}
-   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
-                 \llap{\thepage}}
-   \def\chaptermark##1{\markright{{\ifnum\c@secnumdepth>\m@ne
-      \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}} %!!!
-\fi
-\def\ps@myheadings{\let\@mkboth\@gobbletwo
-   \def\@oddfoot{}\def\@evenfoot{}
-   \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
-                  \leftmark\hfil}
-   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
-                  \llap{\thepage}}
-   \def\chaptermark##1{}
-   \def\sectionmark##1{}%
-   \def\subsectionmark##1{}}
-\ps@headings
-
-% Definition of the "\spnewtheorem" command.
-%
-% Usage:
-%
-%     \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
-% or  \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
-% or  \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
-%
-% New is "cap_font" and "body_font". It stands for
-% fontdefinition of the caption and the text itself.
-%
-% "\spnewtheorem*" gives a theorem without number.
-%
-% A defined spnewthoerem environment is used as described
-% by Lamport.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\let\if@envcntreset\iffalse % environment counter is reset each chapter
-\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue}
-\let\if@envcntsame\iffalse  % NOT all environments like "Theorem",
-                            % each using its own counter
-\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
-\def\envankh{section}       % show \thesection along with theorem number
-\DeclareOption{envcountchap}{\def\envankh{chapter}%
-\ExecuteOptions{envcountsect}}
-\let\if@envcntsect\iftrue   % show \csname the\envankh\endcsname along
-                            % with environment number
-\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue}
-\ProcessOptions
-
-\def\@thmcountersep{.}
-\def\@thmcounterend{.}
-
-\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
-
-% definition of \spnewtheorem with number
-
-\def\@spnthm#1#2{%
-  \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
-\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
-
-\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
-   {\@definecounter{#1}\@addtoreset{#1}{#3}%
-   \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
-     \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
-   \expandafter\xdef\csname #1name\endcsname{#2}%
-   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
-                              \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
-   {\@definecounter{#1}%
-   \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
-   \expandafter\xdef\csname #1name\endcsname{#2}%
-   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
-                               \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spothm#1[#2]#3#4#5{%
-  \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
-  {\expandafter\@ifdefinable\csname #1\endcsname
-  {\global\@namedef{the#1}{\@nameuse{the#2}}%
-  \expandafter\xdef\csname #1name\endcsname{#3}%
-  \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
-  \global\@namedef{end#1}{\@endtheorem}}}}
-
-\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\refstepcounter{#1}%
-\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
-
-\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
-                    \ignorespaces}
-
-\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
-       the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
-
-\def\@spbegintheorem#1#2#3#4{\trivlist
-                 \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
-
-\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
-      \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
-
-% definition of \spnewtheorem* without number
-
-\def\@sthm#1#2{\@Ynthm{#1}{#2}}
-
-\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
-   {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
-    \expandafter\xdef\csname #1name\endcsname{#2}%
-    \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
-
-\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
-
-\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
-       {#4}{#2}{#3}\ignorespaces}
-
-\def\@Begintheorem#1#2#3{#3\trivlist
-                           \item[\hskip\labelsep{#2#1\@thmcounterend}]}
-
-\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
-      \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
-
-% initialize theorem environment
-
-\if@envcntsect % show section counter
-   \def\@thmcountersep{.}
-   \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
-\else          % theorem counter only
-   \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
-   \if@envcntreset
-      \@addtoreset{theorem}{section}
-   \else
-      \@addtoreset{theorem}{chapter}
-   \fi
-\fi
-
-%definition of divers theorem environments
-\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
-\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
-\if@envcntsame % all environments like "Theorem" - using its counter
-   \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
-\else % all environments with their own counter
-   \if@envcntsect % show section counter
-      \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
-   \else          % environment counter only
-      \if@envcntreset % environment counter is reset each section
-         \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
-                                   \@addtoreset{#1}{section}}
-      \else
-         \let\spn@wtheorem=\@spynthm
-      \fi
-   \fi
-\fi
-\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
-\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
-\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
-\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
-\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
-%%LCP%% \spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
-\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
-\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
-\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
-\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
-\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
-\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
-\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
-\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
-
-\def\@takefromreset#1#2{%
-    \def\@tempa{#1}%
-    \let\@tempd\@elt
-    \def\@elt##1{%
-        \def\@tempb{##1}%
-        \ifx\@tempa\@tempb\else
-            \@addtoreset{##1}{#2}%
-        \fi}%
-    \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
-    \expandafter\def\csname cl@#2\endcsname{}%
-    \@tempc
-    \let\@elt\@tempd}
-
-\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
-      \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
-                  \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
-      \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
-      }
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%
-%%             This is figure.neu
-%%
-%% It redefines the captions for "figure" and "table"
-%% environments.
-%%
-%% There are three new kind of captions: "\firstcaption"
-%% and "\secondcaption" for captions set side by side.
-%% Usage for those two commands: like "\caption".
-%%
-%% "\sidecaption" with two parms: #1 width of picture
-%%                                #2 height of picture
-%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
-\def\floatcounterend{.\ }
-\def\capstrut{\vrule\@width\z@\@height\topskip}
-\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
-\@ifundefined{instindent}{\newdimen\instindent}{}
-
-\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
-  ext@#1\endcsname}{#1}{\protect\numberline{\csname
-  the#1\endcsname}{\ignorespaces #2}}\begingroup
-    \@parboxrestore
-    \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
-  \endgroup}
-
-\def\firstcaption{\refstepcounter\@captype\@dblarg%
-            {\@firstcaption\@captype}}
-
-\def\secondcaption{\refstepcounter\@captype\@dblarg%
-            {\@secondcaption\@captype}}
-
-\long\def\@firstcaption#1[#2]#3{\addcontentsline{\csname
-  ext@#1\endcsname}{#1}{\protect\numberline{\csname
-  the#1\endcsname}{\ignorespaces #2}}\begingroup
-    \@parboxrestore
-    \vskip3pt
-    \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
-    \ignorespaces\hspace{.073\textwidth}\hfil%
-  \endgroup}
-
-\long\def\@secondcaption#1[#2]#3{\addcontentsline{\csname
-  ext@#1\endcsname}{#1}{\protect\numberline{\csname
-  the#1\endcsname}{\ignorespaces #2}}\begingroup
-    \@parboxrestore
-    \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
-  \endgroup}
-
-\long\def\@maketwocaptions#1#2{%
-   \parbox[t]{.46\textwidth}{{\floatlegendstyle #1\floatcounterend} #2}}
-
-\newdimen\figgap\figgap=14.2pt
-%
-\long\def\@makesidecaption#1#2{%
-   \setbox0=\vbox{\hsize=\@tempdima
-                  \captionstyle{\floatlegendstyle
-                                         #1\floatcounterend}#2}%
-   \ifdim\instindent<\z@
-      \ifdim\ht0>-\instindent
-         \advance\instindent by\ht0
-         \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
-                     \@captype\space\csname the\@captype\endcsname
-                  ^^Jis \the\instindent\space taller than the corresponding float -
-                  ^^Jyou'd better switch the environment. }%
-         \instindent\z@
-      \fi
-   \else
-      \ifdim\ht0<\instindent
-         \advance\instindent by-\ht0
-         \advance\instindent by-\dp0\relax
-         \advance\instindent by\topskip
-         \advance\instindent by-11pt
-      \else
-         \advance\instindent by-\ht0
-         \instindent=-\instindent
-         \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
-                     \@captype\space\csname the\@captype\endcsname
-                  ^^Jis \the\instindent\space taller than the corresponding float -
-                  ^^Jyou'd better switch the environment. }%
-         \instindent\z@
-      \fi
-   \fi
-   \parbox[b]{\@tempdima}{\captionstyle{\floatlegendstyle
-                                        #1\floatcounterend}#2%
-                          \ifdim\instindent>\z@ \\
-                               \vrule\@width\z@\@height\instindent
-                                     \@depth\z@
-                          \fi}}
-\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
-\def\sidec@ption[#1]#2\caption{%
-\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
-\if@twocolumn
- \ifdim\hsize<\textwidth\else
-   \ifdim\wd\@tempboxa<\columnwidth
-      \typeout{Double column float fits into single column -
-            ^^Jyou'd better switch the environment. }%
-   \fi
- \fi
-\fi
-  \instindent=\ht\@tempboxa
-  \advance\instindent by\dp\@tempboxa
-\if t#1
-\else
-  \instindent=-\instindent
-\fi
-\@tempdima=\hsize
-\advance\@tempdima by-\figgap
-\advance\@tempdima by-\wd\@tempboxa
-\ifdim\@tempdima<3cm
-    \typeout{\string\sidecaption: No sufficient room for the legend;
-             using normal \string\caption. }%
-   \unhbox\@tempboxa
-   \let\@capcommand=\@caption
-\else
-   \ifdim\@tempdima<4.5cm
-      \typeout{\string\sidecaption: Room for the legend very narrow;
-               using \string\raggedright. }%
-      \toks@\expandafter{\captionstyle\sloppy
-                         \rightskip=0ptplus6mm\relax}%
-      \def\captionstyle{\the\toks@}%
-   \fi
-   \let\@capcommand=\@sidecaption
-   \leavevmode
-   \unhbox\@tempboxa
-   \hfill
-\fi
-\refstepcounter\@captype
-\@dblarg{\@capcommand\@captype}}
-\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
-  ext@#1\endcsname}{#1}{\protect\numberline{\csname
-  the#1\endcsname}{\ignorespaces #2}}\begingroup
-    \@parboxrestore
-    \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
-  \endgroup}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\fig@type{figure}
-
-\def\leftlegendglue{\hfil}
-\newdimen\figcapgap\figcapgap=3pt
-\newdimen\tabcapgap\tabcapgap=5.5pt
-
-\long\def\@makecaption#1#2{%
- \captionstyle
- \ifx\@captype\fig@type
-   \vskip\figcapgap
- \fi
- \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
- \capstrut #2}%
- \ifdim \wd\@tempboxa >\hsize
-   {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
- \else
-   \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
- \fi
- \ifx\@captype\fig@type\else
-   \vskip\tabcapgap
- \fi}
-
-\newcounter{merk}
-\def\endfigure{\resetsubfig\end@float}
-\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
-\let\resetsubfig\relax
-\def\subfigures{\stepcounter{figure}\setcounter{merk}{\value{figure}}%
-\setcounter{figure}{0}\def\thefigure{\if@numart\else\thechapter.\fi
-\@arabic\c@merk\alph{figure}}%
-\def\resetsubfig{\setcounter{figure}{\value{merk}}}}
-\let\leftlegendglue\relax
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Definition of environment  thebibliography
-%
-% Borrowed from book.cls
-%
-% by lcp
-
-\newcommand\bibname{Bibliography}
-\setlength\bibindent{1.5em}
-\renewenvironment{thebibliography}[1]
-     {\chapter*{\bibname
-        \@mkboth{\MakeUppercase\bibname}{\MakeUppercase\bibname}}%
-      \list{\@biblabel{\@arabic\c@enumiv}}%
-           {\settowidth\labelwidth{\@biblabel{#1}}%
-            \leftmargin\labelwidth
-            \advance\leftmargin\labelsep
-            \@openbib@code
-            \usecounter{enumiv}%
-            \let\p@enumiv\@empty
-            \renewcommand\theenumiv{\@arabic\c@enumiv}}%
-      \sloppy
-      \clubpenalty4000
-      \@clubpenalty \clubpenalty
-      \widowpenalty4000%
-      \sfcode`\.\@m}
-     {\def\@noitemerr
-       {\@latex@warning{Empty `thebibliography' environment}}%
-      \endlist}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is fonotebk.xxx
-%
-% It redefines how footnotes will be typeset.
-%
-% Usage like described by Lamport.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newdimen\footnoterulewidth
-  \footnoterulewidth=1.666cm
-
-\def\footnoterule{\kern-3\p@
- \hrule width\footnoterulewidth
- \kern 2.6\p@}
-
-\newdimen\foot@parindent
-\foot@parindent 10.83\p@
-
-%\long\def\@makefntext#1{\parindent\foot@parindent\noindent
-%         \hbox to\foot@parindent{\hss$\m@th^{\@thefnmark}$\kern3pt}#1}
-\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
-         \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
-         \@tempdima}\par
-         \parindent \foot@parindent\noindent \hbox to \z@{%
-         \hss\hss$^{\@thefnmark}$ }#1}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is environ.tex
-%
-% It defines the environment for acknowledgements.
-%                            and noteadd
-%
-% Usage e.g.: \begin{acknowledgement}
-%                Text
-%             \end{acknowledgement}
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% Define `abstract' environment
-\def\acknowledgement{\par\addvspace{17pt}\small\rm
-\trivlist\item[\hskip\labelsep
-{\it\ackname}]}
-\def\endacknowledgement{\endtrivlist\addvspace{6pt}}
-% Define `noteadd' environment
-\def\noteadd{\par\addvspace{17pt}\small\rm
-\trivlist\item[\hskip\labelsep
-{\it\noteaddname}]}
-\def\endnoteadd{\endtrivlist\addvspace{6pt}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is item.xxx
-%
-% It redefines the kind of label for "itemize", "enumerate"
-% and "description" environment. The last is extended by
-% an optional parameter. Its length is used for overall
-% indentation.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% labels of enumerate
-
-\def\labelenumi{\theenumi.}
-\def\labelenumii{\theenumii)}
-\def\theenumii{\alph{enumii}}
-\def\p@enumii{\theenumi}
-
-% labels of itemize
-
-\def\labelitemi{\bf --}
-\def\labelitemii{\bf --}
-\def\labelitemiii{$\bullet$}
-\def\labelitemiv{$\cdot$}
-
-% labels of description
-\def\descriptionlabel#1{\hspace\labelsep #1\hfil}
-
-% make indentations changeable
-
-\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
-        \leftmargini\labelwidth
-        \advance\leftmargini\labelsep
-   \def\@listi{\leftmargin\leftmargini
-        \labelwidth\leftmargini\advance\labelwidth by -\labelsep
-        \parsep=\parskip
-        \topsep=\medskipamount
-        \itemsep=\parskip \advance\itemsep by -\parsep}}
-\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
-        \leftmarginii\labelwidth
-        \advance\leftmarginii\labelsep
-\def\@listii{\leftmargin\leftmarginii
-        \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
-        \parsep=\parskip
-        \topsep=\z@
-        \itemsep=\parskip \advance\itemsep by -\parsep}}
-%
-% adjusted environment "description"
-% if an optional parameter (at the first two levels of lists)
-% is present, its width is considered to be the widest mark
-% throughout the current list.
-\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
-          \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
-%
-\def\describelabel#1{#1\hfil}
-\def\@describe[#1]{\relax\ifnum\@listdepth=0
-\setitemindent{#1}\else\ifnum\@listdepth=1
-\setitemitemindent{#1}\fi\fi
-\list{--}{\let\makelabel\describelabel}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is index.xxx
-%
-% It defines miscelaneous addons used for the preparation
-% of an index.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\theindex{\@restonecoltrue\if@twocolumn\@restonecolfalse\fi
-\columnseprule \z@
-\columnsep 1cc\twocolumn[\@makeschapterhead{\indexname}%
-    \csname indexstarthook\endcsname]%
-    \@mkboth{\indexname}{\indexname}%
-    \thispagestyle{empty}\parindent\z@
-    \rightskip0\p@ plus 40\p@
-    \parskip\z@ plus .3\p@\relax\let\item\@idxitem
-    \def\,{\relax\ifmmode\mskip\thinmuskip
-           \else\hskip0.2em\ignorespaces\fi}%
-    \small\rm}
-
-\def\idxquad{\hskip 10\p@}% space that divides entry from number
-
-\def\@idxitem{\par\hangindent 10\p@}
-
-\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
-                \noindent\hangindent\wd0\box0}% index entry
-
-\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
-                \noindent\hangindent\wd0\box0}% order index entry
-
-\def\endtheindex{\if@restonecol\onecolumn\else\clearpage\fi}
-
-\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-%             This is numberbk.xxx
-%
-% It redefines the kind of numeration for figures,
-% tables and equations. With style option "numart" they
-% are numbered with "no.", otherwise with "kapno.no."
-%
-% e.g. \documentstyle[numart]{article} gives a
-% numbering like in article.sty defined.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\def\@takefromreset#1#2{%
-    \def\@tempa{#1}%
-    \let\@tempd\@elt
-    \def\@elt##1{%
-        \def\@tempb{##1}%
-        \ifx\@tempa\@tempb\else
-            \@addtoreset{##1}{#2}%
-        \fi}%
-    \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
-    \expandafter\def\csname cl@#2\endcsname{}%
-    \@tempc
-    \let\@elt\@tempd
-}
-%
-\def\ds@numart{\@numarttrue
-  \@takefromreset{figure}{chapter}%
-  \@takefromreset{table}{chapter}%
-  \@takefromreset{equation}{chapter}%
-  \def\thefigure{\@arabic\c@figure}%
-  \def\thetable{\@arabic\c@table}%
-  \def\theequation{\arabic{equation}}}
-%
-\def\thefigure{\thechapter.\@arabic\c@figure}
-\def\thetable{\thechapter.\@arabic\c@table}
-\def\theequation{\thechapter.\arabic{equation}}
-\@addtoreset{figure}{chapter}
-\@addtoreset{table}{chapter}
-\@addtoreset{equation}{chapter}
-\endinput
-
--- a/doc-src/TutorialI/document/AB.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,462 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{AB}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Case Study: A Context Free Grammar%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:CFG}
-\index{grammars!defining inductively|(}%
-Grammars are nothing but shorthands for inductive definitions of nonterminals
-which represent sets of strings. For example, the production
-$A \to B c$ is short for
-\[ w \in B \Longrightarrow wc \in A \]
-This section demonstrates this idea with an example
-due to Hopcroft and Ullman, a grammar for generating all words with an
-equal number of $a$'s and~$b$'s:
-\begin{eqnarray}
-S &\to& \epsilon \mid b A \mid a B \nonumber\\
-A &\to& a S \mid b A A \nonumber\\
-B &\to& b S \mid a B B \nonumber
-\end{eqnarray}
-At the end we say a few words about the relationship between
-the original proof \cite[p.\ts81]{HopcroftUllman} and our formal version.
-
-We start by fixing the alphabet, which consists only of \isa{a}'s
-and~\isa{b}'s:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ alfa\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{7C}{\isacharbar}}\ b%
-\begin{isamarkuptext}%
-\noindent
-For convenience we include the following easy lemmas as simplification rules:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Words over this alphabet are of type \isa{alfa\ list}, and
-the three nonterminals are declared as sets of such words.
-The productions above are recast as a \emph{mutual} inductive
-definition\index{inductive definition!simultaneous}
-of \isa{S}, \isa{A} and~\isa{B}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ S\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-\ \ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-\ \ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}alfa\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{3B}{\isacharsemicolon}}\ w{\isaliteral{5C3C696E3E}{\isasymin}}A\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b{\isaliteral{23}{\isacharhash}}w\ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a{\isaliteral{23}{\isacharhash}}v{\isaliteral{40}{\isacharat}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-First we show that all words in \isa{S} contain the same number of \isa{a}'s and \isa{b}'s. Since the definition of \isa{S} is by mutual
-induction, so is the proof: we show at the same time that all words in
-\isa{A} contain one more \isa{a} than \isa{b} and all words in \isa{B} contain one more \isa{b} than \isa{a}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ correctness{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-These propositions are expressed with the help of the predefined \isa{filter} function on lists, which has the convenient syntax \isa{{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}}, the list of all elements \isa{x} in \isa{xs} such that \isa{P\ x}
-holds. Remember that on lists \isa{size} and \isa{length} are synonymous.
-
-The proof itself is by rule induction and afterwards automatic:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-This may seem surprising at first, and is indeed an indication of the power
-of inductive definitions. But it is also quite straightforward. For example,
-consider the production $A \to b A A$: if $v,w \in A$ and the elements of $A$
-contain one more $a$ than~$b$'s, then $bvw$ must again contain one more $a$
-than~$b$'s.
-
-As usual, the correctness of syntactic descriptions is easy, but completeness
-is hard: does \isa{S} contain \emph{all} words with an equal number of
-\isa{a}'s and \isa{b}'s? It turns out that this proof requires the
-following lemma: every string with two more \isa{a}'s than \isa{b}'s can be cut somewhere such that each half has one more \isa{a} than
-\isa{b}. This is best seen by imagining counting the difference between the
-number of \isa{a}'s and \isa{b}'s starting at the left end of the
-word. We start with 0 and end (at the right end) with 2. Since each move to the
-right increases or decreases the difference by 1, we must have passed through
-1 on our way from 0 to 2. Formally, we appeal to the following discrete
-intermediate value theorem \isa{nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val}
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ f\ i{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}n{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{3D}{\isacharequal}}\ k%
-\end{isabelle}
-where \isa{f} is of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}, \isa{int} are the integers,
-\isa{{\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{2E}{\isachardot}}{\isaliteral{5C3C6261723E}{\isasymbar}}} is the absolute value function\footnote{See
-Table~\ref{tab:ascii} in the Appendix for the correct \textsc{ascii}
-syntax.}, and \isa{{\isadigit{1}}} is the integer 1 (see \S\ref{sec:numbers}).
-
-First we show that our specific function, the difference between the
-numbers of \isa{a}'s and \isa{b}'s, does indeed only change by 1 in every
-move to the right. At this point we also start generalizing from \isa{a}'s
-and \isa{b}'s to an arbitrary property \isa{P}. Otherwise we would have
-to prove the desired lemma twice, once as stated above and once with the
-roles of \isa{a}'s and \isa{b}'s interchanged.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ step{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i\ {\isaliteral{3C}{\isacharless}}\ size\ w{\isaliteral{2E}{\isachardot}}\isanewline
-\ \ {\isaliteral{5C3C6261723E}{\isasymbar}}{\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{2D}{\isacharminus}}int{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The lemma is a bit hard to read because of the coercion function
-\isa{int\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int}. It is required because \isa{size} returns
-a natural number, but subtraction on type~\isa{nat} will do the wrong thing.
-Function \isa{take} is predefined and \isa{take\ i\ xs} is the prefix of
-length \isa{i} of \isa{xs}; below we also need \isa{drop\ i\ xs}, which
-is what remains after that prefix has been dropped from \isa{xs}.
-
-The proof is by induction on \isa{w}, with a trivial base case, and a not
-so trivial induction step. Since it is essentially just arithmetic, we do not
-discuss it.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if\ take{\isaliteral{5F}{\isacharunderscore}}Cons\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Finally we come to the above-mentioned lemma about cutting in half a word with two more elements of one sort than of the other sort:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ part{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ {\isaliteral{22}{\isachardoublequoteopen}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{5C3C6C653E}{\isasymle}}size\ w{\isaliteral{2E}{\isachardot}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-This is proved by \isa{force} with the help of the intermediate value theorem,
-instantiated appropriately and with its first premise disposed of by lemma
-\isa{step{\isadigit{1}}}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}insert\ nat{\isadigit{0}}{\isaliteral{5F}{\isacharunderscore}}intermed{\isaliteral{5F}{\isacharunderscore}}int{\isaliteral{5F}{\isacharunderscore}}val{\isaliteral{5B}{\isacharbrackleft}}OF\ step{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ of\ {\isaliteral{22}{\isachardoublequoteopen}}P{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}w{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{by}\isamarkupfalse%
-\ force%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-
-Lemma \isa{part{\isadigit{1}}} tells us only about the prefix \isa{take\ i\ w}.
-An easy lemma deals with the suffix \isa{drop\ i\ w}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ part{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w\ {\isaliteral{40}{\isacharat}}\ drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ w{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}P\ x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ del{\isaliteral{3A}{\isacharcolon}}\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-In the proof we have disabled the normally useful lemma
-\begin{isabelle}
-\isa{take\ n\ xs\ {\isaliteral{40}{\isacharat}}\ drop\ n\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}
-\rulename{append_take_drop_id}
-\end{isabelle}
-to allow the simplifier to apply the following lemma instead:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}xs{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C696E3E}{\isasymin}}ys{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-
-To dispose of trivial cases automatically, the rules of the inductive
-definition are declared simplification rules:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\noindent
-This could have been done earlier but was not necessary so far.
-
-The completeness theorem tells us that if a word has the same number of
-\isa{a}'s and \isa{b}'s, then it is in \isa{S}, and similarly 
-for \isa{A} and \isa{B}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ completeness{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ S{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ size{\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}w{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ w\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is by induction on \isa{w}. Structural induction would fail here
-because, as we can see from the grammar, we need to make bigger steps than
-merely appending a single letter at the front. Hence we induct on the length
-of \isa{w}, using the induction rule \isa{length{\isaliteral{5F}{\isacharunderscore}}induct}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ w\ rule{\isaliteral{3A}{\isacharcolon}}\ length{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rename{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The \isa{rule} parameter tells \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} explicitly which induction
-rule to use. For details see \S\ref{sec:complete-ind} below.
-In this case the result is that we may assume the lemma already
-holds for all words shorter than \isa{w}. Because the induction step renames
-the induction variable we rename it back to \isa{w}.
-
-The proof continues with a case distinction on \isa{w},
-on whether \isa{w} is empty or not.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ w{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Simplification disposes of the base case and leaves only a conjunction
-of two step cases to be proved:
-if \isa{w\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ v} and \begin{isabelle}%
-\ \ \ \ \ length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ a\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\isaindent{\ \ \ \ \ }length\ {\isaliteral{28}{\isacharparenleft}}if\ x\ {\isaliteral{3D}{\isacharequal}}\ b\ then\ {\isaliteral{5B}{\isacharbrackleft}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ v{\isaliteral{5D}{\isacharbrackright}}\ else\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}%
-\end{isabelle} then
-\isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}, and similarly for \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v}.
-We only consider the first case in detail.
-
-After breaking the conjunction up into two cases, we can apply
-\isa{part{\isadigit{1}}} to the assumption that \isa{w} contains two more \isa{a}'s than \isa{b}'s.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ conjI{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-This yields an index \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ length\ v} such that
-\begin{isabelle}%
-\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}take\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
-\end{isabelle}
-With the help of \isa{part{\isadigit{2}}} it follows that
-\begin{isabelle}%
-\ \ \ \ \ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ length\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5C3C6C6566746172726F773E}{\isasymleftarrow}}drop\ i\ v\ {\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}a{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Now it is time to decompose \isa{v} in the conclusion \isa{b\ {\isaliteral{23}{\isacharhash}}\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}
-into \isa{take\ i\ v\ {\isaliteral{40}{\isacharat}}\ drop\ i\ v},%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-(the variables \isa{n{\isadigit{1}}} and \isa{t} are the result of composing the
-theorems \isa{subst} and \isa{append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id})
-after which the appropriate rule of the grammar reduces the goal
-to the two subgoals \isa{take\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A} and \isa{drop\ i\ v\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-Both subgoals follow from the induction hypothesis because both \isa{take\ i\ v} and \isa{drop\ i\ v} are shorter than \isa{w}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}force\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-The case \isa{w\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{23}{\isacharhash}}\ v} is proved analogously:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}frule\ part{\isadigit{1}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}drule\ part{\isadigit{2}}{\isaliteral{5B}{\isacharbrackleft}}of\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}b{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ simplified{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}assumption{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isadigit{1}}{\isaliteral{3D}{\isacharequal}}i\ \isakeyword{and}\ t{\isaliteral{3D}{\isacharequal}}v\ \isakeyword{in}\ subst{\isaliteral{5B}{\isacharbrackleft}}OF\ append{\isaliteral{5F}{\isacharunderscore}}take{\isaliteral{5F}{\isacharunderscore}}drop{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ S{\isaliteral{5F}{\isacharunderscore}}A{\isaliteral{5F}{\isacharunderscore}}B{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}force\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ min{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}disj\ split\ add{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-We conclude this section with a comparison of our proof with 
-Hopcroft\index{Hopcroft, J. E.} and Ullman's\index{Ullman, J. D.}
-\cite[p.\ts81]{HopcroftUllman}.
-For a start, the textbook
-grammar, for no good reason, excludes the empty word, thus complicating
-matters just a little bit: they have 8 instead of our 7 productions.
-
-More importantly, the proof itself is different: rather than
-separating the two directions, they perform one induction on the
-length of a word. This deprives them of the beauty of rule induction,
-and in the easy direction (correctness) their reasoning is more
-detailed than our \isa{auto}. For the hard part (completeness), they
-consider just one of the cases that our \isa{simp{\isaliteral{5F}{\isacharunderscore}}all} disposes of
-automatically. Then they conclude the proof by saying about the
-remaining cases: ``We do this in a manner similar to our method of
-proof for part (1); this part is left to the reader''. But this is
-precisely the part that requires the intermediate value theorem and
-thus is not at all similar to the other cases (which are automatic in
-Isabelle). The authors are at least cavalier about this point and may
-even have overlooked the slight difficulty lurking in the omitted
-cases.  Such errors are found in many pen-and-paper proofs when they
-are scrutinized formally.%
-\index{grammars!defining inductively|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/ABexpr.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,199 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{ABexpr}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\index{datatypes!mutually recursive}%
-Sometimes it is necessary to define two datatypes that depend on each
-other. This is called \textbf{mutual recursion}. As an example consider a
-language of arithmetic and boolean expressions where
-\begin{itemize}
-\item arithmetic expressions contain boolean expressions because there are
-  conditional expressions like ``if $m<n$ then $n-m$ else $m-n$'',
-  and
-\item boolean expressions contain arithmetic expressions because of
-  comparisons like ``$m<n$''.
-\end{itemize}
-In Isabelle this becomes%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{3D}{\isacharequal}}\ IF\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Sum\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Diff\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Var\ {\isaliteral{27}{\isacharprime}}a\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Num\ nat\isanewline
-\isakeyword{and}\ \ \ \ \ \ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Type \isa{aexp} is similar to \isa{expr} in \S\ref{sec:ExprCompiler},
-except that we have added an \isa{IF} constructor,
-fixed the values to be of type \isa{nat} and declared the two binary
-operations \isa{Sum} and \isa{Diff}.  Boolean
-expressions can be arithmetic comparisons, conjunctions and negations.
-The semantics is given by two evaluation functions:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ evala\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-\ \ \ \ \ \ \ \ \ evalb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}if\ evalb\ b\ env\ then\ evala\ a{\isadigit{1}}\ env\ else\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2B}{\isacharplus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a{\isadigit{1}}\ env\ {\isaliteral{2D}{\isacharminus}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evala\ a{\isadigit{1}}\ env\ {\isaliteral{3C}{\isacharless}}\ evala\ a{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}evalb\ b{\isadigit{1}}\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ evalb\ b{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}evalb\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ evalb\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-
-Both take an expression and an environment (a mapping from variables
-\isa{{\isaliteral{27}{\isacharprime}}a} to values \isa{nat}) and return its arithmetic/boolean
-value. Since the datatypes are mutually recursive, so are functions
-that operate on them. Hence they need to be defined in a single
-\isacommand{primrec} section. Notice the \isakeyword{and} separating
-the declarations of \isa{evala} and \isa{evalb}. Their defining
-equations need not be split into two groups;
-the empty line is purely for readability.
-
-In the same fashion we also define two functions that perform substitution:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ substa\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-\ \ \ \ \ \ \ \ \ substb\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ aexp{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ bexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ bexp{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ IF\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Sum\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Sum\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Diff\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Diff\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substa\ s\ {\isaliteral{28}{\isacharparenleft}}Num\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Num\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Less\ a{\isadigit{1}}\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Less\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}And\ b{\isadigit{1}}\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ And\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substb\ s\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Neg\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Their first argument is a function mapping variables to expressions, the
-substitution. It is applied to all variables in the second argument. As a
-result, the type of variables in the expression may change from \isa{{\isaliteral{27}{\isacharprime}}a}
-to \isa{{\isaliteral{27}{\isacharprime}}b}. Note that there are only arithmetic and no boolean variables.
-
-Now we can prove a fundamental theorem about the interaction between
-evaluation and substitution: applying a substitution $s$ to an expression $a$
-and evaluating the result in an environment $env$ yields the same result as
-evaluation $a$ in the environment that maps every variable $x$ to the value
-of $s(x)$ under $env$. If you try to prove this separately for arithmetic or
-boolean expressions (by induction), you find that you always need the other
-theorem in the induction step. Therefore you need to state and prove both
-theorems simultaneously:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}evala\ {\isaliteral{28}{\isacharparenleft}}substa\ s\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evala\ a\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ \ \ \ \ \ evalb\ {\isaliteral{28}{\isacharparenleft}}substb\ s\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ evalb\ b\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ evala\ {\isaliteral{28}{\isacharparenleft}}s\ x{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ a\ \isakeyword{and}\ b{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent The resulting 8 goals (one for each constructor) are proved in one fell swoop:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp{\isaliteral{5F}{\isacharunderscore}}all%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-In general, given $n$ mutually recursive datatypes $\tau@1$, \dots, $\tau@n$,
-an inductive proof expects a goal of the form
-\[ P@1(x@1)\ \land \dots \land P@n(x@n) \]
-where each variable $x@i$ is of type $\tau@i$. Induction is started by
-\begin{isabelle}
-\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1$ \isacommand{and} \dots\ \isacommand{and} $x@n$\isa{{\isaliteral{29}{\isacharparenright}}}
-\end{isabelle}
-
-\begin{exercise}
-  Define a function \isa{norma} of type \isa{{\isaliteral{27}{\isacharprime}}a\ aexp\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ aexp} that
-  replaces \isa{IF}s with complex boolean conditions by nested
-  \isa{IF}s; it should eliminate the constructors
-  \isa{And} and \isa{Neg}, leaving only \isa{Less}.
-  Prove that \isa{norma}
-  preserves the value of an expression and that the result of \isa{norma}
-  is really normal, i.e.\ no more \isa{And}s and \isa{Neg}s occur in
-  it.  ({\em Hint:} proceed as in \S\ref{sec:boolex} and read the discussion
-  of type annotations following lemma \isa{subst{\isaliteral{5F}{\isacharunderscore}}id} below).
-\end{exercise}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Advanced.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,599 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Advanced}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\begin{isamarkuptext}%
-The premises of introduction rules may contain universal quantifiers and
-monotone functions.  A universal quantifier lets the rule 
-refer to any number of instances of 
-the inductively defined set.  A monotone function lets the rule refer
-to existing constructions (such as ``list of'') over the inductively defined
-set.  The examples below show how to use the additional expressiveness
-and how to reason from the resulting definitions.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Universal Quantifiers in Introduction Rules \label{sec:gterm-datatype}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{ground terms example|(}%
-\index{quantifiers!and inductive definitions|(}%
-As a running example, this section develops the theory of \textbf{ground
-terms}: terms constructed from constant and function 
-symbols but not variables. To simplify matters further, we regard a
-constant as a function applied to the null argument  list.  Let us declare a
-datatype \isa{gterm} for the type of ground  terms. It is a type constructor
-whose argument is a type of  function symbols.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{3D}{\isacharequal}}\ Apply\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ gterm\ list{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-To try it out, we declare a datatype of some integer operations: 
-integer constants, the unary minus operator and the addition 
-operator.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ integer{\isaliteral{5F}{\isacharunderscore}}op\ {\isaliteral{3D}{\isacharequal}}\ Number\ int\ {\isaliteral{7C}{\isacharbar}}\ UnaryMinus\ {\isaliteral{7C}{\isacharbar}}\ Plus%
-\begin{isamarkuptext}%
-Now the type \isa{integer{\isaliteral{5F}{\isacharunderscore}}op\ gterm} denotes the ground 
-terms built over those symbols.
-
-The type constructor \isa{gterm} can be generalized to a function 
-over sets.  It returns 
-the set of ground terms that can be formed over a set \isa{F} of function symbols. For
-example,  we could consider the set of ground terms formed from the finite 
-set \isa{{\isaliteral{7B}{\isacharbraceleft}}Number\ {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ UnaryMinus{\isaliteral{2C}{\isacharcomma}}\ Plus{\isaliteral{7D}{\isacharbraceright}}}.
-
-This concept is inductive. If we have a list \isa{args} of ground terms 
-over~\isa{F} and a function symbol \isa{f} in \isa{F}, then we 
-can apply \isa{f} to \isa{args} to obtain another ground term. 
-The only difficulty is that the argument list may be of any length. Hitherto, 
-each rule in an inductive definition referred to the inductively 
-defined set a fixed number of times, typically once or twice. 
-A universal quantifier in the premise of the introduction rule 
-expresses that every element of \isa{args} belongs
-to our inductively defined set: is a ground term 
-over~\isa{F}.  The function \isa{set} denotes the set of elements in a given 
-list.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ gterms\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ F\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ \ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-To demonstrate a proof from this definition, let us 
-show that the function \isa{gterms}
-is \textbf{monotone}.  We shall need this concept shortly.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}F{\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}G\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gterms\ F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ clarify\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ blast\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-Intuitively, this theorem says that
-enlarging the set of function symbols enlarges the set of ground 
-terms. The proof is a trivial rule induction.
-First we use the \isa{clarify} method to assume the existence of an element of
-\isa{gterms\ F}.  (We could have used \isa{intro\ subsetI}.)  We then
-apply rule induction. Here is the resulting subgoal:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}F\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ G{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G%
-\end{isabelle}
-The assumptions state that \isa{f} belongs 
-to~\isa{F}, which is included in~\isa{G}, and that every element of the list \isa{args} is
-a ground term over~\isa{G}.  The \isa{blast} method finds this chain of reasoning easily.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{warn}
-Why do we call this function \isa{gterms} instead 
-of \isa{gterm}?  A constant may have the same name as a type.  However,
-name  clashes could arise in the theorems that Isabelle generates. 
-Our choice of names keeps \isa{gterms{\isaliteral{2E}{\isachardot}}induct} separate from 
-\isa{gterm{\isaliteral{2E}{\isachardot}}induct}.
-\end{warn}
-
-Call a term \textbf{well-formed} if each symbol occurring in it is applied
-to the correct number of arguments.  (This number is called the symbol's
-\textbf{arity}.)  We can express well-formedness by
-generalizing the inductive definition of
-\isa{gterms}.
-Suppose we are given a function called \isa{arity}, specifying the arities
-of all symbols.  In the inductive step, we have a list \isa{args} of such
-terms and a function  symbol~\isa{f}. If the length of the list matches the
-function's arity  then applying \isa{f} to \isa{args} yields a well-formed
-term.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The inductive definition neatly captures the reasoning above.
-The universal quantification over the
-\isa{set} of arguments expresses that all of them are well-formed.%
-\index{quantifiers!and inductive definitions|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Alternative Definition Using a Monotone Function%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{monotone functions!and inductive definitions|(}% 
-An inductive definition may refer to the
-inductively defined  set through an arbitrary monotone function.  To
-demonstrate this powerful feature, let us
-change the  inductive definition above, replacing the
-quantifier by a use of the function \isa{lists}. This
-function, from the Isabelle theory of lists, is analogous to the
-function \isa{gterms} declared above: if \isa{A} is a set then
-\isa{lists\ A} is the set of lists whose elements belong to
-\isa{A}.  
-
-In the inductive definition of well-formed terms, examine the one
-introduction rule.  The first premise states that \isa{args} belongs to
-the \isa{lists} of well-formed terms.  This formulation is more
-direct, if more obscure, than using a universal quantifier.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}f\ gterm\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ arity\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ \ \isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Apply\ f\ args{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{monos}\ lists{\isaliteral{5F}{\isacharunderscore}}mono%
-\begin{isamarkuptext}%
-We cite the theorem \isa{lists{\isaliteral{5F}{\isacharunderscore}}mono} to justify 
-using the function \isa{lists}.%
-\footnote{This particular theorem is installed by default already, but we
-include the \isakeyword{monos} declaration in order to illustrate its syntax.}
-\begin{isabelle}%
-A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lists\ A\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}mono}%
-\end{isabelle}
-Why must the function be monotone?  An inductive definition describes
-an iterative construction: each element of the set is constructed by a
-finite number of introduction rule applications.  For example, the
-elements of \isa{even} are constructed by finitely many applications of
-the rules
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
-n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-All references to a set in its
-inductive definition must be positive.  Applications of an
-introduction rule cannot invalidate previous applications, allowing the
-construction process to converge.
-The following pair of rules do not constitute an inductive definition:
-\begin{trivlist}
-\item \isa{{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
-\item \isa{n\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}
-\end{trivlist}
-Showing that 4 is even using these rules requires showing that 3 is not
-even.  It is far from trivial to show that this set of rules
-characterizes the even numbers.  
-
-Even with its use of the function \isa{lists}, the premise of our
-introduction rule is positive:
-\begin{isabelle}%
-args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-To apply the rule we construct a list \isa{args} of previously
-constructed well-formed terms.  We obtain a
-new term, \isa{Apply\ f\ args}.  Because \isa{lists} is monotone,
-applications of the rule remain valid as new terms are constructed.
-Further lists of well-formed
-terms become available and none are taken away.%
-\index{monotone functions!and inductive definitions|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{A Proof of Equivalence%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We naturally hope that these two inductive definitions of ``well-formed'' 
-coincide.  The equality can be proved by separate inclusions in 
-each direction.  Each is a trivial rule induction.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ clarify\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ auto\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-The \isa{clarify} method gives
-us an element of \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity} on which to perform 
-induction.  The resulting subgoal can be proved automatically:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity%
-\end{isabelle}
-This proof resembles the one given in
-{\S}\ref{sec:gterm-datatype} above, especially in the form of the
-induction hypothesis.  Next, we consider the opposite inclusion:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ clarify\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ auto\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-The proof script is virtually identical,
-but the subgoal after applying induction may be surprising:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ args\ f{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}args\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}}{\isaliteral{5C3C696E3E}{\isasymin}}\ lists\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ }{\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C696E3E}{\isasymin}}\ \ {\isaliteral{28}{\isacharparenleft}}}{\isaliteral{7B}{\isacharbraceleft}}a{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }length\ args\ {\isaliteral{3D}{\isacharequal}}\ arity\ f{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity%
-\end{isabelle}
-The induction hypothesis contains an application of \isa{lists}.  Using a
-monotone function in the inductive definition always has this effect.  The
-subgoal may look uninviting, but fortunately 
-\isa{lists} distributes over intersection:
-\begin{isabelle}%
-lists\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lists\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ lists\ B\rulename{lists{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq}%
-\end{isabelle}
-Thanks to this default simplification rule, the induction hypothesis 
-is quickly replaced by its two parts:
-\begin{trivlist}
-\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{27}{\isacharprime}}\ arity{\isaliteral{29}{\isacharparenright}}}
-\item \isa{args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lists\ {\isaliteral{28}{\isacharparenleft}}well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm\ arity{\isaliteral{29}{\isacharparenright}}}
-\end{trivlist}
-Invoking the rule \isa{well{\isaliteral{5F}{\isacharunderscore}}formed{\isaliteral{5F}{\isacharunderscore}}gterm{\isaliteral{2E}{\isachardot}}step} completes the proof.  The
-call to \isa{auto} does all this work.
-
-This example is typical of how monotone functions
-\index{monotone functions} can be used.  In particular, many of them
-distribute over intersection.  Monotonicity implies one direction of
-this set equality; we have this theorem:
-\begin{isabelle}%
-mono\ f\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ f\ A\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ f\ B\rulename{mono{\isaliteral{5F}{\isacharunderscore}}Int}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Another Example of Rule Inversion%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{rule inversion|(}%
-Does \isa{gterms} distribute over intersection?  We have proved that this
-function is monotone, so \isa{mono{\isaliteral{5F}{\isacharunderscore}}Int} gives one of the inclusions.  The
-opposite inclusion asserts that if \isa{t} is a ground term over both of the
-sets
-\isa{F} and~\isa{G} then it is also a ground term over their intersection,
-\isa{F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Attempting this proof, we get the assumption 
-\isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}, which cannot be broken down. 
-It looks like a job for rule inversion:\cmmdx{inductive\protect\_cases}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
-\ gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Here is the result.
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F{\isaliteral{3B}{\isacharsemicolon}}\ f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}%
-\end{isabelle}
-This rule replaces an assumption about \isa{Apply\ f\ args} by 
-assumptions about \isa{f} and~\isa{args}.  
-No cases are discarded (there was only one to begin
-with) but the rule applies specifically to the pattern \isa{Apply\ f\ args}.
-It can be applied repeatedly as an elimination rule without looping, so we
-have given the \isa{elim{\isaliteral{21}{\isacharbang}}} attribute. 
-
-Now we can prove the other half of that distributive law.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ gterms{\isaliteral{5F}{\isacharunderscore}}IntI\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F{\isaliteral{5C3C696E7465723E}{\isasyminter}}G{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ gterms{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ blast\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-The proof begins with rule induction over the definition of
-\isa{gterms}, which leaves a single subgoal:  
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}args\ f{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{5C3C696E3E}{\isasymin}}set\ args{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ \ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ F\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-To prove this, we assume \isa{Apply\ f\ args\ {\isaliteral{5C3C696E3E}{\isasymin}}\ gterms\ G}.  Rule inversion,
-in the form of \isa{gterm{\isaliteral{5F}{\isacharunderscore}}Apply{\isaliteral{5F}{\isacharunderscore}}elim}, infers
-that every element of \isa{args} belongs to 
-\isa{gterms\ G}; hence (by the induction hypothesis) it belongs
-to \isa{gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}}.  Rule inversion also yields
-\isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ G} and hence \isa{f\ {\isaliteral{5C3C696E3E}{\isasymin}}\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G}. 
-All of this reasoning is done by \isa{blast}.
-
-\smallskip
-Our distributive law is a trivial consequence of previously-proved results:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ gterms{\isaliteral{5F}{\isacharunderscore}}Int{\isaliteral{5F}{\isacharunderscore}}eq\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}gterms\ {\isaliteral{28}{\isacharparenleft}}F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ G{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ gterms\ F\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ gterms\ G{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}Int\ monoI\ gterms{\isaliteral{5F}{\isacharunderscore}}mono{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\index{rule inversion|)}%
-\index{ground terms example|)}
-
-
-\begin{isamarkuptext}
-\begin{exercise}
-A function mapping function symbols to their 
-types is called a \textbf{signature}.  Given a type 
-ranging over type symbols, we can represent a function's type by a
-list of argument types paired with the result type. 
-Complete this inductive definition:
-\begin{isabelle}
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ well{\isaliteral{5F}{\isacharunderscore}}typed{\isaliteral{5F}{\isacharunderscore}}gterm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}f\ gterm\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ sig\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}f\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}t\ list\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}t{\isaliteral{22}{\isachardoublequoteclose}}%
-\end{isabelle}
-\end{exercise}
-\end{isamarkuptext}
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/AdvancedInd.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,436 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{AdvancedInd}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-Now that we have learned about rules and logic, we take another look at the
-finer points of induction.  We consider two questions: what to do if the
-proposition to be proved is not directly amenable to induction
-(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
-and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
-with an extended example of induction (\S\ref{sec:CTL-revisited}).%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Massaging the Proposition%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:ind-var-in-prems}
-Often we have assumed that the theorem to be proved is already in a form
-that is amenable to induction, but sometimes it isn't.
-Here is an example.
-Since \isa{hd} and \isa{last} return the first and last element of a
-non-empty list, this lemma looks easy to prove:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-But induction produces the warning
-\begin{quote}\tt
-Induction variable occurs also among premises!
-\end{quote}
-and leads to the base case
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-Simplification reduces the base case to this:
-\begin{isabelle}
-\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
-\end{isabelle}
-We cannot prove this equality because we do not know what \isa{hd} and
-\isa{last} return when applied to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
-
-We should not have ignored the warning. Because the induction
-formula is only the conclusion, induction does not affect the occurrence of \isa{xs} in the premises.  
-Thus the case that should have been trivial
-becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
-heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
-\begin{quote}
-\emph{Pull all occurrences of the induction variable into the conclusion
-using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.}
-\end{quote}
-Thus we should state the lemma as an ordinary 
-implication~(\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}), letting
-\attrdx{rule_format} (\S\ref{sec:forward}) convert the
-result to the usual \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}} form:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ hd{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-This time, induction leaves us with a trivial base case:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ hd\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-And \isa{auto} completes the proof.
-
-If there are multiple premises $A@1$, \dots, $A@n$ containing the
-induction variable, you should turn the conclusion $C$ into
-\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
-Additionally, you may also have to universally quantify some other variables,
-which can yield a fairly complex conclusion.  However, \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} 
-can remove any number of occurrences of \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
-\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}.
-
-\index{induction!on a term}%
-A second reason why your proposition may not be amenable to induction is that
-you want to induct on a complex term, rather than a variable. In
-general, induction on a term~$t$ requires rephrasing the conclusion~$C$
-as
-\begin{equation}\label{eqn:ind-over-term}
-\forall y@1 \dots y@n.~ x = t \longrightarrow C.
-\end{equation}
-where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
-Now you can perform induction on~$x$. An example appears in
-\S\ref{sec:complete-ind} below.
-
-The very same problem may occur in connection with rule induction. Remember
-that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
-some inductively defined set and the $x@i$ are variables.  If instead we have
-a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
-replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
-\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
-For an example see \S\ref{sec:CTL-revisited} below.
-
-Of course, all premises that share free variables with $t$ need to be pulled into
-the conclusion as well, under the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, again using \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} as shown above.
-
-Readers who are puzzled by the form of statement
-(\ref{eqn:ind-over-term}) above should remember that the
-transformation is only performed to permit induction. Once induction
-has been applied, the statement can be transformed back into something quite
-intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
-$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
-little leads to the goal
-\[ \bigwedge\overline{y}.\ 
-   \forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
-    \ \Longrightarrow\ C\,\overline{y} \]
-where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
-$C$ on the free variables of $t$ has been made explicit.
-Unfortunately, this induction schema cannot be expressed as a
-single theorem because it depends on the number of free variables in $t$ ---
-the notation $\overline{y}$ is merely an informal device.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Beyond Structural and Recursion Induction%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:complete-ind}
-So far, inductive proofs were by structural induction for
-primitive recursive functions and recursion induction for total recursive
-functions. But sometimes structural induction is awkward and there is no
-recursive function that could furnish a more appropriate
-induction schema. In such cases a general-purpose induction schema can
-be helpful. We show how to apply such induction schemas by an example.
-
-Structural induction on \isa{nat} is
-usually known as mathematical induction. There is also \textbf{complete}
-\index{induction!complete}%
-induction, where you prove $P(n)$ under the assumption that $P(m)$
-holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n%
-\end{isabelle}
-As an application, we prove a property of the following
-function:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ f\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{axioms}\isamarkupfalse%
-\ f{\isaliteral{5F}{\isacharunderscore}}ax{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}f{\isaliteral{28}{\isacharparenleft}}f{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\begin{warn}
-We discourage the use of axioms because of the danger of
-inconsistencies.  Axiom \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} does
-not introduce an inconsistency because, for example, the identity function
-satisfies it.  Axioms can be useful in exploratory developments, say when 
-you assume some well-known theorems so that you can quickly demonstrate some
-point about methodology.  If your example turns into a substantial proof
-development, you should replace axioms by theorems.
-\end{warn}\noindent
-The axiom for \isa{f} implies \isa{n\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ n}, which can
-be proved by induction on \mbox{\isa{f\ n}}. Following the recipe outlined
-above, we have to phrase the proposition as follows to allow induction:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-To perform induction on \isa{k} using \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}, we use
-the same general induction method as for recursion induction (see
-\S\ref{sec:fun-induction}):%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k\ rule{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-We get the following proof state:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
-\end{isabelle}
-After stripping the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i}, the proof continues with a case
-distinction on \isa{i}. The case \isa{i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} is trivial and we focus on
-the other case:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ allI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ i\ nat{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ m\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{3B}{\isacharsemicolon}}\ i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ nat{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{21}{\isacharbang}}{\isaliteral{3A}{\isacharcolon}}\ f{\isaliteral{5F}{\isacharunderscore}}ax\ Suc{\isaliteral{5F}{\isacharunderscore}}leI\ intro{\isaliteral{3A}{\isacharcolon}}\ le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-If you find the last step puzzling, here are the two lemmas it employs:
-\begin{isabelle}
-\isa{m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n}
-\rulename{Suc_leI}\isanewline
-\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C6C653E}{\isasymle}}\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{3C}{\isacharless}}\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3C}{\isacharless}}\ z}
-\rulename{le_less_trans}
-\end{isabelle}
-%
-The proof goes like this (writing \isa{j} instead of \isa{nat}).
-Since \isa{i\ {\isaliteral{3D}{\isacharequal}}\ Suc\ j} it suffices to show
-\hbox{\isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}},
-by \isa{Suc{\isaliteral{5F}{\isacharunderscore}}leI}\@.  This is
-proved as follows. From \isa{f{\isaliteral{5F}{\isacharunderscore}}ax} we have \isa{f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}}
-(1) which implies \isa{f\ j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ {\isaliteral{28}{\isacharparenleft}}f\ j{\isaliteral{29}{\isacharparenright}}} by the induction hypothesis.
-Using (1) once more we obtain \isa{f\ j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (2) by the transitivity
-rule \isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}.
-Using the induction hypothesis once more we obtain \isa{j\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ j}
-which, together with (2) yields \isa{j\ {\isaliteral{3C}{\isacharless}}\ f\ {\isaliteral{28}{\isacharparenleft}}Suc\ j{\isaliteral{29}{\isacharparenright}}} (again by
-\isa{le{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}trans}).
-
-This last step shows both the power and the danger of automatic proofs.  They
-will usually not tell you how the proof goes, because it can be hard to
-translate the internal proof into a human-readable format.  Automatic
-proofs are easy to write but hard to read and understand.
-
-The desired result, \isa{i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i}, follows from \isa{f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemmas}\isamarkupfalse%
-\ f{\isaliteral{5F}{\isacharunderscore}}incr\ {\isaliteral{3D}{\isacharequal}}\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\noindent
-The final \isa{refl} gets rid of the premise \isa{{\isaliteral{3F}{\isacharquery}}k\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{3F}{\isacharquery}}i}. 
-We could have included this derivation in the original statement of the lemma:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ f{\isaliteral{5F}{\isacharunderscore}}incr{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{2C}{\isacharcomma}}\ OF\ refl{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ k\ {\isaliteral{3D}{\isacharequal}}\ f\ i\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{exercise}
-From the axiom and lemma for \isa{f}, show that \isa{f} is the
-identity function.
-\end{exercise}
-
-Method \methdx{induct_tac} can be applied with any rule $r$
-whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
-format is
-\begin{quote}
-\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $y@1 \dots y@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $r$\isa{{\isaliteral{29}{\isacharparenright}}}
-\end{quote}
-where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
-
-A further useful induction rule is \isa{length{\isaliteral{5F}{\isacharunderscore}}induct},
-induction on the length of a list\indexbold{*length_induct}
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ length\ ys\ {\isaliteral{3C}{\isacharless}}\ length\ xs\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ xs%
-\end{isabelle}
-which is a special case of \isa{measure{\isaliteral{5F}{\isacharunderscore}}induct}
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ f\ y\ {\isaliteral{3C}{\isacharless}}\ f\ x\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
-\end{isabelle}
-where \isa{f} may be any function into type \isa{nat}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Derivation of New Induction Schemas%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:derive-ind}
-\index{induction!deriving new schemas}%
-Induction schemas are ordinary theorems and you can derive new ones
-whenever you wish.  This section shows you how, using the example
-of \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct}. Assume we only have structural induction
-available for \isa{nat} and want to derive complete induction.  We
-must generalize the statement as shown:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The base case is vacuously true. For the induction step (\isa{m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}) we distinguish two cases: case \isa{m\ {\isaliteral{3C}{\isacharless}}\ n} is true by induction
-hypothesis and case \isa{m\ {\isaliteral{3D}{\isacharequal}}\ n} follows from the assumption, again using
-the induction hypothesis:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ elim{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}SucE{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The elimination rule \isa{less{\isaliteral{5F}{\isacharunderscore}}SucE} expresses the case distinction:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ {\isaliteral{3C}{\isacharless}}\ Suc\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P%
-\end{isabelle}
-
-Now it is straightforward to derive the original version of
-\isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} by manipulating the conclusion of the above
-lemma: instantiate \isa{n} by \isa{Suc\ n} and \isa{m} by \isa{n}
-and remove the trivial condition \isa{n\ {\isaliteral{3C}{\isacharless}}\ Suc\ n}. Fortunately, this
-happens automatically when we add the lemma as a new premise to the
-desired goal:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{3C}{\isacharless}}n{\isaliteral{2E}{\isachardot}}\ P\ m\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}insert\ induct{\isaliteral{5F}{\isacharunderscore}}lem{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-HOL already provides the mother of
-all inductions, well-founded induction (see \S\ref{sec:Well-founded}).  For
-example theorem \isa{nat{\isaliteral{5F}{\isacharunderscore}}less{\isaliteral{5F}{\isacharunderscore}}induct} is
-a special case of \isa{wf{\isaliteral{5F}{\isacharunderscore}}induct} where \isa{r} is \isa{{\isaliteral{3C}{\isacharless}}} on
-\isa{nat}. The details can be found in theory \isa{Wellfounded_Recursion}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Axioms.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,487 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Axioms}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Axioms%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Attaching axioms to our classes lets us reason on the level of
-classes.  The results will be applicable to all types in a class, just
-as in axiomatic mathematics.
-
-\begin{warn}
-Proofs in this section use structured \emph{Isar} proofs, which are not
-covered in this tutorial; but see \cite{Nipkow-TYPES02}.%
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Semigroups%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We specify \emph{semigroups} as subclass of \isa{plus}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{class}\isamarkupfalse%
-\ semigroup\ {\isaliteral{3D}{\isacharequal}}\ plus\ {\isaliteral{2B}{\isacharplus}}\isanewline
-\ \ \isakeyword{assumes}\ assoc{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent This \hyperlink{command.class}{\mbox{\isa{\isacommand{class}}}} specification requires that
-all instances of \isa{semigroup} obey \hyperlink{fact.assoc:}{\mbox{\isa{assoc{\isaliteral{3A}{\isacharcolon}}}}}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.
-
-We can use this class axiom to derive further abstract theorems
-relative to class \isa{semigroup}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ assoc{\isaliteral{5F}{\isacharunderscore}}left{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{using}\isamarkupfalse%
-\ assoc\ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}rule\ sym{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The \isa{semigroup} constraint on type \isa{{\isaliteral{27}{\isacharprime}}a} restricts instantiations of \isa{{\isaliteral{27}{\isacharprime}}a} to types of class
-\isa{semigroup} and during the proof enables us to use the fact
-\hyperlink{fact.assoc}{\mbox{\isa{assoc}}} whose type parameter is itself constrained to class
-\isa{semigroup}.  The main advantage of classes is that theorems
-can be proved in the abstract and freely reused for each instance.
-
-On instantiation, we have to give a proof that the given operations
-obey the class axioms:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ semigroup\isanewline
-\isakeyword{begin}\isanewline
-\isanewline
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-%
-\begin{isamarkuptxt}%
-\noindent The proof opens with a default proof step, which for
-instance judgements invokes method \hyperlink{method.intro-classes}{\mbox{\isa{intro{\isaliteral{5F}{\isacharunderscore}}classes}}}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{fix}\isamarkupfalse%
-\ m\ n\ q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ q{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}induct\ m{\isaliteral{29}{\isacharparenright}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{end}\isamarkupfalse%
-%
-\begin{isamarkuptext}%
-\noindent Again, the interesting things enter the stage with
-parametric types:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}semigroup{\isaliteral{2C}{\isacharcomma}}\ semigroup{\isaliteral{29}{\isacharparenright}}\ semigroup\isanewline
-\isakeyword{begin}\isanewline
-\isanewline
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{fix}\isamarkupfalse%
-\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}semigroup{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ cases\ p\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{3}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent Associativity of product semigroups is established
-using the hypothetical associativity \hyperlink{fact.assoc}{\mbox{\isa{assoc}}} of the type
-components, which holds due to the \isa{semigroup} constraints
-imposed on the type components by the \hyperlink{command.instance}{\mbox{\isa{\isacommand{instance}}}} proposition.
-Indeed, this pattern often occurs with parametric types and type
-classes.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{end}\isamarkupfalse%
-%
-\isamarkupsubsubsection{Monoids%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We define a subclass \isa{monoidl} (a semigroup with a
-left-hand neutral) by extending \isa{semigroup} with one additional
-parameter \isa{neutral} together with its property:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{class}\isamarkupfalse%
-\ monoidl\ {\isaliteral{3D}{\isacharequal}}\ semigroup\ {\isaliteral{2B}{\isacharplus}}\isanewline
-\ \ \isakeyword{fixes}\ neutral\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isakeyword{assumes}\ neutl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Again, we prove some instances, by providing
-suitable parameter definitions and proofs for the additional
-specifications.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ monoidl\isanewline
-\isakeyword{begin}\isanewline
-\isanewline
-\isacommand{definition}\isamarkupfalse%
-\isanewline
-\ \ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{fix}\isamarkupfalse%
-\ n\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ nat\isanewline
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \isacommand{unfolding}\isamarkupfalse%
-\ neutral{\isaliteral{5F}{\isacharunderscore}}nat{\isaliteral{5F}{\isacharunderscore}}def\ \isacommand{by}\isamarkupfalse%
-\ simp\isanewline
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{end}\isamarkupfalse%
-%
-\begin{isamarkuptext}%
-\noindent In contrast to the examples above, we here have both
-specification of class operations and a non-trivial instance proof.
-
-This covers products as well:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}monoidl{\isaliteral{2C}{\isacharcomma}}\ monoidl{\isaliteral{29}{\isacharparenright}}\ monoidl\isanewline
-\isakeyword{begin}\isanewline
-\isanewline
-\isacommand{definition}\isamarkupfalse%
-\isanewline
-\ \ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{fix}\isamarkupfalse%
-\ p\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}monoidl{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ p\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}cases\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutral{\isaliteral{5F}{\isacharunderscore}}prod{\isaliteral{5F}{\isacharunderscore}}def\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{end}\isamarkupfalse%
-%
-\begin{isamarkuptext}%
-\noindent Fully-fledged monoids are modelled by another
-subclass which does not add new parameters but tightens the
-specification:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{class}\isamarkupfalse%
-\ monoid\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
-\ \ \isakeyword{assumes}\ neutr{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Corresponding instances for \isa{nat} and products
-are left as an exercise to the reader.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Groups%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\noindent To finish our small algebra example, we add a \isa{group} class:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{class}\isamarkupfalse%
-\ group\ {\isaliteral{3D}{\isacharequal}}\ monoidl\ {\isaliteral{2B}{\isacharplus}}\isanewline
-\ \ \isakeyword{fixes}\ inv\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{1}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isakeyword{assumes}\ invl{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent We continue with a further example for abstract
-proofs relative to type classes:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \isakeyword{fixes}\ x\ y\ z\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}group{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{shows}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z\ {\isaliteral{5C3C6C6F6E676C65667472696768746172726F773E}{\isasymlongleftrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{assume}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{have}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
-\ simp\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{have}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ assoc{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ invl\ neutl{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{next}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{assume}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}y\ {\isaliteral{3D}{\isacharequal}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
-\ simp\isanewline
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent Any \isa{group} is also a \isa{monoid}; this
-can be made explicit by claiming an additional subclass relation,
-together with a proof of the logical difference:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instance}\isamarkupfalse%
-\ group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{proof}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{fix}\isamarkupfalse%
-\ x\isanewline
-\ \ \isacommand{from}\isamarkupfalse%
-\ invl\ \isacommand{have}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
-\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{have}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6469763E}{\isasymdiv}}\ x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ neutl\ invl\ assoc\ {\isaliteral{5B}{\isacharbrackleft}}symmetric{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{then}\isamarkupfalse%
-\ \isacommand{show}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{5C3C7A65726F3E}{\isasymzero}}\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ \isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ left{\isaliteral{5F}{\isacharunderscore}}cancel{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{qed}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The proof result is propagated to the type system,
-making \isa{group} an instance of \isa{monoid} by adding an
-additional edge to the graph of subclass relation; see also
-Figure~\ref{fig:subclass}.
-
-\begin{figure}[htbp]
- \begin{center}
-   \small
-   \unitlength 0.6mm
-   \begin{picture}(40,60)(0,0)
-     \put(20,60){\makebox(0,0){\isa{semigroup}}}
-     \put(20,40){\makebox(0,0){\isa{monoidl}}}
-     \put(00,20){\makebox(0,0){\isa{monoid}}}
-     \put(40,00){\makebox(0,0){\isa{group}}}
-     \put(20,55){\vector(0,-1){10}}
-     \put(15,35){\vector(-1,-1){10}}
-     \put(25,35){\vector(1,-3){10}}
-   \end{picture}
-   \hspace{8em}
-   \begin{picture}(40,60)(0,0)
-     \put(20,60){\makebox(0,0){\isa{semigroup}}}
-     \put(20,40){\makebox(0,0){\isa{monoidl}}}
-     \put(00,20){\makebox(0,0){\isa{monoid}}}
-     \put(40,00){\makebox(0,0){\isa{group}}}
-     \put(20,55){\vector(0,-1){10}}
-     \put(15,35){\vector(-1,-1){10}}
-     \put(05,15){\vector(3,-1){30}}
-   \end{picture}
-   \caption{Subclass relationship of monoids and groups:
-      before and after establishing the relationship
-      \isa{group\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ monoid};  transitive edges are left out.}
-   \label{fig:subclass}
- \end{center}
-\end{figure}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Inconsistencies%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The reader may be wondering what happens if we attach an
-inconsistent set of axioms to a class. So far we have always avoided
-to add new axioms to HOL for fear of inconsistencies and suddenly it
-seems that we are throwing all caution to the wind. So why is there no
-problem?
-
-The point is that by construction, all type variables in the axioms of
-a \isacommand{class} are automatically constrained with the class
-being defined (as shown for axiom \isa{refl} above). These
-constraints are always carried around and Isabelle takes care that
-they are never lost, unless the type variable is instantiated with a
-type that has been shown to belong to that class. Thus you may be able
-to prove \isa{False} from your axioms, but Isabelle will remind you
-that this theorem has the hidden hypothesis that the class is
-non-empty.
-
-Even if each individual class is consistent, intersections of
-(unrelated) classes readily become inconsistent in practice. Now we
-know this need not worry us.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Syntactic Classes and Predefined Overloading%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-In our algebra example, we have started with a \emph{syntactic
-class} \isa{plus} which only specifies operations but no axioms; it
-would have been also possible to start immediately with class \isa{semigroup}, specifying the \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} operation and associativity at
-the same time.
-
-Which approach is more appropriate depends.  Usually it is more
-convenient to introduce operations and axioms in the same class: then
-the type checker will automatically insert the corresponding class
-constraints whenever the operations occur, reducing the need of manual
-annotations.  However, when operations are decorated with popular
-syntax, syntactic classes can be an option to re-use the syntax in
-different contexts; this is indeed the way most overloaded constants
-in HOL are introduced, of which the most important are listed in
-Table~\ref{tab:overloading} in the appendix.  Section
-\ref{sec:numeric-classes} covers a range of corresponding classes
-\emph{with} axioms.
-
-Further note that classes may contain axioms but \emph{no} operations.
-An example is class \isa{finite} from theory \isa{Finite{\isaliteral{5F}{\isacharunderscore}}Set}
-which specifies a type to be finite: \isa{{\isaliteral{22}{\isachardoublequote}}finite\ {\isaliteral{28}{\isacharparenleft}}UNIV\ {\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}finite\ set{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Base.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,130 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Base}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Case Study: Verified Model Checking%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:VMC}
-This chapter ends with a case study concerning model checking for 
-Computation Tree Logic (CTL), a temporal logic.
-Model checking is a popular technique for the verification of finite
-state systems (implementations) with respect to temporal logic formulae
-(specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic
-and this section will explore them in HOL\@. This is done in two steps.  First
-we consider a simple modal logic called propositional dynamic
-logic (PDL)\@.  We then proceed to the temporal logic CTL, which is
-used in many real
-model checkers. In each case we give both a traditional semantics (\isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}}) and a
-recursive function \isa{mc} that maps a formula into the set of all states of
-the system where the formula is valid. If the system has a finite number of
-states, \isa{mc} is directly executable: it is a model checker, albeit an
-inefficient one. The main proof obligation is to show that the semantics
-and the model checker agree.
-
-\underscoreon
-
-Our models are \emph{transition systems}:\index{transition systems}
-sets of \emph{states} with
-transitions between them.  Here is a simple example:
-\begin{center}
-\unitlength.5mm
-\thicklines
-\begin{picture}(100,60)
-\put(50,50){\circle{20}}
-\put(50,50){\makebox(0,0){$p,q$}}
-\put(61,55){\makebox(0,0)[l]{$s_0$}}
-\put(44,42){\vector(-1,-1){26}}
-\put(16,18){\vector(1,1){26}}
-\put(57,43){\vector(1,-1){26}}
-\put(10,10){\circle{20}}
-\put(10,10){\makebox(0,0){$q,r$}}
-\put(-1,15){\makebox(0,0)[r]{$s_1$}}
-\put(20,10){\vector(1,0){60}}
-\put(90,10){\circle{20}}
-\put(90,10){\makebox(0,0){$r$}}
-\put(98, 5){\line(1,0){10}}
-\put(108, 5){\line(0,1){10}}
-\put(108,15){\vector(-1,0){10}}
-\put(91,21){\makebox(0,0)[bl]{$s_2$}}
-\end{picture}
-\end{center}
-Each state has a unique name or number ($s_0,s_1,s_2$), and in each state
-certain \emph{atomic propositions} ($p,q,r$) hold.  The aim of temporal logic
-is to formalize statements such as ``there is no path starting from $s_2$
-leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths
-starting from $s_0$, $q$ always holds,'' which is false.
-
-Abstracting from this concrete example, we assume there is a type of
-states:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{typedecl}\isamarkupfalse%
-\ state%
-\begin{isamarkuptext}%
-\noindent
-Command \commdx{typedecl} merely declares a new type but without
-defining it (see \S\ref{sec:typedecl}). Thus we know nothing
-about the type other than its existence. That is exactly what we need
-because \isa{state} really is an implicit parameter of our model.  Of
-course it would have been more generic to make \isa{state} a type
-parameter of everything but declaring \isa{state} globally as above
-reduces clutter.  Similarly we declare an arbitrary but fixed
-transition system, i.e.\ a relation between states:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ M\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-This is Isabelle's way of declaring a constant without defining it.
-Finally we introduce a type of atomic propositions%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{typedecl}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-and a \emph{labelling function}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ L\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ atom\ set{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-telling us which atomic propositions are true in each state.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/CTL.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,575 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{CTL}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Computation Tree Logic --- CTL%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:CTL}
-\index{CTL|(}%
-The semantics of PDL only needs reflexive transitive closure.
-Let us be adventurous and introduce a more expressive temporal operator.
-We extend the datatype
-\isa{formula} by a new constructor%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AF\ formula%
-\begin{isamarkuptext}%
-\noindent
-which stands for ``\emph{A}lways in the \emph{F}uture'':
-on all infinite paths, at some point the formula holds.
-Formalizing the notion of an infinite path is easy
-in HOL: it is simply a function from \isa{nat} to \isa{state}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ Paths\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}Paths\ s\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-This definition allows a succinct statement of the semantics of \isa{AF}:
-\footnote{Do not be misled: neither datatypes nor recursive functions can be
-extended by new constructors or equations. This is just a trick of the
-presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
-a new datatype and a new function.}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Model checking \isa{AF} involves a function which
-is just complicated enough to warrant a separate definition:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ af\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}af\ A\ T\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ T{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Now we define \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}} as the least set \isa{T} that includes
-\isa{mc\ f} and all states all of whose direct successors are in \isa{T}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}af{\isaliteral{28}{\isacharparenleft}}mc\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Because \isa{af} is monotone in its second argument (and also its first, but
-that is irrelevant), \isa{af\ A} has a least fixed point:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mono{\isaliteral{5F}{\isacharunderscore}}def\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ blast\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-All we need to prove now is  \isa{mc\ {\isaliteral{28}{\isacharparenleft}}AF\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AF\ f{\isaliteral{7D}{\isacharbraceright}}}, which states
-that \isa{mc} and \isa{{\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}} agree for \isa{AF}\@.
-This time we prove the two inclusions separately, starting
-with the easy one:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-In contrast to the analogous proof for \isa{EF}, and just
-for a change, we do not use fixed point induction.  Park-induction,
-named after David Park, is weaker but sufficient for this proof:
-\begin{center}
-\isa{f\ S\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ lfp\ f\ {\isaliteral{5C3C6C653E}{\isasymle}}\ S} \hfill (\isa{lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound})
-\end{center}
-The instance of the premise \isa{f\ S\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ S} is proved pointwise,
-a decision that \isa{auto} takes for us:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ lfp{\isaliteral{5F}{\isacharunderscore}}lowerbound{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}p{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
-\end{isabelle}
-In this remaining case, we set \isa{t} to \isa{p\ {\isadigit{1}}}.
-The rest is automatic, which is surprising because it involves
-finding the instantiation \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}}
-for \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ allE{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The opposite inclusion is proved by contradiction: if some state
-\isa{s} is not in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then we can construct an
-infinite \isa{A}-avoiding path starting from~\isa{s}. The reason is
-that by unfolding \isa{lfp} we find that if \isa{s} is not in
-\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}, then \isa{s} is not in \isa{A} and there is a
-direct successor of \isa{s} that is again not in \mbox{\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}}. Iterating this argument yields the promised infinite
-\isa{A}-avoiding path. Let us formalize this sketch.
-
-The one-step argument in the sketch above
-is proved by a variant of contraposition:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}np{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-We assume the negation of the conclusion and prove \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
-Unfolding \isa{lfp} once and
-simplifying with the definition of \isa{af} finishes the proof.
-
-Now we iterate this process. The following construction of the desired
-path is parameterized by a predicate \isa{Q} that should hold along the path:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ path\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ s{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ n{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Element \isa{n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}} on this path is some arbitrary successor
-\isa{t} of element \isa{n} such that \isa{Q\ t} holds.  Remember that \isa{SOME\ t{\isaliteral{2E}{\isachardot}}\ R\ t}
-is some arbitrary but fixed \isa{t} such that \isa{R\ t} holds (see \S\ref{sec:SOME}). Of
-course, such a \isa{t} need not exist, but that is of no
-concern to us since we will only use \isa{path} when a
-suitable \isa{t} does exist.
-
-Let us show that if each state \isa{s} that satisfies \isa{Q}
-has a successor that again satisfies \isa{Q}, then there exists an infinite \isa{Q}-path:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\ \ \ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-First we rephrase the conclusion slightly because we need to prove simultaneously
-both the path property and the fact that \isa{Q} holds:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{3D}{\isacharequal}}\ p\ {\isadigit{0}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{2C}{\isacharcomma}}\ p{\isaliteral{28}{\isacharparenleft}}i{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{28}{\isacharparenleft}}p\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-From this proposition the original goal follows easily:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{2C}{\isacharcomma}}\ blast{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The new subgoal is proved by providing the witness \isa{path\ s\ Q} for \isa{p}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}path\ s\ Q{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-After simplification and clarification, the subgoal has the following form:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Q\ {\isaliteral{28}{\isacharparenleft}}path\ s\ Q\ i{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-It invites a proof by induction on \isa{i}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ i{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-After simplification, the base case boils down to
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Q\ s{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ Q\ s\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ SOME\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M%
-\end{isabelle}
-The conclusion looks exceedingly trivial: after all, \isa{t} is chosen such that \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}
-holds. However, we first have to show that such a \isa{t} actually exists! This reasoning
-is embodied in the theorem \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ a{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{28}{\isacharparenleft}}SOME\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-When we apply this theorem as an introduction rule, \isa{{\isaliteral{3F}{\isacharquery}}P\ x} becomes
-\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x} and \isa{{\isaliteral{3F}{\isacharquery}}Q\ x} becomes \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M} and we have to prove
-two subgoals: \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}a{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ a}, which follows from the assumptions, and
-\isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M}, which is trivial. Thus it is not surprising that
-\isa{fast} can prove the base case quickly:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}fast\ intro{\isaliteral{3A}{\isacharcolon}}\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-What is worth noting here is that we have used \methdx{fast} rather than
-\isa{blast}.  The reason is that \isa{blast} would fail because it cannot
-cope with \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex}: unifying its conclusion with the current
-subgoal is non-trivial because of the nested schematic variables. For
-efficiency reasons \isa{blast} does not even attempt such unifications.
-Although \isa{fast} can in principle cope with complicated unification
-problems, in practice the number of unifiers arising is often prohibitive and
-the offending rule may need to be applied explicitly rather than
-automatically. This is what happens in the step case.
-
-The induction step is similar, but more involved, because now we face nested
-occurrences of \isa{SOME}. As a result, \isa{fast} is no longer able to
-solve the subgoal and we apply \isa{someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex} by hand.  We merely
-show the proof commands but do not describe the details:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ someI{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}ex{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Function \isa{path} has fulfilled its purpose now and can be forgotten.
-It was merely defined to provide the witness in the proof of the
-\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma}. Aficionados of minimal proofs might like to know
-that we could have given the witness without having to define a new function:
-the term
-\begin{isabelle}%
-\ \ \ \ \ nat{\isaliteral{5F}{\isacharunderscore}}rec\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n\ t{\isaliteral{2E}{\isachardot}}\ SOME\ u{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ u{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-is extensionally equal to \isa{path\ s\ Q},
-where \isa{nat{\isaliteral{5F}{\isacharunderscore}}rec} is the predefined primitive recursor on \isa{nat}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-At last we can prove the opposite direction of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is again pointwise and then by contraposition:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ simp%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
-\end{isabelle}
-Applying the \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} as a destruction rule leaves two subgoals, the second
-premise of \isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} and the original subgoal:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}drule\ infinity{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A%
-\end{isabelle}
-Both are solved automatically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ dest{\isaliteral{3A}{\isacharcolon}}\ not{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5F}{\isacharunderscore}}afD{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-If you find these proofs too complicated, we recommend that you read
-\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
-simpler arguments.
-
-The main theorem is proved as for PDL, except that we also derive the
-necessary equality \isa{lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}} by combining
-\isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}} and \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} on the spot:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma\ equalityI{\isaliteral{5B}{\isacharbrackleft}}OF\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{1}}\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The language defined above is not quite CTL\@. The latter also includes an
-until-operator \isa{EU\ f\ g} with semantics ``there \emph{E}xists a path
-where \isa{f} is true \emph{U}ntil \isa{g} becomes true''.  We need
-an auxiliary function:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\isanewline
-until{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}until\ A\ B\ s\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{23}{\isacharhash}}p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ until\ A\ B\ t\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Expressing the semantics of \isa{EU} is now straightforward:
-\begin{isabelle}%
-\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{2E}{\isachardot}}\ until\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{7B}{\isacharbraceleft}}t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{7D}{\isacharbraceright}}\ s\ p{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Note that \isa{EU} is not definable in terms of the other operators!
-
-Model checking \isa{EU} is again a least fixed point construction:
-\begin{isabelle}%
-\ \ \ \ \ mc{\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ g\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-
-\begin{exercise}
-Extend the datatype of formulae by the above until operator
-and prove the equivalence between semantics and model checking, i.e.\ that
-\begin{isabelle}%
-\ \ \ \ \ mc\ {\isaliteral{28}{\isacharparenleft}}EU\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EU\ f\ g{\isaliteral{7D}{\isacharbraceright}}%
-\end{isabelle}
-%For readability you may want to annotate {term EU} with its customary syntax
-%{text[display]"| EU formula formula    E[_ U _]"}
-%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
-\end{exercise}
-For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Let us close this section with a few words about the executability of
-our model checkers.  It is clear that if all sets are finite, they can be
-represented as lists and the usual set operations are easily
-implemented. Only \isa{lfp} requires a little thought.  Fortunately, theory
-\isa{While{\isaliteral{5F}{\isacharunderscore}}Combinator} in the Library~\cite{HOL-Library} provides a
-theorem stating that in the case of finite sets and a monotone
-function~\isa{F}, the value of \mbox{\isa{lfp\ F}} can be computed by
-iterated application of \isa{F} to~\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{7D}{\isacharbraceright}}} until a fixed point is
-reached. It is actually possible to generate executable functional programs
-from HOL definitions, but that is beyond the scope of the tutorial.%
-\index{CTL|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/CTLind.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,252 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{CTLind}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{CTL Revisited%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:CTL-revisited}
-\index{CTL|(}%
-The purpose of this section is twofold: to demonstrate
-some of the induction principles and heuristics discussed above and to
-show how inductive definitions can simplify proofs.
-In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a
-model checker for CTL\@. In particular the proof of the
-\isa{infinity{\isaliteral{5F}{\isacharunderscore}}lemma} on the way to \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} is not as
-simple as one might expect, due to the \isa{SOME} operator
-involved. Below we give a simpler proof of \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}}
-based on an auxiliary inductive definition.
-
-Let us call a (finite or infinite) path \emph{\isa{A}-avoiding} if it does
-not touch any node in the set \isa{A}. Then \isa{AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}} says
-that if no infinite path from some state \isa{s} is \isa{A}-avoiding,
-then \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. We prove this by inductively defining the set
-\isa{Avoid\ s\ A} of states reachable from \isa{s} by a finite \isa{A}-avoiding path:
-% Second proof of opposite direction, directly by well-founded induction
-% on the initial segment of M that avoids A.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ Avoid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ s\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ state\ \isakeyword{and}\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ u\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-It is easy to see that for any infinite \isa{A}-avoiding path \isa{f}
-with \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} there is an infinite \isa{A}-avoiding path
-starting with \isa{s} because (by definition of \isa{Avoid}) there is a
-finite \isa{A}-avoiding path from \isa{s} to \isa{f\ {\isadigit{0}}}.
-The proof is by induction on \isa{f\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}. However,
-this requires the following
-reformulation, as explained in \S\ref{sec:ind-var-in-prems} above;
-the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive undoes the reformulation after the proof.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\ \ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ f\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ Avoid{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarify{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ case\ i\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ t\ {\isaliteral{7C}{\isacharbar}}\ Suc\ i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ i{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ bspec{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The base case (\isa{t\ {\isaliteral{3D}{\isacharequal}}\ s}) is trivial and proved by \isa{blast}.
-In the induction step, we have an infinite \isa{A}-avoiding path \isa{f}
-starting from \isa{u}, a successor of \isa{t}. Now we simply instantiate
-the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}f{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ t} in the induction hypothesis by the path starting with
-\isa{t} and continuing with \isa{f}. That is what the above $\lambda$-term
-expresses.  Simplification shows that this is a path starting with \isa{t} 
-and that the instantiated induction hypothesis implies the conclusion.
-
-Now we come to the key lemma. Assuming that no infinite \isa{A}-avoiding
-path starts from \isa{s}, we want to show \isa{s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. For the
-inductive proof this must be generalized to the statement that every point \isa{t}
-``between'' \isa{s} and \isa{A}, in other words all of \isa{Avoid\ s\ A},
-is contained in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is by induction on the ``distance'' between \isa{t} and \isa{A}. Remember that \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.
-If \isa{t} is already in \isa{A}, then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
-trivial. If \isa{t} is not in \isa{A} but all successors are in
-\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} (induction hypothesis), then \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}} is
-again trivial.
-
-The formal counterpart of this proof sketch is a well-founded induction
-on~\isa{M} restricted to \isa{Avoid\ s\ A\ {\isaliteral{2D}{\isacharminus}}\ A}, roughly speaking:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
-\end{isabelle}
-As we shall see presently, the absence of infinite \isa{A}-avoiding paths
-starting from \isa{s} implies well-foundedness of this relation. For the
-moment we assume this and proceed with the induction:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}wf{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule{\isaliteral{5F}{\isacharunderscore}}tac\ a\ {\isaliteral{3D}{\isacharequal}}\ t\ \isakeyword{in}\ wf{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}clarsimp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}t{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ }y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ \ }t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}t{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ }wf\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ x\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A{\isaliteral{7D}{\isacharbraceright}}%
-\end{isabelle}
-Now the induction hypothesis states that if \isa{t\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ A}
-then all successors of \isa{t} that are in \isa{Avoid\ s\ A} are in
-\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Unfolding \isa{lfp} in the conclusion of the first
-subgoal once, we have to prove that \isa{t} is in \isa{A} or all successors
-of \isa{t} are in \isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}.  But if \isa{t} is not in \isa{A},
-the second 
-\isa{Avoid}-rule implies that all successors of \isa{t} are in
-\isa{Avoid\ s\ A}, because we also assume \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A}.
-Hence, by the induction hypothesis, all successors of \isa{t} are indeed in
-\isa{lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}}. Mechanically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}af{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}\ add{\isaliteral{3A}{\isacharcolon}}\ af{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-Having proved the main goal, we return to the proof obligation that the 
-relation used above is indeed well-founded. This is proved by contradiction: if
-the relation is not well-founded then there exists an infinite \isa{A}-avoiding path all in \isa{Avoid\ s\ A}, by theorem
-\isa{wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain}:
-\begin{isabelle}%
-\ \ \ \ \ wf\ r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}f{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}Suc\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}\ f\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-From lemma \isa{ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path} the existence of an infinite
-\isa{A}-avoiding path starting in \isa{s} follows, contradiction.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ contrapos{\isaliteral{5F}{\isacharunderscore}}pp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ wf{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}down{\isaliteral{5F}{\isacharunderscore}}chain{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ exE{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ ex{\isaliteral{5F}{\isacharunderscore}}infinite{\isaliteral{5F}{\isacharunderscore}}path{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ Paths{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The \isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}} modifier of the \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive in the
-statement of the lemma means
-that the assumption is left unchanged; otherwise the \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p} 
-would be turned
-into a \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}p}, which would complicate matters below. As it is,
-\isa{Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp} is now
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{5C3C696E3E}{\isasymin}}Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-The main theorem is simply the corollary where \isa{t\ {\isaliteral{3D}{\isacharequal}}\ s},
-when the assumption \isa{t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Avoid\ s\ A} is trivially true
-by the first \isa{Avoid}-rule. Isabelle confirms this:%
-\index{CTL|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ AF{\isaliteral{5F}{\isacharunderscore}}lemma{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Paths\ s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}\ i{\isaliteral{2E}{\isachardot}}\ p\ i\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ lfp{\isaliteral{28}{\isacharparenleft}}af\ A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ elim{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{5F}{\isacharunderscore}}in{\isaliteral{5F}{\isacharunderscore}}lfp\ intro{\isaliteral{3A}{\isacharcolon}}\ Avoid{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
-\isanewline
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/CodeGen.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,237 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{CodeGen}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Case Study: Compiling Expressions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:ExprCompiler}
-\index{compiling expressions example|(}%
-The task is to develop a compiler from a generic type of expressions (built
-from variables, constants and binary operations) to a stack machine.  This
-generic type of expressions is a generalization of the boolean expressions in
-\S\ref{sec:boolex}.  This time we do not commit ourselves to a particular
-type of variables or values but make them type parameters.  Neither is there
-a fixed set of binary operations: instead the expression contains the
-appropriate function itself.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}v\ binop\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{3D}{\isacharequal}}\ Cex\ {\isaliteral{27}{\isacharprime}}v\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Vex\ {\isaliteral{27}{\isacharprime}}a\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Bex\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The three constructors represent constants, variables and the application of
-a binary operation to two subexpressions.
-
-The value of an expression with respect to an environment that maps variables to
-values is easily defined:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ env\ a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{1}}\ env{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}value\ e{\isadigit{2}}\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The stack machine has three instructions: load a constant value onto the
-stack, load the contents of an address onto the stack, and apply a
-binary operation to the two topmost elements of the stack, replacing them by
-the result. As for \isa{expr}, addresses and values are type parameters:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ instr\ {\isaliteral{3D}{\isacharequal}}\ Const\ {\isaliteral{27}{\isacharprime}}v\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Load\ {\isaliteral{27}{\isacharprime}}a\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ binop{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The execution of the stack machine is modelled by a function
-\isa{exec} that takes a list of instructions, a store (modelled as a
-function from addresses to values, just like the environment for
-evaluating expressions), and a stack (modelled as a list) of values,
-and returns the stack at the end of the execution --- the store remains
-unchanged:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ exec\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}i{\isaliteral{23}{\isacharhash}}is{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ i\ of\isanewline
-\ \ \ \ Const\ v\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}v{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Load\ a\ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}s\ a{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}vs{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Apply\ f\ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ exec\ is\ s\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}hd\ vs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}hd{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}tl{\isaliteral{28}{\isacharparenleft}}tl\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Recall that \isa{hd} and \isa{tl}
-return the first element and the remainder of a list.
-Because all functions are total, \cdx{hd} is defined even for the empty
-list, although we do not know what the result is. Thus our model of the
-machine always terminates properly, although the definition above does not
-tell us much about the result in situations where \isa{Apply} was executed
-with fewer than two elements on the stack.
-
-The compiler is a function from expressions to a list of instructions. Its
-definition is obvious:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ compile\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}expr\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}instr\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Cex\ v{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Const\ v{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Vex\ a{\isaliteral{29}{\isacharparenright}}\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}Load\ a{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}compile\ {\isaliteral{28}{\isacharparenleft}}Bex\ f\ e{\isadigit{1}}\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}Apply\ f{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Now we have to prove the correctness of the compiler, i.e.\ that the
-execution of a compiled expression results in the value of the expression:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-This theorem needs to be generalized:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ e\ s{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ vs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-It will be proved by induction on \isa{e} followed by simplification.  
-First, we must prove a lemma about executing the concatenation of two
-instruction sequences:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ exec{\isaliteral{5F}{\isacharunderscore}}app{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}vs{\isaliteral{2E}{\isachardot}}\ exec\ {\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ s\ vs\ {\isaliteral{3D}{\isacharequal}}\ exec\ ys\ s\ {\isaliteral{28}{\isacharparenleft}}exec\ xs\ s\ vs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-This requires induction on \isa{xs} and ordinary simplification for the
-base cases. In the induction step, simplification leaves us with a formula
-that contains two \isa{case}-expressions over instructions. Thus we add
-automatic case splitting, which finishes the proof:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Note that because both \methdx{simp_all} and \methdx{auto} perform simplification, they can
-be modified in the same way as \isa{simp}.  Thus the proof can be
-rewritten as%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all\ split{\isaliteral{3A}{\isacharcolon}}\ instr{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Although this is more compact, it is less clear for the reader of the proof.
-
-We could now go back and prove \isa{exec\ {\isaliteral{28}{\isacharparenleft}}compile\ e{\isaliteral{29}{\isacharparenright}}\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}value\ e\ s{\isaliteral{5D}{\isacharbrackright}}}
-merely by simplification with the generalized version we just proved.
-However, this is unnecessary because the generalized version fully subsumes
-its instance.%
-\index{compiling expressions example|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Documents.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,933 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Documents}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Concrete Syntax \label{sec:concrete-syntax}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The core concept of Isabelle's framework for concrete syntax is that
-  of \bfindex{mixfix annotations}.  Associated with any kind of
-  constant declaration, mixfixes affect both the grammar productions
-  for the parser and output templates for the pretty printer.
-
-  In full generality, parser and pretty printer configuration is a
-  subtle affair~\cite{isabelle-ref}.  Your syntax specifications need
-  to interact properly with the existing setup of Isabelle/Pure and
-  Isabelle/HOL\@.  To avoid creating ambiguities with existing
-  elements, it is particularly important to give new syntactic
-  constructs the right precedence.
-
-  Below we introduce a few simple syntax declaration
-  forms that already cover many common situations fairly well.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Infix Annotations%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Syntax annotations may be included wherever constants are declared,
-  such as \isacommand{definition} and \isacommand{primrec} --- and also
-  \isacommand{datatype}, which declares constructor operations.
-  Type-constructors may be annotated as well, although this is less
-  frequently encountered in practice (the infix type \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} comes
-  to mind).
-
-  Infix declarations\index{infix annotations} provide a useful special
-  case of mixfixes.  The following example of the exclusive-or
-  operation on boolean values illustrates typical infix declarations.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Now \isa{xor\ A\ B} and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} refer to the
-  same expression internally.  Any curried function with at least two
-  arguments may be given infix syntax.  For partial applications with
-  fewer than two operands, there is a notation using the prefix~\isa{op}.  For instance, \isa{xor} without arguments is represented as
-  \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}; together with ordinary function application, this
-  turns \isa{xor\ A} into \isa{op\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ A}.
-
-  The keyword \isakeyword{infixl} seen above specifies an
-  infix operator that is nested to the \emph{left}: in iterated
-  applications the more complex expression appears on the left-hand
-  side, and \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} stands for \isa{{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C}.  Similarly, \isakeyword{infixr} means nesting to the
-  \emph{right}, reading \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} as \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{28}{\isacharparenleft}}B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C{\isaliteral{29}{\isacharparenright}}}.  A \emph{non-oriented} declaration via \isakeyword{infix}
-  would render \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ C} illegal, but demand explicit
-  parentheses to indicate the intended grouping.
-
-  The string \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequote}}} in our annotation refers to the
-  concrete syntax to represent the operator (a literal token), while
-  the number \isa{{\isadigit{6}}{\isadigit{0}}} determines the precedence of the construct:
-  the syntactic priorities of the arguments and result.  Isabelle/HOL
-  already uses up many popular combinations of ASCII symbols for its
-  own use, including both \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2B}{\isacharplus}}{\isaliteral{2B}{\isacharplus}}}.  Longer
-  character combinations are more likely to be still available for
-  user extensions, such as our~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}}.
-
-  Operator precedences have a range of 0--1000.  Very low or high
-  priorities are reserved for the meta-logic.  HOL syntax mainly uses
-  the range of 10--100: the equality infix \isa{{\isaliteral{3D}{\isacharequal}}} is centered at
-  50; logical connectives (like \isa{{\isaliteral{5C3C6F723E}{\isasymor}}} and \isa{{\isaliteral{5C3C616E643E}{\isasymand}}}) are
-  below 50; algebraic ones (like \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}}) are
-  above 50.  User syntax should strive to coexist with common HOL
-  forms, or use the mostly unused range 100--900.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Mathematical Symbols \label{sec:syntax-symbols}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Concrete syntax based on ASCII characters has inherent limitations.
-  Mathematical notation demands a larger repertoire of glyphs.
-  Several standards of extended character sets have been proposed over
-  decades, but none has become universally available so far.  Isabelle
-  has its own notion of \bfindex{symbols} as the smallest entities of
-  source text, without referring to internal encodings.  There are
-  three kinds of such ``generalized characters'':
-
-  \begin{enumerate}
-
-  \item 7-bit ASCII characters
-
-  \item named symbols: \verb,\,\verb,<,$ident$\verb,>,
-
-  \item named control symbols: \verb,\,\verb,<^,$ident$\verb,>,
-
-  \end{enumerate}
-
-  Here $ident$ is any sequence of letters. 
-  This results in an infinite store of symbols, whose
-  interpretation is left to further front-end tools.  For example, the
-  user-interface of Proof~General + X-Symbol and the Isabelle document
-  processor (see \S\ref{sec:document-preparation}) display the
-  \verb,\,\verb,<forall>, symbol as~\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}.
-
-  A list of standard Isabelle symbols is given in
-  \cite{isabelle-isar-ref}.  You may introduce your own
-  interpretation of further symbols by configuring the appropriate
-  front-end tool accordingly, e.g.\ by defining certain {\LaTeX}
-  macros (see also \S\ref{sec:doc-prep-symbols}).  There are also a
-  few predefined control symbols, such as \verb,\,\verb,<^sub>, and
-  \verb,\,\verb,<^sup>, for sub- and superscript of the subsequent
-  printable symbol, respectively.  For example, \verb,A\<^sup>\<star>, is
-  output as \isa{A\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{5C3C737461723E}{\isasymstar}}}.
-
-  A number of symbols are considered letters by the Isabelle lexer and
-  can be used as part of identifiers. These are the greek letters
-  \isa{{\isaliteral{5C3C616C7068613E}{\isasymalpha}}} (\verb+\+\verb+<alpha>+), \isa{{\isaliteral{5C3C626574613E}{\isasymbeta}}}
-  (\verb+\+\verb+<beta>+), etc. (excluding \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}}),
-  special letters like \isa{{\isaliteral{5C3C413E}{\isasymA}}} (\verb+\+\verb+<A>+) and \isa{{\isaliteral{5C3C41413E}{\isasymAA}}} (\verb+\+\verb+<AA>+), and the control symbols
-  \verb+\+\verb+<^isub>+ and \verb+\+\verb+<^isup>+ for single letter
-  sub and super scripts. This means that the input
-
-  \medskip
-  {\small\noindent \verb,\,\verb,<forall>\,\verb,<alpha>\<^isub>1.,~\verb,\,\verb,<alpha>\<^isub>1 = \,\verb,<Pi>\<^isup>\<A>,}
-
-  \medskip
-  \noindent is recognized as the term \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C616C7068613E}{\isasymalpha}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}} 
-  by Isabelle. Note that \isa{{\isaliteral{5C3C50693E}{\isasymPi}}\isaliteral{5C3C5E697375703E}{}\isactrlisup {\isaliteral{5C3C413E}{\isasymA}}} is a single
-  syntactic entity, not an exponentiation.
-
-  Replacing our previous definition of \isa{xor} by the
-  following specifies an Isabelle symbol for the new operator:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-\isacommand{definition}\isamarkupfalse%
-\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\begin{isamarkuptext}%
-\noindent Proof~General provides several input methods to enter
-  \isa{{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}} in the text.  If all fails one may just type a named
-  entity \verb,\,\verb,<oplus>, by hand; the corresponding symbol will
-  be displayed after further input.
-
-  More flexible is to provide alternative syntax forms
-  through the \bfindex{print mode} concept~\cite{isabelle-ref}.  By
-  convention, the mode of ``$xsymbols$'' is enabled whenever
-  Proof~General's X-Symbol mode or {\LaTeX} output is active.  Now
-  consider the following hybrid declaration of \isa{xor}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-\isacommand{definition}\isamarkupfalse%
-\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{notation}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ xor\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\begin{isamarkuptext}%
-\noindent
-The \commdx{notation} command associates a mixfix
-annotation with a known constant.  The print mode specification,
-here \isa{{\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}}, is optional.
-
-We may now write \isa{A\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{2B}{\isacharplus}}{\isaliteral{5D}{\isacharbrackright}}\ B} or \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B} in input, while
-output uses the nicer syntax of $xsymbols$ whenever that print mode is
-active.  Such an arrangement is particularly useful for interactive
-development, where users may type ASCII text and see mathematical
-symbols displayed during proofs.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Prefix Annotations%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Prefix syntax annotations\index{prefix annotation} are another form
-  of mixfixes \cite{isabelle-ref}, without any template arguments or
-  priorities --- just some literal syntax.  The following example
-  associates common symbols with the constructors of a datatype.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ currency\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ Euro\ nat\ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6575726F3E}{\isasymeuro}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Pounds\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C706F756E64733E}{\isasympounds}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Yen\ nat\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C79656E3E}{\isasymyen}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Dollar\ nat\ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{24}{\isachardollar}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptext}%
-\noindent Here the mixfix annotations on the rightmost column happen
-  to consist of a single Isabelle symbol each: \verb,\,\verb,<euro>,,
-  \verb,\,\verb,<pounds>,, \verb,\,\verb,<yen>,, and \verb,$,.  Recall
-  that a constructor like \isa{Euro} actually is a function \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ currency}.  The expression \isa{Euro\ {\isadigit{1}}{\isadigit{0}}} will be
-  printed as \isa{{\isaliteral{5C3C6575726F3E}{\isasymeuro}}\ {\isadigit{1}}{\isadigit{0}}}; only the head of the application is
-  subject to our concrete syntax.  This rather simple form already
-  achieves conformance with notational standards of the European
-  Commission.
-
-  Prefix syntax works the same way for other commands that introduce new constants, e.g. \isakeyword{primrec}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Abbreviations \label{sec:abbreviations}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Mixfix syntax annotations merely decorate particular constant
-application forms with concrete syntax, for instance replacing
-\isa{xor\ A\ B} by \isa{A\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ B}.  Occasionally, the relationship
-between some piece of notation and its internal form is more
-complicated.  Here we need \emph{abbreviations}.
-
-Command \commdx{abbreviation} introduces an uninterpreted notational
-constant as an abbreviation for a complex term. Abbreviations are
-unfolded upon parsing and re-introduced upon printing. This provides a
-simple mechanism for syntactic macros.
-
-A typical use of abbreviations is to introduce relational notation for
-membership in a set of pairs, replacing \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} by
-\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}. We assume that a constant \isa{sim} of type
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ set} has been introduced at this point.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{abbreviation}\isamarkupfalse%
-\ sim{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C617070726F783E}{\isasymapprox}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent The given meta-equality is used as a rewrite rule
-after parsing (replacing \mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}} by \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim}) and before printing (turning \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ sim} back into
-\mbox{\isa{x\ {\isaliteral{5C3C617070726F783E}{\isasymapprox}}\ y}}). The name of the dummy constant \isa{sim{\isadigit{2}}}
-does not matter, as long as it is unique.
-
-Another common application of abbreviations is to
-provide variant versions of fundamental relational expressions, such
-as \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} for negated equalities.  The following declaration
-stems from Isabelle/HOL itself:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{abbreviation}\isamarkupfalse%
-\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{7E}{\isachartilde}}{\isaliteral{3D}{\isacharequal}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}\ y\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{notation}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}xsymbols{\isaliteral{29}{\isacharparenright}}\ not{\isaliteral{5F}{\isacharunderscore}}equal\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infix}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}{\isaliteral{5C3C69676E6F72653E}{\isasymignore}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{5}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptext}%
-\noindent The notation \isa{{\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}} is introduced separately to restrict it
-to the \emph{xsymbols} mode.
-
-Abbreviations are appropriate when the defined concept is a
-simple variation on an existing one.  But because of the automatic
-folding and unfolding of abbreviations, they do not scale up well to
-large hierarchies of concepts. Abbreviations do not replace
-definitions.
-
-Abbreviations are a simplified form of the general concept of
-\emph{syntax translations}; even heavier transformations may be
-written in ML \cite{isabelle-ref}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsection{Document Preparation \label{sec:document-preparation}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Isabelle/Isar is centered around the concept of \bfindex{formal
-  proof documents}\index{documents|bold}.  The outcome of a formal
-  development effort is meant to be a human-readable record, presented
-  as browsable PDF file or printed on paper.  The overall document
-  structure follows traditional mathematical articles, with sections,
-  intermediate explanations, definitions, theorems and proofs.
-
-  \medskip The Isabelle document preparation system essentially acts
-  as a front-end to {\LaTeX}.  After checking specifications and
-  proofs formally, the theory sources are turned into typesetting
-  instructions in a schematic manner.  This lets you write authentic
-  reports on theory developments with little effort: many technical
-  consistency checks are handled by the system.
-
-  Here is an example to illustrate the idea of Isabelle document
-  preparation.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{quotation}
-%
-\begin{isamarkuptext}%
-The following datatype definition of \isa{{\isaliteral{27}{\isacharprime}}a\ bintree} models
-  binary trees with nodes being decorated by elements of type \isa{{\isaliteral{27}{\isacharprime}}a}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}a\ bintree\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ \ Leaf\ {\isaliteral{7C}{\isacharbar}}\ Branch\ {\isaliteral{27}{\isacharprime}}a\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ bintree{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent The datatype induction rule generated here is of the form
-  \begin{isabelle}%
-\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ Leaf{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ bintree{\isadigit{1}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ bintree{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Branch\ a\ bintree{\isadigit{1}}\ bintree{\isadigit{2}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ bintree%
-\end{isabelle}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\end{quotation}
-%
-\begin{isamarkuptext}%
-\noindent The above document output has been produced as follows:
-
-  \begin{ttbox}
-  text {\ttlbrace}*
-    The following datatype definition of {\at}{\ttlbrace}text "'a bintree"{\ttrbrace}
-    models binary trees with nodes being decorated by elements
-    of type {\at}{\ttlbrace}typ 'a{\ttrbrace}.
-  *{\ttrbrace}
-
-  datatype 'a bintree =
-    Leaf | Branch 'a  "'a bintree"  "'a bintree"
-  \end{ttbox}
-  \begin{ttbox}
-  text {\ttlbrace}*
-    {\ttback}noindent The datatype induction rule generated here is
-    of the form {\at}{\ttlbrace}thm [display] bintree.induct [no_vars]{\ttrbrace}
-  *{\ttrbrace}
-  \end{ttbox}\vspace{-\medskipamount}
-
-  \noindent Here we have augmented the theory by formal comments
-  (using \isakeyword{text} blocks), the informal parts may again refer
-  to formal entities by means of ``antiquotations'' (such as
-  \texttt{\at}\verb,{text "'a bintree"}, or
-  \texttt{\at}\verb,{typ 'a},), see also \S\ref{sec:doc-prep-text}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Isabelle Sessions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-In contrast to the highly interactive mode of Isabelle/Isar theory
-  development, the document preparation stage essentially works in
-  batch-mode.  An Isabelle \bfindex{session} consists of a collection
-  of source files that may contribute to an output document.  Each
-  session is derived from a single parent, usually an object-logic
-  image like \texttt{HOL}.  This results in an overall tree structure,
-  which is reflected by the output location in the file system
-  (usually rooted at \verb,~/.isabelle/IsabelleXXXX/browser_info,).
-
-  \medskip The easiest way to manage Isabelle sessions is via
-  \texttt{isabelle mkdir} (generates an initial session source setup)
-  and \texttt{isabelle make} (run sessions controlled by
-  \texttt{IsaMakefile}).  For example, a new session
-  \texttt{MySession} derived from \texttt{HOL} may be produced as
-  follows:
-
-\begin{verbatim}
-  isabelle mkdir HOL MySession
-  isabelle make
-\end{verbatim}
-
-  The \texttt{isabelle make} job also informs about the file-system
-  location of the ultimate results.  The above dry run should be able
-  to produce some \texttt{document.pdf} (with dummy title, empty table
-  of contents etc.).  Any failure at this stage usually indicates
-  technical problems of the {\LaTeX} installation.
-
-  \medskip The detailed arrangement of the session sources is as
-  follows.
-
-  \begin{itemize}
-
-  \item Directory \texttt{MySession} holds the required theory files
-  $T@1$\texttt{.thy}, \dots, $T@n$\texttt{.thy}.
-
-  \item File \texttt{MySession/ROOT.ML} holds appropriate ML commands
-  for loading all wanted theories, usually just
-  ``\texttt{use_thy"$T@i$";}'' for any $T@i$ in leaf position of the
-  dependency graph.
-
-  \item Directory \texttt{MySession/document} contains everything
-  required for the {\LaTeX} stage; only \texttt{root.tex} needs to be
-  provided initially.
-
-  The latter file holds appropriate {\LaTeX} code to commence a
-  document (\verb,\documentclass, etc.), and to include the generated
-  files $T@i$\texttt{.tex} for each theory.  Isabelle will generate a
-  file \texttt{session.tex} holding {\LaTeX} commands to include all
-  generated theory output files in topologically sorted order, so
-  \verb,\input{session}, in the body of \texttt{root.tex} does the job
-  in most situations.
-
-  \item \texttt{IsaMakefile} holds appropriate dependencies and
-  invocations of Isabelle tools to control the batch job.  In fact,
-  several sessions may be managed by the same \texttt{IsaMakefile}.
-  See the \emph{Isabelle System Manual} \cite{isabelle-sys} 
-  for further details, especially on
-  \texttt{isabelle usedir} and \texttt{isabelle make}.
-
-  \end{itemize}
-
-  One may now start to populate the directory \texttt{MySession}, and
-  the file \texttt{MySession/ROOT.ML} accordingly.  The file
-  \texttt{MySession/document/root.tex} should also be adapted at some
-  point; the default version is mostly self-explanatory.  Note that
-  \verb,\isabellestyle, enables fine-tuning of the general appearance
-  of characters and mathematical symbols (see also
-  \S\ref{sec:doc-prep-symbols}).
-
-  Especially observe the included {\LaTeX} packages \texttt{isabelle}
-  (mandatory), \texttt{isabellesym} (required for mathematical
-  symbols), and the final \texttt{pdfsetup} (provides sane defaults
-  for \texttt{hyperref}, including URL markup).  All three are
-  distributed with Isabelle. Further packages may be required in
-  particular applications, say for unusual mathematical symbols.
-
-  \medskip Any additional files for the {\LaTeX} stage go into the
-  \texttt{MySession/document} directory as well.  In particular,
-  adding a file named \texttt{root.bib} causes an automatic run of
-  \texttt{bibtex} to process a bibliographic database; see also
-  \texttt{isabelle document} \cite{isabelle-sys}.
-
-  \medskip Any failure of the document preparation phase in an
-  Isabelle batch session leaves the generated sources in their target
-  location, identified by the accompanying error message.  This lets
-  you trace {\LaTeX} problems with the generated files at hand.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Structure Markup%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The large-scale structure of Isabelle documents follows existing
-  {\LaTeX} conventions, with chapters, sections, subsubsections etc.
-  The Isar language includes separate \bfindex{markup commands}, which
-  do not affect the formal meaning of a theory (or proof), but result
-  in corresponding {\LaTeX} elements.
-
-  There are separate markup commands depending on the textual context:
-  in header position (just before \isakeyword{theory}), within the
-  theory body, or within a proof.  The header needs to be treated
-  specially here, since ordinary theory and proof commands may only
-  occur \emph{after} the initial \isakeyword{theory} specification.
-
-  \medskip
-
-  \begin{tabular}{llll}
-  header & theory & proof & default meaning \\\hline
-    & \commdx{chapter} & & \verb,\chapter, \\
-  \commdx{header} & \commdx{section} & \commdx{sect} & \verb,\section, \\
-    & \commdx{subsection} & \commdx{subsect} & \verb,\subsection, \\
-    & \commdx{subsubsection} & \commdx{subsubsect} & \verb,\subsubsection, \\
-  \end{tabular}
-
-  \medskip
-
-  From the Isabelle perspective, each markup command takes a single
-  $text$ argument (delimited by \verb,",~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,", or
-  \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,},).  After stripping any
-  surrounding white space, the argument is passed to a {\LaTeX} macro
-  \verb,\isamarkupXYZ, for command \isakeyword{XYZ}.  These macros are
-  defined in \verb,isabelle.sty, according to the meaning given in the
-  rightmost column above.
-
-  \medskip The following source fragment illustrates structure markup
-  of a theory.  Note that {\LaTeX} labels may be included inside of
-  section headings as well.
-
-  \begin{ttbox}
-  header {\ttlbrace}* Some properties of Foo Bar elements *{\ttrbrace}
-
-  theory Foo_Bar
-  imports Main
-  begin
-
-  subsection {\ttlbrace}* Basic definitions *{\ttrbrace}
-
-  definition foo :: \dots
-
-  definition bar :: \dots
-
-  subsection {\ttlbrace}* Derived rules *{\ttrbrace}
-
-  lemma fooI: \dots
-  lemma fooE: \dots
-
-  subsection {\ttlbrace}* Main theorem {\ttback}label{\ttlbrace}sec:main-theorem{\ttrbrace} *{\ttrbrace}
-
-  theorem main: \dots
-
-  end
-  \end{ttbox}\vspace{-\medskipamount}
-
-  You may occasionally want to change the meaning of markup commands,
-  say via \verb,\renewcommand, in \texttt{root.tex}.  For example,
-  \verb,\isamarkupheader, is a good candidate for some tuning.  We
-  could move it up in the hierarchy to become \verb,\chapter,.
-
-\begin{verbatim}
-  \renewcommand{\isamarkupheader}[1]{\chapter{#1}}
-\end{verbatim}
-
-  \noindent Now we must change the document class given in
-  \texttt{root.tex} to something that supports chapters.  A suitable
-  command is \verb,\documentclass{report},.
-
-  \medskip The {\LaTeX} macro \verb,\isabellecontext, is maintained to
-  hold the name of the current theory context.  This is particularly
-  useful for document headings:
-
-\begin{verbatim}
-  \renewcommand{\isamarkupheader}[1]
-  {\chapter{#1}\markright{THEORY~\isabellecontext}}
-\end{verbatim}
-
-  \noindent Make sure to include something like
-  \verb,\pagestyle{headings}, in \texttt{root.tex}; the document
-  should have more than two pages to show the effect.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Formal Comments and Antiquotations \label{sec:doc-prep-text}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Isabelle \bfindex{source comments}, which are of the form
-  \verb,(,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,),, essentially act like
-  white space and do not really contribute to the content.  They
-  mainly serve technical purposes to mark certain oddities in the raw
-  input text.  In contrast, \bfindex{formal comments} are portions of
-  text that are associated with formal Isabelle/Isar commands
-  (\bfindex{marginal comments}), or as standalone paragraphs within a
-  theory or proof context (\bfindex{text blocks}).
-
-  \medskip Marginal comments are part of each command's concrete
-  syntax \cite{isabelle-ref}; the common form is ``\verb,--,~$text$''
-  where $text$ is delimited by \verb,",\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}\verb,", or
-  \verb,{,\verb,*,~\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}~\verb,*,\verb,}, as before.  Multiple
-  marginal comments may be given at the same time.  Here is a simple
-  example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{2D}{\isacharminus}}{\isaliteral{2D}{\isacharminus}}{\isaliteral{3E}{\isachargreater}}\ A{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ %
-\isamarkupcmt{a triviality of propositional logic%
-}
-\isanewline
-\ \ %
-\isamarkupcmt{(should not really bother)%
-}
-\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}rule\ impI{\isaliteral{29}{\isacharparenright}}\ %
-\isamarkupcmt{implicit assumption step involved here%
-}
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The above output has been produced as follows:
-
-\begin{verbatim}
-  lemma "A --> A"
-    -- "a triviality of propositional logic"
-    -- "(should not really bother)"
-    by (rule impI) -- "implicit assumption step involved here"
-\end{verbatim}
-
-  From the {\LaTeX} viewpoint, ``\verb,--,'' acts like a markup
-  command, associated with the macro \verb,\isamarkupcmt, (taking a
-  single argument).
-
-  \medskip Text blocks are introduced by the commands \bfindex{text}
-  and \bfindex{txt}, for theory and proof contexts, respectively.
-  Each takes again a single $text$ argument, which is interpreted as a
-  free-form paragraph in {\LaTeX} (surrounded by some additional
-  vertical space).  This behavior may be changed by redefining the
-  {\LaTeX} environments of \verb,isamarkuptext, or
-  \verb,isamarkuptxt,, respectively (via \verb,\renewenvironment,) The
-  text style of the body is determined by \verb,\isastyletext, and
-  \verb,\isastyletxt,; the default setup uses a smaller font within
-  proofs.  This may be changed as follows:
-
-\begin{verbatim}
-  \renewcommand{\isastyletxt}{\isastyletext}
-\end{verbatim}
-
-  \medskip The $text$ part of Isabelle markup commands essentially
-  inserts \emph{quoted material} into a formal text, mainly for
-  instruction of the reader.  An \bfindex{antiquotation} is again a
-  formal object embedded into such an informal portion.  The
-  interpretation of antiquotations is limited to some well-formedness
-  checks, with the result being pretty printed to the resulting
-  document.  Quoted text blocks together with antiquotations provide
-  an attractive means of referring to formal entities, with good
-  confidence in getting the technical details right (especially syntax
-  and types).
-
-  The general syntax of antiquotations is as follows:
-  \texttt{{\at}{\ttlbrace}$name$ $arguments${\ttrbrace}}, or
-  \texttt{{\at}{\ttlbrace}$name$ [$options$] $arguments${\ttrbrace}}
-  for a comma-separated list of options consisting of a $name$ or
-  \texttt{$name$=$value$} each.  The syntax of $arguments$ depends on
-  the kind of antiquotation, it generally follows the same conventions
-  for types, terms, or theorems as in the formal part of a theory.
-
-  \medskip This sentence demonstrates quotations and antiquotations:
-  \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ x} is a well-typed term.
-
-  \medskip\noindent The output above was produced as follows:
-  \begin{ttbox}
-text {\ttlbrace}*
-  This sentence demonstrates quotations and antiquotations:
-  {\at}{\ttlbrace}term "%x y. x"{\ttrbrace} is a well-typed term.
-*{\ttrbrace}
-  \end{ttbox}\vspace{-\medskipamount}
-
-  The notational change from the ASCII character~\verb,%, to the
-  symbol~\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}} reveals that Isabelle printed this term, after
-  parsing and type-checking.  Document preparation enables symbolic
-  output by default.
-
-  \medskip The next example includes an option to show the type of all
-  variables.  The antiquotation
-  \texttt{{\at}}\verb,{term [show_types] "%x y. x"}, produces the
-  output \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ y{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2E}{\isachardot}}\ x}.  Type inference has figured
-  out the most general typings in the present theory context.  Terms
-  may acquire different typings due to constraints imposed by their
-  environment; within a proof, for example, variables are given the
-  same types as they have in the main goal statement.
-
-  \medskip Several further kinds of antiquotations and options are
-  available \cite{isabelle-isar-ref}.  Here are a few commonly used
-  combinations:
-
-  \medskip
-
-  \begin{tabular}{ll}
-  \texttt{\at}\verb,{typ,~$\tau$\verb,}, & print type $\tau$ \\
-  \texttt{\at}\verb,{const,~$c$\verb,}, & check existence of $c$ and print it \\
-  \texttt{\at}\verb,{term,~$t$\verb,}, & print term $t$ \\
-  \texttt{\at}\verb,{prop,~$\phi$\verb,}, & print proposition $\phi$ \\
-  \texttt{\at}\verb,{prop [display],~$\phi$\verb,}, & print large proposition $\phi$ (with linebreaks) \\
-  \texttt{\at}\verb,{prop [source],~$\phi$\verb,}, & check proposition $\phi$, print its input \\
-  \texttt{\at}\verb,{thm,~$a$\verb,}, & print fact $a$ \\
-  \texttt{\at}\verb,{thm,~$a$~\verb,[no_vars]}, & print fact $a$, fixing schematic variables \\
-  \texttt{\at}\verb,{thm [source],~$a$\verb,}, & check availability of fact $a$, print its name \\
-  \texttt{\at}\verb,{text,~$s$\verb,}, & print uninterpreted text $s$ \\
-  \end{tabular}
-
-  \medskip
-
-  Note that \attrdx{no_vars} given above is \emph{not} an
-  antiquotation option, but an attribute of the theorem argument given
-  here.  This might be useful with a diagnostic command like
-  \isakeyword{thm}, too.
-
-  \medskip The \texttt{\at}\verb,{text, $s$\verb,}, antiquotation is
-  particularly interesting.  Embedding uninterpreted text within an
-  informal body might appear useless at first sight.  Here the key
-  virtue is that the string $s$ is processed as Isabelle output,
-  interpreting Isabelle symbols appropriately.
-
-  For example, \texttt{\at}\verb,{text "\<forall>\<exists>"}, produces \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}}, according to the standard interpretation of these symbol
-  (cf.\ \S\ref{sec:doc-prep-symbols}).  Thus we achieve consistent
-  mathematical notation in both the formal and informal parts of the
-  document very easily, independently of the term language of
-  Isabelle.  Manual {\LaTeX} code would leave more control over the
-  typesetting, but is also slightly more tedious.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Interpretation of Symbols \label{sec:doc-prep-symbols}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-As has been pointed out before (\S\ref{sec:syntax-symbols}),
-  Isabelle symbols are the smallest syntactic entities --- a
-  straightforward generalization of ASCII characters.  While Isabelle
-  does not impose any interpretation of the infinite collection of
-  named symbols, {\LaTeX} documents use canonical glyphs for certain
-  standard symbols \cite{isabelle-isar-ref}.
-
-  The {\LaTeX} code produced from Isabelle text follows a simple
-  scheme.  You can tune the final appearance by redefining certain
-  macros, say in \texttt{root.tex} of the document.
-
-  \begin{enumerate}
-
-  \item 7-bit ASCII characters: letters \texttt{A\dots Z} and
-  \texttt{a\dots z} are output directly, digits are passed as an
-  argument to the \verb,\isadigit, macro, other characters are
-  replaced by specifically named macros of the form
-  \verb,\isacharXYZ,.
-
-  \item Named symbols: \verb,\,\verb,<XYZ>, is turned into
-  \verb,{\isasymXYZ},; note the additional braces.
-
-  \item Named control symbols: \verb,\,\verb,<^XYZ>, is turned into
-  \verb,\isactrlXYZ,; subsequent symbols may act as arguments if the
-  control macro is defined accordingly.
-
-  \end{enumerate}
-
-  You may occasionally wish to give new {\LaTeX} interpretations of
-  named symbols.  This merely requires an appropriate definition of
-  \verb,\isasymXYZ,, for \verb,\,\verb,<XYZ>, (see
-  \texttt{isabelle.sty} for working examples).  Control symbols are
-  slightly more difficult to get right, though.
-
-  \medskip The \verb,\isabellestyle, macro provides a high-level
-  interface to tune the general appearance of individual symbols.  For
-  example, \verb,\isabellestyle{it}, uses the italics text style to
-  mimic the general appearance of the {\LaTeX} math mode; double
-  quotes are not printed at all.  The resulting quality of typesetting
-  is quite good, so this should be the default style for work that
-  gets distributed to a broader audience.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Suppressing Output \label{sec:doc-prep-suppress}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-By default, Isabelle's document system generates a {\LaTeX} file for
-  each theory that gets loaded while running the session.  The
-  generated \texttt{session.tex} will include all of these in order of
-  appearance, which in turn gets included by the standard
-  \texttt{root.tex}.  Certainly one may change the order or suppress
-  unwanted theories by ignoring \texttt{session.tex} and load
-  individual files directly in \texttt{root.tex}.  On the other hand,
-  such an arrangement requires additional maintenance whenever the
-  collection of theories changes.
-
-  Alternatively, one may tune the theory loading process in
-  \texttt{ROOT.ML} itself: traversal of the theory dependency graph
-  may be fine-tuned by adding \verb,use_thy, invocations, although
-  topological sorting still has to be observed.  Moreover, the ML
-  operator \verb,no_document, temporarily disables document generation
-  while executing a theory loader command.  Its usage is like this:
-
-\begin{verbatim}
-  no_document use_thy "T";
-\end{verbatim}
-
-  \medskip Theory output may be suppressed more selectively, either
-  via \bfindex{tagged command regions} or \bfindex{ignored material}.
-
-  Tagged command regions works by annotating commands with named tags,
-  which correspond to certain {\LaTeX} markup that tells how to treat
-  particular parts of a document when doing the actual type-setting.
-  By default, certain Isabelle/Isar commands are implicitly marked up
-  using the predefined tags ``\emph{theory}'' (for theory begin and
-  end), ``\emph{proof}'' (for proof commands), and ``\emph{ML}'' (for
-  commands involving ML code).  Users may add their own tags using the
-  \verb,%,\emph{tag} notation right after a command name.  In the
-  subsequent example we hide a particularly irrelevant proof:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadeliminvisible
-\ %
-\endisadeliminvisible
-%
-\isataginvisible
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\endisataginvisible
-{\isafoldinvisible}%
-%
-\isadeliminvisible
-%
-\endisadeliminvisible
-%
-\begin{isamarkuptext}%
-The original source has been ``\verb,lemma "x = x" by %invisible (simp),''.
-  Tags observe the structure of proofs; adjacent commands with the
-  same tag are joined into a single region.  The Isabelle document
-  preparation system allows the user to specify how to interpret a
-  tagged region, in order to keep, drop, or fold the corresponding
-  parts of the document.  See the \emph{Isabelle System Manual}
-  \cite{isabelle-sys} for further details, especially on
-  \texttt{isabelle usedir} and \texttt{isabelle document}.
-
-  Ignored material is specified by delimiting the original formal
-  source with special source comments
-  \verb,(,\verb,*,\verb,<,\verb,*,\verb,), and
-  \verb,(,\verb,*,\verb,>,\verb,*,\verb,),.  These parts are stripped
-  before the type-setting phase, without affecting the formal checking
-  of the theory, of course.  For example, we may hide parts of a proof
-  that seem unfit for general public inspection.  The following
-  ``fully automatic'' proof is actually a fake:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}x\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}int{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The real source of the proof has been as follows:
-
-\begin{verbatim}
-  by (auto(*<*)simp add: zero_less_mult_iff(*>*))
-\end{verbatim}
-%(*
-
-  \medskip Suppressing portions of printed text demands care.  You
-  should not misrepresent the underlying theory development.  It is
-  easy to invalidate the visible text by hiding references to
-  questionable axioms, for example.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Even.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,543 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Even}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isamarkupsection{The Set of Even Numbers%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{even numbers!defining inductively|(}%
-The set of even numbers can be inductively defined as the least set
-containing 0 and closed under the operation $+2$.  Obviously,
-\emph{even} can also be expressed using the divides relation (\isa{dvd}). 
-We shall prove below that the two formulations coincide.  On the way we
-shall examine the primary means of reasoning about inductively defined
-sets: rule induction.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Making an Inductive Definition%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Using \commdx{inductive\protect\_set}, we declare the constant \isa{even} to be
-a set of natural numbers with the desired properties.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\ even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-zero{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-step{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-An inductive definition consists of introduction rules.  The first one
-above states that 0 is even; the second states that if $n$ is even, then so
-is~$n+2$.  Given this declaration, Isabelle generates a fixed point
-definition for \isa{even} and proves theorems about it,
-thus following the definitional approach (see {\S}\ref{sec:definitional}).
-These theorems
-include the introduction rules specified in the declaration, an elimination
-rule for case analysis and an induction rule.  We can refer to these
-theorems by automatically-generated names.  Here are two examples:
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}zero}\par\smallskip%
-n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\rulename{even{\isaliteral{2E}{\isachardot}}step}%
-\end{isabelle}
-
-The introduction rules can be given attributes.  Here
-both rules are specified as \isa{intro!},%
-\index{intro"!@\isa {intro"!} (attribute)}
-directing the classical reasoner to 
-apply them aggressively. Obviously, regarding 0 as even is safe.  The
-\isa{step} rule is also safe because $n+2$ is even if and only if $n$ is
-even.  We prove this equivalence later.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Using Introduction Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Our first lemma states that numbers of the form $2\times k$ are even.
-Introduction rules are used to show that specific values belong to the
-inductive set.  Such proofs typically involve 
-induction, perhaps over some other inductive set.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ two{\isaliteral{5F}{\isacharunderscore}}times{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ k{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-\ auto\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The first step is induction on the natural number \isa{k}, which leaves
-two subgoals:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-Here \isa{auto} simplifies both subgoals so that they match the introduction
-rules, which are then applied automatically.
-
-Our ultimate goal is to prove the equivalence between the traditional
-definition of \isa{even} (using the divides relation) and our inductive
-definition.  One direction of this equivalence is immediate by the lemma
-just proved, whose \isa{intro{\isaliteral{21}{\isacharbang}}} attribute ensures it is applied automatically.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ dvd\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Rule Induction \label{sec:rule-induction}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{rule induction|(}%
-From the definition of the set
-\isa{even}, Isabelle has
-generated an induction rule:
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ P\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\rulename{even{\isaliteral{2E}{\isachardot}}induct}%
-\end{isabelle}
-A property \isa{P} holds for every even number provided it
-holds for~\isa{{\isadigit{0}}} and is closed under the operation
-\isa{Suc(Suc \(\cdot\))}.  Then \isa{P} is closed under the introduction
-rules for \isa{even}, which is the least set closed under those rules. 
-This type of inductive argument is called \textbf{rule induction}. 
-
-Apart from the double application of \isa{Suc}, the induction rule above
-resembles the familiar mathematical induction, which indeed is an instance
-of rule induction; the natural numbers can be defined inductively to be
-the least set containing \isa{{\isadigit{0}}} and closed under~\isa{Suc}.
-
-Induction is the usual way of proving a property of the elements of an
-inductively defined set.  Let us prove that all members of the set
-\isa{even} are multiples of two.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-We begin by applying induction.  Note that \isa{even{\isaliteral{2E}{\isachardot}}induct} has the form
-of an elimination rule, so we use the method \isa{erule}.  We get two
-subgoals:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-We unfold the definition of \isa{dvd} in both subgoals, proving the first
-one and simplifying the second:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{5F}{\isacharunderscore}}all\ add{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}k{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k%
-\end{isabelle}
-The next command eliminates the existential quantifier from the assumption
-and replaces \isa{n} by \isa{{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ clarify%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n\ k{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}ka{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ ka%
-\end{isabelle}
-To conclude, we tell Isabelle that the desired value is
-\isa{Suc\ k}.  With this hint, the subgoal falls to \isa{simp}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ k{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{in}\ exI{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Combining the previous two results yields our objective, the
-equivalence relating \isa{even} and \isa{dvd}. 
-%
-%we don't want [iff]: discuss?%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ even{\isaliteral{5F}{\isacharunderscore}}iff{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ dvd\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ dvd{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}dvd{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Generalization and Rule Induction \label{sec:gen-rule-induction}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{generalizing for induction}%
-Before applying induction, we typically must generalize
-the induction formula.  With rule induction, the required generalization
-can be hard to find and sometimes requires a complete reformulation of the
-problem.  In this  example, our first attempt uses the obvious statement of
-the result.  It fails:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-Rule induction finds no occurrences of \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} in the
-conclusion, which it therefore leaves unchanged.  (Look at
-\isa{even{\isaliteral{2E}{\isachardot}}induct} to see why this happens.)  We have these subgoals:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}na{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}na\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-The first one is hopeless.  Rule induction on
-a non-variable term discards information, and usually fails.
-How to deal with such situations
-in general is described in {\S}\ref{sec:ind-var-in-prems} below.
-In the current case the solution is easy because
-we have the necessary inverse, subtraction:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ even{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-\ auto\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-This lemma is trivially inductive.  Here are the subgoals:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-The first is trivial because \isa{{\isadigit{0}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to \isa{{\isadigit{0}}}, which is
-even.  The second is trivial too: \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}} simplifies to
-\isa{n}, matching the assumption.%
-\index{rule induction|)}  %the sequel isn't really about induction
-
-\medskip
-Using our lemma, we can easily prove the result we originally wanted:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}drule\ even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-We have just proved the converse of the introduction rule \isa{even{\isaliteral{2E}{\isachardot}}step}.
-This suggests proving the following equivalence.  We give it the
-\attrdx{iff} attribute because of its obvious value for simplification.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}blast\ dest{\isaliteral{3A}{\isacharcolon}}\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Rule Inversion \label{sec:rule-inversion}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{rule inversion|(}%
-Case analysis on an inductive definition is called \textbf{rule
-inversion}.  It is frequently used in proofs about operational
-semantics.  It can be highly effective when it is applied
-automatically.  Let us look at how rule inversion is done in
-Isabelle/HOL\@.
-
-Recall that \isa{even} is the minimal set closed under these two rules:
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\isasep\isanewline%
-n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-Minimality means that \isa{even} contains only the elements that these
-rules force it to contain.  If we are told that \isa{a}
-belongs to
-\isa{even} then there are only two possibilities.  Either \isa{a} is \isa{{\isadigit{0}}}
-or else \isa{a} has the form \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}}, for some suitable \isa{n}
-that belongs to
-\isa{even}.  That is the gist of the \isa{cases} rule, which Isabelle proves
-for us when it accepts an inductive definition:
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ a\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ }{\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{even{\isaliteral{2E}{\isachardot}}cases}%
-\end{isabelle}
-This general rule is less useful than instances of it for
-specific patterns.  For example, if \isa{a} has the form
-\isa{Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}} then the first case becomes irrelevant, while the second
-case tells us that \isa{n} belongs to \isa{even}.  Isabelle will generate
-this instance for us:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
-\ Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The \commdx{inductive\protect\_cases} command generates an instance of
-the \isa{cases} rule for the supplied pattern and gives it the supplied name:
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\rulename{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases}%
-\end{isabelle}
-Applying this as an elimination rule yields one case where \isa{even{\isaliteral{2E}{\isachardot}}cases}
-would yield two.  Rule inversion works well when the conclusions of the
-introduction rules involve datatype constructors like \isa{Suc} and \isa{{\isaliteral{23}{\isacharhash}}}
-(list ``cons''); freeness reasoning discards all but one or two cases.
-
-In the \isacommand{inductive\_cases} command we supplied an
-attribute, \isa{elim{\isaliteral{21}{\isacharbang}}},
-\index{elim"!@\isa {elim"!} (attribute)}%
-indicating that this elimination rule can be
-applied aggressively.  The original
-\isa{cases} rule would loop if used in that manner because the
-pattern~\isa{a} matches everything.
-
-The rule \isa{Suc{\isaliteral{5F}{\isacharunderscore}}Suc{\isaliteral{5F}{\isacharunderscore}}cases} is equivalent to the following implication:
-\begin{isabelle}%
-Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even%
-\end{isabelle}
-Just above we devoted some effort to reaching precisely
-this result.  Yet we could have obtained it by a one-line declaration,
-dispensing with the lemma \isa{even{\isaliteral{5F}{\isacharunderscore}}imp{\isaliteral{5F}{\isacharunderscore}}even{\isaliteral{5F}{\isacharunderscore}}minus{\isaliteral{5F}{\isacharunderscore}}{\isadigit{2}}}. 
-This example also justifies the terminology
-\textbf{rule inversion}: the new rule inverts the introduction rule
-\isa{even{\isaliteral{2E}{\isachardot}}step}.  In general, a rule can be inverted when the set of elements
-it introduces is disjoint from those of the other introduction rules.
-
-For one-off applications of rule inversion, use the \methdx{ind_cases} method. 
-Here is an example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}ind{\isaliteral{5F}{\isacharunderscore}}cases\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The specified instance of the \isa{cases} rule is generated, then applied
-as an elimination rule.
-
-To summarize, every inductive definition produces a \isa{cases} rule.  The
-\commdx{inductive\protect\_cases} command stores an instance of the
-\isa{cases} rule for a given pattern.  Within a proof, the
-\isa{ind{\isaliteral{5F}{\isacharunderscore}}cases} method applies an instance of the \isa{cases}
-rule.
-
-The even numbers example has shown how inductive definitions can be
-used.  Later examples will show that they are actually worth using.%
-\index{rule inversion|)}%
-\index{even numbers!defining inductively|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Event.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,518 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Event}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isamarkupsection{Event Traces \label{sec:events}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The system's behaviour is formalized as a set of traces of
-\emph{events}.  The most important event, \isa{Says\ A\ B\ X}, expresses
-$A\to B : X$, which is the attempt by~$A$ to send~$B$ the message~$X$.
-A trace is simply a list, constructed in reverse
-using~\isa{{\isaliteral{23}{\isacharhash}}}.  Other event types include reception of messages (when
-we want to make it explicit) and an agent's storing a fact.
-
-Sometimes the protocol requires an agent to generate a new nonce. The
-probability that a 20-byte random number has appeared before is effectively
-zero.  To formalize this important property, the set \isa{used\ evs}
-denotes the set of all items mentioned in the trace~\isa{evs}.
-The function \isa{used} has a straightforward
-recursive definition.  Here is the case for \isa{Says} event:
-\begin{isabelle}%
-\ \ \ \ \ used\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ parts\ {\isaliteral{7B}{\isacharbraceleft}}X{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ used\ evs%
-\end{isabelle}
-
-The function \isa{knows} formalizes an agent's knowledge.  Mostly we only
-care about the spy's knowledge, and \isa{knows\ Spy\ evs} is the set of items
-available to the spy in the trace~\isa{evs}.  Already in the empty trace,
-the spy starts with some secrets at his disposal, such as the private keys
-of compromised users.  After each \isa{Says} event, the spy learns the
-message that was sent:
-\begin{isabelle}%
-\ \ \ \ \ knows\ Spy\ {\isaliteral{28}{\isacharparenleft}}Says\ A\ B\ X\ {\isaliteral{23}{\isacharhash}}\ evs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Combinations of functions express other important
-sets of messages derived from~\isa{evs}:
-\begin{itemize}
-\item \isa{analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}} is everything that the spy could
-learn by decryption
-\item \isa{synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is everything that the spy
-could generate
-\end{itemize}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Fundata.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,115 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Fundata}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Br\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}i\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Parameter \isa{{\isaliteral{27}{\isacharprime}}a} is the type of values stored in
-the \isa{Br}anches of the tree, whereas \isa{{\isaliteral{27}{\isacharprime}}i} is the index
-type over which the tree branches. If \isa{{\isaliteral{27}{\isacharprime}}i} is instantiated to
-\isa{bool}, the result is a binary tree; if it is instantiated to
-\isa{nat}, we have an infinitely branching tree because each node
-has as many subtrees as there are natural numbers. How can we possibly
-write down such a tree? Using functional notation! For example, the term
-\begin{isabelle}%
-\ \ \ \ \ Br\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ Br\ i\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}n{\isaliteral{2E}{\isachardot}}\ Tip{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-of type \isa{{\isaliteral{28}{\isacharparenleft}}nat{\isaliteral{2C}{\isacharcomma}}\ nat{\isaliteral{29}{\isacharparenright}}\ bigtree} is the tree whose
-root is labeled with 0 and whose $i$th subtree is labeled with $i$ and
-has merely \isa{Tip}s as further subtrees.
-
-Function \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} applies a function to all labels in a \isa{bigtree}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}b{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}i{\isaliteral{29}{\isacharparenright}}bigtree{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ Tip{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Br\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent This is a valid \isacommand{primrec} definition because the
-recursive calls of \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} involve only subtrees of
-\isa{F}, which is itself a subterm of the left-hand side. Thus termination
-is assured.  The seasoned functional programmer might try expressing
-\isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}i{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ i{\isaliteral{29}{\isacharparenright}}} as \isa{map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ F}, which Isabelle 
-however will reject.  Applying \isa{map{\isaliteral{5F}{\isacharunderscore}}bt} to only one of its arguments
-makes the termination proof less obvious.
-
-The following lemma has a simple proof by induction:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ o\ f{\isaliteral{29}{\isacharparenright}}\ T\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ T{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Because of the function type, the proof state after induction looks unusual.
-Notice the quantified induction hypothesis:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ Tip\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ Tip{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}F\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ F{\isaliteral{2E}{\isachardot}}\ }map{\isaliteral{5F}{\isacharunderscore}}bt\ {\isaliteral{28}{\isacharparenleft}}g\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ map{\isaliteral{5F}{\isacharunderscore}}bt\ g\ {\isaliteral{28}{\isacharparenleft}}map{\isaliteral{5F}{\isacharunderscore}}bt\ f\ {\isaliteral{28}{\isacharparenleft}}Br\ a\ F{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Ifexpr.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,351 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Ifexpr}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Case Study: Boolean Expressions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:boolex}\index{boolean expressions example|(}
-The aim of this case study is twofold: it shows how to model boolean
-expressions and some algorithms for manipulating them, and it demonstrates
-the constructs introduced above.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Modelling Boolean Expressions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We want to represent boolean expressions built up from variables and
-constants by negation and conjunction. The following datatype serves exactly
-that purpose:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ boolex\ {\isaliteral{3D}{\isacharequal}}\ Const\ bool\ {\isaliteral{7C}{\isacharbar}}\ Var\ nat\ {\isaliteral{7C}{\isacharbar}}\ Neg\ boolex\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ boolex\ boolex%
-\begin{isamarkuptext}%
-\noindent
-The two constants are represented by \isa{Const\ True} and
-\isa{Const\ False}. Variables are represented by terms of the form
-\isa{Var\ n}, where \isa{n} is a natural number (type \isa{nat}).
-For example, the formula $P@0 \land \neg P@1$ is represented by the term
-\isa{And\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Neg\ {\isaliteral{28}{\isacharparenleft}}Var\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}.
-
-\subsubsection{The Value of a Boolean Expression}
-
-The value of a boolean expression depends on the value of its variables.
-Hence the function \isa{value} takes an additional parameter, an
-\emph{environment} of type \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, which maps variables to their
-values:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ value\ b\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}value\ b\ env\ {\isaliteral{5C3C616E643E}{\isasymand}}\ value\ c\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-\subsubsection{If-Expressions}
-
-An alternative and often more efficient (because in a certain sense
-canonical) representation are so-called \emph{If-expressions} built up
-from constants (\isa{CIF}), variables (\isa{VIF}) and conditionals
-(\isa{IF}):%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ ifex\ {\isaliteral{3D}{\isacharequal}}\ CIF\ bool\ {\isaliteral{7C}{\isacharbar}}\ VIF\ nat\ {\isaliteral{7C}{\isacharbar}}\ IF\ ifex\ ifex\ ifex%
-\begin{isamarkuptext}%
-\noindent
-The evaluation of If-expressions proceeds as for \isa{boolex}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ valif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ env\ {\isaliteral{3D}{\isacharequal}}\ env\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ valif\ b\ env\ then\ valif\ t\ env\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ valif\ e\ env{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\subsubsection{Converting Boolean and If-Expressions}
-
-The type \isa{boolex} is close to the customary representation of logical
-formulae, whereas \isa{ifex} is designed for efficiency. It is easy to
-translate from \isa{boolex} into \isa{ifex}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ bool{\isadigit{2}}if\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}boolex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Const\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}Neg\ b{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ True{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}bool{\isadigit{2}}if\ {\isaliteral{28}{\isacharparenleft}}And\ b\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}CIF\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-At last, we have something we can verify: that \isa{bool{\isadigit{2}}if} preserves the
-value of its argument:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}bool{\isadigit{2}}if\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ value\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is canonical:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ b{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-In fact, all proofs in this case study look exactly like this. Hence we do
-not show them below.
-
-More interesting is the transformation of If-expressions into a normal form
-where the first argument of \isa{IF} cannot be another \isa{IF} but
-must be a constant or variable. Such a normal form can be computed by
-repeatedly replacing a subterm of the form \isa{IF\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ x\ y{\isaliteral{29}{\isacharparenright}}\ z\ u} by
-\isa{IF\ b\ {\isaliteral{28}{\isacharparenleft}}IF\ x\ z\ u{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}IF\ y\ z\ u{\isaliteral{29}{\isacharparenright}}}, which has the same value. The following
-primitive recursive functions perform this task:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ normif\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ t\ e\ {\isaliteral{3D}{\isacharequal}}\ IF\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ t\ e{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ u\ f\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}normif\ t\ u\ f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}normif\ e\ u\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{primrec}\isamarkupfalse%
-\ norm\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ ifex{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ CIF\ b{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ VIF\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}norm\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ normif\ b\ {\isaliteral{28}{\isacharparenleft}}norm\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}norm\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Their interplay is tricky; we leave it to you to develop an
-intuitive understanding. Fortunately, Isabelle can help us to verify that the
-transformation preserves the value of the expression:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}valif\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ b\ env{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The proof is canonical, provided we first show the following simplification
-lemma, which also helps to understand what \isa{normif} does:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ valif\ {\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env\ {\isaliteral{3D}{\isacharequal}}\ valif\ {\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ env{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Note that the lemma does not have a name, but is implicitly used in the proof
-of the theorem shown above because of the \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}} attribute.
-
-But how can we be sure that \isa{norm} really produces a normal form in
-the above sense? We define a function that tests If-expressions for normality:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ normal\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}ifex\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}CIF\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}VIF\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}normal{\isaliteral{28}{\isacharparenleft}}IF\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}case\ b\ of\ CIF\ b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ VIF\ x\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ True\ {\isaliteral{7C}{\isacharbar}}\ IF\ x\ y\ z\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ False{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Now we prove \isa{normal\ {\isaliteral{28}{\isacharparenleft}}norm\ b{\isaliteral{29}{\isacharparenright}}}. Of course, this requires a lemma about
-normality of \isa{normif}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e{\isaliteral{2E}{\isachardot}}\ normal{\isaliteral{28}{\isacharparenleft}}normif\ b\ t\ e{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}normal\ t\ {\isaliteral{5C3C616E643E}{\isasymand}}\ normal\ e{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\medskip
-How do we come up with the required lemmas? Try to prove the main theorems
-without them and study carefully what \isa{auto} leaves unproved. This 
-can provide the clue.  The necessity of universal quantification
-(\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ e}) in the two lemmas is explained in
-\S\ref{sec:InductionHeuristics}
-
-\begin{exercise}
-  We strengthen the definition of a \isa{normal} If-expression as follows:
-  the first argument of all \isa{IF}s must be a variable. Adapt the above
-  development to this changed requirement. (Hint: you may need to formulate
-  some of the goals as implications (\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}) rather than
-  equalities (\isa{{\isaliteral{3D}{\isacharequal}}}).)
-\end{exercise}
-\index{boolean expressions example|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/Isa-logics.eps	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,753 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%BoundingBox: 106 651 274 788
+%%Title: (Isa-logics)
+%%Creator: (ClarisDraw: LaserWriter 8 8.1.1)
+%%CreationDate: (9:19 pm Wednesday, April 24, 1996)
+%%For: (Larry)
+%%Pages: 1
+%%DocumentFonts: Times-Roman
+%%DocumentNeededFonts: Times-Roman
+%%DocumentSuppliedFonts:
+%%DocumentData: Clean7Bit
+%%PageOrder: Ascend
+%%Orientation: Portrait
+%ADO_PaperArea: -124 -112 3244 2268
+%ADO_ImageableArea: 0 0 3124 2152
+%%EndComments
+/md 148 dict def md begin
+/currentpacking where {pop /sc_oldpacking currentpacking def true setpacking}if
+%%BeginFile: adobe_psp_basic
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/bd{bind def}bind def
+/xdf{exch def}bd
+/xs{exch store}bd
+/ld{load def}bd
+/Z{0 def}bd
+/T/true
+/F/false
+/:L/lineto
+/lw/setlinewidth
+/:M/moveto
+/rl/rlineto
+/rm/rmoveto
+/:C/curveto
+/:T/translate
+/:K/closepath
+/:mf/makefont
+/gS/gsave
+/gR/grestore
+/np/newpath
+14{ld}repeat
+/$m matrix def
+/av 81 def
+/por true def
+/normland false def
+/psb-nosave{}bd
+/pse-nosave{}bd
+/us Z
+/psb{/us save store}bd
+/pse{us restore}bd
+/level2
+/languagelevel where
+{
+pop languagelevel 2 ge
+}{
+false
+}ifelse
+def
+/featurecleanup
+{
+stopped
+cleartomark
+countdictstack exch sub dup 0 gt
+{
+{end}repeat
+}{
+pop
+}ifelse
+}bd
+/noload Z
+/startnoload
+{
+{/noload save store}if
+}bd
+/endnoload
+{
+{noload restore}if
+}bd
+level2 startnoload
+/setjob
+{
+statusdict/jobname 3 -1 roll put
+}bd
+/setcopies
+{
+userdict/#copies 3 -1 roll put
+}bd
+level2 endnoload level2 not startnoload
+/setjob
+{
+1 dict begin/JobName xdf currentdict end setuserparams
+}bd
+/setcopies
+{
+1 dict begin/NumCopies xdf currentdict end setpagedevice
+}bd
+level2 not endnoload
+/pm Z
+/mT Z
+/sD Z
+/realshowpage Z
+/initializepage
+{
+/pm save store mT concat
+}bd
+/endp
+{
+pm restore showpage
+}def
+/$c/DeviceRGB def
+/rectclip where
+{
+pop/rC/rectclip ld
+}{
+/rC
+{
+np 4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+:K
+clip np
+}bd
+}ifelse
+/rectfill where
+{
+pop/rF/rectfill ld
+}{
+/rF
+{
+gS
+np
+4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+fill
+gR
+}bd
+}ifelse
+/rectstroke where
+{
+pop/rS/rectstroke ld
+}{
+/rS
+{
+gS
+np
+4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+:K
+stroke
+gR
+}bd
+}ifelse
+%%EndFile
+%%BeginFile: adobe_psp_colorspace_level1
+%%Copyright: Copyright 1991-1993 Adobe Systems Incorporated. All Rights Reserved.
+/G/setgray ld
+/:F/setrgbcolor ld
+%%EndFile
+%%BeginFile: adobe_psp_uniform_graphics
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/@a
+{
+np :M 0 rl :L 0 exch rl 0 rl :L fill
+}bd
+/@b
+{
+np :M 0 rl 0 exch rl :L 0 rl 0 exch rl fill
+}bd
+/arct where
+{
+pop
+}{
+/arct
+{
+arcto pop pop pop pop
+}bd
+}ifelse
+/x1 Z
+/x2 Z
+/y1 Z
+/y2 Z
+/rad Z
+/@q
+{
+/rad xs
+/y2 xs
+/x2 xs
+/y1 xs
+/x1 xs
+np
+x2 x1 add 2 div y1 :M
+x2 y1 x2 y2 rad arct
+x2 y2 x1 y2 rad arct
+x1 y2 x1 y1 rad arct
+x1 y1 x2 y1 rad arct
+fill
+}bd
+/@s
+{
+/rad xs
+/y2 xs
+/x2 xs
+/y1 xs
+/x1 xs
+np
+x2 x1 add 2 div y1 :M
+x2 y1 x2 y2 rad arct
+x2 y2 x1 y2 rad arct
+x1 y2 x1 y1 rad arct
+x1 y1 x2 y1 rad arct
+:K
+stroke
+}bd
+/@i
+{
+np 0 360 arc fill
+}bd
+/@j
+{
+gS
+np
+:T
+scale
+0 0 .5 0 360 arc
+fill
+gR
+}bd
+/@e
+{
+np
+0 360 arc
+:K
+stroke
+}bd
+/@f
+{
+np
+$m currentmatrix
+pop
+:T
+scale
+0 0 .5 0 360 arc
+:K
+$m setmatrix
+stroke
+}bd
+/@k
+{
+gS
+np
+:T
+0 0 :M
+0 0 5 2 roll
+arc fill
+gR
+}bd
+/@l
+{
+gS
+np
+:T
+0 0 :M
+scale
+0 0 .5 5 -2 roll arc
+fill
+gR
+}bd
+/@m
+{
+np
+arc
+stroke
+}bd
+/@n
+{
+np
+$m currentmatrix
+pop
+:T
+scale
+0 0 .5 5 -2 roll arc
+$m setmatrix
+stroke
+}bd
+%%EndFile
+%%BeginFile: adobe_psp_customps
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/$t Z
+/$p Z
+/$s Z
+/$o 1. def
+/2state? false def
+/ps Z
+level2 startnoload
+/pushcolor/currentrgbcolor ld
+/popcolor/setrgbcolor ld
+/setcmykcolor where
+{
+pop/currentcmykcolor where
+{
+pop/pushcolor/currentcmykcolor ld
+/popcolor/setcmykcolor ld
+}if
+}if
+level2 endnoload level2 not startnoload
+/pushcolor
+{
+currentcolorspace $c eq
+{
+currentcolor currentcolorspace true
+}{
+currentcmykcolor false
+}ifelse
+}bd
+/popcolor
+{
+{
+setcolorspace setcolor
+}{
+setcmykcolor
+}ifelse
+}bd
+level2 not endnoload
+/pushstatic
+{
+ps
+2state?
+$o
+$t
+$p
+$s
+}bd
+/popstatic
+{
+/$s xs
+/$p xs
+/$t xs
+/$o xs
+/2state? xs
+/ps xs
+}bd
+/pushgstate
+{
+save errordict/nocurrentpoint{pop 0 0}put
+currentpoint
+3 -1 roll restore
+pushcolor
+currentlinewidth
+currentlinecap
+currentlinejoin
+currentdash exch aload length
+np clippath pathbbox
+$m currentmatrix aload pop
+}bd
+/popgstate
+{
+$m astore setmatrix
+2 index sub exch
+3 index sub exch
+rC
+array astore exch setdash
+setlinejoin
+setlinecap
+lw
+popcolor
+np :M
+}bd
+/bu
+{
+pushgstate
+gR
+pushgstate
+2state?
+{
+gR
+pushgstate
+}if
+pushstatic
+pm restore
+mT concat
+}bd
+/bn
+{
+/pm save store
+popstatic
+popgstate
+gS
+popgstate
+2state?
+{
+gS
+popgstate
+}if
+}bd
+/cpat{pop 64 div G 8{pop}repeat}bd
+%%EndFile
+%%BeginFile: adobe_psp_basic_text
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/S/show ld
+/A{
+0.0 exch ashow
+}bd
+/R{
+0.0 exch 32 exch widthshow
+}bd
+/W{
+0.0 3 1 roll widthshow
+}bd
+/J{
+0.0 32 4 2 roll 0.0 exch awidthshow
+}bd
+/V{
+0.0 4 1 roll 0.0 exch awidthshow
+}bd
+/fcflg true def
+/fc{
+fcflg{
+vmstatus exch sub 50000 lt{
+(%%[ Warning: Running out of memory ]%%\r)print flush/fcflg false store
+}if pop
+}if
+}bd
+/$f[1 0 0 -1 0 0]def
+/:ff{$f :mf}bd
+/MacEncoding StandardEncoding 256 array copy def
+MacEncoding 39/quotesingle put
+MacEncoding 96/grave put
+/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute
+/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave
+/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute
+/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis
+/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
+/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash
+/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation
+/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash
+/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft
+/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
+/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge
+/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl
+/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
+/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave
+/Oacute/Ocircumflex/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde
+/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron
+MacEncoding 128 128 getinterval astore pop
+level2 startnoload
+/copyfontdict
+{
+findfont dup length dict
+begin
+{
+1 index/FID ne{def}{pop pop}ifelse
+}forall
+}bd
+level2 endnoload level2 not startnoload
+/copyfontdict
+{
+findfont dup length dict
+copy
+begin
+}bd
+level2 not endnoload
+md/fontname known not{
+/fontname/customfont def
+}if
+/Encoding Z
+/:mre
+{
+copyfontdict
+/Encoding MacEncoding def
+fontname currentdict
+end
+definefont :ff def
+}bd
+/:bsr
+{
+copyfontdict
+/Encoding Encoding 256 array copy def
+Encoding dup
+}bd
+/pd{put dup}bd
+/:esr
+{
+pop pop
+fontname currentdict
+end
+definefont :ff def
+}bd
+/scf
+{
+scalefont def
+}bd
+/scf-non
+{
+$m scale :mf setfont
+}bd
+/ps Z
+/fz{/ps xs}bd
+/sf/setfont ld
+/cF/currentfont ld
+/mbf
+{
+/makeblendedfont where
+{
+pop
+makeblendedfont
+/ABlend exch definefont
+}{
+pop
+}ifelse
+def
+}def
+%%EndFile
+/currentpacking where {pop sc_oldpacking setpacking}if
+end		% md
+%%EndProlog
+%%BeginSetup
+md begin
+/pT[1 0 0 -1 28 811]def/mT[.25 0 0 -.25 28 811]def
+/sD 16 dict def
+%%IncludeFont: Times-Roman
+/f0_1/Times-Roman :mre
+/f0_40 f0_1 40 scf
+/Courier findfont[10 0 0 -10 0 0]:mf setfont
+%PostScript Hack by Mike Brors 12/7/90
+/DisableNextSetRGBColor
+	{
+	userdict begin
+	/setrgbcolor 
+		{
+		pop
+		pop
+		pop
+		userdict begin
+		/setrgbcolor systemdict /setrgbcolor get def
+		end
+		} def
+	end
+} bind def
+/bcarray where {
+	pop
+	bcarray 2 {
+		/da 4 ps div def
+		df setfont gsave cs wi
+		1 index 0 ne{exch da add exch}if grestore setcharwidth
+		cs 0 0 smc da 0 smc da da smc 0 da smc c
+		gray
+		{ gl}
+		{1 setgray}ifelse
+		da 2. div dup moveto show
+	}bind put
+} if
+%
+% Used to snap to device pixels, 1/4th of the pixel in.
+/stp {  % x y  pl  x y                % Snap To Pixel, pixel  (auto stroke adjust)
+	transform
+	0.25 sub round 0.25 add exch
+	0.25 sub round 0.25 add exch
+	itransform
+} bind def
+
+/snapmoveto { % x y  m  -             % moveto, auto stroke adjust
+	stp  moveto
+} bind def
+
+/snaplineto { % x y  l  -             % lineto, auto stroke adjust
+	stp lineto
+} bind def
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+initializepage
+%%EndPageSetup
+gS 0 0 2152 3124 rC
+0 0 :M
+.25 0 translate
+/DrawObject_save_matrix_0 matrix currentmatrix def
+0 0 2152 2912 rC
+-40 -12 :M
+DrawObject_save_matrix_0 setmatrix
+/DrawObject_save_matrix_0 matrix currentmatrix def
+-40 -12 :M
+/DrawObject_save_matrix_1 matrix currentmatrix def
+0 0 2152 2911 rC
+-40 -12 :M
+/DrawObject_save_matrix_2 matrix currentmatrix def
+-40 -12 :M
+DrawObject_save_matrix_2 setmatrix
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+558 556 208 48 rC
+558 556 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 553 520 218 84 rC
+558 592 :M
+f0_40 sf
+-.055(Pure Isabelle)A
+gR
+gS 0 0 2152 2912 rC
+4 lw
+518 528 806 636 32 @s
+168 24 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+426 422 -4 4 538 526 4 426 418 @a
+426 418 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+-4 -4 790 530 4 4 894 418 @b
+786 526 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+588 422 -4 4 610 526 4 588 418 @a
+588 418 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+-4 -4 718 530 4 4 732 418 @b
+714 526 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+376 364 92 48 rC
+376 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 371 328 102 84 rC
+376 400 :M
+f0_40 sf
+-.286(IFOL)A
+gR
+gS 556 364 76 48 rC
+556 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 551 328 86 84 rC
+556 400 :M
+f0_40 sf
+-.273(CTT)A
+gR
+gS 700 364 84 48 rC
+700 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 695 328 94 84 rC
+700 400 :M
+f0_40 sf
+-.094(HOL)A
+gR
+gS 880 364 56 48 rC
+880 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 875 328 66 84 rC
+880 400 :M
+f0_40 sf
+-.311(LK)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 916 361 4 4 912 285 @b
+4 lw
+912 357 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+320 94 :M
+/DrawObject_save_matrix_2 matrix currentmatrix def
+336 152 -4 4 394 220 4 336 148 @a
+336 148 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+-4 -4 430 224 4 4 480 148 @b
+426 220 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+320 94 48 48 rC
+320 94 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+gR
+gS 315 58 58 84 rC
+320 130 :M
+f0_40 sf
+-.67(ZF)A
+gR
+gS 448 94 76 48 rC
+448 94 :M
+DrawObject_save_matrix_2 setmatrix
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 443 58 86 84 rC
+448 130 :M
+f0_40 sf
+-.175(LCF)A
+gR
+gS 860 178 116 96 rC
+gR
+gS 855 142 126 132 rC
+860 214 :M
+f0_40 sf
+-.106(Modal)A
+975 262 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+860 262 :M
+-.077(  logics)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 412 360 4 4 408 284 @b
+4 lw
+408 356 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+376 228 76 48 rC
+376 228 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 371 192 86 84 rC
+376 264 :M
+f0_40 sf
+-.273(FOL)A
+gR
+gS 680 230 132 48 rC
+680 230 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 675 194 142 84 rC
+680 266 :M
+f0_40 sf
+-.026(HOLCF)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 748 361 4 4 744 285 @b
+4 lw
+744 357 :M
+DrawObject_save_matrix_1 setmatrix
+DrawObject_save_matrix_0 setmatrix
+endp
+%%Trailer
+end		% md
+%%EOF
Binary file doc-src/TutorialI/document/Isa-logics.pdf has changed
--- a/doc-src/TutorialI/document/Itrev.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,222 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Itrev}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Induction Heuristics%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:InductionHeuristics}
-\index{induction heuristics|(}%
-The purpose of this section is to illustrate some simple heuristics for
-inductive proofs. The first one we have already mentioned in our initial
-example:
-\begin{quote}
-\emph{Theorems about recursive functions are proved by induction.}
-\end{quote}
-In case the function has more than one argument
-\begin{quote}
-\emph{Do induction on argument number $i$ if the function is defined by
-recursion in argument number $i$.}
-\end{quote}
-When we look at the proof of \isa{{\isaliteral{28}{\isacharparenleft}}xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}}
-in \S\ref{sec:intro-proof} we find
-\begin{itemize}
-\item \isa{{\isaliteral{40}{\isacharat}}} is recursive in
-the first argument
-\item \isa{xs}  occurs only as the first argument of
-\isa{{\isaliteral{40}{\isacharat}}}
-\item both \isa{ys} and \isa{zs} occur at least once as
-the second argument of \isa{{\isaliteral{40}{\isacharat}}}
-\end{itemize}
-Hence it is natural to perform induction on~\isa{xs}.
-
-The key heuristic, and the main point of this section, is to
-\emph{generalize the goal before induction}.
-The reason is simple: if the goal is
-too specific, the induction hypothesis is too weak to allow the induction
-step to go through. Let us illustrate the idea with an example.
-
-Function \cdx{rev} has quadratic worst-case running time
-because it calls function \isa{{\isaliteral{40}{\isacharat}}} for each element of the list and
-\isa{{\isaliteral{40}{\isacharat}}} is linear in its first argument.  A linear time version of
-\isa{rev} reqires an extra argument where the result is accumulated
-gradually, using only~\isa{{\isaliteral{23}{\isacharhash}}}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ itrev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ ys\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}itrev\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}xs{\isaliteral{29}{\isacharparenright}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The behaviour of \cdx{itrev} is simple: it reverses
-its first argument by stacking its elements onto the second argument,
-and returning that second argument when the first one becomes
-empty. Note that \isa{itrev} is tail-recursive: it can be
-compiled into a loop.
-
-Naturally, we would like to show that \isa{itrev} does indeed reverse
-its first argument provided the second one is empty:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-There is no choice as to the induction variable, and we immediately simplify:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Unfortunately, this attempt does not prove
-the induction step:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ itrev\ list\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-The induction hypothesis is too weak.  The fixed
-argument,~\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, prevents it from rewriting the conclusion.  
-This example suggests a heuristic:
-\begin{quote}\index{generalizing induction formulae}%
-\emph{Generalize goals for induction by replacing constants by variables.}
-\end{quote}
-Of course one cannot do this na\"{\i}vely: \isa{itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs} is
-just not true.  The correct generalization is%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-If \isa{ys} is replaced by \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, the right-hand side simplifies to
-\isa{rev\ xs}, as required.
-
-In this instance it was easy to guess the right generalization.
-Other situations can require a good deal of creativity.  
-
-Although we now have two variables, only \isa{xs} is suitable for
-induction, and we repeat our proof attempt. Unfortunately, we are still
-not there:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }itrev\ list\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ ys%
-\end{isabelle}
-The induction hypothesis is still too weak, but this time it takes no
-intuition to generalize: the problem is that \isa{ys} is fixed throughout
-the subgoal, but the induction hypothesis needs to be applied with
-\isa{a\ {\isaliteral{23}{\isacharhash}}\ ys} instead of \isa{ys}. Hence we prove the theorem
-for all \isa{ys} instead of a fixed one:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}ys{\isaliteral{2E}{\isachardot}}\ itrev\ xs\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-This time induction on \isa{xs} followed by simplification succeeds. This
-leads to another heuristic for generalization:
-\begin{quote}
-\emph{Generalize goals for induction by universally quantifying all free
-variables {\em(except the induction variable itself!)}.}
-\end{quote}
-This prevents trivial failures like the one above and does not affect the
-validity of the goal.  However, this heuristic should not be applied blindly.
-It is not always required, and the additional quantifiers can complicate
-matters in some cases. The variables that should be quantified are typically
-those that change in recursive calls.
-
-A final point worth mentioning is the orientation of the equation we just
-proved: the more complex notion (\isa{itrev}) is on the left-hand
-side, the simpler one (\isa{rev}) on the right-hand side. This constitutes
-another, albeit weak heuristic that is not restricted to induction:
-\begin{quote}
-  \emph{The right-hand side of an equation should (in some sense) be simpler
-    than the left-hand side.}
-\end{quote}
-This heuristic is tricky to apply because it is not obvious that
-\isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys} is simpler than \isa{itrev\ xs\ ys}. But see what
-happens if you try to prove \isa{rev\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ itrev\ xs\ ys}!
-
-If you have tried these heuristics and still find your
-induction does not go through, and no obvious lemma suggests itself, you may
-need to generalize your proposition even further. This requires insight into
-the problem at hand and is beyond simple rules of thumb.  
-Additionally, you can read \S\ref{sec:advanced-ind}
-to learn about some advanced techniques for inductive proofs.%
-\index{induction heuristics|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Message.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1638 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Message}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsection{Agents and Messages%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-All protocol specifications refer to a syntactic theory of messages. 
-Datatype
-\isa{agent} introduces the constant \isa{Server} (a trusted central
-machine, needed for some protocols), an infinite population of
-friendly agents, and the~\isa{Spy}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ agent\ {\isaliteral{3D}{\isacharequal}}\ Server\ {\isaliteral{7C}{\isacharbar}}\ Friend\ nat\ {\isaliteral{7C}{\isacharbar}}\ Spy%
-\begin{isamarkuptext}%
-Keys are just natural numbers.  Function \isa{invKey} maps a public key to
-the matching private key, and vice versa:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{type{\isaliteral{5F}{\isacharunderscore}}synonym}\isamarkupfalse%
-\ key\ {\isaliteral{3D}{\isacharequal}}\ nat\isanewline
-\isacommand{consts}\isamarkupfalse%
-\ invKey\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Datatype
-\isa{msg} introduces the message forms, which include agent names, nonces,
-keys, compound messages, and encryptions.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\isanewline
-\ \ \ \ \ msg\ {\isaliteral{3D}{\isacharequal}}\ Agent\ \ agent\isanewline
-\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Nonce\ \ nat\isanewline
-\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Key\ \ \ \ key\isanewline
-\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ msg\ msg\isanewline
-\ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ key\ msg%
-\begin{isamarkuptext}%
-\noindent
-The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$
-abbreviates
-$\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$.
-
-Since datatype constructors are injective, we have the theorem
-\begin{isabelle}%
-Crypt\ K\ X\ {\isaliteral{3D}{\isacharequal}}\ Crypt\ K{\isaliteral{27}{\isacharprime}}\ X{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ K\ {\isaliteral{3D}{\isacharequal}}\ K{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ X\ {\isaliteral{3D}{\isacharequal}}\ X{\isaliteral{27}{\isacharprime}}%
-\end{isabelle}
-A ciphertext can be decrypted using only one key and
-can yield only one plaintext.  In the real world, decryption with the
-wrong key succeeds but yields garbage.  Our model of encryption is
-realistic if encryption adds some redundancy to the plaintext, such as a
-checksum, so that garbage can be detected.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsection{Modelling the Adversary%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The spy is part of the system and must be built into the model.  He is
-a malicious user who does not have to follow the protocol.  He
-watches the network and uses any keys he knows to decrypt messages.
-Thus he accumulates additional keys and nonces.  These he can use to
-compose new messages, which he may send to anybody.  
-
-Two functions enable us to formalize this behaviour: \isa{analz} and
-\isa{synth}.  Each function maps a sets of messages to another set of
-messages. The set \isa{analz\ H} formalizes what the adversary can learn
-from the set of messages~$H$.  The closure properties of this set are
-defined inductively.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ analz\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{where}\isanewline
-\ \ \ \ Inj\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{2C}{\isacharcomma}}simp{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Fst{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Snd{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Decrypt\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{3B}{\isacharsemicolon}}\ Key{\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Note the \isa{Decrypt} rule: the spy can decrypt a
-message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. 
-Properties proved by rule induction include the following:
-\begin{isabelle}%
-G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ analz\ G\ {\isaliteral{5C3C73756273657465713E}{\isasymsubseteq}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}mono}\par\smallskip%
-analz\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}idem}%
-\end{isabelle}
-
-The set of fake messages that an intruder could invent
-starting from~\isa{H} is \isa{synth{\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}}, where \isa{synth\ H}
-formalizes what the adversary can build from the set of messages~$H$.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ synth\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ H\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}msg\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{where}\isanewline
-\ \ \ \ Inj\ \ \ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Agent\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Agent\ agt\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ MPair\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}X{\isaliteral{2C}{\isacharcomma}}Y{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ Crypt\ \ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{3B}{\isacharsemicolon}}\ \ Key\ K\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The set includes all agent names.  Nonces and keys are assumed to be
-unguessable, so none are included beyond those already in~$H$.   Two
-elements of \isa{synth\ H} can be combined, and an element can be encrypted
-using a key present in~$H$.
-
-Like \isa{analz}, this set operator is monotone and idempotent.  It also
-satisfies an interesting equation involving \isa{analz}:
-\begin{isabelle}%
-analz\ {\isaliteral{28}{\isacharparenleft}}synth\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ analz\ H\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ synth\ H\rulename{analz{\isaliteral{5F}{\isacharunderscore}}synth}%
-\end{isabelle}
-Rule inversion plays a major role in reasoning about \isa{synth}, through
-declarations such as this one:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}cases}\isamarkupfalse%
-\ Nonce{\isaliteral{5F}{\isacharunderscore}}synth\ {\isaliteral{5B}{\isacharbrackleft}}elim{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The resulting elimination rule replaces every assumption of the form
-\isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ H} by \isa{Nonce\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ H},
-expressing that a nonce cannot be guessed.  
-
-A third operator, \isa{parts}, is useful for stating correctness
-properties.  The set
-\isa{parts\ H} consists of the components of elements of~$H$.  This set
-includes~\isa{H} and is closed under the projections from a compound
-message to its immediate parts. 
-Its definition resembles that of \isa{analz} except in the rule
-corresponding to the constructor \isa{Crypt}: 
-\begin{isabelle}%
-\ \ \ \ \ Crypt\ K\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ H%
-\end{isabelle}
-The body of an encrypted message is always regarded as part of it.  We can
-use \isa{parts} to express general well-formedness properties of a protocol,
-for example, that an uncompromised agent's private key will never be
-included as a component of any message.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Mutual.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,131 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Mutual}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Mutually Inductive Definitions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Just as there are datatypes defined by mutual recursion, there are sets defined
-by mutual induction. As a trivial example we consider the even and odd
-natural numbers:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ Even\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-\ \ Odd\ \ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-\ \ zero{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{0}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ EvenI{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ OddI{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Suc\ n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The mutually inductive definition of multiple sets is no different from
-that of a single set, except for induction: just as for mutually recursive
-datatypes, induction needs to involve all the simultaneously defined sets. In
-the above case, the induction rule is called \isa{Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct}
-(simply concatenate the names of the sets involved) and has the conclusion
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}Q\ {\isaliteral{3F}{\isacharquery}}y{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-
-If we want to prove that all even numbers are divisible by two, we have to
-generalize the statement as follows:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isadigit{2}}\ dvd\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is by rule induction. Because of the form of the induction theorem,
-it is applied by \isa{rule} rather than \isa{erule} as for ordinary
-inductive definitions:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ Even{\isaliteral{5F}{\isacharunderscore}}Odd{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ dvd\ {\isadigit{0}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Odd{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ Suc\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ n\isanewline
-\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}n{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ Even{\isaliteral{3B}{\isacharsemicolon}}\ {\isadigit{2}}\ dvd\ n{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{2}}\ dvd\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-The first two subgoals are proved by simplification and the final one can be
-proved in the same manner as in \S\ref{sec:rule-induction}
-where the same subgoal was encountered before.
-We do not show the proof script.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Inductively Defined Predicates\label{sec:ind-predicates}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{inductive predicates|(}
-Instead of a set of even numbers one can also define a predicate on \isa{nat}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive}\isamarkupfalse%
-\ evn\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-zero{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-step{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}evn\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ evn{\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Everything works as before, except that
-you write \commdx{inductive} instead of \isacommand{inductive\_set} and
-\isa{evn\ n} instead of \isa{n\ {\isaliteral{5C3C696E3E}{\isasymin}}\ even}.
-When defining an n-ary relation as a predicate, it is recommended to curry
-the predicate: its type should be \mbox{\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}}
-rather than
-\isa{{\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub n\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}. The curried version facilitates inductions.
-
-When should you choose sets and when predicates? If you intend to combine your notion with set theoretic notation, define it as an inductive set. If not, define it as an inductive predicate, thus avoiding the \isa{{\isaliteral{5C3C696E3E}{\isasymin}}} notation. But note that predicates of more than one argument cannot be combined with the usual set theoretic operators: \isa{P\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ Q} is not well-typed if \isa{P{\isaliteral{2C}{\isacharcomma}}\ Q\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{1}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5C3C7461753E}{\isasymtau}}\isaliteral{5C3C5E697375623E}{}\isactrlisub {\isadigit{2}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool}, you have to write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ P\ x\ y\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q\ x\ y} instead.
-\index{inductive predicates|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/NS_Public.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,517 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{NS{\isaliteral{5F}{\isacharunderscore}}Public}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Modelling the Protocol \label{sec:modelling}%
-}
-\isamarkuptrue%
-%
-\begin{figure}
-\begin{isabelle}
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\ ns{\isaliteral{5F}{\isacharunderscore}}public\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}event\ list\ set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{where}\isanewline
-\isanewline
-\ \ \ Nil{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isanewline
-\ {\isaliteral{7C}{\isacharbar}}\ Fake{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ Spy\ B\ X\ \ {\isaliteral{23}{\isacharhash}}\ evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isanewline
-\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{1}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isanewline
-\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{2}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\ \ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{2}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{2}}\ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ \ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isanewline
-\ {\isaliteral{7C}{\isacharbar}}\ NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ Says\ A\ \ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ Says\ B{\isaliteral{27}{\isacharprime}}\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{3}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ evs{\isadigit{3}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{22}{\isachardoublequoteclose}}%
-\end{isabelle}
-\caption{An Inductive Protocol Definition}\label{fig:ns_public}
-\end{figure}
-%
-\begin{isamarkuptext}%
-Let us formalize the Needham-Schroeder public-key protocol, as corrected by
-Lowe:
-\begin{alignat*%
-}{2}
-  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
-  &2.&\quad  B\to A  &: \comp{Na,Nb,B}\sb{Ka} \\
-  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
-\end{alignat*%
-}
-
-Each protocol step is specified by a rule of an inductive definition.  An
-event trace has type \isa{event\ list}, so we declare the constant
-\isa{ns{\isaliteral{5F}{\isacharunderscore}}public} to be a set of such traces.
-
-Figure~\ref{fig:ns_public} presents the inductive definition.  The
-\isa{Nil} rule introduces the empty trace.  The \isa{Fake} rule models the
-adversary's sending a message built from components taken from past
-traffic, expressed using the functions \isa{synth} and
-\isa{analz}. 
-The next three rules model how honest agents would perform the three
-protocol steps.  
-
-Here is a detailed explanation of rule \isa{NS{\isadigit{2}}}.
-A trace containing an event of the form
-\begin{isabelle}%
-\ \ \ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-may be extended by an event of the form
-\begin{isabelle}%
-\ \ \ \ \ Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-where \isa{NB} is a fresh nonce: \isa{Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{2}}}.
-Writing the sender as \isa{A{\isaliteral{27}{\isacharprime}}} indicates that \isa{B} does not 
-know who sent the message.  Calling the trace variable \isa{evs{\isadigit{2}}} rather
-than simply \isa{evs} helps us know where we are in a proof after many
-case-splits: every subgoal mentioning \isa{evs{\isadigit{2}}} involves message~2 of the
-protocol.
-
-Benefits of this approach are simplicity and clarity.  The semantic model
-is set theory, proofs are by induction and the translation from the informal
-notation to the inductive rules is straightforward.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsection{Proving Elementary Properties \label{sec:regularity}%
-}
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Secrecy properties can be hard to prove.  The conclusion of a typical
-secrecy theorem is 
-\isa{X\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}}.  The difficulty arises from
-having to reason about \isa{analz}, or less formally, showing that the spy
-can never learn~\isa{X}.  Much easier is to prove that \isa{X} can never
-occur at all.  Such \emph{regularity} properties are typically expressed
-using \isa{parts} rather than \isa{analz}.
-
-The following lemma states that \isa{A}'s private key is potentially
-known to the spy if and only if \isa{A} belongs to the set \isa{bad} of
-compromised agents.  The statement uses \isa{parts}: the very presence of
-\isa{A}'s private key in a message, whether protected by encryption or
-not, is enough to confirm that \isa{A} is compromised.  The proof, like
-nearly all protocol proofs, is by induction over traces.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public\isanewline
-\ \ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-The induction yields five subgoals, one for each rule in the definition of
-\isa{ns{\isaliteral{5F}{\isacharunderscore}}public}.  The idea is to prove that the protocol property holds initially
-(rule \isa{Nil}), is preserved by each of the legitimate protocol steps (rules
-\isa{NS{\isadigit{1}}}--\isa{{\isadigit{3}}}), and even is preserved in the face of anything the
-spy can do (rule \isa{Fake}).  
-
-The proof is trivial.  No legitimate protocol rule sends any keys
-at all, so only \isa{Fake} is relevant. Indeed, simplification leaves
-only the \isa{Fake} case, as indicated by the variable name \isa{evsf}:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evsf\ X{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}evsf\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }X\ {\isaliteral{5C3C696E3E}{\isasymin}}\ synth\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Key\ {\isaliteral{28}{\isacharparenleft}}priK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evsf{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{by}\isamarkupfalse%
-\ blast%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The \isa{Fake} case is proved automatically.  If
-\isa{priK\ A} is in the extended trace then either (1) it was already in the
-original trace or (2) it was
-generated by the spy, who must have known this key already. 
-Either way, the induction hypothesis applies.
-
-\emph{Unicity} lemmas are regularity lemmas stating that specified items
-can occur only once in a trace.  The following lemma states that a nonce
-cannot be used both as $Na$ and as $Nb$ unless
-it is known to the spy.  Intuitively, it holds because honest agents
-always choose fresh values as nonces; only the spy might reuse a value,
-and he doesn't know this particular value.  The proof script is short:
-induction, simplification, \isa{blast}.  The first line uses the rule
-\isa{rev{\isaliteral{5F}{\isacharunderscore}}mp} to prepare the induction by moving two assumptions into the 
-induction formula.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ C{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}NA{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ D{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NA\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ analz{\isaliteral{5F}{\isacharunderscore}}insertI{\isaliteral{29}{\isacharparenright}}{\isaliteral{2B}{\isacharplus}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The following unicity lemma states that, if \isa{NA} is secret, then its
-appearance in any instance of message~1 determines the other components. 
-The proof is similar to the previous one.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ unique{\isaliteral{5F}{\isacharunderscore}}NA{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A\ {\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ \ Crypt{\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ parts{\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ \ \ \ \ Nonce\ NA\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ \ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ A{\isaliteral{3D}{\isacharequal}}A{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{3D}{\isacharequal}}B{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsection{Proving Secrecy Theorems \label{sec:secrecy}%
-}
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The secrecy theorems for Bob (the second participant) are especially
-important because they fail for the original protocol.  The following
-theorem states that if Bob sends message~2 to Alice, and both agents are
-uncompromised, then Bob's nonce will never reach the spy.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ Spy{\isaliteral{5F}{\isacharunderscore}}not{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}NB\ {\isaliteral{5B}{\isacharbrackleft}}dest{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-To prove it, we must formulate the induction properly (one of the
-assumptions mentions~\isa{evs}), apply induction, and simplify:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}erule\ rev{\isaliteral{5F}{\isacharunderscore}}mp{\isaliteral{2C}{\isacharcomma}}\ erule\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{2E}{\isachardot}}induct{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-The proof states are too complicated to present in full.  
-Let's examine the simplest subgoal, that for message~1.  The following
-event has just occurred:
-\[ 1.\quad  A'\to B'  : \comp{Na',A'}\sb{Kb'} \]
-The variables above have been primed because this step
-belongs to a different run from that referred to in the theorem
-statement --- the theorem
-refers to a past instance of message~2, while this subgoal
-concerns message~1 being sent just now.
-In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$
-we have \isa{Ba} and~\isa{NAa}:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}evs{\isadigit{1}}\ NAa\ Ba{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ evs{\isadigit{1}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NB\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ analz\ {\isaliteral{28}{\isacharparenleft}}knows\ Spy\ evs{\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }Says\ B\ A\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }{\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isadigit{1}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ }NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa%
-\end{isabelle}
-The simplifier has used a 
-default simplification rule that does a case
-analysis for each encrypted message on whether or not the decryption key
-is compromised.
-\begin{isabelle}%
-analz\ {\isaliteral{28}{\isacharparenleft}}insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ H{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-{\isaliteral{28}{\isacharparenleft}}if\ Key\ {\isaliteral{28}{\isacharparenleft}}invKey\ K{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ analz\ H\isanewline
-\isaindent{{\isaliteral{28}{\isacharparenleft}}}then\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ {\isaliteral{28}{\isacharparenleft}}insert\ X\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isaindent{{\isaliteral{28}{\isacharparenleft}}}else\ insert\ {\isaliteral{28}{\isacharparenleft}}Crypt\ K\ X{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}analz\ H{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\rulename{analz{\isaliteral{5F}{\isacharunderscore}}Crypt{\isaliteral{5F}{\isacharunderscore}}if}%
-\end{isabelle}
-The simplifier has also used \isa{Spy{\isaliteral{5F}{\isacharunderscore}}see{\isaliteral{5F}{\isacharunderscore}}priK}, proved in
-{\S}\ref{sec:regularity} above, to yield \isa{Ba\ {\isaliteral{5C3C696E3E}{\isasymin}}\ bad}.
-
-Recall that this subgoal concerns the case
-where the last message to be sent was
-\[ 1.\quad  A'\to B'  : \comp{Na',A'}\sb{Kb'}. \]
-This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised,
-allowing the spy to decrypt the message.  The Isabelle subgoal says
-precisely this, if we allow for its choice of variable names.
-Proving \isa{NB\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ NAa} is easy: \isa{NB} was
-sent earlier, while \isa{NAa} is fresh; formally, we have
-the assumption \isa{Nonce\ NAa\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ used\ evs{\isadigit{1}}}. 
-
-Note that our reasoning concerned \isa{B}'s participation in another
-run.  Agents may engage in several runs concurrently, and some attacks work
-by interleaving the messages of two runs.  With model checking, this
-possibility can cause a state-space explosion, and for us it
-certainly complicates proofs.  The biggest subgoal concerns message~2.  It
-splits into several cases, such as whether or not the message just sent is
-the very message mentioned in the theorem statement.
-Some of the cases are proved by unicity, others by
-the induction hypothesis.  For all those complications, the proofs are
-automatic by \isa{blast} with the theorem \isa{no{\isaliteral{5F}{\isacharunderscore}}nonce{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{2}}}.
-
-The remaining theorems about the protocol are not hard to prove.  The
-following one asserts a form of \emph{authenticity}: if
-\isa{B} has sent an instance of message~2 to~\isa{A} and has received the
-expected reply, then that reply really originated with~\isa{A}.  The
-proof is a simple induction.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{theorem}\isamarkupfalse%
-\ B{\isaliteral{5F}{\isacharunderscore}}trusts{\isaliteral{5F}{\isacharunderscore}}NS{\isadigit{3}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}Says\ B\ A\ \ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Nonce\ NB{\isaliteral{2C}{\isacharcomma}}\ Agent\ B{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ Says\ A{\isaliteral{27}{\isacharprime}}\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\ \ \ A\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ B\ {\isaliteral{5C3C6E6F74696E3E}{\isasymnotin}}\ bad{\isaliteral{3B}{\isacharsemicolon}}\ \ evs\ {\isaliteral{5C3C696E3E}{\isasymin}}\ ns{\isaliteral{5F}{\isacharunderscore}}public{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Nonce\ NB{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-From similar assumptions, we can prove that \isa{A} started the protocol
-run by sending an instance of message~1 involving the nonce~\isa{NA}\@. 
-For this theorem, the conclusion is 
-\begin{isabelle}%
-Says\ A\ B\ {\isaliteral{28}{\isacharparenleft}}Crypt\ {\isaliteral{28}{\isacharparenleft}}pubK\ B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C62726163653E}{\isasymlbrace}}Nonce\ NA{\isaliteral{2C}{\isacharcomma}}\ Agent\ A{\isaliteral{5C3C7262726163653E}{\isasymrbrace}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ set\ evs%
-\end{isabelle}
-Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA}
-remains secret and that message~2 really originates with~\isa{B}.  Even the
-flawed protocol establishes these properties for~\isa{A};
-the flaw only harms the second participant.
-
-\medskip
-
-Detailed information on this protocol verification technique can be found
-elsewhere~\cite{paulson-jcs}, including proofs of an Internet
-protocol~\cite{paulson-tls}.  We must stress that the protocol discussed
-in this chapter is trivial.  There are only three messages; no keys are
-exchanged; we merely have to prove that encrypted data remains secret. 
-Real world protocols are much longer and distribute many secrets to their
-participants.  To be realistic, the model has to include the possibility
-of keys being lost dynamically due to carelessness.  If those keys have
-been used to encrypt other sensitive information, there may be cascading
-losses.  We may still be able to establish a bound on the losses and to
-prove that other protocol runs function
-correctly~\cite{paulson-yahalom}.  Proofs of real-world protocols follow
-the strategy illustrated above, but the subgoals can
-be much bigger and there are more of them.
-\index{protocols!security|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Nested.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,240 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Nested}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\index{datatypes!and nested recursion}%
-So far, all datatypes had the property that on the right-hand side of their
-definition they occurred only at the top-level: directly below a
-constructor. Now we consider \emph{nested recursion}, where the recursive
-datatype occurs nested in some other datatype (but not inside itself!).
-Consider the following model of terms
-where function symbols can be applied to a list of arguments:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Note that we need to quote \isa{term} on the left to avoid confusion with
-the Isabelle command \isacommand{term}.
-Parameter \isa{{\isaliteral{27}{\isacharprime}}v} is the type of variables and \isa{{\isaliteral{27}{\isacharprime}}f} the type of
-function symbols.
-A mathematical term like $f(x,g(y))$ becomes \isa{App\ f\ {\isaliteral{5B}{\isacharbrackleft}}Var\ x{\isaliteral{2C}{\isacharcomma}}\ App\ g\ {\isaliteral{5B}{\isacharbrackleft}}Var\ y{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}}, where \isa{f}, \isa{g}, \isa{x}, \isa{y} are
-suitable values, e.g.\ numbers or strings.
-
-What complicates the definition of \isa{term} is the nested occurrence of
-\isa{term} inside \isa{list} on the right-hand side. In principle,
-nested recursion can be eliminated in favour of mutual recursion by unfolding
-the offending datatypes, here \isa{list}. The result for \isa{term}
-would be something like
-\medskip
-
-\input{document/unfoldnested.tex}
-\medskip
-
-\noindent
-Although we do not recommend this unfolding to the user, it shows how to
-simulate nested recursion by mutual recursion.
-Now we return to the initial definition of \isa{term} using
-nested recursion.
-
-Let us define a substitution function on terms. Because terms involve term
-lists, we need to define two substitution functions simultaneously:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\isanewline
-subst\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ \ \ \ \ \ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{and}\isanewline
-substs{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ s\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-\ \ subst{\isaliteral{5F}{\isacharunderscore}}App{\isaliteral{3A}{\isacharcolon}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}substs\ s\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}substs\ s\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{23}{\isacharhash}}\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ subst\ s\ t\ {\isaliteral{23}{\isacharhash}}\ substs\ s\ ts{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Individual equations in a \commdx{primrec} definition may be
-named as shown for \isa{subst{\isaliteral{5F}{\isacharunderscore}}App}.
-The significance of this device will become apparent below.
-
-Similarly, when proving a statement about terms inductively, we need
-to prove a related statement about term lists simultaneously. For example,
-the fact that the identity substitution does not change a term needs to be
-strengthened and proved as follows:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ subst{\isaliteral{5F}{\isacharunderscore}}id{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ \ Var\ t\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}t\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ substs\ Var\ ts\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}ts{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ t\ \isakeyword{and}\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Note that \isa{Var} is the identity substitution because by definition it
-leaves variables unchanged: \isa{subst\ Var\ {\isaliteral{28}{\isacharparenleft}}Var\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ x}. Note also
-that the type annotations are necessary because otherwise there is nothing in
-the goal to enforce that both halves of the goal talk about the same type
-parameters \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}}. As a result, induction would fail
-because the two halves of the goal would be unrelated.
-
-\begin{exercise}
-The fact that substitution distributes over composition can be expressed
-roughly as follows:
-\begin{isabelle}%
-\ \ \ \ \ subst\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{5C3C636972633E}{\isasymcirc}}\ g{\isaliteral{29}{\isacharparenright}}\ t\ {\isaliteral{3D}{\isacharequal}}\ subst\ f\ {\isaliteral{28}{\isacharparenleft}}subst\ g\ t{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Correct this statement (you will find that it does not type-check),
-strengthen it, and prove it. (Note: \isa{{\isaliteral{5C3C636972633E}{\isasymcirc}}} is function composition;
-its definition is found in theorem \isa{o{\isaliteral{5F}{\isacharunderscore}}def}).
-\end{exercise}
-\begin{exercise}\label{ex:trev-trev}
-  Define a function \isa{trev} of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}\ Nested{\isaliteral{2E}{\isachardot}}term}
-that recursively reverses the order of arguments of all function symbols in a
-  term. Prove that \isa{trev\ {\isaliteral{28}{\isacharparenleft}}trev\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t}.
-\end{exercise}
-
-The experienced functional programmer may feel that our definition of
-\isa{subst} is too complicated in that \isa{substs} is
-unnecessary. The \isa{App}-case can be defined directly as
-\begin{isabelle}%
-\ \ \ \ \ subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-where \isa{map} is the standard list function such that
-\isa{map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}xn{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}f\ x{\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2C}{\isacharcomma}}f\ xn{\isaliteral{5D}{\isacharbrackright}}}. This is true, but Isabelle
-insists on the conjunctive format. Fortunately, we can easily \emph{prove}
-that the suggested equation holds:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}subst\ s\ {\isaliteral{28}{\isacharparenleft}}App\ f\ ts{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ App\ f\ {\isaliteral{28}{\isacharparenleft}}map\ {\isaliteral{28}{\isacharparenleft}}subst\ s{\isaliteral{29}{\isacharparenright}}\ ts{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ ts{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-What is more, we can now disable the old defining equation as a
-simplification rule:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ subst{\isaliteral{5F}{\isacharunderscore}}App\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\noindent The advantage is that now we have replaced \isa{substs} by \isa{map}, we can profit from the large number of
-pre-proved lemmas about \isa{map}.  Unfortunately, inductive proofs
-about type \isa{term} are still awkward because they expect a
-conjunction. One could derive a new induction principle as well (see
-\S\ref{sec:derive-ind}), but simpler is to stop using
-\isacommand{primrec} and to define functions with \isacommand{fun}
-instead.  Simple uses of \isacommand{fun} are described in
-\S\ref{sec:fun} below.  Advanced applications, including functions
-over nested datatypes like \isa{term}, are discussed in a
-separate tutorial~\cite{isabelle-function}.
-
-Of course, you may also combine mutual and nested recursion of datatypes. For example,
-constructor \isa{Sum} in \S\ref{sec:datatype-mut-rec} could take a list of
-expressions as its argument: \isa{Sum}~\isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ aexp\ list{\isaliteral{22}{\isachardoublequote}}}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Numbers.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,593 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Numbers}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-\isacommand{theory}\isamarkupfalse%
-\ Numbers\isanewline
-\isakeyword{imports}\ Complex{\isaliteral{5F}{\isacharunderscore}}Main\isanewline
-\isakeyword{begin}%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-numeric literals; default simprules; can re-orient%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2B}{\isacharplus}}\ m%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{fun}\isamarkupfalse%
-\ h\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}h\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ i\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{3}}\ then\ {\isadigit{2}}\ else\ i{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\isa{h\ {\isadigit{3}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}}
-\isa{h\ i\ {\isaliteral{3D}{\isacharequal}}\ i}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\begin{isabelle}%
-Numeral{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{numeral_1_eq_1}
-
-\begin{isabelle}%
-{\isadigit{2}}\ {\isaliteral{2B}{\isacharplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{add_2_eq_Suc}
-
-\begin{isabelle}%
-n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{add_2_eq_Suc'}
-
-\begin{isabelle}%
-a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2B}{\isacharplus}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{add_assoc}
-
-\begin{isabelle}%
-a\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a%
-\end{isabelle}
-\rulename{add_commute}
-
-\begin{isabelle}%
-b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2B}{\isacharplus}}\ c{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{add_left_commute}
-
-these form add_ac; similarly there is mult_ac%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}Suc{\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{2A}{\isacharasterisk}}k\ {\isaliteral{2B}{\isacharplus}}\ m{\isaliteral{2A}{\isacharasterisk}}n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{2A}{\isacharasterisk}}m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k{\isaliteral{2A}{\isacharasterisk}}j{\isaliteral{2A}{\isacharasterisk}}l{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2B}{\isacharplus}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2A}{\isacharasterisk}}\ m\ {\isaliteral{2B}{\isacharplus}}\ i\ {\isaliteral{2B}{\isacharplus}}\ k\ {\isaliteral{2A}{\isacharasterisk}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ add{\isaliteral{5F}{\isacharunderscore}}ac\ mult{\isaliteral{5F}{\isacharunderscore}}ac{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }f\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2B}{\isacharplus}}\ j\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2A}{\isacharasterisk}}\ l{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{isabelle}%
-m\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ div\ k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ n\ div\ k%
-\end{isabelle}
-\rulename{div_le_mono}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{3D}{\isacharequal}}\ m\ {\isaliteral{2A}{\isacharasterisk}}\ k\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ k%
-\end{isabelle}
-\rulename{diff_mult_distrib}
-
-\begin{isabelle}%
-a\ mod\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mult_mod_left}
-
-\begin{isabelle}%
-P\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2D}{\isacharminus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}d{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2B}{\isacharplus}}\ d\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ P\ d{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{nat_diff_split}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}clarsimp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split\ iff\ del{\isaliteral{3A}{\isacharcolon}}\ less{\isaliteral{5F}{\isacharunderscore}}Suc{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ %
-\isamarkupcmt{\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ Suc\ {\isadigit{0}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
-\end{isabelle}%
-}
-\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{4}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ nat{\isaliteral{5F}{\isacharunderscore}}diff{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}\isanewline
-\ %
-\isamarkupcmt{\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}d{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}n\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{2}}{\isaliteral{3B}{\isacharsemicolon}}\ n\ {\isaliteral{2A}{\isacharasterisk}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{4}}\ {\isaliteral{2B}{\isacharplus}}\ d{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ d\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}%
-\end{isabelle}%
-}
-\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}subgoal{\isaliteral{5F}{\isacharunderscore}}tac\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{2C}{\isacharcomma}}\ force{\isaliteral{2C}{\isacharcomma}}\ arith{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{isabelle}%
-m\ mod\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ m\ {\isaliteral{3C}{\isacharless}}\ n\ then\ m\ else\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{2D}{\isacharminus}}\ n{\isaliteral{29}{\isacharparenright}}\ mod\ n{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mod_if}
-
-\begin{isabelle}%
-a\ div\ b\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b\ {\isaliteral{3D}{\isacharequal}}\ a%
-\end{isabelle}
-\rulename{mod_div_equality}
-
-
-\begin{isabelle}%
-a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
-\end{isabelle}
-\rulename{div_mult1_eq}
-
-\begin{isabelle}%
-a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
-\end{isabelle}
-\rulename{mod_mult_right_eq}
-
-\begin{isabelle}%
-a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
-\end{isabelle}
-\rulename{div_mult2_eq}
-
-\begin{isabelle}%
-a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
-\end{isabelle}
-\rulename{mod_mult2_eq}
-
-\begin{isabelle}%
-c\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b%
-\end{isabelle}
-\rulename{div_mult_mult1}
-
-\begin{isabelle}%
-a\ div\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{div_by_0}
-
-\begin{isabelle}%
-a\ mod\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a%
-\end{isabelle}
-\rulename{mod_by_0}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}m\ dvd\ n{\isaliteral{3B}{\isacharsemicolon}}\ n\ dvd\ m{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n%
-\end{isabelle}
-\rulename{dvd_antisym}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}a\ dvd\ b{\isaliteral{3B}{\isacharsemicolon}}\ a\ dvd\ c{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ dvd\ b\ {\isaliteral{2B}{\isacharplus}}\ c%
-\end{isabelle}
-\rulename{dvd_add}
-
-For the integers, I'd list a few theorems that somehow involve negative 
-numbers.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Division, remainder of negatives
-
-
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ a\ mod\ b%
-\end{isabelle}
-\rulename{pos_mod_sign}
-
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ b\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{3C}{\isacharless}}\ b%
-\end{isabelle}
-\rulename{pos_mod_bound}
-
-\begin{isabelle}%
-b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ b\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isadigit{0}}%
-\end{isabelle}
-\rulename{neg_mod_sign}
-
-\begin{isabelle}%
-b\ {\isaliteral{3C}{\isacharless}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ b\ {\isaliteral{3C}{\isacharless}}\ a\ mod\ b%
-\end{isabelle}
-\rulename{neg_mod_bound}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ div\ c\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
-\end{isabelle}
-\rulename{zdiv_zadd1_eq}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ mod\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
-\end{isabelle}
-\rulename{mod_add_eq}
-
-\begin{isabelle}%
-a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ div\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ div\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ div\ c%
-\end{isabelle}
-\rulename{zdiv_zmult1_eq}
-
-\begin{isabelle}%
-a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ mod\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ mod\ c%
-\end{isabelle}
-\rulename{mod_mult_right_eq}
-
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ div\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ div\ b\ div\ c%
-\end{isabelle}
-\rulename{zdiv_zmult2_eq}
-
-\begin{isabelle}%
-{\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ mod\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a\ div\ b\ mod\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2B}{\isacharplus}}\ a\ mod\ b%
-\end{isabelle}
-\rulename{zmod_zmult2_eq}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ abs\ x\ {\isaliteral{2B}{\isacharplus}}\ abs\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ arith%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}abs\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}{\isaliteral{2A}{\isacharasterisk}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}\ {\isaliteral{2A}{\isacharasterisk}}\ abs\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ abs{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Induction rules for the Integers
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{5C3C6C653E}{\isasymle}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
-\end{isabelle}
-\rulename{int_ge_induct}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}k\ {\isaliteral{3C}{\isacharless}}\ i{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
-\end{isabelle}
-\rulename{int_gr_induct}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ k{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{5C3C6C653E}{\isasymle}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
-\end{isabelle}
-\rulename{int_le_induct}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ {\isaliteral{28}{\isacharparenleft}}k\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}i{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}i\ {\isaliteral{3C}{\isacharless}}\ k{\isaliteral{3B}{\isacharsemicolon}}\ P\ i{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}i\ {\isaliteral{2D}{\isacharminus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ i%
-\end{isabelle}
-\rulename{int_less_induct}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-FIELDS
-
-\begin{isabelle}%
-x\ {\isaliteral{3C}{\isacharless}}\ y\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}z{\isaliteral{3E}{\isachargreater}}x{\isaliteral{2E}{\isachardot}}\ z\ {\isaliteral{3C}{\isacharless}}\ y%
-\end{isabelle}
-\rulename{dense}
-
-\begin{isabelle}%
-a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
-\end{isabelle}
-\rulename{times_divide_eq_right}
-
-\begin{isabelle}%
-b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c%
-\end{isabelle}
-\rulename{times_divide_eq_left}
-
-\begin{isabelle}%
-a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2F}{\isacharslash}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{2F}{\isacharslash}}\ b%
-\end{isabelle}
-\rulename{divide_divide_eq_right}
-
-\begin{isabelle}%
-a\ {\isaliteral{2F}{\isacharslash}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{28}{\isacharparenleft}}b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{divide_divide_eq_left}
-
-\begin{isabelle}%
-{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{2F}{\isacharslash}}\ b%
-\end{isabelle}
-\rulename{minus_divide_left}
-
-\begin{isabelle}%
-{\isaliteral{2D}{\isacharminus}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2F}{\isacharslash}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ {\isaliteral{2D}{\isacharminus}}\ b%
-\end{isabelle}
-\rulename{minus_divide_right}
-
-This last NOT a simprule
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{2F}{\isacharslash}}\ c\ {\isaliteral{2B}{\isacharplus}}\ b\ {\isaliteral{2F}{\isacharslash}}\ c%
-\end{isabelle}
-\rulename{add_divide_distrib}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{7}}{\isaliteral{2F}{\isacharslash}}{\isadigit{8}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\ \isanewline
-%
-\endisadelimproof
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}P\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{2}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{3}}{\isaliteral{2F}{\isacharslash}}{\isadigit{4}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}{\isaliteral{2F}{\isacharslash}}{\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ real{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{3}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{4}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{8}}\ {\isaliteral{2F}{\isacharslash}}\ {\isadigit{1}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3C}{\isacharless}}\ x%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isadigit{2}}\ {\isaliteral{3C}{\isacharless}}\ x\ {\isaliteral{2A}{\isacharasterisk}}\ {\isadigit{5}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Ring and Field
-
-Requires a field, or else an ordered ring
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ b\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mult_eq_0_iff}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{2A}{\isacharasterisk}}\ c\ {\isaliteral{3D}{\isacharequal}}\ b\ {\isaliteral{2A}{\isacharasterisk}}\ c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mult_cancel_right}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{2A}{\isacharasterisk}}\ a\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mult_cancel_left}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-effect of show sorts on the above
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}c{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\isaindent{{\isaliteral{28}{\isacharparenleft}}}c\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}b{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-{\isaliteral{28}{\isacharparenleft}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ring{\isaliteral{5F}{\isacharunderscore}}no{\isaliteral{5F}{\isacharunderscore}}zero{\isaliteral{5F}{\isacharunderscore}}divisors{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ a\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{mult_cancel_left}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-absolute value
-
-\begin{isabelle}%
-{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2A}{\isacharasterisk}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
-\end{isabelle}
-\rulename{abs_mult}
-
-\begin{isabelle}%
-{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{2D}{\isacharminus}}\ a\ {\isaliteral{5C3C6C653E}{\isasymle}}\ b{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\rulename{abs_le_iff}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6261723E}{\isasymbar}}a\ {\isaliteral{2B}{\isacharplus}}\ b{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{5C3C6C653E}{\isasymle}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}b{\isaliteral{5C3C6261723E}{\isasymbar}}%
-\end{isabelle}
-\rulename{abs_triangle_ineq}
-
-\begin{isabelle}%
-a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2B}{\isacharplus}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{2A}{\isacharasterisk}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
-\end{isabelle}
-\rulename{power_add}
-
-\begin{isabelle}%
-a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\ {\isaliteral{2A}{\isacharasterisk}}\ n\isaliteral{5C3C5E657375703E}{}\isactrlesup \ {\isaliteral{3D}{\isacharequal}}\ a\isaliteral{5C3C5E627375703E}{}\isactrlbsup m\isaliteral{5C3C5E657375703E}{}\isactrlesup \isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
-\end{isabelle}
-\rulename{power_mult}
-
-\begin{isabelle}%
-{\isaliteral{5C3C6261723E}{\isasymbar}}a\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup {\isaliteral{5C3C6261723E}{\isasymbar}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6261723E}{\isasymbar}}a{\isaliteral{5C3C6261723E}{\isasymbar}}\isaliteral{5C3C5E627375703E}{}\isactrlbsup n\isaliteral{5C3C5E657375703E}{}\isactrlesup %
-\end{isabelle}
-\rulename{power_abs}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-\isacommand{end}\isamarkupfalse%
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isanewline
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Option2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Option{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\indexbold{*option (type)}\indexbold{*None (constant)}%
-\indexbold{*Some (constant)}
-Our final datatype is very simple but still eminently useful:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}a\ option\ {\isaliteral{3D}{\isacharequal}}\ None\ {\isaliteral{7C}{\isacharbar}}\ Some\ {\isaliteral{27}{\isacharprime}}a%
-\begin{isamarkuptext}%
-\noindent
-Frequently one needs to add a distinguished element to some existing type.
-For example, type \isa{t\ option} can model the result of a computation that
-may either terminate with an error (represented by \isa{None}) or return
-some value \isa{v} (represented by \isa{Some\ v}).
-Similarly, \isa{nat} extended with $\infty$ can be modeled by type
-\isa{nat\ option}. In both cases one could define a new datatype with
-customized constructors like \isa{Error} and \isa{Infinity},
-but it is often simpler to use \isa{option}. For an application see
-\S\ref{sec:Trie}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Overloading.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,159 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Overloading}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-Type classes allow \emph{overloading}; thus a constant may
-have multiple definitions at non-overlapping types.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Overloading%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We can introduce a binary infix addition operator \isa{{\isaliteral{5C3C6F74696D65733E}{\isasymotimes}}}
-for arbitrary types by means of a type class:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{class}\isamarkupfalse%
-\ plus\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \isakeyword{fixes}\ plus\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixl}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6F706C75733E}{\isasymoplus}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{7}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptext}%
-\noindent This introduces a new class \isa{plus},
-along with a constant \isa{plus} with nice infix syntax.
-\isa{plus} is also named \emph{class operation}.  The type
-of \isa{plus} carries a class constraint \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus{\isaliteral{22}{\isachardoublequote}}} on its type variable, meaning that only types of class
-\isa{plus} can be instantiated for \isa{{\isaliteral{22}{\isachardoublequote}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequote}}}.
-To breathe life into \isa{plus} we need to declare a type
-to be an \bfindex{instance} of \isa{plus}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ plus\isanewline
-\isakeyword{begin}%
-\begin{isamarkuptext}%
-\noindent Command \isacommand{instantiation} opens a local
-theory context.  Here we can now instantiate \isa{plus} on
-\isa{nat}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ plus{\isaliteral{5F}{\isacharunderscore}}nat\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-\ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}Suc\ m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Note that the name \isa{plus} carries a
-suffix \isa{{\isaliteral{5F}{\isacharunderscore}}nat}; by default, the local name of a class operation
-\isa{f} to be instantiated on type constructor \isa{{\isaliteral{5C3C6B617070613E}{\isasymkappa}}} is mangled
-as \isa{f{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{5C3C6B617070613E}{\isasymkappa}}}.  In case of uncertainty, these names may be inspected
-using the \hyperlink{command.print-context}{\mbox{\isa{\isacommand{print{\isaliteral{5F}{\isacharunderscore}}context}}}} command or the corresponding
-ProofGeneral button.
-
-Although class \isa{plus} has no axioms, the instantiation must be
-formally concluded by a (trivial) instantiation proof ``..'':%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent More interesting \isacommand{instance} proofs will
-arise below.
-
-The instantiation is finished by an explicit%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{end}\isamarkupfalse%
-%
-\begin{isamarkuptext}%
-\noindent From now on, terms like \isa{Suc\ {\isaliteral{28}{\isacharparenleft}}m\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isadigit{2}}{\isaliteral{29}{\isacharparenright}}} are
-legal.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instantiation}\isamarkupfalse%
-\ prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{28}{\isacharparenleft}}plus{\isaliteral{2C}{\isacharcomma}}\ plus{\isaliteral{29}{\isacharparenright}}\ plus\isanewline
-\isakeyword{begin}%
-\begin{isamarkuptext}%
-\noindent Here we instantiate the product type \isa{prod} to
-class \isa{plus}, given that its type arguments are of
-class \isa{plus}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ plus{\isaliteral{5F}{\isacharunderscore}}prod\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ {\isaliteral{28}{\isacharparenleft}}w{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ w{\isaliteral{2C}{\isacharcomma}}\ y\ {\isaliteral{5C3C6F706C75733E}{\isasymoplus}}\ z{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent Obviously, overloaded specifications may include
-recursion over the syntactic structure of types.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{instance}\isamarkupfalse%
-%
-\isadelimproof
-\ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isanewline
-\isanewline
-\isacommand{end}\isamarkupfalse%
-%
-\begin{isamarkuptext}%
-\noindent This way we have encoded the canonical lifting of
-binary operations to products by means of type classes.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/PDL.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,342 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{PDL}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Propositional Dynamic Logic --- PDL%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{PDL|(}
-The formulae of PDL are built up from atomic propositions via
-negation and conjunction and the two temporal
-connectives \isa{AX} and \isa{EF}\@. Since formulae are essentially
-syntax trees, they are naturally modelled as a datatype:%
-\footnote{The customary definition of PDL
-\cite{HarelKT-DL} looks quite different from ours, but the two are easily
-shown to be equivalent.}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ formula\ {\isaliteral{3D}{\isacharequal}}\ Atom\ {\isaliteral{22}{\isachardoublequoteopen}}atom{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Neg\ formula\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ And\ formula\ formula\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ AX\ formula\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ EF\ formula%
-\begin{isamarkuptext}%
-\noindent
-This resembles the boolean expression case study in
-\S\ref{sec:boolex}.
-A validity relation between states and formulae specifies the semantics.
-The syntax annotation allows us to write \isa{s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f} instead of
-\hbox{\isa{valid\ s\ f}}. The definition is by recursion over the syntax:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ valid\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}state\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}{\isadigit{8}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{8}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Atom\ a\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ Neg\ f\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}{\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ And\ f\ g\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ g{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ AX\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The first three equations should be self-explanatory. The temporal formula
-\isa{AX\ f} means that \isa{f} is true in \emph{A}ll ne\emph{X}t states whereas
-\isa{EF\ f} means that there \emph{E}xists some \emph{F}uture state in which \isa{f} is
-true. The future is expressed via \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}, the reflexive transitive
-closure. Because of reflexivity, the future includes the present.
-
-Now we come to the model checker itself. It maps a formula into the
-set of states where the formula is true.  It too is defined by
-recursion over the syntax:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ mc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}formula\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ state\ set{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Atom\ a{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ L\ s{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}Neg\ f{\isaliteral{29}{\isacharparenright}}\ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}mc\ f{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}And\ f\ g{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ mc\ f\ {\isaliteral{5C3C696E7465723E}{\isasyminter}}\ mc\ g{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}AX\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ \ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ mc\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}mc{\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Only the equation for \isa{EF} deserves some comments. Remember that the
-postfix \isa{{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}} and the infix \isa{{\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}} are predefined and denote the
-converse of a relation and the image of a set under a relation.  Thus
-\isa{M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the set of all predecessors of \isa{T} and the least
-fixed point (\isa{lfp}) of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ mc\ f\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T} is the least set
-\isa{T} containing \isa{mc\ f} and all predecessors of \isa{T}. If you
-find it hard to see that \isa{mc\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}} contains exactly those states from
-which there is a path to a state where \isa{f} is true, do not worry --- this
-will be proved in a moment.
-
-First we prove monotonicity of the function inside \isa{lfp}
-in order to make sure it really has a least fixed point.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mono{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ monoI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ blast\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Now we can relate model checking and semantics. For the \isa{EF} case we need
-a separate lemma:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}lfp{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ {\isaliteral{28}{\isacharparenleft}}M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The equality is proved in the canonical fashion by proving that each set
-includes the other; the inclusion is shown pointwise:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ equalityI{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Simplification leaves us with the following first subgoal
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A%
-\end{isabelle}
-which is proved by \isa{lfp}-induction:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ lfp{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{5F}{\isacharunderscore}}set{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Having disposed of the monotonicity subgoal,
-simplification leaves us with the following goal:
-\begin{isabelle}
-\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
-\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
-\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
-\end{isabelle}
-It is proved by \isa{blast}, using the transitivity of 
-\isa{M\isactrlsup {\isacharasterisk}}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtrancl{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-We now return to the second set inclusion subgoal, which is again proved
-pointwise:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule\ subsetI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{2C}{\isacharcomma}}\ clarify{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-After simplification and clarification we are left with
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-This goal is proved by induction on \isa{{\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}}. But since the model
-checker works backwards (from \isa{t} to \isa{s}), we cannot use the
-induction theorem \isa{rtrancl{\isaliteral{5F}{\isacharunderscore}}induct}: it works in the
-forward direction. Fortunately the converse induction theorem
-\isa{converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct} already exists:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ b{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}z{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ P\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ a%
-\end{isabelle}
-It says that if \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} and we know \isa{P\ b} then we can infer
-\isa{P\ a} provided each step backwards from a predecessor \isa{z} of
-\isa{b} preserves \isa{P}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ converse{\isaliteral{5F}{\isacharunderscore}}rtrancl{\isaliteral{5F}{\isacharunderscore}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The base case
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-is solved by unrolling \isa{lfp} once%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ t{\isaliteral{2E}{\isachardot}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{5C3C696E3E}{\isasymin}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ lfp\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}T{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C756E696F6E3E}{\isasymunion}}\ M{\isaliteral{5C3C696E76657273653E}{\isasyminverse}}\ {\isaliteral{60}{\isacharbackquote}}{\isaliteral{60}{\isacharbackquote}}\ T{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-and disposing of the resulting trivial subgoal automatically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The proof of the induction step is identical to the one for the base case:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}subst\ lfp{\isaliteral{5F}{\isacharunderscore}}unfold{\isaliteral{5B}{\isacharbrackleft}}OF\ mono{\isaliteral{5F}{\isacharunderscore}}ef{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The main theorem is proved in the familiar manner: induction followed by
-\isa{auto} augmented with the lemma as a simplification rule.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}mc\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{7B}{\isacharbraceleft}}s{\isaliteral{2E}{\isachardot}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ f{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ EF{\isaliteral{5F}{\isacharunderscore}}lemma{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{exercise}
-\isa{AX} has a dual operator \isa{EN} 
-(``there exists a next state such that'')%
-\footnote{We cannot use the customary \isa{EX}: it is reserved
-as the \textsc{ascii}-equivalent of \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}.}
-with the intended semantics
-\begin{isabelle}%
-\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}t{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}s{\isaliteral{2C}{\isacharcomma}}\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ M\ {\isaliteral{5C3C616E643E}{\isasymand}}\ t\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Fortunately, \isa{EN\ f} can already be expressed as a PDL formula. How?
-
-Show that the semantics for \isa{EF} satisfies the following recursion equation:
-\begin{isabelle}%
-\ \ \ \ \ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EF\ f\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ f\ {\isaliteral{5C3C6F723E}{\isasymor}}\ s\ {\isaliteral{5C3C5475726E7374696C653E}{\isasymTurnstile}}\ EN\ {\isaliteral{28}{\isacharparenleft}}EF\ f{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\end{exercise}
-\index{PDL|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Pairs.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,394 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Pairs}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Pairs and Tuples%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:products}
-Ordered pairs were already introduced in \S\ref{sec:pairs}, but only with a minimal
-repertoire of operations: pairing and the two projections \isa{fst} and
-\isa{snd}. In any non-trivial application of pairs you will find that this
-quickly leads to unreadable nests of projections. This
-section introduces syntactic sugar to overcome this
-problem: pattern matching with tuples.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Pattern Matching with Tuples%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Tuples may be used as patterns in $\lambda$-abstractions,
-for example \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z} and \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{2B}{\isacharplus}}y{\isaliteral{2B}{\isacharplus}}z}. In fact,
-tuple patterns can be used in most variable binding constructs,
-and they can be nested. Here are
-some typical examples:
-\begin{quote}
-\isa{let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ z\ in\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ x{\isaliteral{29}{\isacharparenright}}}\\
-\isa{case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ zs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{2B}{\isacharplus}}\ y}\\
-\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y}\\
-\isa{{\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}z{\isaliteral{7D}{\isacharbraceright}}}\\
-\isa{{\isaliteral{5C3C556E696F6E3E}{\isasymUnion}}\isaliteral{5C3C5E627375623E}{}\isactrlbsub {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C696E3E}{\isasymin}}A\isaliteral{5C3C5E657375623E}{}\isactrlesub \ {\isaliteral{7B}{\isacharbraceleft}}x\ {\isaliteral{2B}{\isacharplus}}\ y{\isaliteral{7D}{\isacharbraceright}}}
-\end{quote}
-The intuitive meanings of these expressions should be obvious.
-Unfortunately, we need to know in more detail what the notation really stands
-for once we have to reason about it.  Abstraction
-over pairs and tuples is merely a convenient shorthand for a more complex
-internal representation.  Thus the internal and external form of a term may
-differ, which can affect proofs. If you want to avoid this complication,
-stick to \isa{fst} and \isa{snd} and write \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}p{\isaliteral{2E}{\isachardot}}\ fst\ p\ {\isaliteral{2B}{\isacharplus}}\ snd\ p}
-instead of \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{2B}{\isacharplus}}y}.  These terms are distinct even though they
-denote the same function.
-
-Internally, \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ t} becomes \isa{split\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x\ y{\isaliteral{2E}{\isachardot}}\ t{\isaliteral{29}{\isacharparenright}}}, where
-\cdx{split} is the uncurrying function of type \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}c} defined as
-\begin{center}
-\isa{prod{\isaliteral{5F}{\isacharunderscore}}case\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}c\ p{\isaliteral{2E}{\isachardot}}\ c\ {\isaliteral{28}{\isacharparenleft}}fst\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}snd\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
-\hfill(\isa{split{\isaliteral{5F}{\isacharunderscore}}def})
-\end{center}
-Pattern matching in
-other variable binding constructs is translated similarly. Thus we need to
-understand how to reason about such constructs.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Theorem Proving%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-The most obvious approach is the brute force expansion of \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}x{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ fst\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-This works well if rewriting with \isa{split{\isaliteral{5F}{\isacharunderscore}}def} finishes the
-proof, as it does above.  But if it does not, you end up with exactly what
-we are trying to avoid: nests of \isa{fst} and \isa{snd}. Thus this
-approach is neither elegant nor very practical in large examples, although it
-can be effective in small ones.
-
-If we consider why this lemma presents a problem, 
-we realize that we need to replace variable~\isa{p} by some pair \isa{{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}}.  Then both sides of the
-equation would simplify to \isa{a} by the simplification rules
-\isa{{\isaliteral{28}{\isacharparenleft}}case\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ a\ b} and \isa{fst\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a}.  
-To reason about tuple patterns requires some way of
-converting a variable of product type into a pair.
-In case of a subterm of the form \isa{case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ f\ x\ xa} this is easy: the split
-rule \isa{split{\isaliteral{5F}{\isacharunderscore}}split} replaces \isa{p} by a pair:%
-\index{*split (method)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}y{\isaliteral{29}{\isacharparenright}}\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x\ y{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
-\end{isabelle}
-This subgoal is easily proved by simplification. Thus we could have combined
-simplification and splitting in one command that proves the goal outright:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Let us look at a second example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}let\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ x%
-\end{isabelle}
-A paired \isa{let} reduces to a paired $\lambda$-abstraction, which
-can be split as above. The same is true for paired set comprehension:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ simp%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}case\ p\ of\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ xa{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p%
-\end{isabelle}
-Again, simplification produces a term suitable for \isa{split{\isaliteral{5F}{\isacharunderscore}}split}
-as above. If you are worried about the strange form of the premise:
-\isa{split\ {\isaliteral{28}{\isacharparenleft}}op\ {\isaliteral{3D}{\isacharequal}}{\isaliteral{29}{\isacharparenright}}} is short for \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y}.
-The same proof procedure works for%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}p\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}{\isaliteral{2E}{\isachardot}}\ x{\isaliteral{3D}{\isacharequal}}y{\isaliteral{7D}{\isacharbraceright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ fst\ p\ {\isaliteral{3D}{\isacharequal}}\ snd\ p{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-except that we now have to use \isa{split{\isaliteral{5F}{\isacharunderscore}}split{\isaliteral{5F}{\isacharunderscore}}asm}, because
-\isa{prod{\isaliteral{5F}{\isacharunderscore}}case} occurs in the assumptions.
-
-However, splitting \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} is not always a solution, as no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case}
-may be present in the goal. Consider the following function:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{primrec}\isamarkupfalse%
-\ swap\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}b\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}swap\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Note that the above \isacommand{primrec} definition is admissible
-because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype. When we now try to prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-simplification will do nothing, because the defining equation for
-\isa{swap} expects a pair. Again, we need to turn \isa{p}
-into a pair first, but this time there is no \isa{prod{\isaliteral{5F}{\isacharunderscore}}case} in sight.
-The only thing we can do is to split the term by hand:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ p{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b{\isaliteral{2E}{\isachardot}}\ p\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p%
-\end{isabelle}
-Again, \methdx{case_tac} is applicable because \isa{{\isaliteral{5C3C74696D65733E}{\isasymtimes}}} is a datatype.
-The subgoal is easily proved by \isa{simp}.
-
-Splitting by \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} also solves the previous examples and may thus
-appear preferable to the more arcane methods introduced first. However, see
-the warning about \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} in \S\ref{sec:struct-ind-case}.
-
-Alternatively, you can split \emph{all} \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-quantified variables
-in a goal with the rewrite rule \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C416E643E}{\isasymAnd}}p\ q{\isaliteral{2E}{\isachardot}}\ swap{\isaliteral{28}{\isacharparenleft}}swap\ p{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ q\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ p\ {\isaliteral{3D}{\isacharequal}}\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ b\ aa\ ba{\isaliteral{2E}{\isachardot}}\ swap\ {\isaliteral{28}{\isacharparenleft}}swap\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}aa{\isaliteral{2C}{\isacharcomma}}\ ba{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Note that we have intentionally included only \isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all}
-in the first simplification step, and then we simplify again. 
-This time the reason was not merely
-pedagogical:
-\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all} may interfere with other functions
-of the simplifier.
-The following command could fail (here it does not)
-where two separate \isa{simp} applications succeed.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Finally, the simplifier automatically splits all \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}} and
-\isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}-quantified variables:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}p{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}q{\isaliteral{2E}{\isachardot}}\ swap\ p\ {\isaliteral{3D}{\isacharequal}}\ swap\ q{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-To turn off this automatic splitting, disable the
-responsible simplification rules:
-\begin{center}
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
-\hfill
-(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}All})\\
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}a\ b{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}\ b{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}
-\hfill
-(\isa{split{\isaliteral{5F}{\isacharunderscore}}paired{\isaliteral{5F}{\isacharunderscore}}Ex})
-\end{center}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Partial.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,352 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Partial}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent Throughout this tutorial, we have emphasized
-that all functions in HOL are total.  We cannot hope to define
-truly partial functions, but must make them total.  A straightforward
-method is to lift the result type of the function from $\tau$ to
-$\tau$~\isa{option} (see \ref{sec:option}), where \isa{None} is
-returned if the function is applied to an argument not in its
-domain. Function \isa{assoc} in \S\ref{sec:Trie} is a simple example.
-We do not pursue this schema further because it should be clear
-how it works. Its main drawback is that the result of such a lifted
-function has to be unpacked first before it can be processed
-further. Its main advantage is that you can distinguish if the
-function was applied to an argument in its domain or not. If you do
-not need to make this distinction, for example because the function is
-never used outside its domain, it is easier to work with
-\emph{underdefined}\index{functions!underdefined} functions: for
-certain arguments we only know that a result exists, but we do not
-know what it is. When defining functions that are normally considered
-partial, underdefinedness turns out to be a very reasonable
-alternative.
-
-We have already seen an instance of underdefinedness by means of
-non-exhaustive pattern matching: the definition of \isa{last} in
-\S\ref{sec:fun}. The same is allowed for \isacommand{primrec}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ hd\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharprime}a\ list\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
-\isacommand{primrec}\isamarkupfalse%
-\ {\isachardoublequoteopen}hd\ {\isacharparenleft}x{\isacharhash}xs{\isacharparenright}\ {\isacharequal}\ x{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-although it generates a warning.
-Even ordinary definitions allow underdefinedness, this time by means of
-preconditions:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{constdefs}\isamarkupfalse%
-\ subtract\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}n\ {\isasymle}\ m\ {\isasymLongrightarrow}\ subtract\ m\ n\ {\isasymequiv}\ m\ {\isacharminus}\ n{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-The rest of this section is devoted to the question of how to define
-partial recursive functions by other means than non-exhaustive pattern
-matching.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Guarded Recursion%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{recursion!guarded}%
-Neither \isacommand{primrec} nor \isacommand{recdef} allow to
-prefix an equation with a condition in the way ordinary definitions do
-(see \isa{subtract} above). Instead we have to move the condition over
-to the right-hand side of the equation. Given a partial function $f$
-that should satisfy the recursion equation $f(x) = t$ over its domain
-$dom(f)$, we turn this into the \isacommand{recdef}
-\begin{isabelle}%
-\ \ \ \ \ f\ x\ {\isacharequal}\ {\isacharparenleft}if\ x\ {\isasymin}\ dom\ f\ then\ t\ else\ arbitrary{\isacharparenright}%
-\end{isabelle}
-where \isa{arbitrary} is a predeclared constant of type \isa{{\isacharprime}a}
-which has no definition. Thus we know nothing about its value,
-which is ideal for specifying underdefined functions on top of it.
-
-As a simple example we define division on \isa{nat}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ divi\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ divi\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}{\isachardot}\ m{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ arbitrary{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}divi{\isacharparenleft}m{\isacharcomma}n{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ m\ {\isacharless}\ n\ then\ {\isadigit{0}}\ else\ divi{\isacharparenleft}m{\isacharminus}n{\isacharcomma}n{\isacharparenright}{\isacharplus}{\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent Of course we could also have defined
-\isa{divi\ {\isacharparenleft}m{\isacharcomma}\ {\isadigit{0}}{\isacharparenright}} to be some specific number, for example 0. The
-latter option is chosen for the predefined \isa{div} function, which
-simplifies proofs at the expense of deviating from the
-standard mathematical division function.
-
-As a more substantial example we consider the problem of searching a graph.
-For simplicity our graph is given by a function \isa{f} of
-type \isa{{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a} which
-maps each node to its successor; the graph has out-degree 1.
-The task is to find the end of a chain, modelled by a node pointing to
-itself. Here is a first attempt:
-\begin{isabelle}%
-\ \ \ \ \ find\ {\isacharparenleft}f{\isacharcomma}\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find\ {\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}%
-\end{isabelle}
-This may be viewed as a fixed point finder or as the second half of the well
-known \emph{Union-Find} algorithm.
-The snag is that it may not terminate if \isa{f} has non-trivial cycles.
-Phrased differently, the relation%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{constdefs}\isamarkupfalse%
-\ step{\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymtimes}\ {\isacharprime}a{\isacharparenright}set{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}step{\isadigit{1}}\ f\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}y{\isacharcomma}x{\isacharparenright}{\isachardot}\ y\ {\isacharequal}\ f\ x\ {\isasymand}\ y\ {\isasymnoteq}\ x{\isacharbraceright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-must be well-founded. Thus we make the following definition:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ find\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymtimes}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ find\ {\isachardoublequoteopen}same{\isacharunderscore}fst\ {\isacharparenleft}{\isasymlambda}f{\isachardot}\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}{\isacharparenright}\ step{\isadigit{1}}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ then\ if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ else\ arbitrary{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}simp{\isacharcolon}\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}%
-\begin{isamarkuptext}%
-\noindent
-The recursion equation itself should be clear enough: it is our aborted
-first attempt augmented with a check that there are no non-trivial loops.
-To express the required well-founded relation we employ the
-predefined combinator \isa{same{\isacharunderscore}fst} of type
-\begin{isabelle}%
-\ \ \ \ \ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}b{\isasymtimes}{\isacharprime}b{\isacharparenright}set{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}\ {\isasymtimes}\ {\isacharparenleft}{\isacharprime}a{\isasymtimes}{\isacharprime}b{\isacharparenright}{\isacharparenright}set%
-\end{isabelle}
-defined as
-\begin{isabelle}%
-\ \ \ \ \ same{\isacharunderscore}fst\ P\ R\ {\isasymequiv}\ {\isacharbraceleft}{\isacharparenleft}{\isacharparenleft}x{\isacharprime}{\isacharcomma}\ y{\isacharprime}{\isacharparenright}{\isacharcomma}\ x{\isacharcomma}\ y{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ x\ {\isasymand}\ P\ x\ {\isasymand}\ {\isacharparenleft}y{\isacharprime}{\isacharcomma}\ y{\isacharparenright}\ {\isasymin}\ R\ x{\isacharbraceright}%
-\end{isabelle}
-This combinator is designed for
-recursive functions on pairs where the first component of the argument is
-passed unchanged to all recursive calls. Given a constraint on the first
-component and a relation on the second component, \isa{same{\isacharunderscore}fst} builds the
-required relation on pairs.  The theorem
-\begin{isabelle}%
-\ \ \ \ \ {\isacharparenleft}{\isasymAnd}x{\isachardot}\ P\ x\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}R\ x{\isacharparenright}{\isacharparenright}\ {\isasymLongrightarrow}\ wf\ {\isacharparenleft}same{\isacharunderscore}fst\ P\ R{\isacharparenright}%
-\end{isabelle}
-is known to the well-foundedness prover of \isacommand{recdef}.  Thus
-well-foundedness of the relation given to \isacommand{recdef} is immediate.
-Furthermore, each recursive call descends along that relation: the first
-argument stays unchanged and the second one descends along \isa{step{\isadigit{1}}\ f}. The proof requires unfolding the definition of \isa{step{\isadigit{1}}},
-as specified in the \isacommand{hints} above.
-
-Normally you will then derive the following conditional variant from
-the recursion equation:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isacharbrackleft}simp{\isacharbrackright}{\isacharcolon}\isanewline
-\ \ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}if\ f\ x\ {\isacharequal}\ x\ then\ x\ else\ find{\isacharparenleft}f{\isacharcomma}\ f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent Then you should disable the original recursion equation:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ find{\isachardot}simps{\isacharbrackleft}simp\ del{\isacharbrackright}%
-\begin{isamarkuptext}%
-Reasoning about such underdefined functions is like that for other
-recursive functions.  Here is a simple example of recursion induction:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymlongrightarrow}\ f{\isacharparenleft}find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isacharparenright}\ {\isacharequal}\ find{\isacharparenleft}f{\isacharcomma}x{\isacharparenright}{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}induct{\isacharunderscore}tac\ f\ x\ rule{\isacharcolon}\ find{\isachardot}induct{\isacharparenright}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ simp\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsubsection{The {\tt\slshape while} Combinator%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-If the recursive function happens to be tail recursive, its
-definition becomes a triviality if based on the predefined \cdx{while}
-combinator.  The latter lives in the Library theory \thydx{While_Combinator}.
-% which is not part of {text Main} but needs to
-% be included explicitly among the ancestor theories.
-
-Constant \isa{while} is of type \isa{{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ bool{\isacharparenright}\ {\isasymRightarrow}\ {\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a}
-and satisfies the recursion equation \begin{isabelle}%
-\ \ \ \ \ while\ b\ c\ s\ {\isacharequal}\ {\isacharparenleft}if\ b\ s\ then\ while\ b\ c\ {\isacharparenleft}c\ s{\isacharparenright}\ else\ s{\isacharparenright}%
-\end{isabelle}
-That is, \isa{while\ b\ c\ s} is equivalent to the imperative program
-\begin{verbatim}
-     x := s; while b(x) do x := c(x); return x
-\end{verbatim}
-In general, \isa{s} will be a tuple or record.  As an example
-consider the following definition of function \isa{find}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{constdefs}\isamarkupfalse%
-\ find{\isadigit{2}}\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}{\isacharparenleft}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isasymRightarrow}\ {\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}find{\isadigit{2}}\ f\ x\ {\isasymequiv}\isanewline
-\ \ \ fst{\isacharparenleft}while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-The loop operates on two ``local variables'' \isa{x} and \isa{x{\isacharprime}}
-containing the ``current'' and the ``next'' value of function \isa{f}.
-They are initialized with the global \isa{x} and \isa{f\ x}. At the
-end \isa{fst} selects the local \isa{x}.
-
-Although the definition of tail recursive functions via \isa{while} avoids
-termination proofs, there is no free lunch. When proving properties of
-functions defined by \isa{while}, termination rears its ugly head
-again. Here is \tdx{while_rule}, the well known proof rule for total
-correctness of loops expressed with \isa{while}:
-\begin{isabelle}%
-\ \ \ \ \ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}c\ s{\isacharparenright}{\isacharsemicolon}\isanewline
-\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ {\isasymnot}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ Q\ s{\isacharsemicolon}\ wf\ r{\isacharsemicolon}\isanewline
-\isaindent{\ \ \ \ \ \ }{\isasymAnd}s{\isachardot}\ {\isasymlbrakk}P\ s{\isacharsemicolon}\ b\ s{\isasymrbrakk}\ {\isasymLongrightarrow}\ {\isacharparenleft}c\ s{\isacharcomma}\ s{\isacharparenright}\ {\isasymin}\ r{\isasymrbrakk}\isanewline
-\isaindent{\ \ \ \ \ }{\isasymLongrightarrow}\ Q\ {\isacharparenleft}while\ b\ c\ s{\isacharparenright}%
-\end{isabelle} \isa{P} needs to be true of
-the initial state \isa{s} and invariant under \isa{c} (premises 1
-and~2). The post-condition \isa{Q} must become true when leaving the loop
-(premise~3). And each loop iteration must descend along a well-founded
-relation \isa{r} (premises 4 and~5).
-
-Let us now prove that \isa{find{\isadigit{2}}} does indeed find a fixed point. Instead
-of induction we apply the above while rule, suitably instantiated.
-Only the final premise of \isa{while{\isacharunderscore}rule} is left unproved
-by \isa{auto} but falls to \isa{simp}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ lem{\isacharcolon}\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\isanewline
-\ \ {\isasymexists}y{\isachardot}\ while\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isasymnoteq}\ x{\isacharparenright}\ {\isacharparenleft}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}f\ x{\isacharprime}{\isacharparenright}{\isacharparenright}\ {\isacharparenleft}x{\isacharcomma}f\ x{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}y{\isacharcomma}y{\isacharparenright}\ {\isasymand}\isanewline
-\ \ \ \ \ \ \ f\ y\ {\isacharequal}\ y{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}rule{\isacharunderscore}tac\ P\ {\isacharequal}\ {\isachardoublequoteopen}{\isasymlambda}{\isacharparenleft}x{\isacharcomma}x{\isacharprime}{\isacharparenright}{\isachardot}\ x{\isacharprime}\ {\isacharequal}\ f\ x{\isachardoublequoteclose}\ \isakeyword{and}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ r\ {\isacharequal}\ {\isachardoublequoteopen}inv{\isacharunderscore}image\ {\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ fst{\isachardoublequoteclose}\ \isakeyword{in}\ while{\isacharunderscore}rule{\isacharparenright}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ auto\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}simp\ add{\isacharcolon}\ inv{\isacharunderscore}image{\isacharunderscore}def\ step{\isadigit{1}}{\isacharunderscore}def{\isacharparenright}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The theorem itself is a simple consequence of this lemma:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isachardoublequoteopen}wf{\isacharparenleft}step{\isadigit{1}}\ f{\isacharparenright}\ {\isasymLongrightarrow}\ f{\isacharparenleft}find{\isadigit{2}}\ f\ x{\isacharparenright}\ {\isacharequal}\ find{\isadigit{2}}\ f\ x{\isachardoublequoteclose}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}drule{\isacharunderscore}tac\ x\ {\isacharequal}\ x\ \isakeyword{in}\ lem{\isacharparenright}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isacharparenleft}auto\ simp\ add{\isacharcolon}\ find{\isadigit{2}}{\isacharunderscore}def{\isacharparenright}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Let us conclude this section on partial functions by a
-discussion of the merits of the \isa{while} combinator. We have
-already seen that the advantage of not having to
-provide a termination argument when defining a function via \isa{while} merely puts off the evil hour. On top of that, tail recursive
-functions tend to be more complicated to reason about. So why use
-\isa{while} at all? The only reason is executability: the recursion
-equation for \isa{while} is a directly executable functional
-program. This is in stark contrast to guarded recursion as introduced
-above which requires an explicit test \isa{x\ {\isasymin}\ dom\ f} in the
-function body.  Unless \isa{dom} is trivial, this leads to a
-definition that is impossible to execute or prohibitively slow.
-Thus, if you are aiming for an efficiently executable definition
-of a partial function, you are likely to need \isa{while}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Plus.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,74 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Plus}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent Define the following addition function%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ add\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}add\ m\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ add\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent and prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}add\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{2B}{\isacharplus}}n{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Public.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,321 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Public}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-The function
-\isa{pubK} maps agents to their public keys.  The function
-\isa{priK} maps agents to their private keys.  It is merely
-an abbreviation (cf.\ \S\ref{sec:abbreviations}) defined in terms of
-\isa{invKey} and \isa{pubK}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ pubK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{abbreviation}\isamarkupfalse%
-\ priK\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}agent\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ key{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}priK\ x\ \ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ \ invKey{\isaliteral{28}{\isacharparenleft}}pubK\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The set \isa{bad} consists of those agents whose private keys are known to
-the spy.
-
-Two axioms are asserted about the public-key cryptosystem. 
-No two agents have the same public key, and no private key equals
-any public key.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{axioms}\isamarkupfalse%
-\isanewline
-\ \ inj{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}inj\ pubK{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ priK{\isaliteral{5F}{\isacharunderscore}}neq{\isaliteral{5F}{\isacharunderscore}}pubK{\isaliteral{3A}{\isacharcolon}}\ \ \ {\isaliteral{22}{\isachardoublequoteopen}}priK\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ pubK\ B{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isatagML
-%
-\endisatagML
-{\isafoldML}%
-%
-\isadelimML
-%
-\endisadelimML
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Records.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,665 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Records}%
-%
-\isamarkupheader{Records \label{sec:records}%
-}
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\index{records|(}%
-  Records are familiar from programming languages.  A record of $n$
-  fields is essentially an $n$-tuple, but the record's components have
-  names, which can make expressions easier to read and reduces the
-  risk of confusing one field for another.
-
-  A record of Isabelle/HOL covers a collection of fields, with select
-  and update operations.  Each field has a specified type, which may
-  be polymorphic.  The field names are part of the record type, and
-  the order of the fields is significant --- as it is in Pascal but
-  not in Standard ML.  If two different record types have field names
-  in common, then the ambiguity is resolved in the usual way, by
-  qualified names.
-
-  Record types can also be defined by extending other record types.
-  Extensible records make use of the reserved pseudo-field \cdx{more},
-  which is present in every record type.  Generic record operations
-  work on all possible extensions of a given type scheme; polymorphism
-  takes care of structural sub-typing behind the scenes.  There are
-  also explicit coercion functions between fixed record types.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Record Basics%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Record types are not primitive in Isabelle and have a delicate
-  internal representation \cite{NaraschewskiW-TPHOLs98}, based on
-  nested copies of the primitive product type.  A \commdx{record}
-  declaration introduces a new record type scheme by specifying its
-  fields, which are packaged internally to hold up the perception of
-  the record as a distinguished entity.  Here is a simple example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{record}\isamarkupfalse%
-\ point\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int\isanewline
-\ \ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int%
-\begin{isamarkuptext}%
-\noindent
-  Records of type \isa{point} have two fields named \isa{Xcoord}
-  and \isa{Ycoord}, both of type~\isa{int}.  We now define a
-  constant of type \isa{point}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ pt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ point\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{7C}{\isacharbar}}\ Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}\ {\isaliteral{7C}{\isacharbar}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-  We see above the ASCII notation for record brackets.  You can also
-  use the symbolic brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.  Record type
-  expressions can be also written directly with individual fields.
-  The type name above is merely an abbreviation.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ pt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}pt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{2D}{\isacharminus}}{\isadigit{4}}{\isadigit{5}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{7}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-For each field, there is a \emph{selector}\index{selector!record}
-  function of the same name.  For example, if \isa{p} has type \isa{point} then \isa{Xcoord\ p} denotes the value of the \isa{Xcoord} field of~\isa{p}.  Expressions involving field selection
-  of explicit records are simplified automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The \emph{update}\index{update!record} operation is functional.  For
-  example, \isa{p{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is a record whose \isa{Xcoord}
-  value is zero and whose \isa{Ycoord} value is copied from~\isa{p}.  Updates of explicit records are also simplified automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ \ \ \ \ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{warn}
-  Field names are declared as constants and can no longer be used as
-  variables.  It would be unwise, for example, to call the fields of
-  type \isa{point} simply \isa{x} and~\isa{y}.
-  \end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Extensible Records and Generic Operations%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{records!extensible|(}%
-
-  Now, let us define coloured points (type \isa{cpoint}) to be
-  points extended with a field \isa{col} of type \isa{colour}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ colour\ {\isaliteral{3D}{\isacharequal}}\ Red\ {\isaliteral{7C}{\isacharbar}}\ Green\ {\isaliteral{7C}{\isacharbar}}\ Blue\isanewline
-\isanewline
-\isacommand{record}\isamarkupfalse%
-\ cpoint\ {\isaliteral{3D}{\isacharequal}}\ point\ {\isaliteral{2B}{\isacharplus}}\isanewline
-\ \ col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour%
-\begin{isamarkuptext}%
-\noindent
-  The fields of this new type are \isa{Xcoord}, \isa{Ycoord} and
-  \isa{col}, in that order.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ cpt{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-We can define generic operations that work on arbitrary
-  instances of a record scheme, e.g.\ covering \isa{point}, \isa{cpoint}, and any further extensions.  Every record structure has an
-  implicit pseudo-field, \cdx{more}, that keeps the extension as an
-  explicit value.  Its type is declared as completely
-  polymorphic:~\isa{{\isaliteral{27}{\isacharprime}}a}.  When a fixed record value is expressed
-  using just its standard fields, the value of \isa{more} is
-  implicitly set to \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}}, the empty tuple, which has type
-  \isa{unit}.  Within the record brackets, you can refer to the
-  \isa{more} field by writing ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'' (three dots):%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}Xcoord\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-This lemma applies to any record whose first two fields are \isa{Xcoord} and~\isa{Ycoord}.  Note that \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}} is exactly the same as \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.  Selectors and updates are always polymorphic wrt.\ the
-  \isa{more} part of a record scheme, its value is just ignored (for
-  select) or copied (for update).
-
-  The \isa{more} pseudo-field may be manipulated directly as well,
-  but the identifier needs to be qualified:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}more\ cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-  We see that the colour part attached to this \isa{point} is a
-  rudimentary record in its own right, namely \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ Green{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.  In order to select or update \isa{col}, this fragment
-  needs to be put back into the context of the parent type scheme, say
-  as \isa{more} part of another \isa{point}.
-
-  To define generic operations, we need to know a bit more about
-  records.  Our definition of \isa{point} above has generated two
-  type abbreviations:
-
-  \medskip
-  \begin{tabular}{l}
-  \isa{point}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
-  \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}~\isa{{\isaliteral{3D}{\isacharequal}}}~\isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ int{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C72706172723E}{\isasymrparr}}} \\
-  \end{tabular}
-  \medskip
-  
-\noindent
-  Type \isa{point} is for fixed records having exactly the two fields
-  \isa{Xcoord} and~\isa{Ycoord}, while the polymorphic type \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme} comprises all possible extensions to those two
-  fields.  Note that \isa{unit\ point{\isaliteral{5F}{\isacharunderscore}}scheme} coincides with \isa{point}, and \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ colour{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ point{\isaliteral{5F}{\isacharunderscore}}scheme} with \isa{cpoint}.
-
-  In the following example we define two operations --- methods, if we
-  regard records as objects --- to get and set any point's \isa{Xcoord} field.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ getX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}getX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Xcoord\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{definition}\isamarkupfalse%
-\ setX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ int\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}setX\ r\ a\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Here is a generic method that modifies a point, incrementing its
-  \isa{Xcoord} field.  The \isa{Ycoord} and \isa{more} fields
-  are copied across.  It works for any record type scheme derived from
-  \isa{point} (including \isa{cpoint} etc.):%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ incX\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
-\ \ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Generic theorems can be proved about generic methods.  This trivial
-  lemma relates \isa{incX} to \isa{getX} and \isa{setX}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}incX\ r\ {\isaliteral{3D}{\isacharequal}}\ setX\ r\ {\isaliteral{28}{\isacharparenleft}}getX\ r\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{1}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ getX{\isaliteral{5F}{\isacharunderscore}}def\ setX{\isaliteral{5F}{\isacharunderscore}}def\ incX{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{warn}
-  If you use the symbolic record brackets \isa{{\isaliteral{5C3C6C706172723E}{\isasymlparr}}} and \isa{{\isaliteral{5C3C72706172723E}{\isasymrparr}}},
-  then you must also use the symbolic ellipsis, ``\isa{{\isaliteral{5C3C646F74733E}{\isasymdots}}}'', rather
-  than three consecutive periods, ``\isa{{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}{\isaliteral{2E}{\isachardot}}}''.  Mixing the ASCII
-  and symbolic versions causes a syntax error.  (The two versions are
-  more distinct on screen than they are on paper.)
-  \end{warn}%
-  \index{records!extensible|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Record Equality%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Two records are equal\index{equality!of records} if all pairs of
-  corresponding fields are equal.  Concrete record equalities are
-  simplified automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ b\ {\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The following equality is similar, but generic, in that \isa{r}
-  can be any instance of \isa{{\isaliteral{27}{\isacharprime}}a\ point{\isaliteral{5F}{\isacharunderscore}}scheme}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{2C}{\isacharcomma}}\ Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-  We see above the syntax for iterated updates.  We could equivalently
-  have written the left-hand side as \isa{r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Ycoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ b{\isaliteral{5C3C72706172723E}{\isasymrparr}}}.
-
-  Record equality is \emph{extensional}:
-  \index{extensionality!for records} a record is determined entirely
-  by the values of its fields.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-  The generic version of this equality includes the pseudo-field
-  \isa{more}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ point{\isaliteral{2E}{\isachardot}}more\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The simplifier can prove many record equalities
-  automatically, but general equality reasoning can be tricky.
-  Consider proving this obvious fact:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ simp{\isaliteral{3F}{\isacharquery}}\isanewline
-\ \ \isacommand{oops}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-  Here the simplifier can do nothing, since general record equality is
-  not eliminated automatically.  One way to proceed is by an explicit
-  forward step that applies the selector \isa{Xcoord} to both sides
-  of the assumed record equality:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}drule{\isaliteral{5F}{\isacharunderscore}}tac\ f\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ \isakeyword{in}\ arg{\isaliteral{5F}{\isacharunderscore}}cong{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ {\isaliteral{28}{\isacharparenleft}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
-\end{isabelle}
-    Now, \isa{simp} will reduce the assumption to the desired
-    conclusion.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{apply}\isamarkupfalse%
-\ simp\isanewline
-\ \ \isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The \isa{cases} method is preferable to such a forward proof.  We
-  state the desired lemma again:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-The \methdx{cases} method adds an equality to replace the
-  named record term by an explicit record expression, listing all
-  fields.  It even includes the pseudo-field \isa{more}, since the
-  record equality stated here is generic for all extensions.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}Xcoord\ Ycoord\ more{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{5C3C72706172723E}{\isasymrparr}}\ {\isaliteral{3D}{\isacharequal}}\ r{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ \ }r\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ a\ {\isaliteral{3D}{\isacharequal}}\ a{\isaliteral{27}{\isacharprime}}%
-\end{isabelle} Again, \isa{simp} finishes the proof.  Because \isa{r} is now represented as
-  an explicit record construction, the updates can be applied and the
-  record equality can be replaced by equality of the corresponding
-  fields (due to injectivity).%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{apply}\isamarkupfalse%
-\ simp\isanewline
-\ \ \isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-The generic cases method does not admit references to locally bound
-  parameters of a goal.  In longer proof scripts one might have to
-  fall back on the primitive \isa{rule{\isaliteral{5F}{\isacharunderscore}}tac} used together with the
-  internal field representation rules of records.  The above use of
-  \isa{{\isaliteral{28}{\isacharparenleft}}cases\ r{\isaliteral{29}{\isacharparenright}}} would become \isa{{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ r\ {\isaliteral{3D}{\isacharequal}}\ r\ in\ point{\isaliteral{2E}{\isachardot}}cases{\isaliteral{5F}{\isacharunderscore}}scheme{\isaliteral{29}{\isacharparenright}}}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Extending and Truncating Records%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Each record declaration introduces a number of derived operations to
-  refer collectively to a record's fields and to convert between fixed
-  record types.  They can, for instance, convert between types \isa{point} and \isa{cpoint}.  We can add a colour to a point or convert
-  a \isa{cpoint} to a \isa{point} by forgetting its colour.
-
-  \begin{itemize}
-
-  \item Function \cdx{make} takes as arguments all of the record's
-  fields (including those inherited from ancestors).  It returns the
-  corresponding record.
-
-  \item Function \cdx{fields} takes the record's very own fields and
-  returns a record fragment consisting of just those fields.  This may
-  be filled into the \isa{more} part of the parent record scheme.
-
-  \item Function \cdx{extend} takes two arguments: a record to be
-  extended and a record containing the new fields.
-
-  \item Function \cdx{truncate} takes a record (possibly an extension
-  of the original record type) and returns a fixed record, removing
-  any additional fields.
-
-  \end{itemize}
-  These functions provide useful abbreviations for standard
-  record expressions involving constructors and selectors.  The
-  definitions, which are \emph{not} unfolded by default, are made
-  available by the collective name of \isa{defs} (\isa{point{\isaliteral{2E}{\isachardot}}defs}, \isa{cpoint{\isaliteral{2E}{\isachardot}}defs}, etc.).
-  For example, here are the versions of those functions generated for
-  record \isa{point}.  We omit \isa{point{\isaliteral{2E}{\isachardot}}fields}, which happens to
-  be the same as \isa{point{\isaliteral{2E}{\isachardot}}make}.
-
-  \begin{isabelle}%
-point{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
-point{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
-{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
-point{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
-\end{isabelle}
-  Contrast those with the corresponding functions for record \isa{cpoint}.  Observe \isa{cpoint{\isaliteral{2E}{\isachardot}}fields} in particular.
-  \begin{isabelle}%
-cpoint{\isaliteral{2E}{\isachardot}}make\ Xcoord\ Ycoord\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
-{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
-cpoint{\isaliteral{2E}{\isachardot}}fields\ col\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{5C3C6C706172723E}{\isasymlparr}}col\ {\isaliteral{3D}{\isacharequal}}\ col{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
-cpoint{\isaliteral{2E}{\isachardot}}extend\ r\ more\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
-{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}\ {\isaliteral{3D}{\isacharequal}}\ more{\isaliteral{5C3C72706172723E}{\isasymrparr}}\isasep\isanewline%
-cpoint{\isaliteral{2E}{\isachardot}}truncate\ r\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\isanewline
-{\isaliteral{5C3C6C706172723E}{\isasymlparr}}Xcoord\ {\isaliteral{3D}{\isacharequal}}\ Xcoord\ r{\isaliteral{2C}{\isacharcomma}}\ Ycoord\ {\isaliteral{3D}{\isacharequal}}\ Ycoord\ r{\isaliteral{2C}{\isacharcomma}}\ col\ {\isaliteral{3D}{\isacharequal}}\ col\ r{\isaliteral{5C3C72706172723E}{\isasymrparr}}%
-\end{isabelle}
-
-  To demonstrate these functions, we declare a new coloured point by
-  extending an ordinary point.  Function \isa{point{\isaliteral{2E}{\isachardot}}extend} augments
-  \isa{pt{\isadigit{1}}} with a colour value, which is converted into an
-  appropriate record fragment by \isa{cpoint{\isaliteral{2E}{\isachardot}}fields}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ cpt{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ cpoint\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{2}}\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ point{\isaliteral{2E}{\isachardot}}extend\ pt{\isadigit{1}}\ {\isaliteral{28}{\isacharparenleft}}cpoint{\isaliteral{2E}{\isachardot}}fields\ Green{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The coloured points \isa{cpt{\isadigit{1}}} and \isa{cpt{\isadigit{2}}} are equal.  The
-  proof is trivial, by unfolding all the definitions.  We deliberately
-  omit the definition of~\isa{pt{\isadigit{1}}} in order to reveal the underlying
-  comparison on type \isa{point}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}cpt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ cpt{\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ cpt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs\ cpoint{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ Xcoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Ycoord\ pt{\isadigit{1}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}{\isadigit{3}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \ \isacommand{apply}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-In the example below, a coloured point is truncated to leave a
-  point.  We use the \isa{truncate} function of the target record.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}point{\isaliteral{2E}{\isachardot}}truncate\ cpt{\isadigit{2}}\ {\isaliteral{3D}{\isacharequal}}\ pt{\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-\ \ %
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ pt{\isadigit{1}}{\isaliteral{5F}{\isacharunderscore}}def\ cpt{\isadigit{2}}{\isaliteral{5F}{\isacharunderscore}}def\ point{\isaliteral{2E}{\isachardot}}defs{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\begin{exercise}
-  Extend record \isa{cpoint} to have a further field, \isa{intensity}, of type~\isa{nat}.  Experiment with generic operations
-  (using polymorphic selectors and updates) and explicit coercions
-  (using \isa{extend}, \isa{truncate} etc.) among the three record
-  types.
-  \end{exercise}
-
-  \begin{exercise}
-  (For Java programmers.)
-  Model a small class hierarchy using records.
-  \end{exercise}
-  \index{records|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Star.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,315 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Star}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{The Reflexive Transitive Closure%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:rtc}
-\index{reflexive transitive closure!defining inductively|(}%
-An inductive definition may accept parameters, so it can express 
-functions that yield sets.
-Relations too can be defined inductively, since they are just sets of pairs.
-A perfect example is the function that maps a relation to its
-reflexive transitive closure.  This concept was already
-introduced in \S\ref{sec:Relations}, where the operator \isa{\isaliteral{5C3C5E7375703E}{}\isactrlsup {\isaliteral{2A}{\isacharasterisk}}} was
-defined as a least fixed point because inductive definitions were not yet
-available. But now they are:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ rtc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isadigit{0}}{\isadigit{0}}{\isadigit{0}}{\isaliteral{5D}{\isacharbrackright}}\ {\isadigit{9}}{\isadigit{9}}{\isadigit{9}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-\ \ rtc{\isaliteral{5F}{\isacharunderscore}}refl{\isaliteral{5B}{\isacharbrackleft}}iff{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{3A}{\isacharcolon}}\ \ \ \ \ \ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The function \isa{rtc} is annotated with concrete syntax: instead of
-\isa{rtc\ r} we can write \isa{r{\isaliteral{2A}{\isacharasterisk}}}. The actual definition
-consists of two rules. Reflexivity is obvious and is immediately given the
-\isa{iff} attribute to increase automation. The
-second rule, \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}, says that we can always add one more
-\isa{r}-step to the left. Although we could make \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} an
-introduction rule, this is dangerous: the recursion in the second premise
-slows down and may even kill the automatic tactics.
-
-The above definition of the concept of reflexive transitive closure may
-be sufficiently intuitive but it is certainly not the only possible one:
-for a start, it does not even mention transitivity.
-The rest of this section is devoted to proving that it is equivalent to
-the standard definition. We start with a simple lemma:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}intro{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Although the lemma itself is an unremarkable consequence of the basic rules,
-it has the advantage that it can be declared an introduction rule without the
-danger of killing the automatic tactics because \isa{r{\isaliteral{2A}{\isacharasterisk}}} occurs only in
-the conclusion and not in the premise. Thus some proofs that would otherwise
-need \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} can now be found automatically. The proof also
-shows that \isa{blast} is able to handle \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step}. But
-some of the other automatic tactics are more sensitive, and even \isa{blast} can be lead astray in the presence of large numbers of rules.
-
-To prove transitivity, we need rule induction, i.e.\ theorem
-\isa{rtc{\isaliteral{2E}{\isachardot}}induct}:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ x{\isaliteral{3B}{\isacharsemicolon}}\isanewline
-\isaindent{\ \ \ \ \ \ }{\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ z{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{3F}{\isacharquery}}P\ y\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ z{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}%
-\end{isabelle}
-It says that \isa{{\isaliteral{3F}{\isacharquery}}P} holds for an arbitrary pair \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}x{\isadigit{1}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{3F}{\isacharquery}}x{\isadigit{2}}{\isaliteral{2E}{\isachardot}}{\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{3F}{\isacharquery}}r{\isaliteral{2A}{\isacharasterisk}}}
-if \isa{{\isaliteral{3F}{\isacharquery}}P} is preserved by all rules of the inductive definition,
-i.e.\ if \isa{{\isaliteral{3F}{\isacharquery}}P} holds for the conclusion provided it holds for the
-premises. In general, rule induction for an $n$-ary inductive relation $R$
-expects a premise of the form $(x@1,\dots,x@n) \in R$.
-
-Now we turn to the inductive proof of transitivity:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Unfortunately, even the base case is a problem:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
-\end{isabelle}
-We have to abandon this proof attempt.
-To understand what is going on, let us look again at \isa{rtc{\isaliteral{2E}{\isachardot}}induct}.
-In the above application of \isa{erule}, the first premise of
-\isa{rtc{\isaliteral{2E}{\isachardot}}induct} is unified with the first suitable assumption, which
-is \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} rather than \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}. Although that
-is what we want, it is merely due to the order in which the assumptions occur
-in the subgoal, which it is not good practice to rely on. As a result,
-\isa{{\isaliteral{3F}{\isacharquery}}xb} becomes \isa{x}, \isa{{\isaliteral{3F}{\isacharquery}}xa} becomes
-\isa{y} and \isa{{\isaliteral{3F}{\isacharquery}}P} becomes \isa{{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}u\ v{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}u{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}}, thus
-yielding the above subgoal. So what went wrong?
-
-When looking at the instantiation of \isa{{\isaliteral{3F}{\isacharquery}}P} we see that it does not
-depend on its second parameter at all. The reason is that in our original
-goal, of the pair \isa{{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}} only \isa{x} appears also in the
-conclusion, but not \isa{y}. Thus our induction statement is too
-general. Fortunately, it can easily be specialized:
-transfer the additional premise \isa{{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}} into the conclusion:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{5B}{\isacharbrackleft}}rule{\isaliteral{5F}{\isacharunderscore}}format{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-This is not an obscure trick but a generally applicable heuristic:
-\begin{quote}\em
-When proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
-pull all other premises containing any of the $x@i$ into the conclusion
-using $\longrightarrow$.
-\end{quote}
-A similar heuristic for other kinds of inductions is formulated in
-\S\ref{sec:ind-var-in-prems}. The \isa{rule{\isaliteral{5F}{\isacharunderscore}}format} directive turns
-\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}} back into \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}}: in the end we obtain the original
-statement of our lemma.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Now induction produces two subgoals which are both proved automatically:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x\ y\ za{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ za{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}za{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
-\end{isabelle}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}step{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Let us now prove that \isa{r{\isaliteral{2A}{\isacharasterisk}}} is really the reflexive transitive closure
-of \isa{r}, i.e.\ the least reflexive and transitive
-relation containing \isa{r}. The latter is easily formalized%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{inductive{\isaliteral{5F}{\isacharunderscore}}set}\isamarkupfalse%
-\isanewline
-\ \ rtc{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\ \ \isakeyword{for}\ r\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}set{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{where}\isanewline
-\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-{\isaliteral{7C}{\isacharbar}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-and the equivalence of the two definitions is easily shown by the obvious rule
-inductions:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isaliteral{5F}{\isacharunderscore}}trans{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ rtc{\isadigit{2}}\ r{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}erule\ rtc{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}blast\ intro{\isaliteral{3A}{\isacharcolon}}\ rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}intros{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-So why did we start with the first definition? Because it is simpler. It
-contains only two rules, and the single step rule is simpler than
-transitivity.  As a consequence, \isa{rtc{\isaliteral{2E}{\isachardot}}induct} is simpler than
-\isa{rtc{\isadigit{2}}{\isaliteral{2E}{\isachardot}}induct}. Since inductive proofs are hard enough
-anyway, we should always pick the simplest induction schema available.
-Hence \isa{rtc} is the definition of choice.
-\index{reflexive transitive closure!defining inductively|)}
-
-\begin{exercise}\label{ex:converse-rtc-step}
-Show that the converse of \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} also holds:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}{\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{2C}{\isacharcomma}}\ z{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ r{\isaliteral{2A}{\isacharasterisk}}%
-\end{isabelle}
-\end{exercise}
-\begin{exercise}
-Repeat the development of this section, but starting with a definition of
-\isa{rtc} where \isa{rtc{\isaliteral{5F}{\isacharunderscore}}step} is replaced by its converse as shown
-in exercise~\ref{ex:converse-rtc-step}.
-\end{exercise}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/ToyList.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,530 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{ToyList}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-\isacommand{theory}\isamarkupfalse%
-\ ToyList\isanewline
-\isakeyword{imports}\ Datatype\isanewline
-\isakeyword{begin}%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-HOL already has a predefined theory of lists called \isa{List} ---
-\isa{ToyList} is merely a small fragment of it chosen as an example. In
-contrast to what is recommended in \S\ref{sec:Basic:Theories},
-\isa{ToyList} is not based on \isa{Main} but on \isa{Datatype}, a
-theory that contains pretty much everything but lists, thus avoiding
-ambiguities caused by defining lists twice.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{23}{\isacharhash}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptext}%
-\noindent
-The datatype\index{datatype@\isacommand {datatype} (command)}
-\tydx{list} introduces two
-constructors \cdx{Nil} and \cdx{Cons}, the
-empty~list and the operator that adds an element to the front of a list. For
-example, the term \isa{Cons True (Cons False Nil)} is a value of
-type \isa{bool\ list}, namely the list with the elements \isa{True} and
-\isa{False}. Because this notation quickly becomes unwieldy, the
-datatype declaration is annotated with an alternative syntax: instead of
-\isa{Nil} and \isa{Cons x xs} we can write
-\isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}\index{$HOL2list@\isa{[]}|bold} and
-\isa{x\ {\isaliteral{23}{\isacharhash}}\ xs}\index{$HOL2list@\isa{\#}|bold}. In fact, this
-alternative syntax is the familiar one.  Thus the list \isa{Cons True
-(Cons False Nil)} becomes \isa{True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}. The annotation
-\isacommand{infixr}\index{infixr@\isacommand{infixr} (annotation)} 
-means that \isa{{\isaliteral{23}{\isacharhash}}} associates to
-the right: the term \isa{x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ z} is read as \isa{x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ z{\isaliteral{29}{\isacharparenright}}}
-and not as \isa{{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ z}.
-The \isa{{\isadigit{6}}{\isadigit{5}}} is the priority of the infix \isa{{\isaliteral{23}{\isacharhash}}}.
-
-\begin{warn}
-  Syntax annotations can be powerful, but they are difficult to master and 
-  are never necessary.  You
-  could drop them from theory \isa{ToyList} and go back to the identifiers
-  \isa{Nil} and \isa{Cons}.  Novices should avoid using
-  syntax annotations in their own theories.
-\end{warn}
-Next, two functions \isa{app} and \cdx{rev} are defined recursively,
-in this order, because Isabelle insists on definition before use:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ app\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{28}{\isacharparenleft}}\isakeyword{infixr}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{40}{\isacharat}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isadigit{6}}{\isadigit{5}}{\isaliteral{29}{\isacharparenright}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ ys\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isanewline
-\isacommand{primrec}\isamarkupfalse%
-\ rev\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ xs{\isaliteral{29}{\isacharparenright}}\ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Each function definition is of the form
-\begin{center}
-\isacommand{primrec} \textit{name} \isa{{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}} \textit{type} \textit{(optional syntax)} \isakeyword{where} \textit{equations}
-\end{center}
-The equations must be separated by \isa{{\isaliteral{7C}{\isacharbar}}}.
-%
-Function \isa{app} is annotated with concrete syntax. Instead of the
-prefix syntax \isa{app\ xs\ ys} the infix
-\isa{xs\ {\isaliteral{40}{\isacharat}}\ ys}\index{$HOL2list@\isa{\at}|bold} becomes the preferred
-form.
-
-\index{*rev (constant)|(}\index{append function|(}
-The equations for \isa{app} and \isa{rev} hardly need comments:
-\isa{app} appends two lists and \isa{rev} reverses a list.  The
-keyword \commdx{primrec} indicates that the recursion is
-of a particularly primitive kind where each recursive call peels off a datatype
-constructor from one of the arguments.  Thus the
-recursion always terminates, i.e.\ the function is \textbf{total}.
-\index{functions!total}
-
-The termination requirement is absolutely essential in HOL, a logic of total
-functions. If we were to drop it, inconsistencies would quickly arise: the
-``definition'' $f(n) = f(n)+1$ immediately leads to $0 = 1$ by subtracting
-$f(n)$ on both sides.
-% However, this is a subtle issue that we cannot discuss here further.
-
-\begin{warn}
-  As we have indicated, the requirement for total functions is an essential characteristic of HOL\@. It is only
-  because of totality that reasoning in HOL is comparatively easy.  More
-  generally, the philosophy in HOL is to refrain from asserting arbitrary axioms (such as
-  function definitions whose totality has not been proved) because they
-  quickly lead to inconsistencies. Instead, fixed constructs for introducing
-  types and functions are offered (such as \isacommand{datatype} and
-  \isacommand{primrec}) which are guaranteed to preserve consistency.
-\end{warn}
-
-\index{syntax}%
-A remark about syntax.  The textual definition of a theory follows a fixed
-syntax with keywords like \isacommand{datatype} and \isacommand{end}.
-% (see Fig.~\ref{fig:keywords} in Appendix~\ref{sec:Appendix} for a full list).
-Embedded in this syntax are the types and formulae of HOL, whose syntax is
-extensible (see \S\ref{sec:concrete-syntax}), e.g.\ by new user-defined infix operators.
-To distinguish the two levels, everything
-HOL-specific (terms and types) should be enclosed in
-\texttt{"}\dots\texttt{"}. 
-To lessen this burden, quotation marks around a single identifier can be
-dropped, unless the identifier happens to be a keyword, for example
-\isa{"end"}.
-When Isabelle prints a syntax error message, it refers to the HOL syntax as
-the \textbf{inner syntax} and the enclosing theory language as the \textbf{outer syntax}.
-
-Comments\index{comment} must be in enclosed in \texttt{(* }and\texttt{ *)}.
-
-\section{Evaluation}
-\index{evaluation}
-
-Assuming you have processed the declarations and definitions of
-\texttt{ToyList} presented so far, you may want to test your
-functions by running them. For example, what is the value of
-\isa{rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}? Command%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{value}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}True\ {\isaliteral{23}{\isacharhash}}\ False\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent yields the correct result \isa{False\ {\isaliteral{23}{\isacharhash}}\ True\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
-But we can go beyond mere functional programming and evaluate terms with
-variables in them, executing functions symbolically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{value}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ c\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent yields \isa{c\ {\isaliteral{23}{\isacharhash}}\ b\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}.
-
-\section{An Introductory Proof}
-\label{sec:intro-proof}
-
-Having convinced ourselves (as well as one can by testing) that our
-definitions capture our intentions, we are ready to prove a few simple
-theorems. This will illustrate not just the basic proof commands but
-also the typical proof process.
-
-\subsubsection*{Main Goal.}
-
-Our goal is to show that reversing a list twice produces the original
-list.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\index{theorem@\isacommand {theorem} (command)|bold}%
-\noindent
-This \isacommand{theorem} command does several things:
-\begin{itemize}
-\item
-It establishes a new theorem to be proved, namely \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}.
-\item
-It gives that theorem the name \isa{rev{\isaliteral{5F}{\isacharunderscore}}rev}, for later reference.
-\item
-It tells Isabelle (via the bracketed attribute \attrdx{simp}) to take the eventual theorem as a simplification rule: future proofs involving
-simplification will replace occurrences of \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} by
-\isa{xs}.
-\end{itemize}
-The name and the simplification attribute are optional.
-Isabelle's response is to print the initial proof state consisting
-of some header information (like how many subgoals there are) followed by
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
-\end{isabelle}
-For compactness reasons we omit the header in this tutorial.
-Until we have finished a proof, the \rmindex{proof state} proper
-always looks like this:
-\begin{isabelle}
-~1.~$G\sb{1}$\isanewline
-~~\vdots~~\isanewline
-~$n$.~$G\sb{n}$
-\end{isabelle}
-The numbered lines contain the subgoals $G\sb{1}$, \dots, $G\sb{n}$
-that we need to prove to establish the main goal.\index{subgoals}
-Initially there is only one subgoal, which is identical with the
-main goal. (If you always want to see the main goal as well,
-set the flag \isa{Proof.show_main_goal}\index{*show_main_goal (flag)}
---- this flag used to be set by default.)
-
-Let us now get back to \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs}. Properties of recursively
-defined functions are best established by induction. In this case there is
-nothing obvious except induction on \isa{xs}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent\index{*induct_tac (method)}%
-This tells Isabelle to perform induction on variable \isa{xs}. The suffix
-\isa{tac} stands for \textbf{tactic},\index{tactics}
-a synonym for ``theorem proving function''.
-By default, induction acts on the first subgoal. The new proof state contains
-two subgoals, namely the base case (\isa{Nil}) and the induction step
-(\isa{Cons}):
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ {\isaliteral{28}{\isacharparenleft}}a\ {\isaliteral{23}{\isacharhash}}\ list{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
-\end{isabelle}
-
-The induction step is an example of the general format of a subgoal:\index{subgoals}
-\begin{isabelle}
-~$i$.~{\isasymAnd}$x\sb{1}$~\dots$x\sb{n}$.~{\it assumptions}~{\isasymLongrightarrow}~{\it conclusion}
-\end{isabelle}\index{$IsaAnd@\isasymAnd|bold}
-The prefix of bound variables \isasymAnd$x\sb{1}$~\dots~$x\sb{n}$ can be
-ignored most of the time, or simply treated as a list of variables local to
-this subgoal. Their deeper significance is explained in Chapter~\ref{chap:rules}.
-The {\it assumptions}\index{assumptions!of subgoal}
-are the local assumptions for this subgoal and {\it
-  conclusion}\index{conclusion!of subgoal} is the actual proposition to be proved. 
-Typical proof steps
-that add new assumptions are induction and case distinction. In our example
-the only assumption is the induction hypothesis \isa{rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list}, where \isa{list} is a variable name chosen by Isabelle. If there
-are multiple assumptions, they are enclosed in the bracket pair
-\indexboldpos{\isasymlbrakk}{$Isabrl} and
-\indexboldpos{\isasymrbrakk}{$Isabrr} and separated by semicolons.
-
-Let us try to solve both goals automatically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-This command tells Isabelle to apply a proof strategy called
-\isa{auto} to all subgoals. Essentially, \isa{auto} tries to
-simplify the subgoals.  In our case, subgoal~1 is solved completely (thanks
-to the equation \isa{rev\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}) and disappears; the simplified version
-of subgoal~2 becomes the new subgoal~1:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ rev\ {\isaliteral{28}{\isacharparenleft}}rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list%
-\end{isabelle}
-In order to simplify this subgoal further, a lemma suggests itself.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsubsection{First Lemma%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\indexbold{abandoning a proof}\indexbold{proofs!abandoning}
-After abandoning the above proof attempt (at the shell level type
-\commdx{oops}) we start a new proof:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent The keywords \commdx{theorem} and
-\commdx{lemma} are interchangeable and merely indicate
-the importance we attach to a proposition.  Therefore we use the words
-\emph{theorem} and \emph{lemma} pretty much interchangeably, too.
-
-There are two variables that we could induct on: \isa{xs} and
-\isa{ys}. Because \isa{{\isaliteral{40}{\isacharat}}} is defined by recursion on
-the first argument, \isa{xs} is the correct one:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-This time not even the base case is solved automatically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ rev\ ys\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-Again, we need to abandon this proof attempt and prove another simple lemma
-first. In the future the step of abandoning an incomplete proof before
-embarking on the proof of a lemma usually remains implicit.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsubsection{Second Lemma%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-We again try the canonical proof procedure:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-It works, yielding the desired message \isa{No\ subgoals{\isaliteral{21}{\isacharbang}}}:
-\begin{isabelle}%
-xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
-No\ subgoals{\isaliteral{21}{\isacharbang}}%
-\end{isabelle}
-We still need to confirm that the proof is now finished:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-As a result of that final \commdx{done}, Isabelle associates the lemma just proved
-with its name. In this tutorial, we sometimes omit to show that final \isacommand{done}
-if it is obvious from the context that the proof is finished.
-
-% Instead of \isacommand{apply} followed by a dot, you can simply write
-% \isacommand{by}\indexbold{by}, which we do most of the time.
-Notice that in lemma \isa{app{\isaliteral{5F}{\isacharunderscore}}Nil{\isadigit{2}}},
-as printed out after the final \isacommand{done}, the free variable \isa{xs} has been
-replaced by the unknown \isa{{\isaliteral{3F}{\isacharquery}}xs}, just as explained in
-\S\ref{sec:variables}.
-
-Going back to the proof of the first lemma%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-we find that this time \isa{auto} solves the base case, but the
-induction step merely simplifies to
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }rev\ {\isaliteral{28}{\isacharparenleft}}list\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }{\isaliteral{28}{\isacharparenleft}}rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ ys\ {\isaliteral{40}{\isacharat}}\ rev\ list\ {\isaliteral{40}{\isacharat}}\ a\ {\isaliteral{23}{\isacharhash}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-Now we need to remember that \isa{{\isaliteral{40}{\isacharat}}} associates to the right, and that
-\isa{{\isaliteral{23}{\isacharhash}}} and \isa{{\isaliteral{40}{\isacharat}}} have the same priority (namely the \isa{{\isadigit{6}}{\isadigit{5}}}
-in their \isacommand{infixr} annotation). Thus the conclusion really is
-\begin{isabelle}
-~~~~~(rev~ys~@~rev~list)~@~(a~\#~[])~=~rev~ys~@~(rev~list~@~(a~\#~[]))
-\end{isabelle}
-and the missing lemma is associativity of \isa{{\isaliteral{40}{\isacharat}}}.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsubsection{Third Lemma%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-Abandoning the previous attempt, the canonical proof procedure
-succeeds without further ado.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ app{\isaliteral{5F}{\isacharunderscore}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}ys\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Now we can prove the first lemma:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ rev{\isaliteral{5F}{\isacharunderscore}}app\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{40}{\isacharat}}\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}rev\ ys{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Finally, we prove our main theorem:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ rev{\isaliteral{5F}{\isacharunderscore}}rev\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}rev{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The final \commdx{end} tells Isabelle to close the current theory because
-we are finished with its development:%
-\index{*rev (constant)|)}\index{append function|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-\isacommand{end}\isamarkupfalse%
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isanewline
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Tree.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,83 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Tree}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-Define the datatype of \rmindex{binary trees}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{3D}{\isacharequal}}\ Tip\ {\isaliteral{7C}{\isacharbar}}\ Node\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{27}{\isacharprime}}a\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Define a function \isa{mirror} that mirrors a binary tree
-by swapping subtrees recursively. Prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ mirror{\isaliteral{5F}{\isacharunderscore}}mirror{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}mirror{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ t{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Define a function \isa{flatten} that flattens a tree into a list
-by traversing it in infix order. Prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isaliteral{28}{\isacharparenleft}}mirror\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev{\isaliteral{28}{\isacharparenleft}}flatten\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Tree2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,75 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Tree{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent In Exercise~\ref{ex:Tree} we defined a function
-\isa{flatten} from trees to lists. The straightforward version of
-\isa{flatten} is based on \isa{{\isaliteral{40}{\isacharat}}} and is thus, like \isa{rev},
-quadratic. A linear time version of \isa{flatten} again reqires an extra
-argument, the accumulator. Define%
-\end{isamarkuptext}%
-\isamarkuptrue%
-flatten{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ tree\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent and prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}flatten{\isadigit{2}}\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ flatten\ t{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Trie.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,297 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Trie}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-To minimize running time, each node of a trie should contain an array that maps
-letters to subtries. We have chosen a
-representation where the subtries are held in an association list, i.e.\ a
-list of (letter,trie) pairs.  Abstracting over the alphabet \isa{{\isaliteral{27}{\isacharprime}}a} and the
-values \isa{{\isaliteral{27}{\isacharprime}}v} we define a trie as follows:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{3D}{\isacharequal}}\ Trie\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-\index{datatypes!and nested recursion}%
-The first component is the optional value, the second component the
-association list of subtries.  This is an example of nested recursion involving products,
-which is fine because products are datatypes as well.
-We define two selector functions:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}value{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ov{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{primrec}\isamarkupfalse%
-\ alist\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{29}{\isacharparenright}}list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}alist{\isaliteral{28}{\isacharparenleft}}Trie\ ov\ al{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ al{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-Association lists come with a generic lookup function.  Its result
-involves type \isa{option} because a lookup can fail:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ assoc\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}key\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{27}{\isacharprime}}val{\isaliteral{29}{\isacharparenright}}list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}key\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}val\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ x\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}assoc\ {\isaliteral{28}{\isacharparenleft}}p{\isaliteral{23}{\isacharhash}}ps{\isaliteral{29}{\isacharparenright}}\ x\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ p\ in\ if\ a{\isaliteral{3D}{\isacharequal}}x\ then\ Some\ b\ else\ assoc\ ps\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Now we can define the lookup function for tries. It descends into the trie
-examining the letters of the search string one by one. As
-recursion on lists is simpler than on tries, let us express this as primitive
-recursion on the search string argument:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ lookup\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ option{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ value\ t{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}lookup\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ None\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ lookup\ at\ as{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-As a first simple property we prove that looking up a string in the empty
-trie \isa{Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} always returns \isa{None}. The proof merely
-distinguishes the two cases whether the search string is empty or not:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}lookup\ {\isaliteral{28}{\isacharparenleft}}Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ as\ {\isaliteral{3D}{\isacharequal}}\ None{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{5F}{\isacharunderscore}}all{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Things begin to get interesting with the definition of an update function
-that adds a new (string, value) pair to a trie, overwriting the old value
-associated with that string:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ update{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}trie{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ v\ {\isaliteral{3D}{\isacharequal}}\ Trie\ {\isaliteral{28}{\isacharparenleft}}Some\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}update\ t\ {\isaliteral{28}{\isacharparenleft}}a{\isaliteral{23}{\isacharhash}}as{\isaliteral{29}{\isacharparenright}}\ v\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ {\isaliteral{28}{\isacharparenleft}}let\ tt\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ assoc\ {\isaliteral{28}{\isacharparenleft}}alist\ t{\isaliteral{29}{\isacharparenright}}\ a\ of\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ None\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ Trie\ None\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ Some\ at\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ at{\isaliteral{29}{\isacharparenright}}\isanewline
-\ \ \ \ in\ Trie\ {\isaliteral{28}{\isacharparenleft}}value\ t{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}a{\isaliteral{2C}{\isacharcomma}}update\ tt\ as\ v{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ alist\ t{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The base case is obvious. In the recursive case the subtrie
-\isa{tt} associated with the first letter \isa{a} is extracted,
-recursively updated, and then placed in front of the association list.
-The old subtrie associated with \isa{a} is still in the association list
-but no longer accessible via \isa{assoc}. Clearly, there is room here for
-optimizations!
-
-Before we start on any proofs about \isa{update} we tell the simplifier to
-expand all \isa{let}s and to split all \isa{case}-constructs over
-options:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}\ option{\isaliteral{2E}{\isachardot}}split{\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\noindent
-The reason becomes clear when looking (probably after a failed proof
-attempt) at the body of \isa{update}: it contains both
-\isa{let} and a case distinction over type \isa{option}.
-
-Our main goal is to prove the correct interaction of \isa{update} and
-\isa{lookup}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{theorem}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}t\ v\ bs{\isaliteral{2E}{\isachardot}}\ lookup\ {\isaliteral{28}{\isacharparenleft}}update\ t\ as\ v{\isaliteral{29}{\isacharparenright}}\ bs\ {\isaliteral{3D}{\isacharequal}}\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ as{\isaliteral{3D}{\isacharequal}}bs\ then\ Some\ v\ else\ lookup\ t\ bs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Our plan is to induct on \isa{as}; hence the remaining variables are
-quantified. From the definitions it is clear that induction on either
-\isa{as} or \isa{bs} is required. The choice of \isa{as} is 
-guided by the intuition that simplification of \isa{lookup} might be easier
-if \isa{update} has already been simplified, which can only happen if
-\isa{as} is instantiated.
-The start of the proof is conventional:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ as{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Unfortunately, this time we are left with three intimidating looking subgoals:
-\begin{isabelle}
-~1.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
-~2.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
-~3.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs
-\end{isabelle}
-Clearly, if we want to make headway we have to instantiate \isa{bs} as
-well now. It turns out that instead of induction, case distinction
-suffices:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}\ bs{\isaliteral{2C}{\isacharcomma}}\ auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-\index{subgoal numbering}%
-All methods ending in \isa{tac} take an optional first argument that
-specifies the range of subgoals they are applied to, where \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{21}{\isacharbang}}{\isaliteral{5D}{\isacharbrackright}}} means
-all subgoals, i.e.\ \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{1}}{\isaliteral{2D}{\isacharminus}}{\isadigit{3}}{\isaliteral{5D}{\isacharbrackright}}} in our case. Individual subgoal numbers,
-e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isadigit{2}}{\isaliteral{5D}{\isacharbrackright}}} are also allowed.
-
-This proof may look surprisingly straightforward. However, note that this
-comes at a cost: the proof script is unreadable because the intermediate
-proof states are invisible, and we rely on the (possibly brittle) magic of
-\isa{auto} (\isa{simp{\isaliteral{5F}{\isacharunderscore}}all} will not do --- try it) to split the subgoals
-of the induction up in such a way that case distinction on \isa{bs} makes
-sense and solves the proof. 
-
-\begin{exercise}
-  Modify \isa{update} (and its type) such that it allows both insertion and
-  deletion of entries with a single function.  Prove the corresponding version 
-  of the main theorem above.
-  Optimize your function such that it shrinks tries after
-  deletion if possible.
-\end{exercise}
-
-\begin{exercise}
-  Write an improved version of \isa{update} that does not suffer from the
-  space leak (pointed out above) caused by not deleting overwritten entries
-  from the association list. Prove the main theorem for your improved
-  \isa{update}.
-\end{exercise}
-
-\begin{exercise}
-  Conceptually, each node contains a mapping from letters to optional
-  subtries. Above we have implemented this by means of an association
-  list. Replay the development replacing \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C74696D65733E}{\isasymtimes}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie{\isaliteral{29}{\isacharparenright}}\ list}
-  with \isa{{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{2C}{\isacharcomma}}\ {\isaliteral{27}{\isacharprime}}v{\isaliteral{29}{\isacharparenright}}\ trie\ option}.
-\end{exercise}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/Typedefs.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,340 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{Typedefs}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Introducing New Types%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:adv-typedef}
-For most applications, a combination of predefined types like \isa{bool} and
-\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}} with recursive datatypes and records is quite sufficient. Very
-occasionally you may feel the need for a more advanced type.  If you
-are certain that your type is not definable by any of the
-standard means, then read on.
-\begin{warn}
-  Types in HOL must be non-empty; otherwise the quantifier rules would be
-  unsound, because $\exists x.\ x=x$ is a theorem.
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Declaring New Types%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:typedecl}
-\index{types!declaring|(}%
-\index{typedecl@\isacommand {typedecl} (command)}%
-The most trivial way of introducing a new type is by a \textbf{type
-declaration}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{typedecl}\isamarkupfalse%
-\ my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type%
-\begin{isamarkuptext}%
-\noindent
-This does not define \isa{my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type} at all but merely introduces its
-name. Thus we know nothing about this type, except that it is
-non-empty. Such declarations without definitions are
-useful if that type can be viewed as a parameter of the theory.
-A typical example is given in \S\ref{sec:VMC}, where we define a transition
-relation over an arbitrary type of states.
-
-In principle we can always get rid of such type declarations by making those
-types parameters of every other type, thus keeping the theory generic. In
-practice, however, the resulting clutter can make types hard to read.
-
-If you are looking for a quick and dirty way of introducing a new type
-together with its properties: declare the type and state its properties as
-axioms. Example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{axioms}\isamarkupfalse%
-\isanewline
-just{\isaliteral{5F}{\isacharunderscore}}one{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}my{\isaliteral{5F}{\isacharunderscore}}new{\isaliteral{5F}{\isacharunderscore}}type{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}y{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-However, we strongly discourage this approach, except at explorative stages
-of your development. It is extremely easy to write down contradictory sets of
-axioms, in which case you will be able to prove everything but it will mean
-nothing.  In the example above, the axiomatic approach is
-unnecessary: a one-element type called \isa{unit} is already defined in HOL.
-\index{types!declaring|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Defining New Types%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:typedef}
-\index{types!defining|(}%
-\index{typedecl@\isacommand {typedef} (command)|(}%
-Now we come to the most general means of safely introducing a new type, the
-\textbf{type definition}. All other means, for example
-\isacommand{datatype}, are based on it. The principle is extremely simple:
-any non-empty subset of an existing type can be turned into a new type.
-More precisely, the new type is specified to be isomorphic to some
-non-empty subset of an existing type.
-
-Let us work a simple example, the definition of a three-element type.
-It is easily represented by the first three natural numbers:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{typedef}\isamarkupfalse%
-\ three\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-In order to enforce that the representing set on the right-hand side is
-non-empty, this definition actually starts a proof to that effect:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6578697374733E}{\isasymexists}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}%
-\end{isabelle}
-Fortunately, this is easy enough to show, even \isa{auto} could do it.
-In general, one has to provide a witness, in our case 0:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}rule{\isaliteral{5F}{\isacharunderscore}}tac\ x\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ \isakeyword{in}\ exI{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{by}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-This type definition introduces the new type \isa{three} and asserts
-that it is a copy of the set \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. This assertion
-is expressed via a bijection between the \emph{type} \isa{three} and the
-\emph{set} \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}. To this end, the command declares the following
-constants behind the scenes:
-\begin{center}
-\begin{tabular}{rcl}
-\isa{three} &::& \isa{nat\ set} \\
-\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{three\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat}\\
-\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} &::& \isa{nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ three}
-\end{tabular}
-\end{center}
-where constant \isa{three} is explicitly defined as the representing set:
-\begin{center}
-\isa{three\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}\hfill(\isa{three{\isaliteral{5F}{\isacharunderscore}}def})
-\end{center}
-The situation is best summarized with the help of the following diagram,
-where squares denote types and the irregular region denotes a set:
-\begin{center}
-\includegraphics[scale=.8]{typedef}
-\end{center}
-Finally, \isacommand{typedef} asserts that \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} is
-surjective on the subset \isa{three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} are inverses of each other:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad\qquad}l@ {}}
-\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}) \\
-\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse}) \\
-\isa{y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inverse})
-\end{tabular}
-\end{center}
-%
-From this example it should be clear what \isacommand{typedef} does
-in general given a name (here \isa{three}) and a set
-(here \isa{{\isaliteral{7B}{\isacharbraceleft}}{\isadigit{0}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{1}}{\isaliteral{2C}{\isacharcomma}}\ {\isadigit{2}}{\isaliteral{7D}{\isacharbraceright}}}).
-
-Our next step is to define the basic functions expected on the new type.
-Although this depends on the type at hand, the following strategy works well:
-\begin{itemize}
-\item define a small kernel of basic functions that can express all other
-functions you anticipate.
-\item define the kernel in terms of corresponding functions on the
-representing type using \isa{Abs} and \isa{Rep} to convert between the
-two levels.
-\end{itemize}
-In our example it suffices to give the three elements of type \isa{three}
-names:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ A\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{definition}\isamarkupfalse%
-\ B\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isacommand{definition}\isamarkupfalse%
-\ C\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ three\ \isakeyword{where}\ {\isaliteral{22}{\isachardoublequoteopen}}C\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ {\isadigit{2}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-So far, everything was easy. But it is clear that reasoning about \isa{three} will be hell if we have to go back to \isa{nat} every time. Thus our
-aim must be to raise our level of abstraction by deriving enough theorems
-about type \isa{three} to characterize it completely. And those theorems
-should be phrased in terms of \isa{A}, \isa{B} and \isa{C}, not \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three}. Because of the simplicity of the example,
-we merely need to prove that \isa{A}, \isa{B} and \isa{C} are distinct
-and that they exhaust the type.
-
-In processing our \isacommand{typedef} declaration, 
-Isabelle proves several helpful lemmas. The first two
-express injectivity of \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three} and \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad}l@ {}}
-\isa{{\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
-\begin{tabular}{@ {}l@ {}}
-\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}} \\
-\isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{29}{\isacharparenright}}}
-\end{tabular} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject}) \\
-\end{tabular}
-\end{center}
-The following ones allow to replace some \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}three} by
-\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{28}{\isacharparenleft}}y{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}, and conversely \isa{y} by \isa{Rep{\isaliteral{5F}{\isacharunderscore}}three\ x}:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad}l@ {}}
-\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{3D}{\isacharequal}}\ Rep{\isaliteral{5F}{\isacharunderscore}}three\ x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}x\ {\isaliteral{3D}{\isacharequal}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}cases}) \\
-\isa{{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ P\ {\isaliteral{28}{\isacharparenleft}}Rep{\isaliteral{5F}{\isacharunderscore}}three\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ y} & (\isa{Rep{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x} & (\isa{Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}induct}) \\
-\end{tabular}
-\end{center}
-These theorems are proved for any type definition, with \isa{three}
-replaced by the name of the type in question.
-
-Distinctness of \isa{A}, \isa{B} and \isa{C} follows immediately
-if we expand their definitions and rewrite with the injectivity
-of \isa{Abs{\isaliteral{5F}{\isacharunderscore}}three}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ A\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ C\ {\isaliteral{5C3C616E643E}{\isasymand}}\ C\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ B{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{by}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Abs{\isaliteral{5F}{\isacharunderscore}}three{\isaliteral{5F}{\isacharunderscore}}inject\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def\ three{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Of course we rely on the simplifier to solve goals like \isa{{\isadigit{0}}\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{1}}}.
-
-The fact that \isa{A}, \isa{B} and \isa{C} exhaust type \isa{three} is
-best phrased as a case distinction theorem: if you want to prove \isa{P\ x}
-(where \isa{x} is of type \isa{three}) it suffices to prove \isa{P\ A},
-\isa{P\ B} and \isa{P\ C}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ three{\isaliteral{5F}{\isacharunderscore}}cases{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent Again this follows easily using the induction principle stemming from the type definition:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}y{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ A{\isaliteral{3B}{\isacharsemicolon}}\ P\ B{\isaliteral{3B}{\isacharsemicolon}}\ P\ C{\isaliteral{3B}{\isacharsemicolon}}\ y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ three{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ {\isaliteral{28}{\isacharparenleft}}Abs{\isaliteral{5F}{\isacharunderscore}}three\ y{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Simplification with \isa{three{\isaliteral{5F}{\isacharunderscore}}def} leads to the disjunction \isa{y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ y\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{2}}} which \isa{auto} separates into three
-subgoals, each of which is easily solved by simplification:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto\ simp\ add{\isaliteral{3A}{\isacharcolon}}\ three{\isaliteral{5F}{\isacharunderscore}}def\ A{\isaliteral{5F}{\isacharunderscore}}def\ B{\isaliteral{5F}{\isacharunderscore}}def\ C{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-This concludes the derivation of the characteristic theorems for
-type \isa{three}.
-
-The attentive reader has realized long ago that the
-above lengthy definition can be collapsed into one line:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ better{\isaliteral{5F}{\isacharunderscore}}three\ {\isaliteral{3D}{\isacharequal}}\ A\ {\isaliteral{7C}{\isacharbar}}\ B\ {\isaliteral{7C}{\isacharbar}}\ C%
-\begin{isamarkuptext}%
-\noindent
-In fact, the \isacommand{datatype} command performs internally more or less
-the same derivations as we did, which gives you some idea what life would be
-like without \isacommand{datatype}.
-
-Although \isa{three} could be defined in one line, we have chosen this
-example to demonstrate \isacommand{typedef} because its simplicity makes the
-key concepts particularly easy to grasp. If you would like to see a
-non-trivial example that cannot be defined more directly, we recommend the
-definition of \emph{finite multisets} in the Library~\cite{HOL-Library}.
-
-Let us conclude by summarizing the above procedure for defining a new type.
-Given some abstract axiomatic description $P$ of a type $ty$ in terms of a
-set of functions $F$, this involves three steps:
-\begin{enumerate}
-\item Find an appropriate type $\tau$ and subset $A$ which has the desired
-  properties $P$, and make a type definition based on this representation.
-\item Define the required functions $F$ on $ty$ by lifting
-analogous functions on the representation via $Abs_ty$ and $Rep_ty$.
-\item Prove that $P$ holds for $ty$ by lifting $P$ from the representation.
-\end{enumerate}
-You can now forget about the representation and work solely in terms of the
-abstract functions $F$ and properties $P$.%
-\index{typedecl@\isacommand {typedef} (command)|)}%
-\index{types!defining|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/WFrec.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,169 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{WFrec}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-So far, all recursive definitions were shown to terminate via measure
-functions. Sometimes this can be inconvenient or
-impossible. Fortunately, \isacommand{recdef} supports much more
-general definitions. For example, termination of Ackermann's function
-can be shown by means of the \rmindex{lexicographic product} \isa{{\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ ack\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat{\isasymtimes}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ ack\ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}m{\isachardot}\ m{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}n{\isachardot}\ n{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}ack{\isacharparenleft}{\isadigit{0}}{\isacharcomma}n{\isacharparenright}\ \ \ \ \ \ \ \ \ {\isacharequal}\ Suc\ n{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}\ {\isadigit{1}}{\isacharparenright}{\isachardoublequoteclose}\isanewline
-\ \ {\isachardoublequoteopen}ack{\isacharparenleft}Suc\ m{\isacharcomma}Suc\ n{\isacharparenright}\ {\isacharequal}\ ack{\isacharparenleft}m{\isacharcomma}ack{\isacharparenleft}Suc\ m{\isacharcomma}n{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-The lexicographic product decreases if either its first component
-decreases (as in the second equation and in the outer call in the
-third equation) or its first component stays the same and the second
-component decreases (as in the inner call in the third equation).
-
-In general, \isacommand{recdef} supports termination proofs based on
-arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
-This is called \textbf{well-founded
-recursion}\indexbold{recursion!well-founded}.  A function definition
-is total if and only if the set of 
-all pairs $(r,l)$, where $l$ is the argument on the
-left-hand side of an equation and $r$ the argument of some recursive call on
-the corresponding right-hand side, induces a well-founded relation.  For a
-systematic account of termination proofs via well-founded relations see, for
-example, Baader and Nipkow~\cite{Baader-Nipkow}.
-
-Each \isacommand{recdef} definition should be accompanied (after the function's
-name) by a well-founded relation on the function's argument type.  
-Isabelle/HOL formalizes some of the most important
-constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
-example, \isa{measure\ f} is always well-founded.   The lexicographic
-product of two well-founded relations is again well-founded, which we relied
-on when defining Ackermann's function above.
-Of course the lexicographic product can also be iterated:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ contrived\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymtimes}\ nat\ {\isasymtimes}\ nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ contrived\isanewline
-\ \ {\isachardoublequoteopen}measure{\isacharparenleft}{\isasymlambda}i{\isachardot}\ i{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}j{\isachardot}\ j{\isacharparenright}\ {\isacharless}{\isacharasterisk}lex{\isacharasterisk}{\isachargreater}\ measure{\isacharparenleft}{\isasymlambda}k{\isachardot}\ k{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}Suc\ k{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}k{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}contrived{\isacharparenleft}i{\isacharcomma}Suc\ j{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}j{\isacharcomma}j{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}contrived{\isacharparenleft}Suc\ i{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ {\isacharequal}\ contrived{\isacharparenleft}i{\isacharcomma}i{\isacharcomma}i{\isacharparenright}{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}contrived{\isacharparenleft}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharcomma}{\isadigit{0}}{\isacharparenright}\ \ \ \ \ {\isacharequal}\ {\isadigit{0}}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-Lexicographic products of measure functions already go a long
-way. Furthermore, you may embed a type in an
-existing well-founded relation via the inverse image construction \isa{inv{\isacharunderscore}image}. All these constructions are known to \isacommand{recdef}. Thus you
-will never have to prove well-foundedness of any relation composed
-solely of these building blocks. But of course the proof of
-termination of your function definition --- that the arguments
-decrease with every recursive call --- may still require you to provide
-additional lemmas.
-
-It is also possible to use your own well-founded relations with
-\isacommand{recdef}.  For example, the greater-than relation can be made
-well-founded by cutting it off at a certain point.  Here is an example
-of a recursive function that calls itself with increasing values up to ten:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{consts}\isamarkupfalse%
-\ f\ {\isacharcolon}{\isacharcolon}\ {\isachardoublequoteopen}nat\ {\isasymRightarrow}\ nat{\isachardoublequoteclose}\isanewline
-\isacommand{recdef}\isamarkupfalse%
-\ f\ {\isachardoublequoteopen}{\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}{\isadigit{1}}{\isadigit{0}}{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}\isanewline
-{\isachardoublequoteopen}f\ i\ {\isacharequal}\ {\isacharparenleft}if\ {\isadigit{1}}{\isadigit{0}}\ {\isasymle}\ i\ then\ {\isadigit{0}}\ else\ i\ {\isacharasterisk}\ f{\isacharparenleft}Suc\ i{\isacharparenright}{\isacharparenright}{\isachardoublequoteclose}%
-\begin{isamarkuptext}%
-\noindent
-Since \isacommand{recdef} is not prepared for the relation supplied above,
-Isabelle rejects the definition.  We should first have proved that
-our relation was well-founded:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ wf{\isacharunderscore}greater{\isacharcolon}\ {\isachardoublequoteopen}wf\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}j{\isacharparenright}{\isachardot}\ j{\isacharless}i\ {\isasymand}\ i\ {\isasymle}\ {\isacharparenleft}N{\isacharcolon}{\isacharcolon}nat{\isacharparenright}{\isacharbraceright}{\isachardoublequoteclose}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The proof is by showing that our relation is a subset of another well-founded
-relation: one given by a measure function.\index{*wf_subset (theorem)}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ {\isacharparenleft}rule\ wf{\isacharunderscore}subset\ {\isacharbrackleft}of\ {\isachardoublequoteopen}measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ N{\isacharminus}k{\isacharparenright}{\isachardoublequoteclose}{\isacharbrackright}{\isacharcomma}\ blast{\isacharparenright}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isachardot}\ {\isacharbraceleft}{\isacharparenleft}i{\isacharcomma}\ j{\isacharparenright}{\isachardot}\ j\ {\isacharless}\ i\ {\isasymand}\ i\ {\isasymle}\ N{\isacharbraceright}\ {\isasymsubseteq}\ measure\ {\isacharparenleft}op\ {\isacharminus}\ N{\isacharparenright}%
-\end{isabelle}
-
-\noindent
-The inclusion remains to be proved. After unfolding some definitions, 
-we are left with simple arithmetic that is dispatched automatically.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{by}\isamarkupfalse%
-\ {\isacharparenleft}clarify{\isacharcomma}\ simp\ add{\isacharcolon}\ measure{\isacharunderscore}def\ inv{\isacharunderscore}image{\isacharunderscore}def{\isacharparenright}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-
-Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
-crucial hint\cmmdx{hints} to our definition:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-{\isacharparenleft}\isakeyword{hints}\ recdef{\isacharunderscore}wf{\isacharcolon}\ wf{\isacharunderscore}greater{\isacharparenright}%
-\begin{isamarkuptext}%
-\noindent
-Alternatively, we could have given \isa{measure\ {\isacharparenleft}{\isasymlambda}k{\isacharcolon}{\isacharcolon}nat{\isachardot}\ {\isadigit{1}}{\isadigit{0}}{\isacharminus}k{\isacharparenright}} for the
-well-founded relation in our \isacommand{recdef}.  However, the arithmetic
-goal in the lemma above would have arisen instead in the \isacommand{recdef}
-termination proof, where we have less control.  A tailor-made termination
-relation makes even more sense when it can be used in several function
-declarations.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/advanced0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,49 @@
+\chapter{Advanced Simplification and Induction}
+
+Although we have already learned a lot about simplification and
+induction, there are some advanced proof techniques that we have not covered
+yet and which are worth learning. The sections of this chapter are
+independent of each other and can be read in any order.
+
+\input{simp2.tex}
+
+\section{Advanced Induction Techniques}
+\label{sec:advanced-ind}
+\index{induction|(}
+\input{AdvancedInd.tex}
+\input{CTLind.tex}
+\index{induction|)}
+
+%\section{Advanced Forms of Recursion}
+%\index{recdef@\isacommand {recdef} (command)|(}
+
+%This section introduces advanced forms of
+%\isacommand{recdef}: how to establish termination by means other than measure
+%functions, how to define recursive functions over nested recursive datatypes
+%and how to deal with partial functions.
+%
+%If, after reading this section, you feel that the definition of recursive
+%functions is overly complicated by the requirement of
+%totality, you should ponder the alternatives.  In a logic of partial functions,
+%recursive definitions are always accepted.  But there are many
+%such logics, and no clear winner has emerged. And in all of these logics you
+%are (more or less frequently) required to reason about the definedness of
+%terms explicitly. Thus one shifts definedness arguments from definition time to
+%proof time. In HOL you may have to work hard to define a function, but proofs
+%can then proceed unencumbered by worries about undefinedness.
+
+%\subsection{Beyond Measure}
+%\label{sec:beyond-measure}
+%\input{WFrec.tex}
+%
+%\subsection{Recursion Over Nested Datatypes}
+%\label{sec:nested-recdef}
+%\input{Nested0.tex}
+%\input{Nested1.tex}
+%\input{Nested2.tex}
+%
+%\subsection{Partial Functions}
+%\index{functions!partial}
+%\input{Partial.tex}
+%
+%\index{recdef@\isacommand {recdef} (command)|)}
--- a/doc-src/TutorialI/document/appendix.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,63 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{appendix}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{lll}
-Constant & Type & Syntax \\
-\hline
-\isa{{\isadigit{0}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}zero} \\
-\isa{{\isadigit{1}}} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}one} \\
-\isa{plus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}plus} & (infixl $+$ 65) \\
-\isa{minus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}minus} & (infixl $-$ 65) \\
-\isa{uminus} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}uminus} & $- x$ \\
-\isa{times} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}times} & (infixl $*$ 70) \\
-\isa{divide} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}inverse} & (infixl $/$ 70) \\
-\isa{Divides{\isaliteral{2E}{\isachardot}}div} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $div$ 70) \\
-\isa{Divides{\isaliteral{2E}{\isachardot}}mod} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}div} & (infixl $mod$ 70) \\
-\isa{abs} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}abs} & ${\mid} x {\mid}$ \\
-\isa{sgn} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}sgn} \\
-\isa{less{\isaliteral{5F}{\isacharunderscore}}eq} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $\le$ 50) \\
-\isa{less} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}ord\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool} & (infixl $<$ 50) \\
-\isa{top} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}top} \\
-\isa{bot} & \isa{{\isaliteral{27}{\isacharprime}}a{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}bot}
-\end{tabular}
-\caption{Important Overloaded Constants in Main}
-\label{tab:overloading}
-\end{center}
-\end{table}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/appendix0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,190 @@
+\appendix
+
+\chapter{Appendix}
+\label{sec:Appendix}
+
+\begin{table}[htbp]
+\begin{center}
+\begin{tabular}{|l|l|l|}
+\hline
+\indexboldpos{\isasymlbrakk}{$Isabrl} &
+\texttt{[|}\index{$Isabrl@\ttlbr|bold} &
+\verb$\<lbrakk>$ \\
+\indexboldpos{\isasymrbrakk}{$Isabrr} &
+\texttt{|]}\index{$Isabrr@\ttrbr|bold} &
+\verb$\<rbrakk>$ \\
+\indexboldpos{\isasymImp}{$IsaImp} &
+\ttindexboldpos{==>}{$IsaImp} &
+\verb$\<Longrightarrow>$ \\
+\isasymAnd\index{$IsaAnd@\isasymAnd|bold}&
+\texttt{!!}\index{$IsaAnd@\ttAnd|bold} &
+\verb$\<And>$ \\
+\indexboldpos{\isasymequiv}{$IsaEq} &
+\ttindexboldpos{==}{$IsaEq} &
+\verb$\<equiv>$ \\
+\indexboldpos{\isasymrightleftharpoons}{$IsaEqTrans} &
+\ttindexboldpos{==}{$IsaEq} &
+\verb$\<rightleftharpoons>$ \\
+\indexboldpos{\isasymrightharpoonup}{$IsaEqTrans1} &
+\ttindexboldpos{=>}{$IsaFun} &
+\verb$\<rightharpoonup>$ \\
+\indexboldpos{\isasymleftharpoondown}{$IsaEqTrans2} &
+\ttindexboldpos{<=}{$IsaFun2} &
+\verb$\<leftharpoondown>$ \\
+\indexboldpos{\isasymlambda}{$Isalam} &
+\texttt{\%}\indexbold{$Isalam@\texttt{\%}} &
+\verb$\<lambda>$ \\
+\indexboldpos{\isasymFun}{$IsaFun} &
+\ttindexboldpos{=>}{$IsaFun} &
+\verb$\<Rightarrow>$ \\
+\indexboldpos{\isasymand}{$HOL0and} &
+\texttt{\&}\indexbold{$HOL0and@{\texttt{\&}}} &
+\verb$\<and>$ \\
+\indexboldpos{\isasymor}{$HOL0or} &
+\texttt{|}\index{$HOL0or@\ttor|bold} &
+\verb$\<or>$ \\
+\indexboldpos{\isasymimp}{$HOL0imp} &
+\ttindexboldpos{-->}{$HOL0imp} &
+\verb$\<longrightarrow>$ \\
+\indexboldpos{\isasymnot}{$HOL0not} &
+\verb$~$\index{$HOL0not@\verb$~$|bold} &
+\verb$\<not>$ \\
+\indexboldpos{\isasymnoteq}{$HOL0noteq} &
+\verb$~=$\index{$HOL0noteq@\verb$~=$|bold} &
+\verb$\<noteq>$ \\
+\indexboldpos{\isasymforall}{$HOL0All} &
+\ttindexbold{ALL}, \texttt{!}\index{$HOL0All@\ttall|bold} &
+\verb$\<forall>$ \\
+\indexboldpos{\isasymexists}{$HOL0Ex} &
+\ttindexbold{EX}, \texttt{?}\index{$HOL0Ex@\texttt{?}|bold} &
+\verb$\<exists>$ \\
+\isasymuniqex\index{$HOL0ExU@\isasymuniqex|bold} &
+\ttEXU\index{EXX@\ttEXU|bold}, \ttuniquex\index{$HOL0ExU@\ttuniquex|bold} &
+\verb$\<exists>!$\\
+\indexboldpos{\isasymepsilon}{$HOL0ExSome} &
+\ttindexbold{SOME}, \isa{\at}\index{$HOL2list@\isa{\at}} &
+\verb$\<epsilon>$\\
+\indexboldpos{\isasymcirc}{$HOL1} &
+\ttindexbold{o} &
+\verb$\<circ>$\\
+\indexboldpos{\isasymbar~\isasymbar}{$HOL2arithfun}&
+\ttindexbold{abs}&
+\verb$\<bar> \<bar>$\\
+\indexboldpos{\isasymle}{$HOL2arithrel}&
+\isadxboldpos{<=}{$HOL2arithrel}&
+\verb$\<le>$\\
+\indexboldpos{\isasymtimes}{$Isatype}&
+\ttindexboldpos{*}{$HOL2arithfun} &
+\verb$\<times>$\\
+\indexboldpos{\isasymin}{$HOL3Set0a}&
+\ttindexboldpos{:}{$HOL3Set0b} &
+\verb$\<in>$\\
+\isasymnotin\index{$HOL3Set0c@\isasymnotin|bold} &
+\verb$~:$\index{$HOL3Set0d@\verb$~:$|bold} &
+\verb$\<notin>$\\
+\indexboldpos{\isasymsubseteq}{$HOL3Set0e}&
+\verb$<=$ & \verb$\<subseteq>$\\
+\indexboldpos{\isasymsubset}{$HOL3Set0f}&
+\verb$<$ & \verb$\<subset>$\\
+\indexboldpos{\isasymunion}{$HOL3Set1}&
+\ttindexbold{Un} &
+\verb$\<union>$\\
+\indexboldpos{\isasyminter}{$HOL3Set1}&
+\ttindexbold{Int} &
+\verb$\<inter>$\\
+\isasymUnion\index{$HOL3Set2@\isasymUnion|bold}&
+\ttindexbold{UN}, \ttindexbold{Union} &
+\verb$\<Union>$\\
+\isasymInter\index{$HOL3Set2@\isasymInter|bold}&
+\ttindexbold{INT}, \ttindexbold{Inter} &
+\verb$\<Inter>$\\
+\isactrlsup{\isacharasterisk}\index{$HOL4star@\isactrlsup{\isacharasterisk}|bold}&
+\verb$^*$\index{$HOL4star@\verb$^$\texttt{*}|bold} &
+\verb$\<^sup>*$\\
+\isasyminverse\index{$HOL4inv@\isasyminverse|bold}&
+\verb$^-1$\index{$HOL4inv@\verb$^-1$|bold} &
+\verb$\<inverse>$\\
+\hline
+\end{tabular}
+\end{center}
+\caption{Mathematical Symbols, Their \textsc{ascii}-Equivalents and Internal Names}
+\label{tab:ascii}
+\end{table}\indexbold{ASCII@\textsc{ascii} symbols}
+
+\input{appendix.tex}
+
+\begin{table}[htbp]
+\begin{center}
+\begin{tabular}{@{}|lllllllll|@{}}
+\hline
+\texttt{ALL} &
+\texttt{BIT} &
+\texttt{CHR} &
+\texttt{EX} &
+\texttt{GREATEST} &
+\texttt{INT} &
+\texttt{Int} &
+\texttt{LEAST} &
+\texttt{O} \\
+\texttt{OFCLASS} &
+\texttt{PI} &
+\texttt{PROP} &
+\texttt{SIGMA} &
+\texttt{SOME} &
+\texttt{THE} &
+\texttt{TYPE} &
+\texttt{UN} &
+\texttt{Un} \\
+\texttt{WRT} &
+\texttt{case} &
+\texttt{choose} &
+\texttt{div} &
+\texttt{dvd} &
+\texttt{else} &
+\texttt{funcset} &
+\texttt{if} &
+\texttt{in} \\
+\texttt{let} &
+\texttt{mem} &
+\texttt{mod} &
+\texttt{o} &
+\texttt{of} &
+\texttt{op} &
+\texttt{then} &&\\
+\hline
+\end{tabular}
+\end{center}
+\caption{Reserved Words in HOL Terms}
+\label{tab:ReservedWords}
+\end{table}
+
+
+%\begin{table}[htbp]
+%\begin{center}
+%\begin{tabular}{|lllll|}
+%\hline
+%\texttt{and} &
+%\texttt{binder} &
+%\texttt{concl} &
+%\texttt{congs} \\
+%\texttt{distinct} &
+%\texttt{files} &
+%\texttt{in} &
+%\texttt{induction} &
+%\texttt{infixl} \\
+%\texttt{infixr} &
+%\texttt{inject} &
+%\texttt{intrs} &
+%\texttt{is} &
+%\texttt{monos} \\
+%\texttt{output} &
+%\texttt{where} &
+% &
+% &
+% \\
+%\hline
+%\end{tabular}
+%\end{center}
+%\caption{Minor Keywords in HOL Theories}
+%\label{tab:keywords}
+%\end{table}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/basics.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,350 @@
+\chapter{The Basics}
+
+\section{Introduction}
+
+This book is a tutorial on how to use the theorem prover Isabelle/HOL as a
+specification and verification system. Isabelle is a generic system for
+implementing logical formalisms, and Isabelle/HOL is the specialization
+of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
+HOL step by step following the equation
+\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
+We do not assume that you are familiar with mathematical logic. 
+However, we do assume that
+you are used to logical and set theoretic notation, as covered
+in a good discrete mathematics course~\cite{Rosen-DMA}, and
+that you are familiar with the basic concepts of functional
+programming~\cite{Bird-Haskell,Hudak-Haskell,paulson-ml2,Thompson-Haskell}.
+Although this tutorial initially concentrates on functional programming, do
+not be misled: HOL can express most mathematical concepts, and functional
+programming is just one particularly simple and ubiquitous instance.
+
+Isabelle~\cite{paulson-isa-book} is implemented in ML~\cite{SML}.  This has
+influenced some of Isabelle/HOL's concrete syntax but is otherwise irrelevant
+for us: this tutorial is based on
+Isabelle/Isar~\cite{isabelle-isar-ref}, an extension of Isabelle which hides
+the implementation language almost completely.  Thus the full name of the
+system should be Isabelle/Isar/HOL, but that is a bit of a mouthful.
+
+There are other implementations of HOL, in particular the one by Mike Gordon
+\index{Gordon, Mike}%
+\emph{et al.}, which is usually referred to as ``the HOL system''
+\cite{mgordon-hol}. For us, HOL refers to the logical system, and sometimes
+its incarnation Isabelle/HOL\@.
+
+A tutorial is by definition incomplete.  Currently the tutorial only
+introduces the rudiments of Isar's proof language. To fully exploit the power
+of Isar, in particular the ability to write readable and structured proofs,
+you should start with Nipkow's overview~\cite{Nipkow-TYPES02} and consult
+the Isabelle/Isar Reference Manual~\cite{isabelle-isar-ref} and Wenzel's
+PhD thesis~\cite{Wenzel-PhD} (which discusses many proof patterns)
+for further details. If you want to use Isabelle's ML level
+directly (for example for writing your own proof procedures) see the Isabelle
+Reference Manual~\cite{isabelle-ref}; for details relating to HOL see the
+Isabelle/HOL manual~\cite{isabelle-HOL}. All manuals have a comprehensive
+index.
+
+\section{Theories}
+\label{sec:Basic:Theories}
+
+\index{theories|(}%
+Working with Isabelle means creating theories. Roughly speaking, a
+\textbf{theory} is a named collection of types, functions, and theorems,
+much like a module in a programming language or a specification in a
+specification language. In fact, theories in HOL can be either. The general
+format of a theory \texttt{T} is
+\begin{ttbox}
+theory T
+imports B\(@1\) \(\ldots\) B\(@n\)
+begin
+{\rmfamily\textit{declarations, definitions, and proofs}}
+end
+\end{ttbox}\cmmdx{theory}\cmmdx{imports}
+where \texttt{B}$@1$ \dots\ \texttt{B}$@n$ are the names of existing
+theories that \texttt{T} is based on and \textit{declarations,
+    definitions, and proofs} represents the newly introduced concepts
+(types, functions etc.) and proofs about them. The \texttt{B}$@i$ are the
+direct \textbf{parent theories}\indexbold{parent theories} of~\texttt{T}\@.
+Everything defined in the parent theories (and their parents, recursively) is
+automatically visible. To avoid name clashes, identifiers can be
+\textbf{qualified}\indexbold{identifiers!qualified}
+by theory names as in \texttt{T.f} and~\texttt{B.f}. 
+Each theory \texttt{T} must
+reside in a \textbf{theory file}\index{theory files} named \texttt{T.thy}.
+
+This tutorial is concerned with introducing you to the different linguistic
+constructs that can fill the \textit{declarations, definitions, and
+    proofs} above.  A complete grammar of the basic
+constructs is found in the Isabelle/Isar Reference
+Manual~\cite{isabelle-isar-ref}.
+
+\begin{warn}
+  HOL contains a theory \thydx{Main}, the union of all the basic
+  predefined theories like arithmetic, lists, sets, etc.  
+  Unless you know what you are doing, always include \isa{Main}
+  as a direct or indirect parent of all your theories.
+\end{warn}
+HOL's theory collection is available online at
+\begin{center}\small
+    \url{http://isabelle.in.tum.de/library/HOL/}
+\end{center}
+and is recommended browsing. In subdirectory \texttt{Library} you find
+a growing library of useful theories that are not part of \isa{Main}
+but can be included among the parents of a theory and will then be
+loaded automatically.
+
+For the more adventurous, there is the \emph{Archive of Formal Proofs},
+a journal-like collection of more advanced Isabelle theories:
+\begin{center}\small
+    \url{http://afp.sourceforge.net/}
+\end{center}
+We hope that you will contribute to it yourself one day.%
+\index{theories|)}
+
+
+\section{Types, Terms and Formulae}
+\label{sec:TypesTermsForms}
+
+Embedded in a theory are the types, terms and formulae of HOL\@. HOL is a typed
+logic whose type system resembles that of functional programming languages
+like ML or Haskell. Thus there are
+\index{types|(}
+\begin{description}
+\item[base types,] 
+in particular \tydx{bool}, the type of truth values,
+and \tydx{nat}, the type of natural numbers.
+\item[type constructors,]\index{type constructors}
+ in particular \tydx{list}, the type of
+lists, and \tydx{set}, the type of sets. Type constructors are written
+postfix, e.g.\ \isa{(nat)list} is the type of lists whose elements are
+natural numbers. Parentheses around single arguments can be dropped (as in
+\isa{nat list}), multiple arguments are separated by commas (as in
+\isa{(bool,nat)ty}).
+\item[function types,]\index{function types}
+denoted by \isasymFun\indexbold{$IsaFun@\isasymFun}.
+  In HOL \isasymFun\ represents \emph{total} functions only. As is customary,
+  \isa{$\tau@1$ \isasymFun~$\tau@2$ \isasymFun~$\tau@3$} means
+  \isa{$\tau@1$ \isasymFun~($\tau@2$ \isasymFun~$\tau@3$)}. Isabelle also
+  supports the notation \isa{[$\tau@1,\dots,\tau@n$] \isasymFun~$\tau$}
+  which abbreviates \isa{$\tau@1$ \isasymFun~$\cdots$ \isasymFun~$\tau@n$
+    \isasymFun~$\tau$}.
+\item[type variables,]\index{type variables}\index{variables!type}
+  denoted by \ttindexboldpos{'a}{$Isatype}, \isa{'b} etc., just like in ML\@. They give rise
+  to polymorphic types like \isa{'a \isasymFun~'a}, the type of the identity
+  function.
+\end{description}
+\begin{warn}
+  Types are extremely important because they prevent us from writing
+  nonsense.  Isabelle insists that all terms and formulae must be
+  well-typed and will print an error message if a type mismatch is
+  encountered. To reduce the amount of explicit type information that
+  needs to be provided by the user, Isabelle infers the type of all
+  variables automatically (this is called \bfindex{type inference})
+  and keeps quiet about it. Occasionally this may lead to
+  misunderstandings between you and the system. If anything strange
+  happens, we recommend that you ask Isabelle to display all type
+  information via the Proof General menu item \pgmenu{Isabelle} $>$
+  \pgmenu{Settings} $>$ \pgmenu{Show Types} (see \S\ref{sec:interface}
+  for details).
+\end{warn}%
+\index{types|)}
+
+
+\index{terms|(}
+\textbf{Terms} are formed as in functional programming by
+applying functions to arguments. If \isa{f} is a function of type
+\isa{$\tau@1$ \isasymFun~$\tau@2$} and \isa{t} is a term of type
+$\tau@1$ then \isa{f~t} is a term of type $\tau@2$. HOL also supports
+infix functions like \isa{+} and some basic constructs from functional
+programming, such as conditional expressions:
+\begin{description}
+\item[\isa{if $b$ then $t@1$ else $t@2$}]\index{*if expressions}
+Here $b$ is of type \isa{bool} and $t@1$ and $t@2$ are of the same type.
+\item[\isa{let $x$ = $t$ in $u$}]\index{*let expressions}
+is equivalent to $u$ where all free occurrences of $x$ have been replaced by
+$t$. For example,
+\isa{let x = 0 in x+x} is equivalent to \isa{0+0}. Multiple bindings are separated
+by semicolons: \isa{let $x@1$ = $t@1$;\dots; $x@n$ = $t@n$ in $u$}.
+\item[\isa{case $e$ of $c@1$ \isasymFun~$e@1$ |~\dots~| $c@n$ \isasymFun~$e@n$}]
+\index{*case expressions}
+evaluates to $e@i$ if $e$ is of the form $c@i$.
+\end{description}
+
+Terms may also contain
+\isasymlambda-abstractions.\index{lambda@$\lambda$ expressions}
+For example,
+\isa{\isasymlambda{}x.~x+1} is the function that takes an argument \isa{x} and
+returns \isa{x+1}. Instead of
+\isa{\isasymlambda{}x.\isasymlambda{}y.\isasymlambda{}z.~$t$} we can write
+\isa{\isasymlambda{}x~y~z.~$t$}.%
+\index{terms|)}
+
+\index{formulae|(}%
+\textbf{Formulae} are terms of type \tydx{bool}.
+There are the basic constants \cdx{True} and \cdx{False} and
+the usual logical connectives (in decreasing order of priority):
+\indexboldpos{\protect\isasymnot}{$HOL0not}, \indexboldpos{\protect\isasymand}{$HOL0and},
+\indexboldpos{\protect\isasymor}{$HOL0or}, and \indexboldpos{\protect\isasymimp}{$HOL0imp},
+all of which (except the unary \isasymnot) associate to the right. In
+particular \isa{A \isasymimp~B \isasymimp~C} means \isa{A \isasymimp~(B
+  \isasymimp~C)} and is thus logically equivalent to \isa{A \isasymand~B
+  \isasymimp~C} (which is \isa{(A \isasymand~B) \isasymimp~C}).
+
+Equality\index{equality} is available in the form of the infix function
+\isa{=} of type \isa{'a \isasymFun~'a
+  \isasymFun~bool}. Thus \isa{$t@1$ = $t@2$} is a formula provided $t@1$
+and $t@2$ are terms of the same type. If $t@1$ and $t@2$ are of type
+\isa{bool} then \isa{=} acts as \rmindex{if-and-only-if}.
+The formula
+\isa{$t@1$~\isasymnoteq~$t@2$} is merely an abbreviation for
+\isa{\isasymnot($t@1$ = $t@2$)}.
+
+Quantifiers\index{quantifiers} are written as
+\isa{\isasymforall{}x.~$P$} and \isa{\isasymexists{}x.~$P$}. 
+There is even
+\isa{\isasymuniqex{}x.~$P$}, which
+means that there exists exactly one \isa{x} that satisfies \isa{$P$}. 
+Nested quantifications can be abbreviated:
+\isa{\isasymforall{}x~y~z.~$P$} means
+\isa{\isasymforall{}x.\isasymforall{}y.\isasymforall{}z.~$P$}.%
+\index{formulae|)}
+
+Despite type inference, it is sometimes necessary to attach explicit
+\bfindex{type constraints} to a term.  The syntax is
+\isa{$t$::$\tau$} as in \isa{x < (y::nat)}. Note that
+\ttindexboldpos{::}{$Isatype} binds weakly and should therefore be enclosed
+in parentheses.  For instance,
+\isa{x < y::nat} is ill-typed because it is interpreted as
+\isa{(x < y)::nat}.  Type constraints may be needed to disambiguate
+expressions
+involving overloaded functions such as~\isa{+}, 
+\isa{*} and~\isa{<}.  Section~\ref{sec:overloading} 
+discusses overloading, while Table~\ref{tab:overloading} presents the most
+important overloaded function symbols.
+
+In general, HOL's concrete \rmindex{syntax} tries to follow the conventions of
+functional programming and mathematics.  Here are the main rules that you
+should be familiar with to avoid certain syntactic traps:
+\begin{itemize}
+\item
+Remember that \isa{f t u} means \isa{(f t) u} and not \isa{f(t u)}!
+\item
+Isabelle allows infix functions like \isa{+}. The prefix form of function
+application binds more strongly than anything else and hence \isa{f~x + y}
+means \isa{(f~x)~+~y} and not \isa{f(x+y)}.
+\item Remember that in HOL if-and-only-if is expressed using equality.  But
+  equality has a high priority, as befitting a relation, while if-and-only-if
+  typically has the lowest priority.  Thus, \isa{\isasymnot~\isasymnot~P =
+    P} means \isa{\isasymnot\isasymnot(P = P)} and not
+  \isa{(\isasymnot\isasymnot P) = P}. When using \isa{=} to mean
+  logical equivalence, enclose both operands in parentheses, as in \isa{(A
+    \isasymand~B) = (B \isasymand~A)}.
+\item
+Constructs with an opening but without a closing delimiter bind very weakly
+and should therefore be enclosed in parentheses if they appear in subterms, as
+in \isa{(\isasymlambda{}x.~x) = f}.  This includes 
+\isa{if},\index{*if expressions}
+\isa{let},\index{*let expressions}
+\isa{case},\index{*case expressions}
+\isa{\isasymlambda}, and quantifiers.
+\item
+Never write \isa{\isasymlambda{}x.x} or \isa{\isasymforall{}x.x=x}
+because \isa{x.x} is always taken as a single qualified identifier. Write
+\isa{\isasymlambda{}x.~x} and \isa{\isasymforall{}x.~x=x} instead.
+\item Identifiers\indexbold{identifiers} may contain the characters \isa{_} 
+and~\isa{'}, except at the beginning.
+\end{itemize}
+
+For the sake of readability, we use the usual mathematical symbols throughout
+the tutorial. Their \textsc{ascii}-equivalents are shown in table~\ref{tab:ascii} in
+the appendix.
+
+\begin{warn}
+A particular problem for novices can be the priority of operators. If
+you are unsure, use additional parentheses. In those cases where
+Isabelle echoes your input, you can see which parentheses are dropped
+--- they were superfluous. If you are unsure how to interpret
+Isabelle's output because you don't know where the (dropped)
+parentheses go, set the Proof General flag \pgmenu{Isabelle} $>$
+\pgmenu{Settings} $>$ \pgmenu{Show Brackets} (see \S\ref{sec:interface}).
+\end{warn}
+
+
+\section{Variables}
+\label{sec:variables}
+\index{variables|(}
+
+Isabelle distinguishes free and bound variables, as is customary. Bound
+variables are automatically renamed to avoid clashes with free variables. In
+addition, Isabelle has a third kind of variable, called a \textbf{schematic
+  variable}\index{variables!schematic} or \textbf{unknown}\index{unknowns}, 
+which must have a~\isa{?} as its first character.  
+Logically, an unknown is a free variable. But it may be
+instantiated by another term during the proof process. For example, the
+mathematical theorem $x = x$ is represented in Isabelle as \isa{?x = ?x},
+which means that Isabelle can instantiate it arbitrarily. This is in contrast
+to ordinary variables, which remain fixed. The programming language Prolog
+calls unknowns {\em logical\/} variables.
+
+Most of the time you can and should ignore unknowns and work with ordinary
+variables. Just don't be surprised that after you have finished the proof of
+a theorem, Isabelle will turn your free variables into unknowns.  It
+indicates that Isabelle will automatically instantiate those unknowns
+suitably when the theorem is used in some other proof.
+Note that for readability we often drop the \isa{?}s when displaying a theorem.
+\begin{warn}
+  For historical reasons, Isabelle accepts \isa{?} as an ASCII representation
+  of the \(\exists\) symbol.  However, the \isa{?} character must then be followed
+  by a space, as in \isa{?~x. f(x) = 0}.  Otherwise, \isa{?x} is
+  interpreted as a schematic variable.  The preferred ASCII representation of
+  the \(\exists\) symbol is \isa{EX}\@. 
+\end{warn}%
+\index{variables|)}
+
+\section{Interaction and Interfaces}
+\label{sec:interface}
+
+The recommended interface for Isabelle/Isar is the (X)Emacs-based
+\bfindex{Proof General}~\cite{proofgeneral,Aspinall:TACAS:2000}.
+Interaction with Isabelle at the shell level, although possible,
+should be avoided. Most of the tutorial is independent of the
+interface and is phrased in a neutral language. For example, the
+phrase ``to abandon a proof'' corresponds to the obvious
+action of clicking on the \pgmenu{Undo} symbol in Proof General.
+Proof General specific information is often displayed in paragraphs
+identified by a miniature Proof General icon. Here are two examples:
+\begin{pgnote}
+Proof General supports a special font with mathematical symbols known
+as ``x-symbols''. All symbols have \textsc{ascii}-equivalents: for
+example, you can enter either \verb!&!  or \verb!\<and>! to obtain
+$\land$. For a list of the most frequent symbols see table~\ref{tab:ascii}
+in the appendix.
+
+Note that by default x-symbols are not enabled. You have to switch
+them on via the menu item \pgmenu{Proof-General} $>$ \pgmenu{Options} $>$
+\pgmenu{X-Symbols} (and save the option via the top-level
+\pgmenu{Options} menu).
+\end{pgnote}
+
+\begin{pgnote}
+Proof General offers the \pgmenu{Isabelle} menu for displaying
+information and setting flags. A particularly useful flag is
+\pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgdx{Show Types} which
+causes Isabelle to output the type information that is usually
+suppressed. This is indispensible in case of errors of all kinds
+because often the types reveal the source of the problem. Once you
+have diagnosed the problem you may no longer want to see the types
+because they clutter all output. Simply reset the flag.
+\end{pgnote}
+
+\section{Getting Started}
+
+Assuming you have installed Isabelle and Proof General, you start it by typing
+\texttt{Isabelle} in a shell window. This launches a Proof General window.
+By default, you are in HOL\footnote{This is controlled by the
+\texttt{ISABELLE_LOGIC} setting, see \emph{The Isabelle System Manual}
+for more details.}.
+
+\begin{pgnote}
+You can choose a different logic via the \pgmenu{Isabelle} $>$
+\pgmenu{Logics} menu.
+\end{pgnote}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/build	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
+"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
+
+cp "$ISABELLE_HOME/doc-src/proof.sty" .
+cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
+cp "$ISABELLE_HOME/doc-src/manual.bib" .
+
+cp "$ISABELLE_HOME/doc-src/TutorialI/ToyList/ToyList1" .
+cp "$ISABELLE_HOME/doc-src/TutorialI/ToyList/ToyList2" .
+
+"$ISABELLE_TOOL" latex -o sty
+cp "$ISABELLE_HOME/doc-src/pdfsetup.sty" .
+
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o bbl
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_HOME/doc-src/sedindex" root
+[ -f root.out ] && "$ISABELLE_HOME/doc-src/fixbookmarks" root.out
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o "$FORMAT"
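Review bot: `ISABELLE_HOME` and `ISABELLE_TOOL` are expanded without any check that they are set, so with an empty `ISABELLE_HOME` the `cp` lines and the `sedindex`/`fixbookmarks` invocations resolve to absolute paths under `/doc-src/...`, and `set -e` only stops the run if those paths happen not to exist. A guard right after `set -e` would fail early with a clear message, e.g. `: "${ISABELLE_HOME:?}" "${ISABELLE_TOOL:?}"`, and likewise `FORMAT="${1:?missing FORMAT argument}"`, since an empty value otherwise reaches every `latex -o "$FORMAT"` call. `VARIANT` is assigned from `$2` but never read in this script; either drop it or add a comment saying it is accepted only to match the caller's interface. A short header comment naming the two positional arguments, and noting that the script copies into and builds in the current directory (presumably the session's document output directory), would make the contract explicit.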
--- a/doc-src/TutorialI/document/case_exprs.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,137 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{case{\isaliteral{5F}{\isacharunderscore}}exprs}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\subsection{Case Expressions}
-\label{sec:case-expressions}\index{*case expressions}%
-HOL also features \isa{case}-expressions for analyzing
-elements of a datatype. For example,
-\begin{isabelle}%
-\ \ \ \ \ case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y%
-\end{isabelle}
-evaluates to \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} if \isa{xs} is \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and to \isa{y} if 
-\isa{xs} is \isa{y\ {\isaliteral{23}{\isacharhash}}\ ys}. (Since the result in both branches must be of
-the same type, it follows that \isa{y} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list} and hence
-that \isa{xs} is of type \isa{{\isaliteral{27}{\isacharprime}}a\ list\ list}.)
-
-In general, case expressions are of the form
-\[
-\begin{array}{c}
-\isa{case}~e~\isa{of}\ pattern@1~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@1\ \isa{{\isaliteral{7C}{\isacharbar}}}\ \dots\
- \isa{{\isaliteral{7C}{\isacharbar}}}~pattern@m~\isa{{\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}}~e@m
-\end{array}
-\]
-Like in functional programming, patterns are expressions consisting of
-datatype constructors (e.g. \isa{{\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and \isa{{\isaliteral{23}{\isacharhash}}})
-and variables, including the wildcard ``\verb$_$''.
-Not all cases need to be covered and the order of cases matters.
-However, one is well-advised not to wallow in complex patterns because
-complex case distinctions tend to induce complex proofs.
-
-\begin{warn}
-Internally Isabelle only knows about exhaustive case expressions with
-non-nested patterns: $pattern@i$ must be of the form
-$C@i~x@ {i1}~\dots~x@ {ik@i}$ and $C@1, \dots, C@m$ must be exactly the
-constructors of the type of $e$.
-%
-More complex case expressions are automatically
-translated into the simpler form upon parsing but are not translated
-back for printing. This may lead to surprising output.
-\end{warn}
-
-\begin{warn}
-Like \isa{if}, \isa{case}-expressions may need to be enclosed in
-parentheses to indicate their scope.
-\end{warn}
-
-\subsection{Structural Induction and Case Distinction}
-\label{sec:struct-ind-case}
-\index{case distinctions}\index{induction!structural}%
-Induction is invoked by \methdx{induct_tac}, as we have seen above; 
-it works for any datatype.  In some cases, induction is overkill and a case
-distinction over all constructors of the datatype suffices.  This is performed
-by \methdx{case_tac}.  Here is a trivial example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-results in the proof state
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ list{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{7C}{\isacharbar}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs%
-\end{isabelle}
-which is solved automatically:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-Note that we do not need to give a lemma a name if we do not intend to refer
-to it explicitly in the future.
-Other basic laws about a datatype are applied automatically during
-simplification, so no special methods are provided for them.
-
-\begin{warn}
-  Induction is only allowed on free (or \isasymAnd-bound) variables that
-  should not occur among the assumptions of the subgoal; see
-  \S\ref{sec:ind-var-in-prems} for details. Case distinction
-  (\isa{case{\isaliteral{5F}{\isacharunderscore}}tac}) works for arbitrary terms, which need to be
-  quoted if they are non-atomic. However, apart from \isa{{\isaliteral{5C3C416E643E}{\isasymAnd}}}-bound
-  variables, the terms must not contain variables that are bound outside.
-  For example, given the goal \isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6578697374733E}{\isasymexists}}y\ ys{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{23}{\isacharhash}}\ ys{\isaliteral{29}{\isacharparenright}}},
-  \isa{case{\isaliteral{5F}{\isacharunderscore}}tac\ xs} will not work as expected because Isabelle interprets
-  the \isa{xs} as a new free variable distinct from the bound
-  \isa{xs} in the goal.
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/cl2emono-modified.sty	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,1371 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%  This is cl2emono.sty version 2.2
+%%  (intermediate fix also for springer.sty for the use of
+%%  LaTeX2e and NFSS2)
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%  This is ucgreek
+%  the definition of versal greek characters
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\mathchardef\Gamma="0100
+\mathchardef\Delta="0101
+\mathchardef\Theta="0102
+\mathchardef\Lambda="0103
+\mathchardef\Xi="0104
+\mathchardef\Pi="0105
+\mathchardef\Sigma="0106
+\mathchardef\Upsilon="0107
+\mathchardef\Phi="0108
+\mathchardef\Psi="0109
+\mathchardef\Omega="010A
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is referee.tex
+%
+% It defines the style option "referee"
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newif\if@referee \@refereefalse
+\def\ds@referee{\@refereetrue
+\typeout{A referee's copy will be produced.}%
+\def\baselinestretch{2}\small
+\normalsize\rm
+\newbox\refereebox
+\setbox\refereebox=\vbox to0pt{\vskip0.5cm%
+  \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
+        \hbox{\kern5pt referee's copy\kern5pt}\hrulefill}\vss}%
+\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
+% This is footinfo.tex
+% it provides an informatory line on every page
+%
+\def\SpringerMacroPackageNameA{\springerstylefile}
+% \thetime, \thedate and \timstamp are macros to include
+% time, date (or both) of the TeX run in the document
+\def\maketimestamp{\count255=\time
+\divide\count255 by 60\relax
+\edef\thetime{\the\count255:}%
+\multiply\count255 by-60\relax
+\advance\count255 by\time
+\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
+\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
+             Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
+             Nov\or Dec\fi-\number\year}
+\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
+\maketimestamp
+%
+% \footinfo generates a info footline on every page containing
+% pagenumber, jobname, macroname, and timestamp
+\def\ds@footinfo{\maketimestamp
+   \def\@oddfoot{\footnotesize\tt Page: \thepage\hfil job: \jobname\hfil
+                 macro: \SpringerMacroPackageNameA\hfil
+                 date/time: \thedate/\thetime}%
+   \let\@evenfoot=\@oddfoot}
+\def\footinfo{\maketimestamp
+   \ds@footinfo
+   \typeout{You ordered a foot-info line. }}
+\def\nofootinfo{%
+   \def\@oddfoot{}\def\@evenfoot{}%
+   \typeout{Foot-info has been disabled. }}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is vector.tex
+%
+% It redefines the plain TeX \vec command
+% and adds a \tens command for tensors
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% ##### (changed by RB)
+\def\vec@style{\relax} % hook to change style of vector
+                       % default yields boldface italic
+% \def\vec@style{\bf}  % hook to change style of vector
+%                      % default yields mathstyle i.e. boldface upright
+
+\def\vec#1{\relax\ifmmode\mathchoice
+{\mbox{\boldmath$\vec@style\displaystyle#1$}}
+{\mbox{\boldmath$\vec@style\textstyle#1$}}
+{\mbox{\boldmath$\vec@style\scriptstyle#1$}}
+{\mbox{\boldmath$\vec@style\scriptscriptstyle#1$}}\else
+\hbox{\boldmath$\vec@style\textstyle#1$}\fi}
+
+\def\tens#1{\relax\ifmmode\mathchoice{\mbox{$\sf\displaystyle#1$}}
+{\mbox{$\sf\textstyle#1$}}
+{\mbox{$\sf\scriptstyle#1$}}
+{\mbox{$\sf\scriptscriptstyle#1$}}\else
+\hbox{$\sf\textstyle#1$}\fi}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is vecstyle.tex
+%
+% It enables documentstyle options vecmath and vecphys
+% to change the vectors to upright bold face or
+% to math italic bold respectively
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\ds@vecmath{\def\vec@style{\bf}\typeout{Vectors are now represented
+in mathematics style as boldface upright characters.}}
+\def\ds@vecphys{\let\vec@style\relax\typeout{Vectors are now represented
+in physics style as boldface italics.}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is defaults.tex
+%
+% It sets the switches for twoside printing, numbering
+% of equations and kind of citation.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\@twosidetrue                       % twoside is default
+\newif\if@bibay    \@bibayfalse     % citation with numbers
+                                    % is default
+\newif\if@numart   \@numartfalse    % numbering with chapternumbers
+                                    % is default
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is misc.xxx
+%
+% It defines various commands not available in "plain LaTeX"
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\ts}{\thinspace{}}
+\newcommand{\sq}{\hbox{\rlap{$\sqcap$}$\sqcup$}}
+\newcommand{\qed}{\ifmmode\sq\else{\unskip\nobreak\hfil
+  \penalty50\hskip1em\null\nobreak\hfil\sq
+  \parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi{}}
+\def\D{{\rm d}}
+\def\E{{\rm e}}
+\let\eul=\E
+\def\I{{\rm i}}
+\let\imag=\I
+\def\strich{\vskip0.5cm\hrule\vskip3ptplus12pt\null}
+
+% Frame for paste-in figures or tables
+%\def\mpicplace#1#2{%#1 = width   #2 = height
+%\vbox{\@tempdima=#2\advance\@tempdima by-2\fboxrule
+%\hrule\@height \fboxrule\@width #1
+%\hbox to #1{\vrule\@width \fboxrule\@height\@tempdima\hfil
+%\vrule\@width \fboxrule\@height\@tempdima}\hrule\@height
+%\fboxrule\@width #1}}
+
+% #####
+% Frame for paste-in figures or tables
+\def\mpicplace#1#2{%  #1 =width   #2 =height
+\vbox{\hbox to #1{\vrule width \fboxrule height #2\hfill}}}
+
+\def\picplace#1{\mpicplace{\hsize}{#1}}
+% Ragged bottom for the actual page
+\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
+\global\let\@textbottom\relax}}
+\flushbottom
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is layout.m01
+%
+% It defines various sizes and settings for books
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\topmargin=0cm
+\textwidth=11.7cm
+\textheight=18.9cm
+\oddsidemargin=0.7cm
+\evensidemargin=0.7cm
+\headsep=12pt
+
+\baselineskip=12pt
+\parindent=15pt
+\parskip=0pt plus 1pt
+\hfuzz=2pt
+\frenchspacing
+
+\tolerance=500
+
+\abovedisplayskip=3mm plus6pt minus 4pt
+\belowdisplayskip=3mm plus6pt minus 4pt
+\abovedisplayshortskip=0mm plus6pt minus 2pt
+\belowdisplayshortskip=2mm plus4pt minus 4pt
+
+\predisplaypenalty=0
+\clubpenalty=10000
+\widowpenalty=10000
+
+\newdimen\betweenumberspace          % dimension for space between
+\betweenumberspace=5pt               % number and text of titles.
+\newdimen\headlineindent             % dimension for space between
+\headlineindent=2.5cc                % number and text of headings.
+
+\intextsep 20pt plus 2pt minus 2pt
+
+\setcounter{topnumber}{4}
+\def\topfraction{.9}
+\setcounter{bottomnumber}{2}
+\def\bottomfraction{.5}
+\setcounter{totalnumber}{6}
+\def\textfraction{.2}
+\def\floatpagefraction{.5}
+
+% Figures and tables are processed in small print
+\def \@floatboxreset {%
+        \reset@font
+        \small
+        \@setnobreak
+        \@setminipage
+}
+\def\figure{\@float{figure}}
+\@namedef{figure*}{\@dblfloat{figure}}
+\def\table{\@float{table}}
+\@namedef{table*}{\@dblfloat{table}}
+\def\fps@figure{htbp}
+\def\fps@table{htbp}
+
+\labelsep=5\p@                       % measures for lists
+\leftmargini=17.777\p@
+\labelwidth\leftmargini\advance\labelwidth-\labelsep
+\leftmarginii=\leftmargini
+\leftmarginiii=\leftmargini
+\parsep=\parskip
+
+\def\@listI{\leftmargin\leftmargini
+        \parsep=\parskip
+        \topsep=\medskipamount
+        \itemsep=\parskip \advance\itemsep by -\parsep}
+\let\@listi\@listI
+\@listi
+
+\def\@listii{\leftmargin\leftmarginii
+        \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
+        \parsep=\parskip
+        \topsep=\z@
+        \itemsep=\parskip \advance\itemsep by -\parsep}
+\def\@listiii{\leftmargin\leftmarginiii
+        \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
+        \parsep=\parskip
+        \topsep=\z@
+        \itemsep=\parskip \advance\itemsep by -\parsep}
+%
+\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
+\abovedisplayskip=3mm plus6pt minus 4pt
+\belowdisplayskip=3mm plus6pt minus 4pt
+\abovedisplayshortskip=0mm plus6pt minus 2pt
+\belowdisplayshortskip=2mm plus4pt minus 4pt
+\let\@listi\@listI}   % Setting of \@listi added 9 Jun 87
+%
+\def\small{\@setsize\small{10pt}\ixpt\@ixpt
+\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@
+\belowdisplayskip \abovedisplayskip
+\abovedisplayshortskip \z@ plus2\p@
+\belowdisplayshortskip 4\p@ plus2\p@ minus2\p@
+\def\@listi{\leftmargin\leftmargini
+\topsep 4pt plus 2pt minus 2pt\parsep\parskip
+\itemsep\parskip}}
+%
+\def\itemize{\ifnum \@itemdepth >3 \@toodeep\else \advance\@itemdepth \@ne
+\ifnum \@itemdepth=1 \leftmargini=10\p@
+\labelwidth\leftmargini\advance\labelwidth-\labelsep
+\leftmarginii=\leftmargini \leftmarginiii=\leftmargini \fi
+\edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+\list{\csname\@itemitem\endcsname}{\def\makelabel##1{\rlap{##1}\hss}}\fi}
+%
+\newdimen\verbatimindent \verbatimindent\parindent
+\def\verbatim{\advance\@totalleftmargin by\verbatimindent
+\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
+%
+\let\footnotesize=\small
+%
+\def\petit{\par\addvspace{6pt}\small}
+\def\endpetit{\par\addvspace{6pt}}
+%
+\raggedbottom
+\normalsize  % Choose the normalsize font.
+% This is texte.tex
+% it defines various texts and their translations
+% called up with documentstyle options
+\def\abstractname{Summary.}
+\def\ackname{Acknowledgement.}
+\def\andname{and}
+\def\lastandname{, and}
+\def\appendixname{Appendix}
+\def\chaptername{Chapter}
+\def\claimname{Claim}
+\def\conjecturename{Conjecture}
+\def\contentsname{Table of Contents}
+\def\corollaryname{Corollary}
+\def\definitionname{Definition}
+\def\examplename{Example}
+\def\exercisename{Exercise}
+\def\figurename{Fig.}
+\def\keywordname{{\bf Key words:}}
+\def\indexname{Index}
+\def\lemmaname{Lemma}
+\def\contriblistname{List of Contributors}
+\def\listfigurename{List of Figures}
+\def\listtablename{List of Tables}
+\def\mailname{{\it Correspondence to\/}:}
+\def\noteaddname{Note added in proof}
+\def\notename{Note}
+\def\partname{Part}
+\def\problemname{Problem}
+\def\proofname{Proof}
+\def\propertyname{Property}
+\def\propositionname{Proposition}
+\def\questionname{Question}
+\def\remarkname{Remark}
+\def\seename{see}
+\def\solutionname{Solution}
+\def\subclassname{{\it Subject Classifications\/}:}
+\def\tablename{Table}
+\def\theoremname{Theorem}
+% Names of theorem like environments are already defined
+% but must be translated if another language is chosen
+%
+% French section
+\def\ds@francais{\typeout{On parle francais.}%
+ \def\abstractname{R\'esum\'e.}%
+ \def\ackname{Remerciements.}%
+ \def\andname{et}%
+ \def\lastandname{ et}%
+ \def\appendixname{Appendice}
+ \def\chaptername{Chapitre}%
+ \def\claimname{Pr\'etention}%
+ \def\conjecturename{Hypoth\`ese}%
+ \def\contentsname{Table des mati\`eres}%
+ \def\corollaryname{Corollaire}%
+ \def\definitionname{D\'efinition}%
+ \def\examplename{Exemple}%
+ \def\exercisename{Exercice}%
+ \def\figurename{Fig.}%
+ \def\keywordname{{\bf Mots-cl\'e:}}
+ \def\indexname{Index}
+ \def\lemmaname{Lemme}%
+ \def\contriblistname{Liste des contributeurs}
+ \def\listfigurename{Liste des figures}%
+ \def\listtablename{Liste des tables}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
+ \def\notename{Remarque}%
+ \def\partname{Partie}%
+ \def\problemname{Probl\`eme}%
+ \def\proofname{\'Epreuve}%
+ \def\propertyname{Caract\'eristique}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Question}%
+ \def\remarkname{Remarque}%
+ \def\seename{voir}
+ \def\solutionname{Solution}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tableau}%
+ \def\theoremname{Th\'eor\`eme}%
+}
+%
+% German section
+\def\ds@deutsch{\typeout{Man spricht deutsch.}%
+ \def\abstractname{Zusammenfassung.}%
+ \def\ackname{Danksagung.}%
+ \def\andname{und}%
+ \def\lastandname{ und}%
+ \def\appendixname{Anhang}%
+ \def\chaptername{Kapitel}%
+ \def\claimname{Behauptung}%
+ \def\conjecturename{Hypothese}%
+ \def\contentsname{Inhaltsverzeichnis}%
+ \def\corollaryname{Korollar}%
+%\def\definitionname{Definition}%
+ \def\examplename{Beispiel}%
+ \def\exercisename{\"Ubung}%
+ \def\figurename{Abb.}%
+ \def\keywordname{{\bf Schl\"usselw\"orter:}}
+ \def\indexname{Index}
+%\def\lemmaname{Lemma}%
+ \def\contriblistname{Mitarbeiter}
+ \def\listfigurename{Abbildungsverzeichnis}%
+ \def\listtablename{Tabellenverzeichnis}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Nachtrag}%
+ \def\notename{Anmerkung}%
+ \def\partname{Teil}%
+%\def\problemname{Problem}%
+ \def\proofname{Beweis}%
+ \def\propertyname{Eigenschaft}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Frage}%
+ \def\remarkname{Anmerkung}%
+ \def\seename{siehe}
+ \def\solutionname{L\"osung}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tabelle}%
+%\def\theoremname{Theorem}%
+}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is titneu.xxx
+%
+% It redefines titles. Usage is like Lamport described.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\setcounter{secnumdepth}{2}           % depth of the highest-level
+                                      % sectioning command
+\newcounter{chapter}                  % to use chapter together with
+\@addtoreset{section}{chapter}        % article.sty
+\@addtoreset{footnote}{chapter}
+
+\def\thechapter{\arabic{chapter}}     % how titles will be typeset
+\def\thesection{\thechapter.\arabic{section}}
+\def\thesubsection{\thesection.\arabic{subsection}}
+\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
+\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
+\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
+\def\chaptermark#1{}
+\def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
+      \hangindent \z@\noindent\box\@tempboxa}
+
+% definition of chapter
+
+\def\@chapapp{\chaptername}
+
+\def\@makechapterhead#1{{\parindent0pt\raggedright
+  \hyphenpenalty \@M
+  \Large\bf\boldmath
+  \sec@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
+  \ignorespaces#1\par
+  \ifdim\pagetotal>118pt
+     \vskip 24pt
+  \else
+     \@tempdima=118pt\advance\@tempdima by-\pagetotal
+     \vskip\@tempdima
+  \fi}}
+
+\def\@makeschapterhead#1{{\parindent0pt\raggedright
+  \hyphenpenalty \@M
+  \Large\bf\boldmath
+  \ignorespaces#1\par
+  \ifdim\pagetotal>118pt
+     \vskip 24pt
+  \else
+     \@tempdima=118pt\advance\@tempdima by-\pagetotal
+     \vskip\@tempdima
+  \fi}}
+
+\newcommand{\clearemptydoublepage}{%
+        \newpage{\pagestyle{empty}\cleardoublepage}}
+
+\def\chapter{\clearemptydoublepage\thispagestyle{empty}
+   \global\@topnum\z@\@afterindentfalse
+   \secdef\@chapter\@schapter}
+
+\def\@chapter[#1]#2{\ifnum\c@secnumdepth>\m@ne
+   \refstepcounter{chapter}
+   \typeout{\@chapapp\space\thechapter}
+   \addcontentsline{toc}{chapter}{\protect
+      \numberline{\thechapter\thechapterend}#1}\else %!!!
+      \addcontentsline{toc}{chapter}{#1}
+   \fi
+   \chaptermark{#1}
+   \addtocontents{lof}{\protect\addvspace{10pt}}
+   \addtocontents{lot}{\protect\addvspace{10pt}}
+   \if@twocolumn
+       \@topnewpage[\@makechapterhead{#2}]
+   \else \@makechapterhead{#2}
+           \@afterheading
+   \fi}
+
+\def\@schapter#1{\if@twocolumn\@topnewpage[\@makeschapterhead{#1}]
+        \else \@makeschapterhead{#1}
+              \@afterheading\fi}
+
+% Appendix
+\def\appendix{\par
+  \setcounter{chapter}{0}%
+  \setcounter{section}{0}%
+  \def\@chapapp{\appendixname}%
+  \def\thechapter{\Alph{chapter}}}
+
+%  definition of sections
+%  \hyphenpenalty and \raggedright added, so that there is no
+%  hyphenation and the text is set ragged-right in sectioning
+
+\def\runinsep{.}
+\def\aftertext{\unskip\runinsep}
+
+\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
+   \let\@svsec\@empty\else
+   \refstepcounter{#1}\edef\@svsec{\csname the#1\endcsname
+                                   \hskip\betweenumberspace
+                                   \ignorespaces}\fi
+   \@tempskipa #5\relax
+    \ifdim \@tempskipa>\z@
+      \begingroup #6\relax
+        \sec@hangfrom{\hskip #3\relax\@svsec}{%
+        \raggedright
+        \hyphenpenalty \@M
+        \interlinepenalty \@M #8\par}%
+      \endgroup
+     \csname #1mark\endcsname{#7}\addcontentsline
+       {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+                    \protect\numberline{\csname the#1\endcsname}\fi
+                  #7}\else
+     \def\@svsechd{#6\hskip #3\relax
+                \@svsec #8\aftertext\ignorespaces
+                    \csname #1mark\endcsname
+                    {#7}\addcontentsline
+                         {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+                           \protect\numberline{\csname the#1\endcsname}\fi
+                     #7}}\fi
+   \@xsect{#5}}
+
+% measures and setting of sections
+
+\def\section{\@startsection{section}{1}{\z@}%
+    {-25pt plus-4pt minus-4pt}{12.5pt plus4pt
+     minus4pt}{\large\bf\boldmath}}
+\def\subsection{\@startsection{subsection}{2}{\z@}%
+    {-17pt plus-4pt minus-4pt}{10pt plus4pt
+     minus4pt}{\normalsize\bf\boldmath}}
+\def\subsubsection{\@startsection{subsubsection}{3}{\z@}%
+    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\bf\boldmath}}
+\def\paragraph{\@startsection{paragraph}{4}{\z@}%
+    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
+\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
+    {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
+
+%  definition of \part
+\def\thepart{\Roman{part}}
+\def\part{\clearemptydoublepage   % Starts new page.
+   \thispagestyle{empty}     % Page style of part page is empty
+  \if@twocolumn              % IF two-column style
+     \onecolumn              %  THEN \onecolumn
+     \@tempswatrue           %       @tempswa := true
+    \else \@tempswafalse     %  ELSE @tempswa := false
+  \fi                        % FI
+% \hbox{}\vfil               % Add fil glue to center title
+%%  \bgroup  \centering      % BEGIN centering %% Removed 19 Jan 88
+  \secdef\@part\@spart}
+
+
+\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax  % IF secnumdepth > -2
+        \refstepcounter{part}                     %   THEN step part counter
+        \addcontentsline{toc}{part}{\partname\    %        add toc line
+        \thepart. #1}\else                        %   ELSE add unnumbered line
+        \addcontentsline{toc}{part}{#1}\fi        % FI
+   \markboth{}{}
+   {\raggedleft                      % added 8.1.92 FUH
+    \ifnum \c@secnumdepth >-2\relax  % IF secnumdepth > -2
+      \Large\partname\ \thepart      %   THEN Print 'Part' and number
+    \par                             %         in \Large
+    \vskip 103.3pt \fi               %        Add space before title.
+    \bf\boldmath                     % FI
+    #2\par}\@endpart}                % Print Title in \Large bold.
+
+
+% \@endpart finishes the part page
+%
+\def\@endpart{\vfil\newpage   % End page with 1fil glue.
+   \if@twoside                % IF twoside printing
+       \hbox{}                %   THEN Produce totally blank page
+       \thispagestyle{empty}
+       \newpage
+   \fi                        % FI
+   \if@tempswa                % IF @tempswa = true
+     \twocolumn               %   THEN \twocolumn
+   \fi}                       % FI
+
+\def\@spart#1{{\raggedleft     % added 8 Jan 92 FUH
+   \Large\bf\boldmath          % Print title in \Large-boldface
+   #1\par}\@endpart}
+
+\def\subtitle#1{\gdef\@subtitle{#1}}
+\def\@subtitle{}
+
+\def\maketitle{\par
+ \begingroup
+   \def\thefootnote{\fnsymbol{footnote}}%
+   \def\@makefnmark{\hbox
+       to\z@{$\m@th^{\@thefnmark}$\hss}}%
+   \if@twocolumn
+     \twocolumn[\@maketitle]%
+     \else \newpage
+     \global\@topnum\z@   % Prevents figures from going at top of page.
+     \@maketitle \fi\thispagestyle{empty}\@thanks
+     \par\penalty -\@M
+ \endgroup
+ \setcounter{footnote}{0}%
+ \let\maketitle\relax
+ \let\@maketitle\relax
+ \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
+
+\def\@maketitle{\newpage
+ \null
+ \vskip 2em                 % Vertical space above title.
+\begingroup
+  \def\and{\unskip, }
+  \parindent=\z@
+  \pretolerance=10000
+  \rightskip=0pt plus 3cm
+  {\LARGE                   % each author set in \LARGE
+   \lineskip .5em
+   \@author
+   \par}%
+  \vskip 2cm                % Vertical space after author.
+  {\Huge \@title \par}%     % Title set in \Huge size.
+  \vskip 1cm                % Vertical space after title.
+  \if!\@subtitle!\else
+   {\LARGE\ignorespaces\@subtitle \par}
+   \vskip 1cm                % Vertical space after subtitle.
+  \fi
+  \if!\@date!\else
+    {\large \@date}%          % Date set in \large size.
+    \par
+    \vskip 1.5em               % Vertical space after date.
+  \fi
+ \vfill
+ {\Large Springer-\kern-0.1em Verlag\par}
+ \vskip 5pt
+ \large
+   Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
+   London\enspace Paris\enspace Tokyo\\
+   Hong\thinspace Kong\enspace Barcelona\\
+   Budapest\par
+\endgroup}
+
+\def\abstract{\if@twocolumn
+\section*{\abstractname}%
+\else \small
+\begin{center}%
+{\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
+\end{center}%
+\quotation
+\fi}
+
+\def\endabstract{\if@twocolumn\else\endquotation\fi}
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is toc.xxx
+%
+% it modifies the appearence of the table of contents
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+
+\setcounter{tocdepth}{2}
+
+\def\l@part#1#2{\addpenalty{\@secpenalty}%
+   \addvspace{2em plus\p@}%  % space above part line
+   \begingroup
+     \parindent \z@
+     \rightskip \z@ plus 5em
+     \hrule\vskip5pt
+     \bf\boldmath        % set line in boldface
+     \leavevmode          % TeX command to enter horizontal mode.
+     #1\par
+     \vskip5pt
+     \hrule
+     \vskip1pt
+     \nobreak             % Never break after part entry
+   \endgroup}
+
+\def\@dotsep{2}
+
+\def\l@chapter#1#2{\addpenalty{-\@highpenalty}
+ \vskip 1.0em plus 1pt \@tempdima \tocchpnum \begingroup
+ \parindent \z@ \rightskip \@pnumwidth
+ \parfillskip -\@pnumwidth
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ {\bf\boldmath#1}\nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hss #2}\par
+ \penalty\@highpenalty \endgroup}
+
+\newdimen\tocchpnum
+\newdimen\tocsecnum
+\newdimen\tocsectotal
+\newdimen\tocsubsecnum
+\newdimen\tocsubsectotal
+\newdimen\tocsubsubsecnum
+\newdimen\tocsubsubsectotal
+\newdimen\tocparanum
+\newdimen\tocparatotal
+\newdimen\tocsubparanum
+\tocchpnum=20\p@            % chapter {\bf 88.} plus 5.3pt
+\tocsecnum=22.5\p@          % section 88.8. plus 4.722pt
+\tocsubsecnum=30.5\p@       % subsection 88.8.8 plus 4.944pt
+\tocsubsubsecnum=38\p@      % subsubsection 88.8.8.8 plus 4.666pt
+\tocparanum=45\p@           % paragraph 88.8.8.8.8 plus 3.888pt
+\tocsubparanum=53\p@        % subparagraph 88.8.8.8.8.8 plus 4.11pt
+\def\calctocindent{%
+\tocsectotal=\tocchpnum
+\advance\tocsectotal by\tocsecnum
+\tocsubsectotal=\tocsectotal
+\advance\tocsubsectotal by\tocsubsecnum
+\tocsubsubsectotal=\tocsubsectotal
+\advance\tocsubsubsectotal by\tocsubsubsecnum
+\tocparatotal=\tocsubsubsectotal
+\advance\tocparatotal by\tocparanum}
+\calctocindent
+
+\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
+\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
+\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
+\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
+\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
+
+\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
+ \@starttoc{lof}\if@restonecol\twocolumn\fi}
+\def\l@figure{\@dottedtocline{1}{0em}{\tocsecnum}}
+
+\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
+ \@starttoc{lot}\if@restonecol\twocolumn\fi}
+\let\l@table\l@figure
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is runnhead.xxx
+%
+% It redefines the headings of a text. There are two
+% pagestyles possible: "\pagestyle{headings}" and
+% "\pagestyle{myheadings}". "\pagestyle{headings}" is
+% default.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+\@ifundefined{thechapterend}{\def\thechapterend{.}}{}
+\if@twoside
+\def\ps@headings{\let\@mkboth\markboth
+   \def\@oddfoot{}\def\@evenfoot{}
+   \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
+                  \leftmark\hfil}
+   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+                  \llap{\thepage}}
+   \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
+      \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
+      \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
+   \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
+      \thesection\hskip\betweenumberspace\fi ##1}}}}
+\else \def\ps@headings{\let\@mkboth\markboth
+   \def\@oddfoot{}\def\@evenfoot{}
+   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+                 \llap{\thepage}}
+   \def\chaptermark##1{\markright{{\ifnum\c@secnumdepth>\m@ne
+      \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}} %!!!
+\fi
+\def\ps@myheadings{\let\@mkboth\@gobbletwo
+   \def\@oddfoot{}\def\@evenfoot{}
+   \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
+                  \leftmark\hfil}
+   \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+                  \llap{\thepage}}
+   \def\chaptermark##1{}
+   \def\sectionmark##1{}%
+   \def\subsectionmark##1{}}
+\ps@headings
+
+% Definition of the "\spnewtheorem" command.
+%
+% Usage:
+%
+%     \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
+% or  \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
+% or  \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
+%
+% New is "cap_font" and "body_font". It stands for
+% fontdefinition of the caption and the text itself.
+%
+% "\spnewtheorem*" gives a theorem without number.
+%
+% A defined spnewthoerem environment is used as described
+% by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\let\if@envcntreset\iffalse % environment counter is reset each chapter
+\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue}
+\let\if@envcntsame\iffalse  % NOT all environments like "Theorem",
+                            % each using its own counter
+\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
+\def\envankh{section}       % show \thesection along with theorem number
+\DeclareOption{envcountchap}{\def\envankh{chapter}%
+\ExecuteOptions{envcountsect}}
+\let\if@envcntsect\iftrue   % show \csname the\envankh\endcsname along
+                            % with environment number
+\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue}
+\ProcessOptions
+
+\def\@thmcountersep{.}
+\def\@thmcounterend{.}
+
+\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
+
+% definition of \spnewtheorem with number
+
+\def\@spnthm#1#2{%
+  \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
+
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+   {\@definecounter{#1}\@addtoreset{#1}{#3}%
+   \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+     \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+   \expandafter\xdef\csname #1name\endcsname{#2}%
+   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+                              \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+   {\@definecounter{#1}%
+   \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+   \expandafter\xdef\csname #1name\endcsname{#2}%
+   \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+                               \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spothm#1[#2]#3#4#5{%
+  \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+  {\expandafter\@ifdefinable\csname #1\endcsname
+  {\global\@namedef{the#1}{\@nameuse{the#2}}%
+  \expandafter\xdef\csname #1name\endcsname{#3}%
+  \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
+  \global\@namedef{end#1}{\@endtheorem}}}}
+
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\refstepcounter{#1}%
+\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
+
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+                    \ignorespaces}
+
+\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
+       the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+
+\def\@spbegintheorem#1#2#3#4{\trivlist
+                 \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
+
+\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
+      \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
+
+% definition of \spnewtheorem* without number
+
+\def\@sthm#1#2{\@Ynthm{#1}{#2}}
+
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+   {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+    \expandafter\xdef\csname #1name\endcsname{#2}%
+    \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
+
+\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
+
+\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
+       {#4}{#2}{#3}\ignorespaces}
+
+\def\@Begintheorem#1#2#3{#3\trivlist
+                           \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+
+\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
+      \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+
+% initialize theorem environment
+
+\if@envcntsect % show section counter
+   \def\@thmcountersep{.}
+   \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
+\else          % theorem counter only
+   \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+   \if@envcntreset
+      \@addtoreset{theorem}{section}
+   \else
+      \@addtoreset{theorem}{chapter}
+   \fi
+\fi
+
+%definition of divers theorem environments
+\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
+\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
+\if@envcntsame % all environments like "Theorem" - using its counter
+   \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % all environments with their own counter
+   \if@envcntsect % show section counter
+      \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
+   \else          % environment counter only
+      \if@envcntreset % environment counter is reset each section
+         \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+                                   \@addtoreset{#1}{section}}
+      \else
+         \let\spn@wtheorem=\@spynthm
+      \fi
+   \fi
+\fi
+\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
+\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
+\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
+\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
+\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
+%%LCP%% \spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
+\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
+\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
+\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
+\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
+\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
+\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
+\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
+\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
+
+\def\@takefromreset#1#2{%
+    \def\@tempa{#1}%
+    \let\@tempd\@elt
+    \def\@elt##1{%
+        \def\@tempb{##1}%
+        \ifx\@tempa\@tempb\else
+            \@addtoreset{##1}{#2}%
+        \fi}%
+    \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+    \expandafter\def\csname cl@#2\endcsname{}%
+    \@tempc
+    \let\@elt\@tempd}
+
+\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+      \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+                  \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+      \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
+      }
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%%             This is figure.neu
+%%
+%% It redefines the captions for "figure" and "table"
+%% environments.
+%%
+%% There are three new kind of captions: "\firstcaption"
+%% and "\secondcaption" for captions set side by side.
+%% Usage for those two commands: like "\caption".
+%%
+%% "\sidecaption" with two parms: #1 width of picture
+%%                                #2 height of picture
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
+\def\floatcounterend{.\ }
+\def\capstrut{\vrule\@width\z@\@height\topskip}
+\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
+\@ifundefined{instindent}{\newdimen\instindent}{}
+
+\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
+  ext@#1\endcsname}{#1}{\protect\numberline{\csname
+  the#1\endcsname}{\ignorespaces #2}}\begingroup
+    \@parboxrestore
+    \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+  \endgroup}
+
+\def\firstcaption{\refstepcounter\@captype\@dblarg%
+            {\@firstcaption\@captype}}
+
+\def\secondcaption{\refstepcounter\@captype\@dblarg%
+            {\@secondcaption\@captype}}
+
+\long\def\@firstcaption#1[#2]#3{\addcontentsline{\csname
+  ext@#1\endcsname}{#1}{\protect\numberline{\csname
+  the#1\endcsname}{\ignorespaces #2}}\begingroup
+    \@parboxrestore
+    \vskip3pt
+    \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
+    \ignorespaces\hspace{.073\textwidth}\hfil%
+  \endgroup}
+
+\long\def\@secondcaption#1[#2]#3{\addcontentsline{\csname
+  ext@#1\endcsname}{#1}{\protect\numberline{\csname
+  the#1\endcsname}{\ignorespaces #2}}\begingroup
+    \@parboxrestore
+    \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+  \endgroup}
+
+\long\def\@maketwocaptions#1#2{%
+   \parbox[t]{.46\textwidth}{{\floatlegendstyle #1\floatcounterend} #2}}
+
+\newdimen\figgap\figgap=14.2pt
+%
+\long\def\@makesidecaption#1#2{%
+   \setbox0=\vbox{\hsize=\@tempdima
+                  \captionstyle{\floatlegendstyle
+                                         #1\floatcounterend}#2}%
+   \ifdim\instindent<\z@
+      \ifdim\ht0>-\instindent
+         \advance\instindent by\ht0
+         \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+                     \@captype\space\csname the\@captype\endcsname
+                  ^^Jis \the\instindent\space taller than the corresponding float -
+                  ^^Jyou'd better switch the environment. }%
+         \instindent\z@
+      \fi
+   \else
+      \ifdim\ht0<\instindent
+         \advance\instindent by-\ht0
+         \advance\instindent by-\dp0\relax
+         \advance\instindent by\topskip
+         \advance\instindent by-11pt
+      \else
+         \advance\instindent by-\ht0
+         \instindent=-\instindent
+         \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+                     \@captype\space\csname the\@captype\endcsname
+                  ^^Jis \the\instindent\space taller than the corresponding float -
+                  ^^Jyou'd better switch the environment. }%
+         \instindent\z@
+      \fi
+   \fi
+   \parbox[b]{\@tempdima}{\captionstyle{\floatlegendstyle
+                                        #1\floatcounterend}#2%
+                          \ifdim\instindent>\z@ \\
+                               \vrule\@width\z@\@height\instindent
+                                     \@depth\z@
+                          \fi}}
+\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
+\def\sidec@ption[#1]#2\caption{%
+\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
+\if@twocolumn
+ \ifdim\hsize<\textwidth\else
+   \ifdim\wd\@tempboxa<\columnwidth
+      \typeout{Double column float fits into single column -
+            ^^Jyou'd better switch the environment. }%
+   \fi
+ \fi
+\fi
+  \instindent=\ht\@tempboxa
+  \advance\instindent by\dp\@tempboxa
+\if t#1
+\else
+  \instindent=-\instindent
+\fi
+\@tempdima=\hsize
+\advance\@tempdima by-\figgap
+\advance\@tempdima by-\wd\@tempboxa
+\ifdim\@tempdima<3cm
+    \typeout{\string\sidecaption: No sufficient room for the legend;
+             using normal \string\caption. }%
+   \unhbox\@tempboxa
+   \let\@capcommand=\@caption
+\else
+   \ifdim\@tempdima<4.5cm
+      \typeout{\string\sidecaption: Room for the legend very narrow;
+               using \string\raggedright. }%
+      \toks@\expandafter{\captionstyle\sloppy
+                         \rightskip=0ptplus6mm\relax}%
+      \def\captionstyle{\the\toks@}%
+   \fi
+   \let\@capcommand=\@sidecaption
+   \leavevmode
+   \unhbox\@tempboxa
+   \hfill
+\fi
+\refstepcounter\@captype
+\@dblarg{\@capcommand\@captype}}
+\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
+  ext@#1\endcsname}{#1}{\protect\numberline{\csname
+  the#1\endcsname}{\ignorespaces #2}}\begingroup
+    \@parboxrestore
+    \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+  \endgroup}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\fig@type{figure}
+
+\def\leftlegendglue{\hfil}
+\newdimen\figcapgap\figcapgap=3pt
+\newdimen\tabcapgap\tabcapgap=5.5pt
+
+\long\def\@makecaption#1#2{%
+ \captionstyle
+ \ifx\@captype\fig@type
+   \vskip\figcapgap
+ \fi
+ \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
+ \capstrut #2}%
+ \ifdim \wd\@tempboxa >\hsize
+   {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
+ \else
+   \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
+ \fi
+ \ifx\@captype\fig@type\else
+   \vskip\tabcapgap
+ \fi}
+
+\newcounter{merk}
+\def\endfigure{\resetsubfig\end@float}
+\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
+\let\resetsubfig\relax
+\def\subfigures{\stepcounter{figure}\setcounter{merk}{\value{figure}}%
+\setcounter{figure}{0}\def\thefigure{\if@numart\else\thechapter.\fi
+\@arabic\c@merk\alph{figure}}%
+\def\resetsubfig{\setcounter{figure}{\value{merk}}}}
+\let\leftlegendglue\relax
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Definition of environment  thebibliography
+%
+% Borrowed from book.cls
+%
+% by lcp
+
+\newcommand\bibname{Bibliography}
+\setlength\bibindent{1.5em}
+\renewenvironment{thebibliography}[1]
+     {\chapter*{\bibname
+        \@mkboth{\MakeUppercase\bibname}{\MakeUppercase\bibname}}%
+      \list{\@biblabel{\@arabic\c@enumiv}}%
+           {\settowidth\labelwidth{\@biblabel{#1}}%
+            \leftmargin\labelwidth
+            \advance\leftmargin\labelsep
+            \@openbib@code
+            \usecounter{enumiv}%
+            \let\p@enumiv\@empty
+            \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+      \sloppy
+      \clubpenalty4000
+      \@clubpenalty \clubpenalty
+      \widowpenalty4000%
+      \sfcode`\.\@m}
+     {\def\@noitemerr
+       {\@latex@warning{Empty `thebibliography' environment}}%
+      \endlist}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is fonotebk.xxx
+%
+% It redefines how footnotes will be typeset.
+%
+% Usage like described by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newdimen\footnoterulewidth
+  \footnoterulewidth=1.666cm
+
+\def\footnoterule{\kern-3\p@
+ \hrule width\footnoterulewidth
+ \kern 2.6\p@}
+
+\newdimen\foot@parindent
+\foot@parindent 10.83\p@
+
+%\long\def\@makefntext#1{\parindent\foot@parindent\noindent
+%         \hbox to\foot@parindent{\hss$\m@th^{\@thefnmark}$\kern3pt}#1}
+\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
+         \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
+         \@tempdima}\par
+         \parindent \foot@parindent\noindent \hbox to \z@{%
+         \hss\hss$^{\@thefnmark}$ }#1}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is environ.tex
+%
+% It defines the environment for acknowledgements.
+%                            and noteadd
+%
+% Usage e.g.: \begin{acknowledgement}
+%                Text
+%             \end{acknowledgement}
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% Define `abstract' environment
+\def\acknowledgement{\par\addvspace{17pt}\small\rm
+\trivlist\item[\hskip\labelsep
+{\it\ackname}]}
+\def\endacknowledgement{\endtrivlist\addvspace{6pt}}
+% Define `noteadd' environment
+\def\noteadd{\par\addvspace{17pt}\small\rm
+\trivlist\item[\hskip\labelsep
+{\it\noteaddname}]}
+\def\endnoteadd{\endtrivlist\addvspace{6pt}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is item.xxx
+%
+% It redefines the kind of label for "itemize", "enumerate"
+% and "description" environment. The last is extended by
+% an optional parameter. Its length is used for overall
+% indentation.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% labels of enumerate
+
+\def\labelenumi{\theenumi.}
+\def\labelenumii{\theenumii)}
+\def\theenumii{\alph{enumii}}
+\def\p@enumii{\theenumi}
+
+% labels of itemize
+
+\def\labelitemi{\bf --}
+\def\labelitemii{\bf --}
+\def\labelitemiii{$\bullet$}
+\def\labelitemiv{$\cdot$}
+
+% labels of description
+\def\descriptionlabel#1{\hspace\labelsep #1\hfil}
+
+% make indentations changeable
+
+\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
+        \leftmargini\labelwidth
+        \advance\leftmargini\labelsep
+   \def\@listi{\leftmargin\leftmargini
+        \labelwidth\leftmargini\advance\labelwidth by -\labelsep
+        \parsep=\parskip
+        \topsep=\medskipamount
+        \itemsep=\parskip \advance\itemsep by -\parsep}}
+\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
+        \leftmarginii\labelwidth
+        \advance\leftmarginii\labelsep
+\def\@listii{\leftmargin\leftmarginii
+        \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
+        \parsep=\parskip
+        \topsep=\z@
+        \itemsep=\parskip \advance\itemsep by -\parsep}}
+%
+% adjusted environment "description"
+% if an optional parameter (at the first two levels of lists)
+% is present, its width is considered to be the widest mark
+% throughout the current list.
+\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
+          \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
+%
+\def\describelabel#1{#1\hfil}
+\def\@describe[#1]{\relax\ifnum\@listdepth=0
+\setitemindent{#1}\else\ifnum\@listdepth=1
+\setitemitemindent{#1}\fi\fi
+\list{--}{\let\makelabel\describelabel}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is index.xxx
+%
+% It defines miscelaneous addons used for the preparation
+% of an index.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\theindex{\@restonecoltrue\if@twocolumn\@restonecolfalse\fi
+\columnseprule \z@
+\columnsep 1cc\twocolumn[\@makeschapterhead{\indexname}%
+    \csname indexstarthook\endcsname]%
+    \@mkboth{\indexname}{\indexname}%
+    \thispagestyle{empty}\parindent\z@
+    \rightskip0\p@ plus 40\p@
+    \parskip\z@ plus .3\p@\relax\let\item\@idxitem
+    \def\,{\relax\ifmmode\mskip\thinmuskip
+           \else\hskip0.2em\ignorespaces\fi}%
+    \small\rm}
+
+\def\idxquad{\hskip 10\p@}% space that divides entry from number
+
+\def\@idxitem{\par\hangindent 10\p@}
+
+\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
+                \noindent\hangindent\wd0\box0}% index entry
+
+\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
+                \noindent\hangindent\wd0\box0}% order index entry
+
+\def\endtheindex{\if@restonecol\onecolumn\else\clearpage\fi}
+
+\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+%             This is numberbk.xxx
+%
+% It redefines the kind of numeration for figures,
+% tables and equations. With style option "numart" they
+% are numbered with "no.", otherwise with "kapno.no."
+%
+% e.g. \documentstyle[numart]{article} gives a
+% numbering like in article.sty defined.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\@takefromreset#1#2{%
+    \def\@tempa{#1}%
+    \let\@tempd\@elt
+    \def\@elt##1{%
+        \def\@tempb{##1}%
+        \ifx\@tempa\@tempb\else
+            \@addtoreset{##1}{#2}%
+        \fi}%
+    \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+    \expandafter\def\csname cl@#2\endcsname{}%
+    \@tempc
+    \let\@elt\@tempd
+}
+%
+\def\ds@numart{\@numarttrue
+  \@takefromreset{figure}{chapter}%
+  \@takefromreset{table}{chapter}%
+  \@takefromreset{equation}{chapter}%
+  \def\thefigure{\@arabic\c@figure}%
+  \def\thetable{\@arabic\c@table}%
+  \def\theequation{\arabic{equation}}}
+%
+\def\thefigure{\thechapter.\@arabic\c@figure}
+\def\thetable{\thechapter.\@arabic\c@table}
+\def\theequation{\thechapter.\arabic{equation}}
+\@addtoreset{figure}{chapter}
+\@addtoreset{table}{chapter}
+\@addtoreset{equation}{chapter}
+\endinput
+
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/ctl0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,6 @@
+\index{model checking example|(}%
+\index{lfp@{\texttt{lfp}}!applications of|see{CTL}}
+\input{Base.tex}
+\input{PDL.tex}
+\input{CTL.tex}
+\index{model checking example|)}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/documents0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,24 @@
+
+\chapter{Presenting Theories}
+\label{ch:thy-present}
+
+By now the reader should have become sufficiently acquainted with elementary
+theory development in Isabelle/HOL\@.  The following interlude describes
+how to present theories in a typographically
+pleasing manner.  Isabelle provides a rich infrastructure for concrete syntax
+of the underlying $\lambda$-calculus language (see
+{\S}\ref{sec:concrete-syntax}), as well as document preparation of theory texts
+based on existing PDF-{\LaTeX} technology (see
+{\S}\ref{sec:document-preparation}).
+
+As pointed out by Leibniz\index{Leibniz, Gottfried Wilhelm} more than 300
+years ago, \emph{notions} are in principle more important than
+\emph{notations}, but suggestive textual representation of ideas is vital to
+reduce the mental effort to comprehend and apply them.
+
+\input{Documents.tex}
+
+%%% Local Variables: 
+%%% mode: latex
+%%% TeX-master: t
+%%% End: 
--- a/doc-src/TutorialI/document/fakenat.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,42 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{fakenat}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-The type \tydx{nat} of natural
-numbers is predefined to have the constructors \cdx{0} and~\cdx{Suc}.  It  behaves as if it were declared like this:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{datatype}\isamarkupfalse%
-\ nat\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ nat%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/find2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,101 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{find{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\index{finding theorems}\index{searching theorems} In
-\S\ref{sec:find}, we introduced Proof General's \pgmenu{Find} button
-for finding theorems in the database via pattern matching. If we are
-inside a proof, we can be more specific; we can search for introduction,
-elimination and destruction rules \emph{with respect to the current goal}.
-For this purpose, \pgmenu{Find} provides three aditional search criteria:
-\texttt{intro}, \texttt{elim} and \texttt{dest}.
-
-For example, given the goal \begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B%
-\end{isabelle}
-you can click on \pgmenu{Find} and type in the search expression
-\texttt{intro}. You will be shown a few rules ending in \isa{{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q},
-among them \isa{conjI}\@. You may even discover that
-the very theorem you are trying to prove is already in the
-database.  Given the goal%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\vspace{-\bigskipamount}
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ A%
-\end{isabelle}
-the search for \texttt{intro} finds not just \isa{impI}
-but also \isa{imp{\isaliteral{5F}{\isacharunderscore}}refl}: \isa{{\isaliteral{3F}{\isacharquery}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ {\isaliteral{3F}{\isacharquery}}P}.
-
-As before, search criteria can be combined freely: for example,
-\begin{ttbox}
-"_ \at\ _"  intro
-\end{ttbox}
-searches for all introduction rules that match the current goal and
-mention the \isa{{\isaliteral{40}{\isacharat}}} function.
-
-Searching for elimination and destruction rules via \texttt{elim} and
-\texttt{dest} is analogous to \texttt{intro} but takes the assumptions
-into account, too.%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/fp.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,484 @@
+\chapter{Functional Programming in HOL}
+
+This chapter describes how to write
+functional programs in HOL and how to verify them.  However, 
+most of the constructs and
+proof procedures introduced are general and recur in any specification
+or verification task.  We really should speak of functional
+\emph{modelling} rather than functional \emph{programming}: 
+our primary aim is not
+to write programs but to design abstract models of systems.  HOL is
+a specification language that goes well beyond what can be expressed as a
+program. However, for the time being we concentrate on the computable.
+
+If you are a purist functional programmer, please note that all functions
+in HOL must be total:
+they must terminate for all inputs.  Lazy data structures are not
+directly available.
+
+\section{An Introductory Theory}
+\label{sec:intro-theory}
+
+Functional programming needs datatypes and functions. Both of them can be
+defined in a theory with a syntax reminiscent of languages like ML or
+Haskell. As an example consider the theory in figure~\ref{fig:ToyList}.
+We will now examine it line by line.
+
+\begin{figure}[htbp]
+\begin{ttbox}\makeatother
+\input{ToyList1}\end{ttbox}
+\caption{A Theory of Lists}
+\label{fig:ToyList}
+\end{figure}
+
+\index{*ToyList example|(}
+{\makeatother\medskip\input{ToyList.tex}}
+
+The complete proof script is shown in Fig.\ts\ref{fig:ToyList-proofs}. The
+concatenation of Figs.\ts\ref{fig:ToyList} and~\ref{fig:ToyList-proofs}
+constitutes the complete theory \texttt{ToyList} and should reside in file
+\texttt{ToyList.thy}.
+% It is good practice to present all declarations and
+%definitions at the beginning of a theory to facilitate browsing.%
+\index{*ToyList example|)}
+
+\begin{figure}[htbp]
+\begin{ttbox}\makeatother
+\input{ToyList2}\end{ttbox}
+\caption{Proofs about Lists}
+\label{fig:ToyList-proofs}
+\end{figure}
+
+\subsubsection*{Review}
+
+This is the end of our toy proof. It should have familiarized you with
+\begin{itemize}
+\item the standard theorem proving procedure:
+state a goal (lemma or theorem); proceed with proof until a separate lemma is
+required; prove that lemma; come back to the original goal.
+\item a specific procedure that works well for functional programs:
+induction followed by all-out simplification via \isa{auto}.
+\item a basic repertoire of proof commands.
+\end{itemize}
+
+\begin{warn}
+It is tempting to think that all lemmas should have the \isa{simp} attribute
+just because this was the case in the example above. However, in that example
+all lemmas were equations, and the right-hand side was simpler than the
+left-hand side --- an ideal situation for simplification purposes. Unless
+this is clearly the case, novices should refrain from awarding a lemma the
+\isa{simp} attribute, which has a global effect. Instead, lemmas can be
+applied locally where they are needed, which is discussed in the following
+chapter.
+\end{warn}
+
+\section{Some Helpful Commands}
+\label{sec:commands-and-hints}
+
+This section discusses a few basic commands for manipulating the proof state
+and can be skipped by casual readers.
+
+There are two kinds of commands used during a proof: the actual proof
+commands and auxiliary commands for examining the proof state and controlling
+the display. Simple proof commands are of the form
+\commdx{apply}(\textit{method}), where \textit{method} is typically 
+\isa{induct_tac} or \isa{auto}.  All such theorem proving operations
+are referred to as \bfindex{methods}, and further ones are
+introduced throughout the tutorial.  Unless stated otherwise, you may
+assume that a method attacks merely the first subgoal. An exception is
+\isa{auto}, which tries to solve all subgoals.
+
+The most useful auxiliary commands are as follows:
+\begin{description}
+\item[Modifying the order of subgoals:]
+\commdx{defer} moves the first subgoal to the end and
+\commdx{prefer}~$n$ moves subgoal $n$ to the front.
+\item[Printing theorems:]
+  \commdx{thm}~\textit{name}$@1$~\dots~\textit{name}$@n$
+  prints the named theorems.
+\item[Reading terms and types:] \commdx{term}
+  \textit{string} reads, type-checks and prints the given string as a term in
+  the current context; the inferred type is output as well.
+  \commdx{typ} \textit{string} reads and prints the given
+  string as a type in the current context.
+\end{description}
+Further commands are found in the Isabelle/Isar Reference
+Manual~\cite{isabelle-isar-ref}.
+
+\begin{pgnote}
+Clicking on the \pgmenu{State} button redisplays the current proof state.
+This is helpful in case commands like \isacommand{thm} have overwritten it.
+\end{pgnote}
+
+We now examine Isabelle's functional programming constructs systematically,
+starting with inductive datatypes.
+
+
+\section{Datatypes}
+\label{sec:datatype}
+
+\index{datatypes|(}%
+Inductive datatypes are part of almost every non-trivial application of HOL.
+First we take another look at an important example, the datatype of
+lists, before we turn to datatypes in general. The section closes with a
+case study.
+
+
+\subsection{Lists}
+
+\index{*list (type)}%
+Lists are one of the essential datatypes in computing.  We expect that you
+are already familiar with their basic operations.
+Theory \isa{ToyList} is only a small fragment of HOL's predefined theory
+\thydx{List}\footnote{\url{http://isabelle.in.tum.de/library/HOL/List.html}}.
+The latter contains many further operations. For example, the functions
+\cdx{hd} (``head'') and \cdx{tl} (``tail'') return the first
+element and the remainder of a list. (However, pattern matching is usually
+preferable to \isa{hd} and \isa{tl}.)  
+Also available are higher-order functions like \isa{map} and \isa{filter}.
+Theory \isa{List} also contains
+more syntactic sugar: \isa{[}$x@1$\isa{,}\dots\isa{,}$x@n$\isa{]} abbreviates
+$x@1$\isa{\#}\dots\isa{\#}$x@n$\isa{\#[]}.  In the rest of the tutorial we
+always use HOL's predefined lists by building on theory \isa{Main}.
+\begin{warn}
+Looking ahead to sets and quanifiers in Part II:
+The best way to express that some element \isa{x} is in a list \isa{xs} is
+\isa{x $\in$ set xs}, where \isa{set} is a function that turns a list into the
+set of its elements.
+By the same device you can also write bounded quantifiers like
+\isa{$\forall$x $\in$ set xs} or embed lists in other set expressions.
+\end{warn}
+
+
+\subsection{The General Format}
+\label{sec:general-datatype}
+
+The general HOL \isacommand{datatype} definition is of the form
+\[
+\isacommand{datatype}~(\alpha@1, \dots, \alpha@n) \, t ~=~
+C@1~\tau@{11}~\dots~\tau@{1k@1} ~\mid~ \dots ~\mid~
+C@m~\tau@{m1}~\dots~\tau@{mk@m}
+\]
+where $\alpha@i$ are distinct type variables (the parameters), $C@i$ are distinct
+constructor names and $\tau@{ij}$ are types; it is customary to capitalize
+the first letter in constructor names. There are a number of
+restrictions (such as that the type should not be empty) detailed
+elsewhere~\cite{isabelle-HOL}. Isabelle notifies you if you violate them.
+
+Laws about datatypes, such as \isa{[] \isasymnoteq~x\#xs} and
+\isa{(x\#xs = y\#ys) = (x=y \isasymand~xs=ys)}, are used automatically
+during proofs by simplification.  The same is true for the equations in
+primitive recursive function definitions.
+
+Every\footnote{Except for advanced datatypes where the recursion involves
+``\isasymRightarrow'' as in {\S}\ref{sec:nested-fun-datatype}.} datatype $t$
+comes equipped with a \isa{size} function from $t$ into the natural numbers
+(see~{\S}\ref{sec:nat} below). For lists, \isa{size} is just the length, i.e.\
+\isa{size [] = 0} and \isa{size(x \# xs) = size xs + 1}.  In general,
+\cdx{size} returns
+\begin{itemize}
+\item zero for all constructors that do not have an argument of type $t$,
+\item one plus the sum of the sizes of all arguments of type~$t$,
+for all other constructors.
+\end{itemize}
+Note that because
+\isa{size} is defined on every datatype, it is overloaded; on lists
+\isa{size} is also called \sdx{length}, which is not overloaded.
+Isabelle will always show \isa{size} on lists as \isa{length}.
+
+
+\subsection{Primitive Recursion}
+
+\index{recursion!primitive}%
+Functions on datatypes are usually defined by recursion. In fact, most of the
+time they are defined by what is called \textbf{primitive recursion} over some
+datatype $t$. This means that the recursion equations must be of the form
+\[ f \, x@1 \, \dots \, (C \, y@1 \, \dots \, y@k)\, \dots \, x@n = r \]
+such that $C$ is a constructor of $t$ and all recursive calls of
+$f$ in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$. Thus
+Isabelle immediately sees that $f$ terminates because one (fixed!) argument
+becomes smaller with every recursive call. There must be at most one equation
+for each constructor.  Their order is immaterial.
+A more general method for defining total recursive functions is introduced in
+{\S}\ref{sec:fun}.
+
+\begin{exercise}\label{ex:Tree}
+\input{Tree.tex}%
+\end{exercise}
+
+\input{case_exprs.tex}
+
+\input{Ifexpr.tex}
+\index{datatypes|)}
+
+
+\section{Some Basic Types}
+
+This section introduces the types of natural numbers and ordered pairs.  Also
+described is type \isa{option}, which is useful for modelling exceptional
+cases. 
+
+\subsection{Natural Numbers}
+\label{sec:nat}\index{natural numbers}%
+\index{linear arithmetic|(}
+
+\input{fakenat.tex}\medskip
+\input{natsum.tex}
+
+\index{linear arithmetic|)}
+
+
+\subsection{Pairs}
+\input{pairs2.tex}
+
+\subsection{Datatype {\tt\slshape option}}
+\label{sec:option}
+\input{Option2.tex}
+
+\section{Definitions}
+\label{sec:Definitions}
+
+A definition is simply an abbreviation, i.e.\ a new name for an existing
+construction. In particular, definitions cannot be recursive. Isabelle offers
+definitions on the level of types and terms. Those on the type level are
+called \textbf{type synonyms}; those on the term level are simply called 
+definitions.
+
+
+\subsection{Type Synonyms}
+
+\index{type synonyms}%
+Type synonyms are similar to those found in ML\@. They are created by a 
+\commdx{type\protect\_synonym} command:
+
+\medskip
+\input{types.tex}
+
+\input{prime_def.tex}
+
+
+\section{The Definitional Approach}
+\label{sec:definitional}
+
+\index{Definitional Approach}%
+As we pointed out at the beginning of the chapter, asserting arbitrary
+axioms such as $f(n) = f(n) + 1$ can easily lead to contradictions. In order
+to avoid this danger, we advocate the definitional rather than
+the axiomatic approach: introduce new concepts by definitions. However,  Isabelle/HOL seems to
+support many richer definitional constructs, such as
+\isacommand{primrec}. The point is that Isabelle reduces such constructs to first principles. For example, each
+\isacommand{primrec} function definition is turned into a proper
+(nonrecursive!) definition from which the user-supplied recursion equations are
+automatically proved.  This process is
+hidden from the user, who does not have to understand the details.  Other commands described
+later, like \isacommand{fun} and \isacommand{inductive}, work similarly.  
+This strict adherence to the definitional approach reduces the risk of 
+soundness errors.
+
+\chapter{More Functional Programming}
+
+The purpose of this chapter is to deepen your understanding of the
+concepts encountered so far and to introduce advanced forms of datatypes and
+recursive functions. The first two sections give a structured presentation of
+theorem proving by simplification ({\S}\ref{sec:Simplification}) and discuss
+important heuristics for induction ({\S}\ref{sec:InductionHeuristics}).  You can
+skip them if you are not planning to perform proofs yourself.
+We then present a case
+study: a compiler for expressions ({\S}\ref{sec:ExprCompiler}). Advanced
+datatypes, including those involving function spaces, are covered in
+{\S}\ref{sec:advanced-datatypes}; it closes with another case study, search
+trees (``tries'').  Finally we introduce \isacommand{fun}, a general
+form of recursive function definition that goes well beyond 
+\isacommand{primrec} ({\S}\ref{sec:fun}).
+
+
+\section{Simplification}
+\label{sec:Simplification}
+\index{simplification|(}
+
+So far we have proved our theorems by \isa{auto}, which simplifies
+all subgoals. In fact, \isa{auto} can do much more than that. 
+To go beyond toy examples, you
+need to understand the ingredients of \isa{auto}.  This section covers the
+method that \isa{auto} always applies first, simplification.
+
+Simplification is one of the central theorem proving tools in Isabelle and
+many other systems. The tool itself is called the \textbf{simplifier}. 
+This section introduces the many features of the simplifier
+and is required reading if you intend to perform proofs.  Later on,
+{\S}\ref{sec:simplification-II} explains some more advanced features and a
+little bit of how the simplifier works. The serious student should read that
+section as well, in particular to understand why the simplifier did
+something unexpected.
+
+\subsection{What is Simplification?}
+
+In its most basic form, simplification means repeated application of
+equations from left to right. For example, taking the rules for \isa{\at}
+and applying them to the term \isa{[0,1] \at\ []} results in a sequence of
+simplification steps:
+\begin{ttbox}\makeatother
+(0#1#[]) @ []  \(\leadsto\)  0#((1#[]) @ [])  \(\leadsto\)  0#(1#([] @ []))  \(\leadsto\)  0#1#[]
+\end{ttbox}
+This is also known as \bfindex{term rewriting}\indexbold{rewriting} and the
+equations are referred to as \bfindex{rewrite rules}.
+``Rewriting'' is more honest than ``simplification'' because the terms do not
+necessarily become simpler in the process.
+
+The simplifier proves arithmetic goals as described in
+{\S}\ref{sec:nat} above.  Arithmetic expressions are simplified using built-in
+procedures that go beyond mere rewrite rules.  New simplification procedures
+can be coded and installed, but they are definitely not a matter for this
+tutorial. 
+
+\input{simp.tex}
+
+\index{simplification|)}
+
+\input{Itrev.tex}
+\begin{exercise}
+\input{Plus.tex}%
+\end{exercise}
+\begin{exercise}
+\input{Tree2.tex}%
+\end{exercise}
+
+\input{CodeGen.tex}
+
+
+\section{Advanced Datatypes}
+\label{sec:advanced-datatypes}
+\index{datatype@\isacommand {datatype} (command)|(}
+\index{primrec@\isacommand {primrec} (command)|(}
+%|)
+
+This section presents advanced forms of datatypes: mutual and nested
+recursion.  A series of examples will culminate in a treatment of the trie
+data structure.
+
+
+\subsection{Mutual Recursion}
+\label{sec:datatype-mut-rec}
+
+\input{ABexpr.tex}
+
+\subsection{Nested Recursion}
+\label{sec:nested-datatype}
+
+{\makeatother\input{Nested.tex}}
+
+
+\subsection{The Limits of Nested Recursion}
+\label{sec:nested-fun-datatype}
+
+How far can we push nested recursion? By the unfolding argument above, we can
+reduce nested to mutual recursion provided the nested recursion only involves
+previously defined datatypes. This does not include functions:
+\begin{isabelle}
+\isacommand{datatype} t = C "t \isasymRightarrow\ bool"
+\end{isabelle}
+This declaration is a real can of worms.
+In HOL it must be ruled out because it requires a type
+\isa{t} such that \isa{t} and its power set \isa{t \isasymFun\ bool} have the
+same cardinality --- an impossibility. For the same reason it is not possible
+to allow recursion involving the type \isa{t set}, which is isomorphic to
+\isa{t \isasymFun\ bool}.
+
+Fortunately, a limited form of recursion
+involving function spaces is permitted: the recursive type may occur on the
+right of a function arrow, but never on the left. Hence the above can of worms
+is ruled out but the following example of a potentially 
+\index{infinitely branching trees}%
+infinitely branching tree is accepted:
+\smallskip
+
+\input{Fundata.tex}
+
+If you need nested recursion on the left of a function arrow, there are
+alternatives to pure HOL\@.  In the Logic for Computable Functions 
+(\rmindex{LCF}), types like
+\begin{isabelle}
+\isacommand{datatype} lam = C "lam \isasymrightarrow\ lam"
+\end{isabelle}
+do indeed make sense~\cite{paulson87}.  Note the different arrow,
+\isa{\isasymrightarrow} instead of \isa{\isasymRightarrow},
+expressing the type of \emph{continuous} functions. 
+There is even a version of LCF on top of HOL,
+called \rmindex{HOLCF}~\cite{MuellerNvOS99}.
+\index{datatype@\isacommand {datatype} (command)|)}
+\index{primrec@\isacommand {primrec} (command)|)}
+
+
+\subsection{Case Study: Tries}
+\label{sec:Trie}
+
+\index{tries|(}%
+Tries are a classic search tree data structure~\cite{Knuth3-75} for fast
+indexing with strings. Figure~\ref{fig:trie} gives a graphical example of a
+trie containing the words ``all'', ``an'', ``ape'', ``can'', ``car'' and
+``cat''.  When searching a string in a trie, the letters of the string are
+examined sequentially. Each letter determines which subtrie to search next.
+In this case study we model tries as a datatype, define a lookup and an
+update function, and prove that they behave as expected.
+
+\begin{figure}[htbp]
+\begin{center}
+\unitlength1mm
+\begin{picture}(60,30)
+\put( 5, 0){\makebox(0,0)[b]{l}}
+\put(25, 0){\makebox(0,0)[b]{e}}
+\put(35, 0){\makebox(0,0)[b]{n}}
+\put(45, 0){\makebox(0,0)[b]{r}}
+\put(55, 0){\makebox(0,0)[b]{t}}
+%
+\put( 5, 9){\line(0,-1){5}}
+\put(25, 9){\line(0,-1){5}}
+\put(44, 9){\line(-3,-2){9}}
+\put(45, 9){\line(0,-1){5}}
+\put(46, 9){\line(3,-2){9}}
+%
+\put( 5,10){\makebox(0,0)[b]{l}}
+\put(15,10){\makebox(0,0)[b]{n}}
+\put(25,10){\makebox(0,0)[b]{p}}
+\put(45,10){\makebox(0,0)[b]{a}}
+%
+\put(14,19){\line(-3,-2){9}}
+\put(15,19){\line(0,-1){5}}
+\put(16,19){\line(3,-2){9}}
+\put(45,19){\line(0,-1){5}}
+%
+\put(15,20){\makebox(0,0)[b]{a}}
+\put(45,20){\makebox(0,0)[b]{c}}
+%
+\put(30,30){\line(-3,-2){13}}
+\put(30,30){\line(3,-2){13}}
+\end{picture}
+\end{center}
+\caption{A Sample Trie}
+\label{fig:trie}
+\end{figure}
+
+Proper tries associate some value with each string. Since the
+information is stored only in the final node associated with the string, many
+nodes do not carry any value. This distinction is modeled with the help
+of the predefined datatype \isa{option} (see {\S}\ref{sec:option}).
+\input{Trie.tex}
+\index{tries|)}
+
+\section{Total Recursive Functions: \isacommand{fun}}
+\label{sec:fun}
+\index{fun@\isacommand {fun} (command)|(}\index{functions!total|(}
+
+Although many total functions have a natural primitive recursive definition,
+this is not always the case. Arbitrary total recursive functions can be
+defined by means of \isacommand{fun}: you can use full pattern matching,
+recursion need not involve datatypes, and termination is proved by showing
+that the arguments of all recursive calls are smaller in a suitable sense.
+In this section we restrict ourselves to functions where Isabelle can prove
+termination automatically. More advanced function definitions, including user
+supplied termination proofs, nested recursion and partiality, are discussed
+in a separate tutorial~\cite{isabelle-function}.
+
+\input{fun0.tex}
+
+\index{fun@\isacommand {fun} (command)|)}\index{functions!total|)}
--- a/doc-src/TutorialI/document/fun0.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,360 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{fun{\isadigit{0}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\subsection{Definition}
-\label{sec:fun-examples}
-
-Here is a simple example, the \rmindex{Fibonacci function}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ fib\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}fib\ {\isaliteral{28}{\isacharparenleft}}Suc{\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ fib\ x\ {\isaliteral{2B}{\isacharplus}}\ fib\ {\isaliteral{28}{\isacharparenleft}}Suc\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-This resembles ordinary functional programming languages. Note the obligatory
-\isacommand{where} and \isa{|}. Command \isacommand{fun} declares and
-defines the function in one go. Isabelle establishes termination automatically
-because \isa{fib}'s argument decreases in every recursive call.
-
-Slightly more interesting is the insertion of a fixed element
-between any two elements of a list:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ sep\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-This time the length of the list decreases with the
-recursive call; the first argument is irrelevant for termination.
-
-Pattern matching\index{pattern matching!and \isacommand{fun}}
-need not be exhaustive and may employ wildcards:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ last\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ x{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}last\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ last\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-Overlapping patterns are disambiguated by taking the order of equations into
-account, just as in functional programming:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ sep{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{23}{\isacharhash}}\ a\ {\isaliteral{23}{\isacharhash}}\ sep{\isadigit{1}}\ a\ {\isaliteral{28}{\isacharparenleft}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sep{\isadigit{1}}\ {\isaliteral{5F}{\isacharunderscore}}\ xs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-To guarantee that the second equation can only be applied if the first
-one does not match, Isabelle internally replaces the second equation
-by the two possibilities that are left: \isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} and
-\isa{sep{\isadigit{1}}\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}}.  Thus the functions \isa{sep} and
-\isa{sep{\isadigit{1}}} are identical.
-
-Because of its pattern matching syntax, \isacommand{fun} is also useful
-for the definition of non-recursive functions:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{27}{\isacharprime}}a\ list\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isaliteral{27}{\isacharprime}}a\ list{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{23}{\isacharhash}}y{\isaliteral{23}{\isacharhash}}zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ y{\isaliteral{23}{\isacharhash}}x{\isaliteral{23}{\isacharhash}}zs{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}swap{\isadigit{1}}{\isadigit{2}}\ zs\ \ \ \ \ \ \ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-After a function~$f$ has been defined via \isacommand{fun},
-its defining equations (or variants derived from them) are available
-under the name $f$\isa{{\isaliteral{2E}{\isachardot}}simps} as theorems.
-For example, look (via \isacommand{thm}) at
-\isa{sep{\isaliteral{2E}{\isachardot}}simps} and \isa{sep{\isadigit{1}}{\isaliteral{2E}{\isachardot}}simps} to see that they define
-the same function. What is more, those equations are automatically declared as
-simplification rules.
-
-\subsection{Termination}
-
-Isabelle's automatic termination prover for \isacommand{fun} has a
-fixed notion of the \emph{size} (of type \isa{nat}) of an
-argument. The size of a natural number is the number itself. The size
-of a list is its length. For the general case see \S\ref{sec:general-datatype}.
-A recursive function is accepted if \isacommand{fun} can
-show that the size of one fixed argument becomes smaller with each
-recursive call.
-
-More generally, \isacommand{fun} allows any \emph{lexicographic
-combination} of size measures in case there are multiple
-arguments. For example, the following version of \rmindex{Ackermann's
-function} is accepted:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ ack{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ n\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isadigit{0}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ {\isadigit{0}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ack{\isadigit{2}}\ {\isaliteral{28}{\isacharparenleft}}ack{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}Suc\ m{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-The order of arguments has no influence on whether
-\isacommand{fun} can prove termination of a function. For more details
-see elsewhere~\cite{bulwahnKN07}.
-
-\subsection{Simplification}
-\label{sec:fun-simplification}
-
-Upon a successful termination proof, the recursion equations become
-simplification rules, just as with \isacommand{primrec}.
-In most cases this works fine, but there is a subtle
-problem that must be mentioned: simplification may not
-terminate because of automatic splitting of \isa{if}.
-\index{*if expressions!splitting of}
-Let us look at an example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ gcd\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The second argument decreases with each recursive call.
-The termination condition
-\begin{isabelle}%
-\ \ \ \ \ n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ mod\ n\ {\isaliteral{3C}{\isacharless}}\ n%
-\end{isabelle}
-is proved automatically because it is already present as a lemma in
-HOL\@.  Thus the recursion equation becomes a simplification
-rule. Of course the equation is nonterminating if we are allowed to unfold
-the recursive call inside the \isa{else} branch, which is why programming
-languages and our simplifier don't do that. Unfortunately the simplifier does
-something else that leads to the same problem: it splits 
-each \isa{if}-expression unless its
-condition simplifies to \isa{True} or \isa{False}.  For
-example, simplification reduces
-\begin{isabelle}%
-\ \ \ \ \ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ k%
-\end{isabelle}
-in one step to
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}if\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ then\ m\ else\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k%
-\end{isabelle}
-where the condition cannot be reduced further, and splitting leads to
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ k{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Since the recursive call \isa{gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}} is no longer protected by
-an \isa{if}, it is unfolded again, which leads to an infinite chain of
-simplification steps. Fortunately, this problem can be avoided in many
-different ways.
-
-The most radical solution is to disable the offending theorem
-\isa{split{\isaliteral{5F}{\isacharunderscore}}if},
-as shown in \S\ref{sec:AutoCaseSplits}.  However, we do not recommend this
-approach: you will often have to invoke the rule explicitly when
-\isa{if} is involved.
-
-If possible, the definition should be given by pattern matching on the left
-rather than \isa{if} on the right. In the case of \isa{gcd} the
-following alternative definition suggests itself:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ gcd{\isadigit{1}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{1}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd{\isadigit{1}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-The order of equations is important: it hides the side condition
-\isa{n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}}.  Unfortunately, not all conditionals can be
-expressed by pattern matching.
-
-A simple alternative is to replace \isa{if} by \isa{case}, 
-which is also available for \isa{bool} and is not split automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{fun}\isamarkupfalse%
-\ gcd{\isadigit{2}}\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}gcd{\isadigit{2}}\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}case\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}\ of\ True\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m\ {\isaliteral{7C}{\isacharbar}}\ False\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ gcd{\isadigit{2}}\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-This is probably the neatest solution next to pattern matching, and it is
-always available.
-
-A final alternative is to replace the offending simplification rules by
-derived conditional ones. For \isa{gcd} it means we have to prove
-these lemmas:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}gcd\ m\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ m{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-\isanewline
-%
-\endisadelimproof
-\isanewline
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}n\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isadigit{0}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ gcd\ m\ n\ {\isaliteral{3D}{\isacharequal}}\ gcd\ n\ {\isaliteral{28}{\isacharparenleft}}m\ mod\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Simplification terminates for these proofs because the condition of the \isa{if} simplifies to \isa{True} or \isa{False}.
-Now we can disable the original simplification rule:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ gcd{\isaliteral{2E}{\isachardot}}simps\ {\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\index{induction!recursion|(}
-\index{recursion induction|(}
-
-\subsection{Induction}
-\label{sec:fun-induction}
-
-Having defined a function we might like to prove something about it.
-Since the function is recursive, the natural proof principle is
-again induction. But this time the structural form of induction that comes
-with datatypes is unlikely to work well --- otherwise we could have defined the
-function by \isacommand{primrec}. Therefore \isacommand{fun} automatically
-proves a suitable induction rule $f$\isa{{\isaliteral{2E}{\isachardot}}induct} that follows the
-recursion pattern of the particular function $f$. We call this
-\textbf{recursion induction}. Roughly speaking, it
-requires you to prove for each \isacommand{fun} equation that the property
-you are trying to establish holds for the left-hand side provided it holds
-for all recursive calls on the right-hand side. Here is a simple example
-involving the predefined \isa{map} functional on lists:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ x\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ xs{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Note that \isa{map\ f\ xs}
-is the result of applying \isa{f} to all elements of \isa{xs}. We prove
-this lemma by recursion induction over \isa{sep}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ x\ xs\ rule{\isaliteral{3A}{\isacharcolon}}\ sep{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-The resulting proof state has three subgoals corresponding to the three
-clauses for \isa{sep}:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x{\isaliteral{2E}{\isachardot}}\ map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{5B}{\isacharbrackleft}}x{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}a\ x\ y\ zs{\isaliteral{2E}{\isachardot}}\isanewline
-\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\isanewline
-\isaindent{\ {\isadigit{3}}{\isaliteral{2E}{\isachardot}}\ \ \ \ }map\ f\ {\isaliteral{28}{\isacharparenleft}}sep\ a\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ sep\ {\isaliteral{28}{\isacharparenleft}}f\ a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}map\ f\ {\isaliteral{28}{\isacharparenleft}}x\ {\isaliteral{23}{\isacharhash}}\ y\ {\isaliteral{23}{\isacharhash}}\ zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-The rest is pure simplification:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-\ simp{\isaliteral{5F}{\isacharunderscore}}all\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The proof goes smoothly because the induction rule
-follows the recursion of \isa{sep}.  Try proving the above lemma by
-structural induction, and you find that you need an additional case
-distinction.
-
-In general, the format of invoking recursion induction is
-\begin{quote}
-\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac} $x@1 \dots x@n$ \isa{rule{\isaliteral{3A}{\isacharcolon}}} $f$\isa{{\isaliteral{2E}{\isachardot}}induct{\isaliteral{29}{\isacharparenright}}}
-\end{quote}\index{*induct_tac (method)}%
-where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
-name of a function that takes $n$ arguments. Usually the subgoal will
-contain the term $f x@1 \dots x@n$ but this need not be the case. The
-induction rules do not mention $f$ at all. Here is \isa{sep{\isaliteral{2E}{\isachardot}}induct}:
-\begin{isabelle}
-{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
-~~{\isasymAnd}a~x.~P~a~[x];\isanewline
-~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
-{\isasymLongrightarrow}~P~u~v%
-\end{isabelle}
-It merely says that in order to prove a property \isa{P} of \isa{u} and
-\isa{v} you need to prove it for the three cases where \isa{v} is the
-empty list, the singleton list, and the list with at least two elements.
-The final case has an induction hypothesis:  you may assume that \isa{P}
-holds for the tail of that list.
-\index{induction!recursion|)}
-\index{recursion induction|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/inductive0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,31 @@
+\chapter{Inductively Defined Sets} \label{chap:inductive}
+\index{inductive definitions|(}
+
+This chapter is dedicated to the most important definition principle after
+recursive functions and datatypes: inductively defined sets.
+
+We start with a simple example: the set of even numbers.  A slightly more
+complicated example, the reflexive transitive closure, is the subject of
+{\S}\ref{sec:rtc}. In particular, some standard induction heuristics are
+discussed. Advanced forms of inductive definitions are discussed in
+{\S}\ref{sec:adv-ind-def}. To demonstrate the versatility of inductive
+definitions, the chapter closes with a case study from the realm of
+context-free grammars. The first two sections are required reading for anybody
+interested in mathematical modelling.
+
+\begin{warn}
+Predicates can also be defined inductively.
+See {\S}\ref{sec:ind-predicates}.
+\end{warn}
+
+\input{Even}
+\input{Mutual}
+\input{Star}
+
+\section{Advanced Inductive Definitions}
+\label{sec:adv-ind-def}
+\input{Advanced}
+
+\input{AB}
+
+\index{inductive definitions|)}
--- a/doc-src/TutorialI/document/natsum.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,232 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{natsum}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\noindent
-In particular, there are \isa{case}-expressions, for example
-\begin{isabelle}%
-\ \ \ \ \ case\ n\ of\ {\isadigit{0}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ {\isadigit{0}}\ {\isaliteral{7C}{\isacharbar}}\ Suc\ m\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ m%
-\end{isabelle}
-primitive recursion, for example%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{primrec}\isamarkupfalse%
-\ sum\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}nat\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ nat{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{7C}{\isacharbar}}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}sum\ {\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-and induction, for example%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}sum\ n\ {\isaliteral{2B}{\isacharplus}}\ sum\ n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2A}{\isacharasterisk}}{\isaliteral{28}{\isacharparenleft}}Suc\ n{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}induct{\isaliteral{5F}{\isacharunderscore}}tac\ n{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}auto{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\newcommand{\mystar}{*%
-}
-\index{arithmetic operations!for \protect\isa{nat}}%
-The arithmetic operations \isadxboldpos{+}{$HOL2arithfun},
-\isadxboldpos{-}{$HOL2arithfun}, \isadxboldpos{\mystar}{$HOL2arithfun},
-\sdx{div}, \sdx{mod}, \cdx{min} and
-\cdx{max} are predefined, as are the relations
-\isadxboldpos{\isasymle}{$HOL2arithrel} and
-\isadxboldpos{<}{$HOL2arithrel}. As usual, \isa{m\ {\isaliteral{2D}{\isacharminus}}\ n\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{0}}} if
-\isa{m\ {\isaliteral{3C}{\isacharless}}\ n}. There is even a least number operation
-\sdx{LEAST}\@.  For example, \isa{{\isaliteral{28}{\isacharparenleft}}LEAST\ n{\isaliteral{2E}{\isachardot}}\ {\isadigit{0}}\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ Suc\ {\isadigit{0}}}.
-\begin{warn}\index{overloading}
-  The constants \cdx{0} and \cdx{1} and the operations
-  \isadxboldpos{+}{$HOL2arithfun}, \isadxboldpos{-}{$HOL2arithfun},
-  \isadxboldpos{\mystar}{$HOL2arithfun}, \cdx{min},
-  \cdx{max}, \isadxboldpos{\isasymle}{$HOL2arithrel} and
-  \isadxboldpos{<}{$HOL2arithrel} are overloaded: they are available
-  not just for natural numbers but for other types as well.
-  For example, given the goal \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ x}, there is nothing to indicate
-  that you are talking about natural numbers. Hence Isabelle can only infer
-  that \isa{x} is of some arbitrary type where \isa{{\isadigit{0}}} and \isa{{\isaliteral{2B}{\isacharplus}}} are
-  declared. As a consequence, you will be unable to prove the
-  goal. To alert you to such pitfalls, Isabelle flags numerals without a
-  fixed type in its output: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{0}}{\isaliteral{5C3C436F6C6F6E3E}{\isasymColon}}{\isaliteral{27}{\isacharprime}}a{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ x}. (In the absence of a numeral,
-  it may take you some time to realize what has happened if \pgmenu{Show
-  Types} is not set).  In this particular example, you need to include
-  an explicit type constraint, for example \isa{x{\isaliteral{2B}{\isacharplus}}{\isadigit{0}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}}. If there
-  is enough contextual information this may not be necessary: \isa{Suc\ x\ {\isaliteral{3D}{\isacharequal}}\ x} automatically implies \isa{x{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} because \isa{Suc} is not
-  overloaded.
-
-  For details on overloading see \S\ref{sec:overloading}.
-  Table~\ref{tab:overloading} in the appendix shows the most important
-  overloaded operations.
-\end{warn}
-\begin{warn}
-  The symbols \isadxboldpos{>}{$HOL2arithrel} and
-  \isadxboldpos{\isasymge}{$HOL2arithrel} are merely syntax: \isa{x\ {\isaliteral{3E}{\isachargreater}}\ y}
-  stands for \isa{y\ {\isaliteral{3C}{\isacharless}}\ x} and similary for \isa{{\isaliteral{5C3C67653E}{\isasymge}}} and
-  \isa{{\isaliteral{5C3C6C653E}{\isasymle}}}.
-\end{warn}
-\begin{warn}
-  Constant \isa{{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat} is defined to equal \isa{Suc\ {\isadigit{0}}}. This definition
-  (see \S\ref{sec:ConstDefinitions}) is unfolded automatically by some
-  tactics (like \isa{auto}, \isa{simp} and \isa{arith}) but not by
-  others (especially the single step tactics in Chapter~\ref{chap:rules}).
-  If you need the full set of numerals, see~\S\ref{sec:numerals}.
-  \emph{Novices are advised to stick to \isa{{\isadigit{0}}} and \isa{Suc}.}
-\end{warn}
-
-Both \isa{auto} and \isa{simp}
-(a method introduced below, \S\ref{sec:Simplification}) prove 
-simple arithmetic goals automatically:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ m\ {\isaliteral{3C}{\isacharless}}\ n{\isaliteral{3B}{\isacharsemicolon}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isadigit{1}}{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-For efficiency's sake, this built-in prover ignores quantified formulae,
-many logical connectives, and all arithmetic operations apart from addition.
-In consequence, \isa{auto} and \isa{simp} cannot prove this slightly more complex goal:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}m\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{28}{\isacharparenleft}}n{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ m\ {\isaliteral{3C}{\isacharless}}\ n\ {\isaliteral{5C3C6F723E}{\isasymor}}\ n\ {\isaliteral{3C}{\isacharless}}\ m{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent The method \methdx{arith} is more general.  It attempts to
-prove the first subgoal provided it is a \textbf{linear arithmetic} formula.
-Such formulas may involve the usual logical connectives (\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}},
-\isa{{\isaliteral{5C3C616E643E}{\isasymand}}}, \isa{{\isaliteral{5C3C6F723E}{\isasymor}}}, \isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}, \isa{{\isaliteral{3D}{\isacharequal}}},
-\isa{{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}}, \isa{{\isaliteral{5C3C6578697374733E}{\isasymexists}}}), the relations \isa{{\isaliteral{3D}{\isacharequal}}},
-\isa{{\isaliteral{5C3C6C653E}{\isasymle}}} and \isa{{\isaliteral{3C}{\isacharless}}}, and the operations \isa{{\isaliteral{2B}{\isacharplus}}}, \isa{{\isaliteral{2D}{\isacharminus}}},
-\isa{min} and \isa{max}.  For example,%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}min\ i\ {\isaliteral{28}{\isacharparenleft}}max\ j\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ max\ {\isaliteral{28}{\isacharparenleft}}min\ {\isaliteral{28}{\isacharparenleft}}k{\isaliteral{2A}{\isacharasterisk}}k{\isaliteral{29}{\isacharparenright}}\ i{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{28}{\isacharparenleft}}min\ i\ {\isaliteral{28}{\isacharparenleft}}j{\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}nat{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}arith{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-succeeds because \isa{k\ {\isaliteral{2A}{\isacharasterisk}}\ k} can be treated as atomic. In contrast,%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}n{\isaliteral{2A}{\isacharasterisk}}n\ {\isaliteral{3D}{\isacharequal}}\ n{\isaliteral{2B}{\isacharplus}}{\isadigit{1}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ n{\isaliteral{3D}{\isacharequal}}{\isadigit{0}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-is not proved by \isa{arith} because the proof relies 
-on properties of multiplication. Only multiplication by numerals (which is
-the same as iterated addition) is taken into account.
-
-\begin{warn} The running time of \isa{arith} is exponential in the number
-  of occurrences of \ttindexboldpos{-}{$HOL2arithfun}, \cdx{min} and
-  \cdx{max} because they are first eliminated by case distinctions.
-
-If \isa{k} is a numeral, \sdx{div}~\isa{k}, \sdx{mod}~\isa{k} and
-\isa{k}~\sdx{dvd} are also supported, where the former two are eliminated
-by case distinctions, again blowing up the running time.
-
-If the formula involves quantifiers, \isa{arith} may take
-super-exponential time and space.
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/numerics.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,543 @@
+\section{Numbers}
+\label{sec:numbers}
+
+\index{numbers|(}%
+Until now, our numerical examples have used the type of \textbf{natural
+numbers},
+\isa{nat}.  This is a recursive datatype generated by the constructors
+zero  and successor, so it works well with inductive proofs and primitive
+recursive function definitions.  HOL also provides the type
+\isa{int} of \textbf{integers}, which lack induction but support true
+subtraction.  With subtraction, arithmetic reasoning is easier, which makes
+the integers preferable to the natural numbers for
+complicated arithmetic expressions, even if they are non-negative.  There are also the types
+\isa{rat}, \isa{real} and \isa{complex}: the rational, real and complex numbers.  Isabelle has no 
+subtyping,  so the numeric
+types are distinct and there are functions to convert between them.
+Most numeric operations are overloaded: the same symbol can be
+used at all numeric types. Table~\ref{tab:overloading} in the appendix
+shows the most important operations, together with the priorities of the
+infix symbols. Algebraic properties are organized using type classes
+around algebraic concepts such as rings and fields;
+a property such as the commutativity of addition is a single theorem 
+(\isa{add_commute}) that applies to all numeric types.
+
+\index{linear arithmetic}%
+Many theorems involving numeric types can be proved automatically by
+Isabelle's arithmetic decision procedure, the method
+\methdx{arith}.  Linear arithmetic comprises addition, subtraction
+and multiplication by constant factors; subterms involving other operators
+are regarded as variables.  The procedure can be slow, especially if the
+subgoal to be proved involves subtraction over type \isa{nat}, which 
+causes case splits.  On types \isa{nat} and \isa{int}, \methdx{arith}
+can deal with quantifiers---this is known as Presburger arithmetic---whereas on type \isa{real} it cannot.
+
+The simplifier reduces arithmetic expressions in other
+ways, such as dividing through by common factors.  For problems that lie
+outside the scope of automation, HOL provides hundreds of
+theorems about multiplication, division, etc., that can be brought to
+bear.  You can locate them using Proof General's Find
+button.  A few lemmas are given below to show what
+is available.
+
+\subsection{Numeric Literals}
+\label{sec:numerals}
+
+\index{numeric literals|(}%
+The constants \cdx{0} and \cdx{1} are overloaded.  They denote zero and one,
+respectively, for all numeric types.  Other values are expressed by numeric
+literals, which consist of one or more decimal digits optionally preceeded by a minus sign (\isa{-}).  Examples are \isa{2}, \isa{-3} and
+\isa{441223334678}.  Literals are available for the types of natural
+numbers, integers, rationals, reals, etc.; they denote integer values of
+arbitrary size.
+
+Literals look like constants, but they abbreviate 
+terms representing the number in a two's complement binary notation. 
+Isabelle performs arithmetic on literals by rewriting rather 
+than using the hardware arithmetic. In most cases arithmetic 
+is fast enough, even for numbers in the millions. The arithmetic operations 
+provided for literals include addition, subtraction, multiplication, 
+integer division and remainder.  Fractions of literals (expressed using
+division) are reduced to lowest terms.
+
+\begin{warn}\index{overloading!and arithmetic}
+The arithmetic operators are 
+overloaded, so you must be careful to ensure that each numeric 
+expression refers to a specific type, if necessary by inserting 
+type constraints.  Here is an example of what can go wrong:
+\par
+\begin{isabelle}
+\isacommand{lemma}\ "2\ *\ m\ =\ m\ +\ m"
+\end{isabelle}
+%
+Carefully observe how Isabelle displays the subgoal:
+\begin{isabelle}
+\ 1.\ (2::'a)\ *\ m\ =\ m\ +\ m
+\end{isabelle}
+The type \isa{'a} given for the literal \isa{2} warns us that no numeric
+type has been specified.  The problem is underspecified.  Given a type
+constraint such as \isa{nat}, \isa{int} or \isa{real}, it becomes trivial.
+\end{warn}
+
+\begin{warn}
+\index{function@\isacommand {function} (command)!and numeric literals}  
+Numeric literals are not constructors and therefore
+must not be used in patterns.  For example, this declaration is
+rejected:
+\begin{isabelle}
+\isacommand{function}\ h\ \isakeyword{where}\isanewline
+"h\ 3\ =\ 2"\isanewline
+\isacharbar "h\ i\ \ =\ i"
+\end{isabelle}
+
+You should use a conditional expression instead:
+\begin{isabelle}
+"h\ i\ =\ (if\ i\ =\ 3\ then\ 2\ else\ i)"
+\end{isabelle}
+\index{numeric literals|)}
+\end{warn}
+
+
+\subsection{The Type of Natural Numbers, {\tt\slshape nat}}
+
+\index{natural numbers|(}\index{*nat (type)|(}%
+This type requires no introduction: we have been using it from the
+beginning.  Hundreds of theorems about the natural numbers are
+proved in the theories \isa{Nat} and \isa{Divides}.  
+Basic properties of addition and multiplication are available through the
+axiomatic type class for semirings (\S\ref{sec:numeric-classes}).
+
+\subsubsection{Literals}
+\index{numeric literals!for type \protect\isa{nat}}%
+The notational options for the natural  numbers are confusing.  Recall that an
+overloaded constant can be defined independently for each type; the definition
+of \cdx{1} for type \isa{nat} is
+\begin{isabelle}
+1\ \isasymequiv\ Suc\ 0
+\rulename{One_nat_def}
+\end{isabelle}
+This is installed as a simplification rule, so the simplifier will replace
+every occurrence of \isa{1::nat} by \isa{Suc\ 0}.  Literals are obviously
+better than nested \isa{Suc}s at expressing large values.  But many theorems,
+including the rewrite rules for primitive recursive functions, can only be
+applied to terms of the form \isa{Suc\ $n$}.
+
+The following default  simplification rules replace
+small literals by zero and successor: 
+\begin{isabelle}
+2\ +\ n\ =\ Suc\ (Suc\ n)
+\rulename{add_2_eq_Suc}\isanewline
+n\ +\ 2\ =\ Suc\ (Suc\ n)
+\rulename{add_2_eq_Suc'}
+\end{isabelle}
+It is less easy to transform \isa{100} into \isa{Suc\ 99} (for example), and
+the simplifier will normally reverse this transformation.  Novices should
+express natural numbers using \isa{0} and \isa{Suc} only.
+
+\subsubsection{Division}
+\index{division!for type \protect\isa{nat}}%
+The infix operators \isa{div} and \isa{mod} are overloaded.
+Isabelle/HOL provides the basic facts about quotient and remainder
+on the natural numbers:
+\begin{isabelle}
+m\ mod\ n\ =\ (if\ m\ <\ n\ then\ m\ else\ (m\ -\ n)\ mod\ n)
+\rulename{mod_if}\isanewline
+m\ div\ n\ *\ n\ +\ m\ mod\ n\ =\ m%
+\rulenamedx{mod_div_equality}
+\end{isabelle}
+
+Many less obvious facts about quotient and remainder are also provided. 
+Here is a selection:
+\begin{isabelle}
+a\ *\ b\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
+\rulename{div_mult1_eq}\isanewline
+a\ *\ b\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
+\rulename{mod_mult_right_eq}\isanewline
+a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
+\rulename{div_mult2_eq}\isanewline
+a\ mod\ (b*c)\ =\ b * (a\ div\ b\ mod\ c)\ +\ a\ mod\ b%
+\rulename{mod_mult2_eq}\isanewline
+0\ <\ c\ \isasymLongrightarrow \ (c\ *\ a)\ div\ (c\ *\ b)\ =\ a\ div\ b%
+\rulename{div_mult_mult1}\isanewline
+(m\ mod\ n)\ *\ k\ =\ (m\ *\ k)\ mod\ (n\ *\ k)
+\rulenamedx{mod_mult_distrib}\isanewline
+m\ \isasymle \ n\ \isasymLongrightarrow \ m\ div\ k\ \isasymle \ n\ div\ k%
+\rulename{div_le_mono}
+\end{isabelle}
+
+Surprisingly few of these results depend upon the
+divisors' being nonzero.
+\index{division!by zero}%
+That is because division by
+zero yields zero:
+\begin{isabelle}
+a\ div\ 0\ =\ 0
+\rulename{DIVISION_BY_ZERO_DIV}\isanewline
+a\ mod\ 0\ =\ a%
+\rulename{DIVISION_BY_ZERO_MOD}
+\end{isabelle}
+In \isa{div_mult_mult1} above, one of
+the two divisors (namely~\isa{c}) must still be nonzero.
+
+The \textbf{divides} relation\index{divides relation}
+has the standard definition, which
+is overloaded over all numeric types: 
+\begin{isabelle}
+m\ dvd\ n\ \isasymequiv\ {\isasymexists}k.\ n\ =\ m\ *\ k
+\rulenamedx{dvd_def}
+\end{isabelle}
+%
+Section~\ref{sec:proving-euclid} discusses proofs involving this
+relation.  Here are some of the facts proved about it:
+\begin{isabelle}
+\isasymlbrakk m\ dvd\ n;\ n\ dvd\ m\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n%
+\rulenamedx{dvd_antisym}\isanewline
+\isasymlbrakk k\ dvd\ m;\ k\ dvd\ n\isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ (m\ +\ n)
+\rulenamedx{dvd_add}
+\end{isabelle}
+
+\subsubsection{Subtraction}
+
+There are no negative natural numbers, so \isa{m\ -\ n} equals zero unless 
+\isa{m} exceeds~\isa{n}. The following is one of the few facts
+about \isa{m\ -\ n} that is not subject to
+the condition \isa{n\ \isasymle \  m}. 
+\begin{isabelle}
+(m\ -\ n)\ *\ k\ =\ m\ *\ k\ -\ n\ *\ k%
+\rulenamedx{diff_mult_distrib}
+\end{isabelle}
+Natural number subtraction has few
+nice properties; often you should remove it by simplifying with this split
+rule.
+\begin{isabelle}
+P(a-b)\ =\ ((a<b\ \isasymlongrightarrow \ P\
+0)\ \isasymand \ (\isasymforall d.\ a\ =\ b+d\ \isasymlongrightarrow \ P\
+d))
+\rulename{nat_diff_split}
+\end{isabelle}
+For example, splitting helps to prove the following fact.
+\begin{isabelle}
+\isacommand{lemma}\ "(n\ -\ 2)\ *\ (n\ +\ 2)\ =\ n\ *\ n\ -\ (4::nat)"\isanewline
+\isacommand{apply}\ (simp\ split:\ nat_diff_split,\ clarify)\isanewline
+\ 1.\ \isasymAnd d.\ \isasymlbrakk n\ <\ 2;\ n\ *\ n\ =\ 4\ +\ d\isasymrbrakk \ \isasymLongrightarrow \ d\ =\ 0
+\end{isabelle}
+The result lies outside the scope of linear arithmetic, but
+ it is easily found
+if we explicitly split \isa{n<2} as \isa{n=0} or \isa{n=1}:
+\begin{isabelle}
+\isacommand{apply}\ (subgoal_tac\ "n=0\ |\ n=1",\ force,\ arith)\isanewline
+\isacommand{done}
+\end{isabelle}%%%%%%
+\index{natural numbers|)}\index{*nat (type)|)}
+
+
+\subsection{The Type of Integers, {\tt\slshape int}}
+
+\index{integers|(}\index{*int (type)|(}%
+Reasoning methods for the integers resemble those for the natural numbers, 
+but induction and
+the constant \isa{Suc} are not available.  HOL provides many lemmas for
+proving inequalities involving integer multiplication and division, similar
+to those shown above for type~\isa{nat}. The laws of addition, subtraction
+and multiplication are available through the axiomatic type class for rings
+(\S\ref{sec:numeric-classes}).
+
+The \rmindex{absolute value} function \cdx{abs} is overloaded, and is 
+defined for all types that involve negative numbers, including the integers.
+The \isa{arith} method can prove facts about \isa{abs} automatically, 
+though as it does so by case analysis, the cost can be exponential.
+\begin{isabelle}
+\isacommand{lemma}\ "abs\ (x+y)\ \isasymle \ abs\ x\ +\ abs\ (y\ ::\ int)"\isanewline
+\isacommand{by}\ arith
+\end{isabelle}
+
+For division and remainder,\index{division!by negative numbers}
+the treatment of negative divisors follows
+mathematical practice: the sign of the remainder follows that
+of the divisor:
+\begin{isabelle}
+0\ <\ b\ \isasymLongrightarrow \ 0\ \isasymle \ a\ mod\ b%
+\rulename{pos_mod_sign}\isanewline
+0\ <\ b\ \isasymLongrightarrow \ a\ mod\ b\ <\ b%
+\rulename{pos_mod_bound}\isanewline
+b\ <\ 0\ \isasymLongrightarrow \ a\ mod\ b\ \isasymle \ 0
+\rulename{neg_mod_sign}\isanewline
+b\ <\ 0\ \isasymLongrightarrow \ b\ <\ a\ mod\ b%
+\rulename{neg_mod_bound}
+\end{isabelle}
+ML treats negative divisors in the same way, but most computer hardware
+treats signed operands using the same rules as for multiplication.
+Many facts about quotients and remainders are provided:
+\begin{isabelle}
+(a\ +\ b)\ div\ c\ =\isanewline
+a\ div\ c\ +\ b\ div\ c\ +\ (a\ mod\ c\ +\ b\ mod\ c)\ div\ c%
+\rulename{zdiv_zadd1_eq}
+\par\smallskip
+(a\ +\ b)\ mod\ c\ =\ (a\ mod\ c\ +\ b\ mod\ c)\ mod\ c%
+\rulename{mod_add_eq}
+\end{isabelle}
+
+\begin{isabelle}
+(a\ *\ b)\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
+\rulename{zdiv_zmult1_eq}\isanewline
+(a\ *\ b)\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
+\rulename{zmod_zmult1_eq}
+\end{isabelle}
+
+\begin{isabelle}
+0\ <\ c\ \isasymLongrightarrow \ a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
+\rulename{zdiv_zmult2_eq}\isanewline
+0\ <\ c\ \isasymLongrightarrow \ a\ mod\ (b*c)\ =\ b*(a\ div\ b\ mod\
+c)\ +\ a\ mod\ b%
+\rulename{zmod_zmult2_eq}
+\end{isabelle}
+The last two differ from their natural number analogues by requiring
+\isa{c} to be positive.  Since division by zero yields zero, we could allow
+\isa{c} to be zero.  However, \isa{c} cannot be negative: a counterexample
+is
+$\isa{a} = 7$, $\isa{b} = 2$ and $\isa{c} = -3$, when the left-hand side of
+\isa{zdiv_zmult2_eq} is $-2$ while the right-hand side is~$-1$.
+The prefix~\isa{z} in many theorem names recalls the use of $\mathbb{Z}$ to
+denote the set of integers.%
+\index{integers|)}\index{*int (type)|)}
+
+Induction is less important for integers than it is for the natural numbers, but it can be valuable if the range of integers has a lower or upper bound.  There are four rules for integer induction, corresponding to the possible relations of the bound ($\geq$, $>$, $\leq$ and $<$):
+\begin{isabelle}
+\isasymlbrakk k\ \isasymle \ i;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk k\ \isasymle \ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_ge_induct}\isanewline
+\isasymlbrakk k\ <\ i;\ P(k+1);\ \isasymAnd i.\ \isasymlbrakk k\ <\ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_gr_induct}\isanewline
+\isasymlbrakk i\ \isasymle \ k;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk i\ \isasymle \ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_le_induct}\isanewline
+\isasymlbrakk i\ <\ k;\ P(k-1);\ \isasymAnd i.\ \isasymlbrakk i\ <\ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_less_induct}
+\end{isabelle}
+
+
+\subsection{The Types of Rational, Real and Complex Numbers}
+\label{sec:real}
+
+\index{rational numbers|(}\index{*rat (type)|(}%
+\index{real numbers|(}\index{*real (type)|(}%
+\index{complex numbers|(}\index{*complex (type)|(}%
+These types provide true division, the overloaded operator \isa{/}, 
+which differs from the operator \isa{div} of the 
+natural numbers and integers. The rationals and reals are 
+\textbf{dense}: between every two distinct numbers lies another.
+This property follows from the division laws, since if $x\not=y$ then $(x+y)/2$ lies between them:
+\begin{isabelle}
+a\ <\ b\ \isasymLongrightarrow \ \isasymexists r.\ a\ <\ r\ \isasymand \ r\ <\ b%
+\rulename{dense}
+\end{isabelle}
+
+The real numbers are, moreover, \textbf{complete}: every set of reals that
+is bounded above has a least upper bound.  Completeness distinguishes the
+reals from the rationals, for which the set $\{x\mid x^2<2\}$ has no least
+upper bound.  (It could only be $\surd2$, which is irrational.) The
+formalization of completeness, which is complicated, 
+can be found in theory \texttt{RComplete}.
+
+Numeric literals\index{numeric literals!for type \protect\isa{real}}
+for type \isa{real} have the same syntax as those for type
+\isa{int} and only express integral values.  Fractions expressed
+using the division operator are automatically simplified to lowest terms:
+\begin{isabelle}
+\ 1.\ P\ ((3\ /\ 4)\ *\ (8\ /\ 15))\isanewline
+\isacommand{apply} simp\isanewline
+\ 1.\ P\ (2\ /\ 5)
+\end{isabelle}
+Exponentiation can express floating-point values such as
+\isa{2 * 10\isacharcircum6}, which will be simplified to integers.
+
+\begin{warn}
+Types \isa{rat}, \isa{real} and \isa{complex} are provided by theory HOL-Complex, which is
+Main extended with a definitional development of the rational, real and complex
+numbers.  Base your theory upon theory \thydx{Complex_Main}, not the
+usual \isa{Main}.%
+\end{warn}
+
+Available in the logic HOL-NSA is the
+theory \isa{Hyperreal}, which define the type \tydx{hypreal} of 
+\rmindex{non-standard reals}.  These
+\textbf{hyperreals} include infinitesimals, which represent infinitely
+small and infinitely large quantities; they facilitate proofs
+about limits, differentiation and integration~\cite{fleuriot-jcm}.  The
+development defines an infinitely large number, \isa{omega} and an
+infinitely small positive number, \isa{epsilon}.  The 
+relation $x\approx y$ means ``$x$ is infinitely close to~$y$.''
+Theory \isa{Hyperreal} also defines transcendental functions such as sine,
+cosine, exponential and logarithm --- even the versions for type
+\isa{real}, because they are defined using nonstandard limits.%
+\index{rational numbers|)}\index{*rat (type)|)}%
+\index{real numbers|)}\index{*real (type)|)}%
+\index{complex numbers|)}\index{*complex (type)|)}
+
+
+\subsection{The Numeric Type Classes}\label{sec:numeric-classes}
+
+Isabelle/HOL organises its numeric theories using axiomatic type classes.
+Hundreds of basic properties are proved in the theory \isa{Ring_and_Field}.
+These lemmas are available (as simprules if they were declared as such)
+for all numeric types satisfying the necessary axioms. The theory defines
+dozens of type classes, such as the following:
+\begin{itemize}
+\item 
+\tcdx{semiring} and \tcdx{ordered_semiring}: a \emph{semiring}
+provides the associative operators \isa{+} and~\isa{*}, with \isa{0} and~\isa{1}
+as their respective identities. The operators enjoy the usual distributive law,
+and addition (\isa{+}) is also commutative.
+An \emph{ordered semiring} is also linearly
+ordered, with addition and multiplication respecting the ordering. Type \isa{nat} is an ordered semiring.
+\item 
+\tcdx{ring} and \tcdx{ordered_ring}: a \emph{ring} extends a semiring
+with unary minus (the additive inverse) and subtraction (both
+denoted~\isa{-}). An \emph{ordered ring} includes the absolute value
+function, \cdx{abs}. Type \isa{int} is an ordered ring.
+\item 
+\tcdx{field} and \tcdx{ordered_field}: a field extends a ring with the
+multiplicative inverse (called simply \cdx{inverse} and division~(\isa{/})).
+An ordered field is based on an ordered ring. Type \isa{complex} is a field, while type \isa{real} is an ordered field.
+\item 
+\tcdx{division_by_zero} includes all types where \isa{inverse 0 = 0}
+and \isa{a / 0 = 0}. These include all of Isabelle's standard numeric types.
+However, the basic properties of fields are derived without assuming
+division by zero.
+\end{itemize}
+
+Hundreds of basic lemmas are proved, each of which
+holds for all types in the corresponding type class. In most
+cases, it is obvious whether a property is valid for a particular type. No
+abstract properties involving subtraction hold for type \isa{nat};
+instead, theorems such as
+\isa{diff_mult_distrib} are proved specifically about subtraction on
+type~\isa{nat}. All abstract properties involving division require a field.
+Obviously, all properties involving orderings required an ordered
+structure.
+
+The class \tcdx{ring_no_zero_divisors} of rings without zero divisors satisfies a number of natural cancellation laws, the first of which characterizes this class:
+\begin{isabelle}
+(a\ *\ b\ =\ (0::'a))\ =\ (a\ =\ (0::'a)\ \isasymor \ b\ =\ (0::'a))
+\rulename{mult_eq_0_iff}\isanewline
+(a\ *\ c\ =\ b\ *\ c)\ =\ (c\ =\ (0::'a)\ \isasymor \ a\ =\ b)
+\rulename{mult_cancel_right}
+\end{isabelle}
+\begin{pgnote}
+Setting the flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
+\pgmenu{Show Sorts} will display the type classes of all type variables.
+\end{pgnote}
+\noindent
+Here is how the theorem \isa{mult_cancel_left} appears with the flag set.
+\begin{isabelle}
+((c::'a::ring_no_zero_divisors)\ *\ (a::'a::ring_no_zero_divisors) =\isanewline
+\ c\ *\ (b::'a::ring_no_zero_divisors))\ =\isanewline
+(c\ =\ (0::'a::ring_no_zero_divisors)\ \isasymor\ a\ =\ b)
+\end{isabelle}
+
+
+\subsubsection{Simplifying with the AC-Laws}
+Suppose that two expressions are equal, differing only in 
+associativity and commutativity of addition.  Simplifying with the
+following equations sorts the terms and groups them to the right, making
+the two expressions identical.
+\begin{isabelle}
+a\ +\ b\ +\ c\ =\ a\ +\ (b\ +\ c)
+\rulenamedx{add_assoc}\isanewline
+a\ +\ b\ =\ b\ +\ a%
+\rulenamedx{add_commute}\isanewline
+a\ +\ (b\ +\ c)\ =\ b\ +\ (a\ +\ c)
+\rulename{add_left_commute}
+\end{isabelle}
+The name \isa{add_ac}\index{*add_ac (theorems)} 
+refers to the list of all three theorems; similarly
+there is \isa{mult_ac}.\index{*mult_ac (theorems)} 
+They are all proved for semirings and therefore hold for all numeric types.
+
+Here is an example of the sorting effect.  Start
+with this goal, which involves type \isa{nat}.
+\begin{isabelle}
+\ 1.\ Suc\ (i\ +\ j\ *\ l\ *\ k\ +\ m\ *\ n)\ =\
+f\ (n\ *\ m\ +\ i\ +\ k\ *\ j\ *\ l)
+\end{isabelle}
+%
+Simplify using  \isa{add_ac} and \isa{mult_ac}.
+\begin{isabelle}
+\isacommand{apply}\ (simp\ add:\ add_ac\ mult_ac)
+\end{isabelle}
+%
+Here is the resulting subgoal.
+\begin{isabelle}
+\ 1.\ Suc\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))\
+=\ f\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))%
+\end{isabelle}
+
+
+\subsubsection{Division Laws for Fields}
+
+Here is a selection of rules about the division operator.  The following
+are installed as default simplification rules in order to express
+combinations of products and quotients as rational expressions:
+\begin{isabelle}
+a\ *\ (b\ /\ c)\ =\ a\ *\ b\ /\ c
+\rulename{times_divide_eq_right}\isanewline
+b\ /\ c\ *\ a\ =\ b\ *\ a\ /\ c
+\rulename{times_divide_eq_left}\isanewline
+a\ /\ (b\ /\ c)\ =\ a\ *\ c\ /\ b
+\rulename{divide_divide_eq_right}\isanewline
+a\ /\ b\ /\ c\ =\ a\ /\ (b\ *\ c)
+\rulename{divide_divide_eq_left}
+\end{isabelle}
+
+Signs are extracted from quotients in the hope that complementary terms can
+then be cancelled:
+\begin{isabelle}
+-\ (a\ /\ b)\ =\ -\ a\ /\ b
+\rulename{minus_divide_left}\isanewline
+-\ (a\ /\ b)\ =\ a\ /\ -\ b
+\rulename{minus_divide_right}
+\end{isabelle}
+
+The following distributive law is available, but it is not installed as a
+simplification rule.
+\begin{isabelle}
+(a\ +\ b)\ /\ c\ =\ a\ /\ c\ +\ b\ /\ c%
+\rulename{add_divide_distrib}
+\end{isabelle}
+
+
+\subsubsection{Absolute Value}
+
+The \rmindex{absolute value} function \cdx{abs} is available for all 
+ordered rings, including types \isa{int}, \isa{rat} and \isa{real}.
+It satisfies many properties,
+such as the following:
+\begin{isabelle}
+\isasymbar x\ *\ y\isasymbar \ =\ \isasymbar x\isasymbar \ *\ \isasymbar y\isasymbar 
+\rulename{abs_mult}\isanewline
+(\isasymbar a\isasymbar \ \isasymle \ b)\ =\ (a\ \isasymle \ b\ \isasymand \ -\ a\ \isasymle \ b)
+\rulename{abs_le_iff}\isanewline
+\isasymbar a\ +\ b\isasymbar \ \isasymle \ \isasymbar a\isasymbar \ +\ \isasymbar b\isasymbar 
+\rulename{abs_triangle_ineq}
+\end{isabelle}
+
+\begin{warn}
+The absolute value bars shown above cannot be typed on a keyboard.  They
+can be entered using the X-symbol package.  In \textsc{ascii}, type \isa{abs x} to
+get \isa{\isasymbar x\isasymbar}.
+\end{warn}
+
+
+\subsubsection{Raising to a Power}
+
+Another type class, \tcdx{ordered\_idom}, specifies rings that also have 
+exponentation to a natural number power, defined using the obvious primitive
+recursion. Theory \thydx{Power} proves various theorems, such as the 
+following.
+\begin{isabelle}
+a\ \isacharcircum \ (m\ +\ n)\ =\ a\ \isacharcircum \ m\ *\ a\ \isacharcircum \ n%
+\rulename{power_add}\isanewline
+a\ \isacharcircum \ (m\ *\ n)\ =\ (a\ \isacharcircum \ m)\ \isacharcircum \ n%
+\rulename{power_mult}\isanewline
+\isasymbar a\ \isacharcircum \ n\isasymbar \ =\ \isasymbar a\isasymbar \ \isacharcircum \ n%
+\rulename{power_abs}
+\end{isabelle}%%%%%%%%%%%%%%%%%%%%%%%%%
+\index{numbers|)}
--- a/doc-src/TutorialI/document/pairs2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,66 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{pairs{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\label{sec:pairs}\index{pairs and tuples}
-HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
-\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
-$\tau@i$. The functions \cdx{fst} and
-\cdx{snd} extract the components of a pair:
- \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
-are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
-for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
-$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
-\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
-
-Remarks:
-\begin{itemize}
-\item
-There is also the type \tydx{unit}, which contains exactly one
-element denoted by~\cdx{()}.  This type can be viewed
-as a degenerate product with 0 components.
-\item
-Products, like type \isa{nat}, are datatypes, which means
-in particular that \isa{induct{\isaliteral{5F}{\isacharunderscore}}tac} and \isa{case{\isaliteral{5F}{\isacharunderscore}}tac} are applicable to
-terms of product type.
-Both split the term into a number of variables corresponding to the tuple structure
-(up to 7 components).
-\item
-Tuples with more than two or three components become unwieldy;
-records are preferable.
-\end{itemize}
-For more information on pairs and records see Chapter~\ref{ch:more-types}.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/pghead.eps	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,73 @@
+%!PS-Adobe-3.0 EPSF-3.0
%%Title: (portrait-head copy)
%%Version: 1 6
%%Creator: Adobe Acrobat 7.0
%%CreationDate: 26/05/2005 09:00
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%ADO_ContainsXMP: MainFirst
%%BoundingBox: 172 54 468 463
%%HiResBoundingBox: 172.0 54.0 468.0 463.0
%%Pages: 0
%%DocumentProcessColors: Black
%%DocumentSuppliedResources:
%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
%%EndComments
%%BeginProlog
%%EndProlog
%%BeginSetup
%ADOPrintSettings: L2 W0 VM op crd os scsa T h ef bg ucr sf ef r b fa pr seps ttf hb EF t2 irt Printer/PostScript Color Management 0
+

%%BeginResource: procset l2check 6.0 1
%%Copyright: Copyright 1993,2001 Adobe Systems Incorporated. All Rights Reserved.
systemdict /languagelevel known
{ systemdict /languagelevel get 1 eq }
{ true }
ifelse
{
initgraphics /Helvetica findfont 18 scalefont setfont
72 600 moveto (Error: This application does not support) dup show
72 580 moveto (printing to a PostScript Language Level 1 printer.) dup show
exch = =
/Times-Roman findfont 16 scalefont setfont
72 500 moveto (As a workaround, try selecting Print As Image from) show
72 480 moveto (the Advanced Print dialog.) show
showpage
quit
}
if
%%EndResource
/currentpacking where{pop currentpacking true setpacking}if
%%BeginResource: procset pdfvars 6.0 1
%%Copyright: Copyright 1987-2002 Adobe Systems Incorporated. All Rights Reserved.
%%Title: definition of dictionary of variables used by PDF & PDFText procsets
userdict /PDF 162 dict put
userdict /PDFVars 89 dict dup begin put
/docSetupDone false def
/InitAll 0 def
/TermAll 0 def
/DocInitAll 0 def
/DocTermAll 0 def
/_pdfEncodings 2 array def
/_pdf_str1 1 string def
/_pdf_i 0 def
/_pdf_na 0 def
/_pdf_showproc 0 def
/_italMtx [1 0 .212557 1 0 0] def
/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
/_italMtxType0 [1 0 .1062785 1 0 0] def
/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
/_basefont 0 def
/_basefonto 0 def
/_pdf_oldCIDInit null def
/_pdf_FontDirectory 30 dict def
/_categories 10 dict def
/_sa? true def
/_ColorSep5044? false def
/nulldict 0 dict def
/_processColors 0 def
/overprintstack null def
/_defaulttransfer currenttransfer def
/_defaultflatness currentflat def
/_defaulthalftone null def
/_defaultcolortransfer null def
/_defaultblackgeneration null def
/_defaultundercolorremoval null def
/_defaultcolortransfer null def
PDF begin
[/c/cs/cm/d/d0/f/h/i/j/J/l/m/M/n/q/Q/re/ri/S/sc/sh/Tf/w/W
/applyInterpFunc/applystitchFunc/domainClip/encodeInput
/initgs/int/limit/rangeClip
/defineRes/undefineRes/findRes/setSA/pl
/? /! /| /: /+ /GetGlyphDirectory
/pdf_flushFilters /pdf_readstring /pdf_dictOp /pdf_image /pdf_maskedImage
/pdf_shfill /pdf_sethalftone
] {null def} bind forall
end
end
%%EndResource
PDFVars begin PDF begin
%%BeginResource: procset pdfutil 6.0 1
%%Copyright: Copyright 1993-2001 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Basic utilities used by other PDF procsets
/bd {bind def} bind def
/ld {load def} bd
/bld {
dup length dict begin
{ null def } forall
bind
end
def
} bd
/dd { PDFVars 3 1 roll put } bd
/xdd { exch dd } bd
/Level2?
systemdict /languagelevel known
{ systemdict /languagelevel get 2 ge } { false } ifelse
def
/Level1? Level2? not def
/Level3?
systemdict /languagelevel known
{systemdict /languagelevel get 3 eq } { false } ifelse
def
/getifknown {
2 copy known { get true } { pop pop false } ifelse
} bd
/here {
currentdict exch getifknown
} bd
/isdefined? { where { pop true } { false } ifelse } bd
%%EndResource
%%BeginResource: procset pdf 6.0 1
%%Copyright: Copyright 1998-2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: General operators for PDF, common to all Language Levels.
/cm { matrix astore concat } bd
/d /setdash ld
/f /fill ld
/h /closepath ld
/i {dup 0 eq {pop _defaultflatness} if setflat} bd
/j /setlinejoin ld
/J /setlinecap ld
/M /setmiterlimit ld
/n /newpath ld
/S /stroke ld
/w /setlinewidth ld
/W /clip ld
/sg /setgray ld
/initgs {
0 setgray
[] 0 d
0 j
0 J
10 M
1 w
false setSA
/_defaulttransfer load settransfer
0 i
/RelativeColorimetric ri
newpath
} bd
/int {
dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
exch pop add exch pop
} bd
/limit {
dup 2 index le { exch } if pop
dup 2 index ge { exch } if pop
} bd
/domainClip {
Domain aload pop 3 2 roll
limit
} [/Domain] bld
/applyInterpFunc {
0 1 DimOut 1 sub
{
dup C0 exch get exch
dup C1 exch get exch
3 1 roll
1 index sub
3 index
N exp mul add
exch
currentdict /Range_lo known
{
dup Range_lo exch get exch
Range_hi exch get
3 2 roll limit
}
{
pop
}
ifelse
exch
} for
pop
} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
/encodeInput {
NumParts 1 sub
0 1 2 index
{
dup Bounds exch get
2 index gt
{ exit }
{ dup
3 index eq
{ exit }
{ pop } ifelse
} ifelse
} for
3 2 roll pop
dup Bounds exch get exch
dup 1 add Bounds exch get exch
2 mul
dup Encode exch get exch
1 add Encode exch get
int
} [/NumParts /Bounds /Encode] bld
/rangeClip {
exch dup Range_lo exch get
exch Range_hi exch get
3 2 roll
limit
} [/Range_lo /Range_hi] bld
/applyStitchFunc {
Functions exch get exec
currentdict /Range_lo known {
0 1 DimOut 1 sub {
DimOut 1 add -1 roll
rangeClip
} for
} if
} [/Functions /Range_lo /DimOut] bld
/pdf_flushfilters
{
aload length
{ dup status
1 index currentfile ne and
{ dup flushfile closefile }
{ pop }
ifelse
} repeat
} bd
/pdf_readstring
{
1 index dup length 1 sub get
exch readstring pop
exch pdf_flushfilters
} bind def
/pdf_dictOp
{
3 2 roll
10 dict copy
begin
_Filters dup length 1 sub get def
currentdict exch exec
_Filters pdf_flushfilters
end
} [/_Filters] bld
/pdf_imagemask {{imagemask} /DataSource pdf_dictOp} bd
/pdf_shfill {{sh} /DataSource pdf_dictOp} bd
/pdf_sethalftone {{sethalftone} /Thresholds pdf_dictOp} bd
/masks [ 2#10000000
2#11000000
2#11100000
2#11110000
2#11111000
2#11111100
2#11111110
2#11111111 ] def
/addNBits
{
/numBits exch def
/byte exch def
OutBitOffset numBits add 8 gt
{
byte OutBitOffset 8 sub bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutByteIndex OutByteIndex 1 add def
/bitsDoneSoFar OutBitOffset def
/OutBitOffset numBits 8 OutBitOffset sub sub def
OutBitOffset 0 gt
{
byte bitsDoneSoFar bitshift
masks numBits bitsDoneSoFar sub get and
OutBuffer OutByteIndex 3 -1 roll put
} if
}
{
byte masks numBits 1 sub get and
OutBitOffset neg bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutBitOffset OutBitOffset numBits add def
OutBitOffset 8 eq
{
/OutBitOffset 0 def
/OutByteIndex OutByteIndex 1 add def
} if
} ifelse
} bind def
/DevNNFilter
{
/InBuffer Width NumComps mul BitsPerComponent mul 7 add 8 idiv string def
AllSource InBuffer readstring pop pop
/outlen Width NewNumComps mul BitsPerComponent mul 7 add 8 idiv def
/OutBuffer outlen string def
0 1 outlen 1 sub { OutBuffer exch 0 put } for
/InByteIndex 0 def
/InBitOffset 0 def
/OutByteIndex 0 def
/OutBitOffset 0 def
/KeepArray NumComps array def
0 1 NumComps 1 sub { KeepArray exch true put } for
DevNNones { KeepArray exch false put } forall
Width {
KeepArray
{
{
/bitsLeft BitsPerComponent def
{
bitsLeft 0 le { exit } if
/bitsToDo 8 InBitOffset sub dup bitsLeft gt { pop bitsLeft } if def
InBuffer InByteIndex get
InBitOffset bitshift
bitsToDo addNBits
/bitsLeft bitsLeft bitsToDo sub def
InBitOffset bitsToDo add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
} loop
}
{
InBitOffset BitsPerComponent add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
}
ifelse
}
forall
} repeat
OutBuffer
} bd
/pdf_image
{
20 dict copy
begin
/UnusedNones where { /UnusedNones get}{false} ifelse
{
/NumComps Decode length 2 div cvi def
/OrigDecode Decode def
/NumNones DevNNones length def
/NewNumComps NumComps NumNones sub def
/Decode NewNumComps 2 mul cvi array def
/devNNindx 0 def
/decIndx 0 def
/cmpIndx 0 def
NumComps {
cmpIndx DevNNones devNNindx get eq
{
/devNNindx devNNindx 1 add dup NumNones eq {pop 0} if def
}
{
Decode decIndx OrigDecode cmpIndx 2 mul get put
Decode decIndx 1 add OrigDecode cmpIndx 2 mul 1 add get put
/decIndx decIndx 2 add def
} ifelse
/cmpIndx cmpIndx 1 add def
} repeat
_Filters dup length 1 sub get /AllSource exch def
/DataSource { DevNNFilter } def
}
{ _Filters dup length 1 sub get /DataSource exch def }
ifelse
currentdict image
_Filters pdf_flushfilters
end
} bd
/pdf_maskedImage
{
10 dict copy begin
/miDict currentdict def
/DataDict DataDict 10 dict copy def
DataDict begin
/DataSource
_Filters dup length 1 sub get
def
miDict image
_Filters pdf_flushfilters
end
miDict /InterleaveType get 3 eq
{ MaskDict /DataSource get dup type /filetype eq { closefile } { pop } ifelse }
if
end
} [/miDict /DataDict /_Filters] bld
/RadialShade {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/r2 exch def
/c2y exch def
/c2x exch def
/r1 exch def
/c1y exch def
/c1x exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
c1x c2x eq
{
c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope c2y c1y sub c2x c1x sub div def
/theta slope 1 atan def
c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
c1x c1y translate
theta rotate
-90 rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
/max { 2 copy gt { pop } {exch pop} ifelse } bind def
/min { 2 copy lt { pop } {exch pop} ifelse } bind def
rampdict begin
40 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
c1x c1y translate
theta rotate
-90 rotate
/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
/c1y 0 def
/c1x 0 def
/c2x 0 def
ext0 {
0 getrampcolor
c2y r2 add r1 sub 0.0001 lt
{
c1x c1y r1 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2y r1 add r2 le
{
c1x c1y r1 0 360 arc
fill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r1 neg def
/p1y c1y def
/p2x r1 def
/p2y c1y def
p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y p1x SS1 div neg def
/SS2 90 theta sub dup sin exch cos div def
/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y p2x SS2 div neg def
r1 r2 gt
{
/L1maxX p1x yMin p1y sub SS1 div add def
/L2maxX p2x yMin p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
c1x c2x sub dup mul
c1y c2y sub dup mul
add 0.5 exp
0 dtransform
dup mul exch dup mul add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
/hires exch def
hires mul
/numpix exch def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
/xInc c2x c1x sub numsteps div def
/yInc c2y c1y sub numsteps div def
/rInc r2 r1 sub numsteps div def
/cx c1x def
/cy c1y def
/radius r1 def
newpath
xInc 0 eq yInc 0 eq rInc 0 eq and and
{
0 getrampcolor
cx cy radius 0 360 arc
stroke
NumSamples 1 sub getrampcolor
cx cy radius 72 hires div add 0 360 arc
0 setlinewidth
stroke
}
{
0
numsteps
{
dup
subsampling { round } if
getrampcolor
cx cy radius 0 360 arc
/cx cx xInc add def
/cy cy yInc add def
/radius radius rInc add def
cx cy radius 360 0 arcn
eofill
rampIndxInc add
}
repeat
pop
} ifelse
ext1 {
c2y r2 add r1 lt
{
c2x c2y r2 0 360 arc
fill
}
{
c2y r1 add r2 sub 0.0001 le
{
c2x c2y r2 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r2 neg def
/p1y c2y def
/p2x r2 def
/p2y c2y def
p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y c2y p1x SS1 div sub def
/SS2 90 theta sub dup sin exch cos div def
/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y c2y p2x SS2 div sub def
r1 r2 lt
{
/L1maxX p1x yMax p1y sub SS1 div add def
/L2maxX p2x yMax p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
grestore
grestore
end
end
end
} ifelse
} bd
/GenStrips {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
x1 x2 eq
{
y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope y2 y1 sub x2 x1 sub div def
/theta slope 1 atan def
x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
x1 y1 translate
theta rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
rampdict begin
20 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
x1 y1 translate
theta rotate
/xStart 0 def
/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
/ySpan yMax yMin sub def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
xStart 0 transform
xEnd 0 transform
3 -1 roll
sub dup mul
3 1 roll
sub dup mul
add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
mul
/numpix exch def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
ext0 {
0 getrampcolor
xMin xStart lt
{ xMin yMin xMin neg ySpan rectfill } if
} if
/xInc xEnd xStart sub numsteps div def
/x xStart def
0
numsteps
{
dup
subsampling { round } if
getrampcolor
x yMin xInc ySpan rectfill
/x x xInc add def
rampIndxInc add
}
repeat
pop
ext1 {
xMax xEnd gt
{ xEnd yMin xMax xEnd sub ySpan rectfill } if
} if
grestore
grestore
end
end
end
} ifelse
} bd
/currentdistillerparams where { pop currentdistillerparams /CoreDistVersion get 5000 lt}{true}ifelse
{
/PDFMark5 {cleartomark} bd
}
{
/PDFMark5 {pdfmark} bd
}ifelse
/ReadByPDFMark5
{
2 dict begin
/makerString exch def string /tmpString exch def
{
currentfile tmpString readline pop
makerString anchorsearch
{
pop pop cleartomark exit
}
{
3 copy /PUT PDFMark5 pop 2 copy (\n) /PUT PDFMark5
} ifelse
}loop
end
}bd
%%EndResource
%%BeginResource: procset pdflev2 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: PDF operators, with code specific for Level 2
/docinitialize {
PDF begin
/_defaulthalftone currenthalftone dd
/_defaultblackgeneration currentblackgeneration dd
/_defaultundercolorremoval currentundercolorremoval dd
/_defaultcolortransfer [currentcolortransfer] dd
/_defaulttransfer currenttransfer dd
end
PDFVars /docSetupDone true put
} bd
/initialize {
PDFVars /docSetupDone get {
_defaulthalftone sethalftone
/_defaultblackgeneration load setblackgeneration
/_defaultundercolorremoval load setundercolorremoval
_defaultcolortransfer aload pop setcolortransfer
} if
false setoverprint
} bd
/terminate { } bd
/c /curveto ld
/cs /setcolorspace ld
/l /lineto ld
/m /moveto ld
/q /gsave ld
/Q /grestore ld
/sc /setcolor ld
/setSA/setstrokeadjust ld
/re {
4 2 roll m
1 index 0 rlineto
0 exch rlineto
neg 0 rlineto
h
} bd
/concattransferfuncs {
[ 3 1 roll /exec load exch /exec load ] cvx
} bd
/concatandsettransfer {
/_defaulttransfer load concattransferfuncs settransfer
} bd
/concatandsetcolortransfer {
_defaultcolortransfer aload pop
8 -1 roll 5 -1 roll concattransferfuncs 7 1 roll
6 -1 roll 4 -1 roll concattransferfuncs 5 1 roll
4 -1 roll 3 -1 roll concattransferfuncs 3 1 roll
concattransferfuncs
setcolortransfer
} bd
/defineRes/defineresource ld
/undefineRes/undefineresource ld
/findRes/findresource ld
currentglobal
true systemdict /setglobal get exec
[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource /Image]
{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
forall
systemdict /setglobal get exec
/ri
{
/findcolorrendering isdefined?
{
mark exch
findcolorrendering
counttomark 2 eq
{ type /booleantype eq
{ dup type /nametype eq
{ dup /ColorRendering resourcestatus
{ pop pop
dup /DefaultColorRendering ne
{
/ColorRendering findresource
setcolorrendering
} if
} if
} if
} if
} if
cleartomark
}
{ pop
} ifelse
} bd
/knownColorants? {
pop false
} bd
/getrampcolor {
cvi
/indx exch def
0 1 NumComp 1 sub {
dup
Samples exch get
dup type /stringtype eq { indx get } if
exch
Scaling exch get aload pop
3 1 roll
mul add
} for
setcolor
} bd
/sssetbackground { aload pop setcolor } bd
%%EndResource
%%BeginResource: procset pdftext 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Text operators for PDF
PDF /PDFText 78 dict dup begin put
/docinitialize
{
/resourcestatus where {
pop
/CIDParams /ProcSet resourcestatus {
pop pop
false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
} if
} if
PDF begin
PDFText /_pdfDefineIdentity-H known
{ PDFText /_pdfDefineIdentity-H get exec}
if
end
} bd
/initialize {
PDFText begin
} bd
/terminate { end } bd
Level2?
{
/_safeput
{
3 -1 roll load 3 1 roll put
}
bd
}
{
/_safeput
{
2 index load dup dup length exch maxlength ge
{ dup length 5 add dict copy
3 index xdd
}
{ pop }
ifelse
3 -1 roll load 3 1 roll put
}
bd
}
ifelse
/pdf_has_composefont? systemdict /composefont known def
/CopyFont {
{
1 index /FID ne 2 index /UniqueID ne and
{ def } { pop pop } ifelse
} forall
} bd
/Type0CopyFont
{
exch
dup length dict
begin
CopyFont
[
exch
FDepVector
{
dup /FontType get 0 eq
{
1 index Type0CopyFont
/_pdfType0 exch definefont
}
{
/_pdfBaseFont exch
2 index exec
}
ifelse
exch
}
forall
pop
]
/FDepVector exch def
currentdict
end
} bd
Level2? {currentglobal true setglobal} if
/cHexEncoding
[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
Level2? {setglobal} if
/modEnc {
/_enc xdd
/_icode 0 dd
counttomark 1 sub -1 0
{
index
dup type /nametype eq
{
_enc _icode 3 -1 roll put
_icode 1 add
}
if
/_icode xdd
} for
cleartomark
_enc
} bd
/trEnc {
/_enc xdd
255 -1 0 {
exch dup -1 eq
{ pop /.notdef }
{ Encoding exch get }
ifelse
_enc 3 1 roll put
} for
pop
_enc
} bd
/TE {
/_i xdd
StandardEncoding 256 array copy modEnc
_pdfEncodings exch _i exch put
} bd
Level2?
{
/pdfPatchCStrings
{
currentdict /CharStrings known currentdict /FontType known and
{
FontType 1 eq CharStrings type /dicttype eq and
{
CharStrings /mu known CharStrings /mu1 known not and CharStrings wcheck and
{
CharStrings /mu get
type /stringtype eq
{
currentglobal
CharStrings /mu1
CharStrings /mu get
dup gcheck setglobal
dup length string copy
put
setglobal
} if
} if
} if
} if
} bd
}
{ /pdfPatchCStrings {} bd }
ifelse
/TZ
{
/_usePDFEncoding xdd
findfont
dup length 6 add dict
begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
/pdf_origFontName FontName def
/FontName exch def
currentdict /PaintType known
{ PaintType 2 eq {/PaintType 0 def} if }
if
_usePDFEncoding 0 ge
{
/Encoding _pdfEncodings _usePDFEncoding get def
pop
}
{
_usePDFEncoding -1 eq
{
counttomark 0 eq
{ pop }
{
Encoding 256 array copy
modEnc /Encoding exch def
}
ifelse
}
{
256 array
trEnc /Encoding exch def
}
ifelse
}
ifelse
pdf_EuroProcSet pdf_origFontName known
{
pdf_origFontName pdf_AddEuroGlyphProc
} if
Level2?
{
currentdict /pdf_origFontName undef
} if
FontName currentdict
end
definefont pop
}
bd
Level2?
{
/TZG
{
currentglobal true setglobal
2 index _pdfFontStatus
{
2 index findfont
false setglobal
3 index findfont
true setglobal
ne
{
2 index findfont dup rcheck
{
dup length dict begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
currentdict end
}
if
3 index exch definefont pop
}
if
} if
setglobal
TZ
} bd
}
{
/TZG {TZ} bd
} ifelse
Level2?
{
currentglobal false setglobal
userdict /pdftext_data 5 dict put
pdftext_data
begin
/saveStacks
{
pdftext_data
begin
/vmmode currentglobal def
false setglobal
count array astore /os exch def
end
countdictstack array dictstack pdftext_data exch /ds exch put
cleardictstack pdftext_data /dscount countdictstack put
pdftext_data /vmmode get setglobal
} bind def
/restoreStacks
{
pdftext_data /vmmode currentglobal put false setglobal
clear cleardictstack
pdftext_data /ds get dup
pdftext_data /dscount get 1 2 index length 1 sub
{ get begin dup } for
pop pop
pdftext_data /os get aload pop
pdftext_data /vmmode get setglobal
} bind def
/testForClonePrinterBug
{
currentglobal true setglobal
/undefinedCategory /Generic /Category findresource
dup length dict copy /Category defineresource pop
setglobal
pdftext_data /saveStacks get exec
pdftext_data /vmmode currentglobal put false setglobal
/undefined /undefinedCategory { resourcestatus } stopped
pdftext_data exch /bugFound exch put
pdftext_data /vmmode get setglobal
pdftext_data /restoreStacks get exec
pdftext_data /bugFound get
} bind def
end
setglobal
/pdf_resourcestatus
pdftext_data /testForClonePrinterBug get exec
{
{
pdftext_data /saveStacks get exec
pdftext_data /os get dup dup length 1 sub
dup 1 sub dup 0 lt { pop 0 } if
exch 1 exch { get exch dup } for
pop pop
{ resourcestatus }
stopped
{
clear cleardictstack pdftext_data /restoreStacks get exec
{ pop pop } stopped pop false
}
{
count array astore pdftext_data exch /results exch put
pdftext_data /restoreStacks get exec pop pop
pdftext_data /results get aload pop
}
ifelse
}
}
{ { resourcestatus } }
ifelse
bd
}
if
Level2?
{
/_pdfUndefineResource
{
currentglobal 3 1 roll
_pdf_FontDirectory 2 index 2 copy known
{undef}
{pop pop}
ifelse
1 index (pdf) exch _pdfConcatNames 1 index
1 index 1 _pdfConcatNames 1 index
5 index 1 _pdfConcatNames 1 index
4
{
2 copy pdf_resourcestatus
{
pop 2 lt
{2 copy findresource gcheck setglobal undefineresource}
{pop pop}
ifelse
}
{ pop pop}
ifelse
} repeat
setglobal
} bd
}
{
/_pdfUndefineResource { pop pop} bd
}
ifelse
Level2?
{
/_pdfFontStatus
{
currentglobal exch
/Font pdf_resourcestatus
{pop pop true}
{false}
ifelse
exch setglobal
} bd
}
{
/_pdfFontStatusString 50 string def
_pdfFontStatusString 0 (fonts/) putinterval
/_pdfFontStatus
{
FontDirectory 1 index known
{ pop true }
{
_pdfFontStatusString 6 42 getinterval
cvs length 6 add
_pdfFontStatusString exch 0 exch getinterval
{ status } stopped
{pop false}
{
{ pop pop pop pop true}
{ false }
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
Level2?
{
/_pdfCIDFontStatus
{
/CIDFont /Category pdf_resourcestatus
{
pop pop
/CIDFont pdf_resourcestatus
{pop pop true}
{false}
ifelse
}
{ pop false }
ifelse
} bd
}
if
/_pdfString100 100 string def
/_pdfComposeFontName
{
dup length 1 eq
{
0 get
1 index
type /nametype eq
{
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
2 index exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
exch pop
true
}
{
pop pop
false
}
ifelse
}
{
false
}
ifelse
dup {exch cvn exch} if
} bd
/_pdfConcatNames
{
exch
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
3 -1 roll exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
cvn
} bind def
/_pdfTextTempString 50 string def
/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
/_pdf_CheckCIDSystemInfo
{
1 index _pdfTextTempString cvs
(Identity) anchorsearch
{
pop pop pop pop true
}
{
false
_pdfRegOrderingArray
{
2 index exch
anchorsearch
{ pop pop pop true exit}
{ pop }
ifelse
}
forall
exch pop
exch /CIDFont findresource
/CIDSystemInfo get
3 -1 roll /CMap findresource
/CIDSystemInfo get
exch
3 -1 roll
{
2 copy
/Supplement get
exch
dup type /dicttype eq
{/Supplement get}
{pop 0 }
ifelse
ge
}
{ true }
ifelse
{
dup /Registry get
2 index /Registry get eq
{
/Ordering get
exch /Ordering get
dup type /arraytype eq
{
1 index type /arraytype eq
{
true
1 index length 1 sub -1 0
{
dup 2 index exch get exch 3 index exch get ne
{ pop false exit}
if
} for
exch pop exch pop
}
{ pop pop false }
ifelse
}
{
eq
}
ifelse
}
{ pop pop false }
ifelse
}
{ pop pop false }
ifelse
}
ifelse
} bind def
pdf_has_composefont?
{
/_pdfComposeFont
{
2 copy _pdfComposeFontName not
{
2 index
}
if
(pdf) exch _pdfConcatNames
dup _pdfFontStatus
{ dup findfont 5 2 roll pop pop pop true}
{
4 1 roll
1 index /CMap pdf_resourcestatus
{
pop pop
true
}
{false}
ifelse
1 index true exch
{
_pdfCIDFontStatus not
{pop false exit}
if
}
forall
and
{
1 index 1 index 0 get _pdf_CheckCIDSystemInfo
{
3 -1 roll pop
2 index 3 1 roll
composefont true
}
{
pop pop exch pop false
}
ifelse
}
{
_pdfComposeFontName
{
dup _pdfFontStatus
{
exch pop
1 index exch
findfont definefont true
}
{
pop exch pop
false
}
ifelse
}
{
exch pop
false
}
ifelse
}
ifelse
{ true }
{
dup _pdfFontStatus
{ dup findfont true }
{ pop false }
ifelse
}
ifelse
}
ifelse
} bd
}
{
/_pdfComposeFont
{
_pdfComposeFontName not
{
dup
}
if
dup
_pdfFontStatus
{exch pop dup findfont true}
{
1 index
dup type /nametype eq
{pop}
{cvn}
ifelse
eq
{pop false}
{
dup _pdfFontStatus
{dup findfont true}
{pop false}
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
/_pdfStyleDicts 4 dict dup begin
/Adobe-Japan1 4 dict dup begin
Level2?
{
/Serif
/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMin-W3}
{
/HeiseiMin-W3 _pdfCIDFontStatus
{/HeiseiMin-W3}
{/Ryumin-Light}
ifelse
}
ifelse
def
/SansSerif
/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
{/HeiseiKakuGo-W5}
{
/HeiseiKakuGo-W5 _pdfCIDFontStatus
{/HeiseiKakuGo-W5}
{/GothicBBB-Medium}
ifelse
}
ifelse
def
/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMaruGo-W4}
{
/HeiseiMaruGo-W4 _pdfCIDFontStatus
{/HeiseiMaruGo-W4}
{
/Jun101-Light-RKSJ-H _pdfFontStatus
{ /Jun101-Light }
{ SansSerif }
ifelse
}
ifelse
}
ifelse
/RoundSansSerif exch def
/Default Serif def
}
{
/Serif /Ryumin-Light def
/SansSerif /GothicBBB-Medium def
{
(fonts/Jun101-Light-83pv-RKSJ-H) status
}stopped
{pop}{
{ pop pop pop pop /Jun101-Light }
{ SansSerif }
ifelse
/RoundSansSerif exch def
}ifelse
/Default Serif def
}
ifelse
end
def
/Adobe-Korea1 4 dict dup begin
/Serif /HYSMyeongJo-Medium def
/SansSerif /HYGoThic-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-GB1 4 dict dup begin
/Serif /STSong-Light def
/SansSerif /STHeiti-Regular def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-CNS1 4 dict dup begin
/Serif /MKai-Medium def
/SansSerif /MHei-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
end
def
/TZzero
{
/_wmode xdd
/_styleArr xdd
/_regOrdering xdd
3 copy
_pdfComposeFont
{
5 2 roll pop pop pop
}
{
[
0 1 _styleArr length 1 sub
{
_styleArr exch get
_pdfStyleDicts _regOrdering 2 copy known
{
get
exch 2 copy known not
{ pop /Default }
if
get
}
{
pop pop pop /Unknown
}
ifelse
}
for
]
exch pop
2 index 3 1 roll
_pdfComposeFont
{3 -1 roll pop}
{
findfont dup /FontName get exch
}
ifelse
}
ifelse
dup /WMode 2 copy known
{ get _wmode ne }
{ pop pop _wmode 1 eq}
ifelse
{
exch _wmode _pdfConcatNames
dup _pdfFontStatus
{ exch pop dup findfont false}
{ exch true }
ifelse
}
{
dup /FontType get 0 ne
}
ifelse
{
dup /FontType get 3 eq _wmode 1 eq and
{
_pdfVerticalRomanT3Font dup length 10 add dict copy
begin
/_basefont exch
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
if
def
FontName
currentdict
end
definefont
def
/Encoding _basefont /Encoding get def
/_fauxfont true def
}
{
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
FontType 0 ne
{
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put}
if
def
/_fauxfont true def
} if
} ifelse
/WMode _wmode def
dup dup /FontName exch def
currentdict
end
definefont pop
}
{
pop
}
ifelse
/_pdf_FontDirectory 3 1 roll _safeput
}
bd
Level2?
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
selectfont
} bd
}
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
exch findfont exch
dup type /arraytype eq
{makefont}
{scalefont}
ifelse
setfont
} bd
}
ifelse
/cshow where
{
pop /pdf_cshow /cshow load dd
/pdf_remove2 {pop pop} dd
}
{
/pdf_cshow {exch forall} dd
/pdf_remove2 {} dd
} ifelse
/pdf_xshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_yshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0 exch
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_xyshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
{_pdf_na _pdf_i 1 add get} stopped
{ pop pop pop}
{
_pdf_x _pdf_y moveto
rmoveto
}
ifelse
}
ifelse
_pdf_i 2 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdfl1xs {/_pdf_showproc /show load dd pdf_xshow} bd
/pdfl1ys {/_pdf_showproc /show load dd pdf_yshow} bd
/pdfl1xys {/_pdf_showproc /show load dd pdf_xyshow} bd
Level2? _ColorSep5044? not and
{
/pdfxs {{xshow} stopped {pdfl1xs} if} bd
/pdfys {{yshow} stopped {pdfl1ys} if} bd
/pdfxys {{xyshow} stopped {pdfl1xys} if} bd
}
{
/pdfxs /pdfl1xs load dd
/pdfys /pdfl1ys load dd
/pdfxys /pdfl1xys load dd
} ifelse
/pdf_charpath {false charpath} bd
/pdf_xcharpath {/_pdf_showproc /pdf_charpath load dd pdf_xshow} bd
/pdf_ycharpath {/_pdf_showproc /pdf_charpath load dd pdf_yshow} bd
/pdf_xycharpath {/_pdf_showproc /pdf_charpath load dd pdf_xyshow} bd
/pdf_strokepath
{
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 false charpath
currentpoint S moveto
} bind
exch pdf_cshow
} bd
/pdf_xstrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xshow} bd
/pdf_ystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_yshow} bd
/pdf_xystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xyshow} bd
Level2? {currentglobal true setglobal} if
/d0/setcharwidth ld
/nND {{/.notdef} repeat} bd
/T3Defs {
/BuildChar
{
1 index /Encoding get exch get
1 index /BuildGlyph get exec
}
def
/BuildGlyph {
exch begin
GlyphProcs exch get exec
end
} def
/_pdfT3Font true def
} bd
/_pdfBoldRomanWidthProc
{
stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
0 0
} bd
/_pdfType0WidthProc
{
dup stringwidth 0 0 moveto
2 index true charpath pathbbox
0 -1
7 index 2 div .88
setcachedevice2
pop
0 0
} bd
/_pdfType0WMode1WidthProc
{
dup stringwidth
pop 2 div neg -0.88
2 copy
moveto
0 -1
5 -1 roll true charpath pathbbox
setcachedevice
} bd
/_pdfBoldBaseFont
11 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/Encoding cHexEncoding def
/_setwidthProc /_pdfBoldRomanWidthProc load def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
pdf_has_composefont?
{
/_pdfBoldBaseCIDFont
11 dict begin
/CIDFontType 1 def
/CIDFontName /_pdfBoldBaseCIDFont def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_setwidthProc /_pdfType0WidthProc load def
/_bcstr2 2 string def
/BuildGlyph
{
exch begin
_basefont setfont
_bcstr2 1 2 index 256 mod put
_bcstr2 0 3 -1 roll 256 idiv put
_bcstr2 dup _setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
/_pdfDefineIdentity-H
{
/Identity-H /CMap PDFText /pdf_resourcestatus get exec
{
pop pop
}
{
/CIDInit/ProcSet findresource begin 12 dict begin
begincmap
/CIDSystemInfo
3 dict begin
/Registry (Adobe) def
/Ordering (Identity) def
/Supplement 0 def
currentdict
end
def
/CMapName /Identity-H def
/CMapVersion 1 def
/CMapType 1 def
1 begincodespacerange
<0000> <ffff>
endcodespacerange
1 begincidrange
<0000> <ffff> 0
endcidrange
endcmap
CMapName currentdict/CMap defineresource pop
end
end
} ifelse
} def
} if
/_pdfVerticalRomanT3Font
10 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_pdfType0WidthProc
moveto
show
end
}bd
currentdict
end
def
Level2? {setglobal} if
/MakeBoldFont
{
dup /ct_SyntheticBold known
{
dup length 3 add dict begin
CopyFont
/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
/ct_SyntheticBold true def
currentdict
end
definefont
}
{
dup dup length 3 add dict
begin
CopyFont
/PaintType 2 def
/StrokeWidth .03 0 FontMatrix idtransform pop def
/dummybold currentdict
end
definefont
dup /FontType get dup 9 ge exch 11 le and
{
_pdfBoldBaseCIDFont
dup length 3 add dict copy begin
dup /CIDSystemInfo get /CIDSystemInfo exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefont exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefonto exch def
currentdict
end
/CIDFont defineresource
}
{
_pdfBoldBaseFont
dup length 3 add dict copy begin
/_basefont exch def
/_basefonto exch def
currentdict
end
definefont
}
ifelse
}
ifelse
} bd
/MakeBold {
1 index
_pdf_FontDirectory 2 index 2 copy known
{get}
{exch pop}
ifelse
findfont
dup
/FontType get 0 eq
{
dup /WMode known {dup /WMode get 1 eq }{false} ifelse
version length 4 ge
and
{version 0 4 getinterval cvi 2015 ge }
{true}
ifelse
{/_pdfType0WidthProc}
{/_pdfType0WMode1WidthProc}
ifelse
_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
{MakeBoldFont} Type0CopyFont definefont
}
{
dup /_fauxfont known not 1 index /SubstMaster known not and
{
_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
MakeBoldFont
}
{
2 index 2 index eq
{ exch pop }
{
dup length dict begin
CopyFont
currentdict
end
definefont
}
ifelse
}
ifelse
}
ifelse
pop pop
dup /dummybold ne
{/_pdf_FontDirectory exch dup _safeput }
{ pop }
ifelse
}bd
/MakeItalic {
_pdf_FontDirectory exch 2 copy known
{get}
{exch pop}
ifelse
dup findfont
dup /FontInfo 2 copy known
{
get
/ItalicAngle 2 copy known
{get 0 eq }
{ pop pop true}
ifelse
}
{ pop pop true}
ifelse
{
exch pop
dup /FontType get 0 eq Level2? not and
{ dup /FMapType get 6 eq }
{ false }
ifelse
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1Type0 }
{ _italMtxType0 }
ifelse
}
{ pop pop _italMtxType0 }
ifelse
}
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1 }
{ _italMtx }
ifelse
}
{ pop pop _italMtx }
ifelse
}
ifelse
makefont
dup /FontType get 42 eq Level2? not or
{
dup length dict begin
CopyFont
currentdict
end
}
if
1 index exch
definefont pop
/_pdf_FontDirectory exch dup _safeput
}
{
pop
2 copy ne
{
/_pdf_FontDirectory 3 1 roll _safeput
}
{ pop pop }
ifelse
}
ifelse
}bd
/MakeBoldItalic {
/dummybold exch
MakeBold
/dummybold
MakeItalic
}bd
Level2?
{
/pdf_CopyDict
{1 index length add dict copy}
def
}
{
/pdf_CopyDict
{
1 index length add dict
1 index wcheck
{ copy }
{ begin
{def} forall
currentdict
end
}
ifelse
}
def
}
ifelse
/pdf_AddEuroGlyphProc
{
currentdict /CharStrings known
{
CharStrings /Euro known not
{
dup
/CharStrings
CharStrings 1 pdf_CopyDict
begin
/Euro pdf_EuroProcSet 4 -1 roll get def
currentdict
end
def
/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
/pdf_PathOps /pdf_PathOps load def
/Symbol eq Encoding 160 get /.notdef eq and
{
/Encoding Encoding dup length array copy
dup 160 /Euro put def
}
if
}
{ pop
}
ifelse
}
{ pop
}
ifelse
}
def
Level2? {currentglobal true setglobal} if
/pdf_PathOps 4 dict dup begin
/m {moveto} def
/l {lineto} def
/c {curveto} def
/cp {closepath} def
end
def
/pdf_PSBuildGlyph
{
gsave
8 -1 roll pop
7 1 roll
currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
dup 9 1 roll
{
currentdict /StrokeWidth 2 copy known
{
get 2 div
5 1 roll
4 -1 roll 4 index sub
4 1 roll
3 -1 roll 4 index sub
3 1 roll
exch 4 index add exch
4 index add
5 -1 roll pop
}
{
pop pop
}
ifelse
}
if
setcachedevice
pdf_PathOps begin
exec
end
{
currentdict /StrokeWidth 2 copy known
{ get }
{ pop pop 0 }
ifelse
setlinewidth stroke
}
{
fill
}
ifelse
grestore
} def
/pdf_EuroProcSet 13 dict def
pdf_EuroProcSet
begin
/Courier-Bold
{
600 0 6 -12 585 612
{
385 274 m
180 274 l
179 283 179 293 179 303 c
179 310 179 316 180 323 c
398 323 l
423 404 l
197 404 l
219 477 273 520 357 520 c
409 520 466 490 487 454 c
487 389 l
579 389 l
579 612 l
487 612 l
487 560 l
449 595 394 612 349 612 c
222 612 130 529 98 404 c
31 404 l
6 323 l
86 323 l
86 304 l
86 294 86 284 87 274 c
31 274 l
6 193 l
99 193 l
129 77 211 -12 359 -12 c
398 -12 509 8 585 77 c
529 145 l
497 123 436 80 356 80 c
285 80 227 122 198 193 c
360 193 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-BoldOblique /Courier-Bold load def
/Courier
{
600 0 17 -12 578 584
{
17 204 m
97 204 l
126 81 214 -12 361 -12 c
440 -12 517 17 578 62 c
554 109 l
501 70 434 43 366 43 c
266 43 184 101 154 204 c
380 204 l
400 259 l
144 259 l
144 270 143 281 143 292 c
143 299 143 307 144 314 c
418 314 l
438 369 l
153 369 l
177 464 249 529 345 529 c
415 529 484 503 522 463 c
522 391 l
576 391 l
576 584 l
522 584 l
522 531 l
473 566 420 584 348 584 c
216 584 122 490 95 369 c
37 369 l
17 314 l
87 314 l
87 297 l
87 284 88 272 89 259 c
37 259 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-Oblique /Courier load def
/Helvetica
{
556 0 24 -19 541 703
{
541 628 m
510 669 442 703 354 703 c
201 703 117 607 101 444 c
50 444 l
25 372 l
97 372 l
97 301 l
49 301 l
24 229 l
103 229 l
124 67 209 -19 350 -19 c
435 -19 501 25 509 32 c
509 131 l
492 105 417 60 343 60 c
267 60 204 127 197 229 c
406 229 l
430 301 l
191 301 l
191 372 l
455 372 l
479 444 l
194 444 l
201 531 245 624 348 624 c
433 624 484 583 509 534 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-Oblique /Helvetica load def
/Helvetica-Bold
{
556 0 12 -19 563 710
{
563 621 m
537 659 463 710 363 710 c
216 710 125 620 101 462 c
51 462 l
12 367 l
92 367 l
92 346 l
92 337 93 328 93 319 c
52 319 l
12 224 l
102 224 l
131 58 228 -19 363 -19 c
417 -19 471 -12 517 18 c
517 146 l
481 115 426 93 363 93 c
283 93 254 166 246 224 c
398 224 l
438 319 l
236 319 l
236 367 l
457 367 l
497 462 l
244 462 l
259 552 298 598 363 598 c
425 598 464 570 486 547 c
507 526 513 517 517 509 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-BoldOblique /Helvetica-Bold load def
/Symbol
{
750 0 20 -12 714 685
{
714 581 m
650 645 560 685 465 685 c
304 685 165 580 128 432 c
50 432 l
20 369 l
116 369 l
115 356 115 347 115 337 c
115 328 115 319 116 306 c
50 306 l
20 243 l
128 243 l
165 97 300 -12 465 -12 c
560 -12 635 25 685 65 c
685 155 l
633 91 551 51 465 51 c
340 51 238 131 199 243 c
555 243 l
585 306 l
184 306 l
183 317 182 326 182 336 c
182 346 183 356 184 369 c
614 369 l 644 432 l
199 432 l
233 540 340 622 465 622 c
555 622 636 580 685 520 c
cp
750 0 m
}
pdf_PSBuildGlyph
} def
/Times-Bold
{
500 0 16 -14 478 700
{
367 308 m
224 308 l
224 368 l
375 368 l
380 414 l
225 414 l
230 589 257 653 315 653 c
402 653 431 521 444 457 c
473 457 l
473 698 l
444 697 l
441 679 437 662 418 662 c
393 662 365 700 310 700 c
211 700 97 597 73 414 c
21 414 l
16 368 l
69 368 l
69 359 68 350 68 341 c
68 330 68 319 69 308 c
21 308 l
16 262 l
73 262 l
91 119 161 -14 301 -14 c
380 -14 443 50 478 116 c
448 136 l
415 84 382 40 323 40 c
262 40 231 77 225 262 c
362 262 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-BoldItalic
{
500 0 9 -20 542 686
{
542 686 m
518 686 l
513 673 507 660 495 660 c
475 660 457 683 384 683 c
285 683 170 584 122 430 c
58 430 l
34 369 l
105 369 l
101 354 92 328 90 312 c
34 312 l
9 251 l
86 251 l
85 238 84 223 84 207 c
84 112 117 -14 272 -14 c
326 -14 349 9 381 9 c
393 9 393 -10 394 -20 c
420 -20 l
461 148 l
429 148 l
416 109 362 15 292 15 c
227 15 197 55 197 128 c
197 162 204 203 216 251 c
378 251 l
402 312 l
227 312 l
229 325 236 356 241 369 c
425 369 l
450 430 l
255 430 l
257 435 264 458 274 488 c
298 561 337 654 394 654 c
437 654 484 621 484 530 c
484 516 l
516 516 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Italic
{
500 0 23 -10 595 692
{
399 317 m
196 317 l
199 340 203 363 209 386 c
429 386 l
444 424 l
219 424 l
246 514 307 648 418 648 c
448 648 471 638 492 616 c
529 576 524 529 527 479 c
549 475 l
595 687 l
570 687 l
562 674 558 664 542 664 c
518 664 474 692 423 692 c
275 692 162 551 116 424 c
67 424 l
53 386 l
104 386 l
98 363 93 340 90 317 c
37 317 l
23 279 l
86 279 l
85 266 85 253 85 240 c
85 118 137 -10 277 -10 c
370 -10 436 58 488 128 c
466 149 l
424 101 375 48 307 48 c
212 48 190 160 190 234 c
190 249 191 264 192 279 c
384 279 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Roman
{
500 0 10 -12 484 692
{
347 298 m
171 298 l
170 310 170 322 170 335 c
170 362 l
362 362 l
374 403 l
172 403 l
184 580 244 642 308 642 c
380 642 434 574 457 457 c
481 462 l
474 691 l
449 691 l
433 670 429 657 410 657 c
394 657 360 692 299 692 c
204 692 94 604 73 403 c
22 403 l
10 362 l
70 362 l
69 352 69 341 69 330 c
69 319 69 308 70 298 c
22 298 l
10 257 l
73 257 l
97 57 216 -12 295 -12 c
364 -12 427 25 484 123 c
458 142 l
425 101 384 37 316 37 c
256 37 189 84 173 257 c
335 257 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
end
Level2? {setglobal} if
currentdict readonly pop end
%%EndResource
PDFText begin
[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
/hungarumlaut/ogonek/caron
0 TE
[1/dotlessi/caron 39/quotesingle 96/grave 
127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
/ucircumflex/udieresis/yacute/thorn/ydieresis
1 TE
end
%%BeginResource: procset pdfasc.prc 6.0 1
%%Copyright: Copyright 1992-2003 Adobe Systems Incorporated. All Rights Reserved.
/ASR {
13 dict begin
/mirV? exch def
/mirH? exch def
/center? exch def
/autorotate? exch def
/angle exch def
/shrink exch def
/Pury exch def
/Purx exch def
/Plly exch def
/Pllx exch def
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury 0 eq Durx 0 eq and Dlly 0 eq Dllx 0 eq and and
{ shrink 0 gt { GClipBBox } { GPageBBox } ifelse }
{ ITransDBBox }
ifelse
/PHt Pury Plly sub def
/PW Purx Pllx sub def
/DHt Dury Dlly sub def
/DW Durx Dllx sub def
angle 90 eq angle 270 eq or
{
PHt /PHt PW def /PW exch def
} if
autorotate? PHt PW ne and DHt DW ne and
{
DHt DW ge
PHt PW ge
ne
{ /angle angle 90 add def
PHt /PHt PW def /PW exch def
}
if
} if
angle 0 ne
{
/angle angle 360 mod def
angle rotate
angle 90 eq
{ 0 DW neg translate }
if
angle 180 eq
{ DW neg DHt neg translate }
if
angle 270 eq
{ DHt neg 0 translate }
if
} if
center?
{
ITransBBox
Durx Dllx add 2 div Dury Dlly add 2 div
Purx Pllx add -2 div Pury Plly add -2 div
3 -1 roll add exch
3 -1 roll add exch
translate
}
{
ITransBBox
angle 0 eq
{Dllx Pllx sub Dury Pury sub}
if
angle 90 eq
{Durx Purx sub Dury Pury sub}
if
angle 180 eq
{Durx Purx sub Dlly Plly sub}
if
angle 270 eq
{Dllx Pllx sub Dlly Plly sub}
if
translate
}
ifelse
mirH? mirV? or
{
ITransBBox
mirH?
{
-1 1 scale
Durx Dllx add neg 0 translate
} if
mirV?
{
1 -1 scale
0 Dury Dlly add neg translate
} if
} if
shrink 0 ne
{
ITransBBox
Dury Dlly sub Pury Plly sub div
Durx Dllx sub Purx Pllx sub div
2 copy gt { exch } if pop
shrink 1 eq
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{
shrink 2 eq 1 index 1.0 lt and
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{ pop }
ifelse
}
ifelse
} if
end
} [/autorotate? /shrink? /mirH? /mirV? /angle /Pury /Purx /Plly /Pllx /Durx /Dury /Dllx /Dlly /PW /PHt /DW /DHt
/Devurx /Devury /Devllx /Devlly /pdfHt /pdfW]
bld
/GClipBBox
{
gsave newpath clippath pathbbox newpath grestore
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
ITransDBBox
} [/Durx /Dury /Dllx /Dlly]
bld
/GPageBBox
{
{
currentpagedevice /PageSize get aload pop
/Devury exch def /Devurx exch def
/Devllx 0 def /Devlly 0 def
ITransBBox
}
stopped
{ GClipBBox }
if
} [/Devurx /Devury /Devllx /Devlly ]
bld
/ITransDBBox
{
Durx Dury transform matrix defaultmatrix itransform
/Devury exch def
/Devurx exch def
Dllx Dlly transform matrix defaultmatrix itransform
/Devlly exch def
/Devllx exch def
Devury Devlly lt {/Devlly Devury /Devury Devlly def def} if
Devurx Devllx lt {/Devllx Devurx /Devurx Devllx def def} if
} [/Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
/ITransBBox
{
/um matrix currentmatrix matrix defaultmatrix matrix invertmatrix matrix concatmatrix def
Devllx Devlly um itransform
Devurx Devury um itransform
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury Dlly lt {/Dlly Dury /Dury Dlly def def} if
Durx Dllx lt {/Dllx Durx /Durx Dllx def def} if
} [ /um /Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
%%EndResource
currentdict readonly pop
end end
/currentpacking where {pop setpacking}if
PDFVars/DocInitAll{[PDF PDFText]{/docinitialize get exec}forall }put
+PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
+PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
+PDFVars begin PDF begin
PDFVars/DocInitAll get exec PDFVars/InitAll get exec

[/NamespacePush PDFMark5
[/_objdef {Metadata_In_EPS} /type /stream /OBJ PDFMark5
[{Metadata_In_EPS} 17988 (% &end XMP packet& %) ReadByPDFMark5
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
+<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1-701">
+   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+      <rdf:Description rdf:about=""
+            xmlns:xap="http://ns.adobe.com/xap/1.0/"
+            xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
+         <xap:CreateDate>2005-05-26T09:00:06+01:00</xap:CreateDate>
+         <xap:ModifyDate>2005-05-26T09:00:06+01:00</xap:ModifyDate>
+         <xap:MetadataDate>2005-05-26T09:00:06+01:00</xap:MetadataDate>
+         <xap:Thumbnails>
+            <rdf:Alt>
+               <rdf:li rdf:parseType="Resource">
+                  <xapGImg:width>196</xapGImg:width>
+                  <xapGImg:height>256</xapGImg:height>
+                  <xapGImg:format>JPEG</xapGImg:format>
+                  <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgBAADEAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9U4q7FXYq7FXYq7FXYq7&#xA;FXYq7FUJdaxpFozrdX1vbtEOUiyyohUEVq3Iim2KsV1X86vyn0q8+p33mnT0uaAlEmEoWppRmi5q&#xA;p9icVRFl+bn5W3ppbebdIZq0CNewIx77K7qTirJbLUtOv4vVsbqG7i/35BIsi/epI7YqiMVdirsV&#xA;dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVUL6+stPs576+njtbO2Rpbi4lYJGiKKszM1AA&#xA;Bir48/PH/nKbVddkufL3kmZ9P0VHKTazC7pcXaDp6dVjeGM9/wBpvECoKr55nnnuJmmnkaaZzV5J&#xA;GLMT7k7nFVPFXYqvjllicPG7I46MpIP3jFX0h+Rv/OVV3oy2vlvz073mlhkhtNaO81tHTiBOAKyx&#xA;jb4vtAV+1sAq+vLS7tby1hu7SZLi1uEWWCeJg6OjiqsrCoIINQRiqrirsVdirsVdirsVdirsVdir&#xA;sVdirsVdirsVdirsVU7q6t7S2murmRYba3RpZ5nIVURByZmJ6AAVOKvgX86vz+8y/mLcvpyUsPK9&#xA;vMzWthFUNMFY+nLcsT8TU6L9keFd8VeU4q7FXYq7FXYq7FXrP5Lf85BeZfy7u4rC5Z9S8qO/+kaa&#xA;5q0IY/FJbMfst3KfZb2PxBV96aff2eoWNvf2Uq3FndxpPbTpurxyKGRh7EGuKq+KuxV2KuxV2Kux&#xA;V2KuxV2KuxV2KuxV2KuxV2Kvm3/nMj8yf0doVl5I0+cpe6qfrWqemxBWzQlUjanaaTf5J74q+PcV&#xA;dirsVZn+Ulh5S1bzvp2heZ7KW6stamTT4ZoJmhkt57hvTilAAIejsuzbUxVIPNGgXfl3zJqmg3ZB&#xA;udLuprSVhUBjC5TktezUqPbFUrxV2KuxV9U/84jfnMicfy7124oCWfy7cSHap+J7Sp8d3j+lf5Ri&#xA;r6rxV2KuxV2KuxV2KuxV2K
uxV2KuxV2KuxV2KpL5y826P5R8s3/mLV5PTsbCIyMB9p3OyRIO7yOQ&#xA;q+5xV+cPnbzfq3nDzTqPmPVWreahKZCgJKxoBxjiSv7MaAKPliqR4q7FXYqynQobvy7pVt5zpwu2&#xA;ung8vVA2uLZUeW6oev1f1Y+Hi5r+wQVWXf8AOSVtHP58s/NFugSz83aVY6xDw+yGkhEbr/rcoqn5&#xA;4q8smglhZVlUozKrgHrxdQyn6VIOKqeKuxVUt7i4triK5t5GhuIXWSGaMlXR0NVZWG4IIqDir9Hv&#xA;ye85v5y/LXQfMEzc7y4txHfseIJurdjDO3FaBeckZcDwIxVmWKuxV2KuxV2KuxV2KuxV2KuxV2Ku&#xA;xV2Kvkv/AJzJ/M6O5vLX8vrBqrZOl9rMg/36yVgh/wBiknNvmvhir5fxV2KuxV2KssS91XzN5f0n&#xA;R7i5htrHy4s6WjG2uGVY7mUTSM8ltHOW+Mknkop79lUdq3myzk8s6PoepX0fmBdA9b9ERwQSQwxr&#xA;cNzZJrmYRTyIGA/diIezjuqx3RbD/EfmGO1vdSt9Ne9ZuV/dLIIEahIDCBJCi7U2XivsMVVtV8j+&#xA;ZtN1HU7CWzaeTSYxc3ctsRNF9VfjwuUdK8oHDqRINqEYqkOKuxV9T/8AOEvm+b19f8oTOWiKLqtk&#xA;hOylSsFxT/W5Rfdir6txV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+dn/OQEc0f5zebFm+2b0sKmvw&#xA;sisn/CkYq8+xVdGzJIrJ9pSCu1dx02OKphHf3FlLdmaIPqMxZJ/rUMUvA8wzHjMkhDkrSooRv44q&#xA;l7uXcuaAsakKAo+gCgGKu5vw4cjwry412r0rTFVuKpx5U82+YPKetwa3oF2bPUreojmCo44tsysr&#xA;hlIPuMVereUfPWkebPNI1vUoZNP83RIy2CWFzHHZTllIeL6lcgJwn5MJY0mJk5HjGSd1WC655GvE&#xA;0LUdej0u80tLO+kje1uUk9P6s0npgxSOkfJreUiKUHf4l2HxYqwvFXsf/OJd1ND+demRxmi3NteR&#xA;SjfdRA0n/Eoxir7xxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV8I/85W+T9W0T81r3VrleWneYAl1Y&#xA;XABAJjjSKWI/5SMtfkQe+KvGcVZPoF5DZQwQaDaS6h5vvnCW9wqFza8jRUtIhyL3D/78I+D9gcvj&#xA;CrpvLuiaSSfMWqerf9W0rTClxKrdStxdE/V4j/qeqwOzKuKqLeZNGtiV0vy9aRgGsdxfvLe3FPBq&#xA;mK1b/pHGKpheav5/tNGsNbl0+Gx0m+dhp+oQ6XZW0UskJ4twkigQMVK/gffFVC085+eL644wcdQm&#xA;RCfTawtbqiVAJ4PDIKVp2xVVn83SLK0fmLyrpd0zVBH1NtLkX3Qae1mgI/ykI9sVXppHkHXlZdGv&#xA;5tA1Q/3Om6u6TWkrfypqEawiIk9PXiVB3kxVXvvzA876fpd35V8wRfWFMfpFL5G9eMenwjdXqCaR&#xA;misa1SgqVCcVWDYq+gv+cM/KdzqH5g3vmNoyLHRbR0WWmxubr92iiv8AxUJCae3jir7SxV2KuxV2&#xA;KuxV2KuxV2KuxV2KuxV2KuxV59+ef5aw+f8A8v77S44wdXtQbvR5Nqi5jU0jqeiyiqH517Yq/PK7&#xA;tLuzuZLW7hktrqFik0EqlJEYdVZWAIPzxVlfk3TvPV1omqL5Z0+5mjuf9GurqwtJLi7kBXk1qjxh&#xA;nSMr8UvGlV2avwrirDyCDQ9cVaxV9earfeX/AD1/ziJLHokEa3fl+ztjcWEZ5PbT2Mi+s5WvICSE&#xA;SOCf2W8a4qy/8j/JWhflL+V36e8xEWmqakkd3q87IzSxq/8AcWqogZyUDbqoqXJ9sVXat/zkV5Xl&#
xA;Etrd+RvM97p4DetJJpKGFlHfhLKPhpWvIDFWGP5M/wCcbPzhaa18tP8A4X828WZbVIvqcvJQT8Vm&#xA;37iUDq3pHl4kYq8J/MzQvOPkhT5E81W8V2tq63OhaoKsyQMWDrbymjGCQ/aib7LiopvyVYRo2j6l&#xA;rOq2mk6ZA1zqF9KkFrAnVpHNAN9h7k7DFX6M/lT5As/IfkbTfLsHB7iBPU1C5RQPWupDylcmgJFT&#xA;xWu/EAdsVZdirsVdirsVdirsVdirsVdirsVdirsVdirsVeO/np/zjxpH5ir+mNPlGm+aoIvTS441&#xA;hulX7EdwBQ1HRZBuBseQAAVY15wsLj8tP+cUUsdLpZaleWtqmoSqQJDPqDIbujKd24syA/yj2xV8&#xA;ZYquRijqwpVSCKgEbeINQcVegeV/zH1HRbN7+0jexWCL9HzjTHgtnm+tCRubNNb3dKLGwIWgrxIp&#xA;TdVOfNH5x+aG8vWMa6zeapJrMUlxNb6s0V9HZxpNJbJGqtDHFJM/os5kMfwqyhaMC2KvNv8AEvmP&#xA;iqDVLsIgoiCeQKorWiqGoBU9BiqZ6J5+1+w1jT9QvLiTUxp80U0C3MjPJH6Th19CYkyQkEVHAgeI&#xA;I2xV9k/85G+SE/ML8qYNU0O0e+1a0Nvf6MsSVmlhuSqyRgdaNG4cjxUYqnH5O/kN5U/LqxjuFiXU&#xA;PMkihrjVp0UyRlk4tHb9fSTcg0NW7mlAFXp2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KsX/M&#xA;Typb+cvKmr+WJ/Ui+tWvK2uEd4wJ/i9OvEryCOqllO24rir5k832M+pf84eeWLm3eV10W+P16Loq&#xA;f6TcW9XG5+B5FVd6Ubp0oq+bsVV7GxvL+8hsrKFri6uGEcMMYqzMegAxVPNG8lapqepaDp0UsRfz&#xA;DfmxtVR+dCkqQ+s1NuHKRuJ/yT2xV7f/AM5P/lpo+m61olj5f0+HT/UsKaXBBGkQupbeQi5gHAAN&#xA;NxeKRB1clxuzKMVfNxBBoeuKs6/I/wAm2PnH80dC0LUBy0+WV57yM/txW0bTtHtvST0+B+eKv0YR&#xA;FRQiAKqgBVAoAB0AGKt4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FWG/m5ba5f+QtU0fy9O&#xA;IPMWrRNa6T+89FpJOJlljSTYKzQRSUqRirxjzTp2s+Wf+cV9GTTLF5Y7edZPNVpctUywyyTJeB6c&#xA;WKtcOvGnxKtGrVeWKvkq8+p/WpfqfqfVSxMIm4+oFPQMV+EkdKiletB0xVOvJNrq2qa9aeXNKmW1&#xA;utfni083R2ZUuHEbLzHxBG5fGF+0Num2KvTxZflV5R/OXyM/lXzC2oaRY3UUGtXsrMpju4rgiSQl&#xA;0RBA4kXdKrQN8R64q+oPzs/Law/MjylPolvcxQ+YNPKX2lylhWORuSoJKVdYpgrLXxFd+NMVfH3k&#xA;fyHrX5qX99bQWZk1ewCm81i0ltqPy5KslxBNLAJizJQzQtX9p1dmrir3H8nf+cVfMfk7zxYeaNX1&#xA;62I0wu8FtYq7tKZI2iZXeVUCLxc1oGr7dcVfQHmmbzLDoF5L5Zt7a61xE5WVveu8cDsDuGZATuK0&#xA;6CvUgb4qmFp9ZNrCbrj9Z4L6/pghPUoOXEEsaV6b4qq4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7&#xA;FXYqhr+OExLcSQxSyWjevC03ECNgrIzq7A8G9N2FfAkdCcVY7+arWY/LjzDBdSQwxXllJYRPckrC&#xA;Jr0fVoAzKG4gyyqOVNuuKvzev9PvtPuntL+3ktbqMKXgmRo3AdQ6kqwB+JWBHtirKPyj84aV5O/M&#xA;TRvMWq2f16wsZSZohQuodGj9VAdi8XLmo8R1HXFUNe+c7i3896n5j
0ZY7aG61CS7js1QLbtD9aFz&#xA;HA8WwMVUSqHwxV9H+Uf+cpPL3mHzvpmo67b23li3tIHtri6a4mkknE0bM8ZRLZ0aJZ0jK8nRl6gm&#xA;rLirHpb/AEr8t/8AnI2180WHmGwufKvmh5prx4J4z6NvdDnJHcRRfEgSXi8fw/FQd+QxV9DWf55/&#xA;k/dsFi83aapJ4/vp1gFfnLw298VZDa+b/LF/Zz3Wl6rZ6kkEbSv9UuIpvhVS3+62bsMVfPX5u/m7&#xA;p+h/85H+VlkvJhpXl+MQa0sUhWJZL1XDMyfErCKOVHbavbrir6dVlZQykFSKgjcEHFXYq7FXYq7F&#xA;XYq7FXYq7FXYq7FXYq7FXYq7FXYqxT8x/I9t5t8jX/lZQIIL94C/CihQl1HcOwp3+AnFXxX/AM5P&#xA;3i3H51a7FH/cWSWlrCKUoI7SIsN/B2bFXlWKuxV2KuxV2Krkd0dXRirqQVYGhBHQg4qqyy3l9dmS&#xA;V5Lq8uH+J2LSSSOx7k1ZmJxV+lX5bWmr2f5e+W7PWUMeqW2mWkN5G32lkSFVIev7Qp8XvirI8Vdi&#xA;rsVdirsVdirsVdirsVdirsVdirsVdirsVdir4V/5yw8rxaN+aN3fNMz3GuEXqRFRwW3EMMKHkP2m&#xA;njnBWmyhT3xV4rirsVfan5A3v5Wee9Nt77TPLWl6P5s0BYk1KJLKIpIkoIMsdQGPMoaNyLIaAkg0&#xA;ZV7TqHk7yhqKenqGh6feJSnC4tYZRQ+zqcVYnd/84+fkzdyyyS+VbNTLx5LD6kCjia/CImTjXvTF&#xA;XWP5Cfk9psqG18oWMwlLJIbgNchFZCeVLhpe6gCm4rXFU90P8sfy70K8F9o/lvTrK9X7F1FbRCVf&#xA;9R6cl+g4qybFXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYqw+H82/y59F3u/Mem2kkd5PYtDN&#xA;dwpIJIbl7fdCwYBinIGlOPxdN8VYj/zkZ+UN7+ZXlSxk0OWM61pDvPYI7AR3EU6qJIg/RWbghVjt&#xA;tQ0rUKvhC9sryxupLS9gktrqE8ZYJVKOp8GVqEYqyC68jXkH5cWHnbkxtbzVLjS3jK0CmKGOWJw3&#xA;fn+9B8OH3Kvf/wDnB7R3Nz5r1lgwjRLSziNDwYsZJJN+lV4p9+Kvq7FXYqhZNV0yPUYdMku4U1G4&#xA;jaaCyaRRM8aEB3SMnkyrXcgYqisVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir5R/wCcqPz3&#xA;1OK/vfy78vSG2hiCLreoxSfHL6iBzaoV+woDUk3qfs7CtVXzNqemyWDW0coIlnt4rkg9lnX1I6fO&#xA;NlOKs6/LL8+vzA/L944NPu/r2iqfj0e8LSQAE1PpGvKE7k/AaV6g4qs/PL8wfL3n/wA3W3mbSLGX&#xA;T57mwhj1a3mKt/pcTOlVdftr6IjAag6dMVZnN54/LuT/AJxVs/KV3chvNMV3LNaWUQZpFmF48nrS&#xA;GnFVNvKU3O/b2VeqfkB+Z35NeTvyy03SbjzLbwanLyu9UjmSRGW5npyXZKNwVVStT0xVluvf85Sf&#xA;lJp3GHTr248wahIeMNjplvJI7M32RzkEUe5/lYn2xV5X+YP/ADkF+Zs0Ekk5t/IWnKCYtNZhc65c&#xA;kUIj9IgNbq21XdI6CtGcjjiry382tH1Ox0zyx5w1S4ZfNfnF7/XbwRsw9C3neFrOOMliyqELFR+z&#xA;Xj2xV9Hf84y/njL540xvLWtKF8waNbRlbovU3kCngZCp3EifDz61rXbpir3TFXYq7FXYq7FXYq7F&#xA;XYq7FXYq7FXYqxzVvzI/L3R5ZYNU8zaXZXEAJltpryBJhxFSPSL86+wFcVeRa3/zmh+W9nPJDpmn&#xA;alqnAkCcJFBC9DsVLuZKH3QYq8h8
1f8AOYP5napNdxaOtpo1hLzS39KIyXKRtUKWlkZ19QA/aVRv&#xA;2xV4ZNNNPNJNNI0s0rF5ZXJZmZjVmZjuST1OKsn/ADLdW80qEUKkWmaRCgWtOMOlWsYO++4WuKpd&#xA;r3lDzDoNnpV9qdo0Flrdst5plzUNHNE1OjKTRlr8SncbdiMVTP8ALb8s/M/5h6+dF0BIhLHE09xd&#xA;XLMlvDGu1ZGRZG+JiAAFJP34qlnmW08vWV59S0mW4uXtgsV3dSlBFJOg4zGBVAb0uY+AsaleoGKv&#xA;Yfyf/LP8h/Pept5dGo+YG1z6qbgTsttb27FaCQIqrcspQmvxtQj32xV6j5Y/5w08vaVe3E975p1O&#xA;eGQFIorEJYNwPVJpKzmQU8AuKpp54/KL8mvy3/LbzHrcOjRG/XT7i3tb29d7mY3NzGYYeAlZkRzI&#xA;4+JFBAqcVfG2v+add8wfo/8AS1011+irOLTrHlQenbQV9NBTwr16nFVnlvzHrPlrXLPXNGuWtNSs&#xA;ZBLBMviOqsOjKw2ZTsRscVe5+RP+cx/O2n6kF84wx61pT19R7eKO3uozTYpw4RMPFWH04q9g0H/n&#xA;L78pdW1KCxlXUtL9dxGtzewRCEM2w5NBNOVFe5FB32xV61Y+avK9/fGwsdYsbu+UFjaQXMUkoAFS&#xA;fTVi34YqmmKuxV2KuxV2KrZJI4o2kkYJGgLO7EBQoFSST0AxV8yeaP8AnNvSre+9Hy15dlvrVKh7&#xA;q+mW3LMCR8EUQn+GlCGLA/5IxVhXmH/nND8xb74NF06w0eIqAXZXupg9TUhnKR0pTYxn54q8r1z8&#xA;2/zO1yd5tT8z6lKXrWJLh4Yd9jSGExxr9C4qxIkk1PXFWsVdirsVR2sarNql4t3MKSCC2tz7i2t0&#xA;gB+ZEVcVZf5g/N7VvMH5d6X5I1TTrN7bQzF+idRhDx3MYjUoVkJZ1dXRqEALuAe2KvYY721/KD/n&#xA;Gm1nsXEfm/8AMBFlSdac1gmTkHX/ACYbaQAeEklcVfMOKvpL/nC9vLFl5h1i+1LUba21m8jj0/SL&#xA;OWVEllUsJJ+CsaklhEFp13p0OKvd/wA2/wA/PJv5bqLS9Emo69LH6tvpNvQNxNQrTSmqxKSPdvBT&#xA;ir40/NT86fOP5kXqNq8q22l27FrPSbeogjJ25tXeSSm3JvoArirAcVdirsVdiqM0rV9V0e/i1DSb&#xA;yfT7+Cvo3drI8MqcgVbi6FWFVJB9sVZ75c/5yJ/N/QruW5j8w3GoGWMxmHUna7jWpB5oshPFhTqM&#xA;Veh+Vf8AnNTznYiRPMmj2uspxPoyW7GylD7fbPGdCvyQH3xV7B+U3/OUPlPz5q6aHeWUmg61PX6n&#xA;DLKs8E5ArwSYLEfU60VkFexJ2xV7RirsVfOX/OTH/OQNjo1jrH5f6Ikr69cRC21G9+EQwQ3Eas6o&#xA;QSzSNG/HoONetcVfHGKuxV2KuxV2KuxV2KuxV2Kp/wCbPOuteZxpCai6+homnW2lafCgoqQWsYQH&#xA;3ZyOTH+AGKpBirasVIZSQwNQR1BxVk3mPXb7zVYW2qXvqXOtaZCttqd6QWM1qhWO1nmbf94vP0WY&#xA;9R6f7VSVWMYq7FXYq7FXYq7FXYq7FVayvLqxvIL20laC7tZEmt5kNGSSNgyMp8VYVGKv0A/KX8/P&#xA;JXn6xtrZbxLHzL6ai60m4IjdpAo5Nbk/DKpNaBTyA6gYq9OxV+V0sss0ryyu0kshLPI5LMzHckk7&#xA;k4qsxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvQfyMg0O78+rYeYruK08uXun6hDrLzOI1Nv9UkccS37&#xA;aSoki9wVBHTFWL+bJvLT6uY/LkDxaXbxxwJPKWMlzIgpJcsrE8PVepVB9laDrU4qk2KuxV2Ksz0P&#xA;8n/
zC1vzRe+VrDS+WvafbLeXVlJNDEVhcRsrc3dUPIToR8XfFUfqn/OP35y6YrNdeVbsqgJZrcxX&#xA;IAFCTWB5B3xVjF/5I856cgkv9B1G0jIDB57SeNSpFQQzIAQRvXFUlZWVirAqymjKdiCOxxVrFW1Z&#xA;lYMpKspqrDYgjuMVfTX+OPOP/QpX6W/TV7+lP0p9T+v+vJ6/1flw9P1a8+PHbrir5kxV2KuxV2Ku&#xA;xV2KuxV2KuxV2Kq5tSLNLr1YyGkaIwhv3q8VDciv8rctj7HFVDFXYq2CR0xVrFXYq7FXYq+t/wAs&#xA;tdsovzt8tSu6CfzL5V0qUuxCfHFYOjxiv2iXhGw8PbFXrP59WNzc+QGlW1e/06wv7G+1vTYuXK50&#xA;62uFkuouK/aHAciPAYqgNMn8p2eqQ3XkXWoLfy9q7wNq8OmejJb2S+hciG4RSskNsJ5RHHICm7KN&#xA;geZxVX/T6a1bSXGvaRYXsNu1nGltNbCV7q3urlrM3UJkLcUeQF4k4n4difjDBVb5+/Ij8s9V8s6u&#xA;LLytYW2rNZXH1CazhW2Zbj0mMTAQ+mCQ9Dv174q/PnFX0B/65t/2/P8Ambir5/xV2KuxV2KuxV2K&#xA;uxV2KuxV2KuxV2KuxV2KuxV2KuxVPI/Kty2k6Lqj3EaW2t31xp8QNeUb2oty7vsBxIu1pQ9jir2H&#xA;zp/zil+YmlaVLrGoeYrC9sNLgROcjX0ksdvHRVSOKOCduKV6LsBviqS+WPyX/PifSLfWfJt1Jc6b&#xA;ccjaXWn6j9UDhH4clEz2rUqm23bFUbpvlj/nLDygkkOmWusW8bO8ssds0V2jSftOQjTKzN4/te+K&#xA;qmpfmJ/zlDCsR17R766W1dZLea90NQY3i+JXjnS3jYMpFeStXFU2g/5zD/NnTWCaxoOnuoO5eC6t&#xA;pDWppUylenT4cVfPl/NBPfXE1vF6FvLK7wwV5cEZiVTlQV4jauKvef8A1zb/ALfn/M3FXz/irsVd&#xA;irsVdirsVdirsVdirsVdirsVdirsVdirsVdir0O7h9T8idF1GLaTTfM19blttjc2VrKp6d/QP3Yq&#xA;/QSCWLWNEjlVjHDqNsGDRkFlWeOtVJFKgNtUYq+b7PzF5Mt/+cbrjyqNWhuNXsptVsNFjSV/rEk8&#xA;FzcS200aWhMhHpFSGpwqRy2OKpZ5a83XFro+kW+ra9qP6BFnqTC+0+9u7BV1ZhFc28D3l66qWS25&#xA;KsUsjR+pUbjFWW6Z+ZXnQ6fcatc6+EvLf9D3uj6NLBAq6rpd5DEkiRIA8puJbhnXkshCSDiSErir&#xA;1j82NFXWvyy80aaVLvNptyYVH+/o4zJF1/4sRcVfmtir6A/9c2/7fn/M3FXz/irsVdirsVdirsVd&#xA;irsVdirsVdirsVdirsVdirsVTzyl5fg1y9vrWWZoWttN1DUIitPiewtJLrga9mWIjb+3FXpvk/8A&#xA;KvSNS8m+XBqlzrUSeZdVWz/0JrWSwivGjDWzyRzNEQ7wTbHlXZqdhir1i3/5xn8x2omh0D83L+2e&#xA;wBWW3j9VfR5A0V/SvF9MEA/s4qktp/zj9+Zug6+V0L8x9Nj100C+qTHeMrLU1HGeTcfeMVZJJ5L/&#xA;AOcxLWMRDzbo+pQNUtFIkL9KEcjNYofl8WKoW6tv+cuzNbT32haDrlxYkS2c06WTPFKP2omMkHB2&#xA;4jdaYqlnnT/nIL/nIPyQluvnTyho9pDqHNbenORJAgHqLWK7uF6MOuKvlSUxmVzECsRY8A25C12r&#xA;9GKvff8A1zb/ALfn/M3FXz/irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVZl+UUbT+fbKyUq&#xA;G1C21DT1Lgstb3T57YVA95cVey/lprui6X+R2mXd/OkgsPOGk37GEPPJCsU
kHqBlVeSuILaRqdOJ&#xA;FDvTFXub6Jqc1t5gh01Hm0HzGyOizIl3bql7Nynmh4yxSyW08UzvJCWBR+RXZ8VeT/mh5O803sei&#xA;StZ6jL5g03TtT0u81e30i4vTdvpU8M+lyh41keE3TRbShuSkkfZriqUS+WrOa889C90mTR7y5sb+&#xA;/wBHsba1vYJ47k2VtqQRJlpbNHDNbSx8aKwc0FQ9FVeiWnnryJfeem1dNcm0vRtd0SbT7iOSe6tD&#xA;Fqlq1o3FFZoyJ/QuURTGKsY2AJNcVeS/mdOdc/I2GW71aLVta0bU4J55k1CbUpPq8sTWckkpuPjg&#xA;aW5i5ekv7ulCnUnFXz1ir6A/9c2/7fn/ADNxV8/4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq&#xA;7FVS3ubi2mSe3kaGaM1SWMlWU+II3GKsq8s/ll+ZWu6eureXdEvb2ydmjF1aiqlkPxLUEdDirJbb&#xA;8tP+cjbX/eXTNfg24/upZk+EdvhcbYqm1voX/OWtvQRP5qCgcVU3dyygDwVpCBiqZWz/APOYtsVM&#xA;f6fbgKD1Qsvtv6nKv04qn1rqX/ObsUSiNLxkPxASwaUzb70JkQv9GKpH+aGu/wDOR9l5G1BPzB0y&#xA;3TQNdaC0luClikwnSQXMJ/0RxKD/AKP/ALsUrT3pirwLFX0B/wCubf8Ab8/5m4q+f8VdirsVdirs&#xA;VTLSvL+q6rHdS2cPKKzglup5nIjjWOAKXrI1EDfGtAT8RIUVZlBVS3FXYq7FXYq7FXYq7FXYq7FX&#xA;Yq7FX27/AM4Z3Bl/KW6j5V+r6vcxgeFYYJKf8PXFXu+Ksf8AIsNxD5dhikvrS+hjYxWbWDSSwRQQ&#xA;gQpF60sk0kzr6fxyO1WauwxVH6HqulahBcfoy+hv4bS4ktJmhl9YxzREB4pHLOfUUncHFUJ5Qv7q&#xA;9sLt7q8tLuaG+urfhZSGVIEhmKRwyOzOxmCBWk5UoxIApTFWB/8AOU2mpe/klrzkVks2tbmL2K3U&#xA;aMTt/vt2xV8B4q+gP/XNv+35/wAzcVfP+KuxV2KuxV2Kpvd+bfMV3odvoU1840a1IaKwjCxQlx0d&#xA;0jCiR/8ALere+KpRirsVdirsVdirsVdirsVdirsVdir3X/nH7/nIPS/y50K70DUdPluY7+++tJdC&#xA;ThFDzjSJi6qkslP3YJ4qTToDir1bzP8A85h+X9JihS10m31uaf1vUjs76T040RuEZd5bOP8AvR8Q&#xA;UAkD7VDtirCfL3/OYOkeXNL/AEbovkMW1sCWRW1V5aHiEWpe1LMERVRRy2VQO2KoLy//AM5bw+Xh&#xA;fDSPJNtbfpK6kv70/Xp3LzygBmq6NxFFACrRR2GKusf+cwtQ0prn9DeT7CyjvJTcXKG4nk5SlQpY&#xA;bIFHFR8Kin34qg/OH/OW2ueavKOreXNQ8u2kcWqQNALiGaUGOu4fiwbkQQD1GKvA8VfQH/rm3/b8&#xA;/wCZuKvn/FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+gP/AFzb&#xA;/t+f8zcVfP8AirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfQH/r&#xA;m3/b8/5m4q+f8VdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir6A/9&#xA;c2/7fn/M3FX/2Q==</xapGImg:image>
+               </rdf:li>
+            </rdf:Alt>
+         </xap:Thumbnails>
+      </rdf:Description>
+      <rdf:Description rdf:about=""
+            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
+            xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
+         <xapMM:DocumentID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:DocumentID>
+         <xapMM:InstanceID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:InstanceID>
+         <xapMM:DerivedFrom rdf:parseType="Resource">
+            <stRef:instanceID>uuid:e3e3a208-cd3c-11d9-8977-000d936c956e</stRef:instanceID>
+            <stRef:documentID>uuid:AB03F8A6CDD611D982B3C176F4FB2AEE</stRef:documentID>
+         </xapMM:DerivedFrom>
+      </rdf:Description>
+      <rdf:Description rdf:about=""
+            xmlns:dc="http://purl.org/dc/elements/1.1/">
+         <dc:title>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">portrait-head copy</rdf:li>
+            </rdf:Alt>
+         </dc:title>
+         <dc:format>application/eps</dc:format>
+      </rdf:Description>
+      <rdf:Description rdf:about=""
+            xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
+         <photoshop:ColorMode>3</photoshop:ColorMode>
+         <photoshop:History/>
+      </rdf:Description>
+   </rdf:RDF>
+</x:xmpmeta>
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                           
+<?xpacket end="w"?>

% &end XMP packet& %

[{Metadata_In_EPS} 2 dict begin /Type /Metadata def /Subtype /XML def currentdict end /PUT PDFMark5
[/Document 1 dict begin /Metadata {Metadata_In_EPS} def currentdict end /BDC PDFMark5
[/NamespacePop PDFMark5

PDFVars/TermAll get exec end end
 PDF /docinitialize get exec
+
%%EndSetup
PDFVars begin PDF begin PDFVars/InitAll get exec
172.0 54.0 296.0 409.0 rectclip
q
172.0 54.0 m
468.0 54.0 l
468.0 463.0 l
172.0 463.0 l
h
W
n
q
n
0.0 480.0 640.0 -480.0 re
W
n
q
true setSA
172.0 54.0 296.0 409.0 re
W
n
n
335.201 367.981 m
333.385 369.335 330.805 369.835 328.2 368.652 c
322.949 374.353 322.186 384.354 319.8 392.8 c
315.154 386.669 307.689 378.628 311.4 368.652 c
308.876 369.681 308.006 368.819 304.399 369.323 c
304.324 380.208 313.847 387.489 318.4 396.154 c
317.73 402.89 317.119 409.683 308.6 408.898 c
311.234 410.792 315.023 413.818 319.8 411.582 c
327.617 399.62 326.688 379.276 335.201 367.981 c
[/DeviceGray] cs 1.0 sc
eofill
n
322.6 357.249 m
318.99 354.59 309.367 354.389 304.399 355.237 c
309.273 356.61 318.049 357.799 322.6 357.249 c
eofill
n
273.598 353.896 m
275.535 354.009 276.001 352.865 274.998 351.883 c
278.4 352.2 281.25 353.047 284.098 353.896 c
283.331 350.815 273.651 348.813 270.098 349.871 c
270.095 352.333 272.549 352.441 273.598 353.896 c
eofill
n
275.698 347.188 m
271.917 344.774 266.738 343.699 262.397 341.821 c
265.361 344.664 271.338 347.885 275.698 347.188 c
eofill
n
246.296 343.163 m
248.1 342.035 245.702 339.313 244.896 338.468 c
244.126 330.771 243.94 342.296 246.296 343.163 c
eofill
n
367.402 342.492 m
382.533 343.126 391.632 332.171 399.604 323.71 c
389.667 328.053 379.82 338.291 367.402 342.492 c
eofill
n
263.797 337.126 m
256.335 330.414 249.26 323.331 240.696 317.674 c
242.625 325.219 252.857 330.614 258.897 336.455 c
261.325 335.917 261.588 337.454 263.797 337.126 c
eofill
n
242.096 334.443 m
243.162 332.5 239.825 329.038 239.996 325.723 c
238.557 328.023 240.96 332.381 242.096 334.443 c
eofill
n
349.901 292.855 m
345.818 290.507 339.01 290.771 332.4 290.843 c
335.809 294.692 344.583 293.494 349.901 292.855 c
0.0 sc
eofill
n
380.003 243.889 m
361.751 227.327 333.626 256.615 328.9 270.049 c
320.358 294.333 372.045 299.295 382.804 283.464 c
383.45 282.512 385.821 277.044 385.604 274.745 c
385.214 270.637 378.237 264.074 377.903 255.963 c
377.744 252.102 378.594 248.677 380.003 243.889 c
eofill
n
303.699 289.501 m
300.093 289.492 299.222 288.63 296.699 290.172 c
298.743 290.818 303.655 292.552 303.699 289.501 c
1.0 sc
eofill
n
405.904 243.889 m
405.44 241.427 405.159 238.79 404.504 236.511 c
400.915 236.201 401.338 239.737 397.504 239.193 c
398.963 243.326 400.66 244.252 405.904 243.889 c
0.0 sc
eofill
n
313.5 231.145 m
316.143 231.441 316.786 229.821 318.4 229.132 c
317.548 228.16 315.604 228.233 315.6 226.449 c
314.251 226.722 315.047 229.05 312.8 228.461 c
312.711 229.664 313.657 229.876 313.5 231.145 c
1.0 sc
eofill
n
234.396 223.766 m
235.994 221.496 236.419 218.103 236.496 214.375 c
235.048 216.789 233.883 219.474 234.396 223.766 c
0.0 sc
eofill
n
236.496 213.704 m
237.603 212.306 238.778 210.972 239.296 209.009 c
239.95 209.501 240.357 210.229 240.696 211.021 c
243.049 209.716 241.634 205.406 242.096 200.96 c
240.518 201.459 241.823 204.722 241.396 206.326 c
241.263 206.869 240.694 206.994 240.696 207.668 c
239.257 207.358 239.345 209.687 236.496 209.68 c
h
eofill
n
240.696 192.91 m
242.821 189.055 239.509 178.342 241.396 172.117 c
239.354 169.795 240.487 182.937 240.696 186.203 c
240.851 188.61 240.575 191.107 240.696 192.91 c
eofill
n
308.6 162.055 m
314.675 154.383 312.125 145.973 317.7 138.578 c
316.42 136.645 316.564 136.48 317.0 133.883 c
313.95 133.228 311.994 131.525 310.0 129.858 c
307.797 129.537 307.263 130.813 305.799 131.2 c
305.191 140.651 304.613 147.547 307.899 154.006 c
303.2 152.07 309.483 158.048 308.6 162.055 c
1.0 sc
eofill
n
244.896 143.273 m
244.156 129.208 241.88 108.192 242.796 92.966 c
236.285 107.105 239.955 130.17 244.896 143.273 c
eofill
n
302.299 118.455 m
306.008 120.202 310.441 116.88 315.6 117.784 c
314.137 116.504 312.257 115.621 310.0 115.102 c
310.43 115.698 310.846 116.301 310.0 116.442 c
306.528 115.744 305.256 112.939 301.599 112.418 c
301.313 110.802 302.878 110.96 302.299 109.064 c
295.729 97.919 290.589 85.405 283.398 74.855 c
276.968 92.139 288.191 102.929 294.599 113.76 c
297.204 114.617 300.502 114.811 303.0 115.772 c
302.941 116.834 303.336 118.33 302.299 118.455 c
eofill
n
261.697 113.76 m
269.896 111.554 271.323 102.86 274.998 96.319 c
272.167 96.234 266.496 98.782 261.697 99.003 c
h
eofill
n
453.507 21.864 m
451.755 21.308 450.758 20.026 448.606 19.852 c
448.186 29.957 446.449 38.803 445.807 48.695 c
446.854 49.48 448.67 49.529 449.307 50.707 c
452.953 43.245 452.55 31.903 453.507 21.864 c
eofill
n
455.606 50.036 m
458.758 41.682 459.65 32.563 459.107 23.206 c
456.895 31.84 456.211 41.077 455.606 50.036 c
eofill
n
508.109 24.547 m
511.355 28.32 510.013 38.014 502.509 37.292 c
500.598 31.98 503.062 25.393 508.109 24.547 c
510.21 23.877 m
501.324 22.965 498.933 28.274 499.009 35.95 c
505.278 45.055 517.523 31.475 510.21 23.877 c
0.0 sc
eofill
n
502.509 37.292 m
510.013 38.014 511.355 28.32 508.109 24.547 c
503.062 25.393 500.598 31.98 502.509 37.292 c
1.0 sc
eofill
n
517.91 35.95 m
514.734 31.577 517.265 22.836 523.51 23.206 c
525.542 27.478 524.332 35.844 517.91 35.95 c
524.91 22.535 m
525.076 20.682 528.859 22.295 528.41 19.852 c
524.141 16.739 520.433 25.449 517.21 21.193 c
516.797 25.973 513.585 27.31 513.71 33.938 c
519.671 43.435 532.165 29.572 524.91 22.535 c
0.0 sc
eofill
n
523.51 23.206 m
517.265 22.836 514.734 31.577 517.91 35.95 c
524.332 35.844 525.542 27.478 523.51 23.206 c
1.0 sc
eofill
n
284.798 30.584 m
287.068 31.878 288.612 30.792 291.099 30.584 c
291.099 24.547 l
288.065 25.665 287.627 29.27 284.798 30.584 c
eofill
n
433.906 12.474 m
434.501 12.597 434.566 12.212 434.605 11.803 c
434.492 11.022 434.761 10.609 435.306 10.461 c
435.139 4.936 436.164 -1.384 436.706 -7.649 c
437.207 -13.44 439.325 -20.188 436.006 -22.406 c
431.935 -20.405 432.173 -13.479 431.806 -8.32 c
431.358 -2.04 432.145 5.144 431.806 11.132 c
432.37 11.709 433.724 11.53 433.906 12.474 c
eofill
n
420.605 -25.761 m
421.2 -25.637 421.266 -26.022 421.305 -26.432 c
421.177 -27.002 421.578 -27.063 422.005 -27.102 c
422.263 -33.01 422.791 -40.389 423.405 -47.225 c
423.912 -52.866 427.445 -61.162 421.305 -63.323 c
419.491 -51.869 419.411 -38.755 417.805 -27.102 c
419.108 -27.01 420.145 -26.661 420.605 -25.761 c
eofill
n
455.606 -37.163 m
455.987 -39.606 456.104 -40.257 457.007 -43.2 c
454.473 -41.866 454.052 -35.555 449.307 -38.505 c
453.136 -43.367 461.496 -48.421 455.606 -55.274 c
452.412 -55.876 451.639 -54.157 449.307 -53.933 c
450.123 -50.738 447.19 -48.917 448.606 -47.225 c
449.906 -49.78 451.392 -52.158 453.507 -53.933 c
455.754 -54.521 454.958 -52.193 456.307 -51.92 c
454.046 -46.284 446.483 -45.169 447.906 -37.834 c
449.713 -35.324 452.823 -35.775 455.606 -37.163 c
0.0 sc
eofill
n
463.308 -47.225 m
464.538 -46.839 467.42 -48.036 467.508 -46.555 c
464.521 -46.487 465.668 -42.06 464.707 -41.859 c
464.017 -43.434 463.479 -45.154 463.308 -47.225 c
464.008 -36.493 m
469.731 -41.293 470.361 -50.975 475.208 -56.616 c
473.366 -55.921 470.912 -55.813 468.207 -55.945 c
468.848 -54.77 468.448 -52.599 469.607 -51.92 c
467.864 -49.391 465.679 -48.632 462.607 -49.908 c
461.353 -53.794 464.99 -52.991 464.707 -55.945 c
463.105 -55.244 460.484 -55.52 459.107 -54.604 c
462.148 -49.915 462.82 -42.957 464.008 -36.493 c
eofill
n
478.708 -39.847 m
481.508 -39.847 l
482.104 -41.735 483.77 -42.599 483.608 -45.213 c
482.284 -46.543 480.301 -45.538 478.708 -45.213 c
480.231 -43.992 477.185 -41.067 478.708 -39.847 c
1.0 sc
eofill
n
428.306 -42.529 m
432.835 -44.021 429.524 -46.889 431.105 -50.579 c
427.428 -48.271 430.559 -45.576 428.306 -42.529 c
eofill
n
479.408 -47.896 m
481.681 -47.507 482.665 -48.353 484.309 -48.566 c
485.405 -51.125 485.772 -52.598 484.309 -55.274 c
479.157 -55.492 479.966 -50.419 479.408 -47.896 c
eofill
n
508.109 -82.775 m
511.609 -82.775 l
511.521 -83.979 512.467 -84.19 512.31 -85.459 c
510.906 -84.757 509.056 -81.867 508.81 -85.459 c
507.859 -85.251 508.229 -83.779 508.109 -82.775 c
0.0 sc
eofill
n
494.108 -86.801 m
495.318 -88.66 492.325 -92.224 489.209 -92.167 c
491.068 -90.595 493.245 -89.326 494.108 -86.801 c
eofill
n
428.306 -87.471 m
429.944 -87.689 428.985 -90.397 430.405 -90.825 c
429.02 -92.962 427.683 -89.473 428.306 -87.471 c
1.0 sc
eofill
n
472.408 -103.569 m
471.546 -103.862 470.971 -104.428 471.008 -105.582 c
468.381 -106.087 469.481 -103.02 467.508 -102.898 c
468.134 -101.71 470.349 -102.044 469.607 -99.545 c
470.46 -100.965 472.242 -101.493 472.408 -103.569 c
eofill
n
489.908 -103.569 m
489.57 -101.457 492.058 -102.051 491.309 -99.545 c
492.63 -100.515 494.412 -101.043 494.108 -103.569 c
492.57 -105.11 491.783 -104.658 489.908 -103.569 c
eofill
n
423.405 -107.595 m
424.647 -105.805 423.915 -111.524 424.105 -112.961 c
422.863 -114.75 423.596 -109.03 423.405 -107.595 c
eofill
n
450.707 -116.985 m
451.855 -117.096 451.855 -112.851 450.707 -112.961 c
451.451 -111.438 455.107 -112.705 457.007 -112.29 c
456.223 -121.449 443.292 -119.499 440.906 -112.961 c
445.277 -113.214 449.114 -111.688 450.707 -116.985 c
eofill
n
440.906 -112.961 m
443.292 -119.499 456.223 -121.449 457.007 -112.29 c
455.107 -112.705 451.451 -111.438 450.707 -112.961 c
451.855 -112.851 451.855 -117.096 450.707 -116.985 c
449.114 -111.688 445.277 -113.214 440.906 -112.961 c
424.105 -112.961 m
423.915 -111.524 424.647 -105.805 423.405 -107.595 c
423.596 -109.03 422.863 -114.75 424.105 -112.961 c
185.394 -103.569 m
185.436 -101.911 184.688 -97.609 183.993 -98.874 c
185.312 -103.715 180.065 -102.266 179.093 -104.911 c
188.182 -106.018 190.452 -100.591 194.494 -96.862 c
192.126 -97.08 190.815 -92.836 188.894 -94.85 c
190.269 -95.992 192.393 -96.416 193.094 -98.203 c
189.207 -98.727 187.533 -101.372 185.394 -103.569 c
430.405 -90.825 m
428.985 -90.397 429.944 -87.689 428.306 -87.471 c
427.683 -89.473 429.02 -92.962 430.405 -90.825 c
540.312 -75.397 m
504.953 -77.282 466.034 -76.428 431.105 -76.739 c
432.544 -88.105 432.56 -100.835 433.906 -112.29 c
462.218 -111.651 511.072 -109.362 545.911 -110.277 c
544.442 -98.493 543.693 -86.02 541.011 -75.397 c
h
431.806 -53.933 m
430.96 -53.791 431.375 -53.188 431.806 -52.591 c
431.263 -52.441 430.425 -52.572 430.405 -51.92 c
430.833 -51.883 431.234 -51.82 431.105 -51.25 c
427.934 -50.69 430.186 -58.35 431.806 -55.274 c
430.668 -55.475 429.917 -54.368 431.105 -53.933 c
431.104 -54.305 431.673 -54.694 431.806 -53.933 c
431.105 -50.579 m
429.524 -46.889 432.835 -44.021 428.306 -42.529 c
430.559 -45.576 427.428 -48.271 431.105 -50.579 c
429.006 -41.859 m
431.135 -40.424 429.522 -34.865 428.306 -32.468 c
426.215 -35.179 429.978 -40.22 429.006 -41.859 c
433.906 -59.299 m
467.277 -61.479 504.295 -63.707 540.312 -65.336 c
542.679 -65.303 543.348 -66.897 544.512 -68.019 c
543.232 -56.276 540.656 -45.776 538.911 -34.48 c
499.032 -31.887 468.391 -29.707 431.105 -26.432 c
431.704 -38.723 432.988 -45.673 433.906 -59.299 c
417.805 -27.102 m
419.411 -38.755 419.491 -51.869 421.305 -63.323 c
427.445 -61.162 423.912 -52.866 423.405 -47.225 c
422.791 -40.389 422.263 -33.01 422.005 -27.102 c
421.578 -27.063 421.177 -27.002 421.305 -26.432 c
421.266 -26.022 421.2 -25.637 420.605 -25.761 c
420.145 -26.661 419.108 -27.01 417.805 -27.102 c
444.406 11.803 m
444.775 2.329 446.709 -9.633 447.206 -19.053 c
481.067 -21.219 507.654 -24.143 548.712 -26.432 c
548.808 -27.681 549.172 -28.673 550.111 -29.114 c
548.047 -18.796 546.644 -7.842 544.512 2.412 c
512.655 5.229 472.271 8.489 444.406 11.803 c
431.806 11.132 m
432.145 5.144 431.358 -2.04 431.806 -8.32 c
432.173 -13.479 431.935 -20.405 436.006 -22.406 c
439.325 -20.188 437.207 -13.44 436.706 -7.649 c
436.164 -1.384 435.139 4.936 435.306 10.461 c
434.761 10.609 434.492 11.022 434.605 11.803 c
434.566 12.212 434.501 12.597 433.906 12.474 c
433.724 11.53 432.37 11.709 431.806 11.132 c
291.099 24.547 m
291.099 30.584 l
288.612 30.792 287.068 31.878 284.798 30.584 c
287.627 29.27 288.065 25.665 291.099 24.547 c
548.712 14.485 m
549.565 14.41 550.369 14.285 550.111 13.145 c
550.081 12.431 550.441 11.44 550.812 12.474 c
549.29 21.523 547.661 30.473 545.911 39.305 c
517.488 43.596 487.951 46.82 458.407 50.036 c
459.174 43.407 460.608 33.383 461.207 24.547 c
489.498 20.354 520.27 18.535 548.712 14.485 c
459.107 23.206 m
459.65 32.563 458.758 41.682 455.606 50.036 c
456.211 41.077 456.895 31.84 459.107 23.206 c
449.307 50.707 m
448.67 49.529 446.854 49.48 445.807 48.695 c
446.449 38.803 448.186 29.957 448.606 19.852 c
450.758 20.026 451.755 21.308 453.507 21.864 c
452.55 31.903 452.953 43.245 449.307 50.707 c
261.697 99.003 m
266.496 98.782 272.167 96.234 274.998 96.319 c
271.323 102.86 269.896 111.554 261.697 113.76 c
h
303.0 115.772 m
300.502 114.811 297.204 114.617 294.599 113.76 c
288.191 102.929 276.968 92.139 283.398 74.855 c
290.589 85.405 295.729 97.919 302.299 109.064 c
302.878 110.96 301.313 110.802 301.599 112.418 c
305.256 112.939 306.528 115.744 310.0 116.442 c
310.846 116.301 310.43 115.698 310.0 115.102 c
312.257 115.621 314.137 116.504 315.6 117.784 c
310.441 116.88 306.008 120.202 302.299 118.455 c
303.336 118.33 302.941 116.834 303.0 115.772 c
356.202 48.695 m
356.612 47.3 357.673 46.527 358.302 45.341 c
357.542 45.181 356.621 44.236 357.602 44.0 c
357.611 45.332 359.512 44.853 359.002 46.683 c
363.245 49.29 372.338 60.687 369.503 59.428 c
369.542 59.837 369.607 60.222 370.203 60.098 c
369.969 56.951 366.326 58.617 364.603 58.757 c
365.335 56.859 363.447 54.155 364.603 54.062 c
364.809 54.657 366.496 56.998 366.702 55.402 c
364.903 55.338 365.701 52.784 363.902 52.72 c
360.545 58.223 357.465 63.991 354.102 69.489 c
354.707 62.384 360.926 58.399 356.202 48.695 c
349.201 88.941 m
362.053 98.986 383.324 100.964 380.703 125.834 c
372.736 121.118 364.62 120.807 356.202 119.126 c
353.471 118.58 351.11 116.456 347.802 116.442 c
344.115 116.428 340.976 119.504 337.301 119.797 c
332.525 120.177 327.116 118.04 322.6 117.113 c
324.914 116.107 321.146 115.474 321.9 113.76 c
328.2 113.76 l
329.125 115.438 325.433 115.859 327.501 116.442 c
330.774 115.108 333.572 113.316 335.901 111.076 c
334.361 103.381 330.914 93.947 329.601 88.271 c
331.902 89.168 330.764 88.077 331.701 90.283 c
342.099 86.468 348.807 79.973 352.702 70.16 c
353.492 75.701 346.735 79.582 347.102 86.929 c
349.868 85.295 346.583 87.678 348.502 88.271 c
349.956 87.52 349.984 87.547 349.201 88.941 c
354.102 125.163 m
365.544 127.169 378.804 131.006 382.104 138.578 c
375.081 131.892 363.15 129.907 354.102 125.163 c
242.796 92.966 m
241.88 108.192 244.156 129.208 244.896 143.273 c
239.955 130.17 236.285 107.105 242.796 92.966 c
388.403 121.139 m
393.903 127.276 393.784 139.751 391.903 144.615 c
392.907 136.637 380.407 129.962 388.403 121.139 c
307.899 154.006 m
304.613 147.547 305.191 140.651 305.799 131.2 c
307.263 130.813 307.797 129.537 310.0 129.858 c
311.994 131.525 313.95 133.228 317.0 133.883 c
316.564 136.48 316.42 136.645 317.7 138.578 c
312.125 145.973 314.675 154.383 308.6 162.055 c
309.483 158.048 303.2 152.07 307.899 154.006 c
312.8 228.461 m
315.047 229.05 314.251 226.722 315.6 226.449 c
315.604 228.233 317.548 228.16 318.4 229.132 c
316.786 229.821 316.143 231.441 313.5 231.145 c
313.657 229.876 312.711 229.664 312.8 228.461 c
300.899 216.388 m
301.256 220.518 302.618 223.684 303.0 227.791 c
295.785 231.439 304.666 240.863 310.0 234.498 c
309.641 239.792 307.21 240.92 307.2 245.901 c
302.201 243.472 295.592 238.216 297.399 229.803 c
295.535 228.251 292.96 223.265 295.999 221.083 c
296.192 222.259 294.028 224.43 295.999 225.107 c
296.472 219.969 298.21 218.106 300.899 216.388 c
289.699 245.23 m
294.173 248.55 300.955 253.22 301.599 257.976 c
299.028 252.832 291.614 248.768 289.699 245.23 c
307.899 250.597 m
308.51 252.941 310.588 257.381 308.6 259.987 c
308.989 257.6 305.037 254.656 308.6 254.621 c
307.443 254.611 308.208 252.761 307.2 252.609 c
307.202 252.981 306.632 253.37 306.5 252.609 c
307.655 252.599 306.891 250.749 307.899 250.597 c
311.4 271.391 m
312.958 273.594 313.662 279.421 311.4 281.452 c
311.106 277.181 310.998 273.175 311.4 271.391 c
326.801 283.464 m
323.645 285.683 311.96 286.438 312.8 282.123 c
315.108 285.945 324.377 282.989 326.801 283.464 c
309.3 283.464 m
309.015 286.491 301.809 289.471 301.599 288.16 c
304.835 287.235 306.922 285.211 309.3 283.464 c
296.699 290.172 m
299.222 288.63 300.093 289.492 303.699 289.501 c
303.655 292.552 298.743 290.818 296.699 290.172 c
254.697 303.587 m
252.251 303.222 249.397 299.756 250.497 298.221 c
250.653 298.742 250.516 299.544 251.197 299.563 c
251.354 299.042 251.216 298.24 251.897 298.221 c
252.015 302.573 253.02 299.924 254.697 303.587 c
387.703 314.991 m
383.931 317.518 379.809 321.193 375.803 323.04 c
337.156 340.858 272.046 333.811 246.997 307.612 c
249.687 307.003 253.665 311.43 256.797 313.649 c
292.652 339.057 370.621 337.958 396.804 304.258 c
398.016 309.765 391.957 312.142 387.703 314.991 c
239.996 325.723 m
239.825 329.038 243.162 332.5 242.096 334.443 c
240.96 332.381 238.557 328.023 239.996 325.723 c
258.897 336.455 m
252.857 330.614 242.625 325.219 240.696 317.674 c
249.26 323.331 256.335 330.414 263.797 337.126 c
261.588 337.454 261.325 335.917 258.897 336.455 c
401.004 326.394 m
399.797 327.266 396.705 332.1 394.004 333.772 c
394.158 334.295 394.59 334.552 395.404 334.443 c
395.325 336.157 394.12 336.791 393.304 337.797 c
391.721 334.498 386.21 338.901 387.703 337.797 c
391.603 334.546 399.437 325.275 401.004 326.394 c
399.604 323.71 m
391.632 332.171 382.533 343.126 367.402 342.492 c
379.82 338.291 389.667 328.053 399.604 323.71 c
244.896 338.468 m
245.702 339.313 248.1 342.035 246.296 343.163 c
243.94 342.296 244.126 330.771 244.896 338.468 c
262.397 341.821 m
266.738 343.699 271.917 344.774 275.698 347.188 c
271.338 347.885 265.361 344.664 262.397 341.821 c
401.704 327.064 m
398.708 335.149 396.251 343.751 389.804 348.529 c
394.293 340.481 397.984 334.951 401.704 327.064 c
270.098 349.871 m
273.651 348.813 283.331 350.815 284.098 353.896 c
281.25 353.047 278.4 352.2 274.998 351.883 c
276.001 352.865 275.535 354.009 273.598 353.896 c
272.549 352.441 270.095 352.333 270.098 349.871 c
257.497 351.883 m
257.699 351.692 261.628 353.248 259.597 352.554 c
259.054 352.704 258.216 352.572 258.197 353.225 c
259.129 353.896 260.31 354.33 260.997 355.237 c
258.894 355.418 256.148 352.788 257.497 351.883 c
377.203 345.846 m
378.514 346.826 381.842 345.873 382.804 347.188 c
380.734 349.4 376.373 349.005 374.403 348.529 c
375.637 347.923 376.57 347.029 377.203 345.846 c
363.902 351.212 m
366.568 350.894 368.272 351.497 368.803 353.225 c
364.142 353.23 362.604 356.229 357.602 355.908 c
359.67 352.818 355.885 354.838 354.802 353.225 c
363.754 348.833 375.564 343.608 384.203 341.151 c
378.763 347.249 370.329 346.707 363.902 351.212 c
304.399 355.237 m
309.367 354.389 318.99 354.59 322.6 357.249 c
318.049 357.799 309.273 356.61 304.399 355.237 c
386.304 344.504 m
383.562 350.378 380.271 359.289 373.703 359.261 c
377.983 354.863 382.952 347.559 386.304 344.504 c
371.603 353.225 m
367.71 354.423 364.802 365.927 356.902 363.286 c
357.662 363.125 358.583 362.182 357.602 361.944 c
356.816 361.876 356.512 362.919 356.202 361.944 c
361.791 360.525 370.078 351.941 371.603 353.225 c
308.6 363.957 m
324.934 355.586 344.37 368.122 347.102 380.726 c
342.493 366.581 323.285 358.619 308.6 363.957 c
319.8 411.582 m
315.023 413.818 311.234 410.792 308.6 408.898 c
317.119 409.683 317.73 402.89 318.4 396.154 c
313.847 387.489 304.324 380.208 304.399 369.323 c
308.006 368.819 308.876 369.681 311.4 368.652 c
307.689 378.628 315.154 386.669 319.8 392.8 c
322.186 384.354 322.949 374.353 328.2 368.652 c
330.805 369.835 333.385 369.335 335.201 367.981 c
326.688 379.276 327.617 399.62 319.8 411.582 c
327.501 269.378 m
322.6 269.378 l
321.13 260.632 316.914 254.621 317.7 247.914 c
317.857 248.435 317.719 249.236 318.4 249.255 c
318.066 246.853 317.262 245.379 318.4 243.219 c
317.698 243.216 317.567 243.762 317.0 243.889 c
318.358 241.653 316.006 236.907 318.4 239.864 c
317.352 235.7 319.959 233.483 322.6 231.145 c
321.516 230.396 321.143 228.964 319.1 229.132 c
318.209 223.359 322.566 222.616 324.7 219.741 c
325.35 221.802 329.084 220.907 330.301 222.425 c
330.279 220.442 333.542 220.153 334.501 221.083 c
332.215 224.93 331.089 229.888 326.801 231.815 c
327.437 233.218 328.866 233.86 331.001 233.827 c
331.932 230.026 339.512 222.925 335.201 222.425 c
335.819 220.78 337.299 219.963 336.601 217.059 c
334.429 216.178 334.604 217.24 331.701 217.059 c
331.73 216.135 331.371 215.585 331.001 215.046 c
332.971 217.131 340.802 213.493 343.602 214.375 c
343.538 212.545 344.768 213.025 343.602 211.692 c
347.513 211.298 348.997 213.229 352.702 213.033 c
349.92 217.076 346.073 220.098 343.602 224.437 c
347.06 224.808 342.873 224.781 342.901 225.778 c
343.019 226.56 344.008 226.507 345.001 226.449 c
344.618 227.424 345.819 229.916 344.302 229.803 c
344.233 229.305 341.568 229.305 341.501 229.803 c
340.95 232.791 341.979 234.264 342.901 235.84 c
333.62 243.046 329.249 254.955 327.501 269.378 c
71.988 63.452 m
75.19 64.854 77.814 66.813 77.588 71.501 c
88.843 73.461 89.955 85.141 94.389 93.637 c
99.289 93.637 l
100.435 99.065 114.086 95.906 120.29 96.99 c
121.11 97.099 120.881 98.214 120.99 99.003 c
133.707 99.115 139.85 105.526 153.192 105.04 c
157.742 108.581 167.309 110.369 172.793 109.064 c
179.777 116.142 188.263 114.573 199.394 116.442 c
192.942 118.949 210.24 121.288 213.395 121.139 c
216.919 125.811 223.365 127.683 223.195 135.896 c
230.365 138.863 231.902 147.229 239.996 149.311 c
240.101 154.104 239.949 155.726 240.696 162.055 c
241.628 160.029 241.277 150.994 245.597 149.981 c
248.687 150.53 251.995 149.833 253.997 152.664 c
264.717 146.168 276.445 140.635 286.898 133.883 c
288.442 140.015 285.188 144.035 284.098 148.64 c
282.085 150.052 279.969 149.369 278.498 149.981 c
279.1 150.522 278.914 151.818 279.898 151.993 c
272.857 157.003 270.389 157.391 268.698 168.763 c
267.877 168.654 268.107 167.54 267.998 166.751 c
265.892 170.24 265.636 174.191 268.698 176.813 c
268.122 178.859 266.729 178.421 267.998 180.837 c
266.171 177.745 266.76 176.318 265.197 172.787 c
261.265 181.377 263.206 199.305 265.197 209.68 c
263.715 209.127 263.383 210.187 263.097 213.033 c
261.504 212.548 262.889 209.209 260.297 209.68 c
259.078 213.482 257.669 213.832 257.497 217.729 c
255.328 214.287 258.865 210.56 260.297 208.338 c
257.133 200.089 256.719 199.613 256.097 190.898 c
255.147 199.59 250.905 209.717 254.697 217.059 c
255.517 216.95 255.287 215.835 255.397 215.046 c
258.126 215.63 254.389 217.795 254.697 219.07 c
254.829 219.615 256.784 220.126 256.797 220.412 c
256.835 221.227 254.701 221.836 254.697 221.754 c
254.748 222.902 256.515 221.827 256.797 222.425 c
256.554 221.91 256.152 226.146 256.097 226.449 c
255.404 230.285 252.718 236.249 250.497 238.522 c
250.917 241.572 250.755 243.198 251.897 246.572 c
248.035 241.922 253.948 250.153 251.197 249.926 c
255.398 249.473 256.996 240.732 263.097 239.864 c
256.299 243.683 249.691 257.859 251.197 266.024 c
250.545 264.189 247.705 264.451 246.296 263.342 c
250.755 267.016 254.723 278.546 251.897 286.147 c
251.906 287.724 253.807 285.902 253.297 284.806 c
254.627 289.65 257.457 293.415 258.897 294.868 c
256.895 296.548 252.736 295.404 249.797 293.526 c
248.231 293.815 249.513 296.832 249.097 298.221 c
246.199 290.817 239.14 287.001 240.696 274.074 c
239.241 274.449 239.213 275.12 239.996 276.086 c
236.154 274.206 242.033 272.992 242.796 271.391 c
242.378 264.876 244.448 262.773 241.396 259.316 c
242.404 259.692 243.104 260.363 243.496 261.329 c
243.853 257.172 244.297 249.94 243.496 243.889 c
242.033 243.605 241.643 244.349 240.696 244.56 c
241.746 239.452 244.62 233.072 239.996 229.803 c
237.942 230.88 236.193 235.81 238.596 237.182 c
238.39 238.776 236.702 236.436 236.496 235.84 c
230.089 238.514 234.56 249.341 235.796 251.938 c
237.492 253.625 237.353 250.587 237.896 249.255 c
240.165 252.384 233.58 275.508 228.795 266.024 c
226.797 262.063 228.462 252.25 228.795 246.572 c
225.05 256.536 225.567 272.131 237.896 272.732 c
239.774 279.764 233.73 282.106 229.496 284.806 c
225.178 287.558 222.336 294.917 217.595 294.868 c
212.686 305.367 206.74 314.875 200.794 324.381 c
201.981 336.655 198.296 346.384 200.794 355.908 c
202.785 363.495 210.137 368.878 210.595 376.702 c
218.609 388.922 226.706 401.063 232.296 415.606 c
237.006 418.248 237.862 424.583 240.696 429.021 c
250.083 432.101 253.288 441.104 262.397 444.449 c
262.397 447.803 l
271.344 449.292 272.312 458.426 282.698 458.535 c
284.896 458.218 284.548 460.341 286.198 460.548 c
294.623 460.524 303.629 459.944 308.6 463.231 c
329.235 463.775 345.591 460.218 363.902 458.535 c
366.289 454.114 372.183 453.054 374.403 448.474 c
375.215 447.911 376.279 447.589 377.903 447.803 c
385.117 439.511 394.755 433.542 403.104 426.338 c
407.774 415.807 419.248 401.453 427.605 390.117 c
427.787 386.937 428.332 384.106 430.405 382.738 c
430.405 378.714 l
439.521 362.954 445.832 329.106 432.506 312.308 c
432.536 310.592 431.985 311.49 431.105 311.637 c
428.293 302.144 423.28 298.4 419.205 290.843 c
412.571 290.715 412.852 283.963 406.604 283.464 c
404.175 281.321 405.457 275.62 401.704 274.745 c
402.15 271.818 405.29 271.473 407.305 270.049 c
410.933 266.431 409.264 266.431 406.604 270.049 c
404.266 270.491 403.181 272.135 401.004 272.732 c
401.51 274.782 400.288 275.177 400.304 276.757 c
399.483 276.648 399.714 275.534 399.604 274.745 c
395.828 304.747 365.267 315.206 334.501 314.991 c
335.927 313.099 332.96 314.154 334.501 311.637 c
333.007 311.323 333.168 312.595 333.101 313.649 c
328.189 307.244 321.906 296.282 320.5 290.843 c
312.896 297.83 319.043 312.756 308.6 317.674 c
303.84 316.645 305.106 309.842 301.599 307.612 c
306.119 300.45 306.033 293.025 317.0 292.185 c
314.397 290.206 308.9 291.001 304.399 290.843 c
306.656 287.192 317.93 292.181 318.4 286.818 c
320.311 287.424 316.271 288.319 318.4 289.501 c
338.001 289.501 l
333.701 287.361 330.055 284.595 326.801 281.452 c
325.453 261.088 348.013 241.605 364.603 237.182 c
363.159 236.328 360.984 236.177 359.702 235.169 c
362.563 239.252 356.666 234.34 354.102 236.511 c
354.34 235.164 353.959 234.412 352.702 234.498 c
354.491 228.909 361.311 221.284 358.302 214.375 c
373.915 214.578 387.628 212.962 400.304 210.351 c
404.061 213.459 401.965 222.175 405.904 225.107 c
403.462 218.644 404.88 214.72 402.404 209.68 c
403.049 208.508 404.593 208.199 406.604 208.338 c
409.308 214.603 414.059 221.266 412.904 229.132 c
414.857 229.72 416.362 230.738 418.505 231.145 c
419.699 228.776 421.743 225.721 419.905 222.425 c
424.084 214.456 428.896 207.888 428.306 196.936 c
423.385 184.104 409.015 184.798 397.504 186.874 c
398.991 181.145 397.844 172.889 398.204 166.08 c
396.625 168.601 397.931 179.674 397.504 185.532 c
390.178 184.465 378.929 184.465 371.603 185.532 c
369.684 185.519 369.94 182.368 370.902 181.508 c
370.03 180.072 369.17 184.266 368.803 185.532 c
353.525 187.353 341.924 191.047 334.501 186.203 c
334.352 182.466 339.798 180.567 340.102 179.495 c
341.099 177.271 332.095 181.212 333.101 185.532 c
330.057 186.455 323.282 186.907 321.2 184.861 c
320.938 182.03 325.963 181.521 324.7 178.153 c
327.806 182.509 327.499 172.85 329.601 175.471 c
332.455 174.976 331.188 168.955 333.801 169.434 c
335.99 168.349 331.019 168.6 332.4 166.08 c
332.41 164.504 334.311 166.325 333.801 167.421 c
332.895 161.781 331.273 157.57 331.001 148.64 c
330.24 148.806 330.525 149.974 329.601 149.981 c
331.038 148.042 325.5 143.503 328.2 140.591 c
325.265 139.363 323.438 135.075 324.7 131.87 c
327.669 132.229 339.268 130.912 339.401 131.2 c
352.32 130.529 375.411 142.27 382.804 145.286 c
384.537 144.224 383.089 140.593 382.804 139.249 c
384.727 140.536 386.058 142.391 385.604 145.957 c
389.419 148.561 395.013 149.462 396.804 154.006 c
398.832 155.117 395.44 152.419 396.104 150.652 c
398.395 149.046 400.019 146.802 404.504 147.298 c
406.847 142.388 409.719 137.984 415.005 135.896 c
414.936 128.227 421.337 126.758 423.405 121.139 c
429.476 122.459 436.398 121.338 440.206 117.113 c
441.187 117.351 440.267 118.295 439.506 118.455 c
440.644 120.145 441.778 116.214 442.307 115.102 c
451.886 114.25 465.622 115.221 466.107 107.723 c
472.891 108.617 480.403 110.39 483.608 105.04 c
482.305 104.398 481.269 107.049 480.809 105.04 c
486.318 101.815 501.291 106.936 501.109 99.674 c
510.051 100.993 517.076 100.198 522.811 95.648 c
539.221 99.815 547.974 87.258 551.512 74.855 c
558.645 69.169 568.117 65.724 576.013 60.769 c
576.013 -184.063 l
71.988 -184.063 l
h
0.0 sc
eofill
n
240.696 186.203 m
240.487 182.937 239.354 169.795 241.396 172.117 c
239.509 178.342 242.821 189.055 240.696 192.91 c
240.575 191.107 240.851 188.61 240.696 186.203 c
236.496 209.68 m
239.345 209.687 239.257 207.358 240.696 207.668 c
240.694 206.994 241.263 206.869 241.396 206.326 c
241.823 204.722 240.518 201.459 242.096 200.96 c
241.634 205.406 243.049 209.716 240.696 211.021 c
240.357 210.229 239.95 209.501 239.296 209.009 c
238.778 210.972 237.603 212.306 236.496 213.704 c
h
236.496 214.375 m
236.419 218.103 235.994 221.496 234.396 223.766 c
233.883 219.474 235.048 216.789 236.496 214.375 c
232.996 228.461 m
231.852 230.294 231.038 235.945 230.196 235.84 c
230.663 232.934 230.372 229.301 232.996 228.461 c
397.504 239.193 m
401.338 239.737 400.915 236.201 404.504 236.511 c
405.159 238.79 405.44 241.427 405.904 243.889 c
400.66 244.252 398.963 243.326 397.504 239.193 c
332.4 290.843 m
339.01 290.771 345.818 290.507 349.901 292.855 c
344.583 293.494 335.809 294.692 332.4 290.843 c
382.104 286.818 m
379.886 300.126 346.105 307.075 335.901 294.197 c
354.41 298.166 372.812 294.284 382.104 286.818 c
377.903 255.963 m
378.237 264.074 385.214 270.637 385.604 274.745 c
385.821 277.044 383.45 282.512 382.804 283.464 c
372.045 299.295 320.358 294.333 328.9 270.049 c
333.626 256.615 361.751 227.327 380.003 243.889 c
378.594 248.677 377.744 252.102 377.903 255.963 c
576.013 60.769 m
568.117 65.724 558.645 69.169 551.512 74.855 c
547.974 87.258 539.221 99.815 522.811 95.648 c
517.076 100.198 510.051 100.993 501.109 99.674 c
501.291 106.936 486.318 101.815 480.809 105.04 c
481.269 107.049 482.305 104.398 483.608 105.04 c
480.403 110.39 472.891 108.617 466.107 107.723 c
465.622 115.221 451.886 114.25 442.307 115.102 c
441.778 116.214 440.644 120.145 439.506 118.455 c
440.267 118.295 441.187 117.351 440.206 117.113 c
436.398 121.338 429.476 122.459 423.405 121.139 c
421.337 126.758 414.936 128.227 415.005 135.896 c
409.719 137.984 406.847 142.388 404.504 147.298 c
400.019 146.802 398.395 149.046 396.104 150.652 c
395.44 152.419 398.832 155.117 396.804 154.006 c
395.013 149.462 389.419 148.561 385.604 145.957 c
386.058 142.391 384.727 140.536 382.804 139.249 c
383.089 140.593 384.537 144.224 382.804 145.286 c
375.411 142.27 352.32 130.529 339.401 131.2 c
339.268 130.912 327.669 132.229 324.7 131.87 c
323.438 135.075 325.265 139.363 328.2 140.591 c
325.5 143.503 331.038 148.042 329.601 149.981 c
330.525 149.974 330.24 148.806 331.001 148.64 c
331.273 157.57 332.895 161.781 333.801 167.421 c
334.311 166.325 332.41 164.504 332.4 166.08 c
331.019 168.6 335.99 168.349 333.801 169.434 c
331.188 168.955 332.455 174.976 329.601 175.471 c
327.499 172.85 327.806 182.509 324.7 178.153 c
325.963 181.521 320.938 182.03 321.2 184.861 c
323.282 186.907 330.057 186.455 333.101 185.532 c
332.095 181.212 341.099 177.271 340.102 179.495 c
339.798 180.567 334.352 182.466 334.501 186.203 c
341.924 191.047 353.525 187.353 368.803 185.532 c
369.17 184.266 370.03 180.072 370.902 181.508 c
369.94 182.368 369.684 185.519 371.603 185.532 c
378.929 184.465 390.178 184.465 397.504 185.532 c
397.931 179.674 396.625 168.601 398.204 166.08 c
397.844 172.889 398.991 181.145 397.504 186.874 c
409.015 184.798 423.385 184.104 428.306 196.936 c
428.896 207.888 424.084 214.456 419.905 222.425 c
421.743 225.721 419.699 228.776 418.505 231.145 c
416.362 230.738 414.857 229.72 412.904 229.132 c
414.059 221.266 409.308 214.603 406.604 208.338 c
404.593 208.199 403.049 208.508 402.404 209.68 c
404.88 214.72 403.462 218.644 405.904 225.107 c
401.965 222.175 404.061 213.459 400.304 210.351 c
387.628 212.962 373.915 214.578 358.302 214.375 c
361.311 221.284 354.491 228.909 352.702 234.498 c
353.959 234.412 354.34 235.164 354.102 236.511 c
356.666 234.34 362.563 239.252 359.702 235.169 c
360.984 236.177 363.159 236.328 364.603 237.182 c
348.013 241.605 325.453 261.088 326.801 281.452 c
330.055 284.595 333.701 287.361 338.001 289.501 c
318.4 289.501 l
316.271 288.319 320.311 287.424 318.4 286.818 c
317.93 292.181 306.656 287.192 304.399 290.843 c
308.9 291.001 314.397 290.206 317.0 292.185 c
306.033 293.025 306.119 300.45 301.599 307.612 c
305.106 309.842 303.84 316.645 308.6 317.674 c
319.043 312.756 312.896 297.83 320.5 290.843 c
321.906 296.282 328.189 307.244 333.101 313.649 c
333.168 312.595 333.007 311.323 334.501 311.637 c
332.96 314.154 335.927 313.099 334.501 314.991 c
365.267 315.206 395.828 304.747 399.604 274.745 c
399.714 275.534 399.483 276.648 400.304 276.757 c
400.288 275.177 401.51 274.782 401.004 272.732 c
403.181 272.135 404.266 270.491 406.604 270.049 c
409.264 266.431 410.933 266.431 407.305 270.049 c
405.29 271.473 402.15 271.818 401.704 274.745 c
405.457 275.62 404.175 281.321 406.604 283.464 c
412.852 283.963 412.571 290.715 419.205 290.843 c
423.28 298.4 428.293 302.144 431.105 311.637 c
431.985 311.49 432.536 310.592 432.506 312.308 c
445.832 329.106 439.521 362.954 430.405 378.714 c
430.405 382.738 l
428.332 384.106 427.787 386.937 427.605 390.117 c
419.248 401.453 407.774 415.807 403.104 426.338 c
394.755 433.542 385.117 439.511 377.903 447.803 c
376.279 447.589 375.215 447.911 374.403 448.474 c
372.183 453.054 366.289 454.114 363.902 458.535 c
345.591 460.218 329.235 463.775 308.6 463.231 c
303.629 459.944 294.623 460.524 286.198 460.548 c
284.548 460.341 284.896 458.218 282.698 458.535 c
272.312 458.426 271.344 449.292 262.397 447.803 c
262.397 444.449 l
253.288 441.104 250.083 432.101 240.696 429.021 c
237.862 424.583 237.006 418.248 232.296 415.606 c
226.706 401.063 218.609 388.922 210.595 376.702 c
210.137 368.878 202.785 363.495 200.794 355.908 c
198.296 346.384 201.981 336.655 200.794 324.381 c
206.74 314.875 212.686 305.367 217.595 294.868 c
222.336 294.917 225.178 287.558 229.496 284.806 c
233.73 282.106 239.774 279.764 237.896 272.732 c
225.567 272.131 225.05 256.536 228.795 246.572 c
228.462 252.25 226.797 262.063 228.795 266.024 c
233.58 275.508 240.165 252.384 237.896 249.255 c
237.353 250.587 237.492 253.625 235.796 251.938 c
234.56 249.341 230.089 238.514 236.496 235.84 c
236.702 236.436 238.39 238.776 238.596 237.182 c
236.193 235.81 237.942 230.88 239.996 229.803 c
244.62 233.072 241.746 239.452 240.696 244.56 c
241.643 244.349 242.033 243.605 243.496 243.889 c
244.297 249.94 243.853 257.172 243.496 261.329 c
243.104 260.363 242.404 259.692 241.396 259.316 c
244.448 262.773 242.378 264.876 242.796 271.391 c
242.033 272.992 236.154 274.206 239.996 276.086 c
239.213 275.12 239.241 274.449 240.696 274.074 c
239.14 287.001 246.199 290.817 249.097 298.221 c
249.513 296.832 248.231 293.815 249.797 293.526 c
252.736 295.404 256.895 296.548 258.897 294.868 c
257.457 293.415 254.627 289.65 253.297 284.806 c
253.807 285.902 251.906 287.724 251.897 286.147 c
254.723 278.546 250.755 267.016 246.296 263.342 c
247.705 264.451 250.545 264.189 251.197 266.024 c
249.691 257.859 256.299 243.683 263.097 239.864 c
256.996 240.732 255.398 249.473 251.197 249.926 c
253.948 250.153 248.035 241.922 251.897 246.572 c
250.755 243.198 250.917 241.572 250.497 238.522 c
252.718 236.249 255.404 230.285 256.097 226.449 c
256.152 226.146 256.554 221.91 256.797 222.425 c
256.515 221.827 254.748 222.902 254.697 221.754 c
254.701 221.836 256.835 221.227 256.797 220.412 c
256.784 220.126 254.829 219.615 254.697 219.07 c
254.389 217.795 258.126 215.63 255.397 215.046 c
255.287 215.835 255.517 216.95 254.697 217.059 c
250.905 209.717 255.147 199.59 256.097 190.898 c
256.719 199.613 257.133 200.089 260.297 208.338 c
258.865 210.56 255.328 214.287 257.497 217.729 c
257.669 213.832 259.078 213.482 260.297 209.68 c
262.889 209.209 261.504 212.548 263.097 213.033 c
263.383 210.187 263.715 209.127 265.197 209.68 c
263.206 199.305 261.265 181.377 265.197 172.787 c
266.76 176.318 266.171 177.745 267.998 180.837 c
266.729 178.421 268.122 178.859 268.698 176.813 c
265.636 174.191 265.892 170.24 267.998 166.751 c
268.107 167.54 267.877 168.654 268.698 168.763 c
270.389 157.391 272.857 157.003 279.898 151.993 c
278.914 151.818 279.1 150.522 278.498 149.981 c
279.969 149.369 282.085 150.052 284.098 148.64 c
285.188 144.035 288.442 140.015 286.898 133.883 c
276.445 140.635 264.717 146.168 253.997 152.664 c
251.995 149.833 248.687 150.53 245.597 149.981 c
241.277 150.994 241.628 160.029 240.696 162.055 c
239.949 155.726 240.101 154.104 239.996 149.311 c
231.902 147.229 230.365 138.863 223.195 135.896 c
223.365 127.683 216.919 125.811 213.395 121.139 c
210.24 121.288 192.942 118.949 199.394 116.442 c
188.263 114.573 179.777 116.142 172.793 109.064 c
167.309 110.369 157.742 108.581 153.192 105.04 c
139.85 105.526 133.707 99.115 120.99 99.003 c
120.881 98.214 121.11 97.099 120.29 96.99 c
114.086 95.906 100.435 99.065 99.289 93.637 c
94.389 93.637 l
89.955 85.141 88.843 73.461 77.588 71.501 c
77.814 66.813 75.19 64.854 71.988 63.452 c
71.988 480.0 l
576.013 480.0 l
h
1.0 sc
eofill
n
342.901 235.84 m
341.979 234.264 340.95 232.791 341.501 229.803 c
341.568 229.305 344.233 229.305 344.302 229.803 c
345.819 229.916 344.618 227.424 345.001 226.449 c
344.008 226.507 343.019 226.56 342.901 225.778 c
342.873 224.781 347.06 224.808 343.602 224.437 c
346.073 220.098 349.92 217.076 352.702 213.033 c
348.997 213.229 347.513 211.298 343.602 211.692 c
344.768 213.025 343.538 212.545 343.602 214.375 c
340.802 213.493 332.971 217.131 331.001 215.046 c
331.371 215.585 331.73 216.135 331.701 217.059 c
334.604 217.24 334.429 216.178 336.601 217.059 c
337.299 219.963 335.819 220.78 335.201 222.425 c
339.512 222.925 331.932 230.026 331.001 233.827 c
328.866 233.86 327.437 233.218 326.801 231.815 c
331.089 229.888 332.215 224.93 334.501 221.083 c
333.542 220.153 330.279 220.442 330.301 222.425 c
329.084 220.907 325.35 221.802 324.7 219.741 c
322.566 222.616 318.209 223.359 319.1 229.132 c
321.143 228.964 321.516 230.396 322.6 231.145 c
319.959 233.483 317.352 235.7 318.4 239.864 c
316.006 236.907 318.358 241.653 317.0 243.889 c
317.567 243.762 317.698 243.216 318.4 243.219 c
317.262 245.379 318.066 246.853 318.4 249.255 c
317.719 249.236 317.857 248.435 317.7 247.914 c
316.914 254.621 321.13 260.632 322.6 269.378 c
327.501 269.378 l
329.249 254.955 333.62 243.046 342.901 235.84 c
eofill
n
347.102 380.726 m
344.37 368.122 324.934 355.586 308.6 363.957 c
323.285 358.619 342.493 366.581 347.102 380.726 c
eofill
n
356.202 361.944 m
356.512 362.919 356.816 361.876 357.602 361.944 c
358.583 362.182 357.662 363.125 356.902 363.286 c
364.802 365.927 367.71 354.423 371.603 353.225 c
370.078 351.941 361.791 360.525 356.202 361.944 c
eofill
n
373.703 359.261 m
380.271 359.289 383.562 350.378 386.304 344.504 c
382.952 347.559 377.983 354.863 373.703 359.261 c
eofill
n
384.203 341.151 m
375.564 343.608 363.754 348.833 354.802 353.225 c
355.885 354.838 359.67 352.818 357.602 355.908 c
362.604 356.229 364.142 353.23 368.803 353.225 c
368.272 351.497 366.568 350.894 363.902 351.212 c
370.329 346.707 378.763 347.249 384.203 341.151 c
eofill
n
374.403 348.529 m
376.373 349.005 380.734 349.4 382.804 347.188 c
381.842 345.873 378.514 346.826 377.203 345.846 c
376.57 347.029 375.637 347.923 374.403 348.529 c
eofill
n
260.997 355.237 m
260.31 354.33 259.129 353.896 258.197 353.225 c
258.216 352.572 259.054 352.704 259.597 352.554 c
261.628 353.248 257.699 351.692 257.497 351.883 c
256.148 352.788 258.894 355.418 260.997 355.237 c
eofill
n
389.804 348.529 m
396.251 343.751 398.708 335.149 401.704 327.064 c
397.984 334.951 394.293 340.481 389.804 348.529 c
eofill
n
387.703 337.797 m
386.21 338.901 391.721 334.498 393.304 337.797 c
394.12 336.791 395.325 336.157 395.404 334.443 c
394.59 334.552 394.158 334.295 394.004 333.772 c
396.705 332.1 399.797 327.266 401.004 326.394 c
399.437 325.275 391.603 334.546 387.703 337.797 c
eofill
n
396.804 304.258 m
370.621 337.958 292.652 339.057 256.797 313.649 c
253.665 311.43 249.687 307.003 246.997 307.612 c
272.046 333.811 337.156 340.858 375.803 323.04 c
379.809 321.193 383.931 317.518 387.703 314.991 c
391.957 312.142 398.016 309.765 396.804 304.258 c
eofill
n
251.897 298.221 m
251.216 298.24 251.354 299.042 251.197 299.563 c
250.516 299.544 250.653 298.742 250.497 298.221 c
249.397 299.756 252.251 303.222 254.697 303.587 c
253.02 299.924 252.015 302.573 251.897 298.221 c
eofill
n
335.901 294.197 m
346.105 307.075 379.886 300.126 382.104 286.818 c
372.812 294.284 354.41 298.166 335.901 294.197 c
0.0 sc
eofill
n
301.599 288.16 m
301.809 289.471 309.015 286.491 309.3 283.464 c
306.922 285.211 304.835 287.235 301.599 288.16 c
1.0 sc
eofill
n
312.8 282.123 m
311.96 286.438 323.645 285.683 326.801 283.464 c
324.377 282.989 315.108 285.945 312.8 282.123 c
eofill
n
311.4 281.452 m
313.662 279.421 312.958 273.594 311.4 271.391 c
310.998 273.175 311.106 277.181 311.4 281.452 c
eofill
n
306.5 252.609 m
306.632 253.37 307.202 252.981 307.2 252.609 c
308.208 252.761 307.443 254.611 308.6 254.621 c
305.037 254.656 308.989 257.6 308.6 259.987 c
310.588 257.381 308.51 252.941 307.899 250.597 c
306.891 250.749 307.655 252.599 306.5 252.609 c
eofill
n
301.599 257.976 m
300.955 253.22 294.173 248.55 289.699 245.23 c
291.614 248.768 299.028 252.832 301.599 257.976 c
eofill
n
295.999 225.107 m
294.028 224.43 296.192 222.259 295.999 221.083 c
292.96 223.265 295.535 228.251 297.399 229.803 c
295.592 238.216 302.201 243.472 307.2 245.901 c
307.21 240.92 309.641 239.792 310.0 234.498 c
304.666 240.863 295.785 231.439 303.0 227.791 c
302.618 223.684 301.256 220.518 300.899 216.388 c
298.21 218.106 296.472 219.969 295.999 225.107 c
eofill
n
230.196 235.84 m
231.038 235.945 231.852 230.294 232.996 228.461 c
230.372 229.301 230.663 232.934 230.196 235.84 c
0.0 sc
eofill
n
391.903 144.615 m
393.784 139.751 393.903 127.276 388.403 121.139 c
380.407 129.962 392.907 136.637 391.903 144.615 c
1.0 sc
eofill
n
382.104 138.578 m
378.804 131.006 365.544 127.169 354.102 125.163 c
363.15 129.907 375.081 131.892 382.104 138.578 c
eofill
n
348.502 88.271 m
346.583 87.678 349.868 85.295 347.102 86.929 c
346.735 79.582 353.492 75.701 352.702 70.16 c
348.807 79.973 342.099 86.468 331.701 90.283 c
330.764 88.077 331.902 89.168 329.601 88.271 c
330.914 93.947 334.361 103.381 335.901 111.076 c
333.572 113.316 330.774 115.108 327.501 116.442 c
325.433 115.859 329.125 115.438 328.2 113.76 c
321.9 113.76 l
321.146 115.474 324.914 116.107 322.6 117.113 c
327.116 118.04 332.525 120.177 337.301 119.797 c
340.976 119.504 344.115 116.428 347.802 116.442 c
351.11 116.456 353.471 118.58 356.202 119.126 c
364.62 120.807 372.736 121.118 380.703 125.834 c
383.324 100.964 362.053 98.986 349.201 88.941 c
349.984 87.547 349.956 87.52 348.502 88.271 c
eofill
n
354.102 69.489 m
357.465 63.991 360.545 58.223 363.902 52.72 c
365.701 52.784 364.903 55.338 366.702 55.402 c
366.496 56.998 364.809 54.657 364.603 54.062 c
363.447 54.155 365.335 56.859 364.603 58.757 c
366.326 58.617 369.969 56.951 370.203 60.098 c
369.607 60.222 369.542 59.837 369.503 59.428 c
372.338 60.687 363.245 49.29 359.002 46.683 c
359.512 44.853 357.611 45.332 357.602 44.0 c
356.621 44.236 357.542 45.181 358.302 45.341 c
357.673 46.527 356.612 47.3 356.202 48.695 c
360.926 58.399 354.707 62.384 354.102 69.489 c
eofill
n
513.71 33.938 m
513.585 27.31 516.797 25.973 517.21 21.193 c
520.433 25.449 524.141 16.739 528.41 19.852 c
528.859 22.295 525.076 20.682 524.91 22.535 c
532.165 29.572 519.671 43.435 513.71 33.938 c
499.009 35.95 m
498.933 28.274 501.324 22.965 510.21 23.877 c
517.523 31.475 505.278 45.055 499.009 35.95 c
483.608 43.329 m
473.862 36.4 489.757 11.258 498.309 27.23 c
495.953 26.805 496.118 23.964 492.709 24.547 c
484.476 24.824 479.798 42.453 489.209 42.658 c
494.111 42.765 494.484 35.844 497.609 35.279 c
496.105 36.745 497.28 40.778 495.509 41.987 c
492.297 42.364 487.997 46.449 483.608 43.329 c
461.207 24.547 m
460.608 33.383 459.174 43.407 458.407 50.036 c
487.951 46.82 517.488 43.596 545.911 39.305 c
547.661 30.473 549.29 21.523 550.812 12.474 c
550.441 11.44 550.081 12.431 550.111 13.145 c
550.369 14.285 549.565 14.41 548.712 14.485 c
520.27 18.535 489.498 20.354 461.207 24.547 c
eofill
n
513.71 -12.345 m
514.29 -14.766 522.841 -25.274 526.311 -16.369 c
526.042 -17.059 525.966 -15.34 526.311 -14.357 c
525.778 -15.878 530.232 -11.084 526.311 -9.662 c
528.308 -0.039 507.711 0.298 513.01 -10.333 c
512.75 -11.035 513.188 -10.168 513.71 -12.345 c
508.109 -14.357 m
508.067 -14.385 505.99 -12.608 508.109 -15.699 c
506.466 -15.913 505.481 -16.759 503.209 -16.369 c
501.104 -13.021 499.115 -9.56 499.709 -3.625 c
503.16 0.303 509.199 -5.246 508.109 -7.649 c
511.438 -7.439 507.689 -4.61 508.81 -2.283 c
495.225 4.92 494.452 -11.113 498.309 -11.004 c
495.951 -17.397 505.944 -20.3 510.909 -16.369 c
510.954 -14.092 510.089 -12.685 508.81 -11.674 c
510.044 -10.411 510.978 -12.592 511.609 -10.333 c
510.106 -9.09 506.481 -9.88 503.909 -9.662 c
505.396 -13.008 509.979 -13.119 508.109 -14.357 c
465.407 -3.625 m
466.97 -3.917 467.903 -4.811 468.207 -6.308 c
465.706 -4.497 467.644 -10.472 468.907 -12.345 c
466.355 -10.606 468.975 -13.419 468.207 -15.699 c
467.092 -15.825 464.534 -17.888 466.107 -18.382 c
470.16 -19.059 482.469 -22.261 483.608 -14.357 c
482.847 -17.136 491.803 -17.475 494.809 -16.369 c
493.89 -15.987 497.907 -12.704 494.809 -11.674 c
494.77 -14.549 489.864 -15.989 488.509 -13.687 c
488.235 -10.549 488.082 -11.458 487.809 -8.32 c
491.104 -7.623 491.329 -9.866 492.709 -11.004 c
492.587 -7.262 492.76 -3.865 490.608 -4.296 c
492.839 -5.624 489.197 -6.904 487.108 -6.308 c
487.525 -4.918 486.243 -1.901 487.809 -1.612 c
490.67 -3.498 488.209 -2.143 490.608 -1.612 c
492.255 -1.824 491.024 -4.792 493.409 -4.296 c
493.971 -1.969 492.366 -1.718 492.709 0.399 c
488.191 -0.451 481.102 3.483 480.108 -0.271 c
483.077 -0.355 483.722 -3.065 485.009 -2.954 c
483.574 -3.797 484.608 -5.908 483.608 -8.32 c
484.432 -8.426 485.596 -8.205 485.708 -8.991 c
482.286 -9.183 485.566 -11.446 486.408 -11.674 c
483.868 -11.028 485.82 -14.688 483.608 -14.357 c
483.46 -13.547 482.831 -13.945 482.208 -14.357 c
482.296 -12.679 483.544 -12.258 481.508 -11.674 c
481.235 -12.402 480.668 -13.285 481.508 -12.345 c
481.661 -14.077 478.034 -17.945 473.107 -17.04 c
470.458 -10.191 471.482 -1.868 469.607 4.424 c
470.708 4.488 472.035 4.334 471.708 5.766 c
471.514 6.73 460.44 8.643 461.907 5.766 c
462.18 6.795 462.747 5.864 461.907 5.095 c
466.096 5.308 466.209 1.615 467.508 -0.942 c
466.482 -0.953 465.289 1.887 465.407 -0.942 c
468.336 -0.688 466.172 -3.38 465.407 -3.625 c
544.512 2.412 m
546.644 -7.842 548.047 -18.796 550.111 -29.114 c
549.172 -28.673 548.808 -27.681 548.712 -26.432 c
507.654 -24.143 481.067 -21.219 447.206 -19.053 c
446.709 -9.633 444.775 2.329 444.406 11.803 c
472.271 8.489 512.655 5.229 544.512 2.412 c
eofill
n
465.407 -0.942 m
465.289 1.887 466.482 -0.953 467.508 -0.942 c
466.209 1.615 466.096 5.308 461.907 5.095 c
462.747 5.864 462.18 6.795 461.907 5.766 c
460.44 8.643 471.514 6.73 471.708 5.766 c
472.035 4.334 470.708 4.488 469.607 4.424 c
471.482 -1.868 470.458 -10.191 473.107 -17.04 c
478.034 -17.945 481.661 -14.077 481.508 -12.345 c
480.668 -13.285 481.235 -12.402 481.508 -11.674 c
483.544 -12.258 482.296 -12.679 482.208 -14.357 c
482.831 -13.945 483.46 -13.547 483.608 -14.357 c
485.82 -14.688 483.868 -11.028 486.408 -11.674 c
485.566 -11.446 482.286 -9.183 485.708 -8.991 c
485.596 -8.205 484.432 -8.426 483.608 -8.32 c
484.608 -5.908 483.574 -3.797 485.009 -2.954 c
483.722 -3.065 483.077 -0.355 480.108 -0.271 c
481.102 3.483 488.191 -0.451 492.709 0.399 c
492.366 -1.718 493.971 -1.969 493.409 -4.296 c
491.024 -4.792 492.255 -1.824 490.608 -1.612 c
488.209 -2.143 490.67 -3.498 487.809 -1.612 c
486.243 -1.901 487.525 -4.918 487.108 -6.308 c
489.197 -6.904 492.839 -5.624 490.608 -4.296 c
492.76 -3.865 492.587 -7.262 492.709 -11.004 c
491.329 -9.866 491.104 -7.623 487.809 -8.32 c
488.082 -11.458 488.235 -10.549 488.509 -13.687 c
489.864 -15.989 494.77 -14.549 494.809 -11.674 c
497.907 -12.704 493.89 -15.987 494.809 -16.369 c
491.803 -17.475 482.847 -17.136 483.608 -14.357 c
482.469 -22.261 470.16 -19.059 466.107 -18.382 c
464.534 -17.888 467.092 -15.825 468.207 -15.699 c
468.975 -13.419 466.355 -10.606 468.907 -12.345 c
467.644 -10.472 465.706 -4.497 468.207 -6.308 c
467.903 -4.811 466.97 -3.917 465.407 -3.625 c
466.172 -3.38 468.336 -0.688 465.407 -0.942 c
0.0 sc
eofill
n
503.909 -9.662 m
506.481 -9.88 510.106 -9.09 511.609 -10.333 c
510.978 -12.592 510.044 -10.411 508.81 -11.674 c
510.089 -12.685 510.954 -14.092 510.909 -16.369 c
505.944 -20.3 495.951 -17.397 498.309 -11.004 c
494.452 -11.113 495.225 4.92 508.81 -2.283 c
507.689 -4.61 511.438 -7.439 508.109 -7.649 c
509.199 -5.246 503.16 0.303 499.709 -3.625 c
499.115 -9.56 501.104 -13.021 503.209 -16.369 c
505.481 -16.759 506.466 -15.913 508.109 -15.699 c
505.99 -12.608 508.067 -14.385 508.109 -14.357 c
509.979 -13.119 505.396 -13.008 503.909 -9.662 c
eofill
n
520.01 -2.954 m
522.51 -5.376 523.174 -9.944 527.011 -11.004 c
524.954 -13.318 524.831 -13.35 524.21 -17.04 c
522.562 -17.025 522.149 -18.195 520.01 -17.711 c
519.215 -16.237 517.669 -15.482 517.21 -13.687 c
517.199 -15.384 515.373 -15.244 515.109 -12.345 c
518.12 -13.974 514.128 -5.783 516.51 -3.625 c
517.527 -3.258 520.128 -4.409 520.01 -2.954 c
1.0 sc
eofill
n
516.51 -3.625 m
514.128 -5.783 518.12 -13.974 515.109 -12.345 c
515.373 -15.244 517.199 -15.384 517.21 -13.687 c
517.669 -15.482 519.215 -16.237 520.01 -17.711 c
522.149 -18.195 522.562 -17.025 524.21 -17.04 c
524.831 -13.35 524.954 -13.318 527.011 -11.004 c
523.174 -9.944 522.51 -5.376 520.01 -2.954 c
520.128 -4.409 517.527 -3.258 516.51 -3.625 c
513.01 -10.333 m
507.711 0.298 528.308 -0.039 526.311 -9.662 c
530.232 -11.084 525.778 -15.878 526.311 -14.357 c
525.966 -15.34 526.042 -17.059 526.311 -16.369 c
522.841 -25.274 514.29 -14.766 513.71 -12.345 c
513.188 -10.168 512.75 -11.035 513.01 -10.333 c
0.0 sc
eofill
n
533.311 -57.957 m
531.124 -56.543 533.923 -54.238 531.211 -53.933 c
529.556 -54.807 529.861 -57.559 529.11 -59.299 c
533.097 -58.833 534.925 -60.436 538.911 -59.97 c
539.607 -57.969 539.688 -55.864 538.911 -55.274 c
538.501 -57.564 536.621 -58.446 533.311 -57.957 c
531.211 -49.237 m
530.808 -48.059 532.057 -45.297 530.511 -45.213 c
530.513 -45.585 529.943 -45.975 529.811 -45.213 c
530.942 -44.062 532.738 -43.547 535.411 -43.871 c
535.303 -44.768 536.511 -47.569 536.811 -45.884 c
535.43 -45.418 536.983 -42.141 535.411 -41.859 c
533.875 -43.528 526.524 -40.004 524.91 -42.529 c
526.494 -43.248 527.988 -44.052 529.11 -45.213 c
527.148 -45.871 530.127 -47.002 528.41 -47.896 c
532.328 -47.169 527.048 -52.794 531.211 -52.591 c
530.783 -52.629 530.382 -52.691 530.511 -53.262 c
531.926 -51.304 535.653 -50.172 536.811 -53.262 c
536.054 -50.916 535.984 -47.044 535.411 -47.896 c
535.333 -49.609 533.066 -49.228 531.211 -49.237 c
517.21 -58.628 m
521.196 -58.162 523.024 -59.765 527.011 -59.299 c
527.667 -58.732 528.506 -55.022 527.011 -54.604 c
526.601 -56.894 524.721 -57.775 521.41 -57.286 c
520.051 -51.876 518.526 -47.809 520.01 -41.188 c
517.195 -41.649 516.014 -40.545 513.71 -40.518 c
513.025 -43.823 516.34 -42.256 516.51 -43.2 c
515.503 -48.569 520.995 -55.437 517.21 -58.628 c
506.01 -48.566 m
504.687 -49.932 506.695 -55.79 505.31 -57.957 c
509.357 -57.433 511.294 -58.931 515.109 -58.628 c
515.107 -57.43 516.995 -54.726 515.109 -53.933 c
514.501 -55.586 513.479 -56.841 510.909 -56.616 c
507.021 -52.478 506.979 -45.906 508.109 -40.518 c
504.169 -40.451 505.05 -39.912 501.109 -39.847 c
503.802 -42.594 504.768 -45.967 506.01 -48.566 c
491.309 -57.286 m
495.507 -56.842 498.141 -57.895 501.81 -57.957 c
502.548 -57.26 503.255 -53.168 501.81 -52.591 c
499.905 -59.398 492.142 -53.92 495.509 -48.566 c
497.876 -48.534 498.546 -50.128 499.709 -51.25 c
498.921 -49.322 499.567 -46.02 498.309 -44.542 c
497.873 -47.376 496.754 -47.006 494.108 -46.555 c
494.625 -43.649 492.525 -42.399 494.809 -41.188 c
497.295 -40.841 498.587 -42.632 500.409 -44.542 c
500.186 -42.967 499.303 -42.024 499.709 -39.847 c
497.789 -39.646 490.268 -38.615 487.809 -39.176 c
489.694 -41.15 490.73 -43.675 492.709 -43.871 c
489.426 -46.578 494.073 -52.155 491.309 -57.286 c
478.008 -52.591 m
475.885 -52.569 476.264 -54.944 475.908 -56.616 c
487.108 -56.616 l
490.347 -52.326 487.916 -49.979 485.708 -45.884 c
488.177 -38.196 479.556 -37.093 472.408 -37.834 c
478.483 -43.708 475.183 -46.119 478.008 -52.591 c
459.107 -54.604 m
460.484 -55.52 463.105 -55.244 464.707 -55.945 c
464.99 -52.991 461.353 -53.794 462.607 -49.908 c
465.679 -48.632 467.864 -49.391 469.607 -51.92 c
468.448 -52.599 468.848 -54.77 468.207 -55.945 c
470.912 -55.813 473.366 -55.921 475.208 -56.616 c
470.361 -50.975 469.731 -41.293 464.008 -36.493 c
462.82 -42.957 462.148 -49.915 459.107 -54.604 c
447.906 -37.834 m
446.483 -45.169 454.046 -46.284 456.307 -51.92 c
454.958 -52.193 455.754 -54.521 453.507 -53.933 c
451.392 -52.158 449.906 -49.78 448.606 -47.225 c
447.19 -48.917 450.123 -50.738 449.307 -53.933 c
451.639 -54.157 452.412 -55.876 455.606 -55.274 c
461.496 -48.421 453.136 -43.367 449.307 -38.505 c
454.052 -35.555 454.473 -41.866 457.007 -43.2 c
456.104 -40.257 455.987 -39.606 455.606 -37.163 c
452.823 -35.775 449.713 -35.324 447.906 -37.834 c
437.406 -57.286 m
440.371 -59.115 442.306 -57.745 447.206 -58.628 c
446.944 -55.432 444.229 -56.3 443.006 -53.262 c
441.3 -49.024 443.648 -39.649 440.906 -34.48 c
441.452 -34.332 441.72 -33.919 441.606 -33.139 c
442.706 -33.075 444.033 -33.229 443.706 -31.797 c
441.124 -30.694 437.121 -30.952 433.906 -30.456 c
436.934 -34.807 439.159 -35.103 438.806 -40.518 c
438.804 -40.145 439.373 -39.756 439.506 -40.518 c
439.196 -41.807 437.896 -46.914 440.206 -47.225 c
438.474 -50.775 442.523 -53.217 437.406 -57.286 c
431.105 -26.432 m
468.391 -29.707 499.032 -31.887 538.911 -34.48 c
540.656 -45.776 543.232 -56.276 544.512 -68.019 c
543.348 -66.897 542.679 -65.303 540.312 -65.336 c
504.295 -63.707 467.277 -61.479 433.906 -59.299 c
432.988 -45.673 431.704 -38.723 431.105 -26.432 c
1.0 sc
eofill
n
428.306 -32.468 m
429.522 -34.865 431.135 -40.424 429.006 -41.859 c
429.978 -40.22 426.215 -35.179 428.306 -32.468 c
eofill
n
535.411 -47.896 m
535.984 -47.044 536.054 -50.916 536.811 -53.262 c
535.653 -50.172 531.926 -51.304 530.511 -53.262 c
530.382 -52.691 530.783 -52.629 531.211 -52.591 c
527.048 -52.794 532.328 -47.169 528.41 -47.896 c
530.127 -47.002 527.148 -45.871 529.11 -45.213 c
527.988 -44.052 526.494 -43.248 524.91 -42.529 c
526.524 -40.004 533.875 -43.528 535.411 -41.859 c
536.983 -42.141 535.43 -45.418 536.811 -45.884 c
536.511 -47.569 535.303 -44.768 535.411 -43.871 c
532.738 -43.547 530.942 -44.062 529.811 -45.213 c
529.943 -45.975 530.513 -45.585 530.511 -45.213 c
532.057 -45.297 530.808 -48.059 531.211 -49.237 c
533.066 -49.228 535.333 -49.609 535.411 -47.896 c
0.0 sc
eofill
n
464.707 -41.859 m
465.668 -42.06 464.521 -46.487 467.508 -46.555 c
467.42 -48.036 464.538 -46.839 463.308 -47.225 c
463.479 -45.154 464.017 -43.434 464.707 -41.859 c
1.0 sc
eofill
n
431.105 -53.933 m
429.917 -54.368 430.668 -55.475 431.806 -55.274 c
430.186 -58.35 427.934 -50.69 431.105 -51.25 c
431.234 -51.82 430.833 -51.883 430.405 -51.92 c
430.425 -52.572 431.263 -52.441 431.806 -52.591 c
431.375 -53.188 430.96 -53.791 431.806 -53.933 c
431.673 -54.694 431.104 -54.305 431.105 -53.933 c
eofill
n
538.911 -55.274 m
539.688 -55.864 539.607 -57.969 538.911 -59.97 c
534.925 -60.436 533.097 -58.833 529.11 -59.299 c
529.861 -57.559 529.556 -54.807 531.211 -53.933 c
533.923 -54.238 531.124 -56.543 533.311 -57.957 c
536.621 -58.446 538.501 -57.564 538.911 -55.274 c
0.0 sc
eofill
n
468.907 -82.105 m
467.16 -82.569 470.207 -83.895 469.607 -85.459 c
468.232 -83.845 466.108 -83.914 465.407 -86.13 c
463.758 -85.563 465.989 -83.188 466.107 -82.105 c
471.093 -79.012 478.185 -89.206 468.907 -82.105 c
eofill
n
509.51 -82.105 m
511.788 -80.185 515.938 -82.177 515.81 -84.788 c
514.552 -83.087 513.049 -81.62 509.51 -82.105 c
eofill
n
487.108 -84.117 m
485.948 -82.813 488.402 -81.903 490.608 -82.775 c
490.52 -83.979 491.466 -84.19 491.309 -85.459 c
489.495 -83.424 488.706 -84.772 486.408 -85.459 c
486.799 -84.863 488.515 -82.522 487.108 -84.117 c
eofill
n
469.607 -106.924 m
471.535 -106.088 473.003 -104.811 473.107 -102.229 c
471.944 -100.884 471.229 -99.11 468.907 -98.874 c
468.448 -100.67 466.902 -101.425 466.107 -102.898 c
466.982 -104.52 469.638 -104.436 469.607 -106.924 c
509.51 -101.558 m
512.524 -102.434 511.724 -99.654 513.01 -98.874 c
513.226 -100.456 515.44 -100.122 515.109 -102.229 c
514.409 -103.121 513.956 -104.253 513.01 -104.911 c
513.195 -103.538 510.294 -101.806 510.21 -102.898 c
512.107 -103.316 511.952 -105.701 514.41 -105.582 c
514.071 -103.469 516.559 -104.063 515.81 -101.558 c
514.94 -100.154 513.773 -99.036 512.31 -98.203 c
511.836 -99.762 509.983 -99.999 509.51 -101.558 c
491.309 -98.203 m
488.066 -98.293 488.341 -104.381 491.309 -106.253 c
497.375 -105.275 494.477 -98.116 491.309 -98.203 c
513.01 -90.154 m
510.521 -91.197 512.587 -87.876 510.909 -88.142 c
510.962 -89.311 510.753 -90.228 510.21 -90.825 c
513.488 -90.907 509.447 -91.802 510.21 -93.508 c
511.414 -93.243 512.004 -94.504 512.31 -93.508 c
511.883 -93.47 511.48 -93.408 511.609 -92.837 c
512.048 -90.549 516.63 -88.738 515.109 -86.801 c
514.579 -89.529 511.547 -88.388 513.01 -90.154 c
489.209 -92.167 m
492.325 -92.224 495.318 -88.66 494.108 -86.801 c
493.245 -89.326 491.068 -90.595 489.209 -92.167 c
470.308 -90.154 m
470.268 -90.563 470.203 -90.948 469.607 -90.825 c
468.905 -90.827 468.774 -90.281 468.207 -90.154 c
468.003 -90.566 466.466 -92.736 468.207 -92.837 c
468.221 -90.572 472.396 -91.906 473.808 -86.801 c
471.348 -89.656 469.983 -87.971 468.207 -89.483 c
469.031 -89.589 470.194 -89.368 470.308 -90.154 c
508.81 -85.459 m
509.056 -81.867 510.906 -84.757 512.31 -85.459 c
512.467 -84.19 511.521 -83.979 511.609 -82.775 c
508.109 -82.775 l
508.229 -83.779 507.859 -85.251 508.81 -85.459 c
515.81 -84.788 m
515.938 -82.177 511.788 -80.185 509.51 -82.105 c
513.049 -81.62 514.552 -83.087 515.81 -84.788 c
466.107 -82.105 m
465.989 -83.188 463.758 -85.563 465.407 -86.13 c
466.108 -83.914 468.232 -83.845 469.607 -85.459 c
470.207 -83.895 467.16 -82.569 468.907 -82.105 c
478.185 -89.206 471.093 -79.012 466.107 -82.105 c
486.408 -85.459 m
488.706 -84.772 489.495 -83.424 491.309 -85.459 c
491.466 -84.19 490.52 -83.979 490.608 -82.775 c
488.402 -81.903 485.948 -82.813 487.108 -84.117 c
488.515 -82.522 486.799 -84.863 486.408 -85.459 c
541.011 -75.397 m
543.693 -86.02 544.442 -98.493 545.911 -110.277 c
511.072 -109.362 462.218 -111.651 433.906 -112.29 c
432.56 -100.835 432.544 -88.105 431.105 -76.739 c
466.034 -76.428 504.953 -77.282 540.312 -75.397 c
h
1.0 sc
eofill
n
468.207 -89.483 m
469.983 -87.971 471.348 -89.656 473.808 -86.801 c
472.396 -91.906 468.221 -90.572 468.207 -92.837 c
466.466 -92.736 468.003 -90.566 468.207 -90.154 c
468.774 -90.281 468.905 -90.827 469.607 -90.825 c
470.203 -90.948 470.268 -90.563 470.308 -90.154 c
470.194 -89.368 469.031 -89.589 468.207 -89.483 c
0.0 sc
eofill
n
515.109 -86.801 m
516.63 -88.738 512.048 -90.549 511.609 -92.837 c
511.48 -93.408 511.883 -93.47 512.31 -93.508 c
512.004 -94.504 511.414 -93.243 510.21 -93.508 c
509.447 -91.802 513.488 -90.907 510.21 -90.825 c
510.753 -90.228 510.962 -89.311 510.909 -88.142 c
512.587 -87.876 510.521 -91.197 513.01 -90.154 c
511.547 -88.388 514.579 -89.529 515.109 -86.801 c
eofill
n
193.094 -98.203 m
192.393 -96.416 190.269 -95.992 188.894 -94.85 c
190.815 -92.836 192.126 -97.08 194.494 -96.862 c
190.452 -100.591 188.182 -106.018 179.093 -104.911 c
180.065 -102.266 185.312 -103.715 183.993 -98.874 c
184.688 -97.609 185.436 -101.911 185.394 -103.569 c
187.533 -101.372 189.207 -98.727 193.094 -98.203 c
1.0 sc
eofill
n
494.108 -103.569 m
494.412 -101.043 492.63 -100.515 491.309 -99.545 c
492.058 -102.051 489.57 -101.457 489.908 -103.569 c
491.783 -104.658 492.57 -105.11 494.108 -103.569 c
491.309 -106.253 m
488.341 -104.381 488.066 -98.293 491.309 -98.203 c
494.477 -98.116 497.375 -105.275 491.309 -106.253 c
0.0 sc
eofill
n
512.31 -98.203 m
513.773 -99.036 514.94 -100.154 515.81 -101.558 c
516.559 -104.063 514.071 -103.469 514.41 -105.582 c
511.952 -105.701 512.107 -103.316 510.21 -102.898 c
510.294 -101.806 513.195 -103.538 513.01 -104.911 c
513.956 -104.253 514.409 -103.121 515.109 -102.229 c
515.44 -100.122 513.226 -100.456 513.01 -98.874 c
511.724 -99.654 512.524 -102.434 509.51 -101.558 c
509.983 -99.999 511.836 -99.762 512.31 -98.203 c
eofill
n
469.607 -99.545 m
470.349 -102.044 468.134 -101.71 467.508 -102.898 c
469.481 -103.02 468.381 -106.087 471.008 -105.582 c
470.971 -104.428 471.546 -103.862 472.408 -103.569 c
472.242 -101.493 470.46 -100.965 469.607 -99.545 c
466.107 -102.898 m
466.902 -101.425 468.448 -100.67 468.907 -98.874 c
471.229 -99.11 471.944 -100.884 473.107 -102.229 c
473.003 -104.811 471.535 -106.088 469.607 -106.924 c
469.638 -104.436 466.982 -104.52 466.107 -102.898 c
eofill
n
495.509 41.987 m
497.28 40.778 496.105 36.745 497.609 35.279 c
494.484 35.844 494.111 42.765 489.209 42.658 c
479.798 42.453 484.476 24.824 492.709 24.547 c
496.118 23.964 495.953 26.805 498.309 27.23 c
489.757 11.258 473.862 36.4 483.608 43.329 c
487.997 46.449 492.297 42.364 495.509 41.987 c
eofill
n
440.206 -47.225 m
437.896 -46.914 439.196 -41.807 439.506 -40.518 c
439.373 -39.756 438.804 -40.145 438.806 -40.518 c
439.159 -35.103 436.934 -34.807 433.906 -30.456 c
437.121 -30.952 441.124 -30.694 443.706 -31.797 c
444.033 -33.229 442.706 -33.075 441.606 -33.139 c
441.72 -33.919 441.452 -34.332 440.906 -34.48 c
443.648 -39.649 441.3 -49.024 443.006 -53.262 c
444.229 -56.3 446.944 -55.432 447.206 -58.628 c
442.306 -57.745 440.371 -59.115 437.406 -57.286 c
442.523 -53.217 438.474 -50.775 440.206 -47.225 c
eofill
n
516.51 -43.2 m
516.34 -42.256 513.025 -43.823 513.71 -40.518 c
516.014 -40.545 517.195 -41.649 520.01 -41.188 c
518.526 -47.809 520.051 -51.876 521.41 -57.286 c
524.721 -57.775 526.601 -56.894 527.011 -54.604 c
528.506 -55.022 527.667 -58.732 527.011 -59.299 c
523.024 -59.765 521.196 -58.162 517.21 -58.628 c
520.995 -55.437 515.503 -48.569 516.51 -43.2 c
eofill
n
484.309 -55.274 m
485.772 -52.598 485.405 -51.125 484.309 -48.566 c
482.665 -48.353 481.681 -47.507 479.408 -47.896 c
479.966 -50.419 479.157 -55.492 484.309 -55.274 c
478.708 -45.213 m
480.301 -45.538 482.284 -46.543 483.608 -45.213 c
483.77 -42.599 482.104 -41.735 481.508 -39.847 c
478.708 -39.847 l
477.185 -41.067 480.231 -43.992 478.708 -45.213 c
472.408 -37.834 m
479.556 -37.093 488.177 -38.196 485.708 -45.884 c
487.916 -49.979 490.347 -52.326 487.108 -56.616 c
475.908 -56.616 l
476.264 -54.944 475.885 -52.569 478.008 -52.591 c
475.183 -46.119 478.483 -43.708 472.408 -37.834 c
eofill
n
492.709 -43.871 m
490.73 -43.675 489.694 -41.15 487.809 -39.176 c
490.268 -38.615 497.789 -39.646 499.709 -39.847 c
499.303 -42.024 500.186 -42.967 500.409 -44.542 c
498.587 -42.632 497.295 -40.841 494.809 -41.188 c
492.525 -42.399 494.625 -43.649 494.108 -46.555 c
496.754 -47.006 497.873 -47.376 498.309 -44.542 c
499.567 -46.02 498.921 -49.322 499.709 -51.25 c
498.546 -50.128 497.876 -48.534 495.509 -48.566 c
492.142 -53.92 499.905 -59.398 501.81 -52.591 c
503.255 -53.168 502.548 -57.26 501.81 -57.957 c
498.141 -57.895 495.507 -56.842 491.309 -57.286 c
494.073 -52.155 489.426 -46.578 492.709 -43.871 c
eofill
n
501.109 -39.847 m
505.05 -39.912 504.169 -40.451 508.109 -40.518 c
506.979 -45.906 507.021 -52.478 510.909 -56.616 c
513.479 -56.841 514.501 -55.586 515.109 -53.933 c
516.995 -54.726 515.107 -57.43 515.109 -58.628 c
511.294 -58.931 509.357 -57.433 505.31 -57.957 c
506.695 -55.79 504.687 -49.932 506.01 -48.566 c
504.768 -45.967 503.802 -42.594 501.109 -39.847 c
eofill
Q
Q
Q
[/EMC PDFMark5
PDFVars/TermAll get exec end end
%%PageTrailer
%%Trailer
%%EOF
\ No newline at end of file
Binary file doc-src/TutorialI/document/pghead.pdf has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/preface.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,56 @@
+\chapter*{Preface}
+\markboth{Preface}{Preface}
+
+This volume is a self-contained introduction to interactive proof
+in higher-order logic (HOL), using the proof assistant Isabelle. 
+It is written for potential users rather
+than for our colleagues in the research world.
+
+The book has three parts.  
+\begin{itemize}
+\item 
+The first part, \textbf{Elementary Techniques},
+shows how to model functional programs in higher-order logic.  Early
+examples involve lists and the natural numbers.  Most proofs
+are two steps long, consisting of induction on a chosen variable
+followed by the \isa{auto} tactic.  But even this elementary part
+covers such advanced topics as nested and mutual recursion.
+\item 
+The second part, \textbf{Logic and Sets}, presents a collection of
+lower-level tactics that you can use to apply rules selectively.  It
+also describes Isabelle/HOL's treatment of sets, functions and
+relations and explains how to define sets inductively.  One of the
+examples concerns the theory of model checking, and another is drawn
+from a classic textbook on formal languages.
+\item 
+The third part, \textbf{Advanced Material}, describes a variety of other
+topics.  Among these are the real numbers, records and overloading.  Advanced
+techniques for induction and recursion are described.  A whole chapter is
+devoted to an extended example: the verification of a security protocol.
+\end{itemize}
+
+The typesetting relies on Wenzel's theory presentation tools.  An
+annotated source file is run, typesetting the theory
+in the form of a \LaTeX\ source file.  This book is derived almost entirely
+from output generated in this way.  The final chapter of Part~I explains how
+users may produce their own formal documents in a similar fashion.
+
+Isabelle's \hfootref{http://isabelle.in.tum.de/}{web site} contains
+links to the download area and to documentation and other information.
+The classic Isabelle user interface is Proof~General~/ Emacs by David
+Aspinall's\index{Aspinall, David}.  This book says very little about
+Proof General, which has its own documentation.
+
+This tutorial owes a lot to the constant discussions with and the valuable
+feedback from the Isabelle group at Munich: Stefan Berghofer, Olaf
+M{\"u}ller, Wolfgang Naraschewski, David von Oheimb, Leonor Prensa Nieto,
+Cornelia Pusch, Norbert Schirmer and Martin Strecker. Stephan
+Merz was also kind enough to read and comment on a draft version.  We
+received comments from Stefano Bistarelli, Gergely Buday, John Matthews
+and Tanja Vos.
+
+The research has been funded by many sources, including the {\sc dfg} grants
+NI~491/2, NI~491/3, NI~491/4, NI~491/6, {\sc bmbf} project Verisoft, the {\sc
+epsrc} grants GR/K57381, GR/K77051, GR/M75440, GR/R01156/01 GR/S57198/01 and
+by the \textsc{esprit} working groups 21900 and IST-1999-29001 (the
+\emph{Types} project).
--- a/doc-src/TutorialI/document/prime_def.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,53 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{prime{\isaliteral{5F}{\isacharunderscore}}def}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\begin{isamarkuptext}%
-\begin{warn}
-A common mistake when writing definitions is to introduce extra free
-variables on the right-hand side.  Consider the following, flawed definition
-(where \isa{dvd} means ``divides''):
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
-\end{isabelle}
-\par\noindent\hangindent=0pt
-Isabelle rejects this ``definition'' because of the extra \isa{m} on the
-right-hand side, which would introduce an inconsistency (why?). 
-The correct version is
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{22}{\isachardoublequote}}prime\ p\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isadigit{1}}\ {\isaliteral{3C}{\isacharless}}\ p\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}m{\isaliteral{2E}{\isachardot}}\ m\ dvd\ p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ m\ {\isaliteral{3D}{\isacharequal}}\ {\isadigit{1}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ m\ {\isaliteral{3D}{\isacharequal}}\ p{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequote}}%
-\end{isabelle}
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/protocol.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,135 @@
+\chapter{Case Study: Verifying a Security Protocol}
+\label{chap:crypto}
+
+\index{protocols!security|(}
+
+%crypto primitives 
+\def\lbb{\mathopen{\{\kern-.30em|}}
+\def\rbb{\mathclose{|\kern-.32em\}}}
+\def\comp#1{\lbb#1\rbb}
+
+Communications security is an ancient art.  Julius Caesar is said to have
+encrypted his messages, shifting each letter three places along the
+alphabet.  Mary Queen of Scots was convicted of treason after a cipher used
+in her letters was broken.  Today's postal system
+incorporates security features.  The envelope provides a degree of
+\emph{secrecy}.  The signature provides \emph{authenticity} (proof of
+origin), as do departmental stamps and letterheads.
+
+Networks are vulnerable: messages pass through many computers, any of which
+might be controlled by an adversary, who thus can capture or redirect
+messages.  People who wish to communicate securely over such a network can
+use cryptography, but if they are to understand each other, they need to
+follow a
+\emph{protocol}: a pre-arranged sequence of message formats. 
+
+Protocols can be attacked in many ways, even if encryption is unbreakable. 
+A \emph{splicing attack} involves an adversary's sending a message composed
+of parts of several old messages.  This fake message may have the correct
+format, fooling an honest party.  The adversary might be able to masquerade
+as somebody else, or he might obtain a secret key.
+
+\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
+random number. Each message that requires a reply incorporates a nonce. The
+reply must include a copy of that nonce, to prove that it is not a replay of
+a past message.  The nonce in the reply must be cryptographically
+protected, since otherwise an adversary could easily replace it by a
+different one. You should be starting to see that protocol design is
+tricky!
+
+Researchers are developing methods for proving the correctness of security
+protocols.  The Needham-Schroeder public-key
+protocol~\cite{needham-schroeder} has become a standard test case. 
+Proposed in 1978, it was found to be defective nearly two decades
+later~\cite{lowe-fdr}.  This toy protocol will be useful in demonstrating
+how to verify protocols using Isabelle.
+
+
+\section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol}
+
+\index{Needham-Schroeder protocol|(}%
+This protocol uses public-key cryptography. Each person has a private key, known only to
+himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
+encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
+matching private key, which is needed in order to decrypt Alice's message.
+
+The core of the Needham-Schroeder protocol consists of three messages:
+\begin{alignat*}{2}
+  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
+  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
+  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+First, let's understand the notation. In the first message, Alice
+sends Bob a message consisting of a nonce generated by Alice~($Na$)
+paired  with Alice's name~($A$) and encrypted using Bob's public
+key~($Kb$). In the second message, Bob sends Alice a message
+consisting of $Na$ paired with a nonce generated by Bob~($Nb$), 
+encrypted using Alice's public key~($Ka$). In the last message, Alice
+returns $Nb$ to Bob, encrypted using his public key.
+
+When Alice receives Message~2, she knows that Bob has acted on her
+message, since only he could have decrypted
+$\comp{Na,A}\sb{Kb}$ and extracted~$Na$.  That is precisely what
+nonces are for.  Similarly, message~3 assures Bob that Alice is
+active.  But the protocol was widely believed~\cite{ban89} to satisfy a
+further property: that
+$Na$ and~$Nb$ were secrets shared by Alice and Bob.  (Many
+protocols generate such shared secrets, which can be used
+to lessen the reliance on slow public-key operations.)  
+Lowe\index{Lowe, Gavin|(} found this
+claim to be false: if Alice runs the protocol with someone untrustworthy
+(Charlie say), then he can start a new run with another agent (Bob say). 
+Charlie uses Alice as an oracle, masquerading as
+Alice to Bob~\cite{lowe-fdr}.
+\begin{alignat*}{4}
+  &1.&\quad  A\to C  &: \comp{Na,A}\sb{Kc}   &&
+      \qquad 1'.&\quad  C\to B  &: \comp{Na,A}\sb{Kb} \\
+  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
+  &3.&\quad  A\to C  &: \comp{Nb}\sb{Kc}  &&
+      \qquad 3'.&\quad  C\to B  &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+In messages~1 and~3, Charlie removes the encryption using his private
+key and re-encrypts Alice's messages using Bob's public key. Bob is
+left thinking he has run the protocol with Alice, which was not
+Alice's intention, and Bob is unaware that the ``secret'' nonces are
+known to Charlie.  This is a typical man-in-the-middle attack launched
+by an insider.
+
+Whether this counts as an attack has been disputed.  In protocols of this
+type, we normally assume that the other party is honest.  To be honest
+means to obey the protocol rules, so Alice's running the protocol with
+Charlie does not make her dishonest, just careless.  After Lowe's
+attack, Alice has no grounds for complaint: this protocol does not have to
+guarantee anything if you run it with a bad person.  Bob does have
+grounds for complaint, however: the protocol tells him that he is
+communicating with Alice (who is honest) but it does not guarantee
+secrecy of the nonces.
+
+Lowe also suggested a correction, namely to include Bob's name in
+message~2:
+\begin{alignat*}{2}
+  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
+  &2.&\quad  B\to A  &: \comp{Na,Nb,B}\sb{Ka} \\
+  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+If Charlie tries the same attack, Alice will receive the message
+$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
+$\comp{Na,Nb,C}\sb{Ka}$.  She will abandon the run, and eventually so
+will Bob.  Below, we shall look at parts of this protocol's correctness
+proof. 
+
+In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
+showed how such attacks
+could be found automatically using a model checker.  An alternative,
+which we shall examine below, is to prove protocols correct.  Proofs
+can be done under more realistic assumptions because our model does
+not have to be finite.  The strategy is to formalize the operational
+semantics of the system and to prove security properties using rule
+induction.%
+\index{Needham-Schroeder protocol|)}
+
+
+\input{Message}
+\input{Event}
+\input{Public}
+\input{NS_Public}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/root.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,98 @@
+\documentclass{article}
+\usepackage{cl2emono-modified,isabelle,isabellesym}
+\usepackage{proof,amsmath,amsfonts}
+\usepackage{latexsym,wasysym,verbatim,graphicx,tutorial,ttbox,comment}
+\usepackage{eurosym}
+\usepackage[english]{babel}
+\usepackage{pdfsetup}   
+%last package!
+
+\remarkstrue          %TRUE causes remarks to be displayed (as marginal notes)
+%\remarksfalse
+
+\makeindex
+
+\index{conditional expressions|see{\isa{if} expressions}}
+\index{primitive recursion|see{recursion, primitive}}
+\index{product type|see{pairs and tuples}}
+\index{structural induction|see{induction, structural}}
+\index{termination|see{functions, total}}
+\index{tuples|see{pairs and tuples}}
+\index{*<*lex*>|see{lexicographic product}}
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}  %% {secnumdepth}{2}???
+
+\pagestyle{headings}
+
+
+\begin{document}
+\title{
+\begin{center}
+\includegraphics[scale=.8]{isabelle_hol}
+       \\ \vspace{0.5cm} A Proof Assistant for Higher-Order Logic
+\end{center}}
+\author{Tobias Nipkow \quad Lawrence C. Paulson \quad Markus Wenzel%\\[1ex]
+%Technische Universit{\"a}t M{\"u}nchen \\
+%Institut f{\"u}r Informatik \\[1ex]
+%University of Cambridge\\
+%Computer Laboratory
+}
+\pagenumbering{roman}
+\maketitle
+\newpage
+
+%\setcounter{page}{5}
+%\vspace*{\fill}
+%\begin{center}
+%\LARGE In memoriam \\[1ex]
+%{\sc Annette Schumann}\\[1ex]
+%1959 -- 2001
+%\end{center}
+%\vspace*{\fill}
+%\vspace*{\fill}
+%\newpage
+
+\input{preface}
+
+\tableofcontents
+
+\cleardoublepage\pagenumbering{arabic}
+
+\part{Elementary Techniques}
+\input{basics}
+\input{fp}
+\input{documents0}
+
+\part{Logic and Sets}
+\input{rules}
+\input{sets}
+\input{inductive0}
+
+\part{Advanced Material}
+\input{types0}
+\input{advanced0}
+\input{protocol}
+
+\markboth{}{}
+\cleardoublepage
+\vspace*{\fill}
+\begin{flushright}
+\begin{tabular}{l}
+{\large\sf\slshape You know my methods. Apply them!}\\[1ex]
+Sherlock Holmes
+\end{tabular}
+\end{flushright}
+\vspace*{\fill}
+\vspace*{\fill}
+
+\underscoreoff
+
+\input{appendix0}
+
+\bibliographystyle{plain}
+\bibliography{manual}
+\underscoreoff
+\printindex
+\end{document}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/rules.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,2641 @@
+%!TEX root = ../tutorial.tex
+\chapter{The Rules of the Game}
+\label{chap:rules}
+ 
+This chapter outlines the concepts and techniques that underlie reasoning
+in Isabelle.  Until now, we have proved everything using only induction and
+simplification, but any serious verification project requires more elaborate
+forms of inference.  The chapter also introduces the fundamentals of
+predicate logic.  The first examples in this chapter will consist of
+detailed, low-level proof steps.  Later, we shall see how to automate such
+reasoning using the methods
+\isa{blast},
+\isa{auto} and others.  Backward or goal-directed proof is our usual style,
+but the chapter also introduces forward reasoning, where one theorem is
+transformed to yield another.
+
+\section{Natural Deduction}
+
+\index{natural deduction|(}%
+In Isabelle, proofs are constructed using inference rules. The 
+most familiar inference rule is probably \emph{modus ponens}:%
+\index{modus ponens@\emph{modus ponens}} 
+\[ \infer{Q}{P\imp Q & P} \]
+This rule says that from $P\imp Q$ and $P$ we may infer~$Q$.  
+
+\textbf{Natural deduction} is an attempt to formalize logic in a way 
+that mirrors human reasoning patterns. 
+For each logical symbol (say, $\conj$), there 
+are two kinds of rules: \textbf{introduction} and \textbf{elimination} rules. 
+The introduction rules allow us to infer this symbol (say, to 
+infer conjunctions). The elimination rules allow us to deduce 
+consequences from this symbol. Ideally each rule should mention 
+one symbol only.  For predicate logic this can be 
+done, but when users define their own concepts they typically 
+have to refer to other symbols as well.  It is best not to be dogmatic.
+
+Natural deduction generally deserves its name.  It is easy to use.  Each
+proof step consists of identifying the outermost symbol of a formula and
+applying the corresponding rule.  It creates new subgoals in
+an obvious way from parts of the chosen formula.  Expanding the
+definitions of constants can blow up the goal enormously.  Deriving natural
+deduction rules for such constants lets us reason in terms of their key
+properties, which might otherwise be obscured by the technicalities of its
+definition.  Natural deduction rules also lend themselves to automation.
+Isabelle's
+\textbf{classical reasoner} accepts any suitable  collection of natural deduction
+rules and uses them to search for proofs automatically.  Isabelle is designed around
+natural deduction and many of its tools use the terminology of introduction
+and elimination rules.%
+\index{natural deduction|)}
+
+
+\section{Introduction Rules}
+
+\index{introduction rules|(}%
+An introduction rule tells us when we can infer a formula 
+containing a specific logical symbol. For example, the conjunction 
+introduction rule says that if we have $P$ and if we have $Q$ then 
+we have $P\conj Q$. In a mathematics text, it is typically shown 
+like this:
+\[  \infer{P\conj Q}{P & Q} \]
+The rule introduces the conjunction
+symbol~($\conj$) in its conclusion.  In Isabelle proofs we
+mainly  reason backwards.  When we apply this rule, the subgoal already has
+the form of a conjunction; the proof step makes this conjunction symbol
+disappear. 
+
+In Isabelle notation, the rule looks like this:
+\begin{isabelle}
+\isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P\ \isasymand\ ?Q\rulenamedx{conjI}
+\end{isabelle}
+Carefully examine the syntax.  The premises appear to the
+left of the arrow and the conclusion to the right.  The premises (if 
+more than one) are grouped using the fat brackets.  The question marks
+indicate \textbf{schematic variables} (also called
+\textbf{unknowns}):\index{unknowns|bold} they may
+be replaced by arbitrary formulas.  If we use the rule backwards, Isabelle
+tries to unify the current subgoal with the conclusion of the rule, which
+has the form \isa{?P\ \isasymand\ ?Q}.  (Unification is discussed below,
+{\S}\ref{sec:unification}.)  If successful,
+it yields new subgoals given by the formulas assigned to 
+\isa{?P} and \isa{?Q}.
+
+The following trivial proof illustrates how rules work.  It also introduces a
+style of indentation.  If a command adds a new subgoal, then the next
+command's indentation is increased by one space; if it proves a subgoal, then
+the indentation is reduced.  This provides the reader with hints about the
+subgoal structure.
+\begin{isabelle}
+\isacommand{lemma}\ conj_rule:\ "\isasymlbrakk P;\
+Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\
+(Q\ \isasymand\ P)"\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+At the start, Isabelle presents 
+us with the assumptions (\isa{P} and~\isa{Q}) and with the goal to be proved,
+\isa{P\ \isasymand\
+(Q\ \isasymand\ P)}.  We are working backwards, so when we
+apply conjunction introduction, the rule removes the outermost occurrence
+of the \isa{\isasymand} symbol.  To apply a  rule to a subgoal, we apply
+the proof method \isa{rule} --- here with \isa{conjI}, the  conjunction
+introduction rule. 
+\begin{isabelle}
+%\isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\ Q\
+%\isasymand\ P\isanewline
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\ \isasymand\ P
+\end{isabelle}
+Isabelle leaves two new subgoals: the two halves of the original conjunction. 
+The first is simply \isa{P}, which is trivial, since \isa{P} is among 
+the assumptions.  We can apply the \methdx{assumption} 
+method, which proves a subgoal by finding a matching assumption.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ 
+Q\ \isasymand\ P
+\end{isabelle}
+We are left with the subgoal of proving  
+\isa{Q\ \isasymand\ P} from the assumptions \isa{P} and~\isa{Q}.  We apply
+\isa{rule conjI} again. 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P
+\end{isabelle}
+We are left with two new subgoals, \isa{Q} and~\isa{P}, each of which can be proved
+using the \isa{assumption} method.%
+\index{introduction rules|)}
+
+
+\section{Elimination Rules}
+
+\index{elimination rules|(}%
+Elimination rules work in the opposite direction from introduction 
+rules. In the case of conjunction, there are two such rules. 
+From $P\conj Q$ we infer $P$. also, from $P\conj Q$  
+we infer $Q$:
+\[ \infer{P}{P\conj Q} \qquad \infer{Q}{P\conj Q}  \]
+
+Now consider disjunction. There are two introduction rules, which resemble inverted forms of the
+conjunction elimination rules:
+\[ \infer{P\disj Q}{P} \qquad \infer{P\disj Q}{Q}  \]
+
+What is the disjunction elimination rule?  The situation is rather different from 
+conjunction.  From $P\disj Q$ we cannot conclude  that $P$ is true and we
+cannot conclude that $Q$ is true; there are no direct
+elimination rules of the sort that we have seen for conjunction.  Instead,
+there is an elimination  rule that works indirectly.  If we are trying  to prove
+something else, say $R$, and we know that $P\disj Q$ holds,  then we have to consider
+two cases.  We can assume that $P$ is true  and prove $R$ and then assume that $Q$ is
+true and prove $R$ a second  time.  Here we see a fundamental concept used in natural
+deduction:  that of the \textbf{assumptions}. We have to prove $R$ twice, under
+different assumptions.  The assumptions are local to these subproofs and are visible 
+nowhere else. 
+
+In a logic text, the disjunction elimination rule might be shown 
+like this:
+\[ \infer{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}} \]
+The assumptions $[P]$ and $[Q]$ are bracketed 
+to emphasize that they are local to their subproofs.  In Isabelle 
+notation, the already-familiar \isa{\isasymLongrightarrow} syntax serves the
+same  purpose:
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymor\ ?Q;\ ?P\ \isasymLongrightarrow\ ?R;\ ?Q\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{disjE}
+\end{isabelle}
+When we use this sort of elimination rule backwards, it produces 
+a case split.  (We have seen this before, in proofs by induction.)  The following  proof
+illustrates the use of disjunction elimination.  
+\begin{isabelle}
+\isacommand{lemma}\ disj_swap:\ "P\ \isasymor\ Q\ 
+\isasymLongrightarrow\ Q\ \isasymor\ P"\isanewline
+\isacommand{apply}\ (erule\ disjE)\isanewline
+\ \isacommand{apply}\ (rule\ disjI2)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (rule\ disjI1)\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+We assume \isa{P\ \isasymor\ Q} and
+must prove \isa{Q\ \isasymor\ P}\@.  Our first step uses the disjunction
+elimination rule, \isa{disjE}\@.  We invoke it using \methdx{erule}, a
+method designed to work with elimination rules.  It looks for an assumption that
+matches the rule's first premise.  It deletes the matching assumption,
+regards the first premise as proved and returns subgoals corresponding to
+the remaining premises.  When we apply \isa{erule} to \isa{disjE}, only two
+subgoals result.  This is better than applying it using \isa{rule}
+to get three subgoals, then proving the first by assumption: the other
+subgoals would have the redundant assumption 
+\hbox{\isa{P\ \isasymor\ Q}}.
+Most of the time, \isa{erule} is  the best way to use elimination rules, since it
+replaces an assumption by its subformulas; only rarely does the original
+assumption remain useful.
+
+\begin{isabelle}
+%P\ \isasymor\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
+\ 1.\ P\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+These are the two subgoals returned by \isa{erule}.  The first assumes
+\isa{P} and the  second assumes \isa{Q}.  Tackling the first subgoal, we
+need to  show \isa{Q\ \isasymor\ P}\@.  The second introduction rule
+(\isa{disjI2}) can reduce this  to \isa{P}, which matches the assumption.
+So, we apply the
+\isa{rule}  method with \isa{disjI2} \ldots
+\begin{isabelle}
+\ 1.\ P\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+\ldots and finish off with the \isa{assumption} 
+method.  We are left with the other subgoal, which 
+assumes \isa{Q}.  
+\begin{isabelle}
+\ 1.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+Its proof is similar, using the introduction 
+rule \isa{disjI1}. 
+
+The result of this proof is a new inference rule \isa{disj_swap}, which is neither 
+an introduction nor an elimination rule, but which might 
+be useful.  We can use it to replace any goal of the form $Q\disj P$
+by one of the form $P\disj Q$.%
+\index{elimination rules|)}
+
+
+\section{Destruction Rules: Some Examples}
+
+\index{destruction rules|(}%
+Now let us examine the analogous proof for conjunction. 
+\begin{isabelle}
+\isacommand{lemma}\ conj_swap:\ "P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P"\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ (drule\ conjunct2)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (drule\ conjunct1)\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+Recall that the conjunction elimination rules --- whose Isabelle names are 
+\isa{conjunct1} and \isa{conjunct2} --- simply return the first or second half
+of a conjunction.  Rules of this sort (where the conclusion is a subformula of a
+premise) are called \textbf{destruction} rules because they take apart and destroy
+a premise.%
+\footnote{This Isabelle terminology has no counterpart in standard logic texts, 
+although the distinction between the two forms of elimination rule is well known. 
+Girard \cite[page 74]{girard89},\index{Girard, Jean-Yves|fnote}
+for example, writes ``The elimination rules 
+[for $\disj$ and $\exists$] are very
+bad.  What is catastrophic about them is the parasitic presence of a formula [$R$]
+which has no structural link with the formula which is eliminated.''}
+
+The first proof step applies conjunction introduction, leaving 
+two subgoals: 
+\begin{isabelle}
+%P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P\isanewline
+\ 1.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
+\end{isabelle}
+
+To invoke the elimination rule, we apply a new method, \isa{drule}. 
+Think of the \isa{d} as standing for \textbf{destruction} (or \textbf{direct}, if
+you prefer).   Applying the 
+second conjunction rule using \isa{drule} replaces the assumption 
+\isa{P\ \isasymand\ Q} by \isa{Q}. 
+\begin{isabelle}
+\ 1.\ Q\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
+\end{isabelle}
+The resulting subgoal can be proved by applying \isa{assumption}.
+The other subgoal is similarly proved, using the \isa{conjunct1} rule and the 
+\isa{assumption} method.
+
+Choosing among the methods \isa{rule}, \isa{erule} and \isa{drule} is up to 
+you.  Isabelle does not attempt to work out whether a rule 
+is an introduction rule or an elimination rule.  The 
+method determines how the rule will be interpreted. Many rules 
+can be used in more than one way.  For example, \isa{disj_swap} can 
+be applied to assumptions as well as to goals; it replaces any
+assumption of the form
+$P\disj Q$ by a one of the form $Q\disj P$.
+
+Destruction rules are simpler in form than indirect rules such as \isa{disjE},
+but they can be inconvenient.  Each of the conjunction rules discards half 
+of the formula, when usually we want to take both parts of the conjunction as new
+assumptions.  The easiest way to do so is by using an 
+alternative conjunction elimination rule that resembles \isa{disjE}\@.  It is
+seldom, if ever, seen in logic books.  In Isabelle syntax it looks like this: 
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymand\ ?Q;\ \isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{conjE}
+\end{isabelle}
+\index{destruction rules|)}
+
+\begin{exercise}
+Use the rule \isa{conjE} to shorten the proof above. 
+\end{exercise}
+
+
+\section{Implication}
+
+\index{implication|(}%
+At the start of this chapter, we saw the rule \emph{modus ponens}.  It is, in fact,
+a destruction rule. The matching introduction rule looks like this 
+in Isabelle: 
+\begin{isabelle}
+(?P\ \isasymLongrightarrow\ ?Q)\ \isasymLongrightarrow\ ?P\
+\isasymlongrightarrow\ ?Q\rulenamedx{impI}
+\end{isabelle}
+And this is \emph{modus ponens}\index{modus ponens@\emph{modus ponens}}:
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymlongrightarrow\ ?Q;\ ?P\isasymrbrakk\
+\isasymLongrightarrow\ ?Q
+\rulenamedx{mp}
+\end{isabelle}
+
+Here is a proof using the implication rules.  This 
+lemma performs a sort of uncurrying, replacing the two antecedents 
+of a nested implication by a conjunction.  The proof illustrates
+how assumptions work.  At each proof step, the subgoals inherit the previous
+assumptions, perhaps with additions or deletions.  Rules such as
+\isa{impI} and \isa{disjE} add assumptions, while applying \isa{erule} or
+\isa{drule} deletes the matching assumption.
+\begin{isabelle}
+\isacommand{lemma}\ imp_uncurry:\
+"P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
+\isasymand\ Q\ \isasymlongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \ \isacommand{apply}\ assumption\isanewline
+\ \isacommand{apply}\ assumption
+\end{isabelle}
+First, we state the lemma and apply implication introduction (\isa{rule impI}), 
+which moves the conjunction to the assumptions. 
+\begin{isabelle}
+%P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R\ \isasymLongrightarrow\ P\
+%\isasymand\ Q\ \isasymlongrightarrow\ R\isanewline
+\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P\ \isasymand\ Q\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Next, we apply conjunction elimination (\isa{erule conjE}), which splits this
+conjunction into two  parts. 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P;\
+Q\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Now, we work on the assumption \isa{P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)}, where the parentheses have been inserted for
+clarity.  The nested implication requires two applications of
+\textit{modus ponens}: \isa{drule mp}.  The first use  yields the
+implication \isa{Q\
+\isasymlongrightarrow\ R}, but first we must prove the extra subgoal 
+\isa{P}, which we do by assumption. 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Repeating these steps for \isa{Q\
+\isasymlongrightarrow\ R} yields the conclusion we seek, namely~\isa{R}.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\
+\isasymLongrightarrow\ R
+\end{isabelle}
+
+The symbols \isa{\isasymLongrightarrow} and \isa{\isasymlongrightarrow}
+both stand for implication, but they differ in many respects.  Isabelle
+uses \isa{\isasymLongrightarrow} to express inference rules; the symbol is
+built-in and Isabelle's inference mechanisms treat it specially.  On the
+other hand, \isa{\isasymlongrightarrow} is just one of the many connectives
+available in higher-order logic.  We reason about it using inference rules
+such as \isa{impI} and \isa{mp}, just as we reason about the other
+connectives.  You will have to use \isa{\isasymlongrightarrow} in any
+context that requires a formula of higher-order logic.  Use
+\isa{\isasymLongrightarrow} to separate a theorem's preconditions from its
+conclusion.%
+\index{implication|)}
+
+\medskip
+\index{by@\isacommand{by} (command)|(}%
+The \isacommand{by} command is useful for proofs like these that use
+\isa{assumption} heavily.  It executes an
+\isacommand{apply} command, then tries to prove all remaining subgoals using
+\isa{assumption}.  Since (if successful) it ends the proof, it also replaces the 
+\isacommand{done} symbol.  For example, the proof above can be shortened:
+\begin{isabelle}
+\isacommand{lemma}\ imp_uncurry:\
+"P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
+\isasymand\ Q\ \isasymlongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+We could use \isacommand{by} to replace the final \isacommand{apply} and
+\isacommand{done} in any proof, but typically we use it
+to eliminate calls to \isa{assumption}.  It is also a nice way of expressing a
+one-line proof.%
+\index{by@\isacommand{by} (command)|)}
+
+
+
+\section{Negation}
+ 
+\index{negation|(}%
+Negation causes surprising complexity in proofs.  Its natural 
+deduction rules are straightforward, but additional rules seem 
+necessary in order to handle negated assumptions gracefully.  This section
+also illustrates the \isa{intro} method: a convenient way of
+applying introduction rules.
+
+Negation introduction deduces $\lnot P$ if assuming $P$ leads to a 
+contradiction. Negation elimination deduces any formula in the 
+presence of $\lnot P$ together with~$P$: 
+\begin{isabelle}
+(?P\ \isasymLongrightarrow\ False)\ \isasymLongrightarrow\ \isasymnot\ ?P%
+\rulenamedx{notI}\isanewline
+\isasymlbrakk{\isasymnot}\ ?P;\ ?P\isasymrbrakk\ \isasymLongrightarrow\ ?R%
+\rulenamedx{notE}
+\end{isabelle}
+%
+Classical logic allows us to assume $\lnot P$ 
+when attempting to prove~$P$: 
+\begin{isabelle}
+(\isasymnot\ ?P\ \isasymLongrightarrow\ ?P)\ \isasymLongrightarrow\ ?P%
+\rulenamedx{classical}
+\end{isabelle}
+
+\index{contrapositives|(}%
+The implications $P\imp Q$ and $\lnot Q\imp\lnot P$ are logically
+equivalent, and each is called the
+\textbf{contrapositive} of the other.  Four further rules support
+reasoning about contrapositives.  They differ in the placement of the
+negation symbols: 
+\begin{isabelle}
+\isasymlbrakk?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulename{contrapos_pp}\isanewline
+\isasymlbrakk?Q;\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\
+\isasymnot\ ?P%
+\rulename{contrapos_pn}\isanewline
+\isasymlbrakk{\isasymnot}\ ?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulename{contrapos_np}\isanewline
+\isasymlbrakk{\isasymnot}\ ?Q;\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ \isasymnot\ ?P%
+\rulename{contrapos_nn}
+\end{isabelle}
+%
+These rules are typically applied using the \isa{erule} method, where 
+their effect is to form a contrapositive from an 
+assumption and the goal's conclusion.%
+\index{contrapositives|)}
+
+The most important of these is \isa{contrapos_np}.  It is useful
+for applying introduction rules to negated assumptions.  For instance, 
+the assumption $\lnot(P\imp Q)$ is equivalent to the conclusion $P\imp Q$ and we 
+might want to use conjunction introduction on it. 
+Before we can do so, we must move that assumption so that it 
+becomes the conclusion. The following proof demonstrates this 
+technique: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk{\isasymnot}(P{\isasymlongrightarrow}Q);\
+\isasymnot(R{\isasymlongrightarrow}Q)\isasymrbrakk\ \isasymLongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (erule_tac\ Q = "R{\isasymlongrightarrow}Q"\ \isakeyword{in}\
+contrapos_np)\isanewline
+\isacommand{apply}\ (intro\ impI)\isanewline
+\isacommand{by}\ (erule\ notE)
+\end{isabelle}
+%
+There are two negated assumptions and we need to exchange the conclusion with the
+second one.  The method \isa{erule contrapos_np} would select the first assumption,
+which we do not want.  So we specify the desired assumption explicitly
+using a new method, \isa{erule_tac}.  This is the resulting subgoal: 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\
+R\isasymrbrakk\ \isasymLongrightarrow\ R\ \isasymlongrightarrow\ Q%
+\end{isabelle}
+The former conclusion, namely \isa{R}, now appears negated among the assumptions,
+while the negated formula \isa{R\ \isasymlongrightarrow\ Q} becomes the new
+conclusion.
+
+We can now apply introduction rules.  We use the \methdx{intro} method, which
+repeatedly applies the given introduction rules.  Here its effect is equivalent
+to \isa{rule impI}.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\ R;\
+R\isasymrbrakk\ \isasymLongrightarrow\ Q%
+\end{isabelle}
+We can see a contradiction in the form of assumptions \isa{\isasymnot\ R}
+and~\isa{R}, which suggests using negation elimination.  If applied on its own,
+\isa{notE} will select the first negated assumption, which is useless.  
+Instead, we invoke the rule using the
+\isa{by} command.
+Now when Isabelle selects the first assumption, it tries to prove \isa{P\
+\isasymlongrightarrow\ Q} and fails; it then backtracks, finds the 
+assumption \isa{\isasymnot~R} and finally proves \isa{R} by assumption.  That
+concludes the proof.
+
+\medskip
+
+The following example may be skipped on a first reading.  It involves a
+peculiar but important rule, a form of disjunction introduction:
+\begin{isabelle}
+(\isasymnot \ ?Q\ \isasymLongrightarrow \ ?P)\ \isasymLongrightarrow \ ?P\ \isasymor \ ?Q%
+\rulenamedx{disjCI}
+\end{isabelle}
+This rule combines the effects of \isa{disjI1} and \isa{disjI2}.  Its great
+advantage is that we can remove the disjunction symbol without deciding
+which disjunction to prove.  This treatment of disjunction is standard in sequent
+and tableau calculi.
+
+\begin{isabelle}
+\isacommand{lemma}\ "(P\ \isasymor\ Q)\ \isasymand\ R\
+\isasymLongrightarrow\ P\ \isasymor\ (Q\ \isasymand\ R)"\isanewline
+\isacommand{apply}\ (rule\ disjCI)\isanewline
+\isacommand{apply}\ (elim\ conjE\ disjE)\isanewline
+\ \isacommand{apply}\ assumption
+\isanewline
+\isacommand{by}\ (erule\ contrapos_np,\ rule\ conjI)
+\end{isabelle}
+%
+The first proof step to applies the introduction rules \isa{disjCI}.
+The resulting subgoal has the negative assumption 
+\hbox{\isa{\isasymnot(Q\ \isasymand\ R)}}.  
+
+\begin{isabelle}
+\ 1.\ \isasymlbrakk(P\ \isasymor\ Q)\ \isasymand\ R;\ \isasymnot\ (Q\ \isasymand\
+R)\isasymrbrakk\ \isasymLongrightarrow\ P%
+\end{isabelle}
+Next we apply the \isa{elim} method, which repeatedly applies 
+elimination rules; here, the elimination rules given 
+in the command.  One of the subgoals is trivial (\isa{\isacommand{apply} assumption}),
+leaving us with one other:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (Q\ \isasymand\ R);\ R;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P%
+\end{isabelle}
+%
+Now we must move the formula \isa{Q\ \isasymand\ R} to be the conclusion.  The
+combination 
+\begin{isabelle}
+\ \ \ \ \ (erule\ contrapos_np,\ rule\ conjI)
+\end{isabelle}
+is robust: the \isa{conjI} forces the \isa{erule} to select a
+conjunction.  The two subgoals are the ones we would expect from applying
+conjunction introduction to
+\isa{Q~\isasymand~R}:  
+\begin{isabelle}
+\ 1.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\
+Q\isanewline
+\ 2.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\ R%
+\end{isabelle}
+They are proved by assumption, which is implicit in the \isacommand{by}
+command.%
+\index{negation|)}
+
+
+\section{Interlude: the Basic Methods for Rules}
+
+We have seen examples of many tactics that operate on individual rules.  It
+may be helpful to review how they work given an arbitrary rule such as this:
+\[ \infer{Q}{P@1 & \ldots & P@n} \]
+Below, we refer to $P@1$ as the \bfindex{major premise}.  This concept
+applies only to elimination and destruction rules.  These rules act upon an
+instance of their major premise, typically to replace it by subformulas of itself.
+
+Suppose that the rule above is called~\isa{R}\@.  Here are the basic rule
+methods, most of which we have already seen:
+\begin{itemize}
+\item 
+Method \isa{rule\ R} unifies~$Q$ with the current subgoal, replacing it
+by $n$ new subgoals: instances of $P@1$, \ldots,~$P@n$. 
+This is backward reasoning and is appropriate for introduction rules.
+\item 
+Method \isa{erule\ R} unifies~$Q$ with the current subgoal and
+simultaneously unifies $P@1$ with some assumption.  The subgoal is 
+replaced by the $n-1$ new subgoals of proving
+instances of $P@2$,
+\ldots,~$P@n$, with the matching assumption deleted.  It is appropriate for
+elimination rules.  The method
+\isa{(rule\ R,\ assumption)} is similar, but it does not delete an
+assumption.
+\item 
+Method \isa{drule\ R} unifies $P@1$ with some assumption, which it
+then deletes.  The subgoal is 
+replaced by the $n-1$ new subgoals of proving $P@2$, \ldots,~$P@n$; an
+$n$th subgoal is like the original one but has an additional assumption: an
+instance of~$Q$.  It is appropriate for destruction rules. 
+\item 
+Method \isa{frule\ R} is like \isa{drule\ R} except that the matching
+assumption is not deleted.  (See {\S}\ref{sec:frule} below.)
+\end{itemize}
+
+Other methods apply a rule while constraining some of its
+variables.  The typical form is
+\begin{isabelle}
+\ \ \ \ \ \methdx{rule_tac}\ $v@1$ = $t@1$ \isakeyword{and} \ldots \isakeyword{and}
+$v@k$ =
+$t@k$ \isakeyword{in} R
+\end{isabelle}
+This method behaves like \isa{rule R}, while instantiating the variables
+$v@1$, \ldots,
+$v@k$ as specified.  We similarly have \methdx{erule_tac}, \methdx{drule_tac} and
+\methdx{frule_tac}.  These methods also let us specify which subgoal to
+operate on.  By default it is the first subgoal, as with nearly all
+methods, but we can specify that rule \isa{R} should be applied to subgoal
+number~$i$:
+\begin{isabelle}
+\ \ \ \ \ rule_tac\ [$i$] R
+\end{isabelle}
+
+
+
+\section{Unification and Substitution}\label{sec:unification}
+
+\index{unification|(}%
+As we have seen, Isabelle rules involve schematic variables, which begin with
+a question mark and act as
+placeholders for terms.  \textbf{Unification} --- well known to Prolog programmers --- is the act of
+making two terms identical, possibly replacing their schematic variables by
+terms.  The simplest case is when the two terms are already the same. Next
+simplest is \textbf{pattern-matching}, which replaces variables in only one of the
+terms.  The
+\isa{rule} method typically  matches the rule's conclusion
+against the current subgoal.  The
+\isa{assumption} method matches the current subgoal's conclusion
+against each of its assumptions.   Unification can instantiate variables in both terms; the \isa{rule} method can do this if the goal
+itself contains schematic variables.  Other occurrences of the variables in
+the rule or proof state are updated at the same time.
+
+Schematic variables in goals represent unknown terms.  Given a goal such
+as $\exists x.\,P$, they let us proceed with a proof.  They can be 
+filled in later, sometimes in stages and often automatically. 
+
+\begin{pgnote}
+If unification fails when you think it should succeed, try setting the Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
+\pgmenu{Trace Unification},
+which makes Isabelle show the cause of unification failures (in Proof
+General's \pgmenu{Trace} buffer).
+\end{pgnote}
+\noindent
+For example, suppose we are trying to prove this subgoal by assumption:
+\begin{isabelle}
+\ 1.\ P\ (a,\ f\ (b,\ g\ (e,\ a),\ b),\ a)\ \isasymLongrightarrow \ P\ (a,\ f\ (b,\ g\ (c,\ a),\ b),\ a)
+\end{isabelle}
+The \isa{assumption} method having failed, we try again with the flag set:
+\begin{isabelle}
+\isacommand{apply} assumption
+\end{isabelle}
+In this trivial case, the output clearly shows that \isa{e} clashes with \isa{c}:
+\begin{isabelle}
+Clash: e =/= c
+\end{isabelle}
+
+Isabelle uses
+\textbf{higher-order} unification, which works in the
+typed $\lambda$-calculus.  The procedure requires search and is potentially
+undecidable.  For our purposes, however, the differences from ordinary
+unification are straightforward.  It handles bound variables
+correctly, avoiding capture.  The two terms
+\isa{{\isasymlambda}x.\ f(x,z)} and \isa{{\isasymlambda}y.\ f(y,z)} are
+trivially unifiable because they differ only by a bound variable renaming.  The two terms \isa{{\isasymlambda}x.\ ?P} and
+\isa{{\isasymlambda}x.\ t x}  are not unifiable; replacing \isa{?P} by
+\isa{t x} is forbidden because the free occurrence of~\isa{x} would become
+bound.  Unfortunately, even if \isa{trace_unify_fail} is set, Isabelle displays no information about this type of failure.
+
+\begin{warn}
+Higher-order unification sometimes must invent
+$\lambda$-terms to replace function  variables,
+which can lead to a combinatorial explosion. However,  Isabelle proofs tend
+to involve easy cases where there are few possibilities for the
+$\lambda$-term being constructed. In the easiest case, the
+function variable is applied only to bound variables, 
+as when we try to unify \isa{{\isasymlambda}x\ y.\ f(?h x y)} and
+\isa{{\isasymlambda}x\ y.\ f(x+y+a)}.  The only solution is to replace
+\isa{?h} by \isa{{\isasymlambda}x\ y.\ x+y+a}.  Such cases admit at most
+one unifier, like ordinary unification.  A harder case is
+unifying \isa{?h a} with~\isa{a+b}; it admits two solutions for \isa{?h},
+namely \isa{{\isasymlambda}x.~a+b} and \isa{{\isasymlambda}x.~x+b}. 
+Unifying \isa{?h a} with~\isa{a+a+b} admits four solutions; their number is
+exponential in the number of occurrences of~\isa{a} in the second term.
+\end{warn}
+
+
+
+\subsection{Substitution and the {\tt\slshape subst} Method}
+\label{sec:subst}
+
+\index{substitution|(}%
+Isabelle also uses function variables to express \textbf{substitution}. 
+A typical substitution rule allows us to replace one term by 
+another if we know that two terms are equal. 
+\[ \infer{P[t/x]}{s=t & P[s/x]} \]
+The rule uses a notation for substitution: $P[t/x]$ is the result of
+replacing $x$ by~$t$ in~$P$.  The rule only substitutes in the positions
+designated by~$x$.  For example, it can
+derive symmetry of equality from reflexivity.  Using $x=s$ for~$P$
+replaces just the first $s$ in $s=s$ by~$t$:
+\[ \infer{t=s}{s=t & \infer{s=s}{}} \]
+
+The Isabelle version of the substitution rule looks like this: 
+\begin{isabelle}
+\isasymlbrakk?t\ =\ ?s;\ ?P\ ?s\isasymrbrakk\ \isasymLongrightarrow\ ?P\
+?t
+\rulenamedx{ssubst}
+\end{isabelle}
+Crucially, \isa{?P} is a function 
+variable.  It can be replaced by a $\lambda$-term 
+with one bound variable, whose occurrences identify the places 
+in which $s$ will be replaced by~$t$.  The proof above requires \isa{?P}
+to be replaced by \isa{{\isasymlambda}x.~x=s}; the second premise will then
+be \isa{s=s} and the conclusion will be \isa{t=s}.
+
+The \isa{simp} method also replaces equals by equals, but the substitution
+rule gives us more control.  Consider this proof: 
+\begin{isabelle}
+\isacommand{lemma}\
+"\isasymlbrakk x\ =\ f\ x;\ odd(f\ x)\isasymrbrakk\ \isasymLongrightarrow\
+odd\ x"\isanewline
+\isacommand{by}\ (erule\ ssubst)
+\end{isabelle}
+%
+The assumption \isa{x\ =\ f\ x}, if used for rewriting, would loop, 
+replacing \isa{x} by \isa{f x} and then by
+\isa{f(f x)} and so forth. (Here \isa{simp} 
+would see the danger and would re-orient the equality, but in more complicated
+cases it can be fooled.) When we apply the substitution rule,  
+Isabelle replaces every
+\isa{x} in the subgoal by \isa{f x} just once. It cannot loop.  The
+resulting subgoal is trivial by assumption, so the \isacommand{by} command
+proves it implicitly. 
+
+We are using the \isa{erule} method in a novel way. Hitherto, 
+the conclusion of the rule was just a variable such as~\isa{?R}, but it may
+be any term. The conclusion is unified with the subgoal just as 
+it would be with the \isa{rule} method. At the same time \isa{erule} looks 
+for an assumption that matches the rule's first premise, as usual.  With
+\isa{ssubst} the effect is to find, use and delete an equality 
+assumption.
+
+The \methdx{subst} method performs individual substitutions. In simple cases,
+it closely resembles a use of the substitution rule.  Suppose a
+proof has reached this point:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \ \isasymLongrightarrow \ f\ z\ =\ x\ *\ y%
+\end{isabelle}
+Now we wish to apply a commutative law:
+\begin{isabelle}
+?m\ *\ ?n\ =\ ?n\ *\ ?m%
+\rulename{mult_commute}
+\end{isabelle}
+Isabelle rejects our first attempt:
+\begin{isabelle}
+apply (simp add: mult_commute)
+\end{isabelle}
+The simplifier notices the danger of looping and refuses to apply the
+rule.%
+\footnote{More precisely, it only applies such a rule if the new term is
+smaller under a specified ordering; here, \isa{x\ *\ y}
+is already smaller than
+\isa{y\ *\ x}.}
+%
+The \isa{subst} method applies \isa{mult_commute} exactly once.  
+\begin{isabelle}
+\isacommand{apply}\ (subst\ mult_commute)\isanewline
+\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \
+\isasymLongrightarrow \ f\ z\ =\ y\ *\ x%
+\end{isabelle}
+As we wanted, \isa{x\ *\ y} has become \isa{y\ *\ x}.
+
+\medskip
+This use of the \methdx{subst} method has the same effect as the command
+\begin{isabelle}
+\isacommand{apply}\ (rule\ mult_commute [THEN ssubst])
+\end{isabelle}
+The attribute \isa{THEN}, which combines two rules, is described in 
+{\S}\ref{sec:THEN} below. The \methdx{subst} method is more powerful than
+applying the substitution rule. It can perform substitutions in a subgoal's
+assumptions. Moreover, if the subgoal contains more than one occurrence of
+the left-hand side of the equality, the \methdx{subst} method lets us specify which occurrence should be replaced.
+
+
+\subsection{Unification and Its Pitfalls}
+
+Higher-order unification can be tricky.  Here is an example, which you may
+want to skip on your first reading:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\
+f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{apply}\ (erule\ ssubst)\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{apply}\ assumption\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+By default, Isabelle tries to substitute for all the 
+occurrences.  Applying \isa{erule\ ssubst} yields this subgoal:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ (f\ x)
+\end{isabelle}
+The substitution should have been done in the first two occurrences 
+of~\isa{x} only. Isabelle has gone too far. The \commdx{back}
+command allows us to reject this possibility and demand a new one: 
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ (f\ x)\ (f\ x)
+\end{isabelle}
+%
+Now Isabelle has left the first occurrence of~\isa{x} alone. That is 
+promising but it is not the desired combination. So we use \isacommand{back} 
+again:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ x\ (f\ x)
+\end{isabelle}
+%
+This also is wrong, so we use \isacommand{back} again: 
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ x\ (f\ x)
+\end{isabelle}
+%
+And this one is wrong too. Looking carefully at the series 
+of alternatives, we see a binary countdown with reversed bits: 111,
+011, 101, 001.  Invoke \isacommand{back} again: 
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ x%
+\end{isabelle}
+At last, we have the right combination!  This goal follows by assumption.%
+\index{unification|)}
+
+\medskip
+This example shows that unification can do strange things with
+function variables.  We were forced to select the right unifier using the
+\isacommand{back} command.  That is all right during exploration, but \isacommand{back}
+should never appear in the final version of a proof.  You can eliminate the
+need for \isacommand{back} by giving Isabelle less freedom when you apply a rule.
+
+One way to constrain the inference is by joining two methods in a 
+\isacommand{apply} command. Isabelle  applies the first method and then the
+second. If the second method  fails then Isabelle automatically backtracks.
+This process continues until  the first method produces an output that the
+second method can  use. We get a one-line proof of our example: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{apply}\ (erule\ ssubst,\ assumption)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+\noindent
+The \isacommand{by} command works too, since it backtracks when
+proving subgoals by assumption:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{by}\ (erule\ ssubst)
+\end{isabelle}
+
+
+The most general way to constrain unification is 
+by instantiating variables in the rule.  The method \isa{rule_tac} is
+similar to \isa{rule}, but it
+makes some of the rule's variables  denote specified terms.  
+Also available are {\isa{drule_tac}}  and \isa{erule_tac}.  Here we need
+\isa{erule_tac} since above we used \isa{erule}.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\ \isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{by}\ (erule_tac\ P = "\isasymlambda u.\ triple\ u\ u\ x"\ 
+\isakeyword{in}\ ssubst)
+\end{isabelle}
+%
+To specify a desired substitution 
+requires instantiating the variable \isa{?P} with a $\lambda$-expression. 
+The bound variable occurrences in \isa{{\isasymlambda}u.\ P\ u\
+u\ x} indicate that the first two arguments have to be substituted, leaving
+the third unchanged.  With this instantiation, backtracking is neither necessary
+nor possible.
+
+An alternative to \isa{rule_tac} is to use \isa{rule} with a theorem
+modified using~\isa{of}, described in
+{\S}\ref{sec:forward} below.   But \isa{rule_tac}, unlike \isa{of}, can 
+express instantiations that refer to 
+\isasymAnd-bound variables in the current subgoal.%
+\index{substitution|)}
+
+
+\section{Quantifiers}
+
+\index{quantifiers!universal|(}%
+Quantifiers require formalizing syntactic substitution and the notion of 
+arbitrary value.  Consider the universal quantifier.  In a logic
+book, its introduction  rule looks like this: 
+\[ \infer{\forall x.\,P}{P} \]
+Typically, a proviso written in English says that $x$ must not
+occur in the assumptions.  This proviso guarantees that $x$ can be regarded as
+arbitrary, since it has not been assumed to satisfy any special conditions. 
+Isabelle's  underlying formalism, called the
+\bfindex{meta-logic}, eliminates the  need for English.  It provides its own
+universal quantifier (\isasymAnd) to express the notion of an arbitrary value.
+We have already seen  another operator of the meta-logic, namely
+\isa\isasymLongrightarrow, which expresses  inference rules and the treatment
+of assumptions. The only other operator in the meta-logic is \isa\isasymequiv,
+which can be used to define constants.
+
+\subsection{The Universal Introduction Rule}
+
+Returning to the universal quantifier, we find that having a similar quantifier
+as part of the meta-logic makes the introduction rule trivial to express:
+\begin{isabelle}
+(\isasymAnd x.\ ?P\ x)\ \isasymLongrightarrow\ {\isasymforall}x.\ ?P\ x\rulenamedx{allI}
+\end{isabelle}
+
+
+The following trivial proof demonstrates how the universal introduction 
+rule works. 
+\begin{isabelle}
+\isacommand{lemma}\ "{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ x"\isanewline
+\isacommand{apply}\ (rule\ allI)\isanewline
+\isacommand{by}\ (rule\ impI)
+\end{isabelle}
+The first step invokes the rule by applying the method \isa{rule allI}. 
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ P\ x\ \isasymlongrightarrow\ P\ x
+\end{isabelle}
+Note  that the resulting proof state has a bound variable,
+namely~\isa{x}.  The rule has replaced the universal quantifier of
+higher-order  logic by Isabelle's meta-level quantifier.  Our goal is to
+prove
+\isa{P\ x\ \isasymlongrightarrow\ P\ x} for arbitrary~\isa{x}; it is 
+an implication, so we apply the corresponding introduction rule (\isa{impI}). 
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow\ P\ x
+\end{isabelle}
+This last subgoal is implicitly proved by assumption. 
+
+\subsection{The Universal Elimination Rule}
+
+Now consider universal elimination. In a logic text, 
+the rule looks like this: 
+\[ \infer{P[t/x]}{\forall x.\,P} \]
+The conclusion is $P$ with $t$ substituted for the variable~$x$.  
+Isabelle expresses substitution using a function variable: 
+\begin{isabelle}
+{\isasymforall}x.\ ?P\ x\ \isasymLongrightarrow\ ?P\ ?x\rulenamedx{spec}
+\end{isabelle}
+This destruction rule takes a 
+universally quantified formula and removes the quantifier, replacing 
+the bound variable \isa{x} by the schematic variable \isa{?x}.  Recall that a
+schematic variable starts with a question mark and acts as a
+placeholder: it can be replaced by any term.  
+
+The universal elimination rule is also
+available in the standard elimination format.  Like \isa{conjE}, it never
+appears in logic books:
+\begin{isabelle}
+\isasymlbrakk \isasymforall x.\ ?P\ x;\ ?P\ ?x\ \isasymLongrightarrow \ ?R\isasymrbrakk \ \isasymLongrightarrow \ ?R%
+\rulenamedx{allE}
+\end{isabelle}
+The methods \isa{drule~spec} and \isa{erule~allE} do precisely the
+same inference.
+
+To see how $\forall$-elimination works, let us derive a rule about reducing 
+the scope of a universal quantifier.  In mathematical notation we write
+\[ \infer{P\imp\forall x.\,Q}{\forall x.\,P\imp Q} \]
+with the proviso ``$x$ not free in~$P$.''  Isabelle's treatment of
+substitution makes the proviso unnecessary.  The conclusion is expressed as
+\isa{P\
+\isasymlongrightarrow\ ({\isasymforall}x.\ Q\ x)}. No substitution for the
+variable \isa{P} can introduce a dependence upon~\isa{x}: that would be a
+bound variable capture.  Let us walk through the proof.
+\begin{isabelle}
+\isacommand{lemma}\ "(\isasymforall x.\ P\ \isasymlongrightarrow \ Q\ x)\
+\isasymLongrightarrow \ P\ \isasymlongrightarrow \ (\isasymforall x.\ Q\
+x)"
+\end{isabelle}
+First we apply implies introduction (\isa{impI}), 
+which moves the \isa{P} from the conclusion to the assumptions. Then 
+we apply universal introduction (\isa{allI}).  
+\begin{isabelle}
+\isacommand{apply}\ (rule\ impI,\ rule\ allI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymforall}x.\ P\ \isasymlongrightarrow\ Q\
+x;\ P\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
+\end{isabelle}
+As before, it replaces the HOL 
+quantifier by a meta-level quantifier, producing a subgoal that 
+binds the variable~\isa{x}.  The leading bound variables
+(here \isa{x}) and the assumptions (here \isa{{\isasymforall}x.\ P\
+\isasymlongrightarrow\ Q\ x} and \isa{P}) form the \textbf{context} for the
+conclusion, here \isa{Q\ x}.  Subgoals inherit the context,
+although assumptions can be added or deleted (as we saw
+earlier), while rules such as \isa{allI} add bound variables.
+
+Now, to reason from the universally quantified 
+assumption, we apply the elimination rule using the \isa{drule} 
+method.  This rule is called \isa{spec} because it specializes a universal formula
+to a particular term.
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ P\ \isasymlongrightarrow\ Q\ (?x2\
+x)\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
+\end{isabelle}
+Observe how the context has changed.  The quantified formula is gone,
+replaced by a new assumption derived from its body.  We have
+removed the quantifier and replaced the bound variable
+by the curious term 
+\isa{?x2~x}.  This term is a placeholder: it may become any term that can be
+built from~\isa{x}.  (Formally, \isa{?x2} is an unknown of function type, applied
+to the argument~\isa{x}.)  This new assumption is an implication, so we can  use
+\emph{modus ponens} on it, which concludes the proof. 
+\begin{isabelle}
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+Let us take a closer look at this last step.  \emph{Modus ponens} yields
+two subgoals: one where we prove the antecedent (in this case \isa{P}) and
+one where we may assume the consequent.  Both of these subgoals are proved
+by the
+\isa{assumption} method, which is implicit in the
+\isacommand{by} command.  Replacing the \isacommand{by} command by 
+\isa{\isacommand{apply} (drule\ mp, assumption)} would have left one last
+subgoal:
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ Q\ (?x2\ x)\isasymrbrakk\
+\isasymLongrightarrow\ Q\ x
+\end{isabelle}
+The consequent is \isa{Q} applied to that placeholder.  It may be replaced by any
+term built from~\isa{x}, and here 
+it should simply be~\isa{x}.  The assumption need not
+be identical to the conclusion, provided the two formulas are unifiable.%
+\index{quantifiers!universal|)}  
+
+
+\subsection{The Existential Quantifier}
+
+\index{quantifiers!existential|(}%
+The concepts just presented also apply
+to the existential quantifier, whose introduction rule looks like this in
+Isabelle: 
+\begin{isabelle}
+?P\ ?x\ \isasymLongrightarrow\ {\isasymexists}x.\ ?P\ x\rulenamedx{exI}
+\end{isabelle}
+If we can exhibit some $x$ such that $P(x)$ is true, then $\exists x.
+P(x)$ is also true.  It is a dual of the universal elimination rule, and
+logic texts present it using the same notation for substitution.
+
+The existential
+elimination rule looks like this
+in a logic text: 
+\[ \infer{Q}{\exists x.\,P & \infer*{Q}{[P]}} \]
+%
+It looks like this in Isabelle: 
+\begin{isabelle}
+\isasymlbrakk{\isasymexists}x.\ ?P\ x;\ \isasymAnd x.\ ?P\ x\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?Q\rulenamedx{exE}
+\end{isabelle}
+%
+Given an existentially quantified theorem and some
+formula $Q$ to prove, it creates a new assumption by removing the quantifier.  As with
+the universal introduction  rule, the textbook version imposes a proviso on the
+quantified variable, which Isabelle expresses using its meta-logic.  It is
+enough to have a universal quantifier in the meta-logic; we do not need an existential
+quantifier to be built in as well.
+ 
+
+\begin{exercise}
+Prove the lemma
+\[ \exists x.\, P\conj Q(x)\Imp P\conj(\exists x.\, Q(x)). \]
+\emph{Hint}: the proof is similar 
+to the one just above for the universal quantifier. 
+\end{exercise}
+\index{quantifiers!existential|)}
+
+
+\subsection{Renaming a Bound Variable: {\tt\slshape rename_tac}}
+
+\index{assumptions!renaming|(}\index{*rename_tac (method)|(}%
+When you apply a rule such as \isa{allI}, the quantified variable
+becomes a new bound variable of the new subgoal.  Isabelle tries to avoid
+changing its name, but sometimes it has to choose a new name in order to
+avoid a clash.  The result may not be ideal:
+\begin{isabelle}
+\isacommand{lemma}\ "x\ <\ y\ \isasymLongrightarrow \ \isasymforall x\ y.\ P\ x\
+(f\ y)"\isanewline
+\isacommand{apply}\ (intro allI)\isanewline
+\ 1.\ \isasymAnd xa\ ya.\ x\ <\ y\ \isasymLongrightarrow \ P\ xa\ (f\ ya)
+\end{isabelle}
+%
+The names \isa{x} and \isa{y} were already in use, so the new bound variables are
+called \isa{xa} and~\isa{ya}.  You can rename them by invoking \isa{rename_tac}:
+
+\begin{isabelle}
+\isacommand{apply}\ (rename_tac\ v\ w)\isanewline
+\ 1.\ \isasymAnd v\ w.\ x\ <\ y\ \isasymLongrightarrow \ P\ v\ (f\ w)
+\end{isabelle}
+Recall that \isa{rule_tac}\index{*rule_tac (method)!and renaming} 
+instantiates a
+theorem with specified terms.  These terms may involve the goal's bound
+variables, but beware of referring to  variables
+like~\isa{xa}.  A future change to your theories could change the set of names
+produced at top level, so that \isa{xa} changes to~\isa{xb} or reverts to~\isa{x}.
+It is safer to rename automatically-generated variables before mentioning them.
+
+If the subgoal has more bound variables than there are names given to
+\isa{rename_tac}, the rightmost ones are renamed.%
+\index{assumptions!renaming|)}\index{*rename_tac (method)|)}
+
+
+\subsection{Reusing an Assumption: {\tt\slshape frule}}
+\label{sec:frule}
+
+\index{assumptions!reusing|(}\index{*frule (method)|(}%
+Note that \isa{drule spec} removes the universal quantifier and --- as
+usual with elimination rules --- discards the original formula.  Sometimes, a
+universal formula has to be kept so that it can be used again.  Then we use a new
+method: \isa{frule}.  It acts like \isa{drule} but copies rather than replaces
+the selected assumption.  The \isa{f} is for \emph{forward}.
+
+In this example, going from \isa{P\ a} to \isa{P(h(h~a))}
+requires two uses of the quantified assumption, one for each~\isa{h}
+in~\isa{h(h~a)}.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);
+\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P(h\ (h\ a))"
+\end{isabelle}
+%
+Examine the subgoal left by \isa{frule}:
+\begin{isabelle}
+\isacommand{apply}\ (frule\ spec)\isanewline
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ ?x\ \isasymlongrightarrow\ P\ (h\ ?x)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+It is what \isa{drule} would have left except that the quantified
+assumption is still present.  Next we apply \isa{mp} to the
+implication and the assumption~\isa{P\ a}:
+\begin{isabelle}
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+%
+We have created the assumption \isa{P(h\ a)}, which is progress.  To
+continue the proof, we apply \isa{spec} again.  We shall not need it
+again, so we can use
+\isa{drule}.
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ ?x2\ 
+\isasymlongrightarrow \ P\ (h\ ?x2)\isasymrbrakk \ \isasymLongrightarrow \
+P\ (h\ (h\ a))
+\end{isabelle}
+%
+The new assumption bridges the gap between \isa{P(h\ a)} and \isa{P(h(h\ a))}.
+\begin{isabelle}
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+
+\medskip
+\emph{A final remark}.  Replacing this \isacommand{by} command with
+\begin{isabelle}
+\isacommand{apply}\ (drule\ mp,\ assumption)
+\end{isabelle}
+would not work: it would add a second copy of \isa{P(h~a)} instead
+of the desired assumption, \isa{P(h(h~a))}.  The \isacommand{by}
+command forces Isabelle to backtrack until it finds the correct one.
+Alternatively, we could have used the \isacommand{apply} command and bundled the
+\isa{drule mp} with \emph{two} calls of \isa{assumption}.  Or, of course,
+we could have given the entire proof to \isa{auto}.%
+\index{assumptions!reusing|)}\index{*frule (method)|)}
+
+
+
+\subsection{Instantiating a Quantifier Explicitly}
+\index{quantifiers!instantiating}
+
+We can prove a theorem of the form $\exists x.\,P\, x$ by exhibiting a
+suitable term~$t$ such that $P\,t$ is true.  Dually, we can use an
+assumption of the form $\forall x.\,P\, x$ to generate a new assumption $P\,t$ for
+a suitable term~$t$.  In many cases, 
+Isabelle makes the correct choice automatically, constructing the term by
+unification.  In other cases, the required term is not obvious and we must
+specify it ourselves.  Suitable methods are \isa{rule_tac}, \isa{drule_tac}
+and \isa{erule_tac}.
+
+We have seen (just above, {\S}\ref{sec:frule}) a proof of this lemma:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk \isasymforall x.\ P\ x\
+\isasymlongrightarrow \ P\ (h\ x);\ P\ a\isasymrbrakk \
+\isasymLongrightarrow \ P(h\ (h\ a))"
+\end{isabelle}
+We had reached this subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\
+x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+%
+The proof requires instantiating the quantified assumption with the
+term~\isa{h~a}.
+\begin{isabelle}
+\isacommand{apply}\ (drule_tac\ x\ =\ "h\ a"\ \isakeyword{in}\
+spec)\isanewline
+\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ (h\ a)\ \isasymlongrightarrow \
+P\ (h\ (h\ a))\isasymrbrakk \ \isasymLongrightarrow \ P\ (h\ (h\ a))
+\end{isabelle}
+We have forced the desired instantiation.
+
+\medskip
+Existential formulas can be instantiated too.  The next example uses the 
+\textbf{divides} relation\index{divides relation}
+of number theory: 
+\begin{isabelle}
+?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
+\rulename{dvd_def}
+\end{isabelle}
+
+Let us prove that multiplication of natural numbers is monotone with
+respect to the divides relation:
+\begin{isabelle}
+\isacommand{lemma}\ mult_dvd_mono:\ "{\isasymlbrakk}i\ dvd\ m;\ j\ dvd\
+n\isasymrbrakk\ \isasymLongrightarrow\ i*j\ dvd\ (m*n\ ::\ nat)"\isanewline
+\isacommand{apply}\ (simp\ add:\ dvd_def)
+\end{isabelle}
+%
+Unfolding the definition of divides has left this subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk \isasymexists k.\ m\ =\ i\ *\ k;\ \isasymexists k.\ n\
+=\ j\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\
+n\ =\ i\ *\ j\ *\ k
+\end{isabelle}
+%
+Next, we eliminate the two existential quantifiers in the assumptions:
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd k.\ \isasymlbrakk \isasymexists k.\ n\ =\ j\ *\ k;\ m\ =\
+i\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\
+=\ i\ *\ j\ *\ k%
+\isanewline
+\isacommand{apply}\ (erule\ exE)
+\isanewline
+\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
+ka\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\
+*\ j\ *\ k
+\end{isabelle}
+%
+The term needed to instantiate the remaining quantifier is~\isa{k*ka}.  But
+\isa{ka} is an automatically-generated name.  As noted above, references to
+such variable names makes a proof less resilient to future changes.  So,
+first we rename the most recent variable to~\isa{l}:
+\begin{isabelle}
+\isacommand{apply}\ (rename_tac\ l)\isanewline
+\ 1.\ \isasymAnd k\ l.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\ l\isasymrbrakk \
+\isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\ *\ j\ *\ k%
+\end{isabelle}
+
+We instantiate the quantifier with~\isa{k*l}:
+\begin{isabelle}
+\isacommand{apply}\ (rule_tac\ x="k*l"\ \isakeyword{in}\ exI)\ \isanewline
+\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
+ka\isasymrbrakk \ \isasymLongrightarrow \ m\ *\ n\ =\ i\
+*\ j\ *\ (k\ *\ ka)
+\end{isabelle}
+%
+The rest is automatic, by arithmetic.
+\begin{isabelle}
+\isacommand{apply}\ simp\isanewline
+\isacommand{done}\isanewline
+\end{isabelle}
+
+
+
+\section{Description Operators}
+\label{sec:SOME}
+
+\index{description operators|(}%
+HOL provides two description operators.
+A \textbf{definite description} formalizes the word ``the,'' as in
+``the greatest divisior of~$n$.''
+It returns an arbitrary value unless the formula has a unique solution.
+An \textbf{indefinite description} formalizes the word ``some,'' as in
+``some member of~$S$.''  It differs from a definite description in not
+requiring the solution to be unique: it uses the axiom of choice to pick any
+solution. 
+
+\begin{warn}
+Description operators can be hard to reason about.  Novices
+should try to avoid them.  Fortunately, descriptions are seldom required.
+\end{warn}
+
+\subsection{Definite Descriptions}
+
+\index{descriptions!definite}%
+A definite description is traditionally written $\iota x.  P(x)$.  It denotes
+the $x$ such that $P(x)$ is true, provided there exists a unique such~$x$;
+otherwise, it returns an arbitrary value of the expected type.
+Isabelle uses \sdx{THE} for the Greek letter~$\iota$.  
+
+%(The traditional notation could be provided, but it is not legible on screen.)
+
+We reason using this rule, where \isa{a} is the unique solution:
+\begin{isabelle}
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \ 
+\isasymLongrightarrow \ (THE\ x.\ P\ x)\ =\ a%
+\rulenamedx{the_equality}
+\end{isabelle}
+For instance, we can define the
+cardinality of a finite set~$A$ to be that
+$n$ such that $A$ is in one-to-one correspondence with $\{1,\ldots,n\}$.  We can then
+prove that the cardinality of the empty set is zero (since $n=0$ satisfies the
+description) and proceed to prove other facts.
+
+A more challenging example illustrates how Isabelle/HOL defines the least number
+operator, which denotes the least \isa{x} satisfying~\isa{P}:%
+\index{least number operator|see{\protect\isa{LEAST}}}
+\begin{isabelle}
+(LEAST\ x.\ P\ x)\ = (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\
+P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))
+\end{isabelle}
+%
+Let us prove the analogue of \isa{the_equality} for \sdx{LEAST}\@.
+\begin{isabelle}
+\isacommand{theorem}\ Least_equality:\isanewline
+\ \ \ \ \ "\isasymlbrakk P\ (k::nat);\ \ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ (LEAST\ x.\ P\ x)\ =\ k"\isanewline
+\isacommand{apply}\ (simp\ add:\ Least_def)\isanewline
+\isanewline
+\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))\ =\ k%
+\end{isabelle}
+The first step has merely unfolded the definition.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ the_equality)\isanewline
+\isanewline
+\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\
+\isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ P\ k\ \isasymand \
+(\isasymforall y.\ P\ y\ \isasymlongrightarrow \ k\ \isasymle \ y)\isanewline
+\ 2.\ \isasymAnd x.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x;\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y)\isasymrbrakk \isanewline
+\ \ \ \ \ \ \ \ \isasymLongrightarrow \ x\ =\ k%
+\end{isabelle}
+As always with \isa{the_equality}, we must show existence and
+uniqueness of the claimed solution,~\isa{k}.  Existence, the first
+subgoal, is trivial.  Uniqueness, the second subgoal, follows by antisymmetry:
+\begin{isabelle}
+\isasymlbrakk x\ \isasymle \ y;\ y\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ x\ =\ y%
+\rulename{order_antisym}
+\end{isabelle}
+The assumptions imply both \isa{k~\isasymle~x} and \isa{x~\isasymle~k}.  One
+call to \isa{auto} does it all: 
+\begin{isabelle}
+\isacommand{by}\ (auto\ intro:\ order_antisym)
+\end{isabelle}
+
+
+\subsection{Indefinite Descriptions}
+
+\index{Hilbert's $\varepsilon$-operator}%
+\index{descriptions!indefinite}%
+An indefinite description is traditionally written $\varepsilon x. P(x)$ and is
+known as Hilbert's $\varepsilon$-operator.  It denotes
+some $x$ such that $P(x)$ is true, provided one exists.
+Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.
+
+Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_into}, which we ignore here.} which expresses inverses of
+functions:
+\begin{isabelle}
+inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
+\rulename{inv_def}
+\end{isabelle}
+Using \isa{SOME} rather than \isa{THE} makes \isa{inv~f} behave well
+even if \isa{f} is not injective.  As it happens, most useful theorems about
+\isa{inv} do assume the function to be injective.
+
+The inverse of \isa{f}, when applied to \isa{y}, returns some~\isa{x} such that
+\isa{f~x~=~y}.  For example, we can prove \isa{inv~Suc} really is the inverse
+of the \isa{Suc} function 
+\begin{isabelle}
+\isacommand{lemma}\ "inv\ Suc\ (Suc\ n)\ =\ n"\isanewline
+\isacommand{by}\ (simp\ add:\ inv_def)
+\end{isabelle}
+
+\noindent
+The proof is a one-liner: the subgoal simplifies to a degenerate application of
+\isa{SOME}, which is then erased.  In detail, the left-hand side simplifies
+to \isa{SOME\ x.\ Suc\ x\ =\ Suc\ n}, then to \isa{SOME\ x.\ x\ =\ n} and
+finally to~\isa{n}.  
+
+We know nothing about what
+\isa{inv~Suc} returns when applied to zero.  The proof above still treats
+\isa{SOME} as a definite description, since it only reasons about
+situations in which the value is described uniquely.  Indeed, \isa{SOME}
+satisfies this rule:
+\begin{isabelle}
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \ 
+\isasymLongrightarrow \ (SOME\ x.\ P\ x)\ =\ a%
+\rulenamedx{some_equality}
+\end{isabelle}
+To go further is
+tricky and requires rules such as these:
+\begin{isabelle}
+P\ x\ \isasymLongrightarrow \ P\ (SOME\ x.\ P\ x)
+\rulenamedx{someI}\isanewline
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ Q\
+x\isasymrbrakk \ \isasymLongrightarrow \ Q\ (SOME\ x.\ P\ x)
+\rulenamedx{someI2}
+\end{isabelle}
+Rule \isa{someI} is basic: if anything satisfies \isa{P} then so does
+\hbox{\isa{SOME\ x.\ P\ x}}.  The repetition of~\isa{P} in the conclusion makes it
+difficult to apply in a backward proof, so the derived rule \isa{someI2} is
+also provided. 
+
+\medskip
+For example, let us prove the \rmindex{axiom of choice}:
+\begin{isabelle}
+\isacommand{theorem}\ axiom_of_choice:
+\ "(\isasymforall x.\ \isasymexists y.\ P\ x\ y)\ \isasymLongrightarrow \
+\isasymexists f.\ \isasymforall x.\ P\ x\ (f\ x)"\isanewline
+\isacommand{apply}\ (rule\ exI,\ rule\ allI)\isanewline
+
+\ 1.\ \isasymAnd x.\ \isasymforall x.\ \isasymexists y.\ P\ x\ y\
+\isasymLongrightarrow \ P\ x\ (?f\ x)
+\end{isabelle}
+%
+We have applied the introduction rules; now it is time to apply the elimination
+rules.
+
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec,\ erule\ exE)\isanewline
+
+\ 1.\ \isasymAnd x\ y.\ P\ (?x2\ x)\ y\ \isasymLongrightarrow \ P\ x\ (?f\ x)
+\end{isabelle}
+
+\noindent
+The rule \isa{someI} automatically instantiates
+\isa{f} to \hbox{\isa{\isasymlambda x.\ SOME y.\ P\ x\ y}}, which is the choice
+function.  It also instantiates \isa{?x2\ x} to \isa{x}.
+\begin{isabelle}
+\isacommand{by}\ (rule\ someI)\isanewline
+\end{isabelle}
+
+\subsubsection{Historical Note}
+The original purpose of Hilbert's $\varepsilon$-operator was to express an
+existential destruction rule:
+\[ \infer{P[(\varepsilon x. P) / \, x]}{\exists x.\,P} \]
+This rule is seldom used for that purpose --- it can cause exponential
+blow-up --- but it is occasionally used as an introduction rule
+for the~$\varepsilon$-operator.  Its name in HOL is \tdxbold{someI_ex}.%%
+\index{description operators|)}
+
+
+\section{Some Proofs That Fail}
+
+\index{proofs!examples of failing|(}%
+Most of the examples in this tutorial involve proving theorems.  But not every 
+conjecture is true, and it can be instructive to see how  
+proofs fail. Here we attempt to prove a distributive law involving 
+the existential quantifier and conjunction. 
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymexists}x.\ P\ x)\ \isasymand\ 
+({\isasymexists}x.\ Q\ x)\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\
+\isasymand\ Q\ x"
+\end{isabelle}
+The first steps are  routine.  We apply conjunction elimination to break
+the assumption into two existentially quantified assumptions. 
+Applying existential elimination removes one of the quantifiers. 
+\begin{isabelle}
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymexists}x.\ Q\ x;\ P\ x\isasymrbrakk\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+%
+When we remove the other quantifier, we get a different bound 
+variable in the subgoal.  (The name \isa{xa} is generated automatically.)
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+The proviso of the existential elimination rule has forced the variables to
+differ: we can hardly expect two arbitrary values to be equal!  There is
+no way to prove this subgoal.  Removing the
+conclusion's existential quantifier yields two
+identical placeholders, which can become  any term involving the variables \isa{x}
+and~\isa{xa}.  We need one to become \isa{x}
+and the other to become~\isa{xa}, but Isabelle requires all instances of a
+placeholder to be identical. 
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ P\ (?x3\ x\ xa)\isanewline
+\ 2.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\ \isasymLongrightarrow\ Q\ (?x3\ x\ xa)
+\end{isabelle}
+We can prove either subgoal 
+using the \isa{assumption} method.  If we prove the first one, the placeholder
+changes into~\isa{x}. 
+\begin{isabelle}
+\ \isacommand{apply}\ assumption\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ Q\ x
+\end{isabelle}
+We are left with a subgoal that cannot be proved.  Applying the \isa{assumption}
+method results in an error message:
+\begin{isabelle}
+*** empty result sequence -- proof command failed
+\end{isabelle}
+When interacting with Isabelle via the shell interface,
+you can abandon a proof using the \isacommand{oops} command.
+
+\medskip 
+
+Here is another abortive proof, illustrating the interaction between 
+bound variables and unknowns.  
+If $R$ is a reflexive relation, 
+is there an $x$ such that $R\,x\,y$ holds for all $y$?  Let us see what happens when
+we attempt to prove it. 
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymforall y.\ R\ y\ y\ \isasymLongrightarrow 
+\ \isasymexists x.\ \isasymforall y.\ R\ x\ y"
+\end{isabelle}
+First,  we remove the existential quantifier. The new proof state has  an
+unknown, namely~\isa{?x}. 
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\ 1.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ \isasymforall y.\ R\ ?x\ y%
+\end{isabelle}
+It looks like we can just apply \isa{assumption}, but it fails.  Isabelle
+refuses to substitute \isa{y}, a bound variable, for~\isa{?x}; that would be
+a bound variable capture.  We can still try to finish the proof in some
+other way. We remove the universal quantifier  from the conclusion, moving
+the bound variable~\isa{y} into the subgoal.  But note that it is still
+bound!
+\begin{isabelle}
+\isacommand{apply}\ (rule\ allI)\isanewline
+\ 1.\ \isasymAnd y.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ R\ ?x\ y%
+\end{isabelle}
+Finally, we try to apply our reflexivity assumption.  We obtain a 
+new assumption whose identical placeholders may be replaced by 
+any term involving~\isa{y}. 
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymAnd y.\ R\ (?z2\ y)\ (?z2\ y)\ \isasymLongrightarrow\ R\ ?x\ y
+\end{isabelle}
+This subgoal can only be proved by putting \isa{y} for all the placeholders,
+making the assumption and conclusion become \isa{R\ y\ y}.  Isabelle can
+replace \isa{?z2~y} by \isa{y}; this involves instantiating
+\isa{?z2} to the identity function.  But, just as two steps earlier,
+Isabelle refuses to substitute~\isa{y} for~\isa{?x}.
+This example is typical of how Isabelle enforces sound quantifier reasoning. 
+\index{proofs!examples of failing|)}
+
+\section{Proving Theorems Using the {\tt\slshape blast} Method}
+
+\index{*blast (method)|(}%
+It is hard to prove many theorems using the methods 
+described above. A proof may be hundreds of steps long.  You 
+may need to search among different ways of proving certain 
+subgoals. Often a choice that proves one subgoal renders another 
+impossible to prove.  There are further complications that we have not
+discussed, concerning negation and disjunction.  Isabelle's
+\textbf{classical reasoner} is a family of tools that perform such
+proofs automatically.  The most important of these is the 
+\isa{blast} method. 
+
+In this section, we shall first see how to use the classical 
+reasoner in its default mode and then how to insert additional 
+rules, enabling it to work in new problem domains. 
+
+ We begin with examples from pure predicate logic. The following 
+example is known as Andrew's challenge. Peter Andrews designed 
+it to be hard to prove by automatic means.
+It is particularly hard for a resolution prover, where 
+converting the nested biconditionals to
+clause form produces a combinatorial
+explosion~\cite{pelletier86}. However, the
+\isa{blast} method proves it in a fraction  of a second. 
+\begin{isabelle}
+\isacommand{lemma}\
+"(({\isasymexists}x.\
+{\isasymforall}y.\
+p(x){=}p(y))\
+=\
+(({\isasymexists}x.\
+q(x))=({\isasymforall}y.\
+p(y))))\
+\ \ =\ \ \ \ \isanewline
+\ \ \ \ \ \ \ \
+(({\isasymexists}x.\
+{\isasymforall}y.\
+q(x){=}q(y))\ =\ (({\isasymexists}x.\ p(x))=({\isasymforall}y.\ q(y))))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+The next example is a logic problem composed by Lewis Carroll. 
+The \isa{blast} method finds it trivial. Moreover, it turns out 
+that not all of the assumptions are necessary. We can  
+experiment with variations of this formula and see which ones 
+can be proved. 
+\begin{isabelle}
+\isacommand{lemma}\
+"({\isasymforall}x.\
+honest(x)\ \isasymand\
+industrious(x)\ \isasymlongrightarrow\
+healthy(x))\
+\isasymand\ \ \isanewline
+\ \ \ \ \ \ \ \ \isasymnot\ ({\isasymexists}x.\
+grocer(x)\ \isasymand\
+healthy(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+industrious(x)\ \isasymand\
+grocer(x)\ \isasymlongrightarrow\
+honest(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+cyclist(x)\ \isasymlongrightarrow\
+industrious(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+{\isasymnot}healthy(x)\ \isasymand\
+cyclist(x)\ \isasymlongrightarrow\
+{\isasymnot}honest(x))\
+\ \isanewline
+\ \ \ \ \ \ \ \ \isasymlongrightarrow\
+({\isasymforall}x.\
+grocer(x)\ \isasymlongrightarrow\
+{\isasymnot}cyclist(x))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+The \isa{blast} method is also effective for set theory, which is
+described in the next chapter.  The formula below may look horrible, but
+the \isa{blast} method proves it in milliseconds. 
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymUnion}i{\isasymin}I.\ A(i))\ \isasyminter\ ({\isasymUnion}j{\isasymin}J.\ B(j))\ =\isanewline
+\ \ \ \ \ \ \ \ ({\isasymUnion}i{\isasymin}I.\ {\isasymUnion}j{\isasymin}J.\ A(i)\ \isasyminter\ B(j))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+Few subgoals are couched purely in predicate logic and set theory.
+We can extend the scope of the classical reasoner by giving it new rules. 
+Extending it effectively requires understanding the notions of
+introduction, elimination and destruction rules.  Moreover, there is a
+distinction between  safe and unsafe rules. A 
+\textbf{safe}\indexbold{safe rules} rule is one that can be applied 
+backwards without losing information; an
+\textbf{unsafe}\indexbold{unsafe rules} rule loses  information, perhaps
+transforming the subgoal into one that cannot be proved.  The safe/unsafe
+distinction affects the proof search: if a proof attempt fails, the
+classical reasoner backtracks to the most recent unsafe rule application
+and makes another choice. 
+
+An important special case avoids all these complications.  A logical 
+equivalence, which in higher-order logic is an equality between 
+formulas, can be given to the classical 
+reasoner and simplifier by using the attribute \attrdx{iff}.  You 
+should do so if the right hand side of the equivalence is  
+simpler than the left-hand side.  
+
+For example, here is a simple fact about list concatenation. 
+The result of appending two lists is empty if and only if both 
+of the lists are themselves empty. Obviously, applying this equivalence 
+will result in a simpler goal. When stating this lemma, we include 
+the \attrdx{iff} attribute. Once we have proved the lemma, Isabelle 
+will make it known to the classical reasoner (and to the simplifier). 
+\begin{isabelle}
+\isacommand{lemma}\
+[iff]:\ "(xs{\isacharat}ys\ =\ [])\ =\
+(xs=[]\ \isasymand\ ys=[])"\isanewline
+\isacommand{apply}\ (induct_tac\ xs)\isanewline
+\isacommand{apply}\ (simp_all)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+This fact about multiplication is also appropriate for 
+the \attrdx{iff} attribute:
+\begin{isabelle}
+(\mbox{?m}\ *\ \mbox{?n}\ =\ 0)\ =\ (\mbox{?m}\ =\ 0\ \isasymor\ \mbox{?n}\ =\ 0)
+\end{isabelle}
+A product is zero if and only if one of the factors is zero.  The
+reasoning  involves a disjunction.  Proving new rules for
+disjunctive reasoning  is hard, but translating to an actual disjunction
+works:  the classical reasoner handles disjunction properly.
+
+In more detail, this is how the \attrdx{iff} attribute works.  It converts
+the equivalence $P=Q$ to a pair of rules: the introduction
+rule $Q\Imp P$ and the destruction rule $P\Imp Q$.  It gives both to the
+classical reasoner as safe rules, ensuring that all occurrences of $P$ in
+a subgoal are replaced by~$Q$.  The simplifier performs the same
+replacement, since \isa{iff} gives $P=Q$ to the
+simplifier.  
+
+Classical reasoning is different from
+simplification.  Simplification is deterministic.  It applies rewrite rules
+repeatedly, as long as possible, transforming a goal into another goal.  Classical
+reasoning uses search and backtracking in order to prove a goal outright.%
+\index{*blast (method)|)}%
+
+
+\section{Other Classical Reasoning Methods}
+ 
+The \isa{blast} method is our main workhorse for proving theorems 
+automatically. Other components of the classical reasoner interact 
+with the simplifier. Still others perform classical reasoning 
+to a limited extent, giving the user fine control over the proof. 
+
+Of the latter methods, the most useful is 
+\methdx{clarify}.
+It performs 
+all obvious reasoning steps without splitting the goal into multiple 
+parts. It does not apply unsafe rules that could render the 
+goal unprovable. By performing the obvious 
+steps, \isa{clarify} lays bare the difficult parts of the problem, 
+where human intervention is necessary. 
+
+For example, the following conjecture is false:
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymforall}x.\ P\ x)\ \isasymand\
+({\isasymexists}x.\ Q\ x)\ \isasymlongrightarrow\ ({\isasymforall}x.\ P\ x\
+\isasymand\ Q\ x)"\isanewline
+\isacommand{apply}\ clarify
+\end{isabelle}
+The \isa{blast} method would simply fail, but \isa{clarify} presents 
+a subgoal that helps us see why we cannot continue the proof. 
+\begin{isabelle}
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk{\isasymforall}x.\ P\ x;\ Q\
+xa\isasymrbrakk\ \isasymLongrightarrow\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+The proof must fail because the assumption \isa{Q\ xa} and conclusion \isa{Q\ x}
+refer to distinct bound variables.  To reach this state, \isa{clarify} applied
+the introduction rules for \isa{\isasymlongrightarrow} and \isa{\isasymforall}
+and the elimination rule for \isa{\isasymand}.  It did not apply the introduction
+rule for  \isa{\isasymand} because of its policy never to split goals.
+
+Also available is \methdx{clarsimp}, a method
+that interleaves \isa{clarify} and \isa{simp}.  Also there is  \methdx{safe},
+which like \isa{clarify} performs obvious steps but even applies those that
+split goals.
+
+The \methdx{force} method applies the classical
+reasoner and simplifier  to one goal. 
+Unless it can prove the goal, it fails. Contrast 
+that with the \isa{auto} method, which also combines classical reasoning 
+with simplification. The latter's purpose is to prove all the 
+easy subgoals and parts of subgoals. Unfortunately, it can produce 
+large numbers of new subgoals; also, since it proves some subgoals 
+and splits others, it obscures the structure of the proof tree. 
+The \isa{force} method does not have these drawbacks. Another 
+difference: \isa{force} tries harder than {\isa{auto}} to prove 
+its goal, so it can take much longer to terminate.
+
+Older components of the classical reasoner have largely been 
+superseded by \isa{blast}, but they still have niche applications. 
+Most important among these are \isa{fast} and \isa{best}. While \isa{blast} 
+searches for proofs using a built-in first-order reasoner, these 
+earlier methods search for proofs using standard Isabelle inference. 
+That makes them slower but enables them to work in the 
+presence of the more unusual features of Isabelle rules, such 
+as type classes and function unknowns. For example, recall the introduction rule
+for Hilbert's $\varepsilon$-operator: 
+\begin{isabelle}
+?P\ ?x\ \isasymLongrightarrow\ ?P\ (SOME\ x.\ ?P x)
+\rulename{someI}
+\end{isabelle}
+%
+The repeated occurrence of the variable \isa{?P} makes this rule tricky 
+to apply. Consider this contrived example: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\isanewline
+\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ P\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)\
+\isasymand\ Q\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)"\isanewline
+\isacommand{apply}\ (rule\ someI)
+\end{isabelle}
+%
+We can apply rule \isa{someI} explicitly.  It yields the 
+following subgoal: 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P\ ?x\
+\isasymand\ Q\ ?x%
+\end{isabelle}
+The proof from this point is trivial.  Could we have
+proved the theorem with a single command? Not using \isa{blast}: it
+cannot perform  the higher-order unification needed here.  The
+\methdx{fast} method succeeds: 
+\begin{isabelle}
+\isacommand{apply}\ (fast\ intro!:\ someI)
+\end{isabelle}
+
+The \methdx{best} method is similar to
+\isa{fast} but it uses a  best-first search instead of depth-first search.
+Accordingly,  it is slower but is less susceptible to divergence.
+Transitivity  rules usually cause \isa{fast} to loop where \isa{best} 
+can often manage.
+
+Here is a summary of the classical reasoning methods:
+\begin{itemize}
+\item \methdx{blast} works automatically and is the fastest
+
+\item \methdx{clarify} and \methdx{clarsimp} perform obvious steps without
+splitting the goal;  \methdx{safe} even splits goals
+
+\item \methdx{force} uses classical reasoning and simplification to prove a goal;
+ \methdx{auto} is similar but leaves what it cannot prove
+
+\item \methdx{fast} and \methdx{best} are legacy methods that work well with rules
+involving unusual features
+\end{itemize}
+A table illustrates the relationships among four of these methods. 
+\begin{center}
+\begin{tabular}{r|l|l|}
+           & no split   & split \\ \hline
+  no simp  & \methdx{clarify}    & \methdx{safe} \\ \hline
+     simp  & \methdx{clarsimp}   & \methdx{auto} \\ \hline
+\end{tabular}
+\end{center}
+
+\section{Finding More Theorems}
+\label{sec:find2}
+\input{find2.tex}
+
+
+\section{Forward Proof: Transforming Theorems}\label{sec:forward}
+
+\index{forward proof|(}%
+Forward proof means deriving new facts from old ones.  It is  the
+most fundamental type of proof.  Backward proof, by working  from goals to
+subgoals, can help us find a difficult proof.  But it is
+not always the best way of presenting the proof thus found.  Forward
+proof is particularly good for reasoning from the general
+to the specific.  For example, consider this distributive law for
+the greatest common divisor:
+\[ k\times\gcd(m,n) = \gcd(k\times m,k\times n)\]
+
+Putting $m=1$ we get (since $\gcd(1,n)=1$ and $k\times1=k$) 
+\[ k = \gcd(k,k\times n)\]
+We have derived a new fact; if re-oriented, it might be
+useful for simplification.  After re-orienting it and putting $n=1$, we
+derive another useful law: 
+\[ \gcd(k,k)=k \]
+Substituting values for variables --- instantiation --- is a forward step. 
+Re-orientation works by applying the symmetry of equality to 
+an equation, so it too is a forward step.  
+
+\subsection{Modifying a Theorem using {\tt\slshape of},  {\tt\slshape where}
+ and {\tt\slshape THEN}}
+
+\label{sec:THEN}
+
+Let us reproduce our examples in Isabelle.  Recall that in
+{\S}\ref{sec:fun-simplification} we declared the recursive function
+\isa{gcd}:\index{*gcd (constant)|(}
+\begin{isabelle}
+\isacommand{fun}\ gcd\ ::\ "nat\ \isasymRightarrow \ nat\ \isasymRightarrow \ nat"\ \isakeyword{where}\isanewline
+\ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
+\end{isabelle}
+%
+From this definition, it is possible to prove the distributive law.  
+That takes us to the starting point for our example.
+\begin{isabelle}
+?k\ *\ gcd\ ?m\ ?n\ =\ gcd\ (?k\ *\ ?m)\ (?k\ *\ ?n)
+\rulename{gcd_mult_distrib2}
+\end{isabelle}
+%
+The first step in our derivation is to replace \isa{?m} by~1.  We instantiate the
+theorem using~\attrdx{of}, which identifies variables in order of their
+appearance from left to right.  In this case, the variables  are \isa{?k}, \isa{?m}
+and~\isa{?n}. So, the expression
+\hbox{\texttt{[of k 1]}} replaces \isa{?k} by~\isa{k} and \isa{?m}
+by~\isa{1}.
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult_0\ =\ gcd_mult_distrib2\ [of\ k\ 1]
+\end{isabelle}
+%
+The keyword \commdx{lemmas} declares a new theorem, which can be derived
+from an existing one using attributes such as \isa{[of~k~1]}.
+The command 
+\isa{thm gcd_mult_0}
+displays the result:
+\begin{isabelle}
+\ \ \ \ \ k\ *\ gcd\ 1\ ?n\ =\ gcd\ (k\ *\ 1)\ (k\ *\ ?n)
+\end{isabelle}
+Something is odd: \isa{k} is an ordinary variable, while \isa{?n} 
+is schematic.  We did not specify an instantiation 
+for \isa{?n}.  In its present form, the theorem does not allow 
+substitution for \isa{k}.  One solution is to avoid giving an instantiation for
+\isa{?k}: instead of a term we can put an underscore~(\isa{_}).  For example,
+\begin{isabelle}
+\ \ \ \ \ gcd_mult_distrib2\ [of\ _\ 1]
+\end{isabelle}
+replaces \isa{?m} by~\isa{1} but leaves \isa{?k} unchanged.  
+
+An equivalent solution is to use the attribute \isa{where}. 
+\begin{isabelle}
+\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1]
+\end{isabelle}
+While \isa{of} refers to
+variables by their position, \isa{where} refers to variables by name. Multiple
+instantiations are separated by~\isa{and}, as in this example:
+\begin{isabelle}
+\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1\ and\ k=1]
+\end{isabelle}
+
+We now continue the present example with the version of \isa{gcd_mult_0}
+shown above, which has \isa{k} instead of \isa{?k}.
+Once we have replaced \isa{?m} by~1, we must next simplify
+the theorem \isa{gcd_mult_0}, performing the steps 
+$\gcd(1,n)=1$ and $k\times1=k$.  The \attrdx{simplified}
+attribute takes a theorem
+and returns the result of simplifying it, with respect to the default
+simplification rules:
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult_1\ =\ gcd_mult_0\
+[simplified]%
+\end{isabelle}
+%
+Again, we display the resulting theorem:
+\begin{isabelle}
+\ \ \ \ \ k\ =\ gcd\ k\ (k\ *\ ?n)
+\end{isabelle}
+%
+To re-orient the equation requires the symmetry rule:
+\begin{isabelle}
+?s\ =\ ?t\
+\isasymLongrightarrow\ ?t\ =\
+?s%
+\rulenamedx{sym}
+\end{isabelle}
+The following declaration gives our equation to \isa{sym}:
+\begin{isabelle}
+\ \ \ \isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_1\ [THEN\ sym]
+\end{isabelle}
+%
+Here is the result:
+\begin{isabelle}
+\ \ \ \ \ gcd\ k\ (k\ *\ ?n)\ =\ k%
+\end{isabelle}
+\isa{THEN~sym}\indexbold{*THEN (attribute)} gives the current theorem to the
+rule \isa{sym} and returns the resulting conclusion.  The effect is to
+exchange the two operands of the equality. Typically \isa{THEN} is used
+with destruction rules.  Also useful is \isa{THEN~spec}, which removes the
+quantifier from a theorem of the form $\forall x.\,P$, and \isa{THEN~mp},
+which converts the implication $P\imp Q$ into the rule
+$\vcenter{\infer{Q}{P}}$. Similar to \isa{mp} are the following two rules,
+which extract  the two directions of reasoning about a boolean equivalence:
+\begin{isabelle}
+\isasymlbrakk?Q\ =\ ?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulenamedx{iffD1}%
+\isanewline
+\isasymlbrakk?P\ =\ ?Q;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulenamedx{iffD2}
+\end{isabelle}
+%
+Normally we would never name the intermediate theorems
+such as \isa{gcd_mult_0} and \isa{gcd_mult_1} but would combine
+the three forward steps: 
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym]%
+\end{isabelle}
+The directives, or attributes, are processed from left to right.  This
+declaration of \isa{gcd_mult} is equivalent to the
+previous one.
+
+Such declarations can make the proof script hard to read.  Better   
+is to state the new lemma explicitly and to prove it using a single
+\isa{rule} method whose operand is expressed using forward reasoning:
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_mult\ [simp]:\ "gcd\ k\ (k*n)\ =\ k"\isanewline
+\isacommand{by}\ (rule\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym])
+\end{isabelle}
+Compared with the previous proof of \isa{gcd_mult}, this
+version shows the reader what has been proved.  Also, the result will be processed
+in the normal way.  In particular, Isabelle generalizes over all variables: the
+resulting theorem will have {\isa{?k}} instead of {\isa{k}}.
+
+At the start  of this section, we also saw a proof of $\gcd(k,k)=k$.  Here
+is the Isabelle version:\index{*gcd (constant)|)}
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_self\ [simp]:\ "gcd\ k\ k\ =\ k"\isanewline
+\isacommand{by}\ (rule\ gcd_mult\ [of\ k\ 1,\ simplified])
+\end{isabelle}
+
+\begin{warn}
+To give~\isa{of} a nonatomic term, enclose it in quotation marks, as in
+\isa{[of "k*m"]}.  The term must not contain unknowns: an
+attribute such as 
+\isa{[of "?k*m"]} will be rejected.
+\end{warn}
+
+%Answer is now included in that section! Is a modified version of this
+%  exercise worth including? E.g. find a difference between the two ways
+%  of substituting.
+%\begin{exercise}
+%In {\S}\ref{sec:subst} the method \isa{subst\ mult_commute} was applied.  How
+%can we achieve the same effect using \isa{THEN} with the rule \isa{ssubst}?
+%% answer  rule (mult_commute [THEN ssubst])
+%\end{exercise}
+
+\subsection{Modifying a Theorem using {\tt\slshape OF}}
+
+\index{*OF (attribute)|(}%
+Recall that \isa{of} generates an instance of a
+rule by specifying values for its variables.  Analogous is \isa{OF}, which
+generates an instance of a rule by specifying facts for its premises.  
+
+We again need the divides relation\index{divides relation} of number theory, which
+as we recall is defined by 
+\begin{isabelle}
+?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
+\rulename{dvd_def}
+\end{isabelle}
+%
+Suppose, for example, that we have proved the following rule.  
+It states that if $k$ and $n$ are relatively prime
+and if $k$ divides $m\times n$ then $k$ divides $m$.
+\begin{isabelle}
+\isasymlbrakk gcd ?k ?n {=} 1;\ ?k\ dvd\ ?m * ?n\isasymrbrakk\
+\isasymLongrightarrow\ ?k\ dvd\ ?m
+\rulename{relprime_dvd_mult}
+\end{isabelle}
+We can use \isa{OF} to create an instance of this rule.
+First, we
+prove an instance of its first premise:
+\begin{isabelle}
+\isacommand{lemma}\ relprime\_20\_81:\ "gcd\ 20\ 81\ =\ 1"\isanewline
+\isacommand{by}\ (simp\ add:\ gcd.simps)
+\end{isabelle}
+We have evaluated an application of the \isa{gcd} function by
+simplification.  Expression evaluation involving recursive functions is not
+guaranteed to terminate, and it can be slow; Isabelle
+performs arithmetic by  rewriting symbolic bit strings.  Here,
+however, the simplification takes less than one second.  We can
+give this new lemma to \isa{OF}.  The expression
+\begin{isabelle}
+\ \ \ \ \ relprime_dvd_mult [OF relprime_20_81]
+\end{isabelle}
+yields the theorem
+\begin{isabelle}
+\ \ \ \ \ 20\ dvd\ (?m\ *\ 81)\ \isasymLongrightarrow\ 20\ dvd\ ?m%
+\end{isabelle}
+%
+\isa{OF} takes any number of operands.  Consider 
+the following facts about the divides relation: 
+\begin{isabelle}
+\isasymlbrakk?k\ dvd\ ?m;\
+?k\ dvd\ ?n\isasymrbrakk\
+\isasymLongrightarrow\ ?k\ dvd\
+?m\ +\ ?n
+\rulename{dvd_add}\isanewline
+?m\ dvd\ ?m%
+\rulename{dvd_refl}
+\end{isabelle}
+Let us supply \isa{dvd_refl} for each of the premises of \isa{dvd_add}:
+\begin{isabelle}
+\ \ \ \ \ dvd_add [OF dvd_refl dvd_refl]
+\end{isabelle}
+Here is the theorem that we have expressed: 
+\begin{isabelle}
+\ \ \ \ \ ?k\ dvd\ (?k\ +\ ?k)
+\end{isabelle}
+As with \isa{of}, we can use the \isa{_} symbol to leave some positions
+unspecified:
+\begin{isabelle}
+\ \ \ \ \ dvd_add [OF _ dvd_refl]
+\end{isabelle}
+The result is 
+\begin{isabelle}
+\ \ \ \ \ ?k\ dvd\ ?m\ \isasymLongrightarrow\ ?k\ dvd\ ?m\ +\ ?k
+\end{isabelle}
+
+You may have noticed that \isa{THEN} and \isa{OF} are based on 
+the same idea, namely to combine two rules.  They differ in the
+order of the combination and thus in their effect.  We use \isa{THEN}
+typically with a destruction rule to extract a subformula of the current
+theorem.  We use \isa{OF} with a list of facts to generate an instance of
+the current theorem.%
+\index{*OF (attribute)|)}
+
+Here is a summary of some primitives for forward reasoning:
+\begin{itemize}
+\item \attrdx{of} instantiates the variables of a rule to a list of terms
+\item \attrdx{OF} applies a rule to a list of theorems
+\item \attrdx{THEN} gives a theorem to a named rule and returns the
+conclusion 
+%\item \attrdx{rule_format} puts a theorem into standard form
+%  by removing \isa{\isasymlongrightarrow} and~\isa{\isasymforall}
+\item \attrdx{simplified} applies the simplifier to a theorem
+\item \isacommand{lemmas} assigns a name to the theorem produced by the
+attributes above
+\end{itemize}
+
+
+\section{Forward Reasoning in a Backward Proof}
+
+We have seen that the forward proof directives work well within a backward 
+proof.  There are many ways to achieve a forward style using our existing
+proof methods.  We shall also meet some new methods that perform forward
+reasoning.  
+
+The methods \isa{drule}, \isa{frule}, \isa{drule_tac}, etc.,
+reason forward from a subgoal.  We have seen them already, using rules such as
+\isa{mp} and
+\isa{spec} to operate on formulae.  They can also operate on terms, using rules
+such as these:
+\begin{isabelle}
+x\ =\ y\ \isasymLongrightarrow \ f\ x\ =\ f\ y%
+\rulenamedx{arg_cong}\isanewline
+i\ \isasymle \ j\ \isasymLongrightarrow \ i\ *\ k\ \isasymle \ j\ *\ k%
+\rulename{mult_le_mono1}
+\end{isabelle}
+
+For example, let us prove a fact about divisibility in the natural numbers:
+\begin{isabelle}
+\isacommand{lemma}\ "2\ \isasymle \ u\ \isasymLongrightarrow \ u*m\ \isasymnoteq
+\ Suc(u*n)"\isanewline
+\isacommand{apply}\ (intro\ notI)\isanewline
+\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ =\ Suc\ (u\ *\ n)\isasymrbrakk \ \isasymLongrightarrow \ False%
+\end{isabelle}
+%
+The key step is to apply the function \ldots\isa{mod\ u} to both sides of the
+equation
+\isa{u*m\ =\ Suc(u*n)}:\index{*drule_tac (method)}
+\begin{isabelle}
+\isacommand{apply}\ (drule_tac\ f="\isasymlambda x.\ x\ mod\ u"\ \isakeyword{in}\
+arg_cong)\isanewline
+\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ mod\ u\ =\ Suc\ (u\ *\ n)\ mod\
+u\isasymrbrakk \ \isasymLongrightarrow \ False
+\end{isabelle}
+%
+Simplification reduces the left side to 0 and the right side to~1, yielding the
+required contradiction.
+\begin{isabelle}
+\isacommand{apply}\ (simp\ add:\ mod_Suc)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+Our proof has used a fact about remainder:
+\begin{isabelle}
+Suc\ m\ mod\ n\ =\isanewline
+(if\ Suc\ (m\ mod\ n)\ =\ n\ then\ 0\ else\ Suc\ (m\ mod\ n))
+\rulename{mod_Suc}
+\end{isabelle}
+
+\subsection{The Method {\tt\slshape insert}}
+
+\index{*insert (method)|(}%
+The \isa{insert} method
+inserts a given theorem as a new assumption of all subgoals.  This
+already is a forward step; moreover, we may (as always when using a
+theorem) apply
+\isa{of}, \isa{THEN} and other directives.  The new assumption can then
+be used to help prove the subgoals.
+
+For example, consider this theorem about the divides relation.  The first
+proof step inserts the distributive law for
+\isa{gcd}.  We specify its variables as shown. 
+\begin{isabelle}
+\isacommand{lemma}\ relprime\_dvd\_mult:\ \isanewline
+\ \ \ \ \ \ "\isasymlbrakk \ gcd\ k\ n\ =\ 1;\ k\ dvd\ m*n\ \isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ m"\isanewline
+\isacommand{apply}\ (insert\ gcd_mult_distrib2\ [of\ m\ k\ n])
+\end{isabelle}
+In the resulting subgoal, note how the equation has been 
+inserted: 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ 1;\ k\ dvd\ m\ *\ n;\ m\ *\ gcd\ k\ n\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
+\end{isabelle}
+The next proof step utilizes the assumption \isa{gcd\ k\ n\ =\ 1}
+(note that \isa{Suc\ 0} is another expression for 1):
+\begin{isabelle}
+\isacommand{apply}(simp)\isanewline
+\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ Suc\ 0;\ k\ dvd\ m\ *\ n;\ m\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
+\end{isabelle}
+Simplification has yielded an equation for~\isa{m}.  The rest of the proof
+is omitted.
+
+\medskip
+Here is another demonstration of \isa{insert}.  Division and
+remainder obey a well-known law: 
+\begin{isabelle}
+(?m\ div\ ?n)\ *\ ?n\ +\ ?m\ mod\ ?n\ =\ ?m
+\rulename{mod_div_equality}
+\end{isabelle}
+
+We refer to this law explicitly in the following proof: 
+\begin{isabelle}
+\isacommand{lemma}\ div_mult_self_is_m:\ \isanewline
+\ \ \ \ \ \ "0{\isacharless}n\ \isasymLongrightarrow\ (m*n)\ div\ n\ =\
+(m::nat)"\isanewline
+\isacommand{apply}\ (insert\ mod_div_equality\ [of\ "m*n"\ n])\isanewline
+\isacommand{apply}\ (simp)\isanewline
+\isacommand{done}
+\end{isabelle}
+The first step inserts the law, specifying \isa{m*n} and
+\isa{n} for its variables.  Notice that non-trivial expressions must be
+enclosed in quotation marks.  Here is the resulting 
+subgoal, with its new assumption: 
+\begin{isabelle}
+%0\ \isacharless\ n\ \isasymLongrightarrow\ (m\
+%*\ n)\ div\ n\ =\ m\isanewline
+\ 1.\ \isasymlbrakk0\ \isacharless\
+n;\ \ (m\ *\ n)\ div\ n\ *\ n\ +\ (m\ *\ n)\ mod\ n\
+=\ m\ *\ n\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ (m\ *\ n)\ div\ n\
+=\ m
+\end{isabelle}
+Simplification reduces \isa{(m\ *\ n)\ mod\ n} to zero.
+Then it cancels the factor~\isa{n} on both
+sides of the equation \isa{(m\ *\ n)\ div\ n\ *\ n\ =\ m\ *\ n}, proving the
+theorem.
+
+\begin{warn}
+Any unknowns in the theorem given to \methdx{insert} will be universally
+quantified in the new assumption.
+\end{warn}%
+\index{*insert (method)|)}
+
+\subsection{The Method {\tt\slshape subgoal_tac}}
+
+\index{*subgoal_tac (method)}%
+A related method is \isa{subgoal_tac}, but instead
+of inserting  a theorem as an assumption, it inserts an arbitrary formula. 
+This formula must be proved later as a separate subgoal. The 
+idea is to claim that the formula holds on the basis of the current 
+assumptions, to use this claim to complete the proof, and finally 
+to justify the claim. It gives the proof 
+some structure.  If you find yourself generating a complex assumption by a
+long series of forward steps, consider using \isa{subgoal_tac} instead: you can
+state the formula you are aiming for, and perhaps prove it automatically.
+
+Look at the following example. 
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk(z::int)\ <\ 37;\ 66\ <\ 2*z;\ z*z\
+\isasymnoteq\ 1225;\ Q(34);\ Q(36)\isasymrbrakk\isanewline
+\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ Q(z)"\isanewline
+\isacommand{apply}\ (subgoal_tac\ "z\ =\ 34\ \isasymor\ z\ =\
+36")\isanewline
+\isacommand{apply}\ blast\isanewline
+\isacommand{apply}\ (subgoal_tac\ "z\ \isasymnoteq\ 35")\isanewline
+\isacommand{apply}\ arith\isanewline
+\isacommand{apply}\ force\isanewline
+\isacommand{done}
+\end{isabelle}
+The first assumption tells us 
+that \isa{z} is no greater than~36. The second tells us that \isa{z} 
+is at least~34. The third assumption tells us that \isa{z} cannot be 35, since
+$35\times35=1225$.  So \isa{z} is either 34 or~36, and since \isa{Q} holds for
+both of those  values, we have the conclusion. 
+
+The Isabelle proof closely follows this reasoning. The first 
+step is to claim that \isa{z} is either 34 or 36. The resulting proof 
+state gives us two subgoals: 
+\begin{isabelle}
+%\isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\
+%Q\ 34;\ Q\ 36\isasymrbrakk\ \isasymLongrightarrow\ Q\ z\isanewline
+\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36;\isanewline
+\ \ \ \ \ z\ =\ 34\ \isasymor\ z\ =\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ Q\ z\isanewline
+\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36
+\end{isabelle}
+The first subgoal is trivial (\isa{blast}), but for the second Isabelle needs help to eliminate
+the case
+\isa{z}=35.  The second invocation  of {\isa{subgoal_tac}} leaves two
+subgoals: 
+\begin{isabelle}
+\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\
+1225;\ Q\ 34;\ Q\ 36;\isanewline
+\ \ \ \ \ z\ \isasymnoteq\ 35\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36\isanewline
+\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ \isasymnoteq\ 35
+\end{isabelle}
+
+Assuming that \isa{z} is not 35, the first subgoal follows by linear arithmetic
+(\isa{arith}). For the second subgoal we apply the method \isa{force}, 
+which proceeds by assuming that \isa{z}=35 and arriving at a contradiction.
+
+
+\medskip
+Summary of these methods:
+\begin{itemize}
+\item \methdx{insert} adds a theorem as a new assumption
+\item \methdx{subgoal_tac} adds a formula as a new assumption and leaves the
+subgoal of proving that formula
+\end{itemize}
+\index{forward proof|)}
+
+
+\section{Managing Large Proofs}
+
+Naturally you should try to divide proofs into manageable parts.  Look for lemmas
+that can be proved separately.  Sometimes you will observe that they are
+instances of much simpler facts.  On other occasions, no lemmas suggest themselves
+and you are forced to cope with a long proof involving many subgoals.  
+
+\subsection{Tacticals, or Control Structures}
+
+\index{tacticals|(}%
+If the proof is long, perhaps it at least has some regularity.  Then you can
+express it more concisely using \textbf{tacticals}, which provide control
+structures.  Here is a proof (it would be a one-liner using
+\isa{blast}, but forget that) that contains a series of repeated
+commands:
+%
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\
+Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \
+\isasymLongrightarrow \ S"\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (assumption)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+Each of the three identical commands finds an implication and proves its
+antecedent by assumption.  The first one finds \isa{P\isasymlongrightarrow Q} and
+\isa{P}, concluding~\isa{Q}; the second one concludes~\isa{R} and the third one
+concludes~\isa{S}.  The final step matches the assumption \isa{S} with the goal to
+be proved.
+
+Suffixing a method with a plus sign~(\isa+)\index{*"+ (tactical)}
+expresses one or more repetitions:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\ Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \ \isasymLongrightarrow \ S"\isanewline
+\isacommand{by}\ (drule\ mp,\ assumption)+
+\end{isabelle}
+%
+Using \isacommand{by} takes care of the final use of \isa{assumption}.  The new
+proof is more concise.  It is also more general: the repetitive method works
+for a chain of implications having any length, not just three.
+
+Choice is another control structure.  Separating two methods by a vertical
+% we must use ?? rather than "| as the sorting item because somehow the presence
+% of | (even quoted) stops hyperref from putting |hyperpage at the end of the index
+% entry.
+bar~(\isa|)\index{??@\texttt{"|} (tactical)}  gives the effect of applying the
+first method, and if that fails, trying the second.  It can be combined with
+repetition, when the choice must be made over and over again.  Here is a chain of
+implications in which most of the antecedents are proved by assumption, but one is
+proved by arithmetic:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ x<5\isasymlongrightarrow P;\
+Suc\ x\ <\ 5\isasymrbrakk \ \isasymLongrightarrow \ R"\ \isanewline
+\isacommand{by}\ (drule\ mp,\ (assumption|arith))+
+\end{isabelle}
+The \isa{arith}
+method can prove $x<5$ from $x+1<5$, but it cannot duplicate the effect of
+\isa{assumption}.  Therefore, we combine these methods using the choice
+operator.
+
+A postfixed question mark~(\isa?)\index{*"? (tactical)} expresses zero or one
+repetitions of a method.  It can also be viewed as the choice between executing a
+method and doing nothing.  It is useless at top level but can be valuable
+within other control structures; for example, 
+\isa{($m$+)?} performs zero or more repetitions of method~$m$.%
+\index{tacticals|)}
+
+
+\subsection{Subgoal Numbering}
+
+Another problem in large proofs is contending with huge
+subgoals or many subgoals.  Induction can produce a proof state that looks
+like this:
+\begin{isabelle}
+\ 1.\ bigsubgoal1\isanewline
+\ 2.\ bigsubgoal2\isanewline
+\ 3.\ bigsubgoal3\isanewline
+\ 4.\ bigsubgoal4\isanewline
+\ 5.\ bigsubgoal5\isanewline
+\ 6.\ bigsubgoal6
+\end{isabelle}
+If each \isa{bigsubgoal} is 15 lines or so, the proof state will be too big to
+scroll through.  By default, Isabelle displays at most 10 subgoals.  The 
+\commdx{pr} command lets you change this limit:
+\begin{isabelle}
+\isacommand{pr}\ 2\isanewline
+\ 1.\ bigsubgoal1\isanewline
+\ 2.\ bigsubgoal2\isanewline
+A total of 6 subgoals...
+\end{isabelle}
+
+\medskip
+All methods apply to the first subgoal.
+Sometimes, not only in a large proof, you may want to focus on some other
+subgoal.  Then you should try the commands \isacommand{defer} or \isacommand{prefer}.
+
+In the following example, the first subgoal looks hard, while the others
+look as if \isa{blast} alone could prove them:
+\begin{isabelle}
+\ 1.\ hard\isanewline
+\ 2.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
+\ 3.\ Q\ \isasymLongrightarrow \ Q%
+\end{isabelle}
+%
+The \commdx{defer} command moves the first subgoal into the last position.
+\begin{isabelle}
+\isacommand{defer}\ 1\isanewline
+\ 1.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow \ Q\isanewline
+\ 3.\ hard%
+\end{isabelle}
+%
+Now we apply \isa{blast} repeatedly to the easy subgoals:
+\begin{isabelle}
+\isacommand{apply}\ blast+\isanewline
+\ 1.\ hard%
+\end{isabelle}
+Using \isacommand{defer}, we have cleared away the trivial parts of the proof so
+that we can devote attention to the difficult part.
+
+\medskip
+The \commdx{prefer} command moves the specified subgoal into the
+first position.  For example, if you suspect that one of your subgoals is
+invalid (not a theorem), then you should investigate that subgoal first.  If it
+cannot be proved, then there is no point in proving the other subgoals.
+\begin{isabelle}
+\ 1.\ ok1\isanewline
+\ 2.\ ok2\isanewline
+\ 3.\ doubtful%
+\end{isabelle}
+%
+We decide to work on the third subgoal.
+\begin{isabelle}
+\isacommand{prefer}\ 3\isanewline
+\ 1.\ doubtful\isanewline
+\ 2.\ ok1\isanewline
+\ 3.\ ok2
+\end{isabelle}
+If we manage to prove \isa{doubtful}, then we can work on the other
+subgoals, confident that we are not wasting our time.  Finally we revise the
+proof script to remove the \isacommand{prefer} command, since we needed it only to
+focus our exploration.  The previous example is different: its use of
+\isacommand{defer} stops trivial subgoals from cluttering the rest of the
+proof.  Even there, we should consider proving \isa{hard} as a preliminary
+lemma.  Always seek ways to streamline your proofs.
+ 
+
+\medskip
+Summary:
+\begin{itemize}
+\item the control structures \isa+, \isa? and \isa| help express complicated proofs
+\item the \isacommand{pr} command can limit the number of subgoals to display
+\item the \isacommand{defer} and \isacommand{prefer} commands move a 
+subgoal to the last or first position
+\end{itemize}
+
+\begin{exercise}
+Explain the use of \isa? and \isa+ in this proof.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymand Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ R"\isanewline
+\isacommand{by}\ (drule\ mp,\ (intro conjI)?,\ assumption+)+
+\end{isabelle}
+\end{exercise}
+
+
+
+\section{Proving the Correctness of Euclid's Algorithm}
+\label{sec:proving-euclid}
+
+\index{Euclid's algorithm|(}\index{*gcd (constant)|(}\index{divides relation|(}%
+A brief development will demonstrate the techniques of this chapter,
+including \isa{blast} applied with additional rules.  We shall also see
+\isa{case_tac} used to perform a Boolean case split.
+
+Let us prove that \isa{gcd} computes the greatest common
+divisor of its two arguments.  
+%
+We use induction: \isa{gcd.induct} is the
+induction rule returned by \isa{fun}.  We simplify using
+rules proved in {\S}\ref{sec:fun-simplification}, since rewriting by the
+definition of \isa{gcd} can loop.
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_dvd\_both:\ "(gcd\ m\ n\ dvd\ m)\ \isasymand \ (gcd\ m\ n\ dvd\ n)"
+\end{isabelle}
+The induction formula must be a conjunction.  In the
+inductive step, each conjunct establishes the other. 
+\begin{isabelle}
+\ 1.\ \isasymAnd m\ n.\ (n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n)\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
+\end{isabelle}
+
+The conditional induction hypothesis suggests doing a case
+analysis on \isa{n=0}.  We apply \methdx{case_tac} with type
+\isa{bool} --- and not with a datatype, as we have done until now.  Since
+\isa{nat} is a datatype, we could have written
+\isa{case_tac~n} instead of \isa{case_tac~"n=0"}.  However, the definition
+of \isa{gcd} makes a Boolean decision:
+\begin{isabelle}
+\ \ \ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
+\end{isabelle}
+Proofs about a function frequently follow the function's definition, so we perform
+case analysis over the same formula.
+\begin{isabelle}
+\isacommand{apply}\ (case_tac\ "n=0")\isanewline
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n\isanewline
+\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
+\end{isabelle}
+%
+Simplification leaves one subgoal: 
+\begin{isabelle}
+\isacommand{apply}\ (simp_all)\isanewline
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }0\ <\ n\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ n\ (m\ mod\ n)\ dvd\ m%
+\end{isabelle}
+%
+Here, we can use \isa{blast}.  
+One of the assumptions, the induction hypothesis, is a conjunction. 
+The two divides relationships it asserts are enough to prove 
+the conclusion, for we have the following theorem at our disposal: 
+\begin{isabelle}
+\isasymlbrakk?k\ dvd\ (?m\ mod\ ?n){;}\ ?k\ dvd\ ?n\isasymrbrakk\ \isasymLongrightarrow\ ?k\ dvd\ ?m%
+\rulename{dvd_mod_imp_dvd}
+\end{isabelle}
+%
+This theorem can be applied in various ways.  As an introduction rule, it
+would cause backward chaining from  the conclusion (namely
+\isa{?k~dvd~?m}) to the two premises, which 
+also involve the divides relation. This process does not look promising
+and could easily loop.  More sensible is  to apply the rule in the forward
+direction; each step would eliminate an occurrence of the \isa{mod} symbol, so the
+process must terminate.  
+\begin{isabelle}
+\isacommand{apply}\ (blast\ dest:\ dvd_mod_imp_dvd)\isanewline
+\isacommand{done}
+\end{isabelle}
+Attaching the \attrdx{dest} attribute to \isa{dvd_mod_imp_dvd} tells
+\isa{blast} to use it as destruction rule; that is, in the forward direction.
+
+\medskip
+We have proved a conjunction.  Now, let us give names to each of the
+two halves:
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_dvd1\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct1]\isanewline
+\isacommand{lemmas}\ gcd_dvd2\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct2]%
+\end{isabelle}
+Here we see \commdx{lemmas}
+used with the \attrdx{iff} attribute, which supplies the new theorems to the
+classical reasoner and the simplifier.  Recall that \attrdx{THEN} is
+frequently used with destruction rules; \isa{THEN conjunct1} extracts the
+first half of a conjunctive theorem.  Given \isa{gcd_dvd_both} it yields
+\begin{isabelle}
+\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?m1
+\end{isabelle}
+The variable names \isa{?m1} and \isa{?n1} arise because
+Isabelle renames schematic variables to prevent 
+clashes.  The second \isacommand{lemmas} declaration yields
+\begin{isabelle}
+\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?n1
+\end{isabelle}
+
+\medskip
+To complete the verification of the \isa{gcd} function, we must 
+prove that it returns the greatest of all the common divisors 
+of its arguments.  The proof is by induction, case analysis and simplification.
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_greatest\ [rule\_format]:\isanewline
+\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
+\end{isabelle}
+%
+The goal is expressed using HOL implication,
+\isa{\isasymlongrightarrow}, because the induction affects the two
+preconditions.  The directive \isa{rule_format} tells Isabelle to replace
+each \isa{\isasymlongrightarrow} by \isa{\isasymLongrightarrow} before
+storing the eventual theorem.  This directive can also remove outer
+universal quantifiers, converting the theorem into the usual format for
+inference rules.  It can replace any series of applications of
+\isa{THEN} to the rules \isa{mp} and \isa{spec}.  We did not have to
+write this:
+\begin{isabelle}
+\isacommand{lemma}\ gcd_greatest\
+[THEN mp, THEN mp]:\isanewline
+\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
+\end{isabelle}
+
+Because we are again reasoning about \isa{gcd}, we perform the same
+induction and case analysis as in the previous proof:
+\begingroup\samepage
+\begin{isabelle}
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n\isanewline
+\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n%
+\end{isabelle}
+\endgroup
+
+\noindent Simplification proves both subgoals. 
+\begin{isabelle}
+\isacommand{apply}\ (simp_all\ add:\ dvd_mod)\isanewline
+\isacommand{done}
+\end{isabelle}
+In the first, where \isa{n=0}, the implication becomes trivial: \isa{k\ dvd\
+gcd\ m\ n} goes to~\isa{k\ dvd\ m}.  The second subgoal is proved by
+an unfolding of \isa{gcd}, using this rule about divides:
+\begin{isabelle}
+\isasymlbrakk ?f\ dvd\ ?m;\ ?f\ dvd\ ?n\isasymrbrakk \
+\isasymLongrightarrow \ ?f\ dvd\ ?m\ mod\ ?n%
+\rulename{dvd_mod}
+\end{isabelle}
+
+
+\medskip
+The facts proved above can be summarized as a single logical 
+equivalence.  This step gives us a chance to see another application
+of \isa{blast}.
+\begin{isabelle}
+\isacommand{theorem}\ gcd\_greatest\_iff\ [iff]:\ \isanewline
+\ \ \ \ \ \ \ \ "(k\ dvd\ gcd\ m\ n)\ =\ (k\ dvd\ m\ \isasymand \ k\ dvd\ n)"\isanewline
+\isacommand{by}\ (blast\ intro!:\ gcd_greatest\ intro:\ dvd_trans)
+\end{isabelle}
+This theorem concisely expresses the correctness of the \isa{gcd} 
+function. 
+We state it with the \isa{iff} attribute so that 
+Isabelle can use it to remove some occurrences of \isa{gcd}. 
+The theorem has a one-line 
+proof using \isa{blast} supplied with two additional introduction 
+rules. The exclamation mark 
+({\isa{intro}}{\isa{!}})\ signifies safe rules, which are 
+applied aggressively.  Rules given without the exclamation mark 
+are applied reluctantly and their uses can be undone if 
+the search backtracks.  Here the unsafe rule expresses transitivity  
+of the divides relation:
+\begin{isabelle}
+\isasymlbrakk?m\ dvd\ ?n;\ ?n\ dvd\ ?p\isasymrbrakk\ \isasymLongrightarrow\ ?m\ dvd\ ?p%
+\rulename{dvd_trans}
+\end{isabelle}
+Applying \isa{dvd_trans} as 
+an introduction rule entails a risk of looping, for it multiplies 
+occurrences of the divides symbol. However, this proof relies 
+on transitivity reasoning.  The rule {\isa{gcd\_greatest}} is safe to apply 
+aggressively because it yields simpler subgoals.  The proof implicitly
+uses \isa{gcd_dvd1} and \isa{gcd_dvd2} as safe rules, because they were
+declared using \isa{iff}.%
+\index{Euclid's algorithm|)}\index{*gcd (constant)|)}\index{divides relation|)}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/sets.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,1069 @@
+\chapter{Sets, Functions and Relations}
+
+This chapter describes the formalization of typed set theory, which is
+the basis of much else in HOL\@.  For example, an
+inductive definition yields a set, and the abstract theories of relations
+regard a relation as a set of pairs.  The chapter introduces the well-known
+constants such as union and intersection, as well as the main operations on relations, such as converse, composition and
+transitive closure.  Functions are also covered.  They are not sets in
+HOL, but many of their properties concern sets: the range of a
+function is a set, and the inverse image of a function maps sets to sets.
+
+This chapter will be useful to anybody who plans to develop a substantial
+proof.  Sets are convenient for formalizing  computer science concepts such
+as grammars, logical calculi and state transition systems.  Isabelle can
+prove many statements involving sets automatically.
+
+This chapter ends with a case study concerning model checking for the
+temporal logic CTL\@.  Most of the other examples are simple.  The
+chapter presents a small selection of built-in theorems in order to point
+out some key properties of the various constants and to introduce you to
+the notation. 
+
+Natural deduction rules are provided for the set theory constants, but they
+are seldom used directly, so only a few are presented here.  
+
+
+\section{Sets}
+
+\index{sets|(}%
+HOL's set theory should not be confused with traditional,  untyped set
+theory, in which everything is a set.  Our sets are typed. In a given set,
+all elements have the same type, say~$\tau$,  and the set itself has type
+$\tau$~\tydx{set}. 
+
+We begin with \textbf{intersection}, \textbf{union} and
+\textbf{complement}. In addition to the
+\textbf{membership relation}, there  is a symbol for its negation. These
+points can be seen below.  
+
+Here are the natural deduction rules for \rmindex{intersection}.  Note
+the  resemblance to those for conjunction.  
+\begin{isabelle}
+\isasymlbrakk c\ \isasymin\ A;\ c\ \isasymin\ B\isasymrbrakk\ 
+\isasymLongrightarrow\ c\ \isasymin\ A\ \isasyminter\ B%
+\rulenamedx{IntI}\isanewline
+c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ A
+\rulenamedx{IntD1}\isanewline
+c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ B
+\rulenamedx{IntD2}
+\end{isabelle}
+
+Here are two of the many installed theorems concerning set
+complement.\index{complement!of a set}
+Note that it is denoted by a minus sign.
+\begin{isabelle}
+(c\ \isasymin\ -\ A)\ =\ (c\ \isasymnotin\ A)
+\rulenamedx{Compl_iff}\isanewline
+-\ (A\ \isasymunion\ B)\ =\ -\ A\ \isasyminter\ -\ B
+\rulename{Compl_Un}
+\end{isabelle}
+
+Set \textbf{difference}\indexbold{difference!of sets} is the intersection
+of a set with the  complement of another set. Here we also see the syntax
+for the  empty set and for the universal set. 
+\begin{isabelle}
+A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright
+\rulename{Diff_disjoint}\isanewline
+A\ \isasymunion\ -\ A\ =\ UNIV%
+\rulename{Compl_partition}
+\end{isabelle}
+
+The \bfindex{subset relation} holds between two sets just if every element 
+of one is also an element of the other. This relation is reflexive.  These
+are its natural deduction rules:
+\begin{isabelle}
+({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ x\ \isasymin\ B)\ \isasymLongrightarrow\ A\ \isasymsubseteq\ B%
+\rulenamedx{subsetI}%
+\par\smallskip%          \isanewline didn't leave enough space
+\isasymlbrakk A\ \isasymsubseteq\ B;\ c\ \isasymin\
+A\isasymrbrakk\ \isasymLongrightarrow\ c\
+\isasymin\ B%
+\rulenamedx{subsetD}
+\end{isabelle}
+In harder proofs, you may need to apply \isa{subsetD} giving a specific term
+for~\isa{c}.  However, \isa{blast} can instantly prove facts such as this
+one: 
+\begin{isabelle}
+(A\ \isasymunion\ B\ \isasymsubseteq\ C)\ =\
+(A\ \isasymsubseteq\ C\ \isasymand\ B\ \isasymsubseteq\ C)
+\rulenamedx{Un_subset_iff}
+\end{isabelle}
+Here is another example, also proved automatically:
+\begin{isabelle}
+\isacommand{lemma}\ "(A\
+\isasymsubseteq\ -B)\ =\ (B\ \isasymsubseteq\ -A)"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+%
+This is the same example using \textsc{ascii} syntax, illustrating a pitfall: 
+\begin{isabelle}
+\isacommand{lemma}\ "(A\ <=\ -B)\ =\ (B\ <=\ -A)"
+\end{isabelle}
+%
+The proof fails.  It is not a statement about sets, due to overloading;
+the relation symbol~\isa{<=} can be any relation, not just  
+subset. 
+In this general form, the statement is not valid.  Putting
+in a type constraint forces the variables to denote sets, allowing the
+proof to succeed:
+
+\begin{isabelle}
+\isacommand{lemma}\ "((A::\ {\isacharprime}a\ set)\ <=\ -B)\ =\ (B\ <=\
+-A)"
+\end{isabelle}
+Section~\ref{sec:axclass} below describes overloading.  Incidentally,
+\isa{A~\isasymsubseteq~-B} asserts that the sets \isa{A} and \isa{B} are
+disjoint.
+
+\medskip
+Two sets are \textbf{equal}\indexbold{equality!of sets} if they contain the
+same elements.   This is
+the principle of \textbf{extensionality}\indexbold{extensionality!for sets}
+for sets. 
+\begin{isabelle}
+({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\
+{\isasymLongrightarrow}\ A\ =\ B
+\rulenamedx{set_ext}
+\end{isabelle}
+Extensionality can be expressed as 
+$A=B\iff (A\subseteq B)\conj (B\subseteq A)$.  
+The following rules express both
+directions of this equivalence.  Proving a set equation using
+\isa{equalityI} allows the two inclusions to be proved independently.
+\begin{isabelle}
+\isasymlbrakk A\ \isasymsubseteq\ B;\ B\ \isasymsubseteq\
+A\isasymrbrakk\ \isasymLongrightarrow\ A\ =\ B
+\rulenamedx{equalityI}
+\par\smallskip%          \isanewline didn't leave enough space
+\isasymlbrakk A\ =\ B;\ \isasymlbrakk A\ \isasymsubseteq\ B;\ B\
+\isasymsubseteq\ A\isasymrbrakk\ \isasymLongrightarrow\ P\isasymrbrakk\
+\isasymLongrightarrow\ P%
+\rulenamedx{equalityE}
+\end{isabelle}
+
+
+\subsection{Finite Set Notation} 
+
+\indexbold{sets!notation for finite}
+Finite sets are expressed using the constant \cdx{insert}, which is
+a form of union:
+\begin{isabelle}
+insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A
+\rulename{insert_is_Un}
+\end{isabelle}
+%
+The finite set expression \isa{\isacharbraceleft
+a,b\isacharbraceright} abbreviates
+\isa{insert\ a\ (insert\ b\ \isacharbraceleft\isacharbraceright)}.
+Many facts about finite sets can be proved automatically: 
+\begin{isabelle}
+\isacommand{lemma}\
+"\isacharbraceleft a,b\isacharbraceright\
+\isasymunion\ \isacharbraceleft c,d\isacharbraceright\ =\
+\isacharbraceleft a,b,c,d\isacharbraceright"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+
+Not everything that we would like to prove is valid. 
+Consider this attempt: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ \isacharbraceleft b,c\isacharbraceright\ =\
+\isacharbraceleft b\isacharbraceright"\isanewline
+\isacommand{apply}\ auto
+\end{isabelle}
+%
+The proof fails, leaving the subgoal \isa{b=c}. To see why it 
+fails, consider a correct version: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ 
+\isacharbraceleft b,c\isacharbraceright\ =\ (if\ a=c\ then\
+\isacharbraceleft a,b\isacharbraceright\ else\ \isacharbraceleft
+b\isacharbraceright)"\isanewline
+\isacommand{apply}\ simp\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+Our mistake was to suppose that the various items were distinct.  Another
+remark: this proof uses two methods, namely {\isa{simp}}  and
+{\isa{blast}}. Calling {\isa{simp}} eliminates the
+\isa{if}-\isa{then}-\isa{else} expression,  which {\isa{blast}}
+cannot break down. The combined methods (namely {\isa{force}}  and
+\isa{auto}) can prove this fact in one step. 
+
+
+\subsection{Set Comprehension}
+
+\index{set comprehensions|(}%
+The set comprehension \isa{\isacharbraceleft x.\
+P\isacharbraceright} expresses the set of all elements that satisfy the
+predicate~\isa{P}.  Two laws describe the relationship between set 
+comprehension and the membership relation:
+\begin{isabelle}
+(a\ \isasymin\
+\isacharbraceleft x.\ P\ x\isacharbraceright)\ =\ P\ a
+\rulename{mem_Collect_eq}\isanewline
+\isacharbraceleft x.\ x\ \isasymin\ A\isacharbraceright\ =\ A
+\rulename{Collect_mem_eq}
+\end{isabelle}
+
+\smallskip
+Facts such as these have trivial proofs:
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\ \isasymor\
+x\ \isasymin\ A\isacharbraceright\ =\
+\isacharbraceleft x.\ P\ x\isacharbraceright\ \isasymunion\ A"
+\par\smallskip
+\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\
+\isasymlongrightarrow\ Q\ x\isacharbraceright\ =\
+-\isacharbraceleft x.\ P\ x\isacharbraceright\
+\isasymunion\ \isacharbraceleft x.\ Q\ x\isacharbraceright"
+\end{isabelle}
+
+\smallskip
+Isabelle has a general syntax for comprehension, which is best 
+described through an example: 
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft p*q\ \isacharbar\ p\ q.\ 
+p{\isasymin}prime\ \isasymand\ q{\isasymin}prime\isacharbraceright\ =\ 
+\isanewline
+\ \ \ \ \ \ \ \ \isacharbraceleft z.\ \isasymexists p\ q.\ z\ =\ p*q\
+\isasymand\ p{\isasymin}prime\ \isasymand\
+q{\isasymin}prime\isacharbraceright"
+\end{isabelle}
+The left and right hand sides
+of this equation are identical. The syntax used in the 
+left-hand side abbreviates the right-hand side: in this case, all numbers
+that are the product of two primes.  The syntax provides a neat
+way of expressing any set given by an expression built up from variables
+under specific constraints.  The drawback is that it hides the true form of
+the expression, with its existential quantifiers. 
+
+\smallskip
+\emph{Remark}.  We do not need sets at all.  They are essentially equivalent
+to predicate variables, which are allowed in  higher-order logic.  The main
+benefit of sets is their notation;  we can write \isa{x{\isasymin}A}
+and
+\isa{\isacharbraceleft z.\ P\isacharbraceright} where predicates would
+require writing
+\isa{A(x)} and
+\isa{{\isasymlambda}z.\ P}. 
+\index{set comprehensions|)}
+
+
+\subsection{Binding Operators}
+
+\index{quantifiers!for sets|(}%
+Universal and existential quantifications may range over sets, 
+with the obvious meaning.  Here are the natural deduction rules for the
+bounded universal quantifier.  Occasionally you will need to apply
+\isa{bspec} with an explicit instantiation of the variable~\isa{x}:
+%
+\begin{isabelle}
+({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ P\ x)\ \isasymLongrightarrow\ {\isasymforall}x\isasymin
+A.\ P\ x%
+\rulenamedx{ballI}%
+\isanewline
+\isasymlbrakk{\isasymforall}x\isasymin A.\
+P\ x;\ x\ \isasymin\
+A\isasymrbrakk\ \isasymLongrightarrow\ P\
+x%
+\rulenamedx{bspec}
+\end{isabelle}
+%
+Dually, here are the natural deduction rules for the
+bounded existential quantifier.  You may need to apply
+\isa{bexI} with an explicit instantiation:
+\begin{isabelle}
+\isasymlbrakk P\ x;\
+x\ \isasymin\ A\isasymrbrakk\
+\isasymLongrightarrow\
+\isasymexists x\isasymin A.\ P\
+x%
+\rulenamedx{bexI}%
+\isanewline
+\isasymlbrakk\isasymexists x\isasymin A.\
+P\ x;\ {\isasymAnd}x.\
+{\isasymlbrakk}x\ \isasymin\ A;\
+P\ x\isasymrbrakk\ \isasymLongrightarrow\
+Q\isasymrbrakk\ \isasymLongrightarrow\ Q%
+\rulenamedx{bexE}
+\end{isabelle}
+\index{quantifiers!for sets|)}
+
+\index{union!indexed}%
+Unions can be formed over the values of a given  set.  The syntax is
+\mbox{\isa{\isasymUnion x\isasymin A.\ B}} or 
+\isa{UN x:A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law:
+\begin{isabelle}
+(b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x)) =\ (\isasymexists x\isasymin A.\
+b\ \isasymin\ B\ x)
+\rulenamedx{UN_iff}
+\end{isabelle}
+It has two natural deduction rules similar to those for the existential
+quantifier.  Sometimes \isa{UN_I} must be applied explicitly:
+\begin{isabelle}
+\isasymlbrakk a\ \isasymin\
+A;\ b\ \isasymin\
+B\ a\isasymrbrakk\ \isasymLongrightarrow\
+b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x)
+\rulenamedx{UN_I}%
+\isanewline
+\isasymlbrakk b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x);\
+{\isasymAnd}x.\ {\isasymlbrakk}x\ \isasymin\
+A;\ b\ \isasymin\
+B\ x\isasymrbrakk\ \isasymLongrightarrow\
+R\isasymrbrakk\ \isasymLongrightarrow\ R%
+\rulenamedx{UN_E}
+\end{isabelle}
+%
+The following built-in abbreviation (see {\S}\ref{sec:abbreviations})
+lets us express the union over a \emph{type}:
+\begin{isabelle}
+\ \ \ \ \
+({\isasymUnion}x.\ B\ x)\ {\isasymequiv}\
+({\isasymUnion}x{\isasymin}UNIV. B\ x)
+\end{isabelle}
+
+We may also express the union of a set of sets, written \isa{Union\ C} in
+\textsc{ascii}: 
+\begin{isabelle}
+(A\ \isasymin\ \isasymUnion C)\ =\ (\isasymexists X\isasymin C.\ A\
+\isasymin\ X)
+\rulenamedx{Union_iff}
+\end{isabelle}
+
+\index{intersection!indexed}%
+Intersections are treated dually, although they seem to be used less often
+than unions.  The syntax below would be \isa{INT
+x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}.  Among others, these
+theorems are available:
+\begin{isabelle}
+(b\ \isasymin\
+(\isasymInter x\isasymin A. B\ x))\
+=\
+({\isasymforall}x\isasymin A.\
+b\ \isasymin\ B\ x)
+\rulenamedx{INT_iff}%
+\isanewline
+(A\ \isasymin\
+\isasymInter C)\ =\
+({\isasymforall}X\isasymin C.\
+A\ \isasymin\ X)
+\rulenamedx{Inter_iff}
+\end{isabelle}
+
+Isabelle uses logical equivalences such as those above in automatic proof. 
+Unions, intersections and so forth are not simply replaced by their
+definitions.  Instead, membership tests are simplified.  For example,  $x\in
+A\cup B$ is replaced by $x\in A\lor x\in B$.
+
+The internal form of a comprehension involves the constant  
+\cdx{Collect},
+which occasionally appears when a goal or theorem
+is displayed.  For example, \isa{Collect\ P}  is the same term as
+\isa{\isacharbraceleft x.\ P\ x\isacharbraceright}.  The same thing can
+happen with quantifiers:   \hbox{\isa{All\ P}}\index{*All (constant)}
+is 
+\isa{{\isasymforall}x.\ P\ x} and 
+\hbox{\isa{Ex\ P}}\index{*Ex (constant)} is \isa{\isasymexists x.\ P\ x}; 
+also \isa{Ball\ A\ P}\index{*Ball (constant)} is 
+\isa{{\isasymforall}x\isasymin A.\ P\ x} and 
+\isa{Bex\ A\ P}\index{*Bex (constant)} is 
+\isa{\isasymexists x\isasymin A.\ P\ x}.  For indexed unions and
+intersections, you may see the constants 
+\cdx{UNION} and  \cdx{INTER}\@.
+The internal constant for $\varepsilon x.P(x)$ is~\cdx{Eps}.
+
+We have only scratched the surface of Isabelle/HOL's set theory, which provides
+hundreds of theorems for your use.
+
+
+\subsection{Finiteness and Cardinality}
+
+\index{sets!finite}%
+The predicate \sdx{finite} holds of all finite sets.  Isabelle/HOL
+includes many familiar theorems about finiteness and cardinality 
+(\cdx{card}). For example, we have theorems concerning the
+cardinalities of unions, intersections and the
+powerset:\index{cardinality}
+%
+\begin{isabelle}
+{\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline
+\isasymLongrightarrow\ card\ A\ \isacharplus\ card\ B\ =\ card\ (A\ \isasymunion\ B)\ \isacharplus\ card\ (A\ \isasyminter\ B)
+\rulenamedx{card_Un_Int}%
+\isanewline
+\isanewline
+finite\ A\ \isasymLongrightarrow\ card\
+(Pow\ A)\  =\ 2\ \isacharcircum\ card\ A%
+\rulenamedx{card_Pow}%
+\isanewline
+\isanewline
+finite\ A\ \isasymLongrightarrow\isanewline
+card\ \isacharbraceleft B.\ B\ \isasymsubseteq\
+A\ \isasymand\ card\ B\ =\
+k\isacharbraceright\ =\ card\ A\ choose\ k%
+\rulename{n_subsets}
+\end{isabelle}
+Writing $|A|$ as $n$, the last of these theorems says that the number of
+$k$-element subsets of~$A$ is \index{binomial coefficients}
+$\binom{n}{k}$.
+
+%\begin{warn}
+%The term \isa{finite\ A} is defined via a syntax translation as an
+%abbreviation for \isa{A {\isasymin} Finites}, where the constant
+%\cdx{Finites} denotes the set of all finite sets of a given type.  There
+%is no constant \isa{finite}.
+%\end{warn}
+\index{sets|)}
+
+
+\section{Functions}
+
+\index{functions|(}%
+This section describes a few concepts that involve
+functions.  Some of the more important theorems are given along with the 
+names. A few sample proofs appear. Unlike with set theory, however, 
+we cannot simply state lemmas and expect them to be proved using
+\isa{blast}. 
+
+\subsection{Function Basics}
+
+Two functions are \textbf{equal}\indexbold{equality!of functions}
+if they yield equal results given equal
+arguments.  This is the principle of
+\textbf{extensionality}\indexbold{extensionality!for functions} for
+functions:
+\begin{isabelle}
+({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g
+\rulenamedx{ext}
+\end{isabelle}
+
+\indexbold{updating a function}%
+Function \textbf{update} is useful for modelling machine states. It has 
+the obvious definition and many useful facts are proved about 
+it.  In particular, the following equation is installed as a simplification
+rule:
+\begin{isabelle}
+(f(x:=y))\ z\ =\ (if\ z\ =\ x\ then\ y\ else\ f\ z)
+\rulename{fun_upd_apply}
+\end{isabelle}
+Two syntactic points must be noted.  In
+\isa{(f(x:=y))\ z} we are applying an updated function to an
+argument; the outer parentheses are essential.  A series of two or more
+updates can be abbreviated as shown on the left-hand side of this theorem:
+\begin{isabelle}
+f(x:=y,\ x:=z)\ =\ f(x:=z)
+\rulename{fun_upd_upd}
+\end{isabelle}
+Note also that we can write \isa{f(x:=z)} with only one pair of parentheses
+when it is not being applied to an argument.
+
+\medskip
+The \bfindex{identity function} and function 
+\textbf{composition}\indexbold{composition!of functions} are
+defined:
+\begin{isabelle}%
+id\ \isasymequiv\ {\isasymlambda}x.\ x%
+\rulenamedx{id_def}\isanewline
+f\ \isasymcirc\ g\ \isasymequiv\
+{\isasymlambda}x.\ f\
+(g\ x)%
+\rulenamedx{o_def}
+\end{isabelle}
+%
+Many familiar theorems concerning the identity and composition 
+are proved. For example, we have the associativity of composition: 
+\begin{isabelle}
+f\ \isasymcirc\ (g\ \isasymcirc\ h)\ =\ f\ \isasymcirc\ g\ \isasymcirc\ h
+\rulename{o_assoc}
+\end{isabelle}
+
+\subsection{Injections, Surjections, Bijections}
+
+\index{injections}\index{surjections}\index{bijections}%
+A function may be \textbf{injective}, \textbf{surjective} or \textbf{bijective}: 
+\begin{isabelle}
+inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\
+{\isasymforall}y\isasymin  A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\
+=\ y%
+\rulenamedx{inj_on_def}\isanewline
+surj\ f\ \isasymequiv\ {\isasymforall}y.\
+\isasymexists x.\ y\ =\ f\ x%
+\rulenamedx{surj_def}\isanewline
+bij\ f\ \isasymequiv\ inj\ f\ \isasymand\ surj\ f
+\rulenamedx{bij_def}
+\end{isabelle}
+The second argument
+of \isa{inj_on} lets us express that a function is injective over a
+given set. This refinement is useful in higher-order logic, where
+functions are total; in some cases, a function's natural domain is a subset
+of its domain type.  Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\
+UNIV}, for when \isa{f} is injective everywhere.
+
+The operator \isa{inv} expresses the 
+\textbf{inverse}\indexbold{inverse!of a function}
+of a function. In 
+general the inverse may not be well behaved.  We have the usual laws,
+such as these: 
+\begin{isabelle}
+inj\ f\ \ \isasymLongrightarrow\ inv\ f\ (f\ x)\ =\ x%
+\rulename{inv_f_f}\isanewline
+surj\ f\ \isasymLongrightarrow\ f\ (inv\ f\ y)\ =\ y
+\rulename{surj_f_inv_f}\isanewline
+bij\ f\ \ \isasymLongrightarrow\ inv\ (inv\ f)\ =\ f
+\rulename{inv_inv_eq}
+\end{isabelle}
+%
+%Other useful facts are that the inverse of an injection 
+%is a surjection and vice versa; the inverse of a bijection is 
+%a bijection. 
+%\begin{isabelle}
+%inj\ f\ \isasymLongrightarrow\ surj\
+%(inv\ f)
+%\rulename{inj_imp_surj_inv}\isanewline
+%surj\ f\ \isasymLongrightarrow\ inj\ (inv\ f)
+%\rulename{surj_imp_inj_inv}\isanewline
+%bij\ f\ \isasymLongrightarrow\ bij\ (inv\ f)
+%\rulename{bij_imp_bij_inv}
+%\end{isabelle}
+%
+%The converses of these results fail.  Unless a function is 
+%well behaved, little can be said about its inverse. Here is another 
+%law: 
+%\begin{isabelle}
+%{\isasymlbrakk}bij\ f;\ bij\ g\isasymrbrakk\ \isasymLongrightarrow\ inv\ (f\ \isasymcirc\ g)\ =\ inv\ g\ \isasymcirc\ inv\ f%
+%\rulename{o_inv_distrib}
+%\end{isabelle}
+
+Theorems involving these concepts can be hard to prove. The following 
+example is easy, but it cannot be proved automatically. To begin 
+with, we need a law that relates the equality of functions to 
+equality over all arguments: 
+\begin{isabelle}
+(f\ =\ g)\ =\ ({\isasymforall}x.\ f\ x\ =\ g\ x)
+\rulename{fun_eq_iff}
+\end{isabelle}
+%
+This is just a restatement of
+extensionality.\indexbold{extensionality!for functions}
+Our lemma
+states  that an injection can be cancelled from the left  side of
+function composition: 
+\begin{isabelle}
+\isacommand{lemma}\ "inj\ f\ \isasymLongrightarrow\ (f\ o\ g\ =\ f\ o\ h)\ =\ (g\ =\ h)"\isanewline
+\isacommand{apply}\ (simp\ add:\ fun_eq_iff\ inj_on_def)\isanewline
+\isacommand{apply}\ auto\isanewline
+\isacommand{done}
+\end{isabelle}
+
+The first step of the proof invokes extensionality and the definitions 
+of injectiveness and composition. It leaves one subgoal:
+\begin{isabelle}
+\ 1.\ {\isasymforall}x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ =\ y\
+\isasymLongrightarrow\isanewline
+\ \ \ \ ({\isasymforall}x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ ({\isasymforall}x.\ g\ x\ =\ h\ x)
+\end{isabelle}
+This can be proved using the \isa{auto} method. 
+
+
+\subsection{Function Image}
+
+The \textbf{image}\indexbold{image!under a function}
+of a set under a function is a most useful notion.  It
+has the obvious definition: 
+\begin{isabelle}
+f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin
+A.\ y\ =\ f\ x\isacharbraceright
+\rulenamedx{image_def}
+\end{isabelle}
+%
+Here are some of the many facts proved about image: 
+\begin{isabelle}
+(f\ \isasymcirc\ g)\ `\ r\ =\ f\ `\ g\ `\ r
+\rulename{image_compose}\isanewline
+f`(A\ \isasymunion\ B)\ =\ f`A\ \isasymunion\ f`B
+\rulename{image_Un}\isanewline
+inj\ f\ \isasymLongrightarrow\ f`(A\ \isasyminter\
+B)\ =\ f`A\ \isasyminter\ f`B
+\rulename{image_Int}
+%\isanewline
+%bij\ f\ \isasymLongrightarrow\ f\ `\ (-\ A)\ =\ -\ f\ `\ A%
+%\rulename{bij_image_Compl_eq}
+\end{isabelle}
+
+
+Laws involving image can often be proved automatically. Here 
+are two examples, illustrating connections with indexed union and with the
+general syntax for comprehension:
+\begin{isabelle}
+\isacommand{lemma}\ "f`A\ \isasymunion\ g`A\ =\ ({\isasymUnion}x{\isasymin}A.\ \isacharbraceleft f\ x,\ g\
+x\isacharbraceright)"
+\par\smallskip
+\isacommand{lemma}\ "f\ `\ \isacharbraceleft(x,y){.}\ P\ x\ y\isacharbraceright\ =\ \isacharbraceleft f(x,y)\ \isacharbar\ x\ y.\ P\ x\
+y\isacharbraceright"
+\end{isabelle}
+
+\medskip
+\index{range!of a function}%
+A function's \textbf{range} is the set of values that the function can 
+take on. It is, in fact, the image of the universal set under 
+that function. There is no constant \isa{range}.  Instead,
+\sdx{range}  abbreviates an application of image to \isa{UNIV}: 
+\begin{isabelle}
+\ \ \ \ \ range\ f\
+{\isasymrightleftharpoons}\ f`UNIV
+\end{isabelle}
+%
+Few theorems are proved specifically 
+for {\isa{range}}; in most cases, you should look for a more general
+theorem concerning images.
+
+\medskip
+\textbf{Inverse image}\index{inverse image!of a function} is also  useful.
+It is defined as follows: 
+\begin{isabelle}
+f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright
+\rulenamedx{vimage_def}
+\end{isabelle}
+%
+This is one of the facts proved about it:
+\begin{isabelle}
+f\ -`\ (-\ A)\ =\ -\ f\ -`\ A%
+\rulename{vimage_Compl}
+\end{isabelle}
+\index{functions|)}
+
+
+\section{Relations}
+\label{sec:Relations}
+
+\index{relations|(}%
+A \textbf{relation} is a set of pairs.  As such, the set operations apply
+to them.  For instance, we may form the union of two relations.  Other
+primitives are defined specifically for relations. 
+
+\subsection{Relation Basics}
+
+The \bfindex{identity relation}, also known as equality, has the obvious 
+definition: 
+\begin{isabelle}
+Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}%
+\rulenamedx{Id_def}
+\end{isabelle}
+
+\indexbold{composition!of relations}%
+\textbf{Composition} of relations (the infix \sdx{O}) is also
+available: 
+\begin{isabelle}
+r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright
+\rulenamedx{rel_comp_def}
+\end{isabelle}
+%
+This is one of the many lemmas proved about these concepts: 
+\begin{isabelle}
+R\ O\ Id\ =\ R
+\rulename{R_O_Id}
+\end{isabelle}
+%
+Composition is monotonic, as are most of the primitives appearing 
+in this chapter.  We have many theorems similar to the following 
+one: 
+\begin{isabelle}
+\isasymlbrakk r\isacharprime\ \isasymsubseteq\ r;\ s\isacharprime\
+\isasymsubseteq\ s\isasymrbrakk\ \isasymLongrightarrow\ r\isacharprime\ O\
+s\isacharprime\ \isasymsubseteq\ r\ O\ s%
+\rulename{rel_comp_mono}
+\end{isabelle}
+
+\indexbold{converse!of a relation}%
+\indexbold{inverse!of a relation}%
+The \textbf{converse} or inverse of a
+relation exchanges the roles  of the two operands.  We use the postfix
+notation~\isa{r\isasyminverse} or
+\isa{r\isacharcircum-1} in ASCII\@.
+\begin{isabelle}
+((a,b)\ \isasymin\ r\isasyminverse)\ =\
+((b,a)\ \isasymin\ r)
+\rulenamedx{converse_iff}
+\end{isabelle}
+%
+Here is a typical law proved about converse and composition: 
+\begin{isabelle}
+(r\ O\ s)\isasyminverse\ =\ s\isasyminverse\ O\ r\isasyminverse
+\rulename{converse_rel_comp}
+\end{isabelle}
+
+\indexbold{image!under a relation}%
+The \textbf{image} of a set under a relation is defined
+analogously  to image under a function: 
+\begin{isabelle}
+(b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin
+A.\ (x,b)\ \isasymin\ r)
+\rulenamedx{Image_iff}
+\end{isabelle}
+It satisfies many similar laws.
+
+\index{domain!of a relation}%
+\index{range!of a relation}%
+The \textbf{domain} and \textbf{range} of a relation are defined in the 
+standard way: 
+\begin{isabelle}
+(a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\
+r)
+\rulenamedx{Domain_iff}%
+\isanewline
+(a\ \isasymin\ Range\ r)\
+\ =\ (\isasymexists y.\
+(y,a)\
+\isasymin\ r)
+\rulenamedx{Range_iff}
+\end{isabelle}
+
+Iterated composition of a relation is available.  The notation overloads 
+that of exponentiation.  Two simplification rules are installed: 
+\begin{isabelle}
+R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline
+R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n
+\end{isabelle}
+
+\subsection{The Reflexive and Transitive Closure}
+
+\index{reflexive and transitive closure|(}%
+The \textbf{reflexive and transitive closure} of the
+relation~\isa{r} is written with a
+postfix syntax.  In ASCII we write \isa{r\isacharcircum*} and in
+symbol notation~\isa{r\isactrlsup *}.  It is the least solution of the
+equation
+\begin{isabelle}
+r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *)
+\rulename{rtrancl_unfold}
+\end{isabelle}
+%
+Among its basic properties are three that serve as introduction 
+rules:
+\begin{isabelle}
+(a,\ a)\ \isasymin \ r\isactrlsup *
+\rulenamedx{rtrancl_refl}\isanewline
+p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup *
+\rulenamedx{r_into_rtrancl}\isanewline
+\isasymlbrakk (a,b)\ \isasymin \ r\isactrlsup *;\ 
+(b,c)\ \isasymin \ r\isactrlsup *\isasymrbrakk \ \isasymLongrightarrow \
+(a,c)\ \isasymin \ r\isactrlsup *
+\rulenamedx{rtrancl_trans}
+\end{isabelle}
+%
+Induction over the reflexive transitive closure is available: 
+\begin{isabelle}
+\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup *;\ P\ a;\ \isasymAnd y\ z.\ \isasymlbrakk (a,\ y)\ \isasymin \ r\isactrlsup *;\ (y,\ z)\ \isasymin \ r;\ P\ y\isasymrbrakk \ \isasymLongrightarrow \ P\ z\isasymrbrakk \isanewline
+\isasymLongrightarrow \ P\ b%
+\rulename{rtrancl_induct}
+\end{isabelle}
+%
+Idempotence is one of the laws proved about the reflexive transitive 
+closure: 
+\begin{isabelle}
+(r\isactrlsup *)\isactrlsup *\ =\ r\isactrlsup *
+\rulename{rtrancl_idemp}
+\end{isabelle}
+
+\smallskip
+The transitive closure is similar.  The ASCII syntax is
+\isa{r\isacharcircum+}.  It has two  introduction rules: 
+\begin{isabelle}
+p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup +
+\rulenamedx{r_into_trancl}\isanewline
+\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup +;\ (b,\ c)\ \isasymin \ r\isactrlsup +\isasymrbrakk \ \isasymLongrightarrow \ (a,\ c)\ \isasymin \ r\isactrlsup +
+\rulenamedx{trancl_trans}
+\end{isabelle}
+%
+The induction rule resembles the one shown above. 
+A typical lemma states that transitive closure commutes with the converse
+operator: 
+\begin{isabelle}
+(r\isasyminverse )\isactrlsup +\ =\ (r\isactrlsup +)\isasyminverse 
+\rulename{trancl_converse}
+\end{isabelle}
+
+\subsection{A Sample Proof}
+
+The reflexive transitive closure also commutes with the converse
+operator.  Let us examine the proof. Each direction of the equivalence
+is  proved separately. The two proofs are almost identical. Here 
+is the first one: 
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \
+(r\isasyminverse)\isactrlsup *\ \isasymLongrightarrow \ (y,x)\ \isasymin
+\ r\isactrlsup *"\isanewline
+\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
+\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
+\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+The first step of the proof applies induction, leaving these subgoals: 
+\begin{isabelle}
+\ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline
+\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \
+(r\isasyminverse)\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\
+(y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline
+\ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup *
+\end{isabelle}
+%
+The first subgoal is trivial by reflexivity. The second follows 
+by first eliminating the converse operator, yielding the
+assumption \isa{(z,y)\
+\isasymin\ r}, and then
+applying the introduction rules shown above.  The same proof script handles
+the other direction: 
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isactrlsup *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isasyminverse)\isactrlsup *"\isanewline
+\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
+\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
+\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+
+Finally, we combine the two lemmas to prove the desired equation: 
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converse:\ "(r\isasyminverse)\isactrlsup *\ =\ (r\isactrlsup *)\isasyminverse"\isanewline
+\isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\
+rtrancl_converseD)
+\end{isabelle}
+
+\begin{warn}
+This trivial proof requires \isa{auto} rather than \isa{blast} because
+of a subtle issue involving ordered pairs.  Here is a subgoal that
+arises internally after  the rules
+\isa{equalityI} and \isa{subsetI} have been applied:
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ x\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ x\ \isasymin \ (r\isactrlsup
+*)\isasyminverse
+%ignore subgoal 2
+%\ 2.\ \isasymAnd x.\ x\ \isasymin \ (r\isactrlsup *)\isasyminverse \
+%\isasymLongrightarrow \ x\ \isasymin \ (r\isasyminverse )\isactrlsup *
+\end{isabelle}
+\par\noindent
+We cannot apply \isa{rtrancl_converseD}\@.  It refers to
+ordered pairs, while \isa{x} is a variable of product type.
+The \isa{simp} and \isa{blast} methods can do nothing, so let us try
+\isa{clarify}:
+\begin{isabelle}
+\ 1.\ \isasymAnd a\ b.\ (a,b)\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ (b,a)\ \isasymin \ r\isactrlsup
+*
+\end{isabelle}
+Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can
+proceed.  Other methods that split variables in this way are \isa{force},
+\isa{auto}, \isa{fast} and \isa{best}.  Section~\ref{sec:products} will discuss proof
+techniques for ordered pairs in more detail.
+\end{warn}
+\index{relations|)}\index{reflexive and transitive closure|)}
+
+
+\section{Well-Founded Relations and Induction}
+\label{sec:Well-founded}
+
+\index{relations!well-founded|(}%
+A well-founded relation captures the notion of a terminating
+process. Complex recursive functions definitions must specify a
+well-founded relation that justifies their
+termination~\cite{isabelle-function}. Most of the forms of induction found
+in mathematics are merely special cases of induction over a
+well-founded relation.
+
+Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no
+infinite  descending chains
+\[ \cdots \prec a@2 \prec a@1 \prec a@0. \]
+Well-foundedness can be hard to show. The various 
+formulations are all complicated.  However,  often a relation
+is well-founded by construction.  HOL provides
+theorems concerning ways of constructing  a well-founded relation.  The
+most familiar way is to specify a 
+\index{measure functions}\textbf{measure function}~\isa{f} into
+the natural numbers, when $\isa{x}\prec \isa{y}\iff \isa{f x} < \isa{f y}$;
+we write this particular relation as
+\isa{measure~f}.
+
+\begin{warn}
+You may want to skip the rest of this section until you need to perform a
+complex recursive function definition or induction.  The induction rule
+returned by
+\isacommand{fun} is good enough for most purposes.  We use an explicit
+well-founded induction only in {\S}\ref{sec:CTL-revisited}.
+\end{warn}
+
+Isabelle/HOL declares \cdx{less_than} as a relation object, 
+that is, a set of pairs of natural numbers. Two theorems tell us that this
+relation  behaves as expected and that it is well-founded: 
+\begin{isabelle}
+((x,y)\ \isasymin\ less_than)\ =\ (x\ <\ y)
+\rulenamedx{less_than_iff}\isanewline
+wf\ less_than
+\rulenamedx{wf_less_than}
+\end{isabelle}
+
+The notion of measure generalizes to the 
+\index{inverse image!of a relation}\textbf{inverse image} of
+a relation. Given a relation~\isa{r} and a function~\isa{f}, we express  a
+new relation using \isa{f} as a measure.  An infinite descending chain on
+this new relation would give rise to an infinite descending chain
+on~\isa{r}.  Isabelle/HOL defines this concept and proves a
+theorem stating that it preserves well-foundedness: 
+\begin{isabelle}
+inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\
+\isasymin\ r\isacharbraceright
+\rulenamedx{inv_image_def}\isanewline
+wf\ r\ \isasymLongrightarrow\ wf\ (inv_image\ r\ f)
+\rulenamedx{wf_inv_image}
+\end{isabelle}
+
+A measure function involves the natural numbers.  The relation \isa{measure
+size} justifies primitive recursion and structural induction over a
+datatype.  Isabelle/HOL defines
+\isa{measure} as shown: 
+\begin{isabelle}
+measure\ \isasymequiv\ inv_image\ less_than%
+\rulenamedx{measure_def}\isanewline
+wf\ (measure\ f)
+\rulenamedx{wf_measure}
+\end{isabelle}
+
+Of the other constructions, the most important is the
+\bfindex{lexicographic product} of two relations. It expresses the
+standard dictionary  ordering over pairs.  We write \isa{ra\ <*lex*>\
+rb}, where \isa{ra} and \isa{rb} are the two operands.  The
+lexicographic product satisfies the usual  definition and it preserves
+well-foundedness: 
+\begin{isabelle}
+ra\ <*lex*>\ rb\ \isasymequiv \isanewline
+\ \ \isacharbraceleft ((a,b),(a',b')).\ (a,a')\ \isasymin \ ra\
+\isasymor\isanewline
+\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \,a=a'\ \isasymand \ (b,b')\
+\isasymin \ rb\isacharbraceright 
+\rulenamedx{lex_prod_def}%
+\par\smallskip
+\isasymlbrakk wf\ ra;\ wf\ rb\isasymrbrakk \ \isasymLongrightarrow \ wf\ (ra\ <*lex*>\ rb)
+\rulenamedx{wf_lex_prod}
+\end{isabelle}
+
+%These constructions can be used in a
+%\textbf{recdef} declaration ({\S}\ref{sec:recdef-simplification}) to define
+%the well-founded relation used to prove termination.
+
+The \bfindex{multiset ordering}, useful for hard termination proofs, is
+available in the Library~\cite{HOL-Library}.
+Baader and Nipkow \cite[{\S}2.5]{Baader-Nipkow} discuss it. 
+
+\medskip
+Induction\index{induction!well-founded|(}
+comes in many forms,
+including traditional mathematical  induction, structural induction on
+lists and induction on size.  All are instances of the following rule,
+for a suitable well-founded relation~$\prec$: 
+\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \]
+To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for
+arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$. 
+Intuitively, the well-foundedness of $\prec$ ensures that the chains of
+reasoning are finite.
+
+\smallskip
+In Isabelle, the induction rule is expressed like this:
+\begin{isabelle}
+{\isasymlbrakk}wf\ r;\ 
+  {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\
+\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
+\isasymLongrightarrow\ P\ a
+\rulenamedx{wf_induct}
+\end{isabelle}
+Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded.
+
+Many familiar induction principles are instances of this rule. 
+For example, the predecessor relation on the natural numbers 
+is well-founded; induction over it is mathematical induction. 
+The ``tail of'' relation on lists is well-founded; induction over 
+it is structural induction.%
+\index{induction!well-founded|)}%
+\index{relations!well-founded|)}
+
+
+\section{Fixed Point Operators}
+
+\index{fixed points|(}%
+Fixed point operators define sets
+recursively.  They are invoked implicitly when making an inductive
+definition, as discussed in Chap.\ts\ref{chap:inductive} below.  However,
+they can be used directly, too. The
+\emph{least}  or \emph{strongest} fixed point yields an inductive
+definition;  the \emph{greatest} or \emph{weakest} fixed point yields a
+coinductive  definition.  Mathematicians may wish to note that the
+existence  of these fixed points is guaranteed by the Knaster-Tarski
+theorem. 
+
+\begin{warn}
+Casual readers should skip the rest of this section.  We use fixed point
+operators only in {\S}\ref{sec:VMC}.
+\end{warn}
+
+The theory applies only to monotonic functions.\index{monotone functions|bold} 
+Isabelle's definition of monotone is overloaded over all orderings:
+\begin{isabelle}
+mono\ f\ \isasymequiv\ {\isasymforall}A\ B.\ A\ \isasymle\ B\ \isasymlongrightarrow\ f\ A\ \isasymle\ f\ B%
+\rulenamedx{mono_def}
+\end{isabelle}
+%
+For fixed point operators, the ordering will be the subset relation: if
+$A\subseteq B$ then we expect $f(A)\subseteq f(B)$.  In addition to its
+definition, monotonicity has the obvious introduction and destruction
+rules:
+\begin{isabelle}
+({\isasymAnd}A\ B.\ A\ \isasymle\ B\ \isasymLongrightarrow\ f\ A\ \isasymle\ f\ B)\ \isasymLongrightarrow\ mono\ f%
+\rulename{monoI}%
+\par\smallskip%          \isanewline didn't leave enough space
+{\isasymlbrakk}mono\ f;\ A\ \isasymle\ B\isasymrbrakk\
+\isasymLongrightarrow\ f\ A\ \isasymle\ f\ B%
+\rulename{monoD}
+\end{isabelle}
+
+The most important properties of the least fixed point are that 
+it is a fixed point and that it enjoys an induction rule: 
+\begin{isabelle}
+mono\ f\ \isasymLongrightarrow\ lfp\ f\ =\ f\ (lfp\ f)
+\rulename{lfp_unfold}%
+\par\smallskip%          \isanewline didn't leave enough space
+{\isasymlbrakk}a\ \isasymin\ lfp\ f;\ mono\ f;\isanewline
+  \ {\isasymAnd}x.\ x\
+\isasymin\ f\ (lfp\ f\ \isasyminter\ \isacharbraceleft x.\ P\
+x\isacharbraceright)\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
+\isasymLongrightarrow\ P\ a%
+\rulename{lfp_induct}
+\end{isabelle}
+%
+The induction rule shown above is more convenient than the basic 
+one derived from the minimality of {\isa{lfp}}.  Observe that both theorems
+demand \isa{mono\ f} as a premise.
+
+The greatest fixed point is similar, but it has a \bfindex{coinduction} rule: 
+\begin{isabelle}
+mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f)
+\rulename{gfp_unfold}%
+\isanewline
+{\isasymlbrakk}mono\ f;\ a\ \isasymin\ X;\ X\ \isasymsubseteq\ f\ (X\
+\isasymunion\ gfp\ f)\isasymrbrakk\ \isasymLongrightarrow\ a\ \isasymin\
+gfp\ f%
+\rulename{coinduct}
+\end{isabelle}
+A \textbf{bisimulation}\index{bisimulations} 
+is perhaps the best-known concept defined as a
+greatest fixed point.  Exhibiting a bisimulation to prove the equality of
+two agents in a process algebra is an example of coinduction.
+The coinduction rule can be strengthened in various ways.
+\index{fixed points|)}
+
+%The section "Case Study: Verified Model Checking" is part of this chapter
+\input{ctl0}
+\endinput
--- a/doc-src/TutorialI/document/simp.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,799 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{simp}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsubsection{Simplification Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{simplification rules}
-To facilitate simplification,  
-the attribute \isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\index{*simp (attribute)}
-declares theorems to be simplification rules, which the simplifier
-will use automatically.  In addition, \isacommand{datatype} and
-\isacommand{primrec} declarations (and a few others) 
-implicitly declare some simplification rules.  
-Explicit definitions are \emph{not} declared as 
-simplification rules automatically!
-
-Nearly any theorem can become a simplification
-rule. The simplifier will try to transform it into an equation.  
-For example, the theorem
-\isa{{\isaliteral{5C3C6E6F743E}{\isasymnot}}\ P} is turned into \isa{P\ {\isaliteral{3D}{\isacharequal}}\ False}. The details
-are explained in \S\ref{sec:SimpHow}.
-
-The simplification attribute of theorems can be turned on and off:%
-\index{*simp del (attribute)}
-\begin{quote}
-\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}}\\
-\isacommand{declare} \textit{theorem-name}\isa{{\isaliteral{5B}{\isacharbrackleft}}simp\ del{\isaliteral{5D}{\isacharbrackright}}}
-\end{quote}
-Only equations that really simplify, like \isa{rev\
-{\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs} and
-\isa{xs\ {\isacharat}\ {\isacharbrackleft}{\isacharbrackright}\
-{\isacharequal}\ xs}, should be declared as default simplification rules. 
-More specific ones should only be used selectively and should
-not be made default.  Distributivity laws, for example, alter
-the structure of terms and can produce an exponential blow-up instead of
-simplification.  A default simplification rule may
-need to be disabled in certain proofs.  Frequent changes in the simplification
-status of a theorem may indicate an unwise use of defaults.
-\begin{warn}
-  Simplification can run forever, for example if both $f(x) = g(x)$ and
-  $g(x) = f(x)$ are simplification rules. It is the user's responsibility not
-  to include simplification rules that can lead to nontermination, either on
-  their own or in combination with other simplification rules.
-\end{warn}
-\begin{warn}
-  It is inadvisable to toggle the simplification attribute of a
-  theorem from a parent theory $A$ in a child theory $B$ for good.
-  The reason is that if some theory $C$ is based both on $B$ and (via a
-  different path) on $A$, it is not defined what the simplification attribute
-  of that theorem will be in $C$: it could be either.
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{The {\tt\slshape simp}  Method%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{*simp (method)|bold}
-The general format of the simplification method is
-\begin{quote}
-\isa{simp} \textit{list of modifiers}
-\end{quote}
-where the list of \emph{modifiers} fine tunes the behaviour and may
-be empty. Specific modifiers are discussed below.  Most if not all of the
-proofs seen so far could have been performed
-with \isa{simp} instead of \isa{auto}, except that \isa{simp} attacks
-only the first subgoal and may thus need to be repeated --- use
-\methdx{simp_all} to simplify all subgoals.
-If nothing changes, \isa{simp} fails.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Adding and Deleting Simplification Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{simplification rules!adding and deleting}%
-If a certain theorem is merely needed in a few proofs by simplification,
-we do not need to make it a global simplification rule. Instead we can modify
-the set of simplification rules used in a simplification step by adding rules
-to it and/or deleting rules from it. The two modifiers for this are
-\begin{quote}
-\isa{add{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*add (modifier)}\\
-\isa{del{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*del (modifier)}
-\end{quote}
-Or you can use a specific list of theorems and omit all others:
-\begin{quote}
-\isa{only{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}\index{*only (modifier)}
-\end{quote}
-In this example, we invoke the simplifier, adding two distributive
-laws:
-\begin{quote}
-\isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ mod{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib\ add{\isaliteral{5F}{\isacharunderscore}}mult{\isaliteral{5F}{\isacharunderscore}}distrib{\isaliteral{29}{\isacharparenright}}}
-\end{quote}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Assumptions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{simplification!with/of assumptions}
-By default, assumptions are part of the simplification process: they are used
-as simplification rules and are simplified themselves. For example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ ys\ {\isaliteral{40}{\isacharat}}\ xs{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-\ simp\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The second assumption simplifies to \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which in turn
-simplifies the first assumption to \isa{zs\ {\isaliteral{3D}{\isacharequal}}\ ys}, thus reducing the
-conclusion to \isa{ys\ {\isaliteral{3D}{\isacharequal}}\ ys} and hence to \isa{True}.
-
-In some cases, using the assumptions can lead to nontermination:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ f\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{40}{\isacharat}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-An unmodified application of \isa{simp} loops.  The culprit is the
-simplification rule \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ {\isaliteral{28}{\isacharparenleft}}f\ {\isaliteral{28}{\isacharparenleft}}g\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}, which is extracted from
-the assumption.  (Isabelle notices certain simple forms of
-nontermination but not this one.)  The problem can be circumvented by
-telling the simplifier to ignore the assumptions:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ {\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Three modifiers influence the treatment of assumptions:
-\begin{description}
-\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm (modifier)}
- means that assumptions are completely ignored.
-\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}simp{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_simp (modifier)}
- means that the assumptions are not simplified but
-  are used in the simplification of the conclusion.
-\item[\isa{{\isaliteral{28}{\isacharparenleft}}no{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{5F}{\isacharunderscore}}use{\isaliteral{29}{\isacharparenright}}}]\index{*no_asm_use (modifier)}
- means that the assumptions are simplified but are not
-  used in the simplification of each other or the conclusion.
-\end{description}
-Only one of the modifiers is allowed, and it must precede all
-other modifiers.
-%\begin{warn}
-%Assumptions are simplified in a left-to-right fashion. If an
-%assumption can help in simplifying one to the left of it, this may get
-%overlooked. In such cases you have to rotate the assumptions explicitly:
-%\isacommand{apply}@ {text"("}\methdx{rotate_tac}~$n$@ {text")"}
-%causes a cyclic shift by $n$ positions from right to left, if $n$ is
-%positive, and from left to right, if $n$ is negative.
-%Beware that such rotations make proofs quite brittle.
-%\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Rewriting with Definitions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:Simp-with-Defs}\index{simplification!with definitions}
-Constant definitions (\S\ref{sec:ConstDefinitions}) can be used as
-simplification rules, but by default they are not: the simplifier does not
-expand them automatically.  Definitions are intended for introducing abstract
-concepts and not merely as abbreviations.  Of course, we need to expand
-the definition initially, but once we have proved enough abstract properties
-of the new constant, we can forget its original definition.  This style makes
-proofs more robust: if the definition has to be changed,
-only the proofs of the abstract properties will be affected.
-
-For example, given%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{definition}\isamarkupfalse%
-\ xor\ {\isaliteral{3A}{\isacharcolon}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ bool{\isaliteral{22}{\isachardoublequoteclose}}\ \isakeyword{where}\isanewline
-{\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ B\ {\isaliteral{5C3C65717569763E}{\isasymequiv}}\ {\isaliteral{28}{\isacharparenleft}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}B{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ B{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\begin{isamarkuptext}%
-\noindent
-we may want to prove%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}xor\ A\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6E6F743E}{\isasymnot}}A{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-Typically, we begin by unfolding some definitions:
-\indexbold{definitions!unfolding}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ only{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-In this particular case, the resulting goal
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C6F723E}{\isasymor}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ A%
-\end{isabelle}
-can be proved by simplification. Thus we could have proved the lemma outright by%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ xor{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Of course we can also unfold definitions in the middle of a proof.
-
-\begin{warn}
-  If you have defined $f\,x\,y~\isasymequiv~t$ then you can only unfold
-  occurrences of $f$ with at least two arguments. This may be helpful for unfolding
-  $f$ selectively, but it may also get in the way. Defining
-  $f$~\isasymequiv~\isasymlambda$x\,y.\;t$ allows to unfold all occurrences of $f$.
-\end{warn}
-
-There is also the special method \isa{unfold}\index{*unfold (method)|bold}
-which merely unfolds
-one or several definitions, as in \isacommand{apply}\isa{(unfold xor_def)}.
-This is can be useful in situations where \isa{simp} does too much.
-Warning: \isa{unfold} acts on all subgoals!%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Simplifying {\tt\slshape let}-Expressions%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{simplification!of \isa{let}-expressions}\index{*let expressions}%
-Proving a goal containing \isa{let}-expressions almost invariably requires the
-\isa{let}-con\-structs to be expanded at some point. Since
-\isa{let}\ldots\isa{=}\ldots\isa{in}{\ldots} is just syntactic sugar for
-the predefined constant \isa{Let}, expanding \isa{let}-constructs
-means rewriting with \tdx{Let_def}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}let\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ in\ xs{\isaliteral{40}{\isacharat}}ys{\isaliteral{40}{\isacharat}}xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ ys{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ add{\isaliteral{3A}{\isacharcolon}}\ Let{\isaliteral{5F}{\isacharunderscore}}def{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-If, in a particular context, there is no danger of a combinatorial explosion
-of nested \isa{let}s, you could even simplify with \isa{Let{\isaliteral{5F}{\isacharunderscore}}def} by
-default:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ Let{\isaliteral{5F}{\isacharunderscore}}def\ {\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}%
-\isamarkupsubsection{Conditional Simplification Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{conditional simplification rules}%
-So far all examples of rewrite rules were equations. The simplifier also
-accepts \emph{conditional} equations, for example%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3A}{\isacharcolon}}\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ \ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ \ hd\ xs\ {\isaliteral{23}{\isacharhash}}\ tl\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}case{\isaliteral{5F}{\isacharunderscore}}tac\ xs{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{2C}{\isacharcomma}}\ simp{\isaliteral{29}{\isacharparenright}}\isanewline
-\isacommand{done}\isamarkupfalse%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Note the use of ``\ttindexboldpos{,}{$Isar}'' to string together a
-sequence of methods. Assuming that the simplification rule
-\isa{{\isaliteral{28}{\isacharparenleft}}rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}}
-is present as well,
-the lemma below is proved by plain simplification:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ hd{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl{\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ rev\ xs{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-The conditional equation \isa{hd{\isaliteral{5F}{\isacharunderscore}}Cons{\isaliteral{5F}{\isacharunderscore}}tl} above
-can simplify \isa{hd\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{23}{\isacharhash}}\ tl\ {\isaliteral{28}{\isacharparenleft}}rev\ xs{\isaliteral{29}{\isacharparenright}}} to \isa{rev\ xs}
-because the corresponding precondition \isa{rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}
-simplifies to \isa{xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}}, which is exactly the local
-assumption of the subgoal.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Automatic Case Splits%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:AutoCaseSplits}\indexbold{case splits}%
-Goals containing \isa{if}-expressions\index{*if expressions!splitting of}
-are usually proved by case
-distinction on the boolean condition.  Here is an example:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-%
-\begin{isamarkuptxt}%
-\noindent
-The goal can be split by a special method, \methdx{split}:%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}xs{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ rev\ xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-where \tdx{split_if} is a theorem that expresses splitting of
-\isa{if}s. Because
-splitting the \isa{if}s is usually the right proof strategy, the
-simplifier does it automatically.  Try \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}}
-on the initial goal above.
-
-This splitting idea generalizes from \isa{if} to \sdx{case}.
-Let us simplify a case analysis over lists:\index{*list.split (theorem)}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}case\ xs\ of\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ zs\ {\isaliteral{7C}{\isacharbar}}\ y{\isaliteral{23}{\isacharhash}}ys\ {\isaliteral{5C3C52696768746172726F773E}{\isasymRightarrow}}\ y{\isaliteral{23}{\isacharhash}}{\isaliteral{28}{\isacharparenleft}}ys{\isaliteral{40}{\isacharat}}zs{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ xs{\isaliteral{40}{\isacharat}}zs{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}split\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{28}{\isacharparenleft}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\isanewline
-\isaindent{\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ }{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}a\ list{\isaliteral{2E}{\isachardot}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ a\ {\isaliteral{23}{\isacharhash}}\ list\ {\isaliteral{40}{\isacharat}}\ zs\ {\isaliteral{3D}{\isacharequal}}\ xs\ {\isaliteral{40}{\isacharat}}\ zs{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-The simplifier does not split
-\isa{case}-expressions, as it does \isa{if}-expressions, 
-because with recursive datatypes it could lead to nontermination.
-Instead, the simplifier has a modifier
-\isa{split}\index{*split (modifier)} 
-for adding splitting rules explicitly.  The
-lemma above can be proved in one step by%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ split{\isaliteral{3A}{\isacharcolon}}\ list{\isaliteral{2E}{\isachardot}}split{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-whereas \isacommand{apply}\isa{{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}} alone will not succeed.
-
-Every datatype $t$ comes with a theorem
-$t$\isa{{\isaliteral{2E}{\isachardot}}split} which can be declared to be a \bfindex{split rule} either
-locally as above, or by giving it the \attrdx{split} attribute globally:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-\noindent
-The \isa{split} attribute can be removed with the \isa{del} modifier,
-either locally%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp\ split\ del{\isaliteral{3A}{\isacharcolon}}\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-or globally:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{declare}\isamarkupfalse%
-\ list{\isaliteral{2E}{\isachardot}}split\ {\isaliteral{5B}{\isacharbrackleft}}split\ del{\isaliteral{5D}{\isacharbrackright}}%
-\begin{isamarkuptext}%
-Polished proofs typically perform splitting within \isa{simp} rather than 
-invoking the \isa{split} method.  However, if a goal contains
-several \isa{if} and \isa{case} expressions, 
-the \isa{split} method can be
-helpful in selectively exploring the effects of splitting.
-
-The split rules shown above are intended to affect only the subgoal's
-conclusion.  If you want to split an \isa{if} or \isa{case}-expression
-in the assumptions, you have to apply \tdx{split_if_asm} or
-$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}if\ xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ then\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ else\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}split\ split{\isaliteral{5F}{\isacharunderscore}}if{\isaliteral{5F}{\isacharunderscore}}asm{\isaliteral{29}{\isacharparenright}}%
-\begin{isamarkuptxt}%
-\noindent
-Unlike splitting the conclusion, this step creates two
-separate subgoals, which here can be solved by \isa{simp{\isaliteral{5F}{\isacharunderscore}}all}:
-\begin{isabelle}%
-\ {\isadigit{1}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
-\ {\isadigit{2}}{\isaliteral{2E}{\isachardot}}\ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}xs\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{3B}{\isacharsemicolon}}\ ys\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ ys\ {\isaliteral{5C3C6E6F7465713E}{\isasymnoteq}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}%
-\end{isabelle}
-If you need to split both in the assumptions and the conclusion,
-use $t$\isa{{\isaliteral{2E}{\isachardot}}splits} which subsumes $t$\isa{{\isaliteral{2E}{\isachardot}}split} and
-$t$\isa{{\isaliteral{2E}{\isachardot}}split{\isaliteral{5F}{\isacharunderscore}}asm}. Analogously, there is \isa{if{\isaliteral{5F}{\isacharunderscore}}splits}.
-
-\begin{warn}
-  The simplifier merely simplifies the condition of an 
-  \isa{if}\index{*if expressions!simplification of} but not the
-  \isa{then} or \isa{else} parts. The latter are simplified only after the
-  condition reduces to \isa{True} or \isa{False}, or after splitting. The
-  same is true for \sdx{case}-expressions: only the selector is
-  simplified at first, until either the expression reduces to one of the
-  cases or it is split.
-\end{warn}%
-\end{isamarkuptxt}%
-\isamarkuptrue%
-%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isamarkupsubsection{Tracing%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\indexbold{tracing the simplifier}
-Using the simplifier effectively may take a bit of experimentation.  Set the
-Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier} to get a better idea of what is going on:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-\isacommand{lemma}\isamarkupfalse%
-\ {\isaliteral{22}{\isachardoublequoteopen}}rev\ {\isaliteral{5B}{\isacharbrackleft}}a{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{apply}\isamarkupfalse%
-{\isaliteral{28}{\isacharparenleft}}simp{\isaliteral{29}{\isacharparenright}}%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-produces the following trace in Proof General's \pgmenu{Trace} buffer:
-
-\begin{ttbox}\makeatother
-[1]Applying instance of rewrite rule "List.rev.simps_2":
-rev (?x1 # ?xs1) \(\equiv\) rev ?xs1 @ [?x1]
-
-[1]Rewriting:
-rev [a] \(\equiv\) rev [] @ [a]
-
-[1]Applying instance of rewrite rule "List.rev.simps_1":
-rev [] \(\equiv\) []
-
-[1]Rewriting:
-rev [] \(\equiv\) []
-
-[1]Applying instance of rewrite rule "List.op @.append_Nil":
-[] @ ?y \(\equiv\) ?y
-
-[1]Rewriting:
-[] @ [a] \(\equiv\) [a]
-
-[1]Applying instance of rewrite rule
-?x2 # ?t1 = ?t1 \(\equiv\) False
-
-[1]Rewriting:
-[a] = [] \(\equiv\) False
-\end{ttbox}
-The trace lists each rule being applied, both in its general form and
-the instance being used. The \texttt{[}$i$\texttt{]} in front (where
-above $i$ is always \texttt{1}) indicates that we are inside the $i$th
-invocation of the simplifier. Each attempt to apply a
-conditional rule shows the rule followed by the trace of the
-(recursive!) simplification of the conditions, the latter prefixed by
-\texttt{[}$i+1$\texttt{]} instead of \texttt{[}$i$\texttt{]}.
-Another source of recursive invocations of the simplifier are
-proofs of arithmetic formulae. By default, recursive invocations are not shown,
-you must increase the trace depth via \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier Depth}.
-
-Many other hints about the simplifier's actions may appear.
-
-In more complicated cases, the trace can be very lengthy.  Thus it is
-advisable to reset the \pgmenu{Trace Simplifier} flag after having
-obtained the desired trace.
-Since this is easily forgotten (and may have the unpleasant effect of
-swamping the interface with trace information), here is how you can switch
-the trace on locally in a proof:%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\isatagproof
-\isacommand{using}\isamarkupfalse%
-\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5B}{\isacharbrackleft}}simp{\isaliteral{5F}{\isacharunderscore}}trace{\isaliteral{3D}{\isacharequal}}true{\isaliteral{5D}{\isacharbrackright}}{\isaliteral{5D}{\isacharbrackright}}\isanewline
-\isacommand{apply}\isamarkupfalse%
-\ simp%
-\endisatagproof
-{\isafoldproof}%
-%
-\isadelimproof
-%
-\endisadelimproof
-%
-\begin{isamarkuptext}%
-\noindent
-Within the current proof, all simplifications in subsequent proof steps
-will be traced, but the text reminds you to remove the \isa{using} clause
-after it has done its job.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Finding Theorems\label{sec:find}%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\indexbold{finding theorems}\indexbold{searching theorems}
-Isabelle's large database of proved theorems 
-offers a powerful search engine. Its chief limitation is
-its restriction to the theories currently loaded.
-
-\begin{pgnote}
-The search engine is started by clicking on Proof General's \pgmenu{Find} icon.
-You specify your search textually in the input buffer at the bottom
-of the window.
-\end{pgnote}
-
-The simplest form of search finds theorems containing specified
-patterns.  A pattern can be any term (even
-a single identifier).  It may contain ``\texttt{\_}'', a wildcard standing
-for any term. Here are some
-examples:
-\begin{ttbox}
-length
-"_ # _ = _ # _"
-"_ + _"
-"_ * (_ - (_::nat))"
-\end{ttbox}
-Specifying types, as shown in the last example, 
-constrains searches involving overloaded operators.
-
-\begin{warn}
-Always use ``\texttt{\_}'' rather than variable names: searching for
-\texttt{"x + y"} will usually not find any matching theorems
-because they would need to contain \texttt{x} and~\texttt{y} literally.
-When searching for infix operators, do not just type in the symbol,
-such as~\texttt{+}, but a proper term such as \texttt{"_ + _"}.
-This remark applies to more complicated syntaxes, too.
-\end{warn}
-
-If you are looking for rewrite rules (possibly conditional) that could
-simplify some term, prefix the pattern with \texttt{simp:}.
-\begin{ttbox}
-simp: "_ * (_ + _)"
-\end{ttbox}
-This finds \emph{all} equations---not just those with a \isa{simp} attribute---whose conclusion has the form
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}%
-\end{isabelle}
-It only finds equations that can simplify the given pattern
-at the root, not somewhere inside: for example, equations of the form
-\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5C3C646F74733E}{\isasymdots}}} do not match.
-
-You may also search for theorems by name---you merely
-need to specify a substring. For example, you could search for all
-commutativity theorems like this:
-\begin{ttbox}
-name: comm
-\end{ttbox}
-This retrieves all theorems whose name contains \texttt{comm}.
-
-Search criteria can also be negated by prefixing them with ``\texttt{-}''.
-For example,
-\begin{ttbox}
--name: List
-\end{ttbox}
-finds theorems whose name does not contain \texttt{List}. You can use this
-to exclude particular theories from the search: the long name of
-a theorem contains the name of the theory it comes from.
-
-Finallly, different search criteria can be combined arbitrarily. 
-The effect is conjuctive: Find returns the theorems that satisfy all of
-the criteria. For example,
-\begin{ttbox}
-"_ + _"  -"_ - _"  -simp: "_ * (_ + _)"  name: assoc
-\end{ttbox}
-looks for theorems containing plus but not minus, and which do not simplify
-\mbox{\isa{{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2A}{\isacharasterisk}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5F}{\isacharunderscore}}\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{5F}{\isacharunderscore}}{\isaliteral{29}{\isacharparenright}}}} at the root, and whose name contains \texttt{assoc}.
-
-Further search criteria are explained in \S\ref{sec:find2}.
-
-\begin{pgnote}
-Proof General keeps a history of all your search expressions.
-If you click on \pgmenu{Find}, you can use the arrow keys to scroll
-through previous searches and just modify them. This saves you having
-to type in lengthy expressions again and again.
-\end{pgnote}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/document/simp2.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,249 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{simp{\isadigit{2}}}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isamarkupsection{Simplification%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:simplification-II}\index{simplification|(}
-This section describes features not covered until now.  It also
-outlines the simplification process itself, which can be helpful
-when the simplifier does not do what you expect of it.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{Advanced Features%
-}
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Congruence Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:simp-cong}
-While simplifying the conclusion $Q$
-of $P \Imp Q$, it is legal to use the assumption $P$.
-For $\Imp$ this policy is hardwired, but 
-contextual information can also be made available for other
-operators. For example, \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs} simplifies to \isa{True} because we may use \isa{xs\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{5B}{\isacharbrackleft}}{\isaliteral{5D}{\isacharbrackright}}} when simplifying \isa{xs\ {\isaliteral{40}{\isacharat}}\ xs\ {\isaliteral{3D}{\isacharequal}}\ xs}. The generation of contextual information during simplification is
-controlled by so-called \bfindex{congruence rules}. This is the one for
-\isa{{\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}}:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-It should be read as follows:
-In order to simplify \isa{P\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q} to \isa{P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ Q{\isaliteral{27}{\isacharprime}}},
-simplify \isa{P} to \isa{P{\isaliteral{27}{\isacharprime}}}
-and assume \isa{P{\isaliteral{27}{\isacharprime}}} when simplifying \isa{Q} to \isa{Q{\isaliteral{27}{\isacharprime}}}.
-
-Here are some more examples.  The congruence rules for bounded
-quantifiers supply contextual information about the bound variable:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}A\ {\isaliteral{3D}{\isacharequal}}\ B{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C416E643E}{\isasymAnd}}x{\isaliteral{2E}{\isachardot}}\ x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ B\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ P\ x\ {\isaliteral{3D}{\isacharequal}}\ Q\ x{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}A{\isaliteral{2E}{\isachardot}}\ P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{5C3C696E3E}{\isasymin}}B{\isaliteral{2E}{\isachardot}}\ Q\ x{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-One congruence rule for conditional expressions supplies contextual
-information for simplifying the \isa{then} and \isa{else} cases:
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}b\ {\isaliteral{3D}{\isacharequal}}\ c{\isaliteral{3B}{\isacharsemicolon}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ x\ {\isaliteral{3D}{\isacharequal}}\ u{\isaliteral{3B}{\isacharsemicolon}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ y\ {\isaliteral{3D}{\isacharequal}}\ v{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\isanewline
-\isaindent{\ \ \ \ \ }{\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ u\ else\ v{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-An alternative congruence rule for conditional expressions
-actually \emph{prevents} simplification of some arguments:
-\begin{isabelle}%
-\ \ \ \ \ b\ {\isaliteral{3D}{\isacharequal}}\ c\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}if\ b\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}if\ c\ then\ x\ else\ y{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-Only the first argument is simplified; the others remain unchanged.
-This makes simplification much faster and is faithful to the evaluation
-strategy in programming languages, which is why this is the default
-congruence rule for \isa{if}. Analogous rules control the evaluation of
-\isa{case} expressions.
-
-You can declare your own congruence rules with the attribute \attrdx{cong},
-either globally, in the usual manner,
-\begin{quote}
-\isacommand{declare} \textit{theorem-name} \isa{{\isaliteral{5B}{\isacharbrackleft}}cong{\isaliteral{5D}{\isacharbrackright}}}
-\end{quote}
-or locally in a \isa{simp} call by adding the modifier
-\begin{quote}
-\isa{cong{\isaliteral{3A}{\isacharcolon}}} \textit{list of theorem names}
-\end{quote}
-The effect is reversed by \isa{cong\ del} instead of \isa{cong}.
-
-\begin{warn}
-The congruence rule \isa{conj{\isaliteral{5F}{\isacharunderscore}}cong}
-\begin{isabelle}%
-\ \ \ \ \ {\isaliteral{5C3C6C6272616B6B3E}{\isasymlbrakk}}P\ {\isaliteral{3D}{\isacharequal}}\ P{\isaliteral{27}{\isacharprime}}{\isaliteral{3B}{\isacharsemicolon}}\ P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ Q\ {\isaliteral{3D}{\isacharequal}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{5C3C726272616B6B3E}{\isasymrbrakk}}\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}P\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}P{\isaliteral{27}{\isacharprime}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ Q{\isaliteral{27}{\isacharprime}}{\isaliteral{29}{\isacharparenright}}%
-\end{isabelle}
-\par\noindent
-is occasionally useful but is not a default rule; you have to declare it explicitly.
-\end{warn}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Permutative Rewrite Rules%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{rewrite rules!permutative|bold}%
-An equation is a \textbf{permutative rewrite rule} if the left-hand
-side and right-hand side are the same up to renaming of variables.  The most
-common permutative rule is commutativity: \isa{x\ {\isaliteral{2B}{\isacharplus}}\ y\ {\isaliteral{3D}{\isacharequal}}\ y\ {\isaliteral{2B}{\isacharplus}}\ x}.  Other examples
-include \isa{x\ {\isaliteral{2D}{\isacharminus}}\ y\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{3D}{\isacharequal}}\ x\ {\isaliteral{2D}{\isacharminus}}\ z\ {\isaliteral{2D}{\isacharminus}}\ y} in arithmetic and \isa{insert\ x\ {\isaliteral{28}{\isacharparenleft}}insert\ y\ A{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ insert\ y\ {\isaliteral{28}{\isacharparenleft}}insert\ x\ A{\isaliteral{29}{\isacharparenright}}} for sets. Such rules are problematic because
-once they apply, they can be used forever. The simplifier is aware of this
-danger and treats permutative rules by means of a special strategy, called
-\bfindex{ordered rewriting}: a permutative rewrite
-rule is only applied if the term becomes smaller with respect to a fixed
-lexicographic ordering on terms. For example, commutativity rewrites
-\isa{b\ {\isaliteral{2B}{\isacharplus}}\ a} to \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b}, but then stops because \isa{a\ {\isaliteral{2B}{\isacharplus}}\ b} is strictly
-smaller than \isa{b\ {\isaliteral{2B}{\isacharplus}}\ a}.  Permutative rewrite rules can be turned into
-simplification rules in the usual manner via the \isa{simp} attribute; the
-simplifier recognizes their special status automatically.
-
-Permutative rewrite rules are most effective in the case of
-associative-commutative functions.  (Associativity by itself is not
-permutative.)  When dealing with an AC-function~$f$, keep the
-following points in mind:
-\begin{itemize}\index{associative-commutative function}
-  
-\item The associative law must always be oriented from left to right,
-  namely $f(f(x,y),z) = f(x,f(y,z))$.  The opposite orientation, if
-  used with commutativity, can lead to nontermination.
-
-\item To complete your set of rewrite rules, you must add not just
-  associativity~(A) and commutativity~(C) but also a derived rule, {\bf
-    left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
-\end{itemize}
-Ordered rewriting with the combination of A, C, and LC sorts a term
-lexicographically:
-\[\def\maps#1{~\stackrel{#1}{\leadsto}~}
- f(f(b,c),a) \maps{A} f(b,f(c,a)) \maps{C} f(b,f(a,c)) \maps{LC} f(a,f(b,c)) \]
-
-Note that ordered rewriting for \isa{{\isaliteral{2B}{\isacharplus}}} and \isa{{\isaliteral{2A}{\isacharasterisk}}} on numbers is rarely
-necessary because the built-in arithmetic prover often succeeds without
-such tricks.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsection{How the Simplifier Works%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:SimpHow}
-Roughly speaking, the simplifier proceeds bottom-up: subterms are simplified
-first.  A conditional equation is only applied if its condition can be
-proved, again by simplification.  Below we explain some special features of
-the rewriting process.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{Higher-Order Patterns%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\index{simplification rule|(}
-So far we have pretended the simplifier can deal with arbitrary
-rewrite rules. This is not quite true.  For reasons of feasibility,
-the simplifier expects the
-left-hand side of each rule to be a so-called \emph{higher-order
-pattern}~\cite{nipkow-patterns}\indexbold{patterns!higher-order}. 
-This restricts where
-unknowns may occur.  Higher-order patterns are terms in $\beta$-normal
-form.  (This means there are no subterms of the form $(\lambda x. M)(N)$.)  
-Each occurrence of an unknown is of the form
-$\Var{f}~x@1~\dots~x@n$, where the $x@i$ are distinct bound
-variables. Thus all ordinary rewrite rules, where all unknowns are
-of base type, for example \isa{{\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}a\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}b\ {\isaliteral{2B}{\isacharplus}}\ {\isaliteral{3F}{\isacharquery}}c{\isaliteral{29}{\isacharparenright}}}, are acceptable: if an unknown is
-of base type, it cannot have any arguments. Additionally, the rule
-\isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}P\ x{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C666F72616C6C3E}{\isasymforall}}x{\isaliteral{2E}{\isachardot}}\ {\isaliteral{3F}{\isacharquery}}Q\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}} is also acceptable, in
-both directions: all arguments of the unknowns \isa{{\isaliteral{3F}{\isacharquery}}P} and
-\isa{{\isaliteral{3F}{\isacharquery}}Q} are distinct bound variables.
-
-If the left-hand side is not a higher-order pattern, all is not lost.
-The simplifier will still try to apply the rule provided it
-matches directly: without much $\lambda$-calculus hocus
-pocus.  For example, \isa{{\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True} rewrites
-\isa{g\ a\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ g} to \isa{True}, but will fail to match
-\isa{g{\isaliteral{28}{\isacharparenleft}}h\ b{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range{\isaliteral{28}{\isacharparenleft}}{\isaliteral{5C3C6C616D6264613E}{\isasymlambda}}x{\isaliteral{2E}{\isachardot}}\ g{\isaliteral{28}{\isacharparenleft}}h\ x{\isaliteral{29}{\isacharparenright}}{\isaliteral{29}{\isacharparenright}}}.  However, you can
-eliminate the offending subterms --- those that are not patterns ---
-by adding new variables and conditions.
-In our example, we eliminate \isa{{\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x} and obtain
- \isa{{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{3D}{\isacharequal}}\ {\isaliteral{3F}{\isacharquery}}f\ {\isaliteral{3F}{\isacharquery}}x\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{3F}{\isacharquery}}y\ {\isaliteral{5C3C696E3E}{\isasymin}}\ range\ {\isaliteral{3F}{\isacharquery}}f{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{3D}{\isacharequal}}\ True}, which is fine
-as a conditional rewrite rule since conditions can be arbitrary
-terms.  However, this trick is not a panacea because the newly
-introduced conditions may be hard to solve.
-  
-There is no restriction on the form of the right-hand
-sides.  They may not contain extraneous term or type variables, though.%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isamarkupsubsubsection{The Preprocessor%
-}
-\isamarkuptrue%
-%
-\begin{isamarkuptext}%
-\label{sec:simp-preprocessor}
-When a theorem is declared a simplification rule, it need not be a
-conditional equation already.  The simplifier will turn it into a set of
-conditional equations automatically.  For example, \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x\ {\isaliteral{5C3C616E643E}{\isasymand}}\ h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x} becomes the two separate
-simplification rules \isa{f\ x\ {\isaliteral{3D}{\isacharequal}}\ g\ x} and \isa{h\ x\ {\isaliteral{3D}{\isacharequal}}\ k\ x}. In
-general, the input theorem is converted as follows:
-\begin{eqnarray}
-\neg P &\mapsto& P = \hbox{\isa{False}} \nonumber\\
-P \longrightarrow Q &\mapsto& P \Longrightarrow Q \nonumber\\
-P \land Q &\mapsto& P,\ Q \nonumber\\
-\forall x.~P~x &\mapsto& P~\Var{x}\nonumber\\
-\forall x \in A.\ P~x &\mapsto& \Var{x} \in A \Longrightarrow P~\Var{x} \nonumber\\
-\isa{if}\ P\ \isa{then}\ Q\ \isa{else}\ R &\mapsto&
- P \Longrightarrow Q,\ \neg P \Longrightarrow R \nonumber
-\end{eqnarray}
-Once this conversion process is finished, all remaining non-equations
-$P$ are turned into trivial equations $P =\isa{True}$.
-For example, the formula 
-\begin{center}\isa{{\isaliteral{28}{\isacharparenleft}}p\ {\isaliteral{5C3C6C6F6E6772696768746172726F773E}{\isasymlongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u\ {\isaliteral{5C3C616E643E}{\isasymand}}\ {\isaliteral{5C3C6E6F743E}{\isasymnot}}\ r{\isaliteral{29}{\isacharparenright}}\ {\isaliteral{5C3C616E643E}{\isasymand}}\ s}\end{center}
-is converted into the three rules
-\begin{center}
-\isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ t\ {\isaliteral{3D}{\isacharequal}}\ u},\quad  \isa{p\ {\isaliteral{5C3C4C6F6E6772696768746172726F773E}{\isasymLongrightarrow}}\ r\ {\isaliteral{3D}{\isacharequal}}\ False},\quad  \isa{s\ {\isaliteral{3D}{\isacharequal}}\ True}.
-\end{center}
-\index{simplification rule|)}
-\index{simplification|)}%
-\end{isamarkuptext}%
-\isamarkuptrue%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/tutorial.sty	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,191 @@
+% tutorial.sty : Isabelle Tutorial Page Layout
+%
+\typeout{Document Style tutorial. Released 9 July 2001}
+
+\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
+\hyphenation{data-type data-types co-data-type co-data-types }
+
+%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
+\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
+
+
+%%%INDEXING  use isa-index to process the index
+
+\newcommand\seealso[2]{\emph{see also} #1}
+\usepackage{makeidx}
+
+%index, putting page numbers of definitions in boldface
+\def\bold#1{\textbf{#1}}
+\newcommand\fnote[1]{#1n}
+\newcommand\indexbold[1]{\index{#1|bold}}
+
+% The alternative to \protect\isa in the indexing macros is
+% \noexpand\noexpand \noexpand\isa
+% need TWO levels of \noexpand to delay the expansion of \isa:
+%  the \noexpand\noexpand will leave one \noexpand, to be given to the
+%  (still unexpanded) \isa token.  See TeX by Topic, page 122.
+
+%%%% for indexing constants, symbols, theorems, ...
+\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
+\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
+\newcommand\sdxpos[2]{\isa{#1}\index{#2@\protect\isa{#1} (symbol)}}
+
+\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
+\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
+
+\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
+\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
+\newcommand\tcdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type class)}}
+\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
+
+\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
+\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
+\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
+\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
+\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
+\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
+\newcommand\pgdx[1]{\pgmenu{#1}\index{#1@\protect\pgmenu{#1} (Proof General)}}
+
+%set argument in \bf font and index in ROMAN font (for definitions in text!)
+\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
+
+\newcommand\rmindex[1]{{#1}\index{#1}\@}
+\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
+\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
+
+\newcommand{\isadxpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}}\@}
+\newcommand{\isadxboldpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}|bold}\@}
+
+%Commented-out the original versions to see what the index looks like without them.
+%   In any event, they need to use \isa or \protect\isa rather than \texttt.
+%%\newcommand{\indexboldpos}[2]{#1\index{#2@#1|bold}\@}
+%%\newcommand{\ttindexboldpos}[2]{\texttt{#1}\index{#2@\texttt{#1}|bold}\@}
+\newcommand{\indexboldpos}[2]{#1\@}
+\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
+
+%\newtheorem{theorem}{Theorem}[section]
+\newtheorem{Exercise}{Exercise}[section]
+\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
+\newcommand{\ttlbr}{\texttt{[|}}
+\newcommand{\ttrbr}{\texttt{|]}}
+\newcommand{\ttor}{\texttt{|}}
+\newcommand{\ttall}{\texttt{!}}
+\newcommand{\ttuniquex}{\texttt{?!}}
+\newcommand{\ttEXU}{\texttt{EX!}}
+\newcommand{\ttAnd}{\texttt{!!}}
+
+\newcommand{\isasymignore}{}
+\newcommand{\isasymimp}{\isasymlongrightarrow}
+\newcommand{\isasymImp}{\isasymLongrightarrow}
+\newcommand{\isasymFun}{\isasymRightarrow}
+\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
+\renewcommand{\S}{Sect.\ts}
+
+\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
+
+\newif\ifremarks
+\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
+
+%names of Isabelle rules
+\newcommand{\rulename}[1]{\hfill(#1)}
+\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
+
+%%%% meta-logical connectives
+
+\let\Forall=\bigwedge
+\let\Imp=\Longrightarrow
+\let\To=\Rightarrow
+\newcommand{\Var}[1]{{?\!#1}}
+
+%%% underscores as ordinary characters, not for subscripting
+%%  use @ or \sb for subscripting; use \at for @
+%%  only works in \tt font
+%%  must not make _ an active char; would make \ttindex fail!
+\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
+\gdef\underscoreon{\catcode`\_=8\makeatother}
+\chardef\other=12
+\chardef\at=`\@
+
+% alternative underscore
+\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
+
+
+%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
+\def\warnbang{\vtop to 0pt{\vss\hbox{\Huge\bf!\!!}\vss}}
+\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000 
+         \small %%WAS\baselineskip=0.9\baselineskip
+         \noindent \hangindent\parindent \hangafter=-2 
+         \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}%
+        {\par\endgroup\medbreak}
+
+%%%% ``PROOF GENERAL'' environment
+\def\pghead{\lower3pt\vbox to 0pt{\vss\hbox{\includegraphics[width=12pt]{pghead}}\vss}}
+\newenvironment{pgnote}{\medskip\medbreak\begingroup \clubpenalty=10000 
+         \small \noindent \hangindent\parindent \hangafter=-2 
+         \hbox to0pt{\hskip-\hangindent \pghead\hfill}\ignorespaces}%
+  {\par\endgroup\medbreak}
+\newcommand{\pgmenu}[1]{\textsf{#1}}
+
+
+%%%% Standard logical symbols
+\let\turn=\vdash
+\let\conj=\wedge
+\let\disj=\vee
+\let\imp=\rightarrow
+\let\bimp=\leftrightarrow
+\newcommand\all[1]{\forall#1.}  %quantification
+\newcommand\ex[1]{\exists#1.}
+\newcommand{\pair}[1]{\langle#1\rangle}
+
+\newcommand{\lparr}{\mathopen{(\!|}}
+\newcommand{\rparr}{\mathclose{|\!)}}
+\newcommand{\fs}{\mathpunct{,\,}}
+\newcommand{\ty}{\mathrel{::}}
+\newcommand{\asn}{\mathrel{:=}}
+\newcommand{\more}{\ldots}
+\newcommand{\record}[1]{\lparr #1 \rparr}
+\newcommand{\dtt}{\mathord.}
+
+\newcommand\lbrakk{\mathopen{[\![}}
+\newcommand\rbrakk{\mathclose{]\!]}}
+\newcommand\List[1]{\lbrakk#1\rbrakk}  %was \obj
+\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
+\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
+\newcommand{\Text}[1]{\mbox{#1}}
+
+\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
+\newcommand{\dsh}{\mathit{\dshsym}}
+
+\let\int=\cap
+\let\un=\cup
+\let\inter=\bigcap
+\let\union=\bigcup
+
+\def\ML{{\sc ml}}
+\def\AST{{\sc ast}}
+
+%macros to change the treatment of symbols
+\def\relsemicolon{\mathcode`\;="303B}   %treat ; like a relation
+\def\binperiod{\mathcode`\.="213A}   %treat . like a binary operator
+\def\binvert{\mathcode`\|="226A}     %treat | like a binary operator
+
+%redefinition of \sloppy and \fussy to use \emergencystretch
+\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
+\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
+
+%non-bf version of description
+\def\descrlabel#1{\hspace\labelsep #1}
+\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
+\let\enddescr\endlist
+
+% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
+% generate text italic rather than math italic by default. This makes
+% multi-letter identifiers look better. The mathcode for character c
+% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
+%
+\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
+\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
+        \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
+        \advance\count0 by1 \advance\count1 by1 \repeat}}
+\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
+\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
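Review bot: The new tutorial.sty does not declare everything it depends on. `\pghead` calls `\includegraphics` although nothing in this file loads a graphics package, and `\renewcommand{\S}{Sect.\ts}` uses `\ts`, which is not defined here. Both presumably come from the document preamble or another style file, so the package only works when it is loaded after them. I would add `\RequirePackage{graphicx}` next to the makeidx line, or failing that a comment such as `% requires graphicx and \ts to be defined by the including document`. The makeidx line itself would be more conventional in a package file as `\RequirePackage{makeidx}` rather than `\usepackage{makeidx}`. The file also opens with only a `\typeout` banner, so a `\ProvidesPackage{tutorial}` line would let LaTeX record it in the log's file list.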
Binary file doc-src/TutorialI/document/typedef.pdf has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/typedef.ps	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,2461 @@
+%!PS-Adobe-3.0
+%%Title: (new.pdf)
+%%Version: 1 3
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 2
+%%BoundingBox: 155 328 457 464
+%%Pages: 1
+%%DocumentProcessColors: (atend)
+%%DocumentSuppliedResources: (atend)
+%%EndComments
+%%BeginDefaults
+%%EndDefaults
+%%BeginProlog
+%%EndProlog
+%%BeginSetup
+%%BeginResource: l2check
+%%Copyright: Copyright 1993 Adobe Systems Incorporated. All Rights Reserved.
+systemdict /languagelevel known
+{ systemdict /languagelevel get 1 eq }
+{ true }
+ifelse
+{
+initgraphics /Helvetica findfont 18 scalefont setfont
+72 600 moveto (Error: Your printer driver needs to be configured) dup show
+72 580 moveto (for printing to a PostScript Language Level 1 printer.) dup show
+exch = =
+/Helvetica-Bold findfont 16 scalefont setfont
+72 520 moveto (Windows and Unix) show
+/Times-Roman findfont 16 scalefont setfont
+72 500 moveto (Select ªLanguage Level 1º in the PostScript options section) show
+72 480 moveto (of the Acrobat print dialog.) show
+/Helvetica-Bold findfont 16 scalefont setfont
+72 440 moveto (Macintosh) show
+/Times-Roman findfont 16 scalefont setfont
+72 420 moveto (In the Chooser, select your printer driver.) show
+72 400 moveto (Then select your printer and click the Setup button.) show
+72 380 moveto (Follow any on-screen dialogs that may appear.) show
+showpage
+quit
+}
+if
+%%EndResource
+/currentpacking where{pop currentpacking true setpacking}if
+%%BeginResource: procset pdfvars
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Version: 4.0 2
+%%Title: definition of dictionary of variables used by PDF & PDFText procsets
+userdict /PDF 160 dict put
+userdict /PDFVars 86 dict dup begin put
+/_save 0 def
+/_cshow 0 def
+/InitAll 0 def
+/TermAll 0 def
+/DocInitAll 0 def
+/DocTermAll 0 def
+/_lp /none def
+/_doClip 0 def
+/sfc 0 def
+/_sfcs 0 def
+/_sfc 0 def
+/ssc 0 def
+/_sscs 0 def
+/_ssc 0 def
+/_fcs 0 def
+/_scs 0 def
+/_fp 0 def
+/_sp 0 def
+/AGM_MAX_CS_COMPONENTS 10 def
+/_fillColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
+/_strokeColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
+/_fc null def
+/_sc null def
+/DefaultGray [/DeviceGray] def
+/DefaultRGB [/DeviceRGB] def
+/DefaultCMYK [/DeviceCMYK] def
+/_inT false def
+/_tr -1 def
+/_rise 0 def
+/_ax 0 def
+/_cx 0 def
+/_ld 0 def
+/_tm matrix def
+/_ctm matrix def
+/_mtx matrix def
+/_hy (-) def
+/_fScl 0 def
+/_hs 1 def
+/_pdfEncodings 2 array def
+/_baselineadj 0 def
+/_fTzero false def
+/_Tj 0 def
+/_italMtx [1 0 .212557 1 0 0] def
+/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
+/_italMtxType0 [1 0 .1062785 1 0 0] def
+/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
+/_basefont 0 def
+/_basefonto 0 def
+/_pdf_oldCIDInit null def
+/_pdf_FontDirectory 30 dict def
+/_categories 10 dict def
+/_sa? true def
+/_op? false def
+/_OP? false def
+/_opmode 0 def
+/_ColorSep5044? false def
+/_tmpcolr? [] def
+/_tmpop? {} def
+/_processColors 0 def
+/_defaulttransfer currenttransfer def
+/_defaultflatness currentflat def
+/_defaulthalftone null def
+/_defaultcolortransfer null def
+/_defaultblackgeneration null def
+/_defaultundercolorremoval null def
+/_defaultcolortransfer null def
+end
+%%EndResource
+PDFVars begin PDF begin
+%%BeginResource: procset pdfutil
+%%Copyright: Copyright 1993-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Version: 4.0 2
+%%Title: Basic utilities used by other PDF procsets
+/bd {bind def} bind def
+/ld {load def} bd
+/bld {
+dup length dict begin
+{ null def } forall
+bind
+end
+def
+} bd
+/dd { PDFVars 3 1 roll put } bd
+/xdd { exch dd } bd
+/Level2?
+systemdict /languagelevel known
+{ systemdict /languagelevel get 2 ge } { false } ifelse
+def
+/Level3?
+systemdict /languagelevel known
+{systemdict /languagelevel get 3 eq } { false } ifelse
+def
+/getifknown {
+2 copy known { get true } { pop pop false } ifelse
+} bd
+/here {
+currentdict exch getifknown
+} bd
+/isdefined? { where { pop true } { false } ifelse } bd
+/StartLoad { dup dup not { /_save save dd } if } bd
+/EndLoad { if not { _save restore } if } bd
+%%EndResource
+%%BeginResource: procset pdf
+%%Version: 4.0 3
+%%Copyright: Copyright 1998-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: General operators for PDF, common to all Language Levels.
+[/b/B/b*/B*/BDC/BI/BMC/BT/BX/c/cm/cs/CS/d/d0/d1/Do/DP/EI/EMC/ET/EX/f/f*/g/G/gs
+/h/i/j/J/k/K/l/m/M/MP/n/q/Q/re/rg/RG/ri/s/S/sc/SC/scn/SCN/sg/Tc/Td/TD/Tf/Tj/TJ
+/TL/Tm/Tr/Ts/Tw/Tz/T*/v/w/W/W*/y/'/"
+/applyInterpFunc/applystitchFunc/domainClip/EF/encodeInput/gsDI/ilp/icl
+/initgs/int/limit/PS/rangeClip/RC/rf/makePat/csfamily 
+/? /! /| /: /+ /GetGlyphDirectory
+] {null def} bind forall
+/v { currentpoint 6 2 roll c } bd
+/y { 2 copy c } bd
+/h/closepath ld
+/d/setdash ld
+/j/setlinejoin ld
+/J/setlinecap ld
+/M/setmiterlimit ld
+/w/setlinewidth ld
+/i {
+dup 0 eq { pop _defaultflatness } if
+setflat
+} bd
+/gsDI {
+begin
+/OP here { /_OP? xdd } if
+/op here { /_op? xdd }
+{ /OP here { /_op? xdd } if }
+ifelse
+/OPM here { /_opmode xdd } if
+/Font here { aload pop Tf } if
+/LW here { w } if
+/LC here { J } if
+/LJ here { j } if
+/ML here { M } if
+/D here { aload pop d } if
+end
+} bd
+/ilp { /_lp /none dd } bd
+/icl { /_doClip 0 dd } bd
+/W { /_doClip 1 dd } bd
+/W* { /_doClip 2 dd } bd
+/n {
+{{} {clip} {eoclip}} _doClip get exec
+icl
+newpath
+} bd
+/s { h S } bd
+/B { q f Q S } bd
+/B* { q f* Q S } bd
+/b { h B } bd
+/b* { h B* } bd
+/q/save ld
+/Q { restore ilp } bd
+/GetCSFamily {
+dup type /arraytype eq {0 get} if
+} bd
+/GetCompsDict
+11 dict begin
+/DeviceGray { pop 1 } bd
+/DeviceRGB { pop 3 } bd
+/DeviceCMYK { pop 4 } bd
+/CIEBasedA { pop 1 } bd
+/CIEBasedABC { pop 3 } bd
+/CIEBasedDEF { pop 3 } bd
+/CIEBasedDEFG { pop 4 } bd
+/DeviceN { 1 get length } bd
+/Separation { pop 1 } bd
+/Indexed { pop 1 } bd
+/Pattern { pop 0 } bd
+currentdict
+end
+def
+/GetComps {
+GetCompsDict
+1 index GetCSFamily
+get exec
+} bd
+/cs
+{
+dup _fcs eq
+{ pop }
+{ dup /_fcs xdd
+GetComps
+_fillColors exch get
+/_fc xdd
+/_fp null dd
+} ifelse
+} bd
+/CS
+{
+dup _scs eq
+{ pop }
+{ dup /_scs xdd GetComps _strokeColors exch get /_sc xdd /_sp null dd }
+ifelse
+} bd
+/sc {
+_fc astore pop
+ilp
+} bd
+/SC {
+_sc astore pop
+ilp
+} bd
+/g { DefaultGray cs sc } bd
+/rg { DefaultRGB cs sc } bd
+/k { DefaultCMYK cs sc } bd
+/G { DefaultGray CS SC } bd
+/RG { DefaultRGB CS SC } bd
+/K { DefaultCMYK CS SC } bd
+/cm { _mtx astore concat } bd
+/re {
+4 2 roll m
+1 index 0 rlineto
+0 exch rlineto
+neg 0 rlineto
+h
+} bd
+/RC/rectclip ld
+/EF/execform ld
+/PS { cvx exec } bd
+/initgs {
+/DefaultGray [/DeviceGray] dd
+/DefaultRGB [/DeviceRGB] dd
+/DefaultCMYK [/DeviceCMYK] dd
+0 g 0 G
+[] 0 d
+0 j
+0 J
+10 M
+1 w
+true setSA
+/_op? false dd
+/_OP? false dd
+/_opmode 0 dd
+/_defaulttransfer load settransfer
+0 i
+/RelativeColorimetric ri
+newpath
+} bd
+/int {
+dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
+exch pop add exch pop
+} bd
+/limit {
+dup 2 index le { exch } if pop
+dup 2 index ge { exch } if pop
+} bd
+/domainClip {
+Domain aload pop 3 2 roll
+limit
+} [/Domain] bld
+/applyInterpFunc {
+0 1 DimOut 1 sub
+{
+dup C0 exch get exch
+dup C1 exch get exch
+3 1 roll
+1 index sub
+3 index
+N exp mul add
+exch
+currentdict /Range_lo known
+{
+dup Range_lo exch get exch
+Range_hi exch get
+3 2 roll limit
+}
+{
+pop
+}
+ifelse
+exch
+} for
+pop
+} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
+/encodeInput {
+NumParts 1 sub
+0 1 2 index
+{
+dup Bounds exch get
+2 index gt
+{ exit }
+{ dup
+3 index eq
+{ exit }
+{ pop } ifelse
+} ifelse
+} for
+3 2 roll pop
+dup Bounds exch get exch
+dup 1 add Bounds exch get exch
+2 mul
+dup Encode exch get exch
+1 add Encode exch get
+int
+} [/NumParts /Bounds /Encode] bld
+/rangeClip {
+exch dup Range_lo exch get
+exch Range_hi exch get
+3 2 roll
+limit
+} [/Range_lo /Range_hi] bld
+/applyStitchFunc {
+Functions exch get exec
+currentdict /Range_lo known {
+0 1 DimOut 1 sub {
+DimOut 1 add -1 roll
+rangeClip
+} for
+} if
+} [/Functions /Range_lo /DimOut] bld
+%%EndResource
+%%BeginResource: procset pdflev2
+%%Version: 4.0 5
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%LanguageLevel: 2
+%%Title: PDF operators, with code specific for Level 2
+/_defaulthalftone currenthalftone dd
+/_defaultblackgeneration currentblackgeneration dd
+/_defaultundercolorremoval currentundercolorremoval dd
+/_defaultcolortransfer [currentcolortransfer] dd
+/initialize {
+_defaulthalftone sethalftone
+/_defaultblackgeneration load setblackgeneration
+/_defaultundercolorremoval load setundercolorremoval
+_defaultcolortransfer aload pop setcolortransfer
+false setoverprint
+<</MaxFormItem 0>> setuserparams
+} bd
+/terminate { } bd
+/m/moveto ld
+/l/lineto ld
+/c/curveto ld
+/setSA/setstrokeadjust ld
+/defineRes/defineresource ld
+/findRes/findresource ld
+currentglobal
+true systemdict /setglobal get exec
+[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource]
+{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
+forall
+systemdict /setglobal get exec
+/ri
+{
+/findcolorrendering isdefined?
+{
+mark exch
+findcolorrendering
+counttomark 2 eq
+{ type /booleantype eq
+{ dup type /nametype eq
+{ dup /ColorRendering resourcestatus
+{ pop pop
+dup /DefaultColorRendering ne
+{
+/ColorRendering findresource
+setcolorrendering
+} if
+} if
+} if
+} if
+} if
+cleartomark
+}
+{ pop
+} ifelse
+} bd
+/_sfcs {_fcs setcolorspace} bind dd
+/_sscs {_scs setcolorspace} bind dd
+/_sfc
+{
+_fc aload pop
+_fp null eq
+{ setcolor }
+{ _fp setpattern }
+ifelse
+} bind dd
+/_ssc
+{
+_sc aload pop
+_sp null eq { setcolor} { _sp setpattern } ifelse
+} bind dd
+/scn {
+dup type /dicttype eq
+{ dup /_fp xdd
+/PaintType get 1 eq
+{ /_fc _fillColors 0 get dd ilp }
+{ /_fc _fillColors
+_fcs 1 get
+GetComps get dd
+sc
+}
+ifelse
+}
+{ sc }
+ifelse
+} bd
+/SCN {
+dup type /dicttype eq
+{ dup /_sp xdd
+/PaintType get 1 eq
+{ /_sc _strokeColors 0 get dd ilp }
+{ /_sc _strokeColors _scs 1 get GetComps get dd
+SC
+}
+ifelse
+}
+{ SC }
+ifelse
+} bd
+/gs
+{
+begin
+/SA here { setstrokeadjust } if
+/BG here { setblackgeneration } if
+/UCR here { setundercolorremoval } if
+/FL here { i } if
+/RI here { ri } if
+/TR here
+{
+dup xcheck
+{ settransfer }
+{ aload pop setcolortransfer }
+ifelse
+} if
+/sethalftonephase isdefined? { /HTP here { sethalftonephase } if } if
+/HT here { sethalftone } if
+currentdict gsDI
+end
+} bd
+/sfc {
+_op? setoverprint
+_lp /fill ne {
+_sfcs
+_sfc
+/_lp /fill dd
+} if
+} dd
+/ssc {
+_OP? setoverprint
+_lp /stroke ne {
+_sscs
+_ssc
+/_lp /stroke dd
+} if
+} dd
+/f {
+{ { sfc fill }
+{gsave sfc fill grestore clip newpath icl ilp}
+{gsave sfc fill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/f* {
+{ { sfc eofill }
+{gsave sfc eofill grestore clip newpath icl ilp}
+{gsave sfc eofill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/S {
+{ { ssc stroke }
+{gsave ssc stroke grestore clip newpath icl ilp}
+{gsave ssc stroke grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/rf {
+{ { sfc rectfill }
+{gsave sfc rectfill grestore clip newpath icl ilp}
+{gsave sfc rectfill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/knownColorants? {
+pop false
+} bd
+/makePat {
+gsave
+dup /Matrix get concat
+matrix makepattern
+grestore
+/MadePattern defineRes pop
+} bd
+%%EndResource
+%%BeginResource: procset spots
+%%Version: 4.0 1
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: Predefined (named) spot functions for PDF
+21 dict dup begin
+/CosineDot
+{ 180 mul cos exch 180 mul cos add 2 div } bd
+/Cross
+{ abs exch abs 2 copy gt { exch } if pop neg } bd
+/Diamond
+{ abs exch abs 2 copy add .75 le
+{ dup mul exch dup mul add 1 exch sub }
+{ 2 copy add 1.23 le
+{ .85 mul add 1 exch sub }
+{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
+ifelse }
+ifelse } bd
+/Double
+{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add } bd
+/DoubleDot
+{ 2 { 360 mul sin 2 div exch } repeat add } bd
+/Ellipse
+{ abs exch abs 2 copy 3 mul exch 4 mul add 3 sub dup 0 lt
+{ pop dup mul exch .75 div dup mul add 4 div
+1 exch sub }
+{ dup 1 gt
+{pop 1 exch sub dup mul exch 1 exch sub
+.75 div dup mul add 4 div 1 sub }
+{ .5 exch sub exch pop exch pop }
+ifelse }
+ifelse } bd
+/EllipseA
+{ dup mul .9 mul exch dup mul add 1 exch sub } bd
+/EllipseB
+{ dup 5 mul 8 div mul exch dup mul exch add sqrt 1 exch sub } bd
+/EllipseC
+{ dup mul exch dup mul .9 mul add 1 exch sub } bd
+/InvertedDouble
+{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add neg } bd
+/InvertedDoubleDot
+{ 2 { 360 mul sin 2 div exch } repeat add neg } bd
+/InvertedEllipseA
+{ dup mul .9 mul exch dup mul add 1 sub } bd
+/InvertedEllipseC
+{ dup mul exch dup mul .9 mul add 1 sub } bd
+/InvertedSimpleDot
+{ dup mul exch dup mul add 1 sub } bd
+/Line
+{ exch pop abs neg } bd
+/LineX
+{ pop } bd
+/LineY
+{ exch pop } bd
+/Rhomboid
+{ abs exch abs 0.9 mul add 2 div } bd
+/Round
+{ abs exch abs 2 copy add 1 le
+{ dup mul exch dup mul add 1 exch sub }
+{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
+ifelse } bd
+/SimpleDot
+{ dup mul exch dup mul add 1 exch sub } bd
+/Square
+{ abs exch abs 2 copy lt { exch } if pop neg } bd
+end
+{ /Function defineRes pop } forall
+%%EndResource
+%%BeginResource: procset pdftext
+%%Version: 4.0 2
+%%Copyright: Copyright 1987-1998 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: Text operators for PDF
+PDF /PDFText 75 dict dup begin put
+/docinitialize
+{
+/resourcestatus where {
+pop
+/CIDParams /ProcSet resourcestatus {
+pop pop
+false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
+} if
+} if
+PDF begin
+PDFText /_pdfDefineIdentity-H known
+{ PDFText /_pdfDefineIdentity-H get exec}
+if
+end
+} bd
+/initialize {
+PDFText begin
+/_intT false dd
+0 Tr
+} bd
+/terminate { end } bd
+/_safeput
+{
+Level2? not
+{
+2 index load dup dup length exch maxlength ge
+{ dup length 5 add dict copy
+3 index xdd
+}
+{ pop }
+ifelse
+}
+if
+3 -1 roll load 3 1 roll put
+}
+bd
+/pdf_has_composefont? systemdict /composefont known def
+/CopyFont {
+{
+1 index /FID ne 2 index /UniqueID ne and
+{ def } { pop pop } ifelse
+} forall
+} bd
+/Type0CopyFont
+{
+exch
+dup length dict
+begin
+CopyFont
+[
+exch
+FDepVector
+{
+dup /FontType get 0 eq
+{
+1 index Type0CopyFont
+/_pdfType0 exch definefont
+}
+{
+/_pdfBaseFont exch
+2 index exec
+}
+ifelse
+exch
+}
+forall
+pop
+]
+/FDepVector exch def
+currentdict
+end
+} bd
+/cHexEncoding
+[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
+/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
+/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
+/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
+/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
+/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
+/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
+/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
+/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
+/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
+/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
+/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
+/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
+/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
+/modEnc {
+/_enc xdd
+/_icode 0 dd
+counttomark 1 sub -1 0
+{
+index
+dup type /nametype eq
+{
+_enc _icode 3 -1 roll put
+_icode 1 add
+}
+if
+/_icode xdd
+} for
+cleartomark
+_enc
+} bd
+/trEnc {
+/_enc xdd
+255 -1 0 {
+exch dup -1 eq
+{ pop /.notdef }
+{ Encoding exch get }
+ifelse
+_enc 3 1 roll put
+} for
+pop
+_enc
+} bd
+/TE {
+/_i xdd
+StandardEncoding 256 array copy modEnc
+_pdfEncodings exch _i exch put
+} bd
+/TZ
+{
+/_usePDFEncoding xdd
+findfont
+dup length 6 add dict
+begin
+{
+1 index /FID ne { def } { pop pop } ifelse
+} forall
+/pdf_origFontName FontName def
+/FontName exch def
+_usePDFEncoding 0 ge
+{
+/Encoding _pdfEncodings _usePDFEncoding get def
+pop
+}
+{
+_usePDFEncoding -1 eq
+{
+counttomark 0 eq
+{ pop }
+{
+Encoding 256 array copy
+modEnc /Encoding exch def
+}
+ifelse
+}
+{
+256 array
+trEnc /Encoding exch def
+}
+ifelse
+}
+ifelse
+pdf_EuroProcSet pdf_origFontName known
+{
+pdf_origFontName pdf_AddEuroGlyphProc
+} if
+FontName currentdict
+end
+definefont pop
+}
+bd
+/Level2?
+systemdict /languagelevel known
+{systemdict /languagelevel get 2 ge}
+{false}
+ifelse
+def
+Level2?
+{
+/_pdfFontStatus
+{
+currentglobal exch
+/Font resourcestatus
+{pop pop true}
+{false}
+ifelse
+exch setglobal
+} bd
+}
+{
+/_pdfFontStatusString 50 string def
+_pdfFontStatusString 0 (fonts/) putinterval
+/_pdfFontStatus
+{
+FontDirectory 1 index known
+{ pop true }
+{
+_pdfFontStatusString 6 42 getinterval
+cvs length 6 add
+_pdfFontStatusString exch 0 exch getinterval
+{ status } stopped
+{pop false}
+{
+{ pop pop pop pop true}
+{ false }
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+ifelse
+Level2?
+{
+/_pdfCIDFontStatus
+{
+/CIDFont /Category resourcestatus
+{
+pop pop
+/CIDFont resourcestatus
+{pop pop true}
+{false}
+ifelse
+}
+{ pop false }
+ifelse
+} bd
+}
+if
+/_pdfString100 100 string def
+/_pdfComposeFontName
+{
+dup length 1 eq
+{
+0 get
+1 index
+type /nametype eq
+{
+_pdfString100 cvs
+length dup dup _pdfString100 exch (-) putinterval
+_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
+2 index exch cvs length
+add 1 add _pdfString100 exch 0 exch getinterval
+exch pop
+true
+}
+{
+pop pop
+false
+}
+ifelse
+}
+{
+false
+}
+ifelse
+dup {exch cvn exch} if
+} bd
+/_pdfConcatNames
+{
+exch
+_pdfString100 cvs
+length dup dup _pdfString100 exch (-) putinterval
+_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
+3 -1 roll exch cvs length
+add 1 add _pdfString100 exch 0 exch getinterval
+cvn
+} bind def
+/_pdfTextTempString 50 string def
+/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
+/_pdf_CheckSupplements
+{
+1 index _pdfTextTempString cvs
+false
+_pdfRegOrderingArray
+{
+2 index exch
+anchorsearch
+{ pop pop pop true exit}
+{ pop }
+ifelse
+}
+forall
+exch pop
+{
+/CIDFont findresource
+/CIDSystemInfo get /Supplement get
+exch /CMap findresource
+/CIDSystemInfo get
+dup type /dicttype eq
+{/Supplement get}
+{pop 0 }
+ifelse
+ge
+}
+{ pop pop true }
+ifelse
+} bind def
+pdf_has_composefont?
+{
+/_pdfComposeFont
+{
+2 copy _pdfComposeFontName not
+{
+2 index
+}
+if
+(pdf) exch _pdfConcatNames
+dup _pdfFontStatus
+{ dup findfont 5 2 roll pop pop pop true}
+{
+4 1 roll
+1 index /CMap resourcestatus
+{
+pop pop
+true
+}
+{false}
+ifelse
+1 index true exch
+{
+_pdfCIDFontStatus not
+{pop false exit}
+if
+}
+forall
+and
+{
+1 index 1 index 0 get _pdf_CheckSupplements
+{
+3 -1 roll pop
+2 index 3 1 roll
+composefont true
+}
+{
+pop pop exch pop false
+}
+ifelse
+}
+{
+_pdfComposeFontName
+{
+dup _pdfFontStatus
+{
+exch pop
+1 index exch
+findfont definefont true
+}
+{
+pop exch pop
+false
+}
+ifelse
+}
+{
+exch pop
+false
+}
+ifelse
+}
+ifelse
+{ true }
+{
+dup _pdfFontStatus
+{ dup findfont true }
+{ pop false }
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+{
+/_pdfComposeFont
+{
+_pdfComposeFontName not
+{
+dup
+}
+if
+dup
+_pdfFontStatus
+{exch pop dup findfont true}
+{
+1 index
+dup type /nametype eq
+{pop}
+{cvn}
+ifelse
+eq
+{pop false}
+{
+dup _pdfFontStatus
+{dup findfont true}
+{pop false}
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+ifelse
+/_pdfStyleDicts 4 dict dup begin
+/Adobe-Japan1 4 dict dup begin
+Level2?
+{
+/Serif
+/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiMin-W3}
+{
+/HeiseiMin-W3 _pdfCIDFontStatus
+{/HeiseiMin-W3}
+{/Ryumin-Light}
+ifelse
+}
+ifelse
+def
+/SansSerif
+/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiKakuGo-W5}
+{
+/HeiseiKakuGo-W5 _pdfCIDFontStatus
+{/HeiseiKakuGo-W5}
+{/GothicBBB-Medium}
+ifelse
+}
+ifelse
+def
+/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiMaruGo-W4}
+{
+/HeiseiMaruGo-W4 _pdfCIDFontStatus
+{/HeiseiMaruGo-W4}
+{
+/Jun101-Light-RKSJ-H _pdfFontStatus
+{ /Jun101-Light }
+{ SansSerif }
+ifelse
+}
+ifelse
+}
+ifelse
+/RoundSansSerif exch def
+/Default Serif def
+}
+{
+/Serif /Ryumin-Light def
+/SansSerif /GothicBBB-Medium def
+{
+(fonts/Jun101-Light-83pv-RKSJ-H) status
+}stopped
+{pop}{
+{ pop pop pop pop /Jun101-Light }
+{ SansSerif }
+ifelse
+/RoundSansSerif exch def
+}ifelse
+/Default Serif def
+}
+ifelse
+end
+def
+/Adobe-Korea1 4 dict dup begin
+/Serif /HYSMyeongJo-Medium def
+/SansSerif /HYGoThic-Medium def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+/Adobe-GB1 4 dict dup begin
+/Serif /STSong-Light def
+/SansSerif /STHeiti-Regular def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+/Adobe-CNS1 4 dict dup begin
+/Serif /MKai-Medium def
+/SansSerif /MHei-Medium def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+end
+def
+/TZzero
+{
+/_fyAdj xdd
+/_wmode xdd
+/_styleArr xdd
+/_regOrdering xdd
+3 copy
+_pdfComposeFont
+{
+5 2 roll pop pop pop
+}
+{
+[
+0 1 _styleArr length 1 sub
+{
+_styleArr exch get
+_pdfStyleDicts _regOrdering 2 copy known
+{
+get
+exch 2 copy known not
+{ pop /Default }
+if
+get
+}
+{
+pop pop pop /Unknown
+}
+ifelse
+}
+for
+]
+exch pop
+2 index 3 1 roll
+_pdfComposeFont
+{3 -1 roll pop}
+{
+findfont dup /FontName get exch
+}
+ifelse
+}
+ifelse
+dup /WMode 2 copy known
+{ get _wmode ne }
+{ pop pop _wmode 1 eq}
+ifelse
+_fyAdj 0 ne or
+{
+exch _wmode _pdfConcatNames _fyAdj _pdfConcatNames
+dup _pdfFontStatus
+{ exch pop dup findfont false}
+{ exch true }
+ifelse
+}
+{
+dup /FontType get 0 ne
+}
+ifelse
+{
+dup /FontType get 3 eq _wmode 1 eq and
+{
+_pdfVerticalRomanT3Font dup length 10 add dict copy
+begin
+/_basefont exch
+dup length 3 add dict
+begin
+{1 index /FID ne {def}{pop pop} ifelse }
+forall
+/Encoding Encoding dup length array copy
+dup 16#27 /quotesingle put
+dup 16#60 /grave put
+_regOrdering /Adobe-Japan1 eq
+{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
+if
+def
+FontName
+currentdict
+end
+definefont
+def
+/Encoding _basefont /Encoding get def
+/_fauxfont true def
+}
+{
+dup length 3 add dict
+begin
+{1 index /FID ne {def}{pop pop} ifelse }
+forall
+FontType 0 ne
+{
+/Encoding Encoding dup length array copy
+dup 16#27 /quotesingle put
+dup 16#60 /grave put
+_regOrdering /Adobe-Japan1 eq
+{dup 16#5c /yen put}
+if
+def
+/_fauxfont true def
+} if
+} ifelse
+/WMode _wmode def
+/BaseLineAdj _fyAdj def
+dup dup /FontName exch def
+currentdict
+end
+definefont pop
+}
+{
+pop
+}
+ifelse
+/_pdf_FontDirectory 3 1 roll _safeput
+}
+bd
+/swj {
+dup 4 1 roll
+dup length exch stringwidth
+exch 5 -1 roll 3 index mul add
+4 1 roll 3 1 roll mul add
+6 2 roll /_cnt 0 dd
+{1 index eq {/_cnt _cnt 1 add dd} if} forall pop
+exch _cnt mul exch _cnt mul 2 index add 4 1 roll 2 index add 4 1 roll pop pop
+} bd
+/jss {
+4 1 roll
+{
+pop pop
+(0) exch 2 copy 0 exch put
+gsave
+exch false charpath currentpoint
+5 index setmatrix stroke
+3 -1 roll
+32 eq
+{
+moveto
+5 index 5 index rmoveto currentpoint
+}
+if
+grestore
+moveto
+2 copy rmoveto
+} exch cshow
+6 {pop} repeat
+} def
+/jsfTzero {
+{
+pop pop
+(0) exch 2 copy 0 exch put
+exch show
+32 eq
+{
+4 index 4 index rmoveto
+}
+if
+2 copy rmoveto
+} exch cshow
+5 {pop} repeat
+} def
+/jsp
+{
+{
+pop pop
+(0) exch 2 copy 0 exch put
+32 eq
+dup {currentfont /Encoding get dup length 33 ge 
+{32 get /space eq and}{pop}ifelse
+}if
+{ exch 5 index 5 index 5 index 5 -1 roll widthshow }
+{ false charpath }
+ifelse
+2 copy rmoveto
+} exch cshow
+5 {pop} repeat
+} bd
+/trj { _cx 0 fWModeProc 32 _ax 0 fWModeProc 6 5 roll } bd
+/pjsf { trj sfc fawidthshowProc } bd
+/pjss { trj _ctm ssc jss } bd
+/pjsc { trj jsp } bd
+/_Tjdef [
+/pjsf load
+/pjss load
+{
+dup
+currentpoint 3 2 roll
+pjsf
+newpath moveto
+pjss
+} bind
+{
+trj swj rmoveto
+} bind
+{
+dup currentpoint 4 2 roll gsave
+pjsf
+grestore 3 1 roll moveto
+pjsc
+} bind
+{
+dup currentpoint 4 2 roll
+currentpoint gsave newpath moveto
+pjss
+grestore 3 1 roll moveto
+pjsc
+} bind
+{
+dup currentpoint 4 2 roll gsave
+dup currentpoint 3 2 roll
+pjsf
+newpath moveto
+pjss
+grestore 3 1 roll moveto
+pjsc
+} bind
+/pjsc load
+] def
+/BT
+{
+/_inT true dd
+_ctm currentmatrix pop matrix _tm copy pop
+0 _rise _baselineadj add translate _hs 1 scale
+0 0 moveto
+} bd
+/ET
+{
+/_inT false dd
+_tr 3 gt {clip} if
+_ctm setmatrix newpath
+} bd
+/Tr {
+_inT { _tr 3 le {currentpoint newpath moveto} if } if
+dup /_tr xdd
+_Tjdef exch get /_Tj xdd
+} bd
+/Tj {
+userdict /$$copystring 2 index put
+_Tj
+} bd
+/iTm { _ctm setmatrix _tm concat 0 _rise _baselineadj add translate _hs 1 scale } bd
+/Tm { _tm astore pop iTm 0 0 moveto } bd
+/Td { _mtx translate _tm _tm concatmatrix pop iTm 0 0 moveto } bd
+/TD { dup /_ld xdd Td } bd
+/_nullProc {} bd
+/Tf {
+dup 1000 div /_fScl xdd
+_pdf_FontDirectory 2 index 2 copy known
+{get exch 3 -1 roll pop}
+{pop pop}
+ifelse
+Level2?
+{ selectfont }
+{ exch findfont exch scalefont setfont}
+ifelse
+currentfont dup
+/_nullProc exch
+/WMode known
+{
+1 index /WMode get 1 eq
+{pop /exch}
+if
+}
+if
+load /fWModeProc xdd
+dup
+/FontType get 0 eq dup _cx 0 ne and
+{ /jsfTzero }
+{ /awidthshow }
+ifelse
+load /fawidthshowProc xdd
+/_fTzero xdd
+dup /BaseLineAdj known
+{ dup /BaseLineAdj get _fScl mul }
+{ 0 }
+ifelse
+/_baselineadj xdd
+dup /_pdfT3Font known
+{ 0 }
+{_tr}
+ifelse
+_Tjdef exch get /_Tj xdd
+_intT
+{currentpoint iTm moveto}
+if
+pop
+} bd
+/TL { neg /_ld xdd } bd
+/Tw {
+/_cx xdd
+_cx 0 ne _fTzero and
+{ /jsfTzero }
+{ /awidthshow }
+ifelse
+load /fawidthshowProc xdd
+} bd
+/Tc { /_ax xdd } bd
+/Ts { /_rise xdd currentpoint iTm moveto } bd
+/Tz { 100 div /_hs xdd iTm } bd
+/Tk { exch pop _fScl mul neg 0 fWModeProc rmoveto } bd
+/T* { 0 _ld Td } bd
+/' { T* Tj } bd
+/" { exch Tc exch Tw ' } bd
+/TJ {
+{
+dup type /stringtype eq
+{ Tj }
+{ 0 exch Tk }
+ifelse
+} forall
+} bd
+/T- { _hy Tj } bd
+/d0/setcharwidth ld
+/d1 { setcachedevice /sfc{}dd /ssc{}dd } bd
+/nND {{/.notdef} repeat} bd
+/T3Defs {
+/BuildChar
+{
+1 index /Encoding get exch get
+1 index /BuildGlyph get exec
+}
+def
+/BuildGlyph {
+exch begin
+GlyphProcs exch get exec
+end
+} def
+/_pdfT3Font true def
+} bd
+/_pdfBoldRomanWidthProc
+{
+stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
+0 0
+} bd
+/_pdfType0WidthProc
+{
+dup stringwidth 0 0 moveto
+2 index true charpath pathbbox
+0 -1
+7 index 2 div .88
+setcachedevice2
+pop
+0 0
+} bd
+/_pdfType0WMode1WidthProc
+{
+dup stringwidth
+pop 2 div neg -0.88
+2 copy
+moveto
+0 -1
+5 -1 roll true charpath pathbbox
+setcachedevice
+} bd
+/_pdfBoldBaseFont
+11 dict begin
+/FontType 3 def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/Encoding cHexEncoding def
+/_setwidthProc /_pdfBoldRomanWidthProc load def
+/_bcstr1 1 string def
+/BuildChar
+{
+exch begin
+_basefont setfont
+_bcstr1 dup 0 4 -1 roll put
+dup
+_setwidthProc
+3 copy
+moveto
+show
+_basefonto setfont
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+pdf_has_composefont?
+{
+/_pdfBoldBaseCIDFont
+11 dict begin
+/CIDFontType 1 def
+/CIDFontName /_pdfBoldBaseCIDFont def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/_setwidthProc /_pdfType0WidthProc load def
+/_bcstr2 2 string def
+/BuildGlyph
+{
+exch begin
+_basefont setfont
+_bcstr2 1 2 index 256 mod put
+_bcstr2 0 3 -1 roll 256 idiv put
+_bcstr2 dup _setwidthProc
+3 copy
+moveto
+show
+_basefonto setfont
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+/_pdfDefineIdentity-H
+{
+/Identity-H /CMap resourcestatus
+{
+pop pop
+}
+{
+/CIDInit/ProcSet findresource begin 12 dict begin
+begincmap
+/CIDSystemInfo
+3 dict begin
+/Registry (Adobe) def
+/Ordering (Identity) def
+/Supplement 0 def
+currentdict
+end
+def
+/CMapName /Identity-H def
+/CMapVersion 1 def
+/CMapType 1 def
+1 begincodespacerange
+<0000> <ffff>
+endcodespacerange
+1 begincidrange
+<0000> <ffff> 0
+endcidrange
+endcmap
+CMapName currentdict/CMap defineresource pop
+end
+end
+} ifelse
+} def
+} if
+/_pdfVerticalRomanT3Font
+10 dict begin
+/FontType 3 def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/_bcstr1 1 string def
+/BuildChar
+{
+exch begin
+_basefont setfont
+_bcstr1 dup 0 4 -1 roll put
+dup
+_pdfType0WidthProc
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+/MakeBoldFont
+{
+dup /ct_SyntheticBold known
+{
+dup length 3 add dict begin
+CopyFont
+/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
+/ct_SyntheticBold true def
+currentdict
+end
+definefont
+}
+{
+dup dup length 3 add dict
+begin
+CopyFont
+/PaintType 2 def
+/StrokeWidth .03 0 FontMatrix idtransform pop def
+/dummybold currentdict
+end
+definefont
+dup /FontType get dup 9 ge exch 11 le and
+{
+_pdfBoldBaseCIDFont
+dup length 3 add dict copy begin
+dup /CIDSystemInfo get /CIDSystemInfo exch def
+/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
+/_basefont exch def
+/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
+/_basefonto exch def
+currentdict
+end
+/CIDFont defineresource
+}
+{
+_pdfBoldBaseFont
+dup length 3 add dict copy begin
+/_basefont exch def
+/_basefonto exch def
+currentdict
+end
+definefont
+}
+ifelse
+}
+ifelse
+} bd
+/MakeBold {
+1 index
+_pdf_FontDirectory 2 index 2 copy known
+{get}
+{exch pop}
+ifelse
+findfont
+dup
+/FontType get 0 eq
+{
+dup /WMode known {dup /WMode get 1 eq }{false} ifelse
+version length 4 ge
+and
+{version 0 4 getinterval cvi 2015 ge }
+{true}
+ifelse
+{/_pdfType0WidthProc}
+{/_pdfType0WMode1WidthProc}
+ifelse
+_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
+{MakeBoldFont} Type0CopyFont definefont
+}
+{
+dup /_fauxfont known not 1 index /SubstMaster known not and
+{
+_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
+MakeBoldFont
+}
+{
+2 index 2 index eq
+{ exch pop }
+{
+dup length dict begin
+CopyFont
+currentdict
+end
+definefont
+}
+ifelse
+}
+ifelse
+}
+ifelse
+pop pop
+dup /dummybold ne
+{/_pdf_FontDirectory exch dup _safeput }
+{ pop }
+ifelse
+}bd
+/MakeItalic {
+_pdf_FontDirectory exch 2 copy known
+{get}
+{exch pop}
+ifelse
+dup findfont
+dup /FontInfo 2 copy known
+{
+get
+/ItalicAngle 2 copy known
+{get 0 eq }
+{ pop pop true}
+ifelse
+}
+{ pop pop true}
+ifelse
+{
+exch pop
+dup /FontType get 0 eq Level2? not and
+{ dup /FMapType get 6 eq }
+{ false }
+ifelse
+{
+dup /WMode 2 copy known
+{
+get 1 eq
+{ _italMtx_WMode1Type0 }
+{ _italMtxType0 }
+ifelse
+}
+{ pop pop _italMtxType0 }
+ifelse
+}
+{
+dup /WMode 2 copy known
+{
+get 1 eq
+{ _italMtx_WMode1 }
+{ _italMtx }
+ifelse
+}
+{ pop pop _italMtx }
+ifelse
+}
+ifelse
+makefont
+dup /FontType get 42 eq Level2? not or
+{
+dup length dict begin
+CopyFont
+currentdict
+end
+}
+if
+1 index exch
+definefont pop
+/_pdf_FontDirectory exch dup _safeput
+}
+{
+pop
+2 copy ne
+{
+/_pdf_FontDirectory 3 1 roll _safeput
+}
+{ pop pop }
+ifelse
+}
+ifelse
+}bd
+/MakeBoldItalic {
+/dummybold exch
+MakeBold
+/dummybold
+MakeItalic
+}bd
+Level2?
+{
+/pdf_CopyDict
+{1 index length add dict copy}
+def
+}
+{
+/pdf_CopyDict
+{
+1 index length add dict
+1 index wcheck
+{ copy }
+{ begin
+{def} forall
+currentdict
+end
+}
+ifelse
+}
+def
+}
+ifelse
+/pdf_AddEuroGlyphProc
+{
+currentdict /CharStrings known
+{
+CharStrings /Euro known not
+{
+dup
+/CharStrings
+CharStrings 1 pdf_CopyDict
+begin
+/Euro pdf_EuroProcSet 4 -1 roll get def
+currentdict
+end
+def
+/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
+/pdf_PathOps /pdf_PathOps load def
+/Symbol eq
+{
+/Encoding Encoding dup length array copy
+dup 160 /Euro put def
+}
+if
+}
+{ pop
+}
+ifelse
+}
+{ pop
+}
+ifelse
+}
+def
+/pdf_PathOps 4 dict dup begin
+/m {moveto} def
+/l {lineto} def
+/c {curveto} def
+/cp {closepath} def
+end
+def
+/pdf_PSBuildGlyph
+{
+gsave
+8 -1 roll pop
+7 1 roll
+currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
+dup 9 1 roll
+{
+currentdict /StrokeWidth 2 copy known
+{
+get 2 div
+5 1 roll
+4 -1 roll 4 index sub
+4 1 roll
+3 -1 roll 4 index sub
+3 1 roll
+exch 4 index add exch
+4 index add
+5 -1 roll pop
+}
+{
+pop pop
+}
+ifelse
+}
+if
+setcachedevice
+pdf_PathOps begin
+exec
+end
+{
+currentdict /StrokeWidth 2 copy known
+{ get }
+{ pop pop 0 }
+ifelse
+setlinewidth stroke
+}
+{
+fill
+}
+ifelse
+grestore
+} def
+/pdf_EuroProcSet 13 dict def
+pdf_EuroProcSet
+begin
+/Courier-Bold
+{
+600 0 6 -12 585 612
+{
+385 274 m
+180 274 l
+179 283 179 293 179 303 c
+179 310 179 316 180 323 c
+398 323 l
+423 404 l
+197 404 l
+219 477 273 520 357 520 c
+409 520 466 490 487 454 c
+487 389 l
+579 389 l
+579 612 l
+487 612 l
+487 560 l
+449 595 394 612 349 612 c
+222 612 130 529 98 404 c
+31 404 l
+6 323 l
+86 323 l
+86 304 l
+86 294 86 284 87 274 c
+31 274 l
+6 193 l
+99 193 l
+129 77 211 -12 359 -12 c
+398 -12 509 8 585 77 c
+529 145 l
+497 123 436 80 356 80 c
+285 80 227 122 198 193 c
+360 193 l
+cp
+600 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Courier-BoldOblique /Courier-Bold load def
+/Courier
+{
+600 0 17 -12 578 584
+{
+17 204 m
+97 204 l
+126 81 214 -12 361 -12 c
+440 -12 517 17 578 62 c
+554 109 l
+501 70 434 43 366 43 c
+266 43 184 101 154 204 c
+380 204 l
+400 259 l
+144 259 l
+144 270 143 281 143 292 c
+143 299 143 307 144 314 c
+418 314 l
+438 369 l
+153 369 l
+177 464 249 529 345 529 c
+415 529 484 503 522 463 c
+522 391 l
+576 391 l
+576 584 l
+522 584 l
+522 531 l
+473 566 420 584 348 584 c
+216 584 122 490 95 369 c
+37 369 l
+17 314 l
+87 314 l
+87 297 l
+87 284 88 272 89 259 c
+37 259 l
+cp
+600 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Courier-Oblique /Courier load def
+/Helvetica
+{
+556 0 24 -19 541 703
+{
+541 628 m
+510 669 442 703 354 703 c
+201 703 117 607 101 444 c
+50 444 l
+25 372 l
+97 372 l
+97 301 l
+49 301 l
+24 229 l
+103 229 l
+124 67 209 -19 350 -19 c
+435 -19 501 25 509 32 c
+509 131 l
+492 105 417 60 343 60 c
+267 60 204 127 197 229 c
+406 229 l
+430 301 l
+191 301 l
+191 372 l
+455 372 l
+479 444 l
+194 444 l
+201 531 245 624 348 624 c
+433 624 484 583 509 534 c
+cp
+556 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Helvetica-Oblique /Helvetica load def
+/Helvetica-Bold
+{
+556 0 12 -19 563 710
+{
+563 621 m
+537 659 463 710 363 710 c
+216 710 125 620 101 462 c
+51 462 l
+12 367 l
+92 367 l
+92 346 l
+92 337 93 328 93 319 c
+52 319 l
+12 224 l
+102 224 l
+131 58 228 -19 363 -19 c
+417 -19 471 -12 517 18 c
+517 146 l
+481 115 426 93 363 93 c
+283 93 254 166 246 224 c
+398 224 l
+438 319 l
+236 319 l
+236 367 l
+457 367 l
+497 462 l
+244 462 l
+259 552 298 598 363 598 c
+425 598 464 570 486 547 c
+507 526 513 517 517 509 c
+cp
+556 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Helvetica-BoldOblique /Helvetica-Bold load def
+/Symbol
+{
+750 0 20 -12 714 685
+{
+714 581 m
+650 645 560 685 465 685 c
+304 685 165 580 128 432 c
+50 432 l
+20 369 l
+116 369 l
+115 356 115 347 115 337 c
+115 328 115 319 116 306 c
+50 306 l
+20 243 l
+128 243 l
+165 97 300 -12 465 -12 c
+560 -12 635 25 685 65 c
+685 155 l
+633 91 551 51 465 51 c
+340 51 238 131 199 243 c
+555 243 l
+585 306 l
+184 306 l
+183 317 182 326 182 336 c
+182 346 183 356 184 369 c
+614 369 l 644 432 l
+199 432 l
+233 540 340 622 465 622 c
+555 622 636 580 685 520 c
+cp
+750 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Bold
+{
+500 0 16 -14 478 700
+{
+367 308 m
+224 308 l
+224 368 l
+375 368 l
+380 414 l
+225 414 l
+230 589 257 653 315 653 c
+402 653 431 521 444 457 c
+473 457 l
+473 698 l
+444 697 l
+441 679 437 662 418 662 c
+393 662 365 700 310 700 c
+211 700 97 597 73 414 c
+21 414 l
+16 368 l
+69 368 l
+69 359 68 350 68 341 c
+68 330 68 319 69 308 c
+21 308 l
+16 262 l
+73 262 l
+91 119 161 -14 301 -14 c
+380 -14 443 50 478 116 c
+448 136 l
+415 84 382 40 323 40 c
+262 40 231 77 225 262 c
+362 262 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-BoldItalic
+{
+500 0 9 -20 542 686
+{
+542 686 m
+518 686 l
+513 673 507 660 495 660 c
+475 660 457 683 384 683 c
+285 683 170 584 122 430 c
+58 430 l
+34 369 l
+105 369 l
+101 354 92 328 90 312 c
+34 312 l
+9 251 l
+86 251 l
+85 238 84 223 84 207 c
+84 112 117 -14 272 -14 c
+326 -14 349 9 381 9 c
+393 9 393 -10 394 -20 c
+420 -20 l
+461 148 l
+429 148 l
+416 109 362 15 292 15 c
+227 15 197 55 197 128 c
+197 162 204 203 216 251 c
+378 251 l
+402 312 l
+227 312 l
+229 325 236 356 241 369 c
+425 369 l
+450 430 l
+255 430 l
+257 435 264 458 274 488 c
+298 561 337 654 394 654 c
+437 654 484 621 484 530 c
+484 516 l
+516 516 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Italic
+{
+500 0 23 -10 595 692
+{
+399 317 m
+196 317 l
+199 340 203 363 209 386 c
+429 386 l
+444 424 l
+219 424 l
+246 514 307 648 418 648 c
+448 648 471 638 492 616 c
+529 576 524 529 527 479 c
+549 475 l
+595 687 l
+570 687 l
+562 674 558 664 542 664 c
+518 664 474 692 423 692 c
+275 692 162 551 116 424 c
+67 424 l
+53 386 l
+104 386 l
+98 363 93 340 90 317 c
+37 317 l
+23 279 l
+86 279 l
+85 266 85 253 85 240 c
+85 118 137 -10 277 -10 c
+370 -10 436 58 488 128 c
+466 149 l
+424 101 375 48 307 48 c
+212 48 190 160 190 234 c
+190 249 191 264 192 279 c
+384 279 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Roman
+{
+500 0 10 -12 484 692
+{
+347 298 m
+171 298 l
+170 310 170 322 170 335 c
+170 362 l
+362 362 l
+374 403 l
+172 403 l
+184 580 244 642 308 642 c
+380 642 434 574 457 457 c
+481 462 l
+474 691 l
+449 691 l
+433 670 429 657 410 657 c
+394 657 360 692 299 692 c
+204 692 94 604 73 403 c
+22 403 l
+10 362 l
+70 362 l
+69 352 69 341 69 330 c
+69 319 69 308 70 298 c
+22 298 l
+10 257 l
+73 257 l
+97 57 216 -12 295 -12 c
+364 -12 427 25 484 123 c
+458 142 l
+425 101 384 37 316 37 c
+256 37 189 84 173 257 c
+335 257 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+end
+currentdict readonly pop end
+%%EndResource
+PDFText begin
+[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
+/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
+/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
+/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
+/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
+/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
+/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
+/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
+/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
+/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
+/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
+/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
+/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
+/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
+/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
+/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
+/hungarumlaut/ogonek/caron
+0 TE
+[1/dotlessi/caron 39/quotesingle 96/grave 
+127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
+/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
+/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
+/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
+/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
+/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
+/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
+/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
+/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
+/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
+/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
+/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
+/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
+/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
+/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
+/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
+/ucircumflex/udieresis/yacute/thorn/ydieresis
+1 TE
+end
+currentdict readonly pop
+end end
+/currentpacking where {pop setpacking}if
+PDFVars/DocInitAll{[ PDFText]{/docinitialize get exec}forall }put
+PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
+PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
+PDFVars begin PDF begin
+PDFVars/DocInitAll get exec PDFVars/InitAll get exec
+PDFVars/TermAll get exec end end
+
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+userdict /pgsave save put
+PDFVars begin PDF begin PDFVars/InitAll get exec
+156 331 translate
+%%BeginResource: font N34
+%!FontType1-1.0: N34
+11 dict begin
+/FontInfo 5 dict dup begin
+/Notice (Copyright \(C\) 1997 American Mathematical Society. All Rights Reserved) def
+/FamilyName (Computer Modern) def
+/FullName (CMTT10) def
+end readonly def
+/FontName /N34 def
+/Encoding 256 array
+0 1 255 {1 index exch /.notdef put} for
+dup 44 /comma put
+dup 48 /zero put
+dup 49 /one put
+dup 50 /two put
+dup 97 /a put
+dup 101 /e put
+dup 104 /h put
+dup 110 /n put
+dup 114 /r put
+dup 116 /t put
+dup 123 /braceleft put
+dup 125 /braceright put
+readonly def
+/FontMatrix [0.001 0 0 0.001 0 0] readonly def
+/FontBBox {-4 -235 731 800} readonly def
+/FontType 1 def
+/PaintType 0 def
+/StrokeWidth 0 def
+currentdict end
+currentfile eexec
+f3e7f93fe0b3c7a88086f982b4b55bdb0f2f559321725d901e33615b89ebc3ed
+b644cbe16c663d6859274d0ce2e86ecfea9f7e1b5970a122f75e9b050df4480e
+56172e8b6a9a7322d8372244fb30b64ec966496b08baae35096817082b1ee90a
+634d662a40353df3516c1402378432ab41d28040059334248c54fc26fbf5fc94
+879f85cd5bfa2b3d6d059c93f11fe5780c1fcf8d5dc00e950018df83ec4928de
+7cec20207ab2cf39abc85a9caa0b0e2c323f501f5962617e99a333fe9738b872
+fcc9a8251b532781309174dc760f25d7636c27db2792bd40f540cb897c86c8fe
+0eda9639093664059ed48c227060d40f39eabac85c47e505de850379e1267e79
+2d6e82c3d67cb2e9f84a7ff7a61df53239fe2625ac170163bf19e528676f0853
+e7abcece7107203958dc0b5bb270a0de82161699a18d4d5b8da383e6c4937d39
+9c20cfb315dd9c8a08d93ee76257cd6a52b6a8800735be153582e40f2f85a432
+7c5527b7e085f60031b66fad2baca496b105ff4cb56629346f3fe9d596a90cd0
+6c125fa5e27179c9b7d4980f2c2d0969fd3f87796a05c1c030bc94ceacdb95fd
+fe11d180104266be31ea0837366a9001d0f54ce82d78e992228606798a6ed75e
+9ad79061031e325d884aa3747b7a4d4e398888c2eb0fd2a7e9c9a88999859ebf
+d10290b74c3dcba000519bd2e4cc03e4f466007d60731bfba66e92bd0e6a367d
+8e706e0b1c606425d4c7ff696440cf4f0a231961f0b9d5636cfb4a5abf263408
+b80f06166d9c533b3b13112cd9cedbc2e9197a4675125022e28d23047a93e6e7
+f3255e2fe972045499c7527fb9f32e1363a60cb2254abf34ab918f5d08f181ce
+c85dbd3408edc656c0bb2dbc47b854aedb2acd8d9fc0d5f7cce1724eb4c93133
+3e496ba69350daeeed903ee17260db986f11afaf68b53d894dd3d679ebe7f703
+b4ae32683591d34ce4137f9abc8dedb065d06ca3470afce541a9b0fe1f4de178
+db038a0a5b0c30a5ac304c5ea38686389f8fdfc9790296ba65b6ea7450659e46
+e17173f120846258b315eed9142ac66063205167a553e47d24547ad2c4a8f702
+fb9bec6b138ac48c5f5465e345d40f455cae3ef6838c2cb147344ecf7da3302d
+e1f8ca2a49e6d6c25d64d76a0007d91183a500f4db07b7232ae944051ec6db95
+c83956967f6e8cc3eb79ba8f6f7f9d9588e0790aa4ef2c8bb1af4bbe40c3e6e9
+c4c2abb5b8955d7f7db4744779ce92f484438d836457bd63a15762120b30d264
+064049f0b4e3f543f275f27d1490e4ec3ab8744cb0d07dd31166f744f9099dba
+9d4c7532182bfe249b19166e5a9c793ad26dfe0a4f6eb4f1f81c7daebfbb4f41
+900682d3f98e1d12d5d2cedf7d5d81f5294253cd05392a6c1b08faf2c937c587
+acb67c282079d5381342090e8f6bc758b6aafa1987e4025a38e0b007b5e734fb
+f7653c6d09bb30c736ed42f6faa6c8be715ee08edeb32e32716e161de47fa740
+2c7520f6a147a3a1ac4008ac7ac47e68ac95dd0e40def0262d7f19420ec9d836
+a83b0a6e8864bc93fb0246b910bd00506ac7e91476ac4f4ea8030c570d74d3c7
+f50ae3960629442be51c34d3d5064d144e4d5882e454f1f70b5db71acb0851ee
+ea8472b8bbf439406e33f3967b4e44371843616eb00bb0bbb2d7b50e64275eb7
+b0bf39d87aeef439b352c5d5549063adaca1807abb74c6d4b369bccf032a3a07
+e38165eb254cf180cb4b4e686f361ced5579846482cc428c7e317c7d35136f92
+2cfc13f1d489c450b84f26bb7ff8bf1751a1fe52be5b11ed2c9b21620b22b7e3
+da6b3bb7f97b07e6e53022f1e8fe751308247716fd05d7b925b7e019962c5ae8
+6f011dd826d13f3f797453ad0250bfb8ff3835b952b3f86d2a84fb4b646d2013
+39841e22dc6111dc48b71ddc930224f2a2cd65518f44c58fc4d0c703ac11aaf5
+e98a735db48973639a28b97b5181afc5129c2521df2369f4091bcad9ec2ecc57
+39a0c3fbc77b7293125db00eed1d7b6075f390b5f9aa84fe48cca11b71e92559
+2d81a03384d3fdfe7d782bc2bbd96e50af51259cd4c1d063629c41d932bf8d39
+aaf0a55979fbe4245b867b23f965abfc16c5fe1ae6dc46fb4341922cdf1e4466
+11c7c9f9c73001469081ced3169c7d55631800b59b5ef77405b3814bff9fd90c
+8a01addc3c525ddfc00f3579cd0e9effe77f4d8f27b6e55a5d18b0c66dfed09b
+ee81795632d12b202f606300f6aad5201cb07634500bba045aef4c198a8b640e
+1f974e4cb6eb54790a3e412b485888ec8931a028bf92647e874c5f69142e61b6
+8cce581e6d79c80eb947fe6eb9cd7c68ed8051c618acca8d0d094105154c891f
+545ddfe32e786f9fb516189571ad8aeb643658c5e7c4d19226166d6b5696ba0b
+d215d3020d2549971e15e2057fb25e27e3ebb8182440a32a8df73bb5a60b48c0
+d1ab1ec93b54b49e3277f0b177d2bbcbb4245dfc78032f7b0aa304ed83b67b2d
+8dba0f9d0d3771a8f89b2255c83248ef3d00600f2a486fff6658539aed4a9f00
+c3c42b10d0f4c244b6469ff45ec83926d3ac4ca1012e8ff7a761db98cd899eea
+80fee257ce8dafa44415d6ff106fc6f387dd1767f1afac6170e732784da4ba20
+5aaa275b9272df543410fc8f8289a6b49f86991912f0d5d087c0d72a43df98a4
+b6d3551660fa557b867f62a22d6bf7956f9c0c929fec10a91c871366a7b22a18
+87d91ac067f1bb24cc26ae2a614235ddaef02c0ce47ec6ea3d625d007ab9b0e3
+f329f0cbc2ff80c1c5338dfa4d46cfb7982b71ba740a2f67171562d81a226906
+ecfd0fffeb67fde9f741a911c33dfecbfb5e6c115948ac90d76bdc3bf1474d9a
+39b6a931f4a6a0b5650f878eefdb8c222f66816e57e4f50c25a30d36ea28
+9e8d92f7230d739034c81f27adc4a9e48b852faf5299636d6d51fabbc0358857
+892f306e6f760c780ee75ccc2e2d976dfc836c7f086fe12970e997dff6ecea59
+9f629f24ed853d4ec5a9872527b8d26bb25bb7c3f612d212447a96f6dc098bae
+c16e6726dd90f6742422e953650c83fd020902f7b460a6de1248c38826fc538b
+e49bab3522d3bca7cd6558fe0cb4f8e488e7bce25eb53d9b498c78180099b809
+0e8bef2f7a97189a65a448895aea28b96e68f2c311db2caadf85281a4ac31723
+1667348978e47ab73d3e23e366ce99481972f7fd6882aaaac15727e6dd93afb3
+89bab7af45d82b56bed628443e6d079e19ede69edbe920538b104a7f062c42a4
+2b793f867529594f9b5d625b5afb30b2ea70e59075808899d3f95b4f68e1ba72
+4082aafb0c1278e4e0b0759e2beaa53d17de4f86
+0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
cleartomark
%%EndResource
+[/N9/N34 -1 TZ
+%%EndPageSetup
+0 0 300 130 RC
+0.09999 0 0 0.09999 0 0 cm
+
+q
+Q
+q
+0 0 m
+0 1300 l
+3000 1300 l
+3000 0 l
+h
+W n 
+1 i
+10 w
+4 M
+46.25 377.25 554 554 re
+S 
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 16.60778 62.02688 Tm
+(t)Tj 
+6.29998 0 Td
+(h)Tj 
+6.29998 0 Td
+(r)Tj 
+6.29998 0 Td
+(e)Tj 
+6.29998 0 Td
+(e)Tj 
+ET
+Q
+1 g
+1707.25 30.25 1244 1243 rf
+1707.25 30.25 1244 1243 re
+S 
+0 g
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 223.47399 106.70199 Tm
+(n)Tj 
+6.29998 0 Td
+(a)Tj 
+6.29998 0 Td
+(t)Tj 
+ET
+Q
+0.85089 g
+2304.25 931.25 m
+2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
+1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
+2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
+2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
+2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
+f 
+2304.25 931.25 m
+2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
+1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
+2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
+2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
+2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
+h
+S 
+0 g
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 209.33399 61.78269 Tm
+({)Tj 
+6.29998 0 Td
+(0)Tj 
+6.29998 0 Td
+(,)Tj 
+6.29998 0 Td
+(1)Tj 
+6.29998 0 Td
+(,)Tj 
+6.29998 0 Td
+(2)Tj 
+6.29998 0 Td
+(})Tj 
+ET
+Q
+2373.25 821.25 m
+386.25 821.25 l
+S 
+356.25 821.25 m
+370.69799 826.43598 388.31399 835.42498 399.25 845.25 c
+390.25 821.25 l
+399.25 797.25 l
+388.31399 806.90899 370.69799 815.89898 356.25 821.25 c
+f 
+326.25 821.25 m
+354.72099 831.70498 389.95498 849.68399 412.25 868.25 c
+394.25 821.25 l
+412.25 773.25 l
+389.95498 792.65199 354.72099 810.63499 326.25 821.25 c
+f 
+326.25 481.25 m
+2313.25 481.25 l
+S 
+2343.25 481.25 m
+2328.95999 486.44099 2311.34999 495.42498 2300.25 505.25 c
+2309.25 481.25 l
+2300.25 457.25 l
+2311.34999 466.90899 2328.95999 475.89399 2343.25 481.25 c
+f 
+2373.25 481.25 m
+2344.93998 491.70498 2309.70999 509.68399 2288.25 528.25 c
+2305.25 481.25 l
+2288.25 433.25 l
+2309.70999 452.65199 2344.93998 470.63999 2373.25 481.25 c
+f 
+Q
+PDFVars/TermAll get exec end end
+userdict /pgsave get restore
+showpage
+%%PageTrailer
+%%EndPage
+%%Trailer
+%%DocumentProcessColors: Black
+%%DocumentSuppliedResources:
+%%+ font N34
+%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
+%%+ procset (Adobe Acrobat - type operators) 1.2 0
+%%EOF
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/doc-src/TutorialI/document/types0.tex	Tue Aug 28 14:37:57 2012 +0200
@@ -0,0 +1,69 @@
+\chapter{More about Types}
+\label{ch:more-types}
+
+So far we have learned about a few basic types (for example \isa{bool} and
+\isa{nat}), type abbreviations (\isacommand{types}) and recursive datatypes
+(\isacommand{datatype}). This chapter will introduce more
+advanced material:
+\begin{itemize}
+\item Pairs ({\S}\ref{sec:products}) and records ({\S}\ref{sec:records}),
+and how to reason about them.
+\item Type classes: how to specify and reason about axiomatic collections of
+  types ({\S}\ref{sec:axclass}). This section leads on to a discussion of
+  Isabelle's numeric types ({\S}\ref{sec:numbers}).  
+\item Introducing your own types: how to define types that
+  cannot be constructed with any of the basic methods
+  ({\S}\ref{sec:adv-typedef}).
+\end{itemize}
+
+The material in this section goes beyond the needs of most novices.
+Serious users should at least skim the sections as far as type classes.
+That material is fairly advanced; read the beginning to understand what it
+is about, but consult the rest only when necessary.
+
+\index{pairs and tuples|(}
+\input{Pairs}    %%%Section "Pairs and Tuples"
+\index{pairs and tuples|)}
+
+\input{Records}  %%%Section "Records"
+
+
+\section{Type Classes} %%%Section
+\label{sec:axclass}
+\index{axiomatic type classes|(}
+\index{*axclass|(}
+
+The programming language Haskell has popularized the notion of type
+classes: a type class is a set of types with a
+common interface: all types in that class must provide the functions
+in the interface.  Isabelle offers a similar type class concept: in
+addition, properties (\emph{class axioms}) can be specified which any
+instance of this type class must obey.  Thus we can talk about a type
+$\tau$ being in a class $C$, which is written $\tau :: C$.  This is the case
+if $\tau$ satisfies the axioms of $C$. Furthermore, type classes can be
+organized in a hierarchy.  Thus there is the notion of a class $D$
+being a subclass\index{subclasses} of a class $C$, written $D
+< C$. This is the case if all axioms of $C$ are also provable in $D$.
+
+In this section we introduce the most important concepts behind type
+classes by means of a running example from algebra.  This should give
+you an intuition how to use type classes and to understand
+specifications involving type classes.  Type classes are covered more
+deeply in a separate tutorial \cite{isabelle-classes}.
+
+\subsection{Overloading}
+\label{sec:overloading}
+\index{overloading|(}
+
+\input{Overloading}
+
+\index{overloading|)}
+
+\input{Axioms}
+
+\index{type classes|)}
+\index{*class|)}
+
+\input{numerics}             %%%Section "Numbers"
+
+\input{Typedefs}    %%%Section "Introducing New Types"
--- a/doc-src/TutorialI/document/unfoldnested.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,36 +0,0 @@
-%
-\begin{isabellebody}%
-\def\isabellecontext{unfoldnested}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\isacommand{datatype}\isamarkupfalse%
-\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}{\isaliteral{22}{\isachardoublequoteopen}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{3D}{\isacharequal}}\ Var\ {\isaliteral{27}{\isacharprime}}v\ {\isaliteral{7C}{\isacharbar}}\ App\ {\isaliteral{27}{\isacharprime}}f\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}\isanewline
-\isakeyword{and}\ {\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list\ {\isaliteral{3D}{\isacharequal}}\ Nil\ {\isaliteral{7C}{\isacharbar}}\ Cons\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{22}{\isachardoublequoteclose}}\ {\isaliteral{22}{\isachardoublequoteopen}}{\isaliteral{28}{\isacharparenleft}}{\isaliteral{27}{\isacharprime}}v{\isaliteral{2C}{\isacharcomma}}{\isaliteral{27}{\isacharprime}}f{\isaliteral{29}{\isacharparenright}}term{\isaliteral{5F}{\isacharunderscore}}list{\isaliteral{22}{\isachardoublequoteclose}}%
-\isadelimtheory
-%
-\endisadelimtheory
-%
-\isatagtheory
-%
-\endisatagtheory
-{\isafoldtheory}%
-%
-\isadelimtheory
-%
-\endisadelimtheory
-\end{isabellebody}%
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "root"
-%%% End:
--- a/doc-src/TutorialI/fp.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,484 +0,0 @@
-\chapter{Functional Programming in HOL}
-
-This chapter describes how to write
-functional programs in HOL and how to verify them.  However, 
-most of the constructs and
-proof procedures introduced are general and recur in any specification
-or verification task.  We really should speak of functional
-\emph{modelling} rather than functional \emph{programming}: 
-our primary aim is not
-to write programs but to design abstract models of systems.  HOL is
-a specification language that goes well beyond what can be expressed as a
-program. However, for the time being we concentrate on the computable.
-
-If you are a purist functional programmer, please note that all functions
-in HOL must be total:
-they must terminate for all inputs.  Lazy data structures are not
-directly available.
-
-\section{An Introductory Theory}
-\label{sec:intro-theory}
-
-Functional programming needs datatypes and functions. Both of them can be
-defined in a theory with a syntax reminiscent of languages like ML or
-Haskell. As an example consider the theory in figure~\ref{fig:ToyList}.
-We will now examine it line by line.
-
-\begin{figure}[htbp]
-\begin{ttbox}\makeatother
-\input{ToyList2/ToyList1}\end{ttbox}
-\caption{A Theory of Lists}
-\label{fig:ToyList}
-\end{figure}
-
-\index{*ToyList example|(}
-{\makeatother\medskip\input{document/ToyList.tex}}
-
-The complete proof script is shown in Fig.\ts\ref{fig:ToyList-proofs}. The
-concatenation of Figs.\ts\ref{fig:ToyList} and~\ref{fig:ToyList-proofs}
-constitutes the complete theory \texttt{ToyList} and should reside in file
-\texttt{ToyList.thy}.
-% It is good practice to present all declarations and
-%definitions at the beginning of a theory to facilitate browsing.%
-\index{*ToyList example|)}
-
-\begin{figure}[htbp]
-\begin{ttbox}\makeatother
-\input{ToyList2/ToyList2}\end{ttbox}
-\caption{Proofs about Lists}
-\label{fig:ToyList-proofs}
-\end{figure}
-
-\subsubsection*{Review}
-
-This is the end of our toy proof. It should have familiarized you with
-\begin{itemize}
-\item the standard theorem proving procedure:
-state a goal (lemma or theorem); proceed with proof until a separate lemma is
-required; prove that lemma; come back to the original goal.
-\item a specific procedure that works well for functional programs:
-induction followed by all-out simplification via \isa{auto}.
-\item a basic repertoire of proof commands.
-\end{itemize}
-
-\begin{warn}
-It is tempting to think that all lemmas should have the \isa{simp} attribute
-just because this was the case in the example above. However, in that example
-all lemmas were equations, and the right-hand side was simpler than the
-left-hand side --- an ideal situation for simplification purposes. Unless
-this is clearly the case, novices should refrain from awarding a lemma the
-\isa{simp} attribute, which has a global effect. Instead, lemmas can be
-applied locally where they are needed, which is discussed in the following
-chapter.
-\end{warn}
-
-\section{Some Helpful Commands}
-\label{sec:commands-and-hints}
-
-This section discusses a few basic commands for manipulating the proof state
-and can be skipped by casual readers.
-
-There are two kinds of commands used during a proof: the actual proof
-commands and auxiliary commands for examining the proof state and controlling
-the display. Simple proof commands are of the form
-\commdx{apply}(\textit{method}), where \textit{method} is typically 
-\isa{induct_tac} or \isa{auto}.  All such theorem proving operations
-are referred to as \bfindex{methods}, and further ones are
-introduced throughout the tutorial.  Unless stated otherwise, you may
-assume that a method attacks merely the first subgoal. An exception is
-\isa{auto}, which tries to solve all subgoals.
-
-The most useful auxiliary commands are as follows:
-\begin{description}
-\item[Modifying the order of subgoals:]
-\commdx{defer} moves the first subgoal to the end and
-\commdx{prefer}~$n$ moves subgoal $n$ to the front.
-\item[Printing theorems:]
-  \commdx{thm}~\textit{name}$@1$~\dots~\textit{name}$@n$
-  prints the named theorems.
-\item[Reading terms and types:] \commdx{term}
-  \textit{string} reads, type-checks and prints the given string as a term in
-  the current context; the inferred type is output as well.
-  \commdx{typ} \textit{string} reads and prints the given
-  string as a type in the current context.
-\end{description}
-Further commands are found in the Isabelle/Isar Reference
-Manual~\cite{isabelle-isar-ref}.
-
-\begin{pgnote}
-Clicking on the \pgmenu{State} button redisplays the current proof state.
-This is helpful in case commands like \isacommand{thm} have overwritten it.
-\end{pgnote}
-
-We now examine Isabelle's functional programming constructs systematically,
-starting with inductive datatypes.
-
-
-\section{Datatypes}
-\label{sec:datatype}
-
-\index{datatypes|(}%
-Inductive datatypes are part of almost every non-trivial application of HOL.
-First we take another look at an important example, the datatype of
-lists, before we turn to datatypes in general. The section closes with a
-case study.
-
-
-\subsection{Lists}
-
-\index{*list (type)}%
-Lists are one of the essential datatypes in computing.  We expect that you
-are already familiar with their basic operations.
-Theory \isa{ToyList} is only a small fragment of HOL's predefined theory
-\thydx{List}\footnote{\url{http://isabelle.in.tum.de/library/HOL/List.html}}.
-The latter contains many further operations. For example, the functions
-\cdx{hd} (``head'') and \cdx{tl} (``tail'') return the first
-element and the remainder of a list. (However, pattern matching is usually
-preferable to \isa{hd} and \isa{tl}.)  
-Also available are higher-order functions like \isa{map} and \isa{filter}.
-Theory \isa{List} also contains
-more syntactic sugar: \isa{[}$x@1$\isa{,}\dots\isa{,}$x@n$\isa{]} abbreviates
-$x@1$\isa{\#}\dots\isa{\#}$x@n$\isa{\#[]}.  In the rest of the tutorial we
-always use HOL's predefined lists by building on theory \isa{Main}.
-\begin{warn}
-Looking ahead to sets and quanifiers in Part II:
-The best way to express that some element \isa{x} is in a list \isa{xs} is
-\isa{x $\in$ set xs}, where \isa{set} is a function that turns a list into the
-set of its elements.
-By the same device you can also write bounded quantifiers like
-\isa{$\forall$x $\in$ set xs} or embed lists in other set expressions.
-\end{warn}
-
-
-\subsection{The General Format}
-\label{sec:general-datatype}
-
-The general HOL \isacommand{datatype} definition is of the form
-\[
-\isacommand{datatype}~(\alpha@1, \dots, \alpha@n) \, t ~=~
-C@1~\tau@{11}~\dots~\tau@{1k@1} ~\mid~ \dots ~\mid~
-C@m~\tau@{m1}~\dots~\tau@{mk@m}
-\]
-where $\alpha@i$ are distinct type variables (the parameters), $C@i$ are distinct
-constructor names and $\tau@{ij}$ are types; it is customary to capitalize
-the first letter in constructor names. There are a number of
-restrictions (such as that the type should not be empty) detailed
-elsewhere~\cite{isabelle-HOL}. Isabelle notifies you if you violate them.
-
-Laws about datatypes, such as \isa{[] \isasymnoteq~x\#xs} and
-\isa{(x\#xs = y\#ys) = (x=y \isasymand~xs=ys)}, are used automatically
-during proofs by simplification.  The same is true for the equations in
-primitive recursive function definitions.
-
-Every\footnote{Except for advanced datatypes where the recursion involves
-``\isasymRightarrow'' as in {\S}\ref{sec:nested-fun-datatype}.} datatype $t$
-comes equipped with a \isa{size} function from $t$ into the natural numbers
-(see~{\S}\ref{sec:nat} below). For lists, \isa{size} is just the length, i.e.\
-\isa{size [] = 0} and \isa{size(x \# xs) = size xs + 1}.  In general,
-\cdx{size} returns
-\begin{itemize}
-\item zero for all constructors that do not have an argument of type $t$,
-\item one plus the sum of the sizes of all arguments of type~$t$,
-for all other constructors.
-\end{itemize}
-Note that because
-\isa{size} is defined on every datatype, it is overloaded; on lists
-\isa{size} is also called \sdx{length}, which is not overloaded.
-Isabelle will always show \isa{size} on lists as \isa{length}.
-
-
-\subsection{Primitive Recursion}
-
-\index{recursion!primitive}%
-Functions on datatypes are usually defined by recursion. In fact, most of the
-time they are defined by what is called \textbf{primitive recursion} over some
-datatype $t$. This means that the recursion equations must be of the form
-\[ f \, x@1 \, \dots \, (C \, y@1 \, \dots \, y@k)\, \dots \, x@n = r \]
-such that $C$ is a constructor of $t$ and all recursive calls of
-$f$ in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$. Thus
-Isabelle immediately sees that $f$ terminates because one (fixed!) argument
-becomes smaller with every recursive call. There must be at most one equation
-for each constructor.  Their order is immaterial.
-A more general method for defining total recursive functions is introduced in
-{\S}\ref{sec:fun}.
-
-\begin{exercise}\label{ex:Tree}
-\input{document/Tree.tex}%
-\end{exercise}
-
-\input{document/case_exprs.tex}
-
-\input{document/Ifexpr.tex}
-\index{datatypes|)}
-
-
-\section{Some Basic Types}
-
-This section introduces the types of natural numbers and ordered pairs.  Also
-described is type \isa{option}, which is useful for modelling exceptional
-cases. 
-
-\subsection{Natural Numbers}
-\label{sec:nat}\index{natural numbers}%
-\index{linear arithmetic|(}
-
-\input{document/fakenat.tex}\medskip
-\input{document/natsum.tex}
-
-\index{linear arithmetic|)}
-
-
-\subsection{Pairs}
-\input{document/pairs2.tex}
-
-\subsection{Datatype {\tt\slshape option}}
-\label{sec:option}
-\input{document/Option2.tex}
-
-\section{Definitions}
-\label{sec:Definitions}
-
-A definition is simply an abbreviation, i.e.\ a new name for an existing
-construction. In particular, definitions cannot be recursive. Isabelle offers
-definitions on the level of types and terms. Those on the type level are
-called \textbf{type synonyms}; those on the term level are simply called 
-definitions.
-
-
-\subsection{Type Synonyms}
-
-\index{type synonyms}%
-Type synonyms are similar to those found in ML\@. They are created by a 
-\commdx{type\protect\_synonym} command:
-
-\medskip
-\input{document/types.tex}
-
-\input{document/prime_def.tex}
-
-
-\section{The Definitional Approach}
-\label{sec:definitional}
-
-\index{Definitional Approach}%
-As we pointed out at the beginning of the chapter, asserting arbitrary
-axioms such as $f(n) = f(n) + 1$ can easily lead to contradictions. In order
-to avoid this danger, we advocate the definitional rather than
-the axiomatic approach: introduce new concepts by definitions. However,  Isabelle/HOL seems to
-support many richer definitional constructs, such as
-\isacommand{primrec}. The point is that Isabelle reduces such constructs to first principles. For example, each
-\isacommand{primrec} function definition is turned into a proper
-(nonrecursive!) definition from which the user-supplied recursion equations are
-automatically proved.  This process is
-hidden from the user, who does not have to understand the details.  Other commands described
-later, like \isacommand{fun} and \isacommand{inductive}, work similarly.  
-This strict adherence to the definitional approach reduces the risk of 
-soundness errors.
-
-\chapter{More Functional Programming}
-
-The purpose of this chapter is to deepen your understanding of the
-concepts encountered so far and to introduce advanced forms of datatypes and
-recursive functions. The first two sections give a structured presentation of
-theorem proving by simplification ({\S}\ref{sec:Simplification}) and discuss
-important heuristics for induction ({\S}\ref{sec:InductionHeuristics}).  You can
-skip them if you are not planning to perform proofs yourself.
-We then present a case
-study: a compiler for expressions ({\S}\ref{sec:ExprCompiler}). Advanced
-datatypes, including those involving function spaces, are covered in
-{\S}\ref{sec:advanced-datatypes}; it closes with another case study, search
-trees (``tries'').  Finally we introduce \isacommand{fun}, a general
-form of recursive function definition that goes well beyond 
-\isacommand{primrec} ({\S}\ref{sec:fun}).
-
-
-\section{Simplification}
-\label{sec:Simplification}
-\index{simplification|(}
-
-So far we have proved our theorems by \isa{auto}, which simplifies
-all subgoals. In fact, \isa{auto} can do much more than that. 
-To go beyond toy examples, you
-need to understand the ingredients of \isa{auto}.  This section covers the
-method that \isa{auto} always applies first, simplification.
-
-Simplification is one of the central theorem proving tools in Isabelle and
-many other systems. The tool itself is called the \textbf{simplifier}. 
-This section introduces the many features of the simplifier
-and is required reading if you intend to perform proofs.  Later on,
-{\S}\ref{sec:simplification-II} explains some more advanced features and a
-little bit of how the simplifier works. The serious student should read that
-section as well, in particular to understand why the simplifier did
-something unexpected.
-
-\subsection{What is Simplification?}
-
-In its most basic form, simplification means repeated application of
-equations from left to right. For example, taking the rules for \isa{\at}
-and applying them to the term \isa{[0,1] \at\ []} results in a sequence of
-simplification steps:
-\begin{ttbox}\makeatother
-(0#1#[]) @ []  \(\leadsto\)  0#((1#[]) @ [])  \(\leadsto\)  0#(1#([] @ []))  \(\leadsto\)  0#1#[]
-\end{ttbox}
-This is also known as \bfindex{term rewriting}\indexbold{rewriting} and the
-equations are referred to as \bfindex{rewrite rules}.
-``Rewriting'' is more honest than ``simplification'' because the terms do not
-necessarily become simpler in the process.
-
-The simplifier proves arithmetic goals as described in
-{\S}\ref{sec:nat} above.  Arithmetic expressions are simplified using built-in
-procedures that go beyond mere rewrite rules.  New simplification procedures
-can be coded and installed, but they are definitely not a matter for this
-tutorial. 
-
-\input{document/simp.tex}
-
-\index{simplification|)}
-
-\input{document/Itrev.tex}
-\begin{exercise}
-\input{document/Plus.tex}%
-\end{exercise}
-\begin{exercise}
-\input{document/Tree2.tex}%
-\end{exercise}
-
-\input{document/CodeGen.tex}
-
-
-\section{Advanced Datatypes}
-\label{sec:advanced-datatypes}
-\index{datatype@\isacommand {datatype} (command)|(}
-\index{primrec@\isacommand {primrec} (command)|(}
-%|)
-
-This section presents advanced forms of datatypes: mutual and nested
-recursion.  A series of examples will culminate in a treatment of the trie
-data structure.
-
-
-\subsection{Mutual Recursion}
-\label{sec:datatype-mut-rec}
-
-\input{document/ABexpr.tex}
-
-\subsection{Nested Recursion}
-\label{sec:nested-datatype}
-
-{\makeatother\input{document/Nested.tex}}
-
-
-\subsection{The Limits of Nested Recursion}
-\label{sec:nested-fun-datatype}
-
-How far can we push nested recursion? By the unfolding argument above, we can
-reduce nested to mutual recursion provided the nested recursion only involves
-previously defined datatypes. This does not include functions:
-\begin{isabelle}
-\isacommand{datatype} t = C "t \isasymRightarrow\ bool"
-\end{isabelle}
-This declaration is a real can of worms.
-In HOL it must be ruled out because it requires a type
-\isa{t} such that \isa{t} and its power set \isa{t \isasymFun\ bool} have the
-same cardinality --- an impossibility. For the same reason it is not possible
-to allow recursion involving the type \isa{t set}, which is isomorphic to
-\isa{t \isasymFun\ bool}.
-
-Fortunately, a limited form of recursion
-involving function spaces is permitted: the recursive type may occur on the
-right of a function arrow, but never on the left. Hence the above can of worms
-is ruled out but the following example of a potentially 
-\index{infinitely branching trees}%
-infinitely branching tree is accepted:
-\smallskip
-
-\input{document/Fundata.tex}
-
-If you need nested recursion on the left of a function arrow, there are
-alternatives to pure HOL\@.  In the Logic for Computable Functions 
-(\rmindex{LCF}), types like
-\begin{isabelle}
-\isacommand{datatype} lam = C "lam \isasymrightarrow\ lam"
-\end{isabelle}
-do indeed make sense~\cite{paulson87}.  Note the different arrow,
-\isa{\isasymrightarrow} instead of \isa{\isasymRightarrow},
-expressing the type of \emph{continuous} functions. 
-There is even a version of LCF on top of HOL,
-called \rmindex{HOLCF}~\cite{MuellerNvOS99}.
-\index{datatype@\isacommand {datatype} (command)|)}
-\index{primrec@\isacommand {primrec} (command)|)}
-
-
-\subsection{Case Study: Tries}
-\label{sec:Trie}
-
-\index{tries|(}%
-Tries are a classic search tree data structure~\cite{Knuth3-75} for fast
-indexing with strings. Figure~\ref{fig:trie} gives a graphical example of a
-trie containing the words ``all'', ``an'', ``ape'', ``can'', ``car'' and
-``cat''.  When searching a string in a trie, the letters of the string are
-examined sequentially. Each letter determines which subtrie to search next.
-In this case study we model tries as a datatype, define a lookup and an
-update function, and prove that they behave as expected.
-
-\begin{figure}[htbp]
-\begin{center}
-\unitlength1mm
-\begin{picture}(60,30)
-\put( 5, 0){\makebox(0,0)[b]{l}}
-\put(25, 0){\makebox(0,0)[b]{e}}
-\put(35, 0){\makebox(0,0)[b]{n}}
-\put(45, 0){\makebox(0,0)[b]{r}}
-\put(55, 0){\makebox(0,0)[b]{t}}
-%
-\put( 5, 9){\line(0,-1){5}}
-\put(25, 9){\line(0,-1){5}}
-\put(44, 9){\line(-3,-2){9}}
-\put(45, 9){\line(0,-1){5}}
-\put(46, 9){\line(3,-2){9}}
-%
-\put( 5,10){\makebox(0,0)[b]{l}}
-\put(15,10){\makebox(0,0)[b]{n}}
-\put(25,10){\makebox(0,0)[b]{p}}
-\put(45,10){\makebox(0,0)[b]{a}}
-%
-\put(14,19){\line(-3,-2){9}}
-\put(15,19){\line(0,-1){5}}
-\put(16,19){\line(3,-2){9}}
-\put(45,19){\line(0,-1){5}}
-%
-\put(15,20){\makebox(0,0)[b]{a}}
-\put(45,20){\makebox(0,0)[b]{c}}
-%
-\put(30,30){\line(-3,-2){13}}
-\put(30,30){\line(3,-2){13}}
-\end{picture}
-\end{center}
-\caption{A Sample Trie}
-\label{fig:trie}
-\end{figure}
-
-Proper tries associate some value with each string. Since the
-information is stored only in the final node associated with the string, many
-nodes do not carry any value. This distinction is modeled with the help
-of the predefined datatype \isa{option} (see {\S}\ref{sec:option}).
-\input{document/Trie.tex}
-\index{tries|)}
-
-\section{Total Recursive Functions: \isacommand{fun}}
-\label{sec:fun}
-\index{fun@\isacommand {fun} (command)|(}\index{functions!total|(}
-
-Although many total functions have a natural primitive recursive definition,
-this is not always the case. Arbitrary total recursive functions can be
-defined by means of \isacommand{fun}: you can use full pattern matching,
-recursion need not involve datatypes, and termination is proved by showing
-that the arguments of all recursive calls are smaller in a suitable sense.
-In this section we restrict ourselves to functions where Isabelle can prove
-termination automatically. More advanced function definitions, including user
-supplied termination proofs, nested recursion and partiality, are discussed
-in a separate tutorial~\cite{isabelle-function}.
-
-\input{document/fun0.tex}
-
-\index{fun@\isacommand {fun} (command)|)}\index{functions!total|)}
--- a/doc-src/TutorialI/pghead.eps	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,73 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
%%Title: (portrait-head copy)
%%Version: 1 6
%%Creator: Adobe Acrobat 7.0
%%CreationDate: 26/05/2005 09:00
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%ADO_ContainsXMP: MainFirst
%%BoundingBox: 172 54 468 463
%%HiResBoundingBox: 172.0 54.0 468.0 463.0
%%Pages: 0
%%DocumentProcessColors: Black
%%DocumentSuppliedResources:
%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
%%EndComments
%%BeginProlog
%%EndProlog
%%BeginSetup
%ADOPrintSettings: L2 W0 VM op crd os scsa T h ef bg ucr sf ef r b fa pr seps ttf hb EF t2 irt Printer/PostScript Color Management 0
-

%%BeginResource: procset l2check 6.0 1
%%Copyright: Copyright 1993,2001 Adobe Systems Incorporated. All Rights Reserved.
systemdict /languagelevel known
{ systemdict /languagelevel get 1 eq }
{ true }
ifelse
{
initgraphics /Helvetica findfont 18 scalefont setfont
72 600 moveto (Error: This application does not support) dup show
72 580 moveto (printing to a PostScript Language Level 1 printer.) dup show
exch = =
/Times-Roman findfont 16 scalefont setfont
72 500 moveto (As a workaround, try selecting Print As Image from) show
72 480 moveto (the Advanced Print dialog.) show
showpage
quit
}
if
%%EndResource
/currentpacking where{pop currentpacking true setpacking}if
%%BeginResource: procset pdfvars 6.0 1
%%Copyright: Copyright 1987-2002 Adobe Systems Incorporated. All Rights Reserved.
%%Title: definition of dictionary of variables used by PDF & PDFText procsets
userdict /PDF 162 dict put
userdict /PDFVars 89 dict dup begin put
/docSetupDone false def
/InitAll 0 def
/TermAll 0 def
/DocInitAll 0 def
/DocTermAll 0 def
/_pdfEncodings 2 array def
/_pdf_str1 1 string def
/_pdf_i 0 def
/_pdf_na 0 def
/_pdf_showproc 0 def
/_italMtx [1 0 .212557 1 0 0] def
/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
/_italMtxType0 [1 0 .1062785 1 0 0] def
/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
/_basefont 0 def
/_basefonto 0 def
/_pdf_oldCIDInit null def
/_pdf_FontDirectory 30 dict def
/_categories 10 dict def
/_sa? true def
/_ColorSep5044? false def
/nulldict 0 dict def
/_processColors 0 def
/overprintstack null def
/_defaulttransfer currenttransfer def
/_defaultflatness currentflat def
/_defaulthalftone null def
/_defaultcolortransfer null def
/_defaultblackgeneration null def
/_defaultundercolorremoval null def
/_defaultcolortransfer null def
PDF begin
[/c/cs/cm/d/d0/f/h/i/j/J/l/m/M/n/q/Q/re/ri/S/sc/sh/Tf/w/W
/applyInterpFunc/applystitchFunc/domainClip/encodeInput
/initgs/int/limit/rangeClip
/defineRes/undefineRes/findRes/setSA/pl
/? /! /| /: /+ /GetGlyphDirectory
/pdf_flushFilters /pdf_readstring /pdf_dictOp /pdf_image /pdf_maskedImage
/pdf_shfill /pdf_sethalftone
] {null def} bind forall
end
end
%%EndResource
PDFVars begin PDF begin
%%BeginResource: procset pdfutil 6.0 1
%%Copyright: Copyright 1993-2001 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Basic utilities used by other PDF procsets
/bd {bind def} bind def
/ld {load def} bd
/bld {
dup length dict begin
{ null def } forall
bind
end
def
} bd
/dd { PDFVars 3 1 roll put } bd
/xdd { exch dd } bd
/Level2?
systemdict /languagelevel known
{ systemdict /languagelevel get 2 ge } { false } ifelse
def
/Level1? Level2? not def
/Level3?
systemdict /languagelevel known
{systemdict /languagelevel get 3 eq } { false } ifelse
def
/getifknown {
2 copy known { get true } { pop pop false } ifelse
} bd
/here {
currentdict exch getifknown
} bd
/isdefined? { where { pop true } { false } ifelse } bd
%%EndResource
%%BeginResource: procset pdf 6.0 1
%%Copyright: Copyright 1998-2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: General operators for PDF, common to all Language Levels.
/cm { matrix astore concat } bd
/d /setdash ld
/f /fill ld
/h /closepath ld
/i {dup 0 eq {pop _defaultflatness} if setflat} bd
/j /setlinejoin ld
/J /setlinecap ld
/M /setmiterlimit ld
/n /newpath ld
/S /stroke ld
/w /setlinewidth ld
/W /clip ld
/sg /setgray ld
/initgs {
0 setgray
[] 0 d
0 j
0 J
10 M
1 w
false setSA
/_defaulttransfer load settransfer
0 i
/RelativeColorimetric ri
newpath
} bd
/int {
dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
exch pop add exch pop
} bd
/limit {
dup 2 index le { exch } if pop
dup 2 index ge { exch } if pop
} bd
/domainClip {
Domain aload pop 3 2 roll
limit
} [/Domain] bld
/applyInterpFunc {
0 1 DimOut 1 sub
{
dup C0 exch get exch
dup C1 exch get exch
3 1 roll
1 index sub
3 index
N exp mul add
exch
currentdict /Range_lo known
{
dup Range_lo exch get exch
Range_hi exch get
3 2 roll limit
}
{
pop
}
ifelse
exch
} for
pop
} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
/encodeInput {
NumParts 1 sub
0 1 2 index
{
dup Bounds exch get
2 index gt
{ exit }
{ dup
3 index eq
{ exit }
{ pop } ifelse
} ifelse
} for
3 2 roll pop
dup Bounds exch get exch
dup 1 add Bounds exch get exch
2 mul
dup Encode exch get exch
1 add Encode exch get
int
} [/NumParts /Bounds /Encode] bld
/rangeClip {
exch dup Range_lo exch get
exch Range_hi exch get
3 2 roll
limit
} [/Range_lo /Range_hi] bld
/applyStitchFunc {
Functions exch get exec
currentdict /Range_lo known {
0 1 DimOut 1 sub {
DimOut 1 add -1 roll
rangeClip
} for
} if
} [/Functions /Range_lo /DimOut] bld
/pdf_flushfilters
{
aload length
{ dup status
1 index currentfile ne and
{ dup flushfile closefile }
{ pop }
ifelse
} repeat
} bd
/pdf_readstring
{
1 index dup length 1 sub get
exch readstring pop
exch pdf_flushfilters
} bind def
/pdf_dictOp
{
3 2 roll
10 dict copy
begin
_Filters dup length 1 sub get def
currentdict exch exec
_Filters pdf_flushfilters
end
} [/_Filters] bld
/pdf_imagemask {{imagemask} /DataSource pdf_dictOp} bd
/pdf_shfill {{sh} /DataSource pdf_dictOp} bd
/pdf_sethalftone {{sethalftone} /Thresholds pdf_dictOp} bd
/masks [ 2#10000000
2#11000000
2#11100000
2#11110000
2#11111000
2#11111100
2#11111110
2#11111111 ] def
/addNBits
{
/numBits exch def
/byte exch def
OutBitOffset numBits add 8 gt
{
byte OutBitOffset 8 sub bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutByteIndex OutByteIndex 1 add def
/bitsDoneSoFar OutBitOffset def
/OutBitOffset numBits 8 OutBitOffset sub sub def
OutBitOffset 0 gt
{
byte bitsDoneSoFar bitshift
masks numBits bitsDoneSoFar sub get and
OutBuffer OutByteIndex 3 -1 roll put
} if
}
{
byte masks numBits 1 sub get and
OutBitOffset neg bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutBitOffset OutBitOffset numBits add def
OutBitOffset 8 eq
{
/OutBitOffset 0 def
/OutByteIndex OutByteIndex 1 add def
} if
} ifelse
} bind def
/DevNNFilter
{
/InBuffer Width NumComps mul BitsPerComponent mul 7 add 8 idiv string def
AllSource InBuffer readstring pop pop
/outlen Width NewNumComps mul BitsPerComponent mul 7 add 8 idiv def
/OutBuffer outlen string def
0 1 outlen 1 sub { OutBuffer exch 0 put } for
/InByteIndex 0 def
/InBitOffset 0 def
/OutByteIndex 0 def
/OutBitOffset 0 def
/KeepArray NumComps array def
0 1 NumComps 1 sub { KeepArray exch true put } for
DevNNones { KeepArray exch false put } forall
Width {
KeepArray
{
{
/bitsLeft BitsPerComponent def
{
bitsLeft 0 le { exit } if
/bitsToDo 8 InBitOffset sub dup bitsLeft gt { pop bitsLeft } if def
InBuffer InByteIndex get
InBitOffset bitshift
bitsToDo addNBits
/bitsLeft bitsLeft bitsToDo sub def
InBitOffset bitsToDo add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
} loop
}
{
InBitOffset BitsPerComponent add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
}
ifelse
}
forall
} repeat
OutBuffer
} bd
/pdf_image
{
20 dict copy
begin
/UnusedNones where { /UnusedNones get}{false} ifelse
{
/NumComps Decode length 2 div cvi def
/OrigDecode Decode def
/NumNones DevNNones length def
/NewNumComps NumComps NumNones sub def
/Decode NewNumComps 2 mul cvi array def
/devNNindx 0 def
/decIndx 0 def
/cmpIndx 0 def
NumComps {
cmpIndx DevNNones devNNindx get eq
{
/devNNindx devNNindx 1 add dup NumNones eq {pop 0} if def
}
{
Decode decIndx OrigDecode cmpIndx 2 mul get put
Decode decIndx 1 add OrigDecode cmpIndx 2 mul 1 add get put
/decIndx decIndx 2 add def
} ifelse
/cmpIndx cmpIndx 1 add def
} repeat
_Filters dup length 1 sub get /AllSource exch def
/DataSource { DevNNFilter } def
}
{ _Filters dup length 1 sub get /DataSource exch def }
ifelse
currentdict image
_Filters pdf_flushfilters
end
} bd
/pdf_maskedImage
{
10 dict copy begin
/miDict currentdict def
/DataDict DataDict 10 dict copy def
DataDict begin
/DataSource
_Filters dup length 1 sub get
def
miDict image
_Filters pdf_flushfilters
end
miDict /InterleaveType get 3 eq
{ MaskDict /DataSource get dup type /filetype eq { closefile } { pop } ifelse }
if
end
} [/miDict /DataDict /_Filters] bld
/RadialShade {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/r2 exch def
/c2y exch def
/c2x exch def
/r1 exch def
/c1y exch def
/c1x exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
c1x c2x eq
{
c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope c2y c1y sub c2x c1x sub div def
/theta slope 1 atan def
c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
c1x c1y translate
theta rotate
-90 rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
/max { 2 copy gt { pop } {exch pop} ifelse } bind def
/min { 2 copy lt { pop } {exch pop} ifelse } bind def
rampdict begin
40 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
c1x c1y translate
theta rotate
-90 rotate
/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
/c1y 0 def
/c1x 0 def
/c2x 0 def
ext0 {
0 getrampcolor
c2y r2 add r1 sub 0.0001 lt
{
c1x c1y r1 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2y r1 add r2 le
{
c1x c1y r1 0 360 arc
fill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r1 neg def
/p1y c1y def
/p2x r1 def
/p2y c1y def
p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y p1x SS1 div neg def
/SS2 90 theta sub dup sin exch cos div def
/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y p2x SS2 div neg def
r1 r2 gt
{
/L1maxX p1x yMin p1y sub SS1 div add def
/L2maxX p2x yMin p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
c1x c2x sub dup mul
c1y c2y sub dup mul
add 0.5 exp
0 dtransform
dup mul exch dup mul add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
/hires exch def
hires mul
/numpix exch def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
/xInc c2x c1x sub numsteps div def
/yInc c2y c1y sub numsteps div def
/rInc r2 r1 sub numsteps div def
/cx c1x def
/cy c1y def
/radius r1 def
newpath
xInc 0 eq yInc 0 eq rInc 0 eq and and
{
0 getrampcolor
cx cy radius 0 360 arc
stroke
NumSamples 1 sub getrampcolor
cx cy radius 72 hires div add 0 360 arc
0 setlinewidth
stroke
}
{
0
numsteps
{
dup
subsampling { round } if
getrampcolor
cx cy radius 0 360 arc
/cx cx xInc add def
/cy cy yInc add def
/radius radius rInc add def
cx cy radius 360 0 arcn
eofill
rampIndxInc add
}
repeat
pop
} ifelse
ext1 {
c2y r2 add r1 lt
{
c2x c2y r2 0 360 arc
fill
}
{
c2y r1 add r2 sub 0.0001 le
{
c2x c2y r2 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r2 neg def
/p1y c2y def
/p2x r2 def
/p2y c2y def
p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y c2y p1x SS1 div sub def
/SS2 90 theta sub dup sin exch cos div def
/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y c2y p2x SS2 div sub def
r1 r2 lt
{
/L1maxX p1x yMax p1y sub SS1 div add def
/L2maxX p2x yMax p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
grestore
grestore
end
end
end
} ifelse
} bd
/GenStrips {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
x1 x2 eq
{
y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope y2 y1 sub x2 x1 sub div def
/theta slope 1 atan def
x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
x1 y1 translate
theta rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
rampdict begin
20 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
x1 y1 translate
theta rotate
/xStart 0 def
/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
/ySpan yMax yMin sub def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
xStart 0 transform
xEnd 0 transform
3 -1 roll
sub dup mul
3 1 roll
sub dup mul
add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
mul
/numpix exch def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
ext0 {
0 getrampcolor
xMin xStart lt
{ xMin yMin xMin neg ySpan rectfill } if
} if
/xInc xEnd xStart sub numsteps div def
/x xStart def
0
numsteps
{
dup
subsampling { round } if
getrampcolor
x yMin xInc ySpan rectfill
/x x xInc add def
rampIndxInc add
}
repeat
pop
ext1 {
xMax xEnd gt
{ xEnd yMin xMax xEnd sub ySpan rectfill } if
} if
grestore
grestore
end
end
end
} ifelse
} bd
/currentdistillerparams where { pop currentdistillerparams /CoreDistVersion get 5000 lt}{true}ifelse
{
/PDFMark5 {cleartomark} bd
}
{
/PDFMark5 {pdfmark} bd
}ifelse
/ReadByPDFMark5
{
2 dict begin
/makerString exch def string /tmpString exch def
{
currentfile tmpString readline pop
makerString anchorsearch
{
pop pop cleartomark exit
}
{
3 copy /PUT PDFMark5 pop 2 copy (\n) /PUT PDFMark5
} ifelse
}loop
end
}bd
%%EndResource
%%BeginResource: procset pdflev2 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: PDF operators, with code specific for Level 2
/docinitialize {
PDF begin
/_defaulthalftone currenthalftone dd
/_defaultblackgeneration currentblackgeneration dd
/_defaultundercolorremoval currentundercolorremoval dd
/_defaultcolortransfer [currentcolortransfer] dd
/_defaulttransfer currenttransfer dd
end
PDFVars /docSetupDone true put
} bd
/initialize {
PDFVars /docSetupDone get {
_defaulthalftone sethalftone
/_defaultblackgeneration load setblackgeneration
/_defaultundercolorremoval load setundercolorremoval
_defaultcolortransfer aload pop setcolortransfer
} if
false setoverprint
} bd
/terminate { } bd
/c /curveto ld
/cs /setcolorspace ld
/l /lineto ld
/m /moveto ld
/q /gsave ld
/Q /grestore ld
/sc /setcolor ld
/setSA/setstrokeadjust ld
/re {
4 2 roll m
1 index 0 rlineto
0 exch rlineto
neg 0 rlineto
h
} bd
/concattransferfuncs {
[ 3 1 roll /exec load exch /exec load ] cvx
} bd
/concatandsettransfer {
/_defaulttransfer load concattransferfuncs settransfer
} bd
/concatandsetcolortransfer {
_defaultcolortransfer aload pop
8 -1 roll 5 -1 roll concattransferfuncs 7 1 roll
6 -1 roll 4 -1 roll concattransferfuncs 5 1 roll
4 -1 roll 3 -1 roll concattransferfuncs 3 1 roll
concattransferfuncs
setcolortransfer
} bd
/defineRes/defineresource ld
/undefineRes/undefineresource ld
/findRes/findresource ld
currentglobal
true systemdict /setglobal get exec
[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource /Image]
{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
forall
systemdict /setglobal get exec
/ri
{
/findcolorrendering isdefined?
{
mark exch
findcolorrendering
counttomark 2 eq
{ type /booleantype eq
{ dup type /nametype eq
{ dup /ColorRendering resourcestatus
{ pop pop
dup /DefaultColorRendering ne
{
/ColorRendering findresource
setcolorrendering
} if
} if
} if
} if
} if
cleartomark
}
{ pop
} ifelse
} bd
/knownColorants? {
pop false
} bd
/getrampcolor {
cvi
/indx exch def
0 1 NumComp 1 sub {
dup
Samples exch get
dup type /stringtype eq { indx get } if
exch
Scaling exch get aload pop
3 1 roll
mul add
} for
setcolor
} bd
/sssetbackground { aload pop setcolor } bd
%%EndResource
%%BeginResource: procset pdftext 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Text operators for PDF
PDF /PDFText 78 dict dup begin put
/docinitialize
{
/resourcestatus where {
pop
/CIDParams /ProcSet resourcestatus {
pop pop
false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
} if
} if
PDF begin
PDFText /_pdfDefineIdentity-H known
{ PDFText /_pdfDefineIdentity-H get exec}
if
end
} bd
/initialize {
PDFText begin
} bd
/terminate { end } bd
Level2?
{
/_safeput
{
3 -1 roll load 3 1 roll put
}
bd
}
{
/_safeput
{
2 index load dup dup length exch maxlength ge
{ dup length 5 add dict copy
3 index xdd
}
{ pop }
ifelse
3 -1 roll load 3 1 roll put
}
bd
}
ifelse
/pdf_has_composefont? systemdict /composefont known def
/CopyFont {
{
1 index /FID ne 2 index /UniqueID ne and
{ def } { pop pop } ifelse
} forall
} bd
/Type0CopyFont
{
exch
dup length dict
begin
CopyFont
[
exch
FDepVector
{
dup /FontType get 0 eq
{
1 index Type0CopyFont
/_pdfType0 exch definefont
}
{
/_pdfBaseFont exch
2 index exec
}
ifelse
exch
}
forall
pop
]
/FDepVector exch def
currentdict
end
} bd
Level2? {currentglobal true setglobal} if
/cHexEncoding
[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
Level2? {setglobal} if
/modEnc {
/_enc xdd
/_icode 0 dd
counttomark 1 sub -1 0
{
index
dup type /nametype eq
{
_enc _icode 3 -1 roll put
_icode 1 add
}
if
/_icode xdd
} for
cleartomark
_enc
} bd
/trEnc {
/_enc xdd
255 -1 0 {
exch dup -1 eq
{ pop /.notdef }
{ Encoding exch get }
ifelse
_enc 3 1 roll put
} for
pop
_enc
} bd
/TE {
/_i xdd
StandardEncoding 256 array copy modEnc
_pdfEncodings exch _i exch put
} bd
Level2?
{
/pdfPatchCStrings
{
currentdict /CharStrings known currentdict /FontType known and
{
FontType 1 eq CharStrings type /dicttype eq and
{
CharStrings /mu known CharStrings /mu1 known not and CharStrings wcheck and
{
CharStrings /mu get
type /stringtype eq
{
currentglobal
CharStrings /mu1
CharStrings /mu get
dup gcheck setglobal
dup length string copy
put
setglobal
} if
} if
} if
} if
} bd
}
{ /pdfPatchCStrings {} bd }
ifelse
/TZ
{
/_usePDFEncoding xdd
findfont
dup length 6 add dict
begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
/pdf_origFontName FontName def
/FontName exch def
currentdict /PaintType known
{ PaintType 2 eq {/PaintType 0 def} if }
if
_usePDFEncoding 0 ge
{
/Encoding _pdfEncodings _usePDFEncoding get def
pop
}
{
_usePDFEncoding -1 eq
{
counttomark 0 eq
{ pop }
{
Encoding 256 array copy
modEnc /Encoding exch def
}
ifelse
}
{
256 array
trEnc /Encoding exch def
}
ifelse
}
ifelse
pdf_EuroProcSet pdf_origFontName known
{
pdf_origFontName pdf_AddEuroGlyphProc
} if
Level2?
{
currentdict /pdf_origFontName undef
} if
FontName currentdict
end
definefont pop
}
bd
Level2?
{
/TZG
{
currentglobal true setglobal
2 index _pdfFontStatus
{
2 index findfont
false setglobal
3 index findfont
true setglobal
ne
{
2 index findfont dup rcheck
{
dup length dict begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
currentdict end
}
if
3 index exch definefont pop
}
if
} if
setglobal
TZ
} bd
}
{
/TZG {TZ} bd
} ifelse
Level2?
{
currentglobal false setglobal
userdict /pdftext_data 5 dict put
pdftext_data
begin
/saveStacks
{
pdftext_data
begin
/vmmode currentglobal def
false setglobal
count array astore /os exch def
end
countdictstack array dictstack pdftext_data exch /ds exch put
cleardictstack pdftext_data /dscount countdictstack put
pdftext_data /vmmode get setglobal
} bind def
/restoreStacks
{
pdftext_data /vmmode currentglobal put false setglobal
clear cleardictstack
pdftext_data /ds get dup
pdftext_data /dscount get 1 2 index length 1 sub
{ get begin dup } for
pop pop
pdftext_data /os get aload pop
pdftext_data /vmmode get setglobal
} bind def
/testForClonePrinterBug
{
currentglobal true setglobal
/undefinedCategory /Generic /Category findresource
dup length dict copy /Category defineresource pop
setglobal
pdftext_data /saveStacks get exec
pdftext_data /vmmode currentglobal put false setglobal
/undefined /undefinedCategory { resourcestatus } stopped
pdftext_data exch /bugFound exch put
pdftext_data /vmmode get setglobal
pdftext_data /restoreStacks get exec
pdftext_data /bugFound get
} bind def
end
setglobal
/pdf_resourcestatus
pdftext_data /testForClonePrinterBug get exec
{
{
pdftext_data /saveStacks get exec
pdftext_data /os get dup dup length 1 sub
dup 1 sub dup 0 lt { pop 0 } if
exch 1 exch { get exch dup } for
pop pop
{ resourcestatus }
stopped
{
clear cleardictstack pdftext_data /restoreStacks get exec
{ pop pop } stopped pop false
}
{
count array astore pdftext_data exch /results exch put
pdftext_data /restoreStacks get exec pop pop
pdftext_data /results get aload pop
}
ifelse
}
}
{ { resourcestatus } }
ifelse
bd
}
if
Level2?
{
/_pdfUndefineResource
{
currentglobal 3 1 roll
_pdf_FontDirectory 2 index 2 copy known
{undef}
{pop pop}
ifelse
1 index (pdf) exch _pdfConcatNames 1 index
1 index 1 _pdfConcatNames 1 index
5 index 1 _pdfConcatNames 1 index
4
{
2 copy pdf_resourcestatus
{
pop 2 lt
{2 copy findresource gcheck setglobal undefineresource}
{pop pop}
ifelse
}
{ pop pop}
ifelse
} repeat
setglobal
} bd
}
{
/_pdfUndefineResource { pop pop} bd
}
ifelse
Level2?
{
/_pdfFontStatus
{
currentglobal exch
/Font pdf_resourcestatus
{pop pop true}
{false}
ifelse
exch setglobal
} bd
}
{
/_pdfFontStatusString 50 string def
_pdfFontStatusString 0 (fonts/) putinterval
/_pdfFontStatus
{
FontDirectory 1 index known
{ pop true }
{
_pdfFontStatusString 6 42 getinterval
cvs length 6 add
_pdfFontStatusString exch 0 exch getinterval
{ status } stopped
{pop false}
{
{ pop pop pop pop true}
{ false }
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
Level2?
{
/_pdfCIDFontStatus
{
/CIDFont /Category pdf_resourcestatus
{
pop pop
/CIDFont pdf_resourcestatus
{pop pop true}
{false}
ifelse
}
{ pop false }
ifelse
} bd
}
if
/_pdfString100 100 string def
/_pdfComposeFontName
{
dup length 1 eq
{
0 get
1 index
type /nametype eq
{
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
2 index exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
exch pop
true
}
{
pop pop
false
}
ifelse
}
{
false
}
ifelse
dup {exch cvn exch} if
} bd
/_pdfConcatNames
{
exch
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
3 -1 roll exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
cvn
} bind def
/_pdfTextTempString 50 string def
/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
/_pdf_CheckCIDSystemInfo
{
1 index _pdfTextTempString cvs
(Identity) anchorsearch
{
pop pop pop pop true
}
{
false
_pdfRegOrderingArray
{
2 index exch
anchorsearch
{ pop pop pop true exit}
{ pop }
ifelse
}
forall
exch pop
exch /CIDFont findresource
/CIDSystemInfo get
3 -1 roll /CMap findresource
/CIDSystemInfo get
exch
3 -1 roll
{
2 copy
/Supplement get
exch
dup type /dicttype eq
{/Supplement get}
{pop 0 }
ifelse
ge
}
{ true }
ifelse
{
dup /Registry get
2 index /Registry get eq
{
/Ordering get
exch /Ordering get
dup type /arraytype eq
{
1 index type /arraytype eq
{
true
1 index length 1 sub -1 0
{
dup 2 index exch get exch 3 index exch get ne
{ pop false exit}
if
} for
exch pop exch pop
}
{ pop pop false }
ifelse
}
{
eq
}
ifelse
}
{ pop pop false }
ifelse
}
{ pop pop false }
ifelse
}
ifelse
} bind def
pdf_has_composefont?
{
/_pdfComposeFont
{
2 copy _pdfComposeFontName not
{
2 index
}
if
(pdf) exch _pdfConcatNames
dup _pdfFontStatus
{ dup findfont 5 2 roll pop pop pop true}
{
4 1 roll
1 index /CMap pdf_resourcestatus
{
pop pop
true
}
{false}
ifelse
1 index true exch
{
_pdfCIDFontStatus not
{pop false exit}
if
}
forall
and
{
1 index 1 index 0 get _pdf_CheckCIDSystemInfo
{
3 -1 roll pop
2 index 3 1 roll
composefont true
}
{
pop pop exch pop false
}
ifelse
}
{
_pdfComposeFontName
{
dup _pdfFontStatus
{
exch pop
1 index exch
findfont definefont true
}
{
pop exch pop
false
}
ifelse
}
{
exch pop
false
}
ifelse
}
ifelse
{ true }
{
dup _pdfFontStatus
{ dup findfont true }
{ pop false }
ifelse
}
ifelse
}
ifelse
} bd
}
{
/_pdfComposeFont
{
_pdfComposeFontName not
{
dup
}
if
dup
_pdfFontStatus
{exch pop dup findfont true}
{
1 index
dup type /nametype eq
{pop}
{cvn}
ifelse
eq
{pop false}
{
dup _pdfFontStatus
{dup findfont true}
{pop false}
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
/_pdfStyleDicts 4 dict dup begin
/Adobe-Japan1 4 dict dup begin
Level2?
{
/Serif
/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMin-W3}
{
/HeiseiMin-W3 _pdfCIDFontStatus
{/HeiseiMin-W3}
{/Ryumin-Light}
ifelse
}
ifelse
def
/SansSerif
/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
{/HeiseiKakuGo-W5}
{
/HeiseiKakuGo-W5 _pdfCIDFontStatus
{/HeiseiKakuGo-W5}
{/GothicBBB-Medium}
ifelse
}
ifelse
def
/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMaruGo-W4}
{
/HeiseiMaruGo-W4 _pdfCIDFontStatus
{/HeiseiMaruGo-W4}
{
/Jun101-Light-RKSJ-H _pdfFontStatus
{ /Jun101-Light }
{ SansSerif }
ifelse
}
ifelse
}
ifelse
/RoundSansSerif exch def
/Default Serif def
}
{
/Serif /Ryumin-Light def
/SansSerif /GothicBBB-Medium def
{
(fonts/Jun101-Light-83pv-RKSJ-H) status
}stopped
{pop}{
{ pop pop pop pop /Jun101-Light }
{ SansSerif }
ifelse
/RoundSansSerif exch def
}ifelse
/Default Serif def
}
ifelse
end
def
/Adobe-Korea1 4 dict dup begin
/Serif /HYSMyeongJo-Medium def
/SansSerif /HYGoThic-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-GB1 4 dict dup begin
/Serif /STSong-Light def
/SansSerif /STHeiti-Regular def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-CNS1 4 dict dup begin
/Serif /MKai-Medium def
/SansSerif /MHei-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
end
def
/TZzero
{
/_wmode xdd
/_styleArr xdd
/_regOrdering xdd
3 copy
_pdfComposeFont
{
5 2 roll pop pop pop
}
{
[
0 1 _styleArr length 1 sub
{
_styleArr exch get
_pdfStyleDicts _regOrdering 2 copy known
{
get
exch 2 copy known not
{ pop /Default }
if
get
}
{
pop pop pop /Unknown
}
ifelse
}
for
]
exch pop
2 index 3 1 roll
_pdfComposeFont
{3 -1 roll pop}
{
findfont dup /FontName get exch
}
ifelse
}
ifelse
dup /WMode 2 copy known
{ get _wmode ne }
{ pop pop _wmode 1 eq}
ifelse
{
exch _wmode _pdfConcatNames
dup _pdfFontStatus
{ exch pop dup findfont false}
{ exch true }
ifelse
}
{
dup /FontType get 0 ne
}
ifelse
{
dup /FontType get 3 eq _wmode 1 eq and
{
_pdfVerticalRomanT3Font dup length 10 add dict copy
begin
/_basefont exch
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
if
def
FontName
currentdict
end
definefont
def
/Encoding _basefont /Encoding get def
/_fauxfont true def
}
{
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
FontType 0 ne
{
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put}
if
def
/_fauxfont true def
} if
} ifelse
/WMode _wmode def
dup dup /FontName exch def
currentdict
end
definefont pop
}
{
pop
}
ifelse
/_pdf_FontDirectory 3 1 roll _safeput
}
bd
Level2?
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
selectfont
} bd
}
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
exch findfont exch
dup type /arraytype eq
{makefont}
{scalefont}
ifelse
setfont
} bd
}
ifelse
/cshow where
{
pop /pdf_cshow /cshow load dd
/pdf_remove2 {pop pop} dd
}
{
/pdf_cshow {exch forall} dd
/pdf_remove2 {} dd
} ifelse
/pdf_xshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_yshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0 exch
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_xyshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
{_pdf_na _pdf_i 1 add get} stopped
{ pop pop pop}
{
_pdf_x _pdf_y moveto
rmoveto
}
ifelse
}
ifelse
_pdf_i 2 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdfl1xs {/_pdf_showproc /show load dd pdf_xshow} bd
/pdfl1ys {/_pdf_showproc /show load dd pdf_yshow} bd
/pdfl1xys {/_pdf_showproc /show load dd pdf_xyshow} bd
Level2? _ColorSep5044? not and
{
/pdfxs {{xshow} stopped {pdfl1xs} if} bd
/pdfys {{yshow} stopped {pdfl1ys} if} bd
/pdfxys {{xyshow} stopped {pdfl1xys} if} bd
}
{
/pdfxs /pdfl1xs load dd
/pdfys /pdfl1ys load dd
/pdfxys /pdfl1xys load dd
} ifelse
/pdf_charpath {false charpath} bd
/pdf_xcharpath {/_pdf_showproc /pdf_charpath load dd pdf_xshow} bd
/pdf_ycharpath {/_pdf_showproc /pdf_charpath load dd pdf_yshow} bd
/pdf_xycharpath {/_pdf_showproc /pdf_charpath load dd pdf_xyshow} bd
/pdf_strokepath
{
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 false charpath
currentpoint S moveto
} bind
exch pdf_cshow
} bd
/pdf_xstrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xshow} bd
/pdf_ystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_yshow} bd
/pdf_xystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xyshow} bd
Level2? {currentglobal true setglobal} if
/d0/setcharwidth ld
/nND {{/.notdef} repeat} bd
/T3Defs {
/BuildChar
{
1 index /Encoding get exch get
1 index /BuildGlyph get exec
}
def
/BuildGlyph {
exch begin
GlyphProcs exch get exec
end
} def
/_pdfT3Font true def
} bd
/_pdfBoldRomanWidthProc
{
stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
0 0
} bd
/_pdfType0WidthProc
{
dup stringwidth 0 0 moveto
2 index true charpath pathbbox
0 -1
7 index 2 div .88
setcachedevice2
pop
0 0
} bd
/_pdfType0WMode1WidthProc
{
dup stringwidth
pop 2 div neg -0.88
2 copy
moveto
0 -1
5 -1 roll true charpath pathbbox
setcachedevice
} bd
/_pdfBoldBaseFont
11 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/Encoding cHexEncoding def
/_setwidthProc /_pdfBoldRomanWidthProc load def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
pdf_has_composefont?
{
/_pdfBoldBaseCIDFont
11 dict begin
/CIDFontType 1 def
/CIDFontName /_pdfBoldBaseCIDFont def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_setwidthProc /_pdfType0WidthProc load def
/_bcstr2 2 string def
/BuildGlyph
{
exch begin
_basefont setfont
_bcstr2 1 2 index 256 mod put
_bcstr2 0 3 -1 roll 256 idiv put
_bcstr2 dup _setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
/_pdfDefineIdentity-H
{
/Identity-H /CMap PDFText /pdf_resourcestatus get exec
{
pop pop
}
{
/CIDInit/ProcSet findresource begin 12 dict begin
begincmap
/CIDSystemInfo
3 dict begin
/Registry (Adobe) def
/Ordering (Identity) def
/Supplement 0 def
currentdict
end
def
/CMapName /Identity-H def
/CMapVersion 1 def
/CMapType 1 def
1 begincodespacerange
<0000> <ffff>
endcodespacerange
1 begincidrange
<0000> <ffff> 0
endcidrange
endcmap
CMapName currentdict/CMap defineresource pop
end
end
} ifelse
} def
} if
/_pdfVerticalRomanT3Font
10 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_pdfType0WidthProc
moveto
show
end
}bd
currentdict
end
def
Level2? {setglobal} if
/MakeBoldFont
{
dup /ct_SyntheticBold known
{
dup length 3 add dict begin
CopyFont
/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
/ct_SyntheticBold true def
currentdict
end
definefont
}
{
dup dup length 3 add dict
begin
CopyFont
/PaintType 2 def
/StrokeWidth .03 0 FontMatrix idtransform pop def
/dummybold currentdict
end
definefont
dup /FontType get dup 9 ge exch 11 le and
{
_pdfBoldBaseCIDFont
dup length 3 add dict copy begin
dup /CIDSystemInfo get /CIDSystemInfo exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefont exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefonto exch def
currentdict
end
/CIDFont defineresource
}
{
_pdfBoldBaseFont
dup length 3 add dict copy begin
/_basefont exch def
/_basefonto exch def
currentdict
end
definefont
}
ifelse
}
ifelse
} bd
/MakeBold {
1 index
_pdf_FontDirectory 2 index 2 copy known
{get}
{exch pop}
ifelse
findfont
dup
/FontType get 0 eq
{
dup /WMode known {dup /WMode get 1 eq }{false} ifelse
version length 4 ge
and
{version 0 4 getinterval cvi 2015 ge }
{true}
ifelse
{/_pdfType0WidthProc}
{/_pdfType0WMode1WidthProc}
ifelse
_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
{MakeBoldFont} Type0CopyFont definefont
}
{
dup /_fauxfont known not 1 index /SubstMaster known not and
{
_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
MakeBoldFont
}
{
2 index 2 index eq
{ exch pop }
{
dup length dict begin
CopyFont
currentdict
end
definefont
}
ifelse
}
ifelse
}
ifelse
pop pop
dup /dummybold ne
{/_pdf_FontDirectory exch dup _safeput }
{ pop }
ifelse
}bd
/MakeItalic {
_pdf_FontDirectory exch 2 copy known
{get}
{exch pop}
ifelse
dup findfont
dup /FontInfo 2 copy known
{
get
/ItalicAngle 2 copy known
{get 0 eq }
{ pop pop true}
ifelse
}
{ pop pop true}
ifelse
{
exch pop
dup /FontType get 0 eq Level2? not and
{ dup /FMapType get 6 eq }
{ false }
ifelse
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1Type0 }
{ _italMtxType0 }
ifelse
}
{ pop pop _italMtxType0 }
ifelse
}
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1 }
{ _italMtx }
ifelse
}
{ pop pop _italMtx }
ifelse
}
ifelse
makefont
dup /FontType get 42 eq Level2? not or
{
dup length dict begin
CopyFont
currentdict
end
}
if
1 index exch
definefont pop
/_pdf_FontDirectory exch dup _safeput
}
{
pop
2 copy ne
{
/_pdf_FontDirectory 3 1 roll _safeput
}
{ pop pop }
ifelse
}
ifelse
}bd
/MakeBoldItalic {
/dummybold exch
MakeBold
/dummybold
MakeItalic
}bd
Level2?
{
/pdf_CopyDict
{1 index length add dict copy}
def
}
{
/pdf_CopyDict
{
1 index length add dict
1 index wcheck
{ copy }
{ begin
{def} forall
currentdict
end
}
ifelse
}
def
}
ifelse
/pdf_AddEuroGlyphProc
{
currentdict /CharStrings known
{
CharStrings /Euro known not
{
dup
/CharStrings
CharStrings 1 pdf_CopyDict
begin
/Euro pdf_EuroProcSet 4 -1 roll get def
currentdict
end
def
/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
/pdf_PathOps /pdf_PathOps load def
/Symbol eq Encoding 160 get /.notdef eq and
{
/Encoding Encoding dup length array copy
dup 160 /Euro put def
}
if
}
{ pop
}
ifelse
}
{ pop
}
ifelse
}
def
Level2? {currentglobal true setglobal} if
/pdf_PathOps 4 dict dup begin
/m {moveto} def
/l {lineto} def
/c {curveto} def
/cp {closepath} def
end
def
/pdf_PSBuildGlyph
{
gsave
8 -1 roll pop
7 1 roll
currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
dup 9 1 roll
{
currentdict /StrokeWidth 2 copy known
{
get 2 div
5 1 roll
4 -1 roll 4 index sub
4 1 roll
3 -1 roll 4 index sub
3 1 roll
exch 4 index add exch
4 index add
5 -1 roll pop
}
{
pop pop
}
ifelse
}
if
setcachedevice
pdf_PathOps begin
exec
end
{
currentdict /StrokeWidth 2 copy known
{ get }
{ pop pop 0 }
ifelse
setlinewidth stroke
}
{
fill
}
ifelse
grestore
} def
/pdf_EuroProcSet 13 dict def
pdf_EuroProcSet
begin
/Courier-Bold
{
600 0 6 -12 585 612
{
385 274 m
180 274 l
179 283 179 293 179 303 c
179 310 179 316 180 323 c
398 323 l
423 404 l
197 404 l
219 477 273 520 357 520 c
409 520 466 490 487 454 c
487 389 l
579 389 l
579 612 l
487 612 l
487 560 l
449 595 394 612 349 612 c
222 612 130 529 98 404 c
31 404 l
6 323 l
86 323 l
86 304 l
86 294 86 284 87 274 c
31 274 l
6 193 l
99 193 l
129 77 211 -12 359 -12 c
398 -12 509 8 585 77 c
529 145 l
497 123 436 80 356 80 c
285 80 227 122 198 193 c
360 193 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-BoldOblique /Courier-Bold load def
/Courier
{
600 0 17 -12 578 584
{
17 204 m
97 204 l
126 81 214 -12 361 -12 c
440 -12 517 17 578 62 c
554 109 l
501 70 434 43 366 43 c
266 43 184 101 154 204 c
380 204 l
400 259 l
144 259 l
144 270 143 281 143 292 c
143 299 143 307 144 314 c
418 314 l
438 369 l
153 369 l
177 464 249 529 345 529 c
415 529 484 503 522 463 c
522 391 l
576 391 l
576 584 l
522 584 l
522 531 l
473 566 420 584 348 584 c
216 584 122 490 95 369 c
37 369 l
17 314 l
87 314 l
87 297 l
87 284 88 272 89 259 c
37 259 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-Oblique /Courier load def
/Helvetica
{
556 0 24 -19 541 703
{
541 628 m
510 669 442 703 354 703 c
201 703 117 607 101 444 c
50 444 l
25 372 l
97 372 l
97 301 l
49 301 l
24 229 l
103 229 l
124 67 209 -19 350 -19 c
435 -19 501 25 509 32 c
509 131 l
492 105 417 60 343 60 c
267 60 204 127 197 229 c
406 229 l
430 301 l
191 301 l
191 372 l
455 372 l
479 444 l
194 444 l
201 531 245 624 348 624 c
433 624 484 583 509 534 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-Oblique /Helvetica load def
/Helvetica-Bold
{
556 0 12 -19 563 710
{
563 621 m
537 659 463 710 363 710 c
216 710 125 620 101 462 c
51 462 l
12 367 l
92 367 l
92 346 l
92 337 93 328 93 319 c
52 319 l
12 224 l
102 224 l
131 58 228 -19 363 -19 c
417 -19 471 -12 517 18 c
517 146 l
481 115 426 93 363 93 c
283 93 254 166 246 224 c
398 224 l
438 319 l
236 319 l
236 367 l
457 367 l
497 462 l
244 462 l
259 552 298 598 363 598 c
425 598 464 570 486 547 c
507 526 513 517 517 509 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-BoldOblique /Helvetica-Bold load def
/Symbol
{
750 0 20 -12 714 685
{
714 581 m
650 645 560 685 465 685 c
304 685 165 580 128 432 c
50 432 l
20 369 l
116 369 l
115 356 115 347 115 337 c
115 328 115 319 116 306 c
50 306 l
20 243 l
128 243 l
165 97 300 -12 465 -12 c
560 -12 635 25 685 65 c
685 155 l
633 91 551 51 465 51 c
340 51 238 131 199 243 c
555 243 l
585 306 l
184 306 l
183 317 182 326 182 336 c
182 346 183 356 184 369 c
614 369 l 644 432 l
199 432 l
233 540 340 622 465 622 c
555 622 636 580 685 520 c
cp
750 0 m
}
pdf_PSBuildGlyph
} def
/Times-Bold
{
500 0 16 -14 478 700
{
367 308 m
224 308 l
224 368 l
375 368 l
380 414 l
225 414 l
230 589 257 653 315 653 c
402 653 431 521 444 457 c
473 457 l
473 698 l
444 697 l
441 679 437 662 418 662 c
393 662 365 700 310 700 c
211 700 97 597 73 414 c
21 414 l
16 368 l
69 368 l
69 359 68 350 68 341 c
68 330 68 319 69 308 c
21 308 l
16 262 l
73 262 l
91 119 161 -14 301 -14 c
380 -14 443 50 478 116 c
448 136 l
415 84 382 40 323 40 c
262 40 231 77 225 262 c
362 262 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-BoldItalic
{
500 0 9 -20 542 686
{
542 686 m
518 686 l
513 673 507 660 495 660 c
475 660 457 683 384 683 c
285 683 170 584 122 430 c
58 430 l
34 369 l
105 369 l
101 354 92 328 90 312 c
34 312 l
9 251 l
86 251 l
85 238 84 223 84 207 c
84 112 117 -14 272 -14 c
326 -14 349 9 381 9 c
393 9 393 -10 394 -20 c
420 -20 l
461 148 l
429 148 l
416 109 362 15 292 15 c
227 15 197 55 197 128 c
197 162 204 203 216 251 c
378 251 l
402 312 l
227 312 l
229 325 236 356 241 369 c
425 369 l
450 430 l
255 430 l
257 435 264 458 274 488 c
298 561 337 654 394 654 c
437 654 484 621 484 530 c
484 516 l
516 516 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Italic
{
500 0 23 -10 595 692
{
399 317 m
196 317 l
199 340 203 363 209 386 c
429 386 l
444 424 l
219 424 l
246 514 307 648 418 648 c
448 648 471 638 492 616 c
529 576 524 529 527 479 c
549 475 l
595 687 l
570 687 l
562 674 558 664 542 664 c
518 664 474 692 423 692 c
275 692 162 551 116 424 c
67 424 l
53 386 l
104 386 l
98 363 93 340 90 317 c
37 317 l
23 279 l
86 279 l
85 266 85 253 85 240 c
85 118 137 -10 277 -10 c
370 -10 436 58 488 128 c
466 149 l
424 101 375 48 307 48 c
212 48 190 160 190 234 c
190 249 191 264 192 279 c
384 279 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Roman
{
500 0 10 -12 484 692
{
347 298 m
171 298 l
170 310 170 322 170 335 c
170 362 l
362 362 l
374 403 l
172 403 l
184 580 244 642 308 642 c
380 642 434 574 457 457 c
481 462 l
474 691 l
449 691 l
433 670 429 657 410 657 c
394 657 360 692 299 692 c
204 692 94 604 73 403 c
22 403 l
10 362 l
70 362 l
69 352 69 341 69 330 c
69 319 69 308 70 298 c
22 298 l
10 257 l
73 257 l
97 57 216 -12 295 -12 c
364 -12 427 25 484 123 c
458 142 l
425 101 384 37 316 37 c
256 37 189 84 173 257 c
335 257 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
end
Level2? {setglobal} if
currentdict readonly pop end
%%EndResource
PDFText begin
[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
/hungarumlaut/ogonek/caron
0 TE
[1/dotlessi/caron 39/quotesingle 96/grave 
127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
/ucircumflex/udieresis/yacute/thorn/ydieresis
1 TE
end
%%BeginResource: procset pdfasc.prc 6.0 1
%%Copyright: Copyright 1992-2003 Adobe Systems Incorporated. All Rights Reserved.
/ASR {
13 dict begin
/mirV? exch def
/mirH? exch def
/center? exch def
/autorotate? exch def
/angle exch def
/shrink exch def
/Pury exch def
/Purx exch def
/Plly exch def
/Pllx exch def
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury 0 eq Durx 0 eq and Dlly 0 eq Dllx 0 eq and and
{ shrink 0 gt { GClipBBox } { GPageBBox } ifelse }
{ ITransDBBox }
ifelse
/PHt Pury Plly sub def
/PW Purx Pllx sub def
/DHt Dury Dlly sub def
/DW Durx Dllx sub def
angle 90 eq angle 270 eq or
{
PHt /PHt PW def /PW exch def
} if
autorotate? PHt PW ne and DHt DW ne and
{
DHt DW ge
PHt PW ge
ne
{ /angle angle 90 add def
PHt /PHt PW def /PW exch def
}
if
} if
angle 0 ne
{
/angle angle 360 mod def
angle rotate
angle 90 eq
{ 0 DW neg translate }
if
angle 180 eq
{ DW neg DHt neg translate }
if
angle 270 eq
{ DHt neg 0 translate }
if
} if
center?
{
ITransBBox
Durx Dllx add 2 div Dury Dlly add 2 div
Purx Pllx add -2 div Pury Plly add -2 div
3 -1 roll add exch
3 -1 roll add exch
translate
}
{
ITransBBox
angle 0 eq
{Dllx Pllx sub Dury Pury sub}
if
angle 90 eq
{Durx Purx sub Dury Pury sub}
if
angle 180 eq
{Durx Purx sub Dlly Plly sub}
if
angle 270 eq
{Dllx Pllx sub Dlly Plly sub}
if
translate
}
ifelse
mirH? mirV? or
{
ITransBBox
mirH?
{
-1 1 scale
Durx Dllx add neg 0 translate
} if
mirV?
{
1 -1 scale
0 Dury Dlly add neg translate
} if
} if
shrink 0 ne
{
ITransBBox
Dury Dlly sub Pury Plly sub div
Durx Dllx sub Purx Pllx sub div
2 copy gt { exch } if pop
shrink 1 eq
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{
shrink 2 eq 1 index 1.0 lt and
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{ pop }
ifelse
}
ifelse
} if
end
} [/autorotate? /shrink? /mirH? /mirV? /angle /Pury /Purx /Plly /Pllx /Durx /Dury /Dllx /Dlly /PW /PHt /DW /DHt
/Devurx /Devury /Devllx /Devlly /pdfHt /pdfW]
bld
/GClipBBox
{
gsave newpath clippath pathbbox newpath grestore
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
ITransDBBox
} [/Durx /Dury /Dllx /Dlly]
bld
/GPageBBox
{
{
currentpagedevice /PageSize get aload pop
/Devury exch def /Devurx exch def
/Devllx 0 def /Devlly 0 def
ITransBBox
}
stopped
{ GClipBBox }
if
} [/Devurx /Devury /Devllx /Devlly ]
bld
/ITransDBBox
{
Durx Dury transform matrix defaultmatrix itransform
/Devury exch def
/Devurx exch def
Dllx Dlly transform matrix defaultmatrix itransform
/Devlly exch def
/Devllx exch def
Devury Devlly lt {/Devlly Devury /Devury Devlly def def} if
Devurx Devllx lt {/Devllx Devurx /Devurx Devllx def def} if
} [/Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
/ITransBBox
{
/um matrix currentmatrix matrix defaultmatrix matrix invertmatrix matrix concatmatrix def
Devllx Devlly um itransform
Devurx Devury um itransform
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury Dlly lt {/Dlly Dury /Dury Dlly def def} if
Durx Dllx lt {/Dllx Durx /Durx Dllx def def} if
} [ /um /Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
%%EndResource
currentdict readonly pop
end end
/currentpacking where {pop setpacking}if
PDFVars/DocInitAll{[PDF PDFText]{/docinitialize get exec}forall }put
-PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
-PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
-PDFVars begin PDF begin
PDFVars/DocInitAll get exec PDFVars/InitAll get exec

[/NamespacePush PDFMark5
[/_objdef {Metadata_In_EPS} /type /stream /OBJ PDFMark5
[{Metadata_In_EPS} 17988 (% &end XMP packet& %) ReadByPDFMark5
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
-<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1-701">
-   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
-      <rdf:Description rdf:about=""
-            xmlns:xap="http://ns.adobe.com/xap/1.0/"
-            xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
-         <xap:CreateDate>2005-05-26T09:00:06+01:00</xap:CreateDate>
-         <xap:ModifyDate>2005-05-26T09:00:06+01:00</xap:ModifyDate>
-         <xap:MetadataDate>2005-05-26T09:00:06+01:00</xap:MetadataDate>
-         <xap:Thumbnails>
-            <rdf:Alt>
-               <rdf:li rdf:parseType="Resource">
-                  <xapGImg:width>196</xapGImg:width>
-                  <xapGImg:height>256</xapGImg:height>
-                  <xapGImg:format>JPEG</xapGImg:format>
-                  <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgBAADEAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9U4q7FXYq7FXYq7FXYq7&#xA;FXYq7FUJdaxpFozrdX1vbtEOUiyyohUEVq3Iim2KsV1X86vyn0q8+p33mnT0uaAlEmEoWppRmi5q&#xA;p9icVRFl+bn5W3ppbebdIZq0CNewIx77K7qTirJbLUtOv4vVsbqG7i/35BIsi/epI7YqiMVdirsV&#xA;dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVUL6+stPs576+njtbO2Rpbi4lYJGiKKszM1AA&#xA;Bir48/PH/nKbVddkufL3kmZ9P0VHKTazC7pcXaDp6dVjeGM9/wBpvECoKr55nnnuJmmnkaaZzV5J&#xA;GLMT7k7nFVPFXYqvjllicPG7I46MpIP3jFX0h+Rv/OVV3oy2vlvz073mlhkhtNaO81tHTiBOAKyx&#xA;jb4vtAV+1sAq+vLS7tby1hu7SZLi1uEWWCeJg6OjiqsrCoIINQRiqrirsVdirsVdirsVdirsVdir&#xA;sVdirsVdirsVdirsVU7q6t7S2murmRYba3RpZ5nIVURByZmJ6AAVOKvgX86vz+8y/mLcvpyUsPK9&#xA;vMzWthFUNMFY+nLcsT8TU6L9keFd8VeU4q7FXYq7FXYq7FXrP5Lf85BeZfy7u4rC5Z9S8qO/+kaa&#xA;5q0IY/FJbMfst3KfZb2PxBV96aff2eoWNvf2Uq3FndxpPbTpurxyKGRh7EGuKq+KuxV2KuxV2Kux&#xA;V2KuxV2KuxV2KuxV2KuxV2Kvm3/nMj8yf0doVl5I0+cpe6qfrWqemxBWzQlUjanaaTf5J74q+PcV&#xA;dirsVZn+Ulh5S1bzvp2heZ7KW6stamTT4ZoJmhkt57hvTilAAIejsuzbUxVIPNGgXfl3zJqmg3ZB&#xA;udLuprSVhUBjC5TktezUqPbFUrxV2KuxV9U/84jfnMicfy7124oCWfy7cSHap+J7Sp8d3j+lf5Ri&#xA;r6rxV2KuxV2KuxV2KuxV2K
uxV2KuxV2KuxV2KpL5y826P5R8s3/mLV5PTsbCIyMB9p3OyRIO7yOQ&#xA;q+5xV+cPnbzfq3nDzTqPmPVWreahKZCgJKxoBxjiSv7MaAKPliqR4q7FXYqynQobvy7pVt5zpwu2&#xA;ung8vVA2uLZUeW6oev1f1Y+Hi5r+wQVWXf8AOSVtHP58s/NFugSz83aVY6xDw+yGkhEbr/rcoqn5&#xA;4q8smglhZVlUozKrgHrxdQyn6VIOKqeKuxVUt7i4triK5t5GhuIXWSGaMlXR0NVZWG4IIqDir9Hv&#xA;ye85v5y/LXQfMEzc7y4txHfseIJurdjDO3FaBeckZcDwIxVmWKuxV2KuxV2KuxV2KuxV2KuxV2Ku&#xA;xV2Kvkv/AJzJ/M6O5vLX8vrBqrZOl9rMg/36yVgh/wBiknNvmvhir5fxV2KuxV2KssS91XzN5f0n&#xA;R7i5htrHy4s6WjG2uGVY7mUTSM8ltHOW+Mknkop79lUdq3myzk8s6PoepX0fmBdA9b9ERwQSQwxr&#xA;cNzZJrmYRTyIGA/diIezjuqx3RbD/EfmGO1vdSt9Ne9ZuV/dLIIEahIDCBJCi7U2XivsMVVtV8j+&#xA;ZtN1HU7CWzaeTSYxc3ctsRNF9VfjwuUdK8oHDqRINqEYqkOKuxV9T/8AOEvm+b19f8oTOWiKLqtk&#xA;hOylSsFxT/W5Rfdir6txV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+dn/OQEc0f5zebFm+2b0sKmvw&#xA;sisn/CkYq8+xVdGzJIrJ9pSCu1dx02OKphHf3FlLdmaIPqMxZJ/rUMUvA8wzHjMkhDkrSooRv44q&#xA;l7uXcuaAsakKAo+gCgGKu5vw4cjwry412r0rTFVuKpx5U82+YPKetwa3oF2bPUreojmCo44tsysr&#xA;hlIPuMVereUfPWkebPNI1vUoZNP83RIy2CWFzHHZTllIeL6lcgJwn5MJY0mJk5HjGSd1WC655GvE&#xA;0LUdej0u80tLO+kje1uUk9P6s0npgxSOkfJreUiKUHf4l2HxYqwvFXsf/OJd1ND+demRxmi3NteR&#xA;SjfdRA0n/Eoxir7xxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV8I/85W+T9W0T81r3VrleWneYAl1Y&#xA;XABAJjjSKWI/5SMtfkQe+KvGcVZPoF5DZQwQaDaS6h5vvnCW9wqFza8jRUtIhyL3D/78I+D9gcvj&#xA;CrpvLuiaSSfMWqerf9W0rTClxKrdStxdE/V4j/qeqwOzKuKqLeZNGtiV0vy9aRgGsdxfvLe3FPBq&#xA;mK1b/pHGKpheav5/tNGsNbl0+Gx0m+dhp+oQ6XZW0UskJ4twkigQMVK/gffFVC085+eL644wcdQm&#xA;RCfTawtbqiVAJ4PDIKVp2xVVn83SLK0fmLyrpd0zVBH1NtLkX3Qae1mgI/ykI9sVXppHkHXlZdGv&#xA;5tA1Q/3Om6u6TWkrfypqEawiIk9PXiVB3kxVXvvzA876fpd35V8wRfWFMfpFL5G9eMenwjdXqCaR&#xA;misa1SgqVCcVWDYq+gv+cM/KdzqH5g3vmNoyLHRbR0WWmxubr92iiv8AxUJCae3jir7SxV2KuxV2&#xA;KuxV2KuxV2KuxV2KuxV2KuxV59+ef5aw+f8A8v77S44wdXtQbvR5Nqi5jU0jqeiyiqH517Yq/PK7&#xA;tLuzuZLW7hktrqFik0EqlJEYdVZWAIPzxVlfk3TvPV1omqL5Z0+5mjuf9GurqwtJLi7kBXk1qjxh&#xA;nSMr8UvGlV2avwrirDyCDQ9cVaxV9earfeX/AD1/ziJLHokEa3fl+ztjcWEZ5PbT2Mi+s5WvICSE&#xA;SOCf2W8a4qy/8j/JWhflL+V36e8xEWmqakkd3q87IzSxq/8AcWqogZyUDbqoqXJ9sVXat/zkV5Xl&#
xA;Etrd+RvM97p4DetJJpKGFlHfhLKPhpWvIDFWGP5M/wCcbPzhaa18tP8A4X828WZbVIvqcvJQT8Vm&#xA;37iUDq3pHl4kYq8J/MzQvOPkhT5E81W8V2tq63OhaoKsyQMWDrbymjGCQ/aib7LiopvyVYRo2j6l&#xA;rOq2mk6ZA1zqF9KkFrAnVpHNAN9h7k7DFX6M/lT5As/IfkbTfLsHB7iBPU1C5RQPWupDylcmgJFT&#xA;xWu/EAdsVZdirsVdirsVdirsVdirsVdirsVdirsVdirsVeO/np/zjxpH5ir+mNPlGm+aoIvTS441&#xA;hulX7EdwBQ1HRZBuBseQAAVY15wsLj8tP+cUUsdLpZaleWtqmoSqQJDPqDIbujKd24syA/yj2xV8&#xA;ZYquRijqwpVSCKgEbeINQcVegeV/zH1HRbN7+0jexWCL9HzjTHgtnm+tCRubNNb3dKLGwIWgrxIp&#xA;TdVOfNH5x+aG8vWMa6zeapJrMUlxNb6s0V9HZxpNJbJGqtDHFJM/os5kMfwqyhaMC2KvNv8AEvmP&#xA;iqDVLsIgoiCeQKorWiqGoBU9BiqZ6J5+1+w1jT9QvLiTUxp80U0C3MjPJH6Th19CYkyQkEVHAgeI&#xA;I2xV9k/85G+SE/ML8qYNU0O0e+1a0Nvf6MsSVmlhuSqyRgdaNG4cjxUYqnH5O/kN5U/LqxjuFiXU&#xA;PMkihrjVp0UyRlk4tHb9fSTcg0NW7mlAFXp2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KsX/M&#xA;Typb+cvKmr+WJ/Ui+tWvK2uEd4wJ/i9OvEryCOqllO24rir5k832M+pf84eeWLm3eV10W+P16Loq&#xA;f6TcW9XG5+B5FVd6Ubp0oq+bsVV7GxvL+8hsrKFri6uGEcMMYqzMegAxVPNG8lapqepaDp0UsRfz&#xA;DfmxtVR+dCkqQ+s1NuHKRuJ/yT2xV7f/AM5P/lpo+m61olj5f0+HT/UsKaXBBGkQupbeQi5gHAAN&#xA;NxeKRB1clxuzKMVfNxBBoeuKs6/I/wAm2PnH80dC0LUBy0+WV57yM/txW0bTtHtvST0+B+eKv0YR&#xA;FRQiAKqgBVAoAB0AGKt4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FWG/m5ba5f+QtU0fy9O&#xA;IPMWrRNa6T+89FpJOJlljSTYKzQRSUqRirxjzTp2s+Wf+cV9GTTLF5Y7edZPNVpctUywyyTJeB6c&#xA;WKtcOvGnxKtGrVeWKvkq8+p/WpfqfqfVSxMIm4+oFPQMV+EkdKiletB0xVOvJNrq2qa9aeXNKmW1&#xA;utfni083R2ZUuHEbLzHxBG5fGF+0Num2KvTxZflV5R/OXyM/lXzC2oaRY3UUGtXsrMpju4rgiSQl&#xA;0RBA4kXdKrQN8R64q+oPzs/Law/MjylPolvcxQ+YNPKX2lylhWORuSoJKVdYpgrLXxFd+NMVfH3k&#xA;fyHrX5qX99bQWZk1ewCm81i0ltqPy5KslxBNLAJizJQzQtX9p1dmrir3H8nf+cVfMfk7zxYeaNX1&#xA;62I0wu8FtYq7tKZI2iZXeVUCLxc1oGr7dcVfQHmmbzLDoF5L5Zt7a61xE5WVveu8cDsDuGZATuK0&#xA;6CvUgb4qmFp9ZNrCbrj9Z4L6/pghPUoOXEEsaV6b4qq4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7&#xA;FXYqhr+OExLcSQxSyWjevC03ECNgrIzq7A8G9N2FfAkdCcVY7+arWY/LjzDBdSQwxXllJYRPckrC&#xA;Jr0fVoAzKG4gyyqOVNuuKvzev9PvtPuntL+3ktbqMKXgmRo3AdQ6kqwB+JWBHtirKPyj84aV5O/M&#xA;TRvMWq2f16wsZSZohQuodGj9VAdi8XLmo8R1HXFUNe+c7i3896n5j
0ZY7aG61CS7js1QLbtD9aFz&#xA;HA8WwMVUSqHwxV9H+Uf+cpPL3mHzvpmo67b23li3tIHtri6a4mkknE0bM8ZRLZ0aJZ0jK8nRl6gm&#xA;rLirHpb/AEr8t/8AnI2180WHmGwufKvmh5prx4J4z6NvdDnJHcRRfEgSXi8fw/FQd+QxV9DWf55/&#xA;k/dsFi83aapJ4/vp1gFfnLw298VZDa+b/LF/Zz3Wl6rZ6kkEbSv9UuIpvhVS3+62bsMVfPX5u/m7&#xA;p+h/85H+VlkvJhpXl+MQa0sUhWJZL1XDMyfErCKOVHbavbrir6dVlZQykFSKgjcEHFXYq7FXYq7F&#xA;XYq7FXYq7FXYq7FXYq7FXYq7FXYqxT8x/I9t5t8jX/lZQIIL94C/CihQl1HcOwp3+AnFXxX/AM5P&#xA;3i3H51a7FH/cWSWlrCKUoI7SIsN/B2bFXlWKuxV2KuxV2Krkd0dXRirqQVYGhBHQg4qqyy3l9dmS&#xA;V5Lq8uH+J2LSSSOx7k1ZmJxV+lX5bWmr2f5e+W7PWUMeqW2mWkN5G32lkSFVIev7Qp8XvirI8Vdi&#xA;rsVdirsVdirsVdirsVdirsVdirsVdirsVdir4V/5yw8rxaN+aN3fNMz3GuEXqRFRwW3EMMKHkP2m&#xA;njnBWmyhT3xV4rirsVfan5A3v5Wee9Nt77TPLWl6P5s0BYk1KJLKIpIkoIMsdQGPMoaNyLIaAkg0&#xA;ZV7TqHk7yhqKenqGh6feJSnC4tYZRQ+zqcVYnd/84+fkzdyyyS+VbNTLx5LD6kCjia/CImTjXvTF&#xA;XWP5Cfk9psqG18oWMwlLJIbgNchFZCeVLhpe6gCm4rXFU90P8sfy70K8F9o/lvTrK9X7F1FbRCVf&#xA;9R6cl+g4qybFXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYqw+H82/y59F3u/Mem2kkd5PYtDN&#xA;dwpIJIbl7fdCwYBinIGlOPxdN8VYj/zkZ+UN7+ZXlSxk0OWM61pDvPYI7AR3EU6qJIg/RWbghVjt&#xA;tQ0rUKvhC9sryxupLS9gktrqE8ZYJVKOp8GVqEYqyC68jXkH5cWHnbkxtbzVLjS3jK0CmKGOWJw3&#xA;fn+9B8OH3Kvf/wDnB7R3Nz5r1lgwjRLSziNDwYsZJJN+lV4p9+Kvq7FXYqhZNV0yPUYdMku4U1G4&#xA;jaaCyaRRM8aEB3SMnkyrXcgYqisVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir5R/wCcqPz3&#xA;1OK/vfy78vSG2hiCLreoxSfHL6iBzaoV+woDUk3qfs7CtVXzNqemyWDW0coIlnt4rkg9lnX1I6fO&#xA;NlOKs6/LL8+vzA/L944NPu/r2iqfj0e8LSQAE1PpGvKE7k/AaV6g4qs/PL8wfL3n/wA3W3mbSLGX&#xA;T57mwhj1a3mKt/pcTOlVdftr6IjAag6dMVZnN54/LuT/AJxVs/KV3chvNMV3LNaWUQZpFmF48nrS&#xA;GnFVNvKU3O/b2VeqfkB+Z35NeTvyy03SbjzLbwanLyu9UjmSRGW5npyXZKNwVVStT0xVluvf85Sf&#xA;lJp3GHTr248wahIeMNjplvJI7M32RzkEUe5/lYn2xV5X+YP/ADkF+Zs0Ekk5t/IWnKCYtNZhc65c&#xA;kUIj9IgNbq21XdI6CtGcjjiry382tH1Ox0zyx5w1S4ZfNfnF7/XbwRsw9C3neFrOOMliyqELFR+z&#xA;Xj2xV9Hf84y/njL540xvLWtKF8waNbRlbovU3kCngZCp3EifDz61rXbpir3TFXYq7FXYq7FXYq7F&#xA;XYq7FXYq7FXYqxzVvzI/L3R5ZYNU8zaXZXEAJltpryBJhxFSPSL86+wFcVeRa3/zmh+W9nPJDpmn&#xA;alqnAkCcJFBC9DsVLuZKH3QYq8h8
1f8AOYP5napNdxaOtpo1hLzS39KIyXKRtUKWlkZ19QA/aVRv&#xA;2xV4ZNNNPNJNNI0s0rF5ZXJZmZjVmZjuST1OKsn/ADLdW80qEUKkWmaRCgWtOMOlWsYO++4WuKpd&#xA;r3lDzDoNnpV9qdo0Flrdst5plzUNHNE1OjKTRlr8SncbdiMVTP8ALb8s/M/5h6+dF0BIhLHE09xd&#xA;XLMlvDGu1ZGRZG+JiAAFJP34qlnmW08vWV59S0mW4uXtgsV3dSlBFJOg4zGBVAb0uY+AsaleoGKv&#xA;Yfyf/LP8h/Pept5dGo+YG1z6qbgTsttb27FaCQIqrcspQmvxtQj32xV6j5Y/5w08vaVe3E975p1O&#xA;eGQFIorEJYNwPVJpKzmQU8AuKpp54/KL8mvy3/LbzHrcOjRG/XT7i3tb29d7mY3NzGYYeAlZkRzI&#xA;4+JFBAqcVfG2v+add8wfo/8AS1011+irOLTrHlQenbQV9NBTwr16nFVnlvzHrPlrXLPXNGuWtNSs&#xA;ZBLBMviOqsOjKw2ZTsRscVe5+RP+cx/O2n6kF84wx61pT19R7eKO3uozTYpw4RMPFWH04q9g0H/n&#xA;L78pdW1KCxlXUtL9dxGtzewRCEM2w5NBNOVFe5FB32xV61Y+avK9/fGwsdYsbu+UFjaQXMUkoAFS&#xA;fTVi34YqmmKuxV2KuxV2KrZJI4o2kkYJGgLO7EBQoFSST0AxV8yeaP8AnNvSre+9Hy15dlvrVKh7&#xA;q+mW3LMCR8EUQn+GlCGLA/5IxVhXmH/nND8xb74NF06w0eIqAXZXupg9TUhnKR0pTYxn54q8r1z8&#xA;2/zO1yd5tT8z6lKXrWJLh4Yd9jSGExxr9C4qxIkk1PXFWsVdirsVR2sarNql4t3MKSCC2tz7i2t0&#xA;gB+ZEVcVZf5g/N7VvMH5d6X5I1TTrN7bQzF+idRhDx3MYjUoVkJZ1dXRqEALuAe2KvYY721/KD/n&#xA;Gm1nsXEfm/8AMBFlSdac1gmTkHX/ACYbaQAeEklcVfMOKvpL/nC9vLFl5h1i+1LUba21m8jj0/SL&#xA;OWVEllUsJJ+CsaklhEFp13p0OKvd/wA2/wA/PJv5bqLS9Emo69LH6tvpNvQNxNQrTSmqxKSPdvBT&#xA;ir40/NT86fOP5kXqNq8q22l27FrPSbeogjJ25tXeSSm3JvoArirAcVdirsVdiqM0rV9V0e/i1DSb&#xA;yfT7+Cvo3drI8MqcgVbi6FWFVJB9sVZ75c/5yJ/N/QruW5j8w3GoGWMxmHUna7jWpB5oshPFhTqM&#xA;Veh+Vf8AnNTznYiRPMmj2uspxPoyW7GylD7fbPGdCvyQH3xV7B+U3/OUPlPz5q6aHeWUmg61PX6n&#xA;DLKs8E5ArwSYLEfU60VkFexJ2xV7RirsVfOX/OTH/OQNjo1jrH5f6Ikr69cRC21G9+EQwQ3Eas6o&#xA;QSzSNG/HoONetcVfHGKuxV2KuxV2KuxV2KuxV2Kp/wCbPOuteZxpCai6+homnW2lafCgoqQWsYQH&#xA;3ZyOTH+AGKpBirasVIZSQwNQR1BxVk3mPXb7zVYW2qXvqXOtaZCttqd6QWM1qhWO1nmbf94vP0WY&#xA;9R6f7VSVWMYq7FXYq7FXYq7FXYq7FVayvLqxvIL20laC7tZEmt5kNGSSNgyMp8VYVGKv0A/KX8/P&#xA;JXn6xtrZbxLHzL6ai60m4IjdpAo5Nbk/DKpNaBTyA6gYq9OxV+V0sss0ryyu0kshLPI5LMzHckk7&#xA;k4qsxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvQfyMg0O78+rYeYruK08uXun6hDrLzOI1Nv9UkccS37&#xA;aSoki9wVBHTFWL+bJvLT6uY/LkDxaXbxxwJPKWMlzIgpJcsrE8PVepVB9laDrU4qk2KuxV2Ksz0P&#xA;8n/
zC1vzRe+VrDS+WvafbLeXVlJNDEVhcRsrc3dUPIToR8XfFUfqn/OP35y6YrNdeVbsqgJZrcxX&#xA;IAFCTWB5B3xVjF/5I856cgkv9B1G0jIDB57SeNSpFQQzIAQRvXFUlZWVirAqymjKdiCOxxVrFW1Z&#xA;lYMpKspqrDYgjuMVfTX+OPOP/QpX6W/TV7+lP0p9T+v+vJ6/1flw9P1a8+PHbrir5kxV2KuxV2Ku&#xA;xV2KuxV2KuxV2Kq5tSLNLr1YyGkaIwhv3q8VDciv8rctj7HFVDFXYq2CR0xVrFXYq7FXYq+t/wAs&#xA;tdsovzt8tSu6CfzL5V0qUuxCfHFYOjxiv2iXhGw8PbFXrP59WNzc+QGlW1e/06wv7G+1vTYuXK50&#xA;62uFkuouK/aHAciPAYqgNMn8p2eqQ3XkXWoLfy9q7wNq8OmejJb2S+hciG4RSskNsJ5RHHICm7KN&#xA;geZxVX/T6a1bSXGvaRYXsNu1nGltNbCV7q3urlrM3UJkLcUeQF4k4n4difjDBVb5+/Ij8s9V8s6u&#xA;LLytYW2rNZXH1CazhW2Zbj0mMTAQ+mCQ9Dv174q/PnFX0B/65t/2/P8Ambir5/xV2KuxV2KuxV2K&#xA;uxV2KuxV2KuxV2KuxV2KuxV2KuxVPI/Kty2k6Lqj3EaW2t31xp8QNeUb2oty7vsBxIu1pQ9jir2H&#xA;zp/zil+YmlaVLrGoeYrC9sNLgROcjX0ksdvHRVSOKOCduKV6LsBviqS+WPyX/PifSLfWfJt1Jc6b&#xA;ccjaXWn6j9UDhH4clEz2rUqm23bFUbpvlj/nLDygkkOmWusW8bO8ssds0V2jSftOQjTKzN4/te+K&#xA;qmpfmJ/zlDCsR17R766W1dZLea90NQY3i+JXjnS3jYMpFeStXFU2g/5zD/NnTWCaxoOnuoO5eC6t&#xA;pDWppUylenT4cVfPl/NBPfXE1vF6FvLK7wwV5cEZiVTlQV4jauKvef8A1zb/ALfn/M3FXz/irsVd&#xA;irsVdirsVdirsVdirsVdirsVdirsVdirsVdir0O7h9T8idF1GLaTTfM19blttjc2VrKp6d/QP3Yq&#xA;/QSCWLWNEjlVjHDqNsGDRkFlWeOtVJFKgNtUYq+b7PzF5Mt/+cbrjyqNWhuNXsptVsNFjSV/rEk8&#xA;FzcS200aWhMhHpFSGpwqRy2OKpZ5a83XFro+kW+ra9qP6BFnqTC+0+9u7BV1ZhFc28D3l66qWS25&#xA;KsUsjR+pUbjFWW6Z+ZXnQ6fcatc6+EvLf9D3uj6NLBAq6rpd5DEkiRIA8puJbhnXkshCSDiSErir&#xA;1j82NFXWvyy80aaVLvNptyYVH+/o4zJF1/4sRcVfmtir6A/9c2/7fn/M3FXz/irsVdirsVdirsVd&#xA;irsVdirsVdirsVdirsVdirsVTzyl5fg1y9vrWWZoWttN1DUIitPiewtJLrga9mWIjb+3FXpvk/8A&#xA;KvSNS8m+XBqlzrUSeZdVWz/0JrWSwivGjDWzyRzNEQ7wTbHlXZqdhir1i3/5xn8x2omh0D83L+2e&#xA;wBWW3j9VfR5A0V/SvF9MEA/s4qktp/zj9+Zug6+V0L8x9Nj100C+qTHeMrLU1HGeTcfeMVZJJ5L/&#xA;AOcxLWMRDzbo+pQNUtFIkL9KEcjNYofl8WKoW6tv+cuzNbT32haDrlxYkS2c06WTPFKP2omMkHB2&#xA;4jdaYqlnnT/nIL/nIPyQluvnTyho9pDqHNbenORJAgHqLWK7uF6MOuKvlSUxmVzECsRY8A25C12r&#xA;9GKvff8A1zb/ALfn/M3FXz/irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVZl+UUbT+fbKyUq&#xA;G1C21DT1Lgstb3T57YVA95cVey/lprui6X+R2mXd/OkgsPOGk37GEPPJCsU
kHqBlVeSuILaRqdOJ&#xA;FDvTFXub6Jqc1t5gh01Hm0HzGyOizIl3bql7Nynmh4yxSyW08UzvJCWBR+RXZ8VeT/mh5O803sei&#xA;StZ6jL5g03TtT0u81e30i4vTdvpU8M+lyh41keE3TRbShuSkkfZriqUS+WrOa889C90mTR7y5sb+&#xA;/wBHsba1vYJ47k2VtqQRJlpbNHDNbSx8aKwc0FQ9FVeiWnnryJfeem1dNcm0vRtd0SbT7iOSe6tD&#xA;Fqlq1o3FFZoyJ/QuURTGKsY2AJNcVeS/mdOdc/I2GW71aLVta0bU4J55k1CbUpPq8sTWckkpuPjg&#xA;aW5i5ekv7ulCnUnFXz1ir6A/9c2/7fn/ADNxV8/4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq&#xA;7FVS3ubi2mSe3kaGaM1SWMlWU+II3GKsq8s/ll+ZWu6eureXdEvb2ydmjF1aiqlkPxLUEdDirJbb&#xA;8tP+cjbX/eXTNfg24/upZk+EdvhcbYqm1voX/OWtvQRP5qCgcVU3dyygDwVpCBiqZWz/APOYtsVM&#xA;f6fbgKD1Qsvtv6nKv04qn1rqX/ObsUSiNLxkPxASwaUzb70JkQv9GKpH+aGu/wDOR9l5G1BPzB0y&#xA;3TQNdaC0luClikwnSQXMJ/0RxKD/AKP/ALsUrT3pirwLFX0B/wCubf8Ab8/5m4q+f8VdirsVdirs&#xA;VTLSvL+q6rHdS2cPKKzglup5nIjjWOAKXrI1EDfGtAT8RIUVZlBVS3FXYq7FXYq7FXYq7FXYq7FX&#xA;Yq7FX27/AM4Z3Bl/KW6j5V+r6vcxgeFYYJKf8PXFXu+Ksf8AIsNxD5dhikvrS+hjYxWbWDSSwRQQ&#xA;gQpF60sk0kzr6fxyO1WauwxVH6HqulahBcfoy+hv4bS4ktJmhl9YxzREB4pHLOfUUncHFUJ5Qv7q&#xA;9sLt7q8tLuaG+urfhZSGVIEhmKRwyOzOxmCBWk5UoxIApTFWB/8AOU2mpe/klrzkVks2tbmL2K3U&#xA;aMTt/vt2xV8B4q+gP/XNv+35/wAzcVfP+KuxV2KuxV2Kpvd+bfMV3odvoU1840a1IaKwjCxQlx0d&#xA;0jCiR/8ALere+KpRirsVdirsVdirsVdirsVdirsVdir3X/nH7/nIPS/y50K70DUdPluY7+++tJdC&#xA;ThFDzjSJi6qkslP3YJ4qTToDir1bzP8A85h+X9JihS10m31uaf1vUjs76T040RuEZd5bOP8AvR8Q&#xA;UAkD7VDtirCfL3/OYOkeXNL/AEbovkMW1sCWRW1V5aHiEWpe1LMERVRRy2VQO2KoLy//AM5bw+Xh&#xA;fDSPJNtbfpK6kv70/Xp3LzygBmq6NxFFACrRR2GKusf+cwtQ0prn9DeT7CyjvJTcXKG4nk5SlQpY&#xA;bIFHFR8Kin34qg/OH/OW2ueavKOreXNQ8u2kcWqQNALiGaUGOu4fiwbkQQD1GKvA8VfQH/rm3/b8&#xA;/wCZuKvn/FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+gP/AFzb&#xA;/t+f8zcVfP8AirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfQH/r&#xA;m3/b8/5m4q+f8VdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir6A/9&#xA;c2/7fn/M3FX/2Q==</xapGImg:image>
-               </rdf:li>
-            </rdf:Alt>
-         </xap:Thumbnails>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
-            xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
-         <xapMM:DocumentID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:DocumentID>
-         <xapMM:InstanceID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:InstanceID>
-         <xapMM:DerivedFrom rdf:parseType="Resource">
-            <stRef:instanceID>uuid:e3e3a208-cd3c-11d9-8977-000d936c956e</stRef:instanceID>
-            <stRef:documentID>uuid:AB03F8A6CDD611D982B3C176F4FB2AEE</stRef:documentID>
-         </xapMM:DerivedFrom>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:dc="http://purl.org/dc/elements/1.1/">
-         <dc:title>
-            <rdf:Alt>
-               <rdf:li xml:lang="x-default">portrait-head copy</rdf:li>
-            </rdf:Alt>
-         </dc:title>
-         <dc:format>application/eps</dc:format>
-      </rdf:Description>
-      <rdf:Description rdf:about=""
-            xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
-         <photoshop:ColorMode>3</photoshop:ColorMode>
-         <photoshop:History/>
-      </rdf:Description>
-   </rdf:RDF>
-</x:xmpmeta>
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                                                                                                    
-                           
-<?xpacket end="w"?>

% &end XMP packet& %

[{Metadata_In_EPS} 2 dict begin /Type /Metadata def /Subtype /XML def currentdict end /PUT PDFMark5
[/Document 1 dict begin /Metadata {Metadata_In_EPS} def currentdict end /BDC PDFMark5
[/NamespacePop PDFMark5

PDFVars/TermAll get exec end end
 PDF /docinitialize get exec
-
%%EndSetup
PDFVars begin PDF begin PDFVars/InitAll get exec
172.0 54.0 296.0 409.0 rectclip
q
172.0 54.0 m
468.0 54.0 l
468.0 463.0 l
172.0 463.0 l
h
W
n
q
n
0.0 480.0 640.0 -480.0 re
W
n
q
true setSA
172.0 54.0 296.0 409.0 re
W
n
n
335.201 367.981 m
333.385 369.335 330.805 369.835 328.2 368.652 c
322.949 374.353 322.186 384.354 319.8 392.8 c
315.154 386.669 307.689 378.628 311.4 368.652 c
308.876 369.681 308.006 368.819 304.399 369.323 c
304.324 380.208 313.847 387.489 318.4 396.154 c
317.73 402.89 317.119 409.683 308.6 408.898 c
311.234 410.792 315.023 413.818 319.8 411.582 c
327.617 399.62 326.688 379.276 335.201 367.981 c
[/DeviceGray] cs 1.0 sc
eofill
n
322.6 357.249 m
318.99 354.59 309.367 354.389 304.399 355.237 c
309.273 356.61 318.049 357.799 322.6 357.249 c
eofill
n
273.598 353.896 m
275.535 354.009 276.001 352.865 274.998 351.883 c
278.4 352.2 281.25 353.047 284.098 353.896 c
283.331 350.815 273.651 348.813 270.098 349.871 c
270.095 352.333 272.549 352.441 273.598 353.896 c
eofill
n
275.698 347.188 m
271.917 344.774 266.738 343.699 262.397 341.821 c
265.361 344.664 271.338 347.885 275.698 347.188 c
eofill
n
246.296 343.163 m
248.1 342.035 245.702 339.313 244.896 338.468 c
244.126 330.771 243.94 342.296 246.296 343.163 c
eofill
n
367.402 342.492 m
382.533 343.126 391.632 332.171 399.604 323.71 c
389.667 328.053 379.82 338.291 367.402 342.492 c
eofill
n
263.797 337.126 m
256.335 330.414 249.26 323.331 240.696 317.674 c
242.625 325.219 252.857 330.614 258.897 336.455 c
261.325 335.917 261.588 337.454 263.797 337.126 c
eofill
n
242.096 334.443 m
243.162 332.5 239.825 329.038 239.996 325.723 c
238.557 328.023 240.96 332.381 242.096 334.443 c
eofill
n
349.901 292.855 m
345.818 290.507 339.01 290.771 332.4 290.843 c
335.809 294.692 344.583 293.494 349.901 292.855 c
0.0 sc
eofill
n
380.003 243.889 m
361.751 227.327 333.626 256.615 328.9 270.049 c
320.358 294.333 372.045 299.295 382.804 283.464 c
383.45 282.512 385.821 277.044 385.604 274.745 c
385.214 270.637 378.237 264.074 377.903 255.963 c
377.744 252.102 378.594 248.677 380.003 243.889 c
eofill
n
303.699 289.501 m
300.093 289.492 299.222 288.63 296.699 290.172 c
298.743 290.818 303.655 292.552 303.699 289.501 c
1.0 sc
eofill
n
405.904 243.889 m
405.44 241.427 405.159 238.79 404.504 236.511 c
400.915 236.201 401.338 239.737 397.504 239.193 c
398.963 243.326 400.66 244.252 405.904 243.889 c
0.0 sc
eofill
n
313.5 231.145 m
316.143 231.441 316.786 229.821 318.4 229.132 c
317.548 228.16 315.604 228.233 315.6 226.449 c
314.251 226.722 315.047 229.05 312.8 228.461 c
312.711 229.664 313.657 229.876 313.5 231.145 c
1.0 sc
eofill
n
234.396 223.766 m
235.994 221.496 236.419 218.103 236.496 214.375 c
235.048 216.789 233.883 219.474 234.396 223.766 c
0.0 sc
eofill
n
236.496 213.704 m
237.603 212.306 238.778 210.972 239.296 209.009 c
239.95 209.501 240.357 210.229 240.696 211.021 c
243.049 209.716 241.634 205.406 242.096 200.96 c
240.518 201.459 241.823 204.722 241.396 206.326 c
241.263 206.869 240.694 206.994 240.696 207.668 c
239.257 207.358 239.345 209.687 236.496 209.68 c
h
eofill
n
240.696 192.91 m
242.821 189.055 239.509 178.342 241.396 172.117 c
239.354 169.795 240.487 182.937 240.696 186.203 c
240.851 188.61 240.575 191.107 240.696 192.91 c
eofill
n
308.6 162.055 m
314.675 154.383 312.125 145.973 317.7 138.578 c
316.42 136.645 316.564 136.48 317.0 133.883 c
313.95 133.228 311.994 131.525 310.0 129.858 c
307.797 129.537 307.263 130.813 305.799 131.2 c
305.191 140.651 304.613 147.547 307.899 154.006 c
303.2 152.07 309.483 158.048 308.6 162.055 c
1.0 sc
eofill
n
244.896 143.273 m
244.156 129.208 241.88 108.192 242.796 92.966 c
236.285 107.105 239.955 130.17 244.896 143.273 c
eofill
n
302.299 118.455 m
306.008 120.202 310.441 116.88 315.6 117.784 c
314.137 116.504 312.257 115.621 310.0 115.102 c
310.43 115.698 310.846 116.301 310.0 116.442 c
306.528 115.744 305.256 112.939 301.599 112.418 c
301.313 110.802 302.878 110.96 302.299 109.064 c
295.729 97.919 290.589 85.405 283.398 74.855 c
276.968 92.139 288.191 102.929 294.599 113.76 c
297.204 114.617 300.502 114.811 303.0 115.772 c
302.941 116.834 303.336 118.33 302.299 118.455 c
eofill
n
261.697 113.76 m
269.896 111.554 271.323 102.86 274.998 96.319 c
272.167 96.234 266.496 98.782 261.697 99.003 c
h
eofill
n
453.507 21.864 m
451.755 21.308 450.758 20.026 448.606 19.852 c
448.186 29.957 446.449 38.803 445.807 48.695 c
446.854 49.48 448.67 49.529 449.307 50.707 c
452.953 43.245 452.55 31.903 453.507 21.864 c
eofill
n
455.606 50.036 m
458.758 41.682 459.65 32.563 459.107 23.206 c
456.895 31.84 456.211 41.077 455.606 50.036 c
eofill
n
508.109 24.547 m
511.355 28.32 510.013 38.014 502.509 37.292 c
500.598 31.98 503.062 25.393 508.109 24.547 c
510.21 23.877 m
501.324 22.965 498.933 28.274 499.009 35.95 c
505.278 45.055 517.523 31.475 510.21 23.877 c
0.0 sc
eofill
n
502.509 37.292 m
510.013 38.014 511.355 28.32 508.109 24.547 c
503.062 25.393 500.598 31.98 502.509 37.292 c
1.0 sc
eofill
n
517.91 35.95 m
514.734 31.577 517.265 22.836 523.51 23.206 c
525.542 27.478 524.332 35.844 517.91 35.95 c
524.91 22.535 m
525.076 20.682 528.859 22.295 528.41 19.852 c
524.141 16.739 520.433 25.449 517.21 21.193 c
516.797 25.973 513.585 27.31 513.71 33.938 c
519.671 43.435 532.165 29.572 524.91 22.535 c
0.0 sc
eofill
n
523.51 23.206 m
517.265 22.836 514.734 31.577 517.91 35.95 c
524.332 35.844 525.542 27.478 523.51 23.206 c
1.0 sc
eofill
n
284.798 30.584 m
287.068 31.878 288.612 30.792 291.099 30.584 c
291.099 24.547 l
288.065 25.665 287.627 29.27 284.798 30.584 c
eofill
n
433.906 12.474 m
434.501 12.597 434.566 12.212 434.605 11.803 c
434.492 11.022 434.761 10.609 435.306 10.461 c
435.139 4.936 436.164 -1.384 436.706 -7.649 c
437.207 -13.44 439.325 -20.188 436.006 -22.406 c
431.935 -20.405 432.173 -13.479 431.806 -8.32 c
431.358 -2.04 432.145 5.144 431.806 11.132 c
432.37 11.709 433.724 11.53 433.906 12.474 c
eofill
n
420.605 -25.761 m
421.2 -25.637 421.266 -26.022 421.305 -26.432 c
421.177 -27.002 421.578 -27.063 422.005 -27.102 c
422.263 -33.01 422.791 -40.389 423.405 -47.225 c
423.912 -52.866 427.445 -61.162 421.305 -63.323 c
419.491 -51.869 419.411 -38.755 417.805 -27.102 c
419.108 -27.01 420.145 -26.661 420.605 -25.761 c
eofill
n
455.606 -37.163 m
455.987 -39.606 456.104 -40.257 457.007 -43.2 c
454.473 -41.866 454.052 -35.555 449.307 -38.505 c
453.136 -43.367 461.496 -48.421 455.606 -55.274 c
452.412 -55.876 451.639 -54.157 449.307 -53.933 c
450.123 -50.738 447.19 -48.917 448.606 -47.225 c
449.906 -49.78 451.392 -52.158 453.507 -53.933 c
455.754 -54.521 454.958 -52.193 456.307 -51.92 c
454.046 -46.284 446.483 -45.169 447.906 -37.834 c
449.713 -35.324 452.823 -35.775 455.606 -37.163 c
0.0 sc
eofill
n
463.308 -47.225 m
464.538 -46.839 467.42 -48.036 467.508 -46.555 c
464.521 -46.487 465.668 -42.06 464.707 -41.859 c
464.017 -43.434 463.479 -45.154 463.308 -47.225 c
464.008 -36.493 m
469.731 -41.293 470.361 -50.975 475.208 -56.616 c
473.366 -55.921 470.912 -55.813 468.207 -55.945 c
468.848 -54.77 468.448 -52.599 469.607 -51.92 c
467.864 -49.391 465.679 -48.632 462.607 -49.908 c
461.353 -53.794 464.99 -52.991 464.707 -55.945 c
463.105 -55.244 460.484 -55.52 459.107 -54.604 c
462.148 -49.915 462.82 -42.957 464.008 -36.493 c
eofill
n
478.708 -39.847 m
481.508 -39.847 l
482.104 -41.735 483.77 -42.599 483.608 -45.213 c
482.284 -46.543 480.301 -45.538 478.708 -45.213 c
480.231 -43.992 477.185 -41.067 478.708 -39.847 c
1.0 sc
eofill
n
428.306 -42.529 m
432.835 -44.021 429.524 -46.889 431.105 -50.579 c
427.428 -48.271 430.559 -45.576 428.306 -42.529 c
eofill
n
479.408 -47.896 m
481.681 -47.507 482.665 -48.353 484.309 -48.566 c
485.405 -51.125 485.772 -52.598 484.309 -55.274 c
479.157 -55.492 479.966 -50.419 479.408 -47.896 c
eofill
n
508.109 -82.775 m
511.609 -82.775 l
511.521 -83.979 512.467 -84.19 512.31 -85.459 c
510.906 -84.757 509.056 -81.867 508.81 -85.459 c
507.859 -85.251 508.229 -83.779 508.109 -82.775 c
0.0 sc
eofill
n
494.108 -86.801 m
495.318 -88.66 492.325 -92.224 489.209 -92.167 c
491.068 -90.595 493.245 -89.326 494.108 -86.801 c
eofill
n
428.306 -87.471 m
429.944 -87.689 428.985 -90.397 430.405 -90.825 c
429.02 -92.962 427.683 -89.473 428.306 -87.471 c
1.0 sc
eofill
n
472.408 -103.569 m
471.546 -103.862 470.971 -104.428 471.008 -105.582 c
468.381 -106.087 469.481 -103.02 467.508 -102.898 c
468.134 -101.71 470.349 -102.044 469.607 -99.545 c
470.46 -100.965 472.242 -101.493 472.408 -103.569 c
eofill
n
489.908 -103.569 m
489.57 -101.457 492.058 -102.051 491.309 -99.545 c
492.63 -100.515 494.412 -101.043 494.108 -103.569 c
492.57 -105.11 491.783 -104.658 489.908 -103.569 c
eofill
n
423.405 -107.595 m
424.647 -105.805 423.915 -111.524 424.105 -112.961 c
422.863 -114.75 423.596 -109.03 423.405 -107.595 c
eofill
n
450.707 -116.985 m
451.855 -117.096 451.855 -112.851 450.707 -112.961 c
451.451 -111.438 455.107 -112.705 457.007 -112.29 c
456.223 -121.449 443.292 -119.499 440.906 -112.961 c
445.277 -113.214 449.114 -111.688 450.707 -116.985 c
eofill
n
440.906 -112.961 m
443.292 -119.499 456.223 -121.449 457.007 -112.29 c
455.107 -112.705 451.451 -111.438 450.707 -112.961 c
451.855 -112.851 451.855 -117.096 450.707 -116.985 c
449.114 -111.688 445.277 -113.214 440.906 -112.961 c
424.105 -112.961 m
423.915 -111.524 424.647 -105.805 423.405 -107.595 c
423.596 -109.03 422.863 -114.75 424.105 -112.961 c
185.394 -103.569 m
185.436 -101.911 184.688 -97.609 183.993 -98.874 c
185.312 -103.715 180.065 -102.266 179.093 -104.911 c
188.182 -106.018 190.452 -100.591 194.494 -96.862 c
192.126 -97.08 190.815 -92.836 188.894 -94.85 c
190.269 -95.992 192.393 -96.416 193.094 -98.203 c
189.207 -98.727 187.533 -101.372 185.394 -103.569 c
430.405 -90.825 m
428.985 -90.397 429.944 -87.689 428.306 -87.471 c
427.683 -89.473 429.02 -92.962 430.405 -90.825 c
540.312 -75.397 m
504.953 -77.282 466.034 -76.428 431.105 -76.739 c
432.544 -88.105 432.56 -100.835 433.906 -112.29 c
462.218 -111.651 511.072 -109.362 545.911 -110.277 c
544.442 -98.493 543.693 -86.02 541.011 -75.397 c
h
431.806 -53.933 m
430.96 -53.791 431.375 -53.188 431.806 -52.591 c
431.263 -52.441 430.425 -52.572 430.405 -51.92 c
430.833 -51.883 431.234 -51.82 431.105 -51.25 c
427.934 -50.69 430.186 -58.35 431.806 -55.274 c
430.668 -55.475 429.917 -54.368 431.105 -53.933 c
431.104 -54.305 431.673 -54.694 431.806 -53.933 c
431.105 -50.579 m
429.524 -46.889 432.835 -44.021 428.306 -42.529 c
430.559 -45.576 427.428 -48.271 431.105 -50.579 c
429.006 -41.859 m
431.135 -40.424 429.522 -34.865 428.306 -32.468 c
426.215 -35.179 429.978 -40.22 429.006 -41.859 c
433.906 -59.299 m
467.277 -61.479 504.295 -63.707 540.312 -65.336 c
542.679 -65.303 543.348 -66.897 544.512 -68.019 c
543.232 -56.276 540.656 -45.776 538.911 -34.48 c
499.032 -31.887 468.391 -29.707 431.105 -26.432 c
431.704 -38.723 432.988 -45.673 433.906 -59.299 c
417.805 -27.102 m
419.411 -38.755 419.491 -51.869 421.305 -63.323 c
427.445 -61.162 423.912 -52.866 423.405 -47.225 c
422.791 -40.389 422.263 -33.01 422.005 -27.102 c
421.578 -27.063 421.177 -27.002 421.305 -26.432 c
421.266 -26.022 421.2 -25.637 420.605 -25.761 c
420.145 -26.661 419.108 -27.01 417.805 -27.102 c
444.406 11.803 m
444.775 2.329 446.709 -9.633 447.206 -19.053 c
481.067 -21.219 507.654 -24.143 548.712 -26.432 c
548.808 -27.681 549.172 -28.673 550.111 -29.114 c
548.047 -18.796 546.644 -7.842 544.512 2.412 c
512.655 5.229 472.271 8.489 444.406 11.803 c
431.806 11.132 m
432.145 5.144 431.358 -2.04 431.806 -8.32 c
432.173 -13.479 431.935 -20.405 436.006 -22.406 c
439.325 -20.188 437.207 -13.44 436.706 -7.649 c
436.164 -1.384 435.139 4.936 435.306 10.461 c
434.761 10.609 434.492 11.022 434.605 11.803 c
434.566 12.212 434.501 12.597 433.906 12.474 c
433.724 11.53 432.37 11.709 431.806 11.132 c
291.099 24.547 m
291.099 30.584 l
288.612 30.792 287.068 31.878 284.798 30.584 c
287.627 29.27 288.065 25.665 291.099 24.547 c
548.712 14.485 m
549.565 14.41 550.369 14.285 550.111 13.145 c
550.081 12.431 550.441 11.44 550.812 12.474 c
549.29 21.523 547.661 30.473 545.911 39.305 c
517.488 43.596 487.951 46.82 458.407 50.036 c
459.174 43.407 460.608 33.383 461.207 24.547 c
489.498 20.354 520.27 18.535 548.712 14.485 c
459.107 23.206 m
459.65 32.563 458.758 41.682 455.606 50.036 c
456.211 41.077 456.895 31.84 459.107 23.206 c
449.307 50.707 m
448.67 49.529 446.854 49.48 445.807 48.695 c
446.449 38.803 448.186 29.957 448.606 19.852 c
450.758 20.026 451.755 21.308 453.507 21.864 c
452.55 31.903 452.953 43.245 449.307 50.707 c
261.697 99.003 m
266.496 98.782 272.167 96.234 274.998 96.319 c
271.323 102.86 269.896 111.554 261.697 113.76 c
h
303.0 115.772 m
300.502 114.811 297.204 114.617 294.599 113.76 c
288.191 102.929 276.968 92.139 283.398 74.855 c
290.589 85.405 295.729 97.919 302.299 109.064 c
302.878 110.96 301.313 110.802 301.599 112.418 c
305.256 112.939 306.528 115.744 310.0 116.442 c
310.846 116.301 310.43 115.698 310.0 115.102 c
312.257 115.621 314.137 116.504 315.6 117.784 c
310.441 116.88 306.008 120.202 302.299 118.455 c
303.336 118.33 302.941 116.834 303.0 115.772 c
356.202 48.695 m
356.612 47.3 357.673 46.527 358.302 45.341 c
357.542 45.181 356.621 44.236 357.602 44.0 c
357.611 45.332 359.512 44.853 359.002 46.683 c
363.245 49.29 372.338 60.687 369.503 59.428 c
369.542 59.837 369.607 60.222 370.203 60.098 c
369.969 56.951 366.326 58.617 364.603 58.757 c
365.335 56.859 363.447 54.155 364.603 54.062 c
364.809 54.657 366.496 56.998 366.702 55.402 c
364.903 55.338 365.701 52.784 363.902 52.72 c
360.545 58.223 357.465 63.991 354.102 69.489 c
354.707 62.384 360.926 58.399 356.202 48.695 c
349.201 88.941 m
362.053 98.986 383.324 100.964 380.703 125.834 c
372.736 121.118 364.62 120.807 356.202 119.126 c
353.471 118.58 351.11 116.456 347.802 116.442 c
344.115 116.428 340.976 119.504 337.301 119.797 c
332.525 120.177 327.116 118.04 322.6 117.113 c
324.914 116.107 321.146 115.474 321.9 113.76 c
328.2 113.76 l
329.125 115.438 325.433 115.859 327.501 116.442 c
330.774 115.108 333.572 113.316 335.901 111.076 c
334.361 103.381 330.914 93.947 329.601 88.271 c
331.902 89.168 330.764 88.077 331.701 90.283 c
342.099 86.468 348.807 79.973 352.702 70.16 c
353.492 75.701 346.735 79.582 347.102 86.929 c
349.868 85.295 346.583 87.678 348.502 88.271 c
349.956 87.52 349.984 87.547 349.201 88.941 c
354.102 125.163 m
365.544 127.169 378.804 131.006 382.104 138.578 c
375.081 131.892 363.15 129.907 354.102 125.163 c
242.796 92.966 m
241.88 108.192 244.156 129.208 244.896 143.273 c
239.955 130.17 236.285 107.105 242.796 92.966 c
388.403 121.139 m
393.903 127.276 393.784 139.751 391.903 144.615 c
392.907 136.637 380.407 129.962 388.403 121.139 c
307.899 154.006 m
304.613 147.547 305.191 140.651 305.799 131.2 c
307.263 130.813 307.797 129.537 310.0 129.858 c
311.994 131.525 313.95 133.228 317.0 133.883 c
316.564 136.48 316.42 136.645 317.7 138.578 c
312.125 145.973 314.675 154.383 308.6 162.055 c
309.483 158.048 303.2 152.07 307.899 154.006 c
312.8 228.461 m
315.047 229.05 314.251 226.722 315.6 226.449 c
315.604 228.233 317.548 228.16 318.4 229.132 c
316.786 229.821 316.143 231.441 313.5 231.145 c
313.657 229.876 312.711 229.664 312.8 228.461 c
300.899 216.388 m
301.256 220.518 302.618 223.684 303.0 227.791 c
295.785 231.439 304.666 240.863 310.0 234.498 c
309.641 239.792 307.21 240.92 307.2 245.901 c
302.201 243.472 295.592 238.216 297.399 229.803 c
295.535 228.251 292.96 223.265 295.999 221.083 c
296.192 222.259 294.028 224.43 295.999 225.107 c
296.472 219.969 298.21 218.106 300.899 216.388 c
289.699 245.23 m
294.173 248.55 300.955 253.22 301.599 257.976 c
299.028 252.832 291.614 248.768 289.699 245.23 c
307.899 250.597 m
308.51 252.941 310.588 257.381 308.6 259.987 c
308.989 257.6 305.037 254.656 308.6 254.621 c
307.443 254.611 308.208 252.761 307.2 252.609 c
307.202 252.981 306.632 253.37 306.5 252.609 c
307.655 252.599 306.891 250.749 307.899 250.597 c
311.4 271.391 m
312.958 273.594 313.662 279.421 311.4 281.452 c
311.106 277.181 310.998 273.175 311.4 271.391 c
326.801 283.464 m
323.645 285.683 311.96 286.438 312.8 282.123 c
315.108 285.945 324.377 282.989 326.801 283.464 c
309.3 283.464 m
309.015 286.491 301.809 289.471 301.599 288.16 c
304.835 287.235 306.922 285.211 309.3 283.464 c
296.699 290.172 m
299.222 288.63 300.093 289.492 303.699 289.501 c
303.655 292.552 298.743 290.818 296.699 290.172 c
254.697 303.587 m
252.251 303.222 249.397 299.756 250.497 298.221 c
250.653 298.742 250.516 299.544 251.197 299.563 c
251.354 299.042 251.216 298.24 251.897 298.221 c
252.015 302.573 253.02 299.924 254.697 303.587 c
387.703 314.991 m
383.931 317.518 379.809 321.193 375.803 323.04 c
337.156 340.858 272.046 333.811 246.997 307.612 c
249.687 307.003 253.665 311.43 256.797 313.649 c
292.652 339.057 370.621 337.958 396.804 304.258 c
398.016 309.765 391.957 312.142 387.703 314.991 c
239.996 325.723 m
239.825 329.038 243.162 332.5 242.096 334.443 c
240.96 332.381 238.557 328.023 239.996 325.723 c
258.897 336.455 m
252.857 330.614 242.625 325.219 240.696 317.674 c
249.26 323.331 256.335 330.414 263.797 337.126 c
261.588 337.454 261.325 335.917 258.897 336.455 c
401.004 326.394 m
399.797 327.266 396.705 332.1 394.004 333.772 c
394.158 334.295 394.59 334.552 395.404 334.443 c
395.325 336.157 394.12 336.791 393.304 337.797 c
391.721 334.498 386.21 338.901 387.703 337.797 c
391.603 334.546 399.437 325.275 401.004 326.394 c
399.604 323.71 m
391.632 332.171 382.533 343.126 367.402 342.492 c
379.82 338.291 389.667 328.053 399.604 323.71 c
244.896 338.468 m
245.702 339.313 248.1 342.035 246.296 343.163 c
243.94 342.296 244.126 330.771 244.896 338.468 c
262.397 341.821 m
266.738 343.699 271.917 344.774 275.698 347.188 c
271.338 347.885 265.361 344.664 262.397 341.821 c
401.704 327.064 m
398.708 335.149 396.251 343.751 389.804 348.529 c
394.293 340.481 397.984 334.951 401.704 327.064 c
270.098 349.871 m
273.651 348.813 283.331 350.815 284.098 353.896 c
281.25 353.047 278.4 352.2 274.998 351.883 c
276.001 352.865 275.535 354.009 273.598 353.896 c
272.549 352.441 270.095 352.333 270.098 349.871 c
257.497 351.883 m
257.699 351.692 261.628 353.248 259.597 352.554 c
259.054 352.704 258.216 352.572 258.197 353.225 c
259.129 353.896 260.31 354.33 260.997 355.237 c
258.894 355.418 256.148 352.788 257.497 351.883 c
377.203 345.846 m
378.514 346.826 381.842 345.873 382.804 347.188 c
380.734 349.4 376.373 349.005 374.403 348.529 c
375.637 347.923 376.57 347.029 377.203 345.846 c
363.902 351.212 m
366.568 350.894 368.272 351.497 368.803 353.225 c
364.142 353.23 362.604 356.229 357.602 355.908 c
359.67 352.818 355.885 354.838 354.802 353.225 c
363.754 348.833 375.564 343.608 384.203 341.151 c
378.763 347.249 370.329 346.707 363.902 351.212 c
304.399 355.237 m
309.367 354.389 318.99 354.59 322.6 357.249 c
318.049 357.799 309.273 356.61 304.399 355.237 c
386.304 344.504 m
383.562 350.378 380.271 359.289 373.703 359.261 c
377.983 354.863 382.952 347.559 386.304 344.504 c
371.603 353.225 m
367.71 354.423 364.802 365.927 356.902 363.286 c
357.662 363.125 358.583 362.182 357.602 361.944 c
356.816 361.876 356.512 362.919 356.202 361.944 c
361.791 360.525 370.078 351.941 371.603 353.225 c
308.6 363.957 m
324.934 355.586 344.37 368.122 347.102 380.726 c
342.493 366.581 323.285 358.619 308.6 363.957 c
319.8 411.582 m
315.023 413.818 311.234 410.792 308.6 408.898 c
317.119 409.683 317.73 402.89 318.4 396.154 c
313.847 387.489 304.324 380.208 304.399 369.323 c
308.006 368.819 308.876 369.681 311.4 368.652 c
307.689 378.628 315.154 386.669 319.8 392.8 c
322.186 384.354 322.949 374.353 328.2 368.652 c
330.805 369.835 333.385 369.335 335.201 367.981 c
326.688 379.276 327.617 399.62 319.8 411.582 c
327.501 269.378 m
322.6 269.378 l
321.13 260.632 316.914 254.621 317.7 247.914 c
317.857 248.435 317.719 249.236 318.4 249.255 c
318.066 246.853 317.262 245.379 318.4 243.219 c
317.698 243.216 317.567 243.762 317.0 243.889 c
318.358 241.653 316.006 236.907 318.4 239.864 c
317.352 235.7 319.959 233.483 322.6 231.145 c
321.516 230.396 321.143 228.964 319.1 229.132 c
318.209 223.359 322.566 222.616 324.7 219.741 c
325.35 221.802 329.084 220.907 330.301 222.425 c
330.279 220.442 333.542 220.153 334.501 221.083 c
332.215 224.93 331.089 229.888 326.801 231.815 c
327.437 233.218 328.866 233.86 331.001 233.827 c
331.932 230.026 339.512 222.925 335.201 222.425 c
335.819 220.78 337.299 219.963 336.601 217.059 c
334.429 216.178 334.604 217.24 331.701 217.059 c
331.73 216.135 331.371 215.585 331.001 215.046 c
332.971 217.131 340.802 213.493 343.602 214.375 c
343.538 212.545 344.768 213.025 343.602 211.692 c
347.513 211.298 348.997 213.229 352.702 213.033 c
349.92 217.076 346.073 220.098 343.602 224.437 c
347.06 224.808 342.873 224.781 342.901 225.778 c
343.019 226.56 344.008 226.507 345.001 226.449 c
344.618 227.424 345.819 229.916 344.302 229.803 c
344.233 229.305 341.568 229.305 341.501 229.803 c
340.95 232.791 341.979 234.264 342.901 235.84 c
333.62 243.046 329.249 254.955 327.501 269.378 c
71.988 63.452 m
75.19 64.854 77.814 66.813 77.588 71.501 c
88.843 73.461 89.955 85.141 94.389 93.637 c
99.289 93.637 l
100.435 99.065 114.086 95.906 120.29 96.99 c
121.11 97.099 120.881 98.214 120.99 99.003 c
133.707 99.115 139.85 105.526 153.192 105.04 c
157.742 108.581 167.309 110.369 172.793 109.064 c
179.777 116.142 188.263 114.573 199.394 116.442 c
192.942 118.949 210.24 121.288 213.395 121.139 c
216.919 125.811 223.365 127.683 223.195 135.896 c
230.365 138.863 231.902 147.229 239.996 149.311 c
240.101 154.104 239.949 155.726 240.696 162.055 c
241.628 160.029 241.277 150.994 245.597 149.981 c
248.687 150.53 251.995 149.833 253.997 152.664 c
264.717 146.168 276.445 140.635 286.898 133.883 c
288.442 140.015 285.188 144.035 284.098 148.64 c
282.085 150.052 279.969 149.369 278.498 149.981 c
279.1 150.522 278.914 151.818 279.898 151.993 c
272.857 157.003 270.389 157.391 268.698 168.763 c
267.877 168.654 268.107 167.54 267.998 166.751 c
265.892 170.24 265.636 174.191 268.698 176.813 c
268.122 178.859 266.729 178.421 267.998 180.837 c
266.171 177.745 266.76 176.318 265.197 172.787 c
261.265 181.377 263.206 199.305 265.197 209.68 c
263.715 209.127 263.383 210.187 263.097 213.033 c
261.504 212.548 262.889 209.209 260.297 209.68 c
259.078 213.482 257.669 213.832 257.497 217.729 c
255.328 214.287 258.865 210.56 260.297 208.338 c
257.133 200.089 256.719 199.613 256.097 190.898 c
255.147 199.59 250.905 209.717 254.697 217.059 c
255.517 216.95 255.287 215.835 255.397 215.046 c
258.126 215.63 254.389 217.795 254.697 219.07 c
254.829 219.615 256.784 220.126 256.797 220.412 c
256.835 221.227 254.701 221.836 254.697 221.754 c
254.748 222.902 256.515 221.827 256.797 222.425 c
256.554 221.91 256.152 226.146 256.097 226.449 c
255.404 230.285 252.718 236.249 250.497 238.522 c
250.917 241.572 250.755 243.198 251.897 246.572 c
248.035 241.922 253.948 250.153 251.197 249.926 c
255.398 249.473 256.996 240.732 263.097 239.864 c
256.299 243.683 249.691 257.859 251.197 266.024 c
250.545 264.189 247.705 264.451 246.296 263.342 c
250.755 267.016 254.723 278.546 251.897 286.147 c
251.906 287.724 253.807 285.902 253.297 284.806 c
254.627 289.65 257.457 293.415 258.897 294.868 c
256.895 296.548 252.736 295.404 249.797 293.526 c
248.231 293.815 249.513 296.832 249.097 298.221 c
246.199 290.817 239.14 287.001 240.696 274.074 c
239.241 274.449 239.213 275.12 239.996 276.086 c
236.154 274.206 242.033 272.992 242.796 271.391 c
242.378 264.876 244.448 262.773 241.396 259.316 c
242.404 259.692 243.104 260.363 243.496 261.329 c
243.853 257.172 244.297 249.94 243.496 243.889 c
242.033 243.605 241.643 244.349 240.696 244.56 c
241.746 239.452 244.62 233.072 239.996 229.803 c
237.942 230.88 236.193 235.81 238.596 237.182 c
238.39 238.776 236.702 236.436 236.496 235.84 c
230.089 238.514 234.56 249.341 235.796 251.938 c
237.492 253.625 237.353 250.587 237.896 249.255 c
240.165 252.384 233.58 275.508 228.795 266.024 c
226.797 262.063 228.462 252.25 228.795 246.572 c
225.05 256.536 225.567 272.131 237.896 272.732 c
239.774 279.764 233.73 282.106 229.496 284.806 c
225.178 287.558 222.336 294.917 217.595 294.868 c
212.686 305.367 206.74 314.875 200.794 324.381 c
201.981 336.655 198.296 346.384 200.794 355.908 c
202.785 363.495 210.137 368.878 210.595 376.702 c
218.609 388.922 226.706 401.063 232.296 415.606 c
237.006 418.248 237.862 424.583 240.696 429.021 c
250.083 432.101 253.288 441.104 262.397 444.449 c
262.397 447.803 l
271.344 449.292 272.312 458.426 282.698 458.535 c
284.896 458.218 284.548 460.341 286.198 460.548 c
294.623 460.524 303.629 459.944 308.6 463.231 c
329.235 463.775 345.591 460.218 363.902 458.535 c
366.289 454.114 372.183 453.054 374.403 448.474 c
375.215 447.911 376.279 447.589 377.903 447.803 c
385.117 439.511 394.755 433.542 403.104 426.338 c
407.774 415.807 419.248 401.453 427.605 390.117 c
427.787 386.937 428.332 384.106 430.405 382.738 c
430.405 378.714 l
439.521 362.954 445.832 329.106 432.506 312.308 c
432.536 310.592 431.985 311.49 431.105 311.637 c
428.293 302.144 423.28 298.4 419.205 290.843 c
412.571 290.715 412.852 283.963 406.604 283.464 c
404.175 281.321 405.457 275.62 401.704 274.745 c
402.15 271.818 405.29 271.473 407.305 270.049 c
410.933 266.431 409.264 266.431 406.604 270.049 c
404.266 270.491 403.181 272.135 401.004 272.732 c
401.51 274.782 400.288 275.177 400.304 276.757 c
399.483 276.648 399.714 275.534 399.604 274.745 c
395.828 304.747 365.267 315.206 334.501 314.991 c
335.927 313.099 332.96 314.154 334.501 311.637 c
333.007 311.323 333.168 312.595 333.101 313.649 c
328.189 307.244 321.906 296.282 320.5 290.843 c
312.896 297.83 319.043 312.756 308.6 317.674 c
303.84 316.645 305.106 309.842 301.599 307.612 c
306.119 300.45 306.033 293.025 317.0 292.185 c
314.397 290.206 308.9 291.001 304.399 290.843 c
306.656 287.192 317.93 292.181 318.4 286.818 c
320.311 287.424 316.271 288.319 318.4 289.501 c
338.001 289.501 l
333.701 287.361 330.055 284.595 326.801 281.452 c
325.453 261.088 348.013 241.605 364.603 237.182 c
363.159 236.328 360.984 236.177 359.702 235.169 c
362.563 239.252 356.666 234.34 354.102 236.511 c
354.34 235.164 353.959 234.412 352.702 234.498 c
354.491 228.909 361.311 221.284 358.302 214.375 c
373.915 214.578 387.628 212.962 400.304 210.351 c
404.061 213.459 401.965 222.175 405.904 225.107 c
403.462 218.644 404.88 214.72 402.404 209.68 c
403.049 208.508 404.593 208.199 406.604 208.338 c
409.308 214.603 414.059 221.266 412.904 229.132 c
414.857 229.72 416.362 230.738 418.505 231.145 c
419.699 228.776 421.743 225.721 419.905 222.425 c
424.084 214.456 428.896 207.888 428.306 196.936 c
423.385 184.104 409.015 184.798 397.504 186.874 c
398.991 181.145 397.844 172.889 398.204 166.08 c
396.625 168.601 397.931 179.674 397.504 185.532 c
390.178 184.465 378.929 184.465 371.603 185.532 c
369.684 185.519 369.94 182.368 370.902 181.508 c
370.03 180.072 369.17 184.266 368.803 185.532 c
353.525 187.353 341.924 191.047 334.501 186.203 c
334.352 182.466 339.798 180.567 340.102 179.495 c
341.099 177.271 332.095 181.212 333.101 185.532 c
330.057 186.455 323.282 186.907 321.2 184.861 c
320.938 182.03 325.963 181.521 324.7 178.153 c
327.806 182.509 327.499 172.85 329.601 175.471 c
332.455 174.976 331.188 168.955 333.801 169.434 c
335.99 168.349 331.019 168.6 332.4 166.08 c
332.41 164.504 334.311 166.325 333.801 167.421 c
332.895 161.781 331.273 157.57 331.001 148.64 c
330.24 148.806 330.525 149.974 329.601 149.981 c
331.038 148.042 325.5 143.503 328.2 140.591 c
325.265 139.363 323.438 135.075 324.7 131.87 c
327.669 132.229 339.268 130.912 339.401 131.2 c
352.32 130.529 375.411 142.27 382.804 145.286 c
384.537 144.224 383.089 140.593 382.804 139.249 c
384.727 140.536 386.058 142.391 385.604 145.957 c
389.419 148.561 395.013 149.462 396.804 154.006 c
398.832 155.117 395.44 152.419 396.104 150.652 c
398.395 149.046 400.019 146.802 404.504 147.298 c
406.847 142.388 409.719 137.984 415.005 135.896 c
414.936 128.227 421.337 126.758 423.405 121.139 c
429.476 122.459 436.398 121.338 440.206 117.113 c
441.187 117.351 440.267 118.295 439.506 118.455 c
440.644 120.145 441.778 116.214 442.307 115.102 c
451.886 114.25 465.622 115.221 466.107 107.723 c
472.891 108.617 480.403 110.39 483.608 105.04 c
482.305 104.398 481.269 107.049 480.809 105.04 c
486.318 101.815 501.291 106.936 501.109 99.674 c
510.051 100.993 517.076 100.198 522.811 95.648 c
539.221 99.815 547.974 87.258 551.512 74.855 c
558.645 69.169 568.117 65.724 576.013 60.769 c
576.013 -184.063 l
71.988 -184.063 l
h
0.0 sc
eofill
n
240.696 186.203 m
240.487 182.937 239.354 169.795 241.396 172.117 c
239.509 178.342 242.821 189.055 240.696 192.91 c
240.575 191.107 240.851 188.61 240.696 186.203 c
236.496 209.68 m
239.345 209.687 239.257 207.358 240.696 207.668 c
240.694 206.994 241.263 206.869 241.396 206.326 c
241.823 204.722 240.518 201.459 242.096 200.96 c
241.634 205.406 243.049 209.716 240.696 211.021 c
240.357 210.229 239.95 209.501 239.296 209.009 c
238.778 210.972 237.603 212.306 236.496 213.704 c
h
236.496 214.375 m
236.419 218.103 235.994 221.496 234.396 223.766 c
233.883 219.474 235.048 216.789 236.496 214.375 c
232.996 228.461 m
231.852 230.294 231.038 235.945 230.196 235.84 c
230.663 232.934 230.372 229.301 232.996 228.461 c
397.504 239.193 m
401.338 239.737 400.915 236.201 404.504 236.511 c
405.159 238.79 405.44 241.427 405.904 243.889 c
400.66 244.252 398.963 243.326 397.504 239.193 c
332.4 290.843 m
339.01 290.771 345.818 290.507 349.901 292.855 c
344.583 293.494 335.809 294.692 332.4 290.843 c
382.104 286.818 m
379.886 300.126 346.105 307.075 335.901 294.197 c
354.41 298.166 372.812 294.284 382.104 286.818 c
377.903 255.963 m
378.237 264.074 385.214 270.637 385.604 274.745 c
385.821 277.044 383.45 282.512 382.804 283.464 c
372.045 299.295 320.358 294.333 328.9 270.049 c
333.626 256.615 361.751 227.327 380.003 243.889 c
378.594 248.677 377.744 252.102 377.903 255.963 c
576.013 60.769 m
568.117 65.724 558.645 69.169 551.512 74.855 c
547.974 87.258 539.221 99.815 522.811 95.648 c
517.076 100.198 510.051 100.993 501.109 99.674 c
501.291 106.936 486.318 101.815 480.809 105.04 c
481.269 107.049 482.305 104.398 483.608 105.04 c
480.403 110.39 472.891 108.617 466.107 107.723 c
465.622 115.221 451.886 114.25 442.307 115.102 c
441.778 116.214 440.644 120.145 439.506 118.455 c
440.267 118.295 441.187 117.351 440.206 117.113 c
436.398 121.338 429.476 122.459 423.405 121.139 c
421.337 126.758 414.936 128.227 415.005 135.896 c
409.719 137.984 406.847 142.388 404.504 147.298 c
400.019 146.802 398.395 149.046 396.104 150.652 c
395.44 152.419 398.832 155.117 396.804 154.006 c
395.013 149.462 389.419 148.561 385.604 145.957 c
386.058 142.391 384.727 140.536 382.804 139.249 c
383.089 140.593 384.537 144.224 382.804 145.286 c
375.411 142.27 352.32 130.529 339.401 131.2 c
339.268 130.912 327.669 132.229 324.7 131.87 c
323.438 135.075 325.265 139.363 328.2 140.591 c
325.5 143.503 331.038 148.042 329.601 149.981 c
330.525 149.974 330.24 148.806 331.001 148.64 c
331.273 157.57 332.895 161.781 333.801 167.421 c
334.311 166.325 332.41 164.504 332.4 166.08 c
331.019 168.6 335.99 168.349 333.801 169.434 c
331.188 168.955 332.455 174.976 329.601 175.471 c
327.499 172.85 327.806 182.509 324.7 178.153 c
325.963 181.521 320.938 182.03 321.2 184.861 c
323.282 186.907 330.057 186.455 333.101 185.532 c
332.095 181.212 341.099 177.271 340.102 179.495 c
339.798 180.567 334.352 182.466 334.501 186.203 c
341.924 191.047 353.525 187.353 368.803 185.532 c
369.17 184.266 370.03 180.072 370.902 181.508 c
369.94 182.368 369.684 185.519 371.603 185.532 c
378.929 184.465 390.178 184.465 397.504 185.532 c
397.931 179.674 396.625 168.601 398.204 166.08 c
397.844 172.889 398.991 181.145 397.504 186.874 c
409.015 184.798 423.385 184.104 428.306 196.936 c
428.896 207.888 424.084 214.456 419.905 222.425 c
421.743 225.721 419.699 228.776 418.505 231.145 c
416.362 230.738 414.857 229.72 412.904 229.132 c
414.059 221.266 409.308 214.603 406.604 208.338 c
404.593 208.199 403.049 208.508 402.404 209.68 c
404.88 214.72 403.462 218.644 405.904 225.107 c
401.965 222.175 404.061 213.459 400.304 210.351 c
387.628 212.962 373.915 214.578 358.302 214.375 c
361.311 221.284 354.491 228.909 352.702 234.498 c
353.959 234.412 354.34 235.164 354.102 236.511 c
356.666 234.34 362.563 239.252 359.702 235.169 c
360.984 236.177 363.159 236.328 364.603 237.182 c
348.013 241.605 325.453 261.088 326.801 281.452 c
330.055 284.595 333.701 287.361 338.001 289.501 c
318.4 289.501 l
316.271 288.319 320.311 287.424 318.4 286.818 c
317.93 292.181 306.656 287.192 304.399 290.843 c
308.9 291.001 314.397 290.206 317.0 292.185 c
306.033 293.025 306.119 300.45 301.599 307.612 c
305.106 309.842 303.84 316.645 308.6 317.674 c
319.043 312.756 312.896 297.83 320.5 290.843 c
321.906 296.282 328.189 307.244 333.101 313.649 c
333.168 312.595 333.007 311.323 334.501 311.637 c
332.96 314.154 335.927 313.099 334.501 314.991 c
365.267 315.206 395.828 304.747 399.604 274.745 c
399.714 275.534 399.483 276.648 400.304 276.757 c
400.288 275.177 401.51 274.782 401.004 272.732 c
403.181 272.135 404.266 270.491 406.604 270.049 c
409.264 266.431 410.933 266.431 407.305 270.049 c
405.29 271.473 402.15 271.818 401.704 274.745 c
405.457 275.62 404.175 281.321 406.604 283.464 c
412.852 283.963 412.571 290.715 419.205 290.843 c
423.28 298.4 428.293 302.144 431.105 311.637 c
431.985 311.49 432.536 310.592 432.506 312.308 c
445.832 329.106 439.521 362.954 430.405 378.714 c
430.405 382.738 l
428.332 384.106 427.787 386.937 427.605 390.117 c
419.248 401.453 407.774 415.807 403.104 426.338 c
394.755 433.542 385.117 439.511 377.903 447.803 c
376.279 447.589 375.215 447.911 374.403 448.474 c
372.183 453.054 366.289 454.114 363.902 458.535 c
345.591 460.218 329.235 463.775 308.6 463.231 c
303.629 459.944 294.623 460.524 286.198 460.548 c
284.548 460.341 284.896 458.218 282.698 458.535 c
272.312 458.426 271.344 449.292 262.397 447.803 c
262.397 444.449 l
253.288 441.104 250.083 432.101 240.696 429.021 c
237.862 424.583 237.006 418.248 232.296 415.606 c
226.706 401.063 218.609 388.922 210.595 376.702 c
210.137 368.878 202.785 363.495 200.794 355.908 c
198.296 346.384 201.981 336.655 200.794 324.381 c
206.74 314.875 212.686 305.367 217.595 294.868 c
222.336 294.917 225.178 287.558 229.496 284.806 c
233.73 282.106 239.774 279.764 237.896 272.732 c
225.567 272.131 225.05 256.536 228.795 246.572 c
228.462 252.25 226.797 262.063 228.795 266.024 c
233.58 275.508 240.165 252.384 237.896 249.255 c
237.353 250.587 237.492 253.625 235.796 251.938 c
234.56 249.341 230.089 238.514 236.496 235.84 c
236.702 236.436 238.39 238.776 238.596 237.182 c
236.193 235.81 237.942 230.88 239.996 229.803 c
244.62 233.072 241.746 239.452 240.696 244.56 c
241.643 244.349 242.033 243.605 243.496 243.889 c
244.297 249.94 243.853 257.172 243.496 261.329 c
243.104 260.363 242.404 259.692 241.396 259.316 c
244.448 262.773 242.378 264.876 242.796 271.391 c
242.033 272.992 236.154 274.206 239.996 276.086 c
239.213 275.12 239.241 274.449 240.696 274.074 c
239.14 287.001 246.199 290.817 249.097 298.221 c
249.513 296.832 248.231 293.815 249.797 293.526 c
252.736 295.404 256.895 296.548 258.897 294.868 c
257.457 293.415 254.627 289.65 253.297 284.806 c
253.807 285.902 251.906 287.724 251.897 286.147 c
254.723 278.546 250.755 267.016 246.296 263.342 c
247.705 264.451 250.545 264.189 251.197 266.024 c
249.691 257.859 256.299 243.683 263.097 239.864 c
256.996 240.732 255.398 249.473 251.197 249.926 c
253.948 250.153 248.035 241.922 251.897 246.572 c
250.755 243.198 250.917 241.572 250.497 238.522 c
252.718 236.249 255.404 230.285 256.097 226.449 c
256.152 226.146 256.554 221.91 256.797 222.425 c
256.515 221.827 254.748 222.902 254.697 221.754 c
254.701 221.836 256.835 221.227 256.797 220.412 c
256.784 220.126 254.829 219.615 254.697 219.07 c
254.389 217.795 258.126 215.63 255.397 215.046 c
255.287 215.835 255.517 216.95 254.697 217.059 c
250.905 209.717 255.147 199.59 256.097 190.898 c
256.719 199.613 257.133 200.089 260.297 208.338 c
258.865 210.56 255.328 214.287 257.497 217.729 c
257.669 213.832 259.078 213.482 260.297 209.68 c
262.889 209.209 261.504 212.548 263.097 213.033 c
263.383 210.187 263.715 209.127 265.197 209.68 c
263.206 199.305 261.265 181.377 265.197 172.787 c
266.76 176.318 266.171 177.745 267.998 180.837 c
266.729 178.421 268.122 178.859 268.698 176.813 c
265.636 174.191 265.892 170.24 267.998 166.751 c
268.107 167.54 267.877 168.654 268.698 168.763 c
270.389 157.391 272.857 157.003 279.898 151.993 c
278.914 151.818 279.1 150.522 278.498 149.981 c
279.969 149.369 282.085 150.052 284.098 148.64 c
285.188 144.035 288.442 140.015 286.898 133.883 c
276.445 140.635 264.717 146.168 253.997 152.664 c
251.995 149.833 248.687 150.53 245.597 149.981 c
241.277 150.994 241.628 160.029 240.696 162.055 c
239.949 155.726 240.101 154.104 239.996 149.311 c
231.902 147.229 230.365 138.863 223.195 135.896 c
223.365 127.683 216.919 125.811 213.395 121.139 c
210.24 121.288 192.942 118.949 199.394 116.442 c
188.263 114.573 179.777 116.142 172.793 109.064 c
167.309 110.369 157.742 108.581 153.192 105.04 c
139.85 105.526 133.707 99.115 120.99 99.003 c
120.881 98.214 121.11 97.099 120.29 96.99 c
114.086 95.906 100.435 99.065 99.289 93.637 c
94.389 93.637 l
89.955 85.141 88.843 73.461 77.588 71.501 c
77.814 66.813 75.19 64.854 71.988 63.452 c
71.988 480.0 l
576.013 480.0 l
h
1.0 sc
eofill
n
342.901 235.84 m
341.979 234.264 340.95 232.791 341.501 229.803 c
341.568 229.305 344.233 229.305 344.302 229.803 c
345.819 229.916 344.618 227.424 345.001 226.449 c
344.008 226.507 343.019 226.56 342.901 225.778 c
342.873 224.781 347.06 224.808 343.602 224.437 c
346.073 220.098 349.92 217.076 352.702 213.033 c
348.997 213.229 347.513 211.298 343.602 211.692 c
344.768 213.025 343.538 212.545 343.602 214.375 c
340.802 213.493 332.971 217.131 331.001 215.046 c
331.371 215.585 331.73 216.135 331.701 217.059 c
334.604 217.24 334.429 216.178 336.601 217.059 c
337.299 219.963 335.819 220.78 335.201 222.425 c
339.512 222.925 331.932 230.026 331.001 233.827 c
328.866 233.86 327.437 233.218 326.801 231.815 c
331.089 229.888 332.215 224.93 334.501 221.083 c
333.542 220.153 330.279 220.442 330.301 222.425 c
329.084 220.907 325.35 221.802 324.7 219.741 c
322.566 222.616 318.209 223.359 319.1 229.132 c
321.143 228.964 321.516 230.396 322.6 231.145 c
319.959 233.483 317.352 235.7 318.4 239.864 c
316.006 236.907 318.358 241.653 317.0 243.889 c
317.567 243.762 317.698 243.216 318.4 243.219 c
317.262 245.379 318.066 246.853 318.4 249.255 c
317.719 249.236 317.857 248.435 317.7 247.914 c
316.914 254.621 321.13 260.632 322.6 269.378 c
327.501 269.378 l
329.249 254.955 333.62 243.046 342.901 235.84 c
eofill
n
347.102 380.726 m
344.37 368.122 324.934 355.586 308.6 363.957 c
323.285 358.619 342.493 366.581 347.102 380.726 c
eofill
n
356.202 361.944 m
356.512 362.919 356.816 361.876 357.602 361.944 c
358.583 362.182 357.662 363.125 356.902 363.286 c
364.802 365.927 367.71 354.423 371.603 353.225 c
370.078 351.941 361.791 360.525 356.202 361.944 c
eofill
n
373.703 359.261 m
380.271 359.289 383.562 350.378 386.304 344.504 c
382.952 347.559 377.983 354.863 373.703 359.261 c
eofill
n
384.203 341.151 m
375.564 343.608 363.754 348.833 354.802 353.225 c
355.885 354.838 359.67 352.818 357.602 355.908 c
362.604 356.229 364.142 353.23 368.803 353.225 c
368.272 351.497 366.568 350.894 363.902 351.212 c
370.329 346.707 378.763 347.249 384.203 341.151 c
eofill
n
374.403 348.529 m
376.373 349.005 380.734 349.4 382.804 347.188 c
381.842 345.873 378.514 346.826 377.203 345.846 c
376.57 347.029 375.637 347.923 374.403 348.529 c
eofill
n
260.997 355.237 m
260.31 354.33 259.129 353.896 258.197 353.225 c
258.216 352.572 259.054 352.704 259.597 352.554 c
261.628 353.248 257.699 351.692 257.497 351.883 c
256.148 352.788 258.894 355.418 260.997 355.237 c
eofill
n
389.804 348.529 m
396.251 343.751 398.708 335.149 401.704 327.064 c
397.984 334.951 394.293 340.481 389.804 348.529 c
eofill
n
387.703 337.797 m
386.21 338.901 391.721 334.498 393.304 337.797 c
394.12 336.791 395.325 336.157 395.404 334.443 c
394.59 334.552 394.158 334.295 394.004 333.772 c
396.705 332.1 399.797 327.266 401.004 326.394 c
399.437 325.275 391.603 334.546 387.703 337.797 c
eofill
n
396.804 304.258 m
370.621 337.958 292.652 339.057 256.797 313.649 c
253.665 311.43 249.687 307.003 246.997 307.612 c
272.046 333.811 337.156 340.858 375.803 323.04 c
379.809 321.193 383.931 317.518 387.703 314.991 c
391.957 312.142 398.016 309.765 396.804 304.258 c
eofill
n
251.897 298.221 m
251.216 298.24 251.354 299.042 251.197 299.563 c
250.516 299.544 250.653 298.742 250.497 298.221 c
249.397 299.756 252.251 303.222 254.697 303.587 c
253.02 299.924 252.015 302.573 251.897 298.221 c
eofill
n
335.901 294.197 m
346.105 307.075 379.886 300.126 382.104 286.818 c
372.812 294.284 354.41 298.166 335.901 294.197 c
0.0 sc
eofill
n
301.599 288.16 m
301.809 289.471 309.015 286.491 309.3 283.464 c
306.922 285.211 304.835 287.235 301.599 288.16 c
1.0 sc
eofill
n
312.8 282.123 m
311.96 286.438 323.645 285.683 326.801 283.464 c
324.377 282.989 315.108 285.945 312.8 282.123 c
eofill
n
311.4 281.452 m
313.662 279.421 312.958 273.594 311.4 271.391 c
310.998 273.175 311.106 277.181 311.4 281.452 c
eofill
n
306.5 252.609 m
306.632 253.37 307.202 252.981 307.2 252.609 c
308.208 252.761 307.443 254.611 308.6 254.621 c
305.037 254.656 308.989 257.6 308.6 259.987 c
310.588 257.381 308.51 252.941 307.899 250.597 c
306.891 250.749 307.655 252.599 306.5 252.609 c
eofill
n
301.599 257.976 m
300.955 253.22 294.173 248.55 289.699 245.23 c
291.614 248.768 299.028 252.832 301.599 257.976 c
eofill
n
295.999 225.107 m
294.028 224.43 296.192 222.259 295.999 221.083 c
292.96 223.265 295.535 228.251 297.399 229.803 c
295.592 238.216 302.201 243.472 307.2 245.901 c
307.21 240.92 309.641 239.792 310.0 234.498 c
304.666 240.863 295.785 231.439 303.0 227.791 c
302.618 223.684 301.256 220.518 300.899 216.388 c
298.21 218.106 296.472 219.969 295.999 225.107 c
eofill
n
230.196 235.84 m
231.038 235.945 231.852 230.294 232.996 228.461 c
230.372 229.301 230.663 232.934 230.196 235.84 c
0.0 sc
eofill
n
391.903 144.615 m
393.784 139.751 393.903 127.276 388.403 121.139 c
380.407 129.962 392.907 136.637 391.903 144.615 c
1.0 sc
eofill
n
382.104 138.578 m
378.804 131.006 365.544 127.169 354.102 125.163 c
363.15 129.907 375.081 131.892 382.104 138.578 c
eofill
n
348.502 88.271 m
346.583 87.678 349.868 85.295 347.102 86.929 c
346.735 79.582 353.492 75.701 352.702 70.16 c
348.807 79.973 342.099 86.468 331.701 90.283 c
330.764 88.077 331.902 89.168 329.601 88.271 c
330.914 93.947 334.361 103.381 335.901 111.076 c
333.572 113.316 330.774 115.108 327.501 116.442 c
325.433 115.859 329.125 115.438 328.2 113.76 c
321.9 113.76 l
321.146 115.474 324.914 116.107 322.6 117.113 c
327.116 118.04 332.525 120.177 337.301 119.797 c
340.976 119.504 344.115 116.428 347.802 116.442 c
351.11 116.456 353.471 118.58 356.202 119.126 c
364.62 120.807 372.736 121.118 380.703 125.834 c
383.324 100.964 362.053 98.986 349.201 88.941 c
349.984 87.547 349.956 87.52 348.502 88.271 c
eofill
n
354.102 69.489 m
357.465 63.991 360.545 58.223 363.902 52.72 c
365.701 52.784 364.903 55.338 366.702 55.402 c
366.496 56.998 364.809 54.657 364.603 54.062 c
363.447 54.155 365.335 56.859 364.603 58.757 c
366.326 58.617 369.969 56.951 370.203 60.098 c
369.607 60.222 369.542 59.837 369.503 59.428 c
372.338 60.687 363.245 49.29 359.002 46.683 c
359.512 44.853 357.611 45.332 357.602 44.0 c
356.621 44.236 357.542 45.181 358.302 45.341 c
357.673 46.527 356.612 47.3 356.202 48.695 c
360.926 58.399 354.707 62.384 354.102 69.489 c
eofill
n
513.71 33.938 m
513.585 27.31 516.797 25.973 517.21 21.193 c
520.433 25.449 524.141 16.739 528.41 19.852 c
528.859 22.295 525.076 20.682 524.91 22.535 c
532.165 29.572 519.671 43.435 513.71 33.938 c
499.009 35.95 m
498.933 28.274 501.324 22.965 510.21 23.877 c
517.523 31.475 505.278 45.055 499.009 35.95 c
483.608 43.329 m
473.862 36.4 489.757 11.258 498.309 27.23 c
495.953 26.805 496.118 23.964 492.709 24.547 c
484.476 24.824 479.798 42.453 489.209 42.658 c
494.111 42.765 494.484 35.844 497.609 35.279 c
496.105 36.745 497.28 40.778 495.509 41.987 c
492.297 42.364 487.997 46.449 483.608 43.329 c
461.207 24.547 m
460.608 33.383 459.174 43.407 458.407 50.036 c
487.951 46.82 517.488 43.596 545.911 39.305 c
547.661 30.473 549.29 21.523 550.812 12.474 c
550.441 11.44 550.081 12.431 550.111 13.145 c
550.369 14.285 549.565 14.41 548.712 14.485 c
520.27 18.535 489.498 20.354 461.207 24.547 c
eofill
n
513.71 -12.345 m
514.29 -14.766 522.841 -25.274 526.311 -16.369 c
526.042 -17.059 525.966 -15.34 526.311 -14.357 c
525.778 -15.878 530.232 -11.084 526.311 -9.662 c
528.308 -0.039 507.711 0.298 513.01 -10.333 c
512.75 -11.035 513.188 -10.168 513.71 -12.345 c
508.109 -14.357 m
508.067 -14.385 505.99 -12.608 508.109 -15.699 c
506.466 -15.913 505.481 -16.759 503.209 -16.369 c
501.104 -13.021 499.115 -9.56 499.709 -3.625 c
503.16 0.303 509.199 -5.246 508.109 -7.649 c
511.438 -7.439 507.689 -4.61 508.81 -2.283 c
495.225 4.92 494.452 -11.113 498.309 -11.004 c
495.951 -17.397 505.944 -20.3 510.909 -16.369 c
510.954 -14.092 510.089 -12.685 508.81 -11.674 c
510.044 -10.411 510.978 -12.592 511.609 -10.333 c
510.106 -9.09 506.481 -9.88 503.909 -9.662 c
505.396 -13.008 509.979 -13.119 508.109 -14.357 c
465.407 -3.625 m
466.97 -3.917 467.903 -4.811 468.207 -6.308 c
465.706 -4.497 467.644 -10.472 468.907 -12.345 c
466.355 -10.606 468.975 -13.419 468.207 -15.699 c
467.092 -15.825 464.534 -17.888 466.107 -18.382 c
470.16 -19.059 482.469 -22.261 483.608 -14.357 c
482.847 -17.136 491.803 -17.475 494.809 -16.369 c
493.89 -15.987 497.907 -12.704 494.809 -11.674 c
494.77 -14.549 489.864 -15.989 488.509 -13.687 c
488.235 -10.549 488.082 -11.458 487.809 -8.32 c
491.104 -7.623 491.329 -9.866 492.709 -11.004 c
492.587 -7.262 492.76 -3.865 490.608 -4.296 c
492.839 -5.624 489.197 -6.904 487.108 -6.308 c
487.525 -4.918 486.243 -1.901 487.809 -1.612 c
490.67 -3.498 488.209 -2.143 490.608 -1.612 c
492.255 -1.824 491.024 -4.792 493.409 -4.296 c
493.971 -1.969 492.366 -1.718 492.709 0.399 c
488.191 -0.451 481.102 3.483 480.108 -0.271 c
483.077 -0.355 483.722 -3.065 485.009 -2.954 c
483.574 -3.797 484.608 -5.908 483.608 -8.32 c
484.432 -8.426 485.596 -8.205 485.708 -8.991 c
482.286 -9.183 485.566 -11.446 486.408 -11.674 c
483.868 -11.028 485.82 -14.688 483.608 -14.357 c
483.46 -13.547 482.831 -13.945 482.208 -14.357 c
482.296 -12.679 483.544 -12.258 481.508 -11.674 c
481.235 -12.402 480.668 -13.285 481.508 -12.345 c
481.661 -14.077 478.034 -17.945 473.107 -17.04 c
470.458 -10.191 471.482 -1.868 469.607 4.424 c
470.708 4.488 472.035 4.334 471.708 5.766 c
471.514 6.73 460.44 8.643 461.907 5.766 c
462.18 6.795 462.747 5.864 461.907 5.095 c
466.096 5.308 466.209 1.615 467.508 -0.942 c
466.482 -0.953 465.289 1.887 465.407 -0.942 c
468.336 -0.688 466.172 -3.38 465.407 -3.625 c
544.512 2.412 m
546.644 -7.842 548.047 -18.796 550.111 -29.114 c
549.172 -28.673 548.808 -27.681 548.712 -26.432 c
507.654 -24.143 481.067 -21.219 447.206 -19.053 c
446.709 -9.633 444.775 2.329 444.406 11.803 c
472.271 8.489 512.655 5.229 544.512 2.412 c
eofill
n
465.407 -0.942 m
465.289 1.887 466.482 -0.953 467.508 -0.942 c
466.209 1.615 466.096 5.308 461.907 5.095 c
462.747 5.864 462.18 6.795 461.907 5.766 c
460.44 8.643 471.514 6.73 471.708 5.766 c
472.035 4.334 470.708 4.488 469.607 4.424 c
471.482 -1.868 470.458 -10.191 473.107 -17.04 c
478.034 -17.945 481.661 -14.077 481.508 -12.345 c
480.668 -13.285 481.235 -12.402 481.508 -11.674 c
483.544 -12.258 482.296 -12.679 482.208 -14.357 c
482.831 -13.945 483.46 -13.547 483.608 -14.357 c
485.82 -14.688 483.868 -11.028 486.408 -11.674 c
485.566 -11.446 482.286 -9.183 485.708 -8.991 c
485.596 -8.205 484.432 -8.426 483.608 -8.32 c
484.608 -5.908 483.574 -3.797 485.009 -2.954 c
483.722 -3.065 483.077 -0.355 480.108 -0.271 c
481.102 3.483 488.191 -0.451 492.709 0.399 c
492.366 -1.718 493.971 -1.969 493.409 -4.296 c
491.024 -4.792 492.255 -1.824 490.608 -1.612 c
488.209 -2.143 490.67 -3.498 487.809 -1.612 c
486.243 -1.901 487.525 -4.918 487.108 -6.308 c
489.197 -6.904 492.839 -5.624 490.608 -4.296 c
492.76 -3.865 492.587 -7.262 492.709 -11.004 c
491.329 -9.866 491.104 -7.623 487.809 -8.32 c
488.082 -11.458 488.235 -10.549 488.509 -13.687 c
489.864 -15.989 494.77 -14.549 494.809 -11.674 c
497.907 -12.704 493.89 -15.987 494.809 -16.369 c
491.803 -17.475 482.847 -17.136 483.608 -14.357 c
482.469 -22.261 470.16 -19.059 466.107 -18.382 c
464.534 -17.888 467.092 -15.825 468.207 -15.699 c
468.975 -13.419 466.355 -10.606 468.907 -12.345 c
467.644 -10.472 465.706 -4.497 468.207 -6.308 c
467.903 -4.811 466.97 -3.917 465.407 -3.625 c
466.172 -3.38 468.336 -0.688 465.407 -0.942 c
0.0 sc
eofill
n
503.909 -9.662 m
506.481 -9.88 510.106 -9.09 511.609 -10.333 c
510.978 -12.592 510.044 -10.411 508.81 -11.674 c
510.089 -12.685 510.954 -14.092 510.909 -16.369 c
505.944 -20.3 495.951 -17.397 498.309 -11.004 c
494.452 -11.113 495.225 4.92 508.81 -2.283 c
507.689 -4.61 511.438 -7.439 508.109 -7.649 c
509.199 -5.246 503.16 0.303 499.709 -3.625 c
499.115 -9.56 501.104 -13.021 503.209 -16.369 c
505.481 -16.759 506.466 -15.913 508.109 -15.699 c
505.99 -12.608 508.067 -14.385 508.109 -14.357 c
509.979 -13.119 505.396 -13.008 503.909 -9.662 c
eofill
n
520.01 -2.954 m
522.51 -5.376 523.174 -9.944 527.011 -11.004 c
524.954 -13.318 524.831 -13.35 524.21 -17.04 c
522.562 -17.025 522.149 -18.195 520.01 -17.711 c
519.215 -16.237 517.669 -15.482 517.21 -13.687 c
517.199 -15.384 515.373 -15.244 515.109 -12.345 c
518.12 -13.974 514.128 -5.783 516.51 -3.625 c
517.527 -3.258 520.128 -4.409 520.01 -2.954 c
1.0 sc
eofill
n
516.51 -3.625 m
514.128 -5.783 518.12 -13.974 515.109 -12.345 c
515.373 -15.244 517.199 -15.384 517.21 -13.687 c
517.669 -15.482 519.215 -16.237 520.01 -17.711 c
522.149 -18.195 522.562 -17.025 524.21 -17.04 c
524.831 -13.35 524.954 -13.318 527.011 -11.004 c
523.174 -9.944 522.51 -5.376 520.01 -2.954 c
520.128 -4.409 517.527 -3.258 516.51 -3.625 c
513.01 -10.333 m
507.711 0.298 528.308 -0.039 526.311 -9.662 c
530.232 -11.084 525.778 -15.878 526.311 -14.357 c
525.966 -15.34 526.042 -17.059 526.311 -16.369 c
522.841 -25.274 514.29 -14.766 513.71 -12.345 c
513.188 -10.168 512.75 -11.035 513.01 -10.333 c
0.0 sc
eofill
n
533.311 -57.957 m
531.124 -56.543 533.923 -54.238 531.211 -53.933 c
529.556 -54.807 529.861 -57.559 529.11 -59.299 c
533.097 -58.833 534.925 -60.436 538.911 -59.97 c
539.607 -57.969 539.688 -55.864 538.911 -55.274 c
538.501 -57.564 536.621 -58.446 533.311 -57.957 c
531.211 -49.237 m
530.808 -48.059 532.057 -45.297 530.511 -45.213 c
530.513 -45.585 529.943 -45.975 529.811 -45.213 c
530.942 -44.062 532.738 -43.547 535.411 -43.871 c
535.303 -44.768 536.511 -47.569 536.811 -45.884 c
535.43 -45.418 536.983 -42.141 535.411 -41.859 c
533.875 -43.528 526.524 -40.004 524.91 -42.529 c
526.494 -43.248 527.988 -44.052 529.11 -45.213 c
527.148 -45.871 530.127 -47.002 528.41 -47.896 c
532.328 -47.169 527.048 -52.794 531.211 -52.591 c
530.783 -52.629 530.382 -52.691 530.511 -53.262 c
531.926 -51.304 535.653 -50.172 536.811 -53.262 c
536.054 -50.916 535.984 -47.044 535.411 -47.896 c
535.333 -49.609 533.066 -49.228 531.211 -49.237 c
517.21 -58.628 m
521.196 -58.162 523.024 -59.765 527.011 -59.299 c
527.667 -58.732 528.506 -55.022 527.011 -54.604 c
526.601 -56.894 524.721 -57.775 521.41 -57.286 c
520.051 -51.876 518.526 -47.809 520.01 -41.188 c
517.195 -41.649 516.014 -40.545 513.71 -40.518 c
513.025 -43.823 516.34 -42.256 516.51 -43.2 c
515.503 -48.569 520.995 -55.437 517.21 -58.628 c
506.01 -48.566 m
504.687 -49.932 506.695 -55.79 505.31 -57.957 c
509.357 -57.433 511.294 -58.931 515.109 -58.628 c
515.107 -57.43 516.995 -54.726 515.109 -53.933 c
514.501 -55.586 513.479 -56.841 510.909 -56.616 c
507.021 -52.478 506.979 -45.906 508.109 -40.518 c
504.169 -40.451 505.05 -39.912 501.109 -39.847 c
503.802 -42.594 504.768 -45.967 506.01 -48.566 c
491.309 -57.286 m
495.507 -56.842 498.141 -57.895 501.81 -57.957 c
502.548 -57.26 503.255 -53.168 501.81 -52.591 c
499.905 -59.398 492.142 -53.92 495.509 -48.566 c
497.876 -48.534 498.546 -50.128 499.709 -51.25 c
498.921 -49.322 499.567 -46.02 498.309 -44.542 c
497.873 -47.376 496.754 -47.006 494.108 -46.555 c
494.625 -43.649 492.525 -42.399 494.809 -41.188 c
497.295 -40.841 498.587 -42.632 500.409 -44.542 c
500.186 -42.967 499.303 -42.024 499.709 -39.847 c
497.789 -39.646 490.268 -38.615 487.809 -39.176 c
489.694 -41.15 490.73 -43.675 492.709 -43.871 c
489.426 -46.578 494.073 -52.155 491.309 -57.286 c
478.008 -52.591 m
475.885 -52.569 476.264 -54.944 475.908 -56.616 c
487.108 -56.616 l
490.347 -52.326 487.916 -49.979 485.708 -45.884 c
488.177 -38.196 479.556 -37.093 472.408 -37.834 c
478.483 -43.708 475.183 -46.119 478.008 -52.591 c
459.107 -54.604 m
460.484 -55.52 463.105 -55.244 464.707 -55.945 c
464.99 -52.991 461.353 -53.794 462.607 -49.908 c
465.679 -48.632 467.864 -49.391 469.607 -51.92 c
468.448 -52.599 468.848 -54.77 468.207 -55.945 c
470.912 -55.813 473.366 -55.921 475.208 -56.616 c
470.361 -50.975 469.731 -41.293 464.008 -36.493 c
462.82 -42.957 462.148 -49.915 459.107 -54.604 c
447.906 -37.834 m
446.483 -45.169 454.046 -46.284 456.307 -51.92 c
454.958 -52.193 455.754 -54.521 453.507 -53.933 c
451.392 -52.158 449.906 -49.78 448.606 -47.225 c
447.19 -48.917 450.123 -50.738 449.307 -53.933 c
451.639 -54.157 452.412 -55.876 455.606 -55.274 c
461.496 -48.421 453.136 -43.367 449.307 -38.505 c
454.052 -35.555 454.473 -41.866 457.007 -43.2 c
456.104 -40.257 455.987 -39.606 455.606 -37.163 c
452.823 -35.775 449.713 -35.324 447.906 -37.834 c
437.406 -57.286 m
440.371 -59.115 442.306 -57.745 447.206 -58.628 c
446.944 -55.432 444.229 -56.3 443.006 -53.262 c
441.3 -49.024 443.648 -39.649 440.906 -34.48 c
441.452 -34.332 441.72 -33.919 441.606 -33.139 c
442.706 -33.075 444.033 -33.229 443.706 -31.797 c
441.124 -30.694 437.121 -30.952 433.906 -30.456 c
436.934 -34.807 439.159 -35.103 438.806 -40.518 c
438.804 -40.145 439.373 -39.756 439.506 -40.518 c
439.196 -41.807 437.896 -46.914 440.206 -47.225 c
438.474 -50.775 442.523 -53.217 437.406 -57.286 c
431.105 -26.432 m
468.391 -29.707 499.032 -31.887 538.911 -34.48 c
540.656 -45.776 543.232 -56.276 544.512 -68.019 c
543.348 -66.897 542.679 -65.303 540.312 -65.336 c
504.295 -63.707 467.277 -61.479 433.906 -59.299 c
432.988 -45.673 431.704 -38.723 431.105 -26.432 c
1.0 sc
eofill
n
428.306 -32.468 m
429.522 -34.865 431.135 -40.424 429.006 -41.859 c
429.978 -40.22 426.215 -35.179 428.306 -32.468 c
eofill
n
535.411 -47.896 m
535.984 -47.044 536.054 -50.916 536.811 -53.262 c
535.653 -50.172 531.926 -51.304 530.511 -53.262 c
530.382 -52.691 530.783 -52.629 531.211 -52.591 c
527.048 -52.794 532.328 -47.169 528.41 -47.896 c
530.127 -47.002 527.148 -45.871 529.11 -45.213 c
527.988 -44.052 526.494 -43.248 524.91 -42.529 c
526.524 -40.004 533.875 -43.528 535.411 -41.859 c
536.983 -42.141 535.43 -45.418 536.811 -45.884 c
536.511 -47.569 535.303 -44.768 535.411 -43.871 c
532.738 -43.547 530.942 -44.062 529.811 -45.213 c
529.943 -45.975 530.513 -45.585 530.511 -45.213 c
532.057 -45.297 530.808 -48.059 531.211 -49.237 c
533.066 -49.228 535.333 -49.609 535.411 -47.896 c
0.0 sc
eofill
n
464.707 -41.859 m
465.668 -42.06 464.521 -46.487 467.508 -46.555 c
467.42 -48.036 464.538 -46.839 463.308 -47.225 c
463.479 -45.154 464.017 -43.434 464.707 -41.859 c
1.0 sc
eofill
n
431.105 -53.933 m
429.917 -54.368 430.668 -55.475 431.806 -55.274 c
430.186 -58.35 427.934 -50.69 431.105 -51.25 c
431.234 -51.82 430.833 -51.883 430.405 -51.92 c
430.425 -52.572 431.263 -52.441 431.806 -52.591 c
431.375 -53.188 430.96 -53.791 431.806 -53.933 c
431.673 -54.694 431.104 -54.305 431.105 -53.933 c
eofill
n
538.911 -55.274 m
539.688 -55.864 539.607 -57.969 538.911 -59.97 c
534.925 -60.436 533.097 -58.833 529.11 -59.299 c
529.861 -57.559 529.556 -54.807 531.211 -53.933 c
533.923 -54.238 531.124 -56.543 533.311 -57.957 c
536.621 -58.446 538.501 -57.564 538.911 -55.274 c
0.0 sc
eofill
n
468.907 -82.105 m
467.16 -82.569 470.207 -83.895 469.607 -85.459 c
468.232 -83.845 466.108 -83.914 465.407 -86.13 c
463.758 -85.563 465.989 -83.188 466.107 -82.105 c
471.093 -79.012 478.185 -89.206 468.907 -82.105 c
eofill
n
509.51 -82.105 m
511.788 -80.185 515.938 -82.177 515.81 -84.788 c
514.552 -83.087 513.049 -81.62 509.51 -82.105 c
eofill
n
487.108 -84.117 m
485.948 -82.813 488.402 -81.903 490.608 -82.775 c
490.52 -83.979 491.466 -84.19 491.309 -85.459 c
489.495 -83.424 488.706 -84.772 486.408 -85.459 c
486.799 -84.863 488.515 -82.522 487.108 -84.117 c
eofill
n
469.607 -106.924 m
471.535 -106.088 473.003 -104.811 473.107 -102.229 c
471.944 -100.884 471.229 -99.11 468.907 -98.874 c
468.448 -100.67 466.902 -101.425 466.107 -102.898 c
466.982 -104.52 469.638 -104.436 469.607 -106.924 c
509.51 -101.558 m
512.524 -102.434 511.724 -99.654 513.01 -98.874 c
513.226 -100.456 515.44 -100.122 515.109 -102.229 c
514.409 -103.121 513.956 -104.253 513.01 -104.911 c
513.195 -103.538 510.294 -101.806 510.21 -102.898 c
512.107 -103.316 511.952 -105.701 514.41 -105.582 c
514.071 -103.469 516.559 -104.063 515.81 -101.558 c
514.94 -100.154 513.773 -99.036 512.31 -98.203 c
511.836 -99.762 509.983 -99.999 509.51 -101.558 c
491.309 -98.203 m
488.066 -98.293 488.341 -104.381 491.309 -106.253 c
497.375 -105.275 494.477 -98.116 491.309 -98.203 c
513.01 -90.154 m
510.521 -91.197 512.587 -87.876 510.909 -88.142 c
510.962 -89.311 510.753 -90.228 510.21 -90.825 c
513.488 -90.907 509.447 -91.802 510.21 -93.508 c
511.414 -93.243 512.004 -94.504 512.31 -93.508 c
511.883 -93.47 511.48 -93.408 511.609 -92.837 c
512.048 -90.549 516.63 -88.738 515.109 -86.801 c
514.579 -89.529 511.547 -88.388 513.01 -90.154 c
489.209 -92.167 m
492.325 -92.224 495.318 -88.66 494.108 -86.801 c
493.245 -89.326 491.068 -90.595 489.209 -92.167 c
470.308 -90.154 m
470.268 -90.563 470.203 -90.948 469.607 -90.825 c
468.905 -90.827 468.774 -90.281 468.207 -90.154 c
468.003 -90.566 466.466 -92.736 468.207 -92.837 c
468.221 -90.572 472.396 -91.906 473.808 -86.801 c
471.348 -89.656 469.983 -87.971 468.207 -89.483 c
469.031 -89.589 470.194 -89.368 470.308 -90.154 c
508.81 -85.459 m
509.056 -81.867 510.906 -84.757 512.31 -85.459 c
512.467 -84.19 511.521 -83.979 511.609 -82.775 c
508.109 -82.775 l
508.229 -83.779 507.859 -85.251 508.81 -85.459 c
515.81 -84.788 m
515.938 -82.177 511.788 -80.185 509.51 -82.105 c
513.049 -81.62 514.552 -83.087 515.81 -84.788 c
466.107 -82.105 m
465.989 -83.188 463.758 -85.563 465.407 -86.13 c
466.108 -83.914 468.232 -83.845 469.607 -85.459 c
470.207 -83.895 467.16 -82.569 468.907 -82.105 c
478.185 -89.206 471.093 -79.012 466.107 -82.105 c
486.408 -85.459 m
488.706 -84.772 489.495 -83.424 491.309 -85.459 c
491.466 -84.19 490.52 -83.979 490.608 -82.775 c
488.402 -81.903 485.948 -82.813 487.108 -84.117 c
488.515 -82.522 486.799 -84.863 486.408 -85.459 c
541.011 -75.397 m
543.693 -86.02 544.442 -98.493 545.911 -110.277 c
511.072 -109.362 462.218 -111.651 433.906 -112.29 c
432.56 -100.835 432.544 -88.105 431.105 -76.739 c
466.034 -76.428 504.953 -77.282 540.312 -75.397 c
h
1.0 sc
eofill
n
468.207 -89.483 m
469.983 -87.971 471.348 -89.656 473.808 -86.801 c
472.396 -91.906 468.221 -90.572 468.207 -92.837 c
466.466 -92.736 468.003 -90.566 468.207 -90.154 c
468.774 -90.281 468.905 -90.827 469.607 -90.825 c
470.203 -90.948 470.268 -90.563 470.308 -90.154 c
470.194 -89.368 469.031 -89.589 468.207 -89.483 c
0.0 sc
eofill
n
515.109 -86.801 m
516.63 -88.738 512.048 -90.549 511.609 -92.837 c
511.48 -93.408 511.883 -93.47 512.31 -93.508 c
512.004 -94.504 511.414 -93.243 510.21 -93.508 c
509.447 -91.802 513.488 -90.907 510.21 -90.825 c
510.753 -90.228 510.962 -89.311 510.909 -88.142 c
512.587 -87.876 510.521 -91.197 513.01 -90.154 c
511.547 -88.388 514.579 -89.529 515.109 -86.801 c
eofill
n
193.094 -98.203 m
192.393 -96.416 190.269 -95.992 188.894 -94.85 c
190.815 -92.836 192.126 -97.08 194.494 -96.862 c
190.452 -100.591 188.182 -106.018 179.093 -104.911 c
180.065 -102.266 185.312 -103.715 183.993 -98.874 c
184.688 -97.609 185.436 -101.911 185.394 -103.569 c
187.533 -101.372 189.207 -98.727 193.094 -98.203 c
1.0 sc
eofill
n
494.108 -103.569 m
494.412 -101.043 492.63 -100.515 491.309 -99.545 c
492.058 -102.051 489.57 -101.457 489.908 -103.569 c
491.783 -104.658 492.57 -105.11 494.108 -103.569 c
491.309 -106.253 m
488.341 -104.381 488.066 -98.293 491.309 -98.203 c
494.477 -98.116 497.375 -105.275 491.309 -106.253 c
0.0 sc
eofill
n
512.31 -98.203 m
513.773 -99.036 514.94 -100.154 515.81 -101.558 c
516.559 -104.063 514.071 -103.469 514.41 -105.582 c
511.952 -105.701 512.107 -103.316 510.21 -102.898 c
510.294 -101.806 513.195 -103.538 513.01 -104.911 c
513.956 -104.253 514.409 -103.121 515.109 -102.229 c
515.44 -100.122 513.226 -100.456 513.01 -98.874 c
511.724 -99.654 512.524 -102.434 509.51 -101.558 c
509.983 -99.999 511.836 -99.762 512.31 -98.203 c
eofill
n
469.607 -99.545 m
470.349 -102.044 468.134 -101.71 467.508 -102.898 c
469.481 -103.02 468.381 -106.087 471.008 -105.582 c
470.971 -104.428 471.546 -103.862 472.408 -103.569 c
472.242 -101.493 470.46 -100.965 469.607 -99.545 c
466.107 -102.898 m
466.902 -101.425 468.448 -100.67 468.907 -98.874 c
471.229 -99.11 471.944 -100.884 473.107 -102.229 c
473.003 -104.811 471.535 -106.088 469.607 -106.924 c
469.638 -104.436 466.982 -104.52 466.107 -102.898 c
eofill
n
495.509 41.987 m
497.28 40.778 496.105 36.745 497.609 35.279 c
494.484 35.844 494.111 42.765 489.209 42.658 c
479.798 42.453 484.476 24.824 492.709 24.547 c
496.118 23.964 495.953 26.805 498.309 27.23 c
489.757 11.258 473.862 36.4 483.608 43.329 c
487.997 46.449 492.297 42.364 495.509 41.987 c
eofill
n
440.206 -47.225 m
437.896 -46.914 439.196 -41.807 439.506 -40.518 c
439.373 -39.756 438.804 -40.145 438.806 -40.518 c
439.159 -35.103 436.934 -34.807 433.906 -30.456 c
437.121 -30.952 441.124 -30.694 443.706 -31.797 c
444.033 -33.229 442.706 -33.075 441.606 -33.139 c
441.72 -33.919 441.452 -34.332 440.906 -34.48 c
443.648 -39.649 441.3 -49.024 443.006 -53.262 c
444.229 -56.3 446.944 -55.432 447.206 -58.628 c
442.306 -57.745 440.371 -59.115 437.406 -57.286 c
442.523 -53.217 438.474 -50.775 440.206 -47.225 c
eofill
n
516.51 -43.2 m
516.34 -42.256 513.025 -43.823 513.71 -40.518 c
516.014 -40.545 517.195 -41.649 520.01 -41.188 c
518.526 -47.809 520.051 -51.876 521.41 -57.286 c
524.721 -57.775 526.601 -56.894 527.011 -54.604 c
528.506 -55.022 527.667 -58.732 527.011 -59.299 c
523.024 -59.765 521.196 -58.162 517.21 -58.628 c
520.995 -55.437 515.503 -48.569 516.51 -43.2 c
eofill
n
484.309 -55.274 m
485.772 -52.598 485.405 -51.125 484.309 -48.566 c
482.665 -48.353 481.681 -47.507 479.408 -47.896 c
479.966 -50.419 479.157 -55.492 484.309 -55.274 c
478.708 -45.213 m
480.301 -45.538 482.284 -46.543 483.608 -45.213 c
483.77 -42.599 482.104 -41.735 481.508 -39.847 c
478.708 -39.847 l
477.185 -41.067 480.231 -43.992 478.708 -45.213 c
472.408 -37.834 m
479.556 -37.093 488.177 -38.196 485.708 -45.884 c
487.916 -49.979 490.347 -52.326 487.108 -56.616 c
475.908 -56.616 l
476.264 -54.944 475.885 -52.569 478.008 -52.591 c
475.183 -46.119 478.483 -43.708 472.408 -37.834 c
eofill
n
492.709 -43.871 m
490.73 -43.675 489.694 -41.15 487.809 -39.176 c
490.268 -38.615 497.789 -39.646 499.709 -39.847 c
499.303 -42.024 500.186 -42.967 500.409 -44.542 c
498.587 -42.632 497.295 -40.841 494.809 -41.188 c
492.525 -42.399 494.625 -43.649 494.108 -46.555 c
496.754 -47.006 497.873 -47.376 498.309 -44.542 c
499.567 -46.02 498.921 -49.322 499.709 -51.25 c
498.546 -50.128 497.876 -48.534 495.509 -48.566 c
492.142 -53.92 499.905 -59.398 501.81 -52.591 c
503.255 -53.168 502.548 -57.26 501.81 -57.957 c
498.141 -57.895 495.507 -56.842 491.309 -57.286 c
494.073 -52.155 489.426 -46.578 492.709 -43.871 c
eofill
n
501.109 -39.847 m
505.05 -39.912 504.169 -40.451 508.109 -40.518 c
506.979 -45.906 507.021 -52.478 510.909 -56.616 c
513.479 -56.841 514.501 -55.586 515.109 -53.933 c
516.995 -54.726 515.107 -57.43 515.109 -58.628 c
511.294 -58.931 509.357 -57.433 505.31 -57.957 c
506.695 -55.79 504.687 -49.932 506.01 -48.566 c
504.768 -45.967 503.802 -42.594 501.109 -39.847 c
eofill
Q
Q
Q
[/EMC PDFMark5
PDFVars/TermAll get exec end end
%%PageTrailer
%%Trailer
%%EOF
\ No newline at end of file
Binary file doc-src/TutorialI/pghead.pdf has changed
--- a/doc-src/TutorialI/preface.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-\chapter*{Preface}
-\markboth{Preface}{Preface}
-
-This volume is a self-contained introduction to interactive proof
-in higher-order logic (HOL), using the proof assistant Isabelle. 
-It is written for potential users rather
-than for our colleagues in the research world.
-
-The book has three parts.  
-\begin{itemize}
-\item 
-The first part, \textbf{Elementary Techniques},
-shows how to model functional programs in higher-order logic.  Early
-examples involve lists and the natural numbers.  Most proofs
-are two steps long, consisting of induction on a chosen variable
-followed by the \isa{auto} tactic.  But even this elementary part
-covers such advanced topics as nested and mutual recursion.
-\item 
-The second part, \textbf{Logic and Sets}, presents a collection of
-lower-level tactics that you can use to apply rules selectively.  It
-also describes Isabelle/HOL's treatment of sets, functions and
-relations and explains how to define sets inductively.  One of the
-examples concerns the theory of model checking, and another is drawn
-from a classic textbook on formal languages.
-\item 
-The third part, \textbf{Advanced Material}, describes a variety of other
-topics.  Among these are the real numbers, records and overloading.  Advanced
-techniques for induction and recursion are described.  A whole chapter is
-devoted to an extended example: the verification of a security protocol.
-\end{itemize}
-
-The typesetting relies on Wenzel's theory presentation tools.  An
-annotated source file is run, typesetting the theory
-in the form of a \LaTeX\ source file.  This book is derived almost entirely
-from output generated in this way.  The final chapter of Part~I explains how
-users may produce their own formal documents in a similar fashion.
-
-Isabelle's \hfootref{http://isabelle.in.tum.de/}{web site} contains
-links to the download area and to documentation and other information.
-The classic Isabelle user interface is Proof~General~/ Emacs by David
-Aspinall's\index{Aspinall, David}.  This book says very little about
-Proof General, which has its own documentation.
-
-This tutorial owes a lot to the constant discussions with and the valuable
-feedback from the Isabelle group at Munich: Stefan Berghofer, Olaf
-M{\"u}ller, Wolfgang Naraschewski, David von Oheimb, Leonor Prensa Nieto,
-Cornelia Pusch, Norbert Schirmer and Martin Strecker. Stephan
-Merz was also kind enough to read and comment on a draft version.  We
-received comments from Stefano Bistarelli, Gergely Buday, John Matthews
-and Tanja Vos.
-
-The research has been funded by many sources, including the {\sc dfg} grants
-NI~491/2, NI~491/3, NI~491/4, NI~491/6, {\sc bmbf} project Verisoft, the {\sc
-epsrc} grants GR/K57381, GR/K77051, GR/M75440, GR/R01156/01 GR/S57198/01 and
-by the \textsc{esprit} working groups 21900 and IST-1999-29001 (the
-\emph{Types} project).
--- a/doc-src/TutorialI/tutorial.sty	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,191 +0,0 @@
-% tutorial.sty : Isabelle Tutorial Page Layout
-%
-\typeout{Document Style tutorial. Released 9 July 2001}
-
-\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
-\hyphenation{data-type data-types co-data-type co-data-types }
-
-%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
-\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
-
-
-%%%INDEXING  use isa-index to process the index
-
-\newcommand\seealso[2]{\emph{see also} #1}
-\usepackage{makeidx}
-
-%index, putting page numbers of definitions in boldface
-\def\bold#1{\textbf{#1}}
-\newcommand\fnote[1]{#1n}
-\newcommand\indexbold[1]{\index{#1|bold}}
-
-% The alternative to \protect\isa in the indexing macros is
-% \noexpand\noexpand \noexpand\isa
-% need TWO levels of \noexpand to delay the expansion of \isa:
-%  the \noexpand\noexpand will leave one \noexpand, to be given to the
-%  (still unexpanded) \isa token.  See TeX by Topic, page 122.
-
-%%%% for indexing constants, symbols, theorems, ...
-\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
-\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
-\newcommand\sdxpos[2]{\isa{#1}\index{#2@\protect\isa{#1} (symbol)}}
-
-\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
-\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
-
-\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
-\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
-\newcommand\tcdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type class)}}
-\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
-
-\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
-\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
-\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
-\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
-\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
-\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
-\newcommand\pgdx[1]{\pgmenu{#1}\index{#1@\protect\pgmenu{#1} (Proof General)}}
-
-%set argument in \bf font and index in ROMAN font (for definitions in text!)
-\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
-
-\newcommand\rmindex[1]{{#1}\index{#1}\@}
-\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
-\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
-
-\newcommand{\isadxpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}}\@}
-\newcommand{\isadxboldpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}|bold}\@}
-
-%Commented-out the original versions to see what the index looks like without them.
-%   In any event, they need to use \isa or \protect\isa rather than \texttt.
-%%\newcommand{\indexboldpos}[2]{#1\index{#2@#1|bold}\@}
-%%\newcommand{\ttindexboldpos}[2]{\texttt{#1}\index{#2@\texttt{#1}|bold}\@}
-\newcommand{\indexboldpos}[2]{#1\@}
-\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
-
-%\newtheorem{theorem}{Theorem}[section]
-\newtheorem{Exercise}{Exercise}[section]
-\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
-\newcommand{\ttlbr}{\texttt{[|}}
-\newcommand{\ttrbr}{\texttt{|]}}
-\newcommand{\ttor}{\texttt{|}}
-\newcommand{\ttall}{\texttt{!}}
-\newcommand{\ttuniquex}{\texttt{?!}}
-\newcommand{\ttEXU}{\texttt{EX!}}
-\newcommand{\ttAnd}{\texttt{!!}}
-
-\newcommand{\isasymignore}{}
-\newcommand{\isasymimp}{\isasymlongrightarrow}
-\newcommand{\isasymImp}{\isasymLongrightarrow}
-\newcommand{\isasymFun}{\isasymRightarrow}
-\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
-\renewcommand{\S}{Sect.\ts}
-
-\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
-
-\newif\ifremarks
-\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
-
-%names of Isabelle rules
-\newcommand{\rulename}[1]{\hfill(#1)}
-\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
-
-%%%% meta-logical connectives
-
-\let\Forall=\bigwedge
-\let\Imp=\Longrightarrow
-\let\To=\Rightarrow
-\newcommand{\Var}[1]{{?\!#1}}
-
-%%% underscores as ordinary characters, not for subscripting
-%%  use @ or \sb for subscripting; use \at for @
-%%  only works in \tt font
-%%  must not make _ an active char; would make \ttindex fail!
-\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
-\gdef\underscoreon{\catcode`\_=8\makeatother}
-\chardef\other=12
-\chardef\at=`\@
-
-% alternative underscore
-\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
-
-
-%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
-\def\warnbang{\vtop to 0pt{\vss\hbox{\Huge\bf!\!!}\vss}}
-\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000 
-         \small %%WAS\baselineskip=0.9\baselineskip
-         \noindent \hangindent\parindent \hangafter=-2 
-         \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}%
-        {\par\endgroup\medbreak}
-
-%%%% ``PROOF GENERAL'' environment
-\def\pghead{\lower3pt\vbox to 0pt{\vss\hbox{\includegraphics[width=12pt]{pghead}}\vss}}
-\newenvironment{pgnote}{\medskip\medbreak\begingroup \clubpenalty=10000 
-         \small \noindent \hangindent\parindent \hangafter=-2 
-         \hbox to0pt{\hskip-\hangindent \pghead\hfill}\ignorespaces}%
-  {\par\endgroup\medbreak}
-\newcommand{\pgmenu}[1]{\textsf{#1}}
-
-
-%%%% Standard logical symbols
-\let\turn=\vdash
-\let\conj=\wedge
-\let\disj=\vee
-\let\imp=\rightarrow
-\let\bimp=\leftrightarrow
-\newcommand\all[1]{\forall#1.}  %quantification
-\newcommand\ex[1]{\exists#1.}
-\newcommand{\pair}[1]{\langle#1\rangle}
-
-\newcommand{\lparr}{\mathopen{(\!|}}
-\newcommand{\rparr}{\mathclose{|\!)}}
-\newcommand{\fs}{\mathpunct{,\,}}
-\newcommand{\ty}{\mathrel{::}}
-\newcommand{\asn}{\mathrel{:=}}
-\newcommand{\more}{\ldots}
-\newcommand{\record}[1]{\lparr #1 \rparr}
-\newcommand{\dtt}{\mathord.}
-
-\newcommand\lbrakk{\mathopen{[\![}}
-\newcommand\rbrakk{\mathclose{]\!]}}
-\newcommand\List[1]{\lbrakk#1\rbrakk}  %was \obj
-\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
-\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
-\newcommand{\Text}[1]{\mbox{#1}}
-
-\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
-\newcommand{\dsh}{\mathit{\dshsym}}
-
-\let\int=\cap
-\let\un=\cup
-\let\inter=\bigcap
-\let\union=\bigcup
-
-\def\ML{{\sc ml}}
-\def\AST{{\sc ast}}
-
-%macros to change the treatment of symbols
-\def\relsemicolon{\mathcode`\;="303B}   %treat ; like a relation
-\def\binperiod{\mathcode`\.="213A}   %treat . like a binary operator
-\def\binvert{\mathcode`\|="226A}     %treat | like a binary operator
-
-%redefinition of \sloppy and \fussy to use \emergencystretch
-\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
-\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
-
-%non-bf version of description
-\def\descrlabel#1{\hspace\labelsep #1}
-\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
-\let\enddescr\endlist
-
-% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
-% generate text italic rather than math italic by default. This makes
-% multi-letter identifiers look better. The mathcode for character c
-% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
-%
-\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
-\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
-        \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
-        \advance\count0 by1 \advance\count1 by1 \repeat}}
-\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
-\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
--- a/doc-src/TutorialI/tutorial.tex	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,99 +0,0 @@
-\documentclass{article}
-%%\includeonly{Types/types} %%UNCOMMENT to process only selected chapters
-\usepackage{cl2emono-modified,../../lib/texinputs/isabelle,../../lib/texinputs/isabellesym}
-\usepackage{../proof,amsmath,amsfonts}
-\usepackage{latexsym,wasysym,verbatim,graphicx,tutorial,../ttbox,comment}
-\usepackage{eurosym}
-\usepackage[english]{babel}
-\usepackage{../pdfsetup}   
-%last package!
-
-\remarkstrue          %TRUE causes remarks to be displayed (as marginal notes)
-%\remarksfalse
-
-\makeindex
-
-\index{conditional expressions|see{\isa{if} expressions}}
-\index{primitive recursion|see{recursion, primitive}}
-\index{product type|see{pairs and tuples}}
-\index{structural induction|see{induction, structural}}
-\index{termination|see{functions, total}}
-\index{tuples|see{pairs and tuples}}
-\index{*<*lex*>|see{lexicographic product}}
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}  %% {secnumdepth}{2}???
-
-\pagestyle{headings}
-
-
-\begin{document}
-\title{
-\begin{center}
-\includegraphics[scale=.8]{isabelle_hol}
-       \\ \vspace{0.5cm} A Proof Assistant for Higher-Order Logic
-\end{center}}
-\author{Tobias Nipkow \quad Lawrence C. Paulson \quad Markus Wenzel%\\[1ex]
-%Technische Universit{\"a}t M{\"u}nchen \\
-%Institut f{\"u}r Informatik \\[1ex]
-%University of Cambridge\\
-%Computer Laboratory
-}
-\pagenumbering{roman}
-\maketitle
-\newpage
-
-%\setcounter{page}{5}
-%\vspace*{\fill}
-%\begin{center}
-%\LARGE In memoriam \\[1ex]
-%{\sc Annette Schumann}\\[1ex]
-%1959 -- 2001
-%\end{center}
-%\vspace*{\fill}
-%\vspace*{\fill}
-%\newpage
-
-\include{preface}
-
-\tableofcontents
-
-\cleardoublepage\pagenumbering{arabic}
-
-\part{Elementary Techniques}
-\include{basics}
-\include{fp}
-\include{Documents/documents}
-
-\part{Logic and Sets}
-\include{Rules/rules}
-\include{Sets/sets}
-\include{Inductive/inductive}
-
-\part{Advanced Material}
-\include{Types/types}
-\include{Advanced/advanced}
-\include{Protocol/protocol}
-
-\markboth{}{}
-\cleardoublepage
-\vspace*{\fill}
-\begin{flushright}
-\begin{tabular}{l}
-{\large\sf\slshape You know my methods. Apply them!}\\[1ex]
-Sherlock Holmes
-\end{tabular}
-\end{flushright}
-\vspace*{\fill}
-\vspace*{\fill}
-
-\underscoreoff
-
-\include{appendix}
-
-\bibliographystyle{plain}
-\bibliography{../manual}
-\underscoreoff
-\printindex
-\end{document}
--- a/doc-src/gfx/Isa-logics.eps	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,753 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%BoundingBox: 106 651 274 788
-%%Title: (Isa-logics)
-%%Creator: (ClarisDraw: LaserWriter 8 8.1.1)
-%%CreationDate: (9:19 pm Wednesday, April 24, 1996)
-%%For: (Larry)
-%%Pages: 1
-%%DocumentFonts: Times-Roman
-%%DocumentNeededFonts: Times-Roman
-%%DocumentSuppliedFonts:
-%%DocumentData: Clean7Bit
-%%PageOrder: Ascend
-%%Orientation: Portrait
-%ADO_PaperArea: -124 -112 3244 2268
-%ADO_ImageableArea: 0 0 3124 2152
-%%EndComments
-/md 148 dict def md begin
-/currentpacking where {pop /sc_oldpacking currentpacking def true setpacking}if
-%%BeginFile: adobe_psp_basic
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/bd{bind def}bind def
-/xdf{exch def}bd
-/xs{exch store}bd
-/ld{load def}bd
-/Z{0 def}bd
-/T/true
-/F/false
-/:L/lineto
-/lw/setlinewidth
-/:M/moveto
-/rl/rlineto
-/rm/rmoveto
-/:C/curveto
-/:T/translate
-/:K/closepath
-/:mf/makefont
-/gS/gsave
-/gR/grestore
-/np/newpath
-14{ld}repeat
-/$m matrix def
-/av 81 def
-/por true def
-/normland false def
-/psb-nosave{}bd
-/pse-nosave{}bd
-/us Z
-/psb{/us save store}bd
-/pse{us restore}bd
-/level2
-/languagelevel where
-{
-pop languagelevel 2 ge
-}{
-false
-}ifelse
-def
-/featurecleanup
-{
-stopped
-cleartomark
-countdictstack exch sub dup 0 gt
-{
-{end}repeat
-}{
-pop
-}ifelse
-}bd
-/noload Z
-/startnoload
-{
-{/noload save store}if
-}bd
-/endnoload
-{
-{noload restore}if
-}bd
-level2 startnoload
-/setjob
-{
-statusdict/jobname 3 -1 roll put
-}bd
-/setcopies
-{
-userdict/#copies 3 -1 roll put
-}bd
-level2 endnoload level2 not startnoload
-/setjob
-{
-1 dict begin/JobName xdf currentdict end setuserparams
-}bd
-/setcopies
-{
-1 dict begin/NumCopies xdf currentdict end setpagedevice
-}bd
-level2 not endnoload
-/pm Z
-/mT Z
-/sD Z
-/realshowpage Z
-/initializepage
-{
-/pm save store mT concat
-}bd
-/endp
-{
-pm restore showpage
-}def
-/$c/DeviceRGB def
-/rectclip where
-{
-pop/rC/rectclip ld
-}{
-/rC
-{
-np 4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-:K
-clip np
-}bd
-}ifelse
-/rectfill where
-{
-pop/rF/rectfill ld
-}{
-/rF
-{
-gS
-np
-4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-fill
-gR
-}bd
-}ifelse
-/rectstroke where
-{
-pop/rS/rectstroke ld
-}{
-/rS
-{
-gS
-np
-4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-:K
-stroke
-gR
-}bd
-}ifelse
-%%EndFile
-%%BeginFile: adobe_psp_colorspace_level1
-%%Copyright: Copyright 1991-1993 Adobe Systems Incorporated. All Rights Reserved.
-/G/setgray ld
-/:F/setrgbcolor ld
-%%EndFile
-%%BeginFile: adobe_psp_uniform_graphics
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/@a
-{
-np :M 0 rl :L 0 exch rl 0 rl :L fill
-}bd
-/@b
-{
-np :M 0 rl 0 exch rl :L 0 rl 0 exch rl fill
-}bd
-/arct where
-{
-pop
-}{
-/arct
-{
-arcto pop pop pop pop
-}bd
-}ifelse
-/x1 Z
-/x2 Z
-/y1 Z
-/y2 Z
-/rad Z
-/@q
-{
-/rad xs
-/y2 xs
-/x2 xs
-/y1 xs
-/x1 xs
-np
-x2 x1 add 2 div y1 :M
-x2 y1 x2 y2 rad arct
-x2 y2 x1 y2 rad arct
-x1 y2 x1 y1 rad arct
-x1 y1 x2 y1 rad arct
-fill
-}bd
-/@s
-{
-/rad xs
-/y2 xs
-/x2 xs
-/y1 xs
-/x1 xs
-np
-x2 x1 add 2 div y1 :M
-x2 y1 x2 y2 rad arct
-x2 y2 x1 y2 rad arct
-x1 y2 x1 y1 rad arct
-x1 y1 x2 y1 rad arct
-:K
-stroke
-}bd
-/@i
-{
-np 0 360 arc fill
-}bd
-/@j
-{
-gS
-np
-:T
-scale
-0 0 .5 0 360 arc
-fill
-gR
-}bd
-/@e
-{
-np
-0 360 arc
-:K
-stroke
-}bd
-/@f
-{
-np
-$m currentmatrix
-pop
-:T
-scale
-0 0 .5 0 360 arc
-:K
-$m setmatrix
-stroke
-}bd
-/@k
-{
-gS
-np
-:T
-0 0 :M
-0 0 5 2 roll
-arc fill
-gR
-}bd
-/@l
-{
-gS
-np
-:T
-0 0 :M
-scale
-0 0 .5 5 -2 roll arc
-fill
-gR
-}bd
-/@m
-{
-np
-arc
-stroke
-}bd
-/@n
-{
-np
-$m currentmatrix
-pop
-:T
-scale
-0 0 .5 5 -2 roll arc
-$m setmatrix
-stroke
-}bd
-%%EndFile
-%%BeginFile: adobe_psp_customps
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/$t Z
-/$p Z
-/$s Z
-/$o 1. def
-/2state? false def
-/ps Z
-level2 startnoload
-/pushcolor/currentrgbcolor ld
-/popcolor/setrgbcolor ld
-/setcmykcolor where
-{
-pop/currentcmykcolor where
-{
-pop/pushcolor/currentcmykcolor ld
-/popcolor/setcmykcolor ld
-}if
-}if
-level2 endnoload level2 not startnoload
-/pushcolor
-{
-currentcolorspace $c eq
-{
-currentcolor currentcolorspace true
-}{
-currentcmykcolor false
-}ifelse
-}bd
-/popcolor
-{
-{
-setcolorspace setcolor
-}{
-setcmykcolor
-}ifelse
-}bd
-level2 not endnoload
-/pushstatic
-{
-ps
-2state?
-$o
-$t
-$p
-$s
-}bd
-/popstatic
-{
-/$s xs
-/$p xs
-/$t xs
-/$o xs
-/2state? xs
-/ps xs
-}bd
-/pushgstate
-{
-save errordict/nocurrentpoint{pop 0 0}put
-currentpoint
-3 -1 roll restore
-pushcolor
-currentlinewidth
-currentlinecap
-currentlinejoin
-currentdash exch aload length
-np clippath pathbbox
-$m currentmatrix aload pop
-}bd
-/popgstate
-{
-$m astore setmatrix
-2 index sub exch
-3 index sub exch
-rC
-array astore exch setdash
-setlinejoin
-setlinecap
-lw
-popcolor
-np :M
-}bd
-/bu
-{
-pushgstate
-gR
-pushgstate
-2state?
-{
-gR
-pushgstate
-}if
-pushstatic
-pm restore
-mT concat
-}bd
-/bn
-{
-/pm save store
-popstatic
-popgstate
-gS
-popgstate
-2state?
-{
-gS
-popgstate
-}if
-}bd
-/cpat{pop 64 div G 8{pop}repeat}bd
-%%EndFile
-%%BeginFile: adobe_psp_basic_text
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/S/show ld
-/A{
-0.0 exch ashow
-}bd
-/R{
-0.0 exch 32 exch widthshow
-}bd
-/W{
-0.0 3 1 roll widthshow
-}bd
-/J{
-0.0 32 4 2 roll 0.0 exch awidthshow
-}bd
-/V{
-0.0 4 1 roll 0.0 exch awidthshow
-}bd
-/fcflg true def
-/fc{
-fcflg{
-vmstatus exch sub 50000 lt{
-(%%[ Warning: Running out of memory ]%%\r)print flush/fcflg false store
-}if pop
-}if
-}bd
-/$f[1 0 0 -1 0 0]def
-/:ff{$f :mf}bd
-/MacEncoding StandardEncoding 256 array copy def
-MacEncoding 39/quotesingle put
-MacEncoding 96/grave put
-/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute
-/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave
-/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute
-/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis
-/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
-/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash
-/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation
-/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash
-/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft
-/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
-/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge
-/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl
-/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
-/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave
-/Oacute/Ocircumflex/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde
-/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron
-MacEncoding 128 128 getinterval astore pop
-level2 startnoload
-/copyfontdict
-{
-findfont dup length dict
-begin
-{
-1 index/FID ne{def}{pop pop}ifelse
-}forall
-}bd
-level2 endnoload level2 not startnoload
-/copyfontdict
-{
-findfont dup length dict
-copy
-begin
-}bd
-level2 not endnoload
-md/fontname known not{
-/fontname/customfont def
-}if
-/Encoding Z
-/:mre
-{
-copyfontdict
-/Encoding MacEncoding def
-fontname currentdict
-end
-definefont :ff def
-}bd
-/:bsr
-{
-copyfontdict
-/Encoding Encoding 256 array copy def
-Encoding dup
-}bd
-/pd{put dup}bd
-/:esr
-{
-pop pop
-fontname currentdict
-end
-definefont :ff def
-}bd
-/scf
-{
-scalefont def
-}bd
-/scf-non
-{
-$m scale :mf setfont
-}bd
-/ps Z
-/fz{/ps xs}bd
-/sf/setfont ld
-/cF/currentfont ld
-/mbf
-{
-/makeblendedfont where
-{
-pop
-makeblendedfont
-/ABlend exch definefont
-}{
-pop
-}ifelse
-def
-}def
-%%EndFile
-/currentpacking where {pop sc_oldpacking setpacking}if
-end		% md
-%%EndProlog
-%%BeginSetup
-md begin
-/pT[1 0 0 -1 28 811]def/mT[.25 0 0 -.25 28 811]def
-/sD 16 dict def
-%%IncludeFont: Times-Roman
-/f0_1/Times-Roman :mre
-/f0_40 f0_1 40 scf
-/Courier findfont[10 0 0 -10 0 0]:mf setfont
-%PostScript Hack by Mike Brors 12/7/90
-/DisableNextSetRGBColor
-	{
-	userdict begin
-	/setrgbcolor 
-		{
-		pop
-		pop
-		pop
-		userdict begin
-		/setrgbcolor systemdict /setrgbcolor get def
-		end
-		} def
-	end
-} bind def
-/bcarray where {
-	pop
-	bcarray 2 {
-		/da 4 ps div def
-		df setfont gsave cs wi
-		1 index 0 ne{exch da add exch}if grestore setcharwidth
-		cs 0 0 smc da 0 smc da da smc 0 da smc c
-		gray
-		{ gl}
-		{1 setgray}ifelse
-		da 2. div dup moveto show
-	}bind put
-} if
-%
-% Used to snap to device pixels, 1/4th of the pixel in.
-/stp {  % x y  pl  x y                % Snap To Pixel, pixel  (auto stroke adjust)
-	transform
-	0.25 sub round 0.25 add exch
-	0.25 sub round 0.25 add exch
-	itransform
-} bind def
-
-/snapmoveto { % x y  m  -             % moveto, auto stroke adjust
-	stp  moveto
-} bind def
-
-/snaplineto { % x y  l  -             % lineto, auto stroke adjust
-	stp lineto
-} bind def
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-initializepage
-%%EndPageSetup
-gS 0 0 2152 3124 rC
-0 0 :M
-.25 0 translate
-/DrawObject_save_matrix_0 matrix currentmatrix def
-0 0 2152 2912 rC
--40 -12 :M
-DrawObject_save_matrix_0 setmatrix
-/DrawObject_save_matrix_0 matrix currentmatrix def
--40 -12 :M
-/DrawObject_save_matrix_1 matrix currentmatrix def
-0 0 2152 2911 rC
--40 -12 :M
-/DrawObject_save_matrix_2 matrix currentmatrix def
--40 -12 :M
-DrawObject_save_matrix_2 setmatrix
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-558 556 208 48 rC
-558 556 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 553 520 218 84 rC
-558 592 :M
-f0_40 sf
--.055(Pure Isabelle)A
-gR
-gS 0 0 2152 2912 rC
-4 lw
-518 528 806 636 32 @s
-168 24 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-426 422 -4 4 538 526 4 426 418 @a
-426 418 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
--4 -4 790 530 4 4 894 418 @b
-786 526 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-588 422 -4 4 610 526 4 588 418 @a
-588 418 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
--4 -4 718 530 4 4 732 418 @b
-714 526 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-376 364 92 48 rC
-376 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 371 328 102 84 rC
-376 400 :M
-f0_40 sf
--.286(IFOL)A
-gR
-gS 556 364 76 48 rC
-556 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 551 328 86 84 rC
-556 400 :M
-f0_40 sf
--.273(CTT)A
-gR
-gS 700 364 84 48 rC
-700 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 695 328 94 84 rC
-700 400 :M
-f0_40 sf
--.094(HOL)A
-gR
-gS 880 364 56 48 rC
-880 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 875 328 66 84 rC
-880 400 :M
-f0_40 sf
--.311(LK)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 916 361 4 4 912 285 @b
-4 lw
-912 357 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-320 94 :M
-/DrawObject_save_matrix_2 matrix currentmatrix def
-336 152 -4 4 394 220 4 336 148 @a
-336 148 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
--4 -4 430 224 4 4 480 148 @b
-426 220 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
-320 94 48 48 rC
-320 94 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
-gR
-gS 315 58 58 84 rC
-320 130 :M
-f0_40 sf
--.67(ZF)A
-gR
-gS 448 94 76 48 rC
-448 94 :M
-DrawObject_save_matrix_2 setmatrix
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 443 58 86 84 rC
-448 130 :M
-f0_40 sf
--.175(LCF)A
-gR
-gS 860 178 116 96 rC
-gR
-gS 855 142 126 132 rC
-860 214 :M
-f0_40 sf
--.106(Modal)A
-975 262 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-860 262 :M
--.077(  logics)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 412 360 4 4 408 284 @b
-4 lw
-408 356 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-376 228 76 48 rC
-376 228 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 371 192 86 84 rC
-376 264 :M
-f0_40 sf
--.273(FOL)A
-gR
-gS 680 230 132 48 rC
-680 230 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 675 194 142 84 rC
-680 266 :M
-f0_40 sf
--.026(HOLCF)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 748 361 4 4 744 285 @b
-4 lw
-744 357 :M
-DrawObject_save_matrix_1 setmatrix
-DrawObject_save_matrix_0 setmatrix
-endp
-%%Trailer
-end		% md
-%%EOF
Binary file doc-src/gfx/Isa-logics.pdf has changed
Binary file doc-src/gfx/typedef.pdf has changed
--- a/doc-src/gfx/typedef.ps	Tue Aug 28 13:15:15 2012 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,2461 +0,0 @@
-%!PS-Adobe-3.0
-%%Title: (new.pdf)
-%%Version: 1 3
-%%DocumentData: Clean7Bit
-%%LanguageLevel: 2
-%%BoundingBox: 155 328 457 464
-%%Pages: 1
-%%DocumentProcessColors: (atend)
-%%DocumentSuppliedResources: (atend)
-%%EndComments
-%%BeginDefaults
-%%EndDefaults
-%%BeginProlog
-%%EndProlog
-%%BeginSetup
-%%BeginResource: l2check
-%%Copyright: Copyright 1993 Adobe Systems Incorporated. All Rights Reserved.
-systemdict /languagelevel known
-{ systemdict /languagelevel get 1 eq }
-{ true }
-ifelse
-{
-initgraphics /Helvetica findfont 18 scalefont setfont
-72 600 moveto (Error: Your printer driver needs to be configured) dup show
-72 580 moveto (for printing to a PostScript Language Level 1 printer.) dup show
-exch = =
-/Helvetica-Bold findfont 16 scalefont setfont
-72 520 moveto (Windows and Unix) show
-/Times-Roman findfont 16 scalefont setfont
-72 500 moveto (Select ªLanguage Level 1º in the PostScript options section) show
-72 480 moveto (of the Acrobat print dialog.) show
-/Helvetica-Bold findfont 16 scalefont setfont
-72 440 moveto (Macintosh) show
-/Times-Roman findfont 16 scalefont setfont
-72 420 moveto (In the Chooser, select your printer driver.) show
-72 400 moveto (Then select your printer and click the Setup button.) show
-72 380 moveto (Follow any on-screen dialogs that may appear.) show
-showpage
-quit
-}
-if
-%%EndResource
-/currentpacking where{pop currentpacking true setpacking}if
-%%BeginResource: procset pdfvars
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Version: 4.0 2
-%%Title: definition of dictionary of variables used by PDF & PDFText procsets
-userdict /PDF 160 dict put
-userdict /PDFVars 86 dict dup begin put
-/_save 0 def
-/_cshow 0 def
-/InitAll 0 def
-/TermAll 0 def
-/DocInitAll 0 def
-/DocTermAll 0 def
-/_lp /none def
-/_doClip 0 def
-/sfc 0 def
-/_sfcs 0 def
-/_sfc 0 def
-/ssc 0 def
-/_sscs 0 def
-/_ssc 0 def
-/_fcs 0 def
-/_scs 0 def
-/_fp 0 def
-/_sp 0 def
-/AGM_MAX_CS_COMPONENTS 10 def
-/_fillColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
-/_strokeColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
-/_fc null def
-/_sc null def
-/DefaultGray [/DeviceGray] def
-/DefaultRGB [/DeviceRGB] def
-/DefaultCMYK [/DeviceCMYK] def
-/_inT false def
-/_tr -1 def
-/_rise 0 def
-/_ax 0 def
-/_cx 0 def
-/_ld 0 def
-/_tm matrix def
-/_ctm matrix def
-/_mtx matrix def
-/_hy (-) def
-/_fScl 0 def
-/_hs 1 def
-/_pdfEncodings 2 array def
-/_baselineadj 0 def
-/_fTzero false def
-/_Tj 0 def
-/_italMtx [1 0 .212557 1 0 0] def
-/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
-/_italMtxType0 [1 0 .1062785 1 0 0] def
-/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
-/_basefont 0 def
-/_basefonto 0 def
-/_pdf_oldCIDInit null def
-/_pdf_FontDirectory 30 dict def
-/_categories 10 dict def
-/_sa? true def
-/_op? false def
-/_OP? false def
-/_opmode 0 def
-/_ColorSep5044? false def
-/_tmpcolr? [] def
-/_tmpop? {} def
-/_processColors 0 def
-/_defaulttransfer currenttransfer def
-/_defaultflatness currentflat def
-/_defaulthalftone null def
-/_defaultcolortransfer null def
-/_defaultblackgeneration null def
-/_defaultundercolorremoval null def
-/_defaultcolortransfer null def
-end
-%%EndResource
-PDFVars begin PDF begin
-%%BeginResource: procset pdfutil
-%%Copyright: Copyright 1993-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Version: 4.0 2
-%%Title: Basic utilities used by other PDF procsets
-/bd {bind def} bind def
-/ld {load def} bd
-/bld {
-dup length dict begin
-{ null def } forall
-bind
-end
-def
-} bd
-/dd { PDFVars 3 1 roll put } bd
-/xdd { exch dd } bd
-/Level2?
-systemdict /languagelevel known
-{ systemdict /languagelevel get 2 ge } { false } ifelse
-def
-/Level3?
-systemdict /languagelevel known
-{systemdict /languagelevel get 3 eq } { false } ifelse
-def
-/getifknown {
-2 copy known { get true } { pop pop false } ifelse
-} bd
-/here {
-currentdict exch getifknown
-} bd
-/isdefined? { where { pop true } { false } ifelse } bd
-/StartLoad { dup dup not { /_save save dd } if } bd
-/EndLoad { if not { _save restore } if } bd
-%%EndResource
-%%BeginResource: procset pdf
-%%Version: 4.0 3
-%%Copyright: Copyright 1998-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: General operators for PDF, common to all Language Levels.
-[/b/B/b*/B*/BDC/BI/BMC/BT/BX/c/cm/cs/CS/d/d0/d1/Do/DP/EI/EMC/ET/EX/f/f*/g/G/gs
-/h/i/j/J/k/K/l/m/M/MP/n/q/Q/re/rg/RG/ri/s/S/sc/SC/scn/SCN/sg/Tc/Td/TD/Tf/Tj/TJ
-/TL/Tm/Tr/Ts/Tw/Tz/T*/v/w/W/W*/y/'/"
-/applyInterpFunc/applystitchFunc/domainClip/EF/encodeInput/gsDI/ilp/icl
-/initgs/int/limit/PS/rangeClip/RC/rf/makePat/csfamily 
-/? /! /| /: /+ /GetGlyphDirectory
-] {null def} bind forall
-/v { currentpoint 6 2 roll c } bd
-/y { 2 copy c } bd
-/h/closepath ld
-/d/setdash ld
-/j/setlinejoin ld
-/J/setlinecap ld
-/M/setmiterlimit ld
-/w/setlinewidth ld
-/i {
-dup 0 eq { pop _defaultflatness } if
-setflat
-} bd
-/gsDI {
-begin
-/OP here { /_OP? xdd } if
-/op here { /_op? xdd }
-{ /OP here { /_op? xdd } if }
-ifelse
-/OPM here { /_opmode xdd } if
-/Font here { aload pop Tf } if
-/LW here { w } if
-/LC here { J } if
-/LJ here { j } if
-/ML here { M } if
-/D here { aload pop d } if
-end
-} bd
-/ilp { /_lp /none dd } bd
-/icl { /_doClip 0 dd } bd
-/W { /_doClip 1 dd } bd
-/W* { /_doClip 2 dd } bd
-/n {
-{{} {clip} {eoclip}} _doClip get exec
-icl
-newpath
-} bd
-/s { h S } bd
-/B { q f Q S } bd
-/B* { q f* Q S } bd
-/b { h B } bd
-/b* { h B* } bd
-/q/save ld
-/Q { restore ilp } bd
-/GetCSFamily {
-dup type /arraytype eq {0 get} if
-} bd
-/GetCompsDict
-11 dict begin
-/DeviceGray { pop 1 } bd
-/DeviceRGB { pop 3 } bd
-/DeviceCMYK { pop 4 } bd
-/CIEBasedA { pop 1 } bd
-/CIEBasedABC { pop 3 } bd
-/CIEBasedDEF { pop 3 } bd
-/CIEBasedDEFG { pop 4 } bd
-/DeviceN { 1 get length } bd
-/Separation { pop 1 } bd
-/Indexed { pop 1 } bd
-/Pattern { pop 0 } bd
-currentdict
-end
-def
-/GetComps {
-GetCompsDict
-1 index GetCSFamily
-get exec
-} bd
-/cs
-{
-dup _fcs eq
-{ pop }
-{ dup /_fcs xdd
-GetComps
-_fillColors exch get
-/_fc xdd
-/_fp null dd
-} ifelse
-} bd
-/CS
-{
-dup _scs eq
-{ pop }
-{ dup /_scs xdd GetComps _strokeColors exch get /_sc xdd /_sp null dd }
-ifelse
-} bd
-/sc {
-_fc astore pop
-ilp
-} bd
-/SC {
-_sc astore pop
-ilp
-} bd
-/g { DefaultGray cs sc } bd
-/rg { DefaultRGB cs sc } bd
-/k { DefaultCMYK cs sc } bd
-/G { DefaultGray CS SC } bd
-/RG { DefaultRGB CS SC } bd
-/K { DefaultCMYK CS SC } bd
-/cm { _mtx astore concat } bd
-/re {
-4 2 roll m
-1 index 0 rlineto
-0 exch rlineto
-neg 0 rlineto
-h
-} bd
-/RC/rectclip ld
-/EF/execform ld
-/PS { cvx exec } bd
-/initgs {
-/DefaultGray [/DeviceGray] dd
-/DefaultRGB [/DeviceRGB] dd
-/DefaultCMYK [/DeviceCMYK] dd
-0 g 0 G
-[] 0 d
-0 j
-0 J
-10 M
-1 w
-true setSA
-/_op? false dd
-/_OP? false dd
-/_opmode 0 dd
-/_defaulttransfer load settransfer
-0 i
-/RelativeColorimetric ri
-newpath
-} bd
-/int {
-dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
-exch pop add exch pop
-} bd
-/limit {
-dup 2 index le { exch } if pop
-dup 2 index ge { exch } if pop
-} bd
-/domainClip {
-Domain aload pop 3 2 roll
-limit
-} [/Domain] bld
-/applyInterpFunc {
-0 1 DimOut 1 sub
-{
-dup C0 exch get exch
-dup C1 exch get exch
-3 1 roll
-1 index sub
-3 index
-N exp mul add
-exch
-currentdict /Range_lo known
-{
-dup Range_lo exch get exch
-Range_hi exch get
-3 2 roll limit
-}
-{
-pop
-}
-ifelse
-exch
-} for
-pop
-} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
-/encodeInput {
-NumParts 1 sub
-0 1 2 index
-{
-dup Bounds exch get
-2 index gt
-{ exit }
-{ dup
-3 index eq
-{ exit }
-{ pop } ifelse
-} ifelse
-} for
-3 2 roll pop
-dup Bounds exch get exch
-dup 1 add Bounds exch get exch
-2 mul
-dup Encode exch get exch
-1 add Encode exch get
-int
-} [/NumParts /Bounds /Encode] bld
-/rangeClip {
-exch dup Range_lo exch get
-exch Range_hi exch get
-3 2 roll
-limit
-} [/Range_lo /Range_hi] bld
-/applyStitchFunc {
-Functions exch get exec
-currentdict /Range_lo known {
-0 1 DimOut 1 sub {
-DimOut 1 add -1 roll
-rangeClip
-} for
-} if
-} [/Functions /Range_lo /DimOut] bld
-%%EndResource
-%%BeginResource: procset pdflev2
-%%Version: 4.0 5
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%LanguageLevel: 2
-%%Title: PDF operators, with code specific for Level 2
-/_defaulthalftone currenthalftone dd
-/_defaultblackgeneration currentblackgeneration dd
-/_defaultundercolorremoval currentundercolorremoval dd
-/_defaultcolortransfer [currentcolortransfer] dd
-/initialize {
-_defaulthalftone sethalftone
-/_defaultblackgeneration load setblackgeneration
-/_defaultundercolorremoval load setundercolorremoval
-_defaultcolortransfer aload pop setcolortransfer
-false setoverprint
-<</MaxFormItem 0>> setuserparams
-} bd
-/terminate { } bd
-/m/moveto ld
-/l/lineto ld
-/c/curveto ld
-/setSA/setstrokeadjust ld
-/defineRes/defineresource ld
-/findRes/findresource ld
-currentglobal
-true systemdict /setglobal get exec
-[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource]
-{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
-forall
-systemdict /setglobal get exec
-/ri
-{
-/findcolorrendering isdefined?
-{
-mark exch
-findcolorrendering
-counttomark 2 eq
-{ type /booleantype eq
-{ dup type /nametype eq
-{ dup /ColorRendering resourcestatus
-{ pop pop
-dup /DefaultColorRendering ne
-{
-/ColorRendering findresource
-setcolorrendering
-} if
-} if
-} if
-} if
-} if
-cleartomark
-}
-{ pop
-} ifelse
-} bd
-/_sfcs {_fcs setcolorspace} bind dd
-/_sscs {_scs setcolorspace} bind dd
-/_sfc
-{
-_fc aload pop
-_fp null eq
-{ setcolor }
-{ _fp setpattern }
-ifelse
-} bind dd
-/_ssc
-{
-_sc aload pop
-_sp null eq { setcolor} { _sp setpattern } ifelse
-} bind dd
-/scn {
-dup type /dicttype eq
-{ dup /_fp xdd
-/PaintType get 1 eq
-{ /_fc _fillColors 0 get dd ilp }
-{ /_fc _fillColors
-_fcs 1 get
-GetComps get dd
-sc
-}
-ifelse
-}
-{ sc }
-ifelse
-} bd
-/SCN {
-dup type /dicttype eq
-{ dup /_sp xdd
-/PaintType get 1 eq
-{ /_sc _strokeColors 0 get dd ilp }
-{ /_sc _strokeColors _scs 1 get GetComps get dd
-SC
-}
-ifelse
-}
-{ SC }
-ifelse
-} bd
-/gs
-{
-begin
-/SA here { setstrokeadjust } if
-/BG here { setblackgeneration } if
-/UCR here { setundercolorremoval } if
-/FL here { i } if
-/RI here { ri } if
-/TR here
-{
-dup xcheck
-{ settransfer }
-{ aload pop setcolortransfer }
-ifelse
-} if
-/sethalftonephase isdefined? { /HTP here { sethalftonephase } if } if
-/HT here { sethalftone } if
-currentdict gsDI
-end
-} bd
-/sfc {
-_op? setoverprint
-_lp /fill ne {
-_sfcs
-_sfc
-/_lp /fill dd
-} if
-} dd
-/ssc {
-_OP? setoverprint
-_lp /stroke ne {
-_sscs
-_ssc
-/_lp /stroke dd
-} if
-} dd
-/f {
-{ { sfc fill }
-{gsave sfc fill grestore clip newpath icl ilp}
-{gsave sfc fill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/f* {
-{ { sfc eofill }
-{gsave sfc eofill grestore clip newpath icl ilp}
-{gsave sfc eofill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/S {
-{ { ssc stroke }
-{gsave ssc stroke grestore clip newpath icl ilp}
-{gsave ssc stroke grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/rf {
-{ { sfc rectfill }
-{gsave sfc rectfill grestore clip newpath icl ilp}
-{gsave sfc rectfill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/knownColorants? {
-pop false
-} bd
-/makePat {
-gsave
-dup /Matrix get concat
-matrix makepattern
-grestore
-/MadePattern defineRes pop
-} bd
-%%EndResource
-%%BeginResource: procset spots
-%%Version: 4.0 1
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: Predefined (named) spot functions for PDF
-21 dict dup begin
-/CosineDot
-{ 180 mul cos exch 180 mul cos add 2 div } bd
-/Cross
-{ abs exch abs 2 copy gt { exch } if pop neg } bd
-/Diamond
-{ abs exch abs 2 copy add .75 le
-{ dup mul exch dup mul add 1 exch sub }
-{ 2 copy add 1.23 le
-{ .85 mul add 1 exch sub }
-{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
-ifelse }
-ifelse } bd
-/Double
-{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add } bd
-/DoubleDot
-{ 2 { 360 mul sin 2 div exch } repeat add } bd
-/Ellipse
-{ abs exch abs 2 copy 3 mul exch 4 mul add 3 sub dup 0 lt
-{ pop dup mul exch .75 div dup mul add 4 div
-1 exch sub }
-{ dup 1 gt
-{pop 1 exch sub dup mul exch 1 exch sub
-.75 div dup mul add 4 div 1 sub }
-{ .5 exch sub exch pop exch pop }
-ifelse }
-ifelse } bd
-/EllipseA
-{ dup mul .9 mul exch dup mul add 1 exch sub } bd
-/EllipseB
-{ dup 5 mul 8 div mul exch dup mul exch add sqrt 1 exch sub } bd
-/EllipseC
-{ dup mul exch dup mul .9 mul add 1 exch sub } bd
-/InvertedDouble
-{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add neg } bd
-/InvertedDoubleDot
-{ 2 { 360 mul sin 2 div exch } repeat add neg } bd
-/InvertedEllipseA
-{ dup mul .9 mul exch dup mul add 1 sub } bd
-/InvertedEllipseC
-{ dup mul exch dup mul .9 mul add 1 sub } bd
-/InvertedSimpleDot
-{ dup mul exch dup mul add 1 sub } bd
-/Line
-{ exch pop abs neg } bd
-/LineX
-{ pop } bd
-/LineY
-{ exch pop } bd
-/Rhomboid
-{ abs exch abs 0.9 mul add 2 div } bd
-/Round
-{ abs exch abs 2 copy add 1 le
-{ dup mul exch dup mul add 1 exch sub }
-{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
-ifelse } bd
-/SimpleDot
-{ dup mul exch dup mul add 1 exch sub } bd
-/Square
-{ abs exch abs 2 copy lt { exch } if pop neg } bd
-end
-{ /Function defineRes pop } forall
-%%EndResource
-%%BeginResource: procset pdftext
-%%Version: 4.0 2
-%%Copyright: Copyright 1987-1998 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: Text operators for PDF
-PDF /PDFText 75 dict dup begin put
-/docinitialize
-{
-/resourcestatus where {
-pop
-/CIDParams /ProcSet resourcestatus {
-pop pop
-false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
-} if
-} if
-PDF begin
-PDFText /_pdfDefineIdentity-H known
-{ PDFText /_pdfDefineIdentity-H get exec}
-if
-end
-} bd
-/initialize {
-PDFText begin
-/_intT false dd
-0 Tr
-} bd
-/terminate { end } bd
-/_safeput
-{
-Level2? not
-{
-2 index load dup dup length exch maxlength ge
-{ dup length 5 add dict copy
-3 index xdd
-}
-{ pop }
-ifelse
-}
-if
-3 -1 roll load 3 1 roll put
-}
-bd
-/pdf_has_composefont? systemdict /composefont known def
-/CopyFont {
-{
-1 index /FID ne 2 index /UniqueID ne and
-{ def } { pop pop } ifelse
-} forall
-} bd
-/Type0CopyFont
-{
-exch
-dup length dict
-begin
-CopyFont
-[
-exch
-FDepVector
-{
-dup /FontType get 0 eq
-{
-1 index Type0CopyFont
-/_pdfType0 exch definefont
-}
-{
-/_pdfBaseFont exch
-2 index exec
-}
-ifelse
-exch
-}
-forall
-pop
-]
-/FDepVector exch def
-currentdict
-end
-} bd
-/cHexEncoding
-[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
-/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
-/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
-/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
-/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
-/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
-/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
-/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
-/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
-/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
-/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
-/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
-/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
-/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
-/modEnc {
-/_enc xdd
-/_icode 0 dd
-counttomark 1 sub -1 0
-{
-index
-dup type /nametype eq
-{
-_enc _icode 3 -1 roll put
-_icode 1 add
-}
-if
-/_icode xdd
-} for
-cleartomark
-_enc
-} bd
-/trEnc {
-/_enc xdd
-255 -1 0 {
-exch dup -1 eq
-{ pop /.notdef }
-{ Encoding exch get }
-ifelse
-_enc 3 1 roll put
-} for
-pop
-_enc
-} bd
-/TE {
-/_i xdd
-StandardEncoding 256 array copy modEnc
-_pdfEncodings exch _i exch put
-} bd
-/TZ
-{
-/_usePDFEncoding xdd
-findfont
-dup length 6 add dict
-begin
-{
-1 index /FID ne { def } { pop pop } ifelse
-} forall
-/pdf_origFontName FontName def
-/FontName exch def
-_usePDFEncoding 0 ge
-{
-/Encoding _pdfEncodings _usePDFEncoding get def
-pop
-}
-{
-_usePDFEncoding -1 eq
-{
-counttomark 0 eq
-{ pop }
-{
-Encoding 256 array copy
-modEnc /Encoding exch def
-}
-ifelse
-}
-{
-256 array
-trEnc /Encoding exch def
-}
-ifelse
-}
-ifelse
-pdf_EuroProcSet pdf_origFontName known
-{
-pdf_origFontName pdf_AddEuroGlyphProc
-} if
-FontName currentdict
-end
-definefont pop
-}
-bd
-/Level2?
-systemdict /languagelevel known
-{systemdict /languagelevel get 2 ge}
-{false}
-ifelse
-def
-Level2?
-{
-/_pdfFontStatus
-{
-currentglobal exch
-/Font resourcestatus
-{pop pop true}
-{false}
-ifelse
-exch setglobal
-} bd
-}
-{
-/_pdfFontStatusString 50 string def
-_pdfFontStatusString 0 (fonts/) putinterval
-/_pdfFontStatus
-{
-FontDirectory 1 index known
-{ pop true }
-{
-_pdfFontStatusString 6 42 getinterval
-cvs length 6 add
-_pdfFontStatusString exch 0 exch getinterval
-{ status } stopped
-{pop false}
-{
-{ pop pop pop pop true}
-{ false }
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-ifelse
-Level2?
-{
-/_pdfCIDFontStatus
-{
-/CIDFont /Category resourcestatus
-{
-pop pop
-/CIDFont resourcestatus
-{pop pop true}
-{false}
-ifelse
-}
-{ pop false }
-ifelse
-} bd
-}
-if
-/_pdfString100 100 string def
-/_pdfComposeFontName
-{
-dup length 1 eq
-{
-0 get
-1 index
-type /nametype eq
-{
-_pdfString100 cvs
-length dup dup _pdfString100 exch (-) putinterval
-_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
-2 index exch cvs length
-add 1 add _pdfString100 exch 0 exch getinterval
-exch pop
-true
-}
-{
-pop pop
-false
-}
-ifelse
-}
-{
-false
-}
-ifelse
-dup {exch cvn exch} if
-} bd
-/_pdfConcatNames
-{
-exch
-_pdfString100 cvs
-length dup dup _pdfString100 exch (-) putinterval
-_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
-3 -1 roll exch cvs length
-add 1 add _pdfString100 exch 0 exch getinterval
-cvn
-} bind def
-/_pdfTextTempString 50 string def
-/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
-/_pdf_CheckSupplements
-{
-1 index _pdfTextTempString cvs
-false
-_pdfRegOrderingArray
-{
-2 index exch
-anchorsearch
-{ pop pop pop true exit}
-{ pop }
-ifelse
-}
-forall
-exch pop
-{
-/CIDFont findresource
-/CIDSystemInfo get /Supplement get
-exch /CMap findresource
-/CIDSystemInfo get
-dup type /dicttype eq
-{/Supplement get}
-{pop 0 }
-ifelse
-ge
-}
-{ pop pop true }
-ifelse
-} bind def
-pdf_has_composefont?
-{
-/_pdfComposeFont
-{
-2 copy _pdfComposeFontName not
-{
-2 index
-}
-if
-(pdf) exch _pdfConcatNames
-dup _pdfFontStatus
-{ dup findfont 5 2 roll pop pop pop true}
-{
-4 1 roll
-1 index /CMap resourcestatus
-{
-pop pop
-true
-}
-{false}
-ifelse
-1 index true exch
-{
-_pdfCIDFontStatus not
-{pop false exit}
-if
-}
-forall
-and
-{
-1 index 1 index 0 get _pdf_CheckSupplements
-{
-3 -1 roll pop
-2 index 3 1 roll
-composefont true
-}
-{
-pop pop exch pop false
-}
-ifelse
-}
-{
-_pdfComposeFontName
-{
-dup _pdfFontStatus
-{
-exch pop
-1 index exch
-findfont definefont true
-}
-{
-pop exch pop
-false
-}
-ifelse
-}
-{
-exch pop
-false
-}
-ifelse
-}
-ifelse
-{ true }
-{
-dup _pdfFontStatus
-{ dup findfont true }
-{ pop false }
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-{
-/_pdfComposeFont
-{
-_pdfComposeFontName not
-{
-dup
-}
-if
-dup
-_pdfFontStatus
-{exch pop dup findfont true}
-{
-1 index
-dup type /nametype eq
-{pop}
-{cvn}
-ifelse
-eq
-{pop false}
-{
-dup _pdfFontStatus
-{dup findfont true}
-{pop false}
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-ifelse
-/_pdfStyleDicts 4 dict dup begin
-/Adobe-Japan1 4 dict dup begin
-Level2?
-{
-/Serif
-/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiMin-W3}
-{
-/HeiseiMin-W3 _pdfCIDFontStatus
-{/HeiseiMin-W3}
-{/Ryumin-Light}
-ifelse
-}
-ifelse
-def
-/SansSerif
-/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiKakuGo-W5}
-{
-/HeiseiKakuGo-W5 _pdfCIDFontStatus
-{/HeiseiKakuGo-W5}
-{/GothicBBB-Medium}
-ifelse
-}
-ifelse
-def
-/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiMaruGo-W4}
-{
-/HeiseiMaruGo-W4 _pdfCIDFontStatus
-{/HeiseiMaruGo-W4}
-{
-/Jun101-Light-RKSJ-H _pdfFontStatus
-{ /Jun101-Light }
-{ SansSerif }
-ifelse
-}
-ifelse
-}
-ifelse
-/RoundSansSerif exch def
-/Default Serif def
-}
-{
-/Serif /Ryumin-Light def
-/SansSerif /GothicBBB-Medium def
-{
-(fonts/Jun101-Light-83pv-RKSJ-H) status
-}stopped
-{pop}{
-{ pop pop pop pop /Jun101-Light }
-{ SansSerif }
-ifelse
-/RoundSansSerif exch def
-}ifelse
-/Default Serif def
-}
-ifelse
-end
-def
-/Adobe-Korea1 4 dict dup begin
-/Serif /HYSMyeongJo-Medium def
-/SansSerif /HYGoThic-Medium def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-/Adobe-GB1 4 dict dup begin
-/Serif /STSong-Light def
-/SansSerif /STHeiti-Regular def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-/Adobe-CNS1 4 dict dup begin
-/Serif /MKai-Medium def
-/SansSerif /MHei-Medium def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-end
-def
-/TZzero
-{
-/_fyAdj xdd
-/_wmode xdd
-/_styleArr xdd
-/_regOrdering xdd
-3 copy
-_pdfComposeFont
-{
-5 2 roll pop pop pop
-}
-{
-[
-0 1 _styleArr length 1 sub
-{
-_styleArr exch get
-_pdfStyleDicts _regOrdering 2 copy known
-{
-get
-exch 2 copy known not
-{ pop /Default }
-if
-get
-}
-{
-pop pop pop /Unknown
-}
-ifelse
-}
-for
-]
-exch pop
-2 index 3 1 roll
-_pdfComposeFont
-{3 -1 roll pop}
-{
-findfont dup /FontName get exch
-}
-ifelse
-}
-ifelse
-dup /WMode 2 copy known
-{ get _wmode ne }
-{ pop pop _wmode 1 eq}
-ifelse
-_fyAdj 0 ne or
-{
-exch _wmode _pdfConcatNames _fyAdj _pdfConcatNames
-dup _pdfFontStatus
-{ exch pop dup findfont false}
-{ exch true }
-ifelse
-}
-{
-dup /FontType get 0 ne
-}
-ifelse
-{
-dup /FontType get 3 eq _wmode 1 eq and
-{
-_pdfVerticalRomanT3Font dup length 10 add dict copy
-begin
-/_basefont exch
-dup length 3 add dict
-begin
-{1 index /FID ne {def}{pop pop} ifelse }
-forall
-/Encoding Encoding dup length array copy
-dup 16#27 /quotesingle put
-dup 16#60 /grave put
-_regOrdering /Adobe-Japan1 eq
-{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
-if
-def
-FontName
-currentdict
-end
-definefont
-def
-/Encoding _basefont /Encoding get def
-/_fauxfont true def
-}
-{
-dup length 3 add dict
-begin
-{1 index /FID ne {def}{pop pop} ifelse }
-forall
-FontType 0 ne
-{
-/Encoding Encoding dup length array copy
-dup 16#27 /quotesingle put
-dup 16#60 /grave put
-_regOrdering /Adobe-Japan1 eq
-{dup 16#5c /yen put}
-if
-def
-/_fauxfont true def
-} if
-} ifelse
-/WMode _wmode def
-/BaseLineAdj _fyAdj def
-dup dup /FontName exch def
-currentdict
-end
-definefont pop
-}
-{
-pop
-}
-ifelse
-/_pdf_FontDirectory 3 1 roll _safeput
-}
-bd
-/swj {
-dup 4 1 roll
-dup length exch stringwidth
-exch 5 -1 roll 3 index mul add
-4 1 roll 3 1 roll mul add
-6 2 roll /_cnt 0 dd
-{1 index eq {/_cnt _cnt 1 add dd} if} forall pop
-exch _cnt mul exch _cnt mul 2 index add 4 1 roll 2 index add 4 1 roll pop pop
-} bd
-/jss {
-4 1 roll
-{
-pop pop
-(0) exch 2 copy 0 exch put
-gsave
-exch false charpath currentpoint
-5 index setmatrix stroke
-3 -1 roll
-32 eq
-{
-moveto
-5 index 5 index rmoveto currentpoint
-}
-if
-grestore
-moveto
-2 copy rmoveto
-} exch cshow
-6 {pop} repeat
-} def
-/jsfTzero {
-{
-pop pop
-(0) exch 2 copy 0 exch put
-exch show
-32 eq
-{
-4 index 4 index rmoveto
-}
-if
-2 copy rmoveto
-} exch cshow
-5 {pop} repeat
-} def
-/jsp
-{
-{
-pop pop
-(0) exch 2 copy 0 exch put
-32 eq
-dup {currentfont /Encoding get dup length 33 ge 
-{32 get /space eq and}{pop}ifelse
-}if
-{ exch 5 index 5 index 5 index 5 -1 roll widthshow }
-{ false charpath }
-ifelse
-2 copy rmoveto
-} exch cshow
-5 {pop} repeat
-} bd
-/trj { _cx 0 fWModeProc 32 _ax 0 fWModeProc 6 5 roll } bd
-/pjsf { trj sfc fawidthshowProc } bd
-/pjss { trj _ctm ssc jss } bd
-/pjsc { trj jsp } bd
-/_Tjdef [
-/pjsf load
-/pjss load
-{
-dup
-currentpoint 3 2 roll
-pjsf
-newpath moveto
-pjss
-} bind
-{
-trj swj rmoveto
-} bind
-{
-dup currentpoint 4 2 roll gsave
-pjsf
-grestore 3 1 roll moveto
-pjsc
-} bind
-{
-dup currentpoint 4 2 roll
-currentpoint gsave newpath moveto
-pjss
-grestore 3 1 roll moveto
-pjsc
-} bind
-{
-dup currentpoint 4 2 roll gsave
-dup currentpoint 3 2 roll
-pjsf
-newpath moveto
-pjss
-grestore 3 1 roll moveto
-pjsc
-} bind
-/pjsc load
-] def
-/BT
-{
-/_inT true dd
-_ctm currentmatrix pop matrix _tm copy pop
-0 _rise _baselineadj add translate _hs 1 scale
-0 0 moveto
-} bd
-/ET
-{
-/_inT false dd
-_tr 3 gt {clip} if
-_ctm setmatrix newpath
-} bd
-/Tr {
-_inT { _tr 3 le {currentpoint newpath moveto} if } if
-dup /_tr xdd
-_Tjdef exch get /_Tj xdd
-} bd
-/Tj {
-userdict /$$copystring 2 index put
-_Tj
-} bd
-/iTm { _ctm setmatrix _tm concat 0 _rise _baselineadj add translate _hs 1 scale } bd
-/Tm { _tm astore pop iTm 0 0 moveto } bd
-/Td { _mtx translate _tm _tm concatmatrix pop iTm 0 0 moveto } bd
-/TD { dup /_ld xdd Td } bd
-/_nullProc {} bd
-/Tf {
-dup 1000 div /_fScl xdd
-_pdf_FontDirectory 2 index 2 copy known
-{get exch 3 -1 roll pop}
-{pop pop}
-ifelse
-Level2?
-{ selectfont }
-{ exch findfont exch scalefont setfont}
-ifelse
-currentfont dup
-/_nullProc exch
-/WMode known
-{
-1 index /WMode get 1 eq
-{pop /exch}
-if
-}
-if
-load /fWModeProc xdd
-dup
-/FontType get 0 eq dup _cx 0 ne and
-{ /jsfTzero }
-{ /awidthshow }
-ifelse
-load /fawidthshowProc xdd
-/_fTzero xdd
-dup /BaseLineAdj known
-{ dup /BaseLineAdj get _fScl mul }
-{ 0 }
-ifelse
-/_baselineadj xdd
-dup /_pdfT3Font known
-{ 0 }
-{_tr}
-ifelse
-_Tjdef exch get /_Tj xdd
-_intT
-{currentpoint iTm moveto}
-if
-pop
-} bd
-/TL { neg /_ld xdd } bd
-/Tw {
-/_cx xdd
-_cx 0 ne _fTzero and
-{ /jsfTzero }
-{ /awidthshow }
-ifelse
-load /fawidthshowProc xdd
-} bd
-/Tc { /_ax xdd } bd
-/Ts { /_rise xdd currentpoint iTm moveto } bd
-/Tz { 100 div /_hs xdd iTm } bd
-/Tk { exch pop _fScl mul neg 0 fWModeProc rmoveto } bd
-/T* { 0 _ld Td } bd
-/' { T* Tj } bd
-/" { exch Tc exch Tw ' } bd
-/TJ {
-{
-dup type /stringtype eq
-{ Tj }
-{ 0 exch Tk }
-ifelse
-} forall
-} bd
-/T- { _hy Tj } bd
-/d0/setcharwidth ld
-/d1 { setcachedevice /sfc{}dd /ssc{}dd } bd
-/nND {{/.notdef} repeat} bd
-/T3Defs {
-/BuildChar
-{
-1 index /Encoding get exch get
-1 index /BuildGlyph get exec
-}
-def
-/BuildGlyph {
-exch begin
-GlyphProcs exch get exec
-end
-} def
-/_pdfT3Font true def
-} bd
-/_pdfBoldRomanWidthProc
-{
-stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
-0 0
-} bd
-/_pdfType0WidthProc
-{
-dup stringwidth 0 0 moveto
-2 index true charpath pathbbox
-0 -1
-7 index 2 div .88
-setcachedevice2
-pop
-0 0
-} bd
-/_pdfType0WMode1WidthProc
-{
-dup stringwidth
-pop 2 div neg -0.88
-2 copy
-moveto
-0 -1
-5 -1 roll true charpath pathbbox
-setcachedevice
-} bd
-/_pdfBoldBaseFont
-11 dict begin
-/FontType 3 def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/Encoding cHexEncoding def
-/_setwidthProc /_pdfBoldRomanWidthProc load def
-/_bcstr1 1 string def
-/BuildChar
-{
-exch begin
-_basefont setfont
-_bcstr1 dup 0 4 -1 roll put
-dup
-_setwidthProc
-3 copy
-moveto
-show
-_basefonto setfont
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-pdf_has_composefont?
-{
-/_pdfBoldBaseCIDFont
-11 dict begin
-/CIDFontType 1 def
-/CIDFontName /_pdfBoldBaseCIDFont def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/_setwidthProc /_pdfType0WidthProc load def
-/_bcstr2 2 string def
-/BuildGlyph
-{
-exch begin
-_basefont setfont
-_bcstr2 1 2 index 256 mod put
-_bcstr2 0 3 -1 roll 256 idiv put
-_bcstr2 dup _setwidthProc
-3 copy
-moveto
-show
-_basefonto setfont
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-/_pdfDefineIdentity-H
-{
-/Identity-H /CMap resourcestatus
-{
-pop pop
-}
-{
-/CIDInit/ProcSet findresource begin 12 dict begin
-begincmap
-/CIDSystemInfo
-3 dict begin
-/Registry (Adobe) def
-/Ordering (Identity) def
-/Supplement 0 def
-currentdict
-end
-def
-/CMapName /Identity-H def
-/CMapVersion 1 def
-/CMapType 1 def
-1 begincodespacerange
-<0000> <ffff>
-endcodespacerange
-1 begincidrange
-<0000> <ffff> 0
-endcidrange
-endcmap
-CMapName currentdict/CMap defineresource pop
-end
-end
-} ifelse
-} def
-} if
-/_pdfVerticalRomanT3Font
-10 dict begin
-/FontType 3 def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/_bcstr1 1 string def
-/BuildChar
-{
-exch begin
-_basefont setfont
-_bcstr1 dup 0 4 -1 roll put
-dup
-_pdfType0WidthProc
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-/MakeBoldFont
-{
-dup /ct_SyntheticBold known
-{
-dup length 3 add dict begin
-CopyFont
-/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
-/ct_SyntheticBold true def
-currentdict
-end
-definefont
-}
-{
-dup dup length 3 add dict
-begin
-CopyFont
-/PaintType 2 def
-/StrokeWidth .03 0 FontMatrix idtransform pop def
-/dummybold currentdict
-end
-definefont
-dup /FontType get dup 9 ge exch 11 le and
-{
-_pdfBoldBaseCIDFont
-dup length 3 add dict copy begin
-dup /CIDSystemInfo get /CIDSystemInfo exch def
-/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
-/_basefont exch def
-/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
-/_basefonto exch def
-currentdict
-end
-/CIDFont defineresource
-}
-{
-_pdfBoldBaseFont
-dup length 3 add dict copy begin
-/_basefont exch def
-/_basefonto exch def
-currentdict
-end
-definefont
-}
-ifelse
-}
-ifelse
-} bd
-/MakeBold {
-1 index
-_pdf_FontDirectory 2 index 2 copy known
-{get}
-{exch pop}
-ifelse
-findfont
-dup
-/FontType get 0 eq
-{
-dup /WMode known {dup /WMode get 1 eq }{false} ifelse
-version length 4 ge
-and
-{version 0 4 getinterval cvi 2015 ge }
-{true}
-ifelse
-{/_pdfType0WidthProc}
-{/_pdfType0WMode1WidthProc}
-ifelse
-_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
-{MakeBoldFont} Type0CopyFont definefont
-}
-{
-dup /_fauxfont known not 1 index /SubstMaster known not and
-{
-_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
-MakeBoldFont
-}
-{
-2 index 2 index eq
-{ exch pop }
-{
-dup length dict begin
-CopyFont
-currentdict
-end
-definefont
-}
-ifelse
-}
-ifelse
-}
-ifelse
-pop pop
-dup /dummybold ne
-{/_pdf_FontDirectory exch dup _safeput }
-{ pop }
-ifelse
-}bd
-/MakeItalic {
-_pdf_FontDirectory exch 2 copy known
-{get}
-{exch pop}
-ifelse
-dup findfont
-dup /FontInfo 2 copy known
-{
-get
-/ItalicAngle 2 copy known
-{get 0 eq }
-{ pop pop true}
-ifelse
-}
-{ pop pop true}
-ifelse
-{
-exch pop
-dup /FontType get 0 eq Level2? not and
-{ dup /FMapType get 6 eq }
-{ false }
-ifelse
-{
-dup /WMode 2 copy known
-{
-get 1 eq
-{ _italMtx_WMode1Type0 }
-{ _italMtxType0 }
-ifelse
-}
-{ pop pop _italMtxType0 }
-ifelse
-}
-{
-dup /WMode 2 copy known
-{
-get 1 eq
-{ _italMtx_WMode1 }
-{ _italMtx }
-ifelse
-}
-{ pop pop _italMtx }
-ifelse
-}
-ifelse
-makefont
-dup /FontType get 42 eq Level2? not or
-{
-dup length dict begin
-CopyFont
-currentdict
-end
-}
-if
-1 index exch
-definefont pop
-/_pdf_FontDirectory exch dup _safeput
-}
-{
-pop
-2 copy ne
-{
-/_pdf_FontDirectory 3 1 roll _safeput
-}
-{ pop pop }
-ifelse
-}
-ifelse
-}bd
-/MakeBoldItalic {
-/dummybold exch
-MakeBold
-/dummybold
-MakeItalic
-}bd
-Level2?
-{
-/pdf_CopyDict
-{1 index length add dict copy}
-def
-}
-{
-/pdf_CopyDict
-{
-1 index length add dict
-1 index wcheck
-{ copy }
-{ begin
-{def} forall
-currentdict
-end
-}
-ifelse
-}
-def
-}
-ifelse
-/pdf_AddEuroGlyphProc
-{
-currentdict /CharStrings known
-{
-CharStrings /Euro known not
-{
-dup
-/CharStrings
-CharStrings 1 pdf_CopyDict
-begin
-/Euro pdf_EuroProcSet 4 -1 roll get def
-currentdict
-end
-def
-/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
-/pdf_PathOps /pdf_PathOps load def
-/Symbol eq
-{
-/Encoding Encoding dup length array copy
-dup 160 /Euro put def
-}
-if
-}
-{ pop
-}
-ifelse
-}
-{ pop
-}
-ifelse
-}
-def
-/pdf_PathOps 4 dict dup begin
-/m {moveto} def
-/l {lineto} def
-/c {curveto} def
-/cp {closepath} def
-end
-def
-/pdf_PSBuildGlyph
-{
-gsave
-8 -1 roll pop
-7 1 roll
-currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
-dup 9 1 roll
-{
-currentdict /StrokeWidth 2 copy known
-{
-get 2 div
-5 1 roll
-4 -1 roll 4 index sub
-4 1 roll
-3 -1 roll 4 index sub
-3 1 roll
-exch 4 index add exch
-4 index add
-5 -1 roll pop
-}
-{
-pop pop
-}
-ifelse
-}
-if
-setcachedevice
-pdf_PathOps begin
-exec
-end
-{
-currentdict /StrokeWidth 2 copy known
-{ get }
-{ pop pop 0 }
-ifelse
-setlinewidth stroke
-}
-{
-fill
-}
-ifelse
-grestore
-} def
-/pdf_EuroProcSet 13 dict def
-pdf_EuroProcSet
-begin
-/Courier-Bold
-{
-600 0 6 -12 585 612
-{
-385 274 m
-180 274 l
-179 283 179 293 179 303 c
-179 310 179 316 180 323 c
-398 323 l
-423 404 l
-197 404 l
-219 477 273 520 357 520 c
-409 520 466 490 487 454 c
-487 389 l
-579 389 l
-579 612 l
-487 612 l
-487 560 l
-449 595 394 612 349 612 c
-222 612 130 529 98 404 c
-31 404 l
-6 323 l
-86 323 l
-86 304 l
-86 294 86 284 87 274 c
-31 274 l
-6 193 l
-99 193 l
-129 77 211 -12 359 -12 c
-398 -12 509 8 585 77 c
-529 145 l
-497 123 436 80 356 80 c
-285 80 227 122 198 193 c
-360 193 l
-cp
-600 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Courier-BoldOblique /Courier-Bold load def
-/Courier
-{
-600 0 17 -12 578 584
-{
-17 204 m
-97 204 l
-126 81 214 -12 361 -12 c
-440 -12 517 17 578 62 c
-554 109 l
-501 70 434 43 366 43 c
-266 43 184 101 154 204 c
-380 204 l
-400 259 l
-144 259 l
-144 270 143 281 143 292 c
-143 299 143 307 144 314 c
-418 314 l
-438 369 l
-153 369 l
-177 464 249 529 345 529 c
-415 529 484 503 522 463 c
-522 391 l
-576 391 l
-576 584 l
-522 584 l
-522 531 l
-473 566 420 584 348 584 c
-216 584 122 490 95 369 c
-37 369 l
-17 314 l
-87 314 l
-87 297 l
-87 284 88 272 89 259 c
-37 259 l
-cp
-600 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Courier-Oblique /Courier load def
-/Helvetica
-{
-556 0 24 -19 541 703
-{
-541 628 m
-510 669 442 703 354 703 c
-201 703 117 607 101 444 c
-50 444 l
-25 372 l
-97 372 l
-97 301 l
-49 301 l
-24 229 l
-103 229 l
-124 67 209 -19 350 -19 c
-435 -19 501 25 509 32 c
-509 131 l
-492 105 417 60 343 60 c
-267 60 204 127 197 229 c
-406 229 l
-430 301 l
-191 301 l
-191 372 l
-455 372 l
-479 444 l
-194 444 l
-201 531 245 624 348 624 c
-433 624 484 583 509 534 c
-cp
-556 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Helvetica-Oblique /Helvetica load def
-/Helvetica-Bold
-{
-556 0 12 -19 563 710
-{
-563 621 m
-537 659 463 710 363 710 c
-216 710 125 620 101 462 c
-51 462 l
-12 367 l
-92 367 l
-92 346 l
-92 337 93 328 93 319 c
-52 319 l
-12 224 l
-102 224 l
-131 58 228 -19 363 -19 c
-417 -19 471 -12 517 18 c
-517 146 l
-481 115 426 93 363 93 c
-283 93 254 166 246 224 c
-398 224 l
-438 319 l
-236 319 l
-236 367 l
-457 367 l
-497 462 l
-244 462 l
-259 552 298 598 363 598 c
-425 598 464 570 486 547 c
-507 526 513 517 517 509 c
-cp
-556 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Helvetica-BoldOblique /Helvetica-Bold load def
-/Symbol
-{
-750 0 20 -12 714 685
-{
-714 581 m
-650 645 560 685 465 685 c
-304 685 165 580 128 432 c
-50 432 l
-20 369 l
-116 369 l
-115 356 115 347 115 337 c
-115 328 115 319 116 306 c
-50 306 l
-20 243 l
-128 243 l
-165 97 300 -12 465 -12 c
-560 -12 635 25 685 65 c
-685 155 l
-633 91 551 51 465 51 c
-340 51 238 131 199 243 c
-555 243 l
-585 306 l
-184 306 l
-183 317 182 326 182 336 c
-182 346 183 356 184 369 c
-614 369 l 644 432 l
-199 432 l
-233 540 340 622 465 622 c
-555 622 636 580 685 520 c
-cp
-750 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Bold
-{
-500 0 16 -14 478 700
-{
-367 308 m
-224 308 l
-224 368 l
-375 368 l
-380 414 l
-225 414 l
-230 589 257 653 315 653 c
-402 653 431 521 444 457 c
-473 457 l
-473 698 l
-444 697 l
-441 679 437 662 418 662 c
-393 662 365 700 310 700 c
-211 700 97 597 73 414 c
-21 414 l
-16 368 l
-69 368 l
-69 359 68 350 68 341 c
-68 330 68 319 69 308 c
-21 308 l
-16 262 l
-73 262 l
-91 119 161 -14 301 -14 c
-380 -14 443 50 478 116 c
-448 136 l
-415 84 382 40 323 40 c
-262 40 231 77 225 262 c
-362 262 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-BoldItalic
-{
-500 0 9 -20 542 686
-{
-542 686 m
-518 686 l
-513 673 507 660 495 660 c
-475 660 457 683 384 683 c
-285 683 170 584 122 430 c
-58 430 l
-34 369 l
-105 369 l
-101 354 92 328 90 312 c
-34 312 l
-9 251 l
-86 251 l
-85 238 84 223 84 207 c
-84 112 117 -14 272 -14 c
-326 -14 349 9 381 9 c
-393 9 393 -10 394 -20 c
-420 -20 l
-461 148 l
-429 148 l
-416 109 362 15 292 15 c
-227 15 197 55 197 128 c
-197 162 204 203 216 251 c
-378 251 l
-402 312 l
-227 312 l
-229 325 236 356 241 369 c
-425 369 l
-450 430 l
-255 430 l
-257 435 264 458 274 488 c
-298 561 337 654 394 654 c
-437 654 484 621 484 530 c
-484 516 l
-516 516 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Italic
-{
-500 0 23 -10 595 692
-{
-399 317 m
-196 317 l
-199 340 203 363 209 386 c
-429 386 l
-444 424 l
-219 424 l
-246 514 307 648 418 648 c
-448 648 471 638 492 616 c
-529 576 524 529 527 479 c
-549 475 l
-595 687 l
-570 687 l
-562 674 558 664 542 664 c
-518 664 474 692 423 692 c
-275 692 162 551 116 424 c
-67 424 l
-53 386 l
-104 386 l
-98 363 93 340 90 317 c
-37 317 l
-23 279 l
-86 279 l
-85 266 85 253 85 240 c
-85 118 137 -10 277 -10 c
-370 -10 436 58 488 128 c
-466 149 l
-424 101 375 48 307 48 c
-212 48 190 160 190 234 c
-190 249 191 264 192 279 c
-384 279 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Roman
-{
-500 0 10 -12 484 692
-{
-347 298 m
-171 298 l
-170 310 170 322 170 335 c
-170 362 l
-362 362 l
-374 403 l
-172 403 l
-184 580 244 642 308 642 c
-380 642 434 574 457 457 c
-481 462 l
-474 691 l
-449 691 l
-433 670 429 657 410 657 c
-394 657 360 692 299 692 c
-204 692 94 604 73 403 c
-22 403 l
-10 362 l
-70 362 l
-69 352 69 341 69 330 c
-69 319 69 308 70 298 c
-22 298 l
-10 257 l
-73 257 l
-97 57 216 -12 295 -12 c
-364 -12 427 25 484 123 c
-458 142 l
-425 101 384 37 316 37 c
-256 37 189 84 173 257 c
-335 257 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-end
-currentdict readonly pop end
-%%EndResource
-PDFText begin
-[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
-/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
-/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
-/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
-/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
-/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
-/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
-/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
-/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
-/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
-/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
-/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
-/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
-/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
-/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
-/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
-/hungarumlaut/ogonek/caron
-0 TE
-[1/dotlessi/caron 39/quotesingle 96/grave 
-127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
-/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
-/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
-/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
-/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
-/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
-/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
-/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
-/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
-/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
-/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
-/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
-/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
-/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
-/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
-/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
-/ucircumflex/udieresis/yacute/thorn/ydieresis
-1 TE
-end
-currentdict readonly pop
-end end
-/currentpacking where {pop setpacking}if
-PDFVars/DocInitAll{[ PDFText]{/docinitialize get exec}forall }put
-PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
-PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
-PDFVars begin PDF begin
-PDFVars/DocInitAll get exec PDFVars/InitAll get exec
-PDFVars/TermAll get exec end end
-
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-userdict /pgsave save put
-PDFVars begin PDF begin PDFVars/InitAll get exec
-156 331 translate
-%%BeginResource: font N34
-%!FontType1-1.0: N34
-11 dict begin
-/FontInfo 5 dict dup begin
-/Notice (Copyright \(C\) 1997 American Mathematical Society. All Rights Reserved) def
-/FamilyName (Computer Modern) def
-/FullName (CMTT10) def
-end readonly def
-/FontName /N34 def
-/Encoding 256 array
-0 1 255 {1 index exch /.notdef put} for
-dup 44 /comma put
-dup 48 /zero put
-dup 49 /one put
-dup 50 /two put
-dup 97 /a put
-dup 101 /e put
-dup 104 /h put
-dup 110 /n put
-dup 114 /r put
-dup 116 /t put
-dup 123 /braceleft put
-dup 125 /braceright put
-readonly def
-/FontMatrix [0.001 0 0 0.001 0 0] readonly def
-/FontBBox {-4 -235 731 800} readonly def
-/FontType 1 def
-/PaintType 0 def
-/StrokeWidth 0 def
-currentdict end
-currentfile eexec
-f3e7f93fe0b3c7a88086f982b4b55bdb0f2f559321725d901e33615b89ebc3ed
-b644cbe16c663d6859274d0ce2e86ecfea9f7e1b5970a122f75e9b050df4480e
-56172e8b6a9a7322d8372244fb30b64ec966496b08baae35096817082b1ee90a
-634d662a40353df3516c1402378432ab41d28040059334248c54fc26fbf5fc94
-879f85cd5bfa2b3d6d059c93f11fe5780c1fcf8d5dc00e950018df83ec4928de
-7cec20207ab2cf39abc85a9caa0b0e2c323f501f5962617e99a333fe9738b872
-fcc9a8251b532781309174dc760f25d7636c27db2792bd40f540cb897c86c8fe
-0eda9639093664059ed48c227060d40f39eabac85c47e505de850379e1267e79
-2d6e82c3d67cb2e9f84a7ff7a61df53239fe2625ac170163bf19e528676f0853
-e7abcece7107203958dc0b5bb270a0de82161699a18d4d5b8da383e6c4937d39
-9c20cfb315dd9c8a08d93ee76257cd6a52b6a8800735be153582e40f2f85a432
-7c5527b7e085f60031b66fad2baca496b105ff4cb56629346f3fe9d596a90cd0
-6c125fa5e27179c9b7d4980f2c2d0969fd3f87796a05c1c030bc94ceacdb95fd
-fe11d180104266be31ea0837366a9001d0f54ce82d78e992228606798a6ed75e
-9ad79061031e325d884aa3747b7a4d4e398888c2eb0fd2a7e9c9a88999859ebf
-d10290b74c3dcba000519bd2e4cc03e4f466007d60731bfba66e92bd0e6a367d
-8e706e0b1c606425d4c7ff696440cf4f0a231961f0b9d5636cfb4a5abf263408
-b80f06166d9c533b3b13112cd9cedbc2e9197a4675125022e28d23047a93e6e7
-f3255e2fe972045499c7527fb9f32e1363a60cb2254abf34ab918f5d08f181ce
-c85dbd3408edc656c0bb2dbc47b854aedb2acd8d9fc0d5f7cce1724eb4c93133
-3e496ba69350daeeed903ee17260db986f11afaf68b53d894dd3d679ebe7f703
-b4ae32683591d34ce4137f9abc8dedb065d06ca3470afce541a9b0fe1f4de178
-db038a0a5b0c30a5ac304c5ea38686389f8fdfc9790296ba65b6ea7450659e46
-e17173f120846258b315eed9142ac66063205167a553e47d24547ad2c4a8f702
-fb9bec6b138ac48c5f5465e345d40f455cae3ef6838c2cb147344ecf7da3302d
-e1f8ca2a49e6d6c25d64d76a0007d91183a500f4db07b7232ae944051ec6db95
-c83956967f6e8cc3eb79ba8f6f7f9d9588e0790aa4ef2c8bb1af4bbe40c3e6e9
-c4c2abb5b8955d7f7db4744779ce92f484438d836457bd63a15762120b30d264
-064049f0b4e3f543f275f27d1490e4ec3ab8744cb0d07dd31166f744f9099dba
-9d4c7532182bfe249b19166e5a9c793ad26dfe0a4f6eb4f1f81c7daebfbb4f41
-900682d3f98e1d12d5d2cedf7d5d81f5294253cd05392a6c1b08faf2c937c587
-acb67c282079d5381342090e8f6bc758b6aafa1987e4025a38e0b007b5e734fb
-f7653c6d09bb30c736ed42f6faa6c8be715ee08edeb32e32716e161de47fa740
-2c7520f6a147a3a1ac4008ac7ac47e68ac95dd0e40def0262d7f19420ec9d836
-a83b0a6e8864bc93fb0246b910bd00506ac7e91476ac4f4ea8030c570d74d3c7
-f50ae3960629442be51c34d3d5064d144e4d5882e454f1f70b5db71acb0851ee
-ea8472b8bbf439406e33f3967b4e44371843616eb00bb0bbb2d7b50e64275eb7
-b0bf39d87aeef439b352c5d5549063adaca1807abb74c6d4b369bccf032a3a07
-e38165eb254cf180cb4b4e686f361ced5579846482cc428c7e317c7d35136f92
-2cfc13f1d489c450b84f26bb7ff8bf1751a1fe52be5b11ed2c9b21620b22b7e3
-da6b3bb7f97b07e6e53022f1e8fe751308247716fd05d7b925b7e019962c5ae8
-6f011dd826d13f3f797453ad0250bfb8ff3835b952b3f86d2a84fb4b646d2013
-39841e22dc6111dc48b71ddc930224f2a2cd65518f44c58fc4d0c703ac11aaf5
-e98a735db48973639a28b97b5181afc5129c2521df2369f4091bcad9ec2ecc57
-39a0c3fbc77b7293125db00eed1d7b6075f390b5f9aa84fe48cca11b71e92559
-2d81a03384d3fdfe7d782bc2bbd96e50af51259cd4c1d063629c41d932bf8d39
-aaf0a55979fbe4245b867b23f965abfc16c5fe1ae6dc46fb4341922cdf1e4466
-11c7c9f9c73001469081ced3169c7d55631800b59b5ef77405b3814bff9fd90c
-8a01addc3c525ddfc00f3579cd0e9effe77f4d8f27b6e55a5d18b0c66dfed09b
-ee81795632d12b202f606300f6aad5201cb07634500bba045aef4c198a8b640e
-1f974e4cb6eb54790a3e412b485888ec8931a028bf92647e874c5f69142e61b6
-8cce581e6d79c80eb947fe6eb9cd7c68ed8051c618acca8d0d094105154c891f
-545ddfe32e786f9fb516189571ad8aeb643658c5e7c4d19226166d6b5696ba0b
-d215d3020d2549971e15e2057fb25e27e3ebb8182440a32a8df73bb5a60b48c0
-d1ab1ec93b54b49e3277f0b177d2bbcbb4245dfc78032f7b0aa304ed83b67b2d
-8dba0f9d0d3771a8f89b2255c83248ef3d00600f2a486fff6658539aed4a9f00
-c3c42b10d0f4c244b6469ff45ec83926d3ac4ca1012e8ff7a761db98cd899eea
-80fee257ce8dafa44415d6ff106fc6f387dd1767f1afac6170e732784da4ba20
-5aaa275b9272df543410fc8f8289a6b49f86991912f0d5d087c0d72a43df98a4
-b6d3551660fa557b867f62a22d6bf7956f9c0c929fec10a91c871366a7b22a18
-87d91ac067f1bb24cc26ae2a614235ddaef02c0ce47ec6ea3d625d007ab9b0e3
-f329f0cbc2ff80c1c5338dfa4d46cfb7982b71ba740a2f67171562d81a226906
-ecfd0fffeb67fde9f741a911c33dfecbfb5e6c115948ac90d76bdc3bf1474d9a
-39b6a931f4a6a0b5650f878eefdb8c222f66816e57e4f50c25a30d36ea28
-9e8d92f7230d739034c81f27adc4a9e48b852faf5299636d6d51fabbc0358857
-892f306e6f760c780ee75ccc2e2d976dfc836c7f086fe12970e997dff6ecea59
-9f629f24ed853d4ec5a9872527b8d26bb25bb7c3f612d212447a96f6dc098bae
-c16e6726dd90f6742422e953650c83fd020902f7b460a6de1248c38826fc538b
-e49bab3522d3bca7cd6558fe0cb4f8e488e7bce25eb53d9b498c78180099b809
-0e8bef2f7a97189a65a448895aea28b96e68f2c311db2caadf85281a4ac31723
-1667348978e47ab73d3e23e366ce99481972f7fd6882aaaac15727e6dd93afb3
-89bab7af45d82b56bed628443e6d079e19ede69edbe920538b104a7f062c42a4
-2b793f867529594f9b5d625b5afb30b2ea70e59075808899d3f95b4f68e1ba72
-4082aafb0c1278e4e0b0759e2beaa53d17de4f86
-0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
cleartomark
%%EndResource
-[/N9/N34 -1 TZ
-%%EndPageSetup
-0 0 300 130 RC
-0.09999 0 0 0.09999 0 0 cm
-
-q
-Q
-q
-0 0 m
-0 1300 l
-3000 1300 l
-3000 0 l
-h
-W n 
-1 i
-10 w
-4 M
-46.25 377.25 554 554 re
-S 
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 16.60778 62.02688 Tm
-(t)Tj 
-6.29998 0 Td
-(h)Tj 
-6.29998 0 Td
-(r)Tj 
-6.29998 0 Td
-(e)Tj 
-6.29998 0 Td
-(e)Tj 
-ET
-Q
-1 g
-1707.25 30.25 1244 1243 rf
-1707.25 30.25 1244 1243 re
-S 
-0 g
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 223.47399 106.70199 Tm
-(n)Tj 
-6.29998 0 Td
-(a)Tj 
-6.29998 0 Td
-(t)Tj 
-ET
-Q
-0.85089 g
-2304.25 931.25 m
-2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
-1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
-2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
-2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
-2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
-f 
-2304.25 931.25 m
-2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
-1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
-2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
-2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
-2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
-h
-S 
-0 g
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 209.33399 61.78269 Tm
-({)Tj 
-6.29998 0 Td
-(0)Tj 
-6.29998 0 Td
-(,)Tj 
-6.29998 0 Td
-(1)Tj 
-6.29998 0 Td
-(,)Tj 
-6.29998 0 Td
-(2)Tj 
-6.29998 0 Td
-(})Tj 
-ET
-Q
-2373.25 821.25 m
-386.25 821.25 l
-S 
-356.25 821.25 m
-370.69799 826.43598 388.31399 835.42498 399.25 845.25 c
-390.25 821.25 l
-399.25 797.25 l
-388.31399 806.90899 370.69799 815.89898 356.25 821.25 c
-f 
-326.25 821.25 m
-354.72099 831.70498 389.95498 849.68399 412.25 868.25 c
-394.25 821.25 l
-412.25 773.25 l
-389.95498 792.65199 354.72099 810.63499 326.25 821.25 c
-f 
-326.25 481.25 m
-2313.25 481.25 l
-S 
-2343.25 481.25 m
-2328.95999 486.44099 2311.34999 495.42498 2300.25 505.25 c
-2309.25 481.25 l
-2300.25 457.25 l
-2311.34999 466.90899 2328.95999 475.89399 2343.25 481.25 c
-f 
-2373.25 481.25 m
-2344.93998 491.70498 2309.70999 509.68399 2288.25 528.25 c
-2305.25 481.25 l
-2288.25 433.25 l
-2309.70999 452.65199 2344.93998 470.63999 2373.25 481.25 c
-f 
-Q
-PDFVars/TermAll get exec end end
-userdict /pgsave get restore
-showpage
-%%PageTrailer
-%%EndPage
-%%Trailer
-%%DocumentProcessColors: Black
-%%DocumentSuppliedResources:
-%%+ font N34
-%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
-%%+ procset (Adobe Acrobat - type operators) 1.2 0
-%%EOF