Adapted to new inductive definition package.
authorberghofe
Wed Jul 11 11:14:51 2007 +0200 (2007-07-11)
changeset 23746a455e69c31cc
parent 23745 28df61d931e2
child 23747 b07cff284683
Adapted to new inductive definition package.
src/HOL/Algebra/FiniteProduct.thy
src/HOL/Auth/CertifiedEmail.thy
src/HOL/Auth/Guard/Analz.thy
src/HOL/Auth/Guard/Guard.thy
src/HOL/Auth/Guard/GuardK.thy
src/HOL/Auth/Guard/Guard_NS_Public.thy
src/HOL/Auth/Guard/Guard_OtwayRees.thy
src/HOL/Auth/Guard/Guard_Yahalom.thy
src/HOL/Auth/Guard/List_Msg.thy
src/HOL/Auth/Guard/P1.thy
src/HOL/Auth/Guard/P2.thy
src/HOL/Auth/Guard/Proto.thy
src/HOL/Auth/KerberosIV.thy
src/HOL/Auth/KerberosIV_Gets.thy
src/HOL/Auth/KerberosV.thy
src/HOL/Auth/Kerberos_BAN.thy
src/HOL/Auth/Kerberos_BAN_Gets.thy
src/HOL/Auth/Message.thy
src/HOL/Auth/NS_Public.thy
src/HOL/Auth/NS_Public_Bad.thy
src/HOL/Auth/NS_Shared.thy
src/HOL/Auth/OtwayRees.thy
src/HOL/Auth/OtwayReesBella.thy
src/HOL/Auth/OtwayRees_AN.thy
src/HOL/Auth/OtwayRees_Bad.thy
src/HOL/Auth/Recur.thy
src/HOL/Auth/Smartcard/ShoupRubin.thy
src/HOL/Auth/Smartcard/ShoupRubinBella.thy
src/HOL/Auth/TLS.thy
src/HOL/Auth/WooLam.thy
src/HOL/Auth/Yahalom.thy
src/HOL/Auth/Yahalom2.thy
src/HOL/Auth/Yahalom_Bad.thy
src/HOL/Auth/ZhouGollmann.thy
src/HOL/HoareParallel/OG_Hoare.thy
src/HOL/HoareParallel/OG_Tran.thy
src/HOL/HoareParallel/RG_Hoare.thy
src/HOL/HoareParallel/RG_Tran.thy
src/HOL/IMP/Compiler.thy
src/HOL/IMP/Compiler0.thy
src/HOL/IMP/Denotation.thy
src/HOL/IMP/Expr.thy
src/HOL/IMP/Hoare.thy
src/HOL/IMP/Machines.thy
src/HOL/IMP/Natural.thy
src/HOL/IMP/Transition.thy
src/HOL/IMP/VC.thy
src/HOL/IMPP/Com.thy
src/HOL/IMPP/Hoare.thy
src/HOL/IMPP/Natural.thy
src/HOL/Induct/Com.thy
src/HOL/Induct/Comb.thy
src/HOL/Induct/LFilter.thy
src/HOL/Induct/LList.thy
src/HOL/Induct/Mutil.thy
src/HOL/Induct/PropLog.thy
src/HOL/Induct/QuoDataType.thy
src/HOL/Induct/QuoNestedDataType.thy
src/HOL/Induct/ROOT.ML
src/HOL/Induct/SList.thy
src/HOL/Induct/Sexp.thy
src/HOL/Induct/Sigma_Algebra.thy
src/HOL/Isar_examples/MutilatedCheckerboard.thy
     1.1 --- a/src/HOL/Algebra/FiniteProduct.thy	Wed Jul 11 11:13:08 2007 +0200
     1.2 +++ b/src/HOL/Algebra/FiniteProduct.thy	Wed Jul 11 11:14:51 2007 +0200
     1.3 @@ -18,13 +18,12 @@
     1.4    @{text "x \<in> carrier G"}.  We introduce an explicit argument for the domain
     1.5    @{text D}. *}
     1.6  
     1.7 -consts
     1.8 +inductive_set
     1.9    foldSetD :: "['a set, 'b => 'a => 'a, 'a] => ('b set * 'a) set"
    1.10 -
    1.11 -inductive "foldSetD D f e"
    1.12 -  intros
    1.13 +  for D :: "'a set" and f :: "'b => 'a => 'a" and e :: 'a
    1.14 +  where
    1.15      emptyI [intro]: "e \<in> D ==> ({}, e) \<in> foldSetD D f e"
    1.16 -    insertI [intro]: "[| x ~: A; f x y \<in> D; (A, y) \<in> foldSetD D f e |] ==>
    1.17 +  | insertI [intro]: "[| x ~: A; f x y \<in> D; (A, y) \<in> foldSetD D f e |] ==>
    1.18                        (insert x A, f x y) \<in> foldSetD D f e"
    1.19  
    1.20  inductive_cases empty_foldSetDE [elim!]: "({}, x) \<in> foldSetD D f e"
    1.21 @@ -36,7 +35,7 @@
    1.22  lemma foldSetD_closed:
    1.23    "[| (A, z) \<in> foldSetD D f e ; e \<in> D; !!x y. [| x \<in> A; y \<in> D |] ==> f x y \<in> D 
    1.24        |] ==> z \<in> D";
    1.25 -  by (erule foldSetD.elims) auto
    1.26 +  by (erule foldSetD.cases) auto
    1.27  
    1.28  lemma Diff1_foldSetD:
    1.29    "[| (A - {x}, y) \<in> foldSetD D f e; x \<in> A; f x y \<in> D |] ==>
    1.30 @@ -75,7 +74,7 @@
    1.31  
    1.32  lemma (in LCD) foldSetD_closed [dest]:
    1.33    "(A, z) \<in> foldSetD D f e ==> z \<in> D";
    1.34 -  by (erule foldSetD.elims) auto
    1.35 +  by (erule foldSetD.cases) auto
    1.36  
    1.37  lemma (in LCD) Diff1_foldSetD:
    1.38    "[| (A - {x}, y) \<in> foldSetD D f e; x \<in> A; A \<subseteq> B |] ==>
    1.39 @@ -117,7 +116,7 @@
    1.40    apply (erule rev_mp)
    1.41    apply (simp add: less_Suc_eq_le)
    1.42    apply (rule impI)
    1.43 -  apply (rename_tac Aa xa ya Ab xb yb, case_tac "xa = xb")
    1.44 +  apply (rename_tac xa Aa ya xb Ab yb, case_tac "xa = xb")
    1.45     apply (subgoal_tac "Aa = Ab")
    1.46      prefer 2 apply (blast elim!: equalityE)
    1.47     apply blast
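Review bot: The reordered `rename_tac xa Aa ya xb Ab yb` encodes the order in which the new `foldSetD` rules introduce their bound variables, but nothing in the script records that dependency, so the next change to the package's variable ordering would break this step with no hint as to why. A one-line comment above it would capture the contract, e.g. `(* name order follows the new inductive_set rule: element, set, value -- adjust if the package changes *)`. The new order matches how `insertI` lists `x`, `A`, `y` in its premises, but that is inferred rather than stated, and the enclosing lemma starts above this hunk, so it should be confirmed against the actual goal before the comment is committed.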
     2.1 --- a/src/HOL/Auth/CertifiedEmail.thy	Wed Jul 11 11:13:08 2007 +0200
     2.2 +++ b/src/HOL/Auth/CertifiedEmail.thy	Wed Jul 11 11:14:51 2007 +0200
     2.3 @@ -30,24 +30,23 @@
     2.4     "response S R q == Hash {|Agent S, Key (shrK R), Nonce q|}"
     2.5  
     2.6  
     2.7 -consts  certified_mail   :: "event list set"
     2.8 -inductive "certified_mail"
     2.9 -  intros 
    2.10 +inductive_set certified_mail :: "event list set"
    2.11 +  where
    2.12  
    2.13 -Nil: --{*The empty trace*}
    2.14 +  Nil: --{*The empty trace*}
    2.15       "[] \<in> certified_mail"
    2.16  
    2.17 -Fake: --{*The Spy may say anything he can say.  The sender field is correct,
    2.18 +| Fake: --{*The Spy may say anything he can say.  The sender field is correct,
    2.19            but agents don't use that information.*}
    2.20        "[| evsf \<in> certified_mail; X \<in> synth(analz(spies evsf))|] 
    2.21         ==> Says Spy B X # evsf \<in> certified_mail"
    2.22  
    2.23 -FakeSSL: --{*The Spy may open SSL sessions with TTP, who is the only agent
    2.24 +| FakeSSL: --{*The Spy may open SSL sessions with TTP, who is the only agent
    2.25      equipped with the necessary credentials to serve as an SSL server.*}
    2.26  	 "[| evsfssl \<in> certified_mail; X \<in> synth(analz(spies evsfssl))|]
    2.27            ==> Notes TTP {|Agent Spy, Agent TTP, X|} # evsfssl \<in> certified_mail"
    2.28  
    2.29 -CM1: --{*The sender approaches the recipient.  The message is a number.*}
    2.30 +| CM1: --{*The sender approaches the recipient.  The message is a number.*}
    2.31   "[|evs1 \<in> certified_mail;
    2.32      Key K \<notin> used evs1;
    2.33      K \<in> symKeys;
    2.34 @@ -58,7 +57,7 @@
    2.35  		 Number cleartext, Nonce q, S2TTP|} # evs1 
    2.36  	\<in> certified_mail"
    2.37  
    2.38 -CM2: --{*The recipient records @{term S2TTP} while transmitting it and her
    2.39 +| CM2: --{*The recipient records @{term S2TTP} while transmitting it and her
    2.40       password to @{term TTP} over an SSL channel.*}
    2.41   "[|evs2 \<in> certified_mail;
    2.42      Gets R {|Agent S, Agent TTP, em, Number BothAuth, Number cleartext, 
    2.43 @@ -69,7 +68,7 @@
    2.44     Notes TTP {|Agent R, Agent TTP, S2TTP, Key(RPwd R), hr|} # evs2
    2.45        \<in> certified_mail"
    2.46  
    2.47 -CM3: --{*@{term TTP} simultaneously reveals the key to the recipient and gives
    2.48 +| CM3: --{*@{term TTP} simultaneously reveals the key to the recipient and gives
    2.49           a receipt to the sender.  The SSL channel does not authenticate 
    2.50           the client (@{term R}), but @{term TTP} accepts the message only 
    2.51           if the given password is that of the claimed sender, @{term R}.
    2.52 @@ -84,7 +83,7 @@
    2.53     Gets S (Crypt (priSK TTP) S2TTP) # 
    2.54     Says TTP S (Crypt (priSK TTP) S2TTP) # evs3 \<in> certified_mail"
    2.55  
    2.56 -Reception:
    2.57 +| Reception:
    2.58   "[|evsr \<in> certified_mail; Says A B X \<in> set evsr|]
    2.59    ==> Gets B X#evsr \<in> certified_mail"
    2.60  
     3.1 --- a/src/HOL/Auth/Guard/Analz.thy	Wed Jul 11 11:13:08 2007 +0200
     3.2 +++ b/src/HOL/Auth/Guard/Analz.thy	Wed Jul 11 11:14:51 2007 +0200
     3.3 @@ -18,13 +18,13 @@
     3.4  
     3.5  subsection{*messages that do not contribute to analz*}
     3.6  
     3.7 -consts pparts :: "msg set => msg set"
     3.8 -
     3.9 -inductive "pparts H"
    3.10 -intros
    3.11 -Inj [intro]: "[| X:H; is_MPair X |] ==> X:pparts H"
    3.12 -Fst [dest]: "[| {|X,Y|}:pparts H; is_MPair X |] ==> X:pparts H"
    3.13 -Snd [dest]: "[| {|X,Y|}:pparts H; is_MPair Y |] ==> Y:pparts H"
    3.14 +inductive_set
    3.15 +  pparts :: "msg set => msg set"
    3.16 +  for H :: "msg set"
    3.17 +where
    3.18 +  Inj [intro]: "[| X:H; is_MPair X |] ==> X:pparts H"
    3.19 +| Fst [dest]: "[| {|X,Y|}:pparts H; is_MPair X |] ==> X:pparts H"
    3.20 +| Snd [dest]: "[| {|X,Y|}:pparts H; is_MPair Y |] ==> Y:pparts H"
    3.21  
    3.22  subsection{*basic facts about @{term pparts}*}
    3.23  
    3.24 @@ -120,13 +120,13 @@
    3.25  
    3.26  subsection{*messages that contribute to analz*}
    3.27  
    3.28 -consts kparts :: "msg set => msg set"
    3.29 -
    3.30 -inductive "kparts H"
    3.31 -intros
    3.32 -Inj [intro]: "[| X:H; not_MPair X |] ==> X:kparts H"
    3.33 -Fst [intro]: "[| {|X,Y|}:pparts H; not_MPair X |] ==> X:kparts H"
    3.34 -Snd [intro]: "[| {|X,Y|}:pparts H; not_MPair Y |] ==> Y:kparts H"
    3.35 +inductive_set
    3.36 +  kparts :: "msg set => msg set"
    3.37 +  for H :: "msg set"
    3.38 +where
    3.39 +  Inj [intro]: "[| X:H; not_MPair X |] ==> X:kparts H"
    3.40 +| Fst [intro]: "[| {|X,Y|}:pparts H; not_MPair X |] ==> X:kparts H"
    3.41 +| Snd [intro]: "[| {|X,Y|}:pparts H; not_MPair Y |] ==> Y:kparts H"
    3.42  
    3.43  subsection{*basic facts about @{term kparts}*}
    3.44  
     4.1 --- a/src/HOL/Auth/Guard/Guard.thy	Wed Jul 11 11:13:08 2007 +0200
     4.2 +++ b/src/HOL/Auth/Guard/Guard.thy	Wed Jul 11 11:14:51 2007 +0200
     4.3 @@ -18,14 +18,14 @@
     4.4  in a sub-message of the form Crypt (invKey K) X with K:Ks
     4.5  ******************************************************************************)
     4.6  
     4.7 -consts guard :: "nat => key set => msg set"
     4.8 -
     4.9 -inductive "guard n Ks"
    4.10 -intros
    4.11 -No_Nonce [intro]: "Nonce n ~:parts {X} ==> X:guard n Ks"
    4.12 -Guard_Nonce [intro]: "invKey K:Ks ==> Crypt K X:guard n Ks"
    4.13 -Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks"
    4.14 -Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> {|X,Y|}:guard n Ks"
    4.15 +inductive_set
    4.16 +  guard :: "nat => key set => msg set"
    4.17 +  for n :: nat and Ks :: "key set"
    4.18 +where
    4.19 +  No_Nonce [intro]: "Nonce n ~:parts {X} ==> X:guard n Ks"
    4.20 +| Guard_Nonce [intro]: "invKey K:Ks ==> Crypt K X:guard n Ks"
    4.21 +| Crypt [intro]: "X:guard n Ks ==> Crypt K X:guard n Ks"
    4.22 +| Pair [intro]: "[| X:guard n Ks; Y:guard n Ks |] ==> {|X,Y|}:guard n Ks"
    4.23  
    4.24  subsection{*basic facts about @{term guard}*}
    4.25  
    4.26 @@ -117,7 +117,7 @@
    4.27  ==> Guard n Ks (analz G)"
    4.28  apply (auto simp: Guard_def)
    4.29  apply (erule analz.induct, auto)
    4.30 -by (ind_cases "Crypt K Xa:guard n Ks", auto)
    4.31 +by (ind_cases "Crypt K Xa:guard n Ks" for K Xa, auto)
    4.32  
    4.33  lemma in_Guard [dest]: "[| X:G; Guard n Ks G |] ==> X:guard n Ks"
    4.34  by (auto simp: Guard_def)
     5.1 --- a/src/HOL/Auth/Guard/GuardK.thy	Wed Jul 11 11:13:08 2007 +0200
     5.2 +++ b/src/HOL/Auth/Guard/GuardK.thy	Wed Jul 11 11:14:51 2007 +0200
     5.3 @@ -23,14 +23,14 @@
     5.4  in a sub-message of the form Crypt (invKey K) X with K:Ks
     5.5  ******************************************************************************)
     5.6  
     5.7 -consts guardK :: "nat => key set => msg set"
     5.8 -
     5.9 -inductive "guardK n Ks"
    5.10 -intros
    5.11 -No_Key [intro]: "Key n ~:parts {X} ==> X:guardK n Ks"
    5.12 -Guard_Key [intro]: "invKey K:Ks ==> Crypt K X:guardK n Ks"
    5.13 -Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks"
    5.14 -Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> {|X,Y|}:guardK n Ks"
    5.15 +inductive_set
    5.16 +  guardK :: "nat => key set => msg set"
    5.17 +  for n :: nat and Ks :: "key set"
    5.18 +where
    5.19 +  No_Key [intro]: "Key n ~:parts {X} ==> X:guardK n Ks"
    5.20 +| Guard_Key [intro]: "invKey K:Ks ==> Crypt K X:guardK n Ks"
    5.21 +| Crypt [intro]: "X:guardK n Ks ==> Crypt K X:guardK n Ks"
    5.22 +| Pair [intro]: "[| X:guardK n Ks; Y:guardK n Ks |] ==> {|X,Y|}:guardK n Ks"
    5.23  
    5.24  subsection{*basic facts about @{term guardK}*}
    5.25  
    5.26 @@ -119,7 +119,7 @@
    5.27  ==> GuardK n Ks (analz G)"
    5.28  apply (auto simp: GuardK_def)
    5.29  apply (erule analz.induct, auto)
    5.30 -by (ind_cases "Crypt K Xa:guardK n Ks", auto)
    5.31 +by (ind_cases "Crypt K Xa:guardK n Ks" for K Xa, auto)
    5.32  
    5.33  lemma in_GuardK [dest]: "[| X:G; GuardK n Ks G |] ==> X:guardK n Ks"
    5.34  by (auto simp: GuardK_def)
     6.1 --- a/src/HOL/Auth/Guard/Guard_NS_Public.thy	Wed Jul 11 11:13:08 2007 +0200
     6.2 +++ b/src/HOL/Auth/Guard/Guard_NS_Public.thy	Wed Jul 11 11:14:51 2007 +0200
     6.3 @@ -40,22 +40,20 @@
     6.4  
     6.5  subsection{*definition of the protocol*}
     6.6  
     6.7 -consts nsp :: "event list set"
     6.8 +inductive_set nsp :: "event list set"
     6.9 +where
    6.10  
    6.11 -inductive nsp
    6.12 -intros
    6.13 +  Nil: "[]:nsp"
    6.14  
    6.15 -Nil: "[]:nsp"
    6.16 +| Fake: "[| evs:nsp; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs : nsp"
    6.17  
    6.18 -Fake: "[| evs:nsp; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs : nsp"
    6.19 -
    6.20 -NS1: "[| evs1:nsp; Nonce NA ~:used evs1 |] ==> ns1 A B NA # evs1 : nsp"
    6.21 +| NS1: "[| evs1:nsp; Nonce NA ~:used evs1 |] ==> ns1 A B NA # evs1 : nsp"
    6.22  
    6.23 -NS2: "[| evs2:nsp; Nonce NB ~:used evs2; ns1' A' A B NA:set evs2 |] ==>
    6.24 -ns2 B A NA NB # evs2:nsp"
    6.25 +| NS2: "[| evs2:nsp; Nonce NB ~:used evs2; ns1' A' A B NA:set evs2 |] ==>
    6.26 +  ns2 B A NA NB # evs2:nsp"
    6.27  
    6.28 -NS3: "[| evs3:nsp; ns1 A B NA:set evs3; ns2' B' B A NA NB:set evs3 |] ==>
    6.29 -ns3 A B NB # evs3:nsp"
    6.30 +| NS3: "!!A B B' NA NB evs3. [| evs3:nsp; ns1 A B NA:set evs3; ns2' B' B A NA NB:set evs3 |] ==>
    6.31 +  ns3 A B NB # evs3:nsp"
    6.32  
    6.33  subsection{*declarations for tactics*}
    6.34  
    6.35 @@ -72,7 +70,7 @@
    6.36  by (auto simp: Gets_correct_def dest: nsp_has_no_Gets)
    6.37  
    6.38  lemma nsp_is_one_step [iff]: "one_step nsp"
    6.39 -by (unfold one_step_def, clarify, ind_cases "ev#evs:nsp", auto)
    6.40 +by (unfold one_step_def, clarify, ind_cases "ev#evs:nsp" for ev evs, auto)
    6.41  
    6.42  lemma nsp_has_only_Says' [rule_format]: "evs:nsp ==>
    6.43  ev:set evs --> (EX A B X. ev=Says A B X)"
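Review bot: In the `nsp` definition the NS3 rule is the only one given an explicit `!!A B B' NA NB evs3.` binder; the sibling rules rely on implicit generalisation and the reason for the exception is not recorded. Presumably the binder pins the variable order that tactic proofs elsewhere instantiate positionally; a comment on the rule such as `--{*explicit binder fixes the variable order relied on by positional instantiation elsewhere*}` would stop a later maintainer from "normalising" it away and silently breaking those proofs. The binder does name all six free variables of the rule (A, B, B', NA, NB, evs3), so the set being defined is unchanged.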
     7.1 --- a/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Wed Jul 11 11:13:08 2007 +0200
     7.2 +++ b/src/HOL/Auth/Guard/Guard_OtwayRees.thy	Wed Jul 11 11:14:51 2007 +0200
     7.3 @@ -62,25 +62,23 @@
     7.4  
     7.5  subsection{*definition of the protocol*}
     7.6  
     7.7 -consts or :: "event list set"
     7.8 +inductive_set or :: "event list set"
     7.9 +where
    7.10  
    7.11 -inductive or
    7.12 -intros
    7.13 +  Nil: "[]:or"
    7.14  
    7.15 -Nil: "[]:or"
    7.16 +| Fake: "[| evs:or; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:or"
    7.17  
    7.18 -Fake: "[| evs:or; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:or"
    7.19 +| OR1: "[| evs1:or; Nonce NA ~:used evs1 |] ==> or1 A B NA # evs1:or"
    7.20  
    7.21 -OR1: "[| evs1:or; Nonce NA ~:used evs1 |] ==> or1 A B NA # evs1:or"
    7.22 -
    7.23 -OR2: "[| evs2:or; or1' A' A B NA X:set evs2; Nonce NB ~:used evs2 |]
    7.24 -==> or2 A B NA NB X # evs2:or"
    7.25 +| OR2: "[| evs2:or; or1' A' A B NA X:set evs2; Nonce NB ~:used evs2 |]
    7.26 +  ==> or2 A B NA NB X # evs2:or"
    7.27  
    7.28 -OR3: "[| evs3:or; or2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
    7.29 -==> or3 A B NA NB K # evs3:or"
    7.30 +| OR3: "[| evs3:or; or2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
    7.31 +  ==> or3 A B NA NB K # evs3:or"
    7.32  
    7.33 -OR4: "[| evs4:or; or2 A B NA NB X:set evs4; or3' S Y A B NA NB K:set evs4 |]
    7.34 -==> or4 A B NA X # evs4:or"
    7.35 +| OR4: "[| evs4:or; or2 A B NA NB X:set evs4; or3' S Y A B NA NB K:set evs4 |]
    7.36 +  ==> or4 A B NA X # evs4:or"
    7.37  
    7.38  subsection{*declarations for tactics*}
    7.39  
    7.40 @@ -97,7 +95,7 @@
    7.41  by (auto simp: Gets_correct_def dest: or_has_no_Gets)
    7.42  
    7.43  lemma or_is_one_step [iff]: "one_step or"
    7.44 -by (unfold one_step_def, clarify, ind_cases "ev#evs:or", auto)
    7.45 +by (unfold one_step_def, clarify, ind_cases "ev#evs:or" for ev evs, auto)
    7.46  
    7.47  lemma or_has_only_Says' [rule_format]: "evs:or ==>
    7.48  ev:set evs --> (EX A B X. ev=Says A B X)"
     8.1 --- a/src/HOL/Auth/Guard/Guard_Yahalom.thy	Wed Jul 11 11:13:08 2007 +0200
     8.2 +++ b/src/HOL/Auth/Guard/Guard_Yahalom.thy	Wed Jul 11 11:14:51 2007 +0200
     8.3 @@ -53,25 +53,23 @@
     8.4  
     8.5  subsection{*definition of the protocol*}
     8.6  
     8.7 -consts ya :: "event list set"
     8.8 +inductive_set ya :: "event list set"
     8.9 +where
    8.10  
    8.11 -inductive ya
    8.12 -intros
    8.13 +  Nil: "[]:ya"
    8.14  
    8.15 -Nil: "[]:ya"
    8.16 +| Fake: "[| evs:ya; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:ya"
    8.17  
    8.18 -Fake: "[| evs:ya; X:synth (analz (spies evs)) |] ==> Says Spy B X # evs:ya"
    8.19 +| YA1: "[| evs1:ya; Nonce NA ~:used evs1 |] ==> ya1 A B NA # evs1:ya"
    8.20  
    8.21 -YA1: "[| evs1:ya; Nonce NA ~:used evs1 |] ==> ya1 A B NA # evs1:ya"
    8.22 -
    8.23 -YA2: "[| evs2:ya; ya1' A' A B NA:set evs2; Nonce NB ~:used evs2 |]
    8.24 -==> ya2 A B NA NB # evs2:ya"
    8.25 +| YA2: "[| evs2:ya; ya1' A' A B NA:set evs2; Nonce NB ~:used evs2 |]
    8.26 +  ==> ya2 A B NA NB # evs2:ya"
    8.27  
    8.28 -YA3: "[| evs3:ya; ya2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
    8.29 -==> ya3 A B NA NB K # evs3:ya"
    8.30 +| YA3: "[| evs3:ya; ya2' B' A B NA NB:set evs3; Key K ~:used evs3 |]
    8.31 +  ==> ya3 A B NA NB K # evs3:ya"
    8.32  
    8.33 -YA4: "[| evs4:ya; ya1 A B NA:set evs4; ya3' S Y A B NA NB K:set evs4 |]
    8.34 -==> ya4 A B K NB Y # evs4:ya"
    8.35 +| YA4: "[| evs4:ya; ya1 A B NA:set evs4; ya3' S Y A B NA NB K:set evs4 |]
    8.36 +  ==> ya4 A B K NB Y # evs4:ya"
    8.37  
    8.38  subsection{*declarations for tactics*}
    8.39  
    8.40 @@ -88,7 +86,7 @@
    8.41  by (auto simp: Gets_correct_def dest: ya_has_no_Gets)
    8.42  
    8.43  lemma ya_is_one_step [iff]: "one_step ya"
    8.44 -by (unfold one_step_def, clarify, ind_cases "ev#evs:ya", auto)
    8.45 +by (unfold one_step_def, clarify, ind_cases "ev#evs:ya" for ev evs, auto)
    8.46  
    8.47  lemma ya_has_only_Says' [rule_format]: "evs:ya ==>
    8.48  ev:set evs --> (EX A B X. ev=Says A B X)"
     9.1 --- a/src/HOL/Auth/Guard/List_Msg.thy	Wed Jul 11 11:13:08 2007 +0200
     9.2 +++ b/src/HOL/Auth/Guard/List_Msg.thy	Wed Jul 11 11:14:51 2007 +0200
     9.3 @@ -137,12 +137,10 @@
     9.4    nil :: msg where
     9.5    "nil == Number 0"
     9.6  
     9.7 -consts agl :: "msg set"
     9.8 -
     9.9 -inductive agl
    9.10 -intros
    9.11 -Nil[intro]: "nil:agl"
    9.12 -Cons[intro]: "[| A:agent; I:agl |] ==> cons (Agent A) I :agl"
    9.13 +inductive_set agl :: "msg set"
    9.14 +where
    9.15 +  Nil[intro]: "nil:agl"
    9.16 +| Cons[intro]: "[| A:agent; I:agl |] ==> cons (Agent A) I :agl"
    9.17  
    9.18  subsubsection{*basic facts about agent lists*}
    9.19  
    10.1 --- a/src/HOL/Auth/Guard/P1.thy	Wed Jul 11 11:13:08 2007 +0200
    10.2 +++ b/src/HOL/Auth/Guard/P1.thy	Wed Jul 11 11:14:51 2007 +0200
    10.3 @@ -150,20 +150,18 @@
    10.4  
    10.5  subsubsection{*protocol*}
    10.6  
    10.7 -consts p1 :: "event list set"
    10.8 +inductive_set p1 :: "event list set"
    10.9 +where
   10.10  
   10.11 -inductive p1
   10.12 -intros
   10.13 -
   10.14 -Nil: "[]:p1"
   10.15 +  Nil: "[]:p1"
   10.16  
   10.17 -Fake: "[| evsf:p1; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p1"
   10.18 +| Fake: "[| evsf:p1; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p1"
   10.19  
   10.20 -Request: "[| evsr:p1; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p1"
   10.21 +| Request: "[| evsr:p1; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p1"
   10.22  
   10.23 -Propose: "[| evsp:p1; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
   10.24 -I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   10.25 -Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1"
   10.26 +| Propose: "[| evsp:p1; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
   10.27 +  I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   10.28 +  Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p1"
   10.29  
   10.30  subsubsection{*Composition of Traces*}
   10.31  
   10.32 @@ -181,13 +179,13 @@
   10.33  
   10.34  subsubsection{*Valid Offer Lists*}
   10.35  
   10.36 -consts valid :: "agent => nat => agent => msg set"
   10.37 +inductive_set
   10.38 +  valid :: "agent => nat => agent => msg set"
   10.39 +  for A :: agent and n :: nat and B :: agent
   10.40 +where
   10.41 +  Request [intro]: "cons (anchor A n B) nil:valid A n B"
   10.42  
   10.43 -inductive "valid A n B"
   10.44 -intros
   10.45 -Request [intro]: "cons (anchor A n B) nil:valid A n B"
   10.46 -
   10.47 -Propose [intro]: "L:valid A n B
   10.48 +| Propose [intro]: "L:valid A n B
   10.49  ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
   10.50  
   10.51  subsubsection{*basic properties of valid*}
   10.52 @@ -284,15 +282,15 @@
   10.53  apply clarify
   10.54  apply (frule len_not_empty, clarsimp)
   10.55  apply (frule len_not_empty, clarsimp)
   10.56 -apply (ind_cases "{|x,xa,l'a|}:valid A n B")
   10.57 -apply (ind_cases "{|x,M,l'a|}:valid A n B")
   10.58 +apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a)
   10.59 +apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a)
   10.60  apply (simp add: chain_def)
   10.61  (* i > 0 *)
   10.62  apply clarify
   10.63  apply (frule len_not_empty, clarsimp)
   10.64 -apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B")
   10.65 +apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na)
   10.66  apply (frule len_not_empty, clarsimp)
   10.67 -apply (ind_cases "{|x,l'|}:valid A n B")
   10.68 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   10.69  by (drule_tac x=l' in spec, simp, blast)
   10.70  
   10.71  subsubsection{*insertion resilience:
   10.72 @@ -308,15 +306,15 @@
   10.73  (* i = 0 *)
   10.74  apply clarify
   10.75  apply (frule len_not_empty, clarsimp)
   10.76 -apply (ind_cases "{|x,l'|}:valid A n B", simp)
   10.77 -apply (ind_cases "{|x,M,l'|}:valid A n B", clarsimp)
   10.78 -apply (ind_cases "{|head l',l'|}:valid A n B", simp, simp)
   10.79 +apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp)
   10.80 +apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp)
   10.81 +apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp)
   10.82  (* i > 0 *)
   10.83  apply clarify
   10.84  apply (frule len_not_empty, clarsimp)
   10.85 -apply (ind_cases "{|x,l'|}:valid A n B")
   10.86 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   10.87  apply (frule len_not_empty, clarsimp)
   10.88 -apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B")
   10.89 +apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na)
   10.90  apply (frule len_not_empty, clarsimp)
   10.91  by (drule_tac x=l' in spec, clarsimp)
   10.92  
   10.93 @@ -329,14 +327,14 @@
   10.94  (* i = 0 *)
   10.95  apply clarify
   10.96  apply (frule len_not_empty, clarsimp)
   10.97 -apply (ind_cases "{|x,l'|}:valid A n B")
   10.98 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   10.99  apply (frule len_not_empty, clarsimp)
  10.100 -apply (ind_cases "{|M,l'|}:valid A n B")
  10.101 +apply (ind_cases "{|M,l'|}:valid A n B" for l')
  10.102  apply (frule len_not_empty, clarsimp, simp)
  10.103  (* i > 0 *)
  10.104  apply clarify
  10.105  apply (frule len_not_empty, clarsimp)
  10.106 -apply (ind_cases "{|x,l'|}:valid A n B")
  10.107 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
  10.108  apply (frule len_not_empty, clarsimp)
  10.109  by (drule_tac x=l' in spec, clarsimp)
  10.110  
  10.111 @@ -375,7 +373,7 @@
  10.112  by (auto simp: Gets_correct_def dest: p1_has_no_Gets)
  10.113  
  10.114  lemma p1_is_one_step [iff]: "one_step p1"
  10.115 -by (unfold one_step_def, clarify, ind_cases "ev#evs:p1", auto)
  10.116 +by (unfold one_step_def, clarify, ind_cases "ev#evs:p1" for ev evs, auto)
  10.117  
  10.118  lemma p1_has_only_Says' [rule_format]: "evs:p1 ==>
  10.119  ev:set evs --> (EX A B X. ev=Says A B X)"
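Review bot: In the new `valid` definition the continuation line of `Propose`, `==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B`, sits at column 0 while every other rule continuation in this commit is indented by two spaces; the duplicate definition in `src/HOL/Auth/Guard/P2.thy` does indent it, and that copy in turn carries a stray double space in `for A :: agent and  n :: nat and B :: agent`. Indenting the P1 continuation as `  ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B` and dropping the extra space in P2 keeps the two intentionally identical definitions textually identical, so a later diff between the two theories shows only real differences.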
    11.1 --- a/src/HOL/Auth/Guard/P2.thy	Wed Jul 11 11:13:08 2007 +0200
    11.2 +++ b/src/HOL/Auth/Guard/P2.thy	Wed Jul 11 11:14:51 2007 +0200
    11.3 @@ -130,31 +130,29 @@
    11.4  
    11.5  subsubsection{*protocol*}
    11.6  
    11.7 -consts p2 :: "event list set"
    11.8 +inductive_set p2 :: "event list set"
    11.9 +where
   11.10  
   11.11 -inductive p2
   11.12 -intros
   11.13 -
   11.14 -Nil: "[]:p2"
   11.15 +  Nil: "[]:p2"
   11.16  
   11.17 -Fake: "[| evsf:p2; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p2"
   11.18 +| Fake: "[| evsf:p2; X:synth (analz (spies evsf)) |] ==> Says Spy B X # evsf : p2"
   11.19  
   11.20 -Request: "[| evsr:p2; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p2"
   11.21 +| Request: "[| evsr:p2; Nonce n ~:used evsr; I:agl |] ==> req A r n I B # evsr : p2"
   11.22  
   11.23 -Propose: "[| evsp:p2; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
   11.24 -I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   11.25 -Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
   11.26 +| Propose: "[| evsp:p2; Says A' B {|Agent A,Number r,I,cons M L|}:set evsp;
   11.27 +  I:agl; J:agl; isin (Agent C, app (J, del (Agent B, I)));
   11.28 +  Nonce ofr ~:used evsp |] ==> pro B ofr A r I (cons M L) J C # evsp : p2"
   11.29  
   11.30  subsubsection{*valid offer lists*}
   11.31  
   11.32 -consts valid :: "agent => nat => agent => msg set"
   11.33 +inductive_set
   11.34 +  valid :: "agent => nat => agent => msg set"
   11.35 +  for A :: agent and  n :: nat and B :: agent
   11.36 +where
   11.37 +  Request [intro]: "cons (anchor A n B) nil:valid A n B"
   11.38  
   11.39 -inductive "valid A n B"
   11.40 -intros
   11.41 -Request [intro]: "cons (anchor A n B) nil:valid A n B"
   11.42 -
   11.43 -Propose [intro]: "L:valid A n B
   11.44 -==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
   11.45 +| Propose [intro]: "L:valid A n B
   11.46 +  ==> cons (chain (next_shop (head L)) ofr A L C) L:valid A n B"
   11.47  
   11.48  subsubsection{*basic properties of valid*}
   11.49  
   11.50 @@ -188,15 +186,15 @@
   11.51  apply clarify
   11.52  apply (frule len_not_empty, clarsimp)
   11.53  apply (frule len_not_empty, clarsimp)
   11.54 -apply (ind_cases "{|x,xa,l'a|}:valid A n B")
   11.55 -apply (ind_cases "{|x,M,l'a|}:valid A n B")
   11.56 +apply (ind_cases "{|x,xa,l'a|}:valid A n B" for x xa l'a)
   11.57 +apply (ind_cases "{|x,M,l'a|}:valid A n B" for x l'a)
   11.58  apply (simp add: chain_def)
   11.59  (* i > 0 *)
   11.60  apply clarify
   11.61  apply (frule len_not_empty, clarsimp)
   11.62 -apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B")
   11.63 +apply (ind_cases "{|x,repl(l',Suc na,M)|}:valid A n B" for x l' na)
   11.64  apply (frule len_not_empty, clarsimp)
   11.65 -apply (ind_cases "{|x,l'|}:valid A n B")
   11.66 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   11.67  by (drule_tac x=l' in spec, simp, blast)
   11.68  
   11.69  subsection{*insertion resilience:
   11.70 @@ -212,15 +210,15 @@
   11.71  (* i = 0 *)
   11.72  apply clarify
   11.73  apply (frule len_not_empty, clarsimp)
   11.74 -apply (ind_cases "{|x,l'|}:valid A n B", simp)
   11.75 -apply (ind_cases "{|x,M,l'|}:valid A n B", clarsimp)
   11.76 -apply (ind_cases "{|head l',l'|}:valid A n B", simp, simp)
   11.77 +apply (ind_cases "{|x,l'|}:valid A n B" for x l', simp)
   11.78 +apply (ind_cases "{|x,M,l'|}:valid A n B" for x l', clarsimp)
   11.79 +apply (ind_cases "{|head l',l'|}:valid A n B" for l', simp, simp)
   11.80  (* i > 0 *)
   11.81  apply clarify
   11.82  apply (frule len_not_empty, clarsimp)
   11.83 -apply (ind_cases "{|x,l'|}:valid A n B")
   11.84 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   11.85  apply (frule len_not_empty, clarsimp)
   11.86 -apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B")
   11.87 +apply (ind_cases "{|x,ins(l',Suc na,M)|}:valid A n B" for x l' na)
   11.88  apply (frule len_not_empty, clarsimp)
   11.89  by (drule_tac x=l' in spec, clarsimp)
   11.90  
   11.91 @@ -233,14 +231,14 @@
   11.92  (* i = 0 *)
   11.93  apply clarify
   11.94  apply (frule len_not_empty, clarsimp)
   11.95 -apply (ind_cases "{|x,l'|}:valid A n B")
   11.96 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
   11.97  apply (frule len_not_empty, clarsimp)
   11.98 -apply (ind_cases "{|M,l'|}:valid A n B")
   11.99 +apply (ind_cases "{|M,l'|}:valid A n B" for l')
  11.100  apply (frule len_not_empty, clarsimp, simp)
  11.101  (* i > 0 *)
  11.102  apply clarify
  11.103  apply (frule len_not_empty, clarsimp)
  11.104 -apply (ind_cases "{|x,l'|}:valid A n B")
  11.105 +apply (ind_cases "{|x,l'|}:valid A n B" for x l')
  11.106  apply (frule len_not_empty, clarsimp)
  11.107  by (drule_tac x=l' in spec, clarsimp)
  11.108  
  11.109 @@ -279,7 +277,7 @@
  11.110  by (auto simp: Gets_correct_def dest: p2_has_no_Gets)
  11.111  
  11.112  lemma p2_is_one_step [iff]: "one_step p2"
  11.113 -by (unfold one_step_def, clarify, ind_cases "ev#evs:p2", auto)
  11.114 +by (unfold one_step_def, clarify, ind_cases "ev#evs:p2" for ev evs, auto)
  11.115  
  11.116  lemma p2_has_only_Says' [rule_format]: "evs:p2 ==>
  11.117  ev:set evs --> (EX A B X. ev=Says A B X)"
    12.1 --- a/src/HOL/Auth/Guard/Proto.thy	Wed Jul 11 11:13:08 2007 +0200
    12.2 +++ b/src/HOL/Auth/Guard/Proto.thy	Wed Jul 11 11:14:51 2007 +0200
    12.3 @@ -106,22 +106,23 @@
    12.4  "ok evs R s == ((ALL x. x:fst R --> ap s x:set evs)
    12.5  & (ALL n. n:newn R --> Nonce (nonce s n) ~:used evs))"
    12.6  
    12.7 -consts tr :: "proto => event list set"
    12.8 -
    12.9 -inductive "tr p" intros
   12.10 +inductive_set
   12.11 +  tr :: "proto => event list set"
   12.12 +  for p :: proto
   12.13 +where
   12.14  
   12.15 -Nil [intro]: "[]:tr p"
   12.16 +  Nil [intro]: "[]:tr p"
   12.17  
   12.18 -Fake [intro]: "[| evsf:tr p; X:synth (analz (spies evsf)) |]
   12.19 -==> Says Spy B X # evsf:tr p"
   12.20 +| Fake [intro]: "[| evsf:tr p; X:synth (analz (spies evsf)) |]
   12.21 +  ==> Says Spy B X # evsf:tr p"
   12.22  
   12.23 -Proto [intro]: "[| evs:tr p; R:p; ok evs R s |] ==> ap' s R # evs:tr p"
   12.24 +| Proto [intro]: "[| evs:tr p; R:p; ok evs R s |] ==> ap' s R # evs:tr p"
   12.25  
   12.26  subsection{*general properties*}
   12.27  
   12.28  lemma one_step_tr [iff]: "one_step (tr p)"
   12.29  apply (unfold one_step_def, clarify)
   12.30 -by (ind_cases "ev # evs:tr p", auto)
   12.31 +by (ind_cases "ev # evs:tr p" for ev evs, auto)
   12.32  
   12.33  constdefs has_only_Says' :: "proto => bool"
   12.34  "has_only_Says' p == ALL R. R:p --> is_Says (snd R)"
   12.35 @@ -379,9 +380,6 @@
   12.36  Na :: nat "Na == 0"
   12.37  Nb :: nat "Nb == 1"
   12.38  
   12.39 -consts
   12.40 -ns :: proto
   12.41 -
   12.42  abbreviation
   12.43    ns1 :: rule where
   12.44    "ns1 == ({}, Says a b (Crypt (pubK b) {|Nonce Na, Agent a|}))"
   12.45 @@ -397,10 +395,10 @@
   12.46      Says b' a (Crypt (pubK a) {|Nonce Na, Nonce Nb, Agent b|})},
   12.47      Says a b (Crypt (pubK b) (Nonce Nb)))"
   12.48  
   12.49 -inductive ns intros
   12.50 -[iff]: "ns1:ns"
   12.51 -[iff]: "ns2:ns"
   12.52 -[iff]: "ns3:ns"
   12.53 +inductive_set ns :: proto where
   12.54 +  [iff]: "ns1:ns"
   12.55 +| [iff]: "ns2:ns"
   12.56 +| [iff]: "ns3:ns"
   12.57  
   12.58  abbreviation (input)
   12.59    ns3a :: event where
   12.60 @@ -428,6 +426,8 @@
   12.61  lemma inf_is_ord [iff]: "ord ns inf"
   12.62  apply (unfold ord_def inf_def)
   12.63  apply (rule allI)+
   12.64 +apply (rule impI)
   12.65 +apply (simp add: split_paired_all)
   12.66  by (rule impI, erule ns.cases, simp_all)+
   12.67  
   12.68  subsection{*general properties*}
   12.69 @@ -435,6 +435,7 @@
   12.70  lemma ns_has_only_Says' [iff]: "has_only_Says' ns"
   12.71  apply (unfold has_only_Says'_def)
   12.72  apply (rule allI, rule impI)
   12.73 +apply (simp add: split_paired_all)
   12.74  by (erule ns.cases, auto)
   12.75  
   12.76  lemma newn_ns1 [iff]: "newn ns1 = {Na}"
   12.77 @@ -458,6 +459,7 @@
   12.78  apply (erule fresh_ruleD, simp, simp, simp, simp)
   12.79  apply (rule allI)+
   12.80  apply (rule impI, rule impI, rule impI)
   12.81 +apply (simp add: split_paired_all)
   12.82  apply (erule ns.cases)
   12.83  (* fresh with NS1 *)
   12.84  apply (rule impI, rule impI, rule impI, rule impI, rule impI, rule impI)
   12.85 @@ -525,6 +527,7 @@
   12.86  lemma "uniq' ns inf secret"
   12.87  apply (unfold uniq'_def)
   12.88  apply (rule allI)+
   12.89 +apply (simp add: split_paired_all)
   12.90  apply (rule impI, erule ns.cases)
   12.91  (* R = ns1 *)
   12.92  apply (rule impI, erule ns.cases)
   12.93 @@ -540,7 +543,8 @@
   12.94  apply (drule Crypt_insert_synth, simp, simp, simp)
   12.95  apply (drule Crypt_insert_synth, simp, simp, simp, simp)
   12.96  (* Proto *)
   12.97 -apply (erule_tac P="ok evsa Ra sa" in rev_mp)
   12.98 +apply (erule_tac P="ok evsa R sa" in rev_mp)
   12.99 +apply (simp add: split_paired_all)
  12.100  apply (erule ns.cases)
  12.101  (* ns1 *)
  12.102  apply (clarify, simp add: secret_def)
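Review bot: The rewrite `apply (erule_tac P="ok evsa R sa" in rev_mp)` (repeated in the two hunks that follow) ties the proof script to the variable names the new package generates for the `tr.cases`/`ns.cases` elimination, and this very hunk shows those names already moved once (`Ra` became `R`), so the script will break again at the next package change. Naming the case variables yourself before the `rev_mp` step, e.g. with a `rename_tac evsa R sa` after the case split, or restating the step on the term rather than the name, would make the proof independent of generated names. The enclosing lemma begins outside this hunk, so I cannot see which case split introduces `R` here.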
  12.103 @@ -563,7 +567,8 @@
  12.104  apply (drule Crypt_insert_synth, simp, simp, simp)
  12.105  apply (drule_tac n="nonce s' Nb" in Crypt_insert_synth, simp, simp, simp, simp)
  12.106  (* Proto *)
  12.107 -apply (erule_tac P="ok evsa Ra sa" in rev_mp)
  12.108 +apply (erule_tac P="ok evsa R sa" in rev_mp)
  12.109 +apply (simp add: split_paired_all)
  12.110  apply (erule ns.cases)
  12.111  (* ns1 *)
  12.112  apply (clarify, simp add: secret_def)
  12.113 @@ -591,7 +596,8 @@
  12.114  apply (drule_tac n="nonce s' Nb" in Crypt_insert_synth, simp, simp, simp)
  12.115  apply (drule_tac n="nonce s' Nb" in Crypt_insert_synth, simp, simp, simp, simp)
  12.116  (* Proto *)
  12.117 -apply (erule_tac P="ok evsa Ra sa" in rev_mp)
  12.118 +apply (erule_tac P="ok evsa R sa" in rev_mp)
  12.119 +apply (simp add: split_paired_all)
  12.120  apply (erule ns.cases)
  12.121  (* ns1 *)
  12.122  apply (simp add: secret_def)
    13.1 --- a/src/HOL/Auth/KerberosIV.thy	Wed Jul 11 11:13:08 2007 +0200
    13.2 +++ b/src/HOL/Auth/KerberosIV.thy	Wed Jul 11 11:14:51 2007 +0200
    13.3 @@ -110,19 +110,16 @@
    13.4                         Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
    13.5           \<in> set evs"
    13.6  
    13.7 -consts
    13.8 -
    13.9 -kerbIV   :: "event list set"
   13.10 -inductive "kerbIV"
   13.11 -  intros
   13.12 +inductive_set kerbIV :: "event list set"
   13.13 +  where
   13.14  
   13.15     Nil:  "[] \<in> kerbIV"
   13.16  
   13.17 -   Fake: "\<lbrakk> evsf \<in> kerbIV;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   13.18 + | Fake: "\<lbrakk> evsf \<in> kerbIV;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   13.19            \<Longrightarrow> Says Spy B X  # evsf \<in> kerbIV"
   13.20  
   13.21  (* FROM the initiator *)
   13.22 -   K1:   "\<lbrakk> evs1 \<in> kerbIV \<rbrakk>
   13.23 + | K1:   "\<lbrakk> evs1 \<in> kerbIV \<rbrakk>
   13.24            \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1
   13.25            \<in> kerbIV"
   13.26  
   13.27 @@ -133,7 +130,7 @@
   13.28  (*---------------------------------------------------------------------*)
   13.29  
   13.30  (*FROM Kas *)
   13.31 -   K2:  "\<lbrakk> evs2 \<in> kerbIV; Key authK \<notin> used evs2; authK \<in> symKeys;
   13.32 + | K2:  "\<lbrakk> evs2 \<in> kerbIV; Key authK \<notin> used evs2; authK \<in> symKeys;
   13.33              Says A' Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk>
   13.34            \<Longrightarrow> Says Kas A
   13.35                  (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2),
   13.36 @@ -149,7 +146,7 @@
   13.37  (*---------------------------------------------------------------------*)
   13.38  
   13.39  (* FROM the initiator *)
   13.40 -   K3:  "\<lbrakk> evs3 \<in> kerbIV;
   13.41 + | K3:  "\<lbrakk> evs3 \<in> kerbIV;
   13.42              Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3;
   13.43              Says Kas' A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
   13.44                authTicket\<rbrace>) \<in> set evs3;
   13.45 @@ -169,7 +166,7 @@
   13.46     Theorems that exploit it have the suffix `_u', which stands for updated 
   13.47     protocol.
   13.48  *)
   13.49 -   K4:  "\<lbrakk> evs4 \<in> kerbIV; Key servK \<notin> used evs4; servK \<in> symKeys;
   13.50 + | K4:  "\<lbrakk> evs4 \<in> kerbIV; Key servK \<notin> used evs4; servK \<in> symKeys;
   13.51              B \<noteq> Tgs;  authK \<in> symKeys;
   13.52              Says A' Tgs \<lbrace>
   13.53               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
   13.54 @@ -196,7 +193,7 @@
   13.55  (*---------------------------------------------------------------------*)
   13.56  
   13.57  (* FROM the initiator *)
   13.58 -   K5:  "\<lbrakk> evs5 \<in> kerbIV; authK \<in> symKeys; servK \<in> symKeys;
   13.59 + | K5:  "\<lbrakk> evs5 \<in> kerbIV; authK \<in> symKeys; servK \<in> symKeys;
   13.60              Says A Tgs
   13.61                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   13.62  		  Agent B\<rbrace>
   13.63 @@ -213,7 +210,7 @@
   13.64  (*---------------------------------------------------------------------*)
   13.65  
   13.66  (* FROM the responder*)
   13.67 -    K6:  "\<lbrakk> evs6 \<in> kerbIV;
   13.68 +  | K6:  "\<lbrakk> evs6 \<in> kerbIV;
   13.69              Says A' B \<lbrace>
   13.70                (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>),
   13.71                (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace>
   13.72 @@ -228,7 +225,7 @@
   13.73  (*---------------------------------------------------------------------*)
   13.74  
   13.75  (* Leaking an authK... *)
   13.76 -   Oops1: "\<lbrakk> evsO1 \<in> kerbIV;  A \<noteq> Spy;
   13.77 + | Oops1: "\<lbrakk> evsO1 \<in> kerbIV;  A \<noteq> Spy;
   13.78                Says Kas A
   13.79                  (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
   13.80                                    authTicket\<rbrace>)  \<in> set evsO1;
   13.81 @@ -239,7 +236,7 @@
   13.82  (*---------------------------------------------------------------------*)
   13.83  
   13.84  (*Leaking a servK... *)
   13.85 -   Oops2: "\<lbrakk> evsO2 \<in> kerbIV;  A \<noteq> Spy;
   13.86 + | Oops2: "\<lbrakk> evsO2 \<in> kerbIV;  A \<noteq> Spy;
   13.87                Says Tgs A
   13.88                  (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
   13.89                     \<in> set evsO2;
    14.1 --- a/src/HOL/Auth/KerberosIV_Gets.thy	Wed Jul 11 11:13:08 2007 +0200
    14.2 +++ b/src/HOL/Auth/KerberosIV_Gets.thy	Wed Jul 11 11:14:51 2007 +0200
    14.3 @@ -98,22 +98,19 @@
    14.4                         Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace> \<rbrace>)
    14.5           \<in> set evs"
    14.6  
    14.7 -consts
    14.8 -
    14.9 -kerbIV_gets   :: "event list set"
   14.10 -inductive "kerbIV_gets"
   14.11 -  intros
   14.12 +inductive_set "kerbIV_gets" :: "event list set"
   14.13 +  where
   14.14  
   14.15     Nil:  "[] \<in> kerbIV_gets"
   14.16  
   14.17 -   Fake: "\<lbrakk> evsf \<in> kerbIV_gets;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   14.18 + | Fake: "\<lbrakk> evsf \<in> kerbIV_gets;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   14.19            \<Longrightarrow> Says Spy B X  # evsf \<in> kerbIV_gets"
   14.20  
   14.21 -   Reception: "\<lbrakk> evsr \<in> kerbIV_gets;  Says A B X \<in> set evsr \<rbrakk>
   14.22 + | Reception: "\<lbrakk> evsr \<in> kerbIV_gets;  Says A B X \<in> set evsr \<rbrakk>
   14.23                  \<Longrightarrow> Gets B X # evsr \<in> kerbIV_gets"
   14.24  
   14.25  (* FROM the initiator *)
   14.26 -   K1:   "\<lbrakk> evs1 \<in> kerbIV_gets \<rbrakk>
   14.27 + | K1:   "\<lbrakk> evs1 \<in> kerbIV_gets \<rbrakk>
   14.28            \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1
   14.29            \<in> kerbIV_gets"
   14.30  
   14.31 @@ -124,7 +121,7 @@
   14.32  (*---------------------------------------------------------------------*)
   14.33  
   14.34  (*FROM Kas *)
   14.35 -   K2:  "\<lbrakk> evs2 \<in> kerbIV_gets; Key authK \<notin> used evs2; authK \<in> symKeys;
   14.36 + | K2:  "\<lbrakk> evs2 \<in> kerbIV_gets; Key authK \<notin> used evs2; authK \<in> symKeys;
   14.37              Gets Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk>
   14.38            \<Longrightarrow> Says Kas A
   14.39                  (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2),
   14.40 @@ -140,7 +137,7 @@
   14.41  (*---------------------------------------------------------------------*)
   14.42  
   14.43  (* FROM the initiator *)
   14.44 -   K3:  "\<lbrakk> evs3 \<in> kerbIV_gets;
   14.45 + | K3:  "\<lbrakk> evs3 \<in> kerbIV_gets;
   14.46              Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3;
   14.47              Gets A (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
   14.48                authTicket\<rbrace>) \<in> set evs3;
   14.49 @@ -160,7 +157,7 @@
   14.50     Theorems that exploit it have the suffix `_u', which stands for updated 
   14.51     protocol.
   14.52  *)
   14.53 -   K4:  "\<lbrakk> evs4 \<in> kerbIV_gets; Key servK \<notin> used evs4; servK \<in> symKeys;
   14.54 + | K4:  "\<lbrakk> evs4 \<in> kerbIV_gets; Key servK \<notin> used evs4; servK \<in> symKeys;
   14.55              B \<noteq> Tgs;  authK \<in> symKeys;
   14.56              Gets Tgs \<lbrace>
   14.57               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
   14.58 @@ -187,7 +184,7 @@
   14.59  (*---------------------------------------------------------------------*)
   14.60  
   14.61  (* FROM the initiator *)
   14.62 -   K5:  "\<lbrakk> evs5 \<in> kerbIV_gets; authK \<in> symKeys; servK \<in> symKeys;
   14.63 + | K5:  "\<lbrakk> evs5 \<in> kerbIV_gets; authK \<in> symKeys; servK \<in> symKeys;
   14.64              Says A Tgs
   14.65                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   14.66  		  Agent B\<rbrace>
   14.67 @@ -204,7 +201,7 @@
   14.68  (*---------------------------------------------------------------------*)
   14.69  
   14.70  (* FROM the responder*)
   14.71 -    K6:  "\<lbrakk> evs6 \<in> kerbIV_gets;
   14.72 +  | K6:  "\<lbrakk> evs6 \<in> kerbIV_gets;
   14.73              Gets B \<lbrace>
   14.74                (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>),
   14.75                (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace>
   14.76 @@ -219,7 +216,7 @@
   14.77  (*---------------------------------------------------------------------*)
   14.78  
   14.79  (* Leaking an authK... *)
   14.80 -   Oops1: "\<lbrakk> evsO1 \<in> kerbIV_gets;  A \<noteq> Spy;
   14.81 + | Oops1: "\<lbrakk> evsO1 \<in> kerbIV_gets;  A \<noteq> Spy;
   14.82                Says Kas A
   14.83                  (Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta,
   14.84                                    authTicket\<rbrace>)  \<in> set evsO1;
   14.85 @@ -230,7 +227,7 @@
   14.86  (*---------------------------------------------------------------------*)
   14.87  
   14.88  (*Leaking a servK... *)
   14.89 -   Oops2: "\<lbrakk> evsO2 \<in> kerbIV_gets;  A \<noteq> Spy;
   14.90 + | Oops2: "\<lbrakk> evsO2 \<in> kerbIV_gets;  A \<noteq> Spy;
   14.91                Says Tgs A
   14.92                  (Crypt authK \<lbrace>Key servK, Agent B, Number Ts, servTicket\<rbrace>)
   14.93                     \<in> set evsO2;
    15.1 --- a/src/HOL/Auth/KerberosV.thy	Wed Jul 11 11:13:08 2007 +0200
    15.2 +++ b/src/HOL/Auth/KerberosV.thy	Wed Jul 11 11:14:51 2007 +0200
    15.3 @@ -100,24 +100,21 @@
    15.4                      Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, tt\<rbrace> \<rbrace>
    15.5           \<in> set evs"
    15.6  
    15.7 -consts
    15.8 -
    15.9 -kerbV   :: "event list set"
   15.10 -inductive "kerbV"
   15.11 -  intros
   15.12 +inductive_set kerbV :: "event list set"
   15.13 +  where
   15.14  
   15.15     Nil:  "[] \<in> kerbV"
   15.16  
   15.17 -   Fake: "\<lbrakk> evsf \<in> kerbV;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   15.18 + | Fake: "\<lbrakk> evsf \<in> kerbV;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   15.19            \<Longrightarrow> Says Spy B X  # evsf \<in> kerbV"
   15.20  
   15.21  
   15.22  (*Authentication phase*)
   15.23 -   KV1:   "\<lbrakk> evs1 \<in> kerbV \<rbrakk>
   15.24 + | KV1:   "\<lbrakk> evs1 \<in> kerbV \<rbrakk>
   15.25            \<Longrightarrow> Says A Kas \<lbrace>Agent A, Agent Tgs, Number (CT evs1)\<rbrace> # evs1
   15.26            \<in> kerbV"
   15.27     (*Unlike version IV, authTicket is not re-encrypted*)
   15.28 -   KV2:  "\<lbrakk> evs2 \<in> kerbV; Key authK \<notin> used evs2; authK \<in> symKeys;
   15.29 + | KV2:  "\<lbrakk> evs2 \<in> kerbV; Key authK \<notin> used evs2; authK \<in> symKeys;
   15.30              Says A' Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs2 \<rbrakk>
   15.31            \<Longrightarrow> Says Kas A \<lbrace>
   15.32            Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number (CT evs2)\<rbrace>,
   15.33 @@ -126,7 +123,7 @@
   15.34  
   15.35  
   15.36  (* Authorisation phase *)
   15.37 -   KV3:  "\<lbrakk> evs3 \<in> kerbV; A \<noteq> Kas; A \<noteq> Tgs;
   15.38 + | KV3:  "\<lbrakk> evs3 \<in> kerbV; A \<noteq> Kas; A \<noteq> Tgs;
   15.39              Says A Kas \<lbrace>Agent A, Agent Tgs, Number T1\<rbrace> \<in> set evs3;
   15.40              Says Kas' A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>,
   15.41                            authTicket\<rbrace> \<in> set evs3;
   15.42 @@ -136,7 +133,7 @@
   15.43                             (Crypt authK \<lbrace>Agent A, Number (CT evs3)\<rbrace>),
   15.44                             Agent B\<rbrace> # evs3 \<in> kerbV"
   15.45     (*Unlike version IV, servTicket is not re-encrypted*)
   15.46 -   KV4:  "\<lbrakk> evs4 \<in> kerbV; Key servK \<notin> used evs4; servK \<in> symKeys;
   15.47 + | KV4:  "\<lbrakk> evs4 \<in> kerbV; Key servK \<notin> used evs4; servK \<in> symKeys;
   15.48              B \<noteq> Tgs;  authK \<in> symKeys;
   15.49              Says A' Tgs \<lbrace>
   15.50               (Crypt (shrK Tgs) \<lbrace>Agent A, Agent Tgs, Key authK,
   15.51 @@ -154,7 +151,7 @@
   15.52  
   15.53  
   15.54  (*Service phase*)
   15.55 -   KV5:  "\<lbrakk> evs5 \<in> kerbV; authK \<in> symKeys; servK \<in> symKeys;
   15.56 + | KV5:  "\<lbrakk> evs5 \<in> kerbV; authK \<in> symKeys; servK \<in> symKeys;
   15.57              A \<noteq> Kas; A \<noteq> Tgs;
   15.58              Says A Tgs
   15.59                  \<lbrace>authTicket, Crypt authK \<lbrace>Agent A, Number T2\<rbrace>,
   15.60 @@ -168,7 +165,7 @@
   15.61  			 Crypt servK \<lbrace>Agent A, Number (CT evs5)\<rbrace> \<rbrace>
   15.62                 # evs5 \<in> kerbV"
   15.63  
   15.64 -    KV6:  "\<lbrakk> evs6 \<in> kerbV; B \<noteq> Kas; B \<noteq> Tgs;
   15.65 +  | KV6:  "\<lbrakk> evs6 \<in> kerbV; B \<noteq> Kas; B \<noteq> Tgs;
   15.66              Says A' B \<lbrace>
   15.67                (Crypt (shrK B) \<lbrace>Agent A, Agent B, Key servK, Number Ts\<rbrace>),
   15.68                (Crypt servK \<lbrace>Agent A, Number T3\<rbrace>)\<rbrace>
   15.69 @@ -182,7 +179,7 @@
   15.70  
   15.71  
   15.72  (* Leaking an authK... *)
   15.73 -   Oops1:"\<lbrakk> evsO1 \<in> kerbV;  A \<noteq> Spy;
   15.74 + | Oops1:"\<lbrakk> evsO1 \<in> kerbV;  A \<noteq> Spy;
   15.75               Says Kas A \<lbrace>Crypt (shrK A) \<lbrace>Key authK, Agent Tgs, Number Ta\<rbrace>,
   15.76                            authTicket\<rbrace>  \<in> set evsO1;
   15.77                expiredAK Ta evsO1 \<rbrakk>
   15.78 @@ -190,7 +187,7 @@
   15.79                 # evsO1 \<in> kerbV"
   15.80  
   15.81  (*Leaking a servK... *)
   15.82 -   Oops2: "\<lbrakk> evsO2 \<in> kerbV;  A \<noteq> Spy;
   15.83 + | Oops2: "\<lbrakk> evsO2 \<in> kerbV;  A \<noteq> Spy;
   15.84                Says Tgs A \<lbrace>Crypt authK \<lbrace>Key servK, Agent B, Number Ts\<rbrace>,
   15.85                             servTicket\<rbrace>  \<in> set evsO2;
   15.86                expiredSK Ts evsO2 \<rbrakk>
    16.1 --- a/src/HOL/Auth/Kerberos_BAN.thy	Wed Jul 11 11:13:08 2007 +0200
    16.2 +++ b/src/HOL/Auth/Kerberos_BAN.thy	Wed Jul 11 11:14:51 2007 +0200
    16.3 @@ -71,22 +71,21 @@
    16.4        ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
    16.5  
    16.6  
    16.7 -consts  bankerberos   :: "event list set"
    16.8 -inductive "bankerberos"
    16.9 - intros
   16.10 +inductive_set bankerberos :: "event list set"
   16.11 + where
   16.12  
   16.13     Nil:  "[] \<in> bankerberos"
   16.14  
   16.15 -   Fake: "\<lbrakk> evsf \<in> bankerberos;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   16.16 + | Fake: "\<lbrakk> evsf \<in> bankerberos;  X \<in> synth (analz (spies evsf)) \<rbrakk>
   16.17  	  \<Longrightarrow> Says Spy B X # evsf \<in> bankerberos"
   16.18  
   16.19  
   16.20 -   BK1:  "\<lbrakk> evs1 \<in> bankerberos \<rbrakk>
   16.21 + | BK1:  "\<lbrakk> evs1 \<in> bankerberos \<rbrakk>
   16.22  	  \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   16.23  		\<in>  bankerberos"
   16.24  
   16.25  
   16.26 -   BK2:  "\<lbrakk> evs2 \<in> bankerberos;  Key K \<notin> used evs2; K \<in> symKeys;
   16.27 + | BK2:  "\<lbrakk> evs2 \<in> bankerberos;  Key K \<notin> used evs2; K \<in> symKeys;
   16.28  	     Says A' Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   16.29  	  \<Longrightarrow> Says Server A
   16.30  		(Crypt (shrK A)
   16.31 @@ -95,7 +94,7 @@
   16.32  		# evs2 \<in> bankerberos"
   16.33  
   16.34  
   16.35 -   BK3:  "\<lbrakk> evs3 \<in> bankerberos;
   16.36 + | BK3:  "\<lbrakk> evs3 \<in> bankerberos;
   16.37  	     Says S A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   16.38  	       \<in> set evs3;
   16.39  	     Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   16.40 @@ -104,7 +103,7 @@
   16.41  	       # evs3 \<in> bankerberos"
   16.42  
   16.43  
   16.44 -   BK4:  "\<lbrakk> evs4 \<in> bankerberos;
   16.45 + | BK4:  "\<lbrakk> evs4 \<in> bankerberos;
   16.46  	     Says A' B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   16.47  			 (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   16.48  	     \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   16.49 @@ -112,7 +111,7 @@
   16.50  		\<in> bankerberos"
   16.51  
   16.52  	(*Old session keys may become compromised*)
   16.53 -   Oops: "\<lbrakk> evso \<in> bankerberos;
   16.54 + | Oops: "\<lbrakk> evso \<in> bankerberos;
   16.55           Says Server A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   16.56  	       \<in> set evso;
   16.57  	     expiredK Tk evso \<rbrakk>
    17.1 --- a/src/HOL/Auth/Kerberos_BAN_Gets.thy	Wed Jul 11 11:13:08 2007 +0200
    17.2 +++ b/src/HOL/Auth/Kerberos_BAN_Gets.thy	Wed Jul 11 11:14:51 2007 +0200
    17.3 @@ -63,24 +63,23 @@
    17.4        ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
    17.5  
    17.6  
    17.7 -consts  bankerb_gets   :: "event list set"
    17.8 -inductive "bankerb_gets"
    17.9 - intros
   17.10 +inductive_set bankerb_gets :: "event list set"
   17.11 + where
   17.12  
   17.13     Nil:  "[] \<in> bankerb_gets"
   17.14  
   17.15 -   Fake: "\<lbrakk> evsf \<in> bankerb_gets;  X \<in> synth (analz (knows Spy evsf)) \<rbrakk>
   17.16 + | Fake: "\<lbrakk> evsf \<in> bankerb_gets;  X \<in> synth (analz (knows Spy evsf)) \<rbrakk>
   17.17  	  \<Longrightarrow> Says Spy B X # evsf \<in> bankerb_gets"
   17.18  
   17.19 -   Reception: "\<lbrakk> evsr\<in> bankerb_gets; Says A B X \<in> set evsr \<rbrakk>
   17.20 + | Reception: "\<lbrakk> evsr\<in> bankerb_gets; Says A B X \<in> set evsr \<rbrakk>
   17.21                  \<Longrightarrow> Gets B X # evsr \<in> bankerb_gets"
   17.22  
   17.23 -   BK1:  "\<lbrakk> evs1 \<in> bankerb_gets \<rbrakk>
   17.24 + | BK1:  "\<lbrakk> evs1 \<in> bankerb_gets \<rbrakk>
   17.25  	  \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> # evs1
   17.26  		\<in>  bankerb_gets"
   17.27  
   17.28  
   17.29 -   BK2:  "\<lbrakk> evs2 \<in> bankerb_gets;  Key K \<notin> used evs2; K \<in> symKeys;
   17.30 + | BK2:  "\<lbrakk> evs2 \<in> bankerb_gets;  Key K \<notin> used evs2; K \<in> symKeys;
   17.31  	     Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   17.32  	  \<Longrightarrow> Says Server A
   17.33  		(Crypt (shrK A)
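Review bot: The `Fake` rule here is phrased over `knows Spy evsf`, whereas the same rule in Kerberos_BAN, KerberosIV and KerberosIV_Gets in this changeset uses `spies evsf`. If `spies` is the session's abbreviation for `knows Spy`, as it usually is, the two are interchangeable, but since this Gets variant is meant to mirror Kerberos_BAN rule for rule I would use one spelling throughout: `| Fake: "\<lbrakk> evsf \<in> bankerb_gets;  X \<in> synth (analz (spies evsf)) \<rbrakk>`. Lemmas that rewrite with one form then need no conversion step for the other.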
   17.34 @@ -89,7 +88,7 @@
   17.35  		# evs2 \<in> bankerb_gets"
   17.36  
   17.37  
   17.38 -   BK3:  "\<lbrakk> evs3 \<in> bankerb_gets;
   17.39 + | BK3:  "\<lbrakk> evs3 \<in> bankerb_gets;
   17.40  	     Gets A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   17.41  	       \<in> set evs3;
   17.42  	     Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   17.43 @@ -98,7 +97,7 @@
   17.44  	       # evs3 \<in> bankerb_gets"
   17.45  
   17.46  
   17.47 -   BK4:  "\<lbrakk> evs4 \<in> bankerb_gets;
   17.48 + | BK4:  "\<lbrakk> evs4 \<in> bankerb_gets;
   17.49  	     Gets B \<lbrace>(Crypt (shrK B) \<lbrace>Number Tk, Agent A, Key K\<rbrace>),
   17.50  			 (Crypt K \<lbrace>Agent A, Number Ta\<rbrace>) \<rbrace>: set evs4;
   17.51  	     \<not> expiredK Tk evs4;  \<not> expiredA Ta evs4 \<rbrakk>
   17.52 @@ -106,7 +105,7 @@
   17.53  		\<in> bankerb_gets"
   17.54  
   17.55  	(*Old session keys may become compromised*)
   17.56 -   Oops: "\<lbrakk> evso \<in> bankerb_gets;
   17.57 + | Oops: "\<lbrakk> evso \<in> bankerb_gets;
   17.58           Says Server A (Crypt (shrK A) \<lbrace>Number Tk, Agent B, Key K, Ticket\<rbrace>)
   17.59  	       \<in> set evso;
   17.60  	     expiredK Tk evso \<rbrakk>
    18.1 --- a/src/HOL/Auth/Message.thy	Wed Jul 11 11:13:08 2007 +0200
    18.2 +++ b/src/HOL/Auth/Message.thy	Wed Jul 11 11:14:51 2007 +0200
    18.3 @@ -72,13 +72,14 @@
    18.4  
    18.5  subsubsection{*Inductive Definition of All Parts" of a Message*}
    18.6  
    18.7 -consts  parts   :: "msg set => msg set"
    18.8 -inductive "parts H"
    18.9 -  intros 
   18.10 +inductive_set
   18.11 +  parts :: "msg set => msg set"
   18.12 +  for H :: "msg set"
   18.13 +  where
   18.14      Inj [intro]:               "X \<in> H ==> X \<in> parts H"
   18.15 -    Fst:         "{|X,Y|}   \<in> parts H ==> X \<in> parts H"
   18.16 -    Snd:         "{|X,Y|}   \<in> parts H ==> Y \<in> parts H"
   18.17 -    Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
   18.18 +  | Fst:         "{|X,Y|}   \<in> parts H ==> X \<in> parts H"
   18.19 +  | Snd:         "{|X,Y|}   \<in> parts H ==> Y \<in> parts H"
   18.20 +  | Body:        "Crypt K X \<in> parts H ==> X \<in> parts H"
   18.21  
   18.22  
   18.23  text{*Monotonicity*}
   18.24 @@ -335,13 +336,14 @@
   18.25      messages, including keys.  A form of downward closure.  Pairs can
   18.26      be taken apart; messages decrypted with known keys.  *}
   18.27  
   18.28 -consts  analz   :: "msg set => msg set"
   18.29 -inductive "analz H"
   18.30 -  intros 
   18.31 +inductive_set
   18.32 +  analz :: "msg set => msg set"
   18.33 +  for H :: "msg set"
   18.34 +  where
   18.35      Inj [intro,simp] :    "X \<in> H ==> X \<in> analz H"
   18.36 -    Fst:     "{|X,Y|} \<in> analz H ==> X \<in> analz H"
   18.37 -    Snd:     "{|X,Y|} \<in> analz H ==> Y \<in> analz H"
   18.38 -    Decrypt [dest]: 
   18.39 +  | Fst:     "{|X,Y|} \<in> analz H ==> X \<in> analz H"
   18.40 +  | Snd:     "{|X,Y|} \<in> analz H ==> Y \<in> analz H"
   18.41 +  | Decrypt [dest]: 
   18.42               "[|Crypt K X \<in> analz H; Key(invKey K): analz H|] ==> X \<in> analz H"
   18.43  
   18.44  
   18.45 @@ -460,14 +462,14 @@
   18.46                 analz (insert (Crypt K X) H) \<subseteq>  
   18.47                 insert (Crypt K X) (analz (insert X H))"
   18.48  apply (rule subsetI)
   18.49 -apply (erule_tac xa = x in analz.induct, auto)
   18.50 +apply (erule_tac x = x in analz.induct, auto)
   18.51  done
   18.52  
   18.53  lemma lemma2: "Key (invKey K) \<in> analz H ==>   
   18.54                 insert (Crypt K X) (analz (insert X H)) \<subseteq>  
   18.55                 analz (insert (Crypt K X) H)"
   18.56  apply auto
   18.57 -apply (erule_tac xa = x in analz.induct, auto)
   18.58 +apply (erule_tac x = x in analz.induct, auto)
   18.59  apply (blast intro: analz_insertI analz.Decrypt)
   18.60  done
   18.61  
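Review bot: Both `apply (erule_tac x = x in analz.induct, auto)` lines bind the script to the name of the induction variable in the generated `analz.induct` rule, which this commit had to rename from `xa` to `x`; the name is an artefact of the definition package, not of the theory, so the same breakage will recur at the next package change. If the explicit instantiation is still needed after `subsetI`, I would express it without the generated name, e.g. try plain `apply (erule analz.induct)` where unification already picks the membership premise, or move to a structured `induct rule: analz.induct` with named cases. `lemma1`'s statement begins outside this hunk; `lemma2` is fully visible.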
   18.62 @@ -579,15 +581,16 @@
   18.63      encrypted with known keys.  Agent names are public domain.
   18.64      Numbers can be guessed, but Nonces cannot be.  *}
   18.65  
   18.66 -consts  synth   :: "msg set => msg set"
   18.67 -inductive "synth H"
   18.68 -  intros 
   18.69 +inductive_set
   18.70 +  synth :: "msg set => msg set"
   18.71 +  for H :: "msg set"
   18.72 +  where
   18.73      Inj    [intro]:   "X \<in> H ==> X \<in> synth H"
   18.74 -    Agent  [intro]:   "Agent agt \<in> synth H"
   18.75 -    Number [intro]:   "Number n  \<in> synth H"
   18.76 -    Hash   [intro]:   "X \<in> synth H ==> Hash X \<in> synth H"
   18.77 -    MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> {|X,Y|} \<in> synth H"
   18.78 -    Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
   18.79 +  | Agent  [intro]:   "Agent agt \<in> synth H"
   18.80 +  | Number [intro]:   "Number n  \<in> synth H"
   18.81 +  | Hash   [intro]:   "X \<in> synth H ==> Hash X \<in> synth H"
   18.82 +  | MPair  [intro]:   "[|X \<in> synth H;  Y \<in> synth H|] ==> {|X,Y|} \<in> synth H"
   18.83 +  | Crypt  [intro]:   "[|X \<in> synth H;  Key(K) \<in> H|] ==> Crypt K X \<in> synth H"
   18.84  
   18.85  text{*Monotonicity*}
   18.86  lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
    19.1 --- a/src/HOL/Auth/NS_Public.thy	Wed Jul 11 11:13:08 2007 +0200
    19.2 +++ b/src/HOL/Auth/NS_Public.thy	Wed Jul 11 11:14:51 2007 +0200
    19.3 @@ -11,32 +11,30 @@
    19.4  
    19.5  theory NS_Public imports Public begin
    19.6  
    19.7 -consts  ns_public  :: "event list set"
    19.8 -
    19.9 -inductive ns_public
   19.10 -  intros 
   19.11 +inductive_set ns_public :: "event list set"
   19.12 +  where 
   19.13           (*Initial trace is empty*)
   19.14     Nil:  "[] \<in> ns_public"
   19.15  
   19.16           (*The spy MAY say anything he CAN say.  We do not expect him to
   19.17             invent new nonces here, but he can also use NS1.  Common to
   19.18             all similar protocols.*)
   19.19 -   Fake: "\<lbrakk>evsf \<in> ns_public;  X \<in> synth (analz (spies evsf))\<rbrakk>
   19.20 + | Fake: "\<lbrakk>evsf \<in> ns_public;  X \<in> synth (analz (spies evsf))\<rbrakk>
   19.21            \<Longrightarrow> Says Spy B X  # evsf \<in> ns_public"
   19.22  
   19.23           (*Alice initiates a protocol run, sending a nonce to Bob*)
   19.24 -   NS1:  "\<lbrakk>evs1 \<in> ns_public;  Nonce NA \<notin> used evs1\<rbrakk>
   19.25 + | NS1:  "\<lbrakk>evs1 \<in> ns_public;  Nonce NA \<notin> used evs1\<rbrakk>
   19.26            \<Longrightarrow> Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>)
   19.27                   # evs1  \<in>  ns_public"
   19.28  
   19.29           (*Bob responds to Alice's message with a further nonce*)
   19.30 -   NS2:  "\<lbrakk>evs2 \<in> ns_public;  Nonce NB \<notin> used evs2;
   19.31 + | NS2:  "\<lbrakk>evs2 \<in> ns_public;  Nonce NB \<notin> used evs2;
   19.32             Says A' B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk>
   19.33            \<Longrightarrow> Says B A (Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
   19.34                  # evs2  \<in>  ns_public"
   19.35  
   19.36           (*Alice proves her existence by sending NB back to Bob.*)
   19.37 -   NS3:  "\<lbrakk>evs3 \<in> ns_public;
   19.38 + | NS3:  "\<lbrakk>evs3 \<in> ns_public;
   19.39             Says A  B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3;
   19.40             Says B' A (Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
   19.41                \<in> set evs3\<rbrakk>
    20.1 --- a/src/HOL/Auth/NS_Public_Bad.thy	Wed Jul 11 11:13:08 2007 +0200
    20.2 +++ b/src/HOL/Auth/NS_Public_Bad.thy	Wed Jul 11 11:14:51 2007 +0200
    20.3 @@ -15,32 +15,30 @@
    20.4  
    20.5  theory NS_Public_Bad imports Public begin
    20.6  
    20.7 -consts  ns_public  :: "event list set"
    20.8 -
    20.9 -inductive ns_public
   20.10 -  intros 
   20.11 +inductive_set ns_public :: "event list set"
   20.12 +  where
   20.13           (*Initial trace is empty*)
   20.14     Nil:  "[] \<in> ns_public"
   20.15  
   20.16           (*The spy MAY say anything he CAN say.  We do not expect him to
   20.17             invent new nonces here, but he can also use NS1.  Common to
   20.18             all similar protocols.*)
   20.19 -   Fake: "\<lbrakk>evsf \<in> ns_public;  X \<in> synth (analz (spies evsf))\<rbrakk>
   20.20 + | Fake: "\<lbrakk>evsf \<in> ns_public;  X \<in> synth (analz (spies evsf))\<rbrakk>
   20.21            \<Longrightarrow> Says Spy B X  # evsf \<in> ns_public"
   20.22  
   20.23           (*Alice initiates a protocol run, sending a nonce to Bob*)
   20.24 -   NS1:  "\<lbrakk>evs1 \<in> ns_public;  Nonce NA \<notin> used evs1\<rbrakk>
   20.25 + | NS1:  "\<lbrakk>evs1 \<in> ns_public;  Nonce NA \<notin> used evs1\<rbrakk>
   20.26            \<Longrightarrow> Says A B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>)
   20.27                  # evs1  \<in>  ns_public"
   20.28  
   20.29           (*Bob responds to Alice's message with a further nonce*)
   20.30 -   NS2:  "\<lbrakk>evs2 \<in> ns_public;  Nonce NB \<notin> used evs2;
   20.31 + | NS2:  "\<lbrakk>evs2 \<in> ns_public;  Nonce NB \<notin> used evs2;
   20.32             Says A' B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk>
   20.33            \<Longrightarrow> Says B A (Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>)
   20.34                  # evs2  \<in>  ns_public"
   20.35  
   20.36           (*Alice proves her existence by sending NB back to Bob.*)
   20.37 -   NS3:  "\<lbrakk>evs3 \<in> ns_public;
   20.38 + | NS3:  "\<lbrakk>evs3 \<in> ns_public;
   20.39             Says A  B (Crypt (pubEK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3;
   20.40             Says B' A (Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>) \<in> set evs3\<rbrakk>
   20.41            \<Longrightarrow> Says A B (Crypt (pubEK B) (Nonce NB)) # evs3 \<in> ns_public"
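Review bot: The comment above `NS2`, `(*Bob responds to Alice's message with a further nonce*)`, is the one copied from NS_Public, yet the message here is `Crypt (pubEK A) \<lbrace>Nonce NA, Nonce NB\<rbrace>` with `Agent B` omitted, which is the only difference from NS_Public's `\<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>`. A reader skimming the rules should be told the omission is deliberate: `(*Bob responds to Alice's message with a further nonce.  Unlike NS_Public, B's own name is NOT included: this omission is what makes this variant "bad"*)`. The same note applies to `NS3`, whose premise matches the shortened message.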
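--- a/src/HOL/Auth/NS_Shared.thy
+++ b/src/HOL/Auth/NS_Shared.thy
@@ -25,26 +25,25 @@
       X \<notin> parts (spies (takeWhile (% z. z  \<noteq> Says A B Y) (rev evs)))"
 
 
-consts  ns_shared   :: "event list set"
-inductive "ns_shared"
- intros
+inductive_set ns_shared :: "event list set"
+ where
 	(*Initial trace is empty*)
   Nil:  "[] \<in> ns_shared"
 	(*The spy MAY say anything he CAN say.  We do not expect him to
 	  invent new nonces here, but he can also use NS1.  Common to
 	  all similar protocols.*)
-  Fake: "\<lbrakk>evsf \<in> ns_shared;  X \<in> synth (analz (spies evsf))\<rbrakk>
+| Fake: "\<lbrakk>evsf \<in> ns_shared;  X \<in> synth (analz (spies evsf))\<rbrakk>
 	 \<Longrightarrow> Says Spy B X # evsf \<in> ns_shared"
 
 	(*Alice initiates a protocol run, requesting to talk to any B*)
-  NS1:  "\<lbrakk>evs1 \<in> ns_shared;  Nonce NA \<notin> used evs1\<rbrakk>
+| NS1:  "\<lbrakk>evs1 \<in> ns_shared;  Nonce NA \<notin> used evs1\<rbrakk>
 	 \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> # evs1  \<in>  ns_shared"
 
 	(*Server's response to Alice's message.
 	  !! It may respond more than once to A's request !!
 	  Server doesn't know who the true sender is, hence the A' in
 	      the sender field.*)
-  NS2:  "\<lbrakk>evs2 \<in> ns_shared;  Key KAB \<notin> used evs2;  KAB \<in> symKeys;
+| NS2:  "\<lbrakk>evs2 \<in> ns_shared;  Key KAB \<notin> used evs2;  KAB \<in> symKeys;
 	  Says A' Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs2\<rbrakk>
 	 \<Longrightarrow> Says Server A
 	       (Crypt (shrK A)
@@ -54,14 +53,14 @@
 
 	 (*We can't assume S=Server.  Agent A "remembers" her nonce.
 	   Need A \<noteq> Server because we allow messages to self.*)
-  NS3:  "\<lbrakk>evs3 \<in> ns_shared;  A \<noteq> Server;
+| NS3:  "\<lbrakk>evs3 \<in> ns_shared;  A \<noteq> Server;
 	  Says S A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>) \<in> set evs3;
 	  Says A Server \<lbrace>Agent A, Agent B, Nonce NA\<rbrace> \<in> set evs3\<rbrakk>
 	 \<Longrightarrow> Says A B X # evs3 \<in> ns_shared"
 
 	(*Bob's nonce exchange.  He does not know who the message came
 	  from, but responds to A because she is mentioned inside.*)
-  NS4:  "\<lbrakk>evs4 \<in> ns_shared;  Nonce NB \<notin> used evs4;  K \<in> symKeys;
+| NS4:  "\<lbrakk>evs4 \<in> ns_shared;  Nonce NB \<notin> used evs4;  K \<in> symKeys;
 	  Says A' B (Crypt (shrK B) \<lbrace>Key K, Agent A\<rbrace>) \<in> set evs4\<rbrakk>
 	 \<Longrightarrow> Says B A (Crypt K (Nonce NB)) # evs4 \<in> ns_shared"
 
@@ -70,7 +69,7 @@
 	  We do NOT send NB-1 or similar as the Spy cannot spoof such things.
 	  Letting the Spy add or subtract 1 lets him send all nonces.
 	  Instead we distinguish the messages by sending the nonce twice.*)
-  NS5:  "\<lbrakk>evs5 \<in> ns_shared;  K \<in> symKeys;
+| NS5:  "\<lbrakk>evs5 \<in> ns_shared;  K \<in> symKeys;
 	  Says B' A (Crypt K (Nonce NB)) \<in> set evs5;
 	  Says S  A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
 	    \<in> set evs5\<rbrakk>
@@ -79,7 +78,7 @@
 	(*This message models possible leaks of session keys.
 	  The two Nonces identify the protocol run: the rule insists upon
 	  the true senders in order to make them accurate.*)
-  Oops: "\<lbrakk>evso \<in> ns_shared;  Says B A (Crypt K (Nonce NB)) \<in> set evso;
+| Oops: "\<lbrakk>evso \<in> ns_shared;  Says B A (Crypt K (Nonce NB)) \<in> set evso;
 	  Says Server A (Crypt (shrK A) \<lbrace>Nonce NA, Agent B, Key K, X\<rbrace>)
 	      \<in> set evso\<rbrakk>
 	 \<Longrightarrow> Notes Spy \<lbrace>Nonce NA, Nonce NB, Key K\<rbrace> # evso \<in> ns_shared"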
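--- a/src/HOL/Auth/OtwayRees.thy
+++ b/src/HOL/Auth/OtwayRees.thy
@@ -14,31 +14,30 @@
 
 This is the original version, which encrypts Nonce NB.*}
 
-consts  otway   :: "event list set"
-inductive "otway"
-  intros
+inductive_set otway :: "event list set"
+  where
         (*Initial trace is empty*)
   Nil:  "[] \<in> otway"
 
         (*The spy MAY say anything he CAN say.  We do not expect him to
          invent new nonces here, but he can also use NS1.  Common to
          all similar protocols.*)
-   Fake: "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
+ | Fake: "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> otway"
 
         (*A message that has been sent can be received by the
          intended recipient.*)
-   Reception: "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
+ | Reception: "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
               ==> Gets B X # evsr \<in> otway"
 
         (*Alice initiates a protocol run*)
-   OR1:  "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
+ | OR1:  "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
          ==> Says A B {|Nonce NA, Agent A, Agent B,
                         Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
                # evs1 : otway"
 
         (*Bob's response to Alice's message.  Note that NB is encrypted.*)
-   OR2:  "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
+ | OR2:  "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
             Gets B {|Nonce NA, Agent A, Agent B, X|} : set evs2 |]
          ==> Says B Server
                 {|Nonce NA, Agent A, Agent B, X,
@@ -49,7 +48,7 @@
         (*The Server receives Bob's message and checks that the three NAs
          match.  Then he sends a new session key to Bob with a packet for
          forwarding to Alice.*)
-   OR3:  "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
+ | OR3:  "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
             Gets Server
                 {|Nonce NA, Agent A, Agent B,
                   Crypt (shrK A) {|Nonce NA, Agent A, Agent B|},
@@ -64,7 +63,7 @@
         (*Bob receives the Server's (?) message and compares the Nonces with
 	   those in the message he previously sent the Server.
          Need B \<noteq> Server because we allow messages to self.*)
-   OR4:  "[| evs4 \<in> otway;  B \<noteq> Server;
+ | OR4:  "[| evs4 \<in> otway;  B \<noteq> Server;
             Says B Server {|Nonce NA, Agent A, Agent B, X',
                             Crypt (shrK B)
                                   {|Nonce NA, Nonce NB, Agent A, Agent B|}|}
@@ -75,7 +74,7 @@
 
         (*This message models possible leaks of session keys.  The nonces
          identify the protocol run.*)
-   Oops: "[| evso \<in> otway;
+ | Oops: "[| evso \<in> otway;
             Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}
               : set evso |]
          ==> Notes Spy {|Nonce NA, Nonce NB, Key K|} # evso : otway"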
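Review bot: The comment directly above the rewritten `| Fake:` line in the first hunk still reads "he can also use NS1", which names a Needham-Schroeder message; in this theory the initiator's rule is OR1, so the sentence looks like a carry-over from NS_Shared and is misleading for readers of the Otway-Rees model. Since the commit already touches the adjacent line, the comment could be corrected in the same hunk, e.g. `invent new nonces here, but he can also use OR1.  Common to`. The same wording appears in NS_Public and NS_Shared, where NS1 is the correct name, so only this file needs the change.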
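--- a/src/HOL/Auth/OtwayReesBella.thy
+++ b/src/HOL/Auth/OtwayReesBella.thy
@@ -16,31 +16,30 @@
 updated protocol makes no use of the session key to encrypt but informs A that
 B knows it.*}
 
-consts  orb   :: "event list set"
-inductive "orb"
- intros 
+inductive_set orb :: "event list set"
+ where
 
   Nil:  "[]\<in> orb"
 
-  Fake: "\<lbrakk>evsa\<in> orb;  X\<in> synth (analz (knows Spy evsa))\<rbrakk>
+| Fake: "\<lbrakk>evsa\<in> orb;  X\<in> synth (analz (knows Spy evsa))\<rbrakk>
  	 \<Longrightarrow> Says Spy B X  # evsa \<in> orb"
 
-  Reception: "\<lbrakk>evsr\<in> orb;  Says A B X \<in> set evsr\<rbrakk>
+| Reception: "\<lbrakk>evsr\<in> orb;  Says A B X \<in> set evsr\<rbrakk>
 	      \<Longrightarrow> Gets B X # evsr \<in> orb"
 
-  OR1:  "\<lbrakk>evs1\<in> orb;  Nonce NA \<notin> used evs1\<rbrakk>
+| OR1:  "\<lbrakk>evs1\<in> orb;  Nonce NA \<notin> used evs1\<rbrakk>
 	 \<Longrightarrow> Says A B \<lbrace>Nonce M, Agent A, Agent B, 
 		   Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>\<rbrace> 
 	       # evs1 \<in> orb"
 
-  OR2:  "\<lbrakk>evs2\<in> orb;  Nonce NB \<notin> used evs2;
+| OR2:  "\<lbrakk>evs2\<in> orb;  Nonce NB \<notin> used evs2;
 	   Gets B \<lbrace>Nonce M, Agent A, Agent B, X\<rbrace> \<in> set evs2\<rbrakk>
 	\<Longrightarrow> Says B Server 
 		\<lbrace>Nonce M, Agent A, Agent B, X, 
 	   Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
 	       # evs2 \<in> orb"
 
-  OR3:  "\<lbrakk>evs3\<in> orb;  Key KAB \<notin> used evs3;
+| OR3:  "\<lbrakk>evs3\<in> orb;  Key KAB \<notin> used evs3;
 	  Gets Server 
 	     \<lbrace>Nonce M, Agent A, Agent B, 
 	       Crypt (shrK A) \<lbrace>Nonce NA, Nonce M, Agent A, Agent B\<rbrace>, 
@@ -53,7 +52,7 @@
 
   (*B can only check that the message he is bouncing is a ciphertext*)
   (*Sending M back is omitted*)   
-  OR4:  "\<lbrakk>evs4\<in> orb; B \<noteq> Server; \<forall> p q. X \<noteq> \<lbrace>p, q\<rbrace>; 
+| OR4:  "\<lbrakk>evs4\<in> orb; B \<noteq> Server; \<forall> p q. X \<noteq> \<lbrace>p, q\<rbrace>; 
 	  Says B Server \<lbrace>Nonce M, Agent A, Agent B, X', 
 		Crypt (shrK B) \<lbrace>Nonce NB, Nonce M, Nonce M, Agent A, Agent B\<rbrace>\<rbrace>
 	    \<in> set evs4;
@@ -62,7 +61,7 @@
 	\<Longrightarrow> Says B A \<lbrace>Nonce M, X\<rbrace> # evs4 \<in> orb"
 
 
-  Oops: "\<lbrakk>evso\<in> orb;  
+| Oops: "\<lbrakk>evso\<in> orb;  
 	   Says Server B \<lbrace>Nonce M,
 		    Crypt (shrK B) \<lbrace>Crypt (shrK A) \<lbrace>Nonce NA, Key KAB\<rbrace>,
 				      Nonce NB, Key KAB\<rbrace>\<rbrace> 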
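--- a/src/HOL/Auth/OtwayRees_AN.thy
+++ b/src/HOL/Auth/OtwayRees_AN.thy
@@ -22,34 +22,33 @@
   IEEE Trans. SE 22 (1)
 *}
 
-consts  otway   :: "event list set"
-inductive "otway"
-  intros
+inductive_set otway :: "event list set"
+  where
   Nil: --{*The empty trace*}
        "[] \<in> otway"
 
-   Fake: --{*The Spy may say anything he can say.  The sender field is correct,
+ | Fake: --{*The Spy may say anything he can say.  The sender field is correct,
            but agents don't use that information.*}
         "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> otway"
 
        
-   Reception: --{*A message that has been sent can be received by the
+ | Reception: --{*A message that has been sent can be received by the
                  intended recipient.*}
 	      "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
               ==> Gets B X # evsr \<in> otway"
 
-   OR1:  --{*Alice initiates a protocol run*}
+ | OR1:  --{*Alice initiates a protocol run*}
         "evs1 \<in> otway
          ==> Says A B {|Agent A, Agent B, Nonce NA|} # evs1 \<in> otway"
 
-   OR2:  --{*Bob's response to Alice's message.*}
+ | OR2:  --{*Bob's response to Alice's message.*}
 	 "[| evs2 \<in> otway;
             Gets B {|Agent A, Agent B, Nonce NA|} \<in>set evs2 |]
          ==> Says B Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
                # evs2 \<in> otway"
 
-   OR3:  --{*The Server receives Bob's message.  Then he sends a new
+ | OR3:  --{*The Server receives Bob's message.  Then he sends a new
           session key to Bob with a packet for forwarding to Alice.*}
 	 "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
             Gets Server {|Agent A, Agent B, Nonce NA, Nonce NB|}
@@ -59,7 +58,7 @@
                 Crypt (shrK B) {|Nonce NB, Agent A, Agent B, Key KAB|}|}
              # evs3 \<in> otway"
 
-   OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
+ | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
 	     those in the message he previously sent the Server.
              Need @{term "B \<noteq> Server"} because we allow messages to self.*}
 	 "[| evs4 \<in> otway;  B \<noteq> Server;
@@ -68,7 +67,7 @@
               \<in>set evs4 |]
          ==> Says B A X # evs4 \<in> otway"
 
-   Oops: --{*This message models possible leaks of session keys.  The nonces
+ | Oops: --{*This message models possible leaks of session keys.  The nonces
             identify the protocol run.*}
 	 "[| evso \<in> otway;
             Says Server B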
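--- a/src/HOL/Auth/OtwayRees_Bad.thy
+++ b/src/HOL/Auth/OtwayRees_Bad.thy
@@ -19,30 +19,29 @@
 the protocol is open to a middleperson attack.  Attempting to prove some key
 lemmas indicates the possibility of this attack.*}
 
-consts  otway   :: "event list set"
-inductive "otway"
-  intros
+inductive_set otway :: "event list set"
+  where
   Nil: --{*The empty trace*}
        "[] \<in> otway"
 
-   Fake: --{*The Spy may say anything he can say.  The sender field is correct,
+ | Fake: --{*The Spy may say anything he can say.  The sender field is correct,
            but agents don't use that information.*}
         "[| evsf \<in> otway;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> otway"
 
        
-   Reception: --{*A message that has been sent can be received by the
+ | Reception: --{*A message that has been sent can be received by the
                  intended recipient.*}
 	      "[| evsr \<in> otway;  Says A B X \<in>set evsr |]
               ==> Gets B X # evsr \<in> otway"
 
-   OR1:  --{*Alice initiates a protocol run*}
+ | OR1:  --{*Alice initiates a protocol run*}
 	 "[| evs1 \<in> otway;  Nonce NA \<notin> used evs1 |]
          ==> Says A B {|Nonce NA, Agent A, Agent B,
                         Crypt (shrK A) {|Nonce NA, Agent A, Agent B|} |}
                # evs1 \<in> otway"
 
-   OR2:  --{*Bob's response to Alice's message.
+ | OR2:  --{*Bob's response to Alice's message.
             This variant of the protocol does NOT encrypt NB.*}
 	 "[| evs2 \<in> otway;  Nonce NB \<notin> used evs2;
             Gets B {|Nonce NA, Agent A, Agent B, X|} \<in> set evs2 |]
@@ -51,7 +50,7 @@
                    Crypt (shrK B) {|Nonce NA, Agent A, Agent B|}|}
                # evs2 \<in> otway"
 
-   OR3:  --{*The Server receives Bob's message and checks that the three NAs
+ | OR3:  --{*The Server receives Bob's message and checks that the three NAs
           match.  Then he sends a new session key to Bob with a packet for
           forwarding to Alice.*}
 	 "[| evs3 \<in> otway;  Key KAB \<notin> used evs3;
@@ -67,7 +66,7 @@
                    Crypt (shrK B) {|Nonce NB, Key KAB|}|}
                # evs3 \<in> otway"
 
-   OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
+ | OR4:  --{*Bob receives the Server's (?) message and compares the Nonces with
 	     those in the message he previously sent the Server.
              Need @{term "B \<noteq> Server"} because we allow messages to self.*}
 	 "[| evs4 \<in> otway;  B \<noteq> Server;
@@ -78,7 +77,7 @@
               \<in> set evs4 |]
          ==> Says B A {|Nonce NA, X|} # evs4 \<in> otway"
 
-   Oops: --{*This message models possible leaks of session keys.  The nonces
+ | Oops: --{*This message models possible leaks of session keys.  The nonces
             identify the protocol run.*}
 	 "[| evso \<in> otway;
             Says Server B {|Nonce NA, X, Crypt (shrK B) {|Nonce NB, Key K|}|}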
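--- a/src/HOL/Auth/Recur.thy
+++ b/src/HOL/Auth/Recur.thy
@@ -17,16 +17,17 @@
         who receives one.
   Perhaps the two session keys could be bundled into a single message.
 *)
-consts     respond :: "event list => (msg*msg*key)set"
-inductive "respond evs" (*Server's response to the nested message*)
-  intros
+inductive_set (*Server's response to the nested message*)
+  respond :: "event list => (msg*msg*key)set"
+  for evs :: "event list"
+  where
   One:  "Key KAB \<notin> used evs
          ==> (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|},
               {|Crypt (shrK A) {|Key KAB, Agent B, Nonce NA|}, END|},
               KAB)   \<in> respond evs"
 
    (*The most recent session key is passed up to the caller*)
-   Cons: "[| (PA, RA, KAB) \<in> respond evs;
+ | Cons: "[| (PA, RA, KAB) \<in> respond evs;
             Key KBC \<notin> used evs;  Key KBC \<notin> parts {RA};
             PA = Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, P|} |]
          ==> (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|},
@@ -40,50 +41,50 @@
 (*Induction over "respond" can be difficult due to the complexity of the
   subgoals.  Set "responses" captures the general form of certificates.
 *)
-consts     responses :: "event list => msg set"
-inductive "responses evs"
-  intros
+inductive_set
+  responses :: "event list => msg set"
+  for evs :: "event list"
+  where
    (*Server terminates lists*)
   Nil:  "END \<in> responses evs"
 
-   Cons: "[| RA \<in> responses evs;  Key KAB \<notin> used evs |]
+ | Cons: "[| RA \<in> responses evs;  Key KAB \<notin> used evs |]
          ==> {|Crypt (shrK B) {|Key KAB, Agent A, Nonce NB|},
                RA|}  \<in> responses evs"
 
 
-consts     recur   :: "event list set"
-inductive "recur"
-  intros
+inductive_set recur :: "event list set"
+  where
         (*Initial trace is empty*)
   Nil:  "[] \<in> recur"
 
         (*The spy MAY say anything he CAN say.  Common to
          all similar protocols.*)
-   Fake: "[| evsf \<in> recur;  X \<in> synth (analz (knows Spy evsf)) |]
+ | Fake: "[| evsf \<in> recur;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> recur"
 
         (*Alice initiates a protocol run.
          END is a placeholder to terminate the nesting.*)
-   RA1:  "[| evs1 \<in> recur;  Nonce NA \<notin> used evs1 |]
+ | RA1:  "[| evs1 \<in> recur;  Nonce NA \<notin> used evs1 |]
          ==> Says A B (Hash[Key(shrK A)] {|Agent A, Agent B, Nonce NA, END|})
              # evs1 \<in> recur"
 
         (*Bob's response to Alice's message.  C might be the Server.
          We omit PA = {|XA, Agent A, Agent B, Nonce NA, P|} because
          it complicates proofs, so B may respond to any message at all!*)
-   RA2:  "[| evs2 \<in> recur;  Nonce NB \<notin> used evs2;
+ | RA2:  "[| evs2 \<in> recur;  Nonce NB \<notin> used evs2;
             Says A' B PA \<in> set evs2 |]
          ==> Says B C (Hash[Key(shrK B)] {|Agent B, Agent C, Nonce NB, PA|})
              # evs2 \<in> recur"
 
         (*The Server receives Bob's message and prepares a response.*)
-   RA3:  "[| evs3 \<in> recur;  Says B' Server PB \<in> set evs3;
+ | RA3:  "[| evs3 \<in> recur;  Says B' Server PB \<in> set evs3;
             (PB,RB,K) \<in> respond evs3 |]
          ==> Says Server B RB # evs3 \<in> recur"
 
        (*Bob receives the returned message and compares the Nonces with
          those in the message he previously sent the Server.*)
-   RA4:  "[| evs4 \<in> recur;
+ | RA4:  "[| evs4 \<in> recur;
             Says B  C {|XH, Agent B, Agent C, Nonce NB,
                         XA, Agent A, Agent B, Nonce NA, P|} \<in> set evs4;
             Says C' B {|Crypt (shrK B) {|Key KBC, Agent C, Nonce NB|},
@@ -350,7 +351,7 @@
 lemma respond_certificate:
      "(Hash[Key(shrK A)] {|Agent A, B, NA, P|}, RA, K) \<in> respond evs
      ==> Crypt (shrK A) {|Key K, B, NA|} \<in> parts {RA}"
-apply (ind_cases "(X, RA, K) \<in> respond evs")
+apply (ind_cases "(Hash[Key (shrK A)] \<lbrace>Agent A, B, NA, P\<rbrace>, RA, K) \<in> respond evs")
 apply simp_all
 done
 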
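Review bot: The rewritten `ind_cases` line in the last hunk (in `respond_certificate`) now spells out the full `Hash[Key (shrK A)] \<lbrace>Agent A, B, NA, P\<rbrace>` pattern instead of the generic `(X, RA, K)`, duplicating the lemma's premise verbatim, and nothing says why the shorter pattern stopped working; this is the one non-mechanical change in the file and will puzzle the next person who edits the lemma. A one-line comment above the apply would do, e.g. `(*ind_cases must match the premise literally under the new package; keep in sync with the lemma statement*)` — the reason is inferred from the commit message, so please confirm it. Separately, in the first hunk the comment `(*Server's response to the nested message*)` now sits between the `inductive_set` keyword and the name `respond`, which breaks the header visually; the `responses` definition in the second hunk puts nothing there, so moving the comment onto its own line above `inductive_set` would make the two definitions read alike.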
    27.1 --- a/src/HOL/Auth/Smartcard/ShoupRubin.thy	Wed Jul 11 11:13:08 2007 +0200
    27.2 +++ b/src/HOL/Auth/Smartcard/ShoupRubin.thy	Wed Jul 11 11:14:51 2007 +0200
    27.3 @@ -36,15 +36,14 @@
    27.4        ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
    27.5  
    27.6  
    27.7 -consts  sr   :: "event list set"
    27.8 -inductive "sr"
    27.9 -  intros 
   27.10 +inductive_set sr :: "event list set"
   27.11 +  where
   27.12  
   27.13      Nil:  "[]\<in> sr"
   27.14  
   27.15  
   27.16  
   27.17 -    Fake: "\<lbrakk> evsF\<in> sr;  X\<in> synth (analz (knows Spy evsF)); 
   27.18 +  | Fake: "\<lbrakk> evsF\<in> sr;  X\<in> synth (analz (knows Spy evsF)); 
   27.19               illegalUse(Card B) \<rbrakk>
   27.20            \<Longrightarrow> Says Spy A X # 
   27.21                Inputs Spy (Card B) X # evsF \<in> sr"
   27.22 @@ -52,24 +51,24 @@
   27.23  (*In general this rule causes the assumption Card B \<notin> cloned
   27.24    in most guarantees for B - starting with confidentiality -
   27.25    otherwise pairK_confidential could not apply*)
   27.26 -    Forge:
   27.27 +  | Forge:
   27.28           "\<lbrakk> evsFo \<in> sr; Nonce Nb \<in> analz (knows Spy evsFo);
   27.29               Key (pairK(A,B)) \<in> knows Spy evsFo \<rbrakk>
   27.30            \<Longrightarrow> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo \<in> sr"
   27.31  
   27.32  
   27.33  
   27.34 -   Reception: "\<lbrakk> evsR\<in> sr; Says A B X \<in> set evsR \<rbrakk>
   27.35 +  | Reception: "\<lbrakk> evsR\<in> sr; Says A B X \<in> set evsR \<rbrakk>
   27.36                \<Longrightarrow> Gets B X # evsR \<in> sr"
   27.37  
   27.38  
   27.39  
   27.40  (*A AND THE SERVER *)
   27.41 -    SR1:  "\<lbrakk> evs1\<in> sr; A \<noteq> Server\<rbrakk>
   27.42 +  | SR1:  "\<lbrakk> evs1\<in> sr; A \<noteq> Server\<rbrakk>
   27.43            \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> 
   27.44                  # evs1 \<in> sr"
   27.45  
   27.46 -    SR2:  "\<lbrakk> evs2\<in> sr; 
   27.47 +  | SR2:  "\<lbrakk> evs2\<in> sr; 
   27.48               Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
   27.49            \<Longrightarrow> Says Server A \<lbrace>Nonce (Pairkey(A,B)), 
   27.50                             Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>
   27.51 @@ -82,7 +81,7 @@
   27.52  (*A AND HER CARD*)
   27.53  (*A cannot decrypt the verifier for she dosn't know shrK A,
   27.54    but the pairkey is recognisable*)
   27.55 -    SR3:  "\<lbrakk> evs3\<in> sr; legalUse(Card A);
   27.56 +  | SR3:  "\<lbrakk> evs3\<in> sr; legalUse(Card A);
   27.57               Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
   27.58               Gets A \<lbrace>Nonce Pk, Certificate\<rbrace> \<in> set evs3 \<rbrakk>
   27.59            \<Longrightarrow> Inputs A (Card A) (Agent A)
   27.60 @@ -93,7 +92,7 @@
   27.61  the server*)
   27.62   
   27.63  (*The card outputs the nonce Na to A*)               
   27.64 -    SR4:  "\<lbrakk> evs4\<in> sr;  A \<noteq> Server; 
   27.65 +  | SR4:  "\<lbrakk> evs4\<in> sr;  A \<noteq> Server; 
   27.66               Nonce Na \<notin> used evs4; legalUse(Card A);
   27.67               Inputs A (Card A) (Agent A) \<in> set evs4 \<rbrakk> 
   27.68         \<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
   27.69 @@ -101,9 +100,9 @@
   27.70  
   27.71  (*The card can be exploited by the spy*)
   27.72  (*because of the assumptions on the card, A is certainly not server nor spy*)
   27.73 - SR4Fake: "\<lbrakk> evs4F\<in> sr; Nonce Na \<notin> used evs4F; 
   27.74 -             illegalUse(Card A);
   27.75 -             Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk> 
   27.76 +  | SR4Fake: "\<lbrakk> evs4F\<in> sr; Nonce Na \<notin> used evs4F; 
   27.77 +                illegalUse(Card A);
   27.78 +                Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk> 
   27.79        \<Longrightarrow> Outpts (Card A) Spy \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
   27.80              # evs4F \<in> sr"
   27.81  
   27.82 @@ -111,7 +110,7 @@
   27.83  
   27.84  
   27.85  (*A TOWARDS B*)
   27.86 -    SR5:  "\<lbrakk> evs5\<in> sr; 
   27.87 +  | SR5:  "\<lbrakk> evs5\<in> sr; 
   27.88               Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs5;
   27.89               \<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk>
   27.90            \<Longrightarrow> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> # evs5 \<in> sr"
   27.91 @@ -122,13 +121,13 @@
   27.92  
   27.93  
   27.94  (*B AND HIS CARD*)
   27.95 -    SR6:  "\<lbrakk> evs6\<in> sr; legalUse(Card B);
   27.96 +  | SR6:  "\<lbrakk> evs6\<in> sr; legalUse(Card B);
   27.97               Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs6 \<rbrakk>
   27.98            \<Longrightarrow> Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> 
   27.99                  # evs6 \<in> sr"
  27.100  
  27.101  (*B gets back from the card the session key and various verifiers*)
  27.102 -    SR7:  "\<lbrakk> evs7\<in> sr; 
  27.103 +  | SR7:  "\<lbrakk> evs7\<in> sr; 
  27.104               Nonce Nb \<notin> used evs7; legalUse(Card B); B \<noteq> Server;
  27.105               K = sesK(Nb,pairK(A,B));
  27.106               Key K \<notin> used evs7;
  27.107 @@ -140,11 +139,11 @@
  27.108  
  27.109   (*The card can be exploited by the spy*)
  27.110  (*because of the assumptions on the card, A is certainly not server nor spy*)
  27.111 - SR7Fake:  "\<lbrakk> evs7F\<in> sr; Nonce Nb \<notin> used evs7F; 
  27.112 -             illegalUse(Card B);
  27.113 -             K = sesK(Nb,pairK(A,B));
  27.114 -             Key K \<notin> used evs7F;
  27.115 -             Inputs Spy (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7F \<rbrakk>
  27.116 +  | SR7Fake:  "\<lbrakk> evs7F\<in> sr; Nonce Nb \<notin> used evs7F; 
  27.117 +                 illegalUse(Card B);
  27.118 +                 K = sesK(Nb,pairK(A,B));
  27.119 +                 Key K \<notin> used evs7F;
  27.120 +                 Inputs Spy (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs7F \<rbrakk>
  27.121            \<Longrightarrow> Outpts (Card B) Spy \<lbrace>Nonce Nb, Key K,
  27.122                              Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, 
  27.123                              Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> 
  27.124 @@ -156,7 +155,7 @@
  27.125  (*B TOWARDS A*)
  27.126  (*having sent an input that mentions A is the only memory B relies on,
  27.127    since the output doesn't mention A - lack of explicitness*) 
  27.128 -    SR8:  "\<lbrakk> evs8\<in> sr;  
  27.129 +  | SR8:  "\<lbrakk> evs8\<in> sr;  
  27.130               Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs8;
  27.131               Outpts (Card B) B \<lbrace>Nonce Nb, Key K, 
  27.132                                   Cert1, Cert2\<rbrace> \<in> set evs8 \<rbrakk>
  27.133 @@ -168,7 +167,7 @@
  27.134  (*A AND HER CARD*)
  27.135  (*A cannot check the form of the verifiers - although I can prove the form of
  27.136    Cert2 - and just feeds her card with what she's got*)
  27.137 -    SR9:  "\<lbrakk> evs9\<in> sr; legalUse(Card A);
  27.138 +  | SR9:  "\<lbrakk> evs9\<in> sr; legalUse(Card A);
  27.139               Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs9;
  27.140               Outpts (Card A) A \<lbrace>Nonce Na, Cert2\<rbrace> \<in> set evs9; 
  27.141               Gets A \<lbrace>Nonce Nb, Cert3\<rbrace> \<in> set evs9;
  27.142 @@ -179,7 +178,7 @@
  27.143                  # evs9 \<in> sr"
  27.144  
  27.145  (*But the card will only give outputs to the inputs of the correct form*)
  27.146 -    SR10: "\<lbrakk> evs10\<in> sr; legalUse(Card A); A \<noteq> Server;
  27.147 +  | SR10: "\<lbrakk> evs10\<in> sr; legalUse(Card A); A \<noteq> Server;
  27.148               K = sesK(Nb,pairK(A,B));
  27.149               Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, 
  27.150                                   Nonce (Pairkey(A,B)),
  27.151 @@ -193,16 +192,16 @@
  27.152  
  27.153  (*The card can be exploited by the spy*)
  27.154  (*because of the assumptions on the card, A is certainly not server nor spy*)
  27.155 -SR10Fake: "\<lbrakk> evs10F\<in> sr; 
  27.156 -             illegalUse(Card A);
  27.157 -             K = sesK(Nb,pairK(A,B));
  27.158 -             Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, 
  27.159 -                                   Nonce (Pairkey(A,B)),
  27.160 -                                   Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), 
  27.161 -                                                    Agent B\<rbrace>,
  27.162 -                                   Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, 
  27.163 -                                   Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
  27.164 -               \<in> set evs10F \<rbrakk>
  27.165 +  | SR10Fake: "\<lbrakk> evs10F\<in> sr; 
  27.166 +                 illegalUse(Card A);
  27.167 +                 K = sesK(Nb,pairK(A,B));
  27.168 +                 Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, 
  27.169 +                                       Nonce (Pairkey(A,B)),
  27.170 +                                       Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), 
  27.171 +                                                        Agent B\<rbrace>,
  27.172 +                                       Crypt (pairK(A,B)) \<lbrace>Nonce Na, Nonce Nb\<rbrace>, 
  27.173 +                                       Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
  27.174 +                   \<in> set evs10F \<rbrakk>
  27.175            \<Longrightarrow> Outpts (Card A) Spy \<lbrace>Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace>
  27.176                   # evs10F \<in> sr"
  27.177  
  27.178 @@ -212,7 +211,7 @@
  27.179  (*A TOWARDS B*)
  27.180  (*having initiated with B is the only memory A relies on,
  27.181    since the output doesn't mention B - lack of explicitness*) 
  27.182 -    SR11: "\<lbrakk> evs11\<in> sr;
  27.183 +  | SR11: "\<lbrakk> evs11\<in> sr;
  27.184               Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs11;
  27.185               Outpts (Card A) A \<lbrace>Key K, Certificate\<rbrace> \<in> set evs11 \<rbrakk>
  27.186            \<Longrightarrow> Says A B (Certificate) 
  27.187 @@ -222,13 +221,13 @@
  27.188  
  27.189      (*Both peers may leak by accident the session keys obtained from their
  27.190        cards*)
  27.191 -    Oops1:
  27.192 +  | Oops1:
  27.193       "\<lbrakk> evsO1 \<in> sr;
  27.194           Outpts (Card B) B \<lbrace>Nonce Nb, Key K, Certificate, 
  27.195                               Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> \<in> set evsO1 \<rbrakk>
  27.196       \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO1 \<in> sr"
  27.197  
  27.198 -    Oops2:
  27.199 +  | Oops2:
  27.200       "\<lbrakk> evsO2 \<in> sr;
  27.201           Outpts (Card A) A \<lbrace>Key K, Crypt (pairK(A,B)) (Nonce Nb)\<rbrace> 
  27.202             \<in> set evsO2 \<rbrakk>
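--- a/src/HOL/Auth/ShoupRubinBella.thy
+++ b/src/HOL/Auth/ShoupRubinBella.thy
@@ -42,15 +42,14 @@
       ev \<notin> set (tl (dropWhile (% z. z \<noteq> ev) evs))"
 
 
-consts  srb   :: "event list set"
-inductive "srb"
-  intros 
+inductive_set srb :: "event list set"
+  where
 
     Nil:  "[]\<in> srb"
 
 
 
-    Fake: "\<lbrakk> evsF \<in> srb;  X \<in> synth (analz (knows Spy evsF)); 
+  | Fake: "\<lbrakk> evsF \<in> srb;  X \<in> synth (analz (knows Spy evsF)); 
              illegalUse(Card B) \<rbrakk>
           \<Longrightarrow> Says Spy A X # 
              Inputs Spy (Card B) X # evsF \<in> srb"
@@ -58,24 +57,24 @@
 (*In general this rule causes the assumption Card B \<notin> cloned
   in most guarantees for B - starting with confidentiality -
   otherwise pairK_confidential could not apply*)
-    Forge:
+  | Forge:
         "\<lbrakk> evsFo \<in> srb; Nonce Nb \<in> analz (knows Spy evsFo);
             Key (pairK(A,B)) \<in> knows Spy evsFo \<rbrakk>
          \<Longrightarrow> Notes Spy (Key (sesK(Nb,pairK(A,B)))) # evsFo \<in> srb"
 
 
 
-   Reception: "\<lbrakk> evsrb\<in> srb; Says A B X \<in> set evsrb \<rbrakk>
+  | Reception: "\<lbrakk> evsrb\<in> srb; Says A B X \<in> set evsrb \<rbrakk>
               \<Longrightarrow> Gets B X # evsrb \<in> srb"
 
 
 
 (*A AND THE SERVER*)
-    SR_U1:  "\<lbrakk> evs1 \<in> srb; A \<noteq> Server \<rbrakk>
+  | SR_U1:  "\<lbrakk> evs1 \<in> srb; A \<noteq> Server \<rbrakk>
           \<Longrightarrow> Says A Server \<lbrace>Agent A, Agent B\<rbrace> 
                 # evs1 \<in> srb"
 
-    SR_U2:  "\<lbrakk> evs2 \<in> srb; 
+  | SR_U2:  "\<lbrakk> evs2 \<in> srb; 
              Gets Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs2 \<rbrakk>
           \<Longrightarrow> Says Server A \<lbrace>Nonce (Pairkey(A,B)), 
                            Crypt (shrK A) \<lbrace>Nonce (Pairkey(A,B)), Agent B\<rbrace>
@@ -88,7 +87,7 @@
 (*A AND HER CARD*)
 (*A cannot decrypt the verifier for she dosn't know shrK A,
   but the pairkey is recognisable*)
-    SR_U3:  "\<lbrakk> evs3 \<in> srb; legalUse(Card A);
+  | SR_U3:  "\<lbrakk> evs3 \<in> srb; legalUse(Card A);
              Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs3;
              Gets A \<lbrace>Nonce Pk, Certificate\<rbrace> \<in> set evs3 \<rbrakk>
           \<Longrightarrow> Inputs A (Card A) (Agent A)
@@ -99,7 +98,7 @@
 the server*)
  
 (*The card outputs the nonce Na to A*)               
-    SR_U4:  "\<lbrakk> evs4 \<in> srb; 
+  | SR_U4:  "\<lbrakk> evs4 \<in> srb; 
              Nonce Na \<notin> used evs4; legalUse(Card A); A \<noteq> Server;
              Inputs A (Card A) (Agent A) \<in> set evs4 \<rbrakk> 
        \<Longrightarrow> Outpts (Card A) A \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
@@ -107,7 +106,7 @@
 
 (*The card can be exploited by the spy*)
 (*because of the assumptions on the card, A is certainly not server nor spy*)
- SR_U4Fake: "\<lbrakk> evs4F \<in> srb; Nonce Na \<notin> used evs4F; 
+  | SR_U4Fake: "\<lbrakk> evs4F \<in> srb; Nonce Na \<notin> used evs4F; 
              illegalUse(Card A);
              Inputs Spy (Card A) (Agent A) \<in> set evs4F \<rbrakk> 
       \<Longrightarrow> Outpts (Card A) Spy \<lbrace>Nonce Na, Crypt (crdK (Card A)) (Nonce Na)\<rbrace>
@@ -117,7 +116,7 @@
 
 
 (*A TOWARDS B*)
-    SR_U5:  "\<lbrakk> evs5 \<in> srb; 
+  | SR_U5:  "\<lbrakk> evs5 \<in> srb; 
              Outpts (Card A) A \<lbrace>Nonce Na, Certificate\<rbrace> \<in> set evs5;
              \<forall> p q. Certificate \<noteq> \<lbrace>p, q\<rbrace> \<rbrakk>
           \<Longrightarrow> Says A B \<lbrace>Agent A, Nonce Na\<rbrace> # evs5 \<in> srb"
@@ -128,12 +127,12 @@
 
 
 (*B AND HIS CARD*)
-    SR_U6:  "\<lbrakk> evs6 \<in> srb; legalUse(Card B);
+  | SR_U6:  "\<lbrakk> evs6 \<in> srb; legalUse(Card B);
              Gets B \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs6 \<rbrakk>
           \<Longrightarrow> Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> 
                 # evs6 \<in> srb"
 (*B gets back from the card the session key and various verifiers*)
-    SR_U7:  "\<lbrakk> evs7 \<in> srb; 
+  | SR_U7:  "\<lbrakk> evs7 \<in> srb; 
              Nonce Nb \<notin> used evs7; legalUse(Card B); B \<noteq> Server;
              K = sesK(Nb,pairK(A,B));
              Key K \<notin> used evs7;
@@ -144,7 +143,7 @@
                 # evs7 \<in> srb"
 (*The card can be exploited by the spy*)
 (*because of the assumptions on the card, A is certainly not server nor spy*)
- SR_U7Fake:  "\<lbrakk> evs7F \<in> srb; Nonce Nb \<notin> used evs7F; 
+  | SR_U7Fake:  "\<lbrakk> evs7F \<in> srb; Nonce Nb \<notin> used evs7F; 
              illegalUse(Card B);
              K = sesK(Nb,pairK(A,B));
              Key K \<notin> used evs7F;
@@ -160,7 +159,7 @@
 (*B TOWARDS A*)
 (*having sent an input that mentions A is the only memory B relies on,
   since the output doesn't mention A - lack of explicitness*) 
-    SR_U8:  "\<lbrakk> evs8 \<in> srb;  
+  | SR_U8:  "\<lbrakk> evs8 \<in> srb;  
              Inputs B (Card B) \<lbrace>Agent A, Nonce Na\<rbrace> \<in> set evs8;
              Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, 
                                  Cert1, Cert2\<rbrace> \<in> set evs8 \<rbrakk>
@@ -172,7 +171,7 @@
 (*A AND HER CARD*)
 (*A cannot check the form of the verifiers - although I can prove the form of
   Cert2 - and just feeds her card with what she's got*)
-    SR_U9:  "\<lbrakk> evs9 \<in> srb; legalUse(Card A);
+  | SR_U9:  "\<lbrakk> evs9 \<in> srb; legalUse(Card A);
              Gets A \<lbrace>Nonce Pk, Cert1\<rbrace> \<in> set evs9;
              Outpts (Card A) A \<lbrace>Nonce Na, Cert2\<rbrace> \<in> set evs9; 
              Gets A \<lbrace>Nonce Nb, Cert3\<rbrace> \<in> set evs9;
@@ -182,7 +181,7 @@
                   Cert1, Cert3, Cert2\<rbrace> 
                 # evs9 \<in> srb"
 (*But the card will only give outputs to the inputs of the correct form*)
-    SR_U10: "\<lbrakk> evs10 \<in> srb; legalUse(Card A); A \<noteq> Server;
+  | SR_U10: "\<lbrakk> evs10 \<in> srb; legalUse(Card A); A \<noteq> Server;
              K = sesK(Nb,pairK(A,B));
              Inputs A (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, 
                                  Nonce (Pairkey(A,B)),
@@ -196,7 +195,7 @@
                  # evs10 \<in> srb"
 (*The card can be exploited by the spy*)
 (*because of the assumptions on the card, A is certainly not server nor spy*)
-SR_U10Fake: "\<lbrakk> evs10F \<in> srb; 
+  | SR_U10Fake: "\<lbrakk> evs10F \<in> srb; 
              illegalUse(Card A);
              K = sesK(Nb,pairK(A,B));
              Inputs Spy (Card A) \<lbrace>Agent B, Nonce Na, Nonce Nb, 
@@ -216,7 +215,7 @@
 (*A TOWARDS B*)
 (*having initiated with B is the only memory A relies on,
   since the output doesn't mention B - lack of explicitness*) 
-    SR_U11: "\<lbrakk> evs11 \<in> srb;
+  | SR_U11: "\<lbrakk> evs11 \<in> srb;
              Says A Server \<lbrace>Agent A, Agent B\<rbrace> \<in> set evs11;
              Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> 
                \<in> set evs11 \<rbrakk>
@@ -227,13 +226,13 @@
 
 (*Both peers may leak by accident the session keys obtained from their
   cards*)
-    Oops1:
+  | Oops1:
     "\<lbrakk> evsO1 \<in> srb;
         Outpts (Card B) B \<lbrace>Nonce Nb, Agent A, Key K, Cert1, Cert2\<rbrace> 
           \<in> set evsO1 \<rbrakk>
     \<Longrightarrow> Notes Spy \<lbrace>Key K, Nonce Nb, Agent A, Agent B\<rbrace> # evsO1 \<in> srb"
 
-    Oops2:
+  | Oops2:
     "\<lbrakk> evsO2 \<in> srb;
         Outpts (Card A) A \<lbrace>Agent B, Nonce Nb, Key K, Certificate\<rbrace> 
           \<in> set evsO2 \<rbrakk>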
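Review bot: The column chosen for the new `|` rule separator is not consistent across the theories this commit touches: this file writes `  | SR_U1:` with two leading spaces, TLS.thy, WooLam.thy and the Yahalom theories write ` | Fake:` with one, and ZhouGollmann.thy puts `| Fake:` at column 0. Within this file the `SR_U10Fake` rule only has its label line re-anchored while its premise lines keep their old indentation, whereas the matching `SR10Fake` rule in ShoupRubin.thy was re-indented as a whole. Since the change is purely syntactic, settling on one separator column and re-indenting continuation lines the same way in every theory would make the migration easier to read and to search. The `srb` definition continues past the last hunk (the Oops2 conclusion is outside it).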
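--- a/src/HOL/Auth/TLS.thy
+++ b/src/HOL/Auth/TLS.thy
@@ -99,25 +99,24 @@
   sessionK_neq_shrK [iff]: "sessionK nonces \<noteq> shrK A"
 
 
-consts    tls :: "event list set"
-inductive tls
-  intros
+inductive_set tls :: "event list set"
+  where
    Nil:  --{*The initial, empty trace*}
         "[] \<in> tls"
 
-   Fake: --{*The Spy may say anything he can say.  The sender field is correct,
+ | Fake: --{*The Spy may say anything he can say.  The sender field is correct,
          but agents don't use that information.*}
         "[| evsf \<in> tls;  X \<in> synth (analz (spies evsf)) |]
          ==> Says Spy B X # evsf \<in> tls"
 
-   SpyKeys: --{*The spy may apply @{term PRF} and @{term sessionK}
+ | SpyKeys: --{*The spy may apply @{term PRF} and @{term sessionK}
                to available nonces*}
         "[| evsSK \<in> tls;
 	     {Nonce NA, Nonce NB, Nonce M} <= analz (spies evsSK) |]
          ==> Notes Spy {| Nonce (PRF(M,NA,NB)),
 			   Key (sessionK((NA,NB,M),role)) |} # evsSK \<in> tls"
 
-   ClientHello:
+ | ClientHello:
 	 --{*(7.4.1.2)
 	   PA represents @{text CLIENT_VERSION}, @{text CIPHER_SUITES} and @{text COMPRESSION_METHODS}.
 	   It is uninterpreted but will be confirmed in the FINISHED messages.
@@ -129,7 +128,7 @@
          ==> Says A B {|Agent A, Nonce NA, Number SID, Number PA|}
 	        # evsCH  \<in>  tls"
 
-   ServerHello:
+ | ServerHello:
         --{*7.4.1.3 of the TLS Internet-Draft
 	   PB represents @{text CLIENT_VERSION}, @{text CIPHER_SUITE} and @{text COMPRESSION_METHOD}.
           SERVER CERTIFICATE (7.4.2) is always present.
@@ -139,11 +138,11 @@
 	       \<in> set evsSH |]
          ==> Says B A {|Nonce NB, Number SID, Number PB|} # evsSH  \<in>  tls"
 
-   Certificate:
+ | Certificate:
         --{*SERVER (7.4.2) or CLIENT (7.4.6) CERTIFICATE.*}
         "evsC \<in> tls ==> Says B A (certificate B (pubK B)) # evsC  \<in>  tls"
 
-   ClientKeyExch:
+ | ClientKeyExch:
         --{*CLIENT KEY EXCHANGE (7.4.7).
           The client, A, chooses PMS, the PREMASTER SECRET.
           She encrypts PMS using the supplied KB, which ought to be pubK B.
@@ -158,7 +157,7 @@
 	      # Notes A {|Agent B, Nonce PMS|}
 	      # evsCX  \<in>  tls"
 
-   CertVerify:
+ | CertVerify:
 	--{*The optional Certificate Verify (7.4.8) message contains the
          specific components listed in the security analysis, F.1.1.2.
          It adds the pre-master-secret, which is also essential!
@@ -174,7 +173,7 @@
          among other things.  The master-secret is PRF(PMS,NA,NB).
          Either party may send its message first.*}
 
-   ClientFinished:
+ | ClientFinished:
         --{*The occurrence of Notes A {|Agent B, Nonce PMS|} stops the
          rule's applying when the Spy has satisfied the "Says A B" by
          repaying messages sent by the true client; in that case, the
@@ -193,7 +192,7 @@
 			       Nonce NB, Number PB, Agent B|}))
              # evsCF  \<in>  tls"
 
-   ServerFinished:
+ | ServerFinished:
 	--{*Keeping A' and A'' distinct means B cannot even check that the
          two messages originate from the same source. *}
         "[| evsSF \<in> tls;
@@ -208,7 +207,7 @@
 			       Nonce NB, Number PB, Agent B|}))
              # evsSF  \<in>  tls"
 
-   ClientAccepts:
+ | ClientAccepts:
 	--{*Having transmitted ClientFinished and received an identical
          message encrypted with serverK, the client stores the parameters
          needed to resume this session.  The "Notes A ..." premise is
@@ -224,7 +223,7 @@
          ==>
             Notes A {|Number SID, Agent A, Agent B, Nonce M|} # evsCA  \<in>  tls"
 
-   ServerAccepts:
+ | ServerAccepts:
 	--{*Having transmitted ServerFinished and received an identical
          message encrypted with clientK, the server stores the parameters
          needed to resume this session.  The "Says A'' B ..." premise is
@@ -241,7 +240,7 @@
          ==>
             Notes B {|Number SID, Agent A, Agent B, Nonce M|} # evsSA  \<in>  tls"
 
-   ClientResume:
+ | ClientResume:
         --{*If A recalls the @{text SESSION_ID}, then she sends a FINISHED
            message using the new nonces and stored MASTER SECRET.*}
         "[| evsCR \<in> tls;
@@ -254,7 +253,7 @@
 			       Nonce NB, Number PB, Agent B|}))
             # evsCR  \<in>  tls"
 
-   ServerResume:
+ | ServerResume:
         --{*Resumption (7.3):  If B finds the @{text SESSION_ID} then he can 
            send a FINISHED message using the recovered MASTER SECRET*}
         "[| evsSR \<in> tls;
@@ -267,7 +266,7 @@
 			       Nonce NB, Number PB, Agent B|})) # evsSR
 	        \<in>  tls"
 
-   Oops:
+ | Oops:
         --{*The most plausible compromise is of an old session key.  Losing
           the MASTER SECRET or PREMASTER SECRET is more serious but
           rather unlikely.  The assumption @{term "A\<noteq>Spy"} is essential: 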
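--- a/src/HOL/Auth/WooLam.thy
+++ b/src/HOL/Auth/WooLam.thy
@@ -18,9 +18,8 @@
   Computer Security Foundations Workshop
 *}
 
-consts  woolam  :: "event list set"
-inductive woolam
-  intros
+inductive_set woolam :: "event list set"
+  where
         (*Initial trace is empty*)
    Nil:  "[] \<in> woolam"
 
@@ -29,20 +28,20 @@
         (*The spy MAY say anything he CAN say.  We do not expect him to
           invent new nonces here, but he can also use NS1.  Common to
           all similar protocols.*)
-   Fake: "[| evsf \<in> woolam;  X \<in> synth (analz (spies evsf)) |]
+ | Fake: "[| evsf \<in> woolam;  X \<in> synth (analz (spies evsf)) |]
          ==> Says Spy B X  # evsf \<in> woolam"
 
         (*Alice initiates a protocol run*)
-   WL1:  "evs1 \<in> woolam ==> Says A B (Agent A) # evs1 \<in> woolam"
+ | WL1:  "evs1 \<in> woolam ==> Says A B (Agent A) # evs1 \<in> woolam"
 
         (*Bob responds to Alice's message with a challenge.*)
-   WL2:  "[| evs2 \<in> woolam;  Says A' B (Agent A) \<in> set evs2 |]
+ | WL2:  "[| evs2 \<in> woolam;  Says A' B (Agent A) \<in> set evs2 |]
          ==> Says B A (Nonce NB) # evs2 \<in> woolam"
 
         (*Alice responds to Bob's challenge by encrypting NB with her key.
           B is *not* properly determined -- Alice essentially broadcasts
          her reply.*)
-   WL3:  "[| evs3 \<in> woolam;
+ | WL3:  "[| evs3 \<in> woolam;
             Says A  B (Agent A)  \<in> set evs3;
             Says B' A (Nonce NB) \<in> set evs3 |]
          ==> Says A B (Crypt (shrK A) (Nonce NB)) # evs3 \<in> woolam"
@@ -51,13 +50,13 @@
           the messages are shown in chronological order, for clarity.
           But here, exchanging the two events would cause the lemma
           WL4_analz_spies to pick up the wrong assumption!*)
-   WL4:  "[| evs4 \<in> woolam;
+ | WL4:  "[| evs4 \<in> woolam;
             Says A'  B X         \<in> set evs4;
             Says A'' B (Agent A) \<in> set evs4 |]
          ==> Says B Server {|Agent A, Agent B, X|} # evs4 \<in> woolam"
 
         (*Server decrypts Alice's response for Bob.*)
-   WL5:  "[| evs5 \<in> woolam;
+ | WL5:  "[| evs5 \<in> woolam;
             Says B' Server {|Agent A, Agent B, Crypt (shrK A) (Nonce NB)|}
               \<in> set evs5 |]
          ==> Says Server B (Crypt (shrK B) {|Agent A, Nonce NB|})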
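--- a/src/HOL/Auth/Yahalom.thy
+++ b/src/HOL/Auth/Yahalom.thy
@@ -15,29 +15,28 @@
 This theory has the prototypical example of a secrecy relation, KeyCryptNonce.
 *}
 
-consts  yahalom   :: "event list set"
-inductive "yahalom"
-  intros 
+inductive_set yahalom :: "event list set"
+  where
         (*Initial trace is empty*)
    Nil:  "[] \<in> yahalom"
 
         (*The spy MAY say anything he CAN say.  We do not expect him to
           invent new nonces here, but he can also use NS1.  Common to
           all similar protocols.*)
-   Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
+ | Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> yahalom"
 
         (*A message that has been sent can be received by the
           intended recipient.*)
-   Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
+ | Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
               ==> Gets B X # evsr \<in> yahalom"
 
         (*Alice initiates a protocol run*)
-   YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
+ | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
 
         (*Bob's response to Alice's message.*)
-   YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
+ | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
          ==> Says B Server 
                  {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
@@ -45,7 +44,7 @@
 
         (*The Server receives Bob's message.  He responds by sending a
            new session key to Alice, with a packet for forwarding to Bob.*)
-   YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
+ | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
             Gets Server 
                  {|Agent B, Crypt (shrK B) {|Agent A, Nonce NA, Nonce NB|}|}
               \<in> set evs3 |]
@@ -54,7 +53,7 @@
                     Crypt (shrK B) {|Agent A, Key KAB|}|}
                # evs3 \<in> yahalom"
 
-   YM4:  
+ | YM4:  
       --{*Alice receives the Server's (?) message, checks her Nonce, and
           uses the new session key to send Bob his Nonce.  The premise
           @{term "A \<noteq> Server"} is needed for @{text Says_Server_not_range}.
@@ -68,7 +67,7 @@
         (*This message models possible leaks of session keys.  The Nonces
           identify the protocol run.  Quoting Server here ensures they are
           correct.*)
-   Oops: "[| evso \<in> yahalom;  
+ | Oops: "[| evso \<in> yahalom;  
             Says Server A {|Crypt (shrK A)
                                   {|Agent B, Key K, Nonce NA, Nonce NB|},
                             X|}  \<in> set evso |]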
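--- a/src/HOL/Auth/Yahalom2.thy
+++ b/src/HOL/Auth/Yahalom2.thy
@@ -19,29 +19,28 @@
 This theory has the prototypical example of a secrecy relation, KeyCryptNonce.
 *}
 
-consts  yahalom   :: "event list set"
-inductive "yahalom"
-  intros
+inductive_set yahalom :: "event list set"
+  where
         (*Initial trace is empty*)
    Nil:  "[] \<in> yahalom"
 
         (*The spy MAY say anything he CAN say.  We do not expect him to
           invent new nonces here, but he can also use NS1.  Common to
           all similar protocols.*)
-   Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
+ | Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> yahalom"
 
         (*A message that has been sent can be received by the
           intended recipient.*)
-   Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
+ | Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
               ==> Gets B X # evsr \<in> yahalom"
 
        (*Alice initiates a protocol run*)
-   YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
+ | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
 
         (*Bob's response to Alice's message.*)
-   YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
+ | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
          ==> Says B Server
                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
@@ -50,7 +49,7 @@
         (*The Server receives Bob's message.  He responds by sending a
           new session key to Alice, with a certificate for forwarding to Bob.
           Both agents are quoted in the 2nd certificate to prevent attacks!*)
-   YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;
+ | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;
             Gets Server {|Agent B, Nonce NB,
 			   Crypt (shrK B) {|Agent A, Nonce NA|}|}
               \<in> set evs3 |]
@@ -62,7 +61,7 @@
 
         (*Alice receives the Server's (?) message, checks her Nonce, and
           uses the new session key to send Bob his Nonce.*)
-   YM4:  "[| evs4 \<in> yahalom;
+ | YM4:  "[| evs4 \<in> yahalom;
             Gets A {|Nonce NB, Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
                      X|}  \<in> set evs4;
             Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]
@@ -71,7 +70,7 @@
         (*This message models possible leaks of session keys.  The nonces
           identify the protocol run.  Quoting Server here ensures they are
           correct. *)
-   Oops: "[| evso \<in> yahalom;
+ | Oops: "[| evso \<in> yahalom;
             Says Server A {|Nonce NB,
                             Crypt (shrK A) {|Agent B, Key K, Nonce NA|},
                             X|}  \<in> set evso |]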
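--- a/src/HOL/Auth/Yahalom_Bad.thy
+++ b/src/HOL/Auth/Yahalom_Bad.thy
@@ -14,29 +14,28 @@
 The issues are discussed in lcp's LICS 2000 invited lecture.
 *}
 
-consts  yahalom   :: "event list set"
-inductive "yahalom"
-  intros
+inductive_set yahalom :: "event list set"
+  where
         (*Initial trace is empty*)
    Nil:  "[] \<in> yahalom"
 
         (*The spy MAY say anything he CAN say.  We do not expect him to
           invent new nonces here, but he can also use NS1.  Common to
           all similar protocols.*)
-   Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
+ | Fake: "[| evsf \<in> yahalom;  X \<in> synth (analz (knows Spy evsf)) |]
          ==> Says Spy B X  # evsf \<in> yahalom"
 
         (*A message that has been sent can be received by the
           intended recipient.*)
-   Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
+ | Reception: "[| evsr \<in> yahalom;  Says A B X \<in> set evsr |]
               ==> Gets B X # evsr \<in> yahalom"
 
        (*Alice initiates a protocol run*)
-   YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
+ | YM1:  "[| evs1 \<in> yahalom;  Nonce NA \<notin> used evs1 |]
          ==> Says A B {|Agent A, Nonce NA|} # evs1 \<in> yahalom"
 
         (*Bob's response to Alice's message.*)
-   YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
+ | YM2:  "[| evs2 \<in> yahalom;  Nonce NB \<notin> used evs2;
             Gets B {|Agent A, Nonce NA|} \<in> set evs2 |]
          ==> Says B Server
                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
@@ -44,7 +43,7 @@
 
         (*The Server receives Bob's message.  He responds by sending a
            new session key to Alice, with a packet for forwarding to Bob.*)
-   YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
+ | YM3:  "[| evs3 \<in> yahalom;  Key KAB \<notin> used evs3;  KAB \<in> symKeys;
             Gets Server
                  {|Agent B, Nonce NB, Crypt (shrK B) {|Agent A, Nonce NA|}|}
               \<in> set evs3 |]
@@ -56,7 +55,7 @@
         (*Alice receives the Server's (?) message, checks her Nonce, and
           uses the new session key to send Bob his Nonce.  The premise
           A \<noteq> Server is needed to prove Says_Server_not_range.*)
-   YM4:  "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
+ | YM4:  "[| evs4 \<in> yahalom;  A \<noteq> Server;  K \<in> symKeys;
             Gets A {|Crypt(shrK A) {|Agent B, Key K, Nonce NA, Nonce NB|}, X|}
               \<in> set evs4;
             Says A B {|Agent A, Nonce NA|} \<in> set evs4 |]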
    34.1 --- a/src/HOL/Auth/ZhouGollmann.thy	Wed Jul 11 11:13:08 2007 +0200
    34.2 +++ b/src/HOL/Auth/ZhouGollmann.thy	Wed Jul 11 11:14:51 2007 +0200
    34.3 @@ -29,29 +29,27 @@
    34.4  
    34.5  declare broken_def [simp]
    34.6  
    34.7 -consts  zg  :: "event list set"
    34.8 -
    34.9 -inductive zg
   34.10 -  intros
   34.11 +inductive_set zg :: "event list set"
   34.12 +  where
   34.13  
   34.14    Nil:  "[] \<in> zg"
   34.15  
   34.16 -  Fake: "[| evsf \<in> zg;  X \<in> synth (analz (spies evsf)) |]
   34.17 +| Fake: "[| evsf \<in> zg;  X \<in> synth (analz (spies evsf)) |]
   34.18  	 ==> Says Spy B X  # evsf \<in> zg"
   34.19  
   34.20 -Reception:  "[| evsr \<in> zg; Says A B X \<in> set evsr |] ==> Gets B X # evsr \<in> zg"
   34.21 +| Reception:  "[| evsr \<in> zg; Says A B X \<in> set evsr |] ==> Gets B X # evsr \<in> zg"
   34.22  
   34.23    (*L is fresh for honest agents.
   34.24      We don't require K to be fresh because we don't bother to prove secrecy!
   34.25      We just assume that the protocol's objective is to deliver K fairly,
   34.26      rather than to keep M secret.*)
   34.27 -  ZG1: "[| evs1 \<in> zg;  Nonce L \<notin> used evs1; C = Crypt K (Number m);
   34.28 +| ZG1: "[| evs1 \<in> zg;  Nonce L \<notin> used evs1; C = Crypt K (Number m);
   34.29  	   K \<in> symKeys;
   34.30  	   NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|}|]
   34.31         ==> Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} # evs1 \<in> zg"
   34.32  
   34.33    (*B must check that NRO is A's signature to learn the sender's name*)
   34.34 -  ZG2: "[| evs2 \<in> zg;
   34.35 +| ZG2: "[| evs2 \<in> zg;
   34.36  	   Gets B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs2;
   34.37  	   NRO = Crypt (priK A) {|Number f_nro, Agent B, Nonce L, C|};
   34.38  	   NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|}|]
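Review bot: Every protocol step of `zg` carries a comment except the two rules that fix the threat model, `Fake` (34.17) and `Reception` (34.21): `Fake` lets the Spy send any `X \<in> synth (analz (spies evsf))` to any `B`, and `Reception` turns a `Says A B X` already in the trace into a `Gets B X`. I would add `(*The Spy can send any message it can synthesize from the observed traffic*)` above `| Fake:` and `(*Any message sent to B may be received by B*)` above `| Reception:`, so the rules that define what the attacker can do are documented where they are stated. The comment on `ZG1` (34.23–34.26) already explains the freshness assumptions, so only these two are missing.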
   34.39 @@ -59,7 +57,7 @@
   34.40  
   34.41    (*A must check that NRR is B's signature to learn the sender's name;
   34.42      without spy, the matching label would be enough*)
   34.43 -  ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys;
   34.44 +| ZG3: "[| evs3 \<in> zg; C = Crypt K M; K \<in> symKeys;
   34.45  	   Says A B {|Number f_nro, Agent B, Nonce L, C, NRO|} \<in> set evs3;
   34.46  	   Gets A {|Number f_nrr, Agent A, Nonce L, NRR|} \<in> set evs3;
   34.47  	   NRR = Crypt (priK B) {|Number f_nrr, Agent A, Nonce L, C|};
   34.48 @@ -73,7 +71,7 @@
   34.49     give con_K to the Spy. This makes the threat model more dangerous, while 
   34.50     also allowing lemma @{text Crypt_used_imp_spies} to omit the condition
   34.51     @{term "K \<noteq> priK TTP"}. *)
   34.52 -  ZG4: "[| evs4 \<in> zg; K \<in> symKeys;
   34.53 +| ZG4: "[| evs4 \<in> zg; K \<in> symKeys;
   34.54  	   Gets TTP {|Number f_sub, Agent B, Nonce L, Key K, sub_K|}
   34.55  	     \<in> set evs4;
   34.56  	   sub_K = Crypt (priK A) {|Number f_sub, Agent B, Nonce L, Key K|};
    35.1 --- a/src/HOL/HoareParallel/OG_Hoare.thy	Wed Jul 11 11:13:08 2007 +0200
    35.2 +++ b/src/HOL/HoareParallel/OG_Hoare.thy	Wed Jul 11 11:14:51 2007 +0200
    35.3 @@ -36,46 +36,40 @@
    35.4    "interfree Ts \<equiv> \<forall>i j. i < length Ts \<and> j < length Ts \<and> i \<noteq> j \<longrightarrow> 
    35.5                           interfree_aux (com (Ts!i), post (Ts!i), com (Ts!j)) "
    35.6  
    35.7 -consts ann_hoare :: "('a ann_com \<times> 'a assn) set" 
    35.8 -syntax "_ann_hoare" :: "'a ann_com \<Rightarrow> 'a assn \<Rightarrow> bool"  ("(2\<turnstile> _// _)" [60,90] 45)
    35.9 -translations "\<turnstile> c q" \<rightleftharpoons> "(c, q) \<in> ann_hoare"
   35.10 -
   35.11 -consts oghoare :: "('a assn \<times> 'a com \<times> 'a assn) set"
   35.12 -syntax "_oghoare" :: "'a assn \<Rightarrow> 'a com \<Rightarrow> 'a assn \<Rightarrow> bool"  ("(3\<parallel>- _//_//_)" [90,55,90] 50)
   35.13 -translations "\<parallel>- p c q" \<rightleftharpoons> "(p, c, q) \<in> oghoare"
   35.14 -
   35.15 -inductive oghoare ann_hoare
   35.16 -intros
   35.17 +inductive
   35.18 +  oghoare :: "'a assn \<Rightarrow> 'a com \<Rightarrow> 'a assn \<Rightarrow> bool"  ("(3\<parallel>- _//_//_)" [90,55,90] 50)
   35.19 +  and ann_hoare :: "'a ann_com \<Rightarrow> 'a assn \<Rightarrow> bool"  ("(2\<turnstile> _// _)" [60,90] 45)
   35.20 +where
   35.21    AnnBasic: "r \<subseteq> {s. f s \<in> q} \<Longrightarrow> \<turnstile> (AnnBasic r f) q"
   35.22  
   35.23 -  AnnSeq:   "\<lbrakk> \<turnstile> c0 pre c1; \<turnstile> c1 q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnSeq c0 c1) q"
   35.24 +| AnnSeq:   "\<lbrakk> \<turnstile> c0 pre c1; \<turnstile> c1 q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnSeq c0 c1) q"
   35.25    
   35.26 -  AnnCond1: "\<lbrakk> r \<inter> b \<subseteq> pre c1; \<turnstile> c1 q; r \<inter> -b \<subseteq> pre c2; \<turnstile> c2 q\<rbrakk> 
   35.27 +| AnnCond1: "\<lbrakk> r \<inter> b \<subseteq> pre c1; \<turnstile> c1 q; r \<inter> -b \<subseteq> pre c2; \<turnstile> c2 q\<rbrakk> 
   35.28                \<Longrightarrow> \<turnstile> (AnnCond1 r b c1 c2) q"
   35.29 -  AnnCond2: "\<lbrakk> r \<inter> b \<subseteq> pre c; \<turnstile> c q; r \<inter> -b \<subseteq> q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnCond2 r b c) q"
   35.30 +| AnnCond2: "\<lbrakk> r \<inter> b \<subseteq> pre c; \<turnstile> c q; r \<inter> -b \<subseteq> q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnCond2 r b c) q"
   35.31    
   35.32 -  AnnWhile: "\<lbrakk> r \<subseteq> i; i \<inter> b \<subseteq> pre c; \<turnstile> c i; i \<inter> -b \<subseteq> q \<rbrakk> 
   35.33 +| AnnWhile: "\<lbrakk> r \<subseteq> i; i \<inter> b \<subseteq> pre c; \<turnstile> c i; i \<inter> -b \<subseteq> q \<rbrakk> 
   35.34                \<Longrightarrow> \<turnstile> (AnnWhile r b i c) q"
   35.35    
   35.36 -  AnnAwait:  "\<lbrakk> atom_com c; \<parallel>- (r \<inter> b) c q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnAwait r b c) q"
   35.37 +| AnnAwait:  "\<lbrakk> atom_com c; \<parallel>- (r \<inter> b) c q \<rbrakk> \<Longrightarrow> \<turnstile> (AnnAwait r b c) q"
   35.38    
   35.39 -  AnnConseq: "\<lbrakk>\<turnstile> c q; q \<subseteq> q' \<rbrakk> \<Longrightarrow> \<turnstile> c q'"
   35.40 +| AnnConseq: "\<lbrakk>\<turnstile> c q; q \<subseteq> q' \<rbrakk> \<Longrightarrow> \<turnstile> c q'"
   35.41  
   35.42  
   35.43 -  Parallel: "\<lbrakk> \<forall>i<length Ts. \<exists>c q. Ts!i = (Some c, q) \<and> \<turnstile> c q; interfree Ts \<rbrakk>
   35.44 +| Parallel: "\<lbrakk> \<forall>i<length Ts. \<exists>c q. Ts!i = (Some c, q) \<and> \<turnstile> c q; interfree Ts \<rbrakk>
   35.45  	   \<Longrightarrow> \<parallel>- (\<Inter>i\<in>{i. i<length Ts}. pre(the(com(Ts!i)))) 
   35.46                       Parallel Ts 
   35.47                    (\<Inter>i\<in>{i. i<length Ts}. post(Ts!i))"
   35.48  
   35.49 -  Basic:   "\<parallel>- {s. f s \<in>q} (Basic f) q"
   35.50 +| Basic:   "\<parallel>- {s. f s \<in>q} (Basic f) q"
   35.51    
   35.52 -  Seq:    "\<lbrakk> \<parallel>- p c1 r; \<parallel>- r c2 q \<rbrakk> \<Longrightarrow> \<parallel>- p (Seq c1 c2) q "
   35.53 +| Seq:    "\<lbrakk> \<parallel>- p c1 r; \<parallel>- r c2 q \<rbrakk> \<Longrightarrow> \<parallel>- p (Seq c1 c2) q "
   35.54  
   35.55 -  Cond:   "\<lbrakk> \<parallel>- (p \<inter> b) c1 q; \<parallel>- (p \<inter> -b) c2 q \<rbrakk> \<Longrightarrow> \<parallel>- p (Cond b c1 c2) q"
   35.56 +| Cond:   "\<lbrakk> \<parallel>- (p \<inter> b) c1 q; \<parallel>- (p \<inter> -b) c2 q \<rbrakk> \<Longrightarrow> \<parallel>- p (Cond b c1 c2) q"
   35.57  
   35.58 -  While:  "\<lbrakk> \<parallel>- (p \<inter> b) c p \<rbrakk> \<Longrightarrow> \<parallel>- p (While b i c) (p \<inter> -b)"
   35.59 +| While:  "\<lbrakk> \<parallel>- (p \<inter> b) c p \<rbrakk> \<Longrightarrow> \<parallel>- p (While b i c) (p \<inter> -b)"
   35.60  
   35.61 -  Conseq: "\<lbrakk> p' \<subseteq> p; \<parallel>- p c q ; q \<subseteq> q' \<rbrakk> \<Longrightarrow> \<parallel>- p' c q'"
   35.62 +| Conseq: "\<lbrakk> p' \<subseteq> p; \<parallel>- p c q ; q \<subseteq> q' \<rbrakk> \<Longrightarrow> \<parallel>- p' c q'"
   35.63  					    
   35.64  section {* Soundness *}
   35.65  (* In the version Isabelle-10-Sep-1999: HOL: The THEN and ELSE
   35.66 @@ -147,13 +141,13 @@
   35.67  subsection {* Soundness of the System for Component Programs *}
   35.68  
   35.69  inductive_cases ann_transition_cases:
   35.70 -    "(None,s) -1\<rightarrow> t"
   35.71 -    "(Some (AnnBasic r f),s) -1\<rightarrow> t"
   35.72 -    "(Some (AnnSeq c1 c2), s) -1\<rightarrow> t" 
   35.73 -    "(Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> t"
   35.74 -    "(Some (AnnCond2 r b c), s) -1\<rightarrow> t"
   35.75 -    "(Some (AnnWhile r b I c), s) -1\<rightarrow> t"
   35.76 -    "(Some (AnnAwait r b c),s) -1\<rightarrow> t"
   35.77 +    "(None,s) -1\<rightarrow> (c', s')"
   35.78 +    "(Some (AnnBasic r f),s) -1\<rightarrow> (c', s')"
   35.79 +    "(Some (AnnSeq c1 c2), s) -1\<rightarrow> (c', s')"
   35.80 +    "(Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> (c', s')"
   35.81 +    "(Some (AnnCond2 r b c), s) -1\<rightarrow> (c', s')"
   35.82 +    "(Some (AnnWhile r b I c), s) -1\<rightarrow> (c', s')"
   35.83 +    "(Some (AnnAwait r b c),s) -1\<rightarrow> (c', s')"
   35.84  
   35.85  text {* Strong Soundness for Component Programs:*}
   35.86  
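Review bot: The targets of `ann_transition_cases` (35.77–35.83) now spell the successor configuration as an explicit pair `(c', s')` instead of a variable `t`, and nothing records why. Presumably the elimination rules are wanted with command and state exposed as separate variables, matching the `(None, f s)`-style conclusions of the `ann_transition` rules, rather than as equations on `t`; I would state that in a comment above the command, e.g. `(* successor written as (c', s') so each case exposes command and state separately *)`. If the variable form was dropped because the new package does not accept it, the comment should say that instead.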
   35.87 @@ -174,7 +168,7 @@
   35.88  apply(clarify,simp,clarify,rule_tac x=qa in exI,fast)
   35.89  done
   35.90  
   35.91 -lemma Help: "(transition \<inter> {(v,v,u). True}) = (transition)"
   35.92 +lemma Help: "(transition \<inter> {(x,y). True}) = (transition)"
   35.93  apply force
   35.94  done
   35.95  
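Review bot: `lemma Help` (35.92) now reads `transition \<inter> {(x,y). True} = transition`, i.e. intersection with the universal set of pairs, and neither the name nor a comment says why such a statement is needed; presumably a later proof produces this exact syntactic form and needs it rewritten away. A one-line comment such as `(* {(x,y). True} is UNIV on pairs; kept in this shape so it matches the term a later simp step produces *)` would make the purpose recoverable, and a descriptive name would help further if its uses can be updated. The old pattern `{(v,v,u). True}` repeated `v`, so the rewrite also removes a confusing pattern; worth a word in the comment as well.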
   35.96 @@ -412,7 +406,7 @@
   35.97  apply clarify
   35.98  apply(drule Parallel_length_post_PStar)
   35.99  apply clarify
  35.100 -apply (ind_cases "(Parallel Ts, s) -P1\<rightarrow> (Parallel Rs, t)")
  35.101 +apply (ind_cases "(Parallel Ts, s) -P1\<rightarrow> (Parallel Rs, t)" for Ts s Rs t)
  35.102  apply(rule conjI)
  35.103   apply clarify
  35.104   apply(case_tac "i=j")
    36.1 --- a/src/HOL/HoareParallel/OG_Tran.thy	Wed Jul 11 11:13:08 2007 +0200
    36.2 +++ b/src/HOL/HoareParallel/OG_Tran.thy	Wed Jul 11 11:14:51 2007 +0200
    36.3 @@ -19,71 +19,72 @@
    36.4  
    36.5  subsection {* The Transition Relation *}
    36.6  
    36.7 -consts
    36.8 +inductive_set
    36.9    ann_transition :: "(('a ann_com_op \<times> 'a) \<times> ('a ann_com_op \<times> 'a)) set"        
   36.10 -  transition :: "(('a com \<times> 'a) \<times> ('a com \<times> 'a)) set"
   36.11 -    
   36.12 -syntax
   36.13 -  "_ann_transition" :: "('a ann_com_op \<times> 'a) \<Rightarrow> ('a ann_com_op \<times> 'a) \<Rightarrow> bool"
   36.14 -                           ("_ -1\<rightarrow> _"[81,81] 100)
   36.15 -  "_ann_transition_n" :: "('a ann_com_op \<times> 'a) \<Rightarrow> nat \<Rightarrow> ('a ann_com_op \<times> 'a) 
   36.16 -                           \<Rightarrow> bool"  ("_ -_\<rightarrow> _"[81,81] 100)
   36.17 -  "_ann_transition_*" :: "('a ann_com_op \<times> 'a) \<Rightarrow> ('a ann_com_op \<times> 'a) \<Rightarrow> bool"
   36.18 -                           ("_ -*\<rightarrow> _"[81,81] 100)
   36.19 +  and transition :: "(('a com \<times> 'a) \<times> ('a com \<times> 'a)) set"
   36.20 +  and ann_transition' :: "('a ann_com_op \<times> 'a) \<Rightarrow> ('a ann_com_op \<times> 'a) \<Rightarrow> bool"
   36.21 +    ("_ -1\<rightarrow> _"[81,81] 100)
   36.22 +  and transition' :: "('a com \<times> 'a) \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"
   36.23 +    ("_ -P1\<rightarrow> _"[81,81] 100)
   36.24 +  and transitions :: "('a com \<times> 'a) \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"
   36.25 +    ("_ -P*\<rightarrow> _"[81,81] 100)
   36.26 +where
   36.27 +  "con_0 -1\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> ann_transition"
   36.28 +| "con_0 -P1\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> transition"
   36.29 +| "con_0 -P*\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> transition\<^sup>*"
   36.30 +
   36.31 +| AnnBasic:  "(Some (AnnBasic r f), s) -1\<rightarrow> (None, f s)"
   36.32 +
   36.33 +| AnnSeq1: "(Some c0, s) -1\<rightarrow> (None, t) \<Longrightarrow> 
   36.34 +               (Some (AnnSeq c0 c1), s) -1\<rightarrow> (Some c1, t)"
   36.35 +| AnnSeq2: "(Some c0, s) -1\<rightarrow> (Some c2, t) \<Longrightarrow> 
   36.36 +               (Some (AnnSeq c0 c1), s) -1\<rightarrow> (Some (AnnSeq c2 c1), t)"
   36.37 +
   36.38 +| AnnCond1T: "s \<in> b  \<Longrightarrow> (Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> (Some c1, s)"
   36.39 +| AnnCond1F: "s \<notin> b \<Longrightarrow> (Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> (Some c2, s)"
   36.40  
   36.41 -  "_transition" :: "('a com \<times> 'a) \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"  ("_ -P1\<rightarrow> _"[81,81] 100)
   36.42 -  "_transition_n" :: "('a com \<times> 'a) \<Rightarrow> nat \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"  
   36.43 -                          ("_ -P_\<rightarrow> _"[81,81,81] 100)  
   36.44 -  "_transition_*" :: "('a com \<times> 'a) \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"  ("_ -P*\<rightarrow> _"[81,81] 100)
   36.45 +| AnnCond2T: "s \<in> b  \<Longrightarrow> (Some (AnnCond2 r b c), s) -1\<rightarrow> (Some c, s)"
   36.46 +| AnnCond2F: "s \<notin> b \<Longrightarrow> (Some (AnnCond2 r b c), s) -1\<rightarrow> (None, s)"
   36.47 +
   36.48 +| AnnWhileF: "s \<notin> b \<Longrightarrow> (Some (AnnWhile r b i c), s) -1\<rightarrow> (None, s)"
   36.49 +| AnnWhileT: "s \<in> b  \<Longrightarrow> (Some (AnnWhile r b i c), s) -1\<rightarrow> 
   36.50 +                         (Some (AnnSeq c (AnnWhile i b i c)), s)"
   36.51 +
   36.52 +| AnnAwait: "\<lbrakk> s \<in> b; atom_com c; (c, s) -P*\<rightarrow> (Parallel [], t) \<rbrakk> \<Longrightarrow>
   36.53 +	           (Some (AnnAwait r b c), s) -1\<rightarrow> (None, t)" 
   36.54 +
   36.55 +| Parallel: "\<lbrakk> i<length Ts; Ts!i = (Some c, q); (Some c, s) -1\<rightarrow> (r, t) \<rbrakk>
   36.56 +              \<Longrightarrow> (Parallel Ts, s) -P1\<rightarrow> (Parallel (Ts [i:=(r, q)]), t)"
   36.57 +
   36.58 +| Basic:  "(Basic f, s) -P1\<rightarrow> (Parallel [], f s)"
   36.59 +
   36.60 +| Seq1:   "All_None Ts \<Longrightarrow> (Seq (Parallel Ts) c, s) -P1\<rightarrow> (c, s)"
   36.61 +| Seq2:   "(c0, s) -P1\<rightarrow> (c2, t) \<Longrightarrow> (Seq c0 c1, s) -P1\<rightarrow> (Seq c2 c1, t)"
   36.62 +
   36.63 +| CondT: "s \<in> b \<Longrightarrow> (Cond b c1 c2, s) -P1\<rightarrow> (c1, s)"
   36.64 +| CondF: "s \<notin> b \<Longrightarrow> (Cond b c1 c2, s) -P1\<rightarrow> (c2, s)"
   36.65 +
   36.66 +| WhileF: "s \<notin> b \<Longrightarrow> (While b i c, s) -P1\<rightarrow> (Parallel [], s)"
   36.67 +| WhileT: "s \<in> b \<Longrightarrow> (While b i c, s) -P1\<rightarrow> (Seq c (While b i c), s)"
   36.68 +
   36.69 +monos "rtrancl_mono"
   36.70  
   36.71  text {* The corresponding syntax translations are: *}
   36.72  
   36.73 -translations
   36.74 -  "con_0 -1\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> ann_transition"
   36.75 -  "con_0 -n\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> ann_transition^n"
   36.76 -  "con_0 -*\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> ann_transition\<^sup>*"
   36.77 -   
   36.78 -  "con_0 -P1\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> transition"
   36.79 -  "con_0 -Pn\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> transition^n"
   36.80 -  "con_0 -P*\<rightarrow> con_1" \<rightleftharpoons> "(con_0, con_1) \<in> transition\<^sup>*"
   36.81 -
   36.82 -inductive ann_transition  transition
   36.83 -intros
   36.84 -  AnnBasic:  "(Some (AnnBasic r f), s) -1\<rightarrow> (None, f s)"
   36.85 -
   36.86 -  AnnSeq1: "(Some c0, s) -1\<rightarrow> (None, t) \<Longrightarrow> 
   36.87 -               (Some (AnnSeq c0 c1), s) -1\<rightarrow> (Some c1, t)"
   36.88 -  AnnSeq2: "(Some c0, s) -1\<rightarrow> (Some c2, t) \<Longrightarrow> 
   36.89 -               (Some (AnnSeq c0 c1), s) -1\<rightarrow> (Some (AnnSeq c2 c1), t)"
   36.90 -
   36.91 -  AnnCond1T: "s \<in> b  \<Longrightarrow> (Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> (Some c1, s)"
   36.92 -  AnnCond1F: "s \<notin> b \<Longrightarrow> (Some (AnnCond1 r b c1 c2), s) -1\<rightarrow> (Some c2, s)"
   36.93 +abbreviation
   36.94 +  ann_transition_n :: "('a ann_com_op \<times> 'a) \<Rightarrow> nat \<Rightarrow> ('a ann_com_op \<times> 'a) 
   36.95 +                           \<Rightarrow> bool"  ("_ -_\<rightarrow> _"[81,81] 100)  where
   36.96 +  "con_0 -n\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> ann_transition^n"
   36.97  
   36.98 -  AnnCond2T: "s \<in> b  \<Longrightarrow> (Some (AnnCond2 r b c), s) -1\<rightarrow> (Some c, s)"
   36.99 -  AnnCond2F: "s \<notin> b \<Longrightarrow> (Some (AnnCond2 r b c), s) -1\<rightarrow> (None, s)"
  36.100 -
  36.101 -  AnnWhileF: "s \<notin> b \<Longrightarrow> (Some (AnnWhile r b i c), s) -1\<rightarrow> (None, s)"
  36.102 -  AnnWhileT: "s \<in> b  \<Longrightarrow> (Some (AnnWhile r b i c), s) -1\<rightarrow> 
  36.103 -                         (Some (AnnSeq c (AnnWhile i b i c)), s)"
  36.104 -
  36.105 -  AnnAwait: "\<lbrakk> s \<in> b; atom_com c; (c, s) -P*\<rightarrow> (Parallel [], t) \<rbrakk> \<Longrightarrow>
  36.106 -	           (Some (AnnAwait r b c), s) -1\<rightarrow> (None, t)" 
  36.107 -
  36.108 -  Parallel: "\<lbrakk> i<length Ts; Ts!i = (Some c, q); (Some c, s) -1\<rightarrow> (r, t) \<rbrakk>
  36.109 -              \<Longrightarrow> (Parallel Ts, s) -P1\<rightarrow> (Parallel (Ts [i:=(r, q)]), t)"
  36.110 +abbreviation
  36.111 +  ann_transitions :: "('a ann_com_op \<times> 'a) \<Rightarrow> ('a ann_com_op \<times> 'a) \<Rightarrow> bool"
  36.112 +                           ("_ -*\<rightarrow> _"[81,81] 100)  where
  36.113 +  "con_0 -*\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> ann_transition\<^sup>*"
  36.114  
  36.115 -  Basic:  "(Basic f, s) -P1\<rightarrow> (Parallel [], f s)"
  36.116 -
  36.117 -  Seq1:   "All_None Ts \<Longrightarrow> (Seq (Parallel Ts) c, s) -P1\<rightarrow> (c, s)"
  36.118 -  Seq2:   "(c0, s) -P1\<rightarrow> (c2, t) \<Longrightarrow> (Seq c0 c1, s) -P1\<rightarrow> (Seq c2 c1, t)"
  36.119 -
  36.120 -  CondT: "s \<in> b \<Longrightarrow> (Cond b c1 c2, s) -P1\<rightarrow> (c1, s)"
  36.121 -  CondF: "s \<notin> b \<Longrightarrow> (Cond b c1 c2, s) -P1\<rightarrow> (c2, s)"
  36.122 -
  36.123 -  WhileF: "s \<notin> b \<Longrightarrow> (While b i c, s) -P1\<rightarrow> (Parallel [], s)"
  36.124 -  WhileT: "s \<in> b \<Longrightarrow> (While b i c, s) -P1\<rightarrow> (Seq c (While b i c), s)"
  36.125 -
  36.126 -monos "rtrancl_mono"
  36.127 +abbreviation
  36.128 +  transition_n :: "('a com \<times> 'a) \<Rightarrow> nat \<Rightarrow> ('a com \<times> 'a) \<Rightarrow> bool"  
  36.129 +                          ("_ -P_\<rightarrow> _"[81,81,81] 100)  where
  36.130 +  "con_0 -Pn\<rightarrow> con_1 \<equiv> (con_0, con_1) \<in> transition^n"
  36.131  
  36.132  subsection {* Definition of Semantics *}
  36.133  
    37.1 --- a/src/HOL/HoareParallel/RG_Hoare.thy	Wed Jul 11 11:13:08 2007 +0200
    37.2 +++ b/src/HOL/HoareParallel/RG_Hoare.thy	Wed Jul 11 11:14:51 2007 +0200
    37.3 @@ -11,36 +11,31 @@
    37.4    stable :: "'a set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> bool"  
    37.5    "stable \<equiv> \<lambda>f g. (\<forall>x y. x \<in> f \<longrightarrow> (x, y) \<in> g \<longrightarrow> y \<in> f)" 
    37.6  
    37.7 -consts rghoare :: "('a rgformula) set" 
    37.8 -syntax 
    37.9 -  "_rghoare" :: "['a com, 'a set, ('a \<times> 'a) set, ('a \<times> 'a) set, 'a set] \<Rightarrow> bool"  
   37.10 -                ("\<turnstile> _ sat [_, _, _, _]" [60,0,0,0,0] 45)
   37.11 -translations 
   37.12 -  "\<turnstile> P sat [pre, rely, guar, post]" \<rightleftharpoons> "(P, pre, rely, guar, post) \<in> rghoare"
   37.13 -
   37.14 -inductive rghoare
   37.15 -intros
   37.16 +inductive
   37.17 +  rghoare :: "['a com, 'a set, ('a \<times> 'a) set, ('a \<times> 'a) set, 'a set] \<Rightarrow> bool"  
   37.18 +    ("\<turnstile> _ sat [_, _, _, _]" [60,0,0,0,0] 45)
   37.19 +where
   37.20    Basic: "\<lbrakk> pre \<subseteq> {s. f s \<in> post}; {(s,t). s \<in> pre \<and> (t=f s \<or> t=s)} \<subseteq> guar; 
   37.21              stable pre rely; stable post rely \<rbrakk> 
   37.22             \<Longrightarrow> \<turnstile> Basic f sat [pre, rely, guar, post]"
   37.23  
   37.24 -  Seq: "\<lbrakk> \<turnstile> P sat [pre, rely, guar, mid]; \<turnstile> Q sat [mid, rely, guar, post] \<rbrakk> 
   37.25 +| Seq: "\<lbrakk> \<turnstile> P sat [pre, rely, guar, mid]; \<turnstile> Q sat [mid, rely, guar, post] \<rbrakk> 
   37.26             \<Longrightarrow> \<turnstile> Seq P Q sat [pre, rely, guar, post]"
   37.27  
   37.28 -  Cond: "\<lbrakk> stable pre rely; \<turnstile> P1 sat [pre \<inter> b, rely, guar, post];
   37.29 +| Cond: "\<lbrakk> stable pre rely; \<turnstile> P1 sat [pre \<inter> b, rely, guar, post];
   37.30             \<turnstile> P2 sat [pre \<inter> -b, rely, guar, post]; \<forall>s. (s,s)\<in>guar \<rbrakk>
   37.31            \<Longrightarrow> \<turnstile> Cond b P1 P2 sat [pre, rely, guar, post]"
   37.32  
   37.33 -  While: "\<lbrakk> stable pre rely; (pre \<inter> -b) \<subseteq> post; stable post rely;
   37.34 +| While: "\<lbrakk> stable pre rely; (pre \<inter> -b) \<subseteq> post; stable post rely;
   37.35              \<turnstile> P sat [pre \<inter> b, rely, guar, pre]; \<forall>s. (s,s)\<in>guar \<rbrakk>
   37.36            \<Longrightarrow> \<turnstile> While b P sat [pre, rely, guar, post]"
   37.37  
   37.38 -  Await: "\<lbrakk> stable pre rely; stable post rely; 
   37.39 +| Await: "\<lbrakk> stable pre rely; stable post rely; 
   37.40              \<forall>V. \<turnstile> P sat [pre \<inter> b \<inter> {V}, {(s, t). s = t}, 
   37.41                  UNIV, {s. (V, s) \<in> guar} \<inter> post] \<rbrakk>
   37.42             \<Longrightarrow> \<turnstile> Await b P sat [pre, rely, guar, post]"
   37.43    
   37.44 -  Conseq: "\<lbrakk> pre \<subseteq> pre'; rely \<subseteq> rely'; guar' \<subseteq> guar; post' \<subseteq> post;
   37.45 +| Conseq: "\<lbrakk> pre \<subseteq> pre'; rely \<subseteq> rely'; guar' \<subseteq> guar; post' \<subseteq> post;
   37.46               \<turnstile> P sat [pre', rely', guar', post'] \<rbrakk>
   37.47              \<Longrightarrow> \<turnstile> P sat [pre, rely, guar, post]"
   37.48  
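Review bot: `rghoare` (37.17) is declared with the bracketed type form `['a com, 'a set, ...] \<Rightarrow> bool`, while `par_rghoare` in the next hunk (37.62) spells the same kind of signature with explicit `\<Rightarrow>` arrows; both were copied from the `syntax` entries being removed, but now that they are the signatures of the predicates themselves the two should use one form. I would write `par_rghoare :: "[('a rgformula) list, 'a set, ('a \<times> 'a) set, ('a \<times> 'a) set, 'a set] \<Rightarrow> bool"` or, conversely, expand `rghoare` with arrows.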
   37.49 @@ -60,14 +55,10 @@
   37.50  
   37.51  types 'a par_rgformula = "('a rgformula) list \<times> 'a set \<times> ('a \<times> 'a) set \<times> ('a \<times> 'a) set \<times> 'a set"
   37.52  
   37.53 -consts par_rghoare :: "('a par_rgformula) set" 
   37.54 -syntax 
   37.55 -  "_par_rghoare" :: "('a rgformula) list \<Rightarrow> 'a set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> 'a set \<Rightarrow> bool"    ("\<turnstile> _ SAT [_, _, _, _]" [60,0,0,0,0] 45)
   37.56 -translations 
   37.57 -  "\<turnstile> Ps SAT [pre, rely, guar, post]" \<rightleftharpoons> "(Ps, pre, rely, guar, post) \<in> par_rghoare"
   37.58 -
   37.59 -inductive par_rghoare
   37.60 -intros
   37.61 +inductive
   37.62 +  par_rghoare :: "('a rgformula) list \<Rightarrow> 'a set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> 'a set \<Rightarrow> bool"
   37.63 +    ("\<turnstile> _ SAT [_, _, _, _]" [60,0,0,0,0] 45)
   37.64 +where
   37.65    Parallel: 
   37.66    "\<lbrakk> \<forall>i<length xs. rely \<union> (\<Union>j\<in>{j. j<length xs \<and> j\<noteq>i}. Guar(xs!j)) \<subseteq> Rely(xs!i);
   37.67      (\<Union>j\<in>{j. j<length xs}. Guar(xs!j)) \<subseteq> guar;
   37.68 @@ -113,22 +104,22 @@
   37.69  lemma takecptn_is_cptn [rule_format, elim!]: 
   37.70    "\<forall>j. c \<in> cptn \<longrightarrow> take (Suc j) c \<in> cptn"
   37.71  apply(induct "c")
   37.72 - apply(force elim: cptn.elims)
   37.73 + apply(force elim: cptn.cases)
   37.74  apply clarify
   37.75  apply(case_tac j) 
   37.76   apply simp
   37.77   apply(rule CptnOne)
   37.78  apply simp
   37.79 -apply(force intro:cptn.intros elim:cptn.elims)
   37.80 +apply(force intro:cptn.intros elim:cptn.cases)
   37.81  done
   37.82  
   37.83  lemma dropcptn_is_cptn [rule_format,elim!]: 
   37.84    "\<forall>j<length c. c \<in> cptn \<longrightarrow> drop j c \<in> cptn"
   37.85  apply(induct "c")
   37.86 - apply(force elim: cptn.elims)
   37.87 + apply(force elim: cptn.cases)
   37.88  apply clarify
   37.89  apply(case_tac j,simp+) 
   37.90 -apply(erule cptn.elims)
   37.91 +apply(erule cptn.cases)
   37.92    apply simp
   37.93   apply force
   37.94  apply force
   37.95 @@ -137,20 +128,20 @@
   37.96  lemma takepar_cptn_is_par_cptn [rule_format,elim]: 
   37.97    "\<forall>j. c \<in> par_cptn \<longrightarrow> take (Suc j) c \<in> par_cptn"
   37.98  apply(induct "c")
   37.99 - apply(force elim: cptn.elims)
  37.100 + apply(force elim: cptn.cases)
  37.101  apply clarify
  37.102  apply(case_tac j,simp) 
  37.103   apply(rule ParCptnOne)
  37.104 -apply(force intro:par_cptn.intros elim:par_cptn.elims)
  37.105 +apply(force intro:par_cptn.intros elim:par_cptn.cases)
  37.106  done
  37.107  
  37.108  lemma droppar_cptn_is_par_cptn [rule_format]:
  37.109    "\<forall>j<length c. c \<in> par_cptn \<longrightarrow> drop j c \<in> par_cptn"
  37.110  apply(induct "c")
  37.111 - apply(force elim: par_cptn.elims)
  37.112 + apply(force elim: par_cptn.cases)
  37.113  apply clarify
  37.114  apply(case_tac j,simp+) 
  37.115 -apply(erule par_cptn.elims)
  37.116 +apply(erule par_cptn.cases)
  37.117    apply simp
  37.118   apply force
  37.119  apply force
  37.120 @@ -165,16 +156,16 @@
  37.121    "\<forall>s. (None, s)#xs \<in> cptn \<longrightarrow> (\<forall>i<length xs. ((None, s)#xs)!i -e\<rightarrow> xs!i)"
  37.122  apply(induct xs,simp+)
  37.123  apply clarify
  37.124 -apply(erule cptn.elims,simp)
  37.125 +apply(erule cptn.cases,simp)
  37.126   apply simp
  37.127   apply(case_tac i,simp)
  37.128    apply(rule Env)
  37.129   apply simp
  37.130 -apply(force elim:ctran.elims)
  37.131 +apply(force elim:ctran.cases)
  37.132  done
  37.133  
  37.134  lemma cptn_not_empty [simp]:"[] \<notin> cptn"
  37.135 -apply(force elim:cptn.elims)
  37.136 +apply(force elim:cptn.cases)
  37.137  done
  37.138  
  37.139  lemma etran_or_ctran [rule_format]: 
  37.140 @@ -183,7 +174,7 @@
  37.141     \<longrightarrow> x!i -e\<rightarrow> x!Suc i"
  37.142  apply(induct x,simp)
  37.143  apply clarify
  37.144 -apply(erule cptn.elims,simp)
  37.145 +apply(erule cptn.cases,simp)
  37.146   apply(case_tac i,simp)
  37.147    apply(rule Env)
  37.148   apply simp
  37.149 @@ -202,10 +193,10 @@
  37.150  apply(induct x)
  37.151   apply simp
  37.152  apply clarify
  37.153 -apply(erule cptn.elims,simp)
  37.154 +apply(erule cptn.cases,simp)
  37.155   apply(case_tac i,simp+)
  37.156  apply(case_tac i,simp)
  37.157 - apply(force elim:etran.elims)
  37.158 + apply(force elim:etran.cases)
  37.159  apply simp
  37.160  done
  37.161  
  37.162 @@ -221,7 +212,7 @@
  37.163    "\<lbrakk> (None, s) # xs \<in>cptn; i<length xs\<rbrakk> \<Longrightarrow> \<not> ((None, s) # xs) ! i -c\<rightarrow> xs ! i"
  37.164  apply(frule not_ctran_None,simp)
  37.165  apply(case_tac i,simp)
  37.166 - apply(force elim:etran.elims)
  37.167 + apply(force elim:etranE)
  37.168  apply simp
  37.169  apply(rule etran_or_ctran2_disjI2,simp_all)
  37.170  apply(force intro:tl_of_cptn_is_cptn)
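Review bot: The replacement of `etran.elims` is not uniform: 37.158 and 37.188 use the package-generated `etran.cases`, while 37.167, 37.213, 37.264, 37.300 and 37.318 use `etranE`. If `etranE` is a hand-derived elimination rule for `etran` (it is not declared in this diff), it is presumably the better choice wherever the goal has the shape it expects, and 37.158 (`apply(force elim:etran.cases)`) looks like the same situation as 37.167 (`apply(force elim:etranE)`); otherwise the mix should be explained with a comment at the first `etranE` use, e.g. `(* etranE: derived elimination for etran, preferred over etran.cases here *)`.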
  37.171 @@ -241,9 +232,9 @@
  37.172    (\<forall>i. j\<le>i \<and> i<k \<longrightarrow> x!i -e\<rightarrow> x!Suc i) \<longrightarrow> snd(x!k)\<in>p \<and> fst(x!j)=fst(x!k)"
  37.173  apply(induct x)
  37.174   apply clarify
  37.175 - apply(force elim:cptn.elims)
  37.176 + apply(force elim:cptn.cases)
  37.177  apply clarify
  37.178 -apply(erule cptn.elims,simp)
  37.179 +apply(erule cptn.cases,simp)
  37.180   apply simp
  37.181   apply(case_tac k,simp,simp)
  37.182   apply(case_tac j,simp) 
  37.183 @@ -274,7 +265,7 @@
  37.184  apply(case_tac k,simp,simp)
  37.185  apply(case_tac j)
  37.186   apply(erule_tac x=0 and P="\<lambda>j. (?H j) \<longrightarrow> (?J j)\<in>etran" in allE,simp)
  37.187 - apply(erule etran.elims,simp)
  37.188 + apply(erule etran.cases,simp)
  37.189  apply(erule_tac x="nata" in allE)
  37.190  apply(erule_tac x="nat" and P="\<lambda>j. (?s\<le>j) \<longrightarrow> (?J j)" in allE,simp)
  37.191  apply(subgoal_tac "(\<forall>i. i < length xs \<longrightarrow> ((Q, t) # xs) ! i -e\<rightarrow> xs ! i \<longrightarrow> (snd (((Q, t) # xs) ! i), snd (xs ! i)) \<in> rely)")
  37.192 @@ -295,7 +286,7 @@
  37.193  apply(induct x,simp)
  37.194  apply simp
  37.195  apply clarify
  37.196 -apply(erule cptn.elims,simp)
  37.197 +apply(erule cptn.cases,simp)
  37.198   apply(case_tac i,simp+)
  37.199   apply clarify
  37.200   apply(case_tac j,simp)
  37.201 @@ -305,12 +296,12 @@
  37.202  apply simp
  37.203  apply(case_tac i)
  37.204   apply(case_tac j,simp,simp)
  37.205 - apply(erule ctran.elims,simp_all)
  37.206 + apply(erule ctran.cases,simp_all)
  37.207   apply(force elim: not_ctran_None)
  37.208 -apply(ind_cases "((Some (Basic f), sa), Q, t) \<in> ctran")
  37.209 +apply(ind_cases "((Some (Basic f), sa), Q, t) \<in> ctran" for sa Q t)
  37.210  apply simp
  37.211  apply(drule_tac i=nat in not_ctran_None,simp)
  37.212 -apply(erule etran.elims,simp)
  37.213 +apply(erule etranE,simp)
  37.214  done
  37.215  
  37.216  lemma exists_ctran_Basic_None [rule_format]: 
  37.217 @@ -319,7 +310,7 @@
  37.218  apply(induct x,simp)
  37.219  apply simp
  37.220  apply clarify
  37.221 -apply(erule cptn.elims,simp)
  37.222 +apply(erule cptn.cases,simp)
  37.223   apply(case_tac i,simp,simp)
  37.224   apply(erule_tac x=nat in allE,simp)
  37.225   apply clarify
  37.226 @@ -349,7 +340,7 @@
  37.227   apply clarify
  37.228   apply(drule_tac s="Some (Basic f)" in sym,simp)
  37.229   apply(thin_tac "\<forall>j. ?H j")
  37.230 - apply(force elim:ctran.elims)
  37.231 + apply(force elim:ctran.cases)
  37.232  apply clarify
  37.233  apply(simp add:cp_def)
  37.234  apply clarify
  37.235 @@ -368,7 +359,7 @@
  37.236  apply simp
  37.237  apply(drule_tac s="Some (Basic f)" in sym,simp)
  37.238  apply(case_tac "x!Suc j",simp)
  37.239 -apply(rule ctran.elims,simp)
  37.240 +apply(rule ctran.cases,simp)
  37.241  apply(simp_all)
  37.242  apply(drule_tac c=sa in subsetD,simp)
  37.243  apply clarify
  37.244 @@ -389,7 +380,7 @@
  37.245    (\<forall>j. Suc j<length x \<longrightarrow> i\<noteq>j \<longrightarrow> x!j -e\<rightarrow> x!Suc j)"
  37.246  apply(induct x,simp+)
  37.247  apply clarify
  37.248 -apply(erule cptn.elims,simp)
  37.249 +apply(erule cptn.cases,simp)
  37.250   apply(case_tac i,simp+)
  37.251   apply clarify
  37.252   apply(case_tac j,simp)
  37.253 @@ -399,11 +390,11 @@
  37.254  apply simp
  37.255  apply(case_tac i)
  37.256   apply(case_tac j,simp,simp)
  37.257 - apply(erule ctran.elims,simp_all)
  37.258 + apply(erule ctran.cases,simp_all)
  37.259   apply(force elim: not_ctran_None)
  37.260 -apply(ind_cases "((Some (Await b c), sa), Q, t) \<in> ctran",simp)
  37.261 +apply(ind_cases "((Some (Await b c), sa), Q, t) \<in> ctran" for sa Q t,simp)
  37.262  apply(drule_tac i=nat in not_ctran_None,simp)
  37.263 -apply(erule etran.elims,simp)
  37.264 +apply(erule etranE,simp)
  37.265  done
  37.266  
  37.267  lemma exists_ctran_Await_None [rule_format]: 
  37.268 @@ -411,7 +402,7 @@
  37.269    \<longrightarrow> i<length x \<longrightarrow> fst(x!i)=None \<longrightarrow> (\<exists>j<i. x!j -c\<rightarrow> x!Suc j)"
  37.270  apply(induct x,simp+)
  37.271  apply clarify
  37.272 -apply(erule cptn.elims,simp)
  37.273 +apply(erule cptn.cases,simp)
  37.274   apply(case_tac i,simp+)
  37.275   apply(erule_tac x=nat in allE,simp)
  37.276   apply clarify
  37.277 @@ -440,7 +431,7 @@
  37.278  apply force
  37.279  apply(simp add:cp_def)
  37.280   apply(case_tac l)
  37.281 - apply(force elim:cptn.elims)
  37.282 + apply(force elim:cptn.cases)
  37.283  apply simp
  37.284  apply(erule CptnComp)
  37.285  apply clarify
  37.286 @@ -466,7 +457,7 @@
  37.287    apply(erule_tac i=i in unique_ctran_Await,force,simp_all)
  37.288    apply(simp add:cp_def)
  37.289  --{* here starts the different part. *}
  37.290 - apply(erule ctran.elims,simp_all)
  37.291 + apply(erule ctran.cases,simp_all)
  37.292   apply(drule Star_imp_cptn) 
  37.293   apply clarify
  37.294   apply(erule_tac x=sa in allE)
  37.295 @@ -476,7 +467,7 @@
  37.296    apply (simp add:cp_def)
  37.297    apply clarify
  37.298    apply(erule_tac x=ia and P="\<lambda>i. ?H i \<longrightarrow> (?J i,?I i)\<in>ctran" in allE,simp)
  37.299 -  apply(erule etran.elims,simp)
  37.300 +  apply(erule etranE,simp)
  37.301   apply simp
  37.302  apply clarify
  37.303  apply(simp add:cp_def)
  37.304 @@ -496,7 +487,7 @@
  37.305  apply simp
  37.306  apply(drule_tac s="Some (Await b P)" in sym,simp)
  37.307  apply(case_tac "x!Suc j",simp)
  37.308 -apply(rule ctran.elims,simp)
  37.309 +apply(rule ctran.cases,simp)
  37.310  apply(simp_all)
  37.311  apply(drule Star_imp_cptn) 
  37.312  apply clarify
  37.313 @@ -507,7 +498,7 @@
  37.314   apply (simp add:cp_def)
  37.315   apply clarify
  37.316   apply(erule_tac x=i and P="\<lambda>i. ?H i \<longrightarrow> (?J i,?I i)\<in>ctran" in allE,simp)
  37.317 - apply(erule etran.elims,simp)
  37.318 + apply(erule etranE,simp)
  37.319  apply simp
  37.320  apply clarify
  37.321  apply(frule_tac j="Suc j" and k="length x - 1" and p=post in stability,simp_all)
  37.322 @@ -544,7 +535,7 @@
  37.323  apply (simp add:assum_def)
  37.324  apply(frule_tac j=0 and k="m" and p=pre in stability,simp+)
  37.325   apply(erule_tac m="Suc m" in etran_or_ctran,simp+)
  37.326 -apply(erule ctran.elims,simp_all)
  37.327 +apply(erule ctran.cases,simp_all)
  37.328   apply(erule_tac x="sa" in allE)
  37.329   apply(drule_tac c="drop (Suc m) x" in subsetD)
  37.330    apply simp
  37.331 @@ -616,7 +607,7 @@
  37.332      apply(simp (no_asm_use) add:lift_def)
  37.333     apply clarify
  37.334     apply(erule_tac x="Suc i" in allE, simp)
  37.335 -  apply(ind_cases "((Some (Seq Pa Q), sa), None, t) \<in> ctran")
  37.336 +  apply(ind_cases "((Some (Seq Pa Q), sa), None, t) \<in> ctran" for Pa sa t)
  37.337   apply(rule_tac x="(Some P, sa) # xs" in exI, simp add:cptn_iff_cptn_mod lift_def)
  37.338  apply(erule_tac x="length xs" in allE, simp)
  37.339  apply(simp only:Cons_lift_append)
  37.340 @@ -649,7 +640,7 @@
  37.341   apply(rule conjI,erule CptnEnv)
  37.342   apply(simp (no_asm_use) add:lift_def)
  37.343   apply(rule_tac x=ys in exI,simp)
  37.344 -apply(ind_cases "((Some (Seq Pa Q), sa), t) \<in> ctran")
  37.345 +apply(ind_cases "((Some (Seq Pa Q), sa), t) \<in> ctran" for Pa sa t)
  37.346   apply simp
  37.347   apply(rule_tac x="(Some Pa, sa)#[(None, ta)]" in exI,simp)
  37.348   apply(rule conjI)
  37.349 @@ -724,7 +715,7 @@
  37.350    apply(erule_tac P="\<lambda>j. ?H j \<longrightarrow> ?J j \<longrightarrow> ?I j" in allE,erule impE, assumption)
  37.351    apply(simp add:snd_lift)
  37.352    apply(erule mp)
  37.353 -  apply(force elim:etran.elims intro:Env simp add:lift_def)
  37.354 +  apply(force elim:etranE intro:Env simp add:lift_def)
  37.355   apply(simp add:comm_def)
  37.356   apply(rule conjI)
  37.357    apply clarify
  37.358 @@ -766,7 +757,7 @@
  37.359    back 
  37.360   apply(simp add:snd_lift)
  37.361   apply(erule mp)
  37.362 - apply(force elim:etran.elims intro:Env simp add:lift_def)
  37.363 + apply(force elim:etranE intro:Env simp add:lift_def)
  37.364  apply simp
  37.365  apply clarify
  37.366  apply(erule_tac x="snd(xs!m)" in allE)
  37.367 @@ -786,7 +777,7 @@
  37.368   apply (case_tac i, (simp add:snd_lift)+)
  37.369    apply(erule mp)
  37.370    apply(case_tac "xs!m")
  37.371 -  apply(force elim:etran.elims intro:Env simp add:lift_def)
  37.372 +  apply(force elim:etran.cases intro:Env simp add:lift_def)
  37.373   apply simp 
  37.374  apply simp
  37.375  apply clarify
  37.376 @@ -866,7 +857,7 @@
  37.377   apply simp
  37.378   apply(simp add:Cons_lift_append nth_append snd_lift del:map.simps)
  37.379   apply(erule mp)
  37.380 - apply(erule etran.elims,simp)
  37.381 + apply(erule etranE,simp)
  37.382   apply(case_tac "fst(((Some P, s) # xs) ! i)")
  37.383    apply(force intro:Env simp add:lift_def)
  37.384   apply(force intro:Env simp add:lift_def)
  37.385 @@ -900,7 +891,7 @@
  37.386  apply(erule mp)
  37.387  apply(erule tl_of_assum_in_assum,simp)
  37.388  --{* While-None *}
  37.389 -apply(ind_cases "((Some (While b P), s), None, t) \<in> ctran")
  37.390 +apply(ind_cases "((Some (While b P), s), None, t) \<in> ctran" for s t)
  37.391  apply(simp add:comm_def)
  37.392  apply(simp add:cptn_iff_cptn_mod [THEN sym])
  37.393  apply(rule conjI,clarify)
  37.394 @@ -909,7 +900,7 @@
  37.395  apply(rule conjI, clarify)
  37.396   apply(case_tac i,simp,simp)
  37.397   apply(force simp add:not_ctran_None2)
  37.398 -apply(subgoal_tac "\<forall>i. Suc i < length ((None, sa) # xs) \<longrightarrow> (((None, sa) # xs) ! i, ((None, sa) # xs) ! Suc i)\<in> etran")
  37.399 +apply(subgoal_tac "\<forall>i. Suc i < length ((None, t) # xs) \<longrightarrow> (((None, t) # xs) ! i, ((None, t) # xs) ! Suc i)\<in> etran")
  37.400   prefer 2
  37.401   apply clarify
  37.402   apply(rule_tac m="length ((None, s) # xs)" in etran_or_ctran,simp+)
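Review bot: The `subgoal_tac` line now states the computation as `(None, t) # xs`, but the `rule_tac m="length ((None, s) # xs)" in etran_or_ctran` instantiation three lines below still names the state `s`; the two presumably agree only because `length` ignores the state component, so the script relies on a coincidence rather than on the renamed variable. Writing `m="Suc (length xs)"` (or `m="length ((None, t) # xs)"`) would make the instantiation independent of whichever state name the `ind_cases ... for s t` step leaves in the goal. The enclosing lemma starts and ends outside this hunk.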
  37.403 @@ -934,7 +925,7 @@
  37.404   apply(case_tac "fst(((Some P, sa) # xs) ! i)")
  37.405    apply(case_tac "((Some P, sa) # xs) ! i")
  37.406    apply (simp add:lift_def)
  37.407 -  apply(ind_cases "(Some (While b P), ba) -c\<rightarrow> t")
  37.408 +  apply(ind_cases "(Some (While b P), ba) -c\<rightarrow> t" for ba t)
  37.409     apply simp
  37.410    apply simp
  37.411   apply(simp add:snd_lift del:map.simps)
  37.412 @@ -946,9 +937,9 @@
  37.413    apply(erule_tac x="Suc ia" in allE,simp add:snd_lift del:map.simps)
  37.414    apply(erule mp)
  37.415    apply(case_tac "fst(((Some P, sa) # xs) ! ia)")
  37.416 -   apply(erule etran.elims,simp add:lift_def)
  37.417 +   apply(erule etranE,simp add:lift_def)
  37.418     apply(rule Env)
  37.419 -  apply(erule etran.elims,simp add:lift_def)
  37.420 +  apply(erule etranE,simp add:lift_def)
  37.421    apply(rule Env)
  37.422   apply (simp add:comm_def del:map.simps)
  37.423   apply clarify
  37.424 @@ -986,7 +977,7 @@
  37.425    apply(case_tac "fst(((Some P, sa) # xs) ! i)")
  37.426     apply(case_tac "((Some P, sa) # xs) ! i")
  37.427     apply (simp add:lift_def del:last.simps)
  37.428 -   apply(ind_cases "(Some (While b P), ba) -c\<rightarrow> t")
  37.429 +   apply(ind_cases "(Some (While b P), ba) -c\<rightarrow> t" for ba t)
  37.430      apply simp
  37.431     apply simp
  37.432    apply(simp add:snd_lift del:map.simps last.simps)
  37.433 @@ -998,9 +989,9 @@
  37.434     apply clarify
  37.435     apply(erule_tac x="Suc ia" in allE,simp add:nth_append snd_lift del:map.simps last.simps, erule mp)
  37.436     apply(case_tac "fst(((Some P, sa) # xs) ! ia)")
  37.437 -    apply(erule etran.elims,simp add:lift_def)
  37.438 +    apply(erule etranE,simp add:lift_def)
  37.439      apply(rule Env)
  37.440 -   apply(erule etran.elims,simp add:lift_def)
  37.441 +   apply(erule etranE,simp add:lift_def)
  37.442     apply(rule Env)
  37.443    apply (simp add:comm_def del:map.simps)
  37.444    apply clarify
  37.445 @@ -1158,9 +1149,9 @@
  37.446  --{* a c-tran in some @{text "\<sigma>_{ib}"}  *}
  37.447   apply clarify
  37.448   apply(case_tac "i=ib",simp)
  37.449 -  apply(erule etran.elims,simp)
  37.450 +  apply(erule etranE,simp)
  37.451   apply(erule_tac x="ib" and P="\<lambda>i. ?H i \<longrightarrow> (?I i) \<or> (?J i)" in allE)
  37.452 - apply (erule etran.elims)
  37.453 + apply (erule etranE)
  37.454   apply(case_tac "ia=m",simp)
  37.455   apply simp
  37.456   apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> (\<forall> i. ?P i j)" in allE)
  37.457 @@ -1198,7 +1189,7 @@
  37.458   apply(force simp add:same_state_def par_assum_def)
  37.459  apply clarify
  37.460  apply(case_tac "i=ia",simp)
  37.461 - apply(erule etran.elims,simp)
  37.462 + apply(erule etranE,simp)
  37.463  apply(erule_tac x="ia" and P="\<lambda>i. ?H i \<longrightarrow> (?I i) \<or> (?J i)" in allE,simp)
  37.464  apply(erule_tac x=j and P="\<lambda>j. \<forall>i. ?S j i \<longrightarrow> (?I j i, ?H j i)\<in> ctran \<longrightarrow> (?P i j)" in allE)
  37.465  apply(erule_tac x=ia and P="\<lambda>j. ?S j \<longrightarrow> (?I j, ?H j)\<in> ctran \<longrightarrow> (?P j)" in allE)
  37.466 @@ -1237,7 +1228,7 @@
  37.467  apply clarify
  37.468  apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> fst(?I j)=(?J j)" in all_dupE)
  37.469  apply(erule_tac x="Suc i" and P="\<lambda>j. ?H j \<longrightarrow> fst(?I j)=(?J j)" in allE)
  37.470 -apply(erule par_ctran.elims,simp)
  37.471 +apply(erule par_ctranE,simp)
  37.472  apply(erule_tac x=i and P="\<lambda>j. \<forall>i. ?S j i \<longrightarrow> (?I j i, ?H j i)\<in> ctran \<longrightarrow> (?P i j)" in allE)
  37.473  apply(erule_tac x=ia and P="\<lambda>j. ?S j \<longrightarrow> (?I j, ?H j)\<in> ctran \<longrightarrow> (?P j)" in allE)
  37.474  apply(rule_tac x=ia in exI)
  37.475 @@ -1255,7 +1246,7 @@
  37.476  done
  37.477  
  37.478  lemma parcptn_not_empty [simp]:"[] \<notin> par_cptn"
  37.479 -apply(force elim:par_cptn.elims)
  37.480 +apply(force elim:par_cptn.cases)
  37.481  done
  37.482  
  37.483  lemma five: 
  37.484 @@ -1336,12 +1327,12 @@
  37.485  apply(case_tac list,simp,simp)
  37.486  apply(case_tac i)
  37.487   apply(simp add:par_cp_def ParallelCom_def)
  37.488 - apply(erule par_ctran.elims,simp)
  37.489 + apply(erule par_ctranE,simp)
  37.490  apply(simp add:par_cp_def ParallelCom_def)
  37.491  apply clarify
  37.492 -apply(erule par_cptn.elims,simp)
  37.493 +apply(erule par_cptn.cases,simp)
  37.494   apply simp
  37.495 -apply(erule par_ctran.elims)
  37.496 +apply(erule par_ctranE)
  37.497  back
  37.498  apply simp
  37.499  done
    38.1 --- a/src/HOL/HoareParallel/RG_Tran.thy	Wed Jul 11 11:13:08 2007 +0200
    38.2 +++ b/src/HOL/HoareParallel/RG_Tran.thy	Wed Jul 11 11:14:51 2007 +0200
    38.3 @@ -10,73 +10,76 @@
    38.4  
    38.5  types 'a conf = "(('a com) option) \<times> 'a"
    38.6  
    38.7 -consts etran    :: "('a conf \<times> 'a conf) set" 
    38.8 -syntax  "_etran"  :: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"  ("_ -e\<rightarrow> _" [81,81] 80)
    38.9 -translations  "P -e\<rightarrow> Q"  \<rightleftharpoons> "(P,Q) \<in> etran"
   38.10 -inductive etran
   38.11 -intros
   38.12 -  Env: "(P, s) -e\<rightarrow> (P, t)"
   38.13 +inductive_set
   38.14 +  etran :: "('a conf \<times> 'a conf) set" 
   38.15 +  and etran' :: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"  ("_ -e\<rightarrow> _" [81,81] 80)
   38.16 +where
   38.17 +  "P -e\<rightarrow> Q \<equiv> (P,Q) \<in> etran"
   38.18 +| Env: "(P, s) -e\<rightarrow> (P, t)"
   38.19 +
   38.20 +lemma etranE: "c -e\<rightarrow> c' \<Longrightarrow> (\<And>P s t. c = (P, s) \<Longrightarrow> c' = (P, t) \<Longrightarrow> Q) \<Longrightarrow> Q"
   38.21 +  by (induct c, induct c', erule etran.cases, blast)
   38.22  
   38.23  subsubsection {* Component transitions *}
   38.24  
   38.25 -consts ctran    :: "('a conf \<times> 'a conf) set"
   38.26 -syntax
   38.27 -  "_ctran"  :: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"   ("_ -c\<rightarrow> _" [81,81] 80)
   38.28 -  "_ctran_*":: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"   ("_ -c*\<rightarrow> _" [81,81] 80)
   38.29 -translations
   38.30 -  "P -c\<rightarrow> Q"  \<rightleftharpoons> "(P,Q) \<in> ctran"
   38.31 -  "P -c*\<rightarrow> Q" \<rightleftharpoons> "(P,Q) \<in> ctran^*"
   38.32 +inductive_set
   38.33 +  ctran :: "('a conf \<times> 'a conf) set"
   38.34 +  and ctran' :: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"   ("_ -c\<rightarrow> _" [81,81] 80)
   38.35 +  and ctrans :: "'a conf \<Rightarrow> 'a conf \<Rightarrow> bool"   ("_ -c*\<rightarrow> _" [81,81] 80)
   38.36 +where
   38.37 +  "P -c\<rightarrow> Q \<equiv> (P,Q) \<in> ctran"
   38.38 +| "P -c*\<rightarrow> Q \<equiv> (P,Q) \<in> ctran^*"
   38.39  
   38.40 -inductive  ctran 
   38.41 -intros
   38.42 -  Basic:  "(Some(Basic f), s) -c\<rightarrow> (None, f s)"
   38.43 +| Basic:  "(Some(Basic f), s) -c\<rightarrow> (None, f s)"
   38.44  
   38.45 -  Seq1:   "(Some P0, s) -c\<rightarrow> (None, t) \<Longrightarrow> (Some(Seq P0 P1), s) -c\<rightarrow> (Some P1, t)"
   38.46 +| Seq1:   "(Some P0, s) -c\<rightarrow> (None, t) \<Longrightarrow> (Some(Seq P0 P1), s) -c\<rightarrow> (Some P1, t)"
   38.47  
   38.48 -  Seq2:   "(Some P0, s) -c\<rightarrow> (Some P2, t) \<Longrightarrow> (Some(Seq P0 P1), s) -c\<rightarrow> (Some(Seq P2 P1), t)"
   38.49 +| Seq2:   "(Some P0, s) -c\<rightarrow> (Some P2, t) \<Longrightarrow> (Some(Seq P0 P1), s) -c\<rightarrow> (Some(Seq P2 P1), t)"
   38.50  
   38.51 -  CondT: "s\<in>b  \<Longrightarrow> (Some(Cond b P1 P2), s) -c\<rightarrow> (Some P1, s)"
   38.52 -  CondF: "s\<notin>b \<Longrightarrow> (Some(Cond b P1 P2), s) -c\<rightarrow> (Some P2, s)"
   38.53 +| CondT: "s\<in>b  \<Longrightarrow> (Some(Cond b P1 P2), s) -c\<rightarrow> (Some P1, s)"
   38.54 +| CondF: "s\<notin>b \<Longrightarrow> (Some(Cond b P1 P2), s) -c\<rightarrow> (Some P2, s)"
   38.55  
   38.56 -  WhileF: "s\<notin>b \<Longrightarrow> (Some(While b P), s) -c\<rightarrow> (None, s)"
   38.57 -  WhileT: "s\<in>b  \<Longrightarrow> (Some(While b P), s) -c\<rightarrow> (Some(Seq P (While b P)), s)"
   38.58 +| WhileF: "s\<notin>b \<Longrightarrow> (Some(While b P), s) -c\<rightarrow> (None, s)"
   38.59 +| WhileT: "s\<in>b  \<Longrightarrow> (Some(While b P), s) -c\<rightarrow> (Some(Seq P (While b P)), s)"
   38.60  
   38.61 -  Await:  "\<lbrakk>s\<in>b; (Some P, s) -c*\<rightarrow> (None, t)\<rbrakk> \<Longrightarrow> (Some(Await b P), s) -c\<rightarrow> (None, t)" 
   38.62 +| Await:  "\<lbrakk>s\<in>b; (Some P, s) -c*\<rightarrow> (None, t)\<rbrakk> \<Longrightarrow> (Some(Await b P), s) -c\<rightarrow> (None, t)" 
   38.63  
   38.64  monos "rtrancl_mono"
   38.65  
   38.66  subsection {* Semantics of Parallel Programs *}
   38.67  
   38.68  types 'a par_conf = "('a par_com) \<times> 'a"
   38.69 -consts
   38.70 +
   38.71 +inductive_set
   38.72    par_etran :: "('a par_conf \<times> 'a par_conf) set"
   38.73 +  and par_etran' :: "['a par_conf,'a par_conf] \<Rightarrow> bool" ("_ -pe\<rightarrow> _" [81,81] 80)
   38.74 +where
   38.75 +  "P -pe\<rightarrow> Q \<equiv> (P,Q) \<in> par_etran"
   38.76 +| ParEnv:  "(Ps, s) -pe\<rightarrow> (Ps, t)"
   38.77 +
   38.78 +inductive_set
   38.79    par_ctran :: "('a par_conf \<times> 'a par_conf) set"
   38.80 -syntax
   38.81 -  "_par_etran":: "['a par_conf,'a par_conf] \<Rightarrow> bool" ("_ -pe\<rightarrow> _" [81,81] 80)
   38.82 -  "_par_ctran":: "['a par_conf,'a par_conf] \<Rightarrow> bool" ("_ -pc\<rightarrow> _" [81,81] 80)
   38.83 -translations
   38.84 -  "P -pe\<rightarrow> Q"  \<rightleftharpoons> "(P,Q) \<in> par_etran"
   38.85 -  "P -pc\<rightarrow> Q"  \<rightleftharpoons> "(P,Q) \<in> par_ctran"
   38.86 +  and par_ctran' :: "['a par_conf,'a par_conf] \<Rightarrow> bool" ("_ -pc\<rightarrow> _" [81,81] 80)
   38.87 +where
   38.88 +  "P -pc\<rightarrow> Q \<equiv> (P,Q) \<in> par_ctran"
   38.89 +| ParComp: "\<lbrakk>i<length Ps; (Ps!i, s) -c\<rightarrow> (r, t)\<rbrakk> \<Longrightarrow> (Ps, s) -pc\<rightarrow> (Ps[i:=r], t)"
   38.90  
   38.91 -inductive  par_etran
   38.92 -intros
   38.93 -  ParEnv:  "(Ps, s) -pe\<rightarrow> (Ps, t)"
   38.94 -
   38.95 -inductive  par_ctran
   38.96 -intros
   38.97 -  ParComp: "\<lbrakk>i<length Ps; (Ps!i, s) -c\<rightarrow> (r, t)\<rbrakk> \<Longrightarrow> (Ps, s) -pc\<rightarrow> (Ps[i:=r], t)"
   38.98 +lemma par_ctranE: "c -pc\<rightarrow> c' \<Longrightarrow>
   38.99 +  (\<And>i Ps s r t. c = (Ps, s) \<Longrightarrow> c' = (Ps[i := r], t) \<Longrightarrow> i < length Ps \<Longrightarrow>
  38.100 +     (Ps ! i, s) -c\<rightarrow> (r, t) \<Longrightarrow> P) \<Longrightarrow> P"
  38.101 +  by (induct c, induct c', erule par_ctran.cases, blast)
  38.102  
  38.103  subsection {* Computations *}
  38.104  
  38.105  subsubsection {* Sequential computations *}
  38.106  
  38.107  types 'a confs = "('a conf) list"
  38.108 -consts cptn :: "('a confs) set"
  38.109 -inductive  "cptn"
  38.110 -intros
  38.111 +
  38.112 +inductive_set cptn :: "('a confs) set"
  38.113 +where
  38.114    CptnOne: "[(P,s)] \<in> cptn"
  38.115 -  CptnEnv: "(P, t)#xs \<in> cptn \<Longrightarrow> (P,s)#(P,t)#xs \<in> cptn"
  38.116 -  CptnComp: "\<lbrakk>(P,s) -c\<rightarrow> (Q,t); (Q, t)#xs \<in> cptn \<rbrakk> \<Longrightarrow> (P,s)#(Q,t)#xs \<in> cptn"
  38.117 +| CptnEnv: "(P, t)#xs \<in> cptn \<Longrightarrow> (P,s)#(P,t)#xs \<in> cptn"
  38.118 +| CptnComp: "\<lbrakk>(P,s) -c\<rightarrow> (Q,t); (Q, t)#xs \<in> cptn \<rbrakk> \<Longrightarrow> (P,s)#(Q,t)#xs \<in> cptn"
  38.119  
  38.120  constdefs
  38.121    cp :: "('a com) option \<Rightarrow> 'a \<Rightarrow> ('a confs) set"
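Review bot: The new elimination lemmas `etranE` and `par_ctranE` carry no comment saying why they exist alongside the package-generated `etran.cases` and `par_ctran.cases`; judging from their proofs (`induct c, induct c'` before `erule ... .cases`) they appear to be there so callers can eliminate on configurations that are not written as explicit pairs, which is the basis on which the rest of this commit swaps `etran.elims` for `etranE`. A short `text {* Elimination rules for environment and parallel component transitions on arbitrary configurations @{text c}, @{text c'}; unlike @{text etran.cases} they do not require the configurations to be given as explicit pairs. *}` above `etranE` would spare the next reader from re-deriving that. Also, `etranE` names its conclusion `Q` while `par_ctranE` names it `P`; using the same letter in both makes the two rules read as a pair. Finally, `ctrans` for the reflexive-transitive closure sits next to `ctran'` for the single step and is easy to misread; a one-line comment on that `and ctrans ::` line, or a more distinct name such as `ctran_star`, would help.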
  38.122 @@ -85,12 +88,12 @@
  38.123  subsubsection {* Parallel computations *}
  38.124  
  38.125  types  'a par_confs = "('a par_conf) list"
  38.126 -consts par_cptn :: "('a par_confs) set"
  38.127 -inductive  "par_cptn"
  38.128 -intros
  38.129 +
  38.130 +inductive_set par_cptn :: "('a par_confs) set"
  38.131 +where
  38.132    ParCptnOne: "[(P,s)] \<in> par_cptn"
  38.133 -  ParCptnEnv: "(P,t)#xs \<in> par_cptn \<Longrightarrow> (P,s)#(P,t)#xs \<in> par_cptn"
  38.134 -  ParCptnComp: "\<lbrakk> (P,s) -pc\<rightarrow> (Q,t); (Q,t)#xs \<in> par_cptn \<rbrakk> \<Longrightarrow> (P,s)#(Q,t)#xs \<in> par_cptn"
  38.135 +| ParCptnEnv: "(P,t)#xs \<in> par_cptn \<Longrightarrow> (P,s)#(P,t)#xs \<in> par_cptn"
  38.136 +| ParCptnComp: "\<lbrakk> (P,s) -pc\<rightarrow> (Q,t); (Q,t)#xs \<in> par_cptn \<rbrakk> \<Longrightarrow> (P,s)#(Q,t)#xs \<in> par_cptn"
  38.137  
  38.138  constdefs
  38.139    par_cp :: "'a par_com \<Rightarrow> 'a \<Rightarrow> ('a par_confs) set"
  38.140 @@ -102,25 +105,24 @@
  38.141    lift :: "'a com \<Rightarrow> 'a conf \<Rightarrow> 'a conf"
  38.142    "lift Q \<equiv> \<lambda>(P, s). (if P=None then (Some Q,s) else (Some(Seq (the P) Q), s))"
  38.143  
  38.144 -consts  cptn_mod :: "('a confs) set"
  38.145 -inductive  "cptn_mod"
  38.146 -intros
  38.147 +inductive_set cptn_mod :: "('a confs) set"
  38.148 +where
  38.149    CptnModOne: "[(P, s)] \<in> cptn_mod"
  38.150 -  CptnModEnv: "(P, t)#xs \<in> cptn_mod \<Longrightarrow> (P, s)#(P, t)#xs \<in> cptn_mod"
  38.151 -  CptnModNone: "\<lbrakk>(Some P, s) -c\<rightarrow> (None, t); (None, t)#xs \<in> cptn_mod \<rbrakk> \<Longrightarrow> (Some P,s)#(None, t)#xs \<in>cptn_mod"
  38.152 -  CptnModCondT: "\<lbrakk>(Some P0, s)#ys \<in> cptn_mod; s \<in> b \<rbrakk> \<Longrightarrow> (Some(Cond b P0 P1), s)#(Some P0, s)#ys \<in> cptn_mod"
  38.153 -  CptnModCondF: "\<lbrakk>(Some P1, s)#ys \<in> cptn_mod; s \<notin> b \<rbrakk> \<Longrightarrow> (Some(Cond b P0 P1), s)#(Some P1, s)#ys \<in> cptn_mod"
  38.154 -  CptnModSeq1: "\<lbrakk>(Some P0, s)#xs \<in> cptn_mod; zs=map (lift P1) xs \<rbrakk>
  38.155 +| CptnModEnv: "(P, t)#xs \<in> cptn_mod \<Longrightarrow> (P, s)#(P, t)#xs \<in> cptn_mod"
  38.156 +| CptnModNone: "\<lbrakk>(Some P, s) -c\<rightarrow> (None, t); (None, t)#xs \<in> cptn_mod \<rbrakk> \<Longrightarrow> (Some P,s)#(None, t)#xs \<in>cptn_mod"
  38.157 +| CptnModCondT: "\<lbrakk>(Some P0, s)#ys \<in> cptn_mod; s \<in> b \<rbrakk> \<Longrightarrow> (Some(Cond b P0 P1), s)#(Some P0, s)#ys \<in> cptn_mod"
  38.158 +| CptnModCondF: "\<lbrakk>(Some P1, s)#ys \<in> cptn_mod; s \<notin> b \<rbrakk> \<Longrightarrow> (Some(Cond b P0 P1), s)#(Some P1, s)#ys \<in> cptn_mod"
  38.159 +| CptnModSeq1: "\<lbrakk>(Some P0, s)#xs \<in> cptn_mod; zs=map (lift P1) xs \<rbrakk>
  38.160                   \<Longrightarrow> (Some(Seq P0 P1), s)#zs \<in> cptn_mod"
  38.161 -  CptnModSeq2: 
  38.162 +| CptnModSeq2: 
  38.163    "\<lbrakk>(Some P0, s)#xs \<in> cptn_mod; fst(last ((Some P0, s)#xs)) = None; 
  38.164    (Some P1, snd(last ((Some P0, s)#xs)))#ys \<in> cptn_mod; 
  38.165    zs=(map (lift P1) xs)@ys \<rbrakk> \<Longrightarrow> (Some(Seq P0 P1), s)#zs \<in> cptn_mod"
  38.166  
  38.167 -  CptnModWhile1: 
  38.168 +| CptnModWhile1: 
  38.169    "\<lbrakk> (Some P, s)#xs \<in> cptn_mod; s \<in> b; zs=map (lift (While b P)) xs \<rbrakk> 
  38.170    \<Longrightarrow> (Some(While b P), s)#(Some(Seq P (While b P)), s)#zs \<in> cptn_mod"
  38.171 -  CptnModWhile2: 
  38.172 +| CptnModWhile2: 
  38.173    "\<lbrakk> (Some P, s)#xs \<in> cptn_mod; fst(last ((Some P, s)#xs))=None; s \<in> b; 
  38.174    zs=(map (lift (While b P)) xs)@ys; 
  38.175    (Some(While b P), snd(last ((Some P, s)#xs)))#ys \<in> cptn_mod\<rbrakk> 
  38.176 @@ -169,7 +171,7 @@
  38.177      apply simp
  38.178     apply(simp add:lift_def)
  38.179    apply clarify
  38.180 -  apply(erule ctran.elims,simp_all)
  38.181 +  apply(erule ctran.cases,simp_all)
  38.182   apply clarify
  38.183   apply(rule_tac x="xs" in exI)
  38.184   apply simp
  38.185 @@ -185,10 +187,10 @@
  38.186  apply simp_all
  38.187  --{* basic *}
  38.188  apply clarify
  38.189 -apply(erule ctran.elims,simp_all)
  38.190 +apply(erule ctran.cases,simp_all)
  38.191  apply(rule CptnModNone,rule Basic,simp)
  38.192  apply clarify
  38.193 -apply(erule ctran.elims,simp_all)
  38.194 +apply(erule ctran.cases,simp_all)
  38.195  --{* Seq1 *}
  38.196  apply(rule_tac xs="[(None,ta)]" in CptnModSeq2)
  38.197    apply(erule CptnModNone)
  38.198 @@ -216,12 +218,12 @@
  38.199  apply(simp add:lift_def)
  38.200  --{* Cond *}
  38.201  apply clarify
  38.202 -apply(erule ctran.elims,simp_all)
  38.203 +apply(erule ctran.cases,simp_all)
  38.204  apply(force elim: CptnModCondT)
  38.205  apply(force elim: CptnModCondF)
  38.206  --{* While *}
  38.207  apply  clarify
  38.208 -apply(erule ctran.elims,simp_all)
  38.209 +apply(erule ctran.cases,simp_all)
  38.210  apply(rule CptnModNone,erule WhileF,simp)
  38.211  apply(drule div_seq,force)
  38.212  apply clarify
  38.213 @@ -231,7 +233,7 @@
  38.214  apply(force simp add:last_length elim:CptnModWhile2)
  38.215  --{* await *}
  38.216  apply clarify
  38.217 -apply(erule ctran.elims,simp_all)
  38.218 +apply(erule ctran.cases,simp_all)
  38.219  apply(rule CptnModNone,erule Await,simp+)
  38.220  done
  38.221  
  38.222 @@ -241,7 +243,7 @@
  38.223   apply(erule CptnModEnv)
  38.224  apply(case_tac P)
  38.225   apply simp
  38.226 - apply(erule ctran.elims,simp_all)
  38.227 + apply(erule ctran.cases,simp_all)
  38.228  apply(force elim:cptn_onlyif_cptn_mod_aux)
  38.229  done
  38.230  
  38.231 @@ -249,7 +251,7 @@
  38.232  apply(erule cptn.induct)
  38.233    apply(force simp add:lift_def CptnOne)
  38.234   apply(force intro:CptnEnv simp add:lift_def)
  38.235 -apply(force simp add:lift_def intro:CptnComp Seq2 Seq1 elim:ctran.elims)
  38.236 +apply(force simp add:lift_def intro:CptnComp Seq2 Seq1 elim:ctran.cases)
  38.237  done
  38.238  
  38.239  lemma cptn_append_is_cptn [rule_format]: 
  38.240 @@ -257,7 +259,7 @@
  38.241  apply(induct c1)
  38.242   apply simp
  38.243  apply clarify
  38.244 -apply(erule cptn.elims,simp_all)
  38.245 +apply(erule cptn.cases,simp_all)
  38.246   apply(force intro:CptnEnv)
  38.247  apply(force elim:CptnComp)
  38.248  done
  38.249 @@ -309,7 +311,7 @@
  38.250      apply(rule CptnComp)
  38.251      apply(erule CondF,simp)
  38.252  --{* Seq1 *}   
  38.253 -apply(erule cptn.elims,simp_all)
  38.254 +apply(erule cptn.cases,simp_all)
  38.255    apply(rule CptnOne)
  38.256   apply clarify
  38.257   apply(drule_tac P=P1 in lift_is_cptn)
  38.258 @@ -495,10 +497,10 @@
  38.259  seq_not_eq1 [THEN not_sym] seq_not_eq2 [THEN not_sym] 
  38.260  if_not_eq1 if_not_eq2 if_not_eq1 [THEN not_sym] if_not_eq2 [THEN not_sym]
  38.261  
  38.262 -lemma prog_not_eq_in_ctran_aux [rule_format]: "(P,s) -c\<rightarrow> (Q,t) \<Longrightarrow> (P\<noteq>Q)"
  38.263 -apply(erule ctran.induct)
  38.264 -apply simp_all
  38.265 -done
  38.266 +lemma prog_not_eq_in_ctran_aux:
  38.267 +  assumes c: "(P,s) -c\<rightarrow> (Q,t)"
  38.268 +  shows "P\<noteq>Q" using c
  38.269 +  by (induct x1 \<equiv> "(P,s)" x2 \<equiv> "(Q,t)" arbitrary: P s Q t) auto
  38.270  
  38.271  lemma prog_not_eq_in_ctran [simp]: "\<not> (P,s) -c\<rightarrow> (P,t)"
  38.272  apply clarify
  38.273 @@ -522,7 +524,7 @@
  38.274  done
  38.275  
  38.276  lemma tl_in_cptn: "\<lbrakk> a#xs \<in>cptn; xs\<noteq>[] \<rbrakk> \<Longrightarrow> xs\<in>cptn"
  38.277 -apply(force elim:cptn.elims)
  38.278 +apply(force elim:cptn.cases)
  38.279  done
  38.280  
  38.281  lemma tl_zero[rule_format]: 
  38.282 @@ -562,7 +564,7 @@
  38.283    apply(case_tac "i=ia",simp,simp)
  38.284    apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> ?I j \<longrightarrow> ?J j" in allE)
  38.285    apply(drule_tac t=i in not_sym,simp)
  38.286 -  apply(erule etran.elims,simp)
  38.287 +  apply(erule etranE,simp)
  38.288   apply(rule ParCptnComp)
  38.289    apply(erule ParComp,simp)
  38.290  --{* applying the induction hypothesis *}
  38.291 @@ -584,7 +586,7 @@
  38.292       erule_tac x=1 and P="\<lambda>j. ?H j \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE)
  38.293     apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> ?I j \<longrightarrow> ?J j" in allE)
  38.294     apply(drule_tac t=i  in not_sym,simp)
  38.295 -   apply(erule etran.elims,simp)
  38.296 +   apply(erule etranE,simp)
  38.297    apply(erule allE,erule impE,assumption,erule tl_in_cptn)
  38.298    apply(force simp add:same_length_def length_Suc_conv)
  38.299   apply(simp add:same_length_def same_state_def)
  38.300 @@ -620,7 +622,7 @@
  38.301      apply(rule tl_zero)
  38.302        apply(erule_tac x=l in allE, erule impE, assumption, 
  38.303              erule_tac x=1 and P="\<lambda>j.  (?H j) \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE,simp)
  38.304 -      apply(force elim:etran.elims intro:Env)
  38.305 +      apply(force elim:etranE intro:Env)
  38.306       apply force
  38.307      apply force
  38.308     apply simp
  38.309 @@ -637,7 +639,7 @@
  38.310            erule_tac x=1 and P="\<lambda>j. ?H j \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE)
  38.311      apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> ?I j \<longrightarrow> ?J j" in allE)
  38.312      apply(drule_tac t=i  in not_sym,simp)
  38.313 -    apply(erule etran.elims,simp)
  38.314 +    apply(erule etranE,simp)
  38.315     apply(erule tl_zero)
  38.316      apply force
  38.317     apply force
  38.318 @@ -654,7 +656,7 @@
  38.319      apply(erule_tac x=l  in allE, erule impE, assumption,
  38.320            erule_tac x=1 and P="\<lambda>j. ?H j \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE)
  38.321      apply(erule_tac x=l and P="\<lambda>j. ?H j \<longrightarrow> ?I j \<longrightarrow> ?J j" in allE,erule impE, assumption,simp)
  38.322 -    apply(erule etran.elims,simp)
  38.323 +    apply(erule etranE,simp)
  38.324     apply(rule tl_zero)
  38.325      apply force
  38.326     apply force
  38.327 @@ -668,7 +670,7 @@
  38.328      apply(erule_tac x=ia  in allE, erule impE, assumption,
  38.329      erule_tac x=1 and P="\<lambda>j. ?H j \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE)
  38.330      apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> ?I j \<longrightarrow> ?J j" in allE,erule impE, assumption,simp)
  38.331 -    apply(force elim:etran.elims intro:Env)
  38.332 +    apply(force elim:etranE intro:Env)
  38.333     apply force
  38.334    apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in allE,force)
  38.335   apply simp
  38.336 @@ -681,7 +683,7 @@
  38.337   apply(erule_tac x=ia and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in allE,force)
  38.338  --{* first step is an environmental step *}
  38.339  apply clarify
  38.340 -apply(erule par_etran.elims)
  38.341 +apply(erule par_etran.cases)
  38.342  apply simp
  38.343  apply(rule ParCptnEnv)
  38.344  apply(erule_tac x="Ps" in allE)
  38.345 @@ -691,14 +693,14 @@
  38.346  apply(rule conjI)
  38.347   apply clarify
  38.348   apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> (?I ?s j) \<in> cptn" in allE,simp)
  38.349 - apply(erule cptn.elims)
  38.350 + apply(erule cptn.cases)
  38.351     apply(simp add:same_length_def)
  38.352     apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in allE,force)
  38.353    apply(simp add:same_state_def)
  38.354    apply(erule_tac x=i  in allE, erule impE, assumption,
  38.355     erule_tac x=1 and P="\<lambda>j. ?H j \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE,simp)
  38.356   apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> ?J j \<in>etran" in allE,simp)
  38.357 - apply(erule etran.elims,simp)
  38.358 + apply(erule etranE,simp)
  38.359  apply(simp add:same_state_def same_length_def)
  38.360  apply(rule conjI,clarify)
  38.361   apply(case_tac j,simp,simp)
  38.362 @@ -725,7 +727,7 @@
  38.363   apply(rule_tac x=i in exI,simp)
  38.364   apply(rule conjI)
  38.365    apply(erule_tac x=i and P="\<lambda>i. ?H i \<longrightarrow> ?J i \<in>etran" in allE, erule impE, assumption)
  38.366 -  apply(erule etran.elims,simp)
  38.367 +  apply(erule etranE,simp)
  38.368    apply(erule_tac x=i  in allE, erule impE, assumption,
  38.369          erule_tac x=1 and P="\<lambda>j.  (?H j) \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE,simp)
  38.370    apply(rule nth_tl_if)
  38.371 @@ -735,7 +737,7 @@
  38.372    apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in allE,force)
  38.373   apply clarify
  38.374   apply(erule_tac x=l and P="\<lambda>i. ?H i \<longrightarrow> ?J i \<in>etran" in allE, erule impE, assumption)
  38.375 - apply(erule etran.elims,simp)
  38.376 + apply(erule etranE,simp)
  38.377   apply(erule_tac x=l  in allE, erule impE, assumption,
  38.378         erule_tac x=1 and P="\<lambda>j.  (?H j) \<longrightarrow> (snd (?d j))=(snd (?e j))" in allE,simp)
  38.379   apply(rule nth_tl_if)
  38.380 @@ -751,7 +753,7 @@
  38.381   apply(rule tl_zero)
  38.382     apply(erule_tac x=i and P="\<lambda>i. ?H i \<longrightarrow> ?J i \<in>etran" in allE, erule impE, assumption)
  38.383     apply(erule_tac x=i and P="\<lambda>i. ?H i \<longrightarrow> ?J i \<in>etran" in allE, erule impE, assumption)
  38.384 -   apply(force elim:etran.elims intro:Env)
  38.385 +   apply(force elim:etranE intro:Env)
  38.386    apply force
  38.387   apply(erule_tac x=i and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in allE,force)
  38.388  apply simp
  38.389 @@ -778,7 +780,7 @@
  38.390    apply(rule nth_equalityI,simp,simp)
  38.391   apply(force intro: cptn.intros)
  38.392  apply(clarify)
  38.393 -apply(erule par_cptn.elims,simp)
  38.394 +apply(erule par_cptn.cases,simp)
  38.395   apply simp
  38.396   apply(erule_tac x="xs" in allE)
  38.397   apply(erule_tac x="t" in allE,simp)
  38.398 @@ -811,7 +813,7 @@
  38.399    apply clarify
  38.400    apply(rule_tac x=i in exI,simp)
  38.401   apply force
  38.402 -apply(erule par_ctran.elims,simp)
  38.403 +apply(erule par_ctran.cases,simp)
  38.404  apply(erule_tac x="Ps[i:=r]" in allE)
  38.405  apply(erule_tac x="ta" in allE,simp)
  38.406  apply clarify
  38.407 @@ -887,7 +889,7 @@
  38.408    apply(clarify)
  38.409    apply(simp add:par_cp_def cp_def)
  38.410    apply(case_tac x)
  38.411 -   apply(force elim:par_cptn.elims)
  38.412 +   apply(force elim:par_cptn.cases)
  38.413    apply simp
  38.414    apply(erule_tac x="list" in allE)
  38.415    apply clarify
  38.416 @@ -899,7 +901,7 @@
  38.417    apply(erule_tac x=0 in allE)
  38.418    apply(simp add:cp_def conjoin_def same_length_def same_program_def same_state_def compat_label_def)
  38.419    apply clarify
  38.420 -  apply(erule cptn.elims,force,force,force)
  38.421 +  apply(erule cptn.cases,force,force,force)
  38.422   apply(simp add:par_cp_def conjoin_def  same_length_def same_program_def same_state_def compat_label_def)
  38.423   apply clarify
  38.424   apply(erule_tac x=0 and P="\<lambda>j. ?H j \<longrightarrow> (length (?s j) = ?t)" in all_dupE)
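--- a/src/HOL/IMP/Compiler.thy
+++ b/src/HOL/IMP/Compiler.thy
@@ -54,7 +54,7 @@
 
 text {* The other direction! *}
 
-inductive_cases [elim!]: "(([],p,s),next) : stepa1"
+inductive_cases [elim!]: "(([],p,s),(is',p',s')) : stepa1"
 
 lemma [simp]: "(\<langle>[],q,s\<rangle> -n\<rightarrow> \<langle>p',q',t\<rangle>) = (n=0 \<and> p' = [] \<and> q' = q \<and> t = s)"
 apply(rule iffI)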
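Review bot: The `inductive_cases [elim!]` rule on the new side is anonymous and its target changed from the variable `next` to the explicit triple `(is',p',s')` without a word on why; Machines.thy in this same commit names the corresponding rule `execE`, so naming it here, e.g. `inductive_cases stepa1_nilE [elim!]: "(([],p,s),(is',p',s')) : stepa1"`, would let later proofs cite it and keep the two theories parallel. A one-line comment such as `-- "target spelled as a triple so the elimination rule splits the successor configuration"` would record the presumable motivation for the explicit tuple — please confirm that is the reason before adding it.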
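--- a/src/HOL/IMP/Compiler0.thy
+++ b/src/HOL/IMP/Compiler0.thy
@@ -20,48 +20,32 @@
 text {* We describe execution of programs in the machine by
   an operational (small step) semantics:
 *}
-consts  stepa1 :: "instr list \<Rightarrow> ((state\<times>nat) \<times> (state\<times>nat))set"
-
-syntax
-  "_stepa1" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ |- (3<_,_>/ -1-> <_,_>)" [50,0,0,0,0] 50)
-  "_stepa" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ |-/ (3<_,_>/ -*-> <_,_>)" [50,0,0,0,0] 50)
-
-  "_stepan" :: "[instr list,state,nat,nat,state,nat] \<Rightarrow> bool"
-               ("_ |-/ (3<_,_>/ -(_)-> <_,_>)" [50,0,0,0,0,0] 50)
-
-syntax (xsymbols)
-  "_stepa1" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ \<turnstile> (3\<langle>_,_\<rangle>/ -1\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)
-  "_stepa" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ \<turnstile>/ (3\<langle>_,_\<rangle>/ -*\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)
-  "_stepan" :: "[instr list,state,nat,nat,state,nat] \<Rightarrow> bool"
-               ("_ \<turnstile>/ (3\<langle>_,_\<rangle>/ -(_)\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0,0] 50)
 
-syntax (HTML output)
-  "_stepa1" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ |- (3\<langle>_,_\<rangle>/ -1\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)
-  "_stepa" :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
-               ("_ |-/ (3\<langle>_,_\<rangle>/ -*\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)
-  "_stepan" :: "[instr list,state,nat,nat,state,nat] \<Rightarrow> bool"
-               ("_ |-/ (3\<langle>_,_\<rangle>/ -(_)\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0,0] 50)
+inductive_set
+  stepa1 :: "instr list \<Rightarrow> ((state\<times>nat) \<times> (state\<times>nat))set"
+  and stepa1' :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
+    ("_ \<turnstile> (3\<langle>_,_\<rangle>/ -1\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)
+  for P :: "instr list"
+where
+  "P \<turnstile> \<langle>s,m\<rangle> -1\<rightarrow> \<langle>t,n\<rangle> == ((s,m),t,n) : stepa1 P"
+| ASIN[simp]:
+  "\<lbrakk> n<size P; P!n = ASIN x a \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s[x\<mapsto> a s],Suc n\<rangle>"
+| JMPFT[simp,intro]:
+  "\<lbrakk> n<size P; P!n = JMPF b i;  b s \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,Suc n\<rangle>"
+| JMPFF[simp,intro]:
+  "\<lbrakk> n<size P; P!n = JMPF b i; ~b s; m=n+i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,m\<rangle>"
+| JMPB[simp]:
+  "\<lbrakk> n<size P; P!n = JMPB i; i <= n; j = n-i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,j\<rangle>"
 
-translations
-  "P \<turnstile> \<langle>s,m\<rangle> -1\<rightarrow> \<langle>t,n\<rangle>" == "((s,m),t,n) : stepa1 P"
-  "P \<turnstile> \<langle>s,m\<rangle> -*\<rightarrow> \<langle>t,n\<rangle>" == "((s,m),t,n) : ((stepa1 P)^*)"
-  "P \<turnstile> \<langle>s,m\<rangle> -(i)\<rightarrow> \<langle>t,n\<rangle>" == "((s,m),t,n) : ((stepa1 P)^i)"
+abbreviation
+  stepa :: "[instr list,state,nat,state,nat] \<Rightarrow> bool"
+    ("_ \<turnstile>/ (3\<langle>_,_\<rangle>/ -*\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0] 50)  where
+  "P \<turnstile> \<langle>s,m\<rangle> -*\<rightarrow> \<langle>t,n\<rangle> == ((s,m),t,n) : ((stepa1 P)^*)"
 
-inductive "stepa1 P"
-intros
-ASIN[simp]:
-  "\<lbrakk> n<size P; P!n = ASIN x a \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s[x\<mapsto> a s],Suc n\<rangle>"
-JMPFT[simp,intro]:
-  "\<lbrakk> n<size P; P!n = JMPF b i;  b s \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,Suc n\<rangle>"
-JMPFF[simp,intro]:
-  "\<lbrakk> n<size P; P!n = JMPF b i; ~b s; m=n+i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,m\<rangle>"
-JMPB[simp]:
-  "\<lbrakk> n<size P; P!n = JMPB i; i <= n; j = n-i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>s,n\<rangle> -1\<rightarrow> \<langle>s,j\<rangle>"
+abbreviation
+  stepan :: "[instr list,state,nat,nat,state,nat] \<Rightarrow> bool"
+    ("_ \<turnstile>/ (3\<langle>_,_\<rangle>/ -(_)\<rightarrow> \<langle>_,_\<rangle>)" [50,0,0,0,0,0] 50)  where
+  "P \<turnstile> \<langle>s,m\<rangle> -(i)\<rightarrow> \<langle>t,n\<rangle> == ((s,m),t,n) : ((stepa1 P)^i)"
 
 subsection "The compiler"
 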
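Review bot: The rewrite keeps only the xsymbols notation for `stepa1'`, `stepa` and `stepan`; the ASCII forms (`|-`, `-1->`, `-*->`, `-(_)->`) and the `HTML output` variants declared in the removed `syntax` blocks get no replacement, so any theory or document that still parses or prints these relations in ASCII will break. If dropping them is intentional it deserves a sentence in the commit description, which currently only says "adapted to new inductive definition package"; otherwise the ASCII forms need to be re-declared against the new predicates. The same dropped-ASCII-notation pattern appears in Machines.thy, Natural.thy and Transition.thy in this commit.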
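--- a/src/HOL/IMP/Denotation.thy
+++ b/src/HOL/IMP/Denotation.thy
@@ -62,7 +62,7 @@
 apply fast
 
 (* while *)
-apply (erule lfp_induct_set [OF _ Gamma_mono])
+apply (erule lfp_induct2 [OF _ Gamma_mono])
 apply (unfold Gamma_def)
 apply fast
 done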
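--- a/src/HOL/IMP/Expr.thy
+++ b/src/HOL/IMP/Expr.thy
@@ -26,16 +26,14 @@
        | Op2 "nat => nat => nat" aexp aexp
 
 subsection "Evaluation of arithmetic expressions"
-consts  evala    :: "((aexp*state) * nat) set"
-syntax "_evala"  :: "[aexp*state,nat] => bool"         (infixl "-a->" 50)
-translations
-    "aesig -a-> n" == "(aesig,n) : evala"
-inductive evala
-  intros
+
+inductive
+  evala :: "[aexp*state,nat] => bool"  (infixl "-a->" 50)
+where
   N:   "(N(n),s) -a-> n"
-  X:   "(X(x),s) -a-> s(x)"
-  Op1: "(e,s) -a-> n ==> (Op1 f e,s) -a-> f(n)"
-  Op2: "[| (e0,s) -a-> n0;  (e1,s)  -a-> n1 |]
+| X:   "(X(x),s) -a-> s(x)"
+| Op1: "(e,s) -a-> n ==> (Op1 f e,s) -a-> f(n)"
+| Op2: "[| (e0,s) -a-> n0;  (e1,s)  -a-> n1 |]
         ==> (Op2 f e0 e1,s) -a-> f n0 n1"
 
 lemmas [intro] = N X Op1 Op2
@@ -52,23 +50,19 @@
        | ori  bexp bexp         (infixl "ori" 60)
 
 subsection "Evaluation of boolean expressions"
-consts evalb    :: "((bexp*state) * bool)set"
-syntax "_evalb" :: "[bexp*state,bool] => bool"         (infixl "-b->" 50)
 
-translations
-    "besig -b-> b" == "(besig,b) : evalb"
-
-inductive evalb
+inductive
+  evalb :: "[bexp*state,bool] => bool"  (infixl "-b->" 50)
   -- "avoid clash with ML constructors true, false"
-  intros
+where
   tru:   "(true,s) -b-> True"
-  fls:   "(false,s) -b-> False"
-  ROp:   "[| (a0,s) -a-> n0; (a1,s) -a-> n1 |]
+| fls:   "(false,s) -b-> False"
+| ROp:   "[| (a0,s) -a-> n0; (a1,s) -a-> n1 |]
           ==> (ROp f a0 a1,s) -b-> f n0 n1"
-  noti:  "(b,s) -b-> w ==> (noti(b),s) -b-> (~w)"
-  andi:  "[| (b0,s) -b-> w0; (b1,s) -b-> w1 |]
+| noti:  "(b,s) -b-> w ==> (noti(b),s) -b-> (~w)"
+| andi:  "[| (b0,s) -b-> w0; (b1,s) -b-> w1 |]
           ==> (b0 andi b1,s) -b-> (w0 & w1)"
-  ori:   "[| (b0,s) -b-> w0; (b1,s) -b-> w1 |]
+| ori:   "[| (b0,s) -b-> w0; (b1,s) -b-> w1 |]
           ==> (b0 ori b1,s) -b-> (w0 | w1)"
 
 lemmas [intro] = tru fls ROp noti andi ori
@@ -117,21 +111,21 @@
 lemma [simp]:
   "((ROp f a0 a1,sigma) -b-> w) =
   (? m. (a0,sigma) -a-> m & (? n. (a1,sigma) -a-> n & w = f m n))"
-  by (rule,cases set: evalb) auto
+  by (rule,cases set: evalb) blast+
 
 lemma [simp]:
   "((noti(b),sigma) -b-> w) = (? x. (b,sigma) -b-> x & w = (~x))"
-  by (rule,cases set: evalb) auto
+  by (rule,cases set: evalb) blast+
 
 lemma [simp]:
   "((b0 andi b1,sigma) -b-> w) =
   (? x. (b0,sigma) -b-> x & (? y. (b1,sigma) -b-> y & w = (x&y)))"
-  by (rule,cases set: evalb) auto
+  by (rule,cases set: evalb) blast+
 
 lemma [simp]:
   "((b0 ori b1,sigma) -b-> w) =
   (? x. (b0,sigma) -b-> x & (? y. (b1,sigma) -b-> y & w = (x|y)))"
-  by (rule,cases set: evalb) auto
+  by (rule,cases set: evalb) blast+
 
 
 lemma aexp_iff: "((a,s) -a-> n) = (A a s = n)"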
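Review bot: The four inversion lemmas in the last hunk switch from `auto` to `blast+` with no explanation, and nothing in the hunk shows whether `auto` stopped closing these goals once `evalb` became a predicate or whether this is merely a tactic preference; a short comment before the first of them stating the actual reason would save the next person from re-running the experiment. Those proofs also still select the case rule with `cases set: evalb` although `evalb` is now declared with `inductive` as a predicate; if the new package registers the rule under `pred:` as well, `cases pred: evalb` would document the change in kind — worth confirming rather than assuming.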
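--- a/src/HOL/IMP/Hoare.thy
+++ b/src/HOL/IMP/Hoare.thy
@@ -13,20 +13,17 @@
 constdefs hoare_valid :: "[assn,com,assn] => bool" ("|= {(1_)}/ (_)/ {(1_)}" 50)
           "|= {P}c{Q} == !s t. (s,t) : C(c) --> P s --> Q t"
 
-consts hoare :: "(assn * com * assn) set"
-syntax "_hoare" :: "[bool,com,bool] => bool" ("|- ({(1_)}/ (_)/ {(1_)})" 50)
-translations "|- {P}c{Q}" == "(P,c,Q) : hoare"
-
-inductive hoare
-intros
+inductive
+  hoare :: "assn => com => assn => bool" ("|- ({(1_)}/ (_)/ {(1_)})" 50)
+where
   skip: "|- {P}\<SKIP>{P}"
-  ass:  "|- {%s. P(s[x\<mapsto>a s])} x:==a {P}"
-  semi: "[| |- {P}c{Q}; |- {Q}d{R} |] ==> |- {P} c;d {R}"
-  If: "[| |- {%s. P s & b s}c{Q}; |- {%s. P s & ~b s}d{Q} |] ==>
+| ass:  "|- {%s. P(s[x\<mapsto>a s])} x:==a {P}"
+| semi: "[| |- {P}c{Q}; |- {Q}d{R} |] ==> |- {P} c;d {R}"
+| If: "[| |- {%s. P s & b s}c{Q}; |- {%s. P s & ~b s}d{Q} |] ==>
       |- {P} \<IF> b \<THEN> c \<ELSE> d {Q}"
-  While: "|- {%s. P s & b s} c {P} ==>
+| While: "|- {%s. P s & b s} c {P} ==>
          |- {P} \<WHILE> b \<DO> c {%s. P s & ~b s}"
-  conseq: "[| !s. P' s --> P s; |- {P}c{Q}; !s. Q s --> Q' s |] ==>
+| conseq: "[| !s. P' s --> P s; |- {P}c{Q}; !s. Q s --> Q' s |] ==>
           |- {P'}c{Q'}"
 
 constdefs wp :: "com => assn => assn"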
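Review bot: The new signature `hoare :: "assn => com => assn => bool"` sits two lines below `hoare_valid :: "[assn,com,assn] => bool"`, which spells the same curried type in bracket form; mixing the two spellings in adjacent declarations reads as if the types differed. `hoare :: "[assn,com,assn] => bool" ("|- ({(1_)}/ (_)/ {(1_)})" 50)` keeps the theory consistent with itself and with the bracket form used for `evalc :: "[com,state,state] \<Rightarrow> bool"` in Natural.thy in this same commit.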
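--- a/src/HOL/IMP/Machines.thy
+++ b/src/HOL/IMP/Machines.thy
@@ -36,43 +36,28 @@
 
 subsection "M0 with PC"
 
-consts  exec01 :: "instr list \<Rightarrow> ((nat\<times>state) \<times> (nat\<times>state))set"
-syntax
-  "_exec01" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1<_,/_>)/ -1-> (1<_,/_>))" [50,0,0,0,0] 50)
-  "_exec0s" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1<_,/_>)/ -*-> (1<_,/_>))" [50,0,0,0,0] 50)
-  "_exec0n" :: "[instrs, nat,state, nat, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1<_,/_>)/ -_-> (1<_,/_>))" [50,0,0,0,0] 50)
-
-syntax (xsymbols)
-  "_exec01" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -1\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
-  "_exec0s" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -*\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
-  "_exec0n" :: "[instrs, nat,state, nat, nat,state] \<Rightarrow> bool"
-               ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
+inductive_set
+  exec01 :: "instr list \<Rightarrow> ((nat\<times>state) \<times> (nat\<times>state))set"
+  and exec01' :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
+    ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -1\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
+  for P :: "instr list"
+where
+  "p \<turnstile> \<langle>i,s\<rangle> -1\<rightarrow> \<langle>j,t\<rangle> == ((i,s),j,t) : (exec01 p)"
+| SET: "\<lbrakk> n<size P; P!n = SET x a \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>Suc n,s[x\<mapsto> a s]\<rangle>"
+| JMPFT: "\<lbrakk> n<size P; P!n = JMPF b i;  b s \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>Suc n,s\<rangle>"
+| JMPFF: "\<lbrakk> n<size P; P!n = JMPF b i; \<not>b s; m=n+i+1; m \<le> size P \<rbrakk>
+        \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>m,s\<rangle>"
+| JMPB:  "\<lbrakk> n<size P; P!n = JMPB i; i \<le> n; j = n-i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>j,s\<rangle>"
 
-syntax (HTML output)
-  "_exec01" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1\<langle>_,/_\<rangle>)/ -1\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
-  "_exec0s" :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1\<langle>_,/_\<rangle>)/ -*\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
-  "_exec0n" :: "[instrs, nat,state, nat, nat,state] \<Rightarrow> bool"
-               ("(_/ |- (1\<langle>_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)
+abbreviation
+  exec0s :: "[instrs, nat,state, nat,state] \<Rightarrow> bool"
+    ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -*\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)  where
+  "p \<turnstile> \<langle>i,s\<rangle> -*\<rightarrow> \<langle>j,t\<rangle> == ((i,s),j,t) : (exec01 p)^*"
 
-translations
-  "p \<turnstile> \<langle>i,s\<rangle> -1\<rightarrow> \<langle>j,t\<rangle>" == "((i,s),j,t) : (exec01 p)"
-  "p \<turnstile> \<langle>i,s\<rangle> -*\<rightarrow> \<langle>j,t\<rangle>" == "((i,s),j,t) : (exec01 p)^*"
-  "p \<turnstile> \<langle>i,s\<rangle> -n\<rightarrow> \<langle>j,t\<rangle>" == "((i,s),j,t) : (exec01 p)^n"
-
-inductive "exec01 P"
-intros
-SET: "\<lbrakk> n<size P; P!n = SET x a \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>Suc n,s[x\<mapsto> a s]\<rangle>"
-JMPFT: "\<lbrakk> n<size P; P!n = JMPF b i;  b s \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>Suc n,s\<rangle>"
-JMPFF: "\<lbrakk> n<size P; P!n = JMPF b i; \<not>b s; m=n+i+1; m \<le> size P \<rbrakk>
-        \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>m,s\<rangle>"
-JMPB:  "\<lbrakk> n<size P; P!n = JMPB i; i \<le> n; j = n-i \<rbrakk> \<Longrightarrow> P \<turnstile> \<langle>n,s\<rangle> -1\<rightarrow> \<langle>j,s\<rangle>"
+abbreviation
+  exec0n :: "[instrs, nat,state, nat, nat,state] \<Rightarrow> bool"
+    ("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0] 50)  where
+  "p \<turnstile> \<langle>i,s\<rangle> -n\<rightarrow> \<langle>j,t\<rangle> == ((i,s),j,t) : (exec01 p)^n"
 
 subsection "M0 with lists"
 
@@ -82,40 +67,31 @@
 
 types config = "instrs \<times> instrs \<times> state"
 
-consts  stepa1 :: "(config \<times> config)set"
 
-syntax
-  "_stepa1" :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1<_,/_,/_>)/ -1-> (1<_,/_,/_>))" 50)
-  "_stepa" :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1<_,/_,/_>)/ -*-> (1<_,/_,/_>))" 50)
-  "_stepan" :: "[state,instrs,instrs, nat, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1<_,/_,/_>)/ -_-> (1<_,/_,/_>))" 50)
-
-syntax (xsymbols)
-  "_stepa1" :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1\<langle>_,/_,/_\<rangle>)/ -1\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50)
-  "_stepa" :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1\<langle>_,/_,/_\<rangle>)/ -*\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50)
-  "_stepan" :: "[instrs,instrs,state, nat, instrs,instrs,state] \<Rightarrow> bool"
-               ("((1\<langle>_,/_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50)
-
-translations
-  "\<langle>p,q,s\<rangle> -1\<rightarrow> \<langle>p',q',t\<rangle>" == "((p,q,s),p',q',t) : stepa1"
-  "\<langle>p,q,s\<rangle> -*\<rightarrow> \<langle>p',q',t\<rangle>" == "((p,q,s),p',q',t) : (stepa1^*)"
-  "\<langle>p,q,s\<rangle> -i\<rightarrow> \<langle>p',q',t\<rangle>" == "((p,q,s),p',q',t) : (stepa1^i)"
-
-
-inductive "stepa1"
-intros
-  "\<langle>SET x a#p,q,s\<rangle> -1\<rightarrow> \<langle>p,SET x a#q,s[x\<mapsto> a s]\<rangle>"
-  "b s \<Longrightarrow> \<langle>JMPF b i#p,q,s\<rangle> -1\<rightarrow> \<langle>p,JMPF b i#q,s\<rangle>"
-  "\<lbrakk> \<not> b s; i \<le> size p \<rbrakk>
+inductive_set
+  stepa1 :: "(config \<times> config)set"
+  and stepa1' :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
+    ("((1\<langle>_,/_,/_\<rangle>)/ -1\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50)
+where
+  "\<langle>p,q,s\<rangle> -1\<rightarrow> \<langle>p',q',t\<rangle> == ((p,q,s),p',q',t) : stepa1"
+| "\<langle>SET x a#p,q,s\<rangle> -1\<rightarrow> \<langle>p,SET x a#q,s[x\<mapsto> a s]\<rangle>"
+| "b s \<Longrightarrow> \<langle>JMPF b i#p,q,s\<rangle> -1\<rightarrow> \<langle>p,JMPF b i#q,s\<rangle>"
+| "\<lbrakk> \<not> b s; i \<le> size p \<rbrakk>
    \<Longrightarrow> \<langle>JMPF b i # p, q, s\<rangle> -1\<rightarrow> \<langle>drop i p, rev(take i p) @ JMPF b i # q, s\<rangle>"
-  "i \<le> size q
+| "i \<le> size q
    \<Longrightarrow> \<langle>JMPB i # p, q, s\<rangle> -1\<rightarrow> \<langle>rev(take i q) @ JMPB i # p, drop i q, s\<rangle>"
 
-inductive_cases execE: "((i#is,p,s),next) : stepa1"
+abbreviation
+  stepa :: "[instrs,instrs,state, instrs,instrs,state] \<Rightarrow> bool"
+    ("((1\<langle>_,/_,/_\<rangle>)/ -*\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50)  where
+  "\<langle>p,q,s\<rangle> -*\<rightarrow> \<langle>p',q',t\<rangle> == ((p,q,s),p',q',t) : (stepa1^*)"
+
+abbreviation
+  stepan :: "[instrs,instrs,state, nat, instrs,instrs,state] \<Rightarrow> bool"
+    ("((1\<langle>_,/_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_,/_\<rangle>))" 50) where
+  "\<langle>p,q,s\<rangle> -i\<rightarrow> \<langle>p',q',t\<rangle> == ((p,q,s),p',q',t) : (stepa1^i)"
+
+inductive_cases execE: "((i#is,p,s), (is',p',s')) : stepa1"
 
 lemma exec_simp[simp]:
  "(\<langle>i#p,q,s\<rangle> -1\<rightarrow> \<langle>p',q',t\<rangle>) = (case i of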
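Review bot: The new `exec0n` abbreviation in the first hunk declares six argument slots (`[instrs, nat,state, nat, nat,state]`, six `_` in the template) but only five argument priorities, `[50,0,0,0,0]`, whereas the parallel `stepan` in Compiler0.thy in this commit gives `[50,0,0,0,0,0]`. The short list was carried over from the removed `_exec0n` syntax line, so it is not new, but the rewrite was the moment to align it; unless a five-entry list is deliberate, `("(_/ \<turnstile> (1\<langle>_,/_\<rangle>)/ -_\<rightarrow> (1\<langle>_,/_\<rangle>))" [50,0,0,0,0,0] 50)` makes the two theories agree. Also minor: the defining clause of `exec01'` writes `p \<turnstile> ...` while the `for` parameter is `P`, unlike Compiler0.thy where the clause uses `P` throughout; using one spelling avoids a reader wondering whether `p` and `P` differ.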
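--- a/src/HOL/IMP/Natural.thy
+++ b/src/HOL/IMP/Natural.thy
@@ -11,22 +11,12 @@
 
 subsection "Execution of commands"
 
-consts  evalc   :: "(com \<times> state \<times> state) set"
-syntax "_evalc" :: "[com,state,state] \<Rightarrow> bool" ("<_,_>/ -c-> _" [0,0,60] 60)
-
-syntax (xsymbols)
-  "_evalc" :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
-
-syntax (HTML output)
-  "_evalc" :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
-
 text {*
   We write @{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} for \emph{Statement @{text c}, started
   in state @{text s}, terminates in state @{text s'}}. Formally,
   @{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} is just another form of saying \emph{the tuple
   @{text "(c,s,s')"} is part of the relation @{text evalc}}:
 *}
-translations  "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" == "(c,s,s') \<in> evalc"
 
 constdefs
   update :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a \<Rightarrow> 'b)" ("_/[_ ::= /_]" [900,0,0] 900)
@@ -38,18 +28,19 @@
 text {*
   The big-step execution relation @{text evalc} is defined inductively:
 *}
-inductive evalc
-  intros
+inductive
+  evalc :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
+where
   Skip:    "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s"
-  Assign:  "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s[x\<mapsto>a s]"
+| Assign:  "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s[x\<mapsto>a s]"
 
-  Semi:    "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
+| Semi:    "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
 
-  IfTrue:  "b s \<Longrightarrow> \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
-  IfFalse: "\<not>b s \<Longrightarrow> \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
+| IfTrue:  "b s \<Longrightarrow> \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
+| IfFalse: "\<not>b s \<Longrightarrow> \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
 
-  WhileFalse: "\<not>b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s"
-  WhileTrue:  "b s \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s'
+| WhileFalse: "\<not>b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s"
+| WhileTrue:  "b s \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s'
               \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s'"
 
 lemmas evalc.intros [intro] -- "use those rules in automatic proofs"
@@ -74,33 +65,33 @@
 *}
 lemma skip:
   "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma assign:
   "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s[x\<mapsto>a s])"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma semi:
   "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s' = (\<exists>s''. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s')"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma ifTrue:
   "b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma ifFalse:
   "\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s'"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma whileFalse:
   "\<not> b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 lemma whileTrue:
   "b s \<Longrightarrow>
   \<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s' =
   (\<exists>s''. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s')"
-  by (rule, erule evalc.elims) auto
+  by (rule, erule evalc.cases) auto
 
 text "Again, Isabelle may use these rules in automatic proofs:"
 lemmas evalc_cases [simp] = skip assign ifTrue ifFalse whileFalse semi whileTrue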
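Review bot: The explanatory text left as context in the first hunk still says that `\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'` is "just another form of saying the tuple (c,s,s') is part of the relation evalc", but the `translations` line it was describing is removed and `evalc` is now introduced in the second hunk as a predicate carrying its own mixfix syntax, so the paragraph no longer matches the definition. Rewording the last sentence to something like `@{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} is just syntax for the predicate @{text evalc} applied to @{text c}, @{text s} and @{text s'}` keeps the prose in step with the code. The commit description mentions only the package migration, so this stale sentence is easy to miss.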
    46.1 --- a/src/HOL/IMP/Transition.thy	Wed Jul 11 11:13:08 2007 +0200
    46.2 +++ b/src/HOL/IMP/Transition.thy	Wed Jul 11 11:14:51 2007 +0200
    46.3 @@ -20,10 +20,8 @@
    46.4    a statement, the transition relation is not
    46.5    @{typ "((com \<times> state) \<times> (com \<times> state)) set"}
    46.6    but instead:
    46.7 -*}
    46.8 -consts evalc1 :: "((com option \<times> state) \<times> (com option \<times> state)) set"
    46.9 +  @{typ "((com option \<times> state) \<times> (com option \<times> state)) set"}
   46.10  
   46.11 -text {*
   46.12    Some syntactic sugar that we will use to hide the
   46.13    @{text option} part in configurations:
   46.14  *}
   46.15 @@ -44,53 +42,40 @@
   46.16    "\<langle>s\<rangle>" == "(None, s)"
   46.17  
   46.18  text {*
   46.19 +  Now, finally, we are set to write down the rules for our small step semantics:
   46.20 +*}
   46.21 +inductive_set
   46.22 +  evalc1 :: "((com option \<times> state) \<times> (com option \<times> state)) set"
   46.23 +  and evalc1' :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.24 +    ("_ \<longrightarrow>\<^sub>1 _" [60,60] 61)
   46.25 +where
   46.26 +  "cs \<longrightarrow>\<^sub>1 cs' == (cs,cs') \<in> evalc1"
   46.27 +| Skip:    "\<langle>\<SKIP>, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s\<rangle>"
   46.28 +| Assign:  "\<langle>x :== a, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s[x \<mapsto> a s]\<rangle>"
   46.29 +
   46.30 +| Semi1:   "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s'\<rangle> \<Longrightarrow> \<langle>c0;c1,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c1,s'\<rangle>"
   46.31 +| Semi2:   "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c0',s'\<rangle> \<Longrightarrow> \<langle>c0;c1,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c0';c1,s'\<rangle>"
   46.32 +
   46.33 +| IfTrue:  "b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c1 \<ELSE> c2,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c1,s\<rangle>"
   46.34 +| IfFalse: "\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c1 \<ELSE> c2,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c2,s\<rangle>"
   46.35 +
   46.36 +| While:   "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>,s\<rangle>"
   46.37 +
   46.38 +lemmas [intro] = evalc1.intros -- "again, use these rules in automatic proofs"
   46.39 +
   46.40 +text {*
   46.41    More syntactic sugar for the transition relation, and its
   46.42    iteration.
   46.43  *}
   46.44 -syntax
   46.45 -  "_evalc1" :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.46 -    ("_ -1-> _" [60,60] 60)
   46.47 -  "_evalcn" :: "[(com option\<times>state),nat,(com option\<times>state)] \<Rightarrow> bool"
   46.48 -    ("_ -_-> _" [60,60,60] 60)
   46.49 -  "_evalc*" :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.50 -    ("_ -*-> _" [60,60] 60)
   46.51 -
   46.52 -syntax (xsymbols)
   46.53 -  "_evalc1" :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.54 -    ("_ \<longrightarrow>\<^sub>1 _" [60,60] 61)
   46.55 -  "_evalcn" :: "[(com option\<times>state),nat,(com option\<times>state)] \<Rightarrow> bool"
   46.56 -    ("_ -_\<rightarrow>\<^sub>1 _" [60,60,60] 60)
   46.57 -  "_evalc*" :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.58 -    ("_ \<longrightarrow>\<^sub>1\<^sup>* _" [60,60] 60)
   46.59 -
   46.60 -translations
   46.61 -  "cs \<longrightarrow>\<^sub>1 cs'" == "(cs,cs') \<in> evalc1"
   46.62 -  "cs -n\<rightarrow>\<^sub>1 cs'" == "(cs,cs') \<in> evalc1^n"
   46.63 -  "cs \<longrightarrow>\<^sub>1\<^sup>* cs'" == "(cs,cs') \<in> evalc1^*"
   46.64 +abbreviation
   46.65 +  evalcn :: "[(com option\<times>state),nat,(com option\<times>state)] \<Rightarrow> bool"
   46.66 +    ("_ -_\<rightarrow>\<^sub>1 _" [60,60,60] 60)  where
   46.67 +  "cs -n\<rightarrow>\<^sub>1 cs' == (cs,cs') \<in> evalc1^n"
   46.68  
   46.69 -  -- {* Isabelle/HOL converts @{text "(cs0,(c1,s1))"} to @{term "(cs0,c1,s1)"},
   46.70 -        so we also include: *}
   46.71 -  "cs0 \<longrightarrow>\<^sub>1 (c1,s1)" == "(cs0,c1,s1) \<in> evalc1"
   46.72 -  "cs0 -n\<rightarrow>\<^sub>1 (c1,s1)" == "(cs0,c1,s1) \<in> evalc1^n"
   46.73 -  "cs0 \<longrightarrow>\<^sub>1\<^sup>* (c1,s1)" == "(cs0,c1,s1) \<in> evalc1^*"
   46.74 -
   46.75 -text {*
   46.76 -  Now, finally, we are set to write down the rules for our small step semantics:
   46.77 -*}
   46.78 -inductive evalc1
   46.79 -  intros
   46.80 -  Skip:    "\<langle>\<SKIP>, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s\<rangle>"
   46.81 -  Assign:  "\<langle>x :== a, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s[x \<mapsto> a s]\<rangle>"
   46.82 -
   46.83 -  Semi1:   "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s'\<rangle> \<Longrightarrow> \<langle>c0;c1,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c1,s'\<rangle>"
   46.84 -  Semi2:   "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c0',s'\<rangle> \<Longrightarrow> \<langle>c0;c1,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c0';c1,s'\<rangle>"
   46.85 -
   46.86 -  IfTrue:  "b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c1 \<ELSE> c2,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c1,s\<rangle>"
   46.87 -  IfFalse: "\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c1 \<ELSE> c2,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c2,s\<rangle>"
   46.88 -
   46.89 -  While:   "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>1 \<langle>\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>,s\<rangle>"
   46.90 -
   46.91 -lemmas [intro] = evalc1.intros -- "again, use these rules in automatic proofs"
   46.92 +abbreviation
   46.93 +  evalc' :: "[(com option\<times>state),(com option\<times>state)] \<Rightarrow> bool"
   46.94 +    ("_ \<longrightarrow>\<^sub>1\<^sup>* _" [60,60] 60)  where
   46.95 +  "cs \<longrightarrow>\<^sub>1\<^sup>* cs' == (cs,cs') \<in> evalc1^*"
   46.96  
   46.97  (*<*)
   46.98  (* fixme: move to Relation_Power.thy *)
   46.99 @@ -120,18 +105,18 @@
  46.100    syntax directed way:
  46.101  *}
  46.102  lemma SKIP_1: "\<langle>\<SKIP>, s\<rangle> \<longrightarrow>\<^sub>1 y = (y = \<langle>s\<rangle>)"
  46.103 -  by (rule, cases set: evalc1, auto)
  46.104 +  by (induct y, rule, cases set: evalc1, auto)
  46.105  
  46.106  lemma Assign_1: "\<langle>x :== a, s\<rangle> \<longrightarrow>\<^sub>1 y = (y = \<langle>s[x \<mapsto> a s]\<rangle>)"
  46.107 -  by (rule, cases set: evalc1, auto)
  46.108 +  by (induct y, rule, cases set: evalc1, auto)
  46.109  
  46.110  lemma Cond_1:
  46.111    "\<langle>\<IF> b \<THEN> c1 \<ELSE> c2, s\<rangle> \<longrightarrow>\<^sub>1 y = ((b s \<longrightarrow> y = \<langle>c1, s\<rangle>) \<and> (\<not>b s \<longrightarrow> y = \<langle>c2, s\<rangle>))"
  46.112 -  by (rule, cases set: evalc1, auto)
  46.113 +  by (induct y, rule, cases set: evalc1, auto)
  46.114  
  46.115  lemma While_1:
  46.116    "\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>1 y = (y = \<langle>\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>, s\<rangle>)"
  46.117 -  by (rule, cases set: evalc1, auto)
  46.118 +  by (induct y, rule, cases set: evalc1, auto)
  46.119  
  46.120  lemmas [simp] = SKIP_1 Assign_1 Cond_1 While_1
  46.121  
  46.122 @@ -197,10 +182,10 @@
  46.123    has terminated and there is no next configuration:
  46.124  *}
  46.125  lemma stuck [elim!]: "\<langle>s\<rangle> \<longrightarrow>\<^sub>1 y \<Longrightarrow> P"
  46.126 -  by (auto elim: evalc1.elims)
  46.127 +  by (induct y, auto elim: evalc1.cases)
  46.128  
  46.129  lemma evalc_None_retrancl [simp, dest!]: "\<langle>s\<rangle> \<longrightarrow>\<^sub>1\<^sup>* s' \<Longrightarrow> s' = \<langle>s\<rangle>"
  46.130 -  by (induct set: rtrancl_set) auto
  46.131 +  by (induct set: rtrancl) auto
  46.132  
  46.133  (*<*)
  46.134  (* FIXME: relpow.simps don't work *)
  46.135 @@ -230,10 +215,10 @@
  46.136    case (Suc n)
  46.137  
  46.138    from `\<langle>c1; c2, s\<rangle> -Suc n\<rightarrow>\<^sub>1 \<langle>s''\<rangle>`
  46.139 -  obtain y where
  46.140 -      1: "\<langle>c1; c2, s\<rangle> \<longrightarrow>\<^sub>1 y" and
  46.141 -      n: "y -n\<rightarrow>\<^sub>1 \<langle>s''\<rangle>"
  46.142 -    by blast
  46.143 +  obtain co s''' where
  46.144 +      1: "\<langle>c1; c2, s\<rangle> \<longrightarrow>\<^sub>1 (co, s''')" and
  46.145 +      n: "(co, s''') -n\<rightarrow>\<^sub>1 \<langle>s''\<rangle>"
  46.146 +    by auto
  46.147  
  46.148    from 1
  46.149    show "\<exists>i j s'. \<langle>c1, s\<rangle> -i\<rightarrow>\<^sub>1 \<langle>s'\<rangle> \<and> \<langle>c2, s'\<rangle> -j\<rightarrow>\<^sub>1 \<langle>s''\<rangle> \<and> Suc n = i+j"
  46.150 @@ -241,14 +226,14 @@
  46.151    proof (cases set: evalc1)
  46.152      case Semi1
  46.153      then obtain s' where
  46.154 -        "y = \<langle>c2, s'\<rangle>" and "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s'\<rangle>"
  46.155 +        "co = Some c2" and "s''' = s'" and "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>s'\<rangle>"
  46.156        by auto
  46.157      with 1 n have "?Q 1 n s'" by simp
  46.158      thus ?thesis by blast
  46.159    next
  46.160      case Semi2
  46.161      then obtain c1' s' where
  46.162 -        y:  "y = \<langle>c1'; c2, s'\<rangle>" and
  46.163 +        "co = Some (c1'; c2)" "s''' = s'" and
  46.164          c1: "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>1 \<langle>c1', s'\<rangle>"
  46.165        by auto
  46.166      with n have "\<langle>c1'; c2, s'\<rangle> -n\<rightarrow>\<^sub>1 \<langle>s''\<rangle>" by simp
  46.167 @@ -476,13 +461,13 @@
  46.168  qed
  46.169  
  46.170  inductive_cases evalc1_SEs:
  46.171 -  "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.172 -  "\<langle>x:==a,s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.173 -  "\<langle>c1;c2, s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.174 -  "\<langle>\<IF> b \<THEN> c1 \<ELSE> c2, s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.175 -  "\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.176 +  "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.177 +  "\<langle>x:==a,s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.178 +  "\<langle>c1;c2, s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.179 +  "\<langle>\<IF> b \<THEN> c1 \<ELSE> c2, s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.180 +  "\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.181  
  46.182 -inductive_cases evalc1_E: "\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>1 t"
  46.183 +inductive_cases evalc1_E: "\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>1 (co, s')"
  46.184  
  46.185  declare evalc1_SEs [elim!]
  46.186  
  46.187 @@ -546,6 +531,7 @@
  46.188  apply (intro strip)
  46.189  apply (erule rel_pow_E2)
  46.190   apply simp
  46.191 +apply (simp only: split_paired_all)
  46.192  apply (erule evalc1_E)
  46.193  
  46.194  apply simp
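--- a/src/HOL/IMP/VC.thy
+++ b/src/HOL/IMP/VC.thy
@@ -120,11 +120,11 @@
   show ?case (is "? ac. ?C ac")
 proof show "?C Askip" by simp qed
 next
-  case (ass P a x)
+  case (ass P x a)
   show ?case (is "? ac. ?C ac")
 proof show "?C(Aass x a)" by simp qed
 next
-  case (semi P Q R c1 c2)
+  case (semi P c1 Q c2 R)
 from semi.hyps obtain ac1 where ih1: "?Eq P c1 Q ac1" by fast
 from semi.hyps obtain ac2 where ih2: "?Eq Q c2 R ac2" by fast
   show ?case (is "? ac. ?C ac")
@@ -133,7 +133,7 @@
      using ih1 ih2 by simp (fast elim!: awp_mono vc_mono)
   qed
 next
-  case (If P Q b c1 c2)
+  case (If P b c1 Q c2)
 from If.hyps obtain ac1 where ih1: "?Eq (%s. P s & b s) c1 Q ac1" by fast
 from If.hyps obtain ac2 where ih2: "?Eq (%s. P s & ~b s) c2 Q ac2" by fast
   show ?case (is "? ac. ?C ac")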
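--- a/src/HOL/IMPP/Com.thy
+++ b/src/HOL/IMPP/Com.thy
@@ -48,32 +48,29 @@
 
 
 (* Well-typedness: all procedures called must exist *)
-consts WTs :: "com set"
-syntax WT  :: "com => bool"
-translations "WT c" == "c : WTs"
 
-inductive WTs intros
+inductive WT  :: "com => bool" where
 
     Skip:    "WT SKIP"
 
-    Assign:  "WT (X :== a)"
+  | Assign:  "WT (X :== a)"
 
-    Local:   "WT c ==>
+  | Local:   "WT c ==>
              WT (LOCAL Y := a IN c)"
 
-    Semi:    "[| WT c0; WT c1 |] ==>
+  | Semi:    "[| WT c0; WT c1 |] ==>
              WT (c0;; c1)"
 
-    If:      "[| WT c0; WT c1 |] ==>
+  | If:      "[| WT c0; WT c1 |] ==>
              WT (IF b THEN c0 ELSE c1)"
 
-    While:   "WT c ==>
+  | While:   "WT c ==>
              WT (WHILE b DO c)"
 
-    Body:    "body pn ~= None ==>
+  | Body:    "body pn ~= None ==>
              WT (BODY pn)"
 
-    Call:    "WT (BODY pn) ==>
+  | Call:    "WT (BODY pn) ==>
              WT (X:=CALL pn(a))"
 
 inductive_cases WTs_elim_cases: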
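Review bot: The elimination rules at `inductive_cases WTs_elim_cases:` on the last line of the hunk keep the name of the removed set `WTs`, although the relation is now the predicate `WT` declared by `inductive WT :: "com => bool" where`, so the rule set is named after a constant that no longer exists in this file. Renaming it `inductive_cases WT_elim_cases:` — together with every use of the old name, which all lie outside this hunk — keeps the names in step with the new package. If the old name is kept on purpose, a comment such as `(* name retained: WTs was the set form of WT before the predicate version *)` would save the next reader a search for `WTs`. The `inductive_cases` statement itself continues past the end of the hunk.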
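--- a/src/HOL/IMPP/Hoare.thy
+++ b/src/HOL/IMPP/Hoare.thy
@@ -34,59 +34,58 @@
 consts
  triple_valid ::            "nat => 'a triple     => bool" ( "|=_:_" [0 , 58] 57)
  hoare_valids ::  "'a triple set => 'a triple set => bool" ("_||=_"  [58, 58] 57)
-  hoare_derivs :: "('a triple set *  'a triple set)   set"
 syntax
   triples_valid::            "nat => 'a triple set => bool" ("||=_:_" [0 , 58] 57)
 hoare_valid  ::  "'a triple set => 'a triple     => bool" ("_|=_"   [58, 58] 57)
-"@hoare_derivs"::  "'a triple set => 'a triple set => bool" ("_||-_"  [58, 58] 57)
-"@hoare_deriv" ::  "'a triple set => 'a triple     => bool" ("_|-_"   [58, 58] 57)
 
 defs triple_valid_def: "|=n:t  ==  case t of {P}.c.{Q} =>
                                !Z s. P Z s --> (!s'. <c,s> -n-> s' --> Q Z s')"
 translations          "||=n:G" == "Ball G (triple_valid n)"
 defs hoare_valids_def: "G||=ts   ==  !n. ||=n:G --> ||=n:ts"
 translations         "G |=t  " == " G||={t}"
-                     "G||-ts"  == "(G,ts) : hoare_derivs"
-                     "G |-t"   == " G||-{t}"
 
 (* Most General Triples *)
 constdefs MGT    :: "com => state triple"            ("{=}._.{->}" [60] 58)
         "{=}.c.{->} == {%Z s0. Z = s0}. c .{%Z s1. <c,Z> -c-> s1}"
 
-inductive hoare_derivs intros
+inductive
+  hoare_derivs :: "'a triple set => 'a triple set => bool" ("_||-_"  [58, 58] 57)
+  and hoare_deriv :: "'a triple set => 'a triple     => bool" ("_|-_"   [58, 58] 57)
+where
+  "G |-t == G||-{t}"
 
-  empty:    "G||-{}"
-  insert: "[| G |-t;  G||-ts |]
+| empty:    "G||-{}"
+| insert: "[| G |-t;  G||-ts |]
        ==> G||-insert t ts"
 
-  asm:      "ts <= G ==>
+| asm:      "ts <= G ==>
            G||-ts" (* {P}.BODY pn.{Q} instead of (general) t for SkipD_lemma *)
 
-  cut:   "[| G'||-ts; G||-G' |] ==> G||-ts" (* for convenience and efficiency *)
+| cut:   "[| G'||-ts; G||-G' |] ==> G||-ts" (* for convenience and efficiency *)
 
-  weaken: "[| G||-ts' ; ts <= ts' |] ==> G||-ts"
+| weaken: "[| G||-ts' ; ts <= ts' |] ==> G||-ts"
 
-  conseq: "!Z s. P  Z  s --> (? P' Q'. G|-{P'}.c.{Q'} &
+| conseq: "!Z s. P  Z  s --> (? P' Q'. G|-{P'}.c.{Q'} &
                                  (!s'. (!Z'. P' Z' s --> Q' Z' s') --> Q Z s'))
         ==> G|-{P}.c.{Q}"
 
 
-  Skip:  "G|-{P}. SKIP .{P}"
+| Skip:  "G|-{P}. SKIP .{P}"
 
-  Ass:   "G|-{%Z s. P Z (s[X::=a s])}. X:==a .{P}"
+| Ass:   "G|-{%Z s. P Z (s[X::=a s])}. X:==a .{P}"
 
-  Local: "G|-{P}. c .{%Z s. Q Z (s[Loc X::=s'<X>])}
+| Local: "G|-{P}. c .{%Z s. Q Z (s[Loc X::=s'<X>])}
      ==> G|-{%Z s. s'=s & P Z (s[Loc X::=a s])}. LOCAL X:=a IN c .{Q}"
 
-  Comp:  "[| G|-{P}.c.{Q};
+| Comp:  "[| G|-{P}.c.{Q};
            G|-{Q}.d.{R} |]
        ==> G|-{P}. (c;;d) .{R}"
 
-  If:    "[| G|-{P &>        b }.c.{Q};
+| If:    "[| G|-{P &>        b }.c.{Q};
            G|-{P &> (Not o b)}.d.{Q} |]
        ==> G|-{P}. IF b THEN c ELSE d .{Q}"
 
-  Loop:  "G|-{P &> b}.c.{P} ==>
+| Loop:  "G|-{P &> b}.c.{P} ==>
         G|-{P}. WHILE b DO c .{P &> (Not o b)}"
 
 (*
@@ -94,11 +93,11 @@
          |-{P}.  the (body pn) .{Q} ==>
         G|-{P}.       BODY pn  .{Q}"
 *)
-  Body:  "[| G Un (%p. {P p}.      BODY p  .{Q p})`Procs
+| Body:  "[| G Un (%p. {P p}.      BODY p  .{Q p})`Procs
              ||-(%p. {P p}. the (body p) .{Q p})`Procs |]
        ==>  G||-(%p. {P p}.      BODY p  .{Q p})`Procs"
 
-  Call:     "G|-{P}. BODY pn .{%Z s. Q Z (setlocs s (getlocs s')[X::=s<Res>])}
+| Call:     "G|-{P}. BODY pn .{%Z s. Q Z (setlocs s (getlocs s')[X::=s<Res>])}
        ==> G|-{%Z s. s'=s & P Z (setlocs s newlocs[Loc Arg::=a s])}.
            X:=CALL pn(a) .{Q}"
 
@@ -283,7 +282,7 @@
 apply          (blast) (* asm *)
 apply         (blast) (* cut *)
 apply        (blast) (* weaken *)
-apply       (tactic {* ALLGOALS (EVERY'[REPEAT o thin_tac "?x : hoare_derivs", SIMPSET' simp_tac, CLASET' clarify_tac, REPEAT o smp_tac 1]) *})
+apply       (tactic {* ALLGOALS (EVERY'[REPEAT o thin_tac "hoare_derivs ?x ?y", SIMPSET' simp_tac, CLASET' clarify_tac, REPEAT o smp_tac 1]) *})
 apply       (simp_all (no_asm_use) add: triple_valid_def2)
 apply       (intro strip, tactic "smp_tac 2 1", blast) (* conseq *)
 apply      (tactic {* ALLGOALS (CLASIMPSET' clarsimp_tac) *}) (* Skip, Ass, Local *)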
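Review bot: The first clause under `where` in the rebuilt `hoare_derivs`/`hoare_deriv` definition, `"G |-t == G||-{t}"`, is written with `==` and so is an abbreviation rather than an introduction rule, yet it sits unnamed and uncommented in the same `|`-separated list as `empty`, `insert` and the rest, where it reads like a nameless rule. A comment in front of it, `(* abbreviation, not a rule: a single triple is derivable iff its singleton set is *)`, would make the distinction visible at the point where the old `translations` line that expressed it was removed. The same pattern recurs in the `"csig -[eval]-> s == ..."` and `"esig -|-> ns == ..."` clauses of Induct/Com.thy and the `-1->`/`=1=>` clauses of Induct/Comb.thy in this commit, and a comment of the same shape fits there too. The string pattern passed to `thin_tac` in the last hunk was correspondingly changed to the predicate form, which is consistent with `hoare_derivs` no longer being a set.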
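--- a/src/HOL/IMPP/Natural.thy
+++ b/src/HOL/IMPP/Natural.thy
@@ -11,17 +11,6 @@
 begin
 
 (** Execution of commands **)
-consts
-  evalc :: "(com * state *       state) set"
-  evaln :: "(com * state * nat * state) set"
-
-syntax
-  "@evalc":: "[com,state,    state] => bool"  ("<_,_>/ -c-> _" [0,0,  51] 51)
-  "@evaln":: "[com,state,nat,state] => bool"  ("<_,_>/ -_-> _" [0,0,0,51] 51)
-
-translations
-  "<c,s> -c-> s'" == "(c,s,  s') : evalc"
-  "<c,s> -n-> s'" == "(c,s,n,s') : evaln"
 
 consts
   newlocs :: locals
@@ -33,63 +22,65 @@
 translations
   "s<X>" == "getlocs s X"
 
-inductive evalc
-  intros
+inductive
+  evalc :: "[com,state,    state] => bool"  ("<_,_>/ -c-> _" [0,0,  51] 51)
+  where
     Skip:    "<SKIP,s> -c-> s"
 
-    Assign:  "<X :== a,s> -c-> s[X::=a s]"
+  | Assign:  "<X :== a,s> -c-> s[X::=a s]"
 
-    Local:   "<c, s0[Loc Y::= a s0]> -c-> s1 ==>
+  | Local:   "<c, s0[Loc Y::= a s0]> -c-> s1 ==>
              <LOCAL Y := a IN c, s0> -c-> s1[Loc Y::=s0<Y>]"
 
-    Semi:    "[| <c0,s0> -c-> s1; <c1,s1> -c-> s2 |] ==>
+  | Semi:    "[| <c0,s0> -c-> s1; <c1,s1> -c-> s2 |] ==>
              <c0;; c1, s0> -c-> s2"
 
-    IfTrue:  "[| b s; <c0,s> -c-> s1 |] ==>
+  | IfTrue:  "[| b s; <c0,s> -c-> s1 |] ==>
              <IF b THEN c0 ELSE c1, s> -c-> s1"
 
-    IfFalse: "[| ~b s; <c1,s> -c-> s1 |] ==>
+  | IfFalse: "[| ~b s; <c1,s> -c-> s1 |] ==>
              <IF b THEN c0 ELSE c1, s> -c-> s1"
 
-    WhileFalse: "~b s ==> <WHILE b DO c,s> -c-> s"
+  | WhileFalse: "~b s ==> <WHILE b DO c,s> -c-> s"
 
-    WhileTrue:  "[| b s0;  <c,s0> -c-> s1;  <WHILE b DO c, s1> -c-> s2 |] ==>
+  | WhileTrue:  "[| b s0;  <c,s0> -c-> s1;  <WHILE b DO c, s1> -c-> s2 |] ==>
                 <WHILE b DO c, s0> -c-> s2"
 
-    Body:       "<the (body pn), s0> -c-> s1 ==>
+  | Body:       "<the (body pn), s0> -c-> s1 ==>
                 <BODY pn, s0> -c-> s1"
 
-    Call:       "<BODY pn, (setlocs s0 newlocs)[Loc Arg::=a s0]> -c-> s1 ==>
+  | Call:       "<BODY pn, (setlocs s0 newlocs)[Loc Arg::=a s0]> -c-> s1 ==>
                 <X:=CALL pn(a), s0> -c-> (setlocs s1 (getlocs s0))
                                          [X::=s1<Res>]"
 
-inductive evaln
-  intros
+inductive
+  evaln :: "[com,state,nat,state] => bool"  ("<_,_>/ -_-> _" [0,0,0,51] 51)
+  where
     Skip:    "<SKIP,s> -n-> s"
 
-    Assign:  "<X :== a,s> -n-> s[X::=a s]"
+  | Assign:  "<X :== a,s> -n-> s[X::=a s]"
 
-    Local:   "<c, s0[Loc Y::= a s0]> -n-> s1 ==>
+  | Local:   "<c, s0[Loc Y::= a s0]> -n-> s1 ==>
              <LOCAL Y := a IN c, s0> -n-> s1[Loc Y::=s0<Y>]"
 
-    Semi:    "[| <c0,s0> -n-> s1; <c1,s1> -n-> s2 |] ==>
+  | Semi:    "[| <c0,s0> -n-> s1; <c1,s1> -n-> s2 |] ==>
              <c0;; c1, s0> -n-> s2"
 
-    IfTrue:  "[| b s; <c0,s> -n-> s1 |] ==>
+  | IfTrue:  "[| b s; <c0,s> -n-> s1 |] ==>
              <IF b THEN c0 ELSE c1, s> -n-> s1"
 
-    IfFalse: "[| ~b s; <c1,s> -n-> s1 |] ==>
+  | IfFalse: "[| ~b s; <c1,s> -n-> s1 |] ==>
              <IF b THEN c0 ELSE c1, s> -n-> s1"
 
-    WhileFalse: "~b s ==> <WHILE b DO c,s> -n-> s"
+  | WhileFalse: "~b s ==> <WHILE b DO c,s> -n-> s"
 
-    WhileTrue:  "[| b s0;  <c,s0> -n-> s1;  <WHILE b DO c, s1> -n-> s2 |] ==>
+  | WhileTrue:  "[| b s0;  <c,s0> -n-> s1;  <WHILE b DO c, s1> -n-> s2 |] ==>
                 <WHILE b DO c, s0> -n-> s2"
 
-    Body:       "<the (body pn), s0> -    n-> s1 ==>
+  | Body:       "<the (body pn), s0> -    n-> s1 ==>
                 <BODY pn, s0> -Suc n-> s1"
 
-    Call:       "<BODY pn, (setlocs s0 newlocs)[Loc Arg::=a s0]> -n-> s1 ==>
+  | Call:       "<BODY pn, (setlocs s0 newlocs)[Loc Arg::=a s0]> -n-> s1 ==>
                 <X:=CALL pn(a), s0> -n-> (setlocs s1 (getlocs s0))
                                          [X::=s1<Res>]"
 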
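Review bot: The rebuilt `evaln` definition in the second hunk carries no comment on what its `nat` index means, and with the old `consts` block gone the two near-identical rule sets `evalc` and `evaln` now sit side by side with nothing explaining the difference. From the rules themselves, only `Body` changes the index (premise at `n`, conclusion at `-Suc n->`), while every other rule, `Skip` included, is stated for an arbitrary `n`, so the index appears to bound the nesting depth of `BODY` unfoldings rather than count steps — worth confirming against the lemmas that use it. A one-line comment before the second `inductive`, e.g. `(* evaln: evalc indexed by a bound on the nesting depth of BODY unfoldings; only the Body rule steps n to Suc n *)`, would record that. The stray spacing in `-    n->` inside that `Body` rule is carried over from the old text and could be normalised to `-n->` while the line is being rewritten anyway.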
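--- a/src/HOL/Induct/Com.thy
+++ b/src/HOL/Induct/Com.thy
@@ -15,8 +15,6 @@
 types  state = "loc => nat"
        n2n2n = "nat => nat => nat"
 
-arities loc :: type
-
 datatype
   exp = N nat
       | X loc
@@ -33,36 +31,38 @@
 subsection {* Commands *}
 
 text{* Execution of commands *}
-consts  exec    :: "((exp*state) * (nat*state)) set => ((com*state)*state)set"
-
-abbreviation
-  exec_rel  ("_/ -[_]-> _" [50,0,50] 50)
-  "csig -[eval]-> s == (csig,s) \<in> exec eval"
 
 abbreviation (input)
-  generic_rel  ("_/ -|[_]-> _" [50,0,50] 50)
+  generic_rel  ("_/ -|[_]-> _" [50,0,50] 50)  where
   "esig -|[eval]-> ns == (esig,ns) \<in> eval"
 
 text{*Command execution.  Natural numbers represent Booleans: 0=True, 1=False*}
-inductive "exec eval"
-  intros
-    Skip:    "(SKIP,s) -[eval]-> s"
 
-    Assign:  "(e,s) -|[eval]-> (v,s') ==> (x := e, s) -[eval]-> s'(x:=v)"
+inductive_set
+  exec :: "((exp*state) * (nat*state)) set => ((com*state)*state)set"
+  and exec_rel :: "com * state => ((exp*state) * (nat*state)) set => state => bool"
+    ("_/ -[_]-> _" [50,0,50] 50)
+  for eval :: "((exp*state) * (nat*state)) set"
+  where
+    "csig -[eval]-> s == (csig,s) \<in> exec eval"
 
-    Semi:    "[| (c0,s) -[eval]-> s2; (c1,s2) -[eval]-> s1 |]
+  | Skip:    "(SKIP,s) -[eval]-> s"
+
+  | Assign:  "(e,s) -|[eval]-> (v,s') ==> (x := e, s) -[eval]-> s'(x:=v)"
+
+  | Semi:    "[| (c0,s) -[eval]-> s2; (c1,s2) -[eval]-> s1 |]
             ==> (c0 ;; c1, s) -[eval]-> s1"
 
-    IfTrue: "[| (e,s) -|[eval]-> (0,s');  (c0,s') -[eval]-> s1 |]
+  | IfTrue: "[| (e,s) -|[eval]-> (0,s');  (c0,s') -[eval]-> s1 |]
            ==> (IF e THEN c0 ELSE c1, s) -[eval]-> s1"
 
-    IfFalse: "[| (e,s) -|[eval]->  (Suc 0, s');  (c1,s') -[eval]-> s1 |]
+  | IfFalse: "[| (e,s) -|[eval]->  (Suc 0, s');  (c1,s') -[eval]-> s1 |]
             ==> (IF e THEN c0 ELSE c1, s) -[eval]-> s1"
 
-    WhileFalse: "(e,s) -|[eval]-> (Suc 0, s1)
+  | WhileFalse: "(e,s) -|[eval]-> (Suc 0, s1)
                ==> (WHILE e DO c, s) -[eval]-> s1"
 
-    WhileTrue:  "[| (e,s) -|[eval]-> (0,s1);
+  | WhileTrue:  "[| (e,s) -|[eval]-> (0,s1);
                   (c,s1) -[eval]-> s2;  (WHILE e DO c, s2) -[eval]-> s3 |]
                ==> (WHILE e DO c, s) -[eval]-> s3"
 
@@ -79,11 +79,20 @@
 
 text{*Justifies using "exec" in the inductive definition of "eval"*}
 lemma exec_mono: "A<=B ==> exec(A) <= exec(B)"
-apply (unfold exec.defs )
-apply (rule lfp_mono)
-apply (assumption | rule basic_monos)+
+apply (rule subsetI)
+apply (simp add: split_paired_all)
+apply (erule exec.induct)
+apply blast+
 done
 
+lemma [pred_set_conv]:
+  "((\<lambda>x x' y y'. ((x, x'), (y, y')) \<in> R) <= (\<lambda>x x' y y'. ((x, x'), (y, y')) \<in> S)) = (R <= S)"
+  by (auto simp add: le_fun_def le_bool_def)
+
+lemma [pred_set_conv]:
+  "((\<lambda>x x' y. ((x, x'), y) \<in> R) <= (\<lambda>x x' y. ((x, x'), y) \<in> S)) = (R <= S)"
+  by (auto simp add: le_fun_def le_bool_def)
+
 ML {*
 Unify.trace_bound := 30;
 Unify.search_bound := 60;
@@ -102,23 +111,21 @@
 subsection {* Expressions *}
 
 text{* Evaluation of arithmetic expressions *}
-consts
-  eval    :: "((exp*state) * (nat*state)) set"
-
-abbreviation
-  eval_rel :: "[exp*state,nat*state] => bool"         (infixl "-|->" 50)
-  "esig -|-> ns == (esig, ns) \<in> eval"
 
-inductive eval
-  intros
-    N [intro!]: "(N(n),s) -|-> (n,s)"
+inductive_set
+  eval    :: "((exp*state) * (nat*state)) set"
+  and eval_rel :: "[exp*state,nat*state] => bool"  (infixl "-|->" 50)
+  where
+    "esig -|-> ns == (esig, ns) \<in> eval"
 
-    X [intro!]: "(X(x),s) -|-> (s(x),s)"
+  | N [intro!]: "(N(n),s) -|-> (n,s)"
 
-    Op [intro]: "[| (e0,s) -|-> (n0,s0);  (e1,s0)  -|-> (n1,s1) |]
+  | X [intro!]: "(X(x),s) -|-> (s(x),s)"
+
+  | Op [intro]: "[| (e0,s) -|-> (n0,s0);  (e1,s0)  -|-> (n1,s1) |]
                ==> (Op f e0 e1, s) -|-> (f n0 n1, s1)"
 
-    valOf [intro]: "[| (c,s) -[eval]-> s0;  (e,s0)  -|-> (n,s1) |]
+  | valOf [intro]: "[| (c,s) -[eval]-> s0;  (e,s0)  -|-> (n,s1) |]
                   ==> (VALOF c RESULTIS e, s) -|-> (n, s1)"
 
   monos exec_mono
@@ -135,7 +142,7 @@
 by (rule fun_upd_same [THEN subst], fast)
 
 
-text{* Make the induction rule look nicer -- though eta_contract makes the new
+text{* Make the induction rule look nicer -- though @{text eta_contract} makes the new
    version look worse than it is...*}
 
 lemma split_lemma:
@@ -167,11 +174,11 @@
 done
 
 
-text{*Lemma for Function_eval.  The major premise is that (c,s) executes to s1
+text{*Lemma for @{text Function_eval}.  The major premise is that @{text "(c,s)"} executes to @{text "s1"}
   using eval restricted to its functional part.  Note that the execution
-  (c,s) -[eval]-> s2 can use unrestricted eval!  The reason is that
-  the execution (c,s) -[eval Int {...}]-> s1 assures us that execution is
-  functional on the argument (c,s).
+  @{text "(c,s) -[eval]-> s2"} can use unrestricted @{text eval}!  The reason is that
+  the execution @{text "(c,s) -[eval Int {...}]-> s1"} assures us that execution is
+  functional on the argument @{text "(c,s)"}.
 *}
 lemma com_Unique:
  "(c,s) -[eval Int {((e,s),(n,t)). \<forall>nt'. (e,s) -|-> nt' --> (n,t)=nt'}]-> s1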
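Review bot: The two new `lemma [pred_set_conv]:` statements added after `exec_mono` in the third hunk are anonymous, so they are reachable only through the attribute and cannot be cited, inspected or retracted individually later on. Naming them, e.g. `lemma pred_set_conv_pair_pair [pred_set_conv]:` and `lemma pred_set_conv_pair_single [pred_set_conv]:`, costs nothing, and a one-line comment stating why they belong in this theory would help — I take it they let the package relate the set-valued `exec`/`eval` to their predicate forms over paired arguments, as needed for the `monos exec_mono` declaration further down, but that is an inference to confirm. The neighbouring `text{*Justifies using "exec" in the inductive definition of "eval"*}` comment already sets the precedent for explaining such support lemmas. The `com_Unique` statement on the last line continues past the end of the hunk.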
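--- a/src/HOL/Induct/Comb.thy
+++ b/src/HOL/Induct/Comb.thy
@@ -34,47 +34,39 @@
   (multi-step) reductions, @{text "--->"}.
 *}
 
-consts
-  contract  :: "(comb*comb) set"
-
-abbreviation
-  contract_rel1 :: "[comb,comb] => bool"   (infixl "-1->" 50) where
-  "x -1-> y == (x,y) \<in> contract"
+inductive_set
+  contract :: "(comb*comb) set"
+  and contract_rel1 :: "[comb,comb] => bool"  (infixl "-1->" 50)
+  where
+    "x -1-> y == (x,y) \<in> contract"
+   | K:     "K##x##y -1-> x"
+   | S:     "S##x##y##z -1-> (x##z)##(y##z)"
+   | Ap1:   "x-1->y ==> x##z -1-> y##z"
+   | Ap2:   "x-1->y ==> z##x -1-> z##y"
 
 abbreviation
   contract_rel :: "[comb,comb] => bool"   (infixl "--->" 50) where
   "x ---> y == (x,y) \<in> contract^*"
 
-inductive contract
-  intros
-    K:     "K##x##y -1-> x"
-    S:     "S##x##y##z -1-> (x##z)##(y##z)"
-    Ap1:   "x-1->y ==> x##z -1-> y##z"
-    Ap2:   "x-1->y ==> z##x -1-> z##y"
-
 text {*
   Inductive definition of parallel contractions, @{text "=1=>"} and
   (multi-step) parallel reductions, @{text "===>"}.
 *}
 
-consts
+inductive_set
   parcontract :: "(comb*comb) set"
-
-abbreviation
-  parcontract_rel1 :: "[comb,comb] => bool"   (infixl "=1=>" 50) where
-  "x =1=> y == (x,y) \<in> parcontract"
+  and parcontract_rel1 :: "[comb,comb] => bool"  (infixl "=1=>" 50)
+  where
+    "x =1=> y == (x,y) \<in> parcontract"
+  | refl:  "x =1=> x"
+  | K:     "K##x##y =1=> x"
+  | S:     "S##x##y##z =1=> (x##z)##(y##z)"
+  | Ap:    "[| x=1=>y;  z=1=>w |] ==> x##z =1=> y##w"
 
 abbreviation
   parcontract_rel :: "[comb,comb] => bool"   (infixl "===>" 50) where
   "x ===> y == (x,y) \<in> parcontract^*"
 
-inductive parcontract
-  intros
-    refl:  "x =1=> x"
-    K:     "K##x##y =1=> x"
-    S:     "S##x##y##z =1=> (x##z)##(y##z)"
-    Ap:    "[| x=1=>y;  z=1=>w |] ==> x##z =1=> y##w"
-
 text {*
   Misc definitions.
 *}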
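Review bot: The rule clauses of the new `contract` definition are indented with three spaces (`   | K:`, `   | S:`, `   | Ap1:`, `   | Ap2:`) while those of `parcontract` a few lines further down use two (`  | refl:`, `  | K:`, …), so the two definitions that are meant to be read side by side line up differently. Settling on the `  | ` form, which is also what the rest of this commit uses in IMPP/Natural.thy and Induct/Com.thy, keeps the file consistent. Isabelle does not attach meaning to the indentation, so this is purely a matter of how the two definitions read.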
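--- a/src/HOL/Induct/LFilter.thy
+++ b/src/HOL/Induct/LFilter.thy
@@ -9,13 +9,12 @@
 
 theory LFilter imports LList begin
 
-consts
+inductive_set
   findRel	:: "('a => bool) => ('a llist * 'a llist)set"
-
-inductive "findRel p"
-  intros
+  for p :: "'a => bool"
+  where
     found:  "p x ==> (LCons x l, LCons x l) \<in> findRel p"
-    seek:   "[| ~p x;  (l,l') \<in> findRel p |] ==> (LCons x l, l') \<in> findRel p"
+  | seek:   "[| ~p x;  (l,l') \<in> findRel p |] ==> (LCons x l, l') \<in> findRel p"
 
 declare findRel.intros [intro]
 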
    54.1 --- a/src/HOL/Induct/LList.thy	Wed Jul 11 11:13:08 2007 +0200
    54.2 +++ b/src/HOL/Induct/LList.thy	Wed Jul 11 11:14:51 2007 +0200
    54.3 @@ -24,21 +24,19 @@
    54.4  
    54.5  theory LList imports SList begin
    54.6  
    54.7 -consts
    54.8 -
    54.9 +coinductive_set
   54.10    llist  :: "'a item set => 'a item set"
   54.11 -  LListD :: "('a item * 'a item)set => ('a item * 'a item)set"
   54.12 -
   54.13 +  for A :: "'a item set"
   54.14 +  where
   54.15 +    NIL_I:  "NIL \<in> llist(A)"
   54.16 +  | CONS_I:         "[| a \<in> A;  M \<in> llist(A) |] ==> CONS a M \<in> llist(A)"
   54.17  
   54.18 -coinductive "llist(A)"
   54.19 -  intros
   54.20 -    NIL_I:  "NIL \<in> llist(A)"
   54.21 -    CONS_I:         "[| a \<in> A;  M \<in> llist(A) |] ==> CONS a M \<in> llist(A)"
   54.22 -
   54.23 -coinductive "LListD(r)"
   54.24 -  intros
   54.25 +coinductive_set
   54.26 +  LListD :: "('a item * 'a item)set => ('a item * 'a item)set"
   54.27 +  for r :: "('a item * 'a item)set"
   54.28 +  where
   54.29      NIL_I:  "(NIL, NIL) \<in> LListD(r)"
   54.30 -    CONS_I:         "[| (a,b) \<in> r;  (M,N) \<in> LListD(r) |] 
   54.31 +  | CONS_I:         "[| (a,b) \<in> r;  (M,N) \<in> LListD(r) |] 
   54.32                       ==> (CONS a M, CONS b N) \<in> LListD(r)"
   54.33  
   54.34  
   54.35 @@ -159,11 +157,19 @@
   54.36  declare option.split [split]
   54.37  
   54.38  text{*This justifies using llist in other recursive type definitions*}
   54.39 -lemma llist_mono: "A\<subseteq>B ==> llist(A) \<subseteq> llist(B)"
   54.40 -apply (simp add: llist.defs)
   54.41 -apply (rule gfp_mono)
   54.42 -apply (assumption | rule basic_monos)+
   54.43 -done
   54.44 +lemma llist_mono:
   54.45 +  assumes subset: "A \<subseteq> B"
   54.46 +  shows "llist A \<subseteq> llist B"
   54.47 +proof
   54.48 +  fix x
   54.49 +  assume "x \<in> llist A"
   54.50 +  then show "x \<in> llist B"
   54.51 +  proof coinduct
   54.52 +    case llist
   54.53 +    then show ?case using subset
   54.54 +      by cases blast+
   54.55 +  qed
   54.56 +qed
   54.57  
   54.58  
   54.59  lemma llist_unfold: "llist(A) = usum {Numb(0)} (uprod A (llist A))"
   54.60 @@ -195,9 +201,9 @@
   54.61  
   54.62  text{*Utilise the ``strong'' part, i.e. @{text "gfp(f)"}*}
   54.63  lemma list_Fun_llist_I: "M \<in> llist(A) ==> M \<in> list_Fun A (X Un llist(A))"
   54.64 -apply (unfold llist.defs list_Fun_def)
   54.65 -apply (rule gfp_fun_UnI2) 
   54.66 -apply (rule monoI, auto)
   54.67 +apply (unfold list_Fun_def)
   54.68 +apply (erule llist.cases)
   54.69 +apply auto
   54.70  done
   54.71  
   54.72  subsection{* @{text LList_corec} satisfies the desired recurion equation *}
   54.73 @@ -278,10 +284,10 @@
   54.74  text{*The domain of the @{text LListD} relation*}
   54.75  lemma Domain_LListD: 
   54.76      "Domain (LListD(diag A)) \<subseteq> llist(A)"
   54.77 -apply (simp add: llist.defs NIL_def CONS_def)
   54.78 -apply (rule gfp_upperbound)
   54.79 -txt{*avoids unfolding @{text LListD} on the rhs*}
   54.80 -apply (rule_tac P = "%x. Domain x \<subseteq> ?B" in LListD_unfold [THEN ssubst], auto) 
   54.81 +apply (rule subsetI)
   54.82 +apply (erule llist.coinduct)
   54.83 +apply (simp add: NIL_def CONS_def)
   54.84 +apply (drule_tac P = "%x. xa \<in> Domain x" in LListD_unfold [THEN subst], auto)
   54.85  done
   54.86  
   54.87  text{*This inclusion justifies the use of coinduction to show @{text "M = N"}*}
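Review bot: The `drule_tac P = "%x. xa \<in> Domain x"` step at 54.84 refers to `xa`, a name generated by the preceding `subsetI` / `llist.coinduct` steps rather than one chosen in the proof, so the script breaks as soon as the generated coinduction rule or `subsetI` renames its bound variable; the old script avoided this with the schematic `?B`. Fixing the element explicitly (a `rename_tac` before the `drule_tac`, or an Isar `fix`) would make the step robust — which of the two applies at that subgoal I cannot confirm from the hunk. The removed `txt{*avoids unfolding @{text LListD} on the rhs*}` remark still describes the new `LListD_unfold [THEN subst]` trick and is worth keeping.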
   54.88 @@ -305,6 +311,7 @@
   54.89  
   54.90  lemma LListD_coinduct: 
   54.91      "[| M \<in> X;  X \<subseteq> LListD_Fun r (X Un LListD(r)) |] ==>  M \<in> LListD(r)"
   54.92 +apply (cases M)
   54.93  apply (simp add: LListD_Fun_def)
   54.94  apply (erule LListD.coinduct)
   54.95  apply (auto ); 
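Review bot: The added `apply (cases M)` at 54.92 carries no comment, and nothing nearby says why a case split on the argument is now needed; presumably the coinduction rule generated by the new package is stated for a pair `(a, b) \<in> LListD r`, so `M` has to be split into components before `erule LListD.coinduct` unifies — this should be confirmed. A `txt{*split @{text M} into a pair so that @{text LListD.coinduct} applies*}` line after the `apply (cases M)` would record the reason. The same unexplained `apply (cases M)` is added to `LListD_Fun_LListD_I` in the hunk at 54.103.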
   54.96 @@ -320,9 +327,10 @@
   54.97  text{*Utilise the "strong" part, i.e. @{text "gfp(f)"}*}
   54.98  lemma LListD_Fun_LListD_I:
   54.99       "M \<in> LListD(r) ==> M \<in> LListD_Fun r (X Un LListD(r))"
  54.100 -apply (unfold LListD.defs LListD_Fun_def)
  54.101 -apply (rule gfp_fun_UnI2) 
  54.102 -apply (rule monoI, auto)
  54.103 +apply (cases M)
  54.104 +apply (simp add: LListD_Fun_def)
  54.105 +apply (erule LListD.cases)
  54.106 +apply auto
  54.107  done
  54.108  
  54.109  
  54.110 @@ -523,7 +531,7 @@
  54.111  apply (rule LList_equalityI)
  54.112  apply (erule imageI)
  54.113  apply (rule image_subsetI)
  54.114 -apply (erule_tac aa=x in llist.cases)
  54.115 +apply (erule_tac a=x in llist.cases)
  54.116  apply (erule ssubst, erule ssubst, erule LListD_Fun_diag_I, blast) 
  54.117  done
  54.118  
  54.119 @@ -608,8 +616,8 @@
  54.120  apply (rule_tac X = "\<Union>u\<in>llist (A) . \<Union>v \<in> llist (A) . {Lappend u v}" in llist_coinduct)
  54.121  apply fast
  54.122  apply safe
  54.123 -apply (erule_tac aa = u in llist.cases)
  54.124 -apply (erule_tac aa = v in llist.cases, simp_all, blast)
  54.125 +apply (erule_tac a = u in llist.cases)
  54.126 +apply (erule_tac a = v in llist.cases, simp_all, blast)
  54.127  done
  54.128  
  54.129  text{*strong co-induction: bisimulation and case analysis on one variable*}
  54.130 @@ -617,7 +625,7 @@
  54.131  apply (rule_tac X = "(%u. Lappend u N) `llist (A)" in llist_coinduct)
  54.132  apply (erule imageI)
  54.133  apply (rule image_subsetI)
  54.134 -apply (erule_tac aa = x in llist.cases)
  54.135 +apply (erule_tac a = x in llist.cases)
  54.136  apply (simp add: list_Fun_llist_I, simp)
  54.137  done
  54.138  
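--- a/src/HOL/Induct/Mutil.thy
+++ b/src/HOL/Induct/Mutil.thy
@@ -15,18 +15,19 @@
   the Mutilated Checkerboard Problem by J McCarthy.
 *}
 
-consts tiling :: "'a set set => 'a set set"
-inductive "tiling A"
-  intros
+inductive_set
+  tiling :: "'a set set => 'a set set"
+  for A :: "'a set set"
+  where
     empty [simp, intro]: "{} \<in> tiling A"
-    Un [simp, intro]:    "[| a \<in> A; t \<in> tiling A; a \<inter> t = {} |] 
+  | Un [simp, intro]:    "[| a \<in> A; t \<in> tiling A; a \<inter> t = {} |] 
                           ==> a \<union> t \<in> tiling A"
 
-consts domino :: "(nat \<times> nat) set set"
-inductive domino
-  intros
+inductive_set
+  domino :: "(nat \<times> nat) set set"
+  where
     horiz [simp]: "{(i, j), (i, Suc j)} \<in> domino"
-    vertl [simp]: "{(i, j), (Suc i, j)} \<in> domino"
+  | vertl [simp]: "{(i, j), (Suc i, j)} \<in> domino"
 
 text {* \medskip Sets of squares of the given colour*}
 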
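--- a/src/HOL/Induct/PropLog.thy
+++ b/src/HOL/Induct/PropLog.thy
@@ -26,20 +26,15 @@
 
 subsection {* The proof system *}
 
-consts
-  thms  :: "'a pl set => 'a pl set"
-
-abbreviation
-  thm_rel :: "['a pl set, 'a pl] => bool"   (infixl "|-" 50) where
-  "H |- p == p \<in> thms H"
-
-inductive "thms(H)"
-  intros
-  H [intro]:  "p\<in>H ==> H |- p"
-  K:          "H |- p->q->p"
-  S:          "H |- (p->q->r) -> (p->q) -> p->r"
-  DN:         "H |- ((p->false) -> false) -> p"
-  MP:         "[| H |- p->q; H |- p |] ==> H |- q"
+inductive
+  thms :: "['a pl set, 'a pl] => bool"  (infixl "|-" 50)
+  for H :: "'a pl set"
+  where
+    H [intro]:  "p\<in>H ==> H |- p"
+  | K:          "H |- p->q->p"
+  | S:          "H |- (p->q->r) -> (p->q) -> p->r"
+  | DN:         "H |- ((p->false) -> false) -> p"
+  | MP:         "[| H |- p->q; H |- p |] ==> H |- q"
 
 subsection {* The semantics *}
 
@@ -80,9 +75,9 @@
 subsection {* Proof theory of propositional logic *}
 
 lemma thms_mono: "G<=H ==> thms(G) <= thms(H)"
-apply (unfold thms.defs )
-apply (rule lfp_mono)
-apply (assumption | rule basic_monos)+
+apply (rule predicate1I)
+apply (erule thms.induct)
+apply (auto intro: thms.intros)
 done
 
 lemma thms_I: "H |- p->p"
@@ -94,7 +89,7 @@
 
 lemma weaken_left: "[| G \<subseteq> H;  G|-p |] ==> H|-p"
   -- {* Order of premises is convenient with @{text THEN} *}
-  by (erule thms_mono [THEN subsetD])
+  by (erule thms_mono [THEN predicate1D])
 
 lemmas weaken_left_insert = subset_insertI [THEN weaken_left]
 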
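Review bot: `thms` changes type in the first hunk from a set-valued function to a two-place predicate, but the statement of `thms_mono` (`thms(G) <= thms(H)`) is left as it was, so `<=` there now silently denotes the pointwise ordering of predicates rather than set inclusion; the only visible hint is the `subsetD` → `predicate1D` swap in `weaken_left`. A short remark on the lemma would spare the next reader a type-inference detour, e.g. `-- {* @{text thms} is a predicate, so @{text "<="} is the pointwise order *}`. Any client outside this theory that treated `thms H` as a set (`p \<in> thms H`) would need the same adaptation; whether such clients exist is not visible here.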
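--- a/src/HOL/Induct/QuoDataType.thy
+++ b/src/HOL/Induct/QuoDataType.thy
@@ -19,31 +19,25 @@
 	     | DECRYPT  nat freemsg
 
 text{*The equivalence relation, which makes encryption and decryption inverses
-provided the keys are the same.*}
-consts  msgrel :: "(freemsg * freemsg) set"
-
-abbreviation
-  msg_rel :: "[freemsg, freemsg] => bool"  (infixl "~~" 50) where
-  "X ~~ Y == (X,Y) \<in> msgrel"
+provided the keys are the same.
 
-notation (xsymbols)
-  msg_rel  (infixl "\<sim>" 50)
-notation (HTML output)
-  msg_rel  (infixl "\<sim>" 50)
-
-text{*The first two rules are the desired equations. The next four rules
+The first two rules are the desired equations. The next four rules
 make the equations applicable to subterms. The last two rules are symmetry
 and transitivity.*}
-inductive "msgrel"
-  intros 
-    CD:    "CRYPT K (DECRYPT K X) \<sim> X"
-    DC:    "DECRYPT K (CRYPT K X) \<sim> X"
-    NONCE: "NONCE N \<sim> NONCE N"
-    MPAIR: "\<lbrakk>X \<sim> X'; Y \<sim> Y'\<rbrakk> \<Longrightarrow> MPAIR X Y \<sim> MPAIR X' Y'"
-    CRYPT: "X \<sim> X' \<Longrightarrow> CRYPT K X \<sim> CRYPT K X'"
-    DECRYPT: "X \<sim> X' \<Longrightarrow> DECRYPT K X \<sim> DECRYPT K X'"
-    SYM:   "X \<sim> Y \<Longrightarrow> Y \<sim> X"
-    TRANS: "\<lbrakk>X \<sim> Y; Y \<sim> Z\<rbrakk> \<Longrightarrow> X \<sim> Z"
+
+inductive_set
+  msgrel :: "(freemsg * freemsg) set"
+  and msg_rel :: "[freemsg, freemsg] => bool"  (infixl "\<sim>" 50)
+  where
+    "X \<sim> Y == (X,Y) \<in> msgrel"
+  | CD:    "CRYPT K (DECRYPT K X) \<sim> X"
+  | DC:    "DECRYPT K (CRYPT K X) \<sim> X"
+  | NONCE: "NONCE N \<sim> NONCE N"
+  | MPAIR: "\<lbrakk>X \<sim> X'; Y \<sim> Y'\<rbrakk> \<Longrightarrow> MPAIR X Y \<sim> MPAIR X' Y'"
+  | CRYPT: "X \<sim> X' \<Longrightarrow> CRYPT K X \<sim> CRYPT K X'"
+  | DECRYPT: "X \<sim> X' \<Longrightarrow> DECRYPT K X \<sim> DECRYPT K X'"
+  | SYM:   "X \<sim> Y \<Longrightarrow> Y \<sim> X"
+  | TRANS: "\<lbrakk>X \<sim> Y; Y \<sim> Z\<rbrakk> \<Longrightarrow> X \<sim> Z"
 
 
 text{*Proving that it is an equivalence relation*}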
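Review bot: Folding `msg_rel` into the `inductive_set ... and msg_rel` declaration drops the ASCII `~~` infix and the separate `notation (xsymbols)` / `notation (HTML output)` declarations, leaving `\<sim>` as the only way to write the relation. That is an interface change — probably intended — for any theory or document that used `X ~~ Y`; if the ASCII form is deliberately retired, one sentence in the `text{* ... *}` block above the definition (`The relation is written @{text "\<sim>"}.`) would make the intent explicit. The same change is made to `exprel` / `exp_rel` in QuoNestedDataType.thy.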
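--- a/src/HOL/Induct/QuoNestedDataType.thy
+++ b/src/HOL/Induct/QuoNestedDataType.thy
@@ -18,28 +18,21 @@
 	     | FNCALL  nat "freeExp list"
 
 text{*The equivalence relation, which makes PLUS associative.*}
-consts  exprel :: "(freeExp * freeExp) set"
-
-abbreviation
-  exp_rel :: "[freeExp, freeExp] => bool"  (infixl "~~" 50) where
-  "X ~~ Y == (X,Y) \<in> exprel"
-
-notation (xsymbols)
-  exp_rel  (infixl "\<sim>" 50)
-notation (HTML output)
-  exp_rel  (infixl "\<sim>" 50)
 
 text{*The first rule is the desired equation. The next three rules
 make the equations applicable to subterms. The last two rules are symmetry
 and transitivity.*}
-inductive "exprel"
-  intros 
-    ASSOC: "PLUS X (PLUS Y Z) \<sim> PLUS (PLUS X Y) Z"
-    VAR: "VAR N \<sim> VAR N"
-    PLUS: "\<lbrakk>X \<sim> X'; Y \<sim> Y'\<rbrakk> \<Longrightarrow> PLUS X Y \<sim> PLUS X' Y'"
-    FNCALL: "(Xs,Xs') \<in> listrel exprel \<Longrightarrow> FNCALL F Xs \<sim> FNCALL F Xs'"
-    SYM:   "X \<sim> Y \<Longrightarrow> Y \<sim> X"
-    TRANS: "\<lbrakk>X \<sim> Y; Y \<sim> Z\<rbrakk> \<Longrightarrow> X \<sim> Z"
+inductive_set
+  exprel :: "(freeExp * freeExp) set"
+  and exp_rel :: "[freeExp, freeExp] => bool"  (infixl "\<sim>" 50)
+  where
+    "X \<sim> Y == (X,Y) \<in> exprel"
+  | ASSOC: "PLUS X (PLUS Y Z) \<sim> PLUS (PLUS X Y) Z"
+  | VAR: "VAR N \<sim> VAR N"
+  | PLUS: "\<lbrakk>X \<sim> X'; Y \<sim> Y'\<rbrakk> \<Longrightarrow> PLUS X Y \<sim> PLUS X' Y'"
+  | FNCALL: "(Xs,Xs') \<in> listrel exprel \<Longrightarrow> FNCALL F Xs \<sim> FNCALL F Xs'"
+  | SYM:   "X \<sim> Y \<Longrightarrow> Y \<sim> X"
+  | TRANS: "\<lbrakk>X \<sim> Y; Y \<sim> Z\<rbrakk> \<Longrightarrow> X \<sim> Z"
   monos listrel_mono
 
 
@@ -47,7 +40,7 @@
 
 lemma exprel_refl: "X \<sim> X"
   and list_exprel_refl: "(Xs,Xs) \<in> listrel(exprel)"
-  by (induct X and Xs) (blast intro: exprel.intros listrel_intros)+
+  by (induct X and Xs) (blast intro: exprel.intros listrel.intros)+
 
 theorem equiv_exprel: "equiv UNIV exprel"
 proof -
@@ -63,13 +56,13 @@
 
 lemma FNCALL_Nil: "FNCALL F [] \<sim> FNCALL F []"
 apply (rule exprel.intros) 
-apply (rule listrel_intros) 
+apply (rule listrel.intros) 
 done
 
 lemma FNCALL_Cons:
      "\<lbrakk>X \<sim> X'; (Xs,Xs') \<in> listrel(exprel)\<rbrakk>
      \<Longrightarrow> FNCALL F (X#Xs) \<sim> FNCALL F (X'#Xs')"
-by (blast intro: exprel.intros listrel_intros) 
+by (blast intro: exprel.intros listrel.intros) 
 
 
 
@@ -98,7 +91,7 @@
   (the abstract constructor) is injective*}
 theorem exprel_imp_eq_freevars: "U \<sim> V \<Longrightarrow> freevars U = freevars V"
 apply (induct set: exprel) 
-apply (erule_tac [4] listrel_induct) 
+apply (erule_tac [4] listrel.induct) 
 apply (simp_all add: Un_assoc)
 done
 
@@ -129,7 +122,7 @@
 
 theorem exprel_imp_eq_freefun:
      "U \<sim> V \<Longrightarrow> freefun U = freefun V"
-  by (induct set: exprel) (simp_all add: listrel_intros)
+  by (induct set: exprel) (simp_all add: listrel.intros)
 
 
 text{*This function, which returns the list of function arguments, is used to
@@ -143,8 +136,8 @@
 theorem exprel_imp_eqv_freeargs:
      "U \<sim> V \<Longrightarrow> (freeargs U, freeargs V) \<in> listrel exprel"
 apply (induct set: exprel)
-apply (erule_tac [4] listrel_induct) 
-apply (simp_all add: listrel_intros)
+apply (erule_tac [4] listrel.induct) 
+apply (simp_all add: listrel.intros)
 apply (blast intro: symD [OF equiv.sym [OF equiv_list_exprel]])
 apply (blast intro: transD [OF equiv.trans [OF equiv_list_exprel]])
 done
@@ -258,7 +251,7 @@
      "FnCall F [Abs_Exp(exprel``{U})] = Abs_Exp (exprel``{FNCALL F [U]})"
 proof -
   have "(\<lambda>U. exprel `` {FNCALL F [U]}) respects exprel"
-    by (simp add: congruent_def FNCALL_Cons listrel_intros)
+    by (simp add: congruent_def FNCALL_Cons listrel.intros)
   thus ?thesis
     by (simp add: FnCall_def UN_equiv_class [OF equiv_exprel])
 qed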
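--- a/src/HOL/Induct/ROOT.ML
+++ b/src/HOL/Induct/ROOT.ML
@@ -13,3 +13,4 @@
 time_use_thy "PropLog";
 time_use_thy "SList";
 time_use_thy "LFilter";
+time_use_thy "Com";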
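Review bot: Adding `time_use_thy "Com";` enables the `Com` theory in the Induct session, which goes beyond the adaptation described by the commit message ("Adapted to new inductive definition package"); a sentence in the description saying that Com is (re-)added to the session build would help anyone later bisecting changes in what the session checks. Whether Com was previously left out because it did not build is not visible here.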
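--- a/src/HOL/Induct/SList.thy
+++ b/src/HOL/Induct/SList.thy
@@ -46,12 +46,12 @@
   CONS :: "['a item, 'a item] => 'a item" where
   "CONS M N = In1(Scons M N)"
 
-consts
-  list      :: "'a item set => 'a item set"
-inductive "list(A)"
-  intros
+inductive_set
+  list :: "'a item set => 'a item set"
+  for A :: "'a item set"
+  where
     NIL_I:  "NIL: list A"
-    CONS_I: "[| a: A;  M: list A |] ==> CONS a M : list A"
+  | CONS_I: "[| a: A;  M: list A |] ==> CONS a M : list A"
 
 
 typedef (List)
@@ -149,6 +149,8 @@
   ttl       :: "'a list => 'a list" where
   "ttl xs   = list_rec xs [] (%x xs r. xs)"
 
+(*<*)no_syntax
+    member :: "'a \<Rightarrow> 'a list \<Rightarrow> bool" (infixl "mem" 55)(*>*)
 definition
   member :: "['a, 'a list] => bool"    (infixl "mem" 55) where
   "x mem xs = list_rec xs False (%y ys r. if y=x then True else r)"
@@ -254,16 +256,17 @@
 
 (*This justifies using list in other recursive type definitions*)
 lemma list_mono: "A<=B ==> list(A) <= list(B)"
-apply (unfold list.defs )
-apply (rule lfp_mono)
-apply (assumption | rule basic_monos)+
+apply (rule subsetI)
+apply (erule list.induct)
+apply (auto intro!: list.intros)
 done
 
 (*Type checking -- list creates well-founded sets*)
 lemma list_sexp: "list(sexp) <= sexp"
-apply (unfold NIL_def CONS_def list.defs)
-apply (rule lfp_lowerbound)
-apply (fast intro: sexp.intros sexp_In0I sexp_In1I)
+apply (rule subsetI)
+apply (erule list.induct)
+apply (unfold NIL_def CONS_def)
+apply (auto intro: sexp.intros sexp_In0I sexp_In1I)
 done
 
 (* A <= sexp ==> list(A) <= sexp *)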
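Review bot: The `(*<*)no_syntax member :: ... (infixl "mem" 55)(*>*)` added before the `member` definition in the hunk at 60.25 has no explanation; it presumably withdraws a library `mem` infix so that this theory's own `member` / `mem` can be declared without a syntax clash, but that is inferred, not visible in the hunk. A comment next to it, e.g. `(*withdraw the library's "mem" syntax; this theory defines its own member/mem*)`, would tell the reader why syntax surgery is needed at this point. The `(*<*) ... (*>*)` markers hide the line from the generated document, which makes an in-source comment more, not less, important.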
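--- a/src/HOL/Induct/Sexp.thy
+++ b/src/HOL/Induct/Sexp.thy
@@ -14,14 +14,12 @@
 abbreviation "Leaf == Datatype.Leaf"
 abbreviation "Numb == Datatype.Numb"
 
-consts
+inductive_set
   sexp      :: "'a item set"
-
-inductive sexp
-  intros
+  where
     LeafI:  "Leaf(a) \<in> sexp"
-    NumbI:  "Numb(i) \<in> sexp"
-    SconsI: "[| M \<in> sexp;  N \<in> sexp |] ==> Scons M N \<in> sexp"
+  | NumbI:  "Numb(i) \<in> sexp"
+  | SconsI: "[| M \<in> sexp;  N \<in> sexp |] ==> Scons M N \<in> sexp"
 
 definition
   sexp_case :: "['a=>'b, nat=>'b, ['a item, 'a item]=>'b, 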
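--- a/src/HOL/Induct/Sigma_Algebra.thy
+++ b/src/HOL/Induct/Sigma_Algebra.thy
@@ -13,15 +13,14 @@
   \<sigma>}-algebra over a given set of sets.
 *}
 
-consts
+inductive_set
   \<sigma>_algebra :: "'a set set => 'a set set"
-
-inductive "\<sigma>_algebra A"
-  intros
+  for A :: "'a set set"
+  where
     basic: "a \<in> A ==> a \<in> \<sigma>_algebra A"
-    UNIV: "UNIV \<in> \<sigma>_algebra A"
-    complement: "a \<in> \<sigma>_algebra A ==> -a \<in> \<sigma>_algebra A"
-    Union: "(!!i::nat. a i \<in> \<sigma>_algebra A) ==> (\<Union>i. a i) \<in> \<sigma>_algebra A"
+  | UNIV: "UNIV \<in> \<sigma>_algebra A"
+  | complement: "a \<in> \<sigma>_algebra A ==> -a \<in> \<sigma>_algebra A"
+  | Union: "(!!i::nat. a i \<in> \<sigma>_algebra A) ==> (\<Union>i. a i) \<in> \<sigma>_algebra A"
 
 text {*
   The following basic facts are consequences of the closure properties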
    63.1 --- a/src/HOL/Isar_examples/MutilatedCheckerboard.thy	Wed Jul 11 11:13:08 2007 +0200
    63.2 +++ b/src/HOL/Isar_examples/MutilatedCheckerboard.thy	Wed Jul 11 11:14:51 2007 +0200
    63.3 @@ -17,13 +17,12 @@
    63.4  
    63.5  subsection {* Tilings *}
    63.6  
    63.7 -consts
    63.8 +inductive_set
    63.9    tiling :: "'a set set => 'a set set"
   63.10 -
   63.11 -inductive "tiling A"
   63.12 -  intros
   63.13 +  for A :: "'a set set"
   63.14 +  where
   63.15      empty: "{} : tiling A"
   63.16 -    Un: "a : A ==> t : tiling A ==> a <= - t ==> a Un t : tiling A"
   63.17 +  | Un: "a : A ==> t : tiling A ==> a <= - t ==> a Un t : tiling A"
   63.18  
   63.19  
   63.20  text "The union of two disjoint tilings is a tiling."
   63.21 @@ -118,13 +117,11 @@
   63.22  
   63.23  subsection {* Dominoes *}
   63.24  
   63.25 -consts
   63.26 +inductive_set
   63.27    domino :: "(nat * nat) set set"
   63.28 -
   63.29 -inductive domino
   63.30 -  intros
   63.31 +  where
   63.32      horiz: "{(i, j), (i, j + 1)} : domino"
   63.33 -    vertl: "{(i, j), (i + 1, j)} : domino"
   63.34 +  | vertl: "{(i, j), (i + 1, j)} : domino"
   63.35  
   63.36  lemma dominoes_tile_row:
   63.37    "{i} <*> below (2 * n) : tiling domino"