nominal2: comparison Pearl-jv/Paper.thy

equal deleted inserted replaced

-:3c769bf10e63
+:2c6851248b3f
 In the nominal logic woworkrk, the `new quantifier' plays a prominent role.
 $\new$
+Obstacles for Coq; no type-classes, difficulties with quotient types,
+need for classical reasoning
 Two binders
 A preliminary version
 *}
 atoms. However, we found that this does not blend well with
 type-classes in Isabelle/HOL (see Section~\ref{related} about
 related work).  Therefore we use here a single unified atom type to
 represent atoms of different sorts. A basic requirement is that
 there must be a countably infinite number of atoms of each sort.
-This can be implemented as the datatype
+This can be implemented in Isabelle/HOL as the datatype
 *}
 datatype atom\<iota> = Atom\<iota> string nat
 \begin{proposition}\label{choosefresh}\mbox{}\\
 @{text "For a finite set of atoms S, there exists an atom a such that
 sort a = s and a \<notin> S"}.
 \end{proposition}
+\noindent
+This property will be used later on whenever we have to chose a `fresh' atom.
 For implementing sort-respecting permutations, we use functions of type @{typ
 "atom => atom"} that are bijective; are the
 identity on all atoms, except a finite number of them; and map
 each atom to one of the same sort. These properties can be conveniently stated
 This function is bijective, the identity on all atoms except
 @{text a} and @{text b}, and sort respecting. Therefore it is
 a function in @{typ perm}.
 One advantage of using functions as a representation for
-permutations is that it is unique. For example the swappings
+permutations is that it is a unique representation. For example the swappings
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm swap_commute[no_vars]}\hspace{10mm}
 @{text "(a a) = id"}
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 @{text "_ \<bullet> _ :: perm \<Rightarrow> \<beta> \<Rightarrow> \<beta>"}
 \end{isabelle}
 \noindent
-whereby @{text "\<beta>"} is a generic type for @{text x}. The definition of this operation will be
+whereby @{text "\<beta>"} is a generic type for the object @{text
-given by in terms of `induction' over this generic type. The type-class mechanism
+x}.\footnote{We will use the standard notation @{text "((op \<bullet>) \<pi>)
-of Isabelle/HOL \cite{Wenzel04} allows us to give a definition for
+x"} for this operation in the few cases where we need to indicate
-`base' types, such as atoms, permutations, booleans and natural numbers:
+that it is a function applied with two arguments.}  The definition
+of this operation will be given by in terms of `induction' over this
+generic type. The type-class mechanism of Isabelle/HOL
+\cite{Wenzel04} allows us to give a definition for `base' types,
+such as atoms, permutations, booleans and natural numbers:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
 atoms: & @{thm permute_atom_def[where p="\<pi>",no_vars, THEN eq_reflection]}\\
 permutations: & @{thm permute_perm_def[where p="\<pi>" and q="\<pi>'", THEN eq_reflection]}\\
 \end{isabelle}
 \end{proof}
 \noindent
 Note that the permutation operation for functions is defined so that
-we have for applications the property
+we have for applications the equation
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 @{text "\<pi> \<bullet> (f x) ="}
 @{thm (rhs) permute_fun_app_eq[where p="\<pi>", no_vars]}
 \hfill\numbered{permutefunapp}
 \end{isabelle}
 \noindent
-whenever the permutation properties hold for @{text x}. This property can
+provided the permutation properties hold for @{text x}. This equation can
 be easily shown by unfolding the permutation operation for functions on
-the right-hand side, simplifying the beta-redex and eliminating the permutations
+the right-hand side of the equation, simplifying the resulting beta-redex
-in front of @{text x} using \eqref{cancel}.
+and eliminating the permutations in front of @{text x} using \eqref{cancel}.
 The main benefit of the use of type classes is that it allows us to delegate
 much of the routine resoning involved in determining whether the permutation properties
 are satisfied to Isabelle/HOL's type system: we only have to
 establish that base types satisfy them and that type-constructors
-preserve them. Isabelle/HOL will use this information and determine
+preserve them. Then Isabelle/HOL will use this information and determine
-whether an object @{text x} with a compound type satisfies the
+whether an object @{text x} with a compound type, like @{typ "atom \<Rightarrow> (atom set * nat)"}, satisfies the
 permutation properties.  For this we define the notion of a
 \emph{permutation type}:
-\begin{definition}[Permutation type]
+\begin{definition}[Permutation Type]
 A type @{text "\<beta>"} is a \emph{permutation type} if the permutation
 properties in \eqref{newpermprops} are satisfied for every @{text
 "x"} of type @{text "\<beta>"}.
 \end{definition}
 *}
 section {* Equivariance *}
 text {*
-An important notion in the nominal logic work is
+Two important notions in the nominal logic work are what Pitts calls
-\emph{equivariance}.  This notion allows us to characterise how
+\emph{equivariance} and the \emph{equivariance principle}.  These
-permutations act upon compound statements in HOL by analysing how
+notions allows us to characterise how permutations act upon compound
-these statements are constructed.  To do so, let us first define
+statements in HOL by analysing how these statements are constructed.
-\emph{HOL-terms}. They are given by the grammar
+The notion of equivariance can defined as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "t ::= c | x | t\<^isub>1 t\<^isub>2 | \<lambda>x. t"}
-\hfill\numbered{holterms}
-\end{isabelle}
-\noindent
-where @{text c} stands for constants and @{text x} for
-variables.
-We assume HOL-terms are fully typed, but for the sake of
-greater legibility we leave the typing information implicit.  We
-also assume the usual notions for free and bound variables of a
-HOL-term.  Furthermore, it is custom in HOL to regard terms as equal
-modulo alpha-, beta- and eta-equivalence.
-An \emph{equivariant} HOL-term is one that is invariant under the
-permutation operation. This can be defined in Isabelle/HOL
-as follows:
 \begin{definition}[Equivariance]\label{equivariance}
-A  HOL-term @{text t} is \emph{equivariant} provided
+An object @{text "x"} of permutation type is \emph{equivariant} provided
-@{term "\<pi> \<bullet> t = t"} holds for all permutations @{text "\<pi>"}.
+for all permutations @{text "\<pi>"}, \mbox{@{term "\<pi> \<bullet> x = x"}} holds.
 \end{definition}
 \noindent
-In what follows we will primarily be interested in the cases where @{text t}
+In what follows we will primarily be interested in the cases where
-is a constant, but of course there is no way in Isabelle/HOL to restrict
+@{text x} is a constant, but of course there is no way in
-this definition to just these cases.
+Isabelle/HOL to restrict this definition to just these cases.
 There are a number of equivalent formulations for the equivariance
-property.  For example, assuming @{text t} is of permutation type @{text "\<alpha> \<Rightarrow>
+property.  For example, assuming @{text f} is a function of permutation
-\<beta>"}, then equivariance can also be stated as
+type @{text "\<alpha> \<Rightarrow> \<beta>"}, then equivariance can also be stated as
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{text "\<forall>\<pi> x.  \<pi> \<bullet> (t x) = t (\<pi> \<bullet> x)"}
+@{text "\<forall>\<pi> x.  \<pi> \<bullet> (f x) = f (\<pi> \<bullet> x)"}
 \end{tabular}\hfill\numbered{altequivariance}
 \end{isabelle}
 \noindent
 We will call this formulation of equivariance in \emph{fully applied form}.
 To see that this formulation implies the definition, we just unfold
 the definition of the permutation operation for functions and
 simplify with the equation and the cancellation property shown in
 \eqref{cancel}. To see the other direction, we use
-\eqref{permutefunapp}. Similarly for HOL-terms that take more than
+\eqref{permutefunapp}. Similarly for functions that take more than
 one argument. The point to note is that equivariance and equivariance in fully
-applied form are (for permutation types) always interderivable.
+applied form are always interderivable (for permutation types).
 Both formulations of equivariance have their advantages and
 disadvantages: \eqref{altequivariance} is usually more convenient to
-establish, since statements in Isabelle/HOL are commonly given in a
+establish, since statements in HOL are commonly given in a
 form where functions are fully applied. For example we can easily
 show that equality is equivariant
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 \end{isabelle}
 \noindent
 for all @{text a}, @{text b} and @{text \<pi>}. Also the booleans
 @{const True} and @{const False} are equivariant by the definition
-of the permutation operation for booleans. It is easy to see
+of the permutation operation for booleans. Given this definition, it
-that the boolean operators, like @{text "\<and>"}, @{text "\<or>"}, @{text
+is also easy to see that the boolean operators, like @{text "\<and>"},
-"\<not>"} and @{text "\<longrightarrow>"}, are equivariant too; for example we have
+@{text "\<or>"}, @{text "\<longrightarrow>"} and  @{text "\<not>"} are equivariant:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}lcl}
 @{text "\<pi> \<bullet> (A \<and> B) = (\<pi> \<bullet> A) \<and> (\<pi> \<bullet> B)"}\\
+@{text "\<pi> \<bullet> (A \<or> B) = (\<pi> \<bullet> A) \<or> (\<pi> \<bullet> B)"}\\
 @{text "\<pi> \<bullet> (A \<longrightarrow> B) = (\<pi> \<bullet> A) \<longrightarrow> (\<pi> \<bullet> B)"}\\
+@{text "\<pi> \<bullet> (\<not>A) = \<not>(\<pi> \<bullet> A)"}\\
 \end{tabular}
 \end{isabelle}
-\noindent
-by the definition of the permutation operation acting on booleans.
 In contrast, the advantage of Definition \ref{equivariance} is that
-it leads to a relatively simple rewrite system that allows us to `push' a permutation
+it allows us to state a general principle how permutations act on
-towards the leaves of a HOL-term (i.e.~constants and
+statements in HOL.  For this we will define a rewrite system that
-variables).  Then the permutation disappears in cases where the
+`pushes' a permutation towards the leaves of statements (i.e.~constants
-constants are equivariant. We have implemented this rewrite system
+and variables).  Then the permutations disappear in cases where the
-as a simplification tactic on the ML-level of Isabelle/HOL.  Having this tactic
+constants are equivariant.  To do so, let us first define
-at our disposal, together with a collection of constants for which
+\emph{HOL-terms}, which are the building blocks of statements in HOL.
-equivariance is already established, we can automatically establish
+They are given by the grammar
-equivariance of a constant for which equivariance is not yet known. For this we only have to
-make sure that the definiens of this constant
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-is a HOL-term whose constants are all equivariant.  In what follows
+@{text "t ::= c | x | t\<^isub>1 t\<^isub>2 | \<lambda>x. t"}
-we shall specify this tactic and argue that it terminates and
+\hfill\numbered{holterms}
-is correct (in the sense of pushing a
+\end{isabelle}
-permutation @{text "\<pi>"} inside a term and the only remaining
-instances of @{text "\<pi>"} are in front of the term's free variables).
+\noindent
+where @{text c} stands for constants and @{text x} for variables.
-The simplifiaction tactic is a rewrite systems consisting of four `oriented'
+We assume HOL-terms are fully typed, but for the sake of better
-equations. We will first give a naive version of this tactic, which however
+legibility we leave the typing information implicit.  We also assume
-is in some cornercases incorrect and does not terminate, and then modify
+the usual notions for free and bound variables of a HOL-term.
-it in order to obtain the desired properties. A permutation @{text \<pi>} can
+Furthermore, HOL-terms are regarded as equal modulo alpha-, beta-
-be pushed into applications and abstractions as follows
+and eta-equivalence. The equivariance principle can now be stated
+formally as follows:
+\begin{theorem}[Equivariance Principle]\label{eqvtprin}
+Suppose a HOL-term @{text t} whose constants are all equivariant. For any
+permutation @{text \<pi>}, let @{text t'} be @{text t} except every
+free variable @{text x} in @{term t} is replaced by @{text "\<pi> \<bullet> x"}, then
+@{text "\<pi> \<bullet> t = t'"}.
+\end{theorem}
+\noindent
+The significance of this principle is that we can automatically establish
+the equivariance of a constant for which equivariance is not yet
+known. For this we only have to make sure that the definiens of this
+constant is a HOL-term whose constants are all equivariant. For example
+the universal quantifier @{text "\<forall>"} is definied in HOL as
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<forall>x. P x \<equiv> "}~@{thm (rhs) All_def[no_vars]}
+\end{isabelle}
+\noindent
+The constants in the definiens @{thm (rhs) All_def[no_vars]}, namely @{text "="}
+and @{text "True"}, are equivariant (we shown this above). Therefore
+the equivariance principle gives us
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<pi> \<bullet> (\<forall>x. P x)  \<equiv>  \<pi> \<bullet> (P = (\<lambda>x. True))  =  ((\<pi> \<bullet> P) = (\<lambda>x. True))  \<equiv>  \<forall>x. (\<pi> \<bullet> P) x"}
+\end{isabelle}
+\noindent
+and consequently, the constant @{text "\<forall>"} must be equivariant. From this
+we can deduce that the existential quantifier @{text "\<exists>"} is equivariant.
+Its definition in HOL is
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<exists>x. P x \<equiv> "}~@{thm (rhs) Ex_def[no_vars]}
+\end{isabelle}
+\noindent
+where again the HOL-term on the right-hand side only contains equivariant constants
+(namely @{text "\<forall>"} and @{text "\<longrightarrow>"}). Taking both facts together, we can deduce that
+the unique existential quantifier @{text "\<exists>!"} is equivariant. Its definition
+is
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<exists>!x. P x \<equiv> "}~@{thm (rhs) Ex1_def[no_vars]}
+\end{isabelle}
+\noindent
+with all constants on the right-hand side being equivariant. With this kind
+of reasoning we can build up a database of equivariant constants.
+Before we proceed, let us give a justification for the equivariance principle.
+For this we will use a rewrite system consisting of a series of equalities
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<pi> \<cdot> t  =  ...  =  t'"}
+\end{isabelle}
+\noindent
+that establish the equality between @{term "\<pi> \<bullet> t"} and
+@{text "t'"}. The idea of the rewrite system is to push the
+permutation inside the term @{text t}. We have implemented this as a
+conversion tactic on the ML-level of Isabelle/HOL.  In what follows,
+we will show that this tactic produces only finitely many equations
+and also show that is correct (in the sense of pushing a permutation
+@{text "\<pi>"} inside a term and the only remaining instances of @{text
+"\<pi>"} are in front of the term's free variables).  The tactic applies
+four `oriented' equations. We will first give a naive version of
+this tactic, which however in some cornercases produces incorrect
+results or does not terminate.  We then give a modification in order
+to obtain the desired properties.
+Consider the following oriented equations
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}lr@ {\hspace{3mm}}c@ {\hspace{3mm}}l}
 i) & @{text "\<pi> \<bullet> (t\<^isub>1 t\<^isub>2)"} & \rrh & @{term "(\<pi> \<bullet> t\<^isub>1) (\<pi> \<bullet> t\<^isub>2)"}\\
 ii) & @{text "\<pi> \<bullet> (\<lambda>x. t)"} & \rrh & @{text "\<lambda>x. \<pi> \<bullet> (t[x :=  (-\<pi>) \<bullet> x])"}\\
+iii) & @{term "\<pi> \<bullet> (- \<pi>) \<bullet> x"} & \rrh & @{term "x"}\\
+iv) &  @{term "\<pi> \<bullet> c"} & \rrh &
+{\rm @{term "c"}\hspace{6mm}provided @{text c} is equivariant}\\
 \end{tabular}\hfill\numbered{rewriteapplam}
 \end{isabelle}
 \noindent
+A permutation @{text \<pi>} can be pushed into applications and abstractions as follows
 The first equation we established in \eqref{permutefunapp};
 the second follows from the definition of permutations acting on functions
 and the fact that HOL-terms are equal modulo beta-equivalence.
-Once the permutations are pushed towards the leaves we need the
+Once the permutations are pushed towards the leaves, we need the
 following two equations
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}lr@ {\hspace{3mm}}c@ {\hspace{3mm}}l}
-iii) & @{term "\<pi> \<bullet> (- \<pi>) \<bullet> x"} & \rrh & @{term "x"}\\
-iv) &  @{term "\<pi> \<bullet> c"} & \rrh &
-{\rm @{term "c"}\hspace{6mm}provided @{text c} is equivariant}\\
 \end{tabular}\hfill\numbered{rewriteother}
 \end{isabelle}
 \noindent
 in order to remove permuations in front of bound variables and
 equivariant constants.  Unfortunately, we have to be careful with
 the rules {\it i)} and {\it iv}): they can lead to a loop whenever
-\mbox{@{text "t\<^isub>1 t\<^isub>2"}} is of the form @{text "((op \<bullet>) \<pi>') t"}. Note
+\mbox{@{text "t\<^isub>1 t\<^isub>2"}} is of the form @{text "((op \<bullet>) \<pi>') t"}, where
-that we usually write this application using infix notation as
+we do not write the permutation operation infix, as usual, but
-@{text "\<pi> \<bullet> t"} and recall that by Lemma \ref{permutecompose} the
+as an application. Recall that we established in Lemma \ref{permutecompose} that the
-constant @{text "(op \<bullet>)"} is equivariant. Now consider the infinite
+constant @{text "(op \<bullet>)"} is equivariant and consider the infinite
 reduction sequence
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{text "\<pi> \<bullet> (\<pi>' \<bullet> t)"}
 \end{tabular}
 \end{isabelle}
 \noindent
-where the last step is again an instance of the first term, but it
+The last term is again an instance of rewrite rule {\it i}), but the term
 is bigger.  To avoid this loop we need to apply our rewrite rule
 using an `outside to inside' strategy.  This strategy is sufficient
 since we are only interested of rewriting terms of the form @{term
 "\<pi> \<bullet> t"}, where an outermost permutation needs to pushed inside a term.
-Another problem we have to avoid is that the rules {\it i)} and
+Another problem we have to avoid is that the rules {\it i)} and {\it
-{\it iii)} can `overlap'. For this note that
+iii)} can `overlap'. For this note that the term @{term "\<pi>
-the term @{term "\<pi> \<bullet>(\<lambda>x. x)"} reduces by {\it ii)} to
+\<bullet>(\<lambda>x. x)"} reduces by {\it ii)} to @{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet> x"}, to
-@{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet> x"}, to which we can apply rule {\it iii)}
+which we can apply rule {\it iii)} in order to obtain @{term
-in order to obtain @{term "\<lambda>x. x"}, as is desired---there is no
+"\<lambda>x. x"}, as is desired---there is no free variable in the original
-free variable in the original term and so the permutation should completely
+term and so the permutation should completely vanish. However, the
-vanish. However, the subterm @{text
+subterm @{text "(- \<pi>) \<bullet> x"} is also an application. Consequently,
-"(- \<pi>) \<bullet> x"} is also an application. Consequently, the term
+the term @{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet>x"} can reduce to @{text "\<lambda>x. (- (\<pi>
-@{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet>x"} can reduce to @{text "\<lambda>x. (- (\<pi> \<bullet> \<pi>)) \<bullet> (\<pi> \<bullet> x)"} using
+\<bullet> \<pi>)) \<bullet> (\<pi> \<bullet> x)"} using {\it i)}.  Given our strategy we cannot
-{\it i)}.  Given our strategy we cannot apply rule {\it iii)} anymore and
+apply rule {\it iii)} anymore and even worse the measure we will
-even worse the measure we will introduce shortly increased. On the
+introduce shortly increased. On the other hand, if we had started
-other hand, if we had started with the term @{text "\<pi> \<bullet> ((- \<pi>) \<bullet> x)"}
+with the term @{text "\<pi> \<bullet> ((- \<pi>) \<bullet> x)"} where @{text \<pi>} and @{text
-where @{text \<pi>} and @{text x} are free variables, then we \emph{do}
+x} are free variables, then we \emph{do} want to apply rule {\it i)}
-want to apply rule  {\it i)} and not rule {\it iii)}. The latter
+and not rule {\it iii)}. The latter would eliminate @{text \<pi>}
-would eliminate @{text \<pi>} completely. The problem is that rule {\it iii)}
+completely. The problem is that rule {\it iii)} should only apply to
-should only apply to instances where the variable is to bound; for free variables
+instances where the variable is to bound; for free variables we want
-we want to use {\it ii)}.
+to use {\it ii)}.  In order to distinguish these cases we have to
+maintain the information which variable is bound when inductively
-The problem is that in order to distinguish both cases when
+taking a term `apart'. This, unfortunately, does not mesh well with
-inductively taking a term `apart', we have to maintain the
+the way how conversion tactics are implemented in Isabelle/HOL.
-information which variable is bound. This, unfortunately, does not
-mesh well with the way how simplification tactics are implemented in
+Our remedy is to use a standard trick in HOL: we introduce a
-Isabelle/HOL. Our remedy is to use a standard trick in HOL: we
+separate definition for terms of the form @{text "(- \<pi>) \<bullet> x"},
-introduce a separate definition for terms of the form @{text "(- \<pi>)
+namely as
-\<bullet> x"}, namely as
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 @{term "unpermute \<pi> x \<equiv> (- \<pi>) \<bullet> x"}
 \end{isabelle}
 of lexicographically ordered pairs whose first component is the size
 of a term (counting terms of the form @{text "unpermute \<pi> x"} as
 leaves) and the second is the number of occurences of @{text
 "unpermute \<pi> x"} and @{text "\<pi> \<bullet> c"}.
-With the definition of the simplification tactic in place, we can
+With the rules of the conversions tactic in place, we can
-establish its correctness. The property we are after is that for for
+establish its correctness. The property we are after is that
-a HOL-term @{text t} whose constants are all equivariant, the
+for a HOL-term @{text t} whose constants are all equivariant the
-HOL-term @{text "\<pi> \<bullet> t"} is equal to @{text "t'"} with @{text "t'"}
+term \mbox{@{text "\<pi> \<bullet> t"}} is equal to @{text "t'"} with @{text "t'"}
 being equal to @{text t} except that every free variable @{text x}
-in @{text t} is replaced by @{text "\<pi> \<bullet> x"}.  Pitts calls this
+in @{text t} is replaced by \mbox{@{text "\<pi> \<bullet> x"}}. Let us call
-property \emph{equivariance principle} (book ref ???). In our
+a variable @{text x} \emph{really free}, if it is free and not occuring
-setting the precise statement of this property is a slightly more
+in an unpermute, such as @{text "unpermute _ x"} and @{text "unpermute x _"}.
-involved because of the fact that @{text unpermutes} needs to be
+We need the following technical notion characterising a \emph{@{text "\<pi>"}-proper} HOL-term
-treated specially.
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{theorem}[Equivariance Principle]
+\begin{tabular}{@ {}ll}
-Suppose a HOL-term @{text t} does not contain any @{text unpermutes} and all
+$\bullet$ & variables and constants are @{text \<pi>}-proper,\\
-its constants are equivariant. For any permutation @{text \<pi>}, let @{text t'}
+$\bullet$ & @{term "unpermute \<pi> x"} is @{text \<pi>}-proper,\\
-be the HOL-term @{text t} except every free variable @{text x} in @{term t} is
+$\bullet$ & @{term "\<lambda>x. t"} is @{text \<pi>}-proper, if @{text t} is @{text \<pi>}-proper and @{text x} is
-replaced by @{text "\<pi> \<bullet> x"}, then @{text "\<pi> \<bullet> t = t'"}.
+really free in @{text t}, and\\
-\end{theorem}
+$\bullet$ & @{term "t\<^isub>1 t\<^isub>2"} is @{text \<pi>}-proper, if @{text "t\<^isub>1"} and @{text "t\<^isub>2"} are
+@{text \<pi>}-proper.
+\end{tabular}
+\end{isabelle}
-With these definitions in place we can define the notion of an \emph{equivariant}
-HOL-term
+\begin{proof}[Theorem~\ref{eqvtprin}] We establish the property if @{text t}
+is @{text \<pi>}-proper and only contains equivaraint constants, then
-\begin{definition}[Equivariant HOL-term]
+@{text "\<pi> \<bullet> t = t'"} where @{text "t'"} is equal to @{text "t"} except all really
-A HOL-term is \emph{equivariant}, provided it is closed and composed of applications,
+free variables @{text x} are replaced by @{text "\<pi> \<bullet> x"}, and all semi-free variables
-abstractions and equivariant constants only.
+@{text "unpermute \<pi> x"} by @{text "x"}. We establish this property by induction
-\end{definition}
+on the size of HOL-terms, counting terms like @{text "unpermuting \<pi> x"} as leafes,
+like variables and constants. The cases for variables, constants and @{text unpermutes}
-\noindent
+are routine. In the case of abstractions we have by induction hypothesis that
-For equivariant terms we have
+@{text "\<pi> \<bullet> (t[x := unpermute \<pi> x]) = t'"} with @{text "t'"} satisfying our
+correctness property. This implies that @{text "\<lambda>x. \<pi> \<bullet> (t[x := unpermute \<pi> x]) = \<lambda>x. t'"}
-\begin{lemma}
+and hence @{text "\<pi> \<bullet> (\<lambda>x. t) = \<lambda>x. t'"} as needed.\hfill\qed
-For an equivariant HOL-term @{text "t"},  @{term "\<pi> \<bullet> t = t"} for all permutations @{term "\<pi>"}.
+\end{proof}
-\end{lemma}
+Pitts calls this property \emph{equivariance principle} (book ref ???).
-Let us now see how to use the equivariance principle. We have
+Problems with @{text undefined}
+Lines of code
 *}
 section {* Support and Freshness *}
 definition for `the set of free variables, or free atoms, of an object @{text "x"}'.  This
 definition is general in the sense that it applies not only to lambda terms,
 but to any type for which a permutation operation is defined
 (like lists, sets, functions and so on).
-\begin{definition}[Support] Given @{text x} is of permutation type, then
+\begin{definition}[Support] \label{support}
+Given @{text x} is of permutation type, then
 @{thm [display,indent=10] supp_def[no_vars, THEN eq_reflection]}
 \end{definition}
 \noindent
 We also use the notation @{thm (lhs) fresh_star_def[no_vars]} for sets ot atoms
 defined as follows
 @{thm [display,indent=10] fresh_star_def[no_vars]}
+\noindent
-\noindent
+Using the equivariance principle, it can be easily checked that all three notions
-A striking consequence of these definitions is that we can prove
+are equivariant. A simple consequence of the definition of support and equivariance
-without knowing anything about the structure of @{term x} that
+is that if @{text x} is equivariant then we have
-swapping two fresh atoms, say @{text a} and @{text b}, leave
-@{text x} unchanged. For the proof we use the following lemma
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-about swappings applied to an @{text x}:
+\begin{tabular}{@ {}l}
+@{thm  (concl) supp_fun_eqvt[where f="x", no_vars]}
+\end{tabular}\hfill\numbered{suppeqvtfun}
+\end{isabelle}
+\noindent
+For function applications we can establish the following two properties.
+\begin{lemma}\label{suppfunapp} Let @{text f} and @{text x} be of permutation type, then
+\begin{isabelle}
+\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
+{\it i)} & @{thm[mode=IfThen] fresh_fun_app[no_vars]}\\
+{\it ii)} & @{thm supp_fun_app[no_vars]}\\
+\end{tabular}
+\end{isabelle}
+\end{lemma}
+\begin{proof}
+For the first property, we know from the assumption that @{term
+"finite {b. (a \<rightleftharpoons> b) \<bullet> f \<noteq> f}"} and @{term "finite {b . (a \<rightleftharpoons> b) \<bullet> x \<noteq>
+x}"} hold. That means for all, but finitely many @{text b} we have
+@{term "(a \<rightleftharpoons> b) \<bullet> f = f"} and @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}. Similarly,
+we have to show that for but, but finitely @{text b} the equation
+@{term "(a \<rightleftharpoons> b) \<bullet> f x = f x"} holds. The left-hand side of this
+equation is equal to @{term "((a \<rightleftharpoons> b) \<bullet> f) ((a \<rightleftharpoons> b) \<bullet> x)"} by
+\eqref{permutefunapp}, which we know by the previous two facts for
+@{text f} and @{text x} is equal to the right-hand side for all,
+but finitely many @{text b}. This establishes the first
+property. The second is a simple corollary of {\it i)} by
+unfolding the definition of freshness.\qed
+\end{proof}
+A striking consequence of the definitions for support and freshness
+is that we can prove without knowing anything about the structure of
+@{term x} that swapping two fresh atoms, say @{text a} and @{text
+b}, leave @{text x} unchanged. For the proof we use the following
+lemma about swappings applied to an @{text x}:
 \begin{lemma}\label{swaptriple}
 Assuming @{text x} is of permutation type, and @{text a}, @{text b} and @{text c}
 have the same sort, then \mbox{@{thm (prem 3) swap_rel_trans[no_vars]}} and
 @{thm (prem 4) swap_rel_trans[no_vars]} imply @{thm (concl) swap_rel_trans[no_vars]}.
 @{thm [display,indent=10] (concl) swap_triple[no_vars]}
 \noindent
 are equal. The lemma is then by application of the second permutation
-property shown in~\eqref{newpermprops}.\hfill\qed
+property shown in~\eqref{newpermprops}.\qed
 \end{proof}
 \begin{theorem}\label{swapfreshfresh}
 Let @{text x} be of permutation type.
 @{thm [mode=IfThen] swap_fresh_fresh[no_vars]}
 that there is an atom @{term c}, with the same sort as @{term a} and @{term b},
 that satisfies \mbox{@{term "(a \<rightleftharpoons> c) \<bullet> x = x"}} and @{term "(b \<rightleftharpoons> c) \<bullet> x = x"}.
 Now the theorem follows from Lemma~\ref{swaptriple}.\hfill\qed
 \end{proof}
-\noindent
-Two important properties that need to be established for later calculations is
-that @{text "supp"} and freshness are equivariant. For this we first show that:
-\begin{lemma}\label{half}
-If @{term x} is a permutation type, then @{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]}
-if and only if @{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}.
-\end{lemma}
-\begin{proof}
-\begin{isabelle}
-\begin{tabular}[t]{c@ {\hspace{2mm}}l@ {\hspace{5mm}}l}
-& @{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]}\\
-@{text "\<equiv>"} &
-@{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> \<pi> \<bullet> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}
-& since @{text "\<pi> \<bullet> _"} is bijective\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. \<pi> \<bullet> (a \<rightleftharpoons> b) \<bullet> x \<noteq> \<pi> \<bullet> x}"}
-& by Lemma~\ref{permutecompose} and \eqref{swapeqvt}\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"}
-& by \eqref{permuteequ}\\
-@{text "\<equiv>"}
-& @{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}
-\end{tabular}
-\end{isabelle}\hfill\qed
-\end{proof}
-\noindent
-Together with the definition of the permutation operation on booleans,
-we can immediately infer equivariance of freshness:
-@{thm [display,indent=10] fresh_eqvt[where p="\<pi>",no_vars]}
-\noindent
-Now equivariance of @{text "supp"}, namely
-@{thm [display,indent=10] supp_eqvt[where p="\<pi>",no_vars]}
-\noindent
-is by noting that @{thm supp_conv_fresh[no_vars]} and that freshness and
-the logical connectives are equivariant. ??? Equivariance
-A simple consequence of the definition of support and equivariance is that
-if a function @{text f} is equivariant then we have
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm  (concl) supp_fun_eqvt[no_vars]}
-\end{tabular}\hfill\numbered{suppeqvtfun}
-\end{isabelle}
-\noindent
-For function applications we can establish the two following properties.
-\begin{lemma} Let @{text f} and @{text x} be of permutation type, then
-\begin{isabelle}
-\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
-@{text "i)"} & @{thm[mode=IfThen] fresh_fun_app[no_vars]}\\
-@{text "ii)"} & @{thm supp_fun_app[no_vars]}\\
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-???
-\end{proof}
 While the abstract properties of support and freshness, particularly
 Theorem~\ref{swapfreshfresh}, are useful for developing Nominal Isabelle,
-one often has to calculate the support of some concrete object. This is
+one often has to calculate the support of concrete objects.
-straightforward for example for booleans, nats, products and lists:
+For booleans, nats, products and lists it is easy to check that
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
 @{text "booleans"}: & @{term "supp b = {}"}\\
 @{text "nats"}:     & @{term "supp n = {}"}\\
 @{text "lists:"} & @{thm supp_Nil[no_vars]}\\
 & @{thm supp_Cons[no_vars]}\\
 \end{tabular}
 \end{isabelle}
 \noindent
-But establishing the support of atoms and permutations is a bit
+hold.  Establishing the support of atoms and permutations is a bit
 trickier. To do so we will use the following notion about a \emph{supporting set}.
 \begin{definition}[Supporting Set]
 A set @{text S} \emph{supports} @{text x} if for all atoms @{text a} and @{text b}
 not in @{text S} we have @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}.
 \end{tabular}
 \end{isabelle}
 \end{lemma}
 \begin{proof}
-For @{text "i)"} we derive a contradiction by assuming there is an atom @{text a}
+For {\it i)} we derive a contradiction by assuming there is an atom @{text a}
 with @{term "a \<in> supp x"} and @{text "a \<notin> S"}. Using the second fact, the
 assumption that @{term "S supports x"} gives us that @{text S} is a superset of
 @{term "{b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"}, which is finite by the assumption of @{text S}
 being finite. But this means @{term "a \<notin> supp x"}, contradicting our assumption.
-Property @{text "ii)"} is by a direct application of
+Property {\it ii)} is by a direct application of
-Theorem~\ref{swapfreshfresh}. For the last property, part @{text "i)"} proves
+Theorem~\ref{swapfreshfresh}. For the last property, part {\it i)} proves
 one ``half'' of the claimed equation. The other ``half'' is by property
-@{text "ii)"} and the fact that @{term "supp x"} is finite by @{text "i)"}.\hfill\qed
+{\it ii)} and the fact that @{term "supp x"} is finite by {\it i)}.\hfill\qed
 \end{proof}
 \noindent
 These are all relatively straightforward proofs adapted from the existing
 nominal logic work. However for establishing the support of atoms and
-permutations we found  the following `optimised' variant of @{text "iii)"}
+permutations we found  the following `optimised' variant of {\it iii)}
 more useful:
 \begin{lemma}\label{optimised} Let @{text x} be of permutation type.
 We have that @{thm (concl) finite_supp_unique[no_vars]}
 provided @{thm (prem 1) finite_supp_unique[no_vars]},
 The proof-obligation can then be discharged by analysing the inequality
 between the permutations @{term "(\<pi> \<bullet> a \<rightleftharpoons> b)"} and @{term "(a \<rightleftharpoons> b)"}.
 The main point about support is that whenever an object @{text x} has finite
 support, then Proposition~\ref{choosefresh} allows us to choose for @{text x} a
-fresh atom with arbitrary sort. This is an important operation in Nominal
+fresh atom with arbitrary sort. This is a crucial operation in Nominal
 Isabelle in situations where, for example, a bound variable needs to be
 renamed. To allow such a choice, we only have to assume that
 @{text "finite (supp x)"} holds. For more convenience we
-can define a type class for types where every element has finite support, and
+can define a type class in Isabelle/HOL corresponding to the
-prove that the types @{term "atom"}, @{term "perm"}, lists, products and
+property:
-booleans are instances of this type class.
+\begin{definition}[Finitely Supported Type]
-Unfortunately, this does not work for sets or Isabelle/HOL's function
+A type @{text "\<beta>"} is \emph{finitely supported} if @{term "finite (supp x)"}
-type. There are functions and sets definable in Isabelle/HOL for which the
+holds for all @{text x} of type @{text "\<beta>"}.
-finite support property does not hold.  A simple example of a function with
+\end{definition}
-infinite support is @{const nat_of} shown in \eqref{sortnatof}.  This
-function's support is the set of \emph{all} atoms @{term "UNIV::atom set"}.
+\noindent
-To establish this we show
+By the calculations above we can easily establish
-@{term "\<not> a \<sharp> nat_of"}. This is equivalent to assuming the set @{term
-"{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite and deriving a
+\begin{theorem}\label{finsuptype}
-contradiction. From the assumption we also know that @{term "{a} \<union> {b. (a \<rightleftharpoons>
+The types @{type atom}, @{type perm}, @{type bool} and @{type nat}
-b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
+are fintitely supported, and assuming @{text \<beta>}, @{text "\<beta>\<^isub>1"} and
-Proposition~\ref{choosefresh} to choose an atom @{text c} such that @{term
+@{text "\<beta>\<^isub>2"} are finitely supported types, then @{text "\<beta> list"} and
-"c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c) \<bullet> nat_of =
+@{text "\<beta>\<^isub>1 \<times> \<beta>\<^isub>2"} are finitely supported.
-nat_of"}.  Now we can reason as follows:
+\end{theorem}
+\noindent
+The main benefit of using the finite support property for choosing a
+fresh atom is that the reasoning is `compositional'. To see this,
+assume we have a list of atoms and a method of choosing a fresh atom
+that is not a member in this list---for example the maximum plus
+one.  Then if we enlarge this list \emph{after} the choice, then
+obviously the fresh atom might not be fresh anymore. In contrast, by
+the classical reasoning of Proposition~\ref{choosefresh} we know a
+fresh atom exists for every list of atoms and no matter how we
+extend this list of atoms, we always preserve the property of being
+finitely supported. Consequently the existence of a fresh atom is
+still guarantied by Proposition~\ref{choosefresh}.  Using the method
+of `maximum plus one' we might have to adapt the choice of a fresh
+atom.
+Unfortunately, Theorem~\ref{finsuptype} does not work in general for the
+types of sets and functions.  There are functions definable in HOL
+for which the finite support property does not hold.  A simple
+example of a function with infinite support is @{const nat_of} shown
+in \eqref{sortnatof}.  This function's support is the set of
+\emph{all} atoms @{term "UNIV::atom set"}.  To establish this we
+show @{term "\<not> a \<sharp> nat_of"}. This is equivalent to assuming the set
+@{term "{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite and deriving a
+contradiction. From the assumption we also know that @{term "{a} \<union>
+{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
+Proposition~\ref{choosefresh} to choose an atom @{text c} such that
+@{term "c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c)
+\<bullet> nat_of = nat_of"}.  Now we can reason as follows:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}[b]{@ {}rcl@ {\hspace{5mm}}l}
 @{text "nat_of a"} & @{text "="} & @{text "(a \<rightleftharpoons> c) \<bullet> (nat_of a)"} & by def.~of permutations on nats\\
 & @{text "="} & @{term "((a \<rightleftharpoons> c) \<bullet> nat_of) ((a \<rightleftharpoons> c) \<bullet> a)"} & by \eqref{permutefunapp}\\
 *}
 section {* Support of Finite Sets *}
 text {*
-Also the set type is one instance whose elements are not generally finitely
+Also the set type is an instance whose elements are not generally finitely
 supported (we will give an example in Section~\ref{concrete}).
 However, we can easily show that finite sets and co-finite sets of atoms are finitely
-supported, because their support can be characterised as:
+supported. Their support can be characterised as:
-\begin{lemma}\label{finatomsets}\mbox{}\\
+\begin{lemma}\label{finatomsets}
-@{text "i)"} If @{text S} is a finite set of atoms, then @{thm (concl) supp_finite_atom_set[no_vars]}.\\
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "ii)"} If @{term "UNIV - (S::atom set)"} is a finite set of atoms, then
+\begin{tabular}[b]{@ {}rl}
+{\it i)} & If @{text S} is a finite set of atoms, then @{thm (concl) supp_finite_atom_set[no_vars]}.\\
+{\it ii)} & If @{term "UNIV - (S::atom set)"} is a finite set of atoms, then
 @{thm (concl) supp_cofinite_atom_set[no_vars]}.
+\end{tabular}
+\end{isabelle}
 \end{lemma}
 \begin{proof}
 Both parts can be easily shown by Lemma~\ref{optimised}.  We only have to observe
 that a swapping @{text "(a b)"} leaves a set @{text S} unchanged provided both
 \noindent
 Note that a consequence of the second part of this lemma is that
 @{term "supp (UNIV::atom set) = {}"}.
 More difficult, however, is it to establish that finite sets of finitely
 supported objects are finitely supported. For this we first show that
-the union of the suports of finitely many and finitely supported  objects
+the union of the supports of finitely many and finitely supported  objects
 is finite, namely
 \begin{lemma}\label{unionsupp}
-If @{text S} is a finite set whose elements are all finitely supported, then\\
+If @{text S} is a finite set whose elements are all finitely supported, then
-@{text "i)"} @{thm (concl) Union_of_finite_supp_sets[no_vars]} and\\
+%
-@{text "ii)"} @{thm (concl) Union_included_in_supp[no_vars]}.
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+\begin{tabular}[b]{@ {}rl}
+{\it i)} & @{thm (concl) Union_of_finite_supp_sets[no_vars]} and\\
+{\it ii)} & @{thm (concl) Union_included_in_supp[no_vars]}.
+\end{tabular}
+\end{isabelle}
 \end{lemma}
 \begin{proof}
-The first part is by a straightforward induction on the finiteness of @{text S}.
+The first part is by a straightforward induction on the finiteness
-For the second part, we know that @{term "\<Union>x\<in>S. supp x"} is a set of atoms, which
+of @{text S}.  For the second part, we know that @{term "\<Union>x\<in>S. supp
-by the first part is finite. Therefore we know by Lemma~\ref{finatomsets}.@{text "i)"}
+x"} is a set of atoms, which by the first part is finite. Therefore
-that @{term "(\<Union>x\<in>S. supp x) = supp (\<Union>x\<in>S. supp x)"}. Taking @{text "f"} to be
+we know by Lemma~\ref{finatomsets}.{\it i)} that @{term "(\<Union>x\<in>S. supp
-\mbox{@{text "\<lambda>S. \<Union> (supp ` S)"}}, we can write the right hand side as @{text "supp (f S)"}.
+x) = supp (\<Union>x\<in>S. supp x)"}. Taking @{text "f"} to be the function
-Since @{text "f"} is an equivariant function, we have that
+\mbox{@{text "\<lambda>S. \<Union> (supp ` S)"}}, we can write the right-hand side
-@{text "supp (f S) \<subseteq> supp S"} by ??? This completes the second part.\hfill\qed
+as @{text "supp (f S)"}.  Since @{text "f"} is an equivariant
+function (can be easily checked by the equivariance principle), we
+have that @{text "supp (f S) \<subseteq> supp S"} by
+Lemma~\ref{suppfunapp}.{\it ii)}. This completes the second
+part.\hfill\qed
 \end{proof}
 \noindent
 With this lemma in place we can establish that
 \begin{lemma}
 @{thm[mode=IfThen] supp_of_finite_sets[no_vars]}
 \end{lemma}
 \begin{proof}
-The right-to-left inclusion is proved in Lemma~\ref{unionsupp}.@{text "ii)"}. To show the inclusion
+The right-to-left inclusion is proved in Lemma~\ref{unionsupp}.{\it ii)}. To show the inclusion
-in the other direction we have to show Lemma~\ref{supports}.@{text "i)"}
+in the other direction we can use Lemma~\ref{supports}.{\it i)}. This means
+for all @{text a} and @{text b} that are not in @{text S} we have to show that
+@{term "(a \<rightleftharpoons> b) \<bullet> (\<Union>x \<in> S. supp x) = (\<Union>x \<in> S. supp x)"} holds. By the equivariance
+principle, the left-hand side is equal to @{term "\<Union>x \<in> ((a \<rightleftharpoons> b) \<bullet> S). supp x"}. Now
+the swapping in front of @{text S} disappears, since @{term "a \<sharp> S"} and @{term "b \<sharp> S"}
+whenever @{text "a, b \<notin> S"}. Thus we are done.\hfill\qed
 \end{proof}
+\noindent
+To sum up, every finite set of finitely supported elements has
+finite support.  Unfortunately, we cannot use
+Theorem~\ref{finsuptype} to let Isabelle/HOL find this out
+automatically. This would require to introduce a separate type of
+finite sets, which however is not so convenient to reason about as
+Isabelle's standard set type.
 *}
-section {* Induction Principles *}
+section {* Induction Principles for Permutations *}
 text {*
 While the use of functions as permutation provides us with a unique
 representation for permutations (for example @{term "(a \<rightleftharpoons> b)"} and
-@{term "(b \<rightleftharpoons> a)"} are equal permutations), this representation has
+@{term "(b \<rightleftharpoons> a)"} are equal permutations), this representation does
-one draw back: it does not come readily with an induction principle.
+not come automatically with an induction principle.  Such an
-Such an induction principle is handy for deriving properties like
+induction principle is however handy for generalising
+Lemma~\ref{swapfreshfresh} from swappings to permutations
-@{thm [display, indent=10] supp_perm_eq[no_vars]}
+\begin{lemma}
-\noindent
+@{thm [mode=IfThen] perm_supp_eq[no_vars]}
-However, it is not too difficult to derive an induction principle,
+\end{lemma}
-given the fact that we allow only permutations with a finite domain.
+\noindent
+In this section we will establish an induction principle for permutations
+with which this lemma can be easily proved. It is not too difficult to derive
+an induction principle for permutations, given the fact that we allow only
+permutations having a finite support.
+Using a the property from \cite{???}
+\begin{lemma}\label{smallersupp}
+@{thm [mode=IfThen] smaller_supp[no_vars]}
+\end{lemma}
 *}
 section {* An Abstraction Type *}
 So far, we have presented a system that uses only a single multi-sorted atom
 type.  This design gives us the flexibility to define operations and prove
 theorems that are generic with respect to atom sorts.  For example, as
 illustrated above the @{term supp} function returns a set that includes the
-free atoms of \emph{all} sorts together; the flexibility offered by the new
+free atoms of \emph{all} sorts together.
-atom type makes this possible.
 However, the single multi-sorted atom type does not make an ideal interface
 for end-users of Nominal Isabelle.  If sorts are not distinguished by
 Isabelle's type system, users must reason about atom sorts manually.  That
-means subgoals involving sorts must be discharged explicitly within proof
+means for example that subgoals involving sorts must be discharged explicitly within proof
-scripts, instead of being inferred by Isabelle/HOL's type checker.  In other
+scripts, instead of being inferred automatically.  In other
 cases, lemmas might require additional side conditions about sorts to be true.
 For example, swapping @{text a} and @{text b} in the pair \mbox{@{term "(a,
 b)"}} will only produce the expected result if we state the lemma in
 Isabelle/HOL as:
 *}
 generic atom type, which we will write @{text "|_|"}.  For each class
 instance, this function must be injective and equivariant, and its outputs
 must all have the same sort, that is
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{r@ {\hspace{3mm}}l}
+\begin{tabular}{@ {}r@ {\hspace{3mm}}l}
-i)   if @{thm (lhs) atom_eq_iff [no_vars]} then @{thm (rhs) atom_eq_iff [no_vars]}\\
+i)   & if @{thm (lhs) atom_eq_iff [no_vars]} then @{thm (rhs) atom_eq_iff [no_vars]}\\
-ii)  @{thm atom_eqvt[where p="\<pi>", no_vars]}\\
+ii)  & @{thm atom_eqvt[where p="\<pi>", no_vars]}\\
-iii) @{thm sort_of_atom_eq [no_vars]}
+iii) & @{thm sort_of_atom_eq [no_vars]}
 \end{tabular}\hfill\numbered{atomprops}
 \end{isabelle}
 \noindent
 With the definition @{thm atom_name_def [THEN eq_reflection, no_vars]} we can
 show that @{typ name} satisfies all the above requirements of a concrete atom
 type.
-The whole point of defining the concrete atom type class was to let users
+The whole point of defining the concrete atom type class is to let users
 avoid explicit reasoning about sorts.  This benefit is realised by defining a
 special swapping operation of type @{text "\<alpha> \<Rightarrow> \<alpha>
 \<Rightarrow> perm"}, where @{text "\<alpha>"} is a concrete atom type:
 @{thm [display,indent=10] flip_def [THEN eq_reflection, no_vars]}
 \end{tabular}
 \end{isabelle}
 \noindent
 This command can be implemented using less than 100 lines of custom ML-code.
+*}
+section {* Related Work\label{related} *}
+text {*
+Coq-tries, but failed
+Add here comparison with old work.
 In comparison, the old version of Nominal Isabelle included more than 1000
 lines of ML-code for creating concrete atom types, and for defining various
 type classes and instantiating generic lemmas for them.  In addition to
 simplifying the ML-code, the setup here also offers user-visible improvements:
 Now concrete atoms can be declared at any point of a formalisation, and
 theories that separately declare different atom types can be merged
 together---it is no longer required to collect all atom declarations in one
 place.
-*}
-section {* Related Work\label{related} *}
-text {*
-Add here comparison with old work.
 Using a single atom type to represent atoms of different sorts and
 representing permutations as functions are not new ideas; see
 \cite{GunterOsbornPopescu09} \footnote{function rep.}  The main contribution
 of this paper is to show an example of how to make better theorem proving

changeset 2780	2c6851248b3f
parent 2776	8e0f0b2b51dd
child 2783	8412c7e503d4