nominal2: comparison Pearl-jv/Paper.thy

equal deleted inserted replaced

-:a6f3e1b08494
+:b6873d123f9b
-(*<*)
-theory Paper
-imports "../Nominal/Nominal2_Base"
-"../Nominal/Atoms"
-"../Nominal/Nominal2_Abs"
-"~~/src/HOL/Library/LaTeXsugar"
-begin
-abbreviation
-UNIV_atom ("\<allatoms>")
-where
-"UNIV_atom \<equiv> UNIV::atom set"
-notation (latex output)
-sort_of ("sort _" [1000] 100) and
-Abs_perm ("_") and
-Rep_perm ("_") and
-swap ("'(_ _')" [1000, 1000] 1000) and
-fresh ("_ # _" [51, 51] 50) and
-fresh_star ("_ #\<^sup>* _" [51, 51] 50) and
-Cons ("_::_" [78,77] 73) and
-supp ("supp _" [78] 73) and
-uminus ("-_" [78] 73) and
-atom ("|_|") and
-If  ("if _ then _ else _" 10) and
-Rep_name ("\<lfloor>_\<rfloor>") and
-Abs_name ("\<lceil>_\<rceil>") and
-Rep_var ("\<lfloor>_\<rfloor>") and
-Abs_var ("\<lceil>_\<rceil>") and
-sort_of_ty ("sort'_ty _")
-(* BH: uncomment if you really prefer the dot notation
-syntax (latex output)
-"_Collect" :: "pttrn => bool => 'a set" ("(1{_ . _})")
-*)
-(* sort is used in Lists for sorting *)
-hide_const sort
-abbreviation
-"sort \<equiv> sort_of"
-lemma infinite_collect:
-assumes "\<forall>x \<in> S. P x" "infinite S"
-shows "infinite {x \<in> S. P x}"
-using assms
-apply(subgoal_tac "infinite {x. x \<in> S}")
-apply(simp only: Inf_many_def[symmetric])
-apply(erule INFM_mono)
-apply(auto)
-done
-(*>*)
-section {* Introduction *}
-text {*
-Nominal Isabelle provides a proving infratructure for convenient reasoning
-about syntax involving binders, such as lambda terms or type schemes in Mini-ML:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<lambda>x. t       \<forall>{x\<^isub>1,\<dots>, x\<^isub>n}. \<tau>"}
-\end{isabelle}
-\noindent
-At its core Nominal Isabelle is based on the nominal logic work by
-Pitts at al \cite{GabbayPitts02,Pitts03}, whose most basic notion is
-a sort-respecting permutation operation defined over a countably
-infinite collection of sorted atoms.
-The aim of this paper is to
-describe how we adapted this work so that it can be implemented in a
-theorem prover based on Higher-Order Logic (HOL). For this we
-present the definition we made in the implementation and also review
-many proofs. There are a two main design choices to be made. One is
-how to represent sorted atoms. We opt here for a single unified atom
-type to represent atoms of different sorts. The other is how to
-present sort-respecting permutations. For them we use the standard
-technique of HOL-formalisations of introducing an appropriate
-subtype of functions from atoms to atoms.
-The nominal logic work has been the starting point for a number of proving
-infrastructures, most notable by Norrish \cite{norrish04} in HOL4, by
-Aydemir et al \cite{AydemirBohannonWeirich07} in Coq and the work by Urban
-and Berghofer in Isabelle/HOL \cite{Urban08}. Its key attraction is a very
-general notion, called \emph{support}, for the `set of free variables, or
-atoms, of an object' that applies not just to lambda terms and type schemes,
-but also to sets, products, lists, booleans and even functions. The notion of support
-is derived from the permutation operation defined over the
-hierarchy of types. This
-permutation operation, written @{text "_ \<bullet> _"}, has proved to be much more
-convenient for reasoning about syntax, in comparison to, say, arbitrary
-renaming substitutions of atoms. One reason is that permutations are
-bijective renamings of atoms and thus they can be easily `undone'---namely
-by applying the inverse permutation. A corresponding inverse substitution
-might not always exist, since renaming substitutions are in general only injective.
-Another reason is that permutations preserve many constructions when reasoning about syntax.
-For example, suppose a typing context @{text "\<Gamma>"} of the form
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "x\<^isub>1:\<tau>\<^isub>1, \<dots>, x\<^isub>n:\<tau>\<^isub>n"}
-\end{isabelle}
-\noindent
-is said to be \emph{valid} provided none of its variables, or atoms, @{text "x\<^isub>i"}
-occur twice. Then validity of typing contexts is preserved under
-permutations in the sense that if @{text \<Gamma>} is valid then so is \mbox{@{text "\<pi> \<bullet> \<Gamma>"}} for
-all permutations @{text "\<pi>"}. Again, this is \emph{not} the case for arbitrary
-renaming substitutions, as they might identify some of the @{text "x\<^isub>i"} in @{text \<Gamma>}.
-Permutations also behave uniformly with respect to HOL's logic connectives.
-Applying a permutation to a formula gives, for example
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}lcl}
-@{term "\<pi> \<bullet> (A \<and> B)"} & if and only if & @{text "(\<pi> \<bullet> A) \<and> (\<pi> \<bullet> B)"}\\
-@{term "\<pi> \<bullet> (A \<longrightarrow> B)"} & if and only if & @{text "(\<pi> \<bullet> A) \<longrightarrow> (\<pi> \<bullet> B)"}\\
-\end{tabular}
-\end{isabelle}
-\noindent
-This uniform behaviour can also be extended to quantifiers and functions.
-Because of these good properties of permutations, we are able to automate
-reasoning to do with \emph{equivariance}. By equivariance we mean the property
-that every permutation leaves a function unchanged, that is @{term "\<pi> \<bullet> f = f"}
-for all @{text "\<pi>"}. This will often simplify arguments involving support
-of functions, since if they are equivariant then they have empty support---or
-`no free atoms'.
-There are a number of subtle differences between the nominal logic work by
-Pitts and the formalisation we will present in this paper. One difference
-is that our
-formalisation is compatible with HOL, in the sense that we only extend
-HOL by some definitions, withouth the introduction of any new axioms.
-The reason why the original nominal logic work is
-incompatible with HOL has to do with the way how the finite support property
-is enforced: FM-set theory is defined in \cite{Pitts01b} so that every set
-in the FM-set-universe has finite support.  In nominal logic \cite{Pitts03},
-the axioms (E3) and (E4) imply that every function symbol and proposition
-has finite support. However, there are notions in HOL that do \emph{not}
-have finite support (we will give some examples).  In our formalisation, we
-will avoid the incompatibility of the original nominal logic work by not a
-priory restricting our discourse to only finitely supported entities, rather
-we will explicitly assume this property whenever it is needed in proofs. One
-consequence is that we state our basic definitions not in terms of nominal
-sets (as done for example in \cite{Pitts06}), but in terms of the weaker
-notion of permutation types---essentially sets equipped with a ``sensible''
-notion of permutation operation.
-In the nominal logic woworkrk, the `new quantifier' plays a prominent role.
-$\new$
-Obstacles for Coq; no type-classes, difficulties with quotient types,
-need for classical reasoning
-Two binders
-A preliminary version
-*}
-section {* Sorted Atoms and Sort-Respecting Permutations *}
-text {*
-The two most basic notions in the nominal logic work are a countably
-infinite collection of sorted atoms and sort-respecting permutations
-of atoms.  The atoms are used for representing variable names that
-might be bound or free. Multiple sorts are necessary for being able
-to represent different kinds of variables. For example, in the
-language Mini-ML there are bound term variables in lambda
-abstractions and bound type variables in type schemes. In order to
-be able to separate them, each kind of variables needs to be
-represented by a different sort of atoms.
-The existing nominal logic work usually leaves implicit the sorting
-information for atoms and leaves out a description of how sorts are
-represented.  In our formalisation, we therefore have to make a
-design decision about how to implement sorted atoms and
-sort-respecting permutations. One possibility, which we described in
-\cite{Urban08}, is to have separate types for different sorts of
-atoms. However, we found that this does not blend well with
-type-classes in Isabelle/HOL (see Section~\ref{related} about
-related work).  Therefore we use here a single unified atom type to
-represent atoms of different sorts. A basic requirement is that
-there must be a countably infinite number of atoms of each sort.
-This can be implemented in Isabelle/HOL as the datatype
-*}
-datatype atom\<iota> = Atom\<iota> string nat
-text {*
-\noindent
-whereby the string argument specifies the sort of the
-atom.\footnote{A similar design choice was made by Gunter et al
-\cite{GunterOsbornPopescu09} for their variables.}  The use of type
-\emph{string} for sorts is merely for convenience; any countably
-infinite type would work as well.  In what follows we shall write
-@{term "UNIV::atom set"} for the set of all atoms.  We also have two
-auxiliary functions for atoms, namely @{text sort} and @{const
-nat_of} which are defined as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-@{thm (lhs) sort_of.simps[no_vars]} & @{text "\<equiv>"} & @{thm (rhs) sort_of.simps[no_vars]}\\
-@{thm (lhs) nat_of.simps[no_vars]} & @{text "\<equiv>"}  & @{thm (rhs) nat_of.simps[no_vars]}
-\end{tabular}\hfill\numbered{sortnatof}
-\end{isabelle}
-\noindent
-We clearly have for every finite set @{text S}
-of atoms and every sort @{text s} the property:
-\begin{proposition}\label{choosefresh}\mbox{}\\
-@{text "For a finite set of atoms S, there exists an atom a such that
-sort a = s and a \<notin> S"}.
-\end{proposition}
-\noindent
-This property will be used later whenever we have to chose a `fresh' atom.
-For implementing sort-respecting permutations, we use functions of type @{typ
-"atom => atom"} that are bijective; are the
-identity on all atoms, except a finite number of them; and map
-each atom to one of the same sort. These properties can be conveniently stated
-in Isabelle/HOL for a function @{text \<pi>} as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{r@ {\hspace{4mm}}l}
-i)   & @{term "bij \<pi>"}\\
-ii)  & @{term "finite {a. \<pi> a \<noteq> a}"}\\
-iii) & @{term "\<forall>a. sort (\<pi> a) = sort a"}
-\end{tabular}\hfill\numbered{permtype}
-\end{isabelle}
-\noindent
-Like all HOL-based theorem provers, Isabelle/HOL allows us to
-introduce a new type @{typ perm} that includes just those functions
-satisfying all three properties. For example the identity function,
-written @{term id}, is included in @{typ perm}. Also function composition,
-written  \mbox{@{text "_ \<circ> _"}}, and function inversion, given by Isabelle/HOL's
-inverse operator and written \mbox{@{text "inv _"}}, preserve the properties
-(\ref{permtype}.@{text "i"}-@{text "iii"}).
-However, a moment of thought is needed about how to construct non-trivial
-permutations. In the nominal logic work it turned out to be most convenient
-to work with swappings, written @{text "(a b)"}.  In our setting the
-type of swappings must be
-@{text [display,indent=10] "(_ _) :: atom \<Rightarrow> atom \<Rightarrow> perm"}
-\noindent
-but since permutations are required to respect sorts, we must carefully
-consider what happens if a user states a swapping of atoms with different
-sorts.  The following definition\footnote{To increase legibility, we omit
-here and in what follows the @{term Rep_perm} and @{term "Abs_perm"}
-wrappers that are needed in our implementation in Isabelle/HOL since we defined permutation
-not to be the full function space, but only those functions of type @{typ
-perm} satisfying properties @{text i}-@{text "iii"} in \eqref{permtype}.}
-@{text [display,indent=10] "(a b) \<equiv> \<lambda>c. if a = c then b else (if b = c then a else c)"}
-\noindent
-does not work in general, because @{text a} and @{text b} may have different
-sorts---in which case the function would violate property @{text iii} in \eqref{permtype}.  We
-could make the definition of swappings partial by adding the precondition
-@{term "sort a = sort b"}, which would mean that in case @{text a} and
-@{text b} have different sorts, the value of @{text "(a b)"} is unspecified.
-However, this looked like a cumbersome solution, since sort-related side
-conditions would be required everywhere, even to unfold the definition.  It
-turned out to be more convenient to actually allow the user to state
-`ill-sorted' swappings but limit their `damage' by defaulting to the
-identity permutation in the ill-sorted case:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}rl}
-@{text "(a b) \<equiv>"} & @{text "if (sort a = sort b)"}\\
-& \hspace{3mm}@{text "then \<lambda>c. if a = c then b else (if b = c then a else c)"}\\
-& \hspace{3mm}@{text "else id"}
-\end{tabular}\hfill\numbered{swapdef}
-\end{isabelle}
-\noindent
-This function is bijective, the identity on all atoms except
-@{text a} and @{text b}, and sort respecting. Therefore it is
-a function in @{typ perm}.
-One advantage of using functions as a representation for
-permutations is that it is a unique representation. For example the swappings
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm swap_commute[no_vars]}\hspace{10mm}
-@{text "(a a) = id"}
-\end{tabular}\hfill\numbered{swapeqs}
-\end{isabelle}
-\noindent
-are \emph{equal} and can be used interchangeably. Another advantage of the function
-representation is that they form a (non-com\-mu\-ta\-tive) group provided we define
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l@ {\hspace{10mm}}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-@{thm (lhs) zero_perm_def[no_vars]} & @{text "\<equiv>"} & @{thm (rhs) zero_perm_def[no_vars]} &
-@{thm (lhs) plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2"]} & @{text "\<equiv>"} &
-@{thm (rhs) plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2"]}\\
-@{thm (lhs) uminus_perm_def[where p="\<pi>"]} & @{text "\<equiv>"} & @{thm (rhs) uminus_perm_def[where p="\<pi>"]} &
-@{thm (lhs) minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]} & @{text "\<equiv>"} &
-@{thm (rhs) minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]}
-\end{tabular}\hfill\numbered{groupprops}
-\end{isabelle}
-\noindent
-and verify the four simple properties
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-i)~~@{thm add_assoc[where a="\<pi>\<^isub>1" and b="\<pi>\<^isub>2" and c="\<pi>\<^isub>3"]}\smallskip\\
-ii)~~@{thm monoid_add_class.add_0_left[where a="\<pi>::perm"]} \hspace{9mm}
-iii)~~@{thm monoid_add_class.add_0_right[where a="\<pi>::perm"]} \hspace{9mm}
-iv)~~@{thm group_add_class.left_minus[where a="\<pi>::perm"]}
-\end{tabular}\hfill\numbered{grouplaws}
-\end{isabelle}
-\noindent
-The technical importance of this fact is that we can rely on
-Isabelle/HOL's existing simplification infrastructure for groups, which will
-come in handy when we have to do calculations with permutations.
-Note that Isabelle/HOL defies standard conventions of mathematical notation
-by using additive syntax even for non-commutative groups.  Obviously,
-composition of permutations is not commutative in general; for example
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "(a b) + (b c) \<noteq> (b c) + (a b)"}\;.
-\end{isabelle}
-\noindent
-But since the point of this paper is to implement the
-nominal theory as smoothly as possible in Isabelle/HOL, we tolerate
-the non-standard notation in order to reuse the existing libraries.
-A \emph{permutation operation}, written infix as @{text "\<pi> \<bullet> x"},
-applies a permutation @{text "\<pi>"} to an object @{text "x"}.  This
-operation has the type
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "_ \<bullet> _ :: perm \<Rightarrow> \<beta> \<Rightarrow> \<beta>"}
-\end{isabelle}
-\noindent
-whereby @{text "\<beta>"} is a generic type for the object @{text
-x}.\footnote{We will write @{text "((op \<bullet>) \<pi>)
-x"} for this operation in the few cases where we need to indicate
-that it is a function applied with two arguments.}  The definition
-of this operation will be given by in terms of `induction' over this
-generic type. The type-class mechanism of Isabelle/HOL
-\cite{Wenzel04} allows us to give a definition for `base' types,
-such as atoms, permutations, booleans and natural numbers:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
-atoms: & @{thm permute_atom_def[where p="\<pi>",no_vars, THEN eq_reflection]}\\
-permutations: & @{thm permute_perm_def[where p="\<pi>" and q="\<pi>'", THEN eq_reflection]}\\
-booleans: & @{thm permute_bool_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-nats: & @{thm permute_nat_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-\end{tabular}\hfill\numbered{permdefsbase}
-\end{isabelle}
-\noindent
-and for type-constructors, such as functions, sets, lists and products:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
-functions: &  @{text "\<pi> \<bullet> f \<equiv> \<lambda>x. \<pi> \<bullet> (f ((-\<pi>) \<bullet> x))"}\\
-sets: & @{thm permute_set_eq[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-lists: & @{thm permute_list.simps(1)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-& @{thm permute_list.simps(2)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-products: & @{thm permute_prod.simps[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-\end{tabular}\hfill\numbered{permdefsconstrs}
-\end{isabelle}
-\noindent
-The type classes also allow us to reason abstractly about the permutation operation.
-For this we state the following two
-\emph{permutation properties}:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
-i) & @{thm permute_zero[no_vars]}\\
-ii) & @{thm permute_plus[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2",no_vars]}
-\end{tabular}\hfill\numbered{newpermprops}
-\end{isabelle}
-\noindent
-From these properties and law (\ref{grouplaws}.{\it iv}) about groups
-follows that a permutation and its inverse cancel each other. That is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm permute_minus_cancel(1)[where p="\<pi>", no_vars]}\hspace{10mm}
-@{thm permute_minus_cancel(2)[where p="\<pi>", no_vars]}
-\end{tabular}\hfill\numbered{cancel}
-\end{isabelle}
-\noindent
-Consequently, the permutation operation @{text "\<pi> \<bullet> _"}~~is bijective,
-which in turn implies the property
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm (lhs) permute_eq_iff[where p="\<pi>", no_vars]}
-$\;$if and only if$\;$
-@{thm (rhs) permute_eq_iff[where p="\<pi>", no_vars]}.
-\end{tabular}\hfill\numbered{permuteequ}
-\end{isabelle}
-\noindent
-We can also show that the following property holds for the permutation
-operation.
-\begin{lemma}\label{permutecompose}
-@{text "\<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x) = (\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}.
-\end{lemma}
-\begin{proof} The proof is as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}c@ {\hspace{2mm}}l@ {\hspace{8mm}}l}
-& @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> x"}\\
-@{text "="} & @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> (-\<pi>\<^isub>1) \<bullet> \<pi>\<^isub>1 \<bullet> x"} & by \eqref{cancel}\\
-@{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2 - \<pi>\<^isub>1) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}  & by {\rm(\ref{newpermprops}.@{text "ii"})}\\
-@{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}\\
-\end{tabular}\hfill\qed
-\end{isabelle}
-\end{proof}
-\noindent
-Note that the permutation operation for functions is defined so that
-we have for applications the equation
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<pi> \<bullet> (f x) ="}
-@{thm (rhs) permute_fun_app_eq[where p="\<pi>", no_vars]}
-\hfill\numbered{permutefunapp}
-\end{isabelle}
-\noindent
-provided the permutation properties hold for @{text x}. This equation can
-be easily shown by unfolding the permutation operation for functions on
-the right-hand side of the equation, simplifying the resulting beta-redex
-and eliminating the permutations in front of @{text x} using \eqref{cancel}.
-The main benefit of the use of type classes is that it allows us to delegate
-much of the routine resoning involved in determining whether the permutation properties
-are satisfied to Isabelle/HOL's type system: we only have to
-establish that base types satisfy them and that type-constructors
-preserve them. Then Isabelle/HOL will use this information and determine
-whether an object @{text x} with a compound type, like @{typ "atom \<Rightarrow> (atom set * nat)"}, satisfies the
-permutation properties.  For this we define the notion of a
-\emph{permutation type}:
-\begin{definition}[Permutation Type]
-A type @{text "\<beta>"} is a \emph{permutation type} if the permutation
-properties in \eqref{newpermprops} are satisfied for every @{text
-"x"} of type @{text "\<beta>"}.
-\end{definition}
-\noindent
-and establish:
-\begin{theorem}
-The types @{type atom}, @{type perm}, @{type bool} and @{type nat}
-are permutation types, and if @{text \<beta>}, @{text "\<beta>\<^isub>1"} and @{text
-"\<beta>\<^isub>2"} are permutation types, then so are \mbox{@{text "\<beta>\<^isub>1 \<Rightarrow> \<beta>\<^isub>2"}},
-@{text "\<beta> set"}, @{text "\<beta> list"} and @{text "\<beta>\<^isub>1 \<times> \<beta>\<^isub>2"}.
-\end{theorem}
-\begin{proof}
-All statements are by unfolding the definitions of the permutation
-operations and simple calculations involving addition and
-minus. In case of permutations for example we have
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl}
-@{text "0 \<bullet> \<pi>'"} & @{text "\<equiv>"} & @{text "0 + \<pi>' - 0 = \<pi>'"}\smallskip\\
-@{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) \<bullet> \<pi>'"} & @{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) + \<pi>' - (\<pi>\<^isub>1 + \<pi>\<^isub>2)"}\\
-& @{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) + \<pi>' - \<pi>\<^isub>2 - \<pi>\<^isub>1"}\\
-& @{text "="} & @{text "\<pi>\<^isub>1 + (\<pi>\<^isub>2 + \<pi>' - \<pi>\<^isub>2) - \<pi>\<^isub>1"}\\
-& @{text "\<equiv>"} & @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> \<pi>'"}
-\end{tabular}\hfill\qed
-\end{isabelle}
-\end{proof}
-*}
-section {* Equivariance *}
-text {*
-(mention alpha-structural paper by Andy)
-Two important notions in the nominal logic work are what Pitts calls
-\emph{equivariance} and the \emph{equivariance principle}.  These
-notions allows us to characterise how permutations act upon compound
-statements in HOL by analysing how these statements are constructed.
-The notion of equivariance means that an object is invariant under
-any permutations. This can be defined as follows:
-\begin{definition}[Equivariance]\label{equivariance}
-An object @{text "x"} of permutation type is \emph{equivariant} provided
-for all permutations @{text "\<pi>"}, \mbox{@{term "\<pi> \<bullet> x = x"}} holds.
-\end{definition}
-\noindent
-In what follows we will primarily be interested in the cases where
-@{text x} is a constant, but of course there is no way in
-Isabelle/HOL to restrict this definition to just these cases.
-There are a number of equivalent formulations for equivariance.
-For example, assuming @{text f} is a function of permutation
-type @{text "\<alpha> \<Rightarrow> \<beta>"}, then equivariance of @{text f} can also be stated as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<forall>\<pi> x.  \<pi> \<bullet> (f x) = f (\<pi> \<bullet> x)"}
-\end{tabular}\hfill\numbered{altequivariance}
-\end{isabelle}
-\noindent
-We will say this formulation of equivariance is in \emph{fully applied form}.
-To see that this formulation implies the definition, we just unfold
-the definition of the permutation operation for functions and
-simplify with the equation and the cancellation property shown in
-\eqref{cancel}. To see the other direction, we use
-\eqref{permutefunapp}. Similarly for functions that take more than
-one argument. The point to note is that equivariance and equivariance in fully
-applied form are always interderivable (for permutation types).
-Both formulations of equivariance have their advantages and
-disadvantages: \eqref{altequivariance} is usually more convenient to
-establish, since statements in HOL are commonly given in a
-form where functions are fully applied. For example we can easily
-show that equality is equivariant
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm eq_eqvt[where p="\<pi>", no_vars]}
-\end{tabular}\hfill\numbered{eqeqvt}
-\end{isabelle}
-\noindent
-using the permutation operation on booleans and property
-\eqref{permuteequ}.
-Lemma~\ref{permutecompose} establishes that the
-permutation operation is equivariant. The permutation operation for
-lists and products, shown in \eqref{permdefsconstrs}, state that the
-constructors for products, @{text "Nil"} and @{text Cons} are
-equivariant. Furthermore a simple calculation will show that our
-swapping functions are equivariant, that is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm swap_eqvt[where p="\<pi>", no_vars]}
-\end{tabular}\hfill\numbered{swapeqvt}
-\end{isabelle}
-\noindent
-for all @{text a}, @{text b} and @{text \<pi>}. Also the booleans
-@{const True} and @{const False} are equivariant by the definition
-of the permutation operation for booleans. Given this definition, it
-is also easy to see that the boolean operators, like @{text "\<and>"},
-@{text "\<or>"}, @{text "\<longrightarrow>"} and  @{text "\<not>"} are equivariant:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}lcl}
-@{text "\<pi> \<bullet> (A \<and> B) = (\<pi> \<bullet> A) \<and> (\<pi> \<bullet> B)"}\\
-@{text "\<pi> \<bullet> (A \<or> B) = (\<pi> \<bullet> A) \<or> (\<pi> \<bullet> B)"}\\
-@{text "\<pi> \<bullet> (A \<longrightarrow> B) = (\<pi> \<bullet> A) \<longrightarrow> (\<pi> \<bullet> B)"}\\
-@{text "\<pi> \<bullet> (\<not>A) = \<not>(\<pi> \<bullet> A)"}\\
-\end{tabular}
-\end{isabelle}
-In contrast, the advantage of Definition \ref{equivariance} is that
-it allows us to state a general principle how permutations act on
-statements in HOL.  For this we will define a rewrite system that
-`pushes' a permutation towards the leaves of statements (i.e.~constants
-and variables).  Then the permutations disappear in cases where the
-constants are equivariant.  To do so, let us first define
-\emph{HOL-terms}, which are the building blocks of statements in HOL.
-They are given by the grammar
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "t ::= c | x | t\<^isub>1 t\<^isub>2 | \<lambda>x. t"}
-\hfill\numbered{holterms}
-\end{isabelle}
-\noindent
-where @{text c} stands for constants and @{text x} for variables.
-We assume HOL-terms are fully typed, but for the sake of better
-legibility we leave the typing information implicit.  We also assume
-the usual notions for free and bound variables of a HOL-term.
-Furthermore, HOL-terms are regarded as equal modulo alpha-, beta-
-and eta-equivalence. The equivariance principle can now
-be stated formally as follows:
-\begin{theorem}[Equivariance Principle]\label{eqvtprin}
-Suppose a HOL-term @{text t} whose constants are all equivariant. For any
-permutation @{text \<pi>}, let @{text t'} be @{text t} except every
-free variable @{text x} in @{term t} is replaced by @{text "\<pi> \<bullet> x"}, then
-@{text "\<pi> \<bullet> t = t'"}.
-\end{theorem}
-\noindent
-The significance of this principle is that we can automatically establish
-the equivariance of a constant for which equivariance is not yet
-known. For this we only have to establish that the definiens of this
-constant is a HOL-term whose constants are all equivariant.
-This meshes well with how HOL is designed: except for a few axioms, every constant
-is defined in terms of existing constants. For example an alternative way
-to deduce that @{term True} is equivariant is to look at its
-definition
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{thm True_def}
-\end{isabelle}
-\noindent
-and observing that the only constant in the definiens, namely @{text "="}, is
-equivariant. Similarly, the universal quantifier @{text "\<forall>"} is definied in HOL as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<forall>x. P x \<equiv> "}~@{thm (rhs) All_def[no_vars]}
-\end{isabelle}
-\noindent
-The constants in the definiens @{thm (rhs) All_def[no_vars]}, namely @{text "="}
-and @{text "True"}, are equivariant (we shown this above). Therefore
-the equivariance principle gives us
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{r@ {\hspace{1mm}}c@ {\hspace{1mm}}l}
-@{text "\<pi> \<bullet> (\<forall>x. P x)"} & @{text "\<equiv>"} & @{text "\<pi> \<bullet> (P = (\<lambda>x. True))"}\\
-& @{text "="} & @{text "(\<pi> \<bullet> P) = (\<lambda>x. True)"}\\
-& @{text "\<equiv>"} & @{text "\<forall>x. (\<pi> \<bullet> P) x"}
-\end{tabular}
-\end{isabelle}
-\noindent
-which means the constant @{text "\<forall>"} must be equivariant. From this
-we can deduce that the existential quantifier @{text "\<exists>"} is equivariant.
-Its definition in HOL is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<exists>x. P x \<equiv> "}~@{thm (rhs) Ex_def[no_vars]}
-\end{isabelle}
-\noindent
-where again the HOL-term on the right-hand side only contains equivariant constants
-(namely @{text "\<forall>"} and @{text "\<longrightarrow>"}). Taking both facts together, we can deduce that
-the unique existential quantifier @{text "\<exists>!"} is equivariant. Its definition
-is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<exists>!x. P x \<equiv> "}~@{thm (rhs) Ex1_def[no_vars]}
-\end{isabelle}
-\noindent
-with all constants on the right-hand side being equivariant. With this kind
-of reasoning we can build up a database of equivariant constants, which will
-be handy for more complex calculations later on.
-Before we proceed, let us give a justification for the equivariance principle.
-This justification cannot be given directly inside Isabelle/HOL since we cannot
-prove any statement about HOL-terms. Instead, we will use a rewrite
-system consisting of a series of equalities
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{text "\<pi> \<cdot> t  =  ...  =  t'"}
-\end{isabelle}
-\noindent
-that establish the equality between @{term "\<pi> \<bullet> t"} and
-@{text "t'"}. The idea of the rewrite system is to push the
-permutation inside the term @{text t}. We have implemented this as a
-conversion tactic on the ML-level of Isabelle/HOL.  In what follows,
-we will show that this tactic produces only finitely many equations
-and also show that it is correct (in the sense of pushing a permutation
-@{text "\<pi>"} inside a term and the only remaining instances of @{text
-"\<pi>"} are in front of the term's free variables).
-The tactic applies four `oriented' equations.
-We will first give a naive version of
-our tactic, which however in some corner cases produces incorrect
-results or does not terminate.  We then give a modification in order
-to obtain the desired properties.
-Consider the following for oriented equations
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}lr@ {\hspace{3mm}}c@ {\hspace{3mm}}l}
-i) & @{text "\<pi> \<bullet> (t\<^isub>1 t\<^isub>2)"} & \rrh & @{term "(\<pi> \<bullet> t\<^isub>1) (\<pi> \<bullet> t\<^isub>2)"}\\
-ii) & @{text "\<pi> \<bullet> (\<lambda>x. t)"} & \rrh & @{text "\<lambda>x. \<pi> \<bullet> (t[x :=  (-\<pi>) \<bullet> x])"}\\
-iii) & @{term "\<pi> \<bullet> (- \<pi>) \<bullet> x"} & \rrh & @{term "x"}\\
-iv) &  @{term "\<pi> \<bullet> c"} & \rrh &
-{\rm @{term "c"}\hspace{6mm}provided @{text c} is equivariant}\\
-\end{tabular}\hfill\numbered{rewriteapplam}
-\end{isabelle}
-\noindent
-These equation are oriented in the sense of being applied in the left-to-right
-direction. The first equation we established in \eqref{permutefunapp};
-the second follows from the definition of permutations acting on functions
-and the fact that HOL-terms are equal modulo beta-equivalence.
-The third is a consequence of \eqref{cancel} and the fourth from
-Definition~\ref{equivariance}. Unfortunately, we have to be careful with
-the rules {\it i)} and {\it iv}) since they can lead to loops whenever
-\mbox{@{text "t\<^isub>1 t\<^isub>2"}} is of the form @{text "((op \<bullet>) \<pi>') t"}.
-Recall that we established in Lemma \ref{permutecompose} that the
-constant @{text "(op \<bullet>)"} is equivariant and consider the infinite
-reduction sequence
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<pi> \<bullet> (\<pi>' \<bullet> t)"}
-$\;\;\stackrel{\text{\it i)}}{\rrh}\stackrel{\text{\it i)}}{\rrh}\stackrel{\text{\it iv)}}{\rrh}\;\;$
-@{text "(\<pi> \<bullet> \<pi>') \<bullet> (\<pi> \<bullet> t)"}
-$\;\;\stackrel{\text{\it i)}}{\rrh}\stackrel{\text{\it i)}}{\rrh}\stackrel{\text{\it iv)}}{\rrh}\;\;$
-@{text "((\<pi> \<bullet> \<pi>') \<bullet> \<pi>) \<bullet> ((\<pi> \<bullet> \<pi>') \<bullet> t)"}~~\ldots%
-\end{tabular}
-\end{isabelle}
-\noindent
-where the last term is again an instance of rewrite rule {\it i}), but larger.
-To avoid this loop we will apply the rewrite rule
-using an `outside to inside' strategy.  This strategy is sufficient
-since we are only interested of rewriting terms of the form @{term
-"\<pi> \<bullet> t"}, where an outermost permutation needs to pushed inside a term.
-Another problem we have to avoid is that the rules {\it i)} and {\it
-iii)} can `overlap'. For this note that the term @{term "\<pi>
-\<bullet>(\<lambda>x. x)"} reduces by {\it ii)} to @{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet> x"}, to
-which we can apply rule {\it iii)} in order to obtain @{term
-"\<lambda>x. x"}, as is desired: since there is no free variable in the original
-term, the permutation should completely vanish. However, the
-subterm @{text "(- \<pi>) \<bullet> x"} is also an application. Consequently,
-the term @{term "\<lambda>x. \<pi> \<bullet> (- \<pi>) \<bullet>x"} can also reduce to @{text "\<lambda>x. (- (\<pi>
-\<bullet> \<pi>)) \<bullet> (\<pi> \<bullet> x)"} using {\it i)}.  Given our strategy, we cannot
-apply rule {\it iii)} anymore in order to eliminate the permutation.
-In contrast, if we start
-with the term @{text "\<pi> \<bullet> ((- \<pi>) \<bullet> x)"} where @{text \<pi>} and @{text
-x} are free variables, then we \emph{do} want to apply rule {\it i)}
-in order to obtain @{text "(\<pi> \<bullet> (- \<pi>)) \<bullet> (\<pi> \<bullet> x)"}
-and not rule {\it iii)}. The latter would eliminate @{text \<pi>}
-completely and thus violating our correctness property. The problem is that
-rule {\it iii)} should only apply to
-instances where the corresponding variable is to bound; for free variables we want
-to use {\it ii)}.  In order to distinguish these cases we have to
-maintain the information which variable is bound when inductively
-taking a term `apart'. This, unfortunately, does not mesh well with
-the way how conversion tactics are implemented in Isabelle/HOL.
-Our remedy is to use a standard trick in HOL: we introduce a
-separate definition for terms of the form @{text "(- \<pi>) \<bullet> x"},
-namely as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-@{term "unpermute \<pi> x \<equiv> (- \<pi>) \<bullet> x"}
-\end{isabelle}
-\noindent
-The point is that now we can re-formulate the rewrite rules as follows
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}lrcl}
-i') & @{text "\<pi> \<bullet> (t\<^isub>1 t\<^isub>2)"} & \rrh &
-@{term "(\<pi> \<bullet> t\<^isub>1) (\<pi> \<bullet> t\<^isub>2)"}\hspace{45mm}\mbox{}\\
-\multicolumn{4}{r}{\rm provided @{text "t\<^isub>1 t\<^isub>2"} is not of the form @{text "unpermute \<pi> x"}}\smallskip\\
-ii') & @{text "\<pi> \<bullet> (\<lambda>x. t)"} & \rrh & @{text "\<lambda>x. \<pi> \<bullet> (t[x := unpermute \<pi> x])"}\\
-iii') & @{text "\<pi> \<bullet> (unpermute \<pi> x)"} & \rrh & @{term x}\\
-iv') &  @{term "\<pi> \<bullet> c"} & \rrh & @{term "c"}
-\hspace{6mm}{\rm provided @{text c} is equivariant}\\
-\end{tabular}
-\end{isabelle}
-\noindent
-where @{text unpermutes} are only generated in case of bound variables.
-Clearly none of these rules overlap. Moreover, given our
-outside-to-inside strategy, applying them repeatedly must terminate.
-To see this, notice that
-the permutation on the right-hand side of the rewrite rules is
-always applied to a smaller term, provided we take the measure consisting
-of lexicographically ordered pairs whose first component is the size
-of a term (counting terms of the form @{text "unpermute \<pi> x"} as
-leaves) and the second is the number of occurences of @{text
-"unpermute \<pi> x"} and @{text "\<pi> \<bullet> c"}.
-With the rewrite rules of the conversions tactic in place, we can
-establish its correctness. The property we are after is that
-for a HOL-term @{text t} whose constants are all equivariant the
-term \mbox{@{text "\<pi> \<bullet> t"}} is equal to @{text "t'"} with @{text "t'"}
-being equal to @{text t} except that every free variable @{text x}
-in @{text t} is replaced by \mbox{@{text "\<pi> \<bullet> x"}}. Let us call
-a variable @{text x} \emph{really free}, if it is free and not occuring
-in an @{term unpermute}, such as @{text "unpermute _ x"} and @{text "unpermute x _"}.
-We need the following technical notion characterising \emph{@{text "\<pi>"}-proper} HOL-terms
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}ll}
-$\bullet$ & variables and constants are @{text \<pi>}-proper,\\
-$\bullet$ & @{term "unpermute \<pi> x"} is @{text \<pi>}-proper,\\
-$\bullet$ & @{term "\<lambda>x. t"} is @{text \<pi>}-proper, if @{text t} is @{text \<pi>}-proper and @{text x} is
-really free in @{text t}, and\\
-$\bullet$ & @{term "t\<^isub>1 t\<^isub>2"} is @{text \<pi>}-proper, if @{text "t\<^isub>1"} and @{text "t\<^isub>2"} are
-@{text \<pi>}-proper.
-\end{tabular}
-\end{isabelle}
-\begin{proof}[Theorem~\ref{eqvtprin}] We establish the property if @{text t}
-is @{text \<pi>}-proper and only contains equivaraint constants, then
-@{text "\<pi> \<bullet> t = t'"} where @{text "t'"} is equal to @{text "t"} except all really
-free variables @{text x} are replaced by @{text "\<pi> \<bullet> x"}, and all semi-free variables
-@{text "unpermute \<pi> x"} by @{text "x"}. We establish this property by induction
-on the size of HOL-terms, counting terms like @{text "unpermuting \<pi> x"} as leafes,
-like variables and constants. The cases for variables, constants and @{text unpermutes}
-are routine. In the case of abstractions we have by induction hypothesis that
-@{text "\<pi> \<bullet> (t[x := unpermute \<pi> x]) = t'"} with @{text "t'"} satisfying our
-correctness property. This implies that @{text "\<lambda>x. \<pi> \<bullet> (t[x := unpermute \<pi> x]) = \<lambda>x. t'"}
-and hence @{text "\<pi> \<bullet> (\<lambda>x. t) = \<lambda>x. t'"} as needed.\hfill\qed
-\end{proof}
-Pitts calls this property \emph{equivariance principle} (book ref ???).
-Problems with @{text undefined}
-Lines of code
-*}
-section {* Support and Freshness *}
-text {*
-The most original aspect of the nominal logic work of Pitts is a general
-definition for `the set of free variables, or free atoms, of an object @{text "x"}'.  This
-definition is general in the sense that it applies not only to lambda terms,
-but to any type for which a permutation operation is defined
-(like lists, sets, functions and so on).
-\begin{definition}[Support] \label{support}
-Given @{text x} is of permutation type, then
-@{thm [display,indent=10] supp_def[no_vars, THEN eq_reflection]}
-\end{definition}
-\noindent
-(Note that due to the definition of swapping in \eqref{swapdef}, we do not
-need to explicitly restrict @{text a} and @{text b} to have the same sort.)
-There is also the derived notion for when an atom @{text a} is \emph{fresh}
-for an @{text x} of permutation type, defined as
-@{thm [display,indent=10] fresh_def[no_vars]}
-\noindent
-We also use the notation @{thm (lhs) fresh_star_def[no_vars]} for sets ot atoms
-defined as follows
-@{thm [display,indent=10] fresh_star_def[no_vars]}
-\noindent
-Using the equivariance principle, it can be easily checked that all three notions
-are equivariant. A simple consequence of the definition of support and equivariance
-is that if @{text x} is equivariant then we have
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm  (concl) supp_fun_eqvt[where f="x", no_vars]}
-\end{tabular}\hfill\numbered{suppeqvtfun}
-\end{isabelle}
-\noindent
-For function applications we can establish the following two properties.
-\begin{lemma}\label{suppfunapp} Let @{text f} and @{text x} be of permutation type, then
-\begin{isabelle}
-\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
-{\it i)} & @{thm[mode=IfThen] fresh_fun_app[no_vars]}\\
-{\it ii)} & @{thm supp_fun_app[no_vars]}\\
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-For the first property, we know from the assumption that @{term
-"finite {b. (a \<rightleftharpoons> b) \<bullet> f \<noteq> f}"} and @{term "finite {b . (a \<rightleftharpoons> b) \<bullet> x \<noteq>
-x}"} hold. That means for all, but finitely many @{text b} we have
-@{term "(a \<rightleftharpoons> b) \<bullet> f = f"} and @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}. Similarly,
-we have to show that for but, but finitely @{text b} the equation
-@{term "(a \<rightleftharpoons> b) \<bullet> f x = f x"} holds. The left-hand side of this
-equation is equal to @{term "((a \<rightleftharpoons> b) \<bullet> f) ((a \<rightleftharpoons> b) \<bullet> x)"} by
-\eqref{permutefunapp}, which we know by the previous two facts for
-@{text f} and @{text x} is equal to the right-hand side for all,
-but finitely many @{text b}. This establishes the first
-property. The second is a simple corollary of {\it i)} by
-unfolding the definition of freshness.\qed
-\end{proof}
-A striking consequence of the definitions for support and freshness
-is that we can prove without knowing anything about the structure of
-@{term x} that swapping two fresh atoms, say @{text a} and @{text
-b}, leave @{text x} unchanged. For the proof we use the following
-lemma about swappings applied to an @{text x}:
-\begin{lemma}\label{swaptriple}
-Assuming @{text x} is of permutation type, and @{text a}, @{text b} and @{text c}
-have the same sort, then \mbox{@{thm (prem 3) swap_rel_trans[no_vars]}} and
-@{thm (prem 4) swap_rel_trans[no_vars]} imply @{thm (concl) swap_rel_trans[no_vars]}.
-\end{lemma}
-\begin{proof}
-The cases where @{text "a = c"} and @{text "b = c"} are immediate.
-For the remaining case it is, given our assumptions, easy to calculate
-that the permutations
-@{thm [display,indent=10] (concl) swap_triple[no_vars]}
-\noindent
-are equal. The lemma is then by application of the second permutation
-property shown in~\eqref{newpermprops}.\qed
-\end{proof}
-\begin{theorem}\label{swapfreshfresh}
-Let @{text x} be of permutation type.
-@{thm [mode=IfThen] swap_fresh_fresh[no_vars]}
-\end{theorem}
-\begin{proof}
-If @{text a} and @{text b} have different sort, then the swapping is the identity.
-If they have the same sort, we know by definition of support that both
-@{term "finite {c. (a \<rightleftharpoons> c) \<bullet> x \<noteq> x}"} and  @{term "finite {c. (b \<rightleftharpoons> c) \<bullet> x \<noteq> x}"}
-hold. So the union of these sets is finite too, and we know by Proposition~\ref{choosefresh}
-that there is an atom @{term c}, with the same sort as @{term a} and @{term b},
-that satisfies \mbox{@{term "(a \<rightleftharpoons> c) \<bullet> x = x"}} and @{term "(b \<rightleftharpoons> c) \<bullet> x = x"}.
-Now the theorem follows from Lemma~\ref{swaptriple}.\hfill\qed
-\end{proof}
-While the abstract properties of support and freshness, particularly
-Theorem~\ref{swapfreshfresh}, are useful for developing Nominal Isabelle,
-one often has to calculate the support of concrete objects.
-For booleans, nats, products and lists it is easy to check that
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
-@{text "booleans"}: & @{term "supp b = {}"}\\
-@{text "nats"}:     & @{term "supp n = {}"}\\
-@{text "products"}: & @{thm supp_Pair[no_vars]}\\
-@{text "lists:"} & @{thm supp_Nil[no_vars]}\\
-& @{thm supp_Cons[no_vars]}\\
-\end{tabular}
-\end{isabelle}
-\noindent
-hold.  Establishing the support of atoms and permutations is a bit
-trickier. To do so we will use the following notion about a \emph{supporting set}.
-\begin{definition}[Supporting Set]
-A set @{text S} \emph{supports} @{text x} if for all atoms @{text a} and @{text b}
-not in @{text S} we have @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}.
-\end{definition}
-\noindent
-The main motivation for this notion is that we can characterise @{text "supp x"}
-as the smallest finite set that supports @{text "x"}. For this we prove:
-\begin{lemma}\label{supports} Let @{text x} be of permutation type.
-\begin{isabelle}
-\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
-i)    & @{thm[mode=IfThen] supp_is_subset[no_vars]}\\
-ii)   & @{thm[mode=IfThen] supp_supports[no_vars]}\\
-iii)  & @{thm (concl) supp_is_least_supports[no_vars]}
-provided @{thm (prem 1) supp_is_least_supports[no_vars]},
-@{thm (prem 2) supp_is_least_supports[no_vars]}
-and @{text "S"} is the least such set, that means formally,
-for all @{text "S'"}, if @{term "finite S'"} and
-@{term "S' supports x"} then @{text "S \<subseteq> S'"}.
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-For {\it i)} we derive a contradiction by assuming there is an atom @{text a}
-with @{term "a \<in> supp x"} and @{text "a \<notin> S"}. Using the second fact, the
-assumption that @{term "S supports x"} gives us that @{text S} is a superset of
-@{term "{b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"}, which is finite by the assumption of @{text S}
-being finite. But this means @{term "a \<notin> supp x"}, contradicting our assumption.
-Property {\it ii)} is by a direct application of
-Theorem~\ref{swapfreshfresh}. For the last property, part {\it i)} proves
-one ``half'' of the claimed equation. The other ``half'' is by property
-{\it ii)} and the fact that @{term "supp x"} is finite by {\it i)}.\hfill\qed
-\end{proof}
-\noindent
-These are all relatively straightforward proofs adapted from the existing
-nominal logic work. However for establishing the support of atoms and
-permutations we found  the following `optimised' variant of {\it iii)}
-more useful:
-\begin{lemma}\label{optimised} Let @{text x} be of permutation type.
-We have that @{thm (concl) finite_supp_unique[no_vars]}
-provided @{thm (prem 1) finite_supp_unique[no_vars]},
-@{thm (prem 2) finite_supp_unique[no_vars]}, and for
-all @{text "a \<in> S"} and all @{text "b \<notin> S"}, with @{text a}
-and @{text b} having the same sort, \mbox{@{term "(a \<rightleftharpoons> b) \<bullet> x \<noteq> x"}}
-\end{lemma}
-\begin{proof}
-By Lemma \ref{supports}@{text ".iii)"} we have to show that for every finite
-set @{text S'} that supports @{text x}, \mbox{@{text "S \<subseteq> S'"}} holds. We will
-assume that there is an atom @{text "a"} that is element of @{text S}, but
-not @{text "S'"} and derive a contradiction.  Since both @{text S} and
-@{text S'} are finite, we can by Proposition \ref{choosefresh} obtain an atom
-@{text b}, which has the same sort as @{text "a"} and for which we know
-@{text "b \<notin> S"} and @{text "b \<notin> S'"}. Since we assumed @{text "a \<notin> S'"} and
-we have that @{text "S' supports x"}, we have on one hand @{term "(a \<rightleftharpoons> b) \<bullet> x
-= x"}. On the other hand, the fact @{text "a \<in> S"} and @{text "b \<notin> S"} imply
-@{term "(a \<rightleftharpoons> b) \<bullet> x \<noteq> x"} using the assumed implication. This gives us the
-contradiction.\hfill\qed
-\end{proof}
-\noindent
-Using this lemma we only have to show the following three proof-obligations
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}l}
-i)   & @{term "{c} supports c"}\\
-ii)  & @{term "finite {c}"}\\
-iii) & @{text "\<forall>a \<in> {c} b \<notin> {c}. sort a = sort b \<longrightarrow> (a b) \<bullet> c \<noteq> c"}
-\end{tabular}
-\end{isabelle}
-\noindent
-in order to establish that @{thm supp_atom[where a="c", no_vars]} holds.  In
-Isabelle/HOL these proof-obligations can be discharged by easy
-simplifications. Similar proof-obligations arise for the support of
-permutations, which is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm supp_perm[where p="\<pi>", no_vars]}
-\end{tabular}
-\end{isabelle}
-\noindent
-The only proof-obligation that is
-interesting is the one where we have to show that
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "If \<pi> \<bullet> a \<noteq> a, \<pi> \<bullet> b = b and sort a = sort b, then (a b) \<bullet> \<pi> \<noteq> \<pi>"}.
-\end{tabular}
-\end{isabelle}
-\noindent
-For this we observe that
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}rcl}
-@{thm (lhs) perm_swap_eq[where p="\<pi>", no_vars]} &
-if and only if &
-@{thm (rhs) perm_swap_eq[where p="\<pi>", no_vars]}
-\end{tabular}
-\end{isabelle}
-\noindent
-holds by a simple calculation using the group properties of permutations.
-The proof-obligation can then be discharged by analysing the inequality
-between the permutations @{term "(\<pi> \<bullet> a \<rightleftharpoons> b)"} and @{term "(a \<rightleftharpoons> b)"}.
-The main point about support is that whenever an object @{text x} has finite
-support, then Proposition~\ref{choosefresh} allows us to choose for @{text x} a
-fresh atom with arbitrary sort. This is a crucial operation in Nominal
-Isabelle in situations where, for example, a bound variable needs to be
-renamed. To allow such a choice, we only have to assume that
-@{text "finite (supp x)"} holds. For more convenience we
-can define a type class in Isabelle/HOL corresponding to the
-property:
-\begin{definition}[Finitely Supported Type]
-A type @{text "\<beta>"} is \emph{finitely supported} if @{term "finite (supp x)"}
-holds for all @{text x} of type @{text "\<beta>"}.
-\end{definition}
-\noindent
-By the calculations above we can easily establish
-\begin{theorem}\label{finsuptype}
-The types @{type atom}, @{type perm}, @{type bool} and @{type nat}
-are fintitely supported, and assuming @{text \<beta>}, @{text "\<beta>\<^isub>1"} and
-@{text "\<beta>\<^isub>2"} are finitely supported types, then @{text "\<beta> list"} and
-@{text "\<beta>\<^isub>1 \<times> \<beta>\<^isub>2"} are finitely supported.
-\end{theorem}
-\noindent
-The main benefit of using the finite support property for choosing a
-fresh atom is that the reasoning is `compositional'. To see this,
-assume we have a list of atoms and a method of choosing a fresh atom
-that is not a member in this list---for example the maximum plus
-one.  Then if we enlarge this list \emph{after} the choice, then
-obviously the fresh atom might not be fresh anymore. In contrast, by
-the classical reasoning of Proposition~\ref{choosefresh} we know a
-fresh atom exists for every list of atoms and no matter how we
-extend this list of atoms, we always preserve the property of being
-finitely supported. Consequently the existence of a fresh atom is
-still guarantied by Proposition~\ref{choosefresh}.  Using the method
-of `maximum plus one' we might have to adapt the choice of a fresh
-atom.
-Unfortunately, Theorem~\ref{finsuptype} does not work in general for the
-types of sets and functions.  There are functions definable in HOL
-for which the finite support property does not hold.  A simple
-example of a function with infinite support is @{const nat_of} shown
-in \eqref{sortnatof}.  This function's support is the set of
-\emph{all} atoms @{term "UNIV::atom set"}.  To establish this we
-show @{term "\<not> a \<sharp> nat_of"}. This is equivalent to assuming the set
-@{term "{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite and deriving a
-contradiction. From the assumption we also know that @{term "{a} \<union>
-{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
-Proposition~\ref{choosefresh} to choose an atom @{text c} such that
-@{term "c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c)
-\<bullet> nat_of = nat_of"}.  Now we can reason as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl@ {\hspace{5mm}}l}
-@{text "nat_of a"} & @{text "="} & @{text "(a \<rightleftharpoons> c) \<bullet> (nat_of a)"} & by def.~of permutations on nats\\
-& @{text "="} & @{term "((a \<rightleftharpoons> c) \<bullet> nat_of) ((a \<rightleftharpoons> c) \<bullet> a)"} & by \eqref{permutefunapp}\\
-& @{text "="} & @{term "nat_of c"} & by assumptions on @{text c}\\
-\end{tabular}
-\end{isabelle}
-\noindent
-But this means we have that @{term "nat_of a = nat_of c"} and @{term "sort_of a = sort_of c"}.
-This implies that atoms @{term a} and @{term c} must be equal, which clashes with our
-assumption @{term "c \<noteq> a"} about how we chose @{text c}.\footnote{Cheney \cite{Cheney06}
-gives similar examples for constructions that have infinite support.}
-*}
-section {* Support of Finite Sets *}
-text {*
-Also the set type is an instance whose elements are not generally finitely
-supported (we will give an example in Section~\ref{concrete}).
-However, we can easily show that finite sets and co-finite sets of atoms are finitely
-supported. Their support can be characterised as:
-\begin{lemma}\label{finatomsets}
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rl}
-{\it i)} & If @{text S} is a finite set of atoms, then @{thm (concl) supp_finite_atom_set[no_vars]}.\\
-{\it ii)} & If @{term "UNIV - (S::atom set)"} is a finite set of atoms, then
-@{thm (concl) supp_cofinite_atom_set[no_vars]}.
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-Both parts can be easily shown by Lemma~\ref{optimised}.  We only have to observe
-that a swapping @{text "(a b)"} leaves a set @{text S} unchanged provided both
-@{text a} and @{text b} are elements in @{text S} or both are not in @{text S}.
-However if the sorts of a @{text a} and @{text b} agree, then the swapping will
-change @{text S} if either of them is an element in @{text S} and the other is
-not.\hfill\qed
-\end{proof}
-\noindent
-Note that a consequence of the second part of this lemma is that
-@{term "supp (UNIV::atom set) = {}"}.
-More difficult, however, is it to establish that finite sets of finitely
-supported objects are finitely supported. For this we first show that
-the union of the supports of finitely many and finitely supported  objects
-is finite, namely
-\begin{lemma}\label{unionsupp}
-If @{text S} is a finite set whose elements are all finitely supported, then
-%
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rl}
-{\it i)} & @{thm (concl) Union_of_finite_supp_sets[no_vars]} and\\
-{\it ii)} & @{thm (concl) Union_included_in_supp[no_vars]}.
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-The first part is by a straightforward induction on the finiteness
-of @{text S}.  For the second part, we know that @{term "\<Union>x\<in>S. supp
-x"} is a set of atoms, which by the first part is finite. Therefore
-we know by Lemma~\ref{finatomsets}.{\it i)} that @{term "(\<Union>x\<in>S. supp
-x) = supp (\<Union>x\<in>S. supp x)"}. Taking @{text "f"} to be the function
-\mbox{@{text "\<lambda>S. \<Union> (supp ` S)"}}, we can write the right-hand side
-as @{text "supp (f S)"}.  Since @{text "f"} is an equivariant
-function (can be easily checked by the equivariance principle), we
-have that @{text "supp (f S) \<subseteq> supp S"} by
-Lemma~\ref{suppfunapp}.{\it ii)}. This completes the second
-part.\hfill\qed
-\end{proof}
-\noindent
-With this lemma in place we can establish that
-\begin{lemma}
-@{thm[mode=IfThen] supp_of_finite_sets[no_vars]}
-\end{lemma}
-\begin{proof}
-The right-to-left inclusion is proved in Lemma~\ref{unionsupp}.{\it ii)}. To show the inclusion
-in the other direction we can use Lemma~\ref{supports}.{\it i)}. This means
-for all @{text a} and @{text b} that are not in @{text S} we have to show that
-@{term "(a \<rightleftharpoons> b) \<bullet> (\<Union>x \<in> S. supp x) = (\<Union>x \<in> S. supp x)"} holds. By the equivariance
-principle, the left-hand side is equal to @{term "\<Union>x \<in> ((a \<rightleftharpoons> b) \<bullet> S). supp x"}. Now
-the swapping in front of @{text S} disappears, since @{term "a \<sharp> S"} and @{term "b \<sharp> S"}
-whenever @{text "a, b \<notin> S"}. Thus we are done.\hfill\qed
-\end{proof}
-\noindent
-To sum up, every finite set of finitely supported elements has
-finite support.  Unfortunately, we cannot use
-Theorem~\ref{finsuptype} to let Isabelle/HOL find this out
-automatically. This would require to introduce a separate type of
-finite sets, which however is not so convenient to reason about as
-Isabelle's standard set type.
-*}
-section {* Induction Principles for Permutations *}
-text {*
-While the use of functions as permutation provides us with a unique
-representation for permutations (for example @{term "(a \<rightleftharpoons> b)"} and
-@{term "(b \<rightleftharpoons> a)"} are equal permutations), this representation does
-not come automatically with an induction principle.  Such an
-induction principle is however useful for generalising
-Lemma~\ref{swapfreshfresh} from swappings to permutations, namely
-\begin{lemma}
-@{thm [mode=IfThen] perm_supp_eq[where p="\<pi>", no_vars]}
-\end{lemma}
-\noindent
-In this section we will establish an induction principle for permutations
-with which this lemma can be easily proved. It is not too difficult to derive
-an induction principle for permutations, given the fact that we allow only
-permutations having a finite support.
-Using a the property from \cite{???}
-\begin{lemma}\label{smallersupp}
-@{thm [mode=IfThen] smaller_supp[where p="\<pi>", no_vars]}
-\end{lemma}
-*}
-section {* An Abstraction Type *}
-text {*
-To that end, we will consider
-first pairs @{text "(as, x)"} of type @{text "(atom set) \<times> \<beta>"}.  These pairs
-are intended to represent the abstraction, or binding, of the set of atoms @{text
-"as"} in the body @{text "x"}.
-The first question we have to answer is when two pairs @{text "(as, x)"} and
-@{text "(bs, y)"} are $\alpha$-equivalent? (For the moment we are interested in
-the notion of $\alpha$-equivalence that is \emph{not} preserved by adding
-vacuous binders.) To answer this question, we identify four conditions: {\it (i)}
-given a free-atom function @{text "fa"} of type \mbox{@{text "\<beta> \<Rightarrow> atom
-set"}}, then @{text x} and @{text y} need to have the same set of free
-atoms; moreover there must be a permutation @{text p} such that {\it
-(ii)} @{text p} leaves the free atoms of @{text x} and @{text y} unchanged, but
-{\it (iii)} ``moves'' their bound names so that we obtain modulo a relation,
-say \mbox{@{text "_ R _"}}, two equivalent terms. We also require that {\it (iv)}
-@{text p} makes the sets of abstracted atoms @{text as} and @{text bs} equal. The
-requirements {\it (i)} to {\it (iv)} can be stated formally as follows:
-%
-\begin{equation}\label{alphaset}
-\begin{array}{@ {\hspace{10mm}}r@ {\hspace{2mm}}l@ {\hspace{4mm}}r}
-\multicolumn{3}{l}{@{text "(as, x) \<approx>set R fa p (bs, y)"}\hspace{2mm}@{text "\<equiv>"}}\\[1mm]
-& @{term "fa(x) - as = fa(y) - bs"} & \mbox{\it (i)}\\
-@{text "\<and>"} & @{term "(fa(x) - as) \<sharp>* p"} & \mbox{\it (ii)}\\
-@{text "\<and>"} & @{text "(p \<bullet> x) R y"} & \mbox{\it (iii)}\\
-@{text "\<and>"} & @{term "(p \<bullet> as) = bs"} & \mbox{\it (iv)}\\
-\end{array}
-\end{equation}
-\noindent
-Note that this relation depends on the permutation @{text
-"p"}; $\alpha$-equivalence between two pairs is then the relation where we
-existentially quantify over this @{text "p"}. Also note that the relation is
-dependent on a free-atom function @{text "fa"} and a relation @{text
-"R"}. The reason for this extra generality is that we will use
-$\approx_{\,\textit{set}}$ for both ``raw'' terms and $\alpha$-equated terms. In
-the latter case, @{text R} will be replaced by equality @{text "="} and we
-will prove that @{text "fa"} is equal to @{text "supp"}.
-It might be useful to consider first some examples about how these definitions
-of $\alpha$-equivalence pan out in practice.  For this consider the case of
-abstracting a set of atoms over types (as in type-schemes). We set
-@{text R} to be the usual equality @{text "="} and for @{text "fa(T)"} we
-define
-\begin{center}
-@{text "fa(x) = {x}"}  \hspace{5mm} @{text "fa(T\<^isub>1 \<rightarrow> T\<^isub>2) = fa(T\<^isub>1) \<union> fa(T\<^isub>2)"}
-\end{center}
-\noindent
-Now recall the examples shown in \eqref{ex1}, \eqref{ex2} and
-\eqref{ex3}. It can be easily checked that @{text "({x, y}, x \<rightarrow> y)"} and
-@{text "({y, x}, y \<rightarrow> x)"} are $\alpha$-equivalent according to
-$\approx_{\,\textit{set}}$ and $\approx_{\,\textit{res}}$ by taking @{text p} to
-be the swapping @{term "(x \<rightleftharpoons> y)"}. In case of @{text "x \<noteq> y"}, then @{text
-"([x, y], x \<rightarrow> y)"} $\not\approx_{\,\textit{list}}$ @{text "([y, x], x \<rightarrow> y)"}
-since there is no permutation that makes the lists @{text "[x, y]"} and
-@{text "[y, x]"} equal, and also leaves the type \mbox{@{text "x \<rightarrow> y"}}
-unchanged. Another example is @{text "({x}, x)"} $\approx_{\,\textit{res}}$
-@{text "({x, y}, x)"} which holds by taking @{text p} to be the identity
-permutation.  However, if @{text "x \<noteq> y"}, then @{text "({x}, x)"}
-$\not\approx_{\,\textit{set}}$ @{text "({x, y}, x)"} since there is no
-permutation that makes the sets @{text "{x}"} and @{text "{x, y}"} equal
-(similarly for $\approx_{\,\textit{list}}$).  It can also relatively easily be
-shown that all three notions of $\alpha$-equivalence coincide, if we only
-abstract a single atom.
-In the rest of this section we are going to introduce three abstraction
-types. For this we define
-%
-\begin{equation}
-@{term "abs_set (as, x) (bs, x) \<equiv> \<exists>p. alpha_set (as, x) equal supp p (bs, x)"}
-\end{equation}
-\noindent
-(similarly for $\approx_{\,\textit{abs\_res}}$
-and $\approx_{\,\textit{abs\_list}}$). We can show that these relations are equivalence
-relations and equivariant.
-\begin{lemma}\label{alphaeq}
-The relations $\approx_{\,\textit{abs\_set}}$, $\approx_{\,\textit{abs\_list}}$
-and $\approx_{\,\textit{abs\_res}}$ are equivalence relations, and if @{term
-"abs_set (as, x) (bs, y)"} then also @{term "abs_set (p \<bullet> as, p \<bullet> x) (p \<bullet>
-bs, p \<bullet> y)"} (similarly for the other two relations).
-\end{lemma}
-\begin{proof}
-Reflexivity is by taking @{text "p"} to be @{text "0"}. For symmetry we have
-a permutation @{text p} and for the proof obligation take @{term "-p"}. In case
-of transitivity, we have two permutations @{text p} and @{text q}, and for the
-proof obligation use @{text "q + p"}. All conditions are then by simple
-calculations.
-\end{proof}
-\noindent
-This lemma allows us to use our quotient package for introducing
-new types @{text "\<beta> abs_set"}, @{text "\<beta> abs_res"} and @{text "\<beta> abs_list"}
-representing $\alpha$-equivalence classes of pairs of type
-@{text "(atom set) \<times> \<beta>"} (in the first two cases) and of type @{text "(atom list) \<times> \<beta>"}
-(in the third case).
-The elements in these types will be, respectively, written as:
-\begin{center}
-@{term "Abs_set as x"} \hspace{5mm}
-@{term "Abs_res as x"} \hspace{5mm}
-@{term "Abs_lst as x"}
-\end{center}
-\noindent
-indicating that a set (or list) of atoms @{text as} is abstracted in @{text x}. We will
-call the types \emph{abstraction types} and their elements
-\emph{abstractions}. The important property we need to derive is the support of
-abstractions, namely:
-\begin{theorem}[Support of Abstractions]\label{suppabs}
-Assuming @{text x} has finite support, then\\[-6mm]
-\begin{center}
-\begin{tabular}{l@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-%@ {thm (lhs) supp_abs(1)[no_vars]} & $=$ & @ {thm (rhs) supp_abs(1)[no_vars]}\\
-%@ {thm (lhs) supp_abs(2)[no_vars]} & $=$ & @ {thm (rhs) supp_abs(2)[no_vars]}\\
-%@ {thm (lhs) supp_abs(3)[where bs="as", no_vars]} & $=$ & @ {thm (rhs) supp_abs(3)[where bs="as", no_vars]}
-\end{tabular}
-\end{center}
-\end{theorem}
-\noindent
-Below we will show the first equation. The others
-follow by similar arguments. By definition of the abstraction type @{text "abs_set"}
-we have
-%
-\begin{equation}\label{abseqiff}
-%@ {thm (lhs) abs_eq_iff(1)[where bs="as" and cs="bs", no_vars]} \;\;\text{if and only if}\;\;
-%@ {thm (rhs) abs_eq_iff(1)[where bs="as" and cs="bs", no_vars]}
-\end{equation}
-\noindent
-and also
-%
-\begin{equation}\label{absperm}
-@{thm permute_Abs[no_vars]}
-\end{equation}
-\noindent
-The second fact derives from the definition of permutations acting on pairs
-\eqref{permute} and $\alpha$-equivalence being equivariant
-(see Lemma~\ref{alphaeq}). With these two facts at our disposal, we can show
-the following lemma about swapping two atoms in an abstraction.
-\begin{lemma}
-%@ {thm[mode=IfThen] abs_swap1(1)[where bs="as", no_vars]}
-\end{lemma}
-\begin{proof}
-This lemma is straightforward using \eqref{abseqiff} and observing that
-the assumptions give us @{term "(a \<rightleftharpoons> b) \<bullet> (supp x - as) = (supp x - as)"}.
-Moreover @{text supp} and set difference are equivariant (see \cite{HuffmanUrban10}).
-\end{proof}
-\noindent
-Assuming that @{text "x"} has finite support, this lemma together
-with \eqref{absperm} allows us to show
-%
-\begin{equation}\label{halfone}
-%@ {thm abs_supports(1)[no_vars]}
-\end{equation}
-\noindent
-which by Property~\ref{supportsprop} gives us ``one half'' of
-Theorem~\ref{suppabs}. The ``other half'' is a bit more involved. To establish
-it, we use a trick from \cite{Pitts04} and first define an auxiliary
-function @{text aux}, taking an abstraction as argument:
-%
-\begin{center}
-@{thm supp_set.simps[THEN eq_reflection, no_vars]}
-\end{center}
-\noindent
-Using the second equation in \eqref{equivariance}, we can show that
-@{text "aux"} is equivariant (since @{term "p \<bullet> (supp x - as) =
-(supp (p \<bullet> x)) - (p \<bullet> as)"}) and therefore has empty support.
-This in turn means
-%
-\begin{center}
-@{term "supp (supp_gen (Abs_set as x)) \<subseteq> supp (Abs_set as x)"}
-\end{center}
-\noindent
-using \eqref{suppfun}. Assuming @{term "supp x - as"} is a finite set,
-we further obtain
-%
-\begin{equation}\label{halftwo}
-%@ {thm (concl) supp_abs_subset1(1)[no_vars]}
-\end{equation}
-\noindent
-since for finite sets of atoms, @{text "bs"}, we have
-@{thm (concl) supp_finite_atom_set[where S="bs", no_vars]}.
-Finally, taking \eqref{halfone} and \eqref{halftwo} together establishes
-Theorem~\ref{suppabs}.
-The method of first considering abstractions of the
-form @{term "Abs_set as x"} etc is motivated by the fact that
-we can conveniently establish  at the Isabelle/HOL level
-properties about them.  It would be
-laborious to write custom ML-code that derives automatically such properties
-for every term-constructor that binds some atoms. Also the generality of
-the definitions for $\alpha$-equivalence will help us in the next section.
-*}
-section {* Concrete Atom Types\label{concrete} *}
-text {*
-So far, we have presented a system that uses only a single multi-sorted atom
-type.  This design gives us the flexibility to define operations and prove
-theorems that are generic with respect to atom sorts.  For example, as
-illustrated above the @{term supp} function returns a set that includes the
-free atoms of \emph{all} sorts together.
-However, the single multi-sorted atom type does not make an ideal interface
-for end-users of Nominal Isabelle.  If sorts are not distinguished by
-Isabelle's type system, users must reason about atom sorts manually.  That
-means for example that subgoals involving sorts must be discharged explicitly within proof
-scripts, instead of being inferred automatically.  In other
-cases, lemmas might require additional side conditions about sorts to be true.
-For example, swapping @{text a} and @{text b} in the pair \mbox{@{term "(a,
-b)"}} will only produce the expected result if we state the lemma in
-Isabelle/HOL as:
-*}
-lemma
-	    fixes a b :: "atom"
-	    assumes asm: "sort a = sort b"
-	    shows "(a \<rightleftharpoons> b) \<bullet> (a, b) = (b, a)"
-using asm by simp
-text {*
-\noindent
-Fortunately, it is possible to regain most of the type-checking automation
-that is lost by moving to a single atom type.  We accomplish this by defining
-\emph{subtypes} of the generic atom type that only include atoms of a single
-specific sort.  We call such subtypes \emph{concrete atom types}.
-The following Isabelle/HOL command defines a concrete atom type called
-\emph{name}, which consists of atoms whose sort equals the string @{term
-"''name''"}.
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\isacommand{typedef}\ \ @{typ name} = @{term "{a. sort\<iota> a = ''name''}"}
-\end{isabelle}
-\noindent
-This command automatically generates injective functions that map from the
-concrete atom type into the generic atom type and back, called
-representation and abstraction functions, respectively. We will write these
-functions as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l@ {\hspace{10mm}}l}
-@{text "\<lfloor>_\<rfloor> :: name \<Rightarrow> atom"} &
-@{text "\<lceil>_\<rceil> :: atom \<Rightarrow> name"}
-\end{tabular}
-\end{isabelle}
-\noindent
-With the definition @{thm permute_name_def [where p="\<pi>", THEN
-eq_reflection, no_vars]}, it is straightforward to verify that the type
-@{typ name} is a permutation type.
-In order to reason uniformly about arbitrary concrete atom types, we define a
-type class that characterises type @{typ name} and other similarly-defined
-types.  The definition of the concrete atom type class is as follows: First,
-every concrete atom type must be a permutation type.  In addition, the class
-defines an overloaded function that maps from the concrete type into the
-generic atom type, which we will write @{text "|_|"}.  For each class
-instance, this function must be injective and equivariant, and its outputs
-must all have the same sort, that is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{3mm}}l}
-i)   & if @{thm (lhs) atom_eq_iff [no_vars]} then @{thm (rhs) atom_eq_iff [no_vars]}\\
-ii)  & @{thm atom_eqvt[where p="\<pi>", no_vars]}\\
-iii) & @{thm sort_of_atom_eq [no_vars]}
-\end{tabular}\hfill\numbered{atomprops}
-\end{isabelle}
-\noindent
-With the definition @{thm atom_name_def [THEN eq_reflection, no_vars]} we can
-show that @{typ name} satisfies all the above requirements of a concrete atom
-type.
-The whole point of defining the concrete atom type class is to let users
-avoid explicit reasoning about sorts.  This benefit is realised by defining a
-special swapping operation of type @{text "\<alpha> \<Rightarrow> \<alpha>
-\<Rightarrow> perm"}, where @{text "\<alpha>"} is a concrete atom type:
-@{thm [display,indent=10] flip_def [THEN eq_reflection, no_vars]}
-\noindent
-As a consequence of its type, the @{text "\<leftrightarrow>"}-swapping
-operation works just like the generic swapping operation, but it does not
-require any sort-checking side conditions---the sort-correctness is ensured by
-the types!  For @{text "\<leftrightarrow>"} we can establish the following
-simplification rule:
-@{thm [display,indent=10] permute_flip_at[no_vars]}
-\noindent
-If we now want to swap the \emph{concrete} atoms @{text a} and @{text b}
-in the pair @{term "(a, b)"} we can establish the lemma as follows:
-*}
-lemma
-	    fixes a b :: "name"
-	    shows "(a \<leftrightarrow> b) \<bullet> (a, b) = (b, a)"
-	  by simp
-text {*
-\noindent
-There is no need to state an explicit premise involving sorts.
-We can automate the process of creating concrete atom types, so that users
-can define a new one simply by issuing the command
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-\isacommand{atom\_decl}~~@{text "name"}
-\end{tabular}
-\end{isabelle}
-\noindent
-This command can be implemented using less than 100 lines of custom ML-code.
-*}
-section {* Related Work\label{related} *}
-text {*
-Coq-tries, but failed
-Add here comparison with old work.
-In comparison, the old version of Nominal Isabelle included more than 1000
-lines of ML-code for creating concrete atom types, and for defining various
-type classes and instantiating generic lemmas for them.  In addition to
-simplifying the ML-code, the setup here also offers user-visible improvements:
-Now concrete atoms can be declared at any point of a formalisation, and
-theories that separately declare different atom types can be merged
-together---it is no longer required to collect all atom declarations in one
-place.
-Using a single atom type to represent atoms of different sorts and
-representing permutations as functions are not new ideas; see
-\cite{GunterOsbornPopescu09} \footnote{function rep.}  The main contribution
-of this paper is to show an example of how to make better theorem proving
-tools by choosing the right level of abstraction for the underlying
-theory---our design choices take advantage of Isabelle's type system, type
-classes and reasoning infrastructure.  The novel technical contribution is a
-mechanism for dealing with ``Church-style'' lambda-terms \cite{Church40} and
-HOL-based languages \cite{PittsHOL4} where variables and variable binding
-depend on type annotations.
-The paper is organised as follows\ldots
-The main point is that the above reasoning blends smoothly with the reasoning
-infrastructure of Isabelle/HOL; no custom ML-code is necessary and a single
-type class suffices.
-With this
-design one can represent permutations as lists of pairs of atoms and the
-operation of applying a permutation to an object as the function
-@{text [display,indent=10] "_ \<bullet> _  ::  (\<alpha> \<times> \<alpha>) list \<Rightarrow> \<beta> \<Rightarrow> \<beta>"}
-\noindent
-where @{text "\<alpha>"} stands for a type of atoms and @{text "\<beta>"} for the type
-of the objects on which the permutation acts. For atoms
-the permutation operation is defined over the length of lists as follows
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-@{text "[] \<bullet> c"} & @{text "="} & @{text c}\\
-@{text "(a b)::\<pi> \<bullet> c"} & @{text "="} &
-$\begin{cases} @{text a} & \textrm{if}~@{text "\<pi> \<bullet> c = b"}\\
-@{text b} & \textrm{if}~@{text "\<pi> \<bullet> c = a"}\\
-@{text "\<pi> \<bullet> c"} & \textrm{otherwise}\end{cases}$
-\end{tabular}\hfill\numbered{atomperm}
-\end{isabelle}
-\noindent
-where we write @{text "(a b)"} for a swapping of atoms @{text "a"} and
-@{text "b"}. For atoms with different type than the permutation, we
-define @{text "\<pi> \<bullet> c \<equiv> c"}.
-With the separate atom types and the list representation of permutations it
-is impossible in systems like Isabelle/HOL to state an ``ill-sorted''
-permutation, since the type system excludes lists containing atoms of
-different type. However, a disadvantage is that whenever we need to
-generalise induction hypotheses by quantifying over permutations, we have to
-build quantifications like
-@{text [display,indent=10] "\<forall>\<pi>\<^isub>1 \<dots> \<forall>\<pi>\<^isub>n. \<dots>"}
-\noindent
-where the @{text "\<pi>\<^isub>i"} are of type @{text "(\<alpha>\<^isub>i \<times> \<alpha>\<^isub>i) list"}.
-The reason is that the permutation operation behaves differently for
-every @{text "\<alpha>\<^isub>i"} and the type system does not allow use to have a
-single quantification to stand for all permutations. Similarly, the
-notion of support
-@{text [display,indent=10] "supp _ :: \<beta> \<Rightarrow> \<alpha> set"}
-\noindent
-which we will define later, cannot be
-used to express the support of an object over \emph{all} atoms. The reason
-is that support can behave differently for each @{text
-"\<alpha>\<^isub>i"}. This problem is annoying, because if we need to know in
-a statement that an object, say @{text "x"}, is finitely supported we end up
-with having to state premises of the form
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "finite ((supp x) :: \<alpha>\<^isub>1 set) , \<dots>, finite ((supp x) :: \<alpha>\<^isub>n set)"}
-\end{tabular}\hfill\numbered{fssequence}
-\end{isabelle}
-\noindent
-Because of these disadvantages, we will use in this paper a single unified atom type to
-represent atoms of different sorts. Consequently, we have to deal with the
-case that a swapping of two atoms is ill-sorted: we cannot rely anymore on
-the type systems to exclude them.
-We also will not represent permutations as lists of pairs of atoms (as done in
-\cite{Urban08}).  Although an
-advantage of this representation is that the basic operations on
-permutations are already defined in Isabelle's list library: composition of
-two permutations (written @{text "_ @ _"}) is just list append, and
-inversion of a permutation (written @{text "_\<^sup>-\<^sup>1"}) is just
-list reversal, and another advantage is that there is a well-understood
-induction principle for lists, a disadvantage is that permutations
-do not have unique representations as lists. We have to explicitly identify
-them according to the relation
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<pi>\<^isub>1 \<sim> \<pi>\<^isub>2  \<equiv>  \<forall>a. \<pi>\<^isub>1 \<bullet> a = \<pi>\<^isub>2 \<bullet> a"}
-\end{tabular}\hfill\numbered{permequ}
-\end{isabelle}
-\noindent
-This is a problem when lifting the permutation operation to other types, for
-example sets, functions and so on. For this we need to ensure that every definition
-is well-behaved in the sense that it satisfies some
-\emph{permutation properties}. In the list representation we need
-to state these properties as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
-i) & @{text "[] \<bullet> x = x"}\\
-ii) & @{text "(\<pi>\<^isub>1 @ \<pi>\<^isub>2) \<bullet> x = \<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x)"}\\
-iii) & if @{text "\<pi>\<^isub>1 \<sim> \<pi>\<^isub>2"} then @{text "\<pi>\<^isub>1 \<bullet> x = \<pi>\<^isub>2 \<bullet> x"}
-\end{tabular}\hfill\numbered{permprops}
-\end{isabelle}
-\noindent
-where the last clause explicitly states that the permutation operation has
-to produce the same result for related permutations.  Moreover,
-``permutations-as-lists'' do not satisfy the group properties. This means by
-using this representation we will not be able to reuse the extensive
-reasoning infrastructure in Isabelle about groups.  Because of this, we will represent
-in this paper permutations as functions from atoms to atoms. This representation
-is unique and satisfies the laws of non-commutative groups.
-*}
-section {* Conclusion *}
-text {*
-This proof pearl describes a new formalisation of the nominal logic work by
-Pitts et al. With the definitions we presented here, the formal reasoning blends
-smoothly with the infrastructure of the Isabelle/HOL theorem prover.
-Therefore the formalisation will be the underlying theory for a
-new version of Nominal Isabelle.
-The main difference of this paper with respect to existing work on Nominal
-Isabelle is the representation of atoms and permutations. First, we used a
-single type for sorted atoms. This design choice means for a term @{term t},
-say, that its support is completely characterised by @{term "supp t"}, even
-if the term contains different kinds of atoms. Also, whenever we have to
-generalise an induction so that a property @{text P} is not just established
-for all @{text t}, but for all @{text t} \emph{and} under all permutations
-@{text \<pi>}, then we only have to state @{term "\<forall>\<pi>. P (\<pi> \<bullet> t)"}. The reason is
-that permutations can now consist of multiple swapping each of which can
-swap different kinds of atoms. This simplifies considerably the reasoning
-involved in building Nominal Isabelle.
-Second, we represented permutations as functions so that the associated
-permutation operation has only a single type parameter. This is very convenient
-because the abstract reasoning about permutations fits cleanly
-with Isabelle/HOL's type classes. No custom ML-code is required to work
-around rough edges. Moreover, by establishing that our permutations-as-functions
-representation satisfy the group properties, we were able to use extensively
-Isabelle/HOL's reasoning infrastructure for groups. This often reduced proofs
-to simple calculations over @{text "+"}, @{text "-"} and @{text "0"}.
-An interesting point is that we defined the swapping operation so that a
-swapping of two atoms with different sorts is \emph{not} excluded, like
-in our older work on Nominal Isabelle, but there is no ``effect'' of such
-a swapping (it is defined as the identity). This is a crucial insight
-in order to make the approach based on a single type of sorted atoms to work.
-But of course it is analogous to the well-known trick of defining division by
-zero to return zero.
-We noticed only one disadvantage of the permutations-as-functions: Over
-lists we can easily perform inductions. For permutations made up from
-functions, we have to manually derive an appropriate induction principle. We
-can establish such a principle, but we have no real experience yet whether ours
-is the most useful principle: such an induction principle was not needed in
-any of the reasoning we ported from the old Nominal Isabelle, except
-when showing that if @{term "\<forall>a \<in> supp x. a \<sharp> p"} implies @{term "p \<bullet> x = x"}.
-Finally, our implementation of sorted atoms turned out powerful enough to
-use it for representing variables that carry on additional information, for
-example typing annotations. This information is encoded into the sorts. With
-this we can represent conveniently binding in ``Church-style'' lambda-terms
-and HOL-based languages. While dealing with such additional information in
-dependent type-theories, such as LF or Coq, is straightforward, we are not
-aware of any  other approach in a non-dependent HOL-setting that can deal
-conveniently with such binders.
-The formalisation presented here will eventually become part of the Isabelle
-distribution, but for the moment it can be downloaded from the
-Mercurial repository linked at
-\href{http://isabelle.in.tum.de/nominal/download}
-{http://isabelle.in.tum.de/nominal/download}.\smallskip
-\noindent
-{\bf Acknowledgements:} We are very grateful to Jesper Bengtson, Stefan
-Berghofer and Cezary Kaliszyk for their comments on earlier versions
-of this paper. We are also grateful to the anonymous referee who helped us to
-put the work into the right context.
-*}
-(*<*)
-end
-(*>*)

branch	Nominal2-Isabelle2012
changeset 3169	b6873d123f9b
parent 3168	a6f3e1b08494
child 3170	89715c48f728