nominal2: comparison Pearl/Paper.thy

equal deleted inserted replaced

-:a6f3e1b08494
+:b6873d123f9b
-(*<*)
-theory Paper
-imports "../Nominal/Nominal2_Base"
-"../Nominal/Atoms"
-"~~/src/HOL/Library/LaTeXsugar"
-begin
-notation (latex output)
-sort_of ("sort _" [1000] 100) and
-Abs_perm ("_") and
-Rep_perm ("_") and
-swap ("'(_ _')" [1000, 1000] 1000) and
-fresh ("_ # _" [51, 51] 50) and
-Cons ("_::_" [78,77] 73) and
-supp ("supp _" [78] 73) and
-uminus ("-_" [78] 73) and
-atom ("|_|") and
-If  ("if _ then _ else _" 10) and
-Rep_name ("\<lfloor>_\<rfloor>") and
-Abs_name ("\<lceil>_\<rceil>") and
-Rep_var ("\<lfloor>_\<rfloor>") and
-Abs_var ("\<lceil>_\<rceil>") and
-sort_of_ty ("sort'_ty _")
-(* BH: uncomment if you really prefer the dot notation
-syntax (latex output)
-"_Collect" :: "pttrn => bool => 'a set" ("(1{_ . _})")
-*)
-(* sort is used in Lists for sorting *)
-hide_const sort
-abbreviation
-"sort \<equiv> sort_of"
-abbreviation
-"sort_ty \<equiv> sort_of_ty"
-(*>*)
-section {* Introduction *}
-text {*
-Nominal Isabelle is a definitional extension of the Isabelle/HOL theorem
-prover providing a proving infrastructure for convenient reasoning about
-programming languages. It has been used to formalise an equivalence checking
-algorithm for LF \cite{UrbanCheneyBerghofer08},
-Typed Scheme~\cite{TobinHochstadtFelleisen08}, several calculi for concurrency
-\cite{BengtsonParrow07} and a strong normalisation result for
-cut-elimination in classical logic \cite{UrbanZhu08}. It has also been used
-by Pollack for formalisations in the locally-nameless approach to binding
-\cite{SatoPollack10}.
-At its core Nominal Isabelle is based on the nominal logic work of Pitts et
-al \cite{GabbayPitts02,Pitts03}.  The most basic notion in this work is a
-sort-respecting permutation operation defined over a countably infinite
-collection of sorted atoms. The atoms are used for representing variables
-that might be bound. Multiple sorts are necessary for being
-able to represent different kinds of variables. For example, in the language
-Mini-ML there are bound term variables and bound type variables; each kind
-needs to be represented by a different sort of atoms.
-Unfortunately, the type system of Isabelle/HOL is not a good fit for the way
-atoms and sorts are used in the original formulation of the nominal logic work.
-Therefore it was decided in earlier versions of Nominal Isabelle to use a
-separate type for each sort of atoms and let the type system enforce the
-sort-respecting property of permutations. Inspired by the work on nominal
-unification \cite{UrbanPittsGabbay04}, it seemed best at the time to also
-implement permutations concretely as lists of pairs of atoms. Thus Nominal
-Isabelle used the two-place permutation operation with the generic type
-@{text [display,indent=10] "_ \<bullet> _  ::  (\<alpha> \<times> \<alpha>) list \<Rightarrow> \<beta> \<Rightarrow> \<beta>"}
-\noindent
-where @{text "\<alpha>"} stands for the type of atoms and @{text "\<beta>"} for the type
-of the objects on which the permutation acts. For atoms of type @{text "\<alpha>"}
-the permutation operation is defined over the length of lists as follows
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-@{text "[] \<bullet> c"} & @{text "="} & @{text c}\\
-\end{tabular}\hspace{12mm}
-\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-@{text "(a b)::\<pi> \<bullet> c"} & @{text "="} &
-$\begin{cases} @{text a} & \textrm{if}~@{text "\<pi> \<bullet> c = b"}\\
-@{text b} & \textrm{if}~@{text "\<pi> \<bullet> c = a"}\\
-@{text "\<pi> \<bullet> c"} & \textrm{otherwise}\end{cases}$
-\end{tabular}\hfill\numbered{atomperm}
-\end{isabelle}
-\noindent
-where we write @{text "(a b)"} for a swapping of atoms @{text "a"} and
-@{text "b"}. For atoms of different type, the permutation operation
-is defined as @{text "\<pi> \<bullet> c \<equiv> c"}.
-With the list representation of permutations it is impossible to state an
-``ill-sorted'' permutation, since the type system excludes lists containing
-atoms of different type. Another advantage of the list representation is that
-the basic operations on permutations are already defined in the list library:
-composition of two permutations (written @{text "_ @ _"}) is just list append,
-and inversion of a permutation (written @{text "_\<^sup>-\<^sup>1"}) is just
-list reversal. A disadvantage is that permutations do not have unique
-representations as lists; we had to explicitly identify permutations according
-to the relation
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<pi>\<^isub>1 \<sim> \<pi>\<^isub>2  \<equiv>  \<forall>a. \<pi>\<^isub>1 \<bullet> a = \<pi>\<^isub>2 \<bullet> a"}
-\end{tabular}\hfill\numbered{permequ}
-\end{isabelle}
-When lifting the permutation operation to other types, for example sets,
-functions and so on, we needed to ensure that every definition is
-well-behaved in the sense that it satisfies the following three
-\emph{permutation properties}:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
-i) & @{text "[] \<bullet> x = x"}\\
-ii) & @{text "(\<pi>\<^isub>1 @ \<pi>\<^isub>2) \<bullet> x = \<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x)"}\\
-iii) & if @{text "\<pi>\<^isub>1 \<sim> \<pi>\<^isub>2"} then @{text "\<pi>\<^isub>1 \<bullet> x = \<pi>\<^isub>2 \<bullet> x"}
-\end{tabular}\hfill\numbered{permprops}
-\end{isabelle}
-\noindent
-From these properties we were able to derive most facts about permutations, and
-the type classes of Isabelle/HOL allowed us to reason abstractly about these
-three properties, and then let the type system automatically enforce these
-properties for each type.
-The major problem with Isabelle/HOL's type classes, however, is that they
-support operations with only a single type parameter and the permutation
-operations @{text "_ \<bullet> _"} used above in the permutation properties
-contain two! To work around this obstacle, Nominal Isabelle
-required the user to
-declare up-front the collection of \emph{all} atom types, say @{text
-"\<alpha>\<^isub>1,\<dots>,\<alpha>\<^isub>n"}. From this collection it used custom ML-code to
-generate @{text n} type classes corresponding to the permutation properties,
-whereby in these type classes the permutation operation is restricted to
-@{text [display,indent=10] "_ \<bullet> _ :: (\<alpha>\<^isub>i \<times> \<alpha>\<^isub>i) list \<Rightarrow> \<beta> \<Rightarrow> \<beta>"}
-\noindent
-This operation has only a single type parameter @{text "\<beta>"} (the @{text "\<alpha>\<^isub>i"} are the
-atom types given by the user).
-While the representation of permutations-as-lists solved the
-``sort-respecting'' requirement and the declaration of all atom types
-up-front solved the problem with Isabelle/HOL's type classes, this setup
-caused several problems for formalising the nominal logic work: First,
-Nominal Isabelle had to generate @{text "n\<^sup>2"} definitions for the
-permutation operation over @{text "n"} types of atoms.  Second, whenever we
-need to generalise induction hypotheses by quantifying over permutations, we
-have to build cumbersome quantifications like
-@{text [display,indent=10] "\<forall>\<pi>\<^isub>1 \<dots> \<forall>\<pi>\<^isub>n. \<dots>"}
-\noindent
-where the @{text "\<pi>\<^isub>i"} are of type @{text "(\<alpha>\<^isub>i \<times> \<alpha>\<^isub>i) list"}.
-The reason is that the permutation operation behaves differently for
-every @{text "\<alpha>\<^isub>i"}. Third, although the notion of support
-@{text [display,indent=10] "supp _ :: \<beta> \<Rightarrow> \<alpha> set"}
-\noindent
-which we will define later, has a generic type @{text "\<alpha> set"}, it cannot be
-used to express the support of an object over \emph{all} atoms. The reason
-is again that support can behave differently for each @{text
-"\<alpha>\<^isub>i"}. This problem is annoying, because if we need to know in
-a statement that an object, say @{text "x"}, is finitely supported we end up
-with having to state premises of the form
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "finite ((supp x) :: \<alpha>\<^isub>1 set) , \<dots>, finite ((supp x) :: \<alpha>\<^isub>n set)"}
-\end{tabular}\hfill\numbered{fssequence}
-\end{isabelle}
-\noindent
-Sometimes we can avoid such premises completely, if @{text x} is a member of a
-\emph{finitely supported type}.  However, keeping track of finitely supported
-types requires another @{text n} type classes, and for technical reasons not
-all types can be shown to be finitely supported.
-The real pain of having a separate type for each atom sort arises, however,
-from another permutation property
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
-iv) & @{text "\<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x) = (\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}
-\end{tabular}
-\end{isabelle}
-\noindent
-where permutation @{text "\<pi>\<^isub>1"} has type @{text "(\<alpha> \<times> \<alpha>) list"},
-@{text "\<pi>\<^isub>2"} type @{text "(\<alpha>' \<times> \<alpha>') list"} and @{text x} type @{text
-"\<beta>"}. This property is needed in order to derive facts about how
-permutations of different types interact, which is not covered by the
-permutation properties @{text "i"}-@{text "iii"} shown in
-\eqref{permprops}. The problem is that this property involves three type
-parameters. In order to use again Isabelle/HOL's type class mechanism with
-only permitting a single type parameter, we have to instantiate the atom
-types. Consequently we end up with an additional @{text "n\<^sup>2"}
-slightly different type classes for this permutation property.
-While the problems and pain can be almost completely hidden from the user in
-the existing implementation of Nominal Isabelle, the work is \emph{not}
-pretty. It requires a large amount of custom ML-code and also forces the
-user to declare up-front all atom-types that are ever going to be used in a
-formalisation. In this paper we set out to solve the problems with multiple
-type parameters in the permutation operation, and in this way can dispense
-with the large amounts of custom ML-code for generating multiple variants
-for some basic definitions. The result is that we can implement a pleasingly
-simple formalisation of the nominal logic work.\smallskip
-\noindent
-{\bf Contributions of the paper:} Using a single atom type to represent
-atoms of different sorts and representing permutations as functions are not
-new ideas.  The main contribution of this paper is to show an example of how
-to make better theorem proving tools by choosing the right level of
-abstraction for the underlying theory---our design choices take advantage of
-Isabelle's type system, type classes, and reasoning infrastructure.
-The novel
-technical contribution is a mechanism for dealing with
-``Church-style'' lambda-terms \cite{Church40} and HOL-based languages
-\cite{PittsHOL4} where variables and variable binding depend on type
-annotations.
-*}
-section {* Sorted Atoms and Sort-Respecting Permutations *}
-text {*
-In the nominal logic work of Pitts, binders and bound variables are
-represented by \emph{atoms}.  As stated above, we need to have different
-\emph{sorts} of atoms to be able to bind different kinds of variables.  A
-basic requirement is that there must be a countably infinite number of atoms
-of each sort.  Unlike in our earlier work, where we identified each sort with
-a separate type, we implement here atoms to be
-*}
-datatype atom\<iota> = Atom\<iota> string nat
-text {*
-\noindent
-whereby the string argument specifies the sort of the atom.\footnote{A similar
-design choice was made by Gunter et al \cite{GunterOsbornPopescu09}
-for their variables.}  (The use type
-\emph{string} is merely for convenience; any countably infinite type would work
-as well.)
-We have an auxiliary function @{text sort} that is defined as @{thm
-sort_of.simps[no_vars]}, and we clearly have for every finite set @{text X} of
-atoms and every sort @{text s} the property:
-\begin{proposition}\label{choosefresh}
-@{text "If finite X then there exists an atom a such that
-sort a = s and a \<notin> X"}.
-\end{proposition}
-For implementing sort-respecting permutations, we use functions of type @{typ
-"atom => atom"} that @{text "i)"} are bijective; @{text "ii)"} are the
-identity on all atoms, except a finite number of them; and @{text "iii)"} map
-each atom to one of the same sort. These properties can be conveniently stated
-for a function @{text \<pi>} as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-i)~~~@{term "bij \<pi>"}\hspace{5mm}
-ii)~~~@{term "finite {a. \<pi> a \<noteq> a}"}\hspace{5mm}
-iii)~~~@{term "\<forall>a. sort (\<pi> a) = sort a"}\hfill\numbered{permtype}
-\end{isabelle}
-\noindent
-Like all HOL-based theorem provers, Isabelle/HOL allows us to
-introduce a new type @{typ perm} that includes just those functions
-satisfying all three properties. For example the identity function,
-written @{term id}, is included in @{typ perm}. Also function composition,
-written  \mbox{@{text "_ \<circ> _"}}, and function inversion, given by Isabelle/HOL's
-inverse operator and written \mbox{@{text "inv _"}}, preserve the properties
-@{text "i"}-@{text "iii"}.
-However, a moment of thought is needed about how to construct non-trivial
-permutations. In the nominal logic work it turned out to be most convenient
-to work with swappings, written @{text "(a b)"}.  In our setting the
-type of swappings must be
-@{text [display,indent=10] "(_ _) :: atom \<Rightarrow> atom \<Rightarrow> perm"}
-\noindent
-but since permutations are required to respect sorts, we must carefully
-consider what happens if a user states a swapping of atoms with different
-sorts.  In earlier versions of Nominal Isabelle, we avoided this problem by
-using different types for different sorts; the type system prevented users
-from stating ill-sorted swappings.  Here, however, definitions such
-as\footnote{To increase legibility, we omit here and in what follows the
-@{term Rep_perm} and @{term "Abs_perm"} wrappers that are needed in our
-implementation since we defined permutation not to be the full function space,
-but only those functions of type @{typ perm} satisfying properties @{text
-i}-@{text "iii"}.}
-@{text [display,indent=10] "(a b) \<equiv> \<lambda>c. if a = c then b else (if b = c then a else c)"}
-\noindent
-do not work in general, because the type system does not prevent @{text a}
-and @{text b} from having different sorts---in which case the function would
-violate property @{text iii}.  We could make the definition of swappings
-partial by adding the precondition @{term "sort a = sort b"},
-which would mean that in case @{text a} and @{text b} have different sorts,
-the value of @{text "(a b)"} is unspecified.  However, this looked like a
-cumbersome solution, since sort-related side conditions would be required
-everywhere, even to unfold the definition.  It turned out to be more
-convenient to actually allow the user to state ``ill-sorted'' swappings but
-limit their ``damage'' by defaulting to the identity permutation in the
-ill-sorted case:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}rl}
-@{text "(a b) \<equiv>"} & @{text "if (sort a = sort b)"}\\
-& \hspace{3mm}@{text "then \<lambda>c. if a = c then b else (if b = c then a else c)"}\\
-& \hspace{3mm}@{text "else id"}
-\end{tabular}\hfill\numbered{swapdef}
-\end{isabelle}
-\noindent
-This function is bijective, the identity on all atoms except
-@{text a} and @{text b}, and sort respecting. Therefore it is
-a function in @{typ perm}.
-One advantage of using functions instead of lists as a representation for
-permutations is that for example the swappings
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm swap_commute[no_vars]}\hspace{10mm}
-@{text "(a a) = id"}
-\end{tabular}\hfill\numbered{swapeqs}
-\end{isabelle}
-\noindent
-are \emph{equal}.  We do not have to use the equivalence relation shown
-in~\eqref{permequ} to identify them, as we would if they had been represented
-as lists of pairs.  Another advantage of the function representation is that
-they form a (non-commutative) group, provided we define
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm zero_perm_def[no_vars, THEN eq_reflection]} \hspace{4mm}
-@{thm plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2", THEN eq_reflection]} \hspace{4mm}
-@{thm uminus_perm_def[where p="\<pi>", THEN eq_reflection]} \hspace{4mm}
-@{thm minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]}
-\end{tabular}
-\end{isabelle}
-\noindent
-and verify the simple properties
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm add_assoc[where a="\<pi>\<^isub>1" and b="\<pi>\<^isub>2" and c="\<pi>\<^isub>3"]} \hspace{3mm}
-@{thm monoid_add_class.add_0_left[where a="\<pi>::perm"]} \hspace{3mm}
-@{thm monoid_add_class.add_0_right[where a="\<pi>::perm"]} \hspace{3mm}
-@{thm group_add_class.left_minus[where a="\<pi>::perm"]}
-\end{tabular}
-\end{isabelle}
-\noindent
-Again this is in contrast to the list-of-pairs representation which does not
-form a group.  The technical importance of this fact is that we can rely on
-Isabelle/HOL's existing simplification infrastructure for groups, which will
-come in handy when we have to do calculations with permutations.
-Note that Isabelle/HOL defies standard conventions of mathematical notation
-by using additive syntax even for non-commutative groups.  Obviously,
-composition of permutations is not commutative in general---@{text
-"\<pi>\<^sub>1 + \<pi>\<^sub>2 \<noteq> \<pi>\<^sub>2 + \<pi>\<^sub>1"}.  But since the point of this paper is to implement the
-nominal theory as smoothly as possible in Isabelle/HOL, we tolerate
-the non-standard notation in order to reuse the existing libraries.
-By formalising permutations abstractly as functions, and using a single type
-for all atoms, we can now restate the \emph{permutation properties} from
-\eqref{permprops} as just the two equations
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
-i) & @{thm permute_zero[no_vars]}\\
-ii) & @{thm permute_plus[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2",no_vars]}
-\end{tabular}\hfill\numbered{newpermprops}
-\end{isabelle}
-\noindent
-in which the permutation operations are of type @{text "perm \<Rightarrow> \<beta> \<Rightarrow> \<beta>"} and so
-have only a single type parameter.  Consequently, these properties are
-compatible with the one-parameter restriction of Isabelle/HOL's type classes.
-There is no need to introduce a separate type class instantiated for each
-sort, like in the old approach.
-The next notion allows us to establish generic lemmas involving the
-permutation operation.
-\begin{definition}
-A type @{text "\<beta>"} is a \emph{permutation type} if the permutation
-properties in \eqref{newpermprops} are satisfied for every @{text "x"} of type
-@{text "\<beta>"}.
-\end{definition}
-\noindent
-First, it follows from the laws governing
-groups that a permutation and its inverse cancel each other.  That is, for any
-@{text "x"} of a permutation type:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm permute_minus_cancel(1)[where p="\<pi>", no_vars]}\hspace{10mm}
-@{thm permute_minus_cancel(2)[where p="\<pi>", no_vars]}
-\end{tabular}\hfill\numbered{cancel}
-\end{isabelle}
-\noindent
-Consequently, in a permutation type the permutation operation @{text "\<pi> \<bullet> _"} is bijective,
-which in turn implies the property
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm (lhs) permute_eq_iff[where p="\<pi>", no_vars]}
-$\;$if and only if$\;$
-@{thm (rhs) permute_eq_iff[where p="\<pi>", no_vars]}.
-\end{tabular}\hfill\numbered{permuteequ}
-\end{isabelle}
-\noindent
-In order to lift the permutation operation to other types, we can define for:
-\begin{isabelle}
-\begin{tabular}{@ {}c@ {\hspace{-1mm}}c@ {}}
-\begin{tabular}{@ {}r@ {\hspace{2mm}}l@ {}}
-atoms: & @{thm permute_atom_def[where p="\<pi>",no_vars, THEN eq_reflection]}\\
-functions: &  @{text "\<pi> \<bullet> f \<equiv> \<lambda>x. \<pi> \<bullet> (f ((-\<pi>) \<bullet> x))"}\\
-permutations: & @{thm permute_perm_def[where p="\<pi>" and q="\<pi>'", THEN eq_reflection]}\\
-sets: & @{thm permute_set_eq[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-booleans: & @{thm permute_bool_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-\end{tabular} &
-\begin{tabular}{@ {}r@ {\hspace{2mm}}l@ {}}
-lists: & @{thm permute_list.simps(1)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-& @{thm permute_list.simps(2)[where p="\<pi>", no_vars, THEN eq_reflection]}\\[2mm]
-products: & @{thm permute_prod.simps[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-nats: & @{thm permute_nat_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-\end{tabular}
-\end{tabular}
-\end{isabelle}
-\noindent
-and then establish:
-\begin{theorem}
-If @{text \<beta>}, @{text "\<beta>\<^isub>1"} and @{text "\<beta>\<^isub>2"} are permutation types,
-then so are @{text "atom"}, @{text "\<beta>\<^isub>1 \<Rightarrow> \<beta>\<^isub>2"},
-@{text perm}, @{term "\<beta> set"}, @{term "\<beta> list"}, @{term "\<beta>\<^isub>1 \<times> \<beta>\<^isub>2"},
-@{text bool} and @{text "nat"}.
-\end{theorem}
-\begin{proof}
-All statements are by unfolding the definitions of the permutation operations and simple
-calculations involving addition and minus. With permutations for example we
-have
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl}
-@{text "0 \<bullet> \<pi>'"} & @{text "\<equiv>"} & @{text "0 + \<pi>' - 0 = \<pi>'"}\\
-@{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) \<bullet> \<pi>'"} & @{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) + \<pi>' - (\<pi>\<^isub>1 + \<pi>\<^isub>2)"}\\
-& @{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) + \<pi>' - \<pi>\<^isub>2 - \<pi>\<^isub>1"}\\
-& @{text "="} & @{text "\<pi>\<^isub>1 + (\<pi>\<^isub>2 + \<pi>' - \<pi>\<^isub>2) - \<pi>\<^isub>1"} @{text "\<equiv>"} @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> \<pi>'"}
-\end{tabular}\hfill\qed
-\end{isabelle}
-\end{proof}
-\noindent
-The main point is that the above reasoning blends smoothly with the reasoning
-infrastructure of Isabelle/HOL; no custom ML-code is necessary and a single
-type class suffices. We can also show once and for all that the following
-property---which caused so many headaches in our earlier setup---holds for any
-permutation type.
-\begin{lemma}\label{permutecompose}
-Given @{term x} is of permutation type, then
-@{text "\<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x) = (\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}.
-\end{lemma}
-\begin{proof} The proof is as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl@ {\hspace{8mm}}l}
-@{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> x"}
-& @{text "="} & @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> (-\<pi>\<^isub>1) \<bullet> \<pi>\<^isub>1 \<bullet> x"} & by \eqref{cancel}\\
-& @{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2 - \<pi>\<^isub>1) \<bullet> \<pi>\<^isub>1 \<bullet> x"}  & by {\rm(\ref{newpermprops}.@{text "ii"})}\\
-& @{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}\\
-\end{tabular}\hfill\qed
-\end{isabelle}
-\end{proof}
-%* }
-%
-%section { * Equivariance * }
-%
-%text { *
-An \emph{equivariant} function or predicate is one that is invariant under
-the swapping of atoms.  Having a notion of equivariance with nice logical
-properties is a major advantage of bijective permutations over traditional
-renaming substitutions \cite[\S2]{Pitts03}.  Equivariance can be defined
-uniformly for all permutation types, and it is satisfied by most HOL
-functions and constants.
-\begin{definition}\label{equivariance}
-A function @{text f} is \emph{equivariant} if @{term "\<forall>\<pi>. \<pi> \<bullet> f = f"}.
-\end{definition}
-\noindent
-There are a number of equivalent formulations for the equivariance property.
-For example, assuming @{text f} is of type @{text "\<alpha> \<Rightarrow> \<beta>"}, then equivariance
-can also be stated as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<forall>\<pi> x.  \<pi> \<bullet> (f x) = f (\<pi> \<bullet> x)"}
-\end{tabular}\hfill\numbered{altequivariance}
-\end{isabelle}
-\noindent
-To see that this formulation implies the definition, we just unfold the
-definition of the permutation operation for functions and simplify with the equation
-and the cancellation property shown in \eqref{cancel}. To see the other direction, we use
-the fact
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<pi> \<bullet> (f x) = (\<pi> \<bullet> f) (\<pi> \<bullet> x)"}
-\end{tabular}\hfill\numbered{permutefunapp}
-\end{isabelle}
-\noindent
-which follows again directly
-from the definition of the permutation operation for functions and the cancellation
-property. Similarly for functions with more than one argument.
-Both formulations of equivariance have their advantages and disadvantages:
-\eqref{altequivariance} is often easier to establish. For example we
-can easily show that equality is equivariant
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm eq_eqvt[where p="\<pi>", no_vars]}
-\end{tabular}
-\end{isabelle}
-\noindent
-using the permutation operation on booleans and property \eqref{permuteequ}.
-Lemma~\ref{permutecompose} establishes that the permutation operation is
-equivariant. It is also easy to see that the boolean operators, like
-@{text "\<and>"}, @{text "\<or>"} and @{text "\<longrightarrow>"} are all equivariant. Furthermore
-a simple calculation will show that our swapping functions are equivariant, that is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm swap_eqvt[where p="\<pi>", no_vars]}
-\end{tabular}\hfill\numbered{swapeqvt}
-\end{isabelle}
-\noindent
-for all @{text a}, @{text b} and @{text \<pi>}.  These equivariance properties
-are tremendously helpful later on when we have to push permutations inside
-terms.
-*}
-section {* Support and Freshness *}
-text {*
-The most original aspect of the nominal logic work of Pitts et al is a general
-definition for ``the set of free variables of an object @{text "x"}''.  This
-definition is general in the sense that it applies not only to lambda-terms,
-but also to lists, products, sets and even functions. The definition depends
-only on the permutation operation and on the notion of equality defined for
-the type of @{text x}, namely:
-@{thm [display,indent=10] supp_def[no_vars, THEN eq_reflection]}
-\noindent
-(Note that due to the definition of swapping in \eqref{swapdef}, we do not
-need to explicitly restrict @{text a} and @{text b} to have the same sort.)
-There is also the derived notion for when an atom @{text a} is \emph{fresh}
-for an @{text x}, defined as
-@{thm [display,indent=10] fresh_def[no_vars]}
-\noindent
-A striking consequence of these definitions is that we can prove
-without knowing anything about the structure of @{term x} that
-swapping two fresh atoms, say @{text a} and @{text b}, leave
-@{text x} unchanged. For the proof we use the following lemma
-about swappings applied to an @{text x}:
-\begin{lemma}\label{swaptriple}
-Assuming @{text x} is of permutation type, and @{text a}, @{text b} and @{text c}
-have the same sort, then @{thm (prem 3) swap_rel_trans[no_vars]} and
-@{thm (prem 4) swap_rel_trans[no_vars]} imply @{thm (concl) swap_rel_trans[no_vars]}.
-\end{lemma}
-\begin{proof}
-The cases where @{text "a = c"} and @{text "b = c"} are immediate.
-For the remaining case it is, given our assumptions, easy to calculate
-that the permutations
-@{thm [display,indent=10] (concl) swap_triple[no_vars]}
-\noindent
-are equal. The lemma is then by application of the second permutation
-property shown in \eqref{newpermprops}.\hfill\qed
-\end{proof}
-\begin{theorem}\label{swapfreshfresh}
-Let @{text x} be of permutation type.
-@{thm [mode=IfThen] swap_fresh_fresh[no_vars]}
-\end{theorem}
-\begin{proof}
-If @{text a} and @{text b} have different sort, then the swapping is the identity.
-If they have the same sort, we know by definition of support that both
-@{term "finite {c. (a \<rightleftharpoons> c) \<bullet> x \<noteq> x}"} and  @{term "finite {c. (b \<rightleftharpoons> c) \<bullet> x \<noteq> x}"}
-hold. So the union of these sets is finite too, and we know by Proposition~\ref{choosefresh}
-that there is an atom @{term c}, with the same sort as @{term a} and @{term b},
-that satisfies \mbox{@{term "(a \<rightleftharpoons> c) \<bullet> x = x"}} and @{term "(b \<rightleftharpoons> c) \<bullet> x = x"}.
-Now the theorem follows from Lemma~\ref{swaptriple}.\hfill\qed
-\end{proof}
-\noindent
-Two important properties that need to be established for later calculations is
-that @{text "supp"} and freshness are equivariant. For this we first show that:
-\begin{lemma}\label{half}
-If @{term x} is a permutation type, then @{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]}
-if and only if @{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}.
-\end{lemma}
-\begin{proof}
-\begin{isabelle}
-\begin{tabular}[t]{c@ {\hspace{2mm}}l@ {\hspace{5mm}}l}
-& \multicolumn{2}{@ {}l}{@{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]} @{text "\<equiv>"}
-@{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}}\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> \<pi> \<bullet> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}
-& since @{text "\<pi> \<bullet> _"} is bijective\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. \<pi> \<bullet> (a \<rightleftharpoons> b) \<bullet> x \<noteq> \<pi> \<bullet> x}"}
-& by \eqref{permutecompose} and \eqref{swapeqvt}\\
-@{text "\<Leftrightarrow>"}
-& @{term "finite {b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"} @{text "\<equiv>"}
-@{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}
-& by \eqref{permuteequ}\\
-\end{tabular}
-\end{isabelle}\hfill\qed
-\end{proof}
-\noindent
-Together with the definition of the permutation operation on booleans,
-we can immediately infer equivariance of freshness:
-@{thm [display,indent=10] fresh_eqvt[where p="\<pi>",no_vars]}
-\noindent
-Now equivariance of @{text "supp"}, namely
-@{thm [display,indent=10] supp_eqvt[where p="\<pi>",no_vars]}
-\noindent
-is by noting that @{thm supp_conv_fresh[no_vars]} and that freshness and
-the logical connectives are equivariant.
-While the abstract properties of support and freshness, particularly
-Theorem~\ref{swapfreshfresh}, are useful for developing Nominal Isabelle,
-one often has to calculate the support of some concrete object. This is
-straightforward for example for booleans, nats, products and lists:
-\begin{center}
-\begin{tabular}{@ {}c@ {\hspace{2mm}}c@ {}}
-\begin{tabular}{@ {}r@ {\hspace{2mm}}l}
-@{text "booleans"}: & @{term "supp b = {}"}\\
-@{text "nats"}:     & @{term "supp n = {}"}\\
-@{text "products"}: & @{thm supp_Pair[no_vars]}\\
-\end{tabular} &
-\begin{tabular}{r@ {\hspace{2mm}}l@ {}}
-@{text "lists:"} & @{thm supp_Nil[no_vars]}\\
-& @{thm supp_Cons[no_vars]}\\
-\end{tabular}
-\end{tabular}
-\end{center}
-\noindent
-But establishing the support of atoms and permutations in our setup here is a bit
-trickier. To do so we will use the following notion about a \emph{supporting set}.
-\begin{definition}
-A set @{text S} \emph{supports} @{text x} if for all atoms @{text a} and @{text b}
-not in @{text S} we have @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}.
-\end{definition}
-\noindent
-The main motivation for this notion is that we can characterise @{text "supp x"}
-as the smallest finite set that supports @{text "x"}. For this we prove:
-\begin{lemma}\label{supports} Let @{text x} be of permutation type.
-\begin{isabelle}
-\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
-i)    & @{thm[mode=IfThen] supp_is_subset[no_vars]}\\
-ii)   & @{thm[mode=IfThen] supp_supports[no_vars]}\\
-iii)  & @{thm (concl) supp_is_least_supports[no_vars]}
-provided @{thm (prem 1) supp_is_least_supports[no_vars]},
-@{thm (prem 2) supp_is_least_supports[no_vars]}
-and @{text "S"} is the least such set, that means formally,
-for all @{text "S'"}, if @{term "finite S'"} and
-@{term "S' supports x"} then @{text "S \<subseteq> S'"}.
-\end{tabular}
-\end{isabelle}
-\end{lemma}
-\begin{proof}
-For @{text "i)"} we derive a contradiction by assuming there is an atom @{text a}
-with @{term "a \<in> supp x"} and @{text "a \<notin> S"}. Using the second fact, the
-assumption that @{term "S supports x"} gives us that @{text S} is a superset of
-@{term "{b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"}, which is finite by the assumption of @{text S}
-being finite. But this means @{term "a \<notin> supp x"}, contradicting our assumption.
-Property @{text "ii)"} is by a direct application of
-Theorem~\ref{swapfreshfresh}. For the last property, part @{text "i)"} proves
-one ``half'' of the claimed equation. The other ``half'' is by property
-@{text "ii)"} and the fact that @{term "supp x"} is finite by @{text "i)"}.\hfill\qed
-\end{proof}
-\noindent
-These are all relatively straightforward proofs adapted from the existing
-nominal logic work. However for establishing the support of atoms and
-permutations we found  the following ``optimised'' variant of @{text "iii)"}
-more useful:
-\begin{lemma}\label{optimised} Let @{text x} be of permutation type.
-We have that @{thm (concl) finite_supp_unique[no_vars]}
-provided @{thm (prem 1) finite_supp_unique[no_vars]},
-@{thm (prem 2) finite_supp_unique[no_vars]}, and for
-all @{text "a \<in> S"} and all @{text "b \<notin> S"}, with @{text a}
-and @{text b} having the same sort, \mbox{@{term "(a \<rightleftharpoons> b) \<bullet> x \<noteq> x"}}
-\end{lemma}
-\begin{proof}
-By Lemma \ref{supports}@{text ".iii)"} we have to show that for every finite
-set @{text S'} that supports @{text x}, \mbox{@{text "S \<subseteq> S'"}} holds. We will
-assume that there is an atom @{text "a"} that is element of @{text S}, but
-not @{text "S'"} and derive a contradiction.  Since both @{text S} and
-@{text S'} are finite, we can by Proposition \ref{choosefresh} obtain an atom
-@{text b}, which has the same sort as @{text "a"} and for which we know
-@{text "b \<notin> S"} and @{text "b \<notin> S'"}. Since we assumed @{text "a \<notin> S'"} and
-we have that @{text "S' supports x"}, we have on one hand @{term "(a \<rightleftharpoons> b) \<bullet> x
-= x"}. On the other hand, the fact @{text "a \<in> S"} and @{text "b \<notin> S"} imply
-@{term "(a \<rightleftharpoons> b) \<bullet> x \<noteq> x"} using the assumed implication. This gives us the
-contradiction.\hfill\qed
-\end{proof}
-\noindent
-Using this lemma we only have to show the following three proof-obligations
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}r@ {\hspace{4mm}}l}
-i)   & @{term "{c} supports c"}\\
-ii)  & @{term "finite {c}"}\\
-iii) & @{text "\<forall>a \<in> {c} b \<notin> {c}. sort a = sort b \<longrightarrow> (a b) \<bullet> c \<noteq> c"}
-\end{tabular}
-\end{isabelle}
-\noindent
-in order to establish that @{thm supp_atom[where a="c", no_vars]} holds.  In
-Isabelle/HOL these proof-obligations can be discharged by easy
-simplifications. Similar proof-obligations arise for the support of
-permutations, which is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm supp_perm[where p="\<pi>", no_vars]}
-\end{tabular}
-\end{isabelle}
-\noindent
-The only proof-obligation that is
-interesting is the one where we have to show that
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "If \<pi> \<bullet> a \<noteq> a, \<pi> \<bullet> b = b and sort a = sort b, then (a b) \<bullet> \<pi> \<noteq> \<pi>"}.
-\end{tabular}
-\end{isabelle}
-\noindent
-For this we observe that
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}rcl}
-@{thm (lhs) perm_swap_eq[where p="\<pi>", no_vars]} &
-if and only if &
-@{thm (rhs) perm_swap_eq[where p="\<pi>", no_vars]}
-\end{tabular}
-\end{isabelle}
-\noindent
-holds by a simple calculation using the group properties of permutations.
-The proof-obligation can then be discharged by analysing the inequality
-between the permutations @{term "(\<pi> \<bullet> a \<rightleftharpoons> b)"} and @{term "(a \<rightleftharpoons> b)"}.
-The main point about support is that whenever an object @{text x} has finite
-support, then Proposition~\ref{choosefresh} allows us to choose for @{text x} a
-fresh atom with arbitrary sort. This is an important operation in Nominal
-Isabelle in situations where, for example, a bound variable needs to be
-renamed. To allow such a choice, we only have to assume \emph{one} premise
-of the form @{text "finite (supp x)"}
-for each @{text x}. Compare that with the sequence of premises in our earlier
-version of Nominal Isabelle (see~\eqref{fssequence}). For more convenience we
-can define a type class for types where every element has finite support, and
-prove that the types @{term "atom"}, @{term "perm"}, lists, products and
-booleans are instances of this type class. Then \emph{no} premise is needed,
-as the type system of Isabelle/HOL can figure out automatically when an object
-is finitely supported.
-Unfortunately, this does not work for sets or Isabelle/HOL's function type.
-There are functions and sets definable in Isabelle/HOL for which the finite
-support property does not hold.  A simple example of a function with
-infinite support is the function that returns the natural number of an atom
-@{text [display, indent=10] "nat_of (Atom s i) \<equiv> i"}
-\noindent
-This function's support is the set of \emph{all} atoms. To establish this we show @{term "\<not> a \<sharp> nat_of"}.
-This is equivalent to assuming the set @{term "{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite
-and deriving a contradiction. From the assumption we also know that
-@{term "{a} \<union> {b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
-Proposition~\ref{choosefresh} to choose an atom @{text c} such that
-@{term "c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c) \<bullet> nat_of = nat_of"}.
-Now we can reason as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl@ {\hspace{5mm}}l}
-@{text "nat_of a"} & @{text "="} & @{text "(a \<rightleftharpoons> c) \<bullet> (nat_of a)"} & by def.~of permutations on nats\\
-& @{text "="} & @{term "((a \<rightleftharpoons> c) \<bullet> nat_of) ((a \<rightleftharpoons> c) \<bullet> a)"} & by \eqref{permutefunapp}\\
-& @{text "="} & @{term "nat_of c"} & by assumptions on @{text c}\\
-\end{tabular}
-\end{isabelle}
-\noindent
-But this means we have that @{term "nat_of a = nat_of c"} and @{term "sort_of a = sort_of c"}.
-This implies that atoms @{term a} and @{term c} must be equal, which clashes with our
-assumption @{term "c \<noteq> a"} about how we chose @{text c}.
-Cheney \cite{Cheney06} gives similar examples for constructions that have infinite support.
-*}
-section {* Concrete Atom Types *}
-text {*
-So far, we have presented a system that uses only a single multi-sorted atom
-type.  This design gives us the flexibility to define operations and prove
-theorems that are generic with respect to atom sorts.  For example, as
-illustrated above the @{term supp} function returns a set that includes the
-free atoms of \emph{all} sorts together; the flexibility offered by the new
-atom type makes this possible.
-However, the single multi-sorted atom type does not make an ideal interface
-for end-users of Nominal Isabelle.  If sorts are not distinguished by
-Isabelle's type system, users must reason about atom sorts manually.  That
-means subgoals involving sorts must be discharged explicitly within proof
-scripts, instead of being inferred by Isabelle/HOL's type checker.  In other
-cases, lemmas might require additional side conditions about sorts to be true.
-For example, swapping @{text a} and @{text b} in the pair \mbox{@{term "(a,
-b)"}} will only produce the expected result if we state the lemma in
-Isabelle/HOL as:
-*}
-lemma
-	    fixes a b :: "atom"
-	    assumes asm: "sort a = sort b"
-	    shows "(a \<rightleftharpoons> b) \<bullet> (a, b) = (b, a)"
-using asm by simp
-text {*
-\noindent
-Fortunately, it is possible to regain most of the type-checking automation
-that is lost by moving to a single atom type.  We accomplish this by defining
-\emph{subtypes} of the generic atom type that only include atoms of a single
-specific sort.  We call such subtypes \emph{concrete atom types}.
-The following Isabelle/HOL command defines a concrete atom type called
-\emph{name}, which consists of atoms whose sort equals the string @{term
-"''name''"}.
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\isacommand{typedef}\ \ @{typ name} = @{term "{a. sort\<iota> a = ''name''}"}
-\end{isabelle}
-\noindent
-This command automatically generates injective functions that map from the
-concrete atom type into the generic atom type and back, called
-representation and abstraction functions, respectively. We will write these
-functions as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l@ {\hspace{10mm}}l}
-@{text "\<lfloor>_\<rfloor> :: name \<Rightarrow> atom"} &
-@{text "\<lceil>_\<rceil> :: atom \<Rightarrow> name"}
-\end{tabular}
-\end{isabelle}
-\noindent
-With the definition @{thm permute_name_def [where p="\<pi>", THEN
-eq_reflection, no_vars]}, it is straightforward to verify that the type
-@{typ name} is a permutation type.
-In order to reason uniformly about arbitrary concrete atom types, we define a
-type class that characterises type @{typ name} and other similarly-defined
-types.  The definition of the concrete atom type class is as follows: First,
-every concrete atom type must be a permutation type.  In addition, the class
-defines an overloaded function that maps from the concrete type into the
-generic atom type, which we will write @{text "|_|"}.  For each class
-instance, this function must be injective and equivariant, and its outputs
-must all have the same sort, that is
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-i)   \hspace{1mm}if @{thm (lhs) atom_eq_iff [no_vars]} then @{thm (rhs) atom_eq_iff [no_vars]}\hspace{4mm}
-ii)  \hspace{1mm}@{thm atom_eqvt[where p="\<pi>", no_vars]}\hspace{4mm}
-iii) \hspace{1mm}@{thm sort_of_atom_eq [no_vars]}
-\hfill\numbered{atomprops}
-\end{isabelle}
-\noindent
-With the definition @{thm atom_name_def [THEN eq_reflection, no_vars]} we can
-show that @{typ name} satisfies all the above requirements of a concrete atom
-type.
-The whole point of defining the concrete atom type class was to let users
-avoid explicit reasoning about sorts.  This benefit is realised by defining a
-special swapping operation of type @{text "\<alpha> \<Rightarrow> \<alpha>
-\<Rightarrow> perm"}, where @{text "\<alpha>"} is a concrete atom type:
-@{thm [display,indent=10] flip_def [THEN eq_reflection, no_vars]}
-\noindent
-As a consequence of its type, the @{text "\<leftrightarrow>"}-swapping
-operation works just like the generic swapping operation, but it does not
-require any sort-checking side conditions---the sort-correctness is ensured by
-the types!  For @{text "\<leftrightarrow>"} we can establish the following
-simplification rule:
-@{thm [display,indent=10] permute_flip_at[no_vars]}
-\noindent
-If we now want to swap the \emph{concrete} atoms @{text a} and @{text b}
-in the pair @{term "(a, b)"} we can establish the lemma as follows:
-*}
-lemma
-	    fixes a b :: "name"
-	    shows "(a \<leftrightarrow> b) \<bullet> (a, b) = (b, a)"
-	  by simp
-text {*
-\noindent
-There is no need to state an explicit premise involving sorts.
-We can automate the process of creating concrete atom types, so that users
-can define a new one simply by issuing the command
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-\isacommand{atom\_decl}~~@{text "name"}
-\end{tabular}
-\end{isabelle}
-\noindent
-This command can be implemented using less than 100 lines of custom ML-code.
-In comparison, the old version of Nominal Isabelle included more than 1000
-lines of ML-code for creating concrete atom types, and for defining various
-type classes and instantiating generic lemmas for them.  In addition to
-simplifying the ML-code, the setup here also offers user-visible improvements:
-Now concrete atoms can be declared at any point of a formalisation, and
-theories that separately declare different atom types can be merged
-together---it is no longer required to collect all atom declarations in one
-place.
-*}
-section {* Multi-Sorted Concrete Atoms *}
-(*<*)
-datatype ty = TVar string | Fun ty ty ("_ \<rightarrow> _")
-(*>*)
-text {*
-The formalisation presented so far allows us to streamline proofs and reduce
-the amount of custom ML-code in the existing implementation of Nominal
-Isabelle. In this section we describe a mechanism that extends the
-capabilities of Nominal Isabelle. This mechanism is about variables with
-additional information, for example typing constraints.
-While we leave a detailed treatment of binders and binding of variables for a
-later paper, we will have a look here at how such variables can be
-represented by concrete atoms.
-In the previous section we considered concrete atoms that can be used in
-simple binders like \emph{@{text "\<lambda>x. x"}}.  Such concrete atoms do
-not carry any information beyond their identities---comparing for equality
-is really the only way to analyse ordinary concrete atoms.
-However, in ``Church-style'' lambda-terms \cite{Church40} and in the terms
-underlying HOL-systems \cite{PittsHOL4} binders and bound variables have a
-more complicated structure. For example in the ``Church-style'' lambda-term
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<lambda>x\<^isub>\<alpha>. x\<^isub>\<alpha> x\<^isub>\<beta>"}
-\end{tabular}\hfill\numbered{church}
-\end{isabelle}
-\noindent
-both variables and binders include typing information indicated by @{text \<alpha>}
-and @{text \<beta>}. In this setting, we treat @{text "x\<^isub>\<alpha>"} and @{text
-"x\<^isub>\<beta>"} as distinct variables (assuming @{term "\<alpha>\<noteq>\<beta>"}) so that the
-variable @{text "x\<^isub>\<alpha>"} is bound by the lambda-abstraction, but not
-@{text "x\<^isub>\<beta>"}.
-To illustrate how we can deal with this phenomenon, let us represent object
-types like @{text \<alpha>} and @{text \<beta>} by the datatype
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-\isacommand{datatype}~~@{text "ty = TVar string | ty \<rightarrow> ty"}
-\end{tabular}
-\end{isabelle}
-\noindent
-If we attempt to encode a variable naively as a pair of a @{text name} and a @{text ty}, we have the
-problem that a swapping, say @{term "(x \<leftrightarrow> y)"}, applied to the pair @{text "((x, \<alpha>), (x, \<beta>))"}
-will always permute \emph{both} occurrences of @{text x}, even if the types
-@{text "\<alpha>"} and @{text "\<beta>"} are different. This is unwanted, because it will
-eventually mean that both occurrences of @{text x} will become bound by a
-corresponding binder.
-Another attempt might be to define variables as an instance of the concrete
-atom type class, where a @{text ty} is somehow encoded within each variable.
-Remember we defined atoms as the datatype:
-*}
-datatype  atom\<iota>\<iota> = Atom\<iota>\<iota> string nat
-text {*
-\noindent
-Considering our method of defining concrete atom types, the usage of a string
-for the sort of atoms seems a natural choice.  However, none of the results so
-far depend on this choice and we are free to change it.
-One possibility is to encode types or any other information by making the sort
-argument parametric as follows:
-*}
-datatype  'a \<iota>atom\<iota>\<iota>\<iota> = \<iota>Atom\<iota>\<iota> 'a nat
-text {*
-\noindent
-The problem with this possibility is that we are then back in the old
-situation where our permutation operation is parametric in two types and
-this would require to work around Isabelle/HOL's restriction on type
-classes. Fortunately, encoding the types in a separate parameter is not
-necessary for what we want to achieve, as we only have to know when two
-types are equal or not. The solution is to use a different sort for each
-object type.  Then we can use the fact that permutations respect \emph{sorts} to
-ensure that permutations also respect \emph{object types}.  In order to do
-this, we must define an injective function @{text "sort_ty"} mapping from
-object types to sorts.  For defining functions like @{text "sort_ty"}, it is
-more convenient to use a tree datatype for sorts. Therefore we define
-*}
-datatype  sort = Sort string "(sort list)"
-datatype  atom\<iota>\<iota>\<iota>\<iota> = Atom\<iota>\<iota>\<iota>\<iota> sort nat
-text {*
-\noindent
-With this definition,
-the sorts we considered so far can be encoded just as \mbox{@{text "Sort s []"}}.
-The point, however, is that we can now define the function @{text sort_ty} simply as
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "sort_ty (TVar s) = Sort ''TVar'' [Sort s []]"}\\
-@{text "sort_ty (\<tau>\<^isub>1 \<rightarrow> \<tau>\<^isub>2) = Sort ''Fun''  [sort_ty \<tau>\<^isub>1, sort_ty \<tau>\<^isub>2]"}
-\end{tabular}\hfill\numbered{sortty}
-\end{isabelle}
-\noindent
-which can easily be shown to be injective.
-Having settled on what the sorts should be for ``Church-like'' atoms, we have to
-give a subtype definition for concrete atoms. Previously we identified a subtype consisting
-of atoms of only one specified sort. This must be generalised to all sorts the
-function @{text "sort_ty"} might produce, i.e.~the
-range of @{text "sort_ty"}. Therefore we define
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\isacommand{typedef}\ \ @{text var} = @{term "{a. sort a : range sort_ty}"}
-\end{isabelle}
-\noindent
-This command gives us again injective representation and abstraction
-functions. We will write them also as \mbox{@{text "\<lfloor>_\<rfloor> :: var \<Rightarrow> atom"}} and
-@{text "\<lceil>_\<rceil> :: atom \<Rightarrow> var"}, respectively.
-We can define the permutation operation for @{text var} as @{thm
-permute_var_def[where p="\<pi>", THEN eq_reflection, no_vars]} and the
-injective function to type @{typ atom} as @{thm atom_var_def[THEN
-eq_reflection, no_vars]}. Finally, we can define a constructor function that
-makes a @{text var} from a variable name and an object type:
-@{thm [display,indent=10] Var_def[where t="\<alpha>", THEN eq_reflection, no_vars]}
-\noindent
-With these definitions we can verify all the properties for concrete atom
-types except Property \ref{atomprops}@{text ".iii)"}, which requires every
-atom to have the same sort.  This last property is clearly not true for type
-@{text "var"}.
-This fact is slightly unfortunate since this
-property allowed us to use the type-checker in order to shield the user from
-all sort-constraints.  But this failure is expected here, because we cannot
-burden the type-system of Isabelle/HOL with the task of deciding when two
-object types are equal.  This means we sometimes need to explicitly state sort
-constraints or explicitly discharge them, but as we will see in the lemma
-below this seems a natural price to pay in these circumstances.
-To sum up this section, the encoding of type-information into atoms allows us
-to form the swapping @{term "(Var x \<alpha> \<leftrightarrow> Var y \<alpha>)"} and to prove the following
-lemma
-*}
-lemma
-	    assumes asm: "\<alpha> \<noteq> \<beta>"
-	    shows "(Var x \<alpha> \<leftrightarrow> Var y \<alpha>) \<bullet> (Var x \<alpha>, Var x \<beta>) = (Var y \<alpha>, Var x \<beta>)"
-	    using asm by simp
-text {*
-\noindent
-As we expect, the atom @{term "Var x \<beta>"} is left unchanged by the
-swapping. With this we can faithfully represent bindings in languages
-involving ``Church-style'' terms and bindings as shown in \eqref{church}. We
-expect that the creation of such atoms can be easily automated so that the
-user just needs to specify \isacommand{atom\_decl}~~@{text "var (ty)"}
-where the argument, or arguments, are datatypes for which we can automatically
-define an injective function like @{text "sort_ty"} (see \eqref{sortty}).
-Our hope is that with this approach Benzmueller and Paulson can make
-headway with formalising their results
-about simple type theory \cite{PaulsonBenzmueller}.
-Because of its limitations, they did not attempt this with the old version
-of Nominal Isabelle. We also hope we can make progress with formalisations of
-HOL-based languages.
-*}
-section {* Conclusion *}
-text {*
-This proof pearl describes a new formalisation of the nominal logic work by
-Pitts et al. With the definitions we presented here, the formal reasoning blends
-smoothly with the infrastructure of the Isabelle/HOL theorem prover.
-Therefore the formalisation will be the underlying theory for a
-new version of Nominal Isabelle.
-The main difference of this paper with respect to existing work on Nominal
-Isabelle is the representation of atoms and permutations. First, we used a
-single type for sorted atoms. This design choice means for a term @{term t},
-say, that its support is completely characterised by @{term "supp t"}, even
-if the term contains different kinds of atoms. Also, whenever we have to
-generalise an induction so that a property @{text P} is not just established
-for all @{text t}, but for all @{text t} \emph{and} under all permutations
-@{text \<pi>}, then we only have to state @{term "\<forall>\<pi>. P (\<pi> \<bullet> t)"}. The reason is
-that permutations can now consist of multiple swapping each of which can
-swap different kinds of atoms. This simplifies considerably the reasoning
-involved in building Nominal Isabelle.
-Second, we represented permutations as functions so that the associated
-permutation operation has only a single type parameter. This is very convenient
-because the abstract reasoning about permutations fits cleanly
-with Isabelle/HOL's type classes. No custom ML-code is required to work
-around rough edges. Moreover, by establishing that our permutations-as-functions
-representation satisfy the group properties, we were able to use extensively
-Isabelle/HOL's reasoning infrastructure for groups. This often reduced proofs
-to simple calculations over @{text "+"}, @{text "-"} and @{text "0"}.
-An interesting point is that we defined the swapping operation so that a
-swapping of two atoms with different sorts is \emph{not} excluded, like
-in our older work on Nominal Isabelle, but there is no ``effect'' of such
-a swapping (it is defined as the identity). This is a crucial insight
-in order to make the approach based on a single type of sorted atoms to work.
-But of course it is analogous to the well-known trick of defining division by
-zero to return zero.
-We noticed only one disadvantage of the permutations-as-functions: Over
-lists we can easily perform inductions. For permutations made up from
-functions, we have to manually derive an appropriate induction principle. We
-can establish such a principle, but we have no real experience yet whether ours
-is the most useful principle: such an induction principle was not needed in
-any of the reasoning we ported from the old Nominal Isabelle, except
-when showing that if @{term "\<forall>a \<in> supp x. a \<sharp> p"} implies @{term "p \<bullet> x = x"}.
-Finally, our implementation of sorted atoms turned out powerful enough to
-use it for representing variables that carry on additional information, for
-example typing annotations. This information is encoded into the sorts. With
-this we can represent conveniently binding in ``Church-style'' lambda-terms
-and HOL-based languages. While dealing with such additional information in
-dependent type-theories, such as LF or Coq, is straightforward, we are not
-aware of any  other approach in a non-dependent HOL-setting that can deal
-conveniently with such binders.
-The formalisation presented here will eventually become part of the Isabelle
-distribution, but for the moment it can be downloaded from the
-Mercurial repository linked at
-\href{http://isabelle.in.tum.de/nominal/download}
-{http://isabelle.in.tum.de/nominal/download}.\smallskip
-\noindent
-{\bf Acknowledgements:} We are very grateful to Jesper Bengtson, Stefan
-Berghofer and Cezary Kaliszyk for their comments on earlier versions
-of this paper. We are also grateful to the anonymous referee who helped us to
-put the work into the right context.
-*}
-(*<*)
-end
-(*>*)

branch	Nominal2-Isabelle2012
changeset 3169	b6873d123f9b
parent 3168	a6f3e1b08494
child 3170	89715c48f728