nominal2: comparison LMCS-Paper/Paper.thy

equal deleted inserted replaced

-:41c1e98c686f
+:e842807d8268
 atoms; moreover there must be a permutation @{text \<pi>} such that {\it
 (ii)} @{text \<pi>} leaves the free atoms of @{text x} and @{text y} unchanged, but
 {\it (iii)} ``moves'' their bound names so that we obtain modulo a relation,
 say \mbox{@{text "_ R _"}}, two equivalent terms. We also require that {\it (iv)}
 @{text \<pi>} makes the sets of abstracted atoms @{text as} and @{text bs} equal. The
-requirements {\it (i)} to {\it (iv)} can be stated formally as the conjunction of:
+requirements {\it (i)} to {\it (iv)} can be stated formally as:
 \begin{defi}[Alpha-Equivalence for Set-Bindings]\label{alphaset}\mbox{}\\
 \begin{tabular}{@ {\hspace{10mm}}l@ {\hspace{5mm}}rl}
 @{term "alpha_set_ex (as, x) R fa (bs, y)"}\hspace{2mm}@{text "\<equiv>"} &
 \multicolumn{2}{@ {}l}{if there exists a @{text "\<pi>"} such that:}\\
 This is because for every finite sets of atoms, say @{text "bs"}, we have
 @{thm (concl) supp_finite_atom_set[where S="bs", no_vars]}.
 Finally, taking \eqref{halfone} and \eqref{halftwo} together establishes
 the first equation of Theorem~\ref{suppabs}.
+Recall the definition of support \eqref{suppdef}, and note the difference between
+the support of a ``raw'' pair and an abstraction
+\[
+@{term "supp (as, x) = supp as \<union> supp x"}\hspace{15mm}
+@{term "supp (Abs_set as x) = supp x - as"}
+\]\smallskip
+\noindent
+While the permutation operations behave in both cases the same (the permutation
+is just moved to the arguments), the notion of equality is different for pairs and
+abstractions. Therefore we have different supports.
 The method of first considering abstractions of the form @{term "Abs_set as
 x"} etc is motivated by the fact that we can conveniently establish at the
 Isabelle/HOL level properties about them.  It would be extremely laborious
 to write custom ML-code that derives automatically such properties for every
 term-constructor that binds some atoms. Also the generality of the
 For binders we distinguish between \emph{shallow} and \emph{deep} binders.
 Shallow binders are just labels. The restriction we need to impose on them
 is that in case of \isacommand{binds (set)} and \isacommand{binds (set+)} the
 labels must either refer to atom types or to sets of atom types; in case of
-\isacommand{binds} the labels must refer to atom types or lists of atom
+\isacommand{binds} the labels must refer to atom types or to lists of atom
 types. Two examples for the use of shallow binders are the specification of
 lambda-terms, where a single name is bound, and type-schemes, where a finite
 set of names is bound:
 \[\mbox{
-\begin{tabular}{@ {}c@ {\hspace{5mm}}c@ {}}
+\begin{tabular}{@ {}c@ {\hspace{8mm}}c@ {}}
 \begin{tabular}{@ {}l}
 \isacommand{nominal\_datatype} @{text lam} $=$\\
 \hspace{2mm}\phantom{$\mid$}~@{text "Var name"}\\
 \hspace{2mm}$\mid$~@{text "App lam lam"}\\
 \hspace{2mm}$\mid$~@{text "Lam x::name t::lam"}\hspace{3mm}%
 \isacommand{binds} @{text x} \isacommand{in} @{text t}\\
+\\
 \end{tabular} &
 \begin{tabular}{@ {}l@ {}}
 \isacommand{nominal\_datatype}~@{text ty} $=$\\
-\hspace{5mm}\phantom{$\mid$}~@{text "TVar name"}\\
+\hspace{2mm}\phantom{$\mid$}~@{text "TVar name"}\\
-\hspace{5mm}$\mid$~@{text "TFun ty ty"}\\
+\hspace{2mm}$\mid$~@{text "TFun ty ty"}\\
-\isacommand{and}~@{text "tsc = All xs::(name fset) T::ty"}\hspace{3mm}%
+\isacommand{and}~@{text "tsc ="}\\
+\hspace{2mm}\phantom{$\mid$}~@{text "TAll xs::(name fset) T::ty"}\hspace{3mm}%
 \isacommand{binds (set+)} @{text xs} \isacommand{in} @{text T}\\
 \end{tabular}
 \end{tabular}}
 \]\smallskip
 \hspace{5mm}$\mid$~@{text "bn(ACons' x y t as) = [atom x] @ bn(as)"}\\
 \end{tabular}}
 \end{equation}\smallskip
 \noindent
-In this example the term constructor @{text "ACons'"} contains a binding
+In this example the term constructor @{text "ACons'"} has four arguments and
-clause, and also is used in the definition of the binding function. The
+contains a binding clause. This constructor is also used in the definition
-restriction we have to impose is that the binding function can only return
+of the binding function. The restriction we have to impose is that the
-free atoms, that is the ones that are not mentioned in a binding clause.
+binding function can only return free atoms, that is the ones that are not
-Therefore @{text "y"} cannot be used in the binding function @{text "bn"}
+mentioned in a binding clause.  Therefore @{text "y"} cannot be used in the
-(since it is bound in @{text "ACons'"} by the binding clause), but @{text x}
+binding function @{text "bn"} (since it is bound in @{text "ACons'"} by the
-can (since it is a free atom). This restriction is sufficient for lifting
+binding clause), but @{text x} can (since it is a free atom). This
-the binding function to alpha-equated terms. If we would permit that @{text "bn"}
+restriction is sufficient for lifting the binding function to alpha-equated
-can also return @{text "y"}, then it would not be respectful and therefore
+terms. If we would permit that @{text "bn"} can also return @{text "y"},
-cannot be lifted.
+then it would not be respectful and therefore cannot be lifted.
 In the version of Nominal Isabelle described here, we also adopted the
 restriction from the Ott-tool that binding functions can only return: the
 empty set or empty list (as in case @{text ANil'}), a singleton set or
 singleton list containing an atom (case @{text PVar} in \eqref{letpat}), or
 {@{text "prems(bc\<^isub>1) \<dots> prems(bc\<^isub>k)"}}}
 \]\smallskip
 \noindent
 The task below is to specify what the premises corresponding to a binding
-clause are. To understand better whet the general pattern is, let us first
+clause are. To understand better what the general pattern is, let us first
 treat the special instance where @{text "bc\<^isub>i"} is the empty binding clause
 of the form
 \[
 \mbox{\isacommand{binds (set)} @{term "{}"} \isacommand{in} @{text "d\<^isub>1\<dots>d\<^isub>q"}.}
 \]\smallskip
 \noindent
-In this binding clause no atom is bound and we only have to `alpha-relate' the bodies. For this
+In this binding clause no atom is bound and we only have to `alpha-relate'
-we build first the tuples @{text "D \<equiv> (d\<^isub>1,\<dots>, d\<^isub>q)"} and @{text "D' \<equiv> (d\<PRIME>\<^isub>1,\<dots>, d\<PRIME>\<^isub>q)"}
+the bodies. For this we build first the tuples @{text "D \<equiv> (d\<^isub>1,\<dots>,
-whereby the labels @{text "d"}$_{1..q}$ refer to arguments @{text "z"}$_{1..n}$ and
+d\<^isub>q)"} and @{text "D' \<equiv> (d\<PRIME>\<^isub>1,\<dots>, d\<PRIME>\<^isub>q)"}
-respectively @{text "d\<PRIME>"}$_{1..q}$ to @{text "z\<PRIME>"}$_{1..n}$. In order to relate
+whereby the labels @{text "d"}$_{1..q}$ refer to the arguments @{text
-two such tuples we define the compound alpha-equivalence relation @{text "R"} as follows
+"z"}$_{1..n}$ and respectively @{text "d\<PRIME>"}$_{1..q}$ to @{text
+"z\<PRIME>"}$_{1..n}$ of the term-constructor. In order to relate two such
+tuples we define the compound alpha-equivalence relation @{text "R"} as
+follows
 \begin{equation}\label{rempty}
 \mbox{@{text "R \<equiv> (R\<^isub>1,\<dots>, R\<^isub>q)"}}
-\end{equation}
+\end{equation}\smallskip
 \noindent
-with @{text "R\<^isub>i"} being @{text "\<approx>ty\<^isub>i"} if the corresponding labels @{text "d\<^isub>i"} and
+with @{text "R\<^isub>i"} being @{text "\<approx>ty\<^isub>i"} if the corresponding
-@{text "d\<PRIME>\<^isub>i"} refer
+labels @{text "d\<^isub>i"} and @{text "d\<PRIME>\<^isub>i"} refer to a
-to a recursive argument of @{text C} with type @{text "ty\<^isub>i"}; otherwise
+recursive argument of @{text C} with type @{text "ty\<^isub>i"}; otherwise
-we take @{text "R\<^isub>i"} to be the equality @{text "="}. This lets us define
+we take @{text "R\<^isub>i"} to be the equality @{text "="}. Again the
-the premise for an empty binding clause succinctly as @{text "prems(bc\<^isub>i) \<equiv> D R D'"},
+latter is because @{text "ty\<^isub>i"} is not part of the specified types
-which can be unfolded to the series of premises
+and alpha-equivalence of any previously defined type is supposed to coincide
+with equality.  This lets us now define the premise for an empty binding
-\begin{center}
+clause succinctly as @{text "prems(bc\<^isub>i) \<equiv> D R D'"}, which can be
+unfolded to the series of premises
+\[
 @{text "d\<^isub>1 R\<^isub>1 d\<PRIME>\<^isub>1  \<dots> d\<^isub>q R\<^isub>q d\<PRIME>\<^isub>q"}.
-\end{center}
+\]\smallskip
 \noindent
 We will use the unfolded version in the examples below.
 Now suppose the binding clause @{text "bc\<^isub>i"} is of the general form
 \begin{equation}\label{nonempty}
 \mbox{\isacommand{binds (set)} @{text "b\<^isub>1\<dots>b\<^isub>p"} \isacommand{in} @{text "d\<^isub>1\<dots>d\<^isub>q"}.}
-\end{equation}
+\end{equation}\smallskip
 \noindent
 In this case we define a premise @{text P} using the relation
 $\approx_{\,\textit{set}}$ given in Section~\ref{sec:binders} (similarly
 $\approx_{\,\textit{set+}}$ and $\approx_{\,\textit{list}}$ for the other
 @{text "D'"} for the bodies @{text "d"}$_{1..q}$, and the corresponding
 compound alpha-relation @{text "R"} (shown in \eqref{rempty}).
 For $\approx_{\,\textit{set}}$  we also need
 a compound free-atom function for the bodies defined as
-\begin{center}
+\[
 \mbox{@{text "fa \<equiv> (fa_ty\<^isub>1,\<dots>, fa_ty\<^isub>q)"}}
-\end{center}
+\]\smallskip
 \noindent
 with the assumption that the @{text "d"}$_{1..q}$ refer to arguments of types @{text "ty"}$_{1..q}$.
 The last ingredient we need are the sets of atoms bound in the bodies.
 For this we take
-\begin{center}
+\[
 @{text "B \<equiv> bn_ty\<^isub>1 b\<^isub>1 \<union> \<dots> \<union> bn_ty\<^isub>p b\<^isub>p"}\;.\\
-\end{center}
+\]\smallskip
 \noindent
 Similarly for @{text "B'"} using the labels @{text "b\<PRIME>"}$_{1..p}$. This
 lets us formally define the premise @{text P} for a non-empty binding clause as:
-\begin{center}
+\[
 \mbox{@{term "P \<equiv> alpha_set_ex (B, D) R fa (B', D')"}}\;.
-\end{center}
+\]\smallskip
 \noindent
 This premise accounts for alpha-equivalence of the bodies of the binding
-clause.
+clause. However, in case the binders have non-recursive deep binders, this
-However, in case the binders have non-recursive deep binders, this premise
+premise is not enough: we also have to ``propagate'' alpha-equivalence
-is not enough:
+inside the structure of these binders. An example is @{text "Let"} where we
-we also have to ``propagate'' alpha-equivalence inside the structure of
+have to make sure the right-hand sides of assignments are
-these binders. An example is @{text "Let"} where we have to make sure the
+alpha-equivalent. For this we use relations @{text "\<approx>bn"}$_{1..m}$ (which we
-right-hand sides of assignments are alpha-equivalent. For this we use
+will formally define shortly).  Let us assume the non-recursive deep binders
-relations @{text "\<approx>bn"}$_{1..m}$ (which we will formally define shortly).
+in @{text "bc\<^isub>i"} are
-Let us assume the non-recursive deep binders in @{text "bc\<^isub>i"} are
+\[
-\begin{center}
 @{text "bn\<^isub>1 l\<^isub>1, \<dots>, bn\<^isub>r l\<^isub>r"}.
-\end{center}
+\]\smallskip
 \noindent
-The tuple @{text L} is then @{text "(l\<^isub>1,\<dots>,l\<^isub>r)"} (similarly @{text "L'"})
+The tuple @{text L} consists then of all these binders @{text "(l\<^isub>1,\<dots>,l\<^isub>r)"}
-and the compound equivalence relation @{text "R'"} is @{text "(\<approx>bn\<^isub>1,\<dots>,\<approx>bn\<^isub>r)"}.
+(similarly @{text "L'"}) and the compound equivalence relation @{text "R'"}
-All premises for @{text "bc\<^isub>i"} are then given by
+is @{text "(\<approx>bn\<^isub>1,\<dots>,\<approx>bn\<^isub>r)"}.  All premises for @{text "bc\<^isub>i"} are then given by
-\begin{center}
+\[
 @{text "prems(bc\<^isub>i) \<equiv> P  \<and>   L R' L'"}
-\end{center}
+\]\smallskip
 \noindent
 The auxiliary alpha-equivalence relations @{text "\<approx>bn"}$_{1..m}$
 in @{text "R'"} are defined as follows: assuming a @{text bn}-clause is of the form
-\begin{center}
+\[
 @{text "bn (C z\<^isub>1 \<dots> z\<^isub>s) = rhs"}
-\end{center}
+\]\smallskip
 \noindent
 where the @{text "z"}$_{1..s}$ are of types @{text "ty"}$_{1..s}$,
 then the corresponding alpha-equivalence clause for @{text "\<approx>bn"} has the form
-\begin{center}
+\[
 \mbox{\infer{@{text "C z\<^isub>1 \<dots> z\<^isub>s \<approx>bn C z\<PRIME>\<^isub>1 \<dots> z\<PRIME>\<^isub>s"}}
 {@{text "z\<^isub>1 R\<^isub>1 z\<PRIME>\<^isub>1 \<dots> z\<^isub>s R\<^isub>s z\<PRIME>\<^isub>s"}}}
-\end{center}
+\]\smallskip
 \noindent
 In this clause the relations @{text "R"}$_{1..s}$ are given by
-\begin{center}
+\[\mbox{
 \begin{tabular}{c@ {\hspace{2mm}}p{0.9\textwidth}}
 $\bullet$ & @{text "z\<^isub>i \<approx>ty z\<PRIME>\<^isub>i"} provided @{text "z\<^isub>i"} does not occur in @{text rhs} and
-is a recursive argument of @{text C},\\
+is a recursive argument of @{text C},\smallskip\\
 $\bullet$ & @{text "z\<^isub>i = z\<PRIME>\<^isub>i"} provided @{text "z\<^isub>i"} does not occur in @{text rhs}
-and is a non-recursive argument of @{text C},\\
+and is a non-recursive argument of @{text C},\smallskip\\
 $\bullet$ & @{text "z\<^isub>i \<approx>bn\<^isub>i z\<PRIME>\<^isub>i"} provided @{text "z\<^isub>i"} occurs in @{text rhs}
-with the recursive call @{text "bn\<^isub>i x\<^isub>i"} and\\
+with the recursive call @{text "bn\<^isub>i x\<^isub>i"} and\smallskip\\
 $\bullet$ & @{text True} provided @{text "z\<^isub>i"} occurs in @{text rhs} but without a
 recursive call.
-\end{tabular}
+\end{tabular}}
-\end{center}
+\]\smallskip
 \noindent
 This completes the definition of alpha-equivalence. As a sanity check, we can show
 that the premises of empty binding clauses are a special case of the clauses for
 non-empty ones (we just have to unfold the definition of $\approx_{\,\textit{set}}$ and take @{text "0"}
 Again let us take a look at a concrete example for these definitions. For \eqref{letrecs}
 we have three relations $\approx_{\textit{trm}}$, $\approx_{\textit{assn}}$ and
 $\approx_{\textit{bn}}$ with the following clauses:
-\begin{center}
+\[\mbox{
 \begin{tabular}{@ {}c @ {}}
 \infer{@{text "Let as t \<approx>\<^bsub>trm\<^esub> Let as' t'"}}
-{@{term "alpha_lst_ex (bn as, t) alpha_trm fa_trm (bn as', t')"} & @{text "as \<approx>\<^bsub>bn\<^esub> as'"}}\smallskip\\
+{@{term "alpha_lst_ex (bn as, t) alpha_trm fa_trm (bn as', t')"} &
+\hspace{5mm}@{text "as \<approx>\<^bsub>bn\<^esub> as'"}}\\
+\\
 \makebox[0mm]{\infer{@{text "Let_rec as t \<approx>\<^bsub>trm\<^esub> Let_rec as' t'"}}
-{@{term "alpha_lst_ex (bn as, ast) alpha_trm2 fa_trm2 (bn as', ast')"}}}
+{@{term "alpha_lst_ex (bn as, ast) alpha_trm2 fa_trm2 (bn as', ast')"}}}\\
-\end{tabular}
+\\
-\end{center}
-\begin{center}
 \begin{tabular}{@ {}c @ {}}
 \infer{@{text "ANil \<approx>\<^bsub>assn\<^esub> ANil"}}{}\hspace{9mm}
 \infer{@{text "ACons a t as \<approx>\<^bsub>assn\<^esub> ACons a' t' as"}}
-{@{text "a = a'"} & @{text "t \<approx>\<^bsub>trm\<^esub> t'"} & @{text "as \<approx>\<^bsub>assn\<^esub> as'"}}
+{@{text "a = a'"} & \hspace{5mm}@{text "t \<approx>\<^bsub>trm\<^esub> t'"} & \hspace{5mm}@{text "as \<approx>\<^bsub>assn\<^esub> as'"}}
-\end{tabular}
+\end{tabular}\\
-\end{center}
+\\
-\begin{center}
 \begin{tabular}{@ {}c @ {}}
 \infer{@{text "ANil \<approx>\<^bsub>bn\<^esub> ANil"}}{}\hspace{9mm}
 \infer{@{text "ACons a t as \<approx>\<^bsub>bn\<^esub> ACons a' t' as"}}
-{@{text "t \<approx>\<^bsub>trm\<^esub> t'"} & @{text "as \<approx>\<^bsub>bn\<^esub> as'"}}
+{@{text "t \<approx>\<^bsub>trm\<^esub> t'"} & \hspace{5mm}@{text "as \<approx>\<^bsub>bn\<^esub> as'"}}
 \end{tabular}
-\end{center}
+\end{tabular}}
+\]\smallskip
 \noindent
 Note the difference between  $\approx_{\textit{assn}}$ and
 $\approx_{\textit{bn}}$: the latter only ``tracks'' alpha-equivalence of
 the components in an assignment that are \emph{not} bound. This is needed in the
 *}
 section {* Establishing the Reasoning Infrastructure *}
 text {*
-Having made all necessary definitions for raw terms, we can start
+Having made all necessary definitions for raw terms, we can start with
-with establishing the reasoning infrastructure for the alpha-equated types
+establishing the reasoning infrastructure for the alpha-equated types @{text
-@{text "ty\<AL>"}$_{1..n}$, that is the types the user originally specified. We sketch
+"ty\<AL>"}$_{1..n}$, that is the types the user originally specified. We
-in this section the proofs we need for establishing this infrastructure. One
+give in this section and the next the proofs we need for establishing this
-main point of our work is that we have completely automated these proofs in Isabelle/HOL.
+infrastructure. One main point of our work is that we have completely
+automated these proofs in Isabelle/HOL.
-First we establish that the
-alpha-equivalence relations defined in the previous section are
+First we establish that the free-variable functions, the binding functions and the
+alpha-equivalences are equivariant.
+\begin{lem}\mbox{}\\
+@{text "(i)"} The functions @{text "fa_ty"}$_{1..n}$, @{text "fa_bn"}$_{1..m}$ and
+@{text "bn"}$_{1..m}$ are equivariant.\\
+@{text "(ii)"} The relations @{text "\<approx>ty"}$_{1..n}$ and
+@{text "\<approx>bn"}$_{1..m}$ are equivariant.
+\end{lem}
+\begin{proof}
+The function package of Isabelle/HOL allows us to prove the first part is by mutual
+induction over the definitions of the functions. The second is by a straightforward
+induction over the rules of @{text "\<approx>ty"}$_{1..n}$ and @{text "\<approx>bn"}$_{1..m}$ using
+the first part.
+\end{proof}
+\noindent
+Next we establish that the alpha-equivalence relations defined in the
+previous section are equivalence relations.
+\begin{lem}\label{equiv}
+The relations @{text "\<approx>ty"}$_{1..n}$ and @{text "\<approx>bn"}$_{1..m}$ are
 equivalence relations.
-\begin{lem}\label{equiv}
-Given the raw types @{text "ty"}$_{1..n}$ and binding functions
-@{text "bn"}$_{1..m}$, the relations @{text "\<approx>ty"}$_{1..n}$ and
-@{text "\<approx>bn"}$_{1..m}$ are equivalence relations. and equivariant.
 \end{lem}
 \begin{proof}
 The proof is by mutual induction over the definitions. The non-trivial
 cases involve premises built up by $\approx_{\textit{set}}$,
 $\approx_{\textit{set+}}$ and $\approx_{\textit{list}}$. They
-can be dealt with as in Lemma~\ref{alphaeq}.
+can be dealt with as in Lemma~\ref{alphaeq}. However, the transitivity
+case needs in addition the fact that the relations are equivariant.
 \end{proof}
 \noindent
 We can feed this lemma into our quotient package and obtain new types @{text
 "ty"}$^\alpha_{1..n}$ representing alpha-equated terms of types @{text "ty"}$_{1..n}$.
 We also obtain definitions for the term-constructors @{text
-"C"}$^\alpha_{1..k}$ from the raw term-constructors @{text
+"C"}$^\alpha_{1..k}$ from the raw term-constructors @{text "C"}$_{1..k}$,
-"C"}$_{1..k}$, and similar definitions for the free-atom functions @{text
+and similar definitions for the free-atom functions @{text
-"fa_ty"}$^\alpha_{1..n}$ and @{text "fa_bn"}$^\alpha_{1..m}$ as well as the binding functions @{text
+"fa_ty"}$^\alpha_{1..n}$ and @{text "fa_bn"}$^\alpha_{1..m}$ as well as the
-"bn"}$^\alpha_{1..m}$. However, these definitions are not really useful to the
+binding functions @{text "bn"}$^\alpha_{1..m}$. For this we have to show
+by induction over the definitions of alpha-equivalences that the ``raw''
+functions are respectful. This means we need to establish that
+\[\mbox{
+\begin{tabular}{lll}
+@{text "x \<approx>ty\<^isub>i x'"} & implies & @{text "fa_ty\<^isub>i x = fa_ty\<^isub>i x'"}\\
+@{text "x \<approx>ty\<^isub>l x'"} & implies & @{text "fa_bn\<^isub>j x = fa_bn\<^isub>j x'"}\\
+@{text "x \<approx>ty\<^isub>l x'"} & implies & @{text "bn\<^isub>j x = bn\<^isub>j x'"}\\
+\end{tabular}
+}\]\smallskip
+\noindent
+holds whereby @{text "ty\<^isub>l"} is the type over which @{text "bn\<^isub>j"} is defined. A
+similar property is needed for the constructors @{text "C"}$_{1..k}$. In order
+to establish it we need to prove that
+\[\mbox{
+\begin{tabular}{lll}
+@{text "x \<approx>ty\<^isub>l x'"} & implies & @{text "x \<approx>bn\<^isub>j x'"}\\
+\end{tabular}
+}\]\smallskip
+\noindent
+The respectfulness properties are crucial, ... ???
+However, these definitions are not really useful to the
 user, since they are given in terms of the isomorphisms we obtained by
 creating new types in Isabelle/HOL (recall the picture shown in the
 Introduction).
 The first useful property for the user is the fact that distinct
 term-constructors are not
 equal, that is
-\begin{equation}\label{distinctalpha}
+\[\label{distinctalpha}
 \mbox{@{text "C"}$^\alpha$~@{text "x\<^isub>1 \<dots> x\<^isub>r"}~@{text "\<noteq>"}~%
 @{text "D"}$^\alpha$~@{text "y\<^isub>1 \<dots> y\<^isub>s"}}
-\end{equation}
+\]\smallskip
 \noindent
 whenever @{text "C"}$^\alpha$~@{text "\<noteq>"}~@{text "D"}$^\alpha$.
 In order to derive this fact, we use the definition of alpha-equivalence
 and establish that
-\begin{equation}\label{distinctraw}
+\[\label{distinctraw}
 \mbox{@{text "C x\<^isub>1 \<dots> x\<^isub>r"}\;$\not\approx$@{text ty}\;@{text "D y\<^isub>1 \<dots> y\<^isub>s"}}
-\end{equation}
+\]\smallskip
 \noindent
 holds for the corresponding raw term-constructors.
 In order to deduce \eqref{distinctalpha} from \eqref{distinctraw}, our quotient
 package needs to know that the raw term-constructors @{text "C"} and @{text "D"}
 result is that the lifting of the corresponding binding functions in Ott to alpha-equated
 terms is impossible.
 Having established respectfulness for the raw term-constructors, the
 quotient package is able to automatically deduce \eqref{distinctalpha} from
-\eqref{distinctraw}. Having the facts \eqref{fnresp} at our disposal, we can
+\eqref{distinctraw}. ??? Having the facts \eqref{fnresp} at our disposal, we can
 also lift properties that characterise when two raw terms of the form
-%
-\begin{center}
+\[
-@{text "C x\<^isub>1 \<dots> x\<^isub>r \<approx>ty C x\<PRIME>\<^isub>1 \<dots> x\<PRIME>\<^isub>r"}
+\mbox{@{text "C x\<^isub>1 \<dots> x\<^isub>r \<approx>ty C x\<PRIME>\<^isub>1 \<dots> x\<PRIME>\<^isub>r"}}
-\end{center}
+\]\smallskip
 \noindent
 are alpha-equivalent. This gives us conditions when the corresponding
 alpha-equated terms are \emph{equal}, namely
-\begin{center}
+\[
 @{text "C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>r = C\<^sup>\<alpha> x\<PRIME>\<^isub>1 \<dots> x\<PRIME>\<^isub>r"}.
-\end{center}
+\]\smallskip
 \noindent
 We call these conditions as \emph{quasi-injectivity}. They correspond to
 the premises in our alpha-equivalence relations.
 , which we already established
 in Lemma~\ref{equiv}.
 As a result we can add the equations
 \begin{equation}\label{calphaeqvt}
-@{text "p \<bullet> (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>r) = C\<^sup>\<alpha> (p \<bullet> x\<^isub>1) \<dots> (p \<bullet> x\<^isub>r)"}
+@{text "\<pi> \<bullet> (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>r) = C\<^sup>\<alpha> (\<pi> \<bullet> x\<^isub>1) \<dots> (\<pi> \<bullet> x\<^isub>r)"}
-\end{equation}
+\end{equation}\smallskip
 \noindent
 to our infrastructure. In a similar fashion we can lift the defining equations
 of the free-atom functions @{text "fn_ty\<AL>"}$_{1..n}$ and
 @{text "fa_bn\<AL>"}$_{1..m}$ as well as of the binding functions @{text
 for the types @{text "ty\<AL>"}$_{1..n}$. The conclusion of the induction principle is
 of the form
 \begin{equation}\label{weakinduct}
 \mbox{@{text "P\<^isub>1 x\<^isub>1 \<and> \<dots> \<and> P\<^isub>n x\<^isub>n "}}
-\end{equation}
+\end{equation} \smallskip
 \noindent
 whereby the @{text P}$_{1..n}$ are predicates and the @{text x}$_{1..n}$
 have types @{text "ty\<AL>"}$_{1..n}$. This induction principle has for each
 term constructor @{text "C"}$^\alpha$ a premise of the form
 \begin{equation}\label{weakprem}
 \mbox{@{text "\<forall>x\<^isub>1\<dots>x\<^isub>r. P\<^isub>i x\<^isub>i \<and> \<dots> \<and> P\<^isub>j x\<^isub>j \<Rightarrow> P (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>r)"}}
-\end{equation}
+\end{equation}\smallskip
 \noindent
 in which the @{text "x"}$_{i..j}$ @{text "\<subseteq>"} @{text "x"}$_{1..r}$ are
 the recursive arguments of @{text "C\<AL>"}.
 By working now completely on the alpha-equated level, we
 can first show that the free-atom functions and binding functions are
 equivariant, namely
-\begin{center}
+\[\mbox{
-\begin{tabular}{rcl@ {\hspace{10mm}}rcl}
+\begin{tabular}{rcl}
-@{text "p \<bullet> (fa_ty\<AL>\<^isub>i  x)"} & $=$ & @{text "fa_ty\<AL>\<^isub>i (p \<bullet> x)"} &
+@{text "\<pi> \<bullet> (fa_ty\<AL>\<^isub>i  x)"} & $=$ & @{text "fa_ty\<AL>\<^isub>i (\<pi> \<bullet> x)"}\\
-@{text "p \<bullet> (bn\<AL>\<^isub>j  x)"}    & $=$ & @{text "bn\<AL>\<^isub>j (p \<bullet> x)"}\\
+@{text "\<pi> \<bullet> (fa_bn\<AL>\<^isub>j  x)"} & $=$ & @{text "fa_bn\<AL>\<^isub>j (\<pi> \<bullet> x)"}\\
-@{text "p \<bullet> (fa_bn\<AL>\<^isub>j  x)"} & $=$ & @{text "fa_bn\<AL>\<^isub>j (p \<bullet> x)"}\\
+@{text "\<pi> \<bullet> (bn\<AL>\<^isub>j  x)"}    & $=$ & @{text "bn\<AL>\<^isub>j (\<pi> \<bullet> x)"}\\
-\end{tabular}
+\end{tabular}}
-\end{center}
+\]
-\noindent
-These properties can be established using the induction principle for the types @{text "ty\<AL>"}$_{1..n}$.
+\noindent
-in \eqref{weakinduct}.
+These properties can be established using the induction principle for the
-Having these equivariant properties established, we can
+types @{text "ty\<AL>"}$_{1..n}$.  in \eqref{weakinduct}.  Having these
-show that the support of term-constructors @{text "C\<^sup>\<alpha>"} is included in
+equivariant properties established, we can show that the support of
-the support of its arguments, that means
+term-constructors @{text "C\<^sup>\<alpha>"} is included in the support of its
+arguments, that means
-\begin{center}
+\[
 @{text "supp (C\<^sup>\<alpha> x\<^isub>1 \<dots> x\<^isub>r) \<subseteq> (supp x\<^isub>1 \<union> \<dots> \<union> supp x\<^isub>r)"}
-\end{center}
+\]\smallskip
 \noindent
 holds. This allows us to prove by induction that
 every @{text x} of type @{text "ty\<AL>"}$_{1..n}$ is finitely supported.
 This can be again shown by induction
 section {* Related Work\label{related} *}
 text {*
 To our knowledge the earliest usage of general binders in a theorem prover
-is described in \cite{NaraschewskiNipkow99} about a formalisation of the
+is described by Nara\-schew\-ski and Nipkow \cite{NaraschewskiNipkow99} with a
-algorithm W. This formalisation implements binding in type-schemes using a
+formalisation of the algorithm W. This formalisation implements binding in
-de-Bruijn indices representation. Since type-schemes in W contain only a single
+type-schemes using a de-Bruijn indices representation. Since type-schemes in
-place where variables are bound, different indices do not refer to different binders (as in the usual
+W contain only a single place where variables are bound, different indices
-de-Bruijn representation), but to different bound variables. A similar idea
+do not refer to different binders (as in the usual de-Bruijn
-has been recently explored for general binders in the locally nameless
+representation), but to different bound variables. A similar idea has been
-approach to binding \cite{chargueraud09}.  There, de-Bruijn indices consist
+recently explored for general binders by Chargu\'eraud in the locally nameless
-of two numbers, one referring to the place where a variable is bound, and the
+approach to
-other to which variable is bound. The reasoning infrastructure for both
+binding \cite{chargueraud09}.  There, de-Bruijn indices consist of two
-representations of bindings comes for free in theorem provers like Isabelle/HOL or
+numbers, one referring to the place where a variable is bound, and the other
-Coq, since the corresponding term-calculi can be implemented as ``normal''
+to which variable is bound. The reasoning infrastructure for both
-datatypes.  However, in both approaches it seems difficult to achieve our
+representations of bindings comes for free in theorem provers like
-fine-grained control over the ``semantics'' of bindings (i.e.~whether the
+Isabelle/HOL or Coq, since the corresponding term-calculi can be implemented
-order of binders should matter, or vacuous binders should be taken into
+as ``normal'' datatypes.  However, in both approaches it seems difficult to
-account). To do so, one would require additional predicates that filter out
+achieve our fine-grained control over the ``semantics'' of bindings
-unwanted terms. Our guess is that such predicates result in rather
+(i.e.~whether the order of binders should matter, or vacuous binders should
-intricate formal reasoning.
+be taken into account). To do so, one would require additional predicates
+that filter out unwanted terms. Our guess is that such predicates result in
+rather intricate formal reasoning. We are not aware of any non-trivial
+formalisation that uses Chargu\'eraud's idea.
 Another technique for representing binding is higher-order abstract syntax
-(HOAS). , which for example is implemented in the Twelf system.
+(HOAS), which for example is implemented in the Twelf system. This
-This representation
+representation technique supports very elegantly many aspects of
-technique supports very elegantly many aspects of \emph{single} binding, and
+\emph{single} binding, and impressive work by Lee et al has been done that
-impressive work has been done that uses HOAS for mechanising the metatheory
+uses HOAS for mechanising the metatheory of SML~\cite{LeeCraryHarper07}. We
-of SML~\cite{LeeCraryHarper07}. We are, however, not aware how multiple
+are, however, not aware how multiple binders of SML are represented in this
-binders of SML are represented in this work. Judging from the submitted
+work. Judging from the submitted Twelf-solution for the POPLmark challenge,
-Twelf-solution for the POPLmark challenge, HOAS cannot easily deal with
+HOAS cannot easily deal with binding constructs where the number of bound
-binding constructs where the number of bound variables is not fixed. For example
+variables is not fixed. For example In the second part of this challenge,
-In the second part of this challenge, @{text "Let"}s involve
+@{text "Let"}s involve patterns that bind multiple variables at once. In
-patterns that bind multiple variables at once. In such situations, HOAS
+such situations, HOAS seems to have to resort to the
-seems to have to resort to the iterated-single-binders-approach with
+iterated-single-binders-approach with all the unwanted consequences when
-all the unwanted consequences when reasoning about the resulting terms.
+reasoning about the resulting terms.
 Two formalisations involving general binders have been
 performed in older
 versions of Nominal Isabelle (one about Psi-calculi and one about algorithm W
 \cite{BengtsonParow09,UrbanNipkow09}).  Both
 use the approach based on iterated single binders. Our experience with
 the latter formalisation has been disappointing. The major pain arose from
 the need to ``unbind'' variables. This can be done in one step with our
 general binders described in this paper, but needs a cumbersome
 iteration with single binders. The resulting formal reasoning turned out to
-be rather unpleasant. The hope is that the extension presented in this paper
+be rather unpleasant.
-is a substantial improvement.
-The most closely related work to the one presented here is the Ott-tool
+The most closely related work to the one presented here is the Ott-tool by
-\cite{ott-jfp} and the C$\alpha$ml language \cite{Pottier06}. Ott is a nifty
+Sewell et al \cite{ott-jfp} and the C$\alpha$ml language by Pottier
-front-end for creating \LaTeX{} documents from specifications of
+\cite{Pottier06}. Ott is a nifty front-end for creating \LaTeX{} documents
-term-calculi involving general binders. For a subset of the specifications
+from specifications of term-calculi involving general binders. For a subset
-Ott can also generate theorem prover code using a raw representation of
+of the specifications Ott can also generate theorem prover code using a raw
-terms, and in Coq also a locally nameless representation. The developers of
+representation of terms, and in Coq also a locally nameless
-this tool have also put forward (on paper) a definition for
+representation. The developers of this tool have also put forward (on paper)
-alpha-equivalence of terms that can be specified in Ott.  This definition is
+a definition for alpha-equivalence and free variables for terms that can be
-rather different from ours, not using any nominal techniques.  To our
+specified in Ott.  This definition is rather different from ours, not using
-knowledge there is no concrete mathematical result concerning this
+any nominal techniques.  To our knowledge there is no concrete mathematical
-notion of alpha-equivalence.  Also the definition for the
+result concerning this notion of alpha-equivalence and free variables. We
-notion of free variables
+have proved that our definitions lead to alpha-equated terms, whose support
-is work in progress.
+is as expected (that means bound names are removed from the support). We
+also showed that our specifications lift from a raw type to a type of
-Although we were heavily inspired by the syntax of Ott,
+alpha-equivalence classes. For this we were able to establish then every
-its definition of alpha-equi\-valence is unsuitable for our extension of
+term-constructor and function is repectful w.r.t.~alpha-equivalence.
-Nominal Isabelle. First, it is far too complicated to be a basis for
-automated proofs implemented on the ML-level of Isabelle/HOL. Second, it
+Although we were heavily inspired by the syntax of Ott, its definition of
-covers cases of binders depending on other binders, which just do not make
+alpha-equi\-valence is unsuitable for our extension of Nominal
-sense for our alpha-equated terms. Third, it allows empty types that have no
+Isabelle. First, it is far too complicated to be a basis for automated
-meaning in a HOL-based theorem prover. We also had to generalise slightly Ott's
+proofs implemented on the ML-level of Isabelle/HOL. Second, it covers cases
-binding clauses. In Ott you specify binding clauses with a single body; we
+of binders depending on other binders, which just do not make sense for our
-allow more than one. We have to do this, because this makes a difference
+alpha-equated terms. Third, it allows empty types that have no meaning in a
-for our notion of alpha-equivalence in case of \isacommand{binds (set)} and
+HOL-based theorem prover. We also had to generalise slightly Ott's binding
-\isacommand{binds (set+)}.
+clauses. In Ott one specifies binding clauses with a single body; we allow
+more than one. We have to do this, because this makes a difference for our
-Consider the examples
+notion of alpha-equivalence in case of \isacommand{binds (set)} and
+\isacommand{binds (set+)}. Consider the examples
-\begin{center}
+\[\mbox{
 \begin{tabular}{@ {}l@ {\hspace{2mm}}l@ {}}
 @{text "Foo\<^isub>1 xs::name fset t::trm s::trm"} &
 \isacommand{binds (set)} @{text "xs"} \isacommand{in} @{text "t s"}\\
 @{text "Foo\<^isub>2 xs::name fset t::trm s::trm"} &
 \isacommand{binds (set)} @{text "xs"} \isacommand{in} @{text "t"},
 \isacommand{binds (set)} @{text "xs"} \isacommand{in} @{text "s"}\\
-\end{tabular}
+\end{tabular}}
-\end{center}
+\]\smallskip
 \noindent
-In the first term-constructor we have a single
+In the first term-constructor we have a single body that happens to be
-body that happens to be ``spread'' over two arguments; in the second term-constructor we have
+``spread'' over two arguments; in the second term-constructor we have two
-two independent bodies in which the same variables are bound. As a result we
+independent bodies in which the same variables are bound. As a result we
-have
+have\footnote{Assuming @{term "a \<noteq> b"}, there is no permutation that can
+make @{text "(a, b)"} equal with @{text "(a, b)"} and @{text "(b, a)"}, but
+there are two permutations so that we can make @{text "(a, b)"} and @{text
+"(a, b)"} equal with one permutation, and @{text "(a, b)"} and @{text "(b,
+a)"} with the other.}
-\begin{center}
+\[\mbox{
 \begin{tabular}{r@ {\hspace{1.5mm}}c@ {\hspace{1.5mm}}l}
 @{text "Foo\<^isub>1 {a, b} (a, b) (a, b)"} & $\not=$ &
-@{text "Foo\<^isub>1 {a, b} (a, b) (b, a)"}\\
+@{text "Foo\<^isub>1 {a, b} (a, b) (b, a)"}
+\end{tabular}}
+\]\smallskip
+\noindent
+but
+\[\mbox{
+\begin{tabular}{r@ {\hspace{1.5mm}}c@ {\hspace{1.5mm}}l}
 @{text "Foo\<^isub>2 {a, b} (a, b) (a, b)"} & $=$ &
 @{text "Foo\<^isub>2 {a, b} (a, b) (b, a)"}\\
-\end{tabular}
+\end{tabular}}
-\end{center}
+\]\smallskip
 \noindent
 and therefore need the extra generality to be able to distinguish between
-both specifications.
+both specifications.  Because of how we set up our definitions, we also had
-Because of how we set up our definitions, we also had to impose some restrictions
+to impose some restrictions (like a single binding function for a deep
-(like a single binding function for a deep binder) that are not present in Ott.
+binder) that are not present in Ott. Our expectation is that we can still
-Our
+cover many interesting term-calculi from programming language research, for
-expectation is that we can still cover many interesting term-calculi from
+example Core-Haskell. ???
-programming language research, for example Core-Haskell.
+Pottier presents a programming language, called C$\alpha$ml, for
-Pottier presents in \cite{Pottier06} a language, called C$\alpha$ml, for
+representing terms with general binders inside OCaml \cite{Pottier06}. This
-representing terms with general binders inside OCaml. This language is
+language is implemented as a front-end that can be translated to OCaml with
-implemented as a front-end that can be translated to OCaml with the help of
+the help of a library. He presents a type-system in which the scope of
-a library. He presents a type-system in which the scope of general binders
+general binders can be specified using special markers, written @{text
-can be specified using special markers, written @{text "inner"} and
+"inner"} and @{text "outer"}. It seems our and his specifications can be
-@{text "outer"}. It seems our and his specifications can be
+inter-translated as long as ours use the binding mode \isacommand{binds}
-inter-translated as long as ours use the binding mode
+only.  However, we have not proved this. Pottier gives a definition for
-\isacommand{binds} only.
-However, we have not proved this. Pottier gives a definition for
 alpha-equivalence, which also uses a permutation operation (like ours).
 Still, this definition is rather different from ours and he only proves that
-it defines an equivalence relation. A complete
+it defines an equivalence relation. A complete reasoning infrastructure is
-reasoning infrastructure is well beyond the purposes of his language.
+well beyond the purposes of his language. Similar work for Haskell with
-Similar work for Haskell with similar results was reported by Cheney \cite{Cheney05a}.
+similar results was reported by Cheney \cite{Cheney05a} and more recently
+by ???
-In a slightly different domain (programming with dependent types), the
-paper \cite{Altenkirch10} presents a calculus with a notion of
+In a slightly different domain (programming with dependent types),
-alpha-equivalence related to our binding mode \isacommand{binds (set+)}.
+Altenkirch et al present a calculus with a notion of alpha-equivalence
-The definition in \cite{Altenkirch10} is similar to the one by Pottier, except that it
+related to our binding mode \isacommand{binds (set+)} \cite{Altenkirch10}.
-has a more operational flavour and calculates a partial (renaming) map.
+Their definition is similar to the one by Pottier, except that it has a more
-In this way, the definition can deal with vacuous binders. However, to our
+operational flavour and calculates a partial (renaming) map. In this way,
-best knowledge, no concrete mathematical result concerning this
+the definition can deal with vacuous binders. However, to our best
-definition of alpha-equivalence has been proved.
+knowledge, no concrete mathematical result concerning this definition of
+alpha-equivalence has been proved.
 *}
 section {* Conclusion *}
 text {*
-Telsescopes by de Bruijn (AUTOMATH project does not provide an automatic infrastructure).
+%%Telsescopes by de Bruijn (AUTOMATH project does not provide an automatic infrastructure).
-We have presented an extension of Nominal Isabelle for dealing with
+We have presented an extension of Nominal Isabelle for dealing with general
-general binders, that is term-constructors having multiple bound
+binders, that is term-constructors having multiple bound variables. For this
-variables. For this extension we introduced new definitions of
+extension we introduced new definitions of alpha-equivalence and automated
-alpha-equivalence and automated all necessary proofs in Isabelle/HOL.
+all necessary proofs in Isabelle/HOL.  To specify general binders we used
-To specify general binders we used the specifications from Ott, but extended them
+the syntax from Ott, but extended it in some places and restricted
-in some places and restricted
+it in others so that they make sense in the context of alpha-equated
-them in others so that they make sense in the context of alpha-equated terms.
+terms. We also introduced two binding modes (set and set+) that do not exist
-We also introduced two binding modes (set and set+) that do not
+in Ott. We have tried out the extension with calculi such as Core-Haskell,
-exist in Ott.
+type-schemes and approximately a dozen of other typical examples from
-We have tried out the extension with calculi such as Core-Haskell, type-schemes
+programming language research~\cite{SewellBestiary}. The code will
-and approximately a  dozen of other typical examples from programming
+eventually become part of the next Isabelle distribution.\footnote{It
-language research~\cite{SewellBestiary}.
+can be downloaded already from the Mercurial repository linked at
-The code
-will eventually become part of the next Isabelle distribution.\footnote{For the moment
-it can be downloaded from the Mercurial repository linked at
 \href{http://isabelle.in.tum.de/nominal/download}
 {http://isabelle.in.tum.de/nominal/download}.}
 We have left out a discussion about how functions can be defined over
 alpha-equated terms involving general binders. In earlier versions of Nominal
 There are some restrictions we imposed in this paper that we would like to lift in
 future work. One is the exclusion of nested datatype definitions. Nested
 datatype definitions allow one to specify, for instance, the function kinds
 in Core-Haskell as @{text "TFun string (ty list)"} instead of the unfolded
 version @{text "TFun string ty_list"} (see Figure~\ref{nominalcorehas}). To
-achieve this, we need a slightly more clever implementation than we have at the moment.
+achieve this, we need more clever implementation than we have
+at the moment. However, really lifting this restriction will involve major
+work on the datatype package of Isabelle/HOL.
 A more interesting line of investigation is whether we can go beyond the
 simple-minded form of binding functions that we adopted from Ott. At the moment, binding
 functions can only return the empty set, a singleton atom set or unions
 of atom sets (similarly for lists). It remains to be seen whether
 properties like
-\begin{center}
+\[
-@{text "fa_ty x  =  bn x \<union> fa_bn x"}.
+\mbox{@{text "fa_ty x  =  bn x \<union> fa_bn x"}}
-\end{center}
+\]\smallskip
 \noindent
 allow us to support more interesting binding functions.
 We have also not yet played with other binding modes. For example we can
-imagine that there is need for a binding mode where instead of lists, we
+imagine that there is need for a binding mode where instead of usual lists,
-abstract lists of distinct elements.  Once we feel confident about such
+we abstract lists of distinct elements (the corresponding type @{text
-binding modes, our implementation can be easily extended to accommodate
+"dlist"} already exists in the library of Isabelle/HOL). We expect the
-them.\medskip
+presented work can be easily extended to accommodate them.\medskip
 \noindent
 {\bf Acknowledgements:} We are very grateful to Andrew Pitts for many
 discussions about Nominal Isabelle. We thank Peter Sewell for making the
 informal notes \cite{SewellBestiary} available to us and also for patiently

changeset 3010	e842807d8268
parent 3009	41c1e98c686f
child 3011	a33e96e62a2b