nominal2: comparison Pearl-jv/Paper.thy

equal deleted inserted replaced

-:651355113eee
+:f1192e3474e0
 imports "../Nominal/Nominal2_Base"
 "../Nominal/Atoms"
 "../Nominal/Nominal2_Abs"
 "LaTeXsugar"
 begin
+abbreviation
+UNIV_atom ("\<allatoms>")
+where
+"UNIV_atom \<equiv> UNIV::atom set"
 notation (latex output)
 sort_of ("sort _" [1000] 100) and
 Abs_perm ("_") and
 Rep_perm ("_") and
 If  ("if _ then _ else _" 10) and
 Rep_name ("\<lfloor>_\<rfloor>") and
 Abs_name ("\<lceil>_\<rceil>") and
 Rep_var ("\<lfloor>_\<rfloor>") and
 Abs_var ("\<lceil>_\<rceil>") and
 sort_of_ty ("sort'_ty _")
 (* BH: uncomment if you really prefer the dot notation
 syntax (latex output)
 "_Collect" :: "pttrn => bool => 'a set" ("(1{_ . _})")
 *)
 hide_const sort
 abbreviation
 "sort \<equiv> sort_of"
-abbreviation
+lemma infinite_collect:
-"sort_ty \<equiv> sort_of_ty"
+assumes "\<forall>x \<in> S. P x" "infinite S"
+shows "infinite {x \<in> S. P x}"
+using assms
+apply(subgoal_tac "infinite {x. x \<in> S}")
+apply(simp only: Inf_many_def[symmetric])
+apply(erule INFM_mono)
+apply(auto)
+done
 (*>*)
 section {* Introduction *}
 text {*
 Nominal Isabelle provides a proving infratructure for convenient reasoning
 about syntax involving binders, such as lambda terms or type schemes:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 @{text "\<lambda>x. t       \<forall>{x\<^isub>1,\<dots>, x\<^isub>n}. \<tau>"}
-\hfill\numbered{atomperm}
 \end{isabelle}
 \noindent
 At its core Nominal Isabelle is based on the nominal logic work by Pitts at
 al \cite{GabbayPitts02,Pitts03}, whose most basic notion is a
 type schemes. In order to be able to separate them, each kind of variables needs to be
 represented by a different sort of atoms.
 The nominal logic work has been the starting point for a number of proving
 infrastructures, most notable by Norrish \cite{norrish04} in HOL4, by
-Aydemir et al \cite{AydemirBohannonWeirich07} in Coq and teh work by Urban
+Aydemir et al \cite{AydemirBohannonWeirich07} in Coq and the work by Urban
 and Berghofer in Isabelle/HOL \cite{Urban08}. Its key attraction is a very
 general notion, called \emph{support}, for the `set of free variables, or
-atoms' of an object that applies not just to lambda terms and type schemes,
+atoms, of an object' that applies not just to lambda terms and type schemes,
-but also to sets, products, lists and even functions. The notion of support
+but also to sets, products, lists, booleans and even functions. The notion of support
-is derived from the permutation operation defined over atoms. This
+is derived from the permutation operation defined over the
-permutation operation, written @{text "_ \<bullet> _"}, has proved to be very
+hierarchy of types. This
+permutation operation, written @{text "_ \<bullet> _"}, has proved to be much more
 convenient for reasoning about syntax, in comparison to, say, arbitrary
-renaming substitutions of atoms. The reason is that permutations are
+renaming substitutions of atoms. One reason is that permutations are
 bijective renamings of atoms and thus they can be easily `undone'---namely
 by applying the inverse permutation. A corresponding inverse substitution
-might not exist in general, since renaming substitutions are only injective.
+might not always exist, since renaming substitutions are in general only injective.
-Permutations also preserve many constructions when reasoning about syntax.
+Another reason is that permutations preserve many constructions when reasoning about syntax.
-For example validity of a typing context is preserved under permutations.
+For example the validity of a typing context is preserved under any permutation.
 Suppose a typing context @{text "\<Gamma>"} of the form
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 @{text "x\<^isub>1:\<tau>\<^isub>1, \<dots>, x\<^isub>n:\<tau>\<^isub>n"}
 \end{isabelle}
 \noindent
 is said to be \emph{valid} provided none of its variables, or atoms, @{text "x\<^isub>i"}
 occur twice. Then validity is preserved under
 permutations in the sense that if @{text \<Gamma>} is valid then so is @{text "\<pi> \<bullet> \<Gamma>"} for
-all permutations @{text "\<pi>"}. This is \emph{not} the case for arbitrary
+all permutations @{text "\<pi>"}. This is again \emph{not} the case for arbitrary
-renaming substitutions, as they might identify some variables in @{text \<Gamma>}.
+renaming substitutions, as they might identify some of the @{text "x\<^isub>i"} in @{text \<Gamma>}.
-Permutations fit well with HOL's definitions. For example
+Permutations also behave uniformly with respect to HOL's logic connectives.
+Applying a permutation to a formula gives, for example
-Because
-of the good properties of permutations, we will be able to automate reasoning
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-steps determining when a construction in HOL is
+\begin{tabular}{@ {}lcl}
-\emph{equivariant}. By equivariance we mean the property that every
+@{term "\<pi> \<bullet> (A \<and> B)"} & if and only if & @{text "(\<pi> \<bullet> A) \<and> (\<pi> \<bullet> B)"}\\
-permutation leaves an object unchanged, that is @{term "\<forall>\<pi>. \<pi> \<bullet> x = x"}.
+@{term "\<pi> \<bullet> (A \<longrightarrow> B)"} & if and only if & @{text "(\<pi> \<bullet> A) \<longrightarrow> (\<pi> \<bullet> B)"}\\
-This will often simplify arguments involving the notion of support.
+\end{tabular}
+\end{isabelle}
-There are a number of subtle differences between the nominal logic work by Pitts
+\noindent
-and the one we will present in this paper. Nominal
+This uniform behaviour can also be extended to quantifiers and functions.
+Because of these good properties of permutations, we are able to automate
-In the nominal logic work, the `new quantifier' plays a prominent role.
+reasoning to do with \emph{equivariance}. By equivariance we mean the property
+that every permutation leaves an object unchanged, that is @{term "\<pi> \<bullet> x = x"}
+for all @{text "\<pi>"}. This will often simplify arguments involving support
+and functions, since equivariant objects have empty support---or
-Using a single atom type to represent atoms of different sorts and
+`no free atoms'.
-representing permutations as functions are not new ideas; see
-\cite{GunterOsbornPopescu09} \footnote{function rep.}  The main contribution
+There are a number of subtle differences between the nominal logic work by
-of this paper is to show an example of how to make better theorem proving
+Pitts and the formalisation we will present in this paper. One difference
-tools by choosing the right level of abstraction for the underlying
+is that our
-theory---our design choices take advantage of Isabelle's type system, type
+formalisation is compatible with HOL, in the sense that we only extend
-classes and reasoning infrastructure.  The novel technical contribution is a
+HOL by some definitions, withouth the introduction of any new axioms.
-mechanism for dealing with ``Church-style'' lambda-terms \cite{Church40} and
+The reason why the original nominal logic work is
-HOL-based languages \cite{PittsHOL4} where variables and variable binding
+incompatible with HOL has to do with the way how the finite support property
-depend on type annotations.
+is enforced: FM-set theory is defined in \cite{Pitts01b} so that every set
+in the FM-set-universe has finite support.  In nominal logic \cite{Pitts03},
-The paper is organised as follows\ldots
+the axioms (E3) and (E4) imply that every function symbol and proposition
+has finite support. However, there are notions in HOL that do \emph{not}
+have finite support (we will give some examples).  In our formalisation, we
+will avoid the incompatibility of the original nominal logic work by not a
+priory restricting our discourse to only finitely supported entities, rather
+we will explicitly assume this property whenever it is needed in proofs. One
+consequence is that we state our basic definitions not in terms of nominal
+sets (as done for example in \cite{Pitts06}), but in terms of the weaker
+notion of permutation types---essentially sets equipped with a ``sensible''
+notion of permutation operation.
+In the nominal logic woworkrk, the `new quantifier' plays a prominent role.
+$\new$
 Two binders
 *}
 section {* Sorted Atoms and Sort-Respecting Permutations *}
 text {*
-The two most basic notions in the nominal logic work are
+The two most basic notions in the nominal logic work are a countably
-sort-respecting permutation operation defined over a countably infinite
+infinite collection of sorted atoms and sort-respecting permutations.
-collection of sorted atoms.
+The existing nominal logic work usually leaves implicit
-The existing nominal logic work usually leaves implicit the sorting
+the sorting information for atoms and as far as we know leaves out a
-information for atoms and as far as we know leaves out a description of how
+description of how sorts are represented.  In our formalisation, we
-sorts are represented.  In our formalisation, we therefore have to make a
+therefore have to make a design decision about how to implement sorted atoms
-design decision about how to implement sorted atoms and sort-respecting
+and sort-respecting permutations. One possibility, which we described in
-permutations. One possibility, which we described in \cite{Urban08}, is to
+\cite{Urban08}, is to have separate types for the different sorts of
-have separate types for the different kinds of atoms, say types @{text
+atoms. However, we found that this does not blend well with type-classes in
-"\<alpha>\<^isub>1,\<dots>,\<alpha>\<^isub>n"}. However, this does not blend well with the
+Isabelle/HOL (see Section~\ref{related} about related work).  Therefore we use here a
-resoning infrastructure of type-classes in Isabelle/HOL (see Section ???
+single unified atom type to represent atoms of different sorts. A basic
-about related work).  Therefore we use here a single unified atom type to
+requirement is that there must be a countably infinite number of atoms of
-represent atoms of different sorts. A basic requirement is that there must
+each sort.  This can be implemented as the datatype
-be a countably infinite number of atoms of each sort.  This can be
-implemented as the datatype
 *}
 datatype atom\<iota> = Atom\<iota> string nat
 text {*
 \noindent
 whereby the string argument specifies the sort of the atom.\footnote{A
 similar design choice was made by Gunter et al \cite{GunterOsbornPopescu09}
 for their variables.}  The use of type \emph{string} for sorts is merely for
-convenience; any countably infinite type would work as well. We have an
+convenience; any countably infinite type would work as well.
-auxiliary function @{text sort} that is defined as
+The set of all atoms we shall write as @{term "UNIV::atom set"}.
+We have two
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+auxiliary functions @{text sort} and @{const nat_of} that are defined as
-@{thm sort_of.simps[no_vars, THEN eq_reflection]}
-\end{isabelle}
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
-\noindent
+@{thm (lhs) sort_of.simps[no_vars]} & @{text "\<equiv>"} & @{thm (rhs) sort_of.simps[no_vars]}\\
-and we clearly have for every finite set @{text S}
+@{thm (lhs) nat_of.simps[no_vars]} & @{text "\<equiv>"}  & @{thm (rhs) nat_of.simps[no_vars]}
+\end{tabular}\hfill\numbered{sortnatof}
+\end{isabelle}
+\noindent
+We clearly have for every finite set @{text S}
 of atoms and every sort @{text s} the property:
 \begin{proposition}\label{choosefresh}\mbox{}\\
 @{text "For a finite set of atoms S, there exists an atom a such that
 sort a = s and a \<notin> S"}.
 For implementing sort-respecting permutations, we use functions of type @{typ
 "atom => atom"} that @{text "i)"} are bijective; @{text "ii)"} are the
 identity on all atoms, except a finite number of them; and @{text "iii)"} map
 each atom to one of the same sort. These properties can be conveniently stated
-for a function @{text \<pi>} as follows:
+in Isabelle/HOL for a function @{text \<pi>} as follows:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{r@ {\hspace{4mm}}l}
 i)   & @{term "bij \<pi>"}\\
 ii)  & @{term "finite {a. \<pi> a \<noteq> a}"}\\
 @{text [display,indent=10] "(_ _) :: atom \<Rightarrow> atom \<Rightarrow> perm"}
 \noindent
 but since permutations are required to respect sorts, we must carefully
 consider what happens if a user states a swapping of atoms with different
-sorts.  In early versions of Nominal Isabelle, we avoided this problem by
+sorts.  The following definition\footnote{To increase legibility, we omit
-using different types for different sorts; the type system prevented users
+here and in what follows the @{term Rep_perm} and @{term "Abs_perm"}
-from stating ill-sorted swappings.  Here, however, definitions such
+wrappers that are needed in our implementation since we defined permutation
-as\footnote{To increase legibility, we omit here and in what follows the
+not to be the full function space, but only those functions of type @{typ
-@{term Rep_perm} and @{term "Abs_perm"} wrappers that are needed in our
+perm} satisfying properties @{text i}-@{text "iii"} in \eqref{permtype}.}
-implementation since we defined permutation not to be the full function space,
-but only those functions of type @{typ perm} satisfying properties @{text
-i}-@{text "iii"}.}
 @{text [display,indent=10] "(a b) \<equiv> \<lambda>c. if a = c then b else (if b = c then a else c)"}
 \noindent
-do not work in general, because the type system does not prevent @{text a}
+does not work in general, because @{text a} and @{text b} may have different
-and @{text b} from having different sorts---in which case the function would
+sorts---in which case the function would violate property @{text iii} in \eqref{permtype}.  We
-violate property @{text iii}.  We could make the definition of swappings
+could make the definition of swappings partial by adding the precondition
-partial by adding the precondition @{term "sort a = sort b"},
+@{term "sort a = sort b"}, which would mean that in case @{text a} and
-which would mean that in case @{text a} and @{text b} have different sorts,
+@{text b} have different sorts, the value of @{text "(a b)"} is unspecified.
-the value of @{text "(a b)"} is unspecified.  However, this looked like a
+However, this looked like a cumbersome solution, since sort-related side
-cumbersome solution, since sort-related side conditions would be required
+conditions would be required everywhere, even to unfold the definition.  It
-everywhere, even to unfold the definition.  It turned out to be more
+turned out to be more convenient to actually allow the user to state
-convenient to actually allow the user to state `ill-sorted' swappings but
+`ill-sorted' swappings but limit their `damage' by defaulting to the
-limit their `damage' by defaulting to the identity permutation in the
+identity permutation in the ill-sorted case:
-ill-sorted case:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}rl}
 @{text "(a b) \<equiv>"} & @{text "if (sort a = sort b)"}\\
 & \hspace{3mm}@{text "then \<lambda>c. if a = c then b else (if b = c then a else c)"}\\
 This function is bijective, the identity on all atoms except
 @{text a} and @{text b}, and sort respecting. Therefore it is
 a function in @{typ perm}.
 One advantage of using functions as a representation for
-permutations is that for example the swappings
+permutations is that it is unique. For example the swappings
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm swap_commute[no_vars]}\hspace{10mm}
 @{text "(a a) = id"}
 \end{tabular}\hfill\numbered{swapeqs}
 \end{isabelle}
 \noindent
-are \emph{equal}.  Therfore we can use for permutations HOL's built-in
+are \emph{equal}. Another advantage of the function representation is that
-principle of `replacing equals by equals in any context'. Another advantage
+they form a (non-com\-mu\-ta\-tive) group provided we define
-of the function representation is that they form a (non-commutative) group
-provided we define
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+\begin{tabular}{@ {}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l@ {\hspace{10mm}}r@ {\hspace{2mm}}c@ {\hspace{2mm}}l}
+@{thm (lhs) zero_perm_def[no_vars]} & @{text "\<equiv>"} & @{thm (rhs) zero_perm_def[no_vars]} &
+@{thm (lhs) plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2"]} & @{text "\<equiv>"} &
+@{thm (rhs) plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2"]}\\
+@{thm (lhs) uminus_perm_def[where p="\<pi>"]} & @{text "\<equiv>"} & @{thm (rhs) uminus_perm_def[where p="\<pi>"]} &
+@{thm (lhs) minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]} & @{text "\<equiv>"} &
+@{thm (rhs) minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]}
+\end{tabular}\hfill\numbered{groupprops}
+\end{isabelle}
+\noindent
+and verify the four simple properties
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
-@{thm zero_perm_def[no_vars, THEN eq_reflection]} \hspace{5mm}
+@{thm add_assoc[where a="\<pi>\<^isub>1" and b="\<pi>\<^isub>2" and c="\<pi>\<^isub>3"]}\\
-@{thm plus_perm_def[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2", THEN eq_reflection]} \hspace{5mm}
+@{thm monoid_add_class.add_0_left[where a="\<pi>::perm"]} \hspace{9mm}
-@{thm uminus_perm_def[where p="\<pi>", THEN eq_reflection]} \hspace{5mm}
+@{thm monoid_add_class.add_0_right[where a="\<pi>::perm"]} \hspace{9mm}
-@{thm minus_perm_def[where ?p1.0="\<pi>\<^isub>1" and ?p2.0="\<pi>\<^isub>2"]}
-\end{tabular}
-\end{isabelle}
-\noindent
-and verify the simple properties
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{thm add_assoc[where a="\<pi>\<^isub>1" and b="\<pi>\<^isub>2" and c="\<pi>\<^isub>3"]} \hspace{5mm}
-@{thm monoid_add_class.add_0_left[where a="\<pi>::perm"]} \hspace{5mm}
-@{thm monoid_add_class.add_0_right[where a="\<pi>::perm"]} \hspace{5mm}
 @{thm group_add_class.left_minus[where a="\<pi>::perm"]}
 \end{tabular}
 \end{isabelle}
 \noindent
 composition of permutations is not commutative in general, because @{text
 "\<pi>\<^sub>1 + \<pi>\<^sub>2 \<noteq>  \<pi>\<^sub>2 + \<pi>\<^sub>1"}.  But since the point of this paper is to implement the
 nominal theory as smoothly as possible in Isabelle/HOL, we tolerate
 the non-standard notation in order to reuse the existing libraries.
-In order to reason abstractly about permutations, we state the following two
+In order to reason abstractly about permutations, we use Isabelle/HOL's
-\emph{permutation properties}
+type classes~\cite{Wenzel04} and state the following two
+\emph{permutation properties}:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}r@ {\hspace{4mm}}p{10cm}}
 i) & @{thm permute_zero[no_vars]}\\
 ii) & @{thm permute_plus[where p="\<pi>\<^isub>1" and q="\<pi>\<^isub>2",no_vars]}
 \end{tabular}\hfill\numbered{newpermprops}
 \end{isabelle}
 \noindent
-We state these properties in terms of Isabelle/HOL's type class
+The use of type classes allows us to delegate much of the routine resoning involved in
-mechanism \cite{}.
+determining whether these properties are satisfied to Isabelle/HOL's type system:
-This allows us to delegate much of the resoning involved in
+we only have to establish that `base' types, such as @{text booleans} and
-determining whether these properties are satisfied to the type system.
+@{text atoms}, satisfy them and that type-constructors, such as products and lists,
-For this we define
+preserve them.  For this we define
-\begin{definition}
+\begin{definition}[Permutation type]
 A type @{text "\<beta>"} is a \emph{permutation type} if the permutation
 properties in \eqref{newpermprops} are satisfied for every @{text "x"} of type
 @{text "\<beta>"}.
 \end{definition}
 \noindent
-The type class also allows us to establish generic lemmas involving the
+The type classes also allows us to establish generic lemmas involving the
 permutation operation. First, it follows from the laws governing
 groups that a permutation and its inverse cancel each other.  That is, for any
 @{text "x"} of a permutation type:
 @{thm permute_minus_cancel(2)[where p="\<pi>", no_vars]}
 \end{tabular}\hfill\numbered{cancel}
 \end{isabelle}
 \noindent
-??? Proof
 Consequently, in a permutation type the permutation operation @{text "\<pi> \<bullet> _"}~~is bijective,
 which in turn implies the property
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm (lhs) permute_eq_iff[where p="\<pi>", no_vars]}
 $\;$if and only if$\;$
 @{thm (rhs) permute_eq_iff[where p="\<pi>", no_vars]}.
 \end{tabular}\hfill\numbered{permuteequ}
 \end{isabelle}
-\noindent
-We can also show that the following property holds for any permutation type.
-\begin{lemma}\label{permutecompose}
-Given @{term x} is of permutation type, then
-@{text "\<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x) = (\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}.
-\end{lemma}
-\begin{proof} The proof is as follows:
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}[b]{@ {}rcl@ {\hspace{8mm}}l}
-@{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> x"}
-& @{text "="} & @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> (-\<pi>\<^isub>1) \<bullet> \<pi>\<^isub>1 \<bullet> x"} & by \eqref{cancel}\\
-& @{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2 - \<pi>\<^isub>1) \<bullet> \<pi>\<^isub>1 \<bullet> x"}  & by {\rm(\ref{newpermprops}.@{text "ii"})}\\
-& @{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}\\
-\end{tabular}\hfill\qed
-\end{isabelle}
-\end{proof}
 \noindent
 In order to lift the permutation operation to other types, we can define for:
-\begin{equation}\label{permdefs}
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\mbox{
+\begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
-\begin{tabular}{@ {}ll@ {\hspace{4mm}}l@ {}}
+atoms: & @{thm permute_atom_def[where p="\<pi>",no_vars, THEN eq_reflection]}\\
-a) & atoms: & @{thm permute_atom_def[where p="\<pi>",no_vars, THEN eq_reflection]}\\
+functions: &  @{text "\<pi> \<bullet> f \<equiv> \<lambda>x. \<pi> \<bullet> (f ((-\<pi>) \<bullet> x))"}\\
-b) & functions: &  @{text "\<pi> \<bullet> f \<equiv> \<lambda>x. \<pi> \<bullet> (f ((-\<pi>) \<bullet> x))"}\\
+permutations: & @{thm permute_perm_def[where p="\<pi>" and q="\<pi>'", THEN eq_reflection]}\\
-c) & permutations: & @{thm permute_perm_def[where p="\<pi>" and q="\<pi>'", THEN eq_reflection]}\\
+sets: & @{thm permute_set_eq[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-d) & sets: & @{thm permute_set_eq[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+booleans: & @{thm permute_bool_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-e) & booleans: & @{thm permute_bool_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+lists: & @{thm permute_list.simps(1)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-f) & lists: & @{thm permute_list.simps(1)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+& @{thm permute_list.simps(2)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-& & @{thm permute_list.simps(2)[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+products: & @{thm permute_prod.simps[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-g) & products: & @{thm permute_prod.simps[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+nats: & @{thm permute_nat_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
-h) & nats: & @{thm permute_nat_def[where p="\<pi>", no_vars, THEN eq_reflection]}\\
+\end{tabular}\hfill\numbered{permdefs}
-\end{tabular}}
+\end{isabelle}
-\end{equation}
 \noindent
 and then establish:
 \begin{theorem}
 & @{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2) + \<pi>' - \<pi>\<^isub>2 - \<pi>\<^isub>1"}\\
 & @{text "="} & @{text "\<pi>\<^isub>1 + (\<pi>\<^isub>2 + \<pi>' - \<pi>\<^isub>2) - \<pi>\<^isub>1"} @{text "\<equiv>"} @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> \<pi>'"}
 \end{tabular}\hfill\qed
 \end{isabelle}
 \end{proof}
+\noindent
+Note that the permutation operation for functions is defined so that we have the property
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+@{text "\<pi> \<bullet> (f x) ="}
+@{thm (rhs) permute_fun_app_eq[where p="\<pi>", no_vars]}
+\hfill\numbered{permutefunapp}
+\end{isabelle}
+\noindent
+which is a simple consequence of the definition and the cancellation property in \eqref{cancel}.
+We can also show that the following property holds for any permutation type.
+\begin{lemma}\label{permutecompose}
+Given @{term x} is of permutation type, then
+@{text "\<pi>\<^isub>1 \<bullet> (\<pi>\<^isub>2 \<bullet> x) = (\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}.
+\end{lemma}
+\begin{proof} The proof is as follows:
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+\begin{tabular}[b]{@ {}c@ {\hspace{2mm}}l@ {\hspace{8mm}}l}
+& @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> x"}\\
+@{text "="} & @{text "\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2 \<bullet> (-\<pi>\<^isub>1) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"} & by \eqref{cancel}\\
+@{text "="} & @{text "(\<pi>\<^isub>1 + \<pi>\<^isub>2 - \<pi>\<^isub>1) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}  & by {\rm(\ref{newpermprops}.@{text "ii"})}\\
+@{text "\<equiv>"} & @{text "(\<pi>\<^isub>1 \<bullet> \<pi>\<^isub>2) \<bullet> (\<pi>\<^isub>1 \<bullet> x)"}\\
+\end{tabular}\hfill\qed
+\end{isabelle}
+\end{proof}
 *}
 section {* Equivariance *}
 text {*
 An important notion in the nominal logic work is \emph{equivariance}.
-An equivariant function or predicate is one that is invariant under
+An equivariant function is one that is invariant under
-the swapping of atoms. This notion can be defined
+permutations of atoms. This notion can be defined
 uniformly as follows:
-\begin{definition}\label{equivariance}
+\begin{definition}[Equivariance]\label{equivariance}
 A function @{text f} is \emph{equivariant} if @{term "\<forall>\<pi>. \<pi> \<bullet> f = f"}.
 \end{definition}
 \noindent
 There are a number of equivalent formulations for the equivariance property.
 \noindent
 To see that this formulation implies the definition, we just unfold the
 definition of the permutation operation for functions and simplify with the equation
 and the cancellation property shown in \eqref{cancel}. To see the other direction, we use
-the fact
+\eqref{permutefunapp}. Similarly for functions with more than one argument.
-\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\begin{tabular}{@ {}l}
-@{text "\<pi> \<bullet> (f x) = (\<pi> \<bullet> f) (\<pi> \<bullet> x)"}
-\end{tabular}\hfill\numbered{permutefunapp}
-\end{isabelle}
-\noindent
-which follows again directly
-from the definition of the permutation operation for functions and the cancellation
-property. Similarly for functions with more than one argument.
 Both formulations of equivariance have their advantages and disadvantages:
-the definition, \eqref{permutefunapp} and (\ref{permdefs}.2) lead to a simple
-rewrite system that pushes permutations inside a term until they reach
-either function constants or variables. The permutations in front of
-equivariant functions disappear. Such a rewrite system is often very helpful
-in determining whether @{text "p \<bullet> t = t"} holds for a compound term @{text t}. In contrast
 \eqref{altequivariance} is usually easier to establish, since statements are
-commonly given in a form where functions are fully applied. For example we can
+commonly given in a form where functions are fully applied. For example we
-easily show that equality is equivariant
+can easily show that equality is equivariant
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm eq_eqvt[where p="\<pi>", no_vars]}
 \end{tabular}
 \noindent
 using the permutation operation on booleans and property \eqref{permuteequ}.
 Lemma~\ref{permutecompose} establishes that the permutation operation is
 equivariant. It is also easy to see that the boolean operators, like
-@{text "\<and>"}, @{text "\<or>"} and @{text "\<longrightarrow>"} are all equivariant. Furthermore
+@{text "\<and>"}, @{text "\<or>"}, @{text "\<not>"} and @{text "\<longrightarrow>"} are all equivariant. Furthermore
 a simple calculation will show that our swapping functions are equivariant, that is
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}{@ {}l}
 @{thm swap_eqvt[where p="\<pi>", no_vars]}
 \end{tabular}\hfill\numbered{swapeqvt}
 \end{isabelle}
 \noindent
 for all @{text a}, @{text b} and @{text \<pi>}.
+In contrast, Definition~\ref{equivariance} together with the permutation
+operation for functions and \eqref{permutefunapp} lead to a simple
+rewrite system that pushes permutations inside a term until they reach
+either function constants or variables. The permutations in front of
+equivariant functions disappear. Such a rewrite system is often very helpful
+in determining whether @{text "\<pi> \<bullet> t = t"} holds for a compound term @{text t}. ???
 *}
 section {* Support and Freshness *}
 text {*
-The most original aspect of the nominal logic work of Pitts et al is a general
+The most original aspect of the nominal logic work of Pitts is a general
-definition for ``the set of free variables of an object @{text "x"}''.  This
+definition for `the set of free variables, or free atoms, of an object @{text "x"}'.  This
-definition is general in the sense that it applies not only to lambda-terms,
+definition is general in the sense that it applies not only to lambda terms,
-but also to lists, products, sets and even functions. The definition depends
+but to any type for which a permutation operation is defined
-only on the permutation operation and on the notion of equality defined for
+(like lists, sets, functions and so on).
-the type of @{text x}, namely:
+\begin{definition}[Support] Given @{text x} is of permutation type, then
 @{thm [display,indent=10] supp_def[no_vars, THEN eq_reflection]}
+\end{definition}
 \noindent
 (Note that due to the definition of swapping in \eqref{swapdef}, we do not
 need to explicitly restrict @{text a} and @{text b} to have the same sort.)
 There is also the derived notion for when an atom @{text a} is \emph{fresh}
-for an @{text x}, defined as
+for an @{text x} of permutation type, defined as
 @{thm [display,indent=10] fresh_def[no_vars]}
 \noindent
 We also use the notation @{thm (lhs) fresh_star_def[no_vars]} for sets ot atoms
 defined as follows
 @{thm [display,indent=10] fresh_star_def[no_vars]}
 \noindent
 A striking consequence of these definitions is that we can prove
 without knowing anything about the structure of @{term x} that
 swapping two fresh atoms, say @{text a} and @{text b}, leave
 @{text x} unchanged. For the proof we use the following lemma
 about swappings applied to an @{text x}:
 \begin{lemma}\label{swaptriple}
 Assuming @{text x} is of permutation type, and @{text a}, @{text b} and @{text c}
-have the same sort, then @{thm (prem 3) swap_rel_trans[no_vars]} and
+have the same sort, then \mbox{@{thm (prem 3) swap_rel_trans[no_vars]}} and
 @{thm (prem 4) swap_rel_trans[no_vars]} imply @{thm (concl) swap_rel_trans[no_vars]}.
 \end{lemma}
 \begin{proof}
 The cases where @{text "a = c"} and @{text "b = c"} are immediate.
 @{thm [display,indent=10] (concl) swap_triple[no_vars]}
 \noindent
 are equal. The lemma is then by application of the second permutation
-property shown in \eqref{newpermprops}.\hfill\qed
+property shown in~\eqref{newpermprops}.\hfill\qed
 \end{proof}
 \begin{theorem}\label{swapfreshfresh}
 Let @{text x} be of permutation type.
 @{thm [mode=IfThen] swap_fresh_fresh[no_vars]}
 \end{lemma}
 \begin{proof}
 \begin{isabelle}
 \begin{tabular}[t]{c@ {\hspace{2mm}}l@ {\hspace{5mm}}l}
-& \multicolumn{2}{@ {}l}{@{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]} @{text "\<equiv>"}
+& @{thm (lhs) fresh_permute_iff[where p="\<pi>",no_vars]}\\
-@{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}}\\
+@{text "\<equiv>"} &
+@{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}\\
 @{text "\<Leftrightarrow>"}
 & @{term "finite {b. (\<pi> \<bullet> a \<rightleftharpoons> \<pi> \<bullet> b) \<bullet> \<pi> \<bullet> x \<noteq> \<pi> \<bullet> x}"}
 & since @{text "\<pi> \<bullet> _"} is bijective\\
 @{text "\<Leftrightarrow>"}
 & @{term "finite {b. \<pi> \<bullet> (a \<rightleftharpoons> b) \<bullet> x \<noteq> \<pi> \<bullet> x}"}
-& by \eqref{permutecompose} and \eqref{swapeqvt}\\
+& by Lemma~\ref{permutecompose} and \eqref{swapeqvt}\\
 @{text "\<Leftrightarrow>"}
-& @{term "finite {b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"} @{text "\<equiv>"}
+& @{term "finite {b. (a \<rightleftharpoons> b) \<bullet> x \<noteq> x}"}
-@{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}
 & by \eqref{permuteequ}\\
+@{text "\<equiv>"}
+& @{thm (rhs) fresh_permute_iff[where p="\<pi>",no_vars]}
 \end{tabular}
 \end{isabelle}\hfill\qed
 \end{proof}
 \noindent
 @{thm [display,indent=10] supp_eqvt[where p="\<pi>",no_vars]}
 \noindent
 is by noting that @{thm supp_conv_fresh[no_vars]} and that freshness and
-the logical connectives are equivariant.
+the logical connectives are equivariant. ??? Equivariance
+A simple consequence of the definition of support and equivariance is that
+if a function @{text f} is equivariant then we have
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
+\begin{tabular}{@ {}l}
+@{thm  (concl) supp_fun_eqvt[no_vars]}
+\end{tabular}\hfill\numbered{suppeqvtfun}
+\end{isabelle}
+\noindent
+For function applications we can establish the two following properties.
+\begin{lemma} Let @{text f} and @{text x} be of permutation type, then
+\begin{isabelle}
+\begin{tabular}{r@ {\hspace{4mm}}p{10cm}}
+@{text "i)"} & @{thm[mode=IfThen] fresh_fun_app[no_vars]}\\
+@{text "ii)"} & @{thm supp_fun_app[no_vars]}\\
+\end{tabular}
+\end{isabelle}
+\end{lemma}
+\begin{proof}
+???
+\end{proof}
 While the abstract properties of support and freshness, particularly
 Theorem~\ref{swapfreshfresh}, are useful for developing Nominal Isabelle,
 one often has to calculate the support of some concrete object. This is
 straightforward for example for booleans, nats, products and lists:
-\begin{equation}
+\begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
-\mbox{
+\begin{tabular}{@ {}l@ {\hspace{4mm}}l@ {}}
-\begin{tabular}{@ {}r@ {\hspace{2mm}}l}
 @{text "booleans"}: & @{term "supp b = {}"}\\
 @{text "nats"}:     & @{term "supp n = {}"}\\
 @{text "products"}: & @{thm supp_Pair[no_vars]}\\
 @{text "lists:"} & @{thm supp_Nil[no_vars]}\\
 & @{thm supp_Cons[no_vars]}\\
-\end{tabular}}
+\end{tabular}
-\end{equation}
+\end{isabelle}
 \noindent
 But establishing the support of atoms and permutations is a bit
 trickier. To do so we will use the following notion about a \emph{supporting set}.
-\begin{definition}
+\begin{definition}[Supporting Set]
 A set @{text S} \emph{supports} @{text x} if for all atoms @{text a} and @{text b}
 not in @{text S} we have @{term "(a \<rightleftharpoons> b) \<bullet> x = x"}.
 \end{definition}
 \noindent
 \end{proof}
 \noindent
 These are all relatively straightforward proofs adapted from the existing
 nominal logic work. However for establishing the support of atoms and
-permutations we found  the following ``optimised'' variant of @{text "iii)"}
+permutations we found  the following `optimised' variant of @{text "iii)"}
 more useful:
 \begin{lemma}\label{optimised} Let @{text x} be of permutation type.
 We have that @{thm (concl) finite_supp_unique[no_vars]}
 provided @{thm (prem 1) finite_supp_unique[no_vars]},
 can define a type class for types where every element has finite support, and
 prove that the types @{term "atom"}, @{term "perm"}, lists, products and
 booleans are instances of this type class.
 Unfortunately, this does not work for sets or Isabelle/HOL's function
-type.\footnote{Isabelle/HOL takes the type @{text "\<alpha> set"} as an abbreviation
+type. There are functions and sets definable in Isabelle/HOL for which the
-of @{text "\<alpha> \<Rightarrow> bool"}.}  There are functions and sets definable in
+finite support property does not hold.  A simple example of a function with
-Isabelle/HOL for which the finite support property does not hold.  A simple
+infinite support is @{const nat_of} shown in \eqref{sortnatof}.  This
-example of a function with infinite support is the function that returns the
+function's support is the set of \emph{all} atoms @{term "UNIV::atom set"}.
-natural number of an atom
+To establish this we show
+@{term "\<not> a \<sharp> nat_of"}. This is equivalent to assuming the set @{term
-@{text [display, indent=10] "nat_of (Atom s i) \<equiv> i"}
+"{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite and deriving a
+contradiction. From the assumption we also know that @{term "{a} \<union> {b. (a \<rightleftharpoons>
-\noindent
+b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
-This function's support is the set of \emph{all} atoms. To establish this we show @{term "\<not> a \<sharp> nat_of"}.
+Proposition~\ref{choosefresh} to choose an atom @{text c} such that @{term
-This is equivalent to assuming the set @{term "{b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite
+"c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c) \<bullet> nat_of =
-and deriving a contradiction. From the assumption we also know that
+nat_of"}.  Now we can reason as follows:
-@{term "{a} \<union> {b. (a \<rightleftharpoons> b) \<bullet> nat_of \<noteq> nat_of}"} is finite. Then we can use
-Proposition~\ref{choosefresh} to choose an atom @{text c} such that
-@{term "c \<noteq> a"}, @{term "sort_of c = sort_of a"} and @{term "(a \<rightleftharpoons> c) \<bullet> nat_of = nat_of"}.
-Now we can reason as follows:
 \begin{isabelle}\ \ \ \ \ \ \ \ \ \ %%%
 \begin{tabular}[b]{@ {}rcl@ {\hspace{5mm}}l}
 @{text "nat_of a"} & @{text "="} & @{text "(a \<rightleftharpoons> c) \<bullet> (nat_of a)"} & by def.~of permutations on nats\\
 & @{text "="} & @{term "((a \<rightleftharpoons> c) \<bullet> nat_of) ((a \<rightleftharpoons> c) \<bullet> a)"} & by \eqref{permutefunapp}\\
 \end{isabelle}
 \noindent
 But this means we have that @{term "nat_of a = nat_of c"} and @{term "sort_of a = sort_of c"}.
 This implies that atoms @{term a} and @{term c} must be equal, which clashes with our
-assumption @{term "c \<noteq> a"} about how we chose @{text c}.
+assumption @{term "c \<noteq> a"} about how we chose @{text c}.\footnote{Cheney \cite{Cheney06}
-Cheney \cite{Cheney06} gives similar examples for constructions that have infinite support.
+gives similar examples for constructions that have infinite support.}
 *}
 section {* Support of Finite Sets *}
 text {*
-As shown above, sets is one instance of a type that is not generally finitely supported.
+Also the set type is one instance whose elements are not generally finitely
-However, we can easily show that finite sets of atoms are finitely
+supported (we will give an example in Section~\ref{concrete}).
+However, we can easily show that finite sets and co-finite sets of atoms are finitely
 supported, because their support can be characterised as:
-\begin{lemma}\label{finatomsets}
+\begin{lemma}\label{finatomsets}\mbox{}\\
-If @{text S} is a finite set of atoms, then @{thm (concl) supp_finite_atom_set[no_vars]}.
+@{text "i)"} If @{text S} is a finite set of atoms, then @{thm (concl) supp_finite_atom_set[no_vars]}.\\
+@{text "ii)"} If @{term "UNIV - (S::atom set)"} is a finite set of atoms, then
+@{thm (concl) supp_cofinite_atom_set[no_vars]}.
 \end{lemma}
 \begin{proof}
-finite-supp-unique
+Both parts can be easily shown by Lemma~\ref{optimised}.  We only have to observe
+that a swapping @{text "(a b)"} leaves a set @{text S} unchanged provided both
+@{text a} and @{text b} are elements in @{text S} or both are not in @{text S}.
+However if the sorts of a @{text a} and @{text b} agree, then the swapping will
+change @{text S} if either of them is an element in @{text S} and the other is
+not.\hfill\qed
 \end{proof}
 \noindent
+Note that a consequence of the second part of this lemma is that
+@{term "supp (UNIV::atom set) = {}"}.
 More difficult, however, is it to establish that finite sets of finitely
-supported objects are finitely supported.
+supported objects are finitely supported. For this we first show that
+the union of the suports of finitely many and finitely supported  objects
+is finite, namely
+\begin{lemma}\label{unionsupp}
+If @{text S} is a finite set whose elements are all finitely supported, then\\
+@{text "i)"} @{thm (concl) Union_of_finite_supp_sets[no_vars]} and\\
+@{text "ii)"} @{thm (concl) Union_included_in_supp[no_vars]}.
+\end{lemma}
+\begin{proof}
+The first part is by a straightforward induction on the finiteness of @{text S}.
+For the second part, we know that @{term "\<Union>x\<in>S. supp x"} is a set of atoms, which
+by the first part is finite. Therefore we know by Lemma~\ref{finatomsets}.@{text "i)"}
+that @{term "(\<Union>x\<in>S. supp x) = supp (\<Union>x\<in>S. supp x)"}. Taking @{text "f"} to be
+\mbox{@{text "\<lambda>S. \<Union> (supp ` S)"}}, we can write the right hand side as @{text "supp (f S)"}.
+Since @{text "f"} is an equivariant function, we have that
+@{text "supp (f S) \<subseteq> supp S"} by ??? This completes the second part.\hfill\qed
+\end{proof}
+\noindent
+With this lemma in place we can establish that
+\begin{lemma}
+@{thm[mode=IfThen] supp_of_finite_sets[no_vars]}
+\end{lemma}
+\begin{proof}
+The right-to-left inclusion is proved in Lemma~\ref{unionsupp}.@{text "ii)"}. To show the inclusion
+in the other direction we have to show Lemma~\ref{supports}.@{text "i)"}
+\end{proof}
 *}
 section {* Induction Principles *}
 for every term-constructor that binds some atoms. Also the generality of
 the definitions for $\alpha$-equivalence will help us in the next section.
 *}
-section {* Concrete Atom Types *}
+section {* Concrete Atom Types\label{concrete} *}
 text {*
 So far, we have presented a system that uses only a single multi-sorted atom
 type.  This design gives us the flexibility to define operations and prove
 place.
 *}
-section {* Related Work *}
+section {* Related Work\label{related} *}
 text {*
 Add here comparison with old work.
+Using a single atom type to represent atoms of different sorts and
+representing permutations as functions are not new ideas; see
+\cite{GunterOsbornPopescu09} \footnote{function rep.}  The main contribution
+of this paper is to show an example of how to make better theorem proving
+tools by choosing the right level of abstraction for the underlying
+theory---our design choices take advantage of Isabelle's type system, type
+classes and reasoning infrastructure.  The novel technical contribution is a
+mechanism for dealing with ``Church-style'' lambda-terms \cite{Church40} and
+HOL-based languages \cite{PittsHOL4} where variables and variable binding
+depend on type annotations.
+The paper is organised as follows\ldots
 The main point is that the above reasoning blends smoothly with the reasoning
 infrastructure of Isabelle/HOL; no custom ML-code is necessary and a single
 type class suffices.

changeset 2742	f1192e3474e0
parent 2740	a9e63abf3feb
child 2744	56b8d977d1c0