updated to massive changes in Isabelle
  Nominal Isabelle
  or, How Not to be Intimidated by the Variable Convention
  \Large the Variable Convention\\[-5mm]
  Christian Urban
  King's College London
  Variable Convention: 
  If $M_1,\ldots,M_n$ occur in a certain mathematical context
  (e.g. definition, proof), then in these terms all bound variables 
  are chosen to be different from the free variables.
  Henk Barendregt in ``The Lambda-Calculus: Its Syntax and Semantics''



  dinner after my PhD examination


  Aim: develop Nominal Isabelle for reasoning formally about programming languages 
  programming languages\\[-10mm]\mbox{}
  Variable Convention: 
  If $M_1,\ldots,M_n$ occur in a certain mathematical context
  (e.g. definition, proof), then in these terms all bound variables 
  are chosen to be different from the free variables. ---Henk Barendregt


  found an error in an ACM journal paper by Bob Harper and Frank Pfenning about LF (and fixed it in three ways) 
  about LF (and fixed it in three ways)
  (examined by Henk Barendregt and Andy Pitts)
  (examined by Henk Barendregt and Andy Pitts)
  \item found that the variable convention can in principle be used for proving false


  Andy Pitts showed me that permutations preserve $\alpha$-equivalence:
  \smath{t_1 \approx_{\alpha} t_2 \quad \Rightarrow\quad \pi \act t_1 \approx_{\alpha} \pi \act t_2} 

  also permutations and substitutions commute, if you suspend permutations in front of variables
  in front of variables
  \smath{\pi\act\sigma(t) = \sigma(\pi\act t)}

  this allowed us to define as simple Nominal Unification algorithm
  \smath{\nabla \vdash t \approx^?_{\alpha} t'}
  \smath{\nabla \vdash a \fresh^? t}



  a general theory about atoms and permutations
  sorted atoms and
  sort-respecting permutations
  support and freshness
  \smath{\textit{supp}(x) \dn \{ a \mid \textit{infinite}\,\{ b \mid \swap{a}{b}\act x \not= x\}\}}
  \smath{a \fresh x \dn a \notin \textit{supp}(x)}

  allow users to reason about alpha-equivalence classes as if they were syntax trees 
  syntax trees
  %\item $\alpha$-equivalence
  %\smath{as.x \approx_\alpha bs.y \dn}\\[2mm]
  %\hspace{2cm}\smath{\exists \pi.\;\text{supp}(x) - as = \text{supp}(y) - bs}\\ 
  %\hspace{2cm}\smath{\;\wedge\; \text{supp}(x) - as \fresh \pi}\\
  %\hspace{2cm}\smath{\;\wedge\; \pi \act x = y}


  Nominal logic by Pitts is incompatible with choice principles 
  with choice principles\medskip

  but HOL includes Hilbert's epsilon

  The solution: Do not require that everything has finite support

  \smath{\onslide<1-2>{\textit{finite}(\textit{supp}(x))  \quad\Rightarrow\quad} a \fresh a.x}


  define fv and $\alpha$
  build quotient / new type
  derive a reasoning infrastructure ($\fresh$, distinctness, injectivity, cases,\ldots) 
  derive a {\bf stronger} cases lemma
  from this, a {\bf stronger} induction principle (Barendregt variable convention built in)
  Foo ($\lambda x. \lambda y. t$) ($\lambda u. \lambda v. s$) 


  Users can for example define lambda-terms as:
 atom_decl name
	nominal_datatype lam =
	    Var name
	  | App lam lam 
	  | Lam x::name t::lam   binds x in t ("Lam _. _")

  These are \underline{\bf named} alpha-equivalence classes, for example

  \gb{@{text "Lam a.(Var a)"}} \alert{$\,=\,$} \gb{@{text "Lam b.(Var b)"}}



  The usual induction principle for lambda-terms is as follows:

  \forall x.\;P\,x
  \forall x.\;P\,x\\[2mm]
  \forall x\,t.\;P\,t\Rightarrow P\,(\lambda x.t)
  \forall x\,t.\;P\,t\Rightarrow P\,(\lambda x.t)\\

  It requires us in the lambda-case to show the property \smath{P} for all binders \smath{x}.
  all binders \smath{x}.\medskip\\ 

  (This nearly always requires renamings and they can be tricky to automate.) 
  tricky to automate.)



  Therefore we introduced the following strong induction principle:

  \mbox{}\hspace{-2mm}\begin{beamercolorbox}[sep=1mm, wd=11.5cm]{boxcolor}
  \infer{\tikz[remember picture] \node[inner sep=1mm] (n1a) {\alert<4>{$P$}};%
         \tikz[remember picture] \node[inner sep=1mm] (n2a) {\alert<3>{$c$}};%
         \tikz[remember picture] \node[inner sep=1mm] (n3a) {\alert<2>{$t$}};}
  \forall x\,c.\;P\,c\;x\\[2mm]
  \forall t_1\,t_2\,c.\;(\forall d.\,P d\,t_1)\wedge (\forall d. P\,d\,t_2)
  \Rightarrow P\,c\;(t_1\,t_2)\\[2mm]
  \forall x\,t\,c.\;\alert<1>{x\fresh \alert<3>{c}} 
  \wedge (\forall d. P\,d\,t)\Rightarrow P\,c\;(\lambda x.t)

  {The {\bf context} of the induction; i.e.~what the binder should be fresh for
   $\quad\Rightarrow$ \smath{(x,y,N,L)}:\\[2mm]
   ``\ldots By the variable convention we can assume \mbox{\smath{z\not\equiv x,y}} 
     and \smath{z} not free in \smath{N}$\!$,\,\smath{L}\ldots''};

  \path[overlay, ->, ultra thick, red] (n2b) edge[out=90, in=-100] (n2a);

  {The property to be proved by induction:\\[-3mm]
  (x,\!y,\!N\!,\!L).\,\lambda M.\;\,x\not=y\,\wedge\,x\fresh L\,\Rightarrow}\\[1mm]
  \smath{M[x\!:=\!N][y\!:=\!L] = M[y\!:=\!L][x\!:=\!N[y\!:=\!L]]}  

  \path[overlay, ->, ultra thick, red] (n1b) edge[out=90, in=-70] (n1a);



  binding sets of names has some interesting properties:
  \textcolor{blue}{$\forall\{x, y\}.\, x \rightarrow y \;\;\approx_\alpha\;\; \forall\{y, x\}.\, y \rightarrow x$}

  \textcolor{blue}{$\forall\{x, y\}.\, x \rightarrow y \;\;\not\approx_\alpha\;\; \forall\{z\}.\, z \rightarrow z$}

  \textcolor{blue}{$\forall\{x\}.\, x \rightarrow y \;\;\approx_\alpha\;\; \forall\{x, \alert{z}\}.\, x \rightarrow y$}
  provided $z$ is fresh for the type
  $^*$ $x$, $y$, $z$ are assumed to be distinct

  For type-schemes the order of bound names does not matter, and
  $\alpha$-equivalence is preserved under \alert{vacuous} binders.

  alpha-equivalence being preserved under vacuous binders is \underline{not} always
  \textcolor{blue}{\begin{tabular}{@ {\hspace{-8mm}}l}
  $\text{let}\;x = 3\;\text{and}\;y = 2\;\text{in}\;x - y\;\text{end}$\medskip\\
   \text{let}\;y = 2\;\text{and}\;x = 3\only<3->{\alert{\;\text{and}
    \;z = \text{loop}}}\;\text{in}\;x - y\;\text{end}$}



  sometimes one wants to abstract more than one name, but the order \underline{does} matter
  \textcolor{blue}{\begin{tabular}{@ {\hspace{-8mm}}l}
  $\text{let}\;(x, y) = (3, 2)\;\text{in}\;x - y\;\text{end}$\medskip\\
   \text{let}\;(y, x) = (3, 2)\;\text{in}\;x - y\;\text{end}$



  \multicolumn{2}{l}{\isacommand{nominal\_datatype} trm $=$}\\
  \hspace{5mm}\phantom{$|$} Var name\\
  \hspace{5mm}$|$ App trm trm\\
  \hspace{5mm}$|$ Lam \only<2->{x::}name \only<2->{t::}trm
  & \onslide<2->{\isacommand{bind} x \isacommand{in} t}\\
  \hspace{5mm}$|$ Let \only<2->{as::}assns \only<2->{t::}trm
  & \onslide<2->{\isacommand{bind} bn(as) \isacommand{in} t}\\
  \multicolumn{2}{l}{\isacommand{and} assns $=$}\\
  \multicolumn{2}{l}{\hspace{5mm}\phantom{$|$} ANil}\\
  \multicolumn{2}{l}{\hspace{5mm}$|$ ACons name trm assns}\\
  \multicolumn{2}{l}{\onslide<3->{\isacommand{binder} bn \isacommand{where}}}\\
  \multicolumn{2}{l}{\onslide<3->{\hspace{5mm}\phantom{$|$} bn(ANil) $=$ $[]$}}\\
  \multicolumn{2}{l}{\onslide<3->{\hspace{5mm}$|$ bn(ACons a t as) $=$ $[$a$]$ @ bn(as)}}\\


  \item A Faulty Lemma with the Variable Convention?\\[-8mm]\mbox{}

  {\bf\mbox{}\hspace{-1.5mm}Variable Convention:}\\[1mm] 
  If $M_1,\ldots,M_n$ occur in a certain mathematical context
  (e.g. definition, proof), then in these terms all bound variables 
  are chosen to be different from the free variables.\\[2mm]
  \footnotesize\hfill Barendregt in ``The Lambda-Calculus: Its Syntax and Semantics''


  Inductive Definitions:\\
  \smath{\infer{\text{concl}}{\text{prem}_1 \ldots \text{prem}_n\;\text{scs}}}
  Rule Inductions:\\[2mm]
  \begin{tabular}{l@ {\hspace{2mm}}p{5.5cm}}
  1.) & Assume the property for\\ & the premises. Assume \\ & the side-conditions.\\[1mm]
  2.) & Show the property for\\ & the conclusion.\\



  \item Consider the two-place relation \smath{\text{foo}}:\medskip
  \smath{\;\infer{x\mapsto x}{}}}}\hspace{2mm}
  \smath{\infer{t_1\;t_2\mapsto t_1\;t_2}{}}}}\hspace{2mm}
  \smath{\infer{\lambda x.t\mapsto t'}{t\mapsto t'}}}\\[5mm]


  \item The lemma we going to prove:\smallskip
  Let \smath{t\mapsto t'}. If \smath{y\fresh t} then \smath{y\fresh t'}.

  \item Cases 1 and 2 are trivial:\medskip
  \item If \smath{y\fresh x} then \smath{y\fresh x}.
  \item If \smath{y\fresh t_1\,t_2} then \smath{y\fresh t_1\,t_2}.

  \item Case 3:
  \item We know \tikz[remember picture,baseline=(ta.base)] \node (ta) {\smath{y\fresh \lambda x.t}.}; 
  We have to show \smath{y\fresh t'}.$\!\!\!\!$ 
  \item The IH says: if \smath{y\fresh t} then \smath{y\fresh t'}.
  \item<7,8> So we have \smath{y\fresh t}. Hence \smath{y\fresh t'} by IH. Done!
  {{\bf Variable Convention:}\\[2mm] 
   If $M_1,\ldots,M_n$ occur in a certain mathematical context
   (e.g. definition, proof), then in these terms all bound variables 
   are chosen to be different from the free variables.\smallskip

   {\bf In our case:}\\[2mm]
   The free variables are \smath{y} and \smath{t'}; the bound one is 
   By the variable convention we conclude that \smath{x\not= y}.

  {\small\smath{y\!\not\in\! \text{fv}(\lambda x.t) \Longleftrightarrow
          y\!\not\in\! \text{fv}(t)\!-\!\{x\}
          y\!\not\in\! \text{fv}(t)}};

  \path[overlay, ->, ultra thick, red] (tb) edge[out=-120, in=75] (ta);



  \item The user does not see anything of the ``raw'' level.
  \item The Nominal Isabelle automatically derives the strong structural
  induction principle for \underline{\bf all} nominal datatypes (not just the 

  \item They are easy to use: you just have to think carefully what the variable
  convention should be.

  \item We can explore the \colorbox{black}{\textcolor{white}{dark}} corners 
  of the variable convention: when and where it can be used safely.
  \item<2> \alert{\bf Main Point:} Actually these proofs using the
  variable convention are all trivial / obvious / routine\ldots {\bf provided} 
  you use Nominal Isabelle. ;o)



  \alert{\LARGE Thank you very much!}\\
  \alert{\Large Questions?}

