Quotient-Paper-jv/Paper.thy
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Mon, 19 May 2014 16:45:46 +0100
changeset 3236 e2da10806a34
parent 3156 80e2fb39332b
permissions -rw-r--r--
changed nominal_primrec to nominal_function and termination to nominal_termination

(*<*)
theory Paper
imports "Quotient"
        "~~/src/HOL/Library/Quotient_Syntax"
        "~~/src/HOL/Library/LaTeXsugar"
        "~~/src/HOL/Quotient_Examples/FSet"
begin

notation (latex output)
  rel_conj ("_ \<circ>\<circ>\<circ> _" [53, 53] 52) and
  pred_comp ("_ \<circ>\<circ> _" [1, 1] 30) and
  implies (infix "\<longrightarrow>" 100) and
  "==>" (infix "\<Longrightarrow>" 100) and
  map_fun ("_ \<singlearr> _" 51) and
  fun_rel ("_ \<doublearr> _" 51) and
  list_eq (infix "\<approx>" 50) and (* Not sure if we want this notation...? *)
  empty_fset ("\<emptyset>") and
  union_fset ("_ \<union> _") and
  insert_fset ("{_} \<union> _") and
  Cons ("_::_") and
  concat ("flat") and
  concat_fset ("\<Union>") and
  Quotient ("Quot _ _ _")

declare [[show_question_marks = false]]

ML {*
fun nth_conj n (_, r) = nth (HOLogic.dest_conj r) n;

fun style_lhs_rhs proj = Scan.succeed (fn ctxt => fn t =>
  let
    val concl =
      Object_Logic.drop_judgment (Proof_Context.theory_of ctxt) (Logic.strip_imp_concl t)
  in
    case concl of (_ $ l $ r) => proj (l, r)
    | _ => error ("Binary operator expected in term: " ^ Syntax.string_of_term ctxt concl)
  end);
*}

setup {*
  Term_Style.setup "rhs1" (style_lhs_rhs (nth_conj 0)) #>
  Term_Style.setup "rhs2" (style_lhs_rhs (nth_conj 1)) #>
  Term_Style.setup "rhs3" (style_lhs_rhs (nth_conj 2))
*}

fun add_pair :: "(nat \<times> nat) \<Rightarrow> (nat \<times> nat) \<Rightarrow> (nat \<times> nat)" 
where "add_pair (n1, m1) (n2, m2) = (n1 + n2, m1 + m2)"

fun minus_pair :: "(nat \<times> nat) \<Rightarrow> (nat \<times> nat)" 
where "minus_pair (n, m) = (m, n)"

fun
  intrel :: "(nat \<times> nat) \<Rightarrow> (nat \<times> nat) \<Rightarrow> bool" ("_ \<approx> _" [50, 50] 50) 
where
  "intrel (x, y) (u, v) = (x + v = u + y)"

(*>*)

section {* Introduction *}

text {*
  \noindent
  One might think quotients have been studied to death, but in the
  context of theorem provers a number questions concerning them are
  far from settled. In this paper we address the question of how to
  establish a convenient reasoning infrastructure for quotient
  constructions in the Isabelle/HOL theorem prover. Higher-Order Logic
  (HOL) consists of a small number of axioms and inference rules over
  a simply-typed term-language. Safe reasoning in HOL is ensured by
  two very restricted mechanisms for extending the logic: one is the
  definition of new constants in terms of existing ones; the other is
  the introduction of new types by identifying non-empty subsets in
  existing types. Previous work has shown how to use both mechanisms
  for dealing with quotient constructions in HOL (see
  \cite{Homeier05,Paulson06}).  For example the integers in
  Isabelle/HOL are constructed by a quotient construction over the
  type @{typ "nat \<times> nat"} and the equivalence relation


  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(n\<^isub>1, n\<^isub>2) \<approx> (m\<^isub>1, m\<^isub>2) \<equiv> n\<^isub>1 + m\<^isub>2 = m\<^isub>1 + n\<^isub>2"}\hfill\numbered{natpairequiv}
  \end{isabelle}

  \noindent
  This constructions yields the new type @{typ int}, and definitions for @{text
  "0"} and @{text "1"} of type @{typ int} can be given in terms of pairs of
  natural numbers (namely @{text "(0, 0)"} and @{text "(1, 0)"}). Operations
  such as @{text "add"} with type @{typ "int \<Rightarrow> int \<Rightarrow> int"} can be defined 
  in terms of operations on pairs of natural numbers:

  \begin{isabelle}\ \ \ \ \ %%%
  @{thm add_pair.simps[where ?n1.0="n\<^isub>1" and ?n2.0="n\<^isub>2" and ?m1.0="m\<^isub>1" and ?m2.0="m\<^isub>2", THEN eq_reflection]}%
  \hfill\numbered{addpair}
  \end{isabelle}

  \noindent
  Negation on integers is defined in terms of swapping of pairs:

  \begin{isabelle}\ \ \ \ \ %%%
  @{thm minus_pair.simps[where ?n="n" and ?m="m", THEN eq_reflection]}%
  \hfill\numbered{minuspair}
  \end{isabelle}

  \noindent
  Similarly one can construct the type of finite sets, written @{term
  "\<alpha> fset"}, by quotienting the type @{text "\<alpha> list"} according to the
  equivalence relation

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "xs \<approx> ys \<equiv> (\<forall>x. memb x xs \<longleftrightarrow> memb x ys)"}\hfill\numbered{listequiv}
  \end{isabelle}

  \noindent
  which states that two lists are equivalent if every element in one
  list is also member in the other, and vice versa. The empty finite
  set, written @{term "{||}"}, can then be defined as the empty list
  and the union of two finite sets, written @{text "\<union>"}, as list
  append.

  Quotients are important in a variety of areas, but they are really ubiquitous in
  the area of reasoning about programming language calculi. A simple example
  is the lambda-calculus, whose raw, or un-quotient, terms are defined as

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "t ::= x | t t | \<lambda>x.t"}%\hfill\numbered{lambda}
  \end{isabelle}

  \noindent
  The problem with this definition arises from the need to reason
  modulo $\alpha$-equivalence, for instance, when one attempts to
  prove formally the substitution lemma \cite{Barendregt81} by
  induction over the structure of terms. This can be fiendishly
  complicated (see \cite[Pages 94--104]{CurryFeys58} for some
  ``rough'' sketches of a proof about raw lambda-terms). In contrast,
  if we reason about $\alpha$-equated lambda-terms, that means terms
  quotient according to $\alpha$-equivalence, then the reasoning
  infrastructure provided, for example, by Nominal Isabelle
  \cite{UrbanKaliszyk11} makes the formal proof of the substitution
  lemma almost trivial. The fundamental reason is that in case of
  $\alpha$-equated terms, equality coincides with $\alpha$-equivalence and
  we can use for reasoning HOL's built-in notion of ``replacing equals by equals''.

  There is also often a need to consider quotients of parial equivalence relations. For 
  example the rational numbers
  can be constructed using pairs of integers and the partial equivalence relation

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(n\<^isub>1, n\<^isub>2) \<approx> (m\<^isub>1, m\<^isub>2) \<equiv> n\<^isub>1 * m\<^isub>2 = m\<^isub>1 * n\<^isub>2"}\hfill\numbered{ratpairequiv}
  \end{isabelle}

  \noindent
  where @{text "n\<^isub>2"} and @{text "m\<^isub>2"} are not allowed to be zero.

  The difficulty is that in order to be able to reason about integers,
  finite sets, etc.~one needs to establish a reasoning infrastructure
  by transferring, or \emph{lifting}, definitions and theorems from
  the raw type @{typ "nat \<times> nat"} to the quotient type @{typ int}
  (similarly for finite sets, $\alpha$-equated lambda-terms and
  rational numbers). This lifting usually requires a reasoning effort
  that can be rather repetitive and involves explicit conversions 
  between the quotient and raw level in form of abstraction and 
  representation functions \cite{Paulson06}.  In principle it is feasible to do this
  work manually if one has only a few quotient constructions at
  hand. But if they have to be done over and over again, as in Nominal
  Isabelle, then manual reasoning is not an option.

  The purpose of a \emph{quotient package} is to ease the lifting of
  theorems and automate the reasoning as much as possible. Before we
  delve into the details, let us show how the user interacts with our
  quotient package when defining integers. We assume the definitions
  involving pairs of natural numbers shown in \eqref{natpairequiv},
  \eqref{addpair} and \eqref{minuspair} have already been made. A
  quotient can then be introduced by declaring the new type (in this case
  @{typ int}), the raw type (that is @{typ "nat \<times> nat"}) and the
  equivalence relation (that is @{text intrel} defined in
  \eqref{natpairequiv}).
*}

  quotient_type int = "nat \<times> nat" / intrel

txt {*
  \noindent
  This declaration requires the user to prove that @{text intrel} is
  indeed an equivalence relation, whereby an equivalence 
  relation is defined as one that is reflexive, symmetric and
  transitive.  This proof obligation can thus be discharged by
  unfolding the definitions and using the standard automatic proving
  tactic in Isabelle/HOL.
*}
    unfolding equivp_reflp_symp_transp
    unfolding reflp_def symp_def transp_def
    by auto
(*<*)
    instantiation int :: "{zero, one, plus, uminus}"
    begin
(*>*)
text {*
  \noindent
  Next we can declare the constants @{text "0"} and @{text "1"} for the 
  quotient type @{text int}.
*}
    quotient_definition
      "0 \<Colon> int"  is  "(0\<Colon>nat, 0\<Colon>nat)" .

    quotient_definition
      "1 \<Colon> int"  is  "(1\<Colon>nat, 0\<Colon>nat)" .

text {*
  \noindent
  To be useful, we can also need declare two operations for adding two
  integers (written @{text plus}) and negating an integer
  (written @{text "uminus"}).
*}

    quotient_definition
      "plus \<Colon> int \<Rightarrow> int \<Rightarrow> int"  is  add_pair 
      by auto

    quotient_definition
      "uminus \<Colon> int \<Rightarrow> int"  is  minus_pair 
      by auto
(*<*)    
    instance ..

    end
(*>*)

text {*
  \noindent
  Isabelle/HOL can introduce some convenient short-hand notation for these
  operations allowing the user to write
  addition as infix operation, for example @{text "i + j"}, and
  negation as prefix operation, for example @{text "- i"}.  In both
  cases, however, the declaration requires the user to discharge a
  proof-obligation which ensures that the operations a
  \emph{respectful}. This property ensures that the operations are
  well-defined on the quotient level (a formal definition of
  respectfulness will be given later). Both proofs can be solved by
  the automatic proving tactic in Isabelle/HOL.

  Besides helping with declarations of quotient types and definitions 
  of constants, the point of a quotient package is to help with 
  proving properties about quotient types. For example we might be
  interested in the usual property that zero is an ???. This property 
  can be stated as follows:
*}

     lemma zero_add:
       shows "0 + i = (i::int)"
     proof(descending)
txt {*
  \noindent 
  The tactic @{text "descending"} automatically transfers this property of integers
  to a proof-obligation involving pairs of @{typ nat}s. (There is also
  a tactic, called @{text lifting}, which automatically transfers properties
  from the raw level to the quotient type.) In case of lemma @{text "zero_add"}
  we obtain the subgoal

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "add_pair (0, 0) i \<approx> i"}
  \end{isabelle}

  \noindent
  which can be solved again by the automatic proving tactic @{text "auto"}, as follows
*}
     qed(auto)

text {*
  In this simple example the task of the user is to state the property for integers
  and use the quotient package and automatic proving tools of Isabelle/HOL to do
  the ``rest''. A more interesting example is to establish an induction principle for 
  integers. For this we first establish the following induction principle where the 
  induction proceeds over two natural numbers. 
*}

    lemma nat_induct2:
      assumes "P 0 0"
      and     "\<And>n m. P n m \<Longrightarrow> P (Suc n) m"
      and     "\<And>n m. P n m \<Longrightarrow> P n (Suc m)"
      shows   "P n m"
      using assms
      by (induction_schema) (pat_completeness, lexicographic_order)

text {*
  \noindent
  The symbol @{text "\<And>"} stands for Isabelle/HOL's universal quantifier and
  @{text "\<Longrightarrow>"} for its implication.
  As can be seen, this induction principle can be conveniently established using the
  reasoning infrastructure of the function package \cite{???}, which 
  provides the tactics @{text "induction_schema"}, @{text "pat_completeness"}
  and @{text "lexicographic_order"}. These tactics enable Isabelle/HOL
  to use well-founded induction to prove @{text "nat_induct2"}. Our 
  quotient package can now be used to prove the following property:
*}

    lemma int_induct:
      assumes "P 0"
      and     "\<And>i. P i \<Longrightarrow> P (i + 1)"
      and     "\<And>i. P i \<Longrightarrow> P (i + (- 1))"
      shows   "P (j::int)"
      using assms 
      proof (descending)

txt {*
  \noindent
  The @{text descending} tactic transfers it to the following proof 
  obligation on the raw level.
  
  @{subgoals[display]}

  \noindent
  Note that the variable @{text "j"} in this subgoal is of type
  @{text "nat \<times> nat"}. This subgoal cannot be proved automatically by 
  @{text auto}, but if we give it the hint to use @{text nat_induct2},
  then @{text auto} can discharge it as follows.
  
*}
       qed (auto intro: nat_induct2)

text {*
  This completes the proof of the induction principle
  for integers. Isabelle/HOL would allow us to inspect the 
  detailed reasoning steps involved which would confirm that
  @{text "int_induct"} has been proved from ``first-principles''
  by transforming the property over the quotient type @{text int}
  to a corresponding property one on the raw level.


  In the
  context of HOL, there have been a few quotient packages already
  \cite{harrison-thesis,Slotosch97}. The most notable one is by Homeier
  \cite{Homeier05} implemented in HOL4.  The fundamental construction these
  quotient packages perform can be illustrated by the following picture:

%%% FIXME: Referee 1 says:
%%% Diagram is unclear.  Firstly, isn't an existing type a "set (not sets) of raw elements"?
%%% Secondly, isn't the _set of_ equivalence classes mapped to and from the new type?
%%% Thirdly, what do the words "non-empty subset" refer to ?

%%% Cezary: I like the diagram, maybe 'new type' could be outside, but otherwise
%%% I wouldn't change it.

  \begin{center}
  \mbox{}\hspace{20mm}\begin{tikzpicture}[scale=1.1]
  %%\draw[step=2mm] (-4,-1) grid (4,1);

  \draw[very thick] (0.7,0.3) circle (4.85mm);
  \draw[rounded corners=1mm, very thick] ( 0.0,-0.9) rectangle ( 1.8, 0.9);
  \draw[rounded corners=1mm, very thick] (-1.95,0.8) rectangle (-2.9,-0.195);

  \draw (-2.0, 0.8) --  (0.7,0.8);
  \draw (-2.0,-0.195)  -- (0.7,-0.195);

  \draw ( 0.7, 0.23) node {\begin{tabular}{@ {}c@ {}}equiv-\\[-1mm]clas.\end{tabular}};
  \draw (-2.45, 0.35) node {\begin{tabular}{@ {}c@ {}}new\\[-1mm]type\end{tabular}};
  \draw (1.8, 0.35) node[right=-0.1mm]
    {\begin{tabular}{@ {}l@ {}}existing\\[-1mm] type\\ (sets of raw elements)\end{tabular}};
  \draw (0.9, -0.55) node {\begin{tabular}{@ {}l@ {}}non-empty\\[-1mm]subset\end{tabular}};

  \draw[->, very thick] (-1.8, 0.36) -- (-0.1,0.36);
  \draw[<-, very thick] (-1.8, 0.16) -- (-0.1,0.16);
  \draw (-0.95, 0.26) node[above=0.4mm] {@{text Rep}};
  \draw (-0.95, 0.26) node[below=0.4mm] {@{text Abs}};
  \end{tikzpicture}
  \end{center}

  \noindent
  The starting point is an existing type, to which we refer as the
  \emph{raw type} and over which an equivalence relation is given by the user.
  With this input the package introduces a new type, to which we
  refer as the \emph{quotient type}. This type comes with an
  \emph{abstraction} and a \emph{representation} function, written @{text Abs}
  and @{text Rep}.\footnote{Actually slightly more basic functions are given;
  the functions @{text Abs} and @{text Rep} need to be derived from them. We
  will show the details later. } They relate elements in the
  existing type to elements in the new type, % and vice versa,
  and can be uniquely
  identified by their quotient type. For example for the integer quotient construction
  the types of @{text Abs} and @{text Rep} are


  \begin{isabelle}\ \ \ \ \ %%%
  @{text "Abs :: nat \<times> nat \<Rightarrow> int"}\hspace{10mm}@{text "Rep :: int \<Rightarrow> nat \<times> nat"}
  \end{isabelle}

  \noindent
  We therefore often write @{text Abs_int} and @{text Rep_int} if the
  typing information is important.

  Every abstraction and representation function stands for an isomorphism
  between the non-empty subset and elements in the new type. They are
  necessary for making definitions involving the new type. For example @{text
  "0"} and @{text "1"} of type @{typ int} can be defined as


  \begin{isabelle}\ \ \ \ \ %%%
  @{text "0 \<equiv> Abs_int (0, 0)"}\hspace{10mm}@{text "1 \<equiv> Abs_int (1, 0)"}
  \end{isabelle}

  \noindent
  Slightly more complicated is the definition of @{text "add"} having type
  @{typ "int \<Rightarrow> int \<Rightarrow> int"}. Its definition is as follows

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "add n m \<equiv> Abs_int (add_pair (Rep_int n) (Rep_int m))"}
  \hfill\numbered{adddef}
  \end{isabelle}

  \noindent
  where we take the representation of the arguments @{text n} and @{text m},
  add them according to the function @{text "add_pair"} and then take the
  abstraction of the result.  This is all straightforward and the existing
  quotient packages can deal with such definitions. But what is surprising is
  that none of them can deal with slightly more complicated definitions involving
  \emph{compositions} of quotients. Such compositions are needed for example
  in case of quotienting lists to yield finite sets and the operator that
  flattens lists of lists, defined as follows

  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{@ {}l}
  @{thm concat.simps(1)[THEN eq_reflection]}\\
  @{thm concat.simps(2)[THEN eq_reflection, where x1="x" and xs1="xs"]}
  \end{tabular}
  \end{isabelle}

  \noindent
  where @{text "@"} is the usual
  list append. We expect that the corresponding
  operator on finite sets, written @{term "fconcat"},
  builds finite unions of finite sets:

  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{@ {}l}
  @{thm concat_empty_fset[THEN eq_reflection]}\\
  @{thm concat_insert_fset[THEN eq_reflection, where x1="x" and S1="S"]}
  \end{tabular}
  \end{isabelle}

  \noindent
  The quotient package should automatically provide us with a definition for @{text "\<Union>"} in
  terms of @{text flat}, @{text Rep_fset} and @{text Abs_fset}. The problem is
  that the method  used in the existing quotient
  packages of just taking the representation of the arguments and then taking
  the abstraction of the result is \emph{not} enough. The reason is that in case
  of @{text "\<Union>"} we obtain the incorrect definition

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "\<Union> S \<equiv> Abs_fset (flat (Rep_fset S))"}
  \end{isabelle}

  \noindent
  where the right-hand side is not even typable! This problem can be remedied in the
  existing quotient packages by introducing an intermediate step and reasoning
  about flattening of lists of finite sets. However, this remedy is rather
  cumbersome and inelegant in light of our work, which can deal with such
  definitions directly. The solution is that we need to build aggregate
  representation and abstraction functions, which in case of @{text "\<Union>"}
  generate the %%%following
  definition

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "\<Union> S \<equiv> Abs_fset (flat ((map_list Rep_fset \<circ> Rep_fset) S))"}
  \end{isabelle}

  \noindent
  where @{term map_list} is the usual mapping function for lists. In this paper we
  will present a formal definition of our aggregate abstraction and
  representation functions (this definition was omitted in \cite{Homeier05}).
  They generate definitions, like the one above for @{text "\<Union>"},
  according to the type of the raw constant and the type
  of the quotient constant. This means we also have to extend the notions
  of \emph{aggregate equivalence relation}, \emph{respectfulness} and \emph{preservation}
  from Homeier \cite{Homeier05}.

  {\bf EXAMPLE BY HUFFMAN @{thm map_concat_fset}}

%%%TODO Update the contents.

  In addition we are able to clearly specify what is involved
  in the lifting process (this was only hinted at in \cite{Homeier05} and
  implemented as a ``rough recipe'' in ML-code). A pleasing side-result
  is that our procedure for lifting theorems is completely deterministic
  following the structure of the theorem being lifted and the theorem
  on the quotient level. {\it Space constraints, unfortunately, allow us to only
  sketch this part of our work in Section 5 and we defer the reader to a longer
  version for the details.} However, we will give in Section 3 and 4 all
  definitions that specify the input and output data of our three-step
  lifting procedure. Appendix A gives an example how our quotient
  package works in practise.
*}

section {* Preliminaries and General Quotients\label{sec:prelims} *}

text {*
  \noindent
  We will give in this section a crude overview of HOL and describe the main
  definitions given by Homeier for quotients \cite{Homeier05}.

  At its core, HOL is based on a simply-typed term language, where types are
  recorded in Church-style fashion (that means, we can always infer the type of
  a term and its subterms without any additional information). The grammars
  for types and terms are

  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{@ {}c@ {\hspace{10mm}}c@ {}}
  @{text "\<sigma>, \<tau> ::= \<alpha> | (\<sigma>,\<dots>, \<sigma>) \<kappa>"} &
  @{text "t, s ::= x\<^isup>\<sigma> | c\<^isup>\<sigma> | t t | \<lambda>x\<^isup>\<sigma>. t"}\\
  \end{tabular}
  \end{isabelle}

  \noindent
  with types being either type variables or type constructors and terms
  being variables, constants, applications or abstractions.
  We often write just @{text \<kappa>} for @{text "() \<kappa>"}, and use @{text "\<alpha>s"} and
  @{text "\<sigma>s"} to stand for collections of type variables and types,
  respectively.  The type of a term is often made explicit by writing @{text
  "t :: \<sigma>"}. HOL includes a type @{typ bool} for booleans and the function
  type, written @{text "\<sigma> \<Rightarrow> \<tau>"}. HOL also contains many primitive and defined
  constants; for example, a primitive constant is equality, with type @{text "= :: \<sigma> \<Rightarrow> \<sigma> \<Rightarrow>
  bool"}, and the identity function with type @{text "id :: \<sigma> \<Rightarrow> \<sigma>"} is
  defined as @{text "\<lambda>x\<^sup>\<sigma>. x\<^sup>\<sigma>"}.

  An important point to note is that theorems in HOL can be seen as a subset
  of terms that are constructed specially (namely through axioms and proof
  rules). As a result we are able to define automatic proof
  procedures showing that one theorem implies another by decomposing the term
  underlying the first theorem.

  Like Homeier's, our work relies on map-functions defined for every type
  constructor taking some arguments, for example @{text map_list} for lists. Homeier
  describes in \cite{Homeier05} map-functions for products, sums, options and
  also the following map for function types

  \begin{isabelle}\ \ \ \ \ %%%
  @{thm map_fun_def[THEN eq_reflection]}
  \end{isabelle}

  \noindent
  Using this map-function, we can give the following, equivalent, but more
  uniform definition for @{text add} shown in \eqref{adddef}:

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "add \<equiv> (Rep_int \<singlearr> Rep_int \<singlearr> Abs_int) add_pair"}
  \end{isabelle}

  \noindent
  Using extensionality and unfolding the definition of @{text "\<singlearr>"},
  we can get back to \eqref{adddef}.
  In what follows we shall use the convention to write @{text "map_\<kappa>"} for a map-function
  of the type-constructor @{text \<kappa>}.
  %% a general type for map all types is difficult to give (algebraic types are
  %% easy, but for example the function type is not algebraic
  %For a type @{text \<kappa>} with arguments @{text "\<alpha>\<^isub>1\<^isub>\<dots>\<^isub>n"} the
  %type of the function @{text "map_\<kappa>"} has to be @{text "\<alpha>\<^isub>1\<Rightarrow>\<dots>\<Rightarrow>\<alpha>\<^isub>n\<Rightarrow>\<alpha>\<^isub>1\<dots>\<alpha>\<^isub>n \<kappa>"}.
  %For example @{text "map_list"}
  %has to have the type @{text "\<alpha>\<Rightarrow>\<alpha> list"}.
  In our implementation we maintain
  a database of these map-functions that can be dynamically extended.

  It will also be necessary to have operators, referred to as @{text "rel_\<kappa>"},
  which define equivalence relations in terms of constituent equivalence
  relations. For example given two equivalence relations @{text "R\<^isub>1"}
  and @{text "R\<^isub>2"}, we can define an equivalence relations over
  products as %% follows

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(R\<^isub>1 \<tripple> R\<^isub>2) (x\<^isub>1, x\<^isub>2) (y\<^isub>1, y\<^isub>2) \<equiv> R\<^isub>1 x\<^isub>1 y\<^isub>1 \<and> R\<^isub>2 x\<^isub>2 y\<^isub>2"}
  \end{isabelle}

  \noindent
  Homeier gives also the following operator for defining equivalence
  relations over function types
  %
  \begin{isabelle}\ \ \ \ \ %%%
  @{thm fun_rel_def[of "R\<^isub>1" "R\<^isub>2", THEN eq_reflection]}
  \hfill\numbered{relfun}
  \end{isabelle}

  \noindent
  In the context of quotients, the following two notions from \cite{Homeier05}
  are needed later on.

  \begin{definition}[Respects]\label{def:respects}
  An element @{text "x"} respects a relation @{text "R"} provided @{text "R x x"}.
  \end{definition}

  \begin{definition}[Bounded $\forall$ and $\lambda$]\label{def:babs}
  @{text "\<forall>x \<in> S. P x"} holds if for all @{text x}, @{text "x \<in> S"} implies @{text "P x"};
  and @{text "(\<lambda>x \<in> S. f x) x = f x"} provided @{text "x \<in> S"}.
  \end{definition}

  The central definition in Homeier's work \cite{Homeier05} relates equivalence
  relations, abstraction and representation functions:

  \begin{definition}[Quotient Types]
  Given a relation $R$, an abstraction function $Abs$
  and a representation function $Rep$, the predicate @{term "Quotient R Abs Rep"}
  holds if and only if
  \begin{isabelle}\ \ \ \ \ %%%%
  \begin{tabular}{rl}
  (i) & \begin{isa}@{thm (rhs1) Quotient_def[of "R"]}\end{isa}\\
  (ii) & \begin{isa}@{thm (rhs2) Quotient_def[of "R"]}\end{isa}\\
  (iii) & \begin{isa}@{thm (rhs3) Quotient_def[of "R"]}\end{isa}\\
  \end{tabular}
  \end{isabelle}
  \end{definition}

  \noindent
  The value of this definition lies in the fact that validity of @{term "Quotient R Abs Rep"} can
  often be proved in terms of the validity of @{term "Quot"} over the constituent
  types of @{text "R"}, @{text Abs} and @{text Rep}.
  For example Homeier proves the following property for higher-order quotient
  types:

  \begin{proposition}\label{funquot}
  \begin{isa}
  @{thm[mode=IfThen] fun_quotient[where ?R1.0="R\<^isub>1" and ?R2.0="R\<^isub>2"
      and ?abs1.0="Abs\<^isub>1" and ?abs2.0="Abs\<^isub>2" and ?rep1.0="Rep\<^isub>1" and ?rep2.0="Rep\<^isub>2"]}
  \end{isa}
  \end{proposition}

  \noindent
  As a result, Homeier is able to build an automatic prover that can nearly
  always discharge a proof obligation involving @{text "Quot"}. Our quotient
  package makes heavy
  use of this part of Homeier's work including an extension
  for dealing with \emph{conjugations} of equivalence relations\footnote{That are
  symmetric by definition.} defined as follows:

%%% FIXME Referee 2 claims that composition-of-relations means OO, and this is also
%%% what wikipedia says. Any idea for a different name? Conjugation of Relations?

  \begin{definition}%%[Composition of Relations]
  @{abbrev "rel_conj R\<^isub>1 R\<^isub>2"} where @{text "\<circ>\<circ>"} is the predicate
  composition defined by
  @{thm (concl) pred_compI[of "R\<^isub>1" "x" "y" "R\<^isub>2" "z"]}
  holds if and only if there exists a @{text y} such that @{thm (prem 1) pred_compI[of "R\<^isub>1" "x" "y" "R\<^isub>2" "z"]} and
  @{thm (prem 2) pred_compI[of "R\<^isub>1" "x" "y" "R\<^isub>2" "z"]}.
  \end{definition}

  \noindent
  Unfortunately a general quotient theorem for @{text "\<circ>\<circ>\<circ>"}, analogous to the one
  for @{text "\<singlearr>"} given in Proposition \ref{funquot}, would not be true
  in general. It cannot even be stated inside HOL, because of restrictions on types.
  However, we can prove specific instances of a
  quotient theorem for composing particular quotient relations.
  For example, to lift theorems involving @{term flat} the quotient theorem for
  composing @{text "\<approx>\<^bsub>list\<^esub>"} will be necessary: given @{term "Quotient R Abs Rep"}
  with @{text R} being an equivalence relation, then

  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{r@ {\hspace{1mm}}l}
  @{text  "Quot"} & @{text "(rel_list R \<circ>\<circ>\<circ> \<approx>\<^bsub>list\<^esub>)"}\\
                  & @{text "(Abs_fset \<circ> map_list Abs)"} @{text "(map_list Rep \<circ> Rep_fset)"}\\
  \end{tabular}
  \end{isabelle}
*}

section {* Quotient Types and Quotient Definitions\label{sec:type} *}

text {*
  \noindent
  The first step in a quotient construction is to take a name for the new
  type, say @{text "\<kappa>\<^isub>q"}, and an equivalence relation, say @{text R},
  defined over a raw type, say @{text "\<sigma>"}. The type of the equivalence
  relation must be @{text "\<sigma> \<Rightarrow> \<sigma> \<Rightarrow> bool"}. The user-visible part of
  the quotient type declaration is therefore

  \begin{isabelle}\ \ \ \ \ %%%
  \isacommand{quotient\_type}~~@{text "\<alpha>s \<kappa>\<^isub>q = \<sigma> / R"}\hfill\numbered{typedecl}
  \end{isabelle}

  \noindent
  and a proof that @{text "R"} is indeed an equivalence relation. The @{text "\<alpha>s"}
  indicate the arity of the new type and the type-variables of @{text "\<sigma>"} can only
  be contained in @{text "\<alpha>s"}. Two concrete
  examples are


  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{@ {}l}
  \isacommand{quotient\_type}~~@{text "int = nat \<times> nat / \<approx>\<^bsub>nat \<times> nat\<^esub>"}\\
  \isacommand{quotient\_type}~~@{text "\<alpha> fset = \<alpha> list / \<approx>\<^bsub>list\<^esub>"}
  \end{tabular}
  \end{isabelle}

  \noindent
  which introduce the type of integers and of finite sets using the
  equivalence relations @{text "\<approx>\<^bsub>nat \<times> nat\<^esub>"} and @{text
  "\<approx>\<^bsub>list\<^esub>"} defined in \eqref{natpairequiv} and
  \eqref{listequiv}, respectively (the proofs about being equivalence
  relations are omitted).  Given this data, we define for declarations shown in
  \eqref{typedecl} the quotient types internally as

  \begin{isabelle}\ \ \ \ \ %%%
  \isacommand{typedef}~~@{text "\<alpha>s \<kappa>\<^isub>q = {c. \<exists>x. c = R x}"}
  \end{isabelle}

  \noindent
  where the right-hand side is the (non-empty) set of equivalence classes of
  @{text "R"}. The constraint in this declaration is that the type variables
  in the raw type @{text "\<sigma>"} must be included in the type variables @{text
  "\<alpha>s"} declared for @{text "\<kappa>\<^isub>q"}. HOL will then provide us with the following
  abstraction and representation functions

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "abs_\<kappa>\<^isub>q :: \<sigma> set \<Rightarrow> \<alpha>s \<kappa>\<^isub>q"}\hspace{10mm}@{text "rep_\<kappa>\<^isub>q :: \<alpha>s \<kappa>\<^isub>q \<Rightarrow> \<sigma> set"}
  \end{isabelle}

  \noindent
  As can be seen from the type, they relate the new quotient type and equivalence classes of the raw
  type. However, as Homeier \cite{Homeier05} noted, it is much more convenient
  to work with the following derived abstraction and representation functions

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "Abs_\<kappa>\<^isub>q x \<equiv> abs_\<kappa>\<^isub>q (R x)"}\hspace{10mm}@{text "Rep_\<kappa>\<^isub>q x \<equiv> \<epsilon> (rep_\<kappa>\<^isub>q x)"}
  \end{isabelle}

  \noindent
  on the expense of having to use Hilbert's choice operator @{text "\<epsilon>"} in the
  definition of @{text "Rep_\<kappa>\<^isub>q"}. These derived notions relate the
  quotient type and the raw type directly, as can be seen from their type,
  namely @{text "\<sigma> \<Rightarrow> \<alpha>s \<kappa>\<^isub>q"} and @{text "\<alpha>s \<kappa>\<^isub>q \<Rightarrow> \<sigma>"},
  respectively.  Given that @{text "R"} is an equivalence relation, the
  following property holds  for every quotient type
  (for the proof see \cite{Homeier05}).

  \begin{proposition}
  \begin{isa}@{term "Quotient R Abs_\<kappa>\<^isub>q Rep_\<kappa>\<^isub>q"}.\end{isa}
  \end{proposition}

  The next step in a quotient construction is to introduce definitions of new constants
  involving the quotient type. These definitions need to be given in terms of concepts
  of the raw type (remember this is the only way how to extend HOL
  with new definitions). For the user the visible part of such definitions is the declaration

  \begin{isabelle}\ \ \ \ \ %%%
  \isacommand{quotient\_definition}~~@{text "c :: \<tau>"}~~\isacommand{is}~~@{text "t :: \<sigma>"}
  \end{isabelle}

  \noindent
  where @{text t} is the definiens (its type @{text \<sigma>} can always be inferred)
  and @{text "c"} is the name of definiendum, whose type @{text "\<tau>"} needs to be
  given explicitly (the point is that @{text "\<tau>"} and @{text "\<sigma>"} can only differ
  in places where a quotient and raw type is involved). Two concrete examples are

  \begin{isabelle}\ \ \ \ \ %%%
  \begin{tabular}{@ {}l}
  \isacommand{quotient\_definition}~~@{text "0 :: int"}~~\isacommand{is}~~@{text "(0::nat, 0::nat)"}\\
  \isacommand{quotient\_definition}~~@{text "\<Union> :: (\<alpha> fset) fset \<Rightarrow> \<alpha> fset"}~~%
  \isacommand{is}~~@{text "flat"}
  \end{tabular}
  \end{isabelle}

  \noindent
  The first one declares zero for integers and the second the operator for
  building unions of finite sets (@{text "flat"} having the type
  @{text "(\<alpha> list) list \<Rightarrow> \<alpha> list"}).

  From such declarations given by the user, the quotient package needs to derive proper
  definitions using @{text "Abs"} and @{text "Rep"}. The data we rely on is the given quotient type
  @{text "\<tau>"} and the raw type @{text "\<sigma>"}.  They allow us to define \emph{aggregate
  abstraction} and \emph{representation functions} using the functions @{text "ABS (\<sigma>,
  \<tau>)"} and @{text "REP (\<sigma>, \<tau>)"} whose clauses we shall give below. The idea behind
  these two functions is to simultaneously descend into the raw types @{text \<sigma>} and
  quotient types @{text \<tau>}, and generate the appropriate
  @{text "Abs"} and @{text "Rep"} in places where the types differ. Therefore
  we generate just the identity whenever the types are equal. On the ``way'' down,
  however we might have to use map-functions to let @{text Abs} and @{text Rep} act
  over the appropriate types. In what follows we use the short-hand notation
  @{text "ABS (\<sigma>s, \<tau>s)"} to mean @{text "ABS (\<sigma>\<^isub>1, \<tau>\<^isub>1)\<dots>ABS (\<sigma>\<^isub>n, \<tau>\<^isub>n)"}; similarly
  for @{text REP}.
  %
  \begin{center}
  \hfill
  \begin{tabular}{@ {\hspace{2mm}}l@ {}}
  \multicolumn{1}{@ {}l}{equal types:}\\
  @{text "ABS (\<sigma>, \<sigma>)"} $\dn$ @{text "id :: \<sigma> \<Rightarrow> \<sigma>"}\hspace{5mm}%\\
  @{text "REP (\<sigma>, \<sigma>)"} $\dn$ @{text "id :: \<sigma> \<Rightarrow> \<sigma>"}\smallskip\\
  \multicolumn{1}{@ {}l}{function types:}\\
  @{text "ABS (\<sigma>\<^isub>1 \<Rightarrow> \<sigma>\<^isub>2, \<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2)"} $\dn$ @{text "REP (\<sigma>\<^isub>1, \<tau>\<^isub>1) \<singlearr> ABS (\<sigma>\<^isub>2, \<tau>\<^isub>2)"}\\
  @{text "REP (\<sigma>\<^isub>1 \<Rightarrow> \<sigma>\<^isub>2, \<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2)"} $\dn$ @{text "ABS (\<sigma>\<^isub>1, \<tau>\<^isub>1) \<singlearr> REP (\<sigma>\<^isub>2, \<tau>\<^isub>2)"}\smallskip\\
  \multicolumn{1}{@ {}l}{equal type constructors:}\\
  @{text "ABS (\<sigma>s \<kappa>, \<tau>s \<kappa>)"} $\dn$ @{text "map_\<kappa> (ABS (\<sigma>s, \<tau>s))"}\\
  @{text "REP (\<sigma>s \<kappa>, \<tau>s \<kappa>)"} $\dn$ @{text "map_\<kappa> (REP (\<sigma>s, \<tau>s))"}\smallskip\\
  \multicolumn{1}{@ {}l}{unequal type constructors:}\\
  @{text "ABS (\<sigma>s \<kappa>, \<tau>s \<kappa>\<^isub>q)"} $\dn$ @{text "Abs_\<kappa>\<^isub>q \<circ> (MAP(\<rho>s \<kappa>) (ABS (\<sigma>s', \<tau>s)))"}\\
  @{text "REP (\<sigma>s \<kappa>, \<tau>s \<kappa>\<^isub>q)"} $\dn$ @{text "(MAP(\<rho>s \<kappa>) (REP (\<sigma>s', \<tau>s))) \<circ> Rep_\<kappa>\<^isub>q"}
  \end{tabular}\hfill\numbered{ABSREP}
  \end{center}
  %
  \noindent
  In the last two clauses are subtle. We rely in them on the fact that the type @{text "\<alpha>s
  \<kappa>\<^isub>q"} is the quotient of the raw type @{text "\<rho>s \<kappa>"} (for example
  @{text "int"} and @{text "nat \<times> nat"}, or @{text "\<alpha> fset"} and @{text "\<alpha>
  list"}). This data is given by declarations shown in \eqref{typedecl}.
  The quotient construction ensures that the type variables in @{text
  "\<rho>s \<kappa>"} must be among the @{text "\<alpha>s"}. The @{text "\<sigma>s'"} are given by the
  substitutions for the @{text "\<alpha>s"} when matching  @{text "\<sigma>s \<kappa>"} against
  @{text "\<rho>s \<kappa>"}. This calculation determines what are the types in place
  of the type variables @{text "\<alpha>s"} in the instance of
  quotient type @{text "\<alpha>s \<kappa>\<^isub>q"}---namely @{text "\<tau>s"}, and the corresponding
  types in place of the @{text "\<alpha>s"} in the raw type @{text "\<rho>s \<kappa>"}---namely @{text "\<sigma>s'"}. The
  function @{text "MAP"} calculates an \emph{aggregate map-function} for a raw
  type as follows:
  %
  \begin{center}
  \begin{tabular}{r@ {\hspace{1mm}}c@ {\hspace{1mm}}l}
  @{text "MAP' (\<alpha>)"} & $\dn$ & @{text "a\<^sup>\<alpha>"}\\
  @{text "MAP' (\<kappa>)"} & $\dn$ & @{text "id :: \<kappa> \<Rightarrow> \<kappa>"}\\
  @{text "MAP' (\<sigma>s \<kappa>)"} & $\dn$ & @{text "map_\<kappa> (MAP'(\<sigma>s))"}\smallskip\\
  @{text "MAP (\<sigma>)"} & $\dn$ & @{text "\<lambda>as. MAP'(\<sigma>)"}
  \end{tabular}
  \end{center}
  %
  \noindent
  In this definition we rely on the fact that in the first clause we can interpret type-variables @{text \<alpha>} as
  term variables @{text a}. In the last clause we build an abstraction over all
  term-variables of the map-function generated by the auxiliary function
  @{text "MAP'"}.
  The need for aggregate map-functions can be seen in cases where we build quotients,
  say @{text "(\<alpha>, \<beta>) \<kappa>\<^isub>q"}, out of compound raw types, say @{text "(\<alpha> list) \<times> \<beta>"}.
  In this case @{text MAP} generates  the
  aggregate map-function:

%%% FIXME: Reviewer 2 asks: last two lines defining ABS and REP for
%%% unequal type constructors: How are the $\varrho$s defined? The
%%% following paragraph mentions them, but this paragraph is unclear,
%%% since it then mentions $\alpha$s, which do not seem to be defined
%%% either. As a result, I do not understand the first two sentences
%%% in this paragraph. I can imagine roughly what the following
%%% sentence `The $\sigma$s' are given by the matchers for the
%%% $\alpha$s$ when matching $\varrho$s $\kappa$ against $\sigma$s
%%% $\kappa$.' means, but also think that it is too vague.

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "\<lambda>a b. map_prod (map_list a) b"}
  \end{isabelle}

  \noindent
  which is essential in order to define the corresponding aggregate
  abstraction and representation functions.

  To see how these definitions pan out in practise, let us return to our
  example about @{term "concat"} and @{term "fconcat"}, where we have the raw type
  @{text "(\<alpha> list) list \<Rightarrow> \<alpha> list"} and the quotient type @{text "(\<alpha> fset) fset \<Rightarrow> \<alpha>
  fset"}. Feeding these types into @{text ABS} gives us (after some @{text "\<beta>"}-simplifications)
  the abstraction function

  \begin{isabelle}\ \ \ %%%
  \begin{tabular}{l}
  @{text "(map_list (map_list id \<circ> Rep_fset) \<circ> Rep_fset) \<singlearr>"}\\
  \mbox{}\hspace{4.5cm}@{text " Abs_fset \<circ> map_list id"}
  \end{tabular}
  \end{isabelle}

  \noindent
  In our implementation we further
  simplify this function by rewriting with the usual laws about @{text
  "map"}s and @{text "id"}, for example @{term "map_list id = id"} and @{text "f \<circ> id =
  id \<circ> f = f"}. This gives us the simpler abstraction function

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(map_list Rep_fset \<circ> Rep_fset) \<singlearr> Abs_fset"}
  \end{isabelle}

  \noindent
  which we can use for defining @{term "fconcat"} as follows

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "\<Union> \<equiv> ((map_list Rep_fset \<circ> Rep_fset) \<singlearr> Abs_fset) flat"}
  \end{isabelle}

  \noindent
  Note that by using the operator @{text "\<singlearr>"} and special clauses
  for function types in \eqref{ABSREP}, we do not have to
  distinguish between arguments and results, but can deal with them uniformly.
  Consequently, all definitions in the quotient package
  are of the general form

  \begin{isabelle}\ \ \ \ \ %%%
  \mbox{@{text "c \<equiv> ABS (\<sigma>, \<tau>) t"}}
  \end{isabelle}

  \noindent
  where @{text \<sigma>} is the type of the definiens @{text "t"} and @{text "\<tau>"} the
  type of the defined quotient constant @{text "c"}. This data can be easily
  generated from the declaration given by the user.
  To increase the confidence in this way of making definitions, we can prove
  that the terms involved are all typable.

  \begin{lemma}
  If @{text "ABS (\<sigma>, \<tau>)"} returns some abstraction function @{text "Abs"}
  and @{text "REP (\<sigma>, \<tau>)"} some representation function @{text "Rep"},
  then @{text "Abs"} is of type @{text "\<sigma> \<Rightarrow> \<tau>"} and @{text "Rep"} of type
  @{text "\<tau> \<Rightarrow> \<sigma>"}.
  \end{lemma}

  \begin{proof}
  By mutual induction and analysing the definitions of @{text "ABS"} and @{text "REP"}.
  The cases of equal types and function types are
  straightforward (the latter follows from @{text "\<singlearr>"} having the
  type @{text "(\<alpha> \<Rightarrow> \<beta>) \<Rightarrow> (\<gamma> \<Rightarrow> \<delta>) \<Rightarrow> (\<beta> \<Rightarrow> \<gamma>) \<Rightarrow> (\<alpha> \<Rightarrow> \<delta>)"}). In case of equal type
  constructors we can observe that a map-function after applying the functions
  @{text "ABS (\<sigma>s, \<tau>s)"} produces a term of type @{text "\<sigma>s \<kappa> \<Rightarrow> \<tau>s \<kappa>"}.  The
  interesting case is the one with unequal type constructors. Since we know
  the quotient is between @{text "\<alpha>s \<kappa>\<^isub>q"} and @{text "\<rho>s \<kappa>"}, we have
  that @{text "Abs_\<kappa>\<^isub>q"} is of type @{text "\<rho>s \<kappa> \<Rightarrow> \<alpha>s
  \<kappa>\<^isub>q"}. This type can be more specialised to @{text "\<rho>s[\<tau>s] \<kappa> \<Rightarrow> \<tau>s
  \<kappa>\<^isub>q"} where the type variables @{text "\<alpha>s"} are instantiated with the
  @{text "\<tau>s"}. The complete type can be calculated by observing that @{text
  "MAP (\<rho>s \<kappa>)"}, after applying the functions @{text "ABS (\<sigma>s', \<tau>s)"} to it,
  returns a term of type @{text "\<rho>s[\<sigma>s'] \<kappa> \<Rightarrow> \<rho>s[\<tau>s] \<kappa>"}. This type is
  equivalent to @{text "\<sigma>s \<kappa> \<Rightarrow> \<rho>s[\<tau>s] \<kappa>"}, which we just have to compose with
  @{text "\<rho>s[\<tau>s] \<kappa> \<Rightarrow> \<tau>s \<kappa>\<^isub>q"} according to the type of @{text "\<circ>"}.\qed
  \end{proof}
*}

section {* Respectfulness and Preservation \label{sec:resp} *}

text {*
  \noindent
  The main point of the quotient package is to automatically ``lift'' theorems
  involving constants over the raw type to theorems involving constants over
  the quotient type. Before we can describe this lifting process, we need to impose
  two restrictions in form of proof obligations that arise during the
  lifting. The reason is that even if definitions for all raw constants
  can be given, \emph{not} all theorems can be lifted to the quotient type. Most
  notable is the bound variable function, that is the constant @{text bn},
  defined
  for raw lambda-terms as follows

  \begin{isabelle}
  \begin{center}
  @{text "bn (x) \<equiv> \<emptyset>"}\hspace{4mm}
  @{text "bn (t\<^isub>1 t\<^isub>2) \<equiv> bn (t\<^isub>1) \<union> bn (t\<^isub>2)"}\smallskip\\
  @{text "bn (\<lambda>x. t) \<equiv> {x} \<union> bn (t)"}
  \end{center}
  \end{isabelle}

  \noindent
  We can generate a definition for this constant using @{text ABS} and @{text REP}.
  But this constant does \emph{not} respect @{text "\<alpha>"}-equivalence and
  consequently no theorem involving this constant can be lifted to @{text
  "\<alpha>"}-equated lambda terms. Homeier formulates the restrictions in terms of
  the properties of \emph{respectfulness} and \emph{preservation}. We have
  to slightly extend Homeier's definitions in order to deal with quotient
  compositions.

%%% FIXME: Reviewer 3 asks why are the definitions that follow enough to deal
%%% with quotient composition.

  To formally define what respectfulness is, we have to first define
  the notion of \emph{aggregate equivalence relations} using the function @{text "REL(\<sigma>, \<tau>)"}
  The idea behind this function is to simultaneously descend into the raw types
  @{text \<sigma>} and quotient types @{text \<tau>}, and generate the appropriate
  quotient equivalence relations in places where the types differ and equalities
  elsewhere.

  \begin{center}
  \hfill
  \begin{tabular}{l}
  \multicolumn{1}{@ {}l}{equal types:}
  @{text "REL (\<sigma>, \<sigma>)"} $\dn$ @{text "= :: \<sigma> \<Rightarrow> \<sigma> \<Rightarrow> bool"}\smallskip\\
   \multicolumn{1}{@ {}l}{equal type constructors:}\\
  @{text "REL (\<sigma>s \<kappa>, \<tau>s \<kappa>)"} $\dn$ @{text "rel_\<kappa> (REL (\<sigma>s, \<tau>s))"}\smallskip\\
  \multicolumn{1}{@ {}l}{unequal type constructors:}\\
  @{text "REL (\<sigma>s \<kappa>, \<tau>s \<kappa>\<^isub>q)"} $\dn$ @{text "rel_\<kappa>\<^isub>q (REL (\<sigma>s', \<tau>s))"}\\
  \end{tabular}\hfill\numbered{REL}
  \end{center}

  \noindent
  The @{text "\<sigma>s'"} in the last clause are calculated as in \eqref{ABSREP}:
  again we know that type @{text "\<alpha>s \<kappa>\<^isub>q"} is the quotient of the raw type
  @{text "\<rho>s \<kappa>"}. The @{text "\<sigma>s'"} are the substitutions for @{text "\<alpha>s"} obtained by matching
  @{text "\<rho>s \<kappa>"} and @{text "\<sigma>s \<kappa>"}.

  Let us return to the lifting procedure of theorems. Assume we have a theorem
  that contains the raw constant @{text "c\<^isub>r :: \<sigma>"} and which we want to
  lift to a theorem where @{text "c\<^isub>r"} is replaced by the corresponding
  constant @{text "c\<^isub>q :: \<tau>"} defined over a quotient type. In this situation
  we generate the following proof obligation

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "REL (\<sigma>, \<tau>) c\<^isub>r c\<^isub>r"}.
  \end{isabelle}

  \noindent
  Homeier calls these proof obligations \emph{respectfulness
  theorems}. However, unlike his quotient package, we might have several
  respectfulness theorems for one constant---he has at most one.
  The reason is that because of our quotient compositions, the types
  @{text \<sigma>} and @{text \<tau>} are not completely determined by @{text "c\<^bsub>r\<^esub>"}.
  And for every instantiation of the types, a corresponding
  respectfulness theorem is necessary.

  Before lifting a theorem, we require the user to discharge
  respectfulness proof obligations. In case of @{text bn}
  this obligation is %%as follows

  \begin{isabelle}\ \ \ \ \ %%%
  @{text  "(\<approx>\<^isub>\<alpha> \<doublearr> =) bn bn"}
  \end{isabelle}

  \noindent
  and the point is that the user cannot discharge it: because it is not true. To see this,
  we can just unfold the definition of @{text "\<doublearr>"} \eqref{relfun}
  using extensionality to obtain the false statement

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "\<forall>t\<^isub>1 t\<^isub>2. if t\<^isub>1 \<approx>\<^isub>\<alpha> t\<^isub>2 then bn(t\<^isub>1) = bn(t\<^isub>2)"}
  \end{isabelle}

  \noindent
  In contrast, lifting a theorem about @{text "append"} to a theorem describing
  the union of finite sets will mean to discharge the proof obligation

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(\<approx>\<^bsub>list\<^esub> \<doublearr> \<approx>\<^bsub>list\<^esub> \<doublearr> \<approx>\<^bsub>list\<^esub>) append append"}
  \end{isabelle}

  \noindent
  To do so, we have to establish

  \begin{isabelle}\ \ \ \ \ %%%
  if @{text "xs \<approx>\<^bsub>list\<^esub> ys"} and  @{text "us \<approx>\<^bsub>list\<^esub> vs"}
  then @{text "xs @ us \<approx>\<^bsub>list\<^esub> ys @ vs"}
  \end{isabelle}

  \noindent
  which is straightforward given the definition shown in \eqref{listequiv}.

  The second restriction we have to impose arises from non-lifted polymorphic
  constants, which are instantiated to a type being quotient. For example,
  take the @{term "cons"}-constructor to add a pair of natural numbers to a
  list, whereby we assume the pair of natural numbers turns into an integer in
  the quotient construction. The point is that we still want to use @{text
  cons} for adding integers to lists---just with a different type. To be able
  to lift such theorems, we need a \emph{preservation property} for @{text
  cons}. Assuming we have a polymorphic raw constant @{text "c\<^isub>r :: \<sigma>"}
  and a corresponding quotient constant @{text "c\<^isub>q :: \<tau>"}, then a
  preservation property is as follows

%%% FIXME: Reviewer 2 asks: You say what a preservation theorem is,
%%% but not which preservation theorems you assume. Do you generate a
%%% proof obligation for a preservation theorem for each raw constant
%%% and its corresponding lifted constant?

%%% Cezary: I think this would be a nice thing to do but we have not
%%% done it, the theorems need to be 'guessed' from the remaining obligations

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "Quot R\<^bsub>\<alpha>s\<^esub> Abs\<^bsub>\<alpha>s\<^esub> Rep\<^bsub>\<alpha>s\<^esub> implies  ABS (\<sigma>, \<tau>) c\<^isub>r = c\<^isub>r"}
  \end{isabelle}

  \noindent
  where the @{text "\<alpha>s"} stand for the type variables in the type of @{text "c\<^isub>r"}.
  In case of @{text cons} (which has type @{text "\<alpha> \<Rightarrow> \<alpha> list \<Rightarrow> \<alpha> list"}) we have

  \begin{isabelle}\ \ \ \ \ %%%
  @{text "(Rep \<singlearr> map_list Rep \<singlearr> map_list Abs) cons = cons"}
  \end{isabelle}

  \noindent
  under the assumption @{term "Quotient R Abs Rep"}. The point is that if we have
  an instance of @{text cons} where the type variable @{text \<alpha>} is instantiated
  with @{text "nat \<times> nat"} and we also quotient this type to yield integers,
  then we need to show this preservation property.

  %%%@ {thm [display, indent=10] Cons_prs2}

  %Given two quotients, one of which quotients a container, and the
  %other quotients the type in the container, we can write the
  %composition of those quotients. To compose two quotient theorems
  %we compose the relations with relation composition as defined above
  %and the abstraction and relation functions are the ones of the sub
  %quotients composed with the usual function composition.
  %The @ {term "Rep"} and @ {term "Abs"} functions that we obtain agree
  %with the definition of aggregate Abs/Rep functions and the
  %relation is the same as the one given by aggregate relations.
  %This becomes especially interesting
  %when we compose the quotient with itself, as there is no simple
  %intermediate step.
  %
  %Lets take again the example of @ {term flat}. To be able to lift
  %theorems that talk about it we provide the composition quotient
  %theorem which allows quotienting inside the container:
  %
  %If @ {term R} is an equivalence relation and @ {term "Quotient R Abs Rep"}
  %then
  %
  %@ {text [display, indent=10] "Quotient (list_rel R \<circ>\<circ>\<circ> \<approx>\<^bsub>list\<^esub>) (abs_fset \<circ> map_list Abs) (map_list Rep o rep_fset)"}
  %%%
  %%%\noindent
  %%%this theorem will then instantiate the quotients needed in the
  %%%injection and cleaning proofs allowing the lifting procedure to
  %%%proceed in an unchanged way.
*}

section {* Lifting of Theorems\label{sec:lift} *}

text {*

%%% FIXME Reviewer 3 asks: Section 5 shows the technicalities of
%%% lifting theorems. But there is no clarification about the
%%% correctness. A reader would also be interested in seeing some
%%% discussions about the generality and limitation of the approach
%%% proposed there

%%% TODO: This introduction is same as the introduction to the previous section.

  \noindent
  The main benefit of a quotient package is to lift automatically theorems over raw
  types to theorems over quotient types. We will perform this lifting in
  three phases, called \emph{regularization},
  \emph{injection} and \emph{cleaning} according to procedures in Homeier's ML-code.
  Space restrictions, unfortunately, prevent us from giving anything but a sketch of these three
  phases. However, we will precisely define the input and output data of these phases
  (this was omitted in \cite{Homeier05}).

  The purpose of regularization is to change the quantifiers and abstractions
  in a ``raw'' theorem to quantifiers over variables that respect their respective relations
  (Definition \ref{def:respects} states what respects means). The purpose of injection is to add @{term Rep}
  and @{term Abs} of appropriate types in front of constants and variables
  of the raw type so that they can be replaced by the corresponding constants from the
  quotient type. The purpose of cleaning is to bring the theorem derived in the
  first two phases into the form the user has specified. Abstractly, our
  package establishes the following three proof steps:

%%% FIXME: Reviewer 1 complains that the reader needs to guess the
%%% meaning of reg_thm and inj_thm, as well as the arguments of REG
%%% which are given above. I wouldn't change it.

  \begin{center}
  \begin{tabular}{l@ {\hspace{4mm}}l}
  1.) Regularization & @{text "raw_thm \<longrightarrow> reg_thm"}\\
  2.) Injection & @{text "reg_thm \<longleftrightarrow> inj_thm"}\\
  3.) Cleaning & @{text "inj_thm \<longleftrightarrow> quot_thm"}\\
  \end{tabular}
  \end{center}

  \noindent
  which means, stringed together, the raw theorem implies the quotient theorem.
  The core of the quotient package requires both the @{text "raw_thm"} (as a
  theorem) and the \emph{term} of the @{text "quot_thm"}. This lets the user
  have a finer control over which parts of a raw theorem should be lifted.
  We also provide more automated modes where either the @{text "quot_thm"} 
  is guessed from the form of @{text "raw_thm"} or the @{text "raw_thm"} is
  guessed from the current goal and these are described in Section \ref{sec:descending}.

  The second and third proof step performed in package will always succeed if the appropriate
  respectfulness and preservation theorems are given. In contrast, the first
  proof step can fail: a theorem given by the user does not always
  imply a regularized version and a stronger one needs to be proved. An example
  for this kind of failure is the simple statement for integers @{text "0 \<noteq> 1"}.
  One might hope that it can be proved by lifting @{text "(0, 0) \<noteq> (1, 0)"},
  but this raw theorem only shows that two particular elements in the
  equivalence classes are not equal. In order to obtain @{text "0 \<noteq> 1"}, a
  more general statement stipulating that the equivalence classes are not
  equal is necessary.  This kind of failure is beyond the scope where the
  quotient package can help: the user has to provide a raw theorem that
  can be regularized automatically, or has to provide an explicit proof
  for the first proof step. Homeier gives more details about this issue
  in the long version of \cite{Homeier05}.

  In the following we will first define the statement of the
  regularized theorem based on @{text "raw_thm"} and
  @{text "quot_thm"}. Then we define the statement of the injected theorem, based
  on @{text "reg_thm"} and @{text "quot_thm"}. We then show the three proof steps,
  which can all be performed independently from each other.

  We first define the function @{text REG}, which takes the terms of the
  @{text "raw_thm"} and @{text "quot_thm"} as input and returns
  @{text "reg_thm"}. The idea
  behind this function is that it replaces quantifiers and
  abstractions involving raw types by bounded ones, and equalities
  involving raw types by appropriate aggregate
  equivalence relations. It is defined by simultaneous recursion on
  the structure of  the terms of @{text "raw_thm"} and @{text "quot_thm"} as follows:
  %
  \begin{center}
  \begin{tabular}{@ {}l@ {}}
  \multicolumn{1}{@ {}l@ {}}{abstractions:}\\%%\smallskip\\
  @{text "REG (\<lambda>x\<^sup>\<sigma>. t, \<lambda>x\<^sup>\<tau>. s)"} $\dn$
  $\begin{cases}
  @{text "\<lambda>x\<^sup>\<sigma>. REG (t, s)"} \quad\mbox{provided @{text "\<sigma> = \<tau>"}}\\
  @{text "\<lambda>x\<^sup>\<sigma> \<in> Resp (REL (\<sigma>, \<tau>)). REG (t, s)"}
  \end{cases}$\\%%\smallskip\\
  \multicolumn{1}{@ {}l@ {}}{universal quantifiers:}\\
  @{text "REG (\<forall>x\<^sup>\<sigma>. t, \<forall>x\<^sup>\<tau>. s)"} $\dn$
  $\begin{cases}
  @{text "\<forall>x\<^sup>\<sigma>. REG (t, s)"} \quad\mbox{provided @{text "\<sigma> = \<tau>"}}\\
  @{text "\<forall>x\<^sup>\<sigma> \<in> Resp (REL (\<sigma>, \<tau>)). REG (t, s)"}
  \end{cases}$\\%%\smallskip\\
  \multicolumn{1}{@ {}l@ {}}{equality:  \hspace{3mm}%%}\smallskip\\
  %% REL of two equal types is the equality so we do not need a separate case
  @{text "REG (=\<^bsup>\<sigma>\<Rightarrow>\<sigma>\<Rightarrow>bool\<^esup>, =\<^bsup>\<tau>\<Rightarrow>\<tau>\<Rightarrow>bool\<^esup>)"} $\dn$ @{text "REL (\<sigma>, \<tau>)"}}\smallskip\\
  \multicolumn{1}{@ {}l@ {}}{applications, variables and constants:}\\
  @{text "REG (t\<^isub>1 t\<^isub>2, s\<^isub>1 s\<^isub>2)"} $\dn$ @{text "REG (t\<^isub>1, s\<^isub>1) REG (t\<^isub>2, s\<^isub>2)"}\\
  @{text "REG (x\<^isub>1, x\<^isub>2)"} $\dn$ @{text "x\<^isub>1"}\\
  @{text "REG (c\<^isub>1, c\<^isub>2)"} $\dn$ @{text "c\<^isub>1"}\\
  \end{tabular}
  \end{center}
  %
  \noindent
  In the above definition we omitted the cases for existential quantifiers
  and unique existential quantifiers, as they are very similar to the cases
  for the universal quantifier.

  Next we define the function @{text INJ} which takes as argument
  @{text "reg_thm"} and @{text "quot_thm"} (both as
  terms) and returns @{text "inj_thm"}:

  \begin{center}
  \begin{tabular}{l}
  \multicolumn{1}{@ {}l}{abstractions:}\\
  @{text "INJ (\<lambda>x. t :: \<sigma>, \<lambda>x. s :: \<tau>) "} $\dn$\\
  \hspace{18mm}$\begin{cases}
  @{text "\<lambda>x. INJ (t, s)"} \quad\mbox{provided @{text "\<sigma> = \<tau>"}}\\
  @{text "REP (\<sigma>, \<tau>) (ABS (\<sigma>, \<tau>) (\<lambda>x. INJ (t, s)))"}
  \end{cases}$\smallskip\\
  @{text "INJ (\<lambda>x \<in> R. t :: \<sigma>, \<lambda>x. s :: \<tau>) "} $\dn$\\
  \hspace{18mm}@{text "REP (\<sigma>, \<tau>) (ABS (\<sigma>, \<tau>) (\<lambda>x \<in> R. INJ (t, s)))"}\smallskip\\
  \multicolumn{1}{@ {}l}{universal quantifiers:}\\
  @{text "INJ (\<forall> t, \<forall> s) "} $\dn$ @{text "\<forall> INJ (t, s)"}\\
  @{text "INJ (\<forall> t \<in> R, \<forall> s) "} $\dn$ @{text "\<forall> INJ (t, s) \<in> R"}\smallskip\\
  \multicolumn{1}{@ {}l}{applications, variables and constants:}\smallskip\\
  @{text "INJ (t\<^isub>1 t\<^isub>2, s\<^isub>1 s\<^isub>2) "} $\dn$ @{text " INJ (t\<^isub>1, s\<^isub>1) INJ (t\<^isub>2, s\<^isub>2)"}\\
  @{text "INJ (x\<^isub>1\<^sup>\<sigma>, x\<^isub>2\<^sup>\<tau>) "} $\dn$
  $\begin{cases}
  @{text "x\<^isub>1"} \quad\mbox{provided @{text "\<sigma> = \<tau>"}}\\
  @{text "REP (\<sigma>, \<tau>) (ABS (\<sigma>, \<tau>) x\<^isub>1)"}\\
  \end{cases}$\\
  @{text "INJ (c\<^isub>1\<^sup>\<sigma>, c\<^isub>2\<^sup>\<tau>) "} $\dn$
  $\begin{cases}
  @{text "c\<^isub>1"} \quad\mbox{provided @{text "\<sigma> = \<tau>"}}\\
  @{text "REP (\<sigma>, \<tau>) (ABS (\<sigma>, \<tau>) c\<^isub>1)"}\\
  \end{cases}$\\
  \end{tabular}
  \end{center}

  \noindent
  In this definition we again omitted the cases for existential and unique existential
  quantifiers.

%%% FIXME: Reviewer2 citing following sentence: You mention earlier
%%% that this implication may fail to be true. Does that meant that
%%% the `first proof step' is a heuristic that proves the implication
%%% raw_thm \implies reg_thm in some instances, but fails in others?
%%% You should clarify under which circumstances the implication is
%%% being proved here.
%%% Cezary: It would be nice to cite Homeiers discussions in the
%%% Quotient Package manual from HOL (the longer paper), do you agree?

  In the first phase, establishing @{text "raw_thm \<longrightarrow> reg_thm"}, we always
  start with an implication. Isabelle provides \emph{mono} rules that can split up
  the implications into simpler implicational subgoals. This succeeds for every
  monotone connective, except in places where the function @{text REG} replaced,
  for instance, a quantifier by a bounded quantifier. To decompose them, we have
  to prove that the relations involved are aggregate equivalence relations.


  %In this case we have
  %rules of the form
  %
  % \begin{isabelle}\ \ \ \ \ %%%
  %@{text "(\<forall>x. R x \<longrightarrow> (P x \<longrightarrow> Q x)) \<longrightarrow> (\<forall>x. P x \<longrightarrow> \<forall>x \<in> R. Q x)"}
  %\end{isabelle}

  %\noindent
  %They decompose a bounded quantifier on the right-hand side. We can decompose a
  %bounded quantifier anywhere if R is an equivalence relation or
  %if it is a relation over function types with the range being an equivalence
  %relation. If @{text R} is an equivalence relation we can prove that

  %\begin{isabelle}\ \ \ \ \ %%%
  %@{text "\<forall>x \<in> Resp R. P x = \<forall>x. P x"}
  %\end{isabelle}

  %\noindent
  %If @{term R\<^isub>2} is an equivalence relation, we can prove that for any predicate @{term P}

%%% FIXME Reviewer 1 claims the theorem is obviously false so maybe we
%%% should include a proof sketch?

  %\begin{isabelle}\ \ \ \ \ %%%
  %@{thm (concl) ball_reg_eqv_range[of R\<^isub>1 R\<^isub>2]}
  %\end{isabelle}

  %\noindent
  %The last theorem is new in comparison with Homeier's package. There the
  %injection procedure would be used to prove such goals and
  %the assumption about the equivalence relation would be used. We use the above theorem directly,
  %because this allows us to completely separate the first and the second
  %proof step into two independent ``units''.

  The second phase, establishing @{text "reg_thm \<longleftrightarrow> inj_thm"},  starts with an equality
  between the terms of the regularized theorem and the injected theorem.
  The proof again follows the structure of the
  two underlying terms taking respectfulness theorems into account.

  %\begin{itemize}
  %\item For two constants an appropriate respectfulness theorem is applied.
  %\item For two variables, we use the assumptions proved in the regularization step.
  %\item For two abstractions, we @{text "\<eta>"}-expand and @{text "\<beta>"}-reduce them.
  %\item For two applications, we check that the right-hand side is an application of
  %  @{term Rep} to an @{term Abs} and @{term "Quotient R Rep Abs"} holds. If yes then we
  %  can apply the theorem:

  %\begin{isabelle}\ \ \ \ \ %%%
  %  @{term "R x y \<longrightarrow> R x (Rep (Abs y))"}
  %\end{isabelle}

  %  Otherwise we introduce an appropriate relation between the subterms
  %  and continue with two subgoals using the lemma:

  %\begin{isabelle}\ \ \ \ \ %%%
  %  @{text "(R\<^isub>1 \<doublearr> R\<^isub>2) f g \<longrightarrow> R\<^isub>1 x y \<longrightarrow> R\<^isub>2 (f x) (g y)"}
  %\end{isabelle}
  %\end{itemize}

  We defined the theorem @{text "inj_thm"} in such a way that
  establishing in the third phase the equivalence @{text "inj_thm \<longleftrightarrow> quot_thm"} can be
  achieved by rewriting @{text "inj_thm"} with the preservation theorems and quotient
  definitions. This step also requires that the definitions of all lifted constants
  are used to fold the @{term Rep} with the raw constants. We will give more details
  about our lifting procedure in a longer version of this paper.

  %Next for
  %all abstractions and quantifiers the lambda and
  %quantifier preservation theorems are used to replace the
  %variables that include raw types with respects by quantifiers
  %over variables that include quotient types. We show here only
  %the lambda preservation theorem. Given
  %@{term "Quotient R\<^isub>1 Abs\<^isub>1 Rep\<^isub>1"} and @{term "Quotient R\<^isub>2 Abs\<^isub>2 Rep\<^isub>2"}, we have:

  %\begin{isabelle}\ \ \ \ \ %%%
  %@{thm (concl) lambda_prs[of _ "Abs\<^isub>1" "Rep\<^isub>1" _ "Abs\<^isub>2" "Rep\<^isub>2"]}
  %\end{isabelle}

  %\noindent
  %Next, relations over lifted types can be rewritten to equalities
  %over lifted type. Rewriting is performed with the following theorem,
  %which has been shown by Homeier~\cite{Homeier05}:

  %\begin{isabelle}\ \ \ \ \ %%%
  %@{thm (concl) Quotient_rel_rep}
  %\end{isabelle}


  %Finally, we rewrite with the preservation theorems. This will result
  %in two equal terms that can be solved by reflexivity.
*}

section {* Derivation of the shape of lifted and raw theorems\label{sec:descending} *}

text {*
  In the previous sections we have assumed, that the user specifies
  both the raw theorem and the statement of the quotient one.
  This allows complete flexibility, as to which parts of the statement
  are lifted to the quotient level and which are intact. In
  other implementations of automatic quotients (for example Homeier's
  package) only the raw theorem is given to the quotient package and
  the package is able to guess the quotient one. In this
  section we give examples where there are multiple possible valid lifted
  theorems starting from a raw one. We also show a heuristic for
  computing the quotient theorem from a raw one, and a mechanism for
  guessing a raw theorem starting with a quotient one.
*}

subsection {* Multiple lifted theorems *}

text {*
  There are multiple reasons why multiple valid lifted theorems can arize.
  Below we describe three possible scenarios: multiple raw variable,
  multiple quotients for the same raw type and multiple quotients.

  Given a raw theorem there are often several variables that include
  a raw type. It this case, one can choose which of the variables to
  lift. In certain cases this can lead to a number of valid theorem
  statements, however type constraints may disallow certain combinations.
  Lets see an example where multiple variables can have different types.
  The Isabelle/HOL induction principle for two lists is:
  \begin{isabelle}\ \ \ \ \ %%%
  @{thm list_induct2'}
  \end{isabelle}

  the conclusion is a predicate of the form @{text "P xs ys"}, where
  the two variables are lists. When lifting such theorem to the quotient
  type one can choose if one want to quotient @{text "xs"} or @{text "ys"}, or
  both. All these give rise to valid quotiented theorems, however the
  automatic mode (or other quotient packages) would derive only the version
  with both being quotiented, namely:
  \begin{isabelle}\ \ \ \ \ %%%
  @{thm list_induct2'[quot_lifted]}
  \end{isabelle}

  A second scenario, where multiple possible quotient theorems arise is
  when a single raw type is used in two quotients. Consider three quotients
  of the list type: finite sets, finite multisets and lists with distinct
  elements. We have developed all three types with the help of the quotient
  package. Given a theorem that talks about lists --- for example the regular
  induction principle --- one can lift it to three possible theorems: the
  induction principle for finite sets, induction principle for finite
  multisets or the induction principle for distinct lists. Again given an
  induction principle for two lists this gives rise to 15 possible valid
  lifted theorems.

  In our developments using the quotient package we also encountered a
  scenario where multiple valid theorem statements arise, but the raw
  types are not identical. Consider the type of lambda terms, where the
  variables are indexed with strings. Quotienting lambda terms by alpha
  equivalence gives rise to a Nominal construction~\cite{Nominal}. However
  at the same time the type of strings being a list of characters can
  lift to theorems about finite sets of characters.
*}

subsection {* Derivation of the shape of theorems *}

text {*
  To derive a the shape of a lifted or raw theorem the quotient package
  first builds a type and term substitution.

  The list of type substitution is created by taking the pairs
  @{text "(raw_type, quotient_type)"} for every user defined quotient.
  The term substitutions are of two types: First for every user-defined
  quotient constant, the pair @{text "(raw_term, quotient_constant)"}
  is included in the substitution. Second, for every quotient relation
  @{text "\<approx>"} the pair @{text "(\<approx>, =)"} with the equality being the
  equality on the defined quotient type is included in the substitution.

  The derivation function next traverses the theorem statement expressed
  as a term and replaces the types of all free variables and of all
  lambda-abstractions using the type substitution. For every constant
  is not matched by the term substitution and we perform the type substitution
  on the type of the constant (this is necessary for quotienting theorems
  with polymorphic constants) or the type of the substitution is matched
  and the match is returned.

  The heuristic defined above is greedy and according to our experience
  this is what the user wants. The procedure may in some cases produce
  theorem statements that do not type-check. However verifying all
  possible theorem statements is too costly in general.
*}

subsection {* Interaction modes and derivation of the the shape of theorems *}

text {*
  In the quotient package we provide three interaction modes, that use
  can the procedure procedure defined in the previous subsection.

  First, the completely manual mode which we implemented as the
  Isabelle method @{text lifting}. In this mode the user first
  proves the raw theorem. Then the lifted theorem can be proved
  by the method lifting, that takes the reference to the raw theorem
  (or theorem list) as an argument. Such completely manual mode is
  necessary for theorems where the specification of the lifted theorem
  from the raw one is not unique, which we discussed in the previous
  subsection.

  Next, we provide a mode for automatically lifting a given
  raw theorem. We implemented this mode as an isabelle attribute,
  so given the raw theorem @{text thm}, the user can refer to the
  theorem @{text "thm[quot_lifted]"}.

  Finally we provie a method for translating a given quotient
  level theorem to a raw one. We implemented this as an Isabelle
  method @{text descending}. The user starts with expressing a
  quotient level theorem statement and applies this method.
  The quotient package derives a raw level statement and assumes
  it as a subgoal. Given that this subgoal is proved, the quotient
  package can lift the raw theorem fulfilling the proof of the
  original lifted theorem statement. 
*}

section {* Conclusion and Related Work\label{sec:conc}*}

text {*

  \noindent
  The code of the quotient package and the examples described here are already
  included in the standard distribution of Isabelle.
  \footnote{Available from \href{http://isabelle.in.tum.de/}{http://isabelle.in.tum.de/}.}
  The package is
  heavily used in the new version of Nominal Isabelle, which provides a
  convenient reasoning infrastructure for programming language calculi
  involving general binders.  To achieve this, it builds types representing
  @{text \<alpha>}-equivalent terms.  Earlier versions of Nominal Isabelle have been
  used successfully in formalisations of an equivalence checking algorithm for
  LF \cite{UrbanCheneyBerghofer08}, Typed
  Scheme~\cite{TobinHochstadtFelleisen08}, several calculi for concurrency
  \cite{BengtsonParow09} and a strong normalisation result for cut-elimination
  in classical logic \cite{UrbanZhu08}.

  {\bf INSTEAD OF NOMINAL WORK, GIVE WORK BY BULWAHN ET AL?}

  There is a wide range of existing literature for dealing with quotients
  in theorem provers.  Slotosch~\cite{Slotosch97} implemented a mechanism that
  automatically defines quotient types for Isabelle/HOL. But he did not
  include theorem lifting.  Harrison's quotient package~\cite{harrison-thesis}
  is the first one that is able to automatically lift theorems, however only
  first-order theorems (that is theorems where abstractions, quantifiers and
  variables do not involve functions that include the quotient type). There is
  also some work on quotient types in non-HOL based systems and logical
  frameworks, including theory interpretations in
  PVS~\cite{PVS:Interpretations}, new types in MetaPRL~\cite{Nogin02}, and
  setoids in Coq \cite{ChicliPS02}.  Paulson showed a construction of
  quotients that does not require the Hilbert Choice operator, but also only
  first-order theorems can be lifted~\cite{Paulson06}.  The most related work
  to our package is the package for HOL4 by Homeier~\cite{Homeier05}.  He
  introduced most of the abstract notions about quotients and also deals with
  lifting of higher-order theorems. However, he cannot deal with quotient
  compositions (needed for lifting theorems about @{text flat}). Also, a
  number of his definitions, like @{text ABS}, @{text REP} and @{text INJ} etc
  only exist in \cite{Homeier05} as ML-code, not included in the paper.
  Like Homeier's, our quotient package can deal with partial equivalence
  relations, but for lack of space we do not describe the mechanisms
  needed for this kind of quotient constructions.

%%% FIXME Reviewer 3 would like to know more about the lifting in Coq and PVS,
%%% and some comparison. I don't think we have the space for any additions...

  One feature of our quotient package is that when lifting theorems, the user
  can precisely specify what the lifted theorem should look like. This feature
  is necessary, for example, when lifting an induction principle for two
  lists.  Assuming this principle has as the conclusion a predicate of the
  form @{text "P xs ys"}, then we can precisely specify whether we want to
  quotient @{text "xs"} or @{text "ys"}, or both. We found this feature very
  useful in the new version of Nominal Isabelle, where such a choice is
  required to generate a reasoning infrastructure for alpha-equated terms.
%%
%% give an example for this
%%
  \smallskip

  \noindent
  {\bf Acknowledgements:} We would like to thank Peter Homeier for the many
  discussions about his HOL4 quotient package and explaining to us
  some of its finer points in the implementation. Without his patient
  help, this work would have been impossible. We would like to thank
  Andreas Lochbiler for his comments on the first version of the quotient
  package, in particular for the suggestions about the descending method.

*}

text_raw {*
  %%\bibliographystyle{abbrv}
  \bibliography{root}

  \appendix

*}

section {* Examples \label{sec:examples} *}

text {*

%%% FIXME Reviewer 1 would like an example of regularized and injected
%%% statements. He asks for the examples twice, but I would still ignore
%%% it due to lack of space...

  \noindent
  In this appendix we will show a sequence of declarations for defining the
  type of integers by quotienting pairs of natural numbers, and
  lifting one theorem.

  A user of our quotient package first needs to define a relation on
  the raw type with which the quotienting will be performed. We give
  the same integer relation as the one presented in \eqref{natpairequiv}:

  \begin{isabelle}\ \ \ \ \ %
  \begin{tabular}{@ {}l}
  \isacommand{fun}~~@{text "int_rel :: (nat \<times> nat) \<Rightarrow> (nat \<times> nat) \<Rightarrow> bool"}\\
  \isacommand{where}~~@{text "int_rel (m, n) (p, q) = (m + q = n + p)"}
  \end{tabular}
  \end{isabelle}

  \noindent
  Next the quotient type must be defined. This generates a proof obligation that the
  relation is an equivalence relation, which is solved automatically using the
  definition of equivalence and extensionality:

  \begin{isabelle}\ \ \ \ \ %
  \begin{tabular}{@ {}l}
  \isacommand{quotient\_type}~~@{text "int"}~~\isacommand{=}~~@{text "(nat \<times> nat)"}~~\isacommand{/}~~@{text "int_rel"}\\
  \hspace{5mm}@{text "by (auto simp add: equivp_def expand_fun_eq)"}
  \end{tabular}
  \end{isabelle}

  \noindent
  The user can then specify the constants on the quotient type:

  \begin{isabelle}\ \ \ \ \ %
  \begin{tabular}{@ {}l}
  \isacommand{quotient\_definition}~~@{text "0 :: int"}~~\isacommand{is}~~@{text "(0 :: nat, 0 :: nat)"}\\[3mm]
  \isacommand{fun}~~@{text "add_pair"}\\
  \isacommand{where}~~%
  @{text "add_pair (m, n) (p, q) \<equiv> (m + p :: nat, n + q :: nat)"}\\
  \isacommand{quotient\_definition}~~@{text "+ :: int \<Rightarrow> int \<Rightarrow> int"}~~%
  \isacommand{is}~~@{text "add_pair"}\\
  \end{tabular}
  \end{isabelle}

  \noindent
  The following theorem about addition on the raw level can be proved.

  \begin{isabelle}\ \ \ \ \ %
  \isacommand{lemma}~~@{text "add_pair_zero: int_rel (add_pair (0, 0) x) x"}
  \end{isabelle}

  \noindent
  If the user lifts this theorem, the quotient package performs all the lifting
  automatically leaving the respectfulness proof for the constant @{text "add_pair"}
  as the only remaining proof obligation. This property needs to be proved by the user:

  \begin{isabelle}\ \ \ \ \ %
  \begin{tabular}{@ {}l}
  \isacommand{lemma}~~@{text "[quot_respect]:"}\\
  @{text "(int_rel \<doublearr> int_rel \<doublearr> int_rel) add_pair add_pair"}
  \end{tabular}
  \end{isabelle}

  \noindent
  It can be discharged automatically by Isabelle when hinting to unfold the definition
  of @{text "\<doublearr>"}.
  After this, the user can prove the lifted lemma as follows:

  \begin{isabelle}\ \ \ \ \ %
  \isacommand{lemma}~~@{text "0 + (x :: int) = x"}~~\isacommand{by}~~@{text "lifting add_pair_zero"}
  \end{isabelle}

  \noindent
  or by using the completely automated mode stating just:

  \begin{isabelle}\ \ \ \ \ %
  \isacommand{thm}~~@{text "add_pair_zero[quot_lifted]"}
  \end{isabelle}

  \noindent
  Both methods give the same result, namely @{text "0 + x = x"}
  where @{text x} is of type integer.
  Although seemingly simple, arriving at this result without the help of a quotient
  package requires a substantial reasoning effort (see \cite{Paulson06}).

  {\bf \begin{itemize}
  \item explain how Quotient R Abs Rep is proved
  \item Type maps and Relation maps (show the case for functions)
  \item Quotient extensions (quot\_thms)
  \item Respectfulness and preservation
  - Show special cases for quantifiers and lambda
  - How do prs theorems look like for quotient compositions
  \item Quotient-type locale
  - Show the proof as much simpler than Homeier's one
  \item ??? Infrastructure for storing theorems (rsp, prs, eqv, quot and idsimp)
  \item Lifting vs Descending vs quot\_lifted
  - automatic theorem translation heuristic
  \item Partial equivalence quotients
  - Bounded abstraction
  - Respects
  - partial descending
  \item The heuristics for automatic regularization, injection and cleaning.
  \item A complete example of a lifted theorem together with the regularized
  injected and cleaned statement
  \item Examples of quotients and properties that we used the package for.
  \item co/contra-variance from Ondrej should be taken into account
  \item give an example where precise specification of goal is necessary
  \item mention multiple map\_prs2 theorems for compositional quotients
  \end{itemize}}
*}



(*<*)
end
(*>*)