Nominal/example.html--
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 30 Mar 2016 17:27:34 +0100
changeset 415 f1be8028a4a9
permissions -rw-r--r--
updated
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <title>Nominal Methods Group</title>
  <link rel="stylesheet" href="nominal.css">
</head>
<body>
<div align="right" style="position:relative; left:15%; width:80%">
<P>
<small>
<SCRIPT LANGUAGE="JAVASCRIPT" type="text/javascript">
<!--
var r_text = new Array ();
r_text[0] = "<em>\"Proving theorems about substitutions (and related operations such as alpha-conversion) required far more time and HOL code than any other variety of theorem.\"<br><\/em>M. VanInwegen using a concrete representation for binders in her PhD-thesis, 1996";
r_text[1] = "<em>\"When doing the formalization, I discovered that the core part of the proof... is fairly straightforward and only requires a good understanding of the paper version. However, in completing the proof I observed that in certain places I had to invest much more work than expected, e.g. proving lemmas about substitution and weakening.\"<\/em><br>T. Altenkirch using de Bruijn indices in Proc. of TLCA, 1993";
r_text[2] = "<em>\"Technical work, however, still represents the biggest part of our implementation, mainly due to the managing of de Bruijn indexes...Of our 800 proved lemmas, about 600 are concerned with operators on free names.\"<\/em><br>D. Hirschkoff in Proc. of TPHOLs, 1997";
r_text[3] = "<em>\"It took the author many long months to complete the work on this formalization...The part concerning substitution is by far the largest part of the whole development.\"<\/em><br>A. Koprowski using de Bruijn indices in a draft paper, 2006";
r_text[4] = "<em>\"We thank T. Thacher Robinson for showing us on August 19, 1962 by a counterexample the existence of an error in our handling of bound variables.\"<\/em><br>S. Kleene in J. of Symbolic Logic 21(1):11-18, 1962";
r_text[5] = "<em>\"The main drawback in HOAS is the difficulty of dealing with metatheoretic issues concerning names in processes...As a consequence, some metatheoretic properties involving substitution and freshness of names inside proofs and processes cannot be proved inside the framework and instead have to be postulated.\"<\/em><br>F. Honsell, M. Miculan and I. Scagnetto in Theoretical Computer Science, 253(2):239-285, 2001";
r_text[6] = "<em>\"Because Twelf metatheorems are proved using totality assertions about LF type families, the class of metatheorems that can be mechanized is restricted to All/Exists-statements over LF types. On the one hand, as the successful Twelf formalizations cited in Section 5 demonstrate, these All/Exists-statements have proved to be sufficient for formalizing a wide variety of metatheorems about programming languages and logics. On the other hand, we have no way to quantify when metatheorems of this form will be sufficient, and there are some well-known examples of proofs that cannot be formalized directly using Twelf as metatheorem language. For example, proofs by logical relations often require more quantifier complexity than All/Exists-statements afford.\"<\/em><br>Robert Harper and Daniel Licata in a paper on Twelf, 2007";
r_text[7] = "<em>\"So we cannot, hand-on-heart, recommend the vanilla LN style for anything but small, kernel language developments. \"<\/em><br>in F-ing Modules by Rossberg, Russo and Dreyer, TLDI 2010";
r_text[8] = "<em>\"Higher-order abstract syntax is a convenient way to approach languages with binding, but it is possible to imagine a problem where manipulating a fully concrete object without binding is simpler. In these cases, it is possible to establish a bijection between your HOAS terms and de Bruijn versions of the same terms. \"<\/em><br>Interesting responses from the <A HREF=\"http://twelf.plparty.org/wiki/Ask_Twelf_Elf\">Twelf wiki.</A> (To be honest, the same comment applies to Nominal. --cu)";
var i = Math.floor(r_text.length*Math.random());
document.write(r_text[i]);
//-->
</SCRIPT>
</small>
</P>
</div>
<H1>Barendregt's Substitution Lemma</H1>
<P>
Let us explain one of our results with a simple proof about the lambda calculus. 
An informal "pencil-and-paper" proof typically looks as follows (this one is taken from <A
HREF="http://www.cs.ru.nl/~henk/" target="_top">Barendregt's</A> classic book
on the lambda calculus):
</P>
<!-- Barendregt's proof -->
<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
 <TD style="background-color: rgb(180, 180, 180);">
  <B>2.1.16. Substitution Lemma:</B> If <I>x&ne;y</I> and <I>x</I> not free in <I>L</I>, 
  then
 </TD>
</TR>
<TR>
 <TD style="background-color: rgb(180, 180, 180);">
  <CENTER><I>M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]</I>.</CENTER>
 </TD> 
</TR>
<TR>
<TD style="background-color: rgb(210, 210, 210);">
<B>Proof:</B> By induction on the structure of <I>M</I>.
<DL>
<DT>Case 1. <I>M</I> is a variable.<DD>
<DL>
<DT>Case 1.1. <I>M=x</I>. Then both sides equal <I>N[y:=L]</I> since <I>x&ne;y</I>.
<DT>Case 1.2. <I>M=y</I>. Then both sides equal <I>L</I>, for <I>x</I> not free in <I>L</I> 
              implies <I>L[x:=...]=L</I>. 
<DT>Case 1.3. <I>M=z&ne;x,y</I>. Then both sides equal <I>z</I>.
</DL></DD>
<DT>Case 2. <I>M=&lambda;z.M<SUB>1</SUB></I>. <DD>By the variable convention we may assume that 
<I>z&ne;x,y</I> and <I>z</I> is not free in <I>N</I>, <I>L</I>. Then by the induction hypothesis<BR>
<CENTER>
<TABLE>
<TR><TD ALIGN=RIGHT><I>(&lambda;z.M<SUB>1</SUB>)[x:=N][y:=L]</I></TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>&lambda;z.M<SUB>1</SUB>[x:=N][y:=L]</I></TD>
</TR>
<TR><TD ALIGN=RIGHT>&nbsp;</TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>&lambda;z.M<SUB>1</SUB>[y:=L][x:=N[y:=L]]</I></TD>
</TR>
<TR><TD ALIGN=RIGHT>&nbsp;</TD>
    <TD ALIGN=CENTER><I>=</I></TD>
    <TD ALIGN=Left><I>(&lambda;z.M<SUB>1</SUB>)[y:=L][x:=N[y:=L]]</I>.</TD>
</TR>
</TABLE>
</CENTER>
<DT>Case 3. <I>M=M<SUB>1</SUB> M<SUB>2</SUB></I>.<DD>Then the statement follows
again from the induction hypothesis.
</DL>
</TD>
</TR>
</TABLE>
</CENTER>
<P>
 We want to make it as easy as possible to formalise such informal proofs (and
more complicated ones). Inspired by the <A
HREF="http://fling-l.seas.upenn.edu/~plclub/cgi-bin/poplmark/"
target="_top">PoplMark Challenge</A>, we want the masses to use theorem
assistants to do their formal proofs.
</P>
<P>
Since the kind of informal reasoning illustrated by Barendregt's proof is very
common in the literature on programming languages, it might be surprising that 
implementing his proof
in a theorem assistant is not a trivial task. This is because he relies
implicitly on some assumptions and conventions. For example he states in his
book:
</P>
<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD style="background-color: rgb(180, 180, 180);">
<B>2.1.12. Convention.</B> Terms that are &alpha;-congruent are identified. So now we
write <I>&lambda;x.x=&lambda;y.y</I>, etcetera.
</TD>
</TR>
</TABLE>
</CENTER>
<CENTER>
<TABLE style="text-align: left; width: 90%;" BORDER=0 CELLSPACING=0 CELLPADDING=5>
<TR>
<TD style="background-color: rgb(180, 180, 180);">
<B>2.1.13. Variable Convention.</B> If <I>M<SUB>1</SUB>,...,M<SUB>n</SUB></I> occur
in a certain mathematical context (e.g. definition, proof), then in these terms all
bound variables are chosen to be different from the free variables.
</TD>
</TR>
</TABLE>
</CENTER>
<P>
The first convention is crucial for the proof above as it allows one to deal
with the variable case by using equational reasoning - one can just calculate
what the results of the substitutions are. If one uses un-equated, or raw, lambda-terms,
the same kind of reasoning cannot be performed (the reasoning then has to be 
modulo &alpha;-equivalence, which causes a lot of headaches in
the lambda-case.)  But if the data-structure over which the proof is
formulated is &alpha;-equivalence classes of lambda-terms, then what is the
principle "by induction over the structure of <I>M</I>"?  There is an
induction principle "over the structure" for (un-equated) lambda-terms. But
quotienting lambda-terms by &alpha;-equivalence does not automatically lead to
such a principle for &alpha;-equivalence classes. This seems to be a point
that is nearly always ignored in the literature. In fact it takes, as we have
shown in [1] and [2], some serious work to provide such an induction principle
for &alpha;-equivalence classes.
</P>
<P>
The second problem for an implementation of Barendregt's proof is his use of
the variable convention: there is just no proof-principle "by convention" in a
theorem assistant. Taking a closer look at Barendregt's reasoning, it turns
out that for a proof obligation of the form "for all &alpha;-equated
lambda-terms <I>&lambda;z.M<SUB>1</SUB></I>...", he does not establish this
proof obligation for all <I>&lambda;z.M<SUB>1</SUB></I>, but only for some
carefully chosen &alpha;-equated lambda-terms, namely the ones for which
<I>z</I> is not free in <I>x,y,N</I> and <I>L</I>. This style of reasoning
clearly needs some justification and in fact depends on some assumptions of
the "context" of the induction. By "context" of the induction we mean the
variables <I>x,y,N</I> and <I>L</I>. When employing the variable convention in
a formal proof, one always implicitly assumes that one can choose a fresh name
for this context. This might, however, not always be possible, for example
when the context already mentions all names. Also we found out recently that the 
use of the variable convention in proofs by rule-induction can lead to
faulty reasoning [5]. So our work introduces safeguards that ensure that the 
use of the variable convention is always safe. 
</P>
<P>
One might conclude from our comments about Barendregt's proof that it is no
proof at all.  This is, however, not the case! With Nominal Isabelle
and its infrastructure one can easily formalise his reasoning. One first 
has to declare the structure of <U>&alpha;-equated</U>
lambda-terms as a nominal datatype:
</P>
<div class="codedisplay"> atom_decl name
 nominal_datatype term = Var "name"
                       | App "term" "term"
                       | Lam "&laquo;name&raquo;term"
</div>
f1be8028a4a9 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   196
f1be8028a4a9 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents:
diff changeset
   197
<P>
Note, though, that nominal datatypes are not datatypes in the traditional
sense, but stand for &alpha;-equivalence classes.  Indeed we have for terms of
type <code>term</code> the equation(!)
</P>

<div class="codedisplay"> lemma alpha: "Lam [a].(Var a) = Lam [b].(Var b)"
</div>


<P>
which does not hold for traditional datatypes (note that we write
lambda-abstractions as <code>Lam [a].t</code>). The proof of the substitution
lemma can then be formalised as follows:
</P>

<div class="codedisplay"> lemma substitution_lemma:
  assumes asm: "x&ne;y" "x#L"
  shows "M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]"
  using asm
 by (nominal_induct M avoiding: x y N L rule: term.induct)
    (auto simp add: forget fresh_fact)
</div>


<P>
where the assumption "<I>x</I> is fresh for <I>L</I>", written <code>x#L</code>,
encodes the usual relation of "<I>x</I> not free in <I>L</I>". The method
<code>nominal_induct</code> takes as arguments the variable over which the
induction is performed (here <I>M</I>), and the context of the induction,
which consists of the variables mentioned in the variable convention (that is
the part in Barendregt's proof where he writes "...we may assume that
<I>z&ne;x,y</I> and <I>z</I> is not free in <I>N,L</I>"). The last argument of
<code>nominal_induct</code> specifies which induction rule should be applied -
in this case induction over &alpha;-equated lambda-terms, an induction
principle Nominal Isabelle provides automatically when the nominal datatype
<code>term</code> is defined. The implemented proof of the substitution lemma
then proceeds completely automatically, except that the facts
<code>forget</code> and <code>fresh_fact</code> have to be mentioned; these are
proved separately (also by induction over &alpha;-equated lambda-terms).</P>


<P>
The lemma <code>forget</code> shows that if <I>x</I> is not
free in <I>L</I>, then <I>L[x:=...]=L</I> (Barendregt's Case 1.2). Its formalised proof
is as follows:
</P>

<div class="codedisplay"> lemma forget:
  assumes asm: "x#L"
  shows "L[x:=P] = L"
  using asm
 by (nominal_induct L avoiding: x P rule: term.induct)
    (auto simp add: abs_fresh fresh_atm)
</div>


<P>
In this proof <code>abs_fresh</code> is an automatically generated lemma that
establishes when <I>x</I> is fresh for a lambda-abstraction, namely
<I>x#Lam [z].P'</I> if and only if <I>x=z</I> or (<I>x&ne;z</I> and <I>x#P'</I>);
<code>fresh_atm</code> states that <I>x#y</I> if and only if <I>x&ne;y</I>. The lemma
<code>fresh_fact</code> proves the property that if <I>z</I> does not occur
freely in <I>N</I> and <I>L</I> then it also does not occur freely in
<I>N[y:=L]</I>. This fact can be formalised as follows:</P>

<div class="codedisplay"> lemma fresh_fact:
  assumes asm: "z#N" "z#L"
  shows "z#N[y:=L]"
  using asm
 by (nominal_induct N avoiding: z y L rule: term.induct)
    (auto simp add: abs_fresh fresh_atm)
</div>

<P>
Although the latter lemma does not appear explicitly in Barendregt's reasoning, it is required
in the last step of the lambda-case (Case 2) where he pulls the substitution from under
the binder <I>z</I> (the interesting step is marked with a&nbsp;&bull;):</P>
<CENTER>
<TABLE>
<TR><TD>&nbsp;</TD><TD><I>&lambda;z.(M<SUB>1</SUB>[y:=L][x:=N[y:=L]])</I></TD><TD>&nbsp;</TD></TR>
<TR><TD>=</TD><TD><I>(&lambda;z.M<SUB>1</SUB>[y:=L])[x:=N[y:=L]]</I></TD><TD>&nbsp;&nbsp;&bull;</TD></TR>
<TR><TD>=</TD><TD><I>(&lambda;z.M<SUB>1</SUB>)[y:=L][x:=N[y:=L]]</I></TD><TD>&nbsp;</TD></TR>
</TABLE>
</CENTER>

<P>
After these 22 lines one has a completely formalised proof of the substitution
lemma. This proof does not rely on any axioms, apart from the ones on which
HOL is built.
</P><BR>
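<P>
As an added example (Python, not code from the page or from Nominal Isabelle): the substitution lemma, <code>forget</code> and <code>fresh_fact</code> above, run on concrete lambda-terms. It represents terms with explicit binder names and renames a binder whenever a substitution would capture it, so equality is checked with an explicit <code>alpha_eq</code>; the term constructors, the <code>fresh_name</code> numbering scheme and the sample terms <code>M</code>, <code>N</code>, <code>L</code> are this example's own assumptions.
</P>

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    fun: Term
    arg: Term

@dataclass(frozen=True)
class Lam:
    binder: str  # the bound name: Lam [binder].body in the page's notation
    body: Term

Term = Union[Var, App, Lam]

def show(t: Term) -> str:
    """Render a term in the page's notation, e.g. Lam [a].a."""
    if isinstance(t, Var):
        return t.name
    if isinstance(t, App):
        return f"({show(t.fun)} {show(t.arg)})"
    return f"Lam [{t.binder}].{show(t.body)}"

def free_vars(t: Term) -> frozenset[str]:
    """Free names of t; 'x is fresh for t' (x#t) means x not in free_vars(t)."""
    if isinstance(t, Var):
        return frozenset({t.name})
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.binder}

def fresh(x: str, t: Term) -> bool:
    """x#t in the page's notation."""
    return x not in free_vars(t)

def fresh_name(base: str, avoid: frozenset[str]) -> str:
    """A name outside `avoid`; the numbering scheme is this example's own choice."""
    return next(f"{base}{i}" for i in count() if f"{base}{i}" not in avoid)

def subst(t: Term, x: str, n: Term) -> Term:
    """t[x:=n], capture-avoiding: a binder that occurs free in n is renamed first.
    That renaming is what Barendregt's variable convention lets him skip: he
    assumes the bound z differs from x, y and is not free in N and L."""
    if isinstance(t, Var):
        return n if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, n), subst(t.arg, x, n))
    if t.binder == x:
        return t  # x is bound here, so nothing under the binder refers to it
    if t.binder in free_vars(n):
        z = fresh_name(t.binder, free_vars(n) | free_vars(t.body) | {x})
        return Lam(z, subst(subst(t.body, t.binder, Var(z)), x, n))
    return Lam(t.binder, subst(t.body, x, n))

def alpha_eq(s: Term, t: Term, env_s: tuple = (), env_t: tuple = ()) -> bool:
    """Alpha-equivalence: bound names compared by binder depth, free names literally."""
    if isinstance(s, Var) and isinstance(t, Var):
        bound_s, bound_t = s.name in env_s, t.name in env_t
        if bound_s or bound_t:
            return bound_s and bound_t and env_s[::-1].index(s.name) == env_t[::-1].index(t.name)
        return s.name == t.name
    if isinstance(s, App) and isinstance(t, App):
        return alpha_eq(s.fun, t.fun, env_s, env_t) and alpha_eq(s.arg, t.arg, env_s, env_t)
    if isinstance(s, Lam) and isinstance(t, Lam):
        return alpha_eq(s.body, t.body, env_s + (s.binder,), env_t + (t.binder,))
    return False

# The page's three lemmas as executable checks on concrete terms.
def substitution_lemma_holds(m: Term, x: str, n: Term, y: str, l: Term) -> bool:
    """M[x:=N][y:=L] = M[y:=L][x:=N[y:=L]]; holds only under x != y and x#L."""
    return alpha_eq(subst(subst(m, x, n), y, l), subst(subst(m, y, l), x, subst(n, y, l)))

def forget_holds(l: Term, x: str, p: Term) -> bool:
    """L[x:=P] = L whenever x#L (Barendregt's Case 1.2)."""
    return alpha_eq(subst(l, x, p), l)

def fresh_fact_holds(n: Term, z: str, y: str, l: Term) -> bool:
    """z#N and z#L imply z#N[y:=L]."""
    return fresh(z, subst(n, y, l))

# Constructed sample terms (not from the page).  The binder z of M occurs free
# in L, so the variable convention does not hold and subst has to rename z.
M = Lam("z", App(Var("x"), Var("y")))
N = App(Var("y"), Var("w"))
L = Var("z")
```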

<P><!-- Created: Tue Mar  4 00:23:25 GMT 1997 -->
<!-- hhmts start -->
Last modified: Mon May  9 05:35:17 BST 2011
<!-- hhmts end -->

</body>
</html>