diff --git a/thys/Q0_Soundness/HOLZF_Set_Theory.thy b/thys/Q0_Soundness/HOLZF_Set_Theory.thy new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/HOLZF_Set_Theory.thy @@ -0,0 +1,8 @@ +section \Isabelle/HOLZF lives up to CakeML's set theory specification\ + +theory HOLZF_Set_Theory imports "HOL-ZF.MainZF" Set_Theory begin + +interpretation set_theory Elem Sep Power Sum Upair + using Ext Sep Power subset_def Sum Upair by unfold_locales auto + +end diff --git a/thys/Q0_Soundness/Q0.thy b/thys/Q0_Soundness/Q0.thy new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/Q0.thy @@ -0,0 +1,2414 @@ +section \Q0 abbreviations\ + +theory Q0 + imports Set_Theory + abbrevs "App" = "\<^bold>\" + and "Abs" = "\<^bold>[\<^bold>\_:_. _\<^bold>]" + and "Eql" = "\<^bold>[_ \<^bold>=_\<^bold>= _\<^bold>]" + and "Con" = "\<^bold>\" + and "Forall" = "\<^bold>[\<^bold>\_:_. _\<^bold>]" + and "Imp" = "\<^bold>\" + and "Fun" = "\<^bold>\" +begin + +lemma arg_cong3: "a = b \ c = d \ e = f \ h a c e = h b d f" + by auto + + +section \Syntax and typing\ + +datatype type_sym = + Ind | + Tv | + Fun type_sym type_sym (infixl "\<^bold>\" 80) + +type_synonym var_sym = string +type_synonym cst_sym = string + +datatype trm = + Var var_sym type_sym | + Cst cst_sym type_sym | + App trm trm (infixl "\<^bold>\" 80) | + Abs var_sym type_sym trm ("\<^bold>[\<^bold>\_:_. _\<^bold>]" [80,80,80]) + +fun vars :: "trm \ (var_sym * type_sym) set" where + "vars (Var x \) = {(x,\)}" +| "vars (Cst _ _) = {}" +| "vars (A \<^bold>\ B) = vars A \ vars B" +| "vars (\<^bold>[\<^bold>\x:\. A\<^bold>]) = {(x,\)} \ vars A" + +fun frees :: "trm \ (var_sym * type_sym) set" where + "frees (Var x \) = {(x,\)}" +| "frees (Cst _ _) = {}" +| "frees (A \<^bold>\ B) = frees A \ frees B" +| "frees (\<^bold>[\<^bold>\x:\. A\<^bold>]) = frees A - {(x,\)}" + +lemma frees_subset_vars: + "frees A \ vars A" + by (induction A) auto + +inductive wff :: "type_sym \ trm \ bool" where + wff_Var: "wff \ (Var _ \)" +| wff_Cst: "wff \ (Cst _ \)" +| wff_App: "wff (\ \<^bold>\ \) A \ wff \ B \ wff \ (A \<^bold>\ B)" +| wff_Abs: "wff \ A \ wff (\ \<^bold>\ \) \<^bold>[\<^bold>\x:\. A\<^bold>]" + +fun type_of :: "trm \ type_sym" where + "type_of (Var x \) = \" +| "type_of (Cst c \) = \" +| "type_of (A \<^bold>\ B) = + (case type_of A of \ \<^bold>\ \ \ \)" +| "type_of \<^bold>[\<^bold>\x:\. A\<^bold>] = (type_of A) \<^bold>\ \" + +lemma type_of[simp]: + "wff \ A \ type_of A = \" + by (induction rule: wff.induct) auto + +lemma wff_Var'[simp, code]: + "wff \ (Var x \) \ \ = \" + using wff.cases wff_Var by auto + +lemma wff_Cst'[simp, code]: + "wff \ (Cst c \) \ \ = \" + using wff.cases wff_Cst by auto + +lemma wff_App'[simp]: + "wff \ (A \<^bold>\ B) \ (\\. wff (\ \<^bold>\ \) A \ wff \ B)" +proof + assume "wff \ (A \<^bold>\ B)" + then show "\\. wff (\ \<^bold>\ \) A \ wff \ B" + using wff.cases by fastforce +next + assume "\\. wff (\ \<^bold>\ \) A \ wff \ B" + then show "wff \ (A \<^bold>\ B)" + using wff_App by auto +qed + +lemma wff_Abs'[simp]: + "wff \ (\<^bold>[\<^bold>\x:\. A\<^bold>]) \ (\\. wff \ A \ \ = \ \<^bold>\ \)" +proof + assume "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + then show "\\. wff \ A \ \ = \ \<^bold>\ \" + using wff.cases by blast +next + assume "\\. wff \ A \ \ = \ \<^bold>\ \" + then show "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + using wff_Abs by auto +qed + +lemma wff_Abs_type_of[code]: + "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>] \ (wff (type_of A) A \ \ = (type_of A) \<^bold>\ \)" +proof + assume "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + then show "wff (type_of A) A \ \ = (type_of A) \<^bold>\ \" + using wff.cases by auto +next + assume "wff (type_of A) A \ \ = (type_of A) \<^bold>\ \" + then show "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + using wff_Abs by auto +qed + +lemma wff_App_type_of[code]: + "wff \ ((A \<^bold>\ B)) \ (wff (type_of A) A \ wff (type_of B) B \ type_of A = \ \<^bold>\ (type_of B))" +proof + assume "wff \ (A \<^bold>\ B)" + then show "wff (type_of A) A \ wff (type_of B) B \ type_of A = \ \<^bold>\ (type_of B)" + by auto +next + assume "wff (type_of A) A \ wff (type_of B) B \ type_of A = \ \<^bold>\ (type_of B)" + then show "wff \ (A \<^bold>\ B)" + by (metis wff_App') +qed + +lemma unique_type: + "wff \ A \ wff \ A \ \ = \" +proof (induction arbitrary: \ rule: wff.induct) + case (wff_Var \' y) + then show ?case + by simp +next + case (wff_Cst \' c) + then show ?case + by simp +next + case (wff_App \' \ A B) + then show ?case + using wff_App' by blast +next + case (wff_Abs \ A \ x) + then show ?case + using wff_Abs_type_of by blast +qed + + +section \Replacement\ + +inductive replacement :: "trm \ trm \ trm \ trm \ bool" where + replace: "replacement A B A B" +| replace_App_left: "replacement A B C E \ replacement A B (C \<^bold>\ D) (E \<^bold>\ D)" +| replace_App_right: "replacement A B D E \ replacement A B (C \<^bold>\ D) (C \<^bold>\ E)" +| replace_Abs: "replacement A B C D \ replacement A B \<^bold>[\<^bold>\x:\. C\<^bold>] \<^bold>[\<^bold>\x:\. D\<^bold>]" + +lemma replacement_preserves_type: + assumes "replacement A B C D" + assumes "wff \ A" + assumes "wff \ B" + assumes "wff \ C" + shows "wff \ D" + using assms +proof (induction arbitrary: \ \ rule: replacement.induct) + case (replace A B) + then show ?case + using unique_type by auto +next + case (replace_App_left A B C E D) + then have "\\'. wff (\ \<^bold>\ \') C" + by auto + then obtain \' where wff_C: "wff (\ \<^bold>\ \') C" + by auto + then have e: "wff (\ \<^bold>\ \') E" + using replace_App_left by auto + define \' where "\' = \ \<^bold>\ \'" + have "wff \' D" + using wff_C unique_type replace_App_left.prems(3) by auto + then have "wff \ (E \<^bold>\ D)" + using e by auto + then show ?case + by auto +next + case (replace_App_right A B D E C) + have "\\'. wff (\ \<^bold>\ \') C" + using replace_App_right.prems(3) by auto + then obtain \' where wff_C: "wff (\ \<^bold>\ \') C" + by auto + have wff_E: "wff \' E" + using wff_C unique_type replace_App_right by fastforce + define \' where \': "\' = \ \<^bold>\ \'" + have "wff \ (C \<^bold>\ E)" + using wff_C wff_E by auto + then show ?case + using \' by auto +next + case (replace_Abs A B C D x \') + then have "\\'. wff \' D" + by auto + then obtain \' where wff_D: "wff \' D" + by auto + have \: "\ = \' \<^bold>\ \'" + using wff_D unique_type replace_Abs by auto + have "wff (\' \<^bold>\ \') (\<^bold>[\<^bold>\x:\'. D\<^bold>])" + using wff_D by auto + then show ?case + using \ by auto +qed + +lemma replacement_preserved_type: + assumes "replacement A B C D" + assumes "wff \ A" + assumes "wff \ B" + assumes "wff \ D" + shows "wff \ C" + using assms +proof (induction arbitrary: \ \ rule: replacement.induct) + case (replace A B) + then show ?case + using unique_type by auto +next + case (replace_App_left A B C E D) + then obtain \ where \: "wff (\ \<^bold>\ \) E \ wff \ D" + by auto + then have "wff (\ \<^bold>\ \) C" + using replace_App_left by auto + then show ?case + using \ by auto +next + case (replace_App_right A B D E C) + then obtain \ where \: "wff (\ \<^bold>\ \) C \ wff \ E" + by auto + then have "wff \ D" + using replace_App_right by auto + then show ?case + using \ by auto +next + case (replace_Abs A B C D x \') + then obtain \ where "wff \ D" + by auto + then show ?case + using unique_type replace_Abs by auto +qed + + +section \Defined wffs\ + \ \This section formalizes most of the definitions and abbreviations from page 212. + We formalize enough to define the Q0 proof system.\ + + +subsection \Common expressions\ + +abbreviation (input) Var_yi ("y\<^sub>i") where + "y\<^sub>i == Cst ''y'' Ind" + +abbreviation (input) Var_xo ("x\<^sub>o") where + "x\<^sub>o == Var ''x'' Tv" + +abbreviation (input) Var_yo ("y\<^sub>o") where + "y\<^sub>o == Var ''y'' Tv" + +abbreviation (input) Fun_oo ("oo") where + "oo == Tv \<^bold>\ Tv" + +abbreviation (input) Fun_ooo ("ooo") where + "ooo == oo \<^bold>\ Tv" + +abbreviation (input) Var_goo ("g\<^sub>o\<^sub>o") where + "g\<^sub>o\<^sub>o == Var ''g'' oo" + +abbreviation (input) Var_gooo ("g\<^sub>o\<^sub>o\<^sub>o") where + "g\<^sub>o\<^sub>o\<^sub>o == Var ''g'' ooo" + + +subsection \Equality symbol\ + +abbreviation QQ :: "type_sym \ trm" ("\<^bold>Q") where + "\<^bold>Q \ \ Cst ''Q'' \" + + +subsection \Description or selection operator\ + +abbreviation \\ :: "trm" ("\<^bold>\") where + "\<^bold>\ \ Cst ''i'' (Ind \<^bold>\ (Tv \<^bold>\ Ind))" + + +subsection \Equality\ + +definition Eql :: "trm \ trm \ type_sym \ trm" where + "Eql A B \ \ (\<^bold>Q (Tv \<^bold>\ \ \<^bold>\ \)) \<^bold>\ A \<^bold>\ B" + +abbreviation Eql' :: "trm \ type_sym \ trm \ trm" ("\<^bold>[_ \<^bold>=_\<^bold>= _\<^bold>]" [89]) where + "\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] \ Eql A B \" + +definition LHS where + "LHS EqlAB = (case EqlAB of (_ \<^bold>\ A \<^bold>\ _) \ A)" + +lemma LHS_def2[simp]: "LHS \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] = A" + unfolding LHS_def Eql_def by auto + +definition RHS where + "RHS EqlAB = (case EqlAB of (_ \<^bold>\ B ) \ B)" + +lemma RHS_def2[simp]: "RHS (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = B" + unfolding RHS_def Eql_def by auto + +lemma wff_Eql[simp]: + "wff \ A \ wff \ B \ wff Tv \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]" + unfolding Eql_def by force + +lemma wff_Eql_iff[simp]: + "wff \ \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] \ wff \ A \ wff \ B \ \ = Tv" + using Eql_def by auto + + +subsection \Truth\ + +definition T :: trm where + "T \ \<^bold>[(\<^bold>Q ooo) \<^bold>=ooo\<^bold>= (\<^bold>Q ooo)\<^bold>]" + +lemma wff_T[simp]: "wff Tv T" + unfolding T_def by auto + +lemma wff_T_iff[simp]: "wff \ T \ \ = Tv" + using unique_type wff_T by blast + +subsection \Falsity\ + +abbreviation F :: trm where + "F \ \<^bold>[\<^bold>[\<^bold>\''x'':Tv. T\<^bold>] \<^bold>= oo\<^bold>= \<^bold>[\<^bold>\''x'':Tv. x\<^sub>o\<^bold>]\<^bold>]" + +lemma wff_F[simp]: "wff Tv F" + by auto + +lemma wff_F_iff[simp]: "wff \ F \ \ = Tv" + using unique_type wff_F by blast + + +subsection \Pi\ + +definition PI :: "type_sym \ trm" where + "PI \ \ (\<^bold>Q (Tv \<^bold>\ (Tv \<^bold>\ \) \<^bold>\ (Tv \<^bold>\ \))) \<^bold>\ \<^bold>[\<^bold>\ ''x'':\. T\<^bold>]" + +lemma wff_PI[simp]: "wff (Tv \<^bold>\ (Tv \<^bold>\ \)) (PI \)" + unfolding PI_def by auto + +lemma wff_PI_subterm[simp]: "wff (Tv \<^bold>\ \) \<^bold>[\<^bold>\ ''x'':\. T\<^bold>]" + by auto + +lemma wff_PI_subterm_iff[simp]: + "wff \ \<^bold>[\<^bold>\ ''x'':\. T\<^bold>] \ \ = (Tv \<^bold>\ \)" + by auto + + +subsection \Forall\ + +definition Forall :: "string \ type_sym \ trm \ trm" ("\<^bold>[\<^bold>\_:_. _\<^bold>]" [80,80,80]) where + "\<^bold>[\<^bold>\x:\. A\<^bold>] = (PI \) \<^bold>\ \<^bold>[\<^bold>\x:\. A\<^bold>]" + +lemma wff_Forall[simp]: "wff Tv A \ wff Tv \<^bold>[\<^bold>\x:\. A\<^bold>]" + unfolding Forall_def by force + +lemma wff_Forall_iff[simp]: "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>] \ wff Tv A \ \ = Tv" +proof + assume "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + then show "wff Tv A \ \ = Tv" + by (smt Forall_def unique_type type_sym.inject wff_Abs' wff_App' wff_PI) +next + assume "wff Tv A \ \ = Tv" + then show "wff \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + unfolding Forall_def by force +qed + + +subsection \Conjunction symbol\ + +definition Con_sym :: trm where + "Con_sym \ + \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\''y'':Tv. + \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=Tv \<^bold>\ ooo\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] + \<^bold>]\<^bold>]" + +lemma wff_Con_sym[simp]: "wff ooo Con_sym" + unfolding Con_sym_def by auto + +lemma wff_Con_sym'[simp]: "wff \ Con_sym \ \ = ooo" + unfolding Con_sym_def by auto + + +lemma wff_Con_sym_subterm0[simp]: + "wff Tv A \ wff Tv B \ wff (Tv \<^bold>\ ooo) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ A \<^bold>\ B\<^bold>]" + by force + +lemma wff_Con_sym_subterm0_iff[simp]: + "wff \ \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ A \<^bold>\ B\<^bold>] \ wff Tv A \ wff Tv B \ \ = (Tv \<^bold>\ ooo)" +proof + assume wff: "wff \ \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ A \<^bold>\ B\<^bold>]" + then have "wff Tv A" + by auto + moreover + from wff have "wff Tv B" + by auto + moreover + from wff have "\ = Tv \<^bold>\ ooo" + by auto + ultimately show "wff Tv A \ wff Tv B \ \ = Tv \<^bold>\ ooo" + by auto +next + assume "wff Tv A \ wff Tv B \ \ = Tv \<^bold>\ ooo" + then show "wff \ \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ A \<^bold>\ B\<^bold>]" + by force +qed + +lemma wff_Con_sym_subterm1[simp]: + "wff Tv \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]" + by auto + +lemma wff_Con_sym_subterm1_iff[simp]: + "wff \ \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] \ \ = Tv" + using unique_type wff_Con_sym_subterm1 by blast + +lemma wff_Con_sym_subterm2[simp]: + "wff oo \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]" + by auto + +lemma wff_Con_sym_subterm2_iff[simp]: + "wff \ \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \ \ = oo" + by auto + +subsection \Conjunction\ + +definition Con :: "trm \ trm \ trm" (infix "\<^bold>\" 80) where + "A \<^bold>\ B = Con_sym \<^bold>\ A \<^bold>\ B" + +lemma wff_Con[simp]: "wff Tv A \ wff Tv B \ wff Tv (A \<^bold>\ B)" + unfolding Con_def by auto + +lemma wff_Con_iff[simp]: "wff \ (A \<^bold>\ B) \ wff Tv A \ wff Tv B \ \ = Tv" + unfolding Con_def by auto + + +subsection \Implication symbol\ + +definition Imp_sym :: trm where + "Imp_sym \ \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]\<^bold>]" + +lemma wff_Imp_sym[simp]: + "wff ooo Imp_sym" + unfolding Imp_sym_def by auto + +lemma wff_Imp_sym_iff[simp]: + "wff \ Imp_sym \ \ = ooo" + unfolding Imp_sym_def by auto + +lemma wff_Imp_sym_subterm0[simp]: + "wff Tv (x\<^sub>o \<^bold>\ y\<^sub>o)" + by auto + +lemma wff_Imp_sym_subterm0_iff[simp]: + "wff \ (x\<^sub>o \<^bold>\ y\<^sub>o) \ \ = Tv" + by auto + +lemma wff_Imp_sym_subterm1[simp]: + "wff Tv \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]" + by auto + +lemma wff_Imp_sym_subterm1_iff[simp]: + "wff \ \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] \ \ = Tv" + using unique_type wff_Imp_sym_subterm1 by blast + +lemma wff_Imp_sym_subterm2[simp]: + "wff oo \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]" + by auto + +lemma wff_Imp_sym_subterm2_iff[simp]: + "wff \ \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \ \ = oo" + by auto + + +subsection \Implication\ + +definition Imp :: "trm \ trm \ trm" (infix "\<^bold>\" 80) where + "A \<^bold>\ B = Imp_sym \<^bold>\ A \<^bold>\ B" + +lemma wff_Imp[simp]: "wff Tv A \ wff Tv B \ wff Tv (A \<^bold>\ B)" + unfolding Imp_def by auto + +lemma wff_Imp_iff[simp]: "wff \ (A \<^bold>\ B) \ wff Tv A \ wff Tv B \ \ = Tv" + using Imp_def by auto + + +section \The Q0 proof system\ + +definition axiom_1 :: trm where + "axiom_1 \ \<^bold>[((g\<^sub>o\<^sub>o \<^bold>\ T) \<^bold>\ (g\<^sub>o\<^sub>o \<^bold>\ F)) \<^bold>=Tv\<^bold>= \<^bold>[\<^bold>\''x'':Tv. g\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o\<^bold>]\<^bold>]" + +lemma wff_axiom_1[simp]: "wff Tv axiom_1" + unfolding axiom_1_def by auto + +definition axiom_2 :: "type_sym \ trm" where + "axiom_2 \ \ + \<^bold>[(Var ''x'' \) \<^bold>=\\<^bold>= (Var ''y'' \)\<^bold>] \<^bold>\ + \<^bold>[((Var ''h'' (Tv \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) \<^bold>=Tv\<^bold>= ((Var ''h'' (Tv \<^bold>\ \)) \<^bold>\ (Var ''y'' \))\<^bold>]" + +definition axiom_3 :: "type_sym \ type_sym \ trm" where + "axiom_3 \ \ \ + \<^bold>[\<^bold>[(Var ''f'' (\ \<^bold>\ \)) \<^bold>=\ \<^bold>\ \\<^bold>= (Var ''g'' (\ \<^bold>\ \))\<^bold>] \<^bold>=Tv\<^bold>= + \<^bold>[\<^bold>\''x'':\. \<^bold>[((Var ''f'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) \<^bold>=\\<^bold>= ((Var ''g'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \))\<^bold>]\<^bold>]\<^bold>]" + +definition axiom_4_1 :: "var_sym \ type_sym \ trm \ type_sym \ trm \ trm" where + "axiom_4_1 x \ B \ A \ \<^bold>[(\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A) \<^bold>=\\<^bold>= B\<^bold>]" + +definition axiom_4_1_side_condition :: "var_sym \ type_sym \ trm \ type_sym \ trm \ bool" where + "axiom_4_1_side_condition x \ B \ A \ (\c. B = Cst c \) \ (\y. B = Var y \ \ (x \ y \ \ \ \))" + +definition axiom_4_2 :: "var_sym \ type_sym \ trm \ trm" where + "axiom_4_2 x \ A = \<^bold>[(\<^bold>[\<^bold>\x:\. Var x \\<^bold>] \<^bold>\ A) \<^bold>=\\<^bold>= A\<^bold>]" + +definition axiom_4_3 :: "var_sym \ type_sym \ trm \ + type_sym \ type_sym \ trm \ trm \ trm" where + "axiom_4_3 x \ B \ \ C A = \<^bold>[(\<^bold>[\<^bold>\x:\. B \<^bold>\ C\<^bold>] \<^bold>\ A) \<^bold>=\\<^bold>= ((\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A) \<^bold>\ (\<^bold>[\<^bold>\x:\. C\<^bold>] \<^bold>\ A))\<^bold>]" + +definition axiom_4_4 :: "var_sym \ type_sym \ var_sym \ type_sym \ trm \ type_sym \ trm \ trm" where + "axiom_4_4 x \ y \ B \ A = \<^bold>[(\<^bold>[\<^bold>\x:\. \<^bold>[\<^bold>\y:\. B\<^bold>]\<^bold>] \<^bold>\ A) \<^bold>=\ \<^bold>\ \\<^bold>= \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>]\<^bold>]" + +definition axiom_4_4_side_condition :: "var_sym \ type_sym \ var_sym \ type_sym \ trm \ type_sym \ trm \ bool" where + "axiom_4_4_side_condition x \ y \ B \ A \ (x \ y \ \ \ \) \ (y, \) \ vars A" + +definition axiom_4_5 :: "var_sym \ type_sym \ trm \ type_sym \ trm \ trm" where + "axiom_4_5 x \ B \ A = \<^bold>[(\<^bold>[\<^bold>\x:\. \<^bold>[\<^bold>\x:\. B\<^bold>]\<^bold>] \<^bold>\ A) \<^bold>=\ \<^bold>\ \ \<^bold>= \<^bold>[\<^bold>\x:\. B\<^bold>]\<^bold>]" + +definition axiom_5 where + "axiom_5 = \<^bold>[(\<^bold>\ \<^bold>\ ((\<^bold>Q (Tv \<^bold>\ Ind \<^bold>\ Ind)) \<^bold>\ y\<^sub>i)) \<^bold>=Ind\<^bold>= y\<^sub>i\<^bold>]" + +inductive axiom :: "trm \ bool" where + by_axiom_1: + "axiom axiom_1" +| by_axiom_2: + "axiom (axiom_2 \)" +| by_axiom_3: + "axiom (axiom_3 \ \)" +| by_axiom_4_1: + "wff \ A \ + wff \ B \ + axiom_4_1_side_condition x \ B \ A \ + axiom (axiom_4_1 x \ B \ A)" +| by_axiom_4_2: + "wff \ A \ + axiom (axiom_4_2 x \ A)" +| by_axiom_4_3: + "wff \ A \ + wff (\ \<^bold>\ \) B \ + wff \ C \ + axiom (axiom_4_3 x \ B \ \ C A)" +| by_axiom_4_4: + "wff \ A \ + wff \ B \ + axiom_4_4_side_condition x \ y \ B \ A \ + axiom (axiom_4_4 x \ y \ B \ A)" +| by_axiom_4_5: + "wff \ A \ + wff \ B \ + axiom (axiom_4_5 x \ B \ A)" +| by_axiom_5: + "axiom (axiom_5)" + +inductive rule_R :: "trm \ trm \ trm \ bool" where + "replacement A B C D \ rule_R C (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) D" + +definition "proof" :: "trm \ trm list \ bool" where + "proof A p \ (p \ [] \ last p = A \ + (\i (\jk bool" where + by_axiom: "axiom A \ theorem A" +| by_rule_R: "theorem A \ theorem B \ rule_R A B C \ theorem C" + +(* Two variant formulations of axiom 4_1: *) +definition axiom_4_1_variant_cst :: "var_sym \ type_sym \ var_sym \ type_sym \ trm \ trm" where + "axiom_4_1_variant_cst x \ c \ A \ \<^bold>[(\<^bold>[\<^bold>\x:\. Cst c \\<^bold>] \<^bold>\ A) \<^bold>=\\<^bold>= (Cst c \)\<^bold>]" + +definition axiom_4_1_variant_var :: "var_sym \ type_sym \ var_sym \ type_sym \ trm \ trm" where + "axiom_4_1_variant_var x \ y \ A \ \<^bold>[(\<^bold>[\<^bold>\x:\. Var y \\<^bold>] \<^bold>\ A) \<^bold>=\\<^bold>= Var y \\<^bold>]" + +definition axiom_4_1_variant_var_side_condition :: "var_sym \ type_sym \ var_sym \ type_sym \ trm \ bool" where + "axiom_4_1_variant_var_side_condition x \ y \ A \ x \ y \ \ \ \" + + +section \Semantics\ + +type_synonym 's frame = "type_sym \ 's" + +type_synonym 's denotation = "cst_sym \ type_sym \ 's" + +type_synonym 's asg = "var_sym * type_sym \ 's" + +definition agree_off_asg :: "'s asg \ 's asg \ var_sym \ type_sym \ bool" where + "agree_off_asg \ \ x \ \ (\y \. (y\x \ \ \ \) \ \ (y,\) = \ (y,\))" + +lemma agree_off_asg_def2: + "agree_off_asg \ \ x \ \ (\xa. \((x, \) := xa) = \)" + unfolding agree_off_asg_def by force + +lemma agree_off_asg_disagree_var_sym[simp]: + "agree_off_asg \ \ x \ \ x \ y \ \(y,\) = \(y,\)" + unfolding agree_off_asg_def by auto + +lemma agree_off_asg_disagree_type_sym[simp]: + "agree_off_asg \ \ x \ \ \ \ \ \ \(y,\) = \(y,\)" + unfolding agree_off_asg_def by auto + + +context set_theory +begin + +definition wf_frame :: "'s frame \ bool" where + "wf_frame D \ D Tv = boolset \ (\\ \. D (\ \<^bold>\ \) \: funspace (D \) (D \)) \ (\\. D \ \ Ø)" + +definition inds :: "'s frame \ 's" where + "inds Fr = Fr Ind" + +inductive wf_interp :: "'s frame \ 's denotation \ bool" where + "wf_frame D \ + \c \. I c \ \: D \ \ + \\. I ''Q'' (Tv \<^bold>\ \ \<^bold>\ \) = iden (D \) \ + (I ''i'' (Ind \<^bold>\ (Tv \<^bold>\ Ind))) \: funspace (D (Tv \<^bold>\ Ind)) (D Ind) \ + \x. x \: D Ind \ (I ''i'' (Ind \<^bold>\ (Tv \<^bold>\ Ind))) \ one_elem_fun x (D Ind) = x \ + wf_interp D I" + +definition asg_into_frame :: "'s asg \ 's frame \ bool" where + "asg_into_frame \ D \ (\x \. \ (x, \) \: D \)" + +abbreviation(input) asg_into_interp :: "'s asg \ 's frame \ 's denotation \ bool" where + "asg_into_interp \ D I \ asg_into_frame \ D" + +(* Note that because Isabelle's HOL is total, val will also give values to trms that are not wffs *) +fun val :: "'s frame \ 's denotation \ 's asg \ trm \ 's" where + "val D I \ (Var x \) = \ (x,\)" +| "val D I \ (Cst c \) = I c \" +| "val D I \ (A \<^bold>\ B) = val D I \ A \ val D I \ B" +| "val D I \ \<^bold>[\<^bold>\x:\. B\<^bold>] = abstract (D \) (D (type_of B)) (\z. val D I (\((x,\):=z)) B)" + +fun general_model :: "'s frame \ 's denotation \ bool" where + "general_model D I \ wf_interp D I \ (\\ A \. asg_into_interp \ D I \ wff \ A \ val D I \ A \: D \)" + +fun standard_model :: "'s frame \ 's denotation \ bool" where + "standard_model D I \ wf_interp D I \ (\\ \. D (\ \<^bold>\ \) = funspace (D \) (D \))" + +lemma asg_into_frame_fun_upd: + assumes "asg_into_frame \ D" + assumes "xa \: D \" + shows "asg_into_frame (\((x, \) := xa)) D" + using assms unfolding asg_into_frame_def by auto + +lemma asg_into_interp_fun_upd: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + shows "asg_into_interp (\((x, \) := val D I \ A)) D I" + using assms asg_into_frame_fun_upd by auto + +lemma standard_model_is_general_model: (* property mentioned on page 239 *) + assumes "standard_model D I" + shows "general_model D I" +proof - + have "wf_interp D I" + using assms by auto + moreover + have "wff \ A \ asg_into_interp \ D I \ val D I \ A \: D \" for \ \ A + proof (induction arbitrary: \ rule: wff.induct) + case (wff_Var \ uu) + then show ?case + unfolding asg_into_frame_def using assms by auto + next + case (wff_Cst \ uv) + then show ?case + using assms using wf_interp.simps by auto + next + case (wff_App \ \ A B) + then show ?case + using apply_in_rng assms by fastforce + next + case (wff_Abs \ A \ x) + then show ?case + using assms abstract_in_funspace asg_into_frame_fun_upd by force + qed + ultimately + have "general_model D I" + unfolding general_model.simps by auto + then show "general_model D I" + by auto +qed + +abbreviation agree_on_asg :: "'s asg \ 's asg \ var_sym \ type_sym \ bool" where + "agree_on_asg \ \ x \ == (\ (x, \) = \ (x, \))" + +(* Corresponds to Andrews' proposition 5400 *) +proposition prop_5400: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + assumes "\(x,\) \ frees A. agree_on_asg \ \ x \" + shows "val D I \ A = val D I \ A" + using assms(4) assms(1-3,5) +proof (induction arbitrary: \ \ rule: wff.induct) + case (wff_Var \ x) + then show ?case by auto +next + case (wff_Cst \ c) + then show ?case by auto +next + case (wff_App \ \ A B) + show ?case + using wff_App(1,2,5,6,7,8) wff_App(3,4)[of \ \] by auto +next + case (wff_Abs \ A \ x) + have "abstract (D \) (D \) (\z. val D I (\((x, \) := z)) A) = + abstract (D \) (D \) (\z. val D I (\((x, \) := z)) A)" + proof (rule abstract_extensional, rule, rule) + fix xa + assume "xa \: D \" + then have "val D I (\((x, \) := xa)) A \: D \" + using wff_Abs asg_into_frame_fun_upd by auto + moreover + { + have "asg_into_frame (\((x, \) := xa)) D" + using \xa \: D \\ asg_into_frame_fun_upd wff_Abs by auto + moreover + have "asg_into_frame (\((x, \) := xa)) D" + using \xa \: D \\ asg_into_frame_fun_upd wff_Abs by auto + moreover + have "(\y\frees A. (\((x, \) := xa)) y = (\((x, \) := xa)) y)" + using wff_Abs by auto + ultimately + have "val D I (\((x, \) := xa)) A = val D I (\((x, \) := xa)) A" + using assms wff_Abs by (smt case_prodI2) + } + ultimately + show "val D I (\((x, \) := xa)) A \: D \ \ val D I (\((x, \) := xa)) A = val D I (\((x, \) := xa)) A" + by auto + qed + then show ?case + using wff_Abs by auto +qed + +(* definitions on page 239 *) +abbreviation satisfies :: "'s frame \ 's denotation \ 's asg \ trm \ bool" where + "satisfies D I \ A \ (val D I \ A = true)" + +definition valid_in_model :: "'s frame \ 's denotation \ trm \ bool" where + "valid_in_model D I A \ (\\. asg_into_interp \ D I \ val D I \ A = true)" + +definition valid_general :: "trm \ bool" where + "valid_general A \ \D I. general_model D I \ valid_in_model D I A" + +definition valid_standard :: "trm \ bool" where + "valid_standard A \ \D I. standard_model D I \ valid_in_model D I A" + + +section \Semantics of defined wffs\ + +(* Corresponds to Andrews' lemma 5401 a *) +lemma lemma_5401_a: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" "wff \ B" + shows "val D I \ (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A) = val D I (\((x,\):=val D I \ A)) B" +proof - + have val_A: "val D I \ A \: D \" + using assms by simp + have "asg_into_interp (\((x, \) := val D I \ A)) D I" + using assms asg_into_frame_fun_upd by force + then have val_B: "val D I (\((x, \) := val D I \ A)) B \: D \" + using assms by simp + + have "val D I \ (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A) = + (abstract (D \) (D \) (\z. val D I (\((x, \) := z)) B)) \ val D I \ A" + using assms by auto + also + have "... = val D I (\((x, \) := val D I \ A)) B" + using apply_abstract val_A val_B by auto + finally + show ?thesis + by auto +qed + +(* Corresponds to Andrews' lemma 5401 b *) +lemma lemma_5401_b_variant_1: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" "wff \ B" + shows "val D I \ (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = (boolean (val D I \ A = val D I \ B))" +proof - + have "val D I \ (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = (I ''Q'' (Tv \<^bold>\ \ \<^bold>\ \)) \ val D I \ A \ val D I \ B" + unfolding Eql_def by auto + have "... = (iden (D \)) \ val D I \ A \ val D I \ B" + using assms general_model.simps wf_interp.simps by auto + also + have "... = boolean (val D I \ A = val D I \ B)" + using apply_id using assms general_model.simps by blast + finally show ?thesis + unfolding Eql_def by simp +qed + +(* Corresponds to Andrews' lemma 5401 b *) +lemma lemma_5401_b: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" "wff \ B" + shows "val D I \ (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = true \ val D I \ A = val D I \ B" + using lemma_5401_b_variant_1[OF assms] boolean_eq_true by auto + +(* Corresponds to Andrews' lemma 5401 b *) +lemma lemma_5401_b_variant_2: \ \Just a reformulation of @{thm [source] lemma_5401_b}'s directions\ + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" "wff \ B" + assumes "val D I \ A = val D I \ B" + shows "val D I \ (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = true" + using assms(5) lemma_5401_b[OF assms(1,2,3,4)] by auto + +(* Corresponds to Andrews' lemma 5401 b *) +lemma lemma_5401_b_variant_3: \ \Just a reformulation of @{thm [source] lemma_5401_b}'s directions\ + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" "wff \ B" + assumes "val D I \ A \ val D I \ B" + shows "val D I \ (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) = false" + using assms(5) lemma_5401_b_variant_1[OF assms(1,2,3,4)] by (simp add: boolean_def) + +(* Corresponds to Andrews' lemma 5401 c *) +lemma lemma_5401_c: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "val D I \ T = true" + using assms lemma_5401_b[OF assms(1,2)] unfolding T_def by auto + +(* Corresponds to Andrews' lemma 5401 d *) +lemma lemma_5401_d: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "val D I \ F = false" +proof - + have "iden boolset \: D ooo" + using assms general_model.simps wf_interp.simps wf_frame_def by metis + then have "(val D I \ \<^bold>[\<^bold>\''x'':Tv. T\<^bold>]) \ false \ (val D I \ \<^bold>[\<^bold>\''x'':Tv. x\<^sub>o\<^bold>]) \ false" + using assms wf_interp.simps wf_frame_def true_neq_false + apply_id[of "iden boolset" "(D ooo)" "iden boolset"] + unfolding boolean_def Eql_def T_def by auto + then have neqLR: "val D I \ \<^bold>[\<^bold>\''x'':Tv. T\<^bold>] \ val D I \ \<^bold>[\<^bold>\''x'':Tv. x\<^sub>o\<^bold>]" + by metis + have "val D I \ F = boolean (val D I \ (\<^bold>[\<^bold>\''x'':Tv. T\<^bold>]) = val D I \ \<^bold>[\<^bold>\''x'':Tv. x\<^sub>o\<^bold>])" + using lemma_5401_b_variant_1[OF assms(1,2), + of "oo" "(\<^bold>[\<^bold>\''x'':Tv. T\<^bold>])" "\<^bold>[\<^bold>\''x'':Tv. x\<^sub>o\<^bold>]"] assms + by auto + also + have "... = boolean False" + using neqLR by auto + also + have "... = false" + unfolding boolean_def by auto + finally + show ?thesis + by auto +qed + +lemma asg_into_interp_fun_upd_true: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "asg_into_interp (\((x, Tv) := true)) D I" + using asg_into_interp_fun_upd[OF assms wff_T, of x] lemma_5401_c[OF assms(1,2)] by auto + +lemma asg_into_interp_fun_upd_false: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "asg_into_interp (\((x, Tv) := false)) D I" + using asg_into_interp_fun_upd[OF assms wff_F, of x] lemma_5401_d[OF assms] by auto + +(* Corresponds to Andrews' lemma 5401 e_1 *) +lemma lemma_5401_e_1: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "(val D I \ Con_sym) \ true \ true = true" +proof - + define \' where "\' \ \((''x'',Tv) := val D I \ T)" + define \'' where "\'' \ \'((''y'',Tv) := val D I \' T)" + define \''' where "\''' \ \z. \''((''g'', ooo) := z)" + have \'_asg_into: "asg_into_interp \' D I" + unfolding \'_def using asg_into_interp_fun_upd[OF assms wff_T] by blast + have \''_asg_into: "asg_into_interp \'' D I" + unfolding \''_def using asg_into_interp_fun_upd[OF assms(1) \'_asg_into wff_T] by blast + + have "(val D I \ Con_sym) \ true \ true = val D I \ (Con_sym \<^bold>\ T \<^bold>\ T)" + using lemma_5401_c[OF assms(1,2)] by auto + also + have "... = val D I \ (\<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]\<^bold>] \<^bold>\ T \<^bold>\ T)" + unfolding Con_sym_def by auto + also + have "... = (val D I \ ((\<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]\<^bold>] \<^bold>\ T))) \ val D I \ T" + by simp + also + have "... = (val D I (\((''x'',Tv) := val D I \ T)) ((\<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]))) \ val D I \ T" + by (metis lemma_5401_a[OF assms(1,2)] wff_Con_sym_subterm2 wff_T) + also + have "... = (val D I \' ((\<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]))) \ val D I \ T" + unfolding \'_def .. + also + have "... = (val D I \' ((\<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]))) \ val D I \' T" + using \'_asg_into assms(2) lemma_5401_c[OF assms(1)] by auto + also + have "... = (val D I \' (\<^bold>[\<^bold>\''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \<^bold>\ T))" + by simp + also + have "... = (val D I (\'((''y'',Tv) := val D I \' T)) (\<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]))" + by (meson \'_asg_into assms(1) lemma_5401_a[OF assms(1)] wff_Con_sym_subterm1 wff_T) + also + have "... = (val D I \'' (\<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]))" + unfolding \''_def .. + also + have "... = true" + proof (rule lemma_5401_b_variant_2[OF assms(1)]) + show "wff (Tv \<^bold>\ ooo) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>]" + by auto + next + show "wff (Tv \<^bold>\ ooo) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]" + by auto + next + show "asg_into_frame \'' D" + using \''_asg_into by blast + next + have "val D I \'' \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] = abstract (D ooo) (D Tv) + (\z. val D I (\''((''g'', ooo) := z)) + (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T))" + by (simp only: val.simps(4) type_of.simps type_sym.case) + also + have "... = abstract (D ooo) (D Tv) + (\z. val D I (\''' z) (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T))" + unfolding \'''_def .. + also + have "... = abstract (D ooo) (D Tv) + (\z. val D I (\''' z) g\<^sub>o\<^sub>o\<^sub>o \ val D I (\''' z) T + \ val D I (\''' z) T)" + unfolding val.simps(3) .. + also + have "... = abstract (D ooo) (D Tv) + (\z. val D I (\''' z) g\<^sub>o\<^sub>o\<^sub>o \ true \ true)" + proof (rule abstract_extensional') + fix x + assume "x \: D ooo" + then have "val D I (\''' x) (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T) \: D Tv" + using \'''_def \''_asg_into asg_into_frame_fun_upd assms(1) + general_model.elims(2) type_sym.inject wff_Abs_type_of wff_Con_sym_subterm0 wff_T + by (metis wff_App wff_Var) + then show "val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ val D I (\''' x) T \ + val D I (\''' x) T + \: D Tv" + by simp + next + fix x + assume "x \: D ooo" + then have "val D I (\''' x) T = true" + unfolding \'''_def using \''_asg_into asg_into_frame_fun_upd + lemma_5401_c[OF assms(1)] by blast + then show "val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ val D I (\''' x) T \ + val D I (\''' x) T = + val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ true \ true" by auto + qed + also + have "... = abstract (D ooo) (D Tv) + (\z. val D I (\''' z) g\<^sub>o\<^sub>o\<^sub>o \ + val D I (\''' z) x\<^sub>o \ val D I (\''' z) y\<^sub>o)" + proof (rule abstract_extensional') + fix x + assume x_in_D: "x \: D ooo" + then have "val D I (\''' x) (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T) \: D Tv" + using \'''_def \''_asg_into asg_into_frame_fun_upd assms(1) + general_model.elims(2) type_sym.inject wff_Abs_type_of wff_Con_sym_subterm0 wff_T + by (metis wff_App wff_Var) + then have "val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ val D I (\''' x) T \ + val D I (\''' x) T \: D Tv" + by simp + then show "val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ true \ true \: D Tv" + by (metis \'''_def \''_asg_into lemma_5401_c[OF assms(1)] asg_into_frame_fun_upd x_in_D) + next + fix x + assume x_in_D: "x \: D ooo" + then have "val D I (\''' x) x\<^sub>o = true" + unfolding \'''_def \''_def \'_def using lemma_5401_c[OF assms(1,2)] by auto + moreover + from x_in_D have "val D I (\''' x) y\<^sub>o = true" + unfolding \'''_def \''_def using \'_asg_into lemma_5401_c[OF assms(1)] by auto + ultimately + show "val D I (\''' x) g\<^sub>o\<^sub>o\<^sub>o \ true \ true = + val D I (\''' x) + g\<^sub>o\<^sub>o\<^sub>o \ + val D I (\''' x) x\<^sub>o \ val D I (\''' x) y\<^sub>o" + by auto + qed + also + have "... = abstract (D ooo) (D Tv) (\z. val D I (\''' z) + (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o))" + unfolding val.simps(3) .. + also + have "... = abstract (D ooo) (D Tv) + (\z. val D I (\''((''g'', ooo) := z)) + (g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o))" + unfolding \'''_def .. + also + have "... = val D I \'' \<^bold>[\<^bold>\''g'':ooo. + g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]" + by (simp only: val.simps(4) type_of.simps type_sym.case) + finally + show "val D I \'' \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] = val D I \'' \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]" + . + qed + finally show ?thesis . +qed + +(* Corresponds to Andrews' lemma 5401 e_2 *) +lemma lemma_5401_e_2: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "y = true \ y = false" + shows "(val D I \ Con_sym) \ false \ y = false" +proof - + define give_x :: trm where "give_x = \<^bold>[\<^bold>\''y'':Tv. x\<^sub>o\<^bold>]" + define give_fst :: trm where "give_fst = \<^bold>[\<^bold>\ ''x'':Tv. give_x\<^bold>]" + define val_give_fst :: 's where "val_give_fst = val D I \ give_fst" + have wff_give_x: "wff oo give_x" + unfolding give_x_def by auto + + have "\a b. a \: D Tv \ + b \: D Tv \ + val D I (\((''x'', Tv) := a)) give_x \: D (type_of give_x)" + using wff_give_x asg_into_frame_def assms(1,2) by auto + moreover + have "\a b. a \: D Tv \ b \: D Tv \ val D I (\((''x'', Tv) := a)) give_x \ b = a" + unfolding give_x_def by auto + ultimately + have "\a b. a \: D Tv \ + b \: D Tv \ + abstract (D Tv) (D (type_of give_x)) (\z. val D I (\((''x'', Tv) := z)) give_x) \ a \ b + = a" + by auto + then have val_give_fst_simp: "\a b. a \: D Tv \ b \: D Tv \ val_give_fst \ a \ b = a" + unfolding val_give_fst_def give_fst_def by auto + + have wff_give_fst: "wff ooo give_fst" + unfolding give_fst_def give_x_def by auto + then have val_give_fst_fun: "val_give_fst \: D ooo" + unfolding val_give_fst_def using assms by auto + + have "val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T \: D Tv" + by (smt Pair_inject wff_give_fst assms(1,2,3) fun_upd_twist general_model.simps + asg_into_interp_fun_upd[OF assms(1,2)] asg_into_interp_fun_upd_true[OF assms(1)] + asg_into_interp_fun_upd_false[OF assms(1)] type_sym.distinct(5) val_give_fst_def wff_T) + then have val_give_fst_D: + "val_give_fst \ val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T \ + val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T + \: D Tv" + using val_give_fst_simp[of + "val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T" + "val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T" ] + by auto + + have false_y_TV: "false \: D Tv \ y \: D Tv" + using assms(1) assms(3) wf_frame_def wf_interp.simps by auto + then have val_give_fst_in_D: "val_give_fst \ false \ y \: D Tv" + using val_give_fst_simp by auto + + have "true \: D Tv" + by (metis assms(1) assms(2) general_model.simps lemma_5401_c[OF assms(1,2)] wff_T) + from this val_give_fst_in_D false_y_TV have "val_give_fst \ true \ true \ val_give_fst \ false \ y" + using val_give_fst_simp true_neq_false by auto + then have val_give_fst_not_false: + "val_give_fst \ val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T + \ val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := val_give_fst)) T + \ val_give_fst \ false \ y" + using asg_into_frame_fun_upd assms(1) assms(2) lemma_5401_c false_y_TV val_give_fst_fun by auto + have Con_sym_subterm0TT_neq_Con_sym_subterm0xy: + "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \ + val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]" + using abstract_cong_specific[of + val_give_fst + "(D ooo)" + "(\z. z \ val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := z)) T + \ val D I (\((''x'', Tv) := false, + (''y'', Tv) := y, + (''g'', ooo) := z)) T)" + "(D Tv)" + "(\z. z \ false \ y)"] + using val_give_fst_fun val_give_fst_D val_give_fst_in_D val_give_fst_not_false by auto + + have "asg_into_frame (\((''x'', Tv) := false, (''y'', Tv) := y)) D" + using asg_into_interp_fun_upd_false[OF assms(1)] general_model.simps[of D I] assms wff_Con_sym_subterm1 + asg_into_interp_fun_upd_true[OF assms(1)] by auto + then have val_Con_sym_subterm1: "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] = false" + using Con_sym_subterm0TT_neq_Con_sym_subterm0xy lemma_5401_b_variant_3[OF assms(1)] + by auto + + have "y \: D Tv" + using general_model.simps lemma_5401_d[OF assms(1,2)] wff_F assms + by (metis lemma_5401_c[OF assms(1,2)] wff_T) + moreover + have "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] \: D Tv" + using asg_into_interp_fun_upd_false[OF assms(1)] general_model.simps[of D I] assms wff_Con_sym_subterm1 + asg_into_interp_fun_upd_true[OF assms(1)] by auto + moreover + have "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] = false" + using val_Con_sym_subterm1 by auto + ultimately + have val_y: "(val D I (\((''x'', Tv) := false)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]) \ y = false" + by simp + + have 11: "val D I (\((''x'', Tv) := false)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \: D oo" + using asg_into_interp_fun_upd_false[OF assms(1,2)] general_model.simps[of D I] assms + wff_Con_sym_subterm2 by blast + moreover + have "val D I (\((''x'', Tv) := false)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \ y = false" + using val_y by auto + ultimately + have "(val D I \ \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]\<^bold>]) \ false \ y = false" + using false_y_TV by simp + then show "(val D I \ Con_sym) \ false \ y = false" + unfolding Con_sym_def by auto +qed + +(* Corresponds to Andrews' lemma 5401 e_3 *) +lemma lemma_5401_e_3: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "x = true \ x = false" + shows "(val D I \ Con_sym) \ x \ false = false" +proof - + (* proof adapted from lemma_5401_e_2 *) + define give_y :: trm where "give_y = (\<^bold>[\<^bold>\ ''y'':Tv. y\<^sub>o\<^bold>])" + define give_snd :: trm where "give_snd = \<^bold>[\<^bold>\ ''x'':Tv. give_y\<^bold>]" + define val_give_snd :: 's where "val_give_snd = val D I \ give_snd" + have wff_give_y: "wff oo give_y" + unfolding give_y_def by auto + + have "\a b. a \: D Tv \ b \: D Tv \ a \: D Tv" + by simp + moreover + have "\a b. a \: D Tv \ b \: D Tv \ val D I (\((''x'', Tv) := a)) give_y \: D (type_of give_y)" + using wff_give_y asg_into_frame_def assms(1) assms(2) by auto + moreover + have "\a b. a \: D Tv \ b \: D Tv \ val D I (\((''x'', Tv) := a)) give_y \ b = b" + unfolding give_y_def by auto + ultimately + have val_give_snd_simp: "\a b. a \: D Tv \ b \: D Tv \ val_give_snd \ a \ b = b" + unfolding val_give_snd_def give_snd_def by auto + + have wff_give_snd: "wff ooo give_snd" + unfolding give_snd_def give_y_def by auto + then have val_give_snd_in_D: "val_give_snd \: D ooo" + unfolding val_give_snd_def using assms + by auto + + then have "val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T \: D Tv" + by (smt Pair_inject wff_give_snd assms(1,2,3) + fun_upd_twist general_model.simps asg_into_interp_fun_upd[OF assms(1,2)] + asg_into_interp_fun_upd_false[OF assms(1)] asg_into_interp_fun_upd_true[OF assms(1)] + type_sym.distinct(5) val_give_snd_def wff_T) + then have val_give_snd_app_in_D: + "val_give_snd \ val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T + \ val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T + \: D Tv" + using val_give_snd_simp[of + "val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T" + "val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T" ] + by auto + + have false_and_x_in_D: "false \: D Tv \ x \: D Tv" + using assms(1,3) wf_frame_def wf_interp.simps by auto + then have val_give_snd_app_x_false_in_D: "val_give_snd \ x \ false \: D Tv" + using val_give_snd_simp by auto + + have "true \: D Tv" + by (metis assms(1) assms(2) general_model.simps lemma_5401_c[OF assms(1,2)] wff_T) + then have "val_give_snd \ true \ true \ val_give_snd \ x \ false" + using val_give_snd_simp true_neq_false val_give_snd_app_in_D false_and_x_in_D by auto + then have + "val_give_snd \ val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T + \ val D I (\((''x'', Tv) := x, + (''y'', Tv) := false, + (''g'', ooo) := val_give_snd)) T \ + val_give_snd \ x \ false" + using asg_into_frame_fun_upd assms(1) assms(2) lemma_5401_c false_and_x_in_D val_give_snd_in_D + by auto + then have "val D I (\((''x'', Tv) := x, (''y'', Tv) := false)) \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \ + val D I (\((''x'', Tv) := x, (''y'', Tv) := false)) + \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]" + using abstract_cong_specific[of + val_give_snd + "(D ooo)" + "(\z. z \ val D I (\((''x'', Tv) := x, (''y'', Tv) := false, (''g'', ooo) := z)) + T \ val D I (\((''x'', Tv) := x, (''y'', Tv) := false, (''g'', ooo) := z)) T)" + "(D Tv)" + "(\z. z \ x \ false)" + ] + using val_give_snd_in_D val_give_snd_app_x_false_in_D val_give_snd_app_in_D by auto + then have "val D I (\((''x'', Tv) := x, (''y'', Tv) := false)) \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>] = false" + using asg_into_frame_fun_upd assms(1,2) lemma_5401_b_variant_3 false_and_x_in_D by auto + then have val_Con_sym_subterm2_false: "(val D I (\((''x'', Tv) := x)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]) \ false = false" + using false_and_x_in_D by simp + + have "x \: D Tv" + by (simp add: false_and_x_in_D) + moreover + have "val D I (\((''x'', Tv) := x)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \: D oo" + by (metis assms(1,3) general_model.simps lemma_5401_c[OF assms(1,2)] + asg_into_interp_fun_upd[OF assms(1,2)] asg_into_interp_fun_upd_false[OF assms(1,2)] + wff_Con_sym_subterm2 wff_T) + moreover + have "val D I (\((''x'', Tv) := x)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>] \ false = false" + using val_Con_sym_subterm2_false by auto + ultimately + have "(val D I \ \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[\<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ T \<^bold>\ T\<^bold>] \<^bold>=(Tv \<^bold>\ ooo)\<^bold>= \<^bold>[\<^bold>\''g'':ooo. g\<^sub>o\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o \<^bold>\ y\<^sub>o\<^bold>]\<^bold>]\<^bold>]\<^bold>]) \ x \ false = false" + by auto + then show "(val D I \ Con_sym) \ x \ false = false" + unfolding Con_sym_def by auto +qed + +(* Corresponds to Andrews' lemma 5401 e *) +lemma lemma_5401_e_variant_1: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "y = true \ y = false" + assumes "x = true \ x = false" + shows "(val D I \ Con_sym) \ x \ y = boolean (x = true \ y = true)" +proof (cases "y = true") + case True + note True_outer = this + then show ?thesis + proof (cases "x = true") + case True + then show ?thesis + using True_outer assms lemma_5401_e_1 unfolding boolean_def by auto + next + case False + then show ?thesis + using True_outer assms lemma_5401_e_2 unfolding boolean_def by auto + qed +next + case False + note False_outer = this + then show ?thesis + proof (cases "x = true") + case True + then show ?thesis + using False_outer assms lemma_5401_e_3 unfolding boolean_def by auto + next + case False + then show ?thesis + using False_outer assms lemma_5401_e_2 unfolding boolean_def by auto + qed +qed + +lemma asg_into_interp_is_true_or_false: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "\ (x, Tv) = true \ \ (x, Tv) = false" +proof - + have "wff Tv (Var x Tv)" + by auto + then have "val D I \ (Var x Tv) \: D Tv" + using assms general_model.simps by blast + then have "val D I \ (Var x Tv) \: boolset" + using assms unfolding general_model.simps wf_interp.simps wf_frame_def by auto + then show ?thesis + using mem_boolset by simp +qed + +lemma wff_Tv_is_true_or_false: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "wff Tv A" + shows "val D I \ A = true \ val D I \ A = false" +proof - + have "val D I \ A \: D Tv" + using assms by auto + then have "val D I \ A \: boolset" + using assms unfolding general_model.simps wf_interp.simps wf_frame_def by force + then show ?thesis + using mem_boolset by blast +qed + +(* Corresponds to Andrews' lemma 5401 e *) +lemma lemma_5401_e_variant_2: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "wff Tv A" + assumes "wff Tv B" + shows "(val D I \ (A \<^bold>\ B)) = boolean (satisfies D I \ A \ satisfies D I \ B)" + using assms wff_Tv_is_true_or_false[of \ D I] lemma_5401_e_variant_1 unfolding Con_def by auto + +(* Corresponds to Andrews' lemma 5401 f_1 *) +lemma lemma_5401_f_1: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "y = true \ y = false" + shows "(val D I \ Imp_sym) \ false \ y = true" +proof - + define Imp_subterm2 :: trm where + "Imp_subterm2 \ \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]" + + have val_Imp_subterm0_false: "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) (x\<^sub>o \<^bold>\ y\<^sub>o) = false" + using assms asg_into_interp_fun_upd_false[OF assms(1)] asg_into_interp_fun_upd_true[OF assms(1)] + boolean_def lemma_5401_e_variant_2 by auto + + have "asg_into_frame (\((''x'', Tv) := false, (''y'', Tv) := y)) D" + using assms(1, 2, 3) lemma_5401_c[OF assms(1)] asg_into_interp_fun_upd wff_T + asg_into_interp_fun_upd_false by metis + then have "val D I (\((''x'', Tv) := false, (''y'', Tv) := y)) \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] = true" + using lemma_5401_b_variant_1[OF assms(1)] val_Imp_subterm0_false unfolding boolean_def by auto + then have val_Imp_subterm2_true: "(val D I (\((''x'', Tv) := false)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]) \ y = true" + using assms(1,3) wf_frame_def wf_interp.simps by auto + + have "val D I \ \<^bold>[\<^bold>\ ''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]\<^bold>] \ false \ y = true" + proof - + have "false \: D Tv" + by (metis asg_into_frame_def asg_into_interp_fun_upd_false assms(1) assms(2) fun_upd_same) + then have "val D I (\((''x'', Tv) := false)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] = val D I \ \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]\<^bold>] \ false" + using asg_into_interp_fun_upd_false assms(1,2) Imp_subterm2_def[symmetric] wff_Imp_sym_subterm2_iff by force + then show ?thesis + by (metis val_Imp_subterm2_true) + qed + then show "(val D I \ Imp_sym) \ false \ y = true" + unfolding Imp_sym_def Imp_subterm2_def by auto +qed + +(* Corresponds to Andrews' lemma 5401 f_2 *) +lemma lemma_5401_f_2: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "x = true \ x = false" + shows "(val D I \ Imp_sym) \ x \ true = true" +proof - + have asg: "asg_into_frame (\((''x'', Tv) := x, (''y'', Tv) := true)) D" + using assms(1,2,3) asg_into_interp_fun_upd_false asg_into_interp_fun_upd_true[OF assms(1)] by blast + then have "val D I (\((''x'', Tv) := x, (''y'', Tv) := true)) (x\<^sub>o \<^bold>\ y\<^sub>o) = x" + using lemma_5401_e_variant_2 assms unfolding boolean_def by auto + then have val_Imp_subterm1_true: "val D I (\((''x'', Tv) := x, (''y'', Tv) := true)) \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] = true" + using asg lemma_5401_b_variant_1[OF assms(1)] boolean_eq_true by auto + + have val_Imp_subterm2_true: "val D I (\((''x'', Tv) := x)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \ true = true" + using val_Imp_subterm1_true assms(1) wf_frame_def wf_interp.simps by auto + + have "x \: D Tv" + by (metis asg_into_frame_def assms(1) assms(3) fun_upd_same asg_into_interp_fun_upd_false + asg_into_interp_fun_upd_true[OF assms(1,2)]) + moreover + have "val D I (\((''x'', Tv) := x)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \: D oo" + using wff_Imp_sym_subterm2 + by (metis assms(1,2,3) general_model.simps lemma_5401_c[OF assms(1,2)] + asg_into_interp_fun_upd[OF assms(1,2)] asg_into_interp_fun_upd_false wff_T) + ultimately + have "(val D I \ \<^bold>[\<^bold>\''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]\<^bold>]) \ x \ true = true" + using val_Imp_subterm2_true by auto + then show "(val D I \ Imp_sym) \ x \ true = true" + unfolding Imp_sym_def by auto +qed + +(* Corresponds to Andrews' lemma 5401 f_3 *) +lemma lemma_5401_f_3: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "(val D I \ Imp_sym) \ true \ false = false" +proof - + have asg: "asg_into_frame (\((''x'', Tv) := true, (''y'', Tv) := false)) D" + by (meson assms(1,2) asg_into_interp_fun_upd_false asg_into_interp_fun_upd_true) + moreover + have "false = true \ false = false" + unfolding boolean_def by auto + moreover + have "boolean (true = true \ false = true) = false" + unfolding boolean_def by auto + ultimately + have 3: "val D I (\((''x'', Tv) := true, (''y'', Tv) := false)) (x\<^sub>o \<^bold>\ y\<^sub>o) = false" + using lemma_5401_e_variant_2 assms by auto + then have Imp_subterm1_false: "val D I (\((''x'', Tv) := true, (''y'', Tv) := false)) \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] = false" + using subst lemma_5401_b_variant_1[OF assms(1)] asg boolean_def by auto + + have asdff: "wff Tv \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]" + by auto + + have false_Tv: "false \: D Tv" + using assms(1) wf_frame_def wf_interp.simps by auto + moreover + have "val D I (\((''x'', Tv) := true, (''y'', Tv) := false)) \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] \: D Tv" + by (simp add: Imp_subterm1_false false_Tv) + moreover + have "val D I (\((''x'', Tv) := true, (''y'', Tv) := false)) \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>] = false" + using Imp_subterm1_false by auto + ultimately + have Imp_subterm2_app_false: "val D I (\((''x'', Tv) := true)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \ false = false" + by auto + + have wff_Imp_sym_subterm2: "wff oo \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]" + by auto + + have "(val D I \ \<^bold>[\<^bold>\ ''x'':Tv. \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>]\<^bold>]) \ true \ false = false" + proof - + have "true \: D Tv" + by (metis assms(1) assms(2) general_model.simps lemma_5401_c[OF assms(1,2)] wff_T) + moreover + have "val D I (\((''x'', Tv) := true)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \: D oo" + using wff_Imp_sym_subterm2 + by (metis assms(1) general_model.simps asg_into_interp_fun_upd_true[OF assms(1,2)]) + moreover + have "val D I (\((''x'', Tv) := true)) \<^bold>[\<^bold>\ ''y'':Tv. \<^bold>[x\<^sub>o \<^bold>=Tv\<^bold>= (x\<^sub>o \<^bold>\ y\<^sub>o)\<^bold>]\<^bold>] \ false = false" + using Imp_subterm2_app_false by auto + ultimately + show ?thesis + by auto + qed + then show "(val D I \ Imp_sym) \ true \ false = false" + unfolding Imp_sym_def by auto +qed + +(* Corresponds to Andrews' lemma 5401 f *) +lemma lemma_5401_f_variant_1: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "x = true \ x = false" + assumes "y = true \ y = false" + shows "(val D I \ Imp_sym) \ x \ y = boolean (x = true \ y = true)" +proof (cases "y = true") + case True + note True_outer = this + then show ?thesis + proof (cases "x = true") + case True + then show ?thesis + using True_outer assms lemma_5401_f_2 unfolding boolean_def by auto + next + case False + then show ?thesis + using True_outer assms lemma_5401_f_2 unfolding boolean_def by auto + qed +next + case False + note False_outer = this + then show ?thesis + proof (cases "x = true") + case True + then show ?thesis + using False_outer assms lemma_5401_f_3 unfolding boolean_def by auto + next + case False + then show ?thesis + using False_outer assms lemma_5401_f_1 unfolding boolean_def by auto + qed +qed + +(* Corresponds to Andrews' lemma 5401 f *) +lemma lemma_5401_f_variant_2: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "wff Tv A" + assumes "wff Tv B" + shows "(val D I \ (A \<^bold>\ B)) = boolean (satisfies D I \ A \ satisfies D I \ B)" + using assms unfolding Imp_def + by (simp add: lemma_5401_f_variant_1 wff_Tv_is_true_or_false) + +(* Corresponds to Andrews' lemma 5401 g *) +lemma lemma_5401_g: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff Tv A" + shows "satisfies D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] \ + (\\. asg_into_interp \ D I \ agree_off_asg \ \ x \ \ satisfies D I \ A)" +proof - + have "wff (Tv \<^bold>\ \) \<^bold>[\<^bold>\ ''x'':\. T\<^bold>]" + by auto + then have PI_subterm_in_D: "val D I \ \<^bold>[\<^bold>\ ''x'':\. T\<^bold>] \: D (Tv \<^bold>\ \)" + using assms(1,2) general_model.simps by blast + + have "wff (Tv \<^bold>\ \) (\<^bold>[\<^bold>\x:\. A\<^bold>])" + using assms by auto + moreover + have "\\. asg_into_frame \ D \ (\A \. wff \ A \ val D I \ A \: D \)" + using assms(1) by auto + then have "\t cs. val D I \ \<^bold>[\<^bold>\cs:t. A\<^bold>] \: D (Tv \<^bold>\ t)" + using wff_Abs assms(1,2,3) by presburger + then have "abstract (D \) (D Tv) (\u. val D I (\((x, \) := u)) A) \: D (Tv \<^bold>\ \)" + using assms(3) by simp + ultimately + have val_lambda_A: "val D I \ (\<^bold>[\<^bold>\x:\. A\<^bold>]) \: D (Tv \<^bold>\ \)" + using assms by auto + + have true_and_A_in_D: "\z. z \: D \ \ true \: D Tv \ val D I (\((x, \) := z)) A \: D Tv" + by (metis assms(1,2,3) general_model.simps lemma_5401_c[OF assms(1,2)] asg_into_frame_fun_upd wff_T) + + have "satisfies D I \ \<^bold>[\<^bold>\ x: \. A\<^bold>] \ val D I \ \<^bold>[\<^bold>\x: \. A\<^bold>] = true" + by auto + moreover have "... \ val D I \ (PI \) \ val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] = true" + unfolding Forall_def by simp + moreover have "... \ I ''Q'' ((Tv \<^bold>\ (Tv \<^bold>\ \)) \<^bold>\ (Tv \<^bold>\ \)) + \ val D I \ \<^bold>[\<^bold>\ ''x'':\. T\<^bold>] \ val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] = + true" + unfolding PI_def by simp + moreover have "... \ (iden (D (Tv \<^bold>\ \))) \ val D I \ \<^bold>[\<^bold>\ ''x'':\. T\<^bold>] \ val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] = + true" + unfolding PI_def using wf_interp.simps assms by simp + moreover have "... \ val D I \ \<^bold>[\<^bold>\''x'':\. T\<^bold>] = val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + using PI_subterm_in_D val_lambda_A apply_id_true by auto + moreover have "... \ abstract (D \) (D Tv) (\z. val D I (\((''x'', \) := z)) T) = val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + using assms wff_T by simp + moreover have "... \ abstract (D \) (D Tv) (\z. true) = val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>]" + proof - + have "\x. x \: D \ \ val D I (\((''x'', \) := x)) T \: D Tv \ true \: D Tv" + using true_and_A_in_D assms(1,2) asg_into_frame_fun_upd by auto + moreover + have "\x. x \: D \ \ val D I (\((''x'', \) := x)) T \: D Tv \ satisfies D I (\((''x'', \) := x)) T" + using true_and_A_in_D assms(1) assms(2) lemma_5401_c[OF assms(1)] asg_into_frame_fun_upd by auto + ultimately + have "abstract (D \) (D Tv) (\z. val D I (\((''x'', \) := z)) T) = abstract (D \) (D Tv) (\z. true)" + using abstract_extensional by auto + then show ?thesis + by auto + qed + moreover have "... \ abstract (D \) (D Tv) (\z. true) = val D I \ (\<^bold>[\<^bold>\x:\. A\<^bold>])" + by auto + moreover have "... \ abstract (D \) (D Tv) (\z. true) = + abstract (D \) (D Tv) (\z. val D I (\((x, \) := z)) A)" + using assms by simp + moreover have "... \ (\z. z \: D \ \ true \: D Tv \ true = val D I (\((x, \) := z)) A)" + proof - + have "\z. z \: D \ \ true \: D Tv \ val D I (\((x, \) := z)) A \: D Tv" + using true_and_A_in_D by auto + then show ?thesis + using abstract_iff_extensional by auto + qed + moreover have "... \ (\z. z \: D \ \ true = val D I (\((x, \) := z)) A)" + by (metis assms(1,2) general_model.simps lemma_5401_c[OF assms(1,2)] wff_T) + moreover have "... \ (\z. z \: D \ \ satisfies D I (\((x, \) := z)) A)" + by auto + moreover have "... \ (\\. asg_into_interp \ D I \ agree_off_asg \ \ x \ \ satisfies D I \ A)" + proof - + show ?thesis + proof + assume A_sat: "\z. z \: D \ \ satisfies D I (\((x, \) := z)) A" + show "\\. asg_into_frame \ D \ agree_off_asg \ \ x \ \ satisfies D I \ A" + proof (rule; rule; rule) + fix \ + assume a1: "asg_into_frame \ D" + assume a2: "agree_off_asg \ \ x \" + have "\xa. (\((x, \) := xa)) = \" + using a1 a2 agree_off_asg_def2 by blast + then show "satisfies D I \ A" + using A_sat a1 a2 by (metis asg_into_frame_def fun_upd_same) + qed + next + assume "\\. asg_into_frame \ D \ agree_off_asg \ \ x \ \ satisfies D I \ A" + then show "\z. z \: D \ \ satisfies D I (\((x, \) := z)) A" + using asg_into_frame_fun_upd asg_into_interp_fun_upd[OF assms(1,2)] assms(2) fun_upd_other + unfolding agree_off_asg_def by auto + qed + qed + ultimately show ?thesis + by auto +qed + +(* Corresponds to Andrews' lemma 5401 g *) +theorem lemma_5401_g_variant_1: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "wff Tv A" + shows "val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] = + boolean (\\. asg_into_interp \ D I \ agree_off_asg \ \ x \ \ satisfies D I \ A)" +proof - + have "val D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] = (if satisfies D I \ \<^bold>[\<^bold>\x:\. A\<^bold>] then true else false)" + using assms wff_Forall wff_Tv_is_true_or_false by metis + then show ?thesis + using assms lemma_5401_g[symmetric] unfolding boolean_def by auto +qed + + +section \Soundness\ + +lemma fun_sym_asg_to_funspace: + assumes "asg_into_frame \ D" + assumes "general_model D I" + shows "\ (f, \ \<^bold>\ \) \: funspace (D \) (D \)" +proof - + have "wff (\ \<^bold>\ \) (Var f (\ \<^bold>\ \))" + by auto + then have "val D I \ (Var f (\ \<^bold>\ \)) \: D (\ \<^bold>\ \)" + using assms + using general_model.simps by blast + then show "\ (f, \ \<^bold>\ \) \: funspace (D \) (D \)" + using assms unfolding general_model.simps wf_interp.simps wf_frame_def + by (simp add: subs_def) +qed + +lemma fun_sym_interp_to_funspace: + assumes "asg_into_frame \ D" + assumes "general_model D I" + shows "I f (\ \<^bold>\ \) \: funspace (D \) (D \)" +proof - + have "wff (\ \<^bold>\ \) (Cst f (\ \<^bold>\ \))" + by auto + then have "val D I \ (Cst f (\ \<^bold>\ \)) \: D (\ \<^bold>\ \)" + using assms general_model.simps by blast + then show "I f (\ \<^bold>\ \) \: funspace (D \) (D \)" + using assms subs_def unfolding general_model.simps wf_interp.simps wf_frame_def by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for rule R *) +theorem theorem_5402_a_rule_R: + assumes A_eql_B: "valid_general (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>])" + assumes "valid_general C" + assumes "rule_R C (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>]) C'" + assumes "wff \ A" + assumes "wff \ B" + assumes "wff \ C" + shows "valid_general C'" + unfolding valid_general_def +proof (rule allI, rule allI, rule impI) + fix D :: "type_sym \ 's" and I :: "char list \ type_sym \ 's" + assume DI: "general_model D I" + then have "valid_in_model D I (\<^bold>[A \<^bold>=\\<^bold>= B\<^bold>])" + using A_eql_B unfolding valid_general_def by auto + then have x: "\\. asg_into_frame \ D \ (val D I \ A = val D I \ B)" + unfolding valid_in_model_def using lemma_5401_b[OF DI, of _ \ A B ] assms(4,5) by auto + have r: "replacement A B C C'" + using assms(3) using Eql_def rule_R.cases by fastforce + from r have "\\. asg_into_frame \ D \ (val D I \ C = val D I \ C')" + using x assms(4,5,6) + proof (induction arbitrary: \ rule: replacement.induct) + case (replace A B) + then show ?case by auto + next + case (replace_App_left A B C E D') + define \' where "\' = type_of C" + define \' where "\' = type_of D'" + show ?case + proof (rule, rule) + fix \ + assume asg: "asg_into_frame \ D" + have \': "\' = \ \<^bold>\ \'" + using trm.distinct(11) trm.distinct(3,7) trm.inject(3) replace_App_left.prems(4) wff.simps + by (metis \'_def \'_def wff_App_type_of) + from asg have "wff \' C" + using replace_App_left trm.distinct(3,7,11) trm.inject(3) wff.simps + by (metis \' \'_def type_of wff_App') + then have "val D I \ C = val D I \ E" + using asg replace_App_left by auto + then show "val D I \ (C \<^bold>\ D') = val D I \ (E \<^bold>\ D')" + using \' by auto + qed + next + case (replace_App_right A B D' E C) + define \' where "\' = type_of C" + define \' where "\' = type_of D'" + show ?case + proof (rule, rule) + fix \ + assume asg: "asg_into_frame \ D" + have \': "\' = \ \<^bold>\ \'" + using trm.distinct(11) trm.distinct(3) trm.distinct(7) trm.inject(3) + replace_App_right.prems(4) wff.simps by (metis \'_def \'_def type_of wff_App') + from asg have "wff \' D'" + using \'_def replace_App_right.prems(4) by fastforce + then have "val D I \ D' = val D I \ E" + using asg replace_App_right by auto + then show "val D I \ (C \<^bold>\ D') = val D I \ (C \<^bold>\ E)" + using \' by auto + qed + next + case (replace_Abs A B C D' x \') + define \' where "\' = type_of C" + show ?case + proof (rule, rule) + fix \ + assume asg: "asg_into_frame \ D" + then have val_C_eql_val_D': + "\z. z \: D \' \ val D I (\((x, \') := z)) C = val D I (\((x, \') := z)) D'" + using asg replace_App_right + by (metis trm.distinct(11) trm.distinct(5) trm.distinct(9) trm.inject(4) + asg_into_frame_fun_upd replace_Abs.IH replace_Abs.prems(1) replace_Abs.prems(2) + replace_Abs.prems(3) replace_Abs.prems(4) wff.cases) + + have val_C_eql_val_D'_type: + "\z. z \: D \' \ + val D I (\((x, \') := z)) C \: D (type_of C) \ + val D I (\((x, \') := z)) C = val D I (\((x, \') := z)) D'" + proof (rule; rule) + fix z + assume a2: "z \: D \'" + have "val D I (\((x, \') := z)) C \: D (type_of C)" + using DI asg a2 asg_into_frame_fun_upd replace_Abs.prems(4) by auto + moreover + have "val D I (\((x, \') := z)) C = val D I (\((x, \') := z)) D'" + using a2 val_C_eql_val_D' replace_Abs by auto + ultimately + show + "val D I (\((x, \') := z)) C \: D (type_of C) \ + val D I (\((x, \') := z)) C = val D I (\((x, \') := z)) D'" + by auto + qed + have "wff (type_of C) D'" + using replacement_preserves_type replace_Abs.hyps replace_Abs.prems(2) + replace_Abs.prems(3) replace_Abs.prems(4) wff_Abs_type_of by blast + then have same_type: + "abstract (D \') (D (type_of C)) (\z. val D I (\((x, \') := z)) D') = + abstract (D \') (D (type_of D')) (\z. val D I (\((x, \') := z)) D')" + using type_of by presburger + then show "val D I \ \<^bold>[\<^bold>\x:\'. C\<^bold>] = val D I \ (\<^bold>[\<^bold>\x:\'. D'\<^bold>])" + using val_C_eql_val_D'_type same_type + abstract_extensional[of _ _ _ "\xa. val D I (\((x, \') := xa)) D'"] + by (simp add: val_C_eql_val_D'_type same_type) + qed + qed + then show "valid_in_model D I C'" + using assms(2) DI unfolding valid_in_model_def valid_general_def by auto +qed + +theorem Fun_Tv_Tv_frame_subs_funspace: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "D oo \: funspace (boolset) (boolset)" + by (metis assms(1) general_model.elims(2) wf_frame_def wf_interp.simps) + +(* Corresponds to Andrews' theorem 5402 a for axiom 1 *) +theorem theorem_5402_a_axiom_1_variant: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "satisfies D I \ axiom_1" +proof (cases "(\ (''g'',oo)) \ true = true \ (\ (''g'',oo)) \ false = true") + case True + then have val: "val D I \ ((g\<^sub>o\<^sub>o \<^bold>\ T) \<^bold>\ (g\<^sub>o\<^sub>o \<^bold>\ F)) = true" + using assms lemma_5401_e_variant_2 + by (auto simp add: boolean_eq_true lemma_5401_c[OF assms(1,2)] lemma_5401_d[OF assms(1,2)]) + have "\\. asg_into_frame \ D \ + agree_off_asg \ \ ''x'' Tv \ + satisfies D I \ (g\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o)" + proof (rule; rule; rule) + fix \ + assume \: "asg_into_frame \ D" "agree_off_asg \ \ ''x'' Tv" + then have "\ (''x'', Tv) = true \ \ (''x'', Tv) = false" + using asg_into_interp_is_true_or_false assms + by auto + then show " satisfies D I \ (g\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o)" + using True \ unfolding agree_off_asg_def by auto + qed + then have "val D I \ (\<^bold>[\<^bold>\''x'':Tv. (g\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o)\<^bold>]) = true" + using lemma_5401_g using assms by auto + then show ?thesis + unfolding axiom_1_def + using lemma_5401_b[OF assms(1,2)] val by auto +next + case False + have "\ (''g'', oo) \: D oo" + using assms + by (simp add: asg_into_frame_def) + then have 0: "\ (''g'', oo) \: funspace (D Tv) (D Tv)" + using assms(1) assms(2) fun_sym_asg_to_funspace by blast + + from False have "(\ (''g'', oo) \ true \ true \ \ (''g'', oo) \ false \ true)" + by auto + then have "\z. \ (''g'', oo) \ z = false \ z \: D Tv" + proof + assume a: "\ (''g'', oo) \ true \ true" + have "\ (''g'', oo) \ true \: boolset" + by (metis "0" apply_abstract assms(1) boolset_def general_model.elims(2) in_funspace_abstract + mem_two true_def wf_frame_def wf_interp.simps) + from this a have "\ (''g'', oo) \ true = false \ true \: D Tv" + using assms(1) wf_frame_def wf_interp.simps by auto + then show "\z. \ (''g'', oo) \ z = false \ z \: D Tv" + by auto + next + assume a: "\ (''g'', oo) \ false \ true" + have "\ (''g'', oo) \ false \: boolset" + by (metis "0" apply_abstract assms(1) boolset_def general_model.elims(2) in_funspace_abstract + mem_two false_def wf_frame_def wf_interp.simps) + from this a have "\ (''g'', oo) \ false = false \ false \: D Tv" + using assms(1) wf_frame_def wf_interp.simps by auto + then show "\z. \ (''g'', oo) \ z = false \ z \: D Tv" + by auto + qed + then obtain z where z_p: "\ (''g'', oo) \ z = false \ z \: D Tv" + by auto + have "boolean (satisfies D I \ (g\<^sub>o\<^sub>o \<^bold>\ T) + \ satisfies D I \ (g\<^sub>o\<^sub>o \<^bold>\ F)) = false" + using False + by (smt boolean_def val.simps(1) val.simps(3) lemma_5401_c[OF assms(1,2)] + lemma_5401_d[OF assms(1,2)]) + then have 1: "val D I \ ( + (g\<^sub>o\<^sub>o \<^bold>\ T) \<^bold>\ + (g\<^sub>o\<^sub>o \<^bold>\ F)) = false" + using lemma_5401_e_variant_2 assms by auto + have 3: "asg_into_frame (\((''x'', Tv) := z)) D \ + agree_off_asg (\((''x'', Tv) := z)) \ ''x'' Tv \ + \ (''g'', oo) \ (\((''x'', Tv) := z)) (''x'', Tv) \ true" + using z_p Pair_inject agree_off_asg_def2 asg_into_frame_fun_upd assms(2) true_neq_false by fastforce + then have 2: "val D I \ (\<^bold>[\<^bold>\''x'':Tv. (g\<^sub>o\<^sub>o \<^bold>\ x\<^sub>o)\<^bold>]) = false" + using lemma_5401_g_variant_1 assms boolean_def by auto + then show ?thesis + unfolding axiom_1_def using 1 2 lemma_5401_b_variant_2[OF assms(1,2)] by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 1 *) +theorem theorem_5402_a_axiom_1: "valid_general axiom_1" + using theorem_5402_a_axiom_1_variant unfolding valid_general_def valid_in_model_def by auto + +(* Corresponds to Andrews' theorem 5402 a for axiom 2 *) +theorem theorem_5402_a_axiom_2_variant: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "satisfies D I \ (axiom_2 \)" +proof (cases "\(''x'',\) = \(''y'',\)") + case True + have "val D I \ ((Var ''h'' (Tv \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) = + (\ (''h'', (Tv \<^bold>\ \))) \ \ (''x'', \)" + using assms by auto + also + have "... = \ (''h'', (Tv \<^bold>\ \)) \ \ (''y'', \)" + using True by auto + also + have "... = val D I \ ((Var ''h'' (Tv \<^bold>\ \)) \<^bold>\ (Var ''y'' \))" + using assms by auto + finally + show ?thesis + unfolding axiom_2_def + using lemma_5401_f_variant_2 assms lemma_5401_b_variant_1[OF assms(1,2)] boolean_def by auto +next + case False + have "asg_into_frame \ D" + using assms(2) by blast + moreover + have "general_model D I" + using assms(1) by blast + ultimately + have + "boolean (satisfies D I \ \<^bold>[Var ''x'' \ \<^bold>=\\<^bold>= Var ''y'' \\<^bold>] \ + satisfies D I \ + \<^bold>[(Var ''h'' (Tv \<^bold>\ \) \<^bold>\ Var ''x'' \) \<^bold>=Tv\<^bold>= Var ''h'' (Tv \<^bold>\ \) \<^bold>\ Var ''y'' \\<^bold>]) = + true" + using boolean_eq_true lemma_5401_b by auto + then + show ?thesis + using assms lemma_5401_f_variant_2 unfolding axiom_2_def by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 2 *) +theorem theorem_5402_a_axiom_2: "valid_general (axiom_2 \)" + using theorem_5402_a_axiom_2_variant unfolding valid_general_def valid_in_model_def by auto + +(* Corresponds to Andrews' theorem 5402 a for axiom 3 *) +theorem theorem_5402_a_axiom_3_variant: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "satisfies D I \ (axiom_3 \ \)" +proof (cases "\ (''f'',\ \<^bold>\ \) = \ (''g'',\ \<^bold>\ \)") + case True + { + fix \ + assume agree: "agree_off_asg \ \ ''x'' \" + assume asg: "asg_into_interp \ D I" + have "val D I \ ((Var ''f'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) = \ (''f'',\ \<^bold>\ \) \ \ (''x'', \)" + by auto + also + have "... = \ (''f'',\ \<^bold>\ \) \ \ (''x'', \)" + using agree by auto + also + have "... = \ (''g'',\ \<^bold>\ \) \ \ (''x'', \)" + using True by auto + also + have "... = \ (''g'',\ \<^bold>\ \) \ \ (''x'', \)" + using agree by auto + also + have "... = val D I \ ((Var ''g'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \))" + by auto + finally + have + "val D I \ + (\<^bold>[((Var ''f'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) \<^bold>=\\<^bold>= ((Var ''g'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \))\<^bold>]) + = true" + using lemma_5401_b_variant_1[OF assms(1)] assms agree asg boolean_eq_true by auto + } + then have "satisfies D I \ + (\<^bold>[\<^bold>\''x'':\. \<^bold>[(Var ''f'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \) \<^bold>=\\<^bold>= Var ''g'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \\<^bold>]\<^bold>])" + using assms lemma_5401_g by force + moreover + have "satisfies D I \ \<^bold>[Var ''f'' (\ \<^bold>\ \) \<^bold>=\ \<^bold>\ \\<^bold>= Var ''g'' (\ \<^bold>\ \)\<^bold>]" + using True assms using lemma_5401_b_variant_2 wff_Var by auto + ultimately + show ?thesis + using axiom_3_def lemma_5401_b_variant_2 assms by auto +next + case False + then have "\z. z \: D \ \ \ (''f'', \ \<^bold>\ \) \ z \ \ (''g'', \ \<^bold>\ \) \ z" + using funspace_difference_witness[of "\ (''f'', \ \<^bold>\ \)" "D \" "D \" "\ (''g'', \ \<^bold>\ \)"] + assms(1,2) fun_sym_asg_to_funspace by blast + then obtain z where + z\: "z \: D \" and + z_neq: "\ (''f'', \ \<^bold>\ \) \ z \ \ (''g'', \ \<^bold>\ \) \ z" + by auto + define \ where "\ = (\((''x'',\):= z))" + have agree: "agree_off_asg \ \ ''x'' \" + using \_def agree_off_asg_def2 by blast + have asg: "asg_into_interp \ D I" + using z\ \_def asg_into_frame_fun_upd assms(2) by blast + have "val D I \ ((Var ''f'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) = \ (''f'',\ \<^bold>\ \) \ \ (''x'', \)" + by auto + moreover + have "... = \ (''f'',\ \<^bold>\ \) \ z" + by (simp add: \_def) + moreover + have "... \ \ (''g'',\ \<^bold>\ \) \ z" + using False z_neq by blast + moreover + have "\ (''g'',\ \<^bold>\ \) \ z = \ (''g'',\ \<^bold>\ \) \ \ (''x'', \)" + by (simp add: \_def) + moreover + have "... = val D I \ ((Var ''g'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \))" + by auto + ultimately + have + "val D I \ + (\<^bold>[((Var ''f'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \)) \<^bold>=\\<^bold>= ((Var ''g'' (\ \<^bold>\ \)) \<^bold>\ (Var ''x'' \))\<^bold>]) + = false" + by (metis asg assms(1) lemma_5401_b_variant_3 wff_App wff_Var) + have "val D I \ + (\<^bold>[\<^bold>\''x'':\. \<^bold>[(Var ''f'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \) \<^bold>=\\<^bold>= Var ''g'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \\<^bold>]\<^bold>]) = false" + by (smt (verit) \val D I \ \<^bold>[(Var ''f'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \) \<^bold>=\\<^bold>= Var ''g'' (\ \<^bold>\ \) \<^bold>\ Var ''x'' \\<^bold>] = false\ + agree asg assms(1,2) lemma_5401_g wff_App wff_Eql wff_Forall wff_Tv_is_true_or_false wff_Var) + moreover + have "val D I \ \<^bold>[Var ''f'' (\ \<^bold>\ \) \<^bold>=\ \<^bold>\ \\<^bold>= Var ''g'' (\ \<^bold>\ \)\<^bold>] = false" + using False assms(1,2) lemma_5401_b_variant_3 wff_Var by auto + ultimately show ?thesis + using assms(1,2) axiom_3_def lemma_5401_b by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 3 *) +theorem theorem_5402_a_axiom_3: "valid_general (axiom_3 \ \)" + using theorem_5402_a_axiom_3_variant unfolding valid_general_def valid_in_model_def by auto + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_1 with a constant *) +theorem theorem_5402_a_axiom_4_1_variant_cst: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + shows "satisfies D I \ (axiom_4_1_variant_cst x \ c \ A)" +proof - + let ?\ = "\((x,\):=val D I \ A)" + have "val D I \ (\<^bold>[\<^bold>\x:\. (Cst c \)\<^bold>] \<^bold>\ A) = val D I ?\ (Cst c \)" + by (rule lemma_5401_a[of _ _ _ _ _ \]; use assms in auto) + then have "val D I \ (\<^bold>[\<^bold>\x:\. Cst c \\<^bold>] \<^bold>\ A) = val D I \ (Cst c \)" + by auto + moreover + have "wff \ (\<^bold>[\<^bold>\x:\. Cst c \\<^bold>] \<^bold>\ A)" + using assms by auto + ultimately + show ?thesis + unfolding axiom_4_1_variant_cst_def + using lemma_5401_b_variant_2[OF assms(1,2)] by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_1 *) +theorem theorem_5402_a_axiom_4_1_variant_var: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + assumes "axiom_4_1_variant_var_side_condition x \ y \ A" + shows "satisfies D I \ (axiom_4_1_variant_var x \ y \ A)" +proof - + let ?\ = "\((x,\):=val D I \ A)" + have "val D I \ (\<^bold>[\<^bold>\x:\. (Var y \)\<^bold>] \<^bold>\ A) = val D I ?\ (Var y \)" + by (rule lemma_5401_a[of _ _ _ _ _ \], use assms in auto) + then have "val D I \ (\<^bold>[\<^bold>\x:\. Var y \\<^bold>] \<^bold>\ A) = val D I \ (Var y \)" + using assms unfolding axiom_4_1_variant_var_side_condition_def by auto + moreover + have "wff \ (\<^bold>[\<^bold>\x:\. Var y \\<^bold>] \<^bold>\ A)" + using assms by auto + moreover + have "wff \ (Var y \)" + using assms by auto + ultimately + show ?thesis + unfolding axiom_4_1_variant_var_def + using lemma_5401_b_variant_2[OF assms(1,2)] by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_1 *) +theorem theorem_5402_a_axiom_4_1: + assumes "asg_into_interp \ D I" + assumes "general_model D I" + assumes "axiom_4_1_side_condition x \ y \ A" + assumes "wff \ A" + shows "satisfies D I \ (axiom_4_1 x \ y \ A)" + using assms theorem_5402_a_axiom_4_1_variant_cst theorem_5402_a_axiom_4_1_variant_var + unfolding axiom_4_1_variant_cst_def axiom_4_1_variant_var_side_condition_def + axiom_4_1_side_condition_def axiom_4_1_variant_var_def + axiom_4_1_def by auto + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_2 *) +theorem theorem_5402_a_axiom_4_2: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + shows "satisfies D I \ (axiom_4_2 x \ A)" +proof - + let ?\ = "\((x,\):=val D I \ A)" + have "wff \ (\<^bold>[\<^bold>\x:\. Var x \\<^bold>] \<^bold>\ A)" + using assms by auto + moreover + have "wff \ A" + using assms by auto + moreover + have "val D I \ (\<^bold>[\<^bold>\x:\. Var x \\<^bold>] \<^bold>\ A) = val D I \ A" + using lemma_5401_a[of _ _ _ _ _ \ _ _] assms by auto + ultimately + show ?thesis + unfolding axiom_4_2_def by (rule lemma_5401_b_variant_2[OF assms(1,2)]) +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_3 *) +theorem theorem_5402_a_axiom_4_3: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + assumes "wff (\ \<^bold>\ \) B" + assumes "wff \ C" + shows "satisfies D I \ (axiom_4_3 x \ B \ \ C A)" +proof - + let ?\ = "\((x,\):=val D I \ A)" + let ?E = "B \<^bold>\ C" + + have "val D I \ (LHS (axiom_4_3 x \ B \ \ C A)) = val D I ?\ ?E" + by (metis LHS_def2 assms(3) assms(4) assms(5) axiom_4_3_def lemma_5401_a[OF assms(1,2)] wff_App) + moreover + have "... = val D I ?\ (B \<^bold>\ C)" + by simp + moreover + have "... = (val D I ?\ B) \ val D I ?\ C" + by simp + moreover + have "... = (val D I \ (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A)) \ val D I \ (App \<^bold>[\<^bold>\x :\. C\<^bold>] A)" + by (metis assms(3) assms(4) assms(5) lemma_5401_a[OF assms(1,2)]) + moreover + have "... = val D I \ (RHS (axiom_4_3 x \ B \ \ C A))" + unfolding axiom_4_3_def by auto + ultimately + have "val D I \ (LHS (axiom_4_3 x \ B \ \ C A)) = val D I \ (RHS (axiom_4_3 x \ B \ \ C A))" + by auto + then have "val D I \ (\<^bold>[\<^bold>\x:\. B \<^bold>\ C\<^bold>] \<^bold>\ A) = val D I \ (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A \<^bold>\ (\<^bold>[\<^bold>\x:\. C\<^bold>] \<^bold>\ A))" + unfolding axiom_4_3_def by auto + moreover + have "wff \ (\<^bold>[\<^bold>\x:\. B \<^bold>\ C\<^bold>] \<^bold>\ A)" + using assms by auto + moreover + have "wff \ (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A \<^bold>\ (\<^bold>[\<^bold>\x:\. C\<^bold>] \<^bold>\ A))" + using assms by auto + ultimately + show ?thesis + unfolding axiom_4_3_def using lemma_5401_b_variant_2[OF assms(1,2)] by auto +qed + +lemma lemma_to_help_with_theorem_5402_a_axiom_4_4: + assumes lambda_eql_lambda_lambda: + "\z. z \: D \ \ val D I \ \<^bold>[\<^bold>\y:\. B\<^bold>] \ z = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>] \ z" + assumes \_eql: "\ = \((x, \) := val D I \ A)" + assumes "asg_into_frame \ D" + assumes "general_model D I" + assumes "axiom_4_4_side_condition x \ y \ B \ A" + assumes "wff \ A" + assumes "wff \ B" + shows "val D I \ \<^bold>[\<^bold>\y:\. B\<^bold>] = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>]" +proof - + { + fix e + assume e_in_D: "e \: D \" + then have "val D I (\((y, \) := e)) B \: D (type_of B)" + using asg_into_frame_fun_upd assms(3,4,6,7) \_eql by auto + then have val_lambda_B: "val D I \ \<^bold>[\<^bold>\y:\. B\<^bold>] \ e = val D I (\((y, \) := e)) B" + using e_in_D by auto + have + "val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>] \ e = + abstract (D \) (D (type_of B)) + (\z. val D I (\((y, \) := e, (x, \) := z)) B) \ val D I (\((y, \) := e)) A" + using apply_abstract e_in_D asg_into_frame_fun_upd assms(3,4,6,7) by auto + then have "val D I (\((y, \) := e)) B = + abstract (D \) (D (type_of B)) + (\z. val D I (\((y, \) := e, (x, \) := z)) B) \ val D I (\((y, \) := e)) A" + using val_lambda_B lambda_eql_lambda_lambda e_in_D by metis + } + note val_eql_abstract = this + + have + "\e. e \: D \ \ + val D I (\((y, \) := e)) B \: D (type_of B) \ + val D I (\((y, \) := e)) B = + abstract (D \) (D (type_of B)) + (\za. val D I (\((y, \) := e, (x, \) := za)) B) \ val D I (\((y, \) := e)) A" + using asg_into_frame_fun_upd assms(3,4,6,7) \_eql val_eql_abstract by auto + then have + "abstract (D \) (D (type_of B)) (\z. val D I (\((y, \) := z)) B) = + abstract (D \) (D (type_of B)) + (\z. abstract (D \) (D (type_of B)) + (\za. val D I (\((y, \) := z, (x, \) := za)) B) \ val D I (\((y, \) := z)) A)" + by (rule abstract_extensional) + then show ?thesis + by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_4 *) +theorem theorem_5402_a_axiom_4_4: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "axiom_4_4_side_condition x \ y \ B \ A" + assumes "wff \ A" + assumes "wff \ B" + shows "satisfies D I \ (axiom_4_4 x \ y \ B \ A)" +proof - + define \ where "\ = \((x,\):=val D I \ A)" + let ?E = "\<^bold>[\<^bold>\y:\. B\<^bold>]" + have fr: "(y, \) \ vars A" + using assms(3) axiom_4_4_side_condition_def by blast + { + fix z + assume z_in_D: "z \: D \" + define \' where "\' = \((y,\) := z)" + have "asg_into_frame \' D" + using assms z_in_D unfolding asg_into_frame_def \'_def by auto + moreover + have "\(x, \)\vars A. agree_on_asg \ \' x \" + using fr unfolding \'_def by auto + ultimately + have "val D I \ A = val D I \' A" + using prop_5400[OF assms(1), of _ _ \] assms(2) assms(4) frees_subset_vars by blast + then have Az: "\'((x,\):=(val D I \' A)) = \((y,\):=z)" + using assms(3) unfolding axiom_4_4_side_condition_def + by (simp add: fun_upd_twist \'_def \_def) + then have "abstract (D \) (D (type_of B)) (\z. val D I (\((y, \) := z)) B) \ z = + val D I (\((y, \) := z)) B" + using apply_abstract_matchable assms(1,2,4,5) type_of asg_into_frame_fun_upd + general_model.elims(2) z_in_D by (metis \'_def) + then have "(val D I \ ?E) \ z = (val D I (\((y,\):=z)) B)" + by auto + moreover + have "... = val D I \' (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A)" + using assms(1,2,4,5) asg_into_frame_fun_upd lemma_5401_a z_in_D + by (metis Az \'_def) + moreover + have "... = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>] \ z" + proof - + have valA: "val D I \' A \: D \" + using \'_def asg_into_frame_fun_upd z_in_D assms by simp + have valB: "val D I (\'((x, \) := val D I \' A)) B \: D (type_of B)" + using asg_into_frame_fun_upd z_in_D assms by (simp add: Az \_def) + have valA': "val D I (\((y, \) := z)) A \: D \" + using z_in_D assms asg_into_frame_fun_upd valA unfolding \_def \'_def + by blast + have valB': + "val D I (\((y, \) := z, (x, \) := val D I (\((y, \) := z)) A)) B + \: D (type_of B)" + using asg_into_frame_fun_upd z_in_D assms valB \'_def by blast + have + "val D I (\'((x, \) := val D I \' A)) B = + val D I (\((y, \) := z, (x, \) := val D I (\((y, \) := z)) A)) B" + unfolding \_def \'_def by (metis apply_abstract asg_into_frame_fun_upd) + then have valB_eql_abs: + "val D I (\'((x, \) := val D I \' A)) B = + abstract (D \) (D (type_of B)) + (\za. val D I (\((y, \) := z, (x, \) := za)) B) \ val D I (\((y, \) := z)) A" + using valA' valB' by auto + then have "abstract (D \) (D (type_of B)) + (\za. val D I (\((y, \) := z, (x, \) := za)) B) \ val D I (\((y, \) := z)) A + \: D (type_of B)" + using valB assms z_in_D by auto + then have + "val D I (\'((x, \) := val D I \' A)) B = + abstract (D \) (D (type_of B)) + (\z. abstract (D \) (D (type_of B)) + (\za. val D I (\((y, \) := z, (x, \) := za)) B) \ val D I (\((y, \) := z)) A) \ z" + using z_in_D valB_eql_abs by auto + then show "val D I \' (\<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A) = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>] \ z" + using valA valB by auto + qed + ultimately + have "val D I \ \<^bold>[\<^bold>\y:\. B\<^bold>] \ z = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>] \ z" + by simp + } + note lambda_eql_lambda_lambda = this + have equal_funs: "val D I \ ?E = val D I \ (\<^bold>[\<^bold>\y:\. (\<^bold>[\<^bold>\x:\. B\<^bold>]) \<^bold>\ A\<^bold>])" + using lambda_eql_lambda_lambda \_def assms lemma_to_help_with_theorem_5402_a_axiom_4_4 by metis + have "val D I \ (\<^bold>[\<^bold>\x:\. \<^bold>[\<^bold>\y:\. B\<^bold>]\<^bold>] \<^bold>\ A) = val D I \ \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>]" + using equal_funs by (metis \_def assms(1,2,4,5) lemma_5401_a wff_Abs) + then have "satisfies D I \ \<^bold>[(\<^bold>[\<^bold>\x:\. \<^bold>[\<^bold>\y:\. B\<^bold>]\<^bold>] \<^bold>\ A) \<^bold>=\ \<^bold>\ \\<^bold>= \<^bold>[\<^bold>\y:\. \<^bold>[\<^bold>\x:\. B\<^bold>] \<^bold>\ A\<^bold>]\<^bold>]" + using lemma_5401_b[OF assms(1,2)] assms by auto + then show ?thesis + unfolding axiom_4_4_def . +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 4_5 *) +theorem theorem_5402_a_axiom_4_5: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + assumes "wff \ A" + assumes "wff \ B" + shows "satisfies D I \ (axiom_4_5 x \ B \ A)" +proof - + define \ where "\ = \((x,\):=val D I \ A)" + let ?E = "\<^bold>[\<^bold>\x:\. B\<^bold>]" + + { + assume val: "\\. asg_into_frame \ D \ (\A \. wff \ A \ val D I \ A \: D \)" + assume asg: "asg_into_frame \ D" + assume wffA: "wff \ A" + assume wffB: "wff \ B" + have valA: "val D I \ A \: D \" + using val asg wffA by blast + have "\t cs. val D I \ \<^bold>[\<^bold>\cs:t. B\<^bold>] \: D (\ \<^bold>\ t)" + using val asg wffB wff_Abs by blast + then have "abstract (D \) (D (\ \<^bold>\ \)) + (\u. abstract (D \) (D \) (\u. val D I (\((x, \) := u)) B)) \ val D I \ A = + abstract (D \) (D \) (\u. val D I (\((x, \) := u)) B)" + using valA wffB by simp + } + note abstract_eql = this + + have "val D I \ ?E = val D I \ ?E" + using prop_5400[OF assms(1), of _ _ "\ \<^bold>\ \"] \_def assms(2) by auto + then show ?thesis + unfolding axiom_4_5_def using lemma_5401_b[OF assms(1,2)] assms abstract_eql by auto +qed + +(* Corresponds to Andrews' theorem 5402 a for axiom 5 *) +theorem theorem_5402_a_axiom_5: + assumes "general_model D I" + assumes "asg_into_interp \ D I" + shows "satisfies D I \ (axiom_5)" +proof - + have iden_eql: "iden (D Ind) \ I ''y'' Ind = one_elem_fun (I ''y'' Ind) (D Ind)" + proof - + have "I ''y'' Ind \: D Ind" + using assms unfolding general_model.simps wf_interp.simps[simplified] iden_def one_elem_fun_def + by auto + moreover + have "abstract (D Ind) boolset (\y. boolean (I ''y'' Ind = y)) \: funspace (D Ind) boolset" + using boolean_in_boolset by auto + ultimately + show ?thesis + unfolding iden_def one_elem_fun_def by auto + qed + + have "val D I \ (\<^bold>\ \<^bold>\ ((\<^bold>Q (Tv \<^bold>\ Ind \<^bold>\ Ind)) \<^bold>\ y\<^sub>i)) = + val D I \ \<^bold>\ \ val D I \ ((\<^bold>Q (Tv \<^bold>\ Ind \<^bold>\ Ind)) \<^bold>\ y\<^sub>i)" + by auto + moreover + have "... = val D I \ y\<^sub>i" + using assms iden_eql unfolding general_model.simps wf_interp.simps[simplified] by auto + ultimately + show ?thesis + unfolding axiom_5_def using lemma_5401_b[OF assms(1,2)] by auto +qed + +lemma theorem_isa_Tv: + assumes "theorem A" + shows "wff Tv A" + using assms proof (induction) + case (by_axiom A) + then show ?case + proof (induction) + case by_axiom_1 + then show ?case + unfolding axiom_1_def by auto + next + case (by_axiom_2 \) + then show ?case + unfolding axiom_2_def by auto + next + case (by_axiom_3 \ \) + then show ?case + unfolding axiom_3_def by auto + next + case (by_axiom_4_1 \ A \ B x) + then show ?case + unfolding axiom_4_1_def by auto + next + case (by_axiom_4_2 \ A x) + then show ?case + unfolding axiom_4_2_def by auto + next + case (by_axiom_4_3 \ A \ \ B C x) + then show ?case + unfolding axiom_4_3_def by auto + next + case (by_axiom_4_4 \ A \ B x y \) + then show ?case + unfolding axiom_4_4_def by auto + next + case (by_axiom_4_5 \ A \ B x) + then show ?case + unfolding axiom_4_5_def by auto + next + case by_axiom_5 + then show ?case + unfolding axiom_5_def by auto + qed +next + case (by_rule_R A B C) + then show ?case + by (smt replacement_preserves_type rule_R.cases wff_Eql_iff) +qed + +(* Corresponds to Andrews' theorem 5402 a *) +theorem theorem_5402_a_general: + assumes "theorem A" + shows "valid_general A" + using assms +proof (induction) + case (by_axiom A) + then show ?case + proof (induction) + case by_axiom_1 + then show ?case + using theorem_5402_a_axiom_1 by auto + next + case (by_axiom_2 \) + then show ?case + using theorem_5402_a_axiom_2 by auto + next + case (by_axiom_3 \ \) + then show ?case + using theorem_5402_a_axiom_3 by auto + next + case (by_axiom_4_1 \ A \ B x) + then show ?case + using theorem_5402_a_axiom_4_1 + unfolding valid_general_def valid_in_model_def by auto + next + case (by_axiom_4_2 \ A x) + then show ?case + using theorem_5402_a_axiom_4_2 + unfolding valid_general_def valid_in_model_def by auto + next + case (by_axiom_4_3 \ A \ \ B C x) + then show ?case + using theorem_5402_a_axiom_4_3 + unfolding valid_general_def valid_in_model_def by auto + next + case (by_axiom_4_4 \ A \ B x y \) + then show ?case + using theorem_5402_a_axiom_4_4 + unfolding valid_general_def valid_in_model_def by auto + next + case (by_axiom_4_5 \ A \ B x) + then show ?case + using theorem_5402_a_axiom_4_5 + unfolding valid_general_def valid_in_model_def by auto + next + case by_axiom_5 + then show ?case + using theorem_5402_a_axiom_5 + unfolding valid_general_def valid_in_model_def by auto + qed +next + case (by_rule_R C AB C') + then have C_isa_Tv: "wff Tv C" + using theorem_isa_Tv by blast + have "\A B \. AB = \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] \ wff \ A \ wff \ B" + using by_rule_R rule_R.simps theorem_isa_Tv by fastforce + then obtain A B \ where A_B_\_p: "AB = \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] \ wff \ A \ wff \ B" + by blast + then have R: "rule_R C \<^bold>[A \<^bold>=\\<^bold>= B\<^bold>] C'" + using by_rule_R by auto + then have "replacement A B C C'" + using Eql_def rule_R.cases by fastforce + show ?case + using theorem_5402_a_rule_R[of A B \ C C' Tv] by_rule_R.IH R + A_B_\_p C_isa_Tv by auto +qed + +(* Corresponds to Andrews' theorem 5402 a *) +theorem theorem_5402_a_standard: + assumes "theorem A" + shows "valid_standard A" + using theorem_5402_a_general assms standard_model_is_general_model valid_general_def + valid_standard_def by blast + +end + +end diff --git a/thys/Q0_Soundness/ROOT b/thys/Q0_Soundness/ROOT new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/ROOT @@ -0,0 +1,14 @@ +chapter AFP + +session Q0_Soundness = "HOL-ZF" + + options [timeout = 300] + sessions + ZFC_in_HOL + theories + Set_Theory + HOLZF_Set_Theory + ZFC_in_HOL_Set_Theory + Q0 + document_files + "root.bib" + "root.tex" diff --git a/thys/Q0_Soundness/Set_Theory.thy b/thys/Q0_Soundness/Set_Theory.thy new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/Set_Theory.thy @@ -0,0 +1,594 @@ +section \Set Theory\ + +theory Set_Theory imports Main begin + + +subsection \CakeML License\ + +text \ +CakeML Copyright Notice, License, and Disclaimer. + +Copyright 2013-2023 by Anthony Fox, Google LLC, Ramana Kumar, Magnus Myreen, +Michael Norrish, Scott Owens, Yong Kiam Tan, and other contributors listed +at https://cakeml.org + +All rights reserved. + +CakeML is free software. Redistribution and use in source and binary forms, +with or without modification, are permitted provided that the following +conditions are met: + + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + * The names of the copyright holders and contributors may not be + used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +\ + + +subsection \Set theory specification\ + +text \ + This formal document is the set theory from + https://github.com/CakeML/cakeml/blob/master/candle/set-theory/setSpecScript.sml + ported to Isabelle/HOL and extended. +\ + +(* Corresponds to CakeML's constant is_set_theory_def *) +locale set_theory = + fixes mem :: "'s \ 's \ bool" (infix "\:" 67) + fixes sub :: "'s \ ('s \ bool) \ 's" (infix "suchthat" 67) + fixes pow :: "'s \ 's" + fixes uni :: "'s \ 's" ("\:_" [900] 900) + fixes upair :: "'s \ 's \ 's" (infix "+:" 67) + assumes extensional: "\x y. x = y \ (\a. a \: x \ a \: y)" + assumes mem_sub[simp]: "\x P a. a \: (x suchthat P) \ a \: x \ P a" + assumes mem_pow[simp]: "\x a. a \: (pow x) \ (\b. b \: a \ b \: x)" + assumes mem_uni[simp]: "\x a. a \: \:x \ (\b. a \: b \ b \: x)" + assumes mem_upair[simp]: "\x y a. a \: (x +: y) \ a = x \ a = y" +begin + +(* Corresponds to CakeML's theorem separation_unique *) +lemma seperation_unique: + assumes "\x P a. a \: (sub2 x P) \ a \: x \ P a" + shows "sub2 = sub" +proof + fix x + show "sub2 x = (suchthat) x" + using assms extensional by auto +qed + +(* Corresponds to CakeML's theorem power_unique *) +lemma pow_unique: + assumes "\x a. a \: (pow2 x) \ (\b. b \: a \ b \: x)" + shows "pow2 = pow" + using assms extensional by auto + +(* Corresponds to CakeML's theorem union_unique *) +lemma uni_unique: + assumes "\x a. a \: uni2 x \ (\b. a \: b \ b \: x)" + shows "uni2 = uni" + using assms extensional by auto + +(* Corresponds to CakeML's theorem upair_unique *) +lemma upair_unique: + assumes "\x y a. a \: upair2 x y \ a = x \ a = y" + shows "upair2 = upair" +proof + fix x + show "upair2 x = (+:) x" + using assms extensional by auto +qed + +(* Corresponds to CakeML's Ø *) +definition empt :: 's ("Ø") where + "Ø = undefined suchthat (\x. False)" + +(* Corresponds to CakeML's theorem mem_empty *) +lemma mem_empty[simp]: "\x \: Ø" + unfolding empt_def using mem_sub by auto + +(* Corresponds to CakeML's constant unit *) +definition unit :: "'s \ 's" where + "unit x = x +: x" + +(* Corresponds to CakeML's theorem mem_unit *) +lemma mem_unit[simp]: "x \: (unit y) \ x = y" + unfolding unit_def using mem_upair by auto + +(* Corresponds to CakeML's theorem unit_inj *) +lemma unit_inj: "unit x = unit y \ x = y" + using extensional unfolding unit_def by auto + +(* Corresponds to CakeML's constant one *) +definition one :: 's where + "one = unit Ø" + +(* Corresponds to CakeML's theorem mem_one *) +lemma mem_one[simp]: "x \: one \ x = Ø" + unfolding one_def by auto + +(* Corresponds to CakeML's constant two *) +definition two :: 's where + "two = Ø +: one" + +(* Corresponds to CakeML's theorem mem_two *) +lemma mem_two[simp]: "\x. x \: two \ x = Ø \ x = one" + unfolding two_def by auto + +(* Corresponds to CakeML's constant pair *) +definition pair :: "'s \ 's \ 's" (infix ",:" 50) where + "(x,:y) = (unit x) +: (x +: y)" + +(* Corresponds to CakeML's theorem upair_inj *) +lemma upair_inj: + "a +: b = c +: d \ a = c \ b = d \ a = d \ b = c" + using extensional by auto + +(* Corresponds to CakeML's theorem unit_eq_upair *) +lemma unit_eq_upair: + "unit x = y +: z \ x = y \ y = z" + using extensional mem_unit mem_upair by metis + +(* Corresponds to CakeML's theorem pair_inj *) +lemma pair_inj: + "(a,:b) = (c,:d) \ a = c \ b = d" + using pair_def upair_inj unit_inj unit_eq_upair by metis + +(* Corresponds to CakeML's constant binary_uni *) +definition binary_uni (infix "\:" 67) where + "x \: y = \: (x +: y)" + +(* Corresponds to CakeML's theorem mem_binary_uni *) +lemma mem_binary_uni[simp]: + "a \: (x \: y) \ a \: x \ a \: y" + unfolding binary_uni_def by auto + +(* Corresponds to CakeML's constant product *) +definition product :: "'s \ 's \ 's" (infix "\:" 67) where + "x \: y = (pow (pow (x \: y)) suchthat (\a. \b c. b \: x \ c \: y \ a = (b,:c)))" + +(* Corresponds to CakeML's theorem mem_product *) +lemma mem_product[simp]: + "a \: (x \: y) \ (\b c. a = (b,:c) \ b \: x \ c \: y)" + using product_def pair_def by auto + +(* Corresponds to CakeML's constant product *) +definition relspace where + "relspace x y = pow (x \: y)" + +(* Corresponds to CakeML's constant funspace *) +definition funspace where + "funspace x y = + (relspace x y suchthat + (\f. \a. a \: x \ (\!b. (a,:b) \: f)))" + +(* Corresponds to CakeML's constant apply *) +definition "apply" :: "'s \ 's \ 's" (infixl "\" 68) where + "(x\y) = (SOME a. (y,:a) \: x)" + +(* Corresponds to CakeML's overloading of boolset *) +definition boolset where + "boolset \ two" + +(* Corresponds to CakeML's constant true *) +definition true where + "true = Ø" + +(* Corresponds to CakeML's constant false *) +definition false where + "false = one" + +(* Corresponds to CakeML's theorem true_neq_false *) +lemma true_neq_false: + "true \ false" + using true_def false_def extensional one_def by auto + +(* Corresponds to CakeML's theorem mem_boolset *) +lemma mem_boolset[simp]: + "x \: boolset \ ((x = true) \ (x = false))" + using true_def false_def boolset_def by auto + +(* Corresponds to CakeML's constant boolean *) +definition boolean :: "bool \ 's" where + "boolean b = (if b then true else false)" + +(* Corresponds to CakeML's theorem boolean_in_boolset *) +lemma boolean_in_boolset: + "boolean b \: boolset" + using boolean_def one_def true_def false_def by auto + +(* Corresponds to CakeML's theorem boolean_eq_true *) +lemma boolean_eq_true: + "boolean b = true \ b" + using boolean_def true_neq_false by auto + +(* Corresponds to CakeML's constant holds *) +definition "holds s x \ s \ x = true" + +(* Corresponds to CakeML's constant abstract *) +definition abstract where + "abstract doma rang f = ((doma \: rang) suchthat (\x. \a. x = (a,:f a)))" + +(* Corresponds to CakeML's theorem apply_abstract *) +lemma apply_abstract[simp]: + "x \: s \ f x \: t \ abstract s t f \ x = f x" + using apply_def abstract_def pair_inj by auto + +(* Corresponds to CakeML's theorem apply_abstract_matchable *) +lemma apply_abstract_matchable: + "x \: s \ f x \: t \ f x = u \ abstract s t f \ x = u" + using apply_abstract by auto + +(* Corresponds to CakeML's theorem apply_in_rng *) +lemma apply_in_rng: + assumes "x \: s" + assumes "f \: funspace s t" + shows "f \ x \: t" +proof - + from assms have "f \: (relspace s t suchthat (\f. \a. a \: s \ (\!b. (a ,: b) \: f)))" + unfolding funspace_def by auto + then have f_p: "f \: relspace s t \ (\a. a \: s \ (\!b. (a ,: b) \: f))" + by auto + then have fxf: "(x ,: f \ x) \: f" + using someI assms apply_def by metis + from f_p have "f \: pow (s \: t)" + unfolding relspace_def by auto + then have "(x ,: f \ x) \: (s \: t)" + using fxf by auto + then show ?thesis + using pair_inj by auto +qed + +(* Corresponds to CakeML's theorem abstract_in_funspace *) +lemma abstract_in_funspace[simp]: + "(\x. x \: s \ f x \: t) \ abstract s t f \: funspace s t" + using funspace_def relspace_def abstract_def pair_inj by auto + +(* Corresponds to CakeML's theorem abstract_in_funspace_matchable *) +lemma abstract_in_funspace_matchable: + "(\x. x \: s \ f x \: t) \ fs = funspace s t \ abstract s t f \: fs" + using abstract_in_funspace by auto + +(* Corresponds to CakeML's theorem abstract_eq *) +lemma abstract_eq: + assumes "\x. x \: s \ f x \: t1 \ g x \: t2 \ f x = g x" + shows "abstract s t1 f = abstract s t2 g" +proof (rule iffD2[OF extensional], rule) + fix a + from assms show "a \: abstract s t1 f = a \: abstract s t2 g" + unfolding abstract_def using pair_inj by auto +qed + +lemma abstract_extensional: + assumes "\x. x \: s \ f x \: t \ f x = g x" + shows "abstract s t f = abstract s t g" +proof (rule iffD2[OF extensional], rule) + fix a + from assms show "a \: abstract s t f = a \: abstract s t g" + unfolding abstract_def using pair_inj by auto +qed + +lemma abstract_extensional': + assumes "\x. x \: s \ f x \: t" + assumes "\x. x \: s \ f x = g x" + shows "abstract s t f = abstract s t g" +proof (rule iffD2[OF extensional], rule) + fix a + from assms show "a \: abstract s t f = a \: abstract s t g" + unfolding abstract_def using pair_inj by auto +qed + +lemma abstract_cong: + assumes "\x. x \: s \ f x \: t \ g x \: t" + assumes "abstract s t f = abstract s t g" + assumes "x \: s" + shows "f x = g x" + using assms + by (metis apply_abstract_matchable) + +lemma abstract_cong_specific: + assumes "x \: s" + assumes "f x \: t" + assumes "abstract s t f = abstract s t g" + assumes "g x \: t" + shows "f x = g x" +proof - + have "f x = abstract s t f \ x" + using apply_abstract[of x s f t] + using assms by auto + also have "... = abstract s t g \ x" + using assms by auto + also have "... = g x" + using apply_abstract[of x s g t] + using assms by auto + finally show ?thesis + by auto +qed + +lemma abstract_iff_extensional: + assumes "\x. x \: s \ f x \: t \ g x \: t" + shows "(abstract s t f = abstract s t g) \ (\x. x \: s \ f x \: t \ f x = g x)" + using assms abstract_cong + abstract_extensional by meson + +(* Corresponds to CakeML's theorem in_funspace_abstract *) +lemma in_funspace_abstract[simp]: + assumes "z \: funspace s t" + shows "\f. z = abstract s t f \ (\x. x \: s \ f x \: t)" +proof - + define f where "f = (\x. SOME y. (x,:y) \: z)" + have "\x. x \: z \ x \: (abstract s t f)" + proof (rule, rule) + fix x + assume xz: "x \: z" + moreover + have "\b. b \: z \ (\ba c. b = (ba ,: c) \ ba \: s \ c \: t)" + using xz assms + unfolding funspace_def relspace_def by (auto) + moreover + have "\a. a \: s \ (\!b. (a ,: b) \: z)" + using xz using assms + unfolding funspace_def relspace_def by auto + ultimately + have "\a. x = (a ,: f a)" + using assms f_def someI_ex unfolding funspace_def relspace_def by (metis (no_types, lifting)) + then show "x \: abstract s t f" + using xz assms unfolding funspace_def relspace_def abstract_def by auto + next + fix x + assume xf: "x \: abstract s t f" + then have "(\b c. x = (b ,: c) \ b \: s \ c \: t)" + unfolding abstract_def by simp + moreover + have "(\a. x = (a ,: (SOME y. (a ,: y) \: z)))" + using xf f_def unfolding abstract_def by simp + moreover + have "(\a. a \: s \ (\!b. (a ,: b) \: z))" + using assms unfolding funspace_def by simp + ultimately + show "x \: z" + using f_def by (metis pair_inj someI_ex) + qed + then have "z = abstract s t f" + using extensional by auto + moreover + from f_def have "\x. x \: s \ f x \: t" + using apply_in_rng assms local.apply_def by force + ultimately + show ?thesis + by auto +qed + +(* Corresponds to CakeML's theorem axiom_of_choice *) +theorem axiom_of_choice: + assumes "\a. a \: x \ (\b. b \: a)" + shows "\f. \a. a \: x \ f \ a \: a" +proof - + define f where "f = (\a. SOME b. mem b a)" + define fa where "fa = abstract x (uni x) f" + + have "\a. a \: x \ fa \ a \: a" + proof (rule, rule) + fix a + assume "a \: x" + moreover + have "f a \: \:x" + by (metis (full_types) assms calculation f_def mem_uni someI_ex) + moreover + have "f a \: a" + using assms calculation(1) f_def someI_ex by force + ultimately + show "fa \ a \: a" + unfolding fa_def using apply_abstract by auto + qed + then show ?thesis + by auto +qed + +(* Corresponds to CakeML's constant is_infinite *) +definition is_infinite where + "is_infinite s = infinite {a. a \: s}" + +(* Corresponds to CakeML's theorem funspace_inhabited *) +lemma funspace_inhabited: + "(\x. x \: s) \ (\x. x \: t) \ (\f. f \: funspace s t)" + apply (rule exI[of _ "abstract s t (\x. SOME x. x \: t)"]) + using abstract_in_funspace + using someI by metis + +(* Corresponds to CakeML's constant tuple *) +fun tuple where + "tuple [] = Ø" | + "tuple (a#as) = (a,: tuple as)" + +(* Corresponds to CakeML's theorem pair_not_empty *) +lemma pair_not_empty: + "(x,:y) \ Ø" + apply rule + unfolding extensional using mem_empty pair_def mem_upair by metis + +(* Corresponds to CakeML's theorem tuple_empty *) +lemma tuple_empty: + "tuple ls = Ø \ ls = []" + using pair_not_empty by (cases ls) auto + +(* Corresponds to CakeML's theorem tuple_inj *) +lemma tuple_inj: + "tuple l1 = tuple l2 \ l1 = l2" +proof (induction l1 arbitrary: l2) + case Nil + then show ?case + using tuple_empty by metis +next + case (Cons a l1) + then show ?case + using pair_not_empty pair_inj by (metis tuple.elims tuple.simps(2)) +qed + +(* Corresponds to CakeML's constant bigcross *) +fun bigcross where + "bigcross [] = one" | + "bigcross (a#as) = a \: (bigcross as)" + +(* Corresponds to CakeML's theorem mem_bigcross *) +lemma mem_bigcross[simp]: + "x \: (bigcross ls) \ (\xs. x = tuple xs \ list_all2 mem xs ls)" +proof (induction ls arbitrary: x) + case Nil + then show ?case + using mem_one mem_product by simp +next + case (Cons l ls) + show ?case + proof + assume "x \: bigcross (l # ls)" + then obtain b c where bc_p: "x = (b ,: c) \ b \: l \ c \: bigcross ls " + by auto + then obtain xs' where "c = tuple xs' \ list_all2 (\:) xs' ls" + using Cons[of c] by auto + then have "x = tuple (b#xs') \ list_all2 (\:) (b#xs') (l # ls)" + using bc_p by auto + then show "\xs. x = tuple xs \ list_all2 (\:) xs (l # ls)" + by metis + next + assume "\xs. x = tuple xs \ list_all2 (\:) xs (l # ls)" + then obtain xs where "x = tuple xs \ list_all2 (\:) xs (l # ls)" + by auto + then obtain xs where "x = tuple xs \ list_all2 (\:) xs (l # ls)" + by auto + then show "x \: bigcross (l # ls)" + using Cons list.distinct(1) list.rel_cases mem_product by fastforce + qed +qed + +definition subs :: "'s \ 's \ bool" (infix "\:" 67) where + "x \: y \ x \: pow y" + + +definition one_elem_fun :: "'s \ 's \ 's" where + "one_elem_fun x d = abstract d boolset (\y. boolean (x=y))" + +definition iden :: "'s \ 's" where + "iden D = abstract D (funspace D boolset) (\x. one_elem_fun x D)" + +lemma apply_id[simp]: + assumes A_in_D: "A \: D" + assumes B_in_D: "B \: D" + shows "iden D \ A \ B = boolean (A = B)" +proof - + have abstract_D: "abstract D boolset (\y. boolean (A = y)) \: funspace D boolset" + using boolean_in_boolset by auto + have bool_in_two: "boolean (A = B) \: boolset" + using boolean_in_boolset by blast + have "(boolean (A = B)) = (abstract D boolset (\y. boolean (A = y)) \ B)" + using apply_abstract[of B D "\y. boolean (A = y)" two] B_in_D bool_in_two by auto + also + have "... = (abstract D (funspace D boolset) (\x. abstract D boolset (\y. boolean (x = y))) \ A) \ B" + using A_in_D abstract_D + apply_abstract[of A D "\x. abstract D boolset (\y. boolean (x = y))" "funspace D boolset"] + by auto + also + have "... = iden D \ A \ B" + unfolding iden_def one_elem_fun_def .. + finally + show ?thesis + by auto +qed + +lemma apply_id_true[simp]: + assumes A_in_D: "A \: D" + assumes B_in_D: "B \: D" + shows "iden D \ A \ B = true \ A = B" + using assms using boolean_def using true_neq_false by auto + +lemma apply_if_pair_in: + assumes "(a1,: a2) \: f" + assumes "f \: funspace s t" + shows "f \ a1 = a2" + using assms + by (smt abstract_def apply_abstract mem_product pair_inj set_theory.in_funspace_abstract + set_theory.mem_sub set_theory_axioms) + +lemma funspace_app_unique: + assumes "f \: funspace s t" + assumes "(a1,: a2) \: f" + assumes "(a1,: a3) \: f" + shows "a3 = a2" + using assms apply_if_pair_in by blast + +lemma funspace_extensional: + assumes "f \: funspace s t" + assumes "g \: funspace s t" + assumes "\x. x \: s \ f \ x = g \ x" + shows "f = g" +proof - + have "\a. a \: f \ a \: g" + proof - + fix a + assume af: "a \: f" + from af have "\a1 a2. a1 \:s \ a2 \: t \ (a1 ,: a2) = a" + using assms unfolding funspace_def apply_def using relspace_def by force + then obtain a1 a2 where a12: + "a1 \:s \ a2 \: t \ (a1 ,: a2) = a" + by blast + then have "\a3. a2 \: t \ (a1 ,: a3) \: g" + using assms(2) funspace_def by auto + then obtain a3 where a3: "a2 \: t \ (a1 ,: a3) \: g" + by auto + then have "a3 = a2" + using a12 af assms(1,2,3) apply_if_pair_in by auto + then show "a \: g" + using a12 a3 by blast + qed + moreover + have "\a. a \: g \ a \: f" + proof - + fix a + assume ag: "a \: g" + then have "\a1 a2. a1 \:s \ a2 \: t \ (a1 ,: a2) = a" + using assms unfolding funspace_def apply_def using relspace_def by force + then obtain a1 a2 where a12: + "a1 \:s \ a2 \: t \ (a1 ,: a2) = a" + by blast + then have "\a3. a2 \: t \ (a1 ,: a3) \: f" + using assms(1) funspace_def by auto + then obtain a3 where a3: "a2 \: t \ (a1 ,: a3) \: f" + by auto + then have "a3 = a2" + using a12 ag assms(1,2,3) apply_if_pair_in by auto + then show "a \: f" + using a3 a12 by blast + qed + ultimately + show ?thesis + using iffD2[OF extensional] by metis +qed + +lemma funspace_difference_witness: + assumes "f \: funspace s t" + assumes "g \: funspace s t" + assumes "f \ g" + shows "\z. z \: s \ f \ z \ g \ z" + using assms(1,2,3) funspace_extensional by blast + + +end + +end diff --git a/thys/Q0_Soundness/ZFC_in_HOL_Set_Theory.thy b/thys/Q0_Soundness/ZFC_in_HOL_Set_Theory.thy new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/ZFC_in_HOL_Set_Theory.thy @@ -0,0 +1,34 @@ +section \ZFC\_in\_HOL lives up to CakeML's set theory specification\ + +theory ZFC_in_HOL_Set_Theory imports ZFC_in_HOL.ZFC_in_HOL Set_Theory begin + +interpretation set_theory "\x y. x \ elts y" "\x::V. \P. (inv elts) ({y. y \ elts x \ P y})" VPow + "(\Y. SOME Z. elts Z = \(elts ` (elts Y)))" "\x y::V. (inv elts) {x, y}" + apply unfold_locales + subgoal for x y + apply blast + done + subgoal for x P a + apply (rule iffI) + subgoal + using mem_Collect_eq set_of_elts ZFC_in_HOL.set_def subsetI small_iff smaller_than_small + apply smt + done + subgoal + using elts_0 elts_of_set empty_iff f_inv_into_f mem_Collect_eq set_of_elts small_def + small_elts subset_eq subset_iff_less_eq_V zero_V_def + apply (smt ZFC_in_HOL.set_def down subsetI) + done + done + subgoal for x a + apply blast + done + subgoal for x a + apply (metis (mono_tags) UN_iff elts_Sup small_elts tfl_some) + done + subgoal for x y a + apply (metis ZFC_in_HOL.set_def elts_of_set insert_iff singletonD small_upair) + done + done + +end diff --git a/thys/Q0_Soundness/document/root.bib b/thys/Q0_Soundness/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/document/root.bib @@ -0,0 +1,390 @@ +@book{andrews2013introduction, + title={An introduction to mathematical logic and type theory: to truth through proof}, + author={Andrews, Peter B.}, + volume={27}, + year={2013}, + edition = {2nd}, + series={Applied Logic Series}, + publisher={Springer Science \& Business Media} +} + +@inproceedings{DBLP:conf/itp/AbrahamssonMKS22, + author = {Oskar Abrahamsson and + Magnus O. Myreen and + Ramana Kumar and + Thomas Sewell}, + editor = {June Andronick and + Leonardo de Moura}, + title = {Candle: {A} Verified Implementation of {HOL Light}}, + booktitle = {13th International Conference on Interactive Theorem Proving, {ITP} + 2022, August 7-10, 2022, Haifa, Israel}, + series = {LIPIcs}, + volume = {237}, + pages = {3:1--3:17}, + publisher = {Schloss Dagstuhl - Leibniz-Zentrum f{\"{u}}r Informatik}, + year = {2022}, + url = {https://doi.org/10.4230/LIPIcs.ITP.2022.3}, + doi = {10.4230/LIPIcs.ITP.2022.3}, + timestamp = {Mon, 26 Jun 2023 20:47:39 +0200}, + biburl = {https://dblp.org/rec/conf/itp/AbrahamssonMKS22.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@article{DBLP:journals/jar/KumarAMO16, + author = {Ramana Kumar and + Rob Arthan and + Magnus O. Myreen and + Scott Owens}, + title = {Self-Formalisation of Higher-Order Logic - Semantics, Soundness, and + a Verified Implementation}, + journal = {J. Autom. Reason.}, + volume = {56}, + number = {3}, + pages = {221--259}, + year = {2016}, + url = {https://doi.org/10.1007/s10817-015-9357-x}, + doi = {10.1007/s10817-015-9357-x}, + timestamp = {Wed, 02 Sep 2020 13:29:45 +0200}, + biburl = {https://dblp.org/rec/journals/jar/KumarAMO16.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/itp/KumarAMO14, + author = {Ramana Kumar and + Rob Arthan and + Magnus O. Myreen and + Scott Owens}, + editor = {Gerwin Klein and + Ruben Gamboa}, + title = {{HOL} with Definitions: Semantics, Soundness, and a Verified Implementation}, + booktitle = {Interactive Theorem Proving - 5th International Conference, {ITP} + 2014, Held as Part of the Vienna Summer of Logic, {VSL} 2014, Vienna, + Austria, July 14-17, 2014. Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {8558}, + pages = {308--324}, + publisher = {Springer}, + year = {2014}, + url = {https://doi.org/10.1007/978-3-319-08970-6\_20}, + doi = {10.1007/978-3-319-08970-6\_20}, + timestamp = {Tue, 14 May 2019 10:00:37 +0200}, + biburl = {https://dblp.org/rec/conf/itp/KumarAMO14.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/itp/AbrahamssonM23, + author = {Oskar Abrahamsson and + Magnus O. Myreen}, + editor = {Adam Naumowicz and + Ren{\'{e}} Thiemann}, + title = {Fast, Verified Computation for {Candle}}, + booktitle = {14th International Conference on Interactive Theorem Proving, {ITP} + 2023, July 31 to August 4, 2023, Bia{\l}ystok, Poland}, + series = {LIPIcs}, + volume = {268}, + pages = {4:1--4:17}, + publisher = {Schloss Dagstuhl - Leibniz-Zentrum f{\"{u}}r Informatik}, + year = {2023}, + url = {https://doi.org/10.4230/LIPIcs.ITP.2023.4}, + doi = {10.4230/LIPICS.ITP.2023.4}, + timestamp = {Wed, 26 Jul 2023 17:17:16 +0200}, + biburl = {https://dblp.org/rec/conf/itp/AbrahamssonM23.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/cade/Harrison06, + author = {John Harrison}, + editor = {Ulrich Furbach and + Natarajan Shankar}, + title = {Towards Self-verification of {HOL Light}}, + booktitle = {Automated Reasoning, Third International Joint Conference, {IJCAR} + 2006, Seattle, WA, USA, August 17-20, 2006, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {4130}, + pages = {177--191}, + publisher = {Springer}, + year = {2006}, + url = {https://doi.org/10.1007/11814771\_17}, + doi = {10.1007/11814771\_17}, + timestamp = {Thu, 05 Sep 2019 14:51:32 +0200}, + biburl = {https://dblp.org/rec/conf/cade/Harrison06.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@article{Metalogic_ProofChecker-AFP, + author = {Tobias Nipkow and Simon Ro{\ss}kopf}, + title = {Isabelle's Metalogic: Formalization and Proof Checker}, + journal = {Archive of Formal Proofs}, + month = {April}, + year = {2021}, + note = {\url{https://isa-afp.org/entries/Metalogic_ProofChecker.html}, + Formal proof development}, + ISSN = {2150-914x}, +} + +@article{DBLP:journals/jar/RosskopfN23, + author = {Simon Ro{\ss}kopf and + Tobias Nipkow}, + title = {A Formalization and Proof Checker for {Isabelle's} Metalogic}, + journal = {J. Autom. Reason.}, + volume = {67}, + number = {1}, + pages = {1}, + year = {2023}, + url = {https://doi.org/10.1007/s10817-022-09648-w}, + doi = {10.1007/s10817-022-09648-w}, + timestamp = {Tue, 28 Feb 2023 10:48:15 +0100}, + biburl = {https://dblp.org/rec/journals/jar/RosskopfN23.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/cade/NipkowR21, + author = {Tobias Nipkow and + Simon Ro{\ss}kopf}, + editor = {Andr{\'{e}} Platzer and + Geoff Sutcliffe}, + title = {Isabelle's Metalogic: Formalization and Proof Checker}, + booktitle = {Automated Deduction - {CADE} 28 - 28th International Conference on + Automated Deduction, Virtual Event, July 12-15, 2021, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {12699}, + pages = {93--110}, + publisher = {Springer}, + year = {2021}, + url = {https://doi.org/10.1007/978-3-030-79876-5\_6}, + doi = {10.1007/978-3-030-79876-5\_6}, + timestamp = {Thu, 29 Jul 2021 13:42:16 +0200}, + biburl = {https://dblp.org/rec/conf/cade/NipkowR21.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/cpp/KochK22, + author = {Mark Koch and + Dominik Kirst}, + editor = {Andrei Popescu and + Steve Zdancewic}, + title = {Undecidability, incompleteness, and completeness of second-order logic + in Coq}, + booktitle = {{CPP} '22: 11th {ACM} {SIGPLAN} International Conference on Certified + Programs and Proofs, Philadelphia, PA, USA, January 17 - 18, 2022}, + pages = {274--290}, + publisher = {{ACM}}, + year = {2022}, + url = {https://doi.org/10.1145/3497775.3503684}, + doi = {10.1145/3497775.3503684}, + timestamp = {Sat, 30 Sep 2023 09:37:48 +0200}, + biburl = {https://dblp.org/rec/conf/cpp/KochK22.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/ictac/Obua06, + author = {Steven Obua}, + editor = {Kamel Barkaoui and + Ana Cavalcanti and + Antonio Cerone}, + title = {Partizan Games in {Isabelle/HOLZF}}, + booktitle = {Theoretical Aspects of Computing - {ICTAC} 2006, Third International + Colloquium, Tunis, Tunisia, November 20-24, 2006, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {4281}, + pages = {272--286}, + publisher = {Springer}, + year = {2006}, + url = {https://doi.org/10.1007/11921240\_19}, + doi = {10.1007/11921240\_19}, + timestamp = {Mon, 21 Feb 2022 14:40:49 +0100}, + biburl = {https://dblp.org/rec/conf/ictac/Obua06.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@article{ZFC_in_HOL-AFP, + author = {Lawrence C. Paulson}, + title = {Zermelo {Fraenkel} Set Theory in Higher-Order Logic}, + journal = {Archive of Formal Proofs}, + month = {October}, + year = {2019}, + note = {\url{https://isa-afp.org/entries/ZFC_in_HOL.html}, + Formal proof development}, + ISSN = {2150-914x}, +} + +@article{DBLP:journals/pacmpl/SozeauBFTW20, + author = {Matthieu Sozeau and + Simon Boulier and + Yannick Forster and + Nicolas Tabareau and + Th{\'{e}}o Winterhalter}, + title = {{Coq} {Coq} correct! verification of type checking and erasure for {Coq}, + in {Coq}}, + journal = {Proc. {ACM} Program. Lang.}, + volume = {4}, + number = {{POPL}}, + pages = {8:1--8:28}, + year = {2020}, + url = {https://doi.org/10.1145/3371076}, + doi = {10.1145/3371076}, + timestamp = {Sat, 30 Sep 2023 10:23:24 +0200}, + biburl = {https://dblp.org/rec/journals/pacmpl/SozeauBFTW20.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@inproceedings{DBLP:conf/types/Barras96, + author = {Bruno Barras}, + editor = {Eduardo Gim{\'{e}}nez and + Christine Paulin{-}Mohring}, + title = {Verification of the Interface of a Small Proof System in {Coq}}, + booktitle = {Types for Proofs and Programs, International Workshop TYPES'96, Aussois, + France, December 15-19, 1996, Selected Papers}, + series = {Lecture Notes in Computer Science}, + volume = {1512}, + pages = {28--45}, + publisher = {Springer}, + year = {1996}, + url = {https://doi.org/10.1007/BFb0097785}, + doi = {10.1007/BFB0097785}, + timestamp = {Tue, 14 May 2019 10:00:42 +0200}, + biburl = {https://dblp.org/rec/conf/types/Barras96.bib}, + bibsource = {dblp computer science bibliography, https://dblp.org} +} + +@techreport{barras:inria-00073667, + TITLE = {{Coq en Coq}}, + AUTHOR = {Barras, Bruno}, + URL = {https://inria.hal.science/inria-00073667}, + NOTE = {Projet COQ, \url{https://inria.hal.science/inria-00073667}}, + TYPE = {Research Report}, + NUMBER = {RR-3026}, + INSTITUTION = {{INRIA}}, + YEAR = {1996}, + KEYWORDS = {TYPE THEORY ; METATHEORY ; CALCULUS OF CONSTRUCTIONS ; PROGRAM EXTRACTION}, + PDF = {https://inria.hal.science/inria-00073667/file/RR-3026.pdf}, + HAL_ID = {inria-00073667}, + HAL_VERSION = {v1}, +} + +@techreport{coqincoqmanuscript, + title = {{Coq} in {Coq} (manuscript)}, + author = {Bruno Barras and Benjamin Werner}, + year = {1996}, + note = {\url{http://www.lix.polytechnique.fr/Labo/Bruno.Barras/publi/coqincoq.pdf}} +} + +@inproceedings{coqincoqcontribs, + title={coq-in-coq}, + author={Bruno Barras}, + booktitle={coq-contribs}, + note={\url{https://github.com/coq-contribs/coq-in-coq}}, + year={1997} +} + +@misc{arthan1993, + title={{HOL} Formalised: Language and Overview}, + author={Arthan, Rob}, + year={1993, revised 2014}, + note={\url{http://www.lemma-one.com/ProofPower/specs/specs.html}} +} + +@misc{arthan1991sem, + title={{HOL} Formalised: Semantics}, + author={Arthan, Rob}, + year={1993, revised 2014}, + note={\url{http://www.lemma-one.com/ProofPower/specs/specs.html}} +} + +@misc{arthan1991ded, + title={{HOL} Formalised: Deductive System}, + author={Arthan, Rob}, + year={1993, revised 2002}, + note={\url{http://www.lemma-one.com/ProofPower/specs/specs.html}} +} + +@article{russell1908mathematical, + title={Mathematical logic as based on the theory of types}, + author={Russell, Bertrand}, + journal={American journal of mathematics}, + volume={30}, + number={3}, + pages={222--262}, + year={1908} +} + +@book{whiteheadrussel, + title={Principia Mathematica}, + author={Alfred North Whitehead and Bertrand Russell}, + publisher={Cambridge University Press, Cambridge England}, + year={1913}, + note={3 volumes; first edition 1913, second edition 1927} +} + +@article{church1940formulation, + title={A formulation of the simple theory of types}, + author={Church, Alonzo}, + journal={The journal of symbolic logic}, + volume={5}, + number={2}, + pages={56--68}, + year={1940}, + publisher={Cambridge University Press} +} + +@article{henkin1950completeness, + title={Completeness in the theory of types}, + author={Henkin, Leon}, + journal={The Journal of Symbolic Logic}, + volume={15}, + number={2}, + pages={81--91}, + year={1950}, + publisher={Cambridge University Press} +} + +@article{henkin1963b, + title={A Theory of Propositional Types}, + author={Henkin, Leon}, + journal={Fundamenta Mathematicae}, + volume={52}, + pages={323--344}, + year={1963} +} + +@article{andrews1963reduction, + title={A reduction of the axioms for the theory of propositional types}, + author={Andrews, Peter}, + journal={Fundamenta Mathematicae}, + volume={52}, + pages={345--350}, + year={1963} +} + +@article{andrews1972general, + title={General models and extensionality}, + author={Andrews, Peter B}, + journal={The Journal of Symbolic Logic}, + volume={37}, + number={2}, + pages={395--397}, + year={1972}, + publisher={Cambridge University Press} +} + +@article{Q0_Metatheory-AFP, + author = {Javier D{\'i}az}, + title = {Metatheory of {Q0}}, + journal = {Archive of Formal Proofs}, + month = {November}, + year = {2023}, + note = {\url{https://isa-afp.org/entries/Q0_Metatheory.html}, + Formal proof development}, + ISSN = {2150-914x}, +} + +@article{Q0IsaFoL, + author = {Anders Schlichtkrull}, + title = {Q0}, + journal = {IsaFoL}, + year = {Jan 4th 2022 - Nov 2023}, + note = {Now at GitHub \url{https://github.com/IsaFoL/IsaFoL/tree/master/Q0} but formerly at BitBucket \url{https://bitbucket.org/isafol/isafol/src/master/Q0/}. + Formal proof development} +} + + diff --git a/thys/Q0_Soundness/document/root.tex b/thys/Q0_Soundness/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/Q0_Soundness/document/root.tex @@ -0,0 +1,107 @@ +\documentclass[10pt,a4paper]{article} +\usepackage[T1]{fontenc} +\usepackage{amssymb} +\usepackage[left=15mm,right=15mm,top=20mm,bottom=27mm]{geometry} +\usepackage{graphicx} +\usepackage{isabelle} +\usepackage{isabellesym} +\usepackage[only,bigsqcap]{stmaryrd} +\usepackage{pdfsetup} + +\urlstyle{tt} +\isabellestyle{tt} + +\renewcommand{\isacharunderscore}{\_} +\renewcommand{\isachardoublequoteopen}{``} +\renewcommand{\isachardoublequoteclose}{''} + +\begin{document} + +\title{Soundness of the Q0 proof system for higher-order logic} +\author{Anders Schlichtkrull} +\date{} + +\maketitle + +\begin{abstract} +\noindent +This entry formalizes the Q0 proof system for higher-order logic (also known as simple type theory) from +the book ``An Introduction to Mathematical Logic and Type Theory: To Truth Through Proof'' +by Peter B. Andrews \cite{andrews2013introduction} together with the system's soundness. +Most of the used theorems and lemmas are also from his book. +The soundness proof is with respect to general models and as a consequence also holds for standard models. +Higher-order logic is given a semantics by porting to Isabelle/HOL the +specification of set theory from the CakeML project \cite{DBLP:conf/itp/KumarAMO14,DBLP:journals/jar/KumarAMO16}. +The independently developed AFP entry ``Metatheory of Q0'' by Javier D{\'i}az \cite{Q0_Metatheory-AFP} also formalizes Q0 in Isabelle/HOL. +I highly recommend the reader to also take a look at his formalization! +\end{abstract} + +\tableofcontents + +\newpage + +% sane default for proof documents +\parindent 0pt +\parskip 0.5ex + +\section{Introduction} +This entry formalizes the Q0 proof system for higher-order logic (also called simple type theory) +and its soundness. +Both the system and most of the proven lemmas and +theorems are from Peter B. Andrews' book \cite{andrews2013introduction}. +In the book's chapter on type theory, Andrews explains that type theory was invented by +Russell \cite{russell1908mathematical} and that Whitehead and Russell \cite{whiteheadrussel} showed that fundamental +parts of mathematics could be formalized in type theory. +As influences on the type theory presented in Andrews' chapter he mentions Church \cite{church1940formulation}, Henkin \cite{henkin1950completeness,henkin1963b} and earlier works by himself \cite{andrews1963reduction,andrews1972general}. +The present Isabelle formalization of higher-order logic is given a semantics by using a port to Isabelle/HOL of +CakeML's specification of set theory \cite{DBLP:journals/jar/KumarAMO16}. +The specification is formalized as a locale that fixes a type of set theoretic sets +and a number of functions (powerset, union, separation) and the set membership predicate. +The soundness proof is with respect to general models and as a consequence it also holds for standard models. +Variables are implemented simply using named variables rather than e.g.\ De Bruijn indices or nominal techniques. +It is well-known that named variables require the definition of substitution to rename variables, but since +substitution is derived in Q0 rather than built into the proof system this complication is essentially +circumvented in the present formalization. +As a curiosity the present AFP entry also proves that the set theory specification is fulfilled +by the sets axiomatized in Isabelle/HOLZF \cite{DBLP:conf/ictac/Obua06} and also by the sets axiomatized by the +AFP entry on Zermelo Fraenkel Set Theory in Higher-Order Logic \cite{ZFC_in_HOL-AFP}. +The theory files of the present entry appeared in the IsaFoL effort \cite{Q0IsaFoL}. + +In the literature we find other formalizations of the metatheory of higher-order logics and type theories. +Independently from my work here, Javier Díaz also formalizes Q0 in Isabelle/HOL. +His work is available in the AFP entry ``Metatheory of Q0'' \cite{Q0_Metatheory-AFP}. +I highly recommend the reader to take a look also at his very thorough formalization! +Arthan specifies HOL \cite{arthan1993,arthan1991sem,arthan1991ded} in ProofPower but does not prove soundness. +John Harrison formalizes the soundness of the proof system of HOL Light \cite{DBLP:conf/cade/Harrison06} in HOL Light +and Kumar et al.\ \cite{DBLP:conf/itp/KumarAMO14,DBLP:journals/jar/KumarAMO16,DBLP:conf/itp/AbrahamssonMKS22,DBLP:conf/itp/AbrahamssonM23} formalize +it in HOL4 as part of the CakeML project including also definitions and a verified implementation. +Ro{\ss}kopf and Nipkow \cite{DBLP:conf/cade/NipkowR21,Metalogic_ProofChecker-AFP,DBLP:journals/jar/RosskopfN23} +formalize a proof system for terms in Isabelle's metalogic together with an implementation of a +proof checker and prove that the proof checker indeed implements this proof system. +There are also a number of works using Coq to formalize metatheory of the calculus of constructions and +the calculus of inductive constructions \cite{DBLP:conf/types/Barras96,barras:inria-00073667,coqincoqmanuscript,coqincoqcontribs,DBLP:journals/pacmpl/SozeauBFTW20}. +Worth mentioning is also the formalization in Coq of second-order logic which also formalizes general models \cite{DBLP:conf/cpp/KochK22}. + +There are plenty of opportunities to go further with the present formalization. +The present formalization proves soundness of Q0 theorems (i.e. $\vdash A$ implies $\models A$), but not +soundness of Q0 derivability (i.e. $M \models G$ and $G \vdash A$ implies $M \models A$). +Other interesting lemmas and theorems from Andrews' book could also be proved such as e.g.\ derived inference rules and completeness. + +\begin{figure} +\begin{center} + \includegraphics[width=0.4\textwidth,keepaspectratio]{session_graph} +\end{center} +\caption{Theory dependency graph} +\label{fig:thys} +\end{figure} + +\newpage + +% generated text of all theories +\input{session} + +% optional bibliography +\bibliographystyle{alpha} +\bibliography{root} + +\end{document} diff --git a/thys/ROOTS b/thys/ROOTS --- a/thys/ROOTS +++ b/thys/ROOTS @@ -1,786 +1,787 @@ ABY3_Protocols ADS_Functor AI_Planning_Languages_Semantics AODV AOT AVL-Trees AWN Abortable_Linearizable_Modules Abs_Int_ITP2012 Abstract-Hoare-Logics Abstract-Rewriting Abstract_Completeness Abstract_Soundness Ackermanns_not_PR Actuarial_Mathematics Adaptive_State_Counting Affine_Arithmetic Aggregation_Algebras Akra_Bazzi Algebraic_Numbers Algebraic_VCs Allen_Calculus Amicable_Numbers Amortized_Complexity AnselmGod Applicative_Lifting Approximation_Algorithms Architectural_Design_Patterns Aristotles_Assertoric_Syllogistic Arith_Prog_Rel_Primes ArrowImpossibilityGS Attack_Trees Auto2_HOL Auto2_Imperative_HOL AutoFocus-Stream Automated_Stateful_Protocol_Verification Automatic_Refinement AxiomaticCategoryTheory BDD BD_Security_Compositional BNF_CC BNF_Operations BTree Balog_Szemeredi_Gowers Banach_Steinhaus Belief_Revision Bell_Numbers_Spivey BenOr_Kozen_Reif Berlekamp_Zassenhaus Bernoulli Bertrands_Postulate Bicategory BinarySearchTree Binary_Code_Imprimitive Binding_Syntax_Theory Binomial-Heaps Binomial-Queues BirdKMP Birkhoff_Finite_Distributive_Lattices Blue_Eyes Bondy Boolean_Expression_Checkers Boolos_Curious_Inference Boolos_Curious_Inference_Automated Bounded_Deducibility_Security Buchi_Complementation Budan_Fourier Buffons_Needle Buildings BytecodeLogicJmlTypes C2KA_DistributedSystems CAVA_Automata CAVA_LTL_Modelchecker CCS CHERI-C_Memory_Model CISC-Kernel CRDT CRYSTALS-Kyber CSP_RefTK CVP_Hardness CYK CZH_Elementary_Categories CZH_Foundations CZH_Universal_Constructions CakeML CakeML_Codegen Call_Arity Card_Equiv_Relations Card_Multisets Card_Number_Partitions Card_Partitions Cardinality_Continuum Cartan_FP Case_Labeling Catalan_Numbers Category Category2 Category3 Catoids Cauchy Cayley_Hamilton Certification_Monads Ceva Chandy_Lamport Chebyshev_Polynomials Chord_Segments Circus Clean Clique_and_Monotone_Circuits ClockSynchInst Closest_Pair_Points CoCon CoSMeDis CoSMed CofGroups Coinductive Coinductive_Languages Collections Combinable_Wands Combinatorial_Enumeration_Algorithms Combinatorics_Words Combinatorics_Words_Graph_Lemma Combinatorics_Words_Lyndon CommCSL Commuting_Hermitian Comparison_Sort_Lower_Bound Compiling-Exceptions-Correctly Complete_Non_Orders Completeness Complex_Bounded_Operators Complex_Geometry Complx ComponentDependencies ConcurrentGC ConcurrentIMP Concurrent_Ref_Alg Concurrent_Revisions Conditional_Simplification Conditional_Transfer_Rule Consensus_Refined Constructive_Cryptography Constructive_Cryptography_CM Constructor_Funs Containers Cook_Levin CoreC++ Core_DOM Core_SC_DOM Correctness_Algebras Cotangent_PFD_Formula Count_Complex_Roots Coupledsim_Contrasim CryptHOL CryptoBasedCompositionalProperties Crypto_Standards Cubic_Quartic_Equations DCR-ExecutionEquivalence DFS_Framework DOM_Components DPRM_Theorem DPT-SAT-Solver DataRefinementIBP Datatype_Order_Generator Decl_Sem_Fun_PL Decreasing-Diagrams Decreasing-Diagrams-II Dedekind_Real Deep_Learning Delta_System_Lemma Density_Compiler Dependent_SIFUM_Refinement Dependent_SIFUM_Type_Systems Depth-First-Search Derangements Deriving Descartes_Sign_Rule Design_Theory Dict_Construction Differential_Dynamic_Logic Differential_Game_Logic DigitsInBase Digit_Expansions Dijkstra_Shortest_Path Diophantine_Eqns_Lin_Hom Directed_Sets Dirichlet_L Dirichlet_Series DiscretePricing Discrete_Summation Disintegration DiskPaxos Distributed_Distinct_Elements Dominance_CHK DynamicArchitectures Dynamic_Tables E_Transcendental Earley_Parser Echelon_Form EdmondsKarp_Maxflow Edwards_Elliptic_Curves_Group Efficient-Mergesort Efficient_Weighted_Path_Order Elimination_Of_Repeated_Factors Elliptic_Curves_Group_Law Encodability_Process_Calculi Epistemic_Logic Equivalence_Relation_Enumeration Ergodic_Theory Error_Function Euler_MacLaurin Euler_Partition Euler_Polyhedron_Formula Eudoxus_Reals Eval_FO Example-Submission Executable_Randomized_Algorithms Expander_Graphs Extended_Finite_State_Machine_Inference Extended_Finite_State_Machines FFT FLP FOL-Fitting FOL_Axiomatic FOL_Harrison FOL_Seq_Calc1 FOL_Seq_Calc2 FOL_Seq_Calc3 FO_Theory_Rewriting FSM_Tests Factor_Algebraic_Polynomial Factored_Transition_System_Bounding Falling_Factorial_Sum Farkas FeatherweightJava Featherweight_OCL Fermat3_4 FileRefinement FinFun Finger-Trees Finite-Map-Extras Finite_Automata_HF Finite_Fields Finitely_Generated_Abelian_Groups First_Order_Terms First_Welfare_Theorem Fishburn_Impossibility Fisher_Yates Fishers_Inequality Fixed_Length_Vector Flow_Networks Floyd_Warshall Flyspeck-Tame FocusStreamsCaseStudies Forcing Formal_Puiseux_Series Formal_SSA Formula_Derivatives Foundation_of_geometry Fourier Free-Boolean-Algebra Free-Groups Frequency_Moments Fresh_Identifiers FunWithFunctions FunWithTilings Functional-Automata Functional_Ordered_Resolution_Prover Furstenberg_Topology GPU_Kernel_PL Gabow_SCC GaleStewart_Games Gale_Shapley Game_Based_Crypto Gauss-Jordan-Elim-Fun Gauss_Jordan Gauss_Sums Gaussian_Integers GenClock General-Triangle Generalized_Counting_Sort Generic_Deriving Generic_Join GewirthPGCProof Girth_Chromatic Given_Clause_Loops GoedelGod Goedel_HFSet_Semantic Goedel_HFSet_Semanticless Goedel_Incompleteness Goodstein_Lambda GraphMarkingIBP Graph_Saturation Graph_Theory Gray_Codes Green Groebner_Bases Groebner_Macaulay Gromov_Hyperbolicity Grothendieck_Schemes Group-Ring-Module HOL-CSP HOLCF-Prelude HRB-Slicing Hahn_Jordan_Decomposition Hales_Jewett Heard_Of Hello_World HereditarilyFinite Hermite Hermite_Lindemann Hidden_Markov_Models Higher_Order_Terms HoareForDivergence Hoare_Time Hood_Melville_Queue HotelKeyCards Huffman Hybrid_Logic Hybrid_Multi_Lane_Spatial_Logic Hybrid_Systems_VCs HyperCTL HyperHoareLogic Hyperdual Hypergraph_Basics Hypergraph_Colourings IEEE_Floating_Point IFC_Tracking IMAP-CRDT IMO2019 IMP2 IMP2_Binary_Heap IMP_Compiler IMP_Compiler_Reuse IO_Language_Conformance IP_Addresses Imperative_Insertion_Sort Implicational_Logic Impossible_Geometry Incompleteness Incredible_Proof_Machine Independence_CH Inductive_Confidentiality Inductive_Inference InfPathElimination InformationFlowSlicing InformationFlowSlicing_Inter Integration Interpolation_Polynomials_HOL_Algebra Interpreter_Optimizations Interval_Arithmetic_Word32 Intro_Dest_Elim Involutions2Squares Iptables_Semantics Irrational_Series_Erdos_Straus Irrationality_J_Hancl Irrationals_From_THEBOOK IsaGeoCoq IsaNet Isabelle_C Isabelle_Marries_Dirac Isabelle_Meta_Model Jacobson_Basic_Algebra Jinja JinjaDCI JinjaThreads JiveDataStoreModel Jordan_Hoelder Jordan_Normal_Form KAD KAT_and_DRA KBPs KD_Tree Key_Agreement_Strong_Adversaries Khovanskii_Theorem Kleene_Algebra Kneser_Cauchy_Davenport Knights_Tour Knot_Theory Knuth_Bendix_Order Knuth_Morris_Pratt Koenigsberg_Friendship Kruskal Kuratowski_Closure_Complement LLL_Basis_Reduction LLL_Factorization LOFT LP_Duality LTL LTL_Master_Theorem LTL_Normal_Form LTL_to_DRA LTL_to_GBA Lam-ml-Normalization LambdaAuth LambdaMu Lambda_Free_EPO Lambda_Free_KBOs Lambda_Free_RPOs Lambert_W Landau_Symbols Laplace_Transform Latin_Square LatticeProperties Launchbury Laws_of_Large_Numbers Lazy-Lists-II Lazy_Case Lehmer Lifting_Definition_Option Lifting_the_Exponent LightweightJava LinearQuantifierElim Linear_Inequalities Linear_Programming Linear_Recurrences Liouville_Numbers List-Index List-Infinite List_Interleaving List_Inversions List_Update LocalLexing Localization_Ring Locally-Nameless-Sigma Logging_Independent_Anonymity Lovasz_Local Lowe_Ontological_Argument Lower_Semicontinuous Lp Lucas_Theorem MDP-Algorithms MDP-Rewards MFMC_Countable MFODL_Monitor_Optimized MFOTL_Monitor MSO_Regex_Equivalence Markov_Models Marriage Mason_Stothers Matrices_for_ODEs Matrix Matrix_Tensor Matroids Max-Card-Matching Maximum_Segment_Sum Median_Method Median_Of_Medians_Selection Menger Mereology Mersenne_Primes Metalogic_ProofChecker MHComputation MiniML MiniSail Minimal_SSA Minkowskis_Theorem Minsky_Machines MLSS_Decision_Proc ML_Unification Modal_Logics_for_NTS Modular_Assembly_Kit_Security Modular_arithmetic_LLL_and_HNF_algorithms Monad_Memo_DP Monad_Normalisation MonoBoolTranAlgebra MonoidalCategory Monomorphic_Monad MuchAdoAboutTwo Multi_Party_Computation Multirelations Multirelations_Heterogeneous Multiset_Ordering_NPC Multitape_To_Singletape_TM Myhill-Nerode Name_Carrying_Type_Inference Nano_JSON Nash_Williams Nat-Interval-Logic Native_Word Nested_Multisets_Ordinals Network_Security_Policy_Verification Neumann_Morgenstern_Utility No_FTL_observers No_FTL_observers_Gen_Rel Nominal2 Nominal_Myhill_Nerode Noninterference_CSP Noninterference_Concurrent_Composition Noninterference_Generic_Unwinding Noninterference_Inductive_Unwinding Noninterference_Ipurge_Unwinding Noninterference_Sequential_Composition NormByEval Nullstellensatz Number_Theoretic_Transform Octonions OpSets Open_Induction Optics Optimal_BST Orbit_Stabiliser Order_Lattice_Props Ordered_Resolution_Prover Ordinal Ordinal_Partitions Ordinals_and_Cardinals Ordinary_Differential_Equations PAC_Checker PAL PAPP_Impossibility PCF PLM POPLmark-deBruijn PSemigroupsConvolution Package_logic Padic_Field Padic_Ints Pairing_Heap Paraconsistency Parity_Game Partial_Function_MR Partial_Order_Reduction Password_Authentication_Protocol Pell Perfect_Fields Perfect-Number-Thm Perron_Frobenius Physical_Quantities Pi_Calculus Pi_Transcendental Planarity_Certificates Pluennecke_Ruzsa_Inequality Poincare_Bendixson Poincare_Disc Polygonal_Number_Theorem Polylog Polynomial_Crit_Geometry Polynomial_Factorization Polynomial_Interpolation Polynomials Pop_Refinement Posix-Lexing Possibilistic_Noninterference Power_Sum_Polynomials Pratt_Certificate Prefix_Free_Code_Combinators Presburger-Automata Prim_Dijkstra_Simple Prime_Distribution_Elementary Prime_Harmonic_Series Prime_Number_Theorem Priority_Queue_Braun Priority_Search_Trees Probabilistic_Noninterference Probabilistic_Prime_Tests Probabilistic_System_Zoo Probabilistic_Timed_Automata Probabilistic_While Probability_Inequality_Completeness Program-Conflict-Analysis Progress_Tracking Projective_Geometry Projective_Measurements Promela Proof_Strategy_Language PropResPI Propositional_Logic_Class Propositional_Proof_Systems Prpu_Maxflow PseudoHoops Psi_Calculi Ptolemys_Theorem Public_Announcement_Logic Q0_Metatheory +Q0_Soundness QHLProver QR_Decomposition Quantales Quantales_Converse Quantifier_Elimination_Hybrid Quasi_Borel_Spaces Quaternions Query_Optimization Quick_Sort_Cost RIPEMD-160-SPARK ROBDD RSAPSS Ramsey-Infinite Random_BSTs Random_Graph_Subgraph_Threshold Randomised_BSTs Randomised_Social_Choice Rank_Nullity_Theorem Real_Impl Real_Power Real_Time_Deque Recursion-Addition Recursion-Theory-I Refine_Imperative_HOL Refine_Monadic RefinementReactive Regex_Equivalence Registers Regression_Test_Selection Regular-Sets Regular_Algebras Regular_Tree_Relations Relation_Algebra Relational-Incorrectness-Logic Relational_Cardinality Relational_Disjoint_Set_Forests Relational_Forests Relational_Method Relational_Minimum_Spanning_Trees Relational_Paths Rensets Rep_Fin_Groups ResiduatedTransitionSystem Residuated_Lattices Resolution_FOL Rewrite_Properties_Reduction Rewriting_Z Ribbon_Proofs Risk_Free_Lending Robbins-Conjecture Robinson_Arithmetic Root_Balanced_Tree Roth_Arithmetic_Progressions Routing Roy_Floyd_Warshall SATSolverVerification SCC_Bloemen_Sequential SC_DOM_Components SDS_Impossibility SIFPL SIFUM_Type_Systems SPARCv8 S_Finite_Measure_Monad Safe_Distance Safe_OCL Safe_Range_RC Saturation_Framework Saturation_Framework_Extensions Sauer_Shelah_Lemma Schutz_Spacetime Schwartz_Zippel Secondary_Sylow Security_Protocol_Refinement Selection_Heap_Sort SenSocialChoice Separata Separation_Algebra Separation_Logic_Imperative_HOL Separation_Logic_Unbounded SequentInvertibility Shadow_DOM Shadow_SC_DOM Shivers-CFA ShortestPath Show Sigma_Commit_Crypto Signature_Groebner Simpl Simple_Clause_Learning Simple_Firewall Simplex Simplicial_complexes_and_boolean_functions SimplifiedOntologicalArgument Skew_Heap Skip_Lists Slicing Sliding_Window_Algorithm Smith_Normal_Form Smooth_Manifolds Solidity Sophomores_Dream Sort_Encodings Source_Coding_Theorem SpecCheck Special_Function_Bounds Splay_Tree Sqrt_Babylonian Stable_Matching Stalnaker_Logic Standard_Borel_Spaces Statecharts Stateful_Protocol_Composition_and_Typing Stellar_Quorums Stern_Brocot Stewart_Apollonius Stirling_Formula Stochastic_Matrices Stone_Algebras Stone_Kleene_Relation_Algebras Stone_Relation_Algebras Store_Buffer_Reduction Stream-Fusion Stream_Fusion_Code StrictOmegaCategories Strong_Security Sturm_Sequences Sturm_Tarski Stuttering_Equivalence Subresultants Subset_Boolean_Algebras SumSquares Sunflowers SuperCalc Suppes_Theorem Surprise_Paradox Symmetric_Polynomials Syntax_Independent_Logic Synthetic_Completeness Szemeredi_Regularity Szpilrajn TESL_Language TLA Tail_Recursive_Functions Tarskis_Geometry Taylor_Models Three_Circles Three_Squares Timed_Automata Topological_Semantics Topology TortoiseHare TsirelsonBound Transcendence_Series_Hancl_Rucki Transformer_Semantics Transition_Systems_and_Automata Transitive-Closure Transitive-Closure-II Transitive_Models Transport Treaps Tree-Automata Tree_Decomposition Tree_Enumeration Triangle Trie Turans_Graph_Theorem Twelvefold_Way Two_Generated_Word_Monoids_Intersection Tycon Types_Tableaus_and_Goedels_God Types_To_Sets_Extension UPF UPF_Firewall UTP Undirected_Graph_Theory Universal_Hash_Families Universal_Turing_Machine UpDown_Scheme VYDRA_MDL Valuation Van_Emde_Boas_Trees Van_der_Waerden VectorSpace VeriComp Verified-Prover Verified_SAT_Based_AI_Planning VerifyThis2018 VerifyThis2019 Vickrey_Clarke_Groves Virtual_Substitution VolpanoSmith WHATandWHERE_Security WOOT_Strong_Eventual_Consistency WebAssembly Weight_Balanced_Trees Weighted_Arithmetic_Geometric_Mean Weighted_Path_Order Well_Quasi_Orders Wetzels_Problem Winding_Number_Eval Word_Lib WorkerWrapper X86_Semantics XML Youngs_Inequality ZFC_in_HOL Zeckendorf Zeta_3_Irrational Zeta_Function pGCL Labeled_Transition_Systems Pushdown_Systems