%

\begin{isabellebody}%

\def\isabellecontext{Generic}%

%

\isadelimtheory

\isanewline

\isanewline

%

\endisadelimtheory

%

\isatagtheory

\isacommand{theory}\isamarkupfalse%

\ Generic\isanewline

\isakeyword{imports}\ CPure\isanewline

\isakeyword{begin}%

\endisatagtheory

{\isafoldtheory}%

%

\isadelimtheory

%

\endisadelimtheory

%

\isamarkupchapter{Generic tools and packages \label{ch:gen-tools}%

}

\isamarkuptrue%

%

\isamarkupsection{Specification commands%

}

\isamarkuptrue%

%

\isamarkupsubsection{Derived specifications%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcll}

    \indexdef{}{command}{axiomatization}\mbox{\isa{\isacommand{axiomatization}}} & : & \isarkeep{local{\dsh}theory} & (axiomatic!)\\

    \indexdef{}{command}{definition}\mbox{\isa{\isacommand{definition}}} & : & \isarkeep{local{\dsh}theory} \\

    \indexdef{}{attribute}{defn}\mbox{\isa{defn}} & : & \isaratt \\

    \indexdef{}{command}{abbreviation}\mbox{\isa{\isacommand{abbreviation}}} & : & \isarkeep{local{\dsh}theory} \\

    \indexdef{}{command}{print\_abbrevs}\mbox{\isa{\isacommand{print{\isacharunderscore}abbrevs}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarkeep{theory~|~proof} \\

    \indexdef{}{command}{notation}\mbox{\isa{\isacommand{notation}}} & : & \isarkeep{local{\dsh}theory} \\

    \indexdef{}{command}{no\_notation}\mbox{\isa{\isacommand{no{\isacharunderscore}notation}}} & : & \isarkeep{local{\dsh}theory} \\

  \end{matharray}

  These specification mechanisms provide a slightly more abstract view

  than the underlying primitives of \mbox{\isa{\isacommand{consts}}}, \mbox{\isa{\isacommand{defs}}} (see \secref{sec:consts}), and \mbox{\isa{\isacommand{axioms}}} (see

  \secref{sec:axms-thms}).  In particular, type-inference is commonly

  available, and result names need not be given.

  \begin{rail}

    'axiomatization' target? fixes? ('where' specs)?

    ;

    'definition' target? (decl 'where')? thmdecl? prop

    ;

    'abbreviation' target? mode? (decl 'where')? prop

    ;

    ('notation' | 'no\_notation') target? mode? (nameref structmixfix + 'and')

    ;

    fixes: ((name ('::' type)? mixfix? | vars) + 'and')

    ;

    specs: (thmdecl? props + 'and')

    ;

    decl: name ('::' type)? mixfix?

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{axiomatization}}}~\isa{{\isachardoublequote}c\isactrlsub {\isadigit{1}}\ {\isasymdots}\ c\isactrlsub m\ {\isasymWHERE}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymdots}\ {\isasymphi}\isactrlsub n{\isachardoublequote}}] introduces several constants

  simultaneously and states axiomatic properties for these.  The

  constants are marked as being specified once and for all, which

  prevents additional specifications being issued later on.

  Note that axiomatic specifications are only appropriate when

  declaring a new logical system.  Normal applications should only use

  definitional mechanisms!

  \item [\mbox{\isa{\isacommand{definition}}}~\isa{{\isachardoublequote}c\ {\isasymWHERE}\ eq{\isachardoublequote}}] produces an

  internal definition \isa{{\isachardoublequote}c\ {\isasymequiv}\ t{\isachardoublequote}} according to the specification

  given as \isa{eq}, which is then turned into a proven fact.  The

  given proposition may deviate from internal meta-level equality

  according to the rewrite rules declared as \mbox{\isa{defn}} by the

  object-logic.  This usually covers object-level equality \isa{{\isachardoublequote}x\ {\isacharequal}\ y{\isachardoublequote}} and equivalence \isa{{\isachardoublequote}A\ {\isasymleftrightarrow}\ B{\isachardoublequote}}.  End-users normally need not

  change the \mbox{\isa{defn}} setup.

  Definitions may be presented with explicit arguments on the LHS, as

  well as additional conditions, e.g.\ \isa{{\isachardoublequote}f\ x\ y\ {\isacharequal}\ t{\isachardoublequote}} instead of

  \isa{{\isachardoublequote}f\ {\isasymequiv}\ {\isasymlambda}x\ y{\isachardot}\ t{\isachardoublequote}} and \isa{{\isachardoublequote}y\ {\isasymnoteq}\ {\isadigit{0}}\ {\isasymLongrightarrow}\ g\ x\ y\ {\isacharequal}\ u{\isachardoublequote}} instead of an

  unrestricted \isa{{\isachardoublequote}g\ {\isasymequiv}\ {\isasymlambda}x\ y{\isachardot}\ u{\isachardoublequote}}.

  \item [\mbox{\isa{\isacommand{abbreviation}}}~\isa{{\isachardoublequote}c\ {\isasymWHERE}\ eq{\isachardoublequote}}] introduces

  a syntactic constant which is associated with a certain term

  according to the meta-level equality \isa{eq}.

  Abbreviations participate in the usual type-inference process, but

  are expanded before the logic ever sees them.  Pretty printing of

  terms involves higher-order rewriting with rules stemming from

  reverted abbreviations.  This needs some care to avoid overlapping

  or looping syntactic replacements!

  The optional \isa{mode} specification restricts output to a

  particular print mode; using ``\isa{input}'' here achieves the

  effect of one-way abbreviations.  The mode may also include an

  ``\mbox{\isa{\isakeyword{output}}}'' qualifier that affects the concrete syntax

  declared for abbreviations, cf.\ \mbox{\isa{\isacommand{syntax}}} in

  \secref{sec:syn-trans}.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}abbrevs}}}] prints all constant abbreviations

  of the current context.

  \item [\mbox{\isa{\isacommand{notation}}}~\isa{{\isachardoublequote}c\ {\isacharparenleft}mx{\isacharparenright}{\isachardoublequote}}] associates mixfix

  syntax with an existing constant or fixed variable.  This is a

  robust interface to the underlying \mbox{\isa{\isacommand{syntax}}} primitive

  (\secref{sec:syn-trans}).  Type declaration and internal syntactic

  representation of the given entity is retrieved from the context.

  \item [\mbox{\isa{\isacommand{no{\isacharunderscore}notation}}}] is similar to \mbox{\isa{\isacommand{notation}}}, but removes the specified syntax annotation from the

  present context.

  \end{descr}

  All of these specifications support local theory targets (cf.\

  \secref{sec:target}).%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Generic declarations%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

Arbitrary operations on the background context may be wrapped-up as

  generic declaration elements.  Since the underlying concept of local

  theories may be subject to later re-interpretation, there is an

  additional dependency on a morphism that tells the difference of the

  original declaration context wrt.\ the application context

  encountered later on.  A fact declaration is an important special

  case: it consists of a theorem which is applied to the context by

  means of an attribute.

  \begin{matharray}{rcl}

    \indexdef{}{command}{declaration}\mbox{\isa{\isacommand{declaration}}} & : & \isarkeep{local{\dsh}theory} \\

    \indexdef{}{command}{declare}\mbox{\isa{\isacommand{declare}}} & : & \isarkeep{local{\dsh}theory} \\

  \end{matharray}

  \begin{rail}

    'declaration' target? text

    ;

    'declare' target? (thmrefs + 'and')

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{declaration}}}~\isa{d}] adds the declaration

  function \isa{d} of ML type \verb|declaration|, to the current

  local theory under construction.  In later application contexts, the

  function is transformed according to the morphisms being involved in

  the interpretation hierarchy.

  \item [\mbox{\isa{\isacommand{declare}}}~\isa{thms}] declares theorems to the

  current local theory context.  No theorem binding is involved here,

  unlike \mbox{\isa{\isacommand{theorems}}} or \mbox{\isa{\isacommand{lemmas}}} (cf.\

  \secref{sec:axms-thms}), so \mbox{\isa{\isacommand{declare}}} only has the effect

  of applying attributes as included in the theorem specification.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Local theory targets \label{sec:target}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

A local theory target is a context managed separately within the

  enclosing theory.  Contexts may introduce parameters (fixed

  variables) and assumptions (hypotheses).  Definitions and theorems

  depending on the context may be added incrementally later on.  Named

  contexts refer to locales (cf.\ \secref{sec:locale}) or type classes

  (cf.\ \secref{sec:class}); the name ``\isa{{\isachardoublequote}{\isacharminus}{\isachardoublequote}}'' signifies the

  global theory context.

  \begin{matharray}{rcll}

    \indexdef{}{command}{context}\mbox{\isa{\isacommand{context}}} & : & \isartrans{theory}{local{\dsh}theory} \\

    \indexdef{}{command}{end}\mbox{\isa{\isacommand{end}}} & : & \isartrans{local{\dsh}theory}{theory} \\

  \end{matharray}

  \indexouternonterm{target}

  \begin{rail}

    'context' name 'begin'

    ;

    target: '(' 'in' name ')'

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{context}}}~\isa{{\isachardoublequote}c\ {\isasymBEGIN}{\isachardoublequote}}] recommences an

  existing locale or class context \isa{c}.  Note that locale and

  class definitions allow to include the \indexref{}{keyword}{begin}\mbox{\isa{\isakeyword{begin}}}

  keyword as well, in order to continue the local theory immediately

  after the initial specification.

  \item [\mbox{\isa{\isacommand{end}}}] concludes the current local theory and

  continues the enclosing global theory.  Note that a non-local

  \mbox{\isa{\isacommand{end}}} has a different meaning: it concludes the theory

  itself (\secref{sec:begin-thy}).

  \item [\isa{{\isachardoublequote}{\isacharparenleft}{\isasymIN}\ c{\isacharparenright}{\isachardoublequote}}] given after any local theory command

  specifies an immediate target, e.g.\ ``\mbox{\isa{\isacommand{definition}}}~\isa{{\isachardoublequote}{\isacharparenleft}{\isasymIN}\ c{\isacharparenright}\ {\isasymdots}{\isachardoublequote}}'' or ``\mbox{\isa{\isacommand{theorem}}}~\isa{{\isachardoublequote}{\isacharparenleft}{\isasymIN}\ c{\isacharparenright}\ {\isasymdots}{\isachardoublequote}}''.  This works both in a local or

  global theory context; the current target context will be suspended

  for this command only.  Note that ``\isa{{\isachardoublequote}{\isacharparenleft}{\isasymIN}\ {\isacharminus}{\isacharparenright}{\isachardoublequote}}'' will

  always produce a global result independently of the current target

  context.

  \end{descr}

  The exact meaning of results produced within a local theory context

  depends on the underlying target infrastructure (locale, type class

  etc.).  The general idea is as follows, considering a context named

  \isa{c} with parameter \isa{x} and assumption \isa{{\isachardoublequote}A{\isacharbrackleft}x{\isacharbrackright}{\isachardoublequote}}.

  Definitions are exported by introducing a global version with

  additional arguments; a syntactic abbreviation links the long form

  with the abstract version of the target context.  For example,

  \isa{{\isachardoublequote}a\ {\isasymequiv}\ t{\isacharbrackleft}x{\isacharbrackright}{\isachardoublequote}} becomes \isa{{\isachardoublequote}c{\isachardot}a\ {\isacharquery}x\ {\isasymequiv}\ t{\isacharbrackleft}{\isacharquery}x{\isacharbrackright}{\isachardoublequote}} at the theory

  level (for arbitrary \isa{{\isachardoublequote}{\isacharquery}x{\isachardoublequote}}), together with a local

  abbreviation \isa{{\isachardoublequote}c\ {\isasymequiv}\ c{\isachardot}a\ x{\isachardoublequote}} in the target context (for the

  fixed parameter \isa{x}).

  Theorems are exported by discharging the assumptions and

  generalizing the parameters of the context.  For example, \isa{{\isachardoublequote}a{\isacharcolon}\ B{\isacharbrackleft}x{\isacharbrackright}{\isachardoublequote}} becomes \isa{{\isachardoublequote}c{\isachardot}a{\isacharcolon}\ A{\isacharbrackleft}{\isacharquery}x{\isacharbrackright}\ {\isasymLongrightarrow}\ B{\isacharbrackleft}{\isacharquery}x{\isacharbrackright}{\isachardoublequote}}, again for arbitrary

  \isa{{\isachardoublequote}{\isacharquery}x{\isachardoublequote}}.%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Locales \label{sec:locale}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

Locales are named local contexts, consisting of a list of

  declaration elements that are modeled after the Isar proof context

  commands (cf.\ \secref{sec:proof-context}).%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsubsection{Locale specifications%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcl}

    \indexdef{}{command}{locale}\mbox{\isa{\isacommand{locale}}} & : & \isartrans{theory}{local{\dsh}theory} \\

    \indexdef{}{command}{print\_locale}\mbox{\isa{\isacommand{print{\isacharunderscore}locale}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarkeep{theory~|~proof} \\

    \indexdef{}{command}{print\_locales}\mbox{\isa{\isacommand{print{\isacharunderscore}locales}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarkeep{theory~|~proof} \\

    \indexdef{}{method}{intro\_locales}\mbox{\isa{intro{\isacharunderscore}locales}} & : & \isarmeth \\

    \indexdef{}{method}{unfold\_locales}\mbox{\isa{unfold{\isacharunderscore}locales}} & : & \isarmeth \\

  \end{matharray}

  \indexouternonterm{contextexpr}\indexouternonterm{contextelem}

  \indexisarelem{fixes}\indexisarelem{constrains}\indexisarelem{assumes}

  \indexisarelem{defines}\indexisarelem{notes}\indexisarelem{includes}

  \begin{rail}

    'locale' ('(open)')? name ('=' localeexpr)? 'begin'?

    ;

    'print\_locale' '!'? localeexpr

    ;

    localeexpr: ((contextexpr '+' (contextelem+)) | contextexpr | (contextelem+))

    ;

    contextexpr: nameref | '(' contextexpr ')' |

    (contextexpr (name mixfix? +)) | (contextexpr + '+')

    ;

    contextelem: fixes | constrains | assumes | defines | notes

    ;

    fixes: 'fixes' ((name ('::' type)? structmixfix? | vars) + 'and')

    ;

    constrains: 'constrains' (name '::' type + 'and')

    ;

    assumes: 'assumes' (thmdecl? props + 'and')

    ;

    defines: 'defines' (thmdecl? prop proppat? + 'and')

    ;

    notes: 'notes' (thmdef? thmrefs + 'and')

    ;

    includes: 'includes' contextexpr

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{locale}}}~\isa{{\isachardoublequote}loc\ {\isacharequal}\ import\ {\isacharplus}\ body{\isachardoublequote}}] defines a

  new locale \isa{loc} as a context consisting of a certain view of

  existing locales (\isa{import}) plus some additional elements

  (\isa{body}).  Both \isa{import} and \isa{body} are optional;

  the degenerate form \mbox{\isa{\isacommand{locale}}}~\isa{loc} defines an empty

  locale, which may still be useful to collect declarations of facts

  later on.  Type-inference on locale expressions automatically takes

  care of the most general typing that the combined context elements

  may acquire.

  The \isa{import} consists of a structured context expression,

  consisting of references to existing locales, renamed contexts, or

  merged contexts.  Renaming uses positional notation: \isa{{\isachardoublequote}c\ x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub n{\isachardoublequote}} means that (a prefix of) the fixed

  parameters of context \isa{c} are named \isa{{\isachardoublequote}x\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ x\isactrlsub n{\isachardoublequote}}; a ``\isa{{\isacharunderscore}}'' (underscore) means to skip that

  position.  Renaming by default deletes concrete syntax, but new

  syntax may by specified with a mixfix annotation.  An exeption of

  this rule is the special syntax declared with ``\isa{{\isachardoublequote}{\isacharparenleft}{\isasymSTRUCTURE}{\isacharparenright}{\isachardoublequote}}'' (see below), which is neither deleted nor can it

  be changed.  Merging proceeds from left-to-right, suppressing any

  duplicates stemming from different paths through the import

  hierarchy.

  The \isa{body} consists of basic context elements, further context

  expressions may be included as well.

  \begin{descr}

  \item [\mbox{\isa{\isakeyword{fixes}}}~\isa{{\isachardoublequote}x\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}\ {\isacharparenleft}mx{\isacharparenright}{\isachardoublequote}}] declares a local

  parameter of type \isa{{\isasymtau}} and mixfix annotation \isa{mx} (both

  are optional).  The special syntax declaration ``\isa{{\isachardoublequote}{\isacharparenleft}{\isasymSTRUCTURE}{\isacharparenright}{\isachardoublequote}}'' means that \isa{x} may be referenced

  implicitly in this context.

  \item [\mbox{\isa{\isakeyword{constrains}}}~\isa{{\isachardoublequote}x\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}{\isachardoublequote}}] introduces a type

  constraint \isa{{\isasymtau}} on the local parameter \isa{x}.

  \item [\mbox{\isa{\isakeyword{assumes}}}~\isa{{\isachardoublequote}a{\isacharcolon}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymdots}\ {\isasymphi}\isactrlsub n{\isachardoublequote}}]

  introduces local premises, similar to \mbox{\isa{\isacommand{assume}}} within a

  proof (cf.\ \secref{sec:proof-context}).

  \item [\mbox{\isa{\isakeyword{defines}}}~\isa{{\isachardoublequote}a{\isacharcolon}\ x\ {\isasymequiv}\ t{\isachardoublequote}}] defines a previously

  declared parameter.  This is similar to \mbox{\isa{\isacommand{def}}} within a

  proof (cf.\ \secref{sec:proof-context}), but \mbox{\isa{\isakeyword{defines}}}

  takes an equational proposition instead of variable-term pair.  The

  left-hand side of the equation may have additional arguments, e.g.\

  ``\mbox{\isa{\isakeyword{defines}}}~\isa{{\isachardoublequote}f\ x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub n\ {\isasymequiv}\ t{\isachardoublequote}}''.

  \item [\mbox{\isa{\isakeyword{notes}}}~\isa{{\isachardoublequote}a\ {\isacharequal}\ b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub n{\isachardoublequote}}]

  reconsiders facts within a local context.  Most notably, this may

  include arbitrary declarations in any attribute specifications

  included here, e.g.\ a local \mbox{\isa{simp}} rule.

  \item [\mbox{\isa{\isakeyword{includes}}}~\isa{c}] copies the specified context

  in a statically scoped manner.  Only available in the long goal

  format of \secref{sec:goals}.

  In contrast, the initial \isa{import} specification of a locale

  expression maintains a dynamic relation to the locales being

  referenced (benefiting from any later fact declarations in the

  obvious manner).

  \end{descr}

  Note that ``\isa{{\isachardoublequote}{\isacharparenleft}{\isasymIS}\ p\isactrlsub {\isadigit{1}}\ {\isasymdots}\ p\isactrlsub n{\isacharparenright}{\isachardoublequote}}'' patterns given

  in the syntax of \mbox{\isa{\isakeyword{assumes}}} and \mbox{\isa{\isakeyword{defines}}} above

  are illegal in locale definitions.  In the long goal format of

  \secref{sec:goals}, term bindings may be included as expected,

  though.

  \medskip By default, locale specifications are ``closed up'' by

  turning the given text into a predicate definition \isa{loc{\isacharunderscore}axioms} and deriving the original assumptions as local lemmas

  (modulo local definitions).  The predicate statement covers only the

  newly specified assumptions, omitting the content of included locale

  expressions.  The full cumulative view is only provided on export,

  involving another predicate \isa{loc} that refers to the complete

  specification text.

  In any case, the predicate arguments are those locale parameters

  that actually occur in the respective piece of text.  Also note that

  these predicates operate at the meta-level in theory, but the locale

  packages attempts to internalize statements according to the

  object-logic setup (e.g.\ replacing \isa{{\isasymAnd}} by \isa{{\isasymforall}}, and

  \isa{{\isachardoublequote}{\isasymLongrightarrow}{\isachardoublequote}} by \isa{{\isachardoublequote}{\isasymlongrightarrow}{\isachardoublequote}} in HOL; see also

  \secref{sec:object-logic}).  Separate introduction rules \isa{loc{\isacharunderscore}axioms{\isachardot}intro} and \isa{loc{\isachardot}intro} are provided as well.

  The \isa{{\isachardoublequote}{\isacharparenleft}open{\isacharparenright}{\isachardoublequote}} option of a locale specification prevents both

  the current \isa{loc{\isacharunderscore}axioms} and cumulative \isa{loc} predicate

  constructions.  Predicates are also omitted for empty specification

  texts.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}locale}}}~\isa{{\isachardoublequote}import\ {\isacharplus}\ body{\isachardoublequote}}] prints the

  specified locale expression in a flattened form.  The notable

  special case \mbox{\isa{\isacommand{print{\isacharunderscore}locale}}}~\isa{loc} just prints the

  contents of the named locale, but keep in mind that type-inference

  will normalize type variables according to the usual alphabetical

  order.  The command omits \mbox{\isa{\isakeyword{notes}}} elements by default.

  Use \mbox{\isa{\isacommand{print{\isacharunderscore}locale}}}\isa{{\isachardoublequote}{\isacharbang}{\isachardoublequote}} to get them included.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}locales}}}] prints the names of all locales

  of the current theory.

  \item [\mbox{\isa{intro{\isacharunderscore}locales}} and \mbox{\isa{unfold{\isacharunderscore}locales}}]

  repeatedly expand all introduction rules of locale predicates of the

  theory.  While \mbox{\isa{intro{\isacharunderscore}locales}} only applies the \isa{loc{\isachardot}intro} introduction rules and therefore does not decend to

  assumptions, \mbox{\isa{unfold{\isacharunderscore}locales}} is more aggressive and applies

  \isa{loc{\isacharunderscore}axioms{\isachardot}intro} as well.  Both methods are aware of locale

  specifications entailed by the context, both from target and

  \mbox{\isa{\isakeyword{includes}}} statements, and from interpretations (see

  below).  New goals that are entailed by the current context are

  discharged automatically.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsubsection{Interpretation of locales%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

Locale expressions (more precisely, \emph{context expressions}) may

  be instantiated, and the instantiated facts added to the current

  context.  This requires a proof of the instantiated specification

  and is called \emph{locale interpretation}.  Interpretation is

  possible in theories and locales (command \mbox{\isa{\isacommand{interpretation}}}) and also within a proof body (command \mbox{\isa{\isacommand{interpret}}}).

  \begin{matharray}{rcl}

    \indexdef{}{command}{interpretation}\mbox{\isa{\isacommand{interpretation}}} & : & \isartrans{theory}{proof(prove)} \\

    \indexdef{}{command}{interpret}\mbox{\isa{\isacommand{interpret}}} & : & \isartrans{proof(state) ~|~ proof(chain)}{proof(prove)} \\

    \indexdef{}{command}{print\_interps}\mbox{\isa{\isacommand{print{\isacharunderscore}interps}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : &  \isarkeep{theory~|~proof} \\

  \end{matharray}

  \indexouternonterm{interp}

  \begin{rail}

    'interpretation' (interp | name ('<' | subseteq) contextexpr)

    ;

    'interpret' interp

    ;

    'print\_interps' '!'? name

    ;

    instantiation: ('[' (inst+) ']')?

    ;

    interp: thmdecl? \\ (contextexpr instantiation |

      name instantiation 'where' (thmdecl? prop + 'and'))

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{interpretation}}}~\isa{{\isachardoublequote}expr\ insts\ {\isasymWHERE}\ eqns{\isachardoublequote}}]

  The first form of \mbox{\isa{\isacommand{interpretation}}} interprets \isa{expr} in the theory.  The instantiation is given as a list of terms

  \isa{insts} and is positional.  All parameters must receive an

  instantiation term --- with the exception of defined parameters.

  These are, if omitted, derived from the defining equation and other

  instantiations.  Use ``\isa{{\isacharunderscore}}'' to omit an instantiation term.

  The command generates proof obligations for the instantiated

  specifications (assumes and defines elements).  Once these are

  discharged by the user, instantiated facts are added to the theory

  in a post-processing phase.

  Additional equations, which are unfolded in facts during

  post-processing, may be given after the keyword \mbox{\isa{\isakeyword{where}}}.

  This is useful for interpreting concepts introduced through

  definition specification elements.  The equations must be proved.

  Note that if equations are present, the context expression is

  restricted to a locale name.

  The command is aware of interpretations already active in the

  theory.  No proof obligations are generated for those, neither is

  post-processing applied to their facts.  This avoids duplication of

  interpreted facts, in particular.  Note that, in the case of a

  locale with import, parts of the interpretation may already be

  active.  The command will only generate proof obligations and

  process facts for new parts.

  The context expression may be preceded by a name and/or attributes.

  These take effect in the post-processing of facts.  The name is used

  to prefix fact names, for example to avoid accidental hiding of

  other facts.  Attributes are applied after attributes of the

  interpreted facts.

  Adding facts to locales has the effect of adding interpreted facts

  to the theory for all active interpretations also.  That is,

  interpretations dynamically participate in any facts added to

  locales.

  \item [\mbox{\isa{\isacommand{interpretation}}}~\isa{{\isachardoublequote}name\ {\isasymsubseteq}\ expr{\isachardoublequote}}]

  This form of the command interprets \isa{expr} in the locale

  \isa{name}.  It requires a proof that the specification of \isa{name} implies the specification of \isa{expr}.  As in the

  localized version of the theorem command, the proof is in the

  context of \isa{name}.  After the proof obligation has been

  dischared, the facts of \isa{expr} become part of locale \isa{name} as \emph{derived} context elements and are available when the

  context \isa{name} is subsequently entered.  Note that, like

  import, this is dynamic: facts added to a locale part of \isa{expr} after interpretation become also available in \isa{name}.

  Like facts of renamed context elements, facts obtained by

  interpretation may be accessed by prefixing with the parameter

  renaming (where the parameters are separated by ``\isa{{\isacharunderscore}}'').

  Unlike interpretation in theories, instantiation is confined to the

  renaming of parameters, which may be specified as part of the

  context expression \isa{expr}.  Using defined parameters in \isa{name} one may achieve an effect similar to instantiation, though.

  Only specification fragments of \isa{expr} that are not already

  part of \isa{name} (be it imported, derived or a derived fragment

  of the import) are considered by interpretation.  This enables

  circular interpretations.

  If interpretations of \isa{name} exist in the current theory, the

  command adds interpretations for \isa{expr} as well, with the same

  prefix and attributes, although only for fragments of \isa{expr}

  that are not interpreted in the theory already.

  \item [\mbox{\isa{\isacommand{interpret}}}~\isa{{\isachardoublequote}expr\ insts\ {\isasymWHERE}\ eqns{\isachardoublequote}}]

  interprets \isa{expr} in the proof context and is otherwise

  similar to interpretation in theories.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}interps}}}~\isa{loc}] prints the

  interpretations of a particular locale \isa{loc} that are active

  in the current context, either theory or proof context.  The

  exclamation point argument triggers printing of \emph{witness}

  theorems justifying interpretations.  These are normally omitted

  from the output.

  \end{descr}

  \begin{warn}

    Since attributes are applied to interpreted theorems,

    interpretation may modify the context of common proof tools, e.g.\

    the Simplifier or Classical Reasoner.  Since the behavior of such

    automated reasoning tools is \emph{not} stable under

    interpretation morphisms, manual declarations might have to be

    issued.

  \end{warn}

  \begin{warn}

    An interpretation in a theory may subsume previous

    interpretations.  This happens if the same specification fragment

    is interpreted twice and the instantiation of the second

    interpretation is more general than the interpretation of the

    first.  A warning is issued, since it is likely that these could

    have been generalized in the first place.  The locale package does

    not attempt to remove subsumed interpretations.

  \end{warn}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Classes \label{sec:class}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

A class is a particular locale with \emph{exactly one} type variable

  \isa{{\isasymalpha}}.  Beyond the underlying locale, a corresponding type class

  is established which is interpreted logically as axiomatic type

  class \cite{Wenzel:1997:TPHOL} whose logical content are the

  assumptions of the locale.  Thus, classes provide the full

  generality of locales combined with the commodity of type classes

  (notably type-inference).  See \cite{isabelle-classes} for a short

  tutorial.

  \begin{matharray}{rcl}

    \indexdef{}{command}{class}\mbox{\isa{\isacommand{class}}} & : & \isartrans{theory}{local{\dsh}theory} \\

    \indexdef{}{command}{instantiation}\mbox{\isa{\isacommand{instantiation}}} & : & \isartrans{theory}{local{\dsh}theory} \\

    \indexdef{}{command}{instance}\mbox{\isa{\isacommand{instance}}} & : & \isartrans{local{\dsh}theory}{local{\dsh}theory} \\

    \indexdef{}{command}{subclass}\mbox{\isa{\isacommand{subclass}}} & : & \isartrans{local{\dsh}theory}{local{\dsh}theory} \\

    \indexdef{}{command}{print\_classes}\mbox{\isa{\isacommand{print{\isacharunderscore}classes}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarkeep{theory~|~proof} \\

    \indexdef{}{method}{intro\_classes}\mbox{\isa{intro{\isacharunderscore}classes}} & : & \isarmeth \\

  \end{matharray}

  \begin{rail}

    'class' name '=' ((superclassexpr '+' (contextelem+)) | superclassexpr | (contextelem+)) \\

      'begin'?

    ;

    'instantiation' (nameref + 'and') '::' arity 'begin'

    ;

    'instance'

    ;

    'subclass' target? nameref

    ;

    'print\_classes'

    ;

    superclassexpr: nameref | (nameref '+' superclassexpr)

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{class}}}~\isa{{\isachardoublequote}c\ {\isacharequal}\ superclasses\ {\isacharplus}\ body{\isachardoublequote}}] defines

  a new class \isa{c}, inheriting from \isa{superclasses}.  This

  introduces a locale \isa{c} with import of all locales \isa{superclasses}.

  Any \mbox{\isa{\isakeyword{fixes}}} in \isa{body} are lifted to the global

  theory level (\emph{class operations} \isa{{\isachardoublequote}f\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ f\isactrlsub n{\isachardoublequote}} of class \isa{c}), mapping the local type parameter

  \isa{{\isasymalpha}} to a schematic type variable \isa{{\isachardoublequote}{\isacharquery}{\isasymalpha}\ {\isacharcolon}{\isacharcolon}\ c{\isachardoublequote}}.

  Likewise, \mbox{\isa{\isakeyword{assumes}}} in \isa{body} are also lifted,

  mapping each local parameter \isa{{\isachardoublequote}f\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}{\isacharbrackleft}{\isasymalpha}{\isacharbrackright}{\isachardoublequote}} to its

  corresponding global constant \isa{{\isachardoublequote}f\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}{\isacharbrackleft}{\isacharquery}{\isasymalpha}\ {\isacharcolon}{\isacharcolon}\ c{\isacharbrackright}{\isachardoublequote}}.  The

  corresponding introduction rule is provided as \isa{c{\isacharunderscore}class{\isacharunderscore}axioms{\isachardot}intro}.  This rule should be rarely needed directly

  --- the \mbox{\isa{intro{\isacharunderscore}classes}} method takes care of the details of

  class membership proofs.

  \item [\mbox{\isa{\isacommand{instantiation}}}~\isa{{\isachardoublequote}t\ {\isacharcolon}{\isacharcolon}\ {\isacharparenleft}s\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ s\isactrlsub n{\isacharparenright}\ s\ {\isasymBEGIN}{\isachardoublequote}}] opens a theory target (cf.\

  \secref{sec:target}) which allows to specify class operations \isa{{\isachardoublequote}f\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ f\isactrlsub n{\isachardoublequote}} corresponding to sort \isa{s} at the

  particular type instance \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ s\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ s\isactrlsub n{\isacharparenright}\ t{\isachardoublequote}}.  A plain \mbox{\isa{\isacommand{instance}}} command

  in the target body poses a goal stating these type arities.  The

  target is concluded by an \indexref{}{command}{end}\mbox{\isa{\isacommand{end}}} command.

  Note that a list of simultaneous type constructors may be given;

  this corresponds nicely to mutual recursive type definitions, e.g.\

  in Isabelle/HOL.

  \item [\mbox{\isa{\isacommand{instance}}}] in an instantiation target body sets

  up a goal stating the type arities claimed at the opening \mbox{\isa{\isacommand{instantiation}}}.  The proof would usually proceed by \mbox{\isa{intro{\isacharunderscore}classes}}, and then establish the characteristic theorems of

  the type classes involved.  After finishing the proof, the

  background theory will be augmented by the proven type arities.

  \item [\mbox{\isa{\isacommand{subclass}}}~\isa{c}] in a class context for class

  \isa{d} sets up a goal stating that class \isa{c} is logically

  contained in class \isa{d}.  After finishing the proof, class

  \isa{d} is proven to be subclass \isa{c} and the locale \isa{c} is interpreted into \isa{d} simultaneously.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}classes}}}] prints all classes in the current

  theory.

  \item [\mbox{\isa{intro{\isacharunderscore}classes}}] repeatedly expands all class

  introduction rules of this theory.  Note that this method usually

  needs not be named explicitly, as it is already included in the

  default proof step (e.g.\ of \mbox{\isa{\isacommand{proof}}}).  In particular,

  instantiation of trivial (syntactic) classes may be performed by a

  single ``\mbox{\isa{\isacommand{{\isachardot}{\isachardot}}}}'' proof step.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsubsection{The class target%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

%FIXME check

  A named context may refer to a locale (cf.\ \secref{sec:target}).

  If this locale is also a class \isa{c}, apart from the common

  locale target behaviour the following happens.

  \begin{itemize}

  \item Local constant declarations \isa{{\isachardoublequote}g{\isacharbrackleft}{\isasymalpha}{\isacharbrackright}{\isachardoublequote}} referring to the

  local type parameter \isa{{\isasymalpha}} and local parameters \isa{{\isachardoublequote}f{\isacharbrackleft}{\isasymalpha}{\isacharbrackright}{\isachardoublequote}}

  are accompanied by theory-level constants \isa{{\isachardoublequote}g{\isacharbrackleft}{\isacharquery}{\isasymalpha}\ {\isacharcolon}{\isacharcolon}\ c{\isacharbrackright}{\isachardoublequote}}

  referring to theory-level class operations \isa{{\isachardoublequote}f{\isacharbrackleft}{\isacharquery}{\isasymalpha}\ {\isacharcolon}{\isacharcolon}\ c{\isacharbrackright}{\isachardoublequote}}.

  \item Local theorem bindings are lifted as are assumptions.

  \item Local syntax refers to local operations \isa{{\isachardoublequote}g{\isacharbrackleft}{\isasymalpha}{\isacharbrackright}{\isachardoublequote}} and

  global operations \isa{{\isachardoublequote}g{\isacharbrackleft}{\isacharquery}{\isasymalpha}\ {\isacharcolon}{\isacharcolon}\ c{\isacharbrackright}{\isachardoublequote}} uniformly.  Type inference

  resolves ambiguities.  In rare cases, manual type annotations are

  needed.

  \end{itemize}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Axiomatic type classes \label{sec:axclass}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcl}

    \indexdef{}{command}{axclass}\mbox{\isa{\isacommand{axclass}}} & : & \isartrans{theory}{theory} \\

    \indexdef{}{command}{instance}\mbox{\isa{\isacommand{instance}}} & : & \isartrans{theory}{proof(prove)} \\

  \end{matharray}

  Axiomatic type classes are Isabelle/Pure's primitive

  \emph{definitional} interface to type classes.  For practical

  applications, you should consider using classes

  (cf.~\secref{sec:classes}) which provide high level interface.

  \begin{rail}

    'axclass' classdecl (axmdecl prop +)

    ;

    'instance' (nameref ('<' | subseteq) nameref | nameref '::' arity)

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{axclass}}}~\isa{{\isachardoublequote}c\ {\isasymsubseteq}\ c\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n\ axms{\isachardoublequote}}] defines an axiomatic type class as the intersection of

  existing classes, with additional axioms holding.  Class axioms may

  not contain more than one type variable.  The class axioms (with

  implicit sort constraints added) are bound to the given names.

  Furthermore a class introduction rule is generated (being bound as

  \isa{c{\isacharunderscore}class{\isachardot}intro}); this rule is employed by method \mbox{\isa{intro{\isacharunderscore}classes}} to support instantiation proofs of this class.

  The ``class axioms'' are stored as theorems according to the given

  name specifications, adding \isa{{\isachardoublequote}c{\isacharunderscore}class{\isachardoublequote}} as name space prefix;

  the same facts are also stored collectively as \isa{c{\isacharunderscore}class{\isachardot}axioms}.

  \item [\mbox{\isa{\isacommand{instance}}}~\isa{{\isachardoublequote}c\isactrlsub {\isadigit{1}}\ {\isasymsubseteq}\ c\isactrlsub {\isadigit{2}}{\isachardoublequote}} and

  \mbox{\isa{\isacommand{instance}}}~\isa{{\isachardoublequote}t\ {\isacharcolon}{\isacharcolon}\ {\isacharparenleft}s\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ s\isactrlsub n{\isacharparenright}\ s{\isachardoublequote}}]

  setup a goal stating a class relation or type arity.  The proof

  would usually proceed by \mbox{\isa{intro{\isacharunderscore}classes}}, and then establish

  the characteristic theorems of the type classes involved.  After

  finishing the proof, the theory will be augmented by a type

  signature declaration corresponding to the resulting theorem.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Arbitrary overloading%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

Isabelle/Pure's definitional schemes support certain forms of

  overloading (see \secref{sec:consts}).  At most occassions

  overloading will be used in a Haskell-like fashion together with

  type classes by means of \mbox{\isa{\isacommand{instantiation}}} (see

  \secref{sec:class}).  Sometimes low-level overloading is desirable.

  The \mbox{\isa{\isacommand{overloading}}} target provides a convenient view for

  end-users.

  \begin{matharray}{rcl}

    \indexdef{}{command}{overloading}\mbox{\isa{\isacommand{overloading}}} & : & \isartrans{theory}{local{\dsh}theory} \\

  \end{matharray}

  \begin{rail}

    'overloading' \\

    ( string ( '==' | equiv ) term ( '(' 'unchecked' ')' )? + ) 'begin'

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{overloading}}}~\isa{{\isachardoublequote}x\isactrlsub {\isadigit{1}}\ {\isasymequiv}\ c\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}\isactrlsub {\isadigit{1}}\ {\isasymAND}\ {\isasymdots}\ x\isactrlsub n\ {\isasymequiv}\ c\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ {\isasymtau}\isactrlsub n\ {\isasymBEGIN}{\isachardoublequote}}]

  opens a theory target (cf.\ \secref{sec:target}) which allows to

  specify constants with overloaded definitions.  These are identified

  by an explicitly given mapping from variable names \isa{{\isachardoublequote}x\isactrlsub i{\isachardoublequote}} to constants \isa{{\isachardoublequote}c\isactrlsub i{\isachardoublequote}} at particular type

  instances.  The definitions themselves are established using common

  specification tools, using the names \isa{{\isachardoublequote}x\isactrlsub i{\isachardoublequote}} as

  reference to the corresponding constants.  The target is concluded

  by \mbox{\isa{\isacommand{end}}}.

  A \isa{{\isachardoublequote}{\isacharparenleft}unchecked{\isacharparenright}{\isachardoublequote}} option disables global dependency checks for

  the corresponding definition, which is occasionally useful for

  exotic overloading.  It is at the discretion of the user to avoid

  malformed theory specifications!

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Configuration options%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

Isabelle/Pure maintains a record of named configuration options

  within the theory or proof context, with values of type \verb|bool|, \verb|int|, or \verb|string|.  Tools may declare

  options in ML, and then refer to these values (relative to the

  context).  Thus global reference variables are easily avoided.  The

  user may change the value of a configuration option by means of an

  associated attribute of the same name.  This form of context

  declaration works particularly well with commands such as \mbox{\isa{\isacommand{declare}}} or \mbox{\isa{\isacommand{using}}}.

  For historical reasons, some tools cannot take the full proof

  context into account and merely refer to the background theory.

  This is accommodated by configuration options being declared as

  ``global'', which may not be changed within a local context.

  \begin{matharray}{rcll}

    \indexdef{}{command}{print\_configs}\mbox{\isa{\isacommand{print{\isacharunderscore}configs}}} & : & \isarkeep{theory~|~proof} \\

  \end{matharray}

  \begin{rail}

    name ('=' ('true' | 'false' | int | name))?

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}configs}}}] prints the available

  configuration options, with names, types, and current values.

  \item [\isa{{\isachardoublequote}name\ {\isacharequal}\ value{\isachardoublequote}}] as an attribute expression modifies

  the named option, with the syntax of the value depending on the

  option's type.  For \verb|bool| the default value is \isa{true}.  Any attempt to change a global option in a local context is

  ignored.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsection{Derived proof schemes%

}

\isamarkuptrue%

%

\isamarkupsubsection{Generalized elimination \label{sec:obtain}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcl}

    \indexdef{}{command}{obtain}\mbox{\isa{\isacommand{obtain}}} & : & \isartrans{proof(state)}{proof(prove)} \\

    \indexdef{}{command}{guess}\mbox{\isa{\isacommand{guess}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isartrans{proof(state)}{proof(prove)} \\

  \end{matharray}

  Generalized elimination means that additional elements with certain

  properties may be introduced in the current context, by virtue of a

  locally proven ``soundness statement''.  Technically speaking, the

  \mbox{\isa{\isacommand{obtain}}} language element is like a declaration of

  \mbox{\isa{\isacommand{fix}}} and \mbox{\isa{\isacommand{assume}}} (see also see

  \secref{sec:proof-context}), together with a soundness proof of its

  additional claim.  According to the nature of existential reasoning,

  assumptions get eliminated from any result exported from the context

  later, provided that the corresponding parameters do \emph{not}

  occur in the conclusion.

  \begin{rail}

    'obtain' parname? (vars + 'and') 'where' (props + 'and')

    ;

    'guess' (vars + 'and')

    ;

  \end{rail}

  The derived Isar command \mbox{\isa{\isacommand{obtain}}} is defined as follows

  (where \isa{{\isachardoublequote}b\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ b\isactrlsub k{\isachardoublequote}} shall refer to (optional)

  facts indicated for forward chaining).

  \begin{matharray}{l}

    \isa{{\isachardoublequote}{\isasymlangle}using\ b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub k{\isasymrangle}{\isachardoublequote}}~~\mbox{\isa{\isacommand{obtain}}}~\isa{{\isachardoublequote}x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub m\ {\isasymWHERE}\ a{\isacharcolon}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymdots}\ {\isasymphi}\isactrlsub n\ \ {\isasymlangle}proof{\isasymrangle}\ {\isasymequiv}{\isachardoublequote}} \\[1ex]

    \quad \mbox{\isa{\isacommand{have}}}~\isa{{\isachardoublequote}{\isasymAnd}thesis{\isachardot}\ {\isacharparenleft}{\isasymAnd}x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub m{\isachardot}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymLongrightarrow}\ {\isasymdots}\ {\isasymphi}\isactrlsub n\ {\isasymLongrightarrow}\ thesis{\isacharparenright}\ {\isasymLongrightarrow}\ thesis{\isachardoublequote}} \\

    \quad \mbox{\isa{\isacommand{proof}}}~\isa{succeed} \\

    \qquad \mbox{\isa{\isacommand{fix}}}~\isa{thesis} \\

    \qquad \mbox{\isa{\isacommand{assume}}}~\isa{{\isachardoublequote}that\ {\isacharbrackleft}Pure{\isachardot}intro{\isacharquery}{\isacharbrackright}{\isacharcolon}\ {\isasymAnd}x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub m{\isachardot}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymLongrightarrow}\ {\isasymdots}\ {\isasymphi}\isactrlsub n\ {\isasymLongrightarrow}\ thesis{\isachardoublequote}} \\

    \qquad \mbox{\isa{\isacommand{then}}}~\mbox{\isa{\isacommand{show}}}~\isa{thesis} \\

    \quad\qquad \mbox{\isa{\isacommand{apply}}}~\isa{{\isacharminus}} \\

    \quad\qquad \mbox{\isa{\isacommand{using}}}~\isa{{\isachardoublequote}b\isactrlsub {\isadigit{1}}\ {\isasymdots}\ b\isactrlsub k\ \ {\isasymlangle}proof{\isasymrangle}{\isachardoublequote}} \\

    \quad \mbox{\isa{\isacommand{qed}}} \\

    \quad \mbox{\isa{\isacommand{fix}}}~\isa{{\isachardoublequote}x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub m{\isachardoublequote}}~\mbox{\isa{\isacommand{assume}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}\ a{\isacharcolon}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymdots}\ {\isasymphi}\isactrlsub n{\isachardoublequote}} \\

  \end{matharray}

  Typically, the soundness proof is relatively straight-forward, often

  just by canonical automated tools such as ``\mbox{\isa{\isacommand{by}}}~\isa{simp}'' or ``\mbox{\isa{\isacommand{by}}}~\isa{blast}''.  Accordingly, the

  ``\isa{that}'' reduction above is declared as simplification and

  introduction rule.

  In a sense, \mbox{\isa{\isacommand{obtain}}} represents at the level of Isar

  proofs what would be meta-logical existential quantifiers and

  conjunctions.  This concept has a broad range of useful

  applications, ranging from plain elimination (or introduction) of

  object-level existential and conjunctions, to elimination over

  results of symbolic evaluation of recursive definitions, for

  example.  Also note that \mbox{\isa{\isacommand{obtain}}} without parameters acts

  much like \mbox{\isa{\isacommand{have}}}, where the result is treated as a

  genuine assumption.

  An alternative name to be used instead of ``\isa{that}'' above may

  be given in parentheses.

  \medskip The improper variant \mbox{\isa{\isacommand{guess}}} is similar to

  \mbox{\isa{\isacommand{obtain}}}, but derives the obtained statement from the

  course of reasoning!  The proof starts with a fixed goal \isa{thesis}.  The subsequent proof may refine this to anything of the

  form like \isa{{\isachardoublequote}{\isasymAnd}x\isactrlsub {\isadigit{1}}\ {\isasymdots}\ x\isactrlsub m{\isachardot}\ {\isasymphi}\isactrlsub {\isadigit{1}}\ {\isasymLongrightarrow}\ {\isasymdots}\ {\isasymphi}\isactrlsub n\ {\isasymLongrightarrow}\ thesis{\isachardoublequote}}, but must not introduce new subgoals.  The

  final goal state is then used as reduction rule for the obtain

  scheme described above.  Obtained parameters \isa{{\isachardoublequote}x\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ x\isactrlsub m{\isachardoublequote}} are marked as internal by default, which prevents the

  proof context from being polluted by ad-hoc variables.  The variable

  names and type constraints given as arguments for \mbox{\isa{\isacommand{guess}}}

  specify a prefix of obtained parameters explicitly in the text.

  It is important to note that the facts introduced by \mbox{\isa{\isacommand{obtain}}} and \mbox{\isa{\isacommand{guess}}} may not be polymorphic: any

  type-variables occurring here are fixed in the present context!%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsubsection{Calculational reasoning \label{sec:calculation}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcl}

    \indexdef{}{command}{also}\mbox{\isa{\isacommand{also}}} & : & \isartrans{proof(state)}{proof(state)} \\

    \indexdef{}{command}{finally}\mbox{\isa{\isacommand{finally}}} & : & \isartrans{proof(state)}{proof(chain)} \\

    \indexdef{}{command}{moreover}\mbox{\isa{\isacommand{moreover}}} & : & \isartrans{proof(state)}{proof(state)} \\

    \indexdef{}{command}{ultimately}\mbox{\isa{\isacommand{ultimately}}} & : & \isartrans{proof(state)}{proof(chain)} \\

    \indexdef{}{command}{print\_trans\_rules}\mbox{\isa{\isacommand{print{\isacharunderscore}trans{\isacharunderscore}rules}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarkeep{theory~|~proof} \\

    \mbox{\isa{trans}} & : & \isaratt \\

    \mbox{\isa{sym}} & : & \isaratt \\

    \mbox{\isa{symmetric}} & : & \isaratt \\

  \end{matharray}

  Calculational proof is forward reasoning with implicit application

  of transitivity rules (such those of \isa{{\isachardoublequote}{\isacharequal}{\isachardoublequote}}, \isa{{\isachardoublequote}{\isasymle}{\isachardoublequote}},

  \isa{{\isachardoublequote}{\isacharless}{\isachardoublequote}}).  Isabelle/Isar maintains an auxiliary fact register

  \indexref{}{fact}{calculation}\mbox{\isa{calculation}} for accumulating results obtained by

  transitivity composed with the current result.  Command \mbox{\isa{\isacommand{also}}} updates \mbox{\isa{calculation}} involving \mbox{\isa{this}}, while

  \mbox{\isa{\isacommand{finally}}} exhibits the final \mbox{\isa{calculation}} by

  forward chaining towards the next goal statement.  Both commands

  require valid current facts, i.e.\ may occur only after commands

  that produce theorems such as \mbox{\isa{\isacommand{assume}}}, \mbox{\isa{\isacommand{note}}}, or some finished proof of \mbox{\isa{\isacommand{have}}}, \mbox{\isa{\isacommand{show}}} etc.  The \mbox{\isa{\isacommand{moreover}}} and \mbox{\isa{\isacommand{ultimately}}}

  commands are similar to \mbox{\isa{\isacommand{also}}} and \mbox{\isa{\isacommand{finally}}},

  but only collect further results in \mbox{\isa{calculation}} without

  applying any rules yet.

  Also note that the implicit term abbreviation ``\isa{{\isachardoublequote}{\isasymdots}{\isachardoublequote}}'' has

  its canonical application with calculational proofs.  It refers to

  the argument of the preceding statement. (The argument of a curried

  infix expression happens to be its right-hand side.)

  Isabelle/Isar calculations are implicitly subject to block structure

  in the sense that new threads of calculational reasoning are

  commenced for any new block (as opened by a local goal, for

  example).  This means that, apart from being able to nest

  calculations, there is no separate \emph{begin-calculation} command

  required.

  \medskip The Isar calculation proof commands may be defined as

  follows:\footnote{We suppress internal bookkeeping such as proper

  handling of block-structure.}

  \begin{matharray}{rcl}

    \mbox{\isa{\isacommand{also}}}\isa{{\isachardoublequote}\isactrlsub {\isadigit{0}}{\isachardoublequote}} & \equiv & \mbox{\isa{\isacommand{note}}}~\isa{{\isachardoublequote}calculation\ {\isacharequal}\ this{\isachardoublequote}} \\

    \mbox{\isa{\isacommand{also}}}\isa{{\isachardoublequote}\isactrlsub n\isactrlsub {\isacharplus}\isactrlsub {\isadigit{1}}{\isachardoublequote}} & \equiv & \mbox{\isa{\isacommand{note}}}~\isa{{\isachardoublequote}calculation\ {\isacharequal}\ trans\ {\isacharbrackleft}OF\ calculation\ this{\isacharbrackright}{\isachardoublequote}} \\[0.5ex]

    \mbox{\isa{\isacommand{finally}}} & \equiv & \mbox{\isa{\isacommand{also}}}~\mbox{\isa{\isacommand{from}}}~\isa{calculation} \\[0.5ex]

    \mbox{\isa{\isacommand{moreover}}} & \equiv & \mbox{\isa{\isacommand{note}}}~\isa{{\isachardoublequote}calculation\ {\isacharequal}\ calculation\ this{\isachardoublequote}} \\

    \mbox{\isa{\isacommand{ultimately}}} & \equiv & \mbox{\isa{\isacommand{moreover}}}~\mbox{\isa{\isacommand{from}}}~\isa{calculation} \\

  \end{matharray}

  \begin{rail}

    ('also' | 'finally') ('(' thmrefs ')')?

    ;

    'trans' (() | 'add' | 'del')

    ;

  \end{rail}

  \begin{descr}

  \item [\mbox{\isa{\isacommand{also}}}~\isa{{\isachardoublequote}{\isacharparenleft}a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n{\isacharparenright}{\isachardoublequote}}]

  maintains the auxiliary \mbox{\isa{calculation}} register as follows.

  The first occurrence of \mbox{\isa{\isacommand{also}}} in some calculational

  thread initializes \mbox{\isa{calculation}} by \mbox{\isa{this}}. Any

  subsequent \mbox{\isa{\isacommand{also}}} on the same level of block-structure

  updates \mbox{\isa{calculation}} by some transitivity rule applied to

  \mbox{\isa{calculation}} and \mbox{\isa{this}} (in that order).  Transitivity

  rules are picked from the current context, unless alternative rules

  are given as explicit arguments.

  \item [\mbox{\isa{\isacommand{finally}}}~\isa{{\isachardoublequote}{\isacharparenleft}a\isactrlsub {\isadigit{1}}\ {\isasymdots}\ a\isactrlsub n{\isacharparenright}{\isachardoublequote}}]

  maintaining \mbox{\isa{calculation}} in the same way as \mbox{\isa{\isacommand{also}}}, and concludes the current calculational thread.  The final

  result is exhibited as fact for forward chaining towards the next

  goal. Basically, \mbox{\isa{\isacommand{finally}}} just abbreviates \mbox{\isa{\isacommand{also}}}~\mbox{\isa{\isacommand{from}}}~\mbox{\isa{calculation}}.  Typical idioms for

  concluding calculational proofs are ``\mbox{\isa{\isacommand{finally}}}~\mbox{\isa{\isacommand{show}}}~\isa{{\isacharquery}thesis}~\mbox{\isa{\isacommand{{\isachardot}}}}'' and ``\mbox{\isa{\isacommand{finally}}}~\mbox{\isa{\isacommand{have}}}~\isa{{\isasymphi}}~\mbox{\isa{\isacommand{{\isachardot}}}}''.

  \item [\mbox{\isa{\isacommand{moreover}}} and \mbox{\isa{\isacommand{ultimately}}}] are

  analogous to \mbox{\isa{\isacommand{also}}} and \mbox{\isa{\isacommand{finally}}}, but collect

  results only, without applying rules.

  \item [\mbox{\isa{\isacommand{print{\isacharunderscore}trans{\isacharunderscore}rules}}}] prints the list of

  transitivity rules (for calculational commands \mbox{\isa{\isacommand{also}}} and

  \mbox{\isa{\isacommand{finally}}}) and symmetry rules (for the \mbox{\isa{symmetric}} operation and single step elimination patters) of the

  current context.

  \item [\mbox{\isa{trans}}] declares theorems as transitivity rules.

  \item [\mbox{\isa{sym}}] declares symmetry rules, as well as

  \mbox{\isa{Pure{\isachardot}elim{\isacharquery}}} rules.

  \item [\mbox{\isa{symmetric}}] resolves a theorem with some rule

  declared as \mbox{\isa{sym}} in the current context.  For example,

  ``\mbox{\isa{\isacommand{assume}}}~\isa{{\isachardoublequote}{\isacharbrackleft}symmetric{\isacharbrackright}{\isacharcolon}\ x\ {\isacharequal}\ y{\isachardoublequote}}'' produces a

  swapped fact derived from that assumption.

  In structured proof texts it is often more appropriate to use an

  explicit single-step elimination proof, such as ``\mbox{\isa{\isacommand{assume}}}~\isa{{\isachardoublequote}x\ {\isacharequal}\ y{\isachardoublequote}}~\mbox{\isa{\isacommand{then}}}~\mbox{\isa{\isacommand{have}}}~\isa{{\isachardoublequote}y\ {\isacharequal}\ x{\isachardoublequote}}~\mbox{\isa{\isacommand{{\isachardot}{\isachardot}}}}''.

  \end{descr}%

\end{isamarkuptext}%

\isamarkuptrue%

%

\isamarkupsection{Proof tools%

}

\isamarkuptrue%

%

\isamarkupsubsection{Miscellaneous methods and attributes \label{sec:misc-meth-att}%

}

\isamarkuptrue%

%

\begin{isamarkuptext}%

\begin{matharray}{rcl}

    \indexdef{}{method}{unfold}\mbox{\isa{unfold}} & : & \isarmeth \\

    \indexdef{}{method}{fold}\mbox{\isa{fold}} & : & \isarmeth \\

    \indexdef{}{method}{insert}\mbox{\isa{insert}} & : & \isarmeth \\[0.5ex]

    \indexdef{}{method}{erule}\mbox{\isa{erule}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarmeth \\

    \indexdef{}{method}{drule}\mbox{\isa{drule}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarmeth \\

    \indexdef{}{method}{frule}\mbox{\isa{frule}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isarmeth \\