%

 \begin{isabellebody}%

 \def\isabellecontext{HOL{\isacharunderscore}Specific}%

 %

 \isadelimtheory

 %

 \endisadelimtheory

 %

 \isatagtheory

 \isacommand{theory}\isamarkupfalse%

 \ HOL{\isacharunderscore}Specific\isanewline

 \isakeyword{imports}\ Main\isanewline

 \isakeyword{begin}%

 \endisatagtheory

 {\isafoldtheory}%

 %

 \isadelimtheory

 %

 \endisadelimtheory

 %

 \isamarkupchapter{Isabelle/HOL \label{ch:hol}%

 }

 \isamarkuptrue%

 %

 \isamarkupsection{Typedef axiomatization \label{sec:hol-typedef}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{command}{typedef}\hypertarget{command.HOL.typedef}{\hyperlink{command.HOL.typedef}{\mbox{\isa{\isacommand{typedef}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'typedef' altname? abstype '=' repset

     ;

     altname: '(' (name | 'open' | 'open' name) ')'

     ;

     abstype: typespecsorts mixfix?

     ;

     repset: term ('morphisms' name name)?

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.typedef}{\mbox{\isa{\isacommand{typedef}}}}~\isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub n{\isacharparenright}\ t\ {\isacharequal}\ A{\isachardoublequote}}

   axiomatizes a Gordon/HOL-style type definition in the background

   theory of the current context, depending on a non-emptiness result

   of the set \isa{A} (which needs to be proven interactively).

   The raw type may not depend on parameters or assumptions of the

   context --- this is logically impossible in Isabelle/HOL --- but the

   non-emptiness property can be local, potentially resulting in

   multiple interpretations in target contexts.  Thus the established

   bijection between the representing set \isa{A} and the new type

   \isa{t} may semantically depend on local assumptions.

   By default, \hyperlink{command.HOL.typedef}{\mbox{\isa{\isacommand{typedef}}}} defines both a type \isa{t}

   and a set (term constant) of the same name, unless an alternative

   base name is given in parentheses, or the ``\isa{{\isachardoublequote}{\isacharparenleft}open{\isacharparenright}{\isachardoublequote}}''

   declaration is used to suppress a separate constant definition

   altogether.  The injection from type to set is called \isa{Rep{\isacharunderscore}t},

   its inverse \isa{Abs{\isacharunderscore}t} --- this may be changed via an explicit

   \hyperlink{keyword.HOL.morphisms}{\mbox{\isa{\isakeyword{morphisms}}}} declaration.

   Theorems \isa{Rep{\isacharunderscore}t}, \isa{Rep{\isacharunderscore}t{\isacharunderscore}inverse}, and \isa{Abs{\isacharunderscore}t{\isacharunderscore}inverse} provide the most basic characterization as a

   corresponding injection/surjection pair (in both directions).  Rules

   \isa{Rep{\isacharunderscore}t{\isacharunderscore}inject} and \isa{Abs{\isacharunderscore}t{\isacharunderscore}inject} provide a slightly

   more convenient view on the injectivity part, suitable for automated

   proof tools (e.g.\ in \hyperlink{attribute.simp}{\mbox{\isa{simp}}} or \hyperlink{attribute.iff}{\mbox{\isa{iff}}}

   declarations).  Rules \isa{Rep{\isacharunderscore}t{\isacharunderscore}cases}/\isa{Rep{\isacharunderscore}t{\isacharunderscore}induct}, and

   \isa{Abs{\isacharunderscore}t{\isacharunderscore}cases}/\isa{Abs{\isacharunderscore}t{\isacharunderscore}induct} provide alternative views

   on surjectivity; these are already declared as set or type rules for

   the generic \hyperlink{method.cases}{\mbox{\isa{cases}}} and \hyperlink{method.induct}{\mbox{\isa{induct}}} methods.

   An alternative name for the set definition (and other derived

   entities) may be specified in parentheses; the default is to use

   \isa{t} as indicated before.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Adhoc tuples%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \hyperlink{attribute.HOL.split-format}{\mbox{\isa{split{\isacharunderscore}format}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{attribute} \\

   \end{matharray}

   \begin{rail}

     'split\_format' ((( name * ) + 'and') | ('(' 'complete' ')'))

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{attribute.HOL.split-format}{\mbox{\isa{split{\isacharunderscore}format}}}~\isa{{\isachardoublequote}p\isactrlsub {\isadigit{1}}\ {\isasymdots}\ p\isactrlsub m\ {\isasymAND}\ {\isasymdots}\ {\isasymAND}\ q\isactrlsub {\isadigit{1}}\ {\isasymdots}\ q\isactrlsub n{\isachardoublequote}} puts expressions of low-level tuple types into

   canonical form as specified by the arguments given; the \isa{i}-th

   collection of arguments refers to occurrences in premise \isa{i}

   of the rule.  The ``\isa{{\isachardoublequote}{\isacharparenleft}complete{\isacharparenright}{\isachardoublequote}}'' option causes \emph{all}

   arguments in function applications to be represented canonically

   according to their tuple type structure.

   Note that these operations tend to invent funny names for new local

   parameters to be introduced.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Records \label{sec:hol-record}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 In principle, records merely generalize the concept of tuples, where

   components may be addressed by labels instead of just position.  The

   logical infrastructure of records in Isabelle/HOL is slightly more

   advanced, though, supporting truly extensible record schemes.  This

   admits operations that are polymorphic with respect to record

   extension, yielding ``object-oriented'' effects like (single)

   inheritance.  See also \cite{NaraschewskiW-TPHOLs98} for more

   details on object-oriented verification and record subtyping in HOL.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Basic concepts%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Isabelle/HOL supports both \emph{fixed} and \emph{schematic} records

   at the level of terms and types.  The notation is as follows:

   \begin{center}

   \begin{tabular}{l|l|l}

     & record terms & record types \\ \hline

     fixed & \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isasymrparr}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharcolon}{\isacharcolon}\ A{\isacharcomma}\ y\ {\isacharcolon}{\isacharcolon}\ B{\isasymrparr}{\isachardoublequote}} \\

     schematic & \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isacharcomma}\ {\isasymdots}\ {\isacharequal}\ m{\isasymrparr}{\isachardoublequote}} &

       \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharcolon}{\isacharcolon}\ A{\isacharcomma}\ y\ {\isacharcolon}{\isacharcolon}\ B{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ M{\isasymrparr}{\isachardoublequote}} \\

   \end{tabular}

   \end{center}

   \noindent The ASCII representation of \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isasymrparr}{\isachardoublequote}} is \isa{{\isachardoublequote}{\isacharparenleft}{\isacharbar}\ x\ {\isacharequal}\ a\ {\isacharbar}{\isacharparenright}{\isachardoublequote}}.

   A fixed record \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isasymrparr}{\isachardoublequote}} has field \isa{x} of value

   \isa{a} and field \isa{y} of value \isa{b}.  The corresponding

   type is \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharcolon}{\isacharcolon}\ A{\isacharcomma}\ y\ {\isacharcolon}{\isacharcolon}\ B{\isasymrparr}{\isachardoublequote}}, assuming that \isa{{\isachardoublequote}a\ {\isacharcolon}{\isacharcolon}\ A{\isachardoublequote}}

   and \isa{{\isachardoublequote}b\ {\isacharcolon}{\isacharcolon}\ B{\isachardoublequote}}.

   A record scheme like \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isacharcomma}\ {\isasymdots}\ {\isacharequal}\ m{\isasymrparr}{\isachardoublequote}} contains fields

   \isa{x} and \isa{y} as before, but also possibly further fields

   as indicated by the ``\isa{{\isachardoublequote}{\isasymdots}{\isachardoublequote}}'' notation (which is actually part

   of the syntax).  The improper field ``\isa{{\isachardoublequote}{\isasymdots}{\isachardoublequote}}'' of a record

   scheme is called the \emph{more part}.  Logically it is just a free

   variable, which is occasionally referred to as ``row variable'' in

   the literature.  The more part of a record scheme may be

   instantiated by zero or more further components.  For example, the

   previous scheme may get instantiated to \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isacharcomma}\ z\ {\isacharequal}\ c{\isacharcomma}\ {\isasymdots}\ {\isacharequal}\ m{\isacharprime}{\isasymrparr}{\isachardoublequote}}, where \isa{m{\isacharprime}} refers to a different more part.

   Fixed records are special instances of record schemes, where

   ``\isa{{\isachardoublequote}{\isasymdots}{\isachardoublequote}}'' is properly terminated by the \isa{{\isachardoublequote}{\isacharparenleft}{\isacharparenright}\ {\isacharcolon}{\isacharcolon}\ unit{\isachardoublequote}}

   element.  In fact, \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isasymrparr}{\isachardoublequote}} is just an abbreviation

   for \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharequal}\ a{\isacharcomma}\ y\ {\isacharequal}\ b{\isacharcomma}\ {\isasymdots}\ {\isacharequal}\ {\isacharparenleft}{\isacharparenright}{\isasymrparr}{\isachardoublequote}}.

   \medskip Two key observations make extensible records in a simply

   typed language like HOL work out:

   \begin{enumerate}

   \item the more part is internalized, as a free term or type

   variable,

   \item field names are externalized, they cannot be accessed within

   the logic as first-class values.

   \end{enumerate}

   \medskip In Isabelle/HOL record types have to be defined explicitly,

   fixing their field names and types, and their (optional) parent

   record.  Afterwards, records may be formed using above syntax, while

   obeying the canonical order of fields as given by their declaration.

   The record package provides several standard operations like

   selectors and updates.  The common setup for various generic proof

   tools enable succinct reasoning patterns.  See also the Isabelle/HOL

   tutorial \cite{isabelle-hol-book} for further instructions on using

   records in practice.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Record specifications%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{command}{record}\hypertarget{command.HOL.record}{\hyperlink{command.HOL.record}{\mbox{\isa{\isacommand{record}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'record' typespec '=' (type '+')? (constdecl +)

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.record}{\mbox{\isa{\isacommand{record}}}}~\isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharparenright}\ t\ {\isacharequal}\ {\isasymtau}\ {\isacharplus}\ c\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub {\isadigit{1}}\ {\isasymdots}\ c\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub n{\isachardoublequote}} defines extensible record type \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharparenright}\ t{\isachardoublequote}},

   derived from the optional parent record \isa{{\isachardoublequote}{\isasymtau}{\isachardoublequote}} by adding new

   field components \isa{{\isachardoublequote}c\isactrlsub i\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub i{\isachardoublequote}} etc.

   The type variables of \isa{{\isachardoublequote}{\isasymtau}{\isachardoublequote}} and \isa{{\isachardoublequote}{\isasymsigma}\isactrlsub i{\isachardoublequote}} need to be

   covered by the (distinct) parameters \isa{{\isachardoublequote}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isachardoublequote}}.  Type constructor \isa{t} has to be new, while \isa{{\isasymtau}} needs to specify an instance of an existing record type.  At

   least one new field \isa{{\isachardoublequote}c\isactrlsub i{\isachardoublequote}} has to be specified.

   Basically, field names need to belong to a unique record.  This is

   not a real restriction in practice, since fields are qualified by

   the record name internally.

   The parent record specification \isa{{\isasymtau}} is optional; if omitted

   \isa{t} becomes a root record.  The hierarchy of all records

   declared within a theory context forms a forest structure, i.e.\ a

   set of trees starting with a root record each.  There is no way to

   merge multiple parent records!

   For convenience, \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharparenright}\ t{\isachardoublequote}} is made a

   type abbreviation for the fixed record type \isa{{\isachardoublequote}{\isasymlparr}c\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub n{\isasymrparr}{\isachardoublequote}}, likewise is \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharcomma}\ {\isasymzeta}{\isacharparenright}\ t{\isacharunderscore}scheme{\isachardoublequote}} made an abbreviation for

   \isa{{\isachardoublequote}{\isasymlparr}c\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub n{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}{\isachardoublequote}}.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Record operations%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Any record definition of the form presented above produces certain

   standard operations.  Selectors and updates are provided for any

   field, including the improper one ``\isa{more}''.  There are also

   cumulative record constructor functions.  To simplify the

   presentation below, we assume for now that \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharparenright}\ t{\isachardoublequote}} is a root record with fields \isa{{\isachardoublequote}c\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ c\isactrlsub n\ {\isacharcolon}{\isacharcolon}\ {\isasymsigma}\isactrlsub n{\isachardoublequote}}.

   \medskip \textbf{Selectors} and \textbf{updates} are available for

   any field (including ``\isa{more}''):

   \begin{matharray}{lll}

     \isa{{\isachardoublequote}c\isactrlsub i{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymlparr}\isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymsigma}\isactrlsub i{\isachardoublequote}} \\

     \isa{{\isachardoublequote}c\isactrlsub i{\isacharunderscore}update{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymsigma}\isactrlsub i\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}{\isachardoublequote}} \\

   \end{matharray}

   There is special syntax for application of updates: \isa{{\isachardoublequote}r{\isasymlparr}x\ {\isacharcolon}{\isacharequal}\ a{\isasymrparr}{\isachardoublequote}} abbreviates term \isa{{\isachardoublequote}x{\isacharunderscore}update\ a\ r{\isachardoublequote}}.  Further notation for

   repeated updates is also available: \isa{{\isachardoublequote}r{\isasymlparr}x\ {\isacharcolon}{\isacharequal}\ a{\isasymrparr}{\isasymlparr}y\ {\isacharcolon}{\isacharequal}\ b{\isasymrparr}{\isasymlparr}z\ {\isacharcolon}{\isacharequal}\ c{\isasymrparr}{\isachardoublequote}} may be written \isa{{\isachardoublequote}r{\isasymlparr}x\ {\isacharcolon}{\isacharequal}\ a{\isacharcomma}\ y\ {\isacharcolon}{\isacharequal}\ b{\isacharcomma}\ z\ {\isacharcolon}{\isacharequal}\ c{\isasymrparr}{\isachardoublequote}}.  Note that

   because of postfix notation the order of fields shown here is

   reverse than in the actual term.  Since repeated updates are just

   function applications, fields may be freely permuted in \isa{{\isachardoublequote}{\isasymlparr}x\ {\isacharcolon}{\isacharequal}\ a{\isacharcomma}\ y\ {\isacharcolon}{\isacharequal}\ b{\isacharcomma}\ z\ {\isacharcolon}{\isacharequal}\ c{\isasymrparr}{\isachardoublequote}}, as far as logical equality is concerned.

   Thus commutativity of independent updates can be proven within the

   logic for any two fields, but not as a general theorem.

   \medskip The \textbf{make} operation provides a cumulative record

   constructor function:

   \begin{matharray}{lll}

     \isa{{\isachardoublequote}t{\isachardot}make{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymsigma}\isactrlsub {\isadigit{1}}\ {\isasymRightarrow}\ {\isasymdots}\ {\isasymsigma}\isactrlsub n\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isasymrparr}{\isachardoublequote}} \\

   \end{matharray}

   \medskip We now reconsider the case of non-root records, which are

   derived of some parent.  In general, the latter may depend on

   another parent as well, resulting in a list of \emph{ancestor

   records}.  Appending the lists of fields of all ancestors results in

   a certain field prefix.  The record package automatically takes care

   of this by lifting operations over this context of ancestor fields.

   Assuming that \isa{{\isachardoublequote}{\isacharparenleft}{\isasymalpha}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ {\isasymalpha}\isactrlsub m{\isacharparenright}\ t{\isachardoublequote}} has ancestor

   fields \isa{{\isachardoublequote}b\isactrlsub {\isadigit{1}}\ {\isacharcolon}{\isacharcolon}\ {\isasymrho}\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ b\isactrlsub k\ {\isacharcolon}{\isacharcolon}\ {\isasymrho}\isactrlsub k{\isachardoublequote}},

   the above record operations will get the following types:

   \medskip

   \begin{tabular}{lll}

     \isa{{\isachardoublequote}c\isactrlsub i{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymsigma}\isactrlsub i{\isachardoublequote}} \\

     \isa{{\isachardoublequote}c\isactrlsub i{\isacharunderscore}update{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymsigma}\isactrlsub i\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}{\isachardoublequote}} \\

     \isa{{\isachardoublequote}t{\isachardot}make{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymrho}\isactrlsub {\isadigit{1}}\ {\isasymRightarrow}\ {\isasymdots}\ {\isasymrho}\isactrlsub k\ {\isasymRightarrow}\ {\isasymsigma}\isactrlsub {\isadigit{1}}\ {\isasymRightarrow}\ {\isasymdots}\ {\isasymsigma}\isactrlsub n\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isasymrparr}{\isachardoublequote}} \\

   \end{tabular}

   \medskip

   \noindent Some further operations address the extension aspect of a

   derived record scheme specifically: \isa{{\isachardoublequote}t{\isachardot}fields{\isachardoublequote}} produces a

   record fragment consisting of exactly the new fields introduced here

   (the result may serve as a more part elsewhere); \isa{{\isachardoublequote}t{\isachardot}extend{\isachardoublequote}}

   takes a fixed record and adds a given more part; \isa{{\isachardoublequote}t{\isachardot}truncate{\isachardoublequote}} restricts a record scheme to a fixed record.

   \medskip

   \begin{tabular}{lll}

     \isa{{\isachardoublequote}t{\isachardot}fields{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymsigma}\isactrlsub {\isadigit{1}}\ {\isasymRightarrow}\ {\isasymdots}\ {\isasymsigma}\isactrlsub n\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isasymrparr}{\isachardoublequote}} \\

     \isa{{\isachardoublequote}t{\isachardot}extend{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymzeta}\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}{\isachardoublequote}} \\

     \isa{{\isachardoublequote}t{\isachardot}truncate{\isachardoublequote}} & \isa{{\isachardoublequote}{\isacharcolon}{\isacharcolon}{\isachardoublequote}} & \isa{{\isachardoublequote}{\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isacharcomma}\ {\isasymdots}\ {\isacharcolon}{\isacharcolon}\ {\isasymzeta}{\isasymrparr}\ {\isasymRightarrow}\ {\isasymlparr}\isactrlvec b\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymrho}{\isacharcomma}\ \isactrlvec c\ {\isacharcolon}{\isacharcolon}\ \isactrlvec {\isasymsigma}{\isasymrparr}{\isachardoublequote}} \\

   \end{tabular}

   \medskip

   \noindent Note that \isa{{\isachardoublequote}t{\isachardot}make{\isachardoublequote}} and \isa{{\isachardoublequote}t{\isachardot}fields{\isachardoublequote}} coincide

   for root records.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Derived rules and proof tools%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 The record package proves several results internally, declaring

   these facts to appropriate proof tools.  This enables users to

   reason about record structures quite conveniently.  Assume that

   \isa{t} is a record type as specified above.

   \begin{enumerate}

   \item Standard conversions for selectors or updates applied to

   record constructor terms are made part of the default Simplifier

   context; thus proofs by reduction of basic operations merely require

   the \hyperlink{method.simp}{\mbox{\isa{simp}}} method without further arguments.  These rules

   are available as \isa{{\isachardoublequote}t{\isachardot}simps{\isachardoublequote}}, too.

   \item Selectors applied to updated records are automatically reduced

   by an internal simplification procedure, which is also part of the

   standard Simplifier setup.

   \item Inject equations of a form analogous to \isa{{\isachardoublequote}{\isacharparenleft}x{\isacharcomma}\ y{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}x{\isacharprime}{\isacharcomma}\ y{\isacharprime}{\isacharparenright}\ {\isasymequiv}\ x\ {\isacharequal}\ x{\isacharprime}\ {\isasymand}\ y\ {\isacharequal}\ y{\isacharprime}{\isachardoublequote}} are declared to the Simplifier and Classical

   Reasoner as \hyperlink{attribute.iff}{\mbox{\isa{iff}}} rules.  These rules are available as

   \isa{{\isachardoublequote}t{\isachardot}iffs{\isachardoublequote}}.

   \item The introduction rule for record equality analogous to \isa{{\isachardoublequote}x\ r\ {\isacharequal}\ x\ r{\isacharprime}\ {\isasymLongrightarrow}\ y\ r\ {\isacharequal}\ y\ r{\isacharprime}\ {\isasymdots}\ {\isasymLongrightarrow}\ r\ {\isacharequal}\ r{\isacharprime}{\isachardoublequote}} is declared to the Simplifier,

   and as the basic rule context as ``\hyperlink{attribute.intro}{\mbox{\isa{intro}}}\isa{{\isachardoublequote}{\isacharquery}{\isachardoublequote}}''.

   The rule is called \isa{{\isachardoublequote}t{\isachardot}equality{\isachardoublequote}}.

   \item Representations of arbitrary record expressions as canonical

   constructor terms are provided both in \hyperlink{method.cases}{\mbox{\isa{cases}}} and \hyperlink{method.induct}{\mbox{\isa{induct}}} format (cf.\ the generic proof methods of the same name,

   \secref{sec:cases-induct}).  Several variations are available, for

   fixed records, record schemes, more parts etc.

   The generic proof methods are sufficiently smart to pick the most

   sensible rule according to the type of the indicated record

   expression: users just need to apply something like ``\isa{{\isachardoublequote}{\isacharparenleft}cases\ r{\isacharparenright}{\isachardoublequote}}'' to a certain proof problem.

   \item The derived record operations \isa{{\isachardoublequote}t{\isachardot}make{\isachardoublequote}}, \isa{{\isachardoublequote}t{\isachardot}fields{\isachardoublequote}}, \isa{{\isachardoublequote}t{\isachardot}extend{\isachardoublequote}}, \isa{{\isachardoublequote}t{\isachardot}truncate{\isachardoublequote}} are \emph{not}

   treated automatically, but usually need to be expanded by hand,

   using the collective fact \isa{{\isachardoublequote}t{\isachardot}defs{\isachardoublequote}}.

   \end{enumerate}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Datatypes \label{sec:hol-datatype}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{command}{datatype}\hypertarget{command.HOL.datatype}{\hyperlink{command.HOL.datatype}{\mbox{\isa{\isacommand{datatype}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

   \indexdef{HOL}{command}{rep\_datatype}\hypertarget{command.HOL.rep-datatype}{\hyperlink{command.HOL.rep-datatype}{\mbox{\isa{\isacommand{rep{\isacharunderscore}datatype}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'datatype' (dtspec + 'and')

     ;

     'rep\_datatype' ('(' (name +) ')')? (term +)

     ;

     dtspec: parname? typespec mixfix? '=' (cons + '|')

     ;

     cons: name ( type * ) mixfix?

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.datatype}{\mbox{\isa{\isacommand{datatype}}}} defines inductive datatypes in

   HOL.

   \item \hyperlink{command.HOL.rep-datatype}{\mbox{\isa{\isacommand{rep{\isacharunderscore}datatype}}}} represents existing types as

   inductive ones, generating the standard infrastructure of derived

   concepts (primitive recursion etc.).

   \end{description}

   The induction and exhaustion theorems generated provide case names

   according to the constructors involved, while parameters are named

   after the types (see also \secref{sec:cases-induct}).

   See \cite{isabelle-HOL} for more details on datatypes, but beware of

   the old-style theory syntax being used there!  Apart from proper

   proof methods for case-analysis and induction, there are also

   emulations of ML tactics \hyperlink{method.HOL.case-tac}{\mbox{\isa{case{\isacharunderscore}tac}}} and \hyperlink{method.HOL.induct-tac}{\mbox{\isa{induct{\isacharunderscore}tac}}} available, see \secref{sec:hol-induct-tac}; these admit

   to refer directly to the internal structure of subgoals (including

   internally bound parameters).%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Recursive functions \label{sec:recursion}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{command}{primrec}\hypertarget{command.HOL.primrec}{\hyperlink{command.HOL.primrec}{\mbox{\isa{\isacommand{primrec}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{fun}\hypertarget{command.HOL.fun}{\hyperlink{command.HOL.fun}{\mbox{\isa{\isacommand{fun}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{function}\hypertarget{command.HOL.function}{\hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{termination}\hypertarget{command.HOL.termination}{\hyperlink{command.HOL.termination}{\mbox{\isa{\isacommand{termination}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'primrec' target? fixes 'where' equations

     ;

     equations: (thmdecl? prop + '|')

     ;

     ('fun' | 'function') target? functionopts? fixes 'where' clauses

     ;

     clauses: (thmdecl? prop ('(' 'otherwise' ')')? + '|')

     ;

     functionopts: '(' (('sequential' | 'domintros' | 'tailrec' | 'default' term) + ',') ')'

     ;

     'termination' ( term )?

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.primrec}{\mbox{\isa{\isacommand{primrec}}}} defines primitive recursive

   functions over datatypes, see also \cite{isabelle-HOL}.

   \item \hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}} defines functions by general

   wellfounded recursion. A detailed description with examples can be

   found in \cite{isabelle-function}. The function is specified by a

   set of (possibly conditional) recursive equations with arbitrary

   pattern matching. The command generates proof obligations for the

   completeness and the compatibility of patterns.

   The defined function is considered partial, and the resulting

   simplification rules (named \isa{{\isachardoublequote}f{\isachardot}psimps{\isachardoublequote}}) and induction rule

   (named \isa{{\isachardoublequote}f{\isachardot}pinduct{\isachardoublequote}}) are guarded by a generated domain

   predicate \isa{{\isachardoublequote}f{\isacharunderscore}dom{\isachardoublequote}}. The \hyperlink{command.HOL.termination}{\mbox{\isa{\isacommand{termination}}}}

   command can then be used to establish that the function is total.

   \item \hyperlink{command.HOL.fun}{\mbox{\isa{\isacommand{fun}}}} is a shorthand notation for ``\hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}}~\isa{{\isachardoublequote}{\isacharparenleft}sequential{\isacharparenright}{\isachardoublequote}}, followed by automated

   proof attempts regarding pattern matching and termination.  See

   \cite{isabelle-function} for further details.

   \item \hyperlink{command.HOL.termination}{\mbox{\isa{\isacommand{termination}}}}~\isa{f} commences a

   termination proof for the previously defined function \isa{f}.  If

   this is omitted, the command refers to the most recent function

   definition.  After the proof is closed, the recursive equations and

   the induction principle is established.

   \end{description}

   Recursive definitions introduced by the \hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}}

   command accommodate

   reasoning by induction (cf.\ \secref{sec:cases-induct}): rule \isa{{\isachardoublequote}c{\isachardot}induct{\isachardoublequote}} (where \isa{c} is the name of the function definition)

   refers to a specific induction rule, with parameters named according

   to the user-specified equations. Cases are numbered (starting from 1).

   For \hyperlink{command.HOL.primrec}{\mbox{\isa{\isacommand{primrec}}}}, the induction principle coincides

   with structural recursion on the datatype the recursion is carried

   out.

   The equations provided by these packages may be referred later as

   theorem list \isa{{\isachardoublequote}f{\isachardot}simps{\isachardoublequote}}, where \isa{f} is the (collective)

   name of the functions defined.  Individual equations may be named

   explicitly as well.

   The \hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}} command accepts the following

   options.

   \begin{description}

   \item \isa{sequential} enables a preprocessor which disambiguates

   overlapping patterns by making them mutually disjoint.  Earlier

   equations take precedence over later ones.  This allows to give the

   specification in a format very similar to functional programming.

   Note that the resulting simplification and induction rules

   correspond to the transformed specification, not the one given

   originally. This usually means that each equation given by the user

   may result in several theorems.  Also note that this automatic

   transformation only works for ML-style datatype patterns.

   \item \isa{domintros} enables the automated generation of

   introduction rules for the domain predicate. While mostly not

   needed, they can be helpful in some proofs about partial functions.

   \item \isa{tailrec} generates the unconstrained recursive

   equations even without a termination proof, provided that the

   function is tail-recursive. This currently only works

   \item \isa{{\isachardoublequote}default\ d{\isachardoublequote}} allows to specify a default value for a

   (partial) function, which will ensure that \isa{{\isachardoublequote}f\ x\ {\isacharequal}\ d\ x{\isachardoublequote}}

   whenever \isa{{\isachardoublequote}x\ {\isasymnotin}\ f{\isacharunderscore}dom{\isachardoublequote}}.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Proof methods related to recursive definitions%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{method}{pat\_completeness}\hypertarget{method.HOL.pat-completeness}{\hyperlink{method.HOL.pat-completeness}{\mbox{\isa{pat{\isacharunderscore}completeness}}}} & : & \isa{method} \\

     \indexdef{HOL}{method}{relation}\hypertarget{method.HOL.relation}{\hyperlink{method.HOL.relation}{\mbox{\isa{relation}}}} & : & \isa{method} \\

     \indexdef{HOL}{method}{lexicographic\_order}\hypertarget{method.HOL.lexicographic-order}{\hyperlink{method.HOL.lexicographic-order}{\mbox{\isa{lexicographic{\isacharunderscore}order}}}} & : & \isa{method} \\

     \indexdef{HOL}{method}{size\_change}\hypertarget{method.HOL.size-change}{\hyperlink{method.HOL.size-change}{\mbox{\isa{size{\isacharunderscore}change}}}} & : & \isa{method} \\

   \end{matharray}

   \begin{rail}

     'relation' term

     ;

     'lexicographic\_order' ( clasimpmod * )

     ;

     'size\_change' ( orders ( clasimpmod * ) )

     ;

     orders: ( 'max' | 'min' | 'ms' ) *

   \end{rail}

   \begin{description}

   \item \hyperlink{method.HOL.pat-completeness}{\mbox{\isa{pat{\isacharunderscore}completeness}}} is a specialized method to

   solve goals regarding the completeness of pattern matching, as

   required by the \hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}} package (cf.\

   \cite{isabelle-function}).

   \item \hyperlink{method.HOL.relation}{\mbox{\isa{relation}}}~\isa{R} introduces a termination

   proof using the relation \isa{R}.  The resulting proof state will

   contain goals expressing that \isa{R} is wellfounded, and that the

   arguments of recursive calls decrease with respect to \isa{R}.

   Usually, this method is used as the initial proof step of manual

   termination proofs.

   \item \hyperlink{method.HOL.lexicographic-order}{\mbox{\isa{lexicographic{\isacharunderscore}order}}} attempts a fully

   automated termination proof by searching for a lexicographic

   combination of size measures on the arguments of the function. The

   method accepts the same arguments as the \hyperlink{method.auto}{\mbox{\isa{auto}}} method,

   which it uses internally to prove local descents.  The same context

   modifiers as for \hyperlink{method.auto}{\mbox{\isa{auto}}} are accepted, see

   \secref{sec:clasimp}.

   In case of failure, extensive information is printed, which can help

   to analyse the situation (cf.\ \cite{isabelle-function}).

   \item \hyperlink{method.HOL.size-change}{\mbox{\isa{size{\isacharunderscore}change}}} also works on termination goals,

   using a variation of the size-change principle, together with a

   graph decomposition technique (see \cite{krauss_phd} for details).

   Three kinds of orders are used internally: \isa{max}, \isa{min},

   and \isa{ms} (multiset), which is only available when the theory

   \isa{Multiset} is loaded. When no order kinds are given, they are

   tried in order. The search for a termination proof uses SAT solving

   internally.

  For local descent proofs, the same context modifiers as for \hyperlink{method.auto}{\mbox{\isa{auto}}} are accepted, see \secref{sec:clasimp}.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Old-style recursive function definitions (TFL)%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 The old TFL commands \hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}} and \hyperlink{command.HOL.recdef-tc}{\mbox{\isa{\isacommand{recdef{\isacharunderscore}tc}}}} for defining recursive are mostly obsolete; \hyperlink{command.HOL.function}{\mbox{\isa{\isacommand{function}}}} or \hyperlink{command.HOL.fun}{\mbox{\isa{\isacommand{fun}}}} should be used instead.

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{recdef}\hypertarget{command.HOL.recdef}{\hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isacharparenright}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{recdef\_tc}\hypertarget{command.HOL.recdef-tc}{\hyperlink{command.HOL.recdef-tc}{\mbox{\isa{\isacommand{recdef{\isacharunderscore}tc}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'recdef' ('(' 'permissive' ')')? \\ name term (prop +) hints?

     ;

     recdeftc thmdecl? tc

     ;

     hints: '(' 'hints' ( recdefmod * ) ')'

     ;

     recdefmod: (('recdef\_simp' | 'recdef\_cong' | 'recdef\_wf') (() | 'add' | 'del') ':' thmrefs) | clasimpmod

     ;

     tc: nameref ('(' nat ')')?

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}} defines general well-founded

   recursive functions (using the TFL package), see also

   \cite{isabelle-HOL}.  The ``\isa{{\isachardoublequote}{\isacharparenleft}permissive{\isacharparenright}{\isachardoublequote}}'' option tells

   TFL to recover from failed proof attempts, returning unfinished

   results.  The \isa{recdef{\isacharunderscore}simp}, \isa{recdef{\isacharunderscore}cong}, and \isa{recdef{\isacharunderscore}wf} hints refer to auxiliary rules to be used in the internal

   automated proof process of TFL.  Additional \hyperlink{syntax.clasimpmod}{\mbox{\isa{clasimpmod}}}

   declarations (cf.\ \secref{sec:clasimp}) may be given to tune the

   context of the Simplifier (cf.\ \secref{sec:simplifier}) and

   Classical reasoner (cf.\ \secref{sec:classical}).

   \item \hyperlink{command.HOL.recdef-tc}{\mbox{\isa{\isacommand{recdef{\isacharunderscore}tc}}}}~\isa{{\isachardoublequote}c\ {\isacharparenleft}i{\isacharparenright}{\isachardoublequote}} recommences the

   proof for leftover termination condition number \isa{i} (default

   1) as generated by a \hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}} definition of

   constant \isa{c}.

   Note that in most cases, \hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}} is able to finish

   its internal proofs without manual intervention.

   \end{description}

   \medskip Hints for \hyperlink{command.HOL.recdef}{\mbox{\isa{\isacommand{recdef}}}} may be also declared

   globally, using the following attributes.

   \begin{matharray}{rcl}

     \indexdef{HOL}{attribute}{recdef\_simp}\hypertarget{attribute.HOL.recdef-simp}{\hyperlink{attribute.HOL.recdef-simp}{\mbox{\isa{recdef{\isacharunderscore}simp}}}} & : & \isa{attribute} \\

     \indexdef{HOL}{attribute}{recdef\_cong}\hypertarget{attribute.HOL.recdef-cong}{\hyperlink{attribute.HOL.recdef-cong}{\mbox{\isa{recdef{\isacharunderscore}cong}}}} & : & \isa{attribute} \\

     \indexdef{HOL}{attribute}{recdef\_wf}\hypertarget{attribute.HOL.recdef-wf}{\hyperlink{attribute.HOL.recdef-wf}{\mbox{\isa{recdef{\isacharunderscore}wf}}}} & : & \isa{attribute} \\

   \end{matharray}

   \begin{rail}

     ('recdef\_simp' | 'recdef\_cong' | 'recdef\_wf') (() | 'add' | 'del')

     ;

   \end{rail}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Inductive and coinductive definitions \label{sec:hol-inductive}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 An \textbf{inductive definition} specifies the least predicate (or

   set) \isa{R} closed under given rules: applying a rule to elements

   of \isa{R} yields a result within \isa{R}.  For example, a

   structural operational semantics is an inductive definition of an

   evaluation relation.

   Dually, a \textbf{coinductive definition} specifies the greatest

   predicate~/ set \isa{R} that is consistent with given rules: every

   element of \isa{R} can be seen as arising by applying a rule to

   elements of \isa{R}.  An important example is using bisimulation

   relations to formalise equivalence of processes and infinite data

   structures.

   \medskip The HOL package is related to the ZF one, which is

   described in a separate paper,\footnote{It appeared in CADE

   \cite{paulson-CADE}; a longer version is distributed with Isabelle.}

   which you should refer to in case of difficulties.  The package is

   simpler than that of ZF thanks to implicit type-checking in HOL.

   The types of the (co)inductive predicates (or sets) determine the

   domain of the fixedpoint definition, and the package does not have

   to use inference rules for type-checking.

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{inductive}\hypertarget{command.HOL.inductive}{\hyperlink{command.HOL.inductive}{\mbox{\isa{\isacommand{inductive}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{inductive\_set}\hypertarget{command.HOL.inductive-set}{\hyperlink{command.HOL.inductive-set}{\mbox{\isa{\isacommand{inductive{\isacharunderscore}set}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{coinductive}\hypertarget{command.HOL.coinductive}{\hyperlink{command.HOL.coinductive}{\mbox{\isa{\isacommand{coinductive}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{coinductive\_set}\hypertarget{command.HOL.coinductive-set}{\hyperlink{command.HOL.coinductive-set}{\mbox{\isa{\isacommand{coinductive{\isacharunderscore}set}}}}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

     \indexdef{HOL}{attribute}{mono}\hypertarget{attribute.HOL.mono}{\hyperlink{attribute.HOL.mono}{\mbox{\isa{mono}}}} & : & \isa{attribute} \\

   \end{matharray}

   \begin{rail}

     ('inductive' | 'inductive\_set' | 'coinductive' | 'coinductive\_set') target? fixes ('for' fixes)? \\

     ('where' clauses)? ('monos' thmrefs)?

     ;

     clauses: (thmdecl? prop + '|')

     ;

     'mono' (() | 'add' | 'del')

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.inductive}{\mbox{\isa{\isacommand{inductive}}}} and \hyperlink{command.HOL.coinductive}{\mbox{\isa{\isacommand{coinductive}}}} define (co)inductive predicates from the

   introduction rules given in the \hyperlink{keyword.where}{\mbox{\isa{\isakeyword{where}}}} part.  The

   optional \hyperlink{keyword.for}{\mbox{\isa{\isakeyword{for}}}} part contains a list of parameters of the

   (co)inductive predicates that remain fixed throughout the

   definition.  The optional \hyperlink{keyword.monos}{\mbox{\isa{\isakeyword{monos}}}} section contains

   \emph{monotonicity theorems}, which are required for each operator

   applied to a recursive set in the introduction rules.  There

   \emph{must} be a theorem of the form \isa{{\isachardoublequote}A\ {\isasymle}\ B\ {\isasymLongrightarrow}\ M\ A\ {\isasymle}\ M\ B{\isachardoublequote}},

   for each premise \isa{{\isachardoublequote}M\ R\isactrlsub i\ t{\isachardoublequote}} in an introduction rule!

   \item \hyperlink{command.HOL.inductive-set}{\mbox{\isa{\isacommand{inductive{\isacharunderscore}set}}}} and \hyperlink{command.HOL.coinductive-set}{\mbox{\isa{\isacommand{coinductive{\isacharunderscore}set}}}} are wrappers for to the previous commands,

   allowing the definition of (co)inductive sets.

   \item \hyperlink{attribute.HOL.mono}{\mbox{\isa{mono}}} declares monotonicity rules.  These

   rule are involved in the automated monotonicity proof of \hyperlink{command.HOL.inductive}{\mbox{\isa{\isacommand{inductive}}}}.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Derived rules%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Each (co)inductive definition \isa{R} adds definitions to the

   theory and also proves some theorems:

   \begin{description}

   \item \isa{R{\isachardot}intros} is the list of introduction rules as proven

   theorems, for the recursive predicates (or sets).  The rules are

   also available individually, using the names given them in the

   theory file;

   \item \isa{R{\isachardot}cases} is the case analysis (or elimination) rule;

   \item \isa{R{\isachardot}induct} or \isa{R{\isachardot}coinduct} is the (co)induction

   rule.

   \end{description}

   When several predicates \isa{{\isachardoublequote}R\isactrlsub {\isadigit{1}}{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ R\isactrlsub n{\isachardoublequote}} are

   defined simultaneously, the list of introduction rules is called

   \isa{{\isachardoublequote}R\isactrlsub {\isadigit{1}}{\isacharunderscore}{\isasymdots}{\isacharunderscore}R\isactrlsub n{\isachardot}intros{\isachardoublequote}}, the case analysis rules are

   called \isa{{\isachardoublequote}R\isactrlsub {\isadigit{1}}{\isachardot}cases{\isacharcomma}\ {\isasymdots}{\isacharcomma}\ R\isactrlsub n{\isachardot}cases{\isachardoublequote}}, and the list

   of mutual induction rules is called \isa{{\isachardoublequote}R\isactrlsub {\isadigit{1}}{\isacharunderscore}{\isasymdots}{\isacharunderscore}R\isactrlsub n{\isachardot}inducts{\isachardoublequote}}.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsubsection{Monotonicity theorems%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Each theory contains a default set of theorems that are used in

   monotonicity proofs.  New rules can be added to this set via the

   \hyperlink{attribute.HOL.mono}{\mbox{\isa{mono}}} attribute.  The HOL theory \isa{Inductive}

   shows how this is done.  In general, the following monotonicity

   theorems may be added:

   \begin{itemize}

   \item Theorems of the form \isa{{\isachardoublequote}A\ {\isasymle}\ B\ {\isasymLongrightarrow}\ M\ A\ {\isasymle}\ M\ B{\isachardoublequote}}, for proving

   monotonicity of inductive definitions whose introduction rules have

   premises involving terms such as \isa{{\isachardoublequote}M\ R\isactrlsub i\ t{\isachardoublequote}}.

   \item Monotonicity theorems for logical operators, which are of the

   general form \isa{{\isachardoublequote}{\isacharparenleft}{\isasymdots}\ {\isasymlongrightarrow}\ {\isasymdots}{\isacharparenright}\ {\isasymLongrightarrow}\ {\isasymdots}\ {\isacharparenleft}{\isasymdots}\ {\isasymlongrightarrow}\ {\isasymdots}{\isacharparenright}\ {\isasymLongrightarrow}\ {\isasymdots}\ {\isasymlongrightarrow}\ {\isasymdots}{\isachardoublequote}}.  For example, in

   the case of the operator \isa{{\isachardoublequote}{\isasymor}{\isachardoublequote}}, the corresponding theorem is

   \[

   \infer{\isa{{\isachardoublequote}P\isactrlsub {\isadigit{1}}\ {\isasymor}\ P\isactrlsub {\isadigit{2}}\ {\isasymlongrightarrow}\ Q\isactrlsub {\isadigit{1}}\ {\isasymor}\ Q\isactrlsub {\isadigit{2}}{\isachardoublequote}}}{\isa{{\isachardoublequote}P\isactrlsub {\isadigit{1}}\ {\isasymlongrightarrow}\ Q\isactrlsub {\isadigit{1}}{\isachardoublequote}} & \isa{{\isachardoublequote}P\isactrlsub {\isadigit{2}}\ {\isasymlongrightarrow}\ Q\isactrlsub {\isadigit{2}}{\isachardoublequote}}}

   \]

   \item De Morgan style equations for reasoning about the ``polarity''

   of expressions, e.g.

   \[

   \isa{{\isachardoublequote}{\isasymnot}\ {\isasymnot}\ P\ {\isasymlongleftrightarrow}\ P{\isachardoublequote}} \qquad\qquad

   \isa{{\isachardoublequote}{\isasymnot}\ {\isacharparenleft}P\ {\isasymand}\ Q{\isacharparenright}\ {\isasymlongleftrightarrow}\ {\isasymnot}\ P\ {\isasymor}\ {\isasymnot}\ Q{\isachardoublequote}}

   \]

   \item Equations for reducing complex operators to more primitive

   ones whose monotonicity can easily be proved, e.g.

   \[

   \isa{{\isachardoublequote}{\isacharparenleft}P\ {\isasymlongrightarrow}\ Q{\isacharparenright}\ {\isasymlongleftrightarrow}\ {\isasymnot}\ P\ {\isasymor}\ Q{\isachardoublequote}} \qquad\qquad

   \isa{{\isachardoublequote}Ball\ A\ P\ {\isasymequiv}\ {\isasymforall}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymlongrightarrow}\ P\ x{\isachardoublequote}}

   \]

   \end{itemize}

   %FIXME: Example of an inductive definition%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Arithmetic proof support%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{method}{arith}\hypertarget{method.HOL.arith}{\hyperlink{method.HOL.arith}{\mbox{\isa{arith}}}} & : & \isa{method} \\

     \indexdef{HOL}{attribute}{arith}\hypertarget{attribute.HOL.arith}{\hyperlink{attribute.HOL.arith}{\mbox{\isa{arith}}}} & : & \isa{attribute} \\

     \indexdef{HOL}{attribute}{arith\_split}\hypertarget{attribute.HOL.arith-split}{\hyperlink{attribute.HOL.arith-split}{\mbox{\isa{arith{\isacharunderscore}split}}}} & : & \isa{attribute} \\

   \end{matharray}

   The \hyperlink{method.HOL.arith}{\mbox{\isa{arith}}} method decides linear arithmetic problems

   (on types \isa{nat}, \isa{int}, \isa{real}).  Any current

   facts are inserted into the goal before running the procedure.

   The \hyperlink{attribute.HOL.arith}{\mbox{\isa{arith}}} attribute declares facts that are

   always supplied to the arithmetic provers implicitly.

   The \hyperlink{attribute.HOL.arith-split}{\mbox{\isa{arith{\isacharunderscore}split}}} attribute declares case split

   rules to be expanded before \hyperlink{method.HOL.arith}{\mbox{\isa{arith}}} is invoked.

   Note that a simpler (but faster) arithmetic prover is

   already invoked by the Simplifier.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Intuitionistic proof search%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{method}{iprover}\hypertarget{method.HOL.iprover}{\hyperlink{method.HOL.iprover}{\mbox{\isa{iprover}}}} & : & \isa{method} \\

   \end{matharray}

   \begin{rail}

     'iprover' ( rulemod * )

     ;

   \end{rail}

   The \hyperlink{method.HOL.iprover}{\mbox{\isa{iprover}}} method performs intuitionistic proof

   search, depending on specifically declared rules from the context,

   or given as explicit arguments.  Chained facts are inserted into the

   goal before commencing proof search.

   Rules need to be classified as \hyperlink{attribute.Pure.intro}{\mbox{\isa{intro}}},

   \hyperlink{attribute.Pure.elim}{\mbox{\isa{elim}}}, or \hyperlink{attribute.Pure.dest}{\mbox{\isa{dest}}}; here the

   ``\isa{{\isachardoublequote}{\isacharbang}{\isachardoublequote}}'' indicator refers to ``safe'' rules, which may be

   applied aggressively (without considering back-tracking later).

   Rules declared with ``\isa{{\isachardoublequote}{\isacharquery}{\isachardoublequote}}'' are ignored in proof search (the

   single-step \hyperlink{method.rule}{\mbox{\isa{rule}}} method still observes these).  An

   explicit weight annotation may be given as well; otherwise the

   number of rule premises will be taken into account here.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Coherent Logic%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{method}{coherent}\hypertarget{method.HOL.coherent}{\hyperlink{method.HOL.coherent}{\mbox{\isa{coherent}}}} & : & \isa{method} \\

   \end{matharray}

   \begin{rail}

     'coherent' thmrefs?

     ;

   \end{rail}

   The \hyperlink{method.HOL.coherent}{\mbox{\isa{coherent}}} method solves problems of

   \emph{Coherent Logic} \cite{Bezem-Coquand:2005}, which covers

   applications in confluence theory, lattice theory and projective

   geometry.  See \hyperlink{file.~~/src/HOL/ex/Coherent.thy}{\mbox{\isa{\isatt{{\isachartilde}{\isachartilde}{\isacharslash}src{\isacharslash}HOL{\isacharslash}ex{\isacharslash}Coherent{\isachardot}thy}}}} for some

   examples.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Checking and refuting propositions%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Identifying incorrect propositions usually involves evaluation of

   particular assignments and systematic counter example search.  This

   is supported by the following commands.

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{value}\hypertarget{command.HOL.value}{\hyperlink{command.HOL.value}{\mbox{\isa{\isacommand{value}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{quickcheck}\hypertarget{command.HOL.quickcheck}{\hyperlink{command.HOL.quickcheck}{\mbox{\isa{\isacommand{quickcheck}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}proof\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{quickcheck\_params}\hypertarget{command.HOL.quickcheck-params}{\hyperlink{command.HOL.quickcheck-params}{\mbox{\isa{\isacommand{quickcheck{\isacharunderscore}params}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}}

   \end{matharray}

   \begin{rail}

     'value' ( ( '[' name ']' ) ? ) modes? term

     ;

     'quickcheck' ( ( '[' args ']' ) ? ) nat?

     ;

     'quickcheck_params' ( ( '[' args ']' ) ? )

     ;

     modes: '(' (name + ) ')'

     ;

     args: ( name '=' value + ',' )

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.value}{\mbox{\isa{\isacommand{value}}}}~\isa{t} evaluates and prints a

     term; optionally \isa{modes} can be specified, which are

     appended to the current print mode (see also \cite{isabelle-ref}).

     Internally, the evaluation is performed by registered evaluators,

     which are invoked sequentially until a result is returned.

     Alternatively a specific evaluator can be selected using square

     brackets; available evaluators include \isa{nbe} for

     \emph{normalization by evaluation} and \emph{code} for code

     generation in SML.

   \item \hyperlink{command.HOL.quickcheck}{\mbox{\isa{\isacommand{quickcheck}}}} tests the current goal for

     counter examples using a series of arbitrary assignments for its

     free variables; by default the first subgoal is tested, an other

     can be selected explicitly using an optional goal index.

     A number of configuration options are supported for

     \hyperlink{command.HOL.quickcheck}{\mbox{\isa{\isacommand{quickcheck}}}}, notably:

     \begin{description}

       \item[size] specifies the maximum size of the search space for

         assignment values.

       \item[iterations] sets how many sets of assignments are

         generated for each particular size.

       \item[no\_assms] specifies whether assumptions in

         structured proofs should be ignored.

     \end{description}

     These option can be given within square brackets.

   \item \hyperlink{command.HOL.quickcheck-params}{\mbox{\isa{\isacommand{quickcheck{\isacharunderscore}params}}}} changes quickcheck

     configuration options persitently.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Invoking automated reasoning tools --- The Sledgehammer%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Isabelle/HOL includes a generic \emph{ATP manager} that allows

   external automated reasoning tools to crunch a pending goal.

   Supported provers include E\footnote{\url{http://www.eprover.org}},

   SPASS\footnote{\url{http://www.spass-prover.org/}}, and Vampire.

   There is also a wrapper to invoke provers remotely via the

   SystemOnTPTP\footnote{\url{http://www.cs.miami.edu/~tptp/cgi-bin/SystemOnTPTP}}

   web service.

   The problem passed to external provers consists of the goal together

   with a smart selection of lemmas from the current theory context.

   The result of a successful proof search is some source text that

   usually reconstructs the proof within Isabelle, without requiring

   external provers again.  The Metis

   prover\footnote{\url{http://www.gilith.com/software/metis/}} that is

   integrated into Isabelle/HOL is being used here.

   In this mode of operation, heavy means of automated reasoning are

   used as a strong relevance filter, while the main proof checking

   works via explicit inferences going through the Isabelle kernel.

   Moreover, rechecking Isabelle proof texts with already specified

   auxiliary facts is much faster than performing fully automated

   search over and over again.

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{sledgehammer}\hypertarget{command.HOL.sledgehammer}{\hyperlink{command.HOL.sledgehammer}{\mbox{\isa{\isacommand{sledgehammer}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}proof\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{print\_atps}\hypertarget{command.HOL.print-atps}{\hyperlink{command.HOL.print-atps}{\mbox{\isa{\isacommand{print{\isacharunderscore}atps}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{atp\_info}\hypertarget{command.HOL.atp-info}{\hyperlink{command.HOL.atp-info}{\mbox{\isa{\isacommand{atp{\isacharunderscore}info}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}any\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{atp\_kill}\hypertarget{command.HOL.atp-kill}{\hyperlink{command.HOL.atp-kill}{\mbox{\isa{\isacommand{atp{\isacharunderscore}kill}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}any\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{atp\_messages}\hypertarget{command.HOL.atp-messages}{\hyperlink{command.HOL.atp-messages}{\mbox{\isa{\isacommand{atp{\isacharunderscore}messages}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}any\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{method}{metis}\hypertarget{method.HOL.metis}{\hyperlink{method.HOL.metis}{\mbox{\isa{metis}}}} & : & \isa{method} \\

   \end{matharray}

   \begin{rail}

   'sledgehammer' ( nameref * )

   ;

   'atp\_messages' ('(' nat ')')?

   ;

   'metis' thmrefs

   ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.sledgehammer}{\mbox{\isa{\isacommand{sledgehammer}}}}~\isa{{\isachardoublequote}prover\isactrlsub {\isadigit{1}}\ {\isasymdots}\ prover\isactrlsub n{\isachardoublequote}}

   invokes the specified automated theorem provers on the first

   subgoal.  Provers are run in parallel, the first successful result

   is displayed, and the other attempts are terminated.

   Provers are defined in the theory context, see also \hyperlink{command.HOL.print-atps}{\mbox{\isa{\isacommand{print{\isacharunderscore}atps}}}}.  If no provers are given as arguments to \hyperlink{command.HOL.sledgehammer}{\mbox{\isa{\isacommand{sledgehammer}}}}, the system refers to the default defined as

   ``ATP provers'' preference by the user interface.

   There are additional preferences for timeout (default: 60 seconds),

   and the maximum number of independent prover processes (default: 5);

   excessive provers are automatically terminated.

   \item \hyperlink{command.HOL.print-atps}{\mbox{\isa{\isacommand{print{\isacharunderscore}atps}}}} prints the list of automated

   theorem provers available to the \hyperlink{command.HOL.sledgehammer}{\mbox{\isa{\isacommand{sledgehammer}}}}

   command.

   \item \hyperlink{command.HOL.atp-info}{\mbox{\isa{\isacommand{atp{\isacharunderscore}info}}}} prints information about presently

   running provers, including elapsed runtime, and the remaining time

   until timeout.

   \item \hyperlink{command.HOL.atp-kill}{\mbox{\isa{\isacommand{atp{\isacharunderscore}kill}}}} terminates all presently running

   provers.

   \item \hyperlink{command.HOL.atp-messages}{\mbox{\isa{\isacommand{atp{\isacharunderscore}messages}}}} displays recent messages issued

   by automated theorem provers.  This allows to examine results that

   might have got lost due to the asynchronous nature of default

   \hyperlink{command.HOL.sledgehammer}{\mbox{\isa{\isacommand{sledgehammer}}}} output.  An optional message limit may

   be specified (default 5).

   \item \hyperlink{method.HOL.metis}{\mbox{\isa{metis}}}~\isa{{\isachardoublequote}facts{\isachardoublequote}} invokes the Metis prover

   with the given facts.  Metis is an automated proof tool of medium

   strength, but is fully integrated into Isabelle/HOL, with explicit

   inferences going through the kernel.  Thus its results are

   guaranteed to be ``correct by construction''.

   Note that all facts used with Metis need to be specified as explicit

   arguments.  There are no rule declarations as for other Isabelle

   provers, like \hyperlink{method.blast}{\mbox{\isa{blast}}} or \hyperlink{method.fast}{\mbox{\isa{fast}}}.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Unstructured case analysis and induction \label{sec:hol-induct-tac}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 The following tools of Isabelle/HOL support cases analysis and

   induction in unstructured tactic scripts; see also

   \secref{sec:cases-induct} for proper Isar versions of similar ideas.

   \begin{matharray}{rcl}

     \indexdef{HOL}{method}{case\_tac}\hypertarget{method.HOL.case-tac}{\hyperlink{method.HOL.case-tac}{\mbox{\isa{case{\isacharunderscore}tac}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{method} \\

     \indexdef{HOL}{method}{induct\_tac}\hypertarget{method.HOL.induct-tac}{\hyperlink{method.HOL.induct-tac}{\mbox{\isa{induct{\isacharunderscore}tac}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{method} \\

     \indexdef{HOL}{method}{ind\_cases}\hypertarget{method.HOL.ind-cases}{\hyperlink{method.HOL.ind-cases}{\mbox{\isa{ind{\isacharunderscore}cases}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{method} \\

     \indexdef{HOL}{command}{inductive\_cases}\hypertarget{command.HOL.inductive-cases}{\hyperlink{command.HOL.inductive-cases}{\mbox{\isa{\isacommand{inductive{\isacharunderscore}cases}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}local{\isacharunderscore}theory\ {\isasymrightarrow}\ local{\isacharunderscore}theory{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

     'case\_tac' goalspec? term rule?

     ;

     'induct\_tac' goalspec? (insts * 'and') rule?

     ;

     'ind\_cases' (prop +) ('for' (name +)) ?

     ;

     'inductive\_cases' (thmdecl? (prop +) + 'and')

     ;

     rule: ('rule' ':' thmref)

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{method.HOL.case-tac}{\mbox{\isa{case{\isacharunderscore}tac}}} and \hyperlink{method.HOL.induct-tac}{\mbox{\isa{induct{\isacharunderscore}tac}}} admit

   to reason about inductive types.  Rules are selected according to

   the declarations by the \hyperlink{attribute.cases}{\mbox{\isa{cases}}} and \hyperlink{attribute.induct}{\mbox{\isa{induct}}}

   attributes, cf.\ \secref{sec:cases-induct}.  The \hyperlink{command.HOL.datatype}{\mbox{\isa{\isacommand{datatype}}}} package already takes care of this.

   These unstructured tactics feature both goal addressing and dynamic

   instantiation.  Note that named rule cases are \emph{not} provided

   as would be by the proper \hyperlink{method.cases}{\mbox{\isa{cases}}} and \hyperlink{method.induct}{\mbox{\isa{induct}}} proof

   methods (see \secref{sec:cases-induct}).  Unlike the \hyperlink{method.induct}{\mbox{\isa{induct}}} method, \hyperlink{method.induct-tac}{\mbox{\isa{induct{\isacharunderscore}tac}}} does not handle structured rule

   statements, only the compact object-logic conclusion of the subgoal

   being addressed.

   \item \hyperlink{method.HOL.ind-cases}{\mbox{\isa{ind{\isacharunderscore}cases}}} and \hyperlink{command.HOL.inductive-cases}{\mbox{\isa{\isacommand{inductive{\isacharunderscore}cases}}}} provide an interface to the internal \verb|mk_cases| operation.  Rules are simplified in an unrestricted

   forward manner.

   While \hyperlink{method.HOL.ind-cases}{\mbox{\isa{ind{\isacharunderscore}cases}}} is a proof method to apply the

   result immediately as elimination rules, \hyperlink{command.HOL.inductive-cases}{\mbox{\isa{\isacommand{inductive{\isacharunderscore}cases}}}} provides case split theorems at the theory level

   for later use.  The \hyperlink{keyword.for}{\mbox{\isa{\isakeyword{for}}}} argument of the \hyperlink{method.HOL.ind-cases}{\mbox{\isa{ind{\isacharunderscore}cases}}} method allows to specify a list of variables that should

   be generalized before applying the resulting rule.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Executable code%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 Isabelle/Pure provides two generic frameworks to support code

   generation from executable specifications.  Isabelle/HOL

   instantiates these mechanisms in a way that is amenable to end-user

   applications.

   One framework generates code from both functional and relational

   programs to SML.  See \cite{isabelle-HOL} for further information

   (this actually covers the new-style theory format as well).

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{code\_module}\hypertarget{command.HOL.code-module}{\hyperlink{command.HOL.code-module}{\mbox{\isa{\isacommand{code{\isacharunderscore}module}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_library}\hypertarget{command.HOL.code-library}{\hyperlink{command.HOL.code-library}{\mbox{\isa{\isacommand{code{\isacharunderscore}library}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{consts\_code}\hypertarget{command.HOL.consts-code}{\hyperlink{command.HOL.consts-code}{\mbox{\isa{\isacommand{consts{\isacharunderscore}code}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{types\_code}\hypertarget{command.HOL.types-code}{\hyperlink{command.HOL.types-code}{\mbox{\isa{\isacommand{types{\isacharunderscore}code}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\  

     \indexdef{HOL}{attribute}{code}\hypertarget{attribute.HOL.code}{\hyperlink{attribute.HOL.code}{\mbox{\isa{code}}}} & : & \isa{attribute} \\

   \end{matharray}

   \begin{rail}

   ( 'code\_module' | 'code\_library' ) modespec ? name ? \\

     ( 'file' name ) ? ( 'imports' ( name + ) ) ? \\

     'contains' ( ( name '=' term ) + | term + )

   ;

   modespec: '(' ( name * ) ')'

   ;

   'consts\_code' (codespec +)

   ;

   codespec: const template attachment ?

   ;

   'types\_code' (tycodespec +)

   ;

   tycodespec: name template attachment ?

   ;

   const: term

   ;

   template: '(' string ')'

   ;

   attachment: 'attach' modespec ? verblbrace text verbrbrace

   ;

   'code' (name)?

   ;

   \end{rail}

   \medskip The other framework generates code from functional programs

   (including overloading using type classes) to SML \cite{SML}, OCaml

   \cite{OCaml} and Haskell \cite{haskell-revised-report}.

   Conceptually, code generation is split up in three steps:

   \emph{selection} of code theorems, \emph{translation} into an

   abstract executable view and \emph{serialization} to a specific

   \emph{target language}.  See \cite{isabelle-codegen} for an

   introduction on how to use it.

   \begin{matharray}{rcl}

     \indexdef{HOL}{command}{export\_code}\hypertarget{command.HOL.export-code}{\hyperlink{command.HOL.export-code}{\mbox{\isa{\isacommand{export{\isacharunderscore}code}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_thms}\hypertarget{command.HOL.code-thms}{\hyperlink{command.HOL.code-thms}{\mbox{\isa{\isacommand{code{\isacharunderscore}thms}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_deps}\hypertarget{command.HOL.code-deps}{\hyperlink{command.HOL.code-deps}{\mbox{\isa{\isacommand{code{\isacharunderscore}deps}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_datatype}\hypertarget{command.HOL.code-datatype}{\hyperlink{command.HOL.code-datatype}{\mbox{\isa{\isacommand{code{\isacharunderscore}datatype}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_const}\hypertarget{command.HOL.code-const}{\hyperlink{command.HOL.code-const}{\mbox{\isa{\isacommand{code{\isacharunderscore}const}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_type}\hypertarget{command.HOL.code-type}{\hyperlink{command.HOL.code-type}{\mbox{\isa{\isacommand{code{\isacharunderscore}type}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_class}\hypertarget{command.HOL.code-class}{\hyperlink{command.HOL.code-class}{\mbox{\isa{\isacommand{code{\isacharunderscore}class}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_instance}\hypertarget{command.HOL.code-instance}{\hyperlink{command.HOL.code-instance}{\mbox{\isa{\isacommand{code{\isacharunderscore}instance}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_monad}\hypertarget{command.HOL.code-monad}{\hyperlink{command.HOL.code-monad}{\mbox{\isa{\isacommand{code{\isacharunderscore}monad}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_reserved}\hypertarget{command.HOL.code-reserved}{\hyperlink{command.HOL.code-reserved}{\mbox{\isa{\isacommand{code{\isacharunderscore}reserved}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_include}\hypertarget{command.HOL.code-include}{\hyperlink{command.HOL.code-include}{\mbox{\isa{\isacommand{code{\isacharunderscore}include}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_modulename}\hypertarget{command.HOL.code-modulename}{\hyperlink{command.HOL.code-modulename}{\mbox{\isa{\isacommand{code{\isacharunderscore}modulename}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{code\_abort}\hypertarget{command.HOL.code-abort}{\hyperlink{command.HOL.code-abort}{\mbox{\isa{\isacommand{code{\isacharunderscore}abort}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ theory{\isachardoublequote}} \\

     \indexdef{HOL}{command}{print\_codesetup}\hypertarget{command.HOL.print-codesetup}{\hyperlink{command.HOL.print-codesetup}{\mbox{\isa{\isacommand{print{\isacharunderscore}codesetup}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{print\_codeproc}\hypertarget{command.HOL.print-codeproc}{\hyperlink{command.HOL.print-codeproc}{\mbox{\isa{\isacommand{print{\isacharunderscore}codeproc}}}}}\isa{{\isachardoublequote}\isactrlsup {\isacharasterisk}{\isachardoublequote}} & : & \isa{{\isachardoublequote}context\ {\isasymrightarrow}{\isachardoublequote}} \\

     \indexdef{HOL}{attribute}{code}\hypertarget{attribute.HOL.code}{\hyperlink{attribute.HOL.code}{\mbox{\isa{code}}}} & : & \isa{attribute} \\

   \end{matharray}

   \begin{rail}

     'export\_code' ( constexpr + ) \\

       ( ( 'in' target ( 'module\_name' string ) ? \\

         ( 'file' ( string | '-' ) ) ? ( '(' args ')' ) ?) + ) ?

     ;

     'code\_thms' ( constexpr + ) ?

     ;

     'code\_deps' ( constexpr + ) ?

     ;

     const: term

     ;

     constexpr: ( const | 'name.*' | '*' )

     ;

     typeconstructor: nameref

     ;

     class: nameref

     ;

     target: 'OCaml' | 'SML' | 'Haskell'

     ;

     'code\_datatype' const +

     ;

     'code\_const' (const + 'and') \\

       ( ( '(' target ( syntax ? + 'and' ) ')' ) + )

     ;

     'code\_type' (typeconstructor + 'and') \\

       ( ( '(' target ( syntax ? + 'and' ) ')' ) + )

     ;

     'code\_class' (class + 'and') \\

       ( ( '(' target \\ ( string ? + 'and' ) ')' ) + )

     ;

     'code\_instance' (( typeconstructor '::' class ) + 'and') \\

       ( ( '(' target ( '-' ? + 'and' ) ')' ) + )

     ;

     'code\_monad' const const target

     ;

     'code\_reserved' target ( string + )

     ;

     'code\_include' target ( string ( string | '-') )

     ;

     'code\_modulename' target ( ( string string ) + )

     ;

     'code\_abort' ( const + )

     ;

     syntax: string | ( 'infix' | 'infixl' | 'infixr' ) nat string

     ;

     'code' ( 'del' ) ?

     ;

     'code_unfold' ( 'del' ) ?

     ;

     'code_post' ( 'del' ) ?

     ;

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.export-code}{\mbox{\isa{\isacommand{export{\isacharunderscore}code}}}} is the canonical interface for

   generating and serializing code: for a given list of constants, code

   is generated for the specified target languages.  If no serialization

   instruction is given, only abstract code is generated internally.

   Constants may be specified by giving them literally, referring to

   all executable contants within a certain theory by giving \isa{{\isachardoublequote}name{\isachardot}{\isacharasterisk}{\isachardoublequote}}, or referring to \emph{all} executable constants currently

   available by giving \isa{{\isachardoublequote}{\isacharasterisk}{\isachardoublequote}}.

   By default, for each involved theory one corresponding name space

   module is generated.  Alternativly, a module name may be specified

   after the \hyperlink{keyword.module-name}{\mbox{\isa{\isakeyword{module{\isacharunderscore}name}}}} keyword; then \emph{all} code is

   placed in this module.

   For \emph{SML} and \emph{OCaml}, the file specification refers to a

   single file; for \emph{Haskell}, it refers to a whole directory,

   where code is generated in multiple files reflecting the module

   hierarchy.  The file specification ``\isa{{\isachardoublequote}{\isacharminus}{\isachardoublequote}}'' denotes standard

   output.  For \emph{SML}, omitting the file specification compiles

   code internally in the context of the current ML session.

   Serializers take an optional list of arguments in parentheses.  For

   \emph{SML} and \emph{OCaml}, ``\isa{no{\isacharunderscore}signatures}`` omits

   explicit module signatures.

   For \emph{Haskell} a module name prefix may be given using the ``\isa{{\isachardoublequote}root{\isacharcolon}{\isachardoublequote}}'' argument; ``\isa{string{\isacharunderscore}classes}'' adds a ``\verb|deriving (Read, Show)|'' clause to each appropriate datatype

   declaration.

   \item \hyperlink{command.HOL.code-thms}{\mbox{\isa{\isacommand{code{\isacharunderscore}thms}}}} prints a list of theorems

   representing the corresponding program containing all given

   constants.

   \item \hyperlink{command.HOL.code-deps}{\mbox{\isa{\isacommand{code{\isacharunderscore}deps}}}} visualizes dependencies of

   theorems representing the corresponding program containing all given

   constants.

   \item \hyperlink{command.HOL.code-datatype}{\mbox{\isa{\isacommand{code{\isacharunderscore}datatype}}}} specifies a constructor set

   for a logical type.

   \item \hyperlink{command.HOL.code-const}{\mbox{\isa{\isacommand{code{\isacharunderscore}const}}}} associates a list of constants

   with target-specific serializations; omitting a serialization

   deletes an existing serialization.

   \item \hyperlink{command.HOL.code-type}{\mbox{\isa{\isacommand{code{\isacharunderscore}type}}}} associates a list of type

   constructors with target-specific serializations; omitting a

   serialization deletes an existing serialization.

   \item \hyperlink{command.HOL.code-class}{\mbox{\isa{\isacommand{code{\isacharunderscore}class}}}} associates a list of classes

   with target-specific class names; omitting a serialization deletes

   an existing serialization.  This applies only to \emph{Haskell}.

   \item \hyperlink{command.HOL.code-instance}{\mbox{\isa{\isacommand{code{\isacharunderscore}instance}}}} declares a list of type

   constructor / class instance relations as ``already present'' for a

   given target.  Omitting a ``\isa{{\isachardoublequote}{\isacharminus}{\isachardoublequote}}'' deletes an existing

   ``already present'' declaration.  This applies only to

   \emph{Haskell}.

   \item \hyperlink{command.HOL.code-monad}{\mbox{\isa{\isacommand{code{\isacharunderscore}monad}}}} provides an auxiliary mechanism

   to generate monadic code for Haskell.

   \item \hyperlink{command.HOL.code-reserved}{\mbox{\isa{\isacommand{code{\isacharunderscore}reserved}}}} declares a list of names as

   reserved for a given target, preventing it to be shadowed by any

   generated code.

   \item \hyperlink{command.HOL.code-include}{\mbox{\isa{\isacommand{code{\isacharunderscore}include}}}} adds arbitrary named content

   (``include'') to generated code.  A ``\isa{{\isachardoublequote}{\isacharminus}{\isachardoublequote}}'' as last argument

   will remove an already added ``include''.

   \item \hyperlink{command.HOL.code-modulename}{\mbox{\isa{\isacommand{code{\isacharunderscore}modulename}}}} declares aliasings from one

   module name onto another.

   \item \hyperlink{command.HOL.code-abort}{\mbox{\isa{\isacommand{code{\isacharunderscore}abort}}}} declares constants which are not

   required to have a definition by means of code equations; if

   needed these are implemented by program abort instead.

   \item \hyperlink{attribute.HOL.code}{\mbox{\isa{code}}} explicitly selects (or with option

   ``\isa{{\isachardoublequote}del{\isachardoublequote}}'' deselects) a code equation for code

   generation.  Usually packages introducing code equations provide

   a reasonable default setup for selection.

   \item \hyperlink{attribute.HOL.code-inline}{\mbox{\isa{code{\isacharunderscore}inline}}} declares (or with

   option ``\isa{{\isachardoublequote}del{\isachardoublequote}}'' removes) inlining theorems which are

   applied as rewrite rules to any code equation during

   preprocessing.

   \item \hyperlink{attribute.HOL.code-post}{\mbox{\isa{code{\isacharunderscore}post}}} declares (or with

   option ``\isa{{\isachardoublequote}del{\isachardoublequote}}'' removes) theorems which are

   applied as rewrite rules to any result of an evaluation.

   \item \hyperlink{command.HOL.print-codesetup}{\mbox{\isa{\isacommand{print{\isacharunderscore}codesetup}}}} gives an overview on

   selected code equations and code generator datatypes.

   \item \hyperlink{command.HOL.print-codeproc}{\mbox{\isa{\isacommand{print{\isacharunderscore}codeproc}}}} prints the setup

   of the code generator preprocessor.

   \end{description}%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isamarkupsection{Definition by specification \label{sec:hol-specification}%

 }

 \isamarkuptrue%

 %

 \begin{isamarkuptext}%

 \begin{matharray}{rcl}

     \indexdef{HOL}{command}{specification}\hypertarget{command.HOL.specification}{\hyperlink{command.HOL.specification}{\mbox{\isa{\isacommand{specification}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

     \indexdef{HOL}{command}{ax\_specification}\hypertarget{command.HOL.ax-specification}{\hyperlink{command.HOL.ax-specification}{\mbox{\isa{\isacommand{ax{\isacharunderscore}specification}}}}} & : & \isa{{\isachardoublequote}theory\ {\isasymrightarrow}\ proof{\isacharparenleft}prove{\isacharparenright}{\isachardoublequote}} \\

   \end{matharray}

   \begin{rail}

   ('specification' | 'ax\_specification') '(' (decl +) ')' \\ (thmdecl? prop +)

   ;

   decl: ((name ':')? term '(' 'overloaded' ')'?)

   \end{rail}

   \begin{description}

   \item \hyperlink{command.HOL.specification}{\mbox{\isa{\isacommand{specification}}}}~\isa{{\isachardoublequote}decls\ {\isasymphi}{\isachardoublequote}} sets up a

   goal stating the existence of terms with the properties specified to

   hold for the constants given in \isa{decls}.  After finishing the

   proof, the theory will be augmented with definitions for the given

   constants, as well as with theorems stating the properties for these

   constants.

   \item \hyperlink{command.HOL.ax-specification}{\mbox{\isa{\isacommand{ax{\isacharunderscore}specification}}}}~\isa{{\isachardoublequote}decls\ {\isasymphi}{\isachardoublequote}} sets up

   a goal stating the existence of terms with the properties specified

   to hold for the constants given in \isa{decls}.  After finishing

   the proof, the theory will be augmented with axioms expressing the

   properties given in the first place.

   \item \isa{decl} declares a constant to be defined by the

   specification given.  The definition for the constant \isa{c} is

   bound to the name \isa{c{\isacharunderscore}def} unless a theorem name is given in

   the declaration.  Overloaded constants should be declared as such.

   \end{description}

   Whether to use \hyperlink{command.HOL.specification}{\mbox{\isa{\isacommand{specification}}}} or \hyperlink{command.HOL.ax-specification}{\mbox{\isa{\isacommand{ax{\isacharunderscore}specification}}}} is to some extent a matter of style.  \hyperlink{command.HOL.specification}{\mbox{\isa{\isacommand{specification}}}} introduces no new axioms, and so by

   construction cannot introduce inconsistencies, whereas \hyperlink{command.HOL.ax-specification}{\mbox{\isa{\isacommand{ax{\isacharunderscore}specification}}}} does introduce axioms, but only after the

   user has explicitly proven it to be safe.  A practical issue must be

   considered, though: After introducing two constants with the same

   properties using \hyperlink{command.HOL.specification}{\mbox{\isa{\isacommand{specification}}}}, one can prove

   that the two constants are, in fact, equal.  If this might be a

   problem, one should use \hyperlink{command.HOL.ax-specification}{\mbox{\isa{\isacommand{ax{\isacharunderscore}specification}}}}.%

 \end{isamarkuptext}%

 \isamarkuptrue%

 %

 \isadelimtheory

 %

 \endisadelimtheory

 %

 \isatagtheory

 \isacommand{end}\isamarkupfalse%

 %

 \endisatagtheory

 {\isafoldtheory}%

 %

 \isadelimtheory

 %

 \endisadelimtheory

 \isanewline

 \end{isabellebody}%

 %%% Local Variables:

 %%% mode: latex

 %%% TeX-master: "root"

 %%% End: