NEWS

Isabelle NEWS -- history of user-relevant changes
=================================================

New in this Isabelle version
----------------------------

*** HOL ***

* Sledgehammer:
  - Minimization is now always enabled by default.
    Removed subcommand:
      min


New in Isabelle2014 (August 2014)
---------------------------------

*** General ***

* Support for official Standard ML within the Isabelle context.
Command 'SML_file' reads and evaluates the given Standard ML file.
Toplevel bindings are stored within the theory context; the initial
environment is restricted to the Standard ML implementation of
Poly/ML, without the add-ons of Isabelle/ML.  Commands 'SML_import'
and 'SML_export' allow to exchange toplevel bindings between the two
separate environments.  See also ~~/src/Tools/SML/Examples.thy for
some examples.

* Standard tactics and proof methods such as "clarsimp", "auto" and
"safe" now preserve equality hypotheses "x = expr" where x is a free
variable.  Locale assumptions and chained facts containing "x"
continue to be useful.  The new method "hypsubst_thin" and the
configuration option "hypsubst_thin" (within the attribute name space)
restore the previous behavior.  INCOMPATIBILITY, especially where
induction is done after these methods or when the names of free and
bound variables clash.  As first approximation, old proofs may be
repaired by "using [[hypsubst_thin = true]]" in the critical spot.

* More static checking of proof methods, which allows the system to
form a closure over the concrete syntax.  Method arguments should be
processed in the original proof context as far as possible, before
operating on the goal state.  In any case, the standard discipline for
subgoal-addressing needs to be observed: no subgoals or a subgoal
number that is out of range produces an empty result sequence, not an
exception.  Potential INCOMPATIBILITY for non-conformant tactical
proof tools.

* Lexical syntax (inner and outer) supports text cartouches with
arbitrary nesting, and without escapes of quotes etc.  The Prover IDE
supports input via ` (backquote).

* The outer syntax categories "text" (for formal comments and document
markup commands) and "altstring" (for literal fact references) allow
cartouches as well, in addition to the traditional mix of quotations.

* Syntax of document antiquotation @{rail} now uses \<newline> instead
of "\\", to avoid the optical illusion of escaped backslash within
string token.  General renovation of its syntax using text cartouches.
Minor INCOMPATIBILITY.

* Discontinued legacy_isub_isup, which was a temporary workaround for
Isabelle/ML in Isabelle2013-1.  The prover process no longer accepts
old identifier syntax with \<^isub> or \<^isup>.  Potential
INCOMPATIBILITY.

* Document antiquotation @{url} produces markup for the given URL,
which results in an active hyperlink within the text.

* Document antiquotation @{file_unchecked} is like @{file}, but does
not check existence within the file-system.

* Updated and extended manuals: codegen, datatypes, implementation,
isar-ref, jedit, system.


*** Prover IDE -- Isabelle/Scala/jEdit ***

* Improved Document panel: simplified interaction where every single
mouse click (re)opens document via desktop environment or as jEdit
buffer.

* Support for Navigator plugin (with toolbar buttons), with connection
to PIDE hyperlinks.

* Auxiliary files ('ML_file' etc.) are managed by the Prover IDE.
Open text buffers take precedence over copies within the file-system.

* Improved support for Isabelle/ML, with jEdit mode "isabelle-ml" for
auxiliary ML files.

* Improved syntactic and semantic completion mechanism, with simple
templates, completion language context, name-space completion,
file-name completion, spell-checker completion.

* Refined GUI popup for completion: more robust key/mouse event
handling and propagation to enclosing text area -- avoid loosing
keystrokes with slow / remote graphics displays.

* Refined insertion of completion items wrt. jEdit text: multiple
selections, rectangular selections, rectangular selection as "tall
caret".

* Integrated spell-checker for document text, comments etc. with
completion popup and context-menu.

* More general "Query" panel supersedes "Find" panel, with GUI access
to commands 'find_theorems' and 'find_consts', as well as print
operations for the context.  Minor incompatibility in keyboard
shortcuts etc.: replace action isabelle-find by isabelle-query.

* Search field for all output panels ("Output", "Query", "Info" etc.)
to highlight text via regular expression.

* Option "jedit_print_mode" (see also "Plugin Options / Isabelle /
General") allows to specify additional print modes for the prover
process, without requiring old-fashioned command-line invocation of
"isabelle jedit -m MODE".

* More support for remote files (e.g. http) using standard Java
networking operations instead of jEdit virtual file-systems.

* Improved Console/Scala plugin: more uniform scala.Console output,
more robust treatment of threads and interrupts.

* Improved management of dockable windows: clarified keyboard focus
and window placement wrt. main editor view; optional menu item to
"Detach" a copy where this makes sense.

* New Simplifier Trace panel provides an interactive view of the
simplification process, enabled by the "simp_trace_new" attribute
within the context.


*** Pure ***

* Low-level type-class commands 'classes', 'classrel', 'arities' have
been discontinued to avoid the danger of non-trivial axiomatization
that is not immediately visible.  INCOMPATIBILITY, use regular
'instance' command with proof.  The required OFCLASS(...) theorem
might be postulated via 'axiomatization' beforehand, or the proof
finished trivially if the underlying class definition is made vacuous
(without any assumptions).  See also Isabelle/ML operations
Axclass.class_axiomatization, Axclass.classrel_axiomatization,
Axclass.arity_axiomatization.

* Basic constants of Pure use more conventional names and are always
qualified.  Rare INCOMPATIBILITY, but with potentially serious
consequences, notably for tools in Isabelle/ML.  The following
renaming needs to be applied:

  ==             ~>  Pure.eq
  ==>            ~>  Pure.imp
  all            ~>  Pure.all
  TYPE           ~>  Pure.type
  dummy_pattern  ~>  Pure.dummy_pattern

Systematic porting works by using the following theory setup on a
*previous* Isabelle version to introduce the new name accesses for the
old constants:

setup {*
  fn thy => thy
    |> Sign.root_path
    |> Sign.const_alias (Binding.qualify true "Pure" @{binding eq}) "=="
    |> Sign.const_alias (Binding.qualify true "Pure" @{binding imp}) "==>"
    |> Sign.const_alias (Binding.qualify true "Pure" @{binding all}) "all"
    |> Sign.restore_naming thy
*}

Thus ML antiquotations like @{const_name Pure.eq} may be used already.
Later the application is moved to the current Isabelle version, and
the auxiliary aliases are deleted.

* Attributes "where" and "of" allow an optional context of local
variables ('for' declaration): these variables become schematic in the
instantiated theorem.

* Obsolete attribute "standard" has been discontinued (legacy since
Isabelle2012).  Potential INCOMPATIBILITY, use explicit 'for' context
where instantiations with schematic variables are intended (for
declaration commands like 'lemmas' or attributes like "of").  The
following temporary definition may help to port old applications:

  attribute_setup standard =
    "Scan.succeed (Thm.rule_attribute (K Drule.export_without_context))"

* More thorough check of proof context for goal statements and
attributed fact expressions (concerning background theory, declared
hyps).  Potential INCOMPATIBILITY, tools need to observe standard
context discipline.  See also Assumption.add_assumes and the more
primitive Thm.assume_hyps.

* Inner syntax token language allows regular quoted strings "..."
(only makes sense in practice, if outer syntax is delimited
differently, e.g. via cartouches).

* Command 'print_term_bindings' supersedes 'print_binds' for clarity,
but the latter is retained some time as Proof General legacy.

* Code generator preprocessor: explicit control of simp tracing on a
per-constant basis.  See attribute "code_preproc".


*** HOL ***

* Code generator: enforce case of identifiers only for strict target
language requirements.  INCOMPATIBILITY.

* Code generator: explicit proof contexts in many ML interfaces.
INCOMPATIBILITY.

* Code generator: minimize exported identifiers by default.  Minor
INCOMPATIBILITY.

* Code generation for SML and OCaml: dropped arcane "no_signatures"
option.  Minor INCOMPATIBILITY.

* "declare [[code abort: ...]]" replaces "code_abort ...".
INCOMPATIBILITY.

* "declare [[code drop: ...]]" drops all code equations associated
with the given constants.

* Code generations are provided for make, fields, extend and truncate
operations on records.

* Command and antiquotation "value" are now hardcoded against nbe and
ML.  Minor INCOMPATIBILITY.

* Renamed command 'enriched_type' to 'functor'. INCOMPATIBILITY.

* The symbol "\<newline>" may be used within char or string literals
to represent (Char Nibble0 NibbleA), i.e. ASCII newline.

* Qualified String.implode and String.explode.  INCOMPATIBILITY.

* Simplifier: Enhanced solver of preconditions of rewrite rules can
now deal with conjunctions.  For help with converting proofs, the old
behaviour of the simplifier can be restored like this: declare/using
[[simp_legacy_precond]].  This configuration option will disappear
again in the future.  INCOMPATIBILITY.

* Simproc "finite_Collect" is no longer enabled by default, due to
spurious crashes and other surprises.  Potential INCOMPATIBILITY.

* Moved new (co)datatype package and its dependencies from session
  "HOL-BNF" to "HOL".  The commands 'bnf', 'wrap_free_constructors',
  'datatype_new', 'codatatype', 'primcorec', 'primcorecursive' are now
  part of theory "Main".

  Theory renamings:
    FunDef.thy ~> Fun_Def.thy (and Fun_Def_Base.thy)
    Library/Wfrec.thy ~> Wfrec.thy
    Library/Zorn.thy ~> Zorn.thy
    Cardinals/Order_Relation.thy ~> Order_Relation.thy
    Library/Order_Union.thy ~> Cardinals/Order_Union.thy
    Cardinals/Cardinal_Arithmetic_Base.thy ~> BNF_Cardinal_Arithmetic.thy
    Cardinals/Cardinal_Order_Relation_Base.thy ~> BNF_Cardinal_Order_Relation.thy
    Cardinals/Constructions_on_Wellorders_Base.thy ~> BNF_Constructions_on_Wellorders.thy
    Cardinals/Wellorder_Embedding_Base.thy ~> BNF_Wellorder_Embedding.thy
    Cardinals/Wellorder_Relation_Base.thy ~> BNF_Wellorder_Relation.thy
    BNF/Ctr_Sugar.thy ~> Ctr_Sugar.thy
    BNF/Basic_BNFs.thy ~> Basic_BNFs.thy
    BNF/BNF_Comp.thy ~> BNF_Comp.thy
    BNF/BNF_Def.thy ~> BNF_Def.thy
    BNF/BNF_FP_Base.thy ~> BNF_FP_Base.thy
    BNF/BNF_GFP.thy ~> BNF_GFP.thy
    BNF/BNF_LFP.thy ~> BNF_LFP.thy
    BNF/BNF_Util.thy ~> BNF_Util.thy
    BNF/Coinduction.thy ~> Coinduction.thy
    BNF/More_BNFs.thy ~> Library/More_BNFs.thy
    BNF/Countable_Type.thy ~> Library/Countable_Set_Type.thy
    BNF/Examples/* ~> BNF_Examples/*

  New theories:
    Wellorder_Extension.thy (split from Zorn.thy)
    Library/Cardinal_Notations.thy
    Library/BNF_Axomatization.thy
    BNF_Examples/Misc_Primcorec.thy
    BNF_Examples/Stream_Processor.thy

  Discontinued theories:
    BNF/BNF.thy
    BNF/Equiv_Relations_More.thy

INCOMPATIBILITY.

* New (co)datatype package:
  - Command 'primcorec' is fully implemented.
  - Command 'datatype_new' generates size functions ("size_xxx" and
    "size") as required by 'fun'.
  - BNFs are integrated with the Lifting tool and new-style
    (co)datatypes with Transfer.
  - Renamed commands:
      datatype_new_compat ~> datatype_compat
      primrec_new ~> primrec
      wrap_free_constructors ~> free_constructors
    INCOMPATIBILITY.
  - The generated constants "xxx_case" and "xxx_rec" have been renamed
    "case_xxx" and "rec_xxx" (e.g., "prod_case" ~> "case_prod").
    INCOMPATIBILITY.
  - The constant "xxx_(un)fold" and related theorems are no longer
    generated.  Use "xxx_(co)rec" or define "xxx_(un)fold" manually
    using "prim(co)rec".
    INCOMPATIBILITY.
  - No discriminators are generated for nullary constructors by
    default, eliminating the need for the odd "=:" syntax.
    INCOMPATIBILITY.
  - No discriminators or selectors are generated by default by
    "datatype_new", unless custom names are specified or the new
    "discs_sels" option is passed.
    INCOMPATIBILITY.

* Old datatype package:
  - The generated theorems "xxx.cases" and "xxx.recs" have been
    renamed "xxx.case" and "xxx.rec" (e.g., "sum.cases" ->
    "sum.case").  INCOMPATIBILITY.
  - The generated constants "xxx_case", "xxx_rec", and "xxx_size" have
    been renamed "case_xxx", "rec_xxx", and "size_xxx" (e.g.,
    "prod_case" ~> "case_prod").  INCOMPATIBILITY.

* The types "'a list" and "'a option", their set and map functions,
  their relators, and their selectors are now produced using the new
  BNF-based datatype package.

  Renamed constants:
    Option.set ~> set_option
    Option.map ~> map_option
    option_rel ~> rel_option

  Renamed theorems:
    set_def ~> set_rec[abs_def]
    map_def ~> map_rec[abs_def]
    Option.map_def ~> map_option_case[abs_def] (with "case_option" instead of "rec_option")
    option.recs ~> option.rec
    list_all2_def ~> list_all2_iff
    set.simps ~> set_simps (or the slightly different "list.set")
    map.simps ~> list.map
    hd.simps ~> list.sel(1)
    tl.simps ~> list.sel(2-3)
    the.simps ~> option.sel

INCOMPATIBILITY.

* The following map functions and relators have been renamed:
    sum_map ~> map_sum
    map_pair ~> map_prod
    prod_rel ~> rel_prod
    sum_rel ~> rel_sum
    fun_rel ~> rel_fun
    set_rel ~> rel_set
    filter_rel ~> rel_filter
    fset_rel ~> rel_fset (in "src/HOL/Library/FSet.thy")
    cset_rel ~> rel_cset (in "src/HOL/Library/Countable_Set_Type.thy")
    vset ~> rel_vset (in "src/HOL/Library/Quotient_Set.thy")

INCOMPATIBILITY.

* New internal SAT solver "cdclite" that produces models and proof
traces.  This solver replaces the internal SAT solvers "enumerate" and
"dpll".  Applications that explicitly used one of these two SAT
solvers should use "cdclite" instead. In addition, "cdclite" is now
the default SAT solver for the "sat" and "satx" proof methods and
corresponding tactics; the old default can be restored using "declare
[[sat_solver = zchaff_with_proofs]]".  Minor INCOMPATIBILITY.

* SMT module: A new version of the SMT module, temporarily called
"SMT2", uses SMT-LIB 2 and supports recent versions of Z3 (e.g.,
4.3). The new proof method is called "smt2". CVC3 and CVC4 are also
supported as oracles. Yices is no longer supported, because no version
of the solver can handle both SMT-LIB 2 and quantifiers.

* Activation of Z3 now works via "z3_non_commercial" system option
(without requiring restart), instead of former settings variable
"Z3_NON_COMMERCIAL".  The option can be edited in Isabelle/jEdit menu
Plugin Options / Isabelle / General.

* Sledgehammer:
  - Z3 can now produce Isar proofs.
  - MaSh overhaul:
    . New SML-based learning algorithms eliminate the dependency on
      Python and increase performance and reliability.
    . MaSh and MeSh are now used by default together with the
      traditional MePo (Meng-Paulson) relevance filter. To disable
      MaSh, set the "MaSh" system option in Isabelle/jEdit Plugin
      Options / Isabelle / General to "none".
  - New option:
      smt_proofs
  - Renamed options:
      isar_compress ~> compress
      isar_try0 ~> try0

INCOMPATIBILITY.

* Removed solvers remote_cvc3 and remote_z3. Use cvc3 and z3 instead.

* Nitpick:
  - Fixed soundness bug whereby mutually recursive datatypes could
    take infinite values.
  - Fixed soundness bug with low-level number functions such as
    "Abs_Integ" and "Rep_Integ".
  - Removed "std" option.
  - Renamed "show_datatypes" to "show_types" and "hide_datatypes" to
    "hide_types".

* Metis: Removed legacy proof method 'metisFT'. Use 'metis
(full_types)' instead. INCOMPATIBILITY.

* Try0: Added 'algebra' and 'meson' to the set of proof methods.

* Adjustion of INF and SUP operations:
  - Elongated constants INFI and SUPR to INFIMUM and SUPREMUM.
  - Consolidated theorem names containing INFI and SUPR: have INF and
    SUP instead uniformly.
  - More aggressive normalization of expressions involving INF and Inf
    or SUP and Sup.
  - INF_image and SUP_image do not unfold composition.
  - Dropped facts INF_comp, SUP_comp.
  - Default congruence rules strong_INF_cong and strong_SUP_cong, with
    simplifier implication in premises.  Generalize and replace former
    INT_cong, SUP_cong

INCOMPATIBILITY.

* SUP and INF generalized to conditionally_complete_lattice.

* Swapped orientation of facts image_comp and vimage_comp:

  image_compose ~> image_comp [symmetric]
  image_comp ~> image_comp [symmetric]
  vimage_compose ~> vimage_comp [symmetric]
  vimage_comp ~> vimage_comp [symmetric]

INCOMPATIBILITY.

* Theory reorganization: split of Big_Operators.thy into
Groups_Big.thy and Lattices_Big.thy.

* Consolidated some facts about big group operators:

    setsum_0' ~> setsum.neutral
    setsum_0 ~> setsum.neutral_const
    setsum_addf ~> setsum.distrib
    setsum_cartesian_product ~> setsum.cartesian_product
    setsum_cases ~> setsum.If_cases
    setsum_commute ~> setsum.commute
    setsum_cong ~> setsum.cong
    setsum_delta ~> setsum.delta
    setsum_delta' ~> setsum.delta'
    setsum_diff1' ~> setsum.remove
    setsum_empty ~> setsum.empty
    setsum_infinite ~> setsum.infinite
    setsum_insert ~> setsum.insert
    setsum_inter_restrict'' ~> setsum.inter_filter
    setsum_mono_zero_cong_left ~> setsum.mono_neutral_cong_left
    setsum_mono_zero_cong_right ~> setsum.mono_neutral_cong_right
    setsum_mono_zero_left ~> setsum.mono_neutral_left
    setsum_mono_zero_right ~> setsum.mono_neutral_right
    setsum_reindex ~> setsum.reindex
    setsum_reindex_cong ~> setsum.reindex_cong
    setsum_reindex_nonzero ~> setsum.reindex_nontrivial
    setsum_restrict_set ~> setsum.inter_restrict
    setsum_Plus ~> setsum.Plus
    setsum_setsum_restrict ~> setsum.commute_restrict
    setsum_Sigma ~> setsum.Sigma
    setsum_subset_diff ~> setsum.subset_diff
    setsum_Un_disjoint ~> setsum.union_disjoint
    setsum_UN_disjoint ~> setsum.UNION_disjoint
    setsum_Un_Int ~> setsum.union_inter
    setsum_Union_disjoint ~> setsum.Union_disjoint
    setsum_UNION_zero ~> setsum.Union_comp
    setsum_Un_zero ~> setsum.union_inter_neutral
    strong_setprod_cong ~> setprod.strong_cong
    strong_setsum_cong ~> setsum.strong_cong
    setprod_1' ~> setprod.neutral
    setprod_1 ~> setprod.neutral_const
    setprod_cartesian_product ~> setprod.cartesian_product
    setprod_cong ~> setprod.cong
    setprod_delta ~> setprod.delta
    setprod_delta' ~> setprod.delta'
    setprod_empty ~> setprod.empty
    setprod_infinite ~> setprod.infinite
    setprod_insert ~> setprod.insert
    setprod_mono_one_cong_left ~> setprod.mono_neutral_cong_left
    setprod_mono_one_cong_right ~> setprod.mono_neutral_cong_right
    setprod_mono_one_left ~> setprod.mono_neutral_left
    setprod_mono_one_right ~> setprod.mono_neutral_right
    setprod_reindex ~> setprod.reindex
    setprod_reindex_cong ~> setprod.reindex_cong
    setprod_reindex_nonzero ~> setprod.reindex_nontrivial
    setprod_Sigma ~> setprod.Sigma
    setprod_subset_diff ~> setprod.subset_diff
    setprod_timesf ~> setprod.distrib
    setprod_Un2 ~> setprod.union_diff2
    setprod_Un_disjoint ~> setprod.union_disjoint
    setprod_UN_disjoint ~> setprod.UNION_disjoint
    setprod_Un_Int ~> setprod.union_inter
    setprod_Union_disjoint ~> setprod.Union_disjoint
    setprod_Un_one ~> setprod.union_inter_neutral

  Dropped setsum_cong2 (simple variant of setsum.cong).
  Dropped setsum_inter_restrict' (simple variant of setsum.inter_restrict)
  Dropped setsum_reindex_id, setprod_reindex_id
    (simple variants of setsum.reindex [symmetric], setprod.reindex [symmetric]).

INCOMPATIBILITY.

* Abolished slightly odd global lattice interpretation for min/max.

  Fact consolidations:
    min_max.inf_assoc ~> min.assoc
    min_max.inf_commute ~> min.commute
    min_max.inf_left_commute ~> min.left_commute
    min_max.inf_idem ~> min.idem
    min_max.inf_left_idem ~> min.left_idem
    min_max.inf_right_idem ~> min.right_idem
    min_max.sup_assoc ~> max.assoc
    min_max.sup_commute ~> max.commute
    min_max.sup_left_commute ~> max.left_commute
    min_max.sup_idem ~> max.idem
    min_max.sup_left_idem ~> max.left_idem
    min_max.sup_inf_distrib1 ~> max_min_distrib2
    min_max.sup_inf_distrib2 ~> max_min_distrib1
    min_max.inf_sup_distrib1 ~> min_max_distrib2
    min_max.inf_sup_distrib2 ~> min_max_distrib1
    min_max.distrib ~> min_max_distribs
    min_max.inf_absorb1 ~> min.absorb1
    min_max.inf_absorb2 ~> min.absorb2
    min_max.sup_absorb1 ~> max.absorb1
    min_max.sup_absorb2 ~> max.absorb2
    min_max.le_iff_inf ~> min.absorb_iff1
    min_max.le_iff_sup ~> max.absorb_iff2
    min_max.inf_le1 ~> min.cobounded1
    min_max.inf_le2 ~> min.cobounded2
    le_maxI1, min_max.sup_ge1 ~> max.cobounded1
    le_maxI2, min_max.sup_ge2 ~> max.cobounded2
    min_max.le_infI1 ~> min.coboundedI1
    min_max.le_infI2 ~> min.coboundedI2
    min_max.le_supI1 ~> max.coboundedI1
    min_max.le_supI2 ~> max.coboundedI2
    min_max.less_infI1 ~> min.strict_coboundedI1
    min_max.less_infI2 ~> min.strict_coboundedI2
    min_max.less_supI1 ~> max.strict_coboundedI1
    min_max.less_supI2 ~> max.strict_coboundedI2
    min_max.inf_mono ~> min.mono
    min_max.sup_mono ~> max.mono
    min_max.le_infI, min_max.inf_greatest ~> min.boundedI
    min_max.le_supI, min_max.sup_least ~> max.boundedI
    min_max.le_inf_iff ~> min.bounded_iff
    min_max.le_sup_iff ~> max.bounded_iff

For min_max.inf_sup_aci, prefer (one of) min.commute, min.assoc,
min.left_commute, min.left_idem, max.commute, max.assoc,
max.left_commute, max.left_idem directly.

For min_max.inf_sup_ord, prefer (one of) min.cobounded1,
min.cobounded2, max.cobounded1m max.cobounded2 directly.

For min_ac or max_ac, prefer more general collection ac_simps.

INCOMPATBILITY.

* Theorem disambiguation Inf_le_Sup (on finite sets) ~>
Inf_fin_le_Sup_fin.  INCOMPATIBILITY.

* Qualified constant names Wellfounded.acc, Wellfounded.accp.
INCOMPATIBILITY.

* Fact generalization and consolidation:
    neq_one_mod_two, mod_2_not_eq_zero_eq_one_int ~> not_mod_2_eq_0_eq_1

INCOMPATIBILITY.

* Purely algebraic definition of even.  Fact generalization and
  consolidation:
    nat_even_iff_2_dvd, int_even_iff_2_dvd ~> even_iff_2_dvd
    even_zero_(nat|int) ~> even_zero

INCOMPATIBILITY.

* Abolished neg_numeral.
  - Canonical representation for minus one is "- 1".
  - Canonical representation for other negative numbers is "- (numeral _)".
  - When devising rule sets for number calculation, consider the
    following canonical cases: 0, 1, numeral _, - 1, - numeral _.
  - HOLogic.dest_number also recognizes numerals in non-canonical forms
    like "numeral One", "- numeral One", "- 0" and even "- ... - _".
  - Syntax for negative numerals is mere input syntax.

INCOMPATIBILITY.

* Reduced name variants for rules on associativity and commutativity:

    add_assoc ~> add.assoc
    add_commute ~> add.commute
    add_left_commute ~> add.left_commute
    mult_assoc ~> mult.assoc
    mult_commute ~> mult.commute
    mult_left_commute ~> mult.left_commute
    nat_add_assoc ~> add.assoc
    nat_add_commute ~> add.commute
    nat_add_left_commute ~> add.left_commute
    nat_mult_assoc ~> mult.assoc
    nat_mult_commute ~> mult.commute
    eq_assoc ~> iff_assoc
    eq_left_commute ~> iff_left_commute

INCOMPATIBILITY.

* Fact collections add_ac and mult_ac are considered old-fashioned.
Prefer ac_simps instead, or specify rules
(add|mult).(assoc|commute|left_commute) individually.

* Elimination of fact duplicates:
    equals_zero_I ~> minus_unique
    diff_eq_0_iff_eq ~> right_minus_eq
    nat_infinite ~> infinite_UNIV_nat
    int_infinite ~> infinite_UNIV_int

INCOMPATIBILITY.

* Fact name consolidation:
    diff_def, diff_minus, ab_diff_minus ~> diff_conv_add_uminus
    minus_le_self_iff ~> neg_less_eq_nonneg
    le_minus_self_iff ~> less_eq_neg_nonpos
    neg_less_nonneg ~> neg_less_pos
    less_minus_self_iff ~> less_neg_neg [simp]

INCOMPATIBILITY.

* More simplification rules on unary and binary minus:
add_diff_cancel, add_diff_cancel_left, add_le_same_cancel1,
add_le_same_cancel2, add_less_same_cancel1, add_less_same_cancel2,
add_minus_cancel, diff_add_cancel, le_add_same_cancel1,
le_add_same_cancel2, less_add_same_cancel1, less_add_same_cancel2,
minus_add_cancel, uminus_add_conv_diff.  These correspondingly have
been taken away from fact collections algebra_simps and field_simps.
INCOMPATIBILITY.

To restore proofs, the following patterns are helpful:

a) Arbitrary failing proof not involving "diff_def":
Consider simplification with algebra_simps or field_simps.

b) Lifting rules from addition to subtraction:
Try with "using <rule for addition> of [... "- _" ...]" by simp".

c) Simplification with "diff_def": just drop "diff_def".
Consider simplification with algebra_simps or field_simps;
or the brute way with
"simp add: diff_conv_add_uminus del: add_uminus_conv_diff".

* Introduce bdd_above and bdd_below in theory
Conditionally_Complete_Lattices, use them instead of explicitly
stating boundedness of sets.

* ccpo.admissible quantifies only over non-empty chains to allow more
syntax-directed proof rules; the case of the empty chain shows up as
additional case in fixpoint induction proofs.  INCOMPATIBILITY.

* Removed and renamed theorems in Series:
  summable_le         ~>  suminf_le
  suminf_le           ~>  suminf_le_const
  series_pos_le       ~>  setsum_le_suminf
  series_pos_less     ~>  setsum_less_suminf
  suminf_ge_zero      ~>  suminf_nonneg
  suminf_gt_zero      ~>  suminf_pos
  suminf_gt_zero_iff  ~>  suminf_pos_iff
  summable_sumr_LIMSEQ_suminf  ~>  summable_LIMSEQ
  suminf_0_le         ~>  suminf_nonneg [rotate]
  pos_summable        ~>  summableI_nonneg_bounded
  ratio_test          ~>  summable_ratio_test

  removed series_zero, replaced by sums_finite

  removed auxiliary lemmas:

    sumr_offset, sumr_offset2, sumr_offset3, sumr_offset4, sumr_group,
    half, le_Suc_ex_iff, lemma_realpow_diff_sumr,
    real_setsum_nat_ivl_bounded, summable_le2, ratio_test_lemma2,
    sumr_minus_one_realpow_zerom, sumr_one_lb_realpow_zero,
    summable_convergent_sumr_iff, sumr_diff_mult_const

INCOMPATIBILITY.

* Replace (F)DERIV syntax by has_derivative:
  - "(f has_derivative f') (at x within s)" replaces "FDERIV f x : s : f'"

  - "(f has_field_derivative f') (at x within s)" replaces "DERIV f x : s : f'"

  - "f differentiable at x within s" replaces "_ differentiable _ in _" syntax

  - removed constant isDiff

  - "DERIV f x : f'" and "FDERIV f x : f'" syntax is only available as
    input syntax.

  - "DERIV f x : s : f'" and "FDERIV f x : s : f'" syntax removed.

  - Renamed FDERIV_... lemmas to has_derivative_...

  - renamed deriv (the syntax constant used for "DERIV _ _ :> _") to DERIV

  - removed DERIV_intros, has_derivative_eq_intros

  - introduced derivative_intros and deriative_eq_intros which
    includes now rules for DERIV, has_derivative and
    has_vector_derivative.

  - Other renamings:
    differentiable_def        ~>  real_differentiable_def
    differentiableE           ~>  real_differentiableE
    fderiv_def                ~>  has_derivative_at
    field_fderiv_def          ~>  field_has_derivative_at
    isDiff_der                ~>  differentiable_def
    deriv_fderiv              ~>  has_field_derivative_def
    deriv_def                 ~>  DERIV_def

INCOMPATIBILITY.

* Include more theorems in continuous_intros. Remove the
continuous_on_intros, isCont_intros collections, these facts are now
in continuous_intros.

* Theorems about complex numbers are now stated only using Re and Im,
the Complex constructor is not used anymore. It is possible to use
primcorec to defined the behaviour of a complex-valued function.

Removed theorems about the Complex constructor from the simpset, they
are available as the lemma collection legacy_Complex_simps. This
especially removes

    i_complex_of_real: "ii * complex_of_real r = Complex 0 r".

Instead the reverse direction is supported with
    Complex_eq: "Complex a b = a + \<i> * b"

Moved csqrt from Fundamental_Algebra_Theorem to Complex.

  Renamings:
    Re/Im                  ~>  complex.sel
    complex_Re/Im_zero     ~>  zero_complex.sel
    complex_Re/Im_add      ~>  plus_complex.sel
    complex_Re/Im_minus    ~>  uminus_complex.sel
    complex_Re/Im_diff     ~>  minus_complex.sel
    complex_Re/Im_one      ~>  one_complex.sel
    complex_Re/Im_mult     ~>  times_complex.sel
    complex_Re/Im_inverse  ~>  inverse_complex.sel
    complex_Re/Im_scaleR   ~>  scaleR_complex.sel
    complex_Re/Im_i        ~>  ii.sel
    complex_Re/Im_cnj      ~>  cnj.sel
    Re/Im_cis              ~>  cis.sel

    complex_divide_def   ~>  divide_complex_def
    complex_norm_def     ~>  norm_complex_def
    cmod_def             ~>  norm_complex_de

  Removed theorems:
    complex_zero_def
    complex_add_def
    complex_minus_def
    complex_diff_def
    complex_one_def
    complex_mult_def
    complex_inverse_def
    complex_scaleR_def

INCOMPATIBILITY.

* Theory Lubs moved HOL image to HOL-Library. It is replaced by
Conditionally_Complete_Lattices.  INCOMPATIBILITY.

* HOL-Library: new theory src/HOL/Library/Tree.thy.

* HOL-Library: removed theory src/HOL/Library/Kleene_Algebra.thy; it
is subsumed by session Kleene_Algebra in AFP.

* HOL-Cardinals: new theory src/HOL/Cardinals/Ordinal_Arithmetic.thy.

* HOL-Word: bit representations prefer type bool over type bit.
INCOMPATIBILITY.

* HOL-Word:
  - Abandoned fact collection "word_arith_alts", which is a duplicate
    of "word_arith_wis".
  - Dropped first (duplicated) element in fact collections
    "sint_word_ariths", "word_arith_alts", "uint_word_ariths",
    "uint_word_arith_bintrs".

* HOL-Number_Theory:
  - consolidated the proofs of the binomial theorem
  - the function fib is again of type nat => nat and not overloaded
  - no more references to Old_Number_Theory in the HOL libraries
    (except the AFP)

INCOMPATIBILITY.

* HOL-Multivariate_Analysis:
  - Type class ordered_real_vector for ordered vector spaces.
  - New theory Complex_Basic_Analysis defining complex derivatives,
    holomorphic functions, etc., ported from HOL Light's canal.ml.
  - Changed order of ordered_euclidean_space to be compatible with
    pointwise ordering on products. Therefore instance of
    conditionally_complete_lattice and ordered_real_vector.
    INCOMPATIBILITY: use box instead of greaterThanLessThan or
    explicit set-comprehensions with eucl_less for other (half-)open
    intervals.
  - removed dependencies on type class ordered_euclidean_space with
    introduction of "cbox" on euclidean_space
    - renamed theorems:
        interval ~> box
        mem_interval ~> mem_box
        interval_eq_empty ~> box_eq_empty
        interval_ne_empty ~> box_ne_empty
        interval_sing(1) ~> cbox_sing
        interval_sing(2) ~> box_sing
        subset_interval_imp ~> subset_box_imp
        subset_interval ~> subset_box
        open_interval ~> open_box
        closed_interval ~> closed_cbox
        interior_closed_interval ~> interior_cbox
        bounded_closed_interval ~> bounded_cbox
        compact_interval ~> compact_cbox
        bounded_subset_closed_interval_symmetric ~> bounded_subset_cbox_symmetric
        bounded_subset_closed_interval ~> bounded_subset_cbox
        mem_interval_componentwiseI ~> mem_box_componentwiseI
        convex_box ~> convex_prod
        rel_interior_real_interval ~> rel_interior_real_box
        convex_interval ~> convex_box
        convex_hull_eq_real_interval ~> convex_hull_eq_real_cbox
        frechet_derivative_within_closed_interval ~> frechet_derivative_within_cbox
        content_closed_interval' ~> content_cbox'
        elementary_subset_interval ~> elementary_subset_box
        diameter_closed_interval ~> diameter_cbox
        frontier_closed_interval ~> frontier_cbox
        frontier_open_interval ~> frontier_box
        bounded_subset_open_interval_symmetric ~> bounded_subset_box_symmetric
        closure_open_interval ~> closure_box
        open_closed_interval_convex ~> open_cbox_convex
        open_interval_midpoint ~> box_midpoint
        content_image_affinity_interval ~> content_image_affinity_cbox
        is_interval_interval ~> is_interval_cbox + is_interval_box + is_interval_closed_interval
        bounded_interval ~> bounded_closed_interval + bounded_boxes

    - respective theorems for intervals over the reals:
        content_closed_interval + content_cbox
        has_integral + has_integral_real
        fine_division_exists + fine_division_exists_real
        has_integral_null + has_integral_null_real
        tagged_division_union_interval + tagged_division_union_interval_real
        has_integral_const + has_integral_const_real
        integral_const + integral_const_real
        has_integral_bound + has_integral_bound_real
        integrable_continuous + integrable_continuous_real
        integrable_subinterval + integrable_subinterval_real
        has_integral_reflect_lemma + has_integral_reflect_lemma_real
        integrable_reflect + integrable_reflect_real
        integral_reflect + integral_reflect_real
        image_affinity_interval + image_affinity_cbox
        image_smult_interval + image_smult_cbox
        integrable_const + integrable_const_ivl
        integrable_on_subinterval + integrable_on_subcbox

  - renamed theorems:
    derivative_linear         ~>  has_derivative_bounded_linear
    derivative_is_linear      ~>  has_derivative_linear
    bounded_linear_imp_linear ~>  bounded_linear.linear

* HOL-Probability:
  - replaced the Lebesgue integral on real numbers by the more general
    Bochner integral for functions into a real-normed vector space.

    integral_zero               ~>  integral_zero / integrable_zero
    integral_minus              ~>  integral_minus / integrable_minus
    integral_add                ~>  integral_add / integrable_add
    integral_diff               ~>  integral_diff / integrable_diff
    integral_setsum             ~>  integral_setsum / integrable_setsum
    integral_multc              ~>  integral_mult_left / integrable_mult_left
    integral_cmult              ~>  integral_mult_right / integrable_mult_right
    integral_triangle_inequality~>  integral_norm_bound
    integrable_nonneg           ~>  integrableI_nonneg
    integral_positive           ~>  integral_nonneg_AE
    integrable_abs_iff          ~>  integrable_abs_cancel
    positive_integral_lim_INF   ~>  positive_integral_liminf
    lebesgue_real_affine        ~>  lborel_real_affine
    borel_integral_has_integral ~>  has_integral_lebesgue_integral
    integral_indicator          ~>
         integral_real_indicator / integrable_real_indicator
    positive_integral_fst       ~>  positive_integral_fst'
    positive_integral_fst_measurable ~> positive_integral_fst
    positive_integral_snd_measurable ~> positive_integral_snd

    integrable_fst_measurable   ~>
         integral_fst / integrable_fst / AE_integrable_fst

    integrable_snd_measurable   ~>
         integral_snd / integrable_snd / AE_integrable_snd

    integral_monotone_convergence  ~>
         integral_monotone_convergence / integrable_monotone_convergence

    integral_monotone_convergence_at_top  ~>
         integral_monotone_convergence_at_top /
         integrable_monotone_convergence_at_top

    has_integral_iff_positive_integral_lebesgue  ~>
         has_integral_iff_has_bochner_integral_lebesgue_nonneg

    lebesgue_integral_has_integral  ~>
         has_integral_integrable_lebesgue_nonneg

    positive_integral_lebesgue_has_integral  ~>
         integral_has_integral_lebesgue_nonneg /
         integrable_has_integral_lebesgue_nonneg

    lebesgue_integral_real_affine  ~>
         positive_integral_real_affine

    has_integral_iff_positive_integral_lborel  ~>
         integral_has_integral_nonneg / integrable_has_integral_nonneg

    The following theorems where removed:

    lebesgue_integral_nonneg
    lebesgue_integral_uminus
    lebesgue_integral_cmult
    lebesgue_integral_multc
    lebesgue_integral_cmult_nonneg
    integral_cmul_indicator
    integral_real

  - Renamed positive_integral to nn_integral:

    . Renamed all lemmas "*positive_integral*" to *nn_integral*"
      positive_integral_positive ~> nn_integral_nonneg

    . Renamed abbreviation integral\<^sup>P to integral\<^sup>N.

  - Formalized properties about exponentially, Erlang, and normal
    distributed random variables.

* HOL-Decision_Procs: Separate command 'approximate' for approximative
computation in src/HOL/Decision_Procs/Approximation.  Minor
INCOMPATIBILITY.


*** Scala ***

* The signature and semantics of Document.Snapshot.cumulate_markup /
select_markup have been clarified.  Markup is now traversed in the
order of reports given by the prover: later markup is usually more
specific and may override results accumulated so far.  The elements
guard is mandatory and checked precisely.  Subtle INCOMPATIBILITY.

* Substantial reworking of internal PIDE protocol communication
channels.  INCOMPATIBILITY.


*** ML ***

* Subtle change of semantics of Thm.eq_thm: theory stamps are not
compared (according to Thm.thm_ord), but assumed to be covered by the
current background theory.  Thus equivalent data produced in different
branches of the theory graph usually coincides (e.g. relevant for
theory merge).  Note that the softer Thm.eq_thm_prop is often more
appropriate than Thm.eq_thm.

* Proper context for basic Simplifier operations: rewrite_rule,
rewrite_goals_rule, rewrite_goals_tac etc. INCOMPATIBILITY, need to
pass runtime Proof.context (and ensure that the simplified entity
actually belongs to it).

* Proper context discipline for read_instantiate and instantiate_tac:
variables that are meant to become schematic need to be given as
fixed, and are generalized by the explicit context of local variables.
This corresponds to Isar attributes "where" and "of" with 'for'
declaration.  INCOMPATIBILITY, also due to potential change of indices
of schematic variables.

* Moved ML_Compiler.exn_trace and other operations on exceptions to
structure Runtime.  Minor INCOMPATIBILITY.

* Discontinued old Toplevel.debug in favour of system option
"ML_exception_trace", which may be also declared within the context
via "declare [[ML_exception_trace = true]]".  Minor INCOMPATIBILITY.

* Renamed configuration option "ML_trace" to "ML_source_trace". Minor
INCOMPATIBILITY.

* Configuration option "ML_print_depth" controls the pretty-printing
depth of the ML compiler within the context.  The old print_depth in
ML is still available as default_print_depth, but rarely used.  Minor
INCOMPATIBILITY.

* Toplevel function "use" refers to raw ML bootstrap environment,
without Isar context nor antiquotations.  Potential INCOMPATIBILITY.
Note that 'ML_file' is the canonical command to load ML files into the
formal context.

* Simplified programming interface to define ML antiquotations, see
structure ML_Antiquotation.  Minor INCOMPATIBILITY.

* ML antiquotation @{here} refers to its source position, which is
occasionally useful for experimentation and diagnostic purposes.

* ML antiquotation @{path} produces a Path.T value, similarly to
Path.explode, but with compile-time check against the file-system and
some PIDE markup.  Note that unlike theory source, ML does not have a
well-defined master directory, so an absolute symbolic path
specification is usually required, e.g. "~~/src/HOL".

* ML antiquotation @{print} inlines a function to print an arbitrary
ML value, which is occasionally useful for diagnostic or demonstration
purposes.


*** System ***

* Proof General with its traditional helper scripts is now an optional
Isabelle component, e.g. see ProofGeneral-4.2-2 from the Isabelle
component repository http://isabelle.in.tum.de/components/.  Note that
the "system" manual provides general explanations about add-on
components, especially those that are not bundled with the release.

* The raw Isabelle process executable has been renamed from
"isabelle-process" to "isabelle_process", which conforms to common
shell naming conventions, and allows to define a shell function within
the Isabelle environment to avoid dynamic path lookup.  Rare
incompatibility for old tools that do not use the ISABELLE_PROCESS
settings variable.

* Former "isabelle tty" has been superseded by "isabelle console",
with implicit build like "isabelle jedit", and without the mostly
obsolete Isar TTY loop.

* Simplified "isabelle display" tool.  Settings variables DVI_VIEWER
and PDF_VIEWER now refer to the actual programs, not shell
command-lines.  Discontinued option -c: invocation may be asynchronous
via desktop environment, without any special precautions.  Potential
INCOMPATIBILITY with ambitious private settings.

* Removed obsolete "isabelle unsymbolize".  Note that the usual format
for email communication is the Unicode rendering of Isabelle symbols,
as produced by Isabelle/jEdit, for example.

* Removed obsolete tool "wwwfind". Similar functionality may be
integrated into Isabelle/jEdit eventually.

* Improved 'display_drafts' concerning desktop integration and
repeated invocation in PIDE front-end: re-use single file
$ISABELLE_HOME_USER/tmp/drafts.pdf and corresponding views.

* Session ROOT specifications require explicit 'document_files' for
robust dependencies on LaTeX sources.  Only these explicitly given
files are copied to the document output directory, before document
processing is started.

* Windows: support for regular TeX installation (e.g. MiKTeX) instead
of TeX Live from Cygwin.


New in Isabelle2013-2 (December 2013)
-------------------------------------

*** Prover IDE -- Isabelle/Scala/jEdit ***

* More robust editing of running commands with internal forks,
e.g. non-terminating 'by' steps.

* More relaxed Sledgehammer panel: avoid repeated application of query
after edits surrounding the command location.

* More status information about commands that are interrupted
accidentally (via physical event or Poly/ML runtime system signal,
e.g. out-of-memory).


*** System ***

* More robust termination of external processes managed by
Isabelle/ML: support cancellation of tasks within the range of
milliseconds, as required for PIDE document editing with automatically
tried tools (e.g. Sledgehammer).

* Reactivated Isabelle/Scala kill command for external processes on
Mac OS X, which was accidentally broken in Isabelle2013-1 due to a
workaround for some Debian/Ubuntu Linux versions from 2013.


New in Isabelle2013-1 (November 2013)
-------------------------------------

*** General ***

* Discontinued obsolete 'uses' within theory header.  Note that
commands like 'ML_file' work without separate declaration of file
dependencies.  Minor INCOMPATIBILITY.

* Discontinued redundant 'use' command, which was superseded by
'ML_file' in Isabelle2013.  Minor INCOMPATIBILITY.

* Simplified subscripts within identifiers, using plain \<^sub>
instead of the second copy \<^isub> and \<^isup>.  Superscripts are
only for literal tokens within notation; explicit mixfix annotations
for consts or fixed variables may be used as fall-back for unusual
names.  Obsolete \<twosuperior> has been expanded to \<^sup>2 in
Isabelle/HOL.  INCOMPATIBILITY, use "isabelle update_sub_sup" to
standardize symbols as a starting point for further manual cleanup.
The ML reference variable "legacy_isub_isup" may be set as temporary
workaround, to make the prover accept a subset of the old identifier
syntax.

* Document antiquotations: term style "isub" has been renamed to
"sub".  Minor INCOMPATIBILITY.

* Uniform management of "quick_and_dirty" as system option (see also
"isabelle options"), configuration option within the context (see also
Config.get in Isabelle/ML), and attribute in Isabelle/Isar.  Minor
INCOMPATIBILITY, need to use more official Isabelle means to access
quick_and_dirty, instead of historical poking into mutable reference.

* Renamed command 'print_configs' to 'print_options'.  Minor
INCOMPATIBILITY.

* Proper diagnostic command 'print_state'.  Old 'pr' (with its
implicit change of some global references) is retained for now as
control command, e.g. for ProofGeneral 3.7.x.

* Discontinued 'print_drafts' command with its old-fashioned PS output
and Unix command-line print spooling.  Minor INCOMPATIBILITY: use
'display_drafts' instead and print via the regular document viewer.

* Updated and extended "isar-ref" and "implementation" manual,
eliminated old "ref" manual.


*** Prover IDE -- Isabelle/Scala/jEdit ***

* New manual "jedit" for Isabelle/jEdit, see isabelle doc or
Documentation panel.

* Dockable window "Documentation" provides access to Isabelle
documentation.

* Dockable window "Find" provides query operations for formal entities
(GUI front-end to 'find_theorems' command).

* Dockable window "Sledgehammer" manages asynchronous / parallel
sledgehammer runs over existing document sources, independently of
normal editing and checking process.

* Dockable window "Timing" provides an overview of relevant command
timing information, depending on option jedit_timing_threshold.  The
same timing information is shown in the extended tooltip of the
command keyword, when hovering the mouse over it while the CONTROL or
COMMAND modifier is pressed.

* Improved dockable window "Theories": Continuous checking of proof
document (visible and required parts) may be controlled explicitly,
using check box or shortcut "C+e ENTER".  Individual theory nodes may
be marked explicitly as required and checked in full, using check box
or shortcut "C+e SPACE".

* Improved completion mechanism, which is now managed by the
Isabelle/jEdit plugin instead of SideKick.  Refined table of Isabelle
symbol abbreviations (see $ISABELLE_HOME/etc/symbols).

* Standard jEdit keyboard shortcut C+b complete-word is remapped to
isabelle.complete for explicit completion in Isabelle sources.
INCOMPATIBILITY wrt. jEdit defaults, may have to invent new shortcuts
to resolve conflict.

* Improved support of various "minor modes" for Isabelle NEWS,
options, session ROOT etc., with completion and SideKick tree view.

* Strictly monotonic document update, without premature cancellation of
running transactions that are still needed: avoid reset/restart of
such command executions while editing.

* Support for asynchronous print functions, as overlay to existing
document content.

* Support for automatic tools in HOL, which try to prove or disprove
toplevel theorem statements.

* Action isabelle.reset-font-size resets main text area font size
according to Isabelle/Scala plugin option "jedit_font_reset_size" (see
also "Plugin Options / Isabelle / General").  It can be bound to some
keyboard shortcut by the user (e.g. C+0 and/or C+NUMPAD0).

* File specifications in jEdit (e.g. file browser) may refer to
$ISABELLE_HOME and $ISABELLE_HOME_USER on all platforms.  Discontinued
obsolete $ISABELLE_HOME_WINDOWS variable.

* Improved support for Linux look-and-feel "GTK+", see also "Utilities
/ Global Options / Appearance".

* Improved support of native Mac OS X functionality via "MacOSX"
plugin, which is now enabled by default.


*** Pure ***

* Commands 'interpretation' and 'sublocale' are now target-sensitive.
In particular, 'interpretation' allows for non-persistent
interpretation within "context ... begin ... end" blocks offering a
light-weight alternative to 'sublocale'.  See "isar-ref" manual for
details.

* Improved locales diagnostic command 'print_dependencies'.

* Discontinued obsolete 'axioms' command, which has been marked as
legacy since Isabelle2009-2.  INCOMPATIBILITY, use 'axiomatization'
instead, while observing its uniform scope for polymorphism.

* Discontinued empty name bindings in 'axiomatization'.
INCOMPATIBILITY.

* System option "proofs" has been discontinued.  Instead the global
state of Proofterm.proofs is persistently compiled into logic images
as required, notably HOL-Proofs.  Users no longer need to change
Proofterm.proofs dynamically.  Minor INCOMPATIBILITY.

* Syntax translation functions (print_translation etc.) always depend
on Proof.context.  Discontinued former "(advanced)" option -- this is
now the default.  Minor INCOMPATIBILITY.

* Former global reference trace_unify_fail is now available as
configuration option "unify_trace_failure" (global context only).

* SELECT_GOAL now retains the syntactic context of the overall goal
state (schematic variables etc.).  Potential INCOMPATIBILITY in rare
situations.


*** HOL ***

* Stronger precedence of syntax for big intersection and union on
sets, in accordance with corresponding lattice operations.
INCOMPATIBILITY.

* Notation "{p:A. P}" now allows tuple patterns as well.

* Nested case expressions are now translated in a separate check phase
rather than during parsing. The data for case combinators is separated
from the datatype package. The declaration attribute
"case_translation" can be used to register new case combinators:

  declare [[case_translation case_combinator constructor1 ... constructorN]]

* Code generator:
  - 'code_printing' unifies 'code_const' / 'code_type' / 'code_class' /
    'code_instance'.
  - 'code_identifier' declares name hints for arbitrary identifiers in
    generated code, subsuming 'code_modulename'.

See the isar-ref manual for syntax diagrams, and the HOL theories for
examples.

* Attibute 'code': 'code' now declares concrete and abstract code
equations uniformly.  Use explicit 'code equation' and 'code abstract'
to distinguish both when desired.

* Discontinued theories Code_Integer and Efficient_Nat by a more
fine-grain stack of theories Code_Target_Int, Code_Binary_Nat,
Code_Target_Nat and Code_Target_Numeral.  See the tutorial on code
generation for details.  INCOMPATIBILITY.

* Numeric types are mapped by default to target language numerals:
natural (replaces former code_numeral) and integer (replaces former
code_int).  Conversions are available as integer_of_natural /
natural_of_integer / integer_of_nat / nat_of_integer (in HOL) and
Code_Numeral.integer_of_natural / Code_Numeral.natural_of_integer (in
ML).  INCOMPATIBILITY.

* Function package: For mutually recursive functions f and g, separate
cases rules f.cases and g.cases are generated instead of unusable
f_g.cases which exposed internal sum types. Potential INCOMPATIBILITY,
in the case that the unusable rule was used nevertheless.

* Function package: For each function f, new rules f.elims are
generated, which eliminate equalities of the form "f x = t".

* New command 'fun_cases' derives ad-hoc elimination rules for
function equations as simplified instances of f.elims, analogous to
inductive_cases.  See ~~/src/HOL/ex/Fundefs.thy for some examples.

* Lifting:
  - parametrized correspondence relations are now supported:
    + parametricity theorems for the raw term can be specified in
      the command lift_definition, which allow us to generate stronger
      transfer rules
    + setup_lifting generates stronger transfer rules if parametric
      correspondence relation can be generated
    + various new properties of the relator must be specified to support
      parametricity
    + parametricity theorem for the Quotient relation can be specified
  - setup_lifting generates domain rules for the Transfer package
  - stronger reflexivity prover of respectfulness theorems for type
    copies
  - ===> and --> are now local. The symbols can be introduced
    by interpreting the locale lifting_syntax (typically in an
    anonymous context)
  - Lifting/Transfer relevant parts of Library/Quotient_* are now in
    Main. Potential INCOMPATIBILITY
  - new commands for restoring and deleting Lifting/Transfer context:
    lifting_forget, lifting_update
  - the command print_quotmaps was renamed to print_quot_maps.
    INCOMPATIBILITY

* Transfer:
  - better support for domains in Transfer: replace Domainp T
    by the actual invariant in a transferred goal
  - transfer rules can have as assumptions other transfer rules
  - Experimental support for transferring from the raw level to the
    abstract level: Transfer.transferred attribute
  - Attribute version of the transfer method: untransferred attribute

* Reification and reflection:
  - Reification is now directly available in HOL-Main in structure
    "Reification".
  - Reflection now handles multiple lists with variables also.
  - The whole reflection stack has been decomposed into conversions.
INCOMPATIBILITY.

* Revised devices for recursive definitions over finite sets:
  - Only one fundamental fold combinator on finite set remains:
    Finite_Set.fold :: ('a => 'b => 'b) => 'b => 'a set => 'b
    This is now identity on infinite sets.
  - Locales ("mini packages") for fundamental definitions with
    Finite_Set.fold: folding, folding_idem.
  - Locales comm_monoid_set, semilattice_order_set and
    semilattice_neutr_order_set for big operators on sets.
    See theory Big_Operators for canonical examples.
    Note that foundational constants comm_monoid_set.F and
    semilattice_set.F correspond to former combinators fold_image
    and fold1 respectively.  These are now gone.  You may use
    those foundational constants as substitutes, but it is
    preferable to interpret the above locales accordingly.
  - Dropped class ab_semigroup_idem_mult (special case of lattice,
    no longer needed in connection with Finite_Set.fold etc.)
  - Fact renames:
      card.union_inter ~> card_Un_Int [symmetric]
      card.union_disjoint ~> card_Un_disjoint
INCOMPATIBILITY.

* Locale hierarchy for abstract orderings and (semi)lattices.

* Complete_Partial_Order.admissible is defined outside the type class
ccpo, but with mandatory prefix ccpo. Admissibility theorems lose the
class predicate assumption or sort constraint when possible.
INCOMPATIBILITY.

* Introduce type class "conditionally_complete_lattice": Like a
complete lattice but does not assume the existence of the top and
bottom elements.  Allows to generalize some lemmas about reals and
extended reals.  Removed SupInf and replaced it by the instantiation
of conditionally_complete_lattice for real. Renamed lemmas about
conditionally-complete lattice from Sup_... to cSup_... and from
Inf_...  to cInf_... to avoid hidding of similar complete lattice
lemmas.

* Introduce type class linear_continuum as combination of
conditionally-complete lattices and inner dense linorders which have
more than one element.  INCOMPATIBILITY.

* Introduced type classes order_top and order_bot. The old classes top
and bot only contain the syntax without assumptions.  INCOMPATIBILITY:
Rename bot -> order_bot, top -> order_top

* Introduce type classes "no_top" and "no_bot" for orderings without
top and bottom elements.

* Split dense_linorder into inner_dense_order and no_top, no_bot.

* Complex_Main: Unify and move various concepts from
HOL-Multivariate_Analysis to HOL-Complex_Main.

 - Introduce type class (lin)order_topology and
   linear_continuum_topology.  Allows to generalize theorems about
   limits and order.  Instances are reals and extended reals.

 - continuous and continuos_on from Multivariate_Analysis:
   "continuous" is the continuity of a function at a filter.  "isCont"
   is now an abbrevitation: "isCont x f == continuous (at _) f".

   Generalized continuity lemmas from isCont to continuous on an
   arbitrary filter.

 - compact from Multivariate_Analysis. Use Bolzano's lemma to prove
   compactness of closed intervals on reals. Continuous functions
   attain infimum and supremum on compact sets. The inverse of a
   continuous function is continuous, when the function is continuous
   on a compact set.

 - connected from Multivariate_Analysis. Use it to prove the
   intermediate value theorem. Show connectedness of intervals on
   linear_continuum_topology).

 - first_countable_topology from Multivariate_Analysis. Is used to
   show equivalence of properties on the neighbourhood filter of x and
   on all sequences converging to x.

 - FDERIV: Definition of has_derivative moved to Deriv.thy. Moved
   theorems from Library/FDERIV.thy to Deriv.thy and base the
   definition of DERIV on FDERIV. Add variants of DERIV and FDERIV
   which are restricted to sets, i.e. to represent derivatives from
   left or right.

 - Removed the within-filter. It is replaced by the principal filter:

     F within X = inf F (principal X)

 - Introduce "at x within U" as a single constant, "at x" is now an
   abbreviation for "at x within UNIV"

 - Introduce named theorem collections tendsto_intros,
   continuous_intros, continuous_on_intros and FDERIV_intros. Theorems
   in tendsto_intros (or FDERIV_intros) are also available as
   tendsto_eq_intros (or FDERIV_eq_intros) where the right-hand side
   is replaced by a congruence rule. This allows to apply them as
   intro rules and then proving equivalence by the simplifier.

 - Restructured theories in HOL-Complex_Main:

   + Moved RealDef and RComplete into Real

   + Introduced Topological_Spaces and moved theorems about
     topological spaces, filters, limits and continuity to it

   + Renamed RealVector to Real_Vector_Spaces

   + Split Lim, SEQ, Series into Topological_Spaces,
     Real_Vector_Spaces, and Limits

   + Moved Ln and Log to Transcendental

   + Moved theorems about continuity from Deriv to Topological_Spaces

 - Remove various auxiliary lemmas.

INCOMPATIBILITY.

* Nitpick:
  - Added option "spy".
  - Reduce incidence of "too high arity" errors.

* Sledgehammer:
  - Renamed option:
      isar_shrink ~> isar_compress
    INCOMPATIBILITY.
  - Added options "isar_try0", "spy".
  - Better support for "isar_proofs".
  - MaSh has been fined-tuned and now runs as a local server.

* Improved support for ad hoc overloading of constants (see also
isar-ref manual and ~~/src/HOL/ex/Adhoc_Overloading_Examples.thy).

* Library/Polynomial.thy:
  - Use lifting for primitive definitions.
  - Explicit conversions from and to lists of coefficients, used for
    generated code.
  - Replaced recursion operator poly_rec by fold_coeffs.
  - Prefer pre-existing gcd operation for gcd.
  - Fact renames:
    poly_eq_iff ~> poly_eq_poly_eq_iff
    poly_ext ~> poly_eqI
    expand_poly_eq ~> poly_eq_iff
IMCOMPATIBILITY.

* New Library/Simps_Case_Conv.thy: Provides commands simps_of_case and
case_of_simps to convert function definitions between a list of
equations with patterns on the lhs and a single equation with case
expressions on the rhs. See also Ex/Simps_Case_Conv_Examples.thy.

* New Library/FSet.thy: type of finite sets defined as a subtype of
sets defined by Lifting/Transfer.

* Discontinued theory src/HOL/Library/Eval_Witness.  INCOMPATIBILITY.

* Consolidation of library theories on product orders:

    Product_Lattice ~> Product_Order -- pointwise order on products
    Product_ord ~> Product_Lexorder -- lexicographic order on products

INCOMPATIBILITY.

* Imperative-HOL: The MREC combinator is considered legacy and no
longer included by default. INCOMPATIBILITY, use partial_function
instead, or import theory Legacy_Mrec as a fallback.

* HOL-Algebra: Discontinued theories ~~/src/HOL/Algebra/abstract and
~~/src/HOL/Algebra/poly.  Existing theories should be based on
~~/src/HOL/Library/Polynomial instead.  The latter provides
integration with HOL's type classes for rings.  INCOMPATIBILITY.

* HOL-BNF:
  - Various improvements to BNF-based (co)datatype package, including
    new commands "primrec_new", "primcorec", and
    "datatype_new_compat", as well as documentation. See
    "datatypes.pdf" for details.
  - New "coinduction" method to avoid some boilerplate (compared to
    coinduct).
  - Renamed keywords:
    data ~> datatype_new
    codata ~> codatatype
    bnf_def ~> bnf
  - Renamed many generated theorems, including
    discs ~> disc
    map_comp' ~> map_comp
    map_id' ~> map_id
    sels ~> sel
    set_map' ~> set_map
    sets ~> set
IMCOMPATIBILITY.


*** ML ***

* Spec_Check is a Quickcheck tool for Isabelle/ML.  The ML function
"check_property" allows to check specifications of the form "ALL x y
z. prop x y z".  See also ~~/src/Tools/Spec_Check/ with its
Examples.thy in particular.

* Improved printing of exception trace in Poly/ML 5.5.1, with regular
tracing output in the command transaction context instead of physical
stdout.  See also Toplevel.debug, Toplevel.debugging and
ML_Compiler.exn_trace.

* ML type "theory" is now immutable, without any special treatment of
drafts or linear updates (which could lead to "stale theory" errors in
the past).  Discontinued obsolete operations like Theory.copy,
Theory.checkpoint, and the auxiliary type theory_ref.  Minor
INCOMPATIBILITY.

* More uniform naming of goal functions for skipped proofs:

    Skip_Proof.prove  ~>  Goal.prove_sorry
    Skip_Proof.prove_global  ~>  Goal.prove_sorry_global

Minor INCOMPATIBILITY.

* Simplifier tactics and tools use proper Proof.context instead of
historic type simpset.  Old-style declarations like addsimps,
addsimprocs etc. operate directly on Proof.context.  Raw type simpset
retains its use as snapshot of the main Simplifier context, using
simpset_of and put_simpset on Proof.context.  INCOMPATIBILITY -- port
old tools by making them depend on (ctxt : Proof.context) instead of
(ss : simpset), then turn (simpset_of ctxt) into ctxt.

* Modifiers for classical wrappers (e.g. addWrapper, delWrapper)
operate on Proof.context instead of claset, for uniformity with addIs,
addEs, addDs etc. Note that claset_of and put_claset allow to manage
clasets separately from the context.

* Discontinued obsolete ML antiquotations @{claset} and @{simpset}.
INCOMPATIBILITY, use @{context} instead.

* Antiquotation @{theory_context A} is similar to @{theory A}, but
presents the result as initial Proof.context.


*** System ***

* Discontinued obsolete isabelle usedir, mkdir, make -- superseded by
"isabelle build" in Isabelle2013.  INCOMPATIBILITY.

* Discontinued obsolete isabelle-process options -f and -u (former
administrative aliases of option -e).  Minor INCOMPATIBILITY.

* Discontinued obsolete isabelle print tool, and PRINT_COMMAND
settings variable.

* Discontinued ISABELLE_DOC_FORMAT settings variable and historic
document formats: dvi.gz, ps, ps.gz -- the default document format is
always pdf.

* Isabelle settings variable ISABELLE_BUILD_JAVA_OPTIONS allows to
specify global resources of the JVM process run by isabelle build.

* Toplevel executable $ISABELLE_HOME/bin/isabelle_scala_script allows
to run Isabelle/Scala source files as standalone programs.

* Improved "isabelle keywords" tool (for old-style ProofGeneral
keyword tables): use Isabelle/Scala operations, which inspect outer
syntax without requiring to build sessions first.

* Sessions may be organized via 'chapter' specifications in the ROOT
file, which determines a two-level hierarchy of browser info.  The old
tree-like organization via implicit sub-session relation (with its
tendency towards erratic fluctuation of URLs) has been discontinued.
The default chapter is called "Unsorted".  Potential INCOMPATIBILITY
for HTML presentation of theories.


New in Isabelle2013 (February 2013)
-----------------------------------

*** General ***

* Theorem status about oracles and unfinished/failed future proofs is
no longer printed by default, since it is incompatible with
incremental / parallel checking of the persistent document model.  ML
function Thm.peek_status may be used to inspect a snapshot of the
ongoing evaluation process.  Note that in batch mode --- notably
isabelle build --- the system ensures that future proofs of all
accessible theorems in the theory context are finished (as before).

* Configuration option show_markup controls direct inlining of markup
into the printed representation of formal entities --- notably type
and sort constraints.  This enables Prover IDE users to retrieve that
information via tooltips in the output window, for example.

* Command 'ML_file' evaluates ML text from a file directly within the
theory, without any predeclaration via 'uses' in the theory header.

* Old command 'use' command and corresponding keyword 'uses' in the
theory header are legacy features and will be discontinued soon.
Tools that load their additional source files may imitate the
'ML_file' implementation, such that the system can take care of
dependencies properly.

* Discontinued obsolete method fastsimp / tactic fast_simp_tac, which
is called fastforce / fast_force_tac already since Isabelle2011-1.

* Updated and extended "isar-ref" and "implementation" manual, reduced
remaining material in old "ref" manual.

* Improved support for auxiliary contexts that indicate block structure
for specifications.  Nesting of "context fixes ... context assumes ..."
and "class ... context ...".

* Attribute "consumes" allows a negative value as well, which is
interpreted relatively to the total number of premises of the rule in
the target context.  This form of declaration is stable when exported
from a nested 'context' with additional assumptions.  It is the
preferred form for definitional packages, notably cases/rules produced
in HOL/inductive and HOL/function.

* More informative error messages for Isar proof commands involving
lazy enumerations (method applications etc.).

* Refined 'help' command to retrieve outer syntax commands according
to name patterns (with clickable results).


*** Prover IDE -- Isabelle/Scala/jEdit ***

* Parallel terminal proofs ('by') are enabled by default, likewise
proofs that are built into packages like 'datatype', 'function'.  This
allows to "run ahead" checking the theory specifications on the
surface, while the prover is still crunching on internal
justifications.  Unfinished / cancelled proofs are restarted as
required to complete full proof checking eventually.

* Improved output panel with tooltips, hyperlinks etc. based on the
same Rich_Text_Area as regular Isabelle/jEdit buffers.  Activation of
tooltips leads to some window that supports the same recursively,
which can lead to stacks of tooltips as the semantic document content
is explored.  ESCAPE closes the whole stack, individual windows may be
closed separately, or detached to become independent jEdit dockables.

* Improved support for commands that produce graph output: the text
message contains a clickable area to open a new instance of the graph
browser on demand.

* More robust incremental parsing of outer syntax (partial comments,
malformed symbols).  Changing the balance of open/close quotes and
comment delimiters works more conveniently with unfinished situations
that frequently occur in user interaction.

* More efficient painting and improved reactivity when editing large
files.  More scalable management of formal document content.

* Smarter handling of tracing messages: prover process pauses after
certain number of messages per command transaction, with some user
dialog to stop or continue.  This avoids swamping the front-end with
potentially infinite message streams.

* More plugin options and preferences, based on Isabelle/Scala.  The
jEdit plugin option panel provides access to some Isabelle/Scala
options, including tuning parameters for editor reactivity and color
schemes.

* Dockable window "Symbols" provides some editing support for Isabelle
symbols.

* Dockable window "Monitor" shows ML runtime statistics.  Note that
continuous display of the chart slows down the system.

* Improved editing support for control styles: subscript, superscript,
bold, reset of style -- operating on single symbols or text
selections.  Cf. keyboard shortcuts C+e DOWN/UP/RIGHT/LEFT.

* Actions isabelle.increase-font-size and isabelle.decrease-font-size
adjust the main text area font size, and its derivatives for output,
tooltips etc.  Cf. keyboard shortcuts C-PLUS and C-MINUS, which often
need to be adapted to local keyboard layouts.

* More reactive completion popup by default: use \t (TAB) instead of
\n (NEWLINE) to minimize intrusion into regular flow of editing.  See
also "Plugin Options / SideKick / General / Code Completion Options".

* Implicit check and build dialog of the specified logic session
image.  For example, HOL, HOLCF, HOL-Nominal can be produced on
demand, without bundling big platform-dependent heap images in the
Isabelle distribution.

* Uniform Java 7 platform on Linux, Mac OS X, Windows: recent updates
from Oracle provide better multi-platform experience.  This version is
now bundled exclusively with Isabelle.


*** Pure ***

* Code generation for Haskell: restrict unqualified imports from
Haskell Prelude to a small set of fundamental operations.

* Command 'export_code': relative file names are interpreted
relatively to master directory of current theory rather than the
rather arbitrary current working directory.  INCOMPATIBILITY.

* Discontinued obsolete attribute "COMP".  Potential INCOMPATIBILITY,
use regular rule composition via "OF" / "THEN", or explicit proof
structure instead.  Note that Isabelle/ML provides a variety of
operators like COMP, INCR_COMP, COMP_INCR, which need to be applied
with some care where this is really required.

* Command 'typ' supports an additional variant with explicit sort
constraint, to infer and check the most general type conforming to a
given sort.  Example (in HOL):

  typ "_ * _ * bool * unit" :: finite

* Command 'locale_deps' visualizes all locales and their relations as
a Hasse diagram.


*** HOL ***

* Sledgehammer:

  - Added MaSh relevance filter based on machine-learning; see the
    Sledgehammer manual for details.
  - Polished Isar proofs generated with "isar_proofs" option.
  - Rationalized type encodings ("type_enc" option).
  - Renamed "kill_provers" subcommand to "kill_all".
  - Renamed options:
      isar_proof ~> isar_proofs
      isar_shrink_factor ~> isar_shrink
      max_relevant ~> max_facts
      relevance_thresholds ~> fact_thresholds

* Quickcheck: added an optimisation for equality premises.  It is
switched on by default, and can be switched off by setting the
configuration quickcheck_optimise_equality to false.

* Quotient: only one quotient can be defined by quotient_type
INCOMPATIBILITY.

* Lifting:
  - generation of an abstraction function equation in lift_definition
  - quot_del attribute
  - renamed no_abs_code -> no_code (INCOMPATIBILITY.)

* Simproc "finite_Collect" rewrites set comprehensions into pointfree
expressions.

* Preprocessing of the code generator rewrites set comprehensions into
pointfree expressions.

* The SMT solver Z3 has now by default a restricted set of directly
supported features. For the full set of features (div/mod, nonlinear
arithmetic, datatypes/records) with potential proof reconstruction
failures, enable the configuration option "z3_with_extensions".  Minor
INCOMPATIBILITY.

* Simplified 'typedef' specifications: historical options for implicit
set definition and alternative name have been discontinued.  The
former behavior of "typedef (open) t = A" is now the default, but
written just "typedef t = A".  INCOMPATIBILITY, need to adapt theories
accordingly.

* Removed constant "chars"; prefer "Enum.enum" on type "char"
directly.  INCOMPATIBILITY.

* Moved operation product, sublists and n_lists from theory Enum to
List.  INCOMPATIBILITY.

* Theorem UN_o generalized to SUP_comp.  INCOMPATIBILITY.

* Class "comm_monoid_diff" formalises properties of bounded
subtraction, with natural numbers and multisets as typical instances.

* Added combinator "Option.these" with type "'a option set => 'a set".

* Theory "Transitive_Closure": renamed lemmas

  reflcl_tranclp -> reflclp_tranclp
  rtranclp_reflcl -> rtranclp_reflclp

INCOMPATIBILITY.

* Theory "Rings": renamed lemmas (in class semiring)

  left_distrib ~> distrib_right
  right_distrib ~> distrib_left

INCOMPATIBILITY.

* Generalized the definition of limits:

  - Introduced the predicate filterlim (LIM x F. f x :> G) which
    expresses that when the input values x converge to F then the
    output f x converges to G.

  - Added filters for convergence to positive (at_top) and negative
    infinity (at_bot).

  - Moved infinity in the norm (at_infinity) from
    Multivariate_Analysis to Complex_Main.

  - Removed real_tendsto_inf, it is superseded by "LIM x F. f x :>
    at_top".

INCOMPATIBILITY.

* Theory "Library/Option_ord" provides instantiation of option type to
lattice type classes.

* Theory "Library/Multiset": renamed

    constant fold_mset ~> Multiset.fold
    fact fold_mset_commute ~> fold_mset_comm

INCOMPATIBILITY.

* Renamed theory Library/List_Prefix to Library/Sublist, with related
changes as follows.

  - Renamed constants (and related lemmas)

      prefix ~> prefixeq
      strict_prefix ~> prefix

  - Replaced constant "postfix" by "suffixeq" with swapped argument
    order (i.e., "postfix xs ys" is now "suffixeq ys xs") and dropped
    old infix syntax "xs >>= ys"; use "suffixeq ys xs" instead.
    Renamed lemmas accordingly.

  - Added constant "list_hembeq" for homeomorphic embedding on
    lists. Added abbreviation "sublisteq" for special case
    "list_hembeq (op =)".

  - Theory Library/Sublist no longer provides "order" and "bot" type
    class instances for the prefix order (merely corresponding locale
    interpretations). The type class instances are now in theory
    Library/Prefix_Order.

  - The sublist relation of theory Library/Sublist_Order is now based
    on "Sublist.sublisteq".  Renamed lemmas accordingly:

      le_list_append_le_same_iff ~> Sublist.sublisteq_append_le_same_iff
      le_list_append_mono ~> Sublist.list_hembeq_append_mono
      le_list_below_empty ~> Sublist.list_hembeq_Nil, Sublist.list_hembeq_Nil2
      le_list_Cons_EX ~> Sublist.list_hembeq_ConsD
      le_list_drop_Cons2 ~> Sublist.sublisteq_Cons2'
      le_list_drop_Cons_neq ~> Sublist.sublisteq_Cons2_neq
      le_list_drop_Cons ~> Sublist.sublisteq_Cons'
      le_list_drop_many ~> Sublist.sublisteq_drop_many
      le_list_filter_left ~> Sublist.sublisteq_filter_left
      le_list_rev_drop_many ~> Sublist.sublisteq_rev_drop_many
      le_list_rev_take_iff ~> Sublist.sublisteq_append
      le_list_same_length ~> Sublist.sublisteq_same_length
      le_list_take_many_iff ~> Sublist.sublisteq_append'
      less_eq_list.drop ~> less_eq_list_drop
      less_eq_list.induct ~> less_eq_list_induct
      not_le_list_length ~> Sublist.not_sublisteq_length

INCOMPATIBILITY.

* New theory Library/Countable_Set.

* Theory Library/Debug and Library/Parallel provide debugging and
parallel execution for code generated towards Isabelle/ML.

* Theory Library/FuncSet: Extended support for Pi and extensional and
introduce the extensional dependent function space "PiE". Replaced
extensional_funcset by an abbreviation, and renamed lemmas from
extensional_funcset to PiE as follows:

  extensional_empty  ~>  PiE_empty
  extensional_funcset_empty_domain  ~>  PiE_empty_domain
  extensional_funcset_empty_range  ~>  PiE_empty_range
  extensional_funcset_arb  ~>  PiE_arb
  extensional_funcset_mem  ~>  PiE_mem
  extensional_funcset_extend_domainI  ~>  PiE_fun_upd
  extensional_funcset_restrict_domain  ~>  fun_upd_in_PiE
  extensional_funcset_extend_domain_eq  ~>  PiE_insert_eq
  card_extensional_funcset  ~>  card_PiE
  finite_extensional_funcset  ~>  finite_PiE

INCOMPATIBILITY.

* Theory Library/FinFun: theory of almost everywhere constant
functions (supersedes the AFP entry "Code Generation for Functions as
Data").

* Theory Library/Phantom: generic phantom type to make a type
parameter appear in a constant's type.  This alternative to adding
TYPE('a) as another parameter avoids unnecessary closures in generated
code.

* Theory Library/RBT_Impl: efficient construction of red-black trees
from sorted associative lists. Merging two trees with rbt_union may
return a structurally different tree than before.  Potential
INCOMPATIBILITY.

* Theory Library/IArray: immutable arrays with code generation.

* Theory Library/Finite_Lattice: theory of finite lattices.

* HOL/Multivariate_Analysis: replaced

  "basis :: 'a::euclidean_space => nat => real"
  "\<Chi>\<Chi> :: (nat => real) => 'a::euclidean_space"

on euclidean spaces by using the inner product "_ \<bullet> _" with
vectors from the Basis set: "\<Chi>\<Chi> i. f i" is superseded by
"SUM i : Basis. f i * r i".

  With this change the following constants are also changed or removed:

    DIM('a) :: nat  ~>  card (Basis :: 'a set)   (is an abbreviation)
    a $$ i  ~>  inner a i  (where i : Basis)
    cart_base i  removed
    \<pi>, \<pi>'  removed

  Theorems about these constants where removed.

  Renamed lemmas:

    component_le_norm  ~>  Basis_le_norm
    euclidean_eq  ~>  euclidean_eq_iff
    differential_zero_maxmin_component  ~>  differential_zero_maxmin_cart
    euclidean_simps  ~>  inner_simps
    independent_basis  ~>  independent_Basis
    span_basis  ~>  span_Basis
    in_span_basis  ~>  in_span_Basis
    norm_bound_component_le  ~>  norm_boound_Basis_le
    norm_bound_component_lt  ~>  norm_boound_Basis_lt
    component_le_infnorm  ~>  Basis_le_infnorm

INCOMPATIBILITY.

* HOL/Probability:

  - Added simproc "measurable" to automatically prove measurability.

  - Added induction rules for sigma sets with disjoint union
    (sigma_sets_induct_disjoint) and for Borel-measurable functions
    (borel_measurable_induct).

  - Added the Daniell-Kolmogorov theorem (the existence the limit of a
    projective family).

* HOL/Cardinals: Theories of ordinals and cardinals (supersedes the
AFP entry "Ordinals_and_Cardinals").

* HOL/BNF: New (co)datatype package based on bounded natural functors
with support for mixed, nested recursion and interesting non-free
datatypes.

* HOL/Finite_Set and Relation: added new set and relation operations
expressed by Finite_Set.fold.

* New theory HOL/Library/RBT_Set: implementation of sets by red-black
trees for the code generator.

* HOL/Library/RBT and HOL/Library/Mapping have been converted to
Lifting/Transfer.
possible INCOMPATIBILITY.

* HOL/Set: renamed Set.project -> Set.filter
INCOMPATIBILITY.


*** Document preparation ***

* Dropped legacy antiquotations "term_style" and "thm_style", since
styles may be given as arguments to "term" and "thm" already.
Discontinued legacy styles "prem1" .. "prem19".

* Default LaTeX rendering for \<euro> is now based on eurosym package,
instead of slightly exotic babel/greek.

* Document variant NAME may use different LaTeX entry point
document/root_NAME.tex if that file exists, instead of the common
document/root.tex.

* Simplified custom document/build script, instead of old-style
document/IsaMakefile.  Minor INCOMPATIBILITY.


*** ML ***

* The default limit for maximum number of worker threads is now 8,
instead of 4, in correspondence to capabilities of contemporary
hardware and Poly/ML runtime system.

* Type Seq.results and related operations support embedded error
messages within lazy enumerations, and thus allow to provide
informative errors in the absence of any usable results.

* Renamed Position.str_of to Position.here to emphasize that this is a
formal device to inline positions into message text, but not
necessarily printing visible text.


*** System ***

* Advanced support for Isabelle sessions and build management, see
"system" manual for the chapter of that name, especially the "isabelle
build" tool and its examples.  The "isabelle mkroot" tool prepares
session root directories for use with "isabelle build", similar to
former "isabelle mkdir" for "isabelle usedir".  Note that this affects
document preparation as well.  INCOMPATIBILITY, isabelle usedir /
mkdir / make are rendered obsolete.

* Discontinued obsolete Isabelle/build script, it is superseded by the
regular isabelle build tool.  For example:

  isabelle build -s -b HOL

* Discontinued obsolete "isabelle makeall".

* Discontinued obsolete IsaMakefile and ROOT.ML files from the
Isabelle distribution, except for rudimentary src/HOL/IsaMakefile that
provides some traditional targets that invoke "isabelle build".  Note
that this is inefficient!  Applications of Isabelle/HOL involving
"isabelle make" should be upgraded to use "isabelle build" directly.

* The "isabelle options" tool prints Isabelle system options, as
required for "isabelle build", for example.

* The "isabelle logo" tool produces EPS and PDF format simultaneously.
Minor INCOMPATIBILITY in command-line options.

* The "isabelle install" tool has now a simpler command-line.  Minor
INCOMPATIBILITY.

* The "isabelle components" tool helps to resolve add-on components
that are not bundled, or referenced from a bare-bones repository
version of Isabelle.

* Settings variable ISABELLE_PLATFORM_FAMILY refers to the general
platform family: "linux", "macos", "windows".

* The ML system is configured as regular component, and no longer
picked up from some surrounding directory.  Potential INCOMPATIBILITY
for home-made settings.

* Improved ML runtime statistics (heap, threads, future tasks etc.).

* Discontinued support for Poly/ML 5.2.1, which was the last version
without exception positions and advanced ML compiler/toplevel
configuration.

* Discontinued special treatment of Proof General -- no longer guess
PROOFGENERAL_HOME based on accidental file-system layout.  Minor
INCOMPATIBILITY: provide PROOFGENERAL_HOME and PROOFGENERAL_OPTIONS
settings manually, or use a Proof General version that has been
bundled as Isabelle component.


New in Isabelle2012 (May 2012)
------------------------------

*** General ***

* Prover IDE (PIDE) improvements:

  - more robust Sledgehammer integration (as before the sledgehammer
    command-line needs to be typed into the source buffer)
  - markup for bound variables
  - markup for types of term variables (displayed as tooltips)
  - support for user-defined Isar commands within the running session
  - improved support for Unicode outside original 16bit range
    e.g. glyph for \<A> (thanks to jEdit 4.5.1)

* Forward declaration of outer syntax keywords within the theory
header -- minor INCOMPATIBILITY for user-defined commands.  Allow new
commands to be used in the same theory where defined.

* Auxiliary contexts indicate block structure for specifications with
additional parameters and assumptions.  Such unnamed contexts may be
nested within other targets, like 'theory', 'locale', 'class',
'instantiation' etc.  Results from the local context are generalized
accordingly and applied to the enclosing target context.  Example:

  context
    fixes x y z :: 'a
    assumes xy: "x = y" and yz: "y = z"
  begin

  lemma my_trans: "x = z" using xy yz by simp

  end

  thm my_trans

The most basic application is to factor-out context elements of
several fixes/assumes/shows theorem statements, e.g. see
~~/src/HOL/Isar_Examples/Group_Context.thy

Any other local theory specification element works within the "context
... begin ... end" block as well.

* Bundled declarations associate attributed fact expressions with a
given name in the context.  These may be later included in other
contexts.  This allows to manage context extensions casually, without
the logical dependencies of locales and locale interpretation.  See
commands 'bundle', 'include', 'including' etc. in the isar-ref manual.

* Commands 'lemmas' and 'theorems' allow local variables using 'for'
declaration, and results are standardized before being stored.  Thus
old-style "standard" after instantiation or composition of facts
becomes obsolete.  Minor INCOMPATIBILITY, due to potential change of
indices of schematic variables.

* Rule attributes in local theory declarations (e.g. locale or class)
are now statically evaluated: the resulting theorem is stored instead
of the original expression.  INCOMPATIBILITY in rare situations, where
the historic accident of dynamic re-evaluation in interpretations
etc. was exploited.

* New tutorial "Programming and Proving in Isabelle/HOL"
("prog-prove").  It completely supersedes "A Tutorial Introduction to
Structured Isar Proofs" ("isar-overview"), which has been removed.  It
also supersedes "Isabelle/HOL, A Proof Assistant for Higher-Order
Logic" as the recommended beginners tutorial, but does not cover all
of the material of that old tutorial.

* Updated and extended reference manuals: "isar-ref",
"implementation", "system"; reduced remaining material in old "ref"
manual.


*** Pure ***

* Command 'definition' no longer exports the foundational "raw_def"
into the user context.  Minor INCOMPATIBILITY, may use the regular
"def" result with attribute "abs_def" to imitate the old version.

* Attribute "abs_def" turns an equation of the form "f x y == t" into
"f == %x y. t", which ensures that "simp" or "unfold" steps always
expand it.  This also works for object-logic equality.  (Formerly
undocumented feature.)

* Sort constraints are now propagated in simultaneous statements, just
like type constraints.  INCOMPATIBILITY in rare situations, where
distinct sorts used to be assigned accidentally.  For example:

  lemma "P (x::'a::foo)" and "Q (y::'a::bar)"  -- "now illegal"

  lemma "P (x::'a)" and "Q (y::'a::bar)"
    -- "now uniform 'a::bar instead of default sort for first occurrence (!)"

* Rule composition via attribute "OF" (or ML functions OF/MRS) is more
tolerant against multiple unifiers, as long as the final result is
unique.  (As before, rules are composed in canonical right-to-left
order to accommodate newly introduced premises.)

* Renamed some inner syntax categories:

    num ~> num_token
    xnum ~> xnum_token
    xstr ~> str_token

Minor INCOMPATIBILITY.  Note that in practice "num_const" or
"num_position" etc. are mainly used instead (which also include
position information via constraints).

* Simplified configuration options for syntax ambiguity: see
"syntax_ambiguity_warning" and "syntax_ambiguity_limit" in isar-ref
manual.  Minor INCOMPATIBILITY.

* Discontinued configuration option "syntax_positions": atomic terms
in parse trees are always annotated by position constraints.

* Old code generator for SML and its commands 'code_module',
'code_library', 'consts_code', 'types_code' have been discontinued.
Use commands of the generic code generator instead.  INCOMPATIBILITY.

* Redundant attribute "code_inline" has been discontinued. Use
"code_unfold" instead.  INCOMPATIBILITY.

* Dropped attribute "code_unfold_post" in favor of the its dual
"code_abbrev", which yields a common pattern in definitions like

  definition [code_abbrev]: "f = t"

INCOMPATIBILITY.

* Obsolete 'types' command has been discontinued.  Use 'type_synonym'
instead.  INCOMPATIBILITY.

* Discontinued old "prems" fact, which used to refer to the accidental
collection of foundational premises in the context (already marked as
legacy since Isabelle2011).


*** HOL ***

* Type 'a set is now a proper type constructor (just as before
Isabelle2008).  Definitions mem_def and Collect_def have disappeared.
Non-trivial INCOMPATIBILITY.  For developments keeping predicates and
sets separate, it is often sufficient to rephrase some set S that has
been accidentally used as predicates by "%x. x : S", and some
predicate P that has been accidentally used as set by "{x. P x}".
Corresponding proofs in a first step should be pruned from any
tinkering with former theorems mem_def and Collect_def as far as
possible.

For developments which deliberately mix predicates and sets, a
planning step is necessary to determine what should become a predicate
and what a set.  It can be helpful to carry out that step in
Isabelle2011-1 before jumping right into the current release.

* Code generation by default implements sets as container type rather
than predicates.  INCOMPATIBILITY.

* New type synonym 'a rel = ('a * 'a) set

* The representation of numerals has changed.  Datatype "num"
represents strictly positive binary numerals, along with functions
"numeral :: num => 'a" and "neg_numeral :: num => 'a" to represent
positive and negated numeric literals, respectively.  See also
definitions in ~~/src/HOL/Num.thy.  Potential INCOMPATIBILITY, some
user theories may require adaptations as follows:

  - Theorems with number_ring or number_semiring constraints: These
    classes are gone; use comm_ring_1 or comm_semiring_1 instead.

  - Theories defining numeric types: Remove number, number_semiring,
    and number_ring instances. Defer all theorems about numerals until
    after classes one and semigroup_add have been instantiated.

  - Numeral-only simp rules: Replace each rule having a "number_of v"
    pattern with two copies, one for numeral and one for neg_numeral.

  - Theorems about subclasses of semiring_1 or ring_1: These classes
    automatically support numerals now, so more simp rules and
    simprocs may now apply within the proof.

  - Definitions and theorems using old constructors Pls/Min/Bit0/Bit1:
    Redefine using other integer operations.

* Transfer: New package intended to generalize the existing
"descending" method and related theorem attributes from the Quotient
package.  (Not all functionality is implemented yet, but future
development will focus on Transfer as an eventual replacement for the
corresponding parts of the Quotient package.)

  - transfer_rule attribute: Maintains a collection of transfer rules,
    which relate constants at two different types. Transfer rules may
    relate different type instances of the same polymorphic constant,
    or they may relate an operation on a raw type to a corresponding
    operation on an abstract type (quotient or subtype). For example:

    ((A ===> B) ===> list_all2 A ===> list_all2 B) map map
    (cr_int ===> cr_int ===> cr_int) (%(x,y) (u,v). (x+u, y+v)) plus_int

  - transfer method: Replaces a subgoal on abstract types with an
    equivalent subgoal on the corresponding raw types. Constants are
    replaced with corresponding ones according to the transfer rules.
    Goals are generalized over all free variables by default; this is
    necessary for variables whose types change, but can be overridden
    for specific variables with e.g. "transfer fixing: x y z".  The
    variant transfer' method allows replacing a subgoal with one that
    is logically stronger (rather than equivalent).

  - relator_eq attribute: Collects identity laws for relators of
    various type constructors, e.g. "list_all2 (op =) = (op =)".  The
    transfer method uses these lemmas to infer transfer rules for
    non-polymorphic constants on the fly.

  - transfer_prover method: Assists with proving a transfer rule for a
    new constant, provided the constant is defined in terms of other
    constants that already have transfer rules. It should be applied
    after unfolding the constant definitions.

  - HOL/ex/Transfer_Int_Nat.thy: Example theory demonstrating transfer
    from type nat to type int.

* Lifting: New package intended to generalize the quotient_definition
facility of the Quotient package; designed to work with Transfer.

  - lift_definition command: Defines operations on an abstract type in
    terms of a corresponding operation on a representation
    type.  Example syntax:

    lift_definition dlist_insert :: "'a => 'a dlist => 'a dlist"
      is List.insert

    Users must discharge a respectfulness proof obligation when each
    constant is defined. (For a type copy, i.e. a typedef with UNIV,
    the proof is discharged automatically.) The obligation is
    presented in a user-friendly, readable form; a respectfulness
    theorem in the standard format and a transfer rule are generated
    by the package.

  - Integration with code_abstype: For typedefs (e.g. subtypes
    corresponding to a datatype invariant, such as dlist),
    lift_definition generates a code certificate theorem and sets up
    code generation for each constant.

  - setup_lifting command: Sets up the Lifting package to work with a
    user-defined type. The user must provide either a quotient theorem
    or a type_definition theorem.  The package configures transfer
    rules for equality and quantifiers on the type, and sets up the
    lift_definition command to work with the type.

  - Usage examples: See Quotient_Examples/Lift_DList.thy,
    Quotient_Examples/Lift_RBT.thy, Quotient_Examples/Lift_FSet.thy,
    Word/Word.thy and Library/Float.thy.

* Quotient package:

  - The 'quotient_type' command now supports a 'morphisms' option with
    rep and abs functions, similar to typedef.

  - 'quotient_type' sets up new types to work with the Lifting and
    Transfer packages, as with 'setup_lifting'.

  - The 'quotient_definition' command now requires the user to prove a
    respectfulness property at the point where the constant is
    defined, similar to lift_definition; INCOMPATIBILITY.

  - Renamed predicate 'Quotient' to 'Quotient3', and renamed theorems
    accordingly, INCOMPATIBILITY.

* New diagnostic command 'find_unused_assms' to find potentially
superfluous assumptions in theorems using Quickcheck.

* Quickcheck:

  - Quickcheck returns variable assignments as counterexamples, which
    allows to reveal the underspecification of functions under test.
    For example, refuting "hd xs = x", it presents the variable
    assignment xs = [] and x = a1 as a counterexample, assuming that
    any property is false whenever "hd []" occurs in it.

    These counterexample are marked as potentially spurious, as
    Quickcheck also returns "xs = []" as a counterexample to the
    obvious theorem "hd xs = hd xs".

    After finding a potentially spurious counterexample, Quickcheck
    continues searching for genuine ones.

    By default, Quickcheck shows potentially spurious and genuine
    counterexamples. The option "genuine_only" sets quickcheck to only
    show genuine counterexamples.

  - The command 'quickcheck_generator' creates random and exhaustive
    value generators for a given type and operations.

    It generates values by using the operations as if they were
    constructors of that type.

  - Support for multisets.

  - Added "use_subtype" options.

  - Added "quickcheck_locale" configuration to specify how to process
    conjectures in a locale context.

* Nitpick: Fixed infinite loop caused by the 'peephole_optim' option
and affecting 'rat' and 'real'.

* Sledgehammer:
  - Integrated more tightly with SPASS, as described in the ITP 2012
    paper "More SPASS with Isabelle".
  - Made it try "smt" as a fallback if "metis" fails or times out.
  - Added support for the following provers: Alt-Ergo (via Why3 and
    TFF1), iProver, iProver-Eq.
  - Sped up the minimizer.
  - Added "lam_trans", "uncurry_aliases", and "minimize" options.
  - Renamed "slicing" ("no_slicing") option to "slice" ("dont_slice").
  - Renamed "sound" option to "strict".

* Metis: Added possibility to specify lambda translations scheme as a
parenthesized argument (e.g., "by (metis (lifting) ...)").

* SMT: Renamed "smt_fixed" option to "smt_read_only_certificates".

* Command 'try0': Renamed from 'try_methods'. INCOMPATIBILITY.

* New "case_product" attribute to generate a case rule doing multiple
case distinctions at the same time.  E.g.

  list.exhaust [case_product nat.exhaust]

produces a rule which can be used to perform case distinction on both
a list and a nat.

* New "eventually_elim" method as a generalized variant of the
eventually_elim* rules.  Supports structured proofs.

* Typedef with implicit set definition is considered legacy.  Use
"typedef (open)" form instead, which will eventually become the
default.

* Record: code generation can be switched off manually with

  declare [[record_coden = false]]  -- "default true"

* Datatype: type parameters allow explicit sort constraints.

* Concrete syntax for case expressions includes constraints for source
positions, and thus produces Prover IDE markup for its bindings.
INCOMPATIBILITY for old-style syntax translations that augment the
pattern notation; e.g. see src/HOL/HOLCF/One.thy for translations of
one_case.

* Clarified attribute "mono_set": pure declaration without modifying
the result of the fact expression.

* More default pred/set conversions on a couple of relation operations
and predicates.  Added powers of predicate relations.  Consolidation
of some relation theorems:

  converse_def ~> converse_unfold
  rel_comp_def ~> relcomp_unfold
  symp_def ~> (modified, use symp_def and sym_def instead)
  transp_def ~> transp_trans
  Domain_def ~> Domain_unfold
  Range_def ~> Domain_converse [symmetric]

Generalized theorems INF_INT_eq, INF_INT_eq2, SUP_UN_eq, SUP_UN_eq2.

See theory "Relation" for examples for making use of pred/set
conversions by means of attributes "to_set" and "to_pred".

INCOMPATIBILITY.

* Renamed facts about the power operation on relations, i.e., relpow
to match the constant's name:

  rel_pow_1 ~> relpow_1
  rel_pow_0_I ~> relpow_0_I
  rel_pow_Suc_I ~> relpow_Suc_I
  rel_pow_Suc_I2 ~> relpow_Suc_I2
  rel_pow_0_E ~> relpow_0_E
  rel_pow_Suc_E ~> relpow_Suc_E
  rel_pow_E ~> relpow_E
  rel_pow_Suc_D2 ~> relpow_Suc_D2
  rel_pow_Suc_E2 ~> relpow_Suc_E2
  rel_pow_Suc_D2' ~> relpow_Suc_D2'
  rel_pow_E2 ~> relpow_E2
  rel_pow_add ~> relpow_add
  rel_pow_commute ~> relpow
  rel_pow_empty ~> relpow_empty:
  rtrancl_imp_UN_rel_pow ~> rtrancl_imp_UN_relpow
  rel_pow_imp_rtrancl ~> relpow_imp_rtrancl
  rtrancl_is_UN_rel_pow ~> rtrancl_is_UN_relpow
  rtrancl_imp_rel_pow ~> rtrancl_imp_relpow
  rel_pow_fun_conv ~> relpow_fun_conv
  rel_pow_finite_bounded1 ~> relpow_finite_bounded1
  rel_pow_finite_bounded ~> relpow_finite_bounded
  rtrancl_finite_eq_rel_pow ~> rtrancl_finite_eq_relpow
  trancl_finite_eq_rel_pow ~> trancl_finite_eq_relpow
  single_valued_rel_pow ~> single_valued_relpow

INCOMPATIBILITY.

* Theory Relation: Consolidated constant name for relation composition
and corresponding theorem names:

  - Renamed constant rel_comp to relcomp.

  - Dropped abbreviation pred_comp. Use relcompp instead.

  - Renamed theorems:

    rel_compI ~> relcompI
    rel_compEpair ~> relcompEpair
    rel_compE ~> relcompE
    pred_comp_rel_comp_eq ~> relcompp_relcomp_eq
    rel_comp_empty1 ~> relcomp_empty1
    rel_comp_mono ~> relcomp_mono
    rel_comp_subset_Sigma ~> relcomp_subset_Sigma
    rel_comp_distrib ~> relcomp_distrib
    rel_comp_distrib2 ~> relcomp_distrib2
    rel_comp_UNION_distrib ~> relcomp_UNION_distrib
    rel_comp_UNION_distrib2 ~> relcomp_UNION_distrib2
    single_valued_rel_comp ~> single_valued_relcomp
    rel_comp_def ~> relcomp_unfold
    converse_rel_comp ~> converse_relcomp
    pred_compI ~> relcomppI
    pred_compE ~> relcomppE
    pred_comp_bot1 ~> relcompp_bot1
    pred_comp_bot2 ~> relcompp_bot2
    transp_pred_comp_less_eq ~> transp_relcompp_less_eq
    pred_comp_mono ~> relcompp_mono
    pred_comp_distrib ~> relcompp_distrib
    pred_comp_distrib2 ~> relcompp_distrib2
    converse_pred_comp ~> converse_relcompp

    finite_rel_comp ~> finite_relcomp

    set_rel_comp ~> set_relcomp

INCOMPATIBILITY.

* Theory Divides: Discontinued redundant theorems about div and mod.
INCOMPATIBILITY, use the corresponding generic theorems instead.

  DIVISION_BY_ZERO ~> div_by_0, mod_by_0
  zdiv_self ~> div_self
  zmod_self ~> mod_self
  zdiv_zero ~> div_0
  zmod_zero ~> mod_0
  zdiv_zmod_equality ~> div_mod_equality2
  zdiv_zmod_equality2 ~> div_mod_equality
  zmod_zdiv_trivial ~> mod_div_trivial
  zdiv_zminus_zminus ~> div_minus_minus
  zmod_zminus_zminus ~> mod_minus_minus
  zdiv_zminus2 ~> div_minus_right
  zmod_zminus2 ~> mod_minus_right
  zdiv_minus1_right ~> div_minus1_right
  zmod_minus1_right ~> mod_minus1_right
  zdvd_mult_div_cancel ~> dvd_mult_div_cancel
  zmod_zmult1_eq ~> mod_mult_right_eq
  zpower_zmod ~> power_mod
  zdvd_zmod ~> dvd_mod
  zdvd_zmod_imp_zdvd ~> dvd_mod_imp_dvd
  mod_mult_distrib ~> mult_mod_left
  mod_mult_distrib2 ~> mult_mod_right

* Removed redundant theorems nat_mult_2 and nat_mult_2_right; use
generic mult_2 and mult_2_right instead. INCOMPATIBILITY.

* Finite_Set.fold now qualified.  INCOMPATIBILITY.

* Consolidated theorem names concerning fold combinators:

  inf_INFI_fold_inf ~> inf_INF_fold_inf
  sup_SUPR_fold_sup ~> sup_SUP_fold_sup
  INFI_fold_inf ~> INF_fold_inf
  SUPR_fold_sup ~> SUP_fold_sup
  union_set ~> union_set_fold
  minus_set ~> minus_set_fold
  INFI_set_fold ~> INF_set_fold
  SUPR_set_fold ~> SUP_set_fold
  INF_code ~> INF_set_foldr
  SUP_code ~> SUP_set_foldr
  foldr.simps ~> foldr.simps (in point-free formulation)
  foldr_fold_rev ~> foldr_conv_fold
  foldl_fold ~> foldl_conv_fold
  foldr_foldr ~> foldr_conv_foldl
  foldl_foldr ~> foldl_conv_foldr
  fold_set_remdups ~> fold_set_fold_remdups
  fold_set ~> fold_set_fold
  fold1_set ~> fold1_set_fold

INCOMPATIBILITY.

* Dropped rarely useful theorems concerning fold combinators:
foldl_apply, foldl_fun_comm, foldl_rev, fold_weak_invariant,
rev_foldl_cons, fold_set_remdups, fold_set, fold_set1,
concat_conv_foldl, foldl_weak_invariant, foldl_invariant,
foldr_invariant, foldl_absorb0, foldl_foldr1_lemma, foldl_foldr1,
listsum_conv_fold, listsum_foldl, sort_foldl_insort, foldl_assoc,
foldr_conv_foldl, start_le_sum, elem_le_sum, sum_eq_0_conv.
INCOMPATIBILITY.  For the common phrases "%xs. List.foldr plus xs 0"
and "List.foldl plus 0", prefer "List.listsum".  Otherwise it can be
useful to boil down "List.foldr" and "List.foldl" to "List.fold" by
unfolding "foldr_conv_fold" and "foldl_conv_fold".

* Dropped lemmas minus_set_foldr, union_set_foldr, union_coset_foldr,
inter_coset_foldr, Inf_fin_set_foldr, Sup_fin_set_foldr,
Min_fin_set_foldr, Max_fin_set_foldr, Inf_set_foldr, Sup_set_foldr,
INF_set_foldr, SUP_set_foldr.  INCOMPATIBILITY.  Prefer corresponding
lemmas over fold rather than foldr, or make use of lemmas
fold_conv_foldr and fold_rev.

* Congruence rules Option.map_cong and Option.bind_cong for recursion
through option types.

* "Transitive_Closure.ntrancl": bounded transitive closure on
relations.

* Constant "Set.not_member" now qualified.  INCOMPATIBILITY.

* Theory Int: Discontinued many legacy theorems specific to type int.
INCOMPATIBILITY, use the corresponding generic theorems instead.

  zminus_zminus ~> minus_minus
  zminus_0 ~> minus_zero
  zminus_zadd_distrib ~> minus_add_distrib
  zadd_commute ~> add_commute
  zadd_assoc ~> add_assoc
  zadd_left_commute ~> add_left_commute
  zadd_ac ~> add_ac
  zmult_ac ~> mult_ac
  zadd_0 ~> add_0_left
  zadd_0_right ~> add_0_right
  zadd_zminus_inverse2 ~> left_minus
  zmult_zminus ~> mult_minus_left
  zmult_commute ~> mult_commute
  zmult_assoc ~> mult_assoc
  zadd_zmult_distrib ~> left_distrib
  zadd_zmult_distrib2 ~> right_distrib
  zdiff_zmult_distrib ~> left_diff_distrib
  zdiff_zmult_distrib2 ~> right_diff_distrib
  zmult_1 ~> mult_1_left
  zmult_1_right ~> mult_1_right
  zle_refl ~> order_refl
  zle_trans ~> order_trans
  zle_antisym ~> order_antisym
  zle_linear ~> linorder_linear
  zless_linear ~> linorder_less_linear
  zadd_left_mono ~> add_left_mono
  zadd_strict_right_mono ~> add_strict_right_mono
  zadd_zless_mono ~> add_less_le_mono
  int_0_less_1 ~> zero_less_one
  int_0_neq_1 ~> zero_neq_one
  zless_le ~> less_le
  zpower_zadd_distrib ~> power_add
  zero_less_zpower_abs_iff ~> zero_less_power_abs_iff
  zero_le_zpower_abs ~> zero_le_power_abs

* Theory Deriv: Renamed

  DERIV_nonneg_imp_nonincreasing ~> DERIV_nonneg_imp_nondecreasing

* Theory Library/Multiset: Improved code generation of multisets.

* Theory HOL/Library/Set_Algebras: Addition and multiplication on sets
are expressed via type classes again. The special syntax
\<oplus>/\<otimes> has been replaced by plain +/*. Removed constant
setsum_set, which is now subsumed by Big_Operators.setsum.
INCOMPATIBILITY.

* Theory HOL/Library/Diagonalize has been removed. INCOMPATIBILITY,
use theory HOL/Library/Nat_Bijection instead.

* Theory HOL/Library/RBT_Impl: Backing implementation of red-black
trees is now inside a type class context.  Names of affected
operations and lemmas have been prefixed by rbt_.  INCOMPATIBILITY for
theories working directly with raw red-black trees, adapt the names as
follows:

  Operations:
  bulkload -> rbt_bulkload
  del_from_left -> rbt_del_from_left
  del_from_right -> rbt_del_from_right
  del -> rbt_del
  delete -> rbt_delete
  ins -> rbt_ins
  insert -> rbt_insert
  insertw -> rbt_insert_with
  insert_with_key -> rbt_insert_with_key
  map_entry -> rbt_map_entry
  lookup -> rbt_lookup
  sorted -> rbt_sorted
  tree_greater -> rbt_greater
  tree_less -> rbt_less
  tree_less_symbol -> rbt_less_symbol
  union -> rbt_union
  union_with -> rbt_union_with
  union_with_key -> rbt_union_with_key

  Lemmas:
  balance_left_sorted -> balance_left_rbt_sorted
  balance_left_tree_greater -> balance_left_rbt_greater
  balance_left_tree_less -> balance_left_rbt_less
  balance_right_sorted -> balance_right_rbt_sorted
  balance_right_tree_greater -> balance_right_rbt_greater
  balance_right_tree_less -> balance_right_rbt_less
  balance_sorted -> balance_rbt_sorted
  balance_tree_greater -> balance_rbt_greater
  balance_tree_less -> balance_rbt_less
  bulkload_is_rbt -> rbt_bulkload_is_rbt
  combine_sorted -> combine_rbt_sorted
  combine_tree_greater -> combine_rbt_greater
  combine_tree_less -> combine_rbt_less
  delete_in_tree -> rbt_delete_in_tree
  delete_is_rbt -> rbt_delete_is_rbt
  del_from_left_tree_greater -> rbt_del_from_left_rbt_greater
  del_from_left_tree_less -> rbt_del_from_left_rbt_less
  del_from_right_tree_greater -> rbt_del_from_right_rbt_greater
  del_from_right_tree_less -> rbt_del_from_right_rbt_less
  del_in_tree -> rbt_del_in_tree
  del_inv1_inv2 -> rbt_del_inv1_inv2
  del_sorted -> rbt_del_rbt_sorted
  del_tree_greater -> rbt_del_rbt_greater
  del_tree_less -> rbt_del_rbt_less
  dom_lookup_Branch -> dom_rbt_lookup_Branch
  entries_lookup -> entries_rbt_lookup
  finite_dom_lookup -> finite_dom_rbt_lookup
  insert_sorted -> rbt_insert_rbt_sorted
  insertw_is_rbt -> rbt_insertw_is_rbt
  insertwk_is_rbt -> rbt_insertwk_is_rbt
  insertwk_sorted -> rbt_insertwk_rbt_sorted
  insertw_sorted -> rbt_insertw_rbt_sorted
  ins_sorted -> ins_rbt_sorted
  ins_tree_greater -> ins_rbt_greater
  ins_tree_less -> ins_rbt_less
  is_rbt_sorted -> is_rbt_rbt_sorted
  lookup_balance -> rbt_lookup_balance
  lookup_bulkload -> rbt_lookup_rbt_bulkload
  lookup_delete -> rbt_lookup_rbt_delete
  lookup_Empty -> rbt_lookup_Empty
  lookup_from_in_tree -> rbt_lookup_from_in_tree
  lookup_in_tree -> rbt_lookup_in_tree
  lookup_ins -> rbt_lookup_ins
  lookup_insert -> rbt_lookup_rbt_insert
  lookup_insertw -> rbt_lookup_rbt_insertw
  lookup_insertwk -> rbt_lookup_rbt_insertwk
  lookup_keys -> rbt_lookup_keys
  lookup_map -> rbt_lookup_map
  lookup_map_entry -> rbt_lookup_rbt_map_entry
  lookup_tree_greater -> rbt_lookup_rbt_greater
  lookup_tree_less -> rbt_lookup_rbt_less
  lookup_union -> rbt_lookup_rbt_union
  map_entry_color_of -> rbt_map_entry_color_of
  map_entry_inv1 -> rbt_map_entry_inv1
  map_entry_inv2 -> rbt_map_entry_inv2
  map_entry_is_rbt -> rbt_map_entry_is_rbt
  map_entry_sorted -> rbt_map_entry_rbt_sorted
  map_entry_tree_greater -> rbt_map_entry_rbt_greater
  map_entry_tree_less -> rbt_map_entry_rbt_less
  map_tree_greater -> map_rbt_greater
  map_tree_less -> map_rbt_less
  map_sorted -> map_rbt_sorted
  paint_sorted -> paint_rbt_sorted
  paint_lookup -> paint_rbt_lookup
  paint_tree_greater -> paint_rbt_greater
  paint_tree_less -> paint_rbt_less
  sorted_entries -> rbt_sorted_entries
  tree_greater_eq_trans -> rbt_greater_eq_trans
  tree_greater_nit -> rbt_greater_nit
  tree_greater_prop -> rbt_greater_prop
  tree_greater_simps -> rbt_greater_simps
  tree_greater_trans -> rbt_greater_trans
  tree_less_eq_trans -> rbt_less_eq_trans
  tree_less_nit -> rbt_less_nit
  tree_less_prop -> rbt_less_prop
  tree_less_simps -> rbt_less_simps
  tree_less_trans -> rbt_less_trans
  tree_ord_props -> rbt_ord_props
  union_Branch -> rbt_union_Branch
  union_is_rbt -> rbt_union_is_rbt
  unionw_is_rbt -> rbt_unionw_is_rbt
  unionwk_is_rbt -> rbt_unionwk_is_rbt
  unionwk_sorted -> rbt_unionwk_rbt_sorted

* Theory HOL/Library/Float: Floating point numbers are now defined as
a subset of the real numbers.  All operations are defined using the
lifing-framework and proofs use the transfer method.  INCOMPATIBILITY.

  Changed Operations:
  float_abs -> abs
  float_nprt -> nprt
  float_pprt -> pprt
  pow2 -> use powr
  round_down -> float_round_down
  round_up -> float_round_up
  scale -> exponent

  Removed Operations:
  ceiling_fl, lb_mult, lb_mod, ub_mult, ub_mod

  Renamed Lemmas:
  abs_float_def -> Float.compute_float_abs
  bitlen_ge0 -> bitlen_nonneg
  bitlen.simps -> Float.compute_bitlen
  float_components -> Float_mantissa_exponent
  float_divl.simps -> Float.compute_float_divl
  float_divr.simps -> Float.compute_float_divr
  float_eq_odd -> mult_powr_eq_mult_powr_iff
  float_power -> real_of_float_power
  lapprox_posrat_def -> Float.compute_lapprox_posrat
  lapprox_rat.simps -> Float.compute_lapprox_rat
  le_float_def' -> Float.compute_float_le
  le_float_def -> less_eq_float.rep_eq
  less_float_def' -> Float.compute_float_less
  less_float_def -> less_float.rep_eq
  normfloat_def -> Float.compute_normfloat
  normfloat_imp_odd_or_zero -> mantissa_not_dvd and mantissa_noteq_0
  normfloat -> normfloat_def
  normfloat_unique -> use normfloat_def
  number_of_float_Float -> Float.compute_float_numeral, Float.compute_float_neg_numeral
  one_float_def -> Float.compute_float_one
  plus_float_def -> Float.compute_float_plus
  rapprox_posrat_def -> Float.compute_rapprox_posrat
  rapprox_rat.simps -> Float.compute_rapprox_rat
  real_of_float_0 -> zero_float.rep_eq
  real_of_float_1 -> one_float.rep_eq
  real_of_float_abs -> abs_float.rep_eq
  real_of_float_add -> plus_float.rep_eq
  real_of_float_minus -> uminus_float.rep_eq
  real_of_float_mult -> times_float.rep_eq
  real_of_float_simp -> Float.rep_eq
  real_of_float_sub -> minus_float.rep_eq
  round_down.simps -> Float.compute_float_round_down
  round_up.simps -> Float.compute_float_round_up
  times_float_def -> Float.compute_float_times
  uminus_float_def -> Float.compute_float_uminus
  zero_float_def -> Float.compute_float_zero

  Lemmas not necessary anymore, use the transfer method:
  bitlen_B0, bitlen_B1, bitlen_ge1, bitlen_Min, bitlen_Pls, float_divl,
  float_divr, float_le_simp, float_less1_mantissa_bound,
  float_less_simp, float_less_zero, float_le_zero,
  float_pos_less1_e_neg, float_pos_m_pos, float_split, float_split2,
  floor_pos_exp, lapprox_posrat, lapprox_posrat_bottom, lapprox_rat,
  lapprox_rat_bottom, normalized_float, rapprox_posrat,
  rapprox_posrat_le1, rapprox_rat, real_of_float_ge0_exp,
  real_of_float_neg_exp, real_of_float_nge0_exp, round_down floor_fl,
  round_up, zero_le_float, zero_less_float

* New theory HOL/Library/DAList provides an abstract type for
association lists with distinct keys.

* Session HOL/IMP: Added new theory of abstract interpretation of
annotated commands.

* Session HOL-Import: Re-implementation from scratch is faster,
simpler, and more scalable.  Requires a proof bundle, which is
available as an external component.  Discontinued old (and mostly
dead) Importer for HOL4 and HOL Light.  INCOMPATIBILITY.

* Session HOL-Word: Discontinued many redundant theorems specific to
type 'a word. INCOMPATIBILITY, use the corresponding generic theorems
instead.

  word_sub_alt ~> word_sub_wi
  word_add_alt ~> word_add_def
  word_mult_alt ~> word_mult_def
  word_minus_alt ~> word_minus_def
  word_0_alt ~> word_0_wi
  word_1_alt ~> word_1_wi
  word_add_0 ~> add_0_left
  word_add_0_right ~> add_0_right
  word_mult_1 ~> mult_1_left
  word_mult_1_right ~> mult_1_right
  word_add_commute ~> add_commute
  word_add_assoc ~> add_assoc
  word_add_left_commute ~> add_left_commute
  word_mult_commute ~> mult_commute
  word_mult_assoc ~> mult_assoc
  word_mult_left_commute ~> mult_left_commute
  word_left_distrib ~> left_distrib
  word_right_distrib ~> right_distrib
  word_left_minus ~> left_minus
  word_diff_0_right ~> diff_0_right
  word_diff_self ~> diff_self
  word_sub_def ~> diff_minus
  word_diff_minus ~> diff_minus
  word_add_ac ~> add_ac
  word_mult_ac ~> mult_ac
  word_plus_ac0 ~> add_0_left add_0_right add_ac
  word_times_ac1 ~> mult_1_left mult_1_right mult_ac
  word_order_trans ~> order_trans
  word_order_refl ~> order_refl
  word_order_antisym ~> order_antisym
  word_order_linear ~> linorder_linear
  lenw1_zero_neq_one ~> zero_neq_one
  word_number_of_eq ~> number_of_eq
  word_of_int_add_hom ~> wi_hom_add
  word_of_int_sub_hom ~> wi_hom_sub
  word_of_int_mult_hom ~> wi_hom_mult
  word_of_int_minus_hom ~> wi_hom_neg
  word_of_int_succ_hom ~> wi_hom_succ
  word_of_int_pred_hom ~> wi_hom_pred
  word_of_int_0_hom ~> word_0_wi
  word_of_int_1_hom ~> word_1_wi

* Session HOL-Word: New proof method "word_bitwise" for splitting
machine word equalities and inequalities into logical circuits,
defined in HOL/Word/WordBitwise.thy.  Supports addition, subtraction,
multiplication, shifting by constants, bitwise operators and numeric
constants.  Requires fixed-length word types, not 'a word.  Solves
many standard word identities outright and converts more into first
order problems amenable to blast or similar.  See also examples in
HOL/Word/Examples/WordExamples.thy.

* Session HOL-Probability: Introduced the type "'a measure" to
represent measures, this replaces the records 'a algebra and 'a
measure_space.  The locales based on subset_class now have two
locale-parameters the space \<Omega> and the set of measurable sets M.
The product of probability spaces uses now the same constant as the
finite product of sigma-finite measure spaces "PiM :: ('i => 'a)
measure".  Most constants are defined now outside of locales and gain
an additional parameter, like null_sets, almost_eventually or \<mu>'.
Measure space constructions for distributions and densities now got
their own constants distr and density.  Instead of using locales to
describe measure spaces with a finite space, the measure count_space
and point_measure is introduced.  INCOMPATIBILITY.

  Renamed constants:
  measure -> emeasure
  finite_measure.\<mu>' -> measure
  product_algebra_generator -> prod_algebra
  product_prob_space.emb -> prod_emb
  product_prob_space.infprod_algebra -> PiM

  Removed locales:
  completeable_measure_space
  finite_measure_space
  finite_prob_space
  finite_product_finite_prob_space
  finite_product_sigma_algebra
  finite_sigma_algebra
  measure_space
  pair_finite_prob_space
  pair_finite_sigma_algebra
  pair_finite_space
  pair_sigma_algebra
  product_sigma_algebra

  Removed constants:
  conditional_space
  distribution -> use distr measure, or distributed predicate
  image_space
  joint_distribution -> use distr measure, or distributed predicate
  pair_measure_generator
  product_prob_space.infprod_algebra -> use PiM
  subvimage

  Replacement theorems:
  finite_additivity_sufficient -> ring_of_sets.countably_additiveI_finite
  finite_measure.empty_measure -> measure_empty
  finite_measure.finite_continuity_from_above -> finite_measure.finite_Lim_measure_decseq
  finite_measure.finite_continuity_from_below -> finite_measure.finite_Lim_measure_incseq
  finite_measure.finite_measure_countably_subadditive -> finite_measure.finite_measure_subadditive_countably
  finite_measure.finite_measure_eq -> finite_measure.emeasure_eq_measure
  finite_measure.finite_measure -> finite_measure.emeasure_finite
  finite_measure.finite_measure_finite_singleton -> finite_measure.finite_measure_eq_setsum_singleton
  finite_measure.positive_measure' -> measure_nonneg
  finite_measure.real_measure -> finite_measure.emeasure_real
  finite_product_prob_space.finite_measure_times -> finite_product_prob_space.finite_measure_PiM_emb
  finite_product_sigma_algebra.in_P -> sets_PiM_I_finite
  finite_product_sigma_algebra.P_empty -> space_PiM_empty, sets_PiM_empty
  information_space.conditional_entropy_eq -> information_space.conditional_entropy_simple_distributed
  information_space.conditional_entropy_positive -> information_space.conditional_entropy_nonneg_simple
  information_space.conditional_mutual_information_eq_mutual_information -> information_space.conditional_mutual_information_eq_mutual_information_simple
  information_space.conditional_mutual_information_generic_positive -> information_space.conditional_mutual_information_nonneg_simple
  information_space.conditional_mutual_information_positive -> information_space.conditional_mutual_information_nonneg_simple
  information_space.entropy_commute -> information_space.entropy_commute_simple
  information_space.entropy_eq -> information_space.entropy_simple_distributed
  information_space.entropy_generic_eq -> information_space.entropy_simple_distributed
  information_space.entropy_positive -> information_space.entropy_nonneg_simple
  information_space.entropy_uniform_max -> information_space.entropy_uniform
  information_space.KL_eq_0_imp -> information_space.KL_eq_0_iff_eq
  information_space.KL_eq_0 -> information_space.KL_same_eq_0
  information_space.KL_ge_0 -> information_space.KL_nonneg
  information_space.mutual_information_eq -> information_space.mutual_information_simple_distributed
  information_space.mutual_information_positive -> information_space.mutual_information_nonneg_simple
  Int_stable_cuboids -> Int_stable_atLeastAtMost
  Int_stable_product_algebra_generator -> positive_integral
  measure_preserving -> equality "distr M N f = N" "f : measurable M N"
  measure_space.additive -> emeasure_additive
  measure_space.AE_iff_null_set -> AE_iff_null
  measure_space.almost_everywhere_def -> eventually_ae_filter
  measure_space.almost_everywhere_vimage -> AE_distrD
  measure_space.continuity_from_above -> INF_emeasure_decseq
  measure_space.continuity_from_above_Lim -> Lim_emeasure_decseq
  measure_space.continuity_from_below_Lim -> Lim_emeasure_incseq
  measure_space.continuity_from_below -> SUP_emeasure_incseq
  measure_space_density -> emeasure_density
  measure_space.density_is_absolutely_continuous -> absolutely_continuousI_density
  measure_space.integrable_vimage -> integrable_distr
  measure_space.integral_translated_density -> integral_density
  measure_space.integral_vimage -> integral_distr
  measure_space.measure_additive -> plus_emeasure
  measure_space.measure_compl -> emeasure_compl
  measure_space.measure_countable_increasing -> emeasure_countable_increasing
  measure_space.measure_countably_subadditive -> emeasure_subadditive_countably
  measure_space.measure_decseq -> decseq_emeasure
  measure_space.measure_Diff -> emeasure_Diff
  measure_space.measure_Diff_null_set -> emeasure_Diff_null_set
  measure_space.measure_eq_0 -> emeasure_eq_0
  measure_space.measure_finitely_subadditive -> emeasure_subadditive_finite
  measure_space.measure_finite_singleton -> emeasure_eq_setsum_singleton
  measure_space.measure_incseq -> incseq_emeasure
  measure_space.measure_insert -> emeasure_insert
  measure_space.measure_mono -> emeasure_mono
  measure_space.measure_not_negative -> emeasure_not_MInf
  measure_space.measure_preserving_Int_stable -> measure_eqI_generator_eq
  measure_space.measure_setsum -> setsum_emeasure
  measure_space.measure_setsum_split -> setsum_emeasure_cover
  measure_space.measure_space_vimage -> emeasure_distr
  measure_space.measure_subadditive_finite -> emeasure_subadditive_finite
  measure_space.measure_subadditive -> subadditive
  measure_space.measure_top -> emeasure_space
  measure_space.measure_UN_eq_0 -> emeasure_UN_eq_0
  measure_space.measure_Un_null_set -> emeasure_Un_null_set
  measure_space.positive_integral_translated_density -> positive_integral_density
  measure_space.positive_integral_vimage -> positive_integral_distr
  measure_space.real_continuity_from_above -> Lim_measure_decseq
  measure_space.real_continuity_from_below -> Lim_measure_incseq
  measure_space.real_measure_countably_subadditive -> measure_subadditive_countably
  measure_space.real_measure_Diff -> measure_Diff
  measure_space.real_measure_finite_Union -> measure_finite_Union
  measure_space.real_measure_setsum_singleton -> measure_eq_setsum_singleton
  measure_space.real_measure_subadditive -> measure_subadditive
  measure_space.real_measure_Union -> measure_Union
  measure_space.real_measure_UNION -> measure_UNION
  measure_space.simple_function_vimage -> simple_function_comp
  measure_space.simple_integral_vimage -> simple_integral_distr
  measure_space.simple_integral_vimage -> simple_integral_distr
  measure_unique_Int_stable -> measure_eqI_generator_eq
  measure_unique_Int_stable_vimage -> measure_eqI_generator_eq
  pair_sigma_algebra.measurable_cut_fst -> sets_Pair1
  pair_sigma_algebra.measurable_cut_snd -> sets_Pair2
  pair_sigma_algebra.measurable_pair_image_fst -> measurable_Pair1
  pair_sigma_algebra.measurable_pair_image_snd -> measurable_Pair2
  pair_sigma_algebra.measurable_product_swap -> measurable_pair_swap_iff
  pair_sigma_algebra.pair_sigma_algebra_measurable -> measurable_pair_swap
  pair_sigma_algebra.pair_sigma_algebra_swap_measurable -> measurable_pair_swap'
  pair_sigma_algebra.sets_swap -> sets_pair_swap
  pair_sigma_finite.measure_cut_measurable_fst -> pair_sigma_finite.measurable_emeasure_Pair1
  pair_sigma_finite.measure_cut_measurable_snd -> pair_sigma_finite.measurable_emeasure_Pair2
  pair_sigma_finite.measure_preserving_swap -> pair_sigma_finite.distr_pair_swap
  pair_sigma_finite.pair_measure_alt2 -> pair_sigma_finite.emeasure_pair_measure_alt2
  pair_sigma_finite.pair_measure_alt -> pair_sigma_finite.emeasure_pair_measure_alt
  pair_sigma_finite.pair_measure_times -> pair_sigma_finite.emeasure_pair_measure_Times
  prob_space.indep_distribution_eq_measure -> prob_space.indep_vars_iff_distr_eq_PiM
  prob_space.indep_var_distributionD -> prob_space.indep_var_distribution_eq
  prob_space.measure_space_1 -> prob_space.emeasure_space_1
  prob_space.prob_space_vimage -> prob_space_distr
  prob_space.random_variable_restrict -> measurable_restrict
  prob_space_unique_Int_stable -> measure_eqI_prob_space
  product_algebraE -> prod_algebraE_all
  product_algebra_generator_der -> prod_algebra_eq_finite
  product_algebra_generator_into_space -> prod_algebra_sets_into_space
  product_algebraI -> sets_PiM_I_finite
  product_measure_exists -> product_sigma_finite.sigma_finite
  product_prob_space.finite_index_eq_finite_product -> product_prob_space.sets_PiM_generator
  product_prob_space.finite_measure_infprod_emb_Pi -> product_prob_space.measure_PiM_emb
  product_prob_space.infprod_spec -> product_prob_space.emeasure_PiM_emb_not_empty
  product_prob_space.measurable_component -> measurable_component_singleton
  product_prob_space.measurable_emb -> measurable_prod_emb
  product_prob_space.measurable_into_infprod_algebra -> measurable_PiM_single
  product_prob_space.measurable_singleton_infprod -> measurable_component_singleton
  product_prob_space.measure_emb -> emeasure_prod_emb
  product_prob_space.measure_preserving_restrict -> product_prob_space.distr_restrict
  product_sigma_algebra.product_algebra_into_space -> space_closed
  product_sigma_finite.measure_fold -> product_sigma_finite.distr_merge
  product_sigma_finite.measure_preserving_component_singelton -> product_sigma_finite.distr_singleton
  product_sigma_finite.measure_preserving_merge -> product_sigma_finite.distr_merge
  sequence_space.measure_infprod -> sequence_space.measure_PiM_countable
  sets_product_algebra -> sets_PiM
  sigma_algebra.measurable_sigma -> measurable_measure_of
  sigma_finite_measure.disjoint_sigma_finite -> sigma_finite_disjoint
  sigma_finite_measure.RN_deriv_vimage -> sigma_finite_measure.RN_deriv_distr
  sigma_product_algebra_sigma_eq -> sigma_prod_algebra_sigma_eq
  space_product_algebra -> space_PiM

* Session HOL-TPTP: support to parse and import TPTP problems (all
languages) into Isabelle/HOL.


*** FOL ***

* New "case_product" attribute (see HOL).


*** ZF ***

* Greater support for structured proofs involving induction or case
analysis.

* Much greater use of mathematical symbols.

* Removal of many ML theorem bindings.  INCOMPATIBILITY.


*** ML ***

* Antiquotation @{keyword "name"} produces a parser for outer syntax
from a minor keyword introduced via theory header declaration.

* Antiquotation @{command_spec "name"} produces the
Outer_Syntax.command_spec from a major keyword introduced via theory
header declaration; it can be passed to Outer_Syntax.command etc.

* Local_Theory.define no longer hard-wires default theorem name
"foo_def", but retains the binding as given.  If that is Binding.empty
/ Attrib.empty_binding, the result is not registered as user-level
fact.  The Local_Theory.define_internal variant allows to specify a
non-empty name (used for the foundation in the background theory),
while omitting the fact binding in the user-context.  Potential
INCOMPATIBILITY for derived definitional packages: need to specify
naming policy for primitive definitions more explicitly.

* Renamed Thm.capply to Thm.apply, and Thm.cabs to Thm.lambda in
conformance with similar operations in structure Term and Logic.

* Antiquotation @{attributes [...]} embeds attribute source
representation into the ML text, which is particularly useful with
declarations like Local_Theory.note.

* Structure Proof_Context follows standard naming scheme.  Old
ProofContext has been discontinued.  INCOMPATIBILITY.

* Refined Local_Theory.declaration {syntax, pervasive}, with subtle
change of semantics: update is applied to auxiliary local theory
context as well.

* Modernized some old-style infix operations:

  addeqcongs    ~> Simplifier.add_eqcong
  deleqcongs    ~> Simplifier.del_eqcong
  addcongs      ~> Simplifier.add_cong
  delcongs      ~> Simplifier.del_cong
  setmksimps    ~> Simplifier.set_mksimps
  setmkcong     ~> Simplifier.set_mkcong
  setmksym      ~> Simplifier.set_mksym
  setmkeqTrue   ~> Simplifier.set_mkeqTrue
  settermless   ~> Simplifier.set_termless
  setsubgoaler  ~> Simplifier.set_subgoaler
  addsplits     ~> Splitter.add_split
  delsplits     ~> Splitter.del_split


*** System ***

* USER_HOME settings variable points to cross-platform user home
directory, which coincides with HOME on POSIX systems only.  Likewise,
the Isabelle path specification "~" now expands to $USER_HOME, instead
of former $HOME.  A different default for USER_HOME may be set
explicitly in shell environment, before Isabelle settings are
evaluated.  Minor INCOMPATIBILITY: need to adapt Isabelle path where
the generic user home was intended.

* ISABELLE_HOME_WINDOWS refers to ISABELLE_HOME in windows file name
notation, which is useful for the jEdit file browser, for example.

* ISABELLE_JDK_HOME settings variable points to JDK with javac and jar
(not just JRE).


New in Isabelle2011-1 (October 2011)
------------------------------------

*** General ***

* Improved Isabelle/jEdit Prover IDE (PIDE), which can be invoked as
"isabelle jedit" or "ISABELLE_HOME/Isabelle" on the command line.

  - Management of multiple theory files directly from the editor
    buffer store -- bypassing the file-system (no requirement to save
    files for checking).

  - Markup of formal entities within the text buffer, with semantic
    highlighting, tooltips and hyperlinks to jump to defining source
    positions.

  - Improved text rendering, with sub/superscripts in the source
    buffer (including support for copy/paste wrt. output panel, HTML
    theory output and other non-Isabelle text boxes).

  - Refined scheduling of proof checking and printing of results,
    based on interactive editor view.  (Note: jEdit folding and
    narrowing allows to restrict buffer perspectives explicitly.)

  - Reduced CPU performance requirements, usable on machines with few
    cores.

  - Reduced memory requirements due to pruning of unused document
    versions (garbage collection).

See also ~~/src/Tools/jEdit/README.html for further information,
including some remaining limitations.

* Theory loader: source files are exclusively located via the master
directory of each theory node (where the .thy file itself resides).
The global load path (such as src/HOL/Library) has been discontinued.
Note that the path element ~~ may be used to reference theories in the
Isabelle home folder -- for instance, "~~/src/HOL/Library/FuncSet".
INCOMPATIBILITY.

* Theory loader: source files are identified by content via SHA1
digests.  Discontinued former path/modtime identification and optional
ISABELLE_FILE_IDENT plugin scripts.

* Parallelization of nested Isar proofs is subject to
Goal.parallel_proofs_threshold (default 100).  See also isabelle
usedir option -Q.

* Name space: former unsynchronized references are now proper
configuration options, with more conventional names:

  long_names   ~> names_long
  short_names  ~> names_short
  unique_names ~> names_unique

Minor INCOMPATIBILITY, need to declare options in context like this:

  declare [[names_unique = false]]

* Literal facts `prop` may contain dummy patterns, e.g. `_ = _`.  Note
that the result needs to be unique, which means fact specifications
may have to be refined after enriching a proof context.

* Attribute "case_names" has been refined: the assumptions in each case
can be named now by following the case name with [name1 name2 ...].

* Isabelle/Isar reference manual has been updated and extended:
  - "Synopsis" provides a catalog of main Isar language concepts.
  - Formal references in syntax diagrams, via @{rail} antiquotation.
  - Updated material from classic "ref" manual, notably about
    "Classical Reasoner".


*** HOL ***

* Class bot and top require underlying partial order rather than
preorder: uniqueness of bot and top is guaranteed.  INCOMPATIBILITY.

* Class complete_lattice: generalized a couple of lemmas from sets;
generalized theorems INF_cong and SUP_cong.  New type classes for
complete boolean algebras and complete linear orders.  Lemmas
Inf_less_iff, less_Sup_iff, INF_less_iff, less_SUP_iff now reside in
class complete_linorder.

Changed proposition of lemmas Inf_bool_def, Sup_bool_def, Inf_fun_def,
Sup_fun_def, Inf_apply, Sup_apply.

Removed redundant lemmas (the right hand side gives hints how to
replace them for (metis ...), or (simp only: ...) proofs):

  Inf_singleton ~> Inf_insert [where A="{}", unfolded Inf_empty inf_top_right]
  Sup_singleton ~> Sup_insert [where A="{}", unfolded Sup_empty sup_bot_right]
  Inf_binary ~> Inf_insert, Inf_empty, and inf_top_right
  Sup_binary ~> Sup_insert, Sup_empty, and sup_bot_right
  Int_eq_Inter ~> Inf_insert, Inf_empty, and inf_top_right
  Un_eq_Union ~> Sup_insert, Sup_empty, and sup_bot_right
  Inter_def ~> INF_def, image_def
  Union_def ~> SUP_def, image_def
  INT_eq ~> INF_def, and image_def
  UN_eq ~> SUP_def, and image_def
  INF_subset ~> INF_superset_mono [OF _ order_refl]

More consistent and comprehensive names:

  INTER_eq_Inter_image ~> INF_def
  UNION_eq_Union_image ~> SUP_def
  INFI_def ~> INF_def
  SUPR_def ~> SUP_def
  INF_leI ~> INF_lower
  INF_leI2 ~> INF_lower2
  le_INFI ~> INF_greatest
  le_SUPI ~> SUP_upper
  le_SUPI2 ~> SUP_upper2
  SUP_leI ~> SUP_least
  INFI_bool_eq ~> INF_bool_eq
  SUPR_bool_eq ~> SUP_bool_eq
  INFI_apply ~> INF_apply
  SUPR_apply ~> SUP_apply
  INTER_def ~> INTER_eq
  UNION_def ~> UNION_eq

INCOMPATIBILITY.

* Renamed theory Complete_Lattice to Complete_Lattices.
INCOMPATIBILITY.

* Theory Complete_Lattices: lemmas Inf_eq_top_iff, INF_eq_top_iff,
INF_image, Inf_insert, INF_top, Inf_top_conv, INF_top_conv, SUP_bot,
Sup_bot_conv, SUP_bot_conv, Sup_eq_top_iff, SUP_eq_top_iff, SUP_image,
Sup_insert are now declared as [simp].  INCOMPATIBILITY.

* Theory Lattice: lemmas compl_inf_bot, compl_le_comp_iff,
compl_sup_top, inf_idem, inf_left_idem, inf_sup_absorb, sup_idem,
sup_inf_absob, sup_left_idem are now declared as [simp].  Minor
INCOMPATIBILITY.

* Added syntactic classes "inf" and "sup" for the respective
constants.  INCOMPATIBILITY: Changes in the argument order of the
(mostly internal) locale predicates for some derived classes.

* Theorem collections ball_simps and bex_simps do not contain theorems
referring to UNION any longer; these have been moved to collection
UN_ball_bex_simps.  INCOMPATIBILITY.

* Theory Archimedean_Field: floor now is defined as parameter of a
separate type class floor_ceiling.

* Theory Finite_Set: more coherent development of fold_set locales:

    locale fun_left_comm ~> locale comp_fun_commute
    locale fun_left_comm_idem ~> locale comp_fun_idem

Both use point-free characterization; interpretation proofs may need
adjustment.  INCOMPATIBILITY.

* Theory Limits: Type "'a net" has been renamed to "'a filter", in
accordance with standard mathematical terminology. INCOMPATIBILITY.

* Theory Complex_Main: The locale interpretations for the
bounded_linear and bounded_bilinear locales have been removed, in
order to reduce the number of duplicate lemmas. Users must use the
original names for distributivity theorems, potential INCOMPATIBILITY.

  divide.add ~> add_divide_distrib
  divide.diff ~> diff_divide_distrib
  divide.setsum ~> setsum_divide_distrib
  mult.add_right ~> right_distrib
  mult.diff_right ~> right_diff_distrib
  mult_right.setsum ~> setsum_right_distrib
  mult_left.diff ~> left_diff_distrib

* Theory Complex_Main: Several redundant theorems have been removed or
replaced by more general versions. INCOMPATIBILITY.

  real_diff_def ~> minus_real_def
  real_divide_def ~> divide_real_def
  real_less_def ~> less_le
  real_abs_def ~> abs_real_def
  real_sgn_def ~> sgn_real_def
  real_mult_commute ~> mult_commute
  real_mult_assoc ~> mult_assoc
  real_mult_1 ~> mult_1_left
  real_add_mult_distrib ~> left_distrib
  real_zero_not_eq_one ~> zero_neq_one
  real_mult_inverse_left ~> left_inverse
  INVERSE_ZERO ~> inverse_zero
  real_le_refl ~> order_refl
  real_le_antisym ~> order_antisym
  real_le_trans ~> order_trans
  real_le_linear ~> linear
  real_le_eq_diff ~> le_iff_diff_le_0
  real_add_left_mono ~> add_left_mono
  real_mult_order ~> mult_pos_pos
  real_mult_less_mono2 ~> mult_strict_left_mono
  real_of_int_real_of_nat ~> real_of_int_of_nat_eq
  real_0_le_divide_iff ~> zero_le_divide_iff
  realpow_two_disj ~> power2_eq_iff
  real_squared_diff_one_factored ~> square_diff_one_factored
  realpow_two_diff ~> square_diff_square_factored
  reals_complete2 ~> complete_real
  real_sum_squared_expand ~> power2_sum
  exp_ln_eq ~> ln_unique
  expi_add ~> exp_add
  expi_zero ~> exp_zero
  lemma_DERIV_subst ~> DERIV_cong
  LIMSEQ_Zfun_iff ~> tendsto_Zfun_iff
  LIMSEQ_const ~> tendsto_const
  LIMSEQ_norm ~> tendsto_norm
  LIMSEQ_add ~> tendsto_add
  LIMSEQ_minus ~> tendsto_minus
  LIMSEQ_minus_cancel ~> tendsto_minus_cancel
  LIMSEQ_diff ~> tendsto_diff
  bounded_linear.LIMSEQ ~> bounded_linear.tendsto
  bounded_bilinear.LIMSEQ ~> bounded_bilinear.tendsto
  LIMSEQ_mult ~> tendsto_mult
  LIMSEQ_inverse ~> tendsto_inverse
  LIMSEQ_divide ~> tendsto_divide
  LIMSEQ_pow ~> tendsto_power
  LIMSEQ_setsum ~> tendsto_setsum
  LIMSEQ_setprod ~> tendsto_setprod
  LIMSEQ_norm_zero ~> tendsto_norm_zero_iff
  LIMSEQ_rabs_zero ~> tendsto_rabs_zero_iff
  LIMSEQ_imp_rabs ~> tendsto_rabs
  LIMSEQ_add_minus ~> tendsto_add [OF _ tendsto_minus]
  LIMSEQ_add_const ~> tendsto_add [OF _ tendsto_const]
  LIMSEQ_diff_const ~> tendsto_diff [OF _ tendsto_const]
  LIMSEQ_Complex ~> tendsto_Complex
  LIM_ident ~> tendsto_ident_at
  LIM_const ~> tendsto_const
  LIM_add ~> tendsto_add
  LIM_add_zero ~> tendsto_add_zero
  LIM_minus ~> tendsto_minus
  LIM_diff ~> tendsto_diff
  LIM_norm ~> tendsto_norm
  LIM_norm_zero ~> tendsto_norm_zero
  LIM_norm_zero_cancel ~> tendsto_norm_zero_cancel
  LIM_norm_zero_iff ~> tendsto_norm_zero_iff
  LIM_rabs ~> tendsto_rabs
  LIM_rabs_zero ~> tendsto_rabs_zero
  LIM_rabs_zero_cancel ~> tendsto_rabs_zero_cancel
  LIM_rabs_zero_iff ~> tendsto_rabs_zero_iff
  LIM_compose ~> tendsto_compose
  LIM_mult ~> tendsto_mult
  LIM_scaleR ~> tendsto_scaleR
  LIM_of_real ~> tendsto_of_real
  LIM_power ~> tendsto_power
  LIM_inverse ~> tendsto_inverse
  LIM_sgn ~> tendsto_sgn
  isCont_LIM_compose ~> isCont_tendsto_compose
  bounded_linear.LIM ~> bounded_linear.tendsto
  bounded_linear.LIM_zero ~> bounded_linear.tendsto_zero
  bounded_bilinear.LIM ~> bounded_bilinear.tendsto
  bounded_bilinear.LIM_prod_zero ~> bounded_bilinear.tendsto_zero
  bounded_bilinear.LIM_left_zero ~> bounded_bilinear.tendsto_left_zero
  bounded_bilinear.LIM_right_zero ~> bounded_bilinear.tendsto_right_zero
  LIM_inverse_fun ~> tendsto_inverse [OF tendsto_ident_at]

* Theory Complex_Main: The definition of infinite series was
generalized.  Now it is defined on the type class {topological_space,
comm_monoid_add}.  Hence it is useable also for extended real numbers.

* Theory Complex_Main: The complex exponential function "expi" is now
a type-constrained abbreviation for "exp :: complex => complex"; thus
several polymorphic lemmas about "exp" are now applicable to "expi".

* Code generation:

  - Theory Library/Code_Char_ord provides native ordering of
    characters in the target language.

  - Commands code_module and code_library are legacy, use export_code
    instead.

  - Method "evaluation" is legacy, use method "eval" instead.

  - Legacy evaluator "SML" is deactivated by default.  May be
    reactivated by the following theory command:

      setup {* Value.add_evaluator ("SML", Codegen.eval_term) *}

* Declare ext [intro] by default.  Rare INCOMPATIBILITY.

* New proof method "induction" that gives induction hypotheses the
name "IH", thus distinguishing them from further hypotheses that come
from rule induction.  The latter are still called "hyps".  Method
"induction" is a thin wrapper around "induct" and follows the same
syntax.

* Method "fastsimp" has been renamed to "fastforce", but "fastsimp" is
still available as a legacy feature for some time.

* Nitpick:
  - Added "need" and "total_consts" options.
  - Reintroduced "show_skolems" option by popular demand.
  - Renamed attribute: nitpick_def ~> nitpick_unfold.
    INCOMPATIBILITY.

* Sledgehammer:
  - Use quasi-sound (and efficient) translations by default.
  - Added support for the following provers: E-ToFoF, LEO-II,
    Satallax, SNARK, Waldmeister, and Z3 with TPTP syntax.
  - Automatically preplay and minimize proofs before showing them if
    this can be done within reasonable time.
  - sledgehammer available_provers ~> sledgehammer supported_provers.
    INCOMPATIBILITY.
  - Added "preplay_timeout", "slicing", "type_enc", "sound",
    "max_mono_iters", and "max_new_mono_instances" options.
  - Removed "explicit_apply" and "full_types" options as well as "Full
    Types" Proof General menu item. INCOMPATIBILITY.

* Metis:
  - Removed "metisF" -- use "metis" instead. INCOMPATIBILITY.
  - Obsoleted "metisFT" -- use "metis (full_types)" instead.
    INCOMPATIBILITY.

* Command 'try':
  - Renamed 'try_methods' and added "simp:", "intro:", "dest:", and
    "elim:" options. INCOMPATIBILITY.
  - Introduced 'try' that not only runs 'try_methods' but also
    'solve_direct', 'sledgehammer', 'quickcheck', and 'nitpick'.

* Quickcheck:
  - Added "eval" option to evaluate terms for the found counterexample
    (currently only supported by the default (exhaustive) tester).
  - Added post-processing of terms to obtain readable counterexamples
    (currently only supported by the default (exhaustive) tester).
  - New counterexample generator quickcheck[narrowing] enables
    narrowing-based testing.  Requires the Glasgow Haskell compiler
    with its installation location defined in the Isabelle settings
    environment as ISABELLE_GHC.
  - Removed quickcheck tester "SML" based on the SML code generator
    (formly in HOL/Library).

* Function package: discontinued option "tailrec".  INCOMPATIBILITY,
use 'partial_function' instead.

* Theory Library/Extended_Reals replaces now the positive extended
reals found in probability theory. This file is extended by
Multivariate_Analysis/Extended_Real_Limits.

* Theory Library/Old_Recdef: old 'recdef' package has been moved here,
from where it must be imported explicitly if it is really required.
INCOMPATIBILITY.

* Theory Library/Wfrec: well-founded recursion combinator "wfrec" has
been moved here.  INCOMPATIBILITY.

* Theory Library/Saturated provides type of numbers with saturated
arithmetic.

* Theory Library/Product_Lattice defines a pointwise ordering for the
product type 'a * 'b, and provides instance proofs for various order
and lattice type classes.

* Theory Library/Countable now provides the "countable_datatype" proof
method for proving "countable" class instances for datatypes.

* Theory Library/Cset_Monad allows do notation for computable sets
(cset) via the generic monad ad-hoc overloading facility.

* Library: Theories of common data structures are split into theories
for implementation, an invariant-ensuring type, and connection to an
abstract type. INCOMPATIBILITY.

  - RBT is split into RBT and RBT_Mapping.
  - AssocList is split and renamed into AList and AList_Mapping.
  - DList is split into DList_Impl, DList, and DList_Cset.
  - Cset is split into Cset and List_Cset.

* Theory Library/Nat_Infinity has been renamed to
Library/Extended_Nat, with name changes of the following types and
constants:

  type inat   ~> type enat
  Fin         ~> enat
  Infty       ~> infinity (overloaded)
  iSuc        ~> eSuc
  the_Fin     ~> the_enat

Every theorem name containing "inat", "Fin", "Infty", or "iSuc" has
been renamed accordingly. INCOMPATIBILITY.

* Session Multivariate_Analysis: The euclidean_space type class now
fixes a constant "Basis :: 'a set" consisting of the standard
orthonormal basis for the type. Users now have the option of
quantifying over this set instead of using the "basis" function, e.g.
"ALL x:Basis. P x" vs "ALL i<DIM('a). P (basis i)".

* Session Multivariate_Analysis: Type "('a, 'b) cart" has been renamed
to "('a, 'b) vec" (the syntax "'a ^ 'b" remains unaffected). Constants
"Cart_nth" and "Cart_lambda" have been respectively renamed to
"vec_nth" and "vec_lambda"; theorems mentioning those names have
changed to match. Definition theorems for overloaded constants now use
the standard "foo_vec_def" naming scheme. A few other theorems have
been renamed as follows (INCOMPATIBILITY):

  Cart_eq          ~> vec_eq_iff
  dist_nth_le_cart ~> dist_vec_nth_le
  tendsto_vector   ~> vec_tendstoI
  Cauchy_vector    ~> vec_CauchyI

* Session Multivariate_Analysis: Several duplicate theorems have been
removed, and other theorems have been renamed or replaced with more
general versions. INCOMPATIBILITY.

  finite_choice ~> finite_set_choice
  eventually_conjI ~> eventually_conj
  eventually_and ~> eventually_conj_iff
  eventually_false ~> eventually_False
  setsum_norm ~> norm_setsum
  Lim_sequentially ~> LIMSEQ_def
  Lim_ident_at ~> LIM_ident
  Lim_const ~> tendsto_const
  Lim_cmul ~> tendsto_scaleR [OF tendsto_const]
  Lim_neg ~> tendsto_minus
  Lim_add ~> tendsto_add
  Lim_sub ~> tendsto_diff
  Lim_mul ~> tendsto_scaleR
  Lim_vmul ~> tendsto_scaleR [OF _ tendsto_const]
  Lim_null_norm ~> tendsto_norm_zero_iff [symmetric]
  Lim_linear ~> bounded_linear.tendsto
  Lim_component ~> tendsto_euclidean_component
  Lim_component_cart ~> tendsto_vec_nth
  Lim_inner ~> tendsto_inner [OF tendsto_const]
  dot_lsum ~> inner_setsum_left
  dot_rsum ~> inner_setsum_right
  continuous_cmul ~> continuous_scaleR [OF continuous_const]
  continuous_neg ~> continuous_minus
  continuous_sub ~> continuous_diff
  continuous_vmul ~> continuous_scaleR [OF _ continuous_const]
  continuous_mul ~> continuous_scaleR
  continuous_inv ~> continuous_inverse
  continuous_at_within_inv ~> continuous_at_within_inverse
  continuous_at_inv ~> continuous_at_inverse
  continuous_at_norm ~> continuous_norm [OF continuous_at_id]
  continuous_at_infnorm ~> continuous_infnorm [OF continuous_at_id]
  continuous_at_component ~> continuous_component [OF continuous_at_id]
  continuous_on_neg ~> continuous_on_minus
  continuous_on_sub ~> continuous_on_diff
  continuous_on_cmul ~> continuous_on_scaleR [OF continuous_on_const]
  continuous_on_vmul ~> continuous_on_scaleR [OF _ continuous_on_const]
  continuous_on_mul ~> continuous_on_scaleR
  continuous_on_mul_real ~> continuous_on_mult
  continuous_on_inner ~> continuous_on_inner [OF continuous_on_const]
  continuous_on_norm ~> continuous_on_norm [OF continuous_on_id]
  continuous_on_inverse ~> continuous_on_inv
  uniformly_continuous_on_neg ~> uniformly_continuous_on_minus
  uniformly_continuous_on_sub ~> uniformly_continuous_on_diff
  subset_interior ~> interior_mono
  subset_closure ~> closure_mono
  closure_univ ~> closure_UNIV
  real_arch_lt ~> reals_Archimedean2
  real_arch ~> reals_Archimedean3
  real_abs_norm ~> abs_norm_cancel
  real_abs_sub_norm ~> norm_triangle_ineq3
  norm_cauchy_schwarz_abs ~> Cauchy_Schwarz_ineq2

* Session HOL-Probability:
  - Caratheodory's extension lemma is now proved for ring_of_sets.
  - Infinite products of probability measures are now available.
  - Sigma closure is independent, if the generator is independent
  - Use extended reals instead of positive extended
    reals. INCOMPATIBILITY.

* Session HOLCF: Discontinued legacy theorem names, INCOMPATIBILITY.

  expand_fun_below ~> fun_below_iff
  below_fun_ext ~> fun_belowI
  expand_cfun_eq ~> cfun_eq_iff
  ext_cfun ~> cfun_eqI
  expand_cfun_below ~> cfun_below_iff
  below_cfun_ext ~> cfun_belowI
  monofun_fun_fun ~> fun_belowD
  monofun_fun_arg ~> monofunE
  monofun_lub_fun ~> adm_monofun [THEN admD]
  cont_lub_fun ~> adm_cont [THEN admD]
  cont2cont_Rep_CFun ~> cont2cont_APP
  cont_Rep_CFun_app ~> cont_APP_app
  cont_Rep_CFun_app_app ~> cont_APP_app_app
  cont_cfun_fun ~> cont_Rep_cfun1 [THEN contE]
  cont_cfun_arg ~> cont_Rep_cfun2 [THEN contE]
  contlub_cfun ~> lub_APP [symmetric]
  contlub_LAM ~> lub_LAM [symmetric]
  thelubI ~> lub_eqI
  UU_I ~> bottomI
  lift_distinct1 ~> lift.distinct(1)
  lift_distinct2 ~> lift.distinct(2)
  Def_not_UU ~> lift.distinct(2)
  Def_inject ~> lift.inject
  below_UU_iff ~> below_bottom_iff
  eq_UU_iff ~> eq_bottom_iff


*** Document preparation ***

* Antiquotation @{rail} layouts railroad syntax diagrams, see also
isar-ref manual, both for description and actual application of the
same.

* Antiquotation @{value} evaluates the given term and presents its
result.

* Antiquotations: term style "isub" provides ad-hoc conversion of
variables x1, y23 into subscripted form x\<^isub>1,
y\<^isub>2\<^isub>3.

* Predefined LaTeX macros for Isabelle symbols \<bind> and \<then>
(e.g. see ~~/src/HOL/Library/Monad_Syntax.thy).

* Localized \isabellestyle switch can be used within blocks or groups
like this:

  \isabellestyle{it}  %preferred default
  {\isabellestylett @{text "typewriter stuff"}}

* Discontinued special treatment of hard tabulators.  Implicit
tab-width is now defined as 1.  Potential INCOMPATIBILITY for visual
layouts.


*** ML ***

* The inner syntax of sort/type/term/prop supports inlined YXML
representations within quoted string tokens.  By encoding logical
entities via Term_XML (in ML or Scala) concrete syntax can be
bypassed, which is particularly useful for producing bits of text
under external program control.

* Antiquotations for ML and document preparation are managed as theory
data, which requires explicit setup.

* Isabelle_Process.is_active allows tools to check if the official
process wrapper is running (Isabelle/Scala/jEdit) or the old TTY loop
(better known as Proof General).

* Structure Proof_Context follows standard naming scheme.  Old
ProofContext is still available for some time as legacy alias.

* Structure Timing provides various operations for timing; supersedes
former start_timing/end_timing etc.

* Path.print is the official way to show file-system paths to users
(including quotes etc.).

* Inner syntax: identifiers in parse trees of generic categories
"logic", "aprop", "idt" etc. carry position information (disguised as
type constraints).  Occasional INCOMPATIBILITY with non-compliant
translations that choke on unexpected type constraints.  Positions can
be stripped in ML translations via Syntax.strip_positions /
Syntax.strip_positions_ast, or via the syntax constant
"_strip_positions" within parse trees.  As last resort, positions can
be disabled via the configuration option Syntax.positions, which is
called "syntax_positions" in Isar attribute syntax.

* Discontinued special status of various ML structures that contribute
to structure Syntax (Ast, Lexicon, Mixfix, Parser, Printer etc.): less
pervasive content, no inclusion in structure Syntax.  INCOMPATIBILITY,
refer directly to Ast.Constant, Lexicon.is_identifier,
Syntax_Trans.mk_binder_tr etc.

* Typed print translation: discontinued show_sorts argument, which is
already available via context of "advanced" translation.

* Refined PARALLEL_GOALS tactical: degrades gracefully for schematic
goal states; body tactic needs to address all subgoals uniformly.

* Slightly more special eq_list/eq_set, with shortcut involving
pointer equality (assumes that eq relation is reflexive).

* Classical tactics use proper Proof.context instead of historic types
claset/clasimpset.  Old-style declarations like addIs, addEs, addDs
operate directly on Proof.context.  Raw type claset retains its use as
snapshot of the classical context, which can be recovered via
(put_claset HOL_cs) etc.  Type clasimpset has been discontinued.
INCOMPATIBILITY, classical tactics and derived proof methods require
proper Proof.context.


*** System ***

* Discontinued support for Poly/ML 5.2, which was the last version
without proper multithreading and TimeLimit implementation.

* Discontinued old lib/scripts/polyml-platform, which has been
obsolete since Isabelle2009-2.

* Various optional external tools are referenced more robustly and
uniformly by explicit Isabelle settings as follows:

  ISABELLE_CSDP   (formerly CSDP_EXE)
  ISABELLE_GHC    (formerly EXEC_GHC or GHC_PATH)
  ISABELLE_OCAML  (formerly EXEC_OCAML)
  ISABELLE_SWIPL  (formerly EXEC_SWIPL)
  ISABELLE_YAP    (formerly EXEC_YAP)

Note that automated detection from the file-system or search path has
been discontinued.  INCOMPATIBILITY.

* Scala layer provides JVM method invocation service for static
methods of type (String)String, see Invoke_Scala.method in ML.  For
example:

  Invoke_Scala.method "java.lang.System.getProperty" "java.home"

Together with YXML.string_of_body/parse_body and XML.Encode/Decode
this allows to pass structured values between ML and Scala.

* The IsabelleText fonts includes some further glyphs to support the
Prover IDE.  Potential INCOMPATIBILITY: users who happen to have
installed a local copy (which is normally *not* required) need to
delete or update it from ~~/lib/fonts/.


New in Isabelle2011 (January 2011)
----------------------------------

*** General ***

* Experimental Prover IDE based on Isabelle/Scala and jEdit (see
src/Tools/jEdit).  This also serves as IDE for Isabelle/ML, with
useful tooltips and hyperlinks produced from its static analysis.  The
bundled component provides an executable Isabelle tool that can be run
like this:

  Isabelle2011/bin/isabelle jedit

* Significantly improved Isabelle/Isar implementation manual.

* System settings: ISABELLE_HOME_USER now includes ISABELLE_IDENTIFIER
(and thus refers to something like $HOME/.isabelle/Isabelle2011),
while the default heap location within that directory lacks that extra
suffix.  This isolates multiple Isabelle installations from each
other, avoiding problems with old settings in new versions.
INCOMPATIBILITY, need to copy/upgrade old user settings manually.

* Source files are always encoded as UTF-8, instead of old-fashioned
ISO-Latin-1.  INCOMPATIBILITY.  Isabelle LaTeX documents might require
the following package declarations:

  \usepackage[utf8]{inputenc}
  \usepackage{textcomp}

* Explicit treatment of UTF-8 sequences as Isabelle symbols, such that
a Unicode character is treated as a single symbol, not a sequence of
non-ASCII bytes as before.  Since Isabelle/ML string literals may
contain symbols without further backslash escapes, Unicode can now be
used here as well.  Recall that Symbol.explode in ML provides a
consistent view on symbols, while raw explode (or String.explode)
merely give a byte-oriented representation.

* Theory loader: source files are primarily located via the master
directory of each theory node (where the .thy file itself resides).
The global load path is still partially available as legacy feature.
Minor INCOMPATIBILITY due to subtle change in file lookup: use
explicit paths, relatively to the theory.

* Special treatment of ML file names has been discontinued.
Historically, optional extensions .ML or .sml were added on demand --
at the cost of clarity of file dependencies.  Recall that Isabelle/ML
files exclusively use the .ML extension.  Minor INCOMPATIBILTY.

* Various options that affect pretty printing etc. are now properly
handled within the context via configuration options, instead of
unsynchronized references or print modes.  There are both ML Config.T
entities and Isar declaration attributes to access these.

  ML (Config.T)                 Isar (attribute)

  eta_contract                  eta_contract
  show_brackets                 show_brackets
  show_sorts                    show_sorts
  show_types                    show_types
  show_question_marks           show_question_marks
  show_consts                   show_consts
  show_abbrevs                  show_abbrevs

  Syntax.ast_trace              syntax_ast_trace
  Syntax.ast_stat               syntax_ast_stat
  Syntax.ambiguity_level        syntax_ambiguity_level

  Goal_Display.goals_limit      goals_limit
  Goal_Display.show_main_goal   show_main_goal

  Method.rule_trace             rule_trace

  Thy_Output.display            thy_output_display
  Thy_Output.quotes             thy_output_quotes
  Thy_Output.indent             thy_output_indent
  Thy_Output.source             thy_output_source
  Thy_Output.break              thy_output_break

Note that corresponding "..._default" references in ML may only be
changed globally at the ROOT session setup, but *not* within a theory.
The option "show_abbrevs" supersedes the former print mode
"no_abbrevs" with inverted meaning.

* More systematic naming of some configuration options.
INCOMPATIBILITY.

  trace_simp  ~>  simp_trace
  debug_simp  ~>  simp_debug

* Support for real valued configuration options, using simplistic
floating-point notation that coincides with the inner syntax for
float_token.

* Support for real valued preferences (with approximative PGIP type):
front-ends need to accept "pgint" values in float notation.
INCOMPATIBILITY.

* The IsabelleText font now includes Cyrillic, Hebrew, Arabic from
DejaVu Sans.

* Discontinued support for Poly/ML 5.0 and 5.1 versions.


*** Pure ***

* Command 'type_synonym' (with single argument) replaces somewhat
outdated 'types', which is still available as legacy feature for some
time.

* Command 'nonterminal' (with 'and' separated list of arguments)
replaces somewhat outdated 'nonterminals'.  INCOMPATIBILITY.

* Command 'notepad' replaces former 'example_proof' for
experimentation in Isar without any result.  INCOMPATIBILITY.

* Locale interpretation commands 'interpret' and 'sublocale' accept
lists of equations to map definitions in a locale to appropriate
entities in the context of the interpretation.  The 'interpretation'
command already provided this functionality.

* Diagnostic command 'print_dependencies' prints the locale instances
that would be activated if the specified expression was interpreted in
the current context.  Variant "print_dependencies!" assumes a context
without interpretations.

* Diagnostic command 'print_interps' prints interpretations in proofs
in addition to interpretations in theories.

* Discontinued obsolete 'global' and 'local' commands to manipulate
the theory name space.  Rare INCOMPATIBILITY.  The ML functions
Sign.root_path and Sign.local_path may be applied directly where this
feature is still required for historical reasons.

* Discontinued obsolete 'constdefs' command.  INCOMPATIBILITY, use
'definition' instead.

* The "prems" fact, which refers to the accidental collection of
foundational premises in the context, is now explicitly marked as
legacy feature and will be discontinued soon.  Consider using "assms"
of the head statement or reference facts by explicit names.

* Document antiquotations @{class} and @{type} print classes and type
constructors.

* Document antiquotation @{file} checks file/directory entries within
the local file system.


*** HOL ***

* Coercive subtyping: functions can be declared as coercions and type
inference will add them as necessary upon input of a term.  Theory
Complex_Main declares real :: nat => real and real :: int => real as
coercions. A coercion function f is declared like this:

  declare [[coercion f]]

To lift coercions through type constructors (e.g. from nat => real to
nat list => real list), map functions can be declared, e.g.

  declare [[coercion_map map]]

Currently coercion inference is activated only in theories including
real numbers, i.e. descendants of Complex_Main.  This is controlled by
the configuration option "coercion_enabled", e.g. it can be enabled in
other theories like this:

  declare [[coercion_enabled]]

* Command 'partial_function' provides basic support for recursive
function definitions over complete partial orders.  Concrete instances
are provided for i) the option type, ii) tail recursion on arbitrary
types, and iii) the heap monad of Imperative_HOL.  See
src/HOL/ex/Fundefs.thy and src/HOL/Imperative_HOL/ex/Linked_Lists.thy
for examples.

* Function package: f.psimps rules are no longer implicitly declared
as [simp].  INCOMPATIBILITY.

* Datatype package: theorems generated for executable equality (class
"eq") carry proper names and are treated as default code equations.

* Inductive package: now offers command 'inductive_simps' to
automatically derive instantiated and simplified equations for
inductive predicates, similar to 'inductive_cases'.

* Command 'enriched_type' allows to register properties of the
functorial structure of types.

* Improved infrastructure for term evaluation using code generator
techniques, in particular static evaluation conversions.

* Code generator: Scala (2.8 or higher) has been added to the target
languages.

* Code generator: globbing constant expressions "*" and "Theory.*"
have been replaced by the more idiomatic "_" and "Theory._".
INCOMPATIBILITY.

* Code generator: export_code without explicit file declaration prints
to standard output.  INCOMPATIBILITY.

* Code generator: do not print function definitions for case
combinators any longer.

* Code generator: simplification with rules determined with
src/Tools/Code/code_simp.ML and method "code_simp".

* Code generator for records: more idiomatic representation of record
types.  Warning: records are not covered by ancient SML code
generation any longer.  INCOMPATIBILITY.  In cases of need, a suitable
rep_datatype declaration helps to succeed then:

  record 'a foo = ...
  ...
  rep_datatype foo_ext ...

* Records: logical foundation type for records does not carry a
'_type' suffix any longer (obsolete due to authentic syntax).
INCOMPATIBILITY.

* Quickcheck now by default uses exhaustive testing instead of random
testing.  Random testing can be invoked by "quickcheck [random]",
exhaustive testing by "quickcheck [exhaustive]".

* Quickcheck instantiates polymorphic types with small finite
datatypes by default. This enables a simple execution mechanism to
handle quantifiers and function equality over the finite datatypes.

* Quickcheck random generator has been renamed from "code" to
"random".  INCOMPATIBILITY.

* Quickcheck now has a configurable time limit which is set to 30
seconds by default. This can be changed by adding [timeout = n] to the
quickcheck command. The time limit for Auto Quickcheck is still set
independently.

* Quickcheck in locales considers interpretations of that locale for
counter example search.

* Sledgehammer:
  - Added "smt" and "remote_smt" provers based on the "smt" proof
    method. See the Sledgehammer manual for details ("isabelle doc
    sledgehammer").
  - Renamed commands:
    sledgehammer atp_info ~> sledgehammer running_provers
    sledgehammer atp_kill ~> sledgehammer kill_provers
    sledgehammer available_atps ~> sledgehammer available_provers
    INCOMPATIBILITY.
  - Renamed options:
    sledgehammer [atps = ...] ~> sledgehammer [provers = ...]
    sledgehammer [atp = ...] ~> sledgehammer [prover = ...]
    sledgehammer [timeout = 77 s] ~> sledgehammer [timeout = 77]
    (and "ms" and "min" are no longer supported)
    INCOMPATIBILITY.

* Nitpick:
  - Renamed options:
    nitpick [timeout = 77 s] ~> nitpick [timeout = 77]
    nitpick [tac_timeout = 777 ms] ~> nitpick [tac_timeout = 0.777]
    INCOMPATIBILITY.
  - Added support for partial quotient types.
  - Added local versions of the "Nitpick.register_xxx" functions.
  - Added "whack" option.
  - Allow registration of quotient types as codatatypes.
  - Improved "merge_type_vars" option to merge more types.
  - Removed unsound "fast_descrs" option.
  - Added custom symmetry breaking for datatypes, making it possible to reach
    higher cardinalities.
  - Prevent the expansion of too large definitions.

* Proof methods "metis" and "meson" now have configuration options
"meson_trace", "metis_trace", and "metis_verbose" that can be enabled
to diagnose these tools. E.g.

    using [[metis_trace = true]]

* Auto Solve: Renamed "Auto Solve Direct".  The tool is now available
manually as command 'solve_direct'.

* The default SMT solver Z3 must be enabled explicitly (due to
licensing issues) by setting the environment variable
Z3_NON_COMMERCIAL in etc/settings of the component, for example.  For
commercial applications, the SMT solver CVC3 is provided as fall-back;
changing the SMT solver is done via the configuration option
"smt_solver".

* Remote SMT solvers need to be referred to by the "remote_" prefix,
i.e. "remote_cvc3" and "remote_z3".

* Added basic SMT support for datatypes, records, and typedefs using
the oracle mode (no proofs).  Direct support of pairs has been dropped
in exchange (pass theorems fst_conv snd_conv pair_collapse to the SMT
support for a similar behavior).  Minor INCOMPATIBILITY.

* Changed SMT configuration options:
  - Renamed:
    z3_proofs ~> smt_oracle (with inverted meaning)
    z3_trace_assms ~> smt_trace_used_facts
    INCOMPATIBILITY.
  - Added:
    smt_verbose
    smt_random_seed
    smt_datatypes
    smt_infer_triggers
    smt_monomorph_limit
    cvc3_options
    remote_cvc3_options
    remote_z3_options
    yices_options

* Boogie output files (.b2i files) need to be declared in the theory
header.

* Simplification procedure "list_to_set_comprehension" rewrites list
comprehensions applied to List.set to set comprehensions.  Occasional
INCOMPATIBILITY, may be deactivated like this:

  declare [[simproc del: list_to_set_comprehension]]

* Removed old version of primrec package.  INCOMPATIBILITY.

* Removed simplifier congruence rule of "prod_case", as has for long
been the case with "split".  INCOMPATIBILITY.

* String.literal is a type, but not a datatype.  INCOMPATIBILITY.

* Removed [split_format ... and ... and ...] version of
[split_format].  Potential INCOMPATIBILITY.

* Predicate "sorted" now defined inductively, with nice induction
rules.  INCOMPATIBILITY: former sorted.simps now named sorted_simps.

* Constant "contents" renamed to "the_elem", to free the generic name
contents for other uses.  INCOMPATIBILITY.

* Renamed class eq and constant eq (for code generation) to class
equal and constant equal, plus renaming of related facts and various
tuning.  INCOMPATIBILITY.

* Dropped type classes mult_mono and mult_mono1.  INCOMPATIBILITY.

* Removed output syntax "'a ~=> 'b" for "'a => 'b option".
INCOMPATIBILITY.

* Renamed theory Fset to Cset, type Fset.fset to Cset.set, in order to
avoid confusion with finite sets.  INCOMPATIBILITY.

* Abandoned locales equiv, congruent and congruent2 for equivalence
relations.  INCOMPATIBILITY: use equivI rather than equiv_intro (same
for congruent(2)).

* Some previously unqualified names have been qualified:

  types
    bool ~> HOL.bool
    nat ~> Nat.nat

  constants
    Trueprop ~> HOL.Trueprop
    True ~> HOL.True
    False ~> HOL.False
    op & ~> HOL.conj
    op | ~> HOL.disj
    op --> ~> HOL.implies
    op = ~> HOL.eq
    Not ~> HOL.Not
    The ~> HOL.The
    All ~> HOL.All
    Ex ~> HOL.Ex
    Ex1 ~> HOL.Ex1
    Let ~> HOL.Let
    If ~> HOL.If
    Ball ~> Set.Ball
    Bex ~> Set.Bex
    Suc ~> Nat.Suc
    Pair ~> Product_Type.Pair
    fst ~> Product_Type.fst
    snd ~> Product_Type.snd
    curry ~> Product_Type.curry
    op : ~> Set.member
    Collect ~> Set.Collect

INCOMPATIBILITY.

* More canonical naming convention for some fundamental definitions:

    bot_bool_eq ~> bot_bool_def
    top_bool_eq ~> top_bool_def
    inf_bool_eq ~> inf_bool_def
    sup_bool_eq ~> sup_bool_def
    bot_fun_eq  ~> bot_fun_def
    top_fun_eq  ~> top_fun_def
    inf_fun_eq  ~> inf_fun_def
    sup_fun_eq  ~> sup_fun_def

INCOMPATIBILITY.

* More stylized fact names:

  expand_fun_eq ~> fun_eq_iff
  expand_set_eq ~> set_eq_iff
  set_ext       ~> set_eqI
  nat_number    ~> eval_nat_numeral

INCOMPATIBILITY.

* Refactoring of code-generation specific operations in theory List:

  constants
    null ~> List.null

  facts
    mem_iff ~> member_def
    null_empty ~> null_def

INCOMPATIBILITY.  Note that these were not supposed to be used
regularly unless for striking reasons; their main purpose was code
generation.

Various operations from the Haskell prelude are used for generating
Haskell code.

* Term "bij f" is now an abbreviation of "bij_betw f UNIV UNIV".  Term
"surj f" is now an abbreviation of "range f = UNIV".  The theorems
bij_def and surj_def are unchanged.  INCOMPATIBILITY.

* Abolished some non-alphabetic type names: "prod" and "sum" replace
"*" and "+" respectively.  INCOMPATIBILITY.

* Name "Plus" of disjoint sum operator "<+>" is now hidden.  Write
"Sum_Type.Plus" instead.

* Constant "split" has been merged with constant "prod_case"; names of
ML functions, facts etc. involving split have been retained so far,
though.  INCOMPATIBILITY.

* Dropped old infix syntax "_ mem _" for List.member; use "_ : set _"
instead.  INCOMPATIBILITY.

* Removed lemma "Option.is_none_none" which duplicates "is_none_def".
INCOMPATIBILITY.

* Former theory Library/Enum is now part of the HOL-Main image.
INCOMPATIBILITY: all constants of the Enum theory now have to be
referred to by its qualified name.

  enum    ~>  Enum.enum
  nlists  ~>  Enum.nlists
  product ~>  Enum.product

* Theory Library/Monad_Syntax provides do-syntax for monad types.
Syntax in Library/State_Monad has been changed to avoid ambiguities.
INCOMPATIBILITY.

* Theory Library/SetsAndFunctions has been split into
Library/Function_Algebras and Library/Set_Algebras; canonical names
for instance definitions for functions; various improvements.
INCOMPATIBILITY.

* Theory Library/Multiset provides stable quicksort implementation of
sort_key.

* Theory Library/Multiset: renamed empty_idemp ~> empty_neutral.
INCOMPATIBILITY.

* Session Multivariate_Analysis: introduced a type class for euclidean
space.  Most theorems are now stated in terms of euclidean spaces
instead of finite cartesian products.

  types
    real ^ 'n ~>  'a::real_vector
              ~>  'a::euclidean_space
              ~>  'a::ordered_euclidean_space
        (depends on your needs)

  constants
     _ $ _        ~> _ $$ _
     \<chi> x. _  ~> \<chi>\<chi> x. _
     CARD('n)     ~> DIM('a)

Also note that the indices are now natural numbers and not from some
finite type. Finite cartesian products of euclidean spaces, products
of euclidean spaces the real and complex numbers are instantiated to
be euclidean_spaces.  INCOMPATIBILITY.

* Session Probability: introduced pextreal as positive extended real
numbers.  Use pextreal as value for measures.  Introduce the
Radon-Nikodym derivative, product spaces and Fubini's theorem for
arbitrary sigma finite measures.  Introduces Lebesgue measure based on
the integral in Multivariate Analysis.  INCOMPATIBILITY.

* Session Imperative_HOL: revamped, corrected dozens of inadequacies.
INCOMPATIBILITY.

* Session SPARK (with image HOL-SPARK) provides commands to load and
prove verification conditions generated by the SPARK Ada program
verifier.  See also src/HOL/SPARK and src/HOL/SPARK/Examples.


*** HOL-Algebra ***

* Theorems for additive ring operations (locale abelian_monoid and
descendants) are generated by interpretation from their multiplicative
counterparts.  Names (in particular theorem names) have the mandatory
qualifier 'add'.  Previous theorem names are redeclared for
compatibility.

* Structure "int_ring" is now an abbreviation (previously a
definition).  This fits more natural with advanced interpretations.


*** HOLCF ***

* The domain package now runs in definitional mode by default: The
former command 'new_domain' is now called 'domain'.  To use the domain
package in its original axiomatic mode, use 'domain (unsafe)'.
INCOMPATIBILITY.

* The new class "domain" is now the default sort.  Class "predomain"
is an unpointed version of "domain". Theories can be updated by
replacing sort annotations as shown below.  INCOMPATIBILITY.

  'a::type ~> 'a::countable
  'a::cpo  ~> 'a::predomain
  'a::pcpo ~> 'a::domain

* The old type class "rep" has been superseded by class "domain".
Accordingly, users of the definitional package must remove any
"default_sort rep" declarations.  INCOMPATIBILITY.

* The domain package (definitional mode) now supports unpointed
predomain argument types, as long as they are marked 'lazy'. (Strict
arguments must be in class "domain".) For example, the following
domain definition now works:

  domain natlist = nil | cons (lazy "nat discr") (lazy "natlist")

* Theory HOLCF/Library/HOL_Cpo provides cpo and predomain class
instances for types from main HOL: bool, nat, int, char, 'a + 'b,
'a option, and 'a list.  Additionally, it configures fixrec and the
domain package to work with these types.  For example:

  fixrec isInl :: "('a + 'b) u -> tr"
    where "isInl$(up$(Inl x)) = TT" | "isInl$(up$(Inr y)) = FF"

  domain V = VFun (lazy "V -> V") | VCon (lazy "nat") (lazy "V list")

* The "(permissive)" option of fixrec has been replaced with a
per-equation "(unchecked)" option. See
src/HOL/HOLCF/Tutorial/Fixrec_ex.thy for examples. INCOMPATIBILITY.

* The "bifinite" class no longer fixes a constant "approx"; the class
now just asserts that such a function exists.  INCOMPATIBILITY.

* Former type "alg_defl" has been renamed to "defl".  HOLCF no longer
defines an embedding of type 'a defl into udom by default; instances
of "bifinite" and "domain" classes are available in
src/HOL/HOLCF/Library/Defl_Bifinite.thy.

* The syntax "REP('a)" has been replaced with "DEFL('a)".

* The predicate "directed" has been removed.  INCOMPATIBILITY.

* The type class "finite_po" has been removed.  INCOMPATIBILITY.

* The function "cprod_map" has been renamed to "prod_map".
INCOMPATIBILITY.

* The monadic bind operator on each powerdomain has new binder syntax
similar to sets, e.g. "\<Union>\<sharp>x\<in>xs. t" represents
"upper_bind\<cdot>xs\<cdot>(\<Lambda> x. t)".

* The infix syntax for binary union on each powerdomain has changed
from e.g. "+\<sharp>" to "\<union>\<sharp>", for consistency with set
syntax.  INCOMPATIBILITY.

* The constant "UU" has been renamed to "bottom".  The syntax "UU" is
still supported as an input translation.

* Renamed some theorems (the original names are also still available).

  expand_fun_below   ~> fun_below_iff
  below_fun_ext      ~> fun_belowI
  expand_cfun_eq     ~> cfun_eq_iff
  ext_cfun           ~> cfun_eqI
  expand_cfun_below  ~> cfun_below_iff
  below_cfun_ext     ~> cfun_belowI
  cont2cont_Rep_CFun ~> cont2cont_APP

* The Abs and Rep functions for various types have changed names.
Related theorem names have also changed to match. INCOMPATIBILITY.

  Rep_CFun  ~> Rep_cfun
  Abs_CFun  ~> Abs_cfun
  Rep_Sprod ~> Rep_sprod
  Abs_Sprod ~> Abs_sprod
  Rep_Ssum  ~> Rep_ssum
  Abs_Ssum  ~> Abs_ssum

* Lemmas with names of the form *_defined_iff or *_strict_iff have
been renamed to *_bottom_iff.  INCOMPATIBILITY.

* Various changes to bisimulation/coinduction with domain package:

  - Definitions of "bisim" constants no longer mention definedness.
  - With mutual recursion, "bisim" predicate is now curried.
  - With mutual recursion, each type gets a separate coind theorem.
  - Variable names in bisim_def and coinduct rules have changed.

INCOMPATIBILITY.

* Case combinators generated by the domain package for type "foo" are
now named "foo_case" instead of "foo_when".  INCOMPATIBILITY.

* Several theorems have been renamed to more accurately reflect the
names of constants and types involved.  INCOMPATIBILITY.

  thelub_const    ~> lub_const
  lub_const       ~> is_lub_const
  thelubI         ~> lub_eqI
  is_lub_lub      ~> is_lubD2
  lubI            ~> is_lub_lub
  unique_lub      ~> is_lub_unique
  is_ub_lub       ~> is_lub_rangeD1
  lub_bin_chain   ~> is_lub_bin_chain
  lub_fun         ~> is_lub_fun
  thelub_fun      ~> lub_fun
  thelub_cfun     ~> lub_cfun
  thelub_Pair     ~> lub_Pair
  lub_cprod       ~> is_lub_prod
  thelub_cprod    ~> lub_prod
  minimal_cprod   ~> minimal_prod
  inst_cprod_pcpo ~> inst_prod_pcpo
  UU_I            ~> bottomI
  compact_UU      ~> compact_bottom
  deflation_UU    ~> deflation_bottom
  finite_deflation_UU ~> finite_deflation_bottom

* Many legacy theorem names have been discontinued.  INCOMPATIBILITY.

  sq_ord_less_eq_trans ~> below_eq_trans
  sq_ord_eq_less_trans ~> eq_below_trans
  refl_less            ~> below_refl
  trans_less           ~> below_trans
  antisym_less         ~> below_antisym
  antisym_less_inverse ~> po_eq_conv [THEN iffD1]
  box_less             ~> box_below
  rev_trans_less       ~> rev_below_trans
  not_less2not_eq      ~> not_below2not_eq
  less_UU_iff          ~> below_UU_iff
  flat_less_iff        ~> flat_below_iff
  adm_less             ~> adm_below
  adm_not_less         ~> adm_not_below
  adm_compact_not_less ~> adm_compact_not_below
  less_fun_def         ~> below_fun_def
  expand_fun_less      ~> fun_below_iff
  less_fun_ext         ~> fun_belowI
  less_discr_def       ~> below_discr_def
  discr_less_eq        ~> discr_below_eq
  less_unit_def        ~> below_unit_def
  less_cprod_def       ~> below_prod_def
  prod_lessI           ~> prod_belowI
  Pair_less_iff        ~> Pair_below_iff
  fst_less_iff         ~> fst_below_iff
  snd_less_iff         ~> snd_below_iff
  expand_cfun_less     ~> cfun_below_iff
  less_cfun_ext        ~> cfun_belowI
  injection_less       ~> injection_below
  less_up_def          ~> below_up_def
  not_Iup_less         ~> not_Iup_below
  Iup_less             ~> Iup_below
  up_less              ~> up_below
  Def_inject_less_eq   ~> Def_below_Def
  Def_less_is_eq       ~> Def_below_iff
  spair_less_iff       ~> spair_below_iff
  less_sprod           ~> below_sprod
  spair_less           ~> spair_below
  sfst_less_iff        ~> sfst_below_iff
  ssnd_less_iff        ~> ssnd_below_iff
  fix_least_less       ~> fix_least_below
  dist_less_one        ~> dist_below_one
  less_ONE             ~> below_ONE
  ONE_less_iff         ~> ONE_below_iff
  less_sinlD           ~> below_sinlD
  less_sinrD           ~> below_sinrD


*** FOL and ZF ***

* All constant names are now qualified internally and use proper
identifiers, e.g. "IFOL.eq" instead of "op =".  INCOMPATIBILITY.


*** ML ***

* Antiquotation @{assert} inlines a function bool -> unit that raises
Fail if the argument is false.  Due to inlining the source position of
failed assertions is included in the error output.

* Discontinued antiquotation @{theory_ref}, which is obsolete since ML
text is in practice always evaluated with a stable theory checkpoint.
Minor INCOMPATIBILITY, use (Theory.check_thy @{theory}) instead.

* Antiquotation @{theory A} refers to theory A from the ancestry of
the current context, not any accidental theory loader state as before.
Potential INCOMPATIBILITY, subtle change in semantics.

* Syntax.pretty_priority (default 0) configures the required priority
of pretty-printed output and thus affects insertion of parentheses.

* Syntax.default_root (default "any") configures the inner syntax
category (nonterminal symbol) for parsing of terms.

* Former exception Library.UnequalLengths now coincides with
ListPair.UnequalLengths.

* Renamed structure MetaSimplifier to Raw_Simplifier.  Note that the
main functionality is provided by structure Simplifier.

* Renamed raw "explode" function to "raw_explode" to emphasize its
meaning.  Note that internally to Isabelle, Symbol.explode is used in
almost all situations.

* Discontinued obsolete function sys_error and exception SYS_ERROR.
See implementation manual for further details on exceptions in
Isabelle/ML.

* Renamed setmp_noncritical to Unsynchronized.setmp to emphasize its
meaning.

* Renamed structure PureThy to Pure_Thy and moved most of its
operations to structure Global_Theory, to emphasize that this is
rarely-used global-only stuff.

* Discontinued Output.debug.  Minor INCOMPATIBILITY, use plain writeln
instead (or tracing for high-volume output).

* Configuration option show_question_marks only affects regular pretty
printing of types and terms, not raw Term.string_of_vname.

* ML_Context.thm and ML_Context.thms are no longer pervasive.  Rare
INCOMPATIBILITY, superseded by static antiquotations @{thm} and
@{thms} for most purposes.

* ML structure Unsynchronized is never opened, not even in Isar
interaction mode as before.  Old Unsynchronized.set etc. have been
discontinued -- use plain := instead.  This should be *rare* anyway,
since modern tools always work via official context data, notably
configuration options.

* Parallel and asynchronous execution requires special care concerning
interrupts.  Structure Exn provides some convenience functions that
avoid working directly with raw Interrupt.  User code must not absorb
interrupts -- intermediate handling (for cleanup etc.) needs to be
followed by re-raising of the original exception.  Another common
source of mistakes are "handle _" patterns, which make the meaning of
the program subject to physical effects of the environment.


New in Isabelle2009-2 (June 2010)
---------------------------------

*** General ***

* Authentic syntax for *all* logical entities (type classes, type
constructors, term constants): provides simple and robust
correspondence between formal entities and concrete syntax.  Within
the parse tree / AST representations, "constants" are decorated by
their category (class, type, const) and spelled out explicitly with
their full internal name.

Substantial INCOMPATIBILITY concerning low-level syntax declarations
and translations (translation rules and translation functions in ML).
Some hints on upgrading:

  - Many existing uses of 'syntax' and 'translations' can be replaced
    by more modern 'type_notation', 'notation' and 'abbreviation',
    which are independent of this issue.

  - 'translations' require markup within the AST; the term syntax
    provides the following special forms:

      CONST c   -- produces syntax version of constant c from context
      XCONST c  -- literally c, checked as constant from context
      c         -- literally c, if declared by 'syntax'

    Plain identifiers are treated as AST variables -- occasionally the
    system indicates accidental variables via the error "rhs contains
    extra variables".

    Type classes and type constructors are marked according to their
    concrete syntax.  Some old translations rules need to be written
    for the "type" category, using type constructor application
    instead of pseudo-term application of the default category
    "logic".

  - 'parse_translation' etc. in ML may use the following
    antiquotations:

      @{class_syntax c}   -- type class c within parse tree / AST
      @{term_syntax c}    -- type constructor c within parse tree / AST
      @{const_syntax c}   -- ML version of "CONST c" above
      @{syntax_const c}   -- literally c (checked wrt. 'syntax' declarations)

  - Literal types within 'typed_print_translations', i.e. those *not*
    represented as pseudo-terms are represented verbatim.  Use @{class
    c} or @{type_name c} here instead of the above syntax
    antiquotations.

Note that old non-authentic syntax was based on unqualified base
names, so all of the above "constant" names would coincide.  Recall
that 'print_syntax' and ML_command "set Syntax.trace_ast" help to
diagnose syntax problems.

* Type constructors admit general mixfix syntax, not just infix.

* Concrete syntax may be attached to local entities without a proof
body, too.  This works via regular mixfix annotations for 'fix',
'def', 'obtain' etc. or via the explicit 'write' command, which is
similar to the 'notation' command in theory specifications.

* Discontinued unnamed infix syntax (legacy feature for many years) --
need to specify constant name and syntax separately.  Internal ML
datatype constructors have been renamed from InfixName to Infix etc.
Minor INCOMPATIBILITY.

* Schematic theorem statements need to be explicitly markup as such,
via commands 'schematic_lemma', 'schematic_theorem',
'schematic_corollary'.  Thus the relevance of the proof is made
syntactically clear, which impacts performance in a parallel or
asynchronous interactive environment.  Minor INCOMPATIBILITY.

* Use of cumulative prems via "!" in some proof methods has been
discontinued (old legacy feature).

* References 'trace_simp' and 'debug_simp' have been replaced by
configuration options stored in the context. Enabling tracing (the
case of debugging is similar) in proofs works via

  using [[trace_simp = true]]

Tracing is then active for all invocations of the simplifier in
subsequent goal refinement steps. Tracing may also still be enabled or
disabled via the ProofGeneral settings menu.

* Separate commands 'hide_class', 'hide_type', 'hide_const',
'hide_fact' replace the former 'hide' KIND command.  Minor
INCOMPATIBILITY.

* Improved parallelism of proof term normalization: usedir -p2 -q0 is
more efficient than combinations with -q1 or -q2.


*** Pure ***

* Proofterms record type-class reasoning explicitly, using the
"unconstrain" operation internally.  This eliminates all sort
constraints from a theorem and proof, introducing explicit
OFCLASS-premises.  On the proof term level, this operation is
automatically applied at theorem boundaries, such that closed proofs
are always free of sort constraints.  INCOMPATIBILITY for tools that
inspect proof terms.

* Local theory specifications may depend on extra type variables that
are not present in the result type -- arguments TYPE('a) :: 'a itself
are added internally.  For example:

  definition unitary :: bool where "unitary = (ALL (x::'a) y. x = y)"

* Predicates of locales introduced by classes carry a mandatory
"class" prefix.  INCOMPATIBILITY.

* Vacuous class specifications observe default sort.  INCOMPATIBILITY.

* Old 'axclass' command has been discontinued.  INCOMPATIBILITY, use
'class' instead.

* Command 'code_reflect' allows to incorporate generated ML code into
runtime environment; replaces immature code_datatype antiquotation.
INCOMPATIBILITY.

* Code generator: simple concept for abstract datatypes obeying
invariants.

* Code generator: details of internal data cache have no impact on the
user space functionality any longer.

* Methods "unfold_locales" and "intro_locales" ignore non-locale
subgoals.  This is more appropriate for interpretations with 'where'.
INCOMPATIBILITY.

* Command 'example_proof' opens an empty proof body.  This allows to
experiment with Isar, without producing any persistent result.

* Commands 'type_notation' and 'no_type_notation' declare type syntax
within a local theory context, with explicit checking of the
constructors involved (in contrast to the raw 'syntax' versions).

* Commands 'types' and 'typedecl' now work within a local theory
context -- without introducing dependencies on parameters or
assumptions, which is not possible in Isabelle/Pure.

* Command 'defaultsort' has been renamed to 'default_sort', it works
within a local theory context.  Minor INCOMPATIBILITY.


*** HOL ***

* Command 'typedef' now works within a local theory context -- without
introducing dependencies on parameters or assumptions, which is not
possible in Isabelle/Pure/HOL.  Note that the logical environment may
contain multiple interpretations of local typedefs (with different
non-emptiness proofs), even in a global theory context.

* New package for quotient types.  Commands 'quotient_type' and
'quotient_definition' may be used for defining types and constants by
quotient constructions.  An example is the type of integers created by
quotienting pairs of natural numbers:

  fun
    intrel :: "(nat * nat) => (nat * nat) => bool"
  where
    "intrel (x, y) (u, v) = (x + v = u + y)"

  quotient_type int = "nat * nat" / intrel
    by (auto simp add: equivp_def expand_fun_eq)

  quotient_definition
    "0::int" is "(0::nat, 0::nat)"

The method "lifting" can be used to lift of theorems from the
underlying "raw" type to the quotient type.  The example
src/HOL/Quotient_Examples/FSet.thy includes such a quotient
construction and provides a reasoning infrastructure for finite sets.

* Renamed Library/Quotient.thy to Library/Quotient_Type.thy to avoid
clash with new theory Quotient in Main HOL.

* Moved the SMT binding into the main HOL session, eliminating
separate HOL-SMT session.

* List membership infix mem operation is only an input abbreviation.
INCOMPATIBILITY.

* Theory Library/Word.thy has been removed.  Use library Word/Word.thy
for future developements; former Library/Word.thy is still present in
the AFP entry RSAPPS.

* Theorem Int.int_induct renamed to Int.int_of_nat_induct and is no
longer shadowed.  INCOMPATIBILITY.

* Dropped theorem duplicate comp_arith; use semiring_norm instead.
INCOMPATIBILITY.

* Dropped theorem RealPow.real_sq_order; use power2_le_imp_le instead.
INCOMPATIBILITY.

* Dropped normalizing_semiring etc; use the facts in semiring classes
instead.  INCOMPATIBILITY.

* Dropped several real-specific versions of lemmas about floor and
ceiling; use the generic lemmas from theory "Archimedean_Field"
instead.  INCOMPATIBILITY.

  floor_number_of_eq         ~> floor_number_of
  le_floor_eq_number_of      ~> number_of_le_floor
  le_floor_eq_zero           ~> zero_le_floor
  le_floor_eq_one            ~> one_le_floor
  floor_less_eq_number_of    ~> floor_less_number_of
  floor_less_eq_zero         ~> floor_less_zero
  floor_less_eq_one          ~> floor_less_one
  less_floor_eq_number_of    ~> number_of_less_floor
  less_floor_eq_zero         ~> zero_less_floor
  less_floor_eq_one          ~> one_less_floor
  floor_le_eq_number_of      ~> floor_le_number_of
  floor_le_eq_zero           ~> floor_le_zero
  floor_le_eq_one            ~> floor_le_one
  floor_subtract_number_of   ~> floor_diff_number_of
  floor_subtract_one         ~> floor_diff_one
  ceiling_number_of_eq       ~> ceiling_number_of
  ceiling_le_eq_number_of    ~> ceiling_le_number_of
  ceiling_le_zero_eq         ~> ceiling_le_zero
  ceiling_le_eq_one          ~> ceiling_le_one
  less_ceiling_eq_number_of  ~> number_of_less_ceiling
  less_ceiling_eq_zero       ~> zero_less_ceiling
  less_ceiling_eq_one        ~> one_less_ceiling
  ceiling_less_eq_number_of  ~> ceiling_less_number_of
  ceiling_less_eq_zero       ~> ceiling_less_zero
  ceiling_less_eq_one        ~> ceiling_less_one
  le_ceiling_eq_number_of    ~> number_of_le_ceiling
  le_ceiling_eq_zero         ~> zero_le_ceiling
  le_ceiling_eq_one          ~> one_le_ceiling
  ceiling_subtract_number_of ~> ceiling_diff_number_of
  ceiling_subtract_one       ~> ceiling_diff_one

* Theory "Finite_Set": various folding_XXX locales facilitate the
application of the various fold combinators on finite sets.

* Library theory "RBT" renamed to "RBT_Impl"; new library theory "RBT"
provides abstract red-black tree type which is backed by "RBT_Impl" as
implementation.  INCOMPATIBILTY.

* Theory Library/Coinductive_List has been removed -- superseded by
AFP/thys/Coinductive.

* Theory PReal, including the type "preal" and related operations, has
been removed.  INCOMPATIBILITY.

* Real: new development using Cauchy Sequences.

* Split off theory "Big_Operators" containing setsum, setprod,
Inf_fin, Sup_fin, Min, Max from theory Finite_Set.  INCOMPATIBILITY.

* Theory "Rational" renamed to "Rat", for consistency with "Nat",
"Int" etc.  INCOMPATIBILITY.

* Constant Rat.normalize needs to be qualified.  INCOMPATIBILITY.

* New set of rules "ac_simps" provides combined assoc / commute
rewrites for all interpretations of the appropriate generic locales.

* Renamed theory "OrderedGroup" to "Groups" and split theory
"Ring_and_Field" into theories "Rings" and "Fields"; for more
appropriate and more consistent names suitable for name prefixes
within the HOL theories.  INCOMPATIBILITY.

* Some generic constants have been put to appropriate theories:
  - less_eq, less: Orderings
  - zero, one, plus, minus, uminus, times, abs, sgn: Groups
  - inverse, divide: Rings
INCOMPATIBILITY.

* More consistent naming of type classes involving orderings (and
lattices):

    lower_semilattice                   ~> semilattice_inf
    upper_semilattice                   ~> semilattice_sup

    dense_linear_order                  ~> dense_linorder

    pordered_ab_group_add               ~> ordered_ab_group_add
    pordered_ab_group_add_abs           ~> ordered_ab_group_add_abs
    pordered_ab_semigroup_add           ~> ordered_ab_semigroup_add
    pordered_ab_semigroup_add_imp_le    ~> ordered_ab_semigroup_add_imp_le
    pordered_cancel_ab_semigroup_add    ~> ordered_cancel_ab_semigroup_add
    pordered_cancel_comm_semiring       ~> ordered_cancel_comm_semiring
    pordered_cancel_semiring            ~> ordered_cancel_semiring
    pordered_comm_monoid_add            ~> ordered_comm_monoid_add
    pordered_comm_ring                  ~> ordered_comm_ring
    pordered_comm_semiring              ~> ordered_comm_semiring
    pordered_ring                       ~> ordered_ring
    pordered_ring_abs                   ~> ordered_ring_abs
    pordered_semiring                   ~> ordered_semiring

    ordered_ab_group_add                ~> linordered_ab_group_add
    ordered_ab_semigroup_add            ~> linordered_ab_semigroup_add
    ordered_cancel_ab_semigroup_add     ~> linordered_cancel_ab_semigroup_add
    ordered_comm_semiring_strict        ~> linordered_comm_semiring_strict
    ordered_field                       ~> linordered_field
    ordered_field_no_lb                 ~> linordered_field_no_lb
    ordered_field_no_ub                 ~> linordered_field_no_ub
    ordered_field_dense_linear_order    ~> dense_linordered_field
    ordered_idom                        ~> linordered_idom
    ordered_ring                        ~> linordered_ring
    ordered_ring_le_cancel_factor       ~> linordered_ring_le_cancel_factor
    ordered_ring_less_cancel_factor     ~> linordered_ring_less_cancel_factor
    ordered_ring_strict                 ~> linordered_ring_strict
    ordered_semidom                     ~> linordered_semidom
    ordered_semiring                    ~> linordered_semiring
    ordered_semiring_1                  ~> linordered_semiring_1
    ordered_semiring_1_strict           ~> linordered_semiring_1_strict
    ordered_semiring_strict             ~> linordered_semiring_strict

  The following slightly odd type classes have been moved to a
  separate theory Library/Lattice_Algebras:

    lordered_ab_group_add               ~> lattice_ab_group_add
    lordered_ab_group_add_abs           ~> lattice_ab_group_add_abs
    lordered_ab_group_add_meet          ~> semilattice_inf_ab_group_add
    lordered_ab_group_add_join          ~> semilattice_sup_ab_group_add
    lordered_ring                       ~> lattice_ring

INCOMPATIBILITY.

* Refined field classes:
  - classes division_ring_inverse_zero, field_inverse_zero,
    linordered_field_inverse_zero include rule inverse 0 = 0 --
    subsumes former division_by_zero class;
  - numerous lemmas have been ported from field to division_ring.
INCOMPATIBILITY.

* Refined algebra theorem collections:
  - dropped theorem group group_simps, use algebra_simps instead;
  - dropped theorem group ring_simps, use field_simps instead;
  - proper theorem collection field_simps subsumes former theorem
    groups field_eq_simps and field_simps;
  - dropped lemma eq_minus_self_iff which is a duplicate for
    equal_neg_zero.
INCOMPATIBILITY.

* Theory Finite_Set and List: some lemmas have been generalized from
sets to lattices:

  fun_left_comm_idem_inter      ~> fun_left_comm_idem_inf
  fun_left_comm_idem_union      ~> fun_left_comm_idem_sup
  inter_Inter_fold_inter        ~> inf_Inf_fold_inf
  union_Union_fold_union        ~> sup_Sup_fold_sup
  Inter_fold_inter              ~> Inf_fold_inf
  Union_fold_union              ~> Sup_fold_sup
  inter_INTER_fold_inter        ~> inf_INFI_fold_inf
  union_UNION_fold_union        ~> sup_SUPR_fold_sup
  INTER_fold_inter              ~> INFI_fold_inf
  UNION_fold_union              ~> SUPR_fold_sup

* Theory "Complete_Lattice": lemmas top_def and bot_def have been
replaced by the more convenient lemmas Inf_empty and Sup_empty.
Dropped lemmas Inf_insert_simp and Sup_insert_simp, which are subsumed
by Inf_insert and Sup_insert.  Lemmas Inf_UNIV and Sup_UNIV replace
former Inf_Univ and Sup_Univ.  Lemmas inf_top_right and sup_bot_right
subsume inf_top and sup_bot respectively.  INCOMPATIBILITY.

* Reorganized theory Multiset: swapped notation of pointwise and
multiset order:

  - pointwise ordering is instance of class order with standard syntax
    <= and <;
  - multiset ordering has syntax <=# and <#; partial order properties
    are provided by means of interpretation with prefix
    multiset_order;
  - less duplication, less historical organization of sections,
    conversion from associations lists to multisets, rudimentary code
    generation;
  - use insert_DiffM2 [symmetric] instead of elem_imp_eq_diff_union,
    if needed.

Renamed:

  multiset_eq_conv_count_eq  ~>  multiset_ext_iff
  multi_count_ext  ~>  multiset_ext
  diff_union_inverse2  ~>  diff_union_cancelR

INCOMPATIBILITY.

* Theory Permutation: replaced local "remove" by List.remove1.

* Code generation: ML and OCaml code is decorated with signatures.

* Theory List: added transpose.

* Library/Nat_Bijection.thy is a collection of bijective functions
between nat and other types, which supersedes the older libraries
Library/Nat_Int_Bij.thy and HOLCF/NatIso.thy.  INCOMPATIBILITY.

  Constants:
  Nat_Int_Bij.nat2_to_nat         ~> prod_encode
  Nat_Int_Bij.nat_to_nat2         ~> prod_decode
  Nat_Int_Bij.int_to_nat_bij      ~> int_encode
  Nat_Int_Bij.nat_to_int_bij      ~> int_decode
  Countable.pair_encode           ~> prod_encode
  NatIso.prod2nat                 ~> prod_encode
  NatIso.nat2prod                 ~> prod_decode
  NatIso.sum2nat                  ~> sum_encode
  NatIso.nat2sum                  ~> sum_decode
  NatIso.list2nat                 ~> list_encode
  NatIso.nat2list                 ~> list_decode
  NatIso.set2nat                  ~> set_encode
  NatIso.nat2set                  ~> set_decode

  Lemmas:
  Nat_Int_Bij.bij_nat_to_int_bij  ~> bij_int_decode
  Nat_Int_Bij.nat2_to_nat_inj     ~> inj_prod_encode
  Nat_Int_Bij.nat2_to_nat_surj    ~> surj_prod_encode
  Nat_Int_Bij.nat_to_nat2_inj     ~> inj_prod_decode
  Nat_Int_Bij.nat_to_nat2_surj    ~> surj_prod_decode
  Nat_Int_Bij.i2n_n2i_id          ~> int_encode_inverse
  Nat_Int_Bij.n2i_i2n_id          ~> int_decode_inverse
  Nat_Int_Bij.surj_nat_to_int_bij ~> surj_int_encode
  Nat_Int_Bij.surj_int_to_nat_bij ~> surj_int_decode
  Nat_Int_Bij.inj_nat_to_int_bij  ~> inj_int_encode
  Nat_Int_Bij.inj_int_to_nat_bij  ~> inj_int_decode
  Nat_Int_Bij.bij_nat_to_int_bij  ~> bij_int_encode
  Nat_Int_Bij.bij_int_to_nat_bij  ~> bij_int_decode

* Sledgehammer:
  - Renamed ATP commands:
    atp_info     ~> sledgehammer running_atps
    atp_kill     ~> sledgehammer kill_atps
    atp_messages ~> sledgehammer messages
    atp_minimize ~> sledgehammer minimize
    print_atps   ~> sledgehammer available_atps
    INCOMPATIBILITY.
  - Added user's manual ("isabelle doc sledgehammer").
  - Added option syntax and "sledgehammer_params" to customize
    Sledgehammer's behavior.  See the manual for details.
  - Modified the Isar proof reconstruction code so that it produces
    direct proofs rather than proofs by contradiction.  (This feature
    is still experimental.)
  - Made Isar proof reconstruction work for SPASS, remote ATPs, and in
    full-typed mode.
  - Added support for TPTP syntax for SPASS via the "spass_tptp" ATP.

* Nitpick:
  - Added and implemented "binary_ints" and "bits" options.
  - Added "std" option and implemented support for nonstandard models.
  - Added and implemented "finitize" option to improve the precision
    of infinite datatypes based on a monotonicity analysis.
  - Added support for quotient types.
  - Added support for "specification" and "ax_specification"
    constructs.
  - Added support for local definitions (for "function" and
    "termination" proofs).
  - Added support for term postprocessors.
  - Optimized "Multiset.multiset" and "FinFun.finfun".
  - Improved efficiency of "destroy_constrs" optimization.
  - Fixed soundness bugs related to "destroy_constrs" optimization and
    record getters.
  - Fixed soundness bug related to higher-order constructors.
  - Fixed soundness bug when "full_descrs" is enabled.
  - Improved precision of set constructs.
  - Added "atoms" option.
  - Added cache to speed up repeated Kodkod invocations on the same
    problems.
  - Renamed "MiniSatJNI", "zChaffJNI", "BerkMinAlloy", and
    "SAT4JLight" to "MiniSat_JNI", "zChaff_JNI", "BerkMin_Alloy", and
    "SAT4J_Light".  INCOMPATIBILITY.
  - Removed "skolemize", "uncurry", "sym_break", "flatten_prop",
    "sharing_depth", and "show_skolems" options.  INCOMPATIBILITY.
  - Removed "nitpick_intro" attribute.  INCOMPATIBILITY.

* Method "induct" now takes instantiations of the form t, where t is not
  a variable, as a shorthand for "x == t", where x is a fresh variable.
  If this is not intended, t has to be enclosed in parentheses.
  By default, the equalities generated by definitional instantiations
  are pre-simplified, which may cause parameters of inductive cases
  to disappear, or may even delete some of the inductive cases.
  Use "induct (no_simp)" instead of "induct" to restore the old
  behaviour. The (no_simp) option is also understood by the "cases"
  and "nominal_induct" methods, which now perform pre-simplification, too.
  INCOMPATIBILITY.


*** HOLCF ***

* Variable names in lemmas generated by the domain package have
changed; the naming scheme is now consistent with the HOL datatype
package.  Some proof scripts may be affected, INCOMPATIBILITY.

* The domain package no longer defines the function "foo_copy" for
recursive domain "foo".  The reach lemma is now stated directly in
terms of "foo_take".  Lemmas and proofs that mention "foo_copy" must
be reformulated in terms of "foo_take", INCOMPATIBILITY.

* Most definedness lemmas generated by the domain package (previously
of the form "x ~= UU ==> foo$x ~= UU") now have an if-and-only-if form
like "foo$x = UU <-> x = UU", which works better as a simp rule.
Proofs that used definedness lemmas as intro rules may break,
potential INCOMPATIBILITY.

* Induction and casedist rules generated by the domain package now
declare proper case_names (one called "bottom", and one named for each
constructor).  INCOMPATIBILITY.

* For mutually-recursive domains, separate "reach" and "take_lemma"
rules are generated for each domain, INCOMPATIBILITY.

  foo_bar.reach       ~> foo.reach  bar.reach
  foo_bar.take_lemmas ~> foo.take_lemma  bar.take_lemma

* Some lemmas generated by the domain package have been renamed for
consistency with the datatype package, INCOMPATIBILITY.

  foo.ind        ~> foo.induct
  foo.finite_ind ~> foo.finite_induct
  foo.coind      ~> foo.coinduct
  foo.casedist   ~> foo.exhaust
  foo.exhaust    ~> foo.nchotomy

* For consistency with other definition packages, the fixrec package
now generates qualified theorem names, INCOMPATIBILITY.

  foo_simps  ~> foo.simps
  foo_unfold ~> foo.unfold
  foo_induct ~> foo.induct

* The "fixrec_simp" attribute has been removed.  The "fixrec_simp"
method and internal fixrec proofs now use the default simpset instead.
INCOMPATIBILITY.

* The "contlub" predicate has been removed.  Proof scripts should use
lemma contI2 in place of monocontlub2cont, INCOMPATIBILITY.

* The "admw" predicate has been removed, INCOMPATIBILITY.

* The constants cpair, cfst, and csnd have been removed in favor of
Pair, fst, and snd from Isabelle/HOL, INCOMPATIBILITY.


*** ML ***

* Antiquotations for basic formal entities:

    @{class NAME}         -- type class
    @{class_syntax NAME}  -- syntax representation of the above

    @{type_name NAME}     -- logical type
    @{type_abbrev NAME}   -- type abbreviation
    @{nonterminal NAME}   -- type of concrete syntactic category
    @{type_syntax NAME}   -- syntax representation of any of the above

    @{const_name NAME}    -- logical constant (INCOMPATIBILITY)
    @{const_abbrev NAME}  -- abbreviated constant
    @{const_syntax NAME}  -- syntax representation of any of the above

* Antiquotation @{syntax_const NAME} ensures that NAME refers to a raw
syntax constant (cf. 'syntax' command).

* Antiquotation @{make_string} inlines a function to print arbitrary
values similar to the ML toplevel.  The result is compiler dependent
and may fall back on "?" in certain situations.

* Diagnostic commands 'ML_val' and 'ML_command' may refer to
antiquotations @{Isar.state} and @{Isar.goal}.  This replaces impure
Isar.state() and Isar.goal(), which belong to the old TTY loop and do
not work with the asynchronous Isar document model.

* Configuration options now admit dynamic default values, depending on
the context or even global references.

* SHA1.digest digests strings according to SHA-1 (see RFC 3174).  It
uses an efficient external library if available (for Poly/ML).

* Renamed some important ML structures, while keeping the old names
for some time as aliases within the structure Legacy:

  OuterKeyword  ~>  Keyword
  OuterLex      ~>  Token
  OuterParse    ~>  Parse
  OuterSyntax   ~>  Outer_Syntax
  PrintMode     ~>  Print_Mode
  SpecParse     ~>  Parse_Spec
  ThyInfo       ~>  Thy_Info
  ThyLoad       ~>  Thy_Load
  ThyOutput     ~>  Thy_Output
  TypeInfer     ~>  Type_Infer

Note that "open Legacy" simplifies porting of sources, but forgetting
to remove it again will complicate porting again in the future.

* Most operations that refer to a global context are named
accordingly, e.g. Simplifier.global_context or
ProofContext.init_global.  There are some situations where a global
context actually works, but under normal circumstances one needs to
pass the proper local context through the code!

* Discontinued old TheoryDataFun with its copy/init operation -- data
needs to be pure.  Functor Theory_Data_PP retains the traditional
Pretty.pp argument to merge, which is absent in the standard
Theory_Data version.

* Sorts.certify_sort and derived "cert" operations for types and terms
no longer minimize sorts.  Thus certification at the boundary of the
inference kernel becomes invariant under addition of class relations,
which is an important monotonicity principle.  Sorts are now minimized
in the syntax layer only, at the boundary between the end-user and the
system.  Subtle INCOMPATIBILITY, may have to use Sign.minimize_sort
explicitly in rare situations.

* Renamed old-style Drule.standard to Drule.export_without_context, to
emphasize that this is in no way a standard operation.
INCOMPATIBILITY.

* Subgoal.FOCUS (and variants): resulting goal state is normalized as
usual for resolution.  Rare INCOMPATIBILITY.

* Renamed varify/unvarify operations to varify_global/unvarify_global
to emphasize that these only work in a global situation (which is
quite rare).

* Curried take and drop in library.ML; negative length is interpreted
as infinity (as in chop).  Subtle INCOMPATIBILITY.

* Proof terms: type substitutions on proof constants now use canonical
order of type variables.  INCOMPATIBILITY for tools working with proof
terms.

* Raw axioms/defs may no longer carry sort constraints, and raw defs
may no longer carry premises.  User-level specifications are
transformed accordingly by Thm.add_axiom/add_def.


*** System ***

* Discontinued special HOL_USEDIR_OPTIONS for the main HOL image;
ISABELLE_USEDIR_OPTIONS applies uniformly to all sessions.  Note that
proof terms are enabled unconditionally in the new HOL-Proofs image.

* Discontinued old ISABELLE and ISATOOL environment settings (legacy
feature since Isabelle2009).  Use ISABELLE_PROCESS and ISABELLE_TOOL,
respectively.

* Old lib/scripts/polyml-platform is superseded by the
ISABELLE_PLATFORM setting variable, which defaults to the 32 bit
variant, even on a 64 bit machine.  The following example setting
prefers 64 bit if available:

  ML_PLATFORM="${ISABELLE_PLATFORM64:-$ISABELLE_PLATFORM}"

* The preliminary Isabelle/jEdit application demonstrates the emerging
Isabelle/Scala layer for advanced prover interaction and integration.
See src/Tools/jEdit or "isabelle jedit" provided by the properly built
component.

* "IsabelleText" is a Unicode font derived from Bitstream Vera Mono
and Bluesky TeX fonts.  It provides the usual Isabelle symbols,
similar to the default assignment of the document preparation system
(cf. isabellesym.sty).  The Isabelle/Scala class Isabelle_System
provides some operations for direct access to the font without asking
the user for manual installation.


New in Isabelle2009-1 (December 2009)
-------------------------------------

*** General ***

* Discontinued old form of "escaped symbols" such as \\<forall>.  Only
one backslash should be used, even in ML sources.


*** Pure ***

* Locale interpretation propagates mixins along the locale hierarchy.
The currently only available mixins are the equations used to map
local definitions to terms of the target domain of an interpretation.

* Reactivated diagnostic command 'print_interps'.  Use "print_interps
loc" to print all interpretations of locale "loc" in the theory.
Interpretations in proofs are not shown.

* Thoroughly revised locales tutorial.  New section on conditional
interpretation.

* On instantiation of classes, remaining undefined class parameters
are formally declared.  INCOMPATIBILITY.


*** Document preparation ***

* New generalized style concept for printing terms: @{foo (style) ...}
instead of @{foo_style style ...}  (old form is still retained for
backward compatibility).  Styles can be also applied for
antiquotations prop, term_type and typeof.


*** HOL ***

* New proof method "smt" for a combination of first-order logic with
equality, linear and nonlinear (natural/integer/real) arithmetic, and
fixed-size bitvectors; there is also basic support for higher-order
features (esp. lambda abstractions).  It is an incomplete decision
procedure based on external SMT solvers using the oracle mechanism;
for the SMT solver Z3, this method is proof-producing.  Certificates
are provided to avoid calling the external solvers solely for
re-checking proofs.  Due to a remote SMT service there is no need for
installing SMT solvers locally.  See src/HOL/SMT.

* New commands to load and prove verification conditions generated by
the Boogie program verifier or derived systems (e.g. the Verifying C
Compiler (VCC) or Spec#).  See src/HOL/Boogie.

* New counterexample generator tool 'nitpick' based on the Kodkod
relational model finder.  See src/HOL/Tools/Nitpick and
src/HOL/Nitpick_Examples.

* New commands 'code_pred' and 'values' to invoke the predicate
compiler and to enumerate values of inductive predicates.

* A tabled implementation of the reflexive transitive closure.

* New implementation of quickcheck uses generic code generator;
default generators are provided for all suitable HOL types, records
and datatypes.  Old quickcheck can be re-activated importing theory
Library/SML_Quickcheck.

* New testing tool Mirabelle for automated proof tools.  Applies
several tools and tactics like sledgehammer, metis, or quickcheck, to
every proof step in a theory.  To be used in batch mode via the
"mirabelle" utility.

* New proof method "sos" (sum of squares) for nonlinear real
arithmetic (originally due to John Harison). It requires theory
Library/Sum_Of_Squares.  It is not a complete decision procedure but
works well in practice on quantifier-free real arithmetic with +, -,
*, ^, =, <= and <, i.e. boolean combinations of equalities and
inequalities between polynomials.  It makes use of external
semidefinite programming solvers.  Method "sos" generates a
certificate that can be pasted into the proof thus avoiding the need
to call an external tool every time the proof is checked.  See
src/HOL/Library/Sum_Of_Squares.

* New method "linarith" invokes existing linear arithmetic decision
procedure only.

* New command 'atp_minimal' reduces result produced by Sledgehammer.

* New Sledgehammer option "Full Types" in Proof General settings menu.
Causes full type information to be output to the ATPs.  This slows
ATPs down considerably but eliminates a source of unsound "proofs"
that fail later.

* New method "metisFT": A version of metis that uses full type
information in order to avoid failures of proof reconstruction.

* New evaluator "approximate" approximates an real valued term using
the same method as the approximation method.

* Method "approximate" now supports arithmetic expressions as
boundaries of intervals and implements interval splitting and Taylor
series expansion.

* ML antiquotation @{code_datatype} inserts definition of a datatype
generated by the code generator; e.g. see src/HOL/Predicate.thy.

* New theory SupInf of the supremum and infimum operators for sets of
reals.

* New theory Probability, which contains a development of measure
theory, eventually leading to Lebesgue integration and probability.

* Extended Multivariate Analysis to include derivation and Brouwer's
fixpoint theorem.

* Reorganization of number theory, INCOMPATIBILITY:
  - new number theory development for nat and int, in theories Divides
    and GCD as well as in new session Number_Theory
  - some constants and facts now suffixed with _nat and _int
    accordingly
  - former session NumberTheory now named Old_Number_Theory, including
    theories Legacy_GCD and Primes (prefer Number_Theory if possible)
  - moved theory Pocklington from src/HOL/Library to
    src/HOL/Old_Number_Theory

* Theory GCD includes functions Gcd/GCD and Lcm/LCM for the gcd and
lcm of finite and infinite sets. It is shown that they form a complete
lattice.

* Class semiring_div requires superclass no_zero_divisors and proof of
div_mult_mult1; theorems div_mult_mult1, div_mult_mult2,
div_mult_mult1_if, div_mult_mult1 and div_mult_mult2 have been
generalized to class semiring_div, subsuming former theorems
zdiv_zmult_zmult1, zdiv_zmult_zmult1_if, zdiv_zmult_zmult1 and
zdiv_zmult_zmult2.  div_mult_mult1 is now [simp] by default.
INCOMPATIBILITY.

* Refinements to lattice classes and sets:
  - less default intro/elim rules in locale variant, more default
    intro/elim rules in class variant: more uniformity
  - lemma ge_sup_conv renamed to le_sup_iff, in accordance with
    le_inf_iff
  - dropped lemma alias inf_ACI for inf_aci (same for sup_ACI and
    sup_aci)
  - renamed ACI to inf_sup_aci
  - new class "boolean_algebra"
  - class "complete_lattice" moved to separate theory
    "Complete_Lattice"; corresponding constants (and abbreviations)
    renamed and with authentic syntax:
    Set.Inf ~>    Complete_Lattice.Inf
    Set.Sup ~>    Complete_Lattice.Sup
    Set.INFI ~>   Complete_Lattice.INFI
    Set.SUPR ~>   Complete_Lattice.SUPR
    Set.Inter ~>  Complete_Lattice.Inter
    Set.Union ~>  Complete_Lattice.Union
    Set.INTER ~>  Complete_Lattice.INTER
    Set.UNION ~>  Complete_Lattice.UNION
  - authentic syntax for
    Set.Pow
    Set.image
  - mere abbreviations:
    Set.empty               (for bot)
    Set.UNIV                (for top)
    Set.inter               (for inf, formerly Set.Int)
    Set.union               (for sup, formerly Set.Un)
    Complete_Lattice.Inter  (for Inf)
    Complete_Lattice.Union  (for Sup)
    Complete_Lattice.INTER  (for INFI)
    Complete_Lattice.UNION  (for SUPR)
  - object-logic definitions as far as appropriate

INCOMPATIBILITY.  Care is required when theorems Int_subset_iff or
Un_subset_iff are explicitly deleted as default simp rules; then also
their lattice counterparts le_inf_iff and le_sup_iff have to be
deleted to achieve the desired effect.

* Rules inf_absorb1, inf_absorb2, sup_absorb1, sup_absorb2 are no simp
rules by default any longer; the same applies to min_max.inf_absorb1
etc.  INCOMPATIBILITY.

* Rules sup_Int_eq and sup_Un_eq are no longer declared as
pred_set_conv by default.  INCOMPATIBILITY.

* Power operations on relations and functions are now one dedicated
constant "compow" with infix syntax "^^".  Power operation on
multiplicative monoids retains syntax "^" and is now defined generic
in class power.  INCOMPATIBILITY.

* Relation composition "R O S" now has a more standard argument order:
"R O S = {(x, z). EX y. (x, y) : R & (y, z) : S}".  INCOMPATIBILITY,
rewrite propositions with "S O R" --> "R O S". Proofs may occasionally
break, since the O_assoc rule was not rewritten like this.  Fix using
O_assoc[symmetric].  The same applies to the curried version "R OO S".

* Function "Inv" is renamed to "inv_into" and function "inv" is now an
abbreviation for "inv_into UNIV".  Lemmas are renamed accordingly.
INCOMPATIBILITY.

* Most rules produced by inductive and datatype package have mandatory
prefixes.  INCOMPATIBILITY.

* Changed "DERIV_intros" to a dynamic fact, which can be augmented by
the attribute of the same name.  Each of the theorems in the list
DERIV_intros assumes composition with an additional function and
matches a variable to the derivative, which has to be solved by the
Simplifier.  Hence (auto intro!: DERIV_intros) computes the derivative
of most elementary terms.  Former Maclauren.DERIV_tac and
Maclauren.deriv_tac should be replaced by (auto intro!: DERIV_intros).
INCOMPATIBILITY.

* Code generator attributes follow the usual underscore convention:
    code_unfold     replaces    code unfold
    code_post       replaces    code post
    etc.
  INCOMPATIBILITY.

* Renamed methods:
    sizechange -> size_change
    induct_scheme -> induction_schema
  INCOMPATIBILITY.

* Discontinued abbreviation "arbitrary" of constant "undefined".
INCOMPATIBILITY, use "undefined" directly.

* Renamed theorems:
    Suc_eq_add_numeral_1 -> Suc_eq_plus1
    Suc_eq_add_numeral_1_left -> Suc_eq_plus1_left
    Suc_plus1 -> Suc_eq_plus1
    *anti_sym -> *antisym*
    vector_less_eq_def -> vector_le_def
  INCOMPATIBILITY.

* Added theorem List.map_map as [simp].  Removed List.map_compose.
INCOMPATIBILITY.

* Removed predicate "M hassize n" (<--> card M = n & finite M).
INCOMPATIBILITY.


*** HOLCF ***

* Theory Representable defines a class "rep" of domains that are
representable (via an ep-pair) in the universal domain type "udom".
Instances are provided for all type constructors defined in HOLCF.

* The 'new_domain' command is a purely definitional version of the
domain package, for representable domains.  Syntax is identical to the
old domain package.  The 'new_domain' package also supports indirect
recursion using previously-defined type constructors.  See
src/HOLCF/ex/New_Domain.thy for examples.

* Method "fixrec_simp" unfolds one step of a fixrec-defined constant
on the left-hand side of an equation, and then performs
simplification.  Rewriting is done using rules declared with the
"fixrec_simp" attribute.  The "fixrec_simp" method is intended as a
replacement for "fixpat"; see src/HOLCF/ex/Fixrec_ex.thy for examples.

* The pattern-match compiler in 'fixrec' can now handle constructors
with HOL function types.  Pattern-match combinators for the Pair
constructor are pre-configured.

* The 'fixrec' package now produces better fixed-point induction rules
for mutually-recursive definitions:  Induction rules have conclusions
of the form "P foo bar" instead of "P <foo, bar>".

* The constant "sq_le" (with infix syntax "<<" or "\<sqsubseteq>") has
been renamed to "below".  The name "below" now replaces "less" in many
theorem names.  (Legacy theorem names using "less" are still supported
as well.)

* The 'fixrec' package now supports "bottom patterns".  Bottom
patterns can be used to generate strictness rules, or to make
functions more strict (much like the bang-patterns supported by the
Glasgow Haskell Compiler).  See src/HOLCF/ex/Fixrec_ex.thy for
examples.


*** ML ***

* Support for Poly/ML 5.3.0, with improved reporting of compiler
errors and run-time exceptions, including detailed source positions.

* Structure Name_Space (formerly NameSpace) now manages uniquely
identified entries, with some additional information such as source
position, logical grouping etc.

* Theory and context data is now introduced by the simplified and
modernized functors Theory_Data, Proof_Data, Generic_Data.  Data needs
to be pure, but the old TheoryDataFun for mutable data (with explicit
copy operation) is still available for some time.

* Structure Synchronized (cf. src/Pure/Concurrent/synchronized.ML)
provides a high-level programming interface to synchronized state
variables with atomic update.  This works via pure function
application within a critical section -- its runtime should be as
short as possible; beware of deadlocks if critical code is nested,
either directly or indirectly via other synchronized variables!

* Structure Unsynchronized (cf. src/Pure/ML-Systems/unsynchronized.ML)
wraps raw ML references, explicitly indicating their non-thread-safe
behaviour.  The Isar toplevel keeps this structure open, to
accommodate Proof General as well as quick and dirty interactive
experiments with references.

* PARALLEL_CHOICE and PARALLEL_GOALS provide basic support for
parallel tactical reasoning.

* Tacticals Subgoal.FOCUS, Subgoal.FOCUS_PREMS, Subgoal.FOCUS_PARAMS
are similar to SUBPROOF, but are slightly more flexible: only the
specified parts of the subgoal are imported into the context, and the
body tactic may introduce new subgoals and schematic variables.

* Old tactical METAHYPS, which does not observe the proof context, has
been renamed to Old_Goals.METAHYPS and awaits deletion.  Use SUBPROOF
or Subgoal.FOCUS etc.

* Renamed functor TableFun to Table, and GraphFun to Graph.  (Since
functors have their own ML name space there is no point to mark them
separately.)  Minor INCOMPATIBILITY.

* Renamed NamedThmsFun to Named_Thms.  INCOMPATIBILITY.

* Renamed several structures FooBar to Foo_Bar.  Occasional,
INCOMPATIBILITY.

* Operations of structure Skip_Proof no longer require quick_and_dirty
mode, which avoids critical setmp.

* Eliminated old Attrib.add_attributes, Method.add_methods and related
combinators for "args".  INCOMPATIBILITY, need to use simplified
Attrib/Method.setup introduced in Isabelle2009.

* Proper context for simpset_of, claset_of, clasimpset_of.  May fall
back on global_simpset_of, global_claset_of, global_clasimpset_of as
last resort.  INCOMPATIBILITY.

* Display.pretty_thm now requires a proper context (cf. former
ProofContext.pretty_thm).  May fall back on Display.pretty_thm_global
or even Display.pretty_thm_without_context as last resort.
INCOMPATIBILITY.

* Discontinued Display.pretty_ctyp/cterm etc.  INCOMPATIBILITY, use
Syntax.pretty_typ/term directly, preferably with proper context
instead of global theory.


*** System ***

* Further fine tuning of parallel proof checking, scales up to 8 cores
(max. speedup factor 5.0).  See also Goal.parallel_proofs in ML and
usedir option -q.

* Support for additional "Isabelle components" via etc/components, see
also the system manual.

* The isabelle makeall tool now operates on all components with
IsaMakefile, not just hardwired "logics".

* Removed "compress" option from isabelle-process and isabelle usedir;
this is always enabled.

* Discontinued support for Poly/ML 4.x versions.

* Isabelle tool "wwwfind" provides web interface for 'find_theorems'
on a given logic image.  This requires the lighttpd webserver and is
currently supported on Linux only.


New in Isabelle2009 (April 2009)
--------------------------------

*** General ***

* Simplified main Isabelle executables, with less surprises on
case-insensitive file-systems (such as Mac OS).

  - The main Isabelle tool wrapper is now called "isabelle" instead of
    "isatool."

  - The former "isabelle" alias for "isabelle-process" has been
    removed (should rarely occur to regular users).

  - The former "isabelle-interface" and its alias "Isabelle" have been
    removed (interfaces are now regular Isabelle tools).

Within scripts and make files, the Isabelle environment variables
ISABELLE_TOOL and ISABELLE_PROCESS replace old ISATOOL and ISABELLE,
respectively.  (The latter are still available as legacy feature.)

The old isabelle-interface wrapper could react in confusing ways if
the interface was uninstalled or changed otherwise.  Individual
interface tool configuration is now more explicit, see also the
Isabelle system manual.  In particular, Proof General is now available
via "isabelle emacs".

INCOMPATIBILITY, need to adapt derivative scripts.  Users may need to
purge installed copies of Isabelle executables and re-run "isabelle
install -p ...", or use symlinks.

* The default for ISABELLE_HOME_USER is now ~/.isabelle instead of the
old ~/isabelle, which was slightly non-standard and apt to cause
surprises on case-insensitive file-systems (such as Mac OS).

INCOMPATIBILITY, need to move existing ~/isabelle/etc,
~/isabelle/heaps, ~/isabelle/browser_info to the new place.  Special
care is required when using older releases of Isabelle.  Note that
ISABELLE_HOME_USER can be changed in Isabelle/etc/settings of any
Isabelle distribution, in order to use the new ~/.isabelle uniformly.

* Proofs of fully specified statements are run in parallel on
multi-core systems.  A speedup factor of 2.5 to 3.2 can be expected on
a regular 4-core machine, if the initial heap space is made reasonably
large (cf. Poly/ML option -H).  (Requires Poly/ML 5.2.1 or later.)

* The main reference manuals ("isar-ref", "implementation", and
"system") have been updated and extended.  Formally checked references
as hyperlinks are now available uniformly.


*** Pure ***

* Complete re-implementation of locales.  INCOMPATIBILITY in several
respects.  The most important changes are listed below.  See the
Tutorial on Locales ("locales" manual) for details.

- In locale expressions, instantiation replaces renaming.  Parameters
must be declared in a for clause.  To aid compatibility with previous
parameter inheritance, in locale declarations, parameters that are not
'touched' (instantiation position "_" or omitted) are implicitly added
with their syntax at the beginning of the for clause.

- Syntax from abbreviations and definitions in locales is available in
locale expressions and context elements.  The latter is particularly
useful in locale declarations.

- More flexible mechanisms to qualify names generated by locale
expressions.  Qualifiers (prefixes) may be specified in locale
expressions, and can be marked as mandatory (syntax: "name!:") or
optional (syntax "name?:").  The default depends for plain "name:"
depends on the situation where a locale expression is used: in
commands 'locale' and 'sublocale' prefixes are optional, in
'interpretation' and 'interpret' prefixes are mandatory.  The old
implicit qualifiers derived from the parameter names of a locale are
no longer generated.

- Command "sublocale l < e" replaces "interpretation l < e".  The
instantiation clause in "interpretation" and "interpret" (square
brackets) is no longer available.  Use locale expressions.

- When converting proof scripts, mandatory qualifiers in
'interpretation' and 'interpret' should be retained by default, even
if this is an INCOMPATIBILITY compared to former behavior.  In the
worst case, use the "name?:" form for non-mandatory ones.  Qualifiers
in locale expressions range over a single locale instance only.

- Dropped locale element "includes".  This is a major INCOMPATIBILITY.
In existing theorem specifications replace the includes element by the
respective context elements of the included locale, omitting those
that are already present in the theorem specification.  Multiple
assume elements of a locale should be replaced by a single one
involving the locale predicate.  In the proof body, declarations (most
notably theorems) may be regained by interpreting the respective
locales in the proof context as required (command "interpret").

If using "includes" in replacement of a target solely because the
parameter types in the theorem are not as general as in the target,
consider declaring a new locale with additional type constraints on
the parameters (context element "constrains").

- Discontinued "locale (open)".  INCOMPATIBILITY.

- Locale interpretation commands no longer attempt to simplify goal.
INCOMPATIBILITY: in rare situations the generated goal differs.  Use
methods intro_locales and unfold_locales to clarify.

- Locale interpretation commands no longer accept interpretation
attributes.  INCOMPATIBILITY.

* Class declaration: so-called "base sort" must not be given in import
list any longer, but is inferred from the specification.  Particularly
in HOL, write

    class foo = ...

instead of

    class foo = type + ...

* Class target: global versions of theorems stemming do not carry a
parameter prefix any longer.  INCOMPATIBILITY.

* Class 'instance' command no longer accepts attached definitions.
INCOMPATIBILITY, use proper 'instantiation' target instead.

* Recovered hiding of consts, which was accidentally broken in
Isabelle2007.  Potential INCOMPATIBILITY, ``hide const c'' really
makes c inaccessible; consider using ``hide (open) const c'' instead.

* Slightly more coherent Pure syntax, with updated documentation in
isar-ref manual.  Removed locales meta_term_syntax and
meta_conjunction_syntax: TERM and &&& (formerly &&) are now permanent,
INCOMPATIBILITY in rare situations.  Note that &&& should not be used
directly in regular applications.

* There is a new syntactic category "float_const" for signed decimal
fractions (e.g. 123.45 or -123.45).

* Removed exotic 'token_translation' command.  INCOMPATIBILITY, use ML
interface with 'setup' command instead.

* Command 'local_setup' is similar to 'setup', but operates on a local
theory context.

* The 'axiomatization' command now only works within a global theory
context.  INCOMPATIBILITY.

* Goal-directed proof now enforces strict proof irrelevance wrt. sort
hypotheses.  Sorts required in the course of reasoning need to be
covered by the constraints in the initial statement, completed by the
type instance information of the background theory.  Non-trivial sort
hypotheses, which rarely occur in practice, may be specified via
vacuous propositions of the form SORT_CONSTRAINT('a::c).  For example:

  lemma assumes "SORT_CONSTRAINT('a::empty)" shows False ...

The result contains an implicit sort hypotheses as before --
SORT_CONSTRAINT premises are eliminated as part of the canonical rule
normalization.

* Generalized Isar history, with support for linear undo, direct state
addressing etc.

* Changed defaults for unify configuration options:

  unify_trace_bound = 50 (formerly 25)
  unify_search_bound = 60 (formerly 30)

* Different bookkeeping for code equations (INCOMPATIBILITY):

  a) On theory merge, the last set of code equations for a particular
     constant is taken (in accordance with the policy applied by other
     parts of the code generator framework).

  b) Code equations stemming from explicit declarations (e.g. code
     attribute) gain priority over default code equations stemming
     from definition, primrec, fun etc.

* Keyword 'code_exception' now named 'code_abort'.  INCOMPATIBILITY.

* Unified theorem tables for both code generators.  Thus [code
func] has disappeared and only [code] remains.  INCOMPATIBILITY.

* Command 'find_consts' searches for constants based on type and name
patterns, e.g.

    find_consts "_ => bool"

By default, matching is against subtypes, but it may be restricted to
the whole type.  Searching by name is possible.  Multiple queries are
conjunctive and queries may be negated by prefixing them with a
hyphen:

    find_consts strict: "_ => bool" name: "Int" -"int => int"

* New 'find_theorems' criterion "solves" matches theorems that
directly solve the current goal (modulo higher-order unification).

* Auto solve feature for main theorem statements: whenever a new goal
is stated, "find_theorems solves" is called; any theorems that could
solve the lemma directly are listed as part of the goal state.
Cf. associated options in Proof General Isabelle settings menu,
enabled by default, with reasonable timeout for pathological cases of
higher-order unification.


*** Document preparation ***

* Antiquotation @{lemma} now imitates a regular terminal proof,
demanding keyword 'by' and supporting the full method expression
syntax just like the Isar command 'by'.


*** HOL ***

* Integrated main parts of former image HOL-Complex with HOL.  Entry
points Main and Complex_Main remain as before.

* Logic image HOL-Plain provides a minimal HOL with the most important
tools available (inductive, datatype, primrec, ...).  This facilitates
experimentation and tool development.  Note that user applications
(and library theories) should never refer to anything below theory
Main, as before.

* Logic image HOL-Main stops at theory Main, and thus facilitates
experimentation due to shorter build times.

* Logic image HOL-NSA contains theories of nonstandard analysis which
were previously part of former HOL-Complex.  Entry point Hyperreal
remains valid, but theories formerly using Complex_Main should now use
new entry point Hypercomplex.

* Generic ATP manager for Sledgehammer, based on ML threads instead of
Posix processes.  Avoids potentially expensive forking of the ML
process.  New thread-based implementation also works on non-Unix
platforms (Cygwin).  Provers are no longer hardwired, but defined
within the theory via plain ML wrapper functions.  Basic Sledgehammer
commands are covered in the isar-ref manual.

* Wrapper scripts for remote SystemOnTPTP service allows to use
sledgehammer without local ATP installation (Vampire etc.). Other
provers may be included via suitable ML wrappers, see also
src/HOL/ATP_Linkup.thy.

* ATP selection (E/Vampire/Spass) is now via Proof General's settings
menu.

* The metis method no longer fails because the theorem is too trivial
(contains the empty clause).

* The metis method now fails in the usual manner, rather than raising
an exception, if it determines that it cannot prove the theorem.

* Method "coherent" implements a prover for coherent logic (see also
src/Tools/coherent.ML).

* Constants "undefined" and "default" replace "arbitrary".  Usually
"undefined" is the right choice to replace "arbitrary", though
logically there is no difference.  INCOMPATIBILITY.

* Command "value" now integrates different evaluation mechanisms.  The
result of the first successful evaluation mechanism is printed.  In
square brackets a particular named evaluation mechanisms may be
specified (currently, [SML], [code] or [nbe]).  See further
src/HOL/ex/Eval_Examples.thy.

* Normalization by evaluation now allows non-leftlinear equations.
Declare with attribute [code nbe].

* Methods "case_tac" and "induct_tac" now refer to the very same rules
as the structured Isar versions "cases" and "induct", cf. the
corresponding "cases" and "induct" attributes.  Mutual induction rules
are now presented as a list of individual projections
(e.g. foo_bar.inducts for types foo and bar); the old format with
explicit HOL conjunction is no longer supported.  INCOMPATIBILITY, in
rare situations a different rule is selected --- notably nested tuple
elimination instead of former prod.exhaust: use explicit (case_tac t
rule: prod.exhaust) here.

* Attributes "cases", "induct", "coinduct" support "del" option.

* Removed fact "case_split_thm", which duplicates "case_split".

* The option datatype has been moved to a new theory Option.  Renamed
option_map to Option.map, and o2s to Option.set, INCOMPATIBILITY.

* New predicate "strict_mono" classifies strict functions on partial
orders.  With strict functions on linear orders, reasoning about
(in)equalities is facilitated by theorems "strict_mono_eq",
"strict_mono_less_eq" and "strict_mono_less".

* Some set operations are now proper qualified constants with
authentic syntax.  INCOMPATIBILITY:

    op Int ~>   Set.Int
    op Un ~>    Set.Un
    INTER ~>    Set.INTER
    UNION ~>    Set.UNION
    Inter ~>    Set.Inter
    Union ~>    Set.Union
    {} ~>       Set.empty
    UNIV ~>     Set.UNIV

* Class complete_lattice with operations Inf, Sup, INFI, SUPR now in
theory Set.

* Auxiliary class "itself" has disappeared -- classes without any
parameter are treated as expected by the 'class' command.

* Leibnitz's Series for Pi and the arcus tangens and logarithm series.

* Common decision procedures (Cooper, MIR, Ferrack, Approximation,
Dense_Linear_Order) are now in directory HOL/Decision_Procs.

* Theory src/HOL/Decision_Procs/Approximation provides the new proof
method "approximation".  It proves formulas on real values by using
interval arithmetic.  In the formulas are also the transcendental
functions sin, cos, tan, atan, ln, exp and the constant pi are
allowed. For examples see
src/HOL/Descision_Procs/ex/Approximation_Ex.thy.

* Theory "Reflection" now resides in HOL/Library.

* Entry point to Word library now simply named "Word".
INCOMPATIBILITY.

* Made source layout more coherent with logical distribution
structure:

    src/HOL/Library/RType.thy ~> src/HOL/Typerep.thy
    src/HOL/Library/Code_Message.thy ~> src/HOL/
    src/HOL/Library/GCD.thy ~> src/HOL/
    src/HOL/Library/Order_Relation.thy ~> src/HOL/
    src/HOL/Library/Parity.thy ~> src/HOL/
    src/HOL/Library/Univ_Poly.thy ~> src/HOL/
    src/HOL/Real/ContNotDenum.thy ~> src/HOL/Library/
    src/HOL/Real/Lubs.thy ~> src/HOL/
    src/HOL/Real/PReal.thy ~> src/HOL/
    src/HOL/Real/Rational.thy ~> src/HOL/
    src/HOL/Real/RComplete.thy ~> src/HOL/
    src/HOL/Real/RealDef.thy ~> src/HOL/
    src/HOL/Real/RealPow.thy ~> src/HOL/
    src/HOL/Real/Real.thy ~> src/HOL/
    src/HOL/Complex/Complex_Main.thy ~> src/HOL/
    src/HOL/Complex/Complex.thy ~> src/HOL/
    src/HOL/Complex/FrechetDeriv.thy ~> src/HOL/Library/
    src/HOL/Complex/Fundamental_Theorem_Algebra.thy ~> src/HOL/Library/
    src/HOL/Hyperreal/Deriv.thy ~> src/HOL/
    src/HOL/Hyperreal/Fact.thy ~> src/HOL/
    src/HOL/Hyperreal/Integration.thy ~> src/HOL/
    src/HOL/Hyperreal/Lim.thy ~> src/HOL/
    src/HOL/Hyperreal/Ln.thy ~> src/HOL/
    src/HOL/Hyperreal/Log.thy ~> src/HOL/
    src/HOL/Hyperreal/MacLaurin.thy ~> src/HOL/
    src/HOL/Hyperreal/NthRoot.thy ~> src/HOL/
    src/HOL/Hyperreal/Series.thy ~> src/HOL/
    src/HOL/Hyperreal/SEQ.thy ~> src/HOL/
    src/HOL/Hyperreal/Taylor.thy ~> src/HOL/
    src/HOL/Hyperreal/Transcendental.thy ~> src/HOL/
    src/HOL/Real/Float ~> src/HOL/Library/
    src/HOL/Real/HahnBanach ~> src/HOL/HahnBanach
    src/HOL/Real/RealVector.thy ~> src/HOL/

    src/HOL/arith_data.ML ~> src/HOL/Tools
    src/HOL/hologic.ML ~> src/HOL/Tools
    src/HOL/simpdata.ML ~> src/HOL/Tools
    src/HOL/int_arith1.ML ~> src/HOL/Tools/int_arith.ML
    src/HOL/int_factor_simprocs.ML ~> src/HOL/Tools
    src/HOL/nat_simprocs.ML ~> src/HOL/Tools
    src/HOL/Real/float_arith.ML ~> src/HOL/Tools
    src/HOL/Real/float_syntax.ML ~> src/HOL/Tools
    src/HOL/Real/rat_arith.ML ~> src/HOL/Tools
    src/HOL/Real/real_arith.ML ~> src/HOL/Tools

    src/HOL/Library/Array.thy ~> src/HOL/Imperative_HOL
    src/HOL/Library/Heap_Monad.thy ~> src/HOL/Imperative_HOL
    src/HOL/Library/Heap.thy ~> src/HOL/Imperative_HOL
    src/HOL/Library/Imperative_HOL.thy ~> src/HOL/Imperative_HOL
    src/HOL/Library/Ref.thy ~> src/HOL/Imperative_HOL
    src/HOL/Library/Relational.thy ~> src/HOL/Imperative_HOL

* If methods "eval" and "evaluation" encounter a structured proof
state with !!/==>, only the conclusion is evaluated to True (if
possible), avoiding strange error messages.

* Method "sizechange" automates termination proofs using (a
modification of) the size-change principle.  Requires SAT solver.  See
src/HOL/ex/Termination.thy for examples.

* Simplifier: simproc for let expressions now unfolds if bound
variable occurs at most once in let expression body.  INCOMPATIBILITY.

* Method "arith": Linear arithmetic now ignores all inequalities when
fast_arith_neq_limit is exceeded, instead of giving up entirely.

* New attribute "arith" for facts that should always be used
automatically by arithmetic. It is intended to be used locally in
proofs, e.g.

  assumes [arith]: "x > 0"

Global usage is discouraged because of possible performance impact.

* New classes "top" and "bot" with corresponding operations "top" and
"bot" in theory Orderings; instantiation of class "complete_lattice"
requires instantiation of classes "top" and "bot".  INCOMPATIBILITY.

* Changed definition lemma "less_fun_def" in order to provide an
instance for preorders on functions; use lemma "less_le" instead.
INCOMPATIBILITY.

* Theory Orderings: class "wellorder" moved here, with explicit
induction rule "less_induct" as assumption.  For instantiation of
"wellorder" by means of predicate "wf", use rule wf_wellorderI.
INCOMPATIBILITY.

* Theory Orderings: added class "preorder" as superclass of "order".
INCOMPATIBILITY: Instantiation proofs for order, linorder
etc. slightly changed.  Some theorems named order_class.* now named
preorder_class.*.

* Theory Relation: renamed "refl" to "refl_on", "reflexive" to "refl,
"diag" to "Id_on".

* Theory Finite_Set: added a new fold combinator of type

  ('a => 'b => 'b) => 'b => 'a set => 'b

Occasionally this is more convenient than the old fold combinator
which is now defined in terms of the new one and renamed to
fold_image.

* Theories Ring_and_Field and OrderedGroup: The lemmas "group_simps"
and "ring_simps" have been replaced by "algebra_simps" (which can be
extended with further lemmas!).  At the moment both still exist but
the former will disappear at some point.

* Theory Power: Lemma power_Suc is now declared as a simp rule in
class recpower.  Type-specific simp rules for various recpower types
have been removed.  INCOMPATIBILITY, rename old lemmas as follows:

rat_power_0    -> power_0
rat_power_Suc  -> power_Suc
realpow_0      -> power_0
realpow_Suc    -> power_Suc
complexpow_0   -> power_0
complexpow_Suc -> power_Suc
power_poly_0   -> power_0
power_poly_Suc -> power_Suc

* Theories Ring_and_Field and Divides: Definition of "op dvd" has been
moved to separate class dvd in Ring_and_Field; a couple of lemmas on
dvd has been generalized to class comm_semiring_1.  Likewise a bunch
of lemmas from Divides has been generalized from nat to class
semiring_div.  INCOMPATIBILITY.  This involves the following theorem
renames resulting from duplicate elimination:

    dvd_def_mod ~>          dvd_eq_mod_eq_0
    zero_dvd_iff ~>         dvd_0_left_iff
    dvd_0 ~>                dvd_0_right
    DIVISION_BY_ZERO_DIV ~> div_by_0
    DIVISION_BY_ZERO_MOD ~> mod_by_0
    mult_div ~>             div_mult_self2_is_id
    mult_mod ~>             mod_mult_self2_is_0

* Theory IntDiv: removed many lemmas that are instances of class-based
generalizations (from Divides and Ring_and_Field).  INCOMPATIBILITY,
rename old lemmas as follows:

dvd_diff               -> nat_dvd_diff
dvd_zminus_iff         -> dvd_minus_iff
mod_add1_eq            -> mod_add_eq
mod_mult1_eq           -> mod_mult_right_eq
mod_mult1_eq'          -> mod_mult_left_eq
mod_mult_distrib_mod   -> mod_mult_eq
nat_mod_add_left_eq    -> mod_add_left_eq
nat_mod_add_right_eq   -> mod_add_right_eq
nat_mod_div_trivial    -> mod_div_trivial
nat_mod_mod_trivial    -> mod_mod_trivial
zdiv_zadd_self1        -> div_add_self1
zdiv_zadd_self2        -> div_add_self2
zdiv_zmult_self1       -> div_mult_self2_is_id
zdiv_zmult_self2       -> div_mult_self1_is_id
zdvd_triv_left         -> dvd_triv_left
zdvd_triv_right        -> dvd_triv_right
zdvd_zmult_cancel_disj -> dvd_mult_cancel_left
zmod_eq0_zdvd_iff      -> dvd_eq_mod_eq_0[symmetric]
zmod_zadd_left_eq      -> mod_add_left_eq
zmod_zadd_right_eq     -> mod_add_right_eq
zmod_zadd_self1        -> mod_add_self1
zmod_zadd_self2        -> mod_add_self2
zmod_zadd1_eq          -> mod_add_eq
zmod_zdiff1_eq         -> mod_diff_eq
zmod_zdvd_zmod         -> mod_mod_cancel
zmod_zmod_cancel       -> mod_mod_cancel
zmod_zmult_self1       -> mod_mult_self2_is_0
zmod_zmult_self2       -> mod_mult_self1_is_0
zmod_1                 -> mod_by_1
zdiv_1                 -> div_by_1
zdvd_abs1              -> abs_dvd_iff
zdvd_abs2              -> dvd_abs_iff
zdvd_refl              -> dvd_refl
zdvd_trans             -> dvd_trans
zdvd_zadd              -> dvd_add
zdvd_zdiff             -> dvd_diff
zdvd_zminus_iff        -> dvd_minus_iff
zdvd_zminus2_iff       -> minus_dvd_iff
zdvd_zmultD            -> dvd_mult_right
zdvd_zmultD2           -> dvd_mult_left
zdvd_zmult_mono        -> mult_dvd_mono
zdvd_0_right           -> dvd_0_right
zdvd_0_left            -> dvd_0_left_iff
zdvd_1_left            -> one_dvd
zminus_dvd_iff         -> minus_dvd_iff

* Theory Rational: 'Fract k 0' now equals '0'.  INCOMPATIBILITY.

* The real numbers offer decimal input syntax: 12.34 is translated
into 1234/10^2. This translation is not reversed upon output.

* Theory Library/Polynomial defines an abstract type 'a poly of
univariate polynomials with coefficients of type 'a.  In addition to
the standard ring operations, it also supports div and mod.  Code
generation is also supported, using list-style constructors.

* Theory Library/Inner_Product defines a class of real_inner for real
inner product spaces, with an overloaded operation inner :: 'a => 'a
=> real.  Class real_inner is a subclass of real_normed_vector from
theory RealVector.

* Theory Library/Product_Vector provides instances for the product
type 'a * 'b of several classes from RealVector and Inner_Product.
Definitions of addition, subtraction, scalar multiplication, norms,
and inner products are included.

* Theory Library/Bit defines the field "bit" of integers modulo 2.  In
addition to the field operations, numerals and case syntax are also
supported.

* Theory Library/Diagonalize provides constructive version of Cantor's
first diagonalization argument.

* Theory Library/GCD: Curried operations gcd, lcm (for nat) and zgcd,
zlcm (for int); carried together from various gcd/lcm developements in
the HOL Distribution.  Constants zgcd and zlcm replace former igcd and
ilcm; corresponding theorems renamed accordingly.  INCOMPATIBILITY,
may recover tupled syntax as follows:

    hide (open) const gcd
    abbreviation gcd where
      "gcd == (%(a, b). GCD.gcd a b)"
    notation (output)
      GCD.gcd ("gcd '(_, _')")

The same works for lcm, zgcd, zlcm.

* Theory Library/Nat_Infinity: added addition, numeral syntax and more
instantiations for algebraic structures.  Removed some duplicate
theorems.  Changes in simp rules.  INCOMPATIBILITY.

* ML antiquotation @{code} takes a constant as argument and generates
corresponding code in background and inserts name of the corresponding
resulting ML value/function/datatype constructor binding in place.
All occurrences of @{code} with a single ML block are generated
simultaneously.  Provides a generic and safe interface for
instrumentalizing code generation.  See
src/HOL/Decision_Procs/Ferrack.thy for a more ambitious application.
In future you ought to refrain from ad-hoc compiling generated SML
code on the ML toplevel.  Note that (for technical reasons) @{code}
cannot refer to constants for which user-defined serializations are
set.  Refer to the corresponding ML counterpart directly in that
cases.

* Command 'rep_datatype': instead of theorem names the command now
takes a list of terms denoting the constructors of the type to be
represented as datatype.  The characteristic theorems have to be
proven.  INCOMPATIBILITY.  Also observe that the following theorems
have disappeared in favour of existing ones:

    unit_induct                 ~> unit.induct
    prod_induct                 ~> prod.induct
    sum_induct                  ~> sum.induct
    Suc_Suc_eq                  ~> nat.inject
    Suc_not_Zero Zero_not_Suc   ~> nat.distinct


*** HOL-Algebra ***

* New locales for orders and lattices where the equivalence relation
is not restricted to equality.  INCOMPATIBILITY: all order and lattice
locales use a record structure with field eq for the equivalence.

* New theory of factorial domains.

* Units_l_inv and Units_r_inv are now simp rules by default.
INCOMPATIBILITY.  Simplifier proof that require deletion of l_inv
and/or r_inv will now also require deletion of these lemmas.

* Renamed the following theorems, INCOMPATIBILITY:

UpperD ~> Upper_memD
LowerD ~> Lower_memD
least_carrier ~> least_closed
greatest_carrier ~> greatest_closed
greatest_Lower_above ~> greatest_Lower_below
one_zero ~> carrier_one_zero
one_not_zero ~> carrier_one_not_zero  (collision with assumption)


*** HOL-Nominal ***

* Nominal datatypes can now contain type-variables.

* Commands 'nominal_inductive' and 'equivariance' work with local
theory targets.

* Nominal primrec can now works with local theory targets and its
specification syntax now conforms to the general format as seen in
'inductive' etc.

* Method "perm_simp" honours the standard simplifier attributes
(no_asm), (no_asm_use) etc.

* The new predicate #* is defined like freshness, except that on the
left hand side can be a set or list of atoms.

* Experimental command 'nominal_inductive2' derives strong induction
principles for inductive definitions.  In contrast to
'nominal_inductive', which can only deal with a fixed number of
binders, it can deal with arbitrary expressions standing for sets of
atoms to be avoided.  The only inductive definition we have at the
moment that needs this generalisation is the typing rule for Lets in
the algorithm W:

 Gamma |- t1 : T1   (x,close Gamma T1)::Gamma |- t2 : T2   x#Gamma
 -----------------------------------------------------------------
         Gamma |- Let x be t1 in t2 : T2

In this rule one wants to avoid all the binders that are introduced by
"close Gamma T1".  We are looking for other examples where this
feature might be useful.  Please let us know.


*** HOLCF ***

* Reimplemented the simplification procedure for proving continuity
subgoals.  The new simproc is extensible; users can declare additional
continuity introduction rules with the attribute [cont2cont].

* The continuity simproc now uses a different introduction rule for
solving continuity subgoals on terms with lambda abstractions.  In
some rare cases the new simproc may fail to solve subgoals that the
old one could solve, and "simp add: cont2cont_LAM" may be necessary.
Potential INCOMPATIBILITY.

* Command 'fixrec': specification syntax now conforms to the general
format as seen in 'inductive' etc.  See src/HOLCF/ex/Fixrec_ex.thy for
examples.  INCOMPATIBILITY.


*** ZF ***

* Proof of Zorn's Lemma for partial orders.


*** ML ***

* Multithreading for Poly/ML 5.1/5.2 is no longer supported, only for
Poly/ML 5.2.1 or later.  Important note: the TimeLimit facility
depends on multithreading, so timouts will not work before Poly/ML
5.2.1!

* High-level support for concurrent ML programming, see
src/Pure/Cuncurrent.  The data-oriented model of "future values" is
particularly convenient to organize independent functional
computations.  The concept of "synchronized variables" provides a
higher-order interface for components with shared state, avoiding the
delicate details of mutexes and condition variables.  (Requires
Poly/ML 5.2.1 or later.)

* ML bindings produced via Isar commands are stored within the Isar
context (theory or proof).  Consequently, commands like 'use' and 'ML'
become thread-safe and work with undo as expected (concerning
top-level bindings, not side-effects on global references).
INCOMPATIBILITY, need to provide proper Isar context when invoking the
compiler at runtime; really global bindings need to be given outside a
theory.  (Requires Poly/ML 5.2 or later.)

* Command 'ML_prf' is analogous to 'ML' but works within a proof
context.  Top-level ML bindings are stored within the proof context in
a purely sequential fashion, disregarding the nested proof structure.
ML bindings introduced by 'ML_prf' are discarded at the end of the
proof.  (Requires Poly/ML 5.2 or later.)

* Simplified ML attribute and method setup, cf. functions Attrib.setup
and Method.setup, as well as Isar commands 'attribute_setup' and
'method_setup'.  INCOMPATIBILITY for 'method_setup', need to simplify
existing code accordingly, or use plain 'setup' together with old
Method.add_method.

* Simplified ML oracle interface Thm.add_oracle promotes 'a -> cterm
to 'a -> thm, while results are always tagged with an authentic oracle
name.  The Isar command 'oracle' is now polymorphic, no argument type
is specified.  INCOMPATIBILITY, need to simplify existing oracle code
accordingly.  Note that extra performance may be gained by producing
the cterm carefully, avoiding slow Thm.cterm_of.

* Simplified interface for defining document antiquotations via
ThyOutput.antiquotation, ThyOutput.output, and optionally
ThyOutput.maybe_pretty_source.  INCOMPATIBILITY, need to simplify user
antiquotations accordingly, see src/Pure/Thy/thy_output.ML for common
examples.

* More systematic treatment of long names, abstract name bindings, and
name space operations.  Basic operations on qualified names have been
move from structure NameSpace to Long_Name, e.g. Long_Name.base_name,
Long_Name.append.  Old type bstring has been mostly replaced by
abstract type binding (see structure Binding), which supports precise
qualification by packages and local theory targets, as well as proper
tracking of source positions.  INCOMPATIBILITY, need to wrap old
bstring values into Binding.name, or better pass through abstract
bindings everywhere.  See further src/Pure/General/long_name.ML,
src/Pure/General/binding.ML and src/Pure/General/name_space.ML

* Result facts (from PureThy.note_thms, ProofContext.note_thms,
LocalTheory.note etc.) now refer to the *full* internal name, not the
bstring as before.  INCOMPATIBILITY, not detected by ML type-checking!

* Disposed old type and term read functions (Sign.read_def_typ,
Sign.read_typ, Sign.read_def_terms, Sign.read_term,
Thm.read_def_cterms, Thm.read_cterm etc.).  INCOMPATIBILITY, should
use regular Syntax.read_typ, Syntax.read_term, Syntax.read_typ_global,
Syntax.read_term_global etc.; see also OldGoals.read_term as last
resort for legacy applications.

* Disposed old declarations, tactics, tactic combinators that refer to
the simpset or claset of an implicit theory (such as Addsimps,
Simp_tac, SIMPSET).  INCOMPATIBILITY, should use @{simpset} etc. in
embedded ML text, or local_simpset_of with a proper context passed as
explicit runtime argument.

* Rules and tactics that read instantiations (read_instantiate,
res_inst_tac, thin_tac, subgoal_tac etc.) now demand a proper proof
context, which is required for parsing and type-checking.  Moreover,
the variables are specified as plain indexnames, not string encodings
thereof.  INCOMPATIBILITY.

* Generic Toplevel.add_hook interface allows to analyze the result of
transactions.  E.g. see src/Pure/ProofGeneral/proof_general_pgip.ML
for theorem dependency output of transactions resulting in a new
theory state.

* ML antiquotations: block-structured compilation context indicated by
\<lbrace> ... \<rbrace>; additional antiquotation forms:

  @{binding name}                         - basic name binding
  @{let ?pat = term}                      - term abbreviation (HO matching)
  @{note name = fact}                     - fact abbreviation
  @{thm fact}                             - singleton fact (with attributes)
  @{thms fact}                            - general fact (with attributes)
  @{lemma prop by method}                 - singleton goal
  @{lemma prop by meth1 meth2}            - singleton goal
  @{lemma prop1 ... propN by method}      - general goal
  @{lemma prop1 ... propN by meth1 meth2} - general goal
  @{lemma (open) ...}                     - open derivation


*** System ***

* The Isabelle "emacs" tool provides a specific interface to invoke
Proof General / Emacs, with more explicit failure if that is not
installed (the old isabelle-interface script silently falls back on
isabelle-process).  The PROOFGENERAL_HOME setting determines the
installation location of the Proof General distribution.

* Isabelle/lib/classes/Pure.jar provides basic support to integrate
the Isabelle process into a JVM/Scala application.  See
Isabelle/lib/jedit/plugin for a minimal example.  (The obsolete Java
process wrapper has been discontinued.)

* Added homegrown Isabelle font with unicode layout, see lib/fonts.

* Various status messages (with exact source position information) are
emitted, if proper markup print mode is enabled.  This allows
user-interface components to provide detailed feedback on internal
prover operations.


New in Isabelle2008 (June 2008)
-------------------------------

*** General ***

* The Isabelle/Isar Reference Manual (isar-ref) has been reorganized
and updated, with formally checked references as hyperlinks.

* Theory loader: use_thy (and similar operations) no longer set the
implicit ML context, which was occasionally hard to predict and in
conflict with concurrency.  INCOMPATIBILITY, use ML within Isar which
provides a proper context already.

* Theory loader: old-style ML proof scripts being *attached* to a thy
file are no longer supported.  INCOMPATIBILITY, regular 'uses' and
'use' within a theory file will do the job.

* Name space merge now observes canonical order, i.e. the second space
is inserted into the first one, while existing entries in the first
space take precedence.  INCOMPATIBILITY in rare situations, may try to
swap theory imports.

* Syntax: symbol \<chi> is now considered a letter.  Potential
INCOMPATIBILITY in identifier syntax etc.

* Outer syntax: string tokens no longer admit escaped white space,
which was an accidental (undocumented) feature.  INCOMPATIBILITY, use
white space without escapes.

* Outer syntax: string tokens may contain arbitrary character codes
specified via 3 decimal digits (as in SML).  E.g. "foo\095bar" for
"foo_bar".


*** Pure ***

* Context-dependent token translations.  Default setup reverts locally
fixed variables, and adds hilite markup for undeclared frees.

* Unused theorems can be found using the new command 'unused_thms'.
There are three ways of invoking it:

(1) unused_thms
     Only finds unused theorems in the current theory.

(2) unused_thms thy_1 ... thy_n -
     Finds unused theorems in the current theory and all of its ancestors,
     excluding the theories thy_1 ... thy_n and all of their ancestors.

(3) unused_thms thy_1 ... thy_n - thy'_1 ... thy'_m
     Finds unused theorems in the theories thy'_1 ... thy'_m and all of
     their ancestors, excluding the theories thy_1 ... thy_n and all of
     their ancestors.

In order to increase the readability of the list produced by
unused_thms, theorems that have been created by a particular instance
of a theory command such as 'inductive' or 'function' are considered
to belong to the same "group", meaning that if at least one theorem in
this group is used, the other theorems in the same group are no longer
reported as unused.  Moreover, if all theorems in the group are
unused, only one theorem in the group is displayed.

Note that proof objects have to be switched on in order for
unused_thms to work properly (i.e. !proofs must be >= 1, which is
usually the case when using Proof General with the default settings).

* Authentic naming of facts disallows ad-hoc overwriting of previous
theorems within the same name space.  INCOMPATIBILITY, need to remove
duplicate fact bindings, or even accidental fact duplications.  Note
that tools may maintain dynamically scoped facts systematically, using
PureThy.add_thms_dynamic.

* Command 'hide' now allows to hide from "fact" name space as well.

* Eliminated destructive theorem database, simpset, claset, and
clasimpset.  Potential INCOMPATIBILITY, really need to observe linear
update of theories within ML code.

* Eliminated theory ProtoPure and CPure, leaving just one Pure theory.
INCOMPATIBILITY, object-logics depending on former Pure require
additional setup PureThy.old_appl_syntax_setup; object-logics
depending on former CPure need to refer to Pure.

* Commands 'use' and 'ML' are now purely functional, operating on
theory/local_theory.  Removed former 'ML_setup' (on theory), use 'ML'
instead.  Added 'ML_val' as mere diagnostic replacement for 'ML'.
INCOMPATIBILITY.

* Command 'setup': discontinued implicit version with ML reference.

* Instantiation target allows for simultaneous specification of class
instance operations together with an instantiation proof.
Type-checking phase allows to refer to class operations uniformly.
See src/HOL/Complex/Complex.thy for an Isar example and
src/HOL/Library/Eval.thy for an ML example.

* Indexing of literal facts: be more serious about including only
facts from the visible specification/proof context, but not the
background context (locale etc.).  Affects `prop` notation and method
"fact".  INCOMPATIBILITY: need to name facts explicitly in rare
situations.

* Method "cases", "induct", "coinduct": removed obsolete/undocumented
"(open)" option, which used to expose internal bound variables to the
proof text.

* Isar statements: removed obsolete case "rule_context".
INCOMPATIBILITY, better use explicit fixes/assumes.

* Locale proofs: default proof step now includes 'unfold_locales';
hence 'proof' without argument may be used to unfold locale
predicates.


*** Document preparation ***

* Simplified pdfsetup.sty: color/hyperref is used unconditionally for
both pdf and dvi (hyperlinks usually work in xdvi as well); removed
obsolete thumbpdf setup (contemporary PDF viewers do this on the
spot); renamed link color from "darkblue" to "linkcolor" (default
value unchanged, can be redefined via \definecolor); no longer sets
"a4paper" option (unnecessary or even intrusive).

* Antiquotation @{lemma A method} proves proposition A by the given
method (either a method name or a method name plus (optional) method
arguments in parentheses) and prints A just like @{prop A}.


*** HOL ***

* New primrec package.  Specification syntax conforms in style to
definition/function/....  No separate induction rule is provided.  The
"primrec" command distinguishes old-style and new-style specifications
by syntax.  The former primrec package is now named OldPrimrecPackage.
When adjusting theories, beware: constants stemming from new-style
primrec specifications have authentic syntax.

* Metis prover is now an order of magnitude faster, and also works
with multithreading.

* Metis: the maximum number of clauses that can be produced from a
theorem is now given by the attribute max_clauses.  Theorems that
exceed this number are ignored, with a warning printed.

* Sledgehammer no longer produces structured proofs by default. To
enable, declare [[sledgehammer_full = true]].  Attributes
reconstruction_modulus, reconstruction_sorts renamed
sledgehammer_modulus, sledgehammer_sorts.  INCOMPATIBILITY.

* Method "induct_scheme" derives user-specified induction rules
from well-founded induction and completeness of patterns. This factors
out some operations that are done internally by the function package
and makes them available separately.  See
src/HOL/ex/Induction_Scheme.thy for examples.

* More flexible generation of measure functions for termination
proofs: Measure functions can be declared by proving a rule of the
form "is_measure f" and giving it the [measure_function] attribute.
The "is_measure" predicate is logically meaningless (always true), and
just guides the heuristic.  To find suitable measure functions, the
termination prover sets up the goal "is_measure ?f" of the appropriate
type and generates all solutions by Prolog-style backward proof using
the declared rules.

This setup also deals with rules like

  "is_measure f ==> is_measure (list_size f)"

which accommodates nested datatypes that recurse through lists.
Similar rules are predeclared for products and option types.

* Turned the type of sets "'a set" into an abbreviation for "'a => bool"

  INCOMPATIBILITIES:

  - Definitions of overloaded constants on sets have to be replaced by
    definitions on => and bool.

  - Some definitions of overloaded operators on sets can now be proved
    using the definitions of the operators on => and bool.  Therefore,
    the following theorems have been renamed:

      subset_def   -> subset_eq
      psubset_def  -> psubset_eq
      set_diff_def -> set_diff_eq
      Compl_def    -> Compl_eq
      Sup_set_def  -> Sup_set_eq
      Inf_set_def  -> Inf_set_eq
      sup_set_def  -> sup_set_eq
      inf_set_def  -> inf_set_eq

  - Due to the incompleteness of the HO unification algorithm, some
    rules such as subst may require manual instantiation, if some of
    the unknowns in the rule is a set.

  - Higher order unification and forward proofs:
    The proof pattern

      have "P (S::'a set)" <...>
      then have "EX S. P S" ..

    no longer works (due to the incompleteness of the HO unification
    algorithm) and must be replaced by the pattern

      have "EX S. P S"
      proof
        show "P S" <...>
      qed

  - Calculational reasoning with subst (or similar rules):
    The proof pattern

      have "P (S::'a set)" <...>
      also have "S = T" <...>
      finally have "P T" .

    no longer works (for similar reasons as the previous example) and
    must be replaced by something like

      have "P (S::'a set)" <...>
      moreover have "S = T" <...>
      ultimately have "P T" by simp

  - Tactics or packages written in ML code:
    Code performing pattern matching on types via

      Type ("set", [T]) => ...

    must be rewritten. Moreover, functions like strip_type or
    binder_types no longer return the right value when applied to a
    type of the form

      T1 => ... => Tn => U => bool

    rather than

      T1 => ... => Tn => U set

* Merged theories Wellfounded_Recursion, Accessible_Part and
Wellfounded_Relations to theory Wellfounded.

* Explicit class "eq" for executable equality.  INCOMPATIBILITY.

* Class finite no longer treats UNIV as class parameter.  Use class
enum from theory Library/Enum instead to achieve a similar effect.
INCOMPATIBILITY.

* Theory List: rule list_induct2 now has explicitly named cases "Nil"
and "Cons".  INCOMPATIBILITY.

* HOL (and FOL): renamed variables in rules imp_elim and swap.
Potential INCOMPATIBILITY.

* Theory Product_Type: duplicated lemmas split_Pair_apply and
injective_fst_snd removed, use split_eta and prod_eqI instead.
Renamed upd_fst to apfst and upd_snd to apsnd.  INCOMPATIBILITY.

* Theory Nat: removed redundant lemmas that merely duplicate lemmas of
the same name in theory Orderings:

  less_trans
  less_linear
  le_imp_less_or_eq
  le_less_trans
  less_le_trans
  less_not_sym
  less_asym

Renamed less_imp_le to less_imp_le_nat, and less_irrefl to
less_irrefl_nat.  Potential INCOMPATIBILITY due to more general types
and different variable names.

* Library/Option_ord.thy: Canonical order on option type.

* Library/RBT.thy: Red-black trees, an efficient implementation of
finite maps.

* Library/Countable.thy: Type class for countable types.

* Theory Int: The representation of numerals has changed.  The infix
operator BIT and the bit datatype with constructors B0 and B1 have
disappeared.  INCOMPATIBILITY, use "Int.Bit0 x" and "Int.Bit1 y" in
place of "x BIT bit.B0" and "y BIT bit.B1", respectively.  Theorems
involving BIT, B0, or B1 have been renamed with "Bit0" or "Bit1"
accordingly.

* Theory Nat: definition of <= and < on natural numbers no longer
depend on well-founded relations.  INCOMPATIBILITY.  Definitions
le_def and less_def have disappeared.  Consider lemmas not_less
[symmetric, where ?'a = nat] and less_eq [symmetric] instead.

* Theory Finite_Set: locales ACf, ACe, ACIf, ACIfSL and ACIfSLlin
(whose purpose mainly is for various fold_set functionals) have been
abandoned in favor of the existing algebraic classes
ab_semigroup_mult, comm_monoid_mult, ab_semigroup_idem_mult,
lower_semilattice (resp. upper_semilattice) and linorder.
INCOMPATIBILITY.

* Theory Transitive_Closure: induct and cases rules now declare proper
case_names ("base" and "step").  INCOMPATIBILITY.

* Theorem Inductive.lfp_ordinal_induct generalized to complete
lattices.  The form set-specific version is available as
Inductive.lfp_ordinal_induct_set.

* Renamed theorems "power.simps" to "power_int.simps".
INCOMPATIBILITY.

* Class semiring_div provides basic abstract properties of semirings
with division and modulo operations.  Subsumes former class dvd_mod.

* Merged theories IntDef, Numeral and IntArith into unified theory
Int.  INCOMPATIBILITY.

* Theory Library/Code_Index: type "index" now represents natural
numbers rather than integers.  INCOMPATIBILITY.

* New class "uminus" with operation "uminus" (split of from class
"minus" which now only has operation "minus", binary).
INCOMPATIBILITY.

* Constants "card", "internal_split", "option_map" now with authentic
syntax.  INCOMPATIBILITY.

* Definitions subset_def, psubset_def, set_diff_def, Compl_def,
le_bool_def, less_bool_def, le_fun_def, less_fun_def, inf_bool_def,
sup_bool_def, Inf_bool_def, Sup_bool_def, inf_fun_def, sup_fun_def,
Inf_fun_def, Sup_fun_def, inf_set_def, sup_set_def, Inf_set_def,
Sup_set_def, le_def, less_def, option_map_def now with object
equality.  INCOMPATIBILITY.

* Records. Removed K_record, and replaced it by pure lambda term
%x. c. The simplifier setup is now more robust against eta expansion.
INCOMPATIBILITY: in cases explicitly referring to K_record.

* Library/Multiset: {#a, b, c#} abbreviates {#a#} + {#b#} + {#c#}.

* Library/ListVector: new theory of arithmetic vector operations.

* Library/Order_Relation: new theory of various orderings as sets of
pairs.  Defines preorders, partial orders, linear orders and
well-orders on sets and on types.


*** ZF ***

* Renamed some theories to allow to loading both ZF and HOL in the
same session:

  Datatype  -> Datatype_ZF
  Inductive -> Inductive_ZF
  Int       -> Int_ZF
  IntDiv    -> IntDiv_ZF
  Nat       -> Nat_ZF
  List      -> List_ZF
  Main      -> Main_ZF

INCOMPATIBILITY: ZF theories that import individual theories below
Main might need to be adapted.  Regular theory Main is still
available, as trivial extension of Main_ZF.


*** ML ***

* ML within Isar: antiquotation @{const name} or @{const
name(typargs)} produces statically-checked Const term.

* Functor NamedThmsFun: data is available to the user as dynamic fact
(of the same name).  Removed obsolete print command.

* Removed obsolete "use_legacy_bindings" function.

* The ``print mode'' is now a thread-local value derived from a global
template (the former print_mode reference), thus access becomes
non-critical.  The global print_mode reference is for session
management only; user-code should use print_mode_value,
print_mode_active, PrintMode.setmp etc.  INCOMPATIBILITY.

* Functions system/system_out provide a robust way to invoke external
shell commands, with propagation of interrupts (requires Poly/ML
5.2.1).  Do not use OS.Process.system etc. from the basis library!


*** System ***

* Default settings: PROOFGENERAL_OPTIONS no longer impose xemacs ---
in accordance with Proof General 3.7, which prefers GNU emacs.

* isatool tty runs Isabelle process with plain tty interaction;
optional line editor may be specified via ISABELLE_LINE_EDITOR
setting, the default settings attempt to locate "ledit" and "rlwrap".

* isatool browser now works with Cygwin as well, using general
"javapath" function defined in Isabelle process environment.

* YXML notation provides a simple and efficient alternative to
standard XML transfer syntax.  See src/Pure/General/yxml.ML and
isatool yxml as described in the Isabelle system manual.

* JVM class isabelle.IsabelleProcess (located in Isabelle/lib/classes)
provides general wrapper for managing an Isabelle process in a robust
fashion, with ``cooked'' output from stdin/stderr.

* Rudimentary Isabelle plugin for jEdit (see Isabelle/lib/jedit),
based on Isabelle/JVM process wrapper (see Isabelle/lib/classes).

* Removed obsolete THIS_IS_ISABELLE_BUILD feature.  NB: the documented
way of changing the user's settings is via
ISABELLE_HOME_USER/etc/settings, which is a fully featured bash
script.

* Multithreading.max_threads := 0 refers to the number of actual CPU
cores of the underlying machine, which is a good starting point for
optimal performance tuning.  The corresponding usedir option -M allows
"max" as an alias for "0".  WARNING: does not work on certain versions
of Mac OS (with Poly/ML 5.1).

* isabelle-process: non-ML sessions are run with "nice", to reduce the
adverse effect of Isabelle flooding interactive front-ends (notably
ProofGeneral / XEmacs).


New in Isabelle2007 (November 2007)
-----------------------------------

*** General ***

* More uniform information about legacy features, notably a
warning/error of "Legacy feature: ...", depending on the state of the
tolerate_legacy_features flag (default true). FUTURE INCOMPATIBILITY:
legacy features will disappear eventually.

* Theory syntax: the header format ``theory A = B + C:'' has been
discontinued in favour of ``theory A imports B C begin''.  Use isatool
fixheaders to convert existing theory files.  INCOMPATIBILITY.

* Theory syntax: the old non-Isar theory file format has been
discontinued altogether.  Note that ML proof scripts may still be used
with Isar theories; migration is usually quite simple with the ML
function use_legacy_bindings.  INCOMPATIBILITY.

* Theory syntax: some popular names (e.g. 'class', 'declaration',
'fun', 'help', 'if') are now keywords.  INCOMPATIBILITY, use double
quotes.

* Theory loader: be more serious about observing the static theory
header specifications (including optional directories), but not the
accidental file locations of previously successful loads.  The strict
update policy of former update_thy is now already performed by
use_thy, so the former has been removed; use_thys updates several
theories simultaneously, just as 'imports' within a theory header
specification, but without merging the results.  Potential
INCOMPATIBILITY: may need to refine theory headers and commands
ROOT.ML which depend on load order.

* Theory loader: optional support for content-based file
identification, instead of the traditional scheme of full physical
path plus date stamp; configured by the ISABELLE_FILE_IDENT setting
(cf. the system manual).  The new scheme allows to work with
non-finished theories in persistent session images, such that source
files may be moved later on without requiring reloads.

* Theory loader: old-style ML proof scripts being *attached* to a thy
file (with the same base name as the theory) are considered a legacy
feature, which will disappear eventually. Even now, the theory loader
no longer maintains dependencies on such files.

* Syntax: the scope for resolving ambiguities via type-inference is
now limited to individual terms, instead of whole simultaneous
specifications as before. This greatly reduces the complexity of the
syntax module and improves flexibility by separating parsing and
type-checking. INCOMPATIBILITY: additional type-constraints (explicit
'fixes' etc.) are required in rare situations.

* Syntax: constants introduced by new-style packages ('definition',
'abbreviation' etc.) are passed through the syntax module in
``authentic mode''. This means that associated mixfix annotations
really stick to such constants, independently of potential name space
ambiguities introduced later on. INCOMPATIBILITY: constants in parse
trees are represented slightly differently, may need to adapt syntax
translations accordingly. Use CONST marker in 'translations' and
@{const_syntax} antiquotation in 'parse_translation' etc.

* Legacy goal package: reduced interface to the bare minimum required
to keep existing proof scripts running.  Most other user-level
functions are now part of the OldGoals structure, which is *not* open
by default (consider isatool expandshort before open OldGoals).
Removed top_sg, prin, printyp, pprint_term/typ altogether, because
these tend to cause confusion about the actual goal (!) context being
used here, which is not necessarily the same as the_context().

* Command 'find_theorems': supports "*" wild-card in "name:"
criterion; "with_dups" option.  Certain ProofGeneral versions might
support a specific search form (see ProofGeneral/CHANGES).

* The ``prems limit'' option (cf. ProofContext.prems_limit) is now -1
by default, which means that "prems" (and also "fixed variables") are
suppressed from proof state output.  Note that the ProofGeneral
settings mechanism allows to change and save options persistently, but
older versions of Isabelle will fail to start up if a negative prems
limit is imposed.

* Local theory targets may be specified by non-nested blocks of
``context/locale/class ... begin'' followed by ``end''.  The body may
contain definitions, theorems etc., including any derived mechanism
that has been implemented on top of these primitives.  This concept
generalizes the existing ``theorem (in ...)'' towards more versatility
and scalability.

* Proof General interface: proper undo of final 'end' command;
discontinued Isabelle/classic mode (ML proof scripts).


*** Document preparation ***

* Added antiquotation @{theory name} which prints the given name,
after checking that it refers to a valid ancestor theory in the
current context.

* Added antiquotations @{ML_type text} and @{ML_struct text} which
check the given source text as ML type/structure, printing verbatim.

* Added antiquotation @{abbrev "c args"} which prints the abbreviation
"c args == rhs" given in the current context.  (Any number of
arguments may be given on the LHS.)


*** Pure ***

* The 'class' package offers a combination of axclass and locale to
achieve Haskell-like type classes in Isabelle.  Definitions and
theorems within a class context produce both relative results (with
implicit parameters according to the locale context), and polymorphic
constants with qualified polymorphism (according to the class
context).  Within the body context of a 'class' target, a separate
syntax layer ("user space type system") takes care of converting
between global polymorphic consts and internal locale representation.
See src/HOL/ex/Classpackage.thy for examples (as well as main HOL).
"isatool doc classes" provides a tutorial.

* Generic code generator framework allows to generate executable
code for ML and Haskell (including Isabelle classes).  A short usage
sketch:

    internal compilation:
        export_code <list of constants (term syntax)> in SML
    writing SML code to a file:
        export_code <list of constants (term syntax)> in SML <filename>
    writing OCaml code to a file:
        export_code <list of constants (term syntax)> in OCaml <filename>
    writing Haskell code to a bunch of files:
        export_code <list of constants (term syntax)> in Haskell <filename>

    evaluating closed propositions to True/False using code generation:
        method ``eval''

Reasonable default setup of framework in HOL.

Theorem attributs for selecting and transforming function equations theorems:

    [code fun]:        select a theorem as function equation for a specific constant
    [code fun del]:    deselect a theorem as function equation for a specific constant
    [code inline]:     select an equation theorem for unfolding (inlining) in place
    [code inline del]: deselect an equation theorem for unfolding (inlining) in place

User-defined serializations (target in {SML, OCaml, Haskell}):

    code_const <and-list of constants (term syntax)>
      {(target) <and-list of const target syntax>}+

    code_type <and-list of type constructors>
      {(target) <and-list of type target syntax>}+

    code_instance <and-list of instances>
      {(target)}+
        where instance ::= <type constructor> :: <class>

    code_class <and_list of classes>
      {(target) <and-list of class target syntax>}+
        where class target syntax ::= <class name> {where {<classop> == <target syntax>}+}?

code_instance and code_class only are effective to target Haskell.

For example usage see src/HOL/ex/Codegenerator.thy and
src/HOL/ex/Codegenerator_Pretty.thy.  A separate tutorial on code
generation from Isabelle/HOL theories is available via "isatool doc
codegen".

* Code generator: consts in 'consts_code' Isar commands are now
referred to by usual term syntax (including optional type
annotations).

* Command 'no_translations' removes translation rules from theory
syntax.

* Overloaded definitions are now actually checked for acyclic
dependencies.  The overloading scheme is slightly more general than
that of Haskell98, although Isabelle does not demand an exact
correspondence to type class and instance declarations.
INCOMPATIBILITY, use ``defs (unchecked overloaded)'' to admit more
exotic versions of overloading -- at the discretion of the user!

Polymorphic constants are represented via type arguments, i.e. the
instantiation that matches an instance against the most general
declaration given in the signature.  For example, with the declaration
c :: 'a => 'a => 'a, an instance c :: nat => nat => nat is represented
as c(nat).  Overloading is essentially simultaneous structural
recursion over such type arguments.  Incomplete specification patterns
impose global constraints on all occurrences, e.g. c('a * 'a) on the
LHS means that more general c('a * 'b) will be disallowed on any RHS.
Command 'print_theory' outputs the normalized system of recursive
equations, see section "definitions".

* Configuration options are maintained within the theory or proof
context (with name and type bool/int/string), providing a very simple
interface to a poor-man's version of general context data.  Tools may
declare options in ML (e.g. using Attrib.config_int) and then refer to
these values using Config.get etc.  Users may change options via an
associated attribute of the same name.  This form of context
declaration works particularly well with commands 'declare' or
'using', for example ``declare [[foo = 42]]''.  Thus it has become
very easy to avoid global references, which would not observe Isar
toplevel undo/redo and fail to work with multithreading.

Various global ML references of Pure and HOL have been turned into
configuration options:

  Unify.search_bound		unify_search_bound
  Unify.trace_bound		unify_trace_bound
  Unify.trace_simp		unify_trace_simp
  Unify.trace_types		unify_trace_types
  Simplifier.simp_depth_limit	simp_depth_limit
  Blast.depth_limit		blast_depth_limit
  DatatypeProp.dtK		datatype_distinctness_limit
  fast_arith_neq_limit  	fast_arith_neq_limit
  fast_arith_split_limit	fast_arith_split_limit

* Named collections of theorems may be easily installed as context
data using the functor NamedThmsFun (see also
src/Pure/Tools/named_thms.ML).  The user may add or delete facts via
attributes; there is also a toplevel print command.  This facility is
just a common case of general context data, which is the preferred way
for anything more complex than just a list of facts in canonical
order.

* Isar: command 'declaration' augments a local theory by generic
declaration functions written in ML.  This enables arbitrary content
being added to the context, depending on a morphism that tells the
difference of the original declaration context wrt. the application
context encountered later on.

* Isar: proper interfaces for simplification procedures.  Command
'simproc_setup' declares named simprocs (with match patterns, and body
text in ML).  Attribute "simproc" adds/deletes simprocs in the current
context.  ML antiquotation @{simproc name} retrieves named simprocs.

* Isar: an extra pair of brackets around attribute declarations
abbreviates a theorem reference involving an internal dummy fact,
which will be ignored later --- only the effect of the attribute on
the background context will persist.  This form of in-place
declarations is particularly useful with commands like 'declare' and
'using', for example ``have A using [[simproc a]] by simp''.

* Isar: method "assumption" (and implicit closing of subproofs) now
takes simple non-atomic goal assumptions into account: after applying
an assumption as a rule the resulting subgoals are solved by atomic
assumption steps.  This is particularly useful to finish 'obtain'
goals, such as "!!x. (!!x. P x ==> thesis) ==> P x ==> thesis",
without referring to the original premise "!!x. P x ==> thesis" in the
Isar proof context.  POTENTIAL INCOMPATIBILITY: method "assumption" is
more permissive.

* Isar: implicit use of prems from the Isar proof context is
considered a legacy feature.  Common applications like ``have A .''
may be replaced by ``have A by fact'' or ``note `A`''.  In general,
referencing facts explicitly here improves readability and
maintainability of proof texts.

* Isar: improper proof element 'guess' is like 'obtain', but derives
the obtained context from the course of reasoning!  For example:

  assume "EX x y. A x & B y"   -- "any previous fact"
  then guess x and y by clarify

This technique is potentially adventurous, depending on the facts and
proof tools being involved here.

* Isar: known facts from the proof context may be specified as literal
propositions, using ASCII back-quote syntax.  This works wherever
named facts used to be allowed so far, in proof commands, proof
methods, attributes etc.  Literal facts are retrieved from the context
according to unification of type and term parameters.  For example,
provided that "A" and "A ==> B" and "!!x. P x ==> Q x" are known
theorems in the current context, then these are valid literal facts:
`A` and `A ==> B` and `!!x. P x ==> Q x" as well as `P a ==> Q a` etc.

There is also a proof method "fact" which does the same composition
for explicit goal states, e.g. the following proof texts coincide with
certain special cases of literal facts:

  have "A" by fact                 ==  note `A`
  have "A ==> B" by fact           ==  note `A ==> B`
  have "!!x. P x ==> Q x" by fact  ==  note `!!x. P x ==> Q x`
  have "P a ==> Q a" by fact       ==  note `P a ==> Q a`

* Isar: ":" (colon) is no longer a symbolic identifier character in
outer syntax.  Thus symbolic identifiers may be used without
additional white space in declarations like this: ``assume *: A''.

* Isar: 'print_facts' prints all local facts of the current context,
both named and unnamed ones.

* Isar: 'def' now admits simultaneous definitions, e.g.:

  def x == "t" and y == "u"

* Isar: added command 'unfolding', which is structurally similar to
'using', but affects both the goal state and facts by unfolding given
rewrite rules.  Thus many occurrences of the 'unfold' method or
'unfolded' attribute may be replaced by first-class proof text.

* Isar: methods 'unfold' / 'fold', attributes 'unfolded' / 'folded',
and command 'unfolding' now all support object-level equalities
(potentially conditional).  The underlying notion of rewrite rule is
analogous to the 'rule_format' attribute, but *not* that of the
Simplifier (which is usually more generous).

* Isar: the new attribute [rotated n] (default n = 1) rotates the
premises of a theorem by n. Useful in conjunction with drule.

* Isar: the goal restriction operator [N] (default N = 1) evaluates a
method expression within a sandbox consisting of the first N
sub-goals, which need to exist.  For example, ``simp_all [3]''
simplifies the first three sub-goals, while (rule foo, simp_all)[]
simplifies all new goals that emerge from applying rule foo to the
originally first one.

* Isar: schematic goals are no longer restricted to higher-order
patterns; e.g. ``lemma "?P(?x)" by (rule TrueI)'' now works as
expected.

* Isar: the conclusion of a long theorem statement is now either
'shows' (a simultaneous conjunction, as before), or 'obtains'
(essentially a disjunction of cases with local parameters and
assumptions).  The latter allows to express general elimination rules
adequately; in this notation common elimination rules look like this:

  lemma exE:    -- "EX x. P x ==> (!!x. P x ==> thesis) ==> thesis"
    assumes "EX x. P x"
    obtains x where "P x"

  lemma conjE:  -- "A & B ==> (A ==> B ==> thesis) ==> thesis"
    assumes "A & B"
    obtains A and B

  lemma disjE:  -- "A | B ==> (A ==> thesis) ==> (B ==> thesis) ==> thesis"
    assumes "A | B"
    obtains
      A
    | B

The subsequent classical rules even refer to the formal "thesis"
explicitly:

  lemma classical:     -- "(~ thesis ==> thesis) ==> thesis"
    obtains "~ thesis"

  lemma Peirce's_Law:  -- "((thesis ==> something) ==> thesis) ==> thesis"
    obtains "thesis ==> something"

The actual proof of an 'obtains' statement is analogous to that of the
Isar proof element 'obtain', only that there may be several cases.
Optional case names may be specified in parentheses; these will be
available both in the present proof and as annotations in the
resulting rule, for later use with the 'cases' method (cf. attribute
case_names).

* Isar: the assumptions of a long theorem statement are available as
"assms" fact in the proof context.  This is more appropriate than the
(historical) "prems", which refers to all assumptions of the current
context, including those from the target locale, proof body etc.

* Isar: 'print_statement' prints theorems from the current theory or
proof context in long statement form, according to the syntax of a
top-level lemma.

* Isar: 'obtain' takes an optional case name for the local context
introduction rule (default "that").

* Isar: removed obsolete 'concl is' patterns.  INCOMPATIBILITY, use
explicit (is "_ ==> ?foo") in the rare cases where this still happens
to occur.

* Pure: syntax "CONST name" produces a fully internalized constant
according to the current context.  This is particularly useful for
syntax translations that should refer to internal constant
representations independently of name spaces.

* Pure: syntax constant for foo (binder "FOO ") is called "foo_binder"
instead of "FOO ". This allows multiple binder declarations to coexist
in the same context.  INCOMPATIBILITY.

* Isar/locales: 'notation' provides a robust interface to the 'syntax'
primitive that also works in a locale context (both for constants and
fixed variables). Type declaration and internal syntactic representation
of given constants retrieved from the context. Likewise, the
'no_notation' command allows to remove given syntax annotations from the
current context.

* Isar/locales: new derived specification elements 'axiomatization',
'definition', 'abbreviation', which support type-inference, admit
object-level specifications (equality, equivalence).  See also the
isar-ref manual.  Examples:

  axiomatization
    eq  (infix "===" 50) where
    eq_refl: "x === x" and eq_subst: "x === y ==> P x ==> P y"

  definition "f x y = x + y + 1"
  definition g where "g x = f x x"

  abbreviation
    neq  (infix "=!=" 50) where
    "x =!= y == ~ (x === y)"

These specifications may be also used in a locale context.  Then the
constants being introduced depend on certain fixed parameters, and the
constant name is qualified by the locale base name.  An internal
abbreviation takes care for convenient input and output, making the
parameters implicit and using the original short name.  See also
src/HOL/ex/Abstract_NAT.thy for an example of deriving polymorphic
entities from a monomorphic theory.

Presently, abbreviations are only available 'in' a target locale, but
not inherited by general import expressions.  Also note that
'abbreviation' may be used as a type-safe replacement for 'syntax' +
'translations' in common applications.  The "no_abbrevs" print mode
prevents folding of abbreviations in term output.

Concrete syntax is attached to specified constants in internal form,
independently of name spaces.  The parse tree representation is
slightly different -- use 'notation' instead of raw 'syntax', and
'translations' with explicit "CONST" markup to accommodate this.

* Pure/Isar: unified syntax for new-style specification mechanisms
(e.g.  'definition', 'abbreviation', or 'inductive' in HOL) admits
full type inference and dummy patterns ("_").  For example:

  definition "K x _ = x"

  inductive conj for A B
  where "A ==> B ==> conj A B"

* Pure: command 'print_abbrevs' prints all constant abbreviations of
the current context.  Print mode "no_abbrevs" prevents inversion of
abbreviations on output.

* Isar/locales: improved parameter handling: use of locales "var" and
"struct" no longer necessary; - parameter renamings are no longer
required to be injective.  For example, this allows to define
endomorphisms as locale endom = homom mult mult h.

* Isar/locales: changed the way locales with predicates are defined.
Instead of accumulating the specification, the imported expression is
now an interpretation.  INCOMPATIBILITY: different normal form of
locale expressions.  In particular, in interpretations of locales with
predicates, goals repesenting already interpreted fragments are not
removed automatically.  Use methods `intro_locales' and
`unfold_locales'; see below.

* Isar/locales: new methods `intro_locales' and `unfold_locales'
provide backward reasoning on locales predicates.  The methods are
aware of interpretations and discharge corresponding goals.
`intro_locales' is less aggressive then `unfold_locales' and does not
unfold predicates to assumptions.

* Isar/locales: the order in which locale fragments are accumulated
has changed.  This enables to override declarations from fragments due
to interpretations -- for example, unwanted simp rules.

* Isar/locales: interpretation in theories and proof contexts has been
extended.  One may now specify (and prove) equations, which are
unfolded in interpreted theorems.  This is useful for replacing
defined concepts (constants depending on locale parameters) by
concepts already existing in the target context.  Example:

  interpretation partial_order ["op <= :: [int, int] => bool"]
    where "partial_order.less (op <=) (x::int) y = (x < y)"

Typically, the constant `partial_order.less' is created by a
definition specification element in the context of locale
partial_order.

* Method "induct": improved internal context management to support
local fixes and defines on-the-fly. Thus explicit meta-level
connectives !!  and ==> are rarely required anymore in inductive goals
(using object-logic connectives for this purpose has been long
obsolete anyway). Common proof patterns are explained in
src/HOL/Induct/Common_Patterns.thy, see also
src/HOL/Isar_examples/Puzzle.thy and src/HOL/Lambda for realistic
examples.

* Method "induct": improved handling of simultaneous goals. Instead of
introducing object-level conjunction, the statement is now split into
several conclusions, while the corresponding symbolic cases are nested
accordingly. INCOMPATIBILITY, proofs need to be structured explicitly,
see src/HOL/Induct/Common_Patterns.thy, for example.

* Method "induct": mutual induction rules are now specified as a list
of rule sharing the same induction cases. HOL packages usually provide
foo_bar.inducts for mutually defined items foo and bar (e.g. inductive
predicates/sets or datatypes). INCOMPATIBILITY, users need to specify
mutual induction rules differently, i.e. like this:

  (induct rule: foo_bar.inducts)
  (induct set: foo bar)
  (induct pred: foo bar)
  (induct type: foo bar)

The ML function ProjectRule.projections turns old-style rules into the
new format.

* Method "coinduct": dual of induction, see
src/HOL/Library/Coinductive_List.thy for various examples.

* Method "cases", "induct", "coinduct": the ``(open)'' option is
considered a legacy feature.

* Attribute "symmetric" produces result with standardized schematic
variables (index 0).  Potential INCOMPATIBILITY.

* Simplifier: by default the simplifier trace only shows top level
rewrites now. That is, trace_simp_depth_limit is set to 1 by
default. Thus there is less danger of being flooded by the trace. The
trace indicates where parts have been suppressed.

* Provers/classical: removed obsolete classical version of elim_format
attribute; classical elim/dest rules are now treated uniformly when
manipulating the claset.

* Provers/classical: stricter checks to ensure that supplied intro,
dest and elim rules are well-formed; dest and elim rules must have at
least one premise.

* Provers/classical: attributes dest/elim/intro take an optional
weight argument for the rule (just as the Pure versions).  Weights are
ignored by automated tools, but determine the search order of single
rule steps.

* Syntax: input syntax now supports dummy variable binding "%_. b",
where the body does not mention the bound variable.  Note that dummy
patterns implicitly depend on their context of bounds, which makes
"{_. _}" match any set comprehension as expected.  Potential
INCOMPATIBILITY -- parse translations need to cope with syntactic
constant "_idtdummy" in the binding position.

* Syntax: removed obsolete syntactic constant "_K" and its associated
parse translation.  INCOMPATIBILITY -- use dummy abstraction instead,
for example "A -> B" => "Pi A (%_. B)".

* Pure: 'class_deps' command visualizes the subclass relation, using
the graph browser tool.

* Pure: 'print_theory' now suppresses certain internal declarations by
default; use '!' option for full details.


*** HOL ***

* Method "metis" proves goals by applying the Metis general-purpose
resolution prover (see also http://gilith.com/software/metis/).
Examples are in the directory MetisExamples.  WARNING: the
Isabelle/HOL-Metis integration does not yet work properly with
multi-threading.

* Command 'sledgehammer' invokes external automatic theorem provers as
background processes.  It generates calls to the "metis" method if
successful. These can be pasted into the proof.  Users do not have to
wait for the automatic provers to return.  WARNING: does not really
work with multi-threading.

* New "auto_quickcheck" feature tests outermost goal statements for
potential counter-examples.  Controlled by ML references
auto_quickcheck (default true) and auto_quickcheck_time_limit (default
5000 milliseconds).  Fails silently if statements is outside of
executable fragment, or any other codgenerator problem occurs.

* New constant "undefined" with axiom "undefined x = undefined".

* Added class "HOL.eq", allowing for code generation with polymorphic
equality.

* Some renaming of class constants due to canonical name prefixing in
the new 'class' package:

    HOL.abs ~> HOL.abs_class.abs
    HOL.divide ~> HOL.divide_class.divide
    0 ~> HOL.zero_class.zero
    1 ~> HOL.one_class.one
    op + ~> HOL.plus_class.plus
    op - ~> HOL.minus_class.minus
    uminus ~> HOL.minus_class.uminus
    op * ~> HOL.times_class.times
    op < ~> HOL.ord_class.less
    op <= > HOL.ord_class.less_eq
    Nat.power ~> Power.power_class.power
    Nat.size ~> Nat.size_class.size
    Numeral.number_of ~> Numeral.number_class.number_of
    FixedPoint.Inf ~> Lattices.complete_lattice_class.Inf
    FixedPoint.Sup ~> Lattices.complete_lattice_class.Sup
    Orderings.min ~> Orderings.ord_class.min
    Orderings.max ~> Orderings.ord_class.max
    Divides.op div ~> Divides.div_class.div
    Divides.op mod ~> Divides.div_class.mod
    Divides.op dvd ~> Divides.div_class.dvd

INCOMPATIBILITY.  Adaptions may be required in the following cases:

a) User-defined constants using any of the names "plus", "minus",
"times", "less" or "less_eq". The standard syntax translations for
"+", "-" and "*" may go wrong.  INCOMPATIBILITY: use more specific
names.

b) Variables named "plus", "minus", "times", "less", "less_eq"
INCOMPATIBILITY: use more specific names.

c) Permutative equations (e.g. "a + b = b + a")
Since the change of names also changes the order of terms, permutative
rewrite rules may get applied in a different order. Experience shows
that this is rarely the case (only two adaptions in the whole Isabelle
distribution).  INCOMPATIBILITY: rewrite proofs

d) ML code directly refering to constant names
This in general only affects hand-written proof tactics, simprocs and
so on.  INCOMPATIBILITY: grep your sourcecode and replace names.
Consider using @{const_name} antiquotation.

* New class "default" with associated constant "default".

* Function "sgn" is now overloaded and available on int, real, complex
(and other numeric types), using class "sgn".  Two possible defs of
sgn are given as equational assumptions in the classes sgn_if and
sgn_div_norm; ordered_idom now also inherits from sgn_if.
INCOMPATIBILITY.

* Locale "partial_order" now unified with class "order" (cf. theory
Orderings), added parameter "less".  INCOMPATIBILITY.

* Renamings in classes "order" and "linorder": facts "refl", "trans" and
"cases" to "order_refl", "order_trans" and "linorder_cases", to avoid
clashes with HOL "refl" and "trans".  INCOMPATIBILITY.

* Classes "order" and "linorder": potential INCOMPATIBILITY due to
changed order of proof goals in instance proofs.

* The transitivity reasoner for partial and linear orders is set up
for classes "order" and "linorder".  Instances of the reasoner are available
in all contexts importing or interpreting the corresponding locales.
Method "order" invokes the reasoner separately; the reasoner
is also integrated with the Simplifier as a solver.  Diagnostic
command 'print_orders' shows the available instances of the reasoner
in the current context.

* Localized monotonicity predicate in theory "Orderings"; integrated
lemmas max_of_mono and min_of_mono with this predicate.
INCOMPATIBILITY.

* Formulation of theorem "dense" changed slightly due to integration
with new class dense_linear_order.

* Uniform lattice theory development in HOL.

    constants "meet" and "join" now named "inf" and "sup"
    constant "Meet" now named "Inf"

    classes "meet_semilorder" and "join_semilorder" now named
      "lower_semilattice" and "upper_semilattice"
    class "lorder" now named "lattice"
    class "comp_lat" now named "complete_lattice"

    Instantiation of lattice classes allows explicit definitions
    for "inf" and "sup" operations (or "Inf" and "Sup" for complete lattices).

  INCOMPATIBILITY.  Theorem renames:

    meet_left_le            ~> inf_le1
    meet_right_le           ~> inf_le2
    join_left_le            ~> sup_ge1
    join_right_le           ~> sup_ge2
    meet_join_le            ~> inf_sup_ord
    le_meetI                ~> le_infI
    join_leI                ~> le_supI
    le_meet                 ~> le_inf_iff
    le_join                 ~> ge_sup_conv
    meet_idempotent         ~> inf_idem
    join_idempotent         ~> sup_idem
    meet_comm               ~> inf_commute
    join_comm               ~> sup_commute
    meet_leI1               ~> le_infI1
    meet_leI2               ~> le_infI2
    le_joinI1               ~> le_supI1
    le_joinI2               ~> le_supI2
    meet_assoc              ~> inf_assoc
    join_assoc              ~> sup_assoc
    meet_left_comm          ~> inf_left_commute
    meet_left_idempotent    ~> inf_left_idem
    join_left_comm          ~> sup_left_commute
    join_left_idempotent    ~> sup_left_idem
    meet_aci                ~> inf_aci
    join_aci                ~> sup_aci
    le_def_meet             ~> le_iff_inf
    le_def_join             ~> le_iff_sup
    join_absorp2            ~> sup_absorb2
    join_absorp1            ~> sup_absorb1
    meet_absorp1            ~> inf_absorb1
    meet_absorp2            ~> inf_absorb2
    meet_join_absorp        ~> inf_sup_absorb
    join_meet_absorp        ~> sup_inf_absorb
    distrib_join_le         ~> distrib_sup_le
    distrib_meet_le         ~> distrib_inf_le

    add_meet_distrib_left   ~> add_inf_distrib_left
    add_join_distrib_left   ~> add_sup_distrib_left
    is_join_neg_meet        ~> is_join_neg_inf
    is_meet_neg_join        ~> is_meet_neg_sup
    add_meet_distrib_right  ~> add_inf_distrib_right
    add_join_distrib_right  ~> add_sup_distrib_right
    add_meet_join_distribs  ~> add_sup_inf_distribs
    join_eq_neg_meet        ~> sup_eq_neg_inf
    meet_eq_neg_join        ~> inf_eq_neg_sup
    add_eq_meet_join        ~> add_eq_inf_sup
    meet_0_imp_0            ~> inf_0_imp_0
    join_0_imp_0            ~> sup_0_imp_0
    meet_0_eq_0             ~> inf_0_eq_0
    join_0_eq_0             ~> sup_0_eq_0
    neg_meet_eq_join        ~> neg_inf_eq_sup
    neg_join_eq_meet        ~> neg_sup_eq_inf
    join_eq_if              ~> sup_eq_if

    mono_meet               ~> mono_inf
    mono_join               ~> mono_sup
    meet_bool_eq            ~> inf_bool_eq
    join_bool_eq            ~> sup_bool_eq
    meet_fun_eq             ~> inf_fun_eq
    join_fun_eq             ~> sup_fun_eq
    meet_set_eq             ~> inf_set_eq
    join_set_eq             ~> sup_set_eq
    meet1_iff               ~> inf1_iff
    meet2_iff               ~> inf2_iff
    meet1I                  ~> inf1I
    meet2I                  ~> inf2I
    meet1D1                 ~> inf1D1
    meet2D1                 ~> inf2D1
    meet1D2                 ~> inf1D2
    meet2D2                 ~> inf2D2
    meet1E                  ~> inf1E
    meet2E                  ~> inf2E
    join1_iff               ~> sup1_iff
    join2_iff               ~> sup2_iff
    join1I1                 ~> sup1I1
    join2I1                 ~> sup2I1
    join1I1                 ~> sup1I1
    join2I2                 ~> sup1I2
    join1CI                 ~> sup1CI
    join2CI                 ~> sup2CI
    join1E                  ~> sup1E
    join2E                  ~> sup2E

    is_meet_Meet            ~> is_meet_Inf
    Meet_bool_def           ~> Inf_bool_def
    Meet_fun_def            ~> Inf_fun_def
    Meet_greatest           ~> Inf_greatest
    Meet_lower              ~> Inf_lower
    Meet_set_def            ~> Inf_set_def

    Sup_def                 ~> Sup_Inf
    Sup_bool_eq             ~> Sup_bool_def
    Sup_fun_eq              ~> Sup_fun_def
    Sup_set_eq              ~> Sup_set_def

    listsp_meetI            ~> listsp_infI
    listsp_meet_eq          ~> listsp_inf_eq

    meet_min                ~> inf_min
    join_max                ~> sup_max

* Added syntactic class "size"; overloaded constant "size" now has
type "'a::size ==> bool"

* Internal reorganisation of `size' of datatypes: size theorems
"foo.size" are no longer subsumed by "foo.simps" (but are still
simplification rules by default!); theorems "prod.size" now named
"*.size".

* Class "div" now inherits from class "times" rather than "type".
INCOMPATIBILITY.

* HOL/Finite_Set: "name-space" locales Lattice, Distrib_lattice,
Linorder etc.  have disappeared; operations defined in terms of
fold_set now are named Inf_fin, Sup_fin.  INCOMPATIBILITY.

* HOL/Nat: neq0_conv no longer declared as iff.  INCOMPATIBILITY.

* HOL-Word: New extensive library and type for generic, fixed size
machine words, with arithmetic, bit-wise, shifting and rotating
operations, reflection into int, nat, and bool lists, automation for
linear arithmetic (by automatic reflection into nat or int), including
lemmas on overflow and monotonicity.  Instantiated to all appropriate
arithmetic type classes, supporting automatic simplification of
numerals on all operations.

* Library/Boolean_Algebra: locales for abstract boolean algebras.

* Library/Numeral_Type: numbers as types, e.g. TYPE(32).

* Code generator library theories:
  - Code_Integer represents HOL integers by big integer literals in target
    languages.
  - Code_Char represents HOL characters by character literals in target
    languages.
  - Code_Char_chr like Code_Char, but also offers treatment of character
    codes; includes Code_Integer.
  - Executable_Set allows to generate code for finite sets using lists.
  - Executable_Rat implements rational numbers as triples (sign, enumerator,
    denominator).
  - Executable_Real implements a subset of real numbers, namly those
    representable by rational numbers.
  - Efficient_Nat implements natural numbers by integers, which in general will
    result in higher efficency; pattern matching with 0/Suc is eliminated;
    includes Code_Integer.
  - Code_Index provides an additional datatype index which is mapped to
    target-language built-in integers.
  - Code_Message provides an additional datatype message_string which is isomorphic to
    strings; messages are mapped to target-language strings.

* New package for inductive predicates

  An n-ary predicate p with m parameters z_1, ..., z_m can now be defined via

    inductive
      p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      rule_1: "... ==> p z_1 ... z_m t_1_1 ... t_1_n"
    | ...

  with full support for type-inference, rather than

    consts s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"

    abbreviation p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
    where "p z_1 ... z_m x_1 ... x_n == (x_1, ..., x_n) : s z_1 ... z_m"

    inductive "s z_1 ... z_m"
    intros
      rule_1: "... ==> (t_1_1, ..., t_1_n) : s z_1 ... z_m"
      ...

  For backward compatibility, there is a wrapper allowing inductive
  sets to be defined with the new package via

    inductive_set
      s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      rule_1: "... ==> (t_1_1, ..., t_1_n) : s z_1 ... z_m"
    | ...

  or

    inductive_set
      s :: "U_1 => ... => U_m => (T_1 * ... * T_n) set"
      and p :: "U_1 => ... => U_m => T_1 => ... => T_n => bool"
      for z_1 :: U_1 and ... and z_n :: U_m
    where
      "p z_1 ... z_m x_1 ... x_n == (x_1, ..., x_n) : s z_1 ... z_m"
    | rule_1: "... ==> p z_1 ... z_m t_1_1 ... t_1_n"
    | ...

  if the additional syntax "p ..." is required.

  Numerous examples can be found in the subdirectories src/HOL/Auth,
  src/HOL/Bali, src/HOL/Induct, and src/HOL/MicroJava.

  INCOMPATIBILITIES:

  - Since declaration and definition of inductive sets or predicates
    is no longer separated, abbreviations involving the newly
    introduced sets or predicates must be specified together with the
    introduction rules after the 'where' keyword (see above), rather
    than before the actual inductive definition.

  - The variables in induction and elimination rules are now
    quantified in the order of their occurrence in the introduction
    rules, rather than in alphabetical order. Since this may break
    some proofs, these proofs either have to be repaired, e.g. by
    reordering the variables a_i_1 ... a_i_{k_i} in Isar 'case'
    statements of the form

      case (rule_i a_i_1 ... a_i_{k_i})

    or the old order of quantification has to be restored by explicitly adding
    meta-level quantifiers in the introduction rules, i.e.

      | rule_i: "!!a_i_1 ... a_i_{k_i}. ... ==> p z_1 ... z_m t_i_1 ... t_i_n"

  - The format of the elimination rules is now

      p z_1 ... z_m x_1 ... x_n ==>
        (!!a_1_1 ... a_1_{k_1}. x_1 = t_1_1 ==> ... ==> x_n = t_1_n ==> ... ==> P)
        ==> ... ==> P

    for predicates and

      (x_1, ..., x_n) : s z_1 ... z_m ==>
        (!!a_1_1 ... a_1_{k_1}. x_1 = t_1_1 ==> ... ==> x_n = t_1_n ==> ... ==> P)
        ==> ... ==> P

    for sets rather than

      x : s z_1 ... z_m ==>
        (!!a_1_1 ... a_1_{k_1}. x = (t_1_1, ..., t_1_n) ==> ... ==> P)
        ==> ... ==> P

    This may require terms in goals to be expanded to n-tuples
    (e.g. using case_tac or simplification with the split_paired_all
    rule) before the above elimination rule is applicable.

  - The elimination or case analysis rules for (mutually) inductive
    sets or predicates are now called "p_1.cases" ... "p_k.cases". The
    list of rules "p_1_..._p_k.elims" is no longer available.

* New package "function"/"fun" for general recursive functions,
supporting mutual and nested recursion, definitions in local contexts,
more general pattern matching and partiality. See HOL/ex/Fundefs.thy
for small examples, and the separate tutorial on the function
package. The old recdef "package" is still available as before, but
users are encouraged to use the new package.

* Method "lexicographic_order" automatically synthesizes termination
relations as lexicographic combinations of size measures.

* Case-expressions allow arbitrary constructor-patterns (including
"_") and take their order into account, like in functional
programming.  Internally, this is translated into nested
case-expressions; missing cases are added and mapped to the predefined
constant "undefined". In complicated cases printing may no longer show
the original input but the internal form. Lambda-abstractions allow
the same form of pattern matching: "% pat1 => e1 | ..." is an
abbreviation for "%x. case x of pat1 => e1 | ..." where x is a new
variable.

* IntDef: The constant "int :: nat => int" has been removed; now "int"
is an abbreviation for "of_nat :: nat => int". The simplification
rules for "of_nat" have been changed to work like "int" did
previously.  Potential INCOMPATIBILITY:
  - "of_nat (Suc m)" simplifies to "1 + of_nat m" instead of "of_nat m + 1"
  - of_nat_diff and of_nat_mult are no longer default simp rules

* Method "algebra" solves polynomial equations over (semi)rings using
Groebner bases. The (semi)ring structure is defined by locales and the
tool setup depends on that generic context. Installing the method for
a specific type involves instantiating the locale and possibly adding
declarations for computation on the coefficients.  The method is
already instantiated for natural numbers and for the axiomatic class
of idoms with numerals.  See also the paper by Chaieb and Wenzel at
CALCULEMUS 2007 for the general principles underlying this
architecture of context-aware proof-tools.

* Method "ferrack" implements quantifier elimination over
special-purpose dense linear orders using locales (analogous to
"algebra"). The method is already installed for class
{ordered_field,recpower,number_ring} which subsumes real, hyperreal,
rat, etc.

* Former constant "List.op @" now named "List.append".  Use ML
antiquotations @{const_name List.append} or @{term " ... @ ... "} to
circumvent possible incompatibilities when working on ML level.

* primrec: missing cases mapped to "undefined" instead of "arbitrary".

* New function listsum :: 'a list => 'a for arbitrary monoids.
Special syntax: "SUM x <- xs. f x" (and latex variants)

* New syntax for Haskell-like list comprehension (input only), eg.
[(x,y). x <- xs, y <- ys, x ~= y], see also src/HOL/List.thy.

* The special syntax for function "filter" has changed from [x :
xs. P] to [x <- xs. P] to avoid an ambiguity caused by list
comprehension syntax, and for uniformity.  INCOMPATIBILITY.

* [a..b] is now defined for arbitrary linear orders.  It used to be
defined on nat only, as an abbreviation for [a..<Suc b]
INCOMPATIBILITY.

* Renamed lemma "set_take_whileD"  to "set_takeWhileD".

* New functions "sorted" and "sort" in src/HOL/List.thy.

* New lemma collection field_simps (an extension of ring_simps) for
manipulating (in)equations involving division. Multiplies with all
denominators that can be proved to be non-zero (in equations) or
positive/negative (in inequations).

* Lemma collections ring_eq_simps, group_eq_simps and ring_distrib
have been improved and renamed to ring_simps, group_simps and
ring_distribs.  Removed lemmas field_xyz in theory Ring_and_Field
because they were subsumed by lemmas xyz.  INCOMPATIBILITY.

* Theory Library/Commutative_Ring: switched from recdef to function
package; constants add, mul, pow now curried.  Infix syntax for
algebraic operations.

* Dropped redundant lemma def_imp_eq in favor of meta_eq_to_obj_eq.
INCOMPATIBILITY.

* Dropped redundant lemma if_def2 in favor of if_bool_eq_conj.
INCOMPATIBILITY.

* HOL/records: generalised field-update to take a function on the
field rather than the new value: r(|A := x|) is translated to A_update
(K x) r The K-combinator that is internally used is called K_record.
INCOMPATIBILITY: Usage of the plain update functions has to be
adapted.

* Class "semiring_0" now contains annihilation axioms x * 0 = 0 and 0
* x = 0, which are required for a semiring.  Richer structures do not
inherit from semiring_0 anymore, because this property is a theorem
there, not an axiom.  INCOMPATIBILITY: In instances of semiring_0,
there is more to prove, but this is mostly trivial.

* Class "recpower" is generalized to arbitrary monoids, not just
commutative semirings.  INCOMPATIBILITY: may need to incorporate
commutativity or semiring properties additionally.

* Constant "List.list_all2" in List.thy now uses authentic syntax.
INCOMPATIBILITY: translations containing list_all2 may go wrong,
better use 'abbreviation'.

* Renamed constant "List.op mem" to "List.member".  INCOMPATIBILITY.

* Numeral syntax: type 'bin' which was a mere type copy of 'int' has
been abandoned in favour of plain 'int'.  INCOMPATIBILITY --
significant changes for setting up numeral syntax for types:
  - New constants Numeral.pred and Numeral.succ instead
      of former Numeral.bin_pred and Numeral.bin_succ.
  - Use integer operations instead of bin_add, bin_mult and so on.
  - Numeral simplification theorems named Numeral.numeral_simps instead of Bin_simps.
  - ML structure Bin_Simprocs now named Int_Numeral_Base_Simprocs.

See src/HOL/Integ/IntArith.thy for an example setup.

* Command 'normal_form' computes the normal form of a term that may
contain free variables.  For example ``normal_form "rev [a, b, c]"''
produces ``[b, c, a]'' (without proof).  This command is suitable for
heavy-duty computations because the functions are compiled to ML
first.  Correspondingly, a method "normalization" is provided.  See
further src/HOL/ex/NormalForm.thy and src/Tools/nbe.ML.

* Alternative iff syntax "A <-> B" for equality on bool (with priority
25 like -->); output depends on the "iff" print_mode, the default is
"A = B" (with priority 50).

* Relations less (<) and less_eq (<=) are also available on type bool.
Modified syntax to disallow nesting without explicit parentheses,
e.g. "(x < y) < z" or "x < (y < z)", but NOT "x < y < z".  Potential
INCOMPATIBILITY.

* "LEAST x:A. P" expands to "LEAST x. x:A & P" (input only).

* Relation composition operator "op O" now has precedence 75 and binds
stronger than union and intersection. INCOMPATIBILITY.

* The old set interval syntax "{m..n(}" (and relatives) has been
removed.  Use "{m..<n}" (and relatives) instead.

* In the context of the assumption "~(s = t)" the Simplifier rewrites
"t = s" to False (by simproc "neq").  INCOMPATIBILITY, consider using
``declare [[simproc del: neq]]''.

* Simplifier: "m dvd n" where m and n are numbers is evaluated to
True/False.

* Theorem Cons_eq_map_conv no longer declared as "simp".

* Theorem setsum_mult renamed to setsum_right_distrib.

* Prefer ex1I over ex_ex1I in single-step reasoning, e.g. by the
``rule'' method.

* Reimplemented methods "sat" and "satx", with several improvements:
goals no longer need to be stated as "<prems> ==> False", equivalences
(i.e. "=" on type bool) are handled, variable names of the form
"lit_<n>" are no longer reserved, significant speedup.

* Methods "sat" and "satx" can now replay MiniSat proof traces.
zChaff is still supported as well.

* 'inductive' and 'datatype': provide projections of mutual rules,
bundled as foo_bar.inducts;

* Library: moved theories Parity, GCD, Binomial, Infinite_Set to
Library.

* Library: moved theory Accessible_Part to main HOL.

* Library: added theory Coinductive_List of potentially infinite lists
as greatest fixed-point.

* Library: added theory AssocList which implements (finite) maps as
association lists.

* Method "evaluation" solves goals (i.e. a boolean expression)
efficiently by compiling it to ML.  The goal is "proved" (via an
oracle) if it evaluates to True.

* Linear arithmetic now splits certain operators (e.g. min, max, abs)
also when invoked by the simplifier.  This results in the Simplifier
being more powerful on arithmetic goals.  INCOMPATIBILITY.
Configuration option fast_arith_split_limit=0 recovers the old
behavior.

* Support for hex (0x20) and binary (0b1001) numerals.

* New method: reify eqs (t), where eqs are equations for an
interpretation I :: 'a list => 'b => 'c and t::'c is an optional
parameter, computes a term s::'b and a list xs::'a list and proves the
theorem I xs s = t. This is also known as reification or quoting. The
resulting theorem is applied to the subgoal to substitute t with I xs
s.  If t is omitted, the subgoal itself is reified.

* New method: reflection corr_thm eqs (t). The parameters eqs and (t)
are as explained above. corr_thm is a theorem for I vs (f t) = I vs t,
where f is supposed to be a computable function (in the sense of code
generattion). The method uses reify to compute s and xs as above then
applies corr_thm and uses normalization by evaluation to "prove" f s =
r and finally gets the theorem t = r, which is again applied to the
subgoal. An Example is available in src/HOL/ex/ReflectionEx.thy.

* Reflection: Automatic reification now handels binding, an example is
available in src/HOL/ex/ReflectionEx.thy

* HOL-Statespace: ``State Spaces: The Locale Way'' introduces a
command 'statespace' that is similar to 'record', but introduces an
abstract specification based on the locale infrastructure instead of
HOL types.  This leads to extra flexibility in composing state spaces,
in particular multiple inheritance and renaming of components.


*** HOL-Complex ***

* Hyperreal: Functions root and sqrt are now defined on negative real
inputs so that root n (- x) = - root n x and sqrt (- x) = - sqrt x.
Nonnegativity side conditions have been removed from many lemmas, so
that more subgoals may now be solved by simplification; potential
INCOMPATIBILITY.

* Real: new type classes formalize real normed vector spaces and
algebras, using new overloaded constants scaleR :: real => 'a => 'a
and norm :: 'a => real.

* Real: constant of_real :: real => 'a::real_algebra_1 injects from
reals into other types. The overloaded constant Reals :: 'a set is now
defined as range of_real; potential INCOMPATIBILITY.

* Real: proper support for ML code generation, including 'quickcheck'.
Reals are implemented as arbitrary precision rationals.

* Hyperreal: Several constants that previously worked only for the
reals have been generalized, so they now work over arbitrary vector
spaces. Type annotations may need to be added in some cases; potential
INCOMPATIBILITY.

  Infinitesimal  :: ('a::real_normed_vector) star set
  HFinite        :: ('a::real_normed_vector) star set
  HInfinite      :: ('a::real_normed_vector) star set
  approx         :: ('a::real_normed_vector) star => 'a star => bool
  monad          :: ('a::real_normed_vector) star => 'a star set
  galaxy         :: ('a::real_normed_vector) star => 'a star set
  (NS)LIMSEQ     :: [nat => 'a::real_normed_vector, 'a] => bool
  (NS)convergent :: (nat => 'a::real_normed_vector) => bool
  (NS)Bseq       :: (nat => 'a::real_normed_vector) => bool
  (NS)Cauchy     :: (nat => 'a::real_normed_vector) => bool
  (NS)LIM        :: ['a::real_normed_vector => 'b::real_normed_vector, 'a, 'b] => bool
  is(NS)Cont     :: ['a::real_normed_vector => 'b::real_normed_vector, 'a] => bool
  deriv          :: ['a::real_normed_field => 'a, 'a, 'a] => bool
  sgn            :: 'a::real_normed_vector => 'a
  exp            :: 'a::{recpower,real_normed_field,banach} => 'a

* Complex: Some complex-specific constants are now abbreviations for
overloaded ones: complex_of_real = of_real, cmod = norm, hcmod =
hnorm.  Other constants have been entirely removed in favor of the
polymorphic versions (INCOMPATIBILITY):

  approx        <-- capprox
  HFinite       <-- CFinite
  HInfinite     <-- CInfinite
  Infinitesimal <-- CInfinitesimal
  monad         <-- cmonad
  galaxy        <-- cgalaxy
  (NS)LIM       <-- (NS)CLIM, (NS)CRLIM
  is(NS)Cont    <-- is(NS)Contc, is(NS)contCR
  (ns)deriv     <-- (ns)cderiv


*** HOL-Algebra ***

* Formalisation of ideals and the quotient construction over rings.

* Order and lattice theory no longer based on records.
INCOMPATIBILITY.

* Renamed lemmas least_carrier -> least_closed and greatest_carrier ->
greatest_closed.  INCOMPATIBILITY.

* Method algebra is now set up via an attribute.  For examples see
Ring.thy.  INCOMPATIBILITY: the method is now weaker on combinations
of algebraic structures.

* Renamed theory CRing to Ring.


*** HOL-Nominal ***

* Substantial, yet incomplete support for nominal datatypes (binding
structures) based on HOL-Nominal logic.  See src/HOL/Nominal and
src/HOL/Nominal/Examples.  Prospective users should consult
http://isabelle.in.tum.de/nominal/


*** ML ***

* ML basics: just one true type int, which coincides with IntInf.int
(even on SML/NJ).

* ML within Isar: antiquotations allow to embed statically-checked
formal entities in the source, referring to the context available at
compile-time.  For example:

ML {* @{sort "{zero,one}"} *}
ML {* @{typ "'a => 'b"} *}
ML {* @{term "%x. x"} *}
ML {* @{prop "x == y"} *}
ML {* @{ctyp "'a => 'b"} *}
ML {* @{cterm "%x. x"} *}
ML {* @{cprop "x == y"} *}
ML {* @{thm asm_rl} *}
ML {* @{thms asm_rl} *}
ML {* @{type_name c} *}
ML {* @{type_syntax c} *}
ML {* @{const_name c} *}
ML {* @{const_syntax c} *}
ML {* @{context} *}
ML {* @{theory} *}
ML {* @{theory Pure} *}
ML {* @{theory_ref} *}
ML {* @{theory_ref Pure} *}
ML {* @{simpset} *}
ML {* @{claset} *}
ML {* @{clasimpset} *}

The same works for sources being ``used'' within an Isar context.

* ML in Isar: improved error reporting; extra verbosity with
ML_Context.trace enabled.

* Pure/General/table.ML: the join operations now works via exceptions
DUP/SAME instead of type option. This is simpler in simple cases, and
admits slightly more efficient complex applications.

* Pure: 'advanced' translation functions (parse_translation etc.) now
use Context.generic instead of just theory.

* Pure: datatype Context.generic joins theory/Proof.context and
provides some facilities for code that works in either kind of
context, notably GenericDataFun for uniform theory and proof data.

* Pure: simplified internal attribute type, which is now always
Context.generic * thm -> Context.generic * thm. Global (theory) vs.
local (Proof.context) attributes have been discontinued, while
minimizing code duplication. Thm.rule_attribute and
Thm.declaration_attribute build canonical attributes; see also structure
Context for further operations on Context.generic, notably
GenericDataFun. INCOMPATIBILITY, need to adapt attribute type
declarations and definitions.

* Context data interfaces (Theory/Proof/GenericDataFun): removed
name/print, uninitialized data defaults to ad-hoc copy of empty value,
init only required for impure data. INCOMPATIBILITY: empty really need
to be empty (no dependencies on theory content!)

* Pure/kernel: consts certification ignores sort constraints given in
signature declarations. (This information is not relevant to the
logic, but only for type inference.) SIGNIFICANT INTERNAL CHANGE,
potential INCOMPATIBILITY.

* Pure: axiomatic type classes are now purely definitional, with
explicit proofs of class axioms and super class relations performed
internally. See Pure/axclass.ML for the main internal interfaces --
notably AxClass.define_class supercedes AxClass.add_axclass, and
AxClass.axiomatize_class/classrel/arity supersede
Sign.add_classes/classrel/arities.

* Pure/Isar: Args/Attrib parsers operate on Context.generic --
global/local versions on theory vs. Proof.context have been
discontinued; Attrib.syntax and Method.syntax have been adapted
accordingly.  INCOMPATIBILITY, need to adapt parser expressions for
attributes, methods, etc.

* Pure: several functions of signature "... -> theory -> theory * ..."
have been reoriented to "... -> theory -> ... * theory" in order to
allow natural usage in combination with the ||>, ||>>, |-> and
fold_map combinators.

* Pure: official theorem names (closed derivations) and additional
comments (tags) are now strictly separate.  Name hints -- which are
maintained as tags -- may be attached any time without affecting the
derivation.

* Pure: primitive rule lift_rule now takes goal cterm instead of an
actual goal state (thm).  Use Thm.lift_rule (Thm.cprem_of st i) to
achieve the old behaviour.

* Pure: the "Goal" constant is now called "prop", supporting a
slightly more general idea of ``protecting'' meta-level rule
statements.

* Pure: Logic.(un)varify only works in a global context, which is now
enforced instead of silently assumed.  INCOMPATIBILITY, may use
Logic.legacy_(un)varify as temporary workaround.

* Pure: structure Name provides scalable operations for generating
internal variable names, notably Name.variants etc.  This replaces
some popular functions from term.ML:

  Term.variant		->  Name.variant
  Term.variantlist	->  Name.variant_list
  Term.invent_names	->  Name.invent_list

Note that low-level renaming rarely occurs in new code -- operations
from structure Variable are used instead (see below).

* Pure: structure Variable provides fundamental operations for proper
treatment of fixed/schematic variables in a context.  For example,
Variable.import introduces fixes for schematics of given facts and
Variable.export reverses the effect (up to renaming) -- this replaces
various freeze_thaw operations.

* Pure: structure Goal provides simple interfaces for
init/conclude/finish and tactical prove operations (replacing former
Tactic.prove).  Goal.prove is the canonical way to prove results
within a given context; Goal.prove_global is a degraded version for
theory level goals, including a global Drule.standard.  Note that
OldGoals.prove_goalw_cterm has long been obsolete, since it is
ill-behaved in a local proof context (e.g. with local fixes/assumes or
in a locale context).

* Pure/Syntax: generic interfaces for parsing (Syntax.parse_term etc.)
and type checking (Syntax.check_term etc.), with common combinations
(Syntax.read_term etc.). These supersede former Sign.read_term etc.
which are considered legacy and await removal.

* Pure/Syntax: generic interfaces for type unchecking
(Syntax.uncheck_terms etc.) and unparsing (Syntax.unparse_term etc.),
with common combinations (Syntax.pretty_term, Syntax.string_of_term
etc.).  Former Sign.pretty_term, Sign.string_of_term etc. are still
available for convenience, but refer to the very same operations using
a mere theory instead of a full context.

* Isar: simplified treatment of user-level errors, using exception
ERROR of string uniformly.  Function error now merely raises ERROR,
without any side effect on output channels.  The Isar toplevel takes
care of proper display of ERROR exceptions.  ML code may use plain
handle/can/try; cat_error may be used to concatenate errors like this:

  ... handle ERROR msg => cat_error msg "..."

Toplevel ML code (run directly or through the Isar toplevel) may be
embedded into the Isar toplevel with exception display/debug like
this:

  Isar.toplevel (fn () => ...)

INCOMPATIBILITY, removed special transform_error facilities, removed
obsolete variants of user-level exceptions (ERROR_MESSAGE,
Context.PROOF, ProofContext.CONTEXT, Proof.STATE, ProofHistory.FAIL)
-- use plain ERROR instead.

* Isar: theory setup now has type (theory -> theory), instead of a
list.  INCOMPATIBILITY, may use #> to compose setup functions.

* Isar: ML toplevel pretty printer for type Proof.context, subject to
ProofContext.debug/verbose flags.

* Isar: Toplevel.theory_to_proof admits transactions that modify the
theory before entering a proof state.  Transactions now always see a
quasi-functional intermediate checkpoint, both in interactive and
batch mode.

* Isar: simplified interfaces for outer syntax.  Renamed
OuterSyntax.add_keywords to OuterSyntax.keywords.  Removed
OuterSyntax.add_parsers -- this functionality is now included in
OuterSyntax.command etc.  INCOMPATIBILITY.

* Simplifier: the simpset of a running simplification process now
contains a proof context (cf. Simplifier.the_context), which is the
very context that the initial simpset has been retrieved from (by
simpset_of/local_simpset_of).  Consequently, all plug-in components
(solver, looper etc.) may depend on arbitrary proof data.

* Simplifier.inherit_context inherits the proof context (plus the
local bounds) of the current simplification process; any simproc
etc. that calls the Simplifier recursively should do this!  Removed
former Simplifier.inherit_bounds, which is already included here --
INCOMPATIBILITY.  Tools based on low-level rewriting may even have to
specify an explicit context using Simplifier.context/theory_context.

* Simplifier/Classical Reasoner: more abstract interfaces
change_simpset/claset for modifying the simpset/claset reference of a
theory; raw versions simpset/claset_ref etc. have been discontinued --
INCOMPATIBILITY.

* Provers: more generic wrt. syntax of object-logics, avoid hardwired
"Trueprop" etc.


*** System ***

* settings: the default heap location within ISABELLE_HOME_USER now
includes ISABELLE_IDENTIFIER.  This simplifies use of multiple
Isabelle installations.

* isabelle-process: option -S (secure mode) disables some critical
operations, notably runtime compilation and evaluation of ML source
code.

* Basic Isabelle mode for jEdit, see Isabelle/lib/jedit/.

* Support for parallel execution, using native multicore support of
Poly/ML 5.1.  The theory loader exploits parallelism when processing
independent theories, according to the given theory header
specifications. The maximum number of worker threads is specified via
usedir option -M or the "max-threads" setting in Proof General. A
speedup factor of 1.5--3.5 can be expected on a 4-core machine, and up
to 6 on a 8-core machine.  User-code needs to observe certain
guidelines for thread-safe programming, see appendix A in the Isar
Implementation manual.


New in Isabelle2005 (October 2005)
----------------------------------

*** General ***

* Theory headers: the new header syntax for Isar theories is

  theory <name>
  imports <theory1> ... <theoryN>
  uses <file1> ... <fileM>
  begin

where the 'uses' part is optional.  The previous syntax

  theory <name> = <theory1> + ... + <theoryN>:

will disappear in the next release.  Use isatool fixheaders to convert
existing theory files.  Note that there is no change in ancient
non-Isar theories now, but these will disappear soon.

* Theory loader: parent theories can now also be referred to via
relative and absolute paths.

* Command 'find_theorems' searches for a list of criteria instead of a
list of constants. Known criteria are: intro, elim, dest, name:string,
simp:term, and any term. Criteria can be preceded by '-' to select
theorems that do not match. Intro, elim, dest select theorems that
match the current goal, name:s selects theorems whose fully qualified
name contain s, and simp:term selects all simplification rules whose
lhs match term.  Any other term is interpreted as pattern and selects
all theorems matching the pattern. Available in ProofGeneral under
'ProofGeneral -> Find Theorems' or C-c C-f.  Example:

  C-c C-f (100) "(_::nat) + _ + _" intro -name: "HOL."

prints the last 100 theorems matching the pattern "(_::nat) + _ + _",
matching the current goal as introduction rule and not having "HOL."
in their name (i.e. not being defined in theory HOL).

* Command 'thms_containing' has been discontinued in favour of
'find_theorems'; INCOMPATIBILITY.

* Communication with Proof General is now 8bit clean, which means that
Unicode text in UTF-8 encoding may be used within theory texts (both
formal and informal parts).  Cf. option -U of the Isabelle Proof
General interface.  Here are some simple examples (cf. src/HOL/ex):

  http://isabelle.in.tum.de/library/HOL/ex/Hebrew.html
  http://isabelle.in.tum.de/library/HOL/ex/Chinese.html

* Improved efficiency of the Simplifier and, to a lesser degree, the
Classical Reasoner.  Typical big applications run around 2 times
faster.


*** Document preparation ***

* Commands 'display_drafts' and 'print_drafts' perform simple output
of raw sources.  Only those symbols that do not require additional
LaTeX packages (depending on comments in isabellesym.sty) are
displayed properly, everything else is left verbatim.  isatool display
and isatool print are used as front ends (these are subject to the
DVI/PDF_VIEWER and PRINT_COMMAND settings, respectively).

* Command tags control specific markup of certain regions of text,
notably folding and hiding.  Predefined tags include "theory" (for
theory begin and end), "proof" for proof commands, and "ML" for
commands involving ML code; the additional tags "visible" and
"invisible" are unused by default.  Users may give explicit tag
specifications in the text, e.g. ''by %invisible (auto)''.  The
interpretation of tags is determined by the LaTeX job during document
preparation: see option -V of isatool usedir, or options -n and -t of
isatool document, or even the LaTeX macros \isakeeptag, \isafoldtag,
\isadroptag.

Several document versions may be produced at the same time via isatool
usedir (the generated index.html will link all of them).  Typical
specifications include ''-V document=theory,proof,ML'' to present
theory/proof/ML parts faithfully, ''-V outline=/proof,/ML'' to fold
proof and ML commands, and ''-V mutilated=-theory,-proof,-ML'' to omit
these parts without any formal replacement text.  The Isabelle site
default settings produce ''document'' and ''outline'' versions as
specified above.

* Several new antiquotations:

  @{term_type term} prints a term with its type annotated;

  @{typeof term} prints the type of a term;

  @{const const} is the same as @{term const}, but checks that the
  argument is a known logical constant;

  @{term_style style term} and @{thm_style style thm} print a term or
  theorem applying a "style" to it

  @{ML text}

Predefined styles are 'lhs' and 'rhs' printing the lhs/rhs of
definitions, equations, inequations etc., 'concl' printing only the
conclusion of a meta-logical statement theorem, and 'prem1' .. 'prem19'
to print the specified premise.  TermStyle.add_style provides an ML
interface for introducing further styles.  See also the "LaTeX Sugar"
document practical applications.  The ML antiquotation prints
type-checked ML expressions verbatim.

* Markup commands 'chapter', 'section', 'subsection', 'subsubsection',
and 'text' support optional locale specification '(in loc)', which
specifies the default context for interpreting antiquotations.  For
example: 'text (in lattice) {* @{thm inf_assoc}*}'.

* Option 'locale=NAME' of antiquotations specifies an alternative
context interpreting the subsequent argument.  For example: @{thm
[locale=lattice] inf_assoc}.

* Proper output of proof terms (@{prf ...} and @{full_prf ...}) within
a proof context.

* Proper output of antiquotations for theory commands involving a
proof context (such as 'locale' or 'theorem (in loc) ...').

* Delimiters of outer tokens (string etc.) now produce separate LaTeX
macros (\isachardoublequoteopen, isachardoublequoteclose etc.).

* isatool usedir: new option -C (default true) controls whether option
-D should include a copy of the original document directory; -C false
prevents unwanted effects such as copying of administrative CVS data.


*** Pure ***

* Considerably improved version of 'constdefs' command.  Now performs
automatic type-inference of declared constants; additional support for
local structure declarations (cf. locales and HOL records), see also
isar-ref manual.  Potential INCOMPATIBILITY: need to observe strictly
sequential dependencies of definitions within a single 'constdefs'
section; moreover, the declared name needs to be an identifier.  If
all fails, consider to fall back on 'consts' and 'defs' separately.

* Improved indexed syntax and implicit structures.  First of all,
indexed syntax provides a notational device for subscripted
application, using the new syntax \<^bsub>term\<^esub> for arbitrary
expressions.  Secondly, in a local context with structure
declarations, number indexes \<^sub>n or the empty index (default
number 1) refer to a certain fixed variable implicitly; option
show_structs controls printing of implicit structures.  Typical
applications of these concepts involve record types and locales.

* New command 'no_syntax' removes grammar declarations (and
translations) resulting from the given syntax specification, which is
interpreted in the same manner as for the 'syntax' command.

* 'Advanced' translation functions (parse_translation etc.) may depend
on the signature of the theory context being presently used for
parsing/printing, see also isar-ref manual.

* Improved 'oracle' command provides a type-safe interface to turn an
ML expression of type theory -> T -> term into a primitive rule of
type theory -> T -> thm (i.e. the functionality of Thm.invoke_oracle
is already included here); see also FOL/ex/IffExample.thy;
INCOMPATIBILITY.

* axclass: name space prefix for class "c" is now "c_class" (was "c"
before); "cI" is no longer bound, use "c.intro" instead.
INCOMPATIBILITY.  This change avoids clashes of fact bindings for
axclasses vs. locales.

* Improved internal renaming of symbolic identifiers -- attach primes
instead of base 26 numbers.

* New flag show_question_marks controls printing of leading question
marks in schematic variable names.

* In schematic variable names, *any* symbol following \<^isub> or
\<^isup> is now treated as part of the base name.  For example, the
following works without printing of awkward ".0" indexes:

  lemma "x\<^isub>1 = x\<^isub>2 ==> x\<^isub>2 = x\<^isub>1"
    by simp

* Inner syntax includes (*(*nested*) comments*).

* Pretty printer now supports unbreakable blocks, specified in mixfix
annotations as "(00...)".

* Clear separation of logical types and nonterminals, where the latter
may only occur in 'syntax' specifications or type abbreviations.
Before that distinction was only partially implemented via type class
"logic" vs. "{}".  Potential INCOMPATIBILITY in rare cases of improper
use of 'types'/'consts' instead of 'nonterminals'/'syntax'.  Some very
exotic syntax specifications may require further adaption
(e.g. Cube/Cube.thy).

* Removed obsolete type class "logic", use the top sort {} instead.
Note that non-logical types should be declared as 'nonterminals'
rather than 'types'.  INCOMPATIBILITY for new object-logic
specifications.

* Attributes 'induct' and 'cases': type or set names may now be
locally fixed variables as well.

* Simplifier: can now control the depth to which conditional rewriting
is traced via the PG menu Isabelle -> Settings -> Trace Simp Depth
Limit.

* Simplifier: simplification procedures may now take the current
simpset into account (cf. Simplifier.simproc(_i) / mk_simproc
interface), which is very useful for calling the Simplifier
recursively.  Minor INCOMPATIBILITY: the 'prems' argument of simprocs
is gone -- use prems_of_ss on the simpset instead.  Moreover, the
low-level mk_simproc no longer applies Logic.varify internally, to
allow for use in a context of fixed variables.

* thin_tac now works even if the assumption being deleted contains !!
or ==>.  More generally, erule now works even if the major premise of
the elimination rule contains !! or ==>.

* Method 'rules' has been renamed to 'iprover'. INCOMPATIBILITY.

* Reorganized bootstrapping of the Pure theories; CPure is now derived
from Pure, which contains all common declarations already.  Both
theories are defined via plain Isabelle/Isar .thy files.
INCOMPATIBILITY: elements of CPure (such as the CPure.intro /
CPure.elim / CPure.dest attributes) now appear in the Pure name space;
use isatool fixcpure to adapt your theory and ML sources.

* New syntax 'name(i-j, i-, i, ...)' for referring to specific
selections of theorems in named facts via index ranges.

* 'print_theorems': in theory mode, really print the difference
wrt. the last state (works for interactive theory development only),
in proof mode print all local facts (cf. 'print_facts');

* 'hide': option '(open)' hides only base names.

* More efficient treatment of intermediate checkpoints in interactive
theory development.

* Code generator is now invoked via code_module (incremental code
generation) and code_library (modular code generation, ML structures
for each theory).  INCOMPATIBILITY: new keywords 'file' and 'contains'
must be quoted when used as identifiers.

* New 'value' command for reading, evaluating and printing terms using
the code generator.  INCOMPATIBILITY: command keyword 'value' must be
quoted when used as identifier.


*** Locales ***

* New commands for the interpretation of locale expressions in
theories (1), locales (2) and proof contexts (3).  These generate
proof obligations from the expression specification.  After the
obligations have been discharged, theorems of the expression are added
to the theory, target locale or proof context.  The synopsis of the
commands is a follows:

  (1) interpretation expr inst
  (2) interpretation target < expr
  (3) interpret expr inst

Interpretation in theories and proof contexts require a parameter
instantiation of terms from the current context.  This is applied to
specifications and theorems of the interpreted expression.
Interpretation in locales only permits parameter renaming through the
locale expression.  Interpretation is smart in that interpretations
that are active already do not occur in proof obligations, neither are
instantiated theorems stored in duplicate.  Use 'print_interps' to
inspect active interpretations of a particular locale.  For details,
see the Isar Reference manual.  Examples can be found in
HOL/Finite_Set.thy and HOL/Algebra/UnivPoly.thy.

INCOMPATIBILITY: former 'instantiate' has been withdrawn, use
'interpret' instead.

* New context element 'constrains' for adding type constraints to
parameters.

* Context expressions: renaming of parameters with syntax
redeclaration.

* Locale declaration: 'includes' disallowed.

* Proper static binding of attribute syntax -- i.e. types / terms /
facts mentioned as arguments are always those of the locale definition
context, independently of the context of later invocations.  Moreover,
locale operations (renaming and type / term instantiation) are applied
to attribute arguments as expected.

INCOMPATIBILITY of the ML interface: always pass Attrib.src instead of
actual attributes; rare situations may require Attrib.attribute to
embed those attributes into Attrib.src that lack concrete syntax.
Attribute implementations need to cooperate properly with the static
binding mechanism.  Basic parsers Args.XXX_typ/term/prop and
Attrib.XXX_thm etc. already do the right thing without further
intervention.  Only unusual applications -- such as "where" or "of"
(cf. src/Pure/Isar/attrib.ML), which process arguments depending both
on the context and the facts involved -- may have to assign parsed
values to argument tokens explicitly.

* Changed parameter management in theorem generation for long goal
statements with 'includes'.  INCOMPATIBILITY: produces a different
theorem statement in rare situations.

* Locale inspection command 'print_locale' omits notes elements.  Use
'print_locale!' to have them included in the output.


*** Provers ***

* Provers/hypsubst.ML: improved version of the subst method, for
single-step rewriting: it now works in bound variable contexts. New is
'subst (asm)', for rewriting an assumption.  INCOMPATIBILITY: may
rewrite a different subterm than the original subst method, which is
still available as 'simplesubst'.

* Provers/quasi.ML: new transitivity reasoners for transitivity only
and quasi orders.

* Provers/trancl.ML: new transitivity reasoner for transitive and
reflexive-transitive closure of relations.

* Provers/blast.ML: new reference depth_limit to make blast's depth
limit (previously hard-coded with a value of 20) user-definable.

* Provers/simplifier.ML has been moved to Pure, where Simplifier.setup
is peformed already.  Object-logics merely need to finish their
initial simpset configuration as before.  INCOMPATIBILITY.


*** HOL ***

* Symbolic syntax of Hilbert Choice Operator is now as follows:

  syntax (epsilon)
    "_Eps" :: "[pttrn, bool] => 'a"    ("(3\<some>_./ _)" [0, 10] 10)

The symbol \<some> is displayed as the alternative epsilon of LaTeX
and x-symbol; use option '-m epsilon' to get it actually printed.
Moreover, the mathematically important symbolic identifier \<epsilon>
becomes available as variable, constant etc.  INCOMPATIBILITY,

* "x > y" abbreviates "y < x" and "x >= y" abbreviates "y <= x".
Similarly for all quantifiers: "ALL x > y" etc.  The x-symbol for >=
is \<ge>. New transitivity rules have been added to HOL/Orderings.thy to
support corresponding Isar calculations.

* "{x:A. P}" abbreviates "{x. x:A & P}", and similarly for "\<in>"
instead of ":".

* theory SetInterval: changed the syntax for open intervals:

  Old       New
  {..n(}    {..<n}
  {)n..}    {n<..}
  {m..n(}   {m..<n}
  {)m..n}   {m<..n}
  {)m..n(}  {m<..<n}

The old syntax is still supported but will disappear in the next
release.  For conversion use the following Emacs search and replace
patterns (these are not perfect but work quite well):

  {)\([^\.]*\)\.\.  ->  {\1<\.\.}
  \.\.\([^(}]*\)(}  ->  \.\.<\1}

* Theory Commutative_Ring (in Library): method comm_ring for proving
equalities in commutative rings; method 'algebra' provides a generic
interface.

* Theory Finite_Set: changed the syntax for 'setsum', summation over
finite sets: "setsum (%x. e) A", which used to be "\<Sum>x:A. e", is
now either "SUM x:A. e" or "\<Sum>x \<in> A. e". The bound variable can
be a tuple pattern.

Some new syntax forms are available:

  "\<Sum>x | P. e"      for     "setsum (%x. e) {x. P}"
  "\<Sum>x = a..b. e"   for     "setsum (%x. e) {a..b}"
  "\<Sum>x = a..<b. e"  for     "setsum (%x. e) {a..<b}"
  "\<Sum>x < k. e"      for     "setsum (%x. e) {..<k}"

The latter form "\<Sum>x < k. e" used to be based on a separate
function "Summation", which has been discontinued.

* theory Finite_Set: in structured induction proofs, the insert case
is now 'case (insert x F)' instead of the old counterintuitive 'case
(insert F x)'.

* The 'refute' command has been extended to support a much larger
fragment of HOL, including axiomatic type classes, constdefs and
typedefs, inductive datatypes and recursion.

* New tactics 'sat' and 'satx' to prove propositional tautologies.
Requires zChaff with proof generation to be installed.  See
HOL/ex/SAT_Examples.thy for examples.

* Datatype induction via method 'induct' now preserves the name of the
induction variable. For example, when proving P(xs::'a list) by
induction on xs, the induction step is now P(xs) ==> P(a#xs) rather
than P(list) ==> P(a#list) as previously.  Potential INCOMPATIBILITY
in unstructured proof scripts.

* Reworked implementation of records.  Improved scalability for
records with many fields, avoiding performance problems for type
inference. Records are no longer composed of nested field types, but
of nested extension types. Therefore the record type only grows linear
in the number of extensions and not in the number of fields.  The
top-level (users) view on records is preserved.  Potential
INCOMPATIBILITY only in strange cases, where the theory depends on the
old record representation. The type generated for a record is called
<record_name>_ext_type.

Flag record_quick_and_dirty_sensitive can be enabled to skip the
proofs triggered by a record definition or a simproc (if
quick_and_dirty is enabled).  Definitions of large records can take
quite long.

New simproc record_upd_simproc for simplification of multiple record
updates enabled by default.  Moreover, trivial updates are also
removed: r(|x := x r|) = r.  INCOMPATIBILITY: old proofs break
occasionally, since simplification is more powerful by default.

* typedef: proper support for polymorphic sets, which contain extra
type-variables in the term.

* Simplifier: automatically reasons about transitivity chains
involving "trancl" (r^+) and "rtrancl" (r^*) by setting up tactics
provided by Provers/trancl.ML as additional solvers.  INCOMPATIBILITY:
old proofs break occasionally as simplification may now solve more
goals than previously.

* Simplifier: converts x <= y into x = y if assumption y <= x is
present.  Works for all partial orders (class "order"), in particular
numbers and sets.  For linear orders (e.g. numbers) it treats ~ x < y
just like y <= x.

* Simplifier: new simproc for "let x = a in f x".  If a is a free or
bound variable or a constant then the let is unfolded.  Otherwise
first a is simplified to b, and then f b is simplified to g. If
possible we abstract b from g arriving at "let x = b in h x",
otherwise we unfold the let and arrive at g.  The simproc can be
enabled/disabled by the reference use_let_simproc.  Potential
INCOMPATIBILITY since simplification is more powerful by default.

* Classical reasoning: the meson method now accepts theorems as arguments.

* Prover support: pre-release of the Isabelle-ATP linkup, which runs background
jobs to provide advice on the provability of subgoals.

* Theory OrderedGroup and Ring_and_Field: various additions and
improvements to faciliate calculations involving equalities and
inequalities.

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  abs_eq             now named abs_of_nonneg
  abs_of_ge_0        now named abs_of_nonneg
  abs_minus_eq       now named abs_of_nonpos
  imp_abs_id         now named abs_of_nonneg
  imp_abs_neg_id     now named abs_of_nonpos
  mult_pos           now named mult_pos_pos
  mult_pos_le        now named mult_nonneg_nonneg
  mult_pos_neg_le    now named mult_nonneg_nonpos
  mult_pos_neg2_le   now named mult_nonneg_nonpos2
  mult_neg           now named mult_neg_neg
  mult_neg_le        now named mult_nonpos_nonpos

* The following lemmas in Ring_and_Field have been added to the simplifier:

     zero_le_square
     not_square_less_zero

  The following lemmas have been deleted from Real/RealPow:

     realpow_zero_zero
     realpow_two
     realpow_less
     zero_le_power
     realpow_two_le
     abs_realpow_two
     realpow_two_abs

* Theory Parity: added rules for simplifying exponents.

* Theory List:

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  list_all_Nil       now named list_all.simps(1)
  list_all_Cons      now named list_all.simps(2)
  list_all_conv      now named list_all_iff
  set_mem_eq         now named mem_iff

* Theories SetsAndFunctions and BigO (see HOL/Library) support
asymptotic "big O" calculations.  See the notes in BigO.thy.


*** HOL-Complex ***

* Theory RealDef: better support for embedding natural numbers and
integers in the reals.

The following theorems have been eliminated or modified
(INCOMPATIBILITY):

  exp_ge_add_one_self  now requires no hypotheses
  real_of_int_add      reversed direction of equality (use [symmetric])
  real_of_int_minus    reversed direction of equality (use [symmetric])
  real_of_int_diff     reversed direction of equality (use [symmetric])
  real_of_int_mult     reversed direction of equality (use [symmetric])

* Theory RComplete: expanded support for floor and ceiling functions.

* Theory Ln is new, with properties of the natural logarithm

* Hyperreal: There is a new type constructor "star" for making
nonstandard types.  The old type names are now type synonyms:

  hypreal = real star
  hypnat = nat star
  hcomplex = complex star

* Hyperreal: Many groups of similarly-defined constants have been
replaced by polymorphic versions (INCOMPATIBILITY):

  star_of <-- hypreal_of_real, hypnat_of_nat, hcomplex_of_complex

  starset      <-- starsetNat, starsetC
  *s*          <-- *sNat*, *sc*
  starset_n    <-- starsetNat_n, starsetC_n
  *sn*         <-- *sNatn*, *scn*
  InternalSets <-- InternalNatSets, InternalCSets

  starfun      <-- starfun{Nat,Nat2,C,RC,CR}
  *f*          <-- *fNat*, *fNat2*, *fc*, *fRc*, *fcR*
  starfun_n    <-- starfun{Nat,Nat2,C,RC,CR}_n
  *fn*         <-- *fNatn*, *fNat2n*, *fcn*, *fRcn*, *fcRn*
  InternalFuns <-- InternalNatFuns, InternalNatFuns2, Internal{C,RC,CR}Funs

* Hyperreal: Many type-specific theorems have been removed in favor of
theorems specific to various axiomatic type classes (INCOMPATIBILITY):

  add_commute <-- {hypreal,hypnat,hcomplex}_add_commute
  add_assoc   <-- {hypreal,hypnat,hcomplex}_add_assocs
  OrderedGroup.add_0 <-- {hypreal,hypnat,hcomplex}_add_zero_left
  OrderedGroup.add_0_right <-- {hypreal,hcomplex}_add_zero_right
  right_minus <-- hypreal_add_minus
  left_minus <-- {hypreal,hcomplex}_add_minus_left
  mult_commute <-- {hypreal,hypnat,hcomplex}_mult_commute
  mult_assoc <-- {hypreal,hypnat,hcomplex}_mult_assoc
  mult_1_left <-- {hypreal,hypnat}_mult_1, hcomplex_mult_one_left
  mult_1_right <-- hcomplex_mult_one_right
  mult_zero_left <-- hcomplex_mult_zero_left
  left_distrib <-- {hypreal,hypnat,hcomplex}_add_mult_distrib
  right_distrib <-- hypnat_add_mult_distrib2
  zero_neq_one <-- {hypreal,hypnat,hcomplex}_zero_not_eq_one
  right_inverse <-- hypreal_mult_inverse
  left_inverse <-- hypreal_mult_inverse_left, hcomplex_mult_inv_left
  order_refl <-- {hypreal,hypnat}_le_refl
  order_trans <-- {hypreal,hypnat}_le_trans
  order_antisym <-- {hypreal,hypnat}_le_anti_sym
  order_less_le <-- {hypreal,hypnat}_less_le
  linorder_linear <-- {hypreal,hypnat}_le_linear
  add_left_mono <-- {hypreal,hypnat}_add_left_mono
  mult_strict_left_mono <-- {hypreal,hypnat}_mult_less_mono2
  add_nonneg_nonneg <-- hypreal_le_add_order

* Hyperreal: Separate theorems having to do with type-specific
versions of constants have been merged into theorems that apply to the
new polymorphic constants (INCOMPATIBILITY):

  STAR_UNIV_set <-- {STAR_real,NatStar_real,STARC_complex}_set
  STAR_empty_set <-- {STAR,NatStar,STARC}_empty_set
  STAR_Un <-- {STAR,NatStar,STARC}_Un
  STAR_Int <-- {STAR,NatStar,STARC}_Int
  STAR_Compl <-- {STAR,NatStar,STARC}_Compl
  STAR_subset <-- {STAR,NatStar,STARC}_subset
  STAR_mem <-- {STAR,NatStar,STARC}_mem
  STAR_mem_Compl <-- {STAR,STARC}_mem_Compl
  STAR_diff <-- {STAR,STARC}_diff
  STAR_star_of_image_subset <-- {STAR_hypreal_of_real, NatStar_hypreal_of_real,
    STARC_hcomplex_of_complex}_image_subset
  starset_n_Un <-- starset{Nat,C}_n_Un
  starset_n_Int <-- starset{Nat,C}_n_Int
  starset_n_Compl <-- starset{Nat,C}_n_Compl
  starset_n_diff <-- starset{Nat,C}_n_diff
  InternalSets_Un <-- Internal{Nat,C}Sets_Un
  InternalSets_Int <-- Internal{Nat,C}Sets_Int
  InternalSets_Compl <-- Internal{Nat,C}Sets_Compl
  InternalSets_diff <-- Internal{Nat,C}Sets_diff
  InternalSets_UNIV_diff <-- Internal{Nat,C}Sets_UNIV_diff
  InternalSets_starset_n <-- Internal{Nat,C}Sets_starset{Nat,C}_n
  starset_starset_n_eq <-- starset{Nat,C}_starset{Nat,C}_n_eq
  starset_n_starset <-- starset{Nat,C}_n_starset{Nat,C}
  starfun_n_starfun <-- starfun{Nat,Nat2,C,RC,CR}_n_starfun{Nat,Nat2,C,RC,CR}
  starfun <-- starfun{Nat,Nat2,C,RC,CR}
  starfun_mult <-- starfun{Nat,Nat2,C,RC,CR}_mult
  starfun_add <-- starfun{Nat,Nat2,C,RC,CR}_add
  starfun_minus <-- starfun{Nat,Nat2,C,RC,CR}_minus
  starfun_diff <-- starfun{C,RC,CR}_diff
  starfun_o <-- starfun{NatNat2,Nat2,_stafunNat,C,C_starfunRC,_starfunCR}_o
  starfun_o2 <-- starfun{NatNat2,_stafunNat,C,C_starfunRC,_starfunCR}_o2
  starfun_const_fun <-- starfun{Nat,Nat2,C,RC,CR}_const_fun
  starfun_inverse <-- starfun{Nat,C,RC,CR}_inverse
  starfun_eq <-- starfun{Nat,Nat2,C,RC,CR}_eq
  starfun_eq_iff <-- starfun{C,RC,CR}_eq_iff
  starfun_Id <-- starfunC_Id
  starfun_approx <-- starfun{Nat,CR}_approx
  starfun_capprox <-- starfun{C,RC}_capprox
  starfun_abs <-- starfunNat_rabs
  starfun_lambda_cancel <-- starfun{C,CR,RC}_lambda_cancel
  starfun_lambda_cancel2 <-- starfun{C,CR,RC}_lambda_cancel2
  starfun_mult_HFinite_approx <-- starfunCR_mult_HFinite_capprox
  starfun_mult_CFinite_capprox <-- starfun{C,RC}_mult_CFinite_capprox
  starfun_add_capprox <-- starfun{C,RC}_add_capprox
  starfun_add_approx <-- starfunCR_add_approx
  starfun_inverse_inverse <-- starfunC_inverse_inverse
  starfun_divide <-- starfun{C,CR,RC}_divide
  starfun_n <-- starfun{Nat,C}_n
  starfun_n_mult <-- starfun{Nat,C}_n_mult
  starfun_n_add <-- starfun{Nat,C}_n_add
  starfun_n_add_minus <-- starfunNat_n_add_minus
  starfun_n_const_fun <-- starfun{Nat,C}_n_const_fun
  starfun_n_minus <-- starfun{Nat,C}_n_minus
  starfun_n_eq <-- starfun{Nat,C}_n_eq

  star_n_add <-- {hypreal,hypnat,hcomplex}_add
  star_n_minus <-- {hypreal,hcomplex}_minus
  star_n_diff <-- {hypreal,hcomplex}_diff
  star_n_mult <-- {hypreal,hcomplex}_mult
  star_n_inverse <-- {hypreal,hcomplex}_inverse
  star_n_le <-- {hypreal,hypnat}_le
  star_n_less <-- {hypreal,hypnat}_less
  star_n_zero_num <-- {hypreal,hypnat,hcomplex}_zero_num
  star_n_one_num <-- {hypreal,hypnat,hcomplex}_one_num
  star_n_abs <-- hypreal_hrabs
  star_n_divide <-- hcomplex_divide

  star_of_add <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_add
  star_of_minus <-- {hypreal_of_real,hcomplex_of_complex}_minus
  star_of_diff <-- hypreal_of_real_diff
  star_of_mult <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_mult
  star_of_one <-- {hypreal_of_real,hcomplex_of_complex}_one
  star_of_zero <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_zero
  star_of_le <-- {hypreal_of_real,hypnat_of_nat}_le_iff
  star_of_less <-- {hypreal_of_real,hypnat_of_nat}_less_iff
  star_of_eq <-- {hypreal_of_real,hypnat_of_nat,hcomplex_of_complex}_eq_iff
  star_of_inverse <-- {hypreal_of_real,hcomplex_of_complex}_inverse
  star_of_divide <-- {hypreal_of_real,hcomplex_of_complex}_divide
  star_of_of_nat <-- {hypreal_of_real,hcomplex_of_complex}_of_nat
  star_of_of_int <-- {hypreal_of_real,hcomplex_of_complex}_of_int
  star_of_number_of <-- {hypreal,hcomplex}_number_of
  star_of_number_less <-- number_of_less_hypreal_of_real_iff
  star_of_number_le <-- number_of_le_hypreal_of_real_iff
  star_of_eq_number <-- hypreal_of_real_eq_number_of_iff
  star_of_less_number <-- hypreal_of_real_less_number_of_iff
  star_of_le_number <-- hypreal_of_real_le_number_of_iff
  star_of_power <-- hypreal_of_real_power
  star_of_eq_0 <-- hcomplex_of_complex_zero_iff

* Hyperreal: new method "transfer" that implements the transfer
principle of nonstandard analysis. With a subgoal that mentions
nonstandard types like "'a star", the command "apply transfer"
replaces it with an equivalent one that mentions only standard types.
To be successful, all free variables must have standard types; non-
standard variables must have explicit universal quantifiers.

* Hyperreal: A theory of Taylor series.


*** HOLCF ***

* Discontinued special version of 'constdefs' (which used to support
continuous functions) in favor of the general Pure one with full
type-inference.

* New simplification procedure for solving continuity conditions; it
is much faster on terms with many nested lambda abstractions (cubic
instead of exponential time).

* New syntax for domain package: selector names are now optional.
Parentheses should be omitted unless argument is lazy, for example:

  domain 'a stream = cons "'a" (lazy "'a stream")

* New command 'fixrec' for defining recursive functions with pattern
matching; defining multiple functions with mutual recursion is also
supported.  Patterns may include the constants cpair, spair, up, sinl,
sinr, or any data constructor defined by the domain package. The given
equations are proven as rewrite rules. See HOLCF/ex/Fixrec_ex.thy for
syntax and examples.

* New commands 'cpodef' and 'pcpodef' for defining predicate subtypes
of cpo and pcpo types. Syntax is exactly like the 'typedef' command,
but the proof obligation additionally includes an admissibility
requirement. The packages generate instances of class cpo or pcpo,
with continuity and strictness theorems for Rep and Abs.

* HOLCF: Many theorems have been renamed according to a more standard naming
scheme (INCOMPATIBILITY):

  foo_inject:  "foo$x = foo$y ==> x = y"
  foo_eq:      "(foo$x = foo$y) = (x = y)"
  foo_less:    "(foo$x << foo$y) = (x << y)"
  foo_strict:  "foo$UU = UU"
  foo_defined: "... ==> foo$x ~= UU"
  foo_defined_iff: "(foo$x = UU) = (x = UU)"


*** ZF ***

* ZF/ex: theories Group and Ring provide examples in abstract algebra,
including the First Isomorphism Theorem (on quotienting by the kernel
of a homomorphism).

* ZF/Simplifier: install second copy of type solver that actually
makes use of TC rules declared to Isar proof contexts (or locales);
the old version is still required for ML proof scripts.


*** Cube ***

* Converted to Isar theory format; use locales instead of axiomatic
theories.


*** ML ***

* Pure/library.ML: added ##>, ##>>, #>> -- higher-order counterparts
for ||>, ||>>, |>>,

* Pure/library.ML no longer defines its own option datatype, but uses
that of the SML basis, which has constructors NONE and SOME instead of
None and Some, as well as exception Option.Option instead of OPTION.
The functions the, if_none, is_some, is_none have been adapted
accordingly, while Option.map replaces apsome.

* Pure/library.ML: the exception LIST has been given up in favour of
the standard exceptions Empty and Subscript, as well as
Library.UnequalLengths.  Function like Library.hd and Library.tl are
superceded by the standard hd and tl functions etc.

A number of basic list functions are no longer exported to the ML
toplevel, as they are variants of predefined functions.  The following
suggests how one can translate existing code:

    rev_append xs ys = List.revAppend (xs, ys)
    nth_elem (i, xs) = List.nth (xs, i)
    last_elem xs = List.last xs
    flat xss = List.concat xss
    seq fs = List.app fs
    partition P xs = List.partition P xs
    mapfilter f xs = List.mapPartial f xs

* Pure/library.ML: several combinators for linear functional
transformations, notably reverse application and composition:

  x |> f                f #> g
  (x, y) |-> f          f #-> g

* Pure/library.ML: introduced/changed precedence of infix operators:

  infix 1 |> |-> ||> ||>> |>> |>>> #> #->;
  infix 2 ?;
  infix 3 o oo ooo oooo;
  infix 4 ~~ upto downto;

Maybe INCOMPATIBILITY when any of those is used in conjunction with other
infix operators.

* Pure/library.ML: natural list combinators fold, fold_rev, and
fold_map support linear functional transformations and nesting.  For
example:

  fold f [x1, ..., xN] y =
    y |> f x1 |> ... |> f xN

  (fold o fold) f [xs1, ..., xsN] y =
    y |> fold f xs1 |> ... |> fold f xsN

  fold f [x1, ..., xN] =
    f x1 #> ... #> f xN

  (fold o fold) f [xs1, ..., xsN] =
    fold f xs1 #> ... #> fold f xsN

* Pure/library.ML: the following selectors on type 'a option are
available:

  the:               'a option -> 'a  (*partial*)
  these:             'a option -> 'a  where 'a = 'b list
  the_default: 'a -> 'a option -> 'a
  the_list:          'a option -> 'a list

* Pure/General: structure AList (cf. Pure/General/alist.ML) provides
basic operations for association lists, following natural argument
order; moreover the explicit equality predicate passed here avoids
potentially expensive polymorphic runtime equality checks.
The old functions may be expressed as follows:

  assoc = uncurry (AList.lookup (op =))
  assocs = these oo AList.lookup (op =)
  overwrite = uncurry (AList.update (op =)) o swap

* Pure/General: structure AList (cf. Pure/General/alist.ML) provides

  val make: ('a -> 'b) -> 'a list -> ('a * 'b) list
  val find: ('a * 'b -> bool) -> ('c * 'b) list -> 'a -> 'c list

replacing make_keylist and keyfilter (occassionally used)
Naive rewrites:

  make_keylist = AList.make
  keyfilter = AList.find (op =)

* eq_fst and eq_snd now take explicit equality parameter, thus
  avoiding eqtypes. Naive rewrites:

    eq_fst = eq_fst (op =)
    eq_snd = eq_snd (op =)

* Removed deprecated apl and apr (rarely used).
  Naive rewrites:

    apl (n, op) =>>= curry op n
    apr (op, m) =>>= fn n => op (n, m)

* Pure/General: structure OrdList (cf. Pure/General/ord_list.ML)
provides a reasonably efficient light-weight implementation of sets as
lists.

* Pure/General: generic tables (cf. Pure/General/table.ML) provide a
few new operations; existing lookup and update are now curried to
follow natural argument order (for use with fold etc.);
INCOMPATIBILITY, use (uncurry Symtab.lookup) etc. as last resort.

* Pure/General: output via the Isabelle channels of
writeln/warning/error etc. is now passed through Output.output, with a
hook for arbitrary transformations depending on the print_mode
(cf. Output.add_mode -- the first active mode that provides a output
function wins).  Already formatted output may be embedded into further
text via Output.raw; the result of Pretty.string_of/str_of and derived
functions (string_of_term/cterm/thm etc.) is already marked raw to
accommodate easy composition of diagnostic messages etc.  Programmers
rarely need to care about Output.output or Output.raw at all, with
some notable exceptions: Output.output is required when bypassing the
standard channels (writeln etc.), or in token translations to produce
properly formatted results; Output.raw is required when capturing
already output material that will eventually be presented to the user
a second time.  For the default print mode, both Output.output and
Output.raw have no effect.

* Pure/General: Output.time_accumulator NAME creates an operator ('a
-> 'b) -> 'a -> 'b to measure runtime and count invocations; the
cumulative results are displayed at the end of a batch session.

* Pure/General: File.sysify_path and File.quote_sysify path have been
replaced by File.platform_path and File.shell_path (with appropriate
hooks).  This provides a clean interface for unusual systems where the
internal and external process view of file names are different.

* Pure: more efficient orders for basic syntactic entities: added
fast_string_ord, fast_indexname_ord, fast_term_ord; changed sort_ord
and typ_ord to use fast_string_ord and fast_indexname_ord (term_ord is
NOT affected); structures Symtab, Vartab, Typtab, Termtab use the fast
orders now -- potential INCOMPATIBILITY for code that depends on a
particular order for Symtab.keys, Symtab.dest, etc. (consider using
Library.sort_strings on result).

* Pure/term.ML: combinators fold_atyps, fold_aterms, fold_term_types,
fold_types traverse types/terms from left to right, observing natural
argument order.  Supercedes previous foldl_XXX versions, add_frees,
add_vars etc. have been adapted as well: INCOMPATIBILITY.

* Pure: name spaces have been refined, with significant changes of the
internal interfaces -- INCOMPATIBILITY.  Renamed cond_extern(_table)
to extern(_table).  The plain name entry path is superceded by a
general 'naming' context, which also includes the 'policy' to produce
a fully qualified name and external accesses of a fully qualified
name; NameSpace.extend is superceded by context dependent
Sign.declare_name.  Several theory and proof context operations modify
the naming context.  Especially note Theory.restore_naming and
ProofContext.restore_naming to get back to a sane state; note that
Theory.add_path is no longer sufficient to recover from
Theory.absolute_path in particular.

* Pure: new flags short_names (default false) and unique_names
(default true) for controlling output of qualified names.  If
short_names is set, names are printed unqualified.  If unique_names is
reset, the name prefix is reduced to the minimum required to achieve
the original result when interning again, even if there is an overlap
with earlier declarations.

* Pure/TheoryDataFun: change of the argument structure; 'prep_ext' is
now 'extend', and 'merge' gets an additional Pretty.pp argument
(useful for printing error messages).  INCOMPATIBILITY.

* Pure: major reorganization of the theory context.  Type Sign.sg and
Theory.theory are now identified, referring to the universal
Context.theory (see Pure/context.ML).  Actual signature and theory
content is managed as theory data.  The old code and interfaces were
spread over many files and structures; the new arrangement introduces
considerable INCOMPATIBILITY to gain more clarity:

  Context -- theory management operations (name, identity, inclusion,
    parents, ancestors, merge, etc.), plus generic theory data;

  Sign -- logical signature and syntax operations (declaring consts,
    types, etc.), plus certify/read for common entities;

  Theory -- logical theory operations (stating axioms, definitions,
    oracles), plus a copy of logical signature operations (consts,
    types, etc.); also a few basic management operations (Theory.copy,
    Theory.merge, etc.)

The most basic sign_of operations (Theory.sign_of, Thm.sign_of_thm
etc.) as well as the sign field in Thm.rep_thm etc. have been retained
for convenience -- they merely return the theory.

* Pure: type Type.tsig is superceded by theory in most interfaces.

* Pure: the Isar proof context type is already defined early in Pure
as Context.proof (note that ProofContext.context and Proof.context are
aliases, where the latter is the preferred name).  This enables other
Isabelle components to refer to that type even before Isar is present.

* Pure/sign/theory: discontinued named name spaces (i.e. classK,
typeK, constK, axiomK, oracleK), but provide explicit operations for
any of these kinds.  For example, Sign.intern typeK is now
Sign.intern_type, Theory.hide_space Sign.typeK is now
Theory.hide_types.  Also note that former
Theory.hide_classes/types/consts are now
Theory.hide_classes_i/types_i/consts_i, while the non '_i' versions
internalize their arguments!  INCOMPATIBILITY.

* Pure: get_thm interface (of PureThy and ProofContext) expects
datatype thmref (with constructors Name and NameSelection) instead of
plain string -- INCOMPATIBILITY;

* Pure: cases produced by proof methods specify options, where NONE
means to remove case bindings -- INCOMPATIBILITY in
(RAW_)METHOD_CASES.

* Pure: the following operations retrieve axioms or theorems from a
theory node or theory hierarchy, respectively:

  Theory.axioms_of: theory -> (string * term) list
  Theory.all_axioms_of: theory -> (string * term) list
  PureThy.thms_of: theory -> (string * thm) list
  PureThy.all_thms_of: theory -> (string * thm) list

* Pure: print_tac now outputs the goal through the trace channel.

* Isar toplevel: improved diagnostics, mostly for Poly/ML only.
Reference Toplevel.debug (default false) controls detailed printing
and tracing of low-level exceptions; Toplevel.profiling (default 0)
controls execution profiling -- set to 1 for time and 2 for space
(both increase the runtime).

* Isar session: The initial use of ROOT.ML is now always timed,
i.e. the log will show the actual process times, in contrast to the
elapsed wall-clock time that the outer shell wrapper produces.

* Simplifier: improved handling of bound variables (nameless
representation, avoid allocating new strings).  Simprocs that invoke
the Simplifier recursively should use Simplifier.inherit_bounds to
avoid local name clashes.  Failure to do so produces warnings
"Simplifier: renamed bound variable ..."; set Simplifier.debug_bounds
for further details.

* ML functions legacy_bindings and use_legacy_bindings produce ML fact
bindings for all theorems stored within a given theory; this may help
in porting non-Isar theories to Isar ones, while keeping ML proof
scripts for the time being.

* ML operator HTML.with_charset specifies the charset begin used for
generated HTML files.  For example:

  HTML.with_charset "utf-8" use_thy "Hebrew";
  HTML.with_charset "utf-8" use_thy "Chinese";


*** System ***

* Allow symlinks to all proper Isabelle executables (Isabelle,
isabelle, isatool etc.).

* ISABELLE_DOC_FORMAT setting specifies preferred document format (for
isatool doc, isatool mkdir, display_drafts etc.).

* isatool usedir: option -f allows specification of the ML file to be
used by Isabelle; default is ROOT.ML.

* New isatool version outputs the version identifier of the Isabelle
distribution being used.

* HOL: new isatool dimacs2hol converts files in DIMACS CNF format
(containing Boolean satisfiability problems) into Isabelle/HOL
theories.


New in Isabelle2004 (April 2004)
--------------------------------

*** General ***

* Provers/order.ML:  new efficient reasoner for partial and linear orders.
  Replaces linorder.ML.

* Pure: Greek letters (except small lambda, \<lambda>), as well as Gothic
  (\<aa>...\<zz>\<AA>...\<ZZ>), calligraphic (\<A>...\<Z>), and Euler
  (\<a>...\<z>), are now considered normal letters, and can therefore
  be used anywhere where an ASCII letter (a...zA...Z) has until
  now. COMPATIBILITY: This obviously changes the parsing of some
  terms, especially where a symbol has been used as a binder, say
  '\<Pi>x. ...', which is now a type error since \<Pi>x will be parsed
  as an identifier.  Fix it by inserting a space around former
  symbols.  Call 'isatool fixgreek' to try to fix parsing errors in
  existing theory and ML files.

* Pure: Macintosh and Windows line-breaks are now allowed in theory files.

* Pure: single letter sub/superscripts (\<^isub> and \<^isup>) are now
  allowed in identifiers. Similar to Greek letters \<^isub> is now considered
  a normal (but invisible) letter. For multiple letter subscripts repeat
  \<^isub> like this: x\<^isub>1\<^isub>2.

* Pure: There are now sub-/superscripts that can span more than one
  character. Text between \<^bsub> and \<^esub> is set in subscript in
  ProofGeneral and LaTeX, text between \<^bsup> and \<^esup> in
  superscript. The new control characters are not identifier parts.

* Pure: Control-symbols of the form \<^raw:...> will literally print the
  content of "..." to the latex file instead of \isacntrl... . The "..."
  may consist of any printable characters excluding the end bracket >.

* Pure: Using new Isar command "finalconsts" (or the ML functions
  Theory.add_finals or Theory.add_finals_i) it is now possible to
  declare constants "final", which prevents their being given a definition
  later.  It is useful for constants whose behaviour is fixed axiomatically
  rather than definitionally, such as the meta-logic connectives.

* Pure: 'instance' now handles general arities with general sorts
  (i.e. intersections of classes),

* Presentation: generated HTML now uses a CSS style sheet to make layout
  (somewhat) independent of content. It is copied from lib/html/isabelle.css.
  It can be changed to alter the colors/layout of generated pages.


*** Isar ***

* Tactic emulation methods rule_tac, erule_tac, drule_tac, frule_tac,
  cut_tac, subgoal_tac and thin_tac:
  - Now understand static (Isar) contexts.  As a consequence, users of Isar
    locales are no longer forced to write Isar proof scripts.
    For details see Isar Reference Manual, paragraph 4.3.2: Further tactic
    emulations.
  - INCOMPATIBILITY: names of variables to be instantiated may no
    longer be enclosed in quotes.  Instead, precede variable name with `?'.
    This is consistent with the instantiation attribute "where".

* Attributes "where" and "of":
  - Now take type variables of instantiated theorem into account when reading
    the instantiation string.  This fixes a bug that caused instantiated
    theorems to have too special types in some circumstances.
  - "where" permits explicit instantiations of type variables.

* Calculation commands "moreover" and "also" no longer interfere with
  current facts ("this"), admitting arbitrary combinations with "then"
  and derived forms.

* Locales:
  - Goal statements involving the context element "includes" no longer
    generate theorems with internal delta predicates (those ending on
    "_axioms") in the premise.
    Resolve particular premise with <locale>.intro to obtain old form.
  - Fixed bug in type inference ("unify_frozen") that prevented mix of target
    specification and "includes" elements in goal statement.
  - Rule sets <locale>.intro and <locale>.axioms no longer declared as
    [intro?] and [elim?] (respectively) by default.
  - Experimental command for instantiation of locales in proof contexts:
        instantiate <label>[<attrs>]: <loc>
    Instantiates locale <loc> and adds all its theorems to the current context
    taking into account their attributes.  Label and attrs are optional
    modifiers, like in theorem declarations.  If present, names of
    instantiated theorems are qualified with <label>, and the attributes
    <attrs> are applied after any attributes these theorems might have already.
      If the locale has assumptions, a chained fact of the form
    "<loc> t1 ... tn" is expected from which instantiations of the parameters
    are derived.  The command does not support old-style locales declared
    with "locale (open)".
      A few (very simple) examples can be found in FOL/ex/LocaleInst.thy.

* HOL: Tactic emulation methods induct_tac and case_tac understand static
  (Isar) contexts.


*** HOL ***

* Proof import: new image HOL4 contains the imported library from
  the HOL4 system with about 2500 theorems. It is imported by
  replaying proof terms produced by HOL4 in Isabelle. The HOL4 image
  can be used like any other Isabelle image.  See
  HOL/Import/HOL/README for more information.

* Simplifier:
  - Much improved handling of linear and partial orders.
    Reasoners for linear and partial orders are set up for type classes
    "linorder" and "order" respectively, and are added to the default simpset
    as solvers.  This means that the simplifier can build transitivity chains
    to solve goals from the assumptions.
  - INCOMPATIBILITY: old proofs break occasionally.  Typically, applications
    of blast or auto after simplification become unnecessary because the goal
    is solved by simplification already.

* Numerics: new theory Ring_and_Field contains over 250 basic numerical laws,
    all proved in axiomatic type classes for semirings, rings and fields.

* Numerics:
  - Numeric types (nat, int, and in HOL-Complex rat, real, complex, etc.) are
    now formalized using the Ring_and_Field theory mentioned above.
  - INCOMPATIBILITY: simplification and arithmetic behaves somewhat differently
    than before, because now they are set up once in a generic manner.
  - INCOMPATIBILITY: many type-specific arithmetic laws have gone.
    Look for the general versions in Ring_and_Field (and Power if they concern
    exponentiation).

* Type "rat" of the rational numbers is now available in HOL-Complex.

* Records:
  - Record types are now by default printed with their type abbreviation
    instead of the list of all field types. This can be configured via
    the reference "print_record_type_abbr".
  - Simproc "record_upd_simproc" for simplification of multiple updates added
    (not enabled by default).
  - Simproc "record_ex_sel_eq_simproc" to simplify EX x. sel r = x resp.
    EX x. x = sel r to True (not enabled by default).
  - Tactic "record_split_simp_tac" to split and simplify records added.

* 'specification' command added, allowing for definition by
  specification.  There is also an 'ax_specification' command that
  introduces the new constants axiomatically.

* arith(_tac) is now able to generate counterexamples for reals as well.

* HOL-Algebra: new locale "ring" for non-commutative rings.

* HOL-ex: InductiveInvariant_examples illustrates advanced recursive function
  definitions, thanks to Sava Krsti\'{c} and John Matthews.

* HOL-Matrix: a first theory for matrices in HOL with an application of
  matrix theory to linear programming.

* Unions and Intersections:
  The latex output syntax of UN and INT has been changed
  from "\Union x \in A. B" to "\Union_{x \in A} B"
  i.e. the index formulae has become a subscript.
  Similarly for "\Union x. B", and for \Inter instead of \Union.

* Unions and Intersections over Intervals:
  There is new short syntax "UN i<=n. A" for "UN i:{0..n}. A". There is
  also an x-symbol version with subscripts "\<Union>\<^bsub>i <= n\<^esub>. A"
  like in normal math, and corresponding versions for < and for intersection.

* HOL/List: Ordering "lexico" is renamed "lenlex" and the standard
  lexicographic dictonary ordering has been added as "lexord".

* ML: the legacy theory structures Int and List have been removed. They had
  conflicted with ML Basis Library structures having the same names.

* 'refute' command added to search for (finite) countermodels.  Only works
  for a fragment of HOL.  The installation of an external SAT solver is
  highly recommended.  See "HOL/Refute.thy" for details.

* 'quickcheck' command: Allows to find counterexamples by evaluating
  formulae under an assignment of free variables to random values.
  In contrast to 'refute', it can deal with inductive datatypes,
  but cannot handle quantifiers. See "HOL/ex/Quickcheck_Examples.thy"
  for examples.


*** HOLCF ***

* Streams now come with concatenation and are part of the HOLCF image


New in Isabelle2003 (May 2003)
------------------------------

*** General ***

* Provers/simplifier:

  - Completely reimplemented method simp (ML: Asm_full_simp_tac):
    Assumptions are now subject to complete mutual simplification,
    not just from left to right. The simplifier now preserves
    the order of assumptions.

    Potential INCOMPATIBILITY:

    -- simp sometimes diverges where the old version did
       not, e.g. invoking simp on the goal

        [| P (f x); y = x; f x = f y |] ==> Q

       now gives rise to the infinite reduction sequence

        P(f x) --(f x = f y)--> P(f y) --(y = x)--> P(f x) --(f x = f y)--> ...

       Using "simp (asm_lr)" (ML: Asm_lr_simp_tac) instead often solves this
       kind of problem.

    -- Tactics combining classical reasoner and simplification (such as auto)
       are also affected by this change, because many of them rely on
       simp. They may sometimes diverge as well or yield a different numbers
       of subgoals. Try to use e.g. force, fastsimp, or safe instead of auto
       in case of problems. Sometimes subsequent calls to the classical
       reasoner will fail because a preceeding call to the simplifier too
       eagerly simplified the goal, e.g. deleted redundant premises.

  - The simplifier trace now shows the names of the applied rewrite rules

  - You can limit the number of recursive invocations of the simplifier
    during conditional rewriting (where the simplifie tries to solve the
    conditions before applying the rewrite rule):
    ML "simp_depth_limit := n"
    where n is an integer. Thus you can force termination where previously
    the simplifier would diverge.

  - Accepts free variables as head terms in congruence rules.  Useful in Isar.

  - No longer aborts on failed congruence proof.  Instead, the
    congruence is ignored.

* Pure: New generic framework for extracting programs from constructive
  proofs. See HOL/Extraction.thy for an example instantiation, as well
  as HOL/Extraction for some case studies.

* Pure: The main goal of the proof state is no longer shown by default, only
the subgoals. This behaviour is controlled by a new flag.
   PG menu: Isabelle/Isar -> Settings -> Show Main Goal
(ML: Proof.show_main_goal).

* Pure: You can find all matching introduction rules for subgoal 1, i.e. all
rules whose conclusion matches subgoal 1:
      PG menu: Isabelle/Isar -> Show me -> matching rules
The rules are ordered by how closely they match the subgoal.
In particular, rules that solve a subgoal outright are displayed first
(or rather last, the way they are printed).
(ML: ProofGeneral.print_intros())

* Pure: New flag trace_unify_fail causes unification to print
diagnostic information (PG: in trace buffer) when it fails. This is
useful for figuring out why single step proofs like rule, erule or
assumption failed.

* Pure: Locale specifications now produce predicate definitions
according to the body of text (covering assumptions modulo local
definitions); predicate "loc_axioms" covers newly introduced text,
while "loc" is cumulative wrt. all included locale expressions; the
latter view is presented only on export into the global theory
context; potential INCOMPATIBILITY, use "(open)" option to fall back
on the old view without predicates;

* Pure: predefined locales "var" and "struct" are useful for sharing
parameters (as in CASL, for example); just specify something like
``var x + var y + struct M'' as import;

* Pure: improved thms_containing: proper indexing of facts instead of
raw theorems; check validity of results wrt. current name space;
include local facts of proof configuration (also covers active
locales), cover fixed variables in index; may use "_" in term
specification; an optional limit for the number of printed facts may
be given (the default is 40);

* Pure: disallow duplicate fact bindings within new-style theory files
(batch-mode only);

* Provers: improved induct method: assumptions introduced by case
"foo" are split into "foo.hyps" (from the rule) and "foo.prems" (from
the goal statement); "foo" still refers to all facts collectively;

* Provers: the function blast.overloaded has been removed: all constants
are regarded as potentially overloaded, which improves robustness in exchange
for slight decrease in efficiency;

* Provers/linorder: New generic prover for transitivity reasoning over
linear orders.  Note: this prover is not efficient!

* Isar: preview of problems to finish 'show' now produce an error
rather than just a warning (in interactive mode);


*** HOL ***

* arith(_tac)

 - Produces a counter example if it cannot prove a goal.
   Note that the counter example may be spurious if the goal is not a formula
   of quantifier-free linear arithmetic.
   In ProofGeneral the counter example appears in the trace buffer.

 - Knows about div k and mod k where k is a numeral of type nat or int.

 - Calls full Presburger arithmetic (by Amine Chaieb) if quantifier-free
   linear arithmetic fails. This takes account of quantifiers and divisibility.
   Presburger arithmetic can also be called explicitly via presburger(_tac).

* simp's arithmetic capabilities have been enhanced a bit: it now
takes ~= in premises into account (by performing a case split);

* simp reduces "m*(n div m) + n mod m" to n, even if the two summands
are distributed over a sum of terms;

* New tactic "trans_tac" and method "trans" instantiate
Provers/linorder.ML for axclasses "order" and "linorder" (predicates
"<=", "<" and "=").

* function INCOMPATIBILITIES: Pi-sets have been redefined and moved from main
HOL to Library/FuncSet; constant "Fun.op o" is now called "Fun.comp";

* 'typedef' command has new option "open" to suppress the set
definition;

* functions Min and Max on finite sets have been introduced (theory
Finite_Set);

* attribute [symmetric] now works for relations as well; it turns
(x,y) : R^-1 into (y,x) : R, and vice versa;

* induct over a !!-quantified statement (say !!x1..xn):
  each "case" automatically performs "fix x1 .. xn" with exactly those names.

* Map: `empty' is no longer a constant but a syntactic abbreviation for
%x. None. Warning: empty_def now refers to the previously hidden definition
of the empty set.

* Algebra: formalization of classical algebra.  Intended as base for
any algebraic development in Isabelle.  Currently covers group theory
(up to Sylow's theorem) and ring theory (Universal Property of
Univariate Polynomials).  Contributions welcome;

* GroupTheory: deleted, since its material has been moved to Algebra;

* Complex: new directory of the complex numbers with numeric constants,
nonstandard complex numbers, and some complex analysis, standard and
nonstandard (Jacques Fleuriot);

* HOL-Complex: new image for analysis, replacing HOL-Real and HOL-Hyperreal;

* Hyperreal: introduced Gauge integration and hyperreal logarithms (Jacques
Fleuriot);

* Real/HahnBanach: updated and adapted to locales;

* NumberTheory: added Gauss's law of quadratic reciprocity (by Avigad,
Gray and Kramer);

* UNITY: added the Meier-Sanders theory of progress sets;

* MicroJava: bytecode verifier and lightweight bytecode verifier
as abstract algorithms, instantiated to the JVM;

* Bali: Java source language formalization. Type system, operational
semantics, axiomatic semantics. Supported language features:
classes, interfaces, objects,virtual methods, static methods,
static/instance fields, arrays, access modifiers, definite
assignment, exceptions.


*** ZF ***

* ZF/Constructible: consistency proof for AC (Gdel's constructible
universe, etc.);

* Main ZF: virtually all theories converted to new-style format;


*** ML ***

* Pure: Tactic.prove provides sane interface for internal proofs;
omits the infamous "standard" operation, so this is more appropriate
than prove_goalw_cterm in many situations (e.g. in simprocs);

* Pure: improved error reporting of simprocs;

* Provers: Simplifier.simproc(_i) provides sane interface for setting
up simprocs;


*** Document preparation ***

* uses \par instead of \\ for line breaks in theory text. This may
shift some page breaks in large documents. To get the old behaviour
use \renewcommand{\isanewline}{\mbox{}\\\mbox{}} in root.tex.

* minimized dependencies of isabelle.sty and isabellesym.sty on
other packages

* \<euro> now needs package babel/greek instead of marvosym (which
broke \Rightarrow)

* normal size for \<zero>...\<nine> (uses \mathbf instead of
textcomp package)


New in Isabelle2002 (March 2002)
--------------------------------

*** Document preparation ***

* greatly simplified document preparation setup, including more
graceful interpretation of isatool usedir -i/-d/-D options, and more
instructive isatool mkdir; users should basically be able to get
started with "isatool mkdir HOL Test && isatool make"; alternatively,
users may run a separate document processing stage manually like this:
"isatool usedir -D output HOL Test && isatool document Test/output";

* theory dependency graph may now be incorporated into documents;
isatool usedir -g true will produce session_graph.eps/.pdf for use
with \includegraphics of LaTeX;

* proper spacing of consecutive markup elements, especially text
blocks after section headings;

* support bold style (for single symbols only), input syntax is like
this: "\<^bold>\<alpha>" or "\<^bold>A";

* \<bullet> is now output as bold \cdot by default, which looks much
better in printed text;

* added default LaTeX bindings for \<tturnstile> and \<TTurnstile>;
note that these symbols are currently unavailable in Proof General /
X-Symbol; new symbols \<zero>, \<one>, ..., \<nine>, and \<euro>;

* isatool latex no longer depends on changed TEXINPUTS, instead
isatool document copies the Isabelle style files to the target
location;


*** Isar ***

* Pure/Provers: improved proof by cases and induction;
  - 'case' command admits impromptu naming of parameters (such as
    "case (Suc n)");
  - 'induct' method divinates rule instantiation from the inductive
    claim; no longer requires excessive ?P bindings for proper
    instantiation of cases;
  - 'induct' method properly enumerates all possibilities of set/type
    rules; as a consequence facts may be also passed through *type*
    rules without further ado;
  - 'induct' method now derives symbolic cases from the *rulified*
    rule (before it used to rulify cases stemming from the internal
    atomized version); this means that the context of a non-atomic
    statement becomes is included in the hypothesis, avoiding the
    slightly cumbersome show "PROP ?case" form;
  - 'induct' may now use elim-style induction rules without chaining
    facts, using ``missing'' premises from the goal state; this allows
    rules stemming from inductive sets to be applied in unstructured
    scripts, while still benefitting from proper handling of non-atomic
    statements; NB: major inductive premises need to be put first, all
    the rest of the goal is passed through the induction;
  - 'induct' proper support for mutual induction involving non-atomic
    rule statements (uses the new concept of simultaneous goals, see
    below);
  - append all possible rule selections, but only use the first
    success (no backtracking);
  - removed obsolete "(simplified)" and "(stripped)" options of methods;
  - undeclared rule case names default to numbers 1, 2, 3, ...;
  - added 'print_induct_rules' (covered by help item in recent Proof
    General versions);
  - moved induct/cases attributes to Pure, methods to Provers;
  - generic method setup instantiated for FOL and HOL;

* Pure: support multiple simultaneous goal statements, for example
"have a: A and b: B" (same for 'theorem' etc.); being a pure
meta-level mechanism, this acts as if several individual goals had
been stated separately; in particular common proof methods need to be
repeated in order to cover all claims; note that a single elimination
step is *not* sufficient to establish the two conjunctions, so this
fails:

  assume "A & B" then have A and B ..   (*".." fails*)

better use "obtain" in situations as above; alternative refer to
multi-step methods like 'auto', 'simp_all', 'blast+' etc.;

* Pure: proper integration with ``locales''; unlike the original
version by Florian Kammller, Isar locales package high-level proof
contexts rather than raw logical ones (e.g. we admit to include
attributes everywhere); operations on locales include merge and
rename; support for implicit arguments (``structures''); simultaneous
type-inference over imports and text; see also HOL/ex/Locales.thy for
some examples;

* Pure: the following commands have been ``localized'', supporting a
target locale specification "(in name)": 'lemma', 'theorem',
'corollary', 'lemmas', 'theorems', 'declare'; the results will be
stored both within the locale and at the theory level (exported and
qualified by the locale name);

* Pure: theory goals may now be specified in ``long'' form, with
ad-hoc contexts consisting of arbitrary locale elements. for example
``lemma foo: fixes x assumes "A x" shows "B x"'' (local syntax and
definitions may be given, too); the result is a meta-level rule with
the context elements being discharged in the obvious way;

* Pure: new proof command 'using' allows to augment currently used
facts after a goal statement ('using' is syntactically analogous to
'apply', but acts on the goal's facts only); this allows chained facts
to be separated into parts given before and after a claim, as in
``from a and b have C using d and e <proof>'';

* Pure: renamed "antecedent" case to "rule_context";

* Pure: new 'judgment' command records explicit information about the
object-logic embedding (used by several tools internally); no longer
use hard-wired "Trueprop";

* Pure: added 'corollary' command;

* Pure: fixed 'token_translation' command;

* Pure: removed obsolete 'exported' attribute;

* Pure: dummy pattern "_" in is/let is now automatically lifted over
bound variables: "ALL x. P x --> Q x" (is "ALL x. _ --> ?C x")
supersedes more cumbersome ... (is "ALL x. _ x --> ?C x");

* Pure: method 'atomize' presents local goal premises as object-level
statements (atomic meta-level propositions); setup controlled via
rewrite rules declarations of 'atomize' attribute; example
application: 'induct' method with proper rule statements in improper
proof *scripts*;

* Pure: emulation of instantiation tactics (rule_tac, cut_tac, etc.)
now consider the syntactic context of assumptions, giving a better
chance to get type-inference of the arguments right (this is
especially important for locales);

* Pure: "sorry" no longer requires quick_and_dirty in interactive
mode;

* Pure/obtain: the formal conclusion "thesis", being marked as
``internal'', may no longer be reference directly in the text;
potential INCOMPATIBILITY, may need to use "?thesis" in rare
situations;

* Pure: generic 'sym' attribute which declares a rule both as pure
'elim?' and for the 'symmetric' operation;

* Pure: marginal comments ``--'' may now occur just anywhere in the
text; the fixed correlation with particular command syntax has been
discontinued;

* Pure: new method 'rules' is particularly well-suited for proof
search in intuitionistic logic; a bit slower than 'blast' or 'fast',
but often produces more compact proof terms with less detours;

* Pure/Provers/classical: simplified integration with pure rule
attributes and methods; the classical "intro?/elim?/dest?"
declarations coincide with the pure ones; the "rule" method no longer
includes classically swapped intros; "intro" and "elim" methods no
longer pick rules from the context; also got rid of ML declarations
AddXIs/AddXEs/AddXDs; all of this has some potential for
INCOMPATIBILITY;

* Provers/classical: attribute 'swapped' produces classical inversions
of introduction rules;

* Provers/simplifier: 'simplified' attribute may refer to explicit
rules instead of full simplifier context; 'iff' attribute handles
conditional rules;

* HOL: 'typedef' now allows alternative names for Rep/Abs morphisms;

* HOL: 'recdef' now fails on unfinished automated proofs, use
"(permissive)" option to recover old behavior;

* HOL: 'inductive' no longer features separate (collective) attributes
for 'intros' (was found too confusing);

* HOL: properly declared induction rules less_induct and
wf_induct_rule;


*** HOL ***

* HOL: moved over to sane numeral syntax; the new policy is as
follows:

  - 0 and 1 are polymorphic constants, which are defined on any
  numeric type (nat, int, real etc.);

  - 2, 3, 4, ... and -1, -2, -3, ... are polymorphic numerals, based
  binary representation internally;

  - type nat has special constructor Suc, and generally prefers Suc 0
  over 1::nat and Suc (Suc 0) over 2::nat;

This change may cause significant problems of INCOMPATIBILITY; here
are some hints on converting existing sources:

  - due to the new "num" token, "-0" and "-1" etc. are now atomic
  entities, so expressions involving "-" (unary or binary minus) need
  to be spaced properly;

  - existing occurrences of "1" may need to be constraint "1::nat" or
  even replaced by Suc 0; similar for old "2";

  - replace "#nnn" by "nnn", and "#-nnn" by "-nnn";

  - remove all special provisions on numerals in proofs;

* HOL: simp rules nat_number expand numerals on nat to Suc/0
representation (depends on bin_arith_simps in the default context);

* HOL: symbolic syntax for x^2 (numeral 2);

* HOL: the class of all HOL types is now called "type" rather than
"term"; INCOMPATIBILITY, need to adapt references to this type class
in axclass/classes, instance/arities, and (usually rare) occurrences
in typings (of consts etc.); internally the class is called
"HOL.type", ML programs should refer to HOLogic.typeS;

* HOL/record package improvements:
  - new derived operations "fields" to build a partial record section,
    "extend" to promote a fixed record to a record scheme, and
    "truncate" for the reverse; cf. theorems "xxx.defs", which are *not*
    declared as simp by default;
  - shared operations ("more", "fields", etc.) now need to be always
    qualified) --- potential INCOMPATIBILITY;
  - removed "make_scheme" operations (use "make" with "extend") --
    INCOMPATIBILITY;
  - removed "more" class (simply use "term") -- INCOMPATIBILITY;
  - provides cases/induct rules for use with corresponding Isar
    methods (for concrete records, record schemes, concrete more
    parts, and schematic more parts -- in that order);
  - internal definitions directly based on a light-weight abstract
    theory of product types over typedef rather than datatype;

* HOL: generic code generator for generating executable ML code from
specifications; specific support for HOL constructs such as inductive
datatypes and sets, as well as recursive functions; can be invoked
via 'generate_code' theory section;

* HOL: canonical cases/induct rules for n-tuples (n = 3..7);

* HOL: consolidated and renamed several theories.  In particular:
        Ord.thy has been absorbed into HOL.thy
        String.thy has been absorbed into List.thy

* HOL: concrete setsum syntax "\<Sum>i:A. b" == "setsum (%i. b) A"
(beware of argument permutation!);

* HOL: linorder_less_split superseded by linorder_cases;

* HOL/List: "nodups" renamed to "distinct";

* HOL: added "The" definite description operator; move Hilbert's "Eps"
to peripheral theory "Hilbert_Choice"; some INCOMPATIBILITIES:
  - Ex_def has changed, now need to use some_eq_ex

* HOL: made split_all_tac safe; EXISTING PROOFS MAY FAIL OR LOOP, so
in this (rare) case use:

  delSWrapper "split_all_tac"
  addSbefore ("unsafe_split_all_tac", unsafe_split_all_tac)

* HOL: added safe wrapper "split_conv_tac" to claset; EXISTING PROOFS
MAY FAIL;

* HOL: introduced f^n = f o ... o f; warning: due to the limits of
Isabelle's type classes, ^ on functions and relations has too general
a domain, namely ('a * 'b) set and 'a => 'b; this means that it may be
necessary to attach explicit type constraints;

* HOL/Relation: the prefix name of the infix "O" has been changed from
"comp" to "rel_comp"; INCOMPATIBILITY: a few theorems have been
renamed accordingly (eg "compI" -> "rel_compI").

* HOL: syntax translations now work properly with numerals and records
expressions;

* HOL: bounded abstraction now uses syntax "%" / "\<lambda>" instead
of "lam" -- INCOMPATIBILITY;

* HOL: got rid of some global declarations (potential INCOMPATIBILITY
for ML tools): const "()" renamed "Product_Type.Unity", type "unit"
renamed "Product_Type.unit";

* HOL: renamed rtrancl_into_rtrancl2 to converse_rtrancl_into_rtrancl

* HOL: removed obsolete theorem "optionE" (use "option.exhaust", or
the "cases" method);

* HOL/GroupTheory: group theory examples including Sylow's theorem (by
Florian Kammller);

* HOL/IMP: updated and converted to new-style theory format; several
parts turned into readable document, with proper Isar proof texts and
some explanations (by Gerwin Klein);

* HOL-Real: added Complex_Numbers (by Gertrud Bauer);

* HOL-Hyperreal is now a logic image;


*** HOLCF ***

* Isar: consts/constdefs supports mixfix syntax for continuous
operations;

* Isar: domain package adapted to new-style theory format, e.g. see
HOLCF/ex/Dnat.thy;

* theory Lift: proper use of rep_datatype lift instead of ML hacks --
potential INCOMPATIBILITY; now use plain induct_tac instead of former
lift.induct_tac, always use UU instead of Undef;

* HOLCF/IMP: updated and converted to new-style theory;


*** ZF ***

* Isar: proper integration of logic-specific tools and packages,
including theory commands '(co)inductive', '(co)datatype',
'rep_datatype', 'inductive_cases', as well as methods 'ind_cases',
'induct_tac', 'case_tac', and 'typecheck' (with attribute 'TC');

* theory Main no longer includes AC; for the Axiom of Choice, base
your theory on Main_ZFC;

* the integer library now covers quotients and remainders, with many
laws relating division to addition, multiplication, etc.;

* ZF/UNITY: Chandy and Misra's UNITY is now available in ZF, giving a
typeless version of the formalism;

* ZF/AC, Coind, IMP, Resid: updated and converted to new-style theory
format;

* ZF/Induct: new directory for examples of inductive definitions,
including theory Multiset for multiset orderings; converted to
new-style theory format;

* ZF: many new theorems about lists, ordinals, etc.;


*** General ***

* Pure/kernel: meta-level proof terms (by Stefan Berghofer); reference
variable proof controls level of detail: 0 = no proofs (only oracle
dependencies), 1 = lemma dependencies, 2 = compact proof terms; see
also ref manual for further ML interfaces;

* Pure/axclass: removed obsolete ML interface
goal_subclass/goal_arity;

* Pure/syntax: new token syntax "num" for plain numerals (without "#"
of "xnum"); potential INCOMPATIBILITY, since -0, -1 etc. are now
separate tokens, so expressions involving minus need to be spaced
properly;

* Pure/syntax: support non-oriented infixes, using keyword "infix"
rather than "infixl" or "infixr";

* Pure/syntax: concrete syntax for dummy type variables admits genuine
sort constraint specifications in type inference; e.g. "x::_::foo"
ensures that the type of "x" is of sort "foo" (but not necessarily a
type variable);

* Pure/syntax: print modes "type_brackets" and "no_type_brackets"
control output of nested => (types); the default behavior is
"type_brackets";

* Pure/syntax: builtin parse translation for "_constify" turns valued
tokens into AST constants;

* Pure/syntax: prefer later declarations of translations and print
translation functions; potential INCOMPATIBILITY: need to reverse
multiple declarations for same syntax element constant;

* Pure/show_hyps reset by default (in accordance to existing Isar
practice);

* Provers/classical: renamed addaltern to addafter, addSaltern to
addSafter;

* Provers/clasimp: ``iff'' declarations now handle conditional rules
as well;

* system: tested support for MacOS X; should be able to get Isabelle +
Proof General to work in a plain Terminal after installing Poly/ML
(e.g. from the Isabelle distribution area) and GNU bash alone
(e.g. from http://www.apple.com); full X11, XEmacs and X-Symbol
support requires further installations, e.g. from
http://fink.sourceforge.net/);

* system: support Poly/ML 4.1.1 (able to manage larger heaps);

* system: reduced base memory usage by Poly/ML (approx. 20 MB instead
of 40 MB), cf. ML_OPTIONS;

* system: Proof General keywords specification is now part of the
Isabelle distribution (see etc/isar-keywords.el);

* system: support for persistent Proof General sessions (refrain from
outdating all loaded theories on startup); user may create writable
logic images like this: ``isabelle -q HOL Test'';

* system: smart selection of Isabelle process versus Isabelle
interface, accommodates case-insensitive file systems (e.g. HFS+); may
run both "isabelle" and "Isabelle" even if file names are badly
damaged (executable inspects the case of the first letter of its own
name); added separate "isabelle-process" and "isabelle-interface";

* system: refrain from any attempt at filtering input streams; no
longer support ``8bit'' encoding of old isabelle font, instead proper
iso-latin characters may now be used; the related isatools
"symbolinput" and "nonascii" have disappeared as well;

* system: removed old "xterm" interface (the print modes "xterm" and
"xterm_color" are still available for direct use in a suitable
terminal);


New in Isabelle99-2 (February 2001)
-----------------------------------

*** Overview of INCOMPATIBILITIES ***

* HOL: please note that theories in the Library and elsewhere often use the
new-style (Isar) format; to refer to their theorems in an ML script you must
bind them to ML identifers by e.g.      val thm_name = thm "thm_name";

* HOL: inductive package no longer splits induction rule aggressively,
but only as far as specified by the introductions given; the old
format may be recovered via ML function complete_split_rule or attribute
'split_rule (complete)';

* HOL: induct renamed to lfp_induct, lfp_Tarski to lfp_unfold,
gfp_Tarski to gfp_unfold;

* HOL: contrapos, contrapos2 renamed to contrapos_nn, contrapos_pp;

* HOL: infix "dvd" now has priority 50 rather than 70 (because it is a
relation); infix "^^" has been renamed "``"; infix "``" has been
renamed "`"; "univalent" has been renamed "single_valued";

* HOL/Real: "rinv" and "hrinv" replaced by overloaded "inverse"
operation;

* HOLCF: infix "`" has been renamed "$"; the symbol syntax is \<cdot>;

* Isar: 'obtain' no longer declares "that" fact as simp/intro;

* Isar/HOL: method 'induct' now handles non-atomic goals; as a
consequence, it is no longer monotonic wrt. the local goal context
(which is now passed through the inductive cases);

* Document preparation: renamed standard symbols \<ll> to \<lless> and
\<gg> to \<ggreater>;


*** Document preparation ***

* \isabellestyle{NAME} selects version of Isabelle output (currently
available: are "it" for near math-mode best-style output, "sl" for
slanted text style, and "tt" for plain type-writer; if no
\isabellestyle command is given, output is according to slanted
type-writer);

* support sub/super scripts (for single symbols only), input syntax is
like this: "A\<^sup>*" or "A\<^sup>\<star>";

* some more standard symbols; see Appendix A of the system manual for
the complete list of symbols defined in isabellesym.sty;

* improved isabelle style files; more abstract symbol implementation
(should now use \isamath{...} and \isatext{...} in custom symbol
definitions);

* antiquotation @{goals} and @{subgoals} for output of *dynamic* goals
state; Note that presentation of goal states does not conform to
actual human-readable proof documents.  Please do not include goal
states into document output unless you really know what you are doing!

* proper indentation of antiquoted output with proportional LaTeX
fonts;

* no_document ML operator temporarily disables LaTeX document
generation;

* isatool unsymbolize tunes sources for plain ASCII communication;


*** Isar ***

* Pure: Isar now suffers initial goal statements to contain unbound
schematic variables (this does not conform to actual readable proof
documents, due to unpredictable outcome and non-compositional proof
checking); users who know what they are doing may use schematic goals
for Prolog-style synthesis of proven results;

* Pure: assumption method (an implicit finishing) now handles actual
rules as well;

* Pure: improved 'obtain' --- moved to Pure, insert "that" into
initial goal, declare "that" only as Pure intro (only for single
steps); the "that" rule assumption may now be involved in implicit
finishing, thus ".." becomes a feasible for trivial obtains;

* Pure: default proof step now includes 'intro_classes'; thus trivial
instance proofs may be performed by "..";

* Pure: ?thesis / ?this / "..." now work for pure meta-level
statements as well;

* Pure: more robust selection of calculational rules;

* Pure: the builtin notion of 'finished' goal now includes the ==-refl
rule (as well as the assumption rule);

* Pure: 'thm_deps' command visualizes dependencies of theorems and
lemmas, using the graph browser tool;

* Pure: predict failure of "show" in interactive mode;

* Pure: 'thms_containing' now takes actual terms as arguments;

* HOL: improved method 'induct' --- now handles non-atomic goals
(potential INCOMPATIBILITY); tuned error handling;

* HOL: cases and induct rules now provide explicit hints about the
number of facts to be consumed (0 for "type" and 1 for "set" rules);
any remaining facts are inserted into the goal verbatim;

* HOL: local contexts (aka cases) may now contain term bindings as
well; the 'cases' and 'induct' methods new provide a ?case binding for
the result to be shown in each case;

* HOL: added 'recdef_tc' command;

* isatool convert assists in eliminating legacy ML scripts;


*** HOL ***

* HOL/Library: a collection of generic theories to be used together
with main HOL; the theory loader path already includes this directory
by default; the following existing theories have been moved here:
HOL/Induct/Multiset, HOL/Induct/Acc (as Accessible_Part), HOL/While
(as While_Combinator), HOL/Lex/Prefix (as List_Prefix);

* HOL/Unix: "Some aspects of Unix file-system security", a typical
modelling and verification task performed in Isabelle/HOL +
Isabelle/Isar + Isabelle document preparation (by Markus Wenzel).

* HOL/Algebra: special summation operator SUM no longer exists, it has
been replaced by setsum; infix 'assoc' now has priority 50 (like
'dvd'); axiom 'one_not_zero' has been moved from axclass 'ring' to
'domain', this makes the theory consistent with mathematical
literature;

* HOL basics: added overloaded operations "inverse" and "divide"
(infix "/"), syntax for generic "abs" operation, generic summation
operator \<Sum>;

* HOL/typedef: simplified package, provide more useful rules (see also
HOL/subset.thy);

* HOL/datatype: induction rule for arbitrarily branching datatypes is
now expressed as a proper nested rule (old-style tactic scripts may
require atomize_strip_tac to cope with non-atomic premises);

* HOL: renamed theory "Prod" to "Product_Type", renamed "split" rule
to "split_conv" (old name still available for compatibility);

* HOL: improved concrete syntax for strings (e.g. allows translation
rules with string literals);

* HOL-Real-Hyperreal: this extends HOL-Real with the hyperreals
 and Fleuriot's mechanization of analysis, including the transcendental
 functions for the reals;

* HOL/Real, HOL/Hyperreal: improved arithmetic simplification;


*** CTT ***

* CTT: x-symbol support for Pi, Sigma, -->, : (membership); note that
"lam" is displayed as TWO lambda-symbols

* CTT: theory Main now available, containing everything (that is, Bool
and Arith);


*** General ***

* Pure: the Simplifier has been implemented properly as a derived rule
outside of the actual kernel (at last!); the overall performance
penalty in practical applications is about 50%, while reliability of
the Isabelle inference kernel has been greatly improved;

* print modes "brackets" and "no_brackets" control output of nested =>
(types) and ==> (props); the default behaviour is "brackets";

* Provers: fast_tac (and friends) now handle actual object-logic rules
as assumptions as well;

* system: support Poly/ML 4.0;

* system: isatool install handles KDE version 1 or 2;


New in Isabelle99-1 (October 2000)
----------------------------------

*** Overview of INCOMPATIBILITIES ***

* HOL: simplification of natural numbers is much changed; to partly
recover the old behaviour (e.g. to prevent n+n rewriting to #2*n)
issue the following ML commands:

  Delsimprocs Nat_Numeral_Simprocs.cancel_numerals;
  Delsimprocs [Nat_Numeral_Simprocs.combine_numerals];

* HOL: simplification no longer dives into case-expressions; this is
controlled by "t.weak_case_cong" for each datatype t;

* HOL: nat_less_induct renamed to less_induct;

* HOL: systematic renaming of the SOME (Eps) rules, may use isatool
fixsome to patch .thy and .ML sources automatically;

  select_equality  -> some_equality
  select_eq_Ex     -> some_eq_ex
  selectI2EX       -> someI2_ex
  selectI2         -> someI2
  selectI          -> someI
  select1_equality -> some1_equality
  Eps_sym_eq       -> some_sym_eq_trivial
  Eps_eq           -> some_eq_trivial

* HOL: exhaust_tac on datatypes superceded by new generic case_tac;

* HOL: removed obsolete theorem binding expand_if (refer to split_if
instead);

* HOL: the recursion equations generated by 'recdef' are now called
f.simps instead of f.rules;

* HOL: qed_spec_mp now also handles bounded ALL as well;

* HOL: 0 is now overloaded, so the type constraint ":: nat" may
sometimes be needed;

* HOL: the constant for "f``x" is now "image" rather than "op ``";

* HOL: the constant for "f-``x" is now "vimage" rather than "op -``";

* HOL: the disjoint sum is now "<+>" instead of "Plus"; the cartesian
product is now "<*>" instead of "Times"; the lexicographic product is
now "<*lex*>" instead of "**";

* HOL: theory Sexp is now in HOL/Induct examples (it used to be part
of main HOL, but was unused); better use HOL's datatype package;

* HOL: removed "symbols" syntax for constant "override" of theory Map;
the old syntax may be recovered as follows:

  syntax (symbols)
    override  :: "('a ~=> 'b) => ('a ~=> 'b) => ('a ~=> 'b)"
      (infixl "\\<oplus>" 100)

* HOL/Real: "rabs" replaced by overloaded "abs" function;

* HOL/ML: even fewer consts are declared as global (see theories Ord,
Lfp, Gfp, WF); this only affects ML packages that refer to const names
internally;

* HOL and ZF: syntax for quotienting wrt an equivalence relation
changed from A/r to A//r;

* ZF: new treatment of arithmetic (nat & int) may break some old
proofs;

* Isar: renamed some attributes (RS -> THEN, simplify -> simplified,
rulify -> rule_format, elimify -> elim_format, ...);

* Isar/Provers: intro/elim/dest attributes changed; renamed
intro/intro!/intro!! flags to intro!/intro/intro? (in most cases, one
should have to change intro!! to intro? only); replaced "delrule" by
"rule del";

* Isar/HOL: renamed "intrs" to "intros" in inductive definitions;

* Provers: strengthened force_tac by using new first_best_tac;

* LaTeX document preparation: several changes of isabelle.sty (see
lib/texinputs);


*** Document preparation ***

* formal comments (text blocks etc.) in new-style theories may now
contain antiquotations of thm/prop/term/typ/text to be presented
according to latex print mode; concrete syntax is like this:
@{term[show_types] "f(x) = a + x"};

* isatool mkdir provides easy setup of Isabelle session directories,
including proper document sources;

* generated LaTeX sources are now deleted after successful run
(isatool document -c); may retain a copy somewhere else via -D option
of isatool usedir;

* isatool usedir -D now lets isatool latex -o sty update the Isabelle
style files, achieving self-contained LaTeX sources and simplifying
LaTeX debugging;

* old-style theories now produce (crude) LaTeX output as well;

* browser info session directories are now self-contained (may be put
on WWW server seperately); improved graphs of nested sessions; removed
graph for 'all sessions';

* several improvements in isabelle style files; \isabellestyle{it}
produces fake math mode output; \isamarkupheader is now \section by
default; see lib/texinputs/isabelle.sty etc.;


*** Isar ***

* Isar/Pure: local results and corresponding term bindings are now
subject to Hindley-Milner polymorphism (similar to ML); this
accommodates incremental type-inference very nicely;

* Isar/Pure: new derived language element 'obtain' supports
generalized existence reasoning;

* Isar/Pure: new calculational elements 'moreover' and 'ultimately'
support accumulation of results, without applying any rules yet;
useful to collect intermediate results without explicit name
references, and for use with transitivity rules with more than 2
premises;

* Isar/Pure: scalable support for case-analysis type proofs: new
'case' language element refers to local contexts symbolically, as
produced by certain proof methods; internally, case names are attached
to theorems as "tags";

* Isar/Pure: theory command 'hide' removes declarations from
class/type/const name spaces;

* Isar/Pure: theory command 'defs' supports option "(overloaded)" to
indicate potential overloading;

* Isar/Pure: changed syntax of local blocks from {{ }} to { };

* Isar/Pure: syntax of sorts made 'inner', i.e. have to write
"{a,b,c}" instead of {a,b,c};

* Isar/Pure now provides its own version of intro/elim/dest
attributes; useful for building new logics, but beware of confusion
with the version in Provers/classical;

* Isar/Pure: the local context of (non-atomic) goals is provided via
case name 'antecedent';

* Isar/Pure: removed obsolete 'transfer' attribute (transfer of thms
to the current context is now done automatically);

* Isar/Pure: theory command 'method_setup' provides a simple interface
for definining proof methods in ML;

* Isar/Provers: intro/elim/dest attributes changed; renamed
intro/intro!/intro!! flags to intro!/intro/intro? (INCOMPATIBILITY, in
most cases, one should have to change intro!! to intro? only);
replaced "delrule" by "rule del";

* Isar/Provers: new 'hypsubst' method, plain 'subst' method and
'symmetric' attribute (the latter supercedes [RS sym]);

* Isar/Provers: splitter support (via 'split' attribute and 'simp'
method modifier); 'simp' method: 'only:' modifier removes loopers as
well (including splits);

* Isar/Provers: Simplifier and Classical methods now support all kind
of modifiers used in the past, including 'cong', 'iff', etc.

* Isar/Provers: added 'fastsimp' and 'clarsimp' methods (combination
of Simplifier and Classical reasoner);

* Isar/HOL: new proof method 'cases' and improved version of 'induct'
now support named cases; major packages (inductive, datatype, primrec,
recdef) support case names and properly name parameters;

* Isar/HOL: new transitivity rules for substitution in inequalities --
monotonicity conditions are extracted to be proven at end of
calculations;

* Isar/HOL: removed 'case_split' thm binding, should use 'cases' proof
method anyway;

* Isar/HOL: removed old expand_if = split_if; theorems if_splits =
split_if split_if_asm; datatype package provides theorems foo.splits =
foo.split foo.split_asm for each datatype;

* Isar/HOL: tuned inductive package, rename "intrs" to "intros"
(potential INCOMPATIBILITY), emulation of mk_cases feature for proof
scripts: new 'inductive_cases' command and 'ind_cases' method; (Note:
use "(cases (simplified))" method in proper proof texts);

* Isar/HOL: added global 'arith_split' attribute for 'arith' method;

* Isar: names of theorems etc. may be natural numbers as well;

* Isar: 'pr' command: optional arguments for goals_limit and
ProofContext.prems_limit; no longer prints theory contexts, but only
proof states;

* Isar: diagnostic commands 'pr', 'thm', 'prop', 'term', 'typ' admit
additional print modes to be specified; e.g. "pr(latex)" will print
proof state according to the Isabelle LaTeX style;

* Isar: improved support for emulating tactic scripts, including proof
methods 'rule_tac' etc., 'cut_tac', 'thin_tac', 'subgoal_tac',
'rename_tac', 'rotate_tac', 'tactic', and 'case_tac' / 'induct_tac'
(for HOL datatypes);

* Isar: simplified (more robust) goal selection of proof methods: 1st
goal, all goals, or explicit goal specifier (tactic emulation); thus
'proof method scripts' have to be in depth-first order;

* Isar: tuned 'let' syntax: replaced 'as' keyword by 'and';

* Isar: removed 'help' command, which hasn't been too helpful anyway;
should instead use individual commands for printing items
(print_commands, print_methods etc.);

* Isar: added 'nothing' --- the empty list of theorems;


*** HOL ***

* HOL/MicroJava: formalization of a fragment of Java, together with a
corresponding virtual machine and a specification of its bytecode
verifier and a lightweight bytecode verifier, including proofs of
type-safety; by Gerwin Klein, Tobias Nipkow, David von Oheimb, and
Cornelia Pusch (see also the homepage of project Bali at
http://isabelle.in.tum.de/Bali/);

* HOL/Algebra: new theory of rings and univariate polynomials, by
Clemens Ballarin;

* HOL/NumberTheory: fundamental Theorem of Arithmetic, Chinese
Remainder Theorem, Fermat/Euler Theorem, Wilson's Theorem, by Thomas M
Rasmussen;

* HOL/Lattice: fundamental concepts of lattice theory and order
structures, including duals, properties of bounds versus algebraic
laws, lattice operations versus set-theoretic ones, the Knaster-Tarski
Theorem for complete lattices etc.; may also serve as a demonstration
for abstract algebraic reasoning using axiomatic type classes, and
mathematics-style proof in Isabelle/Isar; by Markus Wenzel;

* HOL/Prolog: a (bare-bones) implementation of Lambda-Prolog, by David
von Oheimb;

* HOL/IMPP: extension of IMP with local variables and mutually
recursive procedures, by David von Oheimb;

* HOL/Lambda: converted into new-style theory and document;

* HOL/ex/Multiquote: example of multiple nested quotations and
anti-quotations -- basically a generalized version of de-Bruijn
representation; very useful in avoiding lifting of operations;

* HOL/record: added general record equality rule to simpset; fixed
select-update simplification procedure to handle extended records as
well; admit "r" as field name;

* HOL: 0 is now overloaded over the new sort "zero", allowing its use with
other numeric types and also as the identity of groups, rings, etc.;

* HOL: new axclass plus_ac0 for addition with the AC-laws and 0 as identity.
Types nat and int belong to this axclass;

* HOL: greatly improved simplification involving numerals of type nat, int, real:
   (i + #8 + j) = Suc k simplifies to  #7 + (i + j) = k
   i*j + k + j*#3*i     simplifies to  #4*(i*j) + k
  two terms #m*u and #n*u are replaced by #(m+n)*u
    (where #m, #n and u can implicitly be 1; this is simproc combine_numerals)
  and the term/formula #m*u+x ~~ #n*u+y simplifies simplifies to #(m-n)+x ~~ y
    or x ~~ #(n-m)+y, where ~~ is one of = < <= or - (simproc cancel_numerals);

* HOL: meson_tac is available (previously in ex/meson.ML); it is a
powerful prover for predicate logic but knows nothing of clasets; see
ex/mesontest.ML and ex/mesontest2.ML for example applications;

* HOL: new version of "case_tac" subsumes both boolean case split and
"exhaust_tac" on datatypes; INCOMPATIBILITY: exhaust_tac no longer
exists, may define val exhaust_tac = case_tac for ad-hoc portability;

* HOL: simplification no longer dives into case-expressions: only the
selector expression is simplified, but not the remaining arms; to
enable full simplification of case-expressions for datatype t, you may
remove t.weak_case_cong from the simpset, either globally (Delcongs
[thm"t.weak_case_cong"];) or locally (delcongs [...]).

* HOL/recdef: the recursion equations generated by 'recdef' for
function 'f' are now called f.simps instead of f.rules; if all
termination conditions are proved automatically, these simplification
rules are added to the simpset, as in primrec; rules may be named
individually as well, resulting in a separate list of theorems for
each equation;

* HOL/While is a new theory that provides a while-combinator. It
permits the definition of tail-recursive functions without the
provision of a termination measure. The latter is necessary once the
invariant proof rule for while is applied.

* HOL: new (overloaded) notation for the set of elements below/above
some element: {..u}, {..u(}, {l..}, {)l..}. See theory SetInterval.

* HOL: theorems impI, allI, ballI bound as "strip";

* HOL: new tactic induct_thm_tac: thm -> string -> int -> tactic
induct_tac th "x1 ... xn" expects th to have a conclusion of the form
P v1 ... vn and abbreviates res_inst_tac [("v1","x1"),...,("vn","xn")] th;

* HOL/Real: "rabs" replaced by overloaded "abs" function;

* HOL: theory Sexp now in HOL/Induct examples (it used to be part of
main HOL, but was unused);

* HOL: fewer consts declared as global (e.g. have to refer to
"Lfp.lfp" instead of "lfp" internally; affects ML packages only);

* HOL: tuned AST representation of nested pairs, avoiding bogus output
in case of overlap with user translations (e.g. judgements over
tuples); (note that the underlying logical represenation is still
bogus);


*** ZF ***

* ZF: simplification automatically cancels common terms in arithmetic
expressions over nat and int;

* ZF: new treatment of nat to minimize type-checking: all operators
coerce their operands to a natural number using the function natify,
making the algebraic laws unconditional;

* ZF: as above, for int: operators coerce their operands to an integer
using the function intify;

* ZF: the integer library now contains many of the usual laws for the
orderings, including $<=, and monotonicity laws for $+ and $*;

* ZF: new example ZF/ex/NatSum to demonstrate integer arithmetic
simplification;

* FOL and ZF: AddIffs now available, giving theorems of the form P<->Q
to the simplifier and classical reasoner simultaneously;


*** General ***

* Provers: blast_tac now handles actual object-logic rules as
assumptions; note that auto_tac uses blast_tac internally as well;

* Provers: new functions rulify/rulify_no_asm: thm -> thm for turning
outer -->/All/Ball into ==>/!!; qed_spec_mp now uses rulify_no_asm;

* Provers: delrules now handles destruct rules as well (no longer need
explicit make_elim);

* Provers: Blast_tac now warns of and ignores "weak elimination rules" e.g.
  [| inj ?f;          ?f ?x = ?f ?y; ?x = ?y ==> ?W |] ==> ?W
use instead the strong form,
  [| inj ?f; ~ ?W ==> ?f ?x = ?f ?y; ?x = ?y ==> ?W |] ==> ?W
in HOL, FOL and ZF the function cla_make_elim will create such rules
from destruct-rules;

* Provers: Simplifier.easy_setup provides a fast path to basic
Simplifier setup for new object-logics;

* Pure: AST translation rules no longer require constant head on LHS;

* Pure: improved name spaces: ambiguous output is qualified; support
for hiding of names;

* system: smart setup of canonical ML_HOME, ISABELLE_INTERFACE, and
XSYMBOL_HOME; no longer need to do manual configuration in most
situations;

* system: compression of ML heaps images may now be controlled via -c
option of isabelle and isatool usedir (currently only observed by
Poly/ML);

* system: isatool installfonts may handle X-Symbol fonts as well (very
useful for remote X11);

* system: provide TAGS file for Isabelle sources;

* ML: infix 'OF' is a version of 'MRS' with more appropriate argument
order;

* ML: renamed flags Syntax.trace_norm_ast to Syntax.trace_ast; global
timing flag supersedes proof_timing and Toplevel.trace;

* ML: new combinators |>> and |>>> for incremental transformations
with secondary results (e.g. certain theory extensions):

* ML: PureThy.add_defs gets additional argument to indicate potential
overloading (usually false);

* ML: PureThy.add_thms/add_axioms/add_defs now return theorems as
results;


New in Isabelle99 (October 1999)
--------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* HOL: The THEN and ELSE parts of conditional expressions (if P then x else y)
are no longer simplified.  (This allows the simplifier to unfold recursive
functional programs.)  To restore the old behaviour, declare

    Delcongs [if_weak_cong];

* HOL: Removed the obsolete syntax "Compl A"; use -A for set
complement;

* HOL: the predicate "inj" is now defined by translation to "inj_on";

* HOL/datatype: mutual_induct_tac no longer exists --
  use induct_tac "x_1 ... x_n" instead of mutual_induct_tac ["x_1", ..., "x_n"]

* HOL/typedef: fixed type inference for representing set; type
arguments now have to occur explicitly on the rhs as type constraints;

* ZF: The con_defs part of an inductive definition may no longer refer
to constants declared in the same theory;

* HOL, ZF: the function mk_cases, generated by the inductive
definition package, has lost an argument.  To simplify its result, it
uses the default simpset instead of a supplied list of theorems.

* HOL/List: the constructors of type list are now Nil and Cons;

* Simplifier: the type of the infix ML functions
        setSSolver addSSolver setSolver addSolver
is now  simpset * solver -> simpset  where `solver' is a new abstract type
for packaging solvers. A solver is created via
        mk_solver: string -> (thm list -> int -> tactic) -> solver
where the string argument is only a comment.


*** Proof tools ***

* Provers/Arith/fast_lin_arith.ML contains a functor for creating a
decision procedure for linear arithmetic. Currently it is used for
types `nat', `int', and `real' in HOL (see below); it can, should and
will be instantiated for other types and logics as well.

* The simplifier now accepts rewrite rules with flexible heads, eg
     hom ?f ==> ?f(?x+?y) = ?f ?x + ?f ?y
  They are applied like any rule with a non-pattern lhs, i.e. by first-order
  matching.


*** General ***

* New Isabelle/Isar subsystem provides an alternative to traditional
tactical theorem proving; together with the ProofGeneral/isar user
interface it offers an interactive environment for developing human
readable proof documents (Isar == Intelligible semi-automated
reasoning); for further information see isatool doc isar-ref,
src/HOL/Isar_examples and http://isabelle.in.tum.de/Isar/

* improved and simplified presentation of theories: better HTML markup
(including colors), graph views in several sizes; isatool usedir now
provides a proper interface for user theories (via -P option); actual
document preparation based on (PDF)LaTeX is available as well (for
new-style theories only); see isatool doc system for more information;

* native support for Proof General, both for classic Isabelle and
Isabelle/Isar;

* ML function thm_deps visualizes dependencies of theorems and lemmas,
using the graph browser tool;

* Isabelle manuals now also available as PDF;

* theory loader rewritten from scratch (may not be fully
bug-compatible); old loadpath variable has been replaced by show_path,
add_path, del_path, reset_path functions; new operations such as
update_thy, touch_thy, remove_thy, use/update_thy_only (see also
isatool doc ref);

* improved isatool install: option -k creates KDE application icon,
option -p DIR installs standalone binaries;

* added ML_PLATFORM setting (useful for cross-platform installations);
more robust handling of platform specific ML images for SML/NJ;

* the settings environment is now statically scoped, i.e. it is never
created again in sub-processes invoked from isabelle, isatool, or
Isabelle;

* path element specification '~~' refers to '$ISABELLE_HOME';

* in locales, the "assumes" and "defines" parts may be omitted if
empty;

* new print_mode "xsymbols" for extended symbol support (e.g. genuine
long arrows);

* new print_mode "HTML";

* new flag show_tags controls display of tags of theorems (which are
basically just comments that may be attached by some tools);

* Isamode 2.6 requires patch to accomodate change of Isabelle font
mode and goal output format:

diff -r Isamode-2.6/elisp/isa-load.el Isamode/elisp/isa-load.el
244c244
<       (list (isa-getenv "ISABELLE") "-msymbols" logic-name)
---
>       (list (isa-getenv "ISABELLE") "-misabelle_font" "-msymbols" logic-name)
diff -r Isabelle-2.6/elisp/isa-proofstate.el Isamode/elisp/isa-proofstate.el
181c181
< (defconst proofstate-proofstart-regexp "^Level [0-9]+$"
---
> (defconst proofstate-proofstart-regexp "^Level [0-9]+"

* function bind_thms stores lists of theorems (cf. bind_thm);

* new shorthand tactics ftac, eatac, datac, fatac;

* qed (and friends) now accept "" as result name; in that case the
theorem is not stored, but proper checks and presentation of the
result still apply;

* theorem database now also indexes constants "Trueprop", "all",
"==>", "=="; thus thms_containing, findI etc. may retrieve more rules;


*** HOL ***

** HOL arithmetic **

* There are now decision procedures for linear arithmetic over nat and
int:

1. arith_tac copes with arbitrary formulae involving `=', `<', `<=',
`+', `-', `Suc', `min', `max' and numerical constants; other subterms
are treated as atomic; subformulae not involving type `nat' or `int'
are ignored; quantified subformulae are ignored unless they are
positive universal or negative existential. The tactic has to be
invoked by hand and can be a little bit slow. In particular, the
running time is exponential in the number of occurrences of `min' and
`max', and `-' on `nat'.

2. fast_arith_tac is a cut-down version of arith_tac: it only takes
(negated) (in)equalities among the premises and the conclusion into
account (i.e. no compound formulae) and does not know about `min' and
`max', and `-' on `nat'. It is fast and is used automatically by the
simplifier.

NB: At the moment, these decision procedures do not cope with mixed
nat/int formulae where the two parts interact, such as `m < n ==>
int(m) < int(n)'.

* HOL/Numeral provides a generic theory of numerals (encoded
efficiently as bit strings); setup for types nat/int/real is in place;
INCOMPATIBILITY: since numeral syntax is now polymorphic, rather than
int, existing theories and proof scripts may require a few additional
type constraints;

* integer division and remainder can now be performed on constant
arguments;

* many properties of integer multiplication, division and remainder
are now available;

* An interface to the Stanford Validity Checker (SVC) is available through the
tactic svc_tac.  Propositional tautologies and theorems of linear arithmetic
are proved automatically.  SVC must be installed separately, and its results
must be TAKEN ON TRUST (Isabelle does not check the proofs, but tags any
invocation of the underlying oracle).  For SVC see
  http://verify.stanford.edu/SVC

* IsaMakefile: the HOL-Real target now builds an actual image;


** HOL misc **

* HOL/Real/HahnBanach: the Hahn-Banach theorem for real vector spaces
(in Isabelle/Isar) -- by Gertrud Bauer;

* HOL/BCV: generic model of bytecode verification, i.e. data-flow
analysis for assembly languages with subtypes;

* HOL/TLA (Lamport's Temporal Logic of Actions): major reorganization
-- avoids syntactic ambiguities and treats state, transition, and
temporal levels more uniformly; introduces INCOMPATIBILITIES due to
changed syntax and (many) tactics;

* HOL/inductive: Now also handles more general introduction rules such
  as "ALL y. (y, x) : r --> y : acc r ==> x : acc r"; monotonicity
  theorems are now maintained within the theory (maintained via the
  "mono" attribute);

* HOL/datatype: Now also handles arbitrarily branching datatypes
  (using function types) such as

  datatype 'a tree = Atom 'a | Branch "nat => 'a tree"

* HOL/record: record_simproc (part of the default simpset) takes care
of selectors applied to updated records; record_split_tac is no longer
part of the default claset; update_defs may now be removed from the
simpset in many cases; COMPATIBILITY: old behavior achieved by

  claset_ref () := claset() addSWrapper record_split_wrapper;
  Delsimprocs [record_simproc]

* HOL/typedef: fixed type inference for representing set; type
arguments now have to occur explicitly on the rhs as type constraints;

* HOL/recdef (TFL): 'congs' syntax now expects comma separated list of theorem
names rather than an ML expression;

* HOL/defer_recdef (TFL): like recdef but the well-founded relation can be
supplied later.  Program schemes can be defined, such as
    "While B C s = (if B s then While B C (C s) else s)"
where the well-founded relation can be chosen after B and C have been given.

* HOL/List: the constructors of type list are now Nil and Cons;
INCOMPATIBILITY: while [] and infix # syntax is still there, of
course, ML tools referring to List.list.op # etc. have to be adapted;

* HOL_quantifiers flag superseded by "HOL" print mode, which is
disabled by default; run isabelle with option -m HOL to get back to
the original Gordon/HOL-style output;

* HOL/Ord.thy: new bounded quantifier syntax (input only): ALL x<y. P,
ALL x<=y. P, EX x<y. P, EX x<=y. P;

* HOL basic syntax simplified (more orthogonal): all variants of
All/Ex now support plain / symbolic / HOL notation; plain syntax for
Eps operator is provided as well: "SOME x. P[x]";

* HOL/Sum.thy: sum_case has been moved to HOL/Datatype;

* HOL/Univ.thy: infix syntax <*>, <+>, <**>, <+> eliminated and made
thus available for user theories;

* HOLCF/IOA/Sequents: renamed 'Cons' to 'Consq' to avoid clash with
HOL/List; hardly an INCOMPATIBILITY since '>>' syntax is used all the
time;

* HOL: new tactic smp_tac: int -> int -> tactic, which applies spec
several times and then mp;


*** LK ***

* the notation <<...>> is now available as a notation for sequences of
formulas;

* the simplifier is now installed

* the axiom system has been generalized (thanks to Soren Heilmann)

* the classical reasoner now has a default rule database


*** ZF ***

* new primrec section allows primitive recursive functions to be given
directly (as in HOL) over datatypes and the natural numbers;

* new tactics induct_tac and exhaust_tac for induction (or case
analysis) over datatypes and the natural numbers;

* the datatype declaration of type T now defines the recursor T_rec;

* simplification automatically does freeness reasoning for datatype
constructors;

* automatic type-inference, with AddTCs command to insert new
type-checking rules;

* datatype introduction rules are now added as Safe Introduction rules
to the claset;

* the syntax "if P then x else y" is now available in addition to
if(P,x,y);


*** Internal programming interfaces ***

* tuned simplifier trace output; new flag debug_simp;

* structures Vartab / Termtab (instances of TableFun) offer efficient
tables indexed by indexname_ord / term_ord (compatible with aconv);

* AxClass.axclass_tac lost the theory argument;

* tuned current_goals_markers semantics: begin / end goal avoids
printing empty lines;

* removed prs and prs_fn hook, which was broken because it did not
include \n in its semantics, forcing writeln to add one
uncoditionally; replaced prs_fn by writeln_fn; consider std_output:
string -> unit if you really want to output text without newline;

* Symbol.output subject to print mode; INCOMPATIBILITY: defaults to
plain output, interface builders may have to enable 'isabelle_font'
mode to get Isabelle font glyphs as before;

* refined token_translation interface; INCOMPATIBILITY: output length
now of type real instead of int;

* theory loader actions may be traced via new ThyInfo.add_hook
interface (see src/Pure/Thy/thy_info.ML); example application: keep
your own database of information attached to *whole* theories -- as
opposed to intra-theory data slots offered via TheoryDataFun;

* proper handling of dangling sort hypotheses (at last!);
Thm.strip_shyps and Drule.strip_shyps_warning take care of removing
extra sort hypotheses that can be witnessed from the type signature;
the force_strip_shyps flag is gone, any remaining shyps are simply
left in the theorem (with a warning issued by strip_shyps_warning);


New in Isabelle98-1 (October 1998)
----------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* several changes of automated proof tools;

* HOL: major changes to the inductive and datatype packages, including
some minor incompatibilities of theory syntax;

* HOL: renamed r^-1 to 'converse' from 'inverse'; 'inj_onto' is now
called `inj_on';

* HOL: removed duplicate thms in Arith:
  less_imp_add_less  should be replaced by  trans_less_add1
  le_imp_add_le      should be replaced by  trans_le_add1

* HOL: unary minus is now overloaded (new type constraints may be
required);

* HOL and ZF: unary minus for integers is now #- instead of #~.  In
ZF, expressions such as n#-1 must be changed to n#- 1, since #-1 is
now taken as an integer constant.

* Pure: ML function 'theory_of' renamed to 'theory';


*** Proof tools ***

* Simplifier:
  1. Asm_full_simp_tac is now more aggressive.
     1. It will sometimes reorient premises if that increases their power to
        simplify.
     2. It does no longer proceed strictly from left to right but may also
        rotate premises to achieve further simplification.
     For compatibility reasons there is now Asm_lr_simp_tac which is like the
     old Asm_full_simp_tac in that it does not rotate premises.
  2. The simplifier now knows a little bit about nat-arithmetic.

* Classical reasoner: wrapper mechanism for the classical reasoner now
allows for selected deletion of wrappers, by introduction of names for
wrapper functionals.  This implies that addbefore, addSbefore,
addaltern, and addSaltern now take a pair (name, tactic) as argument,
and that adding two tactics with the same name overwrites the first
one (emitting a warning).
  type wrapper = (int -> tactic) -> (int -> tactic)
  setWrapper, setSWrapper, compWrapper and compSWrapper are replaced by
  addWrapper, addSWrapper: claset * (string * wrapper) -> claset
  delWrapper, delSWrapper: claset *  string            -> claset
  getWrapper is renamed to appWrappers, getSWrapper to appSWrappers;

* Classical reasoner: addbefore/addSbefore now have APPEND/ORELSE
semantics; addbefore now affects only the unsafe part of step_tac
etc.; this affects addss/auto_tac/force_tac, so EXISTING PROOFS MAY
FAIL, but proofs should be fixable easily, e.g. by replacing Auto_tac
by Force_tac;

* Classical reasoner: setwrapper to setWrapper and compwrapper to
compWrapper; added safe wrapper (and access functions for it);

* HOL/split_all_tac is now much faster and fails if there is nothing
to split.  Some EXISTING PROOFS MAY REQUIRE ADAPTION because the order
and the names of the automatically generated variables have changed.
split_all_tac has moved within claset() from unsafe wrappers to safe
wrappers, which means that !!-bound variables are split much more
aggressively, and safe_tac and clarify_tac now split such variables.
If this splitting is not appropriate, use delSWrapper "split_all_tac".
Note: the same holds for record_split_tac, which does the job of
split_all_tac for record fields.

* HOL/Simplifier: Rewrite rules for case distinctions can now be added
permanently to the default simpset using Addsplits just like
Addsimps. They can be removed via Delsplits just like
Delsimps. Lower-case versions are also available.

* HOL/Simplifier: The rule split_if is now part of the default
simpset. This means that the simplifier will eliminate all occurrences
of if-then-else in the conclusion of a goal. To prevent this, you can
either remove split_if completely from the default simpset by
`Delsplits [split_if]' or remove it in a specific call of the
simplifier using `... delsplits [split_if]'.  You can also add/delete
other case splitting rules to/from the default simpset: every datatype
generates suitable rules `split_t_case' and `split_t_case_asm' (where
t is the name of the datatype).

* Classical reasoner / Simplifier combination: new force_tac (and
derivatives Force_tac, force) combines rewriting and classical
reasoning (and whatever other tools) similarly to auto_tac, but is
aimed to solve the given subgoal completely.


*** General ***

* new top-level commands `Goal' and `Goalw' that improve upon `goal'
and `goalw': the theory is no longer needed as an explicit argument -
the current theory context is used; assumptions are no longer returned
at the ML-level unless one of them starts with ==> or !!; it is
recommended to convert to these new commands using isatool fixgoal
(backup your sources first!);

* new top-level commands 'thm' and 'thms' for retrieving theorems from
the current theory context, and 'theory' to lookup stored theories;

* new theory section 'locale' for declaring constants, assumptions and
definitions that have local scope;

* new theory section 'nonterminals' for purely syntactic types;

* new theory section 'setup' for generic ML setup functions
(e.g. package initialization);

* the distribution now includes Isabelle icons: see
lib/logo/isabelle-{small,tiny}.xpm;

* isatool install - install binaries with absolute references to
ISABELLE_HOME/bin;

* isatool logo -- create instances of the Isabelle logo (as EPS);

* print mode 'emacs' reserved for Isamode;

* support multiple print (ast) translations per constant name;

* theorems involving oracles are now printed with a suffixed [!];


*** HOL ***

* there is now a tutorial on Isabelle/HOL (do 'isatool doc tutorial');

* HOL/inductive package reorganized and improved: now supports mutual
definitions such as

  inductive EVEN ODD
    intrs
      null "0 : EVEN"
      oddI "n : EVEN ==> Suc n : ODD"
      evenI "n : ODD ==> Suc n : EVEN"

new theorem list "elims" contains an elimination rule for each of the
recursive sets; inductive definitions now handle disjunctive premises
correctly (also ZF);

INCOMPATIBILITIES: requires Inductive as an ancestor; component
"mutual_induct" no longer exists - the induction rule is always
contained in "induct";


* HOL/datatype package re-implemented and greatly improved: now
supports mutually recursive datatypes such as

  datatype
    'a aexp = IF_THEN_ELSE ('a bexp) ('a aexp) ('a aexp)
            | SUM ('a aexp) ('a aexp)
            | DIFF ('a aexp) ('a aexp)
            | NUM 'a
  and
    'a bexp = LESS ('a aexp) ('a aexp)
            | AND ('a bexp) ('a bexp)
            | OR ('a bexp) ('a bexp)

as well as indirectly recursive datatypes such as

  datatype
    ('a, 'b) term = Var 'a
                  | App 'b ((('a, 'b) term) list)

The new tactic  mutual_induct_tac [<var_1>, ..., <var_n>] i  performs
induction on mutually / indirectly recursive datatypes.

Primrec equations are now stored in theory and can be accessed via
<function_name>.simps.

INCOMPATIBILITIES:

  - Theories using datatypes must now have theory Datatype as an
    ancestor.
  - The specific <typename>.induct_tac no longer exists - use the
    generic induct_tac instead.
  - natE has been renamed to nat.exhaust - use exhaust_tac
    instead of res_inst_tac ... natE. Note that the variable
    names in nat.exhaust differ from the names in natE, this
    may cause some "fragile" proofs to fail.
  - The theorems split_<typename>_case and split_<typename>_case_asm
    have been renamed to <typename>.split and <typename>.split_asm.
  - Since default sorts of type variables are now handled correctly,
    some datatype definitions may have to be annotated with explicit
    sort constraints.
  - Primrec definitions no longer require function name and type
    of recursive argument.

Consider using isatool fixdatatype to adapt your theories and proof
scripts to the new package (backup your sources first!).


* HOL/record package: considerably improved implementation; now
includes concrete syntax for record types, terms, updates; theorems
for surjective pairing and splitting !!-bound record variables; proof
support is as follows:

  1) standard conversions (selectors or updates applied to record
constructor terms) are part of the standard simpset;

  2) inject equations of the form ((x, y) = (x', y')) == x=x' & y=y' are
made part of standard simpset and claset via addIffs;

  3) a tactic for record field splitting (record_split_tac) is part of
the standard claset (addSWrapper);

To get a better idea about these rules you may retrieve them via
something like 'thms "foo.simps"' or 'thms "foo.iffs"', where "foo" is
the name of your record type.

The split tactic 3) conceptually simplifies by the following rule:

  "(!!x. PROP ?P x) == (!!a b. PROP ?P (a, b))"

Thus any record variable that is bound by meta-all will automatically
blow up into some record constructor term, consequently the
simplifications of 1), 2) apply.  Thus force_tac, auto_tac etc. shall
solve record problems automatically.


* reorganized the main HOL image: HOL/Integ and String loaded by
default; theory Main includes everything;

* automatic simplification of integer sums and comparisons, using cancellation;

* added option_map_eq_Some and not_Some_eq to the default simpset and claset;

* added disj_not1 = "(~P | Q) = (P --> Q)" to the default simpset;

* many new identities for unions, intersections, set difference, etc.;

* expand_if, expand_split, expand_sum_case and expand_nat_case are now
called split_if, split_split, split_sum_case and split_nat_case (to go
with add/delsplits);

* HOL/Prod introduces simplification procedure unit_eq_proc rewriting
(?x::unit) = (); this is made part of the default simpset, which COULD
MAKE EXISTING PROOFS FAIL under rare circumstances (consider
'Delsimprocs [unit_eq_proc];' as last resort); also note that
unit_abs_eta_conv is added in order to counter the effect of
unit_eq_proc on (%u::unit. f u), replacing it by f rather than by
%u.f();

* HOL/Fun INCOMPATIBILITY: `inj_onto' is now called `inj_on' (which
makes more sense);

* HOL/Set INCOMPATIBILITY: rule `equals0D' is now a well-formed destruct rule;
  It and 'sym RS equals0D' are now in the default  claset, giving automatic
  disjointness reasoning but breaking a few old proofs.

* HOL/Relation INCOMPATIBILITY: renamed the relational operator r^-1
to 'converse' from 'inverse' (for compatibility with ZF and some
literature);

* HOL/recdef can now declare non-recursive functions, with {} supplied as
the well-founded relation;

* HOL/Set INCOMPATIBILITY: the complement of set A is now written -A instead of
    Compl A.  The "Compl" syntax remains available as input syntax for this
    release ONLY.

* HOL/Update: new theory of function updates:
    f(a:=b) == %x. if x=a then b else f x
may also be iterated as in f(a:=b,c:=d,...);

* HOL/Vimage: new theory for inverse image of a function, syntax f-``B;

* HOL/List:
  - new function list_update written xs[i:=v] that updates the i-th
    list position. May also be iterated as in xs[i:=a,j:=b,...].
  - new function `upt' written [i..j(] which generates the list
    [i,i+1,...,j-1], i.e. the upper bound is excluded. To include the upper
    bound write [i..j], which is a shorthand for [i..j+1(].
  - new lexicographic orderings and corresponding wellfoundedness theorems.

* HOL/Arith:
  - removed 'pred' (predecessor) function;
  - generalized some theorems about n-1;
  - many new laws about "div" and "mod";
  - new laws about greatest common divisors (see theory ex/Primes);

* HOL/Relation: renamed the relational operator r^-1 "converse"
instead of "inverse";

* HOL/Induct/Multiset: a theory of multisets, including the wellfoundedness
  of the multiset ordering;

* directory HOL/Real: a construction of the reals using Dedekind cuts
  (not included by default);

* directory HOL/UNITY: Chandy and Misra's UNITY formalism;

* directory HOL/Hoare: a new version of Hoare logic which permits many-sorted
  programs, i.e. different program variables may have different types.

* calling (stac rew i) now fails if "rew" has no effect on the goal
  [previously, this check worked only if the rewrite rule was unconditional]
  Now rew can involve either definitions or equalities (either == or =).


*** ZF ***

* theory Main includes everything; INCOMPATIBILITY: theory ZF.thy contains
  only the theorems proved on ZF.ML;

* ZF INCOMPATIBILITY: rule `equals0D' is now a well-formed destruct rule;
  It and 'sym RS equals0D' are now in the default  claset, giving automatic
  disjointness reasoning but breaking a few old proofs.

* ZF/Update: new theory of function updates
    with default rewrite rule  f(x:=y) ` z = if(z=x, y, f`z)
  may also be iterated as in f(a:=b,c:=d,...);

* in  let x=t in u(x), neither t nor u(x) has to be an FOL term.

* calling (stac rew i) now fails if "rew" has no effect on the goal
  [previously, this check worked only if the rewrite rule was unconditional]
  Now rew can involve either definitions or equalities (either == or =).

* case_tac provided for compatibility with HOL
    (like the old excluded_middle_tac, but with subgoals swapped)


*** Internal programming interfaces ***

* Pure: several new basic modules made available for general use, see
also src/Pure/README;

* improved the theory data mechanism to support encapsulation (data
kind name replaced by private Object.kind, acting as authorization
key); new type-safe user interface via functor TheoryDataFun; generic
print_data function becomes basically useless;

* removed global_names compatibility flag -- all theory declarations
are qualified by default;

* module Pure/Syntax now offers quote / antiquote translation
functions (useful for Hoare logic etc. with implicit dependencies);
see HOL/ex/Antiquote for an example use;

* Simplifier now offers conversions (asm_)(full_)rewrite: simpset ->
cterm -> thm;

* new tactical CHANGED_GOAL for checking that a tactic modifies a
subgoal;

* Display.print_goals function moved to Locale.print_goals;

* standard print function for goals supports current_goals_markers
variable for marking begin of proof, end of proof, start of goal; the
default is ("", "", ""); setting current_goals_markers := ("<proof>",
"</proof>", "<goal>") causes SGML like tagged proof state printing,
for example;


New in Isabelle98 (January 1998)
--------------------------------

*** Overview of INCOMPATIBILITIES (see below for more details) ***

* changed lexical syntax of terms / types: dots made part of long
identifiers, e.g. "%x.x" no longer possible, should be "%x. x";

* simpset (and claset) reference variable replaced by functions
simpset / simpset_ref;

* no longer supports theory aliases (via merge) and non-trivial
implicit merge of thms' signatures;

* most internal names of constants changed due to qualified names;

* changed Pure/Sequence interface (see Pure/seq.ML);


*** General Changes ***

* hierachically structured name spaces (for consts, types, axms, thms
etc.); new lexical class 'longid' (e.g. Foo.bar.x) may render much of
old input syntactically incorrect (e.g. "%x.x"); COMPATIBILITY:
isatool fixdots ensures space after dots (e.g. "%x. x"); set
long_names for fully qualified output names; NOTE: ML programs
(special tactics, packages etc.) referring to internal names may have
to be adapted to cope with fully qualified names; in case of severe
backward campatibility problems try setting 'global_names' at compile
time to have enrything declared within a flat name space; one may also
fine tune name declarations in theories via the 'global' and 'local'
section;

* reimplemented the implicit simpset and claset using the new anytype
data filed in signatures; references simpset:simpset ref etc. are
replaced by functions simpset:unit->simpset and
simpset_ref:unit->simpset ref; COMPATIBILITY: use isatool fixclasimp
to patch your ML files accordingly;

* HTML output now includes theory graph data for display with Java
applet or isatool browser; data generated automatically via isatool
usedir (see -i option, ISABELLE_USEDIR_OPTIONS);

* defs may now be conditional; improved rewrite_goals_tac to handle
conditional equations;

* defs now admits additional type arguments, using TYPE('a) syntax;

* theory aliases via merge (e.g. M=A+B+C) no longer supported, always
creates a new theory node; implicit merge of thms' signatures is
restricted to 'trivial' ones; COMPATIBILITY: one may have to use
transfer:theory->thm->thm in (rare) cases;

* improved handling of draft signatures / theories; draft thms (and
ctyps, cterms) are automatically promoted to real ones;

* slightly changed interfaces for oracles: admit many per theory, named
(e.g. oracle foo = mlfun), additional name argument for invoke_oracle;

* print_goals: optional output of const types (set show_consts and
show_types);

* improved output of warnings (###) and errors (***);

* subgoal_tac displays a warning if the new subgoal has type variables;

* removed old README and Makefiles;

* replaced print_goals_ref hook by print_current_goals_fn and result_error_fn;

* removed obsolete init_pps and init_database;

* deleted the obsolete tactical STATE, which was declared by
    fun STATE tacfun st = tacfun st st;

* cd and use now support path variables, e.g. $ISABELLE_HOME, or ~
(which abbreviates $HOME);

* changed Pure/Sequence interface (see Pure/seq.ML); COMPATIBILITY:
use isatool fixseq to adapt your ML programs (this works for fully
qualified references to the Sequence structure only!);

* use_thy no longer requires writable current directory; it always
reloads .ML *and* .thy file, if either one is out of date;


*** Classical Reasoner ***

* Clarify_tac, clarify_tac, clarify_step_tac, Clarify_step_tac: new
tactics that use classical reasoning to simplify a subgoal without
splitting it into several subgoals;

* Safe_tac: like safe_tac but uses the default claset;


*** Simplifier ***

* added simplification meta rules:
    (asm_)(full_)simplify: simpset -> thm -> thm;

* simplifier.ML no longer part of Pure -- has to be loaded by object
logics (again);

* added prems argument to simplification procedures;

* HOL, FOL, ZF: added infix function `addsplits':
  instead of `<simpset> setloop (split_tac <thms>)'
  you can simply write `<simpset> addsplits <thms>'


*** Syntax ***

* TYPE('a) syntax for type reflection terms;

* no longer handles consts with name "" -- declare as 'syntax' instead;

* pretty printer: changed order of mixfix annotation preference (again!);

* Pure: fixed idt/idts vs. pttrn/pttrns syntactic categories;


*** HOL ***

* HOL: there is a new splitter `split_asm_tac' that can be used e.g.
  with `addloop' of the simplifier to faciliate case splitting in premises.

* HOL/TLA: Stephan Merz's formalization of Lamport's Temporal Logic of Actions;

* HOL/Auth: new protocol proofs including some for the Internet
  protocol TLS;

* HOL/Map: new theory of `maps' a la VDM;

* HOL/simplifier: simplification procedures nat_cancel_sums for
cancelling out common nat summands from =, <, <= (in)equalities, or
differences; simplification procedures nat_cancel_factor for
cancelling common factor from =, <, <= (in)equalities over natural
sums; nat_cancel contains both kinds of procedures, it is installed by
default in Arith.thy -- this COULD MAKE EXISTING PROOFS FAIL;

* HOL/simplifier: terms of the form
  `? x. P1(x) & ... & Pn(x) & x=t & Q1(x) & ... Qn(x)'  (or t=x)
  are rewritten to
  `P1(t) & ... & Pn(t) & Q1(t) & ... Qn(t)',
  and those of the form
  `! x. P1(x) & ... & Pn(x) & x=t & Q1(x) & ... Qn(x) --> R(x)'  (or t=x)
  are rewritten to
  `P1(t) & ... & Pn(t) & Q1(t) & ... Qn(t) --> R(t)',

* HOL/datatype
  Each datatype `t' now comes with a theorem `split_t_case' of the form

  P(t_case f1 ... fn x) =
     ( (!y1 ... ym1. x = C1 y1 ... ym1 --> P(f1 y1 ... ym1)) &
        ...
       (!y1 ... ymn. x = Cn y1 ... ymn --> P(f1 y1 ... ymn))
     )

  and a theorem `split_t_case_asm' of the form

  P(t_case f1 ... fn x) =
    ~( (? y1 ... ym1. x = C1 y1 ... ym1 & ~P(f1 y1 ... ym1)) |
        ...
       (? y1 ... ymn. x = Cn y1 ... ymn & ~P(f1 y1 ... ymn))
     )
  which can be added to a simpset via `addsplits'. The existing theorems
  expand_list_case and expand_option_case have been renamed to
  split_list_case and split_option_case.

* HOL/Arithmetic:
  - `pred n' is automatically converted to `n-1'.
    Users are strongly encouraged not to use `pred' any longer,
    because it will disappear altogether at some point.
  - Users are strongly encouraged to write "0 < n" rather than
    "n ~= 0". Theorems and proof tools have been modified towards this
    `standard'.

* HOL/Lists:
  the function "set_of_list" has been renamed "set" (and its theorems too);
  the function "nth" now takes its arguments in the reverse order and
  has acquired the infix notation "!" as in "xs!n".

* HOL/Set: UNIV is now a constant and is no longer translated to Compl{};

* HOL/Set: The operator (UN x.B x) now abbreviates (UN x:UNIV. B x) and its
  specialist theorems (like UN1_I) are gone.  Similarly for (INT x.B x);

* HOL/record: extensible records with schematic structural subtyping
(single inheritance); EXPERIMENTAL version demonstrating the encoding,
still lacks various theorems and concrete record syntax;


*** HOLCF ***

* removed "axioms" and "generated by" sections;

* replaced "ops" section by extended "consts" section, which is capable of
  handling the continuous function space "->" directly;

* domain package:
  . proves theorems immediately and stores them in the theory,
  . creates hierachical name space,
  . now uses normal mixfix annotations (instead of cinfix...),
  . minor changes to some names and values (for consistency),
  . e.g. cases -> casedist, dists_eq -> dist_eqs, [take_lemma] -> take_lemmas,
  . separator between mutual domain defs: changed "," to "and",
  . improved handling of sort constraints;  now they have to
    appear on the left-hand side of the equations only;

* fixed LAM <x,y,zs>.b syntax;

* added extended adm_tac to simplifier in HOLCF -- can now discharge
adm (%x. P (t x)), where P is chainfinite and t continuous;


*** FOL and ZF ***

* FOL: there is a new splitter `split_asm_tac' that can be used e.g.
  with `addloop' of the simplifier to faciliate case splitting in premises.

* qed_spec_mp, qed_goal_spec_mp, qed_goalw_spec_mp are available, as
in HOL, they strip ALL and --> from proved theorems;


New in Isabelle94-8 (May 1997)
------------------------------

*** General Changes ***

* new utilities to build / run / maintain Isabelle etc. (in parts
still somewhat experimental); old Makefiles etc. still functional;

* new 'Isabelle System Manual';

* INSTALL text, together with ./configure and ./build scripts;

* reimplemented type inference for greater efficiency, better error
messages and clean internal interface;

* prlim command for dealing with lots of subgoals (an easier way of
setting goals_limit);


*** Syntax ***

* supports alternative (named) syntax tables (parser and pretty
printer); internal interface is provided by add_modesyntax(_i);

* Pure, FOL, ZF, HOL, HOLCF now support symbolic input and output; to
be used in conjunction with the Isabelle symbol font; uses the
"symbols" syntax table;

* added token_translation interface (may translate name tokens in
arbitrary ways, dependent on their type (free, bound, tfree, ...) and
the current print_mode); IMPORTANT: user print translation functions
are responsible for marking newly introduced bounds
(Syntax.mark_boundT);

* token translations for modes "xterm" and "xterm_color" that display
names in bold, underline etc. or colors (which requires a color
version of xterm);

* infixes may now be declared with names independent of their syntax;

* added typed_print_translation (like print_translation, but may
access type of constant);


*** Classical Reasoner ***

Blast_tac: a new tactic!  It is often more powerful than fast_tac, but has
some limitations.  Blast_tac...
  + ignores addss, addbefore, addafter; this restriction is intrinsic
  + ignores elimination rules that don't have the correct format
        (the conclusion MUST be a formula variable)
  + ignores types, which can make HOL proofs fail
  + rules must not require higher-order unification, e.g. apply_type in ZF
    [message "Function Var's argument not a bound variable" relates to this]
  + its proof strategy is more general but can actually be slower

* substitution with equality assumptions no longer permutes other
assumptions;

* minor changes in semantics of addafter (now called addaltern); renamed
setwrapper to setWrapper and compwrapper to compWrapper; added safe wrapper
(and access functions for it);

* improved combination of classical reasoner and simplifier:
  + functions for handling clasimpsets
  + improvement of addss: now the simplifier is called _after_ the
    safe steps.
  + safe variant of addss called addSss: uses safe simplifications
    _during_ the safe steps. It is more complete as it allows multiple
    instantiations of unknowns (e.g. with slow_tac).

*** Simplifier ***

* added interface for simplification procedures (functions that
produce *proven* rewrite rules on the fly, depending on current
redex);

* ordering on terms as parameter (used for ordered rewriting);

* new functions delcongs, deleqcongs, and Delcongs. richer rep_ss;

* the solver is now split into a safe and an unsafe part.
This should be invisible for the normal user, except that the
functions setsolver and addsolver have been renamed to setSolver and
addSolver; added safe_asm_full_simp_tac;


*** HOL ***

* a generic induction tactic `induct_tac' which works for all datatypes and
also for type `nat';

* a generic case distinction tactic `exhaust_tac' which works for all
datatypes and also for type `nat';

* each datatype comes with a function `size';

* patterns in case expressions allow tuple patterns as arguments to
constructors, for example `case x of [] => ... | (x,y,z)#ps => ...';

* primrec now also works with type nat;

* recdef: a new declaration form, allows general recursive functions to be
defined in theory files.  See HOL/ex/Fib, HOL/ex/Primes, HOL/Subst/Unify.

* the constant for negation has been renamed from "not" to "Not" to
harmonize with FOL, ZF, LK, etc.;

* HOL/ex/LFilter theory of a corecursive "filter" functional for
infinite lists;

* HOL/Modelcheck demonstrates invocation of model checker oracle;

* HOL/ex/Ring.thy declares cring_simp, which solves equational
problems in commutative rings, using axiomatic type classes for + and *;

* more examples in HOL/MiniML and HOL/Auth;

* more default rewrite rules for quantifiers, union/intersection;

* a new constant `arbitrary == @x.False';

* HOLCF/IOA replaces old HOL/IOA;

* HOLCF changes: derived all rules and arities
  + axiomatic type classes instead of classes
  + typedef instead of faking type definitions
  + eliminated the internal constants less_fun, less_cfun, UU_fun, UU_cfun etc.
  + new axclasses cpo, chfin, flat with flat < chfin < pcpo < cpo < po
  + eliminated the types void, one, tr
  + use unit lift and bool lift (with translations) instead of one and tr
  + eliminated blift from Lift3.thy (use Def instead of blift)
  all eliminated rules are derived as theorems --> no visible changes ;


*** ZF ***

* ZF now has Fast_tac, Simp_tac and Auto_tac.  Union_iff is a now a default
rewrite rule; this may affect some proofs.  eq_cs is gone but can be put back
as ZF_cs addSIs [equalityI];


New in Isabelle94-7 (November 96)
---------------------------------

* allowing negative levels (as offsets) in prlev and choplev;

* super-linear speedup for large simplifications;

* FOL, ZF and HOL now use miniscoping: rewriting pushes
quantifications in as far as possible (COULD MAKE EXISTING PROOFS
FAIL); can suppress it using the command Delsimps (ex_simps @
all_simps); De Morgan laws are also now included, by default;

* improved printing of ==>  :  ~:

* new object-logic "Sequents" adds linear logic, while replacing LK
and Modal (thanks to Sara Kalvala);

* HOL/Auth: correctness proofs for authentication protocols;

* HOL: new auto_tac combines rewriting and classical reasoning (many
examples on HOL/Auth);

* HOL: new command AddIffs for declaring theorems of the form P=Q to
the rewriter and classical reasoner simultaneously;

* function uresult no longer returns theorems in "standard" format;
regain previous version by: val uresult = standard o uresult;


New in Isabelle94-6
-------------------

* oracles -- these establish an interface between Isabelle and trusted
external reasoners, which may deliver results as theorems;

* proof objects (in particular record all uses of oracles);

* Simp_tac, Fast_tac, etc. that refer to implicit simpset / claset;

* "constdefs" section in theory files;

* "primrec" section (HOL) no longer requires names;

* internal type "tactic" now simply "thm -> thm Sequence.seq";


New in Isabelle94-5
-------------------

* reduced space requirements;

* automatic HTML generation from theories;

* theory files no longer require "..." (quotes) around most types;

* new examples, including two proofs of the Church-Rosser theorem;

* non-curried (1994) version of HOL is no longer distributed;


New in Isabelle94-4
-------------------

* greatly reduced space requirements;

* theory files (.thy) no longer require \...\ escapes at line breaks;

* searchable theorem database (see the section "Retrieving theorems" on
page 8 of the Reference Manual);

* new examples, including Grabczewski's monumental case study of the
Axiom of Choice;

* The previous version of HOL renamed to Old_HOL;

* The new version of HOL (previously called CHOL) uses a curried syntax
for functions.  Application looks like f a b instead of f(a,b);

* Mutually recursive inductive definitions finally work in HOL;

* In ZF, pattern-matching on tuples is now available in all abstractions and
translates to the operator "split";


New in Isabelle94-3
-------------------

* new infix operator, addss, allowing the classical reasoner to
perform simplification at each step of its search.  Example:
        fast_tac (cs addss ss)

* a new logic, CHOL, the same as HOL, but with a curried syntax
for functions.  Application looks like f a b instead of f(a,b).  Also pairs
look like (a,b) instead of <a,b>;

* PLEASE NOTE: CHOL will eventually replace HOL!

* In CHOL, pattern-matching on tuples is now available in all abstractions.
It translates to the operator "split".  A new theory of integers is available;

* In ZF, integer numerals now denote two's-complement binary integers.
Arithmetic operations can be performed by rewriting.  See ZF/ex/Bin.ML;

* Many new examples: I/O automata, Church-Rosser theorem, equivalents
of the Axiom of Choice;


New in Isabelle94-2
-------------------

* Significantly faster resolution;

* the different sections in a .thy file can now be mixed and repeated
freely;

* Database of theorems for FOL, HOL and ZF.  New
commands including qed, qed_goal and bind_thm store theorems in the database.

* Simple database queries: return a named theorem (get_thm) or all theorems of
a given theory (thms_of), or find out what theory a theorem was proved in
(theory_of_thm);

* Bugs fixed in the inductive definition and datatype packages;

* The classical reasoner provides deepen_tac and depth_tac, making FOL_dup_cs
and HOL_dup_cs obsolete;

* Syntactic ambiguities caused by the new treatment of syntax in Isabelle94-1
have been removed;

* Simpler definition of function space in ZF;

* new results about cardinal and ordinal arithmetic in ZF;

* 'subtype' facility in HOL for introducing new types as subsets of existing
types;

:mode=isabelle-news:wrap=hard:maxLineLen=72: