(* Title: BDD Author : Veronika Ortner and Norbert Schirmer , 2004 Maintainer : Norbert Schirmer , norbert . schirmer at web de License : LGPL (* RepointProof . thy Copyright ( C ) 2004 - 2008 Veronika Ortner and Norbert Schirmer Some rights reserved , TU Muenchen This library is free software ; you can redistribute it and / or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation ; either version 2 . 1 of the License , or ( at your option ) any later version . This library is distributed in the hope that it will be useful , but WITHOUT ANY WARRANTY ; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU Lesser General Public License for more details . You should have received a copy of the GNU Lesser General Public License along with this library ; if not , write to the Free Software Foundation , Inc . , 59 Temple Place , Suite 330 , Boston , MA 02111 - 1307 USA section ‹ Proof of Procedure Repoint› theory RepointProof imports ProcedureSpecs begin open ) DistinctTreeProver.set_of tree.Node tree.Tiplemma (in Repoint_impl) Repoint_modifies:shows "∀ σ. Γ⊨ {σ} 🍋 p :== PROC Repoint (🍋 p) {t. t may_only_modify_globals σ in [low,high]}" apply (hoare_rule HoarePartial.ProcRec1)apply (vcg spec=modifies)done lemma low_high_exchange_dag: assumes pt_same: "∀ pt. pt ∉ set_of lt ⟶ low pt = lowa pt ∧ high pt = higha pt" assumes pt_changed: "∀ pt ∈ set_of lt. lowa pt = (rep ∝ low) pt ∧ higha pt = (rep ∝ high) pt" assumes rep_pt: "∀ pt ∈ set_of rt. rep pt = pt" shows "∧ ∝ low) (rep ∝ high) rt ==> Dag q (rep ∝ lowa) (rep ∝ higha) rt" using rep_ptproof (induct rt)case Tip thus ?case by simpnext case (Node lrt q' rrt)have "Dag q (rep ∝ low) (rep ∝ high) (Node lrt q' rrt)" by factthen obtain "q = q'" and "q ≠ Null" and "Dag ((rep ∝ low) q) (rep ∝ low) (rep ∝ high) lrt" and "Dag ((rep ∝ high) q) (rep ∝ low) (rep ∝ high) rrt" by autohave rlowa_rlow: "((rep ∝ lowa) q) = ((rep ∝ low) q)" proof (cases "q ∈ set_of lt" )case Truenote q_in_lt=thiswith pt_changed have lowa_q: "lowa q = (rep ∝ low) q" by simpthus "(rep ∝ lowa) q = (rep ∝ low) q" proof (cases "low q = Null" )case Truewith lowa_q have "lowa q = Null" by (simp add: null_comp_def)with True show ?thesisby (simp add: null_comp_def)next assume lq_nNull: "low q ≠ Null" show ?thesisproof (cases "(rep ∝ low) q = Null" )case True with lowa_q have "lowa q = Null" by simpwith True show ?thesisby (simp add: null_comp_def)next assume rlq_nNull: "(rep ∝ low) q ≠ Null" with lrt lowa_q have "lowa q ∈ set_of lrt" by autowith Node.prems Node have "lowa q ∈ set_of (Node lrt q' rrt)" by simpwith Node.prems have "rep (lowa q) = lowa q" by autowith lowa_q rlq_nNull show ?thesisby (simp add: null_comp_def)qed qed next assume q_notin_lt: " q ∉ set_of lt" with pt_same have "low q = lowa q" by autothus ?thesisby (simp add: null_comp_def)qed have rhigha_rhigh: "((rep ∝ higha) q) = ((rep ∝ high) q)" proof (cases "q ∈ set_of lt" )case Truenote q_in_lt=thiswith pt_changed have higha_q: "higha q = (rep ∝ high) q" by simpthus ?thesisproof (cases "high q = Null" )case Truewith higha_q have "higha q = Null" by (simp add: null_comp_def)with True show ?thesisby (simp add: null_comp_def)next assume hq_nNull: "high q ≠ Null" show ?thesisproof (cases "(rep ∝ high) q = Null" )case True with higha_q have "higha q = Null" by simpwith True show ?thesisby (simp add: null_comp_def)next assume rhq_nNull: "(rep ∝ high) q ≠ Null" with rrt higha_q have "higha q ∈ set_of rrt" by autowith Node.prems Node have "higha q ∈ set_of (Node lrt q' rrt)" by simpwith Node.prems have "rep (higha q) = higha q" by autowith higha_q rhq_nNull show ?thesisby (simp add: null_comp_def)qed qed next assume q_notin_lt: " q ∉ set_of lt" with pt_same have "high q = higha q" by autothus ?thesisby (simp add: null_comp_def)qed with rrt have rhigha_mixed_dag: "Dag ((rep ∝ higha) q) (rep ∝ low) (rep ∝ high) rrt" by simpfrom lrt rlowa_rlow have rlowa_mixed_dag: " Dag ((rep ∝ lowa) q) (rep ∝ low) (rep ∝ high) lrt" by simpfrom Node.prems have lrt_rep_eq: " ∀ pt∈ set_of lrt. rep pt = pt" by simpfrom Node.prems have rrt_rep_eq: "∀ pt∈ set_of rrt. rep pt = pt" by simpfrom rlowa_mixed_dag lrt_rep_eq have lowa_lrt: " Dag ((rep ∝ lowa) q) (rep ∝ lowa) (rep ∝ higha) lrt" apply -apply (rule Node.hyps)apply autodone from rhigha_mixed_dag rrt_rep_eq have higha_rrt: " Dag ((rep ∝ higha) q) (rep ∝ lowa) (rep ∝ higha) rrt" apply -apply (rule Node.hyps)apply autodone with lowa_lrt q' q_notNull show " Dag q (rep ∝ lowa) (rep ∝ higha) (Node lrt q' rrt)" by simpqed (*lemma Repoint_spec :includes Repoint_impl shows " \ < forall > \ < sigma > rept . \ < Gamma > \ < turnstile > \ < lbrace > \ < sigma > . ( Dag ( ( \ < ^ bsup > \ < sigma > \ < ^ esup > rep \ < propto > id ) \ < ^ bsup > \ < sigma > \ < ^ esup > p ) ( \ < ^ bsup > \ < sigma > \ < ^ esup > rep \ < propto > \ < ^ bsup > \ < sigma > \ < ^ esup > low ) ( \ < ^ bsup > \ < sigma > \ < ^ esup > rep \ < propto > \ < ^ bsup > \ < sigma > \ < ^ esup > high ) rept ) \ < and > ( \ < forall > no \ < in > set_of rept . \ < ^ bsup > \ < sigma > \ < ^ esup > rep no = no ) \ < rbrace > \ < acute > p : = = CALL Repoint ( \ < acute > p ) \ < lbrace > Dag \ < acute > p \ < acute > low \ < acute > high rept \ < and > ( \ < forall > pt . pt \ < notin > set_of rept \ < longrightarrow > \ < ^ bsup > \ < sigma > \ < ^ esup > low pt = \ < acute > low pt \ < and > \ < ^ bsup > \ < sigma > \ < ^ esup > high pt = \ < acute > high pt ) \ < rbrace > " apply ( hoare_rule CallRec1_SamePost ) apply ( vcg ) apply ( rule conjI ) apply clarify prefer 2 apply ( intro impI allI ) apply ( simp add : null_comp_def ) apply ( rule conjI ) prefer 2 apply ( clarsimp ) apply clarify lemma (in Repoint_impl) Repoint_spec':shows "∀ σ. Γ⊨ {σ} 🍋 p :== PROC Repoint (🍋 p) { ∀ rept. ((Dag ((<sigma> ∝ id) <sigma> <sigma> ∝ <sigma> <sigma> ∝ <sigma> ∧ (∀ no ∈ set_of rept. <sigma> ⟶ Dag 🍋 p 🍋 low 🍋 high rept ∧ (∀ pt. pt ∉ set_of rept ⟶ <sigma> 🍋 low pt ∧ <sigma> 🍋 high pt)} " apply (hoare_rule HoarePartial.ProcRec1)apply vcgapply (rule conjI)apply clarifyprefer 2 apply (intro impI allI )apply (simp add: null_comp_def)apply (rule conjI)prefer 2 apply (clarsimp)apply clarifyproof -fix low high p rep lowa higha pa lowb highb pb reptassume p_nNull: "p ≠ Null" assume rp_nNull: " rep p ≠ Null" assume rec_spec_lrept: "∀ rept. Dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high) rept ∧ (∀ no∈ set_of rept. rep no = no) ⟶ Dag pa lowa higha rept ∧ (∀ pt. pt ∉ set_of rept ⟶ low pt = lowa pt ∧ high pt = higha pt)" assume rec_spec_rrept: "∀ rept. Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rept ∧ (∀ no∈ set_of rept. rep no = no) ⟶ Dag pb lowb highb rept ∧ (∀ pt. pt ∉ set_of rept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt)" assume rept_dag: "Dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high) rept" assume rno_rept: "∀ no∈ set_of rept. rep no = no" show " Dag (rep p) lowb (highb(rep p := pb)) rept ∧ (∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt)" proof -from rp_nNull rept_dag p_nNull obtain lrept rrept where "rept = Node lrept (rep p) rrept" by autowith rept_dag p_nNull have lrept_dag: "Dag ((rep ∝ low) (rep p)) (rep ∝ low) (rep ∝ high) lrept" by simpfrom rept_def rept_dag p_nNull have rrept_dag: "Dag ((rep ∝ high) (rep p)) (rep ∝ low) (rep ∝ high) rrept" by simpfrom rno_rept rept_def have rno_lrept: "∀ no ∈ set_of lrept. rep no = no" by autofrom rno_rept rept_def have rno_rrept: "∀ no ∈ set_of rrept. rep no = no" by autohave repoint_post_low: " Dag pa lowa higha lrept ∧ (∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt)" proof -from lrept_dag have " Dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high) lrept" by (simp add: id_trans)with rec_spec_lrept rno_lrept show ?thesisapply -apply (erule_tac x=lrept in allE)apply (erule impE)apply simpapply assumptiondone qed hence low_lowa_nc: "(∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt)" by simpfrom lrept_dag repoint_post_low obtain "pa = (rep ∝ low) (rep p)" and "(∀ no ∈ set_of lrept. lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no)" apply -apply (drule Dags_eq_hp_eq)apply autodone from rept_dag have rept_DAG: "DAG rept" by (rule Dag_is_DAG)with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept" by simpfrom rept_DAG rept_def have rp_notin_rrept: "rep p ∉ set_of rrept" by simphave "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -from low_lowa_nc rp_notin_lrept have "(rep ∝ high) (rep p) = (rep ∝ higha) (rep p)" by (auto simp add: null_comp_def)with rrept_dag have higha_mixed_rrept: "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ low) (rep ∝ high) rrept" by (simp add: id_trans)thm low_high_exchange_dagwith low_lowa_nc lowa_higha_def rno_rrept have lowa_higha_rrept:"Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept" apply -apply (rule low_high_exchange_dag)apply autodone have "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept = Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -have "∀ no ∈ set_of rrept. (rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" proof fix noassume no_in_rrept: "no ∈ set_of rrept" with rp_notin_rrept have "no ≠ rep p" by blastthus "(rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" by (simp add: null_comp_def)qed thus ?thesisby (rule heaps_eq_Dag_eq)qed with lowa_higha_rrept show ?thesisby simpqed with rec_spec_rrept rno_rrept have repoint_rrept: "Dag pb lowb highb rrept ∧ (∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt)" apply -apply (erule_tac x=rrept in allE)apply (erule impE)apply simpapply assumptiondone then have ab_nc: "(∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt)" by simpfrom repoint_rrept rrept_dag obtain "pb = ((rep ∝ high) (rep p))" and "(∀ no ∈ set_of rrept. lowb no = (rep ∝ low) no ∧ highb no = (rep ∝ high) no)" apply -apply (drule Dags_eq_hp_eq)apply autodone have rept_end_dag: " Dag (rep p) lowb (highb(rep p := pb)) rept" proof -have "∀ no ∈ set_of rept. lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof fix noassume no_in_rept: " no ∈ set_of rept" show "lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof (cases "no ∈ set_of rrept" )case Truewith lowb_highb_def pb_def show ?thesisby simpnext assume no_notin_rrept: " no ∉ set_of rrept" show ?thesisproof (cases "no ∈ set_of lrept" )case Truewith no_notin_rrept rp_notin_lrept ab_nchave ab_nc_no: "lowa no = lowb no ∧ higha no = highb no" apply -apply (erule_tac x=no in allE)apply (erule impE)apply simpapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone from lowa_higha_def True have "lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no" by autowith ab_nc_no have "lowb no = (rep ∝ low) no ∧ highb no =(rep ∝ high) no" by simpwith rp_notin_lrept True show ?thesisapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone next assume no_notin_lrept: " no ∉ set_of lrept" with no_in_rept rept_def no_notin_rrept have no_rp: "no = rep p" by simpwith rp_notin_lrept low_lowa_nc have a_nc: "low no = lowa no ∧ high no = higha no" by autofrom rp_notin_rrept no_rp ab_nc have "(lowa(rep p := pa)) no = lowb no ∧ higha no = highb no" by autowith a_nc pa_def no_rp have "(rep ∝ low) no = lowb no ∧ high no = highb no" by autowith pb_def no_rp show ?thesisby simpqed qed qed with rept_dag have " Dag (rep p) lowb (highb(rep p := pb)) rept = Dag (rep p) (rep ∝ low) (rep ∝ high) rept" apply -thm heaps_eq_Dag_eqapply (rule heaps_eq_Dag_eq)apply autodone with rept_dag p_nNull show ?thesisby simpqed have "(∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt)" proof (intro allI impI)fix ptassume pt_notin_rept: "pt ∉ set_of rept" with rept_def obtain "pt ∉ set_of lrept" and "pt ∉ set_of rrept" and "pt ≠ rep p" by simpwith low_lowa_nc ab_nc show "low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt" by autoqed with rept_end_dag show ?thesisby simpqed qed lemma (in Repoint_impl) Repoint_spec:shows "∀ σ rept. Γ⊨ { σ. Dag ((🍋 rep ∝ id) 🍋 p) (🍋 rep ∝ 🍋 low) (🍋 rep ∝ 🍋 high) rept ∧ (∀ no ∈ set_of rept. 🍋 rep no = no) } 🍋 p :== PROC Repoint (🍋 p) { Dag 🍋 p 🍋 low 🍋 high rept ∧ (∀ pt. pt ∉ set_of rept ⟶ <sigma> 🍋 low pt ∧ <sigma> 🍋 high pt)} " apply (hoare_rule HoarePartial.ProcRec1)apply vcgapply (rule conjI)prefer 2 apply (clarsimp simp add: null_comp_def)apply clarifyapply (rule conjI)prefer 2 apply clarsimpapply clarifyproof -fix rept low high rep passume rept_dag: "Dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high) rept" assume rno_rept: "∀ no∈ set_of rept. rep no = no" assume p_nNull: "p ≠ Null" assume rp_nNull: " rep p ≠ Null" show "∃ lrept. Dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high) lrept ∧ (∀ no∈ set_of lrept. rep no = no) ∧ (∀ lowa higha pa. Dag pa lowa higha lrept ∧ (∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt) ⟶ (∃ rrept. Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept ∧ (∀ no∈ set_of rrept. rep no = no) ∧ (∀ lowb highb pb. Dag pb lowb highb rrept ∧ (∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt) ⟶ Dag (rep p) lowb (highb(rep p := pb)) rept ∧ (∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt))))" proof -from rp_nNull rept_dag p_nNull obtain lrept rrept where "rept = Node lrept (rep p) rrept" by autowith rept_dag p_nNull have lrept_dag: "Dag ((rep ∝ low) (rep p)) (rep ∝ low) (rep ∝ high) lrept" by simpfrom rept_def rept_dag p_nNull have rrept_dag: "Dag ((rep ∝ high) (rep p)) (rep ∝ low) (rep ∝ high) rrept" by simpfrom rno_rept rept_def have rno_lrept: "∀ no ∈ set_of lrept. rep no = no" by autofrom rno_rept rept_def have rno_rrept: "∀ no ∈ set_of rrept. rep no = no" by autoshow ?thesisapply (rule_tac x=lrept in exI)apply (rule conjI)apply (simp add: id_trans lrept_dag)apply (rule conjI)apply (rule rno_lrept)apply clarifysubgoal premises prems for lowa higha paproof -have lrepta: "Dag pa lowa higha lrept" by facthave low_lowa_nc: "∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt" by factfrom lrept_dag lrepta obtain "pa = (rep ∝ low) (rep p)" and "∀ no ∈ set_of lrept. lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no" apply -apply (drule Dags_eq_hp_eq)apply autodone from rept_dag have rept_DAG: "DAG rept" by (rule Dag_is_DAG)with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept" by simpfrom rept_DAG rept_def have rp_notin_rrept: "rep p ∉ set_of rrept" by simphave rrepta: "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -from low_lowa_nc rp_notin_lrept have "(rep ∝ high) (rep p) = (rep ∝ higha) (rep p)" by (auto simp add: null_comp_def)with rrept_dag have higha_mixed_rrept: "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ low) (rep ∝ high) rrept" by (simp add: id_trans)thm low_high_exchange_dagwith low_lowa_nc lowa_higha_def rno_rrept have lowa_higha_rrept:"Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept" apply -apply (rule low_high_exchange_dag)apply autodone have "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept = Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -have "∀ no ∈ set_of rrept. (rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" proof fix noassume no_in_rrept: "no ∈ set_of rrept" with rp_notin_rrept have "no ≠ rep p" by blastthus "(rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" by (simp add: null_comp_def)qed thus ?thesisby (rule heaps_eq_Dag_eq)qed with lowa_higha_rrept show ?thesisby simpqed show ?thesisapply (rule_tac x=rrept in exI)apply (rule conjI)apply (rule rrepta)apply (rule conjI)apply (rule rno_rrept)apply clarifysubgoal premises prems for lowb highb pbproof -have rreptb: "Dag pb lowb highb rrept" by facthave ab_nc: "∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt" by factfrom rreptb rrept_dag obtain "pb = ((rep ∝ high) (rep p))" and "∀ no ∈ set_of rrept. lowb no = (rep ∝ low) no ∧ highb no = (rep ∝ high) no" apply -apply (drule Dags_eq_hp_eq)apply autodone have rept_end_dag: " Dag (rep p) lowb (highb(rep p := pb)) rept" proof -have "∀ no ∈ set_of rept. lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof fix noassume no_in_rept: " no ∈ set_of rept" show "lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof (cases "no ∈ set_of rrept" )case Truewith lowb_highb_def pb_def show ?thesisby simpnext assume no_notin_rrept: " no ∉ set_of rrept" show ?thesisproof (cases "no ∈ set_of lrept" )case Truewith no_notin_rrept rp_notin_lrept ab_nchave ab_nc_no: "lowa no = lowb no ∧ higha no = highb no" apply -apply (erule_tac x=no in allE)apply (erule impE)apply simpapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone from lowa_higha_def True have "lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no" by autowith ab_nc_no have "lowb no = (rep ∝ low) no ∧ highb no =(rep ∝ high) no" by simpwith rp_notin_lrept True show ?thesisapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone next assume no_notin_lrept: " no ∉ set_of lrept" with no_in_rept rept_def no_notin_rrept have no_rp: "no = rep p" by simpwith rp_notin_lrept low_lowa_nc have a_nc: "low no = lowa no ∧ high no = higha no" by autofrom rp_notin_rrept no_rp ab_nc have "(lowa(rep p := pa)) no = lowb no ∧ higha no = highb no" by autowith a_nc pa_def no_rp have "(rep ∝ low) no = lowb no ∧ high no = highb no" by autowith pb_def no_rp show ?thesisby simpqed qed qed with rept_dag have "Dag (rep p) lowb (highb(rep p := pb)) rept = Dag (rep p) (rep ∝ low) (rep ∝ high) rept" apply -apply (rule heaps_eq_Dag_eq)apply autodone with rept_dag p_nNull show ?thesisby simpqed have "(∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt)" proof (intro allI impI)fix ptassume pt_notin_rept: "pt ∉ set_of rept" with rept_def obtain "pt ∉ set_of lrept" and "pt ∉ set_of rrept" and "pt ≠ rep p" by simpwith low_lowa_nc ab_nc show "low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt" by autoqed with rept_end_dag show ?thesisby simpqed done qed done qed qed lemma (in Repoint_impl) Repoint_spec_total:shows "∀ σ rept. Γ⊨ t { σ. Dag ((🍋 rep ∝ id) 🍋 p) (🍋 rep ∝ 🍋 low) (🍋 rep ∝ 🍋 high) rept ∧ (∀ no ∈ set_of rept. 🍋 rep no = no) } 🍋 p :== PROC Repoint (🍋 p) { Dag 🍋 p 🍋 low 🍋 high rept ∧ (∀ pt. pt ∉ set_of rept ⟶ <sigma> 🍋 low pt ∧ <sigma> 🍋 high pt)} " apply (hoare_rule HoareTotal.ProcRec1where r="measure (λ(s,p). size (dag ((∝ id) ∝ ∝ ])apply vcgapply (rule conjI)prefer 2 apply (clarsimp simp add: null_comp_def)apply clarifyapply (rule conjI)prefer 2 apply clarsimpapply clarifyproof -fix rept low high rep passume rept_dag: "Dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high) rept" assume rno_rept: "∀ no∈ set_of rept. rep no = no" assume p_nNull: "p ≠ Null" assume rp_nNull: " rep p ≠ Null" show "∃ lrept. Dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high) lrept ∧ (∀ no∈ set_of lrept. rep no = no) ∧ size (dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high)) < size (dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high)) ∧ (∀ lowa higha pa. Dag pa lowa higha lrept ∧ (∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt) ⟶ (∃ rrept. Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept ∧ (∀ no∈ set_of rrept. rep no = no) ∧ size (dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha)) < size (dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high)) ∧ (∀ lowb highb pb. Dag pb lowb highb rrept ∧ (∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt) ⟶ Dag (rep p) lowb (highb(rep p := pb)) rept ∧ (∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt))))" proof -from rp_nNull rept_dag p_nNull obtain lrept rrept where "rept = Node lrept (rep p) rrept" by autowith rept_dag p_nNull have lrept_dag: "Dag ((rep ∝ low) (rep p)) (rep ∝ low) (rep ∝ high) lrept" by simpfrom rept_def rept_dag p_nNull have rrept_dag: "Dag ((rep ∝ high) (rep p)) (rep ∝ low) (rep ∝ high) rrept" by simpfrom rno_rept rept_def have rno_lrept: "∀ no ∈ set_of lrept. rep no = no" by autofrom rno_rept rept_def have rno_rrept: "∀ no ∈ set_of rrept. rep no = no" by autoshow ?thesisapply (rule_tac x=lrept in exI)apply (rule conjI)apply (simp add: id_trans lrept_dag)apply (rule conjI)apply (rule rno_lrept)apply (rule conjI)using rept_dag rept_defapply (simp only: Dag_dag)apply (clarsimp simp add: id_trans Dag_dag)apply clarifysubgoal premises prems for lowa higha paproof -have lrepta: "Dag pa lowa higha lrept" by facthave low_lowa_nc: "∀ pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt" by factfrom lrept_dag lrepta obtain "pa = (rep ∝ low) (rep p)" and "∀ no ∈ set_of lrept. lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no" apply -apply (drule Dags_eq_hp_eq)apply autodone from rept_dag have rept_DAG: "DAG rept" by (rule Dag_is_DAG)with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept" by simpfrom rept_DAG rept_def have rp_notin_rrept: "rep p ∉ set_of rrept" by simphave rrepta: "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -from low_lowa_nc rp_notin_lrept have "(rep ∝ high) (rep p) = (rep ∝ higha) (rep p)" by (auto simp add: null_comp_def)with rrept_dag have higha_mixed_rrept: "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ low) (rep ∝ high) rrept" by (simp add: id_trans)thm low_high_exchange_dagwith low_lowa_nc lowa_higha_def rno_rrept have lowa_higha_rrept:"Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept" apply -apply (rule low_high_exchange_dag)apply autodone have "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept = Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept" proof -have "∀ no ∈ set_of rrept. (rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" proof fix noassume no_in_rrept: "no ∈ set_of rrept" with rp_notin_rrept have "no ≠ rep p" by blastthus "(rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧ (rep ∝ higha) no = (rep ∝ higha) no" by (simp add: null_comp_def)qed thus ?thesisby (rule heaps_eq_Dag_eq)qed with lowa_higha_rrept show ?thesisby simpqed show ?thesisapply (rule_tac x=rrept in exI)apply (rule conjI)apply (rule rrepta)apply (rule conjI)apply (rule rno_rrept)apply (rule conjI)using rept_dag rept_def rreptaapply (simp only: Dag_dag)apply (clarsimp simp add: id_trans Dag_dag)apply clarifysubgoal premises prems for lowb highb pbproof -have rreptb: "Dag pb lowb highb rrept" by facthave ab_nc: "∀ pt. pt ∉ set_of rrept ⟶ (lowa(rep p := pa)) pt = lowb pt ∧ higha pt = highb pt" by factfrom rreptb rrept_dag obtain "pb = ((rep ∝ high) (rep p))" and "∀ no ∈ set_of rrept. lowb no = (rep ∝ low) no ∧ highb no = (rep ∝ high) no" apply -apply (drule Dags_eq_hp_eq)apply autodone have rept_end_dag: " Dag (rep p) lowb (highb(rep p := pb)) rept" proof -have "∀ no ∈ set_of rept. lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof fix noassume no_in_rept: " no ∈ set_of rept" show "lowb no = (rep ∝ low) no ∧ (highb(rep p := pb)) no = (rep ∝ high) no" proof (cases "no ∈ set_of rrept" )case Truewith lowb_highb_def pb_def show ?thesisby simpnext assume no_notin_rrept: " no ∉ set_of rrept" show ?thesisproof (cases "no ∈ set_of lrept" )case Truewith no_notin_rrept rp_notin_lrept ab_nchave ab_nc_no: "lowa no = lowb no ∧ higha no = highb no" apply -apply (erule_tac x=no in allE)apply (erule impE)apply simpapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone from lowa_higha_def True have "lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no" by autowith ab_nc_no have "lowb no = (rep ∝ low) no ∧ highb no =(rep ∝ high) no" by simpwith rp_notin_lrept True show ?thesisapply (subgoal_tac "no ≠ rep p" )apply simpapply blastdone next assume no_notin_lrept: " no ∉ set_of lrept" with no_in_rept rept_def no_notin_rrept have no_rp: "no = rep p" by simpwith rp_notin_lrept low_lowa_nc have a_nc: "low no = lowa no ∧ high no = higha no" by autofrom rp_notin_rrept no_rp ab_nc have "(lowa(rep p := pa)) no = lowb no ∧ higha no = highb no" by autowith a_nc pa_def no_rp have "(rep ∝ low) no = lowb no ∧ high no = highb no" by autowith pb_def no_rp show ?thesisby simpqed qed qed with rept_dag have "Dag (rep p) lowb (highb(rep p := pb)) rept = Dag (rep p) (rep ∝ low) (rep ∝ high) rept" apply -apply (rule heaps_eq_Dag_eq)apply autodone with rept_dag p_nNull show ?thesisby simpqed have "(∀ pt. pt ∉ set_of rept ⟶ low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt)" proof (intro allI impI)fix ptassume pt_notin_rept: "pt ∉ set_of rept" with rept_def obtain "pt ∉ set_of lrept" and "pt ∉ set_of rrept" and "pt ≠ rep p" by simpwith low_lowa_nc ab_nc show "low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt" by autoqed with rept_end_dag show ?thesisby simpqed done qed done qed qed end
Messung V0.5 in Prozent C=97 H=94 G=95
¤ Dauer der Verarbeitung: 0.26 Sekunden
¤ *© Formatika GbR, Deutschland
Suchen
