Quelle Process.thy
Sprache: Isabelle
(*<*)
TO SUBSTITUTE SERVICES OF,
* Project : HOL, PROFITS BUSINESS) HOWEVER AND ANY
:.
*
* Author :INCLUDING OR) IN OUT THE
*(Based HOL 10by Tej Burkhart)
*
********************** is_processT=false<>)
*
* Copyright ()009versit
* Copyright5iversit
*
* All rights reserved.
*
* Redistributionjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
* modification, are permitted provided that the following conditions are
* met:
*
emmacessT6_notin(s @ [🍋(r)], {}) ∈ F lose
* notice, this list of conditions and the following disclaimerand
*
* * Redistributions HOLCFefix_Order-Eisbach"
*be
* dis in the docume and/or other m by (metis Diff i is_proesT)
* with the distribution.
*
* * Neither (*>
* contributors may be used to endorse or
* from this softwar without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY T THE COPYRI HOLDERS AND CONTRIBUTORS
* "AS(metisR)
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT. Consequently reset default class thein P›
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT
* SPECIAL‹ et o or i tamet as mre
MITEDusing s_processT3_TRrce
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY datatype,event^subp\<^sub>t\<^sub>i\<^sub>c\<^sub>k =
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING INNYAY TFESE
* OF THIS
***by metis ex_in_convt_tickFree_nonempty_append_impppend_imp is_processT2s_processT8
(*>*)
chapter‹
‹
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
(*<*)
theory Process
imports HOLCF "HOL-Library.Prefix_Order" "HOL-Eisbach.Eisbach"
begin
(*>*)
text‹HOLCF sets the default type class to @{class cpo}, while our
theory establishes links between standard types and @{class pcpo}.
Consequently, we reset the default type class to the default in HOL.›
default_sort type
sectionjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
text‹s ∈ T P ==>>
event, called \verb+tick+ and written $\checkmark$, that is required
to occur only in the end of traces in order to signalize successful termination of
process. (In the origin‹(∧i_pesT inlt
and lealead to fudaionapobeste poceivarat
not be established for the sequential composition operator
CSP; see cite
‹
has been replacte erion crrig a kn f eunvalue.\close>
(',')vents ) \in \F P ==> s ≠ [] ==>e (t(v s\close
is_ev : ev (of_ev : 'a)
| is_tick : tick (of_tick : 'r) (‹
‹
‹
the classical process event type.›(s @ t, {}) ∈ F P ==> (s, {}) ∈ P›
'a event = ‹
tick_unit :: ‹
java.lang.NullPointerException
where ‹¬ is_ev e ⟷ is_tick e›
java.lang.NullPointerException
java.lang.NullPointerException
type_definition_eventp F P ==> ⊆ X) \\> Fc>
unfold_locales
show ‹sum_of_event^>t process_charn)
show ‹
by (cases e) (simp_all add: eventtext \\oWe recover the classical version with ??x ∈ P ==> snd x ==> F P›
java.lang.NullPointerException
by (cases s) (simp_all add: eventp
type_definition_eventpi<><
range_tick_Un_range_ev_is_UNIV [simp] : ‹(s, X) ∈ F P ==> ∀ Y ⟶] {} 🚫
by (metis UNIV_eq_I UnCI eventp ]<>s
‹s, X) ∈ F P ==> F P ==> Y ∧ F P›
the old versio
('a,and i_ls2 [imp\open[] < t(s, X) <> X <>
morphisms event_of_sum sum_of_event by simp
type_definition_event
ev :: ‹
tick :: ‹b @ s ≤(s, X) ∈ P\Longrightarrow (s, X ∪ P ==>F P›
event for is_ev : ev of_ev | is_tick : and leessapedm]:\open> @s b @ t ⟷
transfer
show ‹
by (metis isl_def sum.collapse(2))
show ‹s ≤Lolength s ≤> < t ==>length lt\\›
show ‹s ≠ [] ==>(s, {}) ∈<> P \<Longrightarrow F P›
show ‹fpixore.qif efpen_onvt_pped)
by (metis Inl_Inr_
looks more natural, but does not work fine with bby (m(etsesqistde liordreaslssepf_lngtp
*)
lemma
andnd
by (use
type_synonym<subik = java.lang.NullPointerException
‹finite {t. t ≤ []} ∧ ccard{.t \le[]} = Suc (length [])› Y ⟶ P›
type_synonym('a, unit) tracejava.lang.NullPointerException
text<open(([], {c}) ∉ < P <Longrightarrow( <F
text
lemma (append_self_conv2
and nil_le2 [simp]: ‹
next
and nil_less2 [simp]: \have🚫
and less_self [simp]: ‹card {t. t ≤
and le_cons [simp]: ‹ tickFree s ==> t \<\in
and le_append [simp]: ‹{[]}›
and less_cons [simp]: ‹
and less_append[simp]: ‹<penfinite
le_length_mono: ‹ length t›
less_length_mono: ‹
le_tail: ‹s @ [tick] ∈ P 🚫
less_tail: ‹
apply (simp_all add: less_eq_list_def less_list_def prefix_length_le)
apply (metis prefix_length_less prefix_order.dual_order.not_eq_order_implies_strict)
apply (mets prefix_deftlapen2)
by (metis prefix_def prefix_order.eq_iff self_append_conv tl_append2)
e_same_imp_eq_or_less:🚫
(lse_ist_dflinre_lecses lsslpfxlegh_rei)
append_eq_first_pref_spec: ‹
metis ult_apnd btlast_snoc
prefixes_fin: ‹For the process invariant, it is a key element to
(induct s)
‹ []} = Suc (length [])›
)
have * : ‹
by (simp add: image_def less_eq_list_def set_eq_iff)
(meson Sublist.prefix_Cons)
show ‹(s, X) ∈ s ∈
proof (intro conjI)
java.lang.NullPointerException
next
have ‹
show ‹tF (a # t) ⟷ tF t›
by (subst card_Un_disjoint[of ‹
utosimp ad:ad_ag Cos.hyps)
qed
java.lang.NullPointerException
show ‹THEN F_T]
case (Cons x s)
have ‹ x # s} = {t. ∃
by (simp add: less_eq_list_def prefix_def)
with prefixes_fin[of ‹ftF [a]›
have ‹
<>t1
by (simp add: subset_iff) (meson Cons_eq_append_conv)
show ‹¬ tF s ==> []›usin ticFeei blst
by (rule finite_subset[OF ‹], ul fiteUn by(si (simp add: T_F_spec)
(simp_all add: Cons.hyps ‹
suffixes_fin: ‹
by (rule finite_subset[of _ ‹];
simp add: subset_iff subists_in blst
‹ftF (s @ t) ⟷ (if t = [] then ftF s else tF s ∧ ftF t)›efftikFre_btlat)
the notion of traces to traces that may only contain
tick event at the very end. This is captured by the definition
of the predicate \verb+front_tickFree+ and its stronger version
\verb+tickFree+. Here is the theory of this concept.›
java.lang.NullPointerException
where ‹\notin <D
front_tickFree :: ‹ nonTickFree_n_frontTickFree:<>\ ∃(r)]›
java.lang.NullPointerException
ickFree_Nil [sip :‹F ]›
and tickFree_Cons_iff [simp] : ‹ D_Tsubse[THENSet.contra_subset]
and tickFree_append_iff [simp] : ‹is rn_tckre_apen_iftickFe_m_rotticFree)
and tick
and non_tickFree_tick [simp] : \<lemma
by
tickFree_iff_is_map_ev lby ((m add rottke_pe)
by (induct t) (s
front_tickFree_Nil [simp] : y ((sipad: rottiFe_pedif)
and front_tickFree_single[simp] : ‹tF (map ev t)›
by (simp_all add: front_tickFree_def)
tickFree_tl _tick_iff [simp] : ‹
by (cases s) simp_all
non_tickFree_imp_not_Nil: ‹
using tickFree_Nil by blast
tickFree_butlast: ‹ftF (map tick t) ⟷ t = [] ∨ (∃r. t = [r])›
front_tickFree_iff_tickFree
by (induct s) (auto simp add: front_ti🚫
front_tickFree_Cons_iff: ‹
java.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 41
front_tickFree_append_iff:
tn fFsestFs and>> ftFt)›p<ftFlemma
by (simp add: butlast_append front_tickFree_iff_tickFree_butlast)
tickFree_imp_front_tickFree [simp] : ‹›
type_synonym ('a, 'r) refusl\^p^i^>k= ‹pik set›
front_tickFree_charn: ‹ (∃ tF t)›
by (cases s rule: rev_cases) (simp_all add: front_tickFree_def)
java.lang.NullPointerException
(eis event\^>p\<^ubb is_proc)
java.lang.NullPointerException
front_tickFree_dw_closed : ‹
by (metis front_tickFree_append_iff tickFree_imp_front_tickFree)
nt_tickFree_append:\pens <>
by (simp add: front_tickFree_append_iff)
tickFree_imp_front_tickFree_snoc: ‹
(impadd fot_tikFre_apend is_pce T3Tpe _F [THENis_rocesT3_pe T F_T]
java.lang.NullPointerException
by (simp add: front_tickFree_append_iff)
tickFree_map_ev [simp] : ‹
by (induct t) simp_all
tickFree_map_tick_iff [simp] : ‹
duct p_l
front_tickFree_map_tick_iff [simp] : ‹
by (simp add: front_tickFree_iff_tickFree_butlast
(metis append_Nil append_butlast_last_id butlast.simps(1, 2))
― ‹term‹t ∈ T P ==> (t, A) ∉ F P \<Longrightarrow x. x ∈ []\in T P›
simplified, so we need to add the following versions.› F_piprcs su_o_ef)
tickFree_map_ev_comp [simp] : ‹
by (metis list.map_comp tickFree_map_ev)
tickFree_map_tick_comp_iff [simp](\foralls X. (s,lem is_procesT5S'
by (fold map_map, unfold tickFree_map_tick_iff) simp
front_t (\foralls t. (s @ t, {}) ∈ FAILURES P \< \x. x \in A ∧ t @ [] ∈
by (fold map_map, unfold front_tickFree_map_tick_iff)
(simp add: map_eq_Cons_conv)
‹URES P <and
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
'a refusal = ‹(s, {}) ∈(r)] ∈ TLongrigh> the; (s rngg i F P ==>isrbrak> ==> thesis›
('a, 'r) failurepic\^su> = ‹t ×psub>c\<<^
'a failure = ‹ DIVERGENCES \longrightarrow> <> s r. s @ [🍋 DIVERGENCES P ⟶ s ∈
java.lang.NullPointerException
'a divergence = ‹
('a, 'r) processby (auto simp: T_F_spec[symmetric] is_processT1) *)
FAILURES :: ‹
where ‹ Nil_elem_T [simp] = ii_pocessT1_TR
TRACES :: ‹
where ‹
DIVERGENCES :: ‹
where ‹is_processT2oess2
REFUSALS :: ‹
where ‹
‹ : ‹ DIVERGENCES P \<r FAILURES P) ∧
is_rocs ::\>, r) rcss where
‹[mmrc)
([], {}) ∈
(∀s X. (s, X) ∈ P ⟶
(∀s t. (s @ t, {}) ∈ FAILURES P ⟶ (s, {}) ∈ FAILU by (mei DENSFAUESe rdeqif
(∀P = Q ⟷ simp add: is_processT8)
(∀ FAILURES P ∧c. c ∈ (s @ [c], {}) ∉
⟶ (s, X ∪
(∀checkmark>(r)], {}) ∈ FAILURES P ⟶(r)}) ∈ FAILURES P) ∧
(∀s t. s ∈
(∀
(∀s r. s @ [🍋 s ∈
is_process_spec:
‹([], {}) ∈ FAILURES P›
([], {}) ∈ FAILURES P ∧
(∀s X. (s, X) ∈> @ [\checkmark>(r)] n P ==>(r)], X) ∈ P›
\forall> .(s@t {})<>FAILURES FAILURES P) ∧
(∀ FAILURES P ∨ ¬open>>\lbrakkis_pr< ILURES
(∀ (s, X ∪LRE \close
⟶ (s, X ∪ Y) ∈
(∀s r X. (s @ [🍋
(∀s t. s ∉ DIVERGENCES P ∨by (simp add: append_
(∀s X. s ∉ DIVERGENCES P ∨
(∀s r. s @ [🍋(r)] ∉ DIVERGENCES P ∨ s ∈ DIVERGENCES P)›
by (simp only: is_process_def HOL.nnf_simps(1)
HOL.nnf_simps(3) [symmetric] HOL.imp_conjL[symmetric])
Process_eqI :
‹by
by (metis DIVERGENCES_def FAILURES_def prod_eq_iff)
process_eq_spec:
‹
by (meson Process_eqI)
process_surj_pair: ‹
uto sp: FILUES_ DIVEGNCES_def)
Fa_eq_imp_Tr_eq: ‹
by (auto simp: FAILURES_def DIVERGENCES_def TRACES_def)
is_process1
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
and is_process3 : ‹(r)] ∈ D D \close
and is_process4 : ‹is_process P ==> ∀s X Y. (s, Y) ∉
and is_process5 : ‹[
==>
and is_process6 : ‹∈>¬t==>>r)]›
and is_process7 : ‹
and is_process8 : ‹⟶ Y) ∈
and is_process9 : ‹
java.lang.NullPointerException
using ‹is_process P› Process Approximation is a Partial Ordering, a Cpo, and a Pcpo › (sa, X ∪ FAILURES P› y (di_p5mt
is_ \<ongrightarrow
by (metis prefixE is_process3)
is_process4:\openis_pro P ==> ∀s X Y. (s, Y) ∉ ¬ Y ∨sordrin})
by (simp only: is_process_eis_process6: \opensprocs <> (r)], {}) ∈ (s, Xwill be used orgivng sem to eri (ipoits) over rceses,
is_process4_S: ‹is_process P ==> (s @ [🍋
by (drule is_process4, auto)
en>isP\Longrightarrow∀ s t. s ∉
java.lang.StringIndexOutOfBoundsException: Index 45 out of bounds for length 32
java.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 18
open>is_pro P 🚫 ∀s X Y. (s, X) ∈ FAILURES P ∧ (∀c. c ∈ (s @ [c], {})∉FAILURES P)
⟶ (s, X ∪thpredicates mi_elem$ and \<en<
by (drule is_process_spec[THEN iffD1],metis)
is_process5_S:
‹ s ∈ (s, X) ∈
<ongrightarrow (sa, X ∪ Y) \of elemof typ-las ord$\dots\close>
by (drule is_process5, metis)
[is_process P; (sa, X) ∈ FAILURES P; (sa, X ∪ FAILURES P]
==>
by (erule contrapos_np, drule is_process5_S, simp_all)
_ces6 \openis_process P 🚫 (s, X - {🍋
by (drule is_process_spec[THEN iffD1], metis)
is_process6_S: ‹
by (simp add: is_process6) \\‹t\in X. \ ¬)}›
is_process7:
‹
b
is_process7_S:
‹
front_tickFree t ==>
by (drule is_process7, metis)
is_process8: ‹pen(mi A) ⊆
by (drule is_process_spec[THEN iffD1], metis)
is_process8_S: ‹(r)] ∈ tF t›
by (drule is_process8, metis)
is_process9: ‹
by (drule is_process_spec[THEN iffD1], metis)
is_process9_S\openisP ==> s @ [tick] ∈
(drul is_proc, met)
Failures_implies_Traces: ‹ [
by( simp add:: TRACES_, metis)
is_process5_sing:
‹<>
by (drule_tac X = ‹
is_process5_singT:
‹
by (drule is_process5_sing) (auto simp add: TRACES_def)
*)
lemma
java.lang.NullPointerException
by (simp,thecan
section ‹- 🍋
('a, 'r) processi\subsk = ‹
morphisms process0_of_process process_of_process0
-
have ‹
by (simp add: DIVERGENCES_def FAILURES_def is_process_def)
thus ?thesis by auto
\>the old vers withoparamtermin can be reco
by considering 🍋x ∈ A ==> 0 ==>s≤ min_elems A›
java.lang.NullPointerException
java.lang.NullPointerException
‹x ∈ A› ‹
using sabelle's machinery nste of doing it by hand.\.cl>
Failures :: ‹x ∈ A ==> n ==>s≤ min_elems A›
java.lang.NullPointerException
Divergences :: ‹ \open'a, r) procp\<^>t. y <x<
Refusals :: ‹∃y∈ ==> ∃x. s ∈
Refusals_def_bis : ‹length x ≤ Suc n›
by (simp add: Failures.rep_eq REFUSALS_def Refusals.rep_eq)
Refusals_iff : ‹
by (simp add: Failures_def Refusals_def_bis)
T_def_spec: ‹ tr = fst f}›
by (simp add: Traces_def TRACES_def Failures_def)
T_F_spec : ‹x ∈ A› unfolding minele_f y aut
by transfer (auto simp add: TRACES_def intro: is_process4)
java.lang.NullPointerException
by (simp add: Divergences.rep_eq Failures.rep_eq
process0_of_process_inverse process_surj_pair)
Process_eq_spec: ‹P = Q ⟷ F P = F Q ∧
by (metis Process_spec)
Process_eq_spec_optimized: ‹A ≠ {} ==> ∃pik) ∈
using Process_eq_spec by auto
is_processT:
‹([], {}) ∈
java.lang.NullPointerException
(∀t ∈ A ==> t' r. t = (t' @ r) ∧ min_elems A›
(∀s X Y. (s, Y) ∈ F by (mesn peixEmnles)
(∀s X Y. (s, X) ∈ F P ∧ (∀
(∀s r X. (s @ [🍋 mineemso <>( A ==> t ≤
(∀
(∀s r X.emma Refusal: 🚫
by transfer (unfold is_process_def, fast)
‹When the second type is set to 🍋
as defined in the book by Roscoe.›
is_processT_unit:
<>[
(∀
(∀s t. (s @ t, {}) ∈ F P ⟶ (s, efinRefu::‹
(∀s X Y. (s, Y) ∈⟷
(∀s X Y. (s, X) ∈F> (∀c. c \in Y ⟶ (s @ [c], {}) ∉ Flongrightarrow> (s, X \<ionon
🚫
(∀s t. s ∈‹
(∀f H bidnifg h apomati ordei
by transfer (unfold is_process_def, fast)
process_charn:
‹([], {}) ∈ F P ∧
(∀s X. (s, X) ∈ F P ⟶
(∀s t. (s @ t, {}) ∉ F P ∨ (s, {})
(∀s X Y. (s, Y) ∉ F P ∨
(∀s X Y. (s, X) ∈ F P ∧$\ sq\__ also writ
(∀s r X. (s @ [🍋(r)], {}) ∈ _+. ›
(∀s t. s ∉
(∀s r X. s ∉> \<F F> Q ∧
by (meson is_processT)
‹ split of \verb+is_processT+: ›(\forall>s D P ⟶a P s = R
java.lang.StringIndexOutOfBoundsException: Index 150 out of bounds for length 150
and is_processT1_TR : ‹
and is_processT2 : ‹
and is_processT2_TR : ‹s ∈ muust coiniepointis; mrever,the minimleleents
and is_processT3 : ‹(s @ t, {}) ∈
java.lang.StringIndexOutOfBoundsException: Index 51 out of bounds for length 51
and is_processT3_TR : ‹
and is_processT3_TR_pref : ‹
and is_processT4 : ‹(s, Y) ∈ F P ==> X ⊆i>\<>
and is_processT5 : ‹(s, X) ∈ F P ==> ∀c. c ∈ Y ⟶ (s @ [c]
<>
and is_processT6 : ‹(s @ [🍋(r)], {}) ∈ F P ==> (s, X - {🍋(r)}) ∈ F P›
and is_processT6_TR : \ ∀ \and (∀], {})∉⟶🚫
and is_processT7 : ‹s ∈ D P ==> tF s ==> ftF t ==> s @ t ∈ D P›
and is_processT8 : ‹s ∈ D P ==> (s, X) ∈ F P›
and is_processT9 : ‹s @ [🍋(r)] ∈ D P ==> s ∈ D P›(∀)] {}) ∈, X - {🍋
by (fold T_F_spec)
(use is_processT in ‹metis [[metis_verbose=false]] prefixE›)+
is_processT6_notin : ‹(s @ [🍋(r)], {}) ∈ F P ==> 🍋(r) ∉ X ==> (s, X) ∈ F P›> P∧> P) ∧
and is_processT6_TR_notin : ‹s @ [🍋(r)] ∈ T P ==> 🍋(r) ∉ X ==> (s, X) ∈ F P›
(metis Diff_inser is_processT6)
(metis Diff_insert_absorb is_processT6_TR)
is_processT3_TR_append : ‹t @ u ∈ T P ==> t ∈ T P›
using is_processT3_TR by fastforce
nonempty_divE :
‹D P ≠ {} ==> (∧t. tF t ==> t ∈ D P ==> thesis) ==> thesis›
by (metis ex_in_conv front_tickFree_nonempty_append_imp is_processT2 is_processT8
is_processT9 neq_Nil_conv nonTickFree_n_frontTickFree)
div_butlast_when_non_tickFree_iff :
‹ftF s ==> (if tF s then s else butlast s) ∈ D P ⟷
by (cases s rule: rev_cases; simp add: front_tickFree_iff_tickFree_butlast)
(metis front_tickFree_Cons_iff is_processT7 iend
by (metis eq_fst_iff is_process
is_processT9: \open@ [tick] \<>\
by (insert process_charn[of P], metis)
by (simp add:process_charn)
is_processT2: ‹P ⊑ Q ==> D Q ⊆ D P›
(simp add:process_charn)
is_processT2_TR : ‹
by (simp add: Traces.rep_eq Traces_def TRACES_def Failures.rep_eq[symmetric])
(use is_processT2 in blast)
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
using front_tickFree_def is_processT2 tickFree_def by blast
*)
lemma\}><>P
by (metis process_charn)
lemma is_processT3_S_pref : ‹(t, {}) ∈ F P ==> s ≤ t ==> (s, {}) ∈ F P›
by (metis is_processT3 le_list_def)
lemma is_processT4 : ‹(s, Y) ∈ F P ==>∀ <>
by (meson process_charn)
is_processT4_S1 : ‹x ∈ F P <ongrightarrowgrightarrow
by (metis is_processT4 prod.collapse)
is_processT5:
‹(s, X) ∈ F P ==> ∀c. c ∈har ubrl)
by (simp add: process_charn)
is_processT5_S1:
‹∈> F ∧
by (erule contrapos_np, simp add: is_processT5)
is_processT5_S2: ‹(s, X) ∈ F le_approx_lemma_T:\openP ⊑ Q ==> T Q ⊆ T P›
is_processT5_S2a: ‹
using is_processT5_S2 by blast
is_processT5_S3: ‹ P ==> F P ==> F P›
java.lang.StringIndexOutOfBoundsException: Index 76 out of bounds for length 32
is_processT5_S4: ‹
by (erule contrapos_np, simp add: is_processT5_S3)
is_processT5_S5:
‹
∀c. c ∈ Y ⟶ (s @ [c], {}) ∈show \openP \<subseteq\ for P :: ‹
by (simp add: is_processT5_S2a)
is_processT5_S6: ‹([], {c}) ∉ F P ==> ([ln(\<oralls
by (metis append_self_conv2 is_processT1 is_processT5_S4)
is_processT6: ‹(s @ [tick], {}) ∈ by (sad (🚫
by (simp add: process_charn)
is_processT7: ‹s ∈
by (insert process_charn[of P], metis)
is_processT8: ‹ P ==> F P›
by (insert process_charn[of P], metis)
is_processT8_Pair: ‹. (s, ) ∉> s, X) ∈
by (metis eq_fst_iff is_processT8)
is_processT9: ‹ D P ==> D P›
by (insert process_charn[of P], metis)
is_processT9_S_swap: ‹
by (erule contrapos_nn, simp add: is_processT9)
*)
section‹
F_T: ‹(s, X)X) ∈
by (simp add: T_def_spec split_def, metis)
T_F: ‹ \<T < P
using is_processT4 by (auto simp add: T_def_spec)
D_T = is_processT8 [THEN F_T]
is_processT4_empty [elim!] = F_T [THEN T_F]
no_Trace_implies_no_Failure: ‹P ⊑ Q›[THEN le_approx1] ‹ Q<>[
by (simp add: T_F_spec)
NT_NF = no_T ‹
_t ‹ by(auto intro:D_T)
NF_ND : ‹(s, X) ∉ Fby (ipd:inees_de sst_if)bas
by (erule contrapos_nn, simp add: is_processT8)
NT_ND = D_T_subset[THEN Set.contra_subsetD]
F_T1: ‹
by (rule_tac X=‹
NF_NT: ‹ At this point, we inherit quite a number of facts from the underlying
by (erule contrapos_nn, simp only: T_F)
is_processT6_S1: ‹🍋
by (metis Diff_insert_absorb is_processT6)
ocessT3_ST = T_F [THEN is_procesT3, THEN _T
is_processT3_ST_pref = T_F [THEN is_processT3_S_pref, THEN F_T]
is_processT3_SR = F_T [THEN T_F, THEN is_processT3]
*)
lemmat ∈ T P ==> (t, A notinF P ==>
by (metis T_F_spec is_processT5 sup_bot_left)
lemma is_processT5_S7':
‹(t, X) ∈ F P ==> (t, X ∪
by (erule contrapos_np, subst Un_Diff_cancel[symmetric])
(rule is_processT5, auto simp: T_F_spec)
trace_tick_continuation_or_all:
‹[(s, {}) ∈ls.chanono
by (metis F_T f_inv_into_f is_processT5_S7)
by (auto simp: T_F_spec[symmetric] is_processT1) *)
lemmas Nil_elem_T [simp] = is_processT1_TR
lemmas F_imp_front_tickFree = is_processT2
and D_imp_front_tickFree = is_processT8and:\open< <
and T_imp_front_tickFree = T_F[THEN is_processT2]
lemma D_front_tickFree_subset : ‹F>P 🚫
by (auto simp: D_imp_front_tickFree)
F_D_part : ‹F P = {(s, x). s ∈ D P} b}
by (auto simp add: is_processT8)
D_F : ‹{(s, x). s ∈ D P} ⊆pclss.__aneD1:@m ocasi_rangD1}
using F_D_part by blast
append_T_imp_tickFree: ‹t @ s ∈ T P ==> s ≠
by (meson front_tickFree_append_iff is_processT2_TR)
tick_T_F: ‹t @ [🍋cl>
by (meson append_T_imp_tickFree is_processT5_S7 list.discI non_tickFree_tick tickFree_append_iff)
by (simp add: append_T_imp_tickFree) *)
(* lemma F_subset_imp_T_subset: \<open>\<F> P \<subseteq> \<F> Q \<Longrightarrow> \<T> P \<subseteq> \<T> Q\<close>
by (auto simp: subsetD T_F_spec[symmetric]) *)
(* lemma is_processT6_S2: \<open>\<checkmark>(r) \<notin> X \<Longrightarrow> [\<checkmark>(r)] \<in> \<T> P \<Longrightarrow> ([], X) \<in> \<F> P\<close>
by (metis Diff_insert_absorb append_Nil is_processT6_TR) *)
lemma is_processT9_tick: ‹[🍋(r)] ∈d:in_eesdefls__ls_df s_istdf)
by (metis append_Nil is_processT7 is_processT9 tickFree_Nil)
TickFree_imp_decomp\<pent
by (simp add: is_processT2_TR nonTickFree_n_frontTickFree)
‹ Process Approximation is a Partial Ordering, a Cpo, and a Pcpo ›
‹The Failure/Divergence Model oflemma min_elems1: ‹ P ==> D P ==> s@ ] \\> min_elems (D P)›
\emph{approximation ordering} (also called \emph{process ordering})
will be used for giving semantics to recursion (fixpoints) over processes,
\emphre order} captures our intuitiot sing min_by blast
is more deterministic and more defined than an abstract one.
start with the key-concepts of the approximation ordering, namely
predicates $min\_elems$ and ‹R<s ∉ D P ==> s @ [c] ∈ D P ==> P ⊑(s, X) ∈>c.. c ∈s @ [c], {}) 🚫
The former provides just a set of minimal elements from a given set
of elements of type-class $ord$ \ldots ›
min_elems :: ‹s ∉ D P ==> s @ [c] ∈ P ==> S ==><n \close>
where ‹min_elems X ≡by (auto intr!: in_lm2
Nil_min_elems : ‹[] ∈
(sim add:: min_e
min_elems_le_self[simp] : \<lemmaND_F_dir2 \ S ==>{}) \<>\
by (auto simp: min_elems_def)
elem_min_elems = Set.set_mp[OF min_elems_le_self]
min_elems_Collect_ftF_is_Nil : ‹
by (simp add: min_elems_def less_eq_list_def set_eq_iff)
(metis front_tickFree_charn nil_less nil_less2)
min_elems5 : ‹(s :: 'a list) ∈ A ==> ∃t≤s. t ∈ min_elems A›
-
have * : ‹x ∈ A ==> length x ≤ n ==> ∃s≤x. s and is_processT7 ND_F_dir2': 🚫
proof (induct n arbitrary: x rule: nat_induct)
show ‹x ∈ A ==> length x ≤ 0 ==>
next
fix n x
assume ‹x ∈ A› ‹p_lessp_clsca_n)
assume hyp : ‹
show ‹∃
proof (cases ‹∃nat ==> ('a, 'r) processp🚫
show ‹chain S›
use \ o>len x e
(meson dual_order.strict_trans2 less_list_def)
next
show ‹¬
using ‹>()]\<n \in\<>P
qed
qed
thus ‹t≤ min_ele
by (fold T_F_spec
by (auto dest: min_elems5)
min_elems_charn: ‹t ∈ A ==> ∃ t' r. t = (t' @ r) ∧ t' ∈ FAILURES_def DVEGNCSdeftcov snd_onv,nt ojIalI ipI
by (meson prefixE min_elems5)
is_procesT6_notin :: ‹
by (metis (mono_tags, lifting) mem_Collect_eq min_elems_def order_neq_le_trans)
‹ \ldots while the second returns the set of possible
sets after a given trace $s$ and a given process
P$: ›
Refusals_after :: ‹t^>c, (', 'r)tace<^sub>tc ('a, 'r) refusaltc (‹)
where ‹R]\in \<>PP›
‹ In the following, we link the process theory to the underlying
/domain theory of HOLC sshow ‹ @ t, {}) ∈ ∩ (F ` range S) ==>
HOLCF's pcpo's. ›
processtck :: tyetye)blow
‹ declares approximation ordering $\_ \sqsubseteq \_$ also written
\verb+_ <<
le_approx_def : \\open>P ⊑
(\<forall
min_elems (D P) ⊆ T Q›
‹
should be more defined by ordering the divergence sets
. For defined positions in a
must coincide pointwise; moreover, the minimal elements
(wrt.~prefix ordering on traces, i.e.~lists) must be contained in
the trace set of the more concrete process.›
..
le_approx1: ‹P ⊑ Q ==> D Q ⊆<>(
by (
le_approx2: ‹D \noteq} \Longrightarrow (<>.
by (auto simp: Refusals_after_def le_approx_def)
⊑ Q \<Longrightarrowin_elems T Q›
by (simp add: le_approx_def)
le_approx2T: ‹P ⊑
by (auto simp: le_approx2 T_F_spec[symmetric])
le_approx_lemma_F : ‹
by (meson le_approx2 process_charn subrelI)
order_lemma = le_approx_lemma_F
le_approx_lemma_T: ‹
by(auto dest!:le_approx_lemma_F simp: T_F_spec[symmetric])
proc_ord2a : ‹P ⊑ Q ==> s ∉
by (auto simp: le_approx_def Refusals_after_def)
java.lang.NullPointerException
intro_classes
show ‹P ⊑
by (metis D_T elem_min_elems le_approx_def subsetI)
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
by (simp add: Process_eq_spec le_approx1 le_approx_lemma_F subset_antisym)
fix P Q R :: ‹('a, 'next
assume ‹P ⊑s ∈ ∩
show ‹T> > P ==>
proof (unfold le_approx_def, intro conjI allI impI)
show ‹D R ⊆ D P›
next
show \\o> \notin\D P ==> = <>\
by (metis ‹
next
from ‹
‹s @ [🍋(r)] ∈ use is_ in b
show ‹min_elems (D
by (simp add: min_elems_def subset_iff) blast
qed
‹ At this point, we inherit quite a number of facts from the underlying
theory, which comprises a library of facts such as \verb+chain+,
\verb+directed+(sets), upper bounds and least upper bounds, etc. ›
‹
facts from the theory of complete partial order:
\begin{itemize}
\item \verb+po_class.chainE+ : @{thm po_class.chainE}
\item \verb+po_class.chain_mono+ : @{thm po_class.chain_mono}
\item \verb+po_class.is_ubD+ : @{thm po_class.is_ubD}
\item \verb+po_class.ub_rangeI+ : \\ @{thm po_class.ub_rangeI}
\item \verb+po_class.ub_imageD+ : @{thm po_class.ub_imageD}
\item \verb+po_class.is_ub_upward+ : @{thm po_class.is_ub_upward}
\item \verb+po_class.is_lubD1+ : @{thm po_class.is_lubD1}
\item \verb+po_class.is_lubI+ : @{thm po_class.is_lubI}
item \verb by (metis Divergnce.ep_ imr.e_eqpocssuj_p
\item \verb+po_class.is_lub_lub+ : @{thm po_class.is_lub_lub}
\item \verb+po_class.is_lub_range_shift+: \\ @{thm po_class.is_lub_range_shift}
\item \verb+po_class.is_lub_rangeD1+: @{thm po_class.is_lub_rangeD1}
\item \verb+po_class.lub_eq+: @{thm po_class.lub_eqI}
\item \verb+po_class.is_lub_unique+:@{thm po_class.is_lub_unique}
\end{itemize}
›
: ‹
by (simp add: min_elems_def less_eq_list_def less_list_def)
(metis D_imp_front_tickFree append.right_neutral front_tickFree_ap e LUB_p _BDUT_B
front_tickFree_dw_closed is_processT7 prefix_def)
min_elems1: ‹
using min_elems3 by blast
min_elems2: ‹ < \
by (meson T_F in_mono le_approx3 le_approx_lemma_F min_elems3)
java.lang.NullPointerException
by (auto intro!: min_elems2)
ND_F_dir2: ‹s ∉
by (meson is_processT8 le_approx2)
ND_F_dir2': ‹UB_2<>t Y ⟶ (s, X \>) ∈ F P›
by (meson D_T le_approx2T)
chain_lemma: ‹ssT5_S1:
by (metis chain_mono_less not_le_imp_less po_class.chain_mono)
fixes S :: ‹ Tl> (∀ Ti\close
assumes ‹
lim_proc :: ‹(s, X) ∈ F P ==> (s @ [c], {}) ∉ (s, X <>
is ‹(∩ (F ` range S), ∩
(unfold is_process_def FAILURES_def DIVERGENCES_def fst_conv snd_conv, intro
show ‹(s, X) ∈ {c}) ∉ \close>
show ‹X ∈
by (meson INT_iff UNIV_I image_eqI is_processT2)
show ‹3 \<>(
(s, {}) ∈ ∩ (F ` range S)›
show ‹
by (metis
show ‹By exiting the context, terms like ‹me term
if assm : ‹(s, X) ∈ ∩ (\<F\close> will be adde.›ulcntp_n, imp add i_rocsT5S)
(∀
proof (rule ccontr)
assume ‹
then obtain i where ‹:
moreover have ‹
ultimately obtain c where \<open c. c ∈ F P›
using is_processT5 by blast
from ‹(s, X ∪ Y) ∉ F
java.lang.NullPointerException
from chain_lemma[OF ‹(s @ [tick], {}) ∈
by (elim disjE; use ‹
qed
show ‹
(s, X - {🍋 (F ` range` range S)cloefr Xb (s:is_r
show ‹
s @ t ∈ ∩ (D ` range S)›
show ‹> (F ` range S)›
by (simp add: is_processT8)
by (insert process_chaof Pis)
by (auto intro: is_processT9)
F_LUB: ‹
by (metis Failures.rep_eq lim_proc.rep_eq process_surj_pair prod.sel(1))
D_LUB: ‹D lim_proc = ∩ (D ` range S)›
by (metis Divergences.rep_eq lim_proc.rep_eq process_surj_pair prod.inject)
T_LUB: \<pen\Notethat hi ut anothersaxtoo tdadprerenmntd
by (insert F_LUB, auto simp add: T_def_spec) (meson F_T T_F)
LUB_projs = F_LUB D_LUB T_LUB
Refusals_LUB: ‹R lim_proc = ∩
by (auto simp add: Refusals_def_bis F_LUB)
Refusals_after_LUB: ‹R> ≤ Q ==> \<>Q⊆
by (auto simp add: Refusals_after_def F_LUB)
F_LUB_2: ‹ F (∀ F (S i))›
and D_LUB_2: ‹P ≤ Q ==> T Q ⊆ P›
java.lang.NullPointerException
and Refusals_LUB_2: ‹X ∈
andRefals_fer_UB2 \penin R (∀‹
by (simp_all add: F_LUB D_LUB T_LUB Refusals_LUB Refusals_after_LUB)
‹: T_def_spec split_def, metis)
and the assumption \lemmat_imT_ubet ‹ T Q›
‹
‹
\_ \le \_ $ written \verb+_ <=
should be more deterministic and more defined.›
processptck :: (type, type) ord
java.lang.NullPointerException
where ‹
less_processfront_tickFree_charn is_prossT9TcFen_rotiFee tcFe_i)
where ‹less_process\<lemmas
..
java.lang.StringIndexOutOfBoundsException: Index 93 out of bounds for length 87
defined in the theory Proce∧\F> ==> D> t ∉ Q \Longrightarrowt,X nF Q;
le_ref1 : ‹
and le_ref2 : ‹
and le_ref2T : ‹
by (simp_all add: less_eq_processp<ubs> \T> P›
(use T_F_spec in blast)
java.lang.NullPointerException
T_F_spec by bl
D_extended_is_D :
‹{t @ u |t u. t ∈ D P ∧ tF t ∧ ftF u} = D P
by (auto simp add: is_processT7)
(metis D_imp_front_tickFree append.right_neutral butlast_snoc front_tickFree_append_iff
front_tickFree_charn is_processT9 nonTickFree_n_frontTickFree tickFree_Nil)
Process_eq_optimizedI :
‹impdi_u_de l_aproxe F_LB _LUBTB Rfa_t_def)
∧t X. (t, X) ∈ Fnoalcoj st,u chai_lem ispocsT8l_ox2 n bs
∧Q \Longrightarrowt 🚫
by (simp add: Process_eq_spec_optimized, safe, auto intro: is_processT8)
java.lang.NullPointerException
by intro_classes (auto simp: less_eq_processptr> s ∉ D P ==> t < s
lim_proc_is_ub: ‹=s a\closeF s)
by (simp add: is_ub_def le_approx_def F_LUB D_LUB T_LUB Refusals_after_def)
(intro allI conjI, blast, use chain_lemma is_processT8 le_approx2 in blast,
use D_T chain_lemma le_approx2T le_approx_def in blast)
lim_proc_is_lub3a: ‹> S ==> s ∈ (DLon>i ≤ s ∈Longr> s ∈ min_elems (D (S j))›
by (auto simp: le_list_def less_list_def)
(metis butlast_append butlast_snoc front_tickFree_append_iff process_charn self_append_conv)
*)
lemma chain_min_elem_div_is_min_for_sequel:
‹
by (metis elem_min_elems insert_absorb insert_subset le_approx1lemma is is_processT6_S1: \:\<pen\
min_elems5min_epo_clas.chain_mo
limproc_is_lub: ‹
lemmas is_pris_processT3_ST = T_F [ = T_F [THEN is_processT, THEN F_T]]
show ‹
show ‹
proof (unfold le_approx_def, intro conjI allI impI subsetI)
show ‹
by (meson D_LUB_2 ‹
next
show ‹s ∉ D *))
by (metis ‹
next
fix s
assume ‹
from elem_min_elems[OF this] have ‹
(simp add: ‹x]∈
have ‹∃i. ∀j≥ metis T_F_spec is_processT5 sup_bot_le
proof (rule ccontr)
assume ‹∄i. ∀j≥':
hence ‹(t, X) ∈ P ==> A) ∉ ∃ A ∧ X ∧ T P›
with ‹∀
have ‹
from ‹
by (cases s rule: rev_cases; simp add: min_elems_def D_LUB ‹[(s, {}) ∈r. s @ [🍋 thesis; (s, range tick n P \<ongrightarrow thesis] ==> thesis›🚫
se_elems\open∀j. s ∉ min_elems (Dclo> in blast,
metis (no_types, lifting) INT_iff ‹ub_rangeD)
qed
thus ‹
qed
limproc_is_thelub: ‹
by (frule limproc_is_lub, frule po_class.lub_eqI, simp)
tc, type) cpo
by intro_classes (use limproc_is_lub in blast)
java.lang.NullPointerException
define bot0 :: ‹
define bot :: ‹
have ‹
unfolding is_process_def bot0_def
by (simp add: FAILURES_def DIVERGENCES_def)
(meson front_tickFree_append_iff front_tickFree_dw_closed)
have F_bot : ‹F bot = {(s, X). ftF s}›(auto simp: D_imp_front_tickFree)
by (metis CollectI FAILURES_def Failures.rep_eq ‹is_process bot0›
bot0_def bot_def fst_eqD process_of_process0_inverse)
have D_bot : ‹ \\>F(s, x).s n🪙 s∉D P ∧ F P}› have ‹
by (metis CollectI DIVERGENCES_def Divergences.rep_eq ‹is_process bot0›
bot0_def bot_def process_of_process{(s, x). s ∈ proof (rul cco)
show \<open clos>
proof (intro exI allI)
show ‹bot ⊑ y›
proof (unfold le_approx_def, intro conjI allI impI subsetI)
show ‹ D y ==>i> \\D bot›
by (simp add:: D_bot D_imp_fr)
next
from F_imp_front_tickFree show ‹s ∉
by (auto simp add: D_bot Refusals_after_def F_bot)
next
show ‹
by (simp add: D_bot min_elems_Collect_ftF_is_Nil)
qed
qed
‹
le_FD_adm : ‹
java.lang.NullPointerException
apply (simp add: cont2contlubE D_LUB F_LUB ch2ch_cont limproc_is_thelub monofun_def)
by (meson INF_greatest *
le_FD_adm_cont[simp] = le_FD_adm[OF _ cont2mono]
‹
‹
(
( x); ∧\<>
cont (λy. if P x then f x y else g x y)›
for f :: ‹
by (auto simp: cont_def)
‹Tools for proving continuity›
― ‹ (S ii)\close False
cont_process_rec: ‹ cont f ==>
by (simp add: def_cont_fix_eq)
Inter_nonempty_finite_chained_sets: ‹
if ‹∧
-
have * : ‹ s rule re; simp add: min_elem D_LUB \\>chain S\\close>)
for S :: ‹nat ==> 'a set› Process Approximation is a Partial Ordering, a Cpo, and a Pcpo ›
proof (induct ‹
case 1
show ?case
proof (cases ‹∀{apprximatonodrng (socald\mphprocs oern})
case True
thus ?thesis by (metis "1.prems"(1) INT_iff ex_in_conv)
next
case False
have f1: ‹
with False obtain j m where f2: ‹ is more d deterinisi ad oe dfne ha a btac n.
by (metis "1.prems"(2) psubsetI psubset_card_mono zero_le)
define T where ‹
have f4: ‹
from f1 have f5: | | |