(* Title: HOL/HOLCF/IOA/Abstraction.thy Author: Olaf Müller
*)
section \<open>Abstraction Theory -- tailored for I/O automata\<close>
theory Abstraction imports LiveIOA begin
default_sort type
definition cex_abs :: "('s1 \ 's2) \ ('a, 's1) execution \ ('a, 's2) execution" where"cex_abs f ex = (f (fst ex), Map (\(a, t). (a, f t)) \ (snd ex))"
text\<open>equals cex_abs on Sequences -- after ex2seq application\<close> definition cex_absSeq :: "('s1 \ 's2) \ ('a option, 's1) transition Seq \ ('a option, 's2)transition Seq" where"cex_absSeq f = (\s. Map (\(s, a, t). (f s, a, f t)) \ s)"
definition is_abstraction :: "('s1 \ 's2) \ ('a, 's1) ioa \ ('a, 's2) ioa \ bool" where"is_abstraction f C A \
((\<forall>s \<in> starts_of C. f s \<in> starts_of A) \<and>
(\<forall>s t a. reachable C s \<and> s \<midarrow>a\<midarrow>C\<rightarrow> t \<longrightarrow> f s \<midarrow>a\<midarrow>A\<rightarrow> f t))"
definition weakeningIOA :: "('a, 's2) ioa \ ('a, 's1) ioa \ ('s1 \ 's2) \ bool" where"weakeningIOA A C h \ (\ex. ex \ executions C \ cex_abs h ex \ executions A)"
definition temp_strengthening :: "('a, 's2) ioa_temp \ ('a, 's1) ioa_temp \ ('s1 \'s2) \ bool" where"temp_strengthening Q P h \ (\ex. (cex_abs h ex \ Q) \ (ex \ P))"
definition state_strengthening :: "('a, 's2) step_pred \ ('a, 's1) step_pred \ ('s1 \ 's2) \ bool" where"state_strengthening Q P h \ (\s t a. Q (h s, a, h t) \ P (s, a, t))"
(* thm about ex2seq which is not provable by induction as ex2seq is not continuous *) axiomatizationwhere
ex2seq_abs_cex: "ex2seq (cex_abs h ex) = cex_absSeq h (ex2seq ex)"
(* analog to the proved thm strength_Box - proof skipped as trivial *) axiomatizationwhere
weak_Box: "temp_weakening P Q h \ temp_weakening (\P) (\Q) h"
(* analog to the proved thm strength_Next - proof skipped as trivial *) axiomatizationwhere
weak_Next: "temp_weakening P Q h \ temp_weakening (\P) (\Q) h"
subsection \<open>\<open>cex_abs\<close>\<close>
lemma cex_abs_UU [simp]: "cex_abs f (s, UU) = (f s, UU)" by (simp add: cex_abs_def)
lemma cex_abs_nil [simp]: "cex_abs f (s,nil) = (f s, nil)" by (simp add: cex_abs_def)
lemma cex_abs_cons [simp]: "cex_abs f (s, (a, t) \ ex) = (f s, (a, f t) \ (snd (cex_abs f (t, ex))))" by (simp add: cex_abs_def)
subsection \<open>Lemmas\<close>
lemma temp_weakening_def2: "temp_weakening Q P h \ (\ex. (ex \ P) \ (cex_abs h ex \ Q))" apply (simp add: temp_weakening_def temp_strengthening_def NOT_def temp_sat_def satisfies_def) apply auto done
lemma state_weakening_def2: "state_weakening Q P h \ (\s t a. P (s, a, t) \ Q (h s, a, h t))" apply (simp add: state_weakening_def state_strengthening_def NOT_def) apply auto done
subsection \<open>Abstraction Rules for Properties\<close>
lemma exec_frag_abstraction [rule_format]: "is_abstraction h C A \ \<forall>s. reachable C s \<and> is_exec_frag C (s, xs) \<longrightarrow> is_exec_frag A (cex_abs h (s, xs))" apply (simp add: cex_abs_def) apply (pair_induct xs simp: is_exec_frag_def) txt\<open>main case\<close> apply (auto dest: reachable.reachable_n simp add: is_abstraction_def) done
lemma abs_is_weakening: "is_abstraction h C A \ weakeningIOA A C h" apply (simp add: weakeningIOA_def) apply auto apply (simp add: executions_def) txt\<open>start state\<close> apply (rule conjI) apply (simp add: is_abstraction_def cex_abs_def) txt\<open>is-execution-fragment\<close> apply (erule exec_frag_abstraction) apply (simp add: reachable.reachable_0) done
lemma AbsRuleT1: "is_abstraction h C A \ validIOA A Q \ temp_strengthening Q P h \ validIOA C P" apply (drule abs_is_weakening) apply (simp add: weakeningIOA_def validIOA_def temp_strengthening_def) apply (auto simp add: split_paired_all) done
lemma AbsRuleT2: "is_live_abstraction h (C, L) (A, M) \ validLIOA (A, M) Q \ temp_strengthening Q P h \<Longrightarrow> validLIOA (C, L) P" apply (unfold is_live_abstraction_def) apply auto apply (drule abs_is_weakening) apply (simp add: weakeningIOA_def temp_weakening_def2 validLIOA_def validIOA_def temp_strengthening_def) apply (auto simp add: split_paired_all) done
lemma AbsRuleTImprove: "is_live_abstraction h (C, L) (A, M) \ validLIOA (A,M) (H1 \<^bold>\ Q) \
temp_strengthening Q P h \<Longrightarrow> temp_weakening H1 H2 h \<Longrightarrow> validLIOA (C, L) H2 \<Longrightarrow>
validLIOA (C, L) P" apply (unfold is_live_abstraction_def) apply auto apply (drule abs_is_weakening) apply (simp add: weakeningIOA_def temp_weakening_def2 validLIOA_def validIOA_def temp_strengthening_def) apply (auto simp add: split_paired_all) done
subsection \<open>Correctness of safe abstraction\<close>
lemma abstraction_is_ref_map: "is_abstraction h C A \ is_ref_map h C A" apply (auto simp: is_abstraction_def is_ref_map_def) apply (rule_tac x = "(a,h t) \nil" in exI) apply (simp add: move_def) done
lemma abs_safety: "inp C = inp A \ out C = out A \ is_abstraction h C A \ C =<| A" apply (simp add: ioa_implements_def) apply (rule trace_inclusion) apply (simp (no_asm) add: externals_def) apply (auto)[1] apply (erule abstraction_is_ref_map) done
subsection \<open>Correctness of life abstraction\<close>
text\<open>
Reduces to\<open>Filter (Map fst x) = Filter (Map fst (Map (\<lambda>(a, t). (a, x)) x)\<close>,
that isto special Map Lemma. \<close> lemma traces_coincide_abs: "ext C = ext A \ mk_trace C \ xs = mk_trace A \ (snd (cex_abs f (s, xs)))" apply (unfold cex_abs_def mk_trace_def filter_act_def) apply simp apply (pair_induct xs) done
text\<open>
Does not work with\<open>abstraction_is_ref_map\<close> as proof of \<open>abs_safety\<close>, because \<open>is_live_abstraction\<close> includes \<open>temp_strengthening\<close> which is necessarily based
on \<open>cex_abs\<close> and not on \<open>corresp_ex\<close>. Thus, the proof is redone in a more specific
way for\<open>cex_abs\<close>. \<close> lemma abs_liveness: "inp C = inp A \ out C = out A \ is_live_abstraction h (C, M) (A, L) \
live_implements (C, M) (A, L)" apply (simp add: is_live_abstraction_def live_implements_def livetraces_def liveexecutions_def) apply auto apply (rule_tac x = "cex_abs h ex"in exI) apply auto text\<open>Traces coincide\<close> apply (pair ex) apply (rule traces_coincide_abs) apply (simp (no_asm) add: externals_def) apply (auto)[1]
subsection \<open>Abstraction Rules for Automata\<close>
lemma AbsRuleA1: "inp C = inp A \ out C = out A \ inp Q = inp P \ out Q = out P \
is_abstraction h1 C A \<Longrightarrow> A =<| Q \<Longrightarrow> is_abstraction h2 Q P \<Longrightarrow> C =<| P" apply (drule abs_safety) apply assumption+ apply (drule abs_safety) apply assumption+ apply (erule implements_trans) apply (erule implements_trans) apply assumption done
lemma AbsRuleA2: "inp C = inp A \ out C = out A \ inp Q = inp P \ out Q = out P \
is_live_abstraction h1 (C, LC) (A, LA) \<Longrightarrow> live_implements (A, LA) (Q, LQ) \<Longrightarrow>
is_live_abstraction h2 (Q, LQ) (P, LP) \<Longrightarrow> live_implements (C, LC) (P, LP)" apply (drule abs_liveness) apply assumption+ apply (drule abs_liveness) apply assumption+ apply (erule live_implements_trans) apply (erule live_implements_trans) apply assumption done
declare split_paired_All [simp del]
subsection \<open>Localizing Temporal Strengthenings and Weakenings\<close>
lemma strength_AND: "temp_strengthening P1 Q1 h \ temp_strengthening P2 Q2 h \
temp_strengthening (P1 \<^bold>\<and> P2) (Q1 \<^bold>\<and> Q2) h" by (auto simp: temp_strengthening_def)
lemma strength_OR: "temp_strengthening P1 Q1 h \ temp_strengthening P2 Q2 h \
temp_strengthening (P1 \<^bold>\<or> P2) (Q1 \<^bold>\<or> Q2) h" by (auto simp: temp_strengthening_def)
lemma strength_NOT: "temp_weakening P Q h \ temp_strengthening (\<^bold>\ P) (\<^bold>\ Q) h" by (auto simp: temp_weakening_def2 temp_strengthening_def)
lemma strength_IMPLIES: "temp_weakening P1 Q1 h \ temp_strengthening P2 Q2 h \
temp_strengthening (P1 \<^bold>\<longrightarrow> P2) (Q1 \<^bold>\<longrightarrow> Q2) h" by (simp add: temp_weakening_def2 temp_strengthening_def)
lemma weak_AND: "temp_weakening P1 Q1 h \ temp_weakening P2 Q2 h \
temp_weakening (P1 \<^bold>\<and> P2) (Q1 \<^bold>\<and> Q2) h" by (simp add: temp_weakening_def2)
lemma weak_OR: "temp_weakening P1 Q1 h \ temp_weakening P2 Q2 h \
temp_weakening (P1 \<^bold>\<or> P2) (Q1 \<^bold>\<or> Q2) h" by (simp add: temp_weakening_def2)
lemma weak_NOT: "temp_strengthening P Q h \ temp_weakening (\<^bold>\ P) (\<^bold>\ Q) h" by (auto simp add: temp_weakening_def2 temp_strengthening_def)
lemma weak_IMPLIES: "temp_strengthening P1 Q1 h \ temp_weakening P2 Q2 h \
temp_weakening (P1 \<^bold>\<longrightarrow> P2) (Q1 \<^bold>\<longrightarrow> Q2) h" by (simp add: temp_weakening_def2 temp_strengthening_def)
subsubsection \<open>Box\<close>
(* FIXME: should be same as nil_is_Conc2 when all nils are turned to right side! *) lemma UU_is_Conc: "(UU = x @@ y) = (((x::'a Seq)= UU) | (x = nil \ y = UU))" by (Seq_case_simp x)
(* important property of ex2seq: can be shiftet, as defined "pointwise" *) lemma ex2seq_tsuffix: "tsuffix s (ex2seq ex) \ \ex'. s = (ex2seq ex')" apply (unfold tsuffix_def suffix_def) apply auto apply (drule ex2seqConc) apply auto done
(*important property of cex_absSeq: As it is a 1to1 correspondence,
properties carry over *) lemma cex_absSeq_tsuffix: "tsuffix s t \ tsuffix (cex_absSeq h s) (cex_absSeq h t)" apply (unfold tsuffix_def suffix_def cex_absSeq_def) apply auto apply (simp add: Mapnil) apply (simp add: MapUU) apply (rule_tac x = "Map (% (s,a,t) . (h s,a, h t))\s1" in exI) apply (simp add: Map2Finite MapConc) done
(*important property of cex_absSeq: As it is a 1to1 correspondence,
properties carry over*) lemma cex_absSeq_TL: "cex_absSeq h (TL \ s) = TL \ (cex_absSeq h s)" by (simp add: MapTL cex_absSeq_def)
(* important property of ex2seq: can be shiftet, as defined "pointwise" *) lemma TLex2seq: "snd ex \ UU \ snd ex \ nil \ \ex'. TL\(ex2seq ex) = ex2seq ex'" apply (pair ex) apply (Seq_case_simp x2) apply (pair a) apply auto done
lemma ex2seqnilTL: "TL \ (ex2seq ex) \ nil \ snd ex \ nil \ snd ex \ UU" apply (pair ex) apply (Seq_case_simp x2) apply (pair a) apply (Seq_case_simp s) apply (pair a) done
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
