SSL Lift.thy
Interaktion und PortierbarkeitIsabelle
(* Title: HOL/UNITY/Simple/Lift.thy Author: Lawrence C Paulson, Cambridge University Computer Laboratory Copyright 1998 University of Cambridge
The Lift-Control Example.
*)
theory Lift imports"../UNITY_Main" begin
record state =
floor :: "int"\<comment> \<open>current position of the lift\<close> "open" :: "bool"\<comment> \<open>whether the door is opened at floor\<close>
stop :: "bool"\<comment> \<open>whether the lift is stopped at floor\<close>
req :: "int set"\<comment> \<open>for each floor, whether the lift is requested\<close>
up :: "bool"\<comment> \<open>current direction of movement\<close>
move :: "bool"\<comment> \<open>whether moving takes precedence over opening\<close>
axiomatization
Min :: "int"and\<comment> \<open>least and greatest floors\<close>
Max :: "int"\<comment> \<open>least and greatest floors\<close> where
Min_le_Max [iff]: "Min \ Max"
\<comment> \<open>Abbreviations: the "always" part\<close>
definition
above :: "state set" where"above = {s. \i. floor s < i & i \ Max & i \ req s}"
definition
below :: "state set" where"below = {s. \i. Min \ i & i < floor s & i \ req s}"
definition
queueing :: "state set" where"queueing = above \ below"
definition
goingup :: "state set" where"goingup = above \ ({s. up s} \ -below)"
definition
goingdown :: "state set" where"goingdown = below \ ({s. ~ up s} \ -above)"
definition
ready :: "state set" where"ready = {s. stop s & ~ open s & move s}"
\<comment> \<open>Further abbreviations\<close>
definition
moving :: "state set" where"moving = {s. ~ stop s & ~ open s}"
definition
stopped :: "state set" where"stopped = {s. stop s & ~ open s & ~ move s}"
definition
opened :: "state set" where"opened = {s. stop s & open s & move s}"
definition
closed :: "state set"\<comment> \<open>but this is the same as ready!!\<close> where"closed = {s. stop s & ~ open s & move s}"
definition
atFloor :: "int => state set" where"atFloor n = {s. floor s = n}"
definition
Req :: "int => state set" where"Req n = {s. n \ req s}"
\<comment> \<open>The program\<close>
definition
request_act :: "(state*state) set" where"request_act = {(s,s'). s' = s (|stop:=True, move:=False|)
& ~ stop s & floor s \<in> req s}"
definition
open_act :: "(state*state) set" where"open_act =
{(s,s'). s' = s (|open :=True,
req := req s - {floor s},
move := True|)
& stop s & ~ open s & floor s \<in> req s
& ~(move s & s \<in> queueing)}"
definition
close_act :: "(state*state) set" where"close_act = {(s,s'). s' = s (|open := False|) & open s}"
definition
req_up :: "(state*state) set" where"req_up =
{(s,s'). s' = s (|stop :=False,
floor := floor s + 1,
up := True|)
& s \<in> (ready \<inter> goingup)}"
definition
req_down :: "(state*state) set" where"req_down =
{(s,s'). s' = s (|stop :=False,
floor := floor s - 1,
up := False|)
& s \<in> (ready \<inter> goingdown)}"
definition
move_up :: "(state*state) set" where"move_up =
{(s,s'). s' = s (|floor := floor s + 1|)
& ~ stop s & up s & floor s \<notin> req s}"
definition
move_down :: "(state*state) set" where"move_down =
{(s,s'). s' = s (|floor := floor s - 1|)
& ~ stop s & ~ up s & floor s \<notin> req s}"
definition
button_press :: "(state*state) set" \<comment> \<open>This action is omitted from prior treatments, which therefore are
unrealistic: nobody asks the lift to do anything! But adding this
action invalidates many of the existing progress arguments: various "ensures" properties fail. Maybe it should be constrained to only
allow button presses in the current direction of travel, like in a
real lift.\<close> where"button_press =
{(s,s'). \n. s' = s (|req := insert n (req s)|)
& Min \<le> n & n \<le> Max}"
definition
Lift :: "state program" \<comment> \<open>for the moment, we OMIT \<open>button_press\<close>\<close> where"Lift = mk_total_program
({s. floor s = Min & ~ up s & move s & stop s &
~ open s & req s = {}},
{request_act, open_act, close_act,
req_up, req_down, move_up, move_down},
UNIV)"
\<comment> \<open>Invariants\<close>
definition
bounded :: "state set" where"bounded = {s. Min \ floor s & floor s \ Max}"
definition
open_stop :: "state set" where"open_stop = {s. open s --> stop s}"
definition
open_move :: "state set" where"open_move = {s. open s --> move s}"
definition
stop_floor :: "state set" where"stop_floor = {s. stop s & ~ move s --> floor s \ req s}"
definition
moving_up :: "state set" where"moving_up = {s. ~ stop s & up s -->
(\<exists>f. floor s \<le> f & f \<le> Max & f \<in> req s)}"
definition
moving_down :: "state set" where"moving_down = {s. ~ stop s & ~ up s -->
(\<exists>f. Min \<le> f & f \<le> floor s & f \<in> req s)}"
definition
metric :: "[int,state] => int" where"metric =
(%n s. if floor s < n then (if up s then n - floor s
else (floor s - Min) + (n-Min))
else if n < floor s then (if up s then (Max - floor s) + (Max-n)
else floor s - n)
else 0)"
locale Floor = fixes n assumes Min_le_n [iff]: "Min \ n" and n_le_Max [iff]: "n \ Max"
lemma not_mem_distinct: "[| x \ A; y \ A |] ==> x \ y" by blast
(*lem_lift_4_1 *) lemma E_thm12a: "0 < N ==>
Lift \<in> (moving \<inter> Req n \<inter> {s. metric n s = N} \<inter>
{s. floor s \<notin> req s} \<inter> {s. up s})
LeadsTo
(moving \<inter> Req n \<inter> {s. metric n s < N})" apply (cut_tac moving_up) apply (unfold Lift_def, ensures_tac "move_up", safe) (*this step consolidates two formulae to the goal metric n s' \<le> metric n s*) apply (erule linorder_leI [THEN order_antisym, symmetric]) apply (auto simp add: metric_def) done
(*lem_lift_4_3 *) lemma E_thm12b: "0 < N ==>
Lift \<in> (moving \<inter> Req n \<inter> {s. metric n s = N} \<inter>
{s. floor s \<notin> req s} - {s. up s})
LeadsTo (moving \<inter> Req n \<inter> {s. metric n s < N})" apply (cut_tac moving_down) apply (unfold Lift_def, ensures_tac "move_down", safe) (*this step consolidates two formulae to the goal metric n s' \<le> metric n s*) apply (erule linorder_leI [THEN order_antisym, symmetric]) apply (auto simp add: metric_def) done
(*lift_4*) lemma lift_4: "0 Lift \ (moving \ Req n \ {s. metric n s = N} \
{s. floor s \<notin> req s}) LeadsTo
(moving \<inter> Req n \<inter> {s. metric n s < N})" apply (rule LeadsTo_Trans [OF subset_imp_LeadsTo
LeadsTo_Un [OF E_thm12a E_thm12b]], auto) done
(** towards lift_5 **)
(*lem_lift_5_3*) lemma E_thm16a: "0
==> Lift \<in> (closed \<inter> Req n \<inter> {s. metric n s = N} \<inter> goingup) LeadsTo
(moving \<inter> Req n \<inter> {s. metric n s < N})" apply (cut_tac bounded) apply (unfold Lift_def, ensures_tac "req_up") apply (auto simp add: metric_def) done
(*lem_lift_5_1 has ~goingup instead of goingdown*) lemma E_thm16b: "0
Lift \<in> (closed \<inter> Req n \<inter> {s. metric n s = N} \<inter> goingdown) LeadsTo
(moving \<inter> Req n \<inter> {s. metric n s < N})" apply (cut_tac bounded) apply (unfold Lift_def, ensures_tac "req_down") apply (auto simp add: metric_def) done
(*lem_lift_5_0 proves an intersection involving ~goingup and goingup,
i.e. the trivial disjunction, leading to an asymmetrical proof.*) lemma E_thm16c: "0 Req n \ {s. metric n s = N} \ goingup \ goingdown" by (force simp add: metric_def)
(*lift_5*) lemma lift_5: "0 Lift \ (closed \ Req n \ {s. metric n s = N}) LeadsTo
(moving \<inter> Req n \<inter> {s. metric n s < N})" apply (rule LeadsTo_Trans [OF subset_imp_LeadsTo
LeadsTo_Un [OF E_thm16a E_thm16b]]) apply (drule E_thm16c, auto) done
(** towards lift_3 **)
(*lemma used to prove lem_lift_3_1*) lemma metric_eq_0D [dest]: "[| metric n s = 0; Min \ floor s; floor s \ Max |] ==> floor s = n" by (force simp add: metric_def)
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
