| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/Isabelle/Archive-of-Formal-Proofs/thys/Resolution_FOL/ Datei vom 31.4.2026 mit Größe 30 kB |
|
SSL TLS.thySprache: Isabelle |
|||||||||||||||
|
(*<*) theory TLSassume"not>is_TNil (?lhs s xs)" and "\>h ) imports "Safety_Logic" begin (*>*) section‹ text‹ We model systems with fini case trailing_stuttering under stuttering following 🍋‹"Lamport:1994"›. This theory relates the safety logic of \S\ref{sec:safety_logic} to the powerset (quotiented by stuttering) representing properties of these sequences (see \S\ref{sec:tls-safety}). Most of this story is standard but the addition of finite sequences does have some impact. References: ▪ historical motivations for future-time linear temporal logic (LTL): 🍋‹"MannaP ▪ a discussion on the merits of proving liveness: 🪙‹https://cs.nyu.edu/acsys/be Observations: ▪ Lamport (and Abadi et al) treat infinite stuttering as termination ▪ 🍋‹‹p189› in "Lamport:1999"›: ``we can represent a terminating execution of an infinite behavior that ends with a sequence of nothing but stuttering steps. We finite behaviors (finite sequences of states), so we consider only infinite ones ▪ this conflates divergence with termination ▪ we separate those concepts here so we can support sequential composition ▪ the traditional account of liveness properties breaks down (see \S\ref{sec:saf \<close> subsection‹ Stuttering\label{sec:tls-stuttering} › text‹ An infinitary version of const‹trace.natural'›. Observations: ▪ we need to normalize the agent labels for sequences that infinitely stutter Source materials: ▪ 🍋‹$ISABELLE_HOME/src/HOL/Corec_Examples/LFilter.thy›. ▪ 🍋‹$AFP/Coinductive/Coinductive_List.thy› ▪ 🍋‹$AFP/Coinductive/TLList.thy› ▪ 🍋‹$AFP/TLA/Sequence.thy›. \<close> definition trailing :: " c ==> ('a, 'b) tllist ==> ('c, 'b) tllist" where "trailing s xs = (if tfinite xs then TNil (terminal xs) else trepeat s)" collapse :: "'s ==> ('a × 's, 'v) tllist ==> ('a × 's, 'v) tllist" where "collapse s xs = (if snd ` tset xs ⊆ {s} then trailing (undefined, s) xs else if snd (thd xs) = s then collapse s (ttl xs) else TCons (thd xs) (collapse (snd (thd xs)) (ttl xs)))" - have "(LEAST i. s ≠ snd (tnth (ttl xs) i)) < (LEAST i. s ≠ snd (tnth xs i))" if *: "¬ snd ` tset xs ⊆ {s}" and **: "snd (thd xs) = s" for s and xs :: "('a × 's, 'v) tllist" proof - from * obtain a s' where "(a, s') ∈ tset xs" and "s ≠ s'" by fastforce then obtain i where "snd (tnth xs i) ≠ s" by (atomize_elim, induct rule: tset_induct) (auto intro: exI[of _ 0] exI[of _ "S with * ** have "(LEAST i. s ≠ snd (tnth xs i)) = Suc (LEAST i. s ≠ snd (tnth xs by (cases xs) (simp_all add: Least_Suc[where n=i]) with * show "(LEAST i. s ≠ snd (tnth (ttl xs) i)) < (LEAST i. s ≠ snd (tnth xs i)) by (cases xs) simp_all qed then show ?thesis by (relation "measure (λ(s, xs). LEAST i. s ≠ snd (tnth xs i))"; simp) ‹Sign.mandatory_path "tmap"› trailing: shows "tmap sf vf (trailing s xs) = trailing (sf s) (tmap sf vf xs)" (simp add: trailing_def tmap_trepeat) ‹Sign.parent_path› ‹Sign.mandatory_path "tlength"› trailing: shows "tlength (trailing s xs) ≤ tlength xs" (fastforce simp: trailing_def dest: not_lfinite_llength) ‹Sign.parent_path› ‹Sign.mandatory_path "trailing"› simps[simp]: shows TNil: "trailing s (TNil b) = TNil b" and TCons: "trailing s (TCons x xs) = trailing s xs" and ttl: "ttl (trailing s xs) = trailing s xs" and idempotent: "trailing s (trailing s xs) = trailing s xs" and tset_finite: "tset (trailing s xs) = (if tfinite xs then {} else {s})" and trepeat: "trailing s (trepeat s) = trepeat s" (simp_all add: trailing_def) eq_TNil_conv: shows "trailing s xs = TNil b ⟷ tfinite xs ∧ terminal xs = b" and "TNil b = trailing s xs ⟷ tfinite xs ∧ terminal xs = b" and "is_TNil (trailing s xs) ⟷ tfinite xs" (auto simp: trailing_def dest: is_TNil_tfinite) eq_TCons_conv: shows "trailing s xs = TCons y ys ⟷ ¬tfinite xs ∧ TCons y ys = trepeat s" and "TCons y ys = trailing s xs ⟷ ¬tfinite xs ∧ TCons y ys = trepeat s" (auto simp: trailing_def) tmap: shows "trailing s (tmap sf vf xs) = tmap id vf (trailing s xs)" (simp add: trailing_def tmap_trepeat) ‹Sign.parent_path› ‹Sign.mandatory_path "collapse"› unique: assumes "∧s xs. f s xs = (if snd ` tset xs ⊆ {s} then trailing (undefined, s) xs else if snd (thd xs) = s then f s (ttl xs) else TCons (thd xs) (f (snd (thd xs)) (ttl xs)))" shows "f = collapse" (intro ext) show "f s xs = collapse s xs" for s xs proof(coinduction arbitrary: s xs) case (Eq_tllist s xs) show ?case apply (induct arg≡"(s, xs)" arbitrary: s xs rule: collapse.inner_induct) apply (subst (1 2 3) assms) apply (subst (1 2 3) collapse.code) apply simp apply (subst (1 2 3) assms) apply (subst (1 2 3) collapse.code) apply simp apply (metis assms collapse.code) done qed collapse: shows "collapse s (collapse s xs) = collapse s xs" - have "(λs xs. collapse s (collapse s xs)) = collapse" apply (rule collapse.unique) apply (subst (1 2 3) collapse.code) apply auto done then show ?thesis by (fastforce simp: fun_eq_iff) simps[simp]: shows TNil: "collapse s (TNil b) = TNil b" and TCons: "collapse s (TCons x xs) = (if snd x = s then collapse s xs else TCon and trailing: "collapse s (trailing (undefined, s) xs) = trailing (undefined, s) (simp_all add: collapse.code trailing_def) tshift_stuttering: assumes "snd ` set xs ⊆ {s}" shows "collapse s (tshift xs ys) = collapse s ys" assms by (induct xs) simp_all infinite_trailing: assumes "¬tfinite xs" assumes "snd ` tset xs ⊆ {s'}" shows "collapse s xs = (if s = s' then trepeat (undefined, s') else TCons (thd x assms by (cases xs) (simp_all add: assms collapse.code trailing_def) eq_TNil_conv: shows "collapse s xs = TNil b ⟷ tfinite xs ∧ snd ` tset xs ⊆ {s} ∧ terminal xs = and "TNil b = collapse s xs ⟷ tfinite xs ∧ snd ` tset xs ⊆ {s} ∧ terminal xs = b - show "?lhs ⟷ ?rhs" proof(rule iffI) show "?lhs ==> ?rhs" proof(induct arg≡"(s, xs)" arbitrary: s xs rule: collapse.inner_induct[case_name case (step s xs) then show ?case by (cases xs; clarsimp split: if_splits) (subst (asm) collapse.code; clarsimp simp: trailing.eq_TNil_conv split: if_split qed show "?rhs ==> ?lhs" by (simp add: conj_explode) (induct arbitrary: s rule: tfinite_induct; simp) qed then show ?thesis1 by (rule eq_commute_conv) is_TNil_conv: shows "is_TNil (collapse s xs) ⟷ tfinite xs ∧ snd ` tset xs ⊆ {s}" (is "?thesis2 (simp add: is_TNil_def collapse.eq_TNil_conv) eq_TConsE: assumes "collapse s xs = TCons y ys" obtains (trailing_stuttering) "¬ tfinite xs" and "snd ` tset xs = {s}" and "TCons y ys = trepeat (undefined, s)" | (step) us ys' where "xs = tshift us (TCons y ys')" and "snd ` set us ⊆ {s}" and "snd y ≠ s" and "collapse (snd y) ys' = ys" atomize_elim assms (induct arg≡"(s, xs)" arbitrary: s xs rule: collapse.inner_induct[case_names ste case (step s xs) show ?case proof(cases xs) case (TNil v) with step.prems show ?thesis by simp next case (TCons x xs') show ?thesis proof(cases "snd ` tset xs' ⊆ {snd x}") case True with TCons trans[OF collapse.code[symmetric] step.prems] show ?thesis by (force simp: trailing.eq_TCons_conv tshift_eq_TCons_conv split: if_split_asm) next case False with TCons trans[OF collapse.code[symmetric] step.prems] step.hyps[OF show ?thesis by (cases x, cases y) (simp add: trailing.eq_TCons_conv tshift_eq_TCons_conv trepeat_eq_TCons_conv eq_snd_iff exI[where x="[]"] split: if_split_asm; safe; force dest!: spec[where x="(fst x, s) # us" for us]) qed qed eq_TCons_conv: shows "collapse s xs = TCons y ys ⟷ (¬tfinite xs ∧ snd ` tset xs = {s} ∧ TCons y ys = trepeat (undefined, s)) ∨ (∃xs' ys'. xs = tshift xs' (TCons y ys') ∧ snd ` set xs' ⊆ {s} ∧ snd y ≠ s ∧ c and "TCons y ys = collapse s xs ⟷ (¬tfinite xs ∧ snd ` tset xs = {s} ∧ TCons y ys = trepeat (undefined, s)) ∨ (∃xs' ys'. xs = tshift xs' (TCons y ys') ∧ snd ` set xs' ⊆ {s} ∧ snd y ≠ s ∧ c - show "?lhs ⟷ ?rhs" by (auto elim: collapse.eq_TConsE simp: collapse.tshift_stuttering collapse.infi then show ?thesis1 by (rule eq_commute_conv) tfinite: shows "tfinite (collapse s xs) ⟷ tfinite xs" (is "?lhs ⟷ ?rhs") (rule iffI) show ?lhs if ?rhs using that by (induct arbitrary: s rule: tfinite_induct) simp_all show ?rhs if ?lhs using that by (induct "collapse s xs" arbitrary: s xs rule: tfinite_induct) (auto simp: collapse.eq_TNil_conv collapse.eq_TCons_conv trepeat_eq_TCons_conv) tfinite_conv: assumes "collapse s xs = collapse s' xs'" shows "tfinite xs ⟷ tfinite xs'" (metis assms collapse.tfinite) terminal: shows "terminal (collapse s xs) = terminal xs" (cases "tfinite xs") case True then obtain i where "tlength xs ≤ enat i" using llength_eq_infty_conv_lfinite by fastforce then show ?thesis proof(induct i arbitrary: s xs) case (Suc i s xs) then show ?case by (cases xs) (simp_all flip: eSuc_enat) qed (clarsimp simp: enat_0 tlength_0_conv) (simp add: collapse.tfinite terminal_tinfinite) tlength: shows "tlength (collapse s xs) ≤ tlength xs" (cases "tfinite xs") case True then show ?thesis by (induct arbitrary: s rule: tfinite_induct) (auto intro: order.trans[OF _ ile_ case False then show ?thesis by (fastforce dest: not_lfinite_llength) tset_memberD: assumes "(a, s') ∈ tset (collapse s xs)" shows "s' \<in> snd ` tset xs" using assms by (induct "collapse s xs" arbitrary: s xs rule: tset_induct) (auto simp: collapse.eq_TCons_conv trepeat_eq_TCons_conv tset_tshift image_Un) lemma tset_memberD2: assumes "(a, s') \<in> tset xs" shows "s = s' \<or> s' \<in> snd ` tset (collapse s xs)" usingassmsby( xs arbitrary:a rule: tset_induct;simp; fast) ft: shows"ollapse ( xsys tracenatural )( (.final xs)ys) by ( xs arbitrary: s) simp_all case java.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length shows "collapse by subst .code)( add:)) lemma eq_trepeat_conv: shows "trepeat (undefined showthesis. and "collapse s xs = trepeat ( (stepus ys' proof - show ?thesis1 by ruleiffI, (subst (asm) (\lambda>.sf( ) } add: collapse.infinite_trailing then show ?thesis2 that (rule eq_commute_conv) qed lemma treplicate: shows "collapse s (treplicate i (a, s) v) = TNil v" by(subst collapse.) (simpadd:trailing.eq_TNil_conv.split) lemma eq_tshift_conv: shows then show ?thesis .. \<longleftrightarrow> (\<exists>xs' xs'' ys'. tshift xs' xs'' = xs \<and> trace.natural' step show nd ys' zs = trepeat undefined .final sxs)java.lang.StringIndexOutOfBoundsException: Ind \<or> (ys' =java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for len and "tshift ys zs =by (impadd behaviornatural_def) \longleftrightarrow (<xs ''ys.tshift 'xs' <>trace.atural' xs '=ys \<and> ((\<setup \openSignparent_path\close ] proof show "?lhs "rest(<atural>\^subT\<> (.init <omega)(behaviorrest\omega>)java.lang.StringInde proof(rule iffI) show "?lhs \<Longrightarrow> ?rhs" proof(induct ys arbitrary: s xs) java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 next case (Cons y ys s xs) fromConsprems[simplified ?ase proof(cases rule: collapse.eq_TConsE) by (simp add: exI[where x="[]"]) next case (step xs' ys') from (-3 .[OFstep4]show ?hesis by (fastforce simp: tracejava.lang.StringIndexOutOfBoundsException: Index 0 out of simp flip: trace.natural'.eq_Nil_conv intro: exI[where x="xs' @ y # ys''" for ys'']) qed qed show"rhs\Longrightarrow> ?lhs" by (auto simp: collapse.tshift tshift_append setup \<>.mandatory_path"equiv\close qed then show ?thesis1 by( eq_commute_conv) qed mmaeq_collapse_ttake_dropn_conv: shows "collapse s xs = collapse s ys \<longleftrightarrow> (\<exists>j. trace.natural' s (fst (ttake i xs)) = trace.natural' s (fst ( \>snd ttake xs)=snd (ttake java.lang.StringIndexOutOfBoundsException: Index 54 out of \<and> collapse (trace.final' s (fst (ttake i xs))) (tdropn i xs) = collapse (trace.final' s (from..[ ()] (2 proofproof () behaviornaturalidle[F() behavior..[OF this1]this2) show "?lhs \<Longrightarrow> (\<exists>j. ?rhs i proof(induct i arbitrary: s xs ys) case (Suc i s xs ys) show ?case prooflemmatakeEjava.lang.StringIndexOutOfBoundsException: Index 12 out of bounds TNilb withSucprems show?hesis have\<xists> j. collapse <>traceTsxs ) behaviortakejbehavior java.lang.StringIndexOutOfBou simp: collapse.eq_TNil_conv trace.natural'.eq_Nil_conv ttake_eq_Some_conv tfinite_tlength_conv tdropn_tlength dest: in_set_ttakeD) next case (TCons x xs') show ?thesis proof(cases "snd x = s") case True with Suc TCons show ?thesis by simp next case False note Suc.prems TCons False moreover from calculation obtain us ys' where ys= tshiftus TConsxys'" and "snd ` set us \<subseteq> {lemmatakeE: andand "collapse (snd x)ys' =collapse( x) '" by (auto simp: collapseeq_TCons_convtrepeat_eq_TCons_conv moreover from calculation Suc.hyps[of "nd x "xs'" "ys'] obtain j where "?rhs i j (snd x) xs' ys'" by presburger ultimately show ?thesis byautosimp:ttake_tshift.java.lang.StringIndexOutOfBoundsException: Index 73 out :trace'eq_Nil_conv introexI = lengthus)+j") qed qed setup \>Signparent_path<> show "\<exists>j. ? by (metis collapse.tshift trace.final'.natural' tshift_fst_ttake_tdropn_id) qed lemmas eq_collapse_ttake_dropnE = exE[\^citet><open"AbadiMerz:1996\close. lemma tshift_tdropn: assumes "trace.natural' s (fst (ttake i xs)) = trace.natural' s ys" shows "collapse s (tshift ys typedef ',',')tls=".stutteringclosed: ' s v .t set set java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5 lemma map_collapse: "ollapse(sf s)(tmap (map_prod sf) vf (collapse s xs)) =collapse (fs tmap(map_prod sf) vfxs"( ?lhs s xs = ?rhs sxs proof(coinduction arbitrary:s xsjava.lang.StringIndexOutOfBoundsException: Index 3 case (Eq_tllist s xs) show ?case proof(intro conjI; (intro impI)?) have *: "sf s' = sf s" if "tfinite for a s s' using (nduct: :tfinite_induct clarsimpsplit if_split_asm metis) show "is_TNil (?lhs s xs) \<longleftrightarrow> is_TNil (?rhs SupIwhere 'a"',','v tls"intro] byruleiffI, fastforce!*:collapseis_TNil_convcollapsetfinitetllistset_map snd_image_map_prod show "terminal (?lhs s xs) = terminal (?rhs s xs)" is_TNil(lhs s xs)"and" (? sxs" subsection<open>Irreducibleelements\label{ectls-singleton} \> java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 then obtain y ys ..{omega}java.lang.StringIndexOutOfBoundsException: Index 58 out of bysimp :tllist.disc_eq_case(2)split .split_asm) from show "hd (?hssxs thd(? ) \<and> (\<exists>s' xs'. ttl (?lhs sjava.lang.StringIndexOutOfBoundsException: Index 0 ou proof(cases rule: collapse.eq_TConsE) case lift_definition singleton: "'a s,'v behavior.t <Rightarrow>(','s, ')tls (<><>T<>[] .java.lan note left \rblot\<subT\equiv \lblotbehaviorBsxs\rblot\^sub>Tjava.lang.StringIndexOutO from r show ?thesis ( rule collapse.eq_TConsE) case trailing_stuttering from left(3) trailing_stuttering(3) show ?thesis by (fold l r) (simp; metis) next ( 'java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 2 from left(2) step(1,3) have False by (clarsimp simp: tset_tshift tset_tmap tmap_eq_tshift_conv TCons_eq_tmap_conv collaps split if_split_asm (use step(2) in \<open>fastforce simp flip: trace.final'.map[where af=af]\java.lang.Strin show?thesis .java.lang.StringIndexOutOfBoundsException: Index 28 out of bounds fo qed next case (step us ys') note left =this from r show ?thesis proof(cases rule: collapse.eq_TConsE casetrailing_stuttering haveFalse if "sf s' \qed fastforce and "(\<lambda>x. sf (snd x)) ` tset xs = {sf s}lemmassingleton_le_extI=iffD2[OFtlssingleton <>omega<blot\^> <blot\omega'<>java.lang.StringIndexOutOfBoundsException: Index 78 out of java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 for a s'us vs usingboolean_implication_le_convtlssingleton.]: dest!: arg_cong[where f="\<lambda>xs. s' \ (utosimp rawsingleton_def .set_alt_def intro: imageI[where f="\<lambda>x. sf ( with l left(3) trailing_stuttering( "<lblot\natural\^><><rblot\^>T=\<blot\omega\<blot><^>" fastforce: tmap_eq_tshift_convTCons_eq_tmap_conv collapsejava.lang.StringIndexOutO trepeat_eq_TCons_conv snd_image_map_prodlemmasSup_irreducible [ .Sup_prime_Sup_irre then show ?thesis .. next java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 from left step show ?thesis unfolding l r apply (clarsimpThe notransitionsanddoesnot . tracenatural.'whereaf=afandsfsfandssjava.lang.StringIndexOutOfBoundsException: I iffD2[OF trace.natural'.eq_Nil_conv(1)] dest: arg_cong[where f="<>xs. collapse (f s) (ap_prod sf vf xs)"] split: if_split_asm) apply (use step(2) in \<open>fastforce simp flip: trace.final'.map[where af=af]\<close>) apply (metis list.set_map .. collapse.infinite_trailing apply metis done qed qed qed qed setup \<open>Sign.parent_path<close> setup \<open>Sign.mandatory_path "behaviorsimp:. .singleton_def definition natural :: "('a, 's, 'v) behavior.t \<Rightarrow> ('a\open>ign. tls\closejava.lan java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 setup \<open \lblot\<omega>\<>\<^> \le>. <longleftrightarrow <ottfinite(ehavior.est\omega)\and b lemma collapse[simp]: shows "behavior.sset (behavior.B s (collapse s xs)) = behavior.sset (behavior.B s xs)" by (auto simp: behavior.sset.simps collapse.tset_memberD dest: collapse.tset_memberD2[ lemma natural[simp]: shows "behavior.sset (\<natural>\<^sub>T\<omega>) = behavior.sset \<omega>" by (simp add: behavior.natural_def) lemma continue: shows".sset(<> -\<^ub> )=trace. \sigma <>( trace. <>ofNone\Rightarrow>snd xs | _<> {})java.lang.Strin by (simp add: behavior.sset.simps behavior.continue_def split: option.split) setup \<open>Sign.parent_path\<close> etup<>. ""\<losejava.lang.StringIndexOutOfBoundsException: Index 50 out of bounds fo lemma sel[simp]: shows "behavior.init (\<natural>\<^sub>java.lang.StringIndexOutOfBoundsException: Inde and "behavior.rest (\<natural simp_alladd .natural_defjava.lang.StringIndexOutOfBoundsException: Index 39 out o lemma TNil: ehavior. s( v" by (simp add: behavior.natural_def) lemma tfinite: shows "tfinite (behavior.rest (\<natural>\<^sub>Tet"where by (simp add: behavior.natural_def collapse.tfinite) lemma continue: shows "\<natural>\<^sub>T(\<sigma> "<>.j < \Longrightarrow>the (ehavior. j <> in Pjava.lang.StringInd by (simp add: behavior.t.expand tshift2_def collapse.tshift split: option.split) lemma tshift: shows "\<natural>\<^sub>lemma always_alt_def: by (simp add: behavior.natural_def) lemma trepeat: shows "\<natural>\<shows "omega <>raw. " by (simp add: behavior.natural_def collapse.trepeat) lemma treplicate: shows "\<natural>\<^sub>T by (simp add: behavior.natural_def collapse.treplicate) lemma map_natural: shows "\<natural>\<^sublemmasimps by (simp add: behavior.natural_def collapse.map_collapse) lemma idle: assumes "behavior.sset \<omega".state_prop P \<nion>rawstate_prop .state_prop (\squnion>)j shows "\<natural>\<^sub>T\<omega> = behavior.B (behavior.init \<omega>) (trailing lemma Inf: using assms by (cases \<omega>) (simp add: behavior.natural_def behavior.sset.simps collaps setup \<open>Sign.parent_path\<close> nterpretation stuttering .image_vimage_idempotent"\natural\^sub>" by standard (simp add: behavior.natural_def collapse.collapse) setup \<open>Sign.mandatory_path "stuttering"\< (auto simp: raw.erminated_def setup \<open>Sign.mandatory_path "equiv"\<close> abbreviation syn :: "('a, 's, 'v) behavior shows "<omega> <in>Q \Longrightarrow> \omega> \in .until "\<omega>\<^sub>1 \<simeq>\<^sub>T \<omega>\<^sub>2 \<equiv> assumes\omega'\in> rawuntilPQ" assumes "\<omega>\<^sub>1 \<simeq>\<^sub>T \<omega>\<^sub>2" shows "behavior.map af sf vf \<omega>\<^sub>1 \<simeq>java.lang.StringIndexOutOfBoundsExcept by (metis assms behavior.natural.map_natural) lemma " <> assumes "\<omega>\<^sub>1 \<simeq>\<^sub>T \<omega>\<^sub>2" obtains j where "behavior.take i \<omega>\<^sub>1 \<simeq>\<^sub>S behavior.take j \<omega>\<^sub>2" using assms by (fastforce simpfastforce: .hypsdest: [wherex="Sucj"for j] elimcollapse.eq_collapse_ttake_dropnE[here s"behavior.init <>\^>2" and iiand =behavior <><su lemma idle_dropn: assumes "behavior.dropn i \<omega> = Some \<omega>'" assumes "behavior.sset \<omega> \<subseteq> {behavior.init shows "\<omega> \<simeq>\<^sub>T \<omega>'" proof - from behavior.sset.dropn_le show"\<omega> \<in> ?rhs" if \<omega>\in>?lhs"for\<mega usingthat by have "behavior.sset \<omega>' \<subseteq> {behavior.init \<omega>'}" and "behavior.init \<omega> using behavior.t.set_sel(2) subset_singletonD by fastforce+ fromassms1 behavior..[OFassms2]behaviornaturalidleOF this(1)] this(2) showthesis simpadd trailing_def) (metisfrom ** ? qed setup \<open>Sign.parent_path\<close> setup \<open>Sign.parent_path\<close> setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "trace.stuttering.equiv.behavior"\show "<mega in? "<>\>lhs takeE: fixes\sigma> : "'a,'s v)tracet" assumes "behavior.take i \<omega> \<simeq>\<^sub>S \<sigma>" obtains\omega' j "<> <><subTomega' and "<> =behavior.take j <>' atomize_elim have "\<exists>ys j. collapse s xs = collapse s ys proof induct if "trace.natural' s (fst (ttake i xs)) = trace.natural' s xs'" for s xs' and xs :: "('a \<times> 's, 'v) tllist" using that by (cases "snd (ttake i xs)") (fastforce simp: behavior.take.tshift ttake_eq_Some_conv tdropn_tlength trace.take.all trace.take.all_iff intro: exI[where x="tshift xs' (tdropn i xs)"] exI[where x="length xs'"] exI[where x="Suc (length xs')"] dest: collapse.tshift_tdropn)+ with assms show "\<exists>\<omega>' j. \<omega> \<simeq>\<^sub>T \<omega>' \<and> \<sigma> = behavior.take j \> (clarsimpsimp behavior.atural_deftrace.natural_defbehavior.split_Exjava.lang.Stri qed lemmas rev_takeE= .stuttering.quivbehaviortakeE[ sym] setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "trace.natural.behavior"\<close> lemma takeE: fixes \<omega> :: "('a, 's, 'v) behaviorwith*behaviordropnshorterD show \<mega <>?rhs obtains j where "\<natural>(behavior.take i \<omega>) = behavior.take j (\<natural>\<^sub>T\<omega> proof atomize_elim have "\<exists>j. trace.natural' s (fst (ttake i xs)) = fst (ttake j (collapse s xs)) \and>snd( ixs = snd ( j (ollapse s xs))" for s and xs :: "('a \<times> 's by ( simp:tfinite_tlength_conv proof(induct i arbitrary: s xs) case 0 show ?case by (fastforce simp: ttake_eq_Nil_conv) next case (Suc i s xs) show ?case proof(cases xs) case (TCons x' xs') with Suc[where s="snd x by (fastforce intro: exI[where x="Suc j" for j]) qed (simp add: exI[where x=1]) qed then show "\<exists>j. \<natural> (behavior.take ilemma terminated[]: by (simp add: behavior.take_def trace.natural_def split_def) qed setup \<open>Sign.parent_path\<close> "\omega\^> <>rawuntilPQ \omega\^>\>rawuntil "and"<><sub1<><subT <>sub\>^> omega\^ub2 text\<open> our ' TLAlatticewhichwetreatin a`semantic' waysimilarly java.lang.StringIndexOutOfBou \<^citet>\<open>"AbadiMerz:1996"\<close>. Observations: \<^item> there is a somewhat natural partial ordering on the \<open>tls\<close> lattice induced by t the \<open>spec\<close> lattice (see \S\ref{sec:tls-safety} and \S\ref{sec:safety_closure} \<close> typedef ('a, 's, 'v) tls = "behavior.stuttering.closed :: ('a, 's, 'v) behavior.t set set" morphisms unTLS TLS Nil \omega><sub> *step.yps(,) case by blast setup_lifting type_definition_tls instantiation :(type,type ) complete_boolean_algebra begin lift_definition bot_tls :: "('a, 's, 'v) tls" is empty .. lift_definition top_tls :: "('a, 's, 'v) tls" is UNIV .. lift_definition sup_tls :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, 's, lift_definition inf_tls :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, 's, lift_definition less_eq_tls :: "definition valid : (', ',')tls\Rightarrow " where lift_definition less_tls :: "('a, 's, 'v) tls \<Rightarrow> ('a,'s,'v) tls \Rightarrow>bool" i lift_definition Inf_tls :: "('a, 's, 'v) tls set \<Rightarrow> ('a, 's, 'v) tls" is Inf .. "P tls -" lift_definition minus_tls :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, ' lift_definition uminus_tls :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls" is uminus .. instance by (standard; transfer; auto simp: behavior.stuttering.cl_bot behavior.stuttering.closed_strict_complete_distrib_lattice_axiomI[OF behavior.stu end declare SUPE[where 'a="('a, 's, 'v) tls", intro!] Sup_le_iff[where 'a="('a, 's, 'v) tls", ( \^old\longrightarrow><subBQ" SupI[where 'a="('a, 's, 'v) tls", intro] SUPI[where 'a="('a, 's, 'v) tls", intro] rev_SUPI[where 'a="('a, 's, 'v) tls", intro?] INFE[where 'a="('a, 's, 'v) tls", intro] setup \<open>Sign.mandatory_path "tls"\<close> lemma boolean_implication_transfer[transfer_rule]: shows "rel_fun (pcr_tls (=) (=) (=)) (rel_fun (pcr_tls (=) (=) (=)) (pcr_tls (=) (=) (=))) (\<^b unfolding boolean_implication_def by transfer_prover lemma bot_not_top: \bottom <>(<>: 'a ',')tls" by transfer simp setup \<open>Sign.parent_path\<close> subsection\<open> Irreducible elements\label{sec:tls-singleton} \<close> setup \<open>Sign.mandatory_path "raw"\<close> definition singleton :: "('a, 's, 'v) behavior.t \< \Turnstile java.lang.StringIndexOutOfB "singleton \<omega> = behavior.stuttering.cl {\<omega>}" lemma singleton_le_conv: shows "raw.singleton \<sigma>\<^sub>1 \<le> raw.singleton \<sigma>\<^sub>2 \<longleftrightarrow> \<n rule . .java.lang.StringIndexOutOfBoundsException: Index 88 out of bounds for leng dest: behavior.stuttering.clE behavior.stuttering.equiv_cl_singleton) setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "tls"\<close> lift_definition singleton :: "('a, ' transfer bysimpadd .singleton_def abbreviationsingleton_behavior_syn: 's\<ightarrow>(a\times s,v) <>('a s v tls"(<>\>__\><subT<>[,] "\<lblot> autosimp.singleton_defbehavior setup \<open>Sign.mandatory_path "singleton"\<close> lemma Sup_prime: shows "Sup_prime \<lblot>\<omega>\<rblot>\<^sub>T" by (larsimp simp:Sup_prime_on_def) (; simp:raw.ingleton_def behavior.stuttering elim!: Sup_prime_onE[OF behavior.stuttering.Sup_prime_on_singleton]) lemma nchotomy: \<xists>\inbehavior..closed <Squnion(. ) by transfer osed_convin \openautosimpadd raw.singleton_def tteringdistributiveclose) lemmas java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for lengt lemma collapse[simp]: shows "\<Squnion>(tls.singleton ` {\<omega>. \<lblot>\<omega>\<rblot>\<^sub>T \<le> P}) = P"add .cl_Sup ruletlssingleton.[of P)(simp : antisym SUP_le_iff SUP_upper) lemmas not_bot = Sup_prime_not_bot[OF tls.singleton.Sup_prime] \<comment>\<open> Non-trivi setup \<open>Sign.parent_path\<close> lemma singleton_le_ext_conv: shows "P \<le> Q \<longleftrightarrow> (\<forall>\<omega>. \<lblot>\<omega>\<rblot>\<^sub>T \<le> P proof(rule iffI) show "?rhs \<Longrightarrow> ?lhs" by (rule tls.singleton.exhaust[where x=P]; rule tls.singletonbymetis galois..galoisord qed fastforce lemmas singleton_le_conv = raw.singleton_le_conv[transferred] [ .singleton_le_ext_conv rule_format] lemma singleton_eq_conv[simp]: shows "\<lblot>\<omega>\<rblot>\<^sub>T = \<lblot>\<omega>'\<rblot>\<^sub>T \<longleftrightarrow> \<omeg using tls.singleton_le_conv by (force intro: antisym) lemma singleton_cong: assumes "\<omega> \<simeq>\<^sub>T \<omega>'" shows\lblot><mega><>\^subT= \lblot><>'<rblot><subTjava.lang.StringIndexOutOfBoundsException: using assms by simp setup \<open>Sign.mandatory_path "singleton"\<close> named_theorems le_conv \<open> simplification rules for \<open>\<lblot>\<sigma>\<and: P\U\>=\diam lemma boolean_implication_le_conv[tls.singleton.le_conv]: shows "\<lblot>\<sigma>\<rblot>\<^sub>java.lang.StringIndexOutOfBoundsException: Index 83 by transfer (auto simp: raw.singleton_def boolean_implication.set_alt_def elim!: behavior.stuttering.clE behavior.stuttering.closed_in[OF _ sym]) lemmas antisym = antisym[OF tls.singleton_le_extI tls.singleton_le_extI] lemmas top = tls.singleton.collapse[of \<top>, simplified, symmetric] lemma simps[simp]: shows "\<lblot>\<natural>\<^sub>T\<omega>\<rblot>\<^sub>Tlemmas simps = and \<lblot>s,xs<>\^subT\le \lblots s xs\rblot\^sub>" and "snd ` set ys \<subseteq> {s} \<Longrightarrow> \<lblot>s, tshift ys xs\<rblot>\<^sub>T = \<lblot>s, x and "\<lblot>s, TCons (a, s) xs\<rblot>\<^sub>T = \<lblot>s, xs\<rblot>\<^sub>T" by (simp_all add: antisym tls.singleton_le_conv behavior.natural_def behavior.stuttering.f_idempotent collapse.collapse collapse.tshift_stuttering) lemmas Sup_irreducible = shows \<iamondP=bottom\>P=\<bottom>" lemmas sup_irreducible = Sup_irreducible_on_imp_sup_irreducible_on[OF tls.singleton. lemmas Sup_leE[elim] = Sup_prime_onE[OF tls.singleton.Sup_prime, simplified] lemmas sup_le_conv[simp] = sup_irreducible_le_conv[OF tls.singletonlemmasSup= tls..cl lemmas Sup_le_conv[simp] = Sup_prime_on_conv[OF tls.singleton.Sup_prime, simplified] lemmas compact_point = Sup_prime_is_compact[OF tls.singleton.Sup_prime] lemmas compact[cont_intro] = compact_points_are_ccpo_compact: setup \<open>Sign.parent_path\<close> setuplemmas simps = subsection\ ..top text\<open> The idle process contains no transitions and does not terminate. \<close> setup \<open>Sign.mandatory_path "raw"\<close> definition idle :: "('a, 's, 'v) behavior.t set" where "idle = (\<Union>s. raw.singleton (behavior.B s (trepeat (undefined, s))))" lemma idle_alt_def: shows "raw.idle = {\<omega>. \<not>tfinite (behavior.rest \<omega>) \<and> behavior proof(rule antisym[OF _ subsetI]) show "?lhs \<subseteq> ?rhs" by (force "<ox\box>P=\box>" behavior.sset.simps collapse.trepeat collapse.eq_trepeat_conv elim: behavior.stuttering.clE dest: collapse.tfinite_conv) show "\<omega> \<in> ?lhs" if "\<omega> \<in> ?rhs" for \<omega> using that lemmas[] =monoDOFtls..monotone] (auto simp: raw.idle_def raw.singleton_def behavior.natural_def behavior.sset.simps behavior.stuttering.idemI collapse.infinite_trailing elim: behavior.stuttering.clE intro: exI[where x="behavior.init \<omega>"]) qed setup \<open>Sign.mandatory_path "idle"\<close> lemma not_tfinite: assumes "\<omega> \<in> raw.idle" shows "\<not>tfinite (behavior.rest \<omega>)" using assms by (simp add: raw.idle_alt_def) setup \<open>Sign.parent_path\<close> setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "behavior.stuttering.closed"\<close> lemma idle[iff]: shows "raw.idle \<in> behavior.stuttering.closed" by (simp add: raw.idle_def raw.singleton_def behavior.stuttering.closed_UNION[simplified behavior.stuttering.cl_bot, simplified setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "tls"\<close>using tls..contractive .eventually.cl ..mon ionidle :"', s ' " is rawidle. lemma idle_alt_def: shows "tls.idle = (\<Squnion>s. \<lblot>s, trepeat (undefined, s)\<rblot>\<^sub>T)" by transfer (simp add: raw.idle_def behavior.stuttering.cl_bot) setup \<open>Sign.mandatory_path "singleton"\<close> lemma idle_le_conv[tls.singleton.le_conv]: shows "\<lblot>\<omega>\<rblot>\<^sub>T \<le> tls.idle \<longleftrightarrow> \<not>tfinite (behavior by transfer (simp add: raw.singleton_def behavior.stuttering.least_conv; simp add: raw.i setup \<open>Sign.parent_path\<close> minimal_le shows "\<lblot>s, trepeat (undefined, box ^\><sub><>Q \le>\boxP\^><>\<^subB\>" by (simp add: tls.singleton.idle_le_conv behavior.sset.simps) setup \<open>Sign.parent_path\<close> setup \<open>Sign.parent_path\<close> subsection\<open> Temporal Logic for \<^emph>\<open>Pjava.lang.StringIndexOutOfBoundsExcep text\<open> The following is a straightforward shallow embedding of the now-traditional anchored semantics of LTL \<^citet>\<open>"MannaPnueli:1988"\<close>. References: \<^item> \<^verbatim>\<open>$AFP/TLA/Liveness.thy\<close> \<^item> \<^file>\<open>$ISABELLE_HOME/src/HOL/TLA/TLA.thy\<close> \<^item> \<^url>\<open>https://en.wikipedia.org/wiki/Linear_temporal_logic\<close> \<^item> \<^citet>\<open>"KroegerMerz:2008"\<close> \<^item> \<^citet>\<open>"WarfordVegaStaley:2020"\<close> Observations: \<^item> as we lack next/X/\<open>\<circle>\<close> (due to stuttering closure) we do not have induct \><citet\open>"amport:"\<> omitted LTL `''operator as considered hard use \<^item> As \<^citet>\<open>"DeGiacomoVardi:2013"\<close> observe, things get non-standard on fi \<^ ( simp raw.ventually_alt_defraw.always_alt_def \<^item> \<^citet>\<open>"Maier:2004"\<close> provides an alternative account \<close> setup \<open>Sign.mandatory_path "raw"\<close> definition state_prop :: "'s pred \<Rightarrow> ('a, 's, 'v) behavior.t set" where "state_prop P = {\<omega>. P (behavior.init \<omega>)}" definition until: "'a ', ')behaviortset\Rightarrow ('a,'s v) behavior.tset\Rightarrow (', ','v) beha where "until P Q = {\<omega> . \<exists>i. \<exists>\<omega>'\<in>Q. behavior.dropn i \setup\openSignmanda definition eventually :: "('a, 's, 'v) behavior.t set \<Rightarrow> ('a, 's, 'v) behavior.t set" where "eventually P = raw.until UNIV P" definition always :: "('a, 's, 'v) behavior.t set P\W \le < where "always P = -raw.eventually (-P)" abbreviation (input) "unless P Q \<equiv> raw.until P Q \<union> raw.always P" definition terminated :: "('a, 's, 'v) behavior.t set" where "terminated = {\<omega>. tfinite (behavior.rest \<omega>) \<and> behavior.sset \<omega> \<subseteq> lemma untilI: assumes "behavior.dropn i \<omega> = Some \<omega "is"lhs\le rhs)\comment><>\^><>open()<>in WarfordV assumes "\<omega>' \<in> Q" assumes "\<And>j. j < i \<Longrightarrow> the (behavior.dropn j \<omega>) \<in> P" shows "\<omega> \<in> raw.until P Q" using assms unfolding raw.until_def by blast lemma eventually_alt_def: shows "raw.eventually P = {\<omega> . \<exists>\<omega>'\<in>P. \<exists>i. behavior.dropn i \<omega> = by (auto simp: raw lemma always_alt_def: shows "raw.always P = {\<omega> . \<forall>i \<omega>'. behavior.dropn i \<omega> = Some \<omega>' \<long by (auto simp: raw.always_def raw.eventually_alt_def) lemma alwaysI: assumes "\<And>i \< shows "\<omega> \<in> raw.always P" by (simp add: raw.always_alt_def assms) lemma alwaysD: assumes "\<omega> \lemmas simps= raw.state_propsimps[transferred] assumes "behavior.dropn i \<omega> = Some \<omega>setup <open>.parent_path\close> shows "\<omega>' \<in> P" using assms by (simp add: raw.always_alt_def) setup \<open>Sign.mandatory_path "state_prop"\<close> lemma monotone: shows "mono raw.state_prop" by (fastforce intro: monoI simp: raw.state_prop_def) lemma simps: shows "raw.state_prop \<langle>False\<rangle> = {}" "raw.state_prop \<bottom> = {}" "raw.state_prop \<langle>True\<rangle> = UNIV" "raw.state_prop \<top> = UNIV" "- raw.state_prop P = raw.state_prop (- P)" "raw.state_prop P \<union> raw.state_prop Q = raw.state_prop (P \<squnion> Q)" "raw.state_prop P \<inter> raw.state_prop Q = raw.state_prop (P \<sqinter> Q)" "(raw.state_prop P \<^bold>\<longrightarrow>\<^sub>B raw.state_prop Q) = raw.state_prop (P \<^b by (auto simp: raw.state_prop_def boolean_implication.set_alt_def) lemma Inf: shows "raw.state_prop (\<Sqinter>X) = \<Inter>(raw.state_prop ` X)" by (fastforce simp: raw.state_prop_def) Sup shows "raw.state_prop (\<Squnion>X) = \<Union>(raw.state_prop ` X)" by (fastforce simp: raw.state_prop_def) setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "terminated"\<close> lemma inf_always_le: fixes P :: "('a, 's, 'v) behavior.t set" assumes "P \<in> behavior.stuttering.closed" shows "raw.terminated \<inter> P \<subseteq> raw.always P" by (rule subsetI[OF raw.alwaysI]) (auto simp: raw.terminated_def elim: behavior.stuttering.closed_in[OF _ _ assms] behavior.stuttering.equiv.idle_drop setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_pathshows" \^>\leadsto Q \sqinterQ\^><> <>P\^><> R"( "lhs\le>rhs) lemma base: shows "\<omega> \<in> Q \<Longrightarrow> \<omega> \<in> raw.until P Q" and "Q \<subseteq> raw.until P Q" by (force simp:raw.ntil_def) lemma step: assumes "\<omega> \<in> P" assumes "behavior.tl \<omega> = Some \<omega>'" assumes "\<omega>' \<in> raw.until P Q" shows "\<omega> \<in> raw.until P Q" proof - from \<open>\<omega>' \ "(P <^bold>\longrightarrow\^sub\box>I <U>Q) \sqinter ( <^>\longrightarrow\<s obtain i \<omega>'' where "\<omega>'' \<in> Q" and "\<forall>j<i. the (behavior.dropn j \<omega>') \<in> P" and "behavior.dr by (clarsimp simp: raw.until_def) by(clarsimp simp:raw.until_def behavior.dropn.ucless_Suc_eq_0_disj intro!: exI[where x="Suc i"]) qed lemmas intro[intro] = raw.until.base raw.until.step lemma induct[case_names base step, consumes 1, induct set: raw.until]: assumes "\<omega> \<in> raw.until P Q" assumes base: "\<And>\<omega>. \<omega> \<in> Q \<Longrightarrow> R \<omega>" assumes step: "\<And>\<omega> \<omega>'. \<lbrakk>\<omega> \<in> P; behavior.tl \<omega> = Some shows "R \<omega>" proof - from \<open>\<omega> \<in> raw.until P Q\<close> obtain \<omega>' i where "behavior.dropn i \<omega> = Some \<omega>'" and "\<omega>' \<in> Q" and "\<forall>j<i. the (behavi unfolding raw.until_def by blast then show ?thesis proof(induct i arbitrary: \<omega>) case 0 then show ?case by (force intro: base) next case Suc from Suc.prems show ?case by (fastforce intro: step Suc.hyps dest: spec[where x="Suc j" for j] simp: behavior.dropn.Suc raw.until_def split: Option.bind_split_asm) qed qed lemma mono: assumes "P \<subseteq> P'" assumes "Q shows "raw.until P Q \<subseteq> raw.until P' Q'" unfolding raw.until_def\<close> lemma botL: shows "raw.until {} Q = Q" by (force simp: raw.until_def) lemma botR: shows "raw.until P {} = {}" by (force simp: raw.until_def) lemma untilR: shows "raw.until P (raw.until P Q) = raw.until P Q" (is "?lhs = ?rhs") proof(rule antisym[OF subsetI]) show "\<omega> \<in> ?rhs" if "\<omega> \<in> ?lhs" for \<omega> using that by induct blast+ show "?rhs \<subseteq> ?lhs" by blast qed lemma InfL_not_empty: assumes "X \<noteq> {}" shows "raw.until (\<Inter>X) Q = (\<Inter>x\<in>X. raw.until x Q)" (is "?lhs = ?rhs") proof(rule antisym[OF _ subsetI]) show "?lhs \<subseteq> ?rhs" by (simp add: INT_greatest Inter_lower raw.until.mono) show "\<omega> \<in> ?lhs" if "\<omega> \<in> ?rhs" for \<omega> proof - from \open> \noteq>{}<close> obtainPwhere "P \<in> X" by blast with that obtain i \<omega>' where *: "behavior.dropn i \<omega> = Some \<omega>'" "\<omega>' \<in> Q" "\<forall>j<i. the (behavior.d unfolding raw.until_def by blast from this(1,2) obtain k \<omega>'' where **: "k \<le> i" "behavior.dropn k \<omega> = Some \<omega>'java.lang.StringIndexOutOfBound using ex_has_least_nat[where k=i and P="\<lambda>\<^item \<citet><open\<open\S2<> "AlpernSchnei by clarsimp (metis (no_types, lifting) behavior.dropn.shorterD leD nle_le option.sel orde from that * ** show ?thesis by (clarsimp simp: raw.until_def \open><sigma>\ open. sigma None\> (metis order.strict_trans1 <item\citet\><>S21close "badiLamport:991\<lose> consider thesebe qed qed lemma SupR: shows "raw.until P (\<Union>X) = \<Union>(rawby (astforce : raw.o_spec_def raw.from_spec_def unfolding raw.until_def by blast lemma weakenL: shows "raw.until UNIV P = raw.until (- P) P" (is "?lhs = ?rhs") proof(rule antisym[OF subsetI]) show "\<omega> \<in> ?rhs" if "\<omega> \<in> ?lhs" for \<omega> using that by induct blast+ show "?rhs \<subseteq> ?lhs" by (simp add: raw.until.mono) qed lemma implication_ordering_le: \<comment>\<open> \<^citet>\<open>\<open>(16)\<close> in "WarfordV shows "raw.until P Q \<inter> raw.until (-Q) R \<subseteq> raw.until P R" simp:raw.) (metisorder.trans linorder_not_leoption.sel) lemma infR_ordering_le: \<comment>\<open> \<^citet>\<open>\<open>(18)\<close> in "WarfordVegaStal elimdownwards .tuttering.lE trace...behavior.) proof(rule subsetI) \omega <> ?hs" if \omega <?"for <> using that proof induct case (step \<omega> \<omega>') then show ?case l.tep rule rawuntilstep blast intro: subsetD[OF raw.until.mono, rotated -1]) qed blast qed lemma untilL: shows "raw.until (raw.until P Q) Q \<subseteq> raw.until P Q" (is "?lhs\<subseteq Falsewithassm proof(rule subsetI) show "\<omega> \<in> ?rhs" if "\<omega> \<in> ?lhs" for \<omega> usingby induct java.lang.StringIndexOutOfBoundsException: Index 29 out of bounds f split: option. .split lemma alwaysR_le: shows "raw.until P (raw.always Q) \<subseteq> raw.always (raw.until P Q)" (is "?lhs \<subseteq> ? proof(rule subsetI) show "\<omega> \<in> ?rhs" if "\<omega> \<in> ?lhs" for \<omega> using that proof induct shows\>inPjava.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for l next case (step \<omega> \<omega>') show ?case proof(rule raw.alwaysI) ? <>?" with step "behavior.dropn.0" show "\qed (simp add:raw.afety.expansive) by (cases i; clarsimp simp: raw.always_alt_def behavior.dropn.Suc; blast) qed qed qed setup \<open>Sign.parent_path\<close> >""\close safetycl_altI) rule[ , )] fix \<omega> assume *: "\<omega> \<notin> raw.until P Q" assume "\<omega> \ : option.split) then obtain k \<omega>' where "behavior.dropn k \< length_ttake tfinite_tlength_conv) and "\<omega>' by blast by (clarsimp simp: raw.always_alt_def) with ex_has_least_nat[where k=k and P="\<lambda>i. \<exists>\<omega>'. behavior.dropn i \<omega> obtain k \<omega>' "behaviordropn \\> =Some<>java.lang.StringIndexOutOfBoundsException: Index 54 out of and"<mega<>Pjava.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for l and " note\openrawsafetycl P \subseteq raw.\<> by clarsimp (metis behavior.dropn.shorterD less_le_not_le option.distinct(1) option.ex with * behavior.dropn.shorterD show "\<omega> \<in> ?rhs" by (fastforce :"<>i.\<exists>\<beta.\forall> \<omega' behavior.dropnk(.take i\<>@-<subB\beta) So next show "?rhs \<subseteq> ?lhs" by (clarsimp simp: raw.always_alt_def raw.until_def subset_iff; metis nat_neq_iff option qed setup \<open shows "raw.afetycl(aweventually P) setup \<open>Sign.mandatory_path "eventually"\<close> lemmaterminated shows "raw.eventually raw.terminated = {\<omega>. tfinite (behavior.rest \<omega>)}" (is "fix ( [OF_] show "?lhs \<subseteq> ?rhs" clarsimp simp:raw.ventually_alt_def.terminated_def behavior.ropntfiniteD) show "\<omega> \<in> ?lhs" if "\<omega> \<in> ?rhs" for \<omega> proof - note \<open>\<omega> \<in> ?rhs\<close> moreover from calculation tainiwhere"length (behaviorrest\<omega) ijava.lang.StringIndexOutOfBoundsException: by (clarsimp simp: tfinite_tlength_conv) moreover from calculation obtain \<omega>' where "behavior.dropn by java.lang.StringIndexOutOfBoundsException: In usingbehaviordropneq_Some_tlength_convby moreover from calculation have "behavior.sset \<omega>' \<subseteq> {behavior.init \<omega>'}" by (cases \<omega>') clarsimpdest! behavior.. :tdropn_tlength..) "omega <n lhs by (auto "\in>rawsafetyclosed qed setup \<open>Sign.parent_path\<close> setup simpadd:raw.) setup \<open>Signbehavior. k \omega <mega'""forall><> behaviortake <> @\^> <beta \>P lemma state_prop[intro]: shows "raw.state_prop P \<in> behavior.stuttering.closed" by (fastforce simp: raw.state_prop_def behavior.natural_def elim: behavior.stuttering. lemma shows "raw.terminated \<in> behavior.stuttering.closed" behavior.) (clarsimp simp: raw.terminated_def elim!: behavior.stuttering.clE; metisbehavior.natural.().natural. .sset.) lemma until[intro]: assumes "P \<in> behavior.stuttering.closed" assumes "Q \<in> behavior.stuttering.closed" shows"awuntil \instuttering" proof - ega><^ub2 <in rawuntilPQ"if"<><sub>1\<>. "and \omega\<sub1\simeq\^> <>\<sub2for <><sub> <omega\^sub2 using that proof(induct arbitrary: \<omega>\<^sub>2 rule: raw.until.induct) case (base \<omega>\<^sub>1 \<omega>\<^sub>2apply clarsimp by (blast intro: behavior.stuttering.closed_in) next case (step \<omega>\<^sub>1 \<omega>' \<omega>\<^sub>2) showjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length proof(cases "\<omega>' \<simeq>\<^sub>T \<omega>\<^sub>1" <>Sign.\close case True with \<open>java.lang.StringIndexOutOfBoundsException: Index 0 out of bound by simp next case False from assms(1) \<open>\<omega>\<^sub>1 \<in> P\<close> \<open>\<omega>\<^sub>1 \<simeq>\<^sub>T \<omega>\<^sub>2 by (blast intro: behavior.stuttering.closed_in) obtain a s\<^sub>0 s\<^sub>1 xs\<^sub>1 xs' ys' where \<omega>\<^sub>1: "\<omega>\<^sub>1 = behavior that2) and \<omega>\<^sub>2: "\<omega>\<^sub>2 = behavior.B s\<^sub>0 show thesis and *: "collapse s\<^sub>0 (TCons (a, s\<^sub>1) xs\<^sub>1) = collapse s\<^sub>0 (tshift xs' (TCons ( "s\<^sub>0 \<noteq> s\<^sub>1" ':"snd set'<> {s\^>" by (cases \<omega>\<^sub>1; cases \<omega>\<^sub>2; cases "behavior.rest \<omegausing rawspecclos (fastforce simp: behavior.natural_def collapse.eq_TCons_conv trepeat_eq_TCons_conv split from \<omega>\<^sub>2 \<open>\<omega>\<^sub>2 \<in> P\<close> xs' show ?thesis proof xs arbitrary: \omega<^>) case Nil with \<omega>\<^sub>1 ** step.hyps(2,4) show ?case by (auto simp: behavior.natural_def) next case (Cons x' xs') with behavior.stuttering.closed_in[OF _ _ \<open>P \<in> behavior.stuttering.closed\<close>] show ?case by (auto simp: behavior.natural_def behavior.split_all) qed qed qed then show?thesis by (fastforce elim: behavior.stuttering.clE) qed lemma eventually[intro]: assumes .safetycl_deftls.safetycl_defby transfer_prover shows "raw.eventually P \<in> behavior.stuttering.closed" using assms by (auto simp: raw.eventually_def) lemma always[intro]: assumes "P \<in> behavior.stuttering.closed" shows "raw.always P \<in> behavior.stuttering.closed" using assms by transfer( raw.safetycleventually) setup \<open>Sign.parent_path\<close> definition ::"(,'s ')tls\Rightarrow>bool" java.lang.StringIndexOutOfBoundsException: "valid P \<longleftrightarrow> P =\top>java.lang.StringIndexOutOfBoundsException: Index lift_definition state_prop :: "'s pred \<Rightarrow> ('a, 's, also have"<dots =?rhs lift_definition terminated :: "('a, 'java.lang.StringIndexOutOfBoundsException: Inde lift_definition until :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v definition eventually :: "('asetup\>ignparent_pathclose> "eventually P = tls definition always :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls" where "always java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for leng definition release :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tl "release P Q = -(tls.until (-Pjava.lang.StringIndexOutOfBoundsException: Index 0 out definition unless :: "('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls \<Rightarrow> ('a, 's, 'v) tls "unless P Q = tls.until P Q \<squnion> tls.always P" abbreviation <>Signmandatory_pathcl\close "always_imp_syn P < tls.closed ', 'v) \Rightarrow (' ',v tls <>',',v tls where "leads_to P Q \<equiv> tls.always_imp_syn P (tls.eventually Q)" open_bundle "syntax" begin notation tls.valid (\<open>\<Turnstile> _\<close> [30] 30) notation simp:rawto_spec_def) notation tls.until (infix \<open>\<U>\<close> 85) notationby notation tls.always (\<open>\<box>_\<close> [87] 87) notation tls.release (infixr \<openjava.lang.StringIndexOutOfBoundsException: Index notation tls.unless (infixr \<open>\<W>\<close> 85) notation tls.always_imp_syn (infixr \<open>\<^bold>\<longrightarrow>\<^sub>\<box>\<close> 75) notation tls.leads_to (infixr \<open>\<^bold>\<leadsto>\<close> 75) end bundle "no_syntax" begin no_notation tls.valid (\<open>\<Turnstile> _\<close> [30] 30) no_notation tls.state_prop :"(a>)\>(a s ') \Rightarrow>(',','v)tls where no_notation tls.until (infixr \<open>\<U>\<close> 85) no_notation tls.eventually (\<open>\<diamond>_\<close> [87] 87) no_notation tlsalways (<open\>_close [87]) no_notation tls.release (infixr \<open>\<R>\<close> 85) no_notation tls.unless (infixr \<open>\<W>\<close> 85) no_notation tls.always_imp_syn (infixr \<open>\<^bold>\<longrightarrow>\<^sub>\<box>\<close> 75) proofstandard end lemma validI: assumes "\top \<e>P" shows "\<Turnstile> P" by (simp add: assms tls.valid_def top.extremum_uniqueI) setup \<open>Sign.mandatory_path "valid"\<close> lemma trans[trans]: assumes "\<Turnstile> P" assumes "P \<le> Q" shows "\<Turnstile> Q" using assms by (simp add: tls.valid_def top.extremum_unique) lemma mp: assumes lemmasmono =monotoneD[ tlsmapmonotonejava.lang.StringIndexOutOfBoundsExcept assumes "\<Turnstile> P" shows "\<Turnstile> Q" using assms by (simp add: tls.valid_def) lemmas rev_mp = tls.valid.mp[rotated] setup \<open>Sign.parent_path\<close> setup \<open>Sign.mandatory_path "singleton"\<close> lemma uminus_le_conv[tls.singleton.le_conv]: shows "\<lblot>\<omega>\<rblot>\<^sub>T \<le> -P \<java.lang.StringIndexOutOfBoundsException: I by transfer (simp add: raw.singleton_def behavior.stuttering.closed_uminus behavior.stuttering.l lemma state_prop_le_conv[tls.singleton.le_conv]: shows "\<lblot>\<omega>\<rblot>\<^sub>T \<le> tls.state_prop P \<longleftrightarrow> P (behavior.in by transfer (simp add: raw.singleton_def behavior.stuttering.least_conv[OF behavior.stuttering.c simp add: raw.state_prop_def) lemma terminated_le_conv[tls.singleton.le_conv]: shows "\<lblot>\<omega>\<rblot>\<^sub>Tjava.lang.StringIndexOutOfBoundsException: Index 0 by transfer (simp add: raw.singleton_def behavior.stuttering.least_conv[OF behavior.stuttering.c :raw lemma until_le_conv[tls.singleton.le_conv]: fixes P :: "('a, 's, 'v) tls" shows "\<lblot>\<omega>\<rblot>\<^sub>T \<le> P \<U> Q \<longleftrightarrow> (\<exists>i \<omega>'. behavio ∧ (•ψ'•) (rule iffI) show "?lhs ==> proof transfer assume *: "P ∈ behavior.stuttering.closed" "Q ∈ behavior.stuttering.closed" and "raw.singleton ψ raw.until P Q" then have "∃i. ∃ψ'∈Q. behavior.dropn i ψ = Some ψ' ∧ (∀ ``propositional'' means tha by (auto simp: raw.singleton_def raw.until_def) with * show "∃vi.diψ = Some ψ' ∧ raw.singleton ψ' ⊆ by (auto simp: raw.singleton_def behavior.stuttering.least_conv) qed show "?rhs ==> bytranssfer (unfold raw.singleton_def; rule behavior.stuttering.least[OF _ behavior.stuttering.closed.raw.untl; auto 1 0 intro iffD2OF qsett_m_f[OFraw.until_def]]) java.lang.StringIndexOutOfBoundsException: Index 35 out of bounds for length 3 eventually_le_conv[tls.singleton.le_conv]: shows "(•ψ•)T ≤ ♢P ⟷ (∃i ψ'. behavior.dropn i ψ = Some ψ' ∧ (•ψ'•)T ≤ P)" (simp add: tls.eventually_def tls.singleton.le_conv) always_le_conv[tls.singleton.le_conv]: shows "(•ψ•)T ≤ tls.always P ⟷ (∀i ψ'. behavior.dropn i ψ = Some ψ' ⟶ (•ψ'•)T ≤ P)" (simp add: tls.always_def tls.singleton.le_conv) ‹Sign.parent_path› until: closure_complete_lattice_distributive_class "tls.until P" for P standard show "(x ≤ tls.until P y) = (tls.until P x ≤ tls.until P y)" for x y by transfer (intro iffD2[OF order_class.order.closure_axioms_alt_def[unfolded closure_axioms conjI allI raw.until.base monoI raw.until.mono order.refl raw.until.untilR, assu show "tls.until P (⊔X) ≤ ⊔(tls.until P ` X) ⊔ tls.until P ⊥" for X by transfer (simp add: raw.until.SupR behavior.stuttering.cl_bot) ‹Sign.mandatory_path "until"› botL = raw.until.botL[transferred] botR = raw.until.botR[transferred] topR = tls.until.cl_top expansiveR = tls.until.expansive[of P Q for P Q] weakenL = raw.until.weakenL[transferred] mono = raw.until.mono[transferred] strengthen[strg]: assumes "st_ord F P P'" assumes "st_ord F Q Q'" shows "st_ord F (P U Q) (P' U Q')" assms by (cases F) (auto simp: tls.until.mono) SupL_le: shows "(⊔x∈X. x U R) ≤ (⊔X) U R" (simp add: SupI tls.until.mono) supLle R" (simp add: tls.until.mono) SupR: U>(⊔)P ` X" (simp add: tls.until.cl_Sup tls.until.botR) supR = tls.until.cl_sup InfL_not_empty = raw.until.InfL_not_empty[transferred] infL = tls.until.InfL_not_empty[where X="{P, Q}" for P Q, simplified, of P Q R infR_le = tls.until.cl_inf_le[of P Q R for P Q R] implication_ordering_le: ― 🍋‹ in "WarfordVegaStaley:2020"› shows "P U Q ⊓ (-Q) U R ≤ψ'. behavior.dropn i ψ' ∧ ransfer (rule raw.until.implication_ordering_le) supL_ordering_le: ―‹ 🍋to desD) shows "P U (Q U R) ≤ (P ⊔ Q) U R" (is "?lhs ≤ - have "?rhs = (P ⊔ Q) U ((P ⊔ Q) U R)" by (rule tls.until.idempotent(1)[symmetric also have "?lhs ≤" by (blast intro: tls.until.mono le_supI1 le_supI2) finally show ?thesis . infR_ordering_le: ―‹ shows "P U (Q ⊓ R) ≤ (P U Q) U R" transfer (rule raw.until.infR_ordering_le) oe_ipliatodtile \comment< \🍋‹‹(19)› in "WarfordVegaStaley:2020"› › shows "(P B Q) U R ≤\⟶B (Q U R)" (metis galois.conj_imp.galois order.refl tls.until.infL tls.until.mono) excluded_middleR: ―j < i Suc.hyps shows "⊨ P U Q ⊔h =m +n ]slt:atdf_i_sm (simp add: tls.validI tls.until.cl_top flip: tls.until.cl_sup) untilR = tls.until.idempotent(1)[of P Q for P Q] untilL: Q) U " (i "?lhlhs ?rs") (rule antisym) show lh \le> ?rhs" by transfer (rule raw.until.untilL) show "?rhs ≤ ?lhs" using tls.until.infR_ordering_le[where P=P and Q=Q and R=Q] by simp absorb: shows "P U (metis tls.until.botL tls.until.untilL) absorb_supL: ― 🍋‹(23)› in "WarfordVegaStaley:200" shows "P ⊔ P U Q = P ⊔ Q" (metis inf_commute inf_sup_absorb le_iff_sup assumes "🚫P \⟶B Q" absorb_supR: ― shows "Q ⊔ P U Q = P U Q" (simp add: sup.absorb2 tls.until.expansive) eventually_le: shows "P U Q ≤Q" (simp add: tls.eventually_def tls.until.mono) absorb_eventually: shows inf_eventually_absorbR: "P U Q ⊓ ♢Q = P U Q" \<commentnotation(•_rblot> [0] and sup_eventually_absorbR: "P U Q ⊔ ♢Q = ♢Q" ―‹ and eventually_absorbR: "P U ♢Q = ♢Q" ―‹ 🍋‹ (simp_all add: tls.eventually_def sup.absorb2 tls.until.mono (*>*) flip: tls.until.infL) sup_le: ―‹ 🍋‹‹(28)› in "WarfordVegaStaley:2020"› › shows "P U Q ≤ P ⊔ Q" (simp add: ac_simps sup.absorb_iff1 tls.until.absorb_supL tls.until.absorb_supR ordering: ―‹ 🍋‹‹(251)› in "WarfordVegaStaley:2020"› › shows "(-P) U Q ⊔ (-Q) U P = ♢(P ⊔ Q)" (is "?lhs = ?rhs") - have "?lhs = ⊤ U P ⊓ (- Q) U P ⊔ ⊤ U Q ⊓ (- P) U Q" by (simp add: ac_simps inf.absorb2 tls.until.mono) also have "… = (- P) U P ⊓ (- Q) U P ⊔ (- Q) U Q ⊓ (- P) U Q" by (simp add: tls.until.weakenL) also have "… = (- (P ⊔ Q)) U (P ⊔ Q)" by (simp add: ac_simps tls.until.cl_sup flip: tls.until.infL) also have "… = ?rhs" by (simp add: tls.eventually_def tls.until.weakenL) finally show ?thesis . simps = tls.until.expansiveR tls.until.botL tls.until.botR tls.until.absorb tls.until.absorb_supL tls.until.absorb_supR tls.until.untilL tls.until.untilR ‹Sign.parent_path› eventually: closure_complete_lattice_distributive_class tls.eventually tls.eventually_def (simp add: tls.until.closure_complete_lattice_distributive_class_axioms) eventually_alt_def: shows "♢P = (-P) U P" (simp add: tls.eventually_def tls.until.weakenL) ‹Sign.mandatory_path "eventually"› transfer[transfer_rule]: shows "rel_fun (pcr_tls (=) (=) (=)) (pcr_tls (=) (=) (=)) raw.eventually tls.ev tls.eventually_def raw.eventually_def by transfer_prover bot: shows "♢⊥ = ⊥" (simp add: tls.eventually_def tls.until.simps) bot_conv: shows "♢P = ⊥ ⟷ P = ⊥" (auto simp: tls.eventually.bot bot.extremum_uniqueI[OF order.trans[OF tls.event top = tls.eventually.cl_top monotone = tls.eventually.monotone_cl mono = tls.eventually.mono_cl Sup = tls.eventually.cl_Sup[simplified tls.eventually.bot, simplified] sup = tls.eventually.Sup[where X="{P, Q}" for P Q, simplified] Inf_le = tls.eventually.cl_Inf_le inf_le = tls.eventually.cl_inf_le neg: shows "-♢P = ◻(-P)" (simp add: tls.always_def) boolean_implication_le: shows "♢P \⟶B ♢Q ≤ ♢(P \⟶B Q)" (simp add: boolean_implication.conv_sup tls.eventually.sup) (meson le_supI1 compl_mono order.trans le_supI1 tls.eventually.expansive) simps = tls.eventually.bot tls.eventually.top tls.eventually.expansive tls.eventually_def[symmetric] terminated: shows "♢tls.terminated = ⊔(tls.singleton ` {ψ. tfinite (behavior.rest ψ)})" transfer (auto elim!: behavior.stuttering.clE dest: iffD2[OF behavior.natural.tfinite] simp: raw.eventually.terminated behavior.stuttering.cl_bot raw.singleton_def col always_imp_le: shows "P \⟶\◻ Q ≤ ♢P \⟶B ♢Q" (simp add: tls.always_def boolean_implication.conv_sup flip: shunt2) (metis inf_commute order.refl shunt2 sup.commute tls.eventually.mono tls.eventua until: shows "♢(P U Q) = ♢Q" (meson antisym tls.eventually.cl tls.eventually.mono tls.until.eventually_le tl ‹Sign.parent_path› always_alt_def: shows "◻P = P W ⊥" (simp add: tls.unless_def tls.until.simps) ‹Sign.mandatory_path "always"› transfer[transfer_rule]: shows "rel_fun (pcr_tls (=) (=) (=)) (pcr_tls (=) (=) (=)) raw.always tls.always tls.always_def raw.always_def by transfer_prover ‹ const‹tls.always› is an interior operator › idempotent[simp]: shows "◻◻P = ◻P" (simp add: tls.always_def) contractive: shows "◻P ≤ P" (simp add: tls.always_def compl_le_swap2 tls.eventually.expansive) monotone[iff]: shows "mono tls.always" (simp add: tls.always_def monoI tls.eventually.mono) strengthen[strg] = st_monotone[OF tls.always.monotone] mono[trans] = monoD[OF tls.always.monotone] bot: shows "◻⊥ = ⊥" (simp add: tls.always_def tls.eventually.simps) top: shows "◻⊤ = ⊤" (simp add: tls.always_def tls.eventually.simps) top_conv: shows "◻P = ⊤ ⟷ P = ⊤" (auto simp: tls.always.top intro: top.extremum_uniqueI[OF order.trans[OF _ tls. Sup_le: shows "⊔(tls.always ` X) ≤ ◻(⊔X)" (simp add: SupI tls.always.mono) sup_le: shows "◻P ⊔ ◻Q ≤ ◻(P ⊔ Q)" (simp add: tls.always.mono) Inf: shows "◻(⊓X) = ⊓(tls.always ` X)" (rule iffD1[OF compl_eq_compl_iff]) (simp add: tls.always_def image_image tls.eventually.Sup uminus_Inf) inf: shows "◻(P ⊓ Q) = ◻P ⊓ ◻Q" (simp add: tls.always_def tls.eventually.sup) neg: shows "-◻P = ♢(-P)" (simp add: tls.always_def) always_necessitation: assumes "⊨ P" shows "⊨ ◻P" assms by (simp add: tls.valid_def tls.always.top) valid_conv: shows "⊨ ◻P ⟷ ⊨ P" (simp add: tls.valid_def tls.always.top_conv) always_imp_le: shows "P \⟶\◻ Q ≤ ◻P \⟶B ◻Q" (simp add: galois.conj_imp.lower_upper_contractive tls.always.mono flip: galois.conj_imp.galois tls.always.inf) eventually_le: shows "◻P ≤ ♢P" tls.always.contractive tls.eventually.cl tls.eventually.mono by blast not_until_le: ―‹ 🍋‹‹(81)› in "WarfordVegaStaley:2020"› › shows "◻P ≤ -(Q U (-P))" (simp add: compl_le_swap1 tls.always.neg tls.until.eventually_le) simps = tls.always.bot tls.always.top tls.always.contractive tls.always_alt_def[symmetric] ‹Sign.parent_path› until_alwaysR_le: ―‹ 🍋‹‹(140)› in "WarfordVegaStaley:2020"› › shows "P U ◻Q ≤ ◻(P U Q)" transfer (rule raw.until.alwaysR_le) until_alwaysR: ―‹ 🍋‹‹(141)› in "WarfordVegaStaley:2020"› › shows "P U ◻P = ◻P" (simp add: order.eq_iff order.trans[OF tls.until_alwaysR_le] tls.until.simps) eventually_always_always_eventually_le: ―‹ 🍋‹‹(145)› in "WarfordVegaStaley:202 shows "♢◻P ≤ ◻♢P" (simp add: tls.eventually_def tls.until_alwaysR_le) always_inf_eventually_eventually_le: shows "◻P ⊓ ♢Q ≤ ♢(P ⊓ Q)" (simp add: shunt1 order.trans[OF _ tls.eventually.always_imp_le] boolean_implic tls.always.mono flip: boolean_implication_def) always_always_imp: ―‹🍋‹‹\S2.2: T33 frame› in "KroegerMerz:2008"› › shows "⊨ ◻P \⟶B ◻Q \⟶B ◻(P ⊓ Q)" (simp add: tls.validI tls.always.inf flip: boolean_implication.infL) always_eventually_imp: ―‹🍋‹‹\S2.2: T34 frame› in "KroegerMerz:2008"› › shows "⊨ ◻P \⟶B ♢Q \⟶B ♢(P ⊓ Q)" (simp add: tls.validI boolean_implication.mp tls.always_inf_eventually_eventual always_imp_always_generalization: ―‹🍋‹‹\S2.2: T35› in "KroegerMerz:2008"› › shows "◻P \⟶\◻ Q ≤ ◻P \⟶B ◻Q" (simp add: order.trans[OF tls.always.always_imp_le]) always_imp_eventually_generalization: ―‹🍋‹‹\S2.2: T36› in "KroegerMerz:2008"› shows "P \⟶\◻ ♢Q ≤ ♢P \⟶B ♢Q" (metis tls.eventually.always_imp_le tls.eventually.idempotent(1)) ‹ following show that there is no point nesting const‹tls.always› and const‹tls.e than two deep. › always_eventually_always_absorption: ―‹🍋‹‹\S2.2: T37› in "KroegerMerz:2008"› › shows "♢◻♢P = ◻♢P" (metis order.eq_iff tls.eventually.expansive tls.eventually.idempotent(1) tls.eventually_always_always_eventually_le) eventually_always_eventually_absorption: ―‹🍋‹‹\S2.2: T38› in "KroegerMerz:2008 shows "◻♢◻P = ♢◻P" (metis tls.always.neg tls.always_def tls.always_eventually_always_absorption) always_imp_always_eventually_le: ―‹ 🍋‹‹(157)› in "WarfordVegaStaley:2020"› › shows "P \⟶\◻ Q ≤ ◻♢P \⟶B ◻♢Q" (simp add: order.trans[OF _ tls.always.always_imp_le] order.trans[OF _ tls.always.mono[OF tls.eventually.always_imp_le]]) always_imp_eventually_always_le: ―‹ 🍋‹‹(158)› in "WarfordVegaStaley:2020"› › shows "P \⟶\◻ Q ≤ ♢◻P \⟶B ♢◻Q" (simp add: order.trans[OF _ tls.eventually.always_imp_le] order.trans[OF _ tls.always.mono[OF tls.always.always_imp_le]]) always_eventually_inf_le: shows "◻♢(P ⊓ Q) ≤ ◻♢P ⊓ ◻♢Q" ―‹ 🍋‹‹(159)› in "WarfordVegaStaley:2020"› › (simp add: tls.always.mono tls.eventually.mono) eventually_always_sup_le: shows "♢◻P ⊓ ♢◻Q ≤ ♢◻(P ⊔ Q)" ―‹ 🍋‹‹(160)› in "WarfordVegaStaley:2020"› › (simp add: le_infI2 tls.always.mono tls.eventually.mono) always_eventually_sup: ―‹ 🍋‹‹(161)› in "WarfordVegaStaley:2020"› › fixes P :: "('a, 's, 'v) tls" shows "◻♢(P ⊔ Q) = ◻♢P ⊔ ◻♢Q" (is "?lhs = ?rhs") (rule antisym) show "?lhs ≤ ?rhs" proof transfer fix P Q :: "('a, 's, 'v) behavior.t set" have "∃ψ'∈P. ∃i. behavior.dropn i ψj = Some ψ'" if "∀i ψ'. behavior.dropn i ψ = Some ψ' ⟶ (∃ψ''∈P ∪ Q. ∃i. behavior.dropn i ψ' = Some and "behavior.dropn i ψ = Some ψi" and "∀ψ'∈Q. ∀i. behavior.dropn i ψi ≠ Some ψ'" and "behavior.dropn j ψ = Some ψj" for ψ i j ψi ψj using spec[where x="max i j", OF that(1)] that(2,3,4) by (clarsimp simp: nat_le_iff_add split: split_asm_max; metis add_diff_inverse_nat behavior.dropn.dropn bind.bind_lunit order.asym) then show "raw.always (raw.eventually (P ∪ Q)) ⊆ raw.always (raw.eventually P) ∪ raw.always (raw.eventually Q)" by (clarsimp simp: raw.eventually_alt_def raw.always_alt_def) qed show "?rhs ≤ ?lhs" by (simp add: tls.eventually.sup order.trans[OF _ tls.always.sup_le]) eventually_always_inf: ―‹ 🍋‹‹(162)› in "WarfordVegaStaley:2020"› › shows "♢◻(P ⊓ Q) = ♢◻P ⊓ ♢◻Q" (subst compl_eq_compl_iff[symmetric]) (simp add: tls.always.neg tls.always_eventually_sup tls.eventually.neg) eventual_latching: ―‹ 🍋‹‹(163)› in "WarfordVegaStaley:2020"› › shows "♢◻(P \⟶B ◻Q) = ♢◻(-P) ⊔ ♢◻Q" (is "?lhs = ?rhs") (rule antisym) show "?lhs ≤ ?rhs" by (rule order.trans[OF tls.eventually.mono[OF tls.always_imp_always_eventually_ (simp add: boolean_implication.conv_sup tls.always.neg tls.eventually.neg tls.eventually.sup tls.eventually_always_eventually_absorptio have "♢◻Q ≤ ♢◻(- P ⊔ ◻Q)" apply (rule order.trans[OF tls.eventually.mono[OF eq_refl[OF tls.always.idempote apply (rule tls.eventually.mono[OF tls.always.mono]) apply simp done then show "?rhs ≤ ?lhs" by (simp add: le_sup_iff boolean_implication.conv_sup monoD) ‹Sign.mandatory_path "unless"› transfer[transfer_rule]: shows "rel_fun (pcr_tls (=) (=) (=)) (rel_fun (pcr_tls (=) (=) (=)) (pcr_tls (=) (λP Q. raw.until P Q ∪ raw.always P) tls.unless" tls.unless_def by transfer_prover neg: ―‹ 🍋‹‹(170)› in "WarfordVegaStaley:2020"› › shows "-(P W Q) = (-Q) U (-P ⊓ -Q)" transfer (rule raw.unless.neg) alwaysR_le: ―‹ 🍋‹‹(177)› in "WarfordVegaStaley:2020"› › shows "P W ◻Q ≤ ◻(P W Q)" (simp add: tls.unless_def order.trans[OF tls.until_alwaysR_le] tls.always.mono order.trans[OF _ tls.always.sup_le]) sup_le: ―‹ 🍋‹‹(206)› in "WarfordVegaStaley:2020"› › shows "P W Q ≤ P ⊔ Q" (rule iffD1[OF compl_le_compl_iff]) (simp add: tls.unless.neg tls.until.expansi ordering: ―‹ 🍋‹‹(252)› in "WarfordVegaStaley:2020"› › shows "⊨ (-P) W Q ⊔ (-Q) W P" (simp add: ac_simps tls.validI tls.unless_def tls.until.ordering tls.eventually ‹Sign.parent_path› ‹Sign.mandatory_path "until"› eq_unless_inf_eventually: shows "P U Q = (P W Q) ⊓ ♢Q" transfer (force simp: raw.until_def raw.eventually_def raw.always_alt_def behav always_strengthen_le: ―‹ 🍋‹‹(83)› in "WarfordVegaStaley:2020"› › shows "◻P ⊓ (Q U R) ≤ (P ⊓ Q) U (P ⊓ R)" transfer (clarsimp simp: raw.until_def raw.always_alt_def; fastforce simp: behavior.dropn.shorterD del: exI intro!: exI) until_weakI: shows "◻P ⊓ ♢Q ≤ P U Q" (is "?lhs ≤ ?rhs") ―‹ 🍋‹‹(84)› in "WarfordVegaStaley:20 (simp add: tls.eventually_def order.trans[OF tls.until.always_strengthen_le] tl always_impL: ―‹ 🍋‹‹(86)› in "WarfordVegaStaley:2020"› › shows "P \⟶\◻ P' ⊓ P U Q ≤ P' U Q" (is ?thesis1) and "P U Q ⊓ P \⟶\◻ P' ≤ P' U Q" (is ?thesis2) - show ?thesis1 by (rule order.trans[OF tls.until.always_strengthen_le]) (simp add: tls.until.mono boolean_implication.shunt1) then show ?thesis2 by (simp add: inf_commute) always_impR: ―‹ 🍋‹‹(85)› in "WarfordVegaStaley:2020"› › shows "Q \⟶\◻ Q' ⊓ P U Q ≤ P U Q'" (is ?thesis1) and "P U Q ⊓ Q \⟶\◻ Q' ≤ P U Q'" (is ?thesis2) - show ?thesis1 by (rule order.trans[OF tls.until.always_strengthen_le]) (simp add: tls.until.mono boolean_implication.shunt1) then show ?thesis2 by (simp add: inf_commute) neg: ―‹ 🍋‹‹(173)› in "WarfordVegaStaley:2020"› › shows "-(P U Q) = (-Q) W (-P ⊓ -Q)" tls.unless_def (simp flip: tls.until.eq_unless_inf_eventually tls.unless.neg tls.eventually.ne boolean_algebra.de_Morgan_conj) ‹Sign.parent_path› ‹Sign.mandatory_path "state_prop"› monotone = raw.state_prop.monotone[transferred] strengthen[strg] = st_monotone[OF tls.state_prop.monotone] mono = monoD[OF tls.state_prop.monotone] Sup: shows "tls.state_prop (⊔X) = ⊔(tls.state_prop ` X)" transfer (simp add: raw.state_prop.Sup behavior.stuttering.cl_bot) Inf: shows "tls.state_prop (⊓X) = ⊓(tls.state_prop ` X)" transfer (simp add: raw.state_prop.Inf) simps = raw.state_prop.simps[transferred] ‹Sign.parent_path› ‹Sign.mandatory_path "terminated"› not_bot: shows "tls.terminated ≠ ⊥" transfer (simp add: raw.terminated_def exI[where x="behavior.B undefined (TNil undefined) not_top: shows "tls.terminated ≠ ⊤" transfer (fastforce simp: raw.terminated_def dest: subsetD[OF Set.equalityD2, where c="behavior.B undefined (trepeat (undefin inf_always: shows "tls.terminated ⊓ ◻P = tls.terminated ⊓ P" (rule antisym[OF inf.mono[OF order.refl tls.always.contractive]]) (transfer; simp add: raw.terminated.inf_always_le) always_le_conv: shows "tls.terminated ≤ ◻P ⟷ tls.terminated ≤ P" (simp add: inf.order_iff tls.terminated.inf_always) inf_eventually: shows "tls.terminated ⊓ ♢P = tls.terminated ⊓ P" (is "?lhs = ?rhs") (rule antisym[OF _ inf.mono[OF order.refl tls.eventually.expansive]]) have "tls.terminated ⊓ - P ≤ tls.terminated ⊓ -♢P" by (simp add: tls.terminated.inf_always tls.eventually.neg) then show "?lhs ≤ ?rhs" by (simp add: boolean_implication.shunt1 boolean_implication.imp_trivialI) eventually_le_conv: shows "tls.terminated ≤ tls.eventually P ⟷ tls.terminated ≤ P" (simp add: inf.order_iff tls.terminated.inf_eventually) eq_always_terminated: shows "tls.terminated = ◻tls.terminated" (rule order.antisym[OF _ tls.always.contractive]) (simp add: tls.terminated.always_le_conv) ‹Sign.parent_path› ‹ Leads-to and leads-to-via \label{sec:TLS_leads-to} › ‹ -called ∗‹response› properties are of the form ‹P \⟶\◻ ♢Q› (pronounced ``‹P› leads to ‹Q›'', written ‹P \↝ Q›) 🍋‹"MannaPnueli:1991"›. This connective is similar the ``ensures'' modality of 🍋‹‹\S3.4.4› in "ChandyMisra:1989"›. 🍋‹"Jackson:1998"› used the more general `‹P› leads to ‹Q› via ‹I›'' form ‹P \⟶\◻ I U Q› establish liveness properties in a sequential setting. › leads_to_refl: shows "⊨ P \↝ P" (simp add: tls.validI boolean_implication.shunt_top tls.always.top_conv tls.eve top.extremum_unique) leads_to_mono: assumes "P' ≤ P" assumes "Q ≤ Q'" shows "P \↝ Q ≤ P' \↝ Q'" (simp add: assms boolean_implication.mono tls.always.mono tls.eventually.mono) leads_to_supL: shows "(P \↝ R) ⊓ (Q \↝ R) ≤ (P ⊔ Q) \↝ R" (simp add: boolean_implication.conv_sup sup_inf_distrib2 tls.always.inf) always_imp_leads_to: shows "P \⟶\◻ Q ≤ P \↝ Q" (simp add: boolean_implication.mono tls.always.mono tls.eventually.expansive) leads_to_eventually: shows "♢P ⊓ (P \↝ Q) ≤ ♢Q" (simp add: galois.conj_imp.galois tls.always_imp_eventually_generalization) leads_to_leads_to_via: shows "P \⟶\◻ Q U R ≤ P \↝ R" (simp add: boolean_implication.mono tls.always.mono tls.until.eventually_le) leads_to_trans: shows "P \↝ Q ⊓ Q \↝ R ≤ P \↝ R" (is "?lhs ≤ ?rhs") - have "?lhs ≤ P \↝ Q ⊓ ◻(Q \↝ R)" by (simp add: tls.always.simps) also have "… ≤ P \↝ Q ⊓ ♢Q \↝ R" by (meson order.refl inf_mono tls.always.mono tls.always_imp_eventually_generali also have "… ≤ ?rhs" by (simp add: boolean_implication.trans tls.always.mono flip: tls.always.inf) finally show ?thesis . leads_to_via_weakenR: shows "Q \⟶\◻ Q' ⊓ P \⟶\◻ I U Q ≤ P \⟶\◻ I U Q'" transfer (clarsimp simp: raw.always_alt_def raw.until_def boolean_implication.set_alt_def metis behavior.dropn.dropn Option.bind.bind_lunit) leads_to_via_supL: ―‹ useful for case distinctions › shows "P \⟶\◻ I U Q ⊓ P' \⟶\◻ I' U Q ≤ P ⊔ P' \⟶\◻ (I ⊔ I') U Q" (simp add: boolean_implication.conv_sup ac_simps le_infI2 le_supI2 monoD[OF tls.always.monotone] tls.until.mono) leads_to_via_trans: shows "(P \⟶\◻ I U Q) ⊓ (Q \⟶\◻ I' U R) ≤ P \⟶\◻ (I ⊔ I') U R" (is "?lhs ≤ ?rhs" - have "?lhs ≤ ◻(P \⟶B I U (I' U R))" by (subst inf.commute) (rule tls.leads_to_via_weakenR) also have "… ≤ ?rhs" by (strengthen ord_to_strengthen(1)[OF tls.until.supL_ordering_le]) (rule order. finally show ?thesis . leads_to_via_disj: ―‹ more like a chaining rule › shows "(P \⟶\◻ I U Q) ⊓ (Q \⟶\◻ I' U R) ≤ (P ⊔ Q \⟶\◻ (I ⊔ I') U R)" (simp add: boolean_implication_def inf.coboundedI2 le_supI2 tls.always.mono tls ‹ Fairness\label{sec:tls-fairness} › ‹ few renderings of weak fairness. 🍋‹"vanGlabbeekHofner:2019"› call this `response to insistence'' as a generalisation of weak fairness. › weakly_fair :: "('a, 's, 'v) tls ==> ('a, 's, 'v) tls ==> ('a, 's, 'v) tls" whe "weakly_fair enabled taken = ◻enabled \⟶\◻ ♢taken" weakly_fair_def2: shows "tls.weakly_fair enabled taken = ◻(-(◻(enabled ⊓ -taken)))" (simp add: tls.weakly_fair_def tls.always_def tls.eventually.sup) weakly_fair_def3: shows "tls.weakly_fair enabled taken = ♢◻enabled \⟶B ◻♢taken" (simp add: tls.weakly_fair_def boolean_implication.conv_sup tls.always.neg tls.always_eventually_sup tls.eventually.neg flip: tls.eventually.sup) weakly_fair_def4: shows "tls.weakly_fair enabled taken = ◻♢(enabled \⟶B taken)" (simp add: tls.weakly_fair_def boolean_implication.conv_sup tls.always.neg tls. ‹Sign.mandatory_path "weakly_fair"› mono: assumes "P' ≤ P" assumes "Q ≤ Q'" shows "tls.weakly_fair P Q ≤ tls.weakly_fair P' Q'" tls.weakly_fair_def (strengthen ord_to_strengthen(1)[OF assms(1)]) (strengthen ord_to_strengthen(1)[OF assms(2)]) (rule order.refl) strengthen[strg]: assumes "st_ord (¬F) P P'" assumes "st_ord F Q Q'" shows "st_ord F (tls.weakly_fair P Q) (tls.weakly_fair P' Q')" assms by (cases F) (auto simp: tls.weakly_fair.mono) weakly_fair_triv: shows "◻♢(-enabled) ≤ tls.weakly_fair enabled taken" (simp add: tls.weakly_fair_def3 boolean_implication.conv_sup tls.always.neg tls mp: shows "tls.weakly_fair enabled taken ⊓ ◻enabled ≤ ♢taken" (simp add: tls.weakly_fair_def boolean_implication.shunt1 tls.always.contractiv ‹Sign.parent_path› ‹Sign.mandatory_path "always"› weakly_fair: shows "◻(tls.weakly_fair enabled taken) = tls.weakly_fair enabled taken" (simp add: tls.weakly_fair_def tls.always.simps) ‹Sign.parent_path› ‹Sign.mandatory_path "eventually"› weakly_fair: shows "♢(tls.weakly_fair enabled taken) = tls.weakly_fair enabled taken" (simp add: tls.weakly_fair_def4 tls.always_eventually_always_absorption) ‹Sign.parent_path› ‹ for strong fairness. 🍋‹"vanGlabbeekHofner:2019"› call this response to persistence" as a generalisation of strong fairness. › strongly_fair :: "('a, 's, 'v) tls ==> ('a, 's, 'v) tls ==> ('a, 's, 'v) tls" w "strongly_fair enabled taken = ◻♢enabled \⟶\◻ ♢taken" strongly_fair_def2: shows "tls.strongly_fair enabled taken = ◻(-◻(♢enabled ⊓ -taken))" (simp add: tls.strongly_fair_def boolean_implication.conv_sup tls.always.neg tl strongly_fair_def3: shows "tls.strongly_fair enabled taken = ◻♢enabled \⟶B ◻♢taken" (simp add: tls.strongly_fair_def boolean_implication.conv_sup tls.always.neg tl tls.always_eventually_sup tls.eventually_always_eventually_absorption flip: tls.eventually.sup) ‹Sign.mandatory_path "strongly_fair"› mono: assumes "P' ≤ P" assumes "Q ≤ Q'" shows "tls.strongly_fair P Q ≤ tls.strongly_fair P' Q'" tls.strongly_fair_def (strengthen ord_to_strengthen(1)[OF assms(1)]) (strengthen ord_to_strengthen(1)[OF assms(2)]) (rule order.refl) strengthen[strg]: assumes "st_ord (¬F) P P'" assumes "st_ord F Q Q'" shows "st_ord F (tls.strongly_fair P Q) (tls.strongly_fair P' Q')" assms by (cases F) (auto simp: tls.strongly_fair.mono) supL: ―‹ does not hold for const‹tls.weakly_fair› › shows "tls.strongly_fair (enabled1 ⊔ enabled2) taken = (tls.strongly_fair enabled1 taken ⊓ tls.strongly_fair enabled2 taken)" (simp add: boolean_implication.conv_sup sup_inf_distrib2 tls.always.inf tls.alw tls.strongly_fair_def) weakly_fair_le: shows "tls.strongly_fair enabled taken ≤ tls.weakly_fair enabled taken" (simp add: tls.strongly_fair_def3 tls.weakly_fair_def3 boolean_implication.mono tls.eventually_always_always_eventually_le) always_enabled_weakly_fair_strongly_fair: shows "◻enabled ≤ tls.weakly_fair enabled taken \⟷B tls.strongly_fair enabled ta (simp add: boolean_eq_def boolean_implication_def) ‹Sign.parent_path› ‹Sign.mandatory_path "always"› strongly_fair: shows "◻(tls.strongly_fair enabled taken) = tls.strongly_fair enabled taken" (simp add: tls.strongly_fair_def) ‹Sign.parent_path› ‹Sign.mandatory_path "eventually"› strongly_fair: shows "♢(tls.strongly_fair enabled taken) = tls.strongly_fair enabled taken" (simp add: tls.strongly_fair_def2 tls.always.neg tls.always_eventually_always_a ‹Sign.parent_path› ‹Sign.parent_path› ‹ Safety Properties\label{sec:tls-safety} › ‹ now carve the safety properties out of the 🍋‹('a, 's, 'v) tls› lattice. : ▪ 🍋‹‹\S2› in "AlpernSchneider:1985" and "AlpernDemersSchneider:1986" and "Schne ▪ observes that Lamport's earlier definitions do not work without stuttering ▪ provides the now standard definition that works with and without stuttering ▪ 🍋‹‹\S2.2› in "AbadiLamport:1991"›: topological definitions and intuitions ▪ 🍋‹‹\S2.2› in "Sistla:1994"› go a different way: we establish a Galois connection with 🍋‹('a, 's, 'v) spec› : ▪ our safety closure for 🍋‹('a, 's, 'v) tls› introduces infinite sequences to s prefixes in 🍋‹('a, 's, 'v) spec› ▪ i.e., the non-termination of trace ‹σ› (‹trace.term σ = None›) is represented by a behavior ending with ‹trace.final σ› infinitely stuttered ▪ 🍋‹‹\S2.1› in "AbadiLamport:1991"› consider these behaviors to represent termi ‹Sign.mandatory_path "raw"› to_spec :: "('a, 's, 'v) behavior.t set ==> ('a, 's, 'v) trace.t set" where "to_spec T = {behavior.take i ψ |ψ i. ψ ∈ T}" from_spec :: "('a, 's, 'v) trace.t set ==> ('a, 's, 'v) behavior.t set" where "from_spec S = {ψ . ∀i. behavior.take i ψ ∈ S}" safety: galois.powerset raw.to_spec raw.from_spec standard (fastforce simp: raw.to_spec_def raw.from_spec_def) ‹Sign.mandatory_path "from_spec"› empty: shows "raw.from_spec {} = {}" (simp add: raw.from_spec_def) singleton: shows "raw.from_spec (Safety_Logic.raw.singleton σ) = ∪(raw.singleton ` {ψ . ∀i. behavior.take i ψ ∈ Safety_Logic.raw.singleton σ})" (i (rule antisym) show "?lhs ⊆ ?rhs" by (force simp: raw.from_spec_def TLS.raw.singleton_def) show "?rhs ⊆ ?lhs" by (clarsimp simp: raw.from_spec_def TLS.raw.singleton_def Safety_Logic.raw.sing elim!: behavior.stuttering.clE) (metis behavior.stuttering.equiv.takeE raw.spec.closed raw.spec.closed.stutterin trace.stuttering.clI trace.stuttering.closed_conv) sup: assumes "P ∈ raw.spec.closed" assumes "Q ∈ raw.spec.closed" shows "raw.from_spec (P ∪ Q) = raw.from_spec P ∪ raw.from_spec Q" (rule antisym[OF _ raw.safety.sup_upper_le]) (clarsimp simp: raw.from_spec_def; meson behavior.take.mono downwards.closed_in linorder_le_cases raw.spec.closed.downwards_closed[OF assms(1)] raw.spec.closed.downwards_closed[O ‹Sign.parent_path› ‹Sign.mandatory_path "to_spec"› singleton: shows "raw.to_spec (TLS.raw.singleton ψ) = (∪i. Safety_Logic.raw.singleton (behavior.take i ψ))" (is "?lhs = ?rhs") (rule antisym) show "?lhs ⊆ ?rhs" by (fastforce simp: TLS.raw.singleton_def raw.to_spec_def Safety_Logic.raw.singleton_def raw.spec.cl_def elim: behavior.stuttering.clE behavior.stuttering.equiv.takeE[OF sym] trace.stuttering.clI[OF _ sym, rotated]) show "?rhs ⊆ ?lhs" by (fastforce simp: Safety_Logic.raw.singleton_def raw.spec.cl_def TLS.raw.singl raw.to_spec_def trace.less_eq_take_def trace.take.behavior.take elim: downwards.clE trace.stuttering.clE trace.stuttering.equiv.behavior.takeE) ‹Sign.parent_path› ‹Sign.mandatory_path "safety"› cl_altI: assumes "∧i. ∃ψ' ∈ P. behavior.take i ψ = behavior.take i ψ'" shows "ψ ∈ raw.safety.cl P" assms by (fastforce simp: raw.safety.cl_def raw.from_spec_def raw.to_spec_def) cl_altE: assumes "ψ ∈ raw.safety.cl P" obtains ψ' where "ψ' ∈ P" and "behavior.take i ψ = behavior.take i ψ'" (atomize_elim, cases "enat i ≤ tlength (behavior.rest ψ)") case True with assms show "∃ψ'. ψ' ∈ P ∧ behavior.take i ψ = behavior.take i ψ'" by (clarsimp simp: raw.safety.cl_def raw.from_spec_def raw.to_spec_def) (metis behavior.take.length behavior.take.sel(3) ttake_eq_None_conv(1) min.absorb2 min_enat2_conv_enat the_enat.simps) case False with assms show "∃ψ'. ψ' ∈ P ∧ behavior.take i ψ = behavior.take i ψ'" by (clarsimp simp: raw.safety.cl_def raw.from_spec_def raw.to_spec_def) (metis behavior.continue.take_drop_id behavior.take.continue_id leI) cl_alt_def: ―‹ 🍋‹"AlpernDemersSchneider:1986"›: the classical definition: ‹ψ› b shows "raw.safety.cl P = {ψ. ∀i. ∃β. behavior.take i ψ @-B β ∈ P}" (is "?lhs = ?rhs" (rule antisym) show "?lhs ⊆ ?rhs" by clarsimp (metis behavior.continue.take_drop_id raw.safety.cl_altE) show "?rhs ⊆ ?lhs" proof(clarify intro!: raw.safety.cl_altI) fix ψ i assume "∀j. ∃β. behavior.take j ψ @-B β ∈ P" then show "∃ψ'∈P. behavior.take i ψ = behavior.take i ψ'" by (force dest: spec[where x=i] intro: exI[where x=i] rev_bexI simp: behavior.take.continue trace.take.behavior.take trace.continue.self_conv ttake_eq_None_conv length_ttake split: option.split enat.split) qed closed_alt_def: ―‹ If ‹ψ› is not in ‹P› then some prefix of ‹ψ› has irretrievably shows "raw.safety.closed = {P. ∀ψ. ψ ∉ P ⟶ (∃i. ∀β. behavior.take i ψ @-B β ∉ P)}" raw.safety.closed_def raw.safety.cl_alt_def by fast closed_alt_def2: ―‹ Contraposition gives the customary prefix-closure definitio shows "raw.safety.closed = {P. ∀ψ. (∀i. ∃β. behavior.take i ψ @-B β ∈ P) ⟶ ψ ∈ P}" raw.safety.closed_alt_def by fast closedI2: assumes "∧ψ. (∧i. ∃β. behavior.take i ψ @-B β ∈ P) ==> ψ ∈ P" shows "P ∈ raw.safety.closed" assms unfolding raw.safety.closed_alt_def2 by fast closedE2: assumes "P ∈ raw.safety.closed" assumes "∧i. ψ ∉ P ==> ∃β. behavior.take i ψ @-B β ∈ P" shows "ψ ∈ P" assms unfolding raw.safety.closed_alt_def2 by blast ‹Sign.mandatory_path "cl"› state_prop: shows "raw.safety.cl (raw.state_prop P) = raw.state_prop P" (simp add: raw.safety.cl_alt_def raw.state_prop_def) terminated_iff: assumes "ψ ∈ raw.terminated" shows "ψ ∈ raw.safety.cl P ⟷ ψ ∈ P" (is "?lhs ⟷ ?rhs") (rule iffI) from assms obtain i where "tlength (behavior.rest ψ) = enat i" by (clarsimp simp: raw.terminated_def tfinite_tlength_conv) then show "?lhs ==> ?rhs" by (metis raw.safety.cl_altE[where i="Suc i"] behavior.continue.take_drop_id behavior.take.continue_id enat_ord_simps(2) lessI (simp add: raw.safety.expansive') terminated: shows "raw.safety.cl raw.terminated = raw.idle ∪ raw.terminated" (is "?lhs = ?rh (rule antisym[OF subsetI subsetI]) fix ψ assume "ψ ∈ ?lhs" then have "snd (tnth (behavior.rest ψ) i) = behavior.init ψ" if "enat i < tlength (behavior.rest ψ)" for i using that by (clarsimp simp: raw.terminated_def behavior.take_def behavior.split_all behav split_def simp del: ttake.simps elim!: raw.safety.cl_altE[where i="Suc i"]) (metis (no_types, lifting) Suc_ile_eq in_tset_conv_tnth nth_ttake doubleton_eq_iff insert_image insert_absorb2 lessI subset_singletonD ttake_eq_No then have "behavior.sset ψ ⊆ {behavior.init ψ}" by (cases ψ) (clarsimp simp: behavior.sset.simps tset_conv_tnth) then show "ψ ∈ ?rhs" by (simp add: raw.idle_alt_def raw.terminated_def) show "ψ ∈ ?lhs" if "ψ ∈ ?rhs" for ψ using that proof(cases rule: UnE[consumes 1, case_names idle terminated]) case idle show ?thesis proof(rule raw.safety.cl_altI) fix i let ?ψ' = "behavior.take i ψ @-B TNil undefined" from idle have "?ψ' ∈ raw.terminated" by (auto simp: raw.idle_alt_def raw.terminated_def behavior.sset.continue dest: subsetD[OF behavior.sset.take_le] split: option.split) moreover from idle have "behavior.take i ψ = behavior.take i ?ψ'" by (simp add: raw.idle_alt_def behavior.take.continue trace.take.behavior.take length_ttake tfinite_tlength_conv) ultimately show "∃ψ'∈raw.terminated. behavior.take i ψ = behavior.take i ψ'" by blast qed qed (auto intro: raw.safety.expansive') le_terminated_bot: assumes "P ∈ behavior.stuttering.closed" assumes "raw.safety.cl P ⊆ raw.terminated" shows "P = {}" (rule ccontr) assume ‹P ≠ {}› then obtain ψ where "ψ ∈ P" by blast let ?ψ' = "behavior.B (behavior.init ψ) (trepeat (undefined, behavior.init ψ))" from ‹ψ ∈ P› have "?ψ' ∈ raw.safety.cl P" by (fastforce intro: exI[where x="behavior.rest ψ"] behavior.stuttering.f_closedI[OF ‹P ∈ behavior.stuttering.closed›] simp: raw.safety.cl_alt_def behavior.take.trepeat behavior.continue.simps behavior.natural.tshift collapse.tshift trace.natural'.replicate trace.final'.replicate behavior.stuttering.f_closed[OF ‹P ∈ behavior.stuttering.closed›] simp flip: behavior.natural_def) moreover have "?ψ' ∉ raw.terminated" by (simp add: raw.terminated_def) moreover note ‹raw.safety.cl P ⊆ raw.terminated› ultimately show False by blast always_le: shows "raw.safety.cl (raw.always P) ⊆ raw.always (raw.safety.cl P)" raw.always_alt_def raw.safety.cl_alt_def subset_iff mem_Collect_eq (intro allI impI) fix ψ i ψ' j assume *: "∀i. ∃β. ∀k ψ'. behavior.dropn k (behavior.take i ψ @-B β) = Some ψ' ⟶ ψ' ∈ and **: "behavior.dropn i ψ = Some ψ'" from spec[where x="i + j", OF *] ** behavior.take.dropn[OF **, where j=j] show "∃β. behavior.take j ψ' @-B β ∈ P" by (clarsimp dest!: spec[where x=i]) (subst (asm) behavior.dropn.continue_shorter; force simp: length_ttake trace.dropn.behavior.take dest: behavior.dropn.eq_Some_tlengthD split: enat.split) eventually: assumes "P ≠ ⊥" shows "raw.safety.cl (raw.eventually P) = -raw.eventually raw.terminated ∪ raw.eventually P" (is "?lhs = ?rhs") (rule antisym[OF subsetI iffD2[OF Un_subset_iff, simplified conj_explode, rule_f show "ψ ∈ ?rhs" if "ψ ∈ ?lhs" for ψ proof(cases "tlength (behavior.rest ψ)") case (enat i) with that show ?thesis by (fastforce dest: spec[where x="Suc i"] simp: raw.safety.cl_alt_def raw.terminated_def behavior.take.continue_id) qed (simp add: raw.eventually.terminated tfinite_tlength_conv) from assms obtain ψP where "ψP ∈ P" by blast show "ψ ∈ ?lhs" if "ψ ∈ -raw.eventually raw.terminated" for ψ proof(intro raw.safety.cl_altI exI bexI) fix i let ?ψ' = "behavior.take i ψ @-B TCons (undefined, behavior.init ψP) (behavior.rest from ‹ψP ∈ P› ‹ψ ∈ -raw.eventually raw.terminated› show "?ψ' ∈ raw.eventually P" unfolding raw.eventually.terminated by (auto intro!: exI[where x="Suc i"] simp: raw.eventually_alt_def tfinite_tlength_conv behavior.dropn.continue length_ttake ttake_eq_None_conv) from ‹ψ ∈ -raw.eventually raw.terminated› show "behavior.take i ψ = behavior.take by (simp add: raw.eventually.terminated behavior.take.continue trace.take.behavi length_ttake tfinite_tlength_conv split: enat.split) qed show "raw.eventually P ⊆ ?lhs" by (fast intro!: order.trans[OF _ raw.safety.expansive]) ‹Sign.parent_path› ‹Sign.mandatory_path "closed"› always_eventually: assumes "P ∈ raw.safety.closed" assumes "∀i. ∃j≥i. ∃β. behavior.take j ψ @-B β ∈ P" shows "ψ ∈ P" assms(1) (rule raw.safety.closedE2) fix i from spec[OF assms(2), where x=i] obtain j β where "i ≤ j" and "behavior.take j ψ by blast then show "∃β. behavior.take i ψ @-B β ∈ P" if "ψ ∉ P" using that by (clarsimp simp: tdropn_tshift2 behavior.continue.tshift2 behavior.continue.ta behavior.continue.term_Some behavior.take.term_Some_conv ttake_eq_Some_conv split: enat.split split_min intro!: exI[where x="tdropn i (behavior.rest (behavior.take j ψ @-B β))"]) sup: assumes "P ∈ raw.safety.closed" assumes "Q ∈ raw.safety.closed" shows "P ∪ Q ∈ raw.safety.closed" (clarsimp simp: raw.safety.closed_alt_def2) (meson assms raw.safety.closed.always_eventually sup.cobounded1 sup.cobounded2) unless: ―‹ 🍋‹ ‹\S3.1› in "Sistla:1994"› -- minimality is irrelevant › assumes "P ∈ raw.safety.closed" assumes "Q ∈ raw.safety.closed" shows "raw.unless P Q ∈ raw.safety.closed" (rule raw.safety.closedI2) fix ψ assume *: "∃β. behavior.take i ψ @-B β ∈ raw.unless P Q" for i show "ψ ∈ raw.unless P Q" proof(cases "∀i j ψ'. ∃β. behavior.dropn i ψ = Some ψ' ⟶ behavior.take j ψ' @-B β ∈ P" case True with ‹P ∈ raw.safety.closed› have "behavior.dropn i ψ = Some ψ' ⟶ ψ' ∈ P" for i ψ' by (blast intro: raw.safety.closedE2) then show ?thesis by (simp add: raw.always_alt_def) next case False then obtain ψ' k l where **: "behavior.dropn k ψ = Some ψ'" "∀β. behavior.take l ψ' @-B β ∉ P" by clarsimp { fix i β assume kli: "k + l ≤ i" moreover note ** moreover from kli have "∃j. i - k = l + j" by presburger moreover from ‹behavior.dropn k ψ = Some ψ'› kli have ***: "k ≤ length (trace.rest (behavior.take i ψ))" by (fastforce simp: length_ttake split: enat.splits dest: behavior.dropn.eq_Some_tlengthD) ultimately have ****: "∀ψ''. behavior.dropn k (behavior.take i ψ @-B β) = Some ψ'' ⟶ by (force simp: behavior.dropn.continue_shorter trace.dropn.behavior.take behavi simp flip: behavior.continue.tshift2) { assume PQ: "behavior.take i ψ @-B β ∈ raw.unless P Q" from **** PQ obtain m where "m ≤ k" and "∀ψ'. behavior.dropn m (behavior.take i ψ @-B β) = Some ψ' ⟶ ψ' ∈ Q" and "∀p<m. (∀ψ'. behavior.dropn p (behavior.take i ψ @-B β) = Some ψ' ⟶ ψ' ∈ P)" by (auto 6 0 simp: raw.until_def raw.always_alt_def) (metis behavior.dropn.shorterD leI nle_le option.sel) with kli *** have "(∃m≤k. (∀ψ'. behavior.dropn m ψ = Some ψ' ⟶ behavior.take (i - m) ψ' @-B β ∈ Q) ∧ (∀p<m. (∀ψ'. behavior.dropn p ψ = Some ψ' ⟶ behavior.take (i - p) ψ' @-B β ∈ P)))" by (clarsimp simp: exI[where x=m] behavior.dropn.continue_shorter trace.dropn.be } } then have "∀i. ∃n≥i. ∃m≤k. ∃β. (∀ψ'. behavior.dropn m ψ = Some ψ' ⟶ behavior.take (n ∧ (∀p<m. ∀ψ'. behavior.dropn p ψ = Some ψ' ⟶ behavior.take (n - p) ψ' @-B β ∈ P)" using * by (metis nle_le) then obtain m where "m ≤ k" "∀i. ∃n≥i. ∃β. (∀ψ'. behavior.dropn m ψ = Some ψ' ⟶ behavior.take (n - ∧ (∀p<m. ∀ψ'. behavior.dropn p ψ = Some ψ' ⟶ behavior.take (n - p) ψ' @-B β ∈ P)" by (clarsimp simp: always_eventually_pigeonhole) with behavior.dropn.shorterD[OF ‹behavior.dropn k ψ = Some ψ'› ‹m ≤ k›] raw.safety.closed.always_eventually[OF ‹P ∈ raw.safety.closed›] raw.safety.closed.always_eventually[OF ‹Q ∈ raw.safety.closed›] show "ψ ∈ raw.unless P Q" apply - apply clarsimp apply (rule raw.untilI, assumption) apply (meson add_le_imp_le_diff) apply (metis add_le_imp_le_diff option.sel behavior.dropn.shorterD[OF _ less_imp done qed ‹Sign.parent_path› ‹Sign.parent_path› ‹Sign.parent_path› ‹Sign.mandatory_path "downwards.closed"› to_spec: shows "range raw.to_spec ⊆ downwards.closed" (fastforce elim: downwards.clE simp: raw.to_spec_def trace.less_eq_take_def tra ‹Sign.parent_path› ‹Sign.mandatory_path "trace.stuttering.closed"› to_spec: shows "raw.to_spec ` behavior.stuttering.closed ⊆ trace.stuttering.closed" (fastforce simp: raw.to_spec_def elim: trace.stuttering.clE trace.stuttering.equiv.E trace.stuttering.equiv.behav dest: behavior.stuttering.closed_in) ‹Sign.parent_path› ‹Sign.mandatory_path "raw.spec.closed"› to_spec: shows "raw.to_spec ` behavior.stuttering.closed ⊆ raw.spec.closed" downwards.closed.to_spec trace.stuttering.closed.to_spec by (blast intro: raw.s ‹Sign.parent_path› ‹Sign.mandatory_path "behavior.stuttering.closed"› from_spec: shows "raw.from_spec ` trace.stuttering.closed ⊆ (behavior.stuttering.closed :: ('a, 's, 'v) behavior.t set set)" - have *: "behavior.take i ψ2 ∈ P " if "ψ1 ≃T ψ2" and "∀i. behavior.take i ψ1 ∈ P" and "P ∈ trace.stuttering.closed" for ψ1 ψ2 i and P :: "('a, 's, 'v) trace.t set" using that(2-) by - (rule behavior.stuttering.equiv.takeE[OF sym[OF ‹ψ1 ≃T ψ2›], where i=i]; fastforce intro: trace.stuttering.closed_in) show ?thesis by (fastforce simp: raw.from_spec_def elim: behavior.stuttering.clE *) safety_cl: assumes "P ∈ behavior.stuttering.closed" shows "raw.safety.cl P ∈ behavior.stuttering.closed" raw.safety.cl_def using assms (blast intro: subsetD[OF behavior.stuttering.closed.from_spec] subsetD[OF trace.stuttering.closed.to_spec]) ‹Sign.parent_path› ‹Sign.mandatory_path "tls"› to_spec :: "('a, 's, 'v) tls ==> ('a, 's, 'v) spec" is raw.to_spec raw.spec.closed.to_spec by blast from_spec :: "('a, 's, 'v) spec ==> ('a, 's, 'v) tls" is raw.from_spec (meson image_subset_iff behavior.stuttering.closed.from_spec raw.spec.closed.st safety: galois.complete_lattice_class tls.to_spec tls.from_spec standard (transfer; simp add: raw.safety.galois) ‹Sign.mandatory_path "from_spec"› singleton: notes spec.singleton.transfer[transfer_rule] shows "tls.from_spec (spec.singleton σ) = ⊔(tls.singleton ` {ψ . ∀i. behavior.take i ψ ∈ Safety_Logic.raw.singleton σ})" transfer (simp add: behavior.stuttering.cl_bot raw.from_spec.singleton) bot = raw.from_spec.empty[transferred] sup: shows "tls.from_spec (P ⊔ Q) = tls.from_spec P ⊔ tls.from_spec Q" transfer (rule raw.from_spec.sup) Inf = tls.safety.upper_Inf inf = tls.safety.upper_inf ‹Sign.parent_path› ‹Sign.mandatory_path "to_spec"› singleton: notes spec.singleton.transfer[transfer_rule] shows "tls.to_spec (tls.singleton ψ) = (⊔i. spec.singleton (behavior.take i ψ))" transfer (simp add: raw.to_spec.singleton) bot = tls.safety.lower_bot Sup = tls.safety.lower_Sup sup = tls.safety.lower_sup ‹Sign.parent_path› ‹Sign.mandatory_path "safety"› ‹Sign.mandatory_path "cl"› transfer[transfer_rule]: shows "rel_fun (pcr_tls (=) (=) (=)) (pcr_tls (=) (=) (=)) raw.safety.cl tls.saf raw.safety.cl_def tls.safety.cl_def by transfer_prover bot[iff]: shows "tls.safety.cl ⊥ = ⊥" (simp add: tls.safety.cl_def tls.from_spec.bot tls.safety.lower_bot) sup: shows "tls.safety.cl (P ⊔ Q) = tls.safety.cl P ⊔ tls.safety.cl Q" (simp add: tls.safety.cl_def tls.from_spec.sup tls.to_spec.sup) state_prop = raw.safety.cl.state_prop[transferred] always_le = raw.safety.cl.always_le[transferred] eventually: ―‹ all the infinite traces and any finite ones that satisfy ‹♢P› › assumes "P ≠ ⊥" shows "tls.safety.cl (♢P) = -♢tls.terminated ⊔ ♢P" assms by transfer (rule raw.safety.cl.eventually) terminated_iff: assumes "(•ψ•)T ≤ tls.terminated" shows "(•ψ•)T ≤ tls.safety.cl P ⟷ (•ψ•)T ≤ P" (is "?lhs ⟷ ?rhs") assms transfer (simp add: raw.singleton_def behavior.stuttering.least_conv raw.safety.cl.termin behavior.stuttering.closed.safety_cl behavior.stuttering.closed.raw.terminated) terminated: shows "tls.safety.cl tls.terminated = tls.idle ⊔ tls.terminated" transfer (simp add: raw.safety.cl.terminated) not_terminated: shows "tls.safety.cl (- tls.terminated) = - tls.terminated" (is "?lhs = ?rhs") - have "?lhs = tls.safety.cl (♢(- tls.terminated))" by (simp flip: tls.always.neg tls.terminated.eq_always_terminated) also have "… = - ♢tls.terminated ⊔ ♢(- tls.terminated)" by (metis tls.safety.cl.eventually tls.terminated.not_top boolean_algebra.compl_zero boolean_algebra_class.boolean_algebra.double_compl) also have "… = ?rhs" by (simp add: sup.absorb2 tls.eventually.expansive flip: tls.always.neg tls.terminated.eq_always_terminated) finally show ?thesis . le_terminated_conv: shows "tls.safety.cl P ≤ tls.terminated ⟷ P = ⊥" (is "?lhs ⟷ ?rhs") (rule iffI) show "?lhs ==> ?rhs" by transfer (rule raw.safety.cl.le_terminated_bot) show "?rhs ==> ?lhs" by simp ‹Sign.parent_path› ‹Sign.mandatory_path "closed"› transfer[transfer_rule]: shows "rel_set (pcr_tls (=) (=) (=)) (behavior.stuttering.closed ∩ raw.safety.closed) tls.safety.closed" (is "rel_set _ ?lhs ?rhs") (rule rel_setI) fix X assume "X ∈ ?lhs" then show "∃Y∈?rhs. pcr_tls (=) (=) (=) X Y" by (metis (no_types, opaque_lifting) raw.safety.cl_def raw.safety.closed_conv tl tls.from_spec.rep_eq TLS_inverse cr_tls_def tls.pcr_cr_eq tls.to_spec.rep_eq Int fix Y assume "Y ∈ ?rhs" then show "∃X∈?lhs. pcr_tls (=) (=) (=) X Y" by (metis tls.safety.cl_def tls.safety.closed_conv tls.from_spec.rep_eq tls.pcr_cr_eq cr_tls_def unTLS raw.safety.closed_upper Int_iff) bot: shows "⊥ ∈ tls.safety.closed" (simp add: tls.safety.closed_clI) sup: assumes "P ∈ tls.safety.closed" assumes "Q ∈ tls.safety.closed" shows "P ⊔ Q ∈ tls.safety.closed" (simp add: assms tls.safety.closed_clI tls.safety.cl.sup flip: tls.safety.close inf = tls.safety.closed_inf boolean_implication: assumes "-P ∈ tls.safety.closed" assumes "Q ∈ tls.safety.closed" shows "P \⟶B Q ∈ tls.safety.closed" (simp add: assms boolean_implication.conv_sup tls.safety.closed.sup) state_prop: shows "tls.state_prop P ∈ tls.safety.closed" (simp add: tls.safety.closed_clI tls.safety.cl.state_prop) not_terminated: shows "- tls.terminated ∈ tls.safety.closed" (simp add: tls.safety.closed_clI tls.safety.cl.not_terminated) unless: assumes "P ∈ tls.safety.closed" assumes "Q ∈ tls.safety.closed" shows "tls.unless P Q ∈ tls.safety.closed" assms by transfer (blast intro: raw.safety.closed.unless) always: assumes "P ∈ tls.safety.closed" shows "tls.always P ∈ tls.safety.closed" (simp add: assms tls.always_alt_def tls.safety.closed.bot tls.safety.closed.unl ‹Sign.parent_path› ‹Sign.mandatory_path "cl"› until_unless_le: assumes "P ∈ tls.safety.closed" assumes "Q ∈ tls.safety.closed" shows "tls.safety.cl (tls.until P Q) ≤ tls.unless P Q" (simp add: order.trans[OF tls.safety.cl_inf_le] tls.until.eq_unless_inf_eventua flip: tls.safety.closed_conv[OF tls.safety.closed.unless[OF assms]]) ‹Sign.parent_path› ‹Sign.parent_path› ‹Sign.mandatory_path "singleton"› to_spec_le_conv[tls.singleton.le_conv]: notes spec.singleton.transfer[transfer_rule] shows "(•σ•) ≤ tls.to_spec P ⟷ (∃ψ i. (•ψ•)T ≤ P ∧ σ = behavior.take i ψ)" transfer (simp add: TLS.raw.singleton_def behavior.stuttering.least_conv Safety_Logic.raw raw.spec.least_conv[OF subsetD[OF raw.spec.closed.to_spec]]; fastforce simp: raw.to_spec_def) from_spec_le_conv[tls.singleton.le_conv]: notes spec.singleton.transfer[transfer_rule] shows "(•ψ•)T ≤ tls.from_spec P ⟷ (∀i. (•behavior.take i ψ•) ≤ P)" transfer (simp add: TLS.raw.singleton_def Safety_Logic.raw.singleton_def raw.spec.least_c behavior.stuttering.least_conv subsetD[OF behavior.stuttering.closed.from_spec imageI[OF raw.spec.closed.stuttering_closed]]; simp add: raw.from_spec_def) safety_cl_le_conv[tls.singleton.le_conv]: shows "(•ψ•)T ≤ tls.safety.cl P ⟷ (∀i. ∃ψ'. (•ψ'•)T ≤ P ∧ behavior.take i ψ = behavi transfer (simp add: TLS.raw.singleton_def behavior.stuttering.least_conv behavior.stutter fastforce intro: raw.safety.cl_altI elim: raw.safety.cl_altE) ‹Sign.parent_path› ‹Sign.parent_path› ‹ Maps\label{sec:tls-maps} › ‹Sign.mandatory_path "tls"› map :: "('a ==> 'b) ==> ('s ==> 't) ==> ('v ==> 'w) ==> ('a, 's, 'v) tls ==> (' "map af sf vf P = ⊔(tls.singleton ` behavior.map af sf vf ` {σ. (•σ•)T ≤ P})" invmap :: "('a ==> 'b) ==> ('s ==> 't) ==> ('v ==> 'w) ==> ('b, 't, 'w) tls ==> "invmap af sf vf P = ⊔(tls.singleton ` behavior.map af sf vf -` {σ. (•σ•)T ≤ P})" amap ::"('a ==> 'b) ==> ('a, 's, 'v) tls ==> ('b, 's, 'v) tls" where "amap af ≡ tls.map af id id" ainvmap ::"('a ==> 'b) ==> ('b, 's, 'v) tls ==> ('a, 's, 'v) tls" where "ainvmap af ≡ tls.invmap af id id" smap ::"('s ==> 't) ==> ('a, 's, 'v) tls ==> ('a, 't, 'v) tls" where "smap sf ≡ tls.map id sf id" sinvmap ::"('s ==> 't) ==> ('a, 't, 'v) tls ==> ('a, 's, 'v) tls" where "sinvmap sf ≡ tls.invmap id sf id" vmap ::"('v ==> 'w) ==> ('a, 's, 'v) tls ==> ('a, 's, 'w) tls" where ―‹ aka ‹li "vmap vf ≡ tls.map id id vf" vinvmap ::"('v ==> 'w) ==> ('a, 's, 'w) tls ==> ('a, 's, 'v) tls" where "vinvmap vf ≡ tls.invmap id id vf" map_invmap: galois.complete_lattice_distributive_class "tls.map af sf vf" "tls.invmap af sf vf" for af sf vf standard show "tls.map af sf vf P ≤ Q ⟷ P ≤ tls.invmap af sf vf Q" (is "?lhs ⟷ ?rhs") for proof(rule iffI) show "?lhs ==> ?rhs" by (fastforce simp: tls.map_def tls.invmap_def intro: tls.singleton_le_extI) show "?rhs ==> ?lhs" by (fastforce simp: tls.map_def tls.invmap_def tls.singleton_le_conv dest: order.trans[of _ P] behavior.stuttering.equiv.map[where af=af and sf=sf an cong: tls.singleton_cong) qed show "tls.invmap af sf vf (⊔X) ≤ ⊔(tls.invmap af sf vf ` X)" for X by (fastforce simp: tls.invmap_def) ‹Sign.mandatory_path "singleton"› map_le_conv[tls.singleton.le_conv]: shows "(•ψ•)T ≤ tls.map af sf vf P ⟷ (∃ψ'. (•ψ'•)T ≤ P ∧ (•ψ•)T ≤ (•behavior.map af (simp add: tls.map_def) invmap_le_conv[tls.singleton.le_conv]: shows "(•ψ•)T ≤ tls.invmap af sf vf P ⟷ (•behavior.map af sf vf ψ•)T ≤ P" (simp add: tls.invmap_def tls.singleton_le_conv) (metis behavior.natural.map_natural tls.singleton_eq_conv) ‹Sign.parent_path› ‹Sign.mandatory_path "map"› bot = tls.map_invmap.lower_bot monotone = tls.map_invmap.monotone_lower mono = monotoneD[OF tls.map.monotone] Sup = tls.map_invmap.lower_Sup sup = tls.map_invmap.lower_sup Inf_le = tls.map_invmap.lower_Inf_le ―‹ Converse does not hold › inf_le = tls.map_invmap.lower_inf_le ―‹ Converse does not hold › invmap_le = tls.map_invmap.lower_upper_contractive singleton: shows "tls.map af sf vf (•ψ•)T = (•behavior.map af sf vf ψ•)T" (auto simp: tls.map_def order.eq_iff tls.singleton_le_conv intro: behavior.stut top: assumes "surj af" assumes "surj sf" assumes "surj vf" shows "tls.map af sf vf ⊤ = ⊤" (rule antisym) (auto simp: assms tls.singleton.top tls.map.Sup tls.map.singleton surj_f_inv_f intro: exI[where x="behavior.map (inv af) (inv sf) (inv vf) σ" for σ]) id: shows "tls.map id id id P = P" and "tls.map (λx. x) (λx. x) (λx. x) P = P" (simp_all add: tls.map_def flip: id_def) comp: shows "tls.map af sf vf ∘ tls.map ag sg vg = tls.map (af ∘ ag) (sf ∘ sg) (vf ∘ v and "tls.map af sf vf (tls.map ag sg vg P) = tls.map (λa. af (ag a)) (λs. sf (sg s - have "?lhs P = ?rhs P" for P by (rule tls.singleton.exhaust[where x=P]) (simp add: tls.map.Sup tls.map.singleton map_prod.comp image_image comp_def) then show "?lhs = ?rhs" and ?thesis1 by (simp_all add: comp_def) map = tls.map.comp ‹Sign.parent_path› ‹Sign.mandatory_path "invmap"› bot = tls.map_invmap.upper_bot top = tls.map_invmap.upper_top monotone = tls.map_invmap.monotone_upper mono = monotoneD[OF tls.invmap.monotone] Sup = tls.map_invmap.upper_Sup sup = tls.map_invmap.upper_sup Inf = tls.map_invmap.upper_Inf inf = tls.map_invmap.upper_inf singleton: shows "tls.invmap af sf vf (•ψ•)T = ⊔(tls.singleton ` {ψ'. (•behavior.map af sf vf (simp add: tls.invmap_def) id: shows "tls.invmap id id id P = P" and "tls.invmap (λx. x) (λx. x) (λx. x) P = P" id_def[symmetric] by (metis tls.map.id(1) tls.map_invmap.lower_upper_lower(2))+ comp: shows "tls.invmap af sf vf (tls.invmap ag sg vg P) = tls.invmap (λx. ag (af x)) (λ and "tls.invmap af sf vf ∘ tls.invmap ag sg vg = tls.invmap (ag ∘ af) (sg ∘ sf) - show "?lhs P = ?rhs P" for P by (auto intro: tls.singleton.antisym tls.singleton_le_extI simp: tls.singleton. then show ?thesis1 by (simp add: fun_eq_iff comp_def) invmap = tls.invmap.comp ‹Sign.parent_path› ‹Sign.mandatory_path "to_spec"› map: shows "tls.to_spec (tls.map af sf vf P) = spec.map af sf vf (tls.to_spec P)" (rule tls.singleton.exhaust[of P]) (simp add: tls.map.Sup tls.map.singleton spec.map.Sup spec.map.singleton image_i tls.to_spec.singleton tls.to_spec.Sup behavior.take.map) ‹Sign.parent_path› ‹Sign.parent_path› ‹ Abadi's axioms for TLA\label{sec:tls-abadi_axioms} › ‹ axioms for ``propositional'' TLA due to 🍋‹"Abadi:1990"› hold in this model. are complete for const‹tls.always› and const‹tls.eventually›. : ▪ Abadi says that the temporal system is D aka S4.3Dum; see 🍋‹‹\S8› in "Goldbla ▪ the only interesting axiom here is 5: the discrete-time Dummett axiom ▪ ``propositional'' means that actions are treated separately; we omit this part ‹Sign.mandatory_path "tls.Abadi"› Ax1: shows "⊨ ◻(P \⟶B Q)\⟶B ◻P \⟶B ◻Q" (simp add: tls.valid_def boolean_implication.shunt_top tls.always.always_imp_le Ax2: shows "⊨ ◻P \⟶B P" (simp add: tls.valid_def boolean_implication.shunt_top tls.always.contractive) Ax3: shows "⊨ ◻P \⟶B ◻◻P" (simp add: tls.validI) Ax4: ―‹ ``a classical way to express that time is linear -- that any two instants in 🍋‹‹(254) Lemmon formula› in "WarfordVegaStaley:2020"› shows "⊨ ◻(◻P \⟶B Q) ⊔ ◻(◻Q \⟶B P)" - have "⊨ (-◻P) W ◻Q ⊔ (-◻Q) W ◻P" by (rule tls.unless.ordering) also have "… ≤ ◻((-◻P) W ◻Q) ⊔ ◻((-◻Q) W ◻P)" by (metis sup_mono tls.always.idempotent tls.unless.alwaysR_le) also have "… ≤ ◻(-◻P ⊔ Q) ⊔ ◻(-◻Q ⊔ P)" by (strengthen ord_to_strengthen(1)[OF tls.unless.sup_le]) (meson order.refl sup_mono tls.always.contractive tls.always.mono) also have "… = ◻(◻P \⟶B Q) ⊔ ◻(◻Q \⟶B P)" by (simp add: boolean_implication.conv_sup) finally show ?thesis . Ax5: ―‹ ``expresses the discreteness of time'' See also 🍋‹‹\S4.1 ``the Dummett formula''› in "WarfordVegaStaley:2020"›: for th ``next'' encodes discreteness fixes P :: "('a, 's, 'v) tls" shows "⊨ ◻(◻(P \⟶B ◻P) \⟶B P) \⟶B ♢◻P \⟶B P" (is "⊨ ?goal") - have raw_Ax5: "raw.always (raw.eventually (P ∩ raw.eventually (-P)) ∪ P) ∩ raw.eventually (raw.always P) ⊆ P" (is "?lhs ⊆ ?rhs") for P :: "('a, 's, 'v) behavior.t set" (rule subsetI) fix ψ assume "ψ ∈ ?lhs" from IntD2[OF ‹ψ ∈ ?lhs›] obtain i where "∃ψ'. behavior.dropn i ψ = Some ψ' ∧ ψ' ∈ raw.always P" by (force simp: raw.always_alt_def raw.eventually_alt_def) then obtain i where i: "∃ψ'. behavior.dropn i ψ = Some ψ' ∧ ψ' ∈ raw.always P" and "∀j<i. ∀ψ'. behavior.dropn j ψ = Some ψ' ⟶ ψ' ∉ raw.always P" using ex_has_least_nat[where k=i and P="λi. ∃ψ'. behavior.dropn i ψ = Some ψ' ∧ ψ' ∈ by (auto dest: leD) have "∃ψ'. behavior.dropn (i - j) ψ = Some ψ' ∧ ψ' ∈ raw.always P" for j proof(induct j) case (Suc j) show ?case proof(cases "j < i") case True show ?thesis proof(rule ccontr) assume "∄ψ'. behavior.dropn (i - Suc j) ψ = Some ψ' ∧ ψ' ∈ raw.always P" with ‹∃ψ'. behavior.dropn i ψ = Some ψ' ∧ ψ' ∈ raw.always P› have "∃ψ'. behavior.dropn (i - Suc j) ψ = Some ψ' ∧ ψ' ∉ raw.always P" using behavior.dropn.shorterD[OF _ diff_le_self] by blast then obtain k where "∃ψ'. behavior.dropn (i - Suc j + k) ψ = Some ψ' ∧ ψ' ∉ P" by (clarsimp simp: raw.always_alt_def behavior.dropn.add behavior.dropn.Suc) bla with Suc.hyps ‹j < i› have "∃ψ'. behavior.dropn (i - Suc j) ψ = Some ψ' ∧ ψ' ∉ P" by (fastforce simp: raw.always_alt_def behavior.dropn.add split: nat_diff_split_asm dest: spec[where x="k - 1"]) with ‹j < i› IntD1[OF ‹ψ ∈ ?lhs›] obtain m n where "∃ψ' ψ'' ψ'''. behavior.dropn (i - Suc j) ψ = Some ψ' ∧ ψ' ∉ P ∧ behavior.dropn m ψ' = Some ψ'' ∧ ψ'' ∈ P ∧ behavior.dropn n ψ'' = Some ψ''' ∧ ψ''' ∉ P" by (simp add: raw.always_alt_def raw.eventually_alt_def) (blast dest: spec[where x="i - Suc j"]) with ‹j < i› Suc.hyps show False by (clarsimp simp: raw.always_alt_def dest!: spec[where x="m + n - 1"] split: na (metis behavior.dropn.Suc behavior.dropn.bind_tl_commute behavior.dropn.dropn bi qed qed (use Suc.hyps in simp) qed (use i in simp) from this[of i] show "ψ ∈ P" by (fastforce simp: raw.always_alt_def dest: spec[where x=0]) qed show ?thesis proof(rule tls.validI) have "◻(♢(P ⊓ ♢(- P)) ⊔ P) ⊓ ♢◻P ≤ P" by (rule raw_Ax5[transferred]) then have "◻(♢(P ⊓ ♢(- P)) ⊔ P) ⊓ ♢◻P ≤ P" by (simp add: boolean_implication.conv_sup tls.always.neg) then show "⊤ ≤ ?goal" by - (intro iffD1[OF boolean_implication.shunt1]; simp add: boolean_implication.conv_sup tls.always.neg) qed Ax6: assumes "⊨ P" shows "⊨ ◻P" (rule tls.always.always_necessitation[OF assms]) ―‹ Ax7: propositional tautologies: given by the 🍋‹boolean_algebra› instance › Ax8: assumes "⊨ P" assumes "⊨ P \⟶B Q" shows "⊨ Q" (rule tls.valid.rev_mp[OF assms]) ‹Sign.parent_path› ‹ Tweak syntax › tls.no_syntax tls.singleton (‹(•_•)T›) ‹Sign.mandatory_path "tls"› extra_syntax tls.singleton (‹(•_•)T› [0]) tls.from_spec (‹(_)› [0]) ‹Sign.parent_path› (*<*) end (*>*)
¤ Diese beiden folgenden Angebotsgruppen bietet das Unternehmen0.313Angebot ¤*Eine klare Vorstellung vom Zielzustand |
|
||||||||||||||
2026-06-12