| Quellcodebibliothek Statistik Leitseite products/sources/formale Sprachen/Isabelle/HOL/UNITY/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 14 kB |
|
Quelle SubstAx.thy Sprache: Isabelle |
|||||||||
|
(* Title: HOL/UNITY/SubstAx.thy
Author: Lawrence C Paulson, Cambridge University Computer Laboratory Copyright 1998 University of Cambridge Weak LeadsTo relation (restricted to the set of reachable states) *) section\<open>Weak Progress\<close> theory SubstAx imports WFair Constrains begin definition Ensures :: "['a set, 'a set] => 'a program set" (infixl \<open>Ensures\<close> "A Ensures B == {F. F \ definition LeadsTo :: "['a set, 'a set] => 'a program set" (infixl \<open>LeadsTo\<close> "A LeadsTo B == {F. F \ notation LeadsTo (infixl \<open>\<longmapsto>w\<close> 60) text\<open>Resembles the previous definition of LeadsTo\<close> lemma LeadsTo_eq_leadsTo: "A LeadsTo B = {F. F \ apply (unfold LeadsTo_def) apply (blast dest: psp_stable2 intro: leadsTo_weaken) done subsection\<open>Specialized laws for handling invariants\<close> (** Conjoining an Always property **) lemma Always_LeadsTo_pre: "F \ by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric]) lemma Always_LeadsTo_post: "F \ by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric]) (* [| F \<in> Always C; F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *) lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1] (* [| F \<in> Always INV; F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *) lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2] subsection\<open>Introduction rules: Basis, Trans, Union\<close> lemma leadsTo_imp_LeadsTo: "F \ apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_L) done lemma LeadsTo_Trans: "[| F \ apply (simp add: LeadsTo_eq_leadsTo) apply (blast intro: leadsTo_Trans) done lemma LeadsTo_Union: "(!!A. A \ apply (simp add: LeadsTo_def) apply (subst Int_Union) apply (blast intro: leadsTo_UN) done subsection\<open>Derived rules\<close> lemma LeadsTo_UNIV [simp]: "F \ by (simp add: LeadsTo_def) text\<open>Useful with cancellation, disjunction\<close> lemma LeadsTo_Un_duplicate: "F \ by (simp add: Un_ac) lemma LeadsTo_Un_duplicate2: "F \ by (simp add: Un_ac) lemma LeadsTo_UN: "(!!i. i \ apply (blast intro: LeadsTo_Union) done text\<open>Binary union introduction rule\<close> lemma LeadsTo_Un: "[| F \ using LeadsTo_UN [of "{A, B}" F id C] by auto text\<open>Lets us look at the starting state\<close> lemma single_LeadsTo_I: "(!!s. s \ by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast) lemma subset_imp_LeadsTo: "A \ apply (simp add: LeadsTo_def) apply (blast intro: subset_imp_leadsTo) done lemmas empty_LeadsTo = empty_subsetI [THEN subset_imp_LeadsTo, simp] lemma LeadsTo_weaken_R: "[| F \ apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_R) done lemma LeadsTo_weaken_L: "[| F \ ==> F \<in> B LeadsTo A'" apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_L) done lemma LeadsTo_weaken: "[| F \ B \<subseteq> A; A' \<subseteq> B' |] ==> F \<in> B LeadsTo B'" by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans) lemma Always_LeadsTo_weaken: "[| F \ C \<inter> B \<subseteq> A; C \<inter> A' \<subseteq> B' |] ==> F \<in> B LeadsTo B'" by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD) (** Two theorems for "proof lattices" **) lemma LeadsTo_Un_post: "F \ by (blast intro: LeadsTo_Un subset_imp_LeadsTo) lemma LeadsTo_Trans_Un: "[| F \ ==> F \<in> (A \<union> B) LeadsTo C" by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans) (** Distributive laws **) lemma LeadsTo_Un_distrib: "(F \ by (blast intro: LeadsTo_Un LeadsTo_weaken_L) lemma LeadsTo_UN_distrib: "(F \ by (blast intro: LeadsTo_UN LeadsTo_weaken_L) lemma LeadsTo_Union_distrib: "(F \ by (blast intro: LeadsTo_Union LeadsTo_weaken_L) (** More rules using the premise "Always INV" **) lemma LeadsTo_Basis: "F \ by (simp add: Ensures_def LeadsTo_def leadsTo_Basis) lemma EnsuresI: "[| F \ ==> F \<in> A Ensures B" apply (simp add: Ensures_def Constrains_eq_constrains) apply (blast intro: ensuresI constrains_weaken transient_strengthen) done lemma Always_LeadsTo_Basis: "[| F \ F \<in> (INV \<inter> (A-A')) Co (A \<union> A'); F \<in> transient (INV \<inter> (A-A')) |] ==> F \<in> A LeadsTo A'" apply (rule Always_LeadsToI, assumption) apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] t done text\<open>Set difference: maybe combine with \<open>leadsTo_weaken_L\<close>?? This is the most useful form of the "disjunction" rule\<close> lemma LeadsTo_Diff: "[| F \ ==> F \<in> A LeadsTo C" by (blast intro: LeadsTo_Un LeadsTo_weaken) lemma LeadsTo_UN_UN: "(!! i. i \ ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo (\<Union>i \<in> I. A' i)" apply (blast intro: LeadsTo_Union LeadsTo_weaken_R) done text\<open>Version with no index set\<close> lemma LeadsTo_UN_UN_noindex: "(!!i. F \ by (blast intro: LeadsTo_UN_UN) text\<open>Version with no index set\<close> lemma all_LeadsTo_UN_UN: "\ ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)" by (blast intro: LeadsTo_UN_UN) text\<open>Binary union version\<close> lemma LeadsTo_Un_Un: "[| F \ ==> F \<in> (A \<union> B) LeadsTo (A' \<union> B')" by (blast intro: LeadsTo_Un LeadsTo_weaken_R) (** The cancellation law **) lemma LeadsTo_cancel2: "[| F \ ==> F \<in> A LeadsTo (A' \<union> B')" by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans) lemma LeadsTo_cancel_Diff2: "[| F \ ==> F \<in> A LeadsTo (A' \<union> B')" apply (rule LeadsTo_cancel2) prefer 2 apply assumption apply (simp_all (no_asm_simp)) done lemma LeadsTo_cancel1: "[| F \ ==> F \<in> A LeadsTo (B' \<union> A')" apply (simp add: Un_commute) apply (blast intro!: LeadsTo_cancel2) done lemma LeadsTo_cancel_Diff1: "[| F \ ==> F \<in> A LeadsTo (B' \<union> A')" apply (rule LeadsTo_cancel1) prefer 2 apply assumption apply (simp_all (no_asm_simp)) done text\<open>The impossibility law\<close> text\<open>The set "A" may be non-empty, but it contains no reachable states\<close> lemma LeadsTo_empty: "[|F \ apply (simp add: LeadsTo_def Always_eq_includes_reachable) apply (drule leadsTo_empty, auto) done subsection\<open>PSP: Progress-Safety-Progress\<close> text\<open>Special case of PSP: Misra's "stable conjunction"\<close> lemma PSP_Stable: "[| F \ ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B)" apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable) apply (drule psp_stable, assumption) apply (simp add: Int_ac) done lemma PSP_Stable2: "[| F \ ==> F \<in> (B \<inter> A) LeadsTo (B \<inter> A')" by (simp add: PSP_Stable Int_ac) lemma PSP: "[| F \ ==> F \<in> (A \<inter> B') LeadsTo ((A' \<inter> B) \<union> (B' - B))" apply (simp add: LeadsTo_def Constrains_eq_constrains) apply (blast dest: psp intro: leadsTo_weaken) done lemma PSP2: "[| F \ ==> F \<in> (B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))" by (simp add: PSP Int_ac) lemma PSP_Unless: "[| F \ ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')" apply (unfold Unless_def) apply (drule PSP, assumption) apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo) done lemma Stable_transient_Always_LeadsTo: "[| F \ F \<in> Always (-A \<union> B \<union> C) |] ==> F \<in> A LeadsTo B" apply (erule Always_LeadsTo_weaken) apply (rule LeadsTo_Diff) prefer 2 apply (erule transient_imp_leadsTo [THEN leadsTo_imp_LeadsTo, THEN PSP_Stable2]) apply (blast intro: subset_imp_LeadsTo)+ done subsection\<open>Induction rules\<close> (** Meta or object quantifier ????? **) lemma LeadsTo_wf_induct: "[| wf r; \<forall>m. F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |] ==> F \<in> A LeadsTo B" apply (simp add: LeadsTo_eq_leadsTo) apply (erule leadsTo_wf_induct) apply (blast intro: leadsTo_weaken) done lemma Bounded_induct: "[| wf r; \<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |] ==> F \<in> A LeadsTo ((A - (f-`I)) \<union> B)" apply (erule LeadsTo_wf_induct, safe) apply (case_tac "m \ apply (blast intro: LeadsTo_weaken) apply (blast intro: subset_imp_LeadsTo) done lemma LessThan_induct: "(!!m::nat. F \ ==> F \<in> A LeadsTo B" by (rule wf_less_than [THEN LeadsTo_wf_induct], auto) text\<open>Integer version. Could generalize from 0 to any lower bound\<close> lemma integ_0_le_induct: "[| F \ !! z. F \<in> (A \<inter> {s. f s = z}) LeadsTo ((A \<inter> {s. f s < z}) \<union> B) |] ==> F \<in> A LeadsTo B" apply (rule_tac f = "nat o f" in LessThan_induct) apply (simp add: vimage_def) apply (rule Always_LeadsTo_weaken, assumption+) apply (auto simp add: nat_eq_iff nat_less_iff) done lemma LessThan_bounded_induct: "!!l::nat. \ F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B) ==> F \<in> A LeadsTo ((A \<inter> (f-`(atMost l))) \<union> B)" apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric]) apply (rule wf_less_than [THEN Bounded_induct], simp) done lemma GreaterThan_bounded_induct: "!!l::nat. \ F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(greaterThan m)) \<union> B) ==> F \<in> A LeadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)" apply (rule_tac f = f and f1 = "%k. l - k" in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct]) apply (simp add: Image_singleton, clarify) apply (case_tac "m apply (blast intro: LeadsTo_weaken_R diff_less_mono2) apply (blast intro: not_le_imp_less subset_imp_LeadsTo) done subsection\<open>Completion: Binary and General Finite versions\<close> lemma Completion: "[| F \ F \<in> B LeadsTo (B' \<union> C); F \<in> B' Co (B' \<union> C) |] ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)" apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib) apply (blast intro: completion leadsTo_weaken) done lemma Finite_completion_lemma: "finite I ==> (\<forall>i \<in> I. F \<in> (A i) LeadsTo (A' i \<union> C)) --> (\<forall>i \<in> I. F \<in> (A' i) Co (A' i \<union> C)) --> F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" apply (erule finite_induct, auto) apply (rule Completion) prefer 4 apply (simp only: INT_simps [symmetric]) apply (rule Constrains_INT, auto) done lemma Finite_completion: "[| finite I; !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i \<union> C); !!i. i \<in> I ==> F \<in> (A' i) Co (A' i \<union> C) |] ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" by (blast intro: Finite_completion_lemma [THEN mp, THEN mp]) lemma Stable_completion: "[| F \ F \<in> B LeadsTo B'; F \<in> Stable B' |] ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')" apply (unfold Stable_def) apply (rule_tac C1 = "{}" in Completion [THEN LeadsTo_weaken_R]) apply (force+) done lemma Finite_stable_completion: "[| finite I; !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i); !!i. i \<in> I ==> F \<in> Stable (A' i) |] ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo (\<Inter>i \<in> I. A' i)" apply (unfold Stable_def) apply (rule_tac C1 = "{}" in Finite_completion [THEN LeadsTo_weaken_R]) apply (simp_all, blast+) done end ¤ Dauer der Verarbeitung: 0.14 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28