Quellcode-Bibliothek

^© Kompilation durch diese Firma

[Weder Korrektheit noch Funktionsfähigkeit der Software werden zugesichert.]

Datei: SubstAx.thy Sprache: Isabelle

Original von: Isabelle^©

(*  Title:      HOL/UNITY/SubstAx.thy
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
    Copyright   1998  University of Cambridge

Weak LeadsTo relation (restricted to the set of reachable states)
*)

section\<open>Weak Progress\<close>

theory SubstAx imports WFair Constrains begin

definition Ensures :: "['a set, 'a set] => 'a program set" (infixl "Ensures" 60) where
    "A Ensures B == {F. F \ (reachable F \ A) ensures B}"

definition LeadsTo :: "['a set, 'a set] => 'a program set" (infixl "LeadsTo" 60) where
    "A LeadsTo B == {F. F \ (reachable F \ A) leadsTo B}"

notation LeadsTo  (infixl "\w" 60)

text\<open>Resembles the previous definition of LeadsTo\<close>
lemma LeadsTo_eq_leadsTo:
     "A LeadsTo B = {F. F \ (reachable F \ A) leadsTo (reachable F \ B)}"
apply (unfold LeadsTo_def)
apply (blast dest: psp_stable2 intro: leadsTo_weaken)
done

subsection\<open>Specialized laws for handling invariants\<close>

(** Conjoining an Always property **)

lemma Always_LeadsTo_pre:
     "F \ Always INV ==> (F \ (INV \ A) LeadsTo A') = (F \ A LeadsTo A')"
by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2
              Int_assoc [symmetric])

lemma Always_LeadsTo_post:
     "F \ Always INV ==> (F \ A LeadsTo (INV \ A')) = (F \ A LeadsTo A')"
by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2
              Int_assoc [symmetric])

(* [| F \<in> Always C;  F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *)
lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1]

(* [| F \<in> Always INV;  F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *)
lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2]

subsection\<open>Introduction rules: Basis, Trans, Union\<close>

lemma leadsTo_imp_LeadsTo: "F \ A leadsTo B ==> F \ A LeadsTo B"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_L)
done

lemma LeadsTo_Trans:
     "[| F \ A LeadsTo B; F \ B LeadsTo C |] ==> F \ A LeadsTo C"
apply (simp add: LeadsTo_eq_leadsTo)
apply (blast intro: leadsTo_Trans)
done

lemma LeadsTo_Union:
     "(!!A. A \ S ==> F \ A LeadsTo B) ==> F \ (\S) LeadsTo B"
apply (simp add: LeadsTo_def)
apply (subst Int_Union)
apply (blast intro: leadsTo_UN)
done

subsection\<open>Derived rules\<close>

lemma LeadsTo_UNIV [simp]: "F \ A LeadsTo UNIV"
by (simp add: LeadsTo_def)

text\<open>Useful with cancellation, disjunction\<close>
lemma LeadsTo_Un_duplicate:
     "F \ A LeadsTo (A' \ A') ==> F \ A LeadsTo A'"
by (simp add: Un_ac)

lemma LeadsTo_Un_duplicate2:
     "F \ A LeadsTo (A' \ C \ C) ==> F \ A LeadsTo (A' \ C)"
by (simp add: Un_ac)

lemma LeadsTo_UN:
     "(!!i. i \ I ==> F \ (A i) LeadsTo B) ==> F \ (\i \ I. A i) LeadsTo B"
apply (blast intro: LeadsTo_Union)
done

text\<open>Binary union introduction rule\<close>
lemma LeadsTo_Un:
     "[| F \ A LeadsTo C; F \ B LeadsTo C |] ==> F \ (A \ B) LeadsTo C"
  using LeadsTo_UN [of "{A, B}" F id C] by auto

text\<open>Lets us look at the starting state\<close>
lemma single_LeadsTo_I:
     "(!!s. s \ A ==> F \ {s} LeadsTo B) ==> F \ A LeadsTo B"
by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast)

lemma subset_imp_LeadsTo: "A \ B ==> F \ A LeadsTo B"
apply (simp add: LeadsTo_def)
apply (blast intro: subset_imp_leadsTo)
done

lemmas empty_LeadsTo = empty_subsetI [THEN subset_imp_LeadsTo, simp]

lemma LeadsTo_weaken_R:
     "[| F \ A LeadsTo A'; A' \ B' |] ==> F \ A LeadsTo B'"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_R)
done

lemma LeadsTo_weaken_L:
     "[| F \ A LeadsTo A'; B \ A |]
      ==> F \<in> B LeadsTo A'"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_L)
done

lemma LeadsTo_weaken:
     "[| F \ A LeadsTo A';
         B  \<subseteq> A;   A' \<subseteq> B' |]
      ==> F \<in> B LeadsTo B'"
by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)

lemma Always_LeadsTo_weaken:
     "[| F \ Always C; F \ A LeadsTo A';
         C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]
      ==> F \<in> B LeadsTo B'"
by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD)

(** Two theorems for "proof lattices" **)

lemma LeadsTo_Un_post: "F \ A LeadsTo B ==> F \ (A \ B) LeadsTo B"
by (blast intro: LeadsTo_Un subset_imp_LeadsTo)

lemma LeadsTo_Trans_Un:
     "[| F \ A LeadsTo B; F \ B LeadsTo C |]
      ==> F \<in> (A \<union> B) LeadsTo C"
by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans)

(** Distributive laws **)

lemma LeadsTo_Un_distrib:
     "(F \ (A \ B) LeadsTo C) = (F \ A LeadsTo C & F \ B LeadsTo C)"
by (blast intro: LeadsTo_Un LeadsTo_weaken_L)

lemma LeadsTo_UN_distrib:
     "(F \ (\i \ I. A i) LeadsTo B) = (\i \ I. F \ (A i) LeadsTo B)"
by (blast intro: LeadsTo_UN LeadsTo_weaken_L)

lemma LeadsTo_Union_distrib:
     "(F \ (\S) LeadsTo B) = (\A \ S. F \ A LeadsTo B)"
by (blast intro: LeadsTo_Union LeadsTo_weaken_L)

(** More rules using the premise "Always INV" **)

lemma LeadsTo_Basis: "F \ A Ensures B ==> F \ A LeadsTo B"
by (simp add: Ensures_def LeadsTo_def leadsTo_Basis)

lemma EnsuresI:
     "[| F \ (A-B) Co (A \ B); F \ transient (A-B) |]
      ==> F \<in> A Ensures B"
apply (simp add: Ensures_def Constrains_eq_constrains)
apply (blast intro: ensuresI constrains_weaken transient_strengthen)
done

lemma Always_LeadsTo_Basis:
     "[| F \ Always INV;
         F \<in> (INV \<inter> (A-A')) Co (A \<union> A');
         F \<in> transient (INV \<inter> (A-A')) |]
  ==> F \<in> A LeadsTo A'"
apply (rule Always_LeadsToI, assumption)
apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
done

text\<open>Set difference: maybe combine with \<open>leadsTo_weaken_L\<close>??
  This is the most useful form of the "disjunction" rule\<close>
lemma LeadsTo_Diff:
     "[| F \ (A-B) LeadsTo C; F \ (A \ B) LeadsTo C |]
      ==> F \<in> A LeadsTo C"
by (blast intro: LeadsTo_Un LeadsTo_weaken)

lemma LeadsTo_UN_UN:
     "(!! i. i \ I ==> F \ (A i) LeadsTo (A' i))
      ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo (\<Union>i \<in> I. A' i)"
apply (blast intro: LeadsTo_Union LeadsTo_weaken_R)
done

text\<open>Version with no index set\<close>
lemma LeadsTo_UN_UN_noindex:
     "(!!i. F \ (A i) LeadsTo (A' i)) ==> F \ (\i. A i) LeadsTo (\i. A' i)"
by (blast intro: LeadsTo_UN_UN)

text\<open>Version with no index set\<close>
lemma all_LeadsTo_UN_UN:
     "\i. F \ (A i) LeadsTo (A' i)
      ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)"
by (blast intro: LeadsTo_UN_UN)

text\<open>Binary union version\<close>
lemma LeadsTo_Un_Un:
     "[| F \ A LeadsTo A'; F \ B LeadsTo B' |]
            ==> F \<in> (A \<union> B) LeadsTo (A' \<union> B')"
by (blast intro: LeadsTo_Un LeadsTo_weaken_R)

(** The cancellation law **)

lemma LeadsTo_cancel2:
     "[| F \ A LeadsTo (A' \ B); F \ B LeadsTo B' |]
      ==> F \<in> A LeadsTo (A' \<union> B')"
by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans)

lemma LeadsTo_cancel_Diff2:
     "[| F \ A LeadsTo (A' \ B); F \ (B-A') LeadsTo B' |]
      ==> F \<in> A LeadsTo (A' \<union> B')"
apply (rule LeadsTo_cancel2)
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done

lemma LeadsTo_cancel1:
     "[| F \ A LeadsTo (B \ A'); F \ B LeadsTo B' |]
      ==> F \<in> A LeadsTo (B' \<union> A')"
apply (simp add: Un_commute)
apply (blast intro!: LeadsTo_cancel2)
done

lemma LeadsTo_cancel_Diff1:
     "[| F \ A LeadsTo (B \ A'); F \ (B-A') LeadsTo B' |]
      ==> F \<in> A LeadsTo (B' \<union> A')"
apply (rule LeadsTo_cancel1)
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done

text\<open>The impossibility law\<close>

text\<open>The set "A" may be non-empty, but it contains no reachable states\<close>
lemma LeadsTo_empty: "[|F \ A LeadsTo {}; all_total F|] ==> F \ Always (-A)"
apply (simp add: LeadsTo_def Always_eq_includes_reachable)
apply (drule leadsTo_empty, auto)
done

subsection\<open>PSP: Progress-Safety-Progress\<close>

text\<open>Special case of PSP: Misra's "stable conjunction"\<close>
lemma PSP_Stable:
     "[| F \ A LeadsTo A'; F \ Stable B |]
      ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B)"
apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable)
apply (drule psp_stable, assumption)
apply (simp add: Int_ac)
done

lemma PSP_Stable2:
     "[| F \ A LeadsTo A'; F \ Stable B |]
      ==> F \<in> (B \<inter> A) LeadsTo (B \<inter> A')"
by (simp add: PSP_Stable Int_ac)

lemma PSP:
     "[| F \ A LeadsTo A'; F \ B Co B' |]
      ==> F \<in> (A \<inter> B') LeadsTo ((A' \<inter> B) \<union> (B' - B))"
apply (simp add: LeadsTo_def Constrains_eq_constrains)
apply (blast dest: psp intro: leadsTo_weaken)
done

lemma PSP2:
     "[| F \ A LeadsTo A'; F \ B Co B' |]
      ==> F \<in> (B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))"
by (simp add: PSP Int_ac)

lemma PSP_Unless:
     "[| F \ A LeadsTo A'; F \ B Unless B' |]
      ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')"
apply (unfold Unless_def)
apply (drule PSP, assumption)
apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo)
done

lemma Stable_transient_Always_LeadsTo:
     "[| F \ Stable A; F \ transient C;
         F \<in> Always (-A \<union> B \<union> C) |] ==> F \<in> A LeadsTo B"
apply (erule Always_LeadsTo_weaken)
apply (rule LeadsTo_Diff)
   prefer 2
   apply (erule
          transient_imp_leadsTo [THEN leadsTo_imp_LeadsTo, THEN PSP_Stable2])
   apply (blast intro: subset_imp_LeadsTo)+
done

subsection\<open>Induction rules\<close>

(** Meta or object quantifier ????? **)
lemma LeadsTo_wf_induct:
     "[| wf r;
         \<forall>m. F \<in> (A \<inter> f-`{m}) LeadsTo
                    ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |]
      ==> F \<in> A LeadsTo B"
apply (simp add: LeadsTo_eq_leadsTo)
apply (erule leadsTo_wf_induct)
apply (blast intro: leadsTo_weaken)
done

lemma Bounded_induct:
     "[| wf r;
         \<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) LeadsTo
                      ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |]
      ==> F \<in> A LeadsTo ((A - (f-`I)) \<union> B)"
apply (erule LeadsTo_wf_induct, safe)
apply (case_tac "m \ I")
apply (blast intro: LeadsTo_weaken)
apply (blast intro: subset_imp_LeadsTo)
done

lemma LessThan_induct:
     "(!!m::nat. F \ (A \ f-`{m}) LeadsTo ((A \ f-`(lessThan m)) \ B))
      ==> F \<in> A LeadsTo B"
by (rule wf_less_than [THEN LeadsTo_wf_induct], auto)

text\<open>Integer version.  Could generalize from 0 to any lower bound\<close>
lemma integ_0_le_induct:
     "[| F \ Always {s. (0::int) \ f s};
         !! z. F \<in> (A \<inter> {s. f s = z}) LeadsTo
                   ((A \<inter> {s. f s < z}) \<union> B) |]
      ==> F \<in> A LeadsTo B"
apply (rule_tac f = "nat o f" in LessThan_induct)
apply (simp add: vimage_def)
apply (rule Always_LeadsTo_weaken, assumption+)
apply (auto simp add: nat_eq_iff nat_less_iff)
done

lemma LessThan_bounded_induct:
     "!!l::nat. \m \ greaterThan l.
                   F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B)
            ==> F \<in> A LeadsTo ((A \<inter> (f-`(atMost l))) \<union> B)"
apply (simp only: Diff_eq [symmetric] vimage_Compl
                  Compl_greaterThan [symmetric])
apply (rule wf_less_than [THEN Bounded_induct], simp)
done

lemma GreaterThan_bounded_induct:
     "!!l::nat. \m \ lessThan l.
                 F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(greaterThan m)) \<union> B)
      ==> F \<in> A LeadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)"
apply (rule_tac f = f and f1 = "%k. l - k"
       in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct])
apply (simp add: Image_singleton, clarify)
apply (case_tac "m)
apply (blast intro: LeadsTo_weaken_R diff_less_mono2)
apply (blast intro: not_le_imp_less subset_imp_LeadsTo)
done

subsection\<open>Completion: Binary and General Finite versions\<close>

lemma Completion:
     "[| F \ A LeadsTo (A' \ C); F \ A' Co (A' \ C);
         F \<in> B LeadsTo (B' \<union> C);  F \<in> B' Co (B' \<union> C) |]
      ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)"
apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib)
apply (blast intro: completion leadsTo_weaken)
done

lemma Finite_completion_lemma:
     "finite I
      ==> (\<forall>i \<in> I. F \<in> (A i) LeadsTo (A' i \<union> C)) -->
          (\<forall>i \<in> I. F \<in> (A' i) Co (A' i \<union> C)) -->
          F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
apply (erule finite_induct, auto)
apply (rule Completion)
   prefer 4
   apply (simp only: INT_simps [symmetric])
   apply (rule Constrains_INT, auto)
done

lemma Finite_completion:
     "[| finite I;
         !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i \<union> C);
         !!i. i \<in> I ==> F \<in> (A' i) Co (A' i \<union> C) |]
      ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)"
by (blast intro: Finite_completion_lemma [THEN mp, THEN mp])

lemma Stable_completion:
     "[| F \ A LeadsTo A'; F \ Stable A';
         F \<in> B LeadsTo B';  F \<in> Stable B' |]
      ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')"
apply (unfold Stable_def)
apply (rule_tac C1 = "{}" in Completion [THEN LeadsTo_weaken_R])
apply (force+)
done

lemma Finite_stable_completion:
     "[| finite I;
         !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i);
         !!i. i \<in> I ==> F \<in> Stable (A' i) |]
      ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo (\<Inter>i \<in> I. A' i)"
apply (unfold Stable_def)
apply (rule_tac C1 = "{}" in Finite_completion [THEN LeadsTo_weaken_R])
apply (simp_all, blast+)
done

end

¤ Dauer der Verarbeitung: 0.3 Sekunden (vorverarbeitet) ¤

Download des Quellennavigators
Download des sprechenden Kalenders
in der Quellcodebibliothek suchen

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.

Bemerkung:

Die farbliche Syntaxdarstellung ist noch experimentell.