# Theory WFair

theory WFair
imports UNITY
```(*  Title:      HOL/UNITY/WFair.thy
Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
Copyright   1998  University of Cambridge

Conditional Fairness versions of transient, ensures, leadsTo.

From Misra, "A Logic for Concurrent Programming", 1994
*)

section‹Progress›

theory WFair imports UNITY begin

text‹The original version of this theory was based on weak fairness.  (Thus,
the entire UNITY development embodied this assumption, until February 2003.)
Weak fairness states that if a command is enabled continuously, then it is
eventually executed.  Ernie Cohen suggested that I instead adopt unconditional
fairness: every command is executed infinitely often.

In fact, Misra's paper on "Progress" seems to be ambiguous about the correct
interpretation, and says that the two forms of fairness are equivalent.  They
differ only on their treatment of partial transitions, which under
unconditional fairness behave magically.  That is because if there are partial
transitions then there may be no fair executions, making all leads-to
properties hold vacuously.

Unconditional fairness has some great advantages.  By distinguishing partial
transitions from total ones that are the identity on part of their domain, it
is more expressive.  Also, by simplifying the definition of the transient
property, it simplifies many proofs.  A drawback is that some laws only hold
under the assumption that all transitions are total.  The best-known of these
is the impossibility law for leads-to.
›

definition

― ‹This definition specifies conditional fairness.  The rest of the theory
is generic to all forms of fairness.  To get weak fairness, conjoin
the inclusion below with @{term "A ⊆ Domain act"}, which specifies
that the action is enabled over all of @{term A}.›
transient :: "'a set => 'a program set" where
"transient A == {F. ∃act∈Acts F. act``A ⊆ -A}"

definition
ensures :: "['a set, 'a set] => 'a program set"       (infixl "ensures" 60) where
"A ensures B == (A-B co A ∪ B) ∩ transient (A-B)"

inductive_set
leads :: "'a program => ('a set * 'a set) set"
― ‹LEADS-TO constant for the inductive definition›
for F :: "'a program"
where

Basis:  "F ∈ A ensures B ==> (A,B) ∈ leads F"

| Trans:  "[| (A,B) ∈ leads F;  (B,C) ∈ leads F |] ==> (A,C) ∈ leads F"

| Union:  "∀A ∈ S. (A,B) ∈ leads F ==> (Union S, B) ∈ leads F"

definition leadsTo :: "['a set, 'a set] => 'a program set" (infixl "leadsTo" 60) where
― ‹visible version of the LEADS-TO relation›
"A leadsTo B == {F. (A,B) ∈ leads F}"

definition wlt :: "['a program, 'a set] => 'a set" where
― ‹predicate transformer: the largest set that leads to @{term B}›
"wlt F B == ⋃{A. F ∈ A leadsTo B}"

notation leadsTo  (infixl "⟼" 60)

subsection‹transient›

lemma stable_transient:
"[| F ∈ stable A; F ∈ transient A |] ==> ∃act∈Acts F. A ⊆ - (Domain act)"
apply (simp add: stable_def constrains_def transient_def, clarify)
apply (rule rev_bexI, auto)
done

lemma stable_transient_empty:
"[| F ∈ stable A; F ∈ transient A; all_total F |] ==> A = {}"
apply (drule stable_transient, assumption)
apply (simp add: all_total_def)
done

lemma transient_strengthen:
"[| F ∈ transient A; B ⊆ A |] ==> F ∈ transient B"
apply (unfold transient_def, clarify)
apply (blast intro!: rev_bexI)
done

lemma transientI:
"[| act ∈ Acts F;  act``A ⊆ -A |] ==> F ∈ transient A"
by (unfold transient_def, blast)

lemma transientE:
"[| F ∈ transient A;
⋀act. [| act ∈ Acts F;  act``A ⊆ -A |] ==> P |]
==> P"
by (unfold transient_def, blast)

lemma transient_empty [simp]: "transient {} = UNIV"
by (unfold transient_def, auto)

text‹This equation recovers the notion of weak fairness.  A totalized
program satisfies a transient assertion just if the original program
contains a suitable action that is also enabled.›
lemma totalize_transient_iff:
"(totalize F ∈ transient A) = (∃act∈Acts F. A ⊆ Domain act & act``A ⊆ -A)"
apply (simp add: totalize_def totalize_act_def transient_def
Un_Image, safe)
apply (blast intro!: rev_bexI)+
done

lemma totalize_transientI:
"[| act ∈ Acts F;  A ⊆ Domain act;  act``A ⊆ -A |]
==> totalize F ∈ transient A"
by (simp add: totalize_transient_iff, blast)

subsection‹ensures›

lemma ensuresI:
"[| F ∈ (A-B) co (A ∪ B); F ∈ transient (A-B) |] ==> F ∈ A ensures B"
by (unfold ensures_def, blast)

lemma ensuresD:
"F ∈ A ensures B ==> F ∈ (A-B) co (A ∪ B) & F ∈ transient (A-B)"
by (unfold ensures_def, blast)

lemma ensures_weaken_R:
"[| F ∈ A ensures A'; A'<=B' |] ==> F ∈ A ensures B'"
apply (unfold ensures_def)
apply (blast intro: constrains_weaken transient_strengthen)
done

text‹The L-version (precondition strengthening) fails, but we have this›
lemma stable_ensures_Int:
"[| F ∈ stable C;  F ∈ A ensures B |]
==> F ∈ (C ∩ A) ensures (C ∩ B)"
apply (unfold ensures_def)
apply (auto simp add: ensures_def Int_Un_distrib [symmetric] Diff_Int_distrib [symmetric])
prefer 2 apply (blast intro: transient_strengthen)
apply (blast intro: stable_constrains_Int constrains_weaken)
done

lemma stable_transient_ensures:
"[| F ∈ stable A;  F ∈ transient C;  A ⊆ B ∪ C |] ==> F ∈ A ensures B"
apply (simp add: ensures_def stable_def)
apply (blast intro: constrains_weaken transient_strengthen)
done

lemma ensures_eq: "(A ensures B) = (A unless B) ∩ transient (A-B)"
by (simp (no_asm) add: ensures_def unless_def)

lemma leadsTo_Basis [intro]: "F ∈ A ensures B ==> F ∈ A leadsTo B"
apply (blast intro: leads.Basis)
done

"[| F ∈ A leadsTo B;  F ∈ B leadsTo C |] ==> F ∈ A leadsTo C"
apply (blast intro: leads.Trans)
done

"[| F ∈ A co A ∪ B; F ∈ transient A |] ==> F ∈ A leadsTo B"
apply (drule_tac B = "A-B" in constrains_weaken_L)
apply (drule_tac [2] B = "A-B" in transient_strengthen)
apply (rule_tac [3] ensuresI [THEN leadsTo_Basis])
apply (blast+)
done

lemma transient_imp_leadsTo: "F ∈ transient A ==> F ∈ A leadsTo (-A)"
by (simp (no_asm_simp) add: leadsTo_Basis ensuresI Compl_partition)

text‹Useful with cancellation, disjunction›
lemma leadsTo_Un_duplicate: "F ∈ A leadsTo (A' ∪ A') ==> F ∈ A leadsTo A'"
by (simp add: Un_ac)

"F ∈ A leadsTo (A' ∪ C ∪ C) ==> F ∈ A leadsTo (A' ∪ C)"
by (simp add: Un_ac)

text‹The Union introduction rule as we should have liked to state it›
"(!!A. A ∈ S ==> F ∈ A leadsTo B) ==> F ∈ (⋃S) leadsTo B"
apply (blast intro: leads.Union)
done

"(!!A. A ∈ S ==> F ∈ (A ∩ C) leadsTo B) ==> F ∈ (⋃S ∩ C) leadsTo B"
apply (simp only: Int_Union_Union)
apply (blast intro: leads.Union)
done

"(!!i. i ∈ I ==> F ∈ (A i) leadsTo B) ==> F ∈ (⋃i ∈ I. A i) leadsTo B"
apply (blast intro: leadsTo_Union)
done

text‹Binary union introduction rule›
"[| F ∈ A leadsTo C; F ∈ B leadsTo C |] ==> F ∈ (A ∪ B) leadsTo C"
using leadsTo_Union [of "{A, B}" F C] by auto

"(!!x. x ∈ A ==> F ∈ {x} leadsTo B) ==> F ∈ A leadsTo B"
by (subst UN_singleton [symmetric], rule leadsTo_UN, blast)

text‹The INDUCTION rule as we should have liked to state it›
"[| F ∈ za leadsTo zb;
!!A B. F ∈ A ensures B ==> P A B;
!!A B C. [| F ∈ A leadsTo B; P A B; F ∈ B leadsTo C; P B C |]
==> P A C;
!!B S. ∀A ∈ S. F ∈ A leadsTo B & P A B ==> P (⋃S) B
|] ==> P za zb"
apply (drule CollectD, erule leads.induct)
apply (blast+)
done

lemma subset_imp_ensures: "A ⊆ B ==> F ∈ A ensures B"
by (unfold ensures_def constrains_def transient_def, blast)

lemmas empty_leadsTo = empty_subsetI [THEN subset_imp_leadsTo, simp]

lemmas leadsTo_UNIV = subset_UNIV [THEN subset_imp_leadsTo, simp]

(** Variant induction rule: on the preconditions for B **)

text‹Lemma is the weak version: can't see how to do it in one step›
"[| F ∈ za leadsTo zb;
P zb;
!!A B. [| F ∈ A ensures B;  P B |] ==> P A;
!!S. ∀A ∈ S. P A ==> P (⋃S)
|] ==> P za"
txt‹by induction on this formula›
apply (subgoal_tac "P zb --> P za")
txt‹now solve first subgoal: this formula is sufficient›
apply (blast intro: leadsTo_refl)
apply (blast+)
done

"[| F ∈ za leadsTo zb;
P zb;
!!A B. [| F ∈ A ensures B;  F ∈ B leadsTo zb;  P B |] ==> P A;
!!S. ∀A ∈ S. F ∈ A leadsTo zb & P A ==> P (⋃S)
|] ==> P za"
apply (subgoal_tac "F ∈ za leadsTo zb & P za")
apply (erule conjunct2)
prefer 3 apply (blast intro: leadsTo_Union)
prefer 2 apply (blast intro: leadsTo_Trans)
apply (blast intro: leadsTo_refl)
done

lemma leadsTo_weaken_R: "[| F ∈ A leadsTo A'; A'<=B' |] ==> F ∈ A leadsTo B'"

"[| F ∈ A leadsTo A'; B ⊆ A |] ==> F ∈ B leadsTo A'"

text‹Distributes over binary unions›
"F ∈ (A ∪ B) leadsTo C  =  (F ∈ A leadsTo C & F ∈ B leadsTo C)"

"F ∈ (⋃i ∈ I. A i) leadsTo B  =  (∀i ∈ I. F ∈ (A i) leadsTo B)"

"F ∈ (⋃S) leadsTo B  =  (∀A ∈ S. F ∈ A leadsTo B)"

"[| F ∈ A leadsTo A'; B ⊆ A; A'<=B' |] ==> F ∈ B leadsTo B'"

text‹Set difference: maybe combine with ‹leadsTo_weaken_L›??›
"[| F ∈ (A-B) leadsTo C; F ∈ B leadsTo C |]   ==> F ∈ A leadsTo C"

"(!! i. i ∈ I ==> F ∈ (A i) leadsTo (A' i))
==> F ∈ (⋃i ∈ I. A i) leadsTo (⋃i ∈ I. A' i)"
done

text‹Binary union version›
"[| F ∈ A leadsTo A'; F ∈ B leadsTo B' |]
==> F ∈ (A ∪ B) leadsTo (A' ∪ B')"

(** The cancellation law **)

"[| F ∈ A leadsTo (A' ∪ B); F ∈ B leadsTo B' |]
==> F ∈ A leadsTo (A' ∪ B')"

"[| F ∈ A leadsTo (A' ∪ B); F ∈ (B-A') leadsTo B' |]
==> F ∈ A leadsTo (A' ∪ B')"
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done

"[| F ∈ A leadsTo (B ∪ A'); F ∈ B leadsTo B' |]
==> F ∈ A leadsTo (B' ∪ A')"
apply (simp add: Un_commute)
apply (blast intro!: leadsTo_cancel2)
done

"[| F ∈ A leadsTo (B ∪ A'); F ∈ (B-A') leadsTo B' |]
==> F ∈ A leadsTo (B' ∪ A')"
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done

text‹The impossibility law›
lemma leadsTo_empty: "[|F ∈ A leadsTo {}; all_total F|] ==> A={}"
apply (simp_all add: ensures_def constrains_def transient_def all_total_def, clarify)
apply (drule bspec, assumption)+
apply blast
done

subsection‹PSP: Progress-Safety-Progress›

text‹Special case of PSP: Misra's "stable conjunction"›
lemma psp_stable:
"[| F ∈ A leadsTo A'; F ∈ stable B |]
==> F ∈ (A ∩ B) leadsTo (A' ∩ B)"
apply (unfold stable_def)
prefer 3 apply (blast intro: leadsTo_Union_Int)
prefer 2 apply (blast intro: leadsTo_Trans)
apply (simp add: ensures_def Diff_Int_distrib2 [symmetric] Int_Un_distrib2 [symmetric])
apply (blast intro: transient_strengthen constrains_Int)
done

lemma psp_stable2:
"[| F ∈ A leadsTo A'; F ∈ stable B |] ==> F ∈ (B ∩ A) leadsTo (B ∩ A')"
by (simp add: psp_stable Int_ac)

lemma psp_ensures:
"[| F ∈ A ensures A'; F ∈ B co B' |]
==> F ∈ (A ∩ B') ensures ((A' ∩ B) ∪ (B' - B))"
apply (unfold ensures_def constrains_def, clarify) (*speeds up the proof*)
apply (blast intro: transient_strengthen)
done

lemma psp:
"[| F ∈ A leadsTo A'; F ∈ B co B' |]
==> F ∈ (A ∩ B') leadsTo ((A' ∩ B) ∪ (B' - B))"
prefer 3 apply (blast intro: leadsTo_Union_Int)
txt‹Basis case›
apply (blast intro: psp_ensures)
txt‹Transitivity case has a delicate argument involving "cancellation"›
apply (simp add: Int_Diff Diff_triv)
apply (blast intro: leadsTo_weaken_L dest: constrains_imp_subset)
done

lemma psp2:
"[| F ∈ A leadsTo A'; F ∈ B co B' |]
==> F ∈ (B' ∩ A) leadsTo ((B ∩ A') ∪ (B' - B))"
by (simp (no_asm_simp) add: psp Int_ac)

lemma psp_unless:
"[| F ∈ A leadsTo A';  F ∈ B unless B' |]
==> F ∈ (A ∩ B) leadsTo ((A' ∩ B) ∪ B')"

apply (unfold unless_def)
apply (drule psp, assumption)
apply (blast intro: leadsTo_weaken)
done

subsection‹Proving the induction rules›

(** The most general rule: r is any wf relation; f is any variant function **)

"[| wf r;
∀m. F ∈ (A ∩ f-`{m}) leadsTo
((A ∩ f-`(r¯ `` {m})) ∪ B) |]
==> F ∈ (A ∩ f-`{m}) leadsTo B"
apply (erule_tac a = m in wf_induct)
apply (subgoal_tac "F ∈ (A ∩ (f -` (r¯ `` {x}))) leadsTo B")
apply (subst vimage_eq_UN)
apply (simp only: UN_simps [symmetric])
apply (blast intro: leadsTo_UN)
done

(** Meta or object quantifier ? **)
"[| wf r;
∀m. F ∈ (A ∩ f-`{m}) leadsTo
((A ∩ f-`(r¯ `` {m})) ∪ B) |]
==> F ∈ A leadsTo B"
apply (rule_tac t = A in subst)
defer 1
apply assumption
apply fast (*Blast_tac: Function unknown's argument not a parameter*)
done

lemma bounded_induct:
"[| wf r;
∀m ∈ I. F ∈ (A ∩ f-`{m}) leadsTo
((A ∩ f-`(r¯ `` {m})) ∪ B) |]
==> F ∈ A leadsTo ((A - (f-`I)) ∪ B)"
apply (erule leadsTo_wf_induct, safe)
apply (case_tac "m ∈ I")
apply (blast intro: leadsTo_weaken)
apply (blast intro: subset_imp_leadsTo)
done

(*Alternative proof is via the lemma F ∈ (A ∩ f-`(lessThan m)) leadsTo B*)
lemma lessThan_induct:
"[| !!m::nat. F ∈ (A ∩ f-`{m}) leadsTo ((A ∩ f-`{..<m}) ∪ B) |]
==> F ∈ A leadsTo B"
apply (rule wf_less_than [THEN leadsTo_wf_induct])
apply (simp (no_asm_simp))
apply blast
done

lemma lessThan_bounded_induct:
"!!l::nat. [| ∀m ∈ greaterThan l.
F ∈ (A ∩ f-`{m}) leadsTo ((A ∩ f-`(lessThan m)) ∪ B) |]
==> F ∈ A leadsTo ((A ∩ (f-`(atMost l))) ∪ B)"
apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric])
apply (rule wf_less_than [THEN bounded_induct])
apply (simp (no_asm_simp))
done

lemma greaterThan_bounded_induct:
"(!!l::nat. ∀m ∈ lessThan l.
F ∈ (A ∩ f-`{m}) leadsTo ((A ∩ f-`(greaterThan m)) ∪ B))
==> F ∈ A leadsTo ((A ∩ (f-`(atLeast l))) ∪ B)"
apply (rule_tac f = f and f1 = "%k. l - k"
in wf_less_than [THEN wf_inv_image, THEN leadsTo_wf_induct])
apply (simp (no_asm) add:Image_singleton)
apply clarify
apply (case_tac "m<l")
apply (blast intro: leadsTo_weaken_R diff_less_mono2)
apply (blast intro: not_le_imp_less subset_imp_leadsTo)
done

subsection‹wlt›

text‹Misra's property W3›
lemma wlt_leadsTo: "F ∈ (wlt F B) leadsTo B"
apply (unfold wlt_def)
apply (blast intro!: leadsTo_Union)
done

lemma leadsTo_subset: "F ∈ A leadsTo B ==> A ⊆ wlt F B"
apply (unfold wlt_def)
apply (blast intro!: leadsTo_Union)
done

text‹Misra's property W2›
lemma leadsTo_eq_subset_wlt: "F ∈ A leadsTo B = (A ⊆ wlt F B)"

text‹Misra's property W4›
lemma wlt_increasing: "B ⊆ wlt F B"
done

text‹Used in the Trans case below›
lemma lemma1:
"[| B ⊆ A2;
F ∈ (A1 - B) co (A1 ∪ B);
F ∈ (A2 - C) co (A2 ∪ C) |]
==> F ∈ (A1 ∪ A2 - C) co (A1 ∪ A2 ∪ C)"
by (unfold constrains_def, clarify,  blast)

text‹Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"›
"F ∈ A leadsTo A'
==> ∃B. A ⊆ B & F ∈ B leadsTo A' & F ∈ (B-A') co (B ∪ A')"
txt‹Basis›
apply (blast dest: ensuresD)
txt‹Trans›
apply clarify
apply (rule_tac x = "Ba ∪ Bb" in exI)
txt‹Union›
apply (clarify dest!: ball_conj_distrib [THEN iffD1] bchoice)
apply (rule_tac x = "⋃A ∈ S. f A" in exI)
apply (auto intro: leadsTo_UN)
(*Blast_tac says PROOF FAILED*)
apply (rule_tac I1=S and A1="%i. f i - B" and A'1="%i. f i ∪ B"
in constrains_UN [THEN constrains_weaken], auto)
done

text‹Misra's property W5›
lemma wlt_constrains_wlt: "F ∈ (wlt F B - B) co (wlt F B)"
proof -
from wlt_leadsTo [of F B, THEN leadsTo_123]
show ?thesis
proof (elim exE conjE)
(* assumes have to be in exactly the form as in the goal displayed at
this point.  Isar doesn't give you any automation. *)
fix C
assume wlt: "wlt F B ⊆ C"
and lt:  "F ∈ C leadsTo B"
and co:  "F ∈ C - B co C ∪ B"
have eq: "C = wlt F B"
proof -
from lt and wlt show ?thesis
by (blast dest: leadsTo_eq_subset_wlt [THEN iffD1])
qed
from co show ?thesis by (simp add: eq wlt_increasing Un_absorb2)
qed
qed

subsection‹Completion: Binary and General Finite versions›

lemma completion_lemma :
"[| W = wlt F (B' ∪ C);
F ∈ A leadsTo (A' ∪ C);  F ∈ A' co (A' ∪ C);
F ∈ B leadsTo (B' ∪ C);  F ∈ B' co (B' ∪ C) |]
==> F ∈ (A ∩ B) leadsTo ((A' ∩ B') ∪ C)"
apply (subgoal_tac "F ∈ (W-C) co (W ∪ B' ∪ C) ")
prefer 2
apply (blast intro: wlt_constrains_wlt [THEN [2] constrains_Un,
THEN constrains_weaken])
apply (subgoal_tac "F ∈ (W-C) co W")
prefer 2
apply (simp add: wlt_increasing Un_assoc Un_absorb2)
apply (subgoal_tac "F ∈ (A ∩ W - C) leadsTo (A' ∩ W ∪ C) ")
prefer 2 apply (blast intro: wlt_leadsTo psp [THEN leadsTo_weaken])
(** LEVEL 6 **)
apply (subgoal_tac "F ∈ (A' ∩ W ∪ C) leadsTo (A' ∩ B' ∪ C) ")
prefer 2
apply (blast intro: subset_imp_leadsTo)
apply (subgoal_tac "A ∩ B ⊆ A ∩ W")
prefer 2
apply (blast dest!: leadsTo_subset intro!: subset_refl [THEN Int_mono])
done

lemmas completion = completion_lemma [OF refl]

lemma finite_completion_lemma:
"finite I ==> (∀i ∈ I. F ∈ (A i) leadsTo (A' i ∪ C)) -->
(∀i ∈ I. F ∈ (A' i) co (A' i ∪ C)) -->
F ∈ (⋂i ∈ I. A i) leadsTo ((⋂i ∈ I. A' i) ∪ C)"
apply (erule finite_induct, auto)
apply (rule completion)
prefer 4
apply (simp only: INT_simps [symmetric])
apply (rule constrains_INT, auto)
done

lemma finite_completion:
"[| finite I;
!!i. i ∈ I ==> F ∈ (A i) leadsTo (A' i ∪ C);
!!i. i ∈ I ==> F ∈ (A' i) co (A' i ∪ C) |]
==> F ∈ (⋂i ∈ I. A i) leadsTo ((⋂i ∈ I. A' i) ∪ C)"
by (blast intro: finite_completion_lemma [THEN mp, THEN mp])

lemma stable_completion:
"[| F ∈ A leadsTo A';  F ∈ stable A';
F ∈ B leadsTo B';  F ∈ stable B' |]
==> F ∈ (A ∩ B) leadsTo (A' ∩ B')"
apply (unfold stable_def)
apply (rule_tac C1 = "{}" in completion [THEN leadsTo_weaken_R])
apply (force+)
done

lemma finite_stable_completion:
"[| finite I;
!!i. i ∈ I ==> F ∈ (A i) leadsTo (A' i);
!!i. i ∈ I ==> F ∈ stable (A' i) |]
==> F ∈ (⋂i ∈ I. A i) leadsTo (⋂i ∈ I. A' i)"
apply (unfold stable_def)
apply (rule_tac C1 = "{}" in finite_completion [THEN leadsTo_weaken_R])
apply (simp_all (no_asm_simp))
apply blast+
done

end
```