src/HOLCF/IOA/meta_theory/Automata.thy
changeset 40774 0437dbc127b3
parent 40773 6c12f5e24e34
child 40775 ed7a4eadb2f6
     1.1 --- a/src/HOLCF/IOA/meta_theory/Automata.thy	Sat Nov 27 14:34:54 2010 -0800
     1.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.3 @@ -1,691 +0,0 @@
     1.4 -(*  Title:      HOLCF/IOA/meta_theory/Automata.thy
     1.5 -    Author:     Olaf Müller, Konrad Slind, Tobias Nipkow
     1.6 -*)
     1.7 -
     1.8 -header {* The I/O automata of Lynch and Tuttle in HOLCF *}
     1.9 -
    1.10 -theory Automata
    1.11 -imports Asig
    1.12 -begin
    1.13 -
    1.14 -default_sort type
    1.15 -
    1.16 -types
    1.17 -  ('a, 's) transition = "'s * 'a * 's"
    1.18 -  ('a, 's) ioa = "'a signature * 's set * ('a,'s)transition set * ('a set set) * ('a set set)"
    1.19 -
    1.20 -consts
    1.21 -
    1.22 -  (* IO automata *)
    1.23 -
    1.24 -  asig_of        ::"('a,'s)ioa => 'a signature"
    1.25 -  starts_of      ::"('a,'s)ioa => 's set"
    1.26 -  trans_of       ::"('a,'s)ioa => ('a,'s)transition set"
    1.27 -  wfair_of       ::"('a,'s)ioa => ('a set) set"
    1.28 -  sfair_of       ::"('a,'s)ioa => ('a set) set"
    1.29 -
    1.30 -  is_asig_of     ::"('a,'s)ioa => bool"
    1.31 -  is_starts_of   ::"('a,'s)ioa => bool"
    1.32 -  is_trans_of    ::"('a,'s)ioa => bool"
    1.33 -  input_enabled  ::"('a,'s)ioa => bool"
    1.34 -  IOA            ::"('a,'s)ioa => bool"
    1.35 -
    1.36 -  (* constraints for fair IOA *)
    1.37 -
    1.38 -  fairIOA        ::"('a,'s)ioa => bool"
    1.39 -  input_resistant::"('a,'s)ioa => bool"
    1.40 -
    1.41 -  (* enabledness of actions and action sets *)
    1.42 -
    1.43 -  enabled        ::"('a,'s)ioa => 'a => 's => bool"
    1.44 -  Enabled    ::"('a,'s)ioa => 'a set => 's => bool"
    1.45 -
    1.46 -  (* action set keeps enabled until probably disabled by itself *)
    1.47 -
    1.48 -  en_persistent  :: "('a,'s)ioa => 'a set => bool"
    1.49 -
    1.50 - (* post_conditions for actions and action sets *)
    1.51 -
    1.52 -  was_enabled        ::"('a,'s)ioa => 'a => 's => bool"
    1.53 -  set_was_enabled    ::"('a,'s)ioa => 'a set => 's => bool"
    1.54 -
    1.55 -  (* invariants *)
    1.56 -  invariant     :: "[('a,'s)ioa, 's=>bool] => bool"
    1.57 -
    1.58 -  (* binary composition of action signatures and automata *)
    1.59 -  asig_comp    ::"['a signature, 'a signature] => 'a signature"
    1.60 -  compatible   ::"[('a,'s)ioa, ('a,'t)ioa] => bool"
    1.61 -  par          ::"[('a,'s)ioa, ('a,'t)ioa] => ('a,'s*'t)ioa"  (infixr "||" 10)
    1.62 -
    1.63 -  (* hiding and restricting *)
    1.64 -  hide_asig     :: "['a signature, 'a set] => 'a signature"
    1.65 -  hide          :: "[('a,'s)ioa, 'a set] => ('a,'s)ioa"
    1.66 -  restrict_asig :: "['a signature, 'a set] => 'a signature"
    1.67 -  restrict      :: "[('a,'s)ioa, 'a set] => ('a,'s)ioa"
    1.68 -
    1.69 -  (* renaming *)
    1.70 -  rename_set    :: "'a set => ('c => 'a option) => 'c set"
    1.71 -  rename        :: "('a, 'b)ioa => ('c => 'a option) => ('c,'b)ioa"
    1.72 -
    1.73 -notation (xsymbols)
    1.74 -  par  (infixr "\<parallel>" 10)
    1.75 -
    1.76 -
    1.77 -inductive
    1.78 -  reachable :: "('a, 's) ioa => 's => bool"
    1.79 -  for C :: "('a, 's) ioa"
    1.80 -  where
    1.81 -    reachable_0:  "s : starts_of C ==> reachable C s"
    1.82 -  | reachable_n:  "[| reachable C s; (s, a, t) : trans_of C |] ==> reachable C t"
    1.83 -
    1.84 -abbreviation
    1.85 -  trans_of_syn  ("_ -_--_-> _" [81,81,81,81] 100) where
    1.86 -  "s -a--A-> t == (s,a,t):trans_of A"
    1.87 -
    1.88 -notation (xsymbols)
    1.89 -  trans_of_syn  ("_ \<midarrow>_\<midarrow>_\<longrightarrow> _" [81,81,81,81] 100)
    1.90 -
    1.91 -abbreviation "act A == actions (asig_of A)"
    1.92 -abbreviation "ext A == externals (asig_of A)"
    1.93 -abbreviation int where "int A == internals (asig_of A)"
    1.94 -abbreviation "inp A == inputs (asig_of A)"
    1.95 -abbreviation "out A == outputs (asig_of A)"
    1.96 -abbreviation "local A == locals (asig_of A)"
    1.97 -
    1.98 -defs
    1.99 -
   1.100 -(* --------------------------------- IOA ---------------------------------*)
   1.101 -
   1.102 -asig_of_def:   "asig_of == fst"
   1.103 -starts_of_def: "starts_of == (fst o snd)"
   1.104 -trans_of_def:  "trans_of == (fst o snd o snd)"
   1.105 -wfair_of_def:  "wfair_of == (fst o snd o snd o snd)"
   1.106 -sfair_of_def:  "sfair_of == (snd o snd o snd o snd)"
   1.107 -
   1.108 -is_asig_of_def:
   1.109 -  "is_asig_of A == is_asig (asig_of A)"
   1.110 -
   1.111 -is_starts_of_def:
   1.112 -  "is_starts_of A ==  (~ starts_of A = {})"
   1.113 -
   1.114 -is_trans_of_def:
   1.115 -  "is_trans_of A ==
   1.116 -    (!triple. triple:(trans_of A) --> fst(snd(triple)):actions(asig_of A))"
   1.117 -
   1.118 -input_enabled_def:
   1.119 -  "input_enabled A ==
   1.120 -    (!a. (a:inputs(asig_of A)) --> (!s1. ? s2. (s1,a,s2):(trans_of A)))"
   1.121 -
   1.122 -
   1.123 -ioa_def:
   1.124 -  "IOA A == (is_asig_of A    &
   1.125 -             is_starts_of A  &
   1.126 -             is_trans_of A   &
   1.127 -             input_enabled A)"
   1.128 -
   1.129 -
   1.130 -invariant_def: "invariant A P == (!s. reachable A s --> P(s))"
   1.131 -
   1.132 -
   1.133 -(* ------------------------- parallel composition --------------------------*)
   1.134 -
   1.135 -
   1.136 -compatible_def:
   1.137 -  "compatible A B ==
   1.138 -  (((out A Int out B) = {}) &
   1.139 -   ((int A Int act B) = {}) &
   1.140 -   ((int B Int act A) = {}))"
   1.141 -
   1.142 -asig_comp_def:
   1.143 -  "asig_comp a1 a2 ==
   1.144 -     (((inputs(a1) Un inputs(a2)) - (outputs(a1) Un outputs(a2)),
   1.145 -       (outputs(a1) Un outputs(a2)),
   1.146 -       (internals(a1) Un internals(a2))))"
   1.147 -
   1.148 -par_def:
   1.149 -  "(A || B) ==
   1.150 -      (asig_comp (asig_of A) (asig_of B),
   1.151 -       {pr. fst(pr):starts_of(A) & snd(pr):starts_of(B)},
   1.152 -       {tr. let s = fst(tr); a = fst(snd(tr)); t = snd(snd(tr))
   1.153 -            in (a:act A | a:act B) &
   1.154 -               (if a:act A then
   1.155 -                  (fst(s),a,fst(t)):trans_of(A)
   1.156 -                else fst(t) = fst(s))
   1.157 -               &
   1.158 -               (if a:act B then
   1.159 -                  (snd(s),a,snd(t)):trans_of(B)
   1.160 -                else snd(t) = snd(s))},
   1.161 -        wfair_of A Un wfair_of B,
   1.162 -        sfair_of A Un sfair_of B)"
   1.163 -
   1.164 -
   1.165 -(* ------------------------ hiding -------------------------------------------- *)
   1.166 -
   1.167 -restrict_asig_def:
   1.168 -  "restrict_asig asig actns ==
   1.169 -    (inputs(asig) Int actns,
   1.170 -     outputs(asig) Int actns,
   1.171 -     internals(asig) Un (externals(asig) - actns))"
   1.172 -
   1.173 -(* Notice that for wfair_of and sfair_of nothing has to be changed, as
   1.174 -   changes from the outputs to the internals does not touch the locals as
   1.175 -   a whole, which is of importance for fairness only *)
   1.176 -
   1.177 -restrict_def:
   1.178 -  "restrict A actns ==
   1.179 -    (restrict_asig (asig_of A) actns,
   1.180 -     starts_of A,
   1.181 -     trans_of A,
   1.182 -     wfair_of A,
   1.183 -     sfair_of A)"
   1.184 -
   1.185 -hide_asig_def:
   1.186 -  "hide_asig asig actns ==
   1.187 -    (inputs(asig) - actns,
   1.188 -     outputs(asig) - actns,
   1.189 -     internals(asig) Un actns)"
   1.190 -
   1.191 -hide_def:
   1.192 -  "hide A actns ==
   1.193 -    (hide_asig (asig_of A) actns,
   1.194 -     starts_of A,
   1.195 -     trans_of A,
   1.196 -     wfair_of A,
   1.197 -     sfair_of A)"
   1.198 -
   1.199 -(* ------------------------- renaming ------------------------------------------- *)
   1.200 -
   1.201 -rename_set_def:
   1.202 -  "rename_set A ren == {b. ? x. Some x = ren b & x : A}"
   1.203 -
   1.204 -rename_def:
   1.205 -"rename ioa ren ==
   1.206 -  ((rename_set (inp ioa) ren,
   1.207 -    rename_set (out ioa) ren,
   1.208 -    rename_set (int ioa) ren),
   1.209 -   starts_of ioa,
   1.210 -   {tr. let s = fst(tr); a = fst(snd(tr));  t = snd(snd(tr))
   1.211 -        in
   1.212 -        ? x. Some(x) = ren(a) & (s,x,t):trans_of ioa},
   1.213 -   {rename_set s ren | s. s: wfair_of ioa},
   1.214 -   {rename_set s ren | s. s: sfair_of ioa})"
   1.215 -
   1.216 -(* ------------------------- fairness ----------------------------- *)
   1.217 -
   1.218 -fairIOA_def:
   1.219 -  "fairIOA A == (! S : wfair_of A. S<= local A) &
   1.220 -                (! S : sfair_of A. S<= local A)"
   1.221 -
   1.222 -input_resistant_def:
   1.223 -  "input_resistant A == ! W : sfair_of A. ! s a t.
   1.224 -                        reachable A s & reachable A t & a:inp A &
   1.225 -                        Enabled A W s & s -a--A-> t
   1.226 -                        --> Enabled A W t"
   1.227 -
   1.228 -enabled_def:
   1.229 -  "enabled A a s == ? t. s-a--A-> t"
   1.230 -
   1.231 -Enabled_def:
   1.232 -  "Enabled A W s == ? w:W. enabled A w s"
   1.233 -
   1.234 -en_persistent_def:
   1.235 -  "en_persistent A W == ! s a t. Enabled A W s &
   1.236 -                                 a ~:W &
   1.237 -                                 s -a--A-> t
   1.238 -                                 --> Enabled A W t"
   1.239 -was_enabled_def:
   1.240 -  "was_enabled A a t == ? s. s-a--A-> t"
   1.241 -
   1.242 -set_was_enabled_def:
   1.243 -  "set_was_enabled A W t == ? w:W. was_enabled A w t"
   1.244 -
   1.245 -
   1.246 -declare split_paired_Ex [simp del]
   1.247 -
   1.248 -lemmas ioa_projections = asig_of_def starts_of_def trans_of_def wfair_of_def sfair_of_def
   1.249 -
   1.250 -
   1.251 -subsection "asig_of, starts_of, trans_of"
   1.252 -
   1.253 -lemma ioa_triple_proj: 
   1.254 - "((asig_of (x,y,z,w,s)) = x)   &  
   1.255 -  ((starts_of (x,y,z,w,s)) = y) &  
   1.256 -  ((trans_of (x,y,z,w,s)) = z)  &  
   1.257 -  ((wfair_of (x,y,z,w,s)) = w) &  
   1.258 -  ((sfair_of (x,y,z,w,s)) = s)"
   1.259 -  apply (simp add: ioa_projections)
   1.260 -  done
   1.261 -
   1.262 -lemma trans_in_actions: 
   1.263 -  "[| is_trans_of A; (s1,a,s2):trans_of(A) |] ==> a:act A"
   1.264 -apply (unfold is_trans_of_def actions_def is_asig_def)
   1.265 -  apply (erule allE, erule impE, assumption)
   1.266 -  apply simp
   1.267 -done
   1.268 -
   1.269 -lemma starts_of_par: 
   1.270 -"starts_of(A || B) = {p. fst(p):starts_of(A) & snd(p):starts_of(B)}"
   1.271 -  apply (simp add: par_def ioa_projections)
   1.272 -done
   1.273 -
   1.274 -lemma trans_of_par: 
   1.275 -"trans_of(A || B) = {tr. let s = fst(tr); a = fst(snd(tr)); t = snd(snd(tr))  
   1.276 -             in (a:act A | a:act B) &  
   1.277 -                (if a:act A then        
   1.278 -                   (fst(s),a,fst(t)):trans_of(A)  
   1.279 -                 else fst(t) = fst(s))             
   1.280 -                &                                   
   1.281 -                (if a:act B then                     
   1.282 -                   (snd(s),a,snd(t)):trans_of(B)      
   1.283 -                 else snd(t) = snd(s))}"
   1.284 -
   1.285 -apply (simp add: par_def ioa_projections)
   1.286 -done
   1.287 -
   1.288 -
   1.289 -subsection "actions and par"
   1.290 -
   1.291 -lemma actions_asig_comp: 
   1.292 -  "actions(asig_comp a b) = actions(a) Un actions(b)"
   1.293 -  apply (simp (no_asm) add: actions_def asig_comp_def asig_projections)
   1.294 -  apply blast
   1.295 -  done
   1.296 -
   1.297 -lemma asig_of_par: "asig_of(A || B) = asig_comp (asig_of A) (asig_of B)"
   1.298 -  apply (simp add: par_def ioa_projections)
   1.299 -  done
   1.300 -
   1.301 -
   1.302 -lemma externals_of_par: "ext (A1||A2) =     
   1.303 -   (ext A1) Un (ext A2)"
   1.304 -apply (simp add: externals_def asig_of_par asig_comp_def
   1.305 -  asig_inputs_def asig_outputs_def Un_def set_diff_eq)
   1.306 -apply blast
   1.307 -done
   1.308 -
   1.309 -lemma actions_of_par: "act (A1||A2) =     
   1.310 -   (act A1) Un (act A2)"
   1.311 -apply (simp add: actions_def asig_of_par asig_comp_def
   1.312 -  asig_inputs_def asig_outputs_def asig_internals_def Un_def set_diff_eq)
   1.313 -apply blast
   1.314 -done
   1.315 -
   1.316 -lemma inputs_of_par: "inp (A1||A2) = 
   1.317 -          ((inp A1) Un (inp A2)) - ((out A1) Un (out A2))"
   1.318 -apply (simp add: actions_def asig_of_par asig_comp_def
   1.319 -  asig_inputs_def asig_outputs_def Un_def set_diff_eq)
   1.320 -done
   1.321 -
   1.322 -lemma outputs_of_par: "out (A1||A2) = 
   1.323 -          (out A1) Un (out A2)"
   1.324 -apply (simp add: actions_def asig_of_par asig_comp_def
   1.325 -  asig_outputs_def Un_def set_diff_eq)
   1.326 -done
   1.327 -
   1.328 -lemma internals_of_par: "int (A1||A2) = 
   1.329 -          (int A1) Un (int A2)"
   1.330 -apply (simp add: actions_def asig_of_par asig_comp_def
   1.331 -  asig_inputs_def asig_outputs_def asig_internals_def Un_def set_diff_eq)
   1.332 -done
   1.333 -
   1.334 -
   1.335 -subsection "actions and compatibility"
   1.336 -
   1.337 -lemma compat_commute: "compatible A B = compatible B A"
   1.338 -apply (simp add: compatible_def Int_commute)
   1.339 -apply auto
   1.340 -done
   1.341 -
   1.342 -lemma ext1_is_not_int2: 
   1.343 - "[| compatible A1 A2; a:ext A1|] ==> a~:int A2"
   1.344 -apply (unfold externals_def actions_def compatible_def)
   1.345 -apply simp
   1.346 -apply blast
   1.347 -done
   1.348 -
   1.349 -(* just commuting the previous one: better commute compatible *)
   1.350 -lemma ext2_is_not_int1: 
   1.351 - "[| compatible A2 A1 ; a:ext A1|] ==> a~:int A2"
   1.352 -apply (unfold externals_def actions_def compatible_def)
   1.353 -apply simp
   1.354 -apply blast
   1.355 -done
   1.356 -
   1.357 -lemmas ext1_ext2_is_not_act2 = ext1_is_not_int2 [THEN int_and_ext_is_act, standard]
   1.358 -lemmas ext1_ext2_is_not_act1 = ext2_is_not_int1 [THEN int_and_ext_is_act, standard]
   1.359 -
   1.360 -lemma intA_is_not_extB: 
   1.361 - "[| compatible A B; x:int A |] ==> x~:ext B"
   1.362 -apply (unfold externals_def actions_def compatible_def)
   1.363 -apply simp
   1.364 -apply blast
   1.365 -done
   1.366 -
   1.367 -lemma intA_is_not_actB: 
   1.368 -"[| compatible A B; a:int A |] ==> a ~: act B"
   1.369 -apply (unfold externals_def actions_def compatible_def is_asig_def asig_of_def)
   1.370 -apply simp
   1.371 -apply blast
   1.372 -done
   1.373 -
   1.374 -(* the only one that needs disjointness of outputs and of internals and _all_ acts *)
   1.375 -lemma outAactB_is_inpB: 
   1.376 -"[| compatible A B; a:out A ;a:act B|] ==> a : inp B"
   1.377 -apply (unfold asig_outputs_def asig_internals_def actions_def asig_inputs_def 
   1.378 -    compatible_def is_asig_def asig_of_def)
   1.379 -apply simp
   1.380 -apply blast
   1.381 -done
   1.382 -
   1.383 -(* needed for propagation of input_enabledness from A,B to A||B *)
   1.384 -lemma inpAAactB_is_inpBoroutB: 
   1.385 -"[| compatible A B; a:inp A ;a:act B|] ==> a : inp B | a: out B"
   1.386 -apply (unfold asig_outputs_def asig_internals_def actions_def asig_inputs_def 
   1.387 -    compatible_def is_asig_def asig_of_def)
   1.388 -apply simp
   1.389 -apply blast
   1.390 -done
   1.391 -
   1.392 -
   1.393 -subsection "input_enabledness and par"
   1.394 -
   1.395 -
   1.396 -(* ugly case distinctions. Heart of proof:
   1.397 -     1. inpAAactB_is_inpBoroutB ie. internals are really hidden.
   1.398 -     2. inputs_of_par: outputs are no longer inputs of par. This is important here *)
   1.399 -lemma input_enabled_par: 
   1.400 -"[| compatible A B; input_enabled A; input_enabled B|]  
   1.401 -      ==> input_enabled (A||B)"
   1.402 -apply (unfold input_enabled_def)
   1.403 -apply (simp add: Let_def inputs_of_par trans_of_par)
   1.404 -apply (tactic "safe_tac (global_claset_of @{theory Fun})")
   1.405 -apply (simp add: inp_is_act)
   1.406 -prefer 2
   1.407 -apply (simp add: inp_is_act)
   1.408 -(* a: inp A *)
   1.409 -apply (case_tac "a:act B")
   1.410 -(* a:act B *)
   1.411 -apply (erule_tac x = "a" in allE)
   1.412 -apply simp
   1.413 -apply (drule inpAAactB_is_inpBoroutB)
   1.414 -apply assumption
   1.415 -apply assumption
   1.416 -apply (erule_tac x = "a" in allE)
   1.417 -apply simp
   1.418 -apply (erule_tac x = "aa" in allE)
   1.419 -apply (erule_tac x = "b" in allE)
   1.420 -apply (erule exE)
   1.421 -apply (erule exE)
   1.422 -apply (rule_tac x = " (s2,s2a) " in exI)
   1.423 -apply (simp add: inp_is_act)
   1.424 -(* a~: act B*)
   1.425 -apply (simp add: inp_is_act)
   1.426 -apply (erule_tac x = "a" in allE)
   1.427 -apply simp
   1.428 -apply (erule_tac x = "aa" in allE)
   1.429 -apply (erule exE)
   1.430 -apply (rule_tac x = " (s2,b) " in exI)
   1.431 -apply simp
   1.432 -
   1.433 -(* a:inp B *)
   1.434 -apply (case_tac "a:act A")
   1.435 -(* a:act A *)
   1.436 -apply (erule_tac x = "a" in allE)
   1.437 -apply (erule_tac x = "a" in allE)
   1.438 -apply (simp add: inp_is_act)
   1.439 -apply (frule_tac A1 = "A" in compat_commute [THEN iffD1])
   1.440 -apply (drule inpAAactB_is_inpBoroutB)
   1.441 -back
   1.442 -apply assumption
   1.443 -apply assumption
   1.444 -apply simp
   1.445 -apply (erule_tac x = "aa" in allE)
   1.446 -apply (erule_tac x = "b" in allE)
   1.447 -apply (erule exE)
   1.448 -apply (erule exE)
   1.449 -apply (rule_tac x = " (s2,s2a) " in exI)
   1.450 -apply (simp add: inp_is_act)
   1.451 -(* a~: act B*)
   1.452 -apply (simp add: inp_is_act)
   1.453 -apply (erule_tac x = "a" in allE)
   1.454 -apply (erule_tac x = "a" in allE)
   1.455 -apply simp
   1.456 -apply (erule_tac x = "b" in allE)
   1.457 -apply (erule exE)
   1.458 -apply (rule_tac x = " (aa,s2) " in exI)
   1.459 -apply simp
   1.460 -done
   1.461 -
   1.462 -
   1.463 -subsection "invariants"
   1.464 -
   1.465 -lemma invariantI:
   1.466 -  "[| !!s. s:starts_of(A) ==> P(s);      
   1.467 -      !!s t a. [|reachable A s; P(s)|] ==> (s,a,t): trans_of(A) --> P(t) |]  
   1.468 -   ==> invariant A P"
   1.469 -apply (unfold invariant_def)
   1.470 -apply (rule allI)
   1.471 -apply (rule impI)
   1.472 -apply (rule_tac x = "s" in reachable.induct)
   1.473 -apply assumption
   1.474 -apply blast
   1.475 -apply blast
   1.476 -done
   1.477 -
   1.478 -lemma invariantI1:
   1.479 - "[| !!s. s : starts_of(A) ==> P(s);  
   1.480 -     !!s t a. reachable A s ==> P(s) --> (s,a,t):trans_of(A) --> P(t)  
   1.481 -  |] ==> invariant A P"
   1.482 -  apply (blast intro: invariantI)
   1.483 -  done
   1.484 -
   1.485 -lemma invariantE: "[| invariant A P; reachable A s |] ==> P(s)"
   1.486 -  apply (unfold invariant_def)
   1.487 -  apply blast
   1.488 -  done
   1.489 -
   1.490 -
   1.491 -subsection "restrict"
   1.492 -
   1.493 -
   1.494 -lemmas reachable_0 = reachable.reachable_0
   1.495 -  and reachable_n = reachable.reachable_n
   1.496 -
   1.497 -lemma cancel_restrict_a: "starts_of(restrict ioa acts) = starts_of(ioa) &      
   1.498 -          trans_of(restrict ioa acts) = trans_of(ioa)"
   1.499 -apply (simp add: restrict_def ioa_projections)
   1.500 -done
   1.501 -
   1.502 -lemma cancel_restrict_b: "reachable (restrict ioa acts) s = reachable ioa s"
   1.503 -apply (rule iffI)
   1.504 -apply (erule reachable.induct)
   1.505 -apply (simp add: cancel_restrict_a reachable_0)
   1.506 -apply (erule reachable_n)
   1.507 -apply (simp add: cancel_restrict_a)
   1.508 -(* <--  *)
   1.509 -apply (erule reachable.induct)
   1.510 -apply (rule reachable_0)
   1.511 -apply (simp add: cancel_restrict_a)
   1.512 -apply (erule reachable_n)
   1.513 -apply (simp add: cancel_restrict_a)
   1.514 -done
   1.515 -
   1.516 -lemma acts_restrict: "act (restrict A acts) = act A"
   1.517 -apply (simp (no_asm) add: actions_def asig_internals_def
   1.518 -  asig_outputs_def asig_inputs_def externals_def asig_of_def restrict_def restrict_asig_def)
   1.519 -apply auto
   1.520 -done
   1.521 -
   1.522 -lemma cancel_restrict: "starts_of(restrict ioa acts) = starts_of(ioa) &      
   1.523 -          trans_of(restrict ioa acts) = trans_of(ioa) &  
   1.524 -          reachable (restrict ioa acts) s = reachable ioa s &  
   1.525 -          act (restrict A acts) = act A"
   1.526 -  apply (simp (no_asm) add: cancel_restrict_a cancel_restrict_b acts_restrict)
   1.527 -  done
   1.528 -
   1.529 -
   1.530 -subsection "rename"
   1.531 -
   1.532 -lemma trans_rename: "s -a--(rename C f)-> t ==> (? x. Some(x) = f(a) & s -x--C-> t)"
   1.533 -apply (simp add: Let_def rename_def trans_of_def)
   1.534 -done
   1.535 -
   1.536 -
   1.537 -lemma reachable_rename: "[| reachable (rename C g) s |] ==> reachable C s"
   1.538 -apply (erule reachable.induct)
   1.539 -apply (rule reachable_0)
   1.540 -apply (simp add: rename_def ioa_projections)
   1.541 -apply (drule trans_rename)
   1.542 -apply (erule exE)
   1.543 -apply (erule conjE)
   1.544 -apply (erule reachable_n)
   1.545 -apply assumption
   1.546 -done
   1.547 -
   1.548 -
   1.549 -subsection "trans_of(A||B)"
   1.550 -
   1.551 -
   1.552 -lemma trans_A_proj: "[|(s,a,t):trans_of (A||B); a:act A|]  
   1.553 -              ==> (fst s,a,fst t):trans_of A"
   1.554 -apply (simp add: Let_def par_def trans_of_def)
   1.555 -done
   1.556 -
   1.557 -lemma trans_B_proj: "[|(s,a,t):trans_of (A||B); a:act B|]  
   1.558 -              ==> (snd s,a,snd t):trans_of B"
   1.559 -apply (simp add: Let_def par_def trans_of_def)
   1.560 -done
   1.561 -
   1.562 -lemma trans_A_proj2: "[|(s,a,t):trans_of (A||B); a~:act A|] 
   1.563 -              ==> fst s = fst t"
   1.564 -apply (simp add: Let_def par_def trans_of_def)
   1.565 -done
   1.566 -
   1.567 -lemma trans_B_proj2: "[|(s,a,t):trans_of (A||B); a~:act B|] 
   1.568 -              ==> snd s = snd t"
   1.569 -apply (simp add: Let_def par_def trans_of_def)
   1.570 -done
   1.571 -
   1.572 -lemma trans_AB_proj: "(s,a,t):trans_of (A||B)  
   1.573 -               ==> a :act A | a :act B"
   1.574 -apply (simp add: Let_def par_def trans_of_def)
   1.575 -done
   1.576 -
   1.577 -lemma trans_AB: "[|a:act A;a:act B; 
   1.578 -       (fst s,a,fst t):trans_of A;(snd s,a,snd t):trans_of B|] 
   1.579 -   ==> (s,a,t):trans_of (A||B)"
   1.580 -apply (simp add: Let_def par_def trans_of_def)
   1.581 -done
   1.582 -
   1.583 -lemma trans_A_notB: "[|a:act A;a~:act B; 
   1.584 -       (fst s,a,fst t):trans_of A;snd s=snd t|] 
   1.585 -   ==> (s,a,t):trans_of (A||B)"
   1.586 -apply (simp add: Let_def par_def trans_of_def)
   1.587 -done
   1.588 -
   1.589 -lemma trans_notA_B: "[|a~:act A;a:act B; 
   1.590 -       (snd s,a,snd t):trans_of B;fst s=fst t|] 
   1.591 -   ==> (s,a,t):trans_of (A||B)"
   1.592 -apply (simp add: Let_def par_def trans_of_def)
   1.593 -done
   1.594 -
   1.595 -lemmas trans_of_defs1 = trans_AB trans_A_notB trans_notA_B
   1.596 -  and trans_of_defs2 = trans_A_proj trans_B_proj trans_A_proj2 trans_B_proj2 trans_AB_proj
   1.597 -
   1.598 -
   1.599 -lemma trans_of_par4: 
   1.600 -"((s,a,t) : trans_of(A || B || C || D)) =                                     
   1.601 -  ((a:actions(asig_of(A)) | a:actions(asig_of(B)) | a:actions(asig_of(C)) |   
   1.602 -    a:actions(asig_of(D))) &                                                  
   1.603 -   (if a:actions(asig_of(A)) then (fst(s),a,fst(t)):trans_of(A)               
   1.604 -    else fst t=fst s) &                                                       
   1.605 -   (if a:actions(asig_of(B)) then (fst(snd(s)),a,fst(snd(t))):trans_of(B)     
   1.606 -    else fst(snd(t))=fst(snd(s))) &                                           
   1.607 -   (if a:actions(asig_of(C)) then                                             
   1.608 -      (fst(snd(snd(s))),a,fst(snd(snd(t)))):trans_of(C)                       
   1.609 -    else fst(snd(snd(t)))=fst(snd(snd(s)))) &                                 
   1.610 -   (if a:actions(asig_of(D)) then                                             
   1.611 -      (snd(snd(snd(s))),a,snd(snd(snd(t)))):trans_of(D)                       
   1.612 -    else snd(snd(snd(t)))=snd(snd(snd(s)))))"
   1.613 -  apply (simp (no_asm) add: par_def actions_asig_comp Pair_fst_snd_eq Let_def ioa_projections)
   1.614 -  done
   1.615 -
   1.616 -
   1.617 -subsection "proof obligation generator for IOA requirements"
   1.618 -
   1.619 -(* without assumptions on A and B because is_trans_of is also incorporated in ||def *)
   1.620 -lemma is_trans_of_par: "is_trans_of (A||B)"
   1.621 -apply (unfold is_trans_of_def)
   1.622 -apply (simp add: Let_def actions_of_par trans_of_par)
   1.623 -done
   1.624 -
   1.625 -lemma is_trans_of_restrict: 
   1.626 -"is_trans_of A ==> is_trans_of (restrict A acts)"
   1.627 -apply (unfold is_trans_of_def)
   1.628 -apply (simp add: cancel_restrict acts_restrict)
   1.629 -done
   1.630 -
   1.631 -lemma is_trans_of_rename: 
   1.632 -"is_trans_of A ==> is_trans_of (rename A f)"
   1.633 -apply (unfold is_trans_of_def restrict_def restrict_asig_def)
   1.634 -apply (simp add: Let_def actions_def trans_of_def asig_internals_def
   1.635 -  asig_outputs_def asig_inputs_def externals_def asig_of_def rename_def rename_set_def)
   1.636 -apply blast
   1.637 -done
   1.638 -
   1.639 -lemma is_asig_of_par: "[| is_asig_of A; is_asig_of B; compatible A B|]   
   1.640 -          ==> is_asig_of (A||B)"
   1.641 -apply (simp add: is_asig_of_def asig_of_par asig_comp_def compatible_def
   1.642 -  asig_internals_def asig_outputs_def asig_inputs_def actions_def is_asig_def)
   1.643 -apply (simp add: asig_of_def)
   1.644 -apply auto
   1.645 -done
   1.646 -
   1.647 -lemma is_asig_of_restrict: 
   1.648 -"is_asig_of A ==> is_asig_of (restrict A f)"
   1.649 -apply (unfold is_asig_of_def is_asig_def asig_of_def restrict_def restrict_asig_def 
   1.650 -           asig_internals_def asig_outputs_def asig_inputs_def externals_def o_def)
   1.651 -apply simp
   1.652 -apply auto
   1.653 -done
   1.654 -
   1.655 -lemma is_asig_of_rename: "is_asig_of A ==> is_asig_of (rename A f)"
   1.656 -apply (simp add: is_asig_of_def rename_def rename_set_def asig_internals_def
   1.657 -  asig_outputs_def asig_inputs_def actions_def is_asig_def asig_of_def)
   1.658 -apply auto
   1.659 -apply (drule_tac [!] s = "Some ?x" in sym)
   1.660 -apply auto
   1.661 -done
   1.662 -
   1.663 -lemmas [simp] = is_asig_of_par is_asig_of_restrict
   1.664 -  is_asig_of_rename is_trans_of_par is_trans_of_restrict is_trans_of_rename
   1.665 -
   1.666 -
   1.667 -lemma compatible_par: 
   1.668 -"[|compatible A B; compatible A C |]==> compatible A (B||C)"
   1.669 -apply (unfold compatible_def)
   1.670 -apply (simp add: internals_of_par outputs_of_par actions_of_par)
   1.671 -apply auto
   1.672 -done
   1.673 -
   1.674 -(*  better derive by previous one and compat_commute *)
   1.675 -lemma compatible_par2: 
   1.676 -"[|compatible A C; compatible B C |]==> compatible (A||B) C"
   1.677 -apply (unfold compatible_def)
   1.678 -apply (simp add: internals_of_par outputs_of_par actions_of_par)
   1.679 -apply auto
   1.680 -done
   1.681 -
   1.682 -lemma compatible_restrict: 
   1.683 -"[| compatible A B; (ext B - S) Int ext A = {}|]  
   1.684 -      ==> compatible A (restrict B S)"
   1.685 -apply (unfold compatible_def)
   1.686 -apply (simp add: ioa_triple_proj asig_triple_proj externals_def
   1.687 -  restrict_def restrict_asig_def actions_def)
   1.688 -apply auto
   1.689 -done
   1.690 -
   1.691 -
   1.692 -declare split_paired_Ex [simp]
   1.693 -
   1.694 -end