src/HOL/UNITY/Transformers.thy
changeset 13821 0fd39aa77095
child 13832 e7649436869c
     1.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     1.2 +++ b/src/HOL/UNITY/Transformers.thy	Tue Feb 18 15:09:14 2003 +0100
     1.3 @@ -0,0 +1,263 @@
     1.4 +(*  Title:      HOL/UNITY/Transformers
     1.5 +    ID:         $Id$
     1.6 +    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
     1.7 +    Copyright   2003  University of Cambridge
     1.8 +
     1.9 +Predicate Transformers from 
    1.10 +
    1.11 +    David Meier and Beverly Sanders,
    1.12 +    Composing Leads-to Properties
    1.13 +    Theoretical Computer Science 243:1-2 (2000), 339-361.
    1.14 +*)
    1.15 +
    1.16 +header{*Predicate Transformers*}
    1.17 +
    1.18 +theory Transformers = Comp:
    1.19 +
    1.20 +subsection{*Defining the Predicate Transformers @{term wp},
    1.21 +   @{term awp} and  @{term wens}*}
    1.22 +
    1.23 +constdefs
    1.24 +  wp :: "[('a*'a) set, 'a set] => 'a set"  
    1.25 +    --{*Dijkstra's weakest-precondition operator*}
    1.26 +    "wp act B == - (act^-1 `` (-B))"
    1.27 +
    1.28 +  awp :: "[ 'a program, 'a set] => 'a set"  
    1.29 +    "awp F B == (\<Inter>act \<in> Acts F. wp act B)"
    1.30 +
    1.31 +  wens :: "[ 'a program, ('a*'a) set, 'a set] => 'a set"  
    1.32 +    "wens F act B == gfp(\<lambda>X. (wp act B \<inter> awp F (B \<union> X)) \<union> B)"
    1.33 +
    1.34 +text{*The fundamental theorem for wp*}
    1.35 +theorem wp_iff: "(A <= wp act B) = (act `` A <= B)"
    1.36 +by (force simp add: wp_def) 
    1.37 +
    1.38 +lemma Compl_Domain_subset_wp: "- (Domain act) \<subseteq> wp act B"
    1.39 +by (force simp add: wp_def) 
    1.40 +
    1.41 +lemma awp_Int_eq: "awp F (A\<inter>B) = awp F A \<inter> awp F B"
    1.42 +by (simp add: awp_def wp_def, blast) 
    1.43 +
    1.44 +text{*The fundamental theorem for awp*}
    1.45 +theorem awp_iff: "(A <= awp F B) = (F \<in> A co B)"
    1.46 +by (simp add: awp_def constrains_def wp_iff INT_subset_iff) 
    1.47 +
    1.48 +theorem stable_iff_awp: "(A \<subseteq> awp F A) = (F \<in> stable A)"
    1.49 +by (simp add: awp_iff stable_def) 
    1.50 +
    1.51 +lemma awp_mono: "(A \<subseteq> B) ==> awp F A \<subseteq> awp F B"
    1.52 +by (simp add: awp_def wp_def, blast)
    1.53 +
    1.54 +lemma wens_unfold:
    1.55 +     "wens F act B = (wp act B \<inter> awp F (B \<union> wens F act B)) \<union> B"
    1.56 +apply (simp add: wens_def) 
    1.57 +apply (rule gfp_unfold) 
    1.58 +apply (simp add: mono_def wp_def awp_def, blast) 
    1.59 +done
    1.60 +
    1.61 +text{*These two theorems justify the claim that @{term wens} returns the
    1.62 +weakest assertion satisfying the ensures property*}
    1.63 +lemma ensures_imp_wens: "F \<in> A ensures B ==> \<exists>act \<in> Acts F. A \<subseteq> wens F act B"
    1.64 +apply (simp add: wens_def ensures_def transient_def, clarify) 
    1.65 +apply (rule rev_bexI, assumption) 
    1.66 +apply (rule gfp_upperbound)
    1.67 +apply (simp add: constrains_def awp_def wp_def, blast)
    1.68 +done
    1.69 +
    1.70 +lemma wens_ensures: "act \<in> Acts F ==> F \<in> (wens F act B) ensures B"
    1.71 +by (simp add: wens_def gfp_def constrains_def awp_def wp_def
    1.72 +              ensures_def transient_def, blast) 
    1.73 +
    1.74 +text{*These two results constitute assertion (4.13) of the thesis*}
    1.75 +lemma wens_mono: "(A \<subseteq> B) ==> wens F act A \<subseteq> wens F act B"
    1.76 +apply (simp add: wens_def wp_def awp_def) 
    1.77 +apply (rule gfp_mono, blast) 
    1.78 +done
    1.79 +
    1.80 +lemma wens_weakening: "B \<subseteq> wens F act B"
    1.81 +by (simp add: wens_def gfp_def, blast)
    1.82 +
    1.83 +text{*Assertion (6), or 4.16 in the thesis*}
    1.84 +lemma subset_wens: "A-B \<subseteq> wp act B \<inter> awp F (B \<union> A) ==> A \<subseteq> wens F act B" 
    1.85 +apply (simp add: wens_def wp_def awp_def) 
    1.86 +apply (rule gfp_upperbound, blast) 
    1.87 +done
    1.88 +
    1.89 +text{*Assertion 4.17 in the thesis*}
    1.90 +lemma Diff_wens_constrains: "F \<in> (wens F act A - A) co wens F act A" 
    1.91 +by (simp add: wens_def gfp_def wp_def awp_def constrains_def, blast)
    1.92 +
    1.93 +text{*Assertion (7): 4.18 in the thesis.  NOTE that many of these results
    1.94 +hold for an arbitrary action.  We often do not require @{term "act \<in> Acts F"}*}
    1.95 +lemma stable_wens: "F \<in> stable A ==> F \<in> stable (wens F act A)"
    1.96 +apply (simp add: stable_def)
    1.97 +apply (drule constrains_Un [OF Diff_wens_constrains [of F act A]]) 
    1.98 +apply (simp add: Un_Int_distrib2 Compl_partition2) 
    1.99 +apply (erule constrains_weaken) 
   1.100 + apply blast 
   1.101 +apply (simp add: Un_subset_iff wens_weakening) 
   1.102 +done
   1.103 +
   1.104 +text{*Assertion 4.20 in the thesis.*}
   1.105 +lemma wens_Int_eq_lemma:
   1.106 +      "[|T-B \<subseteq> awp F T; act \<in> Acts F|]
   1.107 +       ==> T \<inter> wens F act B \<subseteq> wens F act (T\<inter>B)"
   1.108 +apply (rule subset_wens) 
   1.109 +apply (rule_tac P="\<lambda>x. ?f x \<subseteq> ?b" in ssubst [OF wens_unfold])
   1.110 +apply (simp add: wp_def awp_def, blast)
   1.111 +done
   1.112 +
   1.113 +text{*Assertion (8): 4.21 in the thesis. Here we indeed require
   1.114 +      @{term "act \<in> Acts F"}*}
   1.115 +lemma wens_Int_eq:
   1.116 +      "[|T-B \<subseteq> awp F T; act \<in> Acts F|]
   1.117 +       ==> T \<inter> wens F act B = T \<inter> wens F act (T\<inter>B)"
   1.118 +apply (rule equalityI)
   1.119 + apply (simp_all add: Int_lower1 Int_subset_iff) 
   1.120 + apply (rule wens_Int_eq_lemma, assumption+) 
   1.121 +apply (rule subset_trans [OF _ wens_mono [of "T\<inter>B" B]], auto) 
   1.122 +done
   1.123 +
   1.124 +subsection{*Defining the Weakest Ensures Set*}
   1.125 +
   1.126 +consts
   1.127 +  wens_set :: "['a program, 'a set] => 'a set set"
   1.128 +
   1.129 +inductive "wens_set F B"
   1.130 + intros 
   1.131 +
   1.132 +  Basis: "B \<in> wens_set F B"
   1.133 +
   1.134 +  Wens:  "[|X \<in> wens_set F B; act \<in> Acts F|] ==> wens F act X \<in> wens_set F B"
   1.135 +
   1.136 +  Union: "W \<noteq> {} ==> \<forall>U \<in> W. U \<in> wens_set F B ==> \<Union>W \<in> wens_set F B"
   1.137 +
   1.138 +lemma wens_set_imp_co: "A \<in> wens_set F B ==> F \<in> (A-B) co A"
   1.139 +apply (erule wens_set.induct) 
   1.140 +  apply (simp add: constrains_def)
   1.141 + apply (drule_tac act1=act and A1=X 
   1.142 +        in constrains_Un [OF Diff_wens_constrains]) 
   1.143 + apply (erule constrains_weaken, blast) 
   1.144 + apply (simp add: Un_subset_iff wens_weakening) 
   1.145 +apply (rule constrains_weaken) 
   1.146 +apply (rule_tac I=W and A="\<lambda>v. v-B" and A'="\<lambda>v. v" in constrains_UN, blast+)
   1.147 +done
   1.148 +
   1.149 +lemma wens_set_imp_leadsTo: "A \<in> wens_set F B ==> F \<in> A leadsTo B"
   1.150 +apply (erule wens_set.induct)
   1.151 +  apply (rule leadsTo_refl)  
   1.152 + apply (blast intro: wens_ensures leadsTo_Basis leadsTo_Trans ) 
   1.153 +apply (blast intro: leadsTo_Union) 
   1.154 +done
   1.155 +
   1.156 +(*????????????????Set.thy Set.all_not_in_conv*)
   1.157 +lemma ex_in_conv: "(\<exists>x. x \<in> A) = (A \<noteq> {})"
   1.158 +by blast
   1.159 +
   1.160 +
   1.161 +lemma leadsTo_imp_wens_set: "F \<in> A leadsTo B ==> \<exists>C \<in> wens_set F B. A \<subseteq> C"
   1.162 +apply (erule leadsTo_induct_pre)
   1.163 +  apply (blast dest!: ensures_imp_wens intro: wens_set.Basis wens_set.Wens)
   1.164 + apply clarify 
   1.165 + apply (drule ensures_weaken_R, assumption)  
   1.166 + apply (blast dest!: ensures_imp_wens intro: wens_set.Wens)
   1.167 +apply (case_tac "S={}") 
   1.168 + apply (simp, blast intro: wens_set.Basis)
   1.169 +apply (clarsimp dest!: bchoice simp: ball_conj_distrib Bex_def) 
   1.170 +apply (rule_tac x = "\<Union>{Z. \<exists>U\<in>S. Z = f U}" in exI)
   1.171 +apply (blast intro: wens_set.Union) 
   1.172 +done
   1.173 +
   1.174 +text{*Assertion (9): 4.27 in the thesis.*}
   1.175 +
   1.176 +lemma leadsTo_iff_wens_set: "(F \<in> A leadsTo B) = (\<exists>C \<in> wens_set F B. A \<subseteq> C)"
   1.177 +by (blast intro: leadsTo_imp_wens_set leadsTo_weaken_L wens_set_imp_leadsTo) 
   1.178 +
   1.179 +text{*This is the result that requires the definition of @{term wens_set} to
   1.180 +require @{term W} to be non-empty in the Unio case, for otherwise we should
   1.181 +always have @{term "{} \<in> wens_set F B"}.*}
   1.182 +lemma wens_set_imp_subset: "A \<in> wens_set F B ==> B \<subseteq> A"
   1.183 +apply (erule wens_set.induct) 
   1.184 +  apply (blast intro: wens_weakening [THEN subsetD])+
   1.185 +done
   1.186 +
   1.187 +
   1.188 +subsection{*Properties Involving Program Union*}
   1.189 +
   1.190 +text{*Assertion (4.30) of thesis, reoriented*}
   1.191 +lemma awp_Join_eq: "awp (F\<squnion>G) B = awp F B \<inter> awp G B"
   1.192 +by (simp add: awp_def wp_def, blast)
   1.193 +
   1.194 +lemma wens_subset: 
   1.195 +     "wens F act B - B \<subseteq> wp act B \<inter> awp F (B \<union> wens F act B)"
   1.196 +by (subst wens_unfold, fast) 
   1.197 +
   1.198 +text{*Assertion (4.31)*}
   1.199 +lemma subset_wens_Join:
   1.200 +      "[|A = T \<inter> wens F act B;  T-B \<subseteq> awp F T; A-B \<subseteq> awp G (A \<union> B)|] 
   1.201 +       ==> A \<subseteq> wens (F\<squnion>G) act B"
   1.202 +apply (subgoal_tac "(T \<inter> wens F act B) - B \<subseteq> 
   1.203 +                    wp act B \<inter> awp F (B \<union> wens F act B) \<inter> awp F T") 
   1.204 + apply (rule subset_wens) 
   1.205 + apply (simp add: awp_Join_eq awp_Int_eq Int_subset_iff Un_commute)
   1.206 + apply (simp add: awp_def wp_def, blast) 
   1.207 +apply (insert wens_subset [of F act B], blast) 
   1.208 +done
   1.209 +
   1.210 +text{*Assertion (4.32)*}
   1.211 +lemma wens_Join_subset: "wens (F\<squnion>G) act B \<subseteq> wens F act B"
   1.212 +apply (simp add: wens_def) 
   1.213 +apply (rule gfp_mono)
   1.214 +apply (auto simp add: awp_Join_eq)  
   1.215 +done
   1.216 +
   1.217 +text{*Lemma, because the inductive step is just too messy.*}
   1.218 +lemma wens_Union_inductive_step:
   1.219 +  assumes awpF: "T-B \<subseteq> awp F T"
   1.220 +      and awpG: "!!X. X \<in> wens_set F B ==> (T\<inter>X) - B \<subseteq> awp G (T\<inter>X)"
   1.221 +  shows "[|X \<in> wens_set F B; act \<in> Acts F; Y \<subseteq> X; T\<inter>X = T\<inter>Y|]
   1.222 +         ==> wens (F\<squnion>G) act Y \<subseteq> wens F act X \<and>
   1.223 +             T \<inter> wens F act X = T \<inter> wens (F\<squnion>G) act Y"
   1.224 +apply (subgoal_tac "wens (F\<squnion>G) act Y \<subseteq> wens F act X")  
   1.225 + prefer 2
   1.226 + apply (blast dest: wens_mono intro: wens_Join_subset [THEN subsetD], simp)
   1.227 +apply (rule equalityI) 
   1.228 + prefer 2 apply blast
   1.229 +apply (simp add: Int_lower1 Int_subset_iff) 
   1.230 +apply (frule wens_set_imp_subset) 
   1.231 +apply (subgoal_tac "T-X \<subseteq> awp F T")  
   1.232 + prefer 2 apply (blast intro: awpF [THEN subsetD]) 
   1.233 +apply (rule_tac B = "wens (F\<squnion>G) act (T\<inter>X)" in subset_trans) 
   1.234 + prefer 2 apply (blast intro!: wens_mono)
   1.235 +apply (subst wens_Int_eq, assumption+) 
   1.236 +apply (rule subset_wens_Join [of _ T])
   1.237 +  apply simp 
   1.238 + apply blast
   1.239 +apply (subgoal_tac "T \<inter> wens F act (T\<inter>X) \<union> T\<inter>X = T \<inter> wens F act X")
   1.240 + prefer 2
   1.241 + apply (subst wens_Int_eq [symmetric], assumption+) 
   1.242 + apply (blast intro: wens_weakening [THEN subsetD], simp) 
   1.243 +apply (blast intro: awpG [THEN subsetD] wens_set.Wens)
   1.244 +done
   1.245 +
   1.246 +lemma wens_Union:
   1.247 +  assumes awpF: "T-B \<subseteq> awp F T"
   1.248 +      and awpG: "!!X. X \<in> wens_set F B ==> (T\<inter>X) - B \<subseteq> awp G (T\<inter>X)"
   1.249 +      and major: "X \<in> wens_set F B"
   1.250 +  shows "\<exists>Y \<in> wens_set (F\<squnion>G) B. Y \<subseteq> X & T\<inter>X = T\<inter>Y"
   1.251 +apply (rule wens_set.induct [OF major])
   1.252 +  txt{*Basis: trivial*}
   1.253 +  apply (blast intro: wens_set.Basis)
   1.254 + txt{*Inductive step*}
   1.255 + apply clarify 
   1.256 + apply (rule_tac x = "wens (F\<squnion>G) act Y" in rev_bexI)
   1.257 +  apply (force intro: wens_set.Wens)
   1.258 + apply (simp add: wens_Union_inductive_step [OF awpF awpG]) 
   1.259 +txt{*Union: by Axiom of Choice*}
   1.260 +apply (simp add: ball_conj_distrib Bex_def) 
   1.261 +apply (clarify dest!: bchoice) 
   1.262 +apply (rule_tac x = "\<Union>{Z. \<exists>U\<in>W. Z = f U}" in exI)
   1.263 +apply (blast intro: wens_set.Union) 
   1.264 +done
   1.265 +
   1.266 +end