src/HOL/IOA/IOA.thy
author wenzelm
Tue Sep 26 20:54:40 2017 +0200 (23 months ago)
changeset 66695 91500c024c7f
parent 63167 0909deb8059b
child 67613 ce654b0e6d69
permissions -rw-r--r--
tuned;
     1 (*  Title:      HOL/IOA/IOA.thy
     2     Author:     Tobias Nipkow & Konrad Slind
     3     Copyright   1994  TU Muenchen
     4 *)
     5 
     6 section \<open>The I/O automata of Lynch and Tuttle\<close>
     7 
     8 theory IOA
     9 imports Asig
    10 begin
    11 
    12 type_synonym 'a seq = "nat => 'a"
    13 type_synonym 'a oseq = "nat => 'a option"
    14 type_synonym ('a, 'b) execution = "'a oseq * 'b seq"
    15 type_synonym ('a, 's) transition = "('s * 'a * 's)"
    16 type_synonym ('a,'s) ioa = "'a signature * 's set * ('a, 's) transition set"
    17 
    18 (* IO automata *)
    19 
    20 definition state_trans :: "['action signature, ('action,'state)transition set] => bool"
    21   where "state_trans asig R ==
    22      (!triple. triple:R --> fst(snd(triple)):actions(asig)) &
    23      (!a. (a:inputs(asig)) --> (!s1. ? s2. (s1,a,s2):R))"
    24 
    25 definition asig_of :: "('action,'state)ioa => 'action signature"
    26   where "asig_of == fst"
    27 
    28 definition starts_of :: "('action,'state)ioa => 'state set"
    29   where "starts_of == (fst o snd)"
    30 
    31 definition trans_of :: "('action,'state)ioa => ('action,'state)transition set"
    32   where "trans_of == (snd o snd)"
    33 
    34 definition IOA :: "('action,'state)ioa => bool"
    35   where "IOA(ioa) == (is_asig(asig_of(ioa)) &
    36                 (~ starts_of(ioa) = {}) &
    37                 state_trans (asig_of ioa) (trans_of ioa))"
    38 
    39 
    40 (* Executions, schedules, and traces *)
    41 
    42 (* An execution fragment is modelled with a pair of sequences:
    43    the first is the action options, the second the state sequence.
    44    Finite executions have None actions from some point on. *)
    45 definition is_execution_fragment :: "[('action,'state)ioa, ('action,'state)execution] => bool"
    46   where "is_execution_fragment A ex ==
    47      let act = fst(ex); state = snd(ex)
    48      in !n a. (act(n)=None --> state(Suc(n)) = state(n)) &
    49               (act(n)=Some(a) --> (state(n),a,state(Suc(n))):trans_of(A))"
    50 
    51 definition executions :: "('action,'state)ioa => ('action,'state)execution set"
    52   where "executions(ioa) == {e. snd e 0:starts_of(ioa) & is_execution_fragment ioa e}"
    53 
    54 
    55 definition reachable :: "[('action,'state)ioa, 'state] => bool"
    56   where "reachable ioa s == (? ex:executions(ioa). ? n. (snd ex n) = s)"
    57 
    58 definition invariant :: "[('action,'state)ioa, 'state=>bool] => bool"
    59   where "invariant A P == (!s. reachable A s --> P(s))"
    60 
    61 
    62 (* Composition of action signatures and automata *)
    63 
    64 consts
    65   compatible_asigs ::"('a => 'action signature) => bool"
    66   asig_composition ::"('a => 'action signature) => 'action signature"
    67   compatible_ioas  ::"('a => ('action,'state)ioa) => bool"
    68   ioa_composition  ::"('a => ('action, 'state)ioa) =>('action,'a => 'state)ioa"
    69 
    70 
    71 (* binary composition of action signatures and automata *)
    72 
    73 definition compat_asigs ::"['action signature, 'action signature] => bool"
    74   where "compat_asigs a1 a2 ==
    75    (((outputs(a1) Int outputs(a2)) = {}) &
    76     ((internals(a1) Int actions(a2)) = {}) &
    77     ((internals(a2) Int actions(a1)) = {}))"
    78 
    79 definition compat_ioas  ::"[('action,'s)ioa, ('action,'t)ioa] => bool"
    80   where "compat_ioas ioa1 ioa2 == compat_asigs (asig_of(ioa1)) (asig_of(ioa2))"
    81 
    82 definition asig_comp :: "['action signature, 'action signature] => 'action signature"
    83   where "asig_comp a1 a2 ==
    84       (((inputs(a1) Un inputs(a2)) - (outputs(a1) Un outputs(a2)),
    85         (outputs(a1) Un outputs(a2)),
    86         (internals(a1) Un internals(a2))))"
    87 
    88 definition par :: "[('a,'s)ioa, ('a,'t)ioa] => ('a,'s*'t)ioa"  (infixr "||" 10)
    89   where "(ioa1 || ioa2) ==
    90      (asig_comp (asig_of ioa1) (asig_of ioa2),
    91       {pr. fst(pr):starts_of(ioa1) & snd(pr):starts_of(ioa2)},
    92       {tr. let s = fst(tr); a = fst(snd(tr)); t = snd(snd(tr))
    93            in (a:actions(asig_of(ioa1)) | a:actions(asig_of(ioa2))) &
    94               (if a:actions(asig_of(ioa1)) then
    95                  (fst(s),a,fst(t)):trans_of(ioa1)
    96                else fst(t) = fst(s))
    97               &
    98               (if a:actions(asig_of(ioa2)) then
    99                  (snd(s),a,snd(t)):trans_of(ioa2)
   100                else snd(t) = snd(s))})"
   101 
   102 
   103 (* Filtering and hiding *)
   104 
   105 (* Restrict the trace to those members of the set s *)
   106 definition filter_oseq :: "('a => bool) => 'a oseq => 'a oseq"
   107   where "filter_oseq p s ==
   108    (%i. case s(i)
   109          of None => None
   110           | Some(x) => if p x then Some x else None)"
   111 
   112 definition mk_trace :: "[('action,'state)ioa, 'action oseq] => 'action oseq"
   113   where "mk_trace(ioa) == filter_oseq(%a. a:externals(asig_of(ioa)))"
   114 
   115 (* Does an ioa have an execution with the given trace *)
   116 definition has_trace :: "[('action,'state)ioa, 'action oseq] => bool"
   117   where "has_trace ioa b == (? ex:executions(ioa). b = mk_trace ioa (fst ex))"
   118 
   119 definition NF :: "'a oseq => 'a oseq"
   120   where "NF(tr) == @nf. ? f. mono(f) & (!i. nf(i)=tr(f(i))) &
   121                     (!j. j ~: range(f) --> nf(j)= None) &
   122                     (!i. nf(i)=None --> (nf (Suc i)) = None)"
   123 
   124 (* All the traces of an ioa *)
   125 definition traces :: "('action,'state)ioa => 'action oseq set"
   126   where "traces(ioa) == {trace. ? tr. trace=NF(tr) & has_trace ioa tr}"
   127 
   128 
   129 definition restrict_asig :: "['a signature, 'a set] => 'a signature"
   130   where "restrict_asig asig actns ==
   131     (inputs(asig) Int actns, outputs(asig) Int actns,
   132      internals(asig) Un (externals(asig) - actns))"
   133 
   134 definition restrict :: "[('a,'s)ioa, 'a set] => ('a,'s)ioa"
   135   where "restrict ioa actns ==
   136     (restrict_asig (asig_of ioa) actns, starts_of(ioa), trans_of(ioa))"
   137 
   138 
   139 
   140 (* Notions of correctness *)
   141 
   142 definition ioa_implements :: "[('action,'state1)ioa, ('action,'state2)ioa] => bool"
   143   where "ioa_implements ioa1 ioa2 ==
   144   ((inputs(asig_of(ioa1)) = inputs(asig_of(ioa2))) &
   145      (outputs(asig_of(ioa1)) = outputs(asig_of(ioa2))) &
   146       traces(ioa1) <= traces(ioa2))"
   147 
   148 
   149 (* Instantiation of abstract IOA by concrete actions *)
   150 
   151 definition rename :: "('a, 'b)ioa => ('c => 'a option) => ('c,'b)ioa"
   152   where "rename ioa ren ==
   153     (({b. ? x. Some(x)= ren(b) & x : inputs(asig_of(ioa))},
   154       {b. ? x. Some(x)= ren(b) & x : outputs(asig_of(ioa))},
   155       {b. ? x. Some(x)= ren(b) & x : internals(asig_of(ioa))}),
   156                 starts_of(ioa)   ,
   157      {tr. let s = fst(tr); a = fst(snd(tr));  t = snd(snd(tr))
   158           in
   159           ? x. Some(x) = ren(a) & (s,x,t):trans_of(ioa)})"
   160 
   161 
   162 declare Let_def [simp]
   163 
   164 lemmas ioa_projections = asig_of_def starts_of_def trans_of_def
   165   and exec_rws = executions_def is_execution_fragment_def
   166 
   167 lemma ioa_triple_proj:
   168     "asig_of(x,y,z) = x & starts_of(x,y,z) = y & trans_of(x,y,z) = z"
   169   apply (simp add: ioa_projections)
   170   done
   171 
   172 lemma trans_in_actions:
   173   "[| IOA(A); (s1,a,s2):trans_of(A) |] ==> a:actions(asig_of(A))"
   174   apply (unfold IOA_def state_trans_def actions_def is_asig_def)
   175   apply (erule conjE)+
   176   apply (erule allE, erule impE, assumption)
   177   apply simp
   178   done
   179 
   180 
   181 lemma filter_oseq_idemp: "filter_oseq p (filter_oseq p s) = filter_oseq p s"
   182   apply (simp add: filter_oseq_def)
   183   apply (rule ext)
   184   apply (case_tac "s i")
   185   apply simp_all
   186   done
   187 
   188 lemma mk_trace_thm:
   189 "(mk_trace A s n = None) =
   190    (s(n)=None | (? a. s(n)=Some(a) & a ~: externals(asig_of(A))))
   191    &
   192    (mk_trace A s n = Some(a)) =
   193     (s(n)=Some(a) & a : externals(asig_of(A)))"
   194   apply (unfold mk_trace_def filter_oseq_def)
   195   apply (case_tac "s n")
   196   apply auto
   197   done
   198 
   199 lemma reachable_0: "s:starts_of(A) ==> reachable A s"
   200   apply (unfold reachable_def)
   201   apply (rule_tac x = "(%i. None, %i. s)" in bexI)
   202   apply simp
   203   apply (simp add: exec_rws)
   204   done
   205 
   206 lemma reachable_n:
   207   "!!A. [| reachable A s; (s,a,t) : trans_of(A) |] ==> reachable A t"
   208   apply (unfold reachable_def exec_rws)
   209   apply (simp del: bex_simps)
   210   apply (simp (no_asm_simp) only: split_tupled_all)
   211   apply safe
   212   apply (rename_tac ex1 ex2 n)
   213   apply (rule_tac x = "(%i. if i<n then ex1 i else (if i=n then Some a else None) , %i. if i<Suc n then ex2 i else t)" in bexI)
   214    apply (rule_tac x = "Suc n" in exI)
   215    apply (simp (no_asm))
   216   apply simp
   217   apply (metis ioa_triple_proj less_antisym)
   218   done
   219 
   220 
   221 lemma invariantI:
   222   assumes p1: "!!s. s:starts_of(A) ==> P(s)"
   223     and p2: "!!s t a. [|reachable A s; P(s)|] ==> (s,a,t): trans_of(A) --> P(t)"
   224   shows "invariant A P"
   225   apply (unfold invariant_def reachable_def Let_def exec_rws)
   226   apply safe
   227   apply (rename_tac ex1 ex2 n)
   228   apply (rule_tac Q = "reachable A (ex2 n) " in conjunct1)
   229   apply simp
   230   apply (induct_tac n)
   231    apply (fast intro: p1 reachable_0)
   232   apply (erule_tac x = na in allE)
   233   apply (case_tac "ex1 na", simp_all)
   234   apply safe
   235    apply (erule p2 [THEN mp])
   236     apply (fast dest: reachable_n)+
   237   done
   238 
   239 lemma invariantI1:
   240  "[| !!s. s : starts_of(A) ==> P(s);
   241      !!s t a. reachable A s ==> P(s) --> (s,a,t):trans_of(A) --> P(t)
   242   |] ==> invariant A P"
   243   apply (blast intro!: invariantI)
   244   done
   245 
   246 lemma invariantE:
   247   "[| invariant A P; reachable A s |] ==> P(s)"
   248   apply (unfold invariant_def)
   249   apply blast
   250   done
   251 
   252 lemma actions_asig_comp:
   253   "actions(asig_comp a b) = actions(a) Un actions(b)"
   254   apply (auto simp add: actions_def asig_comp_def asig_projections)
   255   done
   256 
   257 lemma starts_of_par:
   258   "starts_of(A || B) = {p. fst(p):starts_of(A) & snd(p):starts_of(B)}"
   259   apply (simp add: par_def ioa_projections)
   260   done
   261 
   262 (* Every state in an execution is reachable *)
   263 lemma states_of_exec_reachable:
   264   "ex:executions(A) ==> !n. reachable A (snd ex n)"
   265   apply (unfold reachable_def)
   266   apply fast
   267   done
   268 
   269 
   270 lemma trans_of_par4:
   271 "(s,a,t) : trans_of(A || B || C || D) =
   272   ((a:actions(asig_of(A)) | a:actions(asig_of(B)) | a:actions(asig_of(C)) |
   273     a:actions(asig_of(D))) &
   274    (if a:actions(asig_of(A)) then (fst(s),a,fst(t)):trans_of(A)
   275     else fst t=fst s) &
   276    (if a:actions(asig_of(B)) then (fst(snd(s)),a,fst(snd(t))):trans_of(B)
   277     else fst(snd(t))=fst(snd(s))) &
   278    (if a:actions(asig_of(C)) then
   279       (fst(snd(snd(s))),a,fst(snd(snd(t)))):trans_of(C)
   280     else fst(snd(snd(t)))=fst(snd(snd(s)))) &
   281    (if a:actions(asig_of(D)) then
   282       (snd(snd(snd(s))),a,snd(snd(snd(t)))):trans_of(D)
   283     else snd(snd(snd(t)))=snd(snd(snd(s)))))"
   284   (*SLOW*)
   285   apply (simp (no_asm) add: par_def actions_asig_comp prod_eq_iff ioa_projections)
   286   done
   287 
   288 lemma cancel_restrict: "starts_of(restrict ioa acts) = starts_of(ioa) &
   289               trans_of(restrict ioa acts) = trans_of(ioa) &
   290               reachable (restrict ioa acts) s = reachable ioa s"
   291   apply (simp add: is_execution_fragment_def executions_def
   292     reachable_def restrict_def ioa_projections)
   293   done
   294 
   295 lemma asig_of_par: "asig_of(A || B) = asig_comp (asig_of A) (asig_of B)"
   296   apply (simp add: par_def ioa_projections)
   297   done
   298 
   299 
   300 lemma externals_of_par: "externals(asig_of(A1||A2)) =
   301    (externals(asig_of(A1)) Un externals(asig_of(A2)))"
   302   apply (simp add: externals_def asig_of_par asig_comp_def
   303     asig_inputs_def asig_outputs_def Un_def set_diff_eq)
   304   apply blast
   305   done
   306 
   307 lemma ext1_is_not_int2:
   308   "[| compat_ioas A1 A2; a:externals(asig_of(A1))|] ==> a~:internals(asig_of(A2))"
   309   apply (unfold externals_def actions_def compat_ioas_def compat_asigs_def)
   310   apply auto
   311   done
   312 
   313 lemma ext2_is_not_int1:
   314  "[| compat_ioas A2 A1 ; a:externals(asig_of(A1))|] ==> a~:internals(asig_of(A2))"
   315   apply (unfold externals_def actions_def compat_ioas_def compat_asigs_def)
   316   apply auto
   317   done
   318 
   319 lemmas ext1_ext2_is_not_act2 = ext1_is_not_int2 [THEN int_and_ext_is_act]
   320   and ext1_ext2_is_not_act1 = ext2_is_not_int1 [THEN int_and_ext_is_act]
   321 
   322 end