(* Title: HOL/UNITY/Project.ML |
ID: $Id$ |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
Copyright 1999 University of Cambridge |
Projections of state sets (also of actions and programs) |
Inheritance of GUARANTEES properties under extension |
*) |
Open_locale "Extend"; |
Goal "F : A co B ==> project h C (extend h F) : A co B"; |
by (auto_tac (claset(), |
simpset() addsimps [extend_act_def, project_act_def, constrains_def])); |
qed "project_extend_constrains_I"; |
(** Safety **) |
(*used below to prove Join_project_ensures*) |
Goal "[| G : stable C; project h C G : A unless B |] \ |
\ ==> G : (C Int extend_set h A) unless (extend_set h B)"; |
by (asm_full_simp_tac |
(simpset() addsimps [unless_def, project_constrains]) 1); |
by (blast_tac (claset() addDs [stable_constrains_Int] |
addIs [constrains_weaken]) 1); |
qed_spec_mp "project_unless"; |
(*Generalizes project_constrains to the program F Join project h C G; |
useful with guarantees reasoning*) |
Goal "(F Join project h C G : A co B) = \ |
\ (extend h F Join G : (C Int extend_set h A) co (extend_set h B) & \ |
\ F : A co B)"; |
by (simp_tac (simpset() addsimps [project_constrains]) 1); |
by (blast_tac (claset() addIs [extend_constrains RS iffD2 RS constrains_weaken] |
addDs [constrains_imp_subset]) 1); |
qed "Join_project_constrains"; |
(*The condition is required to prove the left-to-right direction; |
could weaken it to G : (C Int extend_set h A) co C*) |
Goalw [stable_def] |
"extend h F Join G : stable C \ |
\ ==> (F Join project h C G : stable A) = \ |
\ (extend h F Join G : stable (C Int extend_set h A) & \ |
\ F : stable A)"; |
by (simp_tac (HOL_ss addsimps [Join_project_constrains]) 1); |
by (blast_tac (claset() addIs [constrains_weaken] addDs [constrains_Int]) 1); |
qed "Join_project_stable"; |
(*For using project_guarantees in particular cases*) |
Goal "extend h F Join G : extend_set h A co extend_set h B \ |
\ ==> F Join project h C G : A co B"; |
by (asm_full_simp_tac |
(simpset() addsimps [project_constrains, extend_constrains]) 1); |
by (blast_tac (claset() addIs [constrains_weaken] |
addDs [constrains_imp_subset]) 1); |
qed "project_constrains_I"; |
Goalw [increasing_def, stable_def] |
"extend h F Join G : increasing (func o f) \ |
\ ==> F Join project h C G : increasing func"; |
by (asm_full_simp_tac (simpset_of SubstAx.thy |
addsimps [project_constrains_I, extend_set_eq_Collect]) 1); |
qed "project_increasing_I"; |
Goal "(F Join project h UNIV G : increasing func) = \ |
\ (extend h F Join G : increasing (func o f))"; |
by (rtac iffI 1); |
by (etac project_increasing_I 2); |
by (asm_full_simp_tac (simpset_of SubstAx.thy |
addsimps [increasing_def, Join_project_stable]) 1); |
by (auto_tac (claset(), |
simpset() addsimps [extend_set_eq_Collect, |
extend_stable RS iffD1])); |
qed "Join_project_increasing"; |
(*The UNIV argument is essential*) |
Goal "F Join project h UNIV G : A co B \ |
\ ==> extend h F Join G : extend_set h A co extend_set h B"; |
by (asm_full_simp_tac |
(simpset() addsimps [project_constrains, extend_constrains]) 1); |
qed "project_constrains_D"; |
(*** "projecting" and union/intersection (no converses) ***) |
Goalw [projecting_def] |
"[| projecting C h F XA' XA; projecting C h F XB' XB |] \ |
\ ==> projecting C h F (XA' Int XB') (XA Int XB)"; |
by (Blast_tac 1); |
qed "projecting_Int"; |
Goalw [projecting_def] |
"[| projecting C h F XA' XA; projecting C h F XB' XB |] \ |
\ ==> projecting C h F (XA' Un XB') (XA Un XB)"; |
by (Blast_tac 1); |
qed "projecting_Un"; |
val [prem] = Goalw [projecting_def] |
"[| !!i. i:I ==> projecting C h F (X' i) (X i) |] \ |
\ ==> projecting C h F (INT i:I. X' i) (INT i:I. X i)"; |
by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
qed "projecting_INT"; |
val [prem] = Goalw [projecting_def] |
"[| !!i. i:I ==> projecting C h F (X' i) (X i) |] \ |
\ ==> projecting C h F (UN i:I. X' i) (UN i:I. X i)"; |
by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
qed "projecting_UN"; |
Goalw [projecting_def] |
"[| projecting C h F X' X; U'<=X'; X<=U |] ==> projecting C h F U' U"; |
by Auto_tac; |
qed "projecting_weaken"; |
Goalw [projecting_def] |
"[| projecting C h F X' X; U'<=X' |] ==> projecting C h F U' X"; |
by Auto_tac; |
qed "projecting_weaken_L"; |
Goalw [extending_def] |
"[| extending C h F YA' YA; extending C h F YB' YB |] \ |
\ ==> extending C h F (YA' Int YB') (YA Int YB)"; |
by (Blast_tac 1); |
qed "extending_Int"; |
Goalw [extending_def] |
"[| extending C h F YA' YA; extending C h F YB' YB |] \ |
\ ==> extending C h F (YA' Un YB') (YA Un YB)"; |
by (Blast_tac 1); |
qed "extending_Un"; |
val [prem] = Goalw [extending_def] |
"[| !!i. i:I ==> extending C h F (Y' i) (Y i) |] \ |
\ ==> extending C h F (INT i:I. Y' i) (INT i:I. Y i)"; |
by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
qed "extending_INT"; |
val [prem] = Goalw [extending_def] |
"[| !!i. i:I ==> extending C h F (Y' i) (Y i) |] \ |
\ ==> extending C h F (UN i:I. Y' i) (UN i:I. Y i)"; |
by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
qed "extending_UN"; |
Goalw [extending_def] |
"[| extending C h F Y' Y; Y'<=V'; V<=Y |] ==> extending C h F V' V"; |
by Auto_tac; |
qed "extending_weaken"; |
Goalw [extending_def] |
"[| extending C h F Y' Y; Y'<=V' |] ==> extending C h F V' Y"; |
by Auto_tac; |
qed "extending_weaken_L"; |
Goal "projecting C h F X' UNIV"; |
by (simp_tac (simpset() addsimps [projecting_def]) 1); |
qed "projecting_UNIV"; |
Goalw [projecting_def] |
"projecting C h F (extend_set h A co extend_set h B) (A co B)"; |
by (blast_tac (claset() addIs [project_constrains_I]) 1); |
qed "projecting_constrains"; |
Goalw [stable_def] |
"projecting C h F (stable (extend_set h A)) (stable A)"; |
by (rtac projecting_constrains 1); |
qed "projecting_stable"; |
Goalw [projecting_def] |
"projecting C h F (increasing (func o f)) (increasing func)"; |
by (blast_tac (claset() addIs [project_increasing_I]) 1); |
qed "projecting_increasing"; |
Goal "extending C h F UNIV Y"; |
by (simp_tac (simpset() addsimps [extending_def]) 1); |
qed "extending_UNIV"; |
Goalw [extending_def] |
"extending (%G. UNIV) h F (extend_set h A co extend_set h B) (A co B)"; |
by (blast_tac (claset() addIs [project_constrains_D]) 1); |
qed "extending_constrains"; |
Goalw [stable_def] |
"extending (%G. UNIV) h F (stable (extend_set h A)) (stable A)"; |
by (rtac extending_constrains 1); |
qed "extending_stable"; |
Goalw [extending_def] |
"extending (%G. UNIV) h F (increasing (func o f)) (increasing func)"; |
by (simp_tac (HOL_ss addsimps [Join_project_increasing]) 1); |
qed "extending_increasing"; |
(** Reachability and project **) |
(*In practice, C = reachable(...): the inclusion is equality*) |
Goal "[| reachable (extend h F Join G) <= C; \ |
\ z : reachable (extend h F Join G) |] \ |
\ ==> f z : reachable (F Join project h C G)"; |
by (etac reachable.induct 1); |
by (force_tac (claset() addSIs [reachable.Init], |
simpset() addsimps [split_extended_all]) 1); |
by Auto_tac; |
by (force_tac (claset() addIs [project_act_I RSN (3,reachable.Acts)], |
simpset()) 2); |
by (res_inst_tac [("act","x")] reachable.Acts 1); |
by Auto_tac; |
by (etac extend_act_D 1); |
qed "reachable_imp_reachable_project"; |
Goalw [Constrains_def] |
"F Join project h (reachable (extend h F Join G)) G : A Co B \ |
\ ==> extend h F Join G : (extend_set h A) Co (extend_set h B)"; |
by (full_simp_tac (simpset_of SubstAx.thy addsimps [Join_project_constrains]) 1); |
by (Clarify_tac 1); |
by (etac constrains_weaken 1); |
by (auto_tac (claset() addIs [reachable_imp_reachable_project], simpset())); |
qed "project_Constrains_D"; |
Goalw [Stable_def] |
"F Join project h (reachable (extend h F Join G)) G : Stable A \ |
\ ==> extend h F Join G : Stable (extend_set h A)"; |
by (asm_simp_tac (simpset() addsimps [project_Constrains_D]) 1); |
qed "project_Stable_D"; |
Goalw [Always_def] |
"F Join project h (reachable (extend h F Join G)) G : Always A \ |
\ ==> extend h F Join G : Always (extend_set h A)"; |
by (force_tac (claset() addIs [reachable.Init], |
simpset() addsimps [project_Stable_D, split_extended_all]) 1); |
qed "project_Always_D"; |
Goalw [Increasing_def] |
"F Join project h (reachable (extend h F Join G)) G : Increasing func \ |
\ ==> extend h F Join G : Increasing (func o f)"; |
by Auto_tac; |
by (stac (extend_set_eq_Collect RS sym) 1); |
by (asm_simp_tac (simpset() addsimps [project_Stable_D]) 1); |
qed "project_Increasing_D"; |
(** Converse results for weak safety: benefits of the argument C *) |
(*In practice, C = reachable(...): the inclusion is equality*) |
Goal "[| C <= reachable(extend h F Join G); \ |
\ x : reachable (F Join project h C G) |] \ |
\ ==> EX y. h(x,y) : reachable (extend h F Join G)"; |
by (etac reachable.induct 1); |
by (ALLGOALS Asm_full_simp_tac); |
by (force_tac (claset() delrules [Id_in_Acts] |
addIs [reachable.Acts, extend_act_D], |
simpset() addsimps [project_act_def]) 2); |
by (force_tac (claset() addIs [reachable.Init], |
simpset()) 1); |
qed "reachable_project_imp_reachable"; |
Goal "project_set h (reachable (extend h F Join G)) = \ |
\ reachable (F Join project h (reachable (extend h F Join G)) G)"; |
by (auto_tac (claset() addDs [subset_refl RS reachable_imp_reachable_project, |
subset_refl RS reachable_project_imp_reachable], |
simpset())); |
qed "project_set_reachable_extend_eq"; |
(*UNUSED*) |
Goal "reachable (extend h F Join G) <= C \ |
\ ==> reachable (extend h F Join G) <= \ |
\ extend_set h (reachable (F Join project h C G))"; |
by (auto_tac (claset() addDs [reachable_imp_reachable_project], |
simpset())); |
qed "reachable_extend_Join_subset"; |
Goalw [Constrains_def] |
"extend h F Join G : (extend_set h A) Co (extend_set h B) \ |
\ ==> F Join project h (reachable (extend h F Join G)) G : A Co B"; |
by (full_simp_tac (simpset_of SubstAx.thy addsimps [Join_project_constrains, |
extend_set_Int_distrib]) 1); |
by (rtac conjI 1); |
by (force_tac |
(claset() addEs [constrains_weaken_L] |
addSDs [extend_constrains_project_set, |
subset_refl RS reachable_project_imp_reachable], |
simpset()) 2); |
by (blast_tac (claset() addIs [constrains_weaken_L]) 1); |
qed "project_Constrains_I"; |
Goalw [Stable_def] |
"extend h F Join G : Stable (extend_set h A) \ |
\ ==> F Join project h (reachable (extend h F Join G)) G : Stable A"; |
by (asm_simp_tac (simpset() addsimps [project_Constrains_I]) 1); |
qed "project_Stable_I"; |
Goalw [Always_def] |
"extend h F Join G : Always (extend_set h A) \ |
\ ==> F Join project h (reachable (extend h F Join G)) G : Always A"; |
by (auto_tac (claset(), simpset() addsimps [project_Stable_I])); |
by (rewtac extend_set_def); |
by (Blast_tac 1); |
qed "project_Always_I"; |
Goalw [Increasing_def] |
"extend h F Join G : Increasing (func o f) \ |
\ ==> F Join project h (reachable (extend h F Join G)) G : Increasing func"; |
by Auto_tac; |
by (asm_simp_tac (simpset() addsimps [extend_set_eq_Collect, |
project_Stable_I]) 1); |
qed "project_Increasing_I"; |
Goal "(F Join project h (reachable (extend h F Join G)) G : A Co B) = \ |
\ (extend h F Join G : (extend_set h A) Co (extend_set h B))"; |
by (blast_tac (claset() addIs [project_Constrains_I, project_Constrains_D]) 1); |
qed "project_Constrains"; |
Goalw [Stable_def] |
"(F Join project h (reachable (extend h F Join G)) G : Stable A) = \ |
\ (extend h F Join G : Stable (extend_set h A))"; |
by (rtac project_Constrains 1); |
qed "project_Stable"; |
Goal |
"(F Join project h (reachable (extend h F Join G)) G : Increasing func) = \ |
\ (extend h F Join G : Increasing (func o f))"; |
by (asm_simp_tac (simpset() addsimps [Increasing_def, project_Stable, |
extend_set_eq_Collect]) 1); |
qed "project_Increasing"; |
(** A lot of redundant theorems: all are proved to facilitate reasoning |
about guarantees. **) |
Goalw [projecting_def] |
"projecting (%G. reachable (extend h F Join G)) h F \ |
\ (extend_set h A Co extend_set h B) (A Co B)"; |
by (blast_tac (claset() addIs [project_Constrains_I]) 1); |
qed "projecting_Constrains"; |
Goalw [Stable_def] |
"projecting (%G. reachable (extend h F Join G)) h F \ |
\ (Stable (extend_set h A)) (Stable A)"; |
by (rtac projecting_Constrains 1); |
qed "projecting_Stable"; |
Goalw [projecting_def] |
"projecting (%G. reachable (extend h F Join G)) h F \ |
\ (Always (extend_set h A)) (Always A)"; |
by (blast_tac (claset() addIs [project_Always_I]) 1); |
qed "projecting_Always"; |
Goalw [projecting_def] |
"projecting (%G. reachable (extend h F Join G)) h F \ |
\ (Increasing (func o f)) (Increasing func)"; |
by (blast_tac (claset() addIs [project_Increasing_I]) 1); |
qed "projecting_Increasing"; |
Goalw [extending_def] |
"extending (%G. reachable (extend h F Join G)) h F \ |
\ (extend_set h A Co extend_set h B) (A Co B)"; |
by (blast_tac (claset() addIs [project_Constrains_D]) 1); |
qed "extending_Constrains"; |
Goalw [extending_def] |
"extending (%G. reachable (extend h F Join G)) h F \ |
\ (Stable (extend_set h A)) (Stable A)"; |
by (blast_tac (claset() addIs [project_Stable_D]) 1); |
qed "extending_Stable"; |
Goalw [extending_def] |
"extending (%G. reachable (extend h F Join G)) h F \ |
\ (Always (extend_set h A)) (Always A)"; |
by (blast_tac (claset() addIs [project_Always_D]) 1); |
qed "extending_Always"; |
Goalw [extending_def] |
"extending (%G. reachable (extend h F Join G)) h F \ |
\ (Increasing (func o f)) (Increasing func)"; |
by (blast_tac (claset() addIs [project_Increasing_D]) 1); |
qed "extending_Increasing"; |
(*** leadsETo in the precondition (??) ***) |
(** transient **) |
Goalw [transient_def] |
"[| G : transient (C Int extend_set h A); G : stable C |] \ |
\ ==> project h C G : transient (project_set h C Int A)"; |
by (auto_tac (claset(), simpset() addsimps [Domain_project_act])); |
by (subgoal_tac "act ^^ (C Int extend_set h A) <= - extend_set h A" 1); |
by (asm_full_simp_tac |
(simpset() addsimps [stable_def, constrains_def]) 2); |
by (Blast_tac 2); |
(*back to main goal*) |
by (thin_tac "?AA <= -C Un ?BB" 1); |
by (ball_tac 1); |
by (asm_full_simp_tac |
(simpset() addsimps [extend_set_def, project_act_def]) 1); |
by (Blast_tac 1); |
qed "transient_extend_set_imp_project_transient"; |
(*converse might hold too?*) |
Goalw [transient_def] |
"project h C (extend h F) : transient (project_set h C Int D) \ |
\ ==> F : transient (project_set h C Int D)"; |
by (auto_tac (claset(), simpset() addsimps [Domain_project_act])); |
by (rtac bexI 1); |
by (assume_tac 2); |
by Auto_tac; |
by (rewtac extend_act_def); |
by (Blast_tac 1); |
qed "project_extend_transient_D"; |
(** ensures -- a primitive combining progress with safety **) |
(*Used to prove project_leadsETo_I*) |
Goal "[| extend h F : stable C; G : stable C; \ |
\ extend h F Join G : A ensures B; A-B = C Int extend_set h D |] \ |
\ ==> F Join project h C G \ |
\ : (project_set h C Int project_set h A) ensures (project_set h B)"; |
by (asm_full_simp_tac |
(simpset() addsimps [ensures_def, project_constrains, |
Join_transient, extend_transient]) 1); |
by (Clarify_tac 1); |
by (REPEAT_FIRST (rtac conjI)); |
(*first subgoal*) |
by (blast_tac (claset() addIs [extend_stable_project_set RS stableD RS |
constrains_Int RS constrains_weaken] |
addSDs [extend_constrains_project_set] |
addSDs [equalityD1]) 1); |
(*2nd subgoal*) |
by (etac (stableD RS constrains_Int RS constrains_weaken) 1); |
by (assume_tac 1); |
by (Blast_tac 3); |
by (full_simp_tac (simpset() addsimps [extend_set_Int_distrib, |
extend_set_Un_distrib]) 2); |
by (blast_tac (claset() addSIs [impOfSubs extend_set_project_set]) 2); |
by (full_simp_tac (simpset() addsimps [extend_set_def]) 1); |
by (Blast_tac 1); |
(*The transient part*) |
by Auto_tac; |
by (force_tac (claset() addSDs [equalityD1] |
addIs [transient_extend_set_imp_project_transient RS |
transient_strengthen], |
simpset()) 2); |
by (full_simp_tac (simpset() addsimps [Int_Diff]) 1); |
by (force_tac (claset() addSDs [equalityD1] |
addIs [transient_extend_set_imp_project_transient RS |
project_extend_transient_D RS transient_strengthen], |
simpset()) 1); |
qed "ensures_extend_set_imp_project_ensures"; |
(*Used to prove project_leadsETo_D*) |
Goal "[| project h C G ~: transient (A-B) | A<=B; \ |
\ extend h F Join G : stable C; \ |
\ F Join project h C G : A ensures B |] \ |
\ ==> extend h F Join G : (C Int extend_set h A) ensures (extend_set h B)"; |
by (etac disjE 1); |
by (blast_tac (claset() addIs [subset_imp_ensures]) 2); |
by (auto_tac (claset() addDs [extend_transient RS iffD2] |
addIs [transient_strengthen, project_set_I, |
project_unless RS unlessD, unlessI, |
project_extend_constrains_I], |
simpset() addsimps [ensures_def, Join_transient])); |
qed_spec_mp "Join_project_ensures"; |
(** Lemma useful for both STRONG and WEAK progress, but the transient |
condition's very strong **) |
(*The strange induction formula allows induction over the leadsTo |
assumption's non-atomic precondition*) |
Goal "[| ALL D. project h C G : transient D --> D={}; \ |
\ extend h F Join G : stable C; \ |
\ F Join project h C G : (project_set h C Int A) leadsTo B |] \ |
\ ==> extend h F Join G : \ |
\ C Int extend_set h (project_set h C Int A) leadsTo (extend_set h B)"; |
by (etac leadsTo_induct 1); |
by (asm_simp_tac (simpset() delsimps UN_simps |
addsimps [Int_UN_distrib, leadsTo_UN, extend_set_Union]) 3); |
by (blast_tac (claset() addIs [psp_stable2 RS leadsTo_weaken_L, |
leadsTo_Trans]) 2); |
by (blast_tac (claset() addIs [leadsTo_Basis, Join_project_ensures]) 1); |
val lemma = result(); |
Goal "[| ALL D. project h C G : transient D --> D={}; \ |
\ extend h F Join G : stable C; \ |
\ F Join project h C G : (project_set h C Int A) leadsTo B |] \ |
\ ==> extend h F Join G : (C Int extend_set h A) leadsTo (extend_set h B)"; |
by (rtac (lemma RS leadsTo_weaken) 1); |
by (auto_tac (claset(), simpset() addsimps [split_extended_all])); |
qed "project_leadsTo_D_lemma"; |
Goal "[| C = (reachable (extend h F Join G)); \ |
\ ALL D. project h C G : transient D --> D={}; \ |
\ F Join project h C G : A LeadsTo B |] \ |
\ ==> extend h F Join G : (extend_set h A) LeadsTo (extend_set h B)"; |
by (asm_full_simp_tac |
(simpset_of SubstAx.thy addsimps [LeadsTo_def, project_leadsTo_D_lemma, |
project_set_reachable_extend_eq]) 1); |
qed "Join_project_LeadsTo"; |
(*** Towards project_Ensures_D ***) |
Goalw [project_set_def, extend_set_def, project_act_def] |
"act ^^ (C Int extend_set h A) <= B \ |
\ ==> project_act h (Restrict C act) ^^ (project_set h C Int A) \ |
\ <= project_set h B"; |
by (Blast_tac 1); |
qed "act_subset_imp_project_act_subset"; |
(*This trivial proof is the complementation part of transferring a transient |
property upwards. The hard part would be to |
show that G's action has a big enough domain.*) |
Goal "[| act: Acts G; \ |
\ (project_act h (Restrict C act))^^ \ |
\ (project_set h C Int A - B) <= -(project_set h C Int A - B) |] \ |
\ ==> act^^(C Int extend_set h A - extend_set h B) \ |
\ <= -(C Int extend_set h A - extend_set h B)"; |
by (auto_tac (claset(), |
simpset() addsimps [project_set_def, extend_set_def, project_act_def])); |
result(); |
Goal "[| G : stable ((C Int extend_set h A) - (extend_set h B)); \ |
\ project h C G : transient (project_set h C Int A - B) |] \ |
\ ==> (C Int extend_set h A) - extend_set h B = {}"; |
by (auto_tac (claset(), |
simpset() addsimps [transient_def, subset_Compl_self_eq, |
Domain_project_act, split_extended_all])); |
by (Blast_tac 1); |
by (auto_tac (claset(), |
simpset() addsimps [stable_def, constrains_def])); |
by (ball_tac 1); |
by (auto_tac (claset(), |
simpset() addsimps [Int_Diff, |
extend_set_Diff_distrib RS sym])); |
by (dtac act_subset_imp_project_act_subset 1); |
by (subgoal_tac |
"project_act h (Restrict C act) ^^ (project_set h C Int (A - B)) = {}" 1); |
by (REPEAT (thin_tac "?r^^?A <= ?B" 1)); |
by (rewrite_goals_tac [project_set_def, extend_set_def, project_act_def]); |
by (Blast_tac 2); |
by (rtac ccontr 1); |
by (dtac subsetD 1); |
by (Blast_tac 1); |
by (force_tac (claset(), simpset() addsimps [split_extended_all]) 1); |
qed "stable_project_transient"; |
Goal "[| G : stable C; project h C G : (project_set h C Int A) unless B |] \ |
\ ==> G : (C Int extend_set h A) unless (extend_set h B)"; |
by (auto_tac |
(claset() addDs [stable_constrains_Int] |
addIs [constrains_weaken], |
simpset() addsimps [unless_def, project_constrains, Diff_eq, |
Int_assoc, Int_extend_set_lemma])); |
qed_spec_mp "project_unless2"; |
Goal "[| G : stable ((C Int extend_set h A) - (extend_set h B)); \ |
\ F Join project h C G : (project_set h C Int A) ensures B; \ |
\ extend h F Join G : stable C |] \ |
\ ==> extend h F Join G : (C Int extend_set h A) ensures (extend_set h B)"; |
(*unless*) |
by (auto_tac (claset() addSIs [rewrite_rule [unless_def] project_unless2] |
addIs [project_extend_constrains_I], |
simpset() addsimps [ensures_def])); |
(*transient*) |
(*A G-action cannot occur*) |
by (force_tac (claset() addDs [stable_project_transient], |
simpset() delsimps [Diff_eq_empty_iff] |
addsimps [Diff_eq_empty_iff RS sym]) 2); |
(*An F-action*) |
by (force_tac (claset() addSEs [extend_transient RS iffD2 RS |
transient_strengthen], |
simpset() addsimps [split_extended_all]) 1); |
qed "project_ensures_D_lemma"; |
Goal "[| F Join project h UNIV G : A ensures B; \ |
\ G : stable (extend_set h A - extend_set h B) |] \ |
\ ==> extend h F Join G : (extend_set h A) ensures (extend_set h B)"; |
by (rtac (project_ensures_D_lemma RS revcut_rl) 1); |
by (stac stable_UNIV 3); |
by Auto_tac; |
qed "project_ensures_D"; |
Goalw [Ensures_def] |
"[| F Join project h (reachable (extend h F Join G)) G : A Ensures B; \ |
\ G : stable (reachable (extend h F Join G) Int extend_set h A - \ |
\ extend_set h B) |] \ |
\ ==> extend h F Join G : (extend_set h A) Ensures (extend_set h B)"; |
by (rtac (project_ensures_D_lemma RS revcut_rl) 1); |
by (auto_tac (claset(), |
simpset() addsimps [project_set_reachable_extend_eq RS sym])); |
qed "project_Ensures_D"; |
(*** Guarantees ***) |
Goal "project_act h (Restrict C act) <= project_act h act"; |
by (auto_tac (claset(), simpset() addsimps [project_act_def])); |
qed "project_act_Restrict_subset_project_act"; |
Goal "[| extend h F ok G; subset_closed (AllowedActs F) |] \ |
\ ==> F ok project h C G"; |
by (auto_tac (claset(), simpset() addsimps [ok_def])); |
by (dtac subsetD 1); |
by (Blast_tac 1); |
by (force_tac (claset() addSIs [rev_image_eqI], simpset()) 1); |
by (cut_facts_tac [project_act_Restrict_subset_project_act] 1); |
by (auto_tac (claset(), simpset() addsimps [subset_closed_def])); |
qed "subset_closed_ok_extend_imp_ok_project"; |
(*Weak precondition and postcondition |
Not clear that it has a converse [or that we want one!]*) |
(*The raw version; 3rd premise could be weakened by adding the |
precondition extend h F Join G : X' *) |
val [xguary,closed,project,extend] = |
Goal "[| F : X guarantees Y; subset_closed (AllowedActs F); \ |
\ !!G. extend h F Join G : X' ==> F Join project h (C G) G : X; \ |
\ !!G. [| F Join project h (C G) G : Y |] \ |
\ ==> extend h F Join G : Y' |] \ |
\ ==> extend h F : X' guarantees Y'"; |
by (rtac (xguary RS guaranteesD RS extend RS guaranteesI) 1); |
by (blast_tac (claset() addIs [closed, |
subset_closed_ok_extend_imp_ok_project]) 1); |
by (etac project 1); |
qed "project_guarantees_raw"; |
|
Goal "[| F : X guarantees Y; subset_closed (AllowedActs F); \ |
\ projecting C h F X' X; extending C h F Y' Y |] \ |
\ ==> extend h F : X' guarantees Y'"; |
by (rtac guaranteesI 1); |
by (auto_tac (claset(), |
simpset() addsimps [guaranteesD, projecting_def, |
extending_def, subset_closed_ok_extend_imp_ok_project])); |
qed "project_guarantees"; |
||
|
(*It seems that neither "guarantees" law can be proved from the other.*) |
|
||
(*** guarantees corollaries ***) |
||
(** Some could be deleted: the required versions are easy to prove **) |
|
Goal "[| F : UNIV guarantees increasing func; \ |
\ subset_closed (AllowedActs F) |] \ |
\ ==> extend h F : X' guarantees increasing (func o f)"; |
by (etac project_guarantees 1); |
by (rtac extending_increasing 3); |
by (rtac projecting_UNIV 2); |
by Auto_tac; |
qed "extend_guar_increasing"; |
||
Goal "[| F : UNIV guarantees Increasing func; \ |
\ subset_closed (AllowedActs F) |] \ |
\ ==> extend h F : X' guarantees Increasing (func o f)"; |
by (etac project_guarantees 1); |
by (rtac extending_Increasing 3); |
by (rtac projecting_UNIV 2); |
by Auto_tac; |
qed "extend_guar_Increasing"; |
||
Goal "[| F : Always A guarantees Always B; \ |
\ subset_closed (AllowedActs F) |] \ |
\ ==> extend h F \ |
\ : Always(extend_set h A) guarantees Always(extend_set h B)"; |
by (etac project_guarantees 1); |
by (rtac extending_Always 3); |
by (rtac projecting_Always 2); |
by Auto_tac; |
qed "extend_guar_Always"; |
||
Goal "[| G : preserves f; project h C G : transient D |] ==> D={}"; |
by (rtac stable_transient_empty 1); |
by (assume_tac 2); |
by (blast_tac (claset() addIs [project_preserves_id_I, |
impOfSubs preserves_id_subset_stable]) 1); |
qed "preserves_project_transient_empty"; |
|
|
(** Guarantees with a leadsTo postcondition |
THESE ARE ALL TOO WEAK because G can't affect F's variables at all**) |
|
Goal "[| F Join project h UNIV G : A leadsTo B; \ |
\ G : preserves f |] \ |
\ ==> extend h F Join G : (extend_set h A) leadsTo (extend_set h B)"; |
by (res_inst_tac [("C1", "UNIV")] |
(project_leadsTo_D_lemma RS leadsTo_weaken) 1); |
by (auto_tac (claset() addDs [preserves_project_transient_empty], |
simpset())); |
qed "project_leadsTo_D"; |
||
Goal "[| F Join project h (reachable (extend h F Join G)) G : A LeadsTo B; \ |
\ G : preserves f |] \ |
\ ==> extend h F Join G : (extend_set h A) LeadsTo (extend_set h B)"; |
by (rtac (refl RS Join_project_LeadsTo) 1); |
by (auto_tac (claset() addDs [preserves_project_transient_empty], |
simpset())); |
qed "project_LeadsTo_D"; |
||
Goalw [extending_def] |
"(ALL G. extend h F ok G --> G : preserves f) \ |
\ ==> extending (%G. UNIV) h F \ |
\ (extend_set h A leadsTo extend_set h B) (A leadsTo B)"; |
by (blast_tac (claset() addIs [project_leadsTo_D]) 1); |
qed "extending_leadsTo"; |
|
Goalw [extending_def] |
"(ALL G. extend h F ok G --> G : preserves f) \ |
\ ==> extending (%G. reachable (extend h F Join G)) h F \ |
\ (extend_set h A LeadsTo extend_set h B) (A LeadsTo B)"; |
by (blast_tac (claset() addIs [project_LeadsTo_D]) 1); |
qed "extending_LeadsTo"; |
|
Close_locale "Extend"; |