| author | wenzelm |
| Tue, 16 Jan 2018 09:30:00 +0100 | |
| changeset 67443 | 3abf6a722518 |
| parent 63146 | f1ecba0272f9 |
| child 67613 | ce654b0e6d69 |
| permissions | -rw-r--r-- |
| 37936 | 1 |
(* Title: HOL/UNITY/WFair.thy |
| 4776 | 2 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
3 |
Copyright 1998 University of Cambridge |
|
4 |
||
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
5 |
Conditional Fairness versions of transient, ensures, leadsTo. |
| 4776 | 6 |
|
7 |
From Misra, "A Logic for Concurrent Programming", 1994 |
|
8 |
*) |
|
9 |
||
| 63146 | 10 |
section\<open>Progress\<close> |
| 13798 | 11 |
|
| 16417 | 12 |
theory WFair imports UNITY begin |
| 4776 | 13 |
|
| 63146 | 14 |
text\<open>The original version of this theory was based on weak fairness. (Thus, |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
15 |
the entire UNITY development embodied this assumption, until February 2003.) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
16 |
Weak fairness states that if a command is enabled continuously, then it is |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
17 |
eventually executed. Ernie Cohen suggested that I instead adopt unconditional |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
18 |
fairness: every command is executed infinitely often. |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
19 |
|
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
20 |
In fact, Misra's paper on "Progress" seems to be ambiguous about the correct |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
21 |
interpretation, and says that the two forms of fairness are equivalent. They |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
22 |
differ only on their treatment of partial transitions, which under |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
23 |
unconditional fairness behave magically. That is because if there are partial |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
24 |
transitions then there may be no fair executions, making all leads-to |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
25 |
properties hold vacuously. |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
26 |
|
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
27 |
Unconditional fairness has some great advantages. By distinguishing partial |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
28 |
transitions from total ones that are the identity on part of their domain, it |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
29 |
is more expressive. Also, by simplifying the definition of the transient |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
30 |
property, it simplifies many proofs. A drawback is that some laws only hold |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
31 |
under the assumption that all transitions are total. The best-known of these |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
32 |
is the impossibility law for leads-to. |
| 63146 | 33 |
\<close> |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
34 |
|
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
35 |
definition |
| 4776 | 36 |
|
|
67443
3abf6a722518
standardized towards new-style formal comments: isabelle update_comments;
wenzelm
parents:
63146
diff
changeset
|
37 |
\<comment> \<open>This definition specifies conditional fairness. The rest of the theory |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
38 |
is generic to all forms of fairness. To get weak fairness, conjoin |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
39 |
the inclusion below with @{term "A \<subseteq> Domain act"}, which specifies
|
| 63146 | 40 |
that the action is enabled over all of @{term A}.\<close>
|
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
41 |
transient :: "'a set => 'a program set" where |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
42 |
"transient A == {F. \<exists>act\<in>Acts F. act``A \<subseteq> -A}"
|
| 4776 | 43 |
|
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
44 |
definition |
|
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
45 |
ensures :: "['a set, 'a set] => 'a program set" (infixl "ensures" 60) where |
| 13805 | 46 |
"A ensures B == (A-B co A \<union> B) \<inter> transient (A-B)" |
| 8006 | 47 |
|
| 6536 | 48 |
|
| 23767 | 49 |
inductive_set |
|
6801
9e0037839d63
renamed the underlying relation of leadsTo from "leadsto"
paulson
parents:
6536
diff
changeset
|
50 |
leads :: "'a program => ('a set * 'a set) set"
|
|
67443
3abf6a722518
standardized towards new-style formal comments: isabelle update_comments;
wenzelm
parents:
63146
diff
changeset
|
51 |
\<comment> \<open>LEADS-TO constant for the inductive definition\<close> |
| 23767 | 52 |
for F :: "'a program" |
53 |
where |
|
| 4776 | 54 |
|
| 13805 | 55 |
Basis: "F \<in> A ensures B ==> (A,B) \<in> leads F" |
| 4776 | 56 |
|
| 23767 | 57 |
| Trans: "[| (A,B) \<in> leads F; (B,C) \<in> leads F |] ==> (A,C) \<in> leads F" |
| 4776 | 58 |
|
| 23767 | 59 |
| Union: "\<forall>A \<in> S. (A,B) \<in> leads F ==> (Union S, B) \<in> leads F" |
| 4776 | 60 |
|
| 5155 | 61 |
|
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
62 |
definition leadsTo :: "['a set, 'a set] => 'a program set" (infixl "leadsTo" 60) where |
|
67443
3abf6a722518
standardized towards new-style formal comments: isabelle update_comments;
wenzelm
parents:
63146
diff
changeset
|
63 |
\<comment> \<open>visible version of the LEADS-TO relation\<close> |
| 13805 | 64 |
"A leadsTo B == {F. (A,B) \<in> leads F}"
|
| 5648 | 65 |
|
|
35416
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
haftmann
parents:
32693
diff
changeset
|
66 |
definition wlt :: "['a program, 'a set] => 'a set" where |
|
67443
3abf6a722518
standardized towards new-style formal comments: isabelle update_comments;
wenzelm
parents:
63146
diff
changeset
|
67 |
\<comment> \<open>predicate transformer: the largest set that leads to @{term B}\<close>
|
| 61952 | 68 |
"wlt F B == \<Union>{A. F \<in> A leadsTo B}"
|
| 4776 | 69 |
|
| 60773 | 70 |
notation leadsTo (infixl "\<longmapsto>" 60) |
| 13797 | 71 |
|
72 |
||
| 63146 | 73 |
subsection\<open>transient\<close> |
| 13797 | 74 |
|
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
75 |
lemma stable_transient: |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
76 |
"[| F \<in> stable A; F \<in> transient A |] ==> \<exists>act\<in>Acts F. A \<subseteq> - (Domain act)" |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
77 |
apply (simp add: stable_def constrains_def transient_def, clarify) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
78 |
apply (rule rev_bexI, auto) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
79 |
done |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
80 |
|
| 13797 | 81 |
lemma stable_transient_empty: |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
82 |
"[| F \<in> stable A; F \<in> transient A; all_total F |] ==> A = {}"
|
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
83 |
apply (drule stable_transient, assumption) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
84 |
apply (simp add: all_total_def) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
85 |
done |
| 13797 | 86 |
|
87 |
lemma transient_strengthen: |
|
| 13805 | 88 |
"[| F \<in> transient A; B \<subseteq> A |] ==> F \<in> transient B" |
| 13797 | 89 |
apply (unfold transient_def, clarify) |
90 |
apply (blast intro!: rev_bexI) |
|
91 |
done |
|
92 |
||
93 |
lemma transientI: |
|
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
94 |
"[| act: Acts F; act``A \<subseteq> -A |] ==> F \<in> transient A" |
| 13797 | 95 |
by (unfold transient_def, blast) |
96 |
||
97 |
lemma transientE: |
|
| 13805 | 98 |
"[| F \<in> transient A; |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
99 |
!!act. [| act: Acts F; act``A \<subseteq> -A |] ==> P |] |
| 13797 | 100 |
==> P" |
101 |
by (unfold transient_def, blast) |
|
102 |
||
103 |
lemma transient_empty [simp]: "transient {} = UNIV"
|
|
104 |
by (unfold transient_def, auto) |
|
105 |
||
106 |
||
| 63146 | 107 |
text\<open>This equation recovers the notion of weak fairness. A totalized |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
108 |
program satisfies a transient assertion just if the original program |
| 63146 | 109 |
contains a suitable action that is also enabled.\<close> |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
110 |
lemma totalize_transient_iff: |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
111 |
"(totalize F \<in> transient A) = (\<exists>act\<in>Acts F. A \<subseteq> Domain act & act``A \<subseteq> -A)" |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
112 |
apply (simp add: totalize_def totalize_act_def transient_def |
| 32693 | 113 |
Un_Image, safe) |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
114 |
apply (blast intro!: rev_bexI)+ |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
115 |
done |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
116 |
|
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
117 |
lemma totalize_transientI: |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
118 |
"[| act: Acts F; A \<subseteq> Domain act; act``A \<subseteq> -A |] |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
119 |
==> totalize F \<in> transient A" |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
120 |
by (simp add: totalize_transient_iff, blast) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
121 |
|
| 63146 | 122 |
subsection\<open>ensures\<close> |
| 13797 | 123 |
|
124 |
lemma ensuresI: |
|
| 13805 | 125 |
"[| F \<in> (A-B) co (A \<union> B); F \<in> transient (A-B) |] ==> F \<in> A ensures B" |
| 13797 | 126 |
by (unfold ensures_def, blast) |
127 |
||
128 |
lemma ensuresD: |
|
| 13805 | 129 |
"F \<in> A ensures B ==> F \<in> (A-B) co (A \<union> B) & F \<in> transient (A-B)" |
| 13797 | 130 |
by (unfold ensures_def, blast) |
131 |
||
132 |
lemma ensures_weaken_R: |
|
| 13805 | 133 |
"[| F \<in> A ensures A'; A'<=B' |] ==> F \<in> A ensures B'" |
| 13797 | 134 |
apply (unfold ensures_def) |
135 |
apply (blast intro: constrains_weaken transient_strengthen) |
|
136 |
done |
|
137 |
||
| 63146 | 138 |
text\<open>The L-version (precondition strengthening) fails, but we have this\<close> |
| 13797 | 139 |
lemma stable_ensures_Int: |
| 13805 | 140 |
"[| F \<in> stable C; F \<in> A ensures B |] |
141 |
==> F \<in> (C \<inter> A) ensures (C \<inter> B)" |
|
| 13797 | 142 |
apply (unfold ensures_def) |
143 |
apply (auto simp add: ensures_def Int_Un_distrib [symmetric] Diff_Int_distrib [symmetric]) |
|
144 |
prefer 2 apply (blast intro: transient_strengthen) |
|
145 |
apply (blast intro: stable_constrains_Int constrains_weaken) |
|
146 |
done |
|
147 |
||
148 |
lemma stable_transient_ensures: |
|
| 13805 | 149 |
"[| F \<in> stable A; F \<in> transient C; A \<subseteq> B \<union> C |] ==> F \<in> A ensures B" |
| 13797 | 150 |
apply (simp add: ensures_def stable_def) |
151 |
apply (blast intro: constrains_weaken transient_strengthen) |
|
152 |
done |
|
153 |
||
| 13805 | 154 |
lemma ensures_eq: "(A ensures B) = (A unless B) \<inter> transient (A-B)" |
| 13797 | 155 |
by (simp (no_asm) add: ensures_def unless_def) |
156 |
||
157 |
||
| 63146 | 158 |
subsection\<open>leadsTo\<close> |
| 13797 | 159 |
|
| 13805 | 160 |
lemma leadsTo_Basis [intro]: "F \<in> A ensures B ==> F \<in> A leadsTo B" |
| 13797 | 161 |
apply (unfold leadsTo_def) |
162 |
apply (blast intro: leads.Basis) |
|
163 |
done |
|
164 |
||
165 |
lemma leadsTo_Trans: |
|
| 13805 | 166 |
"[| F \<in> A leadsTo B; F \<in> B leadsTo C |] ==> F \<in> A leadsTo C" |
| 13797 | 167 |
apply (unfold leadsTo_def) |
168 |
apply (blast intro: leads.Trans) |
|
169 |
done |
|
170 |
||
| 14112 | 171 |
lemma leadsTo_Basis': |
172 |
"[| F \<in> A co A \<union> B; F \<in> transient A |] ==> F \<in> A leadsTo B" |
|
173 |
apply (drule_tac B = "A-B" in constrains_weaken_L) |
|
174 |
apply (drule_tac [2] B = "A-B" in transient_strengthen) |
|
175 |
apply (rule_tac [3] ensuresI [THEN leadsTo_Basis]) |
|
176 |
apply (blast+) |
|
177 |
done |
|
178 |
||
| 13805 | 179 |
lemma transient_imp_leadsTo: "F \<in> transient A ==> F \<in> A leadsTo (-A)" |
| 13797 | 180 |
by (simp (no_asm_simp) add: leadsTo_Basis ensuresI Compl_partition) |
181 |
||
| 63146 | 182 |
text\<open>Useful with cancellation, disjunction\<close> |
| 13805 | 183 |
lemma leadsTo_Un_duplicate: "F \<in> A leadsTo (A' \<union> A') ==> F \<in> A leadsTo A'" |
| 13797 | 184 |
by (simp add: Un_ac) |
185 |
||
186 |
lemma leadsTo_Un_duplicate2: |
|
| 13805 | 187 |
"F \<in> A leadsTo (A' \<union> C \<union> C) ==> F \<in> A leadsTo (A' \<union> C)" |
| 13797 | 188 |
by (simp add: Un_ac) |
189 |
||
| 63146 | 190 |
text\<open>The Union introduction rule as we should have liked to state it\<close> |
| 13797 | 191 |
lemma leadsTo_Union: |
| 61952 | 192 |
"(!!A. A \<in> S ==> F \<in> A leadsTo B) ==> F \<in> (\<Union>S) leadsTo B" |
| 13797 | 193 |
apply (unfold leadsTo_def) |
194 |
apply (blast intro: leads.Union) |
|
195 |
done |
|
196 |
||
197 |
lemma leadsTo_Union_Int: |
|
| 61952 | 198 |
"(!!A. A \<in> S ==> F \<in> (A \<inter> C) leadsTo B) ==> F \<in> (\<Union>S \<inter> C) leadsTo B" |
| 13797 | 199 |
apply (unfold leadsTo_def) |
200 |
apply (simp only: Int_Union_Union) |
|
201 |
apply (blast intro: leads.Union) |
|
202 |
done |
|
203 |
||
204 |
lemma leadsTo_UN: |
|
| 13805 | 205 |
"(!!i. i \<in> I ==> F \<in> (A i) leadsTo B) ==> F \<in> (\<Union>i \<in> I. A i) leadsTo B" |
| 13797 | 206 |
apply (blast intro: leadsTo_Union) |
207 |
done |
|
208 |
||
| 63146 | 209 |
text\<open>Binary union introduction rule\<close> |
| 13797 | 210 |
lemma leadsTo_Un: |
| 13805 | 211 |
"[| F \<in> A leadsTo C; F \<in> B leadsTo C |] ==> F \<in> (A \<union> B) leadsTo C" |
| 44106 | 212 |
using leadsTo_Union [of "{A, B}" F C] by auto
|
| 13797 | 213 |
|
214 |
lemma single_leadsTo_I: |
|
| 13805 | 215 |
"(!!x. x \<in> A ==> F \<in> {x} leadsTo B) ==> F \<in> A leadsTo B"
|
| 13797 | 216 |
by (subst UN_singleton [symmetric], rule leadsTo_UN, blast) |
217 |
||
218 |
||
| 63146 | 219 |
text\<open>The INDUCTION rule as we should have liked to state it\<close> |
| 13797 | 220 |
lemma leadsTo_induct: |
| 13805 | 221 |
"[| F \<in> za leadsTo zb; |
222 |
!!A B. F \<in> A ensures B ==> P A B; |
|
223 |
!!A B C. [| F \<in> A leadsTo B; P A B; F \<in> B leadsTo C; P B C |] |
|
| 13797 | 224 |
==> P A C; |
| 61952 | 225 |
!!B S. \<forall>A \<in> S. F \<in> A leadsTo B & P A B ==> P (\<Union>S) B |
| 13797 | 226 |
|] ==> P za zb" |
227 |
apply (unfold leadsTo_def) |
|
228 |
apply (drule CollectD, erule leads.induct) |
|
229 |
apply (blast+) |
|
230 |
done |
|
231 |
||
232 |
||
| 13805 | 233 |
lemma subset_imp_ensures: "A \<subseteq> B ==> F \<in> A ensures B" |
| 13797 | 234 |
by (unfold ensures_def constrains_def transient_def, blast) |
235 |
||
| 45605 | 236 |
lemmas subset_imp_leadsTo = subset_imp_ensures [THEN leadsTo_Basis] |
| 13797 | 237 |
|
| 45605 | 238 |
lemmas leadsTo_refl = subset_refl [THEN subset_imp_leadsTo] |
| 13797 | 239 |
|
| 45605 | 240 |
lemmas empty_leadsTo = empty_subsetI [THEN subset_imp_leadsTo, simp] |
| 13797 | 241 |
|
| 45605 | 242 |
lemmas leadsTo_UNIV = subset_UNIV [THEN subset_imp_leadsTo, simp] |
| 13797 | 243 |
|
244 |
||
245 |
||
246 |
(** Variant induction rule: on the preconditions for B **) |
|
247 |
||
| 63146 | 248 |
text\<open>Lemma is the weak version: can't see how to do it in one step\<close> |
| 13797 | 249 |
lemma leadsTo_induct_pre_lemma: |
| 13805 | 250 |
"[| F \<in> za leadsTo zb; |
| 13797 | 251 |
P zb; |
| 13805 | 252 |
!!A B. [| F \<in> A ensures B; P B |] ==> P A; |
| 61952 | 253 |
!!S. \<forall>A \<in> S. P A ==> P (\<Union>S) |
| 13797 | 254 |
|] ==> P za" |
| 63146 | 255 |
txt\<open>by induction on this formula\<close> |
| 13797 | 256 |
apply (subgoal_tac "P zb --> P za") |
| 63146 | 257 |
txt\<open>now solve first subgoal: this formula is sufficient\<close> |
| 13797 | 258 |
apply (blast intro: leadsTo_refl) |
259 |
apply (erule leadsTo_induct) |
|
260 |
apply (blast+) |
|
261 |
done |
|
262 |
||
263 |
lemma leadsTo_induct_pre: |
|
| 13805 | 264 |
"[| F \<in> za leadsTo zb; |
| 13797 | 265 |
P zb; |
| 13805 | 266 |
!!A B. [| F \<in> A ensures B; F \<in> B leadsTo zb; P B |] ==> P A; |
| 61952 | 267 |
!!S. \<forall>A \<in> S. F \<in> A leadsTo zb & P A ==> P (\<Union>S) |
| 13797 | 268 |
|] ==> P za" |
| 13805 | 269 |
apply (subgoal_tac "F \<in> za leadsTo zb & P za") |
| 13797 | 270 |
apply (erule conjunct2) |
271 |
apply (erule leadsTo_induct_pre_lemma) |
|
272 |
prefer 3 apply (blast intro: leadsTo_Union) |
|
273 |
prefer 2 apply (blast intro: leadsTo_Trans) |
|
274 |
apply (blast intro: leadsTo_refl) |
|
275 |
done |
|
276 |
||
277 |
||
| 13805 | 278 |
lemma leadsTo_weaken_R: "[| F \<in> A leadsTo A'; A'<=B' |] ==> F \<in> A leadsTo B'" |
| 13797 | 279 |
by (blast intro: subset_imp_leadsTo leadsTo_Trans) |
280 |
||
| 45477 | 281 |
lemma leadsTo_weaken_L: |
| 13805 | 282 |
"[| F \<in> A leadsTo A'; B \<subseteq> A |] ==> F \<in> B leadsTo A'" |
| 13797 | 283 |
by (blast intro: leadsTo_Trans subset_imp_leadsTo) |
284 |
||
| 63146 | 285 |
text\<open>Distributes over binary unions\<close> |
| 13797 | 286 |
lemma leadsTo_Un_distrib: |
| 13805 | 287 |
"F \<in> (A \<union> B) leadsTo C = (F \<in> A leadsTo C & F \<in> B leadsTo C)" |
| 13797 | 288 |
by (blast intro: leadsTo_Un leadsTo_weaken_L) |
289 |
||
290 |
lemma leadsTo_UN_distrib: |
|
| 13805 | 291 |
"F \<in> (\<Union>i \<in> I. A i) leadsTo B = (\<forall>i \<in> I. F \<in> (A i) leadsTo B)" |
| 13797 | 292 |
by (blast intro: leadsTo_UN leadsTo_weaken_L) |
293 |
||
294 |
lemma leadsTo_Union_distrib: |
|
| 61952 | 295 |
"F \<in> (\<Union>S) leadsTo B = (\<forall>A \<in> S. F \<in> A leadsTo B)" |
| 13797 | 296 |
by (blast intro: leadsTo_Union leadsTo_weaken_L) |
297 |
||
298 |
||
299 |
lemma leadsTo_weaken: |
|
| 13805 | 300 |
"[| F \<in> A leadsTo A'; B \<subseteq> A; A'<=B' |] ==> F \<in> B leadsTo B'" |
| 13797 | 301 |
by (blast intro: leadsTo_weaken_R leadsTo_weaken_L leadsTo_Trans) |
302 |
||
303 |
||
| 63146 | 304 |
text\<open>Set difference: maybe combine with \<open>leadsTo_weaken_L\<close>??\<close> |
| 13797 | 305 |
lemma leadsTo_Diff: |
| 13805 | 306 |
"[| F \<in> (A-B) leadsTo C; F \<in> B leadsTo C |] ==> F \<in> A leadsTo C" |
| 13797 | 307 |
by (blast intro: leadsTo_Un leadsTo_weaken) |
308 |
||
309 |
lemma leadsTo_UN_UN: |
|
| 13805 | 310 |
"(!! i. i \<in> I ==> F \<in> (A i) leadsTo (A' i)) |
311 |
==> F \<in> (\<Union>i \<in> I. A i) leadsTo (\<Union>i \<in> I. A' i)" |
|
| 13797 | 312 |
apply (blast intro: leadsTo_Union leadsTo_weaken_R) |
313 |
done |
|
314 |
||
| 63146 | 315 |
text\<open>Binary union version\<close> |
| 13797 | 316 |
lemma leadsTo_Un_Un: |
| 13805 | 317 |
"[| F \<in> A leadsTo A'; F \<in> B leadsTo B' |] |
318 |
==> F \<in> (A \<union> B) leadsTo (A' \<union> B')" |
|
| 13797 | 319 |
by (blast intro: leadsTo_Un leadsTo_weaken_R) |
320 |
||
321 |
||
322 |
(** The cancellation law **) |
|
323 |
||
324 |
lemma leadsTo_cancel2: |
|
| 13805 | 325 |
"[| F \<in> A leadsTo (A' \<union> B); F \<in> B leadsTo B' |] |
326 |
==> F \<in> A leadsTo (A' \<union> B')" |
|
| 13797 | 327 |
by (blast intro: leadsTo_Un_Un subset_imp_leadsTo leadsTo_Trans) |
328 |
||
329 |
lemma leadsTo_cancel_Diff2: |
|
| 13805 | 330 |
"[| F \<in> A leadsTo (A' \<union> B); F \<in> (B-A') leadsTo B' |] |
331 |
==> F \<in> A leadsTo (A' \<union> B')" |
|
| 13797 | 332 |
apply (rule leadsTo_cancel2) |
333 |
prefer 2 apply assumption |
|
334 |
apply (simp_all (no_asm_simp)) |
|
335 |
done |
|
336 |
||
337 |
lemma leadsTo_cancel1: |
|
| 13805 | 338 |
"[| F \<in> A leadsTo (B \<union> A'); F \<in> B leadsTo B' |] |
339 |
==> F \<in> A leadsTo (B' \<union> A')" |
|
| 13797 | 340 |
apply (simp add: Un_commute) |
341 |
apply (blast intro!: leadsTo_cancel2) |
|
342 |
done |
|
343 |
||
344 |
lemma leadsTo_cancel_Diff1: |
|
| 13805 | 345 |
"[| F \<in> A leadsTo (B \<union> A'); F \<in> (B-A') leadsTo B' |] |
346 |
==> F \<in> A leadsTo (B' \<union> A')" |
|
| 13797 | 347 |
apply (rule leadsTo_cancel1) |
348 |
prefer 2 apply assumption |
|
349 |
apply (simp_all (no_asm_simp)) |
|
350 |
done |
|
351 |
||
352 |
||
| 63146 | 353 |
text\<open>The impossibility law\<close> |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
354 |
lemma leadsTo_empty: "[|F \<in> A leadsTo {}; all_total F|] ==> A={}"
|
| 13797 | 355 |
apply (erule leadsTo_induct_pre) |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
356 |
apply (simp_all add: ensures_def constrains_def transient_def all_total_def, clarify) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
357 |
apply (drule bspec, assumption)+ |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
358 |
apply blast |
| 13797 | 359 |
done |
360 |
||
| 63146 | 361 |
subsection\<open>PSP: Progress-Safety-Progress\<close> |
| 13797 | 362 |
|
| 63146 | 363 |
text\<open>Special case of PSP: Misra's "stable conjunction"\<close> |
| 13797 | 364 |
lemma psp_stable: |
| 13805 | 365 |
"[| F \<in> A leadsTo A'; F \<in> stable B |] |
366 |
==> F \<in> (A \<inter> B) leadsTo (A' \<inter> B)" |
|
| 13797 | 367 |
apply (unfold stable_def) |
368 |
apply (erule leadsTo_induct) |
|
369 |
prefer 3 apply (blast intro: leadsTo_Union_Int) |
|
370 |
prefer 2 apply (blast intro: leadsTo_Trans) |
|
371 |
apply (rule leadsTo_Basis) |
|
372 |
apply (simp add: ensures_def Diff_Int_distrib2 [symmetric] Int_Un_distrib2 [symmetric]) |
|
373 |
apply (blast intro: transient_strengthen constrains_Int) |
|
374 |
done |
|
375 |
||
376 |
lemma psp_stable2: |
|
| 13805 | 377 |
"[| F \<in> A leadsTo A'; F \<in> stable B |] ==> F \<in> (B \<inter> A) leadsTo (B \<inter> A')" |
| 13797 | 378 |
by (simp add: psp_stable Int_ac) |
379 |
||
380 |
lemma psp_ensures: |
|
| 13805 | 381 |
"[| F \<in> A ensures A'; F \<in> B co B' |] |
382 |
==> F \<in> (A \<inter> B') ensures ((A' \<inter> B) \<union> (B' - B))" |
|
| 13797 | 383 |
apply (unfold ensures_def constrains_def, clarify) (*speeds up the proof*) |
384 |
apply (blast intro: transient_strengthen) |
|
385 |
done |
|
386 |
||
387 |
lemma psp: |
|
| 13805 | 388 |
"[| F \<in> A leadsTo A'; F \<in> B co B' |] |
389 |
==> F \<in> (A \<inter> B') leadsTo ((A' \<inter> B) \<union> (B' - B))" |
|
| 13797 | 390 |
apply (erule leadsTo_induct) |
391 |
prefer 3 apply (blast intro: leadsTo_Union_Int) |
|
| 63146 | 392 |
txt\<open>Basis case\<close> |
| 13797 | 393 |
apply (blast intro: psp_ensures) |
| 63146 | 394 |
txt\<open>Transitivity case has a delicate argument involving "cancellation"\<close> |
| 13797 | 395 |
apply (rule leadsTo_Un_duplicate2) |
396 |
apply (erule leadsTo_cancel_Diff1) |
|
397 |
apply (simp add: Int_Diff Diff_triv) |
|
398 |
apply (blast intro: leadsTo_weaken_L dest: constrains_imp_subset) |
|
399 |
done |
|
400 |
||
401 |
lemma psp2: |
|
| 13805 | 402 |
"[| F \<in> A leadsTo A'; F \<in> B co B' |] |
403 |
==> F \<in> (B' \<inter> A) leadsTo ((B \<inter> A') \<union> (B' - B))" |
|
| 13797 | 404 |
by (simp (no_asm_simp) add: psp Int_ac) |
405 |
||
406 |
lemma psp_unless: |
|
| 13805 | 407 |
"[| F \<in> A leadsTo A'; F \<in> B unless B' |] |
408 |
==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B) \<union> B')" |
|
| 13797 | 409 |
|
410 |
apply (unfold unless_def) |
|
411 |
apply (drule psp, assumption) |
|
412 |
apply (blast intro: leadsTo_weaken) |
|
413 |
done |
|
414 |
||
415 |
||
| 63146 | 416 |
subsection\<open>Proving the induction rules\<close> |
| 13797 | 417 |
|
418 |
(** The most general rule: r is any wf relation; f is any variant function **) |
|
419 |
||
420 |
lemma leadsTo_wf_induct_lemma: |
|
421 |
"[| wf r; |
|
| 13805 | 422 |
\<forall>m. F \<in> (A \<inter> f-`{m}) leadsTo
|
423 |
((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]
|
|
424 |
==> F \<in> (A \<inter> f-`{m}) leadsTo B"
|
|
| 13797 | 425 |
apply (erule_tac a = m in wf_induct) |
| 13805 | 426 |
apply (subgoal_tac "F \<in> (A \<inter> (f -` (r^-1 `` {x}))) leadsTo B")
|
| 13797 | 427 |
apply (blast intro: leadsTo_cancel1 leadsTo_Un_duplicate) |
428 |
apply (subst vimage_eq_UN) |
|
429 |
apply (simp only: UN_simps [symmetric]) |
|
430 |
apply (blast intro: leadsTo_UN) |
|
431 |
done |
|
432 |
||
433 |
||
434 |
(** Meta or object quantifier ? **) |
|
435 |
lemma leadsTo_wf_induct: |
|
436 |
"[| wf r; |
|
| 13805 | 437 |
\<forall>m. F \<in> (A \<inter> f-`{m}) leadsTo
|
438 |
((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]
|
|
439 |
==> F \<in> A leadsTo B" |
|
| 13797 | 440 |
apply (rule_tac t = A in subst) |
441 |
defer 1 |
|
442 |
apply (rule leadsTo_UN) |
|
443 |
apply (erule leadsTo_wf_induct_lemma) |
|
444 |
apply assumption |
|
445 |
apply fast (*Blast_tac: Function unknown's argument not a parameter*) |
|
446 |
done |
|
447 |
||
448 |
||
449 |
lemma bounded_induct: |
|
450 |
"[| wf r; |
|
| 13805 | 451 |
\<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) leadsTo
|
452 |
((A \<inter> f-`(r^-1 `` {m})) \<union> B) |]
|
|
453 |
==> F \<in> A leadsTo ((A - (f-`I)) \<union> B)" |
|
| 13797 | 454 |
apply (erule leadsTo_wf_induct, safe) |
| 13805 | 455 |
apply (case_tac "m \<in> I") |
| 13797 | 456 |
apply (blast intro: leadsTo_weaken) |
457 |
apply (blast intro: subset_imp_leadsTo) |
|
458 |
done |
|
459 |
||
460 |
||
| 13805 | 461 |
(*Alternative proof is via the lemma F \<in> (A \<inter> f-`(lessThan m)) leadsTo B*) |
| 13797 | 462 |
lemma lessThan_induct: |
| 15045 | 463 |
"[| !!m::nat. F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`{..<m}) \<union> B) |]
|
| 13805 | 464 |
==> F \<in> A leadsTo B" |
| 13797 | 465 |
apply (rule wf_less_than [THEN leadsTo_wf_induct]) |
466 |
apply (simp (no_asm_simp)) |
|
467 |
apply blast |
|
468 |
done |
|
469 |
||
470 |
lemma lessThan_bounded_induct: |
|
| 13805 | 471 |
"!!l::nat. [| \<forall>m \<in> greaterThan l. |
472 |
F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`(lessThan m)) \<union> B) |]
|
|
473 |
==> F \<in> A leadsTo ((A \<inter> (f-`(atMost l))) \<union> B)" |
|
| 13797 | 474 |
apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric]) |
475 |
apply (rule wf_less_than [THEN bounded_induct]) |
|
476 |
apply (simp (no_asm_simp)) |
|
477 |
done |
|
478 |
||
479 |
lemma greaterThan_bounded_induct: |
|
| 13805 | 480 |
"(!!l::nat. \<forall>m \<in> lessThan l. |
481 |
F \<in> (A \<inter> f-`{m}) leadsTo ((A \<inter> f-`(greaterThan m)) \<union> B))
|
|
482 |
==> F \<in> A leadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)" |
|
| 13797 | 483 |
apply (rule_tac f = f and f1 = "%k. l - k" |
484 |
in wf_less_than [THEN wf_inv_image, THEN leadsTo_wf_induct]) |
|
|
19769
c40ce2de2020
Added [simp]-lemmas "in_inv_image" and "in_lex_prod" in the spirit of "in_measure".
krauss
parents:
16417
diff
changeset
|
485 |
apply (simp (no_asm) add:Image_singleton) |
| 13797 | 486 |
apply clarify |
487 |
apply (case_tac "m<l") |
|
| 13805 | 488 |
apply (blast intro: leadsTo_weaken_R diff_less_mono2) |
|
61824
dcbe9f756ae0
not_leE -> not_le_imp_less and other tidying
paulson <lp15@cam.ac.uk>
parents:
60773
diff
changeset
|
489 |
apply (blast intro: not_le_imp_less subset_imp_leadsTo) |
| 13797 | 490 |
done |
491 |
||
492 |
||
| 63146 | 493 |
subsection\<open>wlt\<close> |
| 13797 | 494 |
|
| 63146 | 495 |
text\<open>Misra's property W3\<close> |
| 13805 | 496 |
lemma wlt_leadsTo: "F \<in> (wlt F B) leadsTo B" |
| 13797 | 497 |
apply (unfold wlt_def) |
498 |
apply (blast intro!: leadsTo_Union) |
|
499 |
done |
|
500 |
||
| 13805 | 501 |
lemma leadsTo_subset: "F \<in> A leadsTo B ==> A \<subseteq> wlt F B" |
| 13797 | 502 |
apply (unfold wlt_def) |
503 |
apply (blast intro!: leadsTo_Union) |
|
504 |
done |
|
505 |
||
| 63146 | 506 |
text\<open>Misra's property W2\<close> |
| 13805 | 507 |
lemma leadsTo_eq_subset_wlt: "F \<in> A leadsTo B = (A \<subseteq> wlt F B)" |
| 13797 | 508 |
by (blast intro!: leadsTo_subset wlt_leadsTo [THEN leadsTo_weaken_L]) |
509 |
||
| 63146 | 510 |
text\<open>Misra's property W4\<close> |
| 13805 | 511 |
lemma wlt_increasing: "B \<subseteq> wlt F B" |
| 13797 | 512 |
apply (simp (no_asm_simp) add: leadsTo_eq_subset_wlt [symmetric] subset_imp_leadsTo) |
513 |
done |
|
514 |
||
515 |
||
| 63146 | 516 |
text\<open>Used in the Trans case below\<close> |
| 13797 | 517 |
lemma lemma1: |
| 13805 | 518 |
"[| B \<subseteq> A2; |
519 |
F \<in> (A1 - B) co (A1 \<union> B); |
|
520 |
F \<in> (A2 - C) co (A2 \<union> C) |] |
|
521 |
==> F \<in> (A1 \<union> A2 - C) co (A1 \<union> A2 \<union> C)" |
|
| 13797 | 522 |
by (unfold constrains_def, clarify, blast) |
523 |
||
| 63146 | 524 |
text\<open>Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"\<close> |
| 13797 | 525 |
lemma leadsTo_123: |
| 13805 | 526 |
"F \<in> A leadsTo A' |
527 |
==> \<exists>B. A \<subseteq> B & F \<in> B leadsTo A' & F \<in> (B-A') co (B \<union> A')" |
|
| 13797 | 528 |
apply (erule leadsTo_induct) |
| 63146 | 529 |
txt\<open>Basis\<close> |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
530 |
apply (blast dest: ensuresD) |
| 63146 | 531 |
txt\<open>Trans\<close> |
|
13812
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
532 |
apply clarify |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
533 |
apply (rule_tac x = "Ba \<union> Bb" in exI) |
|
91713a1915ee
converting HOL/UNITY to use unconditional fairness
paulson
parents:
13805
diff
changeset
|
534 |
apply (blast intro: lemma1 leadsTo_Un_Un leadsTo_cancel1 leadsTo_Un_duplicate) |
| 63146 | 535 |
txt\<open>Union\<close> |
| 13797 | 536 |
apply (clarify dest!: ball_conj_distrib [THEN iffD1] bchoice) |
| 13805 | 537 |
apply (rule_tac x = "\<Union>A \<in> S. f A" in exI) |
| 13797 | 538 |
apply (auto intro: leadsTo_UN) |
539 |
(*Blast_tac says PROOF FAILED*) |
|
| 13805 | 540 |
apply (rule_tac I1=S and A1="%i. f i - B" and A'1="%i. f i \<union> B" |
| 13798 | 541 |
in constrains_UN [THEN constrains_weaken], auto) |
| 13797 | 542 |
done |
543 |
||
544 |
||
| 63146 | 545 |
text\<open>Misra's property W5\<close> |
| 13805 | 546 |
lemma wlt_constrains_wlt: "F \<in> (wlt F B - B) co (wlt F B)" |
| 13798 | 547 |
proof - |
548 |
from wlt_leadsTo [of F B, THEN leadsTo_123] |
|
549 |
show ?thesis |
|
550 |
proof (elim exE conjE) |
|
551 |
(* assumes have to be in exactly the form as in the goal displayed at |
|
552 |
this point. Isar doesn't give you any automation. *) |
|
553 |
fix C |
|
554 |
assume wlt: "wlt F B \<subseteq> C" |
|
555 |
and lt: "F \<in> C leadsTo B" |
|
556 |
and co: "F \<in> C - B co C \<union> B" |
|
557 |
have eq: "C = wlt F B" |
|
558 |
proof - |
|
559 |
from lt and wlt show ?thesis |
|
560 |
by (blast dest: leadsTo_eq_subset_wlt [THEN iffD1]) |
|
561 |
qed |
|
562 |
from co show ?thesis by (simp add: eq wlt_increasing Un_absorb2) |
|
563 |
qed |
|
564 |
qed |
|
| 13797 | 565 |
|
566 |
||
| 63146 | 567 |
subsection\<open>Completion: Binary and General Finite versions\<close> |
| 13797 | 568 |
|
569 |
lemma completion_lemma : |
|
| 13805 | 570 |
"[| W = wlt F (B' \<union> C); |
571 |
F \<in> A leadsTo (A' \<union> C); F \<in> A' co (A' \<union> C); |
|
572 |
F \<in> B leadsTo (B' \<union> C); F \<in> B' co (B' \<union> C) |] |
|
573 |
==> F \<in> (A \<inter> B) leadsTo ((A' \<inter> B') \<union> C)" |
|
574 |
apply (subgoal_tac "F \<in> (W-C) co (W \<union> B' \<union> C) ") |
|
| 13797 | 575 |
prefer 2 |
576 |
apply (blast intro: wlt_constrains_wlt [THEN [2] constrains_Un, |
|
577 |
THEN constrains_weaken]) |
|
| 13805 | 578 |
apply (subgoal_tac "F \<in> (W-C) co W") |
| 13797 | 579 |
prefer 2 |
580 |
apply (simp add: wlt_increasing Un_assoc Un_absorb2) |
|
| 13805 | 581 |
apply (subgoal_tac "F \<in> (A \<inter> W - C) leadsTo (A' \<inter> W \<union> C) ") |
| 13797 | 582 |
prefer 2 apply (blast intro: wlt_leadsTo psp [THEN leadsTo_weaken]) |
583 |
(** LEVEL 6 **) |
|
| 13805 | 584 |
apply (subgoal_tac "F \<in> (A' \<inter> W \<union> C) leadsTo (A' \<inter> B' \<union> C) ") |
| 13797 | 585 |
prefer 2 |
586 |
apply (rule leadsTo_Un_duplicate2) |
|
587 |
apply (blast intro: leadsTo_Un_Un wlt_leadsTo |
|
588 |
[THEN psp2, THEN leadsTo_weaken] leadsTo_refl) |
|
589 |
apply (drule leadsTo_Diff) |
|
590 |
apply (blast intro: subset_imp_leadsTo) |
|
| 13805 | 591 |
apply (subgoal_tac "A \<inter> B \<subseteq> A \<inter> W") |
| 13797 | 592 |
prefer 2 |
593 |
apply (blast dest!: leadsTo_subset intro!: subset_refl [THEN Int_mono]) |
|
594 |
apply (blast intro: leadsTo_Trans subset_imp_leadsTo) |
|
595 |
done |
|
596 |
||
597 |
lemmas completion = completion_lemma [OF refl] |
|
598 |
||
599 |
lemma finite_completion_lemma: |
|
| 13805 | 600 |
"finite I ==> (\<forall>i \<in> I. F \<in> (A i) leadsTo (A' i \<union> C)) --> |
601 |
(\<forall>i \<in> I. F \<in> (A' i) co (A' i \<union> C)) --> |
|
602 |
F \<in> (\<Inter>i \<in> I. A i) leadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" |
|
| 13797 | 603 |
apply (erule finite_induct, auto) |
604 |
apply (rule completion) |
|
605 |
prefer 4 |
|
606 |
apply (simp only: INT_simps [symmetric]) |
|
607 |
apply (rule constrains_INT, auto) |
|
608 |
done |
|
609 |
||
610 |
lemma finite_completion: |
|
611 |
"[| finite I; |
|
| 13805 | 612 |
!!i. i \<in> I ==> F \<in> (A i) leadsTo (A' i \<union> C); |
613 |
!!i. i \<in> I ==> F \<in> (A' i) co (A' i \<union> C) |] |
|
614 |
==> F \<in> (\<Inter>i \<in> I. A i) leadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" |
|
| 13797 | 615 |
by (blast intro: finite_completion_lemma [THEN mp, THEN mp]) |
616 |
||
617 |
lemma stable_completion: |
|
| 13805 | 618 |
"[| F \<in> A leadsTo A'; F \<in> stable A'; |
619 |
F \<in> B leadsTo B'; F \<in> stable B' |] |
|
620 |
==> F \<in> (A \<inter> B) leadsTo (A' \<inter> B')" |
|
| 13797 | 621 |
apply (unfold stable_def) |
622 |
apply (rule_tac C1 = "{}" in completion [THEN leadsTo_weaken_R])
|
|
623 |
apply (force+) |
|
624 |
done |
|
625 |
||
626 |
lemma finite_stable_completion: |
|
627 |
"[| finite I; |
|
| 13805 | 628 |
!!i. i \<in> I ==> F \<in> (A i) leadsTo (A' i); |
629 |
!!i. i \<in> I ==> F \<in> stable (A' i) |] |
|
630 |
==> F \<in> (\<Inter>i \<in> I. A i) leadsTo (\<Inter>i \<in> I. A' i)" |
|
| 13797 | 631 |
apply (unfold stable_def) |
632 |
apply (rule_tac C1 = "{}" in finite_completion [THEN leadsTo_weaken_R])
|
|
633 |
apply (simp_all (no_asm_simp)) |
|
634 |
apply blast+ |
|
635 |
done |
|
| 9685 | 636 |
|
| 35422 | 637 |
end |