| author | paulson |
| Fri, 31 Jan 2003 20:12:44 +0100 | |
| changeset 13798 | 4c1a53627500 |
| parent 13797 | baefae13ad37 |
| child 13805 | 3786b2fd6808 |
| permissions | -rw-r--r-- |
| 4776 | 1 |
(* Title: HOL/UNITY/WFair |
2 |
ID: $Id$ |
|
3 |
Author: Lawrence C Paulson, Cambridge University Computer Laboratory |
|
4 |
Copyright 1998 University of Cambridge |
|
5 |
||
6 |
Weak Fairness versions of transient, ensures, leadsTo. |
|
7 |
||
8 |
From Misra, "A Logic for Concurrent Programming", 1994 |
|
9 |
*) |
|
10 |
||
| 13798 | 11 |
header{*Progress under Weak Fairness*}
|
12 |
||
| 13797 | 13 |
theory WFair = UNITY: |
| 4776 | 14 |
|
15 |
constdefs |
|
16 |
||
| 5155 | 17 |
(*This definition specifies weak fairness. The rest of the theory |
18 |
is generic to all forms of fairness.*) |
|
| 5648 | 19 |
transient :: "'a set => 'a program set" |
| 10834 | 20 |
"transient A == {F. EX act: Acts F. A <= Domain act & act``A <= -A}"
|
| 4776 | 21 |
|
| 13797 | 22 |
ensures :: "['a set, 'a set] => 'a program set" (infixl "ensures" 60) |
| 8006 | 23 |
"A ensures B == (A-B co A Un B) Int transient (A-B)" |
24 |
||
| 6536 | 25 |
|
26 |
consts |
|
27 |
||
28 |
(*LEADS-TO constant for the inductive definition*) |
|
|
6801
9e0037839d63
renamed the underlying relation of leadsTo from "leadsto"
paulson
parents:
6536
diff
changeset
|
29 |
leads :: "'a program => ('a set * 'a set) set"
|
| 5648 | 30 |
|
|
6801
9e0037839d63
renamed the underlying relation of leadsTo from "leadsto"
paulson
parents:
6536
diff
changeset
|
31 |
|
|
9e0037839d63
renamed the underlying relation of leadsTo from "leadsto"
paulson
parents:
6536
diff
changeset
|
32 |
inductive "leads F" |
| 13797 | 33 |
intros |
| 4776 | 34 |
|
| 13797 | 35 |
Basis: "F : A ensures B ==> (A,B) : leads F" |
| 4776 | 36 |
|
| 13797 | 37 |
Trans: "[| (A,B) : leads F; (B,C) : leads F |] ==> (A,C) : leads F" |
| 4776 | 38 |
|
| 13797 | 39 |
Union: "ALL A: S. (A,B) : leads F ==> (Union S, B) : leads F" |
| 4776 | 40 |
|
| 5155 | 41 |
|
| 8006 | 42 |
constdefs |
| 6536 | 43 |
|
| 8006 | 44 |
(*visible version of the LEADS-TO relation*) |
| 13797 | 45 |
leadsTo :: "['a set, 'a set] => 'a program set" (infixl "leadsTo" 60) |
| 8006 | 46 |
"A leadsTo B == {F. (A,B) : leads F}"
|
| 5648 | 47 |
|
48 |
(*wlt F B is the largest set that leads to B*) |
|
49 |
wlt :: "['a program, 'a set] => 'a set" |
|
| 6536 | 50 |
"wlt F B == Union {A. F: A leadsTo B}"
|
| 4776 | 51 |
|
| 9685 | 52 |
syntax (xsymbols) |
| 13797 | 53 |
"op leadsTo" :: "['a set, 'a set] => 'a program set" (infixl "\<longmapsto>" 60) |
54 |
||
55 |
||
| 13798 | 56 |
subsection{*transient*}
|
| 13797 | 57 |
|
58 |
lemma stable_transient_empty: |
|
59 |
"[| F : stable A; F : transient A |] ==> A = {}"
|
|
60 |
by (unfold stable_def constrains_def transient_def, blast) |
|
61 |
||
62 |
lemma transient_strengthen: |
|
63 |
"[| F : transient A; B<=A |] ==> F : transient B" |
|
64 |
apply (unfold transient_def, clarify) |
|
65 |
apply (blast intro!: rev_bexI) |
|
66 |
done |
|
67 |
||
68 |
lemma transientI: |
|
69 |
"[| act: Acts F; A <= Domain act; act``A <= -A |] ==> F : transient A" |
|
70 |
by (unfold transient_def, blast) |
|
71 |
||
72 |
lemma transientE: |
|
73 |
"[| F : transient A; |
|
74 |
!!act. [| act: Acts F; A <= Domain act; act``A <= -A |] ==> P |] |
|
75 |
==> P" |
|
76 |
by (unfold transient_def, blast) |
|
77 |
||
78 |
lemma transient_UNIV [simp]: "transient UNIV = {}"
|
|
79 |
by (unfold transient_def, blast) |
|
80 |
||
81 |
lemma transient_empty [simp]: "transient {} = UNIV"
|
|
82 |
by (unfold transient_def, auto) |
|
83 |
||
84 |
||
| 13798 | 85 |
subsection{*ensures*}
|
| 13797 | 86 |
|
87 |
lemma ensuresI: |
|
88 |
"[| F : (A-B) co (A Un B); F : transient (A-B) |] ==> F : A ensures B" |
|
89 |
by (unfold ensures_def, blast) |
|
90 |
||
91 |
lemma ensuresD: |
|
92 |
"F : A ensures B ==> F : (A-B) co (A Un B) & F : transient (A-B)" |
|
93 |
by (unfold ensures_def, blast) |
|
94 |
||
95 |
lemma ensures_weaken_R: |
|
96 |
"[| F : A ensures A'; A'<=B' |] ==> F : A ensures B'" |
|
97 |
apply (unfold ensures_def) |
|
98 |
apply (blast intro: constrains_weaken transient_strengthen) |
|
99 |
done |
|
100 |
||
101 |
(*The L-version (precondition strengthening) fails, but we have this*) |
|
102 |
lemma stable_ensures_Int: |
|
103 |
"[| F : stable C; F : A ensures B |] |
|
104 |
==> F : (C Int A) ensures (C Int B)" |
|
105 |
apply (unfold ensures_def) |
|
106 |
apply (auto simp add: ensures_def Int_Un_distrib [symmetric] Diff_Int_distrib [symmetric]) |
|
107 |
prefer 2 apply (blast intro: transient_strengthen) |
|
108 |
apply (blast intro: stable_constrains_Int constrains_weaken) |
|
109 |
done |
|
110 |
||
111 |
lemma stable_transient_ensures: |
|
112 |
"[| F : stable A; F : transient C; A <= B Un C |] ==> F : A ensures B" |
|
113 |
apply (simp add: ensures_def stable_def) |
|
114 |
apply (blast intro: constrains_weaken transient_strengthen) |
|
115 |
done |
|
116 |
||
117 |
lemma ensures_eq: "(A ensures B) = (A unless B) Int transient (A-B)" |
|
118 |
by (simp (no_asm) add: ensures_def unless_def) |
|
119 |
||
120 |
||
| 13798 | 121 |
subsection{*leadsTo*}
|
| 13797 | 122 |
|
123 |
lemma leadsTo_Basis [intro]: "F : A ensures B ==> F : A leadsTo B" |
|
124 |
apply (unfold leadsTo_def) |
|
125 |
apply (blast intro: leads.Basis) |
|
126 |
done |
|
127 |
||
128 |
lemma leadsTo_Trans: |
|
129 |
"[| F : A leadsTo B; F : B leadsTo C |] ==> F : A leadsTo C" |
|
130 |
apply (unfold leadsTo_def) |
|
131 |
apply (blast intro: leads.Trans) |
|
132 |
done |
|
133 |
||
134 |
lemma transient_imp_leadsTo: "F : transient A ==> F : A leadsTo (-A)" |
|
135 |
by (simp (no_asm_simp) add: leadsTo_Basis ensuresI Compl_partition) |
|
136 |
||
137 |
(*Useful with cancellation, disjunction*) |
|
138 |
lemma leadsTo_Un_duplicate: "F : A leadsTo (A' Un A') ==> F : A leadsTo A'" |
|
139 |
by (simp add: Un_ac) |
|
140 |
||
141 |
lemma leadsTo_Un_duplicate2: |
|
142 |
"F : A leadsTo (A' Un C Un C) ==> F : A leadsTo (A' Un C)" |
|
143 |
by (simp add: Un_ac) |
|
144 |
||
145 |
(*The Union introduction rule as we should have liked to state it*) |
|
146 |
lemma leadsTo_Union: |
|
147 |
"(!!A. A : S ==> F : A leadsTo B) ==> F : (Union S) leadsTo B" |
|
148 |
apply (unfold leadsTo_def) |
|
149 |
apply (blast intro: leads.Union) |
|
150 |
done |
|
151 |
||
152 |
lemma leadsTo_Union_Int: |
|
153 |
"(!!A. A : S ==> F : (A Int C) leadsTo B) ==> F : (Union S Int C) leadsTo B" |
|
154 |
apply (unfold leadsTo_def) |
|
155 |
apply (simp only: Int_Union_Union) |
|
156 |
apply (blast intro: leads.Union) |
|
157 |
done |
|
158 |
||
159 |
lemma leadsTo_UN: |
|
160 |
"(!!i. i : I ==> F : (A i) leadsTo B) ==> F : (UN i:I. A i) leadsTo B" |
|
161 |
apply (subst Union_image_eq [symmetric]) |
|
162 |
apply (blast intro: leadsTo_Union) |
|
163 |
done |
|
164 |
||
165 |
(*Binary union introduction rule*) |
|
166 |
lemma leadsTo_Un: |
|
167 |
"[| F : A leadsTo C; F : B leadsTo C |] ==> F : (A Un B) leadsTo C" |
|
168 |
apply (subst Un_eq_Union) |
|
169 |
apply (blast intro: leadsTo_Union) |
|
170 |
done |
|
171 |
||
172 |
lemma single_leadsTo_I: |
|
173 |
"(!!x. x : A ==> F : {x} leadsTo B) ==> F : A leadsTo B"
|
|
174 |
by (subst UN_singleton [symmetric], rule leadsTo_UN, blast) |
|
175 |
||
176 |
||
177 |
(*The INDUCTION rule as we should have liked to state it*) |
|
178 |
lemma leadsTo_induct: |
|
179 |
"[| F : za leadsTo zb; |
|
180 |
!!A B. F : A ensures B ==> P A B; |
|
181 |
!!A B C. [| F : A leadsTo B; P A B; F : B leadsTo C; P B C |] |
|
182 |
==> P A C; |
|
183 |
!!B S. ALL A:S. F : A leadsTo B & P A B ==> P (Union S) B |
|
184 |
|] ==> P za zb" |
|
185 |
apply (unfold leadsTo_def) |
|
186 |
apply (drule CollectD, erule leads.induct) |
|
187 |
apply (blast+) |
|
188 |
done |
|
189 |
||
190 |
||
191 |
lemma subset_imp_ensures: "A<=B ==> F : A ensures B" |
|
192 |
by (unfold ensures_def constrains_def transient_def, blast) |
|
193 |
||
194 |
lemmas subset_imp_leadsTo = subset_imp_ensures [THEN leadsTo_Basis, standard] |
|
195 |
||
196 |
lemmas leadsTo_refl = subset_refl [THEN subset_imp_leadsTo, standard] |
|
197 |
||
198 |
lemmas empty_leadsTo = empty_subsetI [THEN subset_imp_leadsTo, standard, simp] |
|
199 |
||
200 |
lemmas leadsTo_UNIV = subset_UNIV [THEN subset_imp_leadsTo, standard, simp] |
|
201 |
||
202 |
||
203 |
||
204 |
(** Variant induction rule: on the preconditions for B **) |
|
205 |
||
206 |
(*Lemma is the weak version: can't see how to do it in one step*) |
|
207 |
lemma leadsTo_induct_pre_lemma: |
|
208 |
"[| F : za leadsTo zb; |
|
209 |
P zb; |
|
210 |
!!A B. [| F : A ensures B; P B |] ==> P A; |
|
211 |
!!S. ALL A:S. P A ==> P (Union S) |
|
212 |
|] ==> P za" |
|
213 |
(*by induction on this formula*) |
|
214 |
apply (subgoal_tac "P zb --> P za") |
|
215 |
(*now solve first subgoal: this formula is sufficient*) |
|
216 |
apply (blast intro: leadsTo_refl) |
|
217 |
apply (erule leadsTo_induct) |
|
218 |
apply (blast+) |
|
219 |
done |
|
220 |
||
221 |
lemma leadsTo_induct_pre: |
|
222 |
"[| F : za leadsTo zb; |
|
223 |
P zb; |
|
224 |
!!A B. [| F : A ensures B; F : B leadsTo zb; P B |] ==> P A; |
|
225 |
!!S. ALL A:S. F : A leadsTo zb & P A ==> P (Union S) |
|
226 |
|] ==> P za" |
|
227 |
apply (subgoal_tac "F : za leadsTo zb & P za") |
|
228 |
apply (erule conjunct2) |
|
229 |
apply (erule leadsTo_induct_pre_lemma) |
|
230 |
prefer 3 apply (blast intro: leadsTo_Union) |
|
231 |
prefer 2 apply (blast intro: leadsTo_Trans) |
|
232 |
apply (blast intro: leadsTo_refl) |
|
233 |
done |
|
234 |
||
235 |
||
236 |
lemma leadsTo_weaken_R: "[| F : A leadsTo A'; A'<=B' |] ==> F : A leadsTo B'" |
|
237 |
by (blast intro: subset_imp_leadsTo leadsTo_Trans) |
|
238 |
||
| 13798 | 239 |
lemma leadsTo_weaken_L [rule_format]: |
| 13797 | 240 |
"[| F : A leadsTo A'; B<=A |] ==> F : B leadsTo A'" |
241 |
by (blast intro: leadsTo_Trans subset_imp_leadsTo) |
|
242 |
||
243 |
(*Distributes over binary unions*) |
|
244 |
lemma leadsTo_Un_distrib: |
|
245 |
"F : (A Un B) leadsTo C = (F : A leadsTo C & F : B leadsTo C)" |
|
246 |
by (blast intro: leadsTo_Un leadsTo_weaken_L) |
|
247 |
||
248 |
lemma leadsTo_UN_distrib: |
|
249 |
"F : (UN i:I. A i) leadsTo B = (ALL i : I. F : (A i) leadsTo B)" |
|
250 |
by (blast intro: leadsTo_UN leadsTo_weaken_L) |
|
251 |
||
252 |
lemma leadsTo_Union_distrib: |
|
253 |
"F : (Union S) leadsTo B = (ALL A : S. F : A leadsTo B)" |
|
254 |
by (blast intro: leadsTo_Union leadsTo_weaken_L) |
|
255 |
||
256 |
||
257 |
lemma leadsTo_weaken: |
|
258 |
"[| F : A leadsTo A'; B<=A; A'<=B' |] ==> F : B leadsTo B'" |
|
259 |
by (blast intro: leadsTo_weaken_R leadsTo_weaken_L leadsTo_Trans) |
|
260 |
||
261 |
||
262 |
(*Set difference: maybe combine with leadsTo_weaken_L?*) |
|
263 |
lemma leadsTo_Diff: |
|
264 |
"[| F : (A-B) leadsTo C; F : B leadsTo C |] ==> F : A leadsTo C" |
|
265 |
by (blast intro: leadsTo_Un leadsTo_weaken) |
|
266 |
||
267 |
lemma leadsTo_UN_UN: |
|
268 |
"(!! i. i:I ==> F : (A i) leadsTo (A' i)) |
|
269 |
==> F : (UN i:I. A i) leadsTo (UN i:I. A' i)" |
|
270 |
apply (simp only: Union_image_eq [symmetric]) |
|
271 |
apply (blast intro: leadsTo_Union leadsTo_weaken_R) |
|
272 |
done |
|
273 |
||
274 |
(*Binary union version*) |
|
275 |
lemma leadsTo_Un_Un: |
|
276 |
"[| F : A leadsTo A'; F : B leadsTo B' |] |
|
277 |
==> F : (A Un B) leadsTo (A' Un B')" |
|
278 |
by (blast intro: leadsTo_Un leadsTo_weaken_R) |
|
279 |
||
280 |
||
281 |
(** The cancellation law **) |
|
282 |
||
283 |
lemma leadsTo_cancel2: |
|
284 |
"[| F : A leadsTo (A' Un B); F : B leadsTo B' |] |
|
285 |
==> F : A leadsTo (A' Un B')" |
|
286 |
by (blast intro: leadsTo_Un_Un subset_imp_leadsTo leadsTo_Trans) |
|
287 |
||
288 |
lemma leadsTo_cancel_Diff2: |
|
289 |
"[| F : A leadsTo (A' Un B); F : (B-A') leadsTo B' |] |
|
290 |
==> F : A leadsTo (A' Un B')" |
|
291 |
apply (rule leadsTo_cancel2) |
|
292 |
prefer 2 apply assumption |
|
293 |
apply (simp_all (no_asm_simp)) |
|
294 |
done |
|
295 |
||
296 |
lemma leadsTo_cancel1: |
|
297 |
"[| F : A leadsTo (B Un A'); F : B leadsTo B' |] |
|
298 |
==> F : A leadsTo (B' Un A')" |
|
299 |
apply (simp add: Un_commute) |
|
300 |
apply (blast intro!: leadsTo_cancel2) |
|
301 |
done |
|
302 |
||
303 |
lemma leadsTo_cancel_Diff1: |
|
304 |
"[| F : A leadsTo (B Un A'); F : (B-A') leadsTo B' |] |
|
305 |
==> F : A leadsTo (B' Un A')" |
|
306 |
apply (rule leadsTo_cancel1) |
|
307 |
prefer 2 apply assumption |
|
308 |
apply (simp_all (no_asm_simp)) |
|
309 |
done |
|
310 |
||
311 |
||
312 |
||
313 |
(** The impossibility law **) |
|
314 |
||
315 |
lemma leadsTo_empty: "F : A leadsTo {} ==> A={}"
|
|
316 |
apply (erule leadsTo_induct_pre) |
|
317 |
apply (simp_all add: ensures_def constrains_def transient_def, blast) |
|
318 |
done |
|
319 |
||
320 |
||
321 |
(** PSP: Progress-Safety-Progress **) |
|
322 |
||
323 |
(*Special case of PSP: Misra's "stable conjunction"*) |
|
324 |
lemma psp_stable: |
|
325 |
"[| F : A leadsTo A'; F : stable B |] |
|
326 |
==> F : (A Int B) leadsTo (A' Int B)" |
|
327 |
apply (unfold stable_def) |
|
328 |
apply (erule leadsTo_induct) |
|
329 |
prefer 3 apply (blast intro: leadsTo_Union_Int) |
|
330 |
prefer 2 apply (blast intro: leadsTo_Trans) |
|
331 |
apply (rule leadsTo_Basis) |
|
332 |
apply (simp add: ensures_def Diff_Int_distrib2 [symmetric] Int_Un_distrib2 [symmetric]) |
|
333 |
apply (blast intro: transient_strengthen constrains_Int) |
|
334 |
done |
|
335 |
||
336 |
lemma psp_stable2: |
|
337 |
"[| F : A leadsTo A'; F : stable B |] ==> F : (B Int A) leadsTo (B Int A')" |
|
338 |
by (simp add: psp_stable Int_ac) |
|
339 |
||
340 |
lemma psp_ensures: |
|
341 |
"[| F : A ensures A'; F : B co B' |] |
|
342 |
==> F : (A Int B') ensures ((A' Int B) Un (B' - B))" |
|
343 |
apply (unfold ensures_def constrains_def, clarify) (*speeds up the proof*) |
|
344 |
apply (blast intro: transient_strengthen) |
|
345 |
done |
|
346 |
||
347 |
lemma psp: |
|
348 |
"[| F : A leadsTo A'; F : B co B' |] |
|
349 |
==> F : (A Int B') leadsTo ((A' Int B) Un (B' - B))" |
|
350 |
apply (erule leadsTo_induct) |
|
351 |
prefer 3 apply (blast intro: leadsTo_Union_Int) |
|
352 |
txt{*Basis case*}
|
|
353 |
apply (blast intro: psp_ensures) |
|
354 |
txt{*Transitivity case has a delicate argument involving "cancellation"*}
|
|
355 |
apply (rule leadsTo_Un_duplicate2) |
|
356 |
apply (erule leadsTo_cancel_Diff1) |
|
357 |
apply (simp add: Int_Diff Diff_triv) |
|
358 |
apply (blast intro: leadsTo_weaken_L dest: constrains_imp_subset) |
|
359 |
done |
|
360 |
||
361 |
lemma psp2: |
|
362 |
"[| F : A leadsTo A'; F : B co B' |] |
|
363 |
==> F : (B' Int A) leadsTo ((B Int A') Un (B' - B))" |
|
364 |
by (simp (no_asm_simp) add: psp Int_ac) |
|
365 |
||
366 |
lemma psp_unless: |
|
367 |
"[| F : A leadsTo A'; F : B unless B' |] |
|
368 |
==> F : (A Int B) leadsTo ((A' Int B) Un B')" |
|
369 |
||
370 |
apply (unfold unless_def) |
|
371 |
apply (drule psp, assumption) |
|
372 |
apply (blast intro: leadsTo_weaken) |
|
373 |
done |
|
374 |
||
375 |
||
| 13798 | 376 |
subsection{*Proving the induction rules*}
|
| 13797 | 377 |
|
378 |
(** The most general rule: r is any wf relation; f is any variant function **) |
|
379 |
||
380 |
lemma leadsTo_wf_induct_lemma: |
|
381 |
"[| wf r; |
|
382 |
ALL m. F : (A Int f-`{m}) leadsTo
|
|
383 |
((A Int f-`(r^-1 `` {m})) Un B) |]
|
|
384 |
==> F : (A Int f-`{m}) leadsTo B"
|
|
385 |
apply (erule_tac a = m in wf_induct) |
|
386 |
apply (subgoal_tac "F : (A Int (f -` (r^-1 `` {x}))) leadsTo B")
|
|
387 |
apply (blast intro: leadsTo_cancel1 leadsTo_Un_duplicate) |
|
388 |
apply (subst vimage_eq_UN) |
|
389 |
apply (simp only: UN_simps [symmetric]) |
|
390 |
apply (blast intro: leadsTo_UN) |
|
391 |
done |
|
392 |
||
393 |
||
394 |
(** Meta or object quantifier ? **) |
|
395 |
lemma leadsTo_wf_induct: |
|
396 |
"[| wf r; |
|
397 |
ALL m. F : (A Int f-`{m}) leadsTo
|
|
398 |
((A Int f-`(r^-1 `` {m})) Un B) |]
|
|
399 |
==> F : A leadsTo B" |
|
400 |
apply (rule_tac t = A in subst) |
|
401 |
defer 1 |
|
402 |
apply (rule leadsTo_UN) |
|
403 |
apply (erule leadsTo_wf_induct_lemma) |
|
404 |
apply assumption |
|
405 |
apply fast (*Blast_tac: Function unknown's argument not a parameter*) |
|
406 |
done |
|
407 |
||
408 |
||
409 |
lemma bounded_induct: |
|
410 |
"[| wf r; |
|
411 |
ALL m:I. F : (A Int f-`{m}) leadsTo
|
|
412 |
((A Int f-`(r^-1 `` {m})) Un B) |]
|
|
413 |
==> F : A leadsTo ((A - (f-`I)) Un B)" |
|
414 |
apply (erule leadsTo_wf_induct, safe) |
|
415 |
apply (case_tac "m:I") |
|
416 |
apply (blast intro: leadsTo_weaken) |
|
417 |
apply (blast intro: subset_imp_leadsTo) |
|
418 |
done |
|
419 |
||
420 |
||
421 |
(*Alternative proof is via the lemma F : (A Int f-`(lessThan m)) leadsTo B*) |
|
422 |
lemma lessThan_induct: |
|
423 |
"[| !!m::nat. F : (A Int f-`{m}) leadsTo ((A Int f-`{..m(}) Un B) |]
|
|
424 |
==> F : A leadsTo B" |
|
425 |
apply (rule wf_less_than [THEN leadsTo_wf_induct]) |
|
426 |
apply (simp (no_asm_simp)) |
|
427 |
apply blast |
|
428 |
done |
|
429 |
||
430 |
lemma lessThan_bounded_induct: |
|
431 |
"!!l::nat. [| ALL m:(greaterThan l). |
|
432 |
F : (A Int f-`{m}) leadsTo ((A Int f-`(lessThan m)) Un B) |]
|
|
433 |
==> F : A leadsTo ((A Int (f-`(atMost l))) Un B)" |
|
434 |
apply (simp only: Diff_eq [symmetric] vimage_Compl Compl_greaterThan [symmetric]) |
|
435 |
apply (rule wf_less_than [THEN bounded_induct]) |
|
436 |
apply (simp (no_asm_simp)) |
|
437 |
done |
|
438 |
||
439 |
lemma greaterThan_bounded_induct: |
|
440 |
"!!l::nat. [| ALL m:(lessThan l). |
|
441 |
F : (A Int f-`{m}) leadsTo ((A Int f-`(greaterThan m)) Un B) |]
|
|
442 |
==> F : A leadsTo ((A Int (f-`(atLeast l))) Un B)" |
|
443 |
apply (rule_tac f = f and f1 = "%k. l - k" |
|
444 |
in wf_less_than [THEN wf_inv_image, THEN leadsTo_wf_induct]) |
|
445 |
apply (simp (no_asm) add: inv_image_def Image_singleton) |
|
446 |
apply clarify |
|
447 |
apply (case_tac "m<l") |
|
448 |
prefer 2 apply (blast intro: not_leE subset_imp_leadsTo) |
|
449 |
apply (blast intro: leadsTo_weaken_R diff_less_mono2) |
|
450 |
done |
|
451 |
||
452 |
||
| 13798 | 453 |
subsection{*wlt*}
|
| 13797 | 454 |
|
455 |
(*Misra's property W3*) |
|
456 |
lemma wlt_leadsTo: "F : (wlt F B) leadsTo B" |
|
457 |
apply (unfold wlt_def) |
|
458 |
apply (blast intro!: leadsTo_Union) |
|
459 |
done |
|
460 |
||
461 |
lemma leadsTo_subset: "F : A leadsTo B ==> A <= wlt F B" |
|
462 |
apply (unfold wlt_def) |
|
463 |
apply (blast intro!: leadsTo_Union) |
|
464 |
done |
|
465 |
||
466 |
(*Misra's property W2*) |
|
467 |
lemma leadsTo_eq_subset_wlt: "F : A leadsTo B = (A <= wlt F B)" |
|
468 |
by (blast intro!: leadsTo_subset wlt_leadsTo [THEN leadsTo_weaken_L]) |
|
469 |
||
470 |
(*Misra's property W4*) |
|
471 |
lemma wlt_increasing: "B <= wlt F B" |
|
472 |
apply (simp (no_asm_simp) add: leadsTo_eq_subset_wlt [symmetric] subset_imp_leadsTo) |
|
473 |
done |
|
474 |
||
475 |
||
476 |
(*Used in the Trans case below*) |
|
477 |
lemma lemma1: |
|
478 |
"[| B <= A2; |
|
479 |
F : (A1 - B) co (A1 Un B); |
|
480 |
F : (A2 - C) co (A2 Un C) |] |
|
481 |
==> F : (A1 Un A2 - C) co (A1 Un A2 Un C)" |
|
482 |
by (unfold constrains_def, clarify, blast) |
|
483 |
||
484 |
(*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*) |
|
485 |
lemma leadsTo_123: |
|
486 |
"F : A leadsTo A' |
|
487 |
==> EX B. A<=B & F : B leadsTo A' & F : (B-A') co (B Un A')" |
|
488 |
apply (erule leadsTo_induct) |
|
489 |
(*Basis*) |
|
490 |
apply (blast dest: ensuresD) |
|
491 |
(*Trans*) |
|
492 |
apply clarify |
|
493 |
apply (rule_tac x = "Ba Un Bb" in exI) |
|
494 |
apply (blast intro: lemma1 leadsTo_Un_Un leadsTo_cancel1 leadsTo_Un_duplicate) |
|
495 |
(*Union*) |
|
496 |
apply (clarify dest!: ball_conj_distrib [THEN iffD1] bchoice) |
|
497 |
apply (rule_tac x = "UN A:S. f A" in exI) |
|
498 |
apply (auto intro: leadsTo_UN) |
|
499 |
(*Blast_tac says PROOF FAILED*) |
|
500 |
apply (rule_tac I1=S and A1="%i. f i - B" and A'1="%i. f i Un B" |
|
| 13798 | 501 |
in constrains_UN [THEN constrains_weaken], auto) |
| 13797 | 502 |
done |
503 |
||
504 |
||
505 |
(*Misra's property W5*) |
|
506 |
lemma wlt_constrains_wlt: "F : (wlt F B - B) co (wlt F B)" |
|
| 13798 | 507 |
proof - |
508 |
from wlt_leadsTo [of F B, THEN leadsTo_123] |
|
509 |
show ?thesis |
|
510 |
proof (elim exE conjE) |
|
511 |
(* assumes have to be in exactly the form as in the goal displayed at |
|
512 |
this point. Isar doesn't give you any automation. *) |
|
513 |
fix C |
|
514 |
assume wlt: "wlt F B \<subseteq> C" |
|
515 |
and lt: "F \<in> C leadsTo B" |
|
516 |
and co: "F \<in> C - B co C \<union> B" |
|
517 |
have eq: "C = wlt F B" |
|
518 |
proof - |
|
519 |
from lt and wlt show ?thesis |
|
520 |
by (blast dest: leadsTo_eq_subset_wlt [THEN iffD1]) |
|
521 |
qed |
|
522 |
from co show ?thesis by (simp add: eq wlt_increasing Un_absorb2) |
|
523 |
qed |
|
524 |
qed |
|
| 13797 | 525 |
|
526 |
||
| 13798 | 527 |
subsection{*Completion: Binary and General Finite versions*}
|
| 13797 | 528 |
|
529 |
lemma completion_lemma : |
|
530 |
"[| W = wlt F (B' Un C); |
|
531 |
F : A leadsTo (A' Un C); F : A' co (A' Un C); |
|
532 |
F : B leadsTo (B' Un C); F : B' co (B' Un C) |] |
|
533 |
==> F : (A Int B) leadsTo ((A' Int B') Un C)" |
|
534 |
apply (subgoal_tac "F : (W-C) co (W Un B' Un C) ") |
|
535 |
prefer 2 |
|
536 |
apply (blast intro: wlt_constrains_wlt [THEN [2] constrains_Un, |
|
537 |
THEN constrains_weaken]) |
|
538 |
apply (subgoal_tac "F : (W-C) co W") |
|
539 |
prefer 2 |
|
540 |
apply (simp add: wlt_increasing Un_assoc Un_absorb2) |
|
541 |
apply (subgoal_tac "F : (A Int W - C) leadsTo (A' Int W Un C) ") |
|
542 |
prefer 2 apply (blast intro: wlt_leadsTo psp [THEN leadsTo_weaken]) |
|
543 |
(** LEVEL 6 **) |
|
544 |
apply (subgoal_tac "F : (A' Int W Un C) leadsTo (A' Int B' Un C) ") |
|
545 |
prefer 2 |
|
546 |
apply (rule leadsTo_Un_duplicate2) |
|
547 |
apply (blast intro: leadsTo_Un_Un wlt_leadsTo |
|
548 |
[THEN psp2, THEN leadsTo_weaken] leadsTo_refl) |
|
549 |
apply (drule leadsTo_Diff) |
|
550 |
apply (blast intro: subset_imp_leadsTo) |
|
551 |
apply (subgoal_tac "A Int B <= A Int W") |
|
552 |
prefer 2 |
|
553 |
apply (blast dest!: leadsTo_subset intro!: subset_refl [THEN Int_mono]) |
|
554 |
apply (blast intro: leadsTo_Trans subset_imp_leadsTo) |
|
555 |
done |
|
556 |
||
557 |
lemmas completion = completion_lemma [OF refl] |
|
558 |
||
559 |
lemma finite_completion_lemma: |
|
560 |
"finite I ==> (ALL i:I. F : (A i) leadsTo (A' i Un C)) --> |
|
561 |
(ALL i:I. F : (A' i) co (A' i Un C)) --> |
|
562 |
F : (INT i:I. A i) leadsTo ((INT i:I. A' i) Un C)" |
|
563 |
apply (erule finite_induct, auto) |
|
564 |
apply (rule completion) |
|
565 |
prefer 4 |
|
566 |
apply (simp only: INT_simps [symmetric]) |
|
567 |
apply (rule constrains_INT, auto) |
|
568 |
done |
|
569 |
||
570 |
lemma finite_completion: |
|
571 |
"[| finite I; |
|
572 |
!!i. i:I ==> F : (A i) leadsTo (A' i Un C); |
|
573 |
!!i. i:I ==> F : (A' i) co (A' i Un C) |] |
|
574 |
==> F : (INT i:I. A i) leadsTo ((INT i:I. A' i) Un C)" |
|
575 |
by (blast intro: finite_completion_lemma [THEN mp, THEN mp]) |
|
576 |
||
577 |
lemma stable_completion: |
|
578 |
"[| F : A leadsTo A'; F : stable A'; |
|
579 |
F : B leadsTo B'; F : stable B' |] |
|
580 |
==> F : (A Int B) leadsTo (A' Int B')" |
|
581 |
apply (unfold stable_def) |
|
582 |
apply (rule_tac C1 = "{}" in completion [THEN leadsTo_weaken_R])
|
|
583 |
apply (force+) |
|
584 |
done |
|
585 |
||
586 |
lemma finite_stable_completion: |
|
587 |
"[| finite I; |
|
588 |
!!i. i:I ==> F : (A i) leadsTo (A' i); |
|
589 |
!!i. i:I ==> F : stable (A' i) |] |
|
590 |
==> F : (INT i:I. A i) leadsTo (INT i:I. A' i)" |
|
591 |
apply (unfold stable_def) |
|
592 |
apply (rule_tac C1 = "{}" in finite_completion [THEN leadsTo_weaken_R])
|
|
593 |
apply (simp_all (no_asm_simp)) |
|
594 |
apply blast+ |
|
595 |
done |
|
| 9685 | 596 |
|
| 4776 | 597 |
end |