|
11479
|
1 |
(* Title: ZF/UNITY/Constrains.thy
|
|
|
2 |
ID: $Id$
|
|
|
3 |
Author: Sidi O Ehmety, Computer Laboratory
|
|
|
4 |
Copyright 2001 University of Cambridge
|
|
|
5 |
|
|
|
6 |
Safety relations: restricted to the set of reachable states.
|
|
|
7 |
|
|
|
8 |
Theory ported from HOL.
|
|
|
9 |
*)
|
|
|
10 |
|
|
|
11 |
Constrains = UNITY +
|
|
|
12 |
consts traces :: "[i, i] => i"
|
|
|
13 |
(* Initial states and program => (final state, reversed trace to it)...
|
|
|
14 |
the domain might also be state*list(state) *)
|
|
|
15 |
inductive
|
|
|
16 |
domains
|
|
|
17 |
"traces(init, acts)" <=
|
|
|
18 |
"(init Un (UN act:acts. field(act)))*list(UN act:acts. field(act))"
|
|
|
19 |
intrs
|
|
|
20 |
(*Initial trace is empty*)
|
|
|
21 |
Init "s: init ==> <s,[]> : traces(init,acts)"
|
|
|
22 |
|
|
|
23 |
Acts "[| act:acts; <s,evs> : traces(init,acts); <s,s'>: act |]
|
|
|
24 |
==> <s', Cons(s,evs)> : traces(init, acts)"
|
|
|
25 |
|
|
|
26 |
type_intrs "list.intrs@[UnI1, UnI2, UN_I, fieldI2, fieldI1]"
|
|
|
27 |
|
|
|
28 |
consts reachable :: "i=>i"
|
|
|
29 |
|
|
|
30 |
inductive
|
|
|
31 |
domains
|
|
|
32 |
"reachable(F)" <= "Init(F) Un (UN act:Acts(F). field(act))"
|
|
|
33 |
intrs
|
|
|
34 |
Init "s:Init(F) ==> s:reachable(F)"
|
|
|
35 |
|
|
|
36 |
Acts "[| act: Acts(F); s:reachable(F); <s,s'>: act |]
|
|
|
37 |
==> s':reachable(F)"
|
|
|
38 |
|
|
|
39 |
type_intrs "[UnI1, UnI2, fieldI2, UN_I]"
|
|
|
40 |
|
|
|
41 |
|
|
|
42 |
consts
|
|
|
43 |
Constrains :: "[i,i] => i" (infixl "Co" 60)
|
|
|
44 |
op_Unless :: "[i, i] => i" (infixl "Unless" 60)
|
|
|
45 |
|
|
|
46 |
defs
|
|
|
47 |
Constrains_def
|
|
|
48 |
"A Co B == {F:program. F:(reachable(F) Int A) co B &
|
|
|
49 |
A:condition & B:condition}"
|
|
|
50 |
|
|
|
51 |
Unless_def
|
|
|
52 |
"A Unless B == (A-B) Co (A Un B)"
|
|
|
53 |
|
|
|
54 |
constdefs
|
|
|
55 |
Stable :: "i => i"
|
|
|
56 |
"Stable(A) == A Co A"
|
|
|
57 |
(*Always is the weak form of "invariant"*)
|
|
|
58 |
Always :: "i => i"
|
|
|
59 |
"Always(A) == {F:program. Init(F) <= A} Int Stable(A)"
|
|
|
60 |
|
|
|
61 |
(*
|
|
|
62 |
The constant Increasing_on defines a weak form of the Charpentier's
|
|
|
63 |
increasing notion. It should not be confused with the ZF's
|
|
|
64 |
increasing constant which have a different meaning.
|
|
|
65 |
Increasing's parameters: a state function f,
|
|
|
66 |
a domain A and a order relation r over the domain A.
|
|
|
67 |
Should f be a meta function instead ?
|
|
|
68 |
*)
|
|
|
69 |
Increasing_on :: [i,i, i] => i ("Increasing[_]'(_,_')")
|
|
|
70 |
"Increasing[A](f, r) == {F:program. f:state->A &
|
|
|
71 |
part_order(A,r) &
|
|
|
72 |
F: (INT z:A. Stable({s:state. <z, f`s>:r}))}"
|
|
|
73 |
|
|
|
74 |
end
|
|
|
75 |
|