isabelle: src/ZF/UNITY/WFair.ML@7ad150f5fc10 (annotated)

11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	1	(* Title: HOL/UNITY/WFair.ML
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	2	ID: $Id$
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	3	Author: Sidi O Ehmety, Computer Laboratory
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	4	Copyright 2001 University of Cambridge
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	5
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	6	Weak Fairness versions of transient, ensures, leadsTo.
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	7
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	8	From Misra, "A Logic for Concurrent Programming", 1994
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	9	*)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	10
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	11	(* transient *)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	12
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	13	Goalw [transient_def] "transient(A)<=program";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	14	by Auto_tac;
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	15	qed "transient_type";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	16
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	17	Goalw [transient_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	18	"F:transient(A) ==> F:program & st_set(A)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	19	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	20	qed "transientD2";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	21
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	22	Goalw [stable_def, constrains_def, transient_def]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	23	"[\| F : stable(A); F : transient(A) \|] ==> A = 0";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	24	by Auto_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	25	by (Blast_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	26	qed "stable_transient_empty";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	27
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	28	Goalw [transient_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	29	"[\|F:transient(A); B<=A\|] ==> F:transient(B)";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	30	by Safe_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	31	by (res_inst_tac [("x", "act")] bexI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	32	by (ALLGOALS(Asm_full_simp_tac));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	33	by (Blast_tac 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	34	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	35	qed "transient_strengthen";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	36
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	37	Goalw [transient_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	38	"[\|act:Acts(F); A <= domain(act); act``A <= state-A; \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	39	\ F:program; st_set(A)\|] ==> F:transient(A)";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	40	by (Blast_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	41	qed "transientI";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	42
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	43	val major::prems =
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	44	Goalw [transient_def] "[\| F:transient(A); \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	45	\ !!act. [\| act:Acts(F); A <= domain(act); act``A <= state-A\|]==>P\|]==>P";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	46	by (rtac (major RS CollectE) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	47	by (blast_tac (claset() addIs prems) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	48	qed "transientE";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	49
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	50	Goalw [transient_def] "transient(state) = 0";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	51	by (rtac equalityI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	52	by (ALLGOALS(Clarify_tac));
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	53	by (cut_inst_tac [("F", "x")] Acts_type 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	54	by (asm_full_simp_tac (simpset() addsimps [Diff_cancel]) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	55	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	56	qed "transient_state";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	57
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	58	Goalw [transient_def,st_set_def] "state<=B ==> transient(B) = 0";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	59	by (rtac equalityI 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	60	by (ALLGOALS(Clarify_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	61	by (cut_inst_tac [("F", "x")] Acts_type 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	62	by (asm_full_simp_tac (simpset() addsimps [Diff_cancel]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	63	by (subgoal_tac "B=state" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	64	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	65	qed "transient_state2";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	66
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	67	Goalw [transient_def] "transient(0) = program";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	68	by (rtac equalityI 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	69	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	70	qed "transient_empty";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	71
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	72	Addsimps [transient_empty, transient_state, transient_state2];
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	73
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	74	(* ensures *)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	75
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	76	Goalw [ensures_def, constrains_def] "A ensures B <=program";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	77	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	78	qed "ensures_type";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	79
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	80	Goalw [ensures_def]
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	81	"[\|F:(A-B) co (A Un B); F:transient(A-B)\|]==>F:A ensures B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	82	by (auto_tac (claset(), simpset() addsimps [transient_type RS subsetD]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	83	qed "ensuresI";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	84
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	85	(* Added by Sidi, from Misra's notes, Progress chapter, exercise 4 *)
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	86	Goal "[\| F:A co A Un B; F: transient(A) \|] ==> F: A ensures B";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	87	by (dres_inst_tac [("B", "A-B")] constrains_weaken_L 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	88	by (dres_inst_tac [("B", "A-B")] transient_strengthen 2);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	89	by (auto_tac (claset(), simpset() addsimps [ensures_def, transient_type RS subsetD]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	90	qed "ensuresI2";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	91
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	92	Goalw [ensures_def] "F:A ensures B ==> F:(A-B) co (A Un B) & F:transient (A-B)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	93	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	94	qed "ensuresD";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	95
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	96	Goalw [ensures_def] "[\|F:A ensures A'; A'<=B' \|] ==> F:A ensures B'";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	97	by (blast_tac (claset()
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	98	addIs [transient_strengthen, constrains_weaken]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	99	qed "ensures_weaken_R";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	100
12215 55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	101	(The L-version (precondition strengthening) fails, but we have this)
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	102	Goalw [ensures_def]
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	103	"[\| F:stable(C); F:A ensures B \|] ==> F:(C Int A) ensures (C Int B)";
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	104	by (simp_tac (simpset() addsimps [Int_Un_distrib RS sym,
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	105	Diff_Int_distrib RS sym]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	106	by (blast_tac (claset()
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	107	addIs [transient_strengthen,
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	108	stable_constrains_Int, constrains_weaken]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	109	qed "stable_ensures_Int";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	110
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	111	Goal "[\|F:stable(A); F:transient(C); A<=B Un C\|] ==> F : A ensures B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	112	by (forward_tac [stable_type RS subsetD] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	113	by (asm_full_simp_tac (simpset() addsimps [ensures_def, stable_def]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	114	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	115	by (blast_tac (claset() addIs [transient_strengthen,
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	116	constrains_weaken]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	117	qed "stable_transient_ensures";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	118
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	119	Goal "(A ensures B) = (A unless B) Int transient (A-B)";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	120	by (auto_tac (claset(), simpset() addsimps [ensures_def, unless_def]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	121	qed "ensures_eq";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	122
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	123	Goal "[\| F:program; A<=B \|] ==> F : A ensures B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	124	by (rewrite_goal_tac [ensures_def,constrains_def,transient_def, st_set_def] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	125	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	126	qed "subset_imp_ensures";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	127
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	128	(* leadsTo *)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	129	val leads_left = leads.dom_subset RS subsetD RS SigmaD1;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	130	val leads_right = leads.dom_subset RS subsetD RS SigmaD2;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	131
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	132	Goalw [leadsTo_def] "A leadsTo B <= program";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	133	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	134	qed "leadsTo_type";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	135
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	136	Goalw [leadsTo_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	137	"F: A leadsTo B ==> F:program & st_set(A) & st_set(B)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	138	by (blast_tac (claset() addDs [leads_left, leads_right]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	139	qed "leadsToD2";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	140
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	141	Goalw [leadsTo_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	142	"[\|F:A ensures B; st_set(A); st_set(B)\|] ==> F:A leadsTo B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	143	by (cut_facts_tac [ensures_type] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	144	by (auto_tac (claset() addIs [leads.Basis], simpset()));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	145	qed "leadsTo_Basis";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	146	AddIs [leadsTo_Basis];
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	147
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	148	(* Added by Sidi, from Misra's notes, Progress chapter, exercise number 4 *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	149	(* [\| F:program; A<=B; st_set(A); st_set(B) \|] ==> A leadsTo B *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	150	bind_thm ("subset_imp_leadsTo", subset_imp_ensures RS leadsTo_Basis);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	151
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	152	Goalw [leadsTo_def] "[\|F: A leadsTo B; F: B leadsTo C \|]==>F: A leadsTo C";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	153	by (auto_tac (claset() addIs [leads.Trans], simpset()));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	154	qed "leadsTo_Trans";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	155
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	156	(* Better when used in association with leadsTo_weaken_R *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	157	Goalw [transient_def] "F:transient(A) ==> F : A leadsTo (state-A )";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	158	by (rtac (ensuresI RS leadsTo_Basis) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	159	by (ALLGOALS(Clarify_tac));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	160	by (blast_tac (claset() addIs [transientI]) 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	161	by (rtac constrains_weaken 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	162	by Auto_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	163	qed "transient_imp_leadsTo";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	164
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	165	(Useful with cancellation, disjunction)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	166	Goal "F : A leadsTo (A' Un A') ==> F : A leadsTo A'";
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	167	by (Asm_full_simp_tac 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	168	qed "leadsTo_Un_duplicate";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	169
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	170	Goal "F : A leadsTo (A' Un C Un C) ==> F : A leadsTo (A' Un C)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	171	by (asm_full_simp_tac (simpset() addsimps Un_ac) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	172	qed "leadsTo_Un_duplicate2";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	173
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	174	(The Union introduction rule as we should have liked to state it)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	175	val [major, program,B]= Goalw [leadsTo_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	176	"[\|(!!A. A:S ==> F:A leadsTo B); F:program; st_set(B)\|]==>F:Union(S) leadsTo B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	177	by (cut_facts_tac [program, B] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	178	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	179	by (rtac leads.Union 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	180	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	181	by (ALLGOALS(dtac major));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	182	by (auto_tac (claset() addDs [leads_left], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	183	qed "leadsTo_Union";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	184
12215 55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	185	val [major,program,B] = Goalw [leadsTo_def, st_set_def]
55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	186	"[\|(!!A. A:S ==>F:(A Int C) leadsTo B); F:program; st_set(B)\|] \
55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	187	\ ==>F:(Union(S)Int C)leadsTo B";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	188	by (cut_facts_tac [program, B] 1);
12215 55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	189	by (asm_simp_tac (simpset() delsimps UN_simps addsimps [Int_Union_Union]) 1);
55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	190	by (resolve_tac [leads.Union] 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	191	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	192	by (ALLGOALS(dtac major));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	193	by (auto_tac (claset() addDs [leads_left], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	194	qed "leadsTo_Union_Int";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	195
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	196	val [major,program,B] = Goalw [leadsTo_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	197	"[\|(!!i. i:I ==> F : A(i) leadsTo B); F:program; st_set(B)\|]==>F:(UN i:I. A(i)) leadsTo B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	198	by (cut_facts_tac [program, B] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	199	by (asm_simp_tac (simpset() addsimps [Int_Union_Union]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	200	by (rtac leads.Union 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	201	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	202	by (ALLGOALS(dtac major));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	203	by (auto_tac (claset() addDs [leads_left], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	204	qed "leadsTo_UN";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	205
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	206	(* Binary union introduction rule *)
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	207	Goal "[\| F: A leadsTo C; F: B leadsTo C \|] ==> F : (A Un B) leadsTo C";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	208	by (stac Un_eq_Union 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	209	by (blast_tac (claset() addIs [leadsTo_Union] addDs [leadsToD2]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	210	qed "leadsTo_Un";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	211
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	212	val [major, program, B] = Goal
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	213	"[\|(!!x. x:A==> F:{x} leadsTo B); F:program; st_set(B) \|] ==> F:A leadsTo B";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	214	by (res_inst_tac [("b", "A")] (UN_singleton RS subst) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	215	by (rtac leadsTo_UN 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	216	by (auto_tac (claset() addDs prems, simpset() addsimps [major, program, B]));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	217	qed "single_leadsTo_I";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	218
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	219	Goal "[\| F:program; st_set(A) \|] ==> F: A leadsTo A";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	220	by (blast_tac (claset() addIs [subset_imp_leadsTo]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	221	qed "leadsTo_refl";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	222
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	223	Goal "F: A leadsTo A <-> F:program & st_set(A)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	224	by (auto_tac (claset() addIs [leadsTo_refl]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	225	addDs [leadsToD2], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	226	qed "leadsTo_refl_iff";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	227
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	228	Goal "F: 0 leadsTo B <-> (F:program & st_set(B))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	229	by (auto_tac (claset() addIs [subset_imp_leadsTo]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	230	addDs [leadsToD2], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	231	qed "empty_leadsTo";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	232	AddIffs [empty_leadsTo];
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	233
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	234	Goal "F: A leadsTo state <-> (F:program & st_set(A))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	235	by (auto_tac (claset() addIs [subset_imp_leadsTo]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	236	addDs [leadsToD2, st_setD], simpset()));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	237	qed "leadsTo_state";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	238	AddIffs [leadsTo_state];
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	239
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	240	Goal "[\| F:A leadsTo A'; A'<=B'; st_set(B') \|] ==> F : A leadsTo B'";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	241	by (blast_tac (claset() addDs [leadsToD2]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	242	addIs [subset_imp_leadsTo,leadsTo_Trans]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	243	qed "leadsTo_weaken_R";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	244
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	245	Goal "[\| F:A leadsTo A'; B<=A \|] ==> F : B leadsTo A'";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	246	by (ftac leadsToD2 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	247	by (blast_tac (claset() addIs [leadsTo_Trans,subset_imp_leadsTo, st_set_subset]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	248	qed_spec_mp "leadsTo_weaken_L";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	249
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	250	Goal "[\| F:A leadsTo A'; B<=A; A'<=B'; st_set(B')\|]==> F:B leadsTo B'";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	251	by (ftac leadsToD2 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	252	by (blast_tac (claset() addIs [leadsTo_weaken_R, leadsTo_weaken_L,
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	253	leadsTo_Trans, leadsTo_refl]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	254	qed "leadsTo_weaken";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	255
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	256	(* This rule has a nicer conclusion *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	257	Goal "[\| F:transient(A); state-A<=B; st_set(B)\|] ==> F:A leadsTo B";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	258	by (ftac transientD2 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	259	by (rtac leadsTo_weaken_R 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	260	by (auto_tac (claset(), simpset() addsimps [transient_imp_leadsTo]));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	261	qed "transient_imp_leadsTo2";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	262
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	263	(Distributes over binary unions)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	264	Goal "F:(A Un B) leadsTo C <-> (F:A leadsTo C & F : B leadsTo C)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	265	by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken_L]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	266	qed "leadsTo_Un_distrib";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	267
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	268	Goal
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	269	"(F:(UN i:I. A(i)) leadsTo B)<-> ((ALL i : I. F: A(i) leadsTo B) & F:program & st_set(B))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	270	by (blast_tac (claset() addDs [leadsToD2]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	271	addIs [leadsTo_UN, leadsTo_weaken_L]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	272	qed "leadsTo_UN_distrib";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	273
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	274	Goal "(F: Union(S) leadsTo B) <-> (ALL A:S. F : A leadsTo B) & F:program & st_set(B)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	275	by (blast_tac (claset() addDs [leadsToD2]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	276	addIs [leadsTo_Union, leadsTo_weaken_L]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	277	qed "leadsTo_Union_distrib";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	278
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	279	(Set difference: maybe combine with leadsTo_weaken_L?)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	280	Goal "[\| F: (A-B) leadsTo C; F: B leadsTo C; st_set(C) \|] ==> F: A leadsTo C";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	281	by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	282	addDs [leadsToD2]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	283	qed "leadsTo_Diff";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	284
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	285	val [major,minor] = Goal
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	286	"[\|(!!i. i:I ==> F: A(i) leadsTo A'(i)); F:program \|] \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	287	\ ==> F: (UN i:I. A(i)) leadsTo (UN i:I. A'(i))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	288	by (rtac leadsTo_Union 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	289	by (ALLGOALS(Asm_simp_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	290	by Safe_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	291	by (simp_tac (simpset() addsimps [minor]) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	292	by (blast_tac (claset() addDs [leadsToD2, major])2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	293	by (blast_tac (claset() addIs [leadsTo_weaken_R] addDs [major, leadsToD2]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	294	qed "leadsTo_UN_UN";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	295
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	296	(Binary union version)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	297	Goal "[\| F: A leadsTo A'; F:B leadsTo B' \|] ==> F : (A Un B) leadsTo (A' Un B')";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	298	by (subgoal_tac "st_set(A) & st_set(A') & st_set(B) & st_set(B')" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	299	by (blast_tac (claset() addDs [leadsToD2]) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	300	by (blast_tac (claset() addIs [leadsTo_Un, leadsTo_weaken_R]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	301	qed "leadsTo_Un_Un";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	302
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	303	( The cancellation law )
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	304	Goal "[\|F: A leadsTo (A' Un B); F: B leadsTo B'\|] ==> F: A leadsTo (A' Un B')";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	305	by (subgoal_tac "st_set(A) & st_set(A') & st_set(B) & st_set(B') &F:program" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	306	by (blast_tac (claset() addDs [leadsToD2]) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	307	by (blast_tac (claset() addIs [leadsTo_Trans, leadsTo_Un_Un, leadsTo_refl]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	308	qed "leadsTo_cancel2";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	309
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	310	Goal "[\|F: A leadsTo (A' Un B); F : (B-A') leadsTo B'\|]==> F: A leadsTo (A' Un B')";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	311	by (rtac leadsTo_cancel2 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	312	by (assume_tac 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	313	by (blast_tac (claset() addDs [leadsToD2] addIs [leadsTo_weaken_R]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	314	qed "leadsTo_cancel_Diff2";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	315
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	316
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	317	Goal "[\| F : A leadsTo (B Un A'); F : B leadsTo B' \|] ==> F:A leadsTo (B' Un A')";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	318	by (asm_full_simp_tac (simpset() addsimps [Un_commute]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	319	by (blast_tac (claset() addSIs [leadsTo_cancel2]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	320	qed "leadsTo_cancel1";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	321
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	322	Goal "[\|F: A leadsTo (B Un A'); F: (B-A') leadsTo B'\|]==> F : A leadsTo (B' Un A')";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	323	by (rtac leadsTo_cancel1 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	324	by (assume_tac 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	325	by (blast_tac (claset() addIs [leadsTo_weaken_R] addDs [leadsToD2]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	326	qed "leadsTo_cancel_Diff1";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	327
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	328	(The INDUCTION rule as we should have liked to state it)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	329	val [major, basis_prem, trans_prem, union_prem] = Goalw [leadsTo_def, st_set_def]
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	330	"[\| F: za leadsTo zb; \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	331	\ !!A B. [\| F: A ensures B; st_set(A); st_set(B) \|] ==> P(A, B); \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	332	\ !!A B C. [\| F: A leadsTo B; P(A, B); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	333	\ F: B leadsTo C; P(B, C) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	334	\ ==> P(A, C); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	335	\ !!B S. [\| ALL A:S. F:A leadsTo B; ALL A:S. P(A, B); st_set(B); ALL A:S. st_set(A)\|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	336	\ ==> P(Union(S), B) \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	337	\ \|] ==> P(za, zb)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	338	by (cut_facts_tac [major] 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	339	by (rtac (major RS CollectD2 RS leads.induct) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	340	by (rtac union_prem 3);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	341	by (rtac trans_prem 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	342	by (rtac basis_prem 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	343	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	344	qed "leadsTo_induct";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	345
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	346	(* Added by Sidi, an induction rule without ensures *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	347	val [major,imp_prem,basis_prem,trans_prem,union_prem] = Goal
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	348	"[\| F: za leadsTo zb; \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	349	\ !!A B. [\| A<=B; st_set(B) \|] ==> P(A, B); \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	350	\ !!A B. [\| F:A co A Un B; F:transient(A); st_set(B) \|] ==> P(A, B); \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	351	\ !!A B C. [\| F: A leadsTo B; P(A, B); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	352	\ F: B leadsTo C; P(B, C) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	353	\ ==> P(A, C); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	354	\ !!B S. [\| ALL A:S. F:A leadsTo B; ALL A:S. P(A, B); st_set(B); ALL A:S. st_set(A) \|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	355	\ ==> P(Union(S), B) \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	356	\ \|] ==> P(za, zb)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	357	by (cut_facts_tac [major] 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	358	by (etac leadsTo_induct 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	359	by (auto_tac (claset() addIs [trans_prem,union_prem], simpset()));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	360	by (rewrite_goal_tac [ensures_def] 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	361	by (Clarify_tac 1);
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	362	by (ftac constrainsD2 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	363	by (dres_inst_tac [("B'", "(A-B) Un B")] constrains_weaken_R 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	364	by (Blast_tac 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	365	by (forward_tac [ensuresI2 RS leadsTo_Basis] 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	366	by (dtac basis_prem 4);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	367	by (ALLGOALS(Asm_full_simp_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	368	by (forw_inst_tac [("A1", "A"), ("B", "B")] (Int_lower2 RS imp_prem) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	369	by (subgoal_tac "A=Union({A - B, A Int B})" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	370	by (Blast_tac 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	371	by (etac ssubst 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	372	by (rtac union_prem 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	373	by (auto_tac (claset() addIs [subset_imp_leadsTo], simpset()));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	374	qed "leadsTo_induct2";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	375
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	376	( Variant induction rule: on the preconditions for B )
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	377	(Lemma is the weak version: can't see how to do it in one step)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	378	val major::prems = Goal
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	379	"[\| F : za leadsTo zb; \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	380	\ P(zb); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	381	\ !!A B. [\| F : A ensures B; P(B); st_set(A); st_set(B) \|] ==> P(A); \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	382	\ !!S. [\| ALL A:S. P(A); ALL A:S. st_set(A) \|] ==> P(Union(S)) \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	383	\ \|] ==> P(za)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	384	(by induction on this formula)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	385	by (subgoal_tac "P(zb) --> P(za)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	386	(now solve first subgoal: this formula is sufficient)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	387	by (blast_tac (claset() addIs leadsTo_refl::prems) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	388	by (rtac (major RS leadsTo_induct) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	389	by (REPEAT (blast_tac (claset() addIs prems) 1));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	390	qed "lemma";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	391
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	392
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	393	val [major, zb_prem, basis_prem, union_prem] = Goal
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	394	"[\| F : za leadsTo zb; \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	395	\ P(zb); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	396	\ !!A B. [\| F : A ensures B; F : B leadsTo zb; P(B); st_set(A) \|] ==> P(A); \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	397	\ !!S. ALL A:S. F : A leadsTo zb & P(A) & st_set(A) ==> P(Union(S)) \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	398	\ \|] ==> P(za)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	399	by (cut_facts_tac [major] 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	400	by (subgoal_tac "(F : za leadsTo zb) & P(za)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	401	by (etac conjunct2 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	402	by (rtac (major RS lemma) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	403	by (blast_tac (claset() addDs [leadsToD2]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	404	addIs [leadsTo_Union,union_prem]) 3);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	405	by (blast_tac (claset() addIs [leadsTo_Trans,basis_prem, leadsTo_Basis]) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	406	by (blast_tac (claset() addIs [leadsTo_refl,zb_prem]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	407	addDs [leadsToD2]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	408	qed "leadsTo_induct_pre";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	409
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	410	( The impossibility law )
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	411	Goal
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	412	"F : A leadsTo 0 ==> A=0";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	413	by (etac leadsTo_induct_pre 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	414	by (auto_tac (claset(), simpset() addsimps
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	415	[ensures_def, constrains_def, transient_def, st_set_def]));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	416	by (dtac bspec 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	417	by (REPEAT(Blast_tac 1));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	418	qed "leadsTo_empty";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	419	Addsimps [leadsTo_empty];
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	420
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	421	( PSP: Progress-Safety-Progress )
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	422
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	423	(Special case of PSP: Misra's "stable conjunction")
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	424	Goalw [stable_def]
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	425	"[\| F : A leadsTo A'; F : stable(B) \|] ==> F:(A Int B) leadsTo (A' Int B)";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	426	by (etac leadsTo_induct 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	427	by (rtac leadsTo_Union_Int 3);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	428	by (ALLGOALS(Asm_simp_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	429	by (REPEAT(blast_tac (claset() addDs [constrainsD2]) 3));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	430	by (blast_tac (claset() addIs [leadsTo_Trans]) 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	431	by (rtac leadsTo_Basis 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	432	by (asm_full_simp_tac (simpset()
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	433	addsimps [ensures_def, Diff_Int_distrib RS sym,
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	434	Diff_Int_distrib2 RS sym, Int_Un_distrib2 RS sym]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	435	by (REPEAT(blast_tac (claset()
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	436	addIs [transient_strengthen,constrains_Int]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	437	addDs [constrainsD2]) 1));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	438	qed "psp_stable";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	439
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	440
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	441	Goal "[\|F: A leadsTo A'; F : stable(B) \|]==>F: (B Int A) leadsTo (B Int A')";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	442	by (asm_simp_tac (simpset()
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	443	addsimps psp_stable::Int_ac) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	444	qed "psp_stable2";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	445
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	446	Goalw [ensures_def, constrains_def, st_set_def]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	447	"[\| F: A ensures A'; F: B co B' \|]==> F: (A Int B') ensures ((A' Int B) Un (B' - B))";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	448	(speeds up the proof)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	449	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	450	by (blast_tac (claset() addIs [transient_strengthen]) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	451	qed "psp_ensures";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	452
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	453	Goal
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	454	"[\|F:A leadsTo A'; F: B co B'; st_set(B')\|]==> F:(A Int B') leadsTo ((A' Int B) Un (B' - B))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	455	by (subgoal_tac "F:program & st_set(A) & st_set(A')& st_set(B)" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	456	by (blast_tac (claset() addSDs [constrainsD2, leadsToD2]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	457	by (etac leadsTo_induct 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	458	by (blast_tac (claset() addIs [leadsTo_Union_Int]) 3);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	459	(Transitivity case has a delicate argument involving "cancellation")
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	460	by (rtac leadsTo_Un_duplicate2 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	461	by (etac leadsTo_cancel_Diff1 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	462	by (asm_full_simp_tac (simpset() addsimps [Int_Diff, Diff_triv]) 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	463	by (blast_tac (claset() addIs [leadsTo_weaken_L]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	464	addDs [constrains_imp_subset]) 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	465	(Basis case)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	466	by (blast_tac (claset() addIs [psp_ensures, leadsTo_Basis]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	467	qed "psp";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	468
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	469
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	470	Goal "[\| F : A leadsTo A'; F : B co B'; st_set(B') \|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	471	\ ==> F : (B' Int A) leadsTo ((B Int A') Un (B' - B))";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	472	by (asm_simp_tac (simpset() addsimps psp::Int_ac) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	473	qed "psp2";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	474
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	475	Goalw [unless_def]
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	476	"[\| F : A leadsTo A'; F : B unless B'; st_set(B); st_set(B') \|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	477	\ ==> F : (A Int B) leadsTo ((A' Int B) Un B')";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	478	by (subgoal_tac "st_set(A)&st_set(A')" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	479	by (blast_tac (claset() addDs [leadsToD2]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	480	by (dtac psp 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	481	by (assume_tac 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	482	by (Blast_tac 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	483	by (REPEAT(blast_tac (claset() addIs [leadsTo_weaken]) 1));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	484	qed "psp_unless";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	485
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	486	(* Proving the wf induction rules *)
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	487	( The most general rule: r is any wf relation; f is any variant function )
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	488	Goal "[\| wf(r); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	489	\ m:I; \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	490	\ field(r)<=I; \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	491	\ F:program; st_set(B);\
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	492	\ ALL m:I. F : (A Int f-``{m}) leadsTo \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	493	\ ((A Int f-``(converse(r)``{m})) Un B) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	494	\ ==> F : (A Int f-``{m}) leadsTo B";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	495	by (eres_inst_tac [("a","m")] wf_induct2 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	496	by (ALLGOALS(Asm_simp_tac));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	497	by (subgoal_tac "F : (A Int (f-``(converse(r)``{x}))) leadsTo B" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	498	by (stac vimage_eq_UN 2);
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	499	by (asm_simp_tac (simpset() delsimps UN_simps
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	500	addsimps [Int_UN_distrib]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	501	by (blast_tac (claset() addIs [leadsTo_cancel1, leadsTo_Un_duplicate]) 1);
12215 55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	502	by (auto_tac (claset() addIs [leadsTo_UN],
55c084921240 Modified to make the files build with the new changes in ZF ehmety parents: 12195 diff changeset	503	simpset() delsimps UN_simps addsimps [Int_UN_distrib]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	504	qed "lemma1";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	505
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	506	( Meta or object quantifier ? )
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	507	Goal "[\| wf(r); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	508	\ field(r)<=I; \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	509	\ A<=f-``I;\
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	510	\ F:program; st_set(A); st_set(B); \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	511	\ ALL m:I. F : (A Int f-``{m}) leadsTo \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	512	\ ((A Int f-``(converse(r)``{m})) Un B) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	513	\ ==> F : A leadsTo B";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	514	by (res_inst_tac [("b", "A")] subst 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	515	by (res_inst_tac [("I", "I")] leadsTo_UN 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	516	by (REPEAT (assume_tac 2));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	517	by (Clarify_tac 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	518	by (eres_inst_tac [("I", "I")] lemma1 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	519	by (REPEAT (assume_tac 2));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	520	by (rtac equalityI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	521	by Safe_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	522	by (thin_tac "field(r)<=I" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	523	by (dres_inst_tac [("c", "x")] subsetD 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	524	by Safe_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	525	by (res_inst_tac [("b", "x")] UN_I 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	526	by Auto_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	527	qed "leadsTo_wf_induct";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	528
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	529	Goalw [field_def] "field(less_than(nat)) = nat";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	530	by (simp_tac (simpset() addsimps [less_than_equals]) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	531	by (rtac equalityI 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	532	by (force_tac (claset(), simpset()) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	533	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	534	by (thin_tac "x~:range(?y)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	535	by (etac nat_induct 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	536	by (ALLGOALS(asm_full_simp_tac (simpset() addsimps [domain_def])));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	537	by (res_inst_tac [("x", "<succ(xa),succ(succ(xa))>")] ReplaceI 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	538	by (res_inst_tac [("x", "<0,1>")] ReplaceI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	539	by (REPEAT(force_tac (claset() addIs [splitI], simpset()) 1));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	540	qed "nat_less_than_field";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	541
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	542	(Alternative proof is via the lemma F : (A Int f-`(lessThan m)) leadsTo B)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	543	Goal
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	544	"[\| A<=f-``nat;\
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	545	\ F:program; st_set(A); st_set(B); \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	546	\ ALL m:nat. F:(A Int f-``{m}) leadsTo ((A Int f-``lessThan(m,nat)) Un B) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	547	\ ==> F : A leadsTo B";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	548	by (res_inst_tac [("A1", "nat")]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	549	(wf_less_than RS leadsTo_wf_induct) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	550	by (Clarify_tac 6);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	551	by (ALLGOALS(asm_full_simp_tac
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	552	(simpset() addsimps [nat_less_than_field])));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	553	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	554	by (ALLGOALS(asm_full_simp_tac
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	555	(simpset() addsimps [rewrite_rule [vimage_def] Image_inverse_less_than])));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	556	qed "lessThan_induct";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	557
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	558	(* wlt **)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	559
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	560	(Misra's property W3)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	561	Goalw [wlt_def] "wlt(F,B) <=state";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	562	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	563	qed "wlt_type";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	564
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	565	Goalw [st_set_def] "st_set(wlt(F, B))";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	566	by (rtac wlt_type 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	567	qed "wlt_st_set";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	568	AddIffs [wlt_st_set];
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	569
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	570	Goalw [wlt_def] "F:wlt(F, B) leadsTo B <-> (F:program & st_set(B))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	571	by (blast_tac (claset() addDs [leadsToD2] addSIs [leadsTo_Union]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	572	qed "wlt_leadsTo_iff";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	573
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	574	(* [\| F:program; st_set(B) \|] ==> F:wlt(F, B) leadsTo B *)
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	575	bind_thm("wlt_leadsTo", conjI RS (wlt_leadsTo_iff RS iffD2));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	576
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	577	Goalw [wlt_def] "F : A leadsTo B ==> A <= wlt(F, B)";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	578	by (ftac leadsToD2 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	579	by (auto_tac (claset(), simpset() addsimps [st_set_def]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	580	qed "leadsTo_subset";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	581
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	582	(Misra's property W2)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	583	Goal "F : A leadsTo B <-> (A <= wlt(F,B) & F:program & st_set(B))";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	584	by Auto_tac;
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	585	by (REPEAT(blast_tac (claset() addDs [leadsToD2,leadsTo_subset]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	586	addIs [leadsTo_weaken_L, wlt_leadsTo]) 1));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	587	qed "leadsTo_eq_subset_wlt";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	588
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	589	(Misra's property W4)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	590	Goal "[\| F:program; st_set(B) \|] ==> B <= wlt(F,B)";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	591	by (rtac leadsTo_subset 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	592	by (asm_simp_tac (simpset()
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	593	addsimps [leadsTo_eq_subset_wlt RS iff_sym,
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	594	subset_imp_leadsTo]) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	595	qed "wlt_increasing";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	596
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	597	(Used in the Trans case below)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	598	Goalw [constrains_def, st_set_def]
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	599	"[\| B <= A2; \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	600	\ F : (A1 - B) co (A1 Un B); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	601	\ F : (A2 - C) co (A2 Un C) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	602	\ ==> F : (A1 Un A2 - C) co (A1 Un A2 Un C)";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	603	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	604	by (Blast_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	605	qed "lemma1";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	606
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	607	(Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress")
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	608	(* slightly different from the HOL one: B here is bounded *)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	609	Goal "F : A leadsTo A' \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	610	\ ==> EX B:Pow(state). A<=B & F:B leadsTo A' & F : (B-A') co (B Un A')";
12484 7ad150f5fc10 isatool expandshort; wenzelm parents: 12220 diff changeset	611	by (ftac leadsToD2 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	612	by (etac leadsTo_induct 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	613	(Basis)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	614	by (blast_tac (claset() addDs [ensuresD, constrainsD2, st_setD]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	615	(Trans)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	616	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	617	by (res_inst_tac [("x", "Ba Un Bb")] bexI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	618	by (blast_tac (claset() addIs [lemma1,leadsTo_Un_Un, leadsTo_cancel1,
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	619	leadsTo_Un_duplicate]) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	620	by (Blast_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	621	(Union)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	622	by (clarify_tac (claset() addSDs [ball_conj_distrib RS iffD1]) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	623	by (subgoal_tac "EX y. y:Pi(S, %A. {Ba:Pow(state). A<=Ba & \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	624	\ F:Ba leadsTo B & F:Ba - B co Ba Un B})" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	625	by (rtac AC_ball_Pi 2);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	626	by (ALLGOALS(Clarify_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	627	by (rotate_tac 1 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	628	by (dres_inst_tac [("x", "x")] bspec 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	629	by (REPEAT(Blast_tac 2));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	630	by (res_inst_tac [("x", "UN A:S. y`A")] bexI 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	631	by Safe_tac;
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	632	by (res_inst_tac [("I1", "S")] (constrains_UN RS constrains_weaken) 3);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	633	by (rtac leadsTo_Union 2);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	634	by (blast_tac (claset() addSDs [apply_type]) 5);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	635	by (ALLGOALS(Asm_full_simp_tac));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	636	by (REPEAT(force_tac (claset() addSDs [apply_type], simpset()) 1));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	637	qed "leadsTo_123";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	638
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	639
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	640	(Misra's property W5)
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	641	Goal "[\| F:program; st_set(B) \|] ==>F : (wlt(F, B) - B) co (wlt(F,B))";
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	642	by (cut_inst_tac [("F","F")] (wlt_leadsTo RS leadsTo_123) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	643	by (assume_tac 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	644	by (Blast_tac 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	645	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	646	by (subgoal_tac "Ba = wlt(F,B)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	647	by (blast_tac (claset() addDs [leadsTo_eq_subset_wlt RS iffD1]) 2);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	648	by (Clarify_tac 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	649	by (asm_full_simp_tac (simpset()
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	650	addsimps [wlt_increasing RS (subset_Un_iff2 RS iffD1)]) 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	651	qed "wlt_constrains_wlt";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	652
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	653	(* Completion: Binary and General Finite versions *)
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	654
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	655	Goal "[\| W = wlt(F, (B' Un C)); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	656	\ F : A leadsTo (A' Un C); F : A' co (A' Un C); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	657	\ F : B leadsTo (B' Un C); F : B' co (B' Un C) \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	658	\ ==> F : (A Int B) leadsTo ((A' Int B') Un C)";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	659	by (subgoal_tac "st_set(C)&st_set(W)&st_set(W-C)&st_set(A')&st_set(A)\
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	660	\ & st_set(B) & st_set(B') & F:program" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	661	by (Asm_simp_tac 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	662	by (blast_tac (claset() addSDs [leadsToD2]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	663	by (subgoal_tac "F : (W-C) co (W Un B' Un C)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	664	by (blast_tac (claset() addIs [[asm_rl, wlt_constrains_wlt]
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	665	MRS constrains_Un RS constrains_weaken]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	666	by (subgoal_tac "F : (W-C) co W" 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	667	by (asm_full_simp_tac (simpset() addsimps [wlt_increasing RS
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	668	(subset_Un_iff2 RS iffD1), Un_assoc]) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	669	by (subgoal_tac "F : (A Int W - C) leadsTo (A' Int W Un C)" 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	670	by (blast_tac (claset() addIs [wlt_leadsTo, psp RS leadsTo_weaken]) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	671	( LEVEL 9 )
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	672	by (subgoal_tac "F : (A' Int W Un C) leadsTo (A' Int B' Un C)" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	673	by (rtac leadsTo_Un_duplicate2 2);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	674	by (rtac leadsTo_Un_Un 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	675	by (blast_tac (claset() addIs [leadsTo_refl]) 3);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	676	by (res_inst_tac [("A'1", "B' Un C")] (wlt_leadsTo RS psp2 RS leadsTo_weaken) 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	677	by (REPEAT(Blast_tac 2));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	678	( LEVEL 17 )
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	679	by (dtac leadsTo_Diff 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	680	by (blast_tac (claset() addIs [subset_imp_leadsTo]
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	681	addDs [leadsToD2, constrainsD2]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	682	by (force_tac (claset(), simpset() addsimps [st_set_def]) 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	683	by (subgoal_tac "A Int B <= A Int W" 1);
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	684	by (blast_tac (claset() addSDs [leadsTo_subset]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	685	addSIs [subset_refl RS Int_mono]) 2);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	686	by (blast_tac (claset() addIs [leadsTo_Trans, subset_imp_leadsTo]) 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	687	qed "completion_aux";
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	688	bind_thm("completion", refl RS completion_aux);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	689
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	690	Goal "[\| I:Fin(X); F:program; st_set(C) \|] ==> \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	691	\(ALL i:I. F : (A(i)) leadsTo (A'(i) Un C)) --> \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	692	\ (ALL i:I. F : (A'(i)) co (A'(i) Un C)) --> \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	693	\ F : (INT i:I. A(i)) leadsTo ((INT i:I. A'(i)) Un C)";
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	694	by (etac Fin_induct 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	695	by (auto_tac (claset(), simpset() addsimps [Inter_0]));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	696	by (rtac completion 1);
12220 9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	697	by (auto_tac (claset(),
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	698	simpset() delsimps INT_simps addsimps INT_extend_simps));
9dc4e8fec63d last-minute tidying paulson parents: 12215 diff changeset	699	by (rtac constrains_INT 1);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	700	by (REPEAT(Blast_tac 1));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	701	qed "lemma";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	702
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	703	val prems = Goal
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	704	"[\| I:Fin(X); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	705	\ !!i. i:I ==> F : A(i) leadsTo (A'(i) Un C); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	706	\ !!i. i:I ==> F : A'(i) co (A'(i) Un C); F:program; st_set(C)\|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	707	\ ==> F : (INT i:I. A(i)) leadsTo ((INT i:I. A'(i)) Un C)";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	708	by (resolve_tac [lemma RS mp RS mp] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	709	by (resolve_tac prems 3);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	710	by (REPEAT(blast_tac (claset() addIs prems) 1));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	711	qed "finite_completion";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	712
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	713	Goalw [stable_def]
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	714	"[\| F : A leadsTo A'; F : stable(A'); \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	715	\ F : B leadsTo B'; F : stable(B') \|] \
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	716	\ ==> F : (A Int B) leadsTo (A' Int B')";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	717	by (res_inst_tac [("C1", "0")] (completion RS leadsTo_weaken_R) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	718	by (REPEAT(blast_tac (claset() addDs [leadsToD2, constrainsD2]) 5));
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	719	by (ALLGOALS(Asm_full_simp_tac));
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	720	qed "stable_completion";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	721
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	722
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	723	val major::prems = Goalw [stable_def]
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	724	"[\| I:Fin(X); \
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	725	\ (!!i. i:I ==> F : A(i) leadsTo A'(i)); \
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	726	\ (!!i. i:I ==> F: stable(A'(i))); F:program \|] \
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	727	\ ==> F : (INT i:I. A(i)) leadsTo (INT i:I. A'(i))";
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	728	by (cut_facts_tac [major] 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	729	by (subgoal_tac "st_set(INT i:I. A'(i))" 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	730	by (blast_tac (claset() addDs [leadsToD2]@prems) 2);
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	731	by (res_inst_tac [("C1", "0")] (finite_completion RS leadsTo_weaken_R) 1);
12195 ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	732	by (Asm_simp_tac 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	733	by (assume_tac 6);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	734	by (ALLGOALS(asm_full_simp_tac (simpset() addsimps prems)));
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	735	by (resolve_tac prems 2);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	736	by (resolve_tac prems 1);
ed2893765a08 * empty log message * ehmety parents: 11479 diff changeset	737	by Auto_tac;
11479 697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	738	qed "finite_stable_completion";
697dcaaf478f new ZF/UNITY theory paulson parents: diff changeset	739

author	wenzelm
	Wed, 12 Dec 2001 20:37:31 +0100
changeset 12484	7ad150f5fc10
parent 12220	9dc4e8fec63d
child 13535	007559e981c7
permissions	-rw-r--r--