|
11479
|
1 |
(* Title: ZF/UNITY/UNITY.thy
|
|
|
2 |
ID: $Id$
|
|
|
3 |
Author: Sidi O Ehmety, Computer Laboratory
|
|
|
4 |
Copyright 2001 University of Cambridge
|
|
|
5 |
|
|
|
6 |
The basic UNITY theory (revised version, based upon the "co" operator)
|
|
|
7 |
From Misra, "A Logic for Concurrent Programming", 1994
|
|
|
8 |
|
|
|
9 |
Theory ported from HOL.
|
|
|
10 |
*)
|
|
|
11 |
|
|
12195
|
12 |
UNITY = State +
|
|
11479
|
13 |
consts
|
|
|
14 |
constrains :: "[i, i] => i" (infixl "co" 60)
|
|
|
15 |
op_unless :: "[i, i] => i" (infixl "unless" 60)
|
|
|
16 |
|
|
|
17 |
constdefs
|
|
|
18 |
program :: i
|
|
12195
|
19 |
"program == {<init, acts, allowed>:
|
|
|
20 |
Pow(state)*Pow(Pow(state*state))*Pow(Pow(state*state)).
|
|
|
21 |
id(state):acts & id(state):allowed}"
|
|
11479
|
22 |
|
|
12195
|
23 |
(* The definition below yields a program thanks to the coercions
|
|
|
24 |
init Int state, acts Int Pow(state*state), etc. *)
|
|
11479
|
25 |
mk_program :: [i,i,i]=>i
|
|
|
26 |
"mk_program(init, acts, allowed) ==
|
|
12195
|
27 |
<init Int state, cons(id(state), acts Int Pow(state*state)),
|
|
|
28 |
cons(id(state), allowed Int Pow(state*state))>"
|
|
11479
|
29 |
|
|
|
30 |
SKIP :: i
|
|
12195
|
31 |
"SKIP == mk_program(state, 0, Pow(state*state))"
|
|
11479
|
32 |
|
|
12195
|
33 |
(* Coercion from anything to program *)
|
|
11479
|
34 |
programify :: i=>i
|
|
|
35 |
"programify(F) == if F:program then F else SKIP"
|
|
12195
|
36 |
|
|
11479
|
37 |
RawInit :: i=>i
|
|
|
38 |
"RawInit(F) == fst(F)"
|
|
|
39 |
|
|
|
40 |
Init :: i=>i
|
|
|
41 |
"Init(F) == RawInit(programify(F))"
|
|
|
42 |
|
|
|
43 |
RawActs :: i=>i
|
|
12195
|
44 |
"RawActs(F) == cons(id(state), fst(snd(F)))"
|
|
11479
|
45 |
|
|
|
46 |
Acts :: i=>i
|
|
|
47 |
"Acts(F) == RawActs(programify(F))"
|
|
|
48 |
|
|
|
49 |
RawAllowedActs :: i=>i
|
|
12195
|
50 |
"RawAllowedActs(F) == cons(id(state), snd(snd(F)))"
|
|
11479
|
51 |
|
|
|
52 |
AllowedActs :: i=>i
|
|
|
53 |
"AllowedActs(F) == RawAllowedActs(programify(F))"
|
|
|
54 |
|
|
|
55 |
|
|
|
56 |
Allowed :: i =>i
|
|
|
57 |
"Allowed(F) == {G:program. Acts(G) <= AllowedActs(F)}"
|
|
|
58 |
|
|
12195
|
59 |
initially :: i=>i
|
|
|
60 |
"initially(A) == {F:program. Init(F)<=A}"
|
|
11479
|
61 |
|
|
|
62 |
stable :: i=>i
|
|
|
63 |
"stable(A) == A co A"
|
|
|
64 |
|
|
|
65 |
strongest_rhs :: [i, i] => i
|
|
|
66 |
"strongest_rhs(F, A) == Inter({B:Pow(state). F:A co B})"
|
|
|
67 |
|
|
|
68 |
invariant :: i => i
|
|
12195
|
69 |
"invariant(A) == initially(A) Int stable(A)"
|
|
|
70 |
|
|
|
71 |
(* The `increasing' relation of Charpentier. Increasing's parameters are:
|
|
|
72 |
a state function f, a domain A and an order relation r over the domain A. *)
|
|
|
73 |
|
|
|
74 |
increasing :: [i,i, i] => i
|
|
|
75 |
"increasing(A, r, f) == INT a:A. stable({s:state. <a, f`s>:r})"
|
|
11479
|
76 |
|
|
12195
|
77 |
(* The definition of a partial order in ZF (predicate part_ord in theory Order)
|
|
|
78 |
describes a strict order: irreflexive and transitive.
|
|
|
79 |
However, the order used in association with Charpentier's increasing
|
|
|
80 |
relation is not, hence the definition below: *)
|
|
11479
|
81 |
part_order :: [i, i] => o
|
|
|
82 |
"part_order(A, r) == refl(A,r) & trans[A](r) & antisym(r)"
|
|
|
83 |
|
|
|
84 |
defs
|
|
12195
|
85 |
(* Condition `st_set(A)' makes the definition slightly stronger than the HOL one *)
|
|
|
86 |
constrains_def "A co B == {F:program. (ALL act:Acts(F). act``A<=B) & st_set(A)}"
|
|
11479
|
87 |
unless_def "A unless B == (A - B) co (A Un B)"
|
|
|
88 |
end
|
|
|
89 |
|