| author | wenzelm | 
| Fri, 22 Sep 2023 16:12:10 +0200 | |
| changeset 78684 | aa532cf1c894 | 
| parent 69597 | ff784d5a5bfb | 
| child 80914 | d97fdabd9e2b | 
| permissions | -rw-r--r-- | 
| 32960 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 1 | (* Title: HOL/UNITY/UNITY.thy | 
| 4776 | 2 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory | 
| 3 | Copyright 1998 University of Cambridge | |
| 4 | ||
| 32960 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 5 | The basic UNITY theory (revised version, based upon the "co" | 
| 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 6 | operator). | 
| 4776 | 7 | |
| 32960 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 8 | From Misra, "A Logic for Concurrent Programming", 1994. | 
| 4776 | 9 | *) | 
| 10 | ||
| 63146 | 11 | section \<open>The Basic UNITY Theory\<close> | 
| 13798 | 12 | |
| 16417 | 13 | theory UNITY imports Main begin | 
| 6535 | 14 | |
| 45694 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 15 | definition | 
| 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 16 | "Program = | 
| 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 17 |     {(init:: 'a set, acts :: ('a * 'a)set set,
 | 
| 67613 | 18 |       allowed :: ('a * 'a)set set). Id \<in> acts & Id \<in> allowed}"
 | 
| 45694 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 19 | |
| 49834 | 20 | typedef 'a program = "Program :: ('a set * ('a * 'a) set set * ('a * 'a) set set) set"
 | 
| 45694 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 21 | morphisms Rep_Program Abs_Program | 
| 
4a8743618257
prefer typedef without extra definition and alternative name;
 wenzelm parents: 
45605diff
changeset | 22 | unfolding Program_def by blast | 
| 6536 | 23 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 24 | definition Acts :: "'a program => ('a * 'a)set set" where
 | 
| 14653 | 25 | "Acts F == (%(init, acts, allowed). acts) (Rep_Program F)" | 
| 26 | ||
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 27 | definition "constrains" :: "['a set, 'a set] => 'a program set" (infixl "co" 60) where | 
| 13805 | 28 |     "A co B == {F. \<forall>act \<in> Acts F. act``A \<subseteq> B}"
 | 
| 13797 | 29 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 30 | definition unless :: "['a set, 'a set] => 'a program set" (infixl "unless" 60) where | 
| 13805 | 31 | "A unless B == (A-B) co (A \<union> B)" | 
| 13797 | 32 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 33 | definition mk_program :: "('a set * ('a * 'a)set set * ('a * 'a)set set)
 | 
| 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 34 | => 'a program" where | 
| 10064 
1a77667b21ef
added compatibility relation: AllowedActs, Allowed, ok,
 paulson parents: 
8948diff
changeset | 35 | "mk_program == %(init, acts, allowed). | 
| 
1a77667b21ef
added compatibility relation: AllowedActs, Allowed, ok,
 paulson parents: 
8948diff
changeset | 36 | Abs_Program (init, insert Id acts, insert Id allowed)" | 
| 6535 | 37 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 38 | definition Init :: "'a program => 'a set" where | 
| 10064 
1a77667b21ef
added compatibility relation: AllowedActs, Allowed, ok,
 paulson parents: 
8948diff
changeset | 39 | "Init F == (%(init, acts, allowed). init) (Rep_Program F)" | 
| 6535 | 40 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 41 | definition AllowedActs :: "'a program => ('a * 'a)set set" where
 | 
| 10064 
1a77667b21ef
added compatibility relation: AllowedActs, Allowed, ok,
 paulson parents: 
8948diff
changeset | 42 | "AllowedActs F == (%(init, acts, allowed). allowed) (Rep_Program F)" | 
| 
1a77667b21ef
added compatibility relation: AllowedActs, Allowed, ok,
 paulson parents: 
8948diff
changeset | 43 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 44 | definition Allowed :: "'a program => 'a program set" where | 
| 13805 | 45 |     "Allowed F == {G. Acts G \<subseteq> AllowedActs F}"
 | 
| 4776 | 46 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 47 | definition stable :: "'a set => 'a program set" where | 
| 6536 | 48 | "stable A == A co A" | 
| 4776 | 49 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 50 | definition strongest_rhs :: "['a program, 'a set] => 'a set" where | 
| 61952 | 51 |     "strongest_rhs F A == \<Inter>{B. F \<in> A co B}"
 | 
| 4776 | 52 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 53 | definition invariant :: "'a set => 'a program set" where | 
| 13805 | 54 |     "invariant A == {F. Init F \<subseteq> A} \<inter> stable A"
 | 
| 4776 | 55 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 56 | definition increasing :: "['a => 'b::{order}] => 'a program set" where
 | 
| 67443 
3abf6a722518
standardized towards new-style formal comments: isabelle update_comments;
 wenzelm parents: 
63146diff
changeset | 57 | \<comment> \<open>Polymorphic in both states and the meaning of \<open>\<le>\<close>\<close> | 
| 13805 | 58 |     "increasing f == \<Inter>z. stable {s. z \<le> f s}"
 | 
| 4776 | 59 | |
| 6536 | 60 | |
| 63146 | 61 | subsubsection\<open>The abstract type of programs\<close> | 
| 13797 | 62 | |
| 63 | lemmas program_typedef = | |
| 64 | Rep_Program Rep_Program_inverse Abs_Program_inverse | |
| 65 | Program_def Init_def Acts_def AllowedActs_def mk_program_def | |
| 66 | ||
| 13805 | 67 | lemma Id_in_Acts [iff]: "Id \<in> Acts F" | 
| 13797 | 68 | apply (cut_tac x = F in Rep_Program) | 
| 69 | apply (auto simp add: program_typedef) | |
| 70 | done | |
| 71 | ||
| 72 | lemma insert_Id_Acts [iff]: "insert Id (Acts F) = Acts F" | |
| 46577 | 73 | by (simp add: insert_absorb) | 
| 13797 | 74 | |
| 13861 | 75 | lemma Acts_nonempty [simp]: "Acts F \<noteq> {}"
 | 
| 76 | by auto | |
| 77 | ||
| 13805 | 78 | lemma Id_in_AllowedActs [iff]: "Id \<in> AllowedActs F" | 
| 13797 | 79 | apply (cut_tac x = F in Rep_Program) | 
| 80 | apply (auto simp add: program_typedef) | |
| 81 | done | |
| 82 | ||
| 83 | lemma insert_Id_AllowedActs [iff]: "insert Id (AllowedActs F) = AllowedActs F" | |
| 46577 | 84 | by (simp add: insert_absorb) | 
| 13797 | 85 | |
| 63146 | 86 | subsubsection\<open>Inspectors for type "program"\<close> | 
| 13797 | 87 | |
| 88 | lemma Init_eq [simp]: "Init (mk_program (init,acts,allowed)) = init" | |
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 89 | by (simp add: program_typedef) | 
| 13797 | 90 | |
| 91 | lemma Acts_eq [simp]: "Acts (mk_program (init,acts,allowed)) = insert Id acts" | |
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 92 | by (simp add: program_typedef) | 
| 13797 | 93 | |
| 94 | lemma AllowedActs_eq [simp]: | |
| 95 | "AllowedActs (mk_program (init,acts,allowed)) = insert Id allowed" | |
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 96 | by (simp add: program_typedef) | 
| 13797 | 97 | |
| 63146 | 98 | subsubsection\<open>Equality for UNITY programs\<close> | 
| 13797 | 99 | |
| 100 | lemma surjective_mk_program [simp]: | |
| 101 | "mk_program (Init F, Acts F, AllowedActs F) = F" | |
| 102 | apply (cut_tac x = F in Rep_Program) | |
| 103 | apply (auto simp add: program_typedef) | |
| 104 | apply (drule_tac f = Abs_Program in arg_cong)+ | |
| 105 | apply (simp add: program_typedef insert_absorb) | |
| 106 | done | |
| 107 | ||
| 108 | lemma program_equalityI: | |
| 109 | "[| Init F = Init G; Acts F = Acts G; AllowedActs F = AllowedActs G |] | |
| 110 | ==> F = G" | |
| 111 | apply (rule_tac t = F in surjective_mk_program [THEN subst]) | |
| 112 | apply (rule_tac t = G in surjective_mk_program [THEN subst], simp) | |
| 113 | done | |
| 114 | ||
| 115 | lemma program_equalityE: | |
| 116 | "[| F = G; | |
| 117 | [| Init F = Init G; Acts F = Acts G; AllowedActs F = AllowedActs G |] | |
| 118 | ==> P |] ==> P" | |
| 119 | by simp | |
| 120 | ||
| 121 | lemma program_equality_iff: | |
| 122 | "(F=G) = | |
| 123 | (Init F = Init G & Acts F = Acts G &AllowedActs F = AllowedActs G)" | |
| 124 | by (blast intro: program_equalityI program_equalityE) | |
| 125 | ||
| 126 | ||
| 63146 | 127 | subsubsection\<open>co\<close> | 
| 13797 | 128 | |
| 129 | lemma constrainsI: | |
| 67613 | 130 | "(!!act s s'. [| act \<in> Acts F; (s,s') \<in> act; s \<in> A |] ==> s' \<in> A') | 
| 13805 | 131 | ==> F \<in> A co A'" | 
| 13797 | 132 | by (simp add: constrains_def, blast) | 
| 133 | ||
| 134 | lemma constrainsD: | |
| 67613 | 135 | "[| F \<in> A co A'; act \<in> Acts F; (s,s') \<in> act; s \<in> A |] ==> s' \<in> A'" | 
| 13797 | 136 | by (unfold constrains_def, blast) | 
| 137 | ||
| 13805 | 138 | lemma constrains_empty [iff]: "F \<in> {} co B"
 | 
| 13797 | 139 | by (unfold constrains_def, blast) | 
| 140 | ||
| 13805 | 141 | lemma constrains_empty2 [iff]: "(F \<in> A co {}) = (A={})"
 | 
| 13797 | 142 | by (unfold constrains_def, blast) | 
| 143 | ||
| 13805 | 144 | lemma constrains_UNIV [iff]: "(F \<in> UNIV co B) = (B = UNIV)" | 
| 13797 | 145 | by (unfold constrains_def, blast) | 
| 146 | ||
| 13805 | 147 | lemma constrains_UNIV2 [iff]: "F \<in> A co UNIV" | 
| 13797 | 148 | by (unfold constrains_def, blast) | 
| 149 | ||
| 63146 | 150 | text\<open>monotonic in 2nd argument\<close> | 
| 13797 | 151 | lemma constrains_weaken_R: | 
| 13805 | 152 | "[| F \<in> A co A'; A'<=B' |] ==> F \<in> A co B'" | 
| 13797 | 153 | by (unfold constrains_def, blast) | 
| 154 | ||
| 63146 | 155 | text\<open>anti-monotonic in 1st argument\<close> | 
| 13797 | 156 | lemma constrains_weaken_L: | 
| 13805 | 157 | "[| F \<in> A co A'; B \<subseteq> A |] ==> F \<in> B co A'" | 
| 13797 | 158 | by (unfold constrains_def, blast) | 
| 159 | ||
| 160 | lemma constrains_weaken: | |
| 13805 | 161 | "[| F \<in> A co A'; B \<subseteq> A; A'<=B' |] ==> F \<in> B co B'" | 
| 13797 | 162 | by (unfold constrains_def, blast) | 
| 163 | ||
| 63146 | 164 | subsubsection\<open>Union\<close> | 
| 13797 | 165 | |
| 166 | lemma constrains_Un: | |
| 13805 | 167 | "[| F \<in> A co A'; F \<in> B co B' |] ==> F \<in> (A \<union> B) co (A' \<union> B')" | 
| 13797 | 168 | by (unfold constrains_def, blast) | 
| 169 | ||
| 170 | lemma constrains_UN: | |
| 13805 | 171 | "(!!i. i \<in> I ==> F \<in> (A i) co (A' i)) | 
| 172 | ==> F \<in> (\<Union>i \<in> I. A i) co (\<Union>i \<in> I. A' i)" | |
| 13797 | 173 | by (unfold constrains_def, blast) | 
| 174 | ||
| 13805 | 175 | lemma constrains_Un_distrib: "(A \<union> B) co C = (A co C) \<inter> (B co C)" | 
| 13797 | 176 | by (unfold constrains_def, blast) | 
| 177 | ||
| 13805 | 178 | lemma constrains_UN_distrib: "(\<Union>i \<in> I. A i) co B = (\<Inter>i \<in> I. A i co B)" | 
| 13797 | 179 | by (unfold constrains_def, blast) | 
| 180 | ||
| 13805 | 181 | lemma constrains_Int_distrib: "C co (A \<inter> B) = (C co A) \<inter> (C co B)" | 
| 13797 | 182 | by (unfold constrains_def, blast) | 
| 183 | ||
| 13805 | 184 | lemma constrains_INT_distrib: "A co (\<Inter>i \<in> I. B i) = (\<Inter>i \<in> I. A co B i)" | 
| 13797 | 185 | by (unfold constrains_def, blast) | 
| 186 | ||
| 63146 | 187 | subsubsection\<open>Intersection\<close> | 
| 6536 | 188 | |
| 13797 | 189 | lemma constrains_Int: | 
| 13805 | 190 | "[| F \<in> A co A'; F \<in> B co B' |] ==> F \<in> (A \<inter> B) co (A' \<inter> B')" | 
| 13797 | 191 | by (unfold constrains_def, blast) | 
| 192 | ||
| 193 | lemma constrains_INT: | |
| 13805 | 194 | "(!!i. i \<in> I ==> F \<in> (A i) co (A' i)) | 
| 195 | ==> F \<in> (\<Inter>i \<in> I. A i) co (\<Inter>i \<in> I. A' i)" | |
| 13797 | 196 | by (unfold constrains_def, blast) | 
| 197 | ||
| 13805 | 198 | lemma constrains_imp_subset: "F \<in> A co A' ==> A \<subseteq> A'" | 
| 13797 | 199 | by (unfold constrains_def, auto) | 
| 200 | ||
| 63146 | 201 | text\<open>The reasoning is by subsets since "co" refers to single actions | 
| 202 | only. So this rule isn't that useful.\<close> | |
| 13797 | 203 | lemma constrains_trans: | 
| 13805 | 204 | "[| F \<in> A co B; F \<in> B co C |] ==> F \<in> A co C" | 
| 13797 | 205 | by (unfold constrains_def, blast) | 
| 206 | ||
| 207 | lemma constrains_cancel: | |
| 13805 | 208 | "[| F \<in> A co (A' \<union> B); F \<in> B co B' |] ==> F \<in> A co (A' \<union> B')" | 
| 13797 | 209 | by (unfold constrains_def, clarify, blast) | 
| 210 | ||
| 211 | ||
| 63146 | 212 | subsubsection\<open>unless\<close> | 
| 13797 | 213 | |
| 13805 | 214 | lemma unlessI: "F \<in> (A-B) co (A \<union> B) ==> F \<in> A unless B" | 
| 13797 | 215 | by (unfold unless_def, assumption) | 
| 216 | ||
| 13805 | 217 | lemma unlessD: "F \<in> A unless B ==> F \<in> (A-B) co (A \<union> B)" | 
| 13797 | 218 | by (unfold unless_def, assumption) | 
| 219 | ||
| 220 | ||
| 63146 | 221 | subsubsection\<open>stable\<close> | 
| 13797 | 222 | |
| 13805 | 223 | lemma stableI: "F \<in> A co A ==> F \<in> stable A" | 
| 13797 | 224 | by (unfold stable_def, assumption) | 
| 225 | ||
| 13805 | 226 | lemma stableD: "F \<in> stable A ==> F \<in> A co A" | 
| 13797 | 227 | by (unfold stable_def, assumption) | 
| 228 | ||
| 229 | lemma stable_UNIV [simp]: "stable UNIV = UNIV" | |
| 230 | by (unfold stable_def constrains_def, auto) | |
| 231 | ||
| 63146 | 232 | subsubsection\<open>Union\<close> | 
| 13797 | 233 | |
| 234 | lemma stable_Un: | |
| 13805 | 235 | "[| F \<in> stable A; F \<in> stable A' |] ==> F \<in> stable (A \<union> A')" | 
| 13797 | 236 | |
| 237 | apply (unfold stable_def) | |
| 238 | apply (blast intro: constrains_Un) | |
| 239 | done | |
| 240 | ||
| 241 | lemma stable_UN: | |
| 13805 | 242 | "(!!i. i \<in> I ==> F \<in> stable (A i)) ==> F \<in> stable (\<Union>i \<in> I. A i)" | 
| 13797 | 243 | apply (unfold stable_def) | 
| 244 | apply (blast intro: constrains_UN) | |
| 245 | done | |
| 246 | ||
| 13870 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 247 | lemma stable_Union: | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 248 | "(!!A. A \<in> X ==> F \<in> stable A) ==> F \<in> stable (\<Union>X)" | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 249 | by (unfold stable_def constrains_def, blast) | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 250 | |
| 63146 | 251 | subsubsection\<open>Intersection\<close> | 
| 13797 | 252 | |
| 253 | lemma stable_Int: | |
| 13805 | 254 | "[| F \<in> stable A; F \<in> stable A' |] ==> F \<in> stable (A \<inter> A')" | 
| 13797 | 255 | apply (unfold stable_def) | 
| 256 | apply (blast intro: constrains_Int) | |
| 257 | done | |
| 258 | ||
| 259 | lemma stable_INT: | |
| 13805 | 260 | "(!!i. i \<in> I ==> F \<in> stable (A i)) ==> F \<in> stable (\<Inter>i \<in> I. A i)" | 
| 13797 | 261 | apply (unfold stable_def) | 
| 262 | apply (blast intro: constrains_INT) | |
| 263 | done | |
| 264 | ||
| 13870 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 265 | lemma stable_Inter: | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 266 | "(!!A. A \<in> X ==> F \<in> stable A) ==> F \<in> stable (\<Inter>X)" | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 267 | by (unfold stable_def constrains_def, blast) | 
| 
cf947d1ec5ff
moved Exponent, Coset, Sylow from GroupTheory to Algebra, converting them
 paulson parents: 
13861diff
changeset | 268 | |
| 13797 | 269 | lemma stable_constrains_Un: | 
| 13805 | 270 | "[| F \<in> stable C; F \<in> A co (C \<union> A') |] ==> F \<in> (C \<union> A) co (C \<union> A')" | 
| 13797 | 271 | by (unfold stable_def constrains_def, blast) | 
| 272 | ||
| 273 | lemma stable_constrains_Int: | |
| 13805 | 274 | "[| F \<in> stable C; F \<in> (C \<inter> A) co A' |] ==> F \<in> (C \<inter> A) co (C \<inter> A')" | 
| 13797 | 275 | by (unfold stable_def constrains_def, blast) | 
| 276 | ||
| 13805 | 277 | (*[| F \<in> stable C; F \<in> (C \<inter> A) co A |] ==> F \<in> stable (C \<inter> A) *) | 
| 45605 | 278 | lemmas stable_constrains_stable = stable_constrains_Int[THEN stableI] | 
| 13797 | 279 | |
| 280 | ||
| 63146 | 281 | subsubsection\<open>invariant\<close> | 
| 13797 | 282 | |
| 13805 | 283 | lemma invariantI: "[| Init F \<subseteq> A; F \<in> stable A |] ==> F \<in> invariant A" | 
| 13797 | 284 | by (simp add: invariant_def) | 
| 285 | ||
| 69597 | 286 | text\<open>Could also say \<^term>\<open>invariant A \<inter> invariant B \<subseteq> invariant(A \<inter> B)\<close>\<close> | 
| 13797 | 287 | lemma invariant_Int: | 
| 13805 | 288 | "[| F \<in> invariant A; F \<in> invariant B |] ==> F \<in> invariant (A \<inter> B)" | 
| 13797 | 289 | by (auto simp add: invariant_def stable_Int) | 
| 290 | ||
| 291 | ||
| 63146 | 292 | subsubsection\<open>increasing\<close> | 
| 13797 | 293 | |
| 294 | lemma increasingD: | |
| 13805 | 295 |      "F \<in> increasing f ==> F \<in> stable {s. z \<subseteq> f s}"
 | 
| 13797 | 296 | by (unfold increasing_def, blast) | 
| 297 | ||
| 13805 | 298 | lemma increasing_constant [iff]: "F \<in> increasing (%s. c)" | 
| 13797 | 299 | by (unfold increasing_def stable_def, auto) | 
| 300 | ||
| 301 | lemma mono_increasing_o: | |
| 13805 | 302 | "mono g ==> increasing f \<subseteq> increasing (g o f)" | 
| 13797 | 303 | apply (unfold increasing_def stable_def constrains_def, auto) | 
| 304 | apply (blast intro: monoD order_trans) | |
| 305 | done | |
| 306 | ||
| 13805 | 307 | (*Holds by the theorem (Suc m \<subseteq> n) = (m < n) *) | 
| 13797 | 308 | lemma strict_increasingD: | 
| 13805 | 309 |      "!!z::nat. F \<in> increasing f ==> F \<in> stable {s. z < f s}"
 | 
| 13797 | 310 | by (simp add: increasing_def Suc_le_eq [symmetric]) | 
| 311 | ||
| 312 | ||
| 313 | (** The Elimination Theorem. The "free" m has become universally quantified! | |
| 13805 | 314 | Should the premise be !!m instead of \<forall>m ? Would make it harder to use | 
| 13797 | 315 | in forward proof. **) | 
| 316 | ||
| 317 | lemma elimination: | |
| 13805 | 318 |     "[| \<forall>m \<in> M. F \<in> {s. s x = m} co (B m) |]  
 | 
| 319 |      ==> F \<in> {s. s x \<in> M} co (\<Union>m \<in> M. B m)"
 | |
| 13797 | 320 | by (unfold constrains_def, blast) | 
| 321 | ||
| 63146 | 322 | text\<open>As above, but for the trivial case of a one-variable state, in which the | 
| 323 | state is identified with its one variable.\<close> | |
| 13797 | 324 | lemma elimination_sing: | 
| 13805 | 325 |     "(\<forall>m \<in> M. F \<in> {m} co (B m)) ==> F \<in> M co (\<Union>m \<in> M. B m)"
 | 
| 13797 | 326 | by (unfold constrains_def, blast) | 
| 327 | ||
| 328 | ||
| 329 | ||
| 63146 | 330 | subsubsection\<open>Theoretical Results from Section 6\<close> | 
| 13797 | 331 | |
| 332 | lemma constrains_strongest_rhs: | |
| 13805 | 333 | "F \<in> A co (strongest_rhs F A )" | 
| 13797 | 334 | by (unfold constrains_def strongest_rhs_def, blast) | 
| 335 | ||
| 336 | lemma strongest_rhs_is_strongest: | |
| 13805 | 337 | "F \<in> A co B ==> strongest_rhs F A \<subseteq> B" | 
| 13797 | 338 | by (unfold constrains_def strongest_rhs_def, blast) | 
| 339 | ||
| 340 | ||
| 63146 | 341 | subsubsection\<open>Ad-hoc set-theory rules\<close> | 
| 13797 | 342 | |
| 13805 | 343 | lemma Un_Diff_Diff [simp]: "A \<union> B - (A - B) = B" | 
| 13797 | 344 | by blast | 
| 345 | ||
| 61952 | 346 | lemma Int_Union_Union: "\<Union>B \<inter> A = \<Union>((%C. C \<inter> A)`B)" | 
| 13797 | 347 | by blast | 
| 348 | ||
| 63146 | 349 | text\<open>Needed for WF reasoning in WFair.thy\<close> | 
| 13797 | 350 | |
| 351 | lemma Image_less_than [simp]: "less_than `` {k} = greaterThan k"
 | |
| 352 | by blast | |
| 353 | ||
| 67613 | 354 | lemma Image_inverse_less_than [simp]: "less_than\<inverse> `` {k} = lessThan k"
 | 
| 13797 | 355 | by blast | 
| 6536 | 356 | |
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 357 | |
| 63146 | 358 | subsection\<open>Partial versus Total Transitions\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 359 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 360 | definition totalize_act :: "('a * 'a)set => ('a * 'a)set" where
 | 
| 30198 | 361 | "totalize_act act == act \<union> Id_on (-(Domain act))" | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 362 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 363 | definition totalize :: "'a program => 'a program" where | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 364 | "totalize F == mk_program (Init F, | 
| 32960 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 365 | totalize_act ` Acts F, | 
| 
69916a850301
eliminated hard tabulators, guessing at each author's individual tab-width;
 wenzelm parents: 
30198diff
changeset | 366 | AllowedActs F)" | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 367 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 368 | definition mk_total_program :: "('a set * ('a * 'a)set set * ('a * 'a)set set)
 | 
| 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 369 | => 'a program" where | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 370 | "mk_total_program args == totalize (mk_program args)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 371 | |
| 35416 
d8d7d1b785af
replaced a couple of constsdefs by definitions (also some old primrecs by modern ones)
 haftmann parents: 
32960diff
changeset | 372 | definition all_total :: "'a program => bool" where | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 373 | "all_total F == \<forall>act \<in> Acts F. Domain act = UNIV" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 374 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 375 | lemma insert_Id_image_Acts: "f Id = Id ==> insert Id (f`Acts F) = f ` Acts F" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 376 | by (blast intro: sym [THEN image_eqI]) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 377 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 378 | |
| 63146 | 379 | subsubsection\<open>Basic properties\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 380 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 381 | lemma totalize_act_Id [simp]: "totalize_act Id = Id" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 382 | by (simp add: totalize_act_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 383 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 384 | lemma Domain_totalize_act [simp]: "Domain (totalize_act act) = UNIV" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 385 | by (auto simp add: totalize_act_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 386 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 387 | lemma Init_totalize [simp]: "Init (totalize F) = Init F" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 388 | by (unfold totalize_def, auto) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 389 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 390 | lemma Acts_totalize [simp]: "Acts (totalize F) = (totalize_act ` Acts F)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 391 | by (simp add: totalize_def insert_Id_image_Acts) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 392 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 393 | lemma AllowedActs_totalize [simp]: "AllowedActs (totalize F) = AllowedActs F" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 394 | by (simp add: totalize_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 395 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 396 | lemma totalize_constrains_iff [simp]: "(totalize F \<in> A co B) = (F \<in> A co B)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 397 | by (simp add: totalize_def totalize_act_def constrains_def, blast) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 398 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 399 | lemma totalize_stable_iff [simp]: "(totalize F \<in> stable A) = (F \<in> stable A)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 400 | by (simp add: stable_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 401 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 402 | lemma totalize_invariant_iff [simp]: | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 403 | "(totalize F \<in> invariant A) = (F \<in> invariant A)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 404 | by (simp add: invariant_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 405 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 406 | lemma all_total_totalize: "all_total (totalize F)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 407 | by (simp add: totalize_def all_total_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 408 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 409 | lemma Domain_iff_totalize_act: "(Domain act = UNIV) = (totalize_act act = act)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 410 | by (force simp add: totalize_act_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 411 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 412 | lemma all_total_imp_totalize: "all_total F ==> (totalize F = F)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 413 | apply (simp add: all_total_def totalize_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 414 | apply (rule program_equalityI) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 415 | apply (simp_all add: Domain_iff_totalize_act image_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 416 | done | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 417 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 418 | lemma all_total_iff_totalize: "all_total F = (totalize F = F)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 419 | apply (rule iffI) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 420 | apply (erule all_total_imp_totalize) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 421 | apply (erule subst) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 422 | apply (rule all_total_totalize) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 423 | done | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 424 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 425 | lemma mk_total_program_constrains_iff [simp]: | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 426 | "(mk_total_program args \<in> A co B) = (mk_program args \<in> A co B)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 427 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 428 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 429 | |
| 63146 | 430 | subsection\<open>Rules for Lazy Definition Expansion\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 431 | |
| 63146 | 432 | text\<open>They avoid expanding the full program, which is a large expression\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 433 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 434 | lemma def_prg_Init: | 
| 36866 | 435 | "F = mk_total_program (init,acts,allowed) ==> Init F = init" | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 436 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 437 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 438 | lemma def_prg_Acts: | 
| 36866 | 439 | "F = mk_total_program (init,acts,allowed) | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 440 | ==> Acts F = insert Id (totalize_act ` acts)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 441 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 442 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 443 | lemma def_prg_AllowedActs: | 
| 36866 | 444 | "F = mk_total_program (init,acts,allowed) | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 445 | ==> AllowedActs F = insert Id allowed" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 446 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 447 | |
| 63146 | 448 | text\<open>An action is expanded if a pair of states is being tested against it\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 449 | lemma def_act_simp: | 
| 36866 | 450 |      "act = {(s,s'). P s s'} ==> ((s,s') \<in> act) = P s s'"
 | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 451 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 452 | |
| 63146 | 453 | text\<open>A set is expanded only if an element is being tested against it\<close> | 
| 36866 | 454 | lemma def_set_simp: "A = B ==> (x \<in> A) = (x \<in> B)" | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 455 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 456 | |
| 63146 | 457 | subsubsection\<open>Inspectors for type "program"\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 458 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 459 | lemma Init_total_eq [simp]: | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 460 | "Init (mk_total_program (init,acts,allowed)) = init" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 461 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 462 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 463 | lemma Acts_total_eq [simp]: | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 464 | "Acts(mk_total_program(init,acts,allowed)) = insert Id (totalize_act`acts)" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 465 | by (simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 466 | |
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 467 | lemma AllowedActs_total_eq [simp]: | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 468 | "AllowedActs (mk_total_program (init,acts,allowed)) = insert Id allowed" | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 469 | by (auto simp add: mk_total_program_def) | 
| 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 470 | |
| 4776 | 471 | end |