| author | wenzelm | 
| Thu, 13 Mar 2025 11:19:27 +0100 | |
| changeset 82266 | cca7113dcafc | 
| parent 80914 | d97fdabd9e2b | 
| permissions | -rw-r--r-- | 
| 37936 | 1 | (* Title: HOL/UNITY/SubstAx.thy | 
| 4776 | 2 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory | 
| 3 | Copyright 1998 University of Cambridge | |
| 4 | ||
| 6536 | 5 | Weak LeadsTo relation (restricted to the set of reachable states) | 
| 4776 | 6 | *) | 
| 7 | ||
| 63146 | 8 | section\<open>Weak Progress\<close> | 
| 13798 | 9 | |
| 16417 | 10 | theory SubstAx imports WFair Constrains begin | 
| 4776 | 11 | |
| 80914 
d97fdabd9e2b
standardize mixfix annotations via "isabelle update -a -u mixfix_cartouches" --- to simplify systematic editing;
 wenzelm parents: 
67613diff
changeset | 12 | definition Ensures :: "['a set, 'a set] => 'a program set" (infixl \<open>Ensures\<close> 60) where | 
| 13805 | 13 |     "A Ensures B == {F. F \<in> (reachable F \<inter> A) ensures B}"
 | 
| 8122 
b43ad07660b9
working version, with Alloc now working on the same state space as the whole
 paulson parents: 
8041diff
changeset | 14 | |
| 80914 
d97fdabd9e2b
standardize mixfix annotations via "isabelle update -a -u mixfix_cartouches" --- to simplify systematic editing;
 wenzelm parents: 
67613diff
changeset | 15 | definition LeadsTo :: "['a set, 'a set] => 'a program set" (infixl \<open>LeadsTo\<close> 60) where | 
| 13805 | 16 |     "A LeadsTo B == {F. F \<in> (reachable F \<inter> A) leadsTo B}"
 | 
| 4776 | 17 | |
| 80914 
d97fdabd9e2b
standardize mixfix annotations via "isabelle update -a -u mixfix_cartouches" --- to simplify systematic editing;
 wenzelm parents: 
67613diff
changeset | 18 | notation LeadsTo (infixl \<open>\<longmapsto>w\<close> 60) | 
| 13796 | 19 | |
| 20 | ||
| 63146 | 21 | text\<open>Resembles the previous definition of LeadsTo\<close> | 
| 13796 | 22 | lemma LeadsTo_eq_leadsTo: | 
| 13805 | 23 |      "A LeadsTo B = {F. F \<in> (reachable F \<inter> A) leadsTo (reachable F \<inter> B)}"
 | 
| 13796 | 24 | apply (unfold LeadsTo_def) | 
| 25 | apply (blast dest: psp_stable2 intro: leadsTo_weaken) | |
| 26 | done | |
| 27 | ||
| 28 | ||
| 63146 | 29 | subsection\<open>Specialized laws for handling invariants\<close> | 
| 13796 | 30 | |
| 31 | (** Conjoining an Always property **) | |
| 32 | ||
| 33 | lemma Always_LeadsTo_pre: | |
| 13805 | 34 | "F \<in> Always INV ==> (F \<in> (INV \<inter> A) LeadsTo A') = (F \<in> A LeadsTo A')" | 
| 35 | by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 | |
| 36 | Int_assoc [symmetric]) | |
| 13796 | 37 | |
| 38 | lemma Always_LeadsTo_post: | |
| 13805 | 39 | "F \<in> Always INV ==> (F \<in> A LeadsTo (INV \<inter> A')) = (F \<in> A LeadsTo A')" | 
| 40 | by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2 | |
| 41 | Int_assoc [symmetric]) | |
| 13796 | 42 | |
| 13805 | 43 | (* [| F \<in> Always C; F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *) | 
| 45605 | 44 | lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1] | 
| 13796 | 45 | |
| 13805 | 46 | (* [| F \<in> Always INV; F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *) | 
| 45605 | 47 | lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2] | 
| 13796 | 48 | |
| 49 | ||
| 63146 | 50 | subsection\<open>Introduction rules: Basis, Trans, Union\<close> | 
| 13796 | 51 | |
| 13805 | 52 | lemma leadsTo_imp_LeadsTo: "F \<in> A leadsTo B ==> F \<in> A LeadsTo B" | 
| 13796 | 53 | apply (simp add: LeadsTo_def) | 
| 54 | apply (blast intro: leadsTo_weaken_L) | |
| 55 | done | |
| 56 | ||
| 57 | lemma LeadsTo_Trans: | |
| 13805 | 58 | "[| F \<in> A LeadsTo B; F \<in> B LeadsTo C |] ==> F \<in> A LeadsTo C" | 
| 13796 | 59 | apply (simp add: LeadsTo_eq_leadsTo) | 
| 60 | apply (blast intro: leadsTo_Trans) | |
| 61 | done | |
| 62 | ||
| 63 | lemma LeadsTo_Union: | |
| 61952 | 64 | "(!!A. A \<in> S ==> F \<in> A LeadsTo B) ==> F \<in> (\<Union>S) LeadsTo B" | 
| 13796 | 65 | apply (simp add: LeadsTo_def) | 
| 66 | apply (subst Int_Union) | |
| 67 | apply (blast intro: leadsTo_UN) | |
| 68 | done | |
| 69 | ||
| 70 | ||
| 63146 | 71 | subsection\<open>Derived rules\<close> | 
| 13796 | 72 | |
| 13805 | 73 | lemma LeadsTo_UNIV [simp]: "F \<in> A LeadsTo UNIV" | 
| 13796 | 74 | by (simp add: LeadsTo_def) | 
| 75 | ||
| 63146 | 76 | text\<open>Useful with cancellation, disjunction\<close> | 
| 13796 | 77 | lemma LeadsTo_Un_duplicate: | 
| 13805 | 78 | "F \<in> A LeadsTo (A' \<union> A') ==> F \<in> A LeadsTo A'" | 
| 13796 | 79 | by (simp add: Un_ac) | 
| 80 | ||
| 81 | lemma LeadsTo_Un_duplicate2: | |
| 13805 | 82 | "F \<in> A LeadsTo (A' \<union> C \<union> C) ==> F \<in> A LeadsTo (A' \<union> C)" | 
| 13796 | 83 | by (simp add: Un_ac) | 
| 84 | ||
| 85 | lemma LeadsTo_UN: | |
| 13805 | 86 | "(!!i. i \<in> I ==> F \<in> (A i) LeadsTo B) ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo B" | 
| 13796 | 87 | apply (blast intro: LeadsTo_Union) | 
| 88 | done | |
| 89 | ||
| 63146 | 90 | text\<open>Binary union introduction rule\<close> | 
| 13796 | 91 | lemma LeadsTo_Un: | 
| 13805 | 92 | "[| F \<in> A LeadsTo C; F \<in> B LeadsTo C |] ==> F \<in> (A \<union> B) LeadsTo C" | 
| 44106 | 93 |   using LeadsTo_UN [of "{A, B}" F id C] by auto
 | 
| 13796 | 94 | |
| 63146 | 95 | text\<open>Lets us look at the starting state\<close> | 
| 13796 | 96 | lemma single_LeadsTo_I: | 
| 13805 | 97 |      "(!!s. s \<in> A ==> F \<in> {s} LeadsTo B) ==> F \<in> A LeadsTo B"
 | 
| 13796 | 98 | by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast) | 
| 99 | ||
| 13805 | 100 | lemma subset_imp_LeadsTo: "A \<subseteq> B ==> F \<in> A LeadsTo B" | 
| 13796 | 101 | apply (simp add: LeadsTo_def) | 
| 102 | apply (blast intro: subset_imp_leadsTo) | |
| 103 | done | |
| 104 | ||
| 45605 | 105 | lemmas empty_LeadsTo = empty_subsetI [THEN subset_imp_LeadsTo, simp] | 
| 13796 | 106 | |
| 45477 | 107 | lemma LeadsTo_weaken_R: | 
| 13805 | 108 | "[| F \<in> A LeadsTo A'; A' \<subseteq> B' |] ==> F \<in> A LeadsTo B'" | 
| 109 | apply (simp add: LeadsTo_def) | |
| 13796 | 110 | apply (blast intro: leadsTo_weaken_R) | 
| 111 | done | |
| 112 | ||
| 45477 | 113 | lemma LeadsTo_weaken_L: | 
| 13805 | 114 | "[| F \<in> A LeadsTo A'; B \<subseteq> A |] | 
| 115 | ==> F \<in> B LeadsTo A'" | |
| 116 | apply (simp add: LeadsTo_def) | |
| 13796 | 117 | apply (blast intro: leadsTo_weaken_L) | 
| 118 | done | |
| 119 | ||
| 120 | lemma LeadsTo_weaken: | |
| 13805 | 121 | "[| F \<in> A LeadsTo A'; | 
| 122 | B \<subseteq> A; A' \<subseteq> B' |] | |
| 123 | ==> F \<in> B LeadsTo B'" | |
| 13796 | 124 | by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans) | 
| 125 | ||
| 126 | lemma Always_LeadsTo_weaken: | |
| 13805 | 127 | "[| F \<in> Always C; F \<in> A LeadsTo A'; | 
| 128 | C \<inter> B \<subseteq> A; C \<inter> A' \<subseteq> B' |] | |
| 129 | ==> F \<in> B LeadsTo B'" | |
| 13796 | 130 | by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD) | 
| 131 | ||
| 132 | (** Two theorems for "proof lattices" **) | |
| 133 | ||
| 13805 | 134 | lemma LeadsTo_Un_post: "F \<in> A LeadsTo B ==> F \<in> (A \<union> B) LeadsTo B" | 
| 13796 | 135 | by (blast intro: LeadsTo_Un subset_imp_LeadsTo) | 
| 136 | ||
| 137 | lemma LeadsTo_Trans_Un: | |
| 13805 | 138 | "[| F \<in> A LeadsTo B; F \<in> B LeadsTo C |] | 
| 139 | ==> F \<in> (A \<union> B) LeadsTo C" | |
| 13796 | 140 | by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans) | 
| 141 | ||
| 142 | ||
| 143 | (** Distributive laws **) | |
| 144 | ||
| 145 | lemma LeadsTo_Un_distrib: | |
| 13805 | 146 | "(F \<in> (A \<union> B) LeadsTo C) = (F \<in> A LeadsTo C & F \<in> B LeadsTo C)" | 
| 13796 | 147 | by (blast intro: LeadsTo_Un LeadsTo_weaken_L) | 
| 148 | ||
| 149 | lemma LeadsTo_UN_distrib: | |
| 13805 | 150 | "(F \<in> (\<Union>i \<in> I. A i) LeadsTo B) = (\<forall>i \<in> I. F \<in> (A i) LeadsTo B)" | 
| 13796 | 151 | by (blast intro: LeadsTo_UN LeadsTo_weaken_L) | 
| 152 | ||
| 153 | lemma LeadsTo_Union_distrib: | |
| 61952 | 154 | "(F \<in> (\<Union>S) LeadsTo B) = (\<forall>A \<in> S. F \<in> A LeadsTo B)" | 
| 13796 | 155 | by (blast intro: LeadsTo_Union LeadsTo_weaken_L) | 
| 156 | ||
| 157 | ||
| 158 | (** More rules using the premise "Always INV" **) | |
| 159 | ||
| 13805 | 160 | lemma LeadsTo_Basis: "F \<in> A Ensures B ==> F \<in> A LeadsTo B" | 
| 13796 | 161 | by (simp add: Ensures_def LeadsTo_def leadsTo_Basis) | 
| 162 | ||
| 163 | lemma EnsuresI: | |
| 13805 | 164 | "[| F \<in> (A-B) Co (A \<union> B); F \<in> transient (A-B) |] | 
| 165 | ==> F \<in> A Ensures B" | |
| 13796 | 166 | apply (simp add: Ensures_def Constrains_eq_constrains) | 
| 167 | apply (blast intro: ensuresI constrains_weaken transient_strengthen) | |
| 168 | done | |
| 169 | ||
| 170 | lemma Always_LeadsTo_Basis: | |
| 13805 | 171 | "[| F \<in> Always INV; | 
| 172 | F \<in> (INV \<inter> (A-A')) Co (A \<union> A'); | |
| 173 | F \<in> transient (INV \<inter> (A-A')) |] | |
| 174 | ==> F \<in> A LeadsTo A'" | |
| 13796 | 175 | apply (rule Always_LeadsToI, assumption) | 
| 176 | apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen) | |
| 177 | done | |
| 178 | ||
| 63146 | 179 | text\<open>Set difference: maybe combine with \<open>leadsTo_weaken_L\<close>?? | 
| 180 | This is the most useful form of the "disjunction" rule\<close> | |
| 13796 | 181 | lemma LeadsTo_Diff: | 
| 13805 | 182 | "[| F \<in> (A-B) LeadsTo C; F \<in> (A \<inter> B) LeadsTo C |] | 
| 183 | ==> F \<in> A LeadsTo C" | |
| 13796 | 184 | by (blast intro: LeadsTo_Un LeadsTo_weaken) | 
| 185 | ||
| 186 | ||
| 187 | lemma LeadsTo_UN_UN: | |
| 13805 | 188 | "(!! i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i)) | 
| 189 | ==> F \<in> (\<Union>i \<in> I. A i) LeadsTo (\<Union>i \<in> I. A' i)" | |
| 13796 | 190 | apply (blast intro: LeadsTo_Union LeadsTo_weaken_R) | 
| 191 | done | |
| 192 | ||
| 193 | ||
| 63146 | 194 | text\<open>Version with no index set\<close> | 
| 13796 | 195 | lemma LeadsTo_UN_UN_noindex: | 
| 13805 | 196 | "(!!i. F \<in> (A i) LeadsTo (A' i)) ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)" | 
| 13796 | 197 | by (blast intro: LeadsTo_UN_UN) | 
| 198 | ||
| 63146 | 199 | text\<open>Version with no index set\<close> | 
| 13796 | 200 | lemma all_LeadsTo_UN_UN: | 
| 13805 | 201 | "\<forall>i. F \<in> (A i) LeadsTo (A' i) | 
| 202 | ==> F \<in> (\<Union>i. A i) LeadsTo (\<Union>i. A' i)" | |
| 13796 | 203 | by (blast intro: LeadsTo_UN_UN) | 
| 204 | ||
| 63146 | 205 | text\<open>Binary union version\<close> | 
| 13796 | 206 | lemma LeadsTo_Un_Un: | 
| 13805 | 207 | "[| F \<in> A LeadsTo A'; F \<in> B LeadsTo B' |] | 
| 208 | ==> F \<in> (A \<union> B) LeadsTo (A' \<union> B')" | |
| 13796 | 209 | by (blast intro: LeadsTo_Un LeadsTo_weaken_R) | 
| 210 | ||
| 211 | ||
| 212 | (** The cancellation law **) | |
| 213 | ||
| 214 | lemma LeadsTo_cancel2: | |
| 13805 | 215 | "[| F \<in> A LeadsTo (A' \<union> B); F \<in> B LeadsTo B' |] | 
| 216 | ==> F \<in> A LeadsTo (A' \<union> B')" | |
| 13796 | 217 | by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans) | 
| 218 | ||
| 219 | lemma LeadsTo_cancel_Diff2: | |
| 13805 | 220 | "[| F \<in> A LeadsTo (A' \<union> B); F \<in> (B-A') LeadsTo B' |] | 
| 221 | ==> F \<in> A LeadsTo (A' \<union> B')" | |
| 13796 | 222 | apply (rule LeadsTo_cancel2) | 
| 223 | prefer 2 apply assumption | |
| 224 | apply (simp_all (no_asm_simp)) | |
| 225 | done | |
| 226 | ||
| 227 | lemma LeadsTo_cancel1: | |
| 13805 | 228 | "[| F \<in> A LeadsTo (B \<union> A'); F \<in> B LeadsTo B' |] | 
| 229 | ==> F \<in> A LeadsTo (B' \<union> A')" | |
| 13796 | 230 | apply (simp add: Un_commute) | 
| 231 | apply (blast intro!: LeadsTo_cancel2) | |
| 232 | done | |
| 233 | ||
| 234 | lemma LeadsTo_cancel_Diff1: | |
| 13805 | 235 | "[| F \<in> A LeadsTo (B \<union> A'); F \<in> (B-A') LeadsTo B' |] | 
| 236 | ==> F \<in> A LeadsTo (B' \<union> A')" | |
| 13796 | 237 | apply (rule LeadsTo_cancel1) | 
| 238 | prefer 2 apply assumption | |
| 239 | apply (simp_all (no_asm_simp)) | |
| 240 | done | |
| 241 | ||
| 242 | ||
| 63146 | 243 | text\<open>The impossibility law\<close> | 
| 13796 | 244 | |
| 63146 | 245 | text\<open>The set "A" may be non-empty, but it contains no reachable states\<close> | 
| 13812 
91713a1915ee
converting HOL/UNITY to use unconditional fairness
 paulson parents: 
13805diff
changeset | 246 | lemma LeadsTo_empty: "[|F \<in> A LeadsTo {}; all_total F|] ==> F \<in> Always (-A)"
 | 
| 13805 | 247 | apply (simp add: LeadsTo_def Always_eq_includes_reachable) | 
| 13796 | 248 | apply (drule leadsTo_empty, auto) | 
| 249 | done | |
| 250 | ||
| 251 | ||
| 63146 | 252 | subsection\<open>PSP: Progress-Safety-Progress\<close> | 
| 13796 | 253 | |
| 63146 | 254 | text\<open>Special case of PSP: Misra's "stable conjunction"\<close> | 
| 13796 | 255 | lemma PSP_Stable: | 
| 13805 | 256 | "[| F \<in> A LeadsTo A'; F \<in> Stable B |] | 
| 257 | ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B)" | |
| 258 | apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable) | |
| 13796 | 259 | apply (drule psp_stable, assumption) | 
| 260 | apply (simp add: Int_ac) | |
| 261 | done | |
| 262 | ||
| 263 | lemma PSP_Stable2: | |
| 13805 | 264 | "[| F \<in> A LeadsTo A'; F \<in> Stable B |] | 
| 265 | ==> F \<in> (B \<inter> A) LeadsTo (B \<inter> A')" | |
| 13796 | 266 | by (simp add: PSP_Stable Int_ac) | 
| 267 | ||
| 268 | lemma PSP: | |
| 13805 | 269 | "[| F \<in> A LeadsTo A'; F \<in> B Co B' |] | 
| 270 | ==> F \<in> (A \<inter> B') LeadsTo ((A' \<inter> B) \<union> (B' - B))" | |
| 271 | apply (simp add: LeadsTo_def Constrains_eq_constrains) | |
| 13796 | 272 | apply (blast dest: psp intro: leadsTo_weaken) | 
| 273 | done | |
| 274 | ||
| 275 | lemma PSP2: | |
| 13805 | 276 | "[| F \<in> A LeadsTo A'; F \<in> B Co B' |] | 
| 277 | ==> F \<in> (B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))" | |
| 13796 | 278 | by (simp add: PSP Int_ac) | 
| 279 | ||
| 280 | lemma PSP_Unless: | |
| 13805 | 281 | "[| F \<in> A LeadsTo A'; F \<in> B Unless B' |] | 
| 282 | ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')" | |
| 13796 | 283 | apply (unfold Unless_def) | 
| 284 | apply (drule PSP, assumption) | |
| 285 | apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo) | |
| 286 | done | |
| 287 | ||
| 288 | ||
| 289 | lemma Stable_transient_Always_LeadsTo: | |
| 13805 | 290 | "[| F \<in> Stable A; F \<in> transient C; | 
| 291 | F \<in> Always (-A \<union> B \<union> C) |] ==> F \<in> A LeadsTo B" | |
| 13796 | 292 | apply (erule Always_LeadsTo_weaken) | 
| 293 | apply (rule LeadsTo_Diff) | |
| 294 | prefer 2 | |
| 295 | apply (erule | |
| 296 | transient_imp_leadsTo [THEN leadsTo_imp_LeadsTo, THEN PSP_Stable2]) | |
| 297 | apply (blast intro: subset_imp_LeadsTo)+ | |
| 298 | done | |
| 299 | ||
| 300 | ||
| 63146 | 301 | subsection\<open>Induction rules\<close> | 
| 13796 | 302 | |
| 303 | (** Meta or object quantifier ????? **) | |
| 304 | lemma LeadsTo_wf_induct: | |
| 305 | "[| wf r; | |
| 13805 | 306 |          \<forall>m. F \<in> (A \<inter> f-`{m}) LeadsTo                      
 | 
| 67613 | 307 |                     ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |]  
 | 
| 13805 | 308 | ==> F \<in> A LeadsTo B" | 
| 309 | apply (simp add: LeadsTo_eq_leadsTo) | |
| 13796 | 310 | apply (erule leadsTo_wf_induct) | 
| 311 | apply (blast intro: leadsTo_weaken) | |
| 312 | done | |
| 313 | ||
| 314 | ||
| 315 | lemma Bounded_induct: | |
| 316 | "[| wf r; | |
| 13805 | 317 |          \<forall>m \<in> I. F \<in> (A \<inter> f-`{m}) LeadsTo                    
 | 
| 67613 | 318 |                       ((A \<inter> f-`(r\<inverse> `` {m})) \<union> B) |]  
 | 
| 13805 | 319 | ==> F \<in> A LeadsTo ((A - (f-`I)) \<union> B)" | 
| 13796 | 320 | apply (erule LeadsTo_wf_induct, safe) | 
| 13805 | 321 | apply (case_tac "m \<in> I") | 
| 13796 | 322 | apply (blast intro: LeadsTo_weaken) | 
| 323 | apply (blast intro: subset_imp_LeadsTo) | |
| 324 | done | |
| 325 | ||
| 326 | ||
| 327 | lemma LessThan_induct: | |
| 13805 | 328 |      "(!!m::nat. F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B))
 | 
| 329 | ==> F \<in> A LeadsTo B" | |
| 330 | by (rule wf_less_than [THEN LeadsTo_wf_induct], auto) | |
| 13796 | 331 | |
| 63146 | 332 | text\<open>Integer version. Could generalize from 0 to any lower bound\<close> | 
| 13796 | 333 | lemma integ_0_le_induct: | 
| 13805 | 334 |      "[| F \<in> Always {s. (0::int) \<le> f s};   
 | 
| 335 |          !! z. F \<in> (A \<inter> {s. f s = z}) LeadsTo                      
 | |
| 336 |                    ((A \<inter> {s. f s < z}) \<union> B) |]  
 | |
| 337 | ==> F \<in> A LeadsTo B" | |
| 13796 | 338 | apply (rule_tac f = "nat o f" in LessThan_induct) | 
| 339 | apply (simp add: vimage_def) | |
| 340 | apply (rule Always_LeadsTo_weaken, assumption+) | |
| 341 | apply (auto simp add: nat_eq_iff nat_less_iff) | |
| 342 | done | |
| 343 | ||
| 344 | lemma LessThan_bounded_induct: | |
| 13805 | 345 | "!!l::nat. \<forall>m \<in> greaterThan l. | 
| 346 |                    F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(lessThan m)) \<union> B)
 | |
| 347 | ==> F \<in> A LeadsTo ((A \<inter> (f-`(atMost l))) \<union> B)" | |
| 348 | apply (simp only: Diff_eq [symmetric] vimage_Compl | |
| 349 | Compl_greaterThan [symmetric]) | |
| 350 | apply (rule wf_less_than [THEN Bounded_induct], simp) | |
| 13796 | 351 | done | 
| 352 | ||
| 353 | lemma GreaterThan_bounded_induct: | |
| 13805 | 354 | "!!l::nat. \<forall>m \<in> lessThan l. | 
| 355 |                  F \<in> (A \<inter> f-`{m}) LeadsTo ((A \<inter> f-`(greaterThan m)) \<union> B)
 | |
| 356 | ==> F \<in> A LeadsTo ((A \<inter> (f-`(atLeast l))) \<union> B)" | |
| 13796 | 357 | apply (rule_tac f = f and f1 = "%k. l - k" | 
| 358 | in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct]) | |
| 19769 
c40ce2de2020
Added [simp]-lemmas "in_inv_image" and "in_lex_prod" in the spirit of "in_measure".
 krauss parents: 
16417diff
changeset | 359 | apply (simp add: Image_singleton, clarify) | 
| 13796 | 360 | apply (case_tac "m<l") | 
| 13805 | 361 | apply (blast intro: LeadsTo_weaken_R diff_less_mono2) | 
| 61824 
dcbe9f756ae0
not_leE -> not_le_imp_less and other tidying
 paulson <lp15@cam.ac.uk> parents: 
60773diff
changeset | 362 | apply (blast intro: not_le_imp_less subset_imp_LeadsTo) | 
| 13796 | 363 | done | 
| 364 | ||
| 365 | ||
| 63146 | 366 | subsection\<open>Completion: Binary and General Finite versions\<close> | 
| 13796 | 367 | |
| 368 | lemma Completion: | |
| 13805 | 369 | "[| F \<in> A LeadsTo (A' \<union> C); F \<in> A' Co (A' \<union> C); | 
| 370 | F \<in> B LeadsTo (B' \<union> C); F \<in> B' Co (B' \<union> C) |] | |
| 371 | ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)" | |
| 372 | apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib) | |
| 13796 | 373 | apply (blast intro: completion leadsTo_weaken) | 
| 374 | done | |
| 375 | ||
| 376 | lemma Finite_completion_lemma: | |
| 377 | "finite I | |
| 13805 | 378 | ==> (\<forall>i \<in> I. F \<in> (A i) LeadsTo (A' i \<union> C)) --> | 
| 379 | (\<forall>i \<in> I. F \<in> (A' i) Co (A' i \<union> C)) --> | |
| 380 | F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" | |
| 13796 | 381 | apply (erule finite_induct, auto) | 
| 382 | apply (rule Completion) | |
| 383 | prefer 4 | |
| 384 | apply (simp only: INT_simps [symmetric]) | |
| 385 | apply (rule Constrains_INT, auto) | |
| 386 | done | |
| 387 | ||
| 388 | lemma Finite_completion: | |
| 389 | "[| finite I; | |
| 13805 | 390 | !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i \<union> C); | 
| 391 | !!i. i \<in> I ==> F \<in> (A' i) Co (A' i \<union> C) |] | |
| 392 | ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo ((\<Inter>i \<in> I. A' i) \<union> C)" | |
| 13796 | 393 | by (blast intro: Finite_completion_lemma [THEN mp, THEN mp]) | 
| 394 | ||
| 395 | lemma Stable_completion: | |
| 13805 | 396 | "[| F \<in> A LeadsTo A'; F \<in> Stable A'; | 
| 397 | F \<in> B LeadsTo B'; F \<in> Stable B' |] | |
| 398 | ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')" | |
| 13796 | 399 | apply (unfold Stable_def) | 
| 400 | apply (rule_tac C1 = "{}" in Completion [THEN LeadsTo_weaken_R])
 | |
| 401 | apply (force+) | |
| 402 | done | |
| 403 | ||
| 404 | lemma Finite_stable_completion: | |
| 405 | "[| finite I; | |
| 13805 | 406 | !!i. i \<in> I ==> F \<in> (A i) LeadsTo (A' i); | 
| 407 | !!i. i \<in> I ==> F \<in> Stable (A' i) |] | |
| 408 | ==> F \<in> (\<Inter>i \<in> I. A i) LeadsTo (\<Inter>i \<in> I. A' i)" | |
| 13796 | 409 | apply (unfold Stable_def) | 
| 410 | apply (rule_tac C1 = "{}" in Finite_completion [THEN LeadsTo_weaken_R])
 | |
| 13805 | 411 | apply (simp_all, blast+) | 
| 13796 | 412 | done | 
| 413 | ||
| 4776 | 414 | end |