(*  Title:      HOL/UNITY/Comp.thy
    ID:         $Id$
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
    Copyright   1998  University of Cambridge

Composition
From Chandy and Sanders, "Reasoning About Program Composition",
Technical Report 2000-003, University of Florida, 2000.

Revised by Sidi Ehmety in January 2001

Added: a strong form of the <= relation (component_of) and localize

*)
(* Comp extends Union; Join, SKIP, ok, JOIN and the program record (Init,
   Acts, AllowedActs) are used below but defined there, not in this file. *)
theory Comp = Union:

(* Declare 'a program an instance of ord so that <= and < can be given the
   component meaning in the "defs" section that follows. *)
instance program :: (type) ord ..
defs
  (* F <= H: F is a component of H, i.e. some G joined onto F yields H
     exactly.  No compatibility (ok) requirement on the witness G here;
     compare component_of below. *)
  component_def:        "F <= H == EX G. F Join G = H"
  (* F < H: F is a proper component of H. *)
  strict_component_def: "(F < (H::'a program)) == (F <= H & F ~= H)"
constdefs
  (* component_of: a stronger form of <= in which the witness G must also
     be compatible with F (F ok G).  The ok relation comes from Union and
     is not visible here. *)
  component_of :: "'a program=>'a program=> bool"
                   (infixl "component'_of" 50)
   "F component_of H == EX G. F ok G & F Join G = H"

  strict_component_of :: "'a program\<Rightarrow>'a program=> bool"
                   (infixl "strict'_component'_of" 50)
   "F strict_component_of H == F component_of H & F~=H"

  (* preserves v: programs for which every level set {s. v s = z} of v is
     stable, i.e. (see preserves_imp_eq below) no action changes v. *)
  preserves :: "('a=>'b) => 'a program set"
    "preserves v == INT z. stable {s. v s = z}"

  (* localize v F: F with the same Init and Acts, but with AllowedActs cut
     down to actions of programs that preserve v.  This is how a component
     records that its environment must leave v alone; how AllowedActs is
     enforced (presumably via ok) lives in Union/Guar, not here. *)
  localize :: "('a=>'b) => 'a program => 'a program"
    "localize v F == mk_program(Init F, Acts F,
                               AllowedActs F Int (UN G:preserves v. Acts G))"

  (* funPair f g: apply f and g to the same argument and pair the results. *)
  funPair :: "['a => 'b, 'a => 'c, 'a] => 'b * 'c"
    "funPair f g == %x. (f x, g x)"
(*** component <= ***)

(* Introduction: a component of either operand is a component of the Join. *)
lemma componentI:
     "H <= F | H <= G ==> H <= (F Join G)"
apply (unfold component_def, auto)
apply (rule_tac x = "G Join Ga" in exI)
apply (rule_tac [2] x = "G Join F" in exI)
apply (auto simp add: Join_ac)
done

(* Field-wise characterisation of <=: a component may start from a larger
   initial set, has a subset of the actions, and a superset of the allowed
   actions.  This is the workhorse used by most proofs below. *)
lemma component_eq_subset:
     "(F <= G) =
      (Init G <= Init F & Acts F <= Acts G & AllowedActs G <= AllowedActs F)"
apply (unfold component_def)
apply (force intro!: exI program_equalityI)
done

(* SKIP is a component of everything, and <= is reflexive. *)
lemma component_SKIP [iff]: "SKIP <= F"
apply (unfold component_def)
apply (force intro: Join_SKIP_left)
done

lemma component_refl [iff]: "F <= (F :: 'a program)"
apply (unfold component_def)
apply (blast intro: Join_SKIP_right)
done

(* SKIP is the least program: it has no component other than itself. *)
lemma SKIP_minimal: "F <= SKIP ==> F = SKIP"
by (auto intro!: program_equalityI simp add: component_eq_subset)

(* Both operands of a Join are components of it. *)
lemma component_Join1: "F <= (F Join G)"
by (unfold component_def, blast)

lemma component_Join2: "G <= (F Join G)"
apply (unfold component_def)
apply (simp (no_asm) add: Join_commute)
apply blast
done

(* Joining a program with one of its own components is absorbed. *)
lemma Join_absorb1: "F<=G ==> F Join G = G"
by (auto simp add: component_def Join_left_absorb)

lemma Join_absorb2: "G<=F ==> F Join G = F"
by (auto simp add: Join_ac component_def)

(* Family joins: JOIN I F is a component of H iff every member is, and
   every member is a component of the family join. *)
lemma JN_component_iff: "((JOIN I F) <= H) = (ALL i: I. F i <= H)"
apply (simp (no_asm) add: component_eq_subset)
apply blast
done

lemma component_JN: "i : I ==> (F i) <= (JN i:I. (F i))"
apply (unfold component_def)
apply (blast intro: JN_absorb)
done

(* Transitivity and antisymmetry; with component_refl these make <= a
   partial order on programs (used in Guar.thy, see program_less_le). *)
lemma component_trans: "[| F <= G; G <= H |] ==> F <= (H :: 'a program)"
apply (unfold component_def)
apply (blast intro: Join_assoc [symmetric])
done

lemma component_antisym: "[| F <= G; G <= F |] ==> F = (G :: 'a program)"
apply (simp (no_asm_use) add: component_eq_subset)
apply (blast intro!: program_equalityI)
done

lemma Join_component_iff: "((F Join G) <= H) = (F <= H & G <= H)"
apply (simp (no_asm) add: component_eq_subset)
apply blast
done

(* Safety (co) properties pass down to components: by component_eq_subset a
   component has no more actions than the whole, so anything the whole's
   actions respect, the component's do too. *)
lemma component_constrains: "[| F <= G; G : A co B |] ==> F : A co B"
by (auto simp add: constrains_def component_eq_subset)

(*Used in Guar.thy to show that programs are partially ordered*)
lemmas program_less_le = strict_component_def [THEN meta_eq_to_obj_eq]
(*** preserves ***)

(* To show F preserves v it suffices to show each level set of v is stable. *)
lemma preservesI: "(!!z. F : stable {s. v s = z}) ==> F : preserves v"
by (unfold preserves_def, blast)

(* Operational reading of preserves: no action of F changes the value of v. *)
lemma preserves_imp_eq:
     "[| F : preserves v; act : Acts F; (s,s') : act |] ==> v s = v s'"
apply (unfold preserves_def stable_def constrains_def, force)
done

(* preserves v is closed under Join and JOIN, and SKIP always preserves. *)
lemma Join_preserves [iff]:
     "(F Join G : preserves v) = (F : preserves v & G : preserves v)"
apply (unfold preserves_def, auto)
done

lemma JN_preserves [iff]:
     "(JOIN I F : preserves v) = (ALL i:I. F i : preserves v)"
apply (simp (no_asm) add: JN_stable preserves_def)
apply blast
done

lemma SKIP_preserves [iff]: "SKIP : preserves v"
by (auto simp add: preserves_def)

lemma funPair_apply [simp]: "(funPair f g) x = (f x, g x)"
by (simp add: funPair_def)

(* Preserving a pair of variables is the same as preserving each one. *)
lemma preserves_funPair: "preserves (funPair v w) = preserves v Int preserves w"
by (auto simp add: preserves_def stable_def constrains_def, blast)

(* (F : preserves (funPair v w)) = (F : preserves v Int preserves w) *)
declare preserves_funPair [THEN eqset_imp_iff, iff]


(* funPair interacts as expected with composition and the projections. *)
lemma funPair_o_distrib: "(funPair f g) o h = funPair (f o h) (g o h)"
apply (simp (no_asm) add: funPair_def o_def)
done

lemma fst_o_funPair [simp]: "fst o (funPair f g) = f"
apply (simp (no_asm) add: funPair_def o_def)
done

lemma snd_o_funPair [simp]: "snd o (funPair f g) = g"
apply (simp (no_asm) add: funPair_def o_def)
done

(* Preserving v preserves anything computed from v. *)
lemma subset_preserves_o: "preserves v <= preserves (w o v)"
by (force simp add: preserves_def stable_def constrains_def)

(* Every predicate on v is stable for a program that preserves v.  The
   subgoal v s = v s' is exactly preserves_imp_eq, discharged by force. *)
lemma preserves_subset_stable: "preserves v <= stable {s. P (v s)}"
apply (auto simp add: preserves_def stable_def constrains_def)
apply (rename_tac s' s)
apply (subgoal_tac "v s = v s'")
apply (force+)
done

lemma preserves_subset_increasing: "preserves v <= increasing v"
by (auto simp add: preserves_subset_stable [THEN subsetD] increasing_def)

(* A program preserving the entire state (id) leaves every set stable. *)
lemma preserves_id_subset_stable: "preserves id <= stable A"
by (force simp add: preserves_def stable_def constrains_def)


(** For use with def_UNION_ok_iff **)

(* preserves v is a safety property, being an intersection of stable sets. *)
lemma safety_prop_preserves [iff]: "safety_prop (preserves v)"
by (auto intro: safety_prop_INTER1 simp add: preserves_def)
(** Some lemmas used only in Client.ML **)

(* A predicate over v and w that is stable for F stays stable when F is
   joined with any G preserving both v and w: by preserves_funPair G
   preserves the pair, and preserves_subset_stable then gives stability. *)
lemma stable_localTo_stable2:
     "[| F : stable {s. P (v s) (w s)};
         G : preserves v;  G : preserves w |]
      ==> F Join G : stable {s. P (v s) (w s)}"
apply (simp (no_asm_simp))
apply (subgoal_tac "G: preserves (funPair v w) ")
 prefer 2 apply simp
apply (drule_tac P1 = "split ?Q" in preserves_subset_stable [THEN subsetD], auto)
done

(* If F keeps v <= w stable, G preserves v, and F Join G is Increasing in w
   (presumably: w never decreases; defined in Union), then v <= w is a
   Stable property of the composite.  The F-actions are handled by
   constrains_weaken; the remaining G case uses that G fixes v and that w
   can only grow, closing with order_trans. *)
lemma Increasing_preserves_Stable:
     "[| F : stable {s. v s <= w s};  G : preserves v;
         F Join G : Increasing w |]
      ==> F Join G : Stable {s. v s <= w s}"
apply (auto simp add: stable_def Stable_def Increasing_def Constrains_def all_conj_distrib)
apply (blast intro: constrains_weaken)
(*The G case remains*)
apply (auto simp add: preserves_def stable_def constrains_def)
apply (case_tac "act: Acts F", blast)
(*We have a G-action, so delete assumptions about F-actions*)
apply (erule_tac V = "ALL act:Acts F. ?P act" in thin_rl)
apply (erule_tac V = "ALL z. ALL act:Acts F. ?P z act" in thin_rl)
apply (subgoal_tac "v x = v xa")
 prefer 2 apply blast
apply auto
apply (erule order_trans, blast)
done
(** component_of **)

(* component_of is stronger than <= *)
lemma component_of_imp_component: "F component_of H ==> F <= H"
by (unfold component_def component_of_def, blast)


(* component_of satisfies many of the <='s properties *)
(* Reflexive, with SKIP as the compatible witness. *)
lemma component_of_refl [simp]: "F component_of F"
apply (unfold component_of_def)
apply (rule_tac x = SKIP in exI, auto)
done

lemma component_of_SKIP [simp]: "SKIP component_of F"
by (unfold component_of_def, auto)

(* Transitive, as for <= (component_trans).  Antisymmetry is not stated
   here but follows from component_of_imp_component and component_antisym. *)
lemma component_of_trans:
     "[| F component_of G; G component_of H |] ==> F component_of H"
apply (unfold component_of_def)
apply (blast intro: Join_assoc [symmetric])
done

(* Object-level equality form of strict_component_of_def. *)
lemmas strict_component_of_eq =
       strict_component_of_def [THEN meta_eq_to_obj_eq, standard]
(** localize **)

(* localize touches only AllowedActs: Init and Acts are left unchanged. *)
lemma localize_Init_eq [simp]: "Init (localize v F) = Init F"
apply (unfold localize_def)
apply (simp (no_asm))
done

lemma localize_Acts_eq [simp]: "Acts (localize v F) = Acts F"
apply (unfold localize_def)
apply (simp (no_asm))
done

(* The allowed actions of localize v F are those of F that also belong to
   some program preserving v, i.e. environments that may modify v are
   ruled out. *)
lemma localize_AllowedActs_eq [simp]:
     "AllowedActs (localize v F) = AllowedActs F Int (UN G:(preserves v). Acts G)"
apply (unfold localize_def, auto)
done

end