118 "[| projecting C h F X' X; U'<=X' |] ==> projecting C h F U' X"; |
118 "[| projecting C h F X' X; U'<=X' |] ==> projecting C h F U' X"; |
119 by Auto_tac; |
119 by Auto_tac; |
120 qed "projecting_weaken_L"; |
120 qed "projecting_weaken_L"; |
121 |
121 |
122 Goalw [extending_def] |
122 Goalw [extending_def] |
123 "[| extending v C h F YA' YA; extending v C h F YB' YB |] \ |
123 "[| extending C h F YA' YA; extending C h F YB' YB |] \ |
124 \ ==> extending v C h F (YA' Int YB') (YA Int YB)"; |
124 \ ==> extending C h F (YA' Int YB') (YA Int YB)"; |
125 by (Blast_tac 1); |
125 by (Blast_tac 1); |
126 qed "extending_Int"; |
126 qed "extending_Int"; |
127 |
127 |
128 Goalw [extending_def] |
128 Goalw [extending_def] |
129 "[| extending v C h F YA' YA; extending v C h F YB' YB |] \ |
129 "[| extending C h F YA' YA; extending C h F YB' YB |] \ |
130 \ ==> extending v C h F (YA' Un YB') (YA Un YB)"; |
130 \ ==> extending C h F (YA' Un YB') (YA Un YB)"; |
131 by (Blast_tac 1); |
131 by (Blast_tac 1); |
132 qed "extending_Un"; |
132 qed "extending_Un"; |
133 |
133 |
134 val [prem] = Goalw [extending_def] |
134 val [prem] = Goalw [extending_def] |
135 "[| !!i. i:I ==> extending v C h F (Y' i) (Y i) |] \ |
135 "[| !!i. i:I ==> extending C h F (Y' i) (Y i) |] \ |
136 \ ==> extending v C h F (INT i:I. Y' i) (INT i:I. Y i)"; |
136 \ ==> extending C h F (INT i:I. Y' i) (INT i:I. Y i)"; |
137 by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
137 by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
138 qed "extending_INT"; |
138 qed "extending_INT"; |
139 |
139 |
140 val [prem] = Goalw [extending_def] |
140 val [prem] = Goalw [extending_def] |
141 "[| !!i. i:I ==> extending v C h F (Y' i) (Y i) |] \ |
141 "[| !!i. i:I ==> extending C h F (Y' i) (Y i) |] \ |
142 \ ==> extending v C h F (UN i:I. Y' i) (UN i:I. Y i)"; |
142 \ ==> extending C h F (UN i:I. Y' i) (UN i:I. Y i)"; |
143 by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
143 by (blast_tac (claset() addDs [prem RS spec RS mp]) 1); |
144 qed "extending_UN"; |
144 qed "extending_UN"; |
145 |
145 |
146 Goalw [extending_def] |
146 Goalw [extending_def] |
147 "[| extending v C h F Y' Y; Y'<=V'; V<=Y; \ |
147 "[| extending C h F Y' Y; Y'<=V'; V<=Y |] ==> extending C h F V' V"; |
148 \ preserves w <= preserves v |] \ |
|
149 \ ==> extending w C h F V' V"; |
|
150 by Auto_tac; |
148 by Auto_tac; |
151 qed "extending_weaken"; |
149 qed "extending_weaken"; |
152 |
150 |
153 Goalw [extending_def] |
151 Goalw [extending_def] |
154 "[| extending v C h F Y' Y; Y'<=V' |] ==> extending v C h F V' Y"; |
152 "[| extending C h F Y' Y; Y'<=V' |] ==> extending C h F V' Y"; |
155 by Auto_tac; |
153 by Auto_tac; |
156 qed "extending_weaken_L"; |
154 qed "extending_weaken_L"; |
157 |
155 |
158 Goal "projecting C h F X' UNIV"; |
156 Goal "projecting C h F X' UNIV"; |
159 by (simp_tac (simpset() addsimps [projecting_def]) 1); |
157 by (simp_tac (simpset() addsimps [projecting_def]) 1); |
172 Goalw [projecting_def] |
170 Goalw [projecting_def] |
173 "projecting C h F (increasing (func o f)) (increasing func)"; |
171 "projecting C h F (increasing (func o f)) (increasing func)"; |
174 by (blast_tac (claset() addIs [project_increasing_I]) 1); |
172 by (blast_tac (claset() addIs [project_increasing_I]) 1); |
175 qed "projecting_increasing"; |
173 qed "projecting_increasing"; |
176 |
174 |
177 Goal "extending v C h F UNIV Y"; |
175 Goal "extending C h F UNIV Y"; |
178 by (simp_tac (simpset() addsimps [extending_def]) 1); |
176 by (simp_tac (simpset() addsimps [extending_def]) 1); |
179 qed "extending_UNIV"; |
177 qed "extending_UNIV"; |
180 |
178 |
181 Goalw [extending_def] |
179 Goalw [extending_def] |
182 "extending v (%G. UNIV) h F (extend_set h A co extend_set h B) (A co B)"; |
180 "extending (%G. UNIV) h F (extend_set h A co extend_set h B) (A co B)"; |
183 by (blast_tac (claset() addIs [project_constrains_D]) 1); |
181 by (blast_tac (claset() addIs [project_constrains_D]) 1); |
184 qed "extending_constrains"; |
182 qed "extending_constrains"; |
185 |
183 |
186 Goalw [stable_def] |
184 Goalw [stable_def] |
187 "extending v (%G. UNIV) h F (stable (extend_set h A)) (stable A)"; |
185 "extending (%G. UNIV) h F (stable (extend_set h A)) (stable A)"; |
188 by (rtac extending_constrains 1); |
186 by (rtac extending_constrains 1); |
189 qed "extending_stable"; |
187 qed "extending_stable"; |
190 |
188 |
191 Goalw [extending_def] |
189 Goalw [extending_def] |
192 "extending v (%G. UNIV) h F (increasing (func o f)) (increasing func)"; |
190 "extending (%G. UNIV) h F (increasing (func o f)) (increasing func)"; |
193 by (simp_tac (HOL_ss addsimps [Join_project_increasing]) 1); |
191 by (simp_tac (HOL_ss addsimps [Join_project_increasing]) 1); |
194 qed "extending_increasing"; |
192 qed "extending_increasing"; |
195 |
193 |
196 |
194 |
197 (** Reachability and project **) |
195 (** Reachability and project **) |
352 \ (Increasing (func o f)) (Increasing func)"; |
350 \ (Increasing (func o f)) (Increasing func)"; |
353 by (blast_tac (claset() addIs [project_Increasing_I]) 1); |
351 by (blast_tac (claset() addIs [project_Increasing_I]) 1); |
354 qed "projecting_Increasing"; |
352 qed "projecting_Increasing"; |
355 |
353 |
356 Goalw [extending_def] |
354 Goalw [extending_def] |
357 "extending v (%G. reachable (extend h F Join G)) h F \ |
355 "extending (%G. reachable (extend h F Join G)) h F \ |
358 \ (extend_set h A Co extend_set h B) (A Co B)"; |
356 \ (extend_set h A Co extend_set h B) (A Co B)"; |
359 by (blast_tac (claset() addIs [project_Constrains_D]) 1); |
357 by (blast_tac (claset() addIs [project_Constrains_D]) 1); |
360 qed "extending_Constrains"; |
358 qed "extending_Constrains"; |
361 |
359 |
362 Goalw [extending_def] |
360 Goalw [extending_def] |
363 "extending v (%G. reachable (extend h F Join G)) h F \ |
361 "extending (%G. reachable (extend h F Join G)) h F \ |
364 \ (Stable (extend_set h A)) (Stable A)"; |
362 \ (Stable (extend_set h A)) (Stable A)"; |
365 by (blast_tac (claset() addIs [project_Stable_D]) 1); |
363 by (blast_tac (claset() addIs [project_Stable_D]) 1); |
366 qed "extending_Stable"; |
364 qed "extending_Stable"; |
367 |
365 |
368 Goalw [extending_def] |
366 Goalw [extending_def] |
369 "extending v (%G. reachable (extend h F Join G)) h F \ |
367 "extending (%G. reachable (extend h F Join G)) h F \ |
370 \ (Always (extend_set h A)) (Always A)"; |
368 \ (Always (extend_set h A)) (Always A)"; |
371 by (blast_tac (claset() addIs [project_Always_D]) 1); |
369 by (blast_tac (claset() addIs [project_Always_D]) 1); |
372 qed "extending_Always"; |
370 qed "extending_Always"; |
373 |
371 |
374 Goalw [extending_def] |
372 Goalw [extending_def] |
375 "extending v (%G. reachable (extend h F Join G)) h F \ |
373 "extending (%G. reachable (extend h F Join G)) h F \ |
376 \ (Increasing (func o f)) (Increasing func)"; |
374 \ (Increasing (func o f)) (Increasing func)"; |
377 by (blast_tac (claset() addIs [project_Increasing_D]) 1); |
375 by (blast_tac (claset() addIs [project_Increasing_D]) 1); |
378 qed "extending_Increasing"; |
376 qed "extending_Increasing"; |
379 |
377 |
380 |
378 |
594 qed "project_Ensures_D"; |
592 qed "project_Ensures_D"; |
595 |
593 |
596 |
594 |
597 (*** Guarantees ***) |
595 (*** Guarantees ***) |
598 |
596 |
|
597 Goal "project_act h (Restrict C act) <= project_act h act"; |
|
598 by (auto_tac (claset(), simpset() addsimps [project_act_def])); |
|
599 qed "project_act_Restrict_subset_project_act"; |
|
600 |
|
601 |
|
602 Goal "[| extend h F ok G; subset_closed (AllowedActs F) |] \ |
|
603 \ ==> F ok project h C G"; |
|
604 by (auto_tac (claset(), simpset() addsimps [ok_def])); |
|
605 by (dtac subsetD 1); |
|
606 by (Blast_tac 1); |
|
607 by (force_tac (claset() addSIs [rev_image_eqI], simpset()) 1); |
|
608 by (cut_facts_tac [project_act_Restrict_subset_project_act] 1); |
|
609 by (auto_tac (claset(), simpset() addsimps [subset_closed_def])); |
|
610 qed "subset_closed_ok_extend_imp_ok_project"; |
|
611 |
|
612 |
599 (*Weak precondition and postcondition |
613 (*Weak precondition and postcondition |
600 Not clear that it has a converse [or that we want one!]*) |
614 Not clear that it has a converse [or that we want one!]*) |
601 |
615 |
602 (*The raw version; 3rd premise could be weakened by adding the |
616 (*The raw version; 3rd premise could be weakened by adding the |
603 precondition extend h F Join G : X' *) |
617 precondition extend h F Join G : X' *) |
604 val [xguary,project,extend] = |
618 val [xguary,closed,project,extend] = |
605 Goal "[| F : X guarantees[v] Y; \ |
619 Goal "[| F : X guarantees Y; subset_closed (AllowedActs F); \ |
606 \ !!G. extend h F Join G : X' ==> F Join project h (C G) G : X; \ |
620 \ !!G. extend h F Join G : X' ==> F Join project h (C G) G : X; \ |
607 \ !!G. [| F Join project h (C G) G : Y; G : preserves (v o f) |] \ |
621 \ !!G. [| F Join project h (C G) G : Y |] \ |
608 \ ==> extend h F Join G : Y' |] \ |
622 \ ==> extend h F Join G : Y' |] \ |
609 \ ==> extend h F : X' guarantees[v o f] Y'"; |
623 \ ==> extend h F : X' guarantees Y'"; |
610 by (rtac (xguary RS guaranteesD RS extend RS guaranteesI) 1); |
624 by (rtac (xguary RS guaranteesD RS extend RS guaranteesI) 1); |
611 by (etac project_preserves_I 1); |
625 by (blast_tac (claset() addIs [closed, |
|
626 subset_closed_ok_extend_imp_ok_project]) 1); |
612 by (etac project 1); |
627 by (etac project 1); |
613 by Auto_tac; |
|
614 qed "project_guarantees_raw"; |
628 qed "project_guarantees_raw"; |
615 |
629 |
616 Goal "[| F : X guarantees[v] Y; \ |
630 Goal "[| F : X guarantees Y; subset_closed (AllowedActs F); \ |
617 \ projecting C h F X' X; extending w C h F Y' Y; \ |
631 \ projecting C h F X' X; extending C h F Y' Y |] \ |
618 \ preserves w <= preserves (v o f) |] \ |
632 \ ==> extend h F : X' guarantees Y'"; |
619 \ ==> extend h F : X' guarantees[w] Y'"; |
|
620 by (rtac guaranteesI 1); |
633 by (rtac guaranteesI 1); |
621 by (auto_tac (claset(), |
634 by (auto_tac (claset(), |
622 simpset() addsimps [project_preserves_I, guaranteesD, projecting_def, |
635 simpset() addsimps [guaranteesD, projecting_def, |
623 extending_def])); |
636 extending_def, subset_closed_ok_extend_imp_ok_project])); |
624 qed "project_guarantees"; |
637 qed "project_guarantees"; |
625 |
638 |
626 |
639 |
627 (*It seems that neither "guarantees" law can be proved from the other.*) |
640 (*It seems that neither "guarantees" law can be proved from the other.*) |
628 |
641 |
629 |
642 |
630 (*** guarantees corollaries ***) |
643 (*** guarantees corollaries ***) |
631 |
644 |
632 (** Some could be deleted: the required versions are easy to prove **) |
645 (** Some could be deleted: the required versions are easy to prove **) |
633 |
646 |
634 Goal "F : UNIV guarantees[v] increasing func \ |
647 Goal "[| F : UNIV guarantees increasing func; \ |
635 \ ==> extend h F : X' guarantees[v o f] increasing (func o f)"; |
648 \ subset_closed (AllowedActs F) |] \ |
|
649 \ ==> extend h F : X' guarantees increasing (func o f)"; |
636 by (etac project_guarantees 1); |
650 by (etac project_guarantees 1); |
637 by (rtac extending_increasing 2); |
651 by (rtac extending_increasing 3); |
638 by (rtac projecting_UNIV 1); |
652 by (rtac projecting_UNIV 2); |
639 by Auto_tac; |
653 by Auto_tac; |
640 qed "extend_guar_increasing"; |
654 qed "extend_guar_increasing"; |
641 |
655 |
642 Goal "F : UNIV guarantees[v] Increasing func \ |
656 Goal "[| F : UNIV guarantees Increasing func; \ |
643 \ ==> extend h F : X' guarantees[v o f] Increasing (func o f)"; |
657 \ subset_closed (AllowedActs F) |] \ |
|
658 \ ==> extend h F : X' guarantees Increasing (func o f)"; |
644 by (etac project_guarantees 1); |
659 by (etac project_guarantees 1); |
645 by (rtac extending_Increasing 2); |
660 by (rtac extending_Increasing 3); |
646 by (rtac projecting_UNIV 1); |
661 by (rtac projecting_UNIV 2); |
647 by Auto_tac; |
662 by Auto_tac; |
648 qed "extend_guar_Increasing"; |
663 qed "extend_guar_Increasing"; |
649 |
664 |
650 Goal "F : Always A guarantees[v] Always B \ |
665 Goal "[| F : Always A guarantees Always B; \ |
651 \ ==> extend h F : Always(extend_set h A) guarantees[v o f] \ |
666 \ subset_closed (AllowedActs F) |] \ |
652 \ Always(extend_set h B)"; |
667 \ ==> extend h F \ |
|
668 \ : Always(extend_set h A) guarantees Always(extend_set h B)"; |
653 by (etac project_guarantees 1); |
669 by (etac project_guarantees 1); |
654 by (rtac extending_Always 2); |
670 by (rtac extending_Always 3); |
655 by (rtac projecting_Always 1); |
671 by (rtac projecting_Always 2); |
656 by Auto_tac; |
672 by Auto_tac; |
657 qed "extend_guar_Always"; |
673 qed "extend_guar_Always"; |
658 |
674 |
659 Goal "[| G : preserves f; project h C G : transient D |] ==> D={}"; |
675 Goal "[| G : preserves f; project h C G : transient D |] ==> D={}"; |
660 by (rtac stable_transient_empty 1); |
676 by (rtac stable_transient_empty 1); |
674 (project_leadsTo_D_lemma RS leadsTo_weaken) 1); |
690 (project_leadsTo_D_lemma RS leadsTo_weaken) 1); |
675 by (auto_tac (claset() addDs [preserves_project_transient_empty], |
691 by (auto_tac (claset() addDs [preserves_project_transient_empty], |
676 simpset())); |
692 simpset())); |
677 qed "project_leadsTo_D"; |
693 qed "project_leadsTo_D"; |
678 |
694 |
679 Goal "[| F Join project h (reachable (extend h F Join G)) G : A LeadsTo B; \ |
695 Goal "[| F Join project h (reachable (extend h F Join G)) G : A LeadsTo B; \ |
680 \ G : preserves f |] \ |
696 \ G : preserves f |] \ |
681 \ ==> extend h F Join G : (extend_set h A) LeadsTo (extend_set h B)"; |
697 \ ==> extend h F Join G : (extend_set h A) LeadsTo (extend_set h B)"; |
682 by (rtac (refl RS Join_project_LeadsTo) 1); |
698 by (rtac (refl RS Join_project_LeadsTo) 1); |
683 by (auto_tac (claset() addDs [preserves_project_transient_empty], |
699 by (auto_tac (claset() addDs [preserves_project_transient_empty], |
684 simpset())); |
700 simpset())); |
685 qed "project_LeadsTo_D"; |
701 qed "project_LeadsTo_D"; |
686 |
702 |
687 Goalw [extending_def] |
703 Goalw [extending_def] |
688 "extending f (%G. UNIV) h F \ |
704 "(ALL G. extend h F ok G --> G : preserves f) \ |
|
705 \ ==> extending (%G. UNIV) h F \ |
689 \ (extend_set h A leadsTo extend_set h B) (A leadsTo B)"; |
706 \ (extend_set h A leadsTo extend_set h B) (A leadsTo B)"; |
690 by (blast_tac (claset() addIs [project_leadsTo_D]) 1); |
707 by (blast_tac (claset() addIs [project_leadsTo_D]) 1); |
691 qed "extending_leadsTo"; |
708 qed "extending_leadsTo"; |
692 |
709 |
693 Goalw [extending_def] |
710 Goalw [extending_def] |
694 "extending f (%G. reachable (extend h F Join G)) h F \ |
711 "(ALL G. extend h F ok G --> G : preserves f) \ |
|
712 \ ==> extending (%G. reachable (extend h F Join G)) h F \ |
695 \ (extend_set h A LeadsTo extend_set h B) (A LeadsTo B)"; |
713 \ (extend_set h A LeadsTo extend_set h B) (A LeadsTo B)"; |
696 by (blast_tac (claset() addIs [project_LeadsTo_D]) 1); |
714 by (blast_tac (claset() addIs [project_LeadsTo_D]) 1); |
697 qed "extending_LeadsTo"; |
715 qed "extending_LeadsTo"; |
698 |
716 |
699 (*STRONG precondition and postcondition*) |
|
700 Goal "F : (A co A') guarantees[v] (B leadsTo B') \ |
|
701 \ ==> extend h F : (extend_set h A co extend_set h A') \ |
|
702 \ guarantees[f] (extend_set h B leadsTo extend_set h B')"; |
|
703 by (etac project_guarantees 1); |
|
704 by (rtac subset_preserves_o 3); |
|
705 by (rtac extending_leadsTo 2); |
|
706 by (rtac projecting_constrains 1); |
|
707 qed "extend_co_guar_leadsTo"; |
|
708 |
|
709 (*WEAK precondition and postcondition*) |
|
710 Goal "F : (A Co A') guarantees[v] (B LeadsTo B') \ |
|
711 \ ==> extend h F : (extend_set h A Co extend_set h A') \ |
|
712 \ guarantees[f] (extend_set h B LeadsTo extend_set h B')"; |
|
713 by (etac project_guarantees 1); |
|
714 by (rtac subset_preserves_o 3); |
|
715 by (rtac extending_LeadsTo 2); |
|
716 by (rtac projecting_Constrains 1); |
|
717 qed "extend_Co_guar_LeadsTo"; |
|
718 |
|
719 Close_locale "Extend"; |
717 Close_locale "Extend"; |