197 "extend_act h Id = Id"; |
197 "extend_act h Id = Id"; |
198 by (force_tac (claset() addIs [h_f_g_eq RS sym], simpset()) 1); |
198 by (force_tac (claset() addIs [h_f_g_eq RS sym], simpset()) 1); |
199 qed "extend_act_Id"; |
199 qed "extend_act_Id"; |
200 |
200 |
201 Goalw [project_act_def] |
201 Goalw [project_act_def] |
202 "[| (z, z') : act; f z = f z' | z: C |] \ |
202 "[| (z, z') : act; z: C |] \ |
203 \ ==> (f z, f z') : project_act C h act"; |
203 \ ==> (f z, f z') : project_act C h act"; |
204 by (auto_tac (claset() addSIs [exI] addIs [h_f_g_eq RS ssubst], |
204 by (auto_tac (claset() addSIs [exI] addIs [h_f_g_eq RS ssubst], |
205 simpset())); |
205 simpset())); |
206 qed "project_act_I"; |
206 qed "project_act_I"; |
207 |
207 |
208 Goalw [project_set_def, project_act_def] |
208 Goalw [project_set_def, project_act_def] |
209 "project_act C h Id = Id"; |
209 "UNIV <= project_set h C \ |
|
210 \ ==> project_act C h Id = Id"; |
210 by (Force_tac 1); |
211 by (Force_tac 1); |
211 qed "project_act_Id"; |
212 qed "project_act_Id"; |
212 |
213 |
213 (*premise can be weakened*) |
214 (*premise can be weakened*) |
214 Goalw [project_set_def, project_act_def] |
215 Goalw [project_set_def, project_act_def] |
242 Goal "Acts (extend h F) = (extend_act h `` Acts F)"; |
243 Goal "Acts (extend h F) = (extend_act h `` Acts F)"; |
243 by (auto_tac (claset() addSIs [extend_act_Id RS sym], |
244 by (auto_tac (claset() addSIs [extend_act_Id RS sym], |
244 simpset() addsimps [extend_def, image_iff])); |
245 simpset() addsimps [extend_def, image_iff])); |
245 qed "Acts_extend"; |
246 qed "Acts_extend"; |
246 |
247 |
247 Goal "Acts (project C h F) = (project_act C h `` Acts F)"; |
248 Goal "Acts (project C h F) = insert Id (project_act C h `` Acts F)"; |
248 by (auto_tac (claset() addSIs [project_act_Id RS sym], |
249 by (auto_tac (claset(), |
249 simpset() addsimps [project_def, image_iff])); |
250 simpset() addsimps [project_def, image_iff])); |
250 qed "Acts_project"; |
251 qed "Acts_project"; |
251 |
252 |
252 Addsimps [Init_extend, Init_project, Acts_extend, Acts_project]; |
253 Addsimps [Init_extend, Init_project, Acts_extend, Acts_project]; |
253 |
254 |
254 Goalw [SKIP_def] "extend h SKIP = SKIP"; |
255 Goalw [SKIP_def] "extend h SKIP = SKIP"; |
255 by (rtac program_equalityI 1); |
256 by (rtac program_equalityI 1); |
256 by Auto_tac; |
257 by Auto_tac; |
257 qed "extend_SKIP"; |
258 qed "extend_SKIP"; |
258 |
|
259 Goalw [SKIP_def] "project C h SKIP = SKIP"; |
|
260 by (rtac program_equalityI 1); |
|
261 by (auto_tac (claset() addIs [h_f_g_eq RS sym], |
|
262 simpset() addsimps [project_set_def])); |
|
263 qed "project_SKIP"; |
|
264 |
259 |
265 Goalw [project_set_def] "UNIV <= project_set h UNIV"; |
260 Goalw [project_set_def] "UNIV <= project_set h UNIV"; |
266 by Auto_tac; |
261 by Auto_tac; |
267 qed "project_set_UNIV"; |
262 qed "project_set_UNIV"; |
268 |
263 |
334 \ (extend h F Join G : (C Int extend_set h A) co (extend_set h B) & \ |
329 \ (extend h F Join G : (C Int extend_set h A) co (extend_set h B) & \ |
335 \ F : A co B)"; |
330 \ F : A co B)"; |
336 by (auto_tac (claset() addSIs [project_act_I], simpset() addsimps [ball_Un])); |
331 by (auto_tac (claset() addSIs [project_act_I], simpset() addsimps [ball_Un])); |
337 by (force_tac (claset() addIs [extend_act_D], simpset()) 1); |
332 by (force_tac (claset() addIs [extend_act_D], simpset()) 1); |
338 by (force_tac (claset() addSIs [project_act_I] addSDs [subsetD], simpset()) 1); |
333 by (force_tac (claset() addSIs [project_act_I] addSDs [subsetD], simpset()) 1); |
|
334 by (force_tac (claset() addSDs [Id_in_Acts RSN (2,bspec)], simpset()) 1); |
339 (*the <== direction*) |
335 (*the <== direction*) |
340 by (ball_tac 1); |
336 by (ball_tac 1); |
341 by (rewtac project_act_def); |
337 by (rewtac project_act_def); |
342 by Auto_tac; |
|
343 by (force_tac (claset() addSDs [Id_in_Acts RSN (2,bspec)], simpset()) 1); |
|
344 by (force_tac (claset() addSDs [subsetD], simpset()) 1); |
338 by (force_tac (claset() addSDs [subsetD], simpset()) 1); |
345 qed "Join_project_constrains"; |
339 qed "Join_project_constrains"; |
346 |
340 |
347 (*The condition is required to prove the left-to-right direction; |
341 (*The condition is required to prove the left-to-right direction; |
348 could weaken it to G : (C Int extend_set h A) co C*) |
342 could weaken it to G : (C Int extend_set h A) co C*) |
359 \ (extend h F Join G : increasing (func o f))"; |
353 \ (extend h F Join G : increasing (func o f))"; |
360 by (simp_tac (simpset() addsimps [increasing_def, Join_project_stable]) 1); |
354 by (simp_tac (simpset() addsimps [increasing_def, Join_project_stable]) 1); |
361 by (auto_tac (claset(), |
355 by (auto_tac (claset(), |
362 simpset() addsimps [Join_stable, Collect_eq_extend_set RS sym, |
356 simpset() addsimps [Join_stable, Collect_eq_extend_set RS sym, |
363 extend_stable RS iffD1])); |
357 extend_stable RS iffD1])); |
364 |
|
365 qed "Join_project_increasing"; |
358 qed "Join_project_increasing"; |
366 |
359 |
367 Goal "(project C h F : A co B) = \ |
360 Goal "(project C h F : A co B) = \ |
368 \ (F : (C Int extend_set h A) co (extend_set h B) & A <= B)"; |
361 \ (F : (C Int extend_set h A) co (extend_set h B) & A <= B)"; |
369 by (cut_inst_tac [("F", "SKIP")] Join_project_constrains 1); |
362 by (cut_inst_tac [("F", "SKIP")] Join_project_constrains 1); |
480 |
473 |
481 Goal "[| reachable (extend h F Join G) <= C; \ |
474 Goal "[| reachable (extend h F Join G) <= C; \ |
482 \ z : reachable (extend h F Join G) |] \ |
475 \ z : reachable (extend h F Join G) |] \ |
483 \ ==> f z : reachable (F Join project C h G)"; |
476 \ ==> f z : reachable (F Join project C h G)"; |
484 by (etac reachable.induct 1); |
477 by (etac reachable.induct 1); |
485 by (force_tac (claset() delrules [Id_in_Acts] |
|
486 addIs [reachable.Acts, project_act_I, extend_act_D], |
|
487 simpset()) 2); |
|
488 by (force_tac (claset() addIs [reachable.Init, project_set_I], |
478 by (force_tac (claset() addIs [reachable.Init, project_set_I], |
489 simpset()) 1); |
479 simpset()) 1); |
|
480 by Auto_tac; |
|
481 by (force_tac (claset() addIs [project_act_I RSN (3,reachable.Acts)], |
|
482 simpset()) 2); |
|
483 by (res_inst_tac [("act","x")] reachable.Acts 1); |
|
484 by Auto_tac; |
|
485 by (etac extend_act_D 1); |
490 qed "reachable_imp_reachable_project"; |
486 qed "reachable_imp_reachable_project"; |
491 |
487 |
492 Goalw [Constrains_def] |
488 Goalw [Constrains_def] |
493 "[| reachable (extend h F Join G) <= C; \ |
489 "[| reachable (extend h F Join G) <= C; \ |
494 \ F Join project C h G : A Co B |] \ |
490 \ F Join project C h G : A Co B |] \ |
715 by (blast_tac (claset() addIs [guarantees_imp_extend_guarantees, |
711 by (blast_tac (claset() addIs [guarantees_imp_extend_guarantees, |
716 extend_guarantees_imp_guarantees]) 1); |
712 extend_guarantees_imp_guarantees]) 1); |
717 qed "extend_guarantees_eq"; |
713 qed "extend_guarantees_eq"; |
718 |
714 |
719 (*Weak precondition and postcondition; this is the good one! |
715 (*Weak precondition and postcondition; this is the good one! |
720 Not clear that it has a converse [or that we want one!] |
716 Not clear that it has a converse [or that we want one!]*) |
721 Can generalize project (C G) to the function variable "proj"*) |
|
722 val [xguary,project,extend] = |
717 val [xguary,project,extend] = |
723 Goal "[| F : X guarantees Y; \ |
718 Goal "[| F : X guarantees Y; \ |
724 \ !!G. extend h F Join G : X' ==> F Join project (C G) h G : X; \ |
719 \ !!G. extend h F Join G : X' ==> F Join proj G h G : X; \ |
725 \ !!G. F Join project (C G) h G : Y ==> extend h F Join G : Y' |] \ |
720 \ !!G. F Join proj G h G : Y ==> extend h F Join G : Y' |] \ |
726 \ ==> extend h F : X' guarantees Y'"; |
721 \ ==> extend h F : X' guarantees Y'"; |
727 by (rtac (xguary RS guaranteesD RS extend RS guaranteesI) 1); |
722 by (rtac (xguary RS guaranteesD RS extend RS guaranteesI) 1); |
728 by (etac project 1); |
723 by (etac project 1); |
729 qed "project_guarantees"; |
724 qed "project_guarantees"; |
730 |
725 |