Mercurial Mercurial > repos > isabelle / comparison
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
src/ZF/UNITY/SubstAx.thy
changeset 46823 57bf0cecb366
parent 42814 5af15f1e2ef6
child 46953 2b6e55924af3
equal deleted inserted replaced
46822:95f1e700b712 46823:57bf0cecb366 
    12 begin
 
    12 begin
 
    13 
    13 
    14 definition
 
    14 definition
 
    15   (* The definitions below are not `conventional', but yield simpler rules *)
 
    15   (* The definitions below are not `conventional', but yield simpler rules *)
 
    16   Ensures :: "[i,i] => i"            (infixl "Ensures" 60)  where
 
    16   Ensures :: "[i,i] => i"            (infixl "Ensures" 60)  where
 
    17   "A Ensures B == {F:program. F : (reachable(F) Int A) ensures (reachable(F) Int B) }"
 
    17   "A Ensures B == {F:program. F \<in> (reachable(F) \<inter> A) ensures (reachable(F) \<inter> B) }"
 
    18 
    18 
    19 definition
 
    19 definition
 
    20   LeadsTo :: "[i, i] => i"            (infixl "LeadsTo" 60)  where
 
    20   LeadsTo :: "[i, i] => i"            (infixl "LeadsTo" 60)  where
 
    21   "A LeadsTo B == {F:program. F:(reachable(F) Int A) leadsTo (reachable(F) Int B)}"
 
    21   "A LeadsTo B == {F:program. F:(reachable(F) \<inter> A) leadsTo (reachable(F) \<inter> B)}"
 
    22 
    22 
    23 notation (xsymbols)
 
    23 notation (xsymbols)
 
    24   LeadsTo  (infixl " \<longmapsto>w " 60)
 
    24   LeadsTo  (infixl " \<longmapsto>w " 60)
 
    25 
    25 
    26 
    26 
    27 
    27 
    28 (*Resembles the previous definition of LeadsTo*)
 
    28 (*Resembles the previous definition of LeadsTo*)
 
    29 
    29 
    30 (* Equivalence with the HOL-like definition *)
 
    30 (* Equivalence with the HOL-like definition *)
 
    31 lemma LeadsTo_eq: 
    31 lemma LeadsTo_eq: 
    32 "st_set(B)==> A LeadsTo B = {F \<in> program. F:(reachable(F) Int A) leadsTo B}"
 
    32 "st_set(B)==> A LeadsTo B = {F \<in> program. F:(reachable(F) \<inter> A) leadsTo B}"
 
    33 apply (unfold LeadsTo_def)
 
    33 apply (unfold LeadsTo_def)
 
    34 apply (blast dest: psp_stable2 leadsToD2 constrainsD2 intro: leadsTo_weaken)
 
    34 apply (blast dest: psp_stable2 leadsToD2 constrainsD2 intro: leadsTo_weaken)
 
    35 done
 
    35 done
 
    36 
    36 
    37 lemma LeadsTo_type: "A LeadsTo B <=program"
 
    37 lemma LeadsTo_type: "A LeadsTo B <=program"
 
    38 by (unfold LeadsTo_def, auto)
 
    38 by (unfold LeadsTo_def, auto)
 
    39 
    39 
    40 (*** Specialized laws for handling invariants ***)
 
    40 (*** Specialized laws for handling invariants ***)
 
    41 
    41 
    42 (** Conjoining an Always property **)
 
    42 (** Conjoining an Always property **)
 
    43 lemma Always_LeadsTo_pre: "F \<in> Always(I) ==> (F:(I Int A) LeadsTo A') <-> (F \<in> A LeadsTo A')"
 
    43 lemma Always_LeadsTo_pre: "F \<in> Always(I) ==> (F:(I \<inter> A) LeadsTo A') \<longleftrightarrow> (F \<in> A LeadsTo A')"
 
    44 by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2)
 
    44 by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2)
 
    45 
    45 
    46 lemma Always_LeadsTo_post: "F \<in> Always(I) ==> (F \<in> A LeadsTo (I Int A')) <-> (F \<in> A LeadsTo A')"
 
    46 lemma Always_LeadsTo_post: "F \<in> Always(I) ==> (F \<in> A LeadsTo (I \<inter> A')) \<longleftrightarrow> (F \<in> A LeadsTo A')"
 
    47 apply (unfold LeadsTo_def)
 
    47 apply (unfold LeadsTo_def)
 
    48 apply (simp add: Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2)
 
    48 apply (simp add: Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2)
 
    49 done
 
    49 done
 
    50 
    50 
    51 (* Like 'Always_LeadsTo_pre RS iffD1', but with premises in the good order *)
 
    51 (* Like 'Always_LeadsTo_pre RS iffD1', but with premises in the good order *)
 
    52 lemma Always_LeadsToI: "[| F \<in> Always(C); F \<in> (C Int A) LeadsTo A' |] ==> F \<in> A LeadsTo A'"
 
    52 lemma Always_LeadsToI: "[| F \<in> Always(C); F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A'"
 
    53 by (blast intro: Always_LeadsTo_pre [THEN iffD1])
 
    53 by (blast intro: Always_LeadsTo_pre [THEN iffD1])
 
    54 
    54 
    55 (* Like 'Always_LeadsTo_post RS iffD2', but with premises in the good order *)
 
    55 (* Like 'Always_LeadsTo_post RS iffD2', but with premises in the good order *)
 
    56 lemma Always_LeadsToD: "[| F \<in> Always(C);  F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (C Int A')"
 
    56 lemma Always_LeadsToD: "[| F \<in> Always(C);  F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (C \<inter> A')"
 
    57 by (blast intro: Always_LeadsTo_post [THEN iffD2])
 
    57 by (blast intro: Always_LeadsTo_post [THEN iffD2])
 
    58 
    58 
    59 (*** Introduction rules \<in> Basis, Trans, Union ***)
 
    59 (*** Introduction rules \<in> Basis, Trans, Union ***)
 
    60 
    60 
    61 lemma LeadsTo_Basis: "F \<in> A Ensures B ==> F \<in> A LeadsTo B"
 
    61 lemma LeadsTo_Basis: "F \<in> A Ensures B ==> F \<in> A LeadsTo B"
 
    66 apply (simp (no_asm_use) add: LeadsTo_def)
 
    66 apply (simp (no_asm_use) add: LeadsTo_def)
 
    67 apply (blast intro: leadsTo_Trans)
 
    67 apply (blast intro: leadsTo_Trans)
 
    68 done
 
    68 done
 
    69 
    69 
    70 lemma LeadsTo_Union:
 
    70 lemma LeadsTo_Union:
 
    71 "[|(!!A. A \<in> S ==> F \<in> A LeadsTo B); F \<in> program|]==>F \<in> Union(S) LeadsTo B"
 
    71 "[|(!!A. A \<in> S ==> F \<in> A LeadsTo B); F \<in> program|]==>F \<in> \<Union>(S) LeadsTo B"
 
    72 apply (simp add: LeadsTo_def)
 
    72 apply (simp add: LeadsTo_def)
 
    73 apply (subst Int_Union_Union2)
 
    73 apply (subst Int_Union_Union2)
 
    74 apply (rule leadsTo_UN, auto)
 
    74 apply (rule leadsTo_UN, auto)
 
    75 done
 
    75 done
 
    76 
    76 
    81 apply (simp (no_asm_simp) add: LeadsTo_eq)
 
    81 apply (simp (no_asm_simp) add: LeadsTo_eq)
 
    82 apply (blast intro: leadsTo_weaken_L)
 
    82 apply (blast intro: leadsTo_weaken_L)
 
    83 done
 
    83 done
 
    84 
    84 
    85 (*Useful with cancellation, disjunction*)
 
    85 (*Useful with cancellation, disjunction*)
 
    86 lemma LeadsTo_Un_duplicate: "F \<in> A LeadsTo (A' Un A') ==> F \<in> A LeadsTo A'"
 
    86 lemma LeadsTo_Un_duplicate: "F \<in> A LeadsTo (A' \<union> A') ==> F \<in> A LeadsTo A'"
 
    87 by (simp add: Un_ac)
 
    87 by (simp add: Un_ac)
 
    88 
    88 
    89 lemma LeadsTo_Un_duplicate2:
 
    89 lemma LeadsTo_Un_duplicate2:
 
    90      "F \<in> A LeadsTo (A' Un C Un C) ==> F \<in> A LeadsTo (A' Un C)"
 
    90      "F \<in> A LeadsTo (A' \<union> C \<union> C) ==> F \<in> A LeadsTo (A' \<union> C)"
 
    91 by (simp add: Un_ac)
 
    91 by (simp add: Un_ac)
 
    92 
    92 
    93 lemma LeadsTo_UN:
 
    93 lemma LeadsTo_UN:
 
    94     "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo B); F \<in> program|]
 
    94     "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo B); F \<in> program|]
 
    95      ==>F:(\<Union>i \<in> I. A(i)) LeadsTo B"
 
    95      ==>F:(\<Union>i \<in> I. A(i)) LeadsTo B"
 
    98 apply (rule leadsTo_UN, auto)
 
    98 apply (rule leadsTo_UN, auto)
 
    99 done
 
    99 done
 
   100 
   100 
   101 (*Binary union introduction rule*)
 
   101 (*Binary union introduction rule*)
 
   102 lemma LeadsTo_Un:
 
   102 lemma LeadsTo_Un:
 
   103      "[| F \<in> A LeadsTo C; F \<in> B LeadsTo C |] ==> F \<in> (A Un B) LeadsTo C"
 
   103      "[| F \<in> A LeadsTo C; F \<in> B LeadsTo C |] ==> F \<in> (A \<union> B) LeadsTo C"
 
   104 apply (subst Un_eq_Union)
 
   104 apply (subst Un_eq_Union)
 
   105 apply (rule LeadsTo_Union)
 
   105 apply (rule LeadsTo_Union)
 
   106 apply (auto dest: LeadsTo_type [THEN subsetD])
 
   106 apply (auto dest: LeadsTo_type [THEN subsetD])
 
   107 done
 
   107 done
 
   108 
   108 
   110 lemma single_LeadsTo_I: 
   110 lemma single_LeadsTo_I: 
   111     "[|(!!s. s \<in> A ==> F:{s} LeadsTo B); F \<in> program|]==>F \<in> A LeadsTo B"
 
   111     "[|(!!s. s \<in> A ==> F:{s} LeadsTo B); F \<in> program|]==>F \<in> A LeadsTo B"
 
   112 apply (subst UN_singleton [symmetric], rule LeadsTo_UN, auto)
 
   112 apply (subst UN_singleton [symmetric], rule LeadsTo_UN, auto)
 
   113 done
 
   113 done
 
   114 
   114 
   115 lemma subset_imp_LeadsTo: "[| A <= B; F \<in> program |] ==> F \<in> A LeadsTo B"
 
   115 lemma subset_imp_LeadsTo: "[| A \<subseteq> B; F \<in> program |] ==> F \<in> A LeadsTo B"
 
   116 apply (simp (no_asm_simp) add: LeadsTo_def)
 
   116 apply (simp (no_asm_simp) add: LeadsTo_def)
 
   117 apply (blast intro: subset_imp_leadsTo)
 
   117 apply (blast intro: subset_imp_leadsTo)
 
   118 done
 
   118 done
 
   119 
   119 
   120 lemma empty_LeadsTo: "F:0 LeadsTo A <-> F \<in> program"
 
   120 lemma empty_LeadsTo: "F:0 LeadsTo A \<longleftrightarrow> F \<in> program"
 
   121 by (auto dest: LeadsTo_type [THEN subsetD]
 
   121 by (auto dest: LeadsTo_type [THEN subsetD]
 
   122             intro: empty_subsetI [THEN subset_imp_LeadsTo])
 
   122             intro: empty_subsetI [THEN subset_imp_LeadsTo])
 
   123 declare empty_LeadsTo [iff]
 
   123 declare empty_LeadsTo [iff]
 
   124 
   124 
   125 lemma LeadsTo_state: "F \<in> A LeadsTo state <-> F \<in> program"
 
   125 lemma LeadsTo_state: "F \<in> A LeadsTo state \<longleftrightarrow> F \<in> program"
 
   126 by (auto dest: LeadsTo_type [THEN subsetD] simp add: LeadsTo_eq)
 
   126 by (auto dest: LeadsTo_type [THEN subsetD] simp add: LeadsTo_eq)
 
   127 declare LeadsTo_state [iff]
 
   127 declare LeadsTo_state [iff]
 
   128 
   128 
   129 lemma LeadsTo_weaken_R: "[| F \<in> A LeadsTo A';  A'<=B'|] ==> F \<in> A LeadsTo B'"
 
   129 lemma LeadsTo_weaken_R: "[| F \<in> A LeadsTo A';  A'<=B'|] ==> F \<in> A LeadsTo B'"
 
   130 apply (unfold LeadsTo_def)
 
   130 apply (unfold LeadsTo_def)
 
   131 apply (auto intro: leadsTo_weaken_R)
 
   131 apply (auto intro: leadsTo_weaken_R)
 
   132 done
 
   132 done
 
   133 
   133 
   134 lemma LeadsTo_weaken_L: "[| F \<in> A LeadsTo A'; B <= A |] ==> F \<in> B LeadsTo A'"
 
   134 lemma LeadsTo_weaken_L: "[| F \<in> A LeadsTo A'; B \<subseteq> A |] ==> F \<in> B LeadsTo A'"
 
   135 apply (unfold LeadsTo_def)
 
   135 apply (unfold LeadsTo_def)
 
   136 apply (auto intro: leadsTo_weaken_L)
 
   136 apply (auto intro: leadsTo_weaken_L)
 
   137 done
 
   137 done
 
   138 
   138 
   139 lemma LeadsTo_weaken: "[| F \<in> A LeadsTo A'; B<=A; A'<=B' |] ==> F \<in> B LeadsTo B'"
 
   139 lemma LeadsTo_weaken: "[| F \<in> A LeadsTo A'; B<=A; A'<=B' |] ==> F \<in> B LeadsTo B'"
 
   140 by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)
 
   140 by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)
 
   141 
   141 
   142 lemma Always_LeadsTo_weaken: 
   142 lemma Always_LeadsTo_weaken: 
   143 "[| F \<in> Always(C);  F \<in> A LeadsTo A'; C Int B <= A;   C Int A' <= B' |]  
   143 "[| F \<in> Always(C);  F \<in> A LeadsTo A'; C \<inter> B \<subseteq> A;   C \<inter> A' \<subseteq> B' |]  
   144       ==> F \<in> B LeadsTo B'"
 
   144       ==> F \<in> B LeadsTo B'"
 
   145 apply (blast dest: Always_LeadsToI intro: LeadsTo_weaken Always_LeadsToD)
 
   145 apply (blast dest: Always_LeadsToI intro: LeadsTo_weaken Always_LeadsToD)
 
   146 done
 
   146 done
 
   147 
   147 
   148 (** Two theorems for "proof lattices" **)
 
   148 (** Two theorems for "proof lattices" **)
 
   149 
   149 
   150 lemma LeadsTo_Un_post: "F \<in> A LeadsTo B ==> F:(A Un B) LeadsTo B"
 
   150 lemma LeadsTo_Un_post: "F \<in> A LeadsTo B ==> F:(A \<union> B) LeadsTo B"
 
   151 by (blast dest: LeadsTo_type [THEN subsetD]
 
   151 by (blast dest: LeadsTo_type [THEN subsetD]
 
   152              intro: LeadsTo_Un subset_imp_LeadsTo)
 
   152              intro: LeadsTo_Un subset_imp_LeadsTo)
 
   153 
   153 
   154 lemma LeadsTo_Trans_Un: "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |]  
   154 lemma LeadsTo_Trans_Un: "[| F \<in> A LeadsTo B;  F \<in> B LeadsTo C |]  
   155       ==> F \<in> (A Un B) LeadsTo C"
 
   155       ==> F \<in> (A \<union> B) LeadsTo C"
 
   156 apply (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans dest: LeadsTo_type [THEN subsetD])
 
   156 apply (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans dest: LeadsTo_type [THEN subsetD])
 
   157 done
 
   157 done
 
   158 
   158 
   159 (** Distributive laws **)
 
   159 (** Distributive laws **)
 
   160 lemma LeadsTo_Un_distrib: "(F \<in> (A Un B) LeadsTo C)  <-> (F \<in> A LeadsTo C & F \<in> B LeadsTo C)"
 
   160 lemma LeadsTo_Un_distrib: "(F \<in> (A \<union> B) LeadsTo C)  \<longleftrightarrow> (F \<in> A LeadsTo C & F \<in> B LeadsTo C)"
 
   161 by (blast intro: LeadsTo_Un LeadsTo_weaken_L)
 
   161 by (blast intro: LeadsTo_Un LeadsTo_weaken_L)
 
   162 
   162 
   163 lemma LeadsTo_UN_distrib: "(F \<in> (\<Union>i \<in> I. A(i)) LeadsTo B) <->  (\<forall>i \<in> I. F \<in> A(i) LeadsTo B) & F \<in> program"
 
   163 lemma LeadsTo_UN_distrib: "(F \<in> (\<Union>i \<in> I. A(i)) LeadsTo B) \<longleftrightarrow>  (\<forall>i \<in> I. F \<in> A(i) LeadsTo B) & F \<in> program"
 
   164 by (blast dest: LeadsTo_type [THEN subsetD]
 
   164 by (blast dest: LeadsTo_type [THEN subsetD]
 
   165              intro: LeadsTo_UN LeadsTo_weaken_L)
 
   165              intro: LeadsTo_UN LeadsTo_weaken_L)
 
   166 
   166 
   167 lemma LeadsTo_Union_distrib: "(F \<in> Union(S) LeadsTo B)  <->  (\<forall>A \<in> S. F \<in> A LeadsTo B) & F \<in> program"
 
   167 lemma LeadsTo_Union_distrib: "(F \<in> \<Union>(S) LeadsTo B)  \<longleftrightarrow>  (\<forall>A \<in> S. F \<in> A LeadsTo B) & F \<in> program"
 
   168 by (blast dest: LeadsTo_type [THEN subsetD]
 
   168 by (blast dest: LeadsTo_type [THEN subsetD]
 
   169              intro: LeadsTo_Union LeadsTo_weaken_L)
 
   169              intro: LeadsTo_Union LeadsTo_weaken_L)
 
   170 
   170 
   171 (** More rules using the premise "Always(I)" **)
 
   171 (** More rules using the premise "Always(I)" **)
 
   172 
   172 
   173 lemma EnsuresI: "[| F:(A-B) Co (A Un B);  F \<in> transient (A-B) |] ==> F \<in> A Ensures B"
 
   173 lemma EnsuresI: "[| F:(A-B) Co (A \<union> B);  F \<in> transient (A-B) |] ==> F \<in> A Ensures B"
 
   174 apply (simp add: Ensures_def Constrains_eq_constrains)
 
   174 apply (simp add: Ensures_def Constrains_eq_constrains)
 
   175 apply (blast intro: ensuresI constrains_weaken transient_strengthen dest: constrainsD2)
 
   175 apply (blast intro: ensuresI constrains_weaken transient_strengthen dest: constrainsD2)
 
   176 done
 
   176 done
 
   177 
   177 
   178 lemma Always_LeadsTo_Basis: "[| F \<in> Always(I); F \<in> (I Int (A-A')) Co (A Un A');  
   178 lemma Always_LeadsTo_Basis: "[| F \<in> Always(I); F \<in> (I \<inter> (A-A')) Co (A \<union> A');  
   179          F \<in> transient (I Int (A-A')) |]    
   179          F \<in> transient (I \<inter> (A-A')) |]    
   180   ==> F \<in> A LeadsTo A'"
 
   180   ==> F \<in> A LeadsTo A'"
 
   181 apply (rule Always_LeadsToI, assumption)
 
   181 apply (rule Always_LeadsToI, assumption)
 
   182 apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
 
   182 apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
 
   183 done
 
   183 done
 
   184 
   184 
   185 (*Set difference: maybe combine with leadsTo_weaken_L??
 
   185 (*Set difference: maybe combine with leadsTo_weaken_L??
 
   186   This is the most useful form of the "disjunction" rule*)
 
   186   This is the most useful form of the "disjunction" rule*)
 
   187 lemma LeadsTo_Diff:
 
   187 lemma LeadsTo_Diff:
 
   188      "[| F \<in> (A-B) LeadsTo C;  F \<in> (A Int B) LeadsTo C |] ==> F \<in> A LeadsTo C"
 
   188      "[| F \<in> (A-B) LeadsTo C;  F \<in> (A \<inter> B) LeadsTo C |] ==> F \<in> A LeadsTo C"
 
   189 by (blast intro: LeadsTo_Un LeadsTo_weaken)
 
   189 by (blast intro: LeadsTo_Un LeadsTo_weaken)
 
   190 
   190 
   191 lemma LeadsTo_UN_UN:  
   191 lemma LeadsTo_UN_UN:  
   192      "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i)); F \<in> program |]  
   192      "[|(!!i. i \<in> I ==> F \<in> A(i) LeadsTo A'(i)); F \<in> program |]  
   193       ==> F \<in> (\<Union>i \<in> I. A(i)) LeadsTo (\<Union>i \<in> I. A'(i))"
 
   193       ==> F \<in> (\<Union>i \<in> I. A(i)) LeadsTo (\<Union>i \<in> I. A'(i))"
 
   195 apply (blast intro: LeadsTo_weaken_R)
 
   195 apply (blast intro: LeadsTo_weaken_R)
 
   196 done
 
   196 done
 
   197 
   197 
   198 (*Binary union version*)
 
   198 (*Binary union version*)
 
   199 lemma LeadsTo_Un_Un:
 
   199 lemma LeadsTo_Un_Un:
 
   200   "[| F \<in> A LeadsTo A'; F \<in> B LeadsTo B' |] ==> F:(A Un B) LeadsTo (A' Un B')"
 
   200   "[| F \<in> A LeadsTo A'; F \<in> B LeadsTo B' |] ==> F:(A \<union> B) LeadsTo (A' \<union> B')"
 
   201 by (blast intro: LeadsTo_Un LeadsTo_weaken_R)
 
   201 by (blast intro: LeadsTo_Un LeadsTo_weaken_R)
 
   202 
   202 
   203 (** The cancellation law **)
 
   203 (** The cancellation law **)
 
   204 
   204 
   205 lemma LeadsTo_cancel2: "[| F \<in> A LeadsTo(A' Un B); F \<in> B LeadsTo B' |] ==> F \<in> A LeadsTo (A' Un B')"
 
   205 lemma LeadsTo_cancel2: "[| F \<in> A LeadsTo(A' \<union> B); F \<in> B LeadsTo B' |] ==> F \<in> A LeadsTo (A' \<union> B')"
 
   206 by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans dest: LeadsTo_type [THEN subsetD])
 
   206 by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans dest: LeadsTo_type [THEN subsetD])
 
   207 
   207 
   208 lemma Un_Diff: "A Un (B - A) = A Un B"
 
   208 lemma Un_Diff: "A \<union> (B - A) = A \<union> B"
 
   209 by auto
 
   209 by auto
 
   210 
   210 
   211 lemma LeadsTo_cancel_Diff2: "[| F \<in> A LeadsTo (A' Un B); F \<in> (B-A') LeadsTo B' |] ==> F \<in> A LeadsTo (A' Un B')"
 
   211 lemma LeadsTo_cancel_Diff2: "[| F \<in> A LeadsTo (A' \<union> B); F \<in> (B-A') LeadsTo B' |] ==> F \<in> A LeadsTo (A' \<union> B')"
 
   212 apply (rule LeadsTo_cancel2)
 
   212 apply (rule LeadsTo_cancel2)
 
   213 prefer 2 apply assumption
 
   213 prefer 2 apply assumption
 
   214 apply (simp (no_asm_simp) add: Un_Diff)
 
   214 apply (simp (no_asm_simp) add: Un_Diff)
 
   215 done
 
   215 done
 
   216 
   216 
   217 lemma LeadsTo_cancel1: "[| F \<in> A LeadsTo (B Un A'); F \<in> B LeadsTo B' |] ==> F \<in> A LeadsTo (B' Un A')"
 
   217 lemma LeadsTo_cancel1: "[| F \<in> A LeadsTo (B \<union> A'); F \<in> B LeadsTo B' |] ==> F \<in> A LeadsTo (B' \<union> A')"
 
   218 apply (simp add: Un_commute)
 
   218 apply (simp add: Un_commute)
 
   219 apply (blast intro!: LeadsTo_cancel2)
 
   219 apply (blast intro!: LeadsTo_cancel2)
 
   220 done
 
   220 done
 
   221 
   221 
   222 lemma Diff_Un2: "(B - A) Un A = B Un A"
 
   222 lemma Diff_Un2: "(B - A) \<union> A = B \<union> A"
 
   223 by auto
 
   223 by auto
 
   224 
   224 
   225 lemma LeadsTo_cancel_Diff1: "[| F \<in> A LeadsTo (B Un A'); F \<in> (B-A') LeadsTo B' |] ==> F \<in> A LeadsTo (B' Un A')"
 
   225 lemma LeadsTo_cancel_Diff1: "[| F \<in> A LeadsTo (B \<union> A'); F \<in> (B-A') LeadsTo B' |] ==> F \<in> A LeadsTo (B' \<union> A')"
 
   226 apply (rule LeadsTo_cancel1)
 
   226 apply (rule LeadsTo_cancel1)
 
   227 prefer 2 apply assumption
 
   227 prefer 2 apply assumption
 
   228 apply (simp (no_asm_simp) add: Diff_Un2)
 
   228 apply (simp (no_asm_simp) add: Diff_Un2)
 
   229 done
 
   229 done
 
   230 
   230 
   238 done
 
   238 done
 
   239 
   239 
   240 (** PSP \<in> Progress-Safety-Progress **)
 
   240 (** PSP \<in> Progress-Safety-Progress **)
 
   241 
   241 
   242 (*Special case of PSP \<in> Misra's "stable conjunction"*)
 
   242 (*Special case of PSP \<in> Misra's "stable conjunction"*)
 
   243 lemma PSP_Stable: "[| F \<in> A LeadsTo A';  F \<in> Stable(B) |]==> F:(A Int B) LeadsTo (A' Int B)"
 
   243 lemma PSP_Stable: "[| F \<in> A LeadsTo A';  F \<in> Stable(B) |]==> F:(A \<inter> B) LeadsTo (A' \<inter> B)"
 
   244 apply (simp add: LeadsTo_def Stable_eq_stable, clarify)
 
   244 apply (simp add: LeadsTo_def Stable_eq_stable, clarify)
 
   245 apply (drule psp_stable, assumption)
 
   245 apply (drule psp_stable, assumption)
 
   246 apply (simp add: Int_ac)
 
   246 apply (simp add: Int_ac)
 
   247 done
 
   247 done
 
   248 
   248 
   249 lemma PSP_Stable2: "[| F \<in> A LeadsTo A'; F \<in> Stable(B) |] ==> F \<in> (B Int A) LeadsTo (B Int A')"
 
   249 lemma PSP_Stable2: "[| F \<in> A LeadsTo A'; F \<in> Stable(B) |] ==> F \<in> (B \<inter> A) LeadsTo (B \<inter> A')"
 
   250 apply (simp (no_asm_simp) add: PSP_Stable Int_ac)
 
   250 apply (simp (no_asm_simp) add: PSP_Stable Int_ac)
 
   251 done
 
   251 done
 
   252 
   252 
   253 lemma PSP: "[| F \<in> A LeadsTo A'; F \<in> B Co B'|]==> F \<in> (A Int B') LeadsTo ((A' Int B) Un (B' - B))"
 
   253 lemma PSP: "[| F \<in> A LeadsTo A'; F \<in> B Co B'|]==> F \<in> (A \<inter> B') LeadsTo ((A' \<inter> B) \<union> (B' - B))"
 
   254 apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains)
 
   254 apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains)
 
   255 apply (blast dest: psp intro: leadsTo_weaken)
 
   255 apply (blast dest: psp intro: leadsTo_weaken)
 
   256 done
 
   256 done
 
   257 
   257 
   258 lemma PSP2: "[| F \<in> A LeadsTo A'; F \<in> B Co B' |]==> F:(B' Int A) LeadsTo ((B Int A') Un (B' - B))"
 
   258 lemma PSP2: "[| F \<in> A LeadsTo A'; F \<in> B Co B' |]==> F:(B' \<inter> A) LeadsTo ((B \<inter> A') \<union> (B' - B))"
 
   259 by (simp (no_asm_simp) add: PSP Int_ac)
 
   259 by (simp (no_asm_simp) add: PSP Int_ac)
 
   260 
   260 
   261 lemma PSP_Unless: 
   261 lemma PSP_Unless: 
   262 "[| F \<in> A LeadsTo A'; F \<in> B Unless B'|]==> F:(A Int B) LeadsTo ((A' Int B) Un B')"
 
   262 "[| F \<in> A LeadsTo A'; F \<in> B Unless B'|]==> F:(A \<inter> B) LeadsTo ((A' \<inter> B) \<union> B')"
 
   263 apply (unfold op_Unless_def)
 
   263 apply (unfold op_Unless_def)
 
   264 apply (drule PSP, assumption)
 
   264 apply (drule PSP, assumption)
 
   265 apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo)
 
   265 apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo)
 
   266 done
 
   266 done
 
   267 
   267 
   268 (*** Induction rules ***)
 
   268 (*** Induction rules ***)
 
   269 
   269 
   270 (** Meta or object quantifier ????? **)
 
   270 (** Meta or object quantifier ????? **)
 
   271 lemma LeadsTo_wf_induct: "[| wf(r);      
   271 lemma LeadsTo_wf_induct: "[| wf(r);      
   272          \<forall>m \<in> I. F \<in> (A Int f-``{m}) LeadsTo                      
   272          \<forall>m \<in> I. F \<in> (A \<inter> f-``{m}) LeadsTo                      
   273                             ((A Int f-``(converse(r) `` {m})) Un B);  
   273                             ((A \<inter> f-``(converse(r) `` {m})) \<union> B);  
   274          field(r)<=I; A<=f-``I; F \<in> program |]  
   274          field(r)<=I; A<=f-``I; F \<in> program |]  
   275       ==> F \<in> A LeadsTo B"
 
   275       ==> F \<in> A LeadsTo B"
 
   276 apply (simp (no_asm_use) add: LeadsTo_def)
 
   276 apply (simp (no_asm_use) add: LeadsTo_def)
 
   277 apply auto
 
   277 apply auto
 
   278 apply (erule_tac I = I and f = f in leadsTo_wf_induct, safe)
 
   278 apply (erule_tac I = I and f = f in leadsTo_wf_induct, safe)
 
   279 apply (drule_tac [2] x = m in bspec, safe)
 
   279 apply (drule_tac [2] x = m in bspec, safe)
 
   280 apply (rule_tac [2] A' = "reachable (F) Int (A Int f -`` (converse (r) ``{m}) Un B) " in leadsTo_weaken_R)
 
   280 apply (rule_tac [2] A' = "reachable (F) \<inter> (A \<inter> f -`` (converse (r) ``{m}) \<union> B) " in leadsTo_weaken_R)
 
   281 apply (auto simp add: Int_assoc) 
   281 apply (auto simp add: Int_assoc) 
   282 done
 
   282 done
 
   283 
   283 
   284 
   284 
   285 lemma LessThan_induct: "[| \<forall>m \<in> nat. F:(A Int f-``{m}) LeadsTo ((A Int f-``m) Un B);  
   285 lemma LessThan_induct: "[| \<forall>m \<in> nat. F:(A \<inter> f-``{m}) LeadsTo ((A \<inter> f-``m) \<union> B);  
   286       A<=f-``nat; F \<in> program |] ==> F \<in> A LeadsTo B"
 
   286       A<=f-``nat; F \<in> program |] ==> F \<in> A LeadsTo B"
 
   287 apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN LeadsTo_wf_induct])
 
   287 apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN LeadsTo_wf_induct])
 
   288 apply (simp_all add: nat_measure_field)
 
   288 apply (simp_all add: nat_measure_field)
 
   289 apply (simp add: ltI Image_inverse_lessThan vimage_def [symmetric])
 
   289 apply (simp add: ltI Image_inverse_lessThan vimage_def [symmetric])
 
   290 done
 
   290 done
 
   299 
   299 
   300 *****)
 
   300 *****)
 
   301 
   301 
   302 (*** Completion \<in> Binary and General Finite versions ***)
 
   302 (*** Completion \<in> Binary and General Finite versions ***)
 
   303 
   303 
   304 lemma Completion: "[| F \<in> A LeadsTo (A' Un C);  F \<in> A' Co (A' Un C);  
   304 lemma Completion: "[| F \<in> A LeadsTo (A' \<union> C);  F \<in> A' Co (A' \<union> C);  
   305          F \<in> B LeadsTo (B' Un C);  F \<in> B' Co (B' Un C) |]  
   305          F \<in> B LeadsTo (B' \<union> C);  F \<in> B' Co (B' \<union> C) |]  
   306       ==> F \<in> (A Int B) LeadsTo ((A' Int B') Un C)"
 
   306       ==> F \<in> (A \<inter> B) LeadsTo ((A' \<inter> B') \<union> C)"
 
   307 apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains Int_Un_distrib)
 
   307 apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains Int_Un_distrib)
 
   308 apply (blast intro: completion leadsTo_weaken)
 
   308 apply (blast intro: completion leadsTo_weaken)
 
   309 done
 
   309 done
 
   310 
   310 
   311 lemma Finite_completion_aux:
 
   311 lemma Finite_completion_aux:
 
   312      "[| I \<in> Fin(X);F \<in> program |]  
   312      "[| I \<in> Fin(X);F \<in> program |]  
   313       ==> (\<forall>i \<in> I. F \<in> (A(i)) LeadsTo (A'(i) Un C)) -->   
   313       ==> (\<forall>i \<in> I. F \<in> (A(i)) LeadsTo (A'(i) \<union> C)) \<longrightarrow>   
   314           (\<forall>i \<in> I. F \<in> (A'(i)) Co (A'(i) Un C)) -->  
   314           (\<forall>i \<in> I. F \<in> (A'(i)) Co (A'(i) \<union> C)) \<longrightarrow>  
   315           F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) Un C)"
 
   315           F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
 
   316 apply (erule Fin_induct)
 
   316 apply (erule Fin_induct)
 
   317 apply (auto simp del: INT_simps simp add: Inter_0)
 
   317 apply (auto simp del: INT_simps simp add: Inter_0)
 
   318 apply (rule Completion, auto) 
   318 apply (rule Completion, auto) 
   319 apply (simp del: INT_simps add: INT_extend_simps)
 
   319 apply (simp del: INT_simps add: INT_extend_simps)
 
   320 apply (blast intro: Constrains_INT)
 
   320 apply (blast intro: Constrains_INT)
 
   321 done
 
   321 done
 
   322 
   322 
   323 lemma Finite_completion: 
   323 lemma Finite_completion: 
   324      "[| I \<in> Fin(X); !!i. i \<in> I ==> F \<in> A(i) LeadsTo (A'(i) Un C);  
   324      "[| I \<in> Fin(X); !!i. i \<in> I ==> F \<in> A(i) LeadsTo (A'(i) \<union> C);  
   325          !!i. i \<in> I ==> F \<in> A'(i) Co (A'(i) Un C);  
   325          !!i. i \<in> I ==> F \<in> A'(i) Co (A'(i) \<union> C);  
   326          F \<in> program |]    
   326          F \<in> program |]    
   327       ==> F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) Un C)"
 
   327       ==> F \<in> (\<Inter>i \<in> I. A(i)) LeadsTo ((\<Inter>i \<in> I. A'(i)) \<union> C)"
 
   328 by (blast intro: Finite_completion_aux [THEN mp, THEN mp])
 
   328 by (blast intro: Finite_completion_aux [THEN mp, THEN mp])
 
   329 
   329 
   330 lemma Stable_completion: 
   330 lemma Stable_completion: 
   331      "[| F \<in> A LeadsTo A';  F \<in> Stable(A');    
   331      "[| F \<in> A LeadsTo A';  F \<in> Stable(A');    
   332          F \<in> B LeadsTo B';  F \<in> Stable(B') |]  
   332          F \<in> B LeadsTo B';  F \<in> Stable(B') |]  
   333     ==> F \<in> (A Int B) LeadsTo (A' Int B')"
 
   333     ==> F \<in> (A \<inter> B) LeadsTo (A' \<inter> B')"
 
   334 apply (unfold Stable_def)
 
   334 apply (unfold Stable_def)
 
   335 apply (rule_tac C1 = 0 in Completion [THEN LeadsTo_weaken_R])
 
   335 apply (rule_tac C1 = 0 in Completion [THEN LeadsTo_weaken_R])
 
   336     prefer 5
 
   336     prefer 5
 
   337     apply blast 
   337     apply blast 
   338 apply auto 
   338 apply auto
isabelle