35 |
35 |
36 (*Existential and Universal properties. We formalize the two-program |
36 (*Existential and Universal properties. We formalize the two-program |
37 case, proving equivalence with Chandy and Sanders's n-ary definitions*) |
37 case, proving equivalence with Chandy and Sanders's n-ary definitions*) |
38 |
38 |
39 definition |
39 definition |
40 ex_prop :: "i => o" where |
40 ex_prop :: "i \<Rightarrow> o" where |
41 "ex_prop(X) \<equiv> X<=program \<and> |
41 "ex_prop(X) \<equiv> X<=program \<and> |
42 (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X | G \<in> X \<longrightarrow> (F \<squnion> G) \<in> X)" |
42 (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X | G \<in> X \<longrightarrow> (F \<squnion> G) \<in> X)" |
43 |
43 |
44 definition |
44 definition |
45 strict_ex_prop :: "i => o" where |
45 strict_ex_prop :: "i \<Rightarrow> o" where |
46 "strict_ex_prop(X) \<equiv> X<=program \<and> |
46 "strict_ex_prop(X) \<equiv> X<=program \<and> |
47 (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> (F \<in> X | G \<in> X) \<longleftrightarrow> (F \<squnion> G \<in> X))" |
47 (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> (F \<in> X | G \<in> X) \<longleftrightarrow> (F \<squnion> G \<in> X))" |
48 |
48 |
49 definition |
49 definition |
50 uv_prop :: "i => o" where |
50 uv_prop :: "i \<Rightarrow> o" where |
51 "uv_prop(X) \<equiv> X<=program \<and> |
51 "uv_prop(X) \<equiv> X<=program \<and> |
52 (SKIP \<in> X \<and> (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X \<and> G \<in> X \<longrightarrow> (F \<squnion> G) \<in> X))" |
52 (SKIP \<in> X \<and> (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X \<and> G \<in> X \<longrightarrow> (F \<squnion> G) \<in> X))" |
53 |
53 |
54 definition |
54 definition |
55 strict_uv_prop :: "i => o" where |
55 strict_uv_prop :: "i \<Rightarrow> o" where |
56 "strict_uv_prop(X) \<equiv> X<=program \<and> |
56 "strict_uv_prop(X) \<equiv> X<=program \<and> |
57 (SKIP \<in> X \<and> (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow>(F \<in> X \<and> G \<in> X) \<longleftrightarrow> (F \<squnion> G \<in> X)))" |
57 (SKIP \<in> X \<and> (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow>(F \<in> X \<and> G \<in> X) \<longleftrightarrow> (F \<squnion> G \<in> X)))" |
58 |
58 |
59 definition |
59 definition |
60 guar :: "[i, i] => i" (infixl \<open>guarantees\<close> 55) where |
60 guar :: "[i, i] \<Rightarrow> i" (infixl \<open>guarantees\<close> 55) where |
61 (*higher than membership, lower than Co*) |
61 (*higher than membership, lower than Co*) |
62 "X guarantees Y \<equiv> {F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<squnion> G \<in> X \<longrightarrow> F \<squnion> G \<in> Y}" |
62 "X guarantees Y \<equiv> {F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<squnion> G \<in> X \<longrightarrow> F \<squnion> G \<in> Y}" |
63 |
63 |
64 definition |
64 definition |
65 (* Weakest guarantees *) |
65 (* Weakest guarantees *) |
66 wg :: "[i,i] => i" where |
66 wg :: "[i,i] \<Rightarrow> i" where |
67 "wg(F,Y) \<equiv> \<Union>({X \<in> Pow(program). F:(X guarantees Y)})" |
67 "wg(F,Y) \<equiv> \<Union>({X \<in> Pow(program). F:(X guarantees Y)})" |
68 |
68 |
69 definition |
69 definition |
70 (* Weakest existential property stronger than X *) |
70 (* Weakest existential property stronger than X *) |
71 wx :: "i =>i" where |
71 wx :: "i \<Rightarrow>i" where |
72 "wx(X) \<equiv> \<Union>({Y \<in> Pow(program). Y<=X \<and> ex_prop(Y)})" |
72 "wx(X) \<equiv> \<Union>({Y \<in> Pow(program). Y<=X \<and> ex_prop(Y)})" |
73 |
73 |
74 definition |
74 definition |
75 (*Ill-defined programs can arise through "\<squnion>"*) |
75 (*Ill-defined programs can arise through "\<squnion>"*) |
76 welldef :: i where |
76 welldef :: i where |
77 "welldef \<equiv> {F \<in> program. Init(F) \<noteq> 0}" |
77 "welldef \<equiv> {F \<in> program. Init(F) \<noteq> 0}" |
78 |
78 |
79 definition |
79 definition |
80 refines :: "[i, i, i] => o" (\<open>(3_ refines _ wrt _)\<close> [10,10,10] 10) where |
80 refines :: "[i, i, i] \<Rightarrow> o" (\<open>(3_ refines _ wrt _)\<close> [10,10,10] 10) where |
81 "G refines F wrt X \<equiv> |
81 "G refines F wrt X \<equiv> |
82 \<forall>H \<in> program. (F ok H \<and> G ok H \<and> F \<squnion> H \<in> welldef \<inter> X) |
82 \<forall>H \<in> program. (F ok H \<and> G ok H \<and> F \<squnion> H \<in> welldef \<inter> X) |
83 \<longrightarrow> (G \<squnion> H \<in> welldef \<inter> X)" |
83 \<longrightarrow> (G \<squnion> H \<in> welldef \<inter> X)" |
84 |
84 |
85 definition |
85 definition |
86 iso_refines :: "[i,i, i] => o" (\<open>(3_ iso'_refines _ wrt _)\<close> [10,10,10] 10) where |
86 iso_refines :: "[i,i, i] \<Rightarrow> o" (\<open>(3_ iso'_refines _ wrt _)\<close> [10,10,10] 10) where |
87 "G iso_refines F wrt X \<equiv> F \<in> welldef \<inter> X \<longrightarrow> G \<in> welldef \<inter> X" |
87 "G iso_refines F wrt X \<equiv> F \<in> welldef \<inter> X \<longrightarrow> G \<in> welldef \<inter> X" |
88 |
88 |
89 |
89 |
90 (*** existential properties ***) |
90 (*** existential properties ***) |
91 |
91 |
92 lemma ex_imp_subset_program: "ex_prop(X) \<Longrightarrow> X\<subseteq>program" |
92 lemma ex_imp_subset_program: "ex_prop(X) \<Longrightarrow> X\<subseteq>program" |
93 by (simp add: ex_prop_def) |
93 by (simp add: ex_prop_def) |
94 |
94 |
95 lemma ex1 [rule_format]: |
95 lemma ex1 [rule_format]: |
96 "GG \<in> Fin(program) |
96 "GG \<in> Fin(program) |
97 \<Longrightarrow> ex_prop(X) \<longrightarrow> GG \<inter> X\<noteq>0 \<longrightarrow> OK(GG, (%G. G)) \<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X" |
97 \<Longrightarrow> ex_prop(X) \<longrightarrow> GG \<inter> X\<noteq>0 \<longrightarrow> OK(GG, (\<lambda>G. G)) \<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X" |
98 apply (unfold ex_prop_def) |
98 apply (unfold ex_prop_def) |
99 apply (erule Fin_induct) |
99 apply (erule Fin_induct) |
100 apply (simp_all add: OK_cons_iff) |
100 apply (simp_all add: OK_cons_iff) |
101 apply (safe elim!: not_emptyE, auto) |
101 apply (safe elim!: not_emptyE, auto) |
102 done |
102 done |
103 |
103 |
104 lemma ex2 [rule_format]: |
104 lemma ex2 [rule_format]: |
105 "X \<subseteq> program \<Longrightarrow> |
105 "X \<subseteq> program \<Longrightarrow> |
106 (\<forall>GG \<in> Fin(program). GG \<inter> X \<noteq> 0 \<longrightarrow> OK(GG,(%G. G))\<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X) |
106 (\<forall>GG \<in> Fin(program). GG \<inter> X \<noteq> 0 \<longrightarrow> OK(GG,(\<lambda>G. G))\<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X) |
107 \<longrightarrow> ex_prop(X)" |
107 \<longrightarrow> ex_prop(X)" |
108 apply (unfold ex_prop_def, clarify) |
108 apply (unfold ex_prop_def, clarify) |
109 apply (drule_tac x = "{F,G}" in bspec) |
109 apply (drule_tac x = "{F,G}" in bspec) |
110 apply (simp_all add: OK_iff_ok) |
110 apply (simp_all add: OK_iff_ok) |
111 apply (auto intro: ok_sym) |
111 apply (auto intro: ok_sym) |
136 apply (simp (no_asm_simp)) |
136 apply (simp (no_asm_simp)) |
137 done |
137 done |
138 |
138 |
139 lemma uv1 [rule_format]: |
139 lemma uv1 [rule_format]: |
140 "GG \<in> Fin(program) \<Longrightarrow> |
140 "GG \<in> Fin(program) \<Longrightarrow> |
141 (uv_prop(X)\<longrightarrow> GG \<subseteq> X \<and> OK(GG, (%G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" |
141 (uv_prop(X)\<longrightarrow> GG \<subseteq> X \<and> OK(GG, (\<lambda>G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" |
142 apply (unfold uv_prop_def) |
142 apply (unfold uv_prop_def) |
143 apply (erule Fin_induct) |
143 apply (erule Fin_induct) |
144 apply (auto simp add: OK_cons_iff) |
144 apply (auto simp add: OK_cons_iff) |
145 done |
145 done |
146 |
146 |
147 lemma uv2 [rule_format]: |
147 lemma uv2 [rule_format]: |
148 "X\<subseteq>program \<Longrightarrow> |
148 "X\<subseteq>program \<Longrightarrow> |
149 (\<forall>GG \<in> Fin(program). GG \<subseteq> X \<and> OK(GG,(%G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X) |
149 (\<forall>GG \<in> Fin(program). GG \<subseteq> X \<and> OK(GG,(\<lambda>G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X) |
150 \<longrightarrow> uv_prop(X)" |
150 \<longrightarrow> uv_prop(X)" |
151 apply (unfold uv_prop_def, auto) |
151 apply (unfold uv_prop_def, auto) |
152 apply (drule_tac x = 0 in bspec, simp+) |
152 apply (drule_tac x = 0 in bspec, simp+) |
153 apply (drule_tac x = "{F,G}" in bspec, simp) |
153 apply (drule_tac x = "{F,G}" in bspec, simp) |
154 apply (force dest: ok_sym simp add: OK_iff_ok) |
154 apply (force dest: ok_sym simp add: OK_iff_ok) |
155 done |
155 done |
156 |
156 |
157 (*Chandy \<and> Sanders take this as a definition*) |
157 (*Chandy \<and> Sanders take this as a definition*) |
158 lemma uv_prop_finite: |
158 lemma uv_prop_finite: |
159 "uv_prop(X) \<longleftrightarrow> X\<subseteq>program \<and> |
159 "uv_prop(X) \<longleftrightarrow> X\<subseteq>program \<and> |
160 (\<forall>GG \<in> Fin(program). GG \<subseteq> X \<and> OK(GG, %G. G) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" |
160 (\<forall>GG \<in> Fin(program). GG \<subseteq> X \<and> OK(GG, \<lambda>G. G) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" |
161 apply auto |
161 apply auto |
162 apply (blast dest: uv_imp_subset_program) |
162 apply (blast dest: uv_imp_subset_program) |
163 apply (blast intro: uv1) |
163 apply (blast intro: uv1) |
164 apply (blast intro!: uv2 dest:) |
164 apply (blast intro!: uv2 dest:) |
165 done |
165 done |