9 *) |
9 *) |
10 |
10 |
11 (*** component ***) |
11 (*** component ***) |
12 |
12 |
13 Goalw [component_def] |
13 Goalw [component_def] |
14 "H component F | H component G ==> H component (F Join G)"; |
14 "H <= F | H <= G ==> H <= (F Join G)"; |
15 by Auto_tac; |
15 by Auto_tac; |
16 by (res_inst_tac [("x", "G Join Ga")] exI 1); |
16 by (res_inst_tac [("x", "G Join Ga")] exI 1); |
17 by (res_inst_tac [("x", "G Join F")] exI 2); |
17 by (res_inst_tac [("x", "G Join F")] exI 2); |
18 by (auto_tac (claset(), simpset() addsimps Join_ac)); |
18 by (auto_tac (claset(), simpset() addsimps Join_ac)); |
19 qed "componentI"; |
19 qed "componentI"; |
20 |
20 |
21 Goalw [component_def] |
21 Goalw [component_def] |
22 "(F component G) = (Init G <= Init F & Acts F <= Acts G)"; |
22 "(F <= G) = (Init G <= Init F & Acts F <= Acts G)"; |
23 by (force_tac (claset() addSIs [exI, program_equalityI], |
23 by (force_tac (claset() addSIs [exI, program_equalityI], |
24 simpset() addsimps [Acts_Join]) 1); |
24 simpset() addsimps [Acts_Join]) 1); |
25 qed "component_eq_subset"; |
25 qed "component_eq_subset"; |
26 |
26 |
27 Goalw [component_def] "SKIP component F"; |
27 Goalw [component_def] "SKIP <= F"; |
28 by (force_tac (claset() addIs [Join_SKIP_left], simpset()) 1); |
28 by (force_tac (claset() addIs [Join_SKIP_left], simpset()) 1); |
29 qed "component_SKIP"; |
29 qed "component_SKIP"; |
30 |
30 |
31 Goalw [component_def] "F component F"; |
31 Goalw [component_def] "F <= (F :: 'a program)"; |
32 by (blast_tac (claset() addIs [Join_SKIP_right]) 1); |
32 by (blast_tac (claset() addIs [Join_SKIP_right]) 1); |
33 qed "component_refl"; |
33 qed "component_refl"; |
34 |
34 |
35 AddIffs [component_SKIP, component_refl]; |
35 AddIffs [component_SKIP, component_refl]; |
36 |
36 |
37 Goal "F component SKIP ==> F = SKIP"; |
37 Goal "F <= SKIP ==> F = SKIP"; |
38 by (auto_tac (claset() addSIs [program_equalityI], |
38 by (auto_tac (claset() addSIs [program_equalityI], |
39 simpset() addsimps [component_eq_subset])); |
39 simpset() addsimps [component_eq_subset])); |
40 qed "SKIP_minimal"; |
40 qed "SKIP_minimal"; |
41 |
41 |
42 Goalw [component_def] "F component (F Join G)"; |
42 Goalw [component_def] "F <= (F Join G)"; |
43 by (Blast_tac 1); |
43 by (Blast_tac 1); |
44 qed "component_Join1"; |
44 qed "component_Join1"; |
45 |
45 |
46 Goalw [component_def] "G component (F Join G)"; |
46 Goalw [component_def] "G <= (F Join G)"; |
47 by (simp_tac (simpset() addsimps [Join_commute]) 1); |
47 by (simp_tac (simpset() addsimps [Join_commute]) 1); |
48 by (Blast_tac 1); |
48 by (Blast_tac 1); |
49 qed "component_Join2"; |
49 qed "component_Join2"; |
50 |
50 |
51 Goalw [component_def] "i : I ==> (F i) component (JN i:I. (F i))"; |
51 Goalw [component_def] "i : I ==> (F i) <= (JN i:I. (F i))"; |
52 by (blast_tac (claset() addIs [JN_absorb]) 1); |
52 by (blast_tac (claset() addIs [JN_absorb]) 1); |
53 qed "component_JN"; |
53 qed "component_JN"; |
54 |
54 |
55 Goalw [component_def] "[| F component G; G component H |] ==> F component H"; |
55 Goalw [component_def] "[| F <= G; G <= H |] ==> F <= (H :: 'a program)"; |
56 by (blast_tac (claset() addIs [Join_assoc RS sym]) 1); |
56 by (blast_tac (claset() addIs [Join_assoc RS sym]) 1); |
57 qed "component_trans"; |
57 qed "component_trans"; |
58 |
58 |
59 Goal "[| F component G; G component F |] ==> F=G"; |
59 Goal "[| F <= G; G <= F |] ==> F = (G :: 'a program)"; |
60 by (full_simp_tac (simpset() addsimps [component_eq_subset]) 1); |
60 by (full_simp_tac (simpset() addsimps [component_eq_subset]) 1); |
61 by (blast_tac (claset() addSIs [program_equalityI]) 1); |
61 by (blast_tac (claset() addSIs [program_equalityI]) 1); |
62 qed "component_antisym"; |
62 qed "component_antisym"; |
63 |
63 |
64 Goalw [component_def] |
64 Goalw [component_def] |
65 "F component H = (EX G. F Join G = H & Disjoint F G)"; |
65 "F <= H = (EX G. F Join G = H & Disjoint F G)"; |
66 by (blast_tac (claset() addSIs [Diff_Disjoint, Join_Diff2]) 1); |
66 by (blast_tac (claset() addSIs [Diff_Disjoint, Join_Diff2]) 1); |
67 qed "component_eq"; |
67 qed "component_eq"; |
68 |
68 |
69 Goal "((F Join G) component H) = (F component H & G component H)"; |
69 Goal "((F Join G) <= H) = (F <= H & G <= H)"; |
70 by (simp_tac (simpset() addsimps [component_eq_subset, Acts_Join]) 1); |
70 by (simp_tac (simpset() addsimps [component_eq_subset, Acts_Join]) 1); |
71 by (Blast_tac 1); |
71 by (Blast_tac 1); |
72 qed "Join_component_iff"; |
72 qed "Join_component_iff"; |
73 |
73 |
74 Goal "[| F component G; G : A co B |] ==> F : A co B"; |
74 Goal "[| F <= G; G : A co B |] ==> F : A co B"; |
75 by (auto_tac (claset(), |
75 by (auto_tac (claset(), |
76 simpset() addsimps [constrains_def, component_eq_subset])); |
76 simpset() addsimps [constrains_def, component_eq_subset])); |
77 qed "component_constrains"; |
77 qed "component_constrains"; |
78 |
78 |
79 (*** existential properties ***) |
79 bind_thm ("program_less_le", strict_component_def RS meta_eq_to_obj_eq); |
80 |
|
81 Goalw [ex_prop_def] |
|
82 "[| ex_prop X; finite GG |] ==> GG Int X ~= {} --> (JN G:GG. G) : X"; |
|
83 by (etac finite_induct 1); |
|
84 by (auto_tac (claset(), simpset() addsimps [Int_insert_left])); |
|
85 qed_spec_mp "ex1"; |
|
86 |
|
87 Goalw [ex_prop_def] |
|
88 "ALL GG. finite GG & GG Int X ~= {} --> (JN G:GG. G) : X ==> ex_prop X"; |
|
89 by (Clarify_tac 1); |
|
90 by (dres_inst_tac [("x", "{F,G}")] spec 1); |
|
91 by Auto_tac; |
|
92 qed "ex2"; |
|
93 |
|
94 (*Chandy & Sanders take this as a definition*) |
|
95 Goal "ex_prop X = (ALL GG. finite GG & GG Int X ~= {} --> (JN G:GG. G) : X)"; |
|
96 by (blast_tac (claset() addIs [ex1,ex2]) 1); |
|
97 qed "ex_prop_finite"; |
|
98 |
|
99 (*Their "equivalent definition" given at the end of section 3*) |
|
100 Goal "ex_prop X = (ALL G. G:X = (ALL H. G component H --> H: X))"; |
|
101 by Auto_tac; |
|
102 by (rewrite_goals_tac [ex_prop_def, component_def]); |
|
103 by (Blast_tac 1); |
|
104 by Safe_tac; |
|
105 by (stac Join_commute 2); |
|
106 by (ALLGOALS Blast_tac); |
|
107 qed "ex_prop_equiv"; |
|
108 |
|
109 |
|
110 (*** universal properties ***) |
|
111 |
|
112 Goalw [uv_prop_def] |
|
113 "[| uv_prop X; finite GG |] ==> GG <= X --> (JN G:GG. G) : X"; |
|
114 by (etac finite_induct 1); |
|
115 by (auto_tac (claset(), simpset() addsimps [Int_insert_left])); |
|
116 qed_spec_mp "uv1"; |
|
117 |
|
118 Goalw [uv_prop_def] |
|
119 "ALL GG. finite GG & GG <= X --> (JN G:GG. G) : X ==> uv_prop X"; |
|
120 by (rtac conjI 1); |
|
121 by (Clarify_tac 2); |
|
122 by (dres_inst_tac [("x", "{F,G}")] spec 2); |
|
123 by (dres_inst_tac [("x", "{}")] spec 1); |
|
124 by Auto_tac; |
|
125 qed "uv2"; |
|
126 |
|
127 (*Chandy & Sanders take this as a definition*) |
|
128 Goal "uv_prop X = (ALL GG. finite GG & GG <= X --> (JN G:GG. G) : X)"; |
|
129 by (blast_tac (claset() addIs [uv1,uv2]) 1); |
|
130 qed "uv_prop_finite"; |
|
131 |
|
132 |
|
133 (*** guarantees ***) |
|
134 |
|
135 val prems = Goal |
|
136 "(!!G. [| F Join G : X; Disjoint F G |] ==> F Join G : Y) \ |
|
137 \ ==> F : X guarantees Y"; |
|
138 by (simp_tac (simpset() addsimps [guar_def, component_eq]) 1); |
|
139 by (blast_tac (claset() addIs prems) 1); |
|
140 qed "guaranteesI"; |
|
141 |
|
142 Goalw [guar_def, component_def] |
|
143 "[| F : X guarantees Y; F Join G : X |] ==> F Join G : Y"; |
|
144 by (Blast_tac 1); |
|
145 qed "guaranteesD"; |
|
146 |
|
147 (*This version of guaranteesD matches more easily in the conclusion*) |
|
148 Goalw [guar_def] |
|
149 "[| F : X guarantees Y; H : X; F component H |] ==> H : Y"; |
|
150 by (Blast_tac 1); |
|
151 qed "component_guaranteesD"; |
|
152 |
|
153 (*This equation is more intuitive than the official definition*) |
|
154 Goal "(F : X guarantees Y) = \ |
|
155 \ (ALL G. F Join G : X & Disjoint F G --> F Join G : Y)"; |
|
156 by (simp_tac (simpset() addsimps [guar_def, component_eq]) 1); |
|
157 by (Blast_tac 1); |
|
158 qed "guarantees_eq"; |
|
159 |
|
160 Goalw [guar_def] |
|
161 "[| F: X guarantees X'; Y <= X; X' <= Y' |] ==> F: Y guarantees Y'"; |
|
162 by (Blast_tac 1); |
|
163 qed "guarantees_weaken"; |
|
164 |
|
165 Goalw [guar_def] |
|
166 "[| F: X guarantees Y; F component F' |] ==> F': X guarantees Y"; |
|
167 by (blast_tac (claset() addIs [component_trans]) 1); |
|
168 qed "guarantees_weaken_prog"; |
|
169 |
|
170 Goalw [guar_def] "X <= Y ==> X guarantees Y = UNIV"; |
|
171 by (Blast_tac 1); |
|
172 qed "subset_imp_guarantees_UNIV"; |
|
173 |
|
174 (*Equivalent to subset_imp_guarantees_UNIV but more intuitive*) |
|
175 Goalw [guar_def] "X <= Y ==> F : X guarantees Y"; |
|
176 by (Blast_tac 1); |
|
177 qed "subset_imp_guarantees"; |
|
178 |
|
179 (*Remark at end of section 4.1*) |
|
180 Goalw [guar_def] "ex_prop Y = (Y = UNIV guarantees Y)"; |
|
181 by (simp_tac (simpset() addsimps [ex_prop_equiv]) 1); |
|
182 by (blast_tac (claset() addEs [equalityE]) 1); |
|
183 qed "ex_prop_equiv2"; |
|
184 |
|
185 (** Distributive laws. Re-orient to perform miniscoping **) |
|
186 |
|
187 Goalw [guar_def] |
|
188 "(UN i:I. X i) guarantees Y = (INT i:I. X i guarantees Y)"; |
|
189 by (Blast_tac 1); |
|
190 qed "guarantees_UN_left"; |
|
191 |
|
192 Goalw [guar_def] |
|
193 "(X Un Y) guarantees Z = (X guarantees Z) Int (Y guarantees Z)"; |
|
194 by (Blast_tac 1); |
|
195 qed "guarantees_Un_left"; |
|
196 |
|
197 Goalw [guar_def] |
|
198 "X guarantees (INT i:I. Y i) = (INT i:I. X guarantees Y i)"; |
|
199 by (Blast_tac 1); |
|
200 qed "guarantees_INT_right"; |
|
201 |
|
202 Goalw [guar_def] |
|
203 "Z guarantees (X Int Y) = (Z guarantees X) Int (Z guarantees Y)"; |
|
204 by (Blast_tac 1); |
|
205 qed "guarantees_Int_right"; |
|
206 |
|
207 Goalw [guar_def] "(X guarantees Y) = (UNIV guarantees (-X Un Y))"; |
|
208 by (Blast_tac 1); |
|
209 qed "shunting"; |
|
210 |
|
211 Goalw [guar_def] "(X guarantees Y) = -Y guarantees -X"; |
|
212 by (Blast_tac 1); |
|
213 qed "contrapositive"; |
|
214 |
|
215 (** The following two can be expressed using intersection and subset, which |
|
216 is more faithful to the text but looks cryptic. |
|
217 **) |
|
218 |
|
219 Goalw [guar_def] |
|
220 "[| F : V guarantees X; F : (X Int Y) guarantees Z |]\ |
|
221 \ ==> F : (V Int Y) guarantees Z"; |
|
222 by (Blast_tac 1); |
|
223 qed "combining1"; |
|
224 |
|
225 Goalw [guar_def] |
|
226 "[| F : V guarantees (X Un Y); F : Y guarantees Z |]\ |
|
227 \ ==> F : V guarantees (X Un Z)"; |
|
228 by (Blast_tac 1); |
|
229 qed "combining2"; |
|
230 |
|
231 (** The following two follow Chandy-Sanders, but the use of object-quantifiers |
|
232 does not suit Isabelle... **) |
|
233 |
|
234 (*Premise should be (!!i. i: I ==> F: X guarantees Y i) *) |
|
235 Goalw [guar_def] |
|
236 "ALL i:I. F : X guarantees (Y i) ==> F : X guarantees (INT i:I. Y i)"; |
|
237 by (Blast_tac 1); |
|
238 qed "all_guarantees"; |
|
239 |
|
240 (*Premises should be [| F: X guarantees Y i; i: I |] *) |
|
241 Goalw [guar_def] |
|
242 "EX i:I. F : X guarantees (Y i) ==> F : X guarantees (UN i:I. Y i)"; |
|
243 by (Blast_tac 1); |
|
244 qed "ex_guarantees"; |
|
245 |
|
246 (*** Additional guarantees laws, by lcp ***) |
|
247 |
|
248 Goalw [guar_def] |
|
249 "[| F: U guarantees V; G: X guarantees Y |] \ |
|
250 \ ==> F Join G: (U Int X) guarantees (V Int Y)"; |
|
251 by (simp_tac (simpset() addsimps [Join_component_iff]) 1); |
|
252 by (Blast_tac 1); |
|
253 qed "guarantees_Join_Int"; |
|
254 |
|
255 Goalw [guar_def] |
|
256 "[| F: U guarantees V; G: X guarantees Y |] \ |
|
257 \ ==> F Join G: (U Un X) guarantees (V Un Y)"; |
|
258 by (simp_tac (simpset() addsimps [Join_component_iff]) 1); |
|
259 by (Blast_tac 1); |
|
260 qed "guarantees_Join_Un"; |
|
261 |
|
262 Goal "((JOIN I F) component H) = (ALL i: I. F i component H)"; |
|
263 by (simp_tac (simpset() addsimps [component_eq_subset, Acts_JN]) 1); |
|
264 by (Blast_tac 1); |
|
265 qed "JN_component_iff"; |
|
266 |
|
267 Goalw [guar_def] |
|
268 "[| ALL i:I. F i : X i guarantees Y i |] \ |
|
269 \ ==> (JOIN I F) : (INTER I X) guarantees (INTER I Y)"; |
|
270 by (simp_tac (simpset() addsimps [JN_component_iff]) 1); |
|
271 by (Blast_tac 1); |
|
272 bind_thm ("guarantees_JN_INT", ballI RS result()); |
|
273 |
|
274 Goalw [guar_def] |
|
275 "[| ALL i:I. F i : X i guarantees Y i |] \ |
|
276 \ ==> (JOIN I F) : (UNION I X) guarantees (UNION I Y)"; |
|
277 by (simp_tac (simpset() addsimps [JN_component_iff]) 1); |
|
278 by (Blast_tac 1); |
|
279 bind_thm ("guarantees_JN_UN", ballI RS result()); |
|
280 |
|
281 |
|
282 (*** guarantees laws for breaking down the program, by lcp ***) |
|
283 |
|
284 Goalw [guar_def] |
|
285 "F: X guarantees Y | G: X guarantees Y ==> F Join G: X guarantees Y"; |
|
286 by (simp_tac (simpset() addsimps [Join_component_iff]) 1); |
|
287 by (Blast_tac 1); |
|
288 qed "guarantees_Join_I"; |
|
289 |
|
290 Goalw [guar_def] |
|
291 "[| i : I; F i: X guarantees Y |] ==> (JN i:I. (F i)) : X guarantees Y"; |
|
292 by (simp_tac (simpset() addsimps [JN_component_iff]) 1); |
|
293 by (Blast_tac 1); |
|
294 qed "guarantees_JN_I"; |
|
295 |
|
296 |
|
297 (*** well-definedness ***) |
|
298 |
|
299 Goalw [welldef_def] "F Join G: welldef ==> F: welldef"; |
|
300 by Auto_tac; |
|
301 qed "Join_welldef_D1"; |
|
302 |
|
303 Goalw [welldef_def] "F Join G: welldef ==> G: welldef"; |
|
304 by Auto_tac; |
|
305 qed "Join_welldef_D2"; |
|
306 |
|
307 (*** refinement ***) |
|
308 |
|
309 Goalw [refines_def] "F refines F wrt X"; |
|
310 by (Blast_tac 1); |
|
311 qed "refines_refl"; |
|
312 |
|
313 Goalw [refines_def] |
|
314 "[| H refines G wrt X; G refines F wrt X |] ==> H refines F wrt X"; |
|
315 by Auto_tac; |
|
316 qed "refines_trans"; |
|
317 |
|
318 Goalw [strict_ex_prop_def] |
|
319 "strict_ex_prop X \ |
|
320 \ ==> (ALL H. F Join H : X --> G Join H : X) = (F:X --> G:X)"; |
|
321 by (Blast_tac 1); |
|
322 qed "strict_ex_refine_lemma"; |
|
323 |
|
324 Goalw [strict_ex_prop_def] |
|
325 "strict_ex_prop X \ |
|
326 \ ==> (ALL H. F Join H : welldef & F Join H : X --> G Join H : X) = \ |
|
327 \ (F: welldef Int X --> G:X)"; |
|
328 by Safe_tac; |
|
329 by (eres_inst_tac [("x","SKIP"), ("P", "%H. ?PP H --> ?RR H")] allE 1); |
|
330 by (auto_tac (claset() addDs [Join_welldef_D1, Join_welldef_D2], simpset())); |
|
331 qed "strict_ex_refine_lemma_v"; |
|
332 |
|
333 Goal "[| strict_ex_prop X; \ |
|
334 \ ALL H. F Join H : welldef Int X --> G Join H : welldef |] \ |
|
335 \ ==> (G refines F wrt X) = (G iso_refines F wrt X)"; |
|
336 by (res_inst_tac [("x","SKIP")] allE 1 |
|
337 THEN assume_tac 1); |
|
338 by (asm_full_simp_tac |
|
339 (simpset() addsimps [refines_def, iso_refines_def, |
|
340 strict_ex_refine_lemma_v]) 1); |
|
341 qed "ex_refinement_thm"; |
|
342 |
|
343 |
|
344 Goalw [strict_uv_prop_def] |
|
345 "strict_uv_prop X \ |
|
346 \ ==> (ALL H. F Join H : X --> G Join H : X) = (F:X --> G:X)"; |
|
347 by (Blast_tac 1); |
|
348 qed "strict_uv_refine_lemma"; |
|
349 |
|
350 Goalw [strict_uv_prop_def] |
|
351 "strict_uv_prop X \ |
|
352 \ ==> (ALL H. F Join H : welldef & F Join H : X --> G Join H : X) = \ |
|
353 \ (F: welldef Int X --> G:X)"; |
|
354 by Safe_tac; |
|
355 by (eres_inst_tac [("x","SKIP"), ("P", "%H. ?PP H --> ?RR H")] allE 1); |
|
356 by (auto_tac (claset() addDs [Join_welldef_D1, Join_welldef_D2], |
|
357 simpset())); |
|
358 qed "strict_uv_refine_lemma_v"; |
|
359 |
|
360 Goal "[| strict_uv_prop X; \ |
|
361 \ ALL H. F Join H : welldef Int X --> G Join H : welldef |] \ |
|
362 \ ==> (G refines F wrt X) = (G iso_refines F wrt X)"; |
|
363 by (res_inst_tac [("x","SKIP")] allE 1 |
|
364 THEN assume_tac 1); |
|
365 by (asm_full_simp_tac (simpset() addsimps [refines_def, iso_refines_def, |
|
366 strict_uv_refine_lemma_v]) 1); |
|
367 qed "uv_refinement_thm"; |
|