diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/UNITY.thy --- a/src/HOL/UNITY/UNITY.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/UNITY.thy Wed May 25 11:50:58 2016 +0200 @@ -8,7 +8,7 @@ From Misra, "A Logic for Concurrent Programming", 1994. *) -section {*The Basic UNITY Theory*} +section \The Basic UNITY Theory\ theory UNITY imports Main begin @@ -54,11 +54,11 @@ "invariant A == {F. Init F \ A} \ stable A" definition increasing :: "['a => 'b::{order}] => 'a program set" where - --{*Polymorphic in both states and the meaning of @{text "\"}*} + \\Polymorphic in both states and the meaning of \\\\ "increasing f == \z. stable {s. z \ f s}" -subsubsection{*The abstract type of programs*} +subsubsection\The abstract type of programs\ lemmas program_typedef = Rep_Program Rep_Program_inverse Abs_Program_inverse @@ -83,7 +83,7 @@ lemma insert_Id_AllowedActs [iff]: "insert Id (AllowedActs F) = AllowedActs F" by (simp add: insert_absorb) -subsubsection{*Inspectors for type "program"*} +subsubsection\Inspectors for type "program"\ lemma Init_eq [simp]: "Init (mk_program (init,acts,allowed)) = init" by (simp add: program_typedef) @@ -95,7 +95,7 @@ "AllowedActs (mk_program (init,acts,allowed)) = insert Id allowed" by (simp add: program_typedef) -subsubsection{*Equality for UNITY programs*} +subsubsection\Equality for UNITY programs\ lemma surjective_mk_program [simp]: "mk_program (Init F, Acts F, AllowedActs F) = F" @@ -124,7 +124,7 @@ by (blast intro: program_equalityI program_equalityE) -subsubsection{*co*} +subsubsection\co\ lemma constrainsI: "(!!act s s'. [| act: Acts F; (s,s') \ act; s \ A |] ==> s': A') @@ -147,12 +147,12 @@ lemma constrains_UNIV2 [iff]: "F \ A co UNIV" by (unfold constrains_def, blast) -text{*monotonic in 2nd argument*} +text\monotonic in 2nd argument\ lemma constrains_weaken_R: "[| F \ A co A'; A'<=B' |] ==> F \ A co B'" by (unfold constrains_def, blast) -text{*anti-monotonic in 1st argument*} +text\anti-monotonic in 1st argument\ lemma constrains_weaken_L: "[| F \ A co A'; B \ A |] ==> F \ B co A'" by (unfold constrains_def, blast) @@ -161,7 +161,7 @@ "[| F \ A co A'; B \ A; A'<=B' |] ==> F \ B co B'" by (unfold constrains_def, blast) -subsubsection{*Union*} +subsubsection\Union\ lemma constrains_Un: "[| F \ A co A'; F \ B co B' |] ==> F \ (A \ B) co (A' \ B')" @@ -184,7 +184,7 @@ lemma constrains_INT_distrib: "A co (\i \ I. B i) = (\i \ I. A co B i)" by (unfold constrains_def, blast) -subsubsection{*Intersection*} +subsubsection\Intersection\ lemma constrains_Int: "[| F \ A co A'; F \ B co B' |] ==> F \ (A \ B) co (A' \ B')" @@ -198,8 +198,8 @@ lemma constrains_imp_subset: "F \ A co A' ==> A \ A'" by (unfold constrains_def, auto) -text{*The reasoning is by subsets since "co" refers to single actions - only. So this rule isn't that useful.*} +text\The reasoning is by subsets since "co" refers to single actions + only. So this rule isn't that useful.\ lemma constrains_trans: "[| F \ A co B; F \ B co C |] ==> F \ A co C" by (unfold constrains_def, blast) @@ -209,7 +209,7 @@ by (unfold constrains_def, clarify, blast) -subsubsection{*unless*} +subsubsection\unless\ lemma unlessI: "F \ (A-B) co (A \ B) ==> F \ A unless B" by (unfold unless_def, assumption) @@ -218,7 +218,7 @@ by (unfold unless_def, assumption) -subsubsection{*stable*} +subsubsection\stable\ lemma stableI: "F \ A co A ==> F \ stable A" by (unfold stable_def, assumption) @@ -229,7 +229,7 @@ lemma stable_UNIV [simp]: "stable UNIV = UNIV" by (unfold stable_def constrains_def, auto) -subsubsection{*Union*} +subsubsection\Union\ lemma stable_Un: "[| F \ stable A; F \ stable A' |] ==> F \ stable (A \ A')" @@ -248,7 +248,7 @@ "(!!A. A \ X ==> F \ stable A) ==> F \ stable (\X)" by (unfold stable_def constrains_def, blast) -subsubsection{*Intersection*} +subsubsection\Intersection\ lemma stable_Int: "[| F \ stable A; F \ stable A' |] ==> F \ stable (A \ A')" @@ -278,18 +278,18 @@ lemmas stable_constrains_stable = stable_constrains_Int[THEN stableI] -subsubsection{*invariant*} +subsubsection\invariant\ lemma invariantI: "[| Init F \ A; F \ stable A |] ==> F \ invariant A" by (simp add: invariant_def) -text{*Could also say @{term "invariant A \ invariant B \ invariant(A \ B)"}*} +text\Could also say @{term "invariant A \ invariant B \ invariant(A \ B)"}\ lemma invariant_Int: "[| F \ invariant A; F \ invariant B |] ==> F \ invariant (A \ B)" by (auto simp add: invariant_def stable_Int) -subsubsection{*increasing*} +subsubsection\increasing\ lemma increasingD: "F \ increasing f ==> F \ stable {s. z \ f s}" @@ -319,15 +319,15 @@ ==> F \ {s. s x \ M} co (\m \ M. B m)" by (unfold constrains_def, blast) -text{*As above, but for the trivial case of a one-variable state, in which the - state is identified with its one variable.*} +text\As above, but for the trivial case of a one-variable state, in which the + state is identified with its one variable.\ lemma elimination_sing: "(\m \ M. F \ {m} co (B m)) ==> F \ M co (\m \ M. B m)" by (unfold constrains_def, blast) -subsubsection{*Theoretical Results from Section 6*} +subsubsection\Theoretical Results from Section 6\ lemma constrains_strongest_rhs: "F \ A co (strongest_rhs F A )" @@ -338,7 +338,7 @@ by (unfold constrains_def strongest_rhs_def, blast) -subsubsection{*Ad-hoc set-theory rules*} +subsubsection\Ad-hoc set-theory rules\ lemma Un_Diff_Diff [simp]: "A \ B - (A - B) = B" by blast @@ -346,7 +346,7 @@ lemma Int_Union_Union: "\B \ A = \((%C. C \ A)`B)" by blast -text{*Needed for WF reasoning in WFair.thy*} +text\Needed for WF reasoning in WFair.thy\ lemma Image_less_than [simp]: "less_than `` {k} = greaterThan k" by blast @@ -355,7 +355,7 @@ by blast -subsection{*Partial versus Total Transitions*} +subsection\Partial versus Total Transitions\ definition totalize_act :: "('a * 'a)set => ('a * 'a)set" where "totalize_act act == act \ Id_on (-(Domain act))" @@ -376,7 +376,7 @@ by (blast intro: sym [THEN image_eqI]) -subsubsection{*Basic properties*} +subsubsection\Basic properties\ lemma totalize_act_Id [simp]: "totalize_act Id = Id" by (simp add: totalize_act_def) @@ -427,9 +427,9 @@ by (simp add: mk_total_program_def) -subsection{*Rules for Lazy Definition Expansion*} +subsection\Rules for Lazy Definition Expansion\ -text{*They avoid expanding the full program, which is a large expression*} +text\They avoid expanding the full program, which is a large expression\ lemma def_prg_Init: "F = mk_total_program (init,acts,allowed) ==> Init F = init" @@ -445,16 +445,16 @@ ==> AllowedActs F = insert Id allowed" by (simp add: mk_total_program_def) -text{*An action is expanded if a pair of states is being tested against it*} +text\An action is expanded if a pair of states is being tested against it\ lemma def_act_simp: "act = {(s,s'). P s s'} ==> ((s,s') \ act) = P s s'" by (simp add: mk_total_program_def) -text{*A set is expanded only if an element is being tested against it*} +text\A set is expanded only if an element is being tested against it\ lemma def_set_simp: "A = B ==> (x \ A) = (x \ B)" by (simp add: mk_total_program_def) -subsubsection{*Inspectors for type "program"*} +subsubsection\Inspectors for type "program"\ lemma Init_total_eq [simp]: "Init (mk_total_program (init,acts,allowed)) = init"