# HG changeset patch # User wenzelm # Date 1444507343 -7200 # Node ID 331be2820f902cd19bac42babe4288ff468e6eb0 # Parent 2332d9be352b0c33abce4959dde3ab5ac835ea8f tuned syntax -- more symbols; diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/AllocImpl.thy --- a/src/ZF/UNITY/AllocImpl.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/AllocImpl.thy Sat Oct 10 22:02:23 2015 +0200 @@ -248,7 +248,7 @@ alloc_prog \ G \ Incr(lift(rel)); k\nat |] ==> alloc_prog \ G \ {s\state. k \ length(s`rel)} \ {s\state. succ(s`NbR) = k} - LeadsTo {s\state. k \ s`NbR}" + \w {s\state. k \ s`NbR}" apply (subgoal_tac "alloc_prog \ G \ Stable ({s\state. k \ length (s`rel)})") apply (drule_tac [2] a = k and g1 = length in imp_Increasing_comp [THEN Increasing_imp_Stable]) apply (rule_tac [2] mono_length) @@ -268,7 +268,7 @@ k\nat; n \ nat; n < k |] ==> alloc_prog \ G \ {s\state . k \ length(s ` rel)} \ {s\state . s ` NbR = n} - LeadsTo {x \ state. k \ length(x`rel)} \ + \w {x \ state. k \ length(x`rel)} \ (\m \ greater_than(n). {x \ state. x ` NbR=m})" apply (unfold greater_than_def) apply (rule_tac A' = "{x \ state. k \ length(x`rel)} \ {x \ state. n < x`NbR}" @@ -301,7 +301,7 @@ "[|G \ program; alloc_prog ok G; alloc_prog \ G \ Incr(lift(rel)); k\nat|] ==> alloc_prog \ G \ - {s\state. k \ length(s`rel)} LeadsTo {s\state. k \ s`NbR}" + {s\state. k \ length(s`rel)} \w {s\state. k \ s`NbR}" (* Proof by induction over the difference between k and n *) apply (rule_tac f = "\s\state. k #- s`NbR" in LessThan_induct) apply (simp_all add: lam_def, auto) @@ -376,8 +376,8 @@ {s\state. nth(length(s`giv), s`ask) \ s`available_tok} \ {s\state. k < length(s`ask)} \ {s\state. length(s`giv) = k} - LeadsTo {s\state. k < length(s`giv)}" -apply (subgoal_tac "alloc_prog \ G \ {s\state. nth (length(s`giv), s`ask) \ s`available_tok} \ {s\state. k < length(s`ask) } \ {s\state. length(s`giv) = k} LeadsTo {s\state. ~ k {s\state. length(s`giv) \ k}") + \w {s\state. k < length(s`giv)}" +apply (subgoal_tac "alloc_prog \ G \ {s\state. nth (length(s`giv), s`ask) \ s`available_tok} \ {s\state. k < length(s`ask) } \ {s\state. length(s`giv) = k} \w {s\state. ~ k {s\state. length(s`giv) \ k}") prefer 2 apply (blast intro: alloc_prog_giv_Ensures_lemma [THEN LeadsTo_Basis]) apply (subgoal_tac "alloc_prog \ G \ Stable ({s\state. k < length(s`ask) }) ") apply (drule PSP_Stable, assumption) @@ -424,12 +424,12 @@ subsubsection\Main lemmas towards proving property (31)\ lemma LeadsTo_strength_R: - "[| F \ C LeadsTo B'; F \ A-C LeadsTo B; B'<=B |] ==> F \ A LeadsTo B" + "[| F \ C \w B'; F \ A-C \w B; B'<=B |] ==> F \ A \w B" by (blast intro: LeadsTo_weaken LeadsTo_Un_Un) lemma PSP_StableI: -"[| F \ Stable(C); F \ A - C LeadsTo B; - F \ A \ C LeadsTo B \ (state - C) |] ==> F \ A LeadsTo B" +"[| F \ Stable(C); F \ A - C \w B; + F \ A \ C \w B \ (state - C) |] ==> F \ A \w B" apply (rule_tac A = " (A-C) \ (A \ C)" in LeadsTo_weaken_L) prefer 2 apply blast apply (rule LeadsTo_Un, assumption) @@ -453,7 +453,7 @@ and safety: "alloc_prog \ G \ Always(\k \ nat. {s\state. nth(k, s`ask) \ NbT})" and progress: "alloc_prog \ G - \ (\k\nat. {s\state. k \ tokens(s`giv)} LeadsTo + \ (\k\nat. {s\state. k \ tokens(s`giv)} \w {s\state. k \ tokens(s`rel)})" (*First step in proof of (31) -- the corrected version from Charpentier. @@ -463,7 +463,7 @@ "k \ tokbag ==> alloc_prog \ G \ {s\state. k \ tokens(s`rel)} - LeadsTo {s\state. k \ tokens(take(s`NbR, s`rel))}" + \w {s\state. k \ tokens(take(s`NbR, s`rel))}" apply (rule single_LeadsTo_I, safe) apply (rule_tac a1 = "s`rel" in Increasing_imp_Stable [THEN PSP_StableI]) apply (rule_tac [4] k1 = "length(s`rel)" in alloc_prog_NbR_LeadsTo_lemma3 [THEN LeadsTo_strength_R]) @@ -477,12 +477,12 @@ (*** Rest of proofs done by lcp ***) (*Second step in proof of (31): by LHS of the guarantee and transivity of - LeadsTo *) + \w *) lemma (in alloc_progress) tokens_take_NbR_lemma2: "k \ tokbag ==> alloc_prog \ G \ {s\state. tokens(s`giv) = k} - LeadsTo {s\state. k \ tokens(take(s`NbR, s`rel))}" + \w {s\state. k \ tokens(take(s`NbR, s`rel))}" apply (rule LeadsTo_Trans) apply (rule_tac [2] tokens_take_NbR_lemma) prefer 2 apply assumption @@ -495,7 +495,7 @@ "[| k \ tokbag; n \ nat |] ==> alloc_prog \ G \ {s\state. length(s`giv) = n & tokens(s`giv) = k} - LeadsTo + \w {s\state. (length(s`giv) = n & tokens(s`giv) = k & k \ tokens(take(s`NbR, s`rel))) | n < length(s`giv)}" apply (rule single_LeadsTo_I, safe) @@ -515,7 +515,7 @@ "[|k \ tokbag; n \ nat|] ==> alloc_prog \ G \ {s\state. length(s`giv) = n & tokens(s`giv) = k} - LeadsTo + \w {s\state. (length(s`giv) = n & NbT \ s`available_tok) | n < length(s`giv)}" apply (rule LeadsTo_weaken_R) @@ -528,7 +528,7 @@ "n \ nat ==> alloc_prog \ G \ {s\state. length(s`giv) = n} - LeadsTo + \w {s\state. (length(s`giv) = n & NbT \ s`available_tok) | n < length(s`giv)}" apply (rule LeadsTo_weaken_L) @@ -543,7 +543,7 @@ "[|k \ nat; n < k|] ==> alloc_prog \ G \ {s\state. length(s`ask) = k & length(s`giv) = n} - LeadsTo + \w {s\state. (NbT \ s`available_tok & length(s`giv) < length(s`ask) & length(s`giv) = n) | n < length(s`giv)}" @@ -566,7 +566,7 @@ "[|k \ nat; n < k|] ==> alloc_prog \ G \ {s\state. length(s`ask) = k & length(s`giv) = n} - LeadsTo + \w {s\state. (nth(length(s`giv), s`ask) \ s`available_tok & length(s`giv) < length(s`ask) & length(s`giv) = n) | n < length(s`giv)}" @@ -583,7 +583,7 @@ "[| k \ nat; n < k|] ==> alloc_prog \ G \ {s\state. length(s`ask) = k & length(s`giv) = n} - LeadsTo {s\state. n < length(s`giv)}" + \w {s\state. n < length(s`giv)}" apply (rule LeadsTo_Un_duplicate) apply (rule LeadsTo_cancel1) apply (rule_tac [2] alloc_prog_giv_LeadsTo_lemma) @@ -598,7 +598,7 @@ lemma (in alloc_progress) alloc_prog_ask_LeadsTo_giv: "k \ nat ==> alloc_prog \ G \ - {s\state. k \ length(s`ask)} LeadsTo {s\state. k \ length(s`giv)}" + {s\state. k \ length(s`ask)} \w {s\state. k \ length(s`giv)}" (* Proof by induction over the difference between k and n *) apply (rule_tac f = "\s\state. k #- length(s`giv)" in LessThan_induct) apply (auto simp add: lam_def Collect_vimage_eq) @@ -623,7 +623,7 @@ lemma (in alloc_progress) final: "h \ list(tokbag) ==> alloc_prog \ G - \ {s\state. \ prefix(tokbag)} LeadsTo + \ {s\state. \ prefix(tokbag)} \w {s\state. \ prefix(tokbag)}" apply (rule single_LeadsTo_I) prefer 2 apply simp @@ -647,10 +647,10 @@ "alloc_prog \ Incr(lift(ask)) \ Incr(lift(rel)) \ Always(\k \ nat. {s\state. nth(k, s`ask) \ NbT}) \ - (\k\nat. {s\state. k \ tokens(s`giv)} LeadsTo + (\k\nat. {s\state. k \ tokens(s`giv)} \w {s\state. k \ tokens(s`rel)}) guarantees (\h \ list(tokbag). - {s\state. \ prefix(tokbag)} LeadsTo + {s\state. \ prefix(tokbag)} \w {s\state. \ prefix(tokbag)})" apply (rule guaranteesI) apply (rule INT_I) diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/ClientImpl.thy --- a/src/ZF/UNITY/ClientImpl.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/ClientImpl.thy Sat Oct 10 22:02:23 2015 +0200 @@ -219,7 +219,7 @@ ==> client_prog \ G \ {s \ state. s`rel = k & \ strict_prefix(nat) & \ prefix(nat) & h pfixGe s`ask} - LeadsTo {s \ state. \ strict_prefix(nat) + \w {s \ state. \ strict_prefix(nat) & \ prefix(nat) & \ prefix(nat) & h pfixGe s`ask}" @@ -248,7 +248,7 @@ ==> client_prog \ G \ {s \ state. \ strict_prefix(nat) & \ prefix(nat) & h pfixGe s`ask} - LeadsTo {s \ state. \ prefix(nat)}" + \w {s \ state. \ prefix(nat)}" apply (rule_tac f = "\x \ state. length(h) #- length(x`rel)" in LessThan_induct) apply (auto simp add: vimage_def) @@ -276,7 +276,7 @@ "[| client_prog \ G \ Incr(lift(giv)); client_prog ok G; G \ program |] ==> client_prog \ G \ {s \ state. \ prefix(nat) & h pfixGe s`ask} - LeadsTo {s \ state. \ prefix(nat)}" + \w {s \ state. \ prefix(nat)}" apply (rule client_prog_Join_Always_rel_le_giv [THEN Always_LeadsToI], assumption) apply (force simp add: client_prog_ok_iff) @@ -291,7 +291,7 @@ lemma client_prog_progress: "client_prog \ Incr(lift(giv)) guarantees (\h \ list(nat). {s \ state. \ prefix(nat) & - h pfixGe s`ask} LeadsTo {s \ state. \ prefix(nat)})" + h pfixGe s`ask} \w {s \ state. \ prefix(nat)})" apply (rule guaranteesI) apply (blast intro: progress_lemma, auto) done diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/Comp.thy --- a/src/ZF/UNITY/Comp.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/Comp.thy Sat Oct 10 22:02:23 2015 +0200 @@ -19,7 +19,7 @@ definition component :: "[i,i]=>o" (infixl "component" 65) where - "F component H == (\G. F Join G = H)" + "F component H == (\G. F \ G = H)" definition strict_component :: "[i,i]=>o" (infixl "strict'_component" 65) where @@ -28,7 +28,7 @@ definition (* A stronger form of the component relation *) component_of :: "[i,i]=>o" (infixl "component'_of" 65) where - "F component_of H == (\G. F ok G & F Join G = H)" + "F component_of H == (\G. F ok G & F \ G = H)" definition strict_component_of :: "[i,i]=>o" (infixl "strict'_component'_of" 65) where @@ -52,10 +52,10 @@ (*** component and strict_component relations ***) lemma componentI: - "H component F | H component G ==> H component (F Join G)" + "H component F | H component G ==> H component (F \ G)" apply (unfold component_def, auto) -apply (rule_tac x = "Ga Join G" in exI) -apply (rule_tac [2] x = "G Join F" in exI) +apply (rule_tac x = "Ga \ G" in exI) +apply (rule_tac [2] x = "G \ F" in exI) apply (auto simp add: Join_ac) done @@ -84,22 +84,22 @@ apply (simp_all add: component_eq_subset, blast) done -lemma component_Join1: "F component (F Join G)" +lemma component_Join1: "F component (F \ G)" by (unfold component_def, blast) -lemma component_Join2: "G component (F Join G)" +lemma component_Join2: "G component (F \ G)" apply (unfold component_def) apply (simp (no_asm) add: Join_commute) apply blast done -lemma Join_absorb1: "F component G ==> F Join G = G" +lemma Join_absorb1: "F component G ==> F \ G = G" by (auto simp add: component_def Join_left_absorb) -lemma Join_absorb2: "G component F ==> F Join G = F" +lemma Join_absorb2: "G component F ==> F \ G = F" by (auto simp add: Join_ac component_def) -lemma JN_component_iff: +lemma JOIN_component_iff: "H \ program==>(JOIN(I,F) component H) \ (\i \ I. F(i) component H)" apply (case_tac "I=0", force) apply (simp (no_asm_simp) add: component_eq_subset) @@ -110,9 +110,9 @@ apply (blast elim!: not_emptyE)+ done -lemma component_JN: "i \ I ==> F(i) component (\i \ I. (F(i)))" +lemma component_JOIN: "i \ I ==> F(i) component (\i \ I. (F(i)))" apply (unfold component_def) -apply (blast intro: JN_absorb) +apply (blast intro: JOIN_absorb) done lemma component_trans: "[| F component G; G component H |] ==> F component H" @@ -129,7 +129,7 @@ lemma Join_component_iff: "H \ program ==> - ((F Join G) component H) \ (F component H & G component H)" + ((F \ G) component H) \ (F component H & G component H)" apply (simp (no_asm_simp) add: component_eq_subset) apply blast done @@ -163,13 +163,13 @@ done lemma Join_preserves [iff]: -"(F Join G \ preserves(v)) \ +"(F \ G \ preserves(v)) \ (programify(F) \ preserves(v) & programify(G) \ preserves(v))" by (auto simp add: preserves_def INT_iff) -lemma JN_preserves [iff]: +lemma JOIN_preserves [iff]: "(JOIN(I,F): preserves(v)) \ (\i \ I. programify(F(i)):preserves(v))" -by (auto simp add: JN_stable preserves_def INT_iff) +by (auto simp add: JOIN_stable preserves_def INT_iff) lemma SKIP_preserves [iff]: "SKIP \ preserves(v)" by (auto simp add: preserves_def INT_iff) @@ -286,7 +286,7 @@ lemma stable_localTo_stable2: "[| F \ stable({s \ state. P(f(s), g(s))}); G \ preserves(f); G \ preserves(g) |] - ==> F Join G \ stable({s \ state. P(f(s), g(s))})" + ==> F \ G \ stable({s \ state. P(f(s), g(s))})" apply (auto dest: ActsD preserves_into_program simp add: stable_def constrains_def) apply (case_tac "act \ Acts (F) ") apply auto @@ -296,9 +296,9 @@ lemma Increasing_preserves_Stable: "[| F \ stable({s \ state. :r}); G \ preserves(f); - F Join G \ Increasing(A, r, g); + F \ G \ Increasing(A, r, g); \x \ state. f(x):A & g(x):A |] - ==> F Join G \ Stable({s \ state. :r})" + ==> F \ G \ Stable({s \ state. :r})" apply (auto simp add: stable_def Stable_def Increasing_def Constrains_def all_conj_distrib) apply (simp_all add: constrains_type [THEN subsetD] preserves_type [THEN subsetD]) apply (blast intro: constrains_weaken) @@ -321,9 +321,9 @@ lemma stable_Join_Stable: "[| F \ stable({s \ state. P(f(s), g(s))}); - \k \ A. F Join G \ Stable({s \ state. P(k, g(s))}); + \k \ A. F \ G \ Stable({s \ state. P(k, g(s))}); G \ preserves(f); \s \ state. f(s):A|] - ==> F Join G \ Stable({s \ state. P(f(s), g(s))})" + ==> F \ G \ Stable({s \ state. P(f(s), g(s))})" apply (unfold stable_def Stable_def preserves_def) apply (rule_tac A = "(\k \ A. {s \ state. f(s)=k} \ {s \ state. P (f (s), g (s))})" in Constrains_weaken_L) prefer 2 apply blast diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/Follows.thy --- a/src/ZF/UNITY/Follows.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/Follows.thy Sat Oct 10 22:02:23 2015 +0200 @@ -15,7 +15,7 @@ Increasing(A, r, g) Int Increasing(A, r,f) Int Always({s \ state. :r}) Int - (\k \ A. {s \ state. :r} LeadsTo {s \ state. :r})" + (\k \ A. {s \ state. :r} \w {s \ state. :r})" abbreviation Incr :: "[i=>i]=>i" where @@ -79,8 +79,8 @@ lemma subset_LeadsTo_comp: "[| mono1(A, r, B, s, h); refl(A,r); trans[B](s); \x \ state. f(x):A & g(x):A |] ==> - (\j \ A. {s \ state. \ r} LeadsTo {s \ state. \ r}) <= - (\k \ B. {x \ state. \ s} LeadsTo {x \ state. \ s})" + (\j \ A. {s \ state. \ r} \w {s \ state. \ r}) <= + (\k \ B. {x \ state. \ s} \w {x \ state. \ s})" apply (unfold mono1_def metacomp_def, clarify) apply (simp_all (no_asm_use) add: INT_iff) @@ -97,19 +97,19 @@ done lemma imp_LeadsTo_comp: -"[| F:(\j \ A. {s \ state. \ r} LeadsTo {s \ state. \ r}); +"[| F:(\j \ A. {s \ state. \ r} \w {s \ state. \ r}); mono1(A, r, B, s, h); refl(A,r); trans[B](s); \x \ state. f(x):A & g(x):A |] ==> - F:(\k \ B. {x \ state. \ s} LeadsTo {x \ state. \ s})" + F:(\k \ B. {x \ state. \ s} \w {x \ state. \ s})" apply (rule subset_LeadsTo_comp [THEN subsetD], auto) done lemma imp_LeadsTo_comp_right: "[| F \ Increasing(B, s, g); - \j \ A. F: {s \ state. \ r} LeadsTo {s \ state. \ r}; + \j \ A. F: {s \ state. \ r} \w {s \ state. \ r}; mono2(A, r, B, s, C, t, h); refl(A, r); refl(B, s); trans[C](t); \x \ state. f1(x):A & f(x):A & g(x):B; k \ C |] ==> - F:{x \ state. \ t} LeadsTo {x \ state. \ t}" + F:{x \ state. \ t} \w {x \ state. \ t}" apply (unfold mono2_def Increasing_def) apply (rule single_LeadsTo_I, auto) apply (drule_tac x = "g (sa) " and A = B in bspec) @@ -129,10 +129,10 @@ lemma imp_LeadsTo_comp_left: "[| F \ Increasing(A, r, f); - \j \ B. F: {x \ state. \ s} LeadsTo {x \ state. \ s}; + \j \ B. F: {x \ state. \ s} \w {x \ state. \ s}; mono2(A, r, B, s, C, t, h); refl(A,r); refl(B, s); trans[C](t); \x \ state. f(x):A & g1(x):B & g(x):B; k \ C |] ==> - F:{x \ state. \ t} LeadsTo {x \ state. \ t}" + F:{x \ state. \ t} \w {x \ state. \ t}" apply (unfold mono2_def Increasing_def) apply (rule single_LeadsTo_I, auto) apply (drule_tac x = "f (sa) " and P = "%k. F \ Stable (X (k))" for X in bspec) @@ -153,11 +153,11 @@ (** This general result is used to prove Follows Un, munion, etc. **) lemma imp_LeadsTo_comp2: "[| F \ Increasing(A, r, f1) \ Increasing(B, s, g); - \j \ A. F: {s \ state. \ r} LeadsTo {s \ state. \ r}; - \j \ B. F: {x \ state. \ s} LeadsTo {x \ state. \ s}; + \j \ A. F: {s \ state. \ r} \w {s \ state. \ r}; + \j \ B. F: {x \ state. \ s} \w {x \ state. \ s}; mono2(A, r, B, s, C, t, h); refl(A,r); refl(B, s); trans[C](t); \x \ state. f(x):A & g1(x):B & f1(x):A &g(x):B; k \ C |] - ==> F:{x \ state. \ t} LeadsTo {x \ state. \ t}" + ==> F:{x \ state. \ t} \w {x \ state. \ t}" apply (rule_tac B = "{x \ state. \ t}" in LeadsTo_Trans) apply (blast intro: imp_LeadsTo_comp_right) apply (blast intro: imp_LeadsTo_comp_left) @@ -259,17 +259,17 @@ lemma Follows_imp_LeadsTo: "[| F \ Follows(A, r, f, g); k \ A |] ==> - F: {s \ state. \ r } LeadsTo {s \ state. \ r}" + F: {s \ state. \ r } \w {s \ state. \ r}" by (unfold Follows_def, blast) lemma Follows_LeadsTo_pfixLe: "[| F \ Follows(list(nat), gen_prefix(nat, Le), f, g); k \ list(nat) |] - ==> F \ {s \ state. k pfixLe g(s)} LeadsTo {s \ state. k pfixLe f(s)}" + ==> F \ {s \ state. k pfixLe g(s)} \w {s \ state. k pfixLe f(s)}" by (blast intro: Follows_imp_LeadsTo) lemma Follows_LeadsTo_pfixGe: "[| F \ Follows(list(nat), gen_prefix(nat, Ge), f, g); k \ list(nat) |] - ==> F \ {s \ state. k pfixGe g(s)} LeadsTo {s \ state. k pfixGe f(s)}" + ==> F \ {s \ state. k pfixGe g(s)} \w {s \ state. k pfixGe f(s)}" by (blast intro: Follows_imp_LeadsTo) lemma Always_Follows1: diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/Guar.thy --- a/src/ZF/UNITY/Guar.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/Guar.thy Sat Oct 10 22:02:23 2015 +0200 @@ -25,7 +25,7 @@ (* To be moved to theory WFair???? *) -lemma leadsTo_Basis': "[| F \ A co A \ B; F \ transient(A); st_set(B) |] ==> F \ A leadsTo B" +lemma leadsTo_Basis': "[| F \ A co A \ B; F \ transient(A); st_set(B) |] ==> F \ A \ B" apply (frule constrainsD2) apply (drule_tac B = "A-B" in constrains_weaken_L, blast) apply (drule_tac B = "A-B" in transient_strengthen, blast) @@ -39,27 +39,27 @@ definition ex_prop :: "i => o" where "ex_prop(X) == X<=program & - (\F \ program. \G \ program. F ok G \ F \ X | G \ X \ (F Join G) \ X)" + (\F \ program. \G \ program. F ok G \ F \ X | G \ X \ (F \ G) \ X)" definition strict_ex_prop :: "i => o" where "strict_ex_prop(X) == X<=program & - (\F \ program. \G \ program. F ok G \ (F \ X | G \ X) \ (F Join G \ X))" + (\F \ program. \G \ program. F ok G \ (F \ X | G \ X) \ (F \ G \ X))" definition uv_prop :: "i => o" where "uv_prop(X) == X<=program & - (SKIP \ X & (\F \ program. \G \ program. F ok G \ F \ X & G \ X \ (F Join G) \ X))" + (SKIP \ X & (\F \ program. \G \ program. F ok G \ F \ X & G \ X \ (F \ G) \ X))" definition strict_uv_prop :: "i => o" where "strict_uv_prop(X) == X<=program & - (SKIP \ X & (\F \ program. \G \ program. F ok G \(F \ X & G \ X) \ (F Join G \ X)))" + (SKIP \ X & (\F \ program. \G \ program. F ok G \(F \ X & G \ X) \ (F \ G \ X)))" definition guar :: "[i, i] => i" (infixl "guarantees" 55) where (*higher than membership, lower than Co*) - "X guarantees Y == {F \ program. \G \ program. F ok G \ F Join G \ X \ F Join G \ Y}" + "X guarantees Y == {F \ program. \G \ program. F ok G \ F \ G \ X \ F \ G \ Y}" definition (* Weakest guarantees *) @@ -72,15 +72,15 @@ "wx(X) == \({Y \ Pow(program). Y<=X & ex_prop(Y)})" definition - (*Ill-defined programs can arise through "Join"*) + (*Ill-defined programs can arise through "\"*) welldef :: i where "welldef == {F \ program. Init(F) \ 0}" definition refines :: "[i, i, i] => o" ("(3_ refines _ wrt _)" [10,10,10] 10) where "G refines F wrt X == - \H \ program. (F ok H & G ok H & F Join H \ welldef \ X) - \ (G Join H \ welldef \ X)" + \H \ program. (F ok H & G ok H & F \ H \ welldef \ X) + \ (G \ H \ welldef \ X)" definition iso_refines :: "[i,i, i] => o" ("(3_ iso'_refines _ wrt _)" [10,10,10] 10) where @@ -166,14 +166,14 @@ (*** guarantees ***) lemma guaranteesI: - "[| (!!G. [| F ok G; F Join G \ X; G \ program |] ==> F Join G \ Y); + "[| (!!G. [| F ok G; F \ G \ X; G \ program |] ==> F \ G \ Y); F \ program |] ==> F \ X guarantees Y" by (simp add: guar_def component_def) lemma guaranteesD: - "[| F \ X guarantees Y; F ok G; F Join G \ X; G \ program |] - ==> F Join G \ Y" + "[| F \ X guarantees Y; F ok G; F \ G \ X; G \ program |] + ==> F \ G \ Y" by (simp add: guar_def component_def) @@ -181,7 +181,7 @@ The major premise can no longer be F\H since we need to reason about G*) lemma component_guaranteesD: - "[| F \ X guarantees Y; F Join G = H; H \ X; F ok G; G \ program |] + "[| F \ X guarantees Y; F \ G = H; H \ X; F ok G; G \ program |] ==> H \ Y" by (simp add: guar_def, blast) @@ -198,10 +198,10 @@ "[| X \ Y; F \ program |] ==> F \ X guarantees Y" by (unfold guar_def, blast) -lemma component_of_Join1: "F ok G ==> F component_of (F Join G)" +lemma component_of_Join1: "F ok G ==> F component_of (F \ G)" by (unfold component_of_def, blast) -lemma component_of_Join2: "F ok G ==> G component_of (F Join G)" +lemma component_of_Join2: "F ok G ==> G component_of (F \ G)" apply (subst Join_commute) apply (blast intro: ok_sym component_of_Join1) done @@ -305,82 +305,82 @@ lemma guarantees_Join_Int: "[| F \ U guarantees V; G \ X guarantees Y; F ok G |] - ==> F Join G: (U \ X) guarantees (V \ Y)" + ==> F \ G: (U \ X) guarantees (V \ Y)" apply (unfold guar_def) apply (simp (no_asm)) apply safe apply (simp add: Join_assoc) -apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") +apply (subgoal_tac "F \ G \ Ga = G \ (F \ Ga) ") apply (simp add: ok_commute) apply (simp (no_asm_simp) add: Join_ac) done lemma guarantees_Join_Un: "[| F \ U guarantees V; G \ X guarantees Y; F ok G |] - ==> F Join G: (U \ X) guarantees (V \ Y)" + ==> F \ G: (U \ X) guarantees (V \ Y)" apply (unfold guar_def) apply (simp (no_asm)) apply safe apply (simp add: Join_assoc) -apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") +apply (subgoal_tac "F \ G \ Ga = G \ (F \ Ga) ") apply (rotate_tac 4) -apply (drule_tac x = "F Join Ga" in bspec) +apply (drule_tac x = "F \ Ga" in bspec) apply (simp (no_asm)) apply (force simp add: ok_commute) apply (simp (no_asm_simp) add: Join_ac) done -lemma guarantees_JN_INT: +lemma guarantees_JOIN_INT: "[| \i \ I. F(i) \ X(i) guarantees Y(i); OK(I,F); i \ I |] ==> (\i \ I. F(i)) \ (\i \ I. X(i)) guarantees (\i \ I. Y(i))" apply (unfold guar_def, safe) prefer 2 apply blast apply (drule_tac x = xa in bspec) apply (simp_all add: INT_iff, safe) -apply (drule_tac x = "(\x \ (I-{xa}) . F (x)) Join G" and A=program in bspec) -apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) +apply (drule_tac x = "(\x \ (I-{xa}) . F (x)) \ G" and A=program in bspec) +apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JOIN_Join_diff JOIN_absorb) done -lemma guarantees_JN_UN: +lemma guarantees_JOIN_UN: "[| \i \ I. F(i) \ X(i) guarantees Y(i); OK(I,F) |] ==> JOIN(I,F) \ (\i \ I. X(i)) guarantees (\i \ I. Y(i))" apply (unfold guar_def, auto) apply (drule_tac x = y in bspec, simp_all, safe) apply (rename_tac G y) -apply (drule_tac x = "JOIN (I-{y}, F) Join G" and A=program in bspec) -apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) +apply (drule_tac x = "JOIN (I-{y}, F) \ G" and A=program in bspec) +apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JOIN_Join_diff JOIN_absorb) done (*** guarantees laws for breaking down the program, by lcp ***) lemma guarantees_Join_I1: - "[| F \ X guarantees Y; F ok G |] ==> F Join G \ X guarantees Y" + "[| F \ X guarantees Y; F ok G |] ==> F \ G \ X guarantees Y" apply (simp add: guar_def, safe) apply (simp add: Join_assoc) done lemma guarantees_Join_I2: - "[| G \ X guarantees Y; F ok G |] ==> F Join G \ X guarantees Y" + "[| G \ X guarantees Y; F ok G |] ==> F \ G \ X guarantees Y" apply (simp add: Join_commute [of _ G] ok_commute [of _ G]) apply (blast intro: guarantees_Join_I1) done -lemma guarantees_JN_I: +lemma guarantees_JOIN_I: "[| i \ I; F(i) \ X guarantees Y; OK(I,F) |] ==> (\i \ I. F(i)) \ X guarantees Y" apply (unfold guar_def, safe) -apply (drule_tac x = "JOIN (I-{i},F) Join G" in bspec) +apply (drule_tac x = "JOIN (I-{i},F) \ G" in bspec) apply (simp (no_asm)) -apply (auto intro: OK_imp_ok simp add: JN_Join_diff Join_assoc [symmetric]) +apply (auto intro: OK_imp_ok simp add: JOIN_Join_diff Join_assoc [symmetric]) done (*** well-definedness ***) -lemma Join_welldef_D1: "F Join G \ welldef ==> programify(F) \ welldef" +lemma Join_welldef_D1: "F \ G \ welldef ==> programify(F) \ welldef" by (unfold welldef_def, auto) -lemma Join_welldef_D2: "F Join G \ welldef ==> programify(G) \ welldef" +lemma Join_welldef_D2: "F \ G \ welldef ==> programify(G) \ welldef" by (unfold welldef_def, auto) (*** refinement ***) @@ -435,7 +435,7 @@ apply (force dest!: Fin.dom_subset [THEN subsetD, THEN PowD]) apply (simp_all add: component_of_def) apply (rule_tac x = "\F \ (FF-{F}) . F" in exI) -apply (auto intro: JN_Join_diff dest: ok_sym simp add: OK_iff_ok) +apply (auto intro: JOIN_Join_diff dest: ok_sym simp add: OK_iff_ok) done lemma wg_ex_prop: @@ -461,17 +461,17 @@ (* Proposition 6 *) lemma wx'_ex_prop: - "ex_prop({F \ program. \G \ program. F ok G \ F Join G \ X})" + "ex_prop({F \ program. \G \ program. F ok G \ F \ G \ X})" apply (unfold ex_prop_def, safe) - apply (drule_tac x = "G Join Ga" in bspec) + apply (drule_tac x = "G \ Ga" in bspec) apply (simp (no_asm)) apply (force simp add: Join_assoc) -apply (drule_tac x = "F Join Ga" in bspec) +apply (drule_tac x = "F \ Ga" in bspec) apply (simp (no_asm)) apply (simp (no_asm_use)) apply safe apply (simp (no_asm_simp) add: ok_commute) -apply (subgoal_tac "F Join G = G Join F") +apply (subgoal_tac "F \ G = G \ F") apply (simp (no_asm_simp) add: Join_assoc) apply (simp (no_asm) add: Join_commute) done @@ -479,12 +479,12 @@ (* Equivalence with the other definition of wx *) lemma wx_equiv: - "wx(X) = {F \ program. \G \ program. F ok G \ (F Join G) \ X}" + "wx(X) = {F \ program. \G \ program. F ok G \ (F \ G) \ X}" apply (unfold wx_def) apply (rule equalityI, safe, blast) apply (simp (no_asm_use) add: ex_prop_def) apply blast -apply (rule_tac B = "{F \ program. \G \ program. F ok G \ F Join G \ X}" +apply (rule_tac B = "{F \ program. \G \ program. F ok G \ F \ G \ X}" in UnionI, safe) apply (rule_tac [2] wx'_ex_prop) @@ -521,7 +521,7 @@ lemma constrains_guarantees_leadsTo: "[| F \ transient(A); st_set(B) |] - ==> F: (A co A \ B) guarantees (A leadsTo (B-A))" + ==> F: (A co A \ B) guarantees (A \ (B-A))" apply (rule guaranteesI) prefer 2 apply (blast dest: transient_type [THEN subsetD]) apply (rule leadsTo_Basis') diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/Mutex.thy --- a/src/ZF/UNITY/Mutex.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/Mutex.thy Sat Oct 10 22:02:23 2015 +0200 @@ -206,15 +206,15 @@ by (unfold op_Unless_def Mutex_def, safety) lemma U_F1: - "Mutex \ {s \ state. s`m=#1} LeadsTo {s \ state. s`p = s`v & s`m = #2}" + "Mutex \ {s \ state. s`m=#1} \w {s \ state. s`p = s`v & s`m = #2}" by (unfold Mutex_def, ensures U1) -lemma U_F2: "Mutex \ {s \ state. s`p =0 & s`m = #2} LeadsTo {s \ state. s`m = #3}" +lemma U_F2: "Mutex \ {s \ state. s`p =0 & s`m = #2} \w {s \ state. s`m = #3}" apply (cut_tac IU) apply (unfold Mutex_def, ensures U2) done -lemma U_F3: "Mutex \ {s \ state. s`m = #3} LeadsTo {s \ state. s`p=1}" +lemma U_F3: "Mutex \ {s \ state. s`m = #3} \w {s \ state. s`p=1}" apply (rule_tac B = "{s \ state. s`m = #4}" in LeadsTo_Trans) apply (unfold Mutex_def) apply (ensures U3) @@ -222,14 +222,14 @@ done -lemma U_lemma2: "Mutex \ {s \ state. s`m = #2} LeadsTo {s \ state. s`p=1}" +lemma U_lemma2: "Mutex \ {s \ state. s`m = #2} \w {s \ state. s`p=1}" apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L Int_lower2 [THEN subset_imp_LeadsTo]]) apply (rule LeadsTo_Trans [OF U_F2 U_F3], auto) apply (auto dest!: p_value_type simp add: bool_def) done -lemma U_lemma1: "Mutex \ {s \ state. s`m = #1} LeadsTo {s \ state. s`p =1}" +lemma U_lemma1: "Mutex \ {s \ state. s`m = #1} \w {s \ state. s`p =1}" by (rule LeadsTo_Trans [OF U_F1 [THEN LeadsTo_weaken_R] U_lemma2], blast) lemma eq_123: "i \ int ==> (#1 $<= i & i $<= #3) \ (i=#1 | i=#2 | i=#3)" @@ -243,12 +243,12 @@ done -lemma U_lemma123: "Mutex \ {s \ state. #1 $<= s`m & s`m $<= #3} LeadsTo {s \ state. s`p=1}" +lemma U_lemma123: "Mutex \ {s \ state. #1 $<= s`m & s`m $<= #3} \w {s \ state. s`p=1}" by (simp add: eq_123 Collect_disj_eq LeadsTo_Un_distrib U_lemma1 U_lemma2 U_F3) (*Misra's F4*) -lemma u_Leadsto_p: "Mutex \ {s \ state. s`u = 1} LeadsTo {s \ state. s`p=1}" +lemma u_Leadsto_p: "Mutex \ {s \ state. s`u = 1} \w {s \ state. s`p=1}" by (rule Always_LeadsTo_weaken [OF IU U_lemma123], auto) @@ -257,43 +257,43 @@ lemma V_F0: "Mutex \ {s \ state. s`n=#2} Unless {s \ state. s`n=#3}" by (unfold op_Unless_def Mutex_def, safety) -lemma V_F1: "Mutex \ {s \ state. s`n=#1} LeadsTo {s \ state. s`p = not(s`u) & s`n = #2}" +lemma V_F1: "Mutex \ {s \ state. s`n=#1} \w {s \ state. s`p = not(s`u) & s`n = #2}" by (unfold Mutex_def, ensures "V1") -lemma V_F2: "Mutex \ {s \ state. s`p=1 & s`n = #2} LeadsTo {s \ state. s`n = #3}" +lemma V_F2: "Mutex \ {s \ state. s`p=1 & s`n = #2} \w {s \ state. s`n = #3}" apply (cut_tac IV) apply (unfold Mutex_def, ensures "V2") done -lemma V_F3: "Mutex \ {s \ state. s`n = #3} LeadsTo {s \ state. s`p=0}" +lemma V_F3: "Mutex \ {s \ state. s`n = #3} \w {s \ state. s`p=0}" apply (rule_tac B = "{s \ state. s`n = #4}" in LeadsTo_Trans) apply (unfold Mutex_def) apply (ensures V3) apply (ensures V4) done -lemma V_lemma2: "Mutex \ {s \ state. s`n = #2} LeadsTo {s \ state. s`p=0}" +lemma V_lemma2: "Mutex \ {s \ state. s`n = #2} \w {s \ state. s`p=0}" apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L Int_lower2 [THEN subset_imp_LeadsTo]]) apply (rule LeadsTo_Trans [OF V_F2 V_F3], auto) apply (auto dest!: p_value_type simp add: bool_def) done -lemma V_lemma1: "Mutex \ {s \ state. s`n = #1} LeadsTo {s \ state. s`p = 0}" +lemma V_lemma1: "Mutex \ {s \ state. s`n = #1} \w {s \ state. s`p = 0}" by (rule LeadsTo_Trans [OF V_F1 [THEN LeadsTo_weaken_R] V_lemma2], blast) -lemma V_lemma123: "Mutex \ {s \ state. #1 $<= s`n & s`n $<= #3} LeadsTo {s \ state. s`p = 0}" +lemma V_lemma123: "Mutex \ {s \ state. #1 $<= s`n & s`n $<= #3} \w {s \ state. s`p = 0}" by (simp add: eq_123 Collect_disj_eq LeadsTo_Un_distrib V_lemma1 V_lemma2 V_F3) (*Misra's F4*) -lemma v_Leadsto_not_p: "Mutex \ {s \ state. s`v = 1} LeadsTo {s \ state. s`p = 0}" +lemma v_Leadsto_not_p: "Mutex \ {s \ state. s`v = 1} \w {s \ state. s`p = 0}" by (rule Always_LeadsTo_weaken [OF IV V_lemma123], auto) (** Absence of starvation **) (*Misra's F6*) -lemma m1_Leadsto_3: "Mutex \ {s \ state. s`m = #1} LeadsTo {s \ state. s`m = #3}" +lemma m1_Leadsto_3: "Mutex \ {s \ state. s`m = #1} \w {s \ state. s`m = #3}" apply (rule LeadsTo_cancel2 [THEN LeadsTo_Un_duplicate]) apply (rule_tac [2] U_F2) apply (simp add: Collect_conj_eq) @@ -306,7 +306,7 @@ (*The same for V*) -lemma n1_Leadsto_3: "Mutex \ {s \ state. s`n = #1} LeadsTo {s \ state. s`n = #3}" +lemma n1_Leadsto_3: "Mutex \ {s \ state. s`n = #1} \w {s \ state. s`n = #3}" apply (rule LeadsTo_cancel2 [THEN LeadsTo_Un_duplicate]) apply (rule_tac [2] V_F2) apply (simp add: Collect_conj_eq) diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/SubstAx.thy --- a/src/ZF/UNITY/SubstAx.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/SubstAx.thy Sat Oct 10 22:02:23 2015 +0200 @@ -17,58 +17,54 @@ "A Ensures B == {F \ program. F \ (reachable(F) \ A) ensures (reachable(F) \ B) }" definition - LeadsTo :: "[i, i] => i" (infixl "LeadsTo" 60) where - "A LeadsTo B == {F \ program. F:(reachable(F) \ A) leadsTo (reachable(F) \ B)}" - -notation (xsymbols) - LeadsTo (infixl " \w " 60) - + LeadsTo :: "[i, i] => i" (infixl "\w" 60) where + "A \w B == {F \ program. F:(reachable(F) \ A) \ (reachable(F) \ B)}" (*Resembles the previous definition of LeadsTo*) (* Equivalence with the HOL-like definition *) lemma LeadsTo_eq: -"st_set(B)==> A LeadsTo B = {F \ program. F:(reachable(F) \ A) leadsTo B}" +"st_set(B)==> A \w B = {F \ program. F:(reachable(F) \ A) \ B}" apply (unfold LeadsTo_def) apply (blast dest: psp_stable2 leadsToD2 constrainsD2 intro: leadsTo_weaken) done -lemma LeadsTo_type: "A LeadsTo B <=program" +lemma LeadsTo_type: "A \w B <=program" by (unfold LeadsTo_def, auto) (*** Specialized laws for handling invariants ***) (** Conjoining an Always property **) -lemma Always_LeadsTo_pre: "F \ Always(I) ==> (F:(I \ A) LeadsTo A') \ (F \ A LeadsTo A')" +lemma Always_LeadsTo_pre: "F \ Always(I) ==> (F:(I \ A) \w A') \ (F \ A \w A')" by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2) -lemma Always_LeadsTo_post: "F \ Always(I) ==> (F \ A LeadsTo (I \ A')) \ (F \ A LeadsTo A')" +lemma Always_LeadsTo_post: "F \ Always(I) ==> (F \ A \w (I \ A')) \ (F \ A \w A')" apply (unfold LeadsTo_def) apply (simp add: Always_eq_includes_reachable Int_absorb2 Int_assoc [symmetric] leadsToD2) done (* Like 'Always_LeadsTo_pre RS iffD1', but with premises in the good order *) -lemma Always_LeadsToI: "[| F \ Always(C); F \ (C \ A) LeadsTo A' |] ==> F \ A LeadsTo A'" +lemma Always_LeadsToI: "[| F \ Always(C); F \ (C \ A) \w A' |] ==> F \ A \w A'" by (blast intro: Always_LeadsTo_pre [THEN iffD1]) (* Like 'Always_LeadsTo_post RS iffD2', but with premises in the good order *) -lemma Always_LeadsToD: "[| F \ Always(C); F \ A LeadsTo A' |] ==> F \ A LeadsTo (C \ A')" +lemma Always_LeadsToD: "[| F \ Always(C); F \ A \w A' |] ==> F \ A \w (C \ A')" by (blast intro: Always_LeadsTo_post [THEN iffD2]) (*** Introduction rules \ Basis, Trans, Union ***) -lemma LeadsTo_Basis: "F \ A Ensures B ==> F \ A LeadsTo B" +lemma LeadsTo_Basis: "F \ A Ensures B ==> F \ A \w B" by (auto simp add: Ensures_def LeadsTo_def) lemma LeadsTo_Trans: - "[| F \ A LeadsTo B; F \ B LeadsTo C |] ==> F \ A LeadsTo C" + "[| F \ A \w B; F \ B \w C |] ==> F \ A \w C" apply (simp (no_asm_use) add: LeadsTo_def) apply (blast intro: leadsTo_Trans) done lemma LeadsTo_Union: -"[|(!!A. A \ S ==> F \ A LeadsTo B); F \ program|]==>F \ \(S) LeadsTo B" +"[|(!!A. A \ S ==> F \ A \w B); F \ program|]==>F \ \(S) \w B" apply (simp add: LeadsTo_def) apply (subst Int_Union_Union2) apply (rule leadsTo_UN, auto) @@ -76,23 +72,23 @@ (*** Derived rules ***) -lemma leadsTo_imp_LeadsTo: "F \ A leadsTo B ==> F \ A LeadsTo B" +lemma leadsTo_imp_LeadsTo: "F \ A \ B ==> F \ A \w B" apply (frule leadsToD2, clarify) apply (simp (no_asm_simp) add: LeadsTo_eq) apply (blast intro: leadsTo_weaken_L) done (*Useful with cancellation, disjunction*) -lemma LeadsTo_Un_duplicate: "F \ A LeadsTo (A' \ A') ==> F \ A LeadsTo A'" +lemma LeadsTo_Un_duplicate: "F \ A \w (A' \ A') ==> F \ A \w A'" by (simp add: Un_ac) lemma LeadsTo_Un_duplicate2: - "F \ A LeadsTo (A' \ C \ C) ==> F \ A LeadsTo (A' \ C)" + "F \ A \w (A' \ C \ C) ==> F \ A \w (A' \ C)" by (simp add: Un_ac) lemma LeadsTo_UN: - "[|(!!i. i \ I ==> F \ A(i) LeadsTo B); F \ program|] - ==>F:(\i \ I. A(i)) LeadsTo B" + "[|(!!i. i \ I ==> F \ A(i) \w B); F \ program|] + ==>F:(\i \ I. A(i)) \w B" apply (simp add: LeadsTo_def) apply (simp (no_asm_simp) del: UN_simps add: Int_UN_distrib) apply (rule leadsTo_UN, auto) @@ -100,7 +96,7 @@ (*Binary union introduction rule*) lemma LeadsTo_Un: - "[| F \ A LeadsTo C; F \ B LeadsTo C |] ==> F \ (A \ B) LeadsTo C" + "[| F \ A \w C; F \ B \w C |] ==> F \ (A \ B) \w C" apply (subst Un_eq_Union) apply (rule LeadsTo_Union) apply (auto dest: LeadsTo_type [THEN subsetD]) @@ -108,63 +104,63 @@ (*Lets us look at the starting state*) lemma single_LeadsTo_I: - "[|(!!s. s \ A ==> F:{s} LeadsTo B); F \ program|]==>F \ A LeadsTo B" + "[|(!!s. s \ A ==> F:{s} \w B); F \ program|]==>F \ A \w B" apply (subst UN_singleton [symmetric], rule LeadsTo_UN, auto) done -lemma subset_imp_LeadsTo: "[| A \ B; F \ program |] ==> F \ A LeadsTo B" +lemma subset_imp_LeadsTo: "[| A \ B; F \ program |] ==> F \ A \w B" apply (simp (no_asm_simp) add: LeadsTo_def) apply (blast intro: subset_imp_leadsTo) done -lemma empty_LeadsTo: "F \ 0 LeadsTo A \ F \ program" +lemma empty_LeadsTo: "F \ 0 \w A \ F \ program" by (auto dest: LeadsTo_type [THEN subsetD] intro: empty_subsetI [THEN subset_imp_LeadsTo]) declare empty_LeadsTo [iff] -lemma LeadsTo_state: "F \ A LeadsTo state \ F \ program" +lemma LeadsTo_state: "F \ A \w state \ F \ program" by (auto dest: LeadsTo_type [THEN subsetD] simp add: LeadsTo_eq) declare LeadsTo_state [iff] -lemma LeadsTo_weaken_R: "[| F \ A LeadsTo A'; A'<=B'|] ==> F \ A LeadsTo B'" +lemma LeadsTo_weaken_R: "[| F \ A \w A'; A'<=B'|] ==> F \ A \w B'" apply (unfold LeadsTo_def) apply (auto intro: leadsTo_weaken_R) done -lemma LeadsTo_weaken_L: "[| F \ A LeadsTo A'; B \ A |] ==> F \ B LeadsTo A'" +lemma LeadsTo_weaken_L: "[| F \ A \w A'; B \ A |] ==> F \ B \w A'" apply (unfold LeadsTo_def) apply (auto intro: leadsTo_weaken_L) done -lemma LeadsTo_weaken: "[| F \ A LeadsTo A'; B<=A; A'<=B' |] ==> F \ B LeadsTo B'" +lemma LeadsTo_weaken: "[| F \ A \w A'; B<=A; A'<=B' |] ==> F \ B \w B'" by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans) lemma Always_LeadsTo_weaken: -"[| F \ Always(C); F \ A LeadsTo A'; C \ B \ A; C \ A' \ B' |] - ==> F \ B LeadsTo B'" +"[| F \ Always(C); F \ A \w A'; C \ B \ A; C \ A' \ B' |] + ==> F \ B \w B'" apply (blast dest: Always_LeadsToI intro: LeadsTo_weaken Always_LeadsToD) done (** Two theorems for "proof lattices" **) -lemma LeadsTo_Un_post: "F \ A LeadsTo B ==> F:(A \ B) LeadsTo B" +lemma LeadsTo_Un_post: "F \ A \w B ==> F:(A \ B) \w B" by (blast dest: LeadsTo_type [THEN subsetD] intro: LeadsTo_Un subset_imp_LeadsTo) -lemma LeadsTo_Trans_Un: "[| F \ A LeadsTo B; F \ B LeadsTo C |] - ==> F \ (A \ B) LeadsTo C" +lemma LeadsTo_Trans_Un: "[| F \ A \w B; F \ B \w C |] + ==> F \ (A \ B) \w C" apply (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans dest: LeadsTo_type [THEN subsetD]) done (** Distributive laws **) -lemma LeadsTo_Un_distrib: "(F \ (A \ B) LeadsTo C) \ (F \ A LeadsTo C & F \ B LeadsTo C)" +lemma LeadsTo_Un_distrib: "(F \ (A \ B) \w C) \ (F \ A \w C & F \ B \w C)" by (blast intro: LeadsTo_Un LeadsTo_weaken_L) -lemma LeadsTo_UN_distrib: "(F \ (\i \ I. A(i)) LeadsTo B) \ (\i \ I. F \ A(i) LeadsTo B) & F \ program" +lemma LeadsTo_UN_distrib: "(F \ (\i \ I. A(i)) \w B) \ (\i \ I. F \ A(i) \w B) & F \ program" by (blast dest: LeadsTo_type [THEN subsetD] intro: LeadsTo_UN LeadsTo_weaken_L) -lemma LeadsTo_Union_distrib: "(F \ \(S) LeadsTo B) \ (\A \ S. F \ A LeadsTo B) & F \ program" +lemma LeadsTo_Union_distrib: "(F \ \(S) \w B) \ (\A \ S. F \ A \w B) & F \ program" by (blast dest: LeadsTo_type [THEN subsetD] intro: LeadsTo_Union LeadsTo_weaken_L) @@ -177,7 +173,7 @@ lemma Always_LeadsTo_Basis: "[| F \ Always(I); F \ (I \ (A-A')) Co (A \ A'); F \ transient (I \ (A-A')) |] - ==> F \ A LeadsTo A'" + ==> F \ A \w A'" apply (rule Always_LeadsToI, assumption) apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen) done @@ -185,36 +181,36 @@ (*Set difference: maybe combine with leadsTo_weaken_L?? This is the most useful form of the "disjunction" rule*) lemma LeadsTo_Diff: - "[| F \ (A-B) LeadsTo C; F \ (A \ B) LeadsTo C |] ==> F \ A LeadsTo C" + "[| F \ (A-B) \w C; F \ (A \ B) \w C |] ==> F \ A \w C" by (blast intro: LeadsTo_Un LeadsTo_weaken) lemma LeadsTo_UN_UN: - "[|(!!i. i \ I ==> F \ A(i) LeadsTo A'(i)); F \ program |] - ==> F \ (\i \ I. A(i)) LeadsTo (\i \ I. A'(i))" + "[|(!!i. i \ I ==> F \ A(i) \w A'(i)); F \ program |] + ==> F \ (\i \ I. A(i)) \w (\i \ I. A'(i))" apply (rule LeadsTo_Union, auto) apply (blast intro: LeadsTo_weaken_R) done (*Binary union version*) lemma LeadsTo_Un_Un: - "[| F \ A LeadsTo A'; F \ B LeadsTo B' |] ==> F:(A \ B) LeadsTo (A' \ B')" + "[| F \ A \w A'; F \ B \w B' |] ==> F:(A \ B) \w (A' \ B')" by (blast intro: LeadsTo_Un LeadsTo_weaken_R) (** The cancellation law **) -lemma LeadsTo_cancel2: "[| F \ A LeadsTo(A' \ B); F \ B LeadsTo B' |] ==> F \ A LeadsTo (A' \ B')" +lemma LeadsTo_cancel2: "[| F \ A \w(A' \ B); F \ B \w B' |] ==> F \ A \w (A' \ B')" by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans dest: LeadsTo_type [THEN subsetD]) lemma Un_Diff: "A \ (B - A) = A \ B" by auto -lemma LeadsTo_cancel_Diff2: "[| F \ A LeadsTo (A' \ B); F \ (B-A') LeadsTo B' |] ==> F \ A LeadsTo (A' \ B')" +lemma LeadsTo_cancel_Diff2: "[| F \ A \w (A' \ B); F \ (B-A') \w B' |] ==> F \ A \w (A' \ B')" apply (rule LeadsTo_cancel2) prefer 2 apply assumption apply (simp (no_asm_simp) add: Un_Diff) done -lemma LeadsTo_cancel1: "[| F \ A LeadsTo (B \ A'); F \ B LeadsTo B' |] ==> F \ A LeadsTo (B' \ A')" +lemma LeadsTo_cancel1: "[| F \ A \w (B \ A'); F \ B \w B' |] ==> F \ A \w (B' \ A')" apply (simp add: Un_commute) apply (blast intro!: LeadsTo_cancel2) done @@ -222,7 +218,7 @@ lemma Diff_Un2: "(B - A) \ A = B \ A" by auto -lemma LeadsTo_cancel_Diff1: "[| F \ A LeadsTo (B \ A'); F \ (B-A') LeadsTo B' |] ==> F \ A LeadsTo (B' \ A')" +lemma LeadsTo_cancel_Diff1: "[| F \ A \w (B \ A'); F \ (B-A') \w B' |] ==> F \ A \w (B' \ A')" apply (rule LeadsTo_cancel1) prefer 2 apply assumption apply (simp (no_asm_simp) add: Diff_Un2) @@ -231,7 +227,7 @@ (** The impossibility law **) (*The set "A" may be non-empty, but it contains no reachable states*) -lemma LeadsTo_empty: "F \ A LeadsTo 0 ==> F \ Always (state -A)" +lemma LeadsTo_empty: "F \ A \w 0 ==> F \ Always (state -A)" apply (simp (no_asm_use) add: LeadsTo_def Always_eq_includes_reachable) apply (cut_tac reachable_type) apply (auto dest!: leadsTo_empty) @@ -240,26 +236,26 @@ (** PSP \ Progress-Safety-Progress **) (*Special case of PSP \ Misra's "stable conjunction"*) -lemma PSP_Stable: "[| F \ A LeadsTo A'; F \ Stable(B) |]==> F:(A \ B) LeadsTo (A' \ B)" +lemma PSP_Stable: "[| F \ A \w A'; F \ Stable(B) |]==> F:(A \ B) \w (A' \ B)" apply (simp add: LeadsTo_def Stable_eq_stable, clarify) apply (drule psp_stable, assumption) apply (simp add: Int_ac) done -lemma PSP_Stable2: "[| F \ A LeadsTo A'; F \ Stable(B) |] ==> F \ (B \ A) LeadsTo (B \ A')" +lemma PSP_Stable2: "[| F \ A \w A'; F \ Stable(B) |] ==> F \ (B \ A) \w (B \ A')" apply (simp (no_asm_simp) add: PSP_Stable Int_ac) done -lemma PSP: "[| F \ A LeadsTo A'; F \ B Co B'|]==> F \ (A \ B') LeadsTo ((A' \ B) \ (B' - B))" +lemma PSP: "[| F \ A \w A'; F \ B Co B'|]==> F \ (A \ B') \w ((A' \ B) \ (B' - B))" apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains) apply (blast dest: psp intro: leadsTo_weaken) done -lemma PSP2: "[| F \ A LeadsTo A'; F \ B Co B' |]==> F:(B' \ A) LeadsTo ((B \ A') \ (B' - B))" +lemma PSP2: "[| F \ A \w A'; F \ B Co B' |]==> F:(B' \ A) \w ((B \ A') \ (B' - B))" by (simp (no_asm_simp) add: PSP Int_ac) lemma PSP_Unless: -"[| F \ A LeadsTo A'; F \ B Unless B'|]==> F:(A \ B) LeadsTo ((A' \ B) \ B')" +"[| F \ A \w A'; F \ B Unless B'|]==> F:(A \ B) \w ((A' \ B) \ B')" apply (unfold op_Unless_def) apply (drule PSP, assumption) apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo) @@ -269,10 +265,10 @@ (** Meta or object quantifier ????? **) lemma LeadsTo_wf_induct: "[| wf(r); - \m \ I. F \ (A \ f-``{m}) LeadsTo + \m \ I. F \ (A \ f-``{m}) \w ((A \ f-``(converse(r) `` {m})) \ B); field(r)<=I; A<=f-``I; F \ program |] - ==> F \ A LeadsTo B" + ==> F \ A \w B" apply (simp (no_asm_use) add: LeadsTo_def) apply auto apply (erule_tac I = I and f = f in leadsTo_wf_induct, safe) @@ -282,8 +278,8 @@ done -lemma LessThan_induct: "[| \m \ nat. F:(A \ f-``{m}) LeadsTo ((A \ f-``m) \ B); - A<=f-``nat; F \ program |] ==> F \ A LeadsTo B" +lemma LessThan_induct: "[| \m \ nat. F:(A \ f-``{m}) \w ((A \ f-``m) \ B); + A<=f-``nat; F \ program |] ==> F \ A \w B" apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN LeadsTo_wf_induct]) apply (simp_all add: nat_measure_field) apply (simp add: ltI Image_inverse_lessThan vimage_def [symmetric]) @@ -301,18 +297,18 @@ (*** Completion \ Binary and General Finite versions ***) -lemma Completion: "[| F \ A LeadsTo (A' \ C); F \ A' Co (A' \ C); - F \ B LeadsTo (B' \ C); F \ B' Co (B' \ C) |] - ==> F \ (A \ B) LeadsTo ((A' \ B') \ C)" +lemma Completion: "[| F \ A \w (A' \ C); F \ A' Co (A' \ C); + F \ B \w (B' \ C); F \ B' Co (B' \ C) |] + ==> F \ (A \ B) \w ((A' \ B') \ C)" apply (simp (no_asm_use) add: LeadsTo_def Constrains_eq_constrains Int_Un_distrib) apply (blast intro: completion leadsTo_weaken) done lemma Finite_completion_aux: "[| I \ Fin(X);F \ program |] - ==> (\i \ I. F \ (A(i)) LeadsTo (A'(i) \ C)) \ + ==> (\i \ I. F \ (A(i)) \w (A'(i) \ C)) \ (\i \ I. F \ (A'(i)) Co (A'(i) \ C)) \ - F \ (\i \ I. A(i)) LeadsTo ((\i \ I. A'(i)) \ C)" + F \ (\i \ I. A(i)) \w ((\i \ I. A'(i)) \ C)" apply (erule Fin_induct) apply (auto simp del: INT_simps simp add: Inter_0) apply (rule Completion, auto) @@ -321,16 +317,16 @@ done lemma Finite_completion: - "[| I \ Fin(X); !!i. i \ I ==> F \ A(i) LeadsTo (A'(i) \ C); + "[| I \ Fin(X); !!i. i \ I ==> F \ A(i) \w (A'(i) \ C); !!i. i \ I ==> F \ A'(i) Co (A'(i) \ C); F \ program |] - ==> F \ (\i \ I. A(i)) LeadsTo ((\i \ I. A'(i)) \ C)" + ==> F \ (\i \ I. A(i)) \w ((\i \ I. A'(i)) \ C)" by (blast intro: Finite_completion_aux [THEN mp, THEN mp]) lemma Stable_completion: - "[| F \ A LeadsTo A'; F \ Stable(A'); - F \ B LeadsTo B'; F \ Stable(B') |] - ==> F \ (A \ B) LeadsTo (A' \ B')" + "[| F \ A \w A'; F \ Stable(A'); + F \ B \w B'; F \ Stable(B') |] + ==> F \ (A \ B) \w (A' \ B')" apply (unfold Stable_def) apply (rule_tac C1 = 0 in Completion [THEN LeadsTo_weaken_R]) prefer 5 @@ -340,9 +336,9 @@ lemma Finite_stable_completion: "[| I \ Fin(X); - (!!i. i \ I ==> F \ A(i) LeadsTo A'(i)); + (!!i. i \ I ==> F \ A(i) \w A'(i)); (!!i. i \ I ==>F \ Stable(A'(i))); F \ program |] - ==> F \ (\i \ I. A(i)) LeadsTo (\i \ I. A'(i))" + ==> F \ (\i \ I. A(i)) \w (\i \ I. A'(i))" apply (unfold Stable_def) apply (rule_tac C1 = 0 in Finite_completion [THEN LeadsTo_weaken_R], simp_all) apply (rule_tac [3] subset_refl, auto) diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/UNITY.thy --- a/src/ZF/UNITY/UNITY.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/UNITY.thy Sat Oct 10 22:02:23 2015 +0200 @@ -27,7 +27,7 @@ cons(id(state), allowed \ Pow(state*state))>" definition - SKIP :: i where + SKIP :: i ("\") where "SKIP == mk_program(state, 0, Pow(state*state))" (* Coercion from anything to program *) diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/Union.thy --- a/src/ZF/UNITY/Union.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/Union.thy Sat Oct 10 22:02:23 2015 +0200 @@ -31,8 +31,8 @@ \i \ I. AllowedActs(F(i)))" definition - Join :: "[i, i] => i" (infixl "Join" 65) where - "F Join G == mk_program (Init(F) \ Init(G), Acts(F) \ Acts(G), + Join :: "[i, i] => i" (infixl "\" 65) where + "F \ G == mk_program (Init(F) \ Init(G), Acts(F) \ Acts(G), AllowedActs(F) \ AllowedActs(G))" definition (*Characterizes safety properties. Used with specifying AllowedActs*) @@ -40,21 +40,14 @@ "safety_prop(X) == X\program & SKIP \ X & (\G \ program. Acts(G) \ (\F \ X. Acts(F)) \ G \ X)" -notation (xsymbols) - SKIP ("\") and - Join (infixl "\" 65) - syntax - "_JOIN1" :: "[pttrns, i] => i" ("(3JN _./ _)" 10) - "_JOIN" :: "[pttrn, i, i] => i" ("(3JN _ \ _./ _)" 10) -syntax (xsymbols) - "_JOIN1" :: "[pttrns, i] => i" ("(3\ _./ _)" 10) - "_JOIN" :: "[pttrn, i, i] => i" ("(3\ _ \ _./ _)" 10) + "_JOIN1" :: "[pttrns, i] => i" ("(3\_./ _)" 10) + "_JOIN" :: "[pttrn, i, i] => i" ("(3\_ \ _./ _)" 10) translations - "JN x \ A. B" == "CONST JOIN(A, (%x. B))" - "JN x y. B" == "JN x. JN y. B" - "JN x. B" == "CONST JOIN(CONST state,(%x. B))" + "\x \ A. B" == "CONST JOIN(A, (\x. B))" + "\x y. B" == "\x. \y. B" + "\x. B" == "CONST JOIN(CONST state, (\x. B))" subsection\SKIP\ @@ -62,7 +55,7 @@ lemma reachable_SKIP [simp]: "reachable(SKIP) = state" by (force elim: reachable.induct intro: reachable.intros) -text\Elimination programify from ok and Join\ +text\Elimination programify from ok and \\ lemma ok_programify_left [iff]: "programify(F) ok G \ F ok G" by (simp add: ok_def) @@ -70,10 +63,10 @@ lemma ok_programify_right [iff]: "F ok programify(G) \ F ok G" by (simp add: ok_def) -lemma Join_programify_left [simp]: "programify(F) Join G = F Join G" +lemma Join_programify_left [simp]: "programify(F) \ G = F \ G" by (simp add: Join_def) -lemma Join_programify_right [simp]: "F Join programify(G) = F Join G" +lemma Join_programify_right [simp]: "F \ programify(G) = F \ G" by (simp add: Join_def) subsection\SKIP and safety properties\ @@ -92,79 +85,79 @@ subsection\Join and JOIN types\ -lemma Join_in_program [iff,TC]: "F Join G \ program" +lemma Join_in_program [iff,TC]: "F \ G \ program" by (unfold Join_def, auto) lemma JOIN_in_program [iff,TC]: "JOIN(I,F) \ program" by (unfold JOIN_def, auto) subsection\Init, Acts, and AllowedActs of Join and JOIN\ -lemma Init_Join [simp]: "Init(F Join G) = Init(F) \ Init(G)" +lemma Init_Join [simp]: "Init(F \ G) = Init(F) \ Init(G)" by (simp add: Int_assoc Join_def) -lemma Acts_Join [simp]: "Acts(F Join G) = Acts(F) \ Acts(G)" +lemma Acts_Join [simp]: "Acts(F \ G) = Acts(F) \ Acts(G)" by (simp add: Int_Un_distrib2 cons_absorb Join_def) -lemma AllowedActs_Join [simp]: "AllowedActs(F Join G) = +lemma AllowedActs_Join [simp]: "AllowedActs(F \ G) = AllowedActs(F) \ AllowedActs(G)" apply (simp add: Int_assoc cons_absorb Join_def) done subsection\Join's algebraic laws\ -lemma Join_commute: "F Join G = G Join F" +lemma Join_commute: "F \ G = G \ F" by (simp add: Join_def Un_commute Int_commute) -lemma Join_left_commute: "A Join (B Join C) = B Join (A Join C)" +lemma Join_left_commute: "A \ (B \ C) = B \ (A \ C)" apply (simp add: Join_def Int_Un_distrib2 cons_absorb) apply (simp add: Un_ac Int_ac Int_Un_distrib2 cons_absorb) done -lemma Join_assoc: "(F Join G) Join H = F Join (G Join H)" +lemma Join_assoc: "(F \ G) \ H = F \ (G \ H)" by (simp add: Un_ac Join_def cons_absorb Int_assoc Int_Un_distrib2) subsection\Needed below\ lemma cons_id [simp]: "cons(id(state), Pow(state * state)) = Pow(state*state)" by auto -lemma Join_SKIP_left [simp]: "SKIP Join F = programify(F)" +lemma Join_SKIP_left [simp]: "SKIP \ F = programify(F)" apply (unfold Join_def SKIP_def) apply (auto simp add: Int_absorb cons_eq) done -lemma Join_SKIP_right [simp]: "F Join SKIP = programify(F)" +lemma Join_SKIP_right [simp]: "F \ SKIP = programify(F)" apply (subst Join_commute) apply (simp add: Join_SKIP_left) done -lemma Join_absorb [simp]: "F Join F = programify(F)" +lemma Join_absorb [simp]: "F \ F = programify(F)" by (rule program_equalityI, auto) -lemma Join_left_absorb: "F Join (F Join G) = F Join G" +lemma Join_left_absorb: "F \ (F \ G) = F \ G" by (simp add: Join_assoc [symmetric]) subsection\Join is an AC-operator\ lemmas Join_ac = Join_assoc Join_left_absorb Join_commute Join_left_commute -subsection\Eliminating programify form JN and OK expressions\ +subsection\Eliminating programify form JOIN and OK expressions\ lemma OK_programify [iff]: "OK(I, %x. programify(F(x))) \ OK(I, F)" by (simp add: OK_def) -lemma JN_programify [iff]: "JOIN(I, %x. programify(F(x))) = JOIN(I, F)" +lemma JOIN_programify [iff]: "JOIN(I, %x. programify(F(x))) = JOIN(I, F)" by (simp add: JOIN_def) -subsection\JN\ +subsection\JOIN\ -lemma JN_empty [simp]: "JOIN(0, F) = SKIP" +lemma JOIN_empty [simp]: "JOIN(0, F) = SKIP" by (unfold JOIN_def, auto) -lemma Init_JN [simp]: +lemma Init_JOIN [simp]: "Init(\i \ I. F(i)) = (if I=0 then state else (\i \ I. Init(F(i))))" by (simp add: JOIN_def INT_extend_simps del: INT_simps) -lemma Acts_JN [simp]: +lemma Acts_JOIN [simp]: "Acts(JOIN(I,F)) = cons(id(state), \i \ I. Acts(F(i)))" apply (unfold JOIN_def) apply (auto simp del: INT_simps UN_simps) @@ -172,7 +165,7 @@ apply (auto dest: Acts_type [THEN subsetD]) done -lemma AllowedActs_JN [simp]: +lemma AllowedActs_JOIN [simp]: "AllowedActs(\i \ I. F(i)) = (if I=0 then Pow(state*state) else (\i \ I. AllowedActs(F(i))))" apply (unfold JOIN_def, auto) @@ -180,42 +173,42 @@ apply (auto elim!: not_emptyE dest: AllowedActs_type [THEN subsetD]) done -lemma JN_cons [simp]: "(\i \ cons(a,I). F(i)) = F(a) Join (\i \ I. F(i))" +lemma JOIN_cons [simp]: "(\i \ cons(a,I). F(i)) = F(a) \ (\i \ I. F(i))" by (rule program_equalityI, auto) -lemma JN_cong [cong]: +lemma JOIN_cong [cong]: "[| I=J; !!i. i \ J ==> F(i) = G(i) |] ==> (\i \ I. F(i)) = (\i \ J. G(i))" by (simp add: JOIN_def) -subsection\JN laws\ -lemma JN_absorb: "k \ I ==>F(k) Join (\i \ I. F(i)) = (\i \ I. F(i))" -apply (subst JN_cons [symmetric]) +subsection\JOIN laws\ +lemma JOIN_absorb: "k \ I ==>F(k) \ (\i \ I. F(i)) = (\i \ I. F(i))" +apply (subst JOIN_cons [symmetric]) apply (auto simp add: cons_absorb) done -lemma JN_Un: "(\i \ I \ J. F(i)) = ((\i \ I. F(i)) Join (\i \ J. F(i)))" +lemma JOIN_Un: "(\i \ I \ J. F(i)) = ((\i \ I. F(i)) \ (\i \ J. F(i)))" apply (rule program_equalityI) apply (simp_all add: UN_Un INT_Un) apply (simp_all del: INT_simps add: INT_extend_simps, blast) done -lemma JN_constant: "(\i \ I. c) = (if I=0 then SKIP else programify(c))" +lemma JOIN_constant: "(\i \ I. c) = (if I=0 then SKIP else programify(c))" by (rule program_equalityI, auto) -lemma JN_Join_distrib: - "(\i \ I. F(i) Join G(i)) = (\i \ I. F(i)) Join (\i \ I. G(i))" +lemma JOIN_Join_distrib: + "(\i \ I. F(i) \ G(i)) = (\i \ I. F(i)) \ (\i \ I. G(i))" apply (rule program_equalityI) apply (simp_all add: INT_Int_distrib, blast) done -lemma JN_Join_miniscope: "(\i \ I. F(i) Join G) = ((\i \ I. F(i) Join G))" -by (simp add: JN_Join_distrib JN_constant) +lemma JOIN_Join_miniscope: "(\i \ I. F(i) \ G) = ((\i \ I. F(i) \ G))" +by (simp add: JOIN_Join_distrib JOIN_constant) -text\Used to prove guarantees_JN_I\ -lemma JN_Join_diff: "i \ I==>F(i) Join JOIN(I - {i}, F) = JOIN(I, F)" +text\Used to prove guarantees_JOIN_I\ +lemma JOIN_Join_diff: "i \ I==>F(i) \ JOIN(I - {i}, F) = JOIN(I, F)" apply (rule program_equalityI) apply (auto elim!: not_emptyE) done @@ -227,7 +220,7 @@ alternative precondition is A\B, but most proofs using this rule require I to be nonempty for other reasons anyway.*) -lemma JN_constrains: +lemma JOIN_constrains: "i \ I==>(\i \ I. F(i)) \ A co B \ (\i \ I. programify(F(i)) \ A co B)" apply (unfold constrains_def JOIN_def st_set_def, auto) @@ -238,34 +231,34 @@ done lemma Join_constrains [iff]: - "(F Join G \ A co B) \ (programify(F) \ A co B & programify(G) \ A co B)" + "(F \ G \ A co B) \ (programify(F) \ A co B & programify(G) \ A co B)" by (auto simp add: constrains_def) lemma Join_unless [iff]: - "(F Join G \ A unless B) \ + "(F \ G \ A unless B) \ (programify(F) \ A unless B & programify(G) \ A unless B)" by (simp add: Join_constrains unless_def) (*Analogous weak versions FAIL; see Misra [1994] 5.4.1, Substitution Axiom. - reachable (F Join G) could be much bigger than reachable F, reachable G + reachable (F \ G) could be much bigger than reachable F, reachable G *) lemma Join_constrains_weaken: "[| F \ A co A'; G \ B co B' |] - ==> F Join G \ (A \ B) co (A' \ B')" + ==> F \ G \ (A \ B) co (A' \ B')" apply (subgoal_tac "st_set (A) & st_set (B) & F \ program & G \ program") prefer 2 apply (blast dest: constrainsD2, simp) apply (blast intro: constrains_weaken) done (*If I=0, it degenerates to SKIP \ state co 0, which is false.*) -lemma JN_constrains_weaken: +lemma JOIN_constrains_weaken: assumes major: "(!!i. i \ I ==> F(i) \ A(i) co A'(i))" and minor: "i \ I" shows "(\i \ I. F(i)) \ (\i \ I. A(i)) co (\i \ I. A'(i))" apply (cut_tac minor) -apply (simp (no_asm_simp) add: JN_constrains) +apply (simp (no_asm_simp) add: JOIN_constrains) apply clarify apply (rename_tac "j") apply (frule_tac i = j in major) @@ -273,14 +266,14 @@ apply (blast intro: constrains_weaken) done -lemma JN_stable: +lemma JOIN_stable: "(\i \ I. F(i)) \ stable(A) \ ((\i \ I. programify(F(i)) \ stable(A)) & st_set(A))" apply (auto simp add: stable_def constrains_def JOIN_def) apply (cut_tac F = "F (i) " in Acts_type) apply (drule_tac x = act in bspec, auto) done -lemma initially_JN_I: +lemma initially_JOIN_I: assumes major: "(!!i. i \ I ==>F(i) \ initially(A))" and minor: "i \ I" shows "(\i \ I. F(i)) \ initially(A)" @@ -290,12 +283,12 @@ apply (auto simp add: initially_def) done -lemma invariant_JN_I: +lemma invariant_JOIN_I: assumes major: "(!!i. i \ I ==> F(i) \ invariant(A))" and minor: "i \ I" shows "(\i \ I. F(i)) \ invariant(A)" apply (cut_tac minor) -apply (auto intro!: initially_JN_I dest: major simp add: invariant_def JN_stable) +apply (auto intro!: initially_JOIN_I dest: major simp add: invariant_def JOIN_stable) apply (erule_tac V = "i \ I" in thin_rl) apply (frule major) apply (drule_tac [2] major) @@ -304,17 +297,17 @@ done lemma Join_stable [iff]: - " (F Join G \ stable(A)) \ + " (F \ G \ stable(A)) \ (programify(F) \ stable(A) & programify(G) \ stable(A))" by (simp add: stable_def) lemma initially_JoinI [intro!]: - "[| F \ initially(A); G \ initially(A) |] ==> F Join G \ initially(A)" + "[| F \ initially(A); G \ initially(A) |] ==> F \ G \ initially(A)" by (unfold initially_def, auto) lemma invariant_JoinI: "[| F \ invariant(A); G \ invariant(A) |] - ==> F Join G \ invariant(A)" + ==> F \ G \ invariant(A)" apply (subgoal_tac "F \ program&G \ program") prefer 2 apply (blast dest: invariantD2) apply (simp add: invariant_def) @@ -323,12 +316,12 @@ (* Fails if I=0 because \i \ 0. A(i) = 0 *) -lemma FP_JN: "i \ I ==> FP(\i \ I. F(i)) = (\i \ I. FP (programify(F(i))))" -by (auto simp add: FP_def Inter_def st_set_def JN_stable) +lemma FP_JOIN: "i \ I ==> FP(\i \ I. F(i)) = (\i \ I. FP (programify(F(i))))" +by (auto simp add: FP_def Inter_def st_set_def JOIN_stable) subsection\Progress: transient, ensures\ -lemma JN_transient: +lemma JOIN_transient: "i \ I ==> (\i \ I. F(i)) \ transient(A) \ (\i \ I. programify(F(i)) \ transient(A))" apply (auto simp add: transient_def JOIN_def) @@ -338,29 +331,29 @@ done lemma Join_transient [iff]: - "F Join G \ transient(A) \ + "F \ G \ transient(A) \ (programify(F) \ transient(A) | programify(G) \ transient(A))" apply (auto simp add: transient_def Join_def Int_Un_distrib2) done -lemma Join_transient_I1: "F \ transient(A) ==> F Join G \ transient(A)" +lemma Join_transient_I1: "F \ transient(A) ==> F \ G \ transient(A)" by (simp add: Join_transient transientD2) -lemma Join_transient_I2: "G \ transient(A) ==> F Join G \ transient(A)" +lemma Join_transient_I2: "G \ transient(A) ==> F \ G \ transient(A)" by (simp add: Join_transient transientD2) (*If I=0 it degenerates to (SKIP \ A ensures B) = False, i.e. to ~(A\B) *) -lemma JN_ensures: +lemma JOIN_ensures: "i \ I ==> (\i \ I. F(i)) \ A ensures B \ ((\i \ I. programify(F(i)) \ (A-B) co (A \ B)) & (\i \ I. programify(F(i)) \ A ensures B))" -by (auto simp add: ensures_def JN_constrains JN_transient) +by (auto simp add: ensures_def JOIN_constrains JOIN_transient) lemma Join_ensures: - "F Join G \ A ensures B \ + "F \ G \ A ensures B \ (programify(F) \ (A-B) co (A \ B) & programify(G) \ (A-B) co (A \ B) & (programify(F) \ transient (A-B) | programify(G) \ transient (A-B)))" @@ -370,7 +363,7 @@ lemma stable_Join_constrains: "[| F \ stable(A); G \ A co A' |] - ==> F Join G \ A co A'" + ==> F \ G \ A co A'" apply (unfold stable_def constrains_def Join_def st_set_def) apply (cut_tac F = F in Acts_type) apply (cut_tac F = G in Acts_type, force) @@ -379,7 +372,7 @@ (*Premise for G cannot use Always because F \ Stable A is weaker than G \ stable A *) lemma stable_Join_Always1: - "[| F \ stable(A); G \ invariant(A) |] ==> F Join G \ Always(A)" + "[| F \ stable(A); G \ invariant(A) |] ==> F \ G \ Always(A)" apply (subgoal_tac "F \ program & G \ program & st_set (A) ") prefer 2 apply (blast dest: invariantD2 stableD2) apply (simp add: Always_def invariant_def initially_def Stable_eq_stable) @@ -388,7 +381,7 @@ (*As above, but exchanging the roles of F and G*) lemma stable_Join_Always2: - "[| F \ invariant(A); G \ stable(A) |] ==> F Join G \ Always(A)" + "[| F \ invariant(A); G \ stable(A) |] ==> F \ G \ Always(A)" apply (subst Join_commute) apply (blast intro: stable_Join_Always1) done @@ -396,7 +389,7 @@ lemma stable_Join_ensures1: - "[| F \ stable(A); G \ A ensures B |] ==> F Join G \ A ensures B" + "[| F \ stable(A); G \ A ensures B |] ==> F \ G \ A ensures B" apply (subgoal_tac "F \ program & G \ program & st_set (A) ") prefer 2 apply (blast dest: stableD2 ensures_type [THEN subsetD]) apply (simp (no_asm_simp) add: Join_ensures) @@ -407,7 +400,7 @@ (*As above, but exchanging the roles of F and G*) lemma stable_Join_ensures2: - "[| F \ A ensures B; G \ stable(A) |] ==> F Join G \ A ensures B" + "[| F \ A ensures B; G \ stable(A) |] ==> F \ G \ A ensures B" apply (subst Join_commute) apply (blast intro: stable_Join_ensures1) done @@ -421,7 +414,7 @@ by (auto dest: Acts_type [THEN subsetD] simp add: ok_def) lemma ok_Join_commute: - "(F ok G & (F Join G) ok H) \ (G ok H & F ok (G Join H))" + "(F ok G & (F \ G) ok H) \ (G ok H & F ok (G \ H))" by (auto simp add: ok_def) lemma ok_commute: "(F ok G) \(G ok F)" @@ -429,24 +422,24 @@ lemmas ok_sym = ok_commute [THEN iffD1] -lemma ok_iff_OK: "OK({<0,F>,<1,G>,<2,H>}, snd) \ (F ok G & (F Join G) ok H)" +lemma ok_iff_OK: "OK({<0,F>,<1,G>,<2,H>}, snd) \ (F ok G & (F \ G) ok H)" by (simp add: ok_def Join_def OK_def Int_assoc cons_absorb Int_Un_distrib2 Ball_def, safe, force+) -lemma ok_Join_iff1 [iff]: "F ok (G Join H) \ (F ok G & F ok H)" +lemma ok_Join_iff1 [iff]: "F ok (G \ H) \ (F ok G & F ok H)" by (auto simp add: ok_def) -lemma ok_Join_iff2 [iff]: "(G Join H) ok F \ (G ok F & H ok F)" +lemma ok_Join_iff2 [iff]: "(G \ H) ok F \ (G ok F & H ok F)" by (auto simp add: ok_def) (*useful? Not with the previous two around*) -lemma ok_Join_commute_I: "[| F ok G; (F Join G) ok H |] ==> F ok (G Join H)" +lemma ok_Join_commute_I: "[| F ok G; (F \ G) ok H |] ==> F ok (G \ H)" by (auto simp add: ok_def) -lemma ok_JN_iff1 [iff]: "F ok JOIN(I,G) \ (\i \ I. F ok G(i))" +lemma ok_JOIN_iff1 [iff]: "F ok JOIN(I,G) \ (\i \ I. F ok G(i))" by (force dest: Acts_type [THEN subsetD] elim!: not_emptyE simp add: ok_def) -lemma ok_JN_iff2 [iff]: "JOIN(I,G) ok F \ (\i \ I. G(i) ok F)" +lemma ok_JOIN_iff2 [iff]: "JOIN(I,G) ok F \ (\i \ I. G(i) ok F)" apply (auto elim!: not_emptyE simp add: ok_def) apply (blast dest: Acts_type [THEN subsetD]) done @@ -475,12 +468,12 @@ by (auto dest: Acts_type [THEN subsetD] simp add: Allowed_def) lemma Allowed_Join [simp]: - "Allowed(F Join G) = + "Allowed(F \ G) = Allowed(programify(F)) \ Allowed(programify(G))" apply (auto simp add: Allowed_def) done -lemma Allowed_JN [simp]: +lemma Allowed_JOIN [simp]: "i \ I ==> Allowed(JOIN(I,F)) = (\i \ I. Allowed(programify(F(i))))" apply (auto simp add: Allowed_def, blast) diff -r 2332d9be352b -r 331be2820f90 src/ZF/UNITY/WFair.thy --- a/src/ZF/UNITY/WFair.thy Sat Oct 10 21:43:07 2015 +0200 +++ b/src/ZF/UNITY/WFair.thy Sat Oct 10 22:02:23 2015 +0200 @@ -43,16 +43,13 @@ definition (* The Visible version of the LEADS-TO relation*) - leadsTo :: "[i, i] => i" (infixl "leadsTo" 60) where - "A leadsTo B == {F \ program. :leads(state, F)}" + leadsTo :: "[i, i] => i" (infixl "\" 60) where + "A \ B == {F \ program. :leads(state, F)}" definition (* wlt(F, B) is the largest set that leads to B*) wlt :: "[i, i] => i" where - "wlt(F, B) == \({A \ Pow(state). F \ A leadsTo B})" - -notation (xsymbols) - leadsTo (infixl "\" 60) + "wlt(F, B) == \({A \ Pow(state). F \ A \ B})" (** Ad-hoc set-theory rules **) @@ -163,17 +160,17 @@ lemmas leads_left = leads.dom_subset [THEN subsetD, THEN SigmaD1] lemmas leads_right = leads.dom_subset [THEN subsetD, THEN SigmaD2] -lemma leadsTo_type: "A leadsTo B \ program" +lemma leadsTo_type: "A \ B \ program" by (unfold leadsTo_def, auto) lemma leadsToD2: -"F \ A leadsTo B ==> F \ program & st_set(A) & st_set(B)" +"F \ A \ B ==> F \ program & st_set(A) & st_set(B)" apply (unfold leadsTo_def st_set_def) apply (blast dest: leads_left leads_right) done lemma leadsTo_Basis: - "[|F \ A ensures B; st_set(A); st_set(B)|] ==> F \ A leadsTo B" + "[|F \ A ensures B; st_set(A); st_set(B)|] ==> F \ A \ B" apply (unfold leadsTo_def st_set_def) apply (cut_tac ensures_type) apply (auto intro: leads.Basis) @@ -181,152 +178,152 @@ declare leadsTo_Basis [intro] (* Added by Sidi, from Misra's notes, Progress chapter, exercise number 4 *) -(* [| F \ program; A<=B; st_set(A); st_set(B) |] ==> A leadsTo B *) +(* [| F \ program; A<=B; st_set(A); st_set(B) |] ==> A \ B *) lemmas subset_imp_leadsTo = subset_imp_ensures [THEN leadsTo_Basis] -lemma leadsTo_Trans: "[|F \ A leadsTo B; F \ B leadsTo C |]==>F \ A leadsTo C" +lemma leadsTo_Trans: "[|F \ A \ B; F \ B \ C |]==>F \ A \ C" apply (unfold leadsTo_def) apply (auto intro: leads.Trans) done (* Better when used in association with leadsTo_weaken_R *) -lemma transient_imp_leadsTo: "F \ transient(A) ==> F \ A leadsTo (state-A)" +lemma transient_imp_leadsTo: "F \ transient(A) ==> F \ A \ (state-A)" apply (unfold transient_def) apply (blast intro: ensuresI [THEN leadsTo_Basis] constrains_weaken transientI) done (*Useful with cancellation, disjunction*) -lemma leadsTo_Un_duplicate: "F \ A leadsTo (A' \ A') ==> F \ A leadsTo A'" +lemma leadsTo_Un_duplicate: "F \ A \ (A' \ A') ==> F \ A \ A'" by simp lemma leadsTo_Un_duplicate2: - "F \ A leadsTo (A' \ C \ C) ==> F \ A leadsTo (A' \ C)" + "F \ A \ (A' \ C \ C) ==> F \ A \ (A' \ C)" by (simp add: Un_ac) (*The Union introduction rule as we should have liked to state it*) lemma leadsTo_Union: - "[|!!A. A \ S ==> F \ A leadsTo B; F \ program; st_set(B)|] - ==> F \ \(S) leadsTo B" + "[|!!A. A \ S ==> F \ A \ B; F \ program; st_set(B)|] + ==> F \ \(S) \ B" apply (unfold leadsTo_def st_set_def) apply (blast intro: leads.Union dest: leads_left) done lemma leadsTo_Union_Int: - "[|!!A. A \ S ==>F \ (A \ C) leadsTo B; F \ program; st_set(B)|] - ==> F \ (\(S)Int C)leadsTo B" + "[|!!A. A \ S ==>F \ (A \ C) \ B; F \ program; st_set(B)|] + ==> F \ (\(S)Int C)\ B" apply (unfold leadsTo_def st_set_def) apply (simp only: Int_Union_Union) apply (blast dest: leads_left intro: leads.Union) done lemma leadsTo_UN: - "[| !!i. i \ I ==> F \ A(i) leadsTo B; F \ program; st_set(B)|] - ==> F:(\i \ I. A(i)) leadsTo B" + "[| !!i. i \ I ==> F \ A(i) \ B; F \ program; st_set(B)|] + ==> F:(\i \ I. A(i)) \ B" apply (simp add: Int_Union_Union leadsTo_def st_set_def) apply (blast dest: leads_left intro: leads.Union) done (* Binary union introduction rule *) lemma leadsTo_Un: - "[| F \ A leadsTo C; F \ B leadsTo C |] ==> F \ (A \ B) leadsTo C" + "[| F \ A \ C; F \ B \ C |] ==> F \ (A \ B) \ C" apply (subst Un_eq_Union) apply (blast intro: leadsTo_Union dest: leadsToD2) done lemma single_leadsTo_I: - "[|!!x. x \ A==> F:{x} leadsTo B; F \ program; st_set(B) |] - ==> F \ A leadsTo B" + "[|!!x. x \ A==> F:{x} \ B; F \ program; st_set(B) |] + ==> F \ A \ B" apply (rule_tac b = A in UN_singleton [THEN subst]) apply (rule leadsTo_UN, auto) done -lemma leadsTo_refl: "[| F \ program; st_set(A) |] ==> F \ A leadsTo A" +lemma leadsTo_refl: "[| F \ program; st_set(A) |] ==> F \ A \ A" by (blast intro: subset_imp_leadsTo) -lemma leadsTo_refl_iff: "F \ A leadsTo A \ F \ program & st_set(A)" +lemma leadsTo_refl_iff: "F \ A \ A \ F \ program & st_set(A)" by (auto intro: leadsTo_refl dest: leadsToD2) -lemma empty_leadsTo: "F \ 0 leadsTo B \ (F \ program & st_set(B))" +lemma empty_leadsTo: "F \ 0 \ B \ (F \ program & st_set(B))" by (auto intro: subset_imp_leadsTo dest: leadsToD2) declare empty_leadsTo [iff] -lemma leadsTo_state: "F \ A leadsTo state \ (F \ program & st_set(A))" +lemma leadsTo_state: "F \ A \ state \ (F \ program & st_set(A))" by (auto intro: subset_imp_leadsTo dest: leadsToD2 st_setD) declare leadsTo_state [iff] -lemma leadsTo_weaken_R: "[| F \ A leadsTo A'; A'<=B'; st_set(B') |] ==> F \ A leadsTo B'" +lemma leadsTo_weaken_R: "[| F \ A \ A'; A'<=B'; st_set(B') |] ==> F \ A \ B'" by (blast dest: leadsToD2 intro: subset_imp_leadsTo leadsTo_Trans) -lemma leadsTo_weaken_L: "[| F \ A leadsTo A'; B<=A |] ==> F \ B leadsTo A'" +lemma leadsTo_weaken_L: "[| F \ A \ A'; B<=A |] ==> F \ B \ A'" apply (frule leadsToD2) apply (blast intro: leadsTo_Trans subset_imp_leadsTo st_set_subset) done -lemma leadsTo_weaken: "[| F \ A leadsTo A'; B<=A; A'<=B'; st_set(B')|]==> F \ B leadsTo B'" +lemma leadsTo_weaken: "[| F \ A \ A'; B<=A; A'<=B'; st_set(B')|]==> F \ B \ B'" apply (frule leadsToD2) apply (blast intro: leadsTo_weaken_R leadsTo_weaken_L leadsTo_Trans leadsTo_refl) done (* This rule has a nicer conclusion *) -lemma transient_imp_leadsTo2: "[| F \ transient(A); state-A<=B; st_set(B)|] ==> F \ A leadsTo B" +lemma transient_imp_leadsTo2: "[| F \ transient(A); state-A<=B; st_set(B)|] ==> F \ A \ B" apply (frule transientD2) apply (rule leadsTo_weaken_R) apply (auto simp add: transient_imp_leadsTo) done (*Distributes over binary unions*) -lemma leadsTo_Un_distrib: "F:(A \ B) leadsTo C \ (F \ A leadsTo C & F \ B leadsTo C)" +lemma leadsTo_Un_distrib: "F:(A \ B) \ C \ (F \ A \ C & F \ B \ C)" by (blast intro: leadsTo_Un leadsTo_weaken_L) lemma leadsTo_UN_distrib: -"(F:(\i \ I. A(i)) leadsTo B)\ ((\i \ I. F \ A(i) leadsTo B) & F \ program & st_set(B))" +"(F:(\i \ I. A(i)) \ B)\ ((\i \ I. F \ A(i) \ B) & F \ program & st_set(B))" apply (blast dest: leadsToD2 intro: leadsTo_UN leadsTo_weaken_L) done -lemma leadsTo_Union_distrib: "(F \ \(S) leadsTo B) \ (\A \ S. F \ A leadsTo B) & F \ program & st_set(B)" +lemma leadsTo_Union_distrib: "(F \ \(S) \ B) \ (\A \ S. F \ A \ B) & F \ program & st_set(B)" by (blast dest: leadsToD2 intro: leadsTo_Union leadsTo_weaken_L) text\Set difference: maybe combine with @{text leadsTo_weaken_L}??\ lemma leadsTo_Diff: - "[| F: (A-B) leadsTo C; F \ B leadsTo C; st_set(C) |] - ==> F \ A leadsTo C" + "[| F: (A-B) \ C; F \ B \ C; st_set(C) |] + ==> F \ A \ C" by (blast intro: leadsTo_Un leadsTo_weaken dest: leadsToD2) lemma leadsTo_UN_UN: - "[|!!i. i \ I ==> F \ A(i) leadsTo A'(i); F \ program |] - ==> F: (\i \ I. A(i)) leadsTo (\i \ I. A'(i))" + "[|!!i. i \ I ==> F \ A(i) \ A'(i); F \ program |] + ==> F: (\i \ I. A(i)) \ (\i \ I. A'(i))" apply (rule leadsTo_Union) apply (auto intro: leadsTo_weaken_R dest: leadsToD2) done (*Binary union version*) -lemma leadsTo_Un_Un: "[| F \ A leadsTo A'; F \ B leadsTo B' |] ==> F \ (A \ B) leadsTo (A' \ B')" +lemma leadsTo_Un_Un: "[| F \ A \ A'; F \ B \ B' |] ==> F \ (A \ B) \ (A' \ B')" apply (subgoal_tac "st_set (A) & st_set (A') & st_set (B) & st_set (B') ") prefer 2 apply (blast dest: leadsToD2) apply (blast intro: leadsTo_Un leadsTo_weaken_R) done (** The cancellation law **) -lemma leadsTo_cancel2: "[|F \ A leadsTo (A' \ B); F \ B leadsTo B'|] ==> F \ A leadsTo (A' \ B')" +lemma leadsTo_cancel2: "[|F \ A \ (A' \ B); F \ B \ B'|] ==> F \ A \ (A' \ B')" apply (subgoal_tac "st_set (A) & st_set (A') & st_set (B) & st_set (B') &F \ program") prefer 2 apply (blast dest: leadsToD2) apply (blast intro: leadsTo_Trans leadsTo_Un_Un leadsTo_refl) done -lemma leadsTo_cancel_Diff2: "[|F \ A leadsTo (A' \ B); F \ (B-A') leadsTo B'|]==> F \ A leadsTo (A' \ B')" +lemma leadsTo_cancel_Diff2: "[|F \ A \ (A' \ B); F \ (B-A') \ B'|]==> F \ A \ (A' \ B')" apply (rule leadsTo_cancel2) prefer 2 apply assumption apply (blast dest: leadsToD2 intro: leadsTo_weaken_R) done -lemma leadsTo_cancel1: "[| F \ A leadsTo (B \ A'); F \ B leadsTo B' |] ==> F \ A leadsTo (B' \ A')" +lemma leadsTo_cancel1: "[| F \ A \ (B \ A'); F \ B \ B' |] ==> F \ A \ (B' \ A')" apply (simp add: Un_commute) apply (blast intro!: leadsTo_cancel2) done lemma leadsTo_cancel_Diff1: - "[|F \ A leadsTo (B \ A'); F: (B-A') leadsTo B'|]==> F \ A leadsTo (B' \ A')" + "[|F \ A \ (B \ A'); F: (B-A') \ B'|]==> F \ A \ (B' \ A')" apply (rule leadsTo_cancel1) prefer 2 apply assumption apply (blast intro: leadsTo_weaken_R dest: leadsToD2) @@ -334,11 +331,11 @@ (*The INDUCTION rule as we should have liked to state it*) lemma leadsTo_induct: - assumes major: "F \ za leadsTo zb" + assumes major: "F \ za \ zb" and basis: "!!A B. [|F \ A ensures B; st_set(A); st_set(B)|] ==> P(A,B)" - and trans: "!!A B C. [| F \ A leadsTo B; P(A, B); - F \ B leadsTo C; P(B, C) |] ==> P(A,C)" - and union: "!!B S. [| \A \ S. F \ A leadsTo B; \A \ S. P(A,B); + and trans: "!!A B C. [| F \ A \ B; P(A, B); + F \ B \ C; P(B, C) |] ==> P(A,C)" + and union: "!!B S. [| \A \ S. F \ A \ B; \A \ S. P(A,B); st_set(B); \A \ S. st_set(A)|] ==> P(\(S), B)" shows "P(za, zb)" apply (cut_tac major) @@ -352,13 +349,13 @@ (* Added by Sidi, an induction rule without ensures *) lemma leadsTo_induct2: - assumes major: "F \ za leadsTo zb" + assumes major: "F \ za \ zb" and basis1: "!!A B. [| A<=B; st_set(B) |] ==> P(A, B)" and basis2: "!!A B. [| F \ A co A \ B; F \ transient(A); st_set(B) |] ==> P(A, B)" - and trans: "!!A B C. [| F \ A leadsTo B; P(A, B); - F \ B leadsTo C; P(B, C) |] ==> P(A,C)" - and union: "!!B S. [| \A \ S. F \ A leadsTo B; \A \ S. P(A,B); + and trans: "!!A B C. [| F \ A \ B; P(A, B); + F \ B \ C; P(B, C) |] ==> P(A,C)" + and union: "!!B S. [| \A \ S. F \ A \ B; \A \ S. P(A,B); st_set(B); \A \ S. st_set(A)|] ==> P(\(S), B)" shows "P(za, zb)" apply (cut_tac major) @@ -382,7 +379,7 @@ (** Variant induction rule: on the preconditions for B **) (*Lemma is the weak version: can't see how to do it in one step*) lemma leadsTo_induct_pre_aux: - "[| F \ za leadsTo zb; + "[| F \ za \ zb; P(zb); !!A B. [| F \ A ensures B; P(B); st_set(A); st_set(B) |] ==> P(A); !!S. [| \A \ S. P(A); \A \ S. st_set(A) |] ==> P(\(S)) @@ -397,12 +394,12 @@ lemma leadsTo_induct_pre: - "[| F \ za leadsTo zb; + "[| F \ za \ zb; P(zb); - !!A B. [| F \ A ensures B; F \ B leadsTo zb; P(B); st_set(A) |] ==> P(A); - !!S. \A \ S. F \ A leadsTo zb & P(A) & st_set(A) ==> P(\(S)) + !!A B. [| F \ A ensures B; F \ B \ zb; P(B); st_set(A) |] ==> P(A); + !!S. \A \ S. F \ A \ zb & P(A) & st_set(A) ==> P(\(S)) |] ==> P(za)" -apply (subgoal_tac " (F \ za leadsTo zb) & P (za) ") +apply (subgoal_tac " (F \ za \ zb) & P (za) ") apply (erule conjunct2) apply (frule leadsToD2) apply (erule leadsTo_induct_pre_aux) @@ -413,7 +410,7 @@ (** The impossibility law **) lemma leadsTo_empty: - "F \ A leadsTo 0 ==> A=0" + "F \ A \ 0 ==> A=0" apply (erule leadsTo_induct_pre) apply (auto simp add: ensures_def constrains_def transient_def st_set_def) apply (drule bspec, assumption)+ @@ -426,7 +423,7 @@ text\Special case of PSP: Misra's "stable conjunction"\ lemma psp_stable: - "[| F \ A leadsTo A'; F \ stable(B) |] ==> F:(A \ B) leadsTo (A' \ B)" + "[| F \ A \ A'; F \ stable(B) |] ==> F:(A \ B) \ (A' \ B)" apply (unfold stable_def) apply (frule leadsToD2) apply (erule leadsTo_induct) @@ -438,7 +435,7 @@ done -lemma psp_stable2: "[|F \ A leadsTo A'; F \ stable(B) |]==>F: (B \ A) leadsTo (B \ A')" +lemma psp_stable2: "[|F \ A \ A'; F \ stable(B) |]==>F: (B \ A) \ (B \ A')" apply (simp (no_asm_simp) add: psp_stable Int_ac) done @@ -451,7 +448,7 @@ done lemma psp: -"[|F \ A leadsTo A'; F \ B co B'; st_set(B')|]==> F:(A \ B') leadsTo ((A' \ B) \ (B' - B))" +"[|F \ A \ A'; F \ B co B'; st_set(B')|]==> F:(A \ B') \ ((A' \ B) \ (B' - B))" apply (subgoal_tac "F \ program & st_set (A) & st_set (A') & st_set (B) ") prefer 2 apply (blast dest!: constrainsD2 leadsToD2) apply (erule leadsTo_induct) @@ -466,13 +463,13 @@ done -lemma psp2: "[| F \ A leadsTo A'; F \ B co B'; st_set(B') |] - ==> F \ (B' \ A) leadsTo ((B \ A') \ (B' - B))" +lemma psp2: "[| F \ A \ A'; F \ B co B'; st_set(B') |] + ==> F \ (B' \ A) \ ((B \ A') \ (B' - B))" by (simp (no_asm_simp) add: psp Int_ac) lemma psp_unless: - "[| F \ A leadsTo A'; F \ B unless B'; st_set(B); st_set(B') |] - ==> F \ (A \ B) leadsTo ((A' \ B) \ B')" + "[| F \ A \ A'; F \ B unless B'; st_set(B); st_set(B') |] + ==> F \ (A \ B) \ ((A' \ B) \ B')" apply (unfold unless_def) apply (subgoal_tac "st_set (A) &st_set (A') ") prefer 2 apply (blast dest: leadsToD2) @@ -488,11 +485,11 @@ m \ I; field(r)<=I; F \ program; st_set(B); - \m \ I. F \ (A \ f-``{m}) leadsTo + \m \ I. F \ (A \ f-``{m}) \ ((A \ f-``(converse(r)``{m})) \ B) |] - ==> F \ (A \ f-``{m}) leadsTo B" + ==> F \ (A \ f-``{m}) \ B" apply (erule_tac a = m in wf_induct2, simp_all) -apply (subgoal_tac "F \ (A \ (f-`` (converse (r) ``{x}))) leadsTo B") +apply (subgoal_tac "F \ (A \ (f-`` (converse (r) ``{x}))) \ B") apply (blast intro: leadsTo_cancel1 leadsTo_Un_duplicate) apply (subst vimage_eq_UN) apply (simp del: UN_simps add: Int_UN_distrib) @@ -504,9 +501,9 @@ field(r)<=I; A<=f-``I; F \ program; st_set(A); st_set(B); - \m \ I. F \ (A \ f-``{m}) leadsTo + \m \ I. F \ (A \ f-``{m}) \ ((A \ f-``(converse(r)``{m})) \ B) |] - ==> F \ A leadsTo B" + ==> F \ A \ B" apply (rule_tac b = A in subst) defer 1 apply (rule_tac I = I in leadsTo_UN) @@ -535,12 +532,12 @@ apply (blast intro: lt_trans) done -(*Alternative proof is via the lemma F \ (A \ f-`(lessThan m)) leadsTo B*) +(*Alternative proof is via the lemma F \ (A \ f-`(lessThan m)) \ B*) lemma lessThan_induct: "[| A<=f-``nat; F \ program; st_set(A); st_set(B); - \m \ nat. F:(A \ f-``{m}) leadsTo ((A \ f -`` m) \ B) |] - ==> F \ A leadsTo B" + \m \ nat. F:(A \ f-``{m}) \ ((A \ f -`` m) \ B) |] + ==> F \ A \ B" apply (rule_tac A1 = nat and f1 = "%x. x" in wf_measure [THEN leadsTo_wf_induct]) apply (simp_all add: nat_measure_field) apply (simp add: ltI Image_inverse_lessThan vimage_def [symmetric]) @@ -559,22 +556,22 @@ done declare wlt_st_set [iff] -lemma wlt_leadsTo_iff: "F \ wlt(F, B) leadsTo B \ (F \ program & st_set(B))" +lemma wlt_leadsTo_iff: "F \ wlt(F, B) \ B \ (F \ program & st_set(B))" apply (unfold wlt_def) apply (blast dest: leadsToD2 intro!: leadsTo_Union) done -(* [| F \ program; st_set(B) |] ==> F \ wlt(F, B) leadsTo B *) +(* [| F \ program; st_set(B) |] ==> F \ wlt(F, B) \ B *) lemmas wlt_leadsTo = conjI [THEN wlt_leadsTo_iff [THEN iffD2]] -lemma leadsTo_subset: "F \ A leadsTo B ==> A \ wlt(F, B)" +lemma leadsTo_subset: "F \ A \ B ==> A \ wlt(F, B)" apply (unfold wlt_def) apply (frule leadsToD2) apply (auto simp add: st_set_def) done (*Misra's property W2*) -lemma leadsTo_eq_subset_wlt: "F \ A leadsTo B \ (A \ wlt(F,B) & F \ program & st_set(B))" +lemma leadsTo_eq_subset_wlt: "F \ A \ B \ (A \ wlt(F,B) & F \ program & st_set(B))" apply auto apply (blast dest: leadsToD2 leadsTo_subset intro: leadsTo_weaken_L wlt_leadsTo)+ done @@ -596,8 +593,8 @@ (*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*) (* slightly different from the HOL one \ B here is bounded *) -lemma leadsTo_123: "F \ A leadsTo A' - ==> \B \ Pow(state). A<=B & F \ B leadsTo A' & F \ (B-A') co (B \ A')" +lemma leadsTo_123: "F \ A \ A' + ==> \B \ Pow(state). A<=B & F \ B \ A' & F \ (B-A') co (B \ A')" apply (frule leadsToD2) apply (erule leadsTo_induct) txt\Basis\ @@ -608,7 +605,7 @@ apply (blast intro: leadsTo_123_aux leadsTo_Un_Un leadsTo_cancel1 leadsTo_Un_duplicate, blast) txt\Union\ apply (clarify dest!: ball_conj_distrib [THEN iffD1]) -apply (subgoal_tac "\y. y \ Pi (S, %A. {Ba \ Pow (state) . A<=Ba & F \ Ba leadsTo B & F \ Ba - B co Ba \ B}) ") +apply (subgoal_tac "\y. y \ Pi (S, %A. {Ba \ Pow (state) . A<=Ba & F \ Ba \ B & F \ Ba - B co Ba \ B}) ") defer 1 apply (rule AC_ball_Pi, safe) apply (rotate_tac 1) @@ -634,9 +631,9 @@ subsection\Completion: Binary and General Finite versions\ lemma completion_aux: "[| W = wlt(F, (B' \ C)); - F \ A leadsTo (A' \ C); F \ A' co (A' \ C); - F \ B leadsTo (B' \ C); F \ B' co (B' \ C) |] - ==> F \ (A \ B) leadsTo ((A' \ B') \ C)" + F \ A \ (A' \ C); F \ A' co (A' \ C); + F \ B \ (B' \ C); F \ B' co (B' \ C) |] + ==> F \ (A \ B) \ ((A' \ B') \ C)" apply (subgoal_tac "st_set (C) &st_set (W) &st_set (W-C) &st_set (A') &st_set (A) & st_set (B) & st_set (B') & F \ program") prefer 2 apply simp @@ -647,10 +644,10 @@ apply (subgoal_tac "F \ (W-C) co W") prefer 2 apply (simp add: wlt_increasing [THEN subset_Un_iff2 [THEN iffD1]] Un_assoc) -apply (subgoal_tac "F \ (A \ W - C) leadsTo (A' \ W \ C) ") +apply (subgoal_tac "F \ (A \ W - C) \ (A' \ W \ C) ") prefer 2 apply (blast intro: wlt_leadsTo psp [THEN leadsTo_weaken]) (** step 13 **) -apply (subgoal_tac "F \ (A' \ W \ C) leadsTo (A' \ B' \ C) ") +apply (subgoal_tac "F \ (A' \ W \ C) \ (A' \ B' \ C) ") apply (drule leadsTo_Diff) apply (blast intro: subset_imp_leadsTo dest: leadsToD2 constrainsD2) apply (force simp add: st_set_def) @@ -669,9 +666,9 @@ lemma finite_completion_aux: "[| I \ Fin(X); F \ program; st_set(C) |] ==> - (\i \ I. F \ (A(i)) leadsTo (A'(i) \ C)) \ + (\i \ I. F \ (A(i)) \ (A'(i) \ C)) \ (\i \ I. F \ (A'(i)) co (A'(i) \ C)) \ - F \ (\i \ I. A(i)) leadsTo ((\i \ I. A'(i)) \ C)" + F \ (\i \ I. A(i)) \ ((\i \ I. A'(i)) \ C)" apply (erule Fin_induct) apply (auto simp add: Inter_0) apply (rule completion) @@ -681,15 +678,15 @@ lemma finite_completion: "[| I \ Fin(X); - !!i. i \ I ==> F \ A(i) leadsTo (A'(i) \ C); + !!i. i \ I ==> F \ A(i) \ (A'(i) \ C); !!i. i \ I ==> F \ A'(i) co (A'(i) \ C); F \ program; st_set(C)|] - ==> F \ (\i \ I. A(i)) leadsTo ((\i \ I. A'(i)) \ C)" + ==> F \ (\i \ I. A(i)) \ ((\i \ I. A'(i)) \ C)" by (blast intro: finite_completion_aux [THEN mp, THEN mp]) lemma stable_completion: - "[| F \ A leadsTo A'; F \ stable(A'); - F \ B leadsTo B'; F \ stable(B') |] - ==> F \ (A \ B) leadsTo (A' \ B')" + "[| F \ A \ A'; F \ stable(A'); + F \ B \ B'; F \ stable(B') |] + ==> F \ (A \ B) \ (A' \ B')" apply (unfold stable_def) apply (rule_tac C1 = 0 in completion [THEN leadsTo_weaken_R], simp+) apply (blast dest: leadsToD2) @@ -698,9 +695,9 @@ lemma finite_stable_completion: "[| I \ Fin(X); - (!!i. i \ I ==> F \ A(i) leadsTo A'(i)); + (!!i. i \ I ==> F \ A(i) \ A'(i)); (!!i. i \ I ==> F \ stable(A'(i))); F \ program |] - ==> F \ (\i \ I. A(i)) leadsTo (\i \ I. A'(i))" + ==> F \ (\i \ I. A(i)) \ (\i \ I. A'(i))" apply (unfold stable_def) apply (subgoal_tac "st_set (\i \ I. A' (i))") prefer 2 apply (blast dest: leadsToD2)