# HG changeset patch # User paulson # Date 1045394260 -3600 # Node ID 78f5885b76a99af7806f48781ff05fe399f7c62d # Parent 274fda8cca4b5c008c5da495e6c1770b169abb93 minor revisions diff -r 274fda8cca4b -r 78f5885b76a9 src/HOL/UNITY/Comp.thy --- a/src/HOL/UNITY/Comp.thy Sun Feb 16 12:16:07 2003 +0100 +++ b/src/HOL/UNITY/Comp.thy Sun Feb 16 12:17:40 2003 +0100 @@ -7,9 +7,9 @@ From Chandy and Sanders, "Reasoning About Program Composition", Technical Report 2000-003, University of Florida, 2000. -Revised by Sidi Ehmety on January 2001 +Revised by Sidi Ehmety on January 2001 -Added: a strong form of the \ relation (component_of) and localize +Added: a strong form of the \ relation (component_of) and localize *) @@ -20,19 +20,19 @@ instance program :: (type) ord .. defs - component_def: "F \ H == \G. F Join G = H" + component_def: "F \ H == \G. F\G = H" strict_component_def: "(F < (H::'a program)) == (F \ H & F \ H)" constdefs component_of :: "'a program =>'a program=> bool" (infixl "component'_of" 50) - "F component_of H == \G. F ok G & F Join G = H" + "F component_of H == \G. F ok G & F\G = H" strict_component_of :: "'a program\'a program=> bool" (infixl "strict'_component'_of" 50) "F strict_component_of H == F component_of H & F\H" - + preserves :: "('a=>'b) => 'a program set" "preserves v == \z. stable {s. v s = z}" @@ -45,15 +45,15 @@ subsection{*The component relation*} -lemma componentI: "H \ F | H \ G ==> H \ (F Join G)" +lemma componentI: "H \ F | H \ G ==> H \ (F\G)" apply (unfold component_def, auto) -apply (rule_tac x = "G Join Ga" in exI) -apply (rule_tac [2] x = "G Join F" in exI) +apply (rule_tac x = "G\Ga" in exI) +apply (rule_tac [2] x = "G\F" in exI) apply (auto simp add: Join_ac) done -lemma component_eq_subset: - "(F \ G) = +lemma component_eq_subset: + "(F \ G) = (Init G \ Init F & Acts F \ Acts G & AllowedActs G \ AllowedActs F)" apply (unfold component_def) apply (force intro!: exI program_equalityI) @@ -72,18 +72,18 @@ lemma SKIP_minimal: "F \ SKIP ==> F = SKIP" by (auto intro!: program_equalityI simp add: component_eq_subset) -lemma component_Join1: "F \ (F Join G)" +lemma component_Join1: "F \ (F\G)" by (unfold component_def, blast) -lemma component_Join2: "G \ (F Join G)" +lemma component_Join2: "G \ (F\G)" apply (unfold component_def) apply (simp add: Join_commute, blast) done -lemma Join_absorb1: "F \ G ==> F Join G = G" +lemma Join_absorb1: "F \ G ==> F\G = G" by (auto simp add: component_def Join_left_absorb) -lemma Join_absorb2: "G \ F ==> F Join G = F" +lemma Join_absorb2: "G \ F ==> F\G = F" by (auto simp add: Join_ac component_def) lemma JN_component_iff: "((JOIN I F) \ H) = (\i \ I. F i \ H)" @@ -104,7 +104,7 @@ apply (blast intro!: program_equalityI) done -lemma Join_component_iff: "((F Join G) \ H) = (F \ H & G \ H)" +lemma Join_component_iff: "((F\G) \ H) = (F \ H & G \ H)" by (simp add: component_eq_subset, blast) lemma component_constrains: "[| F \ G; G \ A co B |] ==> F \ A co B" @@ -119,20 +119,17 @@ lemma preservesI: "(!!z. F \ stable {s. v s = z}) ==> F \ preserves v" by (unfold preserves_def, blast) -lemma preserves_imp_eq: +lemma preserves_imp_eq: "[| F \ preserves v; act \ Acts F; (s,s') \ act |] ==> v s = v s'" -apply (unfold preserves_def stable_def constrains_def, force) -done +by (unfold preserves_def stable_def constrains_def, force) -lemma Join_preserves [iff]: - "(F Join G \ preserves v) = (F \ preserves v & G \ preserves v)" -apply (unfold preserves_def, auto) -done +lemma Join_preserves [iff]: + "(F\G \ preserves v) = (F \ preserves v & G \ preserves v)" +by (unfold preserves_def, auto) lemma JN_preserves [iff]: "(JOIN I F \ preserves v) = (\i \ I. F i \ preserves v)" -apply (simp add: JN_stable preserves_def, blast) -done +by (simp add: JN_stable preserves_def, blast) lemma SKIP_preserves [iff]: "SKIP \ preserves v" by (auto simp add: preserves_def) @@ -182,19 +179,19 @@ (** Some lemmas used only in Client.ML **) lemma stable_localTo_stable2: - "[| F \ stable {s. P (v s) (w s)}; - G \ preserves v; G \ preserves w |] - ==> F Join G \ stable {s. P (v s) (w s)}" + "[| F \ stable {s. P (v s) (w s)}; + G \ preserves v; G \ preserves w |] + ==> F\G \ stable {s. P (v s) (w s)}" apply simp apply (subgoal_tac "G \ preserves (funPair v w) ") - prefer 2 apply simp -apply (drule_tac P1 = "split ?Q" in preserves_subset_stable [THEN subsetD], auto) + prefer 2 apply simp +apply (drule_tac P1 = "split ?Q" in preserves_subset_stable [THEN subsetD], + auto) done lemma Increasing_preserves_Stable: - "[| F \ stable {s. v s \ w s}; G \ preserves v; - F Join G \ Increasing w |] - ==> F Join G \ Stable {s. v s \ w s}" + "[| F \ stable {s. v s \ w s}; G \ preserves v; F\G \ Increasing w |] + ==> F\G \ Stable {s. v s \ w s}" apply (auto simp add: stable_def Stable_def Increasing_def Constrains_def all_conj_distrib) apply (blast intro: constrains_weaken) (*The G case remains*) @@ -204,8 +201,7 @@ apply (erule_tac V = "\act \ Acts F. ?P act" in thin_rl) apply (erule_tac V = "\z. \act \ Acts F. ?P z act" in thin_rl) apply (subgoal_tac "v x = v xa") -prefer 2 apply blast -apply auto + apply auto apply (erule order_trans, blast) done @@ -225,7 +221,7 @@ lemma component_of_SKIP [simp]: "SKIP component_of F" by (unfold component_of_def, auto) -lemma component_of_trans: +lemma component_of_trans: "[| F component_of G; G component_of H |] ==> F component_of H" apply (unfold component_of_def) apply (blast intro: Join_assoc [symmetric]) @@ -241,8 +237,8 @@ lemma localize_Acts_eq [simp]: "Acts (localize v F) = Acts F" by (simp add: localize_def) -lemma localize_AllowedActs_eq [simp]: - "AllowedActs (localize v F) = AllowedActs F \ (\G \ preserves v. Acts G)" +lemma localize_AllowedActs_eq [simp]: + "AllowedActs (localize v F) = AllowedActs F \ (\G \ preserves v. Acts G)" by (unfold localize_def, auto) end diff -r 274fda8cca4b -r 78f5885b76a9 src/HOL/UNITY/ELT.thy --- a/src/HOL/UNITY/ELT.thy Sun Feb 16 12:16:07 2003 +0100 +++ b/src/HOL/UNITY/ELT.thy Sun Feb 16 12:17:40 2003 +0100 @@ -127,8 +127,7 @@ (*Useful with cancellation, disjunction*) lemma leadsETo_Un_duplicate: "F : A leadsTo[CC] (A' Un A') ==> F : A leadsTo[CC] A'" -apply (simp add: Un_ac) -done +by (simp add: Un_ac) lemma leadsETo_Un_duplicate2: "F : A leadsTo[CC] (A' Un C Un C) ==> F : A leadsTo[CC] (A' Un C)" @@ -195,12 +194,12 @@ lemma single_leadsETo_I: "(!!x. x : A ==> F : {x} leadsTo[CC] B) ==> F : A leadsTo[CC] B" -apply (subst UN_singleton [symmetric], rule leadsETo_UN, blast) -done +by (subst UN_singleton [symmetric], rule leadsETo_UN, blast) lemma subset_imp_leadsETo: "A<=B ==> F : A leadsTo[CC] B" -by (simp add: subset_imp_ensures [THEN leadsETo_Basis] Diff_eq_empty_iff [THEN iffD2]) +by (simp add: subset_imp_ensures [THEN leadsETo_Basis] + Diff_eq_empty_iff [THEN iffD2]) lemmas empty_leadsETo = empty_subsetI [THEN subset_imp_leadsETo, simp] @@ -210,37 +209,33 @@ lemma leadsETo_weaken_R: "[| F : A leadsTo[CC] A'; A'<=B' |] ==> F : A leadsTo[CC] B'" -apply (blast intro: subset_imp_leadsETo leadsETo_Trans) -done +by (blast intro: subset_imp_leadsETo leadsETo_Trans) lemma leadsETo_weaken_L [rule_format]: "[| F : A leadsTo[CC] A'; B<=A |] ==> F : B leadsTo[CC] A'" -apply (blast intro: leadsETo_Trans subset_imp_leadsETo) -done +by (blast intro: leadsETo_Trans subset_imp_leadsETo) (*Distributes over binary unions*) lemma leadsETo_Un_distrib: "F : (A Un B) leadsTo[CC] C = (F : A leadsTo[CC] C & F : B leadsTo[CC] C)" -apply (blast intro: leadsETo_Un leadsETo_weaken_L) -done +by (blast intro: leadsETo_Un leadsETo_weaken_L) lemma leadsETo_UN_distrib: "F : (UN i:I. A i) leadsTo[CC] B = (ALL i : I. F : (A i) leadsTo[CC] B)" -apply (blast intro: leadsETo_UN leadsETo_weaken_L) -done +by (blast intro: leadsETo_UN leadsETo_weaken_L) lemma leadsETo_Union_distrib: "F : (Union S) leadsTo[CC] B = (ALL A : S. F : A leadsTo[CC] B)" -apply (blast intro: leadsETo_Union leadsETo_weaken_L) -done +by (blast intro: leadsETo_Union leadsETo_weaken_L) lemma leadsETo_weaken: "[| F : A leadsTo[CC'] A'; B<=A; A'<=B'; CC' <= CC |] ==> F : B leadsTo[CC] B'" apply (drule leadsETo_mono [THEN subsetD], assumption) -apply (blast del: subsetCE intro: leadsETo_weaken_R leadsETo_weaken_L leadsETo_Trans) +apply (blast del: subsetCE + intro: leadsETo_weaken_R leadsETo_weaken_L leadsETo_Trans) done lemma leadsETo_givenBy: @@ -286,7 +281,6 @@ done - (** PSP: Progress-Safety-Progress **) (*Special case of PSP: Misra's "stable conjunction"*) @@ -299,7 +293,8 @@ prefer 2 apply (blast intro: leadsETo_Trans) apply (rule leadsETo_Basis) prefer 2 apply (force simp add: Diff_Int_distrib2 [symmetric]) -apply (simp add: ensures_def Diff_Int_distrib2 [symmetric] Int_Un_distrib2 [symmetric]) +apply (simp add: ensures_def Diff_Int_distrib2 [symmetric] + Int_Un_distrib2 [symmetric]) apply (blast intro: transient_strengthen constrains_Int) done @@ -339,8 +334,8 @@ (*??IS THIS NEEDED?? or is it just an example of what's provable??*) lemma gen_leadsETo_imp_Join_leadsETo: "[| F: (A leadsTo[givenBy v] B); G : preserves v; - F Join G : stable C |] - ==> F Join G : ((C Int A) leadsTo[(%D. C Int D) ` givenBy v] B)" + F\G : stable C |] + ==> F\G : ((C Int A) leadsTo[(%D. C Int D) ` givenBy v] B)" apply (erule leadsETo_induct) prefer 3 apply (subst Int_Union) @@ -348,7 +343,8 @@ prefer 2 apply (blast intro: e_psp_stable2 [THEN leadsETo_weaken_L] leadsETo_Trans) apply (rule leadsETo_Basis) -apply (auto simp add: Diff_eq_empty_iff [THEN iffD2] Int_Diff ensures_def givenBy_eq_Collect Join_transient) +apply (auto simp add: Diff_eq_empty_iff [THEN iffD2] + Int_Diff ensures_def givenBy_eq_Collect Join_transient) prefer 3 apply (blast intro: transient_strengthen) apply (drule_tac [2] P1 = P in preserves_subset_stable [THEN subsetD]) apply (drule_tac P1 = P in preserves_subset_stable [THEN subsetD]) @@ -363,8 +359,8 @@ lemma leadsETo_subset_leadsTo: "(A leadsTo[CC] B) <= (A leadsTo B)" apply safe apply (erule leadsETo_induct) -prefer 3 apply (blast intro: leadsTo_Union) -prefer 2 apply (blast intro: leadsTo_Trans, blast) + prefer 3 apply (blast intro: leadsTo_Union) + prefer 2 apply (blast intro: leadsTo_Trans, blast) done lemma leadsETo_UNIV_eq_leadsTo: "(A leadsTo[UNIV] B) = (A leadsTo B)" @@ -372,8 +368,8 @@ apply (erule leadsETo_subset_leadsTo [THEN subsetD]) (*right-to-left case*) apply (erule leadsTo_induct) -prefer 3 apply (blast intro: leadsETo_Union) -prefer 2 apply (blast intro: leadsETo_Trans, blast) + prefer 3 apply (blast intro: leadsETo_Union) + prefer 2 apply (blast intro: leadsETo_Trans, blast) done (**** weak ****) @@ -420,8 +416,7 @@ (*Lets us look at the starting state*) lemma single_LeadsETo_I: "(!!s. s : A ==> F : {s} LeadsTo[CC] B) ==> F : A LeadsTo[CC] B" -apply (subst UN_singleton [symmetric], rule LeadsETo_UN, blast) -done +by (subst UN_singleton [symmetric], rule LeadsETo_UN, blast) lemma subset_imp_LeadsETo: "A <= B ==> F : A LeadsTo[CC] B" @@ -482,10 +477,9 @@ (**** EXTEND/PROJECT PROPERTIES ****) -lemma (in Extend) givenBy_o_eq_extend_set: "givenBy (v o f) = extend_set h ` (givenBy v)" -apply (simp (no_asm) add: givenBy_eq_Collect) -apply best -done +lemma (in Extend) givenBy_o_eq_extend_set: + "givenBy (v o f) = extend_set h ` (givenBy v)" +by (simp add: givenBy_eq_Collect, best) lemma (in Extend) givenBy_eq_extend_set: "givenBy f = range (extend_set h)" apply (simp (no_asm) add: givenBy_eq_Collect) @@ -515,9 +509,9 @@ lemma (in Extend) Join_project_ensures_strong: "[| project h C G ~: transient (project_set h C Int (A-B)) | project_set h C Int (A - B) = {}; - extend h F Join G : stable C; - F Join project h C G : (project_set h C Int A) ensures B |] - ==> extend h F Join G : (C Int extend_set h A) ensures (extend_set h B)" + extend h F\G : stable C; + F\project h C G : (project_set h C Int A) ensures B |] + ==> extend h F\G : (C Int extend_set h A) ensures (extend_set h B)" apply (subst Int_extend_set_lemma [symmetric]) apply (rule Join_project_ensures) apply (auto simp add: Int_Diff) @@ -525,10 +519,10 @@ (*NOT WORKING. MODIFY AS IN Project.thy lemma (in Extend) pld_lemma: - "[| extend h F Join G : stable C; - F Join project h C G : (project_set h C Int A) leadsTo[(%D. project_set h C Int D)`givenBy v] B; + "[| extend h F\G : stable C; + F\project h C G : (project_set h C Int A) leadsTo[(%D. project_set h C Int D)`givenBy v] B; G : preserves (v o f) |] - ==> extend h F Join G : + ==> extend h F\G : (C Int extend_set h (project_set h C Int A)) leadsTo[(%D. C Int extend_set h D)`givenBy v] (extend_set h B)" apply (erule leadsETo_induct) @@ -548,21 +542,21 @@ done lemma (in Extend) project_leadsETo_D_lemma: - "[| extend h F Join G : stable C; - F Join project h C G : + "[| extend h F\G : stable C; + F\project h C G : (project_set h C Int A) leadsTo[(%D. project_set h C Int D)`givenBy v] B; G : preserves (v o f) |] - ==> extend h F Join G : (C Int extend_set h A) + ==> extend h F\G : (C Int extend_set h A) leadsTo[(%D. C Int extend_set h D)`givenBy v] (extend_set h B)" apply (rule pld_lemma [THEN leadsETo_weaken]) apply (auto simp add: split_extended_all) done lemma (in Extend) project_leadsETo_D: - "[| F Join project h UNIV G : A leadsTo[givenBy v] B; + "[| F\project h UNIV G : A leadsTo[givenBy v] B; G : preserves (v o f) |] - ==> extend h F Join G : (extend_set h A) + ==> extend h F\G : (extend_set h A) leadsTo[givenBy (v o f)] (extend_set h B)" apply (cut_tac project_leadsETo_D_lemma [of _ _ UNIV], auto) apply (erule leadsETo_givenBy) @@ -570,10 +564,10 @@ done lemma (in Extend) project_LeadsETo_D: - "[| F Join project h (reachable (extend h F Join G)) G + "[| F\project h (reachable (extend h F\G)) G : A LeadsTo[givenBy v] B; G : preserves (v o f) |] - ==> extend h F Join G : + ==> extend h F\G : (extend_set h A) LeadsTo[givenBy (v o f)] (extend_set h B)" apply (cut_tac subset_refl [THEN stable_reachable, THEN project_leadsETo_D_lemma]) apply (auto simp add: LeadsETo_def) @@ -593,7 +587,7 @@ lemma (in Extend) extending_LeadsETo: "(ALL G. extend h F ok G --> G : preserves (v o f)) - ==> extending (%G. reachable (extend h F Join G)) h F + ==> extending (%G. reachable (extend h F\G)) h F (extend_set h A LeadsTo[givenBy (v o f)] extend_set h B) (A LeadsTo[givenBy v] B)" apply (unfold extending_def) @@ -606,10 +600,10 @@ (*Lemma for the Trans case*) lemma (in Extend) pli_lemma: - "[| extend h F Join G : stable C; - F Join project h C G + "[| extend h F\G : stable C; + F\project h C G : project_set h C Int project_set h A leadsTo project_set h B |] - ==> F Join project h C G + ==> F\project h C G : project_set h C Int project_set h A leadsTo project_set h C Int project_set h B" apply (rule psp_stable2 [THEN leadsTo_weaken_L]) @@ -617,10 +611,10 @@ done lemma (in Extend) project_leadsETo_I_lemma: - "[| extend h F Join G : stable C; - extend h F Join G : + "[| extend h F\G : stable C; + extend h F\G : (C Int A) leadsTo[(%D. C Int D)`givenBy f] B |] - ==> F Join project h C G + ==> F\project h C G : (project_set h C Int project_set h (C Int A)) leadsTo (project_set h B)" apply (erule leadsETo_induct) prefer 3 @@ -633,14 +627,14 @@ done lemma (in Extend) project_leadsETo_I: - "extend h F Join G : (extend_set h A) leadsTo[givenBy f] (extend_set h B) - ==> F Join project h UNIV G : A leadsTo B" + "extend h F\G : (extend_set h A) leadsTo[givenBy f] (extend_set h B) + ==> F\project h UNIV G : A leadsTo B" apply (rule project_leadsETo_I_lemma [THEN leadsTo_weaken], auto) done lemma (in Extend) project_LeadsETo_I: - "extend h F Join G : (extend_set h A) LeadsTo[givenBy f] (extend_set h B) - ==> F Join project h (reachable (extend h F Join G)) G + "extend h F\G : (extend_set h A) LeadsTo[givenBy f] (extend_set h B) + ==> F\project h (reachable (extend h F\G)) G : A LeadsTo B" apply (simp (no_asm_use) add: LeadsTo_def LeadsETo_def) apply (rule project_leadsETo_I_lemma [THEN leadsTo_weaken]) @@ -656,7 +650,7 @@ done lemma (in Extend) projecting_LeadsTo: - "projecting (%G. reachable (extend h F Join G)) h F + "projecting (%G. reachable (extend h F\G)) h F (extend_set h A LeadsTo[givenBy f] extend_set h B) (A LeadsTo B)" apply (unfold projecting_def) diff -r 274fda8cca4b -r 78f5885b76a9 src/HOL/UNITY/Extend.thy --- a/src/HOL/UNITY/Extend.thy Sun Feb 16 12:16:07 2003 +0100 +++ b/src/HOL/UNITY/Extend.thy Sun Feb 16 12:17:40 2003 +0100 @@ -429,7 +429,7 @@ done lemma (in Extend) extend_Join [simp]: - "extend h (F Join G) = extend h F Join extend h G" + "extend h (F\G) = extend h F\extend h G" apply (rule program_equalityI) apply (simp (no_asm) add: extend_set_Int_distrib) apply (simp add: image_Un, auto) @@ -679,14 +679,14 @@ subsection{*Guarantees*} lemma (in Extend) project_extend_Join: - "project h UNIV ((extend h F) Join G) = F Join (project h UNIV G)" + "project h UNIV ((extend h F)\G) = F\(project h UNIV G)" apply (rule program_equalityI) apply (simp add: project_set_extend_set_Int) apply (simp add: image_eq_UN UN_Un, auto) done lemma (in Extend) extend_Join_eq_extend_D: - "(extend h F) Join G = extend h H ==> H = F Join (project h UNIV G)" + "(extend h F)\G = extend h H ==> H = F\(project h UNIV G)" apply (drule_tac f = "project h UNIV" in arg_cong) apply (simp add: project_extend_Join) done diff -r 274fda8cca4b -r 78f5885b76a9 src/HOL/UNITY/Guar.thy --- a/src/HOL/UNITY/Guar.thy Sun Feb 16 12:16:07 2003 +0100 +++ b/src/HOL/UNITY/Guar.thy Sun Feb 16 12:17:40 2003 +0100 @@ -32,21 +32,21 @@ case, proving equivalence with Chandy and Sanders's n-ary definitions*) ex_prop :: "'a program set => bool" - "ex_prop X == \F G. F ok G -->F \ X | G \ X --> (F Join G) \ X" + "ex_prop X == \F G. F ok G -->F \ X | G \ X --> (F\G) \ X" strict_ex_prop :: "'a program set => bool" - "strict_ex_prop X == \F G. F ok G --> (F \ X | G \ X) = (F Join G \ X)" + "strict_ex_prop X == \F G. F ok G --> (F \ X | G \ X) = (F\G \ X)" uv_prop :: "'a program set => bool" - "uv_prop X == SKIP \ X & (\F G. F ok G --> F \ X & G \ X --> (F Join G) \ X)" + "uv_prop X == SKIP \ X & (\F G. F ok G --> F \ X & G \ X --> (F\G) \ X)" strict_uv_prop :: "'a program set => bool" "strict_uv_prop X == - SKIP \ X & (\F G. F ok G --> (F \ X & G \ X) = (F Join G \ X))" + SKIP \ X & (\F G. F ok G --> (F \ X & G \ X) = (F\G \ X))" guar :: "['a program set, 'a program set] => 'a program set" (infixl "guarantees" 55) (*higher than membership, lower than Co*) - "X guarantees Y == {F. \G. F ok G --> F Join G \ X --> F Join G \ Y}" + "X guarantees Y == {F. \G. F ok G --> F\G \ X --> F\G \ Y}" (* Weakest guarantees *) @@ -64,8 +64,8 @@ refines :: "['a program, 'a program, 'a program set] => bool" ("(3_ refines _ wrt _)" [10,10,10] 10) "G refines F wrt X == - \H. (F ok H & G ok H & F Join H \ welldef \ X) --> - (G Join H \ welldef \ X)" + \H. (F ok H & G ok H & F\H \ welldef \ X) --> + (G\H \ welldef \ X)" iso_refines :: "['a program, 'a program, 'a program set] => bool" ("(3_ iso'_refines _ wrt _)" [10,10,10] 10) @@ -146,19 +146,19 @@ (*** guarantees ***) lemma guaranteesI: - "(!!G. [| F ok G; F Join G \ X |] ==> F Join G \ Y) + "(!!G. [| F ok G; F\G \ X |] ==> F\G \ Y) ==> F \ X guarantees Y" by (simp add: guar_def component_def) lemma guaranteesD: - "[| F \ X guarantees Y; F ok G; F Join G \ X |] - ==> F Join G \ Y" + "[| F \ X guarantees Y; F ok G; F\G \ X |] + ==> F\G \ Y" by (unfold guar_def component_def, blast) (*This version of guaranteesD matches more easily in the conclusion The major premise can no longer be F \ H since we need to reason about G*) lemma component_guaranteesD: - "[| F \ X guarantees Y; F Join G = H; H \ X; F ok G |] + "[| F \ X guarantees Y; F\G = H; H \ X; F ok G |] ==> H \ Y" by (unfold guar_def, blast) @@ -263,24 +263,24 @@ lemma guarantees_Join_Int: "[| F \ U guarantees V; G \ X guarantees Y; F ok G |] - ==> F Join G \ (U \ X) guarantees (V \ Y)" + ==> F\G \ (U \ X) guarantees (V \ Y)" apply (unfold guar_def) apply (simp (no_asm)) apply safe apply (simp add: Join_assoc) -apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") +apply (subgoal_tac "F\G\Ga = G\(F\Ga) ") apply (simp add: ok_commute) apply (simp (no_asm_simp) add: Join_ac) done lemma guarantees_Join_Un: "[| F \ U guarantees V; G \ X guarantees Y; F ok G |] - ==> F Join G \ (U \ X) guarantees (V \ Y)" + ==> F\G \ (U \ X) guarantees (V \ Y)" apply (unfold guar_def) apply (simp (no_asm)) apply safe apply (simp add: Join_assoc) -apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") +apply (subgoal_tac "F\G\Ga = G\(F\Ga) ") apply (simp add: ok_commute) apply (simp (no_asm_simp) add: Join_ac) done @@ -291,7 +291,7 @@ apply (unfold guar_def, auto) apply (drule bspec, assumption) apply (rename_tac "i") -apply (drule_tac x = "JOIN (I-{i}) F Join G" in spec) +apply (drule_tac x = "JOIN (I-{i}) F\G" in spec) apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) done @@ -302,7 +302,7 @@ apply (unfold guar_def, auto) apply (drule bspec, assumption) apply (rename_tac "i") -apply (drule_tac x = "JOIN (I-{i}) F Join G" in spec) +apply (drule_tac x = "JOIN (I-{i}) F\G" in spec) apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) done @@ -311,7 +311,7 @@ (*** guarantees laws for breaking down the program, by lcp ***) lemma guarantees_Join_I1: - "[| F \ X guarantees Y; F ok G |] ==> F Join G \ X guarantees Y" + "[| F \ X guarantees Y; F ok G |] ==> F\G \ X guarantees Y" apply (unfold guar_def) apply (simp (no_asm)) apply safe @@ -319,7 +319,7 @@ done lemma guarantees_Join_I2: - "[| G \ X guarantees Y; F ok G |] ==> F Join G \ X guarantees Y" + "[| G \ X guarantees Y; F ok G |] ==> F\G \ X guarantees Y" apply (simp add: Join_commute [of _ G] ok_commute [of _ G]) apply (blast intro: guarantees_Join_I1) done @@ -328,17 +328,17 @@ "[| i \ I; F i \ X guarantees Y; OK I F |] ==> (\i \ I. (F i)) \ X guarantees Y" apply (unfold guar_def, clarify) -apply (drule_tac x = "JOIN (I-{i}) F Join G" in spec) +apply (drule_tac x = "JOIN (I-{i}) F\G" in spec) apply (auto intro: OK_imp_ok simp add: JN_Join_diff JN_Join_diff Join_assoc [symmetric]) done (*** well-definedness ***) -lemma Join_welldef_D1: "F Join G \ welldef ==> F \ welldef" +lemma Join_welldef_D1: "F\G \ welldef ==> F \ welldef" by (unfold welldef_def, auto) -lemma Join_welldef_D2: "F Join G \ welldef ==> G \ welldef" +lemma Join_welldef_D2: "F\G \ welldef ==> G \ welldef" by (unfold welldef_def, auto) (*** refinement ***) @@ -356,13 +356,13 @@ lemma strict_ex_refine_lemma: "strict_ex_prop X - ==> (\H. F ok H & G ok H & F Join H \ X --> G Join H \ X) + ==> (\H. F ok H & G ok H & F\H \ X --> G\H \ X) = (F \ X --> G \ X)" by (unfold strict_ex_prop_def, auto) lemma strict_ex_refine_lemma_v: "strict_ex_prop X - ==> (\H. F ok H & G ok H & F Join H \ welldef & F Join H \ X --> G Join H \ X) = + ==> (\H. F ok H & G ok H & F\H \ welldef & F\H \ X --> G\H \ X) = (F \ welldef \ X --> G \ X)" apply (unfold strict_ex_prop_def, safe) apply (erule_tac x = SKIP and P = "%H. ?PP H --> ?RR H" in allE) @@ -371,7 +371,7 @@ lemma ex_refinement_thm: "[| strict_ex_prop X; - \H. F ok H & G ok H & F Join H \ welldef \ X --> G Join H \ welldef |] + \H. F ok H & G ok H & F\H \ welldef \ X --> G\H \ welldef |] ==> (G refines F wrt X) = (G iso_refines F wrt X)" apply (rule_tac x = SKIP in allE, assumption) apply (simp add: refines_def iso_refines_def strict_ex_refine_lemma_v) @@ -380,12 +380,12 @@ lemma strict_uv_refine_lemma: "strict_uv_prop X ==> - (\H. F ok H & G ok H & F Join H \ X --> G Join H \ X) = (F \ X --> G \ X)" + (\H. F ok H & G ok H & F\H \ X --> G\H \ X) = (F \ X --> G \ X)" by (unfold strict_uv_prop_def, blast) lemma strict_uv_refine_lemma_v: "strict_uv_prop X - ==> (\H. F ok H & G ok H & F Join H \ welldef & F Join H \ X --> G Join H \ X) = + ==> (\H. F ok H & G ok H & F\H \ welldef & F\H \ X --> G\H \ X) = (F \ welldef \ X --> G \ X)" apply (unfold strict_uv_prop_def, safe) apply (erule_tac x = SKIP and P = "%H. ?PP H --> ?RR H" in allE) @@ -394,8 +394,8 @@ lemma uv_refinement_thm: "[| strict_uv_prop X; - \H. F ok H & G ok H & F Join H \ welldef \ X --> - G Join H \ welldef |] + \H. F ok H & G ok H & F\H \ welldef \ X --> + G\H \ welldef |] ==> (G refines F wrt X) = (G iso_refines F wrt X)" apply (rule_tac x = SKIP in allE, assumption) apply (simp add: refines_def iso_refines_def strict_uv_refine_lemma_v) @@ -458,15 +458,15 @@ by (unfold wx_def, auto) (* Proposition 6 *) -lemma wx'_ex_prop: "ex_prop({F. \G. F ok G --> F Join G \ X})" +lemma wx'_ex_prop: "ex_prop({F. \G. F ok G --> F\G \ X})" apply (unfold ex_prop_def, safe) -apply (drule_tac x = "G Join Ga" in spec) +apply (drule_tac x = "G\Ga" in spec) apply (force simp add: ok_Join_iff1 Join_assoc) -apply (drule_tac x = "F Join Ga" in spec) +apply (drule_tac x = "F\Ga" in spec) apply (simp (no_asm_use) add: ok_Join_iff1) apply safe apply (simp (no_asm_simp) add: ok_commute) -apply (subgoal_tac "F Join G = G Join F") +apply (subgoal_tac "F\G = G\F") apply (simp (no_asm_simp) add: Join_assoc) apply (simp (no_asm) add: Join_commute) done @@ -474,15 +474,15 @@ (* Equivalence with the other definition of wx *) lemma wx_equiv: - "wx X = {F. \G. F ok G --> (F Join G):X}" + "wx X = {F. \G. F ok G --> (F\G):X}" apply (unfold wx_def, safe) apply (simp (no_asm_use) add: ex_prop_def) apply (drule_tac x = x in spec) apply (drule_tac x = G in spec) -apply (frule_tac c = "x Join G" in subsetD, safe) +apply (frule_tac c = "x\G" in subsetD, safe) apply (simp (no_asm)) -apply (rule_tac x = "{F. \G. F ok G --> F Join G \ X}" in exI, safe) +apply (rule_tac x = "{F. \G. F ok G --> F\G \ X}" in exI, safe) apply (rule_tac [2] wx'_ex_prop) apply (rotate_tac 1) apply (drule_tac x = SKIP in spec, auto) diff -r 274fda8cca4b -r 78f5885b76a9 src/HOL/UNITY/Project.thy --- a/src/HOL/UNITY/Project.thy Sun Feb 16 12:16:07 2003 +0100 +++ b/src/HOL/UNITY/Project.thy Sun Feb 16 12:17:40 2003 +0100 @@ -16,13 +16,13 @@ projecting :: "['c program => 'c set, 'a*'b => 'c, 'a program, 'c program set, 'a program set] => bool" "projecting C h F X' X == - \G. extend h F Join G \ X' --> F Join project h (C G) G \ X" + \G. extend h F\G \ X' --> F\project h (C G) G \ X" extending :: "['c program => 'c set, 'a*'b => 'c, 'a program, 'c program set, 'a program set] => bool" "extending C h F Y' Y == - \G. extend h F ok G --> F Join project h (C G) G \ Y - --> extend h F Join G \ Y'" + \G. extend h F ok G --> F\project h (C G) G \ Y + --> extend h F\G \ Y'" subset_closed :: "'a set set => bool" "subset_closed U == \A \ U. Pow A \ U" @@ -44,11 +44,11 @@ apply (blast dest: stable_constrains_Int intro: constrains_weaken) done -(*Generalizes project_constrains to the program F Join project h C G +(*Generalizes project_constrains to the program F\project h C G useful with guarantees reasoning*) lemma (in Extend) Join_project_constrains: - "(F Join project h C G \ A co B) = - (extend h F Join G \ (C \ extend_set h A) co (extend_set h B) & + "(F\project h C G \ A co B) = + (extend h F\G \ (C \ extend_set h A) co (extend_set h B) & F \ A co B)" apply (simp (no_asm) add: project_constrains) apply (blast intro: extend_constrains [THEN iffD2, THEN constrains_weaken] @@ -58,9 +58,9 @@ (*The condition is required to prove the left-to-right direction could weaken it to G \ (C \ extend_set h A) co C*) lemma (in Extend) Join_project_stable: - "extend h F Join G \ stable C - ==> (F Join project h C G \ stable A) = - (extend h F Join G \