# HG changeset patch # User wenzelm # Date 1464169858 -7200 # Node ID f1ecba0272f9bb6a2924276431e3bc68307d7176 # Parent 703edebd1d925381219bcf190342ed066c733a24 isabelle update_cartouches -c -t; diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp.thy --- a/src/HOL/UNITY/Comp.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp.thy Wed May 25 11:50:58 2016 +0200 @@ -8,7 +8,7 @@ Technical Report 2000-003, University of Florida, 2000. *) -section{*Composition: Basic Primitives*} +section\Composition: Basic Primitives\ theory Comp imports Union @@ -42,7 +42,7 @@ where "funPair f g == %x. (f x, g x)" -subsection{*The component relation*} +subsection\The component relation\ lemma componentI: "H \ F | H \ G ==> H \ (F\G)" apply (unfold component_def, auto) apply (rule_tac x = "G\Ga" in exI) @@ -115,7 +115,7 @@ lemmas program_less_le = strict_component_def -subsection{*The preserves property*} +subsection\The preserves property\ lemma preservesI: "(!!z. F \ stable {s. v s = z}) ==> F \ preserves v" by (unfold preserves_def, blast) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Alloc.thy --- a/src/HOL/UNITY/Comp/Alloc.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Alloc.thy Wed May 25 11:50:58 2016 +0200 @@ -9,55 +9,55 @@ imports AllocBase "../PPROD" begin -subsection{*State definitions. OUTPUT variables are locals*} +subsection\State definitions. OUTPUT variables are locals\ record clientState = - giv :: "nat list" --{*client's INPUT history: tokens GRANTED*} - ask :: "nat list" --{*client's OUTPUT history: tokens REQUESTED*} - rel :: "nat list" --{*client's OUTPUT history: tokens RELEASED*} + giv :: "nat list" \\client's INPUT history: tokens GRANTED\ + ask :: "nat list" \\client's OUTPUT history: tokens REQUESTED\ + rel :: "nat list" \\client's OUTPUT history: tokens RELEASED\ record 'a clientState_d = clientState + - dummy :: 'a --{*dummy field for new variables*} + dummy :: 'a \\dummy field for new variables\ definition - --{*DUPLICATED FROM Client.thy, but with "tok" removed*} - --{*Maybe want a special theory section to declare such maps*} + \\DUPLICATED FROM Client.thy, but with "tok" removed\ + \\Maybe want a special theory section to declare such maps\ non_dummy :: "'a clientState_d => clientState" where "non_dummy s = (|giv = giv s, ask = ask s, rel = rel s|)" definition - --{*Renaming map to put a Client into the standard form*} + \\Renaming map to put a Client into the standard form\ client_map :: "'a clientState_d => clientState*'a" where "client_map = funPair non_dummy dummy" record allocState = - allocGiv :: "nat => nat list" --{*OUTPUT history: source of "giv" for i*} - allocAsk :: "nat => nat list" --{*INPUT: allocator's copy of "ask" for i*} - allocRel :: "nat => nat list" --{*INPUT: allocator's copy of "rel" for i*} + allocGiv :: "nat => nat list" \\OUTPUT history: source of "giv" for i\ + allocAsk :: "nat => nat list" \\INPUT: allocator's copy of "ask" for i\ + allocRel :: "nat => nat list" \\INPUT: allocator's copy of "rel" for i\ record 'a allocState_d = allocState + - dummy :: 'a --{*dummy field for new variables*} + dummy :: 'a \\dummy field for new variables\ record 'a systemState = allocState + - client :: "nat => clientState" --{*states of all clients*} - dummy :: 'a --{*dummy field for new variables*} + client :: "nat => clientState" \\states of all clients\ + dummy :: 'a \\dummy field for new variables\ ---{** Resource allocation system specification **} +\\* Resource allocation system specification *\ definition - --{*spec (1)*} + \\spec (1)\ system_safety :: "'a systemState program set" where "system_safety = Always {s. (\i \ lessThan Nclients. (tokens o giv o sub i o client)s) \ NbT + (\i \ lessThan Nclients. (tokens o rel o sub i o client)s)}" definition - --{*spec (2)*} + \\spec (2)\ system_progress :: "'a systemState program set" where "system_progress = (INT i : lessThan Nclients. INT h. @@ -68,20 +68,20 @@ system_spec :: "'a systemState program set" where "system_spec = system_safety Int system_progress" ---{** Client specification (required) ***} +\\* Client specification (required) **\ definition - --{*spec (3)*} + \\spec (3)\ client_increasing :: "'a clientState_d program set" where "client_increasing = UNIV guarantees Increasing ask Int Increasing rel" definition - --{*spec (4)*} + \\spec (4)\ client_bounded :: "'a clientState_d program set" where "client_bounded = UNIV guarantees Always {s. ALL elt : set (ask s). elt \ NbT}" definition - --{*spec (5)*} + \\spec (5)\ client_progress :: "'a clientState_d program set" where "client_progress = Increasing giv guarantees @@ -89,12 +89,12 @@ LeadsTo {s. tokens h \ (tokens o rel) s})" definition - --{*spec: preserves part*} + \\spec: preserves part\ client_preserves :: "'a clientState_d program set" where "client_preserves = preserves giv Int preserves clientState_d.dummy" definition - --{*environmental constraints*} + \\environmental constraints\ client_allowed_acts :: "'a clientState_d program set" where "client_allowed_acts = {F. AllowedActs F = @@ -105,17 +105,17 @@ where "client_spec = client_increasing Int client_bounded Int client_progress Int client_allowed_acts Int client_preserves" ---{** Allocator specification (required) **} +\\* Allocator specification (required) *\ definition - --{*spec (6)*} + \\spec (6)\ alloc_increasing :: "'a allocState_d program set" where "alloc_increasing = UNIV guarantees (INT i : lessThan Nclients. Increasing (sub i o allocGiv))" definition - --{*spec (7)*} + \\spec (7)\ alloc_safety :: "'a allocState_d program set" where "alloc_safety = (INT i : lessThan Nclients. Increasing (sub i o allocRel)) @@ -124,7 +124,7 @@ \ NbT + (\i \ lessThan Nclients. (tokens o sub i o allocRel)s)}" definition - --{*spec (8)*} + \\spec (8)\ alloc_progress :: "'a allocState_d program set" where "alloc_progress = (INT i : lessThan Nclients. Increasing (sub i o allocAsk) Int @@ -151,13 +151,13 @@ looked at.*) definition - --{*spec: preserves part*} + \\spec: preserves part\ alloc_preserves :: "'a allocState_d program set" where "alloc_preserves = preserves allocRel Int preserves allocAsk Int preserves allocState_d.dummy" definition - --{*environmental constraints*} + \\environmental constraints\ alloc_allowed_acts :: "'a allocState_d program set" where "alloc_allowed_acts = {F. AllowedActs F = @@ -168,17 +168,17 @@ where "alloc_spec = alloc_increasing Int alloc_safety Int alloc_progress Int alloc_allowed_acts Int alloc_preserves" ---{** Network specification **} +\\* Network specification *\ definition - --{*spec (9.1)*} + \\spec (9.1)\ network_ask :: "'a systemState program set" where "network_ask = (INT i : lessThan Nclients. Increasing (ask o sub i o client) guarantees ((sub i o allocAsk) Fols (ask o sub i o client)))" definition - --{*spec (9.2)*} + \\spec (9.2)\ network_giv :: "'a systemState program set" where "network_giv = (INT i : lessThan Nclients. Increasing (sub i o allocGiv) @@ -186,7 +186,7 @@ ((giv o sub i o client) Fols (sub i o allocGiv)))" definition - --{*spec (9.3)*} + \\spec (9.3)\ network_rel :: "'a systemState program set" where "network_rel = (INT i : lessThan Nclients. Increasing (rel o sub i o client) @@ -194,7 +194,7 @@ ((sub i o allocRel) Fols (rel o sub i o client)))" definition - --{*spec: preserves part*} + \\spec: preserves part\ network_preserves :: "'a systemState program set" where "network_preserves = preserves allocGiv Int @@ -202,7 +202,7 @@ preserves (ask o sub i o client))" definition - --{*environmental constraints*} + \\environmental constraints\ network_allowed_acts :: "'a systemState program set" where "network_allowed_acts = {F. AllowedActs F = @@ -218,7 +218,7 @@ network_preserves" ---{** State mappings **} +\\* State mappings *\ definition sysOfAlloc :: "((nat => clientState) * 'a) allocState_d => 'a systemState" where "sysOfAlloc = (%s. let (cl,xtr) = allocState_d.dummy s @@ -300,7 +300,7 @@ bij_is_inj [THEN image_Int] bij_image_Collect_eq -ML {* +ML \ (*Splits up conjunctions & intersections: like CONJUNCTS in the HOL system*) fun list_of_Int th = (list_of_Int (th RS conjunct1) @ list_of_Int (th RS conjunct2)) @@ -308,11 +308,11 @@ handle THM _ => (list_of_Int (th RS @{thm INT_D})) handle THM _ => (list_of_Int (th RS bspec)) handle THM _ => [th]; -*} +\ lemmas lessThanBspec = lessThan_iff [THEN iffD2, THEN [2] bspec] -attribute_setup normalized = {* +attribute_setup normalized = \ let fun normalized th = normalized (th RS spec @@ -323,10 +323,10 @@ in Scan.succeed (Thm.rule_attribute [] (K normalized)) end -*} +\ (*** bijectivity of sysOfAlloc [MUST BE AUTOMATED] ***) -ML {* +ML \ fun record_auto_tac ctxt = let val ctxt' = ctxt addSWrapper Record.split_wrapper @@ -336,9 +336,9 @@ @{thm o_apply}, @{thm Let_def}] in auto_tac ctxt' end; -*} +\ -method_setup record_auto = {* Scan.succeed (SIMPLE_METHOD o record_auto_tac) *} +method_setup record_auto = \Scan.succeed (SIMPLE_METHOD o record_auto_tac)\ lemma inj_sysOfAlloc [iff]: "inj sysOfAlloc" apply (unfold sysOfAlloc_def Let_def) @@ -346,7 +346,7 @@ apply record_auto done -text{*We need the inverse; also having it simplifies the proof of surjectivity*} +text\We need the inverse; also having it simplifies the proof of surjectivity\ lemma inv_sysOfAlloc_eq [simp]: "!!s. inv sysOfAlloc s = (| allocGiv = allocGiv s, allocAsk = allocAsk s, @@ -366,7 +366,7 @@ done -subsubsection{*bijectivity of @{term sysOfClient}*} +subsubsection\bijectivity of @{term sysOfClient}\ lemma inj_sysOfClient [iff]: "inj sysOfClient" apply (unfold sysOfClient_def) @@ -394,7 +394,7 @@ done -subsubsection{*bijectivity of @{term client_map}*} +subsubsection\bijectivity of @{term client_map}\ lemma inj_client_map [iff]: "inj client_map" apply (unfold inj_on_def) @@ -418,14 +418,14 @@ done -text{*o-simprules for @{term client_map}*} +text\o-simprules for @{term client_map}\ lemma fst_o_client_map: "fst o client_map = non_dummy" apply (unfold client_map_def) apply (rule fst_o_funPair) done -ML {* ML_Thms.bind_thms ("fst_o_client_map'", make_o_equivs @{context} @{thm fst_o_client_map}) *} +ML \ML_Thms.bind_thms ("fst_o_client_map'", make_o_equivs @{context} @{thm fst_o_client_map})\ declare fst_o_client_map' [simp] lemma snd_o_client_map: "snd o client_map = clientState_d.dummy" @@ -433,90 +433,90 @@ apply (rule snd_o_funPair) done -ML {* ML_Thms.bind_thms ("snd_o_client_map'", make_o_equivs @{context} @{thm snd_o_client_map}) *} +ML \ML_Thms.bind_thms ("snd_o_client_map'", make_o_equivs @{context} @{thm snd_o_client_map})\ declare snd_o_client_map' [simp] -subsection{*o-simprules for @{term sysOfAlloc} [MUST BE AUTOMATED]*} +subsection\o-simprules for @{term sysOfAlloc} [MUST BE AUTOMATED]\ lemma client_o_sysOfAlloc: "client o sysOfAlloc = fst o allocState_d.dummy " apply record_auto done -ML {* ML_Thms.bind_thms ("client_o_sysOfAlloc'", make_o_equivs @{context} @{thm client_o_sysOfAlloc}) *} +ML \ML_Thms.bind_thms ("client_o_sysOfAlloc'", make_o_equivs @{context} @{thm client_o_sysOfAlloc})\ declare client_o_sysOfAlloc' [simp] lemma allocGiv_o_sysOfAlloc_eq: "allocGiv o sysOfAlloc = allocGiv" apply record_auto done -ML {* ML_Thms.bind_thms ("allocGiv_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocGiv_o_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocGiv_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocGiv_o_sysOfAlloc_eq})\ declare allocGiv_o_sysOfAlloc_eq' [simp] lemma allocAsk_o_sysOfAlloc_eq: "allocAsk o sysOfAlloc = allocAsk" apply record_auto done -ML {* ML_Thms.bind_thms ("allocAsk_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocAsk_o_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocAsk_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocAsk_o_sysOfAlloc_eq})\ declare allocAsk_o_sysOfAlloc_eq' [simp] lemma allocRel_o_sysOfAlloc_eq: "allocRel o sysOfAlloc = allocRel" apply record_auto done -ML {* ML_Thms.bind_thms ("allocRel_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocRel_o_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocRel_o_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocRel_o_sysOfAlloc_eq})\ declare allocRel_o_sysOfAlloc_eq' [simp] -subsection{* o-simprules for @{term sysOfClient} [MUST BE AUTOMATED]*} +subsection\o-simprules for @{term sysOfClient} [MUST BE AUTOMATED]\ lemma client_o_sysOfClient: "client o sysOfClient = fst" apply record_auto done -ML {* ML_Thms.bind_thms ("client_o_sysOfClient'", make_o_equivs @{context} @{thm client_o_sysOfClient}) *} +ML \ML_Thms.bind_thms ("client_o_sysOfClient'", make_o_equivs @{context} @{thm client_o_sysOfClient})\ declare client_o_sysOfClient' [simp] lemma allocGiv_o_sysOfClient_eq: "allocGiv o sysOfClient = allocGiv o snd " apply record_auto done -ML {* ML_Thms.bind_thms ("allocGiv_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocGiv_o_sysOfClient_eq}) *} +ML \ML_Thms.bind_thms ("allocGiv_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocGiv_o_sysOfClient_eq})\ declare allocGiv_o_sysOfClient_eq' [simp] lemma allocAsk_o_sysOfClient_eq: "allocAsk o sysOfClient = allocAsk o snd " apply record_auto done -ML {* ML_Thms.bind_thms ("allocAsk_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocAsk_o_sysOfClient_eq}) *} +ML \ML_Thms.bind_thms ("allocAsk_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocAsk_o_sysOfClient_eq})\ declare allocAsk_o_sysOfClient_eq' [simp] lemma allocRel_o_sysOfClient_eq: "allocRel o sysOfClient = allocRel o snd " apply record_auto done -ML {* ML_Thms.bind_thms ("allocRel_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocRel_o_sysOfClient_eq}) *} +ML \ML_Thms.bind_thms ("allocRel_o_sysOfClient_eq'", make_o_equivs @{context} @{thm allocRel_o_sysOfClient_eq})\ declare allocRel_o_sysOfClient_eq' [simp] lemma allocGiv_o_inv_sysOfAlloc_eq: "allocGiv o inv sysOfAlloc = allocGiv" apply (simp add: o_def) done -ML {* ML_Thms.bind_thms ("allocGiv_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocGiv_o_inv_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocGiv_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocGiv_o_inv_sysOfAlloc_eq})\ declare allocGiv_o_inv_sysOfAlloc_eq' [simp] lemma allocAsk_o_inv_sysOfAlloc_eq: "allocAsk o inv sysOfAlloc = allocAsk" apply (simp add: o_def) done -ML {* ML_Thms.bind_thms ("allocAsk_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocAsk_o_inv_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocAsk_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocAsk_o_inv_sysOfAlloc_eq})\ declare allocAsk_o_inv_sysOfAlloc_eq' [simp] lemma allocRel_o_inv_sysOfAlloc_eq: "allocRel o inv sysOfAlloc = allocRel" apply (simp add: o_def) done -ML {* ML_Thms.bind_thms ("allocRel_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocRel_o_inv_sysOfAlloc_eq}) *} +ML \ML_Thms.bind_thms ("allocRel_o_inv_sysOfAlloc_eq'", make_o_equivs @{context} @{thm allocRel_o_inv_sysOfAlloc_eq})\ declare allocRel_o_inv_sysOfAlloc_eq' [simp] lemma rel_inv_client_map_drop_map: "(rel o inv client_map o drop_map i o inv sysOfClient) = @@ -524,7 +524,7 @@ apply (simp add: o_def drop_map_def) done -ML {* ML_Thms.bind_thms ("rel_inv_client_map_drop_map'", make_o_equivs @{context} @{thm rel_inv_client_map_drop_map}) *} +ML \ML_Thms.bind_thms ("rel_inv_client_map_drop_map'", make_o_equivs @{context} @{thm rel_inv_client_map_drop_map})\ declare rel_inv_client_map_drop_map [simp] lemma ask_inv_client_map_drop_map: "(ask o inv client_map o drop_map i o inv sysOfClient) = @@ -532,17 +532,17 @@ apply (simp add: o_def drop_map_def) done -ML {* ML_Thms.bind_thms ("ask_inv_client_map_drop_map'", make_o_equivs @{context} @{thm ask_inv_client_map_drop_map}) *} +ML \ML_Thms.bind_thms ("ask_inv_client_map_drop_map'", make_o_equivs @{context} @{thm ask_inv_client_map_drop_map})\ declare ask_inv_client_map_drop_map [simp] -text{*Client : *} +text\Client : \ lemmas client_spec_simps = client_spec_def client_increasing_def client_bounded_def client_progress_def client_allowed_acts_def client_preserves_def guarantees_Int_right -ML {* +ML \ val [Client_Increasing_ask, Client_Increasing_rel, Client_Bounded, Client_Progress, Client_AllowedActs, Client_preserves_giv, Client_preserves_dummy] = @@ -556,7 +556,7 @@ ML_Thms.bind_thm ("Client_AllowedActs", Client_AllowedActs); ML_Thms.bind_thm ("Client_preserves_giv", Client_preserves_giv); ML_Thms.bind_thm ("Client_preserves_dummy", Client_preserves_dummy); -*} +\ declare Client_Increasing_ask [iff] @@ -566,13 +566,13 @@ Client_preserves_dummy [iff] -text{*Network : *} +text\Network : \ lemmas network_spec_simps = network_spec_def network_ask_def network_giv_def network_rel_def network_allowed_acts_def network_preserves_def ball_conj_distrib -ML {* +ML \ val [Network_Ask, Network_Giv, Network_Rel, Network_AllowedActs, Network_preserves_allocGiv, Network_preserves_rel, Network_preserves_ask] = @@ -586,7 +586,7 @@ ML_Thms.bind_thm ("Network_preserves_allocGiv", Network_preserves_allocGiv); ML_Thms.bind_thm ("Network_preserves_rel", Network_preserves_rel); ML_Thms.bind_thm ("Network_preserves_ask", Network_preserves_ask); -*} +\ declare Network_preserves_allocGiv [iff] @@ -598,12 +598,12 @@ Network_preserves_rel [simplified o_def, simp] Network_preserves_ask [simplified o_def, simp] -text{*Alloc : *} +text\Alloc : \ lemmas alloc_spec_simps = alloc_spec_def alloc_increasing_def alloc_safety_def alloc_progress_def alloc_allowed_acts_def alloc_preserves_def -ML {* +ML \ val [Alloc_Increasing_0, Alloc_Safety, Alloc_Progress, Alloc_AllowedActs, Alloc_preserves_allocRel, Alloc_preserves_allocAsk, Alloc_preserves_dummy] = @@ -617,9 +617,9 @@ ML_Thms.bind_thm ("Alloc_preserves_allocRel", Alloc_preserves_allocRel); ML_Thms.bind_thm ("Alloc_preserves_allocAsk", Alloc_preserves_allocAsk); ML_Thms.bind_thm ("Alloc_preserves_dummy", Alloc_preserves_dummy); -*} +\ -text{*Strip off the INT in the guarantees postcondition*} +text\Strip off the INT in the guarantees postcondition\ lemmas Alloc_Increasing = Alloc_Increasing_0 [normalized] @@ -629,7 +629,7 @@ Alloc_preserves_dummy [iff] -subsection{*Components Lemmas [MUST BE AUTOMATED]*} +subsection\Components Lemmas [MUST BE AUTOMATED]\ lemma Network_component_System: "Network \ ((rename sysOfClient @@ -654,7 +654,7 @@ Alloc_component_System [iff] -text{** These preservation laws should be generated automatically **} +text\* These preservation laws should be generated automatically *\ lemma Client_Allowed [simp]: "Allowed Client = preserves rel Int preserves ask" by (auto simp add: Allowed_def Client_AllowedActs safety_prop_Acts_iff) @@ -667,7 +667,7 @@ lemma Alloc_Allowed [simp]: "Allowed Alloc = preserves allocGiv" by (auto simp add: Allowed_def Alloc_AllowedActs safety_prop_Acts_iff) -text{*needed in @{text rename_client_map_tac}*} +text\needed in \rename_client_map_tac\\ lemma OK_lift_rename_Client [simp]: "OK I (%i. lift i (rename client_map Client))" apply (rule OK_lift_I) apply auto @@ -708,7 +708,7 @@ ad-hoc! *) ML -{* +\ fun rename_client_map_tac ctxt = EVERY [ simp_tac (ctxt addsimps [@{thm rename_guarantees_eq_rename_inv}]) 1, @@ -724,13 +724,13 @@ @{thm inv_inv_eq}]) 1, asm_simp_tac (ctxt addsimps [@{thm o_def}, @{thm non_dummy_def}, @{thm guarantees_Int_right}]) 1] -*} +\ -method_setup rename_client_map = {* +method_setup rename_client_map = \ Scan.succeed (fn ctxt => SIMPLE_METHOD (rename_client_map_tac ctxt)) -*} +\ -text{*Lifting @{text Client_Increasing} to @{term systemState}*} +text\Lifting \Client_Increasing\ to @{term systemState}\ lemma rename_Client_Increasing: "i : I ==> rename sysOfClient (plam x: I. rename client_map Client) : UNIV guarantees @@ -772,8 +772,8 @@ rename_sysOfClient_ok_Alloc [iff] rename_sysOfAlloc_ok_Network [iff] -text{*The "ok" laws, re-oriented. - But not sure this works: theorem @{text ok_commute} is needed below*} +text\The "ok" laws, re-oriented. + But not sure this works: theorem \ok_commute\ is needed below\ declare rename_sysOfClient_ok_Network [THEN ok_sym, iff] rename_sysOfClient_ok_Alloc [THEN ok_sym, iff] @@ -807,15 +807,15 @@ done -ML {* +ML \ ML_Thms.bind_thms ("System_Increasing'", list_of_Int @{thm System_Increasing}) -*} +\ declare System_Increasing' [intro!] -text{* Follows consequences. +text\Follows consequences. The "Always (INT ...) formulation expresses the general safety property - and allows it to be combined using @{text Always_Int_rule} below. *} + and allows it to be combined using \Always_Int_rule\ below.\ lemma System_Follows_rel: "i < Nclients ==> System : ((sub i o allocRel) Fols (rel o sub i o client))" @@ -857,11 +857,11 @@ by (auto intro!: Follows_Bounded System_Follows_rel) -subsection{*Proof of the safety property (1)*} +subsection\Proof of the safety property (1)\ -text{*safety (1), step 1 is @{text System_Follows_rel}*} +text\safety (1), step 1 is \System_Follows_rel\\ -text{*safety (1), step 2*} +text\safety (1), step 2\ (* i < Nclients ==> System : Increasing (sub i o allocRel) *) lemmas System_Increasing_allocRel = System_Follows_rel [THEN Follows_Increasing1] @@ -869,7 +869,7 @@ Simplifying with o_def gets rid of the translations but it unfortunately gets rid of the other "o"s too.*) -text{*safety (1), step 3*} +text\safety (1), step 3\ lemma System_sum_bounded: "System : Always {s. (\i \ lessThan Nclients. (tokens o sub i o allocGiv) s) \ NbT + (\i \ lessThan Nclients. (tokens o sub i o allocRel) s)}" @@ -880,7 +880,7 @@ apply (auto simp add: System_Increasing_allocRel [simplified sub_apply o_def]) done -text{* Follows reasoning*} +text\Follows reasoning\ lemma Always_tokens_giv_le_allocGiv: "System : Always (INT i: lessThan Nclients. {s. (tokens o giv o sub i o client) s @@ -896,12 +896,12 @@ apply (auto intro: tokens_mono_prefix simp add: o_apply) done -text{*safety (1), step 4 (final result!) *} +text\safety (1), step 4 (final result!)\ theorem System_safety: "System : system_safety" apply (unfold system_safety_def) - apply (tactic {* resolve_tac @{context} [Always_Int_rule [@{thm System_sum_bounded}, + apply (tactic \resolve_tac @{context} [Always_Int_rule [@{thm System_sum_bounded}, @{thm Always_tokens_giv_le_allocGiv}, @{thm Always_tokens_allocRel_le_rel}] RS - @{thm Always_weaken}] 1 *}) + @{thm Always_weaken}] 1\) apply auto apply (rule setsum_fun_mono [THEN order_trans]) apply (drule_tac [2] order_trans) @@ -910,16 +910,16 @@ apply auto done -subsection {* Proof of the progress property (2) *} +subsection \Proof of the progress property (2)\ -text{*progress (2), step 1 is @{text System_Follows_ask} and - @{text System_Follows_rel}*} +text\progress (2), step 1 is \System_Follows_ask\ and + \System_Follows_rel\\ -text{*progress (2), step 2; see also @{text System_Increasing_allocRel}*} +text\progress (2), step 2; see also \System_Increasing_allocRel\\ (* i < Nclients ==> System : Increasing (sub i o allocAsk) *) lemmas System_Increasing_allocAsk = System_Follows_ask [THEN Follows_Increasing1] -text{*progress (2), step 3: lifting @{text Client_Bounded} to systemState*} +text\progress (2), step 3: lifting \Client_Bounded\ to systemState\ lemma rename_Client_Bounded: "i : I ==> rename sysOfClient (plam x: I. rename client_map Client) : UNIV guarantees @@ -938,18 +938,18 @@ apply blast done -text{*progress (2), step 4*} +text\progress (2), step 4\ lemma System_Bounded_allocAsk: "System : Always {s. ALL i NbT}" apply (auto simp add: Collect_all_imp_eq) - apply (tactic {* resolve_tac @{context} [Always_Int_rule [@{thm Always_allocAsk_le_ask}, - @{thm System_Bounded_ask}] RS @{thm Always_weaken}] 1 *}) + apply (tactic \resolve_tac @{context} [Always_Int_rule [@{thm Always_allocAsk_le_ask}, + @{thm System_Bounded_ask}] RS @{thm Always_weaken}] 1\) apply (auto dest: set_mono) done -text{*progress (2), step 5 is @{text System_Increasing_allocGiv}*} +text\progress (2), step 5 is \System_Increasing_allocGiv\\ -text{*progress (2), step 6*} +text\progress (2), step 6\ (* i < Nclients ==> System : Increasing (giv o sub i o client) *) lemmas System_Increasing_giv = System_Follows_allocGiv [THEN Follows_Increasing1] @@ -966,7 +966,7 @@ done -text{*progress (2), step 7*} +text\progress (2), step 7\ lemma System_Client_Progress: "System : (INT i : (lessThan Nclients). INT h. {s. h \ (giv o sub i o client) s & @@ -1007,7 +1007,7 @@ done -text{*progress (2), step 8: Client i's "release" action is visible system-wide*} +text\progress (2), step 8: Client i's "release" action is visible system-wide\ lemma System_Alloc_Client_Progress: "i < Nclients ==> System : {s. h \ (sub i o allocGiv) s & h pfixGe (sub i o allocAsk) s} @@ -1025,9 +1025,9 @@ apply (erule System_lemma3) done -text{*Lifting @{text Alloc_Progress} up to the level of systemState*} +text\Lifting \Alloc_Progress\ up to the level of systemState\ -text{*progress (2), step 9*} +text\progress (2), step 9\ lemma System_Alloc_Progress: "System : (INT i : (lessThan Nclients). INT h. {s. h \ (sub i o allocAsk) s} @@ -1043,7 +1043,7 @@ System_Alloc_Client_Progress [simplified sub_apply o_def]) done -text{*progress (2), step 10 (final result!) *} +text\progress (2), step 10 (final result!)\ lemma System_Progress: "System : system_progress" apply (unfold system_progress_def) apply (cut_tac System_Alloc_Progress) @@ -1060,7 +1060,7 @@ done -text{* Some obsolete lemmas *} +text\Some obsolete lemmas\ lemma non_dummy_eq_o_funPair: "non_dummy = (% (g,a,r). (| giv = g, ask = a, rel = r |)) o (funPair giv (funPair ask rel))" @@ -1078,7 +1078,7 @@ apply (auto simp add: o_def) done -text{*Could go to Extend.ML*} +text\Could go to Extend.ML\ lemma bij_fst_inv_inv_eq: "bij f ==> fst (inv (%(x, u). inv f x) z) = f z" apply (rule fst_inv_equalityI) apply (rule_tac f = "%z. (f z, h z)" for h in surjI) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/AllocBase.thy --- a/src/HOL/UNITY/Comp/AllocBase.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/AllocBase.thy Wed May 25 11:50:58 2016 +0200 @@ -3,7 +3,7 @@ Copyright 1998 University of Cambridge *) -section{*Common Declarations for Chandy and Charpentier's Allocator*} +section\Common Declarations for Chandy and Charpentier's Allocator\ theory AllocBase imports "../UNITY_Main" "~~/src/HOL/Library/Multiset_Order" begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/AllocImpl.thy --- a/src/HOL/UNITY/Comp/AllocImpl.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/AllocImpl.thy Wed May 25 11:50:58 2016 +0200 @@ -3,7 +3,7 @@ Copyright 1998 University of Cambridge *) -section{*Implementation of a multiple-client allocator from a single-client allocator*} +section\Implementation of a multiple-client allocator from a single-client allocator\ theory AllocImpl imports AllocBase "../Follows" "../PPROD" begin @@ -238,7 +238,7 @@ declare o_apply [simp del] -subsection{*Theorems for Merge*} +subsection\Theorems for Merge\ context Merge begin @@ -307,7 +307,7 @@ end -subsection{*Theorems for Distributor*} +subsection\Theorems for Distributor\ context Distrib begin @@ -371,7 +371,7 @@ end -subsection{*Theorems for Allocator*} +subsection\Theorems for Allocator\ lemma alloc_refinement_lemma: "!!f::nat=>nat. (\i \ lessThan n. {s. f i \ g i s}) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Client.thy --- a/src/HOL/UNITY/Comp/Client.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Client.thy Wed May 25 11:50:58 2016 +0200 @@ -3,22 +3,22 @@ Copyright 1998 University of Cambridge *) -section{*Distributed Resource Management System: the Client*} +section\Distributed Resource Management System: the Client\ theory Client imports "../Rename" AllocBase begin type_synonym - tokbag = nat --{*tokbags could be multisets...or any ordered type?*} + tokbag = nat \\tokbags could be multisets...or any ordered type?\ record state = - giv :: "tokbag list" --{*input history: tokens granted*} - ask :: "tokbag list" --{*output history: tokens requested*} - rel :: "tokbag list" --{*output history: tokens released*} - tok :: tokbag --{*current token request*} + giv :: "tokbag list" \\input history: tokens granted\ + ask :: "tokbag list" \\output history: tokens requested\ + rel :: "tokbag list" \\output history: tokens released\ + tok :: tokbag \\current token request\ record 'a state_d = state + - dummy :: 'a --{*new variables*} + dummy :: 'a \\new variables\ (*Array indexing is translated to list indexing as A[n] == A!(n-1). *) @@ -82,7 +82,7 @@ by (auto simp add: ok_iff_Allowed Client_def [THEN def_total_prg_Allowed]) -text{*Safety property 1: ask, rel are increasing*} +text\Safety property 1: ask, rel are increasing\ lemma increasing_ask_rel: "Client \ UNIV guarantees Increasing ask Int Increasing rel" apply (auto intro!: increasing_imp_Increasing simp add: guar_def preserves_subset_increasing [THEN subsetD]) @@ -93,9 +93,9 @@ declare nth_append [simp] append_one_prefix [simp] -text{*Safety property 2: the client never requests too many tokens. +text\Safety property 2: the client never requests too many tokens. With no Substitution Axiom, we must prove the two invariants - simultaneously. *} + simultaneously.\ lemma ask_bounded_lemma: "Client ok G ==> Client \ G \ @@ -109,8 +109,8 @@ apply (cut_tac m = "tok s" in NbT_pos [THEN mod_less_divisor], auto) done -text{*export version, with no mention of tok in the postcondition, but - unfortunately tok must be declared local.*} +text\export version, with no mention of tok in the postcondition, but + unfortunately tok must be declared local.\ lemma ask_bounded: "Client \ UNIV guarantees Always {s. \elt \ set (ask s). elt \ NbT}" apply (rule guaranteesI) @@ -119,7 +119,7 @@ done -text{*** Towards proving the liveness property ***} +text\** Towards proving the liveness property **\ lemma stable_rel_le_giv: "Client \ stable {s. rel s \ giv s}" by (simp add: Client_def, safety, auto) @@ -189,7 +189,7 @@ apply (blast intro: order_less_le [THEN iffD2] dest: common_prefix_linear) done -text{*Progress property: all tokens that are given will be released*} +text\Progress property: all tokens that are given will be released\ lemma client_progress: "Client \ Increasing giv guarantees @@ -198,19 +198,19 @@ apply (blast intro: client_progress_lemma) done -text{*This shows that the Client won't alter other variables in any state - that it is combined with*} +text\This shows that the Client won't alter other variables in any state + that it is combined with\ lemma client_preserves_dummy: "Client \ preserves dummy" by (simp add: Client_def preserves_def, clarify, safety, auto) -text{** Obsolete lemmas from first version of the Client **} +text\* Obsolete lemmas from first version of the Client *\ lemma stable_size_rel_le_giv: "Client \ stable {s. size (rel s) \ size (giv s)}" by (simp add: Client_def, safety, auto) -text{*clients return the right number of tokens*} +text\clients return the right number of tokens\ lemma ok_guar_rel_prefix_giv: "Client \ Increasing giv guarantees Always {s. rel s \ giv s}" apply (rule guaranteesI) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Counter.thy --- a/src/HOL/UNITY/Comp/Counter.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Counter.thy Wed May 25 11:50:58 2016 +0200 @@ -8,7 +8,7 @@ Springer LNCS 1586 (1999), pages 1215-1227. *) -section{*A Family of Similar Counters: Original Version*} +section\A Family of Similar Counters: Original Version\ theory Counter imports "../UNITY_Main" begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Counterc.thy --- a/src/HOL/UNITY/Comp/Counterc.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Counterc.thy Wed May 25 11:50:58 2016 +0200 @@ -11,7 +11,7 @@ Spriner LNCS 1586 (1999), pages 1215-1227. *) -section{*A Family of Similar Counters: Version with Compatibility*} +section\A Family of Similar Counters: Version with Compatibility\ theory Counterc imports "../UNITY_Main" begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Priority.thy --- a/src/HOL/UNITY/Comp/Priority.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Priority.thy Wed May 25 11:50:58 2016 +0200 @@ -3,41 +3,41 @@ Copyright 2001 University of Cambridge *) -section{*The priority system*} +section\The priority system\ theory Priority imports PriorityAux begin -text{*From Charpentier and Chandy, +text\From Charpentier and Chandy, Examples of Program Composition Illustrating the Use of Universal Properties In J. Rolim (editor), Parallel and Distributed Processing, - Spriner LNCS 1586 (1999), pages 1215-1227.*} + Spriner LNCS 1586 (1999), pages 1215-1227.\ type_synonym state = "(vertex*vertex)set" type_synonym command = "vertex=>(state*state)set" consts init :: "(vertex*vertex)set" - --{* the initial state *} + \\the initial state\ -text{*Following the definitions given in section 4.4 *} +text\Following the definitions given in section 4.4\ definition highest :: "[vertex, (vertex*vertex)set]=>bool" where "highest i r \ A i r = {}" - --{* i has highest priority in r *} + \\i has highest priority in r\ definition lowest :: "[vertex, (vertex*vertex)set]=>bool" where "lowest i r \ R i r = {}" - --{* i has lowest priority in r *} + \\i has lowest priority in r\ definition act :: command where "act i = {(s, s'). s'=reverse i s & highest i s}" definition Component :: "vertex=>state program" where "Component i = mk_total_program({init}, {act i}, UNIV)" - --{* All components start with the same initial state *} + \\All components start with the same initial state\ -text{*Some Abbreviations *} +text\Some Abbreviations\ definition Highest :: "vertex=>state set" where "Highest i = {s. highest i s}" @@ -49,11 +49,11 @@ definition Maximal :: "state set" - --{* Every ``above'' set has a maximal vertex*} + \\Every ``above'' set has a maximal vertex\ where "Maximal = (\i. {s. ~highest i s-->(\j \ above i s. highest j s)})" definition Maximal' :: "state set" - --{* Maximal vertex: equivalent definition*} + \\Maximal vertex: equivalent definition\ where "Maximal' = (\i. Highest i Un (\j. {s. j \ above i s} Int Highest j))" @@ -77,18 +77,18 @@ -subsection{*Component correctness proofs*} +subsection\Component correctness proofs\ -text{* neighbors is stable *} +text\neighbors is stable\ lemma Component_neighbors_stable: "Component i \ stable {s. neighbors k s = n}" by (simp add: Component_def, safety, auto) -text{* property 4 *} +text\property 4\ lemma Component_waits_priority: "Component i: {s. ((i,j):s) = b} Int (- Highest i) co {s. ((i,j):s)=b}" by (simp add: Component_def, safety) -text{* property 5: charpentier and Chandy mistakenly express it as - 'transient Highest i'. Consider the case where i has neighbors *} +text\property 5: charpentier and Chandy mistakenly express it as + 'transient Highest i'. Consider the case where i has neighbors\ lemma Component_yields_priority: "Component i: {s. neighbors i s \ {}} Int Highest i ensures - Highest i" @@ -96,23 +96,23 @@ apply (ensures_tac "act i", blast+) done -text{* or better *} +text\or better\ lemma Component_yields_priority': "Component i \ Highest i ensures Lowest i" apply (simp add: Component_def) apply (ensures_tac "act i", blast+) done -text{* property 6: Component doesn't introduce cycle *} +text\property 6: Component doesn't introduce cycle\ lemma Component_well_behaves: "Component i \ Highest i co Highest i Un Lowest i" by (simp add: Component_def, safety, fast) -text{* property 7: local axiom *} +text\property 7: local axiom\ lemma locality: "Component i \ stable {s. \j k. j\i & k\i--> ((j,k):s) = b j k}" by (simp add: Component_def, safety) -subsection{*System properties*} -text{* property 8: strictly universal *} +subsection\System properties\ +text\property 8: strictly universal\ lemma Safety: "system \ stable Safety" apply (unfold Safety_def) @@ -120,12 +120,12 @@ apply (simp add: system_def, safety, fast) done -text{* property 13: universal *} +text\property 13: universal\ lemma p13: "system \ {s. s = q} co {s. s=q} Un {s. \i. derive i q s}" by (simp add: system_def Component_def mk_total_program_def totalize_JN, safety, blast) -text{* property 14: the 'above set' of a Component that hasn't got - priority doesn't increase *} +text\property 14: the 'above set' of a Component that hasn't got + priority doesn't increase\ lemma above_not_increase: "system \ -Highest i Int {s. j\above i s} co {s. j\above i s}" apply (insert reach_lemma [of concl: j]) @@ -142,7 +142,7 @@ -text{* p15: universal property: all Components well behave *} +text\p15: universal property: all Components well behave\ lemma system_well_behaves: "system \ Highest i co Highest i Un Lowest i" by (simp add: system_def Component_def mk_total_program_def totalize_JN, safety, auto) @@ -166,23 +166,23 @@ apply (drule above_lemma_b, auto) done -text{* property 17: original one is an invariant *} +text\property 17: original one is an invariant\ lemma Acyclic_Maximal_stable: "system \ stable (Acyclic Int Maximal)" by (simp add: Acyclic_subset_Maximal [THEN Int_absorb2] Acyclic_stable) -text{* property 5: existential property *} +text\property 5: existential property\ lemma Highest_leadsTo_Lowest: "system \ Highest i leadsTo Lowest i" apply (simp add: system_def Component_def mk_total_program_def totalize_JN) apply (ensures_tac "act i", auto) done -text{* a lowest i can never be in any abover set *} +text\a lowest i can never be in any abover set\ lemma Lowest_above_subset: "Lowest i <= (\k. {s. i\above k s})" by (auto simp add: image0_r_iff_image0_trancl trancl_converse) -text{* property 18: a simpler proof than the original, one which uses psp *} +text\property 18: a simpler proof than the original, one which uses psp\ lemma Highest_escapes_above: "system \ Highest i leadsTo (\k. {s. i\above k s})" apply (rule leadsTo_weaken_R) apply (rule_tac [2] Lowest_above_subset) @@ -193,9 +193,9 @@ "system \ Highest j Int {s. j \ above i s} leadsTo {s. j\above i s}" by (blast intro: leadsTo_weaken [OF Highest_escapes_above Int_lower1 INT_lower]) -subsection{*The main result: above set decreases*} +subsection\The main result: above set decreases\ -text{* The original proof of the following formula was wrong *} +text\The original proof of the following formula was wrong\ lemma Highest_iff_above0: "Highest i = {s. above i s ={}}" by (auto simp add: image0_trancl_iff_image0_r) @@ -253,10 +253,10 @@ done -text{*We have proved all (relevant) theorems given in the paper. We didn't +text\We have proved all (relevant) theorems given in the paper. We didn't assume any thing about the relation @{term r}. It is not necessary that @{term r} be a priority relation as assumed in the original proof. It -suffices that we start from a state which is finite and acyclic.*} +suffices that we start from a state which is finite and acyclic.\ end diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/PriorityAux.thy --- a/src/HOL/UNITY/Comp/PriorityAux.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/PriorityAux.thy Wed May 25 11:50:58 2016 +0200 @@ -13,11 +13,11 @@ definition symcl :: "(vertex*vertex)set=>(vertex*vertex)set" where "symcl r == r \ (r^-1)" - --{* symmetric closure: removes the orientation of a relation*} + \\symmetric closure: removes the orientation of a relation\ definition neighbors :: "[vertex, (vertex*vertex)set]=>vertex set" where "neighbors i r == ((r \ r^-1)``{i}) - {i}" - --{* Neighbors of a vertex i *} + \\Neighbors of a vertex i\ definition R :: "[vertex, (vertex*vertex)set]=>vertex set" where "R i r == r``{i}" @@ -27,7 +27,7 @@ definition reach :: "[vertex, (vertex*vertex)set]=> vertex set" where "reach i r == (r^+)``{i}" - --{* reachable and above vertices: the original notation was R* and A* *} + \\reachable and above vertices: the original notation was R* and A*\ definition above :: "[vertex, (vertex*vertex)set]=> vertex set" where "above i r == ((r^-1)^+)``{i}" @@ -36,28 +36,28 @@ "reverse i r == (r - {(x,y). x=i | y=i} \ r) \ ({(x,y). x=i|y=i} \ r)^-1" definition derive1 :: "[vertex, (vertex*vertex)set, (vertex*vertex)set]=>bool" where - --{* The original definition *} + \\The original definition\ "derive1 i r q == symcl r = symcl q & (\k k'. k\i & k'\i -->((k,k'):r) = ((k,k'):q)) & A i r = {} & R i q = {}" definition derive :: "[vertex, (vertex*vertex)set, (vertex*vertex)set]=>bool" where - --{* Our alternative definition *} + \\Our alternative definition\ "derive i r q == A i r = {} & (q = reverse i r)" axiomatization where finite_vertex_univ: "finite (UNIV :: vertex set)" - --{* we assume that the universe of vertices is finite *} + \\we assume that the universe of vertices is finite\ declare derive_def [simp] derive1_def [simp] symcl_def [simp] A_def [simp] R_def [simp] above_def [simp] reach_def [simp] reverse_def [simp] neighbors_def [simp] -text{*All vertex sets are finite*} +text\All vertex sets are finite\ declare finite_subset [OF subset_UNIV finite_vertex_univ, iff] -text{* and relatons over vertex are finite too *} +text\and relatons over vertex are finite too\ lemmas finite_UNIV_Prod = finite_Prod_UNIV [OF finite_vertex_univ finite_vertex_univ] diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Comp/Progress.thy --- a/src/HOL/UNITY/Comp/Progress.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Comp/Progress.thy Wed May 25 11:50:58 2016 +0200 @@ -5,12 +5,12 @@ David Meier's thesis *) -section{*Progress Set Examples*} +section\Progress Set Examples\ theory Progress imports "../UNITY_Main" begin -subsection {*The Composition of Two Single-Assignment Programs*} -text{*Thesis Section 4.4.2*} +subsection \The Composition of Two Single-Assignment Programs\ +text\Thesis Section 4.4.2\ definition FF :: "int program" where "FF = mk_total_program (UNIV, {range (\x. (x, x+1))}, UNIV)" @@ -18,7 +18,7 @@ definition GG :: "int program" where "GG = mk_total_program (UNIV, {range (\x. (x, 2*x))}, UNIV)" -subsubsection {*Calculating @{term "wens_set FF (atLeast k)"}*} +subsubsection \Calculating @{term "wens_set FF (atLeast k)"}\ lemma Domain_actFF: "Domain (range (\x::int. (x, x + 1))) = UNIV" by force @@ -62,7 +62,7 @@ apply (simp add: wens_single_finite_FF) done -subsubsection {*Proving @{term "FF \ UNIV leadsTo atLeast (k::int)"}*} +subsubsection \Proving @{term "FF \ UNIV leadsTo atLeast (k::int)"}\ lemma atLeast_ensures: "FF \ atLeast (k - 1) ensures atLeast (k::int)" apply (simp add: Progress.wens_FF [symmetric] wens_ensures) @@ -86,7 +86,7 @@ apply (rule leadsTo_UN [OF atLeast_leadsTo]) done -text{*Result (4.39): Applying the leadsTo-Join Theorem*} +text\Result (4.39): Applying the leadsTo-Join Theorem\ theorem "FF\GG \ atLeast 0 leadsTo atLeast (k::int)" apply (subgoal_tac "FF\GG \ (atLeast 0 \ atLeast 0) leadsTo atLeast k") apply simp diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Constrains.thy --- a/src/HOL/UNITY/Constrains.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Constrains.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ Weak safety relations: restricted to the set of reachable states. *) -section{*Weak Safety*} +section\Weak Safety\ theory Constrains imports UNITY begin @@ -50,7 +50,7 @@ "Increasing f == \z. Stable {s. z \ f s}" -subsection{*traces and reachable*} +subsection\traces and reachable\ lemma reachable_equiv_traces: "reachable F = {s. \evs. (s,evs) \ traces (Init F) (Acts F)}" @@ -82,7 +82,7 @@ done -subsection{*Co*} +subsection\Co\ (*F \ B co B' ==> F \ (reachable F \ B) co (reachable F \ B')*) lemmas constrains_reachable_Int = @@ -185,7 +185,7 @@ done -subsection{*Stable*} +subsection\Stable\ (*Useful because there's no Stable_weaken. [Tanja Vos]*) lemma Stable_eq: "[| F \ Stable A; A = B |] ==> F \ Stable B" @@ -239,7 +239,7 @@ -subsection{*Increasing*} +subsection\Increasing\ lemma IncreasingD: "F \ Increasing f ==> F \ Stable {s. x \ f s}" @@ -265,7 +265,7 @@ lemmas Increasing_constant = increasing_constant [THEN increasing_imp_Increasing, iff] -subsection{*The Elimination Theorem*} +subsection\The Elimination Theorem\ (*The "free" m has become universally quantified! Should the premise be !!m instead of \m ? Would make it harder to use in forward proof.*) @@ -282,7 +282,7 @@ by (unfold Constrains_def constrains_def, blast) -subsection{*Specialized laws for handling Always*} +subsection\Specialized laws for handling Always\ (** Natural deduction rules for "Always A" **) @@ -339,7 +339,7 @@ by (auto simp add: Always_eq_includes_reachable) -subsection{*"Co" rules involving Always*} +subsection\"Co" rules involving Always\ lemma Always_Constrains_pre: "F \ Always INV ==> (F \ (INV \ A) Co A') = (F \ A Co A')" @@ -390,7 +390,7 @@ lemmas Always_thin = thin_rl [of "F \ Always A"] -subsection{*Totalize*} +subsection\Totalize\ lemma reachable_imp_reachable_tot: "s \ reachable F ==> s \ reachable (totalize F)" diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Detects.thy --- a/src/HOL/UNITY/Detects.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Detects.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ Detects definition (Section 3.8 of Chandy & Misra) using LeadsTo *) -section{*The Detects Relation*} +section\The Detects Relation\ theory Detects imports FP SubstAx begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/ELT.thy --- a/src/HOL/UNITY/ELT.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/ELT.thy Wed May 25 11:50:58 2016 +0200 @@ -21,7 +21,7 @@ monos Pow_mono *) -section{*Progress Under Allowable Sets*} +section\Progress Under Allowable Sets\ theory ELT imports Project begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Extend.thy --- a/src/HOL/UNITY/Extend.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Extend.thy Wed May 25 11:50:58 2016 +0200 @@ -7,7 +7,7 @@ function g (forgotten) maps the extended state to the "extending part" *) -section{*Extending State Sets*} +section\Extending State Sets\ theory Extend imports Guar begin @@ -67,7 +67,7 @@ (** These we prove OUTSIDE the locale. **) -subsection{*Restrict*} +subsection\Restrict\ (*MOVE to Relation.thy?*) lemma Restrict_iff [iff]: "((x,y): Restrict A r) = ((x,y): r & x \ A)" @@ -130,7 +130,7 @@ by (metis UNIV_I f_inv_into_f prod.collapse prem surj_h) -subsection{*Trivial properties of f, g, h*} +subsection\Trivial properties of f, g, h\ context Extend begin @@ -167,7 +167,7 @@ end -subsection{*@{term extend_set}: basic properties*} +subsection\@{term extend_set}: basic properties\ lemma project_set_iff [iff]: "(x \ project_set h C) = (\y. h(x,y) \ C)" @@ -215,7 +215,7 @@ apply (auto simp add: split_extended_all) done -subsection{*@{term project_set}: basic properties*} +subsection\@{term project_set}: basic properties\ (*project_set is simply image!*) lemma project_set_eq: "project_set h C = f ` C" @@ -226,7 +226,7 @@ by (auto simp add: split_extended_all) -subsection{*More laws*} +subsection\More laws\ (*Because A and B could differ on the "other" part of the state, cannot generalize to @@ -262,7 +262,7 @@ by (auto simp: extend_set_def) -subsection{*@{term extend_act}*} +subsection\@{term extend_act}\ (*Can't strengthen it to ((h(s,y), h(s',y')) \ extend_act h act) = ((s, s') \ act & y=y') @@ -318,9 +318,9 @@ unfolding project_act_def by (force simp add: split_extended_all) -subsection{*extend*} +subsection\extend\ -text{*Basic properties*} +text\Basic properties\ lemma (in -) Init_extend [simp]: "Init (extend h F) = extend_set h (Init F)" @@ -431,7 +431,7 @@ lemma all_total_extend: "all_total F ==> all_total (extend h F)" by (simp add: all_total_def Domain_extend_act) -subsection{*Safety: co, stable*} +subsection\Safety: co, stable\ lemma extend_constrains: "(extend h F \ (extend_set h A) co (extend_set h B)) = @@ -457,7 +457,7 @@ by (simp add: stable_def extend_constrains_project_set) -subsection{*Weak safety primitives: Co, Stable*} +subsection\Weak safety primitives: Co, Stable\ lemma reachable_extend_f: "p \ reachable (extend h F) ==> f p \ reachable F" by (induct set: reachable) (auto intro: reachable.intros simp add: extend_act_def image_iff) @@ -539,7 +539,7 @@ by (simp add: stable_def project_constrains_project_set) -subsection{*Progress: transient, ensures*} +subsection\Progress: transient, ensures\ lemma extend_transient: "(extend h F \ transient (extend_set h A)) = (F \ transient A)" @@ -560,7 +560,7 @@ apply (simp add: leadsTo_UN extend_set_Union) done -subsection{*Proving the converse takes some doing!*} +subsection\Proving the converse takes some doing!\ lemma slice_iff [iff]: "(x \ slice C y) = (h(x,y) \ C)" by (simp add: slice_def) @@ -621,7 +621,7 @@ extend_set_Int_distrib [symmetric]) -subsection{*preserves*} +subsection\preserves\ lemma project_preserves_I: "G \ preserves (v o f) ==> project h C G \ preserves v" @@ -642,7 +642,7 @@ constrains_def g_def) -subsection{*Guarantees*} +subsection\Guarantees\ lemma project_extend_Join: "project h UNIV ((extend h F)\G) = F\(project h UNIV G)" apply (rule program_equalityI) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/FP.thy --- a/src/HOL/UNITY/FP.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/FP.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ From Misra, "A Logic for Concurrent Programming", 1994 *) -section{*Fixed Point of a Program*} +section\Fixed Point of a Program\ theory FP imports UNITY begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Follows.thy --- a/src/HOL/UNITY/Follows.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Follows.thy Wed May 25 11:50:58 2016 +0200 @@ -3,7 +3,7 @@ Copyright 1998 University of Cambridge *) -section{*The Follows Relation of Charpentier and Sivilotte*} +section\The Follows Relation of Charpentier and Sivilotte\ theory Follows imports SubstAx ListOrder "~~/src/HOL/Library/Multiset" @@ -62,7 +62,7 @@ done -subsection{*Destruction rules*} +subsection\Destruction rules\ lemma Follows_Increasing1: "F \ f Fols g ==> F \ Increasing f" by (simp add: Follows_def) @@ -118,7 +118,7 @@ done -subsection{*Union properties (with the subset ordering)*} +subsection\Union properties (with the subset ordering)\ (*Can replace "Un" by any sup. But existing max only works for linorders.*) @@ -174,7 +174,7 @@ done -subsection{*Multiset union properties (with the multiset ordering)*} +subsection\Multiset union properties (with the multiset ordering)\ (*TODO: remove when multiset is of sort ord again*) instantiation multiset :: (order) ordered_ab_semigroup_add begin diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Guar.thy --- a/src/HOL/UNITY/Guar.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Guar.thy Wed May 25 11:50:58 2016 +0200 @@ -10,7 +10,7 @@ Fifth International Conference on Mathematics of Program, 2000. *) -section{*Guarantees Specifications*} +section\Guarantees Specifications\ theory Guar imports Comp @@ -19,8 +19,8 @@ instance program :: (type) order by standard (auto simp add: program_less_le dest: component_antisym intro: component_trans) -text{*Existential and Universal properties. I formalize the two-program - case, proving equivalence with Chandy and Sanders's n-ary definitions*} +text\Existential and Universal properties. I formalize the two-program + case, proving equivalence with Chandy and Sanders's n-ary definitions\ definition ex_prop :: "'a program set => bool" where "ex_prop X == \F G. F ok G -->F \ X | G \ X --> (F\G) \ X" @@ -36,7 +36,7 @@ SKIP \ X & (\F G. F ok G --> (F \ X & G \ X) = (F\G \ X))" -text{*Guarantees properties*} +text\Guarantees properties\ definition guar :: "['a program set, 'a program set] => 'a program set" (infixl "guarantees" 55) where (*higher than membership, lower than Co*) @@ -73,7 +73,7 @@ by (auto intro: ok_sym simp add: OK_iff_ok) -subsection{*Existential Properties*} +subsection\Existential Properties\ lemma ex1: assumes "ex_prop X" and "finite GG" @@ -110,7 +110,7 @@ done -subsection{*Universal Properties*} +subsection\Universal Properties\ lemma uv1: assumes "uv_prop X" @@ -143,7 +143,7 @@ (\GG. finite GG & GG \ X & OK GG (%G. G) --> (\G \ GG. G): X)" by (blast intro: uv1 uv2) -subsection{*Guarantees*} +subsection\Guarantees\ lemma guaranteesI: "(!!G. [| F ok G; F\G \ X |] ==> F\G \ Y) ==> F \ X guarantees Y" @@ -191,7 +191,7 @@ done -subsection{*Distributive Laws. Re-Orient to Perform Miniscoping*} +subsection\Distributive Laws. Re-Orient to Perform Miniscoping\ lemma guarantees_UN_left: "(\i \ I. X i) guarantees Y = (\i \ I. X i guarantees Y)" @@ -252,7 +252,7 @@ by (unfold guar_def, blast) -subsection{*Guarantees: Additional Laws (by lcp)*} +subsection\Guarantees: Additional Laws (by lcp)\ lemma guarantees_Join_Int: "[| F \ U guarantees V; G \ X guarantees Y; F ok G |] @@ -297,7 +297,7 @@ done -subsection{*Guarantees Laws for Breaking Down the Program (by lcp)*} +subsection\Guarantees Laws for Breaking Down the Program (by lcp)\ lemma guarantees_Join_I1: "[| F \ X guarantees Y; F ok G |] ==> F\G \ X guarantees Y" @@ -440,7 +440,7 @@ apply (simp add: ok_commute Join_ac) done -text{* Equivalence with the other definition of wx *} +text\Equivalence with the other definition of wx\ lemma wx_equiv: "wx X = {F. \G. F ok G --> (F\G) \ X}" apply (unfold wx_def, safe) @@ -453,9 +453,9 @@ done -text{* Propositions 7 to 11 are about this second definition of wx. +text\Propositions 7 to 11 are about this second definition of wx. They are the same as the ones proved for the first definition of wx, - by equivalence *} + by equivalence\ (* Proposition 12 *) (* Main result of the paper *) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Lift_prog.thy --- a/src/HOL/UNITY/Lift_prog.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Lift_prog.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ lift_prog, etc: replication of components and arrays of processes. *) -section{*Replication of Components*} +section\Replication of Components\ theory Lift_prog imports Rename begin @@ -44,7 +44,7 @@ apply (auto split add: nat_diff_split) done -subsection{*Injectiveness proof*} +subsection\Injectiveness proof\ lemma insert_map_inject1: "(insert_map i x f) = (insert_map i y g) ==> x=y" by (drule_tac x = i in fun_cong, simp) @@ -77,7 +77,7 @@ apply (rule inj_onI, auto) done -subsection{*Surjectiveness proof*} +subsection\Surjectiveness proof\ lemma lift_map_drop_map_eq [simp]: "!!s. lift_map i (drop_map i s) = s" apply (unfold lift_map_def drop_map_def) @@ -121,7 +121,7 @@ else insert_map j t (f(i - Suc 0 := s)))" apply (rule ext) apply (simp split add: nat_diff_split) - txt{*This simplification is VERY slow*} + txt\This simplification is VERY slow\ done lemma insert_map_eq_diff: @@ -140,7 +140,7 @@ done -subsection{*The Operator @{term lift_set}*} +subsection\The Operator @{term lift_set}\ lemma lift_set_empty [simp]: "lift_set i {} = {}" by (unfold lift_set_def, auto) @@ -170,7 +170,7 @@ done -subsection{*The Lattice Operations*} +subsection\The Lattice Operations\ lemma bij_lift [iff]: "bij (lift i)" by (simp add: lift_def) @@ -184,7 +184,7 @@ lemma lift_JN [simp]: "lift j (JOIN I F) = (\i \ I. lift j (F i))" by (simp add: lift_def) -subsection{*Safety: constrains, stable, invariant*} +subsection\Safety: constrains, stable, invariant\ lemma lift_constrains: "(lift i F \ (lift_set i A) co (lift_set i B)) = (F \ A co B)" @@ -210,7 +210,7 @@ "(lift i F \ Always (lift_set i A)) = (F \ Always A)" by (simp add: lift_def lift_set_def rename_Always) -subsection{*Progress: transient, ensures*} +subsection\Progress: transient, ensures\ lemma lift_transient: "(lift i F \ transient (lift_set i A)) = (F \ transient A)" @@ -333,7 +333,7 @@ done -subsection{*Lemmas to Handle Function Composition (o) More Consistently*} +subsection\Lemmas to Handle Function Composition (o) More Consistently\ (*Lets us prove one version of a theorem and store others*) lemma o_equiv_assoc: "f o g = h ==> f' o f o g = f' o h" @@ -353,9 +353,9 @@ done -subsection{*More lemmas about extend and project*} +subsection\More lemmas about extend and project\ -text{*They could be moved to theory Extend or Project*} +text\They could be moved to theory Extend or Project\ lemma extend_act_extend_act: "extend_act h' (extend_act h act) = @@ -375,7 +375,7 @@ by (simp add: extend_act_def project_act_def, blast) -subsection{*OK and "lift"*} +subsection\OK and "lift"\ lemma act_in_UNION_preserves_fst: "act \ {(x,x'). fst x = fst x'} ==> act \ UNION (preserves fst) Acts" diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/ListOrder.thy --- a/src/HOL/UNITY/ListOrder.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/ListOrder.thy Wed May 25 11:50:58 2016 +0200 @@ -10,7 +10,7 @@ Also overloads <= and < for lists! *) -section {*The Prefix Ordering on Lists*} +section \The Prefix Ordering on Lists\ theory ListOrder imports Main @@ -57,7 +57,7 @@ "xs pfixGe ys == (xs,ys) : genPrefix Ge" -subsection{*preliminary lemmas*} +subsection\preliminary lemmas\ lemma Nil_genPrefix [iff]: "([], xs) : genPrefix r" by (cut_tac genPrefix.Nil [THEN genPrefix.append], auto) @@ -84,7 +84,7 @@ by (blast intro: genPrefix.prepend) -subsection{*genPrefix is a partial order*} +subsection\genPrefix is a partial order\ lemma refl_genPrefix: "refl r ==> refl (genPrefix r)" apply (unfold refl_on_def, auto) @@ -176,7 +176,7 @@ by (blast intro: antisymI genPrefix_antisym) -subsection{*recursion equations*} +subsection\recursion equations\ lemma genPrefix_Nil [simp]: "((xs, []) : genPrefix r) = (xs = [])" by (induct xs) auto @@ -216,7 +216,7 @@ apply (erule genPrefix.induct) apply blast apply simp -txt{*Append case is hardest*} +txt\Append case is hardest\ apply simp apply (frule genPrefix_length_le [THEN le_imp_less_or_eq]) apply (erule disjE) @@ -258,7 +258,7 @@ done -subsection{*The type of lists is partially ordered*} +subsection\The type of lists is partially ordered\ declare refl_Id [iff] antisym_Id [iff] @@ -376,7 +376,7 @@ shows "xs <= zs \ ys <= zs \ xs <= ys | ys <= xs" by (induct zs rule: rev_induct) auto -subsection{*pfixLe, pfixGe: properties inherited from the translations*} +subsection\pfixLe, pfixGe: properties inherited from the translations\ (** pfixLe **) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/PPROD.thy --- a/src/HOL/UNITY/PPROD.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/PPROD.thy Wed May 25 11:50:58 2016 +0200 @@ -68,7 +68,7 @@ PLam I F \ transient A = (\i \ I. lift i (F i) \ transient A)" by (simp add: JN_transient PLam_def) -text{*This holds because the @{term "F j"} cannot change @{term "lift_set i"}*} +text\This holds because the @{term "F j"} cannot change @{term "lift_set i"}\ lemma PLam_ensures: "[| i \ I; F i \ (A \ UNIV) ensures (B \ UNIV); \j. F j \ preserves snd |] @@ -114,11 +114,11 @@ (*** guarantees properties ***) -text{*This rule looks unsatisfactory because it refers to @{term lift}. +text\This rule looks unsatisfactory because it refers to @{term lift}. One must use - @{text lift_guarantees_eq_lift_inv} to rewrite the first subgoal and - something like @{text lift_preserves_sub} to rewrite the third. However - there's no obvious alternative for the third premise.*} + \lift_guarantees_eq_lift_inv\ to rewrite the first subgoal and + something like \lift_preserves_sub\ to rewrite the third. However + there's no obvious alternative for the third premise.\ lemma guarantees_PLam_I: "[| lift i (F i): X guarantees Y; i \ I; OK I (%i. lift i (F i)) |] diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/ProgressSets.thy --- a/src/HOL/UNITY/ProgressSets.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/ProgressSets.thy Wed May 25 11:50:58 2016 +0200 @@ -13,19 +13,19 @@ Swiss Federal Institute of Technology Zurich (1997) *) -section{*Progress Sets*} +section\Progress Sets\ theory ProgressSets imports Transformers begin -subsection {*Complete Lattices and the Operator @{term cl}*} +subsection \Complete Lattices and the Operator @{term cl}\ definition lattice :: "'a set set => bool" where - --{*Meier calls them closure sets, but they are just complete lattices*} + \\Meier calls them closure sets, but they are just complete lattices\ "lattice L == (\M. M \ L --> \M \ L) & (\M. M \ L --> \M \ L)" definition cl :: "['a set set, 'a set] => 'a set" where - --{*short for ``closure''*} + \\short for ``closure''\ "cl L r == \{x. x\L & r \ x}" lemma UNIV_in_lattice: "lattice L ==> UNIV \ L" @@ -59,8 +59,8 @@ lemma lattice_stable: "lattice {X. F \ stable X}" by (simp add: lattice_def stable_def constrains_def, blast) -text{*The next three results state that @{term "cl L r"} is the minimal - element of @{term L} that includes @{term r}.*} +text\The next three results state that @{term "cl L r"} is the minimal + element of @{term L} that includes @{term r}.\ lemma cl_in_lattice: "lattice L ==> cl L r \ L" apply (simp add: lattice_def cl_def) apply (erule conjE) @@ -70,18 +70,18 @@ lemma cl_least: "[|c\L; r\c|] ==> cl L r \ c" by (force simp add: cl_def) -text{*The next three lemmas constitute assertion (4.61)*} +text\The next three lemmas constitute assertion (4.61)\ lemma cl_mono: "r \ r' ==> cl L r \ cl L r'" by (simp add: cl_def, blast) lemma subset_cl: "r \ cl L r" by (simp add: cl_def le_Inf_iff) -text{*A reformulation of @{thm subset_cl}*} +text\A reformulation of @{thm subset_cl}\ lemma clI: "x \ r ==> x \ cl L r" by (simp add: cl_def, blast) -text{*A reformulation of @{thm cl_least}*} +text\A reformulation of @{thm cl_least}\ lemma clD: "[|c \ cl L r; B \ L; r \ B|] ==> c \ B" by (force simp add: cl_def) @@ -120,7 +120,7 @@ lemma cl_UNIV [simp]: "lattice L ==> cl L UNIV = UNIV" by (simp add: cl_ident UNIV_in_lattice) -text{*Assertion (4.62)*} +text\Assertion (4.62)\ lemma cl_ident_iff: "lattice L ==> (cl L r = r) = (r\L)" apply (rule iffI) apply (erule subst) @@ -132,9 +132,9 @@ by (simp add: cl_ident_iff [symmetric] equalityI subset_cl) -subsection {*Progress Sets and the Main Lemma*} -text{*A progress set satisfies certain closure conditions and is a -simple way of including the set @{term "wens_set F B"}.*} +subsection \Progress Sets and the Main Lemma\ +text\A progress set satisfies certain closure conditions and is a +simple way of including the set @{term "wens_set F B"}.\ definition closed :: "['a program, 'a set, 'a set, 'a set set] => bool" where "closed F T B L == \M. \act \ Acts F. B\M & T\M \ L --> @@ -149,15 +149,15 @@ ==> T \ (B \ wp act M) \ L" by (simp add: closed_def) -text{*Note: the formalization below replaces Meier's @{term q} by @{term B} -and @{term m} by @{term X}. *} +text\Note: the formalization below replaces Meier's @{term q} by @{term B} +and @{term m} by @{term X}.\ -text{*Part of the proof of the claim at the bottom of page 97. It's +text\Part of the proof of the claim at the bottom of page 97. It's proved separately because the argument requires a generalization over -all @{term "act \ Acts F"}.*} +all @{term "act \ Acts F"}.\ lemma lattice_awp_lemma: - assumes TXC: "T\X \ C" --{*induction hypothesis in theorem below*} - and BsubX: "B \ X" --{*holds in inductive step*} + assumes TXC: "T\X \ C" \\induction hypothesis in theorem below\ + and BsubX: "B \ X" \\holds in inductive step\ and latt: "lattice C" and TC: "T \ C" and BC: "B \ C" @@ -173,10 +173,10 @@ apply (blast intro: Un_in_lattice latt cl_in_lattice TXC) done -text{*Remainder of the proof of the claim at the bottom of page 97.*} +text\Remainder of the proof of the claim at the bottom of page 97.\ lemma lattice_lemma: - assumes TXC: "T\X \ C" --{*induction hypothesis in theorem below*} - and BsubX: "B \ X" --{*holds in inductive step*} + assumes TXC: "T\X \ C" \\induction hypothesis in theorem below\ + and BsubX: "B \ X" \\holds in inductive step\ and act: "act \ Acts F" and latt: "lattice C" and TC: "T \ C" @@ -202,9 +202,9 @@ done -text{*Induction step for the main lemma*} +text\Induction step for the main lemma\ lemma progress_induction_step: - assumes TXC: "T\X \ C" --{*induction hypothesis in theorem below*} + assumes TXC: "T\X \ C" \\induction hypothesis in theorem below\ and act: "act \ Acts F" and Xwens: "X \ wens_set F B" and latt: "lattice C" @@ -242,25 +242,25 @@ by (rule cl_subset_in_lattice [OF cl_subset latt]) qed -text{*Proved on page 96 of Meier's thesis. The special case when +text\Proved on page 96 of Meier's thesis. The special case when @{term "T=UNIV"} states that every progress set for the program @{term F} - and set @{term B} includes the set @{term "wens_set F B"}.*} + and set @{term B} includes the set @{term "wens_set F B"}.\ lemma progress_set_lemma: "[|C \ progress_set F T B; r \ wens_set F B; F \ stable T|] ==> T\r \ C" apply (simp add: progress_set_def, clarify) apply (erule wens_set.induct) - txt{*Base*} + txt\Base\ apply (simp add: Int_in_lattice) - txt{*The difficult @{term wens} case*} + txt\The difficult @{term wens} case\ apply (simp add: progress_induction_step) -txt{*Disjunctive case*} +txt\Disjunctive case\ apply (subgoal_tac "(\U\W. T \ U) \ C") apply simp apply (blast intro: UN_in_lattice) done -subsection {*The Progress Set Union Theorem*} +subsection \The Progress Set Union Theorem\ lemma closed_mono: assumes BB': "B \ B'" @@ -306,22 +306,22 @@ done -subsection {*Some Progress Sets*} +subsection \Some Progress Sets\ lemma UNIV_in_progress_set: "UNIV \ progress_set F T B" by (simp add: progress_set_def lattice_def closed_def) -subsubsection {*Lattices and Relations*} -text{*From Meier's thesis, section 4.5.3*} +subsubsection \Lattices and Relations\ +text\From Meier's thesis, section 4.5.3\ definition relcl :: "'a set set => ('a * 'a) set" where - -- {*Derived relation from a lattice*} + \ \Derived relation from a lattice\ "relcl L == {(x,y). y \ cl L {x}}" definition latticeof :: "('a * 'a) set => 'a set set" where - -- {*Derived lattice from a relation: the set of upwards-closed sets*} + \ \Derived lattice from a relation: the set of upwards-closed sets\ "latticeof r == {X. \s t. s \ X & (s,t) \ r --> t \ X}" @@ -350,7 +350,7 @@ apply (simp only: UN_in_lattice) done -text{*Equation (4.71) of Meier's thesis. He gives no proof.*} +text\Equation (4.71) of Meier's thesis. He gives no proof.\ lemma cl_latticeof: "[|refl r; trans r|] ==> cl (latticeof r) X = {t. \s. s\X & (s,t) \ r}" @@ -362,7 +362,7 @@ apply (unfold cl_def, blast) done -text{*Related to (4.71).*} +text\Related to (4.71).\ lemma cl_eq_Collect_relcl: "lattice L ==> cl L X = {t. \s. s\X & (s,t) \ relcl L}" apply (cut_tac UN_singleton [of X]) @@ -370,7 +370,7 @@ apply (force simp only: relcl_def cl_UN) done -text{*Meier's theorem of section 4.5.3*} +text\Meier's theorem of section 4.5.3\ theorem latticeof_relcl_eq: "lattice L ==> latticeof (relcl L) = L" apply (rule equalityI) prefer 2 apply (force simp add: latticeof_def relcl_def cl_def, clarify) @@ -394,14 +394,14 @@ by (simp add: relcl_def cl_latticeof) -subsubsection {*Decoupling Theorems*} +subsubsection \Decoupling Theorems\ definition decoupled :: "['a program, 'a program] => bool" where "decoupled F G == \act \ Acts F. \B. G \ stable B --> G \ stable (wp act B)" -text{*Rao's Decoupling Theorem*} +text\Rao's Decoupling Theorem\ lemma stableco: "F \ stable A ==> F \ A-B co A" by (simp add: stable_def constrains_def, blast) @@ -421,7 +421,7 @@ qed -text{*Rao's Weak Decoupling Theorem*} +text\Rao's Weak Decoupling Theorem\ theorem weak_decoupling: assumes leadsTo: "F \ A leadsTo B" and stable: "F\G \ stable B" @@ -439,12 +439,12 @@ thus ?thesis by simp qed -text{*The ``Decoupling via @{term G'} Union Theorem''*} +text\The ``Decoupling via @{term G'} Union Theorem''\ theorem decoupling_via_aux: assumes leadsTo: "F \ A leadsTo B" and prog: "{X. G' \ stable X} \ progress_set F UNIV B" and GG': "G \ G'" - --{*Beware! This is the converse of the refinement relation!*} + \\Beware! This is the converse of the refinement relation!\ shows "F\G \ A leadsTo B" proof - from prog have stable: "G' \ stable B" @@ -456,16 +456,16 @@ qed -subsection{*Composition Theorems Based on Monotonicity and Commutativity*} +subsection\Composition Theorems Based on Monotonicity and Commutativity\ -subsubsection{*Commutativity of @{term "cl L"} and assignment.*} +subsubsection\Commutativity of @{term "cl L"} and assignment.\ definition commutes :: "['a program, 'a set, 'a set, 'a set set] => bool" where "commutes F T B L == \M. \act \ Acts F. B \ M --> cl L (T \ wp act M) \ T \ (B \ wp act (cl L (T\M)))" -text{*From Meier's thesis, section 4.5.6*} +text\From Meier's thesis, section 4.5.6\ lemma commutativity1_lemma: assumes commutes: "commutes F T B L" and lattice: "lattice L" @@ -484,7 +484,7 @@ apply (blast intro: rev_subsetD [OF _ wp_mono]) done -text{*Version packaged with @{thm progress_set_Union}*} +text\Version packaged with @{thm progress_set_Union}\ lemma commutativity1: assumes leadsTo: "F \ A leadsTo B" and lattice: "lattice L" @@ -499,7 +499,7 @@ -text{*Possibly move to Relation.thy, after @{term single_valued}*} +text\Possibly move to Relation.thy, after @{term single_valued}\ definition funof :: "[('a*'b)set, 'a] => 'b" where "funof r == (\x. THE y. (x,y) \ r)" @@ -518,11 +518,11 @@ by (force simp add: in_wp_iff funof_eq) -subsubsection{*Commutativity of Functions and Relation*} -text{*Thesis, page 109*} +subsubsection\Commutativity of Functions and Relation\ +text\Thesis, page 109\ (*FIXME: this proof is still an ungodly mess*) -text{*From Meier's thesis, section 4.5.6*} +text\From Meier's thesis, section 4.5.6\ lemma commutativity2_lemma: assumes dcommutes: "\act s t. act \ Acts F \ s \ T \ (s, t) \ relcl L \ @@ -564,7 +564,7 @@ then show "commutes F T B L" unfolding commutes_def by clarify qed -text{*Version packaged with @{thm progress_set_Union}*} +text\Version packaged with @{thm progress_set_Union}\ lemma commutativity2: assumes leadsTo: "F \ A leadsTo B" and dcommutes: @@ -585,8 +585,8 @@ done -subsection {*Monotonicity*} -text{*From Meier's thesis, section 4.5.7, page 110*} +subsection \Monotonicity\ +text\From Meier's thesis, section 4.5.7, page 110\ (*to be continued?*) end diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Project.thy --- a/src/HOL/UNITY/Project.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Project.thy Wed May 25 11:50:58 2016 +0200 @@ -7,7 +7,7 @@ Inheritance of GUARANTEES properties under extension. *) -section{*Projections of State Sets*} +section\Projections of State Sets\ theory Project imports Extend begin @@ -35,7 +35,7 @@ done -subsection{*Safety*} +subsection\Safety\ (*used below to prove Join_project_ensures*) lemma project_unless: @@ -103,7 +103,7 @@ end -subsection{*"projecting" and union/intersection (no converses)*} +subsection\"projecting" and union/intersection (no converses)\ lemma projecting_Int: "[| projecting C h F XA' XA; projecting C h F XB' XB |] @@ -206,7 +206,7 @@ by (force simp only: extending_def Join_project_increasing) -subsection{*Reachability and project*} +subsection\Reachability and project\ (*In practice, C = reachable(...): the inclusion is equality*) lemma reachable_imp_reachable_project: @@ -255,7 +255,7 @@ done -subsection{*Converse results for weak safety: benefits of the argument C *} +subsection\Converse results for weak safety: benefits of the argument C\ (*In practice, C = reachable(...): the inclusion is equality*) lemma reachable_project_imp_reachable: @@ -337,8 +337,8 @@ apply (simp (no_asm_simp) add: Increasing_def project_Stable extend_set_eq_Collect) done -subsection{*A lot of redundant theorems: all are proved to facilitate reasoning - about guarantees.*} +subsection\A lot of redundant theorems: all are proved to facilitate reasoning + about guarantees.\ lemma projecting_Constrains: "projecting (%G. reachable (extend h F\G)) h F @@ -398,9 +398,9 @@ done -subsection{*leadsETo in the precondition (??)*} +subsection\leadsETo in the precondition (??)\ -subsubsection{*transient*} +subsubsection\transient\ lemma transient_extend_set_imp_project_transient: "[| G \ transient (C \ extend_set h A); G \ stable C |] @@ -424,7 +424,7 @@ done -subsubsection{*ensures -- a primitive combining progress with safety*} +subsubsection\ensures -- a primitive combining progress with safety\ (*Used to prove project_leadsETo_I*) lemma ensures_extend_set_imp_project_ensures: @@ -458,7 +458,7 @@ [THEN project_extend_transient_D, THEN transient_strengthen]) done -text{*Transferring a transient property upwards*} +text\Transferring a transient property upwards\ lemma project_transient_extend_set: "project h C G \ transient (project_set h C \ A - B) ==> G \ transient (C \ extend_set h A - extend_set h B)" @@ -496,8 +496,8 @@ apply (blast intro: project_transient_extend_set transient_strengthen) done -text{*Lemma useful for both STRONG and WEAK progress, but the transient - condition's very strong*} +text\Lemma useful for both STRONG and WEAK progress, but the transient + condition's very strong\ (*The strange induction formula allows induction over the leadsTo assumption's non-atomic precondition*) @@ -528,7 +528,7 @@ project_set_reachable_extend_eq) -subsection{*Towards the theorem @{text project_Ensures_D}*} +subsection\Towards the theorem \project_Ensures_D\\ lemma project_ensures_D_lemma: "[| G \ stable ((C \ extend_set h A) - (extend_set h B)); @@ -566,7 +566,7 @@ done -subsection{*Guarantees*} +subsection\Guarantees\ lemma project_act_Restrict_subset_project_act: "project_act h (Restrict C act) \ project_act h act" @@ -618,9 +618,9 @@ (*It seems that neither "guarantees" law can be proved from the other.*) -subsection{*guarantees corollaries*} +subsection\guarantees corollaries\ -subsubsection{*Some could be deleted: the required versions are easy to prove*} +subsubsection\Some could be deleted: the required versions are easy to prove\ lemma extend_guar_increasing: "[| F \ UNIV guarantees increasing func; @@ -651,7 +651,7 @@ done -subsubsection{*Guarantees with a leadsTo postcondition*} +subsubsection\Guarantees with a leadsTo postcondition\ lemma project_leadsTo_D: "F\project h UNIV G \ A leadsTo B diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Rename.thy --- a/src/HOL/UNITY/Rename.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Rename.thy Wed May 25 11:50:58 2016 +0200 @@ -3,7 +3,7 @@ Copyright 2000 University of Cambridge *) -section{*Renaming of State Sets*} +section\Renaming of State Sets\ theory Rename imports Extend begin @@ -39,7 +39,7 @@ by (simp add: rename_def) -subsection{*inverse properties*} +subsection\inverse properties\ lemma extend_set_inv: "bij h @@ -164,7 +164,7 @@ by (blast intro: bij_rename bij_rename_imp_bij) -subsection{*the lattice operations*} +subsection\the lattice operations\ lemma rename_SKIP [simp]: "bij h ==> rename h SKIP = SKIP" by (simp add: rename_def Extend.extend_SKIP) @@ -178,7 +178,7 @@ by (simp add: rename_def Extend.extend_JN) -subsection{*Strong Safety: co, stable*} +subsection\Strong Safety: co, stable\ lemma rename_constrains: "bij h ==> (rename h F \ (h`A) co (h`B)) = (F \ A co B)" @@ -203,7 +203,7 @@ done -subsection{*Weak Safety: Co, Stable*} +subsection\Weak Safety: Co, Stable\ lemma reachable_rename_eq: "bij h ==> reachable (rename h F) = h ` (reachable F)" @@ -228,7 +228,7 @@ bij_is_surj [THEN surj_f_inv_f]) -subsection{*Progress: transient, ensures*} +subsection\Progress: transient, ensures\ lemma rename_transient: "bij h ==> (rename h F \ transient (h`A)) = (F \ transient A)" @@ -288,7 +288,7 @@ by (simp add: Extend.OK_extend_iff rename_def) -subsection{*"image" versions of the rules, for lifting "guarantees" properties*} +subsection\"image" versions of the rules, for lifting "guarantees" properties\ (*All the proofs are similar. Better would have been to prove one meta-theorem, but how can we handle the polymorphism? E.g. in diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Simple/Common.thy --- a/src/HOL/UNITY/Simple/Common.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Simple/Common.thy Wed May 25 11:50:58 2016 +0200 @@ -97,7 +97,7 @@ then show ?case by simp qed next - from `n \ common` + from \n \ common\ show "{..n} \ id -` {n..} \ common \ common" by (simp add: atMost_Int_atLeast) qed diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Simple/Lift.thy --- a/src/HOL/UNITY/Simple/Lift.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Simple/Lift.thy Wed May 25 11:50:58 2016 +0200 @@ -10,21 +10,21 @@ begin record state = - floor :: "int" --{*current position of the lift*} - "open" :: "bool" --{*whether the door is opened at floor*} - stop :: "bool" --{*whether the lift is stopped at floor*} - req :: "int set" --{*for each floor, whether the lift is requested*} - up :: "bool" --{*current direction of movement*} - move :: "bool" --{*whether moving takes precedence over opening*} + floor :: "int" \\current position of the lift\ + "open" :: "bool" \\whether the door is opened at floor\ + stop :: "bool" \\whether the lift is stopped at floor\ + req :: "int set" \\for each floor, whether the lift is requested\ + up :: "bool" \\current direction of movement\ + move :: "bool" \\whether moving takes precedence over opening\ axiomatization - Min :: "int" and --{*least and greatest floors*} - Max :: "int" --{*least and greatest floors*} + Min :: "int" and \\least and greatest floors\ + Max :: "int" \\least and greatest floors\ where Min_le_Max [iff]: "Min \ Max" - --{*Abbreviations: the "always" part*} + \\Abbreviations: the "always" part\ definition above :: "state set" @@ -50,7 +50,7 @@ ready :: "state set" where "ready = {s. stop s & ~ open s & move s}" - --{*Further abbreviations*} + \\Further abbreviations\ definition moving :: "state set" @@ -65,7 +65,7 @@ where "opened = {s. stop s & open s & move s}" definition - closed :: "state set" --{*but this is the same as ready!!*} + closed :: "state set" \\but this is the same as ready!!\ where "closed = {s. stop s & ~ open s & move s}" definition @@ -78,7 +78,7 @@ - --{*The program*} + \\The program\ definition request_act :: "(state*state) set" @@ -128,12 +128,12 @@ definition button_press :: "(state*state) set" - --{*This action is omitted from prior treatments, which therefore are + \\This action is omitted from prior treatments, which therefore are unrealistic: nobody asks the lift to do anything! But adding this action invalidates many of the existing progress arguments: various "ensures" properties fail. Maybe it should be constrained to only allow button presses in the current direction of travel, like in a - real lift.*} + real lift.\ where "button_press = {(s,s'). \n. s' = s (|req := insert n (req s)|) & Min \ n & n \ Max}" @@ -141,7 +141,7 @@ definition Lift :: "state program" - --{*for the moment, we OMIT @{text button_press}*} + \\for the moment, we OMIT \button_press\\ where "Lift = mk_total_program ({s. floor s = Min & ~ up s & move s & stop s & ~ open s & req s = {}}, @@ -150,7 +150,7 @@ UNIV)" - --{*Invariants*} + \\Invariants\ definition bounded :: "state set" @@ -261,7 +261,7 @@ done -subsection{*Progress*} +subsection\Progress\ declare moving_def [THEN def_set_simp, simp] declare stopped_def [THEN def_set_simp, simp] @@ -271,7 +271,7 @@ declare Req_def [THEN def_set_simp, simp] -text{*The HUG'93 paper mistakenly omits the Req n from these!*} +text\The HUG'93 paper mistakenly omits the Req n from these!\ (** Lift_1 **) lemma E_thm01: "Lift \ (stopped \ atFloor n) LeadsTo (opened \ atFloor n)" diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Simple/NSP_Bad.thy --- a/src/HOL/UNITY/Simple/NSP_Bad.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Simple/NSP_Bad.thy Wed May 25 11:50:58 2016 +0200 @@ -5,15 +5,15 @@ Original file is ../Auth/NS_Public_Bad *) -section{*Analyzing the Needham-Schroeder Public-Key Protocol in UNITY*} +section\Analyzing the Needham-Schroeder Public-Key Protocol in UNITY\ theory NSP_Bad imports "../../Auth/Public" "../UNITY_Main" begin -text{*This is the flawed version, vulnerable to Lowe's attack. +text\This is the flawed version, vulnerable to Lowe's attack. From page 260 of Burrows, Abadi and Needham. A Logic of Authentication. Proc. Royal Soc. 426 (1989). -*} +\ type_synonym state = "event list" @@ -63,8 +63,8 @@ declare analz_into_parts [dest] declare Fake_parts_insert_in_Un [dest] -text{*For other theories, e.g. Mutex and Lift, using [iff] slows proofs down. - Here, it facilitates re-use of the Auth proofs.*} +text\For other theories, e.g. Mutex and Lift, using [iff] slows proofs down. + Here, it facilitates re-use of the Auth proofs.\ declare Fake_def [THEN def_act_simp, iff] declare NS1_def [THEN def_act_simp, iff] @@ -74,8 +74,8 @@ declare Nprg_def [THEN def_prg_Init, simp] -text{*A "possibility property": there are traces that reach the end. - Replace by LEADSTO proof!*} +text\A "possibility property": there are traces that reach the end. + Replace by LEADSTO proof!\ lemma "A \ B ==> \NB. \s \ reachable Nprg. Says A B (Crypt (pubK B) (Nonce NB)) \ set s" apply (intro exI bexI) @@ -88,7 +88,7 @@ done -subsection{*Inductive Proofs about @{term ns_public}*} +subsection\Inductive Proofs about @{term ns_public}\ lemma ns_constrainsI: "(!!act s s'. [| act \ {Id, Fake, NS1, NS2, NS3}; @@ -99,8 +99,8 @@ done -text{*This ML code does the inductions directly.*} -ML{* +text\This ML code does the inductions directly.\ +ML\ fun ns_constrains_tac ctxt i = SELECT_GOAL (EVERY @@ -121,17 +121,17 @@ (*"reachable" gets in here*) resolve_tac ctxt [@{thm Always_reachable} RS @{thm Always_ConstrainsI} RS @{thm StableI}] 1, ns_constrains_tac ctxt 1]; -*} +\ -method_setup ns_induct = {* - Scan.succeed (SIMPLE_METHOD' o ns_induct_tac) *} +method_setup ns_induct = \ + Scan.succeed (SIMPLE_METHOD' o ns_induct_tac)\ "for inductive reasoning about the Needham-Schroeder protocol" -text{*Converts invariants into statements about reachable states*} +text\Converts invariants into statements about reachable states\ lemmas Always_Collect_reachableD = Always_includes_reachable [THEN subsetD, THEN CollectD] -text{*Spy never sees another agent's private key! (unless it's bad at start)*} +text\Spy never sees another agent's private key! (unless it's bad at start)\ lemma Spy_see_priK: "Nprg \ Always {s. (Key (priK A) \ parts (spies s)) = (A \ bad)}" apply ns_induct @@ -145,10 +145,10 @@ declare Spy_analz_priK [THEN Always_Collect_reachableD, simp] -subsection{*Authenticity properties obtained from NS2*} +subsection\Authenticity properties obtained from NS2\ -text{*It is impossible to re-use a nonce in both NS1 and NS2 provided the - nonce is secret. (Honest users generate fresh nonces.)*} +text\It is impossible to re-use a nonce in both NS1 and NS2 provided the + nonce is secret. (Honest users generate fresh nonces.)\ lemma no_nonce_NS1_NS2: "Nprg \ Always {s. Crypt (pubK C) \NA', Nonce NA\ \ parts (spies s) --> @@ -158,12 +158,12 @@ apply (blast intro: analz_insertI)+ done -text{*Adding it to the claset slows down proofs...*} +text\Adding it to the claset slows down proofs...\ lemmas no_nonce_NS1_NS2_reachable = no_nonce_NS1_NS2 [THEN Always_Collect_reachableD, rule_format] -text{*Unicity for NS1: nonce NA identifies agents A and B*} +text\Unicity for NS1: nonce NA identifies agents A and B\ lemma unique_NA_lemma: "Nprg \ Always {s. Nonce NA \ analz (spies s) --> @@ -172,10 +172,10 @@ A=A' & B=B'}" apply ns_induct apply auto -txt{*Fake, NS1 are non-trivial*} +txt\Fake, NS1 are non-trivial\ done -text{*Unicity for NS1: nonce NA identifies agents A and B*} +text\Unicity for NS1: nonce NA identifies agents A and B\ lemma unique_NA: "[| Crypt(pubK B) \Nonce NA, Agent A\ \ parts(spies s); Crypt(pubK B') \Nonce NA, Agent A'\ \ parts(spies s); @@ -185,26 +185,26 @@ by (blast dest: unique_NA_lemma [THEN Always_Collect_reachableD]) -text{*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure*} +text\Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure\ lemma Spy_not_see_NA: "[| A \ bad; B \ bad |] ==> Nprg \ Always {s. Says A B (Crypt(pubK B) \Nonce NA, Agent A\) \ set s --> Nonce NA \ analz (spies s)}" apply ns_induct -txt{*NS3*} +txt\NS3\ prefer 4 apply (blast intro: no_nonce_NS1_NS2_reachable) -txt{*NS2*} +txt\NS2\ prefer 3 apply (blast dest: unique_NA) -txt{*NS1*} +txt\NS1\ prefer 2 apply blast -txt{*Fake*} +txt\Fake\ apply spy_analz done -text{*Authentication for A: if she receives message 2 and has used NA - to start a run, then B has sent message 2.*} +text\Authentication for A: if she receives message 2 and has used NA + to start a run, then B has sent message 2.\ lemma A_trusts_NS2: "[| A \ bad; B \ bad |] ==> Nprg \ Always @@ -217,7 +217,7 @@ done -text{*If the encrypted message appears then it originated with Alice in NS1*} +text\If the encrypted message appears then it originated with Alice in NS1\ lemma B_trusts_NS1: "Nprg \ Always {s. Nonce NA \ analz (spies s) --> @@ -228,10 +228,10 @@ done -subsection{*Authenticity properties obtained from NS2*} +subsection\Authenticity properties obtained from NS2\ -text{*Unicity for NS2: nonce NB identifies nonce NA and agent A. - Proof closely follows that of @{text unique_NA}.*} +text\Unicity for NS2: nonce NB identifies nonce NA and agent A. + Proof closely follows that of \unique_NA\.\ lemma unique_NB_lemma: "Nprg \ Always {s. Nonce NB \ analz (spies s) --> @@ -240,7 +240,7 @@ A=A' & NA=NA'}" apply ns_induct apply auto -txt{*Fake, NS2 are non-trivial*} +txt\Fake, NS2 are non-trivial\ done lemma unique_NB: @@ -253,7 +253,7 @@ done -text{*NB remains secret PROVIDED Alice never responds with round 3*} +text\NB remains secret PROVIDED Alice never responds with round 3\ lemma Spy_not_see_NB: "[| A \ bad; B \ bad |] ==> Nprg \ Always @@ -262,20 +262,20 @@ --> Nonce NB \ analz (spies s)}" apply ns_induct apply (simp_all (no_asm_simp) add: all_conj_distrib) -txt{*NS3: because NB determines A*} +txt\NS3: because NB determines A\ prefer 4 apply (blast dest: unique_NB) -txt{*NS2: by freshness and unicity of NB*} +txt\NS2: by freshness and unicity of NB\ prefer 3 apply (blast intro: no_nonce_NS1_NS2_reachable) -txt{*NS1: by freshness*} +txt\NS1: by freshness\ prefer 2 apply blast -txt{*Fake*} +txt\Fake\ apply spy_analz done -text{*Authentication for B: if he receives message 3 and has used NB - in message 2, then A has sent message 3--to somebody....*} +text\Authentication for B: if he receives message 3 and has used NB + in message 2, then A has sent message 3--to somebody....\ lemma B_trusts_NS3: "[| A \ bad; B \ bad |] ==> Nprg \ Always @@ -286,29 +286,29 @@ apply (insert Spy_not_see_NB [of A B NA NB], simp, ns_induct) apply (simp_all (no_asm_simp) add: ex_disj_distrib) apply auto -txt{*NS3: because NB determines A. This use of @{text unique_NB} is robust.*} +txt\NS3: because NB determines A. This use of \unique_NB\ is robust.\ apply (blast intro: unique_NB [THEN conjunct1]) done -text{*Can we strengthen the secrecy theorem? NO*} +text\Can we strengthen the secrecy theorem? NO\ lemma "[| A \ bad; B \ bad |] ==> Nprg \ Always {s. Says B A (Crypt (pubK A) \Nonce NA, Nonce NB\) \ set s --> Nonce NB \ analz (spies s)}" apply ns_induct apply auto -txt{*Fake*} +txt\Fake\ apply spy_analz -txt{*NS2: by freshness and unicity of NB*} +txt\NS2: by freshness and unicity of NB\ apply (blast intro: no_nonce_NS1_NS2_reachable) -txt{*NS3: unicity of NB identifies A and NA, but not B*} +txt\NS3: unicity of NB identifies A and NA, but not B\ apply (frule_tac A'=A in Says_imp_spies [THEN parts.Inj, THEN unique_NB]) apply (erule Says_imp_spies [THEN parts.Inj], auto) apply (rename_tac s B' C) -txt{*This is the attack! +txt\This is the attack! @{subgoals[display,indent=0,margin=65]} -*} +\ oops diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Simple/Reach.thy --- a/src/HOL/UNITY/Simple/Reach.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Simple/Reach.thy Wed May 25 11:50:58 2016 +0200 @@ -33,7 +33,7 @@ where "metric s = card {v. ~ s v}" -text{**We assume that the set of vertices is finite*} +text\*We assume that the set of vertices is finite\ axiomatization where finite_graph: "finite (UNIV :: vertex set)" @@ -52,7 +52,7 @@ declare asgt_def [THEN def_act_simp,simp] -text{*All vertex sets are finite*} +text\All vertex sets are finite\ declare finite_subset [OF subset_UNIV finite_graph, iff] declare reach_invariant_def [THEN def_set_simp, simp] diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Simple/Token.thy --- a/src/HOL/UNITY/Simple/Token.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Simple/Token.thy Wed May 25 11:50:58 2016 +0200 @@ -4,19 +4,19 @@ *) -section {*The Token Ring*} +section \The Token Ring\ theory Token imports "../WFair" begin -text{*From Misra, "A Logic for Concurrent Programming" (1994), sections 5.2 and 13.2.*} +text\From Misra, "A Logic for Concurrent Programming" (1994), sections 5.2 and 13.2.\ -subsection{*Definitions*} +subsection\Definitions\ datatype pstate = Hungry | Eating | Thinking - --{*process states*} + \\process states\ record state = token :: "nat" @@ -71,7 +71,7 @@ done -subsection{*Progress under Weak Fairness*} +subsection\Progress under Weak Fairness\ lemma wf_nodeOrder: "wf(nodeOrder j)" apply (unfold nodeOrder_def) @@ -85,8 +85,8 @@ apply (auto split add: nat_diff_split simp add: linorder_neq_iff mod_geq) done -text{*From "A Logic for Concurrent Programming", but not used in Chapter 4. - Note the use of @{text cases}. Reasoning about leadsTo takes practice!*} +text\From "A Logic for Concurrent Programming", but not used in Chapter 4. + Note the use of \cases\. Reasoning about leadsTo takes practice!\ lemma TR7_nodeOrder: "[| i F \ (HasTok i) leadsTo ({s. (token s, i) \ nodeOrder j} \ HasTok j)" @@ -97,7 +97,7 @@ done -text{*Chapter 4 variant, the one actually used below.*} +text\Chapter 4 variant, the one actually used below.\ lemma TR7_aux: "[| ij |] ==> F \ (HasTok i) leadsTo {s. (token s, i) \ nodeOrder j}" apply (rule TR7 [THEN leadsTo_weaken_R]) @@ -109,7 +109,7 @@ by auto -text{*Misra's TR9: the token reaches an arbitrary node*} +text\Misra's TR9: the token reaches an arbitrary node\ lemma leadsTo_j: "j F \ {s. token s < N} leadsTo (HasTok j)" apply (rule leadsTo_weaken_R) apply (rule_tac I = "-{j}" and f = token and B = "{}" @@ -121,7 +121,7 @@ apply (auto simp add: HasTok_def nodeOrder_def) done -text{*Misra's TR8: a hungry process eventually eats*} +text\Misra's TR8: a hungry process eventually eats\ lemma token_progress: "j F \ ({s. token s < N} \ H j) leadsTo (E j)" apply (rule leadsTo_cancel1 [THEN leadsTo_Un_duplicate]) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/SubstAx.thy --- a/src/HOL/UNITY/SubstAx.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/SubstAx.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ Weak LeadsTo relation (restricted to the set of reachable states) *) -section{*Weak Progress*} +section\Weak Progress\ theory SubstAx imports WFair Constrains begin @@ -18,7 +18,7 @@ notation LeadsTo (infixl "\w" 60) -text{*Resembles the previous definition of LeadsTo*} +text\Resembles the previous definition of LeadsTo\ lemma LeadsTo_eq_leadsTo: "A LeadsTo B = {F. F \ (reachable F \ A) leadsTo (reachable F \ B)}" apply (unfold LeadsTo_def) @@ -26,7 +26,7 @@ done -subsection{*Specialized laws for handling invariants*} +subsection\Specialized laws for handling invariants\ (** Conjoining an Always property **) @@ -47,7 +47,7 @@ lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2] -subsection{*Introduction rules: Basis, Trans, Union*} +subsection\Introduction rules: Basis, Trans, Union\ lemma leadsTo_imp_LeadsTo: "F \ A leadsTo B ==> F \ A LeadsTo B" apply (simp add: LeadsTo_def) @@ -68,12 +68,12 @@ done -subsection{*Derived rules*} +subsection\Derived rules\ lemma LeadsTo_UNIV [simp]: "F \ A LeadsTo UNIV" by (simp add: LeadsTo_def) -text{*Useful with cancellation, disjunction*} +text\Useful with cancellation, disjunction\ lemma LeadsTo_Un_duplicate: "F \ A LeadsTo (A' \ A') ==> F \ A LeadsTo A'" by (simp add: Un_ac) @@ -87,12 +87,12 @@ apply (blast intro: LeadsTo_Union) done -text{*Binary union introduction rule*} +text\Binary union introduction rule\ lemma LeadsTo_Un: "[| F \ A LeadsTo C; F \ B LeadsTo C |] ==> F \ (A \ B) LeadsTo C" using LeadsTo_UN [of "{A, B}" F id C] by auto -text{*Lets us look at the starting state*} +text\Lets us look at the starting state\ lemma single_LeadsTo_I: "(!!s. s \ A ==> F \ {s} LeadsTo B) ==> F \ A LeadsTo B" by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast) @@ -176,8 +176,8 @@ apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen) done -text{*Set difference: maybe combine with @{text leadsTo_weaken_L}?? - This is the most useful form of the "disjunction" rule*} +text\Set difference: maybe combine with \leadsTo_weaken_L\?? + This is the most useful form of the "disjunction" rule\ lemma LeadsTo_Diff: "[| F \ (A-B) LeadsTo C; F \ (A \ B) LeadsTo C |] ==> F \ A LeadsTo C" @@ -191,18 +191,18 @@ done -text{*Version with no index set*} +text\Version with no index set\ lemma LeadsTo_UN_UN_noindex: "(!!i. F \ (A i) LeadsTo (A' i)) ==> F \ (\i. A i) LeadsTo (\i. A' i)" by (blast intro: LeadsTo_UN_UN) -text{*Version with no index set*} +text\Version with no index set\ lemma all_LeadsTo_UN_UN: "\i. F \ (A i) LeadsTo (A' i) ==> F \ (\i. A i) LeadsTo (\i. A' i)" by (blast intro: LeadsTo_UN_UN) -text{*Binary union version*} +text\Binary union version\ lemma LeadsTo_Un_Un: "[| F \ A LeadsTo A'; F \ B LeadsTo B' |] ==> F \ (A \ B) LeadsTo (A' \ B')" @@ -240,18 +240,18 @@ done -text{*The impossibility law*} +text\The impossibility law\ -text{*The set "A" may be non-empty, but it contains no reachable states*} +text\The set "A" may be non-empty, but it contains no reachable states\ lemma LeadsTo_empty: "[|F \ A LeadsTo {}; all_total F|] ==> F \ Always (-A)" apply (simp add: LeadsTo_def Always_eq_includes_reachable) apply (drule leadsTo_empty, auto) done -subsection{*PSP: Progress-Safety-Progress*} +subsection\PSP: Progress-Safety-Progress\ -text{*Special case of PSP: Misra's "stable conjunction"*} +text\Special case of PSP: Misra's "stable conjunction"\ lemma PSP_Stable: "[| F \ A LeadsTo A'; F \ Stable B |] ==> F \ (A \ B) LeadsTo (A' \ B)" @@ -298,7 +298,7 @@ done -subsection{*Induction rules*} +subsection\Induction rules\ (** Meta or object quantifier ????? **) lemma LeadsTo_wf_induct: @@ -329,7 +329,7 @@ ==> F \ A LeadsTo B" by (rule wf_less_than [THEN LeadsTo_wf_induct], auto) -text{*Integer version. Could generalize from 0 to any lower bound*} +text\Integer version. Could generalize from 0 to any lower bound\ lemma integ_0_le_induct: "[| F \ Always {s. (0::int) \ f s}; !! z. F \ (A \ {s. f s = z}) LeadsTo @@ -363,7 +363,7 @@ done -subsection{*Completion: Binary and General Finite versions*} +subsection\Completion: Binary and General Finite versions\ lemma Completion: "[| F \ A LeadsTo (A' \ C); F \ A' Co (A' \ C); diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Transformers.thy --- a/src/HOL/UNITY/Transformers.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Transformers.thy Wed May 25 11:50:58 2016 +0200 @@ -13,30 +13,30 @@ Swiss Federal Institute of Technology Zurich (1997) *) -section{*Predicate Transformers*} +section\Predicate Transformers\ theory Transformers imports Comp begin -subsection{*Defining the Predicate Transformers @{term wp}, - @{term awp} and @{term wens}*} +subsection\Defining the Predicate Transformers @{term wp}, + @{term awp} and @{term wens}\ definition wp :: "[('a*'a) set, 'a set] => 'a set" where - --{*Dijkstra's weakest-precondition operator (for an individual command)*} + \\Dijkstra's weakest-precondition operator (for an individual command)\ "wp act B == - (act^-1 `` (-B))" definition awp :: "['a program, 'a set] => 'a set" where - --{*Dijkstra's weakest-precondition operator (for a program)*} + \\Dijkstra's weakest-precondition operator (for a program)\ "awp F B == (\act \ Acts F. wp act B)" definition wens :: "['a program, ('a*'a) set, 'a set] => 'a set" where - --{*The weakest-ensures transformer*} + \\The weakest-ensures transformer\ "wens F act B == gfp(\X. (wp act B \ awp F (B \ X)) \ B)" -text{*The fundamental theorem for wp*} +text\The fundamental theorem for wp\ theorem wp_iff: "(A <= wp act B) = (act `` A <= B)" by (force simp add: wp_def) -text{*This lemma is a good deal more intuitive than the definition!*} +text\This lemma is a good deal more intuitive than the definition!\ lemma in_wp_iff: "(a \ wp act B) = (\x. (a,x) \ act --> x \ B)" by (simp add: wp_def, blast) @@ -46,7 +46,7 @@ lemma wp_empty [simp]: "wp act {} = - (Domain act)" by (force simp add: wp_def) -text{*The identity relation is the skip action*} +text\The identity relation is the skip action\ lemma wp_Id [simp]: "wp Id B = B" by (simp add: wp_def) @@ -60,7 +60,7 @@ lemma awp_Int_eq: "awp F (A\B) = awp F A \ awp F B" by (simp add: awp_def wp_def, blast) -text{*The fundamental theorem for awp*} +text\The fundamental theorem for awp\ theorem awp_iff_constrains: "(A <= awp F B) = (F \ A co B)" by (simp add: awp_def constrains_def wp_iff INT_subset_iff) @@ -88,8 +88,8 @@ lemma wens_Id [simp]: "wens F Id B = B" by (simp add: wens_def gfp_def wp_def awp_def, blast) -text{*These two theorems justify the claim that @{term wens} returns the -weakest assertion satisfying the ensures property*} +text\These two theorems justify the claim that @{term wens} returns the +weakest assertion satisfying the ensures property\ lemma ensures_imp_wens: "F \ A ensures B ==> \act \ Acts F. A \ wens F act B" apply (simp add: wens_def ensures_def transient_def, clarify) apply (rule rev_bexI, assumption) @@ -101,7 +101,7 @@ by (simp add: wens_def gfp_def constrains_def awp_def wp_def ensures_def transient_def, blast) -text{*These two results constitute assertion (4.13) of the thesis*} +text\These two results constitute assertion (4.13) of the thesis\ lemma wens_mono: "(A \ B) ==> wens F act A \ wens F act B" apply (simp add: wens_def wp_def awp_def) apply (rule gfp_mono, blast) @@ -110,22 +110,22 @@ lemma wens_weakening: "B \ wens F act B" by (simp add: wens_def gfp_def, blast) -text{*Assertion (6), or 4.16 in the thesis*} +text\Assertion (6), or 4.16 in the thesis\ lemma subset_wens: "A-B \ wp act B \ awp F (B \ A) ==> A \ wens F act B" apply (simp add: wens_def wp_def awp_def) apply (rule gfp_upperbound, blast) done -text{*Assertion 4.17 in the thesis*} +text\Assertion 4.17 in the thesis\ lemma Diff_wens_constrains: "F \ (wens F act A - A) co wens F act A" by (simp add: wens_def gfp_def wp_def awp_def constrains_def, blast) - --{*Proved instantly, yet remarkably fragile. If @{text Un_subset_iff} + \\Proved instantly, yet remarkably fragile. If \Un_subset_iff\ is declared as an iff-rule, then it's almost impossible to prove. - One proof is via @{text meson} after expanding all definitions, but it's - slow!*} + One proof is via \meson\ after expanding all definitions, but it's + slow!\ -text{*Assertion (7): 4.18 in the thesis. NOTE that many of these results -hold for an arbitrary action. We often do not require @{term "act \ Acts F"}*} +text\Assertion (7): 4.18 in the thesis. NOTE that many of these results +hold for an arbitrary action. We often do not require @{term "act \ Acts F"}\ lemma stable_wens: "F \ stable A ==> F \ stable (wens F act A)" apply (simp add: stable_def) apply (drule constrains_Un [OF Diff_wens_constrains [of F act A]]) @@ -134,7 +134,7 @@ apply (simp add: wens_weakening) done -text{*Assertion 4.20 in the thesis.*} +text\Assertion 4.20 in the thesis.\ lemma wens_Int_eq_lemma: "[|T-B \ awp F T; act \ Acts F|] ==> T \ wens F act B \ wens F act (T\B)" @@ -143,8 +143,8 @@ apply (simp add: wp_def awp_def, blast) done -text{*Assertion (8): 4.21 in the thesis. Here we indeed require - @{term "act \ Acts F"}*} +text\Assertion (8): 4.21 in the thesis. Here we indeed require + @{term "act \ Acts F"}\ lemma wens_Int_eq: "[|T-B \ awp F T; act \ Acts F|] ==> T \ wens F act B = T \ wens F act (T\B)" @@ -155,7 +155,7 @@ done -subsection{*Defining the Weakest Ensures Set*} +subsection\Defining the Weakest Ensures Set\ inductive_set wens_set :: "['a program, 'a set] => 'a set set" @@ -198,29 +198,29 @@ apply (blast intro: wens_set.Union) done -text{*Assertion (9): 4.27 in the thesis.*} +text\Assertion (9): 4.27 in the thesis.\ lemma leadsTo_iff_wens_set: "(F \ A leadsTo B) = (\C \ wens_set F B. A \ C)" by (blast intro: leadsTo_imp_wens_set leadsTo_weaken_L wens_set_imp_leadsTo) -text{*This is the result that requires the definition of @{term wens_set} to +text\This is the result that requires the definition of @{term wens_set} to require @{term W} to be non-empty in the Unio case, for otherwise we should - always have @{term "{} \ wens_set F B"}.*} + always have @{term "{} \ wens_set F B"}.\ lemma wens_set_imp_subset: "A \ wens_set F B ==> B \ A" apply (erule wens_set.induct) apply (blast intro: wens_weakening [THEN subsetD])+ done -subsection{*Properties Involving Program Union*} +subsection\Properties Involving Program Union\ -text{*Assertion (4.30) of thesis, reoriented*} +text\Assertion (4.30) of thesis, reoriented\ lemma awp_Join_eq: "awp (F\G) B = awp F B \ awp G B" by (simp add: awp_def wp_def, blast) lemma wens_subset: "wens F act B - B \ wp act B \ awp F (B \ wens F act B)" by (subst wens_unfold, fast) -text{*Assertion (4.31)*} +text\Assertion (4.31)\ lemma subset_wens_Join: "[|A = T \ wens F act B; T-B \ awp F T; A-B \ awp G (A \ B)|] ==> A \ wens (F\G) act B" @@ -232,14 +232,14 @@ apply (insert wens_subset [of F act B], blast) done -text{*Assertion (4.32)*} +text\Assertion (4.32)\ lemma wens_Join_subset: "wens (F\G) act B \ wens F act B" apply (simp add: wens_def) apply (rule gfp_mono) apply (auto simp add: awp_Join_eq) done -text{*Lemma, because the inductive step is just too messy.*} +text\Lemma, because the inductive step is just too messy.\ lemma wens_Union_inductive_step: assumes awpF: "T-B \ awp F T" and awpG: "!!X. X \ wens_set F B ==> (T\X) - B \ awp G (T\X)" @@ -272,14 +272,14 @@ and major: "X \ wens_set F B" shows "\Y \ wens_set (F\G) B. Y \ X & T\X = T\Y" apply (rule wens_set.induct [OF major]) - txt{*Basis: trivial*} + txt\Basis: trivial\ apply (blast intro: wens_set.Basis) - txt{*Inductive step*} + txt\Inductive step\ apply clarify apply (rule_tac x = "wens (F\G) act Y" in rev_bexI) apply (force intro: wens_set.Wens) apply (simp add: wens_Union_inductive_step [OF awpF awpG]) -txt{*Union: by Axiom of Choice*} +txt\Union: by Axiom of Choice\ apply (simp add: ball_conj_distrib Bex_def) apply (clarify dest!: bchoice) apply (rule_tac x = "\{Z. \U\W. Z = f U}" in exI) @@ -299,10 +299,10 @@ done -subsection {*The Set @{term "wens_set F B"} for a Single-Assignment Program*} -text{*Thesis Section 4.3.3*} +subsection \The Set @{term "wens_set F B"} for a Single-Assignment Program\ +text\Thesis Section 4.3.3\ -text{*We start by proving laws about single-assignment programs*} +text\We start by proving laws about single-assignment programs\ lemma awp_single_eq [simp]: "awp (mk_program (init, {act}, allowed)) B = B \ wp act B" by (force simp add: awp_def wp_def) @@ -332,7 +332,7 @@ by (simp add: wens_def gfp_def wp_def, blast) -text{*Next, we express the @{term "wens_set"} for single-assignment programs*} +text\Next, we express the @{term "wens_set"} for single-assignment programs\ definition wens_single_finite :: "[('a*'a) set, 'a set, nat] => 'a set" where "wens_single_finite act B k == \i \ atMost k. (wp act ^^ i) B" @@ -416,7 +416,7 @@ apply (simp add: atMost_Suc, blast) done -text{*lemma for Union case*} +text\lemma for Union case\ lemma Union_eq_wens_single: "\\k. \ W \ wens_single_finite act B ` {..k}; W \ insert (wens_single act B) @@ -439,15 +439,15 @@ insert (wens_single act B) (range (wens_single_finite act B))" apply (rule subsetI) apply (erule wens_set.induct) - txt{*Basis*} + txt\Basis\ apply (fastforce simp add: wens_single_finite_def) - txt{*Wens inductive step*} + txt\Wens inductive step\ apply (case_tac "acta = Id", simp) apply (simp add: wens_single_eq) apply (elim disjE) apply (simp add: wens_single_Un_eq) apply (force simp add: wens_single_finite_Un_eq) -txt{*Union inductive step*} +txt\Union inductive step\ apply (case_tac "\k. W \ wens_single_finite act B ` (atMost k)") apply (blast dest!: subset_wens_single_finite, simp) apply (rule disjI1 [OF Union_eq_wens_single], blast+) @@ -471,7 +471,7 @@ apply (blast intro: wens_set.Union wens_single_finite_in_wens_set) done -text{*Theorem (4.29)*} +text\Theorem (4.29)\ theorem wens_set_single_eq: "[|F = mk_program (init, {act}, allowed); single_valued act|] ==> wens_set F B = @@ -481,7 +481,7 @@ apply (erule ssubst, erule single_subset_wens_set) done -text{*Generalizing Misra's Fixed Point Union Theorem (4.41)*} +text\Generalizing Misra's Fixed Point Union Theorem (4.41)\ lemma fp_leadsTo_Join: "[|T-B \ awp F T; T-B \ FP G; F \ A leadsTo B|] ==> F\G \ T\A leadsTo B" diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/UNITY.thy --- a/src/HOL/UNITY/UNITY.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/UNITY.thy Wed May 25 11:50:58 2016 +0200 @@ -8,7 +8,7 @@ From Misra, "A Logic for Concurrent Programming", 1994. *) -section {*The Basic UNITY Theory*} +section \The Basic UNITY Theory\ theory UNITY imports Main begin @@ -54,11 +54,11 @@ "invariant A == {F. Init F \ A} \ stable A" definition increasing :: "['a => 'b::{order}] => 'a program set" where - --{*Polymorphic in both states and the meaning of @{text "\"}*} + \\Polymorphic in both states and the meaning of \\\\ "increasing f == \z. stable {s. z \ f s}" -subsubsection{*The abstract type of programs*} +subsubsection\The abstract type of programs\ lemmas program_typedef = Rep_Program Rep_Program_inverse Abs_Program_inverse @@ -83,7 +83,7 @@ lemma insert_Id_AllowedActs [iff]: "insert Id (AllowedActs F) = AllowedActs F" by (simp add: insert_absorb) -subsubsection{*Inspectors for type "program"*} +subsubsection\Inspectors for type "program"\ lemma Init_eq [simp]: "Init (mk_program (init,acts,allowed)) = init" by (simp add: program_typedef) @@ -95,7 +95,7 @@ "AllowedActs (mk_program (init,acts,allowed)) = insert Id allowed" by (simp add: program_typedef) -subsubsection{*Equality for UNITY programs*} +subsubsection\Equality for UNITY programs\ lemma surjective_mk_program [simp]: "mk_program (Init F, Acts F, AllowedActs F) = F" @@ -124,7 +124,7 @@ by (blast intro: program_equalityI program_equalityE) -subsubsection{*co*} +subsubsection\co\ lemma constrainsI: "(!!act s s'. [| act: Acts F; (s,s') \ act; s \ A |] ==> s': A') @@ -147,12 +147,12 @@ lemma constrains_UNIV2 [iff]: "F \ A co UNIV" by (unfold constrains_def, blast) -text{*monotonic in 2nd argument*} +text\monotonic in 2nd argument\ lemma constrains_weaken_R: "[| F \ A co A'; A'<=B' |] ==> F \ A co B'" by (unfold constrains_def, blast) -text{*anti-monotonic in 1st argument*} +text\anti-monotonic in 1st argument\ lemma constrains_weaken_L: "[| F \ A co A'; B \ A |] ==> F \ B co A'" by (unfold constrains_def, blast) @@ -161,7 +161,7 @@ "[| F \ A co A'; B \ A; A'<=B' |] ==> F \ B co B'" by (unfold constrains_def, blast) -subsubsection{*Union*} +subsubsection\Union\ lemma constrains_Un: "[| F \ A co A'; F \ B co B' |] ==> F \ (A \ B) co (A' \ B')" @@ -184,7 +184,7 @@ lemma constrains_INT_distrib: "A co (\i \ I. B i) = (\i \ I. A co B i)" by (unfold constrains_def, blast) -subsubsection{*Intersection*} +subsubsection\Intersection\ lemma constrains_Int: "[| F \ A co A'; F \ B co B' |] ==> F \ (A \ B) co (A' \ B')" @@ -198,8 +198,8 @@ lemma constrains_imp_subset: "F \ A co A' ==> A \ A'" by (unfold constrains_def, auto) -text{*The reasoning is by subsets since "co" refers to single actions - only. So this rule isn't that useful.*} +text\The reasoning is by subsets since "co" refers to single actions + only. So this rule isn't that useful.\ lemma constrains_trans: "[| F \ A co B; F \ B co C |] ==> F \ A co C" by (unfold constrains_def, blast) @@ -209,7 +209,7 @@ by (unfold constrains_def, clarify, blast) -subsubsection{*unless*} +subsubsection\unless\ lemma unlessI: "F \ (A-B) co (A \ B) ==> F \ A unless B" by (unfold unless_def, assumption) @@ -218,7 +218,7 @@ by (unfold unless_def, assumption) -subsubsection{*stable*} +subsubsection\stable\ lemma stableI: "F \ A co A ==> F \ stable A" by (unfold stable_def, assumption) @@ -229,7 +229,7 @@ lemma stable_UNIV [simp]: "stable UNIV = UNIV" by (unfold stable_def constrains_def, auto) -subsubsection{*Union*} +subsubsection\Union\ lemma stable_Un: "[| F \ stable A; F \ stable A' |] ==> F \ stable (A \ A')" @@ -248,7 +248,7 @@ "(!!A. A \ X ==> F \ stable A) ==> F \ stable (\X)" by (unfold stable_def constrains_def, blast) -subsubsection{*Intersection*} +subsubsection\Intersection\ lemma stable_Int: "[| F \ stable A; F \ stable A' |] ==> F \ stable (A \ A')" @@ -278,18 +278,18 @@ lemmas stable_constrains_stable = stable_constrains_Int[THEN stableI] -subsubsection{*invariant*} +subsubsection\invariant\ lemma invariantI: "[| Init F \ A; F \ stable A |] ==> F \ invariant A" by (simp add: invariant_def) -text{*Could also say @{term "invariant A \ invariant B \ invariant(A \ B)"}*} +text\Could also say @{term "invariant A \ invariant B \ invariant(A \ B)"}\ lemma invariant_Int: "[| F \ invariant A; F \ invariant B |] ==> F \ invariant (A \ B)" by (auto simp add: invariant_def stable_Int) -subsubsection{*increasing*} +subsubsection\increasing\ lemma increasingD: "F \ increasing f ==> F \ stable {s. z \ f s}" @@ -319,15 +319,15 @@ ==> F \ {s. s x \ M} co (\m \ M. B m)" by (unfold constrains_def, blast) -text{*As above, but for the trivial case of a one-variable state, in which the - state is identified with its one variable.*} +text\As above, but for the trivial case of a one-variable state, in which the + state is identified with its one variable.\ lemma elimination_sing: "(\m \ M. F \ {m} co (B m)) ==> F \ M co (\m \ M. B m)" by (unfold constrains_def, blast) -subsubsection{*Theoretical Results from Section 6*} +subsubsection\Theoretical Results from Section 6\ lemma constrains_strongest_rhs: "F \ A co (strongest_rhs F A )" @@ -338,7 +338,7 @@ by (unfold constrains_def strongest_rhs_def, blast) -subsubsection{*Ad-hoc set-theory rules*} +subsubsection\Ad-hoc set-theory rules\ lemma Un_Diff_Diff [simp]: "A \ B - (A - B) = B" by blast @@ -346,7 +346,7 @@ lemma Int_Union_Union: "\B \ A = \((%C. C \ A)`B)" by blast -text{*Needed for WF reasoning in WFair.thy*} +text\Needed for WF reasoning in WFair.thy\ lemma Image_less_than [simp]: "less_than `` {k} = greaterThan k" by blast @@ -355,7 +355,7 @@ by blast -subsection{*Partial versus Total Transitions*} +subsection\Partial versus Total Transitions\ definition totalize_act :: "('a * 'a)set => ('a * 'a)set" where "totalize_act act == act \ Id_on (-(Domain act))" @@ -376,7 +376,7 @@ by (blast intro: sym [THEN image_eqI]) -subsubsection{*Basic properties*} +subsubsection\Basic properties\ lemma totalize_act_Id [simp]: "totalize_act Id = Id" by (simp add: totalize_act_def) @@ -427,9 +427,9 @@ by (simp add: mk_total_program_def) -subsection{*Rules for Lazy Definition Expansion*} +subsection\Rules for Lazy Definition Expansion\ -text{*They avoid expanding the full program, which is a large expression*} +text\They avoid expanding the full program, which is a large expression\ lemma def_prg_Init: "F = mk_total_program (init,acts,allowed) ==> Init F = init" @@ -445,16 +445,16 @@ ==> AllowedActs F = insert Id allowed" by (simp add: mk_total_program_def) -text{*An action is expanded if a pair of states is being tested against it*} +text\An action is expanded if a pair of states is being tested against it\ lemma def_act_simp: "act = {(s,s'). P s s'} ==> ((s,s') \ act) = P s s'" by (simp add: mk_total_program_def) -text{*A set is expanded only if an element is being tested against it*} +text\A set is expanded only if an element is being tested against it\ lemma def_set_simp: "A = B ==> (x \ A) = (x \ B)" by (simp add: mk_total_program_def) -subsubsection{*Inspectors for type "program"*} +subsubsection\Inspectors for type "program"\ lemma Init_total_eq [simp]: "Init (mk_total_program (init,acts,allowed)) = init" diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/UNITY_Main.thy --- a/src/HOL/UNITY/UNITY_Main.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/UNITY_Main.thy Wed May 25 11:50:58 2016 +0200 @@ -3,7 +3,7 @@ Copyright 2003 University of Cambridge *) -section{*Comprehensive UNITY Theory*} +section\Comprehensive UNITY Theory\ theory UNITY_Main imports Detects PPROD Follows ProgressSets @@ -11,19 +11,19 @@ ML_file "UNITY_tactics.ML" -method_setup safety = {* - Scan.succeed (SIMPLE_METHOD' o constrains_tac) *} +method_setup safety = \ + Scan.succeed (SIMPLE_METHOD' o constrains_tac)\ "for proving safety properties" -method_setup ensures_tac = {* +method_setup ensures_tac = \ Args.goal_spec -- Scan.lift Args.embedded_inner_syntax >> (fn (quant, s) => fn ctxt => SIMPLE_METHOD'' quant (ensures_tac ctxt s)) -*} "for proving progress properties" +\ "for proving progress properties" -setup {* +setup \ map_theory_simpset (fn ctxt => ctxt addsimps (make_o_equivs ctxt @{thm fst_o_funPair} @ make_o_equivs ctxt @{thm snd_o_funPair}) addsimps (make_o_equivs ctxt @{thm fst_o_lift_map} @ make_o_equivs ctxt @{thm snd_o_lift_map})) -*} +\ end diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/Union.thy --- a/src/HOL/UNITY/Union.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/Union.thy Wed May 25 11:50:58 2016 +0200 @@ -5,7 +5,7 @@ Partly from Misra's Chapter 5: Asynchronous Compositions of Programs. *) -section{*Unions of Programs*} +section\Unions of Programs\ theory Union imports SubstAx FP begin @@ -47,7 +47,7 @@ "\x. B" == "CONST JOIN (CONST UNIV) (\x. B)" -subsection{*SKIP*} +subsection\SKIP\ lemma Init_SKIP [simp]: "Init SKIP = UNIV" by (simp add: SKIP_def) @@ -61,7 +61,7 @@ lemma reachable_SKIP [simp]: "reachable SKIP = UNIV" by (force elim: reachable.induct intro: reachable.intros) -subsection{*SKIP and safety properties*} +subsection\SKIP and safety properties\ lemma SKIP_in_constrains_iff [iff]: "(SKIP \ A co B) = (A \ B)" by (unfold constrains_def, auto) @@ -75,7 +75,7 @@ declare SKIP_in_stable [THEN stable_imp_Stable, iff] -subsection{*Join*} +subsection\Join\ lemma Init_Join [simp]: "Init (F\G) = Init F \ Init G" by (simp add: Join_def) @@ -88,7 +88,7 @@ by (auto simp add: Join_def) -subsection{*JN*} +subsection\JN\ lemma JN_empty [simp]: "(\i\{}. F i) = SKIP" by (unfold JOIN_def SKIP_def, auto) @@ -114,7 +114,7 @@ by (simp add: JOIN_def) -subsection{*Algebraic laws*} +subsection\Algebraic laws\ lemma Join_commute: "F\G = G\F" by (simp add: Join_def Un_commute Int_commute) @@ -151,7 +151,7 @@ lemmas Join_ac = Join_assoc Join_left_absorb Join_commute Join_left_commute -subsection{*Laws Governing @{text "\"}*} +subsection\Laws Governing \\\\ (*Also follows by JN_insert and insert_absorb, but the proof is longer*) lemma JN_absorb: "k \ I ==> F k\(\i \ I. F i) = (\i \ I. F i)" @@ -178,7 +178,7 @@ done -subsection{*Safety: co, stable, FP*} +subsection\Safety: co, stable, FP\ (*Fails if I={} because it collapses to SKIP \ A co B, i.e. to A \ B. So an alternative precondition is A \ B, but most proofs using this rule require @@ -240,7 +240,7 @@ by (simp add: FP_def JN_stable INTER_eq) -subsection{*Progress: transient, ensures*} +subsection\Progress: transient, ensures\ lemma JN_transient: "i \ I ==> @@ -308,7 +308,7 @@ done -subsection{*the ok and OK relations*} +subsection\the ok and OK relations\ lemma ok_SKIP1 [iff]: "SKIP ok F" by (simp add: ok_def) @@ -355,7 +355,7 @@ by (auto simp add: OK_iff_ok) -subsection{*Allowed*} +subsection\Allowed\ lemma Allowed_SKIP [simp]: "Allowed SKIP = UNIV" by (auto simp add: Allowed_def) @@ -372,8 +372,8 @@ lemma OK_iff_Allowed: "OK I F = (\i \ I. \j \ I-{i}. F i \ Allowed(F j))" by (auto simp add: OK_iff_ok ok_iff_Allowed) -subsection{*@{term safety_prop}, for reasoning about - given instances of "ok"*} +subsection\@{term safety_prop}, for reasoning about + given instances of "ok"\ lemma safety_prop_Acts_iff: "safety_prop X ==> (Acts G \ insert Id (UNION X Acts)) = (G \ X)" @@ -418,7 +418,7 @@ moreover assume "Acts G \ (\j\\i\I. X i. Acts j)" ultimately have "Acts G \ (\i\X i. Acts i)" by auto - with * `i \ I` show "G \ X i" by blast + with * \i \ I\ show "G \ X i" by blast qed lemma safety_prop_INTER1 [simp]: @@ -443,7 +443,7 @@ ==> F ok G = (G \ X & acts \ AllowedActs G)" by (auto simp add: ok_def safety_prop_Acts_iff) -text{*The union of two total programs is total.*} +text\The union of two total programs is total.\ lemma totalize_Join: "totalize F\totalize G = totalize (F\G)" by (simp add: program_equalityI totalize_def Join_def image_Un) diff -r 703edebd1d92 -r f1ecba0272f9 src/HOL/UNITY/WFair.thy --- a/src/HOL/UNITY/WFair.thy Wed May 25 11:49:40 2016 +0200 +++ b/src/HOL/UNITY/WFair.thy Wed May 25 11:50:58 2016 +0200 @@ -7,11 +7,11 @@ From Misra, "A Logic for Concurrent Programming", 1994 *) -section{*Progress*} +section\Progress\ theory WFair imports UNITY begin -text{*The original version of this theory was based on weak fairness. (Thus, +text\The original version of this theory was based on weak fairness. (Thus, the entire UNITY development embodied this assumption, until February 2003.) Weak fairness states that if a command is enabled continuously, then it is eventually executed. Ernie Cohen suggested that I instead adopt unconditional @@ -30,14 +30,14 @@ property, it simplifies many proofs. A drawback is that some laws only hold under the assumption that all transitions are total. The best-known of these is the impossibility law for leads-to. -*} +\ definition - --{*This definition specifies conditional fairness. The rest of the theory + \\This definition specifies conditional fairness. The rest of the theory is generic to all forms of fairness. To get weak fairness, conjoin the inclusion below with @{term "A \ Domain act"}, which specifies - that the action is enabled over all of @{term A}.*} + that the action is enabled over all of @{term A}.\ transient :: "'a set => 'a program set" where "transient A == {F. \act\Acts F. act``A \ -A}" @@ -48,7 +48,7 @@ inductive_set leads :: "'a program => ('a set * 'a set) set" - --{*LEADS-TO constant for the inductive definition*} + \\LEADS-TO constant for the inductive definition\ for F :: "'a program" where @@ -60,17 +60,17 @@ definition leadsTo :: "['a set, 'a set] => 'a program set" (infixl "leadsTo" 60) where - --{*visible version of the LEADS-TO relation*} + \\visible version of the LEADS-TO relation\ "A leadsTo B == {F. (A,B) \ leads F}" definition wlt :: "['a program, 'a set] => 'a set" where - --{*predicate transformer: the largest set that leads to @{term B}*} + \\predicate transformer: the largest set that leads to @{term B}\ "wlt F B == \{A. F \ A leadsTo B}" notation leadsTo (infixl "\" 60) -subsection{*transient*} +subsection\transient\ lemma stable_transient: "[| F \ stable A; F \ transient A |] ==> \act\Acts F. A \ - (Domain act)" @@ -104,9 +104,9 @@ by (unfold transient_def, auto) -text{*This equation recovers the notion of weak fairness. A totalized +text\This equation recovers the notion of weak fairness. A totalized program satisfies a transient assertion just if the original program - contains a suitable action that is also enabled.*} + contains a suitable action that is also enabled.\ lemma totalize_transient_iff: "(totalize F \ transient A) = (\act\Acts F. A \ Domain act & act``A \ -A)" apply (simp add: totalize_def totalize_act_def transient_def @@ -119,7 +119,7 @@ ==> totalize F \ transient A" by (simp add: totalize_transient_iff, blast) -subsection{*ensures*} +subsection\ensures\ lemma ensuresI: "[| F \ (A-B) co (A \ B); F \ transient (A-B) |] ==> F \ A ensures B" @@ -135,7 +135,7 @@ apply (blast intro: constrains_weaken transient_strengthen) done -text{*The L-version (precondition strengthening) fails, but we have this*} +text\The L-version (precondition strengthening) fails, but we have this\ lemma stable_ensures_Int: "[| F \ stable C; F \ A ensures B |] ==> F \ (C \ A) ensures (C \ B)" @@ -155,7 +155,7 @@ by (simp (no_asm) add: ensures_def unless_def) -subsection{*leadsTo*} +subsection\leadsTo\ lemma leadsTo_Basis [intro]: "F \ A ensures B ==> F \ A leadsTo B" apply (unfold leadsTo_def) @@ -179,7 +179,7 @@ lemma transient_imp_leadsTo: "F \ transient A ==> F \ A leadsTo (-A)" by (simp (no_asm_simp) add: leadsTo_Basis ensuresI Compl_partition) -text{*Useful with cancellation, disjunction*} +text\Useful with cancellation, disjunction\ lemma leadsTo_Un_duplicate: "F \ A leadsTo (A' \ A') ==> F \ A leadsTo A'" by (simp add: Un_ac) @@ -187,7 +187,7 @@ "F \ A leadsTo (A' \ C \ C) ==> F \ A leadsTo (A' \ C)" by (simp add: Un_ac) -text{*The Union introduction rule as we should have liked to state it*} +text\The Union introduction rule as we should have liked to state it\ lemma leadsTo_Union: "(!!A. A \ S ==> F \ A leadsTo B) ==> F \ (\S) leadsTo B" apply (unfold leadsTo_def) @@ -206,7 +206,7 @@ apply (blast intro: leadsTo_Union) done -text{*Binary union introduction rule*} +text\Binary union introduction rule\ lemma leadsTo_Un: "[| F \ A leadsTo C; F \ B leadsTo C |] ==> F \ (A \ B) leadsTo C" using leadsTo_Union [of "{A, B}" F C] by auto @@ -216,7 +216,7 @@ by (subst UN_singleton [symmetric], rule leadsTo_UN, blast) -text{*The INDUCTION rule as we should have liked to state it*} +text\The INDUCTION rule as we should have liked to state it\ lemma leadsTo_induct: "[| F \ za leadsTo zb; !!A B. F \ A ensures B ==> P A B; @@ -245,16 +245,16 @@ (** Variant induction rule: on the preconditions for B **) -text{*Lemma is the weak version: can't see how to do it in one step*} +text\Lemma is the weak version: can't see how to do it in one step\ lemma leadsTo_induct_pre_lemma: "[| F \ za leadsTo zb; P zb; !!A B. [| F \ A ensures B; P B |] ==> P A; !!S. \A \ S. P A ==> P (\S) |] ==> P za" -txt{*by induction on this formula*} +txt\by induction on this formula\ apply (subgoal_tac "P zb --> P za") -txt{*now solve first subgoal: this formula is sufficient*} +txt\now solve first subgoal: this formula is sufficient\ apply (blast intro: leadsTo_refl) apply (erule leadsTo_induct) apply (blast+) @@ -282,7 +282,7 @@ "[| F \ A leadsTo A'; B \ A |] ==> F \ B leadsTo A'" by (blast intro: leadsTo_Trans subset_imp_leadsTo) -text{*Distributes over binary unions*} +text\Distributes over binary unions\ lemma leadsTo_Un_distrib: "F \ (A \ B) leadsTo C = (F \ A leadsTo C & F \ B leadsTo C)" by (blast intro: leadsTo_Un leadsTo_weaken_L) @@ -301,7 +301,7 @@ by (blast intro: leadsTo_weaken_R leadsTo_weaken_L leadsTo_Trans) -text{*Set difference: maybe combine with @{text leadsTo_weaken_L}??*} +text\Set difference: maybe combine with \leadsTo_weaken_L\??\ lemma leadsTo_Diff: "[| F \ (A-B) leadsTo C; F \ B leadsTo C |] ==> F \ A leadsTo C" by (blast intro: leadsTo_Un leadsTo_weaken) @@ -312,7 +312,7 @@ apply (blast intro: leadsTo_Union leadsTo_weaken_R) done -text{*Binary union version*} +text\Binary union version\ lemma leadsTo_Un_Un: "[| F \ A leadsTo A'; F \ B leadsTo B' |] ==> F \ (A \ B) leadsTo (A' \ B')" @@ -350,7 +350,7 @@ done -text{*The impossibility law*} +text\The impossibility law\ lemma leadsTo_empty: "[|F \ A leadsTo {}; all_total F|] ==> A={}" apply (erule leadsTo_induct_pre) apply (simp_all add: ensures_def constrains_def transient_def all_total_def, clarify) @@ -358,9 +358,9 @@ apply blast done -subsection{*PSP: Progress-Safety-Progress*} +subsection\PSP: Progress-Safety-Progress\ -text{*Special case of PSP: Misra's "stable conjunction"*} +text\Special case of PSP: Misra's "stable conjunction"\ lemma psp_stable: "[| F \ A leadsTo A'; F \ stable B |] ==> F \ (A \ B) leadsTo (A' \ B)" @@ -389,9 +389,9 @@ ==> F \ (A \ B') leadsTo ((A' \ B) \ (B' - B))" apply (erule leadsTo_induct) prefer 3 apply (blast intro: leadsTo_Union_Int) - txt{*Basis case*} + txt\Basis case\ apply (blast intro: psp_ensures) -txt{*Transitivity case has a delicate argument involving "cancellation"*} +txt\Transitivity case has a delicate argument involving "cancellation"\ apply (rule leadsTo_Un_duplicate2) apply (erule leadsTo_cancel_Diff1) apply (simp add: Int_Diff Diff_triv) @@ -413,7 +413,7 @@ done -subsection{*Proving the induction rules*} +subsection\Proving the induction rules\ (** The most general rule: r is any wf relation; f is any variant function **) @@ -490,9 +490,9 @@ done -subsection{*wlt*} +subsection\wlt\ -text{*Misra's property W3*} +text\Misra's property W3\ lemma wlt_leadsTo: "F \ (wlt F B) leadsTo B" apply (unfold wlt_def) apply (blast intro!: leadsTo_Union) @@ -503,17 +503,17 @@ apply (blast intro!: leadsTo_Union) done -text{*Misra's property W2*} +text\Misra's property W2\ lemma leadsTo_eq_subset_wlt: "F \ A leadsTo B = (A \ wlt F B)" by (blast intro!: leadsTo_subset wlt_leadsTo [THEN leadsTo_weaken_L]) -text{*Misra's property W4*} +text\Misra's property W4\ lemma wlt_increasing: "B \ wlt F B" apply (simp (no_asm_simp) add: leadsTo_eq_subset_wlt [symmetric] subset_imp_leadsTo) done -text{*Used in the Trans case below*} +text\Used in the Trans case below\ lemma lemma1: "[| B \ A2; F \ (A1 - B) co (A1 \ B); @@ -521,18 +521,18 @@ ==> F \ (A1 \ A2 - C) co (A1 \ A2 \ C)" by (unfold constrains_def, clarify, blast) -text{*Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"*} +text\Lemma (1,2,3) of Misra's draft book, Chapter 4, "Progress"\ lemma leadsTo_123: "F \ A leadsTo A' ==> \B. A \ B & F \ B leadsTo A' & F \ (B-A') co (B \ A')" apply (erule leadsTo_induct) - txt{*Basis*} + txt\Basis\ apply (blast dest: ensuresD) - txt{*Trans*} + txt\Trans\ apply clarify apply (rule_tac x = "Ba \ Bb" in exI) apply (blast intro: lemma1 leadsTo_Un_Un leadsTo_cancel1 leadsTo_Un_duplicate) -txt{*Union*} +txt\Union\ apply (clarify dest!: ball_conj_distrib [THEN iffD1] bchoice) apply (rule_tac x = "\A \ S. f A" in exI) apply (auto intro: leadsTo_UN) @@ -542,7 +542,7 @@ done -text{*Misra's property W5*} +text\Misra's property W5\ lemma wlt_constrains_wlt: "F \ (wlt F B - B) co (wlt F B)" proof - from wlt_leadsTo [of F B, THEN leadsTo_123] @@ -564,7 +564,7 @@ qed -subsection{*Completion: Binary and General Finite versions*} +subsection\Completion: Binary and General Finite versions\ lemma completion_lemma : "[| W = wlt F (B' \ C);