# HG changeset patch # User paulson # Date 1044448532 -3600 # Node ID fd40c9d9076bc17e05077624f2481b7b728922b8 # Parent 3786b2fd680800c64032056fff8b5aea71b55384 more tidying diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Channel.thy --- a/src/HOL/UNITY/Simple/Channel.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Channel.thy Wed Feb 05 13:35:32 2003 +0100 @@ -17,19 +17,19 @@ constdefs minSet :: "nat set => nat option" - "minSet A == if A={} then None else Some (LEAST x. x:A)" + "minSet A == if A={} then None else Some (LEAST x. x \ A)" axioms - UC1: "F : (minSet -` {Some x}) co (minSet -` (Some`atLeast x))" + UC1: "F \ (minSet -` {Some x}) co (minSet -` (Some`atLeast x))" - (* UC1 "F : {s. minSet s = x} co {s. x <= minSet s}" *) + (* UC1 "F \ {s. minSet s = x} co {s. x \ minSet s}" *) - UC2: "F : (minSet -` {Some x}) leadsTo {s. x ~: s}" + UC2: "F \ (minSet -` {Some x}) leadsTo {s. x \ s}" (*None represents "infinity" while Some represents proper integers*) -lemma minSet_eq_SomeD: "minSet A = Some x ==> x : A" +lemma minSet_eq_SomeD: "minSet A = Some x ==> x \ A" apply (unfold minSet_def) apply (simp split: split_if_asm) apply (fast intro: LeastI) @@ -38,11 +38,11 @@ lemma minSet_empty [simp]: " minSet{} = None" by (unfold minSet_def, simp) -lemma minSet_nonempty: "x:A ==> minSet A = Some (LEAST x. x: A)" +lemma minSet_nonempty: "x \ A ==> minSet A = Some (LEAST x. x \ A)" by (unfold minSet_def, auto) lemma minSet_greaterThan: - "F : (minSet -` {Some x}) leadsTo (minSet -` (Some`greaterThan x))" + "F \ (minSet -` {Some x}) leadsTo (minSet -` (Some`greaterThan x))" apply (rule leadsTo_weaken) apply (rule_tac x1=x in psp [OF UC2 UC1], safe) apply (auto dest: minSet_eq_SomeD simp add: linorder_neq_iff) @@ -50,7 +50,7 @@ (*The induction*) lemma Channel_progress_lemma: - "F : (UNIV-{{}}) leadsTo (minSet -` (Some`atLeast y))" + "F \ (UNIV-{{}}) leadsTo (minSet -` (Some`atLeast y))" apply (rule leadsTo_weaken_R) apply (rule_tac l = y and f = "the o minSet" and B = "{}" in greaterThan_bounded_induct, safe) @@ -63,7 +63,7 @@ done -lemma Channel_progress: "!!y::nat. F : (UNIV-{{}}) leadsTo {s. y ~: s}" +lemma Channel_progress: "!!y::nat. F \ (UNIV-{{}}) leadsTo {s. y \ s}" apply (rule Channel_progress_lemma [THEN leadsTo_weaken_R], clarify) apply (frule minSet_nonempty) apply (auto dest: Suc_le_lessD not_less_Least) diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Common.thy --- a/src/HOL/UNITY/Simple/Common.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Common.thy Wed Feb 05 13:35:32 2003 +0100 @@ -17,56 +17,56 @@ gtime :: "nat=>nat" axioms - fmono: "m <= n ==> ftime m <= ftime n" - gmono: "m <= n ==> gtime m <= gtime n" + fmono: "m \ n ==> ftime m \ ftime n" + gmono: "m \ n ==> gtime m \ gtime n" - fasc: "m <= ftime n" - gasc: "m <= gtime n" + fasc: "m \ ftime n" + gasc: "m \ gtime n" constdefs common :: "nat set" "common == {n. ftime n = n & gtime n = n}" maxfg :: "nat => nat set" - "maxfg m == {t. t <= max (ftime m) (gtime m)}" + "maxfg m == {t. t \ max (ftime m) (gtime m)}" (*Misra's property CMT4: t exceeds no common meeting time*) lemma common_stable: - "[| ALL m. F : {m} Co (maxfg m); n: common |] - ==> F : Stable (atMost n)" -apply (drule_tac M = "{t. t<=n}" in Elimination_sing) + "[| \m. F \ {m} Co (maxfg m); n \ common |] + ==> F \ Stable (atMost n)" +apply (drule_tac M = "{t. t \ n}" in Elimination_sing) apply (simp add: atMost_def Stable_def common_def maxfg_def le_max_iff_disj) apply (erule Constrains_weaken_R) apply (blast intro: order_eq_refl fmono gmono le_trans) done lemma common_safety: - "[| Init F <= atMost n; - ALL m. F : {m} Co (maxfg m); n: common |] - ==> F : Always (atMost n)" + "[| Init F \ atMost n; + \m. F \ {m} Co (maxfg m); n \ common |] + ==> F \ Always (atMost n)" by (simp add: AlwaysI common_stable) (*** Some programs that implement the safety property above ***) -lemma "SKIP : {m} co (maxfg m)" +lemma "SKIP \ {m} co (maxfg m)" by (simp add: constrains_def maxfg_def le_max_iff_disj fasc) (*This one is t := ftime t || t := gtime t*) lemma "mk_program (UNIV, {range(%t.(t,ftime t)), range(%t.(t,gtime t))}, UNIV) - : {m} co (maxfg m)" + \ {m} co (maxfg m)" by (simp add: constrains_def maxfg_def le_max_iff_disj fasc) (*This one is t := max (ftime t) (gtime t)*) lemma "mk_program (UNIV, {range(%t.(t, max (ftime t) (gtime t)))}, UNIV) - : {m} co (maxfg m)" + \ {m} co (maxfg m)" by (simp add: constrains_def maxfg_def max_def gasc) (*This one is t := t+1 if t {m} co (maxfg m)" by (simp add: constrains_def maxfg_def max_def gasc) @@ -79,10 +79,10 @@ declare atMost_Int_atLeast [simp] lemma leadsTo_common_lemma: - "[| ALL m. F : {m} Co (maxfg m); - ALL m: lessThan n. F : {m} LeadsTo (greaterThan m); - n: common |] - ==> F : (atMost n) LeadsTo common" + "[| \m. F \ {m} Co (maxfg m); + \m \ lessThan n. F \ {m} LeadsTo (greaterThan m); + n \ common |] + ==> F \ (atMost n) LeadsTo common" apply (rule LeadsTo_weaken_R) apply (rule_tac f = id and l = n in GreaterThan_bounded_induct) apply (simp_all (no_asm_simp)) @@ -90,12 +90,12 @@ apply (blast dest: PSP_Stable2 intro: common_stable LeadsTo_weaken_R) done -(*The "ALL m: -common" form echoes CMT6.*) +(*The "\m \ -common" form echoes CMT6.*) lemma leadsTo_common: - "[| ALL m. F : {m} Co (maxfg m); - ALL m: -common. F : {m} LeadsTo (greaterThan m); - n: common |] - ==> F : (atMost (LEAST n. n: common)) LeadsTo common" + "[| \m. F \ {m} Co (maxfg m); + \m \ -common. F \ {m} LeadsTo (greaterThan m); + n \ common |] + ==> F \ (atMost (LEAST n. n \ common)) LeadsTo common" apply (rule leadsTo_common_lemma) apply (simp_all (no_asm_simp)) apply (erule_tac [2] LeastI) diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Deadlock.thy --- a/src/HOL/UNITY/Simple/Deadlock.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Deadlock.thy Wed Feb 05 13:35:32 2003 +0100 @@ -10,66 +10,61 @@ theory Deadlock = UNITY: (*Trivial, two-process case*) -lemma "[| F : (A Int B) co A; F : (B Int A) co B |] ==> F : stable (A Int B)" +lemma "[| F \ (A \ B) co A; F \ (B \ A) co B |] ==> F \ stable (A \ B)" by (unfold constrains_def stable_def, blast) (*a simplification step*) lemma Collect_le_Int_equals: - "(INT i: atMost n. A(Suc i) Int A i) = (INT i: atMost (Suc n). A i)" + "(\i \ atMost n. A(Suc i) \ A i) = (\i \ atMost (Suc n). A i)" apply (induct_tac "n") -apply (simp_all (no_asm_simp) add: atMost_Suc) -apply auto +apply (auto simp add: atMost_Suc) done (*Dual of the required property. Converse inclusion fails.*) lemma UN_Int_Compl_subset: - "(UN i: lessThan n. A i) Int (- A n) <= - (UN i: lessThan n. (A i) Int (- A (Suc i)))" -apply (induct_tac "n") -apply (simp (no_asm_simp)) -apply (simp (no_asm) add: lessThan_Suc) -apply blast + "(\i \ lessThan n. A i) \ (- A n) \ + (\i \ lessThan n. (A i) \ (- A (Suc i)))" +apply (induct_tac "n", simp) +apply (simp add: lessThan_Suc, blast) done (*Converse inclusion fails.*) lemma INT_Un_Compl_subset: - "(INT i: lessThan n. -A i Un A (Suc i)) <= - (INT i: lessThan n. -A i) Un A n" -apply (induct_tac "n") -apply (simp (no_asm_simp)) -apply (simp (no_asm_simp) add: lessThan_Suc) -apply blast + "(\i \ lessThan n. -A i \ A (Suc i)) \ + (\i \ lessThan n. -A i) \ A n" +apply (induct_tac "n", simp) +apply (simp add: lessThan_Suc, blast) done (*Specialized rewriting*) lemma INT_le_equals_Int_lemma: - "A 0 Int (-(A n) Int (INT i: lessThan n. -A i Un A (Suc i))) = {}" + "A 0 \ (-(A n) \ (\i \ lessThan n. -A i \ A (Suc i))) = {}" by (blast intro: gr0I dest: INT_Un_Compl_subset [THEN subsetD]) (*Reverse direction makes it harder to invoke the ind hyp*) lemma INT_le_equals_Int: - "(INT i: atMost n. A i) = - A 0 Int (INT i: lessThan n. -A i Un A(Suc i))" + "(\i \ atMost n. A i) = + A 0 \ (\i \ lessThan n. -A i \ A(Suc i))" apply (induct_tac "n", simp) apply (simp add: Int_ac Int_Un_distrib Int_Un_distrib2 INT_le_equals_Int_lemma lessThan_Suc atMost_Suc) done lemma INT_le_Suc_equals_Int: - "(INT i: atMost (Suc n). A i) = - A 0 Int (INT i: atMost n. -A i Un A(Suc i))" + "(\i \ atMost (Suc n). A i) = + A 0 \ (\i \ atMost n. -A i \ A(Suc i))" by (simp add: lessThan_Suc_atMost INT_le_equals_Int) (*The final deadlock example*) lemma - assumes zeroprem: "F : (A 0 Int A (Suc n)) co (A 0)" + assumes zeroprem: "F \ (A 0 \ A (Suc n)) co (A 0)" and allprem: - "!!i. i: atMost n ==> F : (A(Suc i) Int A i) co (-A i Un A(Suc i))" - shows "F : stable (INT i: atMost (Suc n). A i)" + "!!i. i \ atMost n ==> F \ (A(Suc i) \ A i) co (-A i \ A(Suc i))" + shows "F \ stable (\i \ atMost (Suc n). A i)" apply (unfold stable_def) apply (rule constrains_Int [THEN constrains_weaken]) apply (rule zeroprem) diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Lift.thy --- a/src/HOL/UNITY/Simple/Lift.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Lift.thy Wed Feb 05 13:35:32 2003 +0100 @@ -21,26 +21,26 @@ Max :: "int" (*least and greatest floors*) axioms - Min_le_Max [iff]: "Min <= Max" + Min_le_Max [iff]: "Min \ Max" constdefs (** Abbreviations: the "always" part **) above :: "state set" - "above == {s. EX i. floor s < i & i <= Max & i : req s}" + "above == {s. \i. floor s < i & i \ Max & i \ req s}" below :: "state set" - "below == {s. EX i. Min <= i & i < floor s & i : req s}" + "below == {s. \i. Min \ i & i < floor s & i \ req s}" queueing :: "state set" - "queueing == above Un below" + "queueing == above \ below" goingup :: "state set" - "goingup == above Int ({s. up s} Un -below)" + "goingup == above \ ({s. up s} \ -below)" goingdown :: "state set" - "goingdown == below Int ({s. ~ up s} Un -above)" + "goingdown == below \ ({s. ~ up s} \ -above)" ready :: "state set" "ready == {s. stop s & ~ open s & move s}" @@ -63,7 +63,7 @@ "atFloor n == {s. floor s = n}" Req :: "int => state set" - "Req n == {s. n : req s}" + "Req n == {s. n \ req s}" @@ -71,15 +71,15 @@ request_act :: "(state*state) set" "request_act == {(s,s'). s' = s (|stop:=True, move:=False|) - & ~ stop s & floor s : req s}" + & ~ stop s & floor s \ req s}" open_act :: "(state*state) set" "open_act == {(s,s'). s' = s (|open :=True, req := req s - {floor s}, move := True|) - & stop s & ~ open s & floor s : req s - & ~(move s & s: queueing)}" + & stop s & ~ open s & floor s \ req s + & ~(move s & s \ queueing)}" close_act :: "(state*state) set" "close_act == {(s,s'). s' = s (|open := False|) & open s}" @@ -89,24 +89,24 @@ {(s,s'). s' = s (|stop :=False, floor := floor s + 1, up := True|) - & s : (ready Int goingup)}" + & s \ (ready \ goingup)}" req_down :: "(state*state) set" "req_down == {(s,s'). s' = s (|stop :=False, floor := floor s - 1, up := False|) - & s : (ready Int goingdown)}" + & s \ (ready \ goingdown)}" move_up :: "(state*state) set" "move_up == {(s,s'). s' = s (|floor := floor s + 1|) - & ~ stop s & up s & floor s ~: req s}" + & ~ stop s & up s & floor s \ req s}" move_down :: "(state*state) set" "move_down == {(s,s'). s' = s (|floor := floor s - 1|) - & ~ stop s & ~ up s & floor s ~: req s}" + & ~ stop s & ~ up s & floor s \ req s}" (*This action is omitted from prior treatments, which therefore are unrealistic: nobody asks the lift to do anything! But adding this @@ -114,8 +114,8 @@ "ensures" properties fail.*) button_press :: "(state*state) set" "button_press == - {(s,s'). EX n. s' = s (|req := insert n (req s)|) - & Min <= n & n <= Max}" + {(s,s'). \n. s' = s (|req := insert n (req s)|) + & Min \ n & n \ Max}" Lift :: "state program" @@ -130,7 +130,7 @@ (** Invariants **) bounded :: "state set" - "bounded == {s. Min <= floor s & floor s <= Max}" + "bounded == {s. Min \ floor s & floor s \ Max}" open_stop :: "state set" "open_stop == {s. open s --> stop s}" @@ -139,15 +139,15 @@ "open_move == {s. open s --> move s}" stop_floor :: "state set" - "stop_floor == {s. stop s & ~ move s --> floor s : req s}" + "stop_floor == {s. stop s & ~ move s --> floor s \ req s}" moving_up :: "state set" "moving_up == {s. ~ stop s & up s --> - (EX f. floor s <= f & f <= Max & f : req s)}" + (\f. floor s \ f & f \ Max & f \ req s)}" moving_down :: "state set" "moving_down == {s. ~ stop s & ~ up s --> - (EX f. Min <= f & f <= floor s & f : req s)}" + (\f. Min \ f & f \ floor s & f \ req s)}" metric :: "[int,state] => int" "metric == @@ -160,10 +160,10 @@ locale Floor = fixes n - assumes Min_le_n [iff]: "Min <= n" - and n_le_Max [iff]: "n <= Max" + assumes Min_le_n [iff]: "Min \ n" + and n_le_Max [iff]: "n \ Max" -lemma not_mem_distinct: "[| x ~: A; y : A |] ==> x ~= y" +lemma not_mem_distinct: "[| x \ A; y \ A |] ==> x \ y" by blast @@ -194,36 +194,36 @@ moving_up_def [simp] moving_down_def [simp] -lemma open_stop: "Lift : Always open_stop" +lemma open_stop: "Lift \ Always open_stop" apply (rule AlwaysI, force) apply (unfold Lift_def, constrains) done -lemma stop_floor: "Lift : Always stop_floor" +lemma stop_floor: "Lift \ Always stop_floor" apply (rule AlwaysI, force) apply (unfold Lift_def, constrains) done (*This one needs open_stop, which was proved above*) -lemma open_move: "Lift : Always open_move" +lemma open_move: "Lift \ Always open_move" apply (cut_tac open_stop) apply (rule AlwaysI, force) apply (unfold Lift_def, constrains) done -lemma moving_up: "Lift : Always moving_up" +lemma moving_up: "Lift \ Always moving_up" apply (rule AlwaysI, force) apply (unfold Lift_def, constrains) apply (auto dest: zle_imp_zless_or_eq simp add: add1_zle_eq) done -lemma moving_down: "Lift : Always moving_down" +lemma moving_down: "Lift \ Always moving_down" apply (rule AlwaysI, force) apply (unfold Lift_def, constrains) apply (blast dest: zle_imp_zless_or_eq) done -lemma bounded: "Lift : Always bounded" +lemma bounded: "Lift \ Always bounded" apply (cut_tac moving_up moving_down) apply (rule AlwaysI, force) apply (unfold Lift_def, constrains, auto) @@ -244,24 +244,24 @@ (** The HUG'93 paper mistakenly omits the Req n from these! **) (** Lift_1 **) -lemma E_thm01: "Lift : (stopped Int atFloor n) LeadsTo (opened Int atFloor n)" +lemma E_thm01: "Lift \ (stopped \ atFloor n) LeadsTo (opened \ atFloor n)" apply (cut_tac stop_floor) apply (unfold Lift_def, ensures_tac "open_act") done (*lem_lift_1_5*) -lemma E_thm02: "Lift : (Req n Int stopped - atFloor n) LeadsTo - (Req n Int opened - atFloor n)" +lemma E_thm02: "Lift \ (Req n \ stopped - atFloor n) LeadsTo + (Req n \ opened - atFloor n)" apply (cut_tac stop_floor) apply (unfold Lift_def, ensures_tac "open_act") done (*lem_lift_1_1*) -lemma E_thm03: "Lift : (Req n Int opened - atFloor n) LeadsTo - (Req n Int closed - (atFloor n - queueing))" +lemma E_thm03: "Lift \ (Req n \ opened - atFloor n) LeadsTo + (Req n \ closed - (atFloor n - queueing))" apply (unfold Lift_def, ensures_tac "close_act") done (*lem_lift_1_2*) -lemma E_thm04: "Lift : (Req n Int closed Int (atFloor n - queueing)) - LeadsTo (opened Int atFloor n)" +lemma E_thm04: "Lift \ (Req n \ closed \ (atFloor n - queueing)) + LeadsTo (opened \ atFloor n)" apply (unfold Lift_def, ensures_tac "open_act") done (*lem_lift_1_7*) @@ -283,14 +283,14 @@ NOT an ensures_tac property, but a mere inclusion don't know why script lift_2.uni says ENSURES*) lemma (in Floor) E_thm05c: - "Lift : (Req n Int closed - (atFloor n - queueing)) - LeadsTo ((closed Int goingup Int Req n) Un - (closed Int goingdown Int Req n))" + "Lift \ (Req n \ closed - (atFloor n - queueing)) + LeadsTo ((closed \ goingup \ Req n) \ + (closed \ goingdown \ Req n))" by (auto intro!: subset_imp_LeadsTo elim!: int_neqE) (*lift_2*) -lemma (in Floor) lift_2: "Lift : (Req n Int closed - (atFloor n - queueing)) - LeadsTo (moving Int Req n)" +lemma (in Floor) lift_2: "Lift \ (Req n \ closed - (atFloor n - queueing)) + LeadsTo (moving \ Req n)" apply (rule LeadsTo_Trans [OF E_thm05c LeadsTo_Un]) apply (unfold Lift_def) apply (ensures_tac [2] "req_down") @@ -306,13 +306,13 @@ (*lem_lift_4_1 *) lemma (in Floor) E_thm12a: "0 < N ==> - Lift : (moving Int Req n Int {s. metric n s = N} Int - {s. floor s ~: req s} Int {s. up s}) + Lift \ (moving \ Req n \ {s. metric n s = N} \ + {s. floor s \ req s} \ {s. up s}) LeadsTo - (moving Int Req n Int {s. metric n s < N})" + (moving \ Req n \ {s. metric n s < N})" apply (cut_tac moving_up) apply (unfold Lift_def, ensures_tac "move_up", safe) -(*this step consolidates two formulae to the goal metric n s' <= metric n s*) +(*this step consolidates two formulae to the goal metric n s' \ metric n s*) apply (erule linorder_leI [THEN order_antisym, symmetric]) apply (auto simp add: metric_def) done @@ -320,21 +320,21 @@ (*lem_lift_4_3 *) lemma (in Floor) E_thm12b: "0 < N ==> - Lift : (moving Int Req n Int {s. metric n s = N} Int - {s. floor s ~: req s} - {s. up s}) - LeadsTo (moving Int Req n Int {s. metric n s < N})" + Lift \ (moving \ Req n \ {s. metric n s = N} \ + {s. floor s \ req s} - {s. up s}) + LeadsTo (moving \ Req n \ {s. metric n s < N})" apply (cut_tac moving_down) apply (unfold Lift_def, ensures_tac "move_down", safe) -(*this step consolidates two formulae to the goal metric n s' <= metric n s*) +(*this step consolidates two formulae to the goal metric n s' \ metric n s*) apply (erule linorder_leI [THEN order_antisym, symmetric]) apply (auto simp add: metric_def) done (*lift_4*) lemma (in Floor) lift_4: - "0 Lift : (moving Int Req n Int {s. metric n s = N} Int - {s. floor s ~: req s}) LeadsTo - (moving Int Req n Int {s. metric n s < N})" + "0 Lift \ (moving \ Req n \ {s. metric n s = N} \ + {s. floor s \ req s}) LeadsTo + (moving \ Req n \ {s. metric n s < N})" apply (rule LeadsTo_Trans [OF subset_imp_LeadsTo LeadsTo_Un [OF E_thm12a E_thm12b]], auto) done @@ -344,8 +344,8 @@ (*lem_lift_5_3*) lemma (in Floor) E_thm16a: "0 Lift : (closed Int Req n Int {s. metric n s = N} Int goingup) LeadsTo - (moving Int Req n Int {s. metric n s < N})" + ==> Lift \ (closed \ Req n \ {s. metric n s = N} \ goingup) LeadsTo + (moving \ Req n \ {s. metric n s < N})" apply (cut_tac bounded) apply (unfold Lift_def, ensures_tac "req_up") apply (auto simp add: metric_def) @@ -354,8 +354,8 @@ (*lem_lift_5_1 has ~goingup instead of goingdown*) lemma (in Floor) E_thm16b: "0 - Lift : (closed Int Req n Int {s. metric n s = N} Int goingdown) LeadsTo - (moving Int Req n Int {s. metric n s < N})" + Lift \ (closed \ Req n \ {s. metric n s = N} \ goingdown) LeadsTo + (moving \ Req n \ {s. metric n s < N})" apply (cut_tac bounded) apply (unfold Lift_def, ensures_tac "req_down") apply (auto simp add: metric_def) @@ -365,14 +365,14 @@ (*lem_lift_5_0 proves an intersection involving ~goingup and goingup, i.e. the trivial disjunction, leading to an asymmetrical proof.*) lemma (in Floor) E_thm16c: - "0 Req n Int {s. metric n s = N} <= goingup Un goingdown" + "0 Req n \ {s. metric n s = N} \ goingup \ goingdown" by (force simp add: metric_def) (*lift_5*) lemma (in Floor) lift_5: - "0 Lift : (closed Int Req n Int {s. metric n s = N}) LeadsTo - (moving Int Req n Int {s. metric n s < N})" + "0 Lift \ (closed \ Req n \ {s. metric n s = N}) LeadsTo + (moving \ Req n \ {s. metric n s < N})" apply (rule LeadsTo_Trans [OF subset_imp_LeadsTo LeadsTo_Un [OF E_thm16a E_thm16b]]) apply (drule E_thm16c, auto) @@ -383,37 +383,37 @@ (*lemma used to prove lem_lift_3_1*) lemma (in Floor) metric_eq_0D [dest]: - "[| metric n s = 0; Min <= floor s; floor s <= Max |] ==> floor s = n" + "[| metric n s = 0; Min \ floor s; floor s \ Max |] ==> floor s = n" by (force simp add: metric_def) (*lem_lift_3_1*) -lemma (in Floor) E_thm11: "Lift : (moving Int Req n Int {s. metric n s = 0}) LeadsTo - (stopped Int atFloor n)" +lemma (in Floor) E_thm11: "Lift \ (moving \ Req n \ {s. metric n s = 0}) LeadsTo + (stopped \ atFloor n)" apply (cut_tac bounded) apply (unfold Lift_def, ensures_tac "request_act", auto) done (*lem_lift_3_5*) lemma (in Floor) E_thm13: - "Lift : (moving Int Req n Int {s. metric n s = N} Int {s. floor s : req s}) - LeadsTo (stopped Int Req n Int {s. metric n s = N} Int {s. floor s : req s})" + "Lift \ (moving \ Req n \ {s. metric n s = N} \ {s. floor s \ req s}) + LeadsTo (stopped \ Req n \ {s. metric n s = N} \ {s. floor s \ req s})" apply (unfold Lift_def, ensures_tac "request_act") apply (auto simp add: metric_def) done (*lem_lift_3_6*) lemma (in Floor) E_thm14: "0 < N ==> - Lift : - (stopped Int Req n Int {s. metric n s = N} Int {s. floor s : req s}) - LeadsTo (opened Int Req n Int {s. metric n s = N})" + Lift \ + (stopped \ Req n \ {s. metric n s = N} \ {s. floor s \ req s}) + LeadsTo (opened \ Req n \ {s. metric n s = N})" apply (unfold Lift_def, ensures_tac "open_act") apply (auto simp add: metric_def) done (*lem_lift_3_7*) -lemma (in Floor) E_thm15: "Lift : (opened Int Req n Int {s. metric n s = N}) - LeadsTo (closed Int Req n Int {s. metric n s = N})" +lemma (in Floor) E_thm15: "Lift \ (opened \ Req n \ {s. metric n s = N}) + LeadsTo (closed \ Req n \ {s. metric n s = N})" apply (unfold Lift_def, ensures_tac "close_act") apply (auto simp add: metric_def) done @@ -422,15 +422,15 @@ (** the final steps **) lemma (in Floor) lift_3_Req: "0 < N ==> - Lift : - (moving Int Req n Int {s. metric n s = N} Int {s. floor s : req s}) - LeadsTo (moving Int Req n Int {s. metric n s < N})" + Lift \ + (moving \ Req n \ {s. metric n s = N} \ {s. floor s \ req s}) + LeadsTo (moving \ Req n \ {s. metric n s < N})" apply (blast intro!: E_thm13 E_thm14 E_thm15 lift_5 intro: LeadsTo_Trans) done (*Now we observe that our integer metric is really a natural number*) -lemma (in Floor) Always_nonneg: "Lift : Always {s. 0 <= metric n s}" +lemma (in Floor) Always_nonneg: "Lift \ Always {s. 0 \ metric n s}" apply (rule bounded [THEN Always_weaken]) apply (auto simp add: metric_def) done @@ -438,10 +438,10 @@ lemmas (in Floor) R_thm11 = Always_LeadsTo_weaken [OF Always_nonneg E_thm11] lemma (in Floor) lift_3: - "Lift : (moving Int Req n) LeadsTo (stopped Int atFloor n)" + "Lift \ (moving \ Req n) LeadsTo (stopped \ atFloor n)" apply (rule Always_nonneg [THEN integ_0_le_induct]) apply (case_tac "0 < z") -(*If z <= 0 then actually z = 0*) +(*If z \ 0 then actually z = 0*) prefer 2 apply (force intro: R_thm11 order_antisym simp add: linorder_not_less) apply (rule LeadsTo_weaken_R [OF asm_rl Un_upper1]) apply (rule LeadsTo_Trans [OF subset_imp_LeadsTo @@ -449,7 +449,7 @@ done -lemma (in Floor) lift_1: "Lift : (Req n) LeadsTo (opened Int atFloor n)" +lemma (in Floor) lift_1: "Lift \ (Req n) LeadsTo (opened \ atFloor n)" apply (rule LeadsTo_Trans) prefer 2 apply (rule LeadsTo_Un [OF E_thm04 LeadsTo_Un_post]) diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Mutex.thy --- a/src/HOL/UNITY/Simple/Mutex.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Mutex.thy Wed Feb 05 13:35:32 2003 +0100 @@ -62,16 +62,16 @@ (** The correct invariants **) IU :: "state set" - "IU == {s. (u s = (1 <= m s & m s <= 3)) & (m s = 3 --> ~ p s)}" + "IU == {s. (u s = (1 \ m s & m s \ 3)) & (m s = 3 --> ~ p s)}" IV :: "state set" - "IV == {s. (v s = (1 <= n s & n s <= 3)) & (n s = 3 --> p s)}" + "IV == {s. (v s = (1 \ n s & n s \ 3)) & (n s = 3 --> p s)}" (** The faulty invariant (for U alone) **) bad_IU :: "state set" - "bad_IU == {s. (u s = (1 <= m s & m s <= 3)) & - (3 <= m s & m s <= 4 --> ~ p s)}" + "bad_IU == {s. (u s = (1 \ m s & m s \ 3)) & + (3 \ m s & m s \ 4 --> ~ p s)}" declare Mutex_def [THEN def_prg_Init, simp] @@ -91,26 +91,26 @@ declare IV_def [THEN def_set_simp, simp] declare bad_IU_def [THEN def_set_simp, simp] -lemma IU: "Mutex : Always IU" +lemma IU: "Mutex \ Always IU" apply (rule AlwaysI, force) apply (unfold Mutex_def, constrains) done -lemma IV: "Mutex : Always IV" +lemma IV: "Mutex \ Always IV" apply (rule AlwaysI, force) apply (unfold Mutex_def, constrains) done (*The safety property: mutual exclusion*) -lemma mutual_exclusion: "Mutex : Always {s. ~ (m s = 3 & n s = 3)}" +lemma mutual_exclusion: "Mutex \ Always {s. ~ (m s = 3 & n s = 3)}" apply (rule Always_weaken) apply (rule Always_Int_I [OF IU IV], auto) done (*The bad invariant FAILS in V1*) -lemma "Mutex : Always bad_IU" +lemma "Mutex \ Always bad_IU" apply (rule AlwaysI, force) apply (unfold Mutex_def, constrains, auto) (*Resulting state: n=1, p=false, m=4, u=false. @@ -119,90 +119,90 @@ oops -lemma eq_123: "((1::int) <= i & i <= 3) = (i = 1 | i = 2 | i = 3)" +lemma eq_123: "((1::int) \ i & i \ 3) = (i = 1 | i = 2 | i = 3)" by arith (*** Progress for U ***) -lemma U_F0: "Mutex : {s. m s=2} Unless {s. m s=3}" +lemma U_F0: "Mutex \ {s. m s=2} Unless {s. m s=3}" by (unfold Unless_def Mutex_def, constrains) -lemma U_F1: "Mutex : {s. m s=1} LeadsTo {s. p s = v s & m s = 2}" -by (unfold Mutex_def, ensures_tac "U1") +lemma U_F1: "Mutex \ {s. m s=1} LeadsTo {s. p s = v s & m s = 2}" +by (unfold Mutex_def, ensures_tac U1) -lemma U_F2: "Mutex : {s. ~ p s & m s = 2} LeadsTo {s. m s = 3}" +lemma U_F2: "Mutex \ {s. ~ p s & m s = 2} LeadsTo {s. m s = 3}" apply (cut_tac IU) apply (unfold Mutex_def, ensures_tac U2) done -lemma U_F3: "Mutex : {s. m s = 3} LeadsTo {s. p s}" +lemma U_F3: "Mutex \ {s. m s = 3} LeadsTo {s. p s}" apply (rule_tac B = "{s. m s = 4}" in LeadsTo_Trans) apply (unfold Mutex_def) apply (ensures_tac U3) apply (ensures_tac U4) done -lemma U_lemma2: "Mutex : {s. m s = 2} LeadsTo {s. p s}" +lemma U_lemma2: "Mutex \ {s. m s = 2} LeadsTo {s. p s}" apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L Int_lower2 [THEN subset_imp_LeadsTo]]) apply (rule LeadsTo_Trans [OF U_F2 U_F3], auto) done -lemma U_lemma1: "Mutex : {s. m s = 1} LeadsTo {s. p s}" +lemma U_lemma1: "Mutex \ {s. m s = 1} LeadsTo {s. p s}" by (rule LeadsTo_Trans [OF U_F1 [THEN LeadsTo_weaken_R] U_lemma2], blast) -lemma U_lemma123: "Mutex : {s. 1 <= m s & m s <= 3} LeadsTo {s. p s}" +lemma U_lemma123: "Mutex \ {s. 1 \ m s & m s \ 3} LeadsTo {s. p s}" by (simp add: eq_123 Collect_disj_eq LeadsTo_Un_distrib U_lemma1 U_lemma2 U_F3) (*Misra's F4*) -lemma u_Leadsto_p: "Mutex : {s. u s} LeadsTo {s. p s}" +lemma u_Leadsto_p: "Mutex \ {s. u s} LeadsTo {s. p s}" by (rule Always_LeadsTo_weaken [OF IU U_lemma123], auto) (*** Progress for V ***) -lemma V_F0: "Mutex : {s. n s=2} Unless {s. n s=3}" +lemma V_F0: "Mutex \ {s. n s=2} Unless {s. n s=3}" by (unfold Unless_def Mutex_def, constrains) -lemma V_F1: "Mutex : {s. n s=1} LeadsTo {s. p s = (~ u s) & n s = 2}" +lemma V_F1: "Mutex \ {s. n s=1} LeadsTo {s. p s = (~ u s) & n s = 2}" by (unfold Mutex_def, ensures_tac "V1") -lemma V_F2: "Mutex : {s. p s & n s = 2} LeadsTo {s. n s = 3}" +lemma V_F2: "Mutex \ {s. p s & n s = 2} LeadsTo {s. n s = 3}" apply (cut_tac IV) apply (unfold Mutex_def, ensures_tac "V2") done -lemma V_F3: "Mutex : {s. n s = 3} LeadsTo {s. ~ p s}" +lemma V_F3: "Mutex \ {s. n s = 3} LeadsTo {s. ~ p s}" apply (rule_tac B = "{s. n s = 4}" in LeadsTo_Trans) apply (unfold Mutex_def) apply (ensures_tac V3) apply (ensures_tac V4) done -lemma V_lemma2: "Mutex : {s. n s = 2} LeadsTo {s. ~ p s}" +lemma V_lemma2: "Mutex \ {s. n s = 2} LeadsTo {s. ~ p s}" apply (rule LeadsTo_Diff [OF LeadsTo_weaken_L Int_lower2 [THEN subset_imp_LeadsTo]]) apply (rule LeadsTo_Trans [OF V_F2 V_F3], auto) done -lemma V_lemma1: "Mutex : {s. n s = 1} LeadsTo {s. ~ p s}" +lemma V_lemma1: "Mutex \ {s. n s = 1} LeadsTo {s. ~ p s}" by (rule LeadsTo_Trans [OF V_F1 [THEN LeadsTo_weaken_R] V_lemma2], blast) -lemma V_lemma123: "Mutex : {s. 1 <= n s & n s <= 3} LeadsTo {s. ~ p s}" +lemma V_lemma123: "Mutex \ {s. 1 \ n s & n s \ 3} LeadsTo {s. ~ p s}" by (simp add: eq_123 Collect_disj_eq LeadsTo_Un_distrib V_lemma1 V_lemma2 V_F3) (*Misra's F4*) -lemma v_Leadsto_not_p: "Mutex : {s. v s} LeadsTo {s. ~ p s}" +lemma v_Leadsto_not_p: "Mutex \ {s. v s} LeadsTo {s. ~ p s}" by (rule Always_LeadsTo_weaken [OF IV V_lemma123], auto) (** Absence of starvation **) (*Misra's F6*) -lemma m1_Leadsto_3: "Mutex : {s. m s = 1} LeadsTo {s. m s = 3}" +lemma m1_Leadsto_3: "Mutex \ {s. m s = 1} LeadsTo {s. m s = 3}" apply (rule LeadsTo_cancel2 [THEN LeadsTo_Un_duplicate]) apply (rule_tac [2] U_F2) apply (simp add: Collect_conj_eq) @@ -213,7 +213,7 @@ done (*The same for V*) -lemma n1_Leadsto_3: "Mutex : {s. n s = 1} LeadsTo {s. n s = 3}" +lemma n1_Leadsto_3: "Mutex \ {s. n s = 1} LeadsTo {s. n s = 3}" apply (rule LeadsTo_cancel2 [THEN LeadsTo_Un_duplicate]) apply (rule_tac [2] V_F2) apply (simp add: Collect_conj_eq) diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Network.thy --- a/src/HOL/UNITY/Simple/Network.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Network.thy Wed Feb 05 13:35:32 2003 +0100 @@ -20,13 +20,13 @@ locale F_props = fixes F - assumes rsA: "F : stable {s. s(Bproc,Rcvd) <= s(Aproc,Sent)}" - and rsB: "F : stable {s. s(Aproc,Rcvd) <= s(Bproc,Sent)}" - and sent_nondec: "F : stable {s. m <= s(proc,Sent)}" - and rcvd_nondec: "F : stable {s. n <= s(proc,Rcvd)}" - and rcvd_idle: "F : {s. s(proc,Idle) = Suc 0 & s(proc,Rcvd) = m} + assumes rsA: "F \ stable {s. s(Bproc,Rcvd) \ s(Aproc,Sent)}" + and rsB: "F \ stable {s. s(Aproc,Rcvd) \ s(Bproc,Sent)}" + and sent_nondec: "F \ stable {s. m \ s(proc,Sent)}" + and rcvd_nondec: "F \ stable {s. n \ s(proc,Rcvd)}" + and rcvd_idle: "F \ {s. s(proc,Idle) = Suc 0 & s(proc,Rcvd) = m} co {s. s(proc,Rcvd) = m --> s(proc,Idle) = Suc 0}" - and sent_idle: "F : {s. s(proc,Idle) = Suc 0 & s(proc,Sent) = n} + and sent_idle: "F \ {s. s(proc,Idle) = Suc 0 & s(proc,Sent) = n} co {s. s(proc,Sent) = n}" @@ -51,7 +51,7 @@ idle_AB] lemma (in F_props) - shows "F : stable {s. s(Aproc,Idle) = Suc 0 & s(Bproc,Idle) = Suc 0 & + shows "F \ stable {s. s(Aproc,Idle) = Suc 0 & s(Bproc,Idle) = Suc 0 & s(Aproc,Sent) = s(Bproc,Rcvd) & s(Bproc,Sent) = s(Aproc,Rcvd) & s(Aproc,Rcvd) = m & s(Bproc,Rcvd) = n}" @@ -60,7 +60,7 @@ apply (drule constrains_Int [OF rs_AB [unfolded stable_def] nondec_idle, THEN constrainsD], assumption) apply simp_all -apply (blast intro!: order_refl del: le0, clarify) +apply (blast del: le0, clarify) apply (subgoal_tac "s' (Aproc, Rcvd) = s (Aproc, Rcvd)") apply (subgoal_tac "s' (Bproc, Rcvd) = s (Bproc, Rcvd)") apply simp diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Reach.thy --- a/src/HOL/UNITY/Simple/Reach.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Reach.thy Wed Feb 05 13:35:32 2003 +0100 @@ -24,13 +24,13 @@ "asgt u v == {(s,s'). s' = s(v:= s u | s v)}" Rprg :: "state program" - "Rprg == mk_program ({%v. v=init}, UN (u,v): edges. {asgt u v}, UNIV)" + "Rprg == mk_program ({%v. v=init}, \(u,v)\edges. {asgt u v}, UNIV)" reach_invariant :: "state set" - "reach_invariant == {s. (ALL v. s v --> (init, v) : edges^*) & s init}" + "reach_invariant == {s. (\v. s v --> (init, v) \ edges^*) & s init}" fixedpoint :: "state set" - "fixedpoint == {s. ALL (u,v): edges. s u --> s v}" + "fixedpoint == {s. \(u,v)\edges. s u --> s v}" metric :: "state => nat" "metric s == card {v. ~ s v}" @@ -60,7 +60,7 @@ declare reach_invariant_def [THEN def_set_simp, simp] -lemma reach_invariant: "Rprg : Always reach_invariant" +lemma reach_invariant: "Rprg \ Always reach_invariant" apply (rule AlwaysI, force) apply (unfold Rprg_def, constrains) apply (blast intro: rtrancl_trans) @@ -71,7 +71,7 @@ (*If it reaches a fixedpoint, it has found a solution*) lemma fixedpoint_invariant_correct: - "fixedpoint Int reach_invariant = { %v. (init, v) : edges^* }" + "fixedpoint \ reach_invariant = { %v. (init, v) \ edges^* }" apply (unfold fixedpoint_def) apply (rule equalityI) apply (auto intro!: ext) @@ -80,7 +80,7 @@ done lemma lemma1: - "FP Rprg <= fixedpoint" + "FP Rprg \ fixedpoint" apply (unfold FP_def fixedpoint_def stable_def constrains_def Rprg_def, auto) apply (drule bspec, assumption) apply (simp add: Image_singleton image_iff) @@ -88,7 +88,7 @@ done lemma lemma2: - "fixedpoint <= FP Rprg" + "fixedpoint \ FP Rprg" apply (unfold FP_def fixedpoint_def stable_def constrains_def Rprg_def) apply (auto intro!: ext) done @@ -103,16 +103,15 @@ a LEADSTO assertion that the metric decreases if we are not at a fixedpoint. *) -lemma Compl_fixedpoint: "- fixedpoint = (UN (u,v): edges. {s. s u & ~ s v})" -apply (simp add: Compl_FP UN_UN_flatten FP_fixedpoint [symmetric] Rprg_def, auto) +lemma Compl_fixedpoint: "- fixedpoint = (\(u,v)\edges. {s. s u & ~ s v})" +apply (auto simp add: Compl_FP UN_UN_flatten FP_fixedpoint [symmetric] Rprg_def) apply (rule fun_upd_idem, force) apply (force intro!: rev_bexI simp add: fun_upd_idem_iff) done lemma Diff_fixedpoint: - "A - fixedpoint = (UN (u,v): edges. A Int {s. s u & ~ s v})" -apply (simp add: Diff_eq Compl_fixedpoint, blast) -done + "A - fixedpoint = (\(u,v)\edges. A \ {s. s u & ~ s v})" +by (simp add: Diff_eq Compl_fixedpoint, blast) (*** Progress ***) @@ -127,13 +126,13 @@ lemma metric_less [intro!]: "~ s x ==> metric (s(x:=True)) < metric s" by (erule Suc_metric [THEN subst], blast) -lemma metric_le: "metric (s(y:=s x | s y)) <= metric s" +lemma metric_le: "metric (s(y:=s x | s y)) \ metric s" apply (case_tac "s x --> s y") apply (auto intro: less_imp_le simp add: fun_upd_idem) done lemma LeadsTo_Diff_fixedpoint: - "Rprg : ((metric-`{m}) - fixedpoint) LeadsTo (metric-`(lessThan m))" + "Rprg \ ((metric-`{m}) - fixedpoint) LeadsTo (metric-`(lessThan m))" apply (simp (no_asm) add: Diff_fixedpoint Rprg_def) apply (rule LeadsTo_UN, auto) apply (ensures_tac "asgt a b") @@ -144,19 +143,19 @@ done lemma LeadsTo_Un_fixedpoint: - "Rprg : (metric-`{m}) LeadsTo (metric-`(lessThan m) Un fixedpoint)" + "Rprg \ (metric-`{m}) LeadsTo (metric-`(lessThan m) \ fixedpoint)" apply (rule LeadsTo_Diff [OF LeadsTo_Diff_fixedpoint [THEN LeadsTo_weaken_R] subset_imp_LeadsTo], auto) done (*Execution in any state leads to a fixedpoint (i.e. can terminate)*) -lemma LeadsTo_fixedpoint: "Rprg : UNIV LeadsTo fixedpoint" +lemma LeadsTo_fixedpoint: "Rprg \ UNIV LeadsTo fixedpoint" apply (rule LessThan_induct, auto) apply (rule LeadsTo_Un_fixedpoint) done -lemma LeadsTo_correct: "Rprg : UNIV LeadsTo { %v. (init, v) : edges^* }" +lemma LeadsTo_correct: "Rprg \ UNIV LeadsTo { %v. (init, v) \ edges^* }" apply (subst fixedpoint_invariant_correct [symmetric]) apply (rule Always_LeadsTo_weaken [OF reach_invariant LeadsTo_fixedpoint], auto) done diff -r 3786b2fd6808 -r fd40c9d9076b src/HOL/UNITY/Simple/Reachability.thy --- a/src/HOL/UNITY/Simple/Reachability.thy Tue Feb 04 18:12:40 2003 +0100 +++ b/src/HOL/UNITY/Simple/Reachability.thy Wed Feb 05 13:35:32 2003 +0100 @@ -23,8 +23,8 @@ inductive "REACHABLE" intros - base: "v : V ==> ((v,v) : REACHABLE)" - step: "((u,v) : REACHABLE) & (v,w) : E ==> ((u,w) : REACHABLE)" + base: "v \ V ==> ((v,v) \ REACHABLE)" + step: "((u,v) \ REACHABLE) & (v,w) \ E ==> ((u,w) \ REACHABLE)" constdefs reachable :: "vertex => state set" @@ -37,65 +37,64 @@ "nmsg_gt k == %e. {s. k < nmsg s e}" nmsg_gte :: "nat => edge => state set" - "nmsg_gte k == %e. {s. k <= nmsg s e}" + "nmsg_gte k == %e. {s. k \ nmsg s e}" nmsg_lte :: "nat => edge => state set" - "nmsg_lte k == %e. {s. nmsg s e <= k}" - - + "nmsg_lte k == %e. {s. nmsg s e \ k}" final :: "state set" - "final == (INTER V (%v. reachable v <==> {s. (root, v) : REACHABLE})) Int (INTER E (nmsg_eq 0))" + "final == (\v\V. reachable v <==> {s. (root, v) \ REACHABLE}) \ + (INTER E (nmsg_eq 0))" axioms - Graph1: "root : V" + Graph1: "root \ V" - Graph2: "(v,w) : E ==> (v : V) & (w : V)" + Graph2: "(v,w) \ E ==> (v \ V) & (w \ V)" - MA1: "F : Always (reachable root)" + MA1: "F \ Always (reachable root)" - MA2: "v: V ==> F : Always (- reachable v Un {s. ((root,v) : REACHABLE)})" + MA2: "v \ V ==> F \ Always (- reachable v \ {s. ((root,v) \ REACHABLE)})" - MA3: "[|v:V;w:V|] ==> F : Always (-(nmsg_gt 0 (v,w)) Un (reachable v))" + MA3: "[|v \ V;w \ V|] ==> F \ Always (-(nmsg_gt 0 (v,w)) \ (reachable v))" - MA4: "(v,w) : E ==> - F : Always (-(reachable v) Un (nmsg_gt 0 (v,w)) Un (reachable w))" + MA4: "(v,w) \ E ==> + F \ Always (-(reachable v) \ (nmsg_gt 0 (v,w)) \ (reachable w))" - MA5: "[|v:V; w:V|] - ==> F : Always (nmsg_gte 0 (v,w) Int nmsg_lte (Suc 0) (v,w))" + MA5: "[|v \ V; w \ V|] + ==> F \ Always (nmsg_gte 0 (v,w) \ nmsg_lte (Suc 0) (v,w))" - MA6: "[|v:V|] ==> F : Stable (reachable v)" + MA6: "[|v \ V|] ==> F \ Stable (reachable v)" - MA6b: "[|v:V;w:W|] ==> F : Stable (reachable v Int nmsg_lte k (v,w))" + MA6b: "[|v \ V;w \ W|] ==> F \ Stable (reachable v \ nmsg_lte k (v,w))" - MA7: "[|v:V;w:V|] ==> F : UNIV LeadsTo nmsg_eq 0 (v,w)" + MA7: "[|v \ V;w \ V|] ==> F \ UNIV LeadsTo nmsg_eq 0 (v,w)" lemmas E_imp_in_V_L = Graph2 [THEN conjunct1, standard] lemmas E_imp_in_V_R = Graph2 [THEN conjunct2, standard] lemma lemma2: - "(v,w) : E ==> F : reachable v LeadsTo nmsg_eq 0 (v,w) Int reachable v" + "(v,w) \ E ==> F \ reachable v LeadsTo nmsg_eq 0 (v,w) \ reachable v" apply (rule MA7 [THEN PSP_Stable, THEN LeadsTo_weaken_L]) apply (rule_tac [3] MA6) apply (auto simp add: E_imp_in_V_L E_imp_in_V_R) done -lemma Induction_base: "(v,w) : E ==> F : reachable v LeadsTo reachable w" +lemma Induction_base: "(v,w) \ E ==> F \ reachable v LeadsTo reachable w" apply (rule MA4 [THEN Always_LeadsTo_weaken]) apply (rule_tac [2] lemma2) apply (auto simp add: nmsg_eq_def nmsg_gt_def) done lemma REACHABLE_LeadsTo_reachable: - "(v,w) : REACHABLE ==> F : reachable v LeadsTo reachable w" + "(v,w) \ REACHABLE ==> F \ reachable v LeadsTo reachable w" apply (erule REACHABLE.induct) apply (rule subset_imp_LeadsTo, blast) apply (blast intro: LeadsTo_Trans Induction_base) done -lemma Detects_part1: "F : {s. (root,v) : REACHABLE} LeadsTo reachable v" +lemma Detects_part1: "F \ {s. (root,v) \ REACHABLE} LeadsTo reachable v" apply (rule single_LeadsTo_I) apply (simp split add: split_if_asm) apply (rule MA1 [THEN Always_LeadsToI]) @@ -104,7 +103,7 @@ lemma Reachability_Detected: - "v : V ==> F : (reachable v) Detects {s. (root,v) : REACHABLE}" + "v \ V ==> F \ (reachable v) Detects {s. (root,v) \ REACHABLE}" apply (unfold Detects_def, auto) prefer 2 apply (blast intro: MA2 [THEN Always_weaken]) apply (rule Detects_part1 [THEN LeadsTo_weaken_L], blast) @@ -112,7 +111,7 @@ lemma LeadsTo_Reachability: - "v : V ==> F : UNIV LeadsTo (reachable v <==> {s. (root,v) : REACHABLE})" + "v \ V ==> F \ UNIV LeadsTo (reachable v <==> {s. (root,v) \ REACHABLE})" by (erule Reachability_Detected [THEN Detects_Imp_LeadstoEQ]) @@ -121,17 +120,15 @@ (* Some lemmas about <==> *) lemma Eq_lemma1: - "(reachable v <==> {s. (root,v) : REACHABLE}) = - {s. ((s : reachable v) = ((root,v) : REACHABLE))}" -apply (unfold Equality_def, blast) -done + "(reachable v <==> {s. (root,v) \ REACHABLE}) = + {s. ((s \ reachable v) = ((root,v) \ REACHABLE))}" +by (unfold Equality_def, blast) lemma Eq_lemma2: - "(reachable v <==> (if (root,v) : REACHABLE then UNIV else {})) = - {s. ((s : reachable v) = ((root,v) : REACHABLE))}" -apply (unfold Equality_def, auto) -done + "(reachable v <==> (if (root,v) \ REACHABLE then UNIV else {})) = + {s. ((s \ reachable v) = ((root,v) \ REACHABLE))}" +by (unfold Equality_def, auto) (* ------------------------------------ *) @@ -139,37 +136,37 @@ (* Some lemmas about final (I don't need all of them!) *) lemma final_lemma1: - "(INT v: V. INT w:V. {s. ((s : reachable v) = ((root,v) : REACHABLE)) & - s : nmsg_eq 0 (v,w)}) - <= final" + "(\v \ V. \