--- a/src/HOL/Algebra/Lattice.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Algebra/Lattice.thy Fri Jun 26 18:51:39 2015 +0200
@@ -589,7 +589,7 @@
lemma (in weak_upper_semilattice) finite_sup_insertI:
assumes P: "!!l. least L l (Upper L (insert x A)) ==> P l"
and xA: "finite A" "x \<in> carrier L" "A \<subseteq> carrier L"
- shows "P (\<Squnion> (insert x A))"
+ shows "P (\<Squnion>(insert x A))"
proof (cases "A = {}")
case True with P and xA show ?thesis
by (simp add: finite_sup_least)
@@ -828,7 +828,7 @@
lemma (in weak_lower_semilattice) finite_inf_insertI:
assumes P: "!!i. greatest L i (Lower L (insert x A)) ==> P i"
and xA: "finite A" "x \<in> carrier L" "A \<subseteq> carrier L"
- shows "P (\<Sqinter> (insert x A))"
+ shows "P (\<Sqinter>(insert x A))"
proof (cases "A = {}")
case True with P and xA show ?thesis
by (simp add: finite_inf_greatest)
@@ -856,7 +856,7 @@
lemma (in weak_lower_semilattice) inf_of_two_greatest:
"[| x \<in> carrier L; y \<in> carrier L |] ==>
- greatest L (\<Sqinter> {x, y}) (Lower L {x, y})"
+ greatest L (\<Sqinter>{x, y}) (Lower L {x, y})"
proof (unfold inf_def)
assume L: "x \<in> carrier L" "y \<in> carrier L"
with inf_of_two_exists obtain s where "greatest L s (Lower L {x, y})" by fast
@@ -904,8 +904,8 @@
proof -
(* FIXME: improved simp, see weak_join_assoc above *)
have "(x \<sqinter> y) \<sqinter> z = z \<sqinter> (x \<sqinter> y)" by (simp only: meet_comm)
- also from L have "... .= \<Sqinter> {z, x, y}" by (simp add: weak_meet_assoc_lemma)
- also from L have "... = \<Sqinter> {x, y, z}" by (simp add: insert_commute)
+ also from L have "... .= \<Sqinter>{z, x, y}" by (simp add: weak_meet_assoc_lemma)
+ also from L have "... = \<Sqinter>{x, y, z}" by (simp add: insert_commute)
also from L have "... .= x \<sqinter> (y \<sqinter> z)" by (simp add: weak_meet_assoc_lemma [symmetric])
finally show ?thesis by (simp add: L)
qed
@@ -1286,15 +1286,15 @@
next
fix B
assume "B \<subseteq> carrier ?L"
- then have "least ?L (\<Union> B) (Upper ?L B)"
+ then have "least ?L (\<Union>B) (Upper ?L B)"
by (fastforce intro!: least_UpperI simp: Upper_def)
then show "EX s. least ?L s (Upper ?L B)" ..
next
fix B
assume "B \<subseteq> carrier ?L"
- then have "greatest ?L (\<Inter> B \<inter> A) (Lower ?L B)"
- txt {* @{term "\<Inter> B"} is not the infimum of @{term B}:
- @{term "\<Inter> {} = UNIV"} which is in general bigger than @{term "A"}! *}
+ then have "greatest ?L (\<Inter>B \<inter> A) (Lower ?L B)"
+ txt {* @{term "\<Inter>B"} is not the infimum of @{term B}:
+ @{term "\<Inter>{} = UNIV"} which is in general bigger than @{term "A"}! *}
by (fastforce intro!: greatest_LowerI simp: Lower_def)
then show "EX i. greatest ?L i (Lower ?L B)" ..
qed
--- a/src/HOL/BNF_Cardinal_Order_Relation.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/BNF_Cardinal_Order_Relation.thy Fri Jun 26 18:51:39 2015 +0200
@@ -1051,10 +1051,10 @@
lemma card_of_UNION_ordLeq_infinite:
assumes INF: "\<not>finite B" and
LEQ_I: "|I| \<le>o |B|" and LEQ: "\<forall>i \<in> I. |A i| \<le>o |B|"
-shows "|\<Union> i \<in> I. A i| \<le>o |B|"
+shows "|\<Union>i \<in> I. A i| \<le>o |B|"
proof(cases "I = {}", simp add: card_of_empty)
assume *: "I \<noteq> {}"
- have "|\<Union> i \<in> I. A i| \<le>o |SIGMA i : I. A i|"
+ have "|\<Union>i \<in> I. A i| \<le>o |SIGMA i : I. A i|"
using card_of_UNION_Sigma by blast
moreover have "|SIGMA i : I. A i| \<le>o |B|"
using assms card_of_Sigma_ordLeq_infinite by blast
@@ -1064,14 +1064,14 @@
corollary card_of_UNION_ordLeq_infinite_Field:
assumes INF: "\<not>finite (Field r)" and r: "Card_order r" and
LEQ_I: "|I| \<le>o r" and LEQ: "\<forall>i \<in> I. |A i| \<le>o r"
-shows "|\<Union> i \<in> I. A i| \<le>o r"
+shows "|\<Union>i \<in> I. A i| \<le>o r"
proof-
let ?B = "Field r"
have 1: "r =o |?B| \<and> |?B| =o r" using r card_of_Field_ordIso
ordIso_symmetric by blast
hence "|I| \<le>o |?B|" "\<forall>i \<in> I. |A i| \<le>o |?B|"
using LEQ_I LEQ ordLeq_ordIso_trans by blast+
- hence "|\<Union> i \<in> I. A i| \<le>o |?B|" using INF LEQ
+ hence "|\<Union>i \<in> I. A i| \<le>o |?B|" using INF LEQ
card_of_UNION_ordLeq_infinite by blast
thus ?thesis using 1 ordLeq_ordIso_trans by blast
qed
--- a/src/HOL/BNF_Wellorder_Embedding.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/BNF_Wellorder_Embedding.thy Fri Jun 26 18:51:39 2015 +0200
@@ -26,7 +26,7 @@
assumes WELL: "Well_order r" and
OF: "\<And> i. i \<in> I \<Longrightarrow> wo_rel.ofilter r (A i)" and
INJ: "\<And> i. i \<in> I \<Longrightarrow> inj_on f (A i)"
-shows "inj_on f (\<Union> i \<in> I. A i)"
+shows "inj_on f (\<Union>i \<in> I. A i)"
proof-
have "wo_rel r" using WELL by (simp add: wo_rel_def)
hence "\<And> i j. \<lbrakk>i \<in> I; j \<in> I\<rbrakk> \<Longrightarrow> A i <= A j \<or> A j <= A i"
@@ -487,7 +487,7 @@
have Well': "wo_rel r'" using WELL' unfolding wo_rel_def .
have OF: "wo_rel.ofilter r (underS r a)"
by (auto simp add: Well wo_rel.underS_ofilter)
- hence UN: "underS r a = (\<Union> b \<in> underS r a. under r b)"
+ hence UN: "underS r a = (\<Union>b \<in> underS r a. under r b)"
using Well wo_rel.ofilter_under_UNION[of r "underS r a"] by blast
(* Gather facts about elements of underS r a *)
{fix b assume *: "b \<in> underS r a"
@@ -520,13 +520,13 @@
(* *)
have OF': "wo_rel.ofilter r' (f`(underS r a))"
proof-
- have "f`(underS r a) = f`(\<Union> b \<in> underS r a. under r b)"
+ have "f`(underS r a) = f`(\<Union>b \<in> underS r a. under r b)"
using UN by auto
- also have "\<dots> = (\<Union> b \<in> underS r a. f`(under r b))" by blast
- also have "\<dots> = (\<Union> b \<in> underS r a. (under r' (f b)))"
+ also have "\<dots> = (\<Union>b \<in> underS r a. f`(under r b))" by blast
+ also have "\<dots> = (\<Union>b \<in> underS r a. (under r' (f b)))"
using bFact by auto
finally
- have "f`(underS r a) = (\<Union> b \<in> underS r a. (under r' (f b)))" .
+ have "f`(underS r a) = (\<Union>b \<in> underS r a. (under r' (f b)))" .
thus ?thesis
using Well' bFact
wo_rel.ofilter_UNION[of r' "underS r a" "\<lambda> b. under r' (f b)"] by fastforce
--- a/src/HOL/BNF_Wellorder_Relation.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/BNF_Wellorder_Relation.thy Fri Jun 26 18:51:39 2015 +0200
@@ -478,20 +478,20 @@
qed
lemma ofilter_UNION:
-"(\<And> i. i \<in> I \<Longrightarrow> ofilter(A i)) \<Longrightarrow> ofilter (\<Union> i \<in> I. A i)"
+"(\<And> i. i \<in> I \<Longrightarrow> ofilter(A i)) \<Longrightarrow> ofilter (\<Union>i \<in> I. A i)"
unfolding ofilter_def by blast
lemma ofilter_under_UNION:
assumes "ofilter A"
-shows "A = (\<Union> a \<in> A. under a)"
+shows "A = (\<Union>a \<in> A. under a)"
proof
have "\<forall>a \<in> A. under a \<le> A"
using assms ofilter_def by auto
- thus "(\<Union> a \<in> A. under a) \<le> A" by blast
+ thus "(\<Union>a \<in> A. under a) \<le> A" by blast
next
have "\<forall>a \<in> A. a \<in> under a"
using REFL Refl_under_in[of r] assms ofilter_def[of A] by blast
- thus "A \<le> (\<Union> a \<in> A. under a)" by blast
+ thus "A \<le> (\<Union>a \<in> A. under a)" by blast
qed
subsubsection{* Other properties *}
--- a/src/HOL/Cardinals/Cardinal_Arithmetic.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Cardinals/Cardinal_Arithmetic.thy Fri Jun 26 18:51:39 2015 +0200
@@ -297,8 +297,8 @@
assumes "|A| \<le>o k" and "\<forall> a \<in> A. |vimage f {a}| \<le>o k" and "Cinfinite k"
shows "|vimage f A| \<le>o k"
proof-
- have "vimage f A = (\<Union> a \<in> A. vimage f {a})" by auto
- also have "|\<Union> a \<in> A. vimage f {a}| \<le>o k"
+ have "vimage f A = (\<Union>a \<in> A. vimage f {a})" by auto
+ also have "|\<Union>a \<in> A. vimage f {a}| \<le>o k"
using UNION_Cinfinite_bound[OF assms] .
finally show ?thesis .
qed
--- a/src/HOL/Cardinals/Cardinal_Order_Relation.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Cardinals/Cardinal_Order_Relation.thy Fri Jun 26 18:51:39 2015 +0200
@@ -715,7 +715,7 @@
lemma lists_def2: "lists A = {l. set l \<le> A}"
using in_listsI by blast
-lemma lists_UNION_nlists: "lists A = (\<Union> n. nlists A n)"
+lemma lists_UNION_nlists: "lists A = (\<Union>n. nlists A n)"
unfolding lists_def2 nlists_def by blast
lemma card_of_lists: "|A| \<le>o |lists A|"
@@ -1455,7 +1455,7 @@
unfolding Func_option_def Pfunc_def by auto
lemma Pfunc_Func_option:
-"Pfunc A B = (\<Union> A' \<in> Pow A. Func_option A' B)"
+"Pfunc A B = (\<Union>A' \<in> Pow A. Func_option A' B)"
proof safe
fix f assume f: "f \<in> Pfunc A B"
show "f \<in> (\<Union>A'\<in>Pow A. Func_option A' B)"
@@ -1504,7 +1504,7 @@
assumes "B \<noteq> {}"
shows "|Pfunc A B| \<le>o |Pow A <*> Func_option A B|"
proof-
- have "|Pfunc A B| =o |\<Union> A' \<in> Pow A. Func_option A' B|" (is "_ =o ?K")
+ have "|Pfunc A B| =o |\<Union>A' \<in> Pow A. Func_option A' B|" (is "_ =o ?K")
unfolding Pfunc_Func_option by(rule card_of_refl)
also have "?K \<le>o |Sigma (Pow A) (\<lambda> A'. Func_option A' B)|" using card_of_UNION_Sigma .
also have "|Sigma (Pow A) (\<lambda> A'. Func_option A' B)| \<le>o |Pow A <*> Func_option A B|"
@@ -1635,14 +1635,14 @@
qed
lemma relChain_stabilize:
-assumes rc: "relChain r As" and AsB: "(\<Union> i \<in> Field r. As i) \<subseteq> B" and Br: "|B| <o r"
+assumes rc: "relChain r As" and AsB: "(\<Union>i \<in> Field r. As i) \<subseteq> B" and Br: "|B| <o r"
and ir: "\<not>finite (Field r)" and cr: "Card_order r"
shows "\<exists> i \<in> Field r. As (succ r i) = As i"
proof(rule ccontr, auto)
have 0: "wo_rel r" and 00: "Well_order r"
unfolding wo_rel_def by (metis card_order_on_well_order_on cr)+
have L: "isLimOrd r" using ir cr by (metis card_order_infinite_isLimOrd)
- have AsBs: "(\<Union> i \<in> Field r. As (succ r i)) \<subseteq> B"
+ have AsBs: "(\<Union>i \<in> Field r. As (succ r i)) \<subseteq> B"
using AsB L apply safe by (metis "0" UN_I set_mp wo_rel.isLimOrd_succ)
assume As_s: "\<forall>i\<in>Field r. As (succ r i) \<noteq> As i"
have 1: "\<forall>i j. (i,j) \<in> r \<and> i \<noteq> j \<longrightarrow> As i \<subset> As j"
@@ -1719,7 +1719,7 @@
obtain j0 where j0: "j0 \<in> Field r" using Fi by auto
def g \<equiv> "\<lambda> a. if F a \<noteq> {} then gg a else j0"
have g: "\<forall> a \<in> A. \<forall> u \<in> F a. (f (a,u),g a) \<in> r" using gg unfolding g_def by auto
- hence 1: "Field r \<subseteq> (\<Union> a \<in> A. under r (g a))"
+ hence 1: "Field r \<subseteq> (\<Union>a \<in> A. under r (g a))"
using f[symmetric] unfolding under_def image_def by auto
have gA: "g ` A \<subseteq> Field r" using gg j0 unfolding Field_def g_def by auto
moreover have "cofinal (g ` A) r" unfolding cofinal_def proof safe
@@ -1751,10 +1751,10 @@
{assume Kr: "|K| <o r"
then obtain f where "\<forall> a \<in> Field r. f a \<in> K \<and> a \<noteq> f a \<and> (a, f a) \<in> r"
using cof unfolding cofinal_def by metis
- hence "Field r \<subseteq> (\<Union> a \<in> K. underS r a)" unfolding underS_def by auto
- hence "r \<le>o |\<Union> a \<in> K. underS r a|" using cr
+ hence "Field r \<subseteq> (\<Union>a \<in> K. underS r a)" unfolding underS_def by auto
+ hence "r \<le>o |\<Union>a \<in> K. underS r a|" using cr
by (metis Card_order_iff_ordLeq_card_of card_of_mono1 ordLeq_transitive)
- also have "|\<Union> a \<in> K. underS r a| \<le>o |SIGMA a: K. underS r a|" by (rule card_of_UNION_Sigma)
+ also have "|\<Union>a \<in> K. underS r a| \<le>o |SIGMA a: K. underS r a|" by (rule card_of_UNION_Sigma)
also
{have "\<forall> a \<in> K. |underS r a| <o r" using K by (metis card_of_underS cr subsetD)
hence "|SIGMA a: K. underS r a| <o r" using st Kr unfolding stable_def by auto
@@ -1818,9 +1818,9 @@
lemma stable_UNION:
assumes ST: "stable r" and A_LESS: "|A| <o r" and
F_LESS: "\<And> a. a \<in> A \<Longrightarrow> |F a| <o r"
-shows "|\<Union> a \<in> A. F a| <o r"
+shows "|\<Union>a \<in> A. F a| <o r"
proof-
- have "|\<Union> a \<in> A. F a| \<le>o |SIGMA a : A. F a|"
+ have "|\<Union>a \<in> A. F a| \<le>o |SIGMA a : A. F a|"
using card_of_UNION_Sigma by blast
thus ?thesis using assms stable_elim ordLeq_ordLess_trans by blast
qed
--- a/src/HOL/Cardinals/Order_Relation_More.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Cardinals/Order_Relation_More.thy Fri Jun 26 18:51:39 2015 +0200
@@ -133,12 +133,12 @@
lemma Refl_under_Under:
assumes REFL: "Refl r" and NE: "A \<noteq> {}"
-shows "Under r A = (\<Inter> a \<in> A. under r a)"
+shows "Under r A = (\<Inter>a \<in> A. under r a)"
proof
- show "Under r A \<subseteq> (\<Inter> a \<in> A. under r a)"
+ show "Under r A \<subseteq> (\<Inter>a \<in> A. under r a)"
by(unfold Under_def under_def, auto)
next
- show "(\<Inter> a \<in> A. under r a) \<subseteq> Under r A"
+ show "(\<Inter>a \<in> A. under r a) \<subseteq> Under r A"
proof(auto)
fix x
assume *: "\<forall>xa \<in> A. x \<in> under r xa"
@@ -157,12 +157,12 @@
lemma Refl_underS_UnderS:
assumes REFL: "Refl r" and NE: "A \<noteq> {}"
-shows "UnderS r A = (\<Inter> a \<in> A. underS r a)"
+shows "UnderS r A = (\<Inter>a \<in> A. underS r a)"
proof
- show "UnderS r A \<subseteq> (\<Inter> a \<in> A. underS r a)"
+ show "UnderS r A \<subseteq> (\<Inter>a \<in> A. underS r a)"
by(unfold UnderS_def underS_def, auto)
next
- show "(\<Inter> a \<in> A. underS r a) \<subseteq> UnderS r A"
+ show "(\<Inter>a \<in> A. underS r a) \<subseteq> UnderS r A"
proof(auto)
fix x
assume *: "\<forall>xa \<in> A. x \<in> underS r xa"
@@ -181,12 +181,12 @@
lemma Refl_above_Above:
assumes REFL: "Refl r" and NE: "A \<noteq> {}"
-shows "Above r A = (\<Inter> a \<in> A. above r a)"
+shows "Above r A = (\<Inter>a \<in> A. above r a)"
proof
- show "Above r A \<subseteq> (\<Inter> a \<in> A. above r a)"
+ show "Above r A \<subseteq> (\<Inter>a \<in> A. above r a)"
by(unfold Above_def above_def, auto)
next
- show "(\<Inter> a \<in> A. above r a) \<subseteq> Above r A"
+ show "(\<Inter>a \<in> A. above r a) \<subseteq> Above r A"
proof(auto)
fix x
assume *: "\<forall>xa \<in> A. x \<in> above r xa"
@@ -205,12 +205,12 @@
lemma Refl_aboveS_AboveS:
assumes REFL: "Refl r" and NE: "A \<noteq> {}"
-shows "AboveS r A = (\<Inter> a \<in> A. aboveS r a)"
+shows "AboveS r A = (\<Inter>a \<in> A. aboveS r a)"
proof
- show "AboveS r A \<subseteq> (\<Inter> a \<in> A. aboveS r a)"
+ show "AboveS r A \<subseteq> (\<Inter>a \<in> A. aboveS r a)"
by(unfold AboveS_def aboveS_def, auto)
next
- show "(\<Inter> a \<in> A. aboveS r a) \<subseteq> AboveS r A"
+ show "(\<Inter>a \<in> A. aboveS r a) \<subseteq> AboveS r A"
proof(auto)
fix x
assume *: "\<forall>xa \<in> A. x \<in> aboveS r xa"
--- a/src/HOL/Cardinals/Wellorder_Embedding.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Cardinals/Wellorder_Embedding.thy Fri Jun 26 18:51:39 2015 +0200
@@ -17,7 +17,7 @@
assumes WELL: "Well_order r" and
OF: "\<And> i. i \<in> I \<Longrightarrow> ofilter r (A i)" and
BIJ: "\<And> i. i \<in> I \<Longrightarrow> bij_betw f (A i) (A' i)"
-shows "bij_betw f (\<Union> i \<in> I. A i) (\<Union> i \<in> I. A' i)"
+shows "bij_betw f (\<Union>i \<in> I. A i) (\<Union>i \<in> I. A' i)"
proof-
have "wo_rel r" using WELL by (simp add: wo_rel_def)
hence "\<And> i j. \<lbrakk>i \<in> I; j \<in> I\<rbrakk> \<Longrightarrow> A i \<le> A j \<or> A j \<le> A i"
--- a/src/HOL/Cardinals/Wellorder_Relation.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Cardinals/Wellorder_Relation.thy Fri Jun 26 18:51:39 2015 +0200
@@ -437,7 +437,7 @@
unfolding ofilter_def by blast
lemma ofilter_INTER:
-"\<lbrakk>I \<noteq> {}; \<And> i. i \<in> I \<Longrightarrow> ofilter(A i)\<rbrakk> \<Longrightarrow> ofilter (\<Inter> i \<in> I. A i)"
+"\<lbrakk>I \<noteq> {}; \<And> i. i \<in> I \<Longrightarrow> ofilter(A i)\<rbrakk> \<Longrightarrow> ofilter (\<Inter>i \<in> I. A i)"
unfolding ofilter_def by blast
lemma ofilter_Inter:
--- a/src/HOL/Complete_Lattices.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Complete_Lattices.thy Fri Jun 26 18:51:39 2015 +0200
@@ -1204,7 +1204,7 @@
"\<Union>(B ` A) = (\<Union>x\<in>A. B x)"
by (fact Sup_image_eq)
-lemma Union_SetCompr_eq: "\<Union> {f x| x. P x} = {a. \<exists>x. P x \<and> a \<in> f x}"
+lemma Union_SetCompr_eq: "\<Union>{f x| x. P x} = {a. \<exists>x. P x \<and> a \<in> f x}"
by blast
lemma UN_iff [simp]: "b \<in> (\<Union>x\<in>A. B x) \<longleftrightarrow> (\<exists>x\<in>A. b \<in> B x)"
@@ -1360,7 +1360,7 @@
lemma inj_on_UNION_chain:
assumes CH: "\<And> i j. \<lbrakk>i \<in> I; j \<in> I\<rbrakk> \<Longrightarrow> A i \<le> A j \<or> A j \<le> A i" and
INJ: "\<And> i. i \<in> I \<Longrightarrow> inj_on f (A i)"
- shows "inj_on f (\<Union> i \<in> I. A i)"
+ shows "inj_on f (\<Union>i \<in> I. A i)"
proof -
{
fix i j x y
@@ -1390,11 +1390,11 @@
lemma bij_betw_UNION_chain:
assumes CH: "\<And> i j. \<lbrakk>i \<in> I; j \<in> I\<rbrakk> \<Longrightarrow> A i \<le> A j \<or> A j \<le> A i" and
BIJ: "\<And> i. i \<in> I \<Longrightarrow> bij_betw f (A i) (A' i)"
- shows "bij_betw f (\<Union> i \<in> I. A i) (\<Union> i \<in> I. A' i)"
+ shows "bij_betw f (\<Union>i \<in> I. A i) (\<Union>i \<in> I. A' i)"
proof (unfold bij_betw_def, auto)
have "\<And> i. i \<in> I \<Longrightarrow> inj_on f (A i)"
using BIJ bij_betw_def[of f] by auto
- thus "inj_on f (\<Union> i \<in> I. A i)"
+ thus "inj_on f (\<Union>i \<in> I. A i)"
using CH inj_on_UNION_chain[of I A f] by auto
next
fix i x
--- a/src/HOL/Datatype_Examples/Derivation_Trees/Gram_Lang.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Datatype_Examples/Derivation_Trees/Gram_Lang.thy Fri Jun 26 18:51:39 2015 +0200
@@ -257,7 +257,7 @@
qed
corollary Fr_subtr:
-"Fr ns tr = \<Union> {Fr ns tr' | tr'. subtr ns tr' tr}"
+"Fr ns tr = \<Union>{Fr ns tr' | tr'. subtr ns tr' tr}"
unfolding Fr_def proof safe
fix t assume t: "inFr ns tr t" hence "root tr \<in> ns" by (rule inFr_root_in)
thus "t \<in> \<Union>{{t. inFr ns tr' t} |tr'. subtr ns tr' tr}"
@@ -272,7 +272,7 @@
by (metis (lifting) subtr.Step)
corollary Fr_subtr_cont:
-"Fr ns tr = \<Union> {Inl -` cont tr' | tr'. subtr ns tr' tr}"
+"Fr ns tr = \<Union>{Inl -` cont tr' | tr'. subtr ns tr' tr}"
unfolding Fr_def
apply safe
apply (frule inFr_subtr)
@@ -290,7 +290,7 @@
qed
corollary Itr_subtr:
-"Itr ns tr = \<Union> {Itr ns tr' | tr'. subtr ns tr' tr}"
+"Itr ns tr = \<Union>{Itr ns tr' | tr'. subtr ns tr' tr}"
unfolding Itr_def apply safe
apply (metis (lifting, mono_tags) UnionI inItr_root_in mem_Collect_eq subtr.Refl)
by (metis subtr_inItr)
@@ -1121,7 +1121,7 @@
assumes r: "regular tr" and In: "root tr \<in> ns"
shows "Fr ns tr =
Inl -` (cont tr) \<union>
- \<Union> {Fr (ns - {root tr}) tr' | tr'. Inr tr' \<in> cont tr}"
+ \<Union>{Fr (ns - {root tr}) tr' | tr'. Inr tr' \<in> cont tr}"
unfolding Fr_def
using In inFr.Base regular_inFr[OF assms] apply safe
apply (simp, metis (full_types) mem_Collect_eq)
@@ -1161,7 +1161,7 @@
lemma Lr_rec_in:
assumes n: "n \<in> ns"
shows "Lr ns n \<subseteq>
-{Inl -` tns \<union> (\<Union> {K n' | n'. Inr n' \<in> tns}) | tns K.
+{Inl -` tns \<union> (\<Union>{K n' | n'. Inr n' \<in> tns}) | tns K.
(n,tns) \<in> P \<and>
(\<forall> n'. Inr n' \<in> tns \<longrightarrow> K n' \<in> Lr (ns - {n}) n')}"
(is "Lr ns n \<subseteq> {?F tns K | tns K. (n,tns) \<in> P \<and> ?\<phi> tns K}")
@@ -1207,7 +1207,7 @@
lemma L_rec_in:
assumes n: "n \<in> ns"
shows "
-{Inl -` tns \<union> (\<Union> {K n' | n'. Inr n' \<in> tns}) | tns K.
+{Inl -` tns \<union> (\<Union>{K n' | n'. Inr n' \<in> tns}) | tns K.
(n,tns) \<in> P \<and>
(\<forall> n'. Inr n' \<in> tns \<longrightarrow> K n' \<in> L (ns - {n}) n')}
\<subseteq> L ns n"
@@ -1247,7 +1247,7 @@
function LL where
"LL ns n =
(if n \<notin> ns then {{}} else
- {Inl -` tns \<union> (\<Union> {K n' | n'. Inr n' \<in> tns}) | tns K.
+ {Inl -` tns \<union> (\<Union>{K n' | n'. Inr n' \<in> tns}) | tns K.
(n,tns) \<in> P \<and>
(\<forall> n'. Inr n' \<in> tns \<longrightarrow> K n' \<in> LL (ns - {n}) n')})"
by(pat_completeness, auto)
--- a/src/HOL/Datatype_Examples/Lambda_Term.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Datatype_Examples/Lambda_Term.thy Fri Jun 26 18:51:39 2015 +0200
@@ -27,14 +27,14 @@
"varsOf (Var a) = {a}"
| "varsOf (App f x) = varsOf f \<union> varsOf x"
| "varsOf (Lam x b) = {x} \<union> varsOf b"
-| "varsOf (Lt F t) = varsOf t \<union> (\<Union> { {x} \<union> X | x X. (x,X) |\<in>| fimage (map_prod id varsOf) F})"
+| "varsOf (Lt F t) = varsOf t \<union> (\<Union>{{x} \<union> X | x X. (x,X) |\<in>| fimage (map_prod id varsOf) F})"
primrec fvarsOf :: "'a trm \<Rightarrow> 'a set" where
"fvarsOf (Var x) = {x}"
| "fvarsOf (App t1 t2) = fvarsOf t1 \<union> fvarsOf t2"
| "fvarsOf (Lam x t) = fvarsOf t - {x}"
| "fvarsOf (Lt xts t) = fvarsOf t - {x | x X. (x,X) |\<in>| fimage (map_prod id varsOf) xts} \<union>
- (\<Union> {X | x X. (x,X) |\<in>| fimage (map_prod id varsOf) xts})"
+ (\<Union>{X | x X. (x,X) |\<in>| fimage (map_prod id varsOf) xts})"
lemma diff_Un_incl_triv: "\<lbrakk>A \<subseteq> D; C \<subseteq> E\<rbrakk> \<Longrightarrow> A - B \<union> C \<subseteq> D \<union> E" by blast
--- a/src/HOL/Filter.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Filter.thy Fri Jun 26 18:51:39 2015 +0200
@@ -245,7 +245,9 @@
(@{thm allI} RS @{thm always_eventually})
|> fold (fn thm1 => fn thm2 => thm2 RS thm1) mp_thms
|> fold (fn _ => fn thm => @{thm impI} RS thm) facts
- val cases_prop = Thm.prop_of (raw_elim_thm RS Goal.init (Thm.cterm_of ctxt goal))
+ val cases_prop =
+ Thm.prop_of
+ (Rule_Cases.internalize_params (raw_elim_thm RS Goal.init (Thm.cterm_of ctxt goal)))
val cases = Rule_Cases.make_common ctxt cases_prop [(("elim", []), [])]
in
CASES cases (rtac raw_elim_thm i)
--- a/src/HOL/Finite_Set.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Finite_Set.thy Fri Jun 26 18:51:39 2015 +0200
@@ -1433,7 +1433,7 @@
lemma insert_partition:
"\<lbrakk> x \<notin> F; \<forall>c1 \<in> insert x F. \<forall>c2 \<in> insert x F. c1 \<noteq> c2 \<longrightarrow> c1 \<inter> c2 = {} \<rbrakk>
- \<Longrightarrow> x \<inter> \<Union> F = {}"
+ \<Longrightarrow> x \<inter> \<Union>F = {}"
by auto
lemma finite_psubset_induct[consumes 1, case_names psubset]:
@@ -1486,13 +1486,13 @@
text{* main cardinality theorem *}
lemma card_partition [rule_format]:
"finite C ==>
- finite (\<Union> C) -->
+ finite (\<Union>C) -->
(\<forall>c\<in>C. card c = k) -->
(\<forall>c1 \<in> C. \<forall>c2 \<in> C. c1 \<noteq> c2 --> c1 \<inter> c2 = {}) -->
- k * card(C) = card (\<Union> C)"
+ k * card(C) = card (\<Union>C)"
apply (erule finite_induct, simp)
apply (simp add: card_Un_disjoint insert_partition
- finite_subset [of _ "\<Union> (insert x F)"])
+ finite_subset [of _ "\<Union>(insert x F)"])
done
lemma card_eq_UNIV_imp_eq_UNIV:
--- a/src/HOL/HOLCF/Cont.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/HOLCF/Cont.thy Fri Jun 26 18:51:39 2015 +0200
@@ -91,7 +91,7 @@
text {* continuity implies preservation of lubs *}
lemma cont2contlubE:
- "\<lbrakk>cont f; chain Y\<rbrakk> \<Longrightarrow> f (\<Squnion> i. Y i) = (\<Squnion> i. f (Y i))"
+ "\<lbrakk>cont f; chain Y\<rbrakk> \<Longrightarrow> f (\<Squnion>i. Y i) = (\<Squnion>i. f (Y i))"
apply (rule lub_eqI [symmetric])
apply (erule (1) contE)
done
--- a/src/HOL/HOLCF/Porder.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/HOLCF/Porder.thy Fri Jun 26 18:51:39 2015 +0200
@@ -126,7 +126,7 @@
"LUB n. t n == lub (range t)"
notation (xsymbols)
- Lub (binder "\<Squnion> " 10)
+ Lub (binder "\<Squnion>" 10)
text {* access to some definition as inference rule *}
--- a/src/HOL/Hilbert_Choice.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Hilbert_Choice.thy Fri Jun 26 18:51:39 2015 +0200
@@ -408,20 +408,20 @@
qed
lemma Ex_inj_on_UNION_Sigma:
- "\<exists>f. (inj_on f (\<Union> i \<in> I. A i) \<and> f ` (\<Union> i \<in> I. A i) \<le> (SIGMA i : I. A i))"
+ "\<exists>f. (inj_on f (\<Union>i \<in> I. A i) \<and> f ` (\<Union>i \<in> I. A i) \<le> (SIGMA i : I. A i))"
proof
let ?phi = "\<lambda> a i. i \<in> I \<and> a \<in> A i"
let ?sm = "\<lambda> a. SOME i. ?phi a i"
let ?f = "\<lambda>a. (?sm a, a)"
- have "inj_on ?f (\<Union> i \<in> I. A i)" unfolding inj_on_def by auto
+ have "inj_on ?f (\<Union>i \<in> I. A i)" unfolding inj_on_def by auto
moreover
{ { fix i a assume "i \<in> I" and "a \<in> A i"
hence "?sm a \<in> I \<and> a \<in> A(?sm a)" using someI[of "?phi a" i] by auto
}
- hence "?f ` (\<Union> i \<in> I. A i) \<le> (SIGMA i : I. A i)" by auto
+ hence "?f ` (\<Union>i \<in> I. A i) \<le> (SIGMA i : I. A i)" by auto
}
ultimately
- show "inj_on ?f (\<Union> i \<in> I. A i) \<and> ?f ` (\<Union> i \<in> I. A i) \<le> (SIGMA i : I. A i)"
+ show "inj_on ?f (\<Union>i \<in> I. A i) \<and> ?f ` (\<Union>i \<in> I. A i) \<le> (SIGMA i : I. A i)"
by auto
qed
--- a/src/HOL/Hoare/SchorrWaite.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Hoare/SchorrWaite.thy Fri Jun 26 18:51:39 2015 +0200
@@ -17,7 +17,7 @@
definition
relS :: "('a \<Rightarrow> 'a ref) set \<Rightarrow> ('a \<times> 'a) set"
- where "relS M = (\<Union> m \<in> M. rel m)"
+ where "relS M = (\<Union>m \<in> M. rel m)"
definition
addrs :: "'a ref set \<Rightarrow> 'a set"
--- a/src/HOL/Library/Indicator_Function.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Library/Indicator_Function.thy Fri Jun 26 18:51:39 2015 +0200
@@ -87,18 +87,18 @@
by auto
then have
"\<And>n. (indicator (A (n + i)) x :: 'a) = 1"
- "(indicator (\<Union> i. A i) x :: 'a) = 1"
+ "(indicator (\<Union>i. A i) x :: 'a) = 1"
using incseqD[OF \<open>incseq A\<close>, of i "n + i" for n] \<open>x \<in> A i\<close> by (auto simp: indicator_def)
then show ?thesis
by (rule_tac LIMSEQ_offset[of _ i]) simp
qed (auto simp: indicator_def)
lemma LIMSEQ_indicator_UN:
- "(\<lambda>k. indicator (\<Union> i<k. A i) x :: 'a :: {topological_space, one, zero}) ----> indicator (\<Union>i. A i) x"
+ "(\<lambda>k. indicator (\<Union>i<k. A i) x :: 'a :: {topological_space, one, zero}) ----> indicator (\<Union>i. A i) x"
proof -
- have "(\<lambda>k. indicator (\<Union> i<k. A i) x::'a) ----> indicator (\<Union>k. \<Union> i<k. A i) x"
+ have "(\<lambda>k. indicator (\<Union>i<k. A i) x::'a) ----> indicator (\<Union>k. \<Union>i<k. A i) x"
by (intro LIMSEQ_indicator_incseq) (auto simp: incseq_def intro: less_le_trans)
- also have "(\<Union>k. \<Union> i<k. A i) = (\<Union>i. A i)"
+ also have "(\<Union>k. \<Union>i<k. A i) = (\<Union>i. A i)"
by auto
finally show ?thesis .
qed
@@ -123,7 +123,7 @@
proof -
have "(\<lambda>k. indicator (\<Inter>i<k. A i) x::'a) ----> indicator (\<Inter>k. \<Inter>i<k. A i) x"
by (intro LIMSEQ_indicator_decseq) (auto simp: decseq_def intro: less_le_trans)
- also have "(\<Inter>k. \<Inter> i<k. A i) = (\<Inter>i. A i)"
+ also have "(\<Inter>k. \<Inter>i<k. A i) = (\<Inter>i. A i)"
by auto
finally show ?thesis .
qed
--- a/src/HOL/Multivariate_Analysis/Complex_Analysis_Basics.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Multivariate_Analysis/Complex_Analysis_Basics.thy Fri Jun 26 18:51:39 2015 +0200
@@ -604,7 +604,7 @@
lemma analytic_on_Un: "f analytic_on (s \<union> t) \<longleftrightarrow> f analytic_on s \<and> f analytic_on t"
by (auto simp: analytic_on_def)
-lemma analytic_on_Union: "f analytic_on (\<Union> s) \<longleftrightarrow> (\<forall>t \<in> s. f analytic_on t)"
+lemma analytic_on_Union: "f analytic_on (\<Union>s) \<longleftrightarrow> (\<forall>t \<in> s. f analytic_on t)"
by (auto simp: analytic_on_def)
lemma analytic_on_UN: "f analytic_on (\<Union>i\<in>I. s i) \<longleftrightarrow> (\<forall>i\<in>I. f analytic_on (s i))"
--- a/src/HOL/Multivariate_Analysis/Convex_Euclidean_Space.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Multivariate_Analysis/Convex_Euclidean_Space.thy Fri Jun 26 18:51:39 2015 +0200
@@ -384,7 +384,7 @@
lemma affine_UNIV[intro]: "affine UNIV"
unfolding affine_def by auto
-lemma affine_Inter[intro]: "(\<forall>s\<in>f. affine s) \<Longrightarrow> affine (\<Inter> f)"
+lemma affine_Inter[intro]: "(\<forall>s\<in>f. affine s) \<Longrightarrow> affine (\<Inter>f)"
unfolding affine_def by auto
lemma affine_Int[intro]: "affine s \<Longrightarrow> affine t \<Longrightarrow> affine (s \<inter> t)"
@@ -4552,7 +4552,7 @@
shows "\<exists>a. a \<noteq> 0 \<and> (\<forall>x\<in>s. 0 \<le> inner a x)"
proof -
let ?k = "\<lambda>c. {x::'a. 0 \<le> inner c x}"
- have "frontier (cball 0 1) \<inter> (\<Inter> (?k ` s)) \<noteq> {}"
+ have "frontier (cball 0 1) \<inter> (\<Inter>(?k ` s)) \<noteq> {}"
apply (rule compact_imp_fip)
apply (rule compact_frontier[OF compact_cball])
defer
@@ -4758,7 +4758,7 @@
lemma convex_halfspace_intersection:
fixes s :: "('a::euclidean_space) set"
assumes "closed s" "convex s"
- shows "s = \<Inter> {h. s \<subseteq> h \<and> (\<exists>a b. h = {x. inner a x \<le> b})}"
+ shows "s = \<Inter>{h. s \<subseteq> h \<and> (\<exists>a b. h = {x. inner a x \<le> b})}"
apply (rule set_eqI)
apply rule
unfolding Inter_iff Ball_def mem_Collect_eq
@@ -4935,7 +4935,7 @@
fixes f :: "'a::euclidean_space set set"
assumes "card f = n"
and "n \<ge> DIM('a) + 1"
- and "\<forall>s\<in>f. convex s" "\<forall>t\<subseteq>f. card t = DIM('a) + 1 \<longrightarrow> \<Inter> t \<noteq> {}"
+ and "\<forall>s\<in>f. convex s" "\<forall>t\<subseteq>f. card t = DIM('a) + 1 \<longrightarrow> \<Inter>t \<noteq> {}"
shows "\<Inter>f \<noteq> {}"
using assms
proof (induct n arbitrary: f)
@@ -5033,7 +5033,7 @@
lemma helly:
fixes f :: "'a::euclidean_space set set"
assumes "card f \<ge> DIM('a) + 1" "\<forall>s\<in>f. convex s"
- and "\<forall>t\<subseteq>f. card t = DIM('a) + 1 \<longrightarrow> \<Inter> t \<noteq> {}"
+ and "\<forall>t\<subseteq>f. card t = DIM('a) + 1 \<longrightarrow> \<Inter>t \<noteq> {}"
shows "\<Inter>f \<noteq> {}"
apply (rule helly_induct)
using assms
@@ -7756,7 +7756,7 @@
have "\<Inter>{closure S |S. S \<in> I} \<le> closure (\<Inter>{rel_interior S |S. S \<in> I})"
using convex_closure_rel_interior_inter assms by auto
moreover
- have "closure (\<Inter>{rel_interior S |S. S \<in> I}) \<le> closure (\<Inter> I)"
+ have "closure (\<Inter>{rel_interior S |S. S \<in> I}) \<le> closure (\<Inter>I)"
using rel_interior_inter_aux closure_mono[of "\<Inter>{rel_interior S |S. S \<in> I}" "\<Inter>I"]
by auto
ultimately show ?thesis
@@ -8750,7 +8750,7 @@
done
ultimately have "convex hull (\<Union>(K ` I)) \<supseteq> K0"
unfolding K0_def
- using hull_minimal[of _ "convex hull (\<Union> (K ` I))" "cone"]
+ using hull_minimal[of _ "convex hull (\<Union>(K ` I))" "cone"]
by blast
then have "K0 = convex hull (\<Union>(K ` I))"
using geq by auto
--- a/src/HOL/Multivariate_Analysis/Derivative.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Multivariate_Analysis/Derivative.thy Fri Jun 26 18:51:39 2015 +0200
@@ -879,7 +879,7 @@
have "\<forall>\<^sub>F x1 in ?F. norm (f x1 - f y) \<le> (\<phi> x1 - \<phi> y) + e * \<bar>x1 - y\<bar>"
(is "\<forall>\<^sub>F x1 in ?F. ?le' x1")
proof eventually_elim
- case elim
+ case (elim x1)
from norm_triangle_ineq2[THEN order_trans, OF elim(1)]
have "norm (f x1 - f y) \<le> norm (f' y) * \<bar>x1 - y\<bar> + e2 * \<bar>x1 - y\<bar>"
by (simp add: ac_simps)
--- a/src/HOL/Multivariate_Analysis/Integration.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Multivariate_Analysis/Integration.thy Fri Jun 26 18:51:39 2015 +0200
@@ -648,7 +648,7 @@
lemma gauge_inters:
assumes "finite s"
and "\<forall>d\<in>s. gauge (f d)"
- shows "gauge (\<lambda>x. \<Inter> {f d x | d. d \<in> s})"
+ shows "gauge (\<lambda>x. \<Inter>{f d x | d. d \<in> s})"
proof -
have *: "\<And>x. {f d x |d. d \<in> s} = (\<lambda>d. f d x) ` s"
by auto
@@ -871,7 +871,7 @@
assumes "finite f"
and "f \<noteq> {}"
and "\<forall>s\<in>f. \<exists>p. p division_of (s::('a::euclidean_space) set)"
- shows "\<exists>p. p division_of (\<Inter> f)"
+ shows "\<exists>p. p division_of (\<Inter>f)"
using assms
proof (induct f rule: finite_induct)
case (insert x f)
@@ -1066,7 +1066,7 @@
done }
then have "\<And>x. x \<in> p \<Longrightarrow> \<exists>d. d division_of \<Union>(q x - {x})"
by (meson Diff_subset division_of_subset)
- then have "\<exists>d. d division_of \<Inter> ((\<lambda>i. \<Union>(q i - {i})) ` p)"
+ then have "\<exists>d. d division_of \<Inter>((\<lambda>i. \<Union>(q i - {i})) ` p)"
apply -
apply (rule elementary_inters [OF finite_imageI[OF p(1)]])
apply (auto simp: False elementary_inters [OF finite_imageI[OF p(1)]])
@@ -1669,7 +1669,7 @@
unfolding fine_def by auto
lemma fine_inters:
- "(\<lambda>x. \<Inter> {f d x | d. d \<in> s}) fine p \<longleftrightarrow> (\<forall>d\<in>s. (f d) fine p)"
+ "(\<lambda>x. \<Inter>{f d x | d. d \<in> s}) fine p \<longleftrightarrow> (\<forall>d\<in>s. (f d) fine p)"
unfolding fine_def by blast
lemma fine_union: "d fine p1 \<Longrightarrow> d fine p2 \<Longrightarrow> d fine (p1 \<union> p2)"
@@ -1851,7 +1851,7 @@
by (blast intro: that)
}
assume as: "\<forall>c d. ?PP c d \<longrightarrow> P (cbox c d)"
- have "P (\<Union> ?A)"
+ have "P (\<Union>?A)"
proof (rule UN_cases)
let ?B = "(\<lambda>s. cbox (\<Sum>i\<in>Basis. (if i \<in> s then a\<bullet>i else (a\<bullet>i + b\<bullet>i) / 2) *\<^sub>R i::'a)
(\<Sum>i\<in>Basis. (if i \<in> s then (a\<bullet>i + b\<bullet>i) / 2 else b\<bullet>i) *\<^sub>R i)) ` {s. s \<subseteq> Basis}"
@@ -1926,7 +1926,7 @@
qed
qed
qed
- also have "\<Union> ?A = cbox a b"
+ also have "\<Union>?A = cbox a b"
proof (rule set_eqI,rule)
fix x
assume "x \<in> \<Union>?A"
--- a/src/HOL/Multivariate_Analysis/Topology_Euclidean_Space.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Multivariate_Analysis/Topology_Euclidean_Space.thy Fri Jun 26 18:51:39 2015 +0200
@@ -413,7 +413,7 @@
subsection \<open>General notion of a topology as a value\<close>
definition "istopology L \<longleftrightarrow>
- L {} \<and> (\<forall>S T. L S \<longrightarrow> L T \<longrightarrow> L (S \<inter> T)) \<and> (\<forall>K. Ball K L \<longrightarrow> L (\<Union> K))"
+ L {} \<and> (\<forall>S T. L S \<longrightarrow> L T \<longrightarrow> L (S \<inter> T)) \<and> (\<forall>K. Ball K L \<longrightarrow> L (\<Union>K))"
typedef 'a topology = "{L::('a set) \<Rightarrow> bool. istopology L}"
morphisms "openin" "topology"
@@ -462,7 +462,7 @@
lemma openin_Int[intro]: "openin U S \<Longrightarrow> openin U T \<Longrightarrow> openin U (S \<inter> T)"
using openin_clauses by simp
-lemma openin_Union[intro]: "(\<forall>S \<in>K. openin U S) \<Longrightarrow> openin U (\<Union> K)"
+lemma openin_Union[intro]: "(\<forall>S \<in>K. openin U S) \<Longrightarrow> openin U (\<Union>K)"
using openin_clauses by simp
lemma openin_Un[intro]: "openin U S \<Longrightarrow> openin U T \<Longrightarrow> openin U (S \<union> T)"
@@ -501,13 +501,13 @@
lemma closedin_Un[intro]: "closedin U S \<Longrightarrow> closedin U T \<Longrightarrow> closedin U (S \<union> T)"
by (auto simp add: Diff_Un closedin_def)
-lemma Diff_Inter[intro]: "A - \<Inter>S = \<Union> {A - s|s. s\<in>S}"
+lemma Diff_Inter[intro]: "A - \<Inter>S = \<Union>{A - s|s. s\<in>S}"
by auto
lemma closedin_Inter[intro]:
assumes Ke: "K \<noteq> {}"
and Kc: "\<forall>S \<in>K. closedin U S"
- shows "closedin U (\<Inter> K)"
+ shows "closedin U (\<Inter>K)"
using Ke Kc unfolding closedin_def Diff_Inter by auto
lemma closedin_Int[intro]: "closedin U S \<Longrightarrow> closedin U T \<Longrightarrow> closedin U (S \<inter> T)"
@@ -575,7 +575,7 @@
by blast
have "\<Union>K = (\<Union>Sk) \<inter> V"
using Sk by auto
- moreover have "openin U (\<Union> Sk)"
+ moreover have "openin U (\<Union>Sk)"
using Sk by (auto simp add: subset_eq)
ultimately have "?L (\<Union>K)" by blast
}
--- a/src/HOL/Nominal/Examples/Class2.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Nominal/Examples/Class2.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2888,8 +2888,8 @@
and X::"('a::pt_name) set set"
and pi2::"coname prm"
and Y::"('b::pt_coname) set set"
- shows "(pi1\<bullet>(\<Inter> X)) = \<Inter> (pi1\<bullet>X)"
- and "(pi2\<bullet>(\<Inter> Y)) = \<Inter> (pi2\<bullet>Y)"
+ shows "(pi1\<bullet>(\<Inter>X)) = \<Inter>(pi1\<bullet>X)"
+ and "(pi2\<bullet>(\<Inter>Y)) = \<Inter>(pi2\<bullet>Y)"
apply(auto simp add: perm_set_def)
apply(rule_tac x="(rev pi1)\<bullet>x" in exI)
apply(perm_simp)
--- a/src/HOL/Nominal/Nominal.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Nominal/Nominal.thy Fri Jun 26 18:51:39 2015 +0200
@@ -1888,9 +1888,9 @@
assumes pt: "pt TYPE('a) TYPE('x)"
and at: "at TYPE ('x)"
and fs: "fs TYPE('a) TYPE('x)"
- shows "((supp x)::'x set) = (\<Inter> {S. finite S \<and> S supports x})"
+ shows "((supp x)::'x set) = (\<Inter>{S. finite S \<and> S supports x})"
proof (rule equalityI)
- show "((supp x)::'x set) \<subseteq> (\<Inter> {S. finite S \<and> S supports x})"
+ show "((supp x)::'x set) \<subseteq> (\<Inter>{S. finite S \<and> S supports x})"
proof (clarify)
fix S c
assume b: "c\<in>((supp x)::'x set)" and "finite (S::'x set)" and "S supports x"
@@ -1898,7 +1898,7 @@
with b show "c\<in>S" by force
qed
next
- show "(\<Inter> {S. finite S \<and> S supports x}) \<subseteq> ((supp x)::'x set)"
+ show "(\<Inter>{S. finite S \<and> S supports x}) \<subseteq> ((supp x)::'x set)"
proof (clarify, simp)
fix c
assume d: "\<forall>(S::'x set). finite S \<and> S supports x \<longrightarrow> c\<in>S"
--- a/src/HOL/Probability/Bochner_Integration.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/Bochner_Integration.thy Fri Jun 26 18:51:39 2015 +0200
@@ -83,7 +83,7 @@
by (rule finite_subset) auto }
{ fix N i n x assume "i \<le> N" "n \<le> N" "x \<in> B i n"
- then have 1: "\<exists>m\<le>N. x \<in> (\<Union> n\<le>N. B m n)" by auto
+ then have 1: "\<exists>m\<le>N. x \<in> (\<Union>n\<le>N. B m n)" by auto
from m[OF this] obtain n where n: "m N x \<le> N" "n \<le> N" "x \<in> B (m N x) n" by auto
moreover
def L \<equiv> "LEAST n. x \<in> B (m N x) n"
--- a/src/HOL/Probability/Caratheodory.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/Caratheodory.thy Fri Jun 26 18:51:39 2015 +0200
@@ -804,7 +804,7 @@
with Ca Cb have "Ca \<inter> Cb \<subseteq> {{}}" by auto
then have C_Int_cases: "Ca \<inter> Cb = {{}} \<or> Ca \<inter> Cb = {}" by auto
- from `a \<inter> b = {}` have "\<mu>' (\<Union> (Ca \<union> Cb)) = (\<Sum>c\<in>Ca \<union> Cb. \<mu> c)"
+ from `a \<inter> b = {}` have "\<mu>' (\<Union>(Ca \<union> Cb)) = (\<Sum>c\<in>Ca \<union> Cb. \<mu> c)"
using Ca Cb by (intro \<mu>') (auto intro!: disjoint_union)
also have "\<dots> = (\<Sum>c\<in>Ca \<union> Cb. \<mu> c) + (\<Sum>c\<in>Ca \<inter> Cb. \<mu> c)"
using C_Int_cases volume_empty[OF `volume M \<mu>`] by (elim disjE) simp_all
@@ -915,7 +915,7 @@
then have "disjoint_family f"
by (auto simp: disjoint_family_on_def f_def)
moreover
- have Ai_eq: "A i = (\<Union> x<card C. f x)"
+ have Ai_eq: "A i = (\<Union>x<card C. f x)"
using f C Ai unfolding bij_betw_def by (simp add: Union_image_eq[symmetric])
then have "\<Union>range f = A i"
using f C Ai unfolding bij_betw_def by (auto simp: f_def)
--- a/src/HOL/Probability/Measure_Space.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/Measure_Space.thy Fri Jun 26 18:51:39 2015 +0200
@@ -172,17 +172,17 @@
case empty thus ?case using f by (auto simp: positive_def)
next
case (insert x F)
- hence in_M: "A x \<in> M" "(\<Union> i\<in>F. A i) \<in> M" "(\<Union> i\<in>F. A i) - A x \<in> M" using A by force+
- have subs: "(\<Union> i\<in>F. A i) - A x \<subseteq> (\<Union> i\<in>F. A i)" by auto
- have "(\<Union> i\<in>(insert x F). A i) = A x \<union> ((\<Union> i\<in>F. A i) - A x)" by auto
- hence "f (\<Union> i\<in>(insert x F). A i) = f (A x \<union> ((\<Union> i\<in>F. A i) - A x))"
+ hence in_M: "A x \<in> M" "(\<Union>i\<in>F. A i) \<in> M" "(\<Union>i\<in>F. A i) - A x \<in> M" using A by force+
+ have subs: "(\<Union>i\<in>F. A i) - A x \<subseteq> (\<Union>i\<in>F. A i)" by auto
+ have "(\<Union>i\<in>(insert x F). A i) = A x \<union> ((\<Union>i\<in>F. A i) - A x)" by auto
+ hence "f (\<Union>i\<in>(insert x F). A i) = f (A x \<union> ((\<Union>i\<in>F. A i) - A x))"
by simp
- also have "\<dots> = f (A x) + f ((\<Union> i\<in>F. A i) - A x)"
+ also have "\<dots> = f (A x) + f ((\<Union>i\<in>F. A i) - A x)"
using f(2) by (rule additiveD) (insert in_M, auto)
- also have "\<dots> \<le> f (A x) + f (\<Union> i\<in>F. A i)"
+ also have "\<dots> \<le> f (A x) + f (\<Union>i\<in>F. A i)"
using additive_increasing[OF f] in_M subs by (auto simp: increasing_def intro: add_left_mono)
also have "\<dots> \<le> f (A x) + (\<Sum>i\<in>F. f (A i))" using insert by (auto intro: add_left_mono)
- finally show "f (\<Union> i\<in>(insert x F). A i) \<le> (\<Sum>i\<in>(insert x F). f (A i))" using insert by simp
+ finally show "f (\<Union>i\<in>(insert x F). A i) \<le> (\<Sum>i\<in>(insert x F). f (A i))" using insert by simp
qed
lemma (in ring_of_sets) countably_additive_additive:
@@ -292,7 +292,7 @@
have *: "(\<Union>n. (\<Union>i<n. A i)) = (\<Union>i. A i)" by auto
have "(\<lambda>n. f (\<Union>i<n. A i)) ----> f (\<Union>i. A i)"
proof (unfold *[symmetric], intro cont[rule_format])
- show "range (\<lambda>i. \<Union> i<i. A i) \<subseteq> M" "(\<Union>i. \<Union> i<i. A i) \<in> M"
+ show "range (\<lambda>i. \<Union>i<i. A i) \<subseteq> M" "(\<Union>i. \<Union>i<i. A i) \<in> M"
using A * by auto
qed (force intro!: incseq_SucI)
moreover have "\<And>n. f (\<Union>i<n. A i) = (\<Sum>i<n. f (A i))"
@@ -657,10 +657,10 @@
lemma emeasure_UN_eq_0:
assumes "\<And>i::nat. emeasure M (N i) = 0" and "range N \<subseteq> sets M"
- shows "emeasure M (\<Union> i. N i) = 0"
+ shows "emeasure M (\<Union>i. N i) = 0"
proof -
- have "0 \<le> emeasure M (\<Union> i. N i)" using assms by auto
- moreover have "emeasure M (\<Union> i. N i) \<le> 0"
+ have "0 \<le> emeasure M (\<Union>i. N i)" using assms by auto
+ moreover have "emeasure M (\<Union>i. N i) \<le> 0"
using emeasure_subadditive_countably[OF assms(2)] assms(1) by simp
ultimately show ?thesis by simp
qed
@@ -1173,9 +1173,9 @@
from F have "\<And>x. x \<in> space M \<Longrightarrow> \<exists>i. x \<in> F i" by auto
with F show ?thesis by fastforce
qed
- show "emeasure M (\<Union> i\<le>n. F i) \<noteq> \<infinity>" for n
+ show "emeasure M (\<Union>i\<le>n. F i) \<noteq> \<infinity>" for n
proof -
- have "emeasure M (\<Union> i\<le>n. F i) \<le> (\<Sum>i\<le>n. emeasure M (F i))"
+ have "emeasure M (\<Union>i\<le>n. F i) \<le> (\<Sum>i\<le>n. emeasure M (F i))"
using F by (auto intro!: emeasure_subadditive_finite)
also have "\<dots> < \<infinity>"
using F by (auto simp: setsum_Pinfty)
@@ -1579,12 +1579,12 @@
assumes "range f \<subseteq> sets M" "range g \<subseteq> sets M"
assumes "disjoint_family f" "disjoint_family g"
assumes "\<And> n :: nat. measure M (f n) = measure M (g n)"
- shows "measure M (\<Union> i. f i) = measure M (\<Union> i. g i)"
+ shows "measure M (\<Union>i. f i) = measure M (\<Union>i. g i)"
using assms
proof -
- have a: "(\<lambda> i. measure M (f i)) sums (measure M (\<Union> i. f i))"
+ have a: "(\<lambda> i. measure M (f i)) sums (measure M (\<Union>i. f i))"
by (rule finite_measure_UNION[OF assms(1,3)])
- have b: "(\<lambda> i. measure M (g i)) sums (measure M (\<Union> i. g i))"
+ have b: "(\<lambda> i. measure M (g i)) sums (measure M (\<Union>i. g i))"
by (rule finite_measure_UNION[OF assms(2,4)])
show ?thesis using sums_unique[OF b] sums_unique[OF a] assms by simp
qed
@@ -1592,9 +1592,9 @@
lemma (in finite_measure) measure_countably_zero:
assumes "range c \<subseteq> sets M"
assumes "\<And> i. measure M (c i) = 0"
- shows "measure M (\<Union> i :: nat. c i) = 0"
+ shows "measure M (\<Union>i :: nat. c i) = 0"
proof (rule antisym)
- show "measure M (\<Union> i :: nat. c i) \<le> 0"
+ show "measure M (\<Union>i :: nat. c i) \<le> 0"
using finite_measure_subadditive_countably[OF assms(1)] by (simp add: assms(2))
qed (simp add: measure_nonneg)
@@ -1633,12 +1633,12 @@
assumes "\<And> x. x \<in> s \<Longrightarrow> e \<inter> f x \<in> sets M"
assumes "finite s"
assumes disjoint: "\<And> x y. \<lbrakk>x \<in> s ; y \<in> s ; x \<noteq> y\<rbrakk> \<Longrightarrow> f x \<inter> f y = {}"
- assumes upper: "space M \<subseteq> (\<Union> i \<in> s. f i)"
+ assumes upper: "space M \<subseteq> (\<Union>i \<in> s. f i)"
shows "measure M e = (\<Sum> x \<in> s. measure M (e \<inter> f x))"
proof -
- have e: "e = (\<Union> i \<in> s. e \<inter> f i)"
+ have e: "e = (\<Union>i \<in> s. e \<inter> f i)"
using `e \<in> sets M` sets.sets_into_space upper by blast
- hence "measure M e = measure M (\<Union> i \<in> s. e \<inter> f i)" by simp
+ hence "measure M e = measure M (\<Union>i \<in> s. e \<inter> f i)" by simp
also have "\<dots> = (\<Sum> x \<in> s. measure M (e \<inter> f x))"
proof (rule finite_measure_finite_Union)
show "finite s" by fact
--- a/src/HOL/Probability/Projective_Limit.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/Projective_Limit.thy Fri Jun 26 18:51:39 2015 +0200
@@ -282,15 +282,15 @@
have Y_notempty: "\<And>n. n \<ge> 1 \<Longrightarrow> (Y n) \<noteq> {}"
proof -
fix n::nat assume "n \<ge> 1" hence "Y n \<subseteq> Z n" by fact
- have "Y n = (\<Inter> i\<in>{1..n}. emb I (J n) (emb (J n) (J i) (K i)))" using J J_mono
+ have "Y n = (\<Inter>i\<in>{1..n}. emb I (J n) (emb (J n) (J i) (K i)))" using J J_mono
by (auto simp: Y_def Z'_def)
- also have "\<dots> = prod_emb I (\<lambda>_. borel) (J n) (\<Inter> i\<in>{1..n}. emb (J n) (J i) (K i))"
+ also have "\<dots> = prod_emb I (\<lambda>_. borel) (J n) (\<Inter>i\<in>{1..n}. emb (J n) (J i) (K i))"
using `n \<ge> 1`
by (subst prod_emb_INT) auto
finally
have Y_emb:
"Y n = prod_emb I (\<lambda>_. borel) (J n)
- (\<Inter> i\<in>{1..n}. prod_emb (J n) (\<lambda>_. borel) (J i) (K i))" .
+ (\<Inter>i\<in>{1..n}. prod_emb (J n) (\<lambda>_. borel) (J i) (K i))" .
hence "Y n \<in> ?G" using J J_mono K_sets `n \<ge> 1` by (intro generatorI[OF _ _ _ _ Y_emb]) auto
hence "\<bar>\<mu>G (Y n)\<bar> \<noteq> \<infinity>" unfolding Y_emb using J J_mono K_sets `n \<ge> 1`
by (subst mu_G_eq) (auto simp: limP_finite proj_sets mu_G_eq)
@@ -317,11 +317,11 @@
(auto dest!: bspec[where x=n]
simp: extensional_restrict emeasure_eq_measure prod_emb_iff simp del: limP_finite
intro!: measure_Diff[symmetric] set_mp[OF K_B])
- also have subs: "Z n - Y n \<subseteq> (\<Union> i\<in>{1..n}. (Z i - Z' i))" using Z' Z `n \<ge> 1`
+ also have subs: "Z n - Y n \<subseteq> (\<Union>i\<in>{1..n}. (Z i - Z' i))" using Z' Z `n \<ge> 1`
unfolding Y_def by (force simp: decseq_def)
- have "Z n - Y n \<in> ?G" "(\<Union> i\<in>{1..n}. (Z i - Z' i)) \<in> ?G"
+ have "Z n - Y n \<in> ?G" "(\<Union>i\<in>{1..n}. (Z i - Z' i)) \<in> ?G"
using `Z' _ \<in> ?G` `Z _ \<in> ?G` `Y _ \<in> ?G` by auto
- hence "\<mu>G (Z n - Y n) \<le> \<mu>G (\<Union> i\<in>{1..n}. (Z i - Z' i))"
+ hence "\<mu>G (Z n - Y n) \<le> \<mu>G (\<Union>i\<in>{1..n}. (Z i - Z' i))"
using subs G.additive_increasing[OF positive_mu_G[OF `I \<noteq> {}`] additive_mu_G[OF `I \<noteq> {}`]]
unfolding increasing_def by auto
also have "\<dots> \<le> (\<Sum> i\<in>{1..n}. \<mu>G (Z i - Z' i))" using `Z _ \<in> ?G` `Z' _ \<in> ?G`
--- a/src/HOL/Probability/Radon_Nikodym.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/Radon_Nikodym.thy Fri Jun 26 18:51:39 2015 +0200
@@ -625,7 +625,7 @@
next
case (Suc n)
with `?O n \<in> ?Q` `?O (Suc n) \<in> ?Q`
- emeasure_Diff[OF _ _ _ O_mono, of N n] emeasure_nonneg[of N "(\<Union> x\<le>n. Q' x)"]
+ emeasure_Diff[OF _ _ _ O_mono, of N n] emeasure_nonneg[of N "(\<Union>x\<le>n. Q' x)"]
show ?thesis
by (auto simp: sets_eq ereal_minus_eq_PInfty_iff Q_def)
qed }
--- a/src/HOL/Probability/ex/Dining_Cryptographers.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Probability/ex/Dining_Cryptographers.thy Fri Jun 26 18:51:39 2015 +0200
@@ -289,12 +289,12 @@
have [simp]: "length xs = n" using assms
by (auto simp: dc_crypto inversion_def [abs_def])
- have "{dc \<in> dc_crypto. inversion dc = xs} = (\<Union> i < n. ?set i)"
+ have "{dc \<in> dc_crypto. inversion dc = xs} = (\<Union>i < n. ?set i)"
unfolding dc_crypto payer_def by auto
- also have "\<dots> = (\<Union> ?sets)" by auto
- finally have eq_Union: "{dc \<in> dc_crypto. inversion dc = xs} = (\<Union> ?sets)" by simp
+ also have "\<dots> = (\<Union>?sets)" by auto
+ finally have eq_Union: "{dc \<in> dc_crypto. inversion dc = xs} = (\<Union>?sets)" by simp
- have card_double: "2 * card ?sets = card (\<Union> ?sets)"
+ have card_double: "2 * card ?sets = card (\<Union>?sets)"
proof (rule card_partition)
show "finite ?sets" by simp
{ fix i assume "i < n"
--- a/src/HOL/Set_Interval.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Set_Interval.thy Fri Jun 26 18:51:39 2015 +0200
@@ -66,10 +66,10 @@
"_INTER_less" :: "'a => 'a => 'b set => 'b set" ("(3INT _<_./ _)" [0, 0, 10] 10)
syntax (xsymbols)
- "_UNION_le" :: "'a => 'a => 'b set => 'b set" ("(3\<Union> _\<le>_./ _)" [0, 0, 10] 10)
- "_UNION_less" :: "'a => 'a => 'b set => 'b set" ("(3\<Union> _<_./ _)" [0, 0, 10] 10)
- "_INTER_le" :: "'a => 'a => 'b set => 'b set" ("(3\<Inter> _\<le>_./ _)" [0, 0, 10] 10)
- "_INTER_less" :: "'a => 'a => 'b set => 'b set" ("(3\<Inter> _<_./ _)" [0, 0, 10] 10)
+ "_UNION_le" :: "'a => 'a => 'b set => 'b set" ("(3\<Union>_\<le>_./ _)" [0, 0, 10] 10)
+ "_UNION_less" :: "'a => 'a => 'b set => 'b set" ("(3\<Union>_<_./ _)" [0, 0, 10] 10)
+ "_INTER_le" :: "'a => 'a => 'b set => 'b set" ("(3\<Inter>_\<le>_./ _)" [0, 0, 10] 10)
+ "_INTER_less" :: "'a => 'a => 'b set => 'b set" ("(3\<Inter>_<_./ _)" [0, 0, 10] 10)
syntax (latex output)
"_UNION_le" :: "'a \<Rightarrow> 'a => 'b set => 'b set" ("(3\<Union>(00_ \<le> _)/ _)" [0, 0, 10] 10)
--- a/src/HOL/TLA/Action.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Action.thy Fri Jun 26 18:51:39 2015 +0200
@@ -1,9 +1,9 @@
-(* Title: HOL/TLA/Action.thy
+(* Title: HOL/TLA/Action.thy
Author: Stephan Merz
Copyright: 1998 University of Munich
*)
-section {* The action level of TLA as an Isabelle theory *}
+section \<open>The action level of TLA as an Isabelle theory\<close>
theory Action
imports Stfun
@@ -12,40 +12,40 @@
(** abstract syntax **)
-type_synonym 'a trfun = "(state * state) => 'a"
+type_synonym 'a trfun = "(state * state) \<Rightarrow> 'a"
type_synonym action = "bool trfun"
instance prod :: (world, world) world ..
consts
(** abstract syntax **)
- before :: "'a stfun => 'a trfun"
- after :: "'a stfun => 'a trfun"
- unch :: "'a stfun => action"
+ before :: "'a stfun \<Rightarrow> 'a trfun"
+ after :: "'a stfun \<Rightarrow> 'a trfun"
+ unch :: "'a stfun \<Rightarrow> action"
- SqAct :: "[action, 'a stfun] => action"
- AnAct :: "[action, 'a stfun] => action"
- enabled :: "action => stpred"
+ SqAct :: "[action, 'a stfun] \<Rightarrow> action"
+ AnAct :: "[action, 'a stfun] \<Rightarrow> action"
+ enabled :: "action \<Rightarrow> stpred"
(** concrete syntax **)
syntax
(* Syntax for writing action expressions in arbitrary contexts *)
- "_ACT" :: "lift => 'a" ("(ACT _)")
+ "_ACT" :: "lift \<Rightarrow> 'a" ("(ACT _)")
- "_before" :: "lift => lift" ("($_)" [100] 99)
- "_after" :: "lift => lift" ("(_$)" [100] 99)
- "_unchanged" :: "lift => lift" ("(unchanged _)" [100] 99)
+ "_before" :: "lift \<Rightarrow> lift" ("($_)" [100] 99)
+ "_after" :: "lift \<Rightarrow> lift" ("(_$)" [100] 99)
+ "_unchanged" :: "lift \<Rightarrow> lift" ("(unchanged _)" [100] 99)
(*** Priming: same as "after" ***)
- "_prime" :: "lift => lift" ("(_`)" [100] 99)
+ "_prime" :: "lift \<Rightarrow> lift" ("(_`)" [100] 99)
- "_SqAct" :: "[lift, lift] => lift" ("([_]'_(_))" [0,1000] 99)
- "_AnAct" :: "[lift, lift] => lift" ("(<_>'_(_))" [0,1000] 99)
- "_Enabled" :: "lift => lift" ("(Enabled _)" [100] 100)
+ "_SqAct" :: "[lift, lift] \<Rightarrow> lift" ("([_]'_(_))" [0,1000] 99)
+ "_AnAct" :: "[lift, lift] \<Rightarrow> lift" ("(<_>'_(_))" [0,1000] 99)
+ "_Enabled" :: "lift \<Rightarrow> lift" ("(Enabled _)" [100] 100)
translations
- "ACT A" => "(A::state*state => _)"
+ "ACT A" => "(A::state*state \<Rightarrow> _)"
"_before" == "CONST before"
"_after" == "CONST after"
"_prime" => "_after"
@@ -53,22 +53,22 @@
"_SqAct" == "CONST SqAct"
"_AnAct" == "CONST AnAct"
"_Enabled" == "CONST enabled"
- "w |= [A]_v" <= "_SqAct A v w"
- "w |= <A>_v" <= "_AnAct A v w"
- "s |= Enabled A" <= "_Enabled A s"
- "w |= unchanged f" <= "_unchanged f w"
+ "w \<Turnstile> [A]_v" <= "_SqAct A v w"
+ "w \<Turnstile> <A>_v" <= "_AnAct A v w"
+ "s \<Turnstile> Enabled A" <= "_Enabled A s"
+ "w \<Turnstile> unchanged f" <= "_unchanged f w"
axiomatization where
- unl_before: "(ACT $v) (s,t) == v s" and
- unl_after: "(ACT v$) (s,t) == v t" and
+ unl_before: "(ACT $v) (s,t) \<equiv> v s" and
+ unl_after: "(ACT v$) (s,t) \<equiv> v t" and
- unchanged_def: "(s,t) |= unchanged v == (v t = v s)"
+ unchanged_def: "(s,t) \<Turnstile> unchanged v \<equiv> (v t = v s)"
defs
- square_def: "ACT [A]_v == ACT (A | unchanged v)"
- angle_def: "ACT <A>_v == ACT (A & ~ unchanged v)"
+ square_def: "ACT [A]_v \<equiv> ACT (A \<or> unchanged v)"
+ angle_def: "ACT <A>_v \<equiv> ACT (A \<and> \<not> unchanged v)"
- enabled_def: "s |= Enabled A == EX u. (s,u) |= A"
+ enabled_def: "s \<Turnstile> Enabled A \<equiv> \<exists>u. (s,u) \<Turnstile> A"
(* The following assertion specializes "intI" for any world type
@@ -76,22 +76,22 @@
*)
lemma actionI [intro!]:
- assumes "!!s t. (s,t) |= A"
- shows "|- A"
+ assumes "\<And>s t. (s,t) \<Turnstile> A"
+ shows "\<turnstile> A"
apply (rule assms intI prod.induct)+
done
-lemma actionD [dest]: "|- A ==> (s,t) |= A"
+lemma actionD [dest]: "\<turnstile> A \<Longrightarrow> (s,t) \<Turnstile> A"
apply (erule intD)
done
lemma pr_rews [int_rewrite]:
- "|- (#c)` = #c"
- "!!f. |- f<x>` = f<x` >"
- "!!f. |- f<x,y>` = f<x`,y` >"
- "!!f. |- f<x,y,z>` = f<x`,y`,z` >"
- "|- (! x. P x)` = (! x. (P x)`)"
- "|- (? x. P x)` = (? x. (P x)`)"
+ "\<turnstile> (#c)` = #c"
+ "\<And>f. \<turnstile> f<x>` = f<x` >"
+ "\<And>f. \<turnstile> f<x,y>` = f<x`,y` >"
+ "\<And>f. \<turnstile> f<x,y,z>` = f<x`,y`,z` >"
+ "\<turnstile> (\<forall>x. P x)` = (\<forall>x. (P x)`)"
+ "\<turnstile> (\<exists>x. P x)` = (\<exists>x. (P x)`)"
by (rule actionI, unfold unl_after intensional_rews, rule refl)+
@@ -102,7 +102,7 @@
(* ================ Functions to "unlift" action theorems into HOL rules ================ *)
-ML {*
+ML \<open>
(* The following functions are specialized versions of the corresponding
functions defined in Intensional.ML in that they introduce a
"world" parameter of the form (s,t) and apply additional rewrites.
@@ -112,7 +112,7 @@
(rewrite_rule ctxt @{thms action_rews} (th RS @{thm actionD}))
handle THM _ => int_unlift ctxt th;
-(* Turn |- A = B into meta-level rewrite rule A == B *)
+(* Turn \<turnstile> A = B into meta-level rewrite rule A == B *)
val action_rewrite = int_rewrite
fun action_use ctxt th =
@@ -120,81 +120,81 @@
Const _ $ (Const (@{const_name Valid}, _) $ _) =>
(flatten (action_unlift ctxt th) handle THM _ => th)
| _ => th;
-*}
+\<close>
attribute_setup action_unlift =
- {* Scan.succeed (Thm.rule_attribute (action_unlift o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (action_unlift o Context.proof_of))\<close>
attribute_setup action_rewrite =
- {* Scan.succeed (Thm.rule_attribute (action_rewrite o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (action_rewrite o Context.proof_of))\<close>
attribute_setup action_use =
- {* Scan.succeed (Thm.rule_attribute (action_use o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (action_use o Context.proof_of))\<close>
(* =========================== square / angle brackets =========================== *)
-lemma idle_squareI: "(s,t) |= unchanged v ==> (s,t) |= [A]_v"
+lemma idle_squareI: "(s,t) \<Turnstile> unchanged v \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
by (simp add: square_def)
-lemma busy_squareI: "(s,t) |= A ==> (s,t) |= [A]_v"
+lemma busy_squareI: "(s,t) \<Turnstile> A \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
by (simp add: square_def)
-
+
lemma squareE [elim]:
- "[| (s,t) |= [A]_v; A (s,t) ==> B (s,t); v t = v s ==> B (s,t) |] ==> B (s,t)"
+ "\<lbrakk> (s,t) \<Turnstile> [A]_v; A (s,t) \<Longrightarrow> B (s,t); v t = v s \<Longrightarrow> B (s,t) \<rbrakk> \<Longrightarrow> B (s,t)"
apply (unfold square_def action_rews)
apply (erule disjE)
apply simp_all
done
-lemma squareCI [intro]: "[| v t ~= v s ==> A (s,t) |] ==> (s,t) |= [A]_v"
+lemma squareCI [intro]: "\<lbrakk> v t \<noteq> v s \<Longrightarrow> A (s,t) \<rbrakk> \<Longrightarrow> (s,t) \<Turnstile> [A]_v"
apply (unfold square_def action_rews)
apply (rule disjCI)
apply (erule (1) meta_mp)
done
-lemma angleI [intro]: "!!s t. [| A (s,t); v t ~= v s |] ==> (s,t) |= <A>_v"
+lemma angleI [intro]: "\<And>s t. \<lbrakk> A (s,t); v t \<noteq> v s \<rbrakk> \<Longrightarrow> (s,t) \<Turnstile> <A>_v"
by (simp add: angle_def)
-lemma angleE [elim]: "[| (s,t) |= <A>_v; [| A (s,t); v t ~= v s |] ==> R |] ==> R"
+lemma angleE [elim]: "\<lbrakk> (s,t) \<Turnstile> <A>_v; \<lbrakk> A (s,t); v t \<noteq> v s \<rbrakk> \<Longrightarrow> R \<rbrakk> \<Longrightarrow> R"
apply (unfold angle_def action_rews)
apply (erule conjE)
apply simp
done
lemma square_simulation:
- "!!f. [| |- unchanged f & ~B --> unchanged g;
- |- A & ~unchanged g --> B
- |] ==> |- [A]_f --> [B]_g"
+ "\<And>f. \<lbrakk> \<turnstile> unchanged f \<and> \<not>B \<longrightarrow> unchanged g;
+ \<turnstile> A \<and> \<not>unchanged g \<longrightarrow> B
+ \<rbrakk> \<Longrightarrow> \<turnstile> [A]_f \<longrightarrow> [B]_g"
apply clarsimp
apply (erule squareE)
apply (auto simp add: square_def)
done
-lemma not_square: "|- (~ [A]_v) = <~A>_v"
+lemma not_square: "\<turnstile> (\<not> [A]_v) = <\<not>A>_v"
by (auto simp: square_def angle_def)
-lemma not_angle: "|- (~ <A>_v) = [~A]_v"
+lemma not_angle: "\<turnstile> (\<not> <A>_v) = [\<not>A]_v"
by (auto simp: square_def angle_def)
(* ============================== Facts about ENABLED ============================== *)
-lemma enabledI: "|- A --> $Enabled A"
+lemma enabledI: "\<turnstile> A \<longrightarrow> $Enabled A"
by (auto simp add: enabled_def)
-lemma enabledE: "[| s |= Enabled A; !!u. A (s,u) ==> Q |] ==> Q"
+lemma enabledE: "\<lbrakk> s \<Turnstile> Enabled A; \<And>u. A (s,u) \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
apply (unfold enabled_def)
apply (erule exE)
apply simp
done
-lemma notEnabledD: "|- ~$Enabled G --> ~ G"
+lemma notEnabledD: "\<turnstile> \<not>$Enabled G \<longrightarrow> \<not> G"
by (auto simp add: enabled_def)
(* Monotonicity *)
lemma enabled_mono:
- assumes min: "s |= Enabled F"
- and maj: "|- F --> G"
- shows "s |= Enabled G"
+ assumes min: "s \<Turnstile> Enabled F"
+ and maj: "\<turnstile> F \<longrightarrow> G"
+ shows "s \<Turnstile> Enabled G"
apply (rule min [THEN enabledE])
apply (rule enabledI [action_use])
apply (erule maj [action_use])
@@ -202,50 +202,50 @@
(* stronger variant *)
lemma enabled_mono2:
- assumes min: "s |= Enabled F"
- and maj: "!!t. F (s,t) ==> G (s,t)"
- shows "s |= Enabled G"
+ assumes min: "s \<Turnstile> Enabled F"
+ and maj: "\<And>t. F (s,t) \<Longrightarrow> G (s,t)"
+ shows "s \<Turnstile> Enabled G"
apply (rule min [THEN enabledE])
apply (rule enabledI [action_use])
apply (erule maj)
done
-lemma enabled_disj1: "|- Enabled F --> Enabled (F | G)"
+lemma enabled_disj1: "\<turnstile> Enabled F \<longrightarrow> Enabled (F \<or> G)"
by (auto elim!: enabled_mono)
-lemma enabled_disj2: "|- Enabled G --> Enabled (F | G)"
+lemma enabled_disj2: "\<turnstile> Enabled G \<longrightarrow> Enabled (F \<or> G)"
by (auto elim!: enabled_mono)
-lemma enabled_conj1: "|- Enabled (F & G) --> Enabled F"
+lemma enabled_conj1: "\<turnstile> Enabled (F \<and> G) \<longrightarrow> Enabled F"
by (auto elim!: enabled_mono)
-lemma enabled_conj2: "|- Enabled (F & G) --> Enabled G"
+lemma enabled_conj2: "\<turnstile> Enabled (F \<and> G) \<longrightarrow> Enabled G"
by (auto elim!: enabled_mono)
lemma enabled_conjE:
- "[| s |= Enabled (F & G); [| s |= Enabled F; s |= Enabled G |] ==> Q |] ==> Q"
+ "\<lbrakk> s \<Turnstile> Enabled (F \<and> G); \<lbrakk> s \<Turnstile> Enabled F; s \<Turnstile> Enabled G \<rbrakk> \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
apply (frule enabled_conj1 [action_use])
apply (drule enabled_conj2 [action_use])
apply simp
done
-lemma enabled_disjD: "|- Enabled (F | G) --> Enabled F | Enabled G"
+lemma enabled_disjD: "\<turnstile> Enabled (F \<or> G) \<longrightarrow> Enabled F \<or> Enabled G"
by (auto simp add: enabled_def)
-lemma enabled_disj: "|- Enabled (F | G) = (Enabled F | Enabled G)"
+lemma enabled_disj: "\<turnstile> Enabled (F \<or> G) = (Enabled F \<or> Enabled G)"
apply clarsimp
apply (rule iffI)
apply (erule enabled_disjD [action_use])
apply (erule disjE enabled_disj1 [action_use] enabled_disj2 [action_use])+
done
-lemma enabled_ex: "|- Enabled (EX x. F x) = (EX x. Enabled (F x))"
+lemma enabled_ex: "\<turnstile> Enabled (\<exists>x. F x) = (\<exists>x. Enabled (F x))"
by (force simp add: enabled_def)
(* A rule that combines enabledI and baseE, but generates fewer instantiations *)
lemma base_enabled:
- "[| basevars vs; EX c. ! u. vs u = c --> A(s,u) |] ==> s |= Enabled A"
+ "\<lbrakk> basevars vs; \<exists>c. \<forall>u. vs u = c \<longrightarrow> A(s,u) \<rbrakk> \<Longrightarrow> s \<Turnstile> Enabled A"
apply (erule exE)
apply (erule baseE)
apply (rule enabledI [action_use])
@@ -256,7 +256,7 @@
(* ======================= action_simp_tac ============================== *)
-ML {*
+ML \<open>
(* A dumb simplification-based tactic with just a little first-order logic:
should plug in only "very safe" rules that can be applied blindly.
Note that it applies whatever simplifications are currently active.
@@ -267,11 +267,11 @@
@ [refl,impI,conjI,@{thm actionI},@{thm intI},allI]))
ORELSE' (eresolve_tac ctxt ((map (action_use ctxt) elims)
@ [conjE,disjE,exE]))));
-*}
+\<close>
(* ---------------- enabled_tac: tactic to prove (Enabled A) -------------------- *)
-ML {*
+ML \<open>
(* "Enabled A" can be proven as follows:
- Assume that we know which state variables are "base variables"
this should be expressed by a theorem of the form "basevars (x,y,z,...)".
@@ -284,17 +284,17 @@
fun enabled_tac ctxt base_vars =
clarsimp_tac (ctxt addSIs [base_vars RS @{thm base_enabled}]);
-*}
+\<close>
-method_setup enabled = {*
+method_setup enabled = \<open>
Attrib.thm >> (fn th => fn ctxt => SIMPLE_METHOD' (enabled_tac ctxt th))
-*}
+\<close>
(* Example *)
lemma
assumes "basevars (x,y,z)"
- shows "|- x --> Enabled ($x & (y$ = #False))"
+ shows "\<turnstile> x \<longrightarrow> Enabled ($x \<and> (y$ = #False))"
apply (enabled assms)
apply auto
done
--- a/src/HOL/TLA/Buffer/Buffer.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Buffer/Buffer.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,64 +2,64 @@
Author: Stephan Merz, University of Munich
*)
-section {* A simple FIFO buffer (synchronous communication, interleaving) *}
+section \<open>A simple FIFO buffer (synchronous communication, interleaving)\<close>
theory Buffer
-imports TLA
+imports "../TLA"
begin
consts
(* actions *)
- BInit :: "'a stfun => 'a list stfun => 'a stfun => stpred"
- Enq :: "'a stfun => 'a list stfun => 'a stfun => action"
- Deq :: "'a stfun => 'a list stfun => 'a stfun => action"
- Next :: "'a stfun => 'a list stfun => 'a stfun => action"
+ BInit :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> stpred"
+ Enq :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
+ Deq :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
+ Next :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> action"
(* temporal formulas *)
- IBuffer :: "'a stfun => 'a list stfun => 'a stfun => temporal"
- Buffer :: "'a stfun => 'a stfun => temporal"
+ IBuffer :: "'a stfun \<Rightarrow> 'a list stfun \<Rightarrow> 'a stfun \<Rightarrow> temporal"
+ Buffer :: "'a stfun \<Rightarrow> 'a stfun \<Rightarrow> temporal"
defs
BInit_def: "BInit ic q oc == PRED q = #[]"
- Enq_def: "Enq ic q oc == ACT (ic$ ~= $ic)
- & (q$ = $q @ [ ic$ ])
- & (oc$ = $oc)"
- Deq_def: "Deq ic q oc == ACT ($q ~= #[])
- & (oc$ = hd< $q >)
- & (q$ = tl< $q >)
- & (ic$ = $ic)"
- Next_def: "Next ic q oc == ACT (Enq ic q oc | Deq ic q oc)"
+ Enq_def: "Enq ic q oc == ACT (ic$ \<noteq> $ic)
+ \<and> (q$ = $q @ [ ic$ ])
+ \<and> (oc$ = $oc)"
+ Deq_def: "Deq ic q oc == ACT ($q \<noteq> #[])
+ \<and> (oc$ = hd< $q >)
+ \<and> (q$ = tl< $q >)
+ \<and> (ic$ = $ic)"
+ Next_def: "Next ic q oc == ACT (Enq ic q oc \<or> Deq ic q oc)"
IBuffer_def: "IBuffer ic q oc == TEMP Init (BInit ic q oc)
- & [][Next ic q oc]_(ic,q,oc)
- & WF(Deq ic q oc)_(ic,q,oc)"
- Buffer_def: "Buffer ic oc == TEMP (EEX q. IBuffer ic q oc)"
+ \<and> \<box>[Next ic q oc]_(ic,q,oc)
+ \<and> WF(Deq ic q oc)_(ic,q,oc)"
+ Buffer_def: "Buffer ic oc == TEMP (\<exists>\<exists>q. IBuffer ic q oc)"
(* ---------------------------- Data lemmas ---------------------------- *)
(*FIXME: move to theory List? Maybe as (tl xs = xs) = (xs = [])"?*)
-lemma tl_not_self [simp]: "xs ~= [] ==> tl xs ~= xs"
+lemma tl_not_self [simp]: "xs \<noteq> [] \<Longrightarrow> tl xs \<noteq> xs"
by (auto simp: neq_Nil_conv)
(* ---------------------------- Action lemmas ---------------------------- *)
(* Dequeue is visible *)
-lemma Deq_visible: "|- <Deq ic q oc>_(ic,q,oc) = Deq ic q oc"
+lemma Deq_visible: "\<turnstile> <Deq ic q oc>_(ic,q,oc) = Deq ic q oc"
apply (unfold angle_def Deq_def)
apply (safe, simp (asm_lr))+
done
(* Enabling condition for dequeue -- NOT NEEDED *)
lemma Deq_enabled:
- "!!q. basevars (ic,q,oc) ==> |- Enabled (<Deq ic q oc>_(ic,q,oc)) = (q ~= #[])"
+ "\<And>q. basevars (ic,q,oc) \<Longrightarrow> \<turnstile> Enabled (<Deq ic q oc>_(ic,q,oc)) = (q \<noteq> #[])"
apply (unfold Deq_visible [temp_rewrite])
apply (force elim!: base_enabled [temp_use] enabledE [temp_use] simp: Deq_def)
done
(* For the left-to-right implication, we don't need the base variable stuff *)
lemma Deq_enabledE:
- "|- Enabled (<Deq ic q oc>_(ic,q,oc)) --> (q ~= #[])"
+ "\<turnstile> Enabled (<Deq ic q oc>_(ic,q,oc)) \<longrightarrow> (q \<noteq> #[])"
apply (unfold Deq_visible [temp_rewrite])
apply (auto elim!: enabledE simp add: Deq_def)
done
--- a/src/HOL/TLA/Buffer/DBuffer.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Buffer/DBuffer.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* Two FIFO buffers in a row, with interleaving assumption *}
+section \<open>Two FIFO buffers in a row, with interleaving assumption\<close>
theory DBuffer
imports Buffer
@@ -29,17 +29,17 @@
(* the concatenation of the two buffers *)
qc_def: "PRED qc == PRED (q2 @ q1)" and
- DBInit_def: "DBInit == PRED (BInit inp q1 mid & BInit mid q2 out)" and
- DBEnq_def: "DBEnq == ACT Enq inp q1 mid & unchanged (q2,out)" and
- DBDeq_def: "DBDeq == ACT Deq mid q2 out & unchanged (inp,q1)" and
+ DBInit_def: "DBInit == PRED (BInit inp q1 mid \<and> BInit mid q2 out)" and
+ DBEnq_def: "DBEnq == ACT Enq inp q1 mid \<and> unchanged (q2,out)" and
+ DBDeq_def: "DBDeq == ACT Deq mid q2 out \<and> unchanged (inp,q1)" and
DBPass_def: "DBPass == ACT Deq inp q1 mid
- & (q2$ = $q2 @ [ mid$ ])
- & (out$ = $out)" and
- DBNext_def: "DBNext == ACT (DBEnq | DBDeq | DBPass)" and
+ \<and> (q2$ = $q2 @ [ mid$ ])
+ \<and> (out$ = $out)" and
+ DBNext_def: "DBNext == ACT (DBEnq \<or> DBDeq \<or> DBPass)" and
DBuffer_def: "DBuffer == TEMP Init DBInit
- & [][DBNext]_(inp,mid,out,q1,q2)
- & WF(DBDeq)_(inp,mid,out,q1,q2)
- & WF(DBPass)_(inp,mid,out,q1,q2)"
+ \<and> \<box>[DBNext]_(inp,mid,out,q1,q2)
+ \<and> WF(DBDeq)_(inp,mid,out,q1,q2)
+ \<and> WF(DBPass)_(inp,mid,out,q1,q2)"
declare qc_def [simp]
@@ -50,39 +50,39 @@
(*** Proper initialization ***)
-lemma DBInit: "|- Init DBInit --> Init (BInit inp qc out)"
+lemma DBInit: "\<turnstile> Init DBInit \<longrightarrow> Init (BInit inp qc out)"
by (auto simp: Init_def DBInit_def BInit_def)
(*** Step simulation ***)
-lemma DB_step_simulation: "|- [DBNext]_(inp,mid,out,q1,q2) --> [Next inp qc out]_(inp,qc,out)"
+lemma DB_step_simulation: "\<turnstile> [DBNext]_(inp,mid,out,q1,q2) \<longrightarrow> [Next inp qc out]_(inp,qc,out)"
apply (rule square_simulation)
apply clarsimp
apply (tactic
- {* action_simp_tac (@{context} addsimps (@{thm hd_append} :: @{thms db_defs})) [] [] 1 *})
+ \<open>action_simp_tac (@{context} addsimps (@{thm hd_append} :: @{thms db_defs})) [] [] 1\<close>)
done
(*** Simulation of fairness ***)
(* Compute enabledness predicates for DBDeq and DBPass actions *)
-lemma DBDeq_visible: "|- <DBDeq>_(inp,mid,out,q1,q2) = DBDeq"
+lemma DBDeq_visible: "\<turnstile> <DBDeq>_(inp,mid,out,q1,q2) = DBDeq"
apply (unfold angle_def DBDeq_def Deq_def)
apply (safe, simp (asm_lr))+
done
lemma DBDeq_enabled:
- "|- Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 ~= #[])"
+ "\<turnstile> Enabled (<DBDeq>_(inp,mid,out,q1,q2)) = (q2 \<noteq> #[])"
apply (unfold DBDeq_visible [action_rewrite])
apply (force intro!: DB_base [THEN base_enabled, temp_use]
elim!: enabledE simp: angle_def DBDeq_def Deq_def)
done
-lemma DBPass_visible: "|- <DBPass>_(inp,mid,out,q1,q2) = DBPass"
+lemma DBPass_visible: "\<turnstile> <DBPass>_(inp,mid,out,q1,q2) = DBPass"
by (auto simp: angle_def DBPass_def Deq_def)
lemma DBPass_enabled:
- "|- Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 ~= #[])"
+ "\<turnstile> Enabled (<DBPass>_(inp,mid,out,q1,q2)) = (q1 \<noteq> #[])"
apply (unfold DBPass_visible [action_rewrite])
apply (force intro!: DB_base [THEN base_enabled, temp_use]
elim!: enabledE simp: angle_def DBPass_def Deq_def)
@@ -90,15 +90,15 @@
(* The plan for proving weak fairness at the higher level is to prove
- (0) DBuffer => (Enabled (Deq inp qc out) ~> (Deq inp qc out))
+ (0) DBuffer => (Enabled (Deq inp qc out) \<leadsto> (Deq inp qc out))
which is in turn reduced to the two leadsto conditions
- (1) DBuffer => (Enabled (Deq inp qc out) ~> q2 ~= [])
- (2) DBuffer => (q2 ~= [] ~> DBDeq)
+ (1) DBuffer => (Enabled (Deq inp qc out) \<leadsto> q2 \<noteq> [])
+ (2) DBuffer => (q2 \<noteq> [] \<leadsto> DBDeq)
and the fact that DBDeq implies <Deq inp qc out>_(inp,qc,out)
- (and therefore DBDeq ~> <Deq inp qc out>_(inp,qc,out) trivially holds).
+ (and therefore DBDeq \<leadsto> <Deq inp qc out>_(inp,qc,out) trivially holds).
Condition (1) is reduced to
- (1a) DBuffer => (qc ~= [] /\ q2 = [] ~> q2 ~= [])
+ (1a) DBuffer => (qc \<noteq> [] /\ q2 = [] \<leadsto> q2 \<noteq> [])
by standard leadsto rules (leadsto_classical) and rule Deq_enabledE.
Both (1a) and (2) are proved from DBuffer's WF conditions by standard
@@ -109,8 +109,8 @@
*)
(* Condition (1a) *)
-lemma DBFair_1a: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
- --> (qc ~= #[] & q2 = #[] ~> q2 ~= #[])"
+lemma DBFair_1a: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) \<and> WF(DBPass)_(inp,mid,out,q1,q2)
+ \<longrightarrow> (qc \<noteq> #[] \<and> q2 = #[] \<leadsto> q2 \<noteq> #[])"
apply (rule WF1)
apply (force simp: db_defs)
apply (force simp: angle_def DBPass_def)
@@ -118,8 +118,8 @@
done
(* Condition (1) *)
-lemma DBFair_1: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
- --> (Enabled (<Deq inp qc out>_(inp,qc,out)) ~> q2 ~= #[])"
+lemma DBFair_1: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) \<and> WF(DBPass)_(inp,mid,out,q1,q2)
+ \<longrightarrow> (Enabled (<Deq inp qc out>_(inp,qc,out)) \<leadsto> q2 \<noteq> #[])"
apply clarsimp
apply (rule leadsto_classical [temp_use])
apply (rule DBFair_1a [temp_use, THEN LatticeTransitivity [temp_use]])
@@ -130,8 +130,8 @@
done
(* Condition (2) *)
-lemma DBFair_2: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBDeq)_(inp,mid,out,q1,q2)
- --> (q2 ~= #[] ~> DBDeq)"
+lemma DBFair_2: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) \<and> WF(DBDeq)_(inp,mid,out,q1,q2)
+ \<longrightarrow> (q2 \<noteq> #[] \<leadsto> DBDeq)"
apply (rule WF_leadsto)
apply (force simp: DBDeq_enabled [temp_use])
apply (force simp: angle_def)
@@ -139,9 +139,9 @@
done
(* High-level fairness *)
-lemma DBFair: "|- [][DBNext]_(inp,mid,out,q1,q2) & WF(DBPass)_(inp,mid,out,q1,q2)
- & WF(DBDeq)_(inp,mid,out,q1,q2)
- --> WF(Deq inp qc out)_(inp,qc,out)"
+lemma DBFair: "\<turnstile> \<box>[DBNext]_(inp,mid,out,q1,q2) \<and> WF(DBPass)_(inp,mid,out,q1,q2)
+ \<and> WF(DBDeq)_(inp,mid,out,q1,q2)
+ \<longrightarrow> WF(Deq inp qc out)_(inp,qc,out)"
apply (auto simp del: qc_def intro!: leadsto_WF [temp_use]
DBFair_1 [temp_use, THEN [2] LatticeTransitivity [temp_use]]
DBFair_2 [temp_use, THEN [2] LatticeTransitivity [temp_use]])
@@ -150,7 +150,7 @@
done
(*** Main theorem ***)
-lemma DBuffer_impl_Buffer: "|- DBuffer --> Buffer inp out"
+lemma DBuffer_impl_Buffer: "\<turnstile> DBuffer \<longrightarrow> Buffer inp out"
apply (unfold DBuffer_def Buffer_def IBuffer_def)
apply (force intro!: eexI [temp_use] DBInit [temp_use]
DB_step_simulation [THEN STL4, temp_use] DBFair [temp_use])
--- a/src/HOL/TLA/Inc/Inc.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Inc/Inc.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,10 +2,10 @@
Author: Stephan Merz, University of Munich
*)
-section {* Lamport's "increment" example *}
+section \<open>Lamport's "increment" example\<close>
theory Inc
-imports TLA
+imports "../TLA"
begin
(* program counter as an enumeration type *)
@@ -45,38 +45,38 @@
Inc_base: "basevars (x, y, sem, pc1, pc2)" and
(* definitions for high-level program *)
- InitPhi_def: "InitPhi == PRED x = # 0 & y = # 0" and
- M1_def: "M1 == ACT x$ = Suc<$x> & y$ = $y" and
- M2_def: "M2 == ACT y$ = Suc<$y> & x$ = $x" and
- Phi_def: "Phi == TEMP Init InitPhi & [][M1 | M2]_(x,y)
- & WF(M1)_(x,y) & WF(M2)_(x,y)" and
+ InitPhi_def: "InitPhi == PRED x = # 0 \<and> y = # 0" and
+ M1_def: "M1 == ACT x$ = Suc<$x> \<and> y$ = $y" and
+ M2_def: "M2 == ACT y$ = Suc<$y> \<and> x$ = $x" and
+ Phi_def: "Phi == TEMP Init InitPhi \<and> \<box>[M1 \<or> M2]_(x,y)
+ \<and> WF(M1)_(x,y) \<and> WF(M2)_(x,y)" and
(* definitions for low-level program *)
- InitPsi_def: "InitPsi == PRED pc1 = #a & pc2 = #a
- & x = # 0 & y = # 0 & sem = # 1" and
- alpha1_def: "alpha1 == ACT $pc1 = #a & pc1$ = #b & $sem = Suc<sem$>
- & unchanged(x,y,pc2)" and
- alpha2_def: "alpha2 == ACT $pc2 = #a & pc2$ = #b & $sem = Suc<sem$>
- & unchanged(x,y,pc1)" and
- beta1_def: "beta1 == ACT $pc1 = #b & pc1$ = #g & x$ = Suc<$x>
- & unchanged(y,sem,pc2)" and
- beta2_def: "beta2 == ACT $pc2 = #b & pc2$ = #g & y$ = Suc<$y>
- & unchanged(x,sem,pc1)" and
- gamma1_def: "gamma1 == ACT $pc1 = #g & pc1$ = #a & sem$ = Suc<$sem>
- & unchanged(x,y,pc2)" and
- gamma2_def: "gamma2 == ACT $pc2 = #g & pc2$ = #a & sem$ = Suc<$sem>
- & unchanged(x,y,pc1)" and
- N1_def: "N1 == ACT (alpha1 | beta1 | gamma1)" and
- N2_def: "N2 == ACT (alpha2 | beta2 | gamma2)" and
+ InitPsi_def: "InitPsi == PRED pc1 = #a \<and> pc2 = #a
+ \<and> x = # 0 \<and> y = # 0 \<and> sem = # 1" and
+ alpha1_def: "alpha1 == ACT $pc1 = #a \<and> pc1$ = #b \<and> $sem = Suc<sem$>
+ \<and> unchanged(x,y,pc2)" and
+ alpha2_def: "alpha2 == ACT $pc2 = #a \<and> pc2$ = #b \<and> $sem = Suc<sem$>
+ \<and> unchanged(x,y,pc1)" and
+ beta1_def: "beta1 == ACT $pc1 = #b \<and> pc1$ = #g \<and> x$ = Suc<$x>
+ \<and> unchanged(y,sem,pc2)" and
+ beta2_def: "beta2 == ACT $pc2 = #b \<and> pc2$ = #g \<and> y$ = Suc<$y>
+ \<and> unchanged(x,sem,pc1)" and
+ gamma1_def: "gamma1 == ACT $pc1 = #g \<and> pc1$ = #a \<and> sem$ = Suc<$sem>
+ \<and> unchanged(x,y,pc2)" and
+ gamma2_def: "gamma2 == ACT $pc2 = #g \<and> pc2$ = #a \<and> sem$ = Suc<$sem>
+ \<and> unchanged(x,y,pc1)" and
+ N1_def: "N1 == ACT (alpha1 \<or> beta1 \<or> gamma1)" and
+ N2_def: "N2 == ACT (alpha2 \<or> beta2 \<or> gamma2)" and
Psi_def: "Psi == TEMP Init InitPsi
- & [][N1 | N2]_(x,y,sem,pc1,pc2)
- & SF(N1)_(x,y,sem,pc1,pc2)
- & SF(N2)_(x,y,sem,pc1,pc2)" and
+ \<and> \<box>[N1 \<or> N2]_(x,y,sem,pc1,pc2)
+ \<and> SF(N1)_(x,y,sem,pc1,pc2)
+ \<and> SF(N2)_(x,y,sem,pc1,pc2)" and
- PsiInv1_def: "PsiInv1 == PRED sem = # 1 & pc1 = #a & pc2 = #a" and
- PsiInv2_def: "PsiInv2 == PRED sem = # 0 & pc1 = #a & (pc2 = #b | pc2 = #g)" and
- PsiInv3_def: "PsiInv3 == PRED sem = # 0 & pc2 = #a & (pc1 = #b | pc1 = #g)" and
- PsiInv_def: "PsiInv == PRED (PsiInv1 | PsiInv2 | PsiInv3)"
+ PsiInv1_def: "PsiInv1 == PRED sem = # 1 \<and> pc1 = #a \<and> pc2 = #a" and
+ PsiInv2_def: "PsiInv2 == PRED sem = # 0 \<and> pc1 = #a \<and> (pc2 = #b \<or> pc2 = #g)" and
+ PsiInv3_def: "PsiInv3 == PRED sem = # 0 \<and> pc2 = #a \<and> (pc1 = #b \<or> pc1 = #g)" and
+ PsiInv_def: "PsiInv == PRED (PsiInv1 \<or> PsiInv2 \<or> PsiInv3)"
lemmas PsiInv_defs = PsiInv_def PsiInv1_def PsiInv2_def PsiInv3_def
@@ -86,31 +86,31 @@
(*** Invariant proof for Psi: "manual" proof proves individual lemmas ***)
-lemma PsiInv_Init: "|- InitPsi --> PsiInv"
+lemma PsiInv_Init: "\<turnstile> InitPsi \<longrightarrow> PsiInv"
by (auto simp: InitPsi_def PsiInv_defs)
-lemma PsiInv_alpha1: "|- alpha1 & $PsiInv --> PsiInv$"
+lemma PsiInv_alpha1: "\<turnstile> alpha1 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: alpha1_def PsiInv_defs)
-lemma PsiInv_alpha2: "|- alpha2 & $PsiInv --> PsiInv$"
+lemma PsiInv_alpha2: "\<turnstile> alpha2 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: alpha2_def PsiInv_defs)
-lemma PsiInv_beta1: "|- beta1 & $PsiInv --> PsiInv$"
+lemma PsiInv_beta1: "\<turnstile> beta1 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: beta1_def PsiInv_defs)
-lemma PsiInv_beta2: "|- beta2 & $PsiInv --> PsiInv$"
+lemma PsiInv_beta2: "\<turnstile> beta2 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: beta2_def PsiInv_defs)
-lemma PsiInv_gamma1: "|- gamma1 & $PsiInv --> PsiInv$"
+lemma PsiInv_gamma1: "\<turnstile> gamma1 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: gamma1_def PsiInv_defs)
-lemma PsiInv_gamma2: "|- gamma2 & $PsiInv --> PsiInv$"
+lemma PsiInv_gamma2: "\<turnstile> gamma2 \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: gamma2_def PsiInv_defs)
-lemma PsiInv_stutter: "|- unchanged (x,y,sem,pc1,pc2) & $PsiInv --> PsiInv$"
+lemma PsiInv_stutter: "\<turnstile> unchanged (x,y,sem,pc1,pc2) \<and> $PsiInv \<longrightarrow> PsiInv$"
by (auto simp: PsiInv_defs)
-lemma PsiInv: "|- Psi --> []PsiInv"
+lemma PsiInv: "\<turnstile> Psi \<longrightarrow> \<box>PsiInv"
apply (invariant simp: Psi_def)
apply (force simp: PsiInv_Init [try_rewrite] Init_def)
apply (auto intro: PsiInv_alpha1 [try_rewrite] PsiInv_alpha2 [try_rewrite]
@@ -123,16 +123,16 @@
More realistic examples require user guidance anyway.
*)
-lemma "|- Psi --> []PsiInv"
+lemma "\<turnstile> Psi \<longrightarrow> \<box>PsiInv"
by (auto_invariant simp: PsiInv_defs Psi_defs)
(**** Step simulation ****)
-lemma Init_sim: "|- Psi --> Init InitPhi"
+lemma Init_sim: "\<turnstile> Psi \<longrightarrow> Init InitPhi"
by (auto simp: InitPhi_def Psi_def InitPsi_def Init_def)
-lemma Step_sim: "|- Psi --> [][M1 | M2]_(x,y)"
+lemma Step_sim: "\<turnstile> Psi \<longrightarrow> \<box>[M1 \<or> M2]_(x,y)"
by (auto simp: square_def M1_def M2_def Psi_defs elim!: STL4E [temp_use])
@@ -140,7 +140,7 @@
(*
The goal is to prove Fair_M1 far below, which asserts
- |- Psi --> WF(M1)_(x,y)
+ \<turnstile> Psi \<longrightarrow> WF(M1)_(x,y)
(the other fairness condition is symmetrical).
The strategy is to use WF2 (with beta1 as the helpful action). Proving its
@@ -154,10 +154,10 @@
the auxiliary lemmas are very similar.
*)
-lemma Stuck_at_b: "|- [][(N1 | N2) & ~ beta1]_(x,y,sem,pc1,pc2) --> stable(pc1 = #b)"
+lemma Stuck_at_b: "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not> beta1]_(x,y,sem,pc1,pc2) \<longrightarrow> stable(pc1 = #b)"
by (auto elim!: Stable squareE simp: Psi_defs)
-lemma N1_enabled_at_g: "|- pc1 = #g --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
+lemma N1_enabled_at_g: "\<turnstile> pc1 = #g \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
apply clarsimp
apply (rule_tac F = gamma1 in enabled_mono)
apply (enabled Inc_base)
@@ -166,20 +166,20 @@
done
lemma g1_leadsto_a1:
- "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N1)_(x,y,sem,pc1,pc2) & []#True
- --> (pc1 = #g ~> pc1 = #a)"
+ "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2) \<and> SF(N1)_(x,y,sem,pc1,pc2) \<and> \<box>#True
+ \<longrightarrow> (pc1 = #g \<leadsto> pc1 = #a)"
apply (rule SF1)
apply (tactic
- {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
+ \<open>action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1\<close>)
apply (tactic
- {* action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs}) [] [] 1 *})
- (* reduce |- []A --> <>Enabled B to |- A --> Enabled B *)
+ \<open>action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs}) [] [] 1\<close>)
+ (* reduce \<turnstile> \<box>A \<longrightarrow> \<diamond>Enabled B to \<turnstile> A \<longrightarrow> Enabled B *)
apply (auto intro!: InitDmd_gen [temp_use] N1_enabled_at_g [temp_use]
dest!: STL2_gen [temp_use] simp: Init_def)
done
(* symmetrical for N2, and similar for beta2 *)
-lemma N2_enabled_at_g: "|- pc2 = #g --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
+lemma N2_enabled_at_g: "\<turnstile> pc2 = #g \<longrightarrow> Enabled (<N2>_(x,y,sem,pc1,pc2))"
apply clarsimp
apply (rule_tac F = gamma2 in enabled_mono)
apply (enabled Inc_base)
@@ -188,17 +188,17 @@
done
lemma g2_leadsto_a2:
- "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True
- --> (pc2 = #g ~> pc2 = #a)"
+ "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2) \<and> SF(N2)_(x,y,sem,pc1,pc2) \<and> \<box>#True
+ \<longrightarrow> (pc2 = #g \<leadsto> pc2 = #a)"
apply (rule SF1)
- apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
- apply (tactic {* action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs})
- [] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1\<close>)
+ apply (tactic \<open>action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs})
+ [] [] 1\<close>)
apply (auto intro!: InitDmd_gen [temp_use] N2_enabled_at_g [temp_use]
dest!: STL2_gen [temp_use] simp add: Init_def)
done
-lemma N2_enabled_at_b: "|- pc2 = #b --> Enabled (<N2>_(x,y,sem,pc1,pc2))"
+lemma N2_enabled_at_b: "\<turnstile> pc2 = #b \<longrightarrow> Enabled (<N2>_(x,y,sem,pc1,pc2))"
apply clarsimp
apply (rule_tac F = beta2 in enabled_mono)
apply (enabled Inc_base)
@@ -207,31 +207,31 @@
done
lemma b2_leadsto_g2:
- "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True
- --> (pc2 = #b ~> pc2 = #g)"
+ "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2) \<and> SF(N2)_(x,y,sem,pc1,pc2) \<and> \<box>#True
+ \<longrightarrow> (pc2 = #b \<leadsto> pc2 = #g)"
apply (rule SF1)
apply (tactic
- {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
+ \<open>action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1\<close>)
apply (tactic
- {* action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs}) [] [] 1 *})
+ \<open>action_simp_tac (@{context} addsimps @{thm angle_def} :: @{thms Psi_defs}) [] [] 1\<close>)
apply (auto intro!: InitDmd_gen [temp_use] N2_enabled_at_b [temp_use]
dest!: STL2_gen [temp_use] simp: Init_def)
done
(* Combine above lemmas: the second component will eventually reach pc2 = a *)
lemma N2_leadsto_a:
- "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2) & []#True
- --> (pc2 = #a | pc2 = #b | pc2 = #g ~> pc2 = #a)"
+ "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2) \<and> SF(N2)_(x,y,sem,pc1,pc2) \<and> \<box>#True
+ \<longrightarrow> (pc2 = #a \<or> pc2 = #b \<or> pc2 = #g \<leadsto> pc2 = #a)"
apply (auto intro!: LatticeDisjunctionIntro [temp_use])
apply (rule LatticeReflexivity [temp_use])
apply (rule LatticeTransitivity [temp_use])
apply (auto intro!: b2_leadsto_g2 [temp_use] g2_leadsto_a2 [temp_use])
done
-(* Get rid of disjunction on the left-hand side of ~> above. *)
+(* Get rid of disjunction on the left-hand side of \<leadsto> above. *)
lemma N2_live:
- "|- [][(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2) & SF(N2)_(x,y,sem,pc1,pc2)
- --> <>(pc2 = #a)"
+ "\<turnstile> \<box>[(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2) \<and> SF(N2)_(x,y,sem,pc1,pc2)
+ \<longrightarrow> \<diamond>(pc2 = #a)"
apply (auto simp: Init_defs intro!: N2_leadsto_a [temp_use, THEN [2] leadsto_init [temp_use]])
apply (case_tac "pc2 (st1 sigma)")
apply auto
@@ -240,7 +240,7 @@
(* Now prove that the first component will eventually reach pc1 = b from pc1 = a *)
lemma N1_enabled_at_both_a:
- "|- pc2 = #a & (PsiInv & pc1 = #a) --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
+ "\<turnstile> pc2 = #a \<and> (PsiInv \<and> pc1 = #a) \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
apply clarsimp
apply (rule_tac F = alpha1 in enabled_mono)
apply (enabled Inc_base)
@@ -249,13 +249,13 @@
done
lemma a1_leadsto_b1:
- "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))
- & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)
- --> (pc1 = #a ~> pc1 = #b)"
+ "\<turnstile> \<box>($PsiInv \<and> [(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2))
+ \<and> SF(N1)_(x,y,sem,pc1,pc2) \<and> \<box> SF(N2)_(x,y,sem,pc1,pc2)
+ \<longrightarrow> (pc1 = #a \<leadsto> pc1 = #b)"
apply (rule SF1)
- apply (tactic {* action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps @{thms Psi_defs}) [] [@{thm squareE}] 1\<close>)
apply (tactic
- {* action_simp_tac (@{context} addsimps (@{thm angle_def} :: @{thms Psi_defs})) [] [] 1 *})
+ \<open>action_simp_tac (@{context} addsimps (@{thm angle_def} :: @{thms Psi_defs})) [] [] 1\<close>)
apply (clarsimp intro!: N1_enabled_at_both_a [THEN DmdImpl [temp_use]])
apply (auto intro!: BoxDmd2_simple [temp_use] N2_live [temp_use]
simp: split_box_conj more_temp_simps)
@@ -263,9 +263,9 @@
(* Combine the leadsto properties for N1: it will arrive at pc1 = b *)
-lemma N1_leadsto_b: "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))
- & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)
- --> (pc1 = #b | pc1 = #g | pc1 = #a ~> pc1 = #b)"
+lemma N1_leadsto_b: "\<turnstile> \<box>($PsiInv \<and> [(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2))
+ \<and> SF(N1)_(x,y,sem,pc1,pc2) \<and> \<box> SF(N2)_(x,y,sem,pc1,pc2)
+ \<longrightarrow> (pc1 = #b \<or> pc1 = #g \<or> pc1 = #a \<leadsto> pc1 = #b)"
apply (auto intro!: LatticeDisjunctionIntro [temp_use])
apply (rule LatticeReflexivity [temp_use])
apply (rule LatticeTransitivity [temp_use])
@@ -273,15 +273,15 @@
simp: split_box_conj)
done
-lemma N1_live: "|- []($PsiInv & [(N1 | N2) & ~beta1]_(x,y,sem,pc1,pc2))
- & SF(N1)_(x,y,sem,pc1,pc2) & [] SF(N2)_(x,y,sem,pc1,pc2)
- --> <>(pc1 = #b)"
+lemma N1_live: "\<turnstile> \<box>($PsiInv \<and> [(N1 \<or> N2) \<and> \<not>beta1]_(x,y,sem,pc1,pc2))
+ \<and> SF(N1)_(x,y,sem,pc1,pc2) \<and> \<box> SF(N2)_(x,y,sem,pc1,pc2)
+ \<longrightarrow> \<diamond>(pc1 = #b)"
apply (auto simp: Init_defs intro!: N1_leadsto_b [temp_use, THEN [2] leadsto_init [temp_use]])
apply (case_tac "pc1 (st1 sigma)")
apply auto
done
-lemma N1_enabled_at_b: "|- pc1 = #b --> Enabled (<N1>_(x,y,sem,pc1,pc2))"
+lemma N1_enabled_at_b: "\<turnstile> pc1 = #b \<longrightarrow> Enabled (<N1>_(x,y,sem,pc1,pc2))"
apply clarsimp
apply (rule_tac F = beta1 in enabled_mono)
apply (enabled Inc_base)
@@ -291,9 +291,9 @@
(* Now assemble the bits and pieces to prove that Psi is fair. *)
-lemma Fair_M1_lemma: "|- []($PsiInv & [(N1 | N2)]_(x,y,sem,pc1,pc2))
- & SF(N1)_(x,y,sem,pc1,pc2) & []SF(N2)_(x,y,sem,pc1,pc2)
- --> SF(M1)_(x,y)"
+lemma Fair_M1_lemma: "\<turnstile> \<box>($PsiInv \<and> [(N1 \<or> N2)]_(x,y,sem,pc1,pc2))
+ \<and> SF(N1)_(x,y,sem,pc1,pc2) \<and> \<box>SF(N2)_(x,y,sem,pc1,pc2)
+ \<longrightarrow> SF(M1)_(x,y)"
apply (rule_tac B = beta1 and P = "PRED pc1 = #b" in SF2)
(* action premises *)
apply (force simp: angle_def M1_def beta1_def)
@@ -304,7 +304,7 @@
elim: STL4E [temp_use] simp: square_def)
done
-lemma Fair_M1: "|- Psi --> WF(M1)_(x,y)"
+lemma Fair_M1: "\<turnstile> Psi \<longrightarrow> WF(M1)_(x,y)"
by (auto intro!: SFImplWF [temp_use] Fair_M1_lemma [temp_use] PsiInv [temp_use]
simp: Psi_def split_box_conj [temp_use] more_temp_simps)
--- a/src/HOL/TLA/Init.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Init.thy Fri Jun 26 18:51:39 2015 +0200
@@ -18,60 +18,60 @@
consts
- Initial :: "('w::world => bool) => temporal"
- first_world :: "behavior => ('w::world)"
- st1 :: "behavior => state"
- st2 :: "behavior => state"
+ Initial :: "('w::world \<Rightarrow> bool) \<Rightarrow> temporal"
+ first_world :: "behavior \<Rightarrow> ('w::world)"
+ st1 :: "behavior \<Rightarrow> state"
+ st2 :: "behavior \<Rightarrow> state"
syntax
- "_TEMP" :: "lift => 'a" ("(TEMP _)")
- "_Init" :: "lift => lift" ("(Init _)"[40] 50)
+ "_TEMP" :: "lift \<Rightarrow> 'a" ("(TEMP _)")
+ "_Init" :: "lift \<Rightarrow> lift" ("(Init _)"[40] 50)
translations
- "TEMP F" => "(F::behavior => _)"
+ "TEMP F" => "(F::behavior \<Rightarrow> _)"
"_Init" == "CONST Initial"
- "sigma |= Init F" <= "_Init F sigma"
+ "sigma \<Turnstile> Init F" <= "_Init F sigma"
defs
- Init_def: "sigma |= Init F == (first_world sigma) |= F"
+ Init_def: "sigma \<Turnstile> Init F == (first_world sigma) \<Turnstile> F"
defs (overloaded)
- fw_temp_def: "first_world == %sigma. sigma"
+ fw_temp_def: "first_world == \<lambda>sigma. sigma"
fw_stp_def: "first_world == st1"
- fw_act_def: "first_world == %sigma. (st1 sigma, st2 sigma)"
+ fw_act_def: "first_world == \<lambda>sigma. (st1 sigma, st2 sigma)"
lemma const_simps [int_rewrite, simp]:
- "|- (Init #True) = #True"
- "|- (Init #False) = #False"
+ "\<turnstile> (Init #True) = #True"
+ "\<turnstile> (Init #False) = #False"
by (auto simp: Init_def)
lemma Init_simps1 [int_rewrite]:
- "!!F. |- (Init ~F) = (~ Init F)"
- "|- (Init (P --> Q)) = (Init P --> Init Q)"
- "|- (Init (P & Q)) = (Init P & Init Q)"
- "|- (Init (P | Q)) = (Init P | Init Q)"
- "|- (Init (P = Q)) = ((Init P) = (Init Q))"
- "|- (Init (!x. F x)) = (!x. (Init F x))"
- "|- (Init (? x. F x)) = (? x. (Init F x))"
- "|- (Init (?! x. F x)) = (?! x. (Init F x))"
+ "\<And>F. \<turnstile> (Init \<not>F) = (\<not> Init F)"
+ "\<turnstile> (Init (P \<longrightarrow> Q)) = (Init P \<longrightarrow> Init Q)"
+ "\<turnstile> (Init (P \<and> Q)) = (Init P \<and> Init Q)"
+ "\<turnstile> (Init (P \<or> Q)) = (Init P \<or> Init Q)"
+ "\<turnstile> (Init (P = Q)) = ((Init P) = (Init Q))"
+ "\<turnstile> (Init (\<forall>x. F x)) = (\<forall>x. (Init F x))"
+ "\<turnstile> (Init (\<exists>x. F x)) = (\<exists>x. (Init F x))"
+ "\<turnstile> (Init (\<exists>!x. F x)) = (\<exists>!x. (Init F x))"
by (auto simp: Init_def)
-lemma Init_stp_act: "|- (Init $P) = (Init P)"
+lemma Init_stp_act: "\<turnstile> (Init $P) = (Init P)"
by (auto simp add: Init_def fw_act_def fw_stp_def)
lemmas Init_simps2 = Init_stp_act [int_rewrite] Init_simps1
lemmas Init_stp_act_rev = Init_stp_act [int_rewrite, symmetric]
-lemma Init_temp: "|- (Init F) = F"
+lemma Init_temp: "\<turnstile> (Init F) = F"
by (auto simp add: Init_def fw_temp_def)
lemmas Init_simps = Init_temp [int_rewrite] Init_simps2
(* Trivial instances of the definitions that avoid introducing lambda expressions. *)
-lemma Init_stp: "(sigma |= Init P) = P (st1 sigma)"
+lemma Init_stp: "(sigma \<Turnstile> Init P) = P (st1 sigma)"
by (simp add: Init_def fw_stp_def)
-lemma Init_act: "(sigma |= Init A) = A (st1 sigma, st2 sigma)"
+lemma Init_act: "(sigma \<Turnstile> Init A) = A (st1 sigma, st2 sigma)"
by (simp add: Init_def fw_act_def)
lemmas Init_defs = Init_stp Init_act Init_temp [int_use]
--- a/src/HOL/TLA/Intensional.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Intensional.thy Fri Jun 26 18:51:39 2015 +0200
@@ -3,8 +3,8 @@
Copyright: 1998 University of Munich
*)
-section {* A framework for "intensional" (possible-world based) logics
- on top of HOL, with lifting of constants and functions *}
+section \<open>A framework for "intensional" (possible-world based) logics
+ on top of HOL, with lifting of constants and functions\<close>
theory Intensional
imports Main
@@ -14,79 +14,76 @@
(** abstract syntax **)
-type_synonym ('w,'a) expr = "'w => 'a" (* intention: 'w::world, 'a::type *)
+type_synonym ('w,'a) expr = "'w \<Rightarrow> 'a" (* intention: 'w::world, 'a::type *)
type_synonym 'w form = "('w, bool) expr"
consts
- Valid :: "('w::world) form => bool"
- const :: "'a => ('w::world, 'a) expr"
- lift :: "['a => 'b, ('w::world, 'a) expr] => ('w,'b) expr"
- lift2 :: "['a => 'b => 'c, ('w::world,'a) expr, ('w,'b) expr] => ('w,'c) expr"
- lift3 :: "['a => 'b => 'c => 'd, ('w::world,'a) expr, ('w,'b) expr, ('w,'c) expr] => ('w,'d) expr"
+ Valid :: "('w::world) form \<Rightarrow> bool"
+ const :: "'a \<Rightarrow> ('w::world, 'a) expr"
+ lift :: "['a \<Rightarrow> 'b, ('w::world, 'a) expr] \<Rightarrow> ('w,'b) expr"
+ lift2 :: "['a \<Rightarrow> 'b \<Rightarrow> 'c, ('w::world,'a) expr, ('w,'b) expr] \<Rightarrow> ('w,'c) expr"
+ lift3 :: "['a \<Rightarrow> 'b \<Rightarrow> 'c \<Rightarrow> 'd, ('w::world,'a) expr, ('w,'b) expr, ('w,'c) expr] \<Rightarrow> ('w,'d) expr"
(* "Rigid" quantification (logic level) *)
- RAll :: "('a => ('w::world) form) => 'w form" (binder "Rall " 10)
- REx :: "('a => ('w::world) form) => 'w form" (binder "Rex " 10)
- REx1 :: "('a => ('w::world) form) => 'w form" (binder "Rex! " 10)
+ RAll :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form" (binder "Rall " 10)
+ REx :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form" (binder "Rex " 10)
+ REx1 :: "('a \<Rightarrow> ('w::world) form) \<Rightarrow> 'w form" (binder "Rex! " 10)
(** concrete syntax **)
nonterminal lift and liftargs
syntax
- "" :: "id => lift" ("_")
- "" :: "longid => lift" ("_")
- "" :: "var => lift" ("_")
- "_applC" :: "[lift, cargs] => lift" ("(1_/ _)" [1000, 1000] 999)
- "" :: "lift => lift" ("'(_')")
- "_lambda" :: "[idts, 'a] => lift" ("(3%_./ _)" [0, 3] 3)
- "_constrain" :: "[lift, type] => lift" ("(_::_)" [4, 0] 3)
- "" :: "lift => liftargs" ("_")
- "_liftargs" :: "[lift, liftargs] => liftargs" ("_,/ _")
- "_Valid" :: "lift => bool" ("(|- _)" 5)
- "_holdsAt" :: "['a, lift] => bool" ("(_ |= _)" [100,10] 10)
+ "" :: "id \<Rightarrow> lift" ("_")
+ "" :: "longid \<Rightarrow> lift" ("_")
+ "" :: "var \<Rightarrow> lift" ("_")
+ "_applC" :: "[lift, cargs] \<Rightarrow> lift" ("(1_/ _)" [1000, 1000] 999)
+ "" :: "lift \<Rightarrow> lift" ("'(_')")
+ "_lambda" :: "[idts, 'a] \<Rightarrow> lift" ("(3\<lambda>_./ _)" [0, 3] 3)
+ "_constrain" :: "[lift, type] \<Rightarrow> lift" ("(_::_)" [4, 0] 3)
+ "" :: "lift \<Rightarrow> liftargs" ("_")
+ "_liftargs" :: "[lift, liftargs] \<Rightarrow> liftargs" ("_,/ _")
+ "_Valid" :: "lift \<Rightarrow> bool" ("(\<turnstile> _)" 5)
+ "_holdsAt" :: "['a, lift] \<Rightarrow> bool" ("(_ \<Turnstile> _)" [100,10] 10)
- (* Syntax for lifted expressions outside the scope of |- or |= *)
- "_LIFT" :: "lift => 'a" ("LIFT _")
+ (* Syntax for lifted expressions outside the scope of \<turnstile> or |= *)
+ "_LIFT" :: "lift \<Rightarrow> 'a" ("LIFT _")
(* generic syntax for lifted constants and functions *)
- "_const" :: "'a => lift" ("(#_)" [1000] 999)
- "_lift" :: "['a, lift] => lift" ("(_<_>)" [1000] 999)
- "_lift2" :: "['a, lift, lift] => lift" ("(_<_,/ _>)" [1000] 999)
- "_lift3" :: "['a, lift, lift, lift] => lift" ("(_<_,/ _,/ _>)" [1000] 999)
+ "_const" :: "'a \<Rightarrow> lift" ("(#_)" [1000] 999)
+ "_lift" :: "['a, lift] \<Rightarrow> lift" ("(_<_>)" [1000] 999)
+ "_lift2" :: "['a, lift, lift] \<Rightarrow> lift" ("(_<_,/ _>)" [1000] 999)
+ "_lift3" :: "['a, lift, lift, lift] \<Rightarrow> lift" ("(_<_,/ _,/ _>)" [1000] 999)
(* concrete syntax for common infix functions: reuse same symbol *)
- "_liftEqu" :: "[lift, lift] => lift" ("(_ =/ _)" [50,51] 50)
- "_liftNeq" :: "[lift, lift] => lift" ("(_ ~=/ _)" [50,51] 50)
- "_liftNot" :: "lift => lift" ("(~ _)" [40] 40)
- "_liftAnd" :: "[lift, lift] => lift" ("(_ &/ _)" [36,35] 35)
- "_liftOr" :: "[lift, lift] => lift" ("(_ |/ _)" [31,30] 30)
- "_liftImp" :: "[lift, lift] => lift" ("(_ -->/ _)" [26,25] 25)
- "_liftIf" :: "[lift, lift, lift] => lift" ("(if (_)/ then (_)/ else (_))" 10)
- "_liftPlus" :: "[lift, lift] => lift" ("(_ +/ _)" [66,65] 65)
- "_liftMinus" :: "[lift, lift] => lift" ("(_ -/ _)" [66,65] 65)
- "_liftTimes" :: "[lift, lift] => lift" ("(_ */ _)" [71,70] 70)
- "_liftDiv" :: "[lift, lift] => lift" ("(_ div _)" [71,70] 70)
- "_liftMod" :: "[lift, lift] => lift" ("(_ mod _)" [71,70] 70)
- "_liftLess" :: "[lift, lift] => lift" ("(_/ < _)" [50, 51] 50)
- "_liftLeq" :: "[lift, lift] => lift" ("(_/ <= _)" [50, 51] 50)
- "_liftMem" :: "[lift, lift] => lift" ("(_/ : _)" [50, 51] 50)
- "_liftNotMem" :: "[lift, lift] => lift" ("(_/ ~: _)" [50, 51] 50)
- "_liftFinset" :: "liftargs => lift" ("{(_)}")
+ "_liftEqu" :: "[lift, lift] \<Rightarrow> lift" ("(_ =/ _)" [50,51] 50)
+ "_liftNeq" :: "[lift, lift] \<Rightarrow> lift" ("(_ \<noteq>/ _)" [50,51] 50)
+ "_liftNot" :: "lift \<Rightarrow> lift" ("(\<not> _)" [40] 40)
+ "_liftAnd" :: "[lift, lift] \<Rightarrow> lift" ("(_ \<and>/ _)" [36,35] 35)
+ "_liftOr" :: "[lift, lift] \<Rightarrow> lift" ("(_ \<or>/ _)" [31,30] 30)
+ "_liftImp" :: "[lift, lift] \<Rightarrow> lift" ("(_ \<longrightarrow>/ _)" [26,25] 25)
+ "_liftIf" :: "[lift, lift, lift] \<Rightarrow> lift" ("(if (_)/ then (_)/ else (_))" 10)
+ "_liftPlus" :: "[lift, lift] \<Rightarrow> lift" ("(_ +/ _)" [66,65] 65)
+ "_liftMinus" :: "[lift, lift] \<Rightarrow> lift" ("(_ -/ _)" [66,65] 65)
+ "_liftTimes" :: "[lift, lift] \<Rightarrow> lift" ("(_ */ _)" [71,70] 70)
+ "_liftDiv" :: "[lift, lift] \<Rightarrow> lift" ("(_ div _)" [71,70] 70)
+ "_liftMod" :: "[lift, lift] \<Rightarrow> lift" ("(_ mod _)" [71,70] 70)
+ "_liftLess" :: "[lift, lift] \<Rightarrow> lift" ("(_/ < _)" [50, 51] 50)
+ "_liftLeq" :: "[lift, lift] \<Rightarrow> lift" ("(_/ \<le> _)" [50, 51] 50)
+ "_liftMem" :: "[lift, lift] \<Rightarrow> lift" ("(_/ \<in> _)" [50, 51] 50)
+ "_liftNotMem" :: "[lift, lift] \<Rightarrow> lift" ("(_/ \<notin> _)" [50, 51] 50)
+ "_liftFinset" :: "liftargs \<Rightarrow> lift" ("{(_)}")
(** TODO: syntax for lifted collection / comprehension **)
- "_liftPair" :: "[lift,liftargs] => lift" ("(1'(_,/ _'))")
+ "_liftPair" :: "[lift,liftargs] \<Rightarrow> lift" ("(1'(_,/ _'))")
(* infix syntax for list operations *)
- "_liftCons" :: "[lift, lift] => lift" ("(_ #/ _)" [65,66] 65)
- "_liftApp" :: "[lift, lift] => lift" ("(_ @/ _)" [65,66] 65)
- "_liftList" :: "liftargs => lift" ("[(_)]")
+ "_liftCons" :: "[lift, lift] \<Rightarrow> lift" ("(_ #/ _)" [65,66] 65)
+ "_liftApp" :: "[lift, lift] \<Rightarrow> lift" ("(_ @/ _)" [65,66] 65)
+ "_liftList" :: "liftargs \<Rightarrow> lift" ("[(_)]")
(* Rigid quantification (syntax level) *)
- "_ARAll" :: "[idts, lift] => lift" ("(3! _./ _)" [0, 10] 10)
- "_AREx" :: "[idts, lift] => lift" ("(3? _./ _)" [0, 10] 10)
- "_AREx1" :: "[idts, lift] => lift" ("(3?! _./ _)" [0, 10] 10)
- "_RAll" :: "[idts, lift] => lift" ("(3ALL _./ _)" [0, 10] 10)
- "_REx" :: "[idts, lift] => lift" ("(3EX _./ _)" [0, 10] 10)
- "_REx1" :: "[idts, lift] => lift" ("(3EX! _./ _)" [0, 10] 10)
+ "_RAll" :: "[idts, lift] \<Rightarrow> lift" ("(3\<forall>_./ _)" [0, 10] 10)
+ "_REx" :: "[idts, lift] \<Rightarrow> lift" ("(3\<exists>_./ _)" [0, 10] 10)
+ "_REx1" :: "[idts, lift] \<Rightarrow> lift" ("(3\<exists>!_./ _)" [0, 10] 10)
translations
"_const" == "CONST const"
@@ -97,19 +94,16 @@
"_RAll x A" == "Rall x. A"
"_REx x A" == "Rex x. A"
"_REx1 x A" == "Rex! x. A"
- "_ARAll" => "_RAll"
- "_AREx" => "_REx"
- "_AREx1" => "_REx1"
- "w |= A" => "A w"
- "LIFT A" => "A::_=>_"
+ "w \<Turnstile> A" => "A w"
+ "LIFT A" => "A::_\<Rightarrow>_"
"_liftEqu" == "_lift2 (op =)"
"_liftNeq u v" == "_liftNot (_liftEqu u v)"
"_liftNot" == "_lift (CONST Not)"
- "_liftAnd" == "_lift2 (op &)"
- "_liftOr" == "_lift2 (op | )"
- "_liftImp" == "_lift2 (op -->)"
+ "_liftAnd" == "_lift2 (op \<and>)"
+ "_liftOr" == "_lift2 (op \<or>)"
+ "_liftImp" == "_lift2 (op \<longrightarrow>)"
"_liftIf" == "_lift3 (CONST If)"
"_liftPlus" == "_lift2 (op +)"
"_liftMinus" == "_lift2 (op -)"
@@ -117,8 +111,8 @@
"_liftDiv" == "_lift2 (op div)"
"_liftMod" == "_lift2 (op mod)"
"_liftLess" == "_lift2 (op <)"
- "_liftLeq" == "_lift2 (op <=)"
- "_liftMem" == "_lift2 (op :)"
+ "_liftLeq" == "_lift2 (op \<le>)"
+ "_liftMem" == "_lift2 (op \<in>)"
"_liftNotMem x xs" == "_liftNot (_liftMem x xs)"
"_liftFinset (_liftargs x xs)" == "_lift2 (CONST insert) x (_liftFinset xs)"
"_liftFinset x" == "_lift2 (CONST insert) x (_const {})"
@@ -131,74 +125,47 @@
- "w |= ~A" <= "_liftNot A w"
- "w |= A & B" <= "_liftAnd A B w"
- "w |= A | B" <= "_liftOr A B w"
- "w |= A --> B" <= "_liftImp A B w"
- "w |= u = v" <= "_liftEqu u v w"
- "w |= ALL x. A" <= "_RAll x A w"
- "w |= EX x. A" <= "_REx x A w"
- "w |= EX! x. A" <= "_REx1 x A w"
-
-syntax (xsymbols)
- "_Valid" :: "lift => bool" ("(\<turnstile> _)" 5)
- "_holdsAt" :: "['a, lift] => bool" ("(_ \<Turnstile> _)" [100,10] 10)
- "_liftNeq" :: "[lift, lift] => lift" (infixl "\<noteq>" 50)
- "_liftNot" :: "lift => lift" ("\<not> _" [40] 40)
- "_liftAnd" :: "[lift, lift] => lift" (infixr "\<and>" 35)
- "_liftOr" :: "[lift, lift] => lift" (infixr "\<or>" 30)
- "_liftImp" :: "[lift, lift] => lift" (infixr "\<longrightarrow>" 25)
- "_RAll" :: "[idts, lift] => lift" ("(3\<forall>_./ _)" [0, 10] 10)
- "_REx" :: "[idts, lift] => lift" ("(3\<exists>_./ _)" [0, 10] 10)
- "_REx1" :: "[idts, lift] => lift" ("(3\<exists>!_./ _)" [0, 10] 10)
- "_liftLeq" :: "[lift, lift] => lift" ("(_/ \<le> _)" [50, 51] 50)
- "_liftMem" :: "[lift, lift] => lift" ("(_/ \<in> _)" [50, 51] 50)
- "_liftNotMem" :: "[lift, lift] => lift" ("(_/ \<notin> _)" [50, 51] 50)
-
-syntax (HTML output)
- "_liftNeq" :: "[lift, lift] => lift" (infixl "\<noteq>" 50)
- "_liftNot" :: "lift => lift" ("\<not> _" [40] 40)
- "_liftAnd" :: "[lift, lift] => lift" (infixr "\<and>" 35)
- "_liftOr" :: "[lift, lift] => lift" (infixr "\<or>" 30)
- "_RAll" :: "[idts, lift] => lift" ("(3\<forall>_./ _)" [0, 10] 10)
- "_REx" :: "[idts, lift] => lift" ("(3\<exists>_./ _)" [0, 10] 10)
- "_REx1" :: "[idts, lift] => lift" ("(3\<exists>!_./ _)" [0, 10] 10)
- "_liftLeq" :: "[lift, lift] => lift" ("(_/ \<le> _)" [50, 51] 50)
- "_liftMem" :: "[lift, lift] => lift" ("(_/ \<in> _)" [50, 51] 50)
- "_liftNotMem" :: "[lift, lift] => lift" ("(_/ \<notin> _)" [50, 51] 50)
+ "w \<Turnstile> \<not>A" <= "_liftNot A w"
+ "w \<Turnstile> A \<and> B" <= "_liftAnd A B w"
+ "w \<Turnstile> A \<or> B" <= "_liftOr A B w"
+ "w \<Turnstile> A \<longrightarrow> B" <= "_liftImp A B w"
+ "w \<Turnstile> u = v" <= "_liftEqu u v w"
+ "w \<Turnstile> \<forall>x. A" <= "_RAll x A w"
+ "w \<Turnstile> \<exists>x. A" <= "_REx x A w"
+ "w \<Turnstile> \<exists>!x. A" <= "_REx1 x A w"
defs
- Valid_def: "|- A == ALL w. w |= A"
+ Valid_def: "\<turnstile> A == \<forall>w. w \<Turnstile> A"
unl_con: "LIFT #c w == c"
unl_lift: "lift f x w == f (x w)"
unl_lift2: "LIFT f<x, y> w == f (x w) (y w)"
unl_lift3: "LIFT f<x, y, z> w == f (x w) (y w) (z w)"
- unl_Rall: "w |= ALL x. A x == ALL x. (w |= A x)"
- unl_Rex: "w |= EX x. A x == EX x. (w |= A x)"
- unl_Rex1: "w |= EX! x. A x == EX! x. (w |= A x)"
+ unl_Rall: "w \<Turnstile> \<forall>x. A x == \<forall>x. (w \<Turnstile> A x)"
+ unl_Rex: "w \<Turnstile> \<exists>x. A x == \<exists>x. (w \<Turnstile> A x)"
+ unl_Rex1: "w \<Turnstile> \<exists>!x. A x == \<exists>!x. (w \<Turnstile> A x)"
-subsection {* Lemmas and tactics for "intensional" logics. *}
+subsection \<open>Lemmas and tactics for "intensional" logics.\<close>
lemmas intensional_rews [simp] =
unl_con unl_lift unl_lift2 unl_lift3 unl_Rall unl_Rex unl_Rex1
-lemma inteq_reflection: "|- x=y ==> (x==y)"
+lemma inteq_reflection: "\<turnstile> x=y \<Longrightarrow> (x==y)"
apply (unfold Valid_def unl_lift2)
apply (rule eq_reflection)
apply (rule ext)
apply (erule spec)
done
-lemma intI [intro!]: "(!!w. w |= A) ==> |- A"
+lemma intI [intro!]: "(\<And>w. w \<Turnstile> A) \<Longrightarrow> \<turnstile> A"
apply (unfold Valid_def)
apply (rule allI)
apply (erule meta_spec)
done
-lemma intD [dest]: "|- A ==> w |= A"
+lemma intD [dest]: "\<turnstile> A \<Longrightarrow> w \<Turnstile> A"
apply (unfold Valid_def)
apply (erule spec)
done
@@ -206,53 +173,53 @@
(** Lift usual HOL simplifications to "intensional" level. **)
lemma int_simps:
- "|- (x=x) = #True"
- "|- (~#True) = #False" "|- (~#False) = #True" "|- (~~ P) = P"
- "|- ((~P) = P) = #False" "|- (P = (~P)) = #False"
- "|- (P ~= Q) = (P = (~Q))"
- "|- (#True=P) = P" "|- (P=#True) = P"
- "|- (#True --> P) = P" "|- (#False --> P) = #True"
- "|- (P --> #True) = #True" "|- (P --> P) = #True"
- "|- (P --> #False) = (~P)" "|- (P --> ~P) = (~P)"
- "|- (P & #True) = P" "|- (#True & P) = P"
- "|- (P & #False) = #False" "|- (#False & P) = #False"
- "|- (P & P) = P" "|- (P & ~P) = #False" "|- (~P & P) = #False"
- "|- (P | #True) = #True" "|- (#True | P) = #True"
- "|- (P | #False) = P" "|- (#False | P) = P"
- "|- (P | P) = P" "|- (P | ~P) = #True" "|- (~P | P) = #True"
- "|- (! x. P) = P" "|- (? x. P) = P"
- "|- (~Q --> ~P) = (P --> Q)"
- "|- (P|Q --> R) = ((P-->R)&(Q-->R))"
+ "\<turnstile> (x=x) = #True"
+ "\<turnstile> (\<not>#True) = #False" "\<turnstile> (\<not>#False) = #True" "\<turnstile> (\<not>\<not> P) = P"
+ "\<turnstile> ((\<not>P) = P) = #False" "\<turnstile> (P = (\<not>P)) = #False"
+ "\<turnstile> (P \<noteq> Q) = (P = (\<not>Q))"
+ "\<turnstile> (#True=P) = P" "\<turnstile> (P=#True) = P"
+ "\<turnstile> (#True \<longrightarrow> P) = P" "\<turnstile> (#False \<longrightarrow> P) = #True"
+ "\<turnstile> (P \<longrightarrow> #True) = #True" "\<turnstile> (P \<longrightarrow> P) = #True"
+ "\<turnstile> (P \<longrightarrow> #False) = (\<not>P)" "\<turnstile> (P \<longrightarrow> \<not>P) = (\<not>P)"
+ "\<turnstile> (P \<and> #True) = P" "\<turnstile> (#True \<and> P) = P"
+ "\<turnstile> (P \<and> #False) = #False" "\<turnstile> (#False \<and> P) = #False"
+ "\<turnstile> (P \<and> P) = P" "\<turnstile> (P \<and> \<not>P) = #False" "\<turnstile> (\<not>P \<and> P) = #False"
+ "\<turnstile> (P \<or> #True) = #True" "\<turnstile> (#True \<or> P) = #True"
+ "\<turnstile> (P \<or> #False) = P" "\<turnstile> (#False \<or> P) = P"
+ "\<turnstile> (P \<or> P) = P" "\<turnstile> (P \<or> \<not>P) = #True" "\<turnstile> (\<not>P \<or> P) = #True"
+ "\<turnstile> (\<forall>x. P) = P" "\<turnstile> (\<exists>x. P) = P"
+ "\<turnstile> (\<not>Q \<longrightarrow> \<not>P) = (P \<longrightarrow> Q)"
+ "\<turnstile> (P\<or>Q \<longrightarrow> R) = ((P\<longrightarrow>R)\<and>(Q\<longrightarrow>R))"
apply (unfold Valid_def intensional_rews)
apply blast+
done
declare int_simps [THEN inteq_reflection, simp]
-lemma TrueW [simp]: "|- #True"
+lemma TrueW [simp]: "\<turnstile> #True"
by (simp add: Valid_def unl_con)
(* ======== Functions to "unlift" intensional implications into HOL rules ====== *)
-ML {*
+ML \<open>
(* Basic unlifting introduces a parameter "w" and applies basic rewrites, e.g.
- |- F = G becomes F w = G w
- |- F --> G becomes F w --> G w
+ \<turnstile> F = G becomes F w = G w
+ \<turnstile> F \<longrightarrow> G becomes F w \<longrightarrow> G w
*)
fun int_unlift ctxt th =
rewrite_rule ctxt @{thms intensional_rews} (th RS @{thm intD} handle THM _ => th);
-(* Turn |- F = G into meta-level rewrite rule F == G *)
+(* Turn \<turnstile> F = G into meta-level rewrite rule F == G *)
fun int_rewrite ctxt th =
zero_var_indexes (rewrite_rule ctxt @{thms intensional_rews} (th RS @{thm inteq_reflection}))
-(* flattening turns "-->" into "==>" and eliminates conjunctions in the
+(* flattening turns "\<longrightarrow>" into "\<Longrightarrow>" and eliminates conjunctions in the
antecedent. For example,
- P & Q --> (R | S --> T) becomes [| P; Q; R | S |] ==> T
+ P & Q \<longrightarrow> (R | S \<longrightarrow> T) becomes \<lbrakk> P; Q; R | S \<rbrakk> \<Longrightarrow> T
Flattening can be useful with "intensional" lemmas (after unlifting).
Naive resolution with mp and conjI may run away because of higher-order
@@ -286,20 +253,20 @@
Const _ $ (Const (@{const_name Valid}, _) $ _) =>
(flatten (int_unlift ctxt th) handle THM _ => th)
| _ => th
-*}
+\<close>
attribute_setup int_unlift =
- {* Scan.succeed (Thm.rule_attribute (int_unlift o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (int_unlift o Context.proof_of))\<close>
attribute_setup int_rewrite =
- {* Scan.succeed (Thm.rule_attribute (int_rewrite o Context.proof_of)) *}
-attribute_setup flatten = {* Scan.succeed (Thm.rule_attribute (K flatten)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (int_rewrite o Context.proof_of))\<close>
+attribute_setup flatten = \<open>Scan.succeed (Thm.rule_attribute (K flatten))\<close>
attribute_setup int_use =
- {* Scan.succeed (Thm.rule_attribute (int_use o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (int_use o Context.proof_of))\<close>
-lemma Not_Rall: "|- (~(! x. F x)) = (? x. ~F x)"
+lemma Not_Rall: "\<turnstile> (\<not>(\<forall>x. F x)) = (\<exists>x. \<not>F x)"
by (simp add: Valid_def)
-lemma Not_Rex: "|- (~ (? x. F x)) = (! x. ~ F x)"
+lemma Not_Rex: "\<turnstile> (\<not> (\<exists>x. F x)) = (\<forall>x. \<not> F x)"
by (simp add: Valid_def)
end
--- a/src/HOL/TLA/Memory/MemClerk.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/MemClerk.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: specification of the memory clerk *}
+section \<open>RPC-Memory example: specification of the memory clerk\<close>
theory MemClerk
imports Memory RPC MemClerkParameters
@@ -11,59 +11,59 @@
(* The clerk takes the same arguments as the memory and sends requests to the RPC *)
type_synonym mClkSndChType = "memChType"
type_synonym mClkRcvChType = "rpcSndChType"
-type_synonym mClkStType = "(PrIds => mClkState) stfun"
+type_synonym mClkStType = "(PrIds \<Rightarrow> mClkState) stfun"
definition
(* state predicates *)
- MClkInit :: "mClkRcvChType => mClkStType => PrIds => stpred"
- where "MClkInit rcv cst p = PRED (cst!p = #clkA & ~Calling rcv p)"
+ MClkInit :: "mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> stpred"
+ where "MClkInit rcv cst p = PRED (cst!p = #clkA \<and> \<not>Calling rcv p)"
definition
(* actions *)
- MClkFwd :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
+ MClkFwd :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
where "MClkFwd send rcv cst p = ACT
$Calling send p
- & $(cst!p) = #clkA
- & Call rcv p MClkRelayArg<arg<send!p>>
- & (cst!p)$ = #clkB
- & unchanged (rtrner send!p)"
+ \<and> $(cst!p) = #clkA
+ \<and> Call rcv p MClkRelayArg<arg<send!p>>
+ \<and> (cst!p)$ = #clkB
+ \<and> unchanged (rtrner send!p)"
definition
- MClkRetry :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
+ MClkRetry :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
where "MClkRetry send rcv cst p = ACT
$(cst!p) = #clkB
- & res<$(rcv!p)> = #RPCFailure
- & Call rcv p MClkRelayArg<arg<send!p>>
- & unchanged (cst!p, rtrner send!p)"
+ \<and> res<$(rcv!p)> = #RPCFailure
+ \<and> Call rcv p MClkRelayArg<arg<send!p>>
+ \<and> unchanged (cst!p, rtrner send!p)"
definition
- MClkReply :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
+ MClkReply :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
where "MClkReply send rcv cst p = ACT
- ~$Calling rcv p
- & $(cst!p) = #clkB
- & Return send p MClkReplyVal<res<rcv!p>>
- & (cst!p)$ = #clkA
- & unchanged (caller rcv!p)"
+ \<not>$Calling rcv p
+ \<and> $(cst!p) = #clkB
+ \<and> Return send p MClkReplyVal<res<rcv!p>>
+ \<and> (cst!p)$ = #clkA
+ \<and> unchanged (caller rcv!p)"
definition
- MClkNext :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => action"
+ MClkNext :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> action"
where "MClkNext send rcv cst p = ACT
( MClkFwd send rcv cst p
- | MClkRetry send rcv cst p
- | MClkReply send rcv cst p)"
+ \<or> MClkRetry send rcv cst p
+ \<or> MClkReply send rcv cst p)"
definition
(* temporal *)
- MClkIPSpec :: "mClkSndChType => mClkRcvChType => mClkStType => PrIds => temporal"
+ MClkIPSpec :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> PrIds \<Rightarrow> temporal"
where "MClkIPSpec send rcv cst p = TEMP
Init MClkInit rcv cst p
- & [][ MClkNext send rcv cst p ]_(cst!p, rtrner send!p, caller rcv!p)
- & WF(MClkFwd send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)
- & SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)"
+ \<and> \<box>[ MClkNext send rcv cst p ]_(cst!p, rtrner send!p, caller rcv!p)
+ \<and> WF(MClkFwd send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)
+ \<and> SF(MClkReply send rcv cst p)_(cst!p, rtrner send!p, caller rcv!p)"
definition
- MClkISpec :: "mClkSndChType => mClkRcvChType => mClkStType => temporal"
- where "MClkISpec send rcv cst = TEMP (ALL p. MClkIPSpec send rcv cst p)"
+ MClkISpec :: "mClkSndChType \<Rightarrow> mClkRcvChType \<Rightarrow> mClkStType \<Rightarrow> temporal"
+ where "MClkISpec send rcv cst = TEMP (\<forall>p. MClkIPSpec send rcv cst p)"
lemmas MC_action_defs =
MClkInit_def MClkFwd_def MClkRetry_def MClkReply_def MClkNext_def
@@ -73,41 +73,41 @@
(* The Clerk engages in an action for process p only if there is an outstanding,
unanswered call for that process.
*)
-lemma MClkidle: "|- ~$Calling send p & $(cst!p) = #clkA --> ~MClkNext send rcv cst p"
+lemma MClkidle: "\<turnstile> \<not>$Calling send p \<and> $(cst!p) = #clkA \<longrightarrow> \<not>MClkNext send rcv cst p"
by (auto simp: Return_def MC_action_defs)
-lemma MClkbusy: "|- $Calling rcv p --> ~MClkNext send rcv cst p"
+lemma MClkbusy: "\<turnstile> $Calling rcv p \<longrightarrow> \<not>MClkNext send rcv cst p"
by (auto simp: Call_def MC_action_defs)
(* Enabledness of actions *)
-lemma MClkFwd_enabled: "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==>
- |- Calling send p & ~Calling rcv p & cst!p = #clkA
- --> Enabled (MClkFwd send rcv cst p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
+lemma MClkFwd_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) \<Longrightarrow>
+ \<turnstile> Calling send p \<and> \<not>Calling rcv p \<and> cst!p = #clkA
+ \<longrightarrow> Enabled (MClkFwd send rcv cst p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
@{thm Call_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
- [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
+ [@{thm base_enabled}, @{thm Pair_inject}] 1\<close>)
-lemma MClkFwd_ch_enabled: "|- Enabled (MClkFwd send rcv cst p) -->
+lemma MClkFwd_ch_enabled: "\<turnstile> Enabled (MClkFwd send rcv cst p) \<longrightarrow>
Enabled (<MClkFwd send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
by (auto elim!: enabled_mono simp: angle_def MClkFwd_def)
-lemma MClkReply_change: "|- MClkReply send rcv cst p -->
+lemma MClkReply_change: "\<turnstile> MClkReply send rcv cst p \<longrightarrow>
<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p)"
by (auto simp: angle_def MClkReply_def elim: Return_changed [temp_use])
-lemma MClkReply_enabled: "!!p. basevars (rtrner send!p, caller rcv!p, cst!p) ==>
- |- Calling send p & ~Calling rcv p & cst!p = #clkB
- --> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
- apply (tactic {* action_simp_tac @{context}
- [@{thm MClkReply_change} RSN (2, @{thm enabled_mono})] [] 1 *})
- apply (tactic {* action_simp_tac (@{context} addsimps
+lemma MClkReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, cst!p) \<Longrightarrow>
+ \<turnstile> Calling send p \<and> \<not>Calling rcv p \<and> cst!p = #clkB
+ \<longrightarrow> Enabled (<MClkReply send rcv cst p>_(cst!p, rtrner send!p, caller rcv!p))"
+ apply (tactic \<open>action_simp_tac @{context}
+ [@{thm MClkReply_change} RSN (2, @{thm enabled_mono})] [] 1\<close>)
+ apply (tactic \<open>action_simp_tac (@{context} addsimps
[@{thm MClkReply_def}, @{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}])
- [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
+ [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1\<close>)
done
-lemma MClkReplyNotRetry: "|- MClkReply send rcv cst p --> ~MClkRetry send rcv cst p"
+lemma MClkReplyNotRetry: "\<turnstile> MClkReply send rcv cst p \<longrightarrow> \<not>MClkRetry send rcv cst p"
by (auto simp: MClkReply_def MClkRetry_def)
end
--- a/src/HOL/TLA/Memory/MemClerkParameters.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/MemClerkParameters.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: Parameters of the memory clerk *}
+section \<open>RPC-Memory example: Parameters of the memory clerk\<close>
theory MemClerkParameters
imports RPCParameters
@@ -17,12 +17,12 @@
definition
(* translate a memory call to an RPC call *)
- MClkRelayArg :: "memOp => rpcOp"
+ MClkRelayArg :: "memOp \<Rightarrow> rpcOp"
where "MClkRelayArg marg = memcall marg"
definition
(* translate RPC failures to memory failures *)
- MClkReplyVal :: "Vals => Vals"
+ MClkReplyVal :: "Vals \<Rightarrow> Vals"
where "MClkReplyVal v = (if v = RPCFailure then MemFailure else v)"
end
--- a/src/HOL/TLA/Memory/Memory.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/Memory.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,132 +2,132 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: Memory specification *}
+section \<open>RPC-Memory example: Memory specification\<close>
theory Memory
imports MemoryParameters ProcedureInterface
begin
type_synonym memChType = "(memOp, Vals) channel"
-type_synonym memType = "(Locs => Vals) stfun" (* intention: MemLocs => MemVals *)
-type_synonym resType = "(PrIds => Vals) stfun"
+type_synonym memType = "(Locs \<Rightarrow> Vals) stfun" (* intention: MemLocs \<Rightarrow> MemVals *)
+type_synonym resType = "(PrIds \<Rightarrow> Vals) stfun"
consts
(* state predicates *)
- MInit :: "memType => Locs => stpred"
- PInit :: "resType => PrIds => stpred"
+ MInit :: "memType \<Rightarrow> Locs \<Rightarrow> stpred"
+ PInit :: "resType \<Rightarrow> PrIds \<Rightarrow> stpred"
(* auxiliary predicates: is there a pending read/write request for
some process id and location/value? *)
- RdRequest :: "memChType => PrIds => Locs => stpred"
- WrRequest :: "memChType => PrIds => Locs => Vals => stpred"
+ RdRequest :: "memChType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> stpred"
+ WrRequest :: "memChType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> stpred"
(* actions *)
- GoodRead :: "memType => resType => PrIds => Locs => action"
- BadRead :: "memType => resType => PrIds => Locs => action"
- ReadInner :: "memChType => memType => resType => PrIds => Locs => action"
- Read :: "memChType => memType => resType => PrIds => action"
- GoodWrite :: "memType => resType => PrIds => Locs => Vals => action"
- BadWrite :: "memType => resType => PrIds => Locs => Vals => action"
- WriteInner :: "memChType => memType => resType => PrIds => Locs => Vals => action"
- Write :: "memChType => memType => resType => PrIds => Locs => action"
- MemReturn :: "memChType => resType => PrIds => action"
- MemFail :: "memChType => resType => PrIds => action"
- RNext :: "memChType => memType => resType => PrIds => action"
- UNext :: "memChType => memType => resType => PrIds => action"
+ GoodRead :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
+ BadRead :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
+ ReadInner :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
+ Read :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
+ GoodWrite :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
+ BadWrite :: "memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
+ WriteInner :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> Vals \<Rightarrow> action"
+ Write :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> Locs \<Rightarrow> action"
+ MemReturn :: "memChType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
+ MemFail :: "memChType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
+ RNext :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
+ UNext :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> action"
(* temporal formulas *)
- RPSpec :: "memChType => memType => resType => PrIds => temporal"
- UPSpec :: "memChType => memType => resType => PrIds => temporal"
- MSpec :: "memChType => memType => resType => Locs => temporal"
- IRSpec :: "memChType => memType => resType => temporal"
- IUSpec :: "memChType => memType => resType => temporal"
+ RPSpec :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> temporal"
+ UPSpec :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> PrIds \<Rightarrow> temporal"
+ MSpec :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> Locs \<Rightarrow> temporal"
+ IRSpec :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> temporal"
+ IUSpec :: "memChType \<Rightarrow> memType \<Rightarrow> resType \<Rightarrow> temporal"
- RSpec :: "memChType => resType => temporal"
- USpec :: "memChType => temporal"
+ RSpec :: "memChType \<Rightarrow> resType \<Rightarrow> temporal"
+ USpec :: "memChType \<Rightarrow> temporal"
(* memory invariant: in the paper, the invariant is hidden in the definition of
the predicate S used in the implementation proof, but it is easier to verify
at this level. *)
- MemInv :: "memType => Locs => stpred"
+ MemInv :: "memType \<Rightarrow> Locs \<Rightarrow> stpred"
defs
MInit_def: "MInit mm l == PRED mm!l = #InitVal"
PInit_def: "PInit rs p == PRED rs!p = #NotAResult"
RdRequest_def: "RdRequest ch p l == PRED
- Calling ch p & (arg<ch!p> = #(read l))"
+ Calling ch p \<and> (arg<ch!p> = #(read l))"
WrRequest_def: "WrRequest ch p l v == PRED
- Calling ch p & (arg<ch!p> = #(write l v))"
+ Calling ch p \<and> (arg<ch!p> = #(write l v))"
(* a read that doesn't raise BadArg *)
GoodRead_def: "GoodRead mm rs p l == ACT
- #l : #MemLoc & ((rs!p)$ = $(mm!l))"
+ #l \<in> #MemLoc \<and> ((rs!p)$ = $(mm!l))"
(* a read that raises BadArg *)
BadRead_def: "BadRead mm rs p l == ACT
- #l ~: #MemLoc & ((rs!p)$ = #BadArg)"
+ #l \<notin> #MemLoc \<and> ((rs!p)$ = #BadArg)"
(* the read action with l visible *)
ReadInner_def: "ReadInner ch mm rs p l == ACT
$(RdRequest ch p l)
- & (GoodRead mm rs p l | BadRead mm rs p l)
- & unchanged (rtrner ch ! p)"
+ \<and> (GoodRead mm rs p l \<or> BadRead mm rs p l)
+ \<and> unchanged (rtrner ch ! p)"
(* the read action with l quantified *)
- Read_def: "Read ch mm rs p == ACT (EX l. ReadInner ch mm rs p l)"
+ Read_def: "Read ch mm rs p == ACT (\<exists>l. ReadInner ch mm rs p l)"
(* similar definitions for the write action *)
GoodWrite_def: "GoodWrite mm rs p l v == ACT
- #l : #MemLoc & #v : #MemVal
- & ((mm!l)$ = #v) & ((rs!p)$ = #OK)"
+ #l \<in> #MemLoc \<and> #v \<in> #MemVal
+ \<and> ((mm!l)$ = #v) \<and> ((rs!p)$ = #OK)"
BadWrite_def: "BadWrite mm rs p l v == ACT
- ~ (#l : #MemLoc & #v : #MemVal)
- & ((rs!p)$ = #BadArg) & unchanged (mm!l)"
+ \<not> (#l \<in> #MemLoc \<and> #v \<in> #MemVal)
+ \<and> ((rs!p)$ = #BadArg) \<and> unchanged (mm!l)"
WriteInner_def: "WriteInner ch mm rs p l v == ACT
$(WrRequest ch p l v)
- & (GoodWrite mm rs p l v | BadWrite mm rs p l v)
- & unchanged (rtrner ch ! p)"
- Write_def: "Write ch mm rs p l == ACT (EX v. WriteInner ch mm rs p l v)"
+ \<and> (GoodWrite mm rs p l v \<or> BadWrite mm rs p l v)
+ \<and> unchanged (rtrner ch ! p)"
+ Write_def: "Write ch mm rs p l == ACT (\<exists>v. WriteInner ch mm rs p l v)"
(* the return action *)
MemReturn_def: "MemReturn ch rs p == ACT
- ( ($(rs!p) ~= #NotAResult)
- & ((rs!p)$ = #NotAResult)
- & Return ch p (rs!p))"
+ ( ($(rs!p) \<noteq> #NotAResult)
+ \<and> ((rs!p)$ = #NotAResult)
+ \<and> Return ch p (rs!p))"
(* the failure action of the unreliable memory *)
MemFail_def: "MemFail ch rs p == ACT
$(Calling ch p)
- & ((rs!p)$ = #MemFailure)
- & unchanged (rtrner ch ! p)"
+ \<and> ((rs!p)$ = #MemFailure)
+ \<and> unchanged (rtrner ch ! p)"
(* next-state relations for reliable / unreliable memory *)
RNext_def: "RNext ch mm rs p == ACT
( Read ch mm rs p
- | (EX l. Write ch mm rs p l)
- | MemReturn ch rs p)"
+ \<or> (\<exists>l. Write ch mm rs p l)
+ \<or> MemReturn ch rs p)"
UNext_def: "UNext ch mm rs p == ACT
- (RNext ch mm rs p | MemFail ch rs p)"
+ (RNext ch mm rs p \<or> MemFail ch rs p)"
RPSpec_def: "RPSpec ch mm rs p == TEMP
Init(PInit rs p)
- & [][ RNext ch mm rs p ]_(rtrner ch ! p, rs!p)
- & WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p)
- & WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)"
+ \<and> \<box>[ RNext ch mm rs p ]_(rtrner ch ! p, rs!p)
+ \<and> WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p)
+ \<and> WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)"
UPSpec_def: "UPSpec ch mm rs p == TEMP
Init(PInit rs p)
- & [][ UNext ch mm rs p ]_(rtrner ch ! p, rs!p)
- & WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p)
- & WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)"
+ \<and> \<box>[ UNext ch mm rs p ]_(rtrner ch ! p, rs!p)
+ \<and> WF(RNext ch mm rs p)_(rtrner ch ! p, rs!p)
+ \<and> WF(MemReturn ch rs p)_(rtrner ch ! p, rs!p)"
MSpec_def: "MSpec ch mm rs l == TEMP
Init(MInit mm l)
- & [][ EX p. Write ch mm rs p l ]_(mm!l)"
+ \<and> \<box>[ \<exists>p. Write ch mm rs p l ]_(mm!l)"
IRSpec_def: "IRSpec ch mm rs == TEMP
- (ALL p. RPSpec ch mm rs p)
- & (ALL l. #l : #MemLoc --> MSpec ch mm rs l)"
+ (\<forall>p. RPSpec ch mm rs p)
+ \<and> (\<forall>l. #l \<in> #MemLoc \<longrightarrow> MSpec ch mm rs l)"
IUSpec_def: "IUSpec ch mm rs == TEMP
- (ALL p. UPSpec ch mm rs p)
- & (ALL l. #l : #MemLoc --> MSpec ch mm rs l)"
+ (\<forall>p. UPSpec ch mm rs p)
+ \<and> (\<forall>l. #l \<in> #MemLoc \<longrightarrow> MSpec ch mm rs l)"
- RSpec_def: "RSpec ch rs == TEMP (EEX mm. IRSpec ch mm rs)"
- USpec_def: "USpec ch == TEMP (EEX mm rs. IUSpec ch mm rs)"
+ RSpec_def: "RSpec ch rs == TEMP (\<exists>\<exists>mm. IRSpec ch mm rs)"
+ USpec_def: "USpec ch == TEMP (\<exists>\<exists>mm rs. IUSpec ch mm rs)"
- MemInv_def: "MemInv mm l == PRED #l : #MemLoc --> mm!l : #MemVal"
+ MemInv_def: "MemInv mm l == PRED #l \<in> #MemLoc \<longrightarrow> mm!l \<in> #MemVal"
lemmas RM_action_defs =
MInit_def PInit_def RdRequest_def WrRequest_def MemInv_def
@@ -142,19 +142,19 @@
(* The reliable memory is an implementation of the unreliable one *)
-lemma ReliableImplementsUnReliable: "|- IRSpec ch mm rs --> IUSpec ch mm rs"
+lemma ReliableImplementsUnReliable: "\<turnstile> IRSpec ch mm rs \<longrightarrow> IUSpec ch mm rs"
by (force simp: UNext_def UPSpec_def IUSpec_def RM_temp_defs elim!: STL4E [temp_use] squareE)
(* The memory spec implies the memory invariant *)
-lemma MemoryInvariant: "|- MSpec ch mm rs l --> [](MemInv mm l)"
+lemma MemoryInvariant: "\<turnstile> MSpec ch mm rs l \<longrightarrow> \<box>(MemInv mm l)"
by (auto_invariant simp: RM_temp_defs RM_action_defs)
(* The invariant is trivial for non-locations *)
-lemma NonMemLocInvariant: "|- #l ~: #MemLoc --> [](MemInv mm l)"
+lemma NonMemLocInvariant: "\<turnstile> #l \<notin> #MemLoc \<longrightarrow> \<box>(MemInv mm l)"
by (auto simp: MemInv_def intro!: necT [temp_use])
lemma MemoryInvariantAll:
- "|- (ALL l. #l : #MemLoc --> MSpec ch mm rs l) --> (ALL l. [](MemInv mm l))"
+ "\<turnstile> (\<forall>l. #l \<in> #MemLoc \<longrightarrow> MSpec ch mm rs l) \<longrightarrow> (\<forall>l. \<box>(MemInv mm l))"
apply clarify
apply (auto elim!: MemoryInvariant [temp_use] NonMemLocInvariant [temp_use])
done
@@ -164,52 +164,52 @@
We need this only for the reliable memory.
*)
-lemma Memoryidle: "|- ~$(Calling ch p) --> ~ RNext ch mm rs p"
+lemma Memoryidle: "\<turnstile> \<not>$(Calling ch p) \<longrightarrow> \<not> RNext ch mm rs p"
by (auto simp: Return_def RM_action_defs)
(* Enabledness conditions *)
-lemma MemReturn_change: "|- MemReturn ch rs p --> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)"
+lemma MemReturn_change: "\<turnstile> MemReturn ch rs p \<longrightarrow> <MemReturn ch rs p>_(rtrner ch ! p, rs!p)"
by (force simp: MemReturn_def angle_def)
-lemma MemReturn_enabled: "!!p. basevars (rtrner ch ! p, rs!p) ==>
- |- Calling ch p & (rs!p ~= #NotAResult)
- --> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))"
+lemma MemReturn_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) \<Longrightarrow>
+ \<turnstile> Calling ch p \<and> (rs!p \<noteq> #NotAResult)
+ \<longrightarrow> Enabled (<MemReturn ch rs p>_(rtrner ch ! p, rs!p))"
apply (tactic
- {* action_simp_tac @{context} [@{thm MemReturn_change} RSN (2, @{thm enabled_mono}) ] [] 1 *})
+ \<open>action_simp_tac @{context} [@{thm MemReturn_change} RSN (2, @{thm enabled_mono}) ] [] 1\<close>)
apply (tactic
- {* action_simp_tac (@{context} addsimps [@{thm MemReturn_def}, @{thm Return_def},
- @{thm rtrner_def}]) [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
+ \<open>action_simp_tac (@{context} addsimps [@{thm MemReturn_def}, @{thm Return_def},
+ @{thm rtrner_def}]) [exI] [@{thm base_enabled}, @{thm Pair_inject}] 1\<close>)
done
-lemma ReadInner_enabled: "!!p. basevars (rtrner ch ! p, rs!p) ==>
- |- Calling ch p & (arg<ch!p> = #(read l)) --> Enabled (ReadInner ch mm rs p l)"
+lemma ReadInner_enabled: "\<And>p. basevars (rtrner ch ! p, rs!p) \<Longrightarrow>
+ \<turnstile> Calling ch p \<and> (arg<ch!p> = #(read l)) \<longrightarrow> Enabled (ReadInner ch mm rs p l)"
apply (case_tac "l : MemLoc")
apply (force simp: ReadInner_def GoodRead_def BadRead_def RdRequest_def
intro!: exI elim!: base_enabled [temp_use])+
done
-lemma WriteInner_enabled: "!!p. basevars (mm!l, rtrner ch ! p, rs!p) ==>
- |- Calling ch p & (arg<ch!p> = #(write l v))
- --> Enabled (WriteInner ch mm rs p l v)"
+lemma WriteInner_enabled: "\<And>p. basevars (mm!l, rtrner ch ! p, rs!p) \<Longrightarrow>
+ \<turnstile> Calling ch p \<and> (arg<ch!p> = #(write l v))
+ \<longrightarrow> Enabled (WriteInner ch mm rs p l v)"
apply (case_tac "l:MemLoc & v:MemVal")
apply (force simp: WriteInner_def GoodWrite_def BadWrite_def WrRequest_def
intro!: exI elim!: base_enabled [temp_use])+
done
-lemma ReadResult: "|- Read ch mm rs p & (!l. $(MemInv mm l)) --> (rs!p)` ~= #NotAResult"
+lemma ReadResult: "\<turnstile> Read ch mm rs p \<and> (\<forall>l. $(MemInv mm l)) \<longrightarrow> (rs!p)` \<noteq> #NotAResult"
by (force simp: Read_def ReadInner_def GoodRead_def BadRead_def MemInv_def)
-lemma WriteResult: "|- Write ch mm rs p l --> (rs!p)` ~= #NotAResult"
+lemma WriteResult: "\<turnstile> Write ch mm rs p l \<longrightarrow> (rs!p)` \<noteq> #NotAResult"
by (auto simp: Write_def WriteInner_def GoodWrite_def BadWrite_def)
-lemma ReturnNotReadWrite: "|- (ALL l. $MemInv mm l) & MemReturn ch rs p
- --> ~ Read ch mm rs p & (ALL l. ~ Write ch mm rs p l)"
+lemma ReturnNotReadWrite: "\<turnstile> (\<forall>l. $MemInv mm l) \<and> MemReturn ch rs p
+ \<longrightarrow> \<not> Read ch mm rs p \<and> (\<forall>l. \<not> Write ch mm rs p l)"
by (auto simp: MemReturn_def dest!: WriteResult [temp_use] ReadResult [temp_use])
-lemma RWRNext_enabled: "|- (rs!p = #NotAResult) & (!l. MemInv mm l)
- & Enabled (Read ch mm rs p | (? l. Write ch mm rs p l))
- --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
+lemma RWRNext_enabled: "\<turnstile> (rs!p = #NotAResult) \<and> (\<forall>l. MemInv mm l)
+ \<and> Enabled (Read ch mm rs p \<or> (\<exists>l. Write ch mm rs p l))
+ \<longrightarrow> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
by (force simp: RNext_def angle_def elim!: enabled_mono2
dest: ReadResult [temp_use] WriteResult [temp_use])
@@ -217,18 +217,18 @@
(* Combine previous lemmas: the memory can make a visible step if there is an
outstanding call for which no result has been produced.
*)
-lemma RNext_enabled: "!!p. !l. basevars (mm!l, rtrner ch!p, rs!p) ==>
- |- (rs!p = #NotAResult) & Calling ch p & (!l. MemInv mm l)
- --> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
+lemma RNext_enabled: "\<And>p. \<forall>l. basevars (mm!l, rtrner ch!p, rs!p) \<Longrightarrow>
+ \<turnstile> (rs!p = #NotAResult) \<and> Calling ch p \<and> (\<forall>l. MemInv mm l)
+ \<longrightarrow> Enabled (<RNext ch mm rs p>_(rtrner ch ! p, rs!p))"
apply (auto simp: enabled_disj [try_rewrite] intro!: RWRNext_enabled [temp_use])
apply (case_tac "arg (ch w p)")
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm Read_def},
- temp_rewrite @{context} @{thm enabled_ex}]) [@{thm ReadInner_enabled}, exI] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm Read_def},
+ temp_rewrite @{context} @{thm enabled_ex}]) [@{thm ReadInner_enabled}, exI] [] 1\<close>)
apply (force dest: base_pair [temp_use])
apply (erule contrapos_np)
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm Write_def},
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm Write_def},
temp_rewrite @{context} @{thm enabled_ex}])
- [@{thm WriteInner_enabled}, exI] [] 1 *})
+ [@{thm WriteInner_enabled}, exI] [] 1\<close>)
done
end
--- a/src/HOL/TLA/Memory/MemoryImplementation.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/MemoryImplementation.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: Memory implementation *}
+section \<open>RPC-Memory example: Memory implementation\<close>
theory MemoryImplementation
imports Memory RPC MemClerk
@@ -10,7 +10,7 @@
datatype histState = histA | histB
-type_synonym histType = "(PrIds => histState) stfun" (* the type of the history variable *)
+type_synonym histType = "(PrIds \<Rightarrow> histState) stfun" (* the type of the history variable *)
consts
(* the specification *)
@@ -32,15 +32,15 @@
definition
(* auxiliary predicates *)
- MVOKBARF :: "Vals => bool"
+ MVOKBARF :: "Vals \<Rightarrow> bool"
where "MVOKBARF v <-> (v : MemVal) | (v = OK) | (v = BadArg) | (v = RPCFailure)"
definition
- MVOKBA :: "Vals => bool"
+ MVOKBA :: "Vals \<Rightarrow> bool"
where "MVOKBA v <-> (v : MemVal) | (v = OK) | (v = BadArg)"
definition
- MVNROKBA :: "Vals => bool"
+ MVNROKBA :: "Vals \<Rightarrow> bool"
where "MVNROKBA v <-> (v : MemVal) | (v = NotAResult) | (v = OK) | (v = BadArg)"
definition
@@ -49,83 +49,83 @@
where "e p = PRED (caller memCh!p)"
definition
- c :: "PrIds => (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
+ c :: "PrIds \<Rightarrow> (mClkState * (bit * Vals) * (bit * rpcOp)) stfun"
where "c p = PRED (cst!p, rtrner memCh!p, caller crCh!p)"
definition
- r :: "PrIds => (rpcState * (bit * Vals) * (bit * memOp)) stfun"
+ r :: "PrIds \<Rightarrow> (rpcState * (bit * Vals) * (bit * memOp)) stfun"
where "r p = PRED (rst!p, rtrner crCh!p, caller rmCh!p)"
definition
- m :: "PrIds => ((bit * Vals) * Vals) stfun"
+ m :: "PrIds \<Rightarrow> ((bit * Vals) * Vals) stfun"
where "m p = PRED (rtrner rmCh!p, ires!p)"
definition
(* the environment action *)
- ENext :: "PrIds => action"
- where "ENext p = ACT (? l. #l : #MemLoc & Call memCh p #(read l))"
+ ENext :: "PrIds \<Rightarrow> action"
+ where "ENext p = ACT (\<exists>l. #l \<in> #MemLoc \<and> Call memCh p #(read l))"
definition
(* specification of the history variable *)
- HInit :: "histType => PrIds => stpred"
+ HInit :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "HInit rmhist p = PRED rmhist!p = #histA"
definition
- HNext :: "histType => PrIds => action"
+ HNext :: "histType \<Rightarrow> PrIds \<Rightarrow> action"
where "HNext rmhist p = ACT (rmhist!p)$ =
- (if (MemReturn rmCh ires p | RPCFail crCh rmCh rst p)
+ (if (MemReturn rmCh ires p \<or> RPCFail crCh rmCh rst p)
then #histB
else if (MClkReply memCh crCh cst p)
then #histA
else $(rmhist!p))"
definition
- HistP :: "histType => PrIds => temporal"
+ HistP :: "histType \<Rightarrow> PrIds \<Rightarrow> temporal"
where "HistP rmhist p = (TEMP Init HInit rmhist p
- & [][HNext rmhist p]_(c p,r p,m p, rmhist!p))"
+ \<and> \<box>[HNext rmhist p]_(c p,r p,m p, rmhist!p))"
definition
- Hist :: "histType => temporal"
- where "Hist rmhist = TEMP (ALL p. HistP rmhist p)"
+ Hist :: "histType \<Rightarrow> temporal"
+ where "Hist rmhist = TEMP (\<forall>p. HistP rmhist p)"
definition
(* the implementation *)
- IPImp :: "PrIds => temporal"
- where "IPImp p = (TEMP ( Init ~Calling memCh p & [][ENext p]_(e p)
- & MClkIPSpec memCh crCh cst p
- & RPCIPSpec crCh rmCh rst p
- & RPSpec rmCh mm ires p
- & (ALL l. #l : #MemLoc --> MSpec rmCh mm ires l)))"
+ IPImp :: "PrIds \<Rightarrow> temporal"
+ where "IPImp p = (TEMP ( Init \<not>Calling memCh p \<and> \<box>[ENext p]_(e p)
+ \<and> MClkIPSpec memCh crCh cst p
+ \<and> RPCIPSpec crCh rmCh rst p
+ \<and> RPSpec rmCh mm ires p
+ \<and> (\<forall>l. #l \<in> #MemLoc \<longrightarrow> MSpec rmCh mm ires l)))"
definition
- ImpInit :: "PrIds => stpred"
- where "ImpInit p = PRED ( ~Calling memCh p
- & MClkInit crCh cst p
- & RPCInit rmCh rst p
- & PInit ires p)"
+ ImpInit :: "PrIds \<Rightarrow> stpred"
+ where "ImpInit p = PRED ( \<not>Calling memCh p
+ \<and> MClkInit crCh cst p
+ \<and> RPCInit rmCh rst p
+ \<and> PInit ires p)"
definition
- ImpNext :: "PrIds => action"
+ ImpNext :: "PrIds \<Rightarrow> action"
where "ImpNext p = (ACT [ENext p]_(e p)
- & [MClkNext memCh crCh cst p]_(c p)
- & [RPCNext crCh rmCh rst p]_(r p)
- & [RNext rmCh mm ires p]_(m p))"
+ \<and> [MClkNext memCh crCh cst p]_(c p)
+ \<and> [RPCNext crCh rmCh rst p]_(r p)
+ \<and> [RNext rmCh mm ires p]_(m p))"
definition
- ImpLive :: "PrIds => temporal"
+ ImpLive :: "PrIds \<Rightarrow> temporal"
where "ImpLive p = (TEMP WF(MClkFwd memCh crCh cst p)_(c p)
- & SF(MClkReply memCh crCh cst p)_(c p)
- & WF(RPCNext crCh rmCh rst p)_(r p)
- & WF(RNext rmCh mm ires p)_(m p)
- & WF(MemReturn rmCh ires p)_(m p))"
+ \<and> SF(MClkReply memCh crCh cst p)_(c p)
+ \<and> WF(RPCNext crCh rmCh rst p)_(r p)
+ \<and> WF(RNext rmCh mm ires p)_(m p)
+ \<and> WF(MemReturn rmCh ires p)_(m p))"
definition
Implementation :: "temporal"
- where "Implementation = (TEMP ( (ALL p. Init (~Calling memCh p) & [][ENext p]_(e p))
- & MClkISpec memCh crCh cst
- & RPCISpec crCh rmCh rst
- & IRSpec rmCh mm ires))"
+ where "Implementation = (TEMP ( (\<forall>p. Init (\<not>Calling memCh p) \<and> \<box>[ENext p]_(e p))
+ \<and> MClkISpec memCh crCh cst
+ \<and> RPCISpec crCh rmCh rst
+ \<and> IRSpec rmCh mm ires))"
definition
(* the predicate S describes the states of the implementation.
@@ -134,54 +134,54 @@
NB: The second conjunct of the definition in the paper is taken care of by
the type definitions. The last conjunct is asserted separately as the memory
invariant MemInv, proved in Memory.thy. *)
- S :: "histType => bool => bool => bool => mClkState => rpcState => histState => histState => PrIds => stpred"
+ S :: "histType \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> bool \<Rightarrow> mClkState \<Rightarrow> rpcState \<Rightarrow> histState \<Rightarrow> histState \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S rmhist ecalling ccalling rcalling cs rs hs1 hs2 p = (PRED
Calling memCh p = #ecalling
- & Calling crCh p = #ccalling
- & (#ccalling --> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
- & (~ #ccalling & cst!p = #clkB --> MVOKBARF<res<crCh!p>>)
- & Calling rmCh p = #rcalling
- & (#rcalling --> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
- & (~ #rcalling --> ires!p = #NotAResult)
- & (~ #rcalling & rst!p = #rpcB --> MVOKBA<res<rmCh!p>>)
- & cst!p = #cs
- & rst!p = #rs
- & (rmhist!p = #hs1 | rmhist!p = #hs2)
- & MVNROKBA<ires!p>)"
+ \<and> Calling crCh p = #ccalling
+ \<and> (#ccalling \<longrightarrow> arg<crCh!p> = MClkRelayArg<arg<memCh!p>>)
+ \<and> (\<not> #ccalling \<and> cst!p = #clkB \<longrightarrow> MVOKBARF<res<crCh!p>>)
+ \<and> Calling rmCh p = #rcalling
+ \<and> (#rcalling \<longrightarrow> arg<rmCh!p> = RPCRelayArg<arg<crCh!p>>)
+ \<and> (\<not> #rcalling \<longrightarrow> ires!p = #NotAResult)
+ \<and> (\<not> #rcalling \<and> rst!p = #rpcB \<longrightarrow> MVOKBA<res<rmCh!p>>)
+ \<and> cst!p = #cs
+ \<and> rst!p = #rs
+ \<and> (rmhist!p = #hs1 \<or> rmhist!p = #hs2)
+ \<and> MVNROKBA<ires!p>)"
definition
(* predicates S1 -- S6 define special instances of S *)
- S1 :: "histType => PrIds => stpred"
+ S1 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S1 rmhist p = S rmhist False False False clkA rpcA histA histA p"
definition
- S2 :: "histType => PrIds => stpred"
+ S2 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S2 rmhist p = S rmhist True False False clkA rpcA histA histA p"
definition
- S3 :: "histType => PrIds => stpred"
+ S3 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S3 rmhist p = S rmhist True True False clkB rpcA histA histB p"
definition
- S4 :: "histType => PrIds => stpred"
+ S4 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S4 rmhist p = S rmhist True True True clkB rpcB histA histB p"
definition
- S5 :: "histType => PrIds => stpred"
+ S5 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S5 rmhist p = S rmhist True True False clkB rpcB histB histB p"
definition
- S6 :: "histType => PrIds => stpred"
+ S6 :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
where "S6 rmhist p = S rmhist True False False clkB rpcA histB histB p"
definition
(* The invariant asserts that the system is always in one of S1 - S6, for every p *)
- ImpInv :: "histType => PrIds => stpred"
- where "ImpInv rmhist p = (PRED (S1 rmhist p | S2 rmhist p | S3 rmhist p
- | S4 rmhist p | S5 rmhist p | S6 rmhist p))"
+ ImpInv :: "histType \<Rightarrow> PrIds \<Rightarrow> stpred"
+ where "ImpInv rmhist p = (PRED (S1 rmhist p \<or> S2 rmhist p \<or> S3 rmhist p
+ \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p))"
definition
- resbar :: "histType => resType" (* refinement mapping *)
+ resbar :: "histType \<Rightarrow> resType" (* refinement mapping *)
where"resbar rmhist s p =
(if (S1 rmhist p s | S2 rmhist p s)
then ires s p
@@ -223,17 +223,17 @@
THIS IS UNSAFE, BECAUSE IT DOESN'T RECORD THE CHOICES!!
(but it can be a lot faster than the default setup)
*)
-ML {*
+ML \<open>
val config_fast_solver = Attrib.setup_config_bool @{binding fast_solver} (K false);
val fast_solver = mk_solver "fast_solver" (fn ctxt =>
if Config.get ctxt config_fast_solver
then assume_tac ctxt ORELSE' (etac notE)
else K no_tac);
-*}
+\<close>
-setup {* map_theory_simpset (fn ctxt => ctxt addSSolver fast_solver) *}
+setup \<open>map_theory_simpset (fn ctxt => ctxt addSSolver fast_solver)\<close>
-ML {* val temp_elim = make_elim oo temp_use *}
+ML \<open>val temp_elim = make_elim oo temp_use\<close>
@@ -241,21 +241,21 @@
section "History variable"
-lemma HistoryLemma: "|- Init(ALL p. ImpInit p) & [](ALL p. ImpNext p)
- --> (EEX rmhist. Init(ALL p. HInit rmhist p)
- & [](ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
+lemma HistoryLemma: "\<turnstile> Init(\<forall>p. ImpInit p) \<and> \<box>(\<forall>p. ImpNext p)
+ \<longrightarrow> (\<exists>\<exists>rmhist. Init(\<forall>p. HInit rmhist p)
+ \<and> \<box>(\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p)))"
apply clarsimp
apply (rule historyI)
apply assumption+
apply (rule MI_base)
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm HInit_def}]) [] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HInit_def}]) [] [] 1\<close>)
apply (erule fun_cong)
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}])
- [@{thm busy_squareI}] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def}])
+ [@{thm busy_squareI}] [] 1\<close>)
apply (erule fun_cong)
done
-lemma History: "|- Implementation --> (EEX rmhist. Hist rmhist)"
+lemma History: "\<turnstile> Implementation \<longrightarrow> (\<exists>\<exists>rmhist. Hist rmhist)"
apply clarsimp
apply (rule HistoryLemma [temp_use, THEN eex_mono])
prefer 3
@@ -274,14 +274,14 @@
(* RPCFailure notin MemVals U {OK,BadArg} *)
-lemma MVOKBAnotRF: "MVOKBA x ==> x ~= RPCFailure"
+lemma MVOKBAnotRF: "MVOKBA x \<Longrightarrow> x \<noteq> RPCFailure"
apply (unfold MVOKBA_def)
apply auto
done
(* NotAResult notin MemVals U {OK,BadArg,RPCFailure} *)
-lemma MVOKBARFnotNR: "MVOKBARF x ==> x ~= NotAResult"
+lemma MVOKBARFnotNR: "MVOKBARF x \<Longrightarrow> x \<noteq> NotAResult"
apply (unfold MVOKBARF_def)
apply auto
done
@@ -294,32 +294,32 @@
*)
(* --- not used ---
-lemma S1_excl: "|- S1 rmhist p --> S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p &
- ~S4 rmhist p & ~S5 rmhist p & ~S6 rmhist p"
+lemma S1_excl: "\<turnstile> S1 rmhist p \<longrightarrow> S1 rmhist p & \<not>S2 rmhist p & \<not>S3 rmhist p &
+ \<not>S4 rmhist p & \<not>S5 rmhist p & \<not>S6 rmhist p"
by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
*)
-lemma S2_excl: "|- S2 rmhist p --> S2 rmhist p & ~S1 rmhist p"
+lemma S2_excl: "\<turnstile> S2 rmhist p \<longrightarrow> S2 rmhist p \<and> \<not>S1 rmhist p"
by (auto simp: S_def S1_def S2_def)
-lemma S3_excl: "|- S3 rmhist p --> S3 rmhist p & ~S1 rmhist p & ~S2 rmhist p"
+lemma S3_excl: "\<turnstile> S3 rmhist p \<longrightarrow> S3 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p"
by (auto simp: S_def S1_def S2_def S3_def)
-lemma S4_excl: "|- S4 rmhist p --> S4 rmhist p & ~S1 rmhist p & ~S2 rmhist p & ~S3 rmhist p"
+lemma S4_excl: "\<turnstile> S4 rmhist p \<longrightarrow> S4 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p \<and> \<not>S3 rmhist p"
by (auto simp: S_def S1_def S2_def S3_def S4_def)
-lemma S5_excl: "|- S5 rmhist p --> S5 rmhist p & ~S1 rmhist p & ~S2 rmhist p
- & ~S3 rmhist p & ~S4 rmhist p"
+lemma S5_excl: "\<turnstile> S5 rmhist p \<longrightarrow> S5 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p
+ \<and> \<not>S3 rmhist p \<and> \<not>S4 rmhist p"
by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def)
-lemma S6_excl: "|- S6 rmhist p --> S6 rmhist p & ~S1 rmhist p & ~S2 rmhist p
- & ~S3 rmhist p & ~S4 rmhist p & ~S5 rmhist p"
+lemma S6_excl: "\<turnstile> S6 rmhist p \<longrightarrow> S6 rmhist p \<and> \<not>S1 rmhist p \<and> \<not>S2 rmhist p
+ \<and> \<not>S3 rmhist p \<and> \<not>S4 rmhist p \<and> \<not>S5 rmhist p"
by (auto simp: S_def S1_def S2_def S3_def S4_def S5_def S6_def)
(* ==================== Lemmas about the environment ============================== *)
-lemma Envbusy: "|- $(Calling memCh p) --> ~ENext p"
+lemma Envbusy: "\<turnstile> $(Calling memCh p) \<longrightarrow> \<not>ENext p"
by (auto simp: ENext_def Call_def)
(* ==================== Lemmas about the implementation's states ==================== *)
@@ -331,220 +331,220 @@
(* ------------------------------ State S1 ---------------------------------------- *)
-lemma S1Env: "|- ENext p & $(S1 rmhist p) & unchanged (c p, r p, m p, rmhist!p)
- --> (S2 rmhist p)$"
+lemma S1Env: "\<turnstile> ENext p \<and> $(S1 rmhist p) \<and> unchanged (c p, r p, m p, rmhist!p)
+ \<longrightarrow> (S2 rmhist p)$"
by (force simp: ENext_def Call_def c_def r_def m_def
caller_def rtrner_def MVNROKBA_def S_def S1_def S2_def Calling_def)
-lemma S1ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S1 rmhist p) --> unchanged (c p)"
+lemma S1ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (c p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] dest!: MClkidle [temp_use] simp: S_def S1_def)
-lemma S1RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S1 rmhist p) --> unchanged (r p)"
+lemma S1RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (r p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] dest!: RPCidle [temp_use] simp: S_def S1_def)
-lemma S1MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S1 rmhist p) --> unchanged (m p)"
+lemma S1MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S1 rmhist p) \<longrightarrow> unchanged (m p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] dest!: Memoryidle [temp_use] simp: S_def S1_def)
-lemma S1Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S1 rmhist p)
- --> unchanged (rmhist!p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm S_def},
+lemma S1Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> $(S1 rmhist p)
+ \<longrightarrow> unchanged (rmhist!p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def}, @{thm S_def},
@{thm S1_def}, @{thm MemReturn_def}, @{thm RPCFail_def}, @{thm MClkReply_def},
- @{thm Return_def}]) [] [temp_use @{context} @{thm squareE}] 1 *})
+ @{thm Return_def}]) [] [temp_use @{context} @{thm squareE}] 1\<close>)
(* ------------------------------ State S2 ---------------------------------------- *)
-lemma S2EnvUnch: "|- [ENext p]_(e p) & $(S2 rmhist p) --> unchanged (e p)"
+lemma S2EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (e p)"
by (auto dest!: Envbusy [temp_use] simp: S_def S2_def)
-lemma S2Clerk: "|- MClkNext memCh crCh cst p & $(S2 rmhist p) --> MClkFwd memCh crCh cst p"
+lemma S2Clerk: "\<turnstile> MClkNext memCh crCh cst p \<and> $(S2 rmhist p) \<longrightarrow> MClkFwd memCh crCh cst p"
by (auto simp: MClkNext_def MClkRetry_def MClkReply_def S_def S2_def)
-lemma S2Forward: "|- $(S2 rmhist p) & MClkFwd memCh crCh cst p
- & unchanged (e p, r p, m p, rmhist!p)
- --> (S3 rmhist p)$"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
+lemma S2Forward: "\<turnstile> $(S2 rmhist p) \<and> MClkFwd memCh crCh cst p
+ \<and> unchanged (e p, r p, m p, rmhist!p)
+ \<longrightarrow> (S3 rmhist p)$"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm MClkFwd_def},
@{thm Call_def}, @{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def},
- @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm rtrner_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S2RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S2 rmhist p) --> unchanged (r p)"
+lemma S2RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (r p)"
by (auto simp: S_def S2_def dest!: RPCidle [temp_use])
-lemma S2MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S2 rmhist p) --> unchanged (m p)"
+lemma S2MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S2 rmhist p) \<longrightarrow> unchanged (m p)"
by (auto simp: S_def S2_def dest!: Memoryidle [temp_use])
-lemma S2Hist: "|- [HNext rmhist p]_(c p,r p,m p,rmhist!p) & $(S2 rmhist p)
- --> unchanged (rmhist!p)"
+lemma S2Hist: "\<turnstile> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> $(S2 rmhist p)
+ \<longrightarrow> unchanged (rmhist!p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
MClkReply_def Return_def S_def S2_def)
(* ------------------------------ State S3 ---------------------------------------- *)
-lemma S3EnvUnch: "|- [ENext p]_(e p) & $(S3 rmhist p) --> unchanged (e p)"
+lemma S3EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (e p)"
by (auto dest!: Envbusy [temp_use] simp: S_def S3_def)
-lemma S3ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S3 rmhist p) --> unchanged (c p)"
+lemma S3ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (c p)"
by (auto dest!: MClkbusy [temp_use] simp: square_def S_def S3_def)
-lemma S3LegalRcvArg: "|- S3 rmhist p --> IsLegalRcvArg<arg<crCh!p>>"
+lemma S3LegalRcvArg: "\<turnstile> S3 rmhist p \<longrightarrow> IsLegalRcvArg<arg<crCh!p>>"
by (auto simp: IsLegalRcvArg_def MClkRelayArg_def S_def S3_def)
-lemma S3RPC: "|- RPCNext crCh rmCh rst p & $(S3 rmhist p)
- --> RPCFwd crCh rmCh rst p | RPCFail crCh rmCh rst p"
+lemma S3RPC: "\<turnstile> RPCNext crCh rmCh rst p \<and> $(S3 rmhist p)
+ \<longrightarrow> RPCFwd crCh rmCh rst p \<or> RPCFail crCh rmCh rst p"
apply clarsimp
apply (frule S3LegalRcvArg [action_use])
apply (auto simp: RPCNext_def RPCReject_def RPCReply_def S_def S3_def)
done
-lemma S3Forward: "|- RPCFwd crCh rmCh rst p & HNext rmhist p & $(S3 rmhist p)
- & unchanged (e p, c p, m p)
- --> (S4 rmhist p)$ & unchanged (rmhist!p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFwd_def},
+lemma S3Forward: "\<turnstile> RPCFwd crCh rmCh rst p \<and> HNext rmhist p \<and> $(S3 rmhist p)
+ \<and> unchanged (e p, c p, m p)
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCFwd_def},
@{thm HNext_def}, @{thm MemReturn_def}, @{thm RPCFail_def},
@{thm MClkReply_def}, @{thm Return_def}, @{thm Call_def}, @{thm e_def},
@{thm c_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
- @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S3_def}, @{thm S4_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S3Fail: "|- RPCFail crCh rmCh rst p & $(S3 rmhist p) & HNext rmhist p
- & unchanged (e p, c p, m p)
- --> (S6 rmhist p)$"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
+lemma S3Fail: "\<turnstile> RPCFail crCh rmCh rst p \<and> $(S3 rmhist p) \<and> HNext rmhist p
+ \<and> unchanged (e p, c p, m p)
+ \<longrightarrow> (S6 rmhist p)$"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
@{thm RPCFail_def}, @{thm Return_def}, @{thm e_def}, @{thm c_def},
@{thm m_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm MVOKBARF_def},
- @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S_def}, @{thm S3_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S3MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S3 rmhist p) --> unchanged (m p)"
+lemma S3MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S3 rmhist p) \<longrightarrow> unchanged (m p)"
by (auto simp: S_def S3_def dest!: Memoryidle [temp_use])
-lemma S3Hist: "|- HNext rmhist p & $(S3 rmhist p) & unchanged (r p) --> unchanged (rmhist!p)"
+lemma S3Hist: "\<turnstile> HNext rmhist p \<and> $(S3 rmhist p) \<and> unchanged (r p) \<longrightarrow> unchanged (rmhist!p)"
by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
Return_def r_def rtrner_def S_def S3_def Calling_def)
(* ------------------------------ State S4 ---------------------------------------- *)
-lemma S4EnvUnch: "|- [ENext p]_(e p) & $(S4 rmhist p) --> unchanged (e p)"
+lemma S4EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (e p)"
by (auto simp: S_def S4_def dest!: Envbusy [temp_use])
-lemma S4ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S4 rmhist p) --> unchanged (c p)"
+lemma S4ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (c p)"
by (auto simp: S_def S4_def dest!: MClkbusy [temp_use])
-lemma S4RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $(S4 rmhist p) --> unchanged (r p)"
+lemma S4RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $(S4 rmhist p) \<longrightarrow> unchanged (r p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] dest!: RPCbusy [temp_use] simp: S_def S4_def)
-lemma S4ReadInner: "|- ReadInner rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
- & HNext rmhist p & $(MemInv mm l)
- --> (S4 rmhist p)$ & unchanged (rmhist!p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
+lemma S4ReadInner: "\<turnstile> ReadInner rmCh mm ires p l \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
+ \<and> HNext rmhist p \<and> $(MemInv mm l)
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
@{thm GoodRead_def}, @{thm BadRead_def}, @{thm HNext_def}, @{thm MemReturn_def},
@{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
@{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def},
@{thm MVNROKBA_def}, @{thm S_def}, @{thm S4_def}, @{thm RdRequest_def},
- @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1 *})
+ @{thm Calling_def}, @{thm MemInv_def}]) [] [] 1\<close>)
-lemma S4Read: "|- Read rmCh mm ires p & $(S4 rmhist p) & unchanged (e p, c p, r p)
- & HNext rmhist p & (!l. $MemInv mm l)
- --> (S4 rmhist p)$ & unchanged (rmhist!p)"
+lemma S4Read: "\<turnstile> Read rmCh mm ires p \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
+ \<and> HNext rmhist p \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
by (auto simp: Read_def dest!: S4ReadInner [temp_use])
-lemma S4WriteInner: "|- WriteInner rmCh mm ires p l v & $(S4 rmhist p) & unchanged (e p, c p, r p) & HNext rmhist p
- --> (S4 rmhist p)$ & unchanged (rmhist!p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm WriteInner_def},
+lemma S4WriteInner: "\<turnstile> WriteInner rmCh mm ires p l v \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p) \<and> HNext rmhist p
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm WriteInner_def},
@{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm HNext_def}, @{thm MemReturn_def},
@{thm RPCFail_def}, @{thm MClkReply_def}, @{thm Return_def}, @{thm e_def},
@{thm c_def}, @{thm r_def}, @{thm rtrner_def}, @{thm caller_def}, @{thm MVNROKBA_def},
- @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S_def}, @{thm S4_def}, @{thm WrRequest_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S4Write: "|- Write rmCh mm ires p l & $(S4 rmhist p) & unchanged (e p, c p, r p)
- & (HNext rmhist p)
- --> (S4 rmhist p)$ & unchanged (rmhist!p)"
+lemma S4Write: "\<turnstile> Write rmCh mm ires p l \<and> $(S4 rmhist p) \<and> unchanged (e p, c p, r p)
+ \<and> (HNext rmhist p)
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (rmhist!p)"
by (auto simp: Write_def dest!: S4WriteInner [temp_use])
-lemma WriteS4: "|- $ImpInv rmhist p & Write rmCh mm ires p l --> $S4 rmhist p"
+lemma WriteS4: "\<turnstile> $ImpInv rmhist p \<and> Write rmCh mm ires p l \<longrightarrow> $S4 rmhist p"
by (auto simp: Write_def WriteInner_def ImpInv_def
WrRequest_def S_def S1_def S2_def S3_def S4_def S5_def S6_def)
-lemma S4Return: "|- MemReturn rmCh ires p & $S4 rmhist p & unchanged (e p, c p, r p)
- & HNext rmhist p
- --> (S5 rmhist p)$"
+lemma S4Return: "\<turnstile> MemReturn rmCh ires p \<and> $S4 rmhist p \<and> unchanged (e p, c p, r p)
+ \<and> HNext rmhist p
+ \<longrightarrow> (S5 rmhist p)$"
by (auto simp: HNext_def MemReturn_def Return_def e_def c_def r_def
rtrner_def caller_def MVNROKBA_def MVOKBA_def S_def S4_def S5_def Calling_def)
-lemma S4Hist: "|- HNext rmhist p & $S4 rmhist p & (m p)$ = $(m p) --> (rmhist!p)$ = $(rmhist!p)"
+lemma S4Hist: "\<turnstile> HNext rmhist p \<and> $S4 rmhist p \<and> (m p)$ = $(m p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
by (auto simp: HNext_def MemReturn_def RPCFail_def MClkReply_def
Return_def m_def rtrner_def S_def S4_def Calling_def)
(* ------------------------------ State S5 ---------------------------------------- *)
-lemma S5EnvUnch: "|- [ENext p]_(e p) & $(S5 rmhist p) --> unchanged (e p)"
+lemma S5EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (e p)"
by (auto simp: S_def S5_def dest!: Envbusy [temp_use])
-lemma S5ClerkUnch: "|- [MClkNext memCh crCh cst p]_(c p) & $(S5 rmhist p) --> unchanged (c p)"
+lemma S5ClerkUnch: "\<turnstile> [MClkNext memCh crCh cst p]_(c p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (c p)"
by (auto simp: S_def S5_def dest!: MClkbusy [temp_use])
-lemma S5RPC: "|- RPCNext crCh rmCh rst p & $(S5 rmhist p)
- --> RPCReply crCh rmCh rst p | RPCFail crCh rmCh rst p"
+lemma S5RPC: "\<turnstile> RPCNext crCh rmCh rst p \<and> $(S5 rmhist p)
+ \<longrightarrow> RPCReply crCh rmCh rst p \<or> RPCFail crCh rmCh rst p"
by (auto simp: RPCNext_def RPCReject_def RPCFwd_def S_def S5_def)
-lemma S5Reply: "|- RPCReply crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
- --> (S6 rmhist p)$"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
+lemma S5Reply: "\<turnstile> RPCReply crCh rmCh rst p \<and> $(S5 rmhist p) \<and> unchanged (e p, c p, m p,rmhist!p)
+ \<longrightarrow> (S6 rmhist p)$"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
@{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}, @{thm MVOKBA_def},
@{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def}, @{thm S_def},
- @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S5Fail: "|- RPCFail crCh rmCh rst p & $(S5 rmhist p) & unchanged (e p, c p, m p,rmhist!p)
- --> (S6 rmhist p)$"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
+lemma S5Fail: "\<turnstile> RPCFail crCh rmCh rst p \<and> $(S5 rmhist p) \<and> unchanged (e p, c p, m p,rmhist!p)
+ \<longrightarrow> (S6 rmhist p)$"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
@{thm Return_def}, @{thm e_def}, @{thm c_def}, @{thm m_def},
@{thm MVOKBARF_def}, @{thm caller_def}, @{thm rtrner_def},
- @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S_def}, @{thm S5_def}, @{thm S6_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S5MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S5 rmhist p) --> unchanged (m p)"
+lemma S5MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S5 rmhist p) \<longrightarrow> unchanged (m p)"
by (auto simp: S_def S5_def dest!: Memoryidle [temp_use])
-lemma S5Hist: "|- [HNext rmhist p]_(c p, r p, m p, rmhist!p) & $(S5 rmhist p)
- --> (rmhist!p)$ = $(rmhist!p)"
+lemma S5Hist: "\<turnstile> [HNext rmhist p]_(c p, r p, m p, rmhist!p) \<and> $(S5 rmhist p)
+ \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] simp: HNext_def MemReturn_def RPCFail_def
MClkReply_def Return_def S_def S5_def)
(* ------------------------------ State S6 ---------------------------------------- *)
-lemma S6EnvUnch: "|- [ENext p]_(e p) & $(S6 rmhist p) --> unchanged (e p)"
+lemma S6EnvUnch: "\<turnstile> [ENext p]_(e p) \<and> $(S6 rmhist p) \<longrightarrow> unchanged (e p)"
by (auto simp: S_def S6_def dest!: Envbusy [temp_use])
-lemma S6Clerk: "|- MClkNext memCh crCh cst p & $(S6 rmhist p)
- --> MClkRetry memCh crCh cst p | MClkReply memCh crCh cst p"
+lemma S6Clerk: "\<turnstile> MClkNext memCh crCh cst p \<and> $(S6 rmhist p)
+ \<longrightarrow> MClkRetry memCh crCh cst p \<or> MClkReply memCh crCh cst p"
by (auto simp: MClkNext_def MClkFwd_def S_def S6_def)
-lemma S6Retry: "|- MClkRetry memCh crCh cst p & HNext rmhist p & $S6 rmhist p
- & unchanged (e p,r p,m p)
- --> (S3 rmhist p)$ & unchanged (rmhist!p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
+lemma S6Retry: "\<turnstile> MClkRetry memCh crCh cst p \<and> HNext rmhist p \<and> $S6 rmhist p
+ \<and> unchanged (e p,r p,m p)
+ \<longrightarrow> (S3 rmhist p)$ \<and> unchanged (rmhist!p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
@{thm MClkReply_def}, @{thm MClkRetry_def}, @{thm Call_def}, @{thm Return_def},
@{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
- @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S_def}, @{thm S6_def}, @{thm S3_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S6Reply: "|- MClkReply memCh crCh cst p & HNext rmhist p & $S6 rmhist p
- & unchanged (e p,r p,m p)
- --> (S1 rmhist p)$"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm HNext_def},
+lemma S6Reply: "\<turnstile> MClkReply memCh crCh cst p \<and> HNext rmhist p \<and> $S6 rmhist p
+ \<and> unchanged (e p,r p,m p)
+ \<longrightarrow> (S1 rmhist p)$"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm HNext_def},
@{thm MemReturn_def}, @{thm RPCFail_def}, @{thm Return_def}, @{thm MClkReply_def},
@{thm e_def}, @{thm r_def}, @{thm m_def}, @{thm caller_def}, @{thm rtrner_def},
- @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1 *})
+ @{thm S_def}, @{thm S6_def}, @{thm S1_def}, @{thm Calling_def}]) [] [] 1\<close>)
-lemma S6RPCUnch: "|- [RPCNext crCh rmCh rst p]_(r p) & $S6 rmhist p --> unchanged (r p)"
+lemma S6RPCUnch: "\<turnstile> [RPCNext crCh rmCh rst p]_(r p) \<and> $S6 rmhist p \<longrightarrow> unchanged (r p)"
by (auto simp: S_def S6_def dest!: RPCidle [temp_use])
-lemma S6MemUnch: "|- [RNext rmCh mm ires p]_(m p) & $(S6 rmhist p) --> unchanged (m p)"
+lemma S6MemUnch: "\<turnstile> [RNext rmCh mm ires p]_(m p) \<and> $(S6 rmhist p) \<longrightarrow> unchanged (m p)"
by (auto simp: S_def S6_def dest!: Memoryidle [temp_use])
-lemma S6Hist: "|- HNext rmhist p & $S6 rmhist p & (c p)$ = $(c p) --> (rmhist!p)$ = $(rmhist!p)"
+lemma S6Hist: "\<turnstile> HNext rmhist p \<and> $S6 rmhist p \<and> (c p)$ = $(c p) \<longrightarrow> (rmhist!p)$ = $(rmhist!p)"
by (auto simp: HNext_def MClkReply_def Return_def c_def rtrner_def S_def S6_def Calling_def)
@@ -554,7 +554,7 @@
(* ========== Step 1.1 ================================================= *)
(* The implementation's initial condition implies the state predicate S1 *)
-lemma Step1_1: "|- ImpInit p & HInit rmhist p --> S1 rmhist p"
+lemma Step1_1: "\<turnstile> ImpInit p \<and> HInit rmhist p \<longrightarrow> S1 rmhist p"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] simp: MVNROKBA_def
MClkInit_def RPCInit_def PInit_def HInit_def ImpInit_def S_def S1_def)
@@ -562,72 +562,72 @@
(* ========== Step 1.2 ================================================== *)
(* Figure 16 is a predicate-action diagram for the implementation. *)
-lemma Step1_2_1: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S1 rmhist p
- --> (S2 rmhist p)$ & ENext p & unchanged (c p, r p, m p)"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+lemma Step1_2_1: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S1 rmhist p
+ \<longrightarrow> (S2 rmhist p)$ \<and> ENext p \<and> unchanged (c p, r p, m p)"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
(map (temp_elim @{context})
- [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1 *})
+ [@{thm S1ClerkUnch}, @{thm S1RPCUnch}, @{thm S1MemUnch}, @{thm S1Hist}]) 1\<close>)
using [[fast_solver]]
apply (auto elim!: squareE [temp_use] intro!: S1Env [temp_use])
done
-lemma Step1_2_2: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S2 rmhist p
- --> (S3 rmhist p)$ & MClkFwd memCh crCh cst p
- & unchanged (e p, r p, m p, rmhist!p)"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+lemma Step1_2_2: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S2 rmhist p
+ \<longrightarrow> (S3 rmhist p)$ \<and> MClkFwd memCh crCh cst p
+ \<and> unchanged (e p, r p, m p, rmhist!p)"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
(map (temp_elim @{context})
- [@{thm S2EnvUnch}, @{thm S2RPCUnch}, @{thm S2MemUnch}, @{thm S2Hist}]) 1 *})
+ [@{thm S2EnvUnch}, @{thm S2RPCUnch}, @{thm S2MemUnch}, @{thm S2Hist}]) 1\<close>)
using [[fast_solver]]
apply (auto elim!: squareE [temp_use] intro!: S2Clerk [temp_use] S2Forward [temp_use])
done
-lemma Step1_2_3: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S3 rmhist p
- --> ((S4 rmhist p)$ & RPCFwd crCh rmCh rst p & unchanged (e p, c p, m p, rmhist!p))
- | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
- (map (temp_elim @{context}) [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1 *})
- apply (tactic {* action_simp_tac @{context} []
+lemma Step1_2_3: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S3 rmhist p
+ \<longrightarrow> ((S4 rmhist p)$ \<and> RPCFwd crCh rmCh rst p \<and> unchanged (e p, c p, m p, rmhist!p))
+ \<or> ((S6 rmhist p)$ \<and> RPCFail crCh rmCh rst p \<and> unchanged (e p, c p, m p))"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+ (map (temp_elim @{context}) [@{thm S3EnvUnch}, @{thm S3ClerkUnch}, @{thm S3MemUnch}]) 1\<close>)
+ apply (tactic \<open>action_simp_tac @{context} []
(@{thm squareE} ::
- map (temp_elim @{context}) [@{thm S3RPC}, @{thm S3Forward}, @{thm S3Fail}]) 1 *})
+ map (temp_elim @{context}) [@{thm S3RPC}, @{thm S3Forward}, @{thm S3Fail}]) 1\<close>)
apply (auto dest!: S3Hist [temp_use])
done
-lemma Step1_2_4: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p)
- & $S4 rmhist p & (!l. $(MemInv mm l))
- --> ((S4 rmhist p)$ & Read rmCh mm ires p & unchanged (e p, c p, r p, rmhist!p))
- | ((S4 rmhist p)$ & (? l. Write rmCh mm ires p l) & unchanged (e p, c p, r p, rmhist!p))
- | ((S5 rmhist p)$ & MemReturn rmCh ires p & unchanged (e p, c p, r p))"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
- (map (temp_elim @{context}) [@{thm S4EnvUnch}, @{thm S4ClerkUnch}, @{thm S4RPCUnch}]) 1 *})
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm RNext_def}]) []
+lemma Step1_2_4: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p)
+ \<and> $S4 rmhist p \<and> (\<forall>l. $(MemInv mm l))
+ \<longrightarrow> ((S4 rmhist p)$ \<and> Read rmCh mm ires p \<and> unchanged (e p, c p, r p, rmhist!p))
+ \<or> ((S4 rmhist p)$ \<and> (\<exists>l. Write rmCh mm ires p l) \<and> unchanged (e p, c p, r p, rmhist!p))
+ \<or> ((S5 rmhist p)$ \<and> MemReturn rmCh ires p \<and> unchanged (e p, c p, r p))"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+ (map (temp_elim @{context}) [@{thm S4EnvUnch}, @{thm S4ClerkUnch}, @{thm S4RPCUnch}]) 1\<close>)
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RNext_def}]) []
(@{thm squareE} ::
- map (temp_elim @{context}) [@{thm S4Read}, @{thm S4Write}, @{thm S4Return}]) 1 *})
+ map (temp_elim @{context}) [@{thm S4Read}, @{thm S4Write}, @{thm S4Return}]) 1\<close>)
apply (auto dest!: S4Hist [temp_use])
done
-lemma Step1_2_5: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S5 rmhist p
- --> ((S6 rmhist p)$ & RPCReply crCh rmCh rst p & unchanged (e p, c p, m p))
- | ((S6 rmhist p)$ & RPCFail crCh rmCh rst p & unchanged (e p, c p, m p))"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
- (map (temp_elim @{context}) [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1 *})
- apply (tactic {* action_simp_tac @{context} [] [@{thm squareE}, temp_elim @{context} @{thm S5RPC}] 1 *})
+lemma Step1_2_5: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S5 rmhist p
+ \<longrightarrow> ((S6 rmhist p)$ \<and> RPCReply crCh rmCh rst p \<and> unchanged (e p, c p, m p))
+ \<or> ((S6 rmhist p)$ \<and> RPCFail crCh rmCh rst p \<and> unchanged (e p, c p, m p))"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+ (map (temp_elim @{context}) [@{thm S5EnvUnch}, @{thm S5ClerkUnch}, @{thm S5MemUnch}, @{thm S5Hist}]) 1\<close>)
+ apply (tactic \<open>action_simp_tac @{context} [] [@{thm squareE}, temp_elim @{context} @{thm S5RPC}] 1\<close>)
using [[fast_solver]]
apply (auto elim!: squareE [temp_use] dest!: S5Reply [temp_use] S5Fail [temp_use])
done
-lemma Step1_2_6: "|- [HNext rmhist p]_(c p,r p,m p, rmhist!p) & ImpNext p
- & ~unchanged (e p, c p, r p, m p, rmhist!p) & $S6 rmhist p
- --> ((S1 rmhist p)$ & MClkReply memCh crCh cst p & unchanged (e p, r p, m p))
- | ((S3 rmhist p)$ & MClkRetry memCh crCh cst p & unchanged (e p,r p,m p,rmhist!p))"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
- (map (temp_elim @{context}) [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1 *})
- apply (tactic {* action_simp_tac @{context} []
- (@{thm squareE} :: map (temp_elim @{context}) [@{thm S6Clerk}, @{thm S6Retry}, @{thm S6Reply}]) 1 *})
+lemma Step1_2_6: "\<turnstile> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> ImpNext p
+ \<and> \<not>unchanged (e p, c p, r p, m p, rmhist!p) \<and> $S6 rmhist p
+ \<longrightarrow> ((S1 rmhist p)$ \<and> MClkReply memCh crCh cst p \<and> unchanged (e p, r p, m p))
+ \<or> ((S3 rmhist p)$ \<and> MClkRetry memCh crCh cst p \<and> unchanged (e p,r p,m p,rmhist!p))"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ImpNext_def}]) []
+ (map (temp_elim @{context}) [@{thm S6EnvUnch}, @{thm S6RPCUnch}, @{thm S6MemUnch}]) 1\<close>)
+ apply (tactic \<open>action_simp_tac @{context} []
+ (@{thm squareE} :: map (temp_elim @{context}) [@{thm S6Clerk}, @{thm S6Retry}, @{thm S6Reply}]) 1\<close>)
apply (auto dest: S6Hist [temp_use])
done
@@ -637,9 +637,9 @@
section "Initialization (Step 1.3)"
-lemma Step1_3: "|- S1 rmhist p --> PInit (resbar rmhist) p"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm resbar_def},
- @{thm PInit_def}, @{thm S_def}, @{thm S1_def}]) [] [] 1 *})
+lemma Step1_3: "\<turnstile> S1 rmhist p \<longrightarrow> PInit (resbar rmhist) p"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm resbar_def},
+ @{thm PInit_def}, @{thm S_def}, @{thm S1_def}]) [] [] 1\<close>)
(* ----------------------------------------------------------------------
Step 1.4: Implementation's next-state relation simulates specification's
@@ -648,30 +648,30 @@
section "Step simulation (Step 1.4)"
-lemma Step1_4_1: "|- ENext p & $S1 rmhist p & (S2 rmhist p)$ & unchanged (c p, r p, m p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_4_1: "\<turnstile> ENext p \<and> $S1 rmhist p \<and> (S2 rmhist p)$ \<and> unchanged (c p, r p, m p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
using [[fast_solver]]
by (auto elim!: squareE [temp_use] simp: c_def r_def m_def resbar_def)
-lemma Step1_4_2: "|- MClkFwd memCh crCh cst p & $S2 rmhist p & (S3 rmhist p)$
- & unchanged (e p, r p, m p, rmhist!p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p)"
- by (tactic {* action_simp_tac
+lemma Step1_4_2: "\<turnstile> MClkFwd memCh crCh cst p \<and> $S2 rmhist p \<and> (S3 rmhist p)$
+ \<and> unchanged (e p, r p, m p, rmhist!p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
+ by (tactic \<open>action_simp_tac
(@{context} addsimps [@{thm MClkFwd_def}, @{thm e_def}, @{thm r_def}, @{thm m_def},
- @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1 *})
+ @{thm resbar_def}, @{thm S_def}, @{thm S2_def}, @{thm S3_def}]) [] [] 1\<close>)
-lemma Step1_4_3a: "|- RPCFwd crCh rmCh rst p & $S3 rmhist p & (S4 rmhist p)$
- & unchanged (e p, c p, m p, rmhist!p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_4_3a: "\<turnstile> RPCFwd crCh rmCh rst p \<and> $S3 rmhist p \<and> (S4 rmhist p)$
+ \<and> unchanged (e p, c p, m p, rmhist!p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (drule S3_excl [temp_use] S4_excl [temp_use])+
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
- @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
+ @{thm c_def}, @{thm m_def}, @{thm resbar_def}, @{thm S_def}, @{thm S3_def}]) [] [] 1\<close>)
done
-lemma Step1_4_3b: "|- RPCFail crCh rmCh rst p & $S3 rmhist p & (S6 rmhist p)$
- & unchanged (e p, c p, m p)
- --> MemFail memCh (resbar rmhist) p"
+lemma Step1_4_3b: "\<turnstile> RPCFail crCh rmCh rst p \<and> $S3 rmhist p \<and> (S6 rmhist p)$
+ \<and> unchanged (e p, c p, m p)
+ \<longrightarrow> MemFail memCh (resbar rmhist) p"
apply clarsimp
apply (drule S6_excl [temp_use])
apply (auto simp: RPCFail_def MemFail_def e_def c_def m_def resbar_def)
@@ -679,101 +679,101 @@
apply (auto simp: Return_def)
done
-lemma Step1_4_4a1: "|- $S4 rmhist p & (S4 rmhist p)$ & ReadInner rmCh mm ires p l
- & unchanged (e p, c p, r p, rmhist!p) & $MemInv mm l
- --> ReadInner memCh mm (resbar rmhist) p l"
+lemma Step1_4_4a1: "\<turnstile> $S4 rmhist p \<and> (S4 rmhist p)$ \<and> ReadInner rmCh mm ires p l
+ \<and> unchanged (e p, c p, r p, rmhist!p) \<and> $MemInv mm l
+ \<longrightarrow> ReadInner memCh mm (resbar rmhist) p l"
apply clarsimp
apply (drule S4_excl [temp_use])+
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
- @{thm GoodRead_def}, @{thm BadRead_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}]) [] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm ReadInner_def},
+ @{thm GoodRead_def}, @{thm BadRead_def}, @{thm e_def}, @{thm c_def}, @{thm m_def}]) [] [] 1\<close>)
apply (auto simp: resbar_def)
- apply (tactic {* ALLGOALS (action_simp_tac
+ apply (tactic \<open>ALLGOALS (action_simp_tac
(@{context} addsimps [@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def},
@{thm S_def}, @{thm S4_def}, @{thm RdRequest_def}, @{thm MemInv_def}])
- [] [@{thm impE}, @{thm MemValNotAResultE}]) *})
+ [] [@{thm impE}, @{thm MemValNotAResultE}])\<close>)
done
-lemma Step1_4_4a: "|- Read rmCh mm ires p & $S4 rmhist p & (S4 rmhist p)$
- & unchanged (e p, c p, r p, rmhist!p) & (!l. $(MemInv mm l))
- --> Read memCh mm (resbar rmhist) p"
+lemma Step1_4_4a: "\<turnstile> Read rmCh mm ires p \<and> $S4 rmhist p \<and> (S4 rmhist p)$
+ \<and> unchanged (e p, c p, r p, rmhist!p) \<and> (\<forall>l. $(MemInv mm l))
+ \<longrightarrow> Read memCh mm (resbar rmhist) p"
by (force simp: Read_def elim!: Step1_4_4a1 [temp_use])
-lemma Step1_4_4b1: "|- $S4 rmhist p & (S4 rmhist p)$ & WriteInner rmCh mm ires p l v
- & unchanged (e p, c p, r p, rmhist!p)
- --> WriteInner memCh mm (resbar rmhist) p l v"
+lemma Step1_4_4b1: "\<turnstile> $S4 rmhist p \<and> (S4 rmhist p)$ \<and> WriteInner rmCh mm ires p l v
+ \<and> unchanged (e p, c p, r p, rmhist!p)
+ \<longrightarrow> WriteInner memCh mm (resbar rmhist) p l v"
apply clarsimp
apply (drule S4_excl [temp_use])+
- apply (tactic {* action_simp_tac (@{context} addsimps
+ apply (tactic \<open>action_simp_tac (@{context} addsimps
[@{thm WriteInner_def}, @{thm GoodWrite_def}, @{thm BadWrite_def}, @{thm e_def},
- @{thm c_def}, @{thm m_def}]) [] [] 1 *})
+ @{thm c_def}, @{thm m_def}]) [] [] 1\<close>)
apply (auto simp: resbar_def)
- apply (tactic {* ALLGOALS (action_simp_tac (@{context} addsimps
+ apply (tactic \<open>ALLGOALS (action_simp_tac (@{context} addsimps
[@{thm RPCRelayArg_def}, @{thm MClkRelayArg_def}, @{thm S_def},
- @{thm S4_def}, @{thm WrRequest_def}]) [] []) *})
+ @{thm S4_def}, @{thm WrRequest_def}]) [] [])\<close>)
done
-lemma Step1_4_4b: "|- Write rmCh mm ires p l & $S4 rmhist p & (S4 rmhist p)$
- & unchanged (e p, c p, r p, rmhist!p)
- --> Write memCh mm (resbar rmhist) p l"
+lemma Step1_4_4b: "\<turnstile> Write rmCh mm ires p l \<and> $S4 rmhist p \<and> (S4 rmhist p)$
+ \<and> unchanged (e p, c p, r p, rmhist!p)
+ \<longrightarrow> Write memCh mm (resbar rmhist) p l"
by (force simp: Write_def elim!: Step1_4_4b1 [temp_use])
-lemma Step1_4_4c: "|- MemReturn rmCh ires p & $S4 rmhist p & (S5 rmhist p)$
- & unchanged (e p, c p, r p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p)"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
- @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1 *})
+lemma Step1_4_4c: "\<turnstile> MemReturn rmCh ires p \<and> $S4 rmhist p \<and> (S5 rmhist p)$
+ \<and> unchanged (e p, c p, r p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
+ @{thm c_def}, @{thm r_def}, @{thm resbar_def}]) [] [] 1\<close>)
apply (drule S4_excl [temp_use] S5_excl [temp_use])+
using [[fast_solver]]
apply (auto elim!: squareE [temp_use] simp: MemReturn_def Return_def)
done
-lemma Step1_4_5a: "|- RPCReply crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
- & unchanged (e p, c p, m p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_4_5a: "\<turnstile> RPCReply crCh rmCh rst p \<and> $S5 rmhist p \<and> (S6 rmhist p)$
+ \<and> unchanged (e p, c p, m p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (drule S5_excl [temp_use] S6_excl [temp_use])+
apply (auto simp: e_def c_def m_def resbar_def)
apply (auto simp: RPCReply_def Return_def S5_def S_def dest!: MVOKBAnotRF [temp_use])
done
-lemma Step1_4_5b: "|- RPCFail crCh rmCh rst p & $S5 rmhist p & (S6 rmhist p)$
- & unchanged (e p, c p, m p)
- --> MemFail memCh (resbar rmhist) p"
+lemma Step1_4_5b: "\<turnstile> RPCFail crCh rmCh rst p \<and> $S5 rmhist p \<and> (S6 rmhist p)$
+ \<and> unchanged (e p, c p, m p)
+ \<longrightarrow> MemFail memCh (resbar rmhist) p"
apply clarsimp
apply (drule S6_excl [temp_use])
apply (auto simp: e_def c_def m_def RPCFail_def Return_def MemFail_def resbar_def)
apply (auto simp: S5_def S_def)
done
-lemma Step1_4_6a: "|- MClkReply memCh crCh cst p & $S6 rmhist p & (S1 rmhist p)$
- & unchanged (e p, r p, m p)
- --> MemReturn memCh (resbar rmhist) p"
+lemma Step1_4_6a: "\<turnstile> MClkReply memCh crCh cst p \<and> $S6 rmhist p \<and> (S1 rmhist p)$
+ \<and> unchanged (e p, r p, m p)
+ \<longrightarrow> MemReturn memCh (resbar rmhist) p"
apply clarsimp
apply (drule S6_excl [temp_use])+
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def},
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def},
@{thm r_def}, @{thm m_def}, @{thm MClkReply_def}, @{thm MemReturn_def},
- @{thm Return_def}, @{thm resbar_def}]) [] [] 1 *})
+ @{thm Return_def}, @{thm resbar_def}]) [] [] 1\<close>)
apply simp_all (* simplify if-then-else *)
- apply (tactic {* ALLGOALS (action_simp_tac (@{context} addsimps
- [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}]) *})
+ apply (tactic \<open>ALLGOALS (action_simp_tac (@{context} addsimps
+ [@{thm MClkReplyVal_def}, @{thm S6_def}, @{thm S_def}]) [] [@{thm MVOKBARFnotNR}])\<close>)
done
-lemma Step1_4_6b: "|- MClkRetry memCh crCh cst p & $S6 rmhist p & (S3 rmhist p)$
- & unchanged (e p, r p, m p, rmhist!p)
- --> MemFail memCh (resbar rmhist) p"
+lemma Step1_4_6b: "\<turnstile> MClkRetry memCh crCh cst p \<and> $S6 rmhist p \<and> (S3 rmhist p)$
+ \<and> unchanged (e p, r p, m p, rmhist!p)
+ \<longrightarrow> MemFail memCh (resbar rmhist) p"
apply clarsimp
apply (drule S3_excl [temp_use])+
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm e_def}, @{thm r_def},
- @{thm m_def}, @{thm MClkRetry_def}, @{thm MemFail_def}, @{thm resbar_def}]) [] [] 1 *})
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm e_def}, @{thm r_def},
+ @{thm m_def}, @{thm MClkRetry_def}, @{thm MemFail_def}, @{thm resbar_def}]) [] [] 1\<close>)
apply (auto simp: S6_def S_def)
done
-lemma S_lemma: "|- unchanged (e p, c p, r p, m p, rmhist!p)
- --> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
+lemma S_lemma: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
+ \<longrightarrow> unchanged (S rmhist ec cc rc cs rs hs1 hs2 p)"
by (auto simp: e_def c_def r_def m_def caller_def rtrner_def S_def Calling_def)
-lemma Step1_4_7H: "|- unchanged (e p, c p, r p, m p, rmhist!p)
- --> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
+lemma Step1_4_7H: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
+ \<longrightarrow> unchanged (rtrner memCh!p, S1 rmhist p, S2 rmhist p, S3 rmhist p,
S4 rmhist p, S5 rmhist p, S6 rmhist p)"
apply clarsimp
apply (rule conjI)
@@ -781,8 +781,8 @@
apply (force simp: S1_def S2_def S3_def S4_def S5_def S6_def intro!: S_lemma [temp_use])
done
-lemma Step1_4_7: "|- unchanged (e p, c p, r p, m p, rmhist!p)
- --> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
+lemma Step1_4_7: "\<turnstile> unchanged (e p, c p, r p, m p, rmhist!p)
+ \<longrightarrow> unchanged (rtrner memCh!p, resbar rmhist!p, S1 rmhist p, S2 rmhist p,
S3 rmhist p, S4 rmhist p, S5 rmhist p, S6 rmhist p)"
apply (rule actionI)
apply (unfold action_rews)
@@ -794,20 +794,20 @@
(* Frequently needed abbreviation: distinguish between idling and non-idling
steps of the implementation, and try to solve the idling case by simplification
*)
-ML {*
+ML \<open>
fun split_idle_tac ctxt =
SELECT_GOAL
(TRY (rtac @{thm actionI} 1) THEN
- Induct_Tacs.case_tac ctxt "(s,t) |= unchanged (e p, c p, r p, m p, rmhist!p)" [] NONE 1 THEN
+ Induct_Tacs.case_tac ctxt "(s,t) \<Turnstile> unchanged (e p, c p, r p, m p, rmhist!p)" [] NONE 1 THEN
rewrite_goals_tac ctxt @{thms action_rews} THEN
forward_tac ctxt [temp_use ctxt @{thm Step1_4_7}] 1 THEN
asm_full_simp_tac ctxt 1);
-*}
+\<close>
-method_setup split_idle = {*
+method_setup split_idle = \<open>
Method.sections (Simplifier.simp_modifiers @ Splitter.split_modifiers)
>> (K (SIMPLE_METHOD' o split_idle_tac))
-*}
+\<close>
(* ----------------------------------------------------------------------
Combine steps 1.2 and 1.4 to prove that the implementation satisfies
@@ -816,42 +816,42 @@
(* Steps that leave all variables unchanged are safe, so I may assume
that some variable changes in the proof that a step is safe. *)
-lemma unchanged_safe: "|- (~unchanged (e p, c p, r p, m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma unchanged_safe: "\<turnstile> (\<not>unchanged (e p, c p, r p, m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p))
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply (split_idle simp: square_def)
apply force
done
(* turn into (unsafe, looping!) introduction rule *)
lemmas unchanged_safeI = impI [THEN unchanged_safe [action_use]]
-lemma S1safe: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S1safe: "\<turnstile> $S1 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (rule idle_squareI)
apply (auto dest!: Step1_2_1 [temp_use] Step1_4_1 [temp_use])
done
-lemma S2safe: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S2safe: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (rule idle_squareI)
apply (auto dest!: Step1_2_2 [temp_use] Step1_4_2 [temp_use])
done
-lemma S3safe: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S3safe: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (auto dest!: Step1_2_3 [temp_use])
apply (auto simp: square_def UNext_def dest!: Step1_4_3a [temp_use] Step1_4_3b [temp_use])
done
-lemma S4safe: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- & (!l. $(MemInv mm l))
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S4safe: "\<turnstile> $S4 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<and> (\<forall>l. $(MemInv mm l))
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (auto dest!: Step1_2_4 [temp_use])
@@ -859,16 +859,16 @@
dest!: Step1_4_4a [temp_use] Step1_4_4b [temp_use] Step1_4_4c [temp_use])
done
-lemma S5safe: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S5safe: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (auto dest!: Step1_2_5 [temp_use])
apply (auto simp: square_def UNext_def dest!: Step1_4_5a [temp_use] Step1_4_5b [temp_use])
done
-lemma S6safe: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma S6safe: "\<turnstile> $S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> [UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
apply clarsimp
apply (rule unchanged_safeI)
apply (auto dest!: Step1_2_6 [temp_use])
@@ -889,8 +889,8 @@
(* ------------------------------ State S1 ------------------------------ *)
-lemma S1_successors: "|- $S1 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> (S1 rmhist p)$ | (S2 rmhist p)$"
+lemma S1_successors: "\<turnstile> $S1 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> (S1 rmhist p)$ \<or> (S2 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_1 [temp_use])
done
@@ -899,215 +899,215 @@
by entering the state S1 infinitely often.
*)
-lemma S1_RNextdisabled: "|- S1 rmhist p -->
- ~Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
- apply (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def},
- @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}, temp_elim @{context} @{thm Memoryidle}] 1 *})
+lemma S1_RNextdisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
+ \<not>Enabled (<RNext memCh mm (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
+ apply (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def},
+ @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}, temp_elim @{context} @{thm Memoryidle}] 1\<close>)
apply force
done
-lemma S1_Returndisabled: "|- S1 rmhist p -->
- ~Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def}, @{thm MemReturn_def},
- @{thm Return_def}, @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}] 1 *})
+lemma S1_Returndisabled: "\<turnstile> S1 rmhist p \<longrightarrow>
+ \<not>Enabled (<MemReturn memCh (resbar rmhist) p>_(rtrner memCh!p, resbar rmhist!p))"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def}, @{thm MemReturn_def},
+ @{thm Return_def}, @{thm S_def}, @{thm S1_def}]) [notI] [@{thm enabledE}] 1\<close>)
-lemma RNext_fair: "|- []<>S1 rmhist p
- --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
+lemma RNext_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
+ \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
by (auto simp: WF_alt [try_rewrite] intro!: S1_RNextdisabled [temp_use]
elim!: STL4E [temp_use] DmdImplE [temp_use])
-lemma Return_fair: "|- []<>S1 rmhist p
- --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
+lemma Return_fair: "\<turnstile> \<box>\<diamond>S1 rmhist p
+ \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
by (auto simp: WF_alt [try_rewrite]
intro!: S1_Returndisabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
(* ------------------------------ State S2 ------------------------------ *)
-lemma S2_successors: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> (S2 rmhist p)$ | (S3 rmhist p)$"
+lemma S2_successors: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> (S2 rmhist p)$ \<or> (S3 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_2 [temp_use])
done
-lemma S2MClkFwd_successors: "|- ($S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & <MClkFwd memCh crCh cst p>_(c p)
- --> (S3 rmhist p)$"
+lemma S2MClkFwd_successors: "\<turnstile> ($S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> <MClkFwd memCh crCh cst p>_(c p)
+ \<longrightarrow> (S3 rmhist p)$"
by (auto simp: angle_def dest!: Step1_2_2 [temp_use])
-lemma S2MClkFwd_enabled: "|- $S2 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
+lemma S2MClkFwd_enabled: "\<turnstile> $S2 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> $Enabled (<MClkFwd memCh crCh cst p>_(c p))"
apply (auto simp: c_def intro!: MClkFwd_ch_enabled [temp_use] MClkFwd_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
apply (simp_all add: S_def S2_def)
done
-lemma S2_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & WF(MClkFwd memCh crCh cst p)_(c p)
- --> (S2 rmhist p ~> S3 rmhist p)"
+lemma S2_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> WF(MClkFwd memCh crCh cst p)_(c p)
+ \<longrightarrow> (S2 rmhist p \<leadsto> S3 rmhist p)"
by (rule WF1 S2_successors S2MClkFwd_successors S2MClkFwd_enabled)+
(* ------------------------------ State S3 ------------------------------ *)
-lemma S3_successors: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> (S3 rmhist p)$ | (S4 rmhist p | S6 rmhist p)$"
+lemma S3_successors: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> (S3 rmhist p)$ \<or> (S4 rmhist p \<or> S6 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_3 [temp_use])
done
-lemma S3RPC_successors: "|- ($S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & <RPCNext crCh rmCh rst p>_(r p)
- --> (S4 rmhist p | S6 rmhist p)$"
+lemma S3RPC_successors: "\<turnstile> ($S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> <RPCNext crCh rmCh rst p>_(r p)
+ \<longrightarrow> (S4 rmhist p \<or> S6 rmhist p)$"
apply (auto simp: angle_def dest!: Step1_2_3 [temp_use])
done
-lemma S3RPC_enabled: "|- $S3 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
+lemma S3RPC_enabled: "\<turnstile> $S3 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
apply (simp_all add: S_def S3_def)
done
-lemma S3_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & WF(RPCNext crCh rmCh rst p)_(r p)
- --> (S3 rmhist p ~> S4 rmhist p | S6 rmhist p)"
+lemma S3_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> WF(RPCNext crCh rmCh rst p)_(r p)
+ \<longrightarrow> (S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p)"
by (rule WF1 S3_successors S3RPC_successors S3RPC_enabled)+
(* ------------- State S4 -------------------------------------------------- *)
-lemma S4_successors: "|- $S4 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- & (ALL l. $MemInv mm l)
- --> (S4 rmhist p)$ | (S5 rmhist p)$"
+lemma S4_successors: "\<turnstile> $S4 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> (S4 rmhist p)$ \<or> (S5 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_4 [temp_use])
done
(* --------- State S4a: S4 /\ (ires p = NotAResult) ------------------------ *)
-lemma S4a_successors: "|- $(S4 rmhist p & ires!p = #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l)
- --> (S4 rmhist p & ires!p = #NotAResult)$
- | ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$"
+lemma S4a_successors: "\<turnstile> $(S4 rmhist p \<and> ires!p = #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> (S4 rmhist p \<and> ires!p = #NotAResult)$
+ \<or> ((S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_4 [temp_use])
done
-lemma S4aRNext_successors: "|- ($(S4 rmhist p & ires!p = #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p,rmhist!p) & (ALL l. $MemInv mm l))
- & <RNext rmCh mm ires p>_(m p)
- --> ((S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)$"
+lemma S4aRNext_successors: "\<turnstile> ($(S4 rmhist p \<and> ires!p = #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p,rmhist!p) \<and> (\<forall>l. $MemInv mm l))
+ \<and> <RNext rmCh mm ires p>_(m p)
+ \<longrightarrow> ((S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)$"
by (auto simp: angle_def
dest!: Step1_2_4 [temp_use] ReadResult [temp_use] WriteResult [temp_use])
-lemma S4aRNext_enabled: "|- $(S4 rmhist p & ires!p = #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)
- --> $Enabled (<RNext rmCh mm ires p>_(m p))"
+lemma S4aRNext_enabled: "\<turnstile> $(S4 rmhist p \<and> ires!p = #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> $Enabled (<RNext rmCh mm ires p>_(m p))"
apply (auto simp: m_def intro!: RNext_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
apply (simp add: S_def S4_def)
done
-lemma S4a_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- & (ALL l. $MemInv mm l)) & WF(RNext rmCh mm ires p)_(m p)
- --> (S4 rmhist p & ires!p = #NotAResult
- ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p)"
+lemma S4a_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<and> (\<forall>l. $MemInv mm l)) \<and> WF(RNext rmCh mm ires p)_(m p)
+ \<longrightarrow> (S4 rmhist p \<and> ires!p = #NotAResult
+ \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p)"
by (rule WF1 S4a_successors S4aRNext_successors S4aRNext_enabled)+
(* ---------- State S4b: S4 /\ (ires p # NotAResult) --------------------------- *)
-lemma S4b_successors: "|- $(S4 rmhist p & ires!p ~= #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (ALL l. $MemInv mm l)
- --> (S4 rmhist p & ires!p ~= #NotAResult)$ | (S5 rmhist p)$"
+lemma S4b_successors: "\<turnstile> $(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult)$ \<or> (S5 rmhist p)$"
apply (split_idle simp: m_def)
apply (auto dest!: WriteResult [temp_use] Step1_2_4 [temp_use] ReadResult [temp_use])
done
-lemma S4bReturn_successors: "|- ($(S4 rmhist p & ires!p ~= #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- & (ALL l. $MemInv mm l)) & <MemReturn rmCh ires p>_(m p)
- --> (S5 rmhist p)$"
+lemma S4bReturn_successors: "\<turnstile> ($(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<and> (\<forall>l. $MemInv mm l)) \<and> <MemReturn rmCh ires p>_(m p)
+ \<longrightarrow> (S5 rmhist p)$"
by (force simp: angle_def dest!: Step1_2_4 [temp_use] dest: ReturnNotReadWrite [temp_use])
-lemma S4bReturn_enabled: "|- $(S4 rmhist p & ires!p ~= #NotAResult)
- & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- & (ALL l. $MemInv mm l)
- --> $Enabled (<MemReturn rmCh ires p>_(m p))"
+lemma S4bReturn_enabled: "\<turnstile> $(S4 rmhist p \<and> ires!p \<noteq> #NotAResult)
+ \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<and> (\<forall>l. $MemInv mm l)
+ \<longrightarrow> $Enabled (<MemReturn rmCh ires p>_(m p))"
apply (auto simp: m_def intro!: MemReturn_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
apply (simp add: S_def S4_def)
done
-lemma S4b_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & (!l. $MemInv mm l))
- & WF(MemReturn rmCh ires p)_(m p)
- --> (S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p)"
+lemma S4b_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> (\<forall>l. $MemInv mm l))
+ \<and> WF(MemReturn rmCh ires p)_(m p)
+ \<longrightarrow> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p)"
by (rule WF1 S4b_successors S4bReturn_successors S4bReturn_enabled)+
(* ------------------------------ State S5 ------------------------------ *)
-lemma S5_successors: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> (S5 rmhist p)$ | (S6 rmhist p)$"
+lemma S5_successors: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> (S5 rmhist p)$ \<or> (S6 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_5 [temp_use])
done
-lemma S5RPC_successors: "|- ($S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & <RPCNext crCh rmCh rst p>_(r p)
- --> (S6 rmhist p)$"
+lemma S5RPC_successors: "\<turnstile> ($S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> <RPCNext crCh rmCh rst p>_(r p)
+ \<longrightarrow> (S6 rmhist p)$"
by (auto simp: angle_def dest!: Step1_2_5 [temp_use])
-lemma S5RPC_enabled: "|- $S5 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
+lemma S5RPC_enabled: "\<turnstile> $S5 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> $Enabled (<RPCNext crCh rmCh rst p>_(r p))"
apply (auto simp: r_def intro!: RPCFail_Next_enabled [temp_use] RPCFail_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
apply (simp_all add: S_def S5_def)
done
-lemma S5_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & WF(RPCNext crCh rmCh rst p)_(r p)
- --> (S5 rmhist p ~> S6 rmhist p)"
+lemma S5_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> WF(RPCNext crCh rmCh rst p)_(r p)
+ \<longrightarrow> (S5 rmhist p \<leadsto> S6 rmhist p)"
by (rule WF1 S5_successors S5RPC_successors S5RPC_enabled)+
(* ------------------------------ State S6 ------------------------------ *)
-lemma S6_successors: "|- $S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p)
- --> (S1 rmhist p)$ | (S3 rmhist p)$ | (S6 rmhist p)$"
+lemma S6_successors: "\<turnstile> $S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p)
+ \<longrightarrow> (S1 rmhist p)$ \<or> (S3 rmhist p)$ \<or> (S6 rmhist p)$"
apply split_idle
apply (auto dest!: Step1_2_6 [temp_use])
done
lemma S6MClkReply_successors:
- "|- ($S6 rmhist p & ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p))
- & <MClkReply memCh crCh cst p>_(c p)
- --> (S1 rmhist p)$"
+ "\<turnstile> ($S6 rmhist p \<and> ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p))
+ \<and> <MClkReply memCh crCh cst p>_(c p)
+ \<longrightarrow> (S1 rmhist p)$"
by (auto simp: angle_def dest!: Step1_2_6 [temp_use] MClkReplyNotRetry [temp_use])
lemma MClkReplyS6:
- "|- $ImpInv rmhist p & <MClkReply memCh crCh cst p>_(c p) --> $S6 rmhist p"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm angle_def},
+ "\<turnstile> $ImpInv rmhist p \<and> <MClkReply memCh crCh cst p>_(c p) \<longrightarrow> $S6 rmhist p"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm angle_def},
@{thm MClkReply_def}, @{thm Return_def}, @{thm ImpInv_def}, @{thm S_def},
- @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1 *})
+ @{thm S1_def}, @{thm S2_def}, @{thm S3_def}, @{thm S4_def}, @{thm S5_def}]) [] [] 1\<close>)
-lemma S6MClkReply_enabled: "|- S6 rmhist p --> Enabled (<MClkReply memCh crCh cst p>_(c p))"
+lemma S6MClkReply_enabled: "\<turnstile> S6 rmhist p \<longrightarrow> Enabled (<MClkReply memCh crCh cst p>_(c p))"
apply (auto simp: c_def intro!: MClkReply_enabled [temp_use])
apply (cut_tac MI_base)
apply (blast dest: base_pair)
- apply (tactic {* ALLGOALS (action_simp_tac (@{context}
- addsimps [@{thm S_def}, @{thm S6_def}]) [] []) *})
+ apply (tactic \<open>ALLGOALS (action_simp_tac (@{context}
+ addsimps [@{thm S_def}, @{thm S6_def}]) [] [])\<close>)
done
-lemma S6_live: "|- [](ImpNext p & [HNext rmhist p]_(c p,r p,m p, rmhist!p) & $(ImpInv rmhist p))
- & SF(MClkReply memCh crCh cst p)_(c p) & []<>(S6 rmhist p)
- --> []<>(S1 rmhist p)"
+lemma S6_live: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p,r p,m p, rmhist!p) \<and> $(ImpInv rmhist p))
+ \<and> SF(MClkReply memCh crCh cst p)_(c p) \<and> \<box>\<diamond>(S6 rmhist p)
+ \<longrightarrow> \<box>\<diamond>(S1 rmhist p)"
apply clarsimp
- apply (subgoal_tac "sigma |= []<> (<MClkReply memCh crCh cst p>_ (c p))")
+ apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond> (<MClkReply memCh crCh cst p>_ (c p))")
apply (erule InfiniteEnsures)
apply assumption
- apply (tactic {* action_simp_tac @{context} []
- (map (temp_elim @{context}) [@{thm MClkReplyS6}, @{thm S6MClkReply_successors}]) 1 *})
+ apply (tactic \<open>action_simp_tac @{context} []
+ (map (temp_elim @{context}) [@{thm MClkReplyS6}, @{thm S6MClkReply_successors}]) 1\<close>)
apply (auto simp: SF_def)
apply (erule contrapos_np)
apply (auto intro!: S6MClkReply_enabled [temp_use] elim!: STL4E [temp_use] DmdImplE [temp_use])
@@ -1115,26 +1115,26 @@
(* --------------- aggregate leadsto properties----------------------------- *)
-lemma S5S6LeadstoS6: "sigma |= S5 rmhist p ~> S6 rmhist p
- ==> sigma |= (S5 rmhist p | S6 rmhist p) ~> S6 rmhist p"
+lemma S5S6LeadstoS6: "sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p
+ \<Longrightarrow> sigma \<Turnstile> (S5 rmhist p \<or> S6 rmhist p) \<leadsto> S6 rmhist p"
by (auto intro!: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
-lemma S4bS5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
- sigma |= S5 rmhist p ~> S6 rmhist p |]
- ==> sigma |= (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p
- ~> S6 rmhist p"
+lemma S4bS5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
+ sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p
+ \<leadsto> S6 rmhist p"
by (auto intro!: LatticeDisjunctionIntro [temp_use]
S5S6LeadstoS6 [temp_use] intro: LatticeTransitivity [temp_use])
-lemma S4S5S6LeadstoS6: "[| sigma |= S4 rmhist p & ires!p = #NotAResult
- ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p;
- sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
- sigma |= S5 rmhist p ~> S6 rmhist p |]
- ==> sigma |= S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
- apply (subgoal_tac "sigma |= (S4 rmhist p & ires!p = #NotAResult) |
- (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p ~> S6 rmhist p")
- apply (erule_tac G = "PRED ((S4 rmhist p & ires!p = #NotAResult) |
- (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p | S6 rmhist p)" in
+lemma S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
+ \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
+ sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p"
+ apply (subgoal_tac "sigma \<Turnstile> (S4 rmhist p \<and> ires!p = #NotAResult) \<or>
+ (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p")
+ apply (erule_tac G = "PRED ((S4 rmhist p \<and> ires!p = #NotAResult) \<or>
+ (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p \<or> S6 rmhist p)" in
LatticeTransitivity [temp_use])
apply (force simp: Init_defs intro!: ImplLeadsto_gen [temp_use] necT [temp_use])
apply (rule LatticeDisjunctionIntro [temp_use])
@@ -1144,12 +1144,12 @@
apply (auto intro!: S4bS5S6LeadstoS6 [temp_use])
done
-lemma S3S4S5S6LeadstoS6: "[| sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
- sigma |= S4 rmhist p & ires!p = #NotAResult
- ~> (S4 rmhist p & ires!p ~= #NotAResult) | S5 rmhist p;
- sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
- sigma |= S5 rmhist p ~> S6 rmhist p |]
- ==> sigma |= S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p ~> S6 rmhist p"
+lemma S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
+ \<leadsto> (S4 rmhist p \<and> ires!p \<noteq> #NotAResult) \<or> S5 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
+ sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> S3 rmhist p \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p \<leadsto> S6 rmhist p"
apply (rule LatticeDisjunctionIntro [temp_use])
apply (erule LatticeTriangle2 [temp_use])
apply (rule S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
@@ -1157,14 +1157,14 @@
intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
done
-lemma S2S3S4S5S6LeadstoS6: "[| sigma |= S2 rmhist p ~> S3 rmhist p;
- sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
- sigma |= S4 rmhist p & ires!p = #NotAResult
- ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p;
- sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
- sigma |= S5 rmhist p ~> S6 rmhist p |]
- ==> sigma |= S2 rmhist p | S3 rmhist p | S4 rmhist p | S5 rmhist p | S6 rmhist p
- ~> S6 rmhist p"
+lemma S2S3S4S5S6LeadstoS6: "\<lbrakk> sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
+ sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
+ \<leadsto> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<or> S5 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
+ sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> S2 rmhist p \<or> S3 rmhist p \<or> S4 rmhist p \<or> S5 rmhist p \<or> S6 rmhist p
+ \<leadsto> S6 rmhist p"
apply (rule LatticeDisjunctionIntro [temp_use])
apply (rule LatticeTransitivity [temp_use])
prefer 2 apply assumption
@@ -1173,14 +1173,14 @@
intro: ImplLeadsto_gen [temp_use] simp: Init_defs)
done
-lemma NotS1LeadstoS6: "[| sigma |= []ImpInv rmhist p;
- sigma |= S2 rmhist p ~> S3 rmhist p;
- sigma |= S3 rmhist p ~> S4 rmhist p | S6 rmhist p;
- sigma |= S4 rmhist p & ires!p = #NotAResult
- ~> S4 rmhist p & ires!p ~= #NotAResult | S5 rmhist p;
- sigma |= S4 rmhist p & ires!p ~= #NotAResult ~> S5 rmhist p;
- sigma |= S5 rmhist p ~> S6 rmhist p |]
- ==> sigma |= ~S1 rmhist p ~> S6 rmhist p"
+lemma NotS1LeadstoS6: "\<lbrakk> sigma \<Turnstile> \<box>ImpInv rmhist p;
+ sigma \<Turnstile> S2 rmhist p \<leadsto> S3 rmhist p;
+ sigma \<Turnstile> S3 rmhist p \<leadsto> S4 rmhist p \<or> S6 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p = #NotAResult
+ \<leadsto> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<or> S5 rmhist p;
+ sigma \<Turnstile> S4 rmhist p \<and> ires!p \<noteq> #NotAResult \<leadsto> S5 rmhist p;
+ sigma \<Turnstile> S5 rmhist p \<leadsto> S6 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p"
apply (rule S2S3S4S5S6LeadstoS6 [THEN LatticeTransitivity [temp_use]])
apply assumption+
apply (erule INV_leadsto [temp_use])
@@ -1189,12 +1189,12 @@
apply (auto simp: ImpInv_def Init_defs intro!: necT [temp_use])
done
-lemma S1Infinite: "[| sigma |= ~S1 rmhist p ~> S6 rmhist p;
- sigma |= []<>S6 rmhist p --> []<>S1 rmhist p |]
- ==> sigma |= []<>S1 rmhist p"
+lemma S1Infinite: "\<lbrakk> sigma \<Turnstile> \<not>S1 rmhist p \<leadsto> S6 rmhist p;
+ sigma \<Turnstile> \<box>\<diamond>S6 rmhist p \<longrightarrow> \<box>\<diamond>S1 rmhist p \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>S1 rmhist p"
apply (rule classical)
- apply (tactic {* asm_lr_simp_tac (@{context} addsimps
- [temp_use @{context} @{thm NotBox}, temp_rewrite @{context} @{thm NotDmd}]) 1 *})
+ apply (tactic \<open>asm_lr_simp_tac (@{context} addsimps
+ [temp_use @{context} @{thm NotBox}, temp_rewrite @{context} @{thm NotDmd}]) 1\<close>)
apply (auto elim!: leadsto_infinite [temp_use] mp dest!: DBImplBD [temp_use])
done
@@ -1204,12 +1204,12 @@
a. memory invariant
b. "implementation invariant": always in states S1,...,S6
*)
-lemma Step1_5_1a: "|- IPImp p --> (ALL l. []$MemInv mm l)"
+lemma Step1_5_1a: "\<turnstile> IPImp p \<longrightarrow> (\<forall>l. \<box>$MemInv mm l)"
by (auto simp: IPImp_def box_stp_act [temp_use] intro!: MemoryInvariantAll [temp_use])
-lemma Step1_5_1b: "|- Init(ImpInit p & HInit rmhist p) & [](ImpNext p)
- & [][HNext rmhist p]_(c p, r p, m p, rmhist!p) & [](ALL l. $MemInv mm l)
- --> []ImpInv rmhist p"
+lemma Step1_5_1b: "\<turnstile> Init(ImpInit p \<and> HInit rmhist p) \<and> \<box>(ImpNext p)
+ \<and> \<box>[HNext rmhist p]_(c p, r p, m p, rmhist!p) \<and> \<box>(\<forall>l. $MemInv mm l)
+ \<longrightarrow> \<box>ImpInv rmhist p"
apply invariant
apply (auto simp: Init_def ImpInv_def box_stp_act [temp_use]
dest!: Step1_1 [temp_use] dest: S1_successors [temp_use] S2_successors [temp_use]
@@ -1218,26 +1218,26 @@
done
(*** Initialization ***)
-lemma Step1_5_2a: "|- Init(ImpInit p & HInit rmhist p) --> Init(PInit (resbar rmhist) p)"
+lemma Step1_5_2a: "\<turnstile> Init(ImpInit p \<and> HInit rmhist p) \<longrightarrow> Init(PInit (resbar rmhist) p)"
by (auto simp: Init_def intro!: Step1_1 [temp_use] Step1_3 [temp_use])
(*** step simulation ***)
-lemma Step1_5_2b: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
- & $ImpInv rmhist p & (!l. $MemInv mm l))
- --> [][UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_5_2b: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p)
+ \<and> $ImpInv rmhist p \<and> (\<forall>l. $MemInv mm l))
+ \<longrightarrow> \<box>[UNext memCh mm (resbar rmhist) p]_(rtrner memCh!p, resbar rmhist!p)"
by (auto simp: ImpInv_def elim!: STL4E [temp_use]
dest!: S1safe [temp_use] S2safe [temp_use] S3safe [temp_use] S4safe [temp_use]
S5safe [temp_use] S6safe [temp_use])
(*** Liveness ***)
-lemma GoodImpl: "|- IPImp p & HistP rmhist p
- --> Init(ImpInit p & HInit rmhist p)
- & [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p)
- & ImpLive p"
+lemma GoodImpl: "\<turnstile> IPImp p \<and> HistP rmhist p
+ \<longrightarrow> Init(ImpInit p \<and> HInit rmhist p)
+ \<and> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p)
+ \<and> ImpLive p"
apply clarsimp
- apply (subgoal_tac "sigma |= Init (ImpInit p & HInit rmhist p) & [] (ImpNext p) &
- [][HNext rmhist p]_ (c p, r p, m p, rmhist!p) & [] (ALL l. $MemInv mm l)")
+ apply (subgoal_tac "sigma \<Turnstile> Init (ImpInit p \<and> HInit rmhist p) \<and> \<box> (ImpNext p) \<and>
+ \<box>[HNext rmhist p]_ (c p, r p, m p, rmhist!p) \<and> \<box> (\<forall>l. $MemInv mm l)")
apply (auto simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
dest!: Step1_5_1b [temp_use])
apply (force simp: IPImp_def MClkIPSpec_def RPCIPSpec_def RPSpec_def
@@ -1251,10 +1251,10 @@
done
(* The implementation is infinitely often in state S1... *)
-lemma Step1_5_3a: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & [](ALL l. $MemInv mm l)
- & []($ImpInv rmhist p) & ImpLive p
- --> []<>S1 rmhist p"
+lemma Step1_5_3a: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> \<box>(\<forall>l. $MemInv mm l)
+ \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
+ \<longrightarrow> \<box>\<diamond>S1 rmhist p"
apply (clarsimp simp: ImpLive_def)
apply (rule S1Infinite)
apply (force simp: split_box_conj [try_rewrite] box_stp_act [try_rewrite]
@@ -1264,18 +1264,18 @@
done
(* ... and therefore satisfies the fairness requirements of the specification *)
-lemma Step1_5_3b: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p
- --> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_5_3b: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
+ \<longrightarrow> WF(RNext memCh mm (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
by (auto intro!: RNext_fair [temp_use] Step1_5_3a [temp_use])
-lemma Step1_5_3c: "|- [](ImpNext p & [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & [](ALL l. $MemInv mm l) & []($ImpInv rmhist p) & ImpLive p
- --> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
+lemma Step1_5_3c: "\<turnstile> \<box>(ImpNext p \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> \<box>(\<forall>l. $MemInv mm l) \<and> \<box>($ImpInv rmhist p) \<and> ImpLive p
+ \<longrightarrow> WF(MemReturn memCh (resbar rmhist) p)_(rtrner memCh!p, resbar rmhist!p)"
by (auto intro!: Return_fair [temp_use] Step1_5_3a [temp_use])
(* QED step of step 1 *)
-lemma Step1: "|- IPImp p & HistP rmhist p --> UPSpec memCh mm (resbar rmhist) p"
+lemma Step1: "\<turnstile> IPImp p \<and> HistP rmhist p \<longrightarrow> UPSpec memCh mm (resbar rmhist) p"
by (auto simp: UPSpec_def split_box_conj [temp_use]
dest!: GoodImpl [temp_use] intro!: Step1_5_2a [temp_use] Step1_5_2b [temp_use]
Step1_5_3b [temp_use] Step1_5_3c [temp_use])
@@ -1283,10 +1283,10 @@
(* ------------------------------ Step 2 ------------------------------ *)
section "Step 2"
-lemma Step2_2a: "|- Write rmCh mm ires p l & ImpNext p
- & [HNext rmhist p]_(c p, r p, m p, rmhist!p)
- & $ImpInv rmhist p
- --> (S4 rmhist p)$ & unchanged (e p, c p, r p, rmhist!p)"
+lemma Step2_2a: "\<turnstile> Write rmCh mm ires p l \<and> ImpNext p
+ \<and> [HNext rmhist p]_(c p, r p, m p, rmhist!p)
+ \<and> $ImpInv rmhist p
+ \<longrightarrow> (S4 rmhist p)$ \<and> unchanged (e p, c p, r p, rmhist!p)"
apply clarsimp
apply (drule WriteS4 [action_use])
apply assumption
@@ -1296,26 +1296,26 @@
apply (auto simp: square_def dest: S4Write [temp_use])
done
-lemma Step2_2: "|- (ALL p. ImpNext p)
- & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & (ALL p. $ImpInv rmhist p)
- & [EX q. Write rmCh mm ires q l]_(mm!l)
- --> [EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
+lemma Step2_2: "\<turnstile> (\<forall>p. ImpNext p)
+ \<and> (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> (\<forall>p. $ImpInv rmhist p)
+ \<and> [\<exists>q. Write rmCh mm ires q l]_(mm!l)
+ \<longrightarrow> [\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
apply (auto intro!: squareCI elim!: squareE)
apply (assumption | rule exI Step1_4_4b [action_use])+
apply (force intro!: WriteS4 [temp_use])
apply (auto dest!: Step2_2a [temp_use])
done
-lemma Step2_lemma: "|- []( (ALL p. ImpNext p)
- & (ALL p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
- & (ALL p. $ImpInv rmhist p)
- & [EX q. Write rmCh mm ires q l]_(mm!l))
- --> [][EX q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
+lemma Step2_lemma: "\<turnstile> \<box>( (\<forall>p. ImpNext p)
+ \<and> (\<forall>p. [HNext rmhist p]_(c p, r p, m p, rmhist!p))
+ \<and> (\<forall>p. $ImpInv rmhist p)
+ \<and> [\<exists>q. Write rmCh mm ires q l]_(mm!l))
+ \<longrightarrow> \<box>[\<exists>q. Write memCh mm (resbar rmhist) q l]_(mm!l)"
by (force elim!: STL4E [temp_use] dest!: Step2_2 [temp_use])
-lemma Step2: "|- #l : #MemLoc & (ALL p. IPImp p & HistP rmhist p)
- --> MSpec memCh mm (resbar rmhist) l"
+lemma Step2: "\<turnstile> #l \<in> #MemLoc \<and> (\<forall>p. IPImp p \<and> HistP rmhist p)
+ \<longrightarrow> MSpec memCh mm (resbar rmhist) l"
apply (auto simp: MSpec_def)
apply (force simp: IPImp_def MSpec_def)
apply (auto intro!: Step2_lemma [temp_use] simp: split_box_conj [temp_use] all_box [temp_use])
@@ -1334,12 +1334,12 @@
(* Implementation of internal specification by combination of implementation
and history variable with explicit refinement mapping
*)
-lemma Impl_IUSpec: "|- Implementation & Hist rmhist --> IUSpec memCh mm (resbar rmhist)"
+lemma Impl_IUSpec: "\<turnstile> Implementation \<and> Hist rmhist \<longrightarrow> IUSpec memCh mm (resbar rmhist)"
by (auto simp: IUSpec_def Implementation_def IPImp_def MClkISpec_def
RPCISpec_def IRSpec_def Hist_def intro!: Step1 [temp_use] Step2 [temp_use])
(* The main theorem: introduce hiding and eliminate history variable. *)
-lemma Implementation: "|- Implementation --> USpec memCh"
+lemma Implementation: "\<turnstile> Implementation \<longrightarrow> USpec memCh"
apply clarsimp
apply (frule History [temp_use])
apply (auto simp: USpec_def intro: eexI [temp_use] Impl_IUSpec [temp_use]
--- a/src/HOL/TLA/Memory/MemoryParameters.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/MemoryParameters.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: Memory parameters *}
+section \<open>RPC-Memory example: Memory parameters\<close>
theory MemoryParameters
imports RPCMemoryParams
@@ -27,20 +27,20 @@
axiomatization where
(* basic assumptions about the above constants and predicates *)
- BadArgNoMemVal: "BadArg ~: MemVal" and
- MemFailNoMemVal: "MemFailure ~: MemVal" and
+ BadArgNoMemVal: "BadArg \<notin> MemVal" and
+ MemFailNoMemVal: "MemFailure \<notin> MemVal" and
InitValMemVal: "InitVal : MemVal" and
- NotAResultNotVal: "NotAResult ~: MemVal" and
- NotAResultNotOK: "NotAResult ~= OK" and
- NotAResultNotBA: "NotAResult ~= BadArg" and
- NotAResultNotMF: "NotAResult ~= MemFailure"
+ NotAResultNotVal: "NotAResult \<notin> MemVal" and
+ NotAResultNotOK: "NotAResult \<noteq> OK" and
+ NotAResultNotBA: "NotAResult \<noteq> BadArg" and
+ NotAResultNotMF: "NotAResult \<noteq> MemFailure"
lemmas [simp] =
BadArgNoMemVal MemFailNoMemVal InitValMemVal NotAResultNotVal
NotAResultNotOK NotAResultNotBA NotAResultNotMF
NotAResultNotOK [symmetric] NotAResultNotBA [symmetric] NotAResultNotMF [symmetric]
-lemma MemValNotAResultE: "[| x : MemVal; (x ~= NotAResult ==> P) |] ==> P"
+lemma MemValNotAResultE: "\<lbrakk> x \<in> MemVal; (x \<noteq> NotAResult \<Longrightarrow> P) \<rbrakk> \<Longrightarrow> P"
using NotAResultNotVal by blast
end
--- a/src/HOL/TLA/Memory/ProcedureInterface.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/ProcedureInterface.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* Procedure interface for RPC-Memory components *}
+section \<open>Procedure interface for RPC-Memory components\<close>
theory ProcedureInterface
imports "../TLA" RPCMemoryParams
@@ -14,40 +14,40 @@
rather than a single array-valued variable because the
notation gets a little simpler.
*)
-type_synonym ('a,'r) channel =" (PrIds => ('a,'r) chan) stfun"
+type_synonym ('a,'r) channel =" (PrIds \<Rightarrow> ('a,'r) chan) stfun"
consts
(* data-level functions *)
- cbit :: "('a,'r) chan => bit"
- rbit :: "('a,'r) chan => bit"
- arg :: "('a,'r) chan => 'a"
- res :: "('a,'r) chan => 'r"
+ cbit :: "('a,'r) chan \<Rightarrow> bit"
+ rbit :: "('a,'r) chan \<Rightarrow> bit"
+ arg :: "('a,'r) chan \<Rightarrow> 'a"
+ res :: "('a,'r) chan \<Rightarrow> 'r"
(* state functions *)
- caller :: "('a,'r) channel => (PrIds => (bit * 'a)) stfun"
- rtrner :: "('a,'r) channel => (PrIds => (bit * 'r)) stfun"
+ caller :: "('a,'r) channel \<Rightarrow> (PrIds \<Rightarrow> (bit * 'a)) stfun"
+ rtrner :: "('a,'r) channel \<Rightarrow> (PrIds \<Rightarrow> (bit * 'r)) stfun"
(* state predicates *)
- Calling :: "('a,'r) channel => PrIds => stpred"
+ Calling :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> stpred"
(* actions *)
- ACall :: "('a,'r) channel => PrIds => 'a stfun => action"
- AReturn :: "('a,'r) channel => PrIds => 'r stfun => action"
+ ACall :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> 'a stfun \<Rightarrow> action"
+ AReturn :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> 'r stfun \<Rightarrow> action"
(* temporal formulas *)
- PLegalCaller :: "('a,'r) channel => PrIds => temporal"
- LegalCaller :: "('a,'r) channel => temporal"
- PLegalReturner :: "('a,'r) channel => PrIds => temporal"
- LegalReturner :: "('a,'r) channel => temporal"
+ PLegalCaller :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> temporal"
+ LegalCaller :: "('a,'r) channel \<Rightarrow> temporal"
+ PLegalReturner :: "('a,'r) channel \<Rightarrow> PrIds \<Rightarrow> temporal"
+ LegalReturner :: "('a,'r) channel \<Rightarrow> temporal"
(* slice through array-valued state function *)
- slice :: "('a => 'b) stfun => 'a => 'b stfun"
+ slice :: "('a \<Rightarrow> 'b) stfun \<Rightarrow> 'a \<Rightarrow> 'b stfun"
syntax
- "_slice" :: "[lift, 'a] => lift" ("(_!_)" [70,70] 70)
+ "_slice" :: "[lift, 'a] \<Rightarrow> lift" ("(_!_)" [70,70] 70)
- "_Call" :: "['a, 'b, lift] => lift" ("(Call _ _ _)" [90,90,90] 90)
- "_Return" :: "['a, 'b, lift] => lift" ("(Return _ _ _)" [90,90,90] 90)
+ "_Call" :: "['a, 'b, lift] \<Rightarrow> lift" ("(Call _ _ _)" [90,90,90] 90)
+ "_Return" :: "['a, 'b, lift] \<Rightarrow> lift" ("(Return _ _ _)" [90,90,90] 90)
translations
"_slice" == "CONST slice"
@@ -58,23 +58,23 @@
defs
slice_def: "(PRED (x!i)) s == x s i"
- caller_def: "caller ch == %s p. (cbit (ch s p), arg (ch s p))"
- rtrner_def: "rtrner ch == %s p. (rbit (ch s p), res (ch s p))"
+ caller_def: "caller ch == \<lambda>s p. (cbit (ch s p), arg (ch s p))"
+ rtrner_def: "rtrner ch == \<lambda>s p. (rbit (ch s p), res (ch s p))"
- Calling_def: "Calling ch p == PRED cbit< ch!p > ~= rbit< ch!p >"
- Call_def: "(ACT Call ch p v) == ACT ~ $Calling ch p
- & (cbit<ch!p>$ ~= $rbit<ch!p>)
- & (arg<ch!p>$ = $v)"
+ Calling_def: "Calling ch p == PRED cbit< ch!p > \<noteq> rbit< ch!p >"
+ Call_def: "(ACT Call ch p v) == ACT \<not> $Calling ch p
+ \<and> (cbit<ch!p>$ \<noteq> $rbit<ch!p>)
+ \<and> (arg<ch!p>$ = $v)"
Return_def: "(ACT Return ch p v) == ACT $Calling ch p
- & (rbit<ch!p>$ = $cbit<ch!p>)
- & (res<ch!p>$ = $v)"
+ \<and> (rbit<ch!p>$ = $cbit<ch!p>)
+ \<and> (res<ch!p>$ = $v)"
PLegalCaller_def: "PLegalCaller ch p == TEMP
- Init(~ Calling ch p)
- & [][ ? a. Call ch p a ]_((caller ch)!p)"
- LegalCaller_def: "LegalCaller ch == TEMP (! p. PLegalCaller ch p)"
+ Init(\<not> Calling ch p)
+ \<and> \<box>[\<exists>a. Call ch p a ]_((caller ch)!p)"
+ LegalCaller_def: "LegalCaller ch == TEMP (\<forall>p. PLegalCaller ch p)"
PLegalReturner_def: "PLegalReturner ch p == TEMP
- [][ ? v. Return ch p v ]_((rtrner ch)!p)"
- LegalReturner_def: "LegalReturner ch == TEMP (! p. PLegalReturner ch p)"
+ \<box>[\<exists>v. Return ch p v ]_((rtrner ch)!p)"
+ LegalReturner_def: "LegalReturner ch == TEMP (\<forall>p. PLegalReturner ch p)"
declare slice_def [simp]
@@ -82,10 +82,10 @@
PLegalCaller_def LegalCaller_def PLegalReturner_def LegalReturner_def
(* Calls and returns change their subchannel *)
-lemma Call_changed: "|- Call ch p v --> <Call ch p v>_((caller ch)!p)"
+lemma Call_changed: "\<turnstile> Call ch p v \<longrightarrow> <Call ch p v>_((caller ch)!p)"
by (auto simp: angle_def Call_def caller_def Calling_def)
-lemma Return_changed: "|- Return ch p v --> <Return ch p v>_((rtrner ch)!p)"
+lemma Return_changed: "\<turnstile> Return ch p v \<longrightarrow> <Return ch p v>_((rtrner ch)!p)"
by (auto simp: angle_def Return_def rtrner_def Calling_def)
end
--- a/src/HOL/TLA/Memory/RPC.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/RPC.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: RPC specification *}
+section \<open>RPC-Memory example: RPC specification\<close>
theory RPC
imports RPCParameters ProcedureInterface Memory
@@ -10,65 +10,65 @@
type_synonym rpcSndChType = "(rpcOp,Vals) channel"
type_synonym rpcRcvChType = "memChType"
-type_synonym rpcStType = "(PrIds => rpcState) stfun"
+type_synonym rpcStType = "(PrIds \<Rightarrow> rpcState) stfun"
consts
(* state predicates *)
- RPCInit :: "rpcRcvChType => rpcStType => PrIds => stpred"
+ RPCInit :: "rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> stpred"
(* actions *)
- RPCFwd :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
- RPCReject :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
- RPCFail :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
- RPCReply :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
- RPCNext :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => action"
+ RPCFwd :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
+ RPCReject :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
+ RPCFail :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
+ RPCReply :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
+ RPCNext :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> action"
(* temporal *)
- RPCIPSpec :: "rpcSndChType => rpcRcvChType => rpcStType => PrIds => temporal"
- RPCISpec :: "rpcSndChType => rpcRcvChType => rpcStType => temporal"
+ RPCIPSpec :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> PrIds \<Rightarrow> temporal"
+ RPCISpec :: "rpcSndChType \<Rightarrow> rpcRcvChType \<Rightarrow> rpcStType \<Rightarrow> temporal"
defs
- RPCInit_def: "RPCInit rcv rst p == PRED ((rst!p = #rpcA) & ~Calling rcv p)"
+ RPCInit_def: "RPCInit rcv rst p == PRED ((rst!p = #rpcA) \<and> \<not>Calling rcv p)"
RPCFwd_def: "RPCFwd send rcv rst p == ACT
$(Calling send p)
- & $(rst!p) = # rpcA
- & IsLegalRcvArg<arg<$(send!p)>>
- & Call rcv p RPCRelayArg<arg<send!p>>
- & (rst!p)$ = # rpcB
- & unchanged (rtrner send!p)"
+ \<and> $(rst!p) = # rpcA
+ \<and> IsLegalRcvArg<arg<$(send!p)>>
+ \<and> Call rcv p RPCRelayArg<arg<send!p>>
+ \<and> (rst!p)$ = # rpcB
+ \<and> unchanged (rtrner send!p)"
RPCReject_def: "RPCReject send rcv rst p == ACT
$(rst!p) = # rpcA
- & ~IsLegalRcvArg<arg<$(send!p)>>
- & Return send p #BadCall
- & unchanged ((rst!p), (caller rcv!p))"
+ \<and> \<not>IsLegalRcvArg<arg<$(send!p)>>
+ \<and> Return send p #BadCall
+ \<and> unchanged ((rst!p), (caller rcv!p))"
RPCFail_def: "RPCFail send rcv rst p == ACT
- ~$(Calling rcv p)
- & Return send p #RPCFailure
- & (rst!p)$ = #rpcA
- & unchanged (caller rcv!p)"
+ \<not>$(Calling rcv p)
+ \<and> Return send p #RPCFailure
+ \<and> (rst!p)$ = #rpcA
+ \<and> unchanged (caller rcv!p)"
RPCReply_def: "RPCReply send rcv rst p == ACT
- ~$(Calling rcv p)
- & $(rst!p) = #rpcB
- & Return send p res<rcv!p>
- & (rst!p)$ = #rpcA
- & unchanged (caller rcv!p)"
+ \<not>$(Calling rcv p)
+ \<and> $(rst!p) = #rpcB
+ \<and> Return send p res<rcv!p>
+ \<and> (rst!p)$ = #rpcA
+ \<and> unchanged (caller rcv!p)"
RPCNext_def: "RPCNext send rcv rst p == ACT
( RPCFwd send rcv rst p
- | RPCReject send rcv rst p
- | RPCFail send rcv rst p
- | RPCReply send rcv rst p)"
+ \<or> RPCReject send rcv rst p
+ \<or> RPCFail send rcv rst p
+ \<or> RPCReply send rcv rst p)"
RPCIPSpec_def: "RPCIPSpec send rcv rst p == TEMP
Init RPCInit rcv rst p
- & [][ RPCNext send rcv rst p ]_(rst!p, rtrner send!p, caller rcv!p)
- & WF(RPCNext send rcv rst p)_(rst!p, rtrner send!p, caller rcv!p)"
+ \<and> \<box>[ RPCNext send rcv rst p ]_(rst!p, rtrner send!p, caller rcv!p)
+ \<and> WF(RPCNext send rcv rst p)_(rst!p, rtrner send!p, caller rcv!p)"
- RPCISpec_def: "RPCISpec send rcv rst == TEMP (ALL p. RPCIPSpec send rcv rst p)"
+ RPCISpec_def: "RPCISpec send rcv rst == TEMP (\<forall>p. RPCIPSpec send rcv rst p)"
lemmas RPC_action_defs =
@@ -81,33 +81,33 @@
unanswered call for that process.
*)
-lemma RPCidle: "|- ~$(Calling send p) --> ~RPCNext send rcv rst p"
+lemma RPCidle: "\<turnstile> \<not>$(Calling send p) \<longrightarrow> \<not>RPCNext send rcv rst p"
by (auto simp: Return_def RPC_action_defs)
-lemma RPCbusy: "|- $(Calling rcv p) & $(rst!p) = #rpcB --> ~RPCNext send rcv rst p"
+lemma RPCbusy: "\<turnstile> $(Calling rcv p) \<and> $(rst!p) = #rpcB \<longrightarrow> \<not>RPCNext send rcv rst p"
by (auto simp: RPC_action_defs)
(* RPC failure actions are visible. *)
-lemma RPCFail_vis: "|- RPCFail send rcv rst p -->
+lemma RPCFail_vis: "\<turnstile> RPCFail send rcv rst p \<longrightarrow>
<RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p)"
by (auto dest!: Return_changed [temp_use] simp: angle_def RPCNext_def RPCFail_def)
-lemma RPCFail_Next_enabled: "|- Enabled (RPCFail send rcv rst p) -->
+lemma RPCFail_Next_enabled: "\<turnstile> Enabled (RPCFail send rcv rst p) \<longrightarrow>
Enabled (<RPCNext send rcv rst p>_(rst!p, rtrner send!p, caller rcv!p))"
by (force elim!: enabled_mono [temp_use] RPCFail_vis [temp_use])
(* Enabledness of some actions *)
-lemma RPCFail_enabled: "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==>
- |- ~Calling rcv p & Calling send p --> Enabled (RPCFail send rcv rst p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
+lemma RPCFail_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) \<Longrightarrow>
+ \<turnstile> \<not>Calling rcv p \<and> Calling send p \<longrightarrow> Enabled (RPCFail send rcv rst p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCFail_def},
@{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
- [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
+ [@{thm base_enabled}, @{thm Pair_inject}] 1\<close>)
-lemma RPCReply_enabled: "!!p. basevars (rtrner send!p, caller rcv!p, rst!p) ==>
- |- ~Calling rcv p & Calling send p & rst!p = #rpcB
- --> Enabled (RPCReply send rcv rst p)"
- by (tactic {* action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
+lemma RPCReply_enabled: "\<And>p. basevars (rtrner send!p, caller rcv!p, rst!p) \<Longrightarrow>
+ \<turnstile> \<not>Calling rcv p \<and> Calling send p \<and> rst!p = #rpcB
+ \<longrightarrow> Enabled (RPCReply send rcv rst p)"
+ by (tactic \<open>action_simp_tac (@{context} addsimps [@{thm RPCReply_def},
@{thm Return_def}, @{thm caller_def}, @{thm rtrner_def}]) [exI]
- [@{thm base_enabled}, @{thm Pair_inject}] 1 *})
+ [@{thm base_enabled}, @{thm Pair_inject}] 1\<close>)
end
--- a/src/HOL/TLA/Memory/RPCMemoryParams.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/RPCMemoryParams.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* Basic declarations for the RPC-memory example *}
+section \<open>Basic declarations for the RPC-memory example\<close>
theory RPCMemoryParams
imports Main
--- a/src/HOL/TLA/Memory/RPCParameters.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Memory/RPCParameters.thy Fri Jun 26 18:51:39 2015 +0200
@@ -2,7 +2,7 @@
Author: Stephan Merz, University of Munich
*)
-section {* RPC-Memory example: RPC parameters *}
+section \<open>RPC-Memory example: RPC parameters\<close>
theory RPCParameters
imports MemoryParameters
@@ -25,23 +25,23 @@
is legal for the receiver (i.e., the memory). This can now be a little
simpler than for the generic RPC component. RelayArg returns an arbitrary
memory call for illegal arguments. *)
- IsLegalRcvArg :: "rpcOp => bool"
- RPCRelayArg :: "rpcOp => memOp"
+ IsLegalRcvArg :: "rpcOp \<Rightarrow> bool"
+ RPCRelayArg :: "rpcOp \<Rightarrow> memOp"
axiomatization where
(* RPCFailure is different from MemVals and exceptions *)
- RFNoMemVal: "RPCFailure ~: MemVal" and
- NotAResultNotRF: "NotAResult ~= RPCFailure" and
- OKNotRF: "OK ~= RPCFailure" and
- BANotRF: "BadArg ~= RPCFailure"
+ RFNoMemVal: "RPCFailure \<notin> MemVal" and
+ NotAResultNotRF: "NotAResult \<noteq> RPCFailure" and
+ OKNotRF: "OK \<noteq> RPCFailure" and
+ BANotRF: "BadArg \<noteq> RPCFailure"
defs
IsLegalRcvArg_def: "IsLegalRcvArg ra ==
- case ra of (memcall m) => True
- | (othercall v) => False"
+ case ra of (memcall m) \<Rightarrow> True
+ | (othercall v) \<Rightarrow> False"
RPCRelayArg_def: "RPCRelayArg ra ==
- case ra of (memcall m) => m
- | (othercall v) => undefined"
+ case ra of (memcall m) \<Rightarrow> m
+ | (othercall v) \<Rightarrow> undefined"
lemmas [simp] = RFNoMemVal NotAResultNotRF OKNotRF BANotRF
NotAResultNotRF [symmetric] OKNotRF [symmetric] BANotRF [symmetric]
--- a/src/HOL/TLA/Stfun.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/Stfun.thy Fri Jun 26 18:51:39 2015 +0200
@@ -3,7 +3,7 @@
Copyright: 1998 University of Munich
*)
-section {* States and state functions for TLA as an "intensional" logic *}
+section \<open>States and state functions for TLA as an "intensional" logic\<close>
theory Stfun
imports Intensional
@@ -12,7 +12,7 @@
typedecl state
instance state :: world ..
-type_synonym 'a stfun = "state => 'a"
+type_synonym 'a stfun = "state \<Rightarrow> 'a"
type_synonym stpred = "bool stfun"
@@ -30,14 +30,14 @@
identifies (tuples of) "base" state variables in a specification via the
"meta predicate" basevars, which is defined here.
*)
- stvars :: "'a stfun => bool"
+ stvars :: "'a stfun \<Rightarrow> bool"
syntax
- "_PRED" :: "lift => 'a" ("PRED _")
- "_stvars" :: "lift => bool" ("basevars _")
+ "_PRED" :: "lift \<Rightarrow> 'a" ("PRED _")
+ "_stvars" :: "lift \<Rightarrow> bool" ("basevars _")
translations
- "PRED P" => "(P::state => _)"
+ "PRED P" => "(P::state \<Rightarrow> _)"
"_stvars" == "CONST stvars"
defs
@@ -50,31 +50,31 @@
basevars_def: "stvars vs == range vs = UNIV"
-lemma basevars: "!!vs. basevars vs ==> EX u. vs u = c"
+lemma basevars: "\<And>vs. basevars vs \<Longrightarrow> \<exists>u. vs u = c"
apply (unfold basevars_def)
apply (rule_tac b = c and f = vs in rangeE)
apply auto
done
-lemma base_pair1: "!!x y. basevars (x,y) ==> basevars x"
+lemma base_pair1: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars x"
apply (simp (no_asm) add: basevars_def)
apply (rule equalityI)
apply (rule subset_UNIV)
apply (rule subsetI)
- apply (drule_tac c = "(xa, arbitrary) " in basevars)
+ apply (drule_tac c = "(xa, _) " in basevars)
apply auto
done
-lemma base_pair2: "!!x y. basevars (x,y) ==> basevars y"
+lemma base_pair2: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars y"
apply (simp (no_asm) add: basevars_def)
apply (rule equalityI)
apply (rule subset_UNIV)
apply (rule subsetI)
- apply (drule_tac c = "(arbitrary, xa) " in basevars)
+ apply (drule_tac c = "(_, xa) " in basevars)
apply auto
done
-lemma base_pair: "!!x y. basevars (x,y) ==> basevars x & basevars y"
+lemma base_pair: "\<And>x y. basevars (x,y) \<Longrightarrow> basevars x & basevars y"
apply (rule conjI)
apply (erule base_pair1)
apply (erule base_pair2)
@@ -89,7 +89,7 @@
apply auto
done
-lemma baseE: "[| basevars v; !!x. v x = c ==> Q |] ==> Q"
+lemma baseE: "\<lbrakk> basevars v; \<And>x. v x = c \<Longrightarrow> Q \<rbrakk> \<Longrightarrow> Q"
apply (erule basevars [THEN exE])
apply blast
done
@@ -99,7 +99,7 @@
The following shows that there should not be duplicates in a "stvars" tuple:
*)
-lemma "!!v. basevars (v::bool stfun, v) ==> False"
+lemma "\<And>v. basevars (v::bool stfun, v) \<Longrightarrow> False"
apply (erule baseE)
apply (subgoal_tac "(LIFT (v,v)) x = (True, False)")
prefer 2
--- a/src/HOL/TLA/TLA.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/TLA/TLA.thy Fri Jun 26 18:51:39 2015 +0200
@@ -3,7 +3,7 @@
Copyright: 1998 University of Munich
*)
-section {* The temporal level of TLA *}
+section \<open>The temporal level of TLA\<close>
theory TLA
imports Init
@@ -11,28 +11,28 @@
consts
(** abstract syntax **)
- Box :: "('w::world) form => temporal"
- Dmd :: "('w::world) form => temporal"
- leadsto :: "['w::world form, 'v::world form] => temporal"
- Stable :: "stpred => temporal"
- WF :: "[action, 'a stfun] => temporal"
- SF :: "[action, 'a stfun] => temporal"
+ Box :: "('w::world) form \<Rightarrow> temporal"
+ Dmd :: "('w::world) form \<Rightarrow> temporal"
+ leadsto :: "['w::world form, 'v::world form] \<Rightarrow> temporal"
+ Stable :: "stpred \<Rightarrow> temporal"
+ WF :: "[action, 'a stfun] \<Rightarrow> temporal"
+ SF :: "[action, 'a stfun] \<Rightarrow> temporal"
(* Quantification over (flexible) state variables *)
- EEx :: "('a stfun => temporal) => temporal" (binder "Eex " 10)
- AAll :: "('a stfun => temporal) => temporal" (binder "Aall " 10)
+ EEx :: "('a stfun \<Rightarrow> temporal) \<Rightarrow> temporal" (binder "Eex " 10)
+ AAll :: "('a stfun \<Rightarrow> temporal) \<Rightarrow> temporal" (binder "Aall " 10)
(** concrete syntax **)
syntax
- "_Box" :: "lift => lift" ("([]_)" [40] 40)
- "_Dmd" :: "lift => lift" ("(<>_)" [40] 40)
- "_leadsto" :: "[lift,lift] => lift" ("(_ ~> _)" [23,22] 22)
- "_stable" :: "lift => lift" ("(stable/ _)")
- "_WF" :: "[lift,lift] => lift" ("(WF'(_')'_(_))" [0,60] 55)
- "_SF" :: "[lift,lift] => lift" ("(SF'(_')'_(_))" [0,60] 55)
+ "_Box" :: "lift \<Rightarrow> lift" ("(\<box>_)" [40] 40)
+ "_Dmd" :: "lift \<Rightarrow> lift" ("(\<diamond>_)" [40] 40)
+ "_leadsto" :: "[lift,lift] \<Rightarrow> lift" ("(_ \<leadsto> _)" [23,22] 22)
+ "_stable" :: "lift \<Rightarrow> lift" ("(stable/ _)")
+ "_WF" :: "[lift,lift] \<Rightarrow> lift" ("(WF'(_')'_(_))" [0,60] 55)
+ "_SF" :: "[lift,lift] \<Rightarrow> lift" ("(SF'(_')'_(_))" [0,60] 55)
- "_EEx" :: "[idts, lift] => lift" ("(3EEX _./ _)" [0,10] 10)
- "_AAll" :: "[idts, lift] => lift" ("(3AALL _./ _)" [0,10] 10)
+ "_EEx" :: "[idts, lift] \<Rightarrow> lift" ("(3\<exists>\<exists> _./ _)" [0,10] 10)
+ "_AAll" :: "[idts, lift] \<Rightarrow> lift" ("(3\<forall>\<forall> _./ _)" [0,10] 10)
translations
"_Box" == "CONST Box"
@@ -44,76 +44,65 @@
"_EEx v A" == "Eex v. A"
"_AAll v A" == "Aall v. A"
- "sigma |= []F" <= "_Box F sigma"
- "sigma |= <>F" <= "_Dmd F sigma"
- "sigma |= F ~> G" <= "_leadsto F G sigma"
- "sigma |= stable P" <= "_stable P sigma"
- "sigma |= WF(A)_v" <= "_WF A v sigma"
- "sigma |= SF(A)_v" <= "_SF A v sigma"
- "sigma |= EEX x. F" <= "_EEx x F sigma"
- "sigma |= AALL x. F" <= "_AAll x F sigma"
-
-syntax (xsymbols)
- "_Box" :: "lift => lift" ("(\<box>_)" [40] 40)
- "_Dmd" :: "lift => lift" ("(\<diamond>_)" [40] 40)
- "_leadsto" :: "[lift,lift] => lift" ("(_ \<leadsto> _)" [23,22] 22)
- "_EEx" :: "[idts, lift] => lift" ("(3\<exists>\<exists> _./ _)" [0,10] 10)
- "_AAll" :: "[idts, lift] => lift" ("(3\<forall>\<forall> _./ _)" [0,10] 10)
-
-syntax (HTML output)
- "_EEx" :: "[idts, lift] => lift" ("(3\<exists>\<exists> _./ _)" [0,10] 10)
- "_AAll" :: "[idts, lift] => lift" ("(3\<forall>\<forall> _./ _)" [0,10] 10)
+ "sigma \<Turnstile> \<box>F" <= "_Box F sigma"
+ "sigma \<Turnstile> \<diamond>F" <= "_Dmd F sigma"
+ "sigma \<Turnstile> F \<leadsto> G" <= "_leadsto F G sigma"
+ "sigma \<Turnstile> stable P" <= "_stable P sigma"
+ "sigma \<Turnstile> WF(A)_v" <= "_WF A v sigma"
+ "sigma \<Turnstile> SF(A)_v" <= "_SF A v sigma"
+ "sigma \<Turnstile> \<exists>\<exists>x. F" <= "_EEx x F sigma"
+ "sigma \<Turnstile> \<forall>\<forall>x. F" <= "_AAll x F sigma"
axiomatization where
(* Definitions of derived operators *)
- dmd_def: "\<And>F. TEMP <>F == TEMP ~[]~F"
+ dmd_def: "\<And>F. TEMP \<diamond>F == TEMP \<not>\<box>\<not>F"
axiomatization where
- boxInit: "\<And>F. TEMP []F == TEMP []Init F" and
- leadsto_def: "\<And>F G. TEMP F ~> G == TEMP [](Init F --> <>G)" and
- stable_def: "\<And>P. TEMP stable P == TEMP []($P --> P$)" and
- WF_def: "TEMP WF(A)_v == TEMP <>[] Enabled(<A>_v) --> []<><A>_v" and
- SF_def: "TEMP SF(A)_v == TEMP []<> Enabled(<A>_v) --> []<><A>_v" and
- aall_def: "TEMP (AALL x. F x) == TEMP ~ (EEX x. ~ F x)"
+ boxInit: "\<And>F. TEMP \<box>F == TEMP \<box>Init F" and
+ leadsto_def: "\<And>F G. TEMP F \<leadsto> G == TEMP \<box>(Init F \<longrightarrow> \<diamond>G)" and
+ stable_def: "\<And>P. TEMP stable P == TEMP \<box>($P \<longrightarrow> P$)" and
+ WF_def: "TEMP WF(A)_v == TEMP \<diamond>\<box> Enabled(<A>_v) \<longrightarrow> \<box>\<diamond><A>_v" and
+ SF_def: "TEMP SF(A)_v == TEMP \<box>\<diamond> Enabled(<A>_v) \<longrightarrow> \<box>\<diamond><A>_v" and
+ aall_def: "TEMP (\<forall>\<forall>x. F x) == TEMP \<not> (\<exists>\<exists>x. \<not> F x)"
axiomatization where
(* Base axioms for raw TLA. *)
- normalT: "\<And>F G. |- [](F --> G) --> ([]F --> []G)" and (* polymorphic *)
- reflT: "\<And>F. |- []F --> F" and (* F::temporal *)
- transT: "\<And>F. |- []F --> [][]F" and (* polymorphic *)
- linT: "\<And>F G. |- <>F & <>G --> (<>(F & <>G)) | (<>(G & <>F))" and
- discT: "\<And>F. |- [](F --> <>(~F & <>F)) --> (F --> []<>F)" and
- primeI: "\<And>P. |- []P --> Init P`" and
- primeE: "\<And>P F. |- [](Init P --> []F) --> Init P` --> (F --> []F)" and
- indT: "\<And>P F. |- [](Init P & ~[]F --> Init P` & F) --> Init P --> []F" and
- allT: "\<And>F. |- (ALL x. [](F x)) = ([](ALL x. F x))"
+ normalT: "\<And>F G. \<turnstile> \<box>(F \<longrightarrow> G) \<longrightarrow> (\<box>F \<longrightarrow> \<box>G)" and (* polymorphic *)
+ reflT: "\<And>F. \<turnstile> \<box>F \<longrightarrow> F" and (* F::temporal *)
+ transT: "\<And>F. \<turnstile> \<box>F \<longrightarrow> \<box>\<box>F" and (* polymorphic *)
+ linT: "\<And>F G. \<turnstile> \<diamond>F \<and> \<diamond>G \<longrightarrow> (\<diamond>(F \<and> \<diamond>G)) \<or> (\<diamond>(G \<and> \<diamond>F))" and
+ discT: "\<And>F. \<turnstile> \<box>(F \<longrightarrow> \<diamond>(\<not>F \<and> \<diamond>F)) \<longrightarrow> (F \<longrightarrow> \<box>\<diamond>F)" and
+ primeI: "\<And>P. \<turnstile> \<box>P \<longrightarrow> Init P`" and
+ primeE: "\<And>P F. \<turnstile> \<box>(Init P \<longrightarrow> \<box>F) \<longrightarrow> Init P` \<longrightarrow> (F \<longrightarrow> \<box>F)" and
+ indT: "\<And>P F. \<turnstile> \<box>(Init P \<and> \<not>\<box>F \<longrightarrow> Init P` \<and> F) \<longrightarrow> Init P \<longrightarrow> \<box>F" and
+ allT: "\<And>F. \<turnstile> (\<forall>x. \<box>(F x)) = (\<box>(\<forall> x. F x))"
axiomatization where
- necT: "\<And>F. |- F ==> |- []F" (* polymorphic *)
+ necT: "\<And>F. \<turnstile> F \<Longrightarrow> \<turnstile> \<box>F" (* polymorphic *)
axiomatization where
(* Flexible quantification: refinement mappings, history variables *)
- eexI: "|- F x --> (EEX x. F x)" and
- eexE: "[| sigma |= (EEX x. F x); basevars vs;
- (!!x. [| basevars (x, vs); sigma |= F x |] ==> (G sigma)::bool)
- |] ==> G sigma" and
- history: "|- EEX h. Init(h = ha) & [](!x. $h = #x --> h` = hb x)"
+ eexI: "\<turnstile> F x \<longrightarrow> (\<exists>\<exists>x. F x)" and
+ eexE: "\<lbrakk> sigma \<Turnstile> (\<exists>\<exists>x. F x); basevars vs;
+ (\<And>x. \<lbrakk> basevars (x, vs); sigma \<Turnstile> F x \<rbrakk> \<Longrightarrow> (G sigma)::bool)
+ \<rbrakk> \<Longrightarrow> G sigma" and
+ history: "\<turnstile> \<exists>\<exists>h. Init(h = ha) \<and> \<box>(\<forall>x. $h = #x \<longrightarrow> h` = hb x)"
(* Specialize intensional introduction/elimination rules for temporal formulas *)
-lemma tempI [intro!]: "(!!sigma. sigma |= (F::temporal)) ==> |- F"
+lemma tempI [intro!]: "(\<And>sigma. sigma \<Turnstile> (F::temporal)) \<Longrightarrow> \<turnstile> F"
apply (rule intI)
apply (erule meta_spec)
done
-lemma tempD [dest]: "|- (F::temporal) ==> sigma |= F"
+lemma tempD [dest]: "\<turnstile> (F::temporal) \<Longrightarrow> sigma \<Turnstile> F"
by (erule intD)
(* ======== Functions to "unlift" temporal theorems ====== *)
-ML {*
+ML \<open>
(* The following functions are specialized versions of the corresponding
functions defined in theory Intensional in that they introduce a
"world" parameter of type "behavior".
@@ -122,7 +111,7 @@
(rewrite_rule ctxt @{thms action_rews} (th RS @{thm tempD}))
handle THM _ => action_unlift ctxt th;
-(* Turn |- F = G into meta-level rewrite rule F == G *)
+(* Turn \<turnstile> F = G into meta-level rewrite rule F == G *)
val temp_rewrite = int_rewrite
fun temp_use ctxt th =
@@ -132,33 +121,33 @@
| _ => th;
fun try_rewrite ctxt th = temp_rewrite ctxt th handle THM _ => temp_use ctxt th;
-*}
+\<close>
attribute_setup temp_unlift =
- {* Scan.succeed (Thm.rule_attribute (temp_unlift o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (temp_unlift o Context.proof_of))\<close>
attribute_setup temp_rewrite =
- {* Scan.succeed (Thm.rule_attribute (temp_rewrite o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (temp_rewrite o Context.proof_of))\<close>
attribute_setup temp_use =
- {* Scan.succeed (Thm.rule_attribute (temp_use o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (temp_use o Context.proof_of))\<close>
attribute_setup try_rewrite =
- {* Scan.succeed (Thm.rule_attribute (try_rewrite o Context.proof_of)) *}
+ \<open>Scan.succeed (Thm.rule_attribute (try_rewrite o Context.proof_of))\<close>
(* ------------------------------------------------------------------------- *)
-(*** "Simple temporal logic": only [] and <> ***)
+(*** "Simple temporal logic": only \<box> and \<diamond> ***)
(* ------------------------------------------------------------------------- *)
section "Simple temporal logic"
-(* []~F == []~Init F *)
-lemmas boxNotInit = boxInit [of "LIFT ~F", unfolded Init_simps] for F
+(* \<box>\<not>F == \<box>\<not>Init F *)
+lemmas boxNotInit = boxInit [of "LIFT \<not>F", unfolded Init_simps] for F
-lemma dmdInit: "TEMP <>F == TEMP <> Init F"
+lemma dmdInit: "TEMP \<diamond>F == TEMP \<diamond> Init F"
apply (unfold dmd_def)
- apply (unfold boxInit [of "LIFT ~F"])
+ apply (unfold boxInit [of "LIFT \<not>F"])
apply (simp (no_asm) add: Init_simps)
done
-lemmas dmdNotInit = dmdInit [of "LIFT ~F", unfolded Init_simps] for F
+lemmas dmdNotInit = dmdInit [of "LIFT \<not>F", unfolded Init_simps] for F
(* boxInit and dmdInit cannot be used as rewrites, because they loop.
Non-looping instances for state predicates and actions are occasionally useful.
@@ -180,21 +169,21 @@
lemmas STL2 = reflT
(* The "polymorphic" (generic) variant *)
-lemma STL2_gen: "|- []F --> Init F"
+lemma STL2_gen: "\<turnstile> \<box>F \<longrightarrow> Init F"
apply (unfold boxInit [of F])
apply (rule STL2)
done
-(* see also STL2_pr below: "|- []P --> Init P & Init (P`)" *)
+(* see also STL2_pr below: "\<turnstile> \<box>P \<longrightarrow> Init P & Init (P`)" *)
-(* Dual versions for <> *)
-lemma InitDmd: "|- F --> <> F"
+(* Dual versions for \<diamond> *)
+lemma InitDmd: "\<turnstile> F \<longrightarrow> \<diamond> F"
apply (unfold dmd_def)
apply (auto dest!: STL2 [temp_use])
done
-lemma InitDmd_gen: "|- Init F --> <>F"
+lemma InitDmd_gen: "\<turnstile> Init F \<longrightarrow> \<diamond>F"
apply clarsimp
apply (drule InitDmd [temp_use])
apply (simp add: dmdInitD)
@@ -202,17 +191,17 @@
(* ------------------------ STL3 ------------------------------------------- *)
-lemma STL3: "|- ([][]F) = ([]F)"
+lemma STL3: "\<turnstile> (\<box>\<box>F) = (\<box>F)"
by (auto elim: transT [temp_use] STL2 [temp_use])
(* corresponding elimination rule introduces double boxes:
- [| (sigma |= []F); (sigma |= [][]F) ==> PROP W |] ==> PROP W
+ \<lbrakk> (sigma \<Turnstile> \<box>F); (sigma \<Turnstile> \<box>\<box>F) \<Longrightarrow> PROP W \<rbrakk> \<Longrightarrow> PROP W
*)
lemmas dup_boxE = STL3 [temp_unlift, THEN iffD2, elim_format]
lemmas dup_boxD = STL3 [temp_unlift, THEN iffD1]
-(* dual versions for <> *)
-lemma DmdDmd: "|- (<><>F) = (<>F)"
+(* dual versions for \<diamond> *)
+lemma DmdDmd: "\<turnstile> (\<diamond>\<diamond>F) = (\<diamond>F)"
by (auto simp add: dmd_def [try_rewrite] STL3 [try_rewrite])
lemmas dup_dmdE = DmdDmd [temp_unlift, THEN iffD2, elim_format]
@@ -221,8 +210,8 @@
(* ------------------------ STL4 ------------------------------------------- *)
lemma STL4:
- assumes "|- F --> G"
- shows "|- []F --> []G"
+ assumes "\<turnstile> F \<longrightarrow> G"
+ shows "\<turnstile> \<box>F \<longrightarrow> \<box>G"
apply clarsimp
apply (rule normalT [temp_use])
apply (rule assms [THEN necT, temp_use])
@@ -230,38 +219,38 @@
done
(* Unlifted version as an elimination rule *)
-lemma STL4E: "[| sigma |= []F; |- F --> G |] ==> sigma |= []G"
+lemma STL4E: "\<lbrakk> sigma \<Turnstile> \<box>F; \<turnstile> F \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
by (erule (1) STL4 [temp_use])
-lemma STL4_gen: "|- Init F --> Init G ==> |- []F --> []G"
+lemma STL4_gen: "\<turnstile> Init F \<longrightarrow> Init G \<Longrightarrow> \<turnstile> \<box>F \<longrightarrow> \<box>G"
apply (drule STL4)
apply (simp add: boxInitD)
done
-lemma STL4E_gen: "[| sigma |= []F; |- Init F --> Init G |] ==> sigma |= []G"
+lemma STL4E_gen: "\<lbrakk> sigma \<Turnstile> \<box>F; \<turnstile> Init F \<longrightarrow> Init G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
by (erule (1) STL4_gen [temp_use])
(* see also STL4Edup below, which allows an auxiliary boxed formula:
- []A /\ F => G
+ \<box>A /\ F => G
-----------------
- []A /\ []F => []G
+ \<box>A /\ \<box>F => \<box>G
*)
-(* The dual versions for <> *)
+(* The dual versions for \<diamond> *)
lemma DmdImpl:
- assumes prem: "|- F --> G"
- shows "|- <>F --> <>G"
+ assumes prem: "\<turnstile> F \<longrightarrow> G"
+ shows "\<turnstile> \<diamond>F \<longrightarrow> \<diamond>G"
apply (unfold dmd_def)
apply (fastforce intro!: prem [temp_use] elim!: STL4E [temp_use])
done
-lemma DmdImplE: "[| sigma |= <>F; |- F --> G |] ==> sigma |= <>G"
+lemma DmdImplE: "\<lbrakk> sigma \<Turnstile> \<diamond>F; \<turnstile> F \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<diamond>G"
by (erule (1) DmdImpl [temp_use])
(* ------------------------ STL5 ------------------------------------------- *)
-lemma STL5: "|- ([]F & []G) = ([](F & G))"
+lemma STL5: "\<turnstile> (\<box>F \<and> \<box>G) = (\<box>(F \<and> G))"
apply auto
- apply (subgoal_tac "sigma |= [] (G --> (F & G))")
+ apply (subgoal_tac "sigma \<Turnstile> \<box> (G \<longrightarrow> (F \<and> G))")
apply (erule normalT [temp_use])
apply (fastforce elim!: STL4E [temp_use])+
done
@@ -275,9 +264,9 @@
Use "addSE2" etc. if you want to add this to a claset, otherwise it will loop!
*)
lemma box_conjE:
- assumes "sigma |= []F"
- and "sigma |= []G"
- and "sigma |= [](F&G) ==> PROP R"
+ assumes "sigma \<Turnstile> \<box>F"
+ and "sigma \<Turnstile> \<box>G"
+ and "sigma \<Turnstile> \<box>(F\<and>G) \<Longrightarrow> PROP R"
shows "PROP R"
by (rule assms STL5 [temp_unlift, THEN iffD1] conjI)+
@@ -292,9 +281,9 @@
a bit kludgy in order to simulate "double elim-resolution".
*)
-lemma box_thin: "[| sigma |= []F; PROP W |] ==> PROP W" .
+lemma box_thin: "\<lbrakk> sigma \<Turnstile> \<box>F; PROP W \<rbrakk> \<Longrightarrow> PROP W" .
-ML {*
+ML \<open>
fun merge_box_tac i =
REPEAT_DETERM (EVERY [etac @{thm box_conjE} i, atac i, etac @{thm box_thin} i])
@@ -309,37 +298,37 @@
fun merge_act_box_tac ctxt i =
REPEAT_DETERM (EVERY [etac @{thm box_conjE_act} i, atac i,
Rule_Insts.eres_inst_tac ctxt [((("'a", 0), Position.none), "state * state")] [] @{thm box_thin} i])
-*}
+\<close>
-method_setup merge_box = {* Scan.succeed (K (SIMPLE_METHOD' merge_box_tac)) *}
-method_setup merge_temp_box = {* Scan.succeed (SIMPLE_METHOD' o merge_temp_box_tac) *}
-method_setup merge_stp_box = {* Scan.succeed (SIMPLE_METHOD' o merge_stp_box_tac) *}
-method_setup merge_act_box = {* Scan.succeed (SIMPLE_METHOD' o merge_act_box_tac) *}
+method_setup merge_box = \<open>Scan.succeed (K (SIMPLE_METHOD' merge_box_tac))\<close>
+method_setup merge_temp_box = \<open>Scan.succeed (SIMPLE_METHOD' o merge_temp_box_tac)\<close>
+method_setup merge_stp_box = \<open>Scan.succeed (SIMPLE_METHOD' o merge_stp_box_tac)\<close>
+method_setup merge_act_box = \<open>Scan.succeed (SIMPLE_METHOD' o merge_act_box_tac)\<close>
(* rewrite rule to push universal quantification through box:
- (sigma |= [](! x. F x)) = (! x. (sigma |= []F x))
+ (sigma \<Turnstile> \<box>(\<forall>x. F x)) = (\<forall>x. (sigma \<Turnstile> \<box>F x))
*)
lemmas all_box = allT [temp_unlift, symmetric]
-lemma DmdOr: "|- (<>(F | G)) = (<>F | <>G)"
+lemma DmdOr: "\<turnstile> (\<diamond>(F \<or> G)) = (\<diamond>F \<or> \<diamond>G)"
apply (auto simp add: dmd_def split_box_conj [try_rewrite])
apply (erule contrapos_np, merge_box, fastforce elim!: STL4E [temp_use])+
done
-lemma exT: "|- (EX x. <>(F x)) = (<>(EX x. F x))"
+lemma exT: "\<turnstile> (\<exists>x. \<diamond>(F x)) = (\<diamond>(\<exists>x. F x))"
by (auto simp: dmd_def Not_Rex [try_rewrite] all_box [try_rewrite])
lemmas ex_dmd = exT [temp_unlift, symmetric]
-lemma STL4Edup: "!!sigma. [| sigma |= []A; sigma |= []F; |- F & []A --> G |] ==> sigma |= []G"
+lemma STL4Edup: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<box>A; sigma \<Turnstile> \<box>F; \<turnstile> F \<and> \<box>A \<longrightarrow> G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>G"
apply (erule dup_boxE)
apply merge_box
apply (erule STL4E)
apply assumption
done
-lemma DmdImpl2:
- "!!sigma. [| sigma |= <>F; sigma |= [](F --> G) |] ==> sigma |= <>G"
+lemma DmdImpl2:
+ "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<diamond>F; sigma \<Turnstile> \<box>(F \<longrightarrow> G) \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<diamond>G"
apply (unfold dmd_def)
apply auto
apply (erule notE)
@@ -348,10 +337,10 @@
done
lemma InfImpl:
- assumes 1: "sigma |= []<>F"
- and 2: "sigma |= []G"
- and 3: "|- F & G --> H"
- shows "sigma |= []<>H"
+ assumes 1: "sigma \<Turnstile> \<box>\<diamond>F"
+ and 2: "sigma \<Turnstile> \<box>G"
+ and 3: "\<turnstile> F \<and> G \<longrightarrow> H"
+ shows "sigma \<Turnstile> \<box>\<diamond>H"
apply (insert 1 2)
apply (erule_tac F = G in dup_boxE)
apply merge_box
@@ -360,7 +349,7 @@
(* ------------------------ STL6 ------------------------------------------- *)
(* Used in the proof of STL6, but useful in itself. *)
-lemma BoxDmd: "|- []F & <>G --> <>([]F & G)"
+lemma BoxDmd: "\<turnstile> \<box>F \<and> \<diamond>G \<longrightarrow> \<diamond>(\<box>F \<and> G)"
apply (unfold dmd_def)
apply clarsimp
apply (erule dup_boxE)
@@ -370,14 +359,14 @@
done
(* weaker than BoxDmd, but more polymorphic (and often just right) *)
-lemma BoxDmd_simple: "|- []F & <>G --> <>(F & G)"
+lemma BoxDmd_simple: "\<turnstile> \<box>F \<and> \<diamond>G \<longrightarrow> \<diamond>(F \<and> G)"
apply (unfold dmd_def)
apply clarsimp
apply merge_box
apply (fastforce elim!: notE STL4E [temp_use])
done
-lemma BoxDmd2_simple: "|- []F & <>G --> <>(G & F)"
+lemma BoxDmd2_simple: "\<turnstile> \<box>F \<and> \<diamond>G \<longrightarrow> \<diamond>(G \<and> F)"
apply (unfold dmd_def)
apply clarsimp
apply merge_box
@@ -385,15 +374,15 @@
done
lemma DmdImpldup:
- assumes 1: "sigma |= []A"
- and 2: "sigma |= <>F"
- and 3: "|- []A & F --> G"
- shows "sigma |= <>G"
+ assumes 1: "sigma \<Turnstile> \<box>A"
+ and 2: "sigma \<Turnstile> \<diamond>F"
+ and 3: "\<turnstile> \<box>A \<and> F \<longrightarrow> G"
+ shows "sigma \<Turnstile> \<diamond>G"
apply (rule 2 [THEN 1 [THEN BoxDmd [temp_use]], THEN DmdImplE])
apply (rule 3)
done
-lemma STL6: "|- <>[]F & <>[]G --> <>[](F & G)"
+lemma STL6: "\<turnstile> \<diamond>\<box>F \<and> \<diamond>\<box>G \<longrightarrow> \<diamond>\<box>(F \<and> G)"
apply (auto simp: STL5 [temp_rewrite, symmetric])
apply (drule linT [temp_use])
apply assumption
@@ -414,13 +403,13 @@
(* ------------------------ True / False ----------------------------------------- *)
section "Simplification of constants"
-lemma BoxConst: "|- ([]#P) = #P"
+lemma BoxConst: "\<turnstile> (\<box>#P) = #P"
apply (rule tempI)
apply (cases P)
apply (auto intro!: necT [temp_use] dest: STL2_gen [temp_use] simp: Init_simps)
done
-lemma DmdConst: "|- (<>#P) = #P"
+lemma DmdConst: "\<turnstile> (\<diamond>#P) = #P"
apply (unfold dmd_def)
apply (cases P)
apply (simp_all add: BoxConst [try_rewrite])
@@ -432,23 +421,23 @@
(* ------------------------ Further rewrites ----------------------------------------- *)
section "Further rewrites"
-lemma NotBox: "|- (~[]F) = (<>~F)"
+lemma NotBox: "\<turnstile> (\<not>\<box>F) = (\<diamond>\<not>F)"
by (simp add: dmd_def)
-lemma NotDmd: "|- (~<>F) = ([]~F)"
+lemma NotDmd: "\<turnstile> (\<not>\<diamond>F) = (\<box>\<not>F)"
by (simp add: dmd_def)
(* These are not declared by default, because they could be harmful,
- e.g. []F & ~[]F becomes []F & <>~F !! *)
+ e.g. \<box>F & \<not>\<box>F becomes \<box>F & \<diamond>\<not>F !! *)
lemmas more_temp_simps1 =
STL3 [temp_rewrite] DmdDmd [temp_rewrite] NotBox [temp_rewrite] NotDmd [temp_rewrite]
NotBox [temp_unlift, THEN eq_reflection]
NotDmd [temp_unlift, THEN eq_reflection]
-lemma BoxDmdBox: "|- ([]<>[]F) = (<>[]F)"
+lemma BoxDmdBox: "\<turnstile> (\<box>\<diamond>\<box>F) = (\<diamond>\<box>F)"
apply (auto dest!: STL2 [temp_use])
apply (rule ccontr)
- apply (subgoal_tac "sigma |= <>[][]F & <>[]~[]F")
+ apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>\<box>F \<and> \<diamond>\<box>\<not>\<box>F")
apply (erule thin_rl)
apply auto
apply (drule STL6 [temp_use])
@@ -457,7 +446,7 @@
apply (simp_all add: more_temp_simps1)
done
-lemma DmdBoxDmd: "|- (<>[]<>F) = ([]<>F)"
+lemma DmdBoxDmd: "\<turnstile> (\<diamond>\<box>\<diamond>F) = (\<box>\<diamond>F)"
apply (unfold dmd_def)
apply (auto simp: BoxDmdBox [unfolded dmd_def, try_rewrite])
done
@@ -467,11 +456,11 @@
(* ------------------------ Miscellaneous ----------------------------------- *)
-lemma BoxOr: "!!sigma. [| sigma |= []F | []G |] ==> sigma |= [](F | G)"
+lemma BoxOr: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<box>F \<or> \<box>G \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>(F \<or> G)"
by (fastforce elim!: STL4E [temp_use])
(* "persistently implies infinitely often" *)
-lemma DBImplBD: "|- <>[]F --> []<>F"
+lemma DBImplBD: "\<turnstile> \<diamond>\<box>F \<longrightarrow> \<box>\<diamond>F"
apply clarsimp
apply (rule ccontr)
apply (simp add: more_temp_simps2)
@@ -480,13 +469,13 @@
apply simp
done
-lemma BoxDmdDmdBox: "|- []<>F & <>[]G --> []<>(F & G)"
+lemma BoxDmdDmdBox: "\<turnstile> \<box>\<diamond>F \<and> \<diamond>\<box>G \<longrightarrow> \<box>\<diamond>(F \<and> G)"
apply clarsimp
apply (rule ccontr)
apply (unfold more_temp_simps2)
apply (drule STL6 [temp_use])
apply assumption
- apply (subgoal_tac "sigma |= <>[]~F")
+ apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>\<not>F")
apply (force simp: dmd_def)
apply (fastforce elim: DmdImplE [temp_use] STL4E [temp_use])
done
@@ -498,11 +487,11 @@
section "priming"
(* ------------------------ TLA2 ------------------------------------------- *)
-lemma STL2_pr: "|- []P --> Init P & Init P`"
+lemma STL2_pr: "\<turnstile> \<box>P \<longrightarrow> Init P \<and> Init P`"
by (fastforce intro!: STL2_gen [temp_use] primeI [temp_use])
(* Auxiliary lemma allows priming of boxed actions *)
-lemma BoxPrime: "|- []P --> []($P & P$)"
+lemma BoxPrime: "\<turnstile> \<box>P \<longrightarrow> \<box>($P \<and> P$)"
apply clarsimp
apply (erule dup_boxE)
apply (unfold boxInit_act)
@@ -511,18 +500,18 @@
done
lemma TLA2:
- assumes "|- $P & P$ --> A"
- shows "|- []P --> []A"
+ assumes "\<turnstile> $P \<and> P$ \<longrightarrow> A"
+ shows "\<turnstile> \<box>P \<longrightarrow> \<box>A"
apply clarsimp
apply (drule BoxPrime [temp_use])
apply (auto simp: Init_stp_act_rev [try_rewrite] intro!: assms [temp_use]
elim!: STL4E [temp_use])
done
-lemma TLA2E: "[| sigma |= []P; |- $P & P$ --> A |] ==> sigma |= []A"
+lemma TLA2E: "\<lbrakk> sigma \<Turnstile> \<box>P; \<turnstile> $P \<and> P$ \<longrightarrow> A \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>A"
by (erule (1) TLA2 [temp_use])
-lemma DmdPrime: "|- (<>P`) --> (<>P)"
+lemma DmdPrime: "\<turnstile> (\<diamond>P`) \<longrightarrow> (\<diamond>P)"
apply (unfold dmd_def)
apply (fastforce elim!: TLA2E [temp_use])
done
@@ -533,13 +522,13 @@
section "stable, invariant"
lemma ind_rule:
- "[| sigma |= []H; sigma |= Init P; |- H --> (Init P & ~[]F --> Init(P`) & F) |]
- ==> sigma |= []F"
+ "\<lbrakk> sigma \<Turnstile> \<box>H; sigma \<Turnstile> Init P; \<turnstile> H \<longrightarrow> (Init P \<and> \<not>\<box>F \<longrightarrow> Init(P`) \<and> F) \<rbrakk>
+ \<Longrightarrow> sigma \<Turnstile> \<box>F"
apply (rule indT [temp_use])
apply (erule (2) STL4E)
done
-lemma box_stp_act: "|- ([]$P) = ([]P)"
+lemma box_stp_act: "\<turnstile> (\<box>$P) = (\<box>P)"
by (simp add: boxInit_act Init_simps)
lemmas box_stp_actI = box_stp_act [temp_use, THEN iffD2]
@@ -547,32 +536,32 @@
lemmas more_temp_simps3 = box_stp_act [temp_rewrite] more_temp_simps2
-lemma INV1:
- "|- (Init P) --> (stable P) --> []P"
+lemma INV1:
+ "\<turnstile> (Init P) \<longrightarrow> (stable P) \<longrightarrow> \<box>P"
apply (unfold stable_def boxInit_stp boxInit_act)
apply clarsimp
apply (erule ind_rule)
apply (auto simp: Init_simps elim: ind_rule)
done
-lemma StableT:
- "!!P. |- $P & A --> P` ==> |- []A --> stable P"
+lemma StableT:
+ "\<And>P. \<turnstile> $P \<and> A \<longrightarrow> P` \<Longrightarrow> \<turnstile> \<box>A \<longrightarrow> stable P"
apply (unfold stable_def)
apply (fastforce elim!: STL4E [temp_use])
done
-lemma Stable: "[| sigma |= []A; |- $P & A --> P` |] ==> sigma |= stable P"
+lemma Stable: "\<lbrakk> sigma \<Turnstile> \<box>A; \<turnstile> $P \<and> A \<longrightarrow> P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> stable P"
by (erule (1) StableT [temp_use])
(* Generalization of INV1 *)
-lemma StableBox: "|- (stable P) --> [](Init P --> []P)"
+lemma StableBox: "\<turnstile> (stable P) \<longrightarrow> \<box>(Init P \<longrightarrow> \<box>P)"
apply (unfold stable_def)
apply clarsimp
apply (erule dup_boxE)
apply (force simp: stable_def elim: STL4E [temp_use] INV1 [temp_use])
done
-lemma DmdStable: "|- (stable P) & <>P --> <>[]P"
+lemma DmdStable: "\<turnstile> (stable P) \<and> \<diamond>P \<longrightarrow> \<diamond>\<box>P"
apply clarsimp
apply (rule DmdImpl2)
prefer 2
@@ -582,8 +571,8 @@
(* ---------------- (Semi-)automatic invariant tactics ---------------------- *)
-ML {*
-(* inv_tac reduces goals of the form ... ==> sigma |= []P *)
+ML \<open>
+(* inv_tac reduces goals of the form ... \<Longrightarrow> sigma \<Turnstile> \<box>P *)
fun inv_tac ctxt =
SELECT_GOAL
(EVERY
@@ -593,7 +582,7 @@
TRYALL (etac @{thm Stable})]);
(* auto_inv_tac applies inv_tac and then tries to attack the subgoals
- in simple cases it may be able to handle goals like |- MyProg --> []Inv.
+ in simple cases it may be able to handle goals like \<turnstile> MyProg \<longrightarrow> \<box>Inv.
In these simple cases the simplifier seems to be more useful than the
auto-tactic, which applies too much propositional logic and simplifies
too late.
@@ -603,17 +592,17 @@
(inv_tac ctxt 1 THEN
(TRYALL (action_simp_tac
(ctxt addsimps [@{thm Init_stp}, @{thm Init_act}]) [] [@{thm squareE}])));
-*}
+\<close>
-method_setup invariant = {*
+method_setup invariant = \<open>
Method.sections Clasimp.clasimp_modifiers >> (K (SIMPLE_METHOD' o inv_tac))
-*}
+\<close>
-method_setup auto_invariant = {*
+method_setup auto_invariant = \<open>
Method.sections Clasimp.clasimp_modifiers >> (K (SIMPLE_METHOD' o auto_inv_tac))
-*}
+\<close>
-lemma unless: "|- []($P --> P` | Q`) --> (stable P) | <>Q"
+lemma unless: "\<turnstile> \<box>($P \<longrightarrow> P` \<or> Q`) \<longrightarrow> (stable P) \<or> \<diamond>Q"
apply (unfold dmd_def)
apply (clarsimp dest!: BoxPrime [temp_use])
apply merge_box
@@ -625,29 +614,29 @@
(* --------------------- Recursive expansions --------------------------------------- *)
section "recursive expansions"
-(* Recursive expansions of [] and <> for state predicates *)
-lemma BoxRec: "|- ([]P) = (Init P & []P`)"
+(* Recursive expansions of \<box> and \<diamond> for state predicates *)
+lemma BoxRec: "\<turnstile> (\<box>P) = (Init P \<and> \<box>P`)"
apply (auto intro!: STL2_gen [temp_use])
apply (fastforce elim!: TLA2E [temp_use])
apply (auto simp: stable_def elim!: INV1 [temp_use] STL4E [temp_use])
done
-lemma DmdRec: "|- (<>P) = (Init P | <>P`)"
+lemma DmdRec: "\<turnstile> (\<diamond>P) = (Init P \<or> \<diamond>P`)"
apply (unfold dmd_def BoxRec [temp_rewrite])
apply (auto simp: Init_simps)
done
-lemma DmdRec2: "!!sigma. [| sigma |= <>P; sigma |= []~P` |] ==> sigma |= Init P"
+lemma DmdRec2: "\<And>sigma. \<lbrakk> sigma \<Turnstile> \<diamond>P; sigma \<Turnstile> \<box>\<not>P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> Init P"
apply (force simp: DmdRec [temp_rewrite] dmd_def)
done
-lemma InfinitePrime: "|- ([]<>P) = ([]<>P`)"
+lemma InfinitePrime: "\<turnstile> (\<box>\<diamond>P) = (\<box>\<diamond>P`)"
apply auto
apply (rule classical)
apply (rule DBImplBD [temp_use])
- apply (subgoal_tac "sigma |= <>[]P")
+ apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box>P")
apply (fastforce elim!: DmdImplE [temp_use] TLA2E [temp_use])
- apply (subgoal_tac "sigma |= <>[] (<>P & []~P`)")
+ apply (subgoal_tac "sigma \<Turnstile> \<diamond>\<box> (\<diamond>P \<and> \<box>\<not>P`)")
apply (force simp: boxInit_stp [temp_use]
elim!: DmdImplE [temp_use] STL4E [temp_use] DmdRec2 [temp_use])
apply (force intro!: STL6 [temp_use] simp: more_temp_simps3)
@@ -655,7 +644,7 @@
done
lemma InfiniteEnsures:
- "[| sigma |= []N; sigma |= []<>A; |- A & N --> P` |] ==> sigma |= []<>P"
+ "\<lbrakk> sigma \<Turnstile> \<box>N; sigma \<Turnstile> \<box>\<diamond>A; \<turnstile> A \<and> N \<longrightarrow> P` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>P"
apply (unfold InfinitePrime [temp_rewrite])
apply (rule InfImpl)
apply assumption+
@@ -665,69 +654,69 @@
section "fairness"
(* alternative definitions of fairness *)
-lemma WF_alt: "|- WF(A)_v = ([]<>~Enabled(<A>_v) | []<><A>_v)"
+lemma WF_alt: "\<turnstile> WF(A)_v = (\<box>\<diamond>\<not>Enabled(<A>_v) \<or> \<box>\<diamond><A>_v)"
apply (unfold WF_def dmd_def)
apply fastforce
done
-lemma SF_alt: "|- SF(A)_v = (<>[]~Enabled(<A>_v) | []<><A>_v)"
+lemma SF_alt: "\<turnstile> SF(A)_v = (\<diamond>\<box>\<not>Enabled(<A>_v) \<or> \<box>\<diamond><A>_v)"
apply (unfold SF_def dmd_def)
apply fastforce
done
(* theorems to "box" fairness conditions *)
-lemma BoxWFI: "|- WF(A)_v --> []WF(A)_v"
+lemma BoxWFI: "\<turnstile> WF(A)_v \<longrightarrow> \<box>WF(A)_v"
by (auto simp: WF_alt [try_rewrite] more_temp_simps3 intro!: BoxOr [temp_use])
-lemma WF_Box: "|- ([]WF(A)_v) = WF(A)_v"
+lemma WF_Box: "\<turnstile> (\<box>WF(A)_v) = WF(A)_v"
by (fastforce intro!: BoxWFI [temp_use] dest!: STL2 [temp_use])
-lemma BoxSFI: "|- SF(A)_v --> []SF(A)_v"
+lemma BoxSFI: "\<turnstile> SF(A)_v \<longrightarrow> \<box>SF(A)_v"
by (auto simp: SF_alt [try_rewrite] more_temp_simps3 intro!: BoxOr [temp_use])
-lemma SF_Box: "|- ([]SF(A)_v) = SF(A)_v"
+lemma SF_Box: "\<turnstile> (\<box>SF(A)_v) = SF(A)_v"
by (fastforce intro!: BoxSFI [temp_use] dest!: STL2 [temp_use])
lemmas more_temp_simps = more_temp_simps3 WF_Box [temp_rewrite] SF_Box [temp_rewrite]
-lemma SFImplWF: "|- SF(A)_v --> WF(A)_v"
+lemma SFImplWF: "\<turnstile> SF(A)_v \<longrightarrow> WF(A)_v"
apply (unfold SF_def WF_def)
apply (fastforce dest!: DBImplBD [temp_use])
done
(* A tactic that "boxes" all fairness conditions. Apply more_temp_simps to "unbox". *)
-ML {*
+ML \<open>
fun box_fair_tac ctxt =
SELECT_GOAL (REPEAT (dresolve_tac ctxt [@{thm BoxWFI}, @{thm BoxSFI}] 1))
-*}
+\<close>
(* ------------------------------ leads-to ------------------------------ *)
-section "~>"
+section "\<leadsto>"
-lemma leadsto_init: "|- (Init F) & (F ~> G) --> <>G"
+lemma leadsto_init: "\<turnstile> (Init F) \<and> (F \<leadsto> G) \<longrightarrow> \<diamond>G"
apply (unfold leadsto_def)
apply (auto dest!: STL2 [temp_use])
done
-(* |- F & (F ~> G) --> <>G *)
+(* \<turnstile> F & (F \<leadsto> G) \<longrightarrow> \<diamond>G *)
lemmas leadsto_init_temp = leadsto_init [where 'a = behavior, unfolded Init_simps]
-lemma streett_leadsto: "|- ([]<>Init F --> []<>G) = (<>(F ~> G))"
+lemma streett_leadsto: "\<turnstile> (\<box>\<diamond>Init F \<longrightarrow> \<box>\<diamond>G) = (\<diamond>(F \<leadsto> G))"
apply (unfold leadsto_def)
apply auto
apply (simp add: more_temp_simps)
apply (fastforce elim!: DmdImplE [temp_use] STL4E [temp_use])
apply (fastforce intro!: InitDmd [temp_use] elim!: STL4E [temp_use])
- apply (subgoal_tac "sigma |= []<><>G")
+ apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond>\<diamond>G")
apply (simp add: more_temp_simps)
apply (drule BoxDmdDmdBox [temp_use])
apply assumption
apply (fastforce elim!: DmdImplE [temp_use] STL4E [temp_use])
done
-lemma leadsto_infinite: "|- []<>F & (F ~> G) --> []<>G"
+lemma leadsto_infinite: "\<turnstile> \<box>\<diamond>F \<and> (F \<leadsto> G) \<longrightarrow> \<box>\<diamond>G"
apply clarsimp
apply (erule InitDmd [temp_use, THEN streett_leadsto [temp_unlift, THEN iffD2, THEN mp]])
apply (simp add: dmdInitD)
@@ -736,18 +725,18 @@
(* In particular, strong fairness is a Streett condition. The following
rules are sometimes easier to use than WF2 or SF2 below.
*)
-lemma leadsto_SF: "|- (Enabled(<A>_v) ~> <A>_v) --> SF(A)_v"
+lemma leadsto_SF: "\<turnstile> (Enabled(<A>_v) \<leadsto> <A>_v) \<longrightarrow> SF(A)_v"
apply (unfold SF_def)
apply (clarsimp elim!: leadsto_infinite [temp_use])
done
-lemma leadsto_WF: "|- (Enabled(<A>_v) ~> <A>_v) --> WF(A)_v"
+lemma leadsto_WF: "\<turnstile> (Enabled(<A>_v) \<leadsto> <A>_v) \<longrightarrow> WF(A)_v"
by (clarsimp intro!: SFImplWF [temp_use] leadsto_SF [temp_use])
(* introduce an invariant into the proof of a leadsto assertion.
- []I --> ((P ~> Q) = (P /\ I ~> Q))
+ \<box>I \<longrightarrow> ((P \<leadsto> Q) = (P /\ I \<leadsto> Q))
*)
-lemma INV_leadsto: "|- []I & (P & I ~> Q) --> (P ~> Q)"
+lemma INV_leadsto: "\<turnstile> \<box>I \<and> (P \<and> I \<leadsto> Q) \<longrightarrow> (P \<leadsto> Q)"
apply (unfold leadsto_def)
apply clarsimp
apply (erule STL4Edup)
@@ -755,24 +744,24 @@
apply (auto simp: Init_simps dest!: STL2_gen [temp_use])
done
-lemma leadsto_classical: "|- (Init F & []~G ~> G) --> (F ~> G)"
+lemma leadsto_classical: "\<turnstile> (Init F \<and> \<box>\<not>G \<leadsto> G) \<longrightarrow> (F \<leadsto> G)"
apply (unfold leadsto_def dmd_def)
apply (force simp: Init_simps elim!: STL4E [temp_use])
done
-lemma leadsto_false: "|- (F ~> #False) = ([]~F)"
+lemma leadsto_false: "\<turnstile> (F \<leadsto> #False) = (\<box>\<not>F)"
apply (unfold leadsto_def)
apply (simp add: boxNotInitD)
done
-lemma leadsto_exists: "|- ((EX x. F x) ~> G) = (ALL x. (F x ~> G))"
+lemma leadsto_exists: "\<turnstile> ((\<exists>x. F x) \<leadsto> G) = (\<forall>x. (F x \<leadsto> G))"
apply (unfold leadsto_def)
apply (auto simp: allT [try_rewrite] Init_simps elim!: STL4E [temp_use])
done
(* basic leadsto properties, cf. Unity *)
-lemma ImplLeadsto_gen: "|- [](Init F --> Init G) --> (F ~> G)"
+lemma ImplLeadsto_gen: "\<turnstile> \<box>(Init F \<longrightarrow> Init G) \<longrightarrow> (F \<leadsto> G)"
apply (unfold leadsto_def)
apply (auto intro!: InitDmd_gen [temp_use]
elim!: STL4E_gen [temp_use] simp: Init_simps)
@@ -781,19 +770,19 @@
lemmas ImplLeadsto =
ImplLeadsto_gen [where 'a = behavior and 'b = behavior, unfolded Init_simps]
-lemma ImplLeadsto_simple: "!!F G. |- F --> G ==> |- F ~> G"
+lemma ImplLeadsto_simple: "\<And>F G. \<turnstile> F \<longrightarrow> G \<Longrightarrow> \<turnstile> F \<leadsto> G"
by (auto simp: Init_def intro!: ImplLeadsto_gen [temp_use] necT [temp_use])
lemma EnsuresLeadsto:
- assumes "|- A & $P --> Q`"
- shows "|- []A --> (P ~> Q)"
+ assumes "\<turnstile> A \<and> $P \<longrightarrow> Q`"
+ shows "\<turnstile> \<box>A \<longrightarrow> (P \<leadsto> Q)"
apply (unfold leadsto_def)
apply (clarsimp elim!: INV_leadsto [temp_use])
apply (erule STL4E_gen)
apply (auto simp: Init_defs intro!: PrimeDmd [temp_use] assms [temp_use])
done
-lemma EnsuresLeadsto2: "|- []($P --> Q`) --> (P ~> Q)"
+lemma EnsuresLeadsto2: "\<turnstile> \<box>($P \<longrightarrow> Q`) \<longrightarrow> (P \<leadsto> Q)"
apply (unfold leadsto_def)
apply clarsimp
apply (erule STL4E_gen)
@@ -801,15 +790,15 @@
done
lemma ensures:
- assumes 1: "|- $P & N --> P` | Q`"
- and 2: "|- ($P & N) & A --> Q`"
- shows "|- []N & []([]P --> <>A) --> (P ~> Q)"
+ assumes 1: "\<turnstile> $P \<and> N \<longrightarrow> P` \<or> Q`"
+ and 2: "\<turnstile> ($P \<and> N) \<and> A \<longrightarrow> Q`"
+ shows "\<turnstile> \<box>N \<and> \<box>(\<box>P \<longrightarrow> \<diamond>A) \<longrightarrow> (P \<leadsto> Q)"
apply (unfold leadsto_def)
apply clarsimp
apply (erule STL4Edup)
apply assumption
apply clarsimp
- apply (subgoal_tac "sigmaa |= [] ($P --> P` | Q`) ")
+ apply (subgoal_tac "sigmaa \<Turnstile> \<box>($P \<longrightarrow> P` \<or> Q`) ")
apply (drule unless [temp_use])
apply (clarsimp dest!: INV1 [temp_use])
apply (rule 2 [THEN DmdImpl, temp_use, THEN DmdPrime [temp_use]])
@@ -819,16 +808,16 @@
done
lemma ensures_simple:
- "[| |- $P & N --> P` | Q`;
- |- ($P & N) & A --> Q`
- |] ==> |- []N & []<>A --> (P ~> Q)"
+ "\<lbrakk> \<turnstile> $P \<and> N \<longrightarrow> P` \<or> Q`;
+ \<turnstile> ($P \<and> N) \<and> A \<longrightarrow> Q`
+ \<rbrakk> \<Longrightarrow> \<turnstile> \<box>N \<and> \<box>\<diamond>A \<longrightarrow> (P \<leadsto> Q)"
apply clarsimp
apply (erule (2) ensures [temp_use])
apply (force elim!: STL4E [temp_use])
done
lemma EnsuresInfinite:
- "[| sigma |= []<>P; sigma |= []A; |- A & $P --> Q` |] ==> sigma |= []<>Q"
+ "\<lbrakk> sigma \<Turnstile> \<box>\<diamond>P; sigma \<Turnstile> \<box>A; \<turnstile> A \<and> $P \<longrightarrow> Q` \<rbrakk> \<Longrightarrow> sigma \<Turnstile> \<box>\<diamond>Q"
apply (erule leadsto_infinite [temp_use])
apply (erule EnsuresLeadsto [temp_use])
apply assumption
@@ -838,65 +827,65 @@
(*** Gronning's lattice rules (taken from TLP) ***)
section "Lattice rules"
-lemma LatticeReflexivity: "|- F ~> F"
+lemma LatticeReflexivity: "\<turnstile> F \<leadsto> F"
apply (unfold leadsto_def)
apply (rule necT InitDmd_gen)+
done
-lemma LatticeTransitivity: "|- (G ~> H) & (F ~> G) --> (F ~> H)"
+lemma LatticeTransitivity: "\<turnstile> (G \<leadsto> H) \<and> (F \<leadsto> G) \<longrightarrow> (F \<leadsto> H)"
apply (unfold leadsto_def)
apply clarsimp
- apply (erule dup_boxE) (* [][] (Init G --> H) *)
+ apply (erule dup_boxE) (* \<box>\<box>(Init G \<longrightarrow> H) *)
apply merge_box
apply (clarsimp elim!: STL4E [temp_use])
apply (rule dup_dmdD)
- apply (subgoal_tac "sigmaa |= <>Init G")
+ apply (subgoal_tac "sigmaa \<Turnstile> \<diamond>Init G")
apply (erule DmdImpl2)
apply assumption
apply (simp add: dmdInitD)
done
-lemma LatticeDisjunctionElim1: "|- (F | G ~> H) --> (F ~> H)"
+lemma LatticeDisjunctionElim1: "\<turnstile> (F \<or> G \<leadsto> H) \<longrightarrow> (F \<leadsto> H)"
apply (unfold leadsto_def)
apply (auto simp: Init_simps elim!: STL4E [temp_use])
done
-lemma LatticeDisjunctionElim2: "|- (F | G ~> H) --> (G ~> H)"
+lemma LatticeDisjunctionElim2: "\<turnstile> (F \<or> G \<leadsto> H) \<longrightarrow> (G \<leadsto> H)"
apply (unfold leadsto_def)
apply (auto simp: Init_simps elim!: STL4E [temp_use])
done
-lemma LatticeDisjunctionIntro: "|- (F ~> H) & (G ~> H) --> (F | G ~> H)"
+lemma LatticeDisjunctionIntro: "\<turnstile> (F \<leadsto> H) \<and> (G \<leadsto> H) \<longrightarrow> (F \<or> G \<leadsto> H)"
apply (unfold leadsto_def)
apply clarsimp
apply merge_box
apply (auto simp: Init_simps elim!: STL4E [temp_use])
done
-lemma LatticeDisjunction: "|- (F | G ~> H) = ((F ~> H) & (G ~> H))"
+lemma LatticeDisjunction: "\<turnstile> (F \<or> G \<leadsto> H) = ((F \<leadsto> H) \<and> (G \<leadsto> H))"
by (auto intro: LatticeDisjunctionIntro [temp_use]
LatticeDisjunctionElim1 [temp_use]
LatticeDisjunctionElim2 [temp_use])
-lemma LatticeDiamond: "|- (A ~> B | C) & (B ~> D) & (C ~> D) --> (A ~> D)"
+lemma LatticeDiamond: "\<turnstile> (A \<leadsto> B \<or> C) \<and> (B \<leadsto> D) \<and> (C \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
apply clarsimp
- apply (subgoal_tac "sigma |= (B | C) ~> D")
- apply (erule_tac G = "LIFT (B | C)" in LatticeTransitivity [temp_use])
+ apply (subgoal_tac "sigma \<Turnstile> (B \<or> C) \<leadsto> D")
+ apply (erule_tac G = "LIFT (B \<or> C)" in LatticeTransitivity [temp_use])
apply (fastforce intro!: LatticeDisjunctionIntro [temp_use])+
done
-lemma LatticeTriangle: "|- (A ~> D | B) & (B ~> D) --> (A ~> D)"
+lemma LatticeTriangle: "\<turnstile> (A \<leadsto> D \<or> B) \<and> (B \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
apply clarsimp
- apply (subgoal_tac "sigma |= (D | B) ~> D")
- apply (erule_tac G = "LIFT (D | B)" in LatticeTransitivity [temp_use])
+ apply (subgoal_tac "sigma \<Turnstile> (D \<or> B) \<leadsto> D")
+ apply (erule_tac G = "LIFT (D \<or> B)" in LatticeTransitivity [temp_use])
apply assumption
apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
done
-lemma LatticeTriangle2: "|- (A ~> B | D) & (B ~> D) --> (A ~> D)"
+lemma LatticeTriangle2: "\<turnstile> (A \<leadsto> B \<or> D) \<and> (B \<leadsto> D) \<longrightarrow> (A \<leadsto> D)"
apply clarsimp
- apply (subgoal_tac "sigma |= B | D ~> D")
- apply (erule_tac G = "LIFT (B | D)" in LatticeTransitivity [temp_use])
+ apply (subgoal_tac "sigma \<Turnstile> B \<or> D \<leadsto> D")
+ apply (erule_tac G = "LIFT (B \<or> D)" in LatticeTransitivity [temp_use])
apply assumption
apply (auto intro: LatticeDisjunctionIntro [temp_use] LatticeReflexivity [temp_use])
done
@@ -905,10 +894,10 @@
section "Fairness rules"
lemma WF1:
- "[| |- $P & N --> P` | Q`;
- |- ($P & N) & <A>_v --> Q`;
- |- $P & N --> $(Enabled(<A>_v)) |]
- ==> |- []N & WF(A)_v --> (P ~> Q)"
+ "\<lbrakk> \<turnstile> $P \<and> N \<longrightarrow> P` \<or> Q`;
+ \<turnstile> ($P \<and> N) \<and> <A>_v \<longrightarrow> Q`;
+ \<turnstile> $P \<and> N \<longrightarrow> $(Enabled(<A>_v)) \<rbrakk>
+ \<Longrightarrow> \<turnstile> \<box>N \<and> WF(A)_v \<longrightarrow> (P \<leadsto> Q)"
apply (clarsimp dest!: BoxWFI [temp_use])
apply (erule (2) ensures [temp_use])
apply (erule (1) STL4Edup)
@@ -921,10 +910,10 @@
(* Sometimes easier to use; designed for action B rather than state predicate Q *)
lemma WF_leadsto:
- assumes 1: "|- N & $P --> $Enabled (<A>_v)"
- and 2: "|- N & <A>_v --> B"
- and 3: "|- [](N & [~A]_v) --> stable P"
- shows "|- []N & WF(A)_v --> (P ~> B)"
+ assumes 1: "\<turnstile> N \<and> $P \<longrightarrow> $Enabled (<A>_v)"
+ and 2: "\<turnstile> N \<and> <A>_v \<longrightarrow> B"
+ and 3: "\<turnstile> \<box>(N \<and> [\<not>A]_v) \<longrightarrow> stable P"
+ shows "\<turnstile> \<box>N \<and> WF(A)_v \<longrightarrow> (P \<leadsto> B)"
apply (unfold leadsto_def)
apply (clarsimp dest!: BoxWFI [temp_use])
apply (erule (1) STL4Edup)
@@ -943,10 +932,10 @@
done
lemma SF1:
- "[| |- $P & N --> P` | Q`;
- |- ($P & N) & <A>_v --> Q`;
- |- []P & []N & []F --> <>Enabled(<A>_v) |]
- ==> |- []N & SF(A)_v & []F --> (P ~> Q)"
+ "\<lbrakk> \<turnstile> $P \<and> N \<longrightarrow> P` \<or> Q`;
+ \<turnstile> ($P \<and> N) \<and> <A>_v \<longrightarrow> Q`;
+ \<turnstile> \<box>P \<and> \<box>N \<and> \<box>F \<longrightarrow> \<diamond>Enabled(<A>_v) \<rbrakk>
+ \<Longrightarrow> \<turnstile> \<box>N \<and> SF(A)_v \<and> \<box>F \<longrightarrow> (P \<leadsto> Q)"
apply (clarsimp dest!: BoxSFI [temp_use])
apply (erule (2) ensures [temp_use])
apply (erule_tac F = F in dup_boxE)
@@ -961,11 +950,11 @@
done
lemma WF2:
- assumes 1: "|- N & <B>_f --> <M>_g"
- and 2: "|- $P & P` & <N & A>_f --> B"
- and 3: "|- P & Enabled(<M>_g) --> Enabled(<A>_f)"
- and 4: "|- [](N & [~B]_f) & WF(A)_f & []F & <>[]Enabled(<M>_g) --> <>[]P"
- shows "|- []N & WF(A)_f & []F --> WF(M)_g"
+ assumes 1: "\<turnstile> N \<and> <B>_f \<longrightarrow> <M>_g"
+ and 2: "\<turnstile> $P \<and> P` \<and> <N \<and> A>_f \<longrightarrow> B"
+ and 3: "\<turnstile> P \<and> Enabled(<M>_g) \<longrightarrow> Enabled(<A>_f)"
+ and 4: "\<turnstile> \<box>(N \<and> [\<not>B]_f) \<and> WF(A)_f \<and> \<box>F \<and> \<diamond>\<box>Enabled(<M>_g) \<longrightarrow> \<diamond>\<box>P"
+ shows "\<turnstile> \<box>N \<and> WF(A)_f \<and> \<box>F \<longrightarrow> WF(M)_g"
apply (clarsimp dest!: BoxWFI [temp_use] BoxDmdBox [temp_use, THEN iffD2]
simp: WF_def [where A = M])
apply (erule_tac F = F in dup_boxE)
@@ -974,7 +963,7 @@
apply assumption
apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]])
apply (rule classical)
- apply (subgoal_tac "sigmaa |= <> (($P & P` & N) & <A>_f)")
+ apply (subgoal_tac "sigmaa \<Turnstile> \<diamond> (($P \<and> P` \<and> N) \<and> <A>_f)")
apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use])
apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use])
apply (simp add: NotDmd [temp_use] not_angle [try_rewrite])
@@ -983,10 +972,10 @@
apply assumption+
apply (drule STL6 [temp_use])
apply assumption
- apply (erule_tac V = "sigmaa |= <>[]P" in thin_rl)
- apply (erule_tac V = "sigmaa |= []F" in thin_rl)
+ apply (erule_tac V = "sigmaa \<Turnstile> \<diamond>\<box>P" in thin_rl)
+ apply (erule_tac V = "sigmaa \<Turnstile> \<box>F" in thin_rl)
apply (drule BoxWFI [temp_use])
- apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE)
+ apply (erule_tac F = "ACT N \<and> [\<not>B]_f" in dup_boxE)
apply merge_temp_box
apply (erule DmdImpldup)
apply assumption
@@ -999,30 +988,30 @@
done
lemma SF2:
- assumes 1: "|- N & <B>_f --> <M>_g"
- and 2: "|- $P & P` & <N & A>_f --> B"
- and 3: "|- P & Enabled(<M>_g) --> Enabled(<A>_f)"
- and 4: "|- [](N & [~B]_f) & SF(A)_f & []F & []<>Enabled(<M>_g) --> <>[]P"
- shows "|- []N & SF(A)_f & []F --> SF(M)_g"
+ assumes 1: "\<turnstile> N \<and> <B>_f \<longrightarrow> <M>_g"
+ and 2: "\<turnstile> $P \<and> P` \<and> <N \<and> A>_f \<longrightarrow> B"
+ and 3: "\<turnstile> P \<and> Enabled(<M>_g) \<longrightarrow> Enabled(<A>_f)"
+ and 4: "\<turnstile> \<box>(N \<and> [\<not>B]_f) \<and> SF(A)_f \<and> \<box>F \<and> \<box>\<diamond>Enabled(<M>_g) \<longrightarrow> \<diamond>\<box>P"
+ shows "\<turnstile> \<box>N \<and> SF(A)_f \<and> \<box>F \<longrightarrow> SF(M)_g"
apply (clarsimp dest!: BoxSFI [temp_use] simp: 2 [try_rewrite] SF_def [where A = M])
apply (erule_tac F = F in dup_boxE)
- apply (erule_tac F = "TEMP <>Enabled (<M>_g) " in dup_boxE)
+ apply (erule_tac F = "TEMP \<diamond>Enabled (<M>_g) " in dup_boxE)
apply merge_temp_box
apply (erule STL4Edup)
apply assumption
apply (clarsimp intro!: BoxDmd_simple [temp_use, THEN 1 [THEN DmdImpl, temp_use]])
apply (rule classical)
- apply (subgoal_tac "sigmaa |= <> (($P & P` & N) & <A>_f)")
+ apply (subgoal_tac "sigmaa \<Turnstile> \<diamond> (($P \<and> P` \<and> N) \<and> <A>_f)")
apply (force simp: angle_def intro!: 2 [temp_use] elim!: DmdImplE [temp_use])
apply (rule BoxDmd_simple [THEN DmdImpl, unfolded DmdDmd [temp_rewrite], temp_use])
apply (simp add: NotDmd [temp_use] not_angle [try_rewrite])
apply merge_act_box
apply (frule 4 [temp_use])
apply assumption+
- apply (erule_tac V = "sigmaa |= []F" in thin_rl)
+ apply (erule_tac V = "sigmaa \<Turnstile> \<box>F" in thin_rl)
apply (drule BoxSFI [temp_use])
- apply (erule_tac F = "TEMP <>Enabled (<M>_g)" in dup_boxE)
- apply (erule_tac F = "ACT N & [~B]_f" in dup_boxE)
+ apply (erule_tac F = "TEMP \<diamond>Enabled (<M>_g)" in dup_boxE)
+ apply (erule_tac F = "ACT N \<and> [\<not>B]_f" in dup_boxE)
apply merge_temp_box
apply (erule DmdImpldup)
apply assumption
@@ -1041,22 +1030,22 @@
lemma wf_leadsto:
assumes 1: "wf r"
- and 2: "!!x. sigma |= F x ~> (G | (EX y. #((y,x):r) & F y)) "
- shows "sigma |= F x ~> G"
+ and 2: "\<And>x. sigma \<Turnstile> F x \<leadsto> (G \<or> (\<exists>y. #((y,x)\<in>r) \<and> F y)) "
+ shows "sigma \<Turnstile> F x \<leadsto> G"
apply (rule 1 [THEN wf_induct])
apply (rule LatticeTriangle [temp_use])
apply (rule 2)
apply (auto simp: leadsto_exists [try_rewrite])
- apply (case_tac "(y,x) :r")
+ apply (case_tac "(y,x) \<in> r")
apply force
apply (force simp: leadsto_def Init_simps intro!: necT [temp_use])
done
(* If r is well-founded, state function v cannot decrease forever *)
-lemma wf_not_box_decrease: "!!r. wf r ==> |- [][ (v`, $v) : #r ]_v --> <>[][#False]_v"
+lemma wf_not_box_decrease: "\<And>r. wf r \<Longrightarrow> \<turnstile> \<box>[ (v`, $v) \<in> #r ]_v \<longrightarrow> \<diamond>\<box>[#False]_v"
apply clarsimp
apply (rule ccontr)
- apply (subgoal_tac "sigma |= (EX x. v=#x) ~> #False")
+ apply (subgoal_tac "sigma \<Turnstile> (\<exists>x. v=#x) \<leadsto> #False")
apply (drule leadsto_false [temp_use, THEN iffD1, THEN STL2_gen [temp_use]])
apply (force simp: Init_defs)
apply (clarsimp simp: leadsto_exists [try_rewrite] not_square [try_rewrite] more_temp_simps)
@@ -1065,7 +1054,7 @@
apply (auto simp: square_def angle_def)
done
-(* "wf r ==> |- <>[][ (v`, $v) : #r ]_v --> <>[][#False]_v" *)
+(* "wf r \<Longrightarrow> \<turnstile> \<diamond>\<box>[ (v`, $v) : #r ]_v \<longrightarrow> \<diamond>\<box>[#False]_v" *)
lemmas wf_not_dmd_box_decrease =
wf_not_box_decrease [THEN DmdImpl, unfolded more_temp_simps]
@@ -1074,14 +1063,14 @@
*)
lemma wf_box_dmd_decrease:
assumes 1: "wf r"
- shows "|- []<>((v`, $v) : #r) --> []<><(v`, $v) ~: #r>_v"
+ shows "\<turnstile> \<box>\<diamond>((v`, $v) \<in> #r) \<longrightarrow> \<box>\<diamond><(v`, $v) \<notin> #r>_v"
apply clarsimp
apply (rule ccontr)
apply (simp add: not_angle [try_rewrite] more_temp_simps)
apply (drule 1 [THEN wf_not_dmd_box_decrease [temp_use]])
apply (drule BoxDmdDmdBox [temp_use])
apply assumption
- apply (subgoal_tac "sigma |= []<> ((#False) ::action)")
+ apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond> ((#False) ::action)")
apply force
apply (erule STL4E)
apply (rule DmdImpl)
@@ -1091,9 +1080,9 @@
(* In particular, for natural numbers, if n decreases infinitely often
then it has to increase infinitely often.
*)
-lemma nat_box_dmd_decrease: "!!n::nat stfun. |- []<>(n` < $n) --> []<>($n < n`)"
+lemma nat_box_dmd_decrease: "\<And>n::nat stfun. \<turnstile> \<box>\<diamond>(n` < $n) \<longrightarrow> \<box>\<diamond>($n < n`)"
apply clarsimp
- apply (subgoal_tac "sigma |= []<><~ ((n`,$n) : #less_than) >_n")
+ apply (subgoal_tac "sigma \<Turnstile> \<box>\<diamond><\<not> ((n`,$n) \<in> #less_than)>_n")
apply (erule thin_rl)
apply (erule STL4E)
apply (rule DmdImpl)
@@ -1110,11 +1099,11 @@
lemma aallI:
assumes 1: "basevars vs"
- and 2: "(!!x. basevars (x,vs) ==> sigma |= F x)"
- shows "sigma |= (AALL x. F x)"
+ and 2: "(\<And>x. basevars (x,vs) \<Longrightarrow> sigma \<Turnstile> F x)"
+ shows "sigma \<Turnstile> (\<forall>\<forall>x. F x)"
by (auto simp: aall_def elim!: eexE [temp_use] intro!: 1 dest!: 2 [temp_use])
-lemma aallE: "|- (AALL x. F x) --> F x"
+lemma aallE: "\<turnstile> (\<forall>\<forall>x. F x) \<longrightarrow> F x"
apply (unfold aall_def)
apply clarsimp
apply (erule contrapos_np)
@@ -1123,18 +1112,18 @@
(* monotonicity of quantification *)
lemma eex_mono:
- assumes 1: "sigma |= EEX x. F x"
- and 2: "!!x. sigma |= F x --> G x"
- shows "sigma |= EEX x. G x"
+ assumes 1: "sigma \<Turnstile> \<exists>\<exists>x. F x"
+ and 2: "\<And>x. sigma \<Turnstile> F x \<longrightarrow> G x"
+ shows "sigma \<Turnstile> \<exists>\<exists>x. G x"
apply (rule unit_base [THEN 1 [THEN eexE]])
apply (rule eexI [temp_use])
apply (erule 2 [unfolded intensional_rews, THEN mp])
done
lemma aall_mono:
- assumes 1: "sigma |= AALL x. F(x)"
- and 2: "!!x. sigma |= F(x) --> G(x)"
- shows "sigma |= AALL x. G(x)"
+ assumes 1: "sigma \<Turnstile> \<forall>\<forall>x. F(x)"
+ and 2: "\<And>x. sigma \<Turnstile> F(x) \<longrightarrow> G(x)"
+ shows "sigma \<Turnstile> \<forall>\<forall>x. G(x)"
apply (rule unit_base [THEN aallI])
apply (rule 2 [unfolded intensional_rews, THEN mp])
apply (rule 1 [THEN aallE [temp_use]])
@@ -1142,12 +1131,12 @@
(* Derived history introduction rule *)
lemma historyI:
- assumes 1: "sigma |= Init I"
- and 2: "sigma |= []N"
+ assumes 1: "sigma \<Turnstile> Init I"
+ and 2: "sigma \<Turnstile> \<box>N"
and 3: "basevars vs"
- and 4: "!!h. basevars(h,vs) ==> |- I & h = ha --> HI h"
- and 5: "!!h s t. [| basevars(h,vs); N (s,t); h t = hb (h s) (s,t) |] ==> HN h (s,t)"
- shows "sigma |= EEX h. Init (HI h) & [](HN h)"
+ and 4: "\<And>h. basevars(h,vs) \<Longrightarrow> \<turnstile> I \<and> h = ha \<longrightarrow> HI h"
+ and 5: "\<And>h s t. \<lbrakk> basevars(h,vs); N (s,t); h t = hb (h s) (s,t) \<rbrakk> \<Longrightarrow> HN h (s,t)"
+ shows "sigma \<Turnstile> \<exists>\<exists>h. Init (HI h) \<and> \<box>(HN h)"
apply (rule history [temp_use, THEN eexE])
apply (rule 3)
apply (rule eexI [temp_use])
@@ -1165,7 +1154,7 @@
example of a history variable: existence of a clock
*)
-lemma "|- EEX h. Init(h = #True) & [](h` = (~$h))"
+lemma "\<turnstile> \<exists>\<exists>h. Init(h = #True) \<and> \<box>(h` = (\<not>$h))"
apply (rule tempI)
apply (rule historyI)
apply (force simp: Init_defs intro!: unit_base [temp_use] necT [temp_use])+
--- a/src/HOL/Topological_Spaces.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/Topological_Spaces.thy Fri Jun 26 18:51:39 2015 +0200
@@ -20,7 +20,7 @@
class topological_space = "open" +
assumes open_UNIV [simp, intro]: "open UNIV"
assumes open_Int [intro]: "open S \<Longrightarrow> open T \<Longrightarrow> open (S \<inter> T)"
- assumes open_Union [intro]: "\<forall>S\<in>K. open S \<Longrightarrow> open (\<Union> K)"
+ assumes open_Union [intro]: "\<forall>S\<in>K. open S \<Longrightarrow> open (\<Union>K)"
begin
definition
@@ -66,7 +66,7 @@
lemma closed_INT [continuous_intros, intro]: "\<forall>x\<in>A. closed (B x) \<Longrightarrow> closed (\<Inter>x\<in>A. B x)"
unfolding closed_def by auto
-lemma closed_Inter [continuous_intros, intro]: "\<forall>S\<in>K. closed S \<Longrightarrow> closed (\<Inter> K)"
+lemma closed_Inter [continuous_intros, intro]: "\<forall>S\<in>K. closed S \<Longrightarrow> closed (\<Inter>K)"
unfolding closed_def uminus_Inf by auto
lemma closed_Union [continuous_intros, intro]: "finite S \<Longrightarrow> \<forall>T\<in>S. closed T \<Longrightarrow> closed (\<Union>S)"
@@ -1067,12 +1067,12 @@
by (auto simp: decseq_def)
show "\<And>n. x \<in> (\<Inter>i\<le>n. A i)" "\<And>n. open (\<Inter>i\<le>n. A i)"
using A by auto
- show "nhds x = (INF n. principal (\<Inter> i\<le>n. A i))"
+ show "nhds x = (INF n. principal (\<Inter>i\<le>n. A i))"
using A unfolding nhds_def
apply (intro INF_eq)
apply simp_all
apply force
- apply (intro exI[of _ "\<Inter> i\<le>n. A i" for n] conjI open_INT)
+ apply (intro exI[of _ "\<Inter>i\<le>n. A i" for n] conjI open_INT)
apply auto
done
qed
@@ -1521,7 +1521,7 @@
"compact S \<longleftrightarrow> (\<forall>C. (\<forall>c\<in>C. open c) \<and> S \<subseteq> \<Union>C \<longrightarrow> (\<exists>D\<subseteq>C. finite D \<and> S \<subseteq> \<Union>D))"
lemma compactI:
- assumes "\<And>C. \<forall>t\<in>C. open t \<Longrightarrow> s \<subseteq> \<Union> C \<Longrightarrow> \<exists>C'. C' \<subseteq> C \<and> finite C' \<and> s \<subseteq> \<Union> C'"
+ assumes "\<And>C. \<forall>t\<in>C. open t \<Longrightarrow> s \<subseteq> \<Union>C \<Longrightarrow> \<exists>C'. C' \<subseteq> C \<and> finite C' \<and> s \<subseteq> \<Union>C'"
shows "compact s"
unfolding compact_eq_heine_borel using assms by metis
@@ -1584,8 +1584,8 @@
qed
lemma compact_imp_fip:
- "compact s \<Longrightarrow> \<forall>t \<in> f. closed t \<Longrightarrow> \<forall>f'. finite f' \<and> f' \<subseteq> f \<longrightarrow> (s \<inter> (\<Inter> f') \<noteq> {}) \<Longrightarrow>
- s \<inter> (\<Inter> f) \<noteq> {}"
+ "compact s \<Longrightarrow> \<forall>t \<in> f. closed t \<Longrightarrow> \<forall>f'. finite f' \<and> f' \<subseteq> f \<longrightarrow> (s \<inter> (\<Inter>f') \<noteq> {}) \<Longrightarrow>
+ s \<inter> (\<Inter>f) \<noteq> {}"
unfolding compact_fip by auto
lemma compact_imp_fip_image:
--- a/src/HOL/UNITY/Union.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/UNITY/Union.thy Fri Jun 26 18:51:39 2015 +0200
@@ -47,8 +47,8 @@
"_JOIN1" :: "[pttrns, 'b set] => 'b set" ("(3JN _./ _)" 10)
"_JOIN" :: "[pttrn, 'a set, 'b set] => 'b set" ("(3JN _:_./ _)" 10)
syntax (xsymbols)
- "_JOIN1" :: "[pttrns, 'b set] => 'b set" ("(3\<Squnion> _./ _)" 10)
- "_JOIN" :: "[pttrn, 'a set, 'b set] => 'b set" ("(3\<Squnion> _\<in>_./ _)" 10)
+ "_JOIN1" :: "[pttrns, 'b set] => 'b set" ("(3\<Squnion>_./ _)" 10)
+ "_JOIN" :: "[pttrn, 'a set, 'b set] => 'b set" ("(3\<Squnion>_\<in>_./ _)" 10)
translations
"JN x: A. B" == "CONST JOIN A (%x. B)"
--- a/src/HOL/ZF/Games.thy Fri Jun 26 11:08:33 2015 +0200
+++ b/src/HOL/ZF/Games.thy Fri Jun 26 18:51:39 2015 +0200
@@ -831,10 +831,10 @@
Pg_less_def: "G < H \<longleftrightarrow> G \<le> H \<and> G \<noteq> (H::Pg)"
definition
- Pg_minus_def: "- G = the_elem (\<Union> g \<in> Rep_Pg G. {Abs_Pg (eq_game_rel `` {neg_game g})})"
+ Pg_minus_def: "- G = the_elem (\<Union>g \<in> Rep_Pg G. {Abs_Pg (eq_game_rel `` {neg_game g})})"
definition
- Pg_plus_def: "G + H = the_elem (\<Union> g \<in> Rep_Pg G. \<Union> h \<in> Rep_Pg H. {Abs_Pg (eq_game_rel `` {plus_game g h})})"
+ Pg_plus_def: "G + H = the_elem (\<Union>g \<in> Rep_Pg G. \<Union>h \<in> Rep_Pg H. {Abs_Pg (eq_game_rel `` {plus_game g h})})"
definition
Pg_diff_def: "G - H = G + (- (H::Pg))"