(* Title: ZF/UNITY/Guar.thy 
2 
Author: Sidi O Ehmety, Computer Laboratory 

3 
Copyright 2001 University of Cambridge 

4 

5 
Guarantees, etc. 

6 

7 
From Chandy and Sanders, "Reasoning About Program Composition", 

8 
Technical Report 2000003, University of Florida, 2000. 

9 

10 
Revised by Sidi Ehmety on January 2001 

11 

12 
Added \<in> Compatibility, weakest guarantees, etc. 
11479  13 

14 
and Weakest existential property, 

15 
from Charpentier and Chandy "Theorems about Composition", 

16 
Fifth International Conference on Mathematics of Program, 2000. 

17 

18 
Theory ported from HOL. 

19 
*) 

21 

22 
header{*The ChandySanders Guarantees Operator*} 
23 

16417  24 
theory Guar imports Comp begin 
25 

26 

27 
(* To be moved to theory WFair???? *) 
46823  28 
lemma leadsTo_Basis': "[ F \<in> A co A \<union> B; F \<in> transient(A); st_set(B) ] ==> F \<in> A leadsTo B" 
29 
apply (frule constrainsD2) 
30 
apply (drule_tac B = "AB" in constrains_weaken_L, blast) 
31 
apply (drule_tac B = "AB" in transient_strengthen, blast) 
32 
apply (blast intro: ensuresI [THEN leadsTo_Basis]) 
33 
done 
34 

35 

36 
(*Existential and Universal properties. We formalize the twoprogram 
11479  37 
case, proving equivalence with Chandy and Sanders's nary definitions*) 
38 

24893  39 
definition 
40 
ex_prop :: "i => o" where 

12195  41 
"ex_prop(X) == X<=program & 
46823  42 
(\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X  G \<in> X \<longrightarrow> (F Join G) \<in> X)" 
11479  43 

24893  44 
definition 
45 
strict_ex_prop :: "i => o" where 

12195  46 
"strict_ex_prop(X) == X<=program & 
46823  47 
(\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> (F \<in> X  G \<in> X) \<longleftrightarrow> (F Join G \<in> X))" 
11479  48 

24893  49 
definition 
50 
uv_prop :: "i => o" where 

12195  51 
"uv_prop(X) == X<=program & 
46823  52 
(SKIP \<in> X & (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F \<in> X & G \<in> X \<longrightarrow> (F Join G) \<in> X))" 
11479  53 

24893  54 
definition 
55 
strict_uv_prop :: "i => o" where 

12195  56 
"strict_uv_prop(X) == X<=program & 
46823  57 
(SKIP \<in> X & (\<forall>F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow>(F \<in> X & G \<in> X) \<longleftrightarrow> (F Join G \<in> X)))" 
11479  58 

24893  59 
definition 
60 
guar :: "[i, i] => i" (infixl "guarantees" 55) where 

11479  61 
(*higher than membership, lower than Co*) 
46823  62 
"X guarantees Y == {F \<in> program. \<forall>G \<in> program. F ok G \<longrightarrow> F Join G \<in> X \<longrightarrow> F Join G \<in> Y}" 
11479  63 

24893  64 
definition 
11479  65 
(* Weakest guarantees *) 
24893  66 
wg :: "[i,i] => i" where 
46823  67 
"wg(F,Y) == \<Union>({X \<in> Pow(program). F:(X guarantees Y)})" 
11479  68 

24893  69 
definition 
11479  70 
(* Weakest existential property stronger than X *) 
24893  71 
wx :: "i =>i" where 
46823  72 
"wx(X) == \<Union>({Y \<in> Pow(program). Y<=X & ex_prop(Y)})" 
11479  73 

24893  74 
definition 
11479  75 
(*Illdefined programs can arise through "Join"*) 
24893  76 
welldef :: i where 
77 
"welldef == {F \<in> program. Init(F) \<noteq> 0}" 
11479  78 

24893  79 
definition 
80 
refines :: "[i, i, i] => o" ("(3_ refines _ wrt _)" [10,10,10] 10) where 

11479  81 
"G refines F wrt X == 
46823  82 
\<forall>H \<in> program. (F ok H & G ok H & F Join H \<in> welldef \<inter> X) 
83 
\<longrightarrow> (G Join H \<in> welldef \<inter> X)" 

84 

24893  85 
definition 
86 
iso_refines :: "[i,i, i] => o" ("(3_ iso'_refines _ wrt _)" [10,10,10] 10) where 

46823  87 
"G iso_refines F wrt X == F \<in> welldef \<inter> X \<longrightarrow> G \<in> welldef \<inter> X" 
88 

89 

90 
(*** existential properties ***) 
91 

92 
lemma ex_imp_subset_program: "ex_prop(X) ==> X\<subseteq>program" 
93 
by (simp add: ex_prop_def) 
94 

95 
lemma ex1 [rule_format]: 
96 
"GG \<in> Fin(program) 
46823  97 
==> ex_prop(X) \<longrightarrow> GG \<inter> X\<noteq>0 \<longrightarrow> OK(GG, (%G. G)) \<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X" 
98 
apply (unfold ex_prop_def) 
99 
apply (erule Fin_induct) 
100 
apply (simp_all add: OK_cons_iff) 
101 
apply (safe elim!: not_emptyE, auto) 
102 
done 
103 

104 
lemma ex2 [rule_format]: 
105 
"X \<subseteq> program ==> 
paulson
parents:
12195
diff
changeset

108 
apply (unfold ex_prop_def, clarify) 
109 
apply (drule_tac x = "{F,G}" in bspec) 
110 
apply (simp_all add: OK_iff_ok) 
111 
apply (auto intro: ok_sym) 
112 
done 
113 

114 
(*Chandy & Sanders take this as a definition*) 
115 

116 
lemma ex_prop_finite: 
46823  117 
"ex_prop(X) \<longleftrightarrow> (X\<subseteq>program & 
118 
(\<forall>GG \<in> Fin(program). GG \<inter> X \<noteq> 0 & OK(GG,(%G. G))\<longrightarrow>(\<Squnion>G \<in> GG. G) \<in> X))" 

119 
apply auto 
120 
apply (blast intro: ex1 ex2 dest: ex_imp_subset_program)+ 
121 
done 
122 

123 
(* Equivalent definition of ex_prop given at the end of section 3*) 
124 
lemma ex_prop_equiv: 
46823  125 
"ex_prop(X) \<longleftrightarrow> 
126 
X\<subseteq>program & (\<forall>G \<in> program. (G \<in> X \<longleftrightarrow> (\<forall>H \<in> program. (G component_of H) \<longrightarrow> H \<in> X)))" 

14093
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

127 
apply (unfold ex_prop_def component_of_def, safe, force, force, blast) 
128 
apply (subst Join_commute) 
129 
apply (blast intro: ok_sym) 
130 
done 
131 

132 
(*** universal properties ***) 
133 

134 
lemma uv_imp_subset_program: "uv_prop(X)==> X\<subseteq>program" 
135 
apply (unfold uv_prop_def) 
136 
apply (simp (no_asm_simp)) 
137 
done 
138 

139 
lemma uv1 [rule_format]: 
140 
"GG \<in> Fin(program) ==> 
46823  141 
(uv_prop(X)\<longrightarrow> GG \<subseteq> X & OK(GG, (%G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" 
142 
apply (unfold uv_prop_def) 
143 
apply (erule Fin_induct) 
144 
apply (auto simp add: OK_cons_iff) 
145 
done 
146 

147 
lemma uv2 [rule_format]: 
148 
"X\<subseteq>program ==> 
46823  149 
(\<forall>GG \<in> Fin(program). GG \<subseteq> X & OK(GG,(%G. G)) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X) 
150 
\<longrightarrow> uv_prop(X)" 

151 
apply (unfold uv_prop_def, auto) 
152 
apply (drule_tac x = 0 in bspec, simp+) 
153 
apply (drule_tac x = "{F,G}" in bspec, simp) 
154 
apply (force dest: ok_sym simp add: OK_iff_ok) 
155 
done 
156 

157 
(*Chandy & Sanders take this as a definition*) 
158 
lemma uv_prop_finite: 
46823  159 
"uv_prop(X) \<longleftrightarrow> X\<subseteq>program & 
160 
(\<forall>GG \<in> Fin(program). GG \<subseteq> X & OK(GG, %G. G) \<longrightarrow> (\<Squnion>G \<in> GG. G) \<in> X)" 

161 
apply auto 
162 
apply (blast dest: uv_imp_subset_program) 
163 
apply (blast intro: uv1) 
164 
apply (blast intro!: uv2 dest:) 
165 
done 
166 

167 
(*** guarantees ***) 
168 
lemma guaranteesI: 
169 
"[ (!!G. [ F ok G; F Join G \<in> X; G \<in> program ] ==> F Join G \<in> Y); 
170 
F \<in> program ] 
171 
==> F \<in> X guarantees Y" 
172 
by (simp add: guar_def component_def) 
173 

174 
lemma guaranteesD: 
175 
"[ F \<in> X guarantees Y; F ok G; F Join G \<in> X; G \<in> program ] 
176 
==> F Join G \<in> Y" 
177 
by (simp add: guar_def component_def) 
178 

179 

180 
(*This version of guaranteesD matches more easily in the conclusion 
181 
The major premise can no longer be F\<subseteq>H since we need to reason about G*) 
182 

183 
lemma component_guaranteesD: 
184 
"[ F \<in> X guarantees Y; F Join G = H; H \<in> X; F ok G; G \<in> program ] 
185 
==> H \<in> Y" 
186 
by (simp add: guar_def, blast) 
187 

188 
lemma guarantees_weaken: 
189 
"[ F \<in> X guarantees X'; Y \<subseteq> X; X' \<subseteq> Y' ] ==> F \<in> Y guarantees Y'" 
190 
by (simp add: guar_def, auto) 
191 

192 
lemma subset_imp_guarantees_program: 
193 
"X \<subseteq> Y ==> X guarantees Y = program" 
194 
by (unfold guar_def, blast) 
195 

196 
(*Equivalent to subset_imp_guarantees_UNIV but more intuitive*) 
197 
lemma subset_imp_guarantees: 
198 
"[ X \<subseteq> Y; F \<in> program ] ==> F \<in> X guarantees Y" 
199 
by (unfold guar_def, blast) 
200 

201 
lemma component_of_Join1: "F ok G ==> F component_of (F Join G)" 
202 
by (unfold component_of_def, blast) 
203 

204 
lemma component_of_Join2: "F ok G ==> G component_of (F Join G)" 
205 
apply (subst Join_commute) 
206 
apply (blast intro: ok_sym component_of_Join1) 
207 
done 
208 

209 
(*Remark at end of section 4.1 *) 
210 
lemma ex_prop_imp: 
211 
"ex_prop(Y) ==> (Y = (program guarantees Y))" 
212 
apply (simp (no_asm_use) add: ex_prop_equiv guar_def component_of_def) 
213 
apply clarify 
214 
apply (rule equalityI, blast, safe) 
215 
apply (drule_tac x = x in bspec, assumption, force) 
216 
done 
217 

218 
lemma guarantees_imp: "(Y = program guarantees Y) ==> ex_prop(Y)" 
219 
apply (unfold guar_def) 
220 
apply (simp (no_asm_simp) add: ex_prop_equiv) 
221 
apply safe 
222 
apply (blast intro: elim: equalityE) 
223 
apply (simp_all (no_asm_use) add: component_of_def) 
224 
apply (force elim: equalityE)+ 
225 
done 
226 

46823  227 
lemma ex_prop_equiv2: "(ex_prop(Y)) \<longleftrightarrow> (Y = program guarantees Y)" 
228 
by (blast intro: ex_prop_imp guarantees_imp) 
229 

230 
(** Distributive laws. Reorient to perform miniscoping **) 
231 

232 
lemma guarantees_UN_left: 
233 
"i \<in> I ==>(\<Union>i \<in> I. X(i)) guarantees Y = (\<Inter>i \<in> I. X(i) guarantees Y)" 
234 
apply (unfold guar_def) 
235 
apply (rule equalityI, safe) 
236 
prefer 2 apply force 
237 
apply blast+ 
238 
done 
239 

240 
lemma guarantees_Un_left: 
242 
apply (unfold guar_def) 
243 
apply (rule equalityI, safe, blast+) 
244 
done 
245 

246 
lemma guarantees_INT_right: 
247 
"i \<in> I ==> X guarantees (\<Inter>i \<in> I. Y(i)) = (\<Inter>i \<in> I. X guarantees Y(i))" 
248 
apply (unfold guar_def) 
249 
apply (rule equalityI, safe, blast+) 
250 
done 
251 

252 
lemma guarantees_Int_right: 
254 
by (unfold guar_def, blast) 
255 

256 
lemma guarantees_Int_right_I: 
257 
"[ F \<in> Z guarantees X; F \<in> Z guarantees Y ] 
259 
by (simp (no_asm_simp) add: guarantees_Int_right) 
260 

261 
lemma guarantees_INT_right_iff: 
263 
(\<forall>i \<in> I. F \<in> X guarantees Y(i))" 
264 
by (simp add: guarantees_INT_right INT_iff, blast) 
265 

266 

46823  267 
lemma shunting: "(X guarantees Y) = (program guarantees ((programX) \<union> Y))" 
268 
by (unfold guar_def, auto) 
269 

24382760fd89
270 
lemma contrapositive: 
271 
"(X guarantees Y) = (program  Y) guarantees (program X)" 
272 
by (unfold guar_def, blast) 
273 

274 
(** The following two can be expressed using intersection and subset, which 
275 
is more faithful to the text but looks cryptic. 
276 
**) 
277 

278 
lemma combining1: 
281 
by (unfold guar_def, blast) 
282 

283 
lemma combining2: 
286 
by (unfold guar_def, blast) 
287 

288 

24382760fd89
289 
(** The following two follow ChandySanders, but the use of objectquantifiers 
290 
does not suit Isabelle... **) 
291 

292 
(*Premise should be (!!i. i \<in> I ==> F \<in> X guarantees Y i) *) 
293 
lemma all_guarantees: 
294 
"[ \<forall>i \<in> I. F \<in> X guarantees Y(i); i \<in> I ] 
295 
==> F \<in> X guarantees (\<Inter>i \<in> I. Y(i))" 
296 
by (unfold guar_def, blast) 
297 

298 
(*Premises should be [ F \<in> X guarantees Y i; i \<in> I ] *) 
299 
lemma ex_guarantees: 
300 
"\<exists>i \<in> I. F \<in> X guarantees Y(i) ==> F \<in> X guarantees (\<Union>i \<in> I. Y(i))" 
301 
by (unfold guar_def, blast) 
302 

303 

304 
(*** Additional guarantees laws, by lcp ***) 
11479  305 

306 
lemma guarantees_Join_Int: 
307 
"[ F \<in> U guarantees V; G \<in> X guarantees Y; F ok G ] 
46823  308 
==> F Join G: (U \<inter> X) guarantees (V \<inter> Y)" 
14093
309 

310 
apply (unfold guar_def) 
311 
apply (simp (no_asm)) 
312 
apply safe 
313 
apply (simp add: Join_assoc) 
314 
apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") 
315 
apply (simp add: ok_commute) 
316 
apply (simp (no_asm_simp) add: Join_ac) 
317 
done 
318 

319 
lemma guarantees_Join_Un: 
320 
"[ F \<in> U guarantees V; G \<in> X guarantees Y; F ok G ] 
46823  321 
==> F Join G: (U \<union> X) guarantees (V \<union> Y)" 
322 
apply (unfold guar_def) 
323 
apply (simp (no_asm)) 
324 
apply safe 
325 
apply (simp add: Join_assoc) 
326 
apply (subgoal_tac "F Join G Join Ga = G Join (F Join Ga) ") 
327 
apply (rotate_tac 4) 
328 
apply (drule_tac x = "F Join Ga" in bspec) 
329 
apply (simp (no_asm)) 
330 
apply (force simp add: ok_commute) 
331 
apply (simp (no_asm_simp) add: Join_ac) 
332 
done 
333 

334 
lemma guarantees_JN_INT: 
335 
"[ \<forall>i \<in> I. F(i) \<in> X(i) guarantees Y(i); OK(I,F); i \<in> I ] 
336 
==> (\<Squnion>i \<in> I. F(i)) \<in> (\<Inter>i \<in> I. X(i)) guarantees (\<Inter>i \<in> I. Y(i))" 
337 
apply (unfold guar_def, safe) 
338 
prefer 2 apply blast 
339 
apply (drule_tac x = xa in bspec) 
340 
apply (simp_all add: INT_iff, safe) 
341 
apply (drule_tac x = "(\<Squnion>x \<in> (I{xa}) . F (x)) Join G" and A=program in bspec) 
342 
apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) 
343 
done 
344 

345 
lemma guarantees_JN_UN: 
346 
"[ \<forall>i \<in> I. F(i) \<in> X(i) guarantees Y(i); OK(I,F) ] 
347 
==> JOIN(I,F) \<in> (\<Union>i \<in> I. X(i)) guarantees (\<Union>i \<in> I. Y(i))" 
348 
apply (unfold guar_def, auto) 
349 
apply (drule_tac x = y in bspec, simp_all, safe) 
350 
apply (rename_tac G y) 
351 
apply (drule_tac x = "JOIN (I{y}, F) Join G" and A=program in bspec) 
352 
apply (auto intro: OK_imp_ok simp add: Join_assoc [symmetric] JN_Join_diff JN_absorb) 
353 
done 
354 

355 
(*** guarantees laws for breaking down the program, by lcp ***) 
356 

357 
lemma guarantees_Join_I1: 
358 
"[ F \<in> X guarantees Y; F ok G ] ==> F Join G \<in> X guarantees Y" 
359 
apply (simp add: guar_def, safe) 
360 
apply (simp add: Join_assoc) 
361 
done 
362 

363 
lemma guarantees_Join_I2: 
364 
"[ G \<in> X guarantees Y; F ok G ] ==> F Join G \<in> X guarantees Y" 
365 
apply (simp add: Join_commute [of _ G] ok_commute [of _ G]) 
366 
apply (blast intro: guarantees_Join_I1) 
367 
done 
368 

369 
lemma guarantees_JN_I: 
370 
"[ i \<in> I; F(i) \<in> X guarantees Y; OK(I,F) ] 
371 
==> (\<Squnion>i \<in> I. F(i)) \<in> X guarantees Y" 
372 
apply (unfold guar_def, safe) 
373 
apply (drule_tac x = "JOIN (I{i},F) Join G" in bspec) 
374 
apply (simp (no_asm)) 
375 
apply (auto intro: OK_imp_ok simp add: JN_Join_diff Join_assoc [symmetric]) 
376 
done 
377 

378 
(*** welldefinedness ***) 
379 

380 
lemma Join_welldef_D1: "F Join G \<in> welldef ==> programify(F) \<in> welldef" 
381 
by (unfold welldef_def, auto) 
382 

383 
lemma Join_welldef_D2: "F Join G \<in> welldef ==> programify(G) \<in> welldef" 
384 
by (unfold welldef_def, auto) 
385 

386 
(*** refinement ***) 
387 

388 
lemma refines_refl: "F refines F wrt X" 
389 
by (unfold refines_def, blast) 
390 

391 
(* More results on guarantees, added by Sidi Ehmety from Chandy & Sander, section 6 *) 
392 

393 
lemma wg_type: "wg(F, X) \<subseteq> program" 
394 
by (unfold wg_def, auto) 
395 

396 
lemma guarantees_type: "X guarantees Y \<subseteq> program" 
397 
by (unfold guar_def, auto) 
398 

399 
lemma wgD2: "G \<in> wg(F, X) ==> G \<in> program & F \<in> program" 
400 
apply (unfold wg_def, auto) 
401 
apply (blast dest: guarantees_type [THEN subsetD]) 
402 
done 
403 

404 
lemma guarantees_equiv: 
407 
by (unfold guar_def component_of_def, force) 
408 

24382760fd89
lemma wg_weakest: 
24382760fd89
"!!X. [ F \<in> (X guarantees Y); X \<subseteq> program ] ==> X \<subseteq> wg(F,Y)" 
24382760fd89
by (unfold wg_def, auto) 
24382760fd89
24382760fd89
converting more theories to Isar scripts, and tidying
24382760fd89
converting more theories to Isar scripts, and tidying
24382760fd89
converting more theories to Isar scripts, and tidying
converting more theories to Isar scripts, and tidying
paulson
"H \<in> wg(F,X) \<longleftrightarrow> 
418 
419 
apply (simp add: wg_def guarantees_equiv) 
420 
apply (rule iffI, safe) 
421 
apply (rule_tac [4] x = "{H}" in bexI) 
422 
apply (rule_tac [3] x = "{H}" in bexI, blast+) 
423 
done 
424 

425 
lemma component_of_wg: 
427 
by (simp (no_asm_simp) add: wg_equiv) 
428 

24382760fd89
429 
lemma wg_finite [rule_format]: 
432 
apply clarify 
433 
apply (subgoal_tac "F component_of (\<Squnion>F \<in> FF. F) ") 
434 
apply (drule_tac X = X in component_of_wg) 
435 
apply (force dest!: Fin.dom_subset [THEN subsetD, THEN PowD]) 
436 
apply (simp_all add: component_of_def) 
437 
apply (rule_tac x = "\<Squnion>F \<in> (FF{F}) . F" in exI) 
438 
apply (auto intro: JN_Join_diff dest: ok_sym simp add: OK_iff_ok) 
439 
done 
440 

441 
lemma wg_ex_prop: 
443 
apply (simp (no_asm_use) add: ex_prop_equiv wg_equiv) 
444 
apply blast 
445 
done 
446 

447 
(** From Charpentier and Chandy "Theorems About Composition" **) 
448 
(* Proposition 2 *) 
449 
lemma wx_subset: "wx(X)\<subseteq>X" 
450 
by (unfold wx_def, auto) 
451 

452 
lemma wx_ex_prop: "ex_prop(wx(X))" 
453 
apply (simp (no_asm_use) add: ex_prop_def wx_def) 
454 
apply safe 
455 
apply blast 
456 
apply (rule_tac x=x in bexI, force, simp)+ 
457 
done 
458 

460 
by (unfold wx_def, auto) 
461 

24382760fd89
(* Proposition 6 *) 
24382760fd89
lemma wx'_ex_prop: 
46823  464 
465 
apply (unfold ex_prop_def, safe) 
466 
apply (drule_tac x = "G Join Ga" in bspec) 
467 
apply (simp (no_asm)) 
468 
apply (force simp add: Join_assoc) 
469 
apply (drule_tac x = "F Join Ga" in bspec) 
470 
apply (simp (no_asm)) 
471 
apply (simp (no_asm_use)) 
472 
apply safe 
473 
apply (simp (no_asm_simp) add: ok_commute) 
474 
apply (subgoal_tac "F Join G = G Join F") 
475 
apply (simp (no_asm_simp) add: Join_assoc) 
476 
apply (simp (no_asm) add: Join_commute) 
477 
done 
478 

479 
(* Equivalence with the other definition of wx *) 
480 

481 
lemma wx_equiv: 
483 
apply (unfold wx_def) 
484 
apply (rule equalityI, safe, blast) 
485 
apply (simp (no_asm_use) add: ex_prop_def) 
486 
apply blast 
488 
in UnionI, 
489 
safe) 
490 
apply (rule_tac [2] wx'_ex_prop) 
491 
apply (drule_tac x=SKIP in bspec, simp)+ 
492 
apply auto 
493 
done 
494 

495 
(* Propositions 7 to 11 are all about this second definition of wx. And 
496 
by equivalence between the two definition, they are the same as the ones proved *) 
497 

498 

24382760fd89
499 
(* Proposition 12 *) 
500 
(* Main result of the paper *) 
24382760fd89
converting more theories to Isar scripts, and tidying
24382760fd89
converting more theories to Isar scripts, and tidying
504 
(* 
505 
{* Corollary, but this result has already been proved elsewhere *} 
506 
"ex_prop(X guarantees Y)" 
507 
*) 
508 

509 
(* Rules given in section 7 of Chandy and Sander's 
510 
Reasoning About Program composition paper *) 
511 

512 
lemma stable_guarantees_Always: 
513 
"[ Init(F) \<subseteq> A; F \<in> program ] ==> F \<in> stable(A) guarantees Always(A)" 
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

514 
apply (rule guaranteesI) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

515 
prefer 2 apply assumption 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

516 
apply (simp (no_asm) add: Join_commute) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

517 
apply (rule stable_Join_Always1) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

518 
apply (simp_all add: invariant_def) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

519 
apply (auto simp add: programify_def initially_def) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

520 
done 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

521 

24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

522 
lemma constrains_guarantees_leadsTo: 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

523 
"[ F \<in> transient(A); st_set(B) ] 
46823  524 
==> F: (A co A \<union> B) guarantees (A leadsTo (BA))" 
14093
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

525 
apply (rule guaranteesI) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

526 
prefer 2 apply (blast dest: transient_type [THEN subsetD]) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

527 
apply (rule leadsTo_Basis') 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

528 
apply (blast intro: constrains_weaken_R) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

529 
apply (blast intro!: Join_transient_I1, blast) 
24382760fd89
converting more theories to Isar scripts, and tidying
paulson
parents:
12195
diff
changeset

530 
done 
11479  531 

532 
end 