(* Title: HOL/UNITY/SubstAx.thy Author: Lawrence C Paulson, Cambridge University Computer Laboratory Copyright 1998 University of Cambridge Weak LeadsTo relation (restricted to the set of reachable states) *)
section‹Weak Progress›
theory SubstAx imports WFair Constrainsbegin
definition Ensures :: "['a set, 'a set] => 'a program set" (infixl‹Ensures› 60) where "A Ensures B == {F. F ∈ (reachable F ∩ A) ensures B}"
definition LeadsTo :: "['a set, 'a set] => 'a program set" (infixl‹LeadsTo› 60) where "A LeadsTo B == {F. F ∈ (reachable F ∩ A) leadsTo B}"
notation LeadsTo (infixl‹⟼w› 60)
text‹Resembles the previous definition of LeadsTo› lemma LeadsTo_eq_leadsTo: "A LeadsTo B = {F. F ∈ (reachable F ∩ A) leadsTo (reachable F ∩ B)}" apply (unfold LeadsTo_def) apply (blast dest: psp_stable2 intro: leadsTo_weaken) done
subsection‹Specialized laws for handling invariants›
(** Conjoining an Always property **)
lemma Always_LeadsTo_pre: "F ∈ Always INV ==> (F ∈ (INV ∩ A) LeadsTo A') = (F ∈ A LeadsTo A')" by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2
Int_assoc [symmetric])
lemma Always_LeadsTo_post: "F ∈ Always INV ==> (F ∈ A LeadsTo (INV ∩ A')) = (F ∈ A LeadsTo A')" by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2
Int_assoc [symmetric])
(* [| F \<in> Always C; F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *) lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1]
(* [| F \<in> Always INV; F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *) lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2]
lemma leadsTo_imp_LeadsTo: "F ∈ A leadsTo B ==> F ∈ A LeadsTo B" apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_L) done
lemma LeadsTo_Trans: "[| F ∈ A LeadsTo B; F ∈ B LeadsTo C |] ==> F ∈ A LeadsTo C" apply (simp add: LeadsTo_eq_leadsTo) apply (blast intro: leadsTo_Trans) done
lemma LeadsTo_Union: "(!!A. A ∈ S ==> F ∈ A LeadsTo B) ==> F ∈ (∪S) LeadsTo B" apply (simp add: LeadsTo_def) apply (subst Int_Union) apply (blast intro: leadsTo_UN) done
subsection‹Derived rules›
lemma LeadsTo_UNIV [simp]: "F ∈ A LeadsTo UNIV" by (simp add: LeadsTo_def)
text‹Useful with cancellation, disjunction› lemma LeadsTo_Un_duplicate: "F ∈ A LeadsTo (A' ∪ A') ==> F ∈ A LeadsTo A'" by (simp add: Un_ac)
lemma LeadsTo_Un_duplicate2: "F ∈ A LeadsTo (A' ∪ C ∪ C) ==> F ∈ A LeadsTo (A' ∪ C)" by (simp add: Un_ac)
lemma LeadsTo_UN: "(!!i. i ∈ I ==> F ∈ (A i) LeadsTo B) ==> F ∈ (∪i ∈ I. A i) LeadsTo B" apply (blast intro: LeadsTo_Union) done
text‹Binary union introduction rule› lemma LeadsTo_Un: "[| F ∈ A LeadsTo C; F ∈ B LeadsTo C |] ==> F ∈ (A ∪ B) LeadsTo C" using LeadsTo_UN [of "{A, B}" F id C] by auto
text‹Lets us look at the starting state› lemma single_LeadsTo_I: "(!!s. s ∈ A ==> F ∈ {s} LeadsTo B) ==> F ∈ A LeadsTo B" by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast)
lemma subset_imp_LeadsTo: "A ⊆ B ==> F ∈ A LeadsTo B" apply (simp add: LeadsTo_def) apply (blast intro: subset_imp_leadsTo) done
lemma LeadsTo_weaken_R: "[| F ∈ A LeadsTo A'; A' ⊆ B' |] ==> F ∈ A LeadsTo B'" apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_R) done
lemma LeadsTo_weaken_L: "[| F ∈ A LeadsTo A'; B ⊆ A |] ==> F ∈ B LeadsTo A'" apply (simp add: LeadsTo_def) apply (blast intro: leadsTo_weaken_L) done
lemma LeadsTo_weaken: "[| F ∈ A LeadsTo A'; B ⊆ A; A' ⊆ B' |] ==> F ∈ B LeadsTo B'" by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)
lemma Always_LeadsTo_weaken: "[| F ∈ Always C; F ∈ A LeadsTo A'; C ∩ B ⊆ A; C ∩ A' ⊆ B' |] ==> F ∈ B LeadsTo B'" by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD)
(** Two theorems for "proof lattices" **)
lemma LeadsTo_Un_post: "F ∈ A LeadsTo B ==> F ∈ (A ∪ B) LeadsTo B" by (blast intro: LeadsTo_Un subset_imp_LeadsTo)
lemma LeadsTo_Trans_Un: "[| F ∈ A LeadsTo B; F ∈ B LeadsTo C |] ==> F ∈ (A ∪ B) LeadsTo C" by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans)
(** Distributive laws **)
lemma LeadsTo_Un_distrib: "(F ∈ (A ∪ B) LeadsTo C) = (F ∈ A LeadsTo C & F ∈ B LeadsTo C)" by (blast intro: LeadsTo_Un LeadsTo_weaken_L)
lemma LeadsTo_UN_distrib: "(F ∈ (∪i ∈ I. A i) LeadsTo B) = (∀i ∈ I. F ∈ (A i) LeadsTo B)" by (blast intro: LeadsTo_UN LeadsTo_weaken_L)
lemma LeadsTo_Union_distrib: "(F ∈ (∪S) LeadsTo B) = (∀A ∈ S. F ∈ A LeadsTo B)" by (blast intro: LeadsTo_Union LeadsTo_weaken_L)
(** More rules using the premise "Always INV" **)
lemma LeadsTo_Basis: "F ∈ A Ensures B ==> F ∈ A LeadsTo B" by (simp add: Ensures_def LeadsTo_def leadsTo_Basis)
lemma EnsuresI: "[| F ∈ (A-B) Co (A ∪ B); F ∈ transient (A-B) |] ==> F ∈ A Ensures B" apply (simp add: Ensures_def Constrains_eq_constrains) apply (blast intro: ensuresI constrains_weaken transient_strengthen) done
lemma Always_LeadsTo_Basis: "[| F ∈ Always INV; F ∈ (INV ∩ (A-A')) Co (A ∪ A'); F ∈ transient (INV ∩ (A-A')) |] ==> F ∈ A LeadsTo A'" apply (rule Always_LeadsToI, assumption) apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen) done
text‹Set difference: maybe combine with ‹leadsTo_weaken_L›??
This is the most useful form of the "disjunction" rule› lemma LeadsTo_Diff: "[| F ∈ (A-B) LeadsTo C; F ∈ (A ∩ B) LeadsTo C |] ==> F ∈ A LeadsTo C" by (blast intro: LeadsTo_Un LeadsTo_weaken)
lemma LeadsTo_UN_UN: "(!! i. i ∈ I ==> F ∈ (A i) LeadsTo (A' i)) ==> F ∈ (∪i ∈ I. A i) LeadsTo (∪i ∈ I. A' i)" apply (blast intro: LeadsTo_Union LeadsTo_weaken_R) done
text‹Version with no index set› lemma LeadsTo_UN_UN_noindex: "(!!i. F ∈ (A i) LeadsTo (A' i)) ==> F ∈ (∪i. A i) LeadsTo (∪i. A' i)" by (blast intro: LeadsTo_UN_UN)
text‹Version with no index set› lemma all_LeadsTo_UN_UN: "∀i. F ∈ (A i) LeadsTo (A' i) ==> F ∈ (∪i. A i) LeadsTo (∪i. A' i)" by (blast intro: LeadsTo_UN_UN)
text‹Binary union version› lemma LeadsTo_Un_Un: "[| F ∈ A LeadsTo A'; F ∈ B LeadsTo B' |] ==> F ∈ (A ∪ B) LeadsTo (A' ∪ B')" by (blast intro: LeadsTo_Un LeadsTo_weaken_R)
(** The cancellation law **)
lemma LeadsTo_cancel2: "[| F ∈ A LeadsTo (A' ∪ B); F ∈ B LeadsTo B' |] ==> F ∈ A LeadsTo (A' ∪ B')" by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans)
lemma LeadsTo_cancel_Diff2: "[| F ∈ A LeadsTo (A' ∪ B); F ∈ (B-A') LeadsTo B' |] ==> F ∈ A LeadsTo (A' ∪ B')" apply (rule LeadsTo_cancel2) prefer 2 apply assumption apply (simp_all (no_asm_simp)) done
lemma LeadsTo_cancel1: "[| F ∈ A LeadsTo (B ∪ A'); F ∈ B LeadsTo B' |] ==> F ∈ A LeadsTo (B' ∪ A')" apply (simp add: Un_commute) apply (blast intro!: LeadsTo_cancel2) done
lemma LeadsTo_cancel_Diff1: "[| F ∈ A LeadsTo (B ∪ A'); F ∈ (B-A') LeadsTo B' |] ==> F ∈ A LeadsTo (B' ∪ A')" apply (rule LeadsTo_cancel1) prefer 2 apply assumption apply (simp_all (no_asm_simp)) done
text‹The impossibility law›
text‹The set "A" may be non-empty, but it contains no reachable states› lemma LeadsTo_empty: "[|F ∈ A LeadsTo {}; all_total F|] ==> F ∈ Always (-A)" apply (simp add: LeadsTo_def Always_eq_includes_reachable) apply (drule leadsTo_empty, auto) done
subsection‹PSP: Progress-Safety-Progress›
text‹Special case of PSP: Misra's "stable conjunction"› lemma PSP_Stable: "[| F ∈ A LeadsTo A'; F ∈ Stable B |] ==> F ∈ (A ∩ B) LeadsTo (A' ∩ B)" apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable) apply (drule psp_stable, assumption) apply (simp add: Int_ac) done
lemma PSP_Stable2: "[| F ∈ A LeadsTo A'; F ∈ Stable B |] ==> F ∈ (B ∩ A) LeadsTo (B ∩ A')" by (simp add: PSP_Stable Int_ac)
lemma PSP: "[| F ∈ A LeadsTo A'; F ∈ B Co B' |] ==> F ∈ (A ∩ B') LeadsTo ((A' ∩ B) ∪ (B' - B))" apply (simp add: LeadsTo_def Constrains_eq_constrains) apply (blast dest: psp intro: leadsTo_weaken) done
lemma PSP2: "[| F ∈ A LeadsTo A'; F ∈ B Co B' |] ==> F ∈ (B' ∩ A) LeadsTo ((B ∩ A') ∪ (B' - B))" by (simp add: PSP Int_ac)
lemma PSP_Unless: "[| F ∈ A LeadsTo A'; F ∈ B Unless B' |] ==> F ∈ (A ∩ B) LeadsTo ((A' ∩ B) ∪ B')" apply (unfold Unless_def) apply (drule PSP, assumption) apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo) done
lemma Stable_transient_Always_LeadsTo: "[| F ∈ Stable A; F ∈ transient C; F ∈ Always (-A ∪ B ∪ C) |] ==> F ∈ A LeadsTo B" apply (erule Always_LeadsTo_weaken) apply (rule LeadsTo_Diff) prefer 2 apply (erule
transient_imp_leadsTo [THEN leadsTo_imp_LeadsTo, THEN PSP_Stable2]) apply (blast intro: subset_imp_LeadsTo)+ done
subsection‹Induction rules›
(** Meta or object quantifier ????? **) lemma LeadsTo_wf_induct: "[| wf r; ∀m. F ∈ (A ∩ f-`{m}) LeadsTo ((A ∩ f-`(r-1 `` {m})) ∪ B) |] ==> F ∈ A LeadsTo B" apply (simp add: LeadsTo_eq_leadsTo) apply (erule leadsTo_wf_induct) apply (blast intro: leadsTo_weaken) done
lemma Bounded_induct: "[| wf r; ∀m ∈ I. F ∈ (A ∩ f-`{m}) LeadsTo ((A ∩ f-`(r-1 `` {m})) ∪ B) |] ==> F ∈ A LeadsTo ((A - (f-`I)) ∪ B)" apply (erule LeadsTo_wf_induct, safe) apply (case_tac "m ∈ I") apply (blast intro: LeadsTo_weaken) apply (blast intro: subset_imp_LeadsTo) done
lemma LessThan_induct: "(!!m::nat. F ∈ (A ∩ f-`{m}) LeadsTo ((A ∩ f-`(lessThan m)) ∪ B)) ==> F ∈ A LeadsTo B" by (rule wf_less_than [THEN LeadsTo_wf_induct], auto)
text‹Integer version. Could generalize from 0 to any lower bound› lemma integ_0_le_induct: "[| F ∈ Always {s. (0::int) ≤ f s}; !! z. F ∈ (A ∩ {s. f s = z}) LeadsTo ((A ∩ {s. f s < z}) ∪ B) |] ==> F ∈ A LeadsTo B" apply (rule_tac f = "nat o f"in LessThan_induct) apply (simp add: vimage_def) apply (rule Always_LeadsTo_weaken, assumption+) apply (auto simp add: nat_eq_iff nat_less_iff) done
lemma LessThan_bounded_induct: "!!l::nat. ∀m ∈ greaterThan l. F ∈ (A ∩ f-`{m}) LeadsTo ((A ∩ f-`(lessThan m)) ∪ B) ==> F ∈ A LeadsTo ((A ∩ (f-`(atMost l))) ∪ B)" apply (simp only: Diff_eq [symmetric] vimage_Compl
Compl_greaterThan [symmetric]) apply (rule wf_less_than [THEN Bounded_induct], simp) done
lemma GreaterThan_bounded_induct: "!!l::nat. ∀m ∈ lessThan l. F ∈ (A ∩ f-`{m}) LeadsTo ((A ∩ f-`(greaterThan m)) ∪ B) ==> F ∈ A LeadsTo ((A ∩ (f-`(atLeast l))) ∪ B)" apply (rule_tac f = f and f1 = "%k. l - k" in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct]) apply (simp add: Image_singleton, clarify) apply (case_tac "m) apply (blast intro: LeadsTo_weaken_R diff_less_mono2) apply (blast intro: not_le_imp_less subset_imp_LeadsTo) done
subsection‹Completion: Binary and General Finite versions›
lemma Completion: "[| F ∈ A LeadsTo (A' ∪ C); F ∈ A' Co (A' ∪ C); F ∈ B LeadsTo (B' ∪ C); F ∈ B' Co (B' ∪ C) |] ==> F ∈ (A ∩ B) LeadsTo ((A' ∩ B') ∪ C)" apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib) apply (blast intro: completion leadsTo_weaken) done
lemma Finite_completion_lemma: "finite I ==> (∀i ∈ I. F ∈ (A i) LeadsTo (A' i ∪ C)) --> (∀i ∈ I. F ∈ (A' i) Co (A' i ∪ C)) --> F ∈ (∩i ∈ I. A i) LeadsTo ((∩i ∈ I. A' i) ∪ C)" apply (erule finite_induct, auto) apply (rule Completion) prefer 4 apply (simp only: INT_simps [symmetric]) apply (rule Constrains_INT, auto) done
lemma Finite_completion: "[| finite I; !!i. i ∈ I ==> F ∈ (A i) LeadsTo (A' i ∪ C); !!i. i ∈ I ==> F ∈ (A' i) Co (A' i ∪ C) |] ==> F ∈ (∩i ∈ I. A i) LeadsTo ((∩i ∈ I. A' i) ∪ C)" by (blast intro: Finite_completion_lemma [THEN mp, THEN mp])
lemma Stable_completion: "[| F ∈ A LeadsTo A'; F ∈ Stable A'; F ∈ B LeadsTo B'; F ∈ Stable B' |] ==> F ∈ (A ∩ B) LeadsTo (A' ∩ B')" apply (unfold Stable_def) apply (rule_tac C1 = "{}"in Completion [THEN LeadsTo_weaken_R]) apply (force+) done
lemma Finite_stable_completion: "[| finite I; !!i. i ∈ I ==> F ∈ (A i) LeadsTo (A' i); !!i. i ∈ I ==> F ∈ Stable (A' i) |] ==> F ∈ (∩i ∈ I. A i) LeadsTo (∩i ∈ I. A' i)" apply (unfold Stable_def) apply (rule_tac C1 = "{}"in Finite_completion [THEN LeadsTo_weaken_R]) apply (simp_all, blast+) done
end
Messung V0.5 in Prozent
¤ Dauer der Verarbeitung: 0.15 Sekunden
(vorverarbeitet am 2026-04-28)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
