Anforderungen  |   Konzepte  |   Entwurf  |   Entwicklung  |   Qualitätssicherung  |   Lebenszyklus  |   Steuerung
 
 
 
 

products/Sources/formale Sprachen/Isabelle/HOL/UNITY/   (Beweissystem Isabelle Version 2025-1©)  Datei vom 16.11.2025 mit Größe 14 kB image not shown  

Quelle  SubstAx.thy   Sprache: Isabelle

 
(*  Title:      HOL/UNITY/SubstAx.thy
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
    Copyright   1998  University of Cambridge

Weak LeadsTo relation (restricted to the set of reachable states)
*)

sectionWeak Progress

theory SubstAx imports WFair Constrains begin

definition Ensures :: "['a set, 'a set] => 'a program set" (infixl Ensures 60) where
    "A Ensures B == {F. F \ (reachable F \ A) ensures B}"

definition LeadsTo :: "['a set, 'a set] => 'a program set" (infixl LeadsTo 60) where
    "A LeadsTo B == {F. F \ (reachable F \ A) leadsTo B}"

notation LeadsTo  (infixl w 60)


textResembles the previous definition of LeadsTo
lemma LeadsTo_eq_leadsTo: 
     "A LeadsTo B = {F. F \ (reachable F \ A) leadsTo (reachable F \ B)}"
apply (unfold LeadsTo_def)
apply (blast dest: psp_stable2 intro: leadsTo_weaken)
done


subsectionSpecialized laws for handling invariants

(** Conjoining an Always property **)

lemma Always_LeadsTo_pre:
     "F \ Always INV ==> (F \ (INV \ A) LeadsTo A') = (F \ A LeadsTo A')"
by (simp add: LeadsTo_def Always_eq_includes_reachable Int_absorb2 
              Int_assoc [symmetric])

lemma Always_LeadsTo_post:
     "F \ Always INV ==> (F \ A LeadsTo (INV \ A')) = (F \ A LeadsTo A')"
by (simp add: LeadsTo_eq_leadsTo Always_eq_includes_reachable Int_absorb2 
              Int_assoc [symmetric])

(* [| F \<in> Always C;  F \<in> (C \<inter> A) LeadsTo A' |] ==> F \<in> A LeadsTo A' *)
lemmas Always_LeadsToI = Always_LeadsTo_pre [THEN iffD1]

(* [| F \<in> Always INV;  F \<in> A LeadsTo A' |] ==> F \<in> A LeadsTo (INV \<inter> A') *)
lemmas Always_LeadsToD = Always_LeadsTo_post [THEN iffD2]


subsectionIntroduction rules: Basis, Trans, Union

lemma leadsTo_imp_LeadsTo: "F \ A leadsTo B ==> F \ A LeadsTo B"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_L)
done

lemma LeadsTo_Trans:
     "[| F \ A LeadsTo B; F \ B LeadsTo C |] ==> F \ A LeadsTo C"
apply (simp add: LeadsTo_eq_leadsTo)
apply (blast intro: leadsTo_Trans)
done

lemma LeadsTo_Union: 
     "(!!A. A \ S ==> F \ A LeadsTo B) ==> F \ (\S) LeadsTo B"
apply (simp add: LeadsTo_def)
apply (subst Int_Union)
apply (blast intro: leadsTo_UN)
done


subsectionDerived rules

lemma LeadsTo_UNIV [simp]: "F \ A LeadsTo UNIV"
by (simp add: LeadsTo_def)

textUseful with cancellation, disjunction
lemma LeadsTo_Un_duplicate:
     "F \ A LeadsTo (A' \ A') ==> F \ A LeadsTo A'"
by (simp add: Un_ac)

lemma LeadsTo_Un_duplicate2:
     "F \ A LeadsTo (A' \ C \ C) ==> F \ A LeadsTo (A' \ C)"
by (simp add: Un_ac)

lemma LeadsTo_UN: 
     "(!!i. i \ I ==> F \ (A i) LeadsTo B) ==> F \ (\i \ I. A i) LeadsTo B"
apply (blast intro: LeadsTo_Union)
done

textBinary union introduction rule
lemma LeadsTo_Un:
     "[| F \ A LeadsTo C; F \ B LeadsTo C |] ==> F \ (A \ B) LeadsTo C"
  using LeadsTo_UN [of "{A, B}" F id C] by auto

textLets us look at the starting state
lemma single_LeadsTo_I:
     "(!!s. s \ A ==> F \ {s} LeadsTo B) ==> F \ A LeadsTo B"
by (subst UN_singleton [symmetric], rule LeadsTo_UN, blast)

lemma subset_imp_LeadsTo: "A \ B ==> F \ A LeadsTo B"
apply (simp add: LeadsTo_def)
apply (blast intro: subset_imp_leadsTo)
done

lemmas empty_LeadsTo = empty_subsetI [THEN subset_imp_LeadsTo, simp]

lemma LeadsTo_weaken_R:
     "[| F \ A LeadsTo A'; A' \ B' |] ==> F \ A LeadsTo B'"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_R)
done

lemma LeadsTo_weaken_L:
     "[| F \ A LeadsTo A'; B \ A |]
      ==> F  B LeadsTo A'"
apply (simp add: LeadsTo_def)
apply (blast intro: leadsTo_weaken_L)
done

lemma LeadsTo_weaken:
     "[| F \ A LeadsTo A';
         B   A;   A' \ B' |]  
      ==> F  B LeadsTo B'"
by (blast intro: LeadsTo_weaken_R LeadsTo_weaken_L LeadsTo_Trans)

lemma Always_LeadsTo_weaken:
     "[| F \ Always C; F \ A LeadsTo A';
         C  B  A;   C  A' \ B' |]  
      ==> F  B LeadsTo B'"
by (blast dest: Always_LeadsToI intro: LeadsTo_weaken intro: Always_LeadsToD)

(** Two theorems for "proof lattices" **)

lemma LeadsTo_Un_post: "F \ A LeadsTo B ==> F \ (A \ B) LeadsTo B"
by (blast intro: LeadsTo_Un subset_imp_LeadsTo)

lemma LeadsTo_Trans_Un:
     "[| F \ A LeadsTo B; F \ B LeadsTo C |]
      ==> F  (A  B) LeadsTo C"
by (blast intro: LeadsTo_Un subset_imp_LeadsTo LeadsTo_weaken_L LeadsTo_Trans)


(** Distributive laws **)

lemma LeadsTo_Un_distrib:
     "(F \ (A \ B) LeadsTo C) = (F \ A LeadsTo C & F \ B LeadsTo C)"
by (blast intro: LeadsTo_Un LeadsTo_weaken_L)

lemma LeadsTo_UN_distrib:
     "(F \ (\i \ I. A i) LeadsTo B) = (\i \ I. F \ (A i) LeadsTo B)"
by (blast intro: LeadsTo_UN LeadsTo_weaken_L)

lemma LeadsTo_Union_distrib:
     "(F \ (\S) LeadsTo B) = (\A \ S. F \ A LeadsTo B)"
by (blast intro: LeadsTo_Union LeadsTo_weaken_L)


(** More rules using the premise "Always INV" **)

lemma LeadsTo_Basis: "F \ A Ensures B ==> F \ A LeadsTo B"
by (simp add: Ensures_def LeadsTo_def leadsTo_Basis)

lemma EnsuresI:
     "[| F \ (A-B) Co (A \ B); F \ transient (A-B) |]
      ==> F  A Ensures B"
apply (simp add: Ensures_def Constrains_eq_constrains)
apply (blast intro: ensuresI constrains_weaken transient_strengthen)
done

lemma Always_LeadsTo_Basis:
     "[| F \ Always INV;
         F  (INV  (A-A')) Co (A \ A');  
         F  transient (INV  (A-A')) |]
  ==> F  A LeadsTo A'"
apply (rule Always_LeadsToI, assumption)
apply (blast intro: EnsuresI LeadsTo_Basis Always_ConstrainsD [THEN Constrains_weaken] transient_strengthen)
done

textSet difference: maybe combine with leadsTo_weaken_L??
  This is the most useful form of the "disjunction" rule
lemma LeadsTo_Diff:
     "[| F \ (A-B) LeadsTo C; F \ (A \ B) LeadsTo C |]
      ==> F  A LeadsTo C"
by (blast intro: LeadsTo_Un LeadsTo_weaken)


lemma LeadsTo_UN_UN: 
     "(!! i. i \ I ==> F \ (A i) LeadsTo (A' i))
      ==> F  ( I. A i) LeadsTo ( I. A' i)"
apply (blast intro: LeadsTo_Union LeadsTo_weaken_R)
done


textVersion with no index set
lemma LeadsTo_UN_UN_noindex: 
     "(!!i. F \ (A i) LeadsTo (A' i)) ==> F \ (\i. A i) LeadsTo (\i. A' i)"
by (blast intro: LeadsTo_UN_UN)

textVersion with no index set
lemma all_LeadsTo_UN_UN:
     "\i. F \ (A i) LeadsTo (A' i)
      ==> F  (i. A i) LeadsTo (i. A' i)"
by (blast intro: LeadsTo_UN_UN)

textBinary union version
lemma LeadsTo_Un_Un:
     "[| F \ A LeadsTo A'; F \ B LeadsTo B' |]
            ==> F  (A  B) LeadsTo (A' \ B')"
by (blast intro: LeadsTo_Un LeadsTo_weaken_R)


(** The cancellation law **)

lemma LeadsTo_cancel2:
     "[| F \ A LeadsTo (A' \ B); F \ B LeadsTo B' |]
      ==> F  A LeadsTo (A' \ B')"
by (blast intro: LeadsTo_Un_Un subset_imp_LeadsTo LeadsTo_Trans)

lemma LeadsTo_cancel_Diff2:
     "[| F \ A LeadsTo (A' \ B); F \ (B-A') LeadsTo B' |]
      ==> F  A LeadsTo (A' \ B')"
apply (rule LeadsTo_cancel2)
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done

lemma LeadsTo_cancel1:
     "[| F \ A LeadsTo (B \ A'); F \ B LeadsTo B' |]
      ==> F  A LeadsTo (B' \ A')"
apply (simp add: Un_commute)
apply (blast intro!: LeadsTo_cancel2)
done

lemma LeadsTo_cancel_Diff1:
     "[| F \ A LeadsTo (B \ A'); F \ (B-A') LeadsTo B' |]
      ==> F  A LeadsTo (B' \ A')"
apply (rule LeadsTo_cancel1)
prefer 2 apply assumption
apply (simp_all (no_asm_simp))
done


textThe impossibility law

textThe set "A" may be non-empty, but it contains no reachable states
lemma LeadsTo_empty: "[|F \ A LeadsTo {}; all_total F|] ==> F \ Always (-A)"
apply (simp add: LeadsTo_def Always_eq_includes_reachable)
apply (drule leadsTo_empty, auto)
done


subsectionPSP: Progress-Safety-Progress

textSpecial case of PSP: Misra's "stable conjunction"\
lemma PSP_Stable:
     "[| F \ A LeadsTo A'; F \ Stable B |]
      ==> F  (A  B) LeadsTo (A' \ B)"
apply (simp add: LeadsTo_eq_leadsTo Stable_eq_stable)
apply (drule psp_stable, assumption)
apply (simp add: Int_ac)
done

lemma PSP_Stable2:
     "[| F \ A LeadsTo A'; F \ Stable B |]
      ==> F  (B  A) LeadsTo (B  A')"
by (simp add: PSP_Stable Int_ac)

lemma PSP:
     "[| F \ A LeadsTo A'; F \ B Co B' |]
      ==> F  (A  B') LeadsTo ((A'  B)  (B' - B))"
apply (simp add: LeadsTo_def Constrains_eq_constrains)
apply (blast dest: psp intro: leadsTo_weaken)
done

lemma PSP2:
     "[| F \ A LeadsTo A'; F \ B Co B' |]
      ==> F  (B' \ A) LeadsTo ((B \ A' (B' - B))"
by (simp add: PSP Int_ac)

lemma PSP_Unless: 
     "[| F \ A LeadsTo A'; F \ B Unless B' |]
      ==> F  (A  B) LeadsTo ((A' \ B) \ B')"
apply (unfold Unless_def)
apply (drule PSP, assumption)
apply (blast intro: LeadsTo_Diff LeadsTo_weaken subset_imp_LeadsTo)
done


lemma Stable_transient_Always_LeadsTo:
     "[| F \ Stable A; F \ transient C;
         F  Always (-A  B  C) |] ==> F  A LeadsTo B"
apply (erule Always_LeadsTo_weaken)
apply (rule LeadsTo_Diff)
   prefer 2
   apply (erule
          transient_imp_leadsTo [THEN leadsTo_imp_LeadsTo, THEN PSP_Stable2])
   apply (blast intro: subset_imp_LeadsTo)+
done


subsectionInduction rules

(** Meta or object quantifier ????? **)
lemma LeadsTo_wf_induct:
     "[| wf r;
         m. F  (A  f-`{m}) LeadsTo                      
                    ((A  f-`(r-1 `` {m}))  B) |]  
      ==> F  A LeadsTo B"
apply (simp add: LeadsTo_eq_leadsTo)
apply (erule leadsTo_wf_induct)
apply (blast intro: leadsTo_weaken)
done


lemma Bounded_induct:
     "[| wf r;
          I. F  (A  f-`{m}) LeadsTo                    
                      ((A  f-`(r-1 `` {m}))  B) |]  
      ==> F  A LeadsTo ((A - (f-`I))  B)"
apply (erule LeadsTo_wf_induct, safe)
apply (case_tac "m \ I")
apply (blast intro: LeadsTo_weaken)
apply (blast intro: subset_imp_LeadsTo)
done


lemma LessThan_induct:
     "(!!m::nat. F \ (A \ f-`{m}) LeadsTo ((A \ f-`(lessThan m)) \ B))
      ==> F  A LeadsTo B"
by (rule wf_less_than [THEN LeadsTo_wf_induct], auto)

textInteger version.  Could generalize from 0 to any lower bound
lemma integ_0_le_induct:
     "[| F \ Always {s. (0::int) \ f s};
         !! z. F  (A  {s. f s = z}) LeadsTo                      
                   ((A  {s. f s < z})  B) |]  
      ==> F  A LeadsTo B"
apply (rule_tac f = "nat o f" in LessThan_induct)
apply (simp add: vimage_def)
apply (rule Always_LeadsTo_weaken, assumption+)
apply (auto simp add: nat_eq_iff nat_less_iff)
done

lemma LessThan_bounded_induct:
     "!!l::nat. \m \ greaterThan l.
                   F  (A  f-`{m}) LeadsTo ((A  f-`(lessThan m))  B)
            ==> F  A LeadsTo ((A  (f-`(atMost l)))  B)"
apply (simp only: Diff_eq [symmetric] vimage_Compl 
                  Compl_greaterThan [symmetric])
apply (rule wf_less_than [THEN Bounded_induct], simp)
done

lemma GreaterThan_bounded_induct:
     "!!l::nat. \m \ lessThan l.
                 F  (A  f-`{m}) LeadsTo ((A  f-`(greaterThan m))  B)
      ==> F  A LeadsTo ((A  (f-`(atLeast l)))  B)"
apply (rule_tac f = f and f1 = "%k. l - k" 
       in wf_less_than [THEN wf_inv_image, THEN LeadsTo_wf_induct])
apply (simp add: Image_singleton, clarify)
apply (case_tac "m)
 apply (blast intro: LeadsTo_weaken_R diff_less_mono2)
apply (blast intro: not_le_imp_less subset_imp_LeadsTo)
done


subsectionCompletion: Binary and General Finite versions

lemma Completion:
     "[| F \ A LeadsTo (A' \ C); F \ A' Co (A' \ C);
         F  B LeadsTo (B' \ C); F \ B' Co (B' \ C) |]
      ==> F  (A  B) LeadsTo ((A' \ B' C)"
apply (simp add: LeadsTo_eq_leadsTo Constrains_eq_constrains Int_Un_distrib)
apply (blast intro: completion leadsTo_weaken)
done

lemma Finite_completion_lemma:
     "finite I
      ==> ( I. F  (A i) LeadsTo (A' i \ C)) -->
          ( I. F  (A' i) Co (A' i  C)) -->  
          F  ( I. A i) LeadsTo (( I. A' i) \ C)"
apply (erule finite_induct, auto)
apply (rule Completion)
   prefer 4
   apply (simp only: INT_simps [symmetric])
   apply (rule Constrains_INT, auto)
done

lemma Finite_completion: 
     "[| finite I;
         !!i. i  I ==> F  (A i) LeadsTo (A' i \ C);
         !!i. i  I ==> F  (A' i) Co (A' i  C) |]    
      ==> F  ( I. A i) LeadsTo (( I. A' i) \ C)"
by (blast intro: Finite_completion_lemma [THEN mp, THEN mp])

lemma Stable_completion: 
     "[| F \ A LeadsTo A'; F \ Stable A';
         F  B LeadsTo B'; F \ Stable B' |]  
      ==> F  (A  B) LeadsTo (A' \ B')"
apply (unfold Stable_def)
apply (rule_tac C1 = "{}" in Completion [THEN LeadsTo_weaken_R])
apply (force+)
done

lemma Finite_stable_completion: 
     "[| finite I;
         !!i. i  I ==> F  (A i) LeadsTo (A' i);
         !!i. i  I ==> F  Stable (A' i) |]
      ==> F  ( I. A i) LeadsTo ( I. A' i)"
apply (unfold Stable_def)
apply (rule_tac C1 = "{}" in Finite_completion [THEN LeadsTo_weaken_R])
apply (simp_all, blast+)
done

end

Messung V0.5
C=99 H=99 G=98

¤ Dauer der Verarbeitung: 0.12 Sekunden  (vorverarbeitet)  ¤

*© Formatika GbR, Deutschland




Wurzel

Suchen

Beweissystem der NASA

Beweissystem Isabelle

NIST Cobol Testsuite

Cephes Mathematical Library

Wiener Entwicklungsmethode

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.

Bemerkung:

Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.





                                                                                                                                                                                                                                                                                                                                                                                                     

Neuigkeiten

     Aktuelles
     Motto des Tages

Software

     Produkte
     Quellcodebibliothek

Aktivitäten

     Artikel über Sicherheit
     Anleitung zur Aktivierung von SSL

Muße

     Gedichte
     Musik
     Bilder
Jenseits des Üblichen ....
    

Besucherstatistik

Besucherstatistik

Monitoring

Montastic status badge