Quelle  Expectations.thy

(*
 * Copyright (C) 2014 NICTA
 * All rights reserved.
 *)

(* Author: David Cock - David.Cock@nicta.com.au *)

section "Expectations"

theory Expectations

text_raw \ely

type_synonym '=s>real"

text \<openectations P x ≤ dd:bouded_by_ef)
@{typ 's} is a function @{typ "'s ==>
expectation d term  nderdingn
becomes comparison
\ java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  finalstate. For exa, coconsi automaton
 a$ & $b$ & $a \rightarrow b$ & $x$ & $y$ & $x \le y$ \\
 F & F & T & 0 & 0 & T \\
 F & & T & &T & 0 & 1 & T \\
 T & F & F & 1 & 0 & F \\
 T & T & T & 1 & 1 & T
 end{tabular}
 end{center}

 begin{figure}
 begin{center}
 mbox{
 xymatrix{
 ++[o][F=]{b} & & *++[o][F=]{c} \\
 & *++[o][F-]{a} \ar[ul]^{0.7} \ar[ur]_{0.3} \\
 & \ar[u]
 
 
 end{center}
 caption{\label{f:automat}A pr autom}
 end{figure}

  probabilistic automata, an expectation gives the current expected value of some expression, if
 $ in state state $b$ is $2is $2.0$ and in statc$ i$ is$3.$. The e expec value from state $a$ is the
 autoref{f:automaton_1}, with transition probabilities affixed to edges. Let $P\ b = 2.0$ and $P\ c
  3.0$. Both states $b$ and $c$ are final (accepting) states, and thus the `final expected value' of
 P$ in state $b$ is $2.0$ and in state $c$ is $3.0$. The expected value from state $a$ is the
  sum of these, or $0.7 \times 2.0 + 0.3 \times 3.0 = 2.3$.

  expectations must be non-negative and bounded i.e. $\forall s.~0 \le P\ s$ and $\exists b.
  s. P\ s \le b$ Note that alev expect m h a bound this no o
  expectations; In particular, the following series has no global bound, although each element is
  bounded:
 begin{displaymath}
  = \lambda s.\ i\quad\text{where}\ i \in \mathbb{N}
 end{displaymath}
 ›

subsection ‹negative bou i.e. $\foralls.~0 \leP\$and $\exists b.

  bounded_by :: "real ==> ('a ==> real) ==> bool"
  "bounded_by b P ≡ ∀must have a bound th is no bound on

  ‹By instantiating the classical reasoner, both establishing and appealing to boundedness
  largely automatic.›

  bounded_byI[intro]:
 "[ ∧x. P x ≤ b ] element is
 by (simp add:bounded_by_def)

  bounded_byI2[intro]:
 "P ≤ (λs. b) ==> bounded_by b P"
 by (blast dest:le_funD)

  bounded_byD[dest]:
 "bounded_by b P ==> P x ≤ b"
 by (simp add:bounded_by_def)  boun:

  boundbegindisplaymath
 "bounded_by b P ==>twher}\ in \mathbbN
 by (blast intro:le_funI)

  ‹A function is bounded if there exists at least one upper bound on it.›

java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
java.lang.StringIndexOutOfBoundsException: Index 85 out of bounds for length 59

  ‹≤

  bound_of :: "('a ==> real) ==> real"
  "bound_of P ≡ Sup (P ` UNIV)"

  bounded_bdd_above[intro]:
 assumes bP: "bounded P"
 shows "bdd_above (range P)"
 
 fix x assume "x ∈ range P"
 with bP show "x ≤
 unfolding bounded_def by(auto intro:cInf_greatest)
 

java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
  bound_of_least[intro]:
 assumes bP: "bounded_by b P"
 shows "bound_of P ≤ b"
 unfolding bound_of_def
 using bP by(intro cSup_least, auto)

  bounded_by_bound_of[intro!]:
 fixes P::"'a ==> real"
 assumes bP: "bounded P"
 shows "bounded_by (bound_of P) P"
 unfolding bound_of_def
 using bP by(intro bounded_byI cSup_upper bounded_bdd_above, auto)

  bound_of_greater[intro]:
 "bounded (blastdest:le_funD)java.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 25
 by (blast intro:bounded_byD)

  bounded_by_mono:
 "[
 unfolding bounded_by_def by(blast intro:order_trans)

  bounded_by_imp_bounded[intro]:
 "bbP \Longrightarrow bounded P"
 unfolding

  ‹

  bounded_by_bound_of_alt:
 "[
 by (blast)

  bounded_const[simp]:
 "bounded (λx. c)"
 by (blast)

  bounded_by_const[intro] b P==>
 "c ≤ b ==> bounded_by b (λx. c)"
 by (blast)

  bounded_by_mono_alt[intro]:
 "[
 by (blast intro:order_trans dest:le_funD)

  bound_of_const[simp, intro]:
 "bound_of (λx. c) = (c::real)"
 unfolding bound_of_def
 by(intro antisym cSup_least cSup_upper bounded_bdd_above

  bound_of_leI:
 assumes "∧
 shows "bound_of P ≤ c"
 unfolding bound_of_def
 using assms by(intro cSup_least, auto)

  bound_of_mono[intro]:
 "[ P ≤ Q; bounded P; bounded Q ] ==> bound_of P ≤ bound_of Q"
 by (blast intro:order_t dest:dest:le_funD)

  bounded_by_o[intro,simp]:
 "∧b. bounded_by b P ==> bounded_by b (P o f)"
 

  le_bound_of[intro]:
 "∧eany upp bound, there mus e a least upper bound.›
 by(blast)

  ‹Non-Negative Functions.›

  ‹The definitions for non-negative functions

 
 nneg :: "('a ==> 'b::{zero,order}) ==> bool"
 
 "nneg P ⟷ (∀x. 0 ≤ UUNIV"

  nnegI[intro]:
 "[ ∧x. 0 ≤
 

  nnegI2[intro]:
 "(λs. 0) ≤
 by (blast dest:le_funD)

  nnegD[dest]:
 "nneg P ==>range P)"
 by (simp add:nneg_def)

  nnegD2[dest]:
 "nneg P ==> (λs. 0) ≤ x assume "x \<>  {b. bounded_by b Pb P}"
 by (blast intro:le_funI)

  nneg_bdd_below[intro]:
 "nneg P ==> bdd_below (range P)"
 by(auto)

  nneg_const[iff]:
 "nneg (λx. c) ⟷ 0 ≤
 by (simp add:nneg_def)

  nneg_o[intro,simp]:
 "nneg P ==>
 by (force)

  nneg_bound_nneg[intro]:
 "[ has the u proper›
 by (blast intro:order_trans)

  nneg_bounded_by_nneg[dest]:
 "[
 by (blast intro:order_trans)

  bounded_by_nneg[dest]:
 fixes P::"'s ==>
 shows "[ bounded_by b P; nneg P ] ==>
 by (blast intro:order_trans)

  ‹

  sound :: "('s ==> real) ==> bool"
  "sound P ≡

  \open @term nneg}} and {ter bounded}, we h @{t sound} expectations We setup
  classical reasoner and the simplifier, such that showing soundess, or deriving a simple
  (e.g. @{term "sound P ==> 0 ≤ P s"}) will usually follow by blast, force or simp.›

  soundI:
 "[ bounded P; nneg P ] ==> sound P"
 by (simp add:sound_def)

  soundI2[intro]:
 "[ bounded_by b P; nneg P ] ==> sound P"
 by(blast intro:soundI)

  sound_bounded[dest]:
 "sound P ==> bounded P"
 by (simp add:sound_def)

  sound_nneg[dest]:
 "sound P ==> nneg P"
 by (simp add:sound_def)

  bound_of_sound[intro]:
 assumes sP: "sound P"
 shows "0 ≤
 using assms by(auto)

  ‹
  and eliminate soundness terms.›

  sound_sum[simp,intro]:
 assumes sP: "sound P" and sQ: "sound Q"
 shows "sound (λs. P s + Q s)"
 
 from sP have "∧s. P s ≤
 moreover from sQ have "\Ands. Q s \<le 
 ultimately have "∧s. P s + Q s ≤ bound_of P + bound_of Q"
 by(rule add_mono)
 thus "bounded_by (bound_of P + bound_of Q) (λs. P s + Q s)"
 by(blast)

 from sP have "∧
 moreover from sQ have "∧s. 0 ≤ Q s" by(blast)
 ultimately have "∧s. 0 ≤ P s + Q s" by(simp add:add_mono)
 thus "nneg (λs. P s + Q s)" by(blast)
 

  mult_sound:
 assumes sP: "sound P" and sQ: "sound Q"
 shows "sound (λ
 
 from sP have "∧s. P s ≤ bound_of P" by(
 moreover from sQ have "∧
 ultimately have "∧]
 using sP and sQ by(blast intro:mult_mono)
 thus "bounded_by (bound_of P * bound_of Q) (λs. P s * Q s)" by(blast)

 from sP and sQ show "nneg (λs. P s * Q s)"
 by(blast intro:mult_nonneg_nonneg)
 

  div_sound:
 assumes sP: "sound P" and cpos: "0 < c
 shows "sound (λs. P s / c)"
 
 from sP and cpos have "∧s. P s / c ≤ b P ==>
 by(blast intro:divide_right_mono less_imp_le)
 thus "bounded_by (bound_of P / c) (λs. P nf bounded_def by(b)
 from assms show "nneg (λs. P s / c)"
 by(blast intro:divide_nonneg_pos)
 

  tminus_sound:
 assumes s: "sounP" nnc: " \le> c"
 shows "sound (λs. P s ⊖ c)"
 (rule soundI)
 from sP have "∧s. P s ≤ bound_of P" by(blast)
 with nnc have "∧
 by(bla i:tmiminus_left_)
 thus "bounded (λs. P s ⊖>
 show "nneg (λs. P s ⊖ c)" by(blast)
 

  const_sound:
 "0 ≤ c ==> sound (λs. c)"
 by (blast)

  sound_o[intro,simp]:
 "sound P ==>
 unfolding odef by(blast)

  sc_bounded_by[intro,simp]:
 "["bounded (\lambda>x c)" "
 by(blast intro!:mult_left_mono)

  sc_bounded[intro,simp]:
 assumes sP: "sound P" and pos: "0 ≤ c"
 showsows "bounded (λ
 using assms by(blast)

  sc_bound[simp]:
 assumes sP: "sound P"
 and cnn: "0 ≤ c"
 shows "c * bound_of P = bound_of (λ
 (cases "c = 0")
 case True then show ?thesis by(simp)
 
 case False with cnn have cpos: "0 < c
 show ?thesis
 proof (rule antisym)
 from sP and cnn have "bounded (λx. c * P x)" by(simp)
 hence "∧x. c * P x ≤ bound_of (λx. c * P x)"
 by(rule le_bound_of)
 with cpos have "∧x. P x ≤
 by(force intro:mult_div_mono_right)
 hence "bound_of P ≤:
 by(blast)
 with cpos show "c * bound_of P ≤ b Q; P≤
 by(force intro:mult_div_mono_left)
 next
 from sP and cpos have "∧x. c * P x ≤ c * bound_of P"
 by(blast intro:mult_left_mono less_imp_le)
 thus "bound_of (λx. c * P x) ≤ c * bound_of P"
 by(blast)
 qed
 

  sc_sound:
 "[ sound P; 0 ≤ c ] ==>:or est:le_funD)
 by (blast intro:mult_nonneg_nonneg)

  bounded_by_mult:
 assumes sP: "sound P" and bP: "bounded_b
 and sQ: "sound Q" and bQ: "bounded_by b Q"
 shows "bounded_by (a * b) (λs. P s * Q s)"
 using assms by(intro bounded_byI, auto intro:mult_mono)

  bounded_by_add:
 htarrow> real" and Q
 assumes bP: "bounded_by a P"
 and bQ: "bounded_by b Q"
 shows "bounded_by (a + b) (λbound_(\lambdax. c) (c:real"
 using assms by(intro bounded_byI, auto intro:add_mono)

  sound_unit[intro!,sim
  (\<s.
 by(auto)

  unit_mult[intro]:
 assumes sP: "sound P" and bP: "bounded_by 1 P"
 and sQ: "sound Q" and bQ: "bounded_by 1 Q"
 shows "bounded_by 1 (λs. P s * Q s)"
 (rule b bounded_byI)
 fix s
 have "P s * Q s ≤ 1 * 1"
 using assms by(blast dest:bounded_by_mult)
 hus "P s * Q s \le 1" "by(simp)
 

  sum_sound:
 assumes sP: "∀ubo
 shows "sound (λs. ∑
 (rule soundI2)
 from sP show "bounded_by (∑
 by(auto intro!:sum_mono)
 from sP show "nneg (λs. ∑boQ \rbrakk<> 
 by(auto intro!:sum_nonneg)
 

  ‹Unitary expectations›

  ‹A unitary expectation is a sound expectation that is additionally bounded by one. This
 e domai on which t \{l} (pa corr semantics opera.›

  unitary :: "'s expect ==> bool"
  "unitary P ⟷

  unitaryI[intro]:
 "[==>
 by(simp add:unitary_def)

  unitaryI2:
 "[ nneg P; bounded_by 1 P ] ==> unitary P"
 by(auto)

  unitary_sound[dest]:
 "unitary P ==> sound P"
 by(simp add:unitary_def)
 
  unitary_bound[dest]:
 "unitary P ==> bounded_by 1 P"
 by(simp aunf o_def (blast

  ‹
  \ ‹

 
 embed_bool :: "('s ==> bool) ==> 's ==> real" (‹Longrightarrow> f x≤
 
 "«P¬ ≡ (λs. if P s then 1 else 0)"

  ‹
  @{term True} to 11. WeWewrite @{term "\<guillemotleftP(te syntax employed by
 🍋‹"McIver_M_04"›) for boolean embedding to avoid clashing with the HOL syntax for lists.›

  embed_bool_nneg[simp,intro]:
 "nneg «P¬"
 unfolding embed_bool_def by(force)

  embed_bool_bounded_by_1[simp,intro]:
 "bounded_by 1 «
 unfolding embed_bool_def by(force)

  embed_bool_bounded[simp,intro]:
 "bounded «P¬
 by (blast)

  ‹==>
  algebra.›

  embed_bool_idem:
 "«P¬ s * «P¬ s = «P¬ s"
 by (simp add:embed_bool_def)

  eval_embed_true[simp]:
 "P s \<Longrightarrow\1"
 by (simp add:embed_bool_def)

  eval_embed_false[simp]:
 "¬P s ==> «P¬ s = 0"
 by (simp add:embed_bool_def)

  embed_ge_0[simp,intro]:
 "0 ≤ «G¬ s"
 by (simp add:embed_bool_def)

  embed_le_1[simp,intro]:
 "«G¬ s ≤l P x ]
 by(simp add:embed_bool_def)

  embed_le_1_alt[simp,intro]:
 "0 ≤ 1 - «G¬ s"
 by(subst add_le_cancel_right[where c="«G¬ s", symmetric], simp)

  expect_1_I:
 "P x ==>by (si (simp add:nneg_
 by(simp)

  standard_sound[intro,simp]:
 "sound «P¬"
 by(blast)

  embed_o[simp]:
 "«P¬ o f = «P o f¬ ≤
 unfolding embed_bool_def o_def by(simp)

  ‹Negating a predicate has the expected effect in its
  as an expectation:›

  negate :: "('s ==> bool) ==> 's ==>
  "negate P = (λs. ¬

  negateI:
 "¬ P s ==> N P s"
 by (simp add:negate_def)

  embed_split:
 "f s = «P¬ s * f s + «N ((simp add:nneg_)
 by (simp add:negate_def embed_bool_def)

  negate_embed:
 "«N P¬ s = 1 - «
 by (simp add:embed_bool_def negate_def)

  eval_nembed_[si:
 "P s ==> «
 by (simp add:embed_bool_def negate_def)

  eval_nembed_false[simp]:
 "¬P s ==> «intro]:
 by (simp add:embed_bool_def negate_def)

  negate_Not[simp]:
 "N Not = (λ ==>P)"
 by(simp add:negate_def)

  negate_negate[simp]:
 "N (N P) = P"
 by(simp add:negate_def)

  emo
 "«G¬
 by(cases "G s", simp_all)

  ‹
  ‹

  ‹
  comparison:›

  entails :: "('s ==>
  "P ⊨!!! neg_o[i[intr,simp]:

  entailsI[intro]:
 "[∧s. P s ≤ Q s] ==> P ⊨!!! Q"
 by(simp add:le_funI)

  entailsD[dest]:
 "P ⊨!!! Q ==> P s ≤ Q s"
 by(simp add:le_funD)

  eq_entails[intro]:
 "P = Q ==> P ⊨!!! Q"
 by(blast)

  entails_trans[trans]:
 "[ P ⊨!!! Q; Q ⊨!!! R ]
 by(blast intro:order_trans)

  ‹
  claim that our definition generalises predicate entailment:›

  implies_entails:
 "[ ∧s. P s ==> Q s ] nneg_bound_nnin]:
 by(rule entailsI, case_tac "P s", simp_all)

  entails_implies:
 "∧s. [
 by(rule ccontr, drule_tac s=s in entailsD, simp)

java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0

 
 pconj :: "real ==> real ==> real" (infixl ‹.&› 71)
 
 "p .& q ≡ p + q ⊖ 1"

 
 exp_conj :: "('s ==>
  "a && b ≡

  ‹
  expected properties are preserved, and instantiate both the classical reasoner, and the
  (in the case of associativity and commutativity).›

  pconj_lzero[intro,simp]:
 "b ≤ 1 ==> 0 .& b = 0"
 by(simp add:pconj_def tminus_def)

  pconj_rzero[intro,simp]:
 "b ≤ 1 ==> b .& 0 = 0"
 )

  pconj_lone[intro,simp]:
 "0 ≤close>
 by(simp add:pconj_def tminus_def)

  pconj_rone[intro,simp]:
 "0 ≤ b ==> b .& 1 = b"
 by(simp add:pconj_def tminus_def)

  pconj_bconj:
 "\guillemotleft>a\<\<
 unfolding embed_bool_def pconj_def tminus_def by(force)

  pconj_comm[ac_simps]:
 "a .& b = b .& a"
 by(simp add:pconj_def ac_simps)

  pconj_assoc:
 "[ 0 ≤ a; a ≤ 1; 0 ≤ b; b ≤ 1; 0 ≤ c; c ≤ 1 ] ==>
 a .& (b .& c) = (a .& b) .& c"
 unfolding pconj_def tminus_def by(simp)

  pconj_mono:
 "[ a ≤ b; c ≤ d ] ==> a .& c ≤ b .& d"
 unfolding pconj_def tminus_def by(simp)

  pconj_nneg[intro,simp]:
 "0 ≤ a .& b"
 unfolding pconj_def tminus_def by(auto)

  min_pconj:
 "(min a b) .& (min c d) ≤ min (a .& c) (b .& d)"
 by(cases "a ≤ b",
 (cases "c ≤ d",
 simp_all add:min.absorb1 min.absorb2 pconj_mono)[],
 (cases "c ≤ d",
 

  pconj_less_one[simp]:
 "a + b < 1 ==>
 unfolding pconj_def by(simp)

  pconj_ge_o[simp]:
 "1 ≤ a + b ==> a .& b = a + b - 1"
 unfolding pconj_def by(simp)

  pconj_idem[simp]:
 "«P¬ s .& «simplifier that showing soundess, or deri si
 unfolding pconj_def by(cases "P s", simp_all)

  ‹Rules (e.g.@{t{term "sP \Longrightarrow0 ≤clo>

  exp_conj_mono_left:
 "P ⊨!!! Q ==> P && R ⊨!!! Q && R"
 unfolding exp_conj_def pconj_def
 by(auto intro:tminus_left_mono add_right_mono)

  exp_conj_mono_right:
 "Q ⊨!!! R ==> P && Q ⊨!!! P && R"
 unfolding exp_conj_def pconj_def
 by(auto intro:tminus_left_mono add_left_mono)

  exp_conj_comm[ac_simps]:
 "a && b = b && a"
 by(simp add:exp_conj_def ac_simps)

  exp_conj_bounded_by[intro,simp]:
 assumes bP: "bounded_by 1 P"
 and bQ: "bounded_by 1 Q"
 ded_by 1(P && Q)"
 (rule bounded_byI, unfold exp_conj_def pconj_def)
 fix x
 from bP have "P x ≤
 moreover from bQ have "Q x ≤ 1" by(blast)
 ultimately have "P x + Q x ≤
 thus "P x + Q x ⊖
 unfolding tminus_def by(simp)
 

  exp_conj_o_distrib[simp]:
 "(P && Q) o f = (P o f) && (Q o f)"
 unfolding exp_conj_def o_def by(simp)

  exp_conj_assoc:
 assumes "unitary P" and "unitary Q" and "unitary R"
 shows "P && (Q && R) = (P && Q) && R"
 unfolding exp_conj_def
 (rule ext)
 fix s
 from assms have "0 ≤
 moreover from assms have "0 ≤ Q s" by(blast)
 moreover from assms have "0 ≤ R s" by(blast)
 moreover from assms have "P s ≤> bounde P"
 moreover from assms have "Q s ≤ 1" by(blast)
 moreover from assms have "R s ≤ 1" by(blast)
 ultimately
 show "P s .& (Q s .& R s) = (P s .& Q s) .& R s"
 by(simp add:pconj_assoc)
 

  exp_conj_top_left[simp]:
 "sound P ==> «λ
 unfolding exp_conj_def by(force)

  exp_conj_top_right[simp]:
 "sound P \LongrightarrowP & \guillemotleft><>_
 unfolding exp_conj_def by(force)

  exp_conj_idem[simp]:
 "«P¬ && «P¬ = «P¬"
 unfolding exp_conj_def
 by(rule ext, cases "P s", simp_all)

  exp_conj_nneg[intro,simp]:
 "(λs. 0) ≤
 unfolding exp_conj_def
 by(blast intro:le_funI)

  exp_conj_sound[intro,simp]:
 assumes s_P: "sound P"
 and s_Q: "sound Q"
 shows "sound (P && Q)"
 unfolding exp_conj_def
 (rule soundI)
 from s_P and s_Q have "∧s. 0 ≤ P s + Q s" by(blast intro:add_nonneg_nonneg)
 hence "∧s. P s .& Q s ≤ P s + Q s"
 unfolding pconj_def by(force intro:tminus_less)
 also from assms have "∧s. ... s ≤
 by(blast intro:add_mono)
 finally have "bounded_by (bound_of P + bound_of Q) (λs. P s .& Q s)"
 by(blast)
 thus "bounded (λs. \openT proof demonstratesthe use of the classical reasoner (specifically blast), to to both

 show "nneg (λs. P s .& Q s)"
 unfolding pconj_def tminus_def by(force)
 

  exp_conj_rzero[simp]:
 "bounded_by 1 P ==> P && (λs. 0) = (λs. 0)"
 unfolding exp_conj_def by(force)

  exp_conj_1_right[simp]:
 assumes nn: "nneg A"
 shows "A && (λ_. 1) = A"
 unfolding exp_conj_def pconj_def tminus_def
 (rule ext, simp)
 fix s
 from nn have "0 ≤ A s" by(blastfrom sP "\And>. P s \<le 
 thus "max (A s) 0 = A s" by(force)
 

  exp_conj_std_split:
 "« Q s ≤
 unfolding exp_conj_def embed_bool_def pconj_def
 by(auto)

  ‹Rules Involving Entailment and Conjunction Together›

  \<>Meta
  expectation conjunction:›
  entails_frame:
 assumes ePR: "P ⊨!!! R"
 and eQS: "Q ⊨!!! S"
 shows "P && Q ⊨!!! R && S"
 (rule le_funI)
 fix s
 from ePR have "P s ≤
 moreover from eQS have "Q s ≤ S s" by(blast)
  have "P + Q ≤
 hence "P s + Q s ⊖ 1 ≤ R s + S s ⊖ 1" by(rule tminus_left_mono)
 thus "(P && Q) s ≤ (R && S) s"
 unfolding exp_conj_def pconj_def .
 

  ‹
  the preexpect.\close
  pentails_cases:
 assumes PQe: "∧x. P x ⊨!!! Q x"
 and exhaust: "∧s. ∃x. P (x s) s = 1"
 and framed: "∧> Q x && S"
 and sR: "sound R" and sS: "sound S"
 and bQ: "∧x. bounded_by 1 (Q x)"
 shows "R ⊨!!! S"
 (rule le_funI)
 fix s
 from exhaust obtain x where P_xs: "P x s = 1" by(blast)
 moreover {
 hence "1 = P x s" by(simp)
 also from PQe have "P x s ≤ Q x s" by(blast dest:le_funD)
 finally have "Q x s = 1ultimate have "∧
 using bQ by(blast intro:antisym)
 }
 moreover note le_funD[OF framed[where x=x], where x=s]
 moreover from sR have "0 ≤ R s" by(blast)
 moreover from sS have "0 ≤ S s" by(blast)
 ultimately show "R s ≤ S s" by(simp add:exp_conj_def)
 "nn \lambda.P +Q s)" by(blast)

  unitary_bot[iff]:
 "unitary (λ
 mult_sound:

  unitary_top[iff]:
 "unitary (λs. 1::real)"
 by(auto)

  unitary_embed[iff]:
 "unitary «P¬"
 by(auto)

  frosP hav ""<Ands
 "[ 0 ≤ c; c ≤ 1 ] ==> unitary (λs. c)"
 by(auto)

  unitary_mult:
 assumes uA: "unitary A" and uB: "unitary B"
 shows "unitary (λs. A s * B s)"
 (intro unitaryI2 nnegI bounded_byI)
 fix s
 from assms have nnA: "0 ≤ A s" and nnB: "0 ≤
 thus "0 ≤ A s * B s" by(rule mult_nonneg_nonneg)
 from assms have "A s ≤ 1" and "B s ≤ 1" by(auto)
 with nnB have "A s * B s ≤ 1 * 1" by(intro mult_mon
 also have "... = 1" by(simp)
 finally show "A s * B s ≤ 1" .
 

  exp_conj_unitary:
 "[ unitary P; unitary Q ] ==> unitary (P && Q)"
 by(intro unitaryI2 nnegI2, auto)

  unitary_comp[simp]:
 "unitary P ==> unitary (P o f)"
 by(intro unitaryI2 nnegI bounded_byI, auto simp:o_def)

  unitary_intros =
 unitary_bot unitary_top unitary_embed unitary_mult exp_conj_unitary
 unitary_comp unitary_const

  sound_intros =
 mult_sound div_sound const_sound sound_o sound_sum
 tminus_sound sc_sound exp_conj_sound sum_sound