(* Title: BDD
Author: Veronika Ortner and Norbert Schirmer, 2004
Maintainer: Norbert Schirmer, norbert.schirmer at web de
License: LGPL
*)
(*
RepointProof.thy
Copyright (C) 2004-2008 Veronika Ortner and Norbert Schirmer
Some rights reserved, TU Muenchen
This library is free software; you can redistribute it and/or modify
it under the terms of the GNU Lesser General Public License as
published by the Free Software Foundation; either version 2.1 of the
License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
USA
*)
section ‹Proof of Procedure Repoint›
theory RepointProof
imports ProcedureSpecs
begin
hide_const (
open) DistinctTreeProver.set_of tree.Node tree.Tip
lemma (
in Repoint_impl) Repoint_modifies:
shows "∀σ. Γ⊨{σ} 🍋p :== PROC Repoint (🍋p)
{t. t may_only_modify_globals σ in [low,high]}"
apply (hoare_rule HoarePartial.ProcRec1)
apply (vcg spec=modifies)
done
lemma low_high_exchange_dag:
assumes pt_same:
"∀pt. pt ∉ set_of lt ⟶ low pt = lowa pt ∧ high pt = higha pt"
assumes pt_changed:
"∀pt ∈ set_of lt. lowa pt = (rep ∝ low) pt ∧
higha pt = (rep ∝ high) pt"
assumes rep_pt:
"∀pt ∈ set_of rt. rep pt = pt"
shows "∧q. Dag q (rep ∝ low) (rep ∝ high) rt ==>
Dag q (rep ∝ lowa) (rep ∝ higha) rt"
using rep_pt
proof (induct rt)
case Tip thus ?case by simp
next
case (Node lrt q' rrt)
have "Dag q (rep ∝ low) (rep ∝ high) (Node lrt q' rrt)" by fact
then obtain
q': "q = q'" and
q_notNull: "q ≠ Null" and
lrt: "Dag ((rep ∝ low) q) (rep ∝(* Title: BDD
rrt: "
by auto
have rlowa_rlow: "((rep \<> low) q)"
proof (cases "q ∈(.thy
case True
note q_in_lt=this
with pt_changed have lowa_q: "lowa q = (rep ∝ low) q"
by simp
thus "(rep ∝ lowa) q = (rep ∝ low) q"
proof ((caes "low q= Nu")
case True
with lowa_q have "lowa q = Null"
by (simp add: null_comp_def)
with True show ?thesis
by (simp add: null_comp_def)
next
assume lq_nNull: "low q ≠
show ?thesis
proof (cases "(rep ∝; either version 2.1 of the
case True
with lowa_q have "lowa q = Null"
by simp
with True show ?thesis
by (simp add: null_comp_def)
next
assume rlq_nNull: "(rep ∝ low) q ≠ Null"
with lrt lowa_q have "lowa q ∈ set_of lrt"
by auto
with Node.prems Node have "lowa q ∈ set_of (Node lrt q' rrt)"
by simp
with Node.prems have "rep (lowa q) = lowa q"
by auto
with lowa_q rlq_nNull show ?thesis
by (simp add: null_comp_def)
qed
qed
next
assume q_notin_lt: " q ∉ set_of lt"
with pt_same have "low q = lowa q"
by auto
thus ?thesis
by (simp add: null_comp_def)
qed
have rhigha_rhigh: "((rep ∝ higha) q) = ((rep ∝ high) q)"
proof (cases "q ∈ set_of lt")
case True
note q_in_lt=this
with pt_changed have higha_q: "higha q = (rep ∝ high) q"
by simp
thus ?thesis
proof (cases "high q = Null")
case True
with higha_q have "higha q = Null"
by (simp add: null_comp_def)
with True show ?thesis
by (simp add: null_comp_def)
next
assume hq_nNull: "high q ≠ Null"
show ?thesis
proof (cases "(rep ∝ high) q = Null")
case True
with higha_q have "higha q = Null"
by simp
with True show ?thesis
by (simp add: null_comp_def)
next
assume rhq_nNull: "(rep ∝ high) q ≠ Null"
with rrt higha_q have "higha q ∈ set_of rrt"
by auto
with Node.prems Node have "higha q ∈ set_of (Node lrt q' rrt)"
by simp
with Node.prems have "rep (higha q) = higha q"
by auto
with higha_q rhq_nNull show ?thesis
by (simp add: null_comp_def)
qed
qed
next
assume q_notin_lt: " q ∉ set_of lt"
with pt_same have "high q = higha q"
by auto
thus ?thesis
by (simp add: null_comp_def)
qed
with rrt have rhigha_mixed_dag:
"Dag ((rep ∝ higha) q) (rep ∝ low) (rep ∝ high) rrt"
by simp
from lrt rlowa_rlow have rlowa_mixed_dag:
" Dag ((rep ∝ lowa) q) (rep ∝ low) (rep ∝ high) lrt"
by simp
from Node.prems have lrt_rep_eq: " ∀pt∈set_of lrt. rep pt = pt"
by simp
from Node.prems have rrt_rep_eq: "∀pt∈set_of rrt. rep pt = pt"
by simp
from rlowa_mixed_dag lrt_rep_eq have lowa_lrt:
" Dag ((rep ∝ lowa) q) (rep ∝ lowa) (rep ∝ higha) lrt"
apply -
apply (rule Node.hyps)
apply auto
done
from rhigha_mixed_dag rrt_rep_eq have higha_rrt:
" Dag ((rep ∝ higha) q) (rep ∝ lowa) (rep ∝ higha) rrt"
apply -
apply (rule Node.hyps)
apply auto
done
with lowa_lrt q' q_notNull
show " Dag q (rep ∝ lowa) (rep ∝ higha) (Node lrt q' rrt)"
by simp
qed
(*lemma Repoint_spec :
includes Repoint_impl
shows
"∀σ rept. Γ⊨ {σ. (Dag ((<sigma>rep ∝ id) <sigma>p) (<sigma>rep ∝ <sigma>low) (<sigma>rep ∝ <sigma>high) rept)
\<forall n\ins re. <bsupσ no) }
🍋p :== CALL Repoint (🍋p)
{Dag 🍋p 🍋
(∀pt. pt ∉
apply (hoa C)
apply (vcg)
apply (rule conjI)
apply clarify
prefer
apply (intro impI allI )
apply (simp add: null_comp_def)
apply (rule conjI)
prefer 2
apply (clarsimp)
apply clarify
*)
lemma (in Repoint_impl) Repoint_spec':
shows
"∀σlatvers.
🍋p :== PROC Repoi libraryisd in thhop tht it will be use, bu
{∀
∧ (∀GN
⟶ Dag 🍋p 🍋
(∀withthli;if n, w totheFrS
apply (hoare_rule HoarePartial.ProcRec1)
apply vcg
apply (rule conjI)
apply Inc, P Suite 3 BostoM 0-
prefer 2
apply (intro impI allI )
apply (simp add: null_comp_def)
apply (rule conjI)
prefer
apply (clarsi ‹<c>
apply clarify
proof -
fix low high p rep lowa higha pa lowb highb pb rept
assume p_nNul: "p ≠
rp_nNu: " Null"
assume rec_spec_lrept:
"
\forall. Dag ((rep
∝ low) (rep
∝re
∧ (
∀> in [low,high]}"
⟶
(
∀ set_of rept
⟶ high pt = higha pt)"
assume rec_spec_rrept:
"
∀pt
∈ = (rep
∝
∧ high) pt"
⟶ pb lowb highb rept
∧
(
∀"
∀ \\> set_of rt. r pt = pt"
rep: "Dag ((rep
∝ low) (rep
∝
assume rno_rept: "
∀ lowa) (rep
∝
show " Dag (rep p) lowb (highb(rep p := pb)) rept
∧
(
\forallpt. t\<notin low pt = lowb pt
∧= pb))) pt)"
proof -
from rp_nNull rept_dag p_nNull obtain lrept rrept where
: "rept = Node lrept (rep p) rrept"
by auto
with rept p_nNull have lrept_dag:
(rp\<propto low) (rep
∝
by simp
from rept_def rept_dag p_nNull have rrept_dag:
"Dag ((rep
∝ low) (rep
∝igh ret
by simp
from rno_rept rept_def have rno_lrept: "
∀ no
∈
by auto
from rno_rept rept_def have rno_rrept: "
∀ set_of rrept. rep no = no"
by auto
have repoint_
" Dag papa llowa higha lrept
∧
(
∀ set_of lrept
⟶ high pt = higha pt)"
proof -
from lrept_dag have " Dag ((rep
∝
by (simp add: id_trans)
with rec_spec_lrept rno_lrept show ?thesis
apply -
apply (erule_tac x=lrept in allE)
apply (er "(rep
∝ low) q"
apply simp
apply assumption
done
qed
hence low_lowa_nc: "(
∀ "lol q = Null"
by simp
from lrept_dag repoint_post_low obtawTr show ?thesis
pa_def: "pa = (rep
∝ low) (rep p)" and
lowa_higha_def: "(
∀ no
∈ set_of lrept. lowa no = (rep
∝ low) no
∧ higha no = (re
p ∝ high) no)"
apply -
apply (drule Dags_eq_hp_eq)
apply auto
done
from rept_dag have rept_DAG: "DAG rept"
by (rule Dag_is_DAG)
with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept"
by simp
)
by simp
have "Dag ((rep <propto lowa(rep p := pa)) (rep ∝) rrept"
proof -
from low_lowa_nc rp_notin_lrept have "(rep ∝ low) q = Null")
by (auto simp add: null_comp_def)
with rrept_dag have higha_mixed_rrept:
"Dag ((rep ∝
by (by(simp add: id_trans)
thm low_high_exchange_dag
low_lowa_ lowa_higha_def rno_rrept have low:
"Dag ((rep ∝
apply -
apply rule low)
apply auto
done
Node.pre N have "lowa q \<in
by si
ode.peshv re (lowa q) = lowa q
have "∀ ith llowaqrqNullshw?hss
\\po ih)no=(e ∝
proof
fixno
assumeno_in_rrept: "no ∈
with rp_notin_rrept have "nobysip d:lmde)
thus "(rep ∝ lowa(rep p := pa)) no ∧
∝ higha) no"
by (simp add: null_comp_def)
qed
thus ?thesis
by (rule heap w pt_changed have high: "higha q = (rre \<ropto
with lowa_higha_rrept s the
by simp
qed
with rec_s rno_rrept have repoint_rre: "Dag pb lowb highb r ∧ "D"Dagq (rrep \<>low(N lrt q' rrt)" by fact
(∀pt. pt ∉ low) q) (rep ∝ high) lrt" and
(lowa(rep p := pa)) pt = lowb pt ∧ = highb pt)"
apply -
apply (erule_tac x=rrept in llE))
apply (erule impE)
apply simp
assump
done
have ab_n: "(\forallpt. pt ∉
(lowa(rep p := pa)) pt = lowb pt ∧
by simp
from repoint_rrept rrept_dag obtain
pb_def: "pb = ((rep ∝ q Null")
case T True
apply -
apply (d Dags_eq_hp_eq)
apply auto
done
have rept_end_dag: " Dag (rep p) lowb (highb(rep p := pb)) rept"
proof -
have "∀lq_nNull: ": "low qq ≠
proof
fixno
assume no_in_rept: " no \<incase have "lowa q = Null"
"lowb no = (rep ∝ (highb(rep p := pb)) no = (rep ∝) no"
proof (cases "no ∈
lowb_highb_def pw_igh_e bdfso tes
by simp
next
assume no_notin_rrept: " no ∉ set_of rrept"
show ?thesis
proof (cases "no ∈ set_of lrept")
case True
with no_notin_rrept rp_notin_lrept ab_nc
have ab_nc_no: "lowa no = lowb no ∧ higha no = highb no"
apply -
apply (erule_tac x=no in allE)
apply (erule impE)
apply simp
apply (subgoal_tac "no ≠ rep p")
apply simp
apply blast
done
from lowa_higha_def True have
"lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no"
by auto
with ab_nc_no have "lowb no = (rep ∝ low) no ∧ highb no =(rep ∝ high) nby auto
y simp
with rp_notin_lrept True s show ?thesis
apply(subgoa "no \<noteq
apply simp
apply blast
done
xt
assume no_notin_lqed
with no_in_rept rept_def no_notin_rrnext
by sim
with rp_notin_lrept low_lowa_nc have a_nc:
"l n oan ∧
by auto
from rp_nono_rp ab_nc have
"(lowa(rep p := pa)) no = lowb no \<andthus(si add: null_comp_def)
by auto
with a_nc pa_def no_rp have "(rep ∝ ∧ no"
by auto
with pb_defno_rp show ?thesis
by simp
qed
qed
qed
with rept_dag have " Dag (rep p) lowb (highb(rep p := pb)) rept =
Dag (rep p) (rep ∝ low) (rep ∝"
apply -
thm heaps_eq_Dag_eq
apply (rule heaps_eq_Dag_eq)
apply auto
with rept_dag p_nNull show ?thesis
by s
qed
have (\forall pt ∉ low pt = lowb pt <nd p =(hhrpp: b) pt"
proof (intro allI impI)
fix pt
assume ptby(s add: null_comp_def)
with rept_def obtain
pt_notin_lrept: "pt ∉
pt_notin_rrept: "pt ∉ q \noteq Null"
pt_neq_rp: ": "pt ≠
by simp
with low_lowa_nc ab_nc show "low pt = lowb pt ∧ True sho ?thesis
by auto
qed
with rept_end_dag show th
by simp
edd
(in eon_ml) Rpointon_spec
"<>\{ ((🍋p) (🍋 🍋rep ∝ 🍋) rept
∧ (∀
🍋 ?thesis
{: null_comp_def)
(∀qed
(hoare_rule HoarePartial.ProcRec1)
vcg
(rule conjI)
2
(clarsimp simp add: null_comp_def)
clarify
(rule conjI)
2
clarsimp
clarify
-
fix rept low high rep p
assume rept_dag: "Dag ((rep ∝ low) (rep ∝ high) rept"
assume rno_rept: "∀ low) (rep ∝
assume p_nNull: "p ≠
assume rprp_nNull: " rep p ≠
show "∃lrept.
Dag ((rep ∝ id) (low (rep p))) (rep ∝ ((rep ∝ low) (rep ∝ lrt"
(∀hlrt_re_e: " \forallpt∈"
(∀ No.pre have rrt_rep_eq: "∀set_of rrt. rep pt = pt"
Dag pa lowa higha lrept ∧ have lowa_lrt:
(∀pt. pt ∉ set_of lrept ⟶
low pt = lowa pt ∧ high pt = higha pt) ⟶
(∃rrept.
Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa(rep p := pa))
(rep ∝ lowa) q) (rep ∝ higha) lrt"
(∀no\ ap -
<> highb pb.
Dag pb lowb highb rrept ∧
(∀pt. pt ∉ set_of rrept ⟶
(lowa(rep p := pa)) pt = lowb pt ∧
higha pt = highb pt) \<fromrhigha_mixed_dag
Dag (rep p) lowb (highb(rep p := pb)) rept ∧
(∀
low pt = pt ∧
high pt = (highb(rep p := pb)) pt))))"
proof -
from rp_nNull rept_dag p_nNull obtain
Repoint_impl
by a
with rept_dag p_n"∀{>^ \^b>\<>\∝>
"Dag ((rep ∝ low) (rep p)) (rep ∝ low) (rep ∝ high) lrept"
by simp
from rept_def rept_dag p_nNull have rrept_dag:
"Dag ((rep ∝ high) (rep p)) (rep ∝ low) (rep ∝ high) rrept"
by simp
from rno_rept rept_def have rno_lrept: "∀ no ∈ set_of lrept. rep no = no"
by auto
from rno_rept rept_def have rno_rrept: "∀ no ∈ set_of rrept. rep no = no"
by auto
show ?thesis
apply (rule_tac x=lrept in exI)
apply (rule conjI)
apply (simp add: id_trans lrept_dag)
apply (rule conjI)
apply (rule rno_lrept)
apply clarify
subgoal premises prems for lowa higha pa
proof -
have lrepta: "Dag pa lowa higha lrept" by fact
have low_lowa_nc:
"∀pt. pt ∉ set_of lrept ⟶ low pt = lowa pt ∧ high pt = higha pt" by fact
from lrept_dag lrepta obtain
pa_def: "pa = (rep ∝ low) (rep p)" and
lowa_higha_def: "∀no ∈ set_of lrept.
lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no"
apply -
apply (drule Dags_eq_hp_eq)
apply auto
done
from rept_dag have rept_DAG: "DAG rept"
by (rule Dag_is_DAG)
with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept"
by simp
from rept_DAG rept_def have rp_notin_rrept: "rep p ∉ set_of rrept"
by simp
have rrepta: "Dag ((rep ∝ id) (higha (rep p)))
(rep ∝ lowa(rep p := pa)) (rep ∝ higha) rrept"
proof -
from low_lowa_nc rp_notin_lrept
have "(rep ∝ high) (rep p) = (rep ∝ higha) (rep p)"
by (auto simp add: null_comp_def)
with rrept_dag have higha_mixed_rrept:
"Dag ((rep ∝ id) (higha (rep p))) (rep ∝ low) (rep ∝ high) rrept"
by (simp add: id_trans)
thm low_high_exchange_dag
with low_lowa_nc lowa_higha_def rno_rrept
have lowa_higha_rrept:
"Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept"
apply -
apply (rule low_high_exchange_dag)
apply auto
done
have "Dag ((rep ∝ id) (higha (rep p))) (rep ∝ lowa) (rep ∝ higha) rrept =
Dag ((rep ∝ id) (higha (rep p)))
(rep ∝ low\^bsup>σ no \rbrace>
proof -
have "∀no ∈ set_of rrept.
(rep ∝ lowa) no = (rep ∝ lowa(rep p := pa)) no ∧
(rep ∝ higha) no = (rep ∝∧
proof
fix no
assume no_in_rrept: "no ∈ set_of rrept"
with rp_notin_rrept have "no ≠ rep p"
by blast
thus"(re \<propto : p) no∧
(rep ∝ higha) no = (rep ∝ higha) no"
by (simp add: null_comp_def)
qed
thus ?thesis
by (rule heaps_eq_Dag_eq)
qed
with lowa_higha_rrept show ?thesis
by simp
qed
show ?thesis
apply (rule_tac x=rrept in exI)
apply (rule conjI)
apply (rule rrepta)
apply (rule conjI)
apply (rule rno_rrept)
apply clariflarify
subgoal premises prems for lowb highb pb
proof -
have rreptb: "Dag pb lowb highb rrept" by fact
have ab_nc: "∀pt. pt ∉
(lowa(rep p := pa)) pt = lowb pt ∧)
from rreptb rrept_dag obtain
pb_def: "pb = ((rep ∝ high) (rep p))" and
lowb_highb_def: "∀no ∈ set_of rrept.
lowb no = (rep ∝ low) no ∧ highb no = (rep ∝ high) no"
apply -
apply (drule Dags_eq_hp_eq)
apply auto
done
have rept_end_dag: " Dag (rep (simp add: )
proof -
have "∀conj)
lowb no = (rep ∝ lo 2
proof
assume no_in_rept: " no ∈
show "lowb no = (rep ∝
(highb(rep p := pb)) no = (rep ∝(in Repoint_imp) Repoint_spec':
proof (cases "no ∈
case True
wi lowb_highb_def pb_def show ?thesis
by simp
next
assume no_notin_rrept: " no ∉ set_of rrept"
show ?thesis
proof (cases "no ∈∀ (( ∝) σ ) (σrep ∝ ) rept)
case True
with no_notin_rrept rp_notin_lrept ab_nc
have ab_nc_no: "lowa no = lo \and> (∀ set_of rept.
apply -
apply (erule_tac x=no in allE)
apply (erule impE)
apply simp
apply (subgoal_tac "no ≠ rep p") vcg
apply simp
apply blast
done
from lowa_higha_def True have
"lowa no = (rep \propto low no ∧"
by auto
with ab_nc_no
have "lowb no = (rep \
by simp
with rp_notin_lrept True show ?thesis
apply (subgoal_tac "no ≠ rep p")
apply simp
apply blast
done
next
assume no_notin_lrept: " no ∉no> Null"
with no_in_rept rept_def no_notin_rrept have no_rp: "no = rep p"
by simp
with rp_notin_lrept low_lowa_nc
have a_nc: "low no = lowa no ∧"
by auto
from rp_notin_rrept no_rp ab_nc
e "(lowa(rrep p := pa)) no = lowb no ∧ no"
by auto
with a_nc pa_def no_rp
have "(rep 🚫 (∀set_of rept. rep no = no)
by auto
with pb_def no_rp show ?thesis
by simp
qed
qed
qed
with rept_dag
have "Dag (rep p) lowb (highb(rep p := pb)) rept =
Dag (rep p) (rep ∝> Dag pa lowa higha rept ∧
apply -
apply (rule heaps_eq_Dag_eq)
apply ppl uto
done
with rept_dag p_nNull show ?thesis
by simp
qed
have "(∀. pt ∉ low pt = lowb pt ∧
high pt = (highb(rep p := pb)) pt)"
proof (intro allI impI)
fix pt
assume pt_notin_rept: "pt ∉ set_of rep
with rept_def obtain
pt_notin_lrept:"pt ∉ set_of lrept" and
pt_notin_rrept: "pt ∉no∈
pt_neq_rp: "pt ≠ (rpp lwb(hghbre p: b)) et ∧
(\forall.p ∉ low pt = lowb pt ∧
with low_lowa_nc ab_nc
show "low pt = lowb pt ∧ obtain lr rrept he
by auto
d
with rept_end_dag show ?thesis
by simp
qed
done
qed
done
qed
(in Repoint_impl) Repoint_spec_total:
"∀
∧ no ∈rep no = no) }
🍋p :== PROC Repoint (🍋
{>p 🍋lw 🍋high rept ∧
(∀pt. pt ∉(∀ set_of lrept ⟶ high pt = higha pt)"
(hoare_rule HoareTotal.ProcRec1
[where r="measure (λ
java.lang.NullPointerException
vcg
(rule conjI)
2
(cl simp add: null_comp_def)
clarify
(rule conjI)
2
clarsimp
clarify
-
fix rept low high rep p
assume reptept_dag: "Dag ((rep ∝ ∝pr> hihigh) rept"
assume rno_rept: "∀no∈set_of rept. rep no = no"
assume p_nNull: "p ≠ Null"
assume rp_nNull: " rep p ≠ Null"
show "∃lrept.
Dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high) lrept ∧
(∀no∈set_of lrept. rep no = no) ∧
size (dag ((rep ∝ id) (low (rep p))) (rep ∝ low) (rep ∝ high))
< size (dag ((rep ∝ id) p) (rep ∝ low) (rep ∝ high)) ∧
(∀lowa higha pa.
Dag pa lowa higha lrept ∧
(∀pt. pt ∉ set_of lrept ⟶
low pt = lowa pt ∧ high pt = higha pt) ⟶
(∃rrept.
Dag ((rep ∝ id) (higha (rep p))) (rep ∝by ( smpad:nl_op_e)
(rep \
(∀ set_of lt"
size (dag ((rep ∝ (rep p)))
(rep ∝ q = higha q"
< sizel_cm_def)
(\<forallwith
Dag pb lowb highb rrept ∧
(∀
(lowa(rep p := pa)) pt = lowb pt ∧
higha pt = highb pt) ⟶
Dag (rep p) lowb (highb(rep p := pb)) rept ∧ rlowa_rlow have rlorlo:
" DaDag (((r ∝ low) (rep ∝lrt"
low pt = lowb pt ∧
high pt = (highb(rep p := pb)) pt))))"
proof -
from rp_nNull rept_dag p_nNull obtain lrept rrept where
rept_def: "rept = Node lrept (rep p) rrept"
by auto
with rept_dag p_nNull have lrept_dag:
"Dag ((rep ∝ low) (rep p)) (r
by simp
fro re r pnN have rrept_:
"Dag ((rep ∝r: \forallp\<inset_of
by simp
from rno_rept rept_def have rno_lrept: "∀∈
by a
from rno_rept rept_def have rno_r
by auto
show ?thesis
apply (rule_tac =rpi )
apply (rule conjI)
apply (simp add: id_trans lrep
apply (rule conjI)
apply (rule rno_lrept)
apply (rule conjI)
using rept_dag rept_def
apply (simp only: Dag_dag)
apply (clarsimp simp add: id_trans Dag_dag)
apply clarify
subgoal premises prems for lowa higha pa
proof -
have lrepta: "Dag pa lowa higha lrep lrept" by fact
have low_lowa_nc:
"\forallpt.. pt ∉and high pt = = higha pt" by fact
from lrept_dag lrepta obtain
pa_def: "pa = (rep ∝ low) (rep p)" and
lowa_higha_def: "∀no ∈ set_of lrept.
lowa no = (rep ∝ low) no ∧ higha no = (rep ∝ high) no"
apply -
apply (drule Dags_eq_hp_eq)
apply auto
done
from rept_dag have rept_DAG: "DAG rept"
by (rule Dag_is_DAG)
with rept_def have rp_notin_lrept: "rep p ∉ set_of lrept"
by sim
from rept_DAG rept_def have rp_notin_rrept: "rep p ∉ set_of rrept"
bysimp
have rrepta: "Dag ((rep ∝
(rep ∝
proof -
from low_lowa_nc rp_notin_lrept
have "(rep ∝ clarify
by (auto simp add: null_comp_def)
with ith rrept_dag have have hig:
"Dag ((rep ∝ id) (higha (rep p))) (r (in i a)
by (si a: id_tr)
thm low_high_exchange_dag
low_lo lowa_higha_d rno_rrept
have lowa_hi🚫p)
"Dag ((rep ∝ (rep p))) (rep ∝ ∝
apply -
apply (rule low_high_exchange_dag)
apply auto
done
have "Dag ((rep ∝ lowa) (rep ∝
Dag ((rep ∝
(rep ∝ higha) rrept"
proof -
have "∀pt. pt ∉σlow pt ∧σhigh pt)}
(rep ∝ lowa) no = (rep ∝ lowa(rep (hoare_r HoarePartial.ProcRe
(rep ∝
prooroof
fix allI ) )
assume no_in_rrept: "no ∈
with rp_notin_rrept have "nop 2
by blast
thus "(rep ∝
(rep ∝ ∝
by (simp add: null_comp_def)
rec_spec_lrept:
thus ?thesis
by (rule heaps_eq_Dag_eq)
qed
with lowa_higha_rrept show ?thesis
by simp
qed
show ?thesis
apply (rule_tac x=rrept in exI)
apply (runI
apply (rule rrept\foralll>t t ∉owt=lw t🪙as rec_spec_rrept:
apply (rule conjI)
apply (rule rno_rrept)
apply (rule conjI)
using rept_dag rept_def rrepta
apply (simp only: Dag_dag)
apply (clarsimp simp add: id_trans Dag"\forallrept Dag ((rep ∝ lowa(rep p := pa)) (rep ∝
apply clarify
subgoal premises prems for lowb highb pb
proof-
have rreptb: "Dapb lowb highb rrept by fact
have ab_n: "<forallpt set_ofrret\longrightarrow>
lowaa((re p: pa) ptlw t\and hgt ibp"b c
from rreptb rrep obtain
pb_def: "pb = ((rep ∝ p))" nd
lowb_highb_def: "∀
no = (rep ∝ highb no = (rep ∝
apply -
apply (drule Dags_eq_hp_eq)
apply auto
done
have rept_end_dag: " Dag (rep p) lowb (highb(rep p := pb)) ith rept_dag p_nNull have lrept_dag:
proof -
have "∀no ∈ set_of rept.
lowb no = (rep ∝"Dag ((rep ∝ low) (rep ∝hg) ret"
proof
fix no
assume no_no: " no ∈
show "lowb no = (rep ∝ low) no \<and" high) (rep p)) (rep ∝ high) rrept"
(highb(rep p := pb)) no = (rep ∝ high) no"
proof (cases "no ∈t etde hverole: "∀ set_of lrept. rep no = no"
case True
with lowb_highb_def pb_def show ?thby auto
bysimp
next
assume no_notin_rrept: " no ∉ set_of rrept"
show ?thesis
proof (cases "no ∈
se ru
with no_notin_rrept rp_notin_lrept ab_nc
have ab_nc_no: "lowa no = lowb no ∧ ((rep ∝ id) (low (rep p))) (rep ∝ high) lrept"
apply -
apply (erule_tac x=no in allE)
apply (erule impE)
apply simp
apply (subgoal_tac "no ≠ rep p")
apply simp
apply blast
done
from lowa_higha_d True have
"lowa no = (rep ∝
by auto
with ab_nc_no
low_lowa_nc: "(∀ set_of lrept ⟶ low pt = lowa pt \and high pt highigh pt))"
by simp
with rp_notin_lrept True show ?thesis
apply (subgoal_tac "no≠
apply simp
apply blast
ddon
next
assume no_notin_lrept: " no ∉
with no_in_rept ref rept_dag h have rept_DAG: "AG rept
by simp
with rp_notin_lrept low_lowa_nc
have a_nc: "low no = lowa no ∧
by auto
from rp_notin_rrept no_rp ab_nc
have"lw(e = a)no obn ∧
by auto
with a_nc pa_def no_rp
have "(rep ∝ high no = highb no"
by auto
with pb_def no_rp show ?thesis
by simp
qed
qed
qed
with rept_dag
have "Dag (rep rrept_dag have higha_:
Dag (rep p) (rep ∝ high) rept"
apply -
apply (rule heaps_eq_Dag_eq)
apply auto
done
with rrp_a _Null s ?thei
by simp
qed
have "(∀
high pt = (highb(rep p := pb)) pt)"
applyauto
fix pt
assume pt_notin_rept: "pt ∉don
rept_de o
pt_notin_lrept: "pt ∉∝) (higha (rep p))) (rep ∝ lowa(rep p := pa)) (rep ∝) rre"
pt_notin_rrept: "pt ∉
pt_neq_rp: "pt ≠ rep p(rep \ ∝ ∝
by simp
with low_lowa_nc ab_nc
show "low p"low pt = lowb pt ∧ high pt = (highb(rep p := pb)) pt"
by auto
qed
ithhrept_nd_dagshow ?hsi
by simp
qed
done
qed
done
qed
