(*<*)
―‹ ********************************************************************
* Project : HOL-CSP - A Shallow Embedding of CSP in Isabelle/HOL
* Version : 2.0
*
* Author : Benoît Ballenghien, Safouan Taha, Burkhart Wolff, Lina Ye.
* (Based on HOL-CSP 1.0 by Haykal Tej and Burkhart Wolff)
*
* This file : Algebraic laws
*
* Copyright (c) 2009 Université Paris-Sud, France
* Copyright (c) 2025 Université Paris-Saclay, France
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* * Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* * Redistributions in binary form must reproduce the above
* copyright notice, this list of conditions and the following
* disclaimer in the documentation and/or other materials provided
* with the distribution.
*
* * Neither the name of the copyright holders nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
******************************************************************************› (*>*)
section‹ Powerful Laws of CSP ›
(*<*) theory CSP_Laws imports Basic_CSP_Laws Step_CSP_Laws_Extended begin (*>*)
subsection‹ Laws for Mndetprefix and Sync›
lemma Mndetprefix_Sync_Det_distr_FD :
java.lang.NullPointerException
(⊓ b ∈ B → ((⊓ a ∈ A → P a) [ C ] Q b)) ⊑FD (⊓ a ∈ A → P a) [ C ] (⊓ b ∈ B → Q b)›
(is‹?lhs1 ◻ ?lhs2 ⊑FD ?rhs›) if‹A ≠ {}›‹B ≠ {}›‹A ∩ C = {}›‹B ∩ C = {}› proof - have‹?lhs1 = ⊓ b∈B. ⊓ a∈A. (a → (P a [C] (b → Q b)))› (is‹_ = ?lhs1'›) by (simp add: ‹A ≠ {}›‹B ≠ {}› Mndetprefix_GlobalNdet
Sync_distrib_GlobalNdet_left Sync_distrib_GlobalNdet_right
write0_def GlobalNdet_Mprefix_distr[OF ‹B ≠ {}›, symmetric])
(subst GlobalNdet_sets_commute, simp) moreoverhave‹?lhs2 = ⊓ b∈B. ⊓ a∈A. (b → (a → P a [C] Q b))› (is‹_ = ?lhs2'›) by (simp add: ‹A ≠ {}›‹B ≠ {}› Mndetprefix_GlobalNdet
Sync_distrib_GlobalNdet_left Sync_distrib_GlobalNdet_right
write0_def GlobalNdet_Mprefix_distr[OF ‹A ≠ {}›, symmetric]) ultimatelyhave‹?lhs1 ◻ ?lhs2 = ?lhs1' ◻ ?lhs2'›by simp moreoverhave‹?lhs1' ◻ ?lhs2' ⊑FD⊓ b∈B. ⊓ a∈A. (a → (P a [C] (b → Q b))) ◻ (b → ((a → P a) [C] Q b))› by (auto simp add: ‹A ≠ {}›‹]Ordinary.GEN "\ →
moreover have ‹… = ⊓ b∈B. ⊓ a∈A. ((a → P a) [C] (b → Q b))›
by (rule mono_GlobalNdet_eq, rule mono_GlobalNdet_eq,
simp add: write0_def, subst Mprefix_Sync_Mprefix_indep)
(use ‹A ∩ C = {}›‹B ∩ C = {}› in auto)
moreover have ‹… = ?rhs›
by (simp add: ‹A ≠ {}›‹B ≠ {}› Mndetprefix_GlobalNdet
Sync_distrib_GlobalNdet_left Sync_distrib_GlobalNdet_right)
ultimately show ‹?lhs1 ◻ ?lhs2 ⊑FD ?rhs› by argo
Mndetprefix_Sync_Det_distr_F = Mndetprefix_Sync_Det_distr_FD[THEN leFD_imp_leF]
and Mndetprefix_Sync_Det_distr_D = Mndetprefix_Sync_Det_distr_FD[THEN leFD_imp_leD]
Mndetprefix_Sync_Det_distr_DT : ‹[A ≠ {}; B ≠ {}; A ∩ C = {}; B ∩ C = {}]==>
(⊓ a ∈ A → (P a [ C ] (⊓ b ∈ B → Q b))) ◻
(⊓ b ∈ B → ((⊓ a ∈ A → P a) [ C ] Q b)) ⊑DT (⊓ a ∈ A → P a) [ C ] (⊓ b ∈ B → Q b)›
Mndetp Mndetprefix_Sync_Det_distr_T leD_
‹Hiding Operator Laws›
Hiding_Hiding_less_eq_process_Hiding_Un : ‹P \ A \ B ⊑FD P \ (A ∪ B)›
(rule failure_divergence_refine_optimizedI)
fix s assume ‹s ∈D (P \ (A ∪ B))›
then obtain t u
where * : ‹ftF u›‹tF t›‹s = trace_hide t (ev ` (A ∪ B)) @ u› ‹t ∈D P ∨ (∃f. isInfHiddenRun f P (A ∪ B) ∧ t ∈ range f)›
using \zeta[THEN "\forall(2)] by (met"\<quivE
have ** : ‹trace_hide t (ev ` (A ∪ B)) = trace_hide (trace_hide t (ev ` A)) (ev ` B)›
using trace_hide_ev_union by blast
from "*"(4) show ‹s ∈D (P \ A \ B)›
proof (elim disjE exE)
assume ‹t ∈D P›
with mem_D_imp_mem_D_Hiding have ‹trace_hide t (ev ` A) ∈D (P \ A)› by blast
thus ‹s ∈D (P \ A \ B)›
by (subst D_Hiding) (use"*"(1, 2, 3) "**" Hiding_tickFree in blast)
next
fix f assume ** : ‹isInfHiddenRun f P (A ∪ B) ∧ t ∈ range f›
hence ‹strict_mono f› by simp
define ff where ‹ff i ≡ take (i + length (f 0)) (f i)› for i
have *** : ‹isInfHiddenRun ff P (A ∪ B) ∧ t ∈ range ff›
proof (intro conjI allI)
show ‹strict_mono ff›
proof (unfold strict_mono_Suc_iff, rule allI, unfold ff_def)
fix i nat
from length_strict_mono[of f ‹Suc i›, OF ‹strict_mono f›]
have $ $ (ff (Suc i)) <take(
by (simp add: take_Suc_conv_app_nth)
from ‹strict_mono f›[THEN strict_monoD, of i ‹Suc i›, simplified]
obtain t where ‹f (Suc i) = f i @ t› by (meson strict_prefixE')
with length_strict_mono[of f i, OF ‹strict_mono f›]
have ‹take (i + length (f 0)) (f i) = take (i + length (f 0)) (f (Suc i))› by simp
with "$" show ‹take (i + length (f 0)) (f i) < take (Suc i + length (f 0)) (f (Suc i))› by simp
qed
next
show ‹ff i ∈T P› for i
by (unfold ff_def) (metis "**" prefixI append_take_drop_id is_processT3_TR)
next
show ‹trace_hide (ff i) (ev ` (A ∪ B)) = trace_hide (ff 0) (ev ` (A ∪ B))› for i
proof (rule order_antisym)
have ‹f 0 ≤ f i› by (simp add: "**" strict_mono_less_eq)
hence ‹f 0 ≤ take (i + length (f 0)) (f i)›
by (metis prefixE Prefix_Order.prefixI le_add2 take_all_iff take_append)
from mono_trace_hide[OF this]
show ‹trace_hide (ff 0) (ev ` (A ∪ B)) ≤ trace_hide (ff i) (ev ` (A ∪ B))›
by (unfold ff_def) (metis le_add2 take_all_iff)
next
have ‹take (i + length (f 0)) (f i) ≤ f i›
by (metis prefixI append_take_drop_id)
from mono_trace_hide[OF this]
show ‹
by (unfold ff_def) (metis "**" le_add2 take_all_iff)
qed
next
from "**" obtain i where ‹t = f i› by blast
moreover have ‹f 0 ≤ f i› by (simp add: "**" strict_mono_less_eq)
ultimately have ‹t = ff (max i (length t - length (f 0)))›
by (simp add: ff_def max_def le_length_mono)
(metis "**" prefixE append_eq_conv_conj strict_mono_less_eq)
thus ‹t ∈ range ff› by blast
qed
show ‹s ∈D (P \ A \ B)›
proof (cases ‹∃m. ∀i>m. last (ff i) ∈ ev ` A›)
assume ‹∃m. ∀i>m. last (ff i) ∈ ev ` A›
then obtain m where $ : ‹m < i ==> last (ff i) ∈ ev ` A› for i by blast
hence ‹tF (ff m)›
by (metis "***" strict_prefixE' append_T_imp_tickFree list.distinct(1) strict_mono_Suc_iff)
have $$ : ‹∃t. ff (i + m) = ff m @ t ∧ set t ⊆ ev ` A› for i
show ‹∃t. ff (0 + m) = ff m @ t ∧ set t ⊆ ev ` A› by simp
next
fix i assume ‹∃t. ff (i + m) = ff m @ t ∧ set t ⊆ ev ` A›
then obtain t where ‹ff (i + m) = ff m @ t›‹set t ⊆ ev ` A› by blast
obtain r where ‹ff (Suc i + m) = ff (i + m) @ r›
by (metis "***" strict_prefixE' add_Suc strict_mono_Suc_iff)
moreover have ‹length (ff (Suc i + m)) = Suc (length (ff (i + m)))›
by (simp add: ff_def) (metis "**" add_Suc length_strict_mono min_absorb2)
ultimately have ‹length r = 1› by (metis Suc_eq_plus1 add_left_cancel length_append)
with ‹ff (Suc i + m) = ff (i + m) @ r›
have ‹ff (Suc i + m) = ff (i + m) @ [last (ff (Suc i + m))]› by (cases r) simp_all
with ‹ff (i + m) = ff m @ t›
have ‹ff (Suc i + m) = ff m @ t @ [last (ff (Suc i + m))]› by simp
moreover have ‹ ORi].
ultimately show ‹∃t. ff (Suc i + m) = ff m @ t ∧ set t ⊆ ev ` A›
by (intro exI[of _ ‹t @ [last (ff (Suc i + m))]›]) (simp add: ‹set t ⊆ ev ` A›)
qed
then obtain fff where $$$$ : ‹ff (i + m) = ff m @ fff i›‹set (fff i) ⊆ ev ` A›for i by metis
show ‹s ∈D (P \ A \ B)›
apply (simp add: D_Hiding)
apply (rule exI[of _ ‹trace_hide (ff m) (ev ` A)›], rule exI[of _ u], intro conjI)
subgoal by (fact ‹ftF u›)
subgoal using Hiding_tickFree ‹tF (ff m)› by blast
subgoal by (metis (no_types) "*"(3) "*
apply (rule disjI1)
apply (rule exI[of _ ‹ff m›], rule exI[of _ ‹[]›], simp add: ‹tF (ff m)›)
apply (rule disjI2)
apply (rule exI[of _ ‹λi. ff (i + m)›], intro conjI)
subgoal by (metis (mono_tags, lifting) "***" add_Suc strict_mono_Suc_iff)
subgoal using "***" by blast
subgoal using "$$$$" by (simp add: subset_iff)
by (metis (mono_tags) add_0 rangeI)
next
assume ‹∄m. ∀i>m. last (ff i) ∈ ev ` A›
{ fix i :: nat assume ‹0 < i›
from "***" obtain t where ‹ff i = ff 0 @ t›‹set t ⊆ ev ` (A ∪ B)›
unfolding isInfHiddenRun_1 by blast
with ‹0 < i› have ‹last (ff i) ∈ ev ` (A ∪ B)›
by (cases t) (auto simp add: "***" strict_mono_eq)
}
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
by (metis Un_Diff_cancel2 Un_iff gr0I image_Un not_less0)
define fff where ‹fff = rec_nat t (λi t. ff (SOME j. t < ff j ∧ last (ff j) ∈ ev ` B - ev ` A))›
hence ‹fff i ∈ range ff› for i
unfolding fff_def
by (metis (mono_tags, lifting) "***" gr0_conv_Suc nat.rec(2)
old.nat.simps(6) rangeI zero_less_iff_neq_zero)
have $$$ : ‹strict_mono (λi. trace_hide (fff i) (ev ` A))›
proof (unfold strict_mono_Suc_iff, rule allI)
fix i
have "£" : ‹fff (Suc i) = ff (SOME j. fff i < ff j ∧ last (ff j) ∈ ev ` B - ev ` A)›
by (simp add: fff_def)
java.lang.NullPointerException
hence ‹∃j. fff i < ff j ∧ last (ff j) ∈ ev ` B - ev ` A› by (metis "$" "***" monotoneD)
hence "££" : ‹fff i < fff (Suc i) ∧ last (fff (Suc i)) ∉ ev ` A›
by (metis (no_types, lifting) Diff_iff "£" someI_ex)
then obtain r where ‹fff (Suc i) = fff i @ r›‹last r ∉ ev ` A›
by (metis append_self_conv last_append less_eq_list_def prefix_def less_list_def)
thus ‹trace_hide (fff i) (ev ` A) < trace_hide (fff (Suc i)) (ev ` A)›
by (metis (mono_tags, lifting) prefixI "££" empty_filter_conv
filter_append last_in_set nless_le self_append_conv)
qed
show ‹s ∈D (P \ A \ B)›
apply (simp add: D_Hiding)
apply (rule exI[of _ ‹trace_hide t (ev ` A)›], rule exI[of _ u], intro conjI)
subgoal by (fact ‹ftF u›)
subgoal using Hiding_tickFree ‹tF t› by blast
subgoal by (simp add: "*"(3))
apply (rule disjI2)
apply (rule exI[of _ ‹λi. trace_hide (fff i) (ev ` A)›], intro conjI)
subgoal by (fact "$$$")
subgoal by (metis "***" ‹∧i. fff i ∈ range ff› mem_T_imp_mem_T_Hiding rangeE)
subgoal by (metis (no_types) "***" ‹
by (metis (mono_tags, lifting) fff_def old.nat.simps(6) rangeI)
qed
qed
assume subset_div : ‹D (P \ (A ∪ B)) ⊆D (P \ A \ B)›
fix s X assume ‹(s, X) ∈F (P \ (A ∪ B))›
then consider ‹s ∈D (P \ (A ∪ B))›
| t where ‹s = trace_hide t (ev ` (A ∪ B))›‹(t, X ∪ ev ` (A ∪ B)) ∈F P›
unfolding F_Hiding D_Hiding by blast
thus ‹(s, X) ∈F (P \ A \ B)›
proof cases
>P (A \union B)(s, X) ∈›
next
fix t assume ‹s = trace_hide t (ev ` (A ∪ B))›‹(t, X ∪ ev ` (A ∪ B)) ∈F P›
hence * : ‹s = trace_hide (trace_hide t (ev ` A)) (ev ` B)› ‹(t, X ∪ ev ` B ∪ ev ` A) ∈F P›
by (simp_all add: image_Un sup_commute sup_left_commute)
show ‹(s, X) ∈F (P \ A \ B)›
by (simp add: F_Hiding) (use "*" in blast)
qed
Hiding_Un : ‹P \ (A ∪ B) = P \ A \ B›
if ‹finite A› for P :: ‹('a, 'r) processptick›
(rule order_antisym)
show ‹P \ (A ∪ B) ≤ P \ A \ B›
proof (rule failure_divergence_refine_optimizedI)
fix s assume ‹s ∈D (P \ A \ B)›
then obtain t u
where * : ‹ftF u›‹ proof (rule RM; safe intro!: !: "🚫 ‹t ∈D (P \ A) ∨ (∃x. isInfHidden_seqRun_strong x (P \ A) B t)›
by (elim D_Hiding_seqRunE)
from "*"(4) show ‹s ∈D (P \ (A ∪ B))›
proof (elim disjE exE)
assume ‹t ∈D (P \ A)›
then obtain t' u'
where ** : ‹ftF u'›‹tF t'›‹t = trace_hide t' (ev ` A) @ u'› ‹t' ∈D P ∨ (∃x. isInfHidden_seqRun_strong x P A t')›
by (elim D_Hiding_seqRunE)
from "*"(1, 2) "**"(3) have *** : ‹
using Hiding_tickFree front_tickFree_append tickFree_append_iff by blast
show ‹s ∈D (P \ (A ∪ B))›
apply (unfold D_Hiding_seqRun, clarify)
apply (rule exI[of _ t'], rule exI[of _ ‹trace_hide u' (ev ` B) @ u›])
apply (intro conjI)
subgoal by (fact "***")
subgoal by (fact "**"(2))
subgoal by (simp add: "*"(3) "**"(3))
by (metis "**"(4) Un_iff image_Un)
next
fix x assume ** : ‹isInfHidden_seqRun_strong x (P \ A) B t›
have trH_x : ‹trace_hide (seqRun t x i) (ev ` B) = trace_hide t (ev ` B)› for i
using "**" trace_hide_seqRun_eq_iff by blast
from "**" have ‹∀i. seqRun t x i ∈ {trace_hide t (ev ` A) |t. (t, ev ` A) ∈F P}›
unfolding T_Hiding D_Hiding by blast
with F_T have ‹∀i. ∃w. seqRun t x i = trace_hide w (ev ` A) ∧ w ∈T P› by blast
then obtain f where *** : ‹seqRun t x i = trace_hide (f i) (ev ` A)›‹f i ∈T P› for i by metis
have ‹inj f› by (rule injI) (metis "***"(1) seqRun_eq_iff)
with finite_imageD have ‹infinite (range f)› by blast
have $ : ‹set (take i t') ⊆ set (seqRun t x i) ∪ ev ` A› if ‹t' ∈ range f› for i t'
proof -
from ‹t' ∈ range f› obtain j where ‹t' = f j› ..
hence "£" : ‹seqRun t x j = trace_hide t' (ev ` A)›‹t' ∈T P› by (simp_all add: "***")
consider ‹i ≤ j› | ‹j ≤ i› by linarith
thus ‹set (take i t') ⊆ set (seqRun t x i) ∪ ev ` A›
proof cases
assume ‹j ≤ i›
hence ‹seqRun t x j ≤ seqRun t x i› by simp
hence ‹set (seqRun t x j) ⊆ set (seqRun t x i)›
by (metis prefixE Un_iff set_append subsetI)
moreover have ‹set (take i t') ⊆ set (seqRun t x j) ∪ ev ` A›
by (rule subsetI, drule in_set_takeD) (simp add: "£"(1))
ultimately show ‹set (take i t') ⊆ set (seqRun t x i) ∪ ev ` A› by blast
next
assume ‹i ≤ j›
hence ‹seqRun t x i ≤ seqRun t x j› by simp
hence ‹take i (seqRun t x j) ≤ seqRun t x i› by simp
have ‹seqRun t x j = trace_hide (take i t') (ev ` A) @ trace_hide (drop i t') (ev ` A)›
by (metis "£"(1) append_take_drop_id filter_append)
moreover have ‹length (trace_hide (take i t') (ev ` A)) ≤ i›
by (metis length_filter_le length_take min.bounded_iff)
ultimately have ‹trace_hide (take i t') (ev ` A) ≤ take i (seqRun t x j)› by simp
with ‹
where ‹seqRun t x i = trace_hide (take i t') (ev ` A) @ t''›
by (meson prefixE dual_order.trans)
thus ‹set (take i t') ⊆ set (seqRun t x i) ∪ ev ` A› by (simp add: subsetI)
qed
qed
have ‹finite {take i w |w. w ∈ range f}› for i
proof (induct i)
show ‹finite {take 0 w |w. w ∈ range f}› by simp
next
fix i assume hyp : ‹finite {take i w |w. w ∈ range f}›
show ‹finite {take (Suc i) w |w. w ∈ range f}›
proof (rule finite_subset)
show ‹ {take (Suc i) w |w. w ∈ range f} ⊆ {take i w |w. w ∈ range f} ∪ (∪e∈set (seqRun t x (Suc i)) ∪ ev ` A. {take i w @ [e] |w. w ∈ range f})›
(is ‹?lhs ⊆ {take i w |w. w ∈ range f} ∪ (∪e∈?S1. ?S2 e)›)
proof (intro subsetI)
fix t' assume ‹t' ∈ ?lhs›
then obtain w where "£" : ‹t' = take (Suc i) w›A \<pen[
show ‹t' ∈ {take i w |w. w ∈ range f} ∪ (∪e∈?S1. ?S2 e)›
proof (cases ‹i < length t'›)
assume ‹i < length t'›
with "£"(1) take_Suc_conv_app_nth
have ‹take (Suc i) t' = take i w @ [t' ! i]› by auto
moreover from "£" "$" ‹i < length t'› nth_mem have ‹t' ! i ∈ ?S1› by blast
ultimately have ‹t' ∈ (∪e∈?S1. ?S2 e)›
by (intro UN_I[of ‹t' ! i›], simp_all)
(metis "£" less_not_refl min.absorb2 not_le_imp_less take_take)
thus ‹t' ∈ {take i w |w. w ∈ range f} ∪ (∪e∈?S1. ?S2 e)› by simp
next
assume ‹¬ i < length t'›
hence ‹take (Suc i) t' = take i t'› by simp
with "£" show ‹t' ∈ {take i w |w. w ∈ range f} ∪ (∪e∈?S1. ?S2 e)› by auto
qed
qed
next
show ‹finite ({take i w |w. w ∈ range f} ∪
(∪e∈set (seqRun t x (Suc i)) ∪ ev ` A.
{take i w @ [e] |w. w ∈ range f}))›
proof (rule finite_UnI)
show ‹finite {take i w |w. w ∈ range f}› by (fact hyp)
next
show ‹finite (∪e∈set (seqRun t x (Suc i)) ∪ ev ` A. {take i w @ [e] |w. w ∈ range f})›
proof (rule finite_UN_I)
show ‹finite (set (seqRun t x (Suc i)) ∪ ev ` A)›
by (simp add: ‹finite A›) ―‹Here we use that term‹A›
next
fix e assume ‹e ∈ set (seqRun t x (Suc i)) ∪ ev ` A›
have ‹ {take i w @ [e] |w. w ∈ range f}
= (λt'. t' @ [e]) ` {take i w |w. w ∈ range f}› by auto
also have ‹finite …› by (rule finite_imageI) (fact hyp)
finally show ‹finite {take i w @ [e] |w. w ∈ range f}› .
qed
qed
qed
qed
also have ‹{take i w |w. w ∈ range f} = {w. ∃t'∈range f. w = take i t'}› for i by auto
finally have ‹∀i. finite {w. ∃t'∈range f. w = take i t'}› ..
from KoenigLemma[OF ‹infinite (range f)› this]
obtain ff :: ‹( )
where $$ : ‹strict_mono ff›‹range ff ⊆ {t. ∃t'∈range f. t ≤ t'}› by blast
from "$$"(2) have $$$ : ‹∃t'. ff (Suc j) ≤ t' ∧ t' ∈ range f› for j by blast
hence ‹ftF (ff (Suc j))› for j
by (metis "***"(2) imageE is_processT2_TR is_processT3_TR)
hence ‹tF (ff j)› for j
using strict_monoD[OF "$$"(1), of j ‹Suc j›, simplified]
by (metis strict_prefixE' front_tickFree_append_iff list.distinct(1))
from "$$"(2) "***"(2) have ‹ff (j + i) ∈T P› for i j
by (simp add: subset_iff) (meson is_processT3_TR rangeI)
have $$$$ : ‹∃w. trace_hide (ff i) (ev ` A) ≤ t @ w› for i
proof -
from "$$"(2) obtain j where ‹ff i ≤ f j› by auto
moreover from "**" isInfHiddenRun_1 have ‹∃w. seqRun t x j = t @ w›
by (simp add: seqRun_def)
AOT_hence \open & x 🚫
by (metis "***"(1) mono_trace_hide)
qed
have ‹∃i. t ≤ trace_hide (ff i) (ev ` A)›
proof (rule ccontr)
define fff where ‹fff i ≡ trace_hide (ff i) (ev ` A)› for i
assume assm : ‹∄i. t ≤ fff i›
moreover from "$$$$" have ‹∀i. ∃w. fff i ≤ t @ w› unfolding fff_def ..
ultimately have assm_bis : ‹∀i. fff i ≤ t›
by (metis prefixI le_same_imp_eq_or_less order.order_iff_strict)
have ‹mono fff›
by (rule monoI, simp add: fff_def)
(metis "$$"(1) prefixE prefixI filter_append strict_mono_less_eq)
from mono_constant[OF this assm_bis]
obtain j where ‹j ≤ i ==> fff i = fff j› for i by blast
have ‹fff j ∈D (P \ A)›
apply (unfold D_Hiding, clarify)
apply (rule exI[of _ ‹ff j›], rule exI[of _ ‹[]›])
apply (simp add: fff_def ‹
apply (rule disjI2)
apply (rule exI[of _ ‹λi. ff (j + i)›])
apply (intro conjI)
subgoal by (simp add: "$$"(1) strict_monoI strict_mono_less)
subgoal by (simp add: ‹∧i. ff (j + i) ∈T P›)
subgoal by (metis ‹∧i. j ≤ i ==> fff i = fff j› fff_def le_add1)
subgoal by (metis Nat.add_0_right rangeI) .
thus False
by (metis (no_types) "**" prefixE T_imp_front_tickFree append.right_neutral assm_bis
front_tickFree_append_iff is_processT3_TR is_processT7 t_le_seqRun)
qed
then obtain j where ‹t ≤ trace_hide (ff j) (ev ` A)› ..
have "£" : ‹s = trace_hide (ff j) (ev ` (A ∪ B)) @ u›
proof (unfold "*"(3), rule arg_cong[where f = ‹λx. x @ _›])
from "$$"(1) "$$$" obtain l where ‹ff j ≤ f l›
by (metis dual_order.trans order_less_imp_le rangeE strict_mono_Suc_iff)
from mono_trace_hide[OF this] have ‹trace_hide (ff j) (ev ` A) ≤ seqRun t x l›
unfolding "***"(1) by presburger
with mono_trace_hide[OF this] mono_trace_hide[OF ‹t ≤ trace_hide (ff j) (ev ` A)›
show ‹trace_hide t (ev ` B) = trace_hide (ff j) (ev ` (A ∪ B))›
by (metis trH_x dual_order.eq_iff trace_hide_ev_union)
qed
have "££" : ‹trace_hide (ff (j + i)) (ev ` (A ∪ B)) = trace_hide (ff (j + 0)) (ev ` (A ∪ B))› for i
proof -
from "$$"(1) "$$$" obtain l where ‹ff (j + i) ≤ f l›
by (metis dual_order.trans order_less_imp_le rangeE strict_mono_Suc_iff)
from mono_trace_hide[OF this] have ‹trace_hide (ff (j + i)) (ev ` A) ≤ seqRun t x l›
unfolding "***"(1) by presburger
from mono_trace_hide[OF this, of B]
mono_trace_hide[THEN mono_trace_hide, of _ _ B A,
OF ‹strict_mono ff›[THEN strict_mono_mono, THEN monoD, of j ‹j + i›, simplified]]
mono_trace_hide[OF ‹t ≤ trace_hide (ff j) (ev ` A)›, of B]
show ‹trace_hide (ff (j + i)) (ev ` (A ∪ B)) =
trace_hide (ff (j + 0)) (ev ` (A ∪ B))› by (simp add: trH_x)
qed
show ‹s ∈D (P \ (A ∪ B))›
, clarify)
apply (rule exI[of _ ‹ff j›], rule exI[of _ u])
apply (intro conjI)
subgoal by (fact ‹ftF u›)
subgoal by (fact ‹tF (ff j)›)
subgoal by (fact "£")
apply (rule disjI2)
apply (rule exI[of _ ‹λi. ff (j + i)›])
apply (intro conjI)
subgoal by (simp add: "$$"(1) strict_monoI strict_mono_less)
subgoal by (simp add: ‹∧i. ff (j + i) ∈T P›)
subgoal by (use "££" in blast)
by (metis Nat.add_0_right rangeI)
qed
next
assume subset_div : ‹D (P \ A \ B) ⊆D (P \ (A ∪ B))›
fix s X assume ‹(s, X) ∈F (P \ A \ B)›
from this[simplified F_Hiding[of ‹P \ A› B]] D_Hiding[of ‹P \ A› B]
consider ‹s ∈D (P \ A \ B)›
| t where ‹s = trace_hide t (ev ` B)›‹(t, X ∪ ev ` B) ∈F (P \ A)› by blast
thus ‹(s, X) ∈F (P \ (A ∪ B))›
proof cases
from subset_div D_F show ‹s ∈D (P \ A \ B) ==> (s, X) ∈F (P \ (A ∪ B))› by blast
next
fix t assume * : ‹s = trace_hide t (ev ` B)›‹(t, X ∪ ev ` B) ∈F (P \ A)›
from "*"(2) consider ‹t ∈D (P \ A)›
| u where ‹t = trace_hide u (ev ` A)›‹(u, X ∪ ev ` B ∪ ev ` A) ∈F P›
unfolding F_Hiding D_Hiding by blast
thus ‹(s, X) ∈F (P \ (A ∪ B))›
assume ‹t ∈D (P \ A)›
with "*"(1) mem_D_imp_mem_D_Hiding have ‹s ∈D (P \ A \ B)› by fast
with subset_div D_F show ‹(s, X) ∈F (P \ (A ∪ B))› by blast
next
fix u assume ** : ‹t = trace_hide u (ev ` A)›‹(u, X ∪ ev ` B ∪ ev ` A) ∈F P›
from "*"(1) "**"(1) have ‹s = trace_hide u (ev ` (A ∪ B))› by simp
moreover from "**"(2) have ‹(u, X ∪ ev ` (A ∪ B)) ∈F P›
by (simp add: image_Un sup_commute sup_left_commute)
ultimately show ‹(s, X) ∈F (P \ (A ∪ B))› unfolding F_Hiding by blast
qed
qed
qed
show ‹P \ A \ B ≤ P \ (A ∪ B)› by (fact Hiding_Hiding_less_eq_process_Hiding_Un)
‹ Sync Operator Laws ›
‹ Preliminaries ›
tickFree_isInfHiddenRun : ‹tF s›
if ‹isInfHiddenRun f P A› and ‹s ∈ range f›
-
from ‹s ∈ range f› obtain i where ‹s = f i› ..
moreover have ‹f i < f (Suc i)› by (meson ‹isInfHiddenRun f P A› strict_mono_Suc_iff)
ultimately obtain t where ‹
moreover from ‹isInfHiddenRun f P A› is_processT2_TR
have ‹ftF (f (Suc i))› by blast
ultimately show ‹tF s› by (simp add: front_tickFree_append_iff)
Hiding_interleave: ‹r setinterleaves ((t, u), C) ==>
(trace_hide r A) setinterleaves ((trace_hide t A, trace_hide u A), C)›
(* The hypothesis \<open>A \<inter> C = {}\<close> was useless, see if we can obtain more powerful results *) proof (induct ‹(t, C, u)› arbitrary: r t u rule: setinterleaving.induct) case1thus ?caseby simp next case (2 x t) thus ?caseby auto next case (3 y u) thus ?caseby auto next case (4 x t y u) thus ?case by (simp split: if_splits)
(safe, simp_all, (use SyncSingleHeadAdd setinterleaving_sym in blast)+) qed
lemma non_Sync_interleaving: ‹(set t ∪ set u) ∩ apply (rule "beta-C-meta"["[THEN "\\right>E"])
by (induct ‹(t, C, u)› arbitrary: t u rule: setinterleaving.induct) simp_all
interleave_Hiding: ‹s setinterleaves ((trace_hide t A, trace_hide u A), C) ==>∃r. s = trace_hide r A ∧ r setinterleaves ((t, u), C)› if ‹A ∩ C = {}›
(induct ‹(t, C, u)› arbitrary: t u s rule: setinterleaving.induct)
case 1
thus ?case by simp
case (2 y u)
from "2.prems" ‹A ∩ C = {}› show ?case
by (simp add: disjoint_iff split: if_split_asm)
(metis "2.hyps" "2.prems" emptyLeftProperty filter.simps(1))+
case (3 x t)
from "3.prems" ‹A ∩ C = {}› show ?case
by (simp add: disjoint_iff split: if_split_asm)
(metis "3.hyps" "3.prems" emptyRightProperty filter.simps(1))+
case (4 x t y u)
from "4.prems" ‹A ∩ C = {}› show ?case
apply (cases ‹x = y›, simp_all add: disjoint_iff split: if_split_asm)
subgoal using "4.hyps"(1) by force
subgoal by (metis (no_types, lifting) "4.hyps"(3) "4.hyps"(4) filter.simps(2))
subgoal by (metis (no_types, lifting) "4.hyps"(3) filter.simps(2))
subgoal using "4.hyps"(2) by force
subgoal by (metis (no_types, lifting) "4.hyps"(3) "4.hyps"(4) filter.simps(2))
subgoal using "4.hyps"(5) by force
subgoal by (metis (no_types, lifting) "4.hyps"(2) "4.hyps"(4) filter.simps(2))
subgoal by (metis (no_types, lifting) "4.hyps"(3) "4.hyps"(5) filter.simps(2))
subgoal by (metis (no_types, lifting) "4.hyps"(4) filter.simps(2))
done
le_trace_hide : ‹u ≤ trace_hide t S ==>∃u'. u = trace_hide u' S ∧ u' ≤ t›
(induct t arbitrary: u)
show ‹u ≤ trace_hide [] S ==>∃u'. u = trace_hide u' S ∧ u' ≤ []› for u by simp
fix a t u assume prem: ‹u ≤ trace_hide (a # t) S›
assume hyp : ‹u ≤ trace_hide t S ==>∃u'. u = trace_hide u' S ∧ u' ≤ t› for u
from prem consider ‹u = []› | ‹a ∈ S›‹u ≤ trace_hide t S›
| v where ‹a ∉ S›‹u = a # v›‹v ≤ trace_hide t S›
by (cases u) (simp_all split: if_split_asm)
thus ‹∃u'. u = trace_hide u' S ∧ u' ≤ a # t›
proof cases
show ‹u = [] ==>∃u'. u = trace_hide u' S ∧ u' ≤ a # t›
by (metis filter.simps(1) nil_le)
next
assume ‹a ∈ S›‹u ≤ trace_hide t S›
from hyp[OF ‹u ≤ trace_hide t S›] obtain u' where ‹u = trace_hide u' S ∧ u' ≤ t› ..
with ‹a ∈ S› have ‹u = trace_hide (a # u') S ∧ a # u' ≤ a # t› by simp
thus ‹∃u'. u = trace_hide u' S ∧ u' ≤ a # t› ..
next
fix v assume ‹a ∉ S›‹
from hyp[OF ‹v ≤ trace_hide t S›] obtain v' where ‹v = trace_hide v' S ∧ v' ≤ t› ..
with ‹a ∉ S›‹u = a # v› have ‹u = trace_hide (a # v') S ∧ a # v' ≤ a # t› by simp
thus ‹∃u'. u = trace_hide u' S ∧ u' ≤ a # t› ..
qed
case (2 y u1)
thus ?case by (auto split: if_split_asm)
(use SyncSingleHeadAdd setinterleaving_sym in blast)
case (3 x t1)
thus ?case by (auto split: if_split_asm) (blast intro: SyncSingleHeadAdd)
case (4 x t2 y u2)
thus ?case by auto
‹
Hiding_Sync : ‹(P [S] Q) \ A = (P \ A) [S] (Q \ A)›
if ‹finite A› and ‹A ∩ S = {}› for P Q :: ‹('a, 'r) processptick›
― ‹Monster theorem!›
(subst Process_eq_spec_optimized, safe)
let ?trH_A = ‹λt. trace_hide t (ev ` A)› and ?tick_S = ‹range tick ∪ ev ` S›
fix s assume ‹s ∈D (P [S] Q \ A)›
then obtain t u
where * : ‹ftF u›‹tF t›‹s = ?trH_A t @ u›
>\D(P \lbrakk\<rbrakk r> Q) t)›
by (elim D_Hiding_seqRunE)
from "*"(4) show ‹s ∈D ((P \ A) [S] (Q \ A))›
proof (elim disjE exE)
assume ‹t ∈D (P [S] Q)›
then obtain t' u' r' v'
where ** : ‹ftF v'›‹tF r' ∨ v' = []› ‹t = r' @ v'›‹r' setinterleaves ((t', u'), ?tick_S)› ‹t' ∈D P ∧ u' ∈T Q ∨ t' ∈D Q ∧ u' ∈T P›
unfolding D_Sync by blast
{ fix t' u' and P Q
assume *** : ‹r' setinterleaves ((t', u'), ?tick_S)› ‹t' ∈D P›‹u' ∈T Q›
have ‹
using "***"(1) Hiding_interleave by blast
moreover from "***"(2) mem_D_imp_mem_D_Hiding have ‹?trH_A t' ∈D (P \ A)› by blast
moreover from "***"(3) mem_T_imp_mem_T_Hiding have ‹?trH_A u' ∈T (Q \ A)› by blast
ultimately have ‹s ∈D ((P \ A) [S] (Q \ A))›
apply (simp add: "*"(3) D_Sync)
apply (rule exI[of _ ‹?trH_A t'›], rule exI[of _ ‹?trH_A u'›],
rule exI[of _ ‹?trH_A r'›], rule exI[of _ ‹?trH_A v' @ u›])
apply (simp add: "*"(3) "**"(3) Hiding_tickFree)
using "*"(1, 2) "**"(3) Hiding_tickFree front_tickFree_append tickFree_append_iff by blast
} note $ = this
from "**"(5) show ‹s ∈D ((P \ A) [S] (Q \ A))›
proof (elim disjE conjE)
show ‹
by (metis "$" "**"(4))
show ‹t' ∈D Q ==> u' ∈T P ==> s ∈D ((P \ A) [S] (Q \ A))›
by (metis "$" "**"(4) Sync_commute)
qed
next
fix x assume ** : ‹isInfHidden_seqRun_strong x (P [S] Q) A t›
from "**" have *** : ‹∃t' u'. t' ∈T P ∧ u' ∈T Q ∧
seqRun t x i setinterleaves ((t', u'), ?tick_S)› for i
unfolding T_Sync D_Sync by blast
define ftu where ‹ftu i ≡ SOME (t', u'). t' ∈T P ∧ u' ∈T Q ∧
seqRun t x i setinterleaves ((t', u'), ?tick_S)› for i
define ft fu where ‹ft ≡ λi. fst (ftu i)› and ‹
have **** : ‹ft i ∈T P›‹fu i ∈T Q› ‹seqRun t x i setinterleaves ((ft i, fu i), ?tick_S)› for i
by (use "***"[of i] in ‹simp add: ft_def fu_def,
cases ‹ftu i›, simp add: ftu_def,
metis (mono_tags, lifting) case_prod_conv someI_ex›)+
from "**" have ‹set (seqRun t x i) ⊆ set t ∪ ev ` A› for i
by (auto simp add: seqRun_def)
have ‹set (ft i) ∪ set (fu i) ⊆ set t ∪ ev ` A› for i
by (rule subset_trans[OF interleave_set[OF "****"(3)]])
(fact ‹set (seqRun t x i) ⊆ set t ∪ ev ` A›)
have ‹inj ftu›
proof (rule injI)
fix i j assume ‹ftu i = ftu j›
obtain t' u' where ‹(t', u') = ftu i› by (metis surj_pair)
with ‹ftu i = ftu j› have ‹seqRun t x i setinterleaves ((t', u'), ?tick_S)› ‹seqRun t x j setinterleaves ((t', u'), ?tick_S)›
by (metis "****"(3) fst_conv ft_def fu_def snd_conv)+
from interleave_eq_size[OF this] have ‹length (seqRun t x i) = length (seqRun t x j)› .
thus ‹i = j› by simp
qed
hence ‹infinite (range ftu)› using finite_imageD by blast
moreover have ‹range ftu ⊆ range ft × range fu›
by (clarify, metis fst_conv ft_def fu_def rangeI snd_conv)
ultimately have ‹infinite (range ft) ∨ infinite (range fu)›
by (meson finite_SigmaI infinite_super)
{ fix ft fu P Q
assume assms : ‹infinite (range ft)› ‹∧i. set (ft i) ∪ set (fu i) ⊆ set t ∪ ev ` A› ‹∧i. ft i ∈T P›‹∧i. fu i ∈T Q› ‹∧i. seqRun t x i setinterleaves ((ft i, fu i), ?tick_S)›
have ‹finite {t. ∃t'∈range ft. t = take i t'}› for i
proof (rule finite_subset)
show ‹ {w. ∃t'∈range ft. w = take i t'} ⊆ {w. set w ⊆ set t ∪ ev ` A ∧ length w ≤ i}›
by auto (meson Un_iff assms(2) in_set_takeD subsetD)
next
show ‹finite {w. set w ⊆ set t ∪ ev ` A ∧ length w ≤ i}›
by (rule finite_lists_length_le) (simp add: ‹finite A›)
― ‹Here we use the assumption @{thm ‹finite A›}.›
qed
with assms(1) obtain ft' :: ‹nat ==> _›
where $ : ‹strict_mono ft'›‹range ft' ⊆ {w. ∃t'∈range ft. w ≤ t'}›
using KoenigLemma by blast
from "$"(2) assms(3) is_processT3_TR have ‹range ft' ⊆T P› by blast
define ft'' where ‹ft'' i ≡ ft' (i + length t)› for i
from ‹range ft' ⊆T P› have ‹range ft'' ⊆T P› and ‹strict_mono ft''›
by (auto simp add: ft''_def "$"(1) strict_monoD strict_monoI)
have $$ : ‹?trH_A (ft'' i) = ?trH_A (ft'' 0)› for i
proof -
have ‹length t ≤ length (ft'' 0)›
by (metis "$"(1) add_0 add_leD1 ft''_def length_strict_mono)
obtain t' where ‹ft'' i = ft'' 0 @ t'›
by (meson prefixE ‹strict_mono ft''› strict_mono_less_eq zero_order(1))
moreover from "$"(2) obtain j where ‹ft'' i ≤ ft j› by (auto simp add: ft''_def)
ultimately obtain t'' where ‹ft j = ft'' 0 @ t' @ t''› by (metis prefixE append.assoc)
>set ('@ t') <>set
proof (rule subset_trans)
show ‹set (t' @ t'') ⊆ set (drop (length (ft'' 0)) (seqRun t x j))›
by (rule interleave_order, fold ‹ft j = ft'' 0 @ t' @ t''›, fact assms(5))
next
show ‹set (drop (length (ft'' 0)) (seqRun t x j)) ⊆ set (drop (length t) (seqRun t x j))›
by (simp add: ‹length t ≤ length (ft'' 0)› set_drop_subset_set_drop)
qed
also from "**" have ‹set (drop (length t) (seqRun t x j)) ⊆ ev ` A›
by (auto simp add: seqRun_def)
finally show ‹?trH_A (ft'' i) = ?trH_A (ft'' 0)›
by (simp add: ‹ft'' i = ft'' 0 @ t'› subset_iff)
qed
from "$"(2) obtain i where ‹ft'' 0 ≤ ft i› by (auto simp add: ft''_def)
with prefixE obtain v where ‹ft i = ft'' 0 @ v› by blast
have ‹
moreover have ‹tF (?trH_A (seqRun t x i)) ∨ u = []›
by (metis "*"(2) "**" Hiding_tickFree trace_hide_seqRun_eq_iff)
moreover have ‹s = ?trH_A (seqRun t x i) @ u›
by (metis "*"(3) "**" trace_hide_seqRun_eq_iff)
moreover have ‹?trH_A (seqRun t x i) setinterleaves ((?trH_A (ft i), ?trH_A (fu i)), ?tick_S)›
using assms(5) Hiding_interleave by blast
moreover have ‹?trH_A (ft i) ∈D (P \ A)›
apply (unfold D_Hiding, clarify)
apply (rule exI[of _ ‹ft'' 0›])
apply (rule exI[of _ ‹?trH_A v›])
apply (intro conjI)
subgoal by (metis assms(3) Hiding_front_tickFree ‹ft i = ft'' 0 @ v›
front_tickFree_Nil front_tickFree_nonempty_append_imp is_processT2_TR)
subgoal by (metis strict_prefixE' T_imp_front_tickFree ‹range ft'' ⊆T P›‹strict_mono ft''›
front_tickFree_append_iff list.distinct(1) range_subsetD strict_mono_Suc_iff)
subgoal by (simp add: ‹ft i = ft'' 0 @ v›)
subgoal using "$$" ‹range ft'' ⊆T AOT_henAOT_hence ‹
moreover have ‹?trH_A (fu i) ∈T (Q \ A)›
proof (cases ‹∃t'. ?trH_A t' = ?trH_A (fu i) ∧ (t', ev ` A) ∈F Q›)
assume ‹∃t'. ?trH_A t' = ?trH_A (fu i) ∧ (t', ev ` A) ∈F Q›
then obtain t' where ‹?trH_A (fu i) = ?trH_A t'›‹(t', ev ` A) ∈F Q› by metis
thus ‹?trH_A (fu i) ∈T (Q \ A)› unfolding T_Hiding by blast
next
assume ‹∄t'. ?trH_A t' = ?trH_A (fu i) ∧ (t', ev ` A) ∈F Q›
with assms(4) inf_hidden obtain fu' j
where $$$ : ‹isInfHiddenRun fu' Q A›‹fu i = fu' j› by blast
show ‹
apply (unfold T_Hiding, simp)
apply (rule disjI2)
apply (rule exI[of _ ‹fu' j›], rule exI[of _ ‹[]›])
apply (intro conjI)
subgoal by simp
subgoal by (metis "$$$"(1) strict_prefixE' T_imp_front_tickFree neq_Nil_conv
front_tickFree_nonempty_append_imp strict_mono_Suc_iff)
subgoal by (simp add: "$$$"(2))
subgoal using "$$$"(1) by blast .
qed
ultimately have ‹s ∈D ((P \ A) [S] (Q \ A))› unfolding D_Sync by blast
} note $ = this
from ‹infinite (range ft) ∨ infinite (range fu)›
show ‹s ∈D ((P \ A) [S] (Q \ A))›
proof (elim disjE)
from "$" "****" ‹∧i. set (ft i) ∪ set (fu i) ⊆ set t ∪ ev ` A›
show ‹infinite (range ft) ==> s ∈D ((P \ A) [S] (Q \ A))› by blast
next
from "$" "****" ‹∧i. set (ft i) ∪ set (fu i) ⊆ set t ∪ ev ` A›
show ‹infinite (range fu) ==> s ∈D ((P \ A) [S] (Q \ A))›
by (metis Sync_commute setinterleaving_sym sup_commute)
qed
qed
let ?trH_A = ‹λt. trace_hide t (ev ` A)› and ?tick_S = ‹range tick ∪ ev ` S›
assume same_div : ‹D (P [S] Q \ A) = D ((P \ A) [S] (Q \ A))›
fix s X assume ‹(s, X) ∈F (P [S] Q \ A)›
then consider ‹s ∈D (P [S] Q \ A)›
| t where ‹s = trace_hide t (ev ` A)›‹(t, X ∪ ev ` A) ∈F (P [S] Q)›
unfolding F_Hiding D_Hiding by blast
thus ‹(s, X) ∈F ((P \ A) [S] (Q \ A))›
proof cases
from same_div D_F show ‹s ∈D (P [S] Q \ A) ==> (s, X) ∈F ((P \ A) [S] (Q \ A))› by blast
next
fix t assume * : ‹s = ?trH_A t›‹(t, X ∪ ev ` A) ∈F (P [S] Q)›
then consider ‹t ∈D (P [S] Q)›
| (F) t_P X_P t_Q X_Q
where ‹(t_P, X_P) ∈F P›‹(t_Q, X_Q) ∈F Q› ‹t setinterleaves ((t_P, t_Q), ?tick_S)› ‹X ∪ ev ` A = (X_P ∪ X_Q) ∩ ?tick_S ∪ X_P ∩ X_Q›
by (auto simp add: F_Sync D_Sync)
thus ‹(s, X) ∈F ((P \ A) [S] (Q \ A))›
proof cases
assume ‹t ∈D (P [S] Q)›
with "*"(1) mem_D_imp_mem_D_Hiding have ‹s ∈D (P [S] Q \ A)› by blast
with same_div D_F show ‹(s, X) ∈F ((P \ A) [S] (Q \ A))› by blast
next
case F
from inf_hidden[OF _ F(1)[THEN F_T], of A] inf_hidden[OF _ F(2)[THEN F_T], of A]
consider (D_P) f_P where ‹isInfHiddenRun f_P P A›‹t_P ∈ range f_P›
| (D_Q) f_Q where ‹isInfHiddenRun f_Q Q A›‹t_Q ∈ range f_Q›
| (F_both) t_P' t_Q'
where ‹?trH_A t_P' = ?trH_A t_P›‹(t_P', ev ` A) ∈F P› ‹?trH_A t_Q' = ?trH_A t_Q›‹(t_Q', ev ` A) ∈F Q›
by blast
thus ‹(s, X) ∈F ((P \ A) [S] (Q \ A))›
proof cases
case D_P
have $ : ‹?trH_A t_P ∈D (P \ A)›
apply (unfold D_Hiding, clarify)
apply (rule exI[of _ ‹t_P›], rule exI[of _ ‹[]›])
using tickFree_isInfHiddenRun D_P front_tickFree_Nil by blast
from F(2) F_T mem_T_imp_mem_T_Hiding
have $$ : ‹?trH_A t_Q ∈T (Q \ A)› by blast
show ‹(s, X) ∈F ((P \ A) [S] (Q \ A))›
apply (simp add: F_Sync)
apply (rule disjI2)
apply (rule exI[of _ ‹?trH_A t_P›])
apply (rule exI[of _ ‹?trH_A t_Q›])
apply (rule exI[of _ ‹?trH_A t›], rule exI[of _ ‹[]›])
by (simp add: "*"(1) F(3) Hiding_interleave "$" "$$")
next
case D_Q
from F(1) F_T mem_T_imp_mem_T_Hiding
have $ : ‹?trH_A t_P∈T (P \ A)› by blast
have $$ : ‹?trH_A t_Q ∈D (Q \ A)›
apply (unfold D_Hiding, clarify)
apply (rule exI[of _ ‹t_Q›], rule exI[of _ ‹[]›])
using tickFree_isInfHiddenRun D_Q front_tickFree_Nil by blast
show ‹(s, X) ∈F ((P \ A) [S] (Q \ A))›
apply (simp add: F_Sync)
apply (rule disjI2)
apply (rule exI[of _ ‹?trH_A t_Q›])
apply (rule exI[of _ ‹?trH_A t_P›])
apply (rule exI[of _ ‹?trH_A t›], rule exI[of _ ‹[]›])
by (simp add: "*"(1) F(3) Hiding_interleave setinterleaving_sym "$" "$$")
next
case F_both
from F(4) ‹A ∩ S = {}› have ‹ev ` A ⊆ X_P› and ‹ev ` A ⊆ X_Q› by auto
have ‹(?trH_A t_P, X_P) ∈F (P \ A)›
by (simp add: F_Hiding) (metis F(1) F_both(1) ‹ev ` A ⊆ X_P› sup.orderE)
moreover have ‹(?trH_A t_Q, X_Q) ∈F (Q \ A)›
by (simp add: F_Hiding) (metis F(2) F_both(3) ‹ev ` A ⊆ X_Q› sup.orderE)
moreover from F(3) Hiding_interleave
have ‹s setinterleaves ((?trH_A t_P, ?trH_A t_Q), ?tick_S)›
unfolding "*"(1) by blast
ultimately have ‹(s, (X_P ∪ X_Q) ∩ ?tick_S ∪ X_P ∩ X_Q) ∈F ((P \ A) [S] (Q \ A))›
unfolding F_Sync by blast
moreover from F(4) have ‹X ⊆ (X_P ∪ X_Q) ∩ ?tick_S ∪ X_P ∩ X_Q› by blast
ultimately show ‹(s, X) ∈F ((P \ A) [S] (Q \ A))› by (fact is_processT4)
qed
qed
qed
let ?trH_A = ‹λt. trace_hide t (ev ` A)› and ?tick_S = ‹range tick ∪ ev ` S›
fix s assume ‹s ∈D ((P \ A) [S] (Q \ A))›
then obtain t_P t_Q r v
where * : ‹ ‹t_P ∈D (P \ A) ∧ t_Q ∈T (Q \ A) ∨ t_P ∈D (Q \ A) ∧ t_Q ∈T (P \ A)›
unfolding D_Sync by blast
from ‹s ∈D ((P \ A) [S] (Q \ A))› have ‹ftF s›
by (simp add: D_imp_front_tickFree)
{ fix t_P t_Q and P Q
assume ** : ‹r setinterleaves ((t_P, t_Q), ?tick_S)› ‹t_P ∈D (P \ A)›‹t_Q ∈T (Q \ A)›
from **(2) obtain t u
where *** : ‹ftF u›‹tF t›‹t_P = ?trH_A t @ u› ‹t ∈D P ∨ (∃x. isInfHidden_seqRun_strong x P A t)›
by (elim D_Hiding_seqRunE)
from interleave_append_left[OF "**"(1)[unfolded "***"(3)]]
obtain t_Q1 t_Q2 r1 r2
where **** : ‹t_Q = t_Q1 @ t_Q2›‹r = r1 @ r2› ‹r1 setinterleaves ((?trH_A t, t_Q1), ?tick_S)› ‹r2 setinterleaves ((u, t_Q2), ?tick_S)› by bla nextnext
from "**"(3) consider t_Q' where ‹t_Q = ?trH_A t_Q'›‹(t_Q', ev ` A) ∈F Q›
| (D_Q) t' u' where ‹ftF u'›‹tF t'›‹t_Q = ?trH_A t' @ u'› ‹t' ∈D Q ∨ (∃y. isInfHidden_seqRun_strong y Q A t')›
by (elim T_Hiding_seqRunE)
hence ‹s ∈D (P [S] Q \ A)›
proof cases
fix t_Q' assume ‹t_Q = ?trH_A t_Q'›‹(t_Q', ev ` A) ∈F Q›
from trace_hide_append[OF this(1)[unfolded "****"(1)]]
obtain t_Q1' t_Q2' where $ : ‹t_Q' = t_Q1' @ t_Q2'›‹t_Q1 = ?trH_A t_Q1'› ‹t_Q2 = ?trH_A t_Q2'› by blast
from ‹A ∩ S = {}› have ‹ev ` A ∩ ?tick_S = {}› by blast
from interleave_Hiding[OF this "****"(3)[unfolded "$"(2)]]
obtain r1' where $$ : ‹r1 = ?trH_A r1'› ‹
show ‹s ∈D (P [S] Q \ A)›
proof (rule D_Hiding_seqRunI)
show ‹ftF (r2 @ v)›
by (metis "*"(1, 3) "****"(2) ‹ftF s›
front_tickFree_append_iff tickFree_append_iff)
next
show ‹tF r1'›
by (metis "$"(1) "$$"(2) "***"(2) F_imp_front_tickFree SyncWithTick_imp_NTF ‹(t_Q', ev ` A) ∈F Q› front_tickFree_dw_closed nonTickFree_n_frontTickFree
non_tickFree_tick tickFree_append_iff ftf_Sync tickFree_imp_front_tickFree)
next
from "$$"(1) "*"(3) "****"(2) append.assoc
show ‹s = ?trH_A r1' @ r2 @ v› by blast
next
from "***"(4) show ‹r1' ∈D (P [S] Q) ∨
(∃x. ∀i. seqRun r1' x i ∈T (P [S] Q) ∧ x i ∈ ev ` A)›
proof (elim disjE exE)
assume ‹t ∈D P›
moreover have ‹t_Q1' ∈T Q›
by (metis "$"(1) F_T prefixI ‹(t_Q', ev ` A) ∈F Q› is_processT3_TR)
ultimately have ‹r1' ∈D (P [S] Q)›
unfolding D_Sync using "$$"(2) front_tickFree_Nil by blast
thus ‹r1' ∈D (P [S] Q) ∨ (∃x. isInfHidden_seqRun x (P [S] Q) A r1')› ..
next
fix x assume "£" : ‹isInfHidden_seqRun_strong x P A t›
from "£" ‹A ∩ S = {}› have ‹set (map x [0..<i]) ∩ ?tick_S = {}› for i
by (simp add: disjoint_iff image_iff)
(metis eventptick.distinct(1) eventptick.inject(1))
from "$$"(2)[THEN interleave_append_tail_left, OF this, folded seqRun_def]
have "££" : ‹seqRun r1' x i setinterleaves ((seqRun t x i, t_Q1'), ?tick_S)› for i .
have ‹isInfHidden_seqRun x (P [S] Q) A r1'›
proof (intro allI conjI)
have ‹t_Q1' ∈T Q›
by (metis "$"(1) F_T prefixI ‹(t_Q', ev ` A) ∈F Q› is_processT3_TR)
with "£" "££" show ‹seqRun r1' x i ∈T (P [S] Q)› for i
unfolding T_Sync by blast
next
show ‹x i ∈ ev ` A› for i by (simp add: "£") AOT_hence ‹
qed
thus ‹r1' ∈D (P [S] Q) ∨ (∃x. isInfHidden_seqRun x (P [S] Q) A r1')› by blast
qed
qed
next
case D_Q
have ‹t ∈T P› using "***"(4) D_T by (metis seqRun_0)
consider ‹?trH_A t' ≤ t_Q1› | ‹t_Q1 ≤ ?trH_A t'›
by (metis "****"(1) D_Q(3) prefixI dual_order.eq_iff le_same_imp_eq_or_less nless_le)
thus ‹s ∈D (P [S] Q \ A)›
proof cases
assume ‹?trH_A t' ≤ t_Q1›
from interleave_le_right[OF "****"(3) this]
obtain r1_bis t_hidden_bis
java.lang.NullPointerException ‹r1_bis setinterleaves ((t_hidden_bis, ?trH_A t'), ?tick_S)› by blast
moreover from le_trace_hide[OF ‹t_hidden_bis ≤ ?trH_A t›]
obtain t_bis where ‹t_hidden_bis = ?trH_A t_bis ∧ t_bis ≤ t› ..
ultimately have $ : ‹r1_bis ≤ r1›‹t_bis ≤ t› ‹r1_bis setinterleaves ((?trH_A t_bis, ?trH_A t'), ?tick_S)› by blast+
from interleave_Hiding[OF _ "$"(3)] ‹A ∩ S = {}›
obtain r1_bis_unhidden
where $$ : ‹r1_bis = ?trH_A r1_bis_unhidden› ‹r1_bis_unhidden setinterleaves ((t_bis, t'), ?tick_S)› by blast
from "$"(2) ‹t ∈T P› is_processT3_TR have ‹t_bis ∈T P› by blast
from D_Q(4) have ‹r1_bis ∈D (P [S] Q \ A)›
proof (elim disjE exE)
assume ‹t' ∈D Q›
with "$$"(2) ‹t_bis ∈T P› have ‹r1_bis_unhidden ∈D (P [S] Q)›
by (simp add: D_Sync)
(use front_tickFree_Nil setinterleaving_sym in blast)
with "$$"(1) mem_D_imp_mem_D_Hiding show ‹r1_bis ∈D (P [S] Q \ A)› by blast
next
fix y assume £ : ‹isInfHidden_seqRun_strong y Q A t'›
(* with exists_suff obtain g_suff
where g_suff_props : ‹g i = g 0 @ g_suff i›‹set (g_suff i) ⊆ ev ` A›
\<open>set (g_suff i) \<inter> ?tick_S = {}\<close> \<open>strict_mono g_suff\<close> for i by metis *) from"£"‹A ∩ S = {}›have‹set (map y [0..<i]) ∩ ?tick_S = {}›for i by (simp add: disjoint_iff image_iff)
(metis eventptick.distinct(1) eventptick.inject(1)) from"$$"(2)[THEN interleave_append_tail_right, OF this, folded seqRun_def] have $$$ : ‹seqRun r1_bis_unhidden y i setinterleaves ((t_bis, seqRun t' y i), ?tick_S)›for i . have $$$$ : ‹isInfHidden_seqRun y (P [S] Q) A r1_bis_unhidden› proof (intro allI conjI) from"$$$""£"‹t_bis ∈T P› show‹seqRun r1_bis_unhidden y i ∈T (P [S] Q)›for i unfolding T_Sync by blast next show‹y i ∈ ev ` A›for i by (simp add: "£") qed show‹r1_bis ∈D (P [S] Q \ A)› proof (rule D_Hiding_seqRunI) show‹ftF []›by simp next show‹tF r1_bis_unhidden› by (metis "$$"(2) D_Q(2) SyncWithTick_imp_NTF T_imp_front_tickFree ‹t_bis ∈T P›
ftf_Sync nonTickFree_n_frontTickFree non_tickFree_tick
tickFree_append_iff tickFree_imp_front_tickFree) next show‹r1_bis = ?trH_A r1_bis_unhidden @ []›by (simp add: $$(1)) next from"$$$$"show‹r1_bis_unhidden ∈D (P [S] Q) ∨AOT_hence ‹
(∃x. isInfHidden_seqRun x (P [S] Q) A r1_bis_unhidden)› by blast
qed
qed
with "$"(1) show ‹s ∈D (P [S] Q \ A)›
unfolding less_eq_list_def prefix_def
by (metis (no_types, opaque_lifting) "*"(3) "****"(2) ‹ftF s›
append_Nil2 front_tickFree_append_iff front_tickFree_dw_closed is_processT7)
next
assume ‹t_Q1 ≤ ?trH_A t'›
from le_trace_hide[OF this] obtain t_Q1_unhidden
where $ : ‹t_Q1 = ?trH_A t_Q1_unhidden›‹t_Q1_unhidden ≤ t'› by blast
from ‹A ∩ S = {}› have ‹
from "****"(3)[unfolded "$"(1)]
have ‹r1 setinterleaves ((?trH_A t, ?trH_A t_Q1_unhidden), ?tick_S)› .
from interleave_Hiding[OF ‹ev ` A ∩ ?tick_S = {}› this] obtainr1_unhidden where$$:\<open>r1=?trH_Ar1_unhidden\<close> \<open>r1_unhiddensetinterleaves((t,t_Q1_unhidden),?tick_S)\<close>byblast from\<open>t_Q1_unhidden\<le>t'\<close>have\<open>t_Q1_unhidden\<in>\<T>Q\<close> by(metisD_Q(4)D_Tis_processT3_TRt_le_seqRun)
from"***"(4)have\<open>r1\<in>\<D>(P\<lbrakk>S\<rbrakk>Q\A)\<close> proof(elimdisjEexE) assume\<open>t\<in>\<D>P\<close> have\<open>r1_unhidden\<in>\<D>(P\<lbrakk>S\<rbrakk>Q)\<close> proof(unfoldD_Sync,clarify,introexIconjI) show\<open>ftF[]\<close>\<open>tFr1_unhidden\<or>[]=[]\<close> \<open>r1_unhidden=r1_unhidden@[]\<close>bysimp_all next show\<open>r1_unhiddensetinterleaves((t,t_Q1_unhidden),?tick_S)\<close>by(fact"$$"(2)) next show\<open>t\<in>\<D>P\<and>t_Q1_unhidden\<in>\<T>Q\<or>t\<in>\<D>Q\<and>t_Q1_unhidden\<in>\<T>P\<close> by(simpadd:\<open>t\<in>\<D>P\<close>\<open>t_Q1_unhidden\<in>\<T>Q\<close>) qed thus\<open>r1\<in>\<D>(P\<lbrakk>S\<rbrakk>Q\A)\<close>unfolding"$$"(1)by(factmem_D_imp_mem_D_Hiding) next fixxassume\<pounds>:\<open>isInfHidden_seqRun_strongxPAt\<close> from"\<pounds>"\<open>A\<inter>S={}\<close>have\<open>set(mapx[0..<i])\<inter>?tick_S={}\<close>fori by(simpadd:disjoint_iffimage_iff) (metisevent\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k.distinct(1)event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k.inject(1)) from"$$"(2)[THENinterleave_append_tail_left,OFthis,foldedseqRun_def] have"\<pounds>\<pounds>":\<open>seqRunr1_unhiddenxisetinterleaves((seqRuntxi,t_Q1_unhidden),?tick_S)\<close>fori. have"\<pounds>\<pounds>\<pounds>":\<open>isInfHidden_seqRunx(P\<lbrakk>S\<rbrakk>Q)Ar1_unhidden\<close> proof(introallIconjI) from"\<pounds>""\<pounds>\<pounds>"\<open>t_Q1_unhidden\<in>\<T>Q\<close> show\<open>seqRunr1_unhiddenxi\<in>\<T>(P\<lbrakk>S\<rbrakk>Q)\<close>foriunfoldingT_Syncbyblast next from"\<pounds>"show\<open>xi\<in>ev`A\<close>foribyblast qed show\<open>r1\<in>\<D>(P\<lbrakk>S\<rbrakk>Q\A)\<close> proof(unfoldD_Hiding_seqRun,clarify,introexIconjI) show\<open>ftF[]\<close>bysimp next fromisInfHidden_seqRun_imp_tickFree[OF"\<pounds>\<pounds>\<pounds>"]show\<open>tFr1_unhidden\<close>. next show\<open>r1=?trH_Ar1_unhidden@[]\<close>by(simpadd:"$$"(1)) next from"\<pounds>\<pounds>\<pounds>"show\<open>r1_unhidden\<in>\<D>(P\<lbrakk>S\<rbrakk>Q)\<or> (\<exists>x.isInfHidden_seqRunx(P\<lbrakk>S\<rbrakk>Q)Ar1_unhidden)\<close>byblast qed qed thus<><>\D>(\lbrakkS\<rbrakk>Q\A\<close> by(metis"*"(3)"****"(2)\<open>ftFs\<close>append.right_neutral front_tickFree_append_ifffront_tickFree_dw_closedis_processT7) qed qed }note$=this from"*"(5)show\<open>s\<in>\<D>(P\<lbrakk>S\<rbrakk>Q\A)\<close> by(elimdisjEconjE)(metis"$""*"(4),metis"$""*"(4)Sync_commute) next let?trH_A=\<open>\<lambda>t.trace_hidet(ev`A)\<close>and?tick_S=\<open>rangetick\<union>ev`S\<close> assumesame_div:\<open>\<D>(P\<lbrakk>S\<rbrakk>Q\A)=\<D>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<close> fixsXassume\<open>(s,X)\<in>\<F>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<close> thenconsider\<open>s\<in>\<D>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<close> |(F)s_PX_Ps_QX_Q where\<open>(s_P,X_P)\<in>\<F>(P\A)\<close>\<open>(s_Q,X_Q)\<in>\<F>(Q\A)\<close> \<open>ssetinterleaves((s_P,s_Q),?tick_S)\<close> \<open>X=(X_P\<union>X_Q)\<inter>?tick_S\<union>X_P\<inter>X_Q\<close> unfoldingF_SyncD_Syncbyblast thus\<open>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close> proofcases fromsame_divD_Fshow\<open>s\<in>\<D>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<Longrightarrow>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close>byblast next caseF fromF(1,2)consider\<open>s_P\<in>\<D>(P\A)\<close>|\<open>s_Q\<in>\<D>(Q\A)\<close> |(F_both)s_P's_Q' where\<open>s_P=?trH_As_P'\<close>\<open>(s_P',X_P\<union>ev`A)\<in>\<F>P\<close> \<open>s_Q=?trH_As_Q'\<close>\<open>(s_Q',X_Q\<union>ev`A)\<in>\<F>Q\<close> unfoldingF_HidingD_Hidingbyblast thus\<open>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close> proofcases assume\<open>s_P\<in>\<D>(P\A)\<close> moreoverfromF(2)F_Thave\<open>s_Q\<in>\<T>(Q\A)\<close>byblast ultimatelyhave\<open>s\<in>\<D>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<close> usingF(3)front_tickFree_NilunfoldingD_Syncbyblast withsame_divD_Fshow\<open>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close>byblast next fromF(1)F_Thave\<open>s_P\<in>\<T>(P\A)\<close>byblast moreoverassume\<open>s_Q\<in>\<D>(Q\A)\<close> moreoverhave\<open>ssetinterleaves((s_Q,s_P),rangetick\<union>ev`S)\<close> by(simpadd:F(3)setinterleaving_sym) ultimatelyhave\<open>s\<in>\<D>((P\A)\<lbrakk>S\<rbrakk>(Q\A))\<close> usingfront_tickFree_NilunfoldingD_Syncbyblast withsame_divD_Fshow\<open>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close>byblast next caseF_both from\<open>A\<inter>S={}\<close>have\<open>ev`A\<inter>(rangetick\<union>ev`S)={}\<close>byblast frominterleave_Hiding[OFthisF(3)[unfoldedF_both(1,3)]] obtains'where*:\<open>s=?trH_As'\<close> \<open>s'setinterleaves((s_P',s_Q'),rangetick\<union>ev`S)\<close>byblast have\<open>X\<union>ev`A=(X_P\<union>ev`A\<union>(X_Q\<union>ev`A))\<inter>(rangetick\<union>ev`S) \<union>(X_P\<union>ev`A)\<inter>(X_Q\<union>ev`A)\<close> by(simpadd:F(4)Un_Int_distrib2Un_assocsup_left_commute) thus\<open>(s,X)\<in>\<F>(P\<lbrakk>S\<rbrakk>Q\A)\<close> by(simpadd:"*"(1)F_HidingF_Sync)(use"*"(2)F_both(2,4)inblast) qed qed qed
lemmaHiding_distrib_FD_GlobalNdet: \<open>(\<sqinter>a\<in>A.Pa)\S\<sqsubseteq>\<^sub>F\<^sub>D\<sqinter>a\<in>A.(Pa\S)\<close>(is\<open>?lhs\<sqsubseteq>\<^sub>F\<^sub>D?rhs\<close>) proof(cases\<open>A={}\<close>) show\<open>A={}\<Longrightarrow>?lhs\<sqsubseteq>\<^sub>F\<^sub>D?rhs\<close>bysimp next show\<open>?lhs\<sqsubseteq>\<^sub>F\<^sub>D?rhs\<close>if\<open>A\<noteq>{}\<close> proof(rulefailure_divergence_refine_optimizedI) show\<open>s\<in>\<D>?rhs\<Longrightarrow>s\<in>\<D>?lhs\<close>fors by(simpadd:GlobalNdet_projsD_Hiding_seqRun)blast next assumesubset_div:\<open>\<D>?rhs\<subseteq>\<D>?lhs\<close> fixsXassume\<open>(s,X)\<in>\<F>?rhs\<close> thenobtainawhere\<open>a\<in>A\<close>\<open>(s,X)\<in>\<F>(Pa\S)\<close> by(autosimpadd:F_GlobalNdet\<open>A\<noteq>{}\<close>) from\<open>(s,X)\<in>\<F>(Pa\S)\<close>consider\<open>s\<in>\<D>(Pa\S)\<close> |twhere\<open>s=trace_hidet(ev`S)\<close>\<open>(t,X\<union>ev`S)\<in>\<F>(Pa)\<close> unfoldingD_HidingF_Hidingbyblast thus\<open>(s,X)\<in>\<F>?lhs\<close> proofcases assume\<open>s\<in>\<D>(Pa\S)\<close> with\<open>a\<in>A\<close>have\<open>s\<in>\<D>?rhs\<close>by(autosimpadd:D_GlobalNdet) withsubset_divD_Fshow\<open>(s,X)\<in>\<F>?lhs\<close>byblast next from\<open>a\<in>A\<close>show\<open>s=trace_hidet(ev`S)\<Longrightarrow>(t,X\<union>ev`S)\<in>\<F>(Pa) \<Longrightarrow>(s,X)\<in>\<F>?lhs\<close>fort by(simpadd:F_Hiding_seqRunF_GlobalNdet)blast qed qed qed
lemmaRenaming_Seq: \<open>Renaming(P\<^bold>;Q)fg=RenamingPfg\<^bold>;RenamingQfg\<close>(is\<open>?lhs=?rhs\<close>) proof(ruleProcess_eq_optimizedI) fixtassume\<open>t\<in>\<D>?lhs\<close> thenobtainuvwhere\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u@v\<close>\<open>tFu\<close>\<open>ftFv\<close>\<open>u\<in>\<D>(P\<^bold>;Q)\<close> unfoldingD_Renamingbyblast from\<open>u\<in>\<D>(P\<^bold>;Q)\<close>consider\<open>u\<in>\<D>P\<close> |u1u2rwhere\<open>u=u1@u2\<close>\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>\<open>u2\<in>\<D>Q\<close> unfoldingD_Seqbyblast thus\<open>t\<in>\<D>?rhs\<close> proofcases from\<open>ftFv\<close>\<open>t=map(map_event\<sub>\<^ubt\^>i<^subc\^>kfg)u@<><>\closejava.lang.StringIndexOutOfBoundsException: Index 134 out of bounds for length 134 show\<open>u\<in>\<D>P\<Longrightarrow>t\<in>\<D>?rhs\<close>by(autosimpadd:D_SeqD_Renaming) next fixu1u2rassume\<open>u=u1@u2\<close>\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>\<open>u2\<in>\<D>Q\<close> from\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>have\<open>map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u1@[\<checkmark>(gr)]\<in>\<T>(RenamingPfg)\<close> by(autosimpadd:T_Renaming) moreoverfrom\<open>u2\<in>\<D>Q\<close>\<open>tFu\<close>\<open>u=u1@u2\<close> have\<open>map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u2\<in>\<D>(RenamingQfg)\<close> by(simpadd:D_Renaming)(usefront_tickFree_Nilinblast) ultimatelyhave\<open>map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<in>\<D>?rhs\<close>by(autosimpadd:\<open>u=u1@u2\<close>D_Seq) thus\<open>t\<in>\<D>?rhs\<close>by(simpadd:\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u@v\<close>\<open>ftFv\<close> \<open>tFu\<close>is_processT7map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k_tickFree) qed next fixtassume\<open>t\<in>\<D>?rhs\<close> thmthis[simplifiedD_Seq,simplified] thenconsider\<open>t\<in>\<D>(RenamingPfg)\<close> |t1t2swhere\<open>t=t1@t2\<close>\<open>t1@[\<checkmark>(s)]\<in>\<T>(RenamingPfg)\<close> \<open>t1@[\<checkmark>(s)]\<notin>\<D>(RenamingPfg)\<close>\<open>t2\<in>\<D>(RenamingQfg)\<close> by(simpadd:D_Seq)(metisD_imp_front_tickFreeappend_T_imp_tickFree is_processT7is_processT9list.distinct(1)) \xi[THEN"qml2[axiom_instTHEN"<rightarrowE,THEN"<>E(2)THEN"<>E"] proofcases show\<open>t\<in>\<D>(RenamingPfg)\<Longrightarrow>t\<in>\<D>?lhs\<close> by(autosimpadd:D_RenamingD_Seq) next fixt1t2sassume\<open>t=t1@t2\<close>\<open>t1@[\<checkmark>(s)]\<in>\<T>(RenamingPfg)\<close> \<open>t1@[\<checkmark>(s)]\<notin>\<D>(RenamingPfg)\<close>\<open>t2\<in>\<D>(RenamingQfg)\<close> fromthis(2,3)obtainu1'where\<open>t1@[\<checkmark>(s)]=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u1'\<close>\<open>u1'\<in>\<T>P\<close> by(autosimpadd:Renaming_projs) thenobtainu1rwhere\<open>s=gr\<close>\<open>t1=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u1\<close>\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close> by(casesu1'rule:rev_cases)(autosimpadd:tick_eq_map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k_iff) from\<open>t2\<in>\<D>(RenamingQfg)\<close>obtainu2u3 where\<open>t2=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u2@u3\<close>\<open>tFu2\<close>\<open>ftFu3\<close>\<open>u2\<in>\<D>Q\<close> unfoldingD_Renamingbyblast from\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>\<open>u2\<in>\<D>Q\<close>have\<open>u1@u2\<in>\<D>(P\<^bold>;Q)\<close> by(autosimpadd:D_Seq) with\<open>ftFu3\<close>\<open>tFu2\<close>\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>show\<open>t\<in>\<D>?lhs\<close> by(simpadd:\<open>t=t1@t2\<close>\<open>t1=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u1\<close> \<open>t2=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u2@u3\<close>D_Renaming) (metisappend_T_imp_tickFreeappend_eq_appendImap_appendnot_Cons_selftickFree_append_iff) qed next fixtXassume\<open>(t,X)\<in>\<F>?lhs\<close>\<open>t\<notin>\<D>?lhs\<close> from\<open>(t,X)\<in>\<F>?lhs\<close>\<open>t\<notin>\<D>?lhs\<close>obtainu where\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<close>\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X)\<in>\<F>(P\<^bold>;Q)\<close> unfoldingRenaming_projsbyblast from\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X)\<in>\<F>(P\<^bold>;Q)\<close>\<open>t\<notin>\<D>?lhs\<close> consider\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>rangetick)\<in>\<F>P\<close>\<open>tFu\<close> |u1ru2where\<open>u=u1@u2\<close>\<open>u1@T_hence:\<><><>\existsu(Fu&Numbersy,F(,F\<sup>\<sup by(autosimpadd:\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<close>Seq_projsD_Renaming) (metisD_imp_front_tickFreebutlast_snocfront_tickFree_iff_tickFree_butlastfront_tickFree_single is_processT8is_processT9map_appendmap_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k_front_tickFreenonTickFree_n_frontTickFree) thus\<open>(t,X)\<in>\<F>?rhs\<close> proofcases assume\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>rangetick)\<in>\<F>P\<close>\<open>tFu\<close> have\<open>map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`rangetick\<subseteq>map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>rangetick\<close> by(autosimpadd:map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k_eq_tick_iff) with\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>rangetick)\<in>\<F>P\<close> have\<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`rangetick)\<in>\<F>P\<close> by(mesonis_processT4) with\<open>tFu\<close>show\<open>(t,X)\<in>\<F>?rhs\<close> by(autosimpadd:F_Seq\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<close>F_Renamingmap_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>k_tickFree) next fixu1u2rassume\<open>u=u1@u2\<close>\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>\<open>(u2,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X)\<in>\<F>Q\<close> from\<open>u1@[\<checkmark>(r)]\<in>\<T>P\<close>have\<open>map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u1@[\<checkmark>(gr)]\<in>\<T>(RenamingPfg)\<close> by(autosimpadd:T_Renaming) moreoverfrom\<open>(u2,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X)\<in>\<F>Q\<close> have\<open>(map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u2,X)\<in>\<F>(RenamingQfg)\<close>by(autosimpadd:F_Renaming) ultimatelyshow\<open>(t,X)\<in>\<F>?rhs\<close> by(autosimpadd:\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<close>\<open>u=u1@u2\<close>F_Seq) qed next fixtXassume\<open>(t,X)\<in>\<F>?rhs\<close>\<open>t\<notin>\<D>?rhs\<close>\<open>t\<notin>\<D>?lhs\<close> thenconsider\<open>(t,X\<union>rangetick)\<in>\<F>(RenamingPfg)\<close>\<open>tFt\<close> |t1t2swhere\<open>t=t1@t2\<close>\<open>t1@[\<checkmark>(s)]\<in>\<T>(RenamingPfg)\<close>\<open>(t2,X)\<in>\<F>(RenamingQfg)\<close> unfoldingSeq_projsbyblast thus\<open>(t,X)\<in>\<F>?lhs\<close> proofcases assume\<open>(t,X\<union>rangetick)\<in>\<F>(RenamingPfg)\<close>\<open>tFt\<close> with\<open>t\<notin>\<D>?rhs\<close>obtainu where\<open>t=map(map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg)u\<close> \<open>(u,map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`X\<union>map_event\<^sub>p\<^sub>t\<^sub>i\<^sub>c\<^sub>kfg-`rangetick)\<in>\<F>P\<close>
by (auto simp add: D_Seq Renaming_projs)
from this(2) have ‹(u, map_eventptick f g -` X ∪ range tick) ∈F P›
by (rule is_processT4) auto
with ‹tF t› show ‹(t, X) ∈F ?lhs›
by (auto simp add: F_Renaming F_Seq ‹t = map (map_eventptick f g) u› map_eventptick_tickFree)
next
fix t1 t2 s assume ‹
from ‹t ∉D ?rhs› have ‹t1 @ [🍋(s)] ∉D (Renaming P f g)›
by (simp add: ‹t = t1 @ t2› D_Seq)
(metis D_imp_front_tickFree F_imp_front_tickFree ‹(t2, X) ∈F (Renaming Q f g)›
front_tickFree_append_iff is_processT7 is_processT9 not_Cons_self)
with ‹t1 @ [🍋(s)] ∈T (Renaming P f g)› obtain u1'
where ‹t1 @ [🍋(s)] = map (map_eventptick f g) u1'›‹u1' ∈T P›
unfolding Renaming_projs by blast
then obtain u1 r where ‹s = g r›‹t1 = map (map_eventptick f g) u1›‹u1 @ [🍋(r)] ∈T P›
by (cases u1' rule: rev_cases) (auto simp add: tick_eq_map_eventptick_iff)
from ‹t ∉D ?rhs›]xz›
by (auto simp add: ‹t = t1 @ t2› D_Seq)
with ‹(t2, X) ∈F (Renaming Q f g)› obtain u2
where ‹t2 = map (map_eventptick f g) u2›‹(u2, map_eventptick f g -` X) ∈F Q›
unfolding Renaming_projs by blast
from ‹(u2, map_eventptick f g -` X) ∈F Q›‹u1 @ [🍋(r)] ∈T P›
java.lang.NullPointerException
thus ‹(t, X) ∈F ?lhs›
by (auto simp add: ‹t = t1 @ t2›‹t1 = map (map_eventptick f g) u1› ‹t2 = map (map_eventptick f g) u2› F_Renaming)
qed
Renaming_fix : ‹Renaming (μ X. φ X) f g = (μ X. ((λP. Renaming P f g) ∘ φ ∘ (λP. Renaming P (inv f) (inv g))) X)›
(is ‹Renaming (μ X. φ X) f g = (μ X. ?φ' X)›) if ‹cont φ›
and ‹bij f› and ‹bij g› for φ :: ‹('a, 'r) processptick==> ('a, 'r) processptick›
-
― ‹Some facts first.›
have * : ‹φ = (λP. Renaming P (inv f) (inv g)) ∘ ?φ' ∘ (λP. Renaming P f g)›
by (rule ext) (simp add: Renaming_inv bij_is_inj ‹bij f›‹bij g›)
java.lang.NullPointerException
by (simp add: cont2monofunE ‹cont φ›)
have mono_φ' : ‹P ⊑ Q ==> ?φ' P ⊑ ?φ' Q› for P Q
by (simp add: mono_Renaming mono_φ)
have finitary_props : ‹finitary f›‹finitary g›‹finitary (inv f)›‹finitary (inv g)›
by (simp_all add: bij_is_inj bij_is_surj surj_imp_inj_inv ‹bij f›‹bij g›)
have ‹cont (λX. Renaming (φ X) f g)› by (simp add: finitary_props(1, 2) ‹cont φ›)
moreover have ‹cont (λX. Renaming X (inv f) (inv g))› by (simp add: finitary_props(3, 4))
ultimately have ‹cont ?φ'› unfolding comp_def by (rule cont_compose)
from ‹cont φ›‹cont ?φ'› cont_process_rec
have ** : ‹(μ X. φ X) = φ (μ X. φ X)›‹(μ X. ?φ' X) = ?φ' (μ X. ?φ' X)› by blast+
show ‹Renaming (μ X. φ X) f g = (μ X. ?φ' X)›
proof (rule below_antisym)
show ‹Renaming (μ X. φ X) f g ⊑ (μ X. ?φ' X)›
proof (induct rule: fix_ind[where F = ‹Λ X. φ X›])
show ‹adm (λa. Renaming a f g ⊑ (μ X. ?φ' X))›
by (simp add: ‹finitary f›‹finitary g› monofunI)
next
show ‹Renaming ⊥ f g ⊑ (μ X. ?φ' X)› by simp
next using "Ordinary.∃
fix X assume ‹Renaming X f g ⊑ (μ X. ?φ' X)›
hence ‹?φ' (Renaming X f g) ⊑ ?φ' (μ X. ?φ' X)› by (fact mono_φ')
hence ‹Renaming (?φ' (Renaming X f g)) (inv f) (inv g) ⊑
Renaming (?φ' (μ X. ?φ' X)) (inv f) (inv g)› by (fact mono_Renaming)
also from "*" have ‹Renaming (?φ' (Renaming X f g)) (inv f) (inv g) = φ X›
unfolding comp_def by metis
also from "**"(2) have ‹?φ' (μ X. ?φ' X) = (μ X. ?φ' X)› by argo
finally have ‹Renaming (φ X) f g ⊑ Renaming (Renaming (μ X. ?φ' X) (inv f) (inv g)) f g›
by (fact mono_Renaming)
also have ‹… = (μ X. ?φ' X)› by (simp add: inv_Renaming ‹bij f›‹bij g›)
finally show ‹Renaming ((Λ X. φ X)⋅X) f g ⊑ (μ X. ?φ' X)›
by (subst beta_cfun[OF ‹cont φ›]) (simp add: comp_def)
qed
next
show ‹(μ X. ?φ' X) ⊑ Renaming (μ X. φ X) f g›
proof (induct rule: fix_ind[where F = ‹Λ X. ?φ' X›])
show ‹adm (λa. a ⊑ Renaming (μ x. φ x) f g)› by (simp add: monofunI)
next
show ‹⊥⊑ Renaming (μ x. φ x) f g› by simp
next
fix X assume hyp : ‹X ⊑ Renaming (μ X. φ X) f g›
hence ‹Renaming X (inv f) (inv g) ⊑ Renaming (Renaming (μ X. φ X) f g) (inv f) (inv g)›
by (fact mono_Renaming)
also have ‹… = (μ X. φ X)› by (simp add: Renaming_inv bij_is_inj ‹bij f›‹bij g›)
finally have ‹φ (Renaming X (inv f) (inv g)) ⊑ φ (μ X. φ X)› by (fact mono_φ)
hence ‹Renaming (φ (Renaming X (inv f) (inv g))) f g ⊑
Renaming (φ (μ x. φ x)) f g› by (fact mono_Renaming)
also from "**"(1) have ‹φ (μ x. φ x) = (μ X. φ X)› by presburger
finally show ‹(Λ X. ?φ' X)⋅X ⊑ Renaming (μ X. φ X) f g›
by (subst beta_cfun[OF ‹cont ?φ'›]) (simp add: comp_def)
qed
qed
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
