Quelle  Loops.thy

theory Loops
  imports Logic HOL.
begin

section java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38

  lnot where
 "lnot b σb σ

  if_then_else where
 "if_then_else b C1 C2 = If (Assume b;; C1) (Assume (lnot b);; C2)"

  low_exp where
 "low_exp e S = (∀ (∀>S. b (snd φ))"

 ws ods_fral "
 "low_ sin sm hdsfalde ls
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0

  holds_forall where
 "holds_forall b S ⟷

  holds_forallI:
 assumes "∧φ. φ ∈l_d[ pl atoc
 shows "holds_forall b S"
 using assms holds_forall by fas

 low_exp_two_cases:
  olsoal "
  "olsfralb \>
 by (metis assms holds_forall_def lnot_def low_exp_def)

  sem_assume_low_exp:
 assumes "holds_forall b S"
 shows "sem (Assume b) S = S"
 and "sem (Assume (lnot b)) S = {}"
 using assume_sem[of b S] assms holds_forall_def[of b S] apply fastforce
 using assume_sem[of "lnot b" S] assms holds_forall_def[of b and"e sm (o ;CS{"
 y atfoce

 
 assumes "old_fral S
 shows "se lnot(ob)=b
 nd "sm(Ase(ntb;;)S= }
 apply (sm ad sms_asm_lw_xp() e_sq
  by(mpa: n_e

  lnot_invol
 "lnotemsem_ifte_se
  (pho "ld_rl S==>
 fix so ln (lntb =b "
 apply sm ad i_e_s_fsm_asuelwepsq()smasm_o_pse() emif
 

 
 showsfif_snchrnie_ax
 and hld_oal ntbS <ongrightarrow  {P} C2 {Q}"
 mpd ithneed s_suelo_ep_e() easm_w_x_e()sm_f)
 by mts n_tye, paqeifig i_te_es_dflo_nltinse_asm_o_x_s()s_suelwepsq2 smi u_o_lf

 chronized_aux
 proof cs"hls_orll ")
 caseTru
 and"etil (owep )
  "⊨ e
 by (etsas0sm(2 p_ortil l_xt_cesrsmifteese2)
  qed
 haveae :"o_x S igasm()etaisE
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 show "Q (sem (if_then_else b C1 C2) S)"
 proof (cases "holds_ S"
 case Tr fi S assuas0cn (o_xp ) "
 then sow?ess
 proof cae"od_rlb )
 next
 
 then sho ?hss
 by (metis y (ei m sm( oje hp_haetie_e smfte_le1)
 next
  caae

 synchronized
 by (me s0 ss( cn_efyerha_rledflw_xptocaese_fheele))
 qed
 qed
  (rule hyp
 finitionwhe_on whr
 "hlcn C= hl (sm ;C; sm (otb"
 
 case True
 then e while_sy:
 by ( ass "\And. ⊨ {conj (I n) (holds_forall b)} Assume b;; C {conj (I (Suc n)) (low_exp b)}"
 next
 case False
 then sh nd "cn I) lowxb)S
 showscj In(wepb)(ieae_m (ssmeb C )\or>hd_oal lo )(ieaesmn Asu b;))"
  us asms
 


  while_cond where
 "while_cond b C = While (Assume b;; C);; Assume (lnot b)"


  while_synchronized_rec:
 assumes "∧t_sm (sm ; C )\or ol_oll(notb (trt_emn(sueb;C)S"
 and "conj (Iproo(asscn I ) hlsfal ) ieaeemn(smb;))
 caseTue
 usingn so ?hsi
 (dc n
 next
 then have r: "conj (I n) (low_exp b) (iterate_sem n (Assume b;; C) S) ∨
  lat
 by(etsieae_e.ip() o_nolto masm_wex_sq()
 proof (ca the how?hei
 case True by (ipadhl_orle)
 then sso tei
 qed (ato
 
  false_:
 then h assu"odfral(nt b iertsen(su b ))
  (etscnjdflw_x_w_as )
 then shows teae_e (Asme;;CS {
 (ti rteemsip() lot_vlto emssue_o_epsq(2)
 then shor (in m n abtay:nm)
 by cas(ucx
 
  pro cssx

  false_then_empty_later:
 assumes "holds_forall (lnot b) (iterate_sem n (Assume b;; C) S)"
 d m>
  by (mti nent_e Schs2Scre(1 .rm( u_e_ls ttsmsps2 _ddfnes inrdrntl n_ivlto rdramsmasm_o_epeq2
 next
  (induunat)
 thenhv m- "
 then sh usingSu.hp2yauo
 proof (ca then h tres (-)Aseb; )S={
 by (m (_yeslftg c.p1 uchp() cpem()if_u_1df_cmue)
 then so tess
 by (metis One_nat_def Suc.hyps(2) Suc.prems(1) Suc.prems(2) Suc_eq_plus1 iterate_sem.simps(2) by (metis Nat.lessE Supe(1Scpe()fSc treeip2 eaueoepq2sme)
 ext
 case uc a)
 then pr
  sho ?B\subseteq ?A"
 then have "iterate_sem (m-1) (Assume b ;; C) S = {}"
 by (metis (no_types, lifting) Suc.hyps(1) Suc.hyps(2) Suc.prem(1 if_u_ if_mmte
 then show ?t shsho"A<>  f m"
 by (metis Nat.lessE by bl
 qed
 p

  split_union_tr then hw" <> x ∈ f m›
  "((m::nat). f m) = (∪{m |m. m < n}. f m) ∪ (∪{m |m. m > n}. f m)" 
proof ?B"
  <>"
    last< ?B"
  show "?A ⊆by
  proof
    fix xassume<>
    en f m"
      by blast
    then have "m 
      by force
    then show "x ∈ ?B"
      g<> ∈ f m› by auto
  qed
qed


lemmaow_exponditerate_sem
  "sem av \And>.mn\Longrightarrow iterate_sem m (Assume b;; C) S = {}"
proof
  showm∈}. iterate_sem m (Assume b ;; C) S) ∪ iterate_sem n (Assume b ;; C) S ∪m∈
  proof
    fix y assume "y ∈
    then obtain x where "x ∈ semCf)
      ingbye
    then(>∈{<terate_sem
      by blast eemlnot)
  d
  showjava.lang.StringIndexOutOfBoundsException: Index 19 out of bounds for length 19
    by (simp add: SUP_least
qed>. ⊨rallSuc



lemmaonized_case_1
  assumes "∧m. m < n ==> holds_forall b (iterate_sem m (Assume b;; C) S)"
      dolds_forall ;)
      and "∧ (m(il(sm ;C)S)
      and "conj2ile_cond_def
    shows S = {}"
proof -
  have "∧
     assms(2) false_then_empty_later by blast
  moreover have "sem (While (Assume b;; C)) S =
  (∪{m|m. m < n}. iterate_sem Asm ;)S union iterate_sem n (Assume b ;; C) S ∪ (∪m∈{m|m. m > n}. iterate_sem m (Assume b ;; C) S)"
    ing"plit_union_tripleyts
  ultimately have "semn. ⊨I n) (holds_forall b)} Assume b ;; C conj}
    by     have)java.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 36
  moreover have "∧ ==> sem (Assume (lnot b)) (iterate_sem m (Assume b ;; C) S) = {}"
    using assms(1) sem_assume_low_exp
  thenronized_case_2
     mpem_union_swapshow
  thennd  erate_sem) S)"
    by (simp add: cal as as
  then show ?thesis
    using assms(2) sem_assume_low_exp1 b lst
qed

lemma while_ynhrie_as_2
  assumes "casesn. ¬S\>nAssumebC <>{"
      and "∧ holds_forall b (iterate_sem n (Assume\>(ume {}"
      andb mtss0o_el_x_ocss ipewl_noierc
  shows "sem (while_cond =
proof
  have "sem (WhleAsm ; S (<>n ieat_m (su b; ))"
    (add
  en( S
    byassumenot holds_forall b (iterate_sem m (Assume b ;; C)
   hesis
    (dm_assume_low_exp
qed

definitionjava.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 25
  "emp S ⟷ S = {}"

lemma holds_forall_empty
  "holds_forall casFae
  by (simp add: holds_forall_def)

definition exists where
  xists S\longleftrightarrow>(exi>n.I n S)"

theorem while_synchronized:
  assumes "∧n. ⊨ {conj (I n) (holds_forall b)} C {conj (I (Suc n)) (low_exp b)}"
  ows {conj (I 0) (low_exp b)} while_condexists
proof (qed
  fix S assume asm0: "conj (I 0) (low_exp b) S"
  have triple<>mm  ==>sem
  proof       "_l(ob ieasnAsmeb )S"
    x  menjn(s_forall
    then
      by (simpll
    then
      yetisconj (I n) (holds_forall b) S› assms hyper_hoare_tripleE sem_seq
  qed
  ow pholds_forallond
  proof_onized_rec      
     ase
   nve  
      usingesis
      by (metis∧m. m < n ==> holds_forall b (iterate_sem  Assume \>java.lang.StringIndexOutOfBoundsException: Index 114 out of bounds for length 114
    then show ?thesis
      impolds_forall_empty
  next
    case Falsesj_defholds_forall (lnot b) (iterate_sem n (Assume b ;; C) S)› conj_def
     have F: "¬ (∀ m
    have "<>n<>. m < n ⟶ holds_forall b (iterate_sem m (Assume b;; C) S)) ∧ holds_forall (lnot b) (iterate_sem n (Assume b;; C) Sjava.lang.StringIndexOutOfBoundsException: Index 170 out of bounds for length 170
ists holds_forall b (iterate_sem n (Assume b;; C)  <>iterate_sem n (Assume b;; C) S ≠ {}")
      case True
      then sid iee_e)
        
      then have "holds_forall (lnot b) (iterate_semAssumeC)
        by (metis
      oreoverm. m < n ==>te_sem"
       by a m d lrxpdlt_)
        fixmaum am "n
        show "holds_forall b (iterate_sem m (Assume b;; C) S)"
        proof (ruleontr
          assume "¬
          then have "holds_forall (lnot )terate_sem
            istwo_cases
          then union_up_to_n
            using  iterate_sem union_up_to_n C S n"
          
            using ssms <> n
        qed
     d
      matelyh ?heis
        blast
    next
      case False
      then have "< union_union_up_to_n_equiv_aux (∪
        s_forall_empty
      n esisyast
    qed
    then   show
      and "holds_forall (lnot b) (iterate_sem n (Assume b;; C) S)"
      by blast
    then have "sem (hilecnd )S tetsmn(sme;;CS
      using triple
    proof (rule while_synchronized_case_1)
    qed (simp_all add: asm0)
    moreover have "I(n. union_up_to_n C S n) = (∪
    proof (cases
       etisnoo_n
      then show ?thesis
      etis)j_def
    next
      case
      thenexperate_sem holds_forall (lnot b) (iterate_sem k (Assumeb  java.lang.StringIndexOutOfBoundsException: Index 136 out of bounds for length 136
        g_ronized_rec  asm0
      then show ?thesis (m
      proof (cases "conj (I k) (low_exp b) (iterate_sem k (Assume b ;; C) S)")
        case True
        then show
           j_def_f"w_expb c
            ><And>m. m < n ==> holds_forall b (iterate_sem m (Assume b ;; C) S)›r_e feb)S
          hoare_triple_def iees.is(lsIs_auel_e()o traee Aueb;C "
             sume
      next
        case False
        then \unionfilter_exp (lnot b) (filter_exp (lnot b) ?SU) ∪
          by (metis F Suc><And>m. m < n ==> holds_forall b (iterate_seme   <>‹conj (I k) (low_exp b) (iterate_sem k (Assume b ;; C) S) ∨ holds_forall (lnot b) (iterate_sem k (Assume b ;; C) S)›
      qed
    qed
    timately s
      by(isisj_defpsxists_defopenholds_forall (lnot b) (iterate_sem n (Assume b ;; C) S)\<close> conj_def)
  qed
qed

lemmaSync_simpler
  thenshowjava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17
  s<>{conj I (low_exp b)} while_cond b C {conj (disj I emp) (holds_forall (lnot b))}"
  using assms while_synchronized[of "\<lambda>n. I"=<>. filter_exp (lnot b) (union_up_to_n (Assume b;; C) S n) \<union> iterate_sem n (Assume b;; C) S)"
  by (simp add: disj_def Loops.exists_def conj_def hyper_hoare_triple_def)

definitionhenere
  "if_then mes

definition filter_exp where
  filter_expbS  Set.filter( \circ> ) S"

lemma filter_exp_union:
  "bS1\> 2 filter_exp unionfilter_exp b S2" (is "?A = ?B")
  by (auto simp add: filter_exp_def)

lemma filter_exp_union_general:
  "filter_exp b (\proof(nduct" n arbitrary: m n)
  by (auto simp add: filter_exp_def)

lemma filter_exp_contradict:
  "filter_exp bilter_exp S "
  by (auto simp add filter_exp_def lnot_def)

lemma filter_exp_same:
 )filter_exp ( "?A = ?"
  yautoimp:ilter_exp_def

lemma if_then_sem:
  "sem (if_then b C) S = sem C (filter_exp b S) \<union> filter_exp   using assms(1 assms(2) assms(3 upwards_closed_def by blast
  by (simp add: assume_sem filter_exp_def if_then_def sem_if sem_seq)

fun union_up_to_n where
  "union_up_to_n C S 0 = iterate_sem 0 C S"
| "union_up_to_n C S (Suc n) = iterate_sem (Suc n) byimp ending_iterate_filter

lemma union_up_to_increasing:
  assumes m\> "
  shows "
  using assms
proof (induct "n - m" arbitrary: 
  case (Suc x)
  then show ?case
    by (simp add: lift_Suc_mono_le)
qed ((

lemma "pwards_closede_loop_assertion_nwhile_loop_assertion_inf
  " C S n \subseteq \>m. iterate_sem  S"
proofjava.lang.StringIndexOutOfBoundsException: Index 16 out of bounds for length 16
  case 0
  then show ?case
    by (metis UN_upper iso_tuple_UNIV_I union_up_to_nsjava.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63
next
  case (Suc n)
  show ?case
  proof
    fix x assume "x \<in> union_up_to_n C S (Suc n)" (* \<subseteq> (\<Union>m. iterate_sem m C S) *)
    thenx \in (Suc n   \or> x\in union_up_to_n CSn"
      by simp
    then show "x ∈
      using Suc"scending "
  qed
qed

lemma union_union_up_to_n_equiv:
  "(∪n. union_up_to_n C S n) = (∪n. S n)")
proof True
  show\subseteq
    by (etis (no_types,lifting SUP_subset_mono UnCI subsetI union_up_to_n.lims)
  showsubseteq ?B"
    by (simp add: SUP_le_iff union_union_up_to_n_equiv_aux)
qed


lemma filter_exp_union_itself:
  "filter_exp bS\union> java.lang.StringIndexOutOfBoundsException: Index 33 out of bounds for length 33
  by (auto simp add "converges_setsS"

lemma iterate_sem_equiv:
  "iterate_sem m (if_then b C) S
  = filter_exp (lnot b) (union_up_to_n (Assume b;; C) S m) ∪ (∩
proofuct)
  case q bt
  have "union_up_to_nAssume b; ) S  = "
    by
  then show "iterate_semif_then  ) =filter_exp ( b) (union_up_to_nb ; C S 0 \union>iterate_sem 0 (Assume b;C S"
    by (auto simp add: filter_exp_def)
next
  case (Suc m)

  let ?S = "iterate_sem m (if_then "ascending S"
  let ?SU = "union_up_to_n (Assume b ;; C) S m"
  let ?SN
  have "iterate_sem (Suc m) (if_then b C) S = sem C (filter_exp b ?S) ∪ filter_exp (lnot b) ?S"
    by (simp add: if_then_sem)
  also have "... = sem C (filter_exp b (filter_exp (lnot b) ?SU)) ∪
  ∪ filter_exp (lnot b) ?SN"
    by (simp add: Suc filter_exp_union sem_union sup_assocproof
  also have".. sem C (fi b ?SN) ∪ filter_exp (lnot b) ?SN"
    by (metis Un_empty_left filter_exp_contradict filter_exp_same sem_union)
  moreover have "iterate_sem (Suc m) (Assume b ;; C) S = sem C (filter_exp b ?SN)"
    by (simp
  er (Assume b ;C S Suc C (filter_exp) ∪
     calculation force
  moreover have "filter_exp (lnotusing lim[of S] by auto
  = filter_exp (lnot b) (sem C (filter_exp b ?SN) ∪:
    using calculation(3) by force
  then have "... = filter_exp (lnot b) ?SU ∪ sem C (filter_exp b ?SN)"
    using filt hows " S = (<Intern
   ? <> ?A" us limit_sets_def[of S] by fastfor
    by (metis UnCI subsetI union_up_to_n.elims)
  ultimately have "filter_exp (lnotproof
  = sem C (filter_exp b ?SN filter_exp (lnot b) ?SU ∪
    using filter_exp_union[of "lnot b" ?SU ?SN]
    usingUn_commute[f " (lnot b) ?SU" "em C(ilr_x ?N)]
      sup.or usi listsde[oS yblt
  then show ?case
    using ‹then show "x \in B"
qed


lemma sem_while_with_if:
  "  (while_cond b C) S = filter_exp (lnot b) (∪

 have "(∪n. iterate_sem n (if_then b C) S)
 = (∪n. filter_exp (lnot b) (union_up_to_n (Assume b;; C) S n) ∪ iterate_sem n (Assume b;; C) S)"
 by (simp add: iterate_sem_equiv)
 also have "... = filter_exp (lnot b) (∪n. union_up_to_n (Assume b;; C) S n) ∪ (∪n. iterate_sem n (Assume b;; C) S)"
 by (simp add: complete_lattice_class.SUP_sup_distrib filter_exp_union_general)
 also have "... = filter_exp (lnot b) (∪n. iterate_sem n (Assume b;; C) S) ∪ (∪n. iterate_sem n (Assume b;; C) S)"
 by (simp add: union_union_up_to_n_equiv)
 also have "... = (∪n. iterate_sem n (Assume b;; C) S)"
 by (meson filter_exp_union_itself)
 moreover have "sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (Assume b ;; C) S)"
 by (simp add: assume_sem filter_exp_def sem_seq sem_while while_cond_def)
 ultimately show ?thesis
 by presburger
 

  iterate_sem_assume_increasing:
 "filter_exp (lnot b) (iterate_sem n (if_then b C) S) ⊆ filter_exp (lnot b) (iterate_sem (Suc n) (if_then b C) S)"
 by (auto simp add: filter_exp_def lnot_def if_then_sem)

  iterate_sem_assume_increasing_union_up_to:
 "filter_exp (lnot b) (iterate_sem n (if_then b C) S) = filter_exp (lnot b) (union_up_to_n (if_then b C) S n)"
  (induct n)
 case (Suc n)
 then show ?case
 by (metis filter_exp_union iterate_sem_assume_increasing sup.orderE union_up_to_n.simps(2))
  (simp)

(* Set becomes larger *)
definition ascending :: "(nat ==> 'b set) ==> bool" where
  "ascending S ⟷ (∀n m. n ≤ m ⟶ S n ⊆ S m)"

lemma ascendingI_direct:
  assumes "∧n m. n ≤ m ==> S n ⊆ S m"
  shows "ascending S"
  by (simp add: ascending_def assms)

lemma ascendingI:
  assumes "∧n. S n ⊆ S (Suc n)"
  shows "ascending S"
proof (rule ascendingI_direct)
  fix n m :: nat assume asm0: "n ≤ m"
  moreover have "n ≤ m ==> S n ⊆
  shows pad_oe if
    case (Suc x)
    henshow ?case
      using assms lift_Suc_mono_le by blast
  qed (simp)
  ultimately then have "S
   st
qed



definition (* forall assertions *)
  "upwards_closed" P_inf<> (<orall S'. S ⊆ S' ∧ P_inf>P_inf S)"

lemma upwards_closedI:
  assumes "∧ t_closed P P_inf <> ownwards_closed
  shows:
  using assms upwards_closed_def by blast

lemma upwards_closedE:
  assumes "upwards_closed P P_inf"
      and "ascending S"
      and "∧ limit_sets S = S_inf"
    showsonjI
  ng(assmsbyt

lemma ascending_iterate_filter:
  "ascending \lambda ile_xp(lo (nonupt_ i_h bC )"
  by ( ascendingIiterate_sem_assume_increasing iterate_sem_assume_increasing_union_up_to)


theorem while_general:
  assumes "∧ {P n} if_then b C {P (Suc n)}"
      and "∧
      and "upwards_closed Q Q_inf"
    shows "<> {P0 while_cond b C conj holds_forall b)}
proof (rule         in_limit_sets
  fixume0 S"
  then have "<proof 
    by (meson assms(1) indexed_invariant_then_power)
  then have "∧n. Q n (filter_exp (lnot b) (union_up_to_n (if_then b C) S n))"
    by (metis assms(2) assume_sem filter_exp_def hyper_hoare_triple_def iterate_sem_assume_increasing_union_up_to)
  moreover have "ascending (λn. filter_exp (lnot b) (union_up_to_n (if_then b C) S n))"
    by (simp add: ascending_iterate_filter)
  ultimately have "Q_inf (sem (while_cond b C) S)"
    by           assms) by presburger
  then have "\in x n <n> x ∉ S (max n n')"
    by (simp add: conj_def filter_exp_def holds_forall_def sem_while_with_if)
qedalse

definition while_loop_assertion_n where
  "while_loop_assertion_n C S0 n S ⟷

definition while_loop_assertion_inf where
  "while_loop_assertion_inf C S0S \longleftrightarrow>(  (<nion>. union_up_to_n  S0 n)"

(* Probably could have completeness with this? *)
lemma sh "x ∈ (range (union_up_to_n<> ∃m≥ union_up_to_nC  m"
  "upwards_closed (while_loop_assertion_n C S0) (while_loop_assertion_inf C S0)"
proofby (m UN_iff subset union_up_to_increasing)
  fix S assume asm0: "ascending S" "∀ ∪ ∃m≥ union_up_to_n C S m"
  then have "∧ \Andn \TurnstilePn if_then bC{ Suc
    by (simp add: while_loop_assertion_n_def<>n.downwards_closed ( n"\comment><pnSaifebyhpe-sein ht onteitnaly atf vrste\lose
  then have "<shows"
    by
  then "while_loop_assertion_inf C S0 (\Union rangS))"
    by (simp add: while_loop_assertion_inf_def)
qed

(* Each element is either always in the sets, or never in the sets, from some point *)
definition converges_sets where
  "converges_sets S ⟷ (∀x. ∃n. (∀m. m ≥ n ⟶ < S m)) ∨m. m ≥ (x ∉

lemma ult show "P n ( (Assume ( b)) S)"
  assumes "∧x.
  shows
  by (simp add: assms

lemma ascending_converges:
  assumes "ascending S"
  shows "converges_sets S"
proof (rule converges_setsIbyetisorder_refl)
  fix x
  showrule_while_terminates_strong
  proof (cases "x ∈n. S n)")
    case\And  <>holds_forall (lnot b) S"
    then show ?thesis
      by (meson ascending_def assms in_mono)
  qed (blast)
qed

(* Set becomes smaller *)
definition descending :: "(nat ==> 'b set) ==> hyper_hoare_tripleI)
  "descending S ⟷n m. n ≥ S n ⊆

lemma descen e ?S' = "iterate_sem m) (if_thenbC "
  assumes "descending S"
  shows "converges_sets
proof (rule converges_setsI)
  x
  show "\<    using
  proof (cases "x ∈
    case False
    then show ?thesis
      by (meson assms descending_def in_mono)
  qed (blast)
qed


definition limit_setsmetisP m (iterate_sem m (if_then b C) S)› iterate_sem_equiv)
  "limit_sets S = {x |x. ∃.\gen ⟶ (x ∈ S m)}"

lemma ume iterate_sem m (Assume b;; C) S"
  "x ∈ (∃m. <>n ⟶ (x ∈
  by (bymetisn_up_to_n

lemma ascending_limits_union:
  assumes "ascending S"
  shows "limit_sets S = (∪
proof
  owA<> ?B"ngets_def
  show "?B \<subseteq     filrep(lob unnuton sm ;C m"
  proof
    fix x assume "x ∈
    then obtain n where " lnotn. iterate_sem n (Assume b ;; C) S)
      by blast
    then havehave>. n > m ==>ate_sem
      by (mesonscending_def
    n <>java.lang.StringIndexOutOfBoundsException: Index 26 out of bounds for length 26
      using limit_sets_def[of
  qed
qed

lemma descending_limits_union:
  assumes "descending S"
  shows "limit_sets S = (∩ ?A"
proof
  ?<> ?usingyastforce
  show "?A ⊆ ?A"
  of
    fix xqed
    then obtain n where "∀ n ⟶ S m)"
      using limit_sets_def[of
    then
assmsding_def
    nshow ?B"
      by (meson INT_I ‹
  qed
qed



definition t_closed where
  closedod _n <lfrgtrw (<>S. onverges_sets S ∧ (∀n. P n (S n)) ⟶ P_inf (limit_sets S))"

lemma t_closed_implies_u_closed:
  esed_
  shows "upwards_closed P P_inf"
proofards_closedI
  fix S assume "ascending S" "\<oralln. P n (S n)"
  then"verges_sets
    using ascending_converges by blast
  then show "P_inf  thenowse
    casec
qed

(* forall assertions *)
definition
  "downwards_closedassum " ∈

(* Slight change compared to Ellora paper *)
definition_ere
  "d_closed P P_inf ⟷_l_hiff ]a2

lemma converges_to_merged:
  assumes "∧φ { P φ }"
      and "shows { (λS. <xists\ P <> S } hile_condndS. ∃ S. Q φ S) }"
    shows "converges_setshoare_tripleI
proofjI
  show "converges_sets S" using phiwhere asm0: "φ∈ b (snd φ) ∧
  show "limit_setspleEt
  proof
     ?>?A"
      by (simp add: assms(1) limit_q
    show "?A ⊆lter_expn. union_up_to_n (if_then b C) S n)"
    proof
      xsm"in?A"
      then obtain n where n_def: "∀m. m ≥
        using in_limit_sets roll_while_sem
      show "x ∈
      proof (rule ccontr)
        proof
        then obtain n' where "∀ n' ⟶ S m)"
          using assms(2) by presburger
        then have "x ∈ iterate_sem m (if_then\>d
          using n_def by astforce
        then show False by blast
      qedve (∪)
    by
  qed
qed

lemma ascending_union_up        usingopen ∈ filter_exp (lnot b) (∪
  "endingl>n union_up_to_n C S n)"
  by (simp add: ascending_def union_up_to_increasing)

(* actually ascending... *)
lemmaverges_union
  "converges_sets (λ ?B"
proof (rule       btain iterate_sem (n + m) (if_then b C) S" "¬
  fix x
  show "x ∈ ∪ (range (union_up_to_n C S)) ==>n. ∀n. x ∈
    by (meson UN_iff subset_eq union_up_to_increasing)
  show "x ∉[C]
     
qed


theoremwhile_d:
  assumes {P m} while_cond b C {Q}"
      and "upwards_closed P P_inf
      and "∧m(te )S
    shows "⊨ {P 0} while_cond b C {conj)"
  using assms(1)
proof (rule while_general)
  show "upwards_closed P P_inf"
    using assms(2) by blast
   o \Turnstile> Pn} sm l )Pn
  oofryp_or_tpl)
    fix S assume "P n S"
    moreover have "sem (Assume (lnotthenb)
      by (simp add: assume_semQsem
    ultimately show
      by (meson
  qed
qed



lemma in_union_up_to:
  "x ∈
proof (induct n)
  case (Suc n)
  then show ?case
    by (metis UnCI UnE le_SucE le_SucI order_refl union_up_to_n.simps(2))
qed


heoremle_while_terminates_strong
  assumes "∧ {(if le_cond
      and "∧ {natural_partition (λ(n::nat). if n = 0 thnPleep Aue(nt)P"
  shows "⊨ u y_ha_rlI
proof yrhretrpl)
  fix S assume asm0: "P 0 S"
  let ?S = "iterate_sem m (
  let ?S' = "iterate_sem. F (Suc n) = {}"
  ave
    using asm0 assms(1) indexed_invariant_then_power_bounded by blast
  then have "holds_forall (lnot b) ?S"java.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 42
    using assms(2) by auto
  moreover have "sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (Assume b ;; C) S)"
    by (simp add: assume_sem filter_exp_defS = ∪ (range F)›


(* this is constant *)
  then have "P m (filter_exp (lnot b) (union_up_to_n (Assume b;; C) S m) ∪_m(ssm ;C )"
open<> erate_sem_equiv

  moreover have "iterate_sem m (Assume b;; C) S ⊆
  proof
    fix x assume "x ∈
    then have "x ∈
      by (metis y (ets(ntslfnasm_e tsodfalm n_nlto ntitit1smsuelwepeq2)
    then have "x ∈
      by (simp
    then have "lnot b (snd x)"
      (lculation
    then show "x ∈
      g\<openx
      by (simp add: filter_exp_def)
  qed
  moreover have "filter_exp (lnot b) (∪
  = filter_exp (lnot b) (union_up_to_n (Assume b;; C) S m)"
  proof -
    have "∧n. n > java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3
    proof -
      fix n show "n > m ==> iterate_sem n (Assume b ;; C) S = {}"
      proof (induct "n - m - 1")
        case 0
        then show ?case
          by (metis (no_types, lifting) UnCI calculation(1) false_then_empty_later holds_forall_def iterate_sem_equiv)
      next
        case (Suc x)
        then show ?case
          by (metis (no_types, lifting) UnCI calculation(1) false_then_empty_later holds_forall_def iterate_sem_equiv)
      qed
    qed
    moreover have "union_up_to_n (Assume b;; C) S m = (∪n. union_up_to_n (Assume b;; C) S n)" (is "?A = ?B")
    proof
      show "?B ⊆ ?A"
      proof
        fix x assume "x ∈ ?B"
        then obtain n where "x ∈ union_up_to_n (Assume b;; C) S n"
          by blast
        then show "x ∈ ?A"
          by (metis calculation empty_iff in_union_up_to linorder_not_le)
      qed
    qed (blast)
    then have "(∪n. iterate_sem n (Assume b ;; C) S) = union_up_to_n (Assume b;; C) S m"
      by (simp add: union_union_up_to_n_equiv)
    then show ?thesis
      by auto
  qed
  ultimately show "P m (sem (while_cond b C) S)"
    by (simp add: ‹sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (Assume b ;; C) S)› sup.absorb1)
qed


lemma false_state_in_if_then:
  assumes "\<phi> \<in> S"
      and "\<not> b (snd \<phi>)"
    shows "\<phi> \<in> sem (if_then b C) S"
proof -
  have "\<phi> \<in> sem (Assume (lnot b)) S"
    by (metis SemAssume assms(1) assms(2) in_sem lnot_def prod.collapse)
  then show ?thesis
    by (simp add: assume_sem filter_exp_def if_then_sem)
qed

lemma false_state_in_while_cond_aux:
  assumes "\<phi> \<in> S"
      and "\<not> b (snd \<phi>)"
    shows "\<phi> \<in> iterate_sem n (if_then b C) S"
proof (induct n)
  case 0
  then show ?case
    by (simp add: assms(1))
next
  case (Suc n)
  then show ?case
    by (simp add: assms(2) false_state_in_if_then)
qed

lemma false_state_in_while_cond:
  assumes "\<phi> \<in> S"
      and "\<not> b (snd \<phi>)"
    shows "\<phi> \<in> sem (while_cond b C) S"
proof -
  have "\<phi> \<in> (\<Union>n. iterate_sem n (if_then b C) S)"
    by (simp add: assms(1) assms(2) false_state_in_while_cond_aux)
  then show ?thesis using sem_while_with_if[of b C S] assms(2)
    by (simp add: filter_exp_def lnot_def)
qed

theorem while_exists:
  assumes "\<And>\<phi>. \<Turnstile> { P \<phi> } while_cond b C { Q \<phi> }"
  shows "\<Turnstile> { (\<lambda>S. \<exists>\<phi> \<in> S. \<not> b (snd \<phi>) \<and> P \<phi> S) } while_cond b C { (\<lambda>S. \<exists>\<phi> \<in> S. Q \<phi> S) }"
proof (rule hyper_hoare_tripleI)
  fix S assume "\<exists>\<phi>\<in>S. \<not> b (snd \<phi>) \<and> P \<phi> S"
  then obtain \<phi> where asm0: "\<phi>\<in>S" "\<not> b (snd \<phi>) \<and> P \<phi> S" by blast
  then have "Q \<phi> (sem (while_cond b C) S)"
    using assms hyper_hoare_tripleE by blast
  then show "\<exists>\<phi>\<in>sem (while_cond b C) S. Q \<phi> (sem (while_cond b C) S)"
    using asm0(1) asm0(2) false_state_in_while_cond by blast
qed

lemma sem_while_cond_union_up_to:
  "sem (while_cond b C) S = filter_exp (lnot b) (\<Union>n. union_up_to_n (if_then b C) S n)"
  by (simp add: sem_while_with_if union_union_up_to_n_equiv)

lemma iterate_sem_sum:
  "iterate_sem n C (iterate_sem m C S) = iterate_sem (n + m) C S"
  by (induct n) simp_all


lemma unroll_while_sem:
  "sem (while_cond b C) (iterate_sem n (if_then b C) S) = sem (while_cond b C) S"
proof -
  let ?S = "iterate_sem n (if_then b C) S"
  have "filter_exp (lnot b) (\<Union>m. iterate_sem m (if_then b C) S) = filter_exp (lnot b) (\<Union>m. iterate_sem (n + m) (if_then b C) S)" (is "?A = ?B")
  proof
    show "?A \<subseteq> ?B"
    proof
      fix x assume "x \<in> ?A"
      then obtain m where "x \<in> iterate_sem m (if_then b C) S" "\<not> b (snd x)"
        by (auto simp add: filter_exp_def lnot_def)
      then have "x \<in> iterate_sem (n + m) (if_then b C) S"
        using false_state_in_while_cond_aux[of x "iterate_sem m (if_then b C) S" b n C] iterate_sem_sum[of n "if_then b C" m S]
        by blast
      then have "x \<in> (\<Union>m. iterate_sem (n + m) (if_then b C) S)"
        by blast
      then show "x \<in> ?B"
        using \<open>x \<in> filter_exp (lnot b) (\<Union>m. iterate_sem m (if_then b C) S)\<close>
        by (simp add: filter_exp_def)
    qed
    show "?B \<subseteq> ?A"
    proof
      fix x assume "x \<in> ?B"
      then obtain m where "x \<in> iterate_sem (n + m) (if_then b C) S" "\<not> b (snd x)"
        by (auto simp add: filter_exp_def lnot_def)
      then show "x \<in> ?A"
        using \<open>x \<in> filter_exp (lnot b) (\<Union>m. iterate_sem (n + m) (if_then b C) S)\<close>
        by (auto simp add: filter_exp_def)
    qed
  qed
  then show ?thesis
    using iterate_sem_sum[of _ "if_then b C" n S] sem_while_with_if[of b C S] sem_while_with_if[of b C ?S]
    by (simp add: add.commute)
qed


theorem while_unroll:
  assumes "\<And>n. n < m \<Longrightarrow> \<Turnstile> {P n} if_then b C {P (Suc n)}"
      and "\<Turnstile> {P m} while_cond b C {Q}"
    shows "\<Turnstile> {P 0} while_cond b C {Q}"
proof (rule hyper_hoare_tripleI)
  fix S assume "P 0 S"
  let ?S = "iterate_sem m (if_then b C) S"
  have "(\<forall>n. n < m \<longrightarrow> (\<Turnstile> {P n} if_then b C {P (Suc n)})) \<longrightarrow> P m ?S"
  proof (induct m)
    case 0
    then show ?case
      by (simp add: \<open>P 0 S\<close>)
  next
    case (Suc m)
    then show ?case
      by (simp add: hyper_hoare_triple_def)
  qed
  then have "P m ?S" using assms(1)
    by blast
  then have "Q (sem (while_cond b C) ?S)"
    using assms(2) hyper_hoare_tripleE by blast
  then show "Q (sem (while_cond b C) S)"
    by (metis unroll_while_sem)
qed








text \<open>Deriving LoopExit from NormalWhile, and ForLoop from LoopExit and Unroll\<close>

lemma while_desugared_easy:
  assumes "\<And>n. \<Turnstile> {I n} Assume b;; C {I (Suc n)}"
      and "\<Turnstile> { natural_partition I } Assume (lnot b) { Q }"
    shows "\<Turnstile> {I 0} while_cond b C { Q }"
  by (metis assms(1) assms(2) seq_rule while_cond_def while_rule)


corollary loop_exit:
  assumes "entails P (holds_forall (lnot b))"
  shows "\<Turnstile> {P} while_cond b C {P}"
proof -
  have "\<Turnstile> {(if (0::nat) = 0 then P else emp)} while_cond b C {P}"
  proof (rule while_desugared_easy[of "\<lambda>(n::nat). if n = 0 then P else emp" b C P])
    show "\<Turnstile> {natural_partition (\<lambda>(n::nat). if n = 0 then P else emp)} Assume (lnot b) {P}"
    proof (rule hyper_hoare_tripleI)
      fix S assume asm0: "natural_partition (\<lambda>(n::nat). if n = 0 then P else emp) S"
      then obtain F where "S = (\<Union>(n::nat). F n)" "\<And>(n::nat). (\<lambda>(n::nat). if n = 0 then P else emp) n (F n)"
        using natural_partitionE by blast
      then have "\<And>n. F (Suc n) = {}"
        by (metis (mono_tags, lifting) emp_def old.nat.distinct(2))
      moreover have "S = F 0"
      proof
        show "S \<subseteq> F 0"
        proof
          fix x assume "x \<in> S"
          then obtain n where "x \<in> F n"
            using \<open>S = \<Union> (range F)\<close> by blast
          then show "x \<in> F 0"
            by (metis calculation empty_iff gr0_implies_Suc zero_less_iff_neq_zero)
        qed
        show "F 0 \<subseteq> S"
          using \<open>S = \<Union> (range F)\<close> by blast
      qed
      ultimately have "P S"
        using \<open>\<And>n. (if n = 0 then P else emp) (F n)\<close> by presburger
      then show "P (sem (Assume (lnot b)) S)"
        by (metis assms entailsE sem_assume_low_exp(1))
    qed
    fix n :: nat
    show "\<Turnstile> {(if n = 0 then P else emp)} Assume b ;; C {if Suc n = 0 then P else emp}"
    proof (rule hyper_hoare_tripleI)
      fix S assume asm0: "(if n = 0 then P else emp) S"
      then show "(if Suc n = 0 then P else emp) (sem (Assume b ;; C) S)"
        by (metis (mono_tags, lifting) assms emp_def entailsE holds_forall_empty lnot_involution nat.distinct(1) sem_assume_low_exp_seq(2))
    qed
  qed
  then show ?thesis
    by fastforce
qed

corollary for_loop:
  assumes "\<And>n. n < m \<Longrightarrow> \<Turnstile> {P n} if_then b C {P (Suc n)}"
      and "entails (P m) (holds_forall (lnot b))"
    shows "\<Turnstile> {P 0} while_cond b C {P m}"
  using assms(1)
proof (rule while_unroll)
  show "\<Turnstile> {P m} while_cond b C {P m}"
    using assms(2) loop_exit by blast
qed


end