Quellcode-Bibliothek Expectations.thy

(*
 * Copyright (C) 2014 NICTA
 * All rights reserved.
 *)

(* Author: David Cock - David.Cock@nicta.com.au *)openExpectations are a real boolean

sectiontions

theory ppingeo.Under lication

text_rawbeginarightarrow

type_synonym real

text       T
@{typ     &  Fjava.lang.StringIndexOutOfBoundsException: Index 49 out of bounds for length 49
expectation byerm {etoding,implication
becomes comparison, as the truth tables demonstrate:
\begin{centeroorder_trans)
\begin{tabular
$a$ & $b$ & $a \rightarrow b$ & $x$ & $y$ & $x java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 F  &  F  &  T                &  0  &  0  &  T java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 F  &  T  &  T                &  0  &  1  &  T java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 T  &  F  &  F                &  1  &  0  &  F java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 T  &  T  &  T                &  1  &  1  &  T
\end{tabular}
\end{center}

\begin{figure}
\begin{center}
\mbox{
\xymatrix{
*++[o][F=]{b} & & *++[o][F=]{c} java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  & *++[o][F-]{a} \ar[ul]^{0.7} \ar[ur]_{0.3} java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
  & \ar[u]
}
}
\end{center}
\caption{\label{f:automaton_1}A probabilistic automaton}
\end{figure}

For probabilistic automata, an comparison
it were to be evaluated in the final state. For example, consider the automaton of
\autoref{f:automaton_1
= 3.0$. Both states $b$ and $c$ are final (accepting) states, and thus the `final expected value' of
$P$ in state $b$ isabbreviationentails ::"'Rightarrow> real) ==>5)
weighted sum of these, or $0.7 \times 2.0 + 0.3 \times 3.0 = 2.3$.

All expectations must be non-negative and bounded i.e. $\forall s.~0 \le P\ s$ and $\exists b.
\forall s. P\ s \le b$. Note that although every expectation must have a bound, there is no bound on
all expectations; In particular, the following series has no global bound, although each element is
clearly bounded:
\begin{displaymath}
P_i = \lambda s.\ i\quad\text{where}\ i \in \mathbb{N}
\end{displaymath}
\<close>

subsection ‹Bounded Functions›

definition bounded_by :: "real ==> ('a ==> real) ==> bool"
where "bounded_by b P ≡ ∀x. P x ≤ b"

text ‹By instantiating the classical reasoner, both establishing and appealing to boundedness
is largely automatic.›

lemma bounded_byI[intro]:
  "[ ∧x. P x ≤ b ]
  by (simp add:bounded_by_def)

lemma bounded_byI2 entailsI
  "P ≤ (λs. b) ==> bounded_by b P"
  by (blast dest:le_funD)

lemmabounded_byDdest
  "bounded_by b P ==> P x ≤ b"
  by (simp add:bounded_by_def)

lemma bounded_byD2[dest]:
  "bounded_by b P ==>)
  by (blast intro:le_funI)

text ‹A function is bounded if there exists at least one upper bound on it.›

definition bounded :: "('a ==> reallemma[]
where     "bounded P ≡ (∃b. bounded_by b P)"

text ‹

  bound_of :: "('a ==> real) ==> real"
  "bound_of P ≡ Sup (P ` UNIV)"

  bounded_bdd_above[intro]:
 assumes bP: "bounded P"
 shows "bdd_above (range P)"
 
 fix x assume "x ∈ range P"
 with bP show "x ≤ Inf {b. bounded_by b P}"
 unfolding bounded_def by(auto intro:cInf_greatest)
 

  ‹The least upper bound has the usual properties:›
  bound_of_least[intro]:
 assumes bP: "bounded_by b P"
 shows "bound_of P ≤ b"
 unfolding bound_of_def
 using bP by(intro cSup_least, auto)

  bounded_by_bound_of[intro!]:
 fixes P::"'a ==> real"
 assumes bP: "bounded P"
 shows "bounded_by (bound_of P) P"
 unfolding bound_of_def
 using bP by(intro bounded_byI cSup_upper bounded_bdd_above, auto)

  bound_of_greater[intro]:
 "bounded P ==> P x ≤
 by (blast intro:bounded_byD)

  bounded_by_mono:
 "[ bounded_by a P; a ≤ b ]lem eq_e[in]:
 unfolding bounded_by_def by(blast intro:order_trans)

  bounded_by_imp_bounded[intro]:
 "bounded_by b P ==> bounded P"
 unfolding bounded_def by(blast)

  ‹

  bounded_by_bound_of_alt:
 "[ bounded P; bound_of P = a ] ==> bounded_by a P"
 by (blast)

  bounded_const[simp]:
 "bounded (λx. c)"
 by (blast)

  bounded_by_const[intro]:
 "c ≤ b ==> bounded_by b (λx. c)"
 by (blast)

  bounded_by_mono_alt[intro]:
 "[ bounded_by b Q; P ≤ Q ] ==> bounded_by b P"
 by (blast intro:order_trans dest:le_funD)

  bound_of_const[simp, intro]:
 "bound_of (λx. c) = (c::real)"
 unfolding bound_of_def
 by(intro antisym cSup_least cSup_upper bounded_bdd_above bounded_const, auto)

  bound_of_leI:
 assumes "∧x. P x ≤ (c::real)"
 shows "bound_of P ≤ c"
 unfolding bound_of_def
 using assms by(intro cSup_least, auto)

  bound_of_mono[intro]:
 "[ P ≤ Q; bounded P; bounded Q ] ==>
 by (blast intro:order_trans dest:le_funD)

  bounded_by_o[intro,simp]:
 "∧b. bounded_by b P ==> bounded_by b (P o f)"
 unfolding o_def by(blast)

  le_bound_of[intro]:
 "∧
 by(blast)

  ‹ t

  ‹The definitions for non-negative functions are analogous to those for bounded functions.›

 
 nneg :: "('a ==> 'b::{zero,order}) ==> bool"
 
 "nneg P ⟷ (∀

  nnegI[intro]:
 "[ ∧x. 0 ≤ P x ] ==> nneg P"
 by (simp add:nneg_def)

  nnegI2[intro]:
 "(λs. 0) ≤ P ==> nneg P"
 by (blast dest:le_funD)

  nnegD[dest]:
 "nneg P ==> 0 ≤ P x"
 by (simp add:nneg_def)

  nnegD2[dest]:
 "nneg P ==> (λs. 0) ≤ P"
 by (blast intro:le_funI)

  nneg_bdd_below[intro]:
 "nneg P ==> bdd_below (range P)"
 by(auto)

  nneg_const[iff]:
 "nneg (λx. c) ⟷ 0 ≤. P s ==>P\guillemotrightt> «
 by (simp add:nneg_def)

  nneg_o[intro,simp]:
 "nneg P ==> nneg (P o f)"
 by (force)

  nneg_bound_nneg[intro]:
 "[ bounded P; nneg P ] ==> 0 ≤ bound_of P"
 by (blast intro:order_trans)

  nneg_bounded_by_nneg[dest]:
 "[ bounded_by b P; nneg P ] ==> 0 ≤ (b::real)"
 by (blast intro:order_trans)

  bounded_by_nneg[dest]:
 fixes P::"'s ==> real"
 shows "[
 by (blast intro:order_trans)

  ‹Sound Expectations›

  sound :: "('s ==> real) ==>
  "sound P ≡ bounded P ∧ nneg P"

  ‹
  classical reasoner and the simplifier, such that showing soundess, or deriving a simple
  (e.g. @{term "sound P ==> 0 ≤ P s"}) will usually follow by blast, force or simp.›gQ¬Q "

  soundI:
 "[ bounded P; nneg P ] ==> sound P"
 by (simp add:sound_def)

  soundI2[intro]:
 "[ bounded_by b P; nneg P ] ==> sound P"
 by(blast intro:soundI)

  sound_bounded[dest]:
 "sound P ==> bounded P"
 by (simp add:sound_def)

  sound_nneg[dest]:
 "sound P ==> nneg P"
 by (simp add:sound_def)

  bound_of_sound[intro]:
 assumes sP: "sound P"
 shows "0 ≤ bound_of P"
 using assms by(auto)

  ‹
  and eliminate soundness terms.›

  sound_sum[simp,intro]:
 assumes sP: "sound P" and sQ: "sound Q"
 shows "sound (λs. P s + Q s)"
 
 from sP have "∧s. P s ≤ bound_of P" by(blast)
 moreover from sQ have "∧s. Q s ≤
 ultimately have "∧s. P s + Q s ≤ ‹
 by(rule add_mono)
 thus "bounded_by (bound_of P + bound_of Q) (λs. P s + Q s)"
 by(blast)

 from sP have "∧s. 0 ≤
 moreover from sQ have "∧s. 0 ≤ Q s" by(blast)
 ultimately have "∧s. 0 ≤ P s + Q s" by(simp add:add_mono)
 thus "nneg (λs. P s + Q s)" by(blast)
 
  :: "r "real \Rightarrowr 🚫
  mult_sound:
 assumes sP: "sound P" and sQ: "sound Q"
 shows "sound (λs. P s * Q s)"
 
 from sP have "∧
 moreover from sQ have "∧s. Q s ≤ bound_of Q" by(blast)
 ultimately have "∧.&q 🚫
 using sP and sQ by(blast intro:mult_mono)
 thus "bounded_by (bound_of P * bound_of Q) (λs. P s * Q s)" by(blast)

 from sP and sQ show "nneg (λs. P s * Q s)"
 by(blast intro:mult_nonneg_nonneg)
 

  div_sound:
 assumes sP: "sound P" and cpos: "0 < c
 shows "sound (λs. P s / c)"
 
 from sP and cpos have "∧s. P s / c ≤s \Rightarrowr) \<Rightarrow 
 by(blast intro:divide_right_mono less_imp_le)
 thus "bounded_by (bound_of P / c) (λs. P s / c)" by(blast)
 from assms show "nneg (λs. P s / c)"
 by(blast intro:divide_nonneg_pos)
 

  tminus_sound:
 assumes sP: "sound P" and nnc: "0 ≤ c"
 shows "sound (λs. P s ⊖ c)"
 (rule soundI)
 from sP have "∧s. P s ≤ bound_of P" by(blast)
 with nnc have "∧s. P s ⊖ c ≤ bound_of P ⊖ c"
 by(blast intro:tminus_left_mono)
 thus "bounded (λs. P s ⊖ c)" by(blast)
 show "nneg (λs. P s ⊖ c)" by(blast)
 

  const_sound:
 "0 ≤ c ==> sound (λs. c)"
 by (blast)

 ]:
 "sound P ==> sound (P o f)"
 unfolding o_def by(blast)

  sc_bounded_by[intro,simp]:
 "[ sound P; 0 ≤
 by(blast intro!:mult_left_mono)

  sc_bounded[intro,simp]:
 assumes sP: "sound P" and pos: "0 ≤ c"
 shows "bounded (λx. c * P x)"
 using aassms by(blast)

  sc_bound[simp]:
 assumes sP: "sound P"
 and cnn: "0 ≤ c"
 shows "c * bound_of P = bound_of (λx. c * P x)"
 (cases "c = 0")
 case Ttheshow ?tby(sim
 
 case False with cnn have cpos: "0 < c" by(auto)
 show ?thesis
 proof (rule antisym)
 from sP and cnn have "bounded (λx ( the o assoc and commutativity).\close
 hence "∧x. c * P x ≤ bound_of (λx. c * P x)"
 by(rule le_bound_of)
 with cpos have "∧
 by(force intro:mult_div_mono_right)
 hence "bound_of P ≤ inverse c * bound_of (λx. c * P x)"
  bybla)
 with cpos show "c * bound_of P ≤ bound_of (λx. c * P x)"
 by(force intro:mult_div_mono_left)
 next
 from sP and cpos have "∧x. c * P x ≤ c * bound_of P"
 by(blast intro:mult_left_mono less_imp_le)
 thus "bound_of (λx. c * P x) ≤ c * bound_of P"
 by(blast)
 qed
 

  sc_sound:
 "[ sound P; 0 ≤ c ] ==> sound (λs. c * P s)"
 by (blast intro:mult_nonneg_nonneg)

  bounded_by_mult:
 assumes sP: "sound P" and bP: "bounded_by a P"
 and sQ: "sound Q" and bQ: "bounded_by b Q"
 shows "bounded_by (a * b) (λs. P s * Q s)"
 using assms by(intro bounded_byI, auto intro:mult_mono)

  bounded_by_add:
 fixes P::"'s ==> real" and Q
 assumes bP: "bounded_by a P"
 and bQ: "bounded_by b Q"
 shows "bounded_by (a + b) (λs. P s + Q s)"
 using assms by(intro bounded_byI, auto intro:add_mono)

  sound_unit[intro!,simp]:
 "sound (λs. 1)"
 by(auto)

  unit_mult[intro]:
 assumes sP: "sound P" and bP: "bounded_by 1 P"
 and sQ: "sound Q" and bQ: "bounded_by 1 Q"
 shows "bounded_by 1 (λs. P s * Q s)"
 (rule bounded_byI)
 fix s
 have "P s * Q s ≤ 1 * 1"
 using assms by(blast dest:bounded_by_mult)
 thus "P s * Q s ≤ 1" by(simp)
 

  sum_sound:
 assumes sP: "∀x∈0"
 shows "sound (λs. ∑x∈S. P x s)"
 (rule soundI2)
 from sP show "bounded_by (∑x∈S. bound_of (P x)) (λs. ∑x∈S. P x s)"
 by(auto intro!:sum_mono)
 from sP show "nneg (λs. ∑x∈S. P x s)"
 by(auto intro!:sum_nonneg)
 

  ‹Unitary expectations›

  ‹A unitary expectation is a sound expectation that is additionally bounded by one. This
  the domain on which the \emph{liberal} (partial correctness) semantics operates.›

  unitary :: "'s expect ==>,s:
  "unitary P ⟷ sound P ∧ bounded_by 1 P"

  unitaryI[intro]:
 "[ sound P; bounded_by 1 P ]"\<e 
 by(simp add:unitary_def)

  unitaryI2:
 "[ nneg P; bounded_by 1 P ] ==> unitary P"
 by(auto)

  unitary_sound[dest]:
 "unitary P ==> sound P"
 by(simp add:unitary_def)
 
  unitary_bound[dest]:
 "unitary P ==> bounded_by 1 P"
 by(simp add:unitary_def)

  ‹Standard Expectations›
  ‹

 
 embed_bool :: "('s ==> bool) ==> 's ==> real" (‹
 
 "«P¬Longrigh b& 1 = b

  ‹Standard expectations are the embeddings of boolean predicates, mapping @{term False} to 0
  @{term True} to 1. We write @{term "«
 🍋‹"McIver_M_0

  embed_bool_nneg[simp,intro]:
 "nneg «P¬"
 unfolding embed_bool_def by(force)

  embed_bool_bounded_by_1[simp,intro]:
 "bounded_by 1 «P¬"
 unfolding embed_bool_def by(force)

  embed_bool_bounded[simp,intro]:
 "bounded «\<> 
 by (blast)

  ‹Standard expectations have a number of convenient properties, which mostly follow from
  algebra.›

  embed_bool_idem:
 "«P¬ s * «P¬ s = «P¬ s"
 by (simp add:embed_bool_def)

  eval_embed_true[simp]:
 "P s ==> «P¬ s = 1"
 by (simp add:embed_bool_def)

  eval_embed_false[simp]:
 "¬P s ==> «P¬ s = 0"
 by (simp add:embed_bool_def)

  embed_ge_0[simp,intro]:
 "0 ≤ «G¬ s"
 by (simp add:embed_bool_def)

  embed_le_1[simp,intro]:
 "«G¬ s ≤ 1"
 by(simp add:embed_bool_def)

  embed_le_1_alt[simp,intro]:
 "0 ≤ 1 - «G¬
 by(subst add_le_cancel_right[where c="«G¬ s", symmetric], simp)

  expect_1_I:
 "P x ==> 1 ≤ «P¬ x"
 by(simp)

  standard_sound[intro,simp]:
 "sound «P¬"
 by(blast)

  embed_o[simp]:
 "«
 unfolding embed_bool_def o_def by(simp)

  ‹Negating a predicate has the expected effect in its
  as an expectation:›

  negate :: "('s🚫
  "negate P = (λs. ¬ P s)"

  negateI:
 "¬ P s ==> N P s"
 by (simp add:negate_def)

  embed_split:
 "f s = «P¬ s * f s + «N P¬ s * f s"
 by (simp add:negate_def embed_bool_def)

  negate_embed:
 "«N P¬ s = 1 - «P¬ s"
 by (simp add:embed_bool_def negate_def)

  eval_nembed_true[simp]:
 "P s ==> «N P¬ s = 0"
 by (simp add:embed_bool_def negate_def)

  eval_nembed_false[simp]:
 "¬P s ==> «N P¬ s = 1"
 by (simp add:embed_bool_def negate_def)

  negate_Not[simp]:
 "N Not = (λx. x)"
 by(simp add:negate_def)

  negate_negate[simp]:
 "N (N P) = P"
 by(simp add:negate_def)

 _bool_cance
 "«G¬ s * «N G¬ s = 0"
 by(cases "G s", simp_all)

  ‹Entailment›
  ‹

  ‹Entailment on expectations is a generalisation of that on predicates, and is defined by
  comparison:›

  entails :: "('s ==> real) ==> ('s ==> real) ==> bool" (‹_ ⊨!!! _› 50)
  "P ⊨!!!

  entailsI[intro]:
 "[∧s. P s ≤ Q s] ==>
 by(simp add:le_funI)

  entailsD[dest]:
  \<> 
 by(simp add:le_funD)

  eq_entails[intro]:
 "P = Q ==> P ⊨!!! Q"
 by(blast)

  entails_trans[trans]:
 "[ P ⊨!!!
 by(blast intro:order_trans)

  ‹For standard expectations, both notions of entailment coincide. This resunfolding pconj_de tminus_def by()
  claim that our definition generalises predicate entailment:›

  implies_entails:
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "brackoff" is null
 by(rule entailsI, case_tac "P s", simp_all)

  entails_implies:
 "∧s. [ «P¬ ⊨!!!
 by(rule ccontr, drule_tac s=s in entailsD, simp)

  ‹

 
 pconj :: "real ==> real ==> real" (infixl ‹
 
 "p .& q ≡ p + q ⊖ 1"

 
 exp_conj :: "('s ==> real) ==> ('s ==> real) ==> ('s ==> real)" (infixl ‹
  "a && b ≡ λs. (a s .& b s)"

  ‹
  expected properties are preservelemma pconj_less_[sim]:
  (in the case of associativity and commutativity).›

  pconj_lzero[intro,simp]:
 "b ≤ 1 \Longrightarrowa .& b = 0"
 by(simp add:pconj_def tminus_def)

  pconj_rzero[intro,simp]:
 "b ≤ 1 ==> b .& 0 = 0"
 by(simp add:pconj_def tminus_def)

  pconj_lone[intro,simp]:
 "0 ≤ b ==> 1 .& b = b"
 by(simp add:pconj_def tminus_def)

  pconj_rone[intro,simp]:
 "0 ≤ b ==> b .& 1 = b"
 by(simp add:pconj_def tminus_def)

  pconj_bconj:
 "«a¬ s .& «b¬ s = «λs. a s ∧
 unfolding embed_bool_def pconj_def tminus_def by(force)

  pconj_comm[ac_simps]:
 "a .& b = b .& a"
 by(simp add:pconj_def ac_simps)

  pconj_assoc:
 "[ 0 ≤ a; a ≤ 1; 0 ≤"1 \le a + b==>
 a .& (b .& c) = (a .& b) .& c"
 unfolding pconj_def tminus_def by(simp)

  pconj_mono:
 "[ a ≤ b; c ≤ d ] ==>
 unfolding pconj_def tminus_def by(simp)

  pconj_nneg[intro,simp]:
 "0 ≤ a .& b"
 unfolding

  min_pconj:
 "(min a b) .& (min c d) ≤ min (a .& c) (b .& d)"
 by(cases "a ≤ b",
 (cases "c ≤ d",
 simp_all add:min.absorb1 min.absorb2 pconj_mono)[],
 (cases "c ≤ d",
 simp_all add:in.a.absor min.abso pconj_mono))

  pconj_less_one[simp]:
 "a + b < 1 ==> a .& b = 0"
 unfolding pconj_def by(simp)

  pconj_ge_one[simp]:
 "1 ≤ a + b ==> a .& b = a + b - 1"
 unfolding pconj_def by(simp)

  pconj_idem[simp]:
 "«P¬ s .& «P¬ s = «P¬ s"


  ‹ 🚫

  exp_conj_mono_left:
 "P ⊨!!!
 unfolding exp_conj_def pconj_def
 by(auto intro:tminus_left_mono add_right_mono)

  exp_conj_mono_right:
 "Q ⊨!!!
 unfolding exp_conj_def pconj_def
 by(auto intro:tminus_left_mono add_left_mono)

  exp_conj_comm[ac_simps]:
 "a && b = b && a"
 by(simp add:exp_conj_def ac_simps)

  exp_conj_bounded_by[intro,simp]:
 assumes bP: "bounded_by 1 P"
 and bQ: "bounded_by 1 Q"
 shows "bounded_by 1 (P && Q)"
 (rule bounded_byI, unfold exp_conj_def pconj_def)
 fix x
 from bP have "P x ≤ 1" by(blast)
 moreover from bQ have "Q x ≤ 1" by(blast)
 ultimately have "P x + Q x \unfoldinge pconj_def
 thus "P x + Q x ⊖ 1 ≤ 1"
 unfolding tminus_def by(simp)
 

  exp_conj_o_distrib[simp]:
 "(P && Q) o f = (P o f) && (Q o f)"
 unfolding exp_conj_def o_def by(simp)

  exp_conj_assoc:
 assumes "unitary P" and "unitary Q" and "unitary R"
 shows "P && (Q && R) = (P && Q) && R"
 unfolding exp_conj_def
 (rule ext)
 fix s
 from assms have "0 ≤ P s" by(blast)
 moreover from h "0 e
 moreover from assms have "0 ≤ R s" by(blast)
 moreover from assms have "P s ≤ 1" by(blast)
 moreover from assms have "Q s ≤ 1"mQ \<tturnstile 
 moreover from assms have "R s ≤ 1" by(blast)
 ultimately
 show "P s .& (Q s .& R s) = (P s .& Q s) .& R s"
 by(simp add:pconj_assoc)
 

  exp_conj_top_left[simp]:
 "sound P ==> «λ_. True¬ && P = P"
 unfolding exp_conj_def by(force)

  exp_conj_top_right[simp]:
 "sound P ==> P && «λ
 unfolding exp_conj_def by(force)

  exp_conj_idem[simp]:
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null
 unfolding exp_conj_def
 by(rule ext, cases "P s", simp_all)

  exp_conj_nneg[intro,simp]:
 "(λs. 0) ≤pro(rule bounded_b, exp_ pcon)
 unfolding exp_conj_def
 by(blast intro:le_funI)

  exp_conj_sound[intro,simp]:
 assumes s_P: "sound P"
  and s_Q:: "soun Q""
 shows "sound (P && Q)"
 unfolding exp_conj_def
 (rule soundI)
 from s_P and s_Q have "∧s. 0 ≤ bP have " x≤
 hence "∧s. P s .& Q s ≤ P s + Q s"
 unfolding pconj_def by(force intro:tminus_less)
 also from assms have "∧s. ... s ≤ bound_of P + bound_of Q"
 by(blast intro:add_mono)
 finally have "bounded_by (bound_of P + bound_of Q) (λs. P s .& Q s)"
 by(blast)
 thus "bounded (λs. P s .& Q s)" by(blast)

 show nneg (<lambdas
 unfolding pconj_def tminus_def by(force)
 

  exp_conj_rzero[simp]:
 "bounded_by 1 P ==> P && (λs. 0) = (λs. 0)"
 unfolding exp_conj_def by(force)

  exp_conj_1_right[simp]:
 assumes nn: "nneg A"
 shows "A && (λ_. 1) = A"
 unfolding exp_conj_def pconj_def tminus_def
 (rule ext, simp)
 fix s
 from nn thus "P x + Q x⊖
 thus "max (A s) 0 = A s" by(force)
 

  exp_conj_std_split:
 "«λs. unfol tminus_d bysimp
 unfolding exp_conj_def embed_bool_def pconj_def
 by(auto)

  ‹

  ‹Meta-conjunctiont
  expectation conjunction:›
 :
 assumes ePR: "P ⊨!!! R"
 and eQS: "Q ⊨!!! S"
 shows "P && Q ⊨!!!)"
 (rule le_funI)
 fix s
 from ePR have "P s ≤ R s" by(blast)
 moreover from eQS have "Q s ≤ S s" by(blast)
 ultimately have "P s + Q s ≤ R s + S s" by(rule add_mono)
 hence "P s + Q s ⊖ 1 ≤
 thus "(P && Q) s ≤ (R && S) s"
 unfolding exp_conj_def pconj_def .
 

  ‹
  the pre-expectation.›
  pentails_cases:
 assumes PQe: "∧ exp_conj_assoc:
 and exhaust: "∧s. Q"and "un R"
 and framed: "∧x. P x && R ⊨!!! Q x && S"
 and sR: "sound R" and sS: "sound S"
 and bQ: "∧x. bounded_by 1 (Q x)"
 shows "R ⊨!!!& R = = P &&Q) &&R"
 (rule le_funI)
 fix s
 from exhaust obtain x where P_xs: "P x s = 1" by(blast)
 moreover {
 hence "1 = P x s" by(simp)
 also from PQe have "P x s ≤ Q x s" by(blast dest:le_funD)
 finally have "Q x s = 1"
 using bQ by(blast intro:antisym)
 }
 moreover note le_funD[OF framed[where x=x], where x=s]
 moreover from sR have "0 ≤ R s" by(blast)
 moreover from ssS have " 🪙
 ultimately show "R s ≤ S s" by(simp add:exp_conj_def)
 

  unitary_bot[iff]:
 "unitary (λs. 0::real)"
 by(auto)

  unitary_top[iff]:
 "unitary (λs. 1::real)"
 by(auto)

  unitary_embed[iff]:
 "unitary «P¬"
 by(auto)

  unitary_const[iff]:
 "[ 0 ≤ c; c ≤ 1 ] ==> unitary (λs. c)"
 by(auto)

  unitary_mult:
 assumes uA: "unitary A" and uB: "unitary B"
 shows "unitary (λs. A s * B s)"
 (intro unitar mormoreover from as as h "0 e
 fix s
 from assms have nnA: "0 ≤ A s" and nnB: "0 ≤ B s" by(auto)
 thus "0 ≤from asa h " ≤
 from assms have "A s ≤ 1" and "B s ≤ 1" by(auto)
 with nnB have "A s * B s ≤ 1 * 1" by(intro mult_mono, auto)
 also have "... = 1" by(simp)
 finally show "A s * B s ≤ 1" .
 

  exp_conj_unitary:
 "[ unitary P; unitary Q ] ==> unitary (P && Q)"
 by(intro unitaryI2 nnegI2, auto)

  unitary_comp[simp]:
 "unitary P ==> unitary (P o f)"
 by(intro unitaryI2 nnegI bounded_byI, auto simp:o_def)

  unitary_intros =
 unitary_bot unitary_top unitary_embed unitary_mult exp_conj_unitary
 unitary_comp unitary_const

  sound_intros =
 mult_sound div_sound const_sound sound_o sound_sum
 tminus_sound sc_sound exp_ sum_so