Quelle Loops.thy

Sprache: Isabelle

theory Loops
  imports Logic HOL.ellfounded Expressivitybegin
begin

section ‹Rules o os🚫

lnot where
"lnot b σ = (¬b σ)"

if_then_else where
"if_then_else b C1 C2 = If (Assume b;; C1) (Assume (lnot b);; C2)"

low_exp where
"low_exp e S = (∀φ φ'. φ ∈ = (¬)"

low_exp_lnot:
"low_exp b S ⟷ low_exp (lnot b) S"
by (simp add: lnot_def low_exp_def)

holds_forall where
"holds_forall b S ⟷φ\<inS

holds_forallI:

ws hodllb "
gasmhls_rl_e ybat

low_exp_two_cases:
assumes "low_exp b S"
shows "holds_forall b S ∨ holds_forall (lnot b)
by (metis assms holds_forall_def lnot_def low_exp_def)

sem_assume_low_exp:
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
shows "sem (Assume b) S = S"
and "sem (Assume (lnot b)) S = {}"
using assume_sem[of b S] assms holds_foralldf[fbS]apyfatre
using assume_sem[of "lnot b" S] assms holds_forall_def[of b S] lnot_def[of b]
fastforce

low_exp_two_cases:
assumes hlsfrl S
shows "hlsfl bS or>holds_forall (lnot b) S"
d"e Asue(no ); C S }"
apply (simp add: assms sem_assume_low_expby afre

assumes"ldfa S
tlno b="
smAsmeln b;C {"
applysmadasm smssmlep esq
y (i dd otde)

_fhn_le
ows"od_orlbS\Longrightarrow sem (if_then_else b C1 C2) S = sem C1 S"
f ho"nt(n )x "
apply sm ad i_he_le_e s_suelwx_e()smasm_o_x_e2smf
by (

_crieax
and osfrl lo ) 🚫sem (if_then_else b C1 C2) S = sem C2 S"
and "⊨
apply (simp ad:f_e_es_dfsm_sm_oep_q1 e_auelo_x_e()s_f
by(mi nye aqelfi)fheesd no_noui masm_oepsq()smasmelwepsq2 e_isp_tlf)
(rule hyper_hoare_tripleI)
fix S assume asm0: "P S"
then have r: "low_exp b S" using assms(3) entailsE
by metis
show lif_synch:
proof ass olfr bS
case e
eal l_xp"
by shows \Turnstile {P} if_then_else b C1 C2 {Q}"
next
case False
then show ?thess
(i s ass2 yerharetplElw_x_tocssrs_ifte_le2)
ed
hvr lo_xbS sngss( naisE

if_synchronized:
assumes "⊨ {conj P (holds_forall b)} C1 {Q}"
and "⊨ {conj P (holds_forall (lnot b))} C2 {Q}"
shows "⊨ {conj P (low_exp b)} if_then_else b C1 C2 {Q}"
lds_forallb)
ssume s: "on (oep "
thensw?hs
proof(ae "od_orl "
case Trls
how ?hes
y tiasm sm()cnjdf hprhaetile_esmi_he_le1
next
caseFlse
then show ?thesisthif_syn
metisam ss(2cjdfhyrhaetrp_dfl_xt_se se__te_le2)
qed

hl_cnwr
"hl_odb C hl(sueb; C; sum(nt)"

le_synchronized_rec
<>ns
"n I0(loex b)S
shows "cn n (owepb)(tet_smn(sueb;C \or>olsfrl(lo )iet_s sueb;C)S"
singass

java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
then have r: "conj (I n) (low_exp b) (iterat_e (sseb;) \or>hls_oallnt)(eaese (smeb;)S
by blast
then show ?case
oof(ss"oj ( olsfrlb(ieaesmn(ssm ;;C)S))
case re
ho hs
(idtn
java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 6
case False
then have "holds_forall (lnot b) (iterate_sem n (Assume b;; C) S)"
by (metis conj_def low_exp_two_cases r)
then have "iterate_sem (Suc n) (Assume b;; C) S = {}"by ba
by mt irt_e.ms2 noivlin e_sse_owes()
hensow?hei
(mpad odsfrl_df
thenhw?tsi
(o

false_then_empty_later
sumes"od_oa (nt b tre_e (sueb; )S"
and " y (t cn_d oep_ocss
ws iea_m Aueb;C S={"
by (ei teaes.sis2l_nouin e_sm_wx_e(2)
induct" nairr: m)
aseSuc)
then sqed
oof(cs )
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
then show ?t nd "
mti en_eS.hp() Scpes1 ucpem()Sc__us teat_em.im(2 e_d_dffiveslinrdrn_llntivuto rd.aymsmsumlwepsq2)
next
t
then hv "
uhs() b auo
have itrtesm(-)(Assm b; C)S={}
metis(o_yes itng u.yp()Scyp()ucpm()df_u1dfcmt)
thenso?tss
ucpes1 Sc.pes()dif_uc1iertese.smp() e_asmelo_xpse() smseq)
qed
(simp)

split_union_trnex
Su a

ow"B⊆s)df_c_ f_omt)
by blast
ow?A\subseteq?B"
proof
fix x assume "x ∈ ?A"
then obtain m where "x ∈
blast
then have q (simp
by force
nso x\in ?B"
using ‹ by auto
qed

sem_union_swap:
"sem C (∪∪m∈ f n ∪m∈ (is "?A = ?B")

show "?A ⊆
proof
fix y assume "y \in>?A
then obtain xby bl
using UN_iff in_sem[of y C] by force
then show "y n ?B"
by blast
qed
show "?B ⊆ "x \in>?A"
by (simp add: theobtain m where "x ∈
java.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 3

while_synchronized_case_1:
assumes using‹
and "holds_forall (lnot b) (iterate_sem n (Assume b;; C) S)"
and "∧
and "conj (I 0) (low_b) S"
shows "sem (while_c b C) S = iten (Assume b;; C) S"
-
ve \And>.m> n==>
using assms(2) false_then_empty_later by blast
moreover have "sem r
(∪{m|m. m < n (∪{m|m. m > n}. iterate_sem m (Assume b ;; C) S)"
using sem_while[of "Assume b;; C" S] split_union_triple by metis
ultimately have "sem (While (Assume b;; C)) S = (∪m∈{m|m. m < n ?A"
by auto
moreover have "∧ S" "y ∈ C (fx"
using assms(1) sem_assum usin UN_iff in_sem[of y C] b force
have "sem (Assume (lnot b)) \<Unionm{|m. m n}. iterm (Assume b ;; C) S) = {}"
by (simp add: sem_union_swap)
then have "se (while_cond b C) S = sem (Assume (l b)) (iterate_sem n (Assume b ;; C)S)"
by (simp add: calculation sem_seq sem_unionqed
then show ?thesis
using assms(2) sem_assume_low_exp(1) by blast

while_synchronized_case_2:
assumes "∧ SUP_upper sem_monotonic)
and "∧ {conj (I n) (holds_forab)} Assume b;; C {conj (I (S n)) (low_exp b)}"
and
lemma while_synchroniz:
-
have "sem (While (Assume b ;; C)) S = (∪n. iterate_sem n (Ass and "hold(lnot b) (iterate_sem n (Assume b;;C) S)
by (simp add: sem_while)
then have "holds_forall (e Whil Asum ; ) )"
by (metis (no_types, lifting) UN_iff assms(1) holds_forall_def)
then show ?thesis
by (simp add: sem_assume_low_exp(2) sem_seq while

emp where
"emp S ⟷

holds_forall_empty:
"holds_forall b {}"
by (simp add: holds_forall_def)

exists where
"exists I S \<longleftrightarrowusing

while_synchronized:
assumes "∧
shows "⊨m∈m sue ;C ) <ionon
(rule hyper_ho usi sem_while[of "Assume b;; C" ] splbymei
fix S assume asm0: "conj (I 0) (low_exp b) S"
have triple: "∧ {conj ( c (I (Suc n)) (low_exp b)}
proof (rule hyper_hoare_tripleI)
fix n S assume "conj (I n) (holds_forall b) S"
then h "sem (Assume b)S = S"
by (simp add: conj_def sem_assume_low_exp(1))
then show "conj (I (Suc n)) (low_exp b) (sem (Assume b ;; C) S)"
by (metis ‹m. m < n
qed
show "conj (disj (exists I) emp) (holds_forall (lnot b)) (sem (while_cond b C) S)"
proof (cases "∀(2) by blast
case True
then have "sem (while_cond b C) S = {}"
using while_synchronize[of b C S I]
by (metis (no_ by ((simpadd: sem)
then sh?thesis
then have "sem (while_con b C) S = sem (Assume (lnotb))(itera n (Assume b ;; C)
next
se le
then have F: "¬()bbat
have "∃sconzecs2
proof (ca "∃ holds_forall b (iterate_sem n (Assume b;; C) S) \and iterate_sem n (Assume b;;; C) S \noteq }"
case True
then obtain n where "¬ b;; C) S) \and iterate_sem n (ssu b;; C) S ≠
by blast
then have "holds_forall (lnot b) (iterate_sem n (Assume b;; C) S)"
y(mei am cojde lwep_w_cs rpewie_ychrnze_rc
moreover have "∧ b C) S ={}"
proof -
fix m assume asm1: "m < nie(sue b; )) =\Union.tre_e nAsmeb; )S"
show "holds_forall b (iterate_sem by simp ad sem_while)
then have "holds_forall b (sem (While (Assme b;; C)) S)"
assume "¬C S)
then have "holds_forall (lnot b) (iterate_sem m (Assume b;; C) S)"
by (metis asm0 conj_def low_exp_two_cases triple hen show ??the
then have "iterate_sem n (As by (imp add:: sem_assume_l2) sem_seq while_cond_def)

then show False
using ‹
qed
qed
ultimately show ?thesis
by blast
next
seFas
then have "\<Andby
using holds_forall_empty by "exi S\longleftrightarrow>(<ists.
then shosho "⊨ b C {conj (disj (e I) emp) (holds_forall (lnot b))}"
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7
then obtain n where "\Andm. <n holds_forall b (iterate_sm (Assume b;; C) S)"
and holds_oral (no ) trae_em n(sueb;C)S"
by blast
then have "sem (while_cond b C) S = iterate_sem n (Assume b;; fi n S assum "conj(I n)) (olds b) S"
using triple
proof (rule while_synchronized_case_1)
qed (simp_al add: asm0)
moreover have "I n (iterate_sem n (Assume b;; C) S)"
proof (cases n)
b (m ‹)
then show ?thesis
by (metis asm0 iterate_sem.simps(1) conj_def)
next
case (Suc k)
then ha sho "conj (disj (exists I) emp) (ho (lnot b)) (sem (while_con b C) S)"
using while_ynchroni[of I b C S k] asm0 triple by blast
then show ?thesis
proof (cases cas True
case True then hav "sem (while_cond b C) S = {}"
then show ?thesi
using conj_def[of _ "holds_forall b"] conj_def[of _ "low_exp b"] Suc
‹m(Asb ;; C)S)\close assms
hyper_hoare_triple_def[of ] iterate_sem.simps(2) lessI sem_assume_low_exp(1)[of b "iterate_sem k (Assume b ;; C) S"]
sem_seq[of "Assume b" C] by metis
next
case False
then show ?thesis
by (metis F Suc ‹
qed by (sim add: disj_def conj_def emp_def holds_
qed
ultimately show ?thesis
by (metis disj_de Loops.exists_def ‹)
qed

WhileSync_simpler:
assumes "\<then m. holds_forall b (iterate_sem m (Assume b;; C) S))" bysim
shows "⊨\existsn (\<orallm)"
using assms while_synchronized[of "λn. I"]
by (simp add: disj_def Loops.exists_def conj_def hyper_hoare_triple_def)

if_then where
"if_then b C = If (Assume b;; C) (Assume (lnot b))"

filter_exp where
"filter_exp b S = Set.filter (b ∘ snd) S"

filter_exp_unioxi>n. ¬S) 🪙
"filter_exp b (S1 ∪
simpad:flte_epdf

filter_exp_uni by blast
"filter_exp b (∪ n (As b;; C) S)
by (auto simp add: filter_exp_def)

filter_exp_contradict:
"filter_exp b (filter_exp (lnot b) mor have "∧ holds_forall b (iterate_sem m (Assume b;; C) S)"
y(atosim d:fite_expde no_ef

fix mssmam:" < " cco)
"filter_exp b (filter_exp b S) = filter_exp b S" (is "?A = ?B")
by (auto simp add: filter_exp_def)

if_then_sem:
"sem (if_then b C) S = sem C (filter_exp b S) ∪b)(item (Assume b;; C) S)"
by (simp add: assume_sem filter_exp_d by (meti asm0 conj_def low_exp_tw triple while_synchronized_rec)

union_up_to_n where
"union_up_to_n C S 0 = iterate_sem 0 C S"
"union_up_to_n C S (Suc n) = iter (Suc n) C S ∪

union_up_to_increasing:
sumesues"m\len
shows "union_up_to_n C S m ⊆
using qed
(induct "n - m" arbit ltim sow?ss
case (Suc x)
by b
by (simp add: lift_Suc_mono_le)
(simp)

union_union_up_to_n_equiv_aux:
"union_up_to_n C S n ⊆m. iterate_sem m C S)"
(induct n)
case 0
then s using holds_fora by fastforce
by (metis UN_upper iso_tuplethe show ??thesiusing F by blas

case (Suc n)
show ?case
proof
fix x assume "x ∈
then have "x ∈
by simp
then show "x ∈(e_odbC = irat_emnAsseb;C "
using Suc by blast
qed

union_union_up_to_n_equiv:
"∪n. iterate_sem n C S)" (is "?A = ?B")

show "?B ⊆ n)
(met(no_types, lifting) SUP_subset_mo UnCI subsetI union_up_to_.elims)
show "?A ⊆
by (simp add: SUP_le_iff u by (me asm0 iterate_sem.simps(1 conj)

thhave "conj (I k) (low_exb) (itera k (Assume b ;; C) S) ∨ b ;; C) S)"
"filter_exp b S ∪ S = S"
by (auto simp add: filter_exp_def)

iterate_sem_equiv:
"iterate_sem m (if_then b C) S
= filter_exp (lnot b) (union_up_to_n (Assu using whilesynchro[of I b C S k] a triple by blast
induct )
case 0
have "union_up_to_n (Assume b ;; C) S 0 = S"
by auto
then show "iterate_sem 0 (if_then b C) S = filter_exp (lnot b) (union_up usingconj_[of _ "holds_forall b"] conj_ef[o _ low b] u
by (auto simp add: filter \<open\ assms

case (Suc m)

let ?S = "iterte_sem m ((i_thn bC)S
let ?SU = "union_up_to_n (Assume b ;; C) S m"
let ?SN = "iterate_sem m (Assume b ;; C) S"
have "iterate_sem (Suc m) (if_then b C) S = sem hyper_hoa[of] teat_em.mp() es emssm_ow_xp(1[fb iea_smk (Asm b; )S"
by (simp ad sem_seq[of"Ass b" C] by metis
also have "... = sem C (filter_exp b (filter_exp (lnot b) ?SU)) ∪
<> filter_exp (lnot b) ?SN"
by (simp add: Suc filter_exp_union sem_union sup_assoc)
also have "... = sem C (filter_exp b ?SN) ∪ \<open\ m (Assume b ;;C)S)\<lose empty_iff false_then_empty_later holds_forall_def not_less_eq)
by (metis Un_empty_left filter_exp_contradict filter_exp_same sem_union)
moreover have "iterate_sem (Suc m) (Assume b ;; C) S = sem C (filter_exp b ?SN)"
by (simp add: assume_sem filter_exp_def sem_seq)
moreover have "union_up_to_n (Assume b ;; C) S (Suc m) = sem C (filter_exp b ?SN) ∪ ?SU"
using calculation(3) by force
moreover have "filter_exp (lnot b) (union_up_to_n (Assume b ;; C) S (Suult show ?thesis
= filter_exp (lnot b) (sem C (filter_exp b ?SN) \       (et disLoop.exi \<>holds_forall
using calculation(3) by force
then have "... = filter_exp (lnot b) ?SU ∪ sem C (filter_exp b ?SN)"
using filter_exp_union_itself[of "lnot b"] filter_exp_union[of "lnot b"] Un_commute sup_assoc by blast
moreover have "?SN ⊆ ?SU"
by (metis UnCI subsetI union_up_to_n.elims)
ultimately have "filter_exp (lnot b) ?SU ∪ sem C (filter_exp b ?SN)
= sem C (filter_exp b ?SN) ∪
using filter_exp_union[of "lnot
using Un_commute[of "f
sup.orderE sup_asslemWhileSyn:
then s ?case
using ‹filter_exp (lnot b) (sem C (filtshows "🚫

sem_while_with_if:
"sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (if_then b C) S)"
-
have "(∪n. iterate_sem n (if_then b C) S)
(🚫
by (simp add: iterate_sem_equiv)
also have "... = filter_exp (lnot b) (∪n. union_up_to_n (Assume b;; C) S n) ∪ (∪n. iterate_sem n (Assume b;; C) S)"
by (simp add: complete_lattice_class.SUP_sup_distrib filter_exp_union_general)
also have "... = filter_exp (lnot b) (∪n. iterate_sem n (Assume b;; C) S) ∪ (∪n. iterate_sem n (Assume b;; C) S)"
by (simp add: union_union_up_to_n_equiv)
also have "... = (∪n. iterate_sem n (Assume b;; C) S)"
by (meson filter_exp_union_itself)
moreover have "sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (Assume b ;; C) S)"
by (simp add: assume_sem filter_exp_def sem_seq sem_while while_cond_def)
ultimately show ?thesis
by presburger

iterate_sem_assume_increasing:
"filter_exp (lnot b) (iterate_sem n (if_then b C) S) ⊆ filter_exp (lnot b) (iterate_sem (Suc n) (if_then b C) S)"
by (auto simp add: filter_exp_def lnot_def if_then_sem)

iterate_sem_assume_increasing_union_up_to:
"filter_exp (lnot b) (iterate_sem n (if_then b C) S) = filter_exp (lnot b) (union_up_to_n (if_then b C) S n)"
(induct n)
case (Suc n)
then show ?case
by (metis filter_exp_union itdif_th wher
(simp)

(* Set becomes larger *)
definition ascending
  "ascending S ⟷

lemma ascendingI_direct:"  S= ( \circsnd
  assumes "∧n m. n ≤ m ==> S n ⊆ S m"
  shows "ascending S""ilter_exp (S1 \unionS2) = fi b S1\<>
  by (simp add: ascending_def assms)

lemma ascendingI:
  assumes "∧n. S n ⊆ S (Suc n)"
  shows "ascending S"
proof (rule ascendingI_direct)
  fix n m :: nat assume asm0: "n ≤ m"
  moreover have "n ≤
   ( " - "arbitrary)
    case (Suc x)
    then show ?case
      using assms lift_Suc_mono_le by blast
  qed (simp)
  ultimatelyadd
    by blast
qed

definition upwards_closed where
  "upwards_closed P P_inf ⟷b(fi (lnot ) S) = {}"

lemma upwards_closedI:
  assumes:filter_exp_def
  shows "upwards_closed P P_inf"
  using assms upwards_closed_def by blast

lemma upwards_closedE:
  assumes "upwards_closed P b S)= fib S"isB)
      and "ascending S"
      and "∧ by (a si add fil)
    shows "P_inf (∪
  using)assms)upwards_closed_def

lemma ascending_iterate_filter:
  "ascending (λn. filter_exp (lnot b) (union_up_to_n (if_then b C) S n))"
  by (metis ascendingI iterate_sem_assume_increasing iterate_sem_assume_increasing_union_up_to)

theorem while_general:
  assumes "∧n. ⊨ {P n} if_then b C {P (Suc n)}"
      and "∧n. ⊨ {P n} Assume (lnot b) {Q n}"
      and "upwards_closed Q Q_inf"
    shows "⊨ {P 0} while_cond b C {conj Q_inf (holds_forall (lnot b))}"
proof (rule hyper_hoare_tripleI)
  fix S assume asm0: "P 0 S"
  then have "∧n. P n (iterate_sem n (if_then b C) S)"
    by (meson assms(1) indexed_invariant_then_power
  then have "∧
    by (metis assms(2) assume_sem filter_exp_def hyper_hoare_triple_def iterate_sem_assume_increasing_union_up_to)
  moreover have "ascending (λn. filter_exp (lnot b) (union_up_to_n (if_then b C) S n))"
     (si add: scend)
  ultimately have "Q_inf (sem (while_cond b C) S)"
    by (metis (no_types, lifting) SUP_cong assms(3) filter_exp_union_general iterate_sem_assume_increasing_union_up_to sem_while_with_if upwards_closed_def)
  then show "Logic.conj Q_inf (holds_forall (lnot b)) (sem (while_cond
    by (simp add: conj_def filter_exp_def holds_forall_def"m \len"
qed

definition while_loop_assertion_n where
  "while_loop_assertion_n C S0 n S ⟷:m n)

definition while_loop_assertion_inf where
  "while_loop_assertion_inf C S0 S ⟷ (S = (∪

(* Probably could have completeness with this? *)
lemma while_loop_assertion_upwards_closed
  "pwards_closed (while_loo C S0) (whi C S0)"
proof (rule upwards_closedI)
  fixunion_up_to_n<>(<Union mC S)
  then have "∧n. S n = union_up_to_n C S0 p (induct n)
    by (simp add: while_loop_assertion_n_def)
  then have "∪ (range S) = (∪n. union_up_to_n0
    by auto
  then show "while_loop_assertion_inf C S0 (∪u.simps(1))
    by (simp add: while_loop_assertion_inf_def)
qed

(* Each element is either always in the sets, or never in the sets, from some point *)
definition converges_sets where
  "converges_sets S ⟷ (∀

lemma
  assumes "∧x. ∃ have "<> iterate_sem)CS\orx <>union_up_to_n   "
  shows "converges_sets S"
  by (simp add: assms converges_sets_def)

lemma ascending_converges:
  assumes "S
  shows "converges_sets S"
proof (rule converges_setsI)
  fix x
  show "∃n. (∀
  proof (cases "x ∈ (∪
    case True
    then "?B <> ?A"
      by (etis no_types lifting)SUP_subset_mono UnCI subsetI union_up_to_n.lims)
  qed "?A ⊆
qed

(* Set becomes smaller *)
definition descending :: "(nat ==>
  "descending S ⟷ S \union S = S"

lemma descending_converges:
  assumes "descending S"
  shows S
proof (rule converges_setsI)
  fix x
  show "∃
  proof (cases "x ∈n. S n)")
    case False
    then show ?thesis
      by p (indum)
  qed(las)
qed

definition limit_sets where
  "limit_sets S = {x |x. ∃ (Assume  ;C S0S

lemma in_limit_sets 0 (if_then bC S=filter_exp lnot (Assume b ; C)S 0)\union>iterate_sem 0 (Assume  ; C)S"
  "x <in
  case

lemma ascending_limits_union:
  assumesascending
  shows "limit_sets S = (∪
java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 5
  show "?A ⊆xpSU sem C (filter_exp b ?SN)
  show "?B ⊆ filter_exp (lnot b) (filter_exp (lnot b) ?SU) ∪
  proof
    fix x assume "x ∈ .= mfilter_exp filter_exp (lnot b) ?SU ∪
    then obtain n where "x ∈
      by blast
    then have "union_up_to_n; )S( m) = sem b ?SN<>?SU"
      by (meson ascending_def assms subsetD)
    then show "xusing(3) byforce
      gimit_sets_def
  qed
qed

lemma descending_limits_union
  assumes "descending S"
  limit_sets>. S n)" (is "?A = ?B")
proof
  show"B\subseteqA singforce
  show "?A ⊆
  proof
    fix x assume "x ∈) ∪ filter_exp (lnot b) ?SN"
    then obtain n where "∀ Un_commute[f filter_exp"em Cfie_pbS)]
      ingimite_ff ]b blst
    then have "∀
      by (meson assms descending_def lessI less_imp_le_nat subsetD)
    then<> B
      by (meson INT_I ‹
qed

t_closed where
java.lang.NullPointerException: Cannot invoke "String.equals(Object)" because "macro" is null

t_closed_implies_u_closed:
assumes "t_closed P P_inf"
shows "upas_lsd PP_if
(rule upwards_closedI)
fix S assume "ascending S" "\< w
converges_sets "
using ascending_converges by bla
then show "P_inf (∪
by (me

(* forall assertions *)
definition downwards_closed where
  downwards_closed \longleftrightarrow<>S S' <longrightarrow

(* Slight change compared to Ellora paper *)
definition d_closed where
  "d_closed P P_inf ⟷\anddo P_inf"

lemma converges_to_merged
  assumes "∧
      and "java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
    shows "converges_sets S ∧
proof (rule co)
  show "converges_sets S" using converges_setsI assms by musingassms(1) assms2) ass(3) upwards_closed_def blast
  show "limit_sets S = S_inf" (is "?A = ?B")
  proofascending(<>n.flr_e (no )(in_on(f_hnb) )"
    showmetis iterate_sem_assume_increasing iterate_sem_assume_increasing_union_up_to)
      java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
    show "?A ⊆n. ⊨
    proof
      fix x assume "x ∈ ?A"
      then obtain n where n_def: "∀\Turnstile } while_cond b C{ Q_inf( (lnotb)}
        using by metis
      show "x \fix S assu asm0: "P 0 S
      proof(rule ccontr)
        assume "x \<    by
        then obtain n' where "∀
          using(2 by presburger
        then" <> S(ma nn)\<ndx
          using n_def by fastforce
        then show Fal by blast
      qed
    qed
  qed
qed

lemma ascending_union_up:
  "ascending (λ
  by (simp add: ascending_def union_up_to_increasing)

(* actually ascending... *)
lemmawhile_loop_assertion_infC S0  \longleftrightarrow>S=(<nionn. union_up_to_nCS0 n)"
  "converges_sets (
proof
  fix x
  how ∪ C S)) \Longrightarrow>. ∀n. x ∈ C Smjava.lang.StringIndexOutOfBoundsException: Index 129 out of bounds for length 129
    byesonbset_eq
  show "x ∉ (range (union_up_to_n C S)) ==>n. ∀n. x ∉
    by blast
qed

theorem while_d:
  assumes"\And>. <> { }if_then  C P( n)}"
      and "upwards_closed P P_inf"
      and "\Andn.downwards_closed ( )"\comment><pntifd b ye-setintht ootxittil uatfovrsae<cl>
     "<Turnstile> {P 0} while_cond b C {conj P_inf (holds_forall (lnot b))}"
  using assms(1)
proof (rule while_general)
  show "upwards_closed P P_inf"
    using assms(2) by blast
  fix n show "⊨ auto
  proof show0<>(nge
    fix S assume "P n S"
    moreover have "sem (Assume (lnot b)) S ⊆ (x ∈ (∀ n ⟶ S m)))"
      by (simp
    ltimatelysemlnot
      by (meson assms(3) downwards_closed_def)
  qed
qed

lemma in_union_up_to:
  "x ∈
proof (induct n)
  case (Suc n)
  then show ?case
    by (met UnCI UnE le_SucE le_SucI o union_up_to_n.simps(2)
qed (simp)

theorem rul
  assumes "∧ (∪
      d "<>S. P S\<ongrightarrow
  shows "java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
proof (rulehyper_hoare_tripleIjava.lang.StringIndexOutOfBoundsException: Index 32 out of bounds for length 32
  fix S assume asm0 (∀ m ⟶< S m)"
  let ?S = "iterate_sem m (if_then
  et (Sucif_then  )S
  have "P m ?S"
    using asm0 assms(1) indexed_invariant_then_power_bounded S"
  then have "holds_forall (lnot b) ?S" fix x
    using assms(2) by auto
  moreover have "sem (while_cond b C) S = filter_exp (lnot b) (∪n. iterate_sem n (Assume b ;; C) S)"
    by (simp add: assume_sem filter_exp_def sem_seq sem_while while_cond_def)

(* this is constant *)
  then have "P m (filter_exp (lnot b) (union_up_to_n (Assume b;; C) S mjava.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13
    by ( ‹

moreover have "iterate_sem m (Assume b;; C) S ⊆n. ∀m m <>
proof
fix x aassum "x ∈
then have "x ∈ limit_sets S ⟷n. ∀ m e S m))"
(meUnCI union_up.elims)
then have "x ∈
by (simp add: ‹n. S n)" (is "?A = ?B")
then h
by (metis calculation(1) holds_forsh "? \subseteq usinlimit_set[of S] by auto
then show "x ∈lere lt b no_p__ Asueb;;C S)"
using ‹ ?B"
by (simp add: filter_exp_def)
qed
(lb) (∪
= filter_exp (lnot b) (union_up_to_n (Assume b;; C) S m)"
proof -
"\<Andn iteratn (Assume b ;; C) S = {}"
proof -
fix n show "n > m ==> as assms subsetD)
proof (induct "n - m - 1") hen show "x \in>?A"
case 0
then show ?case
by (metis (no_types, lifting) UnCI calculation(1) false_then_empty_later holds_forall_def iterate_sem_equiv)
next
case (Suc x)
then show ?case
by (metis (no_types, lifting) UnCI calculation(1) false_then_empty_later holds_forall_def iterate_qe
qed
qed
moreover have "union_up_to_n (Assume b;; C) S m = (∪
proof
show "?B ⊆
proof
fix x assume "x ∈
? \subseteq?" u limit_sets_def[of S] by fa
by blast
then show "x ∈
by (metis calculation empty_iff in_union_up_to linorder_not_leproo
qed
qed (blast)
then have "(∪m. m ≥ (x ∈
by (simp add: union_union_up_to_n_equiv)
then show ?thesis
by auto
qed
ultimately shoassdescend lessI less_imp_le_nat subsetD)
bythen s "x ∈

false_state_in_if_then:
assumes "φ ∈
and "¬ b (sn
shows "
-
have "φ
by (metis SemAss t_closdP _n longltrgtro>(<orall.
then show ?thesis
by (simp add: assume_sem filter_exp_de assumes "t_clos P P_nf"

f (rule upwards)
assumes "φ🚫
and "¬ b (snd φt have converS"
shows "φ
(induct n)
case 0
then show ?cas
by (simp add: assms(1))

case (Suc n)
then show ?case
by (simp add: assms(2) false_state_in_if_then)

downwards_closed where
sumesφ S"
and "¬ b (snd φ)"
shows "φ
-
have "φ dclosed whe
by (simp add: assms(1) assms(2) false_state_in_while_cond_aux)
then show ?thesis using sem_whil_it_[o bC ]asms()
by (simp add: filter_exp_def lnot_def)

while_exists:
assumes "∧. ⊨ } while_cond b C { Q φ
shows "⊨<><phi> ∈ S. ¬ b (snd φ) ∧\phi S) } wwhile_co b C { (λφ ∈
(rule hyper_hoar)
fix S assume "∃ (rule conjI
then obtain \<> S" "¬ P φ S" by blast
then have "Q φ (sem (while_cond b C) S)"
using assms hyper_hoare_triplby blast
then show "∃
show "?B ⊆

sem_while_cond_union_up_to:
"sem (while_cond b C) S = fil (lnot b) (∪
by (simp add: sem_while_with_if union_union_up_to_n_equiv)

iterate_sem_sum:
"iterate_sem n C (iterate_sem m C S) = iterate_sem (n + m) C S ix x asue " \<>
by (induct n) simp_all

unr
"sem (while_cond b C) (iterate_sem n (if_then b C) S) = sem (while_cond b C) S"
-
let ?S = "iterate_sem n (if_then b C) S"
have "filter_exp (lnot b) (∪
proof
show "?A ⊆m. m ≥ (x ∉
proof
fix x assume "x ∈ ?A"
then obtain m where "x ∈ b C) S" "\not b (snd x)"
by (auto simp add: filter_exp_def lnot_def)
then have "x ∈fas
using false_state_in_while_cond_aux[of x "iterate_sem m (if_then b C) S" b n C] iterate_sem_sum[of n "if_then b C" m S]
by blast
then have "x ∈m. iterate_sem (n + m) (if_then b C) S)
by blast
then show "x ∈
\<>xm. iterate_sem m (if_then b C) S)›
"sce (\<ambda.
qed
show "?B ⊆ conve:
proof
fix x assume "x ∈
theno m where "x ∈ b (snd x)"
by (auto simp add: filter_exp_def lnot_def)
then show "x ∈ ?A"
using ‹ ∃m≥ union_up_to_n C S m"
by (auto simp add: filter_exp_def)
qed
qed
then show ?thesis
using iterate_sem_sum[of _ "if_then b C" n S] sem_while_with_if[of b C S] sem_while_with_ifof b C ?S]
byblast

assumes "\<And
and "⊨
shows "⊨"
(rule hyper_hoare_tripleI)
fix S assume "P 0 S"
let ?S = "iterate_sem m(f_te b )"
have "(∀n. n < mc P_inf (holds_forall (lnot b)}"
proof (induct m)
case 0
then show ?case
by (simp add: ‹
next
case (Suc m)
then fix n show"\Turnstile>{ sue lot {Pn"
by (simp add: hyper_hoare_triple_d pro (rue hprhortieI
qed
then have "P m ?S" using assms(1)
by blast
then have "Q (sem (while_cond b C) ?S)"
using assms(2) hyper_hoare_tripleE by blast
then show "Q(sem (while_cond b C) S)"
by (metis unroll_while_sem)

‹

while_desugared_easy:
assumes "∧
and "⊨
shows "⊨ {I 0} while_cond b C { Q }"
by (metis assms(1) assms(2) seq_rule while_cond_def while_rule)

loop_exit:
assumes "entails P (holds_forall (lnot b))"
shows "⊨ rule_wh:
-
have "⊨i (0::nat) = 0 then P else emp)} hile_ b C {P}"
proof (rule while_desugared_easy[of "λ(n::nat). if n = 0 then P else emp" b C P])
show "⊨e el m)}Asuelotb){}"
proof rle yerhaetrpl)
fix S assume asm0: "natural_partition (λ(n::na r (rule hhyeroa_ieI
then obtain F where "S = (∪(n::nat). F n)" "∧if_then b C) S"
using natural_partitionE by blast

by (metis (mono_tags, lifting) emp_def old.nat.distinct(2ha "P m ?S"
moreover have "S = F 0"
proof
show "S ⊆
proof
fix x assume "x ∈ S"
then obtain n where "x ∈ F n"
using ‹ by blast
then show "x ∈ F 0"
by (metis calculation empty_iff gr0_implies_Suc zero_less_iff_neq_zero)
qed
show "F 0 ⊆ S"
using ‹ iterate_e m Aum ;;CS
qed
ultimately>P m (iterate_sem m (if_then b C) S)\close ter)
using
then show "P (sem (Assume (lnot b)) S)"
by (metis assms entailsE sem_assume_low_exp(1))
qed
fix n :: nat
show "⊨ iterate_sem m (Assume b;; C) S"
proof (rule hyper_hoare_tripleI)
fix S assume asm0: "(if n = 0 then P else emp) S"
then show "(if Suc n = 0 then P else emp) (sem (Assume b ;; C) S)"
(t (onoags itin) sss epdfentilsEhld_fra_emtylntivolio ntdstict1) emassmeo_x_sq2
qed
qed
then show ?thesis
by fastforce

metis calcu(1) holds_forall_def)
assumes "∧ filter_exp (lnot b) (union_up_to_n (Assume b;; C) S m)"
and "entails (P m) (h sing \ >x ∈ union_up_to_n (Assume b;; C) S m›
shows "⊨ {P 0} while_cond b C {P m}"
using assms(1)
(rule while_unroll)
show "⊨ {P m} while_cond b C {P m}"
using assms(2) loop_exit by blast

Messung V0.5 in Prozent

¤ Dauer der Verarbeitung: 0.14 Sekunden ¤

Wurzel

Suchen

Beweissystem der NASA

Beweissystem Isabelle

NIST Cobol Testsuite

Cephes Mathematical Library

Wiener Entwicklungsmethode

Haftungshinweis

Die Informationen auf dieser Webseite wurden nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit, noch Qualität der bereit gestellten Informationen zugesichert.

Bemerkung:

Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.