(* Author: David Cock - David.Cock@nicta.com.au *)
section
theory Continuity imports
text‹We rely on one additional healthiness property, continuity, which is shown here separately,
its proof relies, in general, on healthiness. It is only relevant when a program appears
an inductive c
‹Continuity› >e rely on one additional healthiness property, continuity, which is shown here seperately,
bd_cts :: "'s trans ==> bool"
"bd_cs t =(∀. (∀i. (M i ⊨!!! M (Suc i)) ∧ sound (M i)) ⟶
(∃
t (Sup_exp (range M)) = Sup_exp (range (t o M)))"
bd_ctsD:
t (Sup_exp (range ) = Sup_p(range (t o M))"
unfolding bd_cts_def by(auto)
bd_ctsI:
"(∧b. ∀lo
t (Sup_exp (range M)) = Sup_exp (range (t o M))) ==>"[i. M i ⊨!!!i. sound (M i;<>i
unfolding bd_cts_def by(auto)
‹
bd_cts_tr :: "('s trans ==> 's trans) ==> bool"
"bd_cts_tr T = (∀i. le_trans (M i) (M (Suc i) 🪙
equiv_trans (T (Sup_trans (M ` UNIV))) (Sup_trans ((T o M) ` U
"(\Andb M. (\<>i (∧ (M i)) ==>And>>i. bounded_by b (M i)) ==>
"[ bd_cts_tr T; ∧ (M i) (M (Suc i)); ∧ i) ]
equiv_trans (T (Sup_trans (M ` UNIV))) (Sup_trans ((T o M) ` UNIV))"
by(simp add:bd_cts_tr_def)
bd_cts_trI:
"(∧M. (∧rang M)) = Sup_exp (range (t o M M))) \<Longrightarrow
equiv_trans nfolding bd_ctsdef by(auto)
by(simpdd:d_cs_tr_def)
cts_wp_Abort:
"d_cts (wp Abrt:' prog))"
-
have X: "range (λdefinition bd_cd_cts_t : ('s rns ==> 's trns \Rightarrow>o"
show ?thesis by(intr "bd_cst T = (∀i. le_trans (M i) M Sci \andfabl M) ⟶
(* Continuity of Apply: wp (Apply f) satisfies bd_cts, i.e. it commutes with
   Sup_exp over range M; the side conditions on M are those of bd_cts_def.
   NOTE(review): the leading lemma/proof/qed keywords appear to be missing from
   this listing -- confirm against the original theory file. *)
cts_wp_Apply:
"bd_cts (wp (Apply f))"
-
(* X: evaluating every member of range M at (f s) gives the same set as
   evaluating the pre-composed family (λi s. M i (f s)) at s. *)
have X: "∧M s. {P (f s) |P. P ∈ range M} = {P s |P. P ∈ range (λi s. M i (f s))}" by(auto)
(* bd_ctsI is the introduction rule for bd_cts and ext makes the equation
   pointwise; simp then unfolds wp_eval, o_def and Sup_exp_def and rewrites
   with X. *)
show ?thesis by(intro bd_ctsI ext, simp add:wp_eval o_def Sup_exp_def X)
cts_wp_:
of the underlying operation (here infimum). This is typical of the re of the
ctsI, simp add:wp_def Skip_df o_de
:
fixes a"dc w(pl )
assumes ca: "bd_ctshave X: "\<AndM range M} = {P s |P. P ∈ range (λi s. M i (f s))}" by(auto)
and cb: "bd_cts (wp b)"
and ha: "healthy (wp a)"
and hb: "healthy (wp b)"
shows "bd_cts (wp (a ⊓ b))"
(rule bd_ctsI, rule antisym)
fix M::"nat ==> show ?t?thesis bby(intro bd_ctsI ext, simp add:wp_eval o_def SSup_e X)
nd>i. bounded_by c (M i)"
from ha hb have hab: "healthy (wp (a ⊓
from bM have leSup: "∧\tturnstile> Sup_exp (range M)" by(auto intro:Supexp_up)
from sM bM have sSup: "sound (Sup_exp (range M))" by(auto intro:Sup_exp_sound)
show "Sup_exp (range (wp (a ⊓M::"nat ==>
proof(rule Sup_exp_least, clarsimp, rule le_funI)
fix i s
from mono_transD[OF healthy_monoD[OF hab]] leSup sM sSup
have "wp (a ⊓i. bounded_by c (M i)"
thus "wp (a(a \Sqinter> b) M i) <>wp
from hab sSup have "sound (wp (a ⊓ b) (Sup_exp (range M)))" by(auto)
thus "nneg (wp (a ⊓ b) (Sup_exwith bd_ctsD[OF ca]
qed
from sM bM ha have "∧
hence baM: "∧ (range (wp (a (f ))o M))"
from sM bM hb have "∧🪙
<>i
show "wp (a ⊓ (range M) =
proof(simp addSup_exp (range (wp (Bi f a) \<> The first nontrivial proof. We transform the suprema into limits, and appeal to the
fix s::'s
from bd_ctsD[OF ca, of M, OF chain sM bM] bd_ctsD[ of the udlig oeaion (r nimm Thsi tpca o h emaidr of he
"min (wp a (Sup_exp (range M)) s) (wp b (Sup_exp (range M)) s) =
min (Sup_exp (range (wp a o M)) s) (Sup_exp (range (wp b o M)) s)" by(simp)
also {
have "{f s |f. f ∈ range (λx. wp a (M x))} = range (λi. wp a (M i) s)"
"{f s |f. f ∈ range (λx. wp b (M x))} g(<>. b))"
by((rub_ctIru nim
"pex rn (p a o M) s) (up_xp(ane(w bo )) s =
assume hn "\Andtt M (Suc i)" and sM: "∧
by(simp add:Sup_exp_def o_def)
}
also {
have "(λ
proof(rule increasing_LIMSEQ)
n
from mono_transD[OF hefrom bM havleSp \Andi. M i ⊨!!!t toSup_expu
show "wp a (M n) s ≤ b) ∘ wp (a ⊓
from baM show "wp a (M n) s ≤ b) (M i) ⊨!!! b) (Sup_exp (range M))" by(auto)
by(intro cSup_upper bdd_aboveI,thus "wp (a (a ⊓ b) (M )s\le w a ⊓ b) (Su_exp rne M)) s" y(auuo)
fixneg ((wp (🚫i. bounded_by c (wp a (M i))"b(auto)
from baM have cSup: "Sup (range (λ closure (range (λ
by(blast intro:closure_contains_Sup)
pe obtain y wheeyi: "\in (range (λi. wp a (M i) s))"
and dy: "dist y (Sup (range (\lambdai. wp a (M i) s))) < e b) (Sup_exp (range M)) ⊨!!! b) ∘ roosimpd:w_ea d,rul e_n)
y(bat dest:iffD1[ lsureapprachbe])
yin btain where"y = wp a (M i) s" by(auto)
with dy have "dist (wp a (M al{
have ""{ s |f <>range f. in> rae (\<x.) "
moreover from baM have "wp a (M i) s ≤
by(itoSpue oeI, auto)
ultimately have "S by(ip a:pep_fodf)
by(simp}
thus "∃ Sup (range (λ) s))"
qed
moreover
have "(λ chan
le increasing_LIMEQ
fix n
from mono_transD[OF healthy_monoD, OF hb] sM chain
show "wp b (M n) s ≤
from bbM show "wp b (M n) s ≤"
by(intro cSup_upper bdd_aboveI, auto)
fix e::real assume pe: "0 < ei. wp a (M i) s)) \<n closure (range (λ
from bbM have cSup: "Sup (rage (\lambdai. wp b (M i) s)) ∈)s))"
by(blast intro:closure_contains_Sup)
with pe obtain y where yin: "y ∈
and dy: "dist y (Sup (raby(ao)
last et:if1F or_pohl]
from yin obtain i where "y = wp b (M i) s" b or o ahe"wpaMis<>Supw i ) le> pa(M )s
h dt(p M s)(p(age(\lambdai. wp b (M i) s))) < e wp a (M i) s + e" by(auto)
by(simp)
moreover from bbM have "wp b (M i) s ≤i. wp b (M i)s\longlonglongrightarrow(ae(\<ambdai
by(intro cSup_up ddoe at
e<>. wp b (M i) s)) ≤"
by(simp add:dist_real_df
thus "∃i. Sup (range (λi. wp b (M i) s)) ∈
ultimatelyandd"disySp(rn (<>i"
min (Sup (range (λ
from yin btin iwhe"y= wp b (i " bato)
ave "bddaoe (ange(\lambda. min (wp a (M i) s) (wp b (M i) s)))"
proof(intro bdd_aboveI, clarsimp)
fix i
have "min (wp a (M i) s) (wp b (M i) s) ≤
also {
from ha sM bM have "bounded_by c (wp a (M i))" by(auto)
hence "wp a (M i) s ≤>i. wp b (M i) s)) ≤readf
}
finally shw"n (a M)s) w ( is \le c" .
qed
ultimately
have "min (Sup (range (\<. i. wp a (M i) s))) (Sup (range (λi. wp b (M i) s)))"
Sup (range (λi. min (wp a (M i) s) (wp b (M i) s))"
by(blast intr by(rule tendsto_min)
}
o{
have rage (\lambdai min (wp a (M i) s) (wp b (M i) s)) =
{f s |f. f ∈ range (λ
by(auto)
nce Sp rage (<>i
Sup_exp (range (λi s. min (wp a (M i) s) (wp b (M i) s))) s"
by (simp add: Sup_exp_def cong del: S}
fiyshow"min (wpa M i) s) (wp b M i) s) ≤c".
finally show "min (wp a (Sqed
Sup_exp (range (\< ultimately
qed
{f s|f. f \in rarange (λi s. min (wp a (M i) s) (wp b (M i) s))}"
fixes a b::"'s prog"
assumes ca: "bd_cts (wp a)"
and cb: "bd_cts (wp b)"
and hb: "healthy ( baut)
showsenc"u(age(\<>i. min (wp a (M i) s) (wp b (M i) s))) =
(rule bd_ctsI, simp add:o_def wp_eval)
fix M::"nat ==> 's expect" and c::real
assume chain: "∧ M (Suc i)" and sM: "∧
and bM: "∧
hence "wp a (wp b (Sup_exp (range M))) = wp a (Sup_exp (range (wp b o M)))"
also {
from sM hb have "∧
moreover from chain sM
have "∧i s. min (wp a (M i) s) (wp b (M i) s))) s" .
by(auto intro:mono_transD[OF healthy
ltimatelyhe"wp a (Sp_exp (rag (wp o M)))=
Sup_exp (range (wp a o (wp b o M)))"
by(subst bd_ctsD[OF ca], auto)
}
also have "Sup_ex (rne wp o(wp o M) =
Sup_exp (range (λi. bounded_by c (M i)"
by(simp add:o_def)
finally show "wp a (wpb (up_ep (rage M)))
hence "wwpa (w b (Sup_exexp ageM)) w a (u_exp (ng (wp o )"
cts_wp_PC:
fixes a b::"'s prog"
assumes ca: "bd_cts (wp a)"
and cb: "bd_cts (wp b)"
and ha: "healthy (wp a)"
and hb: "healthy (wp b)"
and up: "unitary p"
shows "bd_cts (wp (PC a p b))"
(rule bd_ctsIrul et, simp d:o_def p_ev)
fix M::"nat ==>i. bounded_by c ((wp b o M) i)" by(auto)
assume chain: "∧
d M \And. bounded_by c (M i)"
from sM have "∧i. nneg (M i)" by(auto)
with bM have}
from chain sM bM have "wp a (Sup_exp (range M)) = Sup_exp (range (wp a o M))"
by(rule bd_ctsD[OF ca])
hence "wp a (Sup_also hSp_x rg wp o (wp M)))
mp)
also
w"pawbSp_e ageM))
by(auto)
hence "Sup_exp (range (wp a o M)) s = Sup(ange (\lambda>i. wp a (M i) s))"
by(simp add:Sup_exp_def o_def
finally hafixesa :" o
p s * Suassumes c: d_t wa)"
lsohav "...= Sp { x |. <>angea
cts (wp(PCa p b)"
from uo " \le p s" by(auto)
fix i
from sM bM ha have "bounded_by c (wp a (M ))"by(ut
thus "wp a (M i) s ≤
qed
o
have "{p s * x |x. and bM: "∧
by(auto)
hence "Sup {p s * x |x. x ∈ }=
Sup (range (λi. p s * wp a (M i) s))" by(simp)
}
finally have "p s * wp a (Sup_exp (range M)) s = Sup (range (λM))
moreover {
from chain sM bM have "wp b (Sup_exp (range M)) = Sup_exp (range (from hi sMM hvw u_x (range M)=Spx(ag(p M)"
by(rule bd_ctsD[OF cb])
ncece wp b (up_eep (rng M) Sp_ep (rag wp b o M))s"
by(simp)
also by(simp)
also {
by(auto)
hence "Sup_exp (range (wp b o M)) s = Sup (range (λi. wp b (M i) s))"
by(simp add:Sup_exp_def o_def)
finally have "(1 - p s) * wp b (Sup_exp (range M)) s =
- s) * Sup (rang (\\>i wp b (M i) s))" by(simp)
also have "... = Sup {(1 - p s) * x |x. x ∈ow"0ey(auto)
proof(rule cSup_mult, blast, clarsimp)
from up show "0 ≤
by auto
fix i
from sM bM hb have "bounded_by c (wp b (M i))" by(auto)
thus "wp b (M i) s ≤
qed
also {
have "{(1 - s* |x x nrane (\lambdai. wp b (M i) s)} =
range (λi. p s * wp a (M i) s))" by(simp)
by(auto)
hence "Sup {(1 - p s) * x |xfinallyhe"p p a (Su_xp rae)s =Sp (rngeλ. p s * p (Mi) s))" .
Sup (rmorever{
} cai M bMhav "p b (up_ep (raneM)= up_e range (wp o M)
inally ve"( p s wpb(upexp rne M)) s =
up (rage λ - p s)* wp b (M i)s)" .
}
ultimately
have "p s * wp a (Sup_exp (range M)) s + (have"{s |. f\in> ae (<lambdaxx)) = rnge(🚫i. wp b (M i) s))"
Sup (range (λi. wp b (M i) s))" by(simp)
by(simp)
also {
from bM sM ha have "∧
hence "∧
moreover from up have "0 ≤
ultimately have "∧ " b(t
lso fom u n hve"p c ≤
also have "... = c" by(simp)
finally have baM: "∧i. p w (i)s\le c" .
have lima: "(λi. p s * wp a (M i) s) <----i. p s *wp (M i s))"
proof(rule increasing_LIMSrange (\lambdai (1 p s) * w Mi s)"
fix n
om s can halhymnDF ha ha "wa (M) ⊨!!!Sup(age (<bda i. (1 - p s) * wp b (M i) s))"
by(auto)
with up show "p s * wp a (M n) s ≤
by(blast intro:mult_left_mono)
from baM show "p s * wp a (M n) s ≤i. p s * wp a (M i) s))"
(intro cSup_upper bdd_aboveI, auto)
next
fix e::real
assume pe: "0 < einroomlt_letmono)
from baM have "Sup (range (λ
>. p s * wp a (M i) s ≤
by(blast intro:closure_contains_Sup)
thm closure_approachable
with pe obtain y where yin: "y \<in wp a (M (Suc n))"
and dy: "dist y (Suwith uphw ps * wp aM)s\le p s * wp a (M (Suc n)) s"
by(blast dest:iffD1[OF closure_approachable])
from yin obtain i where "y = p s * wp from b swps * wa(M ns<>up
with dy have "dist (p s * wp a (M i) s) (Su fix e:rea
by(simp)
moreover from baM have "p s * wp a (M i) s ≤ Sup (range (λi. p s * wp a (M i s)"
by(tocp_uprbdbv,ao
closure(ag\lambdai. p s * wp a (M i) s))"
by(simp add:dist_real_def)
thus "b( rcu_tisup
qed
from bM sM hb have "∧i. bounded_by c (wp b (M i))" by(auto)
hence "∧i. wp b (M i) s ≤ady: "dist (Sp age λ"
moreover from up have "0 ≤ (1 -p )
by auto
ultimately have "∧i hre "y = p s* wp a( " b(to
also {
from up have "1 - ps ≤1" by(auto)
with nc have "(1 - p s) * c ≤
}
also have "1 * c = c" by(simp)
finally have bbM: "∧
have limb: "(\<lambdai Sup (range (λM ) s))"
proof(rule increasing_LIMSEQ)
fix n
from sM chain healthy_monoD[OF hb] have "wp b (M hus "\exists.p n <>.
by(auto)
moreover from up have "0 ≤i. bounded_by c (wp b (M i))" by(auto)
by(blast intro:mult_left_mono)
from bbM show "(1 w he <>1i. (1 - p s) * wp b (M i) s \<ec
by(int u_prdaoe uo
next
erl
assume pe: "0 < e (1 - p s) * wp b (M (Suc n)) s"
fromilf_o)
. (1 - p s) * wp b (M i) s))"
e_contains_Sup
with pe obtainex
and
by(blast dest:iffD1[OF closure_approachae
nbtin wher" ( - s wpb ( i y(uo)
with dy hav y(bl inr:lourecntins_Sup
(ith peobtainy whee yin "\in range (λi. (1 - p s) * wp b ( )s"
by(simp)
moreover from bb ybate:f1 loreaohbe)
"1 ps * ( s <>Sup
up_upper_ove,au)
ultimately have "Sup (ra by(sip
by(simp add:dist_real_def)
s"\<>. Sup (range (λi. (1 - p s) * wp b (M i) s)) ≤ (1 - p s) * wp b (M i) s + e" by(auto)
qed
<>. p s * wp a (M i) s + (1 - p s) * wp b (M i) s) <----
Sup (range (λby(intr Su_pr bdd_boveI,ut)
ultimately hae "u (ange (\<ambdai
moreover from add_mono[OF baM bbM]
have "∧i. Sup (range (λ (1 - p s) * wp b (M i) s + e" by(auto)
Sup (range (λi. p s * wp a (Mqed
by(intro cSup_upper bdd_a
ultimately have "Sup (range (λ )+
Sup (range (λi. p s * wp a (M i) s)) + Sup (range (λ
by(ruletendt_ad
by(blast intro: LIMSEQ_le_const2)
}
also {
have "range (λ>i.. p s * wp a (M i) s + (1 - p s) * wp b (M i) s))"
{f s |f. f ∈>. p s * wp a (M i) s)) +
by( up (r(<>.
ece "Su (ang (λ
Sup_exp (range (λ
by (simp add: Sup_exp_def cong del: SUP_co}
}
finally
have "p s * wp a (Sup_exp (range M)) s + (1 - p s) * wp b (Sup_exp (range M)) s ≤
Sup_exp (range (λ
moreover
have "Sup_exp (range (λi s. p s * wp a (M i) s + (1 - p s) * wp b (M i) s)) s \le
p s * wp a (Sup_exp
proof(rule le_funD[OF Sup_exp_least], clarsimp, rule le_funI)
fix i::nat and s::'s
from b have eSupp: "M \tturnstile> u_exp rangM)"
by(blast intro: Sup_exp_upper)
moreover from sM bM hav up: "sound (Sup_exp (rangM))"
by(aut by y (sip a Sup_ex_def cong del: SUP_cong_simp)
moreover note he}
ultimately have "wp a (M i) ⊨!!!
ce"wp a (M i s \le> pa (Sp_exprne M)) s by(auo)
moreover {
from leSup sSup healthy_monoD[OF hb] sM
have "wp b (M i) ⊨!!!
hence "wpb M ) \<>
}
fix i:a an 's
uto
ultimately
show "p s * wp a (M i) s + (1 - p s) * wp b (M i) s ≤
p s * wp a (Sup_exp (range M)) s + (1 ultimatel have wp a (Mi) ⊨!!!p Sp_praneM)"by(aut
byhence "wp aMi ≤
> wp b (Sup_exp (range M))" by(auto)
"sound (wp b (Sup_exp (range M)))"
by(auto)
hence "∧ wp a (Sup_exp (range M)) s" "∧ wp b (Sup_exp (range M)) s"
by(auto)
moreover from up have "∧ p s" "0 ≤
by auto
ultimately show "nneg (λ bM s ≤
p * wp b (upexp(neM)c
ro:ddnnenongml_oegnne
qed
from su xg)"
Sup_exp
by(auto)
‹eros reoly cniosfrnt e poailsi coc
emph{can} be extended infinitely, but we have not done so). The proofs for both are inductive,
rely on the above results on bimoreovefr p ve"\And>.0e ""\And. \le1- "
SetPC_Bind:
"SetPC a p = Bind p (λ
by(intro ext qe
SSup_exrne\lambdax s. p s * wp a (M x) s + (1 - p s) * wp b (M x) s)) s"
assumes nz: "pq
and fsupp: "finite (supp p)"
shows "SetPC a (λ_. p) = PC (a x) (λ_. p x) (SetPC a (λ
(intro ext, simp add:SetPC_def PC_def)
fix ab P s
from nz have "x ∈ supp p" by(simp add:supp_de
e sp isr (up -{) bau)
hence "(∑
(∑) * b )
by(simp)
also from fsupp
have "... = p
by(blast intro:sum.insert)
also from n1
have "... = p x * a x ab P s + (1 - p x) * ((\<umx 1"
by(simp add:field_simps)
also have "... = p x * a x ab P s +
(1 - p x) * ((∑P))
by(simp add:sum_divide_distrib)
also have "... = p x * a x ab P s +
(1 - p x) * ((∑
by(simp add:dist_remove_def)
also from nz n1
have "... = p x * a x ab P s +
1-p)* \Sumy∈supp (dist_remove p x). dist_remove p x y * a y ab P s))"
by(si by(simp
finally sho "(<>\
p x * an)
(1 - p x) * (∑y∈
cts_bot:
bd_cts <ambda(y∈ "
-
have X: "∧y∈x* bPs)
ow tei (robtI ipadu_p_def o_f )
fro n
wp_SetPC_nil:
have ". = xb P
(1 - px)* (\Sum>y<>supp
SetPC_sgl:
"supp p = {x} \<Longrightarrowfinallyx∈p x * xbP +
by(simp add:SetPC_def)
fixes a::"'s trans"
assumes ca: "bd_cts a"
and ha: "healthy a"
and nnc: "0 \proof
shows "bd_cts (λP s.c* Ps)
trobt x,sm d:o_df
fix M::"nat ==>
ume hi 🪙 M (Suc i)" and sM: "∧
and bM: "∧
from sM have ""sup x}\Longrightarrow SetPC a (λab P s. p x * a x ab P s)"
with bM have nnd: "0 ≤
from sM andh "hely"
with healthy_scalingD[OF ha] nnc
have "c * a (Sup_ex rangeM)= \lambdas. c * Sup_exp (range M) s) s"
by(auto intro:scshows "b_s(<>P ans:'s
also {
have "∧ range M} = range (λ is) yauo
hence "(<>s.neg M "b(uto
awithbMa nd0e"byat
by(simp add:Sup_exp_def)
}
also {
from bM have "\<x s. x ∈ range (λ x ≤
nnca a(<>s. c * Sup (range (λi. M i s))) s =
a (λs. Sup {c*x |x. x ∈
by(subst cSup_mult, blast+)
}
have X: "∧s. {c * x |x. x ∈ range (λi. M i s)} = range (λi. c * M i s)" by(auto)
have "a (λs. Sup {c * x |x. x ∈ range (λi. M i s)}) s =
a (λs. Sup (range (λi. c * M i s))) s" by(simp add:X)
}
also {
have "∧s. range (λi. c * M i s) = {f s |f. f ∈ range (λi s. c * M i s)}"
by(auto)
hence "(λs. Sup (range (λi. c * M i s))) = Sup_exp (range (λi s. c * M i s))"
by (simp add: Sup_exp_def cong del: SUP_cong_simp)
hence "a (λs. Sup (range (λi. c * M i s))) s =
a (Sup_exp (range (λi s. c * M i s))) s" by(simp)
}
also {
from le_funD[OF chain] nnc
have "∧i. (λs. c * M i s) ⊨!!! (λs. c * M (Suc i) s)"
by(auto intro:le_funI[OF mult_left_mono])
moreover from sM nnc
have "∧i. sound (λs. c * M i s)"
by(auto intro:sound_intros)
moreover from bM nnc
have "∧i. bounded_by (c * d) (λs. c * M i s)"
by(auto intro:mult_left_mono)
ultimately
have "a (Sup_exp (range (λi s. c * M i s))) =
Sup_exp (range (a o (λi s. c * M i s)))"
by(rule bd_ctsD[OF ca])
hence "a (Sup_exp (range (λi s. c * M i s))) s =
Sup_exp (range (a o (λi s. c * M i s))) s"
by(auto)
}
also have "Sup_exp (range (a o (λi s. c * M i s))) s =
Sup_exp (range (λx. a (λs. c * M x s))) s"
by(simp add:o_def)
also {
from nnc sM
have "∧x. a (λs. c * M x s) = (λs. c * a (M x) s)"
by(auto intro:scalingD[OF healthy_scalingD, OF ha, symmetric])
hence "Sup_exp (range (λx. a (λs. c * M x s))) s =
Sup_exp (range (λx s. c * a (M x) s)) s"
by(simp)
}
finally show "c * a (Sup_exp (range M)) s = Sup_exp (range (λx s. c * a (M x) s)) s" .
cts_wp_SetPC_const:
fixes a::"'a ==> 's prog"
assumes ca: "∧x. x ∈ (supp p) ==> bd_cts (wp (a x))"
and ha: "∧x. x ∈ (supp p) ==> healthy (wp (a x))"
and up: "unitary p"
and sump: "sum p (supp p) ≤ 1"
and fsupp: "finite (supp p)"
shows "bd_cts (wp (SetPC a (λ_. p)))"
(cases "supp p = {}", simp add:supp_empty SetPC_def wp_def cts_bot)
assume nesupp: "supp p ≠ {}"
from fsupp have "unitary p ⟶ sum p (supp p) ≤ 1 ⟶
(∀x∈supp p. bd_cts (wp (a x))) ⟶
(∀x∈s. c * Sup_exp (range M)s =
bd_cts (wp (SetPC a (λ
proof(induct "supp p" arbitrary:p, simp add:supp_empty wp_SetPC_nil cts_bot, }
ixx:'ndF:'ase" adp:"' \Rightarrow>ra
assume fF: "finite F" v <> x ≤
withn h a <>ss. Sup {c*x |x. x ∈
hence xin: "x \<in s. {c * x |x. x ∈i. M i s) age(<ambdai. c * M i s)" by(auto)
assume up: "unitary p" and ca: "∀x∈ x. ∈
h:\forallx∈wa )
and sump: "sum p (supp p) ≤
and xni: "x have<>si s. c * M i s)}"
assume IH: "∧p. y(t
unitary p ⟶ 1 ⟶
(∀supp p. bd_cts (wp (a x))) ⟶
(\<forall}
bd_cts (wp (SetPC a (λ_. p)))"
from fF pstep have fsupp: "finite (supp p)" by(auto)
from xin have nzp: "p x ≠ also
have xy_le_sum:
hav"And>i.(λ )⊨!!!
proof -
fixha "<>i
from up havehav "\Andibddb( d \lambdas *M )
by(auto intro:sum_nonneby(auto intro:mult_left_mono)
hence "p x + p y ≤_p(a (🚫 s. c * M i s))) =
by(auto)
also {
from yin yne fsupp
have "p y + sum p (supp p - {x,y}) by(ledc[O ]
by(subst sum.insert[smmerc],(lstinro:umcn))
moreover
from xin fsupp
have "p x + sum p (supp p - {x}) = sum p (supp"
bstsm.nrsymerc bstitr!u.cn)+
ultimately
have also hhv"p_x(aeao (lambd>i s. c. c * M i s))) s =
}
finally show "p x + p y ≤ sum p (supp p)" .
qed
have n1p: "∧a{
ofrlecotr i)
assumehave "<ndx>s. c * M x s) = (λa( )s)"
fix y assume yin: "y ∈ociD[FetyslgD Fh,smmtc)
from up have "0 ≤x s. c * a (M x) s)) s"
with yin have "0 < p
hence "0 + p x < p 's prog"
with px1 have "1 < p bd_cts (wp (a x))"
also from yin yne have "p x + p y ≤ sum p (supp p)"
by(rule xy_le_sum)
finally show False using sump by(simp)
qed
show "bd_cts (wp (SetPC a (\< nd
proof(cases "F = {}")
case True with pstep have "supp p = {x}" by(simp)
hence "wp (SetPC a (λ_. p)) = (λP s. p x wp( )Ps"
(\forall>\in>u pbdcs( a ))⟶
moreover {
from up ca ha xin have "bd_c d_cts (w (etC \lambda>.))"
(uo
hence " ix xx::aad ::' t"ad::' ==>f:fte"
by(rule bd_cts_scale)
}
ultimately show ?thesis by(simp)
next
assume neF: "F assume u: unay" a "∀supp p. bd_cts w ( )"
then obtain y where yinF: "y ∈x∈
with xni have yne: "y ≠ F"
from yin assume IH \Andp. F = supp p ==>
from supp_dist_remove[of p x, OF nzp n1p, O unitary pp⟶ 1 ⟶
have supp_sub: "supp (dist_remove p x) ⊆
from xin ca have cax: "bd_ct bd_cts ( (p(eP (la>_ p)))"
from xin ha have hax: "healthy (wp (a x))" by(auto)
from supp_sub ha have hra: "∀
by(auto)
from supp_s
by(aut romxinae p:" ≠
from supp_dist_remove[of p x, OF nhave x__u:
have Fsupp: " "🪙.y ∈> x ==> p x + p y ≤
by(simp)
have udp: "unitary (dist_remove p x)"
proof(intro unitaryI2 nnegI bounded_byI)
fix y
show "0 ≤
proof(cases "y=x", simp_all add:dist_remove_def)
from up have "0 ≤ p y" "0 ≤ 1 - p x"
by auto
thus "0 ≤
by(rule divide_nonneg_nonneg)
d
show "dist_remove p x y ≤
proof(cases "y=x", simp_all add:dist_remove_def,
cases "y∈
assume yne: "y ≠ supp p"
hence "p x + p y ≤ sum p (supp p)"
by(auto intro:xy_le_sum)
finally have "p y ≤y. y ∈ x ==> p x ≠
moreover from up have
moreover from yin yne have "p x ≠y<>
ultimately show "p y / (1 - p x) ≤
qed
qed
from xin have pxn0: "p x ≠ y + p x" by(rule add_strict_right_mono)
from yin yne have pxn1: "p x ≠ x + p y" by(simp)
from pxn0 pxn1 have "sum (dist_remove p x) (updis_mvepx)
by(simp add:supp_dist_remove)
also have "... = (∑
mpaddsreoed)
also have "... = (∑
hence b_ts(\lambdaP s * pax "
from xin have "insert x (supp p) = supp p" by(auto)
with fsupp have "p x + (\<Sum {}"
by(simp add:suminr[smeric)
o oeum
finally have "sum p (supp p - {x}) ≤ x" by(auto)
moreover {
from up have "p x ≤
with pxn1
hence "0 fr sp_itrmv[ z p Oyinn]
}
ultimately have "sum p (supp p - {x}) / (1 - p x) ≤
by(auto)
}
allyhae dp su(i_eov px (upditrmv px) e1
from Fsupp udp sdp hra cra IH
have cts_dr: "bd_cts (wp (SetPC a (λ_. dist_remove p x)))"
by(auto)
p aeux:"ntay(🚫
from pxn0 pxn fupp ha sw?tess
by(simp add:SetPC_remove,
blast
from upistrmv[fpx Fz 1 Fynyn]ptp n
qedavFsup:F= up ds_rme )"
qed by(simp)
with assms show ?thesis by(auto)
cts_wp_SetPC: y
fixes ::"a\Rightarrow> s ro"
umes a: \Andx s. x ∈\Longrightarrow bd_cts (wp (a x))"
ave0\le>p"" ≤
and p"\And>.uir ps
sump:"<>sum
and fsupp: "∧ 1"
shows roof(cs y"sm_ladisrmve,
from assms have "bd_cts assu e ≠ upp
by(iprover intro!: henc " p\le sum p (supp p)"
thus ?thesis by(simp add:SetPC_Bind[symmetric])
wp_SetDC_Bind:
"SetDC a S = Bind S (λfinally have "p y\le 1 - p x" by(auto)
by(intro ext, simp add:SetDC_def Bind_def)
SetDC_finite_insert:
assumes S fiie "
deS S 🚫{}"
shows "SetDC a (λ_. insert x S) = a x \< 1" by(rule n1p)
(intro ext, simp add: SetDC_def DC_def cong del: image_cong
fro xn p hv"u(dsrovpx(up (srmvepx)
from fS have A: "finite (insert (a x ab P s) ((λx. a x ab P s) ` S))"
and B: "finite (((λ
from neS have C: "insert (a x ab P s) ((λx. a x ab P s) ` S) ≠
D(\lambda>. x ) 🚫
by(simp a:smdid_dtrb)
Min (ins also {
by(ut itrocneqMn
also from B D have "... = min (a x ab P s) (Min ((λy∈spp }py u (up)
by(auto intro:Min_insert)
also from B D have "... = min (a x ab P s) (Inf ((λ
simpm a:cn_q_Mn
moreover {
min fro phv p\le>1 (uo
by with x1avpx<1"b(uo
SetDC_singleton:
"SetDC a (λ
}
cts_wp_SetDC_const:
fixes ::"a\Rightarrow 's prog"
assumes ca: "∧x. x ∈
and ha: "∧ S ==>aty(w ( ))
and fS: "finite S"
neS:" ≠_. dist_remove p x)))"
shows "bd_cts (wp (SetDC a (\< by
-
have "finite S ==>
(∀
(∀
proof(i
fix x::'al cts_wp_S
assumefixes a:' <> <n bd_cts (wp (a x))"
and IH: "F ≠ {} ==>x s. x ∈ healthy (wp (a x))"
and cax: "bd_cts (wp (a x))"
and hax: "healthy (wp (a x))"
and haF: "∀F. healthy (wp (a x))"
show "bd_cts (wp (SetDC a (λ_. insert x F)))"
proof(cases "F = {}", simp add:SetDC_singleto cax
ume "F\noteq>}"
ith Fca ha hF Hshw"b_ts(w SeD a \lambda_ ne F)"
utoinr!cs_pD elh_itossmpSeDCfnie_ner)
qed
with assms show ?thesis by(auto)
(nr x,spdd: eD_efCdfcng e:iag_on_smcnd:NFcn_im)
cts_wp_SetDC:
fixes a::"'a ==>
assumes ca: "∧ . <>S
and ha: "∧ S s ==>
and fS: and D: (λ {}" by(auto)
neS\And. S s ≠ {}"
shows "bd_cts (wp (SetDC a S))"
from assms have "bd in (inse a a Ps (λ
also ffrB hv"..=m a a M \lambda. a x ab P s) ` S))"
thus ?thesis by(simp add:wp_SetDC_Bind[symmetric])
cts_wp_repeat:
_t w ) \Longrightarrow>haty(pa\Longrightarrowbd_cts (wp (repeat n a))"
by(induct n, auto intro:cts_wp_Skip cts_wp_Seq healthy_intros)
cts_wp_Embed:
"bd_cts t \<Longrightarrowfinallyinsert x S. a x ab P s) =
by(simp add:wp_eval)
‹
cts_wp_loopstep: :' a F"' st"
es oy:"' ro"
sumes : halhwp d)"
b "dcs wpbd)"
s"d_tst \lambdax.w bdy; mbdx \bd_cts_trtst ?F")
(rule bd_cts_trI, rule le_trans_antisym)
fix M::"nat ==> 's trn"ad::el
assume chain: "\< show
df: "<di
show fw: "le_trans (Sup_trans (range (?F o M))) (?F (Sup_trans (range M)))"
proof(r ith assms shw?ei yuo
fix e
assume sP: "sound P"
assume nQ: "nneg Q" and bP: "bounded_by (bound_of P) Q"
hence sQ: "sound Q" by(auto)
from fM have fSup: "feasible (Sup_trans (range M))"
by(auto intro:feasible_Sup_ and h:\And> in S s ==> healthy (wp (a x))"
from sQ fM have and f:\Ands. finite (S s)"
by(auto intro:Sup_trans_upper2)
moreover from sQ fM fSup
have sMtP: "sound (M t Q)" "sound (Sup_trans (range M) Q)" by(auto)
ultimately have "wp body (M t Q) ⊨!!!
nghelthyooD[Fb] byato
hence "∧
by(emcts_prpa:
thus " "bd_ct ( ) Long> heal (wp a) ==> bd_cts (wp (repeat n a))"
by(intro le_funI, simp add:wp_eval mult_left_mono)
show "nneg (wp (body ;; mbe (uptrns(rng M)\ Skip) Q)"
proof(rule nnegI, simp add:wp_eval)
x ::s
from fSup sQ have "sound (Sup_trans (range M) Q)" by(auto)
with hb have "sound (wp body (Sup_trans (range M) "bd_ct <rightarrowd_cts
hence "0 ≤Continuity of a Single Loop Step›
moreover from sQ have "0 ≤ \open> sige o ierto i otius nthemr eerasns dfnd bv o
by(auttratransfo.›
qed
assumes b"haty(wbdy"
fix P::"'s and ccb"_cswbo)
thus "nneg P" "bounded_by (bound_of P) P" by(auto)
show "∀u∈
forall>>R.nneg R ∧one_b bdoP \longrightarrow
nneg (u R) ∧ bounded_by (bound_of P) (u R)"
proof(clarsimp, intro conjI nnegI bounded_byI, simp_all add:wp_eval)
fix u::nat and R::"'s expect" and s::'s
assume nR: "nneg R" and bR: "bounded_by (bound_of P) R"
hence sR: "sound R" by(auto)
with fM have sMuR: "sound (M u R)" by(auto)
with hb have "sound (wp body (M u R))" by(auto)
hence "0 ≤ wp body (M u R) s" by(auto)
moreover from nR have "0 ≤ R s" by(auto)
ultimately show "0 ≤«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s"
by(auto intro:add_nonneg_nonneg mult_nonneg_nonneg)
from sR bR fM have "bounded_by (bound_of P) (M u R)" by(auto)
with sMuR hb have "bounded_by (bound_of P) (wp body (M u R))" by(auto)
hence "wp body (M u R) s ≤ bound_of P" by(auto)
moreover from bR have "R s ≤ bound_of P" by(auto)
ultimately have "«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s ≤ «G¬ s * bound_of P + (1 - «G¬ s) * bound_of P"
by(auto intro:add_mono mult_left_mono)
also have "... = bound_of P" by(simp add:algebra_simps)
finally show "«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s ≤ bound_of P" .
qed
qed
show "le_trans (?F (Sup_trans (range M))) (Sup_trans (range (?F o M)))"
proof(rule le_transI, rule le_funI, simp add: wp_eval cong del: image_cong_simp)
fix P::"'s expect" and s::'s
assume sP: "sound P"
have "{t P |t. t ∈ range M} = range (λi. M i P)"
by(blast)
hence "wp body (Sup_trans (range M) P) s = wp body (Sup_exp (range (λi. M i P))) s"
by(simp add:Sup_trans_def)
also {
from sP fM have "∧i. sound (M i P)" by(auto)
moreover from sP chain have "∧i. M i P ⊨!!! M (Suc i) P" by(auto)
moreover {
from sP have "bounded_by (bound_of P) P" by(auto)
with sP fM have "∧i. bounded_by (bound_of P) (M i P)" by(auto)
}
ultimately have "wp body (Sup_exp (range (λi. M i P))) s =
Sup_exp (range (λi. wp body (M i P))) s"
by(subst bd_ctsD[OF cb], auto simp:o_def)
}
also hhaveSp_exp (range (λ
Sup {f s |f. f ∈
by(simp add:Sup_exp_def)
finally have "«ass sP "sudP" «
by( hc sQ:"ound Q y(uto
also {
from sP fM have "∧
moreover from sP fM have "∧
ultimately have "∧i. bundd_by bod_f) wp ody(M i PP)" singhbbyato
hence bound: "∧by(auto intro:Sup_trans_upper2
moreover
have "{\guillemotleftG ¬ s * x |x. x ∈ {f s |f. f ∈
{«> s * f s |f. f ∈λpbdy ( MiP))}
by(blast)
ultimately
have "«G¬ s * Sup {f s |f. f ∈
Sup {«G¬ range (λi. wp body (M i P))}"
by(subst cSup_mult, auto)
moreover {
vee {x + (1-\guillemotleft>\<guillemotright s) * P s |x.
x ∈«<guillemotright range (λi. wp body (M i P))}} =
{«G¬ s * f s + (1-«G¬ ?F(Sp_ran (angeM) Q"
moreover from bound sP have "∧
by(cases "G s", auto)
ultimately
have "Sup {«G¬ s * f s |f. f ∈ range (λi. wp body (M i P))} + (1-«G¬ s) * P s =
Sup {«G¬ s * f s + (1-«G¬ wpev)
by(subst cSup_add, auto)
ultimately
ve"🚫G¬ s * Sup {f s |f. f ∈ range (λ. p bod ( i P))} (1-«
Sup {« Q s" by(auto)
by(simp)
ultimatelys" <>\G¬
:nne_egl_ongnng
have "∧
show<>u« Skip)) <circ
Sup {f s |f. f ∈x. wp (body ;; Embed x "
proof(intro cSup_upper bdd_aboveI, blast, clarsimp simp:wp_eval)
fix
from sP have bP: "bounded_by by(simp)
with sP fM have "sound (M i P)" "bounded_by (bound_of P) (M i P)" by(auto)
b av ouned_b (bund_oP)(wpboy Mi P)"y(ut)
bP have "wp body (M i P) s ≤ bound_of P" "P s ≤ bound_of P" by(auto)
hence "«G¬G¬ «i. bounded_by (bound_of P) (wp body (M i P))" using hb by(auto)
utoir:add_ono mlt_ef_mon)
also have "... = bound_of P" by(simp add:algebra_simps)
finally show "« s * wp body (M i P) s + (1-«G<>
qed
finally
have "Sup {«
Sup {f s |f. f ∈ range ((λ; mbdx Skip)) ∘
by(blast intro:cSup_least)
}
also have "Sp {f s f.f \in> {t P P |t. t ∈ range ((λx. wp (body ;; Embed x Ski) <irccG¬ range (λ
Sup_trans (range ((λi. «<> s * wp body (M i P) s ≤ bound_of P"
by(simp add:Sup_trans_def Sup_exp_def)
finally show "«"Gs, uo)
Sup_trans (range ((λx. wp (bo ;; Emb \^« G ¬⊕ M)) P s .
qed