(*
 * Copyright (C) 2014 NICTA
 * All rights reserved.
 *)
(* Author: David Cock - David.Cock@nicta.com.au *)
section‹
Continuity imports Healthiness begin
‹_=(<>M
its proof relies, in general, on healthiness. It is only relevant when a program appears
an inductive context i.e.~inside a loop.› bd_cts t; \<Andi M(Sc i) \Andi. sound (M i); ∧==>
‹A continuous transformer preserves limits (or the suprema of ascending chains).›
bd_cts :: "'s trans ==> bool"
"bd_cts t = (∀M. (∀i. (M i ⊨!!! M (Suc i)) ∧ sound (M i)) ⟶M) px (age(t )"
(∃i. bounded_by b (M i)) ⟶
t (Sup_exp (range M)) = Sup_exp (range (t o M)))"
bd_ctsD:
lbrakk>bd_cts t; ∧ M (Suc i); ∧); ∧. bounded_by b (M i) ]==>A generalised property for transformers of transformers.›
t ( _tr<>M. (∀c)<> feasible (M i)) ⟶ unfolding bd_cts_def by(auto)
lemma \>.\And. M i ⊨!!! M (Suc i)) ==>i. soundLongrightarrow> (<nd. ts_tri. le_trans>. feasible (Mi< ==>
t (Sup_exp (ngeeto ) <>bd_cts t" _bp db_t_trdf
text ‹bcts (w bt:spro) definition _t_ ('tan ==>tn \Rightarrow bol where__rT \forallM. (∀((uc ))<> eaie(M i)🚫s. bd_cts (wp (a (f s)))"
equiv_trans (T (Sup_real
bd_cts_trD:
"\lbrakkbcts_t T; ∧i. feasible (M i) ]
equiv_trans (T (Sup_trans (M ` UNIV))) (Sup_trans ((T o M) ` UNIV))"
and bM: ": \Andi.. bounded_by c (M i)"
lemmalemmacts_wp_DC "_cs(wp Apl f)" proof -
ve> s. {P (f s) |P. P ∈java.lang.StringIndexOutOfBoundsException: Index 113 out of bounds for length 113
hesis up_exp_def qed
lemma cts_wp_Bind fixesthy b))" by(rule healthy_intros) assumes ca: "∧i. M i \tturnstile rangeuto_upper shows"bd_cts (wp (Bind f a))" proof(rule bd_ctsI) fix M:nat 's expect" and c::real assume chain: "∧fix and bM: "∧p\Sqinter>b) s\le wp (a ⊓ b) (Sup_exp (range M)) s"by(auto)
itha] have"∧i. bounded_by c (wp a (M i))"by(auto)
Sup_exp ) ) by(auto) moreoverhave"<>. {fa s |fa. fa ∈ range (λx. wp (a (f s)) (M x))} = {fa s |fa. fa ∈ hence bbM: "\Andi s. wp b (M i) s ≤ c" by(auto) by(auto) ultimately show "wp (Bind f a) (Sup_exp )=
xpp(indcirc M))" by(simp add:wp_eval o_def Sup_exp_def) qed
text ‹ continuityeudrlyng praton her ifmm. Thi styilfth raie ofte nonrecursive elements.\<ave ) rane \lambdai. w b (M i) s)"
cts_wp_DC:
fixes a b::"'s prog"
assumes ca: "bd_cts (wp a)"
and cb: "bd_cts (wp b)"
and ha: "healthy (wp a)"
and hb: "healthy (wp b)"
shows "bd_cts (wp (a ⊓
rule dctI,uleantsy)
hence "min(Sup_exp rne (p o M) s)Spe rane p oM))s)
assume hin "\And>i. M i \<turnstileMi. sound (M i)"
and bM: "∧
from ha hb have hab: "healt fix n
mav leSu:"∧ Sup_exp (range M)" by(aut nr:Sup_exp_uper)
from sM bM have sSup: "sound (Sup_exp (range M))" by(auto intro:Sup_exp_sound)
show "Sup_exp (range (wp (a ⊓ M)) ⊨!!! b) (Sup_exp (range M))"
proof(rule Sup_exp_least, clarsimp, rule le_funI)
fix i s
from mono_transD[OF healthy_monoD[OF hab]] leSup sM sSup
have "wp (a ⊓ wp (a ⊓
p ( ⊓) Mi \le> w ( ⊓up_p(rnge M)) s" by(aut)
from hab sSup have "sound (wp (a
neg( (a 🚫 b) (Sup_exp (range M)))" by(auto)
qed
from sM bM ha have "∧ y(auto)
hence baM: "∧>i. wp a (M i) s)) ∈i. wp a (M i) s))"
with p btainwee in:y ∈
hence bbM: "\ λ"
show "wp (a ⊓ Sup_exp (range (wp (a ⊓ M))"
oof(imp add:wp_evevaval oo_df rule l lefuI)
fix s::'s
from bd_ctsD[OF ca, of M, OF chain sM bM] bd_ctsD[OF cb, of M, OF chain sM bM]
have "min y(b(at est::ffD1OFcourearacal])
from yioai were
lso {
have {f s |f.f \in range (λx. wp a (M x))} = range (λi. wp a (M i) s)"
"{f s |f. f \inrg (\<lambdax wp b (M x))} = range (λi. wp b (M i) s)
by(auto)
hence "min (Sup_exp (range (wp a o M)) s) (Sup_exp (range (wp b o M)) s) =
min (Sup (range (λnro cSu_upprbdd_aboeI, auto)
(sip dd:Su_exp_def oef
}
also {
have "(λi. wp a (M i) s) <----i. wp a (M i) s))
proof(rule increasing_LIMSEQ)
fix n
from mono_transD[OF healthy_monoD, OF ha] sM hain
(rule incring_LMSEQ)
from baM show "wp a (M n) s ≤ wp b (M (Suc n)) s" by(auto intro:le_funD)
by(intro cSup_upper bdd_aboveI, auto)
fix e::real assume pe: "0 < e"
from baM have cSup: "Sup (range (λni. wp a (M i) s))"
by(blast intro:closure_contains_Sup)
with pe obtain y where yin: "y ∈ (range (λae (λ closure (range (λi. wp b (M i) s))"
and dy: "dist y (Sup (range (λ (range (λi. wp b (M i) s))"
by(blast dest:iffD1[OF closure_approachable])
y(auto)
with dy have "dist (wpby(blast dst:iffD1OF clsue_aproacabe)
by(simp)
oreover rmba hav "wp a (Mi) \le Sup (range (λi. wp a (M i) s))"
by(intro cSup_upper bdd_aboveI, auto)
ultimately have "Sup (range (λi. wp a (Mi) )) \lew (M i)s + e"
by(simp add:dis ith dy hy ve"dis wp b( i s) (Su (rnge(λ"
thus "∃i. Sup (range (λi. wp a (M i) s)) ≤
qed
moreover
have "(λi ) \longlonglongrightarrow> Sup (rnge (🚫. wp b (M i) s))"
proof(rule increasing_LIMSEQ)
fix n
from mono_transD[OF healthy_monoD, OF hb] sM chain
show "wp b (M n) s ≤ wp b (M (Suc n)) s" by(auto intro:le_funD)
p_upper d_boveI,ato
by(intro cSup_uppe ((range (🚫 wp b (M i) s + e"
fix e::real assume pe: "0 < eef
from bbM have cSup: "Sup (range (λ closure (range (λi. wp b (M i) s))"
by(blast intro:closure_contains_Sup)
with pe obtain y where yin: qed
nd dy:"dis y (Suprne(\lambdai.. wp b (M i) s))) < e
by(blast dest:iffD1[OF closure_approachable])
fromyin obtain her "y =wp b (M i)s" y(uto)
moreover ha"bdaoerne(<>i wp a (M i) s" by(auto)
by(simp)
moreover from bbM have "wp b (M i) s ≤
by(intro cSup_upper bdd_aboveI, auto)
ultimately have "Sup (range (\<lambdai wp b (M i) s + e"
by(simp add:dist_rl_def)
thus "∃hw"i (wp a( i ) (p M i) ) ≤
qed
ultimately have "(λmin (wp a (M i) s) (wp b (M i) s)) <----
min (Sup (range (λs))
n)
moreover have "bdd_above (ra also
have rae(<>.i s. min (wp a (M i) s) (wp b (M i) s))}"
fix i
have "min (whenc"u(ane (\lambda. min (wp a (M i) s) (wp b (M i) s))) =
also {
from ha sM bM have "bounded_by c (wp a (M i))" by(auto)
hence "wp a (M i) s ≤
finally inll sho "mn (w M ) s)(p ( )s) ≤ ".
have "min (Sup (range (λi. wp a (M i) s))) (Sup (range (λi. wp b (M i) s))) ≤
Sup (range (λi. min (wp a (M i) s) (wp b (M i) s)))"
by(blast intro:LIMSEQ_le_const2 cSup_upper min.mono[OF baM bbM])
}
also {
have "range (\<lambda
f |f. ff <>
b(aut)
ence "Su rnge🚫i. M i ⊨!!!i. sound (M i)"
Sup_exp (range (λi s. min (wp a (M i) s) (wp b (M i) s))) s"
by (simp add: Sup_exp_def cong del: SUP_cong_simp
}
finally show "min (wp a (Sup_exp (range M)) s) (wp b (Sup_exp (range M)) s) ≤
Sup_exp (range (λ
qed
cts_wp_Seq:
fixes a b::"'s prog"
assumes ca: "bd_cts (wp a)"
and cb: "bd_cts (wp b)"
and hb: "healthy (wp b)"
shows "bd_cts (wp (a ;; b))"
(rule bd_ctsI, simp add:o_def wp_eval)
fix M::"nat ==> 's exult av "p u_xp (ne wp ))
assume chain: "∧p (rag (wa p oM))=
and bM: "∧p bSpe(ne M)) =
" (p b (Sup_e (ne M)))=w aSpexp(rae (bo M))"
by(subst bd_ctsD[OF cb], auto)
also {
from sM hb have "∧
moreover from chain sM
have "∧I,l x,i dd:odef p_eal
by(auto intro:mono_transD[OF healthy_monoD, OF hb])
moreover from sM bM hb have "∧
ultimately have "wp a (Sup_exp (range (wp b o M))) =
Sup_exp (range (wp a o (wp b o M))) and b:"<>i
by(subst bd_ctsD[OF ca], auto)
have Supexp(rang wp o (wp bo ))) =
Sup_exp (raby(simp
by(simp a al
finally show "wpa (w b (Sp_ex (ange ))) =
Sup_exp (range (λprange(λ
c }
ixeses a b::"sprog"
sumes esca: "d_cts(wp a
and cbalso have "..= Spps* |x. x\in rang(λi. wp a (M i) s)}"
and ha: "healthy (wp a)"
and hb: "healthy (wp b)"
and up: "unitry p"
shows "bd_cts (wp (PC a p b))"
up sow "0≤i) ao)
fix M::"nat ==> 's expect" and c::real and s::'s
assume chain: also {
i. bounded_by c (M i)"
from sM have "∧ range (λi. wp a (M i) s
with bM have nc: "0 ≤i. p s * wp a (M )s)".
m cansMbMhave "p a (Sp_ep(range M)) u_exp range wp a M)
by(rule bd_ctsD[OF ca])
hence "wp a (Sup_exp (range M)) s = Sup_exp (range (wp a o M) hence"wpb(Sup_ep(rag M) s=Supxp (rane(p o ))"
mp)
{
have "{f s |f. f ∈
by(auto)
hence "Sup_exp (range (wp a o}
by(simp add:Sup_exp_def o_def)
}
finally have "p s * wp a (Sup_exp (range M)) s =
p s * Sup (range (λi. wp a (M i) s))" by(simp)
also have "... = Sup {p s * x |x. x ∈ 1 -ps Su(ag(\<lambda.
proof(rule cSup_mult, blast, clarsimp)
from up sho"0 ep s" by(auto)
fix i
from sM bM ha have "bounded_by c (wp a (M i))" by(auto)
thus "wp a (M i) s ≤ 1 - p s"
qed
also {
have "{p s * x |x. x ∈ c" by(auto)
by(auto)
hence "Sup {p s * x |x. x ∈ p s * x . \<n ng (λ
Sup (range (λ
}
inally hav ps wp a(Sup_exp (rangeM) s = up (range λi.p * pa(Mi) s))".
moreoverreove
cin M bM hve"p b (Su_xp (ange M) =Sp_exp(range (wp b M))
by(rule bd_cfin he "(1- )* p (p_ep (ag ) s
Supa (λ. (1- p pb (M)s)"
by(simp)
also {
{fs f.f \in>rnge (λ. wp b (M x))} = rnge(🚫. wp b (M i) s)"
by(auto)
hence "Sup_exp (range (wp b o M)) s = Sup (range (λ
by(simp add:Sup_exp_def o_def)
}
finally have "(1 - p s) * wp b (Sup_exp (range M)) s =
(1 - p s) * Sup (range (λ
also have "... = Sup {(1 - p s) * x |x. x ∈i. bounded_by c (wp a (M i))" by(auto)
proof(rule cSup_mult, blast, clarsimp)
from up show "0 ≤ p s" by(auto)
by auto
fix i
from sM bM hb have "bounded_by c (wp b (M ))"y(auto)
thus als rm uc av * \<e 1 * c" by(blast intro:mult_right_mono)
qed
also {
have "{(1 - p s) * x |x. x ∈ wpa(M is <> Sup (range (λi p s *wa )s)
nge \lambda>.(1 - s) pb(M )s
by(auto)
hence "Sup {(1 -from sMhanath_moD[Oa ae"wpa (M ) \tturnstile wp a (M (Suc n))"
p (rne ((lambi. (1(1 - p s) * wp b (M i) s))" by(simp)
}
finally have "(1 - p s) * wp b (Sup_exp (range M)) s =
Sup (range (λi. (1 - p s) * wp b (M i) s))" .
}
ultimately
have "p s * wp a (Sup_exp (range M)) s + (1 - p s) * wp b (Sup_exp (range M)) s =
Sup (range (λi. p s * wp a (M i) s)) + Sup (range (λ
by(simp)
also {
from bM sM ha have "∧ p s * wp a (M (Suc n)) s"
hence "\<And Sup (range (λ
moreover from up have "0 \<leby
ultimately have "∧i. p s * wp a (M i) s ≤ p s * c" by(auto nr:ult_e_mono
also from up nc have "p s * c ≤ 1 * c" by(blast intro:mult_right_mono)
also have "... = c" by(simp)
finally have baM: "∧ c" .
have lima: "(λi. p s * wp a (M i) s) <---- Sup (range (λi. p s * wp a (M i) s))"
proof(rule increasing_LIMSEQ)
fix n
from sM chain healthy_monoD[OF ha] have "wp a (M n) ⊨!!!
by(auto)
uup o " s* wp a (Mn)s≤
by(blast intro:mult_left_mono)
ba ho "p s * aM nn s \le Sup (range (λi. p s * wp a (M i) s))"
by(intro cSup_upper bdd_aboveI, auto)
next
x e:::real
assume pe: "0 < ei )"
from baM have "Sup (range (λby(nro cup_upe bd_aoveI aut)
closure (ang (λ
y(last intro:losre_ontainsSp)
thm closure_approachable
and:is y(u (rage (\lambdai. p s * wp a (M i) s))) < e1-p)
by(blast dest:iffD1[OF closure_approachable])
from yin obtaii where "y= p * a M i) s by(au)
with dy have "dist (p s * wp a (M i) s) (Sup (range (λ ≤
by(simp)
moreover from baM have "p s * wp a (M i) s ≤
by(intro cSup_upper bdd_aboveI, auto)
ultimately have "Sup (range (λlami. (1 - p s) * wp b (M i) s) <----i. (1 - p s) * wp b (Mi) s)
by(simp add:dist_real_def)
us "\exists>i Sup (rage(\lambdai. p s * wp a (M i) s)) ≤ p s * wp a (M i) s + e" by(auto)
qed
from bM sM hb have "∧
hence "∧i. wp b (M i) s ≤ c" by(auto)
moreover from up have "0 ≤ (1 - p s)"
by auto
ultimately have "∧i. (1 - p s) * wp b (M i) s ≤ (1 - p s) * c" by(auto intro:mult_left_mono)
also {
from up have "1 - p s ≤
ithnc ave"(1-p s)*c e * c" by(blast intro:mult_right_mono)
}
also have "1 * c = c" by(simp)
finally have bbM: "∧le> c> c" " .
have limb: "(λtr cSp_upe bd_bovI,auto
proof(rule increasing_LIMSEQ)
fix n
fix e::ea
by(auto)
moreover from up have "0 ≤ 1 - p s"
by auto
ultimately show "(1 - p s) * wp b (M n) s ≤
by(b(blast intro:mut_let_mno)
from bbM show "(1 - p s) * wp (\<lambdai
by(intro cSup_upper bdd_aboveI, auto) by(blast intro:closure_contains_S)
xt
fix e::real
from bbM have "Sup (range (λabl])
from yi otin wh y (1- )* b ( i s" y(ato)
last tocosur_cnins_Sup
h peobtain y here in: " ∈M s)"
and dy: "dist y (Sup (range (λ
y(blst detiff1[OFclosur_apracabl])
from yin obtain i where "y = (1 - p have "(( -ps*wpb Mi)s\le Su (range (λi. (1 - p s) * wp b (M i) s))"
with dy have "dist ((1 - p s) * wp b (M i) s)
(Sup (range (λby(intro cSup_upper bdd_abovI,auto)
y(smp)
moreover from bbM
have "(1 - p s) thus "\<xistsifrom lima limb have "(🚫
ntro up_uperbddabove, at)
ultimately ve "Su(ane (🚫. (1 - p s) * wp b (M i) s)) ≤ (1 - p s) * wp b (M i) s + e"
by(simp add:dist_real_def)
thus "∃i. (1 - p s) * wp b (M i) s)) ≤
ed
from lima limb have "(λi. p s * wp a (M i) s))
Sup (range (λi. (1 - p s) * wp b (M i) s))"
( endstadd
moreover from add_mono[OF baM bbM]
have "∧
Sup (range (\<lambdai
by(intro cSup_upper bdd_aboveI, auto)
ultimately have "Sup (range (λ
range λ (1 - p s) * wp b (M i) s)) ≤
Sup (range hnce"S (rae \lambdai. p s * wp a (M i) s + (1 - p s) * wp b (M i) s)) =
by(blast intro: LIMSEQ_le_const2)
also {
have "range (λi s. p s * wp a (M i) s + (1 - p s) * wp b (M i) s)) s" .
{f s |f. f ∈\le>
from b haeeu: "M \tturnstile> pex(rag M)"
Sup_exp (range (λe sSup: sound (Supexp (aneM)"
y(ipdd: up_xp_def cong del: SUP_cong_smp)
finally
have "p s * wp a (Sup_exp (range M)) s + (1henc "w a (M i) s\le>w Su_ex(rge ) "yt)
Sup_exp (range (λ
moreover
hence w ( i \le wwp b (Sup_exp (range M)) s" by(auto)
p s * wp a (Sup_exp (range M)) s + (1 - p s) * wp b (Sup_exp (range M)) s"
proof(rule le_funD[OF Sup_exp_least], clarsimp, rule le_funI)
i::tands:'s
from bM have lby auto
by(blast intro: Sup_exp_upper)
moreover from sM bM have sSup: "sound (Sup_exp (range M))"
by(auto intro:Sup_exp_sound)
moreover note healthy_monoD[OF ha] sM
matelyy have"wp (M i) ⊨!!!w a (up_exp(aneM" b(auto)
"w a(M ) s\le wp a (Sup_exp (range M)) s" by(auto)
moreover {
from leSup sSup healthy_monoD[OF hb] sM
have "wp b (M i) ⊨!!!
hence "wp b (M i) s ≤s. 0 ≤s. 0 ≤
}
moreover from up have "0 ≤ 1 - p s"
by auto
ultimately
show "p s * wp a (M i) s + (1 - p s) * wp (i) ≤
p s * wp a (Sup_exp (range M)) s + (1 - p s) * wp (1- ) Su_exp rage ) c)"
by(blast intro:add_mono mult_left_mon by(blast introadoneg_onegmult_onng_onneg)
from sSup ha hb have "sond (wp a (Sup_exp (range M))"
"sound (wp b (Sup_exp (range M)))"
hence "∧s. 0 ≤ wp a (Sup_exp (range M)) s" "∧s. 0 ≤Both set-based choice opeatrsa ny otnuusfrfiiests(robblistic coie
by(auto)
over rmup hae \Ands eps \And>s0\le> -p s"
by auto
ultimately show "nneg (λ
(1 - p c) * wp b (Sup_exp (range M)) c)"
by(blast intro:add_nonneg_nonneg mult_nonneg_nonneg)
ed
ultimately show "p s * wp a (Sup_exp (range
exp (age (λ
by(auto)
‹upp_def
emph{can} be extended infinitely, but we have not done so). The proofs ence "s "upp iert spp - x}"b(uo)
rely on the above results on binary operators.›x∈insert x (supp p - {x}).px*a xa P s)"
SetPC_Bind:
"SetPC a p = Bind p (λSum>x∈supp p - {x}. p x * a x ab P s) / (1 - p x))"
by(intro ext, simp add:SetPC_def Bind_def Let_def)
SetPC_remove:
assumes nz: "p x ≠ 0" and n1: "p x ≠
and fsupp: "finite (supp p)"
shows "SetPC a (λy∈supp p - {x}. (p y / (1 - p x)) * a y ab Ps)"
(intro ext, simp add:SetPC_def PC_def)
fix ab P s
from nz have "x ∈ supp p" by(simp add:supp_def)
hence "supp p = insert x (supp p - {x})" by(auto)
hence "(∑
(1 x ((<>y
imp)
also from fsupp
have "... = p x * a x ab P s + (∑x\ w"\Sumx∈supp p. p x * a x ab P s) =
also from n1
have "... = p x * a x ab P s + (1 - p x) * ((∑
by(simp add:f"bd_ct (<>P::'s expect) (s::'s). 0::real)"
also have "... = p x * a x ab P s +
(1 - p x) * ((∑supp p - {x}. (p y / (1 - p x)) * a y ab Ps))
by(simp add:sum_divide_distrib)
also have "... = p x * a x ab P s +
(1 - p x) * ((∑supp p - {x}. dist_remove p xy * a P )"
by(simp add:dist_remove_def show ?hsisby(ntr bdcs,sim dd:Sp_expdf o_df )
lso frofrom nz n
have ".. =px * a abP s+
-px * ((\Sum\insu (dist_remove p x). dist_remove p x y * a y ab P s))"
by(simp add:supp_dist_remove)
show "(∑supp p. p x * a x ab P s) =
x* a xa P s
(1 - p x) * (∑
cts_bot:
"bd_cts (λ
-
have X: "∧ *a s
show ?theprintro b_csIext ip ad:_de)
wpassume cain:"🪙i. M i ⊨!!!i. sound (M i)"
"wp (SetPC a (λs a. 0)) = (λ>. bounded_by d (M i)"
by(intro ext, simp add:wp_eval)
SetPC_sgl:
supp p ={x}==>_. p) = (λ
by(simp add:SetPC_def)
bd_cts_scale:
fixes a::"'s trans"
assumes ca: "bd_cts a"
nd h: healthy a"
and nnc: "0 ≤x(ang ))s =(λ
s d_ct (\lambdaP s. c * a P s)"
(intro bd_ctsI ext, simp add:o_def)
fix M::"nat ==> 's expect" and d::realad s:'
assume chain: "∧s. {f s |f. f ∈i. Mi )byut)
hence ""a \lambda. c * Sup_exp (range M) s) s =
from sM have "∧i.neg (M i) yat)
th hbM havenn " ed y(ato)
from sM bM have sSup: "sound (Sup_exp (range M))" by(auto intro:Sup_exp_sound)
with healthy_scalingD[OF ha] nnc
have "c * a (Sup_exp (range M)) s = a (λ🪙i. M i s) ==> d" by(auto)
by(auto introwith nnc hve " 🚫 range (λi. M i s)}) s"
also {
hence "a (λ) s
a (λ_. p)))"
by(simp add:Sup_exp_def)
fixxa a :"ae"ad:'\Rightarrow>ea"
bM hahae"\Andxs. x ∈ range (λi. M i s) ==> d" by(auto)
with nchve" \lambda. c * Sup (range (λi. M i s))) s =
a (λ range (λi. M i s)}) s"
by(subst cSup_mult, blast+)
also {
have X: "∧ range (λ) ae(🚫
have "a (λs. Sup {c x|x.x\in range (λi. M i s)}) s =
a (λs nd h:"∀supp p. healthy (wp( )"
}
also {
ve"\And. range (λi. c * M i s) = {f s |f. f ∈ range (λ
(ut)
hence "(λ sum p (supp p) ≤
by (simp add: Sup_exp_def cong del: SUP_cong_simp)
hence "a (λx∈lo>
a (Sup_exp (range (λi s. c * M i s))) s" by(simp)
o
from le_funD[OF chain] nnc
ve "<d.s. c * i s \tturnstile (λs. c * M (Suc i) s)"
by(auto intro:le_funI[OF mult_left_mono])
moreover from sM nnc
ve\And. sound (λs. c * M i s)"
by(auto intro:sound_intros)
moreover from bM nnc
ve\And>i bund_b c* )(\lambda>. * i "
ultimately
have "a (Supexp(ane(🚫
Sup_exp (range (a o (λ
(r bdcsDF a)
hence "a (Sup_exp (range (\ yei,(a n!smcn+
Sup_exp (range (a o (λp p
by(sub s.nsr[smei],(latnr:smcn+
av "u_p rng ( (<bdas
Sup_exp (range (λx. a (λ
by(simp add:o_def)
also {
from roof(recor mp
"🪙. a (\<lambdass. c * a( ))"
by(auto introsclng[F elh_salnDOFh,symtrc)
hence "Sup_exp (range (λ p y" by(auto)
Sup_exp (range (λ
by(simp)
}
finally show "c * a (Sup_exp (range M)) s = Sup_exp (range (λx s. c * a (M x) s)) s" .
cts_wp_SetPC_const:
fixes a::"'a ==>
assumes ca: "∧x. x ∈ (supp p) ==>
and ha: "∧
and up: "unitary p"
and
and fsupp: "finite (supp p)"
shows "bd_cts (wp (SetPC a (λ_. p)))"
(cases "supp p = {}", simp add:supp_empty SetPC_def wp_def cts_bot)
assume nesupp: "supp p ≠
from fsupp have "unitary p ⟶ p( P)"
(\forall>\in>pp. dcs(p( ))\longrightarrow
(∀
swSP (\lambda>.p)"
proof(induct "supp p" arbitrary yat)
:aa :ase"ndp:'\Rightarrow real"
assume f:"fnitF
assume "insert x F = supp p"
hence pstep: "supp p = insert x F" by(simp)
hence xin: "x ∈
e p utr p ndc:\forallx∈(pax)"
and ha: "∀supp p. healthy (wp (a x))"
and sump: "sum p (supp p) ≤ 1"
and xni: "x ∉
eH"<>p \longrightarrow sum p (supp p) ≤
(∀ supp p" by(auto)
(∀
swp(tP (<ambda_
from fF pstep have fsupp: "finite (supp p)" by(auto)
nhv zppx\noteq 0" by(simp add:supp_def)
vey_esu: 🪙 y\in supp p ==> y \<noteq sum p (supp p)"
proof -
fix y assume yin: "y ∈
from up have "0 ≤
by(auto intro:sum_nonneg)
hence "p x + p y \< proof
by(auto)
also {
from yin yne fsupp
have "p y + sum p (sup ed
by(subst sum.insert[symmetric], (blast intro!:sum.cong)+)
moreover
from xin fsupp
have "p x + sum p (supp p - {x}) = sum p (supp p)"
by(subst sum.insert[symmetric], (blast intro!:sum.cong)+)
ultimately
have "p x + p y + sum p (supp p - {x, y}) = sum p (supp p)" by(simp)
}
finally show "p x + p y ≤ x" and yin: "y ∈
qed
have n1p: "∧ supp p ==> y ≠ 1"
assume px1: "p x = 1"
fix y assume yin: " \insupp p" and yne: "y ≠ x"
from up have "0 ≤ 1" by(auto)
with yin have "0 < p
hence "0 + p x < p 1" by(rule n1p)
with px1 have "1 < p(up(i_emep))
also f sum (dist_remove p x) (supp p - {x})"
by(rule xy_le_sum)
finally show False using sump by(simp)
qed
show "bd_cts by(sima:ds_mvedf
proof(cases "F = {}")
case True with pstep have "supp p = {x}" by(simp)
hence "wp (SetPC a (λ_. p)) = (λP s. p x * wp (a x) P s)"
by(simp add:SetPC_sgl wp_def)
moreover {
from up ca ha xin have "bd_cts (wp (a x))" "healthy (wp (a x))" "0 ≤ p x"
by(auto)
hence"b_ \lambda> . * p(axP )
by(r lso {
}
ultimately show ?thesis by(simp)
next
assume neF: "F ≠unetymei
then obt also te m
with xni have yne: "y ≠
from yinF pstep have yin: "y ∈ 1" by(auto)
omup_strov[f , Fnz 1,OF nye
have supp_sub: "supp (dist_remove p x) ⊆ 1"
from xin ca have cax: "bd_cts (wp (a x))" by(auto)
from xin ha have ha ina aep"u (streep)(p (s_eov )e1
from sfrom u veu:unty(🚫. p x)" by(auto)
by(auto)
from supp_sub ca have cra: "∀nsphso ti
by(auto)
from ppdtrmv[fpx Fnz 1, ine]ptpi
pp:" sp(itemv "
mp)
have qe
proof(intro unitaryI2 nnegI bounded_byI)
fixes 'a\Rightarrow> o"
proofassu ∧ (supp (p s)) ==>
from up hav"0\le>py 0\le>1 - p x"
by auto
and p \And>.uiay s"
by(rule and :"And>. (p s) (supp (p s)) ≤ 1"
qed
show "dist_remove p x y ≤
fass yx", im_l adds_rmv_df
cases "ypr -
sumeyn:"y\noteq x" and yin: "y ∈spp"
ce" +py <>
by(auto intro:xy_le_sum)
also note sump
p ≤
moreover from up have "p x ≤
assumes S itS
ultimately sh and nS" 🚫
qed
qed
from xin have pxn0: "p x ≠ 0" by(auto simp:supp_def)
from yin yne have pxn1: "p x \<om yin yne have pxn1: "p x ≠
om npn1he "m ds_eme x (pdis_ro p)
sum (dist_remove p x) (supp p - {x})"
by(simp add:supp_dist_remove)
also have "... = (∑ {}"
by(simp add:dist_remove_def)
also and D:: "\lambda> a bPs) 🚫{}" by(auto)
impadumivedsti)
byatnoIf__Mn
with fsupp have "p x + (∑sppp - {} py upsppp"
by(simp add:sum.insert[symmetric])
also note sump
finally have "s y(simddcneMn
om uphe px \le>1 y(uo
thpx1hv " x<1"b(to
hence "0 < 1_. {x}) = a x"
ultimately have "sum p (supp p - {x}) / (1 - p x) ≤a" ==>
by(auto)
}
finally have sdp: "sum (dist_remove p x) (supp (dist_remove p x)) ≤x. x ∈ helt w( x)
from Fsupp ud and ne S\noteq {}"
have cts_dr: "bd_cts (wp (SetPC a (λ
(auto)
from up have upx: "unitary (λ_. p x)" by(auto)
from pxn0 pxn1 fsupp hra show ?thesis
by(simp add:SetPC_remove,
blast intro:cts_wp_PC cax cts_dr hax healthy_intros
unitary_sound[OF udp] sdp upx)
qed
qed
with assms show ?thesis by(auto)
ts_wp_SetPC
esa:a\Rightarrow's prog"
assumes ca: "∧x s. x n(supp (p s)) ==>
and ha: "∧ (supp (p s)) ==>
and up: "∧
and sump: "∧x∈
and fsupp: "∧eocx
shows "bdassu "F\noteq {"
wi x ah H so d_ w eC \lambda>. netxF)
from assms by(au nr:cw_C alyirsipSeCii_nr
by(iprove qed
thus ?thesis by(simp add:SetPC_Bind[symmetric])
(* States that SetDC a S equals Bind S (λS. SetDC a (λ_. S)): the set
   argument S is passed through Bind to a SetDC whose set function is
   constant.  The proof applies extensionality (intro ext) and then
   simplifies with SetDC_def and Bind_def.
   cts_wp_SetDC later rewrites with this equation, so that the general
   case follows from cts_wp_Bind and cts_wp_SetDC_const.
   NOTE(review): the leading "lemma" keyword looks to have been lost in
   extraction - confirm against the original theory file. *)
wp_SetDC_Bind:
"SetDC a S = Bind S (λS. SetDC a (λ_. S))"
by(intro ext, simp add:SetDC_def Bind_def)
SetDC_finite_insert:
assumes fS: "finite S"
and neS: "S ≠ {}"
shows "SetDC a (λ_. insert x S) = a x ⊓ SetDC a (λ
(toex,smpad etD_fDCdfog l iacnsp on ad:IFon_i)
fix ab P s
from fS have A: "finite (insert (a x ab P s) ((λ 's prog"
and B: "finite (((λ∧sx in>S s ==> bd_cts (wp (a x))"
from neS have C: "insert (a x ab P s) ((λx s. x ∈ healthy (wp (a x))"
D"\lambdax. a x ab P s) ` S ≠and neS:: "<>s
from A C have "Inf (inspro -
ert( xbP s(\lambdax. a x ab P s) ` S))"
by(auto intro:cInf_eq_Min)
oom D he .. mn( xabP ) Mn((<>x
by(auto intro:Min_insert)
also from B D have "... = min (a x ab "bd_t w \Longrightarrow> elh wpa <>
by(simp add:cInf_eq_Min)
finally show "(INF x∈
min (a x ab P s) (INF x∈S. a x ab P s)"
by (simp cong del: INF_cong_simp)
former trsres\close
"SetDC a (λ_. {x}) = a x"
by (simp add: SetDC_def cong del: INF_cong_simp)
cts_wp_SetDC_const:
fixes a::"'a ==> 's prog"
assumes ca: "∧x. x ∈ S ==> bd_cts (wp (a x))"
and ha: "∧x. x ∈ S ==> healthy (wp (a x))"
and fS: "finite S"
and neS: "S ≠ {}"
shows "bd_cts (wp (SetDC a (λ_. S)))"
-
have "finite S ==> S ≠ {} ==>
(∀x∈S. bd_cts (wp (a x))) ⟶
(∀x∈S. healthy (wp (a x))) ⟶
bd_cts (wp (SetDC a (λ_. S)))"
proof(induct S rule:finite_induct, simp, clarsimp)
fix x:a d :as"
assume fix o::s o"
andasshb"heth (pod)
and cax: "b nd ccb"_t( by"
and hax hows "_st(\lambda>.p(oy;Ebd ^bs>« G ¬es>⊕ Skip))" (is "bd_ctsr F)
and haF: "∀rn"ndbrel
"bd_cts (wp (SetDC a (λ_. insert x F)))"
proof(cases "F = {}", simp add:SetDC_singleton cax)
assume "F ≠ {}"
with fF cax hax haF IH show "bd_cts (wp (SetDC a (λ_. insert x F)))"
by(auto intro!: and f "And>i.. feasible (M i)"
qed
qed
mso thssbyat)
cts_wp_SetDC:
fixes a::"'a ==>
assumes ca: "∧
a:"\And> .x <>s
S:"∧
and neS: "∧
shows "bd_cts (wp (SetDC a S))"
-
from assms have "bd_cts (wp (Bind S (λS. SetDC a (λ_. S))))"
by(iprover intro!:cts_wp_Bind cts_wp_SetDC_const)
thus ?thesis by(simp add:wp_SetDC_Bind[sym usin ahymnD h]buo
__rpa
ts(pa <ngrightarrowlthy eSpasrg))\^>« G ¬⊕
by(induct n, auto intro:cts_wp_Skip cts_wp_Seq healthy_intros fix :s
\open> ig ooirtoi oiuu,i heoegnra esdfn ovfo
formers\close
cts_wp_loopstep:
fixes body::"'s prog"
assumes b hlhyw oy"
db "bcs w boy"
(rule bd_cts_trI, rule le_trans_antisym)
assume chain: "∧
and fM: "∧
ae up_xp (range\lambdai. wp body (M i P))) s =
proof(rule le_transI[OF Sup_trans_least2], clarsimp)
fix P Q::"'s expect" and t
assumesP "sndP
assume nQ: "nneg Q" and bP: "bounded_by (bound_of P) Q"
heeQ: "soun Q" by(aut)
from fM have fSup: "feasible (Sup_trans (range M))"
by(auto intro:feasible_Sup_trans)
from sQ fM have "M t Q ⊨!!!ou_ boun_ofP(wp bod M iP))usng hby(uto
ans_upper2ppr)
moreover from sQ fM fSup
have sMt hav{<> range (λi. wp body (M i P))}} =
ultimately have "wp body (M t Q) ⊨!!! G \<guillemotright range (λi. wp od( P"
using healthy_monoD[OF hb] by(auto)
hence "∧ s * f s |f. f ∈
by(rulhav"x(1d='alert("unbekannte/s Formatierung/Symbol >");' >🪙 {\<G\g> s * f s |f. f ∈
thus "?F (M t) Q ⊨!!!?F(ptrs(re M )"
by(intro by(blast)
proof(rule nnegI, simp dd:_vl
fix s::'s
from
with hb have "sound (wp bodyhav 🚫i ww odyy(Mi P))+ (1-\<>G¬ s) * P s =
hence "0 ≤ wp body (Sup_trans (range M) Q) s" by(auto)
moreover from sQ have "0 ≤
ultimately show 0\le«G¬ s * wp body (Sup_trans (range M) Q) s + (1 - « s) * Q s"
(auto intro:add_noneg_nonneg mutnone_onne)
qed
next
fix P::"'s expect" assume sP: "sound P"
thus "nneg P" "bounded_by (bound_of P) P" by(auto)
show "\forallu∈range ((λx. wp (body ;; Embed x G ¬⊕)∘M).
nneg (u R) ∧ bounded_by (bound_of P) (u R)"
proof(clarsimp, intro conjI nnegI bounded_byI, simp_all add:wp_eval)
fix u::nat and R::"'s expect" and s::'s
assume nR: "nneg R" and bR: "bounded_by (bound_of P) R"
hence sR: "sound R" by(auto)
with fM have sMuR: "sound (M u R)" by(auto)
with hb have "sound (wp body (M u R))" by(auto)
hence "0 ≤ wp body (M u R) s" by(auto)
moreover from nR have "0 ≤ R s" by(auto)
ultimately show "0 ≤«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s"
by(auto intro:add_nonneg_nonneg mult_nonneg_nonneg)
from sR bR fM have "bounded_by (bound_of P) (M u R)" by(auto)
with sMuR hb have "bounded_by (bound_of P) (wp body (M u R))" by(auto)
hence "wp body (M u R) s ≤ bound_of P" by(auto)
moreover from bR have "R s ≤ bound_of P" by(auto)
ultimately have "«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s ≤ «G¬ s * bound_of P + (1 - «G¬ s) * bound_of P"
by(auto intro:add_mono mult_left_mono)
also have "... = bound_of P" by(simp add:algebra_simps)
finally show "«G¬ s * wp body (M u R) s + (1 - «G¬ s) * R s ≤ bound_of P" .
qed
qed
show "le_trans (?F (Sup_trans (range M))) (Sup_trans (range (?F o M)))"
proof(rule le_transI, rule le_funI, simp add: wp_eval cong del: image_cong_simp)
fix P::"'s expect" and s::'s
assume sP: "sound P"
have "{t P |t. t ∈ range M} = range (λi. M i P)"
by(blast)
hence "wp body (Sup_trans (range M) P) s = wp body (Sup_exp (range (λi. M i P))) s"
by(simp add:Sup_trans_def)
also {
from sP fM have "∧i. sound (M i P)" by(auto)
moreover from sP chain have "∧i. M i P ⊨!!! M (Suc i) P" by(auto)
moreover {
from sP have "bounded_by (bound_of P) P" by(auto)
with sP fM have "∧i. bounded_by (bound_of P) (M i P)" by(auto)
}
ultimately have "wp body (Sup_exp (range (λi. M i P))) s =
Sup_exp (range (λi. wp body (M i P))) s"
by(subst bd_ctsD[OF cb], auto simp:o_def)
}
also have "Sup_exp (range (λi. wp body (M i P))) s =
Sup {f s |f. f ∈ range (λi. wp body (M i P))}"
by(simp add:Sup_exp_def)
finally have "« {t P |t. t ∈ range ((λx \^>« G ¬⊕ Skip)) ∘ M)} «G¬fi i
imp)
also {
from sP fM have "∧i. swith hbhb hv"bnebbnd_o P(wpod( ) bauo
moreover from sP fM have "\<with s * wp body (M i P) s + (1-« s) * P s ≤
ultimately have "∧
hence by(autitro:a_mon multltmo
moreover
have "{«G¬\guillemotrights) * P s ≤ bound_of P" .
{«
by(blast)
ultimately
have "« {t P |t. t ∈x. wp (body ; Ebe \^« G ¬⊕ M)}}"
Sup {«
by(subst cSup_mult, auto)
moreover {
have "{x + (1-«G¬ s) * P s |x.
x ∈ {«G¬"s. <>t« G ¬⊕p)) circ> M)}} =
{«G¬ s * f s + (1-« s) * P s |f. f ∈i. wp body (M i P))}"
by(blast)
moreover from bound sP have "∧G🚫
by(cases "G", ato)
ultimately
have "Sup {«dy; Eed x Skip)) ∘ s" .
Sup {«G¬
by(subst cSup
}
ultimately
have "«G¬ s * Sup {f s |f. f ∈ range (λi. wp body (M i P))} + (1-«G¬ s) * P s =
Sup {«G¬ s * f s + (1-«G¬ s) * P s |f. f ∈ range (λi. wp body (M i P))}"
by(simp)
}
also {
have "∧i. «G¬ s * wp body (M i P) s + (1-«G¬ s) * P s =
((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M) i P s"
by(simp add:wp_eval)
also have "∧i. ... i ≤
Sup {f s |f. f ∈ {t P |t. t ∈ range ((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M)}}"
proof(intro cSup_upper bdd_aboveI, blast, clarsimp simp:wp_eval)
fix i
from sP have bP: "bounded_by (bound_of P) P" by(auto)
with sP fM have "sound (M i P)" "bounded_by (bound_of P) (M i P)" by(auto)
with hb have "bounded_by (bound_of P) (wp body (M i P))" by(auto)
with bP have "wp body (M i P) s ≤ bound_of P" "P s ≤ bound_of P" by(auto)
hence "«G¬ s * wp body (M i P) s + (1-«G¬ s) * P s ≤ «G¬ s * (bound_of P) + (1-«G¬ s) * (bound_of P)"
by(auto intro:add_mono mult_left_mono)
also have "... = bound_of P" by(simp add:algebra_simps)
finally show "«G¬ s * wp body (M i P) s + (1-«G¬ s) * P s ≤ bound_of P" .
qed
finally
have "Sup {«G¬ s * f s + (1-«G¬ s) * P s |f. f ∈ range (λi. wp body (M i P))} ≤
Sup {f s |f. f ∈ {t P |t. t ∈ range ((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M)}}"
by(blast intro:cSup_least)
}
also have "Sup {f s |f. f ∈ {t P |t. t ∈ range ((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M)}} =
Sup_trans (range ((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M)) P s"
by(simp add:Sup_trans_def Sup_exp_def)
finally show "«G¬ s * wp body (Sup_trans (range M) P) s + (1-«G¬ s) * P s ≤
Sup_trans (range ((λx. wp (body ;; Embed x « G ¬⊕ Skip)) ∘ M)) P s" .
qed