├── model └── uds │ ├── comments │ ├── commLines │ ├── connections │ └── .svn │ ├── text-base │ ├── commLines.svn-base │ ├── comments.svn-base │ └── connections.svn-base │ ├── all-wcprops │ └── entries ├── Sim2HCSP.jar ├── main ├── goal.thy ├── assertionDef.thy ├── processDef.thy ├── varDef.thy ├── controlVarDef.thy ├── controlPDef.thy └── controlADef.thy ├── readme.md ├── proof └── assertionDef.thy └── HHLProver ├── DCSequents ├── DModal0.thy ├── DCSequent.thy ├── Dmodal.ML ├── DS4.thy ├── DSequents.thy ├── LSyntax.thy ├── ILSequent.thy ├── Dprover.ML └── DLK0.thy ├── State.thy ├── Assertion.thy ├── op.thy ├── HCSP_Com.thy ├── HHL.thy └── Sound.thy /model/uds/comments: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /model/uds/commLines: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /model/uds/connections: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /model/uds/.svn/text-base/commLines.svn-base: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /model/uds/.svn/text-base/comments.svn-base: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /model/uds/.svn/text-base/connections.svn-base: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Sim2HCSP.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/submission/Sim2HCSP/master/Sim2HCSP.jar -------------------------------------------------------------------------------- /main/goal.thy: -------------------------------------------------------------------------------- 1 | theory goal 2 | imports "processDef" 3 | begin 4 | 5 | (*Assistance for defining goal, user may need to modify it for proof.*) 6 | consts 7 | pre :: fform 8 | post :: fform 9 | H :: fform 10 | 11 | (*Goal for the whole process.*) 12 | lemma goal : "{pre} P {post; H}" 13 | sorry 14 | 15 | end 16 | -------------------------------------------------------------------------------- /model/uds/.svn/all-wcprops: -------------------------------------------------------------------------------- 1 | K 25 2 | svn:wc:ra_dav:version-url 3 | V 44 4 | /svn/simulink/!svn/ver/141/newCase/model/uds 5 | END 6 | connections 7 | K 25 8 | svn:wc:ra_dav:version-url 9 | V 56 10 | /svn/simulink/!svn/ver/141/newCase/model/uds/connections 11 | END 12 | comments 13 | K 25 14 | svn:wc:ra_dav:version-url 15 | V 53 16 | /svn/simulink/!svn/ver/141/newCase/model/uds/comments 17 | END 18 | commLines 19 | K 25 20 | svn:wc:ra_dav:version-url 21 | V 54 22 | /svn/simulink/!svn/ver/141/newCase/model/uds/commLines 23 | END 24 | -------------------------------------------------------------------------------- /main/assertionDef.thy: -------------------------------------------------------------------------------- 1 | theory assertionDef 2 | imports "varDef" 3 | begin 4 | 5 | (*Define consts for processes definition.*) 6 | consts diff :: "exp => exp" 7 | 8 | definition assertion1 :: mid where 9 | "assertion1 == (WTrue,l[=](Real 0))" 10 | definition assertion2 :: mid where 11 | "assertion2 == (WTrue,l[=](Real 0))" 12 | definition assertion3 :: mid where 13 | "assertion3 == (WTrue,l[=](Real 0))" 14 | definition assertion4 :: mid where 15 | "assertion4 == (WTrue,l[=](Real 0))" 16 | 17 | definition rg1 :: fform where 18 | "rg1 == (l[=](Real 0))" 19 | definition rg2 :: fform where 20 | "rg2 == (l[=](Real 0))" 21 | 22 | definition inv1 :: fform where 23 | "inv1 == WTrue" 24 | definition inv2 :: fform where 25 | "inv2 == WTrue" 26 | 27 | end 28 | -------------------------------------------------------------------------------- /main/processDef.thy: -------------------------------------------------------------------------------- 1 | theory processDef 2 | imports "controlPDef" 3 | begin 4 | 5 | (*Define continuous processes*) 6 | definition PC1_1 :: proc where 7 | "PC1_1 == plant_v_1:=(Real 0);assertion1; 8 | plant_s_1:=(Real 0) 9 | " 10 | definition commI1 :: proc where 11 | "commI1 == Ch_plant_v_1_1!!plant_v_1 [[ Ch_plant_s_1_1!!plant_s_1 [[ Ch_control_1_0??control_1_0" 12 | definition PC1_2 :: proc where 13 | "PC1_2 == (:WTrue) [[> (commI1)" 14 | definition domain1 :: fform where 15 | "domain1 == (plant_and_1[=](Bool False))" 16 | definition PC1_3 :: proc where 17 | "PC1_3 == (:rg1) 18 | [[>commI1" 19 | definition domain2 :: fform where 20 | "domain2 == (plant_and_1[=](Bool True))" 21 | definition PC1_4 :: proc where 22 | "PC1_4 == (:rg2) 23 | [[>commI1" 24 | definition PC1_init :: proc where 25 | "PC1_init == PC1_1;assertion2;PC1_2" 26 | definition PC1_rep :: proc where 27 | "PC1_rep == PC1_3;assertion3;PC1_4" 28 | definition PC1 :: proc where 29 | "PC1 == PC1_init;assertion4;(PC1_rep)*" 30 | 31 | (*Define discrete processes*) 32 | (*Define the whole process.*) 33 | definition P :: proc where 34 | "P == PC1||Pcontrol" 35 | end 36 | -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | ### **This repository can be downloaded by the following commands:** ### 2 | 3 | ``` 4 | $ mkdir /path/to/your/project 5 | $ cd /path/to/your/project 6 | $ git init 7 | $ git remote add origin git@github.com:liangdzou/Sim2HCSP.git 8 | $ git pull origin master 9 | ``` 10 | 11 | ### **File struct:** ### 12 | 13 | * HHLProver: A theory prover for HCSP. 14 | * Sim2HCSP: A tool translating Simulink/Stateflow diagrams into HCSP process. 15 | * model: Simulink model for the CTCS case study. (including the xml format.) 16 | * main: Generated files for the CTCS case study by *Sim2HCSP*. 17 | * proof: The interactive proof we have done for the CTCS case study. 18 | 19 | 20 | ### **Settings for Sim2HCSP:** ### 21 | 22 | 1. Install Java JRE because *Sim2HCSP* is implemented in Java. 23 | 2. Set the following environment variables, so *Sim2HCSP* can invoke *Isabelle* and import *HHLProver* automatically. 24 | 25 | ``` 26 | export IsarHOME=".../Isabelle2013" 27 | export HCSPHOME=".../HHLProver" 28 | ``` 29 | 30 | ### **Run Sim2HCSP with the following command:** ### 31 | 32 | ``` 33 | $ Sim2HCSP -xml fsco.xml -uds uds/ 34 | ``` 35 | 36 | ### **How to check the proof:** ### 37 | 38 | 1. Replace files *assertionDef.thy* *controlADef.thy* *goal.thy* with files in proof. (replace those files which are generated automatically.) 39 | 2. Check it in *Isabelle*. 40 | -------------------------------------------------------------------------------- /model/uds/.svn/entries: -------------------------------------------------------------------------------- 1 | 10 2 | 3 | dir 4 | 149 5 | http://124.16.137.63/svn/simulink/newCase/model/uds 6 | http://124.16.137.63/svn/simulink 7 | 8 | 9 | 10 | 2013-12-12T14:43:08.104211Z 11 | 141 12 | zoul 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 751ec3a4-dfa2-453f-a096-b290d33287e5 28 | 29 | comments 30 | file 31 | 32 | 33 | 34 | 35 | 2013-12-12T14:50:35.500634Z 36 | d41d8cd98f00b204e9800998ecf8427e 37 | 2013-12-12T14:43:08.104211Z 38 | 141 39 | zoul 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 0 62 | 63 | commLines 64 | file 65 | 66 | 67 | 68 | 69 | 2013-12-12T14:50:35.500634Z 70 | d41d8cd98f00b204e9800998ecf8427e 71 | 2013-12-12T14:43:08.104211Z 72 | 141 73 | zoul 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 0 96 | 97 | connections 98 | file 99 | 100 | 101 | 102 | 103 | 2013-12-12T14:50:35.500634Z 104 | d41d8cd98f00b204e9800998ecf8427e 105 | 2013-12-12T14:43:08.104211Z 106 | 141 107 | zoul 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 0 130 | 131 | -------------------------------------------------------------------------------- /proof/assertionDef.thy: -------------------------------------------------------------------------------- 1 | theory assertionDef 2 | imports "varDef" 3 | begin 4 | 5 | (*Define consts for processes definition.*) 6 | consts diff :: "exp => exp" 7 | definition impF :: fform where 8 | "impF == (plant_v_1[*]plant_v_1 [+] (Real 2)[*]plant_s_1[<=](Real 128000))" 9 | definition impF1 :: fform where 10 | "impF1 == (plant_v_1[*]plant_v_1 [+] (Real 2)[*]plant_s_1[<=](Real 128000)) [&] (control_1_0[=](Real -1))" 11 | definition impF2 :: fform where 12 | "impF2 == (plant_v_1[>=](Real 0))[&](plant_v_1[*]plant_v_1 [+] (Real 1/2)[*]plant_v_1 [+] (Real 1/32) [+] (Real 2)[*]plant_s_1[<=](Real 128000)) [&] (control_1_0[>=](Real -1) [&] (control_1_0[<=](Real 1)))" 13 | definition aVal :: fform where 14 | "aVal == (control_1_0 [>=] (Real -1)) [&] (control_1_0 [<=] (Real 1)) " 15 | 16 | definition assertion1 :: mid where 17 | "assertion1 == (plant_v_1 [=] (Real 0),l[=](Real 0))" 18 | definition assertion2 :: mid where 19 | "assertion2 == ((plant_v_1 [=] (Real 0)) [&] (plant_s_1 [=] (Real 0)),l[=](Real 0))" 20 | definition assertion3 :: mid where 21 | "assertion3 == (impF,WTrue)" 22 | definition assertion4 :: mid where 23 | "assertion4 == ((impF1 [|] impF2) [&] aVal,l[=](Real 0))" 24 | 25 | definition rg1 :: fform where 26 | "rg1 == WTrue" 27 | definition rg2 :: fform where 28 | "rg2 == WTrue" 29 | 30 | definition inv1 :: fform where 31 | "inv1 == (plant_v_1[>=](Real 0))[&](plant_v_1[*]plant_v_1 [+] (Real 2)[*]plant_s_1[<=](Real 128000))" 32 | definition inv2 :: fform where 33 | "inv2 == inv1" 34 | 35 | end 36 | -------------------------------------------------------------------------------- /main/varDef.thy: -------------------------------------------------------------------------------- 1 | theory varDef 2 | imports "/home/liang/workspace/s2h/HHLProver/HHL" 3 | begin 4 | 5 | (*Define channel names.*) 6 | definition Ch_plant_v_1_1 :: cname where 7 | "Ch_plant_v_1_1 == ''Ch_plant_v_1_1''" 8 | definition Ch_control_1_0 :: cname where 9 | "Ch_control_1_0 == ''Ch_control_1_0''" 10 | definition Ch_plant_s_1_1 :: cname where 11 | "Ch_plant_s_1_1 == ''Ch_plant_s_1_1''" 12 | 13 | (*Define receiving variables.*) 14 | definition plant_v_1_1 :: exp where 15 | "plant_v_1_1 == RVar ''plant_v_1_1''" 16 | definition control_1_0 :: exp where 17 | "control_1_0 == RVar ''control_1_0''" 18 | definition plant_s_1_1 :: exp where 19 | "plant_s_1_1 == RVar ''plant_s_1_1''" 20 | 21 | (*Define local and sending variables.*) 22 | definition t1 :: exp where 23 | "t1 == RVar ''t1''" 24 | definition temp1 :: exp where 25 | "temp1 == RVar ''temp1''" 26 | definition plant_v_1 :: exp where 27 | "plant_v_1 == RVar ''plant_v_1''" 28 | definition plant_Switch_1 :: exp where 29 | "plant_Switch_1 == RVar ''plant_Switch_1''" 30 | definition plant_co1_1 :: exp where 31 | "plant_co1_1 == RVar ''plant_co1_1''" 32 | definition control_1 :: exp where 33 | "control_1 == RVar ''control_1''" 34 | definition plant_co2_1 :: exp where 35 | "plant_co2_1 == RVar ''plant_co2_1''" 36 | definition plant_and_1 :: exp where 37 | "plant_and_1 == RVar ''plant_and_1''" 38 | definition plant_mul_1 :: exp where 39 | "plant_mul_1 == RVar ''plant_mul_1''" 40 | definition plant_s_1 :: exp where 41 | "plant_s_1 == RVar ''plant_s_1''" 42 | 43 | (*Definitions in comments, including extra functions defined by user or used during translation.*) 44 | definition max :: "exp => exp => exp" 45 | where "max(a,b) == if formT(a[<]b) then b else a" 46 | end 47 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/DModal0.thy: -------------------------------------------------------------------------------- 1 | (* Adapted from implementation by: 2 | Title: Sequents/Modal0.thy 3 | Author: Martin Coen 4 | Copyright 1991 University of Cambridge 5 | *) 6 | 7 | theory DModal0 8 | imports DLK0 9 | uses "Dmodal.ML" 10 | begin 11 | 12 | (*Think future which of "consts" and $datatype$ is better. *) 13 | consts 14 | box :: "fform => fform" ("[]_" [50] 50) 15 | dia :: "fform => fform" ("<>_" [50] 50) 16 | strimp :: "[fform, fform] => fform" (infixr "--<" 25) 17 | streqv :: "[fform, fform] => fform" (infixr ">-<" 25) 18 | Lstar :: "two_seqi" 19 | Rstar :: "two_seqi" 20 | 21 | syntax 22 | "_Lstar" :: "two_seqe" ("(_)|L>(_)" [6,6] 5) 23 | "_Rstar" :: "two_seqe" ("(_)|R>(_)" [6,6] 5) 24 | 25 | ML {* 26 | fun star_tr c [s1, s2] = Const(c, dummyT) $ seq_tr s1 $ seq_tr s2; 27 | fun star_tr' c [s1, s2] = Const(c, dummyT) $ seq_tr' s1 $ seq_tr' s2; 28 | *} 29 | 30 | parse_translation {* 31 | [(@{syntax_const "_Lstar"}, star_tr @{const_syntax Lstar}), 32 | (@{syntax_const "_Rstar"}, star_tr @{const_syntax Rstar})] 33 | *} 34 | 35 | print_translation {* 36 | [(@{const_syntax Lstar}, star_tr' @{syntax_const "_Lstar"}), 37 | (@{const_syntax Rstar}, star_tr' @{syntax_const "_Rstar"})] 38 | *} 39 | 40 | defs 41 | strimp_def: "P --< Q == [](P [-->] Q)" 42 | streqv_def: "P >-< Q == (P --< Q) [&] (Q --< P)" 43 | 44 | 45 | lemmas rewrite_rls = strimp_def streqv_def 46 | 47 | lemma iffR: 48 | "[| $H,P |- $E,Q,$F; $H,Q |- $E,P,$F |] ==> $H |- $E, P [<->] Q, $F" 49 | apply (unfold iff_def) 50 | apply (assumption | rule conjR impR)+ 51 | done 52 | 53 | lemma iffL: 54 | "[| $H,$G |- $E,P,Q; $H,Q,P,$G |- $E |] ==> $H, P [<->] Q, $G |- $E" 55 | apply (unfold iff_def) 56 | apply (assumption | rule conjL impL basic)+ 57 | done 58 | 59 | lemmas safe_rls = basic conjL conjR disjL disjR impL impR notL notR iffL iffR 60 | and unsafe_rls = allR exL 61 | and bound_rls = allL exR 62 | 63 | end 64 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/DCSequent.thy: -------------------------------------------------------------------------------- 1 | theory DCSequent 2 | imports ILSequent 3 | begin 4 | 5 | 6 | type_synonym s = fform 7 | 8 | (*State durations*) 9 | consts 10 | dur :: "s => exp" 11 | 12 | (*Point formula: s holds in the considered point interval. *) 13 | consts 14 | pf :: "s => fform" 15 | consts 16 | (* Everywhere: s holds everywhere in the considered interval of positive range. *) 17 | high :: "s => fform" ("high _") 18 | (*Almost everywhere: s holds almost everywhere in the considered positive interval.*) 19 | almost :: "s=>fform" ("almost _") 20 | 21 | axiomatization where 22 | high_def : " high S == ((dur (S) [=] l) [&] [~](l [=] Real 0) [&] [~] ((l[>]Real 0) [^] pf([~]S) [^] (l[>]Real 0)))" and 23 | almost_def : "almost S == ((dur (S) [=] l) [&] [~](l [=] Real 0))" 24 | 25 | (* Axioms for DC for reasoning about state durations.*) 26 | axiomatization where 27 | DA1 : "|-dur (WFalse) [=] Real 0" and 28 | DA2 : "|- dur (WTrue) [=] l" and 29 | DA3a : " (l [<=] Real 0) |- (dur (S) [<=] Real 0)" and 30 | DA3b : " (Real 0 [<=] l) |- (Real 0 [<=] dur (S)) " and 31 | DA4 : " |- dur (S1) [+] dur (S2) [=] dur (S1 [|] S2) [+] dur (S1 [&] S2)" and 32 | DA5 : " [|RI s; RI t|] ==> |- (dur (S) [=] s [^] dur (S) [=] t) [<->] dur (S) [=] s [+] t" and 33 | DA6 : "|- s1 [<->] s2 ==> |- dur (s1) [=] dur (s2)" 34 | 35 | (*Part of theorems given in [Zhou&Hansen03] for DC.*) 36 | axiomatization where 37 | DC11 : "$H, (high WFalse) |- $H, WFalse" and 38 | DC12 : "$H |- $E, (high ([~]s)) ==> $H |- $E, (dur (s) [=] (Real 0))" and 39 | DC18 : "$H, s |- t ==> $H, (high s) |- (high t)" and 40 | DCR3 : "$H |- (high S) [^] (high S),$E ==> $H |- (high S),$E" and 41 | DCL3 : "$H, (high S)|-$E ==> $H,(high S)[^](high S) |- $E" and 42 | DCR4 : "$H |- (high S),$E ==> $H |- (high S)[^] (high S),$E" and 43 | DCL4 : "$H, (high S)[^](high S) |-$E ==> $H,(high S) |- $E" and 44 | 45 | DCM : "[|$H,(high Q),$F |- $E; $H,P,$F |- Q|] ==> $H,(high P),$F |- $E" 46 | end 47 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/Dmodal.ML: -------------------------------------------------------------------------------- 1 | (* Title: Sequents/modal.ML 2 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory 3 | Copyright 1992 University of Cambridge 4 | 5 | Simple modal reasoner. 6 | *) 7 | 8 | signature MODAL_PROVER_RULE = 9 | sig 10 | val rewrite_rls : thm list 11 | val safe_rls : thm list 12 | val unsafe_rls : thm list 13 | val bound_rls : thm list 14 | val aside_rls : thm list 15 | end; 16 | 17 | signature MODAL_PROVER = 18 | sig 19 | val rule_tac : thm list -> int ->tactic 20 | val step_tac : int -> tactic 21 | val solven_tac : int -> int -> tactic 22 | val solve_tac : int -> tactic 23 | end; 24 | 25 | functor Modal_ProverFun (Modal_Rule: MODAL_PROVER_RULE) : MODAL_PROVER = 26 | struct 27 | 28 | (*Returns the list of all formulas in the sequent*) 29 | fun forms_of_seq (Const(@{const_name SeqO'},_) $ P $ u) = P :: forms_of_seq u 30 | | forms_of_seq (H $ u) = forms_of_seq u 31 | | forms_of_seq _ = []; 32 | 33 | (*Tests whether two sequences (left or right sides) could be resolved. 34 | seqp is a premise (subgoal), seqc is a conclusion of an object-rule. 35 | Assumes each formula in seqc is surrounded by sequence variables 36 | -- checks that each concl formula looks like some subgoal formula.*) 37 | fun could_res (seqp,seqc) = 38 | forall (fn Qc => exists (fn Qp => Term.could_unify (Qp,Qc)) 39 | (forms_of_seq seqp)) 40 | (forms_of_seq seqc); 41 | 42 | (*Tests whether two sequents G|-H could be resolved, comparing each side.*) 43 | fun could_resolve_seq (prem,conc) = 44 | case (prem,conc) of 45 | (_ $ Abs(_,_,leftp) $ Abs(_,_,rightp), 46 | _ $ Abs(_,_,leftc) $ Abs(_,_,rightc)) => 47 | could_res (leftp,leftc) andalso could_res (rightp,rightc) 48 | | _ => false; 49 | 50 | (*Like filt_resolve_tac, using could_resolve_seq 51 | Much faster than resolve_tac when there are many rules. 52 | Resolve subgoal i using the rules, unless more than maxr are compatible. *) 53 | fun filseq_resolve_tac rules maxr = SUBGOAL(fn (prem,i) => 54 | let val rls = filter_thms could_resolve_seq (maxr+1, prem, rules) 55 | in if length rls > maxr then no_tac else resolve_tac rls i 56 | end); 57 | 58 | fun fresolve_tac rls n = filseq_resolve_tac rls 999 n; 59 | 60 | (* NB No back tracking possible with aside rules *) 61 | 62 | fun aside_tac n = DETERM(REPEAT (filt_resolve_tac Modal_Rule.aside_rls 999 n)); 63 | fun rule_tac rls n = fresolve_tac rls n THEN aside_tac n; 64 | 65 | val fres_safe_tac = fresolve_tac Modal_Rule.safe_rls; 66 | val fres_unsafe_tac = fresolve_tac Modal_Rule.unsafe_rls THEN' aside_tac; 67 | val fres_bound_tac = fresolve_tac Modal_Rule.bound_rls; 68 | 69 | fun UPTOGOAL n tf = let fun tac i = if i tac (nprems_of st) st end; 72 | 73 | (* Depth first search bounded by d *) 74 | fun solven_tac d n state = state |> 75 | (if d<0 then no_tac 76 | else if (nprems_of state = 0) then all_tac 77 | else (DETERM(fres_safe_tac n) THEN UPTOGOAL n (solven_tac d)) ORELSE 78 | ((fres_unsafe_tac n THEN UPTOGOAL n (solven_tac d)) APPEND 79 | (fres_bound_tac n THEN UPTOGOAL n (solven_tac (d-1))))); 80 | 81 | fun solve_tac d = rewrite_goals_tac Modal_Rule.rewrite_rls THEN solven_tac d 1; 82 | 83 | fun step_tac n = 84 | COND (has_fewer_prems 1) all_tac 85 | (DETERM(fres_safe_tac n) ORELSE 86 | (fres_unsafe_tac n APPEND fres_bound_tac n)); 87 | 88 | end; 89 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/DS4.thy: -------------------------------------------------------------------------------- 1 | (* Adapted from implementation by: 2 | Title: Sequents/S4.thy 3 | Author: Martin Coen 4 | Copyright 1991 University of Cambridge 5 | *) 6 | 7 | theory DS4 8 | imports DModal0 9 | begin 10 | 11 | axioms 12 | (* Definition of the star operation using a set of Horn clauses *) 13 | (* For system S4: gamma * == {[]P | []P : gamma} *) 14 | (* delta * == {<>P | <>P : delta} *) 15 | 16 | lstar0: "|L>" 17 | lstar1: "$G |L> $H ==> []P, $G |L> []P, $H" 18 | lstar2: "$G |L> $H ==> P, $G |L> $H" 19 | rstar0: "|R>" 20 | rstar1: "$G |R> $H ==> <>P, $G |R> <>P, $H" 21 | rstar2: "$G |R> $H ==> P, $G |R> $H" 22 | 23 | (* Rules for [] and <> *) 24 | 25 | boxR: 26 | "[| $E |L> $E'; $F |R> $F'; $G |R> $G'; 27 | $E' |- $F', P, $G'|] ==> $E |- $F, []P, $G" 28 | boxL: "$E,P,$F,[]P |- $G ==> $E, []P, $F |- $G" 29 | 30 | diaR: "$E |- $F,P,$G,<>P ==> $E |- $F, <>P, $G" 31 | diaL: 32 | "[| $E |L> $E'; $F |L> $F'; $G |R> $G'; 33 | $E', P, $F' |- $G'|] ==> $E, <>P, $F |- $G" 34 | 35 | ML {* 36 | structure S4_Prover = Modal_ProverFun 37 | ( 38 | val rewrite_rls = @{thms rewrite_rls} 39 | val safe_rls = @{thms safe_rls} 40 | val unsafe_rls = @{thms unsafe_rls} @ [@{thm boxR}, @{thm diaL}] 41 | val bound_rls = @{thms bound_rls} @ [@{thm boxL}, @{thm diaR}] 42 | val aside_rls = [@{thm lstar0}, @{thm lstar1}, @{thm lstar2}, @{thm rstar0}, 43 | @{thm rstar1}, @{thm rstar2}] 44 | ) 45 | *} 46 | 47 | method_setup S4_solve = {* Scan.succeed (K (SIMPLE_METHOD (S4_Prover.solve_tac 2))) *} 48 | 49 | 50 | (* Theorems of system T from Hughes and Cresswell and Hailpern, LNCS 129 *) 51 | 52 | lemma "|- []P [-->] P" by S4_solve 53 | lemma "|- [](P[-->]Q) [-->] ([]P[-->][]Q)" by S4_solve (* normality*) 54 | lemma "|- (P--] []P [-->] []Q" by S4_solve 55 | lemma "|- P [-->] <>P" by S4_solve 56 | 57 | lemma "|- [](P [&] Q) [<->] []P [&] []Q" by S4_solve 58 | lemma "|- <>(P [|] Q) [<->] <>P [|] <>Q" by S4_solve 59 | lemma "|- [](P[<->]Q) [<->] (P>-(P[-->]Q) [<->] ([]P[-->]<>Q)" by S4_solve 61 | lemma "|- []P [<->] [~]<>([~]P)" by S4_solve 62 | lemma "|- []([~]P) [<->] [~]<>P" by S4_solve 63 | lemma "|- [~][]P [<->] <>([~]P)" by S4_solve 64 | lemma "|- [][]P [<->] [~]<><>([~]P)" by S4_solve 65 | lemma "|- [~]<>(P [|] Q) [<->] [~]<>P [&] [~]<>Q" by S4_solve 66 | 67 | lemma "|- []P [|] []Q [-->] [](P [|] Q)" by S4_solve 68 | lemma "|- <>(P [&] Q) [-->] <>P [&] <>Q" by S4_solve 69 | lemma "|- [](P [|] Q) [-->] []P [|] <>Q" by S4_solve 70 | lemma "|- <>P [&] []Q [-->] <>(P [&] Q)" by S4_solve 71 | lemma "|- [](P [|] Q) [-->] <>P [|] []Q" by S4_solve 72 | lemma "|- <>(P[-->](Q [&] R)) [-->] ([]P [-->] <>Q) [&] ([]P[-->]<>R)" by S4_solve 73 | lemma "|- (P--] (P--] <>Q [-->] <>(P [&] Q)" by S4_solve 75 | 76 | 77 | (* Theorems of system S4 from Hughes and Cresswell, p.46 *) 78 | 79 | lemma "|- []A [-->] A" by S4_solve (* refexivity *) 80 | lemma "|- []A [-->] [][]A" by S4_solve (* transitivity *) 81 | lemma "|- []A [-->] <>A" by S4_solve (* seriality *) 82 | lemma "|- <>[](<>A [-->] []<>A)" by S4_solve 83 | lemma "|- <>[](<>[]A [-->] []A)" by S4_solve 84 | lemma "|- []P [<->] [][]P" by S4_solve 85 | lemma "|- <>P [<->] <><>P" by S4_solve 86 | lemma "|- <>[]<>P [-->] <>P" by S4_solve 87 | lemma "|- []<>P [<->] []<>[]<>P" by S4_solve 88 | lemma "|- <>[]P [<->] <>[]<>[]P" by S4_solve 89 | 90 | (* Theorems for system S4 from Hughes and Cresswell, p.60 *) 91 | 92 | lemma "|- []P [|] []Q [<->] []([]P [|] []Q)" by S4_solve 93 | lemma "|- ((P>-] ((P>-] []P [&] []Q" by S4_solve 98 | lemma "|- <>(P [|] Q) [<->] <>P [|] <>Q" by S4_solve 99 | lemma "|- <>(P [-->] Q) [<->] ([]P [-->] <>Q)" by S4_solve 100 | 101 | lemma "|- [](P [-->] Q) [-->] (<>P [-->] <>Q)" by S4_solve 102 | lemma "|- []P [-->] []<>P" by S4_solve 103 | lemma "|- <>[]P [-->] <>P" by S4_solve 104 | 105 | lemma "|- []P [|] []Q [-->] [](P [|] Q)" by S4_solve 106 | lemma "|- <>(P [&] Q) [-->] <>P [&] <>Q" by S4_solve 107 | lemma "|- [](P [|] Q) [-->] []P [|] <>Q" by S4_solve 108 | lemma "|- <>P [&] []Q [-->] <>(P [&] Q)" by S4_solve 109 | lemma "|- [](P [|] Q) [-->] <>P [|] []Q" by S4_solve 110 | 111 | end 112 | -------------------------------------------------------------------------------- /HHLProver/State.thy: -------------------------------------------------------------------------------- 1 | theory State 2 | imports Main 3 | "DCSequents/LSyntax" 4 | "HCSP_Com" 5 | (*This file defines states for HCSP programs, also regardes as interpretations for Duration Calculus.*) 6 | 7 | begin 8 | 9 | (*datatype interval = CC real real | CO real real | OO real real | OC real real*) 10 | 11 | (*definition "CC l u == {l .. u}"*) 12 | 13 | type_synonym now = real 14 | type_synonym state = "string => typeid => val" 15 | type_synonym cstate = "now => (state list)" 16 | 17 | axiomatization where 18 | state_spec : "!!g::state. g(x, i) == case i of R => RR (_) | S => SS (_) | B => BB (_)" 19 | 20 | primrec evalE :: "state => exp => val" where 21 | "evalE (f, RVar (x)) = f (x, R)" | 22 | "evalE (f, SVar (x)) = f (x, S)" | 23 | "evalE (f, BVar (x)) = f (x, B)" | 24 | "evalE (f, Real (x)) = RR (x)" | 25 | "evalE (f, String (x)) = SS (x)" | 26 | "evalE (f, Bool (x)) = BB (x)" | 27 | "evalE (f, e1 [+] e2) = (case (evalE (f, e1)) of RR (x) => 28 | (case (evalE (f, e2)) of RR (y) => RR (x + y) | 29 | _ => Err)| 30 | _ => Err)" | 31 | "evalE (f, e1 [-] e2) = (case (evalE (f, e1)) of RR (x) => 32 | (case (evalE (f, e2)) of RR (y) => RR (x - y) | 33 | _ => Err)| 34 | _ => Err)" | 35 | "evalE (f, e1 [*] e2) = (case (evalE (f, e1)) of RR (x) => 36 | (case (evalE (f, e2)) of RR (y) => RR (x * y) | 37 | _ => Err)| 38 | _ => Err)" 39 | 40 | 41 | 42 | (*The function varE may return a list which may has repetitions of variables. However, it does not matter, because it still can judge if one variable is in the expression.*) 43 | primrec varE :: "exp => ((typeid*string) list)" where 44 | "varE (RVar (x)) = [(R,x)]" | 45 | "varE (SVar (x)) = [(S,x)]" | 46 | "varE (BVar (x)) = [(B,x)]" | 47 | "varE (Real (x)) = []" | 48 | "varE (String (x)) = []" | 49 | "varE (Bool (x)) = []" | 50 | "varE (e1 [+] e2) = (varE(e1))@(varE(e2))" | 51 | "varE (e1 [-] e2) = (varE(e1))@(varE(e2))" | 52 | "varE (e1 [*] e2) = (varE(e1))@(varE(e2))" 53 | 54 | (*The function varF may return a list which may has repetitions of variables. However, it does not matter, because it still can judge if one variable is in the form.*) 55 | primrec varF :: "fform => ((typeid*string) list)" where 56 | "varF (WTrue) = ([])" | 57 | "varF (WFalse) = ([])" | 58 | "varF (e1 [=] e2) = (varE(e1)@varE(e2))" | 59 | "varF (e1 [<] e2) = (varE(e1)@varE(e2))" | 60 | "varF (e1 [>] e2) = (varE(e1)@varE(e2))" | 61 | "varF ([~] form1) = (varF(form1))" | 62 | "varF (form1 [&] form2) = (varF(form1)@varF(form2))" | 63 | "varF (form1 [|] form2) = (varF(form1)@varF(form2))" | 64 | "varF (form1 [-->] form2) = (varF(form1)@varF(form2))" | 65 | "varF (form1 [<->] form2) = (varF(form1)@varF(form2))" | 66 | "varF (WALL x form1)= removeAll((R,x),varF(form1))" | 67 | "varF (WEX x form1)= removeAll((R,x),varF(form1))" 68 | 69 | primrec varP :: "proc => ((typeid*string) list)" where 70 | "varP (Skip) = []" | 71 | "varP (Stop) = []" | 72 | "varP (exp1 := exp2) = varE(exp1)@varE(exp2)" | 73 | "varP (cname !! exp) = varE(exp)" | 74 | "varP (cname ?? exp) = varE(exp)" | 75 | "varP (proc1; mid; proc2) = varP(proc1)@varP(proc2)" | 76 | "varP (IF form proc) = varF(form)@varP(proc)" | 77 | "varP (NON type x : form proc) = removeAll((type,x),varP(proc))" | 78 | "varP (proc1 \ proc2) = varP(proc1)@varP(proc2)" | 79 | "varP (proc1 [[ proc2) = varP(proc1)@varP(proc2)" | 80 | "varP (proc1 << proc2) = varP(proc1)@varP(proc2)" | 81 | "varP (proc1 || proc2) = varP(proc1)@varP(proc2)" | 82 | "varP (proc *) = varP(proc)" | 83 | "varP ( : Rg) = varF(Inv)" | 84 | "varP (proc1 |> time proc2) = varP(proc1)@varP(proc2)" | 85 | "varP (proc1 [[> proc2) = varP(proc1)@varP(proc2)" 86 | 87 | primrec inList :: "'a => 'a list => bool" where 88 | "inList(a,[]) = False " | 89 | "inList(a,x#xs) = (if (a=x) then True else inList(a,xs))" 90 | 91 | definition inE :: "exp => typeid => string => bool" where 92 | "inE == %e. %t. %s. inList((t,s),varE(e))" 93 | 94 | definition inF :: "fform => typeid => string => bool" where 95 | "inF == %f. %t. %s. inList((t,s),varF(f))" 96 | 97 | definition inP :: "proc => typeid => string => bool" where 98 | "inP == %p. %t. %s. inList((t,s),varP(p))" 99 | 100 | end -------------------------------------------------------------------------------- /HHLProver/Assertion.thy: -------------------------------------------------------------------------------- 1 | theory Assertion imports 2 | "State" 3 | 4 | begin 5 | 6 | (*evalF defines the semantics of assertions written in first-order logic*) 7 | primrec evalF :: "state => fform => bool" where 8 | "evalF (f,WTrue) = (True)" | 9 | "evalF (f,WFalse) = (False)" | 10 | "evalF (f,e1 [=] e2) = (case (evalE (f,e1), evalE (f,e2)) of 11 | (RR (r1),RR (r2)) => ((r1::real) = r2) | 12 | (SS (r1),SS (r2)) => ((r1::string) = r2) | 13 | (BB (r1),BB (r2)) => ((r1::bool) = r2) | 14 | (_,_) => False)" | 15 | "evalF (f,e1 [<] e2) = (case (evalE (f,e1), evalE (f,e2)) of 16 | (RR (r1),RR (r2)) => ((r1::real) < r2) | 17 | (_,_) => False)" | 18 | "evalF (f,e1 [>] e2) = (case (evalE (f,e1), evalE (f,e2)) of 19 | (RR (r1),RR (r2)) => (r1::real) > r2 | 20 | (_,_) => False)" | 21 | "evalF (f,[~] form1) = (~ (evalF (f,form1)))" | 22 | "evalF (f,form1 [&] form2) = ((evalF (f,form1)) & (evalF (f,form2)))" | 23 | "evalF (f,form1 [|] form2) = ((evalF (f,form1)) | (evalF (f,form2)))" | 24 | "evalF (f,form1 [-->] form2) = ((evalF (f,form1)) --> (evalF (f,form2)))" | 25 | "evalF (f,form1 [<->] form2) = ((evalF (f,form1)) <-> (evalF (f,form2)))" | 26 | "evalF (f,WALL x form1)= (ALL (v::real). (evalF((%a. %i. (if (a=x) then (RR (v)) else (f(a, i)))), form1)))" | 27 | "evalF (f,WEX x form1)= (EX (v::real). evalF((%a. %i. (if (a=x) then (RR (v)) else f(a, i))), form1))" 28 | 29 | 30 | definition evalFP :: "cstate => fform => now => bool" where 31 | "evalFP(f,P,c) == ALL s. inList(s,f(c)) --> evalF(s,P)" 32 | 33 | (*ievalF defines the semantics of assertions written in interval logic and duration calculus*) 34 | consts ievalF :: "cstate => fform => now => now => bool" 35 | axiomatization where 36 | chop_eval: "ievalF (f, P[^]Q, c, d) = (EX k s1 s2. s1@s2=f(k) & ievalF (%t. if t=k then s1 else f(t), P, c, k) 37 | & ievalF (%t. if t=k then s2 else f(t), Q, k, d))" and 38 | chop_sep: "ievalF (f, P, c, d) = (ALL k s1 s2. s1@s2=f(k) --> ievalF (%t. if t=k then s1 else f(t), P, c, k) 39 | & ievalF (%t. if t=k then s2 else f(t), P, k, d))" and 40 | pf_eval: "ievalF (f, pf (P), c, d) = (c=d & (EX s. inList(s, f(c))) & evalF (s, P))" and 41 | high_eval: "ievalF (f, high P, c, d) = ((ALL (k::real). (c evalFP (f, P, k)))" and 42 | chop_interval: "(ALL t. (c=d --> f(c)=g(c)) & (c<=t & t<=d --> f(t)=g(t))) ==> ievalF(f,P,c,d)=ievalF(g,P,c,d)" 43 | 44 | lemma chop_eval1: "(EX k. ievalF (f, P, c, k) & ievalF (f, Q, k, d)) ==> ievalF (f, P[^]Q, c, d)" 45 | apply (simp add: chop_eval,auto) 46 | apply (cut_tac x=k in exI,auto) 47 | apply (cut_tac x="f(k)" in exI,auto) 48 | apply (subgoal_tac "f = (%t. if t = k then f(k) else f(t))",auto) 49 | apply (subgoal_tac "(ALL ka s1 s2. s1@s2=f(ka) --> ievalF (%t. if t=ka then s1 else f(t), Q, k, ka) 50 | & ievalF (%t. if t=ka then s2 else f(t), Q, ka, d))") 51 | apply (subgoal_tac "ievalF(%t. if t = k then f(k) else f(t), Q, k, k) & 52 | ievalF(%t. if t = k then [] else f(t), Q, k, d)") 53 | apply blast 54 | apply (erule allE)+ 55 | apply blast 56 | apply (cut_tac f=f and P=Q and c=k and d=d in chop_sep,auto) 57 | done 58 | 59 | (*The following axioms define the evaluation of formulas of part of first-order interval logic.*) 60 | axiomatization where 61 | True_eval : "ievalF (f,WTrue, c, d) = (True)" and 62 | False_eval : "ievalF (f,WFalse,c,d) = (False)" and 63 | L_eval : "ievalF (f, (l [=] Real L), c, d) = (d-c = L)" and 64 | (*Equal_eval : "ievalF (f,e1 [=] e2,c,d) = evalFP(f,e1 [=] e2,c)" and 65 | Less_eval : "ievalF (f,e1 [<] e2,c,d) = evalFP(f,e1 [<] e2,c)" and 66 | Great_eval: "ievalF (f,e1 [>] e2,c,d) = evalFP(f,e1 [>] e2,c)" and*) 67 | Not_eval: "ievalF (f,[~] form1,c,d) = (~ (ievalF (f,form1,c,d)))" and 68 | And_eval: "ievalF (f,form1 [&] form2,c,d) = ((ievalF (f,form1,c,d)) & (ievalF (f,form2,c,d)))" and 69 | Or_eval: "ievalF (f,F [|] G,c,d) = ((ievalF (f,F,c,d)) | (ievalF (f,G,c,d)))" and 70 | Imply_eval: "ievalF (f,form1 [-->] form2,c,d) = ((ievalF (f,form1,c,d)) --> (ievalF (f,form2,c,d)))" and 71 | Equiv_eval: "ievalF (f,form1 [<->] form2,c,d) = ((ievalF (f,form1,c,d)) <-> (ievalF (f,form2,c,d)))" and 72 | ALL_eval: "ievalF (f,WALL x form1,c,d)= (ALL (v::real). ievalF((%t. List.map(%s. %y i. if y=x & i=R then RR(v) else s(y,i),f(t))), form1, c, d))" and 73 | EX_eval: "ievalF (f,WEX x form1,c,d)= (EX (v::real). ievalF((%t. List.map(%s. %y i. if y=x & i=R then RR(v) else s(y,i),f(t))), form1, c, d))" 74 | 75 | (*The following axioms define the semantic meanings of closure of formulas.*) 76 | axiomatization where 77 | close_fact1: "ALL t. (t>=b & t evalF (f, p)) --> (evalF (f, close(p)))" and 78 | close_fact2: "ALL t. (t>=b & t evalF (f, p)) --> (evalF (f, close([~]p)))" and 79 | close_fact3: "evalF (s,p) ==> evalF (s,close(p))" 80 | 81 | end -------------------------------------------------------------------------------- /HHLProver/DCSequents/DSequents.thy: -------------------------------------------------------------------------------- 1 | (* Title: Sequents/Sequents.thy 2 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory 3 | Copyright 1993 University of Cambridge 4 | *) 5 | 6 | header {* Parsing and pretty-printing of sequences *} 7 | 8 | theory DSequents 9 | imports Pure LSyntax 10 | uses ("Dprover.ML") 11 | begin 12 | 13 | setup Pure_Thy.old_appl_syntax_setup 14 | 15 | declare [[unify_trace_bound = 20, unify_search_bound = 40]] 16 | 17 | 18 | (* Sequences *) 19 | 20 | typedecl 21 | seq' 22 | 23 | consts 24 | SeqO' :: "[fform, seq']=>seq'" 25 | Seq1' :: "fform => seq'" 26 | 27 | (* concrete syntax *) 28 | nonterminal seq and seqobj and seqcont 29 | 30 | syntax 31 | "_SeqEmp" :: seq ("") 32 | "_SeqApp" :: "[seqobj,seqcont] => seq" ("__") 33 | 34 | "_SeqContEmp" :: seqcont ("") 35 | "_SeqContApp" :: "[seqobj,seqcont] => seqcont" (",/ __") 36 | 37 | "_SeqO" :: "fform => seqobj" ("_") 38 | "_SeqId" :: "'a => seqobj" ("$_") 39 | 40 | type_synonym single_seqe = "[seq,seqobj] => prop" 41 | type_synonym single_seqi = "[seq'=>seq',seq'=>seq'] => prop" 42 | type_synonym two_seqi = "[seq'=>seq', seq'=>seq'] => prop" 43 | type_synonym two_seqe = "[seq, seq] => prop" 44 | type_synonym three_seqi = "[seq'=>seq', seq'=>seq', seq'=>seq'] => prop" 45 | type_synonym three_seqe = "[seq, seq, seq] => prop" 46 | type_synonym four_seqi = "[seq'=>seq', seq'=>seq', seq'=>seq', seq'=>seq'] => prop" 47 | type_synonym four_seqe = "[seq, seq, seq, seq] => prop" 48 | type_synonym sequence_name = "seq'=>seq'" 49 | 50 | 51 | syntax 52 | (*Constant to allow definitions of SEQUENCES of formulas*) 53 | "_Side" :: "seq=>(seq'=>seq')" ("<<(_)>>") 54 | 55 | ML {* 56 | 57 | (* parse translation for sequences *) 58 | 59 | fun abs_seq' t = Abs ("s", Type (@{type_name seq'}, []), t); 60 | 61 | fun seqobj_tr (Const (@{syntax_const "_SeqO"}, _) $ f) = 62 | Const (@{const_syntax SeqO'}, dummyT) $ f 63 | | seqobj_tr (_ $ i) = i; 64 | 65 | fun seqcont_tr (Const (@{syntax_const "_SeqContEmp"}, _)) = Bound 0 66 | | seqcont_tr (Const (@{syntax_const "_SeqContApp"}, _) $ so $ sc) = 67 | seqobj_tr so $ seqcont_tr sc; 68 | 69 | fun seq_tr (Const (@{syntax_const "_SeqEmp"}, _)) = abs_seq' (Bound 0) 70 | | seq_tr (Const (@{syntax_const "_SeqApp"}, _) $ so $ sc) = 71 | abs_seq'(seqobj_tr so $ seqcont_tr sc); 72 | 73 | fun singlobj_tr (Const (@{syntax_const "_SeqO"},_) $ f) = 74 | abs_seq' ((Const (@{const_syntax SeqO'}, dummyT) $ f) $ Bound 0); 75 | 76 | 77 | (* print translation for sequences *) 78 | 79 | fun seqcont_tr' (Bound 0) = 80 | Const (@{syntax_const "_SeqContEmp"}, dummyT) 81 | | seqcont_tr' (Const (@{const_syntax SeqO'}, _) $ f $ s) = 82 | Const (@{syntax_const "_SeqContApp"}, dummyT) $ 83 | (Const (@{syntax_const "_SeqO"}, dummyT) $ f) $ seqcont_tr' s 84 | | seqcont_tr' (i $ s) = 85 | Const (@{syntax_const "_SeqContApp"}, dummyT) $ 86 | (Const (@{syntax_const "_SeqId"}, dummyT) $ i) $ seqcont_tr' s; 87 | 88 | fun seq_tr' s = 89 | let 90 | fun seq_itr' (Bound 0) = Const (@{syntax_const "_SeqEmp"}, dummyT) 91 | | seq_itr' (Const (@{const_syntax SeqO'}, _) $ f $ s) = 92 | Const (@{syntax_const "_SeqApp"}, dummyT) $ 93 | (Const (@{syntax_const "_SeqO"}, dummyT) $ f) $ seqcont_tr' s 94 | | seq_itr' (i $ s) = 95 | Const (@{syntax_const "_SeqApp"}, dummyT) $ 96 | (Const (@{syntax_const "_SeqId"}, dummyT) $ i) $ seqcont_tr' s 97 | in 98 | case s of 99 | Abs (_, _, t) => seq_itr' t 100 | | _ => s $ Bound 0 101 | end; 102 | 103 | 104 | fun single_tr c [s1, s2] = 105 | Const (c, dummyT) $ seq_tr s1 $ singlobj_tr s2; 106 | 107 | fun two_seq_tr c [s1, s2] = 108 | Const (c, dummyT) $ seq_tr s1 $ seq_tr s2; 109 | 110 | fun three_seq_tr c [s1, s2, s3] = 111 | Const (c, dummyT) $ seq_tr s1 $ seq_tr s2 $ seq_tr s3; 112 | 113 | fun four_seq_tr c [s1, s2, s3, s4] = 114 | Const (c, dummyT) $ seq_tr s1 $ seq_tr s2 $ seq_tr s3 $ seq_tr s4; 115 | 116 | 117 | fun singlobj_tr' (Const (@{const_syntax SeqO'},_) $ fm) = fm 118 | | singlobj_tr' id = Const (@{syntax_const "_SeqId"}, dummyT) $ id; 119 | 120 | 121 | fun single_tr' c [s1, s2] = 122 | Const (c, dummyT) $ seq_tr' s1 $ seq_tr' s2; 123 | 124 | fun two_seq_tr' c [s1, s2] = 125 | Const (c, dummyT) $ seq_tr' s1 $ seq_tr' s2; 126 | 127 | fun three_seq_tr' c [s1, s2, s3] = 128 | Const (c, dummyT) $ seq_tr' s1 $ seq_tr' s2 $ seq_tr' s3; 129 | 130 | fun four_seq_tr' c [s1, s2, s3, s4] = 131 | Const (c, dummyT) $ seq_tr' s1 $ seq_tr' s2 $ seq_tr' s3 $ seq_tr' s4; 132 | 133 | 134 | 135 | (** for the <<...>> notation **) 136 | 137 | fun side_tr [s1] = seq_tr s1; 138 | *} 139 | 140 | parse_translation {* [(@{syntax_const "_Side"}, side_tr)] *} 141 | 142 | use "Dprover.ML" 143 | 144 | end 145 | 146 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/LSyntax.thy: -------------------------------------------------------------------------------- 1 | header {* Abstract syntax for Logic. *} 2 | 3 | theory LSyntax 4 | imports Main 5 | "~~/HOL/Real" 6 | begin 7 | 8 | (*Expressions of HCSP language.*) 9 | datatype exp = RVar string ("RVar _" 75 ) 10 | | SVar string ("SVar _" 75) 11 | | BVar string ("BVar _" 75) 12 | | List "exp list" ("List _" 75) 13 | | Real real ("Real _" 75) 14 | | String string ("String _" 75) 15 | | Bool bool ("Bool _" 75) 16 | | Add exp exp (infixr "[+]" 70) 17 | | Sub exp exp (infixr "[-]" 70) 18 | | Mul exp exp (infixr "[*]" 71) 19 | | Div exp exp (infixr "[**]" 71) 20 | 21 | (*Logic formulas.*) 22 | datatype fform = WTrue | WFalse 23 | | WEq exp exp (infixl "[=]" 50) 24 | | Less exp exp (infixl "[<]" 50) 25 | | Great exp exp (infixl "[>]" 50) 26 | | WNot fform ("[~] _" [40] 40) 27 | | WConj fform fform (infixr "[&]" 35) 28 | | WDisj fform fform (infixr "[|]" 30) 29 | | WImp fform fform (infixr "[-->]" 30) 30 | | WIff fform fform (infixr "[<->]" 25) 31 | | WAll string fform ("WALL _ _ " 10) 32 | | WEx string fform ("WEX _ _" 10) 33 | 34 | definition 35 | equal_less (infixl "[<=]" 50) where 36 | "x [<=] y == (x [<] y) [|] (x [=] y)" 37 | definition 38 | equal_greater (infixl "[>=]" 50) where 39 | "x [>=] y == (x [>] y) [|] (x [=] y)" 40 | 41 | (*Define the closure of a formula*) 42 | fun NotForm :: "fform => fform" 43 | and close :: "fform => fform" where 44 | "NotForm (WTrue) = (WFalse)" | 45 | "NotForm (WFalse) = (WTrue)" | 46 | "NotForm (WEq e1 e2) = (WTrue)" | 47 | "NotForm (Less e1 e2) = ((Great e1 e2) [|] (WEq e1 e2))" | 48 | "NotForm (Great e1 e2) = ((Less e1 e2) [|] (WEq e1 e2))" | 49 | "NotForm (WNot f1) = close(f1)" | 50 | "NotForm (WConj f1 f2) = (NotForm(f1) [|] NotForm(f2))" | 51 | "NotForm (WDisj f1 f2) = (NotForm(f1) [&] NotForm(f2))" | 52 | "NotForm (WImp f1 f2) = ((close(f1)) [&] NotForm(f2))" | 53 | "NotForm (WIff f1 f2) = (((close(f1)) [&] NotForm(f2)) [|] (close( f2) [&] NotForm(f1)))" | 54 | "NotForm (WAll x f1) = (WEx x (NotForm(f1)))" | 55 | "NotForm (WEx x f1) = (WAll x (NotForm(f1)))" | 56 | "close (WTrue) = (WTrue)" | 57 | "close (WFalse) = (WFalse)" | 58 | "close (WEq e1 e2) = (WEq e1 e2)" | 59 | "close (Less e1 e2) = ((Less e1 e2) [|] (WEq e1 e2))" | 60 | "close (Great e1 e2) = ((Great e1 e2) [|] (WEq e1 e2))" | 61 | "close (WNot f1) = NotForm(f1)" | 62 | "close (WConj f1 f2) = (close(f1) [&] close(f2))" | 63 | "close (WDisj f1 f2) = (close(f1) [|] close(f2))" | 64 | "close (WImp f1 f2) = ((NotForm(f1)) [|] close(f2))" | 65 | "close (WIff f1 f2) = (((NotForm(f1)) [|] close(f2)) [&] (close(f2) [|] close(f1)))" | 66 | "close (WAll x f1) = (WAll x (close(f1)))" | 67 | "close (WEx x f1) = (WEx x (close(f1)))" 68 | 69 | (* Transfform our formulea to the formulea in isabelle for proving arith props*) 70 | consts rvar :: "string => real" 71 | consts svar :: "string => string" 72 | consts bvar :: "string => bool" 73 | 74 | datatype val = RR real | SS string | BB bool | LL "exp list" | Err 75 | 76 | (*Transformation of expressions*) 77 | primrec expTrans :: "exp => val" where 78 | "expTrans (RVar s) = RR (rvar s)" | 79 | "expTrans (SVar s) = SS (svar s)" | 80 | "expTrans (BVar s) = BB (bvar s)" | 81 | "expTrans (List ls) = LL ls" | 82 | "expTrans (Real r) = RR r" | 83 | "expTrans (String s) = SS s" | 84 | "expTrans (Bool b) = BB b" | 85 | "expTrans (Add e1 e2) = (case (expTrans e1, expTrans e2) of 86 | (RR r1,RR r2) => RR (r1+r2) | 87 | (_,_) => Err)" | 88 | "expTrans (Sub e1 e2) = (case (expTrans e1, expTrans e2) of 89 | (RR r1,RR r2) => RR (r1-r2) | 90 | (_,_) => Err)" | 91 | "expTrans (Mul e1 e2) = (case (expTrans e1, expTrans e2) of 92 | (RR r1,RR r2) => RR (r1*r2) | 93 | (_,_) => Err)" | 94 | "expTrans (Div e1 e2) = (case (expTrans e1, expTrans e2) of 95 | (RR r1,RR r2) => RR (r1/r2) | 96 | (_,_) => Err)" 97 | 98 | (*Transformation of formulas*) 99 | primrec formT :: "fform => bool" where 100 | "formT (WTrue) = True" | 101 | "formT (WFalse) = False" | 102 | "formT (e1 [=] e2) = (case (expTrans e1, expTrans e2) of 103 | (RR r1,RR r2) => ((r1::real) = r2) | 104 | (SS r1,SS r2) => ((r1::string) = r2) | 105 | (BB r1,BB r2) => ((r1::bool) = r2) | 106 | (LL r1,LL r2) => ((r1::(exp list)) = r2) | 107 | (_,_) => False)" | 108 | "formT (e1 [<] e2) = (case (expTrans e1, expTrans e2) of 109 | (RR r1,RR r2) => ((r1::real) < r2) | 110 | (_,_) => False)" | 111 | "formT (e1 [>] e2) = (case (expTrans e1, expTrans e2) of 112 | (RR r1,RR r2) => (r1::real) > r2 | 113 | (_,_) => False)" | 114 | "formT ([~] fform1) = (~ (formT fform1))" | 115 | "formT (fform1 [&] fform2) = ((formT fform1) & (formT fform2))" | 116 | "formT (fform1 [|] fform2) = ((formT fform1) | (formT fform2))" | 117 | "formT (fform1 [-->] fform2) = ((formT fform1) --> (formT fform2))" | 118 | "formT (fform1 [<->] fform2) = ((formT fform1) <-> (formT fform2))" | 119 | "formT (WALL x fform1)= (let (r::real) = rvar(x) in (ALL r::real. (formT fform1)))" | 120 | "formT (WEX x fform1)= (let (r::real) = rvar(x) in (EX r::real. (formT fform1)))" 121 | 122 | end 123 | 124 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/ILSequent.thy: -------------------------------------------------------------------------------- 1 | header {*The sequent calculus for interval logic*} 2 | 3 | theory ILSequent 4 | imports DS4 5 | begin 6 | 7 | 8 | consts 9 | (*Chop modality and interval variable *) 10 | chop :: "[fform, fform] => fform" (infixr "[^]" 38) 11 | l :: exp 12 | 13 | (*the special variable l is real*) 14 | axiomatization where 15 | ltrans : "l = RVar (''l'')" and 16 | l_pos : "|- l[>=]Real 0" 17 | 18 | axiomatization where 19 | dia_def : "<>P == WTrue [^] P [^] WTrue" and 20 | box_def : "[]P == [~] (<> ([~]P))" 21 | 22 | (*datatype non = fform | exp*) 23 | 24 | 25 | section {*Definitions and rules for rigid and chop-free.*} 26 | consts 27 | RI :: "'a => prop" ("(RI _)") 28 | CF :: "fform => prop" ("(CF _)") 29 | 30 | (* Rules for RI and CF , the rules for all constructs are given, not just finalconsts.*) 31 | axiomatization where 32 | (* Rigid RI *) 33 | RIfalse: "RI WFalse" and 34 | RIchopI: "[| RI P :: fform; RI Q |] ==> RI (P[^]Q)" and 35 | RIchopE1: "RI P[^]Q ==> RI P::fform" and 36 | RIchopE2: "RI P[^]Q ==> RI Q::fform" and 37 | RIconjI: "[| RI P; RI Q |] ==> RI P [&] Q" and 38 | RIconjE1: "RI P [&] Q ==> RI P" and 39 | RIconjE2: "RI P [&] Q ==> RI Q" and 40 | RIdisjI: "[| RI P; RI Q |] ==> RI P [|] Q" and 41 | RIdisjE1: "RI P [|] Q ==> RI P" and 42 | RIdisjE2: "RI P [|] Q ==> RI Q" and 43 | RIimpI: "[| RI P; RI Q |] ==> RI P [-->] Q" and 44 | RIimpE1: "RI P[-->]Q ==> RI P" and 45 | RIimpE2: "RI P[-->]Q ==> RI Q" and 46 | RInotI: "RI P ==> RI ([~]P)" and 47 | RInotE: "RI ([~]P) ==> RI P" 48 | 49 | axiomatization where 50 | (* Quantifiers *) 51 | RIallI: "[| RI s; RI P(s) |] ==> RI (ALL x. P(x))" and 52 | RIallE: "[| RI s; RI (ALL x. P(x)) |] ==> RI P(s)" and 53 | RIequI: "[| RI s; RI t |] ==> RI (s = t)" and 54 | RIequE1: "RI (s = t) ==> RI s" and 55 | RIequE2: "RI (s = t) ==> RI t" and 56 | RInegI: "RI s ==> RI (-s)" and 57 | RInegE: "RI (-s) ==> RI s" and 58 | RIzero: "RI 0" and 59 | RIone: "RI 1" and 60 | RIadd: "[|RI s; RI t|] ==> RI (s+t)" and 61 | RImult: "[|RI s; RI t|] ==> RI (s*t)" and 62 | RIdev: "[|RI s; RI t|] ==> RI (s/t)" 63 | 64 | 65 | axiomatization where 66 | (* Chop free CF *) 67 | CFfalse: "CF WFalse" and 68 | CFimpI: "[| CF P; CF Q |] ==> (CF P [-->] Q)" and 69 | CFimpE1: "CF (P [-->] Q) ==> CF P" and 70 | CFimpE2: "CF (P [-->] Q) ==> CF Q" and 71 | CFequ: "CF (s [=] t)" and 72 | CFconjI: "[| CF P; CF Q |] ==> CF P[&]Q" and 73 | CFconjE1: "CF P[&]Q ==> CF P" and 74 | CFconjE2: "CF P[&]Q ==> CF Q" and 75 | CFdisjI: "[| CF P; CF Q |] ==> CF P[|]Q" and 76 | CFdisjE1: "CF P[|]Q ==> CF P" and 77 | CFdisjE2: "CF P[|]Q ==> CF Q" and 78 | CFnotI: "CF P ==> CF ([~]P)" and 79 | CFnotE: "CF ([~]P) ==> CF P" 80 | 81 | axiomatization where 82 | (* Quantifiers *) 83 | CFexI: "CF P(s) ==> CF (WEX x P(x))" and 84 | CFexE: "CF (WEX x P(x)) ==> CF P(s)" and 85 | CFallI: "CF P(s) ==> CF (WALL x P(x))" and 86 | CFallE: "CF (WALL x P(x)) ==> CF P(s)" 87 | 88 | section {*Sequent rules for chop modality [Zhou and Hansen modified].*} 89 | axiomatization where 90 | LL2: "[| RI s; RI t; $H, l [=] s [+] t |- $E |] ==> $H, (l [=] s) [^] (l [=] t) |- $E" and 91 | RL2: "[| RI s; RI t; $H |- l [=] s [+] t, $E |] ==> $H |- (l [=] s) [^] (l [=] t), $E" and 92 | 93 | LL3: " $H |- P, $E ==> $H |- P [^] (l [=] (Real 0)), $E" and 94 | RL3: " $H, P [^] (l [=] Real 0) |- $E ==> $H, P |- $E" and 95 | LL4: " $H, P |- $E ==> $H, P [^] (l [=] Real 0) |- $E" and 96 | RL4: " $H |- P, $E ==> $H |- P [^] (l [=] (Real 0)), $E" and 97 | LL3a: " $H, P |- $E ==> $H, (l [=] (Real 0)) [^] P |- $E" and 98 | RL3a: " $H |- P, $E ==> $H |- (l [=] (Real 0)) [^] P, $E" and 99 | LL1: "[| RI s; $H |- (l [=] s) [^] P, $E |] ==> $H, (l [=] s) [^] ([~]P) |- $E" and 100 | RL1: "[| RI s; $H , (l [=] s) [^] P |- $E |] ==> $H |- (l [=] s) [^] ([~]P), $E" and 101 | LL1a: "[| RI s; $H |- P [^] (l [=] s) , $E |] ==> $H, ([~]P) [^] (l [=] s) |- $E" and 102 | RL1a: "[| RI s; $H , P [^] (l [=] s) |- $E |] ==> $H |- ([~]P) [^] (l [=] s), $E" and 103 | 104 | LT1: "[| $H, P [^] Q |- $E; $H, R [^] Q |- $E|] ==> $H, (P [|] R) [^] Q |- $E" and 105 | RT1: "$H |- P [^] Q, R [^] Q, $E ==> $H |- (P [|] R) [^] Q, $E" and 106 | LT1a: "[| $H, P [^] Q |- $E; $H, P [^] R |- $E|] ==> $H, P [^] (Q [|] R) |- $E" and 107 | RT1a: "$H |- P [^] Q, P [^] R, $E ==> $H |- P [^] (Q [|] R), $E" and 108 | 109 | LA2: "$H, P [^] (Q [^] R) |- $E ==> $H, (P [^] Q) [^] R |- $E" and 110 | RA2: "$H |- P [^] (Q [^] R), $E ==> $H |- (P [^] Q) [^] R, $E" 111 | 112 | axiomatization where 113 | LB1: "(!!x. $H, (P(x) [^] Q) |- $E) ==> $H, ((WEX x P(x)) [^] Q) |- $E" and 114 | RB1: "[|RI s; CF P(x); $H |- P(x) [^] Q, $E|] ==> $H |- (WEX x P(x)) [^] Q, $E" 115 | 116 | axiomatization where 117 | LBr: "(!!x. $H, (P [^] Q(x)) |- $E) ==> $H, (P [^] (WEX x Q(x))) |- $E" and 118 | RBr: "[|RI s; CF Q(x); $H |- P [^] Q(x), $E|] ==> $H |- P [^] (WEX x Q(x)), $E" 119 | 120 | (*Zouliang: add for conjunction*) 121 | axiomatization where 122 | LC1: "$H, P [^] Q, $E |- $F ==> $H, (P [&] R) [^] Q, $E |- $F" and 123 | LC2: "$H, R [^] Q, $E |- $F ==> $H, (P [&] R) [^] Q, $E |- $F" and 124 | LC3: "$H, Q [^] P, $E |- $F ==> $H, Q [^] (P [&] R), $E |- $F" and 125 | LC4: "$H, Q [^] R, $E |- $F ==> $H, Q [^] (P [&] R), $E |- $F" and 126 | 127 | TT: "WTrue [^] WTrue == WTrue" and 128 | LT: "l[<](Real m) [^] WTrue == WTrue" and 129 | LTa: "l[=](Real m) [^] WTrue == WTrue" and 130 | CML: "[|$H, R [^] Q, $E |- $F; P|-R|] ==> $H, P [^] Q, $E |- $F" and 131 | CMR: "[|$H, P [^] R, $E |- $F; Q|-R|] ==> $H, P [^] Q, $E |- $F" 132 | end 133 | -------------------------------------------------------------------------------- /HHLProver/op.thy: -------------------------------------------------------------------------------- 1 | theory op 2 | imports Assertion 3 | (*This file defines the operation semantics of HCSP.*) 4 | 5 | begin 6 | 7 | consts evalP :: "proc => cstate => now => proc * cstate * now" 8 | consts evalPP :: "proc => cstate => cstate => now => proc * cstate * cstate * now * now" 9 | 10 | (*We use `skip' to denote empty statement, so the opration semantics for skip is not nessary.*) 11 | 12 | (*operation semantics for stop*) 13 | axiomatization where 14 | stop : "!!d'. evalP (Stop, f, d) = (Stop, f, d+d')" 15 | 16 | (*operation semantics for *) 17 | axiomatization where 18 | assignR : "evalP (((RVar (x)) := e),f,d) = 19 | (Skip, (%t. if t = d then f(t)@[%y i. if y=x & i=R then evalE(last(f(t)),e) else last(f(t))(y,i)] else f(t)), d)" and 20 | assignS : "evalP (((SVar (x)) := e),f,d) = 21 | (Skip, (%t. if t = d then f(t)@[%y i. if y=x & i=S then evalE(last(f(t)),e) else last(f(t))(y,i)] else f(t)), d)" and 22 | assignB : "evalP (((BVar (x)) := e),f,d) = 23 | (Skip, (%t. if t = d then f(t)@[%y i. if y=x & i=B then evalE(last(f(t)),e) else last(f(t))(y,i)] else f(t)), d)" 24 | 25 | (*disj p F represents that p does not contain variable of F.*) 26 | consts disj :: "fform => fform => bool" 27 | 28 | (*Zouliang: revise the first rule continueY same as continue.*) 29 | (*operation semantics for continue*) 30 | axiomatization where 31 | continue : "(ievalF(f',high(F[&]b),d,d') 32 | & ievalF(f', Rg, d, d') 33 | & evalF(last(f'(d')), ([~]b)) 34 | & (ALL p. disj(p,F) --> ievalF(f',high p,d,d') & evalF(last(f'(d')),p)) ) 35 | == evalP (( : Rg), f, d) = (Skip, f', d')" 36 | 37 | (*operation semantics for sequential*) 38 | axiomatization where 39 | sequence : "(evalP (P, f, d) = (Skip, f', d') & evalP (Q, f', d') = (Skip, F, D)) 40 | == (evalP ((P;mid;Q),f,d) = (Skip,F,D))" 41 | 42 | (*operation semantics for condition*) 43 | axiomatization where 44 | conditionT : "evalF(last(f(d)), be) 45 | ==> (evalP(P, f, d) = (Skip,f',d') == evalP ((IF be P), f, d) = (Skip,f',d'))" and 46 | conditionF : "(~ evalF(last(f(d)), be)) 47 | ==> (evalP ((IF be P), f, d) = (Skip,f,d))" 48 | 49 | (*operation semantics for nondeterminitic*) 50 | axiomatization where 51 | nondeterR : "(ALL v. evalF(last(f(d)), ((%x. b)(v))) & 52 | (evalP (P, f, d) = (Skip, f', d'))) 53 | == evalP ((NON R x : b P),f,d) = (Skip,f',d')" and 54 | nondeterS : "(ALL v. evalF(last(f(d)), ((%x. b)(v))) & 55 | (evalP (P, f, d) = (Skip, f', d'))) 56 | == evalP ((NON S x : b P),f,d) = (Skip,f',d')" and 57 | nondeterB : "(ALL v. evalF(last(f(d)), ((%x. b)(v))) & 58 | (evalP (P, f, d) = (Skip, f', d'))) 59 | == evalP ((NON B x : b P),f,d) = (Skip,f',d')" 60 | 61 | (*operation semantics for communication*) 62 | (*It is valid only when there are no communications occurring in P and Q.*) 63 | axiomatization where 64 | communicationR : "evalPP(Px||Py,f,g,d) = (Skip,F,G,Da,Db) 65 | == evalPP(((Px;m;ch!!e) || (Py;M;ch??(RVar(x)))),f,g,d) = (Skip, 66 | (if DaDa & t<=Db then [last(F(Da))] else F(t)) else F), 67 | (if Da>Db then 68 | (%t. if t=Da then last(G(Db))#[%y i. if y=x & i=R then evalE(last(G(Db)),e) 69 | else last(G(Db))(y,i)] 70 | else (if tDb then [last(G(Db))] else G(t))) 71 | else 72 | (%t. if t=Db then G(Db)@[%y i. if y=x & i=R then evalE(last(G(Db)),e) 73 | else last(G(Db))(y,i)] 74 | else G(t))) 75 | ,if Da>Db then Da else Db,if Da>Db then Da else Db)" and 76 | communicationS : "evalPP(Px||Py,f,g,d) = (Skip,F,G,Da,Db) 77 | == evalPP(((Px;m;ch!!e) || (Py;M;ch??(SVar(x)))),f,g,d) = (Skip, 78 | (if DaDa & t<=Db then [last(F(Da))] else F(t)) else F), 79 | (if Da>Db then 80 | (%t. if t=Da then last(G(Db))#[%y i. if y=x & i=S then evalE(last(G(Db)),e) 81 | else last(G(Db))(y,i)] 82 | else (if tDb then [last(G(Db))] else G(t))) 83 | else 84 | (%t. if t=Db then G(Db)@[%y i. if y=x & i=S then evalE(last(G(Db)),e) 85 | else last(G(Db))(y,i)] 86 | else G(t))) 87 | ,if Da>Db then Da else Db,if Da>Db then Da else Db)" and 88 | communicationB : "evalPP(Px||Py,f,g,d) = (Skip,F,G,Da,Db) 89 | == evalPP(((Px;m;ch!!e) || (Py;M;ch??(BVar(x)))),f,g,d) = (Skip, 90 | (if DaDa & t<=Db then [last(F(Da))] else F(t)) else F), 91 | (if Da>Db then 92 | (%t. if t=Da then last(G(Db))#[%y i. if y=x & i=B then evalE(last(G(Db)),e) 93 | else last(G(Db))(y,i)] 94 | else (if tDb then [last(G(Db))] else G(t))) 95 | else 96 | (%t. if t=Db then G(Db)@[%y i. if y=x & i=B then evalE(last(G(Db)),e) 97 | else last(G(Db))(y,i)] 98 | else G(t))) 99 | ,if Da>Db then Da else Db,if Da>Db then Da else Db)" 100 | 101 | (*operation semantics for parallel*) 102 | (*It is valid only when there are no communications occurring in P2 and Q2.*) 103 | axiomatization where 104 | parallelN1 : "evalP (P,f,d) = (Skip,f',d') & evalP (Q,g,d) = (Skip,g',d'') 105 | == evalPP((P||Q),f,g,d) = (Skip,f',g',d',d'')" and 106 | parallelN2 : "evalPP ((Px||Py),f,g,d) = (Skip,f'',g'',d'',D'') & evalP(Qx,f'',d'') = (Skip,f',d') & 107 | evalP (Qy,g'',D'') = (Skip,g',D') & 108 | (ievalF(f'',H,d,d'') --> ievalF(f',H,d,d'')) & 109 | (ievalF(g'',G,d,D'') --> ievalF(g',G,d,D'')) 110 | == evalPP(((Px;m;Qx)||(Py;M;Qy)),f,g,d) = 111 | (Skip,f',g',d',D')" 112 | 113 | (*operation semantics for repetition*) 114 | axiomatization where 115 | repetition : "(evalP(P*, f, d) = (Skip, f', d')) 116 | == EX n::nat. ALL k::nat. (f=F(0) & d=D(0) & f'=F(n) & d'=D(n) & 117 | (k evalP(P,F(k),D(k)) = (Skip, F(k+1), D(k+1)) & 118 | (ievalF(F(k),H,D(0),D(k)) --> ievalF(F(k+1),H,D(0),D(k)))))" 119 | 120 | end -------------------------------------------------------------------------------- /main/controlVarDef.thy: -------------------------------------------------------------------------------- 1 | theory controlVarDef 2 | imports "assertionDef" 3 | begin 4 | 5 | (*Define channel names.*) 6 | definition BC_1 :: cname where 7 | "BC_1 == ''BC_1''" 8 | definition BR_1 :: cname where 9 | "BR_1 == ''BR_1''" 10 | definition BO_1 :: cname where 11 | "BO_1 == ''BO_1''" 12 | definition VO1 :: cname where 13 | "VO1 == ''VO1''" 14 | definition VI1 :: cname where 15 | "VI1 == ''VI1''" 16 | definition vBO1 :: exp where 17 | "vBO1 == SVar ''vBO1''" 18 | definition BC_2 :: cname where 19 | "BC_2 == ''BC_2''" 20 | definition BR_2 :: cname where 21 | "BR_2 == ''BR_2''" 22 | definition BO_2 :: cname where 23 | "BO_2 == ''BO_2''" 24 | definition VO2 :: cname where 25 | "VO2 == ''VO2''" 26 | definition VI2 :: cname where 27 | "VI2 == ''VI2''" 28 | definition vBO2 :: exp where 29 | "vBO2 == SVar ''vBO2''" 30 | definition BC_3 :: cname where 31 | "BC_3 == ''BC_3''" 32 | definition BR_3 :: cname where 33 | "BR_3 == ''BR_3''" 34 | definition BO_3 :: cname where 35 | "BO_3 == ''BO_3''" 36 | definition VO3 :: cname where 37 | "VO3 == ''VO3''" 38 | definition VI3 :: cname where 39 | "VI3 == ''VI3''" 40 | definition vBO3 :: exp where 41 | "vBO3 == SVar ''vBO3''" 42 | definition BC_4 :: cname where 43 | "BC_4 == ''BC_4''" 44 | definition BR_4 :: cname where 45 | "BR_4 == ''BR_4''" 46 | definition BO_4 :: cname where 47 | "BO_4 == ''BO_4''" 48 | definition VO4 :: cname where 49 | "VO4 == ''VO4''" 50 | definition VI4 :: cname where 51 | "VI4 == ''VI4''" 52 | definition vBO4 :: exp where 53 | "vBO4 == SVar ''vBO4''" 54 | definition Ch_control_1 :: cname where 55 | "Ch_control_1 == ''Ch_control_1''" 56 | 57 | (*Define event variables assistent.*) 58 | consts eL :: "exp list" 59 | consts nL :: "exp list" 60 | (*Define event variables.*) 61 | definition E1 :: exp where 62 | "E1 == SVar ''E1''" 63 | definition done1 :: exp where 64 | "done1 == RVar ''done1''" 65 | definition E2 :: exp where 66 | "E2 == SVar ''E2''" 67 | definition done2 :: exp where 68 | "done2 == RVar ''done2''" 69 | definition E3 :: exp where 70 | "E3 == SVar ''E3''" 71 | definition done3 :: exp where 72 | "done3 == RVar ''done3''" 73 | definition E4 :: exp where 74 | "E4 == SVar ''E4''" 75 | definition done4 :: exp where 76 | "done4 == RVar ''done4''" 77 | definition E :: exp where 78 | "E == SVar ''E''" 79 | definition num :: exp where 80 | "num == RVar ''num''" 81 | definition EL :: exp where 82 | "EL == List eL" 83 | definition NL :: exp where 84 | "NL == List nL" 85 | (*Define local and sending variables.*) 86 | definition sfTemp1 :: exp where 87 | "sfTemp1 == RVar ''sfTemp1''" 88 | definition s :: exp where 89 | "s == RVar ''s''" 90 | definition v :: exp where 91 | "v == RVar ''v''" 92 | definition a :: exp where 93 | "a == RVar ''a''" 94 | definition CONFR :: exp where 95 | "CONFR == RVar ''CONFR''" 96 | definition MAA2 :: exp where 97 | "MAA2 == RVar ''MAA2''" 98 | definition MAA2c :: exp where 99 | "MAA2c == RVar ''MAA2c''" 100 | definition MAA3 :: exp where 101 | "MAA3 == RVar ''MAA3''" 102 | definition MAA3c :: exp where 103 | "MAA3c == RVar ''MAA3c''" 104 | definition LU :: exp where 105 | "LU == RVar ''LU''" 106 | definition LUA :: exp where 107 | "LUA == RVar ''LUA''" 108 | definition CONF :: exp where 109 | "CONF == RVar ''CONF''" 110 | definition C_b :: exp where 111 | "C_b == RVar ''C_b''" 112 | definition C_A :: exp where 113 | "C_A == RVar ''C_A''" 114 | definition C_a :: exp where 115 | "C_a == RVar ''C_a''" 116 | definition vr2 :: exp where 117 | "vr2 == RVar ''vr2''" 118 | definition vr1 :: exp where 119 | "vr1 == RVar ''vr1''" 120 | definition v332 :: exp where 121 | "v332 == RVar ''v332''" 122 | definition v331 :: exp where 123 | "v331 == RVar ''v331''" 124 | definition v322 :: exp where 125 | "v322 == RVar ''v322''" 126 | definition v321 :: exp where 127 | "v321 == RVar ''v321''" 128 | definition v312 :: exp where 129 | "v312 == RVar ''v312''" 130 | definition v311 :: exp where 131 | "v311 == RVar ''v311''" 132 | definition v232 :: exp where 133 | "v232 == RVar ''v232''" 134 | definition v231 :: exp where 135 | "v231 == RVar ''v231''" 136 | definition v222 :: exp where 137 | "v222 == RVar ''v222''" 138 | definition v221 :: exp where 139 | "v221 == RVar ''v221''" 140 | definition v212 :: exp where 141 | "v212 == RVar ''v212''" 142 | definition v211 :: exp where 143 | "v211 == RVar ''v211''" 144 | definition e33 :: exp where 145 | "e33 == RVar ''e33''" 146 | definition e32 :: exp where 147 | "e32 == RVar ''e32''" 148 | definition e31 :: exp where 149 | "e31 == RVar ''e31''" 150 | definition e23 :: exp where 151 | "e23 == RVar ''e23''" 152 | definition e22 :: exp where 153 | "e22 == RVar ''e22''" 154 | definition e21 :: exp where 155 | "e21 == RVar ''e21''" 156 | definition mode33 :: exp where 157 | "mode33 == RVar ''mode33''" 158 | definition mode32 :: exp where 159 | "mode32 == RVar ''mode32''" 160 | definition mode31 :: exp where 161 | "mode31 == RVar ''mode31''" 162 | definition mode23 :: exp where 163 | "mode23 == RVar ''mode23''" 164 | definition mode22 :: exp where 165 | "mode22 == RVar ''mode22''" 166 | definition mode21 :: exp where 167 | "mode21 == RVar ''mode21''" 168 | definition mode3 :: exp where 169 | "mode3 == RVar ''mode3''" 170 | definition mode2 :: exp where 171 | "mode2 == RVar ''mode2''" 172 | definition i :: exp where 173 | "i == RVar ''i''" 174 | definition fv :: exp where 175 | "fv == RVar ''fv''" 176 | definition x2 :: exp where 177 | "x2 == RVar ''x2''" 178 | definition x1 :: exp where 179 | "x1 == RVar ''x1''" 180 | definition T :: exp where 181 | "T == RVar ''T''" 182 | definition actl3 :: exp where 183 | "actl3 == RVar ''actl3''" 184 | definition actRBC :: exp where 185 | "actRBC == RVar ''actRBC''" 186 | definition actl2a :: exp where 187 | "actl2a == RVar ''actl2a''" 188 | definition actTCC :: exp where 189 | "actTCC == RVar ''actTCC''" 190 | definition actTrain :: exp where 191 | "actTrain == RVar ''actTrain''" 192 | definition actl2 :: exp where 193 | "actl2 == RVar ''actl2''" 194 | definition actDriver :: exp where 195 | "actDriver == RVar ''actDriver''" 196 | (*Define input variables.*) 197 | definition s1 :: exp where 198 | "s1 == RVar ''s1''" 199 | definition s2 :: exp where 200 | "s2 == RVar ''s2''" 201 | definition s3 :: exp where 202 | "s3 == RVar ''s3''" 203 | definition s4 :: exp where 204 | "s4 == RVar ''s4''" 205 | definition v1 :: exp where 206 | "v1 == RVar ''v1''" 207 | definition v2 :: exp where 208 | "v2 == RVar ''v2''" 209 | definition v3 :: exp where 210 | "v3 == RVar ''v3''" 211 | definition v4 :: exp where 212 | "v4 == RVar ''v4''" 213 | (*Define output variables.*) 214 | definition a1 :: exp where 215 | "a1 == RVar ''a1''" 216 | definition a2 :: exp where 217 | "a2 == RVar ''a2''" 218 | definition a3 :: exp where 219 | "a3 == RVar ''a3''" 220 | definition a4 :: exp where 221 | "a4 == RVar ''a4''" 222 | (*Define local variables.*) 223 | 224 | end 225 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/Dprover.ML: -------------------------------------------------------------------------------- 1 | (* Title: Sequents/prover.ML 2 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory 3 | Copyright 1992 University of Cambridge 4 | 5 | Simple classical reasoner for the sequent calculus, based on "theorem packs". 6 | *) 7 | 8 | 9 | (*Higher precedence than := facilitates use of references*) 10 | infix 4 add_safes add_unsafes; 11 | 12 | structure Cla = 13 | struct 14 | 15 | datatype pack = Pack of thm list * thm list; 16 | 17 | val trace = Unsynchronized.ref false; 18 | 19 | (*A theorem pack has the form (safe rules, unsafe rules) 20 | An unsafe rule is incomplete or introduces variables in subgoals, 21 | and is tried only when the safe rules are not applicable. *) 22 | 23 | fun less (rl1,rl2) = (nprems_of rl1) < (nprems_of rl2); 24 | 25 | val empty_pack = Pack([],[]); 26 | 27 | fun warn_duplicates [] = [] 28 | | warn_duplicates dups = 29 | (warning (cat_lines ("Ignoring duplicate theorems:" :: 30 | map Display.string_of_thm_without_context dups)); 31 | dups); 32 | 33 | fun (Pack(safes,unsafes)) add_safes ths = 34 | let val dups = warn_duplicates (inter Thm.eq_thm_prop ths safes) 35 | val ths' = subtract Thm.eq_thm_prop dups ths 36 | in 37 | Pack(sort (make_ord less) (ths'@safes), unsafes) 38 | end; 39 | 40 | fun (Pack(safes,unsafes)) add_unsafes ths = 41 | let val dups = warn_duplicates (inter Thm.eq_thm_prop unsafes ths) 42 | val ths' = subtract Thm.eq_thm_prop dups ths 43 | in 44 | Pack(safes, sort (make_ord less) (ths'@unsafes)) 45 | end; 46 | 47 | fun merge_pack (Pack(safes,unsafes), Pack(safes',unsafes')) = 48 | Pack(sort (make_ord less) (safes@safes'), 49 | sort (make_ord less) (unsafes@unsafes')); 50 | 51 | 52 | fun print_pack (Pack(safes,unsafes)) = 53 | writeln (cat_lines 54 | (["Safe rules:"] @ map Display.string_of_thm_without_context safes @ 55 | ["Unsafe rules:"] @ map Display.string_of_thm_without_context unsafes)); 56 | 57 | (*Returns the list of all formulas in the sequent*) 58 | fun forms_of_seq (Const(@{const_name "SeqO'"},_) $ P $ u) = P :: forms_of_seq u 59 | | forms_of_seq (H $ u) = forms_of_seq u 60 | | forms_of_seq _ = []; 61 | 62 | (*Tests whether two sequences (left or right sides) could be resolved. 63 | seqp is a premise (subgoal), seqc is a conclusion of an object-rule. 64 | Assumes each formula in seqc is surrounded by sequence variables 65 | -- checks that each concl formula looks like some subgoal formula. 66 | It SHOULD check order as well, using recursion rather than forall/exists*) 67 | fun could_res (seqp,seqc) = 68 | forall (fn Qc => exists (fn Qp => Term.could_unify (Qp,Qc)) 69 | (forms_of_seq seqp)) 70 | (forms_of_seq seqc); 71 | 72 | 73 | (*Tests whether two sequents or pairs of sequents could be resolved*) 74 | fun could_resolve_seq (prem,conc) = 75 | case (prem,conc) of 76 | (_ $ Abs(_,_,leftp) $ Abs(_,_,rightp), 77 | _ $ Abs(_,_,leftc) $ Abs(_,_,rightc)) => 78 | could_res (leftp,leftc) andalso could_res (rightp,rightc) 79 | | (_ $ Abs(_,_,leftp) $ rightp, 80 | _ $ Abs(_,_,leftc) $ rightc) => 81 | could_res (leftp,leftc) andalso Term.could_unify (rightp,rightc) 82 | | _ => false; 83 | 84 | 85 | (*Like filt_resolve_tac, using could_resolve_seq 86 | Much faster than resolve_tac when there are many rules. 87 | Resolve subgoal i using the rules, unless more than maxr are compatible. *) 88 | fun filseq_resolve_tac rules maxr = SUBGOAL(fn (prem,i) => 89 | let val rls = filter_thms could_resolve_seq (maxr+1, prem, rules) 90 | in if length rls > maxr then no_tac 91 | else (*((rtac derelict 1 THEN rtac impl 1 92 | THEN (rtac identity 2 ORELSE rtac ll_mp 2) 93 | THEN rtac context1 1) 94 | ORELSE *) resolve_tac rls i 95 | end); 96 | 97 | 98 | (*Predicate: does the rule have n premises? *) 99 | fun has_prems n rule = (nprems_of rule = n); 100 | 101 | (*Continuation-style tactical for resolution. 102 | The list of rules is partitioned into 0, 1, 2 premises. 103 | The resulting tactic, gtac, tries to resolve with rules. 104 | If successful, it recursively applies nextac to the new subgoals only. 105 | Else fails. (Treatment of goals due to Ph. de Groote) 106 | Bind (RESOLVE_THEN rules) to a variable: it preprocesses the rules. *) 107 | 108 | (*Takes rule lists separated in to 0, 1, 2, >2 premises. 109 | The abstraction over state prevents needless divergence in recursion. 110 | The 9999 should be a parameter, to delay treatment of flexible goals. *) 111 | 112 | fun RESOLVE_THEN rules = 113 | let val [rls0,rls1,rls2] = partition_list has_prems 0 2 rules; 114 | fun tac nextac i state = state |> 115 | (filseq_resolve_tac rls0 9999 i 116 | ORELSE 117 | (DETERM(filseq_resolve_tac rls1 9999 i) THEN TRY(nextac i)) 118 | ORELSE 119 | (DETERM(filseq_resolve_tac rls2 9999 i) THEN TRY(nextac(i+1)) 120 | THEN TRY(nextac i))) 121 | in tac end; 122 | 123 | 124 | 125 | (*repeated resolution applied to the designated goal*) 126 | fun reresolve_tac rules = 127 | let val restac = RESOLVE_THEN rules; (*preprocessing done now*) 128 | fun gtac i = restac gtac i 129 | in gtac end; 130 | 131 | (*tries the safe rules repeatedly before the unsafe rules. *) 132 | fun repeat_goal_tac (Pack(safes,unsafes)) = 133 | let val restac = RESOLVE_THEN safes 134 | and lastrestac = RESOLVE_THEN unsafes; 135 | fun gtac i = restac gtac i 136 | ORELSE (if !trace then 137 | (print_tac "" THEN lastrestac gtac i) 138 | else lastrestac gtac i) 139 | in gtac end; 140 | 141 | 142 | (*Tries safe rules only*) 143 | fun safe_tac (Pack(safes,unsafes)) = reresolve_tac safes; 144 | 145 | val safe_goal_tac = safe_tac; (*backwards compatibility*) 146 | 147 | (*Tries a safe rule or else a unsafe rule. Single-step for tracing. *) 148 | fun step_tac (pack as Pack(safes,unsafes)) = 149 | safe_tac pack ORELSE' 150 | filseq_resolve_tac unsafes 9999; 151 | 152 | 153 | (* Tactic for reducing a goal, using Predicate Calculus rules. 154 | A decision procedure for Propositional Calculus, it is incomplete 155 | for Predicate-Calculus because of allL_thin and exR_thin. 156 | Fails if it can do nothing. *) 157 | fun pc_tac pack = SELECT_GOAL (DEPTH_SOLVE (repeat_goal_tac pack 1)); 158 | 159 | 160 | (*The following two tactics are analogous to those provided by 161 | Provers/classical. In fact, pc_tac is usually FASTER than fast_tac!*) 162 | fun fast_tac pack = 163 | SELECT_GOAL (DEPTH_SOLVE (step_tac pack 1)); 164 | 165 | fun best_tac pack = 166 | SELECT_GOAL (BEST_FIRST (has_fewer_prems 1, size_of_thm) 167 | (step_tac pack 1)); 168 | 169 | end; 170 | 171 | 172 | open Cla; 173 | -------------------------------------------------------------------------------- /HHLProver/HCSP_Com.thy: -------------------------------------------------------------------------------- 1 | 2 | header {* Abstract syntax for Hybrid CSP. *} 3 | 4 | theory HCSP_Com 5 | imports Main 6 | "DCSequents/DCSequent" 7 | begin 8 | 9 | 10 | 11 | type_synonym cname = string 12 | type_synonym time = real 13 | type_synonym bexp = fform 14 | type_synonym Inv = fform 15 | type_synonym Rg = fform 16 | type_synonym mid = "fform * fform" 17 | 18 | datatype typeid = R | S | B 19 | 20 | datatype proc 21 | = "Skip" 22 | | "Stop" 23 | | Ass "exp" "exp" ("_ := _" [99, 95] 94) 24 | | Send "cname" "exp" ("_!!_" [110,108] 100) 25 | | Receive "cname" "exp" ("_??_" [110,108] 100) 26 | | Seq "proc" "mid" " proc" ("_; _ ; _" [91,90 ] 90) 27 | | Cond "bexp" "proc" ("IF _ _" [95,94]93) 28 | | Nondeter "typeid" "string" "bexp" "proc" ("NON _ _ : _ _" [95,94]93) 29 | | Pref "proc" "proc" ("_\_" [95,94]93) 30 | | join "proc" "proc" (infixr "[[" 90) 31 | | meet "proc" "proc" ("_<<_" [90,90] 90) 32 | | Par "proc" "proc" (infixr "||" 89) 33 | | Rep "proc" ("_*"[91] 90) 34 | | RepA "proc" ("_***"[91] 90) 35 | | RepN "proc" "nat" ("_**_"[91,92] 90) 36 | | Cont "Inv" "bexp" "Rg" ("<_&&_> : _" [95,96]94) 37 | | TimeOut "proc" "time" "proc" ("_|>_ _" [95,96,94]94) 38 | | Interp "proc" "proc" ("_[[>_"[95,94]94) 39 | | empty "exp" ("empty _" 94) 40 | | addL "exp" "exp" ("addL _ _" 94) 41 | | delL "exp" ("delL _" 94) 42 | 43 | definition isEmpty :: "exp => fform" where 44 | "isEmpty(e1) == (case e1 of 45 | (List ls) => (case ls of [] => WTrue | _ => WFalse) | 46 | _ => WFalse)" 47 | 48 | definition readL :: "exp => exp" where 49 | "readL(e1) == (case e1 of 50 | (List ls) => hd(ls) | 51 | _ => (Real 0))" 52 | 53 | type_synonym pair = "exp * exp" 54 | 55 | 56 | primrec map :: "pair list => exp => exp" where 57 | "map ([]) (a) = a" | 58 | "map (x#xs) (a) = (if (fst (x) = a) then (snd (x)) else (map (xs) (a)))" 59 | 60 | 61 | lemma "map ([(RVar ''x'', Real 2), (RVar ''y'', RVar z)], RVar ''x'') = (Real 2)" 62 | apply (induct, auto) 63 | done 64 | 65 | lemma fact1 : "map ([(RVar ''x'', Real 2), (RVar ''y'', RVar z)]) (RVar ''z'') = RVar ''z''" 66 | apply (induct, auto) 67 | done 68 | 69 | (*Expression substitution: "map" records the substitution mapping.*) 70 | primrec substE :: "pair list => exp => exp" where 71 | "substE (mp, (RVar x)) = map (mp, (RVar x))" | 72 | "substE (mp, (SVar x)) = map (mp, (SVar x))" | 73 | "substE (mp, (BVar x)) = map (mp, (BVar x))" | 74 | "substE (mp, (List x)) = List x" | 75 | "substE (mp, (Real m)) = map (mp, (Real m))" | 76 | "substE (mp, (Bool b)) = map (mp, (Bool b))" | 77 | "substE (mp, (String s)) = map (mp, (String s))" | 78 | "substE (mp, (e1 [+] e2)) = substE (mp, e1) [+] substE (mp, e2)" | 79 | "substE (mp, (e1 [-] e2)) = substE (mp, e1) [-] substE (mp, e2)"| 80 | "substE (mp, (e1 [*] e2)) = substE (mp, e1) [*] substE (mp, e2)"| 81 | "substE (mp, (e1 [**] e2)) = substE (mp, e1) [**] substE (mp, e2)" 82 | 83 | lemma "(% x. x [+] x = RVar ''z'' [+] RVar ''z'') (RVar ''z'')" 84 | apply auto 85 | done 86 | 87 | lemma "substE ([(RVar ''x'', Real 1), (RVar ''y'', RVar ''z'')], (RVar ''y'' [+] RVar ''z'')) 88 | = RVar ''z'' [+] RVar ''z''" 89 | apply (induct, auto) 90 | done 91 | 92 | 93 | (*Tip: for theory built on Pure, application is written by f(x) rather than f x as usual. *) 94 | 95 | primrec lVarE :: "pair list => string => pair list" where 96 | "lVarE ([],s) = []" | 97 | "lVarE (x#xs,s) = (if (fst (x) = (RVar s)) then xs else x#lVarE(xs, s))" 98 | 99 | primrec inExp :: "string => exp => bool" where 100 | "inExp (s, (RVar x)) = (s=x)" | 101 | "inExp (s, (SVar x)) = (s=x)" | 102 | "inExp (s, (BVar x)) = (s=x)" | 103 | "inExp (s, (Real m)) = (False)" | 104 | "inExp (s, (Bool b)) = (False)" | 105 | "inExp (s, (String r)) = (False)" | 106 | "inExp (s, (e1 [+] e2)) = (inExp (s, e1) | inExp (s, e2))" | 107 | "inExp (s, (e1 [-] e2)) = (inExp (s, e1) | inExp (s, e2))"| 108 | "inExp (s, (e1 [*] e2)) = (inExp (s, e1) | inExp (s, e2))" 109 | 110 | primrec inPairL :: "pair list => string => bool" where 111 | "inPairL ([],s) = False" | 112 | "inPairL (x#xs,s) = (if (inExp (s, fst (x))) then True else inPairL(xs, s))" 113 | 114 | primrec inPairR :: "pair list => string => bool" where 115 | "inPairR ([],s) = False" | 116 | "inPairR (x#xs,s) = (if (inExp (s, snd (x))) then True else inPairR(xs, s))" 117 | 118 | (*Check if the quantifiers of a formula occur in mp*) 119 | primrec inPairForm :: "pair list => fform => bool" where 120 | "inPairForm (mp) (WTrue) = False" | 121 | "inPairForm (mp) (WFalse) = False" | 122 | "inPairForm (mp) (e1 [=] e2) =False" | 123 | "inPairForm (mp) (e1 [<] e2) = False" | 124 | "inPairForm (mp) (e1 [>] e2) =False" | 125 | "inPairForm (mp) ([~]p) = (inPairForm (mp) (p))" | 126 | "inPairForm (mp) (p [&] q) = ((inPairForm (mp) (p)) | (inPairForm (mp) (q)))" | 127 | "inPairForm (mp) (p [|] q) = ((inPairForm (mp) (p)) | (inPairForm (mp) (q)))" | 128 | "inPairForm (mp) (p [-->] q) = ((inPairForm (mp) (p)) | (inPairForm (mp) (q)))" | 129 | "inPairForm (mp) (p [<->] q) = ((inPairForm (mp) (p)) | (inPairForm (mp) (q)))" | 130 | "inPairForm (mp) (WALL i p) = (inPairL (mp, i) | inPairR (mp, i) | inPairForm (mp)(p))" | 131 | "inPairForm (mp) (WEX i p) = (inPairL (mp, i) | inPairR (mp, i) | inPairForm (mp)(p))" 132 | 133 | (*Formula sustitution.*) 134 | primrec substF :: "pair list => fform => fform" where 135 | "substF (mp) (WTrue) = WTrue" | 136 | "substF (mp) (WFalse) = WFalse" | 137 | "substF (mp) (e1 [=] e2) = ((substE (mp, e1)) [=] (substE (mp, e2)))" | 138 | "substF (mp) (e1 [<] e2) = ((substE (mp, e1)) [<] (substE (mp, e2)))" | 139 | "substF (mp) (e1 [>] e2) = (substE (mp, e1) [>] substE (mp, e2))" | 140 | "substF (mp) ([~]p) = ([~](substF (mp) (p)))" | 141 | "substF (mp) (p [&] q) = ((substF (mp) (p)) [&] (substF (mp) (q)))" | 142 | "substF (mp) (p [|] q) = ((substF (mp) (p)) [|] (substF (mp) (q)))" | 143 | "substF (mp) (p [-->] q) = ((substF (mp) (p)) [-->] (substF (mp) (q)))" | 144 | "substF (mp) (p [<->] q) = ((substF (mp) (p)) [<->] (substF (mp) (q)))" | 145 | "substF (mp) (WALL i p) = (if ((~inPairL (mp, i)) & (~inPairR (mp, i))) then (WALL i (substF (mp)(p))) 146 | else WFalse)" | 147 | "substF (mp) (WEX i p) = (if ((~inPairL (mp, i)) & (~inPairR (mp, i))) then (WEX i (substF (mp)(p))) 148 | else WFalse)" 149 | 150 | lemma allEX : "substF([(RVar ''x'', RVar ''m''), (RVar ''y'', RVar ''z'')], 151 | ((RVar ''x'')[=]Real 2) [&] (WALL ''w'' ((RVar ''w'') [>] (RVar ''z'')))) 152 | = (((RVar ''m'')[=]Real 2) [&] (WALL ''w'' ((RVar ''w'') [>] (RVar ''z''))))" 153 | apply auto 154 | done 155 | 156 | 157 | lemma fact : "substF ([(RVar ''x'', Real 2), (RVar ''y'', RVar ''z'')]) (RVar ''x'' [>] Real 1) = (Real 2 [>] Real 1)" 158 | apply (induct, auto) 159 | done 160 | 161 | 162 | end 163 | 164 | 165 | 166 | 167 | -------------------------------------------------------------------------------- /HHLProver/DCSequents/DLK0.thy: -------------------------------------------------------------------------------- 1 | (* I borrow the implementation by 2 | [Title: Sequents/LK0.thy 3 | Author: Lawrence C Paulson, Cambridge University Computer Laboratory 4 | Copyright 1993 University of Cambridge] 5 | 6 | But make a modification to adapt to our application. 7 | *) 8 | 9 | header {* Classical First-Order Sequent Calculus *} 10 | 11 | theory DLK0 12 | imports DSequents 13 | begin 14 | 15 | consts Trueprop :: "two_seqi" 16 | 17 | syntax 18 | "_Trueprop" :: "two_seqe" ("((_)/ |- (_))" [6,6] 5) 19 | 20 | parse_translation {* [(@{syntax_const "_Trueprop"}, two_seq_tr @{const_syntax Trueprop})] *} 21 | print_translation {* [(@{const_syntax Trueprop}, two_seq_tr' @{syntax_const "_Trueprop"})] *} 22 | 23 | 24 | axioms 25 | 26 | (*Structural rules: contraction, thinning, exchange [Soren Heilmann] *) 27 | 28 | contRS: "$H |- $E, $S, $S, $F ==> $H |- $E, $S, $F" 29 | contLS: "$H, $S, $S, $G |- $E ==> $H, $S, $G |- $E" 30 | 31 | thinRS: "$H |- $E, $F ==> $H |- $E, $S, $F" 32 | thinLS: "$H, $G |- $E ==> $H, $S, $G |- $E" 33 | 34 | exchRS: "$H |- $E, $R, $S, $F ==> $H |- $E, $S, $R, $F" 35 | exchLS: "$H, $R, $S, $G |- $E ==> $H, $S, $R, $G |- $E" 36 | 37 | cut: "[| $H |- $E, P; $H, P |- $E |] ==> $H |- $E" 38 | 39 | axioms 40 | (*Propositional rules*) 41 | 42 | basic: "$H, P, $G |- $E, P, $F" 43 | 44 | conjR: "[| $H|- $E, P, $F; $H|- $E, Q, $F |] ==> $H|- $E, P [&] Q, $F" 45 | conjL: "$H, P, Q, $G |- $E ==> $H, P [&] Q, $G |- $E" 46 | 47 | disjR: "$H |- $E, P, Q, $F ==> $H |- $E, P [|] Q, $F" 48 | disjL: "[| $H, P, $G |- $E; $H, Q, $G |- $E |] ==> $H, P [|] Q, $G |- $E" 49 | 50 | impR: "$H, P |- $E, Q, $F ==> $H |- $E, P [-->] Q, $F" 51 | impL: "[| $H,$G |- $E,P; $H, Q, $G |- $E |] ==> $H, P [-->] Q, $G |- $E" 52 | 53 | notR: "$H, P |- $E, $F ==> $H |- $E, [~] P, $F" 54 | notL: "$H, $G |- $E, P ==> $H, [~] P, $G |- $E" 55 | 56 | FalseL: "$H, WFalse, $G |- $E" 57 | 58 | True_def: "WTrue == WFalse [-->] WFalse" 59 | iff_def: "P [<->] Q == (P [-->] Q) [&] (Q [-->] P)" 60 | 61 | axioms 62 | (*Quantifiers*) 63 | 64 | allR: "(!!x.$H |- $E, P(x), $F) ==> $H |- $E, WALL x P(x), $F" 65 | allL: "$H, P(x), $G, WALL x P(x) |- $E ==> $H, WALL x P(x), $G |- $E" 66 | 67 | exR: "$H |- $E, P(x), $F, WEX x P(x) ==> $H |- $E, WEX x P(x), $F" 68 | exL: "(!!x.$H, P(x), $G |- $E) ==> $H, WEX x P(x), $G |- $E" 69 | 70 | axioms 71 | (*Equality*) 72 | 73 | refl: "$H |- $E, a [=] a, $F" 74 | subst: "$H(a), $G(a) |- $E(a) ==> $H(b), a [=] b, $G(b) |- $E(b)" 75 | 76 | (* Reflection *) 77 | 78 | eq_reflection: "|- x [=] y ==> (x==y)" 79 | iff_reflection: "|- P [<->] Q ==> (P==Q)" 80 | 81 | 82 | (** Structural Rules on formulas **) 83 | 84 | (*contraction*) 85 | 86 | lemma contR: "$H |- $E, P, P, $F ==> $H |- $E, P, $F" 87 | by (rule contRS) 88 | 89 | lemma contL: "$H, P, P, $G |- $E ==> $H, P, $G |- $E" 90 | by (rule contLS) 91 | 92 | (*thinning*) 93 | 94 | lemma thinR: "$H |- $E, $F ==> $H |- $E, P, $F" 95 | by (rule thinRS) 96 | 97 | lemma thinL: "$H, $G |- $E ==> $H, P, $G |- $E" 98 | by (rule thinLS) 99 | 100 | (*exchange*) 101 | 102 | lemma exchR: "$H |- $E, Q, P, $F ==> $H |- $E, P, Q, $F" 103 | by (rule exchRS) 104 | 105 | lemma exchL: "$H, Q, P, $G |- $E ==> $H, P, Q, $G |- $E" 106 | by (rule exchLS) 107 | 108 | ML {* 109 | (*Cut and thin, replacing the right-side formula*) 110 | fun cutR_tac ctxt s i = 111 | res_inst_tac ctxt [(("P", 0), s) ] @{thm cut} i THEN rtac @{thm thinR} i 112 | 113 | (*Cut and thin, replacing the left-side formula*) 114 | fun cutL_tac ctxt s i = 115 | res_inst_tac ctxt [(("P", 0), s)] @{thm cut} i THEN rtac @{thm thinL} (i+1) 116 | *} 117 | 118 | 119 | (** If-and-only-if rules **) 120 | lemma iffR: 121 | "[| $H,P |- $E,Q,$F; $H,Q |- $E,P,$F |] ==> $H |- $E, P [<->] Q, $F" 122 | apply (unfold iff_def) 123 | apply (assumption | rule conjR impR)+ 124 | done 125 | 126 | lemma iffL: 127 | "[| $H,$G |- $E,P,Q; $H,Q,P,$G |- $E |] ==> $H, P [<->] Q, $G |- $E" 128 | apply (unfold iff_def) 129 | apply (assumption | rule conjL impL basic)+ 130 | done 131 | 132 | lemma iff_refl: "$H |- $E, (P [<->] P), $F" 133 | apply (rule iffR basic)+ 134 | done 135 | 136 | lemma TrueR: "$H |- $E, WTrue, $F" 137 | apply (unfold True_def) 138 | apply (rule impR) 139 | apply (rule basic) 140 | done 141 | 142 | (*(*Descriptions*) 143 | lemma the_equality: 144 | assumes p1: "$H |- $E, P(a), $F" 145 | and p2: "!!x. $H, P(x) |- $E, x=a, $F" 146 | shows "$H |- $E, (THE x. P(x)) = a, $F" 147 | apply (rule cut) 148 | apply (rule_tac [2] p2) 149 | apply (rule The, rule thinR, rule exchRS, rule p1) 150 | apply (rule thinR, rule exchRS, rule p2) 151 | done 152 | *) 153 | 154 | (** Weakened quantifier rules. Incomplete, they let the search terminate.**) 155 | 156 | lemma allL_thin: "$H, P(x), $G |- $E ==> $H, WALL x P(x), $G |- $E" 157 | apply (rule allL) 158 | apply (erule thinL) 159 | done 160 | 161 | lemma exR_thin: "$H |- $E, P(x), $F ==> $H |- $E, WEX x P(x), $F" 162 | apply (rule exR) 163 | apply (erule thinR) 164 | done 165 | 166 | (*The rules of LK*) 167 | 168 | ML {* 169 | val prop_pack = empty_pack add_safes 170 | [@{thm basic}, @{thm refl}, @{thm TrueR}, @{thm FalseL}, 171 | @{thm conjL}, @{thm conjR}, @{thm disjL}, @{thm disjR}, @{thm impL}, @{thm impR}, 172 | @{thm notL}, @{thm notR}, @{thm iffL}, @{thm iffR}]; 173 | 174 | val LK_pack = prop_pack add_safes [@{thm allR}, @{thm exL}] 175 | add_unsafes [@{thm allL_thin}, @{thm exR_thin}, @{thm the_equality}]; 176 | 177 | val LK_dup_pack = prop_pack add_safes [@{thm allR}, @{thm exL}] 178 | add_unsafes [@{thm allL}, @{thm exR}, @{thm the_equality}]; 179 | 180 | 181 | fun lemma_tac th i = 182 | rtac (@{thm thinR} RS @{thm cut}) i THEN REPEAT (rtac @{thm thinL} i) THEN rtac th i; 183 | *} 184 | 185 | method_setup fast_prop = {* Scan.succeed (K (SIMPLE_METHOD' (fast_tac prop_pack))) *} 186 | method_setup fast = {* Scan.succeed (K (SIMPLE_METHOD' (fast_tac LK_pack))) *} 187 | method_setup fast_dup = {* Scan.succeed (K (SIMPLE_METHOD' (fast_tac LK_dup_pack))) *} 188 | method_setup best = {* Scan.succeed (K (SIMPLE_METHOD' (best_tac LK_pack))) *} 189 | method_setup best_dup = {* Scan.succeed (K (SIMPLE_METHOD' (best_tac LK_dup_pack))) *} 190 | 191 | 192 | lemma mp_R: 193 | assumes major: "$H |- $E, $F, P [-->] Q" 194 | and minor: "$H |- $E, $F, P" 195 | shows "$H |- $E, Q, $F" 196 | apply (rule thinRS [THEN cut], rule major) 197 | apply (tactic "step_tac LK_pack 1") 198 | apply (rule thinR, rule minor) 199 | done 200 | 201 | lemma mp_L: 202 | assumes major: "$H, $G |- $E, P [-->] Q" 203 | and minor: "$H, $G, Q |- $E" 204 | shows "$H, P, $G |- $E" 205 | apply (rule thinL [THEN cut], rule major) 206 | apply (tactic "step_tac LK_pack 1") 207 | apply (rule thinL, rule minor) 208 | done 209 | 210 | 211 | (** Two rules to generate left- and right- rules from implications **) 212 | 213 | lemma R_of_imp: 214 | assumes major: "|- P [-->] Q" 215 | and minor: "$H |- $E, $F, P" 216 | shows "$H |- $E, Q, $F" 217 | apply (rule mp_R) 218 | apply (rule_tac [2] minor) 219 | apply (rule thinRS, rule major [THEN thinLS]) 220 | done 221 | 222 | lemma L_of_imp: 223 | assumes major: "|- P [-->] Q" 224 | and minor: "$H, $G, Q |- $E" 225 | shows "$H, P, $G |- $E" 226 | apply (rule mp_L) 227 | apply (rule_tac [2] minor) 228 | apply (rule thinRS, rule major [THEN thinLS]) 229 | done 230 | 231 | (*Can be used to create implications in a subgoal*) 232 | lemma backwards_impR: 233 | assumes prem: "$H, $G |- $E, $F, P [-->] Q" 234 | shows "$H, P, $G |- $E, Q, $F" 235 | apply (rule mp_L) 236 | apply (rule_tac [2] basic) 237 | apply (rule thinR, rule prem) 238 | done 239 | 240 | lemma conjunct1: "|-P [&] Q ==> |-P" 241 | apply (erule thinR [THEN cut]) 242 | apply fast 243 | done 244 | 245 | lemma conjunct2: "|-P [&] Q ==> |-Q" 246 | apply (erule thinR [THEN cut]) 247 | apply fast 248 | done 249 | 250 | lemma spec: "|- (WALL x P(x)) ==> |- P(x)" 251 | apply (erule thinR [THEN cut]) 252 | apply fast 253 | done 254 | 255 | 256 | (** Equality **) 257 | 258 | lemma sym: "|- a [=] b [-->] b [=] a" 259 | by (tactic {* safe_tac (LK_pack add_safes [@{thm subst}]) 1 *}) 260 | 261 | lemma trans: "|- a [=] b [-->] b [=] c [-->] a [=] c" 262 | by (tactic {* safe_tac (LK_pack add_safes [@{thm subst}]) 1 *}) 263 | 264 | (* Symmetry of equality in hypotheses *) 265 | lemmas symL = sym [THEN L_of_imp, standard] 266 | 267 | (* Symmetry of equality in hypotheses *) 268 | lemmas symR = sym [THEN R_of_imp, standard] 269 | 270 | lemma transR: "[| $H|- $E, $F, a [=] b; $H|- $E, $F, b [=] c |] ==> $H|- $E, a [=] c, $F" 271 | by (rule trans [THEN R_of_imp, THEN mp_R]) 272 | 273 | (* Two theorms for rewriting only one instance of a definition: 274 | the first for definitions of formulae and the second for terms *) 275 | 276 | lemma def_imp_iff: "(A == B) ==> |- A [<->] B" 277 | apply unfold 278 | apply (rule iff_refl) 279 | done 280 | 281 | lemma meta_eq_to_obj_eq: "(A == B) ==> |- A [=] B" 282 | apply (unfold) 283 | apply (rule refl) 284 | done 285 | 286 | (*New added axioms for formulas of our syntax*) 287 | (*Arith*) 288 | axiomatization where 289 | Trans: "formT (f::fform) ==> |- f" and 290 | Trans1: "(formT (f1::fform) ==> formT (f::fform)) ==> f1 |- f" and 291 | Trans2: "(formT (f1::fform) & formT (f2::fform) ==> formT (f::fform)) ==> f1, f2 |- f" and 292 | Trans3: "(formT (f1::fform) & formT (f2::fform) & formT (f3::fform) ==> formT (f::fform)) ==> f1, f2, f3 |- f" and 293 | Trans4: "(formT (f1::fform) & formT (f2::fform) & formT (f3::fform) & formT (f4::fform) ==> formT (f::fform)) ==> f1, f2, f3, f4 |- f" 294 | 295 | axiomatization where 296 | TransR: "|- f ==> formT (f::fform)" and 297 | TransR1: "f1 |- f ==> (formT (f1::fform) --> formT (f::fform))" and 298 | TransR2: "f1, f2 |- f ==> (formT (f1::fform) & formT (f2::fform) --> formT (f::fform))" and 299 | TransR3: "f1, f2, f3 |- f ==> (formT (f1::fform) & formT (f2::fform) & formT (f3::fform) --> formT (f::fform))" 300 | 301 | axiomatization where 302 | le_square : "[|0<=a; (a::real)<=b; 0<=c; (c::real)<=d|] ==> a*c<=b*d" 303 | 304 | lemma le_square1 : "[|0<=(a::real); a<=1|] ==> a*a<=1" 305 | apply (cut_tac a=a and c=a and b=1 and d=1 in le_square,auto) 306 | done 307 | 308 | end 309 | -------------------------------------------------------------------------------- /main/controlPDef.thy: -------------------------------------------------------------------------------- 1 | theory controlPDef 2 | imports "controlADef" 3 | begin 4 | 5 | (*Define the processes for fuctions.*) 6 | definition min :: "exp => exp => exp" where"min(exp1, exp2) == (if formT(exp1[<]exp2) then exp1 else exp2)" 7 | definition Fcontrol1 :: proc where 8 | "Fcontrol1 == 9 | e31 := e32;assSF1; 10 | e32 := e33;assSF2; 11 | e33 := (e33 [+] (Real 32000));assSF3; 12 | v311 := v321;assSF4; 13 | v312 := v322" 14 | definition Fcontrol2 :: proc where 15 | "Fcontrol2 == 16 | v321 := v331;assSF5; 17 | v322 := v332;assSF6; 18 | v331 := (Real 255);assSF7; 19 | v332 := (Real 250);assSF8; 20 | mode31 := mode32" 21 | definition Fcontrol3 :: proc where 22 | "Fcontrol3 == 23 | mode32 := mode33;assSF9; 24 | mode33 := (Real 0)" 25 | definition FMA3 :: proc where 26 | "FMA3 == Fcontrol1;assSF10;Fcontrol2;assSF11;Fcontrol3" 27 | definition Fcontrol4 :: proc where 28 | "Fcontrol4 == 29 | T := (Real 1/8);assSF12; 30 | vr1 := ((v211 [+] (Real 2)[*]T) [*] (v211 [+] (Real 2)[*]T));assSF13; 31 | vr1 := min(vr1, ((v221[*]v221[-](Real 2)[*]C_b[*]e21)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 32 | definition Fcontrol5 :: proc where 33 | "Fcontrol5 == 34 | vr1 := min(vr1, ((v231[*]v231[-](Real 2)[*]C_b[*]e22)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 35 | definition Fcontrol6 :: proc where 36 | "Fcontrol6 == 37 | vr1 := min(vr1, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e32) [+] (Real 2)[*]T[*]T))" 38 | definition Fcontrol7 :: proc where 39 | "Fcontrol7 == 40 | vr2 := ((v212 [+] (Real 2)[*]T) [*] (v212 [+] (Real 2)[*]T));assSF14; 41 | vr2 := min(vr2, ((v222 [*]v222[-](Real 2)[*]C_b[*]e21)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 42 | definition Fcontrol8 :: proc where 43 | "Fcontrol8 == 44 | vr2 := min(vr2, ((v232 [*]v232[-](Real 2)[*]C_b[*]e22)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 45 | definition Fcontrol9 :: proc where 46 | "Fcontrol9 == 47 | vr2 := min(vr2, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e23) [+] (Real 2)[*]T[*]T))" 48 | definition Fcontrol10 :: proc where 49 | "Fcontrol10 == 50 | fv := (v[*]v [+] (Real 1/2)[*]v [+] (Real 4)[*]T[*]T)" 51 | definition FB2 :: proc where 52 | "FB2 == Fcontrol4;assSF15;Fcontrol5;assSF16;Fcontrol6;assSF17;Fcontrol7;assSF18;Fcontrol8;assSF19;Fcontrol9;assSF20;Fcontrol10" 53 | definition Fcontrol11 :: proc where 54 | "Fcontrol11 == 55 | T := (Real 1/8);assSF21; 56 | vr1 := ((v311 [+] (Real 2)[*]T) [*] (v311 [+] (Real 2)[*]T));assSF22; 57 | vr1 := min(vr1, ((v321[*]v321[-](Real 2)[*]C_b[*]e31)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 58 | definition Fcontrol12 :: proc where 59 | "Fcontrol12 == 60 | vr1 := min(vr1, ((v331[*]v331[-](Real 2)[*]C_b[*]e32)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 61 | definition Fcontrol13 :: proc where 62 | "Fcontrol13 == 63 | vr1 := min(vr1, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e33) [+] (Real 2)[*]T[*]T))" 64 | definition Fcontrol14 :: proc where 65 | "Fcontrol14 == 66 | vr2 := ((v312 [+] (Real 2)[*]T) [*] (v312 [+] (Real 2)[*]T));assSF23; 67 | vr2 := min(vr2, ((v322 [*]v322[-](Real 2)[*]C_b[*]e31)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 68 | definition Fcontrol15 :: proc where 69 | "Fcontrol15 == 70 | vr2 := min(vr2, ((v332 [*]v332[-](Real 2)[*]C_b[*]e32)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 71 | definition Fcontrol16 :: proc where 72 | "Fcontrol16 == 73 | vr2 := min(vr2, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e33) [+] (Real 2)[*]T[*]T))" 74 | definition Fcontrol17 :: proc where 75 | "Fcontrol17 == 76 | fv:=((v [+] (Real 2)[*]T)[*](v [+] (Real 2)[*]T))" 77 | definition FB3 :: proc where 78 | "FB3 == Fcontrol11;assSF24;Fcontrol12;assSF25;Fcontrol13;assSF26;Fcontrol14;assSF27;Fcontrol15;assSF28;Fcontrol16;assSF29;Fcontrol17" 79 | definition Fcontrol18 :: proc where 80 | "Fcontrol18 == 81 | e21 := e22;assSF30; 82 | e22 := e23;assSF31; 83 | e23 := (e23 [+] (Real 32000));assSF32; 84 | v211 := v221;assSF33; 85 | v212 := v222" 86 | definition Fcontrol19 :: proc where 87 | "Fcontrol19 == 88 | v221 := v231;assSF34; 89 | v222 := v232;assSF35; 90 | v231 := (Real 105);assSF36; 91 | v232 := (Real 100);assSF37; 92 | mode21 := mode22" 93 | definition Fcontrol20 :: proc where 94 | "Fcontrol20 == 95 | mode22 := mode23;assSF38; 96 | mode23 := (Real 0)" 97 | definition FMA2 :: proc where 98 | "FMA2 == Fcontrol18;assSF39;Fcontrol19;assSF40;Fcontrol20" 99 | definition Fcontrol21 :: proc where 100 | "Fcontrol21 == 101 | T := (Real 1/8);assSF41; 102 | vr1 := ((v211 [+] (Real 2)[*]T) [*] (v211 [+] (Real 2)[*]T));assSF42; 103 | vr1 := min(vr1, (v311 [+] (Real 2)[*]T) [*] (v311 [+] (Real 2)[*]T))" 104 | definition Fcontrol22 :: proc where 105 | "Fcontrol22 == 106 | vr1 := min(vr1, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e33) [+] (Real 2)[*]T[*]T))" 107 | definition Fcontrol23 :: proc where 108 | "Fcontrol23 == 109 | vr1 := min(vr1, ((v331[*]v331[-](Real 2)[*]C_b[*]e32)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 110 | definition Fcontrol24 :: proc where 111 | "Fcontrol24 == 112 | vr2 := ((v212 [+] (Real 2)[*]T) [*] (v212 [+] (Real 2)[*]T));assSF43; 113 | vr2 := min(vr2,(v312 [+] (Real 2)[*]T) [*] (v312 [+] (Real 2)[*]T))" 114 | definition Fcontrol25 :: proc where 115 | "Fcontrol25 == 116 | vr2 := min(vr2, ((v332 [*]v332[-](Real 2)[*]C_b[*]e32)[+](Real 2)[*]C_b[*]s [+] (Real 2)[*]T[*]T))" 117 | definition Fcontrol26 :: proc where 118 | "Fcontrol26 == 119 | vr2 := min(vr2, (((Real 2)[*]C_b[*]s[-](Real 2)[*]C_b[*]e33) [+] (Real 2)[*]T[*]T))" 120 | definition Fcontrol27 :: proc where 121 | "Fcontrol27 == 122 | fv := (v[*]v [+] (Real 1/2)[*]v [+] (Real 4)[*]T[*]T)" 123 | definition FB22 :: proc where 124 | "FB22 == Fcontrol21;assSF44;Fcontrol22;assSF45;Fcontrol23;assSF46;Fcontrol24;assSF47;Fcontrol25;assSF48;Fcontrol26;assSF49;Fcontrol27" 125 | (*Define the process.*) 126 | definition Pcontrol1 :: proc where 127 | "Pcontrol1 == IF (num[=](Real 0)) (((<(WTrue) && (WTrue)>:(l[=](Real 0.125));assSF50;Ch_plant_s_1_1??s);assSF51;Ch_plant_v_1_1??v);assSF52;(num:=(Real 1);assSF53;empty(EL);assSF54;(addL EL E);assSF55;empty(NL);assSF56;(addL NL (Real 1))))" 128 | definition Pcontrol2 :: proc where 129 | "Pcontrol2 == IF (num[=](Real 1)) (BC_1!!E ;assSF57; ((BR_1??E;assSF58;(addL EL E);assSF59;(addL NL (Real 1));assSF60;num:=(Real 1)) [[ BO_1??vBO1);assSF61;num:=(num[+](Real 1));assSF62;delL(NL);assSF63;(addL NL num))" 130 | definition Pcontrol3 :: proc where 131 | "Pcontrol3 == IF (num[=](Real 2)) (BC_2!!E ;assSF64; ((BR_2??E;assSF65;(addL EL E);assSF66;(addL NL (Real 1));assSF67;num:=(Real 1)) [[ BO_2??vBO2);assSF68;num:=(num[+](Real 1));assSF69;delL(NL);assSF70;(addL NL num))" 132 | definition Pcontrol4 :: proc where 133 | "Pcontrol4 == IF (num[=](Real 3)) (BC_3!!E ;assSF71; ((BR_3??E;assSF72;(addL EL E);assSF73;(addL NL (Real 1));assSF74;num:=(Real 1)) [[ BO_3??vBO3);assSF75;num:=(num[+](Real 1));assSF76;delL(NL);assSF77;(addL NL num))" 134 | definition Pcontrol5 :: proc where 135 | "Pcontrol5 == IF (num[=](Real 4)) (BC_4!!E ;assSF78; ((BR_4??E;assSF79;(addL EL E);assSF80;(addL NL (Real 1));assSF81;num:=(Real 1)) [[ BO_4??vBO4);assSF82;num:=(num[+](Real 1));assSF83;delL(NL);assSF84;(addL NL num))" 136 | definition Pcontrol6 :: proc where 137 | "Pcontrol6 == IF (num[=](Real 5)) (delL(EL);assSF85;delL(NL);assSF86;IF isEmpty(EL) (num:=(Real 0);assSF87;E:=(String '''');assSF88;Ch_control_1_0!!a;assSF89;Ch_control_1_0!!a);assSF90;IF([~]isEmpty(EL)) (E:=readL(EL);assSF91;num:=readL(NL)))" 138 | definition Pcontrol7 :: proc where 139 | "Pcontrol7 == ((num:=(Real 0);assSF92;E:=(String '''');assSF93;(a:=(Real 0)));assSF94;Ch_control_1_0!!a);assSF95;(Pcontrol1;assSF96;Pcontrol2;assSF97;Pcontrol3;assSF98;Pcontrol4;assSF99;Pcontrol5;assSF100;Pcontrol6)*" 140 | definition Pcontrol8 :: proc where 141 | "Pcontrol8 == IF ((done2[=](Real 0))[&]E2[=](String ''LUA'')) (actRBC:=(Real 0);assSF101;actRBC:=(Real 1);assSF102;BR_2!!(String ''LU'');assSF103;done2:=(Real 1))" 142 | definition Pcontrol9 :: proc where 143 | "Pcontrol9 == 144 | IF ((done2[=](Real 0))[&]E2[=](String ''MAA3'')) (actRBC:=(Real 0);assSF104;actRBC:=(Real 1);assSF105;BR_2!!(String ''MAA3c'');assSF106;done2:=(Real 1))" 145 | definition Pcontrol10 :: proc where 146 | "Pcontrol10 == done2:=(Real 0)" 147 | definition Pcontrol11 :: proc where 148 | "Pcontrol11 == Pcontrol10;assSF107;(BC_2??E2;assSF108;(Pcontrol8;assSF109;Pcontrol9;assSF110;done2:=(Real 0));assSF111;BO_2!!(String ''''))*" 149 | definition Pcontrol12 :: proc where 150 | "Pcontrol12 == IF ((done3[=](Real 0))[&]E3[=](String ''MAA2'')) (actTCC:=(Real 0);assSF112;actTCC:=(Real 1);assSF113;BR_3!!(String ''MAA2c'');assSF114;done3:=(Real 1))" 151 | definition Pcontrol13 :: proc where 152 | "Pcontrol13 == done3:=(Real 0)" 153 | definition Pcontrol14 :: proc where 154 | "Pcontrol14 == Pcontrol13;assSF115;(BC_3??E3;assSF116;(Pcontrol12;assSF117;done3:=(Real 0));assSF118;BO_3!!(String ''''))*" 155 | definition Pcontrol15 :: proc where 156 | "Pcontrol15 == (C_b:=(Real -1));assSF119;(C_A:=(Real 1));assSF120;(C_a:=(Real -0.2));assSF121;(v332:=(Real 0));assSF122;(v331:=(Real 0));assSF123;(v322:=(Real 250));assSF124;(v321:=(Real 255));assSF125; 157 | (v312:=(Real 250));assSF126;(v311:=(Real 255))" 158 | definition Pcontrol16 :: proc where 159 | "Pcontrol16 == (v232:=(Real 40));assSF127;(v231:=(Real 45));assSF128;(v222:=(Real 100));assSF129;(v221:=(Real 105));assSF130; 160 | (v212:=(Real 100));assSF131;(v211:=(Real 105));assSF132;(e33:=(Real 96000));assSF133;(e32:=(Real 64000))" 161 | definition Pcontrol17 :: proc where 162 | "Pcontrol17 == (e31:=(Real 32000));assSF134;(e23:=(Real 96000));assSF135; 163 | (e22:=(Real 64000));assSF136;(e21:=(Real 32000));assSF137;(mode33:=(Real 1));assSF138;(mode32:=(Real 0));assSF139;(mode31:=(Real 0));assSF140;(mode23:=(Real 1))" 164 | definition Pcontrol18 :: proc where 165 | "Pcontrol18 == 166 | (mode22:=(Real 0));assSF141;(mode21:=(Real 0));assSF142;(mode3:=(Real 0));assSF143;(mode2:=(Real 0));assSF144;(i:=(Real 2));assSF145;(x2:=(Real 64000));assSF146;(x1:=(Real 32000));assSF147;(actl3:=(Real 0));assSF148;(actl2a:=(Real 0))" 167 | definition Pcontrol19 :: proc where 168 | "Pcontrol19 == (actl2:=(Real 0))" 169 | definition Pcontrol20 :: proc where 170 | "Pcontrol20 == Pcontrol15;assSF149;Pcontrol16;assSF150;Pcontrol17;assSF151;Pcontrol18;assSF152;Pcontrol19" 171 | definition Pcontrol21 :: proc where 172 | "Pcontrol21 == (actl2:=(Real 1))" 173 | definition Pcontrol22 :: proc where 174 | "Pcontrol22 == v321:=(Real 45);assSF153;v322:=(Real 40);assSF154;FB3;assSF155;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl3:=(Real 0);assSF156;actl3:=(Real 1);assSF157;a:=C_b;assSF158;done1:=(Real 1))" 175 | definition Pcontrol23 :: proc where 176 | "Pcontrol23 == 177 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl3:=(Real 0);assSF159;actl3:=(Real 1);assSF160;a:=C_a;assSF161;done1:=(Real 1))" 178 | definition Pcontrol24 :: proc where 179 | "Pcontrol24 == 180 | IF ((done1[=](Real 0))) (actl3:=(Real 0);assSF162;actl3:=(Real 1);assSF163;a:=C_A;assSF164;done1:=(Real 1))" 181 | definition Pcontrol25 :: proc where 182 | "Pcontrol25 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl3:=(Real 0);assSF165;actl3:=(Real 1);assSF166;a:=C_b;assSF167;done1:=(Real 1))" 183 | definition Pcontrol26 :: proc where 184 | "Pcontrol26 == 185 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl3:=(Real 0);assSF168;actl3:=(Real 1);assSF169;a:=C_a;assSF170;done1:=(Real 1))" 186 | definition Pcontrol27 :: proc where 187 | "Pcontrol27 == 188 | IF ((done1[=](Real 0))) (actl3:=(Real 0);assSF171;actl3:=(Real 1);assSF172;a:=C_A;assSF173;done1:=(Real 1))" 189 | definition Pcontrol28 :: proc where 190 | "Pcontrol28 == FMA3;assSF174;FB3;assSF175;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl3:=(Real 0);assSF176;actl3:=(Real 1);assSF177;a:=C_b;assSF178;done1:=(Real 1))" 191 | definition Pcontrol29 :: proc where 192 | "Pcontrol29 == 193 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl3:=(Real 0);assSF179;actl3:=(Real 1);assSF180;a:=C_a;assSF181;done1:=(Real 1))" 194 | definition Pcontrol30 :: proc where 195 | "Pcontrol30 == 196 | IF ((done1[=](Real 0))) (actl3:=(Real 0);assSF182;actl3:=(Real 1);assSF183;a:=C_A;assSF184;done1:=(Real 1))" 197 | definition Pcontrol31 :: proc where 198 | "Pcontrol31 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl3:=(Real 0);assSF185;actl3:=(Real 1);assSF186;a:=C_b;assSF187;done1:=(Real 1))" 199 | definition Pcontrol32 :: proc where 200 | "Pcontrol32 == 201 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl3:=(Real 0);assSF188;actl3:=(Real 1);assSF189;a:=C_a;assSF190;done1:=(Real 1))" 202 | definition Pcontrol33 :: proc where 203 | "Pcontrol33 == 204 | IF ((done1[=](Real 0))) (actl3:=(Real 0);assSF191;actl3:=(Real 1);assSF192;a:=C_A;assSF193;done1:=(Real 1))" 205 | definition Pcontrol34 :: proc where 206 | "Pcontrol34 == FB3;assSF194;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl3:=(Real 0);assSF195;actl3:=(Real 1);assSF196;a:=C_b;assSF197;done1:=(Real 1))" 207 | definition Pcontrol35 :: proc where 208 | "Pcontrol35 == 209 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl3:=(Real 0);assSF198;actl3:=(Real 1);assSF199;a:=C_a;assSF200;done1:=(Real 1))" 210 | definition Pcontrol36 :: proc where 211 | "Pcontrol36 == 212 | IF ((done1[=](Real 0))) (actl3:=(Real 0);assSF201;actl3:=(Real 1);assSF202;a:=C_A;assSF203;done1:=(Real 1))" 213 | definition Pcontrol37 :: proc where 214 | "Pcontrol37 == IF ((done1[=](Real 0))[&]E1[=](String ''CONF'')) (Pcontrol22;assSF204;Pcontrol23;assSF205;Pcontrol24)" 215 | definition Pcontrol38 :: proc where 216 | "Pcontrol38 == 217 | IF ((done1[=](Real 0))[&]mode32[=](Real 1) [&] v321[=](Real 0)) (Pcontrol25;assSF206;Pcontrol26;assSF207;Pcontrol27)" 218 | definition Pcontrol39 :: proc where 219 | "Pcontrol39 == 220 | IF ((done1[=](Real 0))[&]E1[=](String ''MAA3c'')) (Pcontrol28;assSF208;Pcontrol29;assSF209;Pcontrol30)" 221 | definition Pcontrol40 :: proc where 222 | "Pcontrol40 == 223 | IF ((done1[=](Real 0))[&]s[>]e32) (Pcontrol31;assSF210;Pcontrol32;assSF211;Pcontrol33)" 224 | definition Pcontrol41 :: proc where 225 | "Pcontrol41 == 226 | IF ((done1[=](Real 0))) (Pcontrol34;assSF212;Pcontrol35;assSF213;Pcontrol36)" 227 | definition Pcontrol42 :: proc where 228 | "Pcontrol42 == IF ((done1[=](Real 0))[&]s[>]x2) (actl2a:=(Real 0);assSF214;actl3:=(Real 1);assSF215;done1:=(Real 1))" 229 | definition Pcontrol43 :: proc where 230 | "Pcontrol43 == FMA3;assSF216;FB22;assSF217;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2a:=(Real 0);assSF218;actl2a:=(Real 1);assSF219;a:=C_b;assSF220;done1:=(Real 1))" 231 | definition Pcontrol44 :: proc where 232 | "Pcontrol44 == 233 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2a:=(Real 0);assSF221;actl2a:=(Real 1);assSF222;a:=C_a;assSF223;done1:=(Real 1))" 234 | definition Pcontrol45 :: proc where 235 | "Pcontrol45 == 236 | IF ((done1[=](Real 0))) (actl2a:=(Real 0);assSF224;actl2a:=(Real 1);assSF225;a:=C_A;assSF226;done1:=(Real 1))" 237 | definition Pcontrol46 :: proc where 238 | "Pcontrol46 == FMA2;assSF227;FB22;assSF228;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2a:=(Real 0);assSF229;actl2a:=(Real 1);assSF230;a:=C_b;assSF231;done1:=(Real 1))" 239 | definition Pcontrol47 :: proc where 240 | "Pcontrol47 == 241 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2a:=(Real 0);assSF232;actl2a:=(Real 1);assSF233;a:=C_a;assSF234;done1:=(Real 1))" 242 | definition Pcontrol48 :: proc where 243 | "Pcontrol48 == 244 | IF ((done1[=](Real 0))) (actl2a:=(Real 0);assSF235;actl2a:=(Real 1);assSF236;a:=C_A;assSF237;done1:=(Real 1))" 245 | definition Pcontrol49 :: proc where 246 | "Pcontrol49 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2a:=(Real 0);assSF238;actl2a:=(Real 1);assSF239;a:=C_b;assSF240;done1:=(Real 1))" 247 | definition Pcontrol50 :: proc where 248 | "Pcontrol50 == 249 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2a:=(Real 0);assSF241;actl2a:=(Real 1);assSF242;a:=C_a;assSF243;done1:=(Real 1))" 250 | definition Pcontrol51 :: proc where 251 | "Pcontrol51 == 252 | IF ((done1[=](Real 0))) (actl2a:=(Real 0);assSF244;actl2a:=(Real 1);assSF245;a:=C_A;assSF246;done1:=(Real 1))" 253 | definition Pcontrol52 :: proc where 254 | "Pcontrol52 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2a:=(Real 0);assSF247;actl2a:=(Real 1);assSF248;a:=C_b;assSF249;done1:=(Real 1))" 255 | definition Pcontrol53 :: proc where 256 | "Pcontrol53 == 257 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2a:=(Real 0);assSF250;actl2a:=(Real 1);assSF251;a:=C_a;assSF252;done1:=(Real 1))" 258 | definition Pcontrol54 :: proc where 259 | "Pcontrol54 == 260 | IF ((done1[=](Real 0))) (actl2a:=(Real 0);assSF253;actl2a:=(Real 1);assSF254;a:=C_A;assSF255;done1:=(Real 1))" 261 | definition Pcontrol55 :: proc where 262 | "Pcontrol55 == FB22;assSF256;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2a:=(Real 0);assSF257;actl2a:=(Real 1);assSF258;a:=C_b;assSF259;done1:=(Real 1))" 263 | definition Pcontrol56 :: proc where 264 | "Pcontrol56 == 265 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2a:=(Real 0);assSF260;actl2a:=(Real 1);assSF261;a:=C_a;assSF262;done1:=(Real 1))" 266 | definition Pcontrol57 :: proc where 267 | "Pcontrol57 == 268 | IF ((done1[=](Real 0))) (actl2a:=(Real 0);assSF263;actl2a:=(Real 1);assSF264;a:=C_A;assSF265;done1:=(Real 1))" 269 | definition Pcontrol58 :: proc where 270 | "Pcontrol58 == Pcontrol42;assSF266; 271 | IF ((done1[=](Real 0))[&]E1[=](String ''MAA3c'')) (Pcontrol43;assSF267;Pcontrol44;assSF268;Pcontrol45)" 272 | definition Pcontrol59 :: proc where 273 | "Pcontrol59 == 274 | IF ((done1[=](Real 0))[&]E1[=](String ''MAA2c'')) (Pcontrol46;assSF269;Pcontrol47;assSF270;Pcontrol48)" 275 | definition Pcontrol60 :: proc where 276 | "Pcontrol60 == 277 | IF ((done1[=](Real 0))[&]s[>]e22) (Pcontrol49;assSF271;Pcontrol50;assSF272;Pcontrol51)" 278 | definition Pcontrol61 :: proc where 279 | "Pcontrol61 == 280 | IF ((done1[=](Real 0))[&]s[>]e32) (Pcontrol52;assSF273;Pcontrol53;assSF274;Pcontrol54)" 281 | definition Pcontrol62 :: proc where 282 | "Pcontrol62 == 283 | IF ((done1[=](Real 0))) (Pcontrol55;assSF275;Pcontrol56;assSF276;Pcontrol57)" 284 | definition Pcontrol63 :: proc where 285 | "Pcontrol63 == IF ((done1[=](Real 0))[&]i[=](Real 2) [&] s[>=]x1) (actl2:=(Real 0);assSF277;actl2a:=(Real 1);assSF278;a:=C_b;assSF279;done1:=(Real 1))" 286 | definition Pcontrol64 :: proc where 287 | "Pcontrol64 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2:=(Real 0);assSF280;actl2:=(Real 1);assSF281;a:=C_b;assSF282;done1:=(Real 1))" 288 | definition Pcontrol65 :: proc where 289 | "Pcontrol65 == 290 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2:=(Real 0);assSF283;actl2:=(Real 1);assSF284;a:=C_a;assSF285;done1:=(Real 1))" 291 | definition Pcontrol66 :: proc where 292 | "Pcontrol66 == 293 | IF ((done1[=](Real 0))) (actl2:=(Real 0);assSF286;actl2:=(Real 1);assSF287;a:=C_A;assSF288;done1:=(Real 1))" 294 | definition Pcontrol67 :: proc where 295 | "Pcontrol67 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2:=(Real 0);assSF289;actl2:=(Real 1);assSF290;a:=C_b;assSF291;done1:=(Real 1))" 296 | definition Pcontrol68 :: proc where 297 | "Pcontrol68 == 298 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2:=(Real 0);assSF292;actl2:=(Real 1);assSF293;a:=C_a;assSF294;done1:=(Real 1))" 299 | definition Pcontrol69 :: proc where 300 | "Pcontrol69 == 301 | IF ((done1[=](Real 0))) (actl2:=(Real 0);assSF295;actl2:=(Real 1);assSF296;a:=C_A;assSF297;done1:=(Real 1))" 302 | definition Pcontrol70 :: proc where 303 | "Pcontrol70 == FMA2;assSF298;FB2;assSF299;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2:=(Real 0);assSF300;actl2:=(Real 1);assSF301;a:=C_b;assSF302;done1:=(Real 1))" 304 | definition Pcontrol71 :: proc where 305 | "Pcontrol71 == 306 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2:=(Real 0);assSF303;actl2:=(Real 1);assSF304;a:=C_a;assSF305;done1:=(Real 1))" 307 | definition Pcontrol72 :: proc where 308 | "Pcontrol72 == 309 | IF ((done1[=](Real 0))) (actl2:=(Real 0);assSF306;actl2:=(Real 1);assSF307;a:=C_A;assSF308;done1:=(Real 1))" 310 | definition Pcontrol73 :: proc where 311 | "Pcontrol73 == IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2:=(Real 0);assSF309;actl2:=(Real 1);assSF310;a:=C_b;assSF311;done1:=(Real 1))" 312 | definition Pcontrol74 :: proc where 313 | "Pcontrol74 == 314 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2:=(Real 0);assSF312;actl2:=(Real 1);assSF313;a:=C_a;assSF314;done1:=(Real 1))" 315 | definition Pcontrol75 :: proc where 316 | "Pcontrol75 == 317 | IF ((done1[=](Real 0))) (actl2:=(Real 0);assSF315;actl2:=(Real 1);assSF316;a:=C_A;assSF317;done1:=(Real 1))" 318 | definition Pcontrol76 :: proc where 319 | "Pcontrol76 == FB2;assSF318;IF ((done1[=](Real 0))[&]fv[>=]vr1) (actl2:=(Real 0);assSF319;actl2:=(Real 1);assSF320;a:=C_b;assSF321;done1:=(Real 1))" 320 | definition Pcontrol77 :: proc where 321 | "Pcontrol77 == 322 | IF ((done1[=](Real 0))[&]fv[>=]vr2) (actl2:=(Real 0);assSF322;actl2:=(Real 1);assSF323;a:=C_a;assSF324;done1:=(Real 1))" 323 | definition Pcontrol78 :: proc where 324 | "Pcontrol78 == 325 | IF ((done1[=](Real 0))) (actl2:=(Real 0);assSF325;actl2:=(Real 1);assSF326;a:=C_A;assSF327;done1:=(Real 1))" 326 | definition Pcontrol79 :: proc where 327 | "Pcontrol79 == Pcontrol63;assSF328; 328 | IF ((done1[=](Real 0))[&]E1[=](String ''LU'')) (Pcontrol64;assSF329;Pcontrol65;assSF330;Pcontrol66)" 329 | definition Pcontrol80 :: proc where 330 | "Pcontrol80 == 331 | IF ((done1[=](Real 0))[&]i[=](Real 0) [&] s[>](Real 200)) (Pcontrol67;assSF331;Pcontrol68;assSF332;Pcontrol69)" 332 | definition Pcontrol81 :: proc where 333 | "Pcontrol81 == 334 | IF ((done1[=](Real 0))[&]E1[=](String ''MAA2c'')) (Pcontrol70;assSF333;Pcontrol71;assSF334;Pcontrol72)" 335 | definition Pcontrol82 :: proc where 336 | "Pcontrol82 == 337 | IF ((done1[=](Real 0))[&]s[>]e22) (Pcontrol73;assSF335;Pcontrol74;assSF336;Pcontrol75)" 338 | definition Pcontrol83 :: proc where 339 | "Pcontrol83 == 340 | IF ((done1[=](Real 0))) (Pcontrol76;assSF337;Pcontrol77;assSF338;Pcontrol78)" 341 | definition Pcontrol84 :: proc where 342 | "Pcontrol84 == IF (done1[=](Real 0)) (IF (actl3[=](Real 1)) (Pcontrol37;assSF339;Pcontrol38;assSF340;Pcontrol39;assSF341;Pcontrol40;assSF342;Pcontrol41);assSF343; 343 | IF (actl2a[=](Real 1)) (Pcontrol58;assSF344;Pcontrol59;assSF345;Pcontrol60;assSF346;Pcontrol61;assSF347;Pcontrol62);assSF348; 344 | IF (actl2[=](Real 1)) (Pcontrol79;assSF349;Pcontrol80;assSF350;Pcontrol81;assSF351;Pcontrol82;assSF352;Pcontrol83))" 345 | definition Pcontrol85 :: proc where 346 | "Pcontrol85 == Pcontrol20;assSF353;Pcontrol21;assSF354;done1:=(Real 0)" 347 | definition Pcontrol86 :: proc where 348 | "Pcontrol86 == Pcontrol85;assSF355;(BC_1??E1;assSF356;(Pcontrol84;assSF357;done1:=(Real 0));assSF358;BO_1!!(String ''''))*" 349 | definition Pcontrol87 :: proc where 350 | "Pcontrol87 == IF ((done4[=](Real 0))[&]E4[=](String ''CONFR'')) (actDriver:=(Real 0);assSF359;actDriver:=(Real 1);assSF360;BR_4!!(String ''CONF'');assSF361;done4:=(Real 1))" 351 | definition Pcontrol88 :: proc where 352 | "Pcontrol88 == done4:=(Real 0)" 353 | definition Pcontrol89 :: proc where 354 | "Pcontrol89 == Pcontrol88;assSF362;(BC_4??E4;assSF363;(Pcontrol87;assSF364;done4:=(Real 0));assSF365;BO_4!!(String ''''))*" 355 | definition Pcontrol :: proc where 356 | "Pcontrol == Pcontrol7||Pcontrol11||Pcontrol14||Pcontrol86||Pcontrol89" 357 | end 358 | -------------------------------------------------------------------------------- /main/controlADef.thy: -------------------------------------------------------------------------------- 1 | theory controlADef 2 | imports "controlVarDef" 3 | begin 4 | 5 | definition assSF1 :: mid where 6 | "assSF1 == (WTrue,l[=](Real 0))" 7 | definition assSF2 :: mid where 8 | "assSF2 == (WTrue,l[=](Real 0))" 9 | definition assSF3 :: mid where 10 | "assSF3 == (WTrue,l[=](Real 0))" 11 | definition assSF4 :: mid where 12 | "assSF4 == (WTrue,l[=](Real 0))" 13 | definition assSF5 :: mid where 14 | "assSF5 == (WTrue,l[=](Real 0))" 15 | definition assSF6 :: mid where 16 | "assSF6 == (WTrue,l[=](Real 0))" 17 | definition assSF7 :: mid where 18 | "assSF7 == (WTrue,l[=](Real 0))" 19 | definition assSF8 :: mid where 20 | "assSF8 == (WTrue,l[=](Real 0))" 21 | definition assSF9 :: mid where 22 | "assSF9 == (WTrue,l[=](Real 0))" 23 | definition assSF10 :: mid where 24 | "assSF10 == (WTrue,l[=](Real 0))" 25 | definition assSF11 :: mid where 26 | "assSF11 == (WTrue,l[=](Real 0))" 27 | definition assSF12 :: mid where 28 | "assSF12 == (WTrue,l[=](Real 0))" 29 | definition assSF13 :: mid where 30 | "assSF13 == (WTrue,l[=](Real 0))" 31 | definition assSF14 :: mid where 32 | "assSF14 == (WTrue,l[=](Real 0))" 33 | definition assSF15 :: mid where 34 | "assSF15 == (WTrue,l[=](Real 0))" 35 | definition assSF16 :: mid where 36 | "assSF16 == (WTrue,l[=](Real 0))" 37 | definition assSF17 :: mid where 38 | "assSF17 == (WTrue,l[=](Real 0))" 39 | definition assSF18 :: mid where 40 | "assSF18 == (WTrue,l[=](Real 0))" 41 | definition assSF19 :: mid where 42 | "assSF19 == (WTrue,l[=](Real 0))" 43 | definition assSF20 :: mid where 44 | "assSF20 == (WTrue,l[=](Real 0))" 45 | definition assSF21 :: mid where 46 | "assSF21 == (WTrue,l[=](Real 0))" 47 | definition assSF22 :: mid where 48 | "assSF22 == (WTrue,l[=](Real 0))" 49 | definition assSF23 :: mid where 50 | "assSF23 == (WTrue,l[=](Real 0))" 51 | definition assSF24 :: mid where 52 | "assSF24 == (WTrue,l[=](Real 0))" 53 | definition assSF25 :: mid where 54 | "assSF25 == (WTrue,l[=](Real 0))" 55 | definition assSF26 :: mid where 56 | "assSF26 == (WTrue,l[=](Real 0))" 57 | definition assSF27 :: mid where 58 | "assSF27 == (WTrue,l[=](Real 0))" 59 | definition assSF28 :: mid where 60 | "assSF28 == (WTrue,l[=](Real 0))" 61 | definition assSF29 :: mid where 62 | "assSF29 == (WTrue,l[=](Real 0))" 63 | definition assSF30 :: mid where 64 | "assSF30 == (WTrue,l[=](Real 0))" 65 | definition assSF31 :: mid where 66 | "assSF31 == (WTrue,l[=](Real 0))" 67 | definition assSF32 :: mid where 68 | "assSF32 == (WTrue,l[=](Real 0))" 69 | definition assSF33 :: mid where 70 | "assSF33 == (WTrue,l[=](Real 0))" 71 | definition assSF34 :: mid where 72 | "assSF34 == (WTrue,l[=](Real 0))" 73 | definition assSF35 :: mid where 74 | "assSF35 == (WTrue,l[=](Real 0))" 75 | definition assSF36 :: mid where 76 | "assSF36 == (WTrue,l[=](Real 0))" 77 | definition assSF37 :: mid where 78 | "assSF37 == (WTrue,l[=](Real 0))" 79 | definition assSF38 :: mid where 80 | "assSF38 == (WTrue,l[=](Real 0))" 81 | definition assSF39 :: mid where 82 | "assSF39 == (WTrue,l[=](Real 0))" 83 | definition assSF40 :: mid where 84 | "assSF40 == (WTrue,l[=](Real 0))" 85 | definition assSF41 :: mid where 86 | "assSF41 == (WTrue,l[=](Real 0))" 87 | definition assSF42 :: mid where 88 | "assSF42 == (WTrue,l[=](Real 0))" 89 | definition assSF43 :: mid where 90 | "assSF43 == (WTrue,l[=](Real 0))" 91 | definition assSF44 :: mid where 92 | "assSF44 == (WTrue,l[=](Real 0))" 93 | definition assSF45 :: mid where 94 | "assSF45 == (WTrue,l[=](Real 0))" 95 | definition assSF46 :: mid where 96 | "assSF46 == (WTrue,l[=](Real 0))" 97 | definition assSF47 :: mid where 98 | "assSF47 == (WTrue,l[=](Real 0))" 99 | definition assSF48 :: mid where 100 | "assSF48 == (WTrue,l[=](Real 0))" 101 | definition assSF49 :: mid where 102 | "assSF49 == (WTrue,l[=](Real 0))" 103 | definition assSF50 :: mid where 104 | "assSF50 == (WTrue,l[=](Real 0))" 105 | definition assSF51 :: mid where 106 | "assSF51 == (WTrue,l[=](Real 0))" 107 | definition assSF52 :: mid where 108 | "assSF52 == (WTrue,l[=](Real 0))" 109 | definition assSF53 :: mid where 110 | "assSF53 == (WTrue,l[=](Real 0))" 111 | definition assSF54 :: mid where 112 | "assSF54 == (WTrue,l[=](Real 0))" 113 | definition assSF55 :: mid where 114 | "assSF55 == (WTrue,l[=](Real 0))" 115 | definition assSF56 :: mid where 116 | "assSF56 == (WTrue,l[=](Real 0))" 117 | definition assSF57 :: mid where 118 | "assSF57 == (WTrue,l[=](Real 0))" 119 | definition assSF58 :: mid where 120 | "assSF58 == (WTrue,l[=](Real 0))" 121 | definition assSF59 :: mid where 122 | "assSF59 == (WTrue,l[=](Real 0))" 123 | definition assSF60 :: mid where 124 | "assSF60 == (WTrue,l[=](Real 0))" 125 | definition assSF61 :: mid where 126 | "assSF61 == (WTrue,l[=](Real 0))" 127 | definition assSF62 :: mid where 128 | "assSF62 == (WTrue,l[=](Real 0))" 129 | definition assSF63 :: mid where 130 | "assSF63 == (WTrue,l[=](Real 0))" 131 | definition assSF64 :: mid where 132 | "assSF64 == (WTrue,l[=](Real 0))" 133 | definition assSF65 :: mid where 134 | "assSF65 == (WTrue,l[=](Real 0))" 135 | definition assSF66 :: mid where 136 | "assSF66 == (WTrue,l[=](Real 0))" 137 | definition assSF67 :: mid where 138 | "assSF67 == (WTrue,l[=](Real 0))" 139 | definition assSF68 :: mid where 140 | "assSF68 == (WTrue,l[=](Real 0))" 141 | definition assSF69 :: mid where 142 | "assSF69 == (WTrue,l[=](Real 0))" 143 | definition assSF70 :: mid where 144 | "assSF70 == (WTrue,l[=](Real 0))" 145 | definition assSF71 :: mid where 146 | "assSF71 == (WTrue,l[=](Real 0))" 147 | definition assSF72 :: mid where 148 | "assSF72 == (WTrue,l[=](Real 0))" 149 | definition assSF73 :: mid where 150 | "assSF73 == (WTrue,l[=](Real 0))" 151 | definition assSF74 :: mid where 152 | "assSF74 == (WTrue,l[=](Real 0))" 153 | definition assSF75 :: mid where 154 | "assSF75 == (WTrue,l[=](Real 0))" 155 | definition assSF76 :: mid where 156 | "assSF76 == (WTrue,l[=](Real 0))" 157 | definition assSF77 :: mid where 158 | "assSF77 == (WTrue,l[=](Real 0))" 159 | definition assSF78 :: mid where 160 | "assSF78 == (WTrue,l[=](Real 0))" 161 | definition assSF79 :: mid where 162 | "assSF79 == (WTrue,l[=](Real 0))" 163 | definition assSF80 :: mid where 164 | "assSF80 == (WTrue,l[=](Real 0))" 165 | definition assSF81 :: mid where 166 | "assSF81 == (WTrue,l[=](Real 0))" 167 | definition assSF82 :: mid where 168 | "assSF82 == (WTrue,l[=](Real 0))" 169 | definition assSF83 :: mid where 170 | "assSF83 == (WTrue,l[=](Real 0))" 171 | definition assSF84 :: mid where 172 | "assSF84 == (WTrue,l[=](Real 0))" 173 | definition assSF85 :: mid where 174 | "assSF85 == (WTrue,l[=](Real 0))" 175 | definition assSF86 :: mid where 176 | "assSF86 == (WTrue,l[=](Real 0))" 177 | definition assSF87 :: mid where 178 | "assSF87 == (WTrue,l[=](Real 0))" 179 | definition assSF88 :: mid where 180 | "assSF88 == (WTrue,l[=](Real 0))" 181 | definition assSF89 :: mid where 182 | "assSF89 == (WTrue,l[=](Real 0))" 183 | definition assSF90 :: mid where 184 | "assSF90 == (WTrue,l[=](Real 0))" 185 | definition assSF91 :: mid where 186 | "assSF91 == (WTrue,l[=](Real 0))" 187 | definition assSF92 :: mid where 188 | "assSF92 == (WTrue,l[=](Real 0))" 189 | definition assSF93 :: mid where 190 | "assSF93 == (WTrue,l[=](Real 0))" 191 | definition assSF94 :: mid where 192 | "assSF94 == (WTrue,l[=](Real 0))" 193 | definition assSF95 :: mid where 194 | "assSF95 == (WTrue,l[=](Real 0))" 195 | definition assSF96 :: mid where 196 | "assSF96 == (WTrue,l[=](Real 0))" 197 | definition assSF97 :: mid where 198 | "assSF97 == (WTrue,l[=](Real 0))" 199 | definition assSF98 :: mid where 200 | "assSF98 == (WTrue,l[=](Real 0))" 201 | definition assSF99 :: mid where 202 | "assSF99 == (WTrue,l[=](Real 0))" 203 | definition assSF100 :: mid where 204 | "assSF100 == (WTrue,l[=](Real 0))" 205 | definition assSF101 :: mid where 206 | "assSF101 == (WTrue,l[=](Real 0))" 207 | definition assSF102 :: mid where 208 | "assSF102 == (WTrue,l[=](Real 0))" 209 | definition assSF103 :: mid where 210 | "assSF103 == (WTrue,l[=](Real 0))" 211 | definition assSF104 :: mid where 212 | "assSF104 == (WTrue,l[=](Real 0))" 213 | definition assSF105 :: mid where 214 | "assSF105 == (WTrue,l[=](Real 0))" 215 | definition assSF106 :: mid where 216 | "assSF106 == (WTrue,l[=](Real 0))" 217 | definition assSF107 :: mid where 218 | "assSF107 == (WTrue,l[=](Real 0))" 219 | definition assSF108 :: mid where 220 | "assSF108 == (WTrue,l[=](Real 0))" 221 | definition assSF109 :: mid where 222 | "assSF109 == (WTrue,l[=](Real 0))" 223 | definition assSF110 :: mid where 224 | "assSF110 == (WTrue,l[=](Real 0))" 225 | definition assSF111 :: mid where 226 | "assSF111 == (WTrue,l[=](Real 0))" 227 | definition assSF112 :: mid where 228 | "assSF112 == (WTrue,l[=](Real 0))" 229 | definition assSF113 :: mid where 230 | "assSF113 == (WTrue,l[=](Real 0))" 231 | definition assSF114 :: mid where 232 | "assSF114 == (WTrue,l[=](Real 0))" 233 | definition assSF115 :: mid where 234 | "assSF115 == (WTrue,l[=](Real 0))" 235 | definition assSF116 :: mid where 236 | "assSF116 == (WTrue,l[=](Real 0))" 237 | definition assSF117 :: mid where 238 | "assSF117 == (WTrue,l[=](Real 0))" 239 | definition assSF118 :: mid where 240 | "assSF118 == (WTrue,l[=](Real 0))" 241 | definition assSF119 :: mid where 242 | "assSF119 == (WTrue,l[=](Real 0))" 243 | definition assSF120 :: mid where 244 | "assSF120 == (WTrue,l[=](Real 0))" 245 | definition assSF121 :: mid where 246 | "assSF121 == (WTrue,l[=](Real 0))" 247 | definition assSF122 :: mid where 248 | "assSF122 == (WTrue,l[=](Real 0))" 249 | definition assSF123 :: mid where 250 | "assSF123 == (WTrue,l[=](Real 0))" 251 | definition assSF124 :: mid where 252 | "assSF124 == (WTrue,l[=](Real 0))" 253 | definition assSF125 :: mid where 254 | "assSF125 == (WTrue,l[=](Real 0))" 255 | definition assSF126 :: mid where 256 | "assSF126 == (WTrue,l[=](Real 0))" 257 | definition assSF127 :: mid where 258 | "assSF127 == (WTrue,l[=](Real 0))" 259 | definition assSF128 :: mid where 260 | "assSF128 == (WTrue,l[=](Real 0))" 261 | definition assSF129 :: mid where 262 | "assSF129 == (WTrue,l[=](Real 0))" 263 | definition assSF130 :: mid where 264 | "assSF130 == (WTrue,l[=](Real 0))" 265 | definition assSF131 :: mid where 266 | "assSF131 == (WTrue,l[=](Real 0))" 267 | definition assSF132 :: mid where 268 | "assSF132 == (WTrue,l[=](Real 0))" 269 | definition assSF133 :: mid where 270 | "assSF133 == (WTrue,l[=](Real 0))" 271 | definition assSF134 :: mid where 272 | "assSF134 == (WTrue,l[=](Real 0))" 273 | definition assSF135 :: mid where 274 | "assSF135 == (WTrue,l[=](Real 0))" 275 | definition assSF136 :: mid where 276 | "assSF136 == (WTrue,l[=](Real 0))" 277 | definition assSF137 :: mid where 278 | "assSF137 == (WTrue,l[=](Real 0))" 279 | definition assSF138 :: mid where 280 | "assSF138 == (WTrue,l[=](Real 0))" 281 | definition assSF139 :: mid where 282 | "assSF139 == (WTrue,l[=](Real 0))" 283 | definition assSF140 :: mid where 284 | "assSF140 == (WTrue,l[=](Real 0))" 285 | definition assSF141 :: mid where 286 | "assSF141 == (WTrue,l[=](Real 0))" 287 | definition assSF142 :: mid where 288 | "assSF142 == (WTrue,l[=](Real 0))" 289 | definition assSF143 :: mid where 290 | "assSF143 == (WTrue,l[=](Real 0))" 291 | definition assSF144 :: mid where 292 | "assSF144 == (WTrue,l[=](Real 0))" 293 | definition assSF145 :: mid where 294 | "assSF145 == (WTrue,l[=](Real 0))" 295 | definition assSF146 :: mid where 296 | "assSF146 == (WTrue,l[=](Real 0))" 297 | definition assSF147 :: mid where 298 | "assSF147 == (WTrue,l[=](Real 0))" 299 | definition assSF148 :: mid where 300 | "assSF148 == (WTrue,l[=](Real 0))" 301 | definition assSF149 :: mid where 302 | "assSF149 == (WTrue,l[=](Real 0))" 303 | definition assSF150 :: mid where 304 | "assSF150 == (WTrue,l[=](Real 0))" 305 | definition assSF151 :: mid where 306 | "assSF151 == (WTrue,l[=](Real 0))" 307 | definition assSF152 :: mid where 308 | "assSF152 == (WTrue,l[=](Real 0))" 309 | definition assSF153 :: mid where 310 | "assSF153 == (WTrue,l[=](Real 0))" 311 | definition assSF154 :: mid where 312 | "assSF154 == (WTrue,l[=](Real 0))" 313 | definition assSF155 :: mid where 314 | "assSF155 == (WTrue,l[=](Real 0))" 315 | definition assSF156 :: mid where 316 | "assSF156 == (WTrue,l[=](Real 0))" 317 | definition assSF157 :: mid where 318 | "assSF157 == (WTrue,l[=](Real 0))" 319 | definition assSF158 :: mid where 320 | "assSF158 == (WTrue,l[=](Real 0))" 321 | definition assSF159 :: mid where 322 | "assSF159 == (WTrue,l[=](Real 0))" 323 | definition assSF160 :: mid where 324 | "assSF160 == (WTrue,l[=](Real 0))" 325 | definition assSF161 :: mid where 326 | "assSF161 == (WTrue,l[=](Real 0))" 327 | definition assSF162 :: mid where 328 | "assSF162 == (WTrue,l[=](Real 0))" 329 | definition assSF163 :: mid where 330 | "assSF163 == (WTrue,l[=](Real 0))" 331 | definition assSF164 :: mid where 332 | "assSF164 == (WTrue,l[=](Real 0))" 333 | definition assSF165 :: mid where 334 | "assSF165 == (WTrue,l[=](Real 0))" 335 | definition assSF166 :: mid where 336 | "assSF166 == (WTrue,l[=](Real 0))" 337 | definition assSF167 :: mid where 338 | "assSF167 == (WTrue,l[=](Real 0))" 339 | definition assSF168 :: mid where 340 | "assSF168 == (WTrue,l[=](Real 0))" 341 | definition assSF169 :: mid where 342 | "assSF169 == (WTrue,l[=](Real 0))" 343 | definition assSF170 :: mid where 344 | "assSF170 == (WTrue,l[=](Real 0))" 345 | definition assSF171 :: mid where 346 | "assSF171 == (WTrue,l[=](Real 0))" 347 | definition assSF172 :: mid where 348 | "assSF172 == (WTrue,l[=](Real 0))" 349 | definition assSF173 :: mid where 350 | "assSF173 == (WTrue,l[=](Real 0))" 351 | definition assSF174 :: mid where 352 | "assSF174 == (WTrue,l[=](Real 0))" 353 | definition assSF175 :: mid where 354 | "assSF175 == (WTrue,l[=](Real 0))" 355 | definition assSF176 :: mid where 356 | "assSF176 == (WTrue,l[=](Real 0))" 357 | definition assSF177 :: mid where 358 | "assSF177 == (WTrue,l[=](Real 0))" 359 | definition assSF178 :: mid where 360 | "assSF178 == (WTrue,l[=](Real 0))" 361 | definition assSF179 :: mid where 362 | "assSF179 == (WTrue,l[=](Real 0))" 363 | definition assSF180 :: mid where 364 | "assSF180 == (WTrue,l[=](Real 0))" 365 | definition assSF181 :: mid where 366 | "assSF181 == (WTrue,l[=](Real 0))" 367 | definition assSF182 :: mid where 368 | "assSF182 == (WTrue,l[=](Real 0))" 369 | definition assSF183 :: mid where 370 | "assSF183 == (WTrue,l[=](Real 0))" 371 | definition assSF184 :: mid where 372 | "assSF184 == (WTrue,l[=](Real 0))" 373 | definition assSF185 :: mid where 374 | "assSF185 == (WTrue,l[=](Real 0))" 375 | definition assSF186 :: mid where 376 | "assSF186 == (WTrue,l[=](Real 0))" 377 | definition assSF187 :: mid where 378 | "assSF187 == (WTrue,l[=](Real 0))" 379 | definition assSF188 :: mid where 380 | "assSF188 == (WTrue,l[=](Real 0))" 381 | definition assSF189 :: mid where 382 | "assSF189 == (WTrue,l[=](Real 0))" 383 | definition assSF190 :: mid where 384 | "assSF190 == (WTrue,l[=](Real 0))" 385 | definition assSF191 :: mid where 386 | "assSF191 == (WTrue,l[=](Real 0))" 387 | definition assSF192 :: mid where 388 | "assSF192 == (WTrue,l[=](Real 0))" 389 | definition assSF193 :: mid where 390 | "assSF193 == (WTrue,l[=](Real 0))" 391 | definition assSF194 :: mid where 392 | "assSF194 == (WTrue,l[=](Real 0))" 393 | definition assSF195 :: mid where 394 | "assSF195 == (WTrue,l[=](Real 0))" 395 | definition assSF196 :: mid where 396 | "assSF196 == (WTrue,l[=](Real 0))" 397 | definition assSF197 :: mid where 398 | "assSF197 == (WTrue,l[=](Real 0))" 399 | definition assSF198 :: mid where 400 | "assSF198 == (WTrue,l[=](Real 0))" 401 | definition assSF199 :: mid where 402 | "assSF199 == (WTrue,l[=](Real 0))" 403 | definition assSF200 :: mid where 404 | "assSF200 == (WTrue,l[=](Real 0))" 405 | definition assSF201 :: mid where 406 | "assSF201 == (WTrue,l[=](Real 0))" 407 | definition assSF202 :: mid where 408 | "assSF202 == (WTrue,l[=](Real 0))" 409 | definition assSF203 :: mid where 410 | "assSF203 == (WTrue,l[=](Real 0))" 411 | definition assSF204 :: mid where 412 | "assSF204 == (WTrue,l[=](Real 0))" 413 | definition assSF205 :: mid where 414 | "assSF205 == (WTrue,l[=](Real 0))" 415 | definition assSF206 :: mid where 416 | "assSF206 == (WTrue,l[=](Real 0))" 417 | definition assSF207 :: mid where 418 | "assSF207 == (WTrue,l[=](Real 0))" 419 | definition assSF208 :: mid where 420 | "assSF208 == (WTrue,l[=](Real 0))" 421 | definition assSF209 :: mid where 422 | "assSF209 == (WTrue,l[=](Real 0))" 423 | definition assSF210 :: mid where 424 | "assSF210 == (WTrue,l[=](Real 0))" 425 | definition assSF211 :: mid where 426 | "assSF211 == (WTrue,l[=](Real 0))" 427 | definition assSF212 :: mid where 428 | "assSF212 == (WTrue,l[=](Real 0))" 429 | definition assSF213 :: mid where 430 | "assSF213 == (WTrue,l[=](Real 0))" 431 | definition assSF214 :: mid where 432 | "assSF214 == (WTrue,l[=](Real 0))" 433 | definition assSF215 :: mid where 434 | "assSF215 == (WTrue,l[=](Real 0))" 435 | definition assSF216 :: mid where 436 | "assSF216 == (WTrue,l[=](Real 0))" 437 | definition assSF217 :: mid where 438 | "assSF217 == (WTrue,l[=](Real 0))" 439 | definition assSF218 :: mid where 440 | "assSF218 == (WTrue,l[=](Real 0))" 441 | definition assSF219 :: mid where 442 | "assSF219 == (WTrue,l[=](Real 0))" 443 | definition assSF220 :: mid where 444 | "assSF220 == (WTrue,l[=](Real 0))" 445 | definition assSF221 :: mid where 446 | "assSF221 == (WTrue,l[=](Real 0))" 447 | definition assSF222 :: mid where 448 | "assSF222 == (WTrue,l[=](Real 0))" 449 | definition assSF223 :: mid where 450 | "assSF223 == (WTrue,l[=](Real 0))" 451 | definition assSF224 :: mid where 452 | "assSF224 == (WTrue,l[=](Real 0))" 453 | definition assSF225 :: mid where 454 | "assSF225 == (WTrue,l[=](Real 0))" 455 | definition assSF226 :: mid where 456 | "assSF226 == (WTrue,l[=](Real 0))" 457 | definition assSF227 :: mid where 458 | "assSF227 == (WTrue,l[=](Real 0))" 459 | definition assSF228 :: mid where 460 | "assSF228 == (WTrue,l[=](Real 0))" 461 | definition assSF229 :: mid where 462 | "assSF229 == (WTrue,l[=](Real 0))" 463 | definition assSF230 :: mid where 464 | "assSF230 == (WTrue,l[=](Real 0))" 465 | definition assSF231 :: mid where 466 | "assSF231 == (WTrue,l[=](Real 0))" 467 | definition assSF232 :: mid where 468 | "assSF232 == (WTrue,l[=](Real 0))" 469 | definition assSF233 :: mid where 470 | "assSF233 == (WTrue,l[=](Real 0))" 471 | definition assSF234 :: mid where 472 | "assSF234 == (WTrue,l[=](Real 0))" 473 | definition assSF235 :: mid where 474 | "assSF235 == (WTrue,l[=](Real 0))" 475 | definition assSF236 :: mid where 476 | "assSF236 == (WTrue,l[=](Real 0))" 477 | definition assSF237 :: mid where 478 | "assSF237 == (WTrue,l[=](Real 0))" 479 | definition assSF238 :: mid where 480 | "assSF238 == (WTrue,l[=](Real 0))" 481 | definition assSF239 :: mid where 482 | "assSF239 == (WTrue,l[=](Real 0))" 483 | definition assSF240 :: mid where 484 | "assSF240 == (WTrue,l[=](Real 0))" 485 | definition assSF241 :: mid where 486 | "assSF241 == (WTrue,l[=](Real 0))" 487 | definition assSF242 :: mid where 488 | "assSF242 == (WTrue,l[=](Real 0))" 489 | definition assSF243 :: mid where 490 | "assSF243 == (WTrue,l[=](Real 0))" 491 | definition assSF244 :: mid where 492 | "assSF244 == (WTrue,l[=](Real 0))" 493 | definition assSF245 :: mid where 494 | "assSF245 == (WTrue,l[=](Real 0))" 495 | definition assSF246 :: mid where 496 | "assSF246 == (WTrue,l[=](Real 0))" 497 | definition assSF247 :: mid where 498 | "assSF247 == (WTrue,l[=](Real 0))" 499 | definition assSF248 :: mid where 500 | "assSF248 == (WTrue,l[=](Real 0))" 501 | definition assSF249 :: mid where 502 | "assSF249 == (WTrue,l[=](Real 0))" 503 | definition assSF250 :: mid where 504 | "assSF250 == (WTrue,l[=](Real 0))" 505 | definition assSF251 :: mid where 506 | "assSF251 == (WTrue,l[=](Real 0))" 507 | definition assSF252 :: mid where 508 | "assSF252 == (WTrue,l[=](Real 0))" 509 | definition assSF253 :: mid where 510 | "assSF253 == (WTrue,l[=](Real 0))" 511 | definition assSF254 :: mid where 512 | "assSF254 == (WTrue,l[=](Real 0))" 513 | definition assSF255 :: mid where 514 | "assSF255 == (WTrue,l[=](Real 0))" 515 | definition assSF256 :: mid where 516 | "assSF256 == (WTrue,l[=](Real 0))" 517 | definition assSF257 :: mid where 518 | "assSF257 == (WTrue,l[=](Real 0))" 519 | definition assSF258 :: mid where 520 | "assSF258 == (WTrue,l[=](Real 0))" 521 | definition assSF259 :: mid where 522 | "assSF259 == (WTrue,l[=](Real 0))" 523 | definition assSF260 :: mid where 524 | "assSF260 == (WTrue,l[=](Real 0))" 525 | definition assSF261 :: mid where 526 | "assSF261 == (WTrue,l[=](Real 0))" 527 | definition assSF262 :: mid where 528 | "assSF262 == (WTrue,l[=](Real 0))" 529 | definition assSF263 :: mid where 530 | "assSF263 == (WTrue,l[=](Real 0))" 531 | definition assSF264 :: mid where 532 | "assSF264 == (WTrue,l[=](Real 0))" 533 | definition assSF265 :: mid where 534 | "assSF265 == (WTrue,l[=](Real 0))" 535 | definition assSF266 :: mid where 536 | "assSF266 == (WTrue,l[=](Real 0))" 537 | definition assSF267 :: mid where 538 | "assSF267 == (WTrue,l[=](Real 0))" 539 | definition assSF268 :: mid where 540 | "assSF268 == (WTrue,l[=](Real 0))" 541 | definition assSF269 :: mid where 542 | "assSF269 == (WTrue,l[=](Real 0))" 543 | definition assSF270 :: mid where 544 | "assSF270 == (WTrue,l[=](Real 0))" 545 | definition assSF271 :: mid where 546 | "assSF271 == (WTrue,l[=](Real 0))" 547 | definition assSF272 :: mid where 548 | "assSF272 == (WTrue,l[=](Real 0))" 549 | definition assSF273 :: mid where 550 | "assSF273 == (WTrue,l[=](Real 0))" 551 | definition assSF274 :: mid where 552 | "assSF274 == (WTrue,l[=](Real 0))" 553 | definition assSF275 :: mid where 554 | "assSF275 == (WTrue,l[=](Real 0))" 555 | definition assSF276 :: mid where 556 | "assSF276 == (WTrue,l[=](Real 0))" 557 | definition assSF277 :: mid where 558 | "assSF277 == (WTrue,l[=](Real 0))" 559 | definition assSF278 :: mid where 560 | "assSF278 == (WTrue,l[=](Real 0))" 561 | definition assSF279 :: mid where 562 | "assSF279 == (WTrue,l[=](Real 0))" 563 | definition assSF280 :: mid where 564 | "assSF280 == (WTrue,l[=](Real 0))" 565 | definition assSF281 :: mid where 566 | "assSF281 == (WTrue,l[=](Real 0))" 567 | definition assSF282 :: mid where 568 | "assSF282 == (WTrue,l[=](Real 0))" 569 | definition assSF283 :: mid where 570 | "assSF283 == (WTrue,l[=](Real 0))" 571 | definition assSF284 :: mid where 572 | "assSF284 == (WTrue,l[=](Real 0))" 573 | definition assSF285 :: mid where 574 | "assSF285 == (WTrue,l[=](Real 0))" 575 | definition assSF286 :: mid where 576 | "assSF286 == (WTrue,l[=](Real 0))" 577 | definition assSF287 :: mid where 578 | "assSF287 == (WTrue,l[=](Real 0))" 579 | definition assSF288 :: mid where 580 | "assSF288 == (WTrue,l[=](Real 0))" 581 | definition assSF289 :: mid where 582 | "assSF289 == (WTrue,l[=](Real 0))" 583 | definition assSF290 :: mid where 584 | "assSF290 == (WTrue,l[=](Real 0))" 585 | definition assSF291 :: mid where 586 | "assSF291 == (WTrue,l[=](Real 0))" 587 | definition assSF292 :: mid where 588 | "assSF292 == (WTrue,l[=](Real 0))" 589 | definition assSF293 :: mid where 590 | "assSF293 == (WTrue,l[=](Real 0))" 591 | definition assSF294 :: mid where 592 | "assSF294 == (WTrue,l[=](Real 0))" 593 | definition assSF295 :: mid where 594 | "assSF295 == (WTrue,l[=](Real 0))" 595 | definition assSF296 :: mid where 596 | "assSF296 == (WTrue,l[=](Real 0))" 597 | definition assSF297 :: mid where 598 | "assSF297 == (WTrue,l[=](Real 0))" 599 | definition assSF298 :: mid where 600 | "assSF298 == (WTrue,l[=](Real 0))" 601 | definition assSF299 :: mid where 602 | "assSF299 == (WTrue,l[=](Real 0))" 603 | definition assSF300 :: mid where 604 | "assSF300 == (WTrue,l[=](Real 0))" 605 | definition assSF301 :: mid where 606 | "assSF301 == (WTrue,l[=](Real 0))" 607 | definition assSF302 :: mid where 608 | "assSF302 == (WTrue,l[=](Real 0))" 609 | definition assSF303 :: mid where 610 | "assSF303 == (WTrue,l[=](Real 0))" 611 | definition assSF304 :: mid where 612 | "assSF304 == (WTrue,l[=](Real 0))" 613 | definition assSF305 :: mid where 614 | "assSF305 == (WTrue,l[=](Real 0))" 615 | definition assSF306 :: mid where 616 | "assSF306 == (WTrue,l[=](Real 0))" 617 | definition assSF307 :: mid where 618 | "assSF307 == (WTrue,l[=](Real 0))" 619 | definition assSF308 :: mid where 620 | "assSF308 == (WTrue,l[=](Real 0))" 621 | definition assSF309 :: mid where 622 | "assSF309 == (WTrue,l[=](Real 0))" 623 | definition assSF310 :: mid where 624 | "assSF310 == (WTrue,l[=](Real 0))" 625 | definition assSF311 :: mid where 626 | "assSF311 == (WTrue,l[=](Real 0))" 627 | definition assSF312 :: mid where 628 | "assSF312 == (WTrue,l[=](Real 0))" 629 | definition assSF313 :: mid where 630 | "assSF313 == (WTrue,l[=](Real 0))" 631 | definition assSF314 :: mid where 632 | "assSF314 == (WTrue,l[=](Real 0))" 633 | definition assSF315 :: mid where 634 | "assSF315 == (WTrue,l[=](Real 0))" 635 | definition assSF316 :: mid where 636 | "assSF316 == (WTrue,l[=](Real 0))" 637 | definition assSF317 :: mid where 638 | "assSF317 == (WTrue,l[=](Real 0))" 639 | definition assSF318 :: mid where 640 | "assSF318 == (WTrue,l[=](Real 0))" 641 | definition assSF319 :: mid where 642 | "assSF319 == (WTrue,l[=](Real 0))" 643 | definition assSF320 :: mid where 644 | "assSF320 == (WTrue,l[=](Real 0))" 645 | definition assSF321 :: mid where 646 | "assSF321 == (WTrue,l[=](Real 0))" 647 | definition assSF322 :: mid where 648 | "assSF322 == (WTrue,l[=](Real 0))" 649 | definition assSF323 :: mid where 650 | "assSF323 == (WTrue,l[=](Real 0))" 651 | definition assSF324 :: mid where 652 | "assSF324 == (WTrue,l[=](Real 0))" 653 | definition assSF325 :: mid where 654 | "assSF325 == (WTrue,l[=](Real 0))" 655 | definition assSF326 :: mid where 656 | "assSF326 == (WTrue,l[=](Real 0))" 657 | definition assSF327 :: mid where 658 | "assSF327 == (WTrue,l[=](Real 0))" 659 | definition assSF328 :: mid where 660 | "assSF328 == (WTrue,l[=](Real 0))" 661 | definition assSF329 :: mid where 662 | "assSF329 == (WTrue,l[=](Real 0))" 663 | definition assSF330 :: mid where 664 | "assSF330 == (WTrue,l[=](Real 0))" 665 | definition assSF331 :: mid where 666 | "assSF331 == (WTrue,l[=](Real 0))" 667 | definition assSF332 :: mid where 668 | "assSF332 == (WTrue,l[=](Real 0))" 669 | definition assSF333 :: mid where 670 | "assSF333 == (WTrue,l[=](Real 0))" 671 | definition assSF334 :: mid where 672 | "assSF334 == (WTrue,l[=](Real 0))" 673 | definition assSF335 :: mid where 674 | "assSF335 == (WTrue,l[=](Real 0))" 675 | definition assSF336 :: mid where 676 | "assSF336 == (WTrue,l[=](Real 0))" 677 | definition assSF337 :: mid where 678 | "assSF337 == (WTrue,l[=](Real 0))" 679 | definition assSF338 :: mid where 680 | "assSF338 == (WTrue,l[=](Real 0))" 681 | definition assSF339 :: mid where 682 | "assSF339 == (WTrue,l[=](Real 0))" 683 | definition assSF340 :: mid where 684 | "assSF340 == (WTrue,l[=](Real 0))" 685 | definition assSF341 :: mid where 686 | "assSF341 == (WTrue,l[=](Real 0))" 687 | definition assSF342 :: mid where 688 | "assSF342 == (WTrue,l[=](Real 0))" 689 | definition assSF343 :: mid where 690 | "assSF343 == (WTrue,l[=](Real 0))" 691 | definition assSF344 :: mid where 692 | "assSF344 == (WTrue,l[=](Real 0))" 693 | definition assSF345 :: mid where 694 | "assSF345 == (WTrue,l[=](Real 0))" 695 | definition assSF346 :: mid where 696 | "assSF346 == (WTrue,l[=](Real 0))" 697 | definition assSF347 :: mid where 698 | "assSF347 == (WTrue,l[=](Real 0))" 699 | definition assSF348 :: mid where 700 | "assSF348 == (WTrue,l[=](Real 0))" 701 | definition assSF349 :: mid where 702 | "assSF349 == (WTrue,l[=](Real 0))" 703 | definition assSF350 :: mid where 704 | "assSF350 == (WTrue,l[=](Real 0))" 705 | definition assSF351 :: mid where 706 | "assSF351 == (WTrue,l[=](Real 0))" 707 | definition assSF352 :: mid where 708 | "assSF352 == (WTrue,l[=](Real 0))" 709 | definition assSF353 :: mid where 710 | "assSF353 == (WTrue,l[=](Real 0))" 711 | definition assSF354 :: mid where 712 | "assSF354 == (WTrue,l[=](Real 0))" 713 | definition assSF355 :: mid where 714 | "assSF355 == (WTrue,l[=](Real 0))" 715 | definition assSF356 :: mid where 716 | "assSF356 == (WTrue,l[=](Real 0))" 717 | definition assSF357 :: mid where 718 | "assSF357 == (WTrue,l[=](Real 0))" 719 | definition assSF358 :: mid where 720 | "assSF358 == (WTrue,l[=](Real 0))" 721 | definition assSF359 :: mid where 722 | "assSF359 == (WTrue,l[=](Real 0))" 723 | definition assSF360 :: mid where 724 | "assSF360 == (WTrue,l[=](Real 0))" 725 | definition assSF361 :: mid where 726 | "assSF361 == (WTrue,l[=](Real 0))" 727 | definition assSF362 :: mid where 728 | "assSF362 == (WTrue,l[=](Real 0))" 729 | definition assSF363 :: mid where 730 | "assSF363 == (WTrue,l[=](Real 0))" 731 | definition assSF364 :: mid where 732 | "assSF364 == (WTrue,l[=](Real 0))" 733 | definition assSF365 :: mid where 734 | "assSF365 == (WTrue,l[=](Real 0))" 735 | 736 | end 737 | -------------------------------------------------------------------------------- /HHLProver/HHL.thy: -------------------------------------------------------------------------------- 1 | header {* Abstract syntax for Hybrid CSP. *} 2 | 3 | theory HHL 4 | imports HCSP_Com 5 | begin 6 | 7 | consts 8 | spec :: "fform => proc => fform => fform => prop" ("{_}_{_;_}" 80) 9 | specP2 :: "fform => fform => proc => fform => fform => fform => fform => prop" ("{_, _}_{_, _ ; _, _}" 80) 10 | specP3 :: "fform => fform => fform => proc => fform => fform => fform => fform => fform => fform => prop"("{_,_,_}_{_,_,_; _,_,_}" 80) 11 | specP4 :: "fform => fform => fform => fform => proc => fform => fform => fform => fform => fform => fform => fform => fform => prop" ("{_,_,_,_}_{_,_,_,_ ; _,_,_,_}" 80) 12 | specP5 :: "fform => fform => fform => fform => fform => proc => fform => fform => fform => fform => fform => fform => fform => fform => fform => fform => prop" ("{_,_,_,_,_}_{_,_,_,_,_ ; _,_,_,_,_}" 80) 13 | specP6 :: "fform => fform => fform => fform => fform => fform => proc => fform => fform => fform => fform => fform => fform => fform => fform => fform => fform => fform => fform => prop" ("{_,_,_,_,_,_}_{_,_,_,_,_,_ ; _,_,_,_,_,_}" 80) 14 | 15 | (*List rules, p do not have exp1. If p have exp1, it must be eliminated by consequence rule firstly.*) 16 | axiomatization where 17 | ListEmpty : "{p} empty(exp1) {exp1[=](List [])[&]p; (l [=] (Real 0))}" and 18 | ListAdd : "{exp1[=](List ls)[&]p} (addL exp1 exp2) {(exp1[=](List (exp2#ls)))[&]p; (l [=] (Real 0))}" and 19 | ListDel : "|- exp1[=](List (tl(ls)))[&]p [-->] post 20 | ==> {exp1[=](List ls)[&]p} (delL(exp1)) {post; (l [=] (Real 0))}" and 21 | ListEmptya : "{p} empty(exp1) {p; (l [=] (Real 0))}" and 22 | ListAdda : "{p} (addL exp1 exp2) {p; (l [=] (Real 0))}" and 23 | ListDela : "{p} (delL(exp1)) {p; (l [=] (Real 0))}" 24 | axiomatization where 25 | Empty: "EL [=] List [] |- isEmpty(EL)" 26 | 27 | (*Skip rule*) 28 | axiomatization where 29 | Skip : "|- ((l [=] (Real 0)) [-->] G) ==> {p} Skip {p; G}" 30 | 31 | 32 | (*Assignment rule*) 33 | axiomatization where 34 | Assign :" [| ~inPairForm ([(e, f)], q); |-(p [-->] (substF ([(e, f)]) (q))) 35 | [&] ((l [=] (Real 0)) [-->] G)|] ==> 36 | {p} (e := f) {q; G}" 37 | 38 | 39 | (*Example*) 40 | lemma "{WTrue} (RVar ''x'') := (Real 2) {((RVar ''x'') [=] (Real 2)); (l [=] (Real 0))}" 41 | apply (cut_tac p = "WTrue" and e = "(RVar ''x'')" and f = "(Real 2)" and 42 | q = "((RVar ''x'') [=] (Real 2))" and G = "(l [=] (Real 0))" in Assign, auto) 43 | apply (rule Trans,auto) 44 | done 45 | 46 | 47 | (*Continuous rule*) 48 | axiomatization where 49 | Continue : "|- (Init [-->] F) 50 | [&] ((p [&] close(F) [&] close([~]b)) [-->] q) 51 | [&] ((((l [=] Real 0) [|] (high (close(F) [&] p [&] close(b)))) [&] Rg) [-->] G) 52 | ==> {Init [&] p} : Rg {q; G}" 53 | 54 | (*Sequential rule*) 55 | axiomatization where 56 | Sequence : "[| {p} P {m; H}; {m} Q {q; G} |] ==> 57 | {p} P; (m, H); Q {q; H [^] G}" 58 | 59 | 60 | (*Conditional rule*) 61 | axiomatization where 62 | ConditionF : " [| |-(p [-->] [~] b); |- (p [-->] q); |- ((l [=] Real 0) [-->] G) |] 63 | ==> {p} IF b P {q; G}" 64 | and 65 | ConditionT : "[| |-(p [-->] b); {p} P {q; G} |] 66 | ==> {p} IF b P {q; G}" 67 | and 68 | Condition : "[| {p [&] b} IF b P {q; G}; {p [&] ([~]b)} IF b P {q; G}|] 69 | ==> {p} IF b P {q; G}" 70 | axiomatization where 71 | ConditionT2 : "[| |-(pn [-->] b); {pm,pn} (Pm||Pn) {qm,qn; Gm,Gn} |] 72 | ==> {pm,pn} (Pm||(IF b Pn)) {qm,qn; Gm,Gn}" and 73 | ConditionT2a : "[| |-(pm [-->] b); {pm,pn} (Pm||Pn) {qm,qn; Gm,Gn} |] 74 | ==> {pm,pn} ((IF b Pm)||Pn) {qm,qn; Gm,Gn}" 75 | 76 | 77 | (*Nondeterministic rule*) 78 | axiomatization where 79 | Nondeterministic : 80 | "{p [&] b} P {q;G} 81 | ==> {p} NON i x : b P {q; G}" 82 | 83 | (*Communication rule*) 84 | (*H in the rule denotes the common interval range.*) 85 | axiomatization where 86 | Communication : "[| ~inPairForm ([(x, e)], ry); 87 | {px, py} (Px || Py) {qx, qy; Hx, Hy}; 88 | |- (qx [-->] rx) [&] (qy [-->] (substF ([(x, e)]) (ry))); 89 | |- ((Hx [^] (high (qx))) [-->] Gx) [&] ((Hy [^] (high (qy))) [-->] Gy); 90 | |- ((((Hx [^] (high (qx))) [&] Hy) [|]((Hy [^] (high (qy))) [&] Hx)) [-->] H) 91 | |] 92 | ==> {px, py} ((Px; (qx, Hx); ch !! e) || (Py; (qy, Hy); ch ?? x)) {rx, ry; 93 | Gx [&] H, Gy [&] H}" 94 | axiomatization where 95 | CommunicationSim : "[| ~inPairForm ([(x, e)], ry); 96 | |- (px [-->] rx) [&] (px[&]py [-->] (substF ([(x, e)]) (ry))) |] 97 | ==> {px, py} ((ch !! e) || (ch ?? x)) {rx, ry;(l[=](Real 0)), (l[=](Real 0))}" 98 | axiomatization where 99 | CommunicationC : "[| ~inPairForm ([(x, e)], ry); 100 | {qx} (Px) {rx; (l[=](Real 0))}; 101 | |- (px [&] py) [-->] (substF ([(x, e)]) (qx)); 102 | |- py [-->] ry; 103 | |- (l[=](Real 0)) [-->] Hx; 104 | |- (l[=](Real 0)) [-->] My; 105 | |- (l[=](Real 0)) [-->] My; 106 | contain(Pm,(ch ?? x))|] 107 | ==> {px, py} (( Pm; (qx, Hx); Px) || (ch !! e)) 108 | {rx, ry; Mx, My}" 109 | 110 | (*Communication interrupt rule*) 111 | primrec contain :: "proc => proc => bool" where 112 | "contain (Skip,p) = False" | 113 | "contain (Stop,p) = False" | 114 | "contain (x:=e,p) = False" | 115 | "contain ((Ch!!e),p) = ((Ch!!e)=p)" | 116 | "contain ((Ch??x),p) = ((Ch??x)=p)" | 117 | "contain ((q;m;r),p) = False" | 118 | "contain ((IF b q),p) = False" | 119 | "contain ((NON i x : b q),p) = False" | 120 | "contain ((q [[ r),p) = (if contain(q,p) then True else contain(r,p))" | 121 | "contain ((q << r),p) = False" | 122 | "contain ((q || r),p) = False" | 123 | "contain ((q*),p) = False" | 124 | "contain ((q**n),p) = False" | 125 | "contain (( : g),p) = False" | 126 | "contain ((q |> b r),p) = False" | 127 | "contain ((q [[> r),p) = False" 128 | 129 | (**) 130 | axiomatization where 131 | CommunicationI1 : "[| ~inPairForm ([(x, e)], ry); 132 | |- Hy [-->] H; 133 | |- rg [-->] H[^]WTrue; 134 | {px, py} (Px || Py) {qx, qy; Hx, Hy}; 135 | |- Init [&] pre [<->] qx; 136 | |- pre [&] Init [&] b [-->] F; 137 | |- (pre [&] close(F) [&] close(b)) [-->] rx; 138 | |- (qy [&] pre [&] close(F) [&] close(b)) [-->] (substF ([(x, e)]) (ry)); 139 | |- (Hx [^] ((((l [=] Real 0) [|] (high (close(F) [&] pre [&] close(b)))) [&] H)) [-->] Gx); 140 | |- Hy [-->] Gy; 141 | |- Hx [-->] Hxm; 142 | |- Hy [-->] Hym; 143 | contain(P,(ch !! e)) 144 | |] 145 | ==> {px, py} (( Px; (qx, Hxm); ( :rg) [[> P) || (Py; (qy, Hym); ch ?? x)) 146 | {rx, ry; Gx, Gy}" 147 | axiomatization where 148 | CommunicationI2 : "[| ~inPairForm ([(x, e)], ry); 149 | |- Hy [-->] H; 150 | |- rg [-->] H[^]WTrue; 151 | {px, py} (Px || Py) {qx, qy; Hx, Hy}; 152 | |- Init [&] pre [<->] qx; 153 | |- pre [&] Init [&] b [-->] F; 154 | |- (qy [&] pre [&] close(F) [&] close(b)) [-->] (substF ([(x, e)]) (rx)); 155 | |- qy [-->] ry; 156 | |- Hx [^] ((((l [=] Real 0) [|] (high (close(F) [&] pre [&] close(b)))) [&] H)) [-->] Gx; 157 | |- Hy [-->] Gy; 158 | |- Hx [-->] Hxm; 159 | |- Hy [-->] Hym; 160 | contain(P,(ch ?? x)) 161 | |] 162 | ==> {px, py} (( Px; (qx, Hxm); ( :rg) [[> P) || (Py; (qy, Hym); ch !! e)) 163 | {rx, ry; Gx, Gy}" 164 | 165 | (*Parallel rule*) 166 | (*It is valid only when there are not communications occurring in P3 and P4.*) 167 | axiomatization where 168 | Parallel1: "[| {px, py} (Px || Py) {qx, qy; Hx, Hy}; {qx} Qx {rx; Gx}; {qy} Qy {ry; Gy} |] 169 | ==> {px, py} ((Px; (qx, Hx); Qx) || (Py; (qy, Hy); Qy)) {rx, ry; Hx [^] Gx, Hy [^] Gy}" 170 | 171 | (*It is valid only when there are no communications occurring in P1 and P2.*) 172 | axiomatization where 173 | Parallel2: "[| {px} Px {qx; Hx}; {py} Py {qy; Hy}|] 174 | ==> {px, py} (Px || Py) {qx, qy; Hx, Hy}" 175 | (*It is valid in any case*) 176 | axiomatization where 177 | Parallel3: "[| {px, py} (Px || Py) {qx, qy; Hx[&](l[=](Real m)), Hy[&](l[=](Real m))}; 178 | {qx, qy} (Qx || Qy) {rx, ry; Mx, My}; 179 | |- (Hx[&](l[=](Real m))) [-->] HL; 180 | |- (Hy[&](l[=](Real m))) [-->] HR; 181 | |- ((Hx[&](l[=](Real m))) [^] Mx) [-->] Gx; 182 | |- ((Hy[&](l[=](Real m))) [^] My) [-->] Gy 183 | |] 184 | ==> {px, py} (Px;(qx,HL);Qx) || (Py;(qy,HR);Qy) {rx, ry; Gx, Gy}" 185 | 186 | (*Repetition rule*) 187 | axiomatization where 188 | Repetition : "[| {px, py} (Px || Py) {px, py; Hx, Hy}; 189 | |- Hx [^] Hx [-->] Hx; |- Hy [^] Hy [-->] Hy|] 190 | ==> {px, py} ((Px*) || (Py*)) {px, py; Hx, Hy} " 191 | 192 | axiomatization where 193 | Repetition0 : "(Pm**(0)) == Skip" and 194 | Repetition1 : "(Pm**(Suc(0))) == Pm" and 195 | RepetitionN : "(Pm**(am+1)) == (Pm; M; Pm**am)" 196 | 197 | axiomatization where 198 | RepetitionA2 : "{p1,p2} ((Pm**(am+1))||(Pn**(an+1))) {p1,p2; Ha,Hb} 199 | ==> {p1,p2} ((Pm***)||(Pn***)) {p1,p2; Ha,Hb}" 200 | 201 | axiomatization where 202 | RepetitionG2 : "[| {p1,p2} ((Pm***)||(Pn***)) {p1,p2; Ha,Hb}; |- Ha [^] Ha [-->] Ha; |- Hb [^] Hb [-->] Hb|] 203 | ==> {p1,p2} (Pm*||Pn*) {p1,p2; Ha,Hb}" 204 | 205 | axiomatization where 206 | RepetitionA6 : "{p1,p2,p3,p4,p5,p6} ((Pm**(am+1))||(Pn**(an+1))||(Po**(ao+1))||(Pp**(ap+1))||(Pq**(aq+1))||(Pr**(ar+1))) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf} 207 | ==> {p1,p2,p3,p4,p5,p6} ((Pm***)||(Pn***)||(Po***)||(Pp***)||(Pq***)||(Pr***)) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf}" 208 | 209 | axiomatization where 210 | RepetitionG6 : "[| {p1,p2,p3,p4,p5,p6} ((Pm***)||(Pn***)||(Po***)||(Pp***)||(Pq***)||(Pr***)) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf}; |- Ha [^] Ha [-->] Ha; |- Hb [^] Hb [-->] Hb; |- Hc [^] Hc [-->] Hc; |- Hd [^] Hd [-->] Hd; |- He [^] He [-->] He; |- Hf [^] Hf [-->] Hf|] 211 | ==> {p1,p2,p3,p4,p5,p6} (Pm*||Pn*||Po*||Pp*||Pq*||Pr*) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf}" 212 | 213 | (*N times repetition request post and history holds for any middle state to ensure RepetitionG holds.*) 214 | axiomatization where 215 | RepetitionT1a : "{px, py} ((Px;M;Pz) || Py) {qx, qy; Hx, Hy} 216 | ==> {px, py} (((Px**1);M;Pz) || Py) {qx, qy; Hx, Hy}" and 217 | RepetitionTna : "[| {px, py} (((Px**m);(qx,H);Px;M;P) || Py) {qx, qy; Hx, Hy}; 218 | |- Hx [^] Hx [-->] Hx; 219 | |- H [-->] Hx|] 220 | ==> {px, py} (((Px**(m+1));M;P) || Py) {qx, qy; Hx, Hy}" and 221 | RepetitionG : "[| {px, py} (Px**(m+1) || Py**(n+1)) {px, py; Hx, Hy}; 222 | |- Hx [^] Hx [-->] Hx; |- Hy [^] Hy [-->] Hy|] 223 | ==> {px, py} ((Px* ) || (Py* )) {px, py; Hx, Hy} " and 224 | RepetitionE : "[| {px, py} (((P;M;(Px**(n+1)));(qx,Hx);(Px* )) || Py) {qx, qy; Hx, Hy}|] 225 | ==> {px, py} ((P;M;(Px* )) || Py) {qx, qy; Hx, Hy} " 226 | 227 | (*Structure rule*) 228 | axiomatization where 229 | Structure : "{px, py} (Px || Py) {qx, qy; Hx, Hy} 230 | ==> {py, px} (Py || Px) {qy, qx; Hy, Hx}" and 231 | structR : "{px, py} Q||((Px;Mx;Py);My;Pz) {qx, qy; Hx, Hy} 232 | ==> {px, py} Q||(Px;Mx;Py;My;Pz){qx, qy; Hx, Hy}" and 233 | structL : "{px, py} ((Px;Mx;Py);My;Pz)||Q {qx, qy; Hx, Hy} 234 | ==> {px, py} (Px;Mx;Py;My;Pz)||Q{qx, qy; Hx, Hy}" and 235 | structSkipL : "{px, py} (Skip;(px,l[=](Real 0));P)||Q {qx, qy; Hx, Hy} 236 | == {px, py} P||Q{qx, qy; Hx, Hy}" and 237 | structSkipR : "{px, py} (P;(qx,Hx);Skip)||Q {qx, qy; Hx, Hy} 238 | == {px, py} P||Q{qx, qy; Hx, Hy}" and 239 | Equality2: "[| Pm==Qm; Pn==Qn; {p1,p2} (Qm||Qn) {p1,p2; Ha,Hb}|] 240 | ==> {p1,p2} (Pm||Pn) {p1,p2; Ha,Hb}" and 241 | Equality6: "[| Pm==Qm; Pn==Qn; Po==Qo; Pp==Qp; Pq==Qq; Pr==Qr; {p1,p2,p3,p4,p5,p6} (Qm||Qn||Qo||Qp||Qq||Qr) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf}|] 242 | ==> {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {p1,p2,p3,p4,p5,p6; Ha,Hb,Hc,Hd,He,Hf}" 243 | 244 | 245 | (*Consequence rule*) 246 | axiomatization where 247 | ConsequenceS : "[| {px} P {qx; Hx}; |- ((p [-->] px) [&] (qx [-->] q) [&] (Hx [-->] H))|] 248 | ==> {p} P {q; H}" 249 | and 250 | ConsequenceP : "[| {px, py} (Px || Py) {qx, qy; Hx, Hy}; 251 | |- ((p [-->] px) [&] (r [-->] py) [&] (qx [-->] q) [&] (qy [-->] s) 252 | [&] (Hx [-->] H) [&] (Hy [-->] G))|] 253 | ==> {p, r} (Px || Py) {q, s; H, G}" 254 | and 255 | Consequence6 : "[|{qa,qb,qc,qd,qe,qf} (Pm||Pn||Po||Pp||Pq||Pr) {ra,rb,rc,rd,re,rf; Ha,Hb,Hc,Hd,He,Hf}; |- (q1[-->]qa) [&] (q2[-->]qb) [&] (q3[-->]qc) [&] (q4[-->]qd) [&] (q5[-->]qe) [&] (q6[-->]qf); |- (ra[-->]r1) [&] (rb[-->]r2) [&] (rc[-->]r3) [&] (rd[-->]r4) [&] (re[-->]r5) [&] (rf[-->]r6); |- (Ha[-->]H1) [&] (Hb[-->]H2) [&] (Hc[-->]H3) [&] (Hd[-->]H4) [&] (He[-->]H5) [&] (Hf[-->]H6)|] 256 | ==> {q1,q2,q3,q4,q5,q6} (Pm||Pn||Po||Pp||Pq||Pr) {r1,r2,r3,r4,r5,r6; H1,H2,H3,H4,H5,H6}" 257 | 258 | (*added rules for parallel with more entities*) 259 | axiomatization where 260 | Parallel23: "[| {p1,p2} (Pm||Pn) {q1,q2; H1,H2}; 261 | {p3} Po {q3; H3}|] 262 | ==> {p1,p2,p3} (Pm||Pn||Po) {q1,q2,q3; H1,H2,H3}" and 263 | Parallel24: "[| {p1,p2,p3} (Pm||Pn||Po) {q1,q2,q3; H1,H2,H3}; 264 | {p4} Pp {q4; H4}|] 265 | ==> {p1,p2,p3,p4} (Pm||Pn||Po||Pp) {q1,q2,q3,q4; H1,H2,H3,H4}" and 266 | Parallel25: "[| {p1,p2,p3,p4} (Pm||Pn||Po||Pp) {q1,q2,q3,q4; H1,H2,H3,H4}; 267 | {p5} Pq {q5; H5}|] 268 | ==> {p1,p2,p3,p4,p5} (Pm||Pn||Po||Pp||Pq) {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}" and 269 | Parallel26: "[| {p1,p2,p3,p4,p5} (Pm||Pn||Po||Pp||Pq) {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}; 270 | {p6} Pr {q6; H6}|] 271 | ==> {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {q1,q2,q3,q4,q5,q6; H1,H2,H3,H4,H5,H6}" 272 | axiomatization where 273 | ParallelSeq6: "[| {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {q1,q2,q3,q4,q5,q6; Ha,Hb,Hc,Hd,He,Hf}; {r1,r2,r3,r4,r5,r6} (Qm||Qn||Qo||Qp||Qq||Qr) {p1,p2,p3,p4,p5,p6; G1,G2,G3,G4,G5,G6}; |- (G1[^]Ha) [-->] M1; |- (G2[^]Hb) [-->] M2; |- (G3[^]Hc) [-->] M3; |- (G4[^]Hd) [-->] M4; |- (G5[^]He) [-->] M5; |- (G6[^]Hf) [-->] M6|] 274 | ==> {r1,r2,r3,r4,r5,r6} ((Qm;(p1,G1);Pm)||(Qn;(p2,G2);Pn)||(Qo;(p3,G3);Po)||(Qp;(p4,G4);Pp)||(Qq;(p5,G5);Pq)||(Qr;(p6,G6);Pr)) {q1,q2,q3,q4,q5,q6; M1,M2,M3,M4,M5,M6}" 275 | 276 | axiomatization where 277 | ParallelSeq6a: "[|{p1}Pm{q1; Ha}; {p2}Pn{q2; Hb}; {p3}Po{q3; Hc}; {p4}Pp{q4; Hd}; {p5}Pq{q5; He}; {p6}Pr{q6; Hf}|] 278 | ==> {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {q1,q2,q3,q4,q5,q6; Ha,Hb,Hc,Hd,He,Hf}" 279 | 280 | axiomatization where 281 | ParallelSeq12a: "[| {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {q1,q2,q3,q4,q5,q6; Ha,Hb,Hc,Hd,He,Hf}; {r1,r2} (Qm||Qn) {p1,p2; G1,G2}; |- (G1[^]Ha) [-->] M1; |- (G2[^]Hb) [-->] M2|] 282 | ==> {r1,r2,p3,p4,p5,p6} ((Qm;(p1,G1);Pm)||(Qn;(p2,G2);Pn)||(Po)||(Pp)||(Pq)||(Pr)) {q1,q2,q3,q4,q5,q6; M1,M2,Hc,Hd,He,Hf}" and 283 | ParallelSeq25a: "[| {p1,p2,p3,p4,p6} (Pm||Pn||Po||Pp||Pr) {q1,q2,q3,q4,q6; Ha,Hb,Hc,Hd,Hf}; {r2,r5} (Qn||Qq) {p2,p5; G2,G5}; |- (G2[^]Hb) [-->] M2|] 284 | ==> {p1,r2,p3,p4,r5,p6} ((Pm)||(Qn;(p2,G2);Pn)||(Po)||(Pp)||(Qq)||(Pr)) {q1,q2,q3,q4,p5,q6; Ha,M2,Hc,Hd,G5,Hf}" and 285 | ParallelSeq23a: "[| {p1,p2,p4,p6} (Pm||Pn||Pp||Pr) {q1,q2,q4,q6; Ha,Hb,Hd,Hf}; {r2,r3} (Qn||Qo) {p2,p3; G2,G3}; |- (G2[^]Hb) [-->] M2|] 286 | ==> {p1,r2,r3,p4,p6} ((Pm)||(Qn;(p2,G2);Pn)||(Qo)||(Pp)||(Pr)) {q1,q2,p3,q4,q6; Ha,M2,G3,Hd,Hf}" and 287 | ParallelSeq23b: "[| {p1,p2,p6} (Pm||Pn||Pr) {q1,q2,q6; Ha,Hb,Hf}; {r2,r4} (Qn||Qp) {p2,p4; G2,G4}; |- (G2[^]Hb) [-->] M2|] 288 | ==> {p1,r2,r4,p6} ((Pm)||(Qn;(p2,G2);Pn)||(Qp)||(Pr)) {q1,q2,p4,q6; Ha,M2,G4,Hf}" and 289 | ParallelSeq23c: "[| {p1,p2} (Pm||Pn) {q1,q2; Ha,Hb}; {r2,r6} (Qn||Qr) {p2,p6; G2,G6}; |- (G2[^]Hb) [-->] M2|] 290 | ==> {p1,r2,r6} ((Pm)||(Qn;(p2,G2);Pn)||(Qr)) {q1,q2,p6; Ha,M2,G6}" 291 | 292 | axiomatization where 293 | ParallelSeq6b: "[| {p1,p2,p3,p4,p5,p6} (Pm||Pn||Po||Pp||Pq||Pr) {q1,q2,q3,q4,q5,q6; Ha,Hb,Hc,Hd,He,Hf}; {q1,q2}Qn||Rn{r1,r2; Ga,Gb}; |- Ha[^]Ga [-->]Ma; |- Hb[^]Gb [-->]Mb|] 294 | ==> {p1,p2,p3,p4,p5,p6} ((Pm;(q1,Ha);Qn)||(Pn;(q2,Hb);Rn)||Po||Pp||Pq||Pr) {r1,r2,q3,q4,q5,q6; Ma,Mb,Hc,Hd,He,Hf}" 295 | axiomatization where 296 | ConsequenceP5 : "[| {pa,pb,pc,pd,pe} P {qa,qb,qc,qd,qe; Ha,Hb,Hc,Hd,He}; 297 | |- (p1 [-->] pa) [&] (p2 [-->] pb) [&] (p3 [-->] pc) [&] (p4 [-->] pd) [&] (p5 [-->] pe); 298 | |- (qa [-->] q1) [&] (qb [-->] q2) [&] (qc [-->] q3) [&] (qd [-->] q4) [&] (qe [-->] q5); 299 | |- (Ha [-->] H1) [&] (Hb [-->] H2) [&] (Hc [-->] H3) [&] 300 | (Hd [-->] H4) [&] (He [-->] H5) |] 301 | ==> {p1,p2,p3,p4,p5} P {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}" 302 | axiomatization where 303 | Repetition5 : "[| {p1,p2,p3,p4,p5} (((Pm||Pn)||Po)||Pp)||Pq {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}; 304 | |- H1 [^] H1 [-->] H1; |- H2 [^] H2 [-->] H2; |- H3 [^] H3 [-->] H3; 305 | |- H4 [^] H4 [-->] H4; |- H5 [^] H5 [-->] H5|] 306 | ==> {p1,p2,p3,p4,p5} (((Pm*||Pn*)||Po*)||Pp*)||Pq* {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}" 307 | axiomatization where 308 | Parallel113: "[| {p1,p2,p3} ((Pm||Pn)||Po) {q,q2,q3; H,H2,H3}; 309 | {q} Q {qx; Hx}; |- (H[^]Hx) [-->] Hy|] 310 | ==> {p1,p2,p3} (((Pm;(q,H);Q)||Pn)||Po) {qx,q2,q3; Hy,H2,H3}" 311 | axiomatization where 312 | Parallel115: "[| {p1,p2,p3,p4,p5} (((Pm||Pn)||Po)||Pp)||Pq {q,q2,q3,q4,q5; H,H2,H3,H4,H5}; 313 | {q} Q {qx; Hx}; |- (H[^]Hx) [-->] Hy|] 314 | ==> {p1,p2,p3,p4,p5} ((((Pm;(q,H);Q)||Pn)||Po)||Pp)||Pq {qx,q2,q3,q4,q5; Hy,H2,H3,H4,H5}" 315 | axiomatization where 316 | Parallel13: "[| {p1,p2,p3} (Pm||Pn)||Po {q1,q2,q3; H1,H2,H3}; 317 | {q3} Q {qx; Hx}; |- (H3[^]Hx) [-->] Hy|] 318 | ==> {p1,p2,p3} (Pm||Pn)||(Po;(q3,H3);Q) {q1,q2,qx; H1,H2,Hy}" 319 | axiomatization where 320 | Parallel14: "[| {p1,p2,p3,p4} ((Pm||Pn)||Po)||Pp {q1,q2,q3,q4; H1,H2,H3,H4}; 321 | {q4} Q {qx; Hx}; |- (H4[^]Hx) [-->] Hy|] 322 | ==> {p1,p2,p3,p4} ((Pm||Pn)||Po)||(Pp;(q4,H4);Q) {q1,q2,q3,qx; H1,H2,H3,Hy}" 323 | axiomatization where 324 | Parallel15: "[| {p1,p2,p3,p4,p5} (((Pm||Pn)||Po)||Pp)||Pq {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}; 325 | {q5} Q {qx; Hx}; |- (H5[^]Hx) [-->] Hy|] 326 | ==> {p1,p2,p3,p4,p5} (((Pm||Pn)||Po)||Pp)||(Pq;(q5,H5);Q) {q1,q2,q3,q4,qx; H1,H2,H3,H4,Hy}" 327 | axiomatization where 328 | Communication3 : "[| ~inPairForm ([(x, e)], qy); 329 | {p1,p2,p3} (Pm||Pn)||Po {q1,q2,q3; H1,H2,H3}; 330 | |- (q1 [-->] qx) [&] (q3 [-->] (substF ([(x, e)]) (qy))); 331 | |- ((H1 [^] (high (q1))) [-->] Hx) [&] ((H3 [^] (high (q3))) [-->] Hy); 332 | |- ((((H1 [^] (high (q1))) [&] H3) [|]((H3 [^] (high (q3))) [&] H1)) [-->] H); 333 | |- Hx [&] H [-->] Ha; 334 | |- Hy [&] H [-->] Hb 335 | |] 336 | ==> {p1,p2,p3} ((Pm;(q1, H1);ch!!e)||Pn)||(Po;(q3, H3);ch??x) 337 | {qx,q2,qy; Ha,H2,Hb}" 338 | axiomatization where 339 | Communication4 : "[| ~inPairForm ([(x, e)], qy); 340 | {p1,p2,p3,p4} ((Pm||Pn)||Po)||Pp {q1,q2,q3,q4; H1,H2,H3,H4}; 341 | |- (q1 [-->] qx) [&] (q4 [-->] (substF ([(x, e)]) (qy))); 342 | |- ((H1 [^] (high (q1))) [-->] Hx) [&] ((H4 [^] (high (q4))) [-->] Hy); 343 | |- ((((H1 [^] (high (q1))) [&] H4) [|]((H4 [^] (high (q4))) [&] H1)) [-->] H); 344 | |- Hx [&] H [-->] Ha; 345 | |- Hy [&] H [-->] Hb 346 | |] 347 | ==> {p1,p2,p3,p4} (((Pm;(q1, H1);ch!!e)||Pn)||Po)||(Pp;(q4, H4);ch??x) 348 | {qx,q2,q3,qy; Ha,H2,H3,Hb}" 349 | axiomatization where 350 | Communication5 : "[| ~inPairForm ([(x, e)], qy); 351 | {p1,p2,p3,p4,p5} (((Pm||Pn)||Po)||Pp)||Pq {q1,q2,q3,q4,q5; H1,H2,H3,H4,H5}; 352 | |- (q1 [-->] qx) [&] (q5 [-->] (substF ([(x, e)]) (qy))); 353 | |- ((H1 [^] (high (q1))) [-->] Hx) [&] ((H5 [^] (high (q5))) [-->] Hy); 354 | |- ((((H1 [^] (high (q1))) [&] H5) [|]((H5 [^] (high (q5))) [&] H1)) [-->] H); 355 | |- Hx [&] H [-->] Ha; 356 | |- Hy [&] H [-->] Hb 357 | |] 358 | ==> {p1,p2,p3,p4,p5} ((((Pm;(q1, H1);ch!!e)||Pn)||Po)||Pp)||(Pq;(q5, H5);ch??x) 359 | {qx,q2,q3,q4,qy; Ha,H2,H3,H4,Hb}" 360 | 361 | (*important derived rules*) 362 | lemma structSkipEL : "{px, py} (Skip;(px,l[=](Real 0));P)||Q {qx, qy; Hx, Hy} 363 | ==> {px, py} P||Q{qx, qy; Hx, Hy}" 364 | apply (cut_tac px=px and py=py and P=P and Q=Q and qx=qx and qy=qy and Hx=Hx and Hy=Hy in structSkipL,auto) 365 | done 366 | 367 | lemma structSkipIL : "{px, py} P||Q{qx, qy; Hx, Hy} 368 | ==> {px, py} (Skip;(px,l[=](Real 0));P)||Q {qx, qy; Hx, Hy}" 369 | apply (cut_tac px=px and py=py and P=P and Q=Q and qx=qx and qy=qy and Hx=Hx and Hy=Hy in structSkipL,auto) 370 | done 371 | 372 | lemma structSkipER : "{px, py} (P;(qx,Hx);Skip)||Q {qx, qy; Hx, Hy} 373 | ==> {px, py} P||Q{qx, qy; Hx, Hy}" 374 | apply (cut_tac px=px and py=py and P=P and Q=Q and qx=qx and qy=qy and Hx=Hx and Hy=Hy in structSkipR,auto) 375 | done 376 | 377 | lemma structSkipIR : "{px, py} P||Q{qx, qy; Hx, Hy} 378 | ==> {px, py} (P;(qx,Hx);Skip)||Q {qx, qy; Hx, Hy}" 379 | apply (cut_tac px=px and py=py and P=P and Q=Q and qx=qx and qy=qy and Hx=Hx and Hy=Hy in structSkipR,auto) 380 | done 381 | 382 | lemma RepetitionT1 : "{px, py} (Px || Py) {qx, qy; Hx, Hy} 383 | ==> {px, py} (Px**1 || Py) {qx, qy; Hx, Hy}" 384 | apply (rule structSkipER) 385 | apply (rule RepetitionT1a) 386 | apply (rule structSkipIR,auto) 387 | done 388 | 389 | lemma RepetitionTn : "[| {px, py} (((Px**m);(qx,H);Px) || Py) {qx, qy; Hx, Hy}; 390 | |- Hx [^] Hx [-->] Hx; 391 | |- H [-->] Hx|] 392 | ==> {px, py} (Px**(m+1) || Py) {qx, qy; Hx, Hy}" 393 | apply (rule structSkipER) 394 | apply (cut_tac H="H" in RepetitionTna,auto) 395 | apply (rule structL) 396 | apply (rule structSkipIR,auto) 397 | done 398 | 399 | lemma Parallel4: "[| {py} Py {qy; Hy[&](l[=](Real 0))}; 400 | {qx, qy} (Qx || Qy) {rx, ry; Mx, My}; 401 | |- (Hy[&](l[=](Real 0))) [-->] HR; 402 | |- ((Hy[&](l[=](Real 0))) [^] My) [-->] Gy 403 | |] 404 | ==> {qx, py} (Qx) || (Py;(qy,HR);Qy) {rx, ry; Mx, Gy}" 405 | apply (rule structSkipEL) 406 | apply (cut_tac m=0 and Hx="l [=] Real 0" in Parallel3,auto) 407 | apply (rule Parallel2,auto) 408 | apply (rule Skip) 409 | (*1*) 410 | apply (rule impR) 411 | apply (rule conjR) 412 | apply (rule basic)+ 413 | apply (rule impR) 414 | apply (rule conjL) 415 | apply (rule basic) 416 | apply (rule impR) 417 | apply (rule LC1) 418 | apply (rule LL3a) 419 | apply (rule basic) 420 | done 421 | 422 | lemma Parallel1a: "[| {px, py} (Px || Py) {qx, qy; Hx, Hy}; {qy} Qy {ry; Gy}; |- Hy [^] Gy [-->] G |] 423 | ==> {px, py} ((Px) || (Py; (qy, Hy); Qy)) {qx, ry; Hx, G}" 424 | apply (rule structSkipER) 425 | apply (subgoal_tac "{px, py}(Px;(qx, Hx);Skip)||(Py;(qy, Hy);Qy){qx,ry; (Hx [^] l [=] Real 0), Hy [^] Gy}") 426 | apply (cut_tac px=px and py=py and qx=qx and qy=ry and Hx="Hx [^] l [=] Real 0" and Hy="Hy [^] Gy" in ConsequenceP,auto) 427 | apply (rule conjR) 428 | apply (rule impR) 429 | apply (rule basic) 430 | apply (rule conjR) 431 | apply (rule impR) 432 | apply (rule basic) 433 | apply (rule conjR) 434 | apply (rule impR) 435 | apply (rule basic) 436 | apply (rule conjR) 437 | apply (rule impR) 438 | apply (rule basic) 439 | apply (rule conjR) 440 | apply (rule impR) 441 | apply (rule LL4) 442 | apply (rule basic) 443 | apply assumption 444 | (*start*) 445 | apply (cut_tac px=px and py=py and Px=Px and qx=qx and Hx="Hx" and Qx=Skip and Py=Py and qy=qy and Hy=Hy and Qy=Qy and rx=qx and ry=ry and Gx="(l [=] Real 0)" and Gy=Gy in Parallel1,auto) 446 | apply (rule Skip) 447 | apply (rule impR) 448 | apply (rule basic) 449 | done 450 | 451 | lemma CommunicationI1b : "[| ~inPairForm ([(x, e)], ry); 452 | |- Hy [-->] H; 453 | |- rg [-->] H[^]WTrue; 454 | {py} ( Py) {qy; Hy}; 455 | |- Init [&] pre [<->] qx; 456 | |- pre [&] Init [&] b [-->] F; 457 | |- (pre [&] close(F) [&] close(b)) [-->] rx; 458 | |- (qy [&] pre [&] close(F) [&] close(b) [-->] (substF ([(x, e)]) (ry))); 459 | |- ((((l [=] Real 0) [|] (high (close(F) [&] pre [&] close(b)))) [&] H) [-->] Gx); 460 | |- Hy [-->] Gy; 461 | |- Hx [-->] Hxm; 462 | |- Hy [-->] Hym; 463 | contain(P,(ch !! e)) 464 | |] 465 | ==> {qx, py} ((( :rg) [[> P) || (Py; (qy, Hym); ch ?? x)) 466 | {rx, ry; Gx, Gy}" 467 | apply (rule structSkipEL) 468 | apply (cut_tac Hx="l [=] Real 0" and Init=Init in CommunicationI1,auto) 469 | apply (rule Parallel2,auto) 470 | apply (rule Skip) 471 | apply (rule impR) 472 | apply (rule basic) 473 | apply (cut_tac P="((l [=] Real 0 [|] high (close(F) [&] pre [&] close(b))) [&] H) [-->] Gx" in cut,auto) 474 | apply (rule thinR,auto) 475 | apply (rule impR) 476 | apply (rule LL3a) 477 | apply (rule impL) 478 | apply (rule basic)+ 479 | apply (rule impR) 480 | apply (rule basic) 481 | done 482 | 483 | lemma structSkipELR : "{px, py} Q||(Skip;(py,l[=](Real 0));P) {qx, qy; Hx, Hy} 484 | ==> {px, py} Q||P{qx, qy; Hx, Hy}" 485 | apply (rule Structure) 486 | apply (rule structSkipEL) 487 | apply (rule Structure) 488 | apply assumption 489 | done 490 | 491 | lemma CommunicationI1a : "[| ~inPairForm ([(x, e)], ry); 492 | |- Init [&] pre [<->] px; 493 | |- pre [&] Init [&] b [-->] F; 494 | |- (pre [&] close(F) [&] close(b)) [-->] rx; 495 | (*|- px [-->] rx;*) 496 | |- py [&] pre [&] close(F) [&] close(b) [-->] (substF ([(x, e)]) (ry)); 497 | |- (l[=]Real 0) [-->] Gx; 498 | |- (l[=]Real 0) [-->] Gy; 499 | contain(Px,(ch !! e))|] 500 | ==> {px, py} ((( :rg) [[> Px) || (ch ?? x)) {rx, ry; Gx, Gy}" 501 | apply (rule structSkipEL) 502 | apply (rule structSkipELR) 503 | apply (cut_tac H="l [=] Real 0" and Hx="l [=] Real 0" in CommunicationI1,auto) 504 | apply (rule impR) 505 | apply (rule basic) 506 | apply (rule impR) 507 | apply (rule RL3a) 508 | apply (simp add: True_def) 509 | apply (rule impR) 510 | apply (rule basic) 511 | apply (rule Parallel2) 512 | apply (rule Skip) 513 | apply (rule impR) 514 | apply (rule basic) 515 | apply (rule Skip) 516 | apply (rule impR) 517 | apply (rule basic) 518 | apply (rule impR) 519 | apply (rule LL3a) 520 | apply (rule conjL) 521 | apply (rule thinL) 522 | apply (cut_tac P="l [=] Real 0 [-->] Gx" in cut,auto) 523 | apply (rule thinL) 524 | apply (rule thinR,auto) 525 | apply (rule impL) 526 | apply (rule basic)+ 527 | apply (rule impR) 528 | apply (rule basic) 529 | apply (rule impR) 530 | apply (rule basic) 531 | done 532 | 533 | lemma CommunicationI2a : "[| ~inPairForm ([(x, e)], ry); 534 | |- Init [&] pre [<->] px; 535 | |- pre [&] Init [&] b [-->] F; 536 | |- py [&] pre [&] close(F) [&] close(b) [-->] (substF ([(x, e)]) (rx)); 537 | |- py [-->] ry; 538 | |- (l[=]Real 0) [-->] Gx; 539 | |- (l[=]Real 0) [-->] Gy; 540 | contain(Px,(ch ?? x))|] 541 | ==> {px, py} (( ( :rg) [[> Px) || (ch !! e)) {rx, ry; Gx, Gy}" 542 | apply (rule structSkipEL) 543 | apply (rule structSkipELR) 544 | apply (cut_tac H="l [=] Real 0" and Hx="l [=] Real 0" in CommunicationI2,auto) 545 | apply (rule impR) 546 | apply (rule basic) 547 | apply (rule impR) 548 | apply (rule RL3a) 549 | apply (simp add: True_def) 550 | apply (rule impR) 551 | apply (rule basic) 552 | apply (rule Parallel2) 553 | apply (rule Skip) 554 | apply (rule impR) 555 | apply (rule basic) 556 | apply (rule Skip) 557 | apply (rule impR) 558 | apply (rule basic) 559 | apply (rule impR) 560 | apply (rule LL3a) 561 | apply (rule conjL) 562 | apply (rule thinL) 563 | apply (cut_tac P="l [=] Real 0 [-->] Gx" in cut,auto) 564 | apply (rule thinL) 565 | apply (rule thinR,auto) 566 | apply (rule impL) 567 | apply (rule basic)+ 568 | apply (rule impR) 569 | apply (rule basic) 570 | apply (rule impR) 571 | apply (rule basic) 572 | done 573 | 574 | end -------------------------------------------------------------------------------- /HHLProver/Sound.thy: -------------------------------------------------------------------------------- 1 | theory Sound 2 | imports op HHL 3 | begin 4 | 5 | (*The definition for the soundness of sequtial process*) 6 | definition Valid :: "fform => proc => fform => fform => bool" ("Valid _ _ _ _") 7 | where "Valid p Q q H = 8 | (ALL f d f' d'. (evalP (Q, f, d) = (Skip, f', d')) --> evalF (last(f(d)), p) 9 | --> (evalF (last(f'(d')), q) & ievalF (f', H, d, d')))" 10 | 11 | (*The definition for the soundness of parallel process*) 12 | definition ValidP :: "fform => fform => proc => proc => fform => fform => fform => fform => bool" 13 | ("ValidP _ _ _ _ _ _ _ _") 14 | where "ValidP p1 p2 P Q q1 q2 H1 H2 = 15 | (ALL f g f' g' d d1 d2. (evalPP (P||Q,f,g,d) = (Skip,f',g',d1,d2)) 16 | --> evalF (last(f(d)), p1) --> evalF (last(g(d)), p2) 17 | --> (evalF (last(f'(d1)), q1) & evalF (last(g'(d2)), q2) & 18 | ievalF (f', H1, d, d1)& ievalF (g', H2, d, d2)))" 19 | 20 | (*soundness for consequence rule of sequtial*) 21 | lemma ConsequenceS_sound: "Valid px P qx Hx 22 | --> (ALL f1 d1. evalF (last(f1(d1)),(p [-->] px))) 23 | --> (ALL f1 d1. evalF (last(f1(d1)),(qx [-->] q))) 24 | --> (ALL f1 d1 d2. ievalF (f1,(Hx [-->] H),d1,d2)) 25 | --> Valid p P q H" 26 | apply (simp add: Imply_eval) 27 | apply (unfold Valid_def,auto) 28 | apply (subgoal_tac "evalF(last(f'(d')), qx)",auto) 29 | apply (subgoal_tac "evalF(last(f(d)), px)",auto) 30 | apply (subgoal_tac "ievalF(f', Hx, d, d')",auto) 31 | apply (subgoal_tac "evalF(last(f(d)), px)",auto) 32 | done 33 | 34 | (*soundness for consequence rule of parallel*) 35 | lemma ConsequenceP_sound: "ValidP px py Px Py qx qy Hx Hy 36 | --> (ALL f1 d1. evalF (last(f1(d1)),(p [-->] px))) 37 | --> (ALL f1 d1. evalF (last(f1(d1)),(r [-->] py))) 38 | --> (ALL f1 d1. evalF (last(f1(d1)),(qx [-->] q))) 39 | --> (ALL f1 d1. evalF (last(f1(d1)),(qy [-->] s))) 40 | --> (ALL f1 d1 d2. ievalF (f1,(Hx [-->] H),d1,d2)) 41 | --> (ALL f1 d1 d2. ievalF (f1,(Hy [-->] G),d1,d2)) 42 | --> ValidP p r Px Py q s H G" 43 | apply (simp add: Imply_eval) 44 | apply (unfold ValidP_def,auto) 45 | apply blast 46 | apply (subgoal_tac "evalF(last(g'(d2)), qy)",auto) 47 | apply (subgoal_tac "evalF(last(f(d)), px)",auto) 48 | apply (subgoal_tac "evalF(last(g(d)), py)",auto) 49 | apply (subgoal_tac "ievalF(f', Hx, d, d1)",auto) 50 | apply (subgoal_tac "evalF(last(f(d)), px)",auto) 51 | apply (subgoal_tac "evalF(last(g(d)), py)",auto) 52 | apply (subgoal_tac "ievalF(g', Hy, d, d2)",auto) 53 | apply (subgoal_tac "evalF(last(f(d)), px)",auto) 54 | apply (subgoal_tac "evalF(last(g(d)), py)",auto) 55 | done 56 | 57 | (*The following rules from substR_fact1 to substR are for syntatical substitution, 58 | and are used for proving soundness of assignment rule and communiction rule.*) 59 | lemma substR_fact1 : " ALL f. evalE(f, substE([(RVar x, e)], v)) 60 | = evalE(%y i. if y = x & i = R then evalE(f, e) else f(y, i), v)" 61 | apply (induct v, auto) 62 | apply (case_tac "evalE(%y i. if y = x & i = R then evalE(f, e) else f(y, i), v1)", auto)+ 63 | done 64 | 65 | lemma substR_fact2: "substE([], e) = e" 66 | apply (induct "e", auto) 67 | done 68 | 69 | lemma substR_fact3: "substF([], q) = q" 70 | apply (induct "q", auto) 71 | apply (simp add:substR_fact2)+ 72 | done 73 | 74 | lemma substR_fact4: " ~ inPairForm([(RVar x, e)], WALL list q) 75 | ==> ((substF([(RVar x, e)], WALL list q)) = (WALL list (substF ([(RVar x, e)], q))))" 76 | apply (simp add:inPairForm_def) 77 | done 78 | 79 | lemma substR_fact5 : "~inExp(list, e) 80 | ==> ALL f v. evalE(f, e) = evalE(%a i. if a = list then RR(v) else f(a, i), e)" 81 | apply (induct e, auto) 82 | apply (case_tac "evalE(f, e1)", auto)+ 83 | done 84 | 85 | lemma substR_ALL : " [| ~ inPairForm([(RVar x, e)], q) 86 | ==> ALL f. evalF(f, substF([(RVar x, e)], q)) 87 | = evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), q); 88 | ~ inPairForm([(RVar x, e)], WALL list q ) |] 89 | ==> ALL f. evalF(f, substF([(RVar x, e)], WALL list q )) 90 | = evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), WALL list q )" 91 | apply (rule allI) 92 | apply (cut_tac x = x and e = e and q = q and list = "list" in substR_fact4, simp) 93 | apply (subgoal_tac "evalF(f, substF([(RVar x, e)], WALL list q )) 94 | = evalF (f, (WALL list substF([(RVar x, e)], q)))") 95 | defer apply simp 96 | apply (subgoal_tac "evalF(f, substF([(RVar x, e)], WALL list q )) 97 | = (ALL (v::real). (evalF((%a. %i. (if (a=list) then (RR (v)) else (f(a, i)))) 98 | , substF([(RVar x, e)], q))))") 99 | defer apply simp 100 | apply (subgoal_tac "evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), WALL list q) = 101 | (let f1 = (%y i. if y = x & i = R then evalE(f, e) else f(y, i)) in 102 | (ALL (v::real). (evalF((%a. %i. (if (a=list) then (RR (v)) else (f1(a, i)))), q))))") 103 | defer apply simp 104 | apply (subgoal_tac "~ inPairForm([(RVar x, e)], q)") 105 | defer apply simp 106 | apply (subgoal_tac "ALL v. let f2 = %a i. if a = list then RR(v) else f(a, i) in 107 | (evalF(f2, substF([(RVar x, e)], q)) 108 | = evalF(%y i. if y = x & i = R then evalE(f2, e) else f2(y, i), q))") 109 | defer apply simp 110 | apply (subgoal_tac "(let f1 = %y i. if y = x & i = R then evalE(f, e) else f(y, i) in 111 | ALL v. evalF(%a i. if a = list then RR(v) else f1(a, i), q)) = 112 | (ALL v. let f2 = %a i. if a = list then RR(v) else f(a, i) in 113 | evalF(%y i. if y = x & i = R then evalE(f2, e) else f2(y, i), q))", simp) 114 | apply (subgoal_tac "~x=list") 115 | apply (simp add:Let_def) 116 | apply (subgoal_tac "ALL v t. evalE(f, e) = evalE(%a i. if a = list then RR(v) else f(a, i), e)") 117 | apply (subgoal_tac "ALL v. (%a i. if a = list then RR(v) else if a = x & i = R then evalE(f, e) else f(a, i)) 118 | = (%y i. if y = x & i = R then evalE(%a i. if a = list then RR(v) else f(a, i), e) 119 | else if y = list then RR(v) else f(y, i))", simp) 120 | apply (simp add:fun_eq_iff) 121 | apply (cut_tac list = "list" and e = e in substR_fact5, auto) 122 | done 123 | 124 | lemma substR_fact6: " ~ inPairForm([(RVar x, e)], WEX list q) ==> 125 | ((substF([(RVar x, e)], WEX list q)) = (WEX list (substF ([(RVar x, e)], q))))" 126 | apply (simp add:inPairForm_def) 127 | done 128 | 129 | lemma substR_EX : "[| ~ inPairForm([(RVar x, e)], q) 130 | ==> ALL f. evalF(f, substF([(RVar x, e)], q)) 131 | = evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), q); 132 | ~ inPairForm([(RVar x, e)], WEX list q) |] 133 | ==> ALL f. evalF(f, substF([(RVar x, e)], WEX list q)) 134 | = evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), WEX list q)" 135 | apply (rule allI) 136 | apply (cut_tac x = x and e = e and q = q and list = "list" in substR_fact6, simp) 137 | apply (subgoal_tac "evalF(f, substF([(RVar x, e)], WEX list q )) 138 | = evalF ( f, (WEX list substF([(RVar x, e)], q)))") 139 | defer apply simp 140 | apply (subgoal_tac "evalF(f, substF([(RVar x, e)], WEX list q )) 141 | = (EX (v::real). (evalF((%a. %i. (if (a=list) then (RR (v)) else (f(a, i)))) 142 | , substF([(RVar x, e)], q))))") 143 | defer apply simp 144 | apply (subgoal_tac "evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), WEX list q) 145 | = (let f1 = (%y i. if y = x & i = R then evalE(f, e) else f(y, i)) in 146 | (EX (v::real) . (evalF((%a. %i. (if (a=list) then (RR (v)) else (f1(a, i)))), q))))") 147 | defer apply simp 148 | apply (subgoal_tac "~ inPairForm([(RVar x, e)], q)") 149 | defer apply simp 150 | apply (subgoal_tac "EX v. let f2 = %a i. if a = list then RR(v) else f(a, i) in 151 | (evalF(f2, substF([(RVar x, e)], q)) 152 | = evalF(%y i. if y = x & i = R then evalE(f2, e) else f2(y, i), q))") 153 | defer apply simp 154 | apply (subgoal_tac "(let f1 = %y i. if y = x & i = R then evalE(f, e) else f(y, i) 155 | in EX v. evalF(%a i. if a = list then RR(v) else f1(a, i), q)) = 156 | (EX v. let f2 = %a i. if a = list then RR(v) else f(a, i) 157 | in evalF(%y i. if y = x & i = R then evalE(f2, e) else f2(y, i), q))", simp) 158 | apply (subgoal_tac "~x=list") 159 | apply (simp add:Let_def) 160 | apply (subgoal_tac "ALL v. evalE(f, e) = evalE(%a i. if a = list then RR(v) else f(a, i), e)") 161 | apply (subgoal_tac "ALL v. (%a i. if a = list then RR(v) else if a = x & i = R then evalE(f, e) else f(a, i)) 162 | = (%y i. if y = x & i = R then evalE(%a i. if a = list then RR(v) else f(a, i), e) 163 | else if y = list then RR(v) else f(y, i))", auto) 164 | apply (simp add:fun_eq_iff) 165 | apply (cut_tac list = "list" and e = e in substR_fact5, auto) 166 | done 167 | 168 | (*lemma used for proving the soundness of assignment rule and communication rule. 169 | This lemma means that the substitution for a variable is equivlant to change the state.*) 170 | lemma substR: "~inPairForm ([(RVar x, e)], q) ==> ALL f. evalF(f, substF([(RVar x, e)], q)) = 171 | evalF(%y i. if y = x & i = R then evalE(f, e) else f(y, i), q)" 172 | apply (induct q) 173 | apply simp 174 | apply simp 175 | defer defer defer 176 | apply simp 177 | apply simp 178 | apply simp 179 | apply simp 180 | apply simp 181 | defer defer 182 | apply (simp add:substF_def) 183 | apply (cut_tac x = x and e=e and v = "exp1" in substR_fact1) 184 | apply (cut_tac x = x and e=e and v = "exp2" in substR_fact1) 185 | apply (rule allI) 186 | apply (case_tac "evalE(%y i. if y = x & i = R then evalE(f, e) else f(y, i), exp1)") 187 | apply simp 188 | apply simp 189 | apply simp 190 | apply simp 191 | apply (simp add:substF_def) 192 | apply (cut_tac x = x and e=e and v = "exp1" in substR_fact1) 193 | apply (cut_tac x = x and e=e and v = "exp2" in substR_fact1) 194 | apply (rule allI) 195 | apply (case_tac "evalE(%y i. if y = x & i = R then evalE(f, e) else f(y, i), exp1)") 196 | apply simp 197 | apply simp 198 | apply simp 199 | apply simp 200 | apply (simp add:substF_def) 201 | apply (cut_tac x = x and e=e and v = "exp1" in substR_fact1) 202 | apply (cut_tac x = x and e=e and v = "exp2" in substR_fact1) 203 | apply (rule allI) 204 | apply (case_tac "evalE(%y i. if y = x & i = R then evalE(f, e) else f(y, i), exp1)") 205 | apply simp 206 | apply simp 207 | apply simp 208 | apply simp 209 | apply (cut_tac x = x and e = e and q = q and list = "list" in substR_ALL, simp) 210 | apply simp 211 | apply simp 212 | apply (cut_tac x = x and e = e and q = q and list = "list" in substR_EX, auto) 213 | done 214 | 215 | (*soundness for assign rule of real variable, others are in the end of this file*) 216 | lemma AssignR_sound: "~inPairForm ([(RVar x, e)], q) & 217 | (ALL f. evalF (f, p [-->] (substF ([((RVar (x)), e)]) (q)))) 218 | & (ALL f d1 d2. ievalF (f, (l [=] (Real 0)) [-->] G, d1, d2)) --> Valid p (RVar (x)):=e q G" 219 | apply (simp add:Imply_eval) 220 | apply (unfold Valid_def, auto) 221 | (*1st*) 222 | apply (cut_tac x = "x" and e = "e" and f = "f" and d = "d" in assignR,auto) 223 | apply (cut_tac x = x and e = e and q = q in substR,auto) 224 | (*2nd*) 225 | apply (cut_tac x = "x" and e = "e" and f = "f" and d = "d" in assignR,simp) 226 | apply (subgoal_tac "ievalF(f', l [=] Real 0, d', d')",auto) 227 | apply (cut_tac L=0 in L_eval,auto) 228 | done 229 | 230 | (*soundness for continue rule*) 231 | lemma continue_sound: "(ALL f1 d1 d2. evalF (last(f1(d1)),Init [-->] F)) 232 | & (ALL f1 d1 d2. evalF (last(f1(d1)),((p [&] close(F) [&] close([~]b)) [-->] q))) 233 | & (ALL f1 d1 d2. ievalF (f1,((((l [=] Real 0) [|] (high (close(F) [&] p [&] close(b)))) [&] Rg) [-->] G),d1,d2)) 234 | & (disj (p, F)) 235 | --> Valid (Init [&] p) ( : Rg) q G" 236 | apply (unfold Valid_def, auto) 237 | (*1st*) 238 | apply (cut_tac F = F and b = b and Rg = "Rg" and f = f and d = d and f' = "f'" and d' = "d'" in continue, auto) 239 | apply (subgoal_tac "evalF(last(f'(d')), p) & evalF(last(f'(d')), close(F)) & evalF(last(f'(d')), NotForm(b))",auto) 240 | apply (cut_tac f = "last(f'(d'))" and b = d and c = "d'" and p = F in close_fact1, auto) 241 | apply (cut_tac f = "last(f'(d'))" and b = d and c = "d'" and p = b in close_fact2, auto) 242 | (*2nd*) 243 | apply (simp add:Imply_eval And_eval Or_eval) 244 | apply (cut_tac F = F and b = b and Rg = "Rg" and f = f and d = d and f' = "f'" and d' = "d'" in continue, auto) 245 | apply (subgoal_tac "( ((ievalF(f', (l [=] Real 0), d, d')) | (ievalF(f', (high (close(F) [&] p [&] close(b))), d, d')) ) & 246 | (ievalF(f', Rg, d, d')) ) --> (ievalF(f',G,d,d'))") 247 | prefer 2 248 | apply simp 249 | apply (subgoal_tac "( ((ievalF(f', (l [=] Real 0), d, d')) | (ievalF(f', (high (close(F) [&] p [&] close(b))), d, d')) ) & 250 | (ievalF(f', Rg, d, d')) )",simp) 251 | apply auto 252 | apply (case_tac "d=d'",auto) 253 | apply (cut_tac L=0 in L_eval,auto) 254 | apply (subgoal_tac "ievalF(f', high (close(F) [&] p [&] close(b)), d, d')",simp) 255 | apply (simp add: high_eval And_eval,auto) 256 | apply (subgoal_tac "evalFP(f', F [&] b, ka)",auto) 257 | apply (simp add: evalFP_def And_eval) 258 | apply (rule allI) 259 | apply (subgoal_tac "inList(s, f'(ka)) --> evalF(s, F) & evalF(s, b)") 260 | defer 261 | apply blast 262 | apply (rule impI) 263 | apply (subgoal_tac "evalF(s, F) & evalF(s, b)") 264 | defer 265 | apply blast 266 | apply (rule conjI) 267 | apply (cut_tac s=s and p=F in close_fact3,simp) 268 | apply assumption 269 | apply (rule conjI) 270 | defer 271 | apply (cut_tac s=s and p=b in close_fact3,simp) 272 | apply assumption 273 | apply blast 274 | done 275 | 276 | (*soundness for sequence rule*) 277 | lemma Sequence_sound: "(Valid p P m H 278 | & Valid m Q q G) 279 | --> Valid p (P;(m,H);Q) q H[^]G" 280 | apply (simp add:Valid_def, auto) 281 | apply (cut_tac P = P and mid = "(m, H)" and Q = Q and f = f and 282 | d = d and F = "f'" and D = "d'" in sequence, auto) 283 | apply blast 284 | apply (cut_tac P = P and mid = "(m, H)" and Q = Q and f = f and 285 | d = d and F = "f'" and D = "d'" in sequence, auto) 286 | apply (cut_tac f = "f'" and P = H and Q = G and c = d and d = "d'" in chop_eval1, auto) 287 | apply blast 288 | done 289 | 290 | (*soundness for condition rule in case b is false, 291 | later it is used to prove the soundness of condition rule*) 292 | lemma ConditionF_sound: "(ALL f1 d1 d2. evalF (last(f1(d1)),(p [-->] [~] b)) 293 | & evalF (last(f1(d1)),(p [-->] q)) 294 | & ievalF (f1,((l [=] Real 0) [-->] G),d1,d2)) 295 | --> Valid p (IF b P) q G" 296 | apply (simp add:Imply_eval) 297 | apply (simp add:Valid_def, auto) 298 | apply (simp add:conditionF)+ 299 | apply (subgoal_tac " ievalF(f', l[=]Real 0, d', d')",auto) 300 | apply (simp add:L_eval) 301 | done 302 | 303 | (*soundness for condition rule in case b is true, 304 | later it is used to prove the soundness of condition rule*) 305 | lemma ConditionT_sound: "(ALL f1 d1 d2. evalF (last(f1(d1)),(p [-->] b)) 306 | & Valid p P q G) 307 | --> Valid p (IF b P) q G" 308 | apply (simp add:Imply_eval) 309 | apply (simp add:Valid_def, auto) 310 | apply (cut_tac f = f and be = b and d = d and P = P and f' = "f'" and d' = "d'" in conditionT, auto) 311 | apply (blast) 312 | apply (cut_tac f = f and be = b and d = d and P = P and f' = "f'" and d' = "d'" in conditionT, auto) 313 | apply blast 314 | done 315 | 316 | (*soundness for condition rule*) 317 | lemma Condition_sound: "(Valid (p [&] b) (IF b P) q G 318 | & Valid (p [&] ([~]b)) (IF b P) q G) 319 | --> Valid p (IF b P) q G" 320 | apply (simp add:Valid_def, auto) 321 | apply blast+ 322 | done 323 | 324 | (*soundness for nondeterministic rule of real variable*) 325 | lemma NondeterministicR_sound: "Valid (p [&] b) P q G 326 | --> Valid p (NON R x : b P) q G" 327 | apply (simp add:Valid_def,auto) 328 | apply (cut_tac f = f and d = d and b = b and x = x and P = P and f' = "f'" and d' = "d'" in nondeterR, auto)+ 329 | done 330 | 331 | (*soundness for nondeterministic rule of string variable*) 332 | lemma NondeterministicS_sound: "Valid (p [&] b) P q G 333 | --> Valid p (NON S x : b P) q G" 334 | apply (simp add:Valid_def,auto) 335 | apply (cut_tac f = f and d = d and b = b and x = x and P = P and f' = "f'" and d' = "d'" in nondeterS, auto)+ 336 | done 337 | 338 | (*soundness for nondeterministic rule of bool variable*) 339 | lemma NondeterministicB_sound: "Valid (p [&] b) P q G 340 | --> Valid p (NON B x : b P) q G" 341 | apply (simp add:Valid_def,auto) 342 | apply (cut_tac f = f and d = d and b = b and x = x and P = P and f' = "f'" and d' = "d'" in nondeterB, auto)+ 343 | done 344 | 345 | (*soundness for communication rule of real variable, others are in the end of this file.*) 346 | lemma CommR_sound: "(ValidP px py Px Py qx qy Hx Hy) 347 | --> ~inPairForm([(RVar x, e)], ry) 348 | --> (ALL f g d. EX F G Da Db. evalPP(Px||Py,f,g,d) = (Skip,F,G,Da,Db)) 349 | --> (ALL f1 d1. evalF (last(f1(d1)),(qx [-->] rx) [&] (qy [-->] (substF ([(RVar(x), e)]) (ry))))) 350 | --> (ALL f1 d1 d2. ievalF (f1,((Hx [^] (high (qx))) [-->] Gx) [&] ((Hy [^] (high(qy))) [-->] Gy),d1,d2)) 351 | --> (ALL f1 f2 d1 d2. (ievalF(f1,(Hx[^](high (qx))),d1,d2) & ievalF(f2,Hy[^](l[=]Real 0),d1,d2)) | 352 | (ievalF(f2,(Hy[^](high (qy))),d1,d2) & ievalF(f1,Hx,d1,d2)) --> 353 | (ievalF(f1,H,d1,d2) & ievalF(f2,H,d1,d2))) 354 | --> ValidP px py (Px;m;ch!!e) (Py;M;ch??(RVar(x))) rx ry (Gx[&]H) (Gy[&]H)" 355 | apply (simp add:Imply_eval And_eval) 356 | apply (unfold ValidP_def,auto) 357 | (*Proving for the 1st postcondition*) 358 | apply (subgoal_tac "EX F G Da Db. evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db)") 359 | prefer 2 360 | apply simp 361 | apply (erule exE)+ 362 | apply (subgoal_tac "evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)") 363 | prefer 2 364 | apply simp 365 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 366 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 367 | (*Proving for the 2nd postcondition*) 368 | apply (subgoal_tac "EX F G Da Db. evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db)") 369 | prefer 2 370 | apply simp 371 | apply (erule exE)+ 372 | apply (subgoal_tac "evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)") 373 | prefer 2 374 | apply simp 375 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 376 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 377 | apply (case_tac "Db < Da",auto) 378 | apply (cut_tac x = x and e = e and q = ry in substR,auto) 379 | apply (subgoal_tac "evalF(last(G(Db)), substF([(RVar x, e)], ry))") 380 | prefer 2 381 | apply (subgoal_tac "evalF(last(G(Db)), qy) --> evalF(last(G(Db)), substF([(RVar x, e)], ry))",simp) 382 | apply blast 383 | apply (cut_tac x=x and e=e and q=ry in substR,auto) 384 | (*Proving for the 1st history, it is a conjunction of two formulae Gx and H*) 385 | (*Start to prove Gx*) 386 | apply (subgoal_tac "EX F G Da Db. evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db)") 387 | prefer 2 388 | apply simp 389 | apply (erule exE)+ 390 | apply (simp add:And_eval Imply_eval) 391 | apply (subgoal_tac "ievalF(f', Hx [^] high qx, d, d1)") 392 | apply simp 393 | prefer 2 394 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 395 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 396 | (*start for the 1st case "Da < Db"*) 397 | apply (cut_tac f = "%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and 398 | P = Hx and Q = "high qx" and c = d and d = Db in chop_eval1, auto) 399 | apply (cut_tac x=Da in exI,auto) 400 | apply (subgoal_tac "ievalF(%t. if Da < t & t <= Db then [last(F(Da))] else F(t), Hx, d, Da) 401 | = ievalF(F,Hx,d,Da)",simp) 402 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 403 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 404 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 405 | apply blast 406 | apply (cut_tac c=d and d=Da and f="%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and 407 | g=F and P=Hx in chop_interval,auto) 408 | apply (cut_tac f="%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and P=qx and c=Da and d=Db in high_eval,auto) 409 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 410 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 411 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 412 | prefer 2 413 | apply blast 414 | apply (simp add: evalFP_def) 415 | (*start for the 2nd case "Db < Da"*) 416 | apply (cut_tac f = F and P = Hx and Q = "high qx" and c = d and d = Da in chop_eval1, auto) 417 | apply (cut_tac x=Da in exI,auto) 418 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 419 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 420 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 421 | apply blast 422 | apply (simp add: high_eval,auto) 423 | (*start for the 2nd case "Db = Da"*) 424 | apply (cut_tac f = F and P = Hx and Q = "high qx" and c = d and d = Da in chop_eval1, auto) 425 | apply (cut_tac x=Da in exI,auto) 426 | apply blast 427 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 428 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 429 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 430 | prefer 2 431 | apply blast 432 | apply (cut_tac f=F and P=qx and c=Da and d=Da in high_eval,auto) (*end for Gx*) 433 | (*For proving H, we first prove "(Hy[^] high (qy))"*) 434 | apply (subgoal_tac "ievalF(g', (Hy [^] high(qy)), d, d1)") 435 | prefer 2 436 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 437 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) (*1*) 438 | (*start for the 1st case "Db < Da"*) 439 | apply (cut_tac f = "%t. if t = Da 440 | then [last(G(Db)), 441 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 442 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and P = Hy and Q = "high qy" and 443 | c = d and d = Da in chop_eval1, auto) 444 | apply (cut_tac x=Db in exI,auto) (*1a*) 445 | apply (subgoal_tac "ievalF(%t. if t = Da 446 | then [last(G(Db)), 447 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 448 | else if t < Da & Db < t then [last(G(Db))] else G(t),Hy, d, Db) 449 | = ievalF(G,Hy,d,Db)",simp) 450 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 451 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 452 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 453 | apply blast 454 | apply (cut_tac c=d and d=Db and f="%t. if t = Da 455 | then [last(G(Db)), 456 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 457 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and 458 | g=G and P=Hy in chop_interval,simp) 459 | apply (cut_tac f = "%t. if t = Db then [] 460 | else if t = Da 461 | then [last(G(Db)), 462 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 463 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and P = "high qy" and 464 | Q = "l [=] Real 0" and c = Db and d = Da in chop_eval,simp) 465 | apply (cut_tac f="%t. if t = Da 466 | then [last(G(Db)), 467 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 468 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and 469 | P=qy and c=Db and d=Da in high_eval,auto) 470 | apply (simp add: evalFP_def) 471 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 472 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 473 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 474 | apply blast 475 | (*start for the 2nd case "Db >= Da"*) 476 | apply (simp add: chop_eval) 477 | apply (cut_tac x=Db in exI,auto) 478 | apply (cut_tac x="G(Db)" in exI,auto) 479 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 480 | else if t = Db 481 | then G(Db) @ 482 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 483 | else G(t)" and 484 | g=G and P=Hy in chop_interval,auto) 485 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 486 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 487 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 488 | apply blast 489 | apply (cut_tac f="%t. if t = Db 490 | then [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 491 | else if t = Db 492 | then G(Db) @ 493 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 494 | else G(t)" and P=qy and c=Db and d=Db in high_eval,auto) 495 | (*start for H*) 496 | apply (subgoal_tac "ievalF(g', Hy[^](l[=]Real 0), d, d1) | ievalF(f', Hx, d, d1)",auto) 497 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 498 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 499 | (*start for the 1st case Db < Da*) 500 | apply (subgoal_tac "ievalF(F, Hx, d, Da)") 501 | apply blast 502 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 503 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 504 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 505 | apply blast 506 | (*start for the 2nd case Db >= Da*) 507 | apply (case_tac "d=Db",auto) (*2a*) 508 | apply (simp add: chop_eval) 509 | apply (cut_tac x=Db in exI,auto) 510 | apply (cut_tac x="G(Db)" in exI,auto) 511 | apply (cut_tac c=Db and d=Db and f="%t. if t = Db then G(Db) 512 | else if t = Db 513 | then G(Db) @ 514 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 515 | else G(t)" and 516 | g=G and P=Hy in chop_interval,auto) 517 | apply (subgoal_tac "evalPP(Px||Py, f, g, Db) = (Skip, F, G, Da, Db) --> 518 | evalF(last(f(Db)), px) --> evalF(last(g(Db)), py) --> 519 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, Db, Da) & ievalF(G, Hy, Db, Db)",simp) 520 | apply blast 521 | apply (cut_tac L=0 in L_eval,auto) (*2b*) 522 | apply (cut_tac f = "%t. if t = Db 523 | then G(Db) @ 524 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 525 | else G(t)" and P = Hy and Q = "l [=] Real 0" and c = d and d = Db in chop_eval, auto) 526 | apply (cut_tac x=Db in exI,auto) 527 | apply (cut_tac x="G(Db)" in exI,auto) 528 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 529 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 530 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 531 | prefer 2 532 | apply blast 533 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 534 | else if t = Db 535 | then G(Db) @ 536 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 537 | else G(t)" and 538 | g=G and P=Hy in chop_interval,auto) 539 | apply (cut_tac L=0 in L_eval,auto) 540 | apply (cut_tac x=Db in exI,auto) 541 | apply (cut_tac x="G(Db)" in exI,auto) 542 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 543 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 544 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 545 | prefer 2 546 | apply blast 547 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 548 | else if t = Db 549 | then G(Db) @ 550 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 551 | else G(t)" and 552 | g=G and P=Hy in chop_interval,auto) 553 | apply (cut_tac L=0 in L_eval,auto) 554 | (*Proving for the 1st history, it is a conjunction of two formulae Gx and H*) 555 | (*Start to prove Gx*) 556 | apply (subgoal_tac "EX F G Da Db. evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db)") 557 | prefer 2 558 | apply simp 559 | apply (erule exE)+ 560 | apply (simp add:And_eval Imply_eval) 561 | apply (subgoal_tac "ievalF(g', (Hy [^] high(qy)), d, d2)") 562 | prefer 2 563 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 564 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) (*1*) 565 | (*start for the 1st case "Db < Da"*) 566 | apply (cut_tac f = "%t. if t = Da 567 | then [last(G(Db)), 568 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 569 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and P = Hy and Q = "high qy" and 570 | c = d and d = Da in chop_eval1, auto) 571 | apply (cut_tac x=Db in exI,auto) (*1a*) 572 | apply (subgoal_tac "ievalF(%t. if t = Da 573 | then [last(G(Db)), 574 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 575 | else if t < Da & Db < t then [last(G(Db))] else G(t),Hy, d, Db) 576 | = ievalF(G,Hy,d,Db)",simp) 577 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 578 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 579 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 580 | apply blast 581 | apply (cut_tac c=d and d=Db and f="%t. if t = Da 582 | then [last(G(Db)), 583 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 584 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and 585 | g=G and P=Hy in chop_interval,simp) 586 | apply (cut_tac f = "%t. if t = Db then [] 587 | else if t = Da 588 | then [last(G(Db)), 589 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 590 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and P = "high qy" and 591 | Q = "l [=] Real 0" and c = Db and d = Da in chop_eval,simp) 592 | apply (cut_tac f="%t. if t = Da 593 | then [last(G(Db)), 594 | %y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 595 | else if t < Da & Db < t then [last(G(Db))] else G(t)" and 596 | P=qy and c=Db and d=Da in high_eval,auto) 597 | apply (simp add: evalFP_def) 598 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 599 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 600 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 601 | apply blast 602 | (*start for the 2nd case "Db >= Da"*) 603 | apply (simp add: chop_eval) 604 | apply (cut_tac x=Db in exI,auto) 605 | apply (cut_tac x="G(Db)" in exI,auto) 606 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 607 | else if t = Db 608 | then G(Db) @ 609 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 610 | else G(t)" and 611 | g=G and P=Hy in chop_interval,auto) 612 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 613 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 614 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 615 | apply blast 616 | apply (cut_tac f="%t. if t = Db 617 | then [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 618 | else if t = Db 619 | then G(Db) @ 620 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 621 | else G(t)" and P=qy and c=Db and d=Db in high_eval,auto) 622 | (*For proving H, we first prove "(Hx[^] high (qx))"*) 623 | apply (subgoal_tac "ievalF(f', Hx [^] high qx, d, d2)") 624 | prefer 2 625 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 626 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 627 | (*start for the 1st case "Da < Db"*) 628 | apply (cut_tac f = "%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and 629 | P = Hx and Q = "high qx" and c = d and d = Db in chop_eval1, auto) 630 | apply (cut_tac x=Da in exI,auto) 631 | apply (subgoal_tac "ievalF(%t. if Da < t & t <= Db then [last(F(Da))] else F(t), Hx, d, Da) 632 | = ievalF(F,Hx,d,Da)",simp) 633 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 634 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 635 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 636 | apply blast 637 | apply (cut_tac c=d and d=Da and f="%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and 638 | g=F and P=Hx in chop_interval,auto) 639 | apply (cut_tac f="%t. if Da < t & t <= Db then [last(F(Da))] else F(t)" and P=qx and c=Da and d=Db in high_eval,auto) 640 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 641 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 642 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 643 | prefer 2 644 | apply blast 645 | apply (simp add: evalFP_def) 646 | (*start for the 2nd case "Db < Da"*) 647 | apply (cut_tac f = F and P = Hx and Q = "high qx" and c = d and d = Da in chop_eval1, auto) 648 | apply (cut_tac x=Da in exI,auto) 649 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 650 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 651 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 652 | apply blast 653 | apply (simp add: high_eval,auto) 654 | (*start for the 2nd case "Db = Da"*) 655 | apply (cut_tac f = F and P = Hx and Q = "high qx" and c = d and d = Da in chop_eval1, auto) 656 | apply (cut_tac x=Da in exI,auto) 657 | apply blast 658 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 659 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 660 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 661 | prefer 2 662 | apply blast 663 | apply (cut_tac f=F and P=qx and c=Da and d=Da in high_eval,auto) (*end for Gx*) 664 | (*start for H*) 665 | apply (subgoal_tac "ievalF(g', Hy[^](l[=]Real 0), d, d2) | ievalF(f', Hx, d, d2)",auto) 666 | apply (cut_tac Px=Px and Py=Py and f=f and g=g and d=d and ch=ch and e=e and x=x and 667 | F=F and G=G and Da=Da and Db=Db and m=m and M=M in communicationR,auto) 668 | (*start for the 1st case Db < Da*) 669 | apply (subgoal_tac "ievalF(F, Hx, d, Da)") 670 | apply blast 671 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 672 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 673 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 674 | apply blast 675 | (*start for the 2nd case Db >= Da*) 676 | apply (case_tac "d=Db",auto) (*2a*) 677 | apply (simp add: chop_eval) 678 | apply (cut_tac x=Db in exI,auto) 679 | apply (cut_tac x="G(Db)" in exI,auto) 680 | apply (cut_tac c=Db and d=Db and f="%t. if t = Db then G(Db) 681 | else if t = Db 682 | then G(Db) @ 683 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 684 | else G(t)" and 685 | g=G and P=Hy in chop_interval,auto) 686 | apply (subgoal_tac "evalPP(Px||Py, f, g, Db) = (Skip, F, G, Da, Db) --> 687 | evalF(last(f(Db)), px) --> evalF(last(g(Db)), py) --> 688 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, Db, Da) & ievalF(G, Hy, Db, Db)",simp) 689 | apply blast 690 | apply (cut_tac L=0 in L_eval,auto) (*2b*) 691 | apply (cut_tac f = "%t. if t = Db 692 | then G(Db) @ 693 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 694 | else G(t)" and P = Hy and Q = "l [=] Real 0" and c = d and d = Db in chop_eval, auto) 695 | apply (cut_tac x=Db in exI,auto) 696 | apply (cut_tac x="G(Db)" in exI,auto) 697 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 698 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 699 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 700 | prefer 2 701 | apply blast 702 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 703 | else if t = Db 704 | then G(Db) @ 705 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 706 | else G(t)" and 707 | g=G and P=Hy in chop_interval,auto) 708 | apply (cut_tac L=0 in L_eval,auto) 709 | apply (cut_tac x=Db in exI,auto) 710 | apply (cut_tac x="G(Db)" in exI,auto) 711 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, F, G, Da, Db) --> 712 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> 713 | evalF(last(F(Da)), qx) & evalF(last(G(Db)), qy) & ievalF(F, Hx, d, Da) & ievalF(G, Hy, d, Db)",simp) 714 | prefer 2 715 | apply blast 716 | apply (cut_tac c=d and d=Db and f="%t. if t = Db then G(Db) 717 | else if t = Db 718 | then G(Db) @ 719 | [%y i. if y = x & i = R then evalE(last(G(Db)), e) else last(G(Db), y, i)] 720 | else G(t)" and 721 | g=G and P=Hy in chop_interval,auto) 722 | apply (cut_tac L=0 in L_eval,auto) 723 | done 724 | 725 | (*soundness for 1st paralle rule*) 726 | lemma Parallel1_sound: "ValidP px py Px Py qx qy Hx Hy 727 | --> Valid qx Qx rx Gx 728 | --> Valid qy Qy ry Gy 729 | --> ValidP px py (Px; m; Qx) (Py; M; Qy) rx ry (Hx [^] Gx) (Hy [^] Gy)" 730 | apply (simp add: ValidP_def Valid_def) 731 | apply auto 732 | (*1st*) 733 | apply (cut_tac Px=Px and Py=Py and Qx=Qx and Qy=Qy and f=f and g=g and d=d and f'=f' and 734 | g'=g' and d'=d1 and D'=d2 and f''=f'' and g''=g'' and d''=d'' and D''=D'' and 735 | m=m and M=M in parallelN2,auto) 736 | apply (subgoal_tac "evalP(Qx, f'', d'') = (Skip, f', d1) --> evalF(last(f''(d'')), qx) --> evalF(last(f'(d1)), rx)") 737 | apply blast 738 | apply auto 739 | (*2nd*) 740 | apply (cut_tac Px=Px and Py=Py and Qx=Qx and Qy=Qy and f=f and g=g and d=d and f'=f' and 741 | g'=g' and d'=d1 and D'=d2 and f''=f'' and g''=g'' and d''=d'' and D''=D'' and 742 | m=m and M=M in parallelN2,auto) 743 | apply (subgoal_tac "evalP(Qy, f'', d'') = (Skip, g', d2) --> evalF(last(f''(d'')), qy) --> evalF(last(g'(d2)), ry)") 744 | apply blast 745 | apply auto 746 | (*3rd*) 747 | apply (cut_tac Px=Px and Py=Py and Qx=Qx and Qy=Qy and f=f and g=g and d=d and f'=f' and 748 | g'=g' and d'=d1 and D'=d2 and f''=f'' and g''=g'' and d''=d'' and D''=D'' and 749 | m=m and M=M in parallelN2,auto) 750 | apply (subgoal_tac "ievalF(f', Hx, d, d'') & ievalF(f', Gx, d'', d1)",auto) 751 | apply (cut_tac f=f' and P=Hx and Q=Gx and c=d and d=d1 in chop_eval1,auto) 752 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, f'', g'', d'', D'') --> 753 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> ievalF(f'', Hx, d, d'')") 754 | apply blast 755 | apply auto 756 | apply (subgoal_tac "evalP(Qx, f'', d'') = (Skip, f', d1) --> 757 | evalF(last(f''(d'')), qx) --> evalF(last(f'(d1)), rx) & ievalF(f', Gx, d'', d1)") 758 | apply blast 759 | apply auto 760 | (*4th*) 761 | apply (cut_tac Px=Px and Py=Py and Qx=Qx and Qy=Qy and f=f and g=g and d=d and f'=f' and 762 | g'=g' and d'=d1 and D'=d2 and f''=f'' and g''=g'' and d''=d'' and D''=D'' and 763 | m=m and M=M and H=Hx and G=Hy in parallelN2,auto) 764 | apply (subgoal_tac "ievalF(g', Hy, d, D'') & ievalF(g', Gy, D'', d2)",auto) 765 | apply (cut_tac f=g' and P=Hy and Q=Gy and c=d and d=d2 in chop_eval1,auto) 766 | apply (subgoal_tac "evalPP(Px||Py, f, g, d) = (Skip, f'', g'', d'', D'') --> 767 | evalF(last(f(d)), px) --> evalF(last(g(d)), py) --> ievalF(g'', Hy, d, D'')") 768 | apply blast 769 | apply auto 770 | apply (subgoal_tac "evalP(Qy, g'', D'') = (Skip, g', d2) --> 771 | evalF(last(g''(D'')), qy) --> evalF(last(g'(d2)), ry) & ievalF(g', Gy, D'', d2)") 772 | apply blast 773 | apply auto 774 | done 775 | 776 | (*soundness for 2nd paralle rule*) 777 | lemma Parallel2_sound: "Valid px Px qx Hx 778 | --> Valid py Py qy Hy 779 | --> ValidP px py Px Py qx qy Hx Hy" 780 | apply (simp add: ValidP_def Valid_def) 781 | apply auto 782 | apply (cut_tac P=Px and Q=Py and d'="d1" and d''=d2 in parallelN1,auto) 783 | apply (cut_tac P=Px and Q=Py and f=f and g=g and d=d and f'="f'" and g'=g' 784 | and d'="d1" and d''=d2 in parallelN1,auto) 785 | apply (subgoal_tac "evalP(Py, g, d) = (Skip, g', d2) --> evalF(last(g(d)), py) --> evalF(last(g'(d2)), qy) & ievalF(g', Hy, d, d2)") 786 | apply blast 787 | apply auto 788 | apply (cut_tac P=Px and Q=Py and d'="d1" and d''=d2 in parallelN1,auto) 789 | apply (cut_tac P=Px and Q=Py and f=f and g=g and d=d and f'="f'" and g'=g' 790 | and d'="d1" and d''=d2 in parallelN1,auto) 791 | apply (subgoal_tac "evalP(Py, g, d) = (Skip, g', d2) --> evalF(last(g(d)), py) --> evalF(last(g'(d2)), qy) & ievalF(g', Hy, d, d2)") 792 | apply blast 793 | apply auto 794 | done 795 | 796 | (*assists for proving the soundness of repetition rule*) 797 | lemma Repetition_assist1: "[| ALL f1 d1 d2. ievalF(f1, Hx [^] Hx, d1, d2) --> ievalF(f1, Hx, d1, d2); 798 | ievalF(F(Suc(na)), l [=] Real 0 [|] Hx, D(0), D(na)) & 799 | ievalF(F(Suc(na)), l [=] Real 0 [|] Hx, D(na), D(Suc(na))) |] 800 | ==> ievalF(F(Suc(na)), l [=] Real 0 [|] Hx, D(0), D(Suc(na)))" 801 | apply (simp add: Or_eval L_eval,auto) 802 | apply (subgoal_tac "ievalF(F(Suc(na)), Hx [^] Hx, D(0), D(Suc(na))) --> ievalF(F(Suc(na)), Hx, D(0), D(Suc(na)))",auto) 803 | apply (subgoal_tac "ievalF(F(Suc(na)), Hx [^] Hx, D(0), D(Suc(na)))",simp) 804 | apply (rule chop_eval1,auto) 805 | done 806 | 807 | (*soundness for repetition rule*) 808 | lemma Repetition_sound: "Valid px Px px Hx 809 | --> (ALL f1 d1 d2. ievalF (f1,(Hx [^] Hx [-->] Hx),d1,d2)) 810 | --> Valid px (Px*) px ((l [=] Real 0) [|] Hx)" 811 | apply (simp add: Imply_eval) 812 | apply (unfold Valid_def,auto) 813 | (*1st*) 814 | apply (cut_tac P = Px and f = f and d = d and f' = "f'" and d' = "d'" and F=F and D=D and 815 | H = "l [=] Real 0 [|] Hx" in repetition,auto) 816 | apply (subgoal_tac "(ALL k evalF(last(F(n)(D(n))), px)") 817 | apply blast 818 | apply (induct_tac n,auto) 819 | (*2nd*) 820 | apply (cut_tac P = Px and f = f and d = d and f' = "f'" and d' = "d'" and F=F and D=D and 821 | H = "l [=] Real 0 [|] Hx" in repetition,auto) 822 | apply (subgoal_tac "(ALL k 824 | ievalF(F(Suc(k)), l [=] Real 0 [|] Hx, D(0), D(k)))) 825 | --> evalF(last(F(n)(D(n))), px) & ievalF(F(n), l [=] Real 0 [|] Hx, D(0), D(n))") 826 | apply blast 827 | apply (induct_tac n,auto) 828 | apply (simp add: Or_eval,auto) 829 | apply (cut_tac f="F(0)" and L=0 and c="D(0)" and d="D(0)" in L_eval,auto) 830 | apply (subgoal_tac "ievalF(F(Suc(na)), l [=] Real 0 [|] Hx, D(0), D(na)) & 831 | ievalF(F(Suc(na)), l [=] Real 0 [|] Hx, D(na), D(Suc(na)))") 832 | apply (rule Repetition_assist1,auto) 833 | apply (subgoal_tac "ievalF(F(Suc(na)), Hx, D(na), D(Suc(na)))") 834 | apply (cut_tac f="F(Suc(na))" and F="l [=] Real 0" and G="Hx" and c="D(na)" and d="D(Suc(na))" in Or_eval,auto) 835 | done 836 | 837 | end 838 | --------------------------------------------------------------------------------