The Theory RCwellf Parents -- HOL Constants -- order ":(* -> (* -> bool)) -> bool" minimal ":* -> ((* -> bool) -> ((* -> (* -> bool)) -> bool))" wellf ":(* -> (* -> bool)) -> bool" Definitions -- order_DEF |- !po. order po = (!x y. po x y ==> ~(x = y)) /\ (!x y z. po x y /\ po y z ==> po x z) minimal_DEF |- !x M po. minimal x M po = M x /\ (!y. M y ==> ~po y x) wellf_DEF |- !po. wellf po = order po /\ (!M. (?x. M x) ==> (?x. minimal x M po)) Theorems -- wellf_INDUCT wellf po |- (!x. (!y. po y x ==> P y) ==> P x) ==> (!x. P x) strong_induct |- !P. (!n. (!m. m < n ==> P m) ==> P n) ==> (!n. P n) num_wellf |- wellf $< wellf_0_grt |- wellf(\x y. 0 < x /\ (x < y \/ (y = 0))) ******************** RCwellf ******************** The Theory RCpredicate Parents -- HOL Constants -- andd ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" or ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" imp ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" implies ":(*s -> bool) -> ((*s -> bool) -> bool)" false ":*s -> bool" true ":*s -> bool" not ":(*s -> bool) -> (*s -> bool)" glb ":((*s -> bool) -> bool) -> (*s -> bool)" lub ":((*s -> bool) -> bool) -> (*s -> bool)" monotonic ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" fix ":((*s -> bool) -> (*s -> bool)) -> (*s -> bool)" gfix ":((*s -> bool) -> (*s -> bool)) -> (*s -> bool)" Infixes -- andd ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" or ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" imp ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" implies ":(*s -> bool) -> ((*s -> bool) -> bool)" Definitions -- false_DEF |- false = (\u. F) true_DEF |- true = (\u. T) not_DEF |- !p. not p = (\u. ~p u) and_DEF |- !p q. p andd q = (\u. p u /\ q u) or_DEF |- !p q. p or q = (\u. p u \/ q u) imp_DEF |- !p q. p imp q = (\u. p u ==> q u) implies_DEF |- !p q. p implies q = (!u. p u ==> q u) glb_DEF |- !P. glb P = (\u. !p. P p ==> p u) lub_DEF |- !P. lub P = (\u. ?p. P p /\ p u) monotonic_DEF |- !f. monotonic f = (!p q. p implies q ==> (f p) implies (f q)) fix_DEF |- !f. fix f = glb(\p. (f p) implies p) gfix_DEF |- !f. gfix f = lub(\p. p implies (f p)) Theorems -- shunt |- (b andd p) implies q = p implies ((not b) or q) implies_prop |- (!p. p implies p) /\ (!p q. p implies q /\ q implies p ==> (p = q)) /\ (!p q r. p implies q /\ q implies r ==> p implies r) and_glb |- p andd q = glb(\p'. (p' = p) \/ (p' = q)) glb_bound |- !P p. P p ==> (glb P) implies p glb_greatest |- !P q. (!p. P p ==> q implies p) ==> q implies (glb P) glb_mono |- (!p. P p ==> (f p) implies (g p)) ==> (glb(\q. ?p. P p /\ (q = f p))) implies (glb(\q. ?p. P p /\ (q = g p))) fix_least |- !p. (f p) implies p ==> (fix f) implies p fix_fp |- monotonic f ==> (f(fix f) = fix f) fix_char |- monotonic f ==> (f a) implies a /\ (!x. (f x = x) ==> a implies x) ==> (a = fix f) gfix_greatest |- !p. p implies (f p) ==> p implies (gfix f) gfix_fp |- monotonic f ==> (f(gfix f) = gfix f) gfix_char |- monotonic f ==> a implies (f a) /\ (!x. (f x = x) ==> x implies a) ==> (a = gfix f) or_into_glb |- q or (glb P) = glb(\p'. ?p. P p /\ (p' = q or p)) glb_and |- !f g. glb(\q. ?p. P p /\ (q = (f p) andd (g p))) = (glb(\q. ?p. P p /\ (q = f p))) andd (glb(\q. ?p. P p /\ (q = g p))) ******************** RCpredicate ******************** The Theory RCcommand Parents -- HOL RCpredicate Constants -- ref ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> bool)" dch ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool)))" ach ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool)))" seq ":((*s2 -> bool) -> (*s3 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s3 -> bool)))" guard ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" Dch ":(((*s1 -> bool) -> (*s2 -> bool)) -> bool) -> ((*s1 -> bool) -> (*s2 -> bool))" Ach ":(((*s1 -> bool) -> (*s2 -> bool)) -> bool) -> ((*s1 -> bool) -> (*s2 -> bool))" mu ":(((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool))) -> ((*s1 -> bool) -> (*s2 -> bool))" dolib ":(*s -> bool) -> (((*s -> bool) -> (*s -> bool)) -> ((*s -> bool) -> (*s -> bool)))" abort ":(*s1 -> bool) -> (*s2 -> bool)" assert ":(*s -> bool) -> ((*s -> bool) -> (*s -> bool))" nondass ":(*s1 -> (*s2 -> bool)) -> ((*s2 -> bool) -> (*s1 -> bool))" assign ":(*s1 -> *s2) -> ((*s2 -> bool) -> (*s1 -> bool))" skip ":(*s -> bool) -> (*s -> bool)" cond ":(*s2 -> bool) -> (((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool))))" do ":(*s -> bool) -> (((*s -> bool) -> (*s -> bool)) -> ((*s -> bool) -> (*s -> bool)))" block ":(* # *s -> bool) -> (((* # *s -> bool) -> (* # *s -> bool)) -> ((*s -> bool) -> (*s -> bool)))" strict ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" terminating ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" biconjunctive ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" uniconjunctive ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" conjunctive ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" pmonotonic ":(((*s1 -> bool) -> (*s2 -> bool)) -> ((*s3 -> bool) -> (*s4 -> bool))) -> bool" mono_mono ":(((*s1 -> bool) -> (*s2 -> bool)) -> ((*s3 -> bool) -> (*s4 -> bool))) -> bool" regular ":(((*s1 -> bool) -> (*s2 -> bool)) -> ((*s3 -> bool) -> (*s4 -> bool))) -> bool" Infixes -- ref ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> bool)" dch ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool)))" ach ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool)))" seq ":((*s2 -> bool) -> (*s3 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s3 -> bool)))" Definitions -- ref_DEF |- !c c'. c ref c' = (!q. (c q) implies (c' q)) guard_DEF |- !b q. guard b q = b imp q dch_DEF |- !c1 c2 q. (c1 dch c2)q = (c1 q) andd (c2 q) Dch_DEF |- !C q. Dch C q = glb(\p. ?c. C c /\ (p = c q)) ach_DEF |- !c1 c2 q. (c1 ach c2)q = (c1 q) or (c2 q) Ach_DEF |- !C q. Ach C q = lub(\p. ?c. C c /\ (p = c q)) mu_DEF |- !f. mu f = Dch(\c. monotonic c /\ (f c) ref c) dolib_DEF |- !g c q. dolib g c q = gfix(\p. (g andd (c p)) or ((not g) andd q)) abort_DEF |- !q. abort q = false assert_DEF |- !p q. assert p q = p andd q nondass_DEF |- !P q. nondass P q = (\u. !u'. P u u' ==> q u') assign_DEF |- !e q. assign e q = (\u. q(e u)) skip_DEF |- !q. skip q = q seq_DEF |- !c1 c2 q. (c1 seq c2)q = c1(c2 q) cond_DEF |- !g c1 c2 q. cond g c1 c2 q = (g andd (c1 q)) or ((not g) andd (c2 q)) do_DEF |- !g c. do g c = mu(\x. cond g(c seq x)skip) block_DEF |- !p c q. block p c q = (\v. !x. p(x,v) ==> c(\(x',v'). q v')(x,v)) strict_DEF |- !c. strict c = (c false = false) terminating_DEF |- !c. terminating c = (c true = true) biconjunctive_DEF |- !c. biconjunctive c = (!p q. c(p andd q) = (c p) andd (c q)) uniconjunctive_DEF |- !c. uniconjunctive c = (!P. c(glb P) = glb(\q. ?p. P p /\ (q = c p))) conjunctive_DEF |- !c. conjunctive c = (!P. (?p. P p) ==> (c(glb P) = glb(\q. ?p. P p /\ (q = c p)))) pmonotonic_DEF |- !f. pmonotonic f = (!c c'. monotonic c /\ monotonic c' /\ c ref c' ==> (f c) ref (f c')) mono_mono_DEF |- !f. mono_mono f = (!c. monotonic c ==> monotonic(f c)) regular_DEF |- !f. regular f = pmonotonic f /\ mono_mono f Theorems -- ref_prop |- (!c. c ref c) /\ (!c c'. c ref c' /\ c' ref c ==> (c = c')) /\ (!c c' c''. c ref c' /\ c' ref c'' ==> c ref c'') mono_Dch |- (!c. C c ==> monotonic c) ==> monotonic(Dch C) Dch_bound |- !C c. C c ==> (Dch C) ref c Dch_greatest |- !C c. (!c'. C c' ==> c ref c') ==> c ref (Dch C) mono_mu |- !f. monotonic(mu f) mu_least |- !c. monotonic c /\ (f c) ref c ==> (mu f) ref c mu_fp |- regular f ==> (f(mu f) = mu f) mu_char |- regular f /\ monotonic a /\ (f a) ref a /\ (!x. (f x = x) ==> a ref x) ==> (a = mu f) do_thm |- !c. monotonic c ==> (do g c q = fix(\p. (g andd (c p)) or ((not g) andd q))) seq_assoc |- c1 seq (c2 seq c3) = (c1 seq c2) seq c3 skip_unit |- (skip seq c = c) /\ (c seq skip = c) do_unfold |- monotonic c ==> (do g c p = (g andd (c(do g c p))) or ((not g) andd p)) do_implies |- monotonic c ==> ((g andd (c q)) or ((not g) andd p)) implies q ==> (do g c p) implies q dolib_unfold |- monotonic c ==> (dolib g c p = (g andd (c(dolib g c p))) or ((not g) andd p)) dolib_implies |- p implies ((g andd (c p)) or ((not g) andd q)) ==> p implies (dolib g c q) assign_skip |- assign(\u. u) = skip cond_true |- cond true c1 c2 = c1 cond_false |- cond false c1 c2 = c2 cond_same |- cond g c c = c do_false |- monotonic c ==> (do false c = skip) do_true |- monotonic c /\ strict c ==> (do true c = abort) skip_eq_assert |- skip = assert true assign_eq_nondass |- assign e = nondass(\u u'. u' = e u) assign_seq |- !e f. (assign e) seq (assign f) = assign(\u. f(e u)) mono_subuniconj |- monotonic c ==> (c(glb P)) implies (glb(\q. ?p. P p /\ (q = c p))) biconj_mono |- biconjunctive c ==> monotonic c conj_biconj |- conjunctive c ==> biconjunctive c conj_mono |- conjunctive c ==> monotonic c uniconj_conjterm |- uniconjunctive c = conjunctive c /\ terminating c uniconj_conj |- uniconjunctive c ==> conjunctive c uniconj_biconj |- uniconjunctive c ==> biconjunctive c uniconj_mono |- uniconjunctive c ==> monotonic c mono_abort |- monotonic abort mono_skip |- monotonic skip mono_assert |- !b. monotonic(assert b) mono_assign |- !e. monotonic(assign e) mono_nondass |- !p. monotonic(nondass p) mono_seq |- !c c'. monotonic c /\ monotonic c' ==> monotonic(c seq c') mono_cond |- !g c1 c2. monotonic c1 /\ monotonic c2 ==> monotonic(cond g c1 c2) mono_do |- !g c. monotonic c ==> monotonic(do g c) mono_dolib |- monotonic c ==> monotonic(dolib g c) mono_block |- !p c. monotonic c ==> monotonic(block p c) do_dolib biconjunctive c |- do g c q = (dolib g c q) andd (do g c true) strict_abort |- strict abort strict_skip |- strict skip strict_assert |- !b. strict(assert b) strict_assign |- !e. strict(assign e) strict_nondass |- strict(nondass P) = (!u. ?v. P u v) strict_seq |- !c c'. strict c /\ strict c' ==> strict(c seq c') strict_cond |- !b c1 c2. strict c1 /\ strict c2 ==> strict(cond b c1 c2) strict_do |- !g c. monotonic c /\ strict c ==> strict(do g c) strict_block |- !p c. (!u. ?x. p(x,u)) ==> strict c ==> strict(block p c) conj_abort |- conjunctive abort conj_skip |- conjunctive skip conj_assert |- !b. conjunctive(assert b) conj_assign |- !e. conjunctive(assign e) conj_nondass |- !p. conjunctive(nondass p) conj_seq |- !c c'. conjunctive c /\ conjunctive c' ==> conjunctive(c seq c') conj_cond |- !b c1 c2. conjunctive c1 /\ conjunctive c2 ==> conjunctive(cond b c1 c2) conj_dolib |- !g c. conjunctive c ==> conjunctive(dolib g c) conj_do |- !g c. conjunctive c ==> conjunctive(do g c) conj_block |- !p c. conjunctive c ==> conjunctive(block p c) nondass_complete |- uniconjunctive c ==> (c = nondass(\u u'. glb(\q. c q u)u')) ******************** RCcommand ******************** The Theory RCcorrect Parents -- HOL RCcommand RCwellf Constants -- correct ":(*s2 -> bool) -> (((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> bool))" Definitions -- correct_DEF |- !p c q. correct p c q = p implies (c q) Theorems -- correct_assign |- (!u. p u ==> q(e u)) ==> correct p(assign e)q correct_nondass |- (!u. p u ==> (!u'. n u u' ==> q u')) ==> correct p(nondass n)q correct_seq |- !c1 c2 p q r. monotonic c1 /\ correct p c1 q /\ correct q c2 r ==> correct p(c1 seq c2)r correct_cond |- !g c1 c2 p q. correct(g andd p)c1 q /\ correct((not g) andd p)c2 q ==> correct p(cond g c1 c2)q wellf_do_rule |- monotonic c /\ wellf po /\ (!x. (p andd (g andd (\u. t u = x))) implies (c(p andd (\u. po(t u)x)))) ==> p implies (do g c p) correct_do_wellf |- !g c po inv t p q. monotonic c /\ wellf po /\ p implies inv /\ ((not g) andd inv) implies q /\ (!x. correct (inv andd (g andd (\u. t u = x))) c (inv andd (\u. po(t u)x))) ==> correct p(do g c)q num_do_rule |- monotonic c /\ (!x. (p andd (g andd (\u. t u = x))) implies (c(p andd (\u. (t u) < x)))) ==> p implies (do g c p) correct_do |- !g c inv t p q. monotonic c /\ p implies inv /\ ((not g) andd inv) implies q /\ (!x. correct (inv andd (g andd (\u. t u = x))) c (inv andd (\u. (t u) < x))) ==> correct p(do g c)q correct_block |- !p0 c p q. correct(\(x,u). p u /\ p0(x,u))c(\(x,u). q u) ==> correct p(block p0 c)q ******************** RCcorrect ******************** The Theory RCrefine Parents -- HOL RCcorrect Theorems -- ref_correct |- !c c'. (!p q. correct p c q ==> correct p c' q) = c ref c' impl_assign |- monotonic c /\ (!u0. correct(\u. u = u0)c(\u. u = e u0)) ==> (assign e) ref c impl_nondass |- monotonic c /\ (!u0. correct(\u. u = u0)c(\v. P u0 v)) ==> (nondass P) ref c assert_fwd |- !p q c. conjunctive c /\ correct p c q ==> ((assert p) seq c) ref (c seq (assert q)) assert_weaken |- p implies q ==> (assert p) ref (assert q) assert_split |- assert(p andd q) = (assert p) seq (assert q) assert_remove |- (assert p) ref skip assert_intro |- !g c. conjunctive c /\ correct true c g ==> (c = c seq (assert g)) assert_bwd |- !p c. conjunctive c ==> (c seq (assert p) = (assert(c p)) seq c) assert_cond |- ((assert p) seq (cond g c1 c2)) ref (cond g ((assert(p andd g)) seq c1) ((assert(p andd (not g))) seq c2)) assert_do |- conjunctive c /\ correct(p andd g)c p ==> ((assert p) seq (do g c)) ref (do g((assert(p andd g)) seq c)) ******************** RCrefine ******************** The Theory RCfunction Parents -- HOL RCrefine Constants -- fcall ":((*s1 -> bool) -> (*s2 -> bool)) -> (*s2 -> *s1)" Definitions -- fcall_DEF |- !c. fcall c = (\u. @v. glb(\q. c q u)v) Theorems -- assign_fcall |- fcall(assign e) = e fcall_thm |- !c f. conjunctive c /\ strict c /\ (!u0. correct(\u. u = u0)c(\v. v = f u0)) ==> (fcall c = f) fcall_rule |- !c f. conjunctive c /\ strict c /\ (assign f) ref c ==> (fcall c = f) fcall_thm_pre |- !g c f. conjunctive c /\ strict c /\ (!u0. g u0 ==> correct(\u. u = u0)c(\v. v = f u0)) ==> (!u. g u ==> (fcall c u = f u)) fcall_rule_pre |- !g c f. conjunctive c /\ strict c /\ ((assert g) seq (assign f)) ref c ==> (!u. g u ==> (fcall c u = f u)) ******************** RCfunction ******************** The Theory RCrecursion Parents -- HOL RCrefine Theorems -- regular_const |- !c. monotonic c ==> regular(\x. c) regular_id |- regular(\x. x) regular_seq |- !f f'. regular f /\ regular f' ==> regular(\x. (f x) seq (f' x)) regular_cond |- !g f f'. regular f /\ regular f' ==> regular(\x. cond g(f x)(f' x)) mu_thm |- !c. regular f /\ monotonic c /\ (?t. !i. ((assert(\u. t u = i)) seq c) ref (f((assert(\u. (t u) < i)) seq c))) ==> c ref (mu f) strict_mu |- (!c. strict c ==> strict(f c)) ==> strict(mu f) ******************** RCrecursion ******************** The Theory RCprocedure Parents -- HOL RCrecursion Constants -- pcall ":((*sa -> bool) -> (*sa -> bool)) -> ((*s -> *sa) -> ((*s -> *sb) -> ((*s -> bool) -> (*s -> bool))))" xpcall ":(* -> ((*sa -> bool) -> (*sa -> bool))) -> ((*s -> *sa) -> ((*s -> *sb) -> ((*s -> *) -> ((*s -> bool) -> (*s -> bool)))))" Definitions -- pcall_DEF |- !c G R q u. pcall c G R q u = (?p. (!u'. p(G u') /\ (R u' = R u) ==> q u') /\ c p(G u)) xpcall_DEF |- !c G R V q u. xpcall c G R V q u = (?p. (!u'. p(G u') /\ (R u' = R u) ==> q u') /\ c(V u)p(G u)) Theorems -- pcall_mono |- !c c'. c ref c' ==> (!G R. (pcall c G R) ref (pcall c' G R)) regular_pcall |- !G R. regular(\x. pcall x G R) xpcall_mono |- !c c'. (!a. (c a) ref (c' a)) ==> (!G R V. (xpcall c G R V) ref (xpcall c' G R V)) ******************** RCprocedure ******************** The Theory RCdataref Parents -- HOL RCrecursion Constants -- abst ":(*a # (*c # *s) -> bool) -> ((*a # *s -> bool) -> (*c # *s -> bool))" repr ":(*a # (*c # *s) -> bool) -> ((*c # *s -> bool) -> (*a # *s -> bool))" dataref ":(*a # (*c # *s) -> bool) -> (((*a # *s -> bool) -> (*a # *s -> bool)) -> (((*c # *s -> bool) -> (*c # *s -> bool)) -> bool))" Definitions -- abst_DEF |- !r q. abst r q = (\(k,u). ?a. r(a,k,u) /\ q(a,u)) repr_DEF |- !r q. repr r q = (\(a,u). !k. r(a,k,u) ==> q(k,u)) dataref_DEF |- !r c c'. dataref r c c' = ((abst r) seq c) ref (c' seq (abst r)) Theorems -- mono_abst |- !r. monotonic(abst r) mono_repr |- !r. monotonic(repr r) abst_repr |- !r. ((abst r) seq (repr r)) ref skip /\ skip ref ((repr r) seq (abst r)) dataref_alt |- monotonic c /\ monotonic c' ==> (dataref r c c' = ((abst r) seq (c seq (repr r))) ref c') dataref_ba |- dataref r c c' = c ref ((repr r) seq (c' seq (abst r))) nondass_dataref |- (!a k k' u u'. r(a,k,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) ==> dataref r(nondass P)(nondass Q) abort_dataref |- dataref r abort abort skip_dataref |- dataref r skip skip seq_dataref |- monotonic c1' /\ dataref r c1 c1' /\ dataref r c2 c2' ==> dataref r(c1 seq c2)(c1' seq c2') cond_dataref |- dataref r c1 c1' /\ dataref r c2 c2' /\ (!a k u. r(a,k,u) ==> (g(a,u) = g'(k,u))) ==> dataref r(cond g c1 c2)(cond g' c1' c2') mu_dataref |- regular f' /\ (!c c'. dataref r c c' ==> dataref r(f c)(f' c')) ==> dataref r(mu f)(mu f') do_dataref |- monotonic c' /\ dataref r c c' /\ (!a k u. r(a,k,u) ==> (g(a,u) = g'(k,u))) ==> dataref r(do g c)(do g' c') block_dataref |- !p c p' c' r. monotonic c' /\ (!k u. p'(k,u) ==> (?a. r(a,k,u) /\ p(a,u))) /\ dataref r c c' ==> (block p c) ref (block p' c') nondass_dataref_eq |- dataref r(nondass P)(nondass Q) = (!a k k' u u'. r(a,k,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) spec_dataref |- (!a k u. r(a,k,u) /\ p(a,u) ==> q(k,u)) /\ (!a k k' u u'. r(a,k,u) /\ p(a,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) ==> dataref r((assert p) seq (nondass P))((assert q) seq (nondass Q)) spec_dataref_eq |- dataref r((assert p) seq (nondass P))((assert q) seq (nondass Q)) = (!a k u. r(a,k,u) /\ p(a,u) ==> q(k,u)) /\ (!a k k' u u'. r(a,k,u) /\ p(a,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) ******************** RCdataref ******************** The Theory RCactsys Parents -- HOL RCdataref Constants -- EVERY2 ":(* -> (** -> bool)) -> ((*)list -> ((**)list -> bool))" magic ":(*s1 -> bool) -> (*s2 -> bool)" ldch ":((*s1 -> bool) -> (*s2 -> bool))list -> ((*s1 -> bool) -> (*s2 -> bool))" lguard ":((*s -> bool) # ((*s -> bool) -> (*s -> bool)))list -> (*s -> bool)" if2 ":(*s2 -> bool) # ((*s1 -> bool) -> (*s2 -> bool)) -> ((*s2 -> bool) # ((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool)))" lif ":((*s -> bool) # ((*s -> bool) -> (*s -> bool)))list -> ((*s -> bool) -> (*s -> bool))" ldo ":((*s -> bool) # ((*s -> bool) -> (*s -> bool)))list -> ((*s -> bool) -> (*s -> bool))" Definitions -- EVERY2_DEF |- (!P yl. EVERY2 P[]yl = T) /\ (!P x xl yl. EVERY2 P(CONS x xl)yl = P x(HD yl) /\ EVERY2 P xl(TL yl)) magic_DEF |- !q. magic q = true ldch_DEF |- (ldch[] = magic) /\ (!c cl. ldch(CONS c cl) = c dch (ldch cl)) lguard_DEF |- (lguard[] = false) /\ (!a al. lguard(CONS a al) = (FST a) or (lguard al)) if2_DEF |- !g1 c1 g2 c2 q. if2(g1,c1)(g2,c2)q = (g1 or g2) andd ((g1 imp (c1 q)) andd (g2 imp (c2 q))) lif_DEF |- (lif[] = abort) /\ (!a al. lif(CONS a al) = if2 a(lguard al,lif al)) ldo_DEF |- !al. ldo al = do(lguard al)(lif al) Theorems -- EVERY2 |- (!P. EVERY2 P[][] = T) /\ (!P x xl y yl. EVERY2 P(CONS x xl)(CONS y yl) = P x y /\ EVERY2 P xl yl) EVERY2_MAP |- !l1 l2 P f g. (LENGTH l1 = LENGTH l2) ==> (EVERY2 P(MAP f l1)(MAP g l2) = EVERY2(\x y. P(f x)(g y))l1 l2) if2_reduce |- if2(g1,c1)(g2,c2) = (assert(g1 or g2)) seq (((guard g1) seq c1) dch ((guard g2) seq c2)) lif_reduce |- !al. lif al = (assert(lguard al)) seq (ldch(MAP(\(g,c). (guard g) seq c)al)) mono_magic |- monotonic magic mono_guard |- !g. monotonic(guard g) mono_if2 |- !g1 c1 g2 c2. monotonic c1 /\ monotonic c2 ==> monotonic(if2(g1,c1)(g2,c2)) mono_lif |- !al. EVERY monotonic(MAP SND al) ==> monotonic(lif al) mono_ldo |- !al. EVERY monotonic(MAP SND al) ==> monotonic(ldo al) correct_if2 |- !p g1 c1 g2 c2 q. correct(g1 andd p)c1 q /\ correct(g2 andd p)c2 q ==> correct((g1 or g2) andd p)(if2(g1,c1)(g2,c2))q correct_ldo |- !al inv t p q. EVERY monotonic(MAP SND al) /\ p implies inv /\ ((not(lguard al)) andd inv) implies q /\ EVERY (\(g,c). !x. correct (inv andd (g andd (\s. t s = x))) c (inv andd (\s. (t s) < x))) al ==> correct p(ldo al)q correct_ldo_wellf |- !al inv po t p q. EVERY monotonic(MAP SND al) /\ wellf po /\ p implies inv /\ ((not(lguard al)) andd inv) implies q /\ EVERY (\(g,c). !x. correct (inv andd (g andd (\s. t s = x))) c (inv andd (\s. po(t s)x))) al ==> correct p(ldo al)q abort_dataref |- dataref r abort abort magic_dataref |- dataref r magic magic ldch_dataref |- !cl' cl r. (LENGTH cl = LENGTH cl') /\ EVERY2(\c c'. dataref r c c')cl cl' ==> dataref r(ldch cl)(ldch cl') assert_dataref |- (!a k u. r(a,k,u) /\ g(a,u) ==> g'(k,u)) ==> dataref r(assert g)(assert g') dch_dataref |- dataref r c1 c1' /\ dataref r c2 c2' ==> dataref r(c1 dch c2)(c1' dch c2') lif_dataref |- !al' al r. EVERY monotonic(MAP SND al') /\ (LENGTH al = LENGTH al') /\ EVERY2(\(g,c) (g',c'). dataref r c((guard g') seq c'))al al' /\ EVERY2 (\(g,c) (g',c'). !a k u. r(a,k,u) /\ g'(k,u) ==> g(a,u)) al al' /\ (!a k u. r(a,k,u) /\ lguard al(a,u) ==> lguard al'(k,u)) ==> dataref r(lif al)(lif al') ldo_dataref |- !al' al r. EVERY monotonic(MAP SND al') /\ (LENGTH al = LENGTH al') /\ EVERY2(\(g,c) (g',c'). dataref r c((guard g') seq c'))al al' /\ EVERY2 (\(g,c) (g',c'). !a k u. r(a,k,u) /\ g'(k,u) ==> g(a,u)) al al' /\ (!a k u. r(a,k,u) /\ lguard al(a,u) ==> lguard al'(k,u)) ==> dataref r(ldo al)(ldo al') actsys_dataref |- !p p' al al' r. (LENGTH al = LENGTH al') /\ EVERY monotonic(MAP SND al') /\ (!k u. p'(k,u) ==> (?a. r(a,k,u) /\ p(a,u))) /\ EVERY2(\(g,c) (g',c'). dataref r c((guard g') seq c'))al al' /\ EVERY2 (\(g,c) (g',c'). !a k u. r(a,k,u) /\ g'(k,u) ==> g(a,u)) al al' /\ (!a k u. r(a,k,u) /\ lguard al(a,u) ==> lguard al'(k,u)) ==> (block p(ldo al)) ref (block p'(ldo al')) ******************** RCactsys ******************** The Theory RCbounded Parents -- HOL RCdataref Constants -- uchain ":(num -> (*s -> bool)) -> bool" ulimit ":(num -> (*s -> bool)) -> (*s -> bool)" ucontinuous ":((*s1 -> bool) -> (*s2 -> bool)) -> bool" H ":(*s -> bool) -> (((*s -> bool) -> (*s -> bool)) -> (num -> ((*s -> bool) -> (*s -> bool))))" dual ":((*s1 -> bool) -> (*s2 -> bool)) -> ((*s1 -> bool) -> (*s2 -> bool))" bwdref ":(*a # (*c # *s) -> bool) -> (((*a # *s -> bool) -> (*a # *s -> bool)) -> (((*c # *s -> bool) -> (*c # *s -> bool)) -> bool))" max ":(num -> num) -> (num -> num)" finite ":(* -> bool) -> bool" Definitions -- uchain_DEF |- !Q. uchain Q = (!n. (Q n) implies (Q(SUC n))) ulimit_DEF |- !Q. ulimit Q = (\s. ?n. Q n s) ucontinuous_DEF |- !f. ucontinuous f = (!Q. uchain Q ==> (f(ulimit Q) = ulimit(\n. f(Q n)))) H_DEF |- (!g c q. H g c 0 q = (not g) andd q) /\ (!g c n q. H g c(SUC n)q = ((not g) andd q) or (g andd (c(H g c n q)))) dual_DEF |- !c q. dual c q = not(c(not q)) bwdref_DEF |- !r c c'. bwdref r c c' = ((dual(abst r)) seq c) ref (c' seq (dual(abst r))) max_DEF |- (!N. max N 0 = N 0) /\ (!N n. max N(SUC n) = ((max N n) < (N(SUC n)) => N(SUC n) | max N n)) finite_DEF |- !A. finite A = (?f n. !a. A a ==> (?i. i < n /\ (f i = a))) Theorems -- ucont_mono |- ucontinuous c ==> monotonic c dual_abst |- dual(abst r)q = (\(k,u). !a. r(a,k,u) ==> q(a,u)) max_prop |- i <= n ==> (N i) <= (max N n) uchain_lemma |- uchain Q ==> (!i j. i <= j ==> (Q i) implies (Q j)) mono_H |- monotonic c ==> monotonic(H g c n) uchain_H |- monotonic c ==> uchain(\n. H g c n q) do_bounded |- ucontinuous c ==> (do g c q = ulimit(\n. H g c n q)) ucont_abort |- ucontinuous abort ucont_skip |- ucontinuous skip ucont_assign |- ucontinuous(assign e) ucont_dch |- ucontinuous c /\ ucontinuous c' ==> ucontinuous(c dch c') ucont_seq |- ucontinuous c /\ ucontinuous c' ==> ucontinuous(c seq c') ucont_cond |- ucontinuous c /\ ucontinuous c' ==> ucontinuous(cond g c c') ucont_assert |- ucontinuous(assert b) ucont_guard |- ucontinuous(guard b) ucont_do |- ucontinuous c ==> ucontinuous(do g c) ucont_abst |- ucontinuous(abst r) ucont_nondass |- (!u. finite(\v. P u v)) ==> ucontinuous(nondass P) ucont_block |- !p c. ucontinuous c /\ (!u. finite(\x. p(x,u))) ==> ucontinuous(block p c) ucont_dualabst |- (!k u. finite(\a. r(a,k,u))) ==> ucontinuous(dual(abst r)) abort_bwdref |- (!k u. ?a. r(a,k,u)) ==> bwdref r abort abort skip_bwdref |- bwdref r skip skip seq_bwdref |- !c1 c1' c2 c2' r. monotonic c1' /\ bwdref r c1 c1' /\ bwdref r c2 c2' ==> bwdref r(c1 seq c2)(c1' seq c2') cond_bwdref |- !g g' c1 c1' c2 c2' r. bwdref r c1 c1' /\ bwdref r c2 c2' /\ (!a k u. r(a,k,u) ==> (g(a,u) = g'(k,u))) ==> bwdref r(cond g c1 c2)(cond g' c1' c2') nondass_bwdref |- (!a' c c' u u'. r(a',c',u') /\ Q(c,u)(c',u') ==> (?a. r(a,c,u) /\ P(a,u)(a',u'))) ==> bwdref r(nondass P)(nondass Q) do_bwdref |- !g c g' c' r. ucontinuous c /\ ucontinuous c' /\ bwdref r c((guard g') seq c') /\ (!a k u. r(a,k,u) ==> (g(a,u) = g'(k,u))) /\ ucontinuous(dual(abst r)) /\ (!k u. ?a. r(a,k,u)) ==> bwdref r(do g c)(do g' c') block_bwdref |- !p c p' c' r. monotonic c' /\ (!a k u. r(a,k,u) /\ p'(k,u) ==> p(a,u)) /\ bwdref r c c' /\ (!k u. ?a. r(a,k,u)) ==> (block p c) ref (block p' c') actsys_bwdref |- !p g c p' g' c' r. ucontinuous c /\ ucontinuous c' /\ (!k u. ?a. r(a,k,u)) /\ ucontinuous(dual(abst r)) /\ (!a k u. r(a,k,u) /\ p'(k,u) ==> p(a,u)) /\ (!a k u. r(a,k,u) ==> (g(a,u) = g'(k,u))) /\ bwdref r c((guard g') seq c') ==> (block p(do g c)) ref (block p'(do g' c')) nondass_bwdref_eq |- bwdref r(nondass P)(nondass Q) = (!a' k k' u u'. r(a',k',u') /\ Q(k,u)(k',u') ==> (?a. r(a,k,u) /\ P(a,u)(a',u'))) spec_bwdref |- (!k u. (!a. r(a,k,u) ==> p(a,u)) ==> q(k,u)) /\ (!a' k k' u u'. (!a. r(a,k,u) ==> p(a,u)) /\ r(a',k',u') /\ Q(k,u)(k',u') ==> (?a. r(a,k,u) /\ P(a,u)(a',u'))) ==> bwdref r((assert p) seq (nondass P))((assert q) seq (nondass Q)) spec_bwdref_eq |- bwdref r((assert p) seq (nondass P))((assert q) seq (nondass Q)) = (!k u. (!a. r(a,k,u) ==> p(a,u)) ==> q(k,u)) /\ (!a' k k' u u'. (!a. r(a,k,u) ==> p(a,u)) /\ r(a',k',u') /\ Q(k,u)(k',u') ==> (?a. r(a,k,u) /\ P(a,u)(a',u'))) ******************** RCbounded ******************** The Theory RCwintool Parents -- HOL RCdataref win Constants -- refines ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> bool)" implies2 ":(*s1 -> (*s2 -> bool)) -> ((*s1 -> (*s2 -> bool)) -> bool)" implied_by ":(*s -> bool) -> ((*s -> bool) -> bool)" Infixes -- refines ":((*s1 -> bool) -> (*s2 -> bool)) -> (((*s1 -> bool) -> (*s2 -> bool)) -> bool)" implies2 ":(*s1 -> (*s2 -> bool)) -> ((*s1 -> (*s2 -> bool)) -> bool)" implied_by ":(*s -> bool) -> ((*s -> bool) -> bool)" Definitions -- refines_DEF |- !c' c. c' refines c = c ref c' implies2_DEF |- !P Q. P implies2 Q = (!u v. P u v ==> Q u v) implied_by_DEF |- !p' p. p' implied_by p = p implies p' Theorems -- refines_refl |- !c. c refines c refines_trans |- !c'' c' c. c'' refines c' /\ c' refines c ==> c'' refines c implies_refl |- !p. p implies p implies_trans |- !p q r. p implies q /\ q implies r ==> p implies r implies2_refl |- !P. P implies2 P implies2_trans |- !P Q R. P implies2 Q /\ Q implies2 R ==> P implies2 R implied_by_refl |- !p. p implied_by p implied_by_trans |- !r q p. r implied_by q /\ q implied_by p ==> r implied_by p spec_to_loop |- !p0 q g c inv t p. monotonic c ==> (\(x,u). p0 u /\ q(x,u)) implies inv ==> ((not g) andd inv) implies (\(x,u). p u) ==> (!x. correct (inv andd (g andd (\s. t s = x))) c (inv andd (\s. (t s) < x))) ==> ((nondass(\u u'. p0 u')) seq (block q(do g c))) refines (nondass(\u u'. p u')) guard_into_cond1 |- cond g c c' = cond g((assert g) seq c)c' guard_into_cond2 |- cond g c c' = cond g c((assert(not g)) seq c') guard_into_do |- do g c = do g((assert g) seq c) add_assert |- !p c. conjunctive c /\ (c p = true) ==> (c seq (assert p)) refines c remove_assert_left |- !p c. c refines ((assert p) seq c) remove_assert_right |- !p c. monotonic c ==> c refines (c seq (assert p)) nondass_to_assign |- !e p. (!u. p u(e u)) ==> (assign e) refines (nondass p) dr_block |- !r p c. monotonic c ==> (block(abst r p)((abst r) seq (c seq (repr r)))) refines (block p c) dr_do |- !r g c. monotonic c ==> (!a a' k u. r(a,k,u) /\ r(a',k,u) /\ g(a',u) ==> g(a,u)) ==> (do(abst r g)((abst r) seq (c seq (repr r)))) refines ((abst r) seq ((do g c) seq (repr r))) dr_seq |- !r c1 c2. monotonic c1 ==> (((abst r) seq (c1 seq (repr r))) seq ((abst r) seq (c2 seq (repr r)))) refines ((abst r) seq ((c1 seq c2) seq (repr r))) dr_cond |- !r g c1 c2. (!a a' k u. r(a,k,u) /\ r(a',k,u) /\ g(a',u) ==> g(a,u)) ==> (cond (abst r g) ((abst r) seq (c1 seq (repr r))) ((abst r) seq (c2 seq (repr r)))) refines ((abst r) seq ((cond g c1 c2) seq (repr r))) dr_nondass_rule |- !r Q P. (!a k k' u u'. r(a,k,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) ==> (nondass Q) refines ((abst r) seq ((nondass P) seq (repr r))) dr_spec |- ((assert(abst r p)) seq (nondass (\(k,u) (k',u'). !a. ?a'. r(a,k,u) /\ p(a,u) /\ r(a',k',u') /\ P(a,u)(a',u')))) refines ((abst r) seq (((assert p) seq (nondass P)) seq (repr r))) dr_spec_rule |- (!a k u. r(a,k,u) /\ p(a,u) ==> q(k,u)) /\ (!a k k' u u'. r(a,k,u) /\ p(a,u) /\ q(k,u) /\ Q(k,u)(k',u') ==> (?a'. r(a',k',u') /\ P(a,u)(a',u'))) ==> ((assert q) seq (nondass Q)) refines ((abst r) seq (((assert p) seq (nondass P)) seq (repr r))) dr_nondass |- (nondass (\(k,u) (k',u'). !a. ?a'. r(a,k,u) /\ r(a',k',u') /\ P(a,u)(a',u'))) refines ((abst r) seq ((nondass P) seq (repr r))) ******************** RCwintool ********************