Theory Corecursive_Prop
text‹\chapter[Semantics Equivalence]{Equivalence of the Operational and Denotational Semantics}›
theory Corecursive_Prop
imports
SymbolicPrimitive
Operational
Denotational
begin
section ‹Stepwise denotational interpretation of TESL atoms›
text ‹
In order to prove the equivalence of the denotational and operational semantics,
we need to be able to ignore the past (for which the constraints are encoded
in the context) and consider only the satisfaction of the constraints from
a given instant index.
For this purpose, we define an interpretation of TESL formulae for a suffix of a run.
That interpretation is closely related to the denotational semantics as
defined in the preceding chapters.
›
fun TESL_interpretation_atomic_stepwise
:: ‹('τ::linordered_field) TESL_atomic ⇒ nat ⇒ 'τ run set› (‹⟦ _ ⟧⇩T⇩E⇩S⇩L⇗≥ _⇖›)
where
‹⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∃n≥i. hamlet ((Rep_run ρ) n K⇩1) ∧ time ((Rep_run ρ) n K⇩2) = τ}›
| ‹⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. R (time ((Rep_run ρ) n K⇩1), time ((Rep_run ρ) n K⇩2))}›
| ‹⟦ master implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. hamlet ((Rep_run ρ) n master) ⟶ hamlet ((Rep_run ρ) n slave)}›
| ‹⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. hamlet ((Rep_run ρ) n master) ⟶ ¬ hamlet ((Rep_run ρ) n slave)}›
| ‹⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. hamlet ((Rep_run ρ) n master) ⟶
(let measured_time = time ((Rep_run ρ) n measuring) in
∀m ≥ n. first_time ρ measuring m (measured_time + δτ)
⟶ hamlet ((Rep_run ρ) m slave)
)
}›
| ‹⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count ρ K⇩1 n)}›
| ‹⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count_strictly ρ K⇩1 n)}›
| ‹⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ i⇖ =
{ρ. ∀n≥i. hamlet ((Rep_run ρ) n K⇩1) ⟶ (∀m≥n. ¬ hamlet ((Rep_run ρ) m K⇩2))}›
text ‹
The denotational interpretation of TESL formulae can be unfolded into the
stepwise interpretation.
›
lemma TESL_interp_unfold_stepwise_sporadicon:
‹⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L = ⋃ {Y. ∃n::nat. Y = ⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_tagrelgen:
‹⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat. Y = ⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_implies:
‹⟦ master implies slave ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat. Y = ⟦ master implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_implies_not:
‹⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat. Y = ⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_timedelayed:
‹⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat.
Y = ⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_weakly_precedes:
‹⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat. Y = ⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_strictly_precedes:
‹⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L
= ⋂ {Y. ∃n::nat. Y = ⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
lemma TESL_interp_unfold_stepwise_kills:
‹⟦ master kills slave ⟧⇩T⇩E⇩S⇩L = ⋂ {Y. ∃n::nat. Y = ⟦ master kills slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
by auto
text ‹
Positive atomic formulae (the ones that create ticks from nothing) are unfolded
as the union of the stepwise interpretations.
›
theorem TESL_interp_unfold_stepwise_positive_atoms:
assumes ‹positive_atom φ›
shows ‹⟦ φ::'τ::linordered_field TESL_atomic ⟧⇩T⇩E⇩S⇩L
= ⋃ {Y. ∃n::nat. Y = ⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
proof -
from positive_atom.elims(2)[OF assms]
obtain u v w where ‹φ = (u sporadic v on w)› by blast
with TESL_interp_unfold_stepwise_sporadicon show ?thesis by simp
qed
text ‹
Negative atomic formulae are unfolded
as the intersection of the stepwise interpretations.
›
theorem TESL_interp_unfold_stepwise_negative_atoms:
assumes ‹¬ positive_atom φ›
shows ‹⟦ φ ⟧⇩T⇩E⇩S⇩L = ⋂ {Y. ∃n::nat. Y = ⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖}›
proof (cases φ)
case SporadicOn thus ?thesis using assms by simp
next
case TagRelation
thus ?thesis using TESL_interp_unfold_stepwise_tagrelgen by simp
next
case Implies
thus ?thesis using TESL_interp_unfold_stepwise_implies by simp
next
case ImpliesNot
thus ?thesis using TESL_interp_unfold_stepwise_implies_not by simp
next
case TimeDelayedBy
thus ?thesis using TESL_interp_unfold_stepwise_timedelayed by simp
next
case WeaklyPrecedes
thus ?thesis
using TESL_interp_unfold_stepwise_weakly_precedes by simp
next
case StrictlyPrecedes
thus ?thesis
using TESL_interp_unfold_stepwise_strictly_precedes by simp
next
case Kills
thus ?thesis
using TESL_interp_unfold_stepwise_kills by simp
qed
text ‹
Some useful lemmas for reasoning on properties of sequences.
›
lemma forall_nat_expansion:
‹(∀n ≥ (n⇩0::nat). P n) = (P n⇩0 ∧ (∀n ≥ Suc n⇩0. P n))›
proof -
have ‹(∀n ≥ (n⇩0::nat). P n) = (∀n. (n = n⇩0 ∨ n > n⇩0) ⟶ P n)›
using le_less by blast
also have ‹... = (P n⇩0 ∧ (∀n > n⇩0. P n))› by blast
finally show ?thesis using Suc_le_eq by simp
qed
lemma exists_nat_expansion:
‹(∃n ≥ (n⇩0::nat). P n) = (P n⇩0 ∨ (∃n ≥ Suc n⇩0. P n))›
proof -
have ‹(∃n ≥ (n⇩0::nat). P n) = (∃n. (n = n⇩0 ∨ n > n⇩0) ∧ P n)›
using le_less by blast
also have ‹... = (∃n. (P n⇩0) ∨ (n > n⇩0 ∧ P n))› by blast
finally show ?thesis using Suc_le_eq by simp
qed
lemma forall_nat_set_suc:‹{x. ∀m ≥ n. P x m} = {x. P x n} ∩ {x. ∀m ≥ Suc n. P x m}›
proof
{ fix x assume h:‹x ∈ {x. ∀m ≥ n. P x m}›
hence ‹P x n› by simp
moreover from h have ‹x ∈ {x. ∀m ≥ Suc n. P x m}› by simp
ultimately have ‹x ∈ {x. P x n} ∩ {x. ∀m ≥ Suc n. P x m}› by simp
} thus ‹{x. ∀m ≥ n. P x m} ⊆ {x. P x n} ∩ {x. ∀m ≥ Suc n. P x m}› ..
next
{ fix x assume h:‹x ∈ {x. P x n} ∩ {x. ∀m ≥ Suc n. P x m}›
hence ‹P x n› by simp
moreover from h have ‹∀m ≥ Suc n. P x m› by simp
ultimately have ‹∀m ≥ n. P x m› using forall_nat_expansion by blast
hence ‹x ∈ {x. ∀m ≥ n. P x m}› by simp
} thus ‹{x. P x n} ∩ {x. ∀m ≥ Suc n. P x m} ⊆ {x. ∀m ≥ n. P x m}› ..
qed
lemma exists_nat_set_suc:‹{x. ∃m ≥ n. P x m} = {x. P x n} ∪ {x. ∃m ≥ Suc n. P x m}›
proof
{ fix x assume h:‹x ∈ {x. ∃m ≥ n. P x m}›
hence ‹x ∈ {x. ∃m. (m = n ∨ m ≥ Suc n) ∧ P x m}›
using Suc_le_eq antisym_conv2 by fastforce
hence ‹x ∈ {x. P x n} ∪ {x. ∃m ≥ Suc n. P x m}› by blast
} thus ‹{x. ∃m ≥ n. P x m} ⊆ {x. P x n} ∪ {x. ∃m ≥ Suc n. P x m}› ..
next
{ fix x assume h:‹x ∈ {x. P x n} ∪ {x. ∃m ≥ Suc n. P x m}›
hence ‹x ∈ {x. ∃m ≥ n. P x m}› using Suc_leD by blast
} thus ‹{x. P x n} ∪ {x. ∃m ≥ Suc n. P x m} ⊆ {x. ∃m ≥ n. P x m}› ..
qed
section ‹Coinduction Unfolding Properties›
text ‹
The following lemmas show how to shorten a suffix, i.e. to unfold one instant
in the construction of a run. They correspond to the rules of the operational
semantics.
›
lemma TESL_interp_stepwise_sporadicon_coind_unfold:
‹⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ⇓ n @ τ ⟧⇩p⇩r⇩i⇩m
∪ ⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
unfolding TESL_interpretation_atomic_stepwise.simps(1)
symbolic_run_interpretation_primitive.simps(1,6)
using exists_nat_set_suc[of ‹n› ‹λρ n. hamlet (Rep_run ρ n K⇩1)
∧ time (Rep_run ρ n K⇩2) = τ›]
by (simp add: Collect_conj_eq)
lemma TESL_interp_stepwise_tagrel_coind_unfold:
‹⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
⟦ ⌊τ⇩v⇩a⇩r(K⇩1, n), τ⇩v⇩a⇩r(K⇩2, n)⌋ ∈ R ⟧⇩p⇩r⇩i⇩m
∩ ⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
have ‹{ρ. ∀m≥n. R (time ((Rep_run ρ) m K⇩1), time ((Rep_run ρ) m K⇩2))}
= {ρ. R (time ((Rep_run ρ) n K⇩1), time ((Rep_run ρ) n K⇩2))}
∩ {ρ. ∀m≥Suc n. R (time ((Rep_run ρ) m K⇩1), time ((Rep_run ρ) m K⇩2))}›
using forall_nat_set_suc[of ‹n› ‹λx y. R (time ((Rep_run x) y K⇩1),
time ((Rep_run x) y K⇩2))›] by simp
thus ?thesis by auto
qed
lemma TESL_interp_stepwise_implies_coind_unfold:
‹⟦ master implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
( ⟦ master ¬⇑ n ⟧⇩p⇩r⇩i⇩m
∪ ⟦ master ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ slave ⇑ n ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ master implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
have ‹{ρ. ∀m≥n. hamlet ((Rep_run ρ) m master) ⟶ hamlet ((Rep_run ρ) m slave)}
= {ρ. hamlet ((Rep_run ρ) n master) ⟶ hamlet ((Rep_run ρ) n slave)}
∩ {ρ. ∀m≥Suc n. hamlet ((Rep_run ρ) m master)
⟶ hamlet ((Rep_run ρ) m slave)}›
using forall_nat_set_suc[of ‹n› ‹λx y. hamlet ((Rep_run x) y master)
⟶ hamlet ((Rep_run x) y slave)›] by simp
thus ?thesis by auto
qed
lemma TESL_interp_stepwise_implies_not_coind_unfold:
‹⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
( ⟦ master ¬⇑ n ⟧⇩p⇩r⇩i⇩m
∪ ⟦ master ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ slave ¬⇑ n ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
have ‹{ρ. ∀m≥n. hamlet ((Rep_run ρ) m master) ⟶ ¬ hamlet ((Rep_run ρ) m slave)}
= {ρ. hamlet ((Rep_run ρ) n master) ⟶ ¬ hamlet ((Rep_run ρ) n slave)}
∩ {ρ. ∀m≥Suc n. hamlet ((Rep_run ρ) m master)
⟶ ¬ hamlet ((Rep_run ρ) m slave)}›
using forall_nat_set_suc[of ‹n› ‹λx y. hamlet ((Rep_run x) y master)
⟶ ¬hamlet ((Rep_run x) y slave)›] by simp
thus ?thesis by auto
qed
lemma TESL_interp_stepwise_timedelayed_coind_unfold:
‹⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
( ⟦ master ¬⇑ n ⟧⇩p⇩r⇩i⇩m
∪ (⟦ master ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ measuring @ n ⊕ δτ ⇒ slave ⟧⇩p⇩r⇩i⇩m))
∩ ⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
let ?prop = ‹λρ m. hamlet ((Rep_run ρ) m master) ⟶
(let measured_time = time ((Rep_run ρ) m measuring) in
∀p ≥ m. first_time ρ measuring p (measured_time + δτ)
⟶ hamlet ((Rep_run ρ) p slave))›
have ‹{ρ. ∀m ≥ n. ?prop ρ m} = {ρ. ?prop ρ n} ∩ {ρ. ∀m ≥ Suc n. ?prop ρ m}›
using forall_nat_set_suc[of ‹n› ?prop] by blast
also have ‹... = {ρ. ?prop ρ n}
∩ ⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
finally show ?thesis by auto
qed
lemma TESL_interp_stepwise_weakly_precedes_coind_unfold:
‹⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
⟦ (⌈#⇧≤ K⇩2 n, #⇧≤ K⇩1 n⌉ ∈ (λ(x,y). x≤y)) ⟧⇩p⇩r⇩i⇩m
∩ ⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
have ‹{ρ. ∀p≥n. (run_tick_count ρ K⇩2 p) ≤ (run_tick_count ρ K⇩1 p)}
= {ρ. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count ρ K⇩1 n)}
∩ {ρ. ∀p≥Suc n. (run_tick_count ρ K⇩2 p) ≤ (run_tick_count ρ K⇩1 p)}›
using forall_nat_set_suc[of ‹n› ‹λρ n. (run_tick_count ρ K⇩2 n)
≤ (run_tick_count ρ K⇩1 n)›]
by simp
thus ?thesis by auto
qed
lemma TESL_interp_stepwise_strictly_precedes_coind_unfold:
‹⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
⟦ (⌈#⇧≤ K⇩2 n, #⇧< K⇩1 n⌉ ∈ (λ(x,y). x≤y)) ⟧⇩p⇩r⇩i⇩m
∩ ⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
have ‹{ρ. ∀p≥n. (run_tick_count ρ K⇩2 p) ≤ (run_tick_count_strictly ρ K⇩1 p)}
= {ρ. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count_strictly ρ K⇩1 n)}
∩ {ρ. ∀p≥Suc n. (run_tick_count ρ K⇩2 p) ≤ (run_tick_count_strictly ρ K⇩1 p)}›
using forall_nat_set_suc[of ‹n› ‹λρ n. (run_tick_count ρ K⇩2 n)
≤ (run_tick_count_strictly ρ K⇩1 n)›]
by simp
thus ?thesis by auto
qed
lemma TESL_interp_stepwise_kills_coind_unfold:
‹⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ =
( ⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m
∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ¬⇑ ≥ n ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
proof -
let ?kills = ‹λn ρ. ∀p≥n. hamlet ((Rep_run ρ) p K⇩1)
⟶ (∀m≥p. ¬ hamlet ((Rep_run ρ) m K⇩2))›
let ?ticks = ‹λn ρ c. hamlet ((Rep_run ρ) n c)›
let ?dead = ‹λn ρ c. ∀m ≥ n. ¬hamlet ((Rep_run ρ) m c)›
have ‹⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = {ρ. ?kills n ρ}› by simp
also have ‹... = ({ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ})
∪ ({ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2})›
proof
{ fix ρ::‹'τ::linordered_field run›
assume ‹ρ ∈ {ρ. ?kills n ρ}›
hence ‹?kills n ρ› by simp
hence ‹(?ticks n ρ K⇩1 ∧ ?dead n ρ K⇩2) ∨ (¬?ticks n ρ K⇩1 ∧ ?kills (Suc n) ρ)›
using Suc_leD by blast
hence ‹ρ ∈ ({ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2})
∪ ({ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ})›
by blast
} thus ‹{ρ. ?kills n ρ}
⊆ {ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ}
∪ {ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2}› by blast
next
{ fix ρ::‹'τ::linordered_field run›
assume ‹ρ ∈ ({ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ})
∪ ({ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2})›
hence ‹¬ ?ticks n ρ K⇩1 ∧ ?kills (Suc n) ρ
∨ ?ticks n ρ K⇩1 ∧ ?dead n ρ K⇩2› by blast
moreover have ‹((¬ ?ticks n ρ K⇩1) ∧ (?kills (Suc n) ρ)) ⟶ ?kills n ρ›
using dual_order.antisym not_less_eq_eq by blast
ultimately have ‹?kills n ρ ∨ ?ticks n ρ K⇩1 ∧ ?dead n ρ K⇩2› by blast
hence ‹?kills n ρ› using le_trans by blast
} thus ‹({ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ})
∪ ({ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2})
⊆ {ρ. ?kills n ρ}› by blast
qed
also have ‹... = {ρ. ¬ ?ticks n ρ K⇩1} ∩ {ρ. ?kills (Suc n) ρ}
∪ {ρ. ?ticks n ρ K⇩1} ∩ {ρ. ?dead n ρ K⇩2} ∩ {ρ. ?kills (Suc n) ρ}›
using Collect_cong Collect_disj_eq by auto
also have ‹... = ⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖
∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ¬⇑ ≥ n ⟧⇩p⇩r⇩i⇩m
∩ ⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
finally show ?thesis by blast
qed
text ‹
The stepwise interpretation of a TESL formula is the intersection of the
interpretation of its atomic components.
›
fun TESL_interpretation_stepwise
::‹'τ::linordered_field TESL_formula ⇒ nat ⇒ 'τ run set›
(‹⟦⟦ _ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ _⇖›)
where
‹⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = {ρ. True}›
| ‹⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = ⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
lemma TESL_interpretation_stepwise_fixpoint:
‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = ⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖) ` set Φ)›
by (induction Φ, simp, auto)
text ‹
The global interpretation of a TESL formula is its interpretation starting
at the first instant.
›
lemma TESL_interpretation_stepwise_zero:
‹⟦ φ ⟧⇩T⇩E⇩S⇩L = ⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ 0⇖›
by (induction φ, simp+)
lemma TESL_interpretation_stepwise_zero':
‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ 0⇖›
by (induction Φ, simp, simp add: TESL_interpretation_stepwise_zero)
lemma TESL_interpretation_stepwise_cons_morph:
‹⟦ φ ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = ⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
by auto
theorem TESL_interp_stepwise_composition:
shows ‹⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = ⟦⟦ Φ⇩1 ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
by (induction Φ⇩1, simp, auto)
section ‹Interpretation of configurations›
text ‹
The interpretation of a configuration of the operational semantics abstract
machine is the intersection of:
▪ the interpretation of its context (the past),
▪ the interpretation of its present from the current instant,
▪ the interpretation of its future from the next instant.
›
fun HeronConf_interpretation
::‹'τ::linordered_field config ⇒ 'τ run set› (‹⟦ _ ⟧⇩c⇩o⇩n⇩f⇩i⇩g› 71)
where
‹⟦ Γ, n ⊢ Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
lemma HeronConf_interp_composition:
‹⟦ Γ⇩1, n ⊢ Ψ⇩1 ▹ Φ⇩1 ⟧⇩c⇩o⇩n⇩f⇩i⇩g ∩ ⟦ Γ⇩2, n ⊢ Ψ⇩2 ▹ Φ⇩2 ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ (Γ⇩1 @ Γ⇩2), n ⊢ (Ψ⇩1 @ Ψ⇩2) ▹ (Φ⇩1 @ Φ⇩2) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
using TESL_interp_stepwise_composition symrun_interp_expansion
by (simp add: TESL_interp_stepwise_composition
symrun_interp_expansion inf_assoc inf_left_commute)
text ‹
When there are no remaining constraints on the present, the interpretation of
a configuration is the same as the configuration at the next instant of its future.
This corresponds to the introduction rule of the operational semantics.
›
lemma HeronConf_interp_stepwise_instant_cases:
‹⟦ Γ, n ⊢ [] ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g = ⟦ Γ, Suc n ⊢ Φ ▹ [] ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ [] ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ Γ, Suc n ⊢ Φ ▹ [] ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
ultimately show ?thesis by blast
qed
text ‹
The following lemmas use the unfolding properties of the stepwise denotational
semantics to give rewriting rules for the interpretation of configurations that
match the elimination rules of the operational semantics.
›
lemma HeronConf_interp_stepwise_sporadicon_cases:
‹⟦ Γ, n ⊢ ((K⇩1 sporadic τ on K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ Γ, n ⊢ Ψ ▹ ((K⇩1 sporadic τ on K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
∪ ⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇓ n @ τ) # Γ), n ⊢ Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 sporadic τ on K⇩2) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 sporadic τ on K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ Γ, n ⊢ Ψ ▹ ((K⇩1 sporadic τ on K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 sporadic τ on K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇓ n @ τ) # Γ), n ⊢ Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇓ n @ τ) # Γ) ⟧⟧⇩p⇩r⇩i⇩m
∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
ultimately show ?thesis
proof -
have ‹(⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ⇓ n @ τ ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)
∩ (⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖)
= ⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m)›
using TESL_interp_stepwise_sporadicon_coind_unfold by blast
hence ‹⟦⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇓ n @ τ) # Γ) ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∪ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖
= ⟦⟦ (K⇩1 sporadic τ on K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m› by auto
thus ?thesis by auto
qed
qed
lemma HeronConf_interp_stepwise_tagrel_cases:
‹⟦ Γ, n ⊢ ((time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((⌊τ⇩v⇩a⇩r(K⇩1, n), τ⇩v⇩a⇩r(K⇩2, n)⌋ ∈ R) # Γ), n
⊢ Ψ ▹ ((time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((⌊τ⇩v⇩a⇩r(K⇩1, n), τ⇩v⇩a⇩r(K⇩2, n)⌋ ∈ R) # Γ), n
⊢ Ψ ▹ ((time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (⌊τ⇩v⇩a⇩r(K⇩1, n), τ⇩v⇩a⇩r(K⇩2, n)⌋ ∈ R) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
ultimately show ?thesis
proof -
have ‹⟦ ⌊τ⇩v⇩a⇩r(K⇩1, n), τ⇩v⇩a⇩r(K⇩2, n)⌋ ∈ R ⟧⇩p⇩r⇩i⇩m
∩ ⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖
∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ = ⟦⟦ (time-relation ⌊K⇩1, K⇩2⌋ ∈ R) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
using TESL_interp_stepwise_tagrel_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
thus ?thesis by auto
qed
qed
lemma HeronConf_interp_stepwise_implies_cases:
‹⟦ Γ, n ⊢ ((K⇩1 implies K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
∪ ⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 implies K⇩2) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 implies K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 implies K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ ((K⇩1 ⇑ n) # (K⇩2 ⇑ n) # Γ) ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 implies K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
ultimately show ?thesis
proof -
have f1: ‹(⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ⇑ n ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ K⇩1 implies K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)
= ⟦⟦ (K⇩1 implies K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
using TESL_interp_stepwise_implies_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
have ‹⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩2 ⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ⇑ n ⟧⇩p⇩r⇩i⇩m) ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
by force
hence ‹⟦ Γ, n ⊢ ((K⇩1 implies K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩2 ⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m)
∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ (K⇩1 implies K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)›
using f1 by (simp add: inf_left_commute inf_assoc)
thus ?thesis by (simp add: Int_Un_distrib2 inf_assoc)
qed
qed
lemma HeronConf_interp_stepwise_implies_not_cases:
‹⟦ Γ, n ⊢ ((K⇩1 implies not K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies not K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
∪ ⟦ ((K⇩1 ⇑ n) # (K⇩2 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies not K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 implies not K⇩2) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 implies not K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies not K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 implies not K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((K⇩1 ⇑ n) # (K⇩2 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 implies not K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ ((K⇩1 ⇑ n) # (K⇩2 ¬⇑ n) # Γ) ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 implies not K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
ultimately show ?thesis
proof -
have f1: ‹(⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ¬⇑ n ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ K⇩1 implies not K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖
∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)
= ⟦⟦ (K⇩1 implies not K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
using TESL_interp_stepwise_implies_not_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
have ‹⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩2 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 ¬⇑ n ⟧⇩p⇩r⇩i⇩m) ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
by force
then have ‹⟦ Γ, n ⊢ ((K⇩1 implies not K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m
∩ ⟦⟦ (K⇩2 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m) ∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 implies not K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)›
using f1 by (simp add: inf_left_commute inf_assoc)
thus ?thesis by (simp add: Int_Un_distrib2 inf_assoc)
qed
qed
lemma HeronConf_interp_stepwise_timedelayed_cases:
‹⟦ Γ, n ⊢ ((K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
∪ ⟦ ((K⇩1 ⇑ n) # (K⇩2 @ n ⊕ δτ ⇒ K⇩3) # Γ), n
⊢ Ψ ▹ ((K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have 1:‹⟦ Γ, n ⊢ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((K⇩1 ¬⇑ n) # Γ), n
⊢ Ψ ▹ ((K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ ((K⇩1 ⇑ n) # (K⇩2 @ n ⊕ δτ ⇒ K⇩3) # Γ), n
⊢ Ψ ▹ ((K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ⇑ n) # (K⇩2 @ n ⊕ δτ ⇒ K⇩3) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
ultimately show ?thesis
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ (⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖)›
using 1 by blast
hence ‹⟦ Γ, n ⊢ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 @ n ⊕ δτ ⇒ K⇩3 ⟧⇩p⇩r⇩i⇩m)
∩ (⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ (⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖))›
using TESL_interpretation_stepwise_cons_morph
TESL_interp_stepwise_timedelayed_coind_unfold
proof -
have ‹⟦⟦ (K⇩1 time-delayed by δτ on K⇩2 implies K⇩3) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
= (⟦ K⇩1 ¬⇑ n ⟧⇩p⇩r⇩i⇩m ∪ ⟦ K⇩1 ⇑ n ⟧⇩p⇩r⇩i⇩m ∩ ⟦ K⇩2 @ n ⊕ δτ ⇒ K⇩3 ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ K⇩1 time-delayed by δτ on K⇩2 implies K⇩3 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
using TESL_interp_stepwise_timedelayed_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
then show ?thesis
by (simp add: Int_assoc Int_left_commute)
qed
then show ?thesis by (simp add: inf_assoc inf_sup_distrib2)
qed
qed
lemma HeronConf_interp_stepwise_weakly_precedes_cases:
‹⟦ Γ, n ⊢ ((K⇩1 weakly precedes K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((⌈#⇧≤ K⇩2 n, #⇧≤ K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ), n
⊢ Ψ ▹ ((K⇩1 weakly precedes K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 weakly precedes K⇩2) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 weakly precedes K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((⌈#⇧≤ K⇩2 n, #⇧≤ K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ), n
⊢ Ψ ▹ ((K⇩1 weakly precedes K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (⌈#⇧≤ K⇩2 n, #⇧≤ K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ ⟧⟧⇩p⇩r⇩i⇩m
∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ (K⇩1 weakly precedes K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
ultimately show ?thesis
proof -
have ‹⟦ ⌈#⇧≤ K⇩2 n, #⇧≤ K⇩1 n⌉ ∈ (λ(x,y). x≤y) ⟧⇩p⇩r⇩i⇩m
∩ ⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
= ⟦⟦ (K⇩1 weakly precedes K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
using TESL_interp_stepwise_weakly_precedes_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
thus ?thesis by auto
qed
qed
lemma HeronConf_interp_stepwise_strictly_precedes_cases:
‹⟦ Γ, n ⊢ ((K⇩1 strictly precedes K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((⌈#⇧≤ K⇩2 n, #⇧< K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ), n
⊢ Ψ ▹ ((K⇩1 strictly precedes K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ (K⇩1 strictly precedes K⇩2) # Ψ ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 strictly precedes K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((⌈#⇧≤ K⇩2 n, #⇧< K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ), n
⊢ Ψ ▹ ((K⇩1 strictly precedes K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (⌈#⇧≤ K⇩2 n, #⇧< K⇩1 n⌉ ∈ (λ(x,y). x≤y)) # Γ ⟧⟧⇩p⇩r⇩i⇩m
∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 strictly precedes K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
ultimately show ?thesis
proof -
have ‹⟦ ⌈#⇧≤ K⇩2 n, #⇧< K⇩1 n⌉ ∈ (λ(x,y). x≤y) ⟧⇩p⇩r⇩i⇩m
∩ ⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
= ⟦⟦ (K⇩1 strictly precedes K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
using TESL_interp_stepwise_strictly_precedes_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
thus ?thesis by auto
qed
qed
lemma HeronConf_interp_stepwise_kills_cases:
‹⟦ Γ, n ⊢ ((K⇩1 kills K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 kills K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
∪ ⟦ ((K⇩1 ⇑ n) # (K⇩2 ¬⇑ ≥ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 kills K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g›
proof -
have ‹⟦ Γ, n ⊢ ((K⇩1 kills K⇩2) # Ψ) ▹ Φ ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ (K⇩1 kills K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖ ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖›
by simp
moreover have ‹⟦ ((K⇩1 ¬⇑ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 kills K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ¬⇑ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 kills K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
moreover have ‹⟦ ((K⇩1 ⇑ n) # (K⇩2 ¬⇑ ≥ n) # Γ), n ⊢ Ψ ▹ ((K⇩1 kills K⇩2) # Φ) ⟧⇩c⇩o⇩n⇩f⇩i⇩g
= ⟦⟦ (K⇩1 ⇑ n) # (K⇩2 ¬⇑ ≥ n) # Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
∩ ⟦⟦ (K⇩1 kills K⇩2) # Φ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖› by simp
ultimately show ?thesis
proof -
have ‹⟦⟦ (K⇩1 kills K⇩2) # Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖
= (⟦ (K⇩1 ¬⇑ n) ⟧⇩p⇩r⇩i⇩m ∪ ⟦ (K⇩1 ⇑ n) ⟧⇩p⇩r⇩i⇩m ∩ ⟦ (K⇩2 ¬⇑ ≥ n) ⟧⇩p⇩r⇩i⇩m)
∩ ⟦ (K⇩1 kills K⇩2) ⟧⇩T⇩E⇩S⇩L⇗≥ Suc n⇖ ∩ ⟦⟦ Ψ ⟧⟧⇩T⇩E⇩S⇩L⇗≥ n⇖›
using TESL_interp_stepwise_kills_coind_unfold
TESL_interpretation_stepwise_cons_morph by blast
thus ?thesis by auto
qed
qed
end