Theory DataRefinement
section ‹Data Refinement of Diagrams›
theory DataRefinement
imports Diagram
begin
text‹
Next definition introduces the concept of data refinement of $S1$
to $S2$ using the data abstractions $R$ and $R'$.
›
definition
DataRefinement :: "('a::type ⇒ 'b::type)
⇒ ('b::type ⇒ 'c::ord) ⇒ ('a::type ⇒ 'd::type)
⇒ ('d::type ⇒ 'c::ord) ⇒ bool" where
"DataRefinement S1 R R' S2 = ((R o S1) ≤ (S2 o R'))"
text‹
If $\mathit{demonic}\ Q$ is correct with respect to $p$ and $q$, and
$(\mathit{assert} \ p)\circ (\mathit{demonic}\ Q)$ is data refined
by $S$, then $S$ is correct with respect to $\mathit{angelic}\ R\ p$ and
$\mathit{angelic} \ R' \ q$.
›
theorem data_refinement:
"mono R ⟹ ⊨ p {| S |} q ⟹ DataRefinement S R R' S' ⟹
⊨ (R p) {| S' |} (R' q)"
apply (simp add: DataRefinement_def Hoare_def le_fun_def)
apply (drule_tac x = q in spec)
apply (rule_tac y = "R (S q)" in order_trans)
apply (drule_tac x = p and y = "S q" in monoD)
by simp_all
theorem data_refinement2:
"mono R ⟹ ⊨ p {| S |} q ⟹ DataRefinement ({.p.} o S) R R' S' ⟹
⊨ (R p) {| S' |} (R' q)"
apply (simp add: DataRefinement_def Hoare_def le_fun_def assert_def)
apply (drule_tac x = q in spec)
apply (subgoal_tac "p ⊓ S q = p")
apply simp
apply (rule antisym)
by simp_all
theorem data_refinement_hoare:
"mono S ⟹ mono D ⟹ DataRefinement ({.p.} o [:Q:]) {:R:} D S =
(∀ s . ⊨ {s' . s ∈ R s' ∧ s ∈ p} {| S |} (D ((Q s)::'a::order)))"
apply (simp add: le_fun_def assert_def angelic_def demonic_def Hoare_def DataRefinement_def)
apply safe
apply (simp_all)
apply (drule_tac x = "Q s" in spec)
apply auto [1]
apply (drule_tac x = "xb" in spec)
apply simp
apply (simp add: less_eq_set_def le_fun_def)
apply (drule_tac x = xa in spec)
apply (simp_all add: mono_def)
by auto
theorem data_refinement_choice1:
"DataRefinement S1 D D' S2 ⟹ DataRefinement S1 D D' S2' ⟹ DataRefinement S1 D D' ( S2 ⊓ S2') "
by (simp add: DataRefinement_def hoare_choice le_fun_def inf_fun_def)
theorem data_refinement_choice2:
"mono D ⟹ DataRefinement S1 D D' S2 ⟹ DataRefinement S1' D D' S2' ⟹
DataRefinement (S1 ⊓ S1') D D' (S2 ⊓ S2')"
apply (simp add: DataRefinement_def inf_fun_def le_fun_def)
apply safe
apply (rule_tac y = "D (S1 x)" in order_trans)
apply (drule_tac x = "S1 x ⊓ S1' x" and y = "S1 x" in monoD)
apply simp_all
apply (rule_tac y = "D (S1' x)" in order_trans)
apply (drule_tac x = "S1 x ⊓ S1' x" and y = "S1' x" in monoD)
by simp_all
theorem data_refinement_top [simp]:
"DataRefinement S1 D D' (⊤::_::order_top)"
by (simp add: DataRefinement_def le_fun_def top_fun_def)
definition apply_fun::"('a⇒'b⇒'c)⇒('a⇒'b)⇒'a⇒'c" (infixl ".." 5) where
"(A .. B) = (λ x . (A x) (B x))"
definition
"Disjunctive_fun R = (∀ i . (R i) ∈ Apply.Disjunctive)"
lemma Disjunctive_Sup:
"Disjunctive_fun R ⟹ (R .. (Sup X)) = Sup {y . ∃ x ∈ X . y = (R .. x)}"
apply (subst fun_eq_iff)
apply (simp add: apply_fun_def)
apply safe
apply (subst (asm) Disjunctive_fun_def)
apply (drule_tac x = x in spec)
apply (simp add: Apply.Disjunctive_def)
apply (subgoal_tac "(R x ` (λf. f x) ` X) =((λf. f x) ` {y. ∃x∈X. y = (λxa. R xa (x xa))})")
apply (auto simp add: image_image cong del: SUP_cong_simp)
done
lemma (in DiagramTermination) disjunctive_SUP_L_P:
"Disjunctive_fun R ⟹ (R .. (SUP_L_P P (pair u i))) = (SUP_L_P (λ w . (R .. (P w)))) (pair u i)"
by (simp add: SUP_L_P_def apply_fun_def Disjunctive_fun_def Apply.Disjunctive_def fun_eq_iff image_comp)
lemma apply_fun_range: "{y. ∃x. y = (R .. P x)} = range (λ x . R .. P x)"
by (fact full_SetCompr_eq)
lemma [simp]: "Disjunctive_fun R ⟹ mono ((R i)::'a::complete_lattice ⇒ 'b::complete_lattice)"
by (simp add: Disjunctive_fun_def)
theorem (in DiagramTermination) dgr_data_refinement_1:
"dmono D' ⟹ Disjunctive_fun R ⟹
(∀ w i j . ⊨ P w i {| D(i,j) |} SUP_L_P P (pair w i) j) ⟹
(∀ w i j . DataRefinement ((assert (P w i)) o (D (i,j))) (R i) (R j) (D' (i, j))) ⟹
⊨ (R .. (Sup (range P))) {| pt D' |} ((R .. (Sup (range P))) ⊓ (-(grd (step D'))))"
apply (simp add: Disjunctive_Sup apply_fun_range)
apply (rule hoare_diagram2)
apply simp_all
apply safe
apply (simp add: disjunctive_SUP_L_P [THEN sym])
apply (simp add: apply_fun_def)
apply (rule_tac S = "D (i, j)" in data_refinement2)
by auto
definition
"DgrDataRefinement1 D R D' = (∀ i j . DataRefinement (D (i , j)) (R i) (R j) (D' (i, j)))"
definition
"DgrDataRefinement2 P D R D' = (∀ i j . DataRefinement ({.P i.} o D (i , j)) (R i) (R j) (D' (i, j)))"
theorem DataRefinement_mono:
"T ≤ S ⟹ mono R ⟹ DataRefinement S R R' S' ⟹ DataRefinement T R R' S' "
apply (simp add: DataRefinement_def mono_def)
apply (subst le_fun_def)
apply (simp add: le_fun_def)
apply safe
apply (rule_tac y = "R (S x)" in order_trans)
by simp_all
definition
"mono_fun R = (∀ i . mono (R i))"
theorem DgrDataRefinement_mono:
"Q ≤ P ⟹ mono_fun R ⟹ DgrDataRefinement2 P D R D' ⟹ DgrDataRefinement2 Q D R D'"
apply (simp add: DgrDataRefinement2_def)
apply auto
apply (rule_tac S = "{.P i.} o D(i, j)" in DataRefinement_mono)
apply (simp_all add: le_fun_def assert_def)
apply safe
apply (rule_tac y = "Q i" in order_trans)
by (simp_all add: mono_fun_def)
text‹
Next theorem is the diagram version of the data refinement theorem. If the
diagram demonic choice $T$ is correct, and it is refined by $D$, then
$D$ is also correct. One important point in this theorem is that
if the diagram demonic choice $T$ terminates, then $D$ also terminates.
›
theorem (in DiagramTermination) Diagram_DataRefinement1:
"dmono D ⟹ Disjunctive_fun R ⟹ ⊢ P {| D |} Q ⟹ DgrDataRefinement1 D R D' ⟹
⊢ (R .. P) {| D' |} ((R .. P) ⊓ (-(grd (step D'))))"
apply (unfold Hoare_dgr_def DgrDataRefinement1_def dgr_demonic_def)
apply safe
apply (rule_tac x="λ w . R .. (X w)" in exI)
apply safe
apply (unfold disjunctive_SUP_L_P [THEN sym])
apply (simp add: apply_fun_def)
apply (rule_tac S = "D (i,j)" and R = "R i" and R' = "R j" in data_refinement)
by (simp_all add: Disjunctive_Sup apply_fun_range)
lemma comp_left_mono [simp]: "S ≤ S' ⟹ S o T ≤ S' o T"
by (simp add: le_fun_def)
lemma assert_pred_mono [simp]: "p ≤ q ⟹ {.p.} ≤ {.q.}"
apply (simp add: le_fun_def assert_def)
apply safe
apply (rule_tac y = p in order_trans)
by simp_all
theorem (in DiagramTermination) Diagram_DataRefinement2:
"dmono D ⟹ Disjunctive_fun R ⟹ ⊢ P {| D |} Q ⟹ DgrDataRefinement2 P D R D' ⟹
⊢ (R .. P) {| D' |} ((R .. P) ⊓ (-(grd (step D'))))"
apply (unfold Hoare_dgr_def DgrDataRefinement2_def dgr_demonic_def)
apply auto
apply (rule_tac x="λ w . R .. (X w)" in exI)
apply safe
apply (unfold disjunctive_SUP_L_P [THEN sym])
apply (simp add: apply_fun_def)
apply (rule_tac S = "D (i,j)" and R = "R i" and R' = "R j" in data_refinement2)
apply (simp_all add: Disjunctive_Sup)
apply (rule_tac S = "{.Sup (range X) i.} ∘ D (i, j)" in DataRefinement_mono)
apply (rule comp_left_mono)
apply (rule assert_pred_mono)
apply (simp add: Sup_fun_def comp_def)
apply (rule SUP_upper)
apply (auto simp add: apply_fun_def apply_fun_range image_image fun_eq_iff)
apply (auto intro!: arg_cong [where f = Sup] arg_cong2 [where f = inf])
done
lemma "(R'::'a::complete_lattice ⇒ 'b::complete_lattice) ∈ Apply.Disjunctive ⟹
DataRefinement S R R' S' ⟹ R (- grd S) ≤ - grd S'"
apply (simp add: DataRefinement_def grd_def le_fun_def)
apply (drule_tac x = "⊥" in spec)
by simp
end