Theory Eg1RefinementTrivial

theory Eg1RefinementTrivial
imports Eg1
        "../CompositionalRefinement"
        Dependent_SIFUM_Type_Systems.TypeSystem
begin

sublocale sifum_example ⊆
    sifum_refinement_same_mem dma 𝒞_vars 𝒞 eval⇩_w eval⇩_w
      by(unfold_locales)

context sifum_example begin

text ‹This predicate can be used to express arbitrary relational invariants for
  compiler-specific features, but for this trivial case the vacuous one is fine.
›
definition P_true :: "('a × 'a) set"
where
  "P_true  ≡ UNIV"

lemma Id_secure_refinement:
  "secure_refinement R Id P_true"
  unfolding secure_refinement_def
  proof(safe)
    show "closed_others Id"
    unfolding closed_others_def Id_def by blast
  next
    show "preserves_modes_mem Id"
    unfolding preserves_modes_mem_def Id_def by blast
  next
    fix c⇩₁⇩_A mds mem⇩₁ c⇩₁⇩_C c⇩₁⇩_C' mds' mem⇩₁'
    assume step: "(⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C, ⟨c⇩₁⇩_C', mds', mem⇩₁'⟩⇩_C) ∈ eval⇩_w"
    show
      "∃n c⇩₁⇩_A'.
          neval ⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C n ⟨c⇩₁⇩_A', mds', mem⇩₁'⟩⇩_C ∧
          (⟨c⇩₁⇩_A', mds', mem⇩₁'⟩⇩_C, ⟨c⇩₁⇩_C', mds', mem⇩₁'⟩⇩_C) ∈ Id ∧
          (∀c⇩₂⇩_A mem⇩₂ c⇩₂⇩_C c⇩₂⇩_A' mem⇩₂'.
              (⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C, ⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C) ∈ R ∧
              (⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C, ⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C) ∈ Id ∧
              (⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C, ⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C) ∈ P_true ∧
              neval ⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C n ⟨c⇩₂⇩_A', mds', mem⇩₂'⟩⇩_C ⟶
              (∃c⇩₂⇩_C'.
                  (⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C)
                  ∈ eval⇩_w ∧
                  (⟨c⇩₂⇩_A', mds', mem⇩₂'⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C) ∈ Id ∧
                  (⟨c⇩₁⇩_C', mds', mem⇩₁'⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C) ∈ P_true))"
    proof -
      let ?n = "Suc 0"
      let ?c⇩₁⇩_A' = c⇩₁⇩_C'
      from step have "neval ⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C ?n ⟨?c⇩₁⇩_A', mds', mem⇩₁'⟩⇩_C"
        by simp
      moreover have "(⟨?c⇩₁⇩_A', mds', mem⇩₁'⟩⇩_C, ⟨c⇩₁⇩_C', mds', mem⇩₁'⟩⇩_C) ∈ Id"
        by simp
      moreover have "(∀c⇩₂⇩_A mem⇩₂ c⇩₂⇩_C c⇩₂⇩_A' mem⇩₂'.
              (⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C, ⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C) ∈ R ∧
              (⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C, ⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C) ∈ Id ∧
              (⟨c⇩₁⇩_C, mds, mem⇩₁⟩⇩_C, ⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C) ∈ P_true ∧
              neval ⟨c⇩₂⇩_A, mds, mem⇩₂⟩⇩_C ?n ⟨c⇩₂⇩_A', mds', mem⇩₂'⟩⇩_C ⟶
              (∃c⇩₂⇩_C'.
                  (⟨c⇩₂⇩_C, mds, mem⇩₂⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C)
                  ∈ eval⇩_w ∧
                  (⟨c⇩₂⇩_A', mds', mem⇩₂'⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C) ∈ Id ∧
                  (⟨c⇩₁⇩_C', mds', mem⇩₁'⟩⇩_C, ⟨c⇩₂⇩_C', mds', mem⇩₂'⟩⇩_C) ∈ P_true))"
        using step
        unfolding P_true_def
        by clarsimp
      ultimately show ?thesis by blast
    qed
  next
    show "closed_glob_consistent P_true"
      by(auto simp: closed_glob_consistent_def P_true_def)
  qed

text ‹
  This doesn't really mean much, but shows the lemmas in action.
  (I suspect that @{term "R⇩_C_of R Id"} is equivalent to @{term R}. But who cares?)
›
lemma "strong_low_bisim_mm (gen_refine.R⇩_C_of (ℛ Γ 𝒮 P) Id P_true)"
  apply(rule R⇩_C_of_strong_low_bisim_mm)
   apply(rule ℛ_bisim)
  apply(rule Id_secure_refinement)
  unfolding P_true_def sym_def apply blast
  done

end

end