tm: comparison turing

equal deleted inserted replaced

-:b388dceee892
+:816e84ca16d6
+(* Title: Turing machines
+Author: Xu Jian <xujian817@hotmail.com>
+Maintainer: Xu Jian
+*)
 theory turing_basic
 imports Main
 begin
 section {* Basic definitions of Turing machine *}
-(* Title: Turing machine's definition and its charater
+datatype action = W0 | W1 | L | R | Nop
-Author: Xu Jian <xujian817@hotmail.com>
-Maintainer: Xu Jian
+datatype cell = Bk | Oc
-*)
+type_synonym tape = "cell list \<times> cell list"
-text {*
-Actions of Turing machine (Abbreviated TM in the following* ).
+type_synonym state = nat
-*}
+type_synonym instr = "action \<times> state"
-datatype taction =
--- {* Write zero *}
+type_synonym tprog = "instr list \<times> nat"
-W0 |
--- {* Write one *}
+type_synonym config = "state \<times> tape"
-W1 |
--- {* Move left *}
+fun nth_of where
-L |
+"nth_of xs i = (if i \<ge> length xs then None
--- {* Move right *}
+else Some (xs ! i))"
-R |
--- {* Do nothing *}
+lemma nth_of_map [simp]:
-Nop
+shows "nth_of (map f p) n = (case (nth_of p n) of None \<Rightarrow> None | Some x \<Rightarrow> Some (f x))"
+apply(induct p arbitrary: n)
-text {*
+apply(auto)
-Tape contents in every block.
+apply(case_tac n)
-*}
+apply(auto)
+done
-datatype block =
--- {* Blank *}
+fun
-Bk |
+fetch :: "instr list \<Rightarrow> state \<Rightarrow> cell \<Rightarrow> instr"
--- {* Occupied *}
+where
-Oc
+"fetch p 0 b = (Nop, 0)"
+| "fetch p (Suc s) Bk =
-text {*
+(case nth_of p (2 * s) of
-Tape is represented as a pair of lists $(L_{left}, L_{right})$,
+Some i \<Rightarrow> i
-where $L_left$, named {\em left list}, is used to represent
+| None \<Rightarrow> (Nop, 0))"
-the tape to the left of RW-head and
+|"fetch p (Suc s) Oc =
-$L_{right}$, named {\em right list}, is used to represent the tape
+(case nth_of p ((2 * s) + 1) of
-under and to the right of RW-head.
+Some i \<Rightarrow> i
-*}
+| None \<Rightarrow> (Nop, 0))"
-type_synonym tape = "block list \<times> block list"
+lemma fetch_Nil [simp]:
+shows "fetch [] s b = (Nop, 0)"
-text {* The state of turing machine.*}
+apply(case_tac s)
-type_synonym tstate = nat
+apply(auto)
+apply(case_tac b)
-text {*
+apply(auto)
-Turing machine instruction is represented as a
+done
-pair @{text "(action, next_state)"},
-where @{text "action"} is the action to take at the current state
+fun
-and @{text "next_state"} is the next state the machine is getting into
+update :: "action \<Rightarrow> tape \<Rightarrow> tape"
-after the action.
-*}
-type_synonym tinst = "taction \<times> tstate"
-text {*
-Program of Turing machine is represented as a list of Turing instructions
-and the execution of the program starts from the head of the list.
-*}
-type_synonym tprog = "tinst list"
-text {*
-Turing machine configuration, which consists of the current state
-and the tape.
-*}
-type_synonym t_conf = "tstate \<times> tape"
-fun nth_of ::  "'a list \<Rightarrow> nat \<Rightarrow> 'a option"
-where
-"nth_of xs n = (if n < length xs then Some (xs!n)
-else None)"
-text {*
-The function used to fetech instruction out of Turing program.
-*}
-fun fetch :: "tprog \<Rightarrow> tstate \<Rightarrow> block \<Rightarrow> tinst"
-where
-"fetch p s b = (if s = 0 then (Nop, 0) else
-case b of
-Bk \<Rightarrow> case nth_of p (2 * (s - 1)) of
-Some i \<Rightarrow> i
-| None \<Rightarrow> (Nop, 0)
-| Oc \<Rightarrow> case nth_of p (2 * (s - 1) +1) of
-Some i \<Rightarrow> i
-| None \<Rightarrow> (Nop, 0))"
-fun new_tape :: "taction \<Rightarrow> tape \<Rightarrow> tape"
 where
-"new_tape action (leftn, rightn) = (case action of
+"update W0 (l, r) = (l, Bk # (tl r))"
-W0 \<Rightarrow> (leftn, Bk#(tl rightn)) |
+| "update W1 (l, r) = (l, Oc # (tl r))"
-W1 \<Rightarrow> (leftn, Oc#(tl rightn)) |
+| "update L (l, r) = (if l = [] then ([], Bk # r) else (tl l, (hd l) # r))"
-L  \<Rightarrow>  (if leftn = [] then (tl leftn, Bk#rightn)
+| "update R (l, r) = (if r = [] then (Bk # l, []) else ((hd r) # l, tl r))"
-else (tl leftn, (hd leftn) # rightn)) |
+| "update Nop (l, r) = (l, r)"
-R  \<Rightarrow> if rightn = [] then (Bk#leftn,tl rightn)
-else ((hd rightn)#leftn, tl rightn) |
+abbreviation
-Nop \<Rightarrow> (leftn, rightn)
+"read r == if (r = []) then Bk else hd r"
-)"
+fun step :: "config \<Rightarrow> tprog \<Rightarrow> config"
-text {*
+where
-The one step function used to transfer Turing machine configuration.
+"step (s, l, r) (p, off) =
-*}
+(let (a, s') = fetch p (s - off) (read r) in (s', update a (l, r)))"
-fun tstep :: "t_conf \<Rightarrow> tprog \<Rightarrow> t_conf"
-where
+fun steps :: "config \<Rightarrow> tprog \<Rightarrow> nat \<Rightarrow> config"
-"tstep c p = (let (s, l, r) = c in
-let (ac, ns) = (fetch p s (case r of [] \<Rightarrow> Bk |
-x # xs \<Rightarrow> x)) in
-(ns, new_tape ac (l, r)))"
-text {*
-The many-step function.
-*}
-fun steps :: "t_conf \<Rightarrow> tprog \<Rightarrow> nat \<Rightarrow> t_conf"
 where
 "steps c p 0 = c" |
-"steps c p (Suc n) = steps (tstep c p) p n"
+"steps c p (Suc n) = steps (step c p) p n"
-lemma tstep_red: "steps c p (Suc n) = tstep (steps c p n) p"
+lemma step_red [simp]:
-proof(induct n arbitrary: c)
+shows "steps c p (Suc n) = step (steps c p n) p"
-fix c
+by (induct n arbitrary: c) (auto)
-show "steps c p (Suc 0) = tstep (steps c p 0) p" by(simp add: steps.simps)
-next
+lemma steps_add [simp]:
-fix n c
+shows "steps c p (m + n) = steps (steps c p m) p n"
-assume ind: "\<And> c. steps c p (Suc n) = tstep (steps c p n) p"
+by (induct m arbitrary: c) (auto)
-have "steps (tstep c p) p (Suc n) = tstep (steps (tstep c p) p n) p"
-by(rule ind)
+fun
-thus "steps c p (Suc (Suc n)) = tstep (steps c p (Suc n)) p" by(simp add: steps.simps)
+tm_wf :: "tprog \<Rightarrow> bool"
-qed
+where
+"tm_wf (p, off) = (length p \<ge> 2 \<and> length p mod 2 = 0 \<and>
-declare Let_def[simp] option.split[split]
+(\<forall>(a, s) \<in> set p. s \<le> length p div 2
++ off \<and> s \<ge> off))"
-definition
-"iseven n \<equiv> \<exists> x. n = 2 * x"
+(* FIXME: needed? *)
+lemma halt_lemma:
+"\<lbrakk>wf LE; \<forall>n. (\<not> P (f n) \<longrightarrow> (f (Suc n), (f n)) \<in> LE)\<rbrakk> \<Longrightarrow> \<exists>n. P (f n)"
+by (metis wf_iff_no_infinite_down_chain)
+abbreviation exponent :: "'a \<Rightarrow> nat \<Rightarrow> 'a list" ("_ \<up> _" [100, 99] 100)
+where "x \<up> n == replicate n x"
+consts tape_of :: "'a \<Rightarrow> cell list" ("<_>" 100)
+fun tape_of_nat_list :: "nat list \<Rightarrow> cell list"
+where
+"tape_of_nat_list [] = []" |
+"tape_of_nat_list [n] = Oc\<up>(Suc n)" |
+"tape_of_nat_list (n#ns) = Oc\<up>(Suc n) @ Bk # (tape_of_nat_list ns)"
+defs (overloaded)
+tape_of_nl_abv: "<am> \<equiv> tape_of_nat_list am"
+tape_of_nat_abv : "<(n::nat)> \<equiv> Oc\<up>(Suc n)"
+definition tinres :: "cell list \<Rightarrow> cell list \<Rightarrow> bool"
+where
+"tinres xs ys = (\<exists>n. xs = ys @ Bk \<up> n \<or> ys = xs @ Bk \<up> n)"
+fun
+shift :: "instr list \<Rightarrow> nat \<Rightarrow> instr list"
+where
+"shift p n = (map (\<lambda> (a, s). (a, (if s = 0 then 0 else s + n))) p)"
+lemma length_shift [simp]:
+"length (shift p n) = length p"
+by (simp)
+fun
+adjust :: "instr list \<Rightarrow> instr list"
+where
+"adjust p = map (\<lambda> (a, s). (a, if s = 0 then (Suc (length p div 2)) else s)) p"
+lemma length_adjust[simp]:
+shows "length (adjust p) = length p"
+by (induct p) (auto)
+fun
+tm_comp :: "instr list \<Rightarrow> instr list \<Rightarrow> instr list" ("_ |+| _" [0, 0] 100)
+where
+"tm_comp p1 p2 = ((adjust p1) @ (shift p2 ((length p1) div 2)))"
+fun
+is_final :: "config \<Rightarrow> bool"
+where
+"is_final (s, l, r) = (s = 0)"
+lemma is_final_steps:
+assumes "is_final (s, l, r)"
+shows "is_final (steps (s, l, r) (p, off) n)"
+using assms by (induct n) (auto)
+fun
+holds_for :: "(tape \<Rightarrow> bool) \<Rightarrow> config \<Rightarrow> bool" ("_ holds'_for _" [100, 99] 100)
+where
+"P holds_for (s, l, r) = P (l, r)"
+(*
+lemma step_0 [simp]:
+shows "step (0, (l, r)) p = (0, (l, r))"
+by simp
+lemma steps_0 [simp]:
+shows "steps (0, (l, r)) p n = (0, (l, r))"
+by (induct n) (simp_all)
+*)
+lemma is_final_holds[simp]:
+assumes "is_final c"
+shows "Q holds_for (steps c (p, off) n) = Q holds_for c"
+using assms
+apply(induct n)
+apply(case_tac [!] c)
+apply(auto)
+done
+type_synonym assert = "tape \<Rightarrow> bool"
+definition assert_imp :: "assert \<Rightarrow> assert \<Rightarrow> bool" ("_ \<mapsto> _" [0, 0] 100)
+where
+"assert_imp P Q = (\<forall>l r. P (l, r) \<longrightarrow> Q (l, r))"
+lemma holds_for_imp:
+assumes "P holds_for c"
+and "P \<mapsto> Q"
+shows "Q holds_for c"
+using assms unfolding assert_imp_def by (case_tac c, auto)
+lemma test:
+assumes "is_final (steps (1, (l, r)) p n1)"
+and     "is_final (steps (1, (l, r)) p n2)"
+shows "Q holds_for (steps (1, (l, r)) p n1) \<longleftrightarrow> Q holds_for (steps (1, (l, r)) p n2)"
+proof -
+obtain n3 where "n1 = n2 + n3 \<or> n2 = n1 + n3"
+by (metis le_iff_add nat_le_linear)
+with assms show "Q holds_for (steps (1, (l, r)) p n1) \<longleftrightarrow> Q holds_for (steps (1, (l, r)) p n2)"
+by(case_tac p) (auto)
+qed
+definition
+Hoare :: "assert \<Rightarrow> tprog \<Rightarrow> assert \<Rightarrow> bool" ("({(1_)}/ (_)/ {(1_)})" 50)
+where
+"{P} p {Q} \<equiv>
+(\<forall>l r. P (l, r) \<longrightarrow> (\<exists>n. is_final (steps (1, (l, r)) p n) \<and> Q holds_for (steps (1, (l, r)) p n)))"
+lemma HoareI:
+assumes "\<And>l r. P (l, r) \<Longrightarrow> \<exists>n. is_final (steps (1, (l, r)) p n) \<and> Q holds_for (steps (1, (l, r)) p n)"
+shows "{P} p {Q}"
+unfolding Hoare_def using assms by auto
 text {*
-The following @{text "t_correct"} function is used to specify the wellformedness of Turing
+{P1} A {Q1}   {P2} B {Q2}  Q1 \<mapsto> P2
-machine.
+-----------------------------------
+{P1} A |+| B {Q2}
 *}
-fun t_correct :: "tprog \<Rightarrow> bool"
-where
+lemma step_0 [simp]:
-"t_correct p = (length p \<ge> 2 \<and> iseven (length p) \<and>
+shows "step (0, (l, r)) p = (0, (l, r))"
-list_all (\<lambda> (acn, s). s \<le> length p div 2) p)"
+by (case_tac p, simp)
-declare t_correct.simps[simp del]
+lemma steps_0 [simp]:
+shows "steps (0, (l, r)) p n = (0, (l, r))"
-lemma allimp: "\<lbrakk>\<forall>x. P x \<longrightarrow> Q x; \<forall>x. P x\<rbrakk> \<Longrightarrow> \<forall>x. Q x"
+by (induct n) (simp_all)
-by(auto elim: allE)
+declare steps.simps[simp del]
-lemma halt_lemma: "\<lbrakk>wf LE; \<forall> n. (\<not> P (f n) \<longrightarrow> (f (Suc n), (f n)) \<in> LE)\<rbrakk> \<Longrightarrow> \<exists> n. P (f n)"
-apply(rule exCI, drule allimp, auto)
+lemma before_final:
-apply(drule_tac f = f  in wf_inv_image, simp add: inv_image_def)
+assumes "steps (1, tp) A n = (0, tp')"
-apply(erule wf_induct, auto)
+obtains n' where "\<not> is_final (steps (1, tp) A n')"
-done
+and "steps (1, tp) A (Suc n') = (0, tp')"
-lemma steps_add: "steps c t (x + y) = steps (steps c t x) t y"
-by(induct x arbitrary: c, auto simp: steps.simps tstep_red)
-lemma listall_set: "list_all p t \<Longrightarrow> \<forall> a \<in> set t. p a"
-by(induct t, auto)
-lemma fetch_ex: "\<exists>b a. fetch T aa ab = (b, a)"
-by(simp add: fetch.simps)
-definition exponent :: "'a \<Rightarrow> nat \<Rightarrow> 'a list" ("_\<^bsup>_\<^esup>" [0, 0]100)
-where "exponent x n = replicate n x"
-text {*
-@{text "tinres l1 l2"} means left list @{text "l1"} is congruent with
-@{text "l2"} with respect to the execution of Turing machine.
-Appending Blank to the right of eigther one does not affect the
-outcome of excution.
-*}
-definition tinres :: "block list \<Rightarrow> block list \<Rightarrow> bool"
-where
-"tinres bx by = (\<exists> n. bx = by@Bk\<^bsup>n\<^esup> \<or> by = bx @ Bk\<^bsup>n\<^esup>)"
-lemma exp_zero: "a\<^bsup>0\<^esup> = []"
-by(simp add: exponent_def)
-lemma exp_ind_def: "a\<^bsup>Suc x \<^esup> = a # a\<^bsup>x\<^esup>"
-by(simp add: exponent_def)
-text {*
-The following lemma shows the meaning of @{text "tinres"} with respect to
-one step execution.
-*}
-lemma tinres_step:
-"\<lbrakk>tinres l l'; tstep (ss, l, r) t = (sa, la, ra); tstep (ss, l', r) t = (sb, lb, rb)\<rbrakk>
-\<Longrightarrow> tinres la lb \<and> ra = rb \<and> sa = sb"
-apply(auto simp: tstep.simps fetch.simps new_tape.simps
-split: if_splits taction.splits list.splits
-block.splits)
-apply(case_tac [!] "t ! (2 * (ss - Suc 0))",
-auto simp: exponent_def tinres_def split: if_splits taction.splits list.splits
-block.splits)
-apply(case_tac [!] "t ! (2 * (ss - Suc 0) + Suc 0)",
-auto simp: exponent_def tinres_def split: if_splits taction.splits list.splits
-block.splits)
-done
-declare tstep.simps[simp del] steps.simps[simp del]
-text {*
-The following lemma shows the meaning of @{text "tinres"} with respect to
-many step execution.
-*}
-lemma tinres_steps:
-"\<lbrakk>tinres l l'; steps (ss, l, r) t stp = (sa, la, ra); steps (ss, l', r) t stp = (sb, lb, rb)\<rbrakk>
-\<Longrightarrow> tinres la lb \<and> ra = rb \<and> sa = sb"
-apply(induct stp arbitrary: sa la ra sb lb rb, simp add: steps.simps)
-apply(simp add: tstep_red)
-apply(case_tac "(steps (ss, l, r) t stp)")
-apply(case_tac "(steps (ss, l', r) t stp)")
 proof -
-fix stp sa la ra sb lb rb a b c aa ba ca
+from assms have "\<exists> n'. \<not> is_final (steps (1, tp) A n') \<and>
-assume ind: "\<And>sa la ra sb lb rb. \<lbrakk>steps (ss, l, r) t stp = (sa, la, ra);
+steps (1, tp) A (Suc n') = (0, tp')"
-steps (ss, l', r) t stp = (sb, lb, rb)\<rbrakk> \<Longrightarrow> tinres la lb \<and> ra = rb \<and> sa = sb"
+proof(induct n arbitrary: tp', simp add: steps.simps)
-and h: " tinres l l'" "tstep (steps (ss, l, r) t stp) t = (sa, la, ra)"
+fix n tp'
-"tstep (steps (ss, l', r) t stp) t = (sb, lb, rb)" "steps (ss, l, r) t stp = (a, b, c)"
+assume ind:
-"steps (ss, l', r) t stp = (aa, ba, ca)"
+"\<And>tp'. steps (1, tp) A n = (0, tp') \<Longrightarrow>
-have "tinres b ba \<and> c = ca \<and> a = aa"
+\<exists>n'. \<not> is_final (steps (1, tp) A n') \<and> steps (1, tp) A (Suc n') = (0, tp')"
-apply(rule_tac ind, simp_all add: h)
+and h: " steps (1, tp) A (Suc n) = (0, tp')"
-done
+from h show  "\<exists>n'. \<not> is_final (steps (1, tp) A n') \<and> steps (1, tp) A (Suc n') = (0, tp')"
-thus "tinres la lb \<and> ra = rb \<and> sa = sb"
+proof(simp add: step_red del: steps.simps,
-apply(rule_tac l = b and l' = ba and r = c  and ss = a
+case_tac "(steps (Suc 0, tp) A n)", case_tac "a = 0", simp)
-and t = t in tinres_step)
+fix a b c
-using h
+assume " steps (Suc 0, tp) A n = (0, tp')"
-apply(simp, simp, simp)
+hence "\<exists>n'. \<not> is_final (steps (1, tp) A n') \<and> steps (1, tp) A (Suc n') = (0, tp')"
-done
+apply(rule_tac ind, simp)
-qed
+done
+thus "\<exists>n'. \<not> is_final (steps (Suc 0, tp) A n') \<and> step (steps (Suc 0, tp) A n') A = (0, tp')"
-text {*
+apply(simp)
-The following function @{text "tshift tp n"} is used to shift Turing programs
-@{text "tp"} by @{text "n"} when it is going to be combined with others.
-*}
-fun tshift :: "tprog \<Rightarrow> nat \<Rightarrow> tprog"
-where
-"tshift tp off = (map (\<lambda> (action, state). (action, (if state = 0 then 0
-else state + off))) tp)"
-text {*
-When two Turing programs are combined, the end state (state @{text "0"}) of the one
-at the prefix position needs to be connected to the start state
-of the one at postfix position. If @{text "tp"} is the Turing program
-to be at the prefix, @{text "change_termi_state tp"} is the transformed Turing program.
-*}
-fun change_termi_state :: "tprog \<Rightarrow> tprog"
-where
-"change_termi_state t =
-(map (\<lambda> (acn, ns). if ns = 0 then (acn, Suc ((length t) div 2)) else (acn, ns)) t)"
-text {*
-@{text "t_add tp1 tp2"} is the combined Truing program.
-*}
-fun t_add :: "tprog \<Rightarrow> tprog \<Rightarrow> tprog" ("_ |+| _" [0, 0] 100)
-where
-"t_add t1 t2 = ((change_termi_state t1) @ (tshift t2 ((length t1) div 2)))"
-text {*
-Tests whether the current configuration is at state @{text "0"}.
-*}
-definition isS0 :: "t_conf \<Rightarrow> bool"
-where
-"isS0 c = (let (s, l, r) = c in s = 0)"
-declare tstep.simps[simp del] steps.simps[simp del]
-t_add.simps[simp del] fetch.simps[simp del]
-new_tape.simps[simp del]
-text {*
-Single step execution starting from state @{text "0"} will not make any progress.
-*}
-lemma tstep_0: "tstep (0, tp) p = (0, tp)"
-apply(simp add: tstep.simps fetch.simps new_tape.simps)
-done
-text {*
-Many step executions starting from state @{text "0"} will not make any progress.
-*}
-lemma steps_0: "steps (0, tp) p stp = (0, tp)"
-apply(induct stp)
-apply(simp add: steps.simps)
-apply(simp add: tstep_red tstep_0)
-done
-lemma s_keep_step: "\<lbrakk>a \<le> length A div 2; tstep (a, b, c) A = (s, l, r); t_correct A\<rbrakk>
-\<Longrightarrow> s \<le> length A div 2"
-apply(simp add: tstep.simps fetch.simps t_correct.simps iseven_def
-split: if_splits block.splits list.splits)
-apply(case_tac [!] a, auto simp: list_all_length)
-apply(erule_tac x = "2 * nat" in allE, auto)
-apply(erule_tac x = "2 * nat" in allE, auto)
-apply(erule_tac x = "Suc (2 * nat)" in allE, auto)
-done
-lemma s_keep: "\<lbrakk>steps (Suc 0, tp) A stp = (s, l, r);  t_correct A\<rbrakk> \<Longrightarrow> s \<le> length A div 2"
-proof(induct stp arbitrary: s l r)
-case 0 thus "?case" by(auto simp: t_correct.simps steps.simps)
-next
-fix stp s l r
-assume ind: "\<And>s l r. \<lbrakk>steps (Suc 0, tp) A stp = (s, l, r); t_correct A\<rbrakk> \<Longrightarrow> s \<le> length A div 2"
-and h1: "steps (Suc 0, tp) A (Suc stp) = (s, l, r)"
-and h2: "t_correct A"
-from h1 h2 show "s \<le> length A div 2"
-proof(simp add: tstep_red, cases "(steps (Suc 0, tp) A stp)", simp)
-fix a b c
-assume h3: "tstep (a, b, c) A = (s, l, r)"
-and h4: "steps (Suc 0, tp) A stp = (a, b, c)"
-have "a \<le> length A div 2"
-using h2 h4
-by(rule_tac l = b and r = c in ind, auto)
-thus "?thesis"
-using h3 h2
-by(simp add: s_keep_step)
-qed
-qed
-lemma t_merge_fetch_pre:
-"\<lbrakk>fetch A s b = (ac, ns); s \<le> length A div 2; t_correct A; s \<noteq> 0\<rbrakk> \<Longrightarrow>
-fetch (A |+| B) s b = (ac, if ns = 0 then Suc (length A div 2) else ns)"
-apply(subgoal_tac "2 * (s - Suc 0) < length A \<and> Suc (2 * (s - Suc 0)) < length A")
-apply(auto simp: fetch.simps t_add.simps split: if_splits block.splits)
-apply(simp_all add: nth_append change_termi_state.simps)
-done
-lemma [simp]:  "\<lbrakk>\<not> a \<le> length A div 2; t_correct A\<rbrakk> \<Longrightarrow> fetch A a b = (Nop, 0)"
-apply(auto simp: fetch.simps del: nth_of.simps split: block.splits)
-apply(case_tac [!] a, auto simp: t_correct.simps iseven_def)
-done
-lemma  [elim]: "\<lbrakk>t_correct A; \<not> isS0 (tstep (a, b, c) A)\<rbrakk> \<Longrightarrow> a \<le> length A div 2"
-apply(rule_tac classical, auto simp: tstep.simps new_tape.simps isS0_def)
-done
-lemma [elim]: "\<lbrakk>t_correct A; \<not> isS0 (tstep (a, b, c) A)\<rbrakk> \<Longrightarrow> 0 < a"
-apply(rule_tac classical, simp add: tstep_0 isS0_def)
-done
-lemma t_merge_pre_eq_step: "\<lbrakk>tstep (a, b, c) A = cf; t_correct A; \<not> isS0 cf\<rbrakk>
-\<Longrightarrow> tstep (a, b, c) (A |+| B) = cf"
-apply(subgoal_tac "a \<le> length A div 2 \<and> a \<noteq> 0")
-apply(simp add: tstep.simps)
-apply(case_tac "fetch A a (case c of [] \<Rightarrow> Bk | x # xs \<Rightarrow> x)", simp)
-apply(drule_tac B = B in t_merge_fetch_pre, simp, simp, simp, simp add: isS0_def, auto)
-done
-lemma t_merge_pre_eq:  "\<lbrakk>steps (Suc 0, tp) A stp = cf; \<not> isS0 cf; t_correct A\<rbrakk>
-\<Longrightarrow> steps (Suc 0, tp) (A |+| B) stp = cf"
-proof(induct stp arbitrary: cf)
-case 0 thus "?case" by(simp add: steps.simps)
-next
-fix stp cf
-assume ind: "\<And>cf. \<lbrakk>steps (Suc 0, tp) A stp = cf; \<not> isS0 cf; t_correct A\<rbrakk>
-\<Longrightarrow> steps (Suc 0, tp) (A |+| B) stp = cf"
-and h1: "steps (Suc 0, tp) A (Suc stp) = cf"
-and h2: "\<not> isS0 cf"
-and h3: "t_correct A"
-from h1 h2 h3 show "steps (Suc 0, tp) (A |+| B) (Suc stp) = cf"
-proof(simp add: tstep_red, cases "steps (Suc 0, tp) (A) stp", simp)
-fix a b c
-assume h4: "tstep (a, b, c) A = cf"
-and h5: "steps (Suc 0, tp) A stp = (a, b, c)"
-have "steps (Suc 0, tp) (A |+| B) stp = (a, b, c)"
-proof(cases a)
-case 0 thus "?thesis"
-using h4 h2
-apply(simp add: tstep_0, cases cf, simp add: isS0_def)
 done
 next
-case (Suc n) thus "?thesis"
+fix a b c
-using h5 h3
+assume "steps (Suc 0, tp) A n = (a, b, c)"
-apply(rule_tac ind, auto simp: isS0_def)
+"step (steps (Suc 0, tp) A n) A = (0, tp')"
+"a \<noteq> 0"
+thus "\<exists>n'. \<not> is_final (steps (Suc 0, tp) A n') \<and>
+step (steps (Suc 0, tp) A n') A = (0, tp')"
+apply(rule_tac x = n in exI, simp)
 done
 qed
-thus "tstep (steps (Suc 0, tp) (A |+| B) stp) (A |+| B) = cf"
+qed
-using h4 h5 h3 h2
+thus "(\<And>n'. \<lbrakk>\<not> is_final (steps (1, tp) A n');
+steps (1, tp) A (Suc n') = (0, tp')\<rbrakk> \<Longrightarrow> thesis) \<Longrightarrow> thesis"
+by auto
+qed
+declare tm_comp.simps [simp del] adjust.simps[simp del] shift.simps[simp del]
+lemma length_comp:
+"length (A |+| B) = length A + length B"
+apply(auto simp: tm_comp.simps)
+done
+lemma tmcomp_fetch_in_first:
+assumes "case (fetch A a x) of (ac, ns) \<Rightarrow> ns \<noteq> 0"
+shows "fetch (A |+| B) a x = fetch A a x"
+using assms
+apply(case_tac a, case_tac [!] x,
+auto simp: length_comp tm_comp.simps length_adjust nth_append)
+apply(simp_all add: adjust.simps)
+done
+lemma is_final_eq: "is_final (ba, tp) = (ba = 0)"
+apply(case_tac tp, simp add: is_final.simps)
+done
+lemma t_merge_pre_eq_step:
+assumes step: "step (a, b, c) (A, 0) = cf"
+and     tm_wf: "tm_wf (A, 0)"
+and     unfinal: "\<not> is_final cf"
+shows "step (a, b, c) (A |+| B, 0) = cf"
+proof -
+have "fetch (A |+| B) a (read c) = fetch A a (read c)"
+proof(rule_tac tmcomp_fetch_in_first)
+from step and unfinal show "case fetch A a (read c) of (ac, ns) \<Rightarrow> ns \<noteq> 0"
+apply(auto simp: is_final.simps)
+apply(case_tac "fetch A a (read c)", simp_all add: is_final_eq)
+done
+qed
+thus "?thesis"
+using step
+apply(auto simp: step.simps is_final.simps)
+done
+qed
+declare tm_wf.simps[simp del] step.simps[simp del]
+lemma t_merge_pre_eq:
+"\<lbrakk>steps (Suc 0, tp) (A, 0) stp = cf; \<not> is_final cf; tm_wf (A, 0)\<rbrakk>
+\<Longrightarrow> steps (Suc 0, tp) (A |+| B, 0) stp = cf"
+proof(induct stp arbitrary: cf, simp add: steps.simps)
+fix stp cf
+assume ind: "\<And>cf. \<lbrakk>steps (Suc 0, tp) (A, 0) stp = cf; \<not> is_final cf; tm_wf (A, 0)\<rbrakk>
+\<Longrightarrow> steps (Suc 0, tp) (A |+| B, 0) stp = cf"
+and h: "steps (Suc 0, tp) (A, 0) (Suc stp) = cf"
+"\<not> is_final cf" "tm_wf (A, 0)"
+from h show "steps (Suc 0, tp) (A |+| B, 0) (Suc stp) = cf"
+proof(simp add: step_red, case_tac "(steps (Suc 0, tp) (A, 0) stp)", simp)
+fix a b c
+assume g: "steps (Suc 0, tp) (A, 0) stp = (a, b, c)"
+"step (a, b, c) (A, 0) = cf"
+have "(steps (Suc 0, tp) (A |+| B, 0) stp) = (a, b, c)"
+proof(rule ind, simp_all add: h g)
+show "0 < a"
+using g h
+apply(simp add: step_red)
+apply(case_tac a, auto simp: step_0)
+apply(case_tac "steps (Suc 0, tp) (A, 0) stp", simp)
+done
+qed
+thus "step (steps (Suc 0, tp) (A |+| B, 0) stp) (A |+| B, 0) = cf"
 apply(simp)
-apply(rule t_merge_pre_eq_step, auto)
+apply(rule_tac t_merge_pre_eq_step, simp_all add: g h)
 done
 qed
 qed
-declare nth.simps[simp del] tshift.simps[simp del] change_termi_state.simps[simp del]
+lemma tmcomp_fetch_in_first2:
+assumes "fetch A a x = (ac, 0)"
-lemma [simp]: "length (change_termi_state A) = length A"
+"tm_wf (A, 0)"
-by(simp add: change_termi_state.simps)
+"a \<le> length A div 2" "a > 0"
+shows "fetch (A |+| B) a x = (ac, Suc (length A div 2))"
-lemma first_halt_point: "steps (Suc 0, tp) A stp = (0, tp')
+using assms
-\<Longrightarrow> \<exists>stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+apply(case_tac a, case_tac [!] x,
-proof(induct stp)
+auto simp: length_comp tm_comp.simps length_adjust nth_append)
-case 0  thus "?case" by(simp add: steps.simps)
+apply(simp_all add: adjust.simps)
+done
+lemma tmcomp_exec_after_first:
+"\<lbrakk>0 < a; step (a, b, c) (A, 0) = (0, tp'); tm_wf (A, 0);
+a \<le> length A div 2\<rbrakk>
+\<Longrightarrow> step (a, b, c) (A |+| B, 0) = (Suc (length A div 2), tp')"
+apply(simp add: step.simps, auto)
+apply(case_tac "fetch A a Bk", simp add: tmcomp_fetch_in_first2)
+apply(case_tac "fetch A a (hd c)", simp add: tmcomp_fetch_in_first2)
+done
+lemma step_nothalt_pre: "\<lbrakk>step (aa, ba, ca) (A, 0) = (a, b, c);  0 < a\<rbrakk> \<Longrightarrow> 0 < aa"
+apply(case_tac "aa = 0", simp add: step_0, simp)
+done
+lemma nth_in_set:
+"\<lbrakk> A ! i = x; i <  length A\<rbrakk> \<Longrightarrow> x \<in> set A"
+by auto
+lemma step_nothalt:
+"\<lbrakk>step (aa, ba, ca) (A, 0) = (a, b, c); 0 < a; tm_wf (A, 0)\<rbrakk> \<Longrightarrow>
+a \<le> length A div 2"
+apply(simp add: step.simps)
+apply(case_tac aa, case_tac [!] aa, auto split: if_splits simp: tm_wf.simps)
+apply(case_tac "A ! (2 * nat)", simp)
+apply(erule_tac x = "(aa, a)" in ballE, simp_all add: nth_in_set)
+apply(case_tac "hd ca", auto split: if_splits simp: tm_wf.simps)
+apply(case_tac "A ! (2 * nat)", simp)
+apply(erule_tac x = "(aa, a)" in ballE, simp_all add: nth_in_set)
+apply(case_tac "A ! (Suc (2 * nat))")
+apply(erule_tac x = "(aa,bb)" in ballE, simp_all add: nth_in_set)
+done
+lemma steps_in_range:
+" \<lbrakk>0 < a; steps (Suc 0, tp) (A, 0) stp = (a, b, c); tm_wf (A, 0)\<rbrakk>
+\<Longrightarrow> a \<le> length A div 2"
+proof(induct stp arbitrary: a b c)
+fix a b c
+assume h: "0 < a" "steps (Suc 0, tp) (A, 0) 0 = (a, b, c)"
+"tm_wf (A, 0)"
+thus "a \<le> length A div 2"
+apply(simp add: steps.simps tm_wf.simps, auto)
+done
 next
-case (Suc n)
+fix stp a b c
-fix stp
+assume ind: "\<And>a b c. \<lbrakk>0 < a; steps (Suc 0, tp) (A, 0) stp = (a, b, c);
-assume ind: "steps (Suc 0, tp) A stp = (0, tp') \<Longrightarrow>
+tm_wf (A, 0)\<rbrakk> \<Longrightarrow> a \<le> length A div 2"
-\<exists>stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+and h: "0 < a" "steps (Suc 0, tp) (A, 0) (Suc stp) = (a, b, c)" "tm_wf (A, 0)"
-and h: "steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+from h show "a \<le> length A div 2"
-from h show "\<exists>stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+proof(simp add: step_red, case_tac "(steps (Suc 0, tp) (A, 0) stp)", simp)
-proof(simp add: tstep_red, cases "steps (Suc 0, tp) A stp", simp, case_tac a)
+fix aa ba ca
-fix a b c
+assume g: "step (aa, ba, ca) (A, 0) = (a, b, c)"
-assume g1: "a = (0::nat)"
+"steps (Suc 0, tp) (A, 0) stp = (aa, ba, ca)"
-and g2: "tstep (a, b, c) A = (0, tp')"
+hence "aa \<le> length A div 2"
-and g3: "steps (Suc 0, tp) A stp = (a, b, c)"
+apply(rule_tac ind, auto simp: h step_nothalt_pre)
-have "steps (Suc 0, tp) A stp = (0, tp')"
+done
-using g2 g1 g3
+thus "?thesis"
-by(simp add: tstep_0)
+using g h
-hence "\<exists> stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+apply(rule_tac step_nothalt, auto)
-by(rule ind)
+done
-thus "\<exists>stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> tstep (steps (Suc 0, tp) A stp) A = (0, tp')"
+qed
-apply(simp add: tstep_red)
+qed
+lemma t_merge_pre_halt_same:
+assumes a_ht: "steps (1, tp) (A, 0) n = (0, tp')"
+and a_wf: "tm_wf (A, 0)"
+obtains n' where "steps (1, tp) (A |+| B, 0) n' = (Suc (length A div 2), tp')"
+proof -
+assume a: "\<And>n. steps (1, tp) (A |+| B, 0) n = (Suc (length A div 2), tp') \<Longrightarrow> thesis"
+obtain stp' where "\<not> is_final (steps (1, tp) (A, 0) stp')" and
+"steps (1, tp) (A, 0) (Suc stp') = (0, tp')"
+using a_ht before_final by blast
+then have "steps (1, tp) (A |+| B, 0) (Suc stp') = (Suc (length A div 2), tp')"
+proof(simp add: step_red)
+assume "\<not> is_final (steps (Suc 0, tp) (A, 0) stp')"
+" step (steps (Suc 0, tp) (A, 0) stp') (A, 0) = (0, tp')"
+moreover hence "(steps (Suc 0, tp) (A |+| B, 0) stp') = (steps (Suc 0, tp) (A, 0) stp')"
+apply(rule_tac t_merge_pre_eq)
+apply(simp_all add: a_wf a_ht)
+done
+ultimately show "step (steps (Suc 0, tp) (A |+| B, 0) stp') (A |+| B, 0) = (Suc (length A div 2), tp')"
+apply(case_tac " steps (Suc 0, tp) (A, 0) stp'", simp)
+apply(rule tmcomp_exec_after_first, simp_all add: a_wf)
+apply(erule_tac steps_in_range, auto simp: a_wf)
+done
+qed
+with a show thesis by blast
+qed
+lemma tm_comp_fetch_second_zero:
+"\<lbrakk>fetch B sa' x = (a, 0); tm_wf (A, 0); tm_wf (B, 0); sa' > 0\<rbrakk>
+\<Longrightarrow> fetch (A |+| B) (sa' + (length A div 2)) x = (a, 0)"
+apply(case_tac x)
+apply(case_tac [!] sa',
+auto simp: fetch.simps length_comp length_adjust nth_append tm_comp.simps
+tm_wf.simps shift.simps split: if_splits)
+done
+lemma tm_comp_fetch_second_inst:
+"\<lbrakk>sa > 0; s > 0;  tm_wf (A, 0); tm_wf (B, 0); fetch B sa x = (a, s)\<rbrakk>
+\<Longrightarrow> fetch (A |+| B) (sa + length A div 2) x = (a, s + length A div 2)"
+apply(case_tac x)
+apply(case_tac [!] sa,
+auto simp: fetch.simps length_comp length_adjust nth_append tm_comp.simps
+tm_wf.simps shift.simps split: if_splits)
+done
+lemma t_merge_second_same:
+assumes a_wf: "tm_wf (A, 0)"
+and b_wf: "tm_wf (B, 0)"
+and steps: "steps (Suc 0, l, r) (B, 0) stp = (s, l', r')"
+shows "steps (Suc (length A div 2), l, r)  (A |+| B, 0) stp
+= (if s = 0 then 0
+else s + length A div 2, l', r')"
+using a_wf b_wf steps
+proof(induct stp arbitrary: s l' r', simp add: steps.simps, simp)
+fix stpa sa l'a r'a
+assume ind: "\<And>s l' r'. steps (Suc 0, l, r) (B, 0) stpa = (s, l', r') \<Longrightarrow>
+steps (Suc (length A div 2), l, r) (A |+| B, 0) stpa =
+(if s = 0 then 0 else s + length A div 2, l', r')"
+and h: "step (steps (Suc 0, l, r) (B, 0) stpa) (B, 0) = (sa, l'a, r'a)"
+obtain sa' l'' r'' where a: "(steps (Suc 0, l, r) (B, 0) stpa) = (sa', l'', r'')"
+apply(case_tac "steps (Suc 0, l, r) (B, 0) stpa", auto)
+done
+from this have b: "steps (Suc (length A div 2), l, r) (A |+| B, 0) stpa =
+(if sa' = 0 then 0 else sa' + length A div 2, l'', r'')"
+apply(erule_tac ind)
+done
+from a b h show
+"(sa = 0 \<longrightarrow> step (steps (Suc (length A div 2), l, r) (A |+| B, 0) stpa) (A |+| B, 0) = (0, l'a, r'a)) \<and>
+(0 < sa \<longrightarrow> step (steps (Suc (length A div 2), l, r) (A |+| B, 0) stpa) (A |+| B, 0) = (sa + length A div 2, l'a, r'a))"
+proof(case_tac "sa' = 0", auto)
+assume "step (sa', l'', r'') (B, 0) = (0, l'a, r'a)" "0 < sa'"
+thus "step (sa' + length A div 2, l'', r'') (A |+| B, 0) = (0, l'a, r'a)"
+using a_wf b_wf
+apply(simp add:  step.simps)
+apply(case_tac "fetch B sa' (read r'')", auto)
+apply(simp_all add: step.simps tm_comp_fetch_second_zero)
 done
 next
-fix a b c nat
+assume "step (sa', l'', r'') (B, 0) = (sa, l'a, r'a)" "0 < sa'" "0 < sa"
-assume g1: "steps (Suc 0, tp) A stp = (a, b, c)"
+thus "step (sa' + length A div 2, l'', r'') (A |+| B, 0) = (sa + length A div 2, l'a, r'a)"
-and g2: "steps (Suc 0, tp) A (Suc stp) = (0, tp')" "a= Suc nat"
+using a_wf b_wf
-thus "\<exists>stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> tstep (steps (Suc 0, tp) A stp) A = (0, tp')"
+apply(simp add: step.simps)
-apply(rule_tac x = stp in exI)
+apply(case_tac "fetch B sa' (read r'')", auto)
-apply(simp add: isS0_def tstep_red)
+apply(simp_all add: step.simps tm_comp_fetch_second_inst)
 done
 qed
 qed
-lemma t_merge_pre_halt_same':
+lemma t_merge_second_halt_same:
-"\<lbrakk>\<not> isS0 (steps (Suc 0, tp) A stp) ; steps (Suc 0, tp) A (Suc stp) = (0, tp'); t_correct A\<rbrakk>
+"\<lbrakk>tm_wf (A, 0); tm_wf (B, 0);
-\<Longrightarrow> steps (Suc 0, tp) (A |+| B) (Suc stp) = (Suc (length A div 2), tp')"
+steps (1, l, r) (B, 0) stp = (0, l', r')\<rbrakk>
-proof(simp add: tstep_red, cases "steps (Suc 0, tp) A stp", simp)
+\<Longrightarrow> steps (Suc (length A div 2), l, r)  (A |+| B, 0) stp
-fix a b c
+= (0, l', r')"
-assume h1: "\<not> isS0 (a, b, c)"
+using t_merge_second_same[where s = "0"]
-and h2: "tstep (a, b, c) A = (0, tp')"
+apply(auto)
-and h3: "t_correct A"
+done
-and h4: "steps (Suc 0, tp) A stp = (a, b, c)"
-have "steps (Suc 0, tp) (A |+| B) stp = (a, b, c)"
+lemma Hoare_plus_halt:
-using h1 h4 h3
+assumes aimpb: "Q1 \<mapsto> P2"
-apply(rule_tac  t_merge_pre_eq, auto)
+and A_wf : "tm_wf (A, 0)"
+and B_wf : "tm_wf (B, 0)"
+and A_halt : "{P1} (A, 0) {Q1}"
+and B_halt : "{P2} (B, 0) {Q2}"
+shows "{P1} (A |+| B, 0) {Q2}"
+proof(rule HoareI)
+fix l r
+assume h: "P1 (l, r)"
+then obtain n1 where a: "is_final (steps (1, l, r) (A, 0) n1)" and b: "Q1 holds_for (steps (1, l, r) (A, 0) n1)"
+using A_halt unfolding Hoare_def by auto
+then obtain l' r' where "steps (1, l, r) (A, 0) n1 = (0, l', r')" and c: "Q1 holds_for (0, l', r')"
+by(case_tac "steps (1, l, r) (A, 0) n1", auto)
+then obtain stpa where d: "steps (1, l, r) (A |+| B, 0) stpa = (Suc (length A div 2), l', r')"
+using A_wf
+by(rule_tac t_merge_pre_halt_same, auto)
+from c aimpb have "P2 holds_for (0, l', r')"
+by(rule holds_for_imp)
+from this have "P2 (l', r')" by auto
+from this obtain n2 where e: "is_final (steps (1, l', r') (B, 0) n2)" and f: "Q2 holds_for (steps (1, l', r') (B, 0) n2)"
+using B_halt unfolding Hoare_def
+by auto
+then obtain l'' r'' where "steps (1, l', r') (B, 0) n2 = (0, l'', r'')" and g: "Q2 holds_for (0, l'', r'')"
+by(case_tac "steps (1, l', r') (B, 0) n2", auto)
+from this have "steps (Suc (length A div 2), l', r')  (A |+| B, 0) n2
+= (0, l'', r'')"
+apply(rule_tac t_merge_second_halt_same, auto simp: A_wf B_wf)
 done
-moreover have "tstep (a, b, c) (A |+| B) = (Suc (length A div 2), tp')"
+thus "\<exists>n. is_final (steps (1, l, r) (A |+| B, 0) n) \<and> Q2 holds_for (steps (1, l, r) (A |+| B, 0) n)"
-using h2 h3 h1 h4
+using d g
-apply(simp add: tstep.simps)
+apply(rule_tac x = "stpa + n2" in exI)
-apply(case_tac " fetch A a (case c of [] \<Rightarrow> Bk | x # xs \<Rightarrow> x)", simp)
+apply(simp add: steps_add)
-apply(drule_tac B = B in t_merge_fetch_pre, auto simp: isS0_def intro: s_keep)
 done
-ultimately show "tstep (steps (Suc 0, tp) (A |+| B) stp) (A |+| B) = (Suc (length A div 2), tp')"
+qed
-by(simp)
-qed
+definition
+Hoare_unhalt :: "assert \<Rightarrow> tprog \<Rightarrow> bool" ("({(1_)}/ (_))" 50)
-text {*
+where
-When Turing machine @{text "A"} and @{text "B"} are combined and the execution
+"{P} p \<equiv>
-of @{text "A"} can termination within @{text "stp"} steps,
+(\<forall>l r. P (l, r) \<longrightarrow> (\<forall> n . \<not> (is_final (steps (1, (l, r)) p n))))"
-the combined machine @{text "A |+| B"} will eventually get into the starting
-state of machine @{text "B"}.
+lemma Hoare_unhalt_I:
-*}
+assumes "\<And>l r. P (l, r) \<Longrightarrow> \<forall> n. \<not> is_final (steps (1, (l, r)) p n)"
-lemma t_merge_pre_halt_same: "
+shows "{P} p"
-\<lbrakk>steps (Suc 0, tp) A stp = (0, tp'); t_correct A; t_correct B\<rbrakk>
+unfolding Hoare_unhalt_def using assms by auto
-\<Longrightarrow> \<exists> stp. steps (Suc 0, tp) (A |+| B) stp = (Suc (length A div 2), tp')"
-proof -
+lemma Hoare_plus_unhalt:
-assume a_wf: "t_correct A"
+assumes aimpb: "Q1 \<mapsto> P2"
-and b_wf: "t_correct B"
+and A_wf : "tm_wf (A, 0)"
-and a_ht: "steps (Suc 0, tp) A stp = (0, tp')"
+and B_wf : "tm_wf (B, 0)"
-have halt_point: "\<exists> stp. \<not> isS0 (steps (Suc 0, tp) A stp) \<and> steps (Suc 0, tp) A (Suc stp) = (0, tp')"
+and A_halt : "{P1} (A, 0) {Q1}"
-using a_ht
+and B_uhalt : "{P2} (B, 0)"
-by(erule_tac first_halt_point)
+shows "{P1} (A |+| B, 0)"
-then obtain stp' where "\<not> isS0 (steps (Suc 0, tp) A stp') \<and> steps (Suc 0, tp) A (Suc stp') = (0, tp')"..
+proof(rule_tac Hoare_unhalt_I)
-hence "steps (Suc 0, tp) (A |+| B) (Suc stp') = (Suc (length A div 2), tp')"
+fix l r
-using a_wf
+assume h: "P1 (l, r)"
-apply(rule_tac t_merge_pre_halt_same', auto)
+then obtain n1 where a: "is_final (steps (1, l, r) (A, 0) n1)" and b: "Q1 holds_for (steps (1, l, r) (A, 0) n1)"
-done
+using A_halt unfolding Hoare_def by auto
-thus "?thesis" ..
+then obtain l' r' where "steps (1, l, r) (A, 0) n1 = (0, l', r')" and c: "Q1 holds_for (0, l', r')"
-qed
+by(case_tac "steps (1, l, r) (A, 0) n1", auto)
+then obtain stpa where d: "steps (1, l, r) (A |+| B, 0) stpa = (Suc (length A div 2), l', r')"
-lemma fetch_0: "fetch p 0 b = (Nop, 0)"
+using A_wf
-by(simp add: fetch.simps)
+by(rule_tac t_merge_pre_halt_same, auto)
+from c aimpb have "P2 holds_for (0, l', r')"
-lemma [simp]: "length (tshift B x) = length B"
+by(rule holds_for_imp)
-by(simp add: tshift.simps)
+from this have "P2 (l', r')" by auto
+from this have e: "\<forall> n. \<not> is_final (steps (Suc 0, l', r') (B, 0) n)  "
-lemma [simp]: "t_correct A \<Longrightarrow> 2 * (length A div 2) = length A"
+using B_uhalt unfolding Hoare_unhalt_def
-apply(simp add: t_correct.simps iseven_def, auto)
+by auto
-done
+from e show "\<forall>n. \<not> is_final (steps (1, l, r) (A |+| B, 0) n)"
+proof(rule_tac allI, case_tac "n > stpa")
-lemma t_merge_fetch_snd:
+fix n
-"\<lbrakk>fetch B a b = (ac, ns); t_correct A; t_correct B; a > 0 \<rbrakk>
+assume h2: "stpa < n"
-\<Longrightarrow> fetch (A |+| B) (a + length A div 2) b
+hence "\<not> is_final (steps (Suc 0, l', r') (B, 0) (n - stpa))"
-= (ac, if ns = 0 then 0 else ns + length A div 2)"
+using e
-apply(auto simp: fetch.simps t_add.simps split: if_splits block.splits)
+apply(erule_tac x = "n - stpa" in allE) by simp
-apply(case_tac [!] a, simp_all)
+then obtain s'' l'' r'' where f: "steps (Suc 0, l', r') (B, 0) (n - stpa) = (s'', l'', r'')" and g: "s'' \<noteq> 0"
-apply(simp_all add: nth_append change_termi_state.simps tshift.simps)
+apply(case_tac "steps (Suc 0, l', r') (B, 0) (n - stpa)", auto)
 done
+have k: "steps (Suc (length A div 2), l', r') (A |+| B, 0) (n - stpa) = (s''+ length A div 2, l'', r'') "
-lemma t_merge_snd_eq_step:
+using A_wf B_wf f g
-"\<lbrakk>tstep (s, l, r) B = (s', l', r'); t_correct A; t_correct B; s > 0\<rbrakk>
+apply(drule_tac t_merge_second_same, auto)
-\<Longrightarrow> tstep (s + length A div 2, l, r) (A |+| B) =
+done
-(if s' = 0 then 0 else s' + length A div 2, l' ,r') "
+show "\<not> is_final (steps (1, l, r) (A |+| B, 0) n)"
-apply(simp add: tstep.simps)
+proof -
-apply(cases "fetch B s (case r of [] \<Rightarrow> Bk | x # xs \<Rightarrow> x)")
+have "\<not> is_final (steps (1, l, r) (A |+| B, 0) (stpa + (n  - stpa)))"
-apply(auto simp: t_merge_fetch_snd)
+using d k A_wf
-apply(frule_tac [!] t_merge_fetch_snd, auto)
+apply(simp only: steps_add d, simp add: tm_wf.simps)
 done
+thus "\<not> is_final (steps (1, l, r) (A |+| B, 0) n)"
-text {*
+using h2 by simp
-Relates the executions of TM @{text "B"}, one is when @{text "B"} is executed alone,
-the other is the execution when @{text "B"} is in the combined TM.
-*}
-lemma t_merge_snd_eq_steps:
-"\<lbrakk>t_correct A; t_correct B; steps (s, l, r) B stp = (s', l', r'); s > 0\<rbrakk>
-\<Longrightarrow> steps (s + length A div 2, l, r) (A |+| B) stp =
-(if s' = 0 then 0 else s' + length A div 2, l', r')"
-proof(induct stp arbitrary: s' l' r')
-case 0 thus "?case"
-by(simp add: steps.simps)
-next
-fix stp s' l' r'
-assume ind: "\<And>s' l' r'. \<lbrakk>t_correct A; t_correct B; steps (s, l, r) B stp = (s', l', r'); 0 < s\<rbrakk>
-\<Longrightarrow> steps (s + length A div 2, l, r) (A |+| B) stp =
-(if s' = 0 then 0 else s' + length A div 2, l', r')"
-and h1: "steps (s, l, r) B (Suc stp) = (s', l', r')"
-and h2: "t_correct A"
-and h3: "t_correct B"
-and h4: "0 < s"
-from h1 show "steps (s + length A div 2, l, r) (A |+| B) (Suc stp)
-= (if s' = 0 then 0 else s' + length A div 2, l', r')"
-proof(simp only: tstep_red, cases "steps (s, l, r) B stp")
-fix a b c
-assume h5: "steps (s, l, r) B stp = (a, b, c)" "tstep (steps (s, l, r) B stp) B = (s', l', r')"
-hence h6: "(steps (s + length A div 2, l, r) (A |+| B) stp) =
-((if a = 0 then 0 else a + length A div 2, b, c))"
-using h2 h3 h4
-by(rule_tac ind, auto)
-thus "tstep (steps (s + length A div 2, l, r) (A |+| B) stp) (A |+| B) =
-(if s' = 0 then 0 else s'+ length A div 2, l', r')"
-using h5
-proof(auto)
-assume "tstep (0, b, c) B = (0, l', r')" thus "tstep (0, b, c) (A |+| B) = (0, l', r')"
-by(simp add: tstep_0)
-next
-assume "tstep (0, b, c) B = (s', l', r')" "0 < s'"
-thus "tstep (0, b, c) (A |+| B) = (s' + length A div 2, l', r')"
-by(simp add: tstep_0)
-next
-assume "tstep (a, b, c) B = (0, l', r')" "0 < a"
-thus "tstep (a + length A div 2, b, c) (A |+| B) = (0, l', r')"
-using h2 h3
-by(drule_tac t_merge_snd_eq_step, auto)
-next
-assume "tstep (a, b, c) B = (s', l', r')" "0 < a" "0 < s'"
-thus "tstep (a + length A div 2, b, c) (A |+| B) = (s' + length A div 2, l', r')"
-using h2 h3
-by(drule_tac t_merge_snd_eq_step, auto)
 qed
+next
+fix n
+assume h2: "\<not> stpa < n"
+with d show "\<not> is_final (steps (1, l, r) (A |+| B, 0) n)"
+apply(auto)
+apply(subgoal_tac "\<exists> d. stpa = n + d", auto)
+apply(case_tac "(steps (Suc 0, l, r) (A |+| B, 0) n)", simp)
+apply(rule_tac x = "stpa - n" in exI, simp)
+done
 qed
 qed
-lemma t_merge_snd_halt_eq:
-"\<lbrakk>steps (Suc 0, tp) B stp = (0, tp'); t_correct A; t_correct B\<rbrakk>
-\<Longrightarrow> \<exists>stp. steps (Suc (length A div 2), tp) (A |+| B) stp = (0, tp')"
-apply(case_tac tp, cases tp', simp)
-apply(drule_tac  s = "Suc 0" in t_merge_snd_eq_steps, auto)
-done
-lemma t_inj: "\<lbrakk>steps (Suc 0, tp) A stpa = (0, tp1); steps (Suc 0, tp) A stpb = (0, tp2)\<rbrakk>
-\<Longrightarrow> tp1 = tp2"
-proof -
-assume h1: "steps (Suc 0, tp) A stpa = (0, tp1)"
-and h2: "steps (Suc 0, tp) A stpb = (0, tp2)"
-thus "?thesis"
-proof(cases "stpa < stpb")
-case True thus "?thesis"
-using h1 h2
-apply(drule_tac less_imp_Suc_add, auto)
-apply(simp del: add_Suc_right add_Suc add: add_Suc_right[THEN sym] steps_add steps_0)
-done
-next
-case False thus "?thesis"
-using h1 h2
-apply(drule_tac leI)
-apply(case_tac "stpb = stpa", auto)
-apply(subgoal_tac "stpb < stpa")
-apply(drule_tac less_imp_Suc_add, auto)
-apply(simp del: add_Suc_right add_Suc add: add_Suc_right[THEN sym] steps_add steps_0)
-done
-qed
-qed
-type_synonym t_assert = "tape \<Rightarrow> bool"
-definition t_imply :: "t_assert \<Rightarrow> t_assert \<Rightarrow> bool" ("_ \<turnstile>-> _" [0, 0] 100)
-where
-"t_imply a1 a2 = (\<forall> tp. a1 tp \<longrightarrow> a2 tp)"
-locale turing_merge =
-fixes A :: "tprog" and B :: "tprog" and P1 :: "t_assert"
-and P2 :: "t_assert"
-and P3 :: "t_assert"
-and P4 :: "t_assert"
-and Q1:: "t_assert"
-and Q2 :: "t_assert"
-assumes
-A_wf : "t_correct A"
-and B_wf : "t_correct B"
-and A_halt : "P1 tp \<Longrightarrow> \<exists> stp. let (s, tp') = steps (Suc 0, tp) A stp in s = 0 \<and> Q1 tp'"
-and B_halt : "P2 tp \<Longrightarrow> \<exists> stp. let (s, tp') = steps (Suc 0, tp) B stp in s = 0 \<and> Q2 tp'"
-and A_uhalt : "P3 tp \<Longrightarrow> \<not> (\<exists> stp. isS0 (steps (Suc 0, tp) A stp))"
-and B_uhalt: "P4 tp \<Longrightarrow> \<not> (\<exists> stp. isS0 (steps (Suc 0, tp) B stp))"
-begin
-text {*
-The following lemma tries to derive the Hoare logic rule for sequentially combined TMs.
-It deals with the situtation when both @{text "A"} and @{text "B"} are terminated.
-*}
-thm t_merge_pre_halt_same
-lemma t_merge_halt:
-assumes aimpb: "Q1 \<turnstile>-> P2"
-shows "P1 \<turnstile>->  \<lambda> tp. (\<exists> stp tp'. steps (Suc 0, tp) (A |+| B)  stp = (0, tp') \<and> Q2 tp')"
-proof(simp add: t_imply_def, auto)
-fix a b
-assume h: "P1 (a, b)"
-hence "\<exists> stp. let (s, tp') = steps (Suc 0, a, b) A stp in s = 0 \<and> Q1 tp'"
-using A_halt by simp
-from this obtain stp1 where "let (s, tp') = steps (Suc 0, a, b) A stp1 in s = 0 \<and> Q1 tp'" ..
-thus "\<exists>stp aa ba. steps (Suc 0, a, b) (A |+| B) stp = (0, aa, ba) \<and> Q2 (aa, ba)"
-proof(case_tac "steps (Suc 0, a, b) A stp1", simp, erule_tac conjE)
-fix aa ba c
-assume g1: "Q1 (ba, c)"
-and g2: "steps (Suc 0, a, b) A stp1 = (0, ba, c)"
-hence "P2 (ba, c)"
-using aimpb apply(simp add: t_imply_def)
-done
-hence "\<exists> stp. let (s, tp') = steps (Suc 0, ba, c) B stp in s = 0 \<and> Q2 tp'"
-using B_halt by simp
-from this obtain stp2 where "let (s, tp') = steps (Suc 0, ba, c) B stp2 in s = 0 \<and> Q2 tp'" ..
-thus "?thesis"
-proof(case_tac "steps (Suc 0, ba, c) B stp2", simp, erule_tac conjE)
-fix aa bb ca
-assume g3: " Q2 (bb, ca)" "steps (Suc 0, ba, c) B stp2 = (0, bb, ca)"
-have "\<exists> stp. steps (Suc 0, a, b) (A |+| B) stp = (Suc (length A div 2), ba , c)"
-using g2 A_wf B_wf
-by(rule_tac t_merge_pre_halt_same, auto)
-moreover have "\<exists> stp. steps (Suc (length A div 2), ba, c) (A |+| B) stp = (0, bb, ca)"
-using g3 A_wf B_wf
-apply(rule_tac t_merge_snd_halt_eq, auto)
-done
-ultimately show "\<exists>stp aa ba. steps (Suc 0, a, b) (A |+| B) stp = (0, aa, ba) \<and> Q2 (aa, ba)"
-apply(erule_tac exE, erule_tac exE)
-apply(rule_tac x = "stp + stpa" in exI, simp add: steps_add)
-using g3 by simp
-qed
-qed
-qed
-lemma  t_merge_uhalt_tmp:
-assumes B_uh: "\<forall>stp. \<not> isS0 (steps (Suc 0, b, c) B stp)"
-and merge_ah: "steps (Suc 0, tp) (A |+| B) stpa = (Suc (length A div 2), b, c)"
-shows "\<forall> stp. \<not> isS0 (steps (Suc 0, tp) (A |+| B) stp)"
-using B_uh merge_ah
-apply(rule_tac allI)
-apply(case_tac "stp > stpa")
-apply(erule_tac x = "stp - stpa" in allE)
-apply(case_tac "(steps (Suc 0, b, c) B (stp - stpa))", simp)
-proof -
-fix stp a ba ca
-assume h1: "\<not> isS0 (a, ba, ca)" "stpa < stp"
-and h2: "steps (Suc 0, b, c) B (stp - stpa) = (a, ba, ca)"
-have "steps (Suc 0 + length A div 2, b, c) (A |+| B) (stp - stpa) =
-(if a = 0 then 0 else a + length A div 2, ba, ca)"
-using A_wf B_wf h2
-by(rule_tac t_merge_snd_eq_steps, auto)
-moreover have "a > 0" using h1 by(simp add: isS0_def)
-moreover have "\<exists> stpb. stp = stpa + stpb"
-using h1 by(rule_tac x = "stp - stpa" in exI, simp)
-ultimately show "\<not> isS0 (steps (Suc 0, tp) (A |+| B) stp)"
-using merge_ah
-by(auto simp: steps_add isS0_def)
-next
-fix stp
-assume h: "steps (Suc 0, tp) (A |+| B) stpa = (Suc (length A div 2), b, c)" "\<not> stpa < stp"
-hence "\<exists> stpb. stpa = stp + stpb" apply(rule_tac x = "stpa - stp" in exI, auto) done
-thus "\<not> isS0 (steps (Suc 0, tp) (A |+| B) stp)"
-using h
-apply(auto)
-apply(cases "steps (Suc 0, tp) (A |+| B) stp", simp add: steps_add isS0_def steps_0)
-done
-qed
-text {*
-The following lemma deals with the situation when TM @{text "B"} can not terminate.
-*}
-lemma t_merge_uhalt:
-assumes aimpb: "Q1 \<turnstile>-> P4"
-shows "P1 \<turnstile>-> \<lambda> tp. \<not> (\<exists> stp. isS0 (steps (Suc 0, tp) (A |+| B) stp))"
-proof(simp only: t_imply_def, rule_tac allI, rule_tac impI)
-fix tp
-assume init_asst: "P1 tp"
-show "\<not> (\<exists>stp. isS0 (steps (Suc 0, tp) (A |+| B) stp))"
-proof -
-have "\<exists> stp. let (s, tp') = steps (Suc 0, tp) A stp in s = 0 \<and> Q1 tp'"
-using A_halt[of tp] init_asst
-by(simp)
-from this obtain stpx where "let (s, tp') = steps (Suc 0, tp) A stpx in s = 0 \<and> Q1 tp'" ..
-thus "?thesis"
-proof(cases "steps (Suc 0, tp) A stpx", simp, erule_tac conjE)
-fix a b c
-assume "Q1 (b, c)"
-and h3: "steps (Suc 0, tp) A stpx = (0, b, c)"
-hence h2: "P4 (b, c)"  using aimpb
-by(simp add: t_imply_def)
-have "\<exists> stp. steps (Suc 0, tp) (A |+| B) stp = (Suc (length A div 2), b, c)"
-using h3 A_wf B_wf
-apply(rule_tac stp = stpx in t_merge_pre_halt_same, auto)
-done
-from this obtain stpa where h4:"steps (Suc 0, tp) (A |+| B) stpa = (Suc (length A div 2), b, c)" ..
-have " \<not> (\<exists> stp. isS0 (steps (Suc 0, b, c) B stp))"
-using B_uhalt [of "(b, c)"] h2 apply simp
-done
-from this and h4 show "\<forall>stp. \<not> isS0 (steps (Suc 0, tp) (A |+| B) stp)"
-by(rule_tac t_merge_uhalt_tmp, auto)
-qed
-qed
-qed
 end
-end

changeset 50	816e84ca16d6
parent 41	6d89ed67ba27