tm2: comparison Separation_Algebra/Separation_Algebra

equal deleted inserted replaced

-:77daf1b85cf0
+:a5f5b9336007
+(* Author: Gerwin Klein, 2012
+Maintainers: Gerwin Klein <kleing at cse.unsw.edu.au>
+Rafal Kolanski <rafal.kolanski at nicta.com.au>
+*)
+header "Abstract Separation Logic, Alternative Definition"
+theory Separation_Algebra_Alt
+imports Main
+begin
+text {*
+This theory contains an alternative definition of speration algebra,
+following Calcagno et al very closely. While some of the abstract
+development is more algebraic, it is cumbersome to instantiate.
+We only use it to prove equivalence and to give an impression of how
+it would look like.
+*}
+(* The @{text "++"} notation is a horrible choice, but this theory is
+only intended to show how the development would look like, not to
+actually use it. We remove the notation for map-add so it doesn't
+conflict.
+*)
+no_notation map_add (infixl "++" 100)
+definition
+lift2 :: "('a => 'b => 'c option) \<Rightarrow> 'a option => 'b option => 'c option"
+where
+"lift2 f a b \<equiv> case (a,b) of (Some a, Some b) \<Rightarrow> f a b | _ \<Rightarrow> None"
+class sep_algebra_alt = zero +
+fixes add :: "'a => 'a => 'a option" (infixr "\<oplus>" 65)
+assumes add_zero [simp]: "x \<oplus> 0 = Some x"
+assumes add_comm: "x \<oplus> y = y \<oplus> x"
+assumes add_assoc: "lift2 add a (lift2 add b c) = lift2 add (lift2 add a b) c"
+begin
+definition
+disjoint :: "'a => 'a => bool" (infix "##" 60)
+where
+"a ## b \<equiv> a \<oplus> b \<noteq> None"
+lemma disj_com: "x ## y = y ## x"
+by (auto simp: disjoint_def add_comm)
+lemma disj_zero [simp]: "x ## 0"
+by (auto simp: disjoint_def)
+lemma disj_zero2 [simp]: "0 ## x"
+by (subst disj_com) simp
+lemma add_zero2 [simp]: "0 \<oplus> x = Some x"
+by (subst add_comm) auto
+definition
+substate :: "'a => 'a => bool" (infix "\<preceq>" 60) where
+"a \<preceq> b \<equiv> \<exists>c. a \<oplus> c = Some b"
+definition
+sep_conj :: "('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool)" (infixl "**" 61)
+where
+"P ** Q \<equiv> \<lambda>s. \<exists>p q. p \<oplus> q = Some s \<and> P p \<and> Q q"
+definition emp :: "'a \<Rightarrow> bool" ("\<box>") where
+"\<box> \<equiv> \<lambda>s. s = 0"
+definition
+sep_impl :: "('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool)" (infixr "\<longrightarrow>\<^sup>*" 25)
+where
+"P \<longrightarrow>\<^sup>* Q \<equiv> \<lambda>h. \<forall>h' h''. h \<oplus> h' = Some h'' \<and> P h' \<longrightarrow> Q h''"
+definition
+"sep_true \<equiv> \<lambda>s. True"
+definition
+"sep_false \<equiv> \<lambda>s. False"
+abbreviation
+add2 :: "'a option => 'a option => 'a option" (infixr "++" 65)
+where
+"add2 == lift2 add"
+lemma add2_comm:
+"a ++ b = b ++ a"
+by (simp add: lift2_def add_comm split: option.splits)
+lemma add2_None [simp]:
+"x ++ None = None"
+by (simp add: lift2_def split: option.splits)
+lemma None_add2 [simp]:
+"None ++ x = None"
+by (simp add: lift2_def split: option.splits)
+lemma add2_Some_Some:
+"Some x ++ Some y = x \<oplus> y"
+by (simp add: lift2_def)
+lemma add2_zero [simp]:
+"Some x ++ Some 0 = Some x"
+by (simp add: add2_Some_Some)
+lemma zero_add2 [simp]:
+"Some 0 ++ Some x = Some x"
+by (simp add: add2_Some_Some)
+lemma sep_conjE:
+"\<lbrakk> (P ** Q) s; \<And>p q. \<lbrakk> P p; Q q; p \<oplus> q = Some s \<rbrakk> \<Longrightarrow> X \<rbrakk> \<Longrightarrow> X"
+by (auto simp: sep_conj_def)
+lemma sep_conjI:
+"\<lbrakk> P p; Q q; p \<oplus> q = Some s \<rbrakk> \<Longrightarrow> (P ** Q) s"
+by (auto simp: sep_conj_def)
+lemma sep_conj_comI:
+"(P ** Q) s \<Longrightarrow> (Q ** P) s"
+by (auto intro!: sep_conjI elim!: sep_conjE simp: add_comm)
+lemma sep_conj_com:
+"P ** Q = Q ** P"
+by (auto intro: sep_conj_comI intro!: ext)
+lemma lift_to_add2:
+"\<lbrakk>z \<oplus> q = Some s; x \<oplus> y = Some q\<rbrakk> \<Longrightarrow> Some z ++ Some x ++ Some y = Some s"
+by (simp add: add2_Some_Some)
+lemma lift_to_add2':
+"\<lbrakk>q \<oplus> z = Some s; x \<oplus> y = Some q\<rbrakk> \<Longrightarrow> (Some x ++ Some y) ++ Some z = Some s"
+by (simp add: add2_Some_Some)
+lemma add2_Some:
+"(x ++ Some y = Some z) = (\<exists>x'. x = Some x' \<and> x' \<oplus> y = Some z)"
+by (simp add: lift2_def split: option.splits)
+lemma Some_add2:
+"(Some x ++ y = Some z) = (\<exists>y'. y = Some y' \<and> x \<oplus> y' = Some z)"
+by (simp add: lift2_def split: option.splits)
+lemma sep_conj_assoc:
+"P ** (Q ** R) = (P ** Q) ** R"
+unfolding sep_conj_def
+apply (rule ext)
+apply (rule iffI)
+apply clarsimp
+apply (drule (1) lift_to_add2)
+apply (subst (asm) add_assoc)
+apply (fastforce simp: add2_Some_Some add2_Some)
+apply clarsimp
+apply (drule (1) lift_to_add2')
+apply (subst (asm) add_assoc [symmetric])
+apply (fastforce simp: add2_Some_Some Some_add2)
+done
+lemma sep_true[simp]: "sep_true s" by (simp add: sep_true_def)
+lemma sep_false[simp]: "\<not>sep_false x" by (simp add: sep_false_def)
+lemma sep_conj_sep_true:
+"P s \<Longrightarrow> (P ** sep_true) s"
+by (auto simp: sep_conjI [where q=0])
+lemma sep_conj_sep_true':
+"P s \<Longrightarrow> (sep_true ** P) s"
+by (auto simp: sep_conjI [where p=0])
+lemma disjoint_submaps_exist:
+"\<exists>h\<^isub>0 h\<^isub>1. h\<^isub>0 \<oplus> h\<^isub>1 = Some h"
+by (rule_tac x=0 in exI, auto)
+lemma sep_conj_true[simp]:
+"(sep_true ** sep_true) = sep_true"
+unfolding sep_conj_def
+by (auto intro!: ext intro: disjoint_submaps_exist)
+lemma sep_conj_false_right[simp]:
+"(P ** sep_false) = sep_false"
+by (force elim: sep_conjE intro!: ext)
+lemma sep_conj_false_left[simp]:
+"(sep_false ** P) = sep_false"
+by (subst sep_conj_com) (rule sep_conj_false_right)
+lemma sep_conj_left_com:
+"(P ** (Q ** R)) = (Q ** (P ** R))" (is "?x = ?y")
+proof -
+have "?x = ((Q ** R) ** P)" by (simp add: sep_conj_com)
+also have "\<dots> = (Q ** (R ** P))" by (subst sep_conj_assoc, simp)
+finally show ?thesis by (simp add: sep_conj_com)
+qed
+lemmas sep_conj_ac = sep_conj_com sep_conj_assoc sep_conj_left_com
+lemma empty_empty[simp]: "\<box> 0"
+by (simp add: emp_def)
+lemma sep_conj_empty[simp]:
+"(P ** \<box>) = P"
+by (simp add: sep_conj_def emp_def)
+lemma sep_conj_empty'[simp]:
+"(\<box> ** P) = P"
+by (subst sep_conj_com, rule sep_conj_empty)
+lemma sep_conj_sep_emptyI:
+"P s \<Longrightarrow> (P ** \<box>) s"
+by simp
+lemma sep_conj_true_P[simp]:
+"(sep_true ** (sep_true ** P)) = (sep_true ** P)"
+by (simp add: sep_conj_assoc)
+lemma sep_conj_disj:
+"((\<lambda>s. P s \<or> Q s) ** R) s = ((P ** R) s \<or> (Q ** R) s)" (is "?x = (?y \<or> ?z)")
+by (auto simp: sep_conj_def)
+lemma sep_conj_conj:
+"((\<lambda>s. P s \<and> Q s) ** R) s \<Longrightarrow> (P ** R) s \<and> (Q ** R) s"
+by (force intro: sep_conjI elim!: sep_conjE)
+lemma sep_conj_exists1:
+"((\<lambda>s. \<exists>x. P x s) ** Q) s = (\<exists>x. (P x ** Q) s)"
+by (force intro: sep_conjI elim: sep_conjE)
+lemma sep_conj_exists2:
+"(P ** (\<lambda>s. \<exists>x. Q x s)) = (\<lambda>s. (\<exists>x. (P ** Q x) s))"
+by (force intro!: sep_conjI ext elim!: sep_conjE)
+lemmas sep_conj_exists = sep_conj_exists1 sep_conj_exists2
+lemma sep_conj_forall:
+"((\<lambda>s. \<forall>x. P x s) ** Q) s \<Longrightarrow> (P x ** Q) s"
+by (force intro: sep_conjI elim: sep_conjE)
+lemma sep_conj_impl:
+"\<lbrakk> (P ** Q) s; \<And>s. P s \<Longrightarrow> P' s; \<And>s. Q s \<Longrightarrow> Q' s \<rbrakk> \<Longrightarrow> (P' ** Q') s"
+by (erule sep_conjE, auto intro!: sep_conjI)
+lemma sep_conj_impl1:
+assumes P: "\<And>s. P s \<Longrightarrow> I s"
+shows "(P ** R) s \<Longrightarrow> (I ** R) s"
+by (auto intro: sep_conj_impl P)
+lemma sep_conj_sep_true_left:
+"(P ** Q) s \<Longrightarrow> (sep_true ** Q) s"
+by (erule sep_conj_impl, simp+)
+lemma sep_conj_sep_true_right:
+"(P ** Q) s \<Longrightarrow> (P ** sep_true) s"
+by (subst (asm) sep_conj_com, drule sep_conj_sep_true_left,
+simp add: sep_conj_ac)
+lemma sep_globalise:
+"\<lbrakk> (P ** R) s; (\<And>s. P s \<Longrightarrow> Q s) \<rbrakk> \<Longrightarrow> (Q ** R) s"
+by (fast elim: sep_conj_impl)
+lemma sep_implI:
+assumes a: "\<And>h' h''. \<lbrakk> h \<oplus> h' = Some h''; P h' \<rbrakk> \<Longrightarrow> Q h''"
+shows "(P \<longrightarrow>\<^sup>* Q) h"
+unfolding sep_impl_def by (auto elim: a)
+lemma sep_implD:
+"(x \<longrightarrow>\<^sup>* y) h \<Longrightarrow> \<forall>h' h''. h \<oplus> h' = Some h'' \<and> x h' \<longrightarrow> y h''"
+by (force simp: sep_impl_def)
+lemma sep_impl_sep_true[simp]:
+"(P \<longrightarrow>\<^sup>* sep_true) = sep_true"
+by (force intro!: sep_implI ext)
+lemma sep_impl_sep_false[simp]:
+"(sep_false \<longrightarrow>\<^sup>* P) = sep_true"
+by (force intro!: sep_implI ext)
+lemma sep_impl_sep_true_P:
+"(sep_true \<longrightarrow>\<^sup>* P) s \<Longrightarrow> P s"
+apply (drule sep_implD)
+apply (erule_tac x=0 in allE)
+apply simp
+done
+lemma sep_impl_sep_true_false[simp]:
+"(sep_true \<longrightarrow>\<^sup>* sep_false) = sep_false"
+by (force intro!: ext dest: sep_impl_sep_true_P)
+lemma sep_conj_sep_impl:
+"\<lbrakk> P s; \<And>s. (P ** Q) s \<Longrightarrow> R s \<rbrakk> \<Longrightarrow> (Q \<longrightarrow>\<^sup>* R) s"
+proof (rule sep_implI)
+fix h' h h''
+assume "P h" and "h \<oplus> h' = Some h''" and "Q h'"
+hence "(P ** Q) h''" by (force intro: sep_conjI)
+moreover assume "\<And>s. (P ** Q) s \<Longrightarrow> R s"
+ultimately show "R h''" by simp
+qed
+lemma sep_conj_sep_impl2:
+"\<lbrakk> (P ** Q) s; \<And>s. P s \<Longrightarrow> (Q \<longrightarrow>\<^sup>* R) s \<rbrakk> \<Longrightarrow> R s"
+by (force dest: sep_implD elim: sep_conjE)
+lemma sep_conj_sep_impl_sep_conj2:
+"(P ** R) s \<Longrightarrow> (P ** (Q \<longrightarrow>\<^sup>* (Q ** R))) s"
+by (erule (1) sep_conj_impl, erule sep_conj_sep_impl, simp add: sep_conj_ac)
+lemma sep_conj_triv_strip2:
+"Q = R \<Longrightarrow> (Q ** P) = (R ** P)" by simp
+end
+end