diff --git a/metadata/metadata b/metadata/metadata --- a/metadata/metadata +++ b/metadata/metadata @@ -1,8158 +1,8255 @@ [Generic_Deriving] title = Deriving generic class instances for datatypes author = Jonas Rädle , Lars Hupel topic = Computer Science/Data Structures date = 2018-11-06 notify = jonas.raedle@gmail.com abstract =

We provide a framework for automatically deriving instances for generic type classes. Our approach is inspired by Haskell's generic-deriving package and Scala's shapeless library. In addition to generating the code for type class functions, we also attempt to automatically prove type class laws for these instances. As of now, however, some manual proofs are still required for recursive datatypes.

Note: There are already articles in the AFP that provide automatic instantiation for a number of classes. Concretely, Deriving allows the automatic instantiation of comparators, linear orders, equality, and hashing. Show instantiates a Haskell-style show class.

Our approach works for arbitrary classes (with some Isabelle/HOL overhead for each class), but a smaller set of datatypes.

[Partial_Order_Reduction] title = Partial Order Reduction author = Julian Brunner topic = Computer Science/Automata and Formal Languages date = 2018-06-05 notify = brunnerj@in.tum.de abstract = This entry provides a formalization of the abstract theory of ample set partial order reduction. The formalization includes transition systems with actions, trace theory, as well as basics on finite, infinite, and lazy sequences. We also provide a basic framework for static analysis on concurrent systems with respect to the ample set condition. [CakeML] title = CakeML author = Lars Hupel , Yu Zhang <> contributors = Johannes Åman Pohjola <> topic = Computer Science/Programming Languages/Language Definitions date = 2018-03-12 notify = hupel@in.tum.de abstract = CakeML is a functional programming language with a proven-correct compiler and runtime system. This entry contains an unofficial version of the CakeML semantics that has been exported from the Lem specifications to Isabelle. Additionally, there are some hand-written theory files that adapt the exported code to Isabelle and port proofs from the HOL4 formalization, e.g. termination and equivalence proofs. [DiscretePricing] title = Pricing in discrete financial models author = Mnacho Echenim topic = Mathematics/Probability Theory, Mathematics/Economics date = 2018-07-16 notify = mnacho.echenim@univ-grenoble-alpes.fr abstract = We have formalized the computation of fair prices for derivative products in discrete financial models. As an application, we derive a way to compute fair prices of derivative products in the Cox-Ross-Rubinstein model of a financial market, thus completing the work that was presented in this paper. extra-history = Change history: [2019-05-12]: Renamed discr_mkt predicate to stk_strict_subs and got rid of predicate A for a more natural definition of the type discrete_market; renamed basic quantity processes for coherent notation; renamed value_process into val_process and closing_value_process to cls_val_process; relaxed hypothesis of lemma CRR_market_fair_price. Added functions to price some basic options. (revision 0b813a1a833f)
[Pell] title = Pell's Equation author = Manuel Eberl topic = Mathematics/Number Theory date = 2018-06-23 notify = eberlm@in.tum.de abstract =

This article gives the basic theory of Pell's equation x2 = 1 + Dy2, where D ∈ ℕ is a parameter and x, y are integer variables.

The main result that is proven is the following: If D is not a perfect square, then there exists a fundamental solution (x0, y0) that is not the trivial solution (1, 0) and which generates all other solutions (x, y) in the sense that there exists some n ∈ ℕ such that |x| + |y| √D = (x0 + y0 √D)n. This also implies that the set of solutions is infinite, and it gives us an explicit and executable characterisation of all the solutions.

Based on this, simple executable algorithms for computing the fundamental solution and the infinite sequence of all non-negative solutions are also provided.

[WebAssembly] title = WebAssembly author = Conrad Watt topic = Computer Science/Programming Languages/Language Definitions date = 2018-04-29 notify = caw77@cam.ac.uk abstract = This is a mechanised specification of the WebAssembly language, drawn mainly from the previously published paper formalisation of Haas et al. Also included is a full proof of soundness of the type system, together with a verified type checker and interpreter. We include only a partial procedure for the extraction of the type checker and interpreter here. For more details, please see our paper in CPP 2018. [Knuth_Morris_Pratt] title = The string search algorithm by Knuth, Morris and Pratt author = Fabian Hellauer , Peter Lammich topic = Computer Science/Algorithms date = 2017-12-18 notify = hellauer@in.tum.de, lammich@in.tum.de abstract = The Knuth-Morris-Pratt algorithm is often used to show that the problem of finding a string s in a text t can be solved deterministically in O(|s| + |t|) time. We use the Isabelle Refinement Framework to formulate and verify the algorithm. Via refinement, we apply some optimisations and finally use the Sepref tool to obtain executable code in Imperative/HOL. [Minkowskis_Theorem] title = Minkowski's Theorem author = Manuel Eberl topic = Mathematics/Geometry, Mathematics/Number Theory date = 2017-07-13 notify = eberlm@in.tum.de abstract =

Minkowski's theorem relates a subset of ℝn, the Lebesgue measure, and the integer lattice ℤn: It states that any convex subset of ℝn with volume greater than 2n contains at least one lattice point from ℤn\{0}, i. e. a non-zero point with integer coefficients.

A related theorem which directly implies this is Blichfeldt's theorem, which states that any subset of ℝn with a volume greater than 1 contains two different points whose difference vector has integer components.

The entry contains a proof of both theorems.

[Name_Carrying_Type_Inference] title = Verified Metatheory and Type Inference for a Name-Carrying Simply-Typed Lambda Calculus author = Michael Rawson topic = Computer Science/Programming Languages/Type Systems date = 2017-07-09 notify = mr644@cam.ac.uk, michaelrawson76@gmail.com abstract = I formalise a Church-style simply-typed \(\lambda\)-calculus, extended with pairs, a unit value, and projection functions, and show some metatheory of the calculus, such as the subject reduction property. Particular attention is paid to the treatment of names in the calculus. A nominal style of binding is used, but I use a manual approach over Nominal Isabelle in order to extract an executable type inference algorithm. More information can be found in my undergraduate dissertation. [Propositional_Proof_Systems] title = Propositional Proof Systems author = Julius Michaelis , Tobias Nipkow topic = Logic date = 2017-06-21 notify = maintainafpppt@liftm.de abstract = We formalize a range of proof systems for classical propositional logic (sequent calculus, natural deduction, Hilbert systems, resolution) and prove the most important meta-theoretic results about semantics and proofs: compactness, soundness, completeness, translations between proof systems, cut-elimination, interpolation and model existence. [Optics] title = Optics author = Simon Foster , Frank Zeyda topic = Computer Science/Functional Programming, Mathematics/Algebra date = 2017-05-25 notify = simon.foster@york.ac.uk abstract = Lenses provide an abstract interface for manipulating data types through spatially-separated views. They are defined abstractly in terms of two functions, get, the return a value from the source type, and put that updates the value. We mechanise the underlying theory of lenses, in terms of an algebraic hierarchy of lenses, including well-behaved and very well-behaved lenses, each lens class being characterised by a set of lens laws. We also mechanise a lens algebra in Isabelle that enables their composition and comparison, so as to allow construction of complex lenses. This is accompanied by a large library of algebraic laws. Moreover we also show how the lens classes can be applied by instantiating them with a number of Isabelle data types. [Game_Based_Crypto] title = Game-based cryptography in HOL author = Andreas Lochbihler , S. Reza Sefidgar <>, Bhargav Bhatt topic = Computer Science/Security/Cryptography date = 2017-05-05 notify = mail@andreas-lochbihler.de abstract =

In this AFP entry, we show how to specify game-based cryptographic security notions and formally prove secure several cryptographic constructions from the literature using the CryptHOL framework. Among others, we formalise the notions of a random oracle, a pseudo-random function, an unpredictable function, and of encryption schemes that are indistinguishable under chosen plaintext and/or ciphertext attacks. We prove the random-permutation/random-function switching lemma, security of the Elgamal and hashed Elgamal public-key encryption scheme and correctness and security of several constructions with pseudo-random functions.

Our proofs follow the game-hopping style advocated by Shoup and Bellare and Rogaway, from which most of the examples have been taken. We generalise some of their results such that they can be reused in other proofs. Thanks to CryptHOL's integration with Isabelle's parametricity infrastructure, many simple hops are easily justified using the theory of representation independence.

extra-history = Change history: [2018-09-28]: added the CryptHOL tutorial for game-based cryptography (revision 489a395764ae) [Multi_Party_Computation] title = Multi-Party Computation author = David Aspinall , David Butler topic = Computer Science/Security date = 2019-05-09 notify = dbutler@turing.ac.uk abstract = We use CryptHOL to consider Multi-Party Computation (MPC) protocols. MPC was first considered by Yao in 1983 and recent advances in efficiency and an increased demand mean it is now deployed in the real world. Security is considered using the real/ideal world paradigm. We first define security in the semi-honest security setting where parties are assumed not to deviate from the protocol transcript. In this setting we prove multiple Oblivious Transfer (OT) protocols secure and then show security for the gates of the GMW protocol. We then define malicious security, this is a stronger notion of security where parties are assumed to be fully corrupted by an adversary. In this setting we again consider OT, as it is a fundamental building block of almost all MPC protocols. [CryptHOL] title = CryptHOL author = Andreas Lochbihler topic = Computer Science/Security/Cryptography, Computer Science/Functional Programming, Mathematics/Probability Theory date = 2017-05-05 notify = mail@andreas-lochbihler.de abstract =

CryptHOL provides a framework for formalising cryptographic arguments in Isabelle/HOL. It shallowly embeds a probabilistic functional programming language in higher order logic. The language features monadic sequencing, recursion, random sampling, failures and failure handling, and black-box access to oracles. Oracles are probabilistic functions which maintain hidden state between different invocations. All operators are defined in the new semantic domain of generative probabilistic values, a codatatype. We derive proof rules for the operators and establish a connection with the theory of relational parametricity. Thus, the resuting proofs are trustworthy and comprehensible, and the framework is extensible and widely applicable.

The framework is used in the accompanying AFP entry "Game-based Cryptography in HOL". There, we show-case our framework by formalizing different game-based proofs from the literature. This formalisation continues the work described in the author's ESOP 2016 paper.

[Constructive_Cryptography] title = Constructive Cryptography in HOL author = Andreas Lochbihler , S. Reza Sefidgar<> topic = Computer Science/Security/Cryptography, Mathematics/Probability Theory date = 2018-12-17 notify = mail@andreas-lochbihler.de, reza.sefidgar@inf.ethz.ch abstract = Inspired by Abstract Cryptography, we extend CryptHOL, a framework for formalizing game-based proofs, with an abstract model of Random Systems and provide proof rules about their composition and equality. This foundation facilitates the formalization of Constructive Cryptography proofs, where the security of a cryptographic scheme is realized as a special form of construction in which a complex random system is built from simpler ones. This is a first step towards a fully-featured compositional framework, similar to Universal Composability framework, that supports formalization of simulation-based proofs. [Probabilistic_While] title = Probabilistic while loop author = Andreas Lochbihler topic = Computer Science/Functional Programming, Mathematics/Probability Theory, Computer Science/Algorithms date = 2017-05-05 notify = mail@andreas-lochbihler.de abstract = This AFP entry defines a probabilistic while operator based on sub-probability mass functions and formalises zero-one laws and variant rules for probabilistic loop termination. As applications, we implement probabilistic algorithms for the Bernoulli, geometric and arbitrary uniform distributions that only use fair coin flips, and prove them correct and terminating with probability 1. extra-history = Change history: [2018-02-02]: Added a proof that probabilistic conditioning can be implemented by repeated sampling. (revision 305867c4e911)
[Monad_Normalisation] title = Monad normalisation author = Joshua Schneider <>, Manuel Eberl , Andreas Lochbihler topic = Tools, Computer Science/Functional Programming, Logic/Rewriting date = 2017-05-05 notify = mail@andreas-lochbihler.de abstract = The usual monad laws can directly be used as rewrite rules for Isabelle’s simplifier to normalise monadic HOL terms and decide equivalences. In a commutative monad, however, the commutativity law is a higher-order permutative rewrite rule that makes the simplifier loop. This AFP entry implements a simproc that normalises monadic expressions in commutative monads using ordered rewriting. The simproc can also permute computations across control operators like if and case. [Monomorphic_Monad] title = Effect polymorphism in higher-order logic author = Andreas Lochbihler topic = Computer Science/Functional Programming date = 2017-05-05 notify = mail@andreas-lochbihler.de abstract = The notion of a monad cannot be expressed within higher-order logic (HOL) due to type system restrictions. We show that if a monad is used with values of only one type, this notion can be formalised in HOL. Based on this idea, we develop a library of effect specifications and implementations of monads and monad transformers. Hence, we can abstract over the concrete monad in HOL definitions and thus use the same definition for different (combinations of) effects. We illustrate the usefulness of effect polymorphism with a monadic interpreter for a simple language. extra-history = Change history: [2018-02-15]: added further specifications and implementations of non-determinism; more examples (revision bc5399eea78e)
[Constructor_Funs] title = Constructor Functions author = Lars Hupel topic = Tools date = 2017-04-19 notify = hupel@in.tum.de abstract = Isabelle's code generator performs various adaptations for target languages. Among others, constructor applications have to be fully saturated. That means that for constructor calls occuring as arguments to higher-order functions, synthetic lambdas have to be inserted. This entry provides tooling to avoid this construction altogether by introducing constructor functions. [Lazy_Case] title = Lazifying case constants author = Lars Hupel topic = Tools date = 2017-04-18 notify = hupel@in.tum.de abstract = Isabelle's code generator performs various adaptations for target languages. Among others, case statements are printed as match expressions. Internally, this is a sophisticated procedure, because in HOL, case statements are represented as nested calls to the case combinators as generated by the datatype package. Furthermore, the procedure relies on laziness of match expressions in the target language, i.e., that branches guarded by patterns that fail to match are not evaluated. Similarly, if-then-else is printed to the corresponding construct in the target language. This entry provides tooling to replace these special cases in the code generator by ignoring these target language features, instead printing case expressions and if-then-else as functions. [Dict_Construction] title = Dictionary Construction author = Lars Hupel topic = Tools date = 2017-05-24 notify = hupel@in.tum.de abstract = Isabelle's code generator natively supports type classes. For targets that do not have language support for classes and instances, it performs the well-known dictionary translation, as described by Haftmann and Nipkow. This translation happens outside the logic, i.e., there is no guarantee that it is correct, besides the pen-and-paper proof. This work implements a certified dictionary translation that produces new class-free constants and derives equality theorems. [Higher_Order_Terms] title = An Algebra for Higher-Order Terms author = Lars Hupel contributors = Yu Zhang <> topic = Computer Science/Programming Languages/Lambda Calculi date = 2019-01-15 notify = lars@hupel.info abstract = In this formalization, I introduce a higher-order term algebra, generalizing the notions of free variables, matching, and substitution. The need arose from the work on a verified compiler from Isabelle to CakeML. Terms can be thought of as consisting of a generic (free variables, constants, application) and a specific part. As example applications, this entry provides instantiations for de-Bruijn terms, terms with named variables, and Blanchette’s λ-free higher-order terms. Furthermore, I implement translation functions between de-Bruijn terms and named terms and prove their correctness. [Subresultants] title = Subresultants author = Sebastiaan Joosten , René Thiemann , Akihisa Yamada topic = Mathematics/Algebra date = 2017-04-06 notify = rene.thiemann@uibk.ac.at abstract = We formalize the theory of subresultants and the subresultant polynomial remainder sequence as described by Brown and Traub. As a result, we obtain efficient certified algorithms for computing the resultant and the greatest common divisor of polynomials. [Comparison_Sort_Lower_Bound] title = Lower bound on comparison-based sorting algorithms author = Manuel Eberl topic = Computer Science/Algorithms date = 2017-03-15 notify = eberlm@in.tum.de abstract =

This article contains a formal proof of the well-known fact that number of comparisons that a comparison-based sorting algorithm needs to perform to sort a list of length n is at least log2 (n!) in the worst case, i. e. Ω(n log n).

For this purpose, a shallow embedding for comparison-based sorting algorithms is defined: a sorting algorithm is a recursive datatype containing either a HOL function or a query of a comparison oracle with a continuation containing the remaining computation. This makes it possible to force the algorithm to use only comparisons and to track the number of comparisons made.

[Quick_Sort_Cost] title = The number of comparisons in QuickSort author = Manuel Eberl topic = Computer Science/Algorithms date = 2017-03-15 notify = eberlm@in.tum.de abstract =

We give a formal proof of the well-known results about the number of comparisons performed by two variants of QuickSort: first, the expected number of comparisons of randomised QuickSort (i. e. QuickSort with random pivot choice) is 2 (n+1) Hn - 4 n, which is asymptotically equivalent to 2 n ln n; second, the number of comparisons performed by the classic non-randomised QuickSort has the same distribution in the average case as the randomised one.

[Random_BSTs] title = Expected Shape of Random Binary Search Trees author = Manuel Eberl topic = Computer Science/Data Structures date = 2017-04-04 notify = eberlm@in.tum.de abstract =

This entry contains proofs for the textbook results about the distributions of the height and internal path length of random binary search trees (BSTs), i. e. BSTs that are formed by taking an empty BST and inserting elements from a fixed set in random order.

In particular, we prove a logarithmic upper bound on the expected height and the Θ(n log n) closed-form solution for the expected internal path length in terms of the harmonic numbers. We also show how the internal path length relates to the average-case cost of a lookup in a BST.

[Randomised_BSTs] title = Randomised Binary Search Trees author = Manuel Eberl topic = Computer Science/Data Structures date = 2018-10-19 notify = eberlm@in.tum.de abstract =

This work is a formalisation of the Randomised Binary Search Trees introduced by Martínez and Roura, including definitions and correctness proofs.

Like randomised treaps, they are a probabilistic data structure that behaves exactly as if elements were inserted into a non-balancing BST in random order. However, unlike treaps, they only use discrete probability distributions, but their use of randomness is more complicated.

[E_Transcendental] title = The Transcendence of e author = Manuel Eberl topic = Mathematics/Analysis, Mathematics/Number Theory date = 2017-01-12 notify = eberlm@in.tum.de abstract =

This work contains a proof that Euler's number e is transcendental. The proof follows the standard approach of assuming that e is algebraic and then using a specific integer polynomial to derive two inconsistent bounds, leading to a contradiction.

This kind of approach can be found in many different sources; this formalisation mostly follows a PlanetMath article by Roger Lipsett.

[Pi_Transcendental] title = The Transcendence of π author = Manuel Eberl topic = Mathematics/Number Theory date = 2018-09-28 notify = eberlm@in.tum.de abstract =

This entry shows the transcendence of π based on the classic proof using the fundamental theorem of symmetric polynomials first given by von Lindemann in 1882, but the formalisation mostly follows the version by Niven. The proof reuses much of the machinery developed in the AFP entry on the transcendence of e.

[DFS_Framework] title = A Framework for Verifying Depth-First Search Algorithms author = Peter Lammich , René Neumann notify = lammich@in.tum.de date = 2016-07-05 topic = Computer Science/Algorithms abstract =

This entry presents a framework for the modular verification of DFS-based algorithms, which is described in our [CPP-2015] paper. It provides a generic DFS algorithm framework, that can be parameterized with user-defined actions on certain events (e.g. discovery of new node). It comes with an extensible library of invariants, which can be used to derive invariants of a specific parameterization. Using refinement techniques, efficient implementations of the algorithms can easily be derived. Here, the framework comes with templates for a recursive and a tail-recursive implementation, and also with several templates for implementing the data structures required by the DFS algorithm. Finally, this entry contains a set of re-usable DFS-based algorithms, which illustrate the application of the framework.

[CPP-2015] Peter Lammich, René Neumann: A Framework for Verifying Depth-First Search Algorithms. CPP 2015: 137-146

[Flow_Networks] title = Flow Networks and the Min-Cut-Max-Flow Theorem author = Peter Lammich , S. Reza Sefidgar <> topic = Mathematics/Graph Theory date = 2017-06-01 notify = lammich@in.tum.de abstract = We present a formalization of flow networks and the Min-Cut-Max-Flow theorem. Our formal proof closely follows a standard textbook proof, and is accessible even without being an expert in Isabelle/HOL, the interactive theorem prover used for the formalization. [Prpu_Maxflow] title = Formalizing Push-Relabel Algorithms author = Peter Lammich , S. Reza Sefidgar <> topic = Computer Science/Algorithms, Mathematics/Graph Theory date = 2017-06-01 notify = lammich@in.tum.de abstract = We present a formalization of push-relabel algorithms for computing the maximum flow in a network. We start with Goldberg's et al.~generic push-relabel algorithm, for which we show correctness and the time complexity bound of O(V^2E). We then derive the relabel-to-front and FIFO implementation. Using stepwise refinement techniques, we derive an efficient verified implementation. Our formal proof of the abstract algorithms closely follows a standard textbook proof. It is accessible even without being an expert in Isabelle/HOL, the interactive theorem prover used for the formalization. [Buildings] title = Chamber Complexes, Coxeter Systems, and Buildings author = Jeremy Sylvestre notify = jeremy.sylvestre@ualberta.ca date = 2016-07-01 topic = Mathematics/Algebra, Mathematics/Geometry abstract = We provide a basic formal framework for the theory of chamber complexes and Coxeter systems, and for buildings as thick chamber complexes endowed with a system of apartments. Along the way, we develop some of the general theory of abstract simplicial complexes and of groups (relying on the group_add class for the basics), including free groups and group presentations, and their universal properties. The main results verified are that the deletion condition is both necessary and sufficient for a group with a set of generators of order two to be a Coxeter system, and that the apartments in a (thick) building are all uniformly Coxeter. [Algebraic_VCs] title = Program Construction and Verification Components Based on Kleene Algebra author = Victor B. F. Gomes , Georg Struth notify = victor.gomes@cl.cam.ac.uk, g.struth@sheffield.ac.uk date = 2016-06-18 topic = Mathematics/Algebra abstract = Variants of Kleene algebra support program construction and verification by algebraic reasoning. This entry provides a verification component for Hoare logic based on Kleene algebra with tests, verification components for weakest preconditions and strongest postconditions based on Kleene algebra with domain and a component for step-wise refinement based on refinement Kleene algebra with tests. In addition to these components for the partial correctness of while programs, a verification component for total correctness based on divergence Kleene algebras and one for (partial correctness) of recursive programs based on domain quantales are provided. Finally we have integrated memory models for programs with pointers and a program trace semantics into the weakest precondition component. [Card_Equiv_Relations] title = Cardinality of Equivalence Relations author = Lukas Bulwahn notify = lukas.bulwahn@gmail.com date = 2016-05-24 topic = Mathematics/Combinatorics abstract = This entry provides formulae for counting the number of equivalence relations and partial equivalence relations over a finite carrier set with given cardinality. To count the number of equivalence relations, we provide bijections between equivalence relations and set partitions, and then transfer the main results of the two AFP entries, Cardinality of Set Partitions and Spivey's Generalized Recurrence for Bell Numbers, to theorems on equivalence relations. To count the number of partial equivalence relations, we observe that counting partial equivalence relations over a set A is equivalent to counting all equivalence relations over all subsets of the set A. From this observation and the results on equivalence relations, we show that the cardinality of partial equivalence relations over a finite set of cardinality n is equal to the n+1-th Bell number. [Twelvefold_Way] title = The Twelvefold Way author = Lukas Bulwahn topic = Mathematics/Combinatorics date = 2016-12-29 notify = lukas.bulwahn@gmail.com abstract = This entry provides all cardinality theorems of the Twelvefold Way. The Twelvefold Way systematically classifies twelve related combinatorial problems concerning two finite sets, which include counting permutations, combinations, multisets, set partitions and number partitions. This development builds upon the existing formal developments with cardinality theorems for those structures. It provides twelve bijections from the various structures to different equivalence classes on finite functions, and hence, proves cardinality formulae for these equivalence classes on finite functions. [Chord_Segments] title = Intersecting Chords Theorem author = Lukas Bulwahn notify = lukas.bulwahn@gmail.com date = 2016-10-11 topic = Mathematics/Geometry abstract = This entry provides a geometric proof of the intersecting chords theorem. The theorem states that when two chords intersect each other inside a circle, the products of their segments are equal. After a short review of existing proofs in the literature, I decided to use a proof approach that employs reasoning about lengths of line segments, the orthogonality of two lines and the Pythagoras Law. Hence, one can understand the formalized proof easily with the knowledge of a few general geometric facts that are commonly taught in high-school. This theorem is the 55th theorem of the Top 100 Theorems list. [Category3] title = Category Theory with Adjunctions and Limits author = Eugene W. Stark notify = stark@cs.stonybrook.edu date = 2016-06-26 topic = Mathematics/Category Theory abstract = This article attempts to develop a usable framework for doing category theory in Isabelle/HOL. Our point of view, which to some extent differs from that of the previous AFP articles on the subject, is to try to explore how category theory can be done efficaciously within HOL, rather than trying to match exactly the way things are done using a traditional approach. To this end, we define the notion of category in an "object-free" style, in which a category is represented by a single partial composition operation on arrows. This way of defining categories provides some advantages in the context of HOL, including the ability to avoid the use of records and the possibility of defining functors and natural transformations simply as certain functions on arrows, rather than as composite objects. We define various constructions associated with the basic notions, including: dual category, product category, functor category, discrete category, free category, functor composition, and horizontal and vertical composite of natural transformations. A "set category" locale is defined that axiomatizes the notion "category of all sets at a type and all functions between them," and a fairly extensive set of properties of set categories is derived from the locale assumptions. The notion of a set category is used to prove the Yoneda Lemma in a general setting of a category equipped with a "hom embedding," which maps arrows of the category to the "universe" of the set category. We also give a treatment of adjunctions, defining adjunctions via left and right adjoint functors, natural bijections between hom-sets, and unit and counit natural transformations, and showing the equivalence of these definitions. We also develop the theory of limits, including representations of functors, diagrams and cones, and diagonal functors. We show that right adjoint functors preserve limits, and that limits can be constructed via products and equalizers. We characterize the conditions under which limits exist in a set category. We also examine the case of limits in a functor category, ultimately culminating in a proof that the Yoneda embedding preserves limits. extra-history = Change history: [2018-05-29]: Revised axioms for the category locale. Introduced notation for composition and "in hom". (revision 8318366d4575)
[MonoidalCategory] title = Monoidal Categories author = Eugene W. Stark topic = Mathematics/Category Theory date = 2017-05-04 notify = stark@cs.stonybrook.edu abstract = Building on the formalization of basic category theory set out in the author's previous AFP article, the present article formalizes some basic aspects of the theory of monoidal categories. Among the notions defined here are monoidal category, monoidal functor, and equivalence of monoidal categories. The main theorems formalized are MacLane's coherence theorem and the constructions of the free monoidal category and free strict monoidal category generated by a given category. The coherence theorem is proved syntactically, using a structurally recursive approach to reduction of terms that might have some novel aspects. We also give proofs of some results given by Etingof et al, which may prove useful in a formal setting. In particular, we show that the left and right unitors need not be taken as given data in the definition of monoidal category, nor does the definition of monoidal functor need to take as given a specific isomorphism expressing the preservation of the unit object. Our definitions of monoidal category and monoidal functor are stated so as to take advantage of the economy afforded by these facts. extra-history = Change history: [2017-05-18]: Integrated material from MonoidalCategory/Category3Adapter into Category3/ and deleted adapter. (revision 015543cdd069)
[2018-05-29]: Modifications required due to 'Category3' changes. Introduced notation for "in hom". (revision 8318366d4575)
[Card_Multisets] title = Cardinality of Multisets author = Lukas Bulwahn notify = lukas.bulwahn@gmail.com date = 2016-06-26 topic = Mathematics/Combinatorics abstract =

This entry provides three lemmas to count the number of multisets of a given size and finite carrier set. The first lemma provides a cardinality formula assuming that the multiset's elements are chosen from the given carrier set. The latter two lemmas provide formulas assuming that the multiset's elements also cover the given carrier set, i.e., each element of the carrier set occurs in the multiset at least once.

The proof of the first lemma uses the argument of the recurrence relation for counting multisets. The proof of the second lemma is straightforward, and the proof of the third lemma is easily obtained using the first cardinality lemma. A challenge for the formalization is the derivation of the required induction rule, which is a special combination of the induction rules for finite sets and natural numbers. The induction rule is derived by defining a suitable inductive predicate and transforming the predicate's induction rule.

[Posix-Lexing] title = POSIX Lexing with Derivatives of Regular Expressions author = Fahad Ausaf , Roy Dyckhoff , Christian Urban notify = christian.urban@kcl.ac.uk date = 2016-05-24 topic = Computer Science/Automata and Formal Languages abstract = Brzozowski introduced the notion of derivatives for regular expressions. They can be used for a very simple regular expression matching algorithm. Sulzmann and Lu cleverly extended this algorithm in order to deal with POSIX matching, which is the underlying disambiguation strategy for regular expressions needed in lexers. In this entry we give our inductive definition of what a POSIX value is and show (i) that such a value is unique (for given regular expression and string being matched) and (ii) that Sulzmann and Lu's algorithm always generates such a value (provided that the regular expression matches the string). We also prove the correctness of an optimised version of the POSIX matching algorithm. [LocalLexing] title = Local Lexing author = Steven Obua topic = Computer Science/Automata and Formal Languages date = 2017-04-28 notify = steven@recursivemind.com abstract = This formalisation accompanies the paper Local Lexing which introduces a novel parsing concept of the same name. The paper also gives a high-level algorithm for local lexing as an extension of Earley's algorithm. This formalisation proves the algorithm to be correct with respect to its local lexing semantics. As a special case, this formalisation thus also contains a proof of the correctness of Earley's algorithm. The paper contains a short outline of how this formalisation is organised. [MFMC_Countable] title = A Formal Proof of the Max-Flow Min-Cut Theorem for Countable Networks author = Andreas Lochbihler date = 2016-05-09 topic = Mathematics/Graph Theory abstract = This article formalises a proof of the maximum-flow minimal-cut theorem for networks with countably many edges. A network is a directed graph with non-negative real-valued edge labels and two dedicated vertices, the source and the sink. A flow in a network assigns non-negative real numbers to the edges such that for all vertices except for the source and the sink, the sum of values on incoming edges equals the sum of values on outgoing edges. A cut is a subset of the vertices which contains the source, but not the sink. Our theorem states that in every network, there is a flow and a cut such that the flow saturates all the edges going out of the cut and is zero on all the incoming edges. The proof is based on the paper The Max-Flow Min-Cut theorem for countable networks by Aharoni et al. Additionally, we prove a characterisation of the lifting operation for relations on discrete probability distributions, which leads to a concise proof of its distributivity over relation composition. notify = mail@andreas-lochbihler.de extra-history = Change history: [2017-09-06]: derive characterisation for the lifting operations on discrete distributions from finite version of the max-flow min-cut theorem (revision a7a198f5bab0)
[Liouville_Numbers] title = Liouville numbers author = Manuel Eberl date = 2015-12-28 topic = Mathematics/Analysis, Mathematics/Number Theory abstract =

Liouville numbers are a class of transcendental numbers that can be approximated particularly well with rational numbers. Historically, they were the first numbers whose transcendence was proven.

In this entry, we define the concept of Liouville numbers as well as the standard construction to obtain Liouville numbers (including Liouville's constant) and we prove their most important properties: irrationality and transcendence.

The proof is very elementary and requires only standard arithmetic, the Mean Value Theorem for polynomials, and the boundedness of polynomials on compact intervals.

notify = eberlm@in.tum.de [Triangle] title = Basic Geometric Properties of Triangles author = Manuel Eberl date = 2015-12-28 topic = Mathematics/Geometry abstract =

This entry contains a definition of angles between vectors and between three points. Building on this, we prove basic geometric properties of triangles, such as the Isosceles Triangle Theorem, the Law of Sines and the Law of Cosines, that the sum of the angles of a triangle is π, and the congruence theorems for triangles.

The definitions and proofs were developed following those by John Harrison in HOL Light. However, due to Isabelle's type class system, all definitions and theorems in the Isabelle formalisation hold for all real inner product spaces.

notify = eberlm@in.tum.de [Prime_Harmonic_Series] title = The Divergence of the Prime Harmonic Series author = Manuel Eberl date = 2015-12-28 topic = Mathematics/Number Theory abstract =

In this work, we prove the lower bound ln(H_n) - ln(5/3) for the partial sum of the Prime Harmonic series and, based on this, the divergence of the Prime Harmonic Series ∑[p prime] · 1/p.

The proof relies on the unique squarefree decomposition of natural numbers. This is similar to Euler's original proof (which was highly informal and morally questionable). Its advantage over proofs by contradiction, like the famous one by Paul Erdős, is that it provides a relatively good lower bound for the partial sums.

notify = eberlm@in.tum.de [Descartes_Sign_Rule] title = Descartes' Rule of Signs author = Manuel Eberl date = 2015-12-28 topic = Mathematics/Analysis abstract =

Descartes' Rule of Signs relates the number of positive real roots of a polynomial with the number of sign changes in its coefficient sequence.

Our proof follows the simple inductive proof given by Rob Arthan, which was also used by John Harrison in his HOL Light formalisation. We proved most of the lemmas for arbitrary linearly-ordered integrity domains (e.g. integers, rationals, reals); the main result, however, requires the intermediate value theorem and was therefore only proven for real polynomials.

notify = eberlm@in.tum.de [Euler_MacLaurin] title = The Euler–MacLaurin Formula author = Manuel Eberl topic = Mathematics/Analysis date = 2017-03-10 notify = eberlm@in.tum.de abstract =

The Euler-MacLaurin formula relates the value of a discrete sum to that of the corresponding integral in terms of the derivatives at the borders of the summation and a remainder term. Since the remainder term is often very small as the summation bounds grow, this can be used to compute asymptotic expansions for sums.

This entry contains a proof of this formula for functions from the reals to an arbitrary Banach space. Two variants of the formula are given: the standard textbook version and a variant outlined in Concrete Mathematics that is more useful for deriving asymptotic estimates.

As example applications, we use that formula to derive the full asymptotic expansion of the harmonic numbers and the sum of inverse squares.

[Card_Partitions] title = Cardinality of Set Partitions author = Lukas Bulwahn date = 2015-12-12 topic = Mathematics/Combinatorics abstract = The theory's main theorem states that the cardinality of set partitions of size k on a carrier set of size n is expressed by Stirling numbers of the second kind. In Isabelle, Stirling numbers of the second kind are defined in the AFP entry `Discrete Summation` through their well-known recurrence relation. The main theorem relates them to the alternative definition as cardinality of set partitions. The proof follows the simple and short explanation in Richard P. Stanley's `Enumerative Combinatorics: Volume 1` and Wikipedia, and unravels the full details and implicit reasoning steps of these explanations. notify = lukas.bulwahn@gmail.com [Card_Number_Partitions] title = Cardinality of Number Partitions author = Lukas Bulwahn date = 2016-01-14 topic = Mathematics/Combinatorics abstract = This entry provides a basic library for number partitions, defines the two-argument partition function through its recurrence relation and relates this partition function to the cardinality of number partitions. The main proof shows that the recursively-defined partition function with arguments n and k equals the cardinality of number partitions of n with exactly k parts. The combinatorial proof follows the proof sketch of Theorem 2.4.1 in Mazur's textbook `Combinatorics: A Guided Tour`. This entry can serve as starting point for various more intrinsic properties about number partitions, the partition function and related recurrence relations. notify = lukas.bulwahn@gmail.com [Multirelations] title = Binary Multirelations author = Hitoshi Furusawa , Georg Struth date = 2015-06-11 topic = Mathematics/Algebra abstract = Binary multirelations associate elements of a set with its subsets; hence they are binary relations from a set to its power set. Applications include alternating automata, models and logics for games, program semantics with dual demonic and angelic nondeterministic choices and concurrent dynamic logics. This proof document supports an arXiv article that formalises the basic algebra of multirelations and proposes axiom systems for them, ranging from weak bi-monoids to weak bi-quantales. notify = [Noninterference_Generic_Unwinding] title = The Generic Unwinding Theorem for CSP Noninterference Security author = Pasquale Noce date = 2015-06-11 topic = Computer Science/Security, Computer Science/Concurrency/Process Calculi abstract =

The classical definition of noninterference security for a deterministic state machine with outputs requires to consider the outputs produced by machine actions after any trace, i.e. any indefinitely long sequence of actions, of the machine. In order to render the verification of the security of such a machine more straightforward, there is a need of some sufficient condition for security such that just individual actions, rather than unbounded sequences of actions, have to be considered.

By extending previous results applying to transitive noninterference policies, Rushby has proven an unwinding theorem that provides a sufficient condition of this kind in the general case of a possibly intransitive policy. This condition has to be satisfied by a generic function mapping security domains into equivalence relations over machine states.

An analogous problem arises for CSP noninterference security, whose definition requires to consider any possible future, i.e. any indefinitely long sequence of subsequent events and any indefinitely large set of refused events associated to that sequence, for each process trace.

This paper provides a sufficient condition for CSP noninterference security, which indeed requires to just consider individual accepted and refused events and applies to the general case of a possibly intransitive policy. This condition follows Rushby's one for classical noninterference security, and has to be satisfied by a generic function mapping security domains into equivalence relations over process traces; hence its name, Generic Unwinding Theorem. Variants of this theorem applying to deterministic processes and trace set processes are also proven. Finally, the sufficient condition for security expressed by the theorem is shown not to be a necessary condition as well, viz. there exists a secure process such that no domain-relation map satisfying the condition exists.

notify = [Noninterference_Ipurge_Unwinding] title = The Ipurge Unwinding Theorem for CSP Noninterference Security author = Pasquale Noce date = 2015-06-11 topic = Computer Science/Security abstract =

The definition of noninterference security for Communicating Sequential Processes requires to consider any possible future, i.e. any indefinitely long sequence of subsequent events and any indefinitely large set of refused events associated to that sequence, for each process trace. In order to render the verification of the security of a process more straightforward, there is a need of some sufficient condition for security such that just individual accepted and refused events, rather than unbounded sequences and sets of events, have to be considered.

Of course, if such a sufficient condition were necessary as well, it would be even more valuable, since it would permit to prove not only that a process is secure by verifying that the condition holds, but also that a process is not secure by verifying that the condition fails to hold.

This paper provides a necessary and sufficient condition for CSP noninterference security, which indeed requires to just consider individual accepted and refused events and applies to the general case of a possibly intransitive policy. This condition follows Rushby's output consistency for deterministic state machines with outputs, and has to be satisfied by a specific function mapping security domains into equivalence relations over process traces. The definition of this function makes use of an intransitive purge function following Rushby's one; hence the name given to the condition, Ipurge Unwinding Theorem.

Furthermore, in accordance with Hoare's formal definition of deterministic processes, it is shown that a process is deterministic just in case it is a trace set process, i.e. it may be identified by means of a trace set alone, matching the set of its traces, in place of a failures-divergences pair. Then, variants of the Ipurge Unwinding Theorem are proven for deterministic processes and trace set processes.

notify = [List_Interleaving] title = Reasoning about Lists via List Interleaving author = Pasquale Noce date = 2015-06-11 topic = Computer Science/Data Structures abstract =

Among the various mathematical tools introduced in his outstanding work on Communicating Sequential Processes, Hoare has defined "interleaves" as the predicate satisfied by any three lists such that the first list may be split into sublists alternately extracted from the other two ones, whatever is the criterion for extracting an item from either one list or the other in each step.

This paper enriches Hoare's definition by identifying such criterion with the truth value of a predicate taking as inputs the head and the tail of the first list. This enhanced "interleaves" predicate turns out to permit the proof of equalities between lists without the need of an induction. Some rules that allow to infer "interleaves" statements without induction, particularly applying to the addition or removal of a prefix to the input lists, are also proven. Finally, a stronger version of the predicate, named "Interleaves", is shown to fulfil further rules applying to the addition or removal of a suffix to the input lists.

notify = [Residuated_Lattices] title = Residuated Lattices author = Victor B. F. Gomes , Georg Struth date = 2015-04-15 topic = Mathematics/Algebra abstract = The theory of residuated lattices, first proposed by Ward and Dilworth, is formalised in Isabelle/HOL. This includes concepts of residuated functions; their adjoints and conjugates. It also contains necessary and sufficient conditions for the existence of these operations in an arbitrary lattice. The mathematical components for residuated lattices are linked to the AFP entry for relation algebra. In particular, we prove Jonsson and Tsinakis conditions for a residuated boolean algebra to form a relation algebra. notify = g.struth@sheffield.ac.uk [ConcurrentGC] title = Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO author = Peter Gammie , Tony Hosking , Kai Engelhardt <> date = 2015-04-13 topic = Computer Science/Algorithms/Concurrent abstract =

We use ConcurrentIMP to model Schism, a state-of-the-art real-time garbage collection scheme for weak memory, and show that it is safe on x86-TSO.

This development accompanies the PLDI 2015 paper of the same name.

notify = peteg42@gmail.com [List_Update] title = Analysis of List Update Algorithms author = Maximilian P.L. Haslbeck , Tobias Nipkow date = 2016-02-17 topic = Computer Science/Algorithms/Online abstract =

These theories formalize the quantitative analysis of a number of classical algorithms for the list update problem: 2-competitiveness of move-to-front, the lower bound of 2 for the competitiveness of deterministic list update algorithms and 1.6-competitiveness of the randomized COMB algorithm, the best randomized list update algorithm known to date. The material is based on the first two chapters of Online Computation and Competitive Analysis by Borodin and El-Yaniv.

For an informal description see the FSTTCS 2016 publication Verified Analysis of List Update Algorithms by Haslbeck and Nipkow.

notify = nipkow@in.tum.de [ConcurrentIMP] title = Concurrent IMP author = Peter Gammie date = 2015-04-13 topic = Computer Science/Programming Languages/Logics abstract = ConcurrentIMP extends the small imperative language IMP with control non-determinism and constructs for synchronous message passing. notify = peteg42@gmail.com [TortoiseHare] title = The Tortoise and Hare Algorithm author = Peter Gammie date = 2015-11-18 topic = Computer Science/Algorithms abstract = We formalize the Tortoise and Hare cycle-finding algorithm ascribed to Floyd by Knuth, and an improved version due to Brent. notify = peteg42@gmail.com [UPF] title = The Unified Policy Framework (UPF) author = Achim D. Brucker , Lukas Brügger , Burkhart Wolff date = 2014-11-28 topic = Computer Science/Security abstract = We present the Unified Policy Framework (UPF), a generic framework for modelling security (access-control) policies. UPF emphasizes the view that a policy is a policy decision function that grants or denies access to resources, permissions, etc. In other words, instead of modelling the relations of permitted or prohibited requests directly, we model the concrete function that implements the policy decision point in a system. In more detail, UPF is based on the following four principles: 1) Functional representation of policies, 2) No conflicts are possible, 3) Three-valued decision type (allow, deny, undefined), 4) Output type not containing the decision only. notify = adbrucker@0x5f.org, wolff@lri.fr, lukas.a.bruegger@gmail.com [UPF_Firewall] title = Formal Network Models and Their Application to Firewall Policies author = Achim D. Brucker , Lukas Brügger<>, Burkhart Wolff topic = Computer Science/Security, Computer Science/Networks date = 2017-01-08 notify = adbrucker@0x5f.org abstract = We present a formal model of network protocols and their application to modeling firewall policies. The formalization is based on the Unified Policy Framework (UPF). The formalization was originally developed with for generating test cases for testing the security configuration actual firewall and router (middle-boxes) using HOL-TestGen. Our work focuses on modeling application level protocols on top of tcp/ip. [AODV] title = Loop freedom of the (untimed) AODV routing protocol author = Timothy Bourke , Peter Höfner date = 2014-10-23 topic = Computer Science/Concurrency/Process Calculi abstract =

The Ad hoc On-demand Distance Vector (AODV) routing protocol allows the nodes in a Mobile Ad hoc Network (MANET) or a Wireless Mesh Network (WMN) to know where to forward data packets. Such a protocol is ‘loop free’ if it never leads to routing decisions that forward packets in circles.

This development mechanises an existing pen-and-paper proof of loop freedom of AODV. The protocol is modelled in the Algebra of Wireless Networks (AWN), which is the subject of an earlier paper and AFP mechanization. The proof relies on a novel compositional approach for lifting invariants to networks of nodes.

We exploit the mechanization to analyse several variants of AODV and show that Isabelle/HOL can re-establish most proof obligations automatically and identify exactly the steps that are no longer valid.

notify = tim@tbrk.org [Show] title = Haskell's Show Class in Isabelle/HOL author = Christian Sternagel , René Thiemann date = 2014-07-29 topic = Computer Science/Functional Programming license = LGPL abstract = We implemented a type class for "to-string" functions, similar to Haskell's Show class. Moreover, we provide instantiations for Isabelle/HOL's standard types like bool, prod, sum, nats, ints, and rats. It is further possible, to automatically derive show functions for arbitrary user defined datatypes similar to Haskell's "deriving Show". extra-history = Change history: [2015-03-11]: Adapted development to new-style (BNF-based) datatypes.
[2015-04-10]: Moved development for old-style datatypes into subdirectory "Old_Datatype".
notify = christian.sternagel@uibk.ac.at, rene.thiemann@uibk.ac.at [Certification_Monads] title = Certification Monads author = Christian Sternagel , René Thiemann date = 2014-10-03 topic = Computer Science/Functional Programming abstract = This entry provides several monads intended for the development of stand-alone certifiers via code generation from Isabelle/HOL. More specifically, there are three flavors of error monads (the sum type, for the case where all monadic functions are total; an instance of the former, the so called check monad, yielding either success without any further information or an error message; as well as a variant of the sum type that accommodates partial functions by providing an explicit bottom element) and a parser monad built on top. All of this monads are heavily used in the IsaFoR/CeTA project which thus provides many examples of their usage. notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at [CISC-Kernel] title = Formal Specification of a Generic Separation Kernel author = Freek Verbeek , Sergey Tverdyshev , Oto Havle , Holger Blasum , Bruno Langenstein , Werner Stephan , Yakoub Nemouchi , Abderrahmane Feliachi , Burkhart Wolff , Julien Schmaltz date = 2014-07-18 topic = Computer Science/Security abstract =

Intransitive noninterference has been a widely studied topic in the last few decades. Several well-established methodologies apply interactive theorem proving to formulate a noninterference theorem over abstract academic models. In joint work with several industrial and academic partners throughout Europe, we are helping in the certification process of PikeOS, an industrial separation kernel developed at SYSGO. In this process, established theories could not be applied. We present a new generic model of separation kernels and a new theory of intransitive noninterference. The model is rich in detail, making it suitable for formal verification of realistic and industrial systems such as PikeOS. Using a refinement-based theorem proving approach, we ensure that proofs remain manageable.

This document corresponds to the deliverable D31.1 of the EURO-MILS Project http://www.euromils.eu.

notify = [pGCL] title = pGCL for Isabelle author = David Cock date = 2014-07-13 topic = Computer Science/Programming Languages/Language Definitions abstract =

pGCL is both a programming language and a specification language that incorporates both probabilistic and nondeterministic choice, in a unified manner. Program verification is by refinement or annotation (or both), using either Hoare triples, or weakest-precondition entailment, in the style of GCL.

This package provides both a shallow embedding of the language primitives, and an annotation and refinement framework. The generated document includes a brief tutorial.

notify = [Noninterference_CSP] title = Noninterference Security in Communicating Sequential Processes author = Pasquale Noce date = 2014-05-23 topic = Computer Science/Security abstract =

An extension of classical noninterference security for deterministic state machines, as introduced by Goguen and Meseguer and elegantly formalized by Rushby, to nondeterministic systems should satisfy two fundamental requirements: it should be based on a mathematically precise theory of nondeterminism, and should be equivalent to (or at least not weaker than) the classical notion in the degenerate deterministic case.

This paper proposes a definition of noninterference security applying to Hoare's Communicating Sequential Processes (CSP) in the general case of a possibly intransitive noninterference policy, and proves the equivalence of this security property to classical noninterference security for processes representing deterministic state machines.

Furthermore, McCullough's generalized noninterference security is shown to be weaker than both the proposed notion of CSP noninterference security for a generic process, and classical noninterference security for processes representing deterministic state machines. This renders CSP noninterference security preferable as an extension of classical noninterference security to nondeterministic systems.

notify = pasquale.noce.lavoro@gmail.com [Floyd_Warshall] title = The Floyd-Warshall Algorithm for Shortest Paths author = Simon Wimmer , Peter Lammich topic = Computer Science/Algorithms date = 2017-05-08 notify = wimmers@in.tum.de abstract = The Floyd-Warshall algorithm [Flo62, Roy59, War62] is a classic dynamic programming algorithm to compute the length of all shortest paths between any two vertices in a graph (i.e. to solve the all-pairs shortest path problem, or APSP for short). Given a representation of the graph as a matrix of weights M, it computes another matrix M' which represents a graph with the same path lengths and contains the length of the shortest path between any two vertices i and j. This is only possible if the graph does not contain any negative cycles. However, in this case the Floyd-Warshall algorithm will detect the situation by calculating a negative diagonal entry. This entry includes a formalization of the algorithm and of these key properties. The algorithm is refined to an efficient imperative version using the Imperative Refinement Framework. [Roy_Floyd_Warshall] title = Transitive closure according to Roy-Floyd-Warshall author = Makarius Wenzel <> date = 2014-05-23 topic = Computer Science/Algorithms abstract = This formulation of the Roy-Floyd-Warshall algorithm for the transitive closure bypasses matrices and arrays, but uses a more direct mathematical model with adjacency functions for immediate predecessors and successors. This can be implemented efficiently in functional programming languages and is particularly adequate for sparse relations. notify = [GPU_Kernel_PL] title = Syntax and semantics of a GPU kernel programming language author = John Wickerson date = 2014-04-03 topic = Computer Science/Programming Languages/Language Definitions abstract = This document accompanies the article "The Design and Implementation of a Verification Technique for GPU Kernels" by Adam Betts, Nathan Chong, Alastair F. Donaldson, Jeroen Ketema, Shaz Qadeer, Paul Thomson and John Wickerson. It formalises all of the definitions provided in Sections 3 and 4 of the article. notify = [AWN] title = Mechanization of the Algebra for Wireless Networks (AWN) author = Timothy Bourke date = 2014-03-08 topic = Computer Science/Concurrency/Process Calculi abstract =

AWN is a process algebra developed for modelling and analysing protocols for Mobile Ad hoc Networks (MANETs) and Wireless Mesh Networks (WMNs). AWN models comprise five distinct layers: sequential processes, local parallel compositions, nodes, partial networks, and complete networks.

This development mechanises the original operational semantics of AWN and introduces a variant 'open' operational semantics that enables the compositional statement and proof of invariants across distinct network nodes. It supports labels (for weakening invariants) and (abstract) data state manipulations. A framework for compositional invariant proofs is developed, including a tactic (inv_cterms) for inductive invariant proofs of sequential processes, lifting rules for the open versions of the higher layers, and a rule for transferring lifted properties back to the standard semantics. A notion of 'control terms' reduces proof obligations to the subset of subterms that act directly (in contrast to operators for combining terms and joining processes).

notify = tim@tbrk.org [Selection_Heap_Sort] title = Verification of Selection and Heap Sort Using Locales author = Danijela Petrovic date = 2014-02-11 topic = Computer Science/Algorithms abstract = Stepwise program refinement techniques can be used to simplify program verification. Programs are better understood since their main properties are clearly stated, and verification of rather complex algorithms is reduced to proving simple statements connecting successive program specifications. Additionally, it is easy to analyze similar algorithms and to compare their properties within a single formalization. Usually, formal analysis is not done in educational setting due to complexity of verification and a lack of tools and procedures to make comparison easy. Verification of an algorithm should not only give correctness proof, but also better understanding of an algorithm. If the verification is based on small step program refinement, it can become simple enough to be demonstrated within the university-level computer science curriculum. In this paper we demonstrate this and give a formal analysis of two well known algorithms (Selection Sort and Heap Sort) using proof assistant Isabelle/HOL and program refinement techniques. notify = [Real_Impl] title = Implementing field extensions of the form Q[sqrt(b)] author = René Thiemann date = 2014-02-06 license = LGPL topic = Mathematics/Analysis abstract = We apply data refinement to implement the real numbers, where we support all numbers in the field extension Q[sqrt(b)], i.e., all numbers of the form p + q * sqrt(b) for rational numbers p and q and some fixed natural number b. To this end, we also developed algorithms to precisely compute roots of a rational number, and to perform a factorization of natural numbers which eliminates duplicate prime factors.

Our results have been used to certify termination proofs which involve polynomial interpretations over the reals. extra-history = Change history: [2014-07-11]: Moved NthRoot_Impl to Sqrt-Babylonian. notify = rene.thiemann@uibk.ac.at [ShortestPath] title = An Axiomatic Characterization of the Single-Source Shortest Path Problem author = Christine Rizkallah date = 2013-05-22 topic = Mathematics/Graph Theory abstract = This theory is split into two sections. In the first section, we give a formal proof that a well-known axiomatic characterization of the single-source shortest path problem is correct. Namely, we prove that in a directed graph with a non-negative cost function on the edges the single-source shortest path function is the only function that satisfies a set of four axioms. In the second section, we give a formal proof of the correctness of an axiomatic characterization of the single-source shortest path problem for directed graphs with general cost functions. The axioms here are more involved because we have to account for potential negative cycles in the graph. The axioms are summarized in three Isabelle locales. notify = [Launchbury] title = The Correctness of Launchbury's Natural Semantics for Lazy Evaluation author = Joachim Breitner date = 2013-01-31 topic = Computer Science/Programming Languages/Lambda Calculi, Computer Science/Semantics abstract = In his seminal paper "Natural Semantics for Lazy Evaluation", John Launchbury proves his semantics correct with respect to a denotational semantics, and outlines an adequacy proof. We have formalized both semantics and machine-checked the correctness proof, clarifying some details. Furthermore, we provide a new and more direct adequacy proof that does not require intermediate operational semantics. extra-history = Change history: [2014-05-24]: Added the proof of adequacy, as well as simplified and improved the existing proofs. Adjusted abstract accordingly. [2015-03-16]: Booleans and if-then-else added to syntax and semantics, making this entry suitable to be used by the entry "Call_Arity". notify = [Call_Arity] title = The Safety of Call Arity author = Joachim Breitner date = 2015-02-20 topic = Computer Science/Programming Languages/Transformations abstract = We formalize the Call Arity analysis, as implemented in GHC, and prove both functional correctness and, more interestingly, safety (i.e. the transformation does not increase allocation).

We use syntax and the denotational semantics from the entry "Launchbury", where we formalized Launchbury's natural semantics for lazy evaluation.

The functional correctness of Call Arity is proved with regard to that denotational semantics. The operational properties are shown with regard to a small-step semantics akin to Sestoft's mark 1 machine, which we prove to be equivalent to Launchbury's semantics.

We use Christian Urban's Nominal2 package to define our terms and make use of Brian Huffman's HOLCF package for the domain-theoretical aspects of the development. extra-history = Change history: [2015-03-16]: This entry now builds on top of the Launchbury entry, and the equivalency proof of the natural and the small-step semantics was added. notify = [CCS] title = CCS in nominal logic author = Jesper Bengtson date = 2012-05-29 topic = Computer Science/Concurrency/Process Calculi abstract = We formalise a large portion of CCS as described in Milner's book 'Communication and Concurrency' using the nominal datatype package in Isabelle. Our results include many of the standard theorems of bisimulation equivalence and congruence, for both weak and strong versions. One main goal of this formalisation is to keep the machine-checked proofs as close to their pen-and-paper counterpart as possible.

This entry is described in detail in Bengtson's thesis. notify = [Pi_Calculus] title = The pi-calculus in nominal logic author = Jesper Bengtson date = 2012-05-29 topic = Computer Science/Concurrency/Process Calculi abstract = We formalise the pi-calculus using the nominal datatype package, based on ideas from the nominal logic by Pitts et al., and demonstrate an implementation in Isabelle/HOL. The purpose is to derive powerful induction rules for the semantics in order to conduct machine checkable proofs, closely following the intuitive arguments found in manual proofs. In this way we have covered many of the standard theorems of bisimulation equivalence and congruence, both late and early, and both strong and weak in a uniform manner. We thus provide one of the most extensive formalisations of a the pi-calculus ever done inside a theorem prover.

A significant gain in our formulation is that agents are identified up to alpha-equivalence, thereby greatly reducing the arguments about bound names. This is a normal strategy for manual proofs about the pi-calculus, but that kind of hand waving has previously been difficult to incorporate smoothly in an interactive theorem prover. We show how the nominal logic formalism and its support in Isabelle accomplishes this and thus significantly reduces the tedium of conducting completely formal proofs. This improves on previous work using weak higher order abstract syntax since we do not need extra assumptions to filter out exotic terms and can keep all arguments within a familiar first-order logic.

This entry is described in detail in Bengtson's thesis. notify = [Psi_Calculi] title = Psi-calculi in Isabelle author = Jesper Bengtson date = 2012-05-29 topic = Computer Science/Concurrency/Process Calculi abstract = Psi-calculi are extensions of the pi-calculus, accommodating arbitrary nominal datatypes to represent not only data but also communication channels, assertions and conditions, giving it an expressive power beyond the applied pi-calculus and the concurrent constraint pi-calculus.

We have formalised psi-calculi in the interactive theorem prover Isabelle using its nominal datatype package. One distinctive feature is that the framework needs to treat binding sequences, as opposed to single binders, in an efficient way. While different methods for formalising single binder calculi have been proposed over the last decades, representations for such binding sequences are not very well explored.

The main effort in the formalisation is to keep the machine checked proofs as close to their pen-and-paper counterparts as possible. This includes treating all binding sequences as atomic elements, and creating custom induction and inversion rules that to remove the bulk of manual alpha-conversions.

This entry is described in detail in Bengtson's thesis. notify = [Encodability_Process_Calculi] title = Analysing and Comparing Encodability Criteria for Process Calculi author = Kirstin Peters , Rob van Glabbeek date = 2015-08-10 topic = Computer Science/Concurrency/Process Calculi abstract = Encodings or the proof of their absence are the main way to compare process calculi. To analyse the quality of encodings and to rule out trivial or meaningless encodings, they are augmented with quality criteria. There exists a bunch of different criteria and different variants of criteria in order to reason in different settings. This leads to incomparable results. Moreover it is not always clear whether the criteria used to obtain a result in a particular setting do indeed fit to this setting. We show how to formally reason about and compare encodability criteria by mapping them on requirements on a relation between source and target terms that is induced by the encoding function. In particular we analyse the common criteria full abstraction, operational correspondence, divergence reflection, success sensitiveness, and respect of barbs; e.g. we analyse the exact nature of the simulation relation (coupled simulation versus bisimulation) that is induced by different variants of operational correspondence. This way we reduce the problem of analysing or comparing encodability criteria to the better understood problem of comparing relations on processes. notify = kirstin.peters@tu-berlin.de [Circus] title = Isabelle/Circus author = Abderrahmane Feliachi , Burkhart Wolff , Marie-Claude Gaudel contributors = Makarius Wenzel date = 2012-05-27 topic = Computer Science/Concurrency/Process Calculi, Computer Science/System Description Languages abstract = The Circus specification language combines elements for complex data and behavior specifications, using an integration of Z and CSP with a refinement calculus. Its semantics is based on Hoare and He's Unifying Theories of Programming (UTP). Isabelle/Circus is a formalization of the UTP and the Circus language in Isabelle/HOL. It contains proof rules and tactic support that allows for proofs of refinement for Circus processes (involving both data and behavioral aspects).

The Isabelle/Circus environment supports a syntax for the semantic definitions which is close to textbook presentations of Circus. This article contains an extended version of corresponding VSTTE Paper together with the complete formal development of its underlying commented theories. extra-history = Change history: [2014-06-05]: More polishing, shorter proofs, added Circus syntax, added Makarius Wenzel as contributor. notify = [Dijkstra_Shortest_Path] title = Dijkstra's Shortest Path Algorithm author = Benedikt Nordhoff , Peter Lammich topic = Computer Science/Algorithms date = 2012-01-30 abstract = We implement and prove correct Dijkstra's algorithm for the single source shortest path problem, conceived in 1956 by E. Dijkstra. The algorithm is implemented using the data refinement framework for monadic, nondeterministic programs. An efficient implementation is derived using data structures from the Isabelle Collection Framework. notify = lammich@in.tum.de [Refine_Monadic] title = Refinement for Monadic Programs author = Peter Lammich topic = Computer Science/Programming Languages/Logics date = 2012-01-30 abstract = We provide a framework for program and data refinement in Isabelle/HOL. The framework is based on a nondeterminism-monad with assertions, i.e., the monad carries a set of results or an assertion failure. Recursion is expressed by fixed points. For convenience, we also provide while and foreach combinators.

The framework provides tools to automatize canonical tasks, such as verification condition generation, finding appropriate data refinement relations, and refine an executable program to a form that is accepted by the Isabelle/HOL code generator.

This submission comes with a collection of examples and a user-guide, illustrating the usage of the framework. extra-history = Change history: [2012-04-23] Introduced ordered FOREACH loops
[2012-06] New features: REC_rule_arb and RECT_rule_arb allow for generalizing over variables. prepare_code_thms - command extracts code equations for recursion combinators.
[2012-07] New example: Nested DFS for emptiness check of Buchi-automata with witness.
New feature: fo_rule method to apply resolution using first-order matching. Useful for arg_conf, fun_cong.
[2012-08] Adaptation to ICF v2.
[2012-10-05] Adaptations to include support for Automatic Refinement Framework.
[2013-09] This entry now depends on Automatic Refinement
[2014-06] New feature: vc_solve method to solve verification conditions. Maintenace changes: VCG-rules for nfoldli, improved setup for FOREACH-loops.
[2014-07] Now defining recursion via flat domain. Dropped many single-valued prerequisites. Changed notion of data refinement. In single-valued case, this matches the old notion. In non-single valued case, the new notion allows for more convenient rules. In particular, the new definitions allow for projecting away ghost variables as a refinement step.
[2014-11] New features: le-or-fail relation (leof), modular reasoning about loop invariants. notify = lammich@in.tum.de [Refine_Imperative_HOL] title = The Imperative Refinement Framework author = Peter Lammich notify = lammich@in.tum.de date = 2016-08-08 topic = Computer Science/Programming Languages/Transformations,Computer Science/Data Structures abstract = We present the Imperative Refinement Framework (IRF), a tool that supports a stepwise refinement based approach to imperative programs. This entry is based on the material we presented in [ITP-2015, CPP-2016]. It uses the Monadic Refinement Framework as a frontend for the specification of the abstract programs, and Imperative/HOL as a backend to generate executable imperative programs. The IRF comes with tool support to synthesize imperative programs from more abstract, functional ones, using efficient imperative implementations for the abstract data structures. This entry also includes the Imperative Isabelle Collection Framework (IICF), which provides a library of re-usable imperative collection data structures. Moreover, this entry contains a quickstart guide and a reference manual, which provide an introduction to using the IRF for Isabelle/HOL experts. It also provids a collection of (partly commented) practical examples, some highlights being Dijkstra's Algorithm, Nested-DFS, and a generic worklist algorithm with subsumption. Finally, this entry contains benchmark scripts that compare the runtime of some examples against reference implementations of the algorithms in Java and C++. [ITP-2015] Peter Lammich: Refinement to Imperative/HOL. ITP 2015: 253--269 [CPP-2016] Peter Lammich: Refinement based verification of imperative data structures. CPP 2016: 27--36 [Automatic_Refinement] title = Automatic Data Refinement author = Peter Lammich topic = Computer Science/Programming Languages/Logics date = 2013-10-02 abstract = We present the Autoref tool for Isabelle/HOL, which automatically refines algorithms specified over abstract concepts like maps and sets to algorithms over concrete implementations like red-black-trees, and produces a refinement theorem. It is based on ideas borrowed from relational parametricity due to Reynolds and Wadler. The tool allows for rapid prototyping of verified, executable algorithms. Moreover, it can be configured to fine-tune the result to the user~s needs. Our tool is able to automatically instantiate generic algorithms, which greatly simplifies the implementation of executable data structures.

This AFP-entry provides the basic tool, which is then used by the Refinement and Collection Framework to provide automatic data refinement for the nondeterminism monad and various collection datastructures. notify = lammich@in.tum.de [EdmondsKarp_Maxflow] title = Formalizing the Edmonds-Karp Algorithm author = Peter Lammich , S. Reza Sefidgar<> notify = lammich@in.tum.de date = 2016-08-12 topic = Computer Science/Algorithms abstract = We present a formalization of the Ford-Fulkerson method for computing the maximum flow in a network. Our formal proof closely follows a standard textbook proof, and is accessible even without being an expert in Isabelle/HOL--- the interactive theorem prover used for the formalization. We then use stepwise refinement to obtain the Edmonds-Karp algorithm, and formally prove a bound on its complexity. Further refinement yields a verified implementation, whose execution time compares well to an unverified reference implementation in Java. This entry is based on our ITP-2016 paper with the same title. [VerifyThis2018] title = VerifyThis 2018 - Polished Isabelle Solutions author = Peter Lammich , Simon Wimmer topic = Computer Science/Algorithms date = 2018-04-27 notify = lammich@in.tum.de abstract = VerifyThis 2018 was a program verification competition associated with ETAPS 2018. It was the 7th event in the VerifyThis competition series. In this entry, we present polished and completed versions of our solutions that we created during the competition. [PseudoHoops] title = Pseudo Hoops author = George Georgescu <>, Laurentiu Leustean <>, Viorel Preoteasa topic = Mathematics/Algebra date = 2011-09-22 abstract = Pseudo-hoops are algebraic structures introduced by B. Bosbach under the name of complementary semigroups. In this formalization we prove some properties of pseudo-hoops and we define the basic concepts of filter and normal filter. The lattice of normal filters is isomorphic with the lattice of congruences of a pseudo-hoop. We also study some important classes of pseudo-hoops. Bounded Wajsberg pseudo-hoops are equivalent to pseudo-Wajsberg algebras and bounded basic pseudo-hoops are equivalent to pseudo-BL algebras. Some examples of pseudo-hoops are given in the last section of the formalization. notify = viorel.preoteasa@aalto.fi [MonoBoolTranAlgebra] title = Algebra of Monotonic Boolean Transformers author = Viorel Preoteasa topic = Computer Science/Programming Languages/Logics date = 2011-09-22 abstract = Algebras of imperative programming languages have been successful in reasoning about programs. In general an algebra of programs is an algebraic structure with programs as elements and with program compositions (sequential composition, choice, skip) as algebra operations. Various versions of these algebras were introduced to model partial correctness, total correctness, refinement, demonic choice, and other aspects. We formalize here an algebra which can be used to model total correctness, refinement, demonic and angelic choice. The basic model of this algebra are monotonic Boolean transformers (monotonic functions from a Boolean algebra to itself). notify = viorel.preoteasa@aalto.fi [LatticeProperties] title = Lattice Properties author = Viorel Preoteasa topic = Mathematics/Order date = 2011-09-22 abstract = This formalization introduces and collects some algebraic structures based on lattices and complete lattices for use in other developments. The structures introduced are modular, and lattice ordered groups. In addition to the results proved for the new lattices, this formalization also introduces theorems about latices and complete lattices in general. extra-history = Change history: [2012-01-05]: Removed the theory about distributive complete lattices which is in the standard library now. Added a theory about well founded and transitive relations and a result about fixpoints in complete lattices and well founded relations. Moved the results about conjunctive and disjunctive functions to a new theory. Removed the syntactic classes for inf and sup which are in the standard library now. notify = viorel.preoteasa@aalto.fi [Impossible_Geometry] title = Proving the Impossibility of Trisecting an Angle and Doubling the Cube author = Ralph Romanos , Lawrence C. Paulson topic = Mathematics/Algebra, Mathematics/Geometry date = 2012-08-05 abstract = Squaring the circle, doubling the cube and trisecting an angle, using a compass and straightedge alone, are classic unsolved problems first posed by the ancient Greeks. All three problems were proved to be impossible in the 19th century. The following document presents the proof of the impossibility of solving the latter two problems using Isabelle/HOL, following a proof by Carrega. The proof uses elementary methods: no Galois theory or field extensions. The set of points constructible using a compass and straightedge is defined inductively. Radical expressions, which involve only square roots and arithmetic of rational numbers, are defined, and we find that all constructive points have radical coordinates. Finally, doubling the cube and trisecting certain angles requires solving certain cubic equations that can be proved to have no rational roots. The Isabelle proofs require a great many detailed calculations. notify = ralph.romanos@student.ecp.fr, lp15@cam.ac.uk [IP_Addresses] title = IP Addresses author = Cornelius Diekmann , Julius Michaelis , Lars Hupel notify = diekmann@net.in.tum.de date = 2016-06-28 topic = Computer Science/Networks abstract = This entry contains a definition of IP addresses and a library to work with them. Generic IP addresses are modeled as machine words of arbitrary length. Derived from this generic definition, IPv4 addresses are 32bit machine words, IPv6 addresses are 128bit words. Additionally, IPv4 addresses can be represented in dot-decimal notation and IPv6 addresses in (compressed) colon-separated notation. We support toString functions and parsers for both notations. Sets of IP addresses can be represented with a netmask (e.g. 192.168.0.0/255.255.0.0) or in CIDR notation (e.g. 192.168.0.0/16). To provide executable code for set operations on IP address ranges, the library includes a datatype to work on arbitrary intervals of machine words. [Simple_Firewall] title = Simple Firewall author = Cornelius Diekmann , Julius Michaelis , Maximilian Haslbeck notify = diekmann@net.in.tum.de, max.haslbeck@gmx.de date = 2016-08-24 topic = Computer Science/Networks abstract = We present a simple model of a firewall. The firewall can accept or drop a packet and can match on interfaces, IP addresses, protocol, and ports. It was designed to feature nice mathematical properties: The type of match expressions was carefully crafted such that the conjunction of two match expressions is only one match expression. This model is too simplistic to mirror all aspects of the real world. In the upcoming entry "Iptables Semantics", we will translate the Linux firewall iptables to this model. For a fixed service (e.g. ssh, http), we provide an algorithm to compute an overview of the firewall's filtering behavior. The algorithm computes minimal service matrices, i.e. graphs which partition the complete IPv4 and IPv6 address space and visualize the allowed accesses between partitions. For a detailed description, see Verified iptables Firewall Analysis, IFIP Networking 2016. [Iptables_Semantics] title = Iptables Semantics author = Cornelius Diekmann , Lars Hupel notify = diekmann@net.in.tum.de, hupel@in.tum.de date = 2016-09-09 topic = Computer Science/Networks abstract = We present a big step semantics of the filtering behavior of the Linux/netfilter iptables firewall. We provide algorithms to simplify complex iptables rulests to a simple firewall model (c.f. AFP entry Simple_Firewall) and to verify spoofing protection of a ruleset. Internally, we embed our semantics into ternary logic, ultimately supporting every iptables match condition by abstracting over unknowns. Using this AFP entry and all entries it depends on, we created an easy-to-use, stand-alone haskell tool called fffuu. The tool does not require any input —except for the iptables-save dump of the analyzed firewall— and presents interesting results about the user's ruleset. Real-Word firewall errors have been uncovered, and the correctness of rulesets has been proved, with the help of our tool. [Routing] title = Routing author = Julius Michaelis , Cornelius Diekmann notify = afp@liftm.de date = 2016-08-31 topic = Computer Science/Networks abstract = This entry contains definitions for routing with routing tables/longest prefix matching. A routing table entry is modelled as a record of a prefix match, a metric, an output port, and an optional next hop. A routing table is a list of entries, sorted by prefix length and metric. Additionally, a parser and serializer for the output of the ip-route command, a function to create a relation from output port to corresponding destination IP space, and a model of a Linux-style router are included. [KBPs] title = Knowledge-based programs author = Peter Gammie topic = Computer Science/Automata and Formal Languages date = 2011-05-17 abstract = Knowledge-based programs (KBPs) are a formalism for directly relating agents' knowledge and behaviour. Here we present a general scheme for compiling KBPs to executable automata with a proof of correctness in Isabelle/HOL. We develop the algorithm top-down, using Isabelle's locale mechanism to structure these proofs, and show that two classic examples can be synthesised using Isabelle's code generator. extra-history = Change history: [2012-03-06]: Add some more views and revive the code generation. notify = kleing@cse.unsw.edu.au [Tarskis_Geometry] title = The independence of Tarski's Euclidean axiom author = T. J. M. Makarios topic = Mathematics/Geometry date = 2012-10-30 abstract = Tarski's axioms of plane geometry are formalized and, using the standard real Cartesian model, shown to be consistent. A substantial theory of the projective plane is developed. Building on this theory, the Klein-Beltrami model of the hyperbolic plane is defined and shown to satisfy all of Tarski's axioms except his Euclidean axiom; thus Tarski's Euclidean axiom is shown to be independent of his other axioms of plane geometry.

An earlier version of this work was the subject of the author's MSc thesis, which contains natural-language explanations of some of the more interesting proofs. notify = tjm1983@gmail.com [General-Triangle] title = The General Triangle Is Unique author = Joachim Breitner topic = Mathematics/Geometry date = 2011-04-01 abstract = Some acute-angled triangles are special, e.g. right-angled or isoscele triangles. Some are not of this kind, but, without measuring angles, look as if they were. In that sense, there is exactly one general triangle. This well-known fact is proven here formally. notify = mail@joachim-breitner.de [LightweightJava] title = Lightweight Java author = Rok Strniša , Matthew Parkinson topic = Computer Science/Programming Languages/Language Definitions date = 2011-02-07 abstract = A fully-formalized and extensible minimal imperative fragment of Java. notify = rok@strnisa.com [Lower_Semicontinuous] title = Lower Semicontinuous Functions author = Bogdan Grechuk topic = Mathematics/Analysis date = 2011-01-08 abstract = We define the notions of lower and upper semicontinuity for functions from a metric space to the extended real line. We prove that a function is both lower and upper semicontinuous if and only if it is continuous. We also give several equivalent characterizations of lower semicontinuity. In particular, we prove that a function is lower semicontinuous if and only if its epigraph is a closed set. Also, we introduce the notion of the lower semicontinuous hull of an arbitrary function and prove its basic properties. notify = hoelzl@in.tum.de [RIPEMD-160-SPARK] title = RIPEMD-160 author = Fabian Immler topic = Computer Science/Programming Languages/Static Analysis date = 2011-01-10 abstract = This work presents a verification of an implementation in SPARK/ADA of the cryptographic hash-function RIPEMD-160. A functional specification of RIPEMD-160 is given in Isabelle/HOL. Proofs for the verification conditions generated by the static-analysis toolset of SPARK certify the functional correctness of the implementation. extra-history = Change history: [2015-11-09]: Entry is now obsolete, moved to Isabelle distribution. notify = immler@in.tum.de [Regular-Sets] title = Regular Sets and Expressions author = Alexander Krauss , Tobias Nipkow contributors = Manuel Eberl topic = Computer Science/Automata and Formal Languages date = 2010-05-12 abstract = This is a library of constructions on regular expressions and languages. It provides the operations of concatenation, Kleene star and derivative on languages. Regular expressions and their meaning are defined. An executable equivalence checker for regular expressions is verified; it does not need automata but works directly on regular expressions. By mapping regular expressions to binary relations, an automatic and complete proof method for (in)equalities of binary relations over union, concatenation and (reflexive) transitive closure is obtained.

Extended regular expressions with complement and intersection are also defined and an equivalence checker is provided. extra-history = Change history: [2011-08-26]: Christian Urban added a theory about derivatives and partial derivatives of regular expressions
[2012-05-10]: Tobias Nipkow added extended regular expressions
[2012-05-10]: Tobias Nipkow added equivalence checking with partial derivatives notify = nipkow@in.tum.de, krauss@in.tum.de, christian.urban@kcl.ac.uk [Regex_Equivalence] title = Unified Decision Procedures for Regular Expression Equivalence author = Tobias Nipkow , Dmitriy Traytel topic = Computer Science/Automata and Formal Languages date = 2014-01-30 abstract = We formalize a unified framework for verified decision procedures for regular expression equivalence. Five recently published formalizations of such decision procedures (three based on derivatives, two on marked regular expressions) can be obtained as instances of the framework. We discover that the two approaches based on marked regular expressions, which were previously thought to be the same, are different, and one seems to produce uniformly smaller automata. The common framework makes it possible to compare the performance of the different decision procedures in a meaningful way. The formalization is described in a paper of the same name presented at Interactive Theorem Proving 2014. notify = nipkow@in.tum.de, traytel@in.tum.de [MSO_Regex_Equivalence] title = Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions author = Dmitriy Traytel , Tobias Nipkow topic = Computer Science/Automata and Formal Languages, Logic date = 2014-06-12 abstract = Monadic second-order logic on finite words (MSO) is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g. automata). We verify an executable decision procedure for MSO formulas that is not based on automata but on regular expressions.

Decision procedures for regular expression equivalence have been formalized before, usually based on Brzozowski derivatives. Yet, for a straightforward embedding of MSO formulas into regular expressions an extension of regular expressions with a projection operation is required. We prove total correctness and completeness of an equivalence checker for regular expressions extended in that way. We also define a language-preserving translation of formulas into regular expressions with respect to two different semantics of MSO.

The formalization is described in this ICFP 2013 functional pearl. notify = traytel@in.tum.de, nipkow@in.tum.de [Formula_Derivatives] title = Derivatives of Logical Formulas author = Dmitriy Traytel topic = Computer Science/Automata and Formal Languages, Logic date = 2015-05-28 abstract = We formalize new decision procedures for WS1S, M2L(Str), and Presburger Arithmetics. Formulas of these logics denote regular languages. Unlike traditional decision procedures, we do not translate formulas into automata (nor into regular expressions), at least not explicitly. Instead we devise notions of derivatives (inspired by Brzozowski derivatives for regular expressions) that operate on formulas directly and compute a syntactic bisimulation using these derivatives. The treatment of Boolean connectives and quantifiers is uniform for all mentioned logics and is abstracted into a locale. This locale is then instantiated by different atomic formulas and their derivatives (which may differ even for the same logic under different encodings of interpretations as formal words).

The WS1S instance is described in the draft paper A Coalgebraic Decision Procedure for WS1S by the author. notify = traytel@in.tum.de [Myhill-Nerode] title = The Myhill-Nerode Theorem Based on Regular Expressions author = Chunhan Wu <>, Xingyuan Zhang <>, Christian Urban contributors = Manuel Eberl topic = Computer Science/Automata and Formal Languages date = 2011-08-26 abstract = There are many proofs of the Myhill-Nerode theorem using automata. In this library we give a proof entirely based on regular expressions, since regularity of languages can be conveniently defined using regular expressions (it is more painful in HOL to define regularity in terms of automata). We prove the first direction of the Myhill-Nerode theorem by solving equational systems that involve regular expressions. For the second direction we give two proofs: one using tagging-functions and another using partial derivatives. We also establish various closure properties of regular languages. Most details of the theories are described in our ITP 2011 paper. notify = christian.urban@kcl.ac.uk [Universal_Turing_Machine] title = Universal Turing Machine author = Jian Xu<>, Xingyuan Zhang<>, Christian Urban , Sebastiaan J. C. Joosten topic = Logic, Computer Science/Automata and Formal Languages date = 2019-02-08 notify = sjcjoosten@gmail.com, christian.urban@kcl.ac.uk abstract = We formalise results from computability theory: recursive functions, undecidability of the halting problem, and the existence of a universal Turing machine. This formalisation is the AFP entry corresponding to the paper Mechanising Turing Machines and Computability Theory in Isabelle/HOL, ITP 2013. [CYK] title = A formalisation of the Cocke-Younger-Kasami algorithm author = Maksym Bortin date = 2016-04-27 topic = Computer Science/Algorithms, Computer Science/Automata and Formal Languages abstract = The theory provides a formalisation of the Cocke-Younger-Kasami algorithm (CYK for short), an approach to solving the word problem for context-free languages. CYK decides if a word is in the languages generated by a context-free grammar in Chomsky normal form. The formalized algorithm is executable. notify = maksym.bortin@nicta.com.au [Boolean_Expression_Checkers] title = Boolean Expression Checkers author = Tobias Nipkow date = 2014-06-08 topic = Computer Science/Algorithms, Logic abstract = This entry provides executable checkers for the following properties of boolean expressions: satisfiability, tautology and equivalence. Internally, the checkers operate on binary decision trees and are reasonably efficient (for purely functional algorithms). extra-history = Change history: [2015-09-23]: Salomon Sickert added an interface that does not require the usage of the Boolean formula datatype. Furthermore the general Mapping type is used instead of an association list. notify = nipkow@in.tum.de [Presburger-Automata] title = Formalizing the Logic-Automaton Connection author = Stefan Berghofer , Markus Reiter <> date = 2009-12-03 topic = Computer Science/Automata and Formal Languages, Logic abstract = This work presents a formalization of a library for automata on bit strings. It forms the basis of a reflection-based decision procedure for Presburger arithmetic, which is efficiently executable thanks to Isabelle's code generator. With this work, we therefore provide a mechanized proof of a well-known connection between logic and automata theory. The formalization is also described in a publication [TPHOLs 2009]. notify = berghofe@in.tum.de [Functional-Automata] title = Functional Automata author = Tobias Nipkow date = 2004-03-30 topic = Computer Science/Automata and Formal Languages abstract = This theory defines deterministic and nondeterministic automata in a functional representation: the transition function/relation and the finality predicate are just functions. Hence the state space may be infinite. It is shown how to convert regular expressions into such automata. A scanner (generator) is implemented with the help of functional automata: the scanner chops the input up into longest recognized substrings. Finally we also show how to convert a certain subclass of functional automata (essentially the finite deterministic ones) into regular sets. notify = nipkow@in.tum.de [Statecharts] title = Formalizing Statecharts using Hierarchical Automata author = Steffen Helke , Florian Kammüller topic = Computer Science/Automata and Formal Languages date = 2010-08-08 abstract = We formalize in Isabelle/HOL the abtract syntax and a synchronous step semantics for the specification language Statecharts. The formalization is based on Hierarchical Automata which allow a structural decomposition of Statecharts into Sequential Automata. To support the composition of Statecharts, we introduce calculating operators to construct a Hierarchical Automaton in a stepwise manner. Furthermore, we present a complete semantics of Statecharts including a theory of data spaces, which enables the modelling of racing effects. We also adapt CTL for Statecharts to build a bridge for future combinations with model checking. However the main motivation of this work is to provide a sound and complete basis for reasoning on Statecharts. As a central meta theorem we prove that the well-formedness of a Statechart is preserved by the semantics. notify = nipkow@in.tum.de [Stuttering_Equivalence] title = Stuttering Equivalence author = Stephan Merz topic = Computer Science/Automata and Formal Languages date = 2012-05-07 abstract =

Two omega-sequences are stuttering equivalent if they differ only by finite repetitions of elements. Stuttering equivalence is a fundamental concept in the theory of concurrent and distributed systems. Notably, Lamport argues that refinement notions for such systems should be insensitive to finite stuttering. Peled and Wilke showed that all PLTL (propositional linear-time temporal logic) properties that are insensitive to stuttering equivalence can be expressed without the next-time operator. Stuttering equivalence is also important for certain verification techniques such as partial-order reduction for model checking.

We formalize stuttering equivalence in Isabelle/HOL. Our development relies on the notion of stuttering sampling functions that may skip blocks of identical sequence elements. We also encode PLTL and prove the theorem due to Peled and Wilke.

extra-history = Change history: [2013-01-31]: Added encoding of PLTL and proved Peled and Wilke's theorem. Adjusted abstract accordingly. notify = Stephan.Merz@loria.fr [Coinductive_Languages] title = A Codatatype of Formal Languages author = Dmitriy Traytel topic = Computer Science/Automata and Formal Languages date = 2013-11-15 abstract =

We define formal languages as a codataype of infinite trees branching over the alphabet. Each node in such a tree indicates whether the path to this node constitutes a word inside or outside of the language. This codatatype is isormorphic to the set of lists representation of languages, but caters for definitions by corecursion and proofs by coinduction.

Regular operations on languages are then defined by primitive corecursion. A difficulty arises here, since the standard definitions of concatenation and iteration from the coalgebraic literature are not primitively corecursive-they require guardedness up-to union/concatenation. Without support for up-to corecursion, these operation must be defined as a composition of primitive ones (and proved being equal to the standard definitions). As an exercise in coinduction we also prove the axioms of Kleene algebra for the defined regular operations.

Furthermore, a language for context-free grammars given by productions in Greibach normal form and an initial nonterminal is constructed by primitive corecursion, yielding an executable decision procedure for the word problem without further ado.

notify = traytel@in.tum.de [Tree-Automata] title = Tree Automata author = Peter Lammich date = 2009-11-25 topic = Computer Science/Automata and Formal Languages abstract = This work presents a machine-checked tree automata library for Standard-ML, OCaml and Haskell. The algorithms are efficient by using appropriate data structures like RB-trees. The available algorithms for non-deterministic automata include membership query, reduction, intersection, union, and emptiness check with computation of a witness for non-emptiness. The executable algorithms are derived from less-concrete, non-executable algorithms using data-refinement techniques. The concrete data structures are from the Isabelle Collections Framework. Moreover, this work contains a formalization of the class of tree-regular languages and its closure properties under set operations. notify = peter.lammich@uni-muenster.de, nipkow@in.tum.de [Depth-First-Search] title = Depth First Search author = Toshiaki Nishihara <>, Yasuhiko Minamide <> date = 2004-06-24 topic = Computer Science/Algorithms abstract = Depth-first search of a graph is formalized with recdef. It is shown that it visits all of the reachable nodes from a given list of nodes. Executable ML code of depth-first search is obtained using the code generation feature of Isabelle/HOL. notify = lp15@cam.ac.uk, krauss@in.tum.de [FFT] title = Fast Fourier Transform author = Clemens Ballarin date = 2005-10-12 topic = Computer Science/Algorithms abstract = We formalise a functional implementation of the FFT algorithm over the complex numbers, and its inverse. Both are shown equivalent to the usual definitions of these operations through Vandermonde matrices. They are also shown to be inverse to each other, more precisely, that composition of the inverse and the transformation yield the identity up to a scalar. notify = ballarin@in.tum.de [Gauss-Jordan-Elim-Fun] title = Gauss-Jordan Elimination for Matrices Represented as Functions author = Tobias Nipkow date = 2011-08-19 topic = Computer Science/Algorithms, Mathematics/Algebra abstract = This theory provides a compact formulation of Gauss-Jordan elimination for matrices represented as functions. Its distinctive feature is succinctness. It is not meant for large computations. notify = nipkow@in.tum.de [UpDown_Scheme] title = Verification of the UpDown Scheme author = Johannes Hölzl date = 2015-01-28 topic = Computer Science/Algorithms abstract = The UpDown scheme is a recursive scheme used to compute the stiffness matrix on a special form of sparse grids. Usually, when discretizing a Euclidean space of dimension d we need O(n^d) points, for n points along each dimension. Sparse grids are a hierarchical representation where the number of points is reduced to O(n * log(n)^d). One disadvantage of such sparse grids is that the algorithm now operate recursively in the dimensions and levels of the sparse grid.

The UpDown scheme allows us to compute the stiffness matrix on such a sparse grid. The stiffness matrix represents the influence of each representation function on the L^2 scalar product. For a detailed description see Dirk Pflüger's PhD thesis. This formalization was developed as an interdisciplinary project (IDP) at the Technische Universität München. notify = hoelzl@in.tum.de [GraphMarkingIBP] title = Verification of the Deutsch-Schorr-Waite Graph Marking Algorithm using Data Refinement author = Viorel Preoteasa , Ralph-Johan Back date = 2010-05-28 topic = Computer Science/Algorithms abstract = The verification of the Deutsch-Schorr-Waite graph marking algorithm is used as a benchmark in many formalizations of pointer programs. The main purpose of this mechanization is to show how data refinement of invariant based programs can be used in verifying practical algorithms. The verification starts with an abstract algorithm working on a graph given by a relation next on nodes. Gradually the abstract program is refined into Deutsch-Schorr-Waite graph marking algorithm where only one bit per graph node of additional memory is used for marking. extra-history = Change history: [2012-01-05]: Updated for the new definition of data refinement and the new syntax for demonic and angelic update statements notify = viorel.preoteasa@aalto.fi [Efficient-Mergesort] title = Efficient Mergesort topic = Computer Science/Algorithms date = 2011-11-09 author = Christian Sternagel abstract = We provide a formalization of the mergesort algorithm as used in GHC's Data.List module, proving correctness and stability. Furthermore, experimental data suggests that generated (Haskell-)code for this algorithm is much faster than for previous algorithms available in the Isabelle distribution. extra-history = Change history: [2012-10-24]: Added reference to journal article.
[2018-09-17]: Added theory Efficient_Mergesort that works exclusively with the mutual induction schemas generated by the function package.
[2018-09-19]: Added theory Mergesort_Complexity that proves an upper bound on the number of comparisons that are required by mergesort.
[2018-09-19]: Theory Efficient_Mergesort replaces theory Efficient_Sort but keeping the old name Efficient_Sort. notify = c.sternagel@gmail.com [SATSolverVerification] title = Formal Verification of Modern SAT Solvers author = Filip Maric date = 2008-07-23 topic = Computer Science/Algorithms abstract = This document contains formal correctness proofs of modern SAT solvers. Following (Krstic et al, 2007) and (Nieuwenhuis et al., 2006), solvers are described using state-transition systems. Several different SAT solver descriptions are given and their partial correctness and termination is proved. These include:

  • a solver based on classical DPLL procedure (using only a backtrack-search with unit propagation),
  • a very general solver with backjumping and learning (similar to the description given in (Nieuwenhuis et al., 2006)), and
  • a solver with a specific conflict analysis algorithm (similar to the description given in (Krstic et al., 2007)).
Within the SAT solver correctness proofs, a large number of lemmas about propositional logic and CNF formulae are proved. This theory is self-contained and could be used for further exploring of properties of CNF based SAT algorithms. notify = [Transitive-Closure] title = Executable Transitive Closures of Finite Relations topic = Computer Science/Algorithms date = 2011-03-14 author = Christian Sternagel , René Thiemann license = LGPL abstract = We provide a generic work-list algorithm to compute the transitive closure of finite relations where only successors of newly detected states are generated. This algorithm is then instantiated for lists over arbitrary carriers and red black trees (which are faster but require a linear order on the carrier), respectively. Our formalization was performed as part of the IsaFoR/CeTA project where reflexive transitive closures of large tree automata have to be computed. extra-history = Change history: [2014-09-04] added example simprocs in Finite_Transitive_Closure_Simprocs notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at [Transitive-Closure-II] title = Executable Transitive Closures topic = Computer Science/Algorithms date = 2012-02-29 author = René Thiemann license = LGPL abstract =

We provide a generic work-list algorithm to compute the (reflexive-)transitive closure of relations where only successors of newly detected states are generated. In contrast to our previous work, the relations do not have to be finite, but each element must only have finitely many (indirect) successors. Moreover, a subsumption relation can be used instead of pure equality. An executable variant of the algorithm is available where the generic operations are instantiated with list operations.

This formalization was performed as part of the IsaFoR/CeTA project, and it has been used to certify size-change termination proofs where large transitive closures have to be computed.

notify = rene.thiemann@uibk.ac.at [MuchAdoAboutTwo] title = Much Ado About Two author = Sascha Böhme date = 2007-11-06 topic = Computer Science/Algorithms abstract = This article is an Isabelle formalisation of a paper with the same title. In a similar way as Knuth's 0-1-principle for sorting algorithms, that paper develops a 0-1-2-principle for parallel prefix computations. notify = boehmes@in.tum.de [DiskPaxos] title = Proving the Correctness of Disk Paxos date = 2005-06-22 author = Mauro Jaskelioff , Stephan Merz topic = Computer Science/Algorithms/Distributed abstract = Disk Paxos is an algorithm for building arbitrary fault-tolerant distributed systems. The specification of Disk Paxos has been proved correct informally and tested using the TLC model checker, but up to now, it has never been fully formally verified. In this work we have formally verified its correctness using the Isabelle theorem prover and the HOL logic system, showing that Isabelle is a practical tool for verifying properties of TLA+ specifications. notify = kleing@cse.unsw.edu.au [GenClock] title = Formalization of a Generalized Protocol for Clock Synchronization author = Alwen Tiu date = 2005-06-24 topic = Computer Science/Algorithms/Distributed abstract = We formalize the generalized Byzantine fault-tolerant clock synchronization protocol of Schneider. This protocol abstracts from particular algorithms or implementations for clock synchronization. This abstraction includes several assumptions on the behaviors of physical clocks and on general properties of concrete algorithms/implementations. Based on these assumptions the correctness of the protocol is proved by Schneider. His proof was later verified by Shankar using the theorem prover EHDM (precursor to PVS). Our formalization in Isabelle/HOL is based on Shankar's formalization. notify = kleing@cse.unsw.edu.au [ClockSynchInst] title = Instances of Schneider's generalized protocol of clock synchronization author = Damián Barsotti date = 2006-03-15 topic = Computer Science/Algorithms/Distributed abstract = F. B. Schneider ("Understanding protocols for Byzantine clock synchronization") generalizes a number of protocols for Byzantine fault-tolerant clock synchronization and presents a uniform proof for their correctness. In Schneider's schema, each processor maintains a local clock by periodically adjusting each value to one computed by a convergence function applied to the readings of all the clocks. Then, correctness of an algorithm, i.e. that the readings of two clocks at any time are within a fixed bound of each other, is based upon some conditions on the convergence function. To prove that a particular clock synchronization algorithm is correct it suffices to show that the convergence function used by the algorithm meets Schneider's conditions. Using the theorem prover Isabelle, we formalize the proofs that the convergence functions of two algorithms, namely, the Interactive Convergence Algorithm (ICA) of Lamport and Melliar-Smith and the Fault-tolerant Midpoint algorithm of Lundelius-Lynch, meet Schneider's conditions. Furthermore, we experiment on handling some parts of the proofs with fully automatic tools like ICS and CVC-lite. These theories are part of a joint work with Alwen Tiu and Leonor P. Nieto "Verification of Clock Synchronization Algorithms: Experiments on a combination of deductive tools" in proceedings of AVOCS 2005. In this work the correctness of Schneider schema was also verified using Isabelle (entry GenClock in AFP). notify = kleing@cse.unsw.edu.au [Heard_Of] title = Verifying Fault-Tolerant Distributed Algorithms in the Heard-Of Model date = 2012-07-27 author = Henri Debrat , Stephan Merz topic = Computer Science/Algorithms/Distributed abstract = Distributed computing is inherently based on replication, promising increased tolerance to failures of individual computing nodes or communication channels. Realizing this promise, however, involves quite subtle algorithmic mechanisms, and requires precise statements about the kinds and numbers of faults that an algorithm tolerates (such as process crashes, communication faults or corrupted values). The landmark theorem due to Fischer, Lynch, and Paterson shows that it is impossible to achieve Consensus among N asynchronously communicating nodes in the presence of even a single permanent failure. Existing solutions must rely on assumptions of "partial synchrony".

Indeed, there have been numerous misunderstandings on what exactly a given algorithm is supposed to realize in what kinds of environments. Moreover, the abundance of subtly different computational models complicates comparisons between different algorithms. Charron-Bost and Schiper introduced the Heard-Of model for representing algorithms and failure assumptions in a uniform framework, simplifying comparisons between algorithms.

In this contribution, we represent the Heard-Of model in Isabelle/HOL. We define two semantics of runs of algorithms with different unit of atomicity and relate these through a reduction theorem that allows us to verify algorithms in the coarse-grained semantics (where proofs are easier) and infer their correctness for the fine-grained one (which corresponds to actual executions). We instantiate the framework by verifying six Consensus algorithms that differ in the underlying algorithmic mechanisms and the kinds of faults they tolerate. notify = Stephan.Merz@loria.fr [Consensus_Refined] title = Consensus Refined date = 2015-03-18 author = Ognjen Maric <>, Christoph Sprenger topic = Computer Science/Algorithms/Distributed abstract = Algorithms for solving the consensus problem are fundamental to distributed computing. Despite their brevity, their ability to operate in concurrent, asynchronous and failure-prone environments comes at the cost of complex and subtle behaviors. Accordingly, understanding how they work and proving their correctness is a non-trivial endeavor where abstraction is immensely helpful. Moreover, research on consensus has yielded a large number of algorithms, many of which appear to share common algorithmic ideas. A natural question is whether and how these similarities can be distilled and described in a precise, unified way. In this work, we combine stepwise refinement and lockstep models to provide an abstract and unified view of a sizeable family of consensus algorithms. Our models provide insights into the design choices underlying the different algorithms, and classify them based on those choices. notify = sprenger@inf.ethz.ch [Key_Agreement_Strong_Adversaries] title = Refining Authenticated Key Agreement with Strong Adversaries author = Joseph Lallemand , Christoph Sprenger topic = Computer Science/Security license = LGPL date = 2017-01-31 notify = joseph.lallemand@loria.fr, sprenger@inf.ethz.ch abstract = We develop a family of key agreement protocols that are correct by construction. Our work substantially extends prior work on developing security protocols by refinement. First, we strengthen the adversary by allowing him to compromise different resources of protocol participants, such as their long-term keys or their session keys. This enables the systematic development of protocols that ensure strong properties such as perfect forward secrecy. Second, we broaden the class of protocols supported to include those with non-atomic keys and equationally defined cryptographic operators. We use these extensions to develop key agreement protocols including signed Diffie-Hellman and the core of IKEv1 and SKEME. [Security_Protocol_Refinement] title = Developing Security Protocols by Refinement author = Christoph Sprenger , Ivano Somaini<> topic = Computer Science/Security license = LGPL date = 2017-05-24 notify = sprenger@inf.ethz.ch abstract = We propose a development method for security protocols based on stepwise refinement. Our refinement strategy transforms abstract security goals into protocols that are secure when operating over an insecure channel controlled by a Dolev-Yao-style intruder. As intermediate levels of abstraction, we employ messageless guard protocols and channel protocols communicating over channels with security properties. These abstractions provide insights on why protocols are secure and foster the development of families of protocols sharing common structure and properties. We have implemented our method in Isabelle/HOL and used it to develop different entity authentication and key establishment protocols, including realistic features such as key confirmation, replay caches, and encrypted tickets. Our development highlights that guard protocols and channel protocols provide fundamental abstractions for bridging the gap between security properties and standard protocol descriptions based on cryptographic messages. It also shows that our refinement approach scales to protocols of nontrivial size and complexity. [Abortable_Linearizable_Modules] title = Abortable Linearizable Modules author = Rachid Guerraoui , Viktor Kuncak , Giuliano Losa date = 2012-03-01 topic = Computer Science/Algorithms/Distributed abstract = We define the Abortable Linearizable Module automaton (ALM for short) and prove its key composition property using the IOA theory of HOLCF. The ALM is at the heart of the Speculative Linearizability framework. This framework simplifies devising correct speculative algorithms by enabling their decomposition into independent modules that can be analyzed and proved correct in isolation. It is particularly useful when working in a distributed environment, where the need to tolerate faults and asynchrony has made current monolithic protocols so intricate that it is no longer tractable to check their correctness. Our theory contains a typical example of a refinement proof in the I/O-automata framework of Lynch and Tuttle. notify = giuliano@losa.fr, nipkow@in.tum.de [Amortized_Complexity] title = Amortized Complexity Verified author = Tobias Nipkow date = 2014-07-07 topic = Computer Science/Data Structures abstract = A framework for the analysis of the amortized complexity of functional data structures is formalized in Isabelle/HOL and applied to a number of standard examples and to the folowing non-trivial ones: skew heaps, splay trees, splay heaps and pairing heaps.

A preliminary version of this work (without pairing heaps) is described in a paper published in the proceedings of the conference on Interactive Theorem Proving ITP 2015. An extended version of this publication is available here. extra-history = Change history: [2015-03-17]: Added pairing heaps by Hauke Brinkop.
[2016-07-12]: Moved splay heaps from here to Splay_Tree
[2016-07-14]: Moved pairing heaps from here to the new Pairing_Heap notify = nipkow@in.tum.de [Dynamic_Tables] title = Parameterized Dynamic Tables author = Tobias Nipkow date = 2015-06-07 topic = Computer Science/Data Structures abstract = This article formalizes the amortized analysis of dynamic tables parameterized with their minimal and maximal load factors and the expansion and contraction factors.

A full description is found in a companion paper. notify = nipkow@in.tum.de [AVL-Trees] title = AVL Trees author = Tobias Nipkow , Cornelia Pusch <> date = 2004-03-19 topic = Computer Science/Data Structures abstract = Two formalizations of AVL trees with room for extensions. The first formalization is monolithic and shorter, the second one in two stages, longer and a bit simpler. The final implementation is the same. If you are interested in developing this further, please contact gerwin.klein@nicta.com.au. extra-history = Change history: [2011-04-11]: Ondrej Kuncar added delete function notify = kleing@cse.unsw.edu.au [BDD] title = BDD Normalisation author = Veronika Ortner <>, Norbert Schirmer <> date = 2008-02-29 topic = Computer Science/Data Structures abstract = We present the verification of the normalisation of a binary decision diagram (BDD). The normalisation follows the original algorithm presented by Bryant in 1986 and transforms an ordered BDD in a reduced, ordered and shared BDD. The verification is based on Hoare logics. notify = kleing@cse.unsw.edu.au, norbert.schirmer@web.de [BinarySearchTree] title = Binary Search Trees author = Viktor Kuncak date = 2004-04-05 topic = Computer Science/Data Structures abstract = The correctness is shown of binary search tree operations (lookup, insert and remove) implementing a set. Two versions are given, for both structured and linear (tactic-style) proofs. An implementation of integer-indexed maps is also verified. notify = lp15@cam.ac.uk [Splay_Tree] title = Splay Tree author = Tobias Nipkow notify = nipkow@in.tum.de date = 2014-08-12 topic = Computer Science/Data Structures abstract = Splay trees are self-adjusting binary search trees which were invented by Sleator and Tarjan [JACM 1985]. This entry provides executable and verified functional splay trees as well as the related splay heaps (due to Okasaki).

The amortized complexity of splay trees and heaps is analyzed in the AFP entry Amortized Complexity. extra-history = Change history: [2016-07-12]: Moved splay heaps here from Amortized_Complexity [Root_Balanced_Tree] title = Root-Balanced Tree author = Tobias Nipkow notify = nipkow@in.tum.de date = 2017-08-20 topic = Computer Science/Data Structures abstract =

Andersson introduced general balanced trees, search trees based on the design principle of partial rebuilding: perform update operations naively until the tree becomes too unbalanced, at which point a whole subtree is rebalanced. This article defines and analyzes a functional version of general balanced trees, which we call root-balanced trees. Using a lightweight model of execution time, amortized logarithmic complexity is verified in the theorem prover Isabelle.

This is the Isabelle formalization of the material decribed in the APLAS 2017 article Verified Root-Balanced Trees by the same author, which also presents experimental results that show competitiveness of root-balanced with AVL and red-black trees.

[Skew_Heap] title = Skew Heap author = Tobias Nipkow date = 2014-08-13 topic = Computer Science/Data Structures abstract = Skew heaps are an amazingly simple and lightweight implementation of priority queues. They were invented by Sleator and Tarjan [SIAM 1986] and have logarithmic amortized complexity. This entry provides executable and verified functional skew heaps.

The amortized complexity of skew heaps is analyzed in the AFP entry Amortized Complexity. notify = nipkow@in.tum.de [Pairing_Heap] title = Pairing Heap author = Hauke Brinkop , Tobias Nipkow date = 2016-07-14 topic = Computer Science/Data Structures abstract = This library defines three different versions of pairing heaps: a functional version of the original design based on binary trees [Fredman et al. 1986], the version by Okasaki [1998] and a modified version of the latter that is free of structural invariants.

The amortized complexity of pairing heaps is analyzed in the AFP article Amortized Complexity. extra-0 = Origin: This library was extracted from Amortized Complexity and extended. notify = nipkow@in.tum.de [Priority_Queue_Braun] title = Priority Queues Based on Braun Trees author = Tobias Nipkow date = 2014-09-04 topic = Computer Science/Data Structures abstract = This theory implements priority queues via Braun trees. Insertion and deletion take logarithmic time and preserve the balanced nature of Braun trees. notify = nipkow@in.tum.de [Binomial-Queues] title = Functional Binomial Queues author = René Neumann date = 2010-10-28 topic = Computer Science/Data Structures abstract = Priority queues are an important data structure and efficient implementations of them are crucial. We implement a functional variant of binomial queues in Isabelle/HOL and show its functional correctness. A verification against an abstract reference specification of priority queues has also been attempted, but could not be achieved to the full extent. notify = florian.haftmann@informatik.tu-muenchen.de, rene.neumann@informatik.tu-muenchen.de [Binomial-Heaps] title = Binomial Heaps and Skew Binomial Heaps author = Rene Meis , Finn Nielsen , Peter Lammich date = 2010-10-28 topic = Computer Science/Data Structures abstract = We implement and prove correct binomial heaps and skew binomial heaps. Both are data-structures for priority queues. While binomial heaps have logarithmic findMin, deleteMin, insert, and meld operations, skew binomial heaps have constant time findMin, insert, and meld operations, and only the deleteMin-operation is logarithmic. This is achieved by using skew links to avoid cascading linking on insert-operations, and data-structural bootstrapping to get constant-time findMin and meld operations. Our implementation follows the paper by Brodal and Okasaki. notify = peter.lammich@uni-muenster.de [Finger-Trees] title = Finger Trees author = Benedikt Nordhoff , Stefan Körner , Peter Lammich date = 2010-10-28 topic = Computer Science/Data Structures abstract = We implement and prove correct 2-3 finger trees. Finger trees are a general purpose data structure, that can be used to efficiently implement other data structures, such as priority queues. Intuitively, a finger tree is an annotated sequence, where the annotations are elements of a monoid. Apart from operations to access the ends of the sequence, the main operation is to split the sequence at the point where a monotone predicate over the sum of the left part of the sequence becomes true for the first time. The implementation follows the paper of Hinze and Paterson. The code generator can be used to get efficient, verified code. notify = peter.lammich@uni-muenster.de [Trie] title = Trie author = Andreas Lochbihler , Tobias Nipkow date = 2015-03-30 topic = Computer Science/Data Structures abstract = This article formalizes the ``trie'' data structure invented by Fredkin [CACM 1960]. It also provides a specialization where the entries in the trie are lists. extra-0 = Origin: This article was extracted from existing articles by the authors. notify = nipkow@in.tum.de [FinFun] title = Code Generation for Functions as Data author = Andreas Lochbihler date = 2009-05-06 topic = Computer Science/Data Structures abstract = FinFuns are total functions that are constant except for a finite set of points, i.e. a generalisation of finite maps. They are formalised as a new type in Isabelle/HOL such that the code generator can handle equality tests and quantification on FinFuns. On the code output level, FinFuns are explicitly represented by constant functions and pointwise updates, similarly to associative lists. Inside the logic, they behave like ordinary functions with extensionality. Via the update/constant pattern, a recursion combinator and an induction rule for FinFuns allow for defining and reasoning about operators on FinFun that are also executable. extra-history = Change history: [2010-08-13]: new concept domain of a FinFun as a FinFun (revision 34b3517cbc09)
[2010-11-04]: new conversion function from FinFun to list of elements in the domain (revision 0c167102e6ed)
[2012-03-07]: replace sets as FinFuns by predicates as FinFuns because the set type constructor has been reintroduced (revision b7aa87989f3a) notify = nipkow@in.tum.de [Collections] title = Collections Framework author = Peter Lammich contributors = Andreas Lochbihler , Thomas Tuerk <> date = 2009-11-25 topic = Computer Science/Data Structures abstract = This development provides an efficient, extensible, machine checked collections framework. The library adopts the concepts of interface, implementation and generic algorithm from object-oriented programming and implements them in Isabelle/HOL. The framework features the use of data refinement techniques to refine an abstract specification (using high-level concepts like sets) to a more concrete implementation (using collection datastructures, like red-black-trees). The code-generator of Isabelle/HOL can be used to generate efficient code. extra-history = Change history: [2010-10-08]: New Interfaces: OrderedSet, OrderedMap, List. Fifo now implements list-interface: Function names changed: put/get --> enqueue/dequeue. New Implementations: ArrayList, ArrayHashMap, ArrayHashSet, TrieMap, TrieSet. Invariant-free datastructures: Invariant implicitely hidden in typedef. Record-interfaces: All operations of an interface encapsulated as record. Examples moved to examples subdirectory.
[2010-12-01]: New Interfaces: Priority Queues, Annotated Lists. Implemented by finger trees, (skew) binomial queues.
[2011-10-10]: SetSpec: Added operations: sng, isSng, bexists, size_abort, diff, filter, iterate_rule_insertP MapSpec: Added operations: sng, isSng, iterate_rule_insertP, bexists, size, size_abort, restrict, map_image_filter, map_value_image_filter Some maintenance changes
[2012-04-25]: New iterator foundation by Tuerk. Various maintenance changes.
[2012-08]: Collections V2. New features: Polymorphic iterators. Generic algorithm instantiation where required. Naming scheme changed from xx_opname to xx.opname. A compatibility file CollectionsV1 tries to simplify porting of existing theories, by providing old naming scheme and the old monomorphic iterator locales.
[2013-09]: Added Generic Collection Framework based on Autoref. The GenCF provides: Arbitrary nesting, full integration with Autoref.
[2014-06]: Maintenace changes to GenCF: Optimized inj_image on list_set. op_set_cart (Cartesian product). big-Union operation. atLeastLessThan - operation ({a..<b})
notify = lammich@in.tum.de [Containers] title = Light-weight Containers author = Andreas Lochbihler contributors = René Thiemann date = 2013-04-15 topic = Computer Science/Data Structures abstract = This development provides a framework for container types like sets and maps such that generated code implements these containers with different (efficient) data structures. Thanks to type classes and refinement during code generation, this light-weight approach can seamlessly replace Isabelle's default setup for code generation. Heuristics automatically pick one of the available data structures depending on the type of elements to be stored, but users can also choose on their own. The extensible design permits to add more implementations at any time.

To support arbitrary nesting of sets, we define a linear order on sets based on a linear order of the elements and provide efficient implementations. It even allows to compare complements with non-complements. extra-history = Change history: [2013-07-11]: add pretty printing for sets (revision 7f3f52c5f5fa)
[2013-09-20]: provide generators for canonical type class instantiations (revision 159f4401f4a8 by René Thiemann)
[2014-07-08]: add support for going from partial functions to mappings (revision 7a6fc957e8ed)
[2018-03-05]: add two application examples: depth-first search and 2SAT (revision e5e1a1da2411) notify = mail@andreas-lochbihler.de [FileRefinement] title = File Refinement author = Karen Zee , Viktor Kuncak date = 2004-12-09 topic = Computer Science/Data Structures abstract = These theories illustrates the verification of basic file operations (file creation, file read and file write) in the Isabelle theorem prover. We describe a file at two levels of abstraction: an abstract file represented as a resizable array, and a concrete file represented using data blocks. notify = kkz@mit.edu [Datatype_Order_Generator] title = Generating linear orders for datatypes author = René Thiemann date = 2012-08-07 topic = Computer Science/Data Structures abstract = We provide a framework for registering automatic methods to derive class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, ...'' feature.

We further implemented such automatic methods to derive (linear) orders or hash-functions which are required in the Isabelle Collection Framework. Moreover, for the tactic of Huffman and Krauss to show that a datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework.

Our formalization was performed as part of the IsaFoR/CeTA project. With our new tactic we could completely remove tedious proofs for linear orders of two datatypes.

This development is aimed at datatypes generated by the "old_datatype" command. notify = rene.thiemann@uibk.ac.at [Deriving] title = Deriving class instances for datatypes author = Christian Sternagel , René Thiemann date = 2015-03-11 topic = Computer Science/Data Structures abstract =

We provide a framework for registering automatic methods to derive class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, ...'' feature.

We further implemented such automatic methods to derive comparators, linear orders, parametrizable equality functions, and hash-functions which are required in the Isabelle Collection Framework and the Container Framework. Moreover, for the tactic of Blanchette to show that a datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework. All of the generators are based on the infrastructure that is provided by the BNF-based datatype package.

Our formalization was performed as part of the IsaFoR/CeTA project. With our new tactics we could remove several tedious proofs for (conditional) linear orders, and conditional equality operators within IsaFoR and the Container Framework.

notify = rene.thiemann@uibk.ac.at [List-Index] title = List Index date = 2010-02-20 author = Tobias Nipkow topic = Computer Science/Data Structures abstract = This theory provides functions for finding the index of an element in a list, by predicate and by value. notify = nipkow@in.tum.de [List-Infinite] title = Infinite Lists date = 2011-02-23 author = David Trachtenherz <> topic = Computer Science/Data Structures abstract = We introduce a theory of infinite lists in HOL formalized as functions over naturals (folder ListInf, theories ListInf and ListInf_Prefix). It also provides additional results for finite lists (theory ListInf/List2), natural numbers (folder CommonArith, esp. division/modulo, naturals with infinity), sets (folder CommonSet, esp. cutting/truncating sets, traversing sets of naturals). notify = nipkow@in.tum.de [Matrix] title = Executable Matrix Operations on Matrices of Arbitrary Dimensions topic = Computer Science/Data Structures date = 2010-06-17 author = Christian Sternagel , René Thiemann license = LGPL abstract = We provide the operations of matrix addition, multiplication, transposition, and matrix comparisons as executable functions over ordered semirings. Moreover, it is proven that strongly normalizing (monotone) orders can be lifted to strongly normalizing (monotone) orders over matrices. We further show that the standard semirings over the naturals, integers, and rationals, as well as the arctic semirings satisfy the axioms that are required by our matrix theory. Our formalization is part of the CeTA system which contains several termination techniques. The provided theories have been essential to formalize matrix-interpretations and arctic interpretations. extra-history = Change history: [2010-09-17]: Moved theory on arbitrary (ordered) semirings to Abstract Rewriting. notify = rene.thiemann@uibk.ac.at, christian.sternagel@uibk.ac.at [Matrix_Tensor] title = Tensor Product of Matrices topic = Computer Science/Data Structures, Mathematics/Algebra date = 2016-01-18 author = T.V.H. Prathamesh abstract = In this work, the Kronecker tensor product of matrices and the proofs of some of its properties are formalized. Properties which have been formalized include associativity of the tensor product and the mixed-product property. notify = prathamesh@imsc.res.in [Huffman] title = The Textbook Proof of Huffman's Algorithm author = Jasmin Christian Blanchette date = 2008-10-15 topic = Computer Science/Data Structures abstract = Huffman's algorithm is a procedure for constructing a binary tree with minimum weighted path length. This report presents a formal proof of the correctness of Huffman's algorithm written using Isabelle/HOL. Our proof closely follows the sketches found in standard algorithms textbooks, uncovering a few snags in the process. Another distinguishing feature of our formalization is the use of custom induction rules to help Isabelle's automatic tactics, leading to very short proofs for most of the lemmas. notify = jasmin.blanchette@gmail.com [Partial_Function_MR] title = Mutually Recursive Partial Functions author = René Thiemann topic = Computer Science/Functional Programming date = 2014-02-18 license = LGPL abstract = We provide a wrapper around the partial-function command that supports mutual recursion. notify = rene.thiemann@uibk.ac.at [Lifting_Definition_Option] title = Lifting Definition Option author = René Thiemann topic = Computer Science/Functional Programming date = 2014-10-13 license = LGPL abstract = We implemented a command that can be used to easily generate elements of a restricted type {x :: 'a. P x}, provided the definition is of the form f ys = (if check ys then Some(generate ys :: 'a) else None) where ys is a list of variables y1 ... yn and check ys ==> P(generate ys) can be proved.

In principle, such a definition is also directly possible using the lift_definition command. However, then this definition will not be suitable for code-generation. To this end, we automated a more complex construction of Joachim Breitner which is amenable for code-generation, and where the test check ys will only be performed once. In the automation, one auxiliary type is created, and Isabelle's lifting- and transfer-package is invoked several times. notify = rene.thiemann@uibk.ac.at [Coinductive] title = Coinductive topic = Computer Science/Functional Programming author = Andreas Lochbihler contributors = Johannes Hölzl date = 2010-02-12 abstract = This article collects formalisations of general-purpose coinductive data types and sets. Currently, it contains coinductive natural numbers, coinductive lists, i.e. lazy lists or streams, infinite streams, coinductive terminated lists, coinductive resumptions, a library of operations on coinductive lists, and a version of König's lemma as an application for coinductive lists.
The initial theory was contributed by Paulson and Wenzel. Extensions and other coinductive formalisations of general interest are welcome. extra-history = Change history: [2010-06-10]: coinductive lists: setup for quotient package (revision 015574f3bf3c)
[2010-06-28]: new codatatype terminated lazy lists (revision e12de475c558)
[2010-08-04]: terminated lazy lists: setup for quotient package; more lemmas (revision 6ead626f1d01)
[2010-08-17]: Koenig's lemma as an example application for coinductive lists (revision f81ce373fa96)
[2011-02-01]: lazy implementation of coinductive (terminated) lists for the code generator (revision 6034973dce83)
[2011-07-20]: new codatatype resumption (revision 811364c776c7)
[2012-06-27]: new codatatype stream with operations (with contributions by Peter Gammie) (revision dd789a56473c)
[2013-03-13]: construct codatatypes with the BNF package and adjust the definitions and proofs, setup for lifting and transfer packages (revision f593eda5b2c0)
[2013-09-20]: stream theory uses type and operations from HOL/BNF/Examples/Stream (revision 692809b2b262)
[2014-04-03]: ccpo structure on codatatypes used to define ldrop, ldropWhile, lfilter, lconcat as least fixpoint; ccpo topology on coinductive lists contributed by Johannes Hölzl; added examples (revision 23cd8156bd42)
notify = mail@andreas-lochbihler.de [Stream-Fusion] title = Stream Fusion author = Brian Huffman topic = Computer Science/Functional Programming date = 2009-04-29 abstract = Stream Fusion is a system for removing intermediate list structures from Haskell programs; it consists of a Haskell library along with several compiler rewrite rules. (The library is available online.)

These theories contain a formalization of much of the Stream Fusion library in HOLCF. Lazy list and stream types are defined, along with coercions between the two types, as well as an equivalence relation for streams that generate the same list. List and stream versions of map, filter, foldr, enumFromTo, append, zipWith, and concatMap are defined, and the stream versions are shown to respect stream equivalence. notify = brianh@cs.pdx.edu [Tycon] title = Type Constructor Classes and Monad Transformers author = Brian Huffman date = 2012-06-26 topic = Computer Science/Functional Programming abstract = These theories contain a formalization of first class type constructors and axiomatic constructor classes for HOLCF. This work is described in detail in the ICFP 2012 paper Formal Verification of Monad Transformers by the author. The formalization is a revised and updated version of earlier joint work with Matthews and White.

Based on the hierarchy of type classes in Haskell, we define classes for functors, monads, monad-plus, etc. Each one includes all the standard laws as axioms. We also provide a new user command, tycondef, for defining new type constructors in HOLCF. Using tycondef, we instantiate the type class hierarchy with various monads and monad transformers. notify = huffman@in.tum.de [CoreC++] title = CoreC++ author = Daniel Wasserrab date = 2006-05-15 topic = Computer Science/Programming Languages/Language Definitions abstract = We present an operational semantics and type safety proof for multiple inheritance in C++. The semantics models the behavior of method calls, field accesses, and two forms of casts in C++ class hierarchies. For explanations see the OOPSLA 2006 paper by Wasserrab, Nipkow, Snelting and Tip. notify = nipkow@in.tum.de [FeatherweightJava] title = A Theory of Featherweight Java in Isabelle/HOL author = J. Nathan Foster , Dimitrios Vytiniotis date = 2006-03-31 topic = Computer Science/Programming Languages/Language Definitions abstract = We formalize the type system, small-step operational semantics, and type soundness proof for Featherweight Java, a simple object calculus, in Isabelle/HOL. notify = kleing@cse.unsw.edu.au [Jinja] title = Jinja is not Java author = Gerwin Klein , Tobias Nipkow date = 2005-06-01 topic = Computer Science/Programming Languages/Language Definitions abstract = We introduce Jinja, a Java-like programming language with a formal semantics designed to exhibit core features of the Java language architecture. Jinja is a compromise between realism of the language and tractability and clarity of the formal semantics. The following aspects are formalised: a big and a small step operational semantics for Jinja and a proof of their equivalence; a type system and a definite initialisation analysis; a type safety proof of the small step semantics; a virtual machine (JVM), its operational semantics and its type system; a type safety proof for the JVM; a bytecode verifier, i.e. data flow analyser for the JVM; a correctness proof of the bytecode verifier w.r.t. the type system; a compiler and a proof that it preserves semantics and well-typedness. The emphasis of this work is not on particular language features but on providing a unified model of the source language, the virtual machine and the compiler. The whole development has been carried out in the theorem prover Isabelle/HOL. notify = kleing@cse.unsw.edu.au, nipkow@in.tum.de [JinjaThreads] title = Jinja with Threads author = Andreas Lochbihler date = 2007-12-03 topic = Computer Science/Programming Languages/Language Definitions abstract = We extend the Jinja source code semantics by Klein and Nipkow with Java-style arrays and threads. Concurrency is captured in a generic framework semantics for adding concurrency through interleaving to a sequential semantics, which features dynamic thread creation, inter-thread communication via shared memory, lock synchronisation and joins. Also, threads can suspend themselves and be notified by others. We instantiate the framework with the adapted versions of both Jinja source and byte code and show type safety for the multithreaded case. Equally, the compiler from source to byte code is extended, for which we prove weak bisimilarity between the source code small step semantics and the defensive Jinja virtual machine. On top of this, we formalise the JMM and show the DRF guarantee and consistency. For description of the different parts, see Lochbihler's papers at FOOL 2008, ESOP 2010, ITP 2011, and ESOP 2012. extra-history = Change history: [2008-04-23]: added bytecode formalisation with arrays and threads, added thread joins (revision f74a8be156a7)
[2009-04-27]: added verified compiler from source code to bytecode; encapsulate native methods in separate semantics (revision e4f26541e58a)
[2009-11-30]: extended compiler correctness proof to infinite and deadlocking computations (revision e50282397435)
[2010-06-08]: added thread interruption; new abstract memory model with sequential consistency as implementation (revision 0cb9e8dbd78d)
[2010-06-28]: new thread interruption model (revision c0440d0a1177)
[2010-10-15]: preliminary version of the Java memory model for source code (revision 02fee0ef3ca2)
[2010-12-16]: improved version of the Java memory model, also for bytecode executable scheduler for source code semantics (revision 1f41c1842f5a)
[2011-02-02]: simplified code generator setup new random scheduler (revision 3059dafd013f)
[2011-07-21]: new interruption model, generalized JMM proof of DRF guarantee, allow class Object to declare methods and fields, simplified subtyping relation, corrected division and modulo implementation (revision 46e4181ed142)
[2012-02-16]: added example programs (revision bf0b06c8913d)
[2012-11-21]: type safety proof for the Java memory model, allow spurious wake-ups (revision 76063d860ae0)
[2013-05-16]: support for non-deterministic memory allocators (revision cc3344a49ced)
[2017-10-20]: add an atomic compare-and-swap operation for volatile fields (revision a6189b1d6b30)
notify = mail@andreas-lochbihler.de [Locally-Nameless-Sigma] title = Locally Nameless Sigma Calculus author = Ludovic Henrio , Florian Kammüller , Bianca Lutz , Henry Sudhof date = 2010-04-30 topic = Computer Science/Programming Languages/Language Definitions abstract = We present a Theory of Objects based on the original functional sigma-calculus by Abadi and Cardelli but with an additional parameter to methods. We prove confluence of the operational semantics following the outline of Nipkow's proof of confluence for the lambda-calculus reusing his theory Commutation, a generic diamond lemma reduction. We furthermore formalize a simple type system for our sigma-calculus including a proof of type safety. The entire development uses the concept of Locally Nameless representation for binders. We reuse an earlier proof of confluence for a simpler sigma-calculus based on de Bruijn indices and lists to represent objects. notify = nipkow@in.tum.de [AutoFocus-Stream] title = AutoFocus Stream Processing for Single-Clocking and Multi-Clocking Semantics author = David Trachtenherz <> date = 2011-02-23 topic = Computer Science/Programming Languages/Language Definitions abstract = We formalize the AutoFocus Semantics (a time-synchronous subset of the Focus formalism) as stream processing functions on finite and infinite message streams represented as finite/infinite lists. The formalization comprises both the conventional single-clocking semantics (uniform global clock for all components and communications channels) and its extension to multi-clocking semantics (internal execution clocking of a component may be a multiple of the external communication clocking). The semantics is defined by generic stream processing functions making it suitable for simulation/code generation in Isabelle/HOL. Furthermore, a number of AutoFocus semantics properties are formalized using definitions from the IntervalLogic theories. notify = nipkow@in.tum.de [FocusStreamsCaseStudies] title = Stream Processing Components: Isabelle/HOL Formalisation and Case Studies author = Maria Spichkova date = 2013-11-14 topic = Computer Science/Programming Languages/Language Definitions abstract = This set of theories presents an Isabelle/HOL formalisation of stream processing components introduced in Focus, a framework for formal specification and development of interactive systems. This is an extended and updated version of the formalisation, which was elaborated within the methodology "Focus on Isabelle". In addition, we also applied the formalisation on three case studies that cover different application areas: process control (Steam Boiler System), data transmission (FlexRay communication protocol), memory and processing components (Automotive-Gateway System). notify = lp15@cam.ac.uk, maria.spichkova@rmit.edu.au [Isabelle_Meta_Model] title = A Meta-Model for the Isabelle API author = Frédéric Tuong , Burkhart Wolff date = 2015-09-16 topic = Computer Science/Programming Languages/Language Definitions abstract = We represent a theory of (a fragment of) Isabelle/HOL in Isabelle/HOL. The purpose of this exercise is to write packages for domain-specific specifications such as class models, B-machines, ..., and generally speaking, any domain-specific languages whose abstract syntax can be defined by a HOL "datatype". On this basis, the Isabelle code-generator can then be used to generate code for global context transformations as well as tactic code.

Consequently the package is geared towards parsing, printing and code-generation to the Isabelle API. It is at the moment not sufficiently rich for doing meta theory on Isabelle itself. Extensions in this direction are possible though.

Moreover, the chosen fragment is fairly rudimentary. However it should be easily adapted to one's needs if a package is written on top of it. The supported API contains types, terms, transformation of global context like definitions and data-type declarations as well as infrastructure for Isar-setups.

This theory is drawn from the Featherweight OCL project where it is used to construct a package for object-oriented data-type theories generated from UML class diagrams. The Featherweight OCL, for example, allows for both the direct execution of compiled tactic code by the Isabelle API as well as the generation of ".thy"-files for debugging purposes.

Gained experience from this project shows that the compiled code is sufficiently efficient for practical purposes while being based on a formal model on which properties of the package can be proven such as termination of certain transformations, correctness, etc. notify = tuong@users.gforge.inria.fr, wolff@lri.fr [PCF] title = Logical Relations for PCF author = Peter Gammie date = 2012-07-01 topic = Computer Science/Programming Languages/Lambda Calculi abstract = We apply Andy Pitts's methods of defining relations over domains to several classical results in the literature. We show that the Y combinator coincides with the domain-theoretic fixpoint operator, that parallel-or and the Plotkin existential are not definable in PCF, that the continuation semantics for PCF coincides with the direct semantics, and that our domain-theoretic semantics for PCF is adequate for reasoning about contextual equivalence in an operational semantics. Our version of PCF is untyped and has both strict and non-strict function abstractions. The development is carried out in HOLCF. notify = peteg42@gmail.com [POPLmark-deBruijn] title = POPLmark Challenge Via de Bruijn Indices author = Stefan Berghofer date = 2007-08-02 topic = Computer Science/Programming Languages/Lambda Calculi abstract = We present a solution to the POPLmark challenge designed by Aydemir et al., which has as a goal the formalization of the meta-theory of System F<:. The formalization is carried out in the theorem prover Isabelle/HOL using an encoding based on de Bruijn indices. We start with a relatively simple formalization covering only the basic features of System F<:, and explain how it can be extended to also cover records and more advanced binding constructs. notify = berghofe@in.tum.de [Lam-ml-Normalization] title = Strong Normalization of Moggis's Computational Metalanguage author = Christian Doczkal date = 2010-08-29 topic = Computer Science/Programming Languages/Lambda Calculi abstract = Handling variable binding is one of the main difficulties in formal proofs. In this context, Moggi's computational metalanguage serves as an interesting case study. It features monadic types and a commuting conversion rule that rearranges the binding structure. Lindley and Stark have given an elegant proof of strong normalization for this calculus. The key construction in their proof is a notion of relational TT-lifting, using stacks of elimination contexts to obtain a Girard-Tait style logical relation. I give a formalization of their proof in Isabelle/HOL-Nominal with a particular emphasis on the treatment of bound variables. notify = doczkal@ps.uni-saarland.de, nipkow@in.tum.de [MiniML] title = Mini ML author = Wolfgang Naraschewski <>, Tobias Nipkow date = 2004-03-19 topic = Computer Science/Programming Languages/Type Systems abstract = This theory defines the type inference rules and the type inference algorithm W for MiniML (simply-typed lambda terms with let) due to Milner. It proves the soundness and completeness of W w.r.t. the rules. notify = kleing@cse.unsw.edu.au [Simpl] title = A Sequential Imperative Programming Language Syntax, Semantics, Hoare Logics and Verification Environment author = Norbert Schirmer <> date = 2008-02-29 topic = Computer Science/Programming Languages/Language Definitions, Computer Science/Programming Languages/Logics license = LGPL abstract = We present the theory of Simpl, a sequential imperative programming language. We introduce its syntax, its semantics (big and small-step operational semantics) and Hoare logics for both partial as well as total correctness. We prove soundness and completeness of the Hoare logic. We integrate and automate the Hoare logic in Isabelle/HOL to obtain a practically usable verification environment for imperative programs. Simpl is independent of a concrete programming language but expressive enough to cover all common language features: mutually recursive procedures, abrupt termination and exceptions, runtime faults, local and global variables, pointers and heap, expressions with side effects, pointers to procedures, partial application and closures, dynamic method invocation and also unbounded nondeterminism. notify = kleing@cse.unsw.edu.au, norbert.schirmer@web.de [Separation_Algebra] title = Separation Algebra author = Gerwin Klein , Rafal Kolanski , Andrew Boyton date = 2012-05-11 topic = Computer Science/Programming Languages/Logics license = BSD abstract = We present a generic type class implementation of separation algebra for Isabelle/HOL as well as lemmas and generic tactics which can be used directly for any instantiation of the type class.

The ex directory contains example instantiations that include structures such as a heap or virtual memory.

The abstract separation algebra is based upon "Abstract Separation Logic" by Calcagno et al. These theories are also the basis of the ITP 2012 rough diamond "Mechanised Separation Algebra" by the authors.

The aim of this work is to support and significantly reduce the effort for future separation logic developments in Isabelle/HOL by factoring out the part of separation logic that can be treated abstractly once and for all. This includes developing typical default rule sets for reasoning as well as automated tactic support for separation logic. notify = kleing@cse.unsw.edu.au, rafal.kolanski@nicta.com.au [Separation_Logic_Imperative_HOL] title = A Separation Logic Framework for Imperative HOL author = Peter Lammich , Rene Meis date = 2012-11-14 topic = Computer Science/Programming Languages/Logics license = BSD abstract = We provide a framework for separation-logic based correctness proofs of Imperative HOL programs. Our framework comes with a set of proof methods to automate canonical tasks such as verification condition generation and frame inference. Moreover, we provide a set of examples that show the applicability of our framework. The examples include algorithms on lists, hash-tables, and union-find trees. We also provide abstract interfaces for lists, maps, and sets, that allow to develop generic imperative algorithms and use data-refinement techniques.
As we target Imperative HOL, our programs can be translated to efficiently executable code in various target languages, including ML, OCaml, Haskell, and Scala. notify = lammich@in.tum.de [Inductive_Confidentiality] title = Inductive Study of Confidentiality author = Giampaolo Bella date = 2012-05-02 topic = Computer Science/Security abstract = This document contains the full theory files accompanying article Inductive Study of Confidentiality --- for Everyone in Formal Aspects of Computing. They aim at an illustrative and didactic presentation of the Inductive Method of protocol analysis, focusing on the treatment of one of the main goals of security protocols: confidentiality against a threat model. The treatment of confidentiality, which in fact forms a key aspect of all protocol analysis tools, has been found cryptic by many learners of the Inductive Method, hence the motivation for this work. The theory files in this document guide the reader step by step towards design and proof of significant confidentiality theorems. These are developed against two threat models, the standard Dolev-Yao and a more audacious one, the General Attacker, which turns out to be particularly useful also for teaching purposes. notify = giamp@dmi.unict.it [Possibilistic_Noninterference] title = Possibilistic Noninterference author = Andrei Popescu , Johannes Hölzl date = 2012-09-10 topic = Computer Science/Security, Computer Science/Programming Languages/Type Systems abstract = We formalize a wide variety of Volpano/Smith-style noninterference notions for a while language with parallel composition. We systematize and classify these notions according to compositionality w.r.t. the language constructs. Compositionality yields sound syntactic criteria (a.k.a. type systems) in a uniform way.

An article about these proofs is published in the proceedings of the conference Certified Programs and Proofs 2012. notify = hoelzl@in.tum.de [SIFUM_Type_Systems] title = A Formalization of Assumptions and Guarantees for Compositional Noninterference author = Sylvia Grewe , Heiko Mantel , Daniel Schoepe date = 2014-04-23 topic = Computer Science/Security, Computer Science/Programming Languages/Type Systems abstract = Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private (high) sources to public (low) sinks. For a concurrent system, it is desirable to have compositional analysis methods that allow for analyzing each thread independently and that nevertheless guarantee that the parallel composition of successfully analyzed threads satisfies a global security guarantee. However, such a compositional analysis should not be overly pessimistic about what an environment might do with shared resources. Otherwise, the analysis will reject many intuitively secure programs.

The paper "Assumptions and Guarantees for Compositional Noninterference" by Mantel et. al. presents one solution for this problem: an approach for compositionally reasoning about non-interference in concurrent programs via rely-guarantee-style reasoning. We present an Isabelle/HOL formalization of the concepts and proofs of this approach. notify = grewe@cs.tu-darmstadt.de [Dependent_SIFUM_Type_Systems] title = A Dependent Security Type System for Concurrent Imperative Programs author = Toby Murray , Robert Sison<>, Edward Pierzchalski<>, Christine Rizkallah notify = toby.murray@unimelb.edu.au date = 2016-06-25 topic = Computer Science/Security, Computer Science/Programming Languages/Type Systems abstract = The paper "Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference" by Murray et. al. (CSF 2016) presents a dependent security type system for compositionally verifying a value-dependent noninterference property, defined in (Murray, PLAS 2015), for concurrent programs. This development formalises that security definition, the type system and its soundness proof, and demonstrates its application on some small examples. It was derived from the SIFUM_Type_Systems AFP entry, by Sylvia Grewe, Heiko Mantel and Daniel Schoepe, and whose structure it inherits. extra-history = Change history: [2016-08-19]: Removed unused "stop" parameter and "stop_no_eval" assumption from the sifum_security locale. (revision dbc482d36372) [2016-09-27]: Added security locale support for the imposition of requirements on the initial memory. (revision cce4ceb74ddb) [Dependent_SIFUM_Refinement] title = Compositional Security-Preserving Refinement for Concurrent Imperative Programs author = Toby Murray , Robert Sison<>, Edward Pierzchalski<>, Christine Rizkallah notify = toby.murray@unimelb.edu.au date = 2016-06-28 topic = Computer Science/Security abstract = The paper "Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference" by Murray et. al. (CSF 2016) presents a compositional theory of refinement for a value-dependent noninterference property, defined in (Murray, PLAS 2015), for concurrent programs. This development formalises that refinement theory, and demonstrates its application on some small examples. extra-history = Change history: [2016-08-19]: Removed unused "stop" parameters from the sifum_refinement locale. (revision dbc482d36372) [2016-09-02]: TobyM extended "simple" refinement theory to be usable for all bisimulations. (revision 547f31c25f60) [Strong_Security] title = A Formalization of Strong Security author = Sylvia Grewe , Alexander Lux , Heiko Mantel , Jens Sauer date = 2014-04-23 topic = Computer Science/Security, Computer Science/Programming Languages/Type Systems abstract = Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private sources to public sinks. Noninterference captures this intuition. Strong security from Sabelfeld and Sands formalizes noninterference for concurrent systems.

We present an Isabelle/HOL formalization of strong security for arbitrary security lattices (Sabelfeld and Sands use a two-element security lattice in the original publication). The formalization includes compositionality proofs for strong security and a soundness proof for a security type system that checks strong security for programs in a simple while language with dynamic thread creation.

Our formalization of the security type system is abstract in the language for expressions and in the semantic side conditions for expressions. It can easily be instantiated with different syntactic approximations for these side conditions. The soundness proof of such an instantiation boils down to showing that these syntactic approximations imply the semantic side conditions. notify = grewe@cs.tu-darmstadt.de [WHATandWHERE_Security] title = A Formalization of Declassification with WHAT-and-WHERE-Security author = Sylvia Grewe , Alexander Lux , Heiko Mantel , Jens Sauer date = 2014-04-23 topic = Computer Science/Security, Computer Science/Programming Languages/Type Systems abstract = Research in information-flow security aims at developing methods to identify undesired information leaks within programs from private sources to public sinks. Noninterference captures this intuition by requiring that no information whatsoever flows from private sources to public sinks. However, in practice this definition is often too strict: Depending on the intuitive desired security policy, the controlled declassification of certain private information (WHAT) at certain points in the program (WHERE) might not result in an undesired information leak.

We present an Isabelle/HOL formalization of such a security property for controlled declassification, namely WHAT&WHERE-security from "Scheduler-Independent Declassification" by Lux, Mantel, and Perner. The formalization includes compositionality proofs for and a soundness proof for a security type system that checks for programs in a simple while language with dynamic thread creation.

Our formalization of the security type system is abstract in the language for expressions and in the semantic side conditions for expressions. It can easily be instantiated with different syntactic approximations for these side conditions. The soundness proof of such an instantiation boils down to showing that these syntactic approximations imply the semantic side conditions.

This Isabelle/HOL formalization uses theories from the entry Strong Security. notify = grewe@cs.tu-darmstadt.de [VolpanoSmith] title = A Correctness Proof for the Volpano/Smith Security Typing System author = Gregor Snelting , Daniel Wasserrab date = 2008-09-02 topic = Computer Science/Programming Languages/Type Systems, Computer Science/Security abstract = The Volpano/Smith/Irvine security type systems requires that variables are annotated as high (secret) or low (public), and provides typing rules which guarantee that secret values cannot leak to public output ports. This property of a program is called confidentiality. For a simple while-language without threads, our proof shows that typeability in the Volpano/Smith system guarantees noninterference. Noninterference means that if two initial states for program execution are low-equivalent, then the final states are low-equivalent as well. This indeed implies that secret values cannot leak to public ports. The proof defines an abstract syntax and operational semantics for programs, formalizes noninterference, and then proceeds by rule induction on the operational semantics. The mathematically most intricate part is the treatment of implicit flows. Note that the Volpano/Smith system is not flow-sensitive and thus quite unprecise, resulting in false alarms. However, due to the correctness property, all potential breaks of confidentiality are discovered. notify = [Abstract-Hoare-Logics] title = Abstract Hoare Logics author = Tobias Nipkow date = 2006-08-08 topic = Computer Science/Programming Languages/Logics abstract = These therories describe Hoare logics for a number of imperative language constructs, from while-loops to mutually recursive procedures. Both partial and total correctness are treated. In particular a proof system for total correctness of recursive procedures in the presence of unbounded nondeterminism is presented. notify = nipkow@in.tum.de [Stone_Algebras] title = Stone Algebras author = Walter Guttmann notify = walter.guttmann@canterbury.ac.nz date = 2016-09-06 topic = Mathematics/Order abstract = A range of algebras between lattices and Boolean algebras generalise the notion of a complement. We develop a hierarchy of these pseudo-complemented algebras that includes Stone algebras. Independently of this theory we study filters based on partial orders. Both theories are combined to prove Chen and Grätzer's construction theorem for Stone algebras. The latter involves extensive reasoning about algebraic structures in addition to reasoning in algebraic structures. [Kleene_Algebra] title = Kleene Algebra author = Alasdair Armstrong <>, Georg Struth , Tjark Weber date = 2013-01-15 topic = Computer Science/Programming Languages/Logics, Computer Science/Automata and Formal Languages, Mathematics/Algebra abstract = These files contain a formalisation of variants of Kleene algebras and their most important models as axiomatic type classes in Isabelle/HOL. Kleene algebras are foundational structures in computing with applications ranging from automata and language theory to computational modeling, program construction and verification.

We start with formalising dioids, which are additively idempotent semirings, and expand them by axiomatisations of the Kleene star for finite iteration and an omega operation for infinite iteration. We show that powersets over a given monoid, (regular) languages, sets of paths in a graph, sets of computation traces, binary relations and formal power series form Kleene algebras, and consider further models based on lattices, max-plus semirings and min-plus semirings. We also demonstrate that dioids are closed under the formation of matrices (proofs for Kleene algebras remain to be completed).

On the one hand we have aimed at a reference formalisation of variants of Kleene algebras that covers a wide range of variants and the core theorems in a structured and modular way and provides readable proofs at text book level. On the other hand, we intend to use this algebraic hierarchy and its models as a generic algebraic middle-layer from which programming applications can quickly be explored, implemented and verified. notify = g.struth@sheffield.ac.uk, tjark.weber@it.uu.se [KAT_and_DRA] title = Kleene Algebra with Tests and Demonic Refinement Algebras author = Alasdair Armstrong <>, Victor B. F. Gomes , Georg Struth date = 2014-01-23 topic = Computer Science/Programming Languages/Logics, Computer Science/Automata and Formal Languages, Mathematics/Algebra abstract = We formalise Kleene algebra with tests (KAT) and demonic refinement algebra (DRA) in Isabelle/HOL. KAT is relevant for program verification and correctness proofs in the partial correctness setting. While DRA targets similar applications in the context of total correctness. Our formalisation contains the two most important models of these algebras: binary relations in the case of KAT and predicate transformers in the case of DRA. In addition, we derive the inference rules for Hoare logic in KAT and its relational model and present a simple formally verified program verification tool prototype based on the algebraic approach. notify = g.struth@dcs.shef.ac.uk [KAD] title = Kleene Algebras with Domain author = Victor B. F. Gomes , Walter Guttmann , Peter Höfner , Georg Struth , Tjark Weber date = 2016-04-12 topic = Computer Science/Programming Languages/Logics, Computer Science/Automata and Formal Languages, Mathematics/Algebra abstract = Kleene algebras with domain are Kleene algebras endowed with an operation that maps each element of the algebra to its domain of definition (or its complement) in abstract fashion. They form a simple algebraic basis for Hoare logics, dynamic logics or predicate transformer semantics. We formalise a modular hierarchy of algebras with domain and antidomain (domain complement) operations in Isabelle/HOL that ranges from domain and antidomain semigroups to modal Kleene algebras and divergence Kleene algebras. We link these algebras with models of binary relations and program traces. We include some examples from modal logics, termination and program analysis. notify = walter.guttman@canterbury.ac.nz, g.struth@sheffield.ac.uk, tjark.weber@it.uu.se [Regular_Algebras] title = Regular Algebras author = Simon Foster , Georg Struth date = 2014-05-21 topic = Computer Science/Automata and Formal Languages, Mathematics/Algebra abstract = Regular algebras axiomatise the equational theory of regular expressions as induced by regular language identity. We use Isabelle/HOL for a detailed systematic study of regular algebras given by Boffa, Conway, Kozen and Salomaa. We investigate the relationships between these classes, formalise a soundness proof for the smallest class (Salomaa's) and obtain completeness of the largest one (Boffa's) relative to a deep result by Krob. In addition we provide a large collection of regular identities in the general setting of Boffa's axiom. Our regular algebra hierarchy is orthogonal to the Kleene algebra hierarchy in the Archive of Formal Proofs; we have not aimed at an integration for pragmatic reasons. notify = simon.foster@york.ac.uk, g.struth@sheffield.ac.uk [BytecodeLogicJmlTypes] title = A Bytecode Logic for JML and Types author = Lennart Beringer <>, Martin Hofmann date = 2008-12-12 topic = Computer Science/Programming Languages/Logics abstract = This document contains the Isabelle/HOL sources underlying the paper A bytecode logic for JML and types by Beringer and Hofmann, updated to Isabelle 2008. We present a program logic for a subset of sequential Java bytecode that is suitable for representing both, features found in high-level specification language JML as well as interpretations of high-level type systems. To this end, we introduce a fine-grained collection of assertions, including strong invariants, local annotations and VDM-reminiscent partial-correctness specifications. Thanks to a goal-oriented structure and interpretation of judgements, verification may proceed without recourse to an additional control flow analysis. The suitability for interpreting intensional type systems is illustrated by the proof-carrying-code style encoding of a type system for a first-order functional language which guarantees a constant upper bound on the number of objects allocated throughout an execution, be the execution terminating or non-terminating. Like the published paper, the formal development is restricted to a comparatively small subset of the JVML, lacking (among other features) exceptions, arrays, virtual methods, and static fields. This shortcoming has been overcome meanwhile, as our paper has formed the basis of the Mobius base logic, a program logic for the full sequential fragment of the JVML. Indeed, the present formalisation formed the basis of a subsequent formalisation of the Mobius base logic in the proof assistant Coq, which includes a proof of soundness with respect to the Bicolano operational semantics by Pichardie. notify = [DataRefinementIBP] title = Semantics and Data Refinement of Invariant Based Programs author = Viorel Preoteasa , Ralph-Johan Back date = 2010-05-28 topic = Computer Science/Programming Languages/Logics abstract = The invariant based programming is a technique of constructing correct programs by first identifying the basic situations (pre- and post-conditions and invariants) that can occur during the execution of the program, and then defining the transitions and proving that they preserve the invariants. Data refinement is a technique of building correct programs working on concrete datatypes as refinements of more abstract programs. In the theories presented here we formalize the predicate transformer semantics for invariant based programs and their data refinement. extra-history = Change history: [2012-01-05]: Moved some general complete lattice properties to the AFP entry Lattice Properties. Changed the definition of the data refinement relation to be more general and updated all corresponding theorems. Added new syntax for demonic and angelic update statements. notify = viorel.preoteasa@aalto.fi [RefinementReactive] title = Formalization of Refinement Calculus for Reactive Systems author = Viorel Preoteasa date = 2014-10-08 topic = Computer Science/Programming Languages/Logics abstract = We present a formalization of refinement calculus for reactive systems. Refinement calculus is based on monotonic predicate transformers (monotonic functions from sets of post-states to sets of pre-states), and it is a powerful formalism for reasoning about imperative programs. We model reactive systems as monotonic property transformers that transform sets of output infinite sequences into sets of input infinite sequences. Within this semantics we can model refinement of reactive systems, (unbounded) angelic and demonic nondeterminism, sequential composition, and other semantic properties. We can model systems that may fail for some inputs, and we can model compatibility of systems. We can specify systems that have liveness properties using linear temporal logic, and we can refine system specifications into systems based on symbolic transitions systems, suitable for implementations. notify = viorel.preoteasa@aalto.fi [SIFPL] title = Secure information flow and program logics author = Lennart Beringer <>, Martin Hofmann date = 2008-11-10 topic = Computer Science/Programming Languages/Logics, Computer Science/Security abstract = We present interpretations of type systems for secure information flow in Hoare logic, complementing previous encodings in relational program logics. We first treat the imperative language IMP, extended by a simple procedure call mechanism. For this language we consider base-line non-interference in the style of Volpano et al. and the flow-sensitive type system by Hunt and Sands. In both cases, we show how typing derivations may be used to automatically generate proofs in the program logic that certify the absence of illicit flows. We then add instructions for object creation and manipulation, and derive appropriate proof rules for base-line non-interference. As a consequence of our work, standard verification technology may be used for verifying that a concrete program satisfies the non-interference property.

The present proof development represents an update of the formalisation underlying our paper [CSF 2007] and is intended to resolve any ambiguities that may be present in the paper. notify = lennart.beringer@ifi.lmu.de [TLA] title = A Definitional Encoding of TLA* in Isabelle/HOL author = Gudmund Grov , Stephan Merz date = 2011-11-19 topic = Computer Science/Programming Languages/Logics abstract = We mechanise the logic TLA* [Merz 1999], an extension of Lamport's Temporal Logic of Actions (TLA) [Lamport 1994] for specifying and reasoning about concurrent and reactive systems. Aiming at a framework for mechanising] the verification of TLA (or TLA*) specifications, this contribution reuses some elements from a previous axiomatic encoding of TLA in Isabelle/HOL by the second author [Merz 1998], which has been part of the Isabelle distribution. In contrast to that previous work, we give here a shallow, definitional embedding, with the following highlights:

  • a theory of infinite sequences, including a formalisation of the concepts of stuttering invariance central to TLA and TLA*;
  • a definition of the semantics of TLA*, which extends TLA by a mutually-recursive definition of formulas and pre-formulas, generalising TLA action formulas;
  • a substantial set of derived proof rules, including the TLA* axioms and Lamport's proof rules for system verification;
  • a set of examples illustrating the usage of Isabelle/TLA* for reasoning about systems.
Note that this work is unrelated to the ongoing development of a proof system for the specification language TLA+, which includes an encoding of TLA+ as a new Isabelle object logic [Chaudhuri et al 2010]. notify = ggrov@inf.ed.ac.uk [Compiling-Exceptions-Correctly] title = Compiling Exceptions Correctly author = Tobias Nipkow date = 2004-07-09 topic = Computer Science/Programming Languages/Compiling abstract = An exception compilation scheme that dynamically creates and removes exception handler entries on the stack. A formalization of an article of the same name by Hutton and Wright. notify = nipkow@in.tum.de [NormByEval] title = Normalization by Evaluation author = Klaus Aehlig , Tobias Nipkow date = 2008-02-18 topic = Computer Science/Programming Languages/Compiling abstract = This article formalizes normalization by evaluation as implemented in Isabelle. Lambda calculus plus term rewriting is compiled into a functional program with pattern matching. It is proved that the result of a successful evaluation is a) correct, i.e. equivalent to the input, and b) in normal form. notify = nipkow@in.tum.de [Program-Conflict-Analysis] title = Formalization of Conflict Analysis of Programs with Procedures, Thread Creation, and Monitors topic = Computer Science/Programming Languages/Static Analysis author = Peter Lammich , Markus Müller-Olm date = 2007-12-14 abstract = In this work we formally verify the soundness and precision of a static program analysis that detects conflicts (e. g. data races) in programs with procedures, thread creation and monitors with the Isabelle theorem prover. As common in static program analysis, our program model abstracts guarded branching by nondeterministic branching, but completely interprets the call-/return behavior of procedures, synchronization by monitors, and thread creation. The analysis is based on the observation that all conflicts already occur in a class of particularly restricted schedules. These restricted schedules are suited to constraint-system-based program analysis. The formalization is based upon a flowgraph-based program model with an operational semantics as reference point. notify = peter.lammich@uni-muenster.de [Shivers-CFA] title = Shivers' Control Flow Analysis topic = Computer Science/Programming Languages/Static Analysis author = Joachim Breitner date = 2010-11-16 abstract = In his dissertation, Olin Shivers introduces a concept of control flow graphs for functional languages, provides an algorithm to statically derive a safe approximation of the control flow graph and proves this algorithm correct. In this research project, Shivers' algorithms and proofs are formalized in the HOLCF extension of HOL. notify = mail@joachim-breitner.de, nipkow@in.tum.de [Slicing] title = Towards Certified Slicing author = Daniel Wasserrab date = 2008-09-16 topic = Computer Science/Programming Languages/Static Analysis abstract = Slicing is a widely-used technique with applications in e.g. compiler technology and software security. Thus verification of algorithms in these areas is often based on the correctness of slicing, which should ideally be proven independent of concrete programming languages and with the help of well-known verifying techniques such as proof assistants. As a first step in this direction, this contribution presents a framework for dynamic and static intraprocedural slicing based on control flow and program dependence graphs. Abstracting from concrete syntax we base the framework on a graph representation of the program fulfilling certain structural and well-formedness properties.

The formalization consists of the basic framework (in subdirectory Basic/), the correctness proof for dynamic slicing (in subdirectory Dynamic/), the correctness proof for static intraprocedural slicing (in subdirectory StaticIntra/) and instantiations of the framework with a simple While language (in subdirectory While/) and the sophisticated object-oriented bytecode language of Jinja (in subdirectory JinjaVM/). For more information on the framework, see the TPHOLS 2008 paper by Wasserrab and Lochbihler and the PLAS 2009 paper by Wasserrab et al. notify = [HRB-Slicing] title = Backing up Slicing: Verifying the Interprocedural Two-Phase Horwitz-Reps-Binkley Slicer author = Daniel Wasserrab date = 2009-11-13 topic = Computer Science/Programming Languages/Static Analysis abstract = After verifying dynamic and static interprocedural slicing, we present a modular framework for static interprocedural slicing. To this end, we formalized the standard two-phase slicer from Horwitz, Reps and Binkley (see their TOPLAS 12(1) 1990 paper) together with summary edges as presented by Reps et al. (see FSE 1994). The framework is again modular in the programming language by using an abstract CFG, defined via structural and well-formedness properties. Using a weak simulation between the original and sliced graph, we were able to prove the correctness of static interprocedural slicing. We also instantiate our framework with a simple While language with procedures. This shows that the chosen abstractions are indeed valid. notify = nipkow@in.tum.de [WorkerWrapper] title = The Worker/Wrapper Transformation author = Peter Gammie date = 2009-10-30 topic = Computer Science/Programming Languages/Transformations abstract = Gill and Hutton formalise the worker/wrapper transformation, building on the work of Launchbury and Peyton-Jones who developed it as a way of changing the type at which a recursive function operates. This development establishes the soundness of the technique and several examples of its use. notify = peteg42@gmail.com, nipkow@in.tum.de [JiveDataStoreModel] title = Jive Data and Store Model author = Nicole Rauch , Norbert Schirmer <> date = 2005-06-20 license = LGPL topic = Computer Science/Programming Languages/Misc abstract = This document presents the formalization of an object-oriented data and store model in Isabelle/HOL. This model is being used in the Java Interactive Verification Environment, Jive. notify = kleing@cse.unsw.edu.au, schirmer@in.tum.de [HotelKeyCards] title = Hotel Key Card System author = Tobias Nipkow date = 2006-09-09 topic = Computer Science/Security abstract = Two models of an electronic hotel key card system are contrasted: a state based and a trace based one. Both are defined, verified, and proved equivalent in the theorem prover Isabelle/HOL. It is shown that if a guest follows a certain safety policy regarding her key cards, she can be sure that nobody but her can enter her room. notify = nipkow@in.tum.de [RSAPSS] title = SHA1, RSA, PSS and more author = Christina Lindenberg <>, Kai Wirt <> date = 2005-05-02 topic = Computer Science/Security/Cryptography abstract = Formal verification is getting more and more important in computer science. However the state of the art formal verification methods in cryptography are very rudimentary. These theories are one step to provide a tool box allowing the use of formal methods in every aspect of cryptography. Moreover we present a proof of concept for the feasibility of verification techniques to a standard signature algorithm. notify = nipkow@in.tum.de [InformationFlowSlicing] title = Information Flow Noninterference via Slicing author = Daniel Wasserrab date = 2010-03-23 topic = Computer Science/Security abstract =

In this contribution, we show how correctness proofs for intra- and interprocedural slicing can be used to prove that slicing is able to guarantee information flow noninterference. Moreover, we also illustrate how to lift the control flow graphs of the respective frameworks such that they fulfil the additional assumptions needed in the noninterference proofs. A detailed description of the intraprocedural proof and its interplay with the slicing framework can be found in the PLAS'09 paper by Wasserrab et al.

This entry contains the part for intra-procedural slicing. See entry InformationFlowSlicing_Inter for the inter-procedural part.

extra-history = Change history: [2016-06-10]: The original entry InformationFlowSlicing contained both the inter- and intra-procedural case was split into two for easier maintenance. notify = [InformationFlowSlicing_Inter] title = Inter-Procedural Information Flow Noninterference via Slicing author = Daniel Wasserrab date = 2010-03-23 topic = Computer Science/Security abstract =

In this contribution, we show how correctness proofs for intra- and interprocedural slicing can be used to prove that slicing is able to guarantee information flow noninterference. Moreover, we also illustrate how to lift the control flow graphs of the respective frameworks such that they fulfil the additional assumptions needed in the noninterference proofs. A detailed description of the intraprocedural proof and its interplay with the slicing framework can be found in the PLAS'09 paper by Wasserrab et al.

This entry contains the part for inter-procedural slicing. See entry InformationFlowSlicing for the intra-procedural part.

extra-history = Change history: [2016-06-10]: The original entry InformationFlowSlicing contained both the inter- and intra-procedural case was split into two for easier maintenance. notify = [ComponentDependencies] title = Formalisation and Analysis of Component Dependencies author = Maria Spichkova date = 2014-04-28 topic = Computer Science/System Description Languages abstract = This set of theories presents a formalisation in Isabelle/HOL of data dependencies between components. The approach allows to analyse system structure oriented towards efficient checking of system: it aims at elaborating for a concrete system, which parts of the system are necessary to check a given property. notify = maria.spichkova@rmit.edu.au [Verified-Prover] title = A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic author = Tom Ridge <> date = 2004-09-28 topic = Logic abstract = Soundness and completeness for a system of first order logic are formally proved, building on James Margetson's formalization of work by Wainer and Wallen. The completeness proofs naturally suggest an algorithm to derive proofs. This algorithm, which can be implemented tail recursively, is formalized in Isabelle/HOL. The algorithm can be executed via the rewriting tactics of Isabelle. Alternatively, the definitions can be exported to OCaml, yielding a directly executable program. notify = lp15@cam.ac.uk [Completeness] title = Completeness theorem author = James Margetson <>, Tom Ridge <> date = 2004-09-20 topic = Logic abstract = The completeness of first-order logic is proved, following the first five pages of Wainer and Wallen's chapter of the book Proof Theory by Aczel et al., CUP, 1992. Their presentation of formulas allows the proofs to use symmetry arguments. Margetson formalized this theorem by early 2000. The Isar conversion is thanks to Tom Ridge. A paper describing the formalization is available [pdf]. notify = lp15@cam.ac.uk [Ordinal] title = Countable Ordinals author = Brian Huffman date = 2005-11-11 topic = Logic abstract = This development defines a well-ordered type of countable ordinals. It includes notions of continuous and normal functions, recursively defined functions over ordinals, least fixed-points, and derivatives. Much of ordinal arithmetic is formalized, including exponentials and logarithms. The development concludes with formalizations of Cantor Normal Form and Veblen hierarchies over normal functions. notify = lcp@cl.cam.ac.uk [Ordinals_and_Cardinals] title = Ordinals and Cardinals author = Andrei Popescu <> date = 2009-09-01 topic = Logic abstract = We develop a basic theory of ordinals and cardinals in Isabelle/HOL, up to the point where some cardinality facts relevant for the ``working mathematician" become available. Unlike in set theory, here we do not have at hand canonical notions of ordinal and cardinal. Therefore, here an ordinal is merely a well-order relation and a cardinal is an ordinal minim w.r.t. order embedding on its field. extra-history = Change history: [2012-09-25]: This entry has been discontinued because it is now part of the Isabelle distribution. notify = uuomul@yahoo.com, nipkow@in.tum.de [FOL-Fitting] title = First-Order Logic According to Fitting author = Stefan Berghofer contributors = Andreas Halkjær From date = 2007-08-02 topic = Logic abstract = We present a formalization of parts of Melvin Fitting's book "First-Order Logic and Automated Theorem Proving". The formalization covers the syntax of first-order logic, its semantics, the model existence theorem, a natural deduction proof calculus together with a proof of correctness and completeness, as well as the Löwenheim-Skolem theorem. extra-history = Change history: [2018-07-21]: Proved completeness theorem for open formulas. Proofs are now written in the declarative style. Enumeration of pairs and datatypes is automated using the Countable theory. notify = berghofe@in.tum.de [Epistemic_Logic] title = Epistemic Logic author = Andreas Halkjær From topic = Logic date = 2018-10-29 notify = s144442@student.dtu.dk abstract = This work is a formalization of epistemic logic with countably many agents. It includes proofs of soundness and completeness for the axiom system K. The completeness proof is based on the textbook "Reasoning About Knowledge" by Fagin, Halpern, Moses and Vardi (MIT Press 1995). [SequentInvertibility] title = Invertibility in Sequent Calculi author = Peter Chapman <> date = 2009-08-28 topic = Logic license = LGPL abstract = The invertibility of the rules of a sequent calculus is important for guiding proof search and can be used in some formalised proofs of Cut admissibility. We present sufficient conditions for when a rule is invertible with respect to a calculus. We illustrate the conditions with examples. It must be noted we give purely syntactic criteria; no guarantees are given as to the suitability of the rules. notify = pc@cs.st-andrews.ac.uk, nipkow@in.tum.de [LinearQuantifierElim] title = Quantifier Elimination for Linear Arithmetic author = Tobias Nipkow date = 2008-01-11 topic = Logic abstract = This article formalizes quantifier elimination procedures for dense linear orders, linear real arithmetic and Presburger arithmetic. In each case both a DNF-based non-elementary algorithm and one or more (doubly) exponential NNF-based algorithms are formalized, including the well-known algorithms by Ferrante and Rackoff and by Cooper. The NNF-based algorithms for dense linear orders are new but based on Ferrante and Rackoff and on an algorithm by Loos and Weisspfenning which simulates infenitesimals. All algorithms are directly executable. In particular, they yield reflective quantifier elimination procedures for HOL itself. The formalization makes heavy use of locales and is therefore highly modular. notify = nipkow@in.tum.de [Nat-Interval-Logic] title = Interval Temporal Logic on Natural Numbers author = David Trachtenherz <> date = 2011-02-23 topic = Logic abstract = We introduce a theory of temporal logic operators using sets of natural numbers as time domain, formalized in a shallow embedding manner. The theory comprises special natural intervals (theory IL_Interval: open and closed intervals, continuous and modulo intervals, interval traversing results), operators for shifting intervals to left/right on the number axis as well as expanding/contracting intervals by constant factors (theory IL_IntervalOperators.thy), and ultimately definitions and results for unary and binary temporal operators on arbitrary natural sets (theory IL_TemporalOperators). notify = nipkow@in.tum.de [Recursion-Theory-I] title = Recursion Theory I author = Michael Nedzelsky <> date = 2008-04-05 topic = Logic abstract = This document presents the formalization of introductory material from recursion theory --- definitions and basic properties of primitive recursive functions, Cantor pairing function and computably enumerable sets (including a proof of existence of a one-complete computably enumerable set and a proof of the Rice's theorem). notify = MichaelNedzelsky@yandex.ru [Free-Boolean-Algebra] topic = Logic title = Free Boolean Algebra author = Brian Huffman date = 2010-03-29 abstract = This theory defines a type constructor representing the free Boolean algebra over a set of generators. Values of type (α)formula represent propositional formulas with uninterpreted variables from type α, ordered by implication. In addition to all the standard Boolean algebra operations, the library also provides a function for building homomorphisms to any other Boolean algebra type. notify = brianh@cs.pdx.edu [Sort_Encodings] title = Sound and Complete Sort Encodings for First-Order Logic author = Jasmin Christian Blanchette , Andrei Popescu date = 2013-06-27 topic = Logic abstract = This is a formalization of the soundness and completeness properties for various efficient encodings of sorts in unsorted first-order logic used by Isabelle's Sledgehammer tool.

Essentially, the encodings proceed as follows: a many-sorted problem is decorated with (as few as possible) tags or guards that make the problem monotonic; then sorts can be soundly erased.

The development employs a formalization of many-sorted first-order logic in clausal form (clauses, structures and the basic properties of the satisfaction relation), which could be of interest as the starting point for other formalizations of first-order logic metatheory. notify = uuomul@yahoo.com [Lambda_Free_RPOs] title = Formalization of Recursive Path Orders for Lambda-Free Higher-Order Terms author = Jasmin Christian Blanchette , Uwe Waldmann , Daniel Wand date = 2016-09-23 topic = Logic/Rewriting abstract = This Isabelle/HOL formalization defines recursive path orders (RPOs) for higher-order terms without lambda-abstraction and proves many useful properties about them. The main order fully coincides with the standard RPO on first-order terms also in the presence of currying, distinguishing it from previous work. An optimized variant is formalized as well. It appears promising as the basis of a higher-order superposition calculus. notify = jasmin.blanchette@gmail.com [Lambda_Free_KBOs] title = Formalization of Knuth–Bendix Orders for Lambda-Free Higher-Order Terms author = Heiko Becker , Jasmin Christian Blanchette , Uwe Waldmann , Daniel Wand date = 2016-11-12 topic = Logic/Rewriting abstract = This Isabelle/HOL formalization defines Knuth–Bendix orders for higher-order terms without lambda-abstraction and proves many useful properties about them. The main order fully coincides with the standard transfinite KBO with subterm coefficients on first-order terms. It appears promising as the basis of a higher-order superposition calculus. notify = jasmin.blanchette@gmail.com [Lambda_Free_EPO] title = Formalization of the Embedding Path Order for Lambda-Free Higher-Order Terms author = Alexander Bentkamp topic = Logic/Rewriting date = 2018-10-19 notify = a.bentkamp@vu.nl abstract = This Isabelle/HOL formalization defines the Embedding Path Order (EPO) for higher-order terms without lambda-abstraction and proves many useful properties about it. In contrast to the lambda-free recursive path orders, it does not fully coincide with RPO on first-order terms, but it is compatible with arbitrary higher-order contexts. [Nested_Multisets_Ordinals] title = Formalization of Nested Multisets, Hereditary Multisets, and Syntactic Ordinals author = Jasmin Christian Blanchette , Mathias Fleury , Dmitriy Traytel date = 2016-11-12 topic = Logic/Rewriting abstract = This Isabelle/HOL formalization introduces a nested multiset datatype and defines Dershowitz and Manna's nested multiset order. The order is proved well founded and linear. By removing one constructor, we transform the nested multisets into hereditary multisets. These are isomorphic to the syntactic ordinals—the ordinals can be recursively expressed in Cantor normal form. Addition, subtraction, multiplication, and linear orders are provided on this type. notify = jasmin.blanchette@gmail.com [Abstract-Rewriting] title = Abstract Rewriting topic = Logic/Rewriting date = 2010-06-14 author = Christian Sternagel , René Thiemann license = LGPL abstract = We present an Isabelle formalization of abstract rewriting (see, e.g., the book by Baader and Nipkow). First, we define standard relations like joinability, meetability, conversion, etc. Then, we formalize important properties of abstract rewrite systems, e.g., confluence and strong normalization. Our main concern is on strong normalization, since this formalization is the basis of CeTA (which is mainly about strong normalization of term rewrite systems). Hence lemmas involving strong normalization constitute by far the biggest part of this theory. One of those is Newman's lemma. extra-history = Change history: [2010-09-17]: Added theories defining several (ordered) semirings related to strong normalization and giving some standard instances.
[2013-10-16]: Generalized delta-orders from rationals to Archimedean fields. notify = christian.sternagel@uibk.ac.at, rene.thiemann@uibk.ac.at [First_Order_Terms] title = First-Order Terms author = Christian Sternagel , René Thiemann topic = Logic/Rewriting, Computer Science/Algorithms license = LGPL date = 2018-02-06 notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at abstract = We formalize basic results on first-order terms, including matching and a first-order unification algorithm, as well as well-foundedness of the subsumption order. This entry is part of the Isabelle Formalization of Rewriting IsaFoR, where first-order terms are omni-present: the unification algorithm is used to certify several confluence and termination techniques, like critical-pair computation and dependency graph approximations; and the subsumption order is a crucial ingredient for completion. [Free-Groups] title = Free Groups author = Joachim Breitner date = 2010-06-24 topic = Mathematics/Algebra abstract = Free Groups are, in a sense, the most generic kind of group. They are defined over a set of generators with no additional relations in between them. They play an important role in the definition of group presentations and in other fields. This theory provides the definition of Free Group as the set of fully canceled words in the generators. The universal property is proven, as well as some isomorphisms results about Free Groups. extra-history = Change history: [2011-12-11]: Added the Ping Pong Lemma. notify = [CofGroups] title = An Example of a Cofinitary Group in Isabelle/HOL author = Bart Kastermans date = 2009-08-04 topic = Mathematics/Algebra abstract = We formalize the usual proof that the group generated by the function k -> k + 1 on the integers gives rise to a cofinitary group. notify = nipkow@in.tum.de [Group-Ring-Module] title = Groups, Rings and Modules author = Hidetsune Kobayashi <>, L. Chen <>, H. Murao <> date = 2004-05-18 topic = Mathematics/Algebra abstract = The theory of groups, rings and modules is developed to a great depth. Group theory results include Zassenhaus's theorem and the Jordan-Hoelder theorem. The ring theory development includes ideals, quotient rings and the Chinese remainder theorem. The module development includes the Nakayama lemma, exact sequences and Tensor products. notify = lp15@cam.ac.uk [Robbins-Conjecture] title = A Complete Proof of the Robbins Conjecture author = Matthew Wampler-Doty <> date = 2010-05-22 topic = Mathematics/Algebra abstract = This document gives a formalization of the proof of the Robbins conjecture, following A. Mann, A Complete Proof of the Robbins Conjecture, 2003. notify = nipkow@in.tum.de [Valuation] title = Fundamental Properties of Valuation Theory and Hensel's Lemma author = Hidetsune Kobayashi <> date = 2007-08-08 topic = Mathematics/Algebra abstract = Convergence with respect to a valuation is discussed as convergence of a Cauchy sequence. Cauchy sequences of polynomials are defined. They are used to formalize Hensel's lemma. notify = lp15@cam.ac.uk [Rank_Nullity_Theorem] title = Rank-Nullity Theorem in Linear Algebra author = Jose Divasón , Jesús Aransay topic = Mathematics/Algebra date = 2013-01-16 abstract = In this contribution, we present some formalizations based on the HOL-Multivariate-Analysis session of Isabelle. Firstly, a generalization of several theorems of such library are presented. Secondly, some definitions and proofs involving Linear Algebra and the four fundamental subspaces of a matrix are shown. Finally, we present a proof of the result known in Linear Algebra as the ``Rank-Nullity Theorem'', which states that, given any linear map f from a finite dimensional vector space V to a vector space W, then the dimension of V is equal to the dimension of the kernel of f (which is a subspace of V) and the dimension of the range of f (which is a subspace of W). The proof presented here is based on the one given by Sheldon Axler in his book Linear Algebra Done Right. As a corollary of the previous theorem, and taking advantage of the relationship between linear maps and matrices, we prove that, for every matrix A (which has associated a linear map between finite dimensional vector spaces), the sum of its null space and its column space (which is equal to the range of the linear map) is equal to the number of columns of A. extra-history = Change history: [2014-07-14]: Added some generalizations that allow us to formalize the Rank-Nullity Theorem over finite dimensional vector spaces, instead of over the more particular euclidean spaces. Updated abstract. notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es [Affine_Arithmetic] title = Affine Arithmetic author = Fabian Immler date = 2014-02-07 topic = Mathematics/Analysis abstract = We give a formalization of affine forms as abstract representations of zonotopes. We provide affine operations as well as overapproximations of some non-affine operations like multiplication and division. Expressions involving those operations can automatically be turned into (executable) functions approximating the original expression in affine arithmetic. extra-history = Change history: [2015-01-31]: added algorithm for zonotope/hyperplane intersection
[2017-09-20]: linear approximations for all symbols from the floatarith data type notify = immler@in.tum.de [Cauchy] title = Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality author = Benjamin Porter <> date = 2006-03-14 topic = Mathematics/Analysis abstract = This document presents the mechanised proofs of two popular theorems attributed to Augustin Louis Cauchy - Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality. notify = kleing@cse.unsw.edu.au [Integration] title = Integration theory and random variables author = Stefan Richter date = 2004-11-19 topic = Mathematics/Analysis abstract = Lebesgue-style integration plays a major role in advanced probability. We formalize concepts of elementary measure theory, real-valued random variables as Borel-measurable functions, and a stepwise inductive definition of the integral itself. All proofs are carried out in human readable style using the Isar language. extra-note = Note: This article is of historical interest only. Lebesgue-style integration and probability theory are now available as part of the Isabelle/HOL distribution (directory Probability). notify = richter@informatik.rwth-aachen.de, nipkow@in.tum.de, hoelzl@in.tum.de [Ordinary_Differential_Equations] title = Ordinary Differential Equations author = Fabian Immler , Johannes Hölzl topic = Mathematics/Analysis date = 2012-04-26 abstract =

Session Ordinary-Differential-Equations formalizes ordinary differential equations (ODEs) and initial value problems. This work comprises proofs for local and global existence of unique solutions (Picard-Lindelöf theorem). Moreover, it contains a formalization of the (continuous or even differentiable) dependency of the flow on initial conditions as the flow of ODEs.

Not in the generated document are the following sessions:

  • HOL-ODE-Numerics: Rigorous numerical algorithms for computing enclosures of solutions based on Runge-Kutta methods and affine arithmetic. Reachability analysis with splitting and reduction at hyperplanes.
  • HOL-ODE-Examples: Applications of the numerical algorithms to concrete systems of ODEs.
  • Lorenz_C0, Lorenz_C1: Verified algorithms for checking C1-information according to Tucker's proof, computation of C0-information.

extra-history = Change history: [2014-02-13]: added an implementation of the Euler method based on affine arithmetic
[2016-04-14]: added flow and variational equation
[2016-08-03]: numerical algorithms for reachability analysis (using second-order Runge-Kutta methods, splitting, and reduction) implemented using Lammich's framework for automatic refinement
[2017-09-20]: added Poincare map and propagation of variational equation in reachability analysis, verified algorithms for C1-information and computations for C0-information of the Lorenz attractor. notify = immler@in.tum.de, hoelzl@in.tum.de [Polynomials] title = Executable Multivariate Polynomials author = Christian Sternagel , René Thiemann , Alexander Maletzky , Fabian Immler , Florian Haftmann , Andreas Lochbihler , Alexander Bentkamp date = 2010-08-10 topic = Mathematics/Analysis, Mathematics/Algebra, Computer Science/Algorithms license = LGPL abstract = We define multivariate polynomials over arbitrary (ordered) semirings in combination with (executable) operations like addition, multiplication, and substitution. We also define (weak) monotonicity of polynomials and comparison of polynomials where we provide standard estimations like absolute positiveness or the more recent approach of Neurauter, Zankl, and Middeldorp. Moreover, it is proven that strongly normalizing (monotone) orders can be lifted to strongly normalizing (monotone) orders over polynomials. Our formalization was performed as part of the IsaFoR/CeTA-system which contains several termination techniques. The provided theories have been essential to formalize polynomial interpretations.

This formalization also contains an abstract representation as coefficient functions with finite support and a type of power-products. If this type is ordered by a linear (term) ordering, various additional notions, such as leading power-product, leading coefficient etc., are introduced as well. Furthermore, a lot of generic properties of, and functions on, multivariate polynomials are formalized, including the substitution and evaluation homomorphisms, embeddings of polynomial rings into larger rings (i.e. with one additional indeterminate), homogenization and dehomogenization of polynomials, and the canonical isomorphism between R[X,Y] and R[X][Y]. extra-history = Change history: [2010-09-17]: Moved theories on arbitrary (ordered) semirings to Abstract Rewriting.
[2016-10-28]: Added abstract representation of polynomials and authors Maletzky/Immler.
[2018-01-23]: Added authors Haftmann, Lochbihler after incorporating their formalization of multivariate polynomials based on Polynomial mappings. Moved material from Bentkamp's entry "Deep Learning".
[2019-04-18]: Added material about polynomials whose power-products are represented themselves by polynomial mappings. notify = rene.thiemann@uibk.ac.at, christian.sternagel@uibk.ac.at, alexander.maletzky@risc.jku.at, immler@in.tum.de [Sqrt_Babylonian] title = Computing N-th Roots using the Babylonian Method author = René Thiemann date = 2013-01-03 topic = Mathematics/Analysis license = LGPL abstract = We implement the Babylonian method to compute n-th roots of numbers. We provide precise algorithms for naturals, integers and rationals, and offer an approximation algorithm for square roots over linear ordered fields. Moreover, there are precise algorithms to compute the floor and the ceiling of n-th roots. extra-history = Change history: [2013-10-16]: Added algorithms to compute floor and ceiling of sqrt of integers. [2014-07-11]: Moved NthRoot_Impl from Real-Impl to this entry. notify = rene.thiemann@uibk.ac.at [Sturm_Sequences] title = Sturm's Theorem author = Manuel Eberl date = 2014-01-11 topic = Mathematics/Analysis abstract = Sturm's Theorem states that polynomial sequences with certain properties, so-called Sturm sequences, can be used to count the number of real roots of a real polynomial. This work contains a proof of Sturm's Theorem and code for constructing Sturm sequences efficiently. It also provides the “sturm” proof method, which can decide certain statements about the roots of real polynomials, such as “the polynomial P has exactly n roots in the interval I” or “P(x) > Q(x) for all x ∈ ℝ”. notify = eberlm@in.tum.de [Sturm_Tarski] title = The Sturm-Tarski Theorem author = Wenda Li date = 2014-09-19 topic = Mathematics/Analysis abstract = We have formalized the Sturm-Tarski theorem (also referred as the Tarski theorem), which generalizes Sturm's theorem. Sturm's theorem is usually used as a way to count distinct real roots, while the Sturm-Tarksi theorem forms the basis for Tarski's classic quantifier elimination for real closed field. notify = wl302@cam.ac.uk [Markov_Models] title = Markov Models author = Johannes Hölzl , Tobias Nipkow date = 2012-01-03 topic = Mathematics/Probability Theory, Computer Science/Automata and Formal Languages abstract = This is a formalization of Markov models in Isabelle/HOL. It builds on Isabelle's probability theory. The available models are currently Discrete-Time Markov Chains and a extensions of them with rewards.

As application of these models we formalize probabilistic model checking of pCTL formulas, analysis of IPv4 address allocation in ZeroConf and an analysis of the anonymity of the Crowds protocol. See here for the corresponding paper. notify = hoelzl@in.tum.de [Probabilistic_System_Zoo] title = A Zoo of Probabilistic Systems author = Johannes Hölzl , Andreas Lochbihler , Dmitriy Traytel date = 2015-05-27 topic = Computer Science/Automata and Formal Languages abstract = Numerous models of probabilistic systems are studied in the literature. Coalgebra has been used to classify them into system types and compare their expressiveness. We formalize the resulting hierarchy of probabilistic system types by modeling the semantics of the different systems as codatatypes. This approach yields simple and concise proofs, as bisimilarity coincides with equality for codatatypes.

This work is described in detail in the ITP 2015 publication by the authors. notify = traytel@in.tum.de [Density_Compiler] title = A Verified Compiler for Probability Density Functions author = Manuel Eberl , Johannes Hölzl , Tobias Nipkow date = 2014-10-09 topic = Mathematics/Probability Theory, Computer Science/Programming Languages/Compiling abstract = Bhat et al. [TACAS 2013] developed an inductive compiler that computes density functions for probability spaces described by programs in a probabilistic functional language. In this work, we implement such a compiler for a modified version of this language within the theorem prover Isabelle and give a formal proof of its soundness w.r.t. the semantics of the source and target language. Together with Isabelle's code generation for inductive predicates, this yields a fully verified, executable density compiler. The proof is done in two steps: First, an abstract compiler working with abstract functions modelled directly in the theorem prover's logic is defined and proved sound. Then, this compiler is refined to a concrete version that returns a target-language expression.

An article with the same title and authors is published in the proceedings of ESOP 2015. A detailed presentation of this work can be found in the first author's master's thesis. notify = hoelzl@in.tum.de [CAVA_Automata] title = The CAVA Automata Library author = Peter Lammich date = 2014-05-28 topic = Computer Science/Automata and Formal Languages abstract = We report on the graph and automata library that is used in the fully verified LTL model checker CAVA. As most components of CAVA use some type of graphs or automata, a common automata library simplifies assembly of the components and reduces redundancy.

The CAVA Automata Library provides a hierarchy of graph and automata classes, together with some standard algorithms. Its object oriented design allows for sharing of algorithms, theorems, and implementations between its classes, and also simplifies extensions of the library. Moreover, it is integrated into the Automatic Refinement Framework, supporting automatic refinement of the abstract automata types to efficient data structures.

Note that the CAVA Automata Library is work in progress. Currently, it is very specifically tailored towards the requirements of the CAVA model checker. Nevertheless, the formalization techniques presented here allow an extension of the library to a wider scope. Moreover, they are not limited to graph libraries, but apply to class hierarchies in general.

The CAVA Automata Library is described in the paper: Peter Lammich, The CAVA Automata Library, Isabelle Workshop 2014. notify = lammich@in.tum.de [LTL] title = Linear Temporal Logic author = Salomon Sickert contributors = Benedikt Seidl date = 2016-03-01 topic = Logic, Computer Science/Automata and Formal Languages abstract = This theory provides a formalisation of linear temporal logic (LTL) and unifies previous formalisations within the AFP. This entry establishes syntax and semantics for this logic and decouples it from existing entries, yielding a common environment for theories reasoning about LTL. Furthermore a parser written in SML and an executable simplifier are provided. extra-history = Change history: [2019-03-12]: Support for additional operators, implementation of common equivalence relations, definition of syntactic fragments of LTL and the minimal disjunctive normal form.
notify = sickert@in.tum.de [LTL_to_GBA] title = Converting Linear-Time Temporal Logic to Generalized Büchi Automata author = Alexander Schimpf , Peter Lammich date = 2014-05-28 topic = Computer Science/Automata and Formal Languages abstract = We formalize linear-time temporal logic (LTL) and the algorithm by Gerth et al. to convert LTL formulas to generalized Büchi automata. We also formalize some syntactic rewrite rules that can be applied to optimize the LTL formula before conversion. Moreover, we integrate the Stuttering Equivalence AFP-Entry by Stefan Merz, adapting the lemma that next-free LTL formula cannot distinguish between stuttering equivalent runs to our setting.

We use the Isabelle Refinement and Collection framework, as well as the Autoref tool, to obtain a refined version of our algorithm, from which efficiently executable code can be extracted. notify = lammich@in.tum.de [Gabow_SCC] title = Verified Efficient Implementation of Gabow's Strongly Connected Components Algorithm author = Peter Lammich date = 2014-05-28 topic = Computer Science/Algorithms, Mathematics/Graph Theory abstract = We present an Isabelle/HOL formalization of Gabow's algorithm for finding the strongly connected components of a directed graph. Using data refinement techniques, we extract efficient code that performs comparable to a reference implementation in Java. Our style of formalization allows for re-using large parts of the proofs when defining variants of the algorithm. We demonstrate this by verifying an algorithm for the emptiness check of generalized Büchi automata, re-using most of the existing proofs. notify = lammich@in.tum.de [Promela] title = Promela Formalization author = René Neumann date = 2014-05-28 topic = Computer Science/System Description Languages abstract = We present an executable formalization of the language Promela, the description language for models of the model checker SPIN. This formalization is part of the work for a completely verified model checker (CAVA), but also serves as a useful (and executable!) description of the semantics of the language itself, something that is currently missing. The formalization uses three steps: It takes an abstract syntax tree generated from an SML parser, removes syntactic sugar and enriches it with type information. This further gets translated into a transition system, on which the semantic engine (read: successor function) operates. notify = rene.neumann@in.tum.de [CAVA_LTL_Modelchecker] title = A Fully Verified Executable LTL Model Checker author = Javier Esparza , Peter Lammich , René Neumann , Tobias Nipkow , Alexander Schimpf , Jan-Georg Smaus date = 2014-05-28 topic = Computer Science/Automata and Formal Languages abstract = We present an LTL model checker whose code has been completely verified using the Isabelle theorem prover. The checker consists of over 4000 lines of ML code. The code is produced using the Isabelle Refinement Framework, which allows us to split its correctness proof into (1) the proof of an abstract version of the checker, consisting of a few hundred lines of ``formalized pseudocode'', and (2) a verified refinement step in which mathematical sets and other abstract structures are replaced by implementations of efficient structures like red-black trees and functional arrays. This leads to a checker that, while still slower than unverified checkers, can already be used as a trusted reference implementation against which advanced implementations can be tested.

An early version of this model checker is described in the CAV 2013 paper with the same title. notify = rene.neumann@in.tum.de, lammich@in.tum.de [Fermat3_4] title = Fermat's Last Theorem for Exponents 3 and 4 and the Parametrisation of Pythagorean Triples author = Roelof Oosterhuis <> date = 2007-08-12 topic = Mathematics/Number Theory abstract = This document presents the mechanised proofs of

  • Fermat's Last Theorem for exponents 3 and 4 and
  • the parametrisation of Pythagorean Triples.
notify = nipkow@in.tum.de, roelofoosterhuis@gmail.com [Perfect-Number-Thm] title = Perfect Number Theorem author = Mark Ijbema date = 2009-11-22 topic = Mathematics/Number Theory abstract = These theories present the mechanised proof of the Perfect Number Theorem. notify = nipkow@in.tum.de [SumSquares] title = Sums of Two and Four Squares author = Roelof Oosterhuis <> date = 2007-08-12 topic = Mathematics/Number Theory abstract = This document presents the mechanised proofs of the following results:
  • any prime number of the form 4m+1 can be written as the sum of two squares;
  • any natural number can be written as the sum of four squares
notify = nipkow@in.tum.de, roelofoosterhuis@gmail.com [Lehmer] title = Lehmer's Theorem author = Simon Wimmer , Lars Noschinski date = 2013-07-22 topic = Mathematics/Number Theory abstract = In 1927, Lehmer presented criterions for primality, based on the converse of Fermat's litte theorem. This work formalizes the second criterion from Lehmer's paper, a necessary and sufficient condition for primality.

As a side product we formalize some properties of Euler's phi-function, the notion of the order of an element of a group, and the cyclicity of the multiplicative group of a finite field. notify = noschinl@in.tum.de, simon.wimmer@tum.de [Pratt_Certificate] title = Pratt's Primality Certificates author = Simon Wimmer , Lars Noschinski date = 2013-07-22 topic = Mathematics/Number Theory abstract = In 1975, Pratt introduced a proof system for certifying primes. He showed that a number p is prime iff a primality certificate for p exists. By showing a logarithmic upper bound on the length of the certificates in size of the prime number, he concluded that the decision problem for prime numbers is in NP. This work formalizes soundness and completeness of Pratt's proof system as well as an upper bound for the size of the certificate. notify = noschinl@in.tum.de, simon.wimmer@tum.de [Monad_Memo_DP] title = Monadification, Memoization and Dynamic Programming author = Simon Wimmer , Shuwei Hu , Tobias Nipkow topic = Computer Science/Programming Languages/Transformations, Computer Science/Algorithms, Computer Science/Functional Programming date = 2018-05-22 notify = wimmers@in.tum.de abstract = We present a lightweight framework for the automatic verified (functional or imperative) memoization of recursive functions. Our tool can turn a pure Isabelle/HOL function definition into a monadified version in a state monad or the Imperative HOL heap monad, and prove a correspondence theorem. We provide a variety of memory implementations for the two types of monads. A number of simple techniques allow us to achieve bottom-up computation and space-efficient memoization. The framework’s utility is demonstrated on a number of representative dynamic programming problems. A detailed description of our work can be found in the accompanying paper [2]. [Probabilistic_Timed_Automata] title = Probabilistic Timed Automata author = Simon Wimmer , Johannes Hölzl topic = Mathematics/Probability Theory, Computer Science/Automata and Formal Languages date = 2018-05-24 notify = wimmers@in.tum.de, hoelzl@in.tum.de abstract = We present a formalization of probabilistic timed automata (PTA) for which we try to follow the formula MDP + TA = PTA as far as possible: our work starts from our existing formalizations of Markov decision processes (MDP) and timed automata (TA) and combines them modularly. We prove the fundamental result for probabilistic timed automata: the region construction that is known from timed automata carries over to the probabilistic setting. In particular, this allows us to prove that minimum and maximum reachability probabilities can be computed via a reduction to MDP model checking, including the case where one wants to disregard unrealizable behavior. Further information can be found in our ITP paper [2]. [Hidden_Markov_Models] title = Hidden Markov Models author = Simon Wimmer topic = Mathematics/Probability Theory, Computer Science/Algorithms date = 2018-05-25 notify = wimmers@in.tum.de abstract = This entry contains a formalization of hidden Markov models [3] based on Johannes Hölzl's formalization of discrete time Markov chains [1]. The basic definitions are provided and the correctness of two main (dynamic programming) algorithms for hidden Markov models is proved: the forward algorithm for computing the likelihood of an observed sequence, and the Viterbi algorithm for decoding the most probable hidden state sequence. The Viterbi algorithm is made executable including memoization. Hidden markov models have various applications in natural language processing. For an introduction see Jurafsky and Martin [2]. [ArrowImpossibilityGS] title = Arrow and Gibbard-Satterthwaite author = Tobias Nipkow date = 2008-09-01 topic = Mathematics/Economics abstract = This article formalizes two proofs of Arrow's impossibility theorem due to Geanakoplos and derives the Gibbard-Satterthwaite theorem as a corollary. One formalization is based on utility functions, the other one on strict partial orders.

An article about these proofs is found here. notify = nipkow@in.tum.de [SenSocialChoice] title = Some classical results in Social Choice Theory author = Peter Gammie date = 2008-11-09 topic = Mathematics/Economics abstract = Drawing on Sen's landmark work "Collective Choice and Social Welfare" (1970), this development proves Arrow's General Possibility Theorem, Sen's Liberal Paradox and May's Theorem in a general setting. The goal was to make precise the classical statements and proofs of these results, and to provide a foundation for more recent results such as the Gibbard-Satterthwaite and Duggan-Schwartz theorems. notify = nipkow@in.tum.de [Vickrey_Clarke_Groves] title = VCG - Combinatorial Vickrey-Clarke-Groves Auctions author = Marco B. Caminati <>, Manfred Kerber , Christoph Lange, Colin Rowat date = 2015-04-30 topic = Mathematics/Economics abstract = A VCG auction (named after their inventors Vickrey, Clarke, and Groves) is a generalization of the single-good, second price Vickrey auction to the case of a combinatorial auction (multiple goods, from which any participant can bid on each possible combination). We formalize in this entry VCG auctions, including tie-breaking and prove that the functions for the allocation and the price determination are well-defined. Furthermore we show that the allocation function allocates goods only to participants, only goods in the auction are allocated, and no good is allocated twice. We also show that the price function is non-negative. These properties also hold for the automatically extracted Scala code. notify = mnfrd.krbr@gmail.com [Topology] title = Topology author = Stefan Friedrich <> date = 2004-04-26 topic = Mathematics/Topology abstract = This entry contains two theories. The first, Topology, develops the basic notions of general topology. The second, which can be viewed as a demonstration of the first, is called LList_Topology. It develops the topology of lazy lists. notify = lcp@cl.cam.ac.uk [Knot_Theory] title = Knot Theory author = T.V.H. Prathamesh date = 2016-01-20 topic = Mathematics/Topology abstract = This work contains a formalization of some topics in knot theory. The concepts that were formalized include definitions of tangles, links, framed links and link/tangle equivalence. The formalization is based on a formulation of links in terms of tangles. We further construct and prove the invariance of the Bracket polynomial. Bracket polynomial is an invariant of framed links closely linked to the Jones polynomial. This is perhaps the first attempt to formalize any aspect of knot theory in an interactive proof assistant. notify = prathamesh@imsc.res.in [Graph_Theory] title = Graph Theory author = Lars Noschinski date = 2013-04-28 topic = Mathematics/Graph Theory abstract = This development provides a formalization of directed graphs, supporting (labelled) multi-edges and infinite graphs. A polymorphic edge type allows edges to be treated as pairs of vertices, if multi-edges are not required. Formalized properties are i.a. walks (and related concepts), connectedness and subgraphs and basic properties of isomorphisms.

This formalization is used to prove characterizations of Euler Trails, Shortest Paths and Kuratowski subgraphs. notify = noschinl@in.tum.de [Planarity_Certificates] title = Planarity Certificates author = Lars Noschinski date = 2015-11-11 topic = Mathematics/Graph Theory abstract = This development provides a formalization of planarity based on combinatorial maps and proves that Kuratowski's theorem implies combinatorial planarity. Moreover, it contains verified implementations of programs checking certificates for planarity (i.e., a combinatorial map) or non-planarity (i.e., a Kuratowski subgraph). notify = noschinl@in.tum.de [Max-Card-Matching] title = Maximum Cardinality Matching author = Christine Rizkallah date = 2011-07-21 topic = Mathematics/Graph Theory abstract =

A matching in a graph G is a subset M of the edges of G such that no two share an endpoint. A matching has maximum cardinality if its cardinality is at least as large as that of any other matching. An odd-set cover OSC of a graph G is a labeling of the nodes of G with integers such that every edge of G is either incident to a node labeled 1 or connects two nodes labeled with the same number i ≥ 2.

This article proves Edmonds theorem:
Let M be a matching in a graph G and let OSC be an odd-set cover of G. For any i ≥ 0, let n(i) be the number of nodes labeled i. If |M| = n(1) + ∑i ≥ 2(n(i) div 2), then M is a maximum cardinality matching.

notify = nipkow@in.tum.de [Girth_Chromatic] title = A Probabilistic Proof of the Girth-Chromatic Number Theorem author = Lars Noschinski date = 2012-02-06 topic = Mathematics/Graph Theory abstract = This works presents a formalization of the Girth-Chromatic number theorem in graph theory, stating that graphs with arbitrarily large girth and chromatic number exist. The proof uses the theory of Random Graphs to prove the existence with probabilistic arguments. notify = noschinl@in.tum.de [Random_Graph_Subgraph_Threshold] title = Properties of Random Graphs -- Subgraph Containment author = Lars Hupel date = 2014-02-13 topic = Mathematics/Graph Theory, Mathematics/Probability Theory abstract = Random graphs are graphs with a fixed number of vertices, where each edge is present with a fixed probability. We are interested in the probability that a random graph contains a certain pattern, for example a cycle or a clique. A very high edge probability gives rise to perhaps too many edges (which degrades performance for many algorithms), whereas a low edge probability might result in a disconnected graph. We prove a theorem about a threshold probability such that a higher edge probability will asymptotically almost surely produce a random graph with the desired subgraph. notify = hupel@in.tum.de [Flyspeck-Tame] title = Flyspeck I: Tame Graphs author = Gertrud Bauer <>, Tobias Nipkow date = 2006-05-22 topic = Mathematics/Graph Theory abstract = These theories present the verified enumeration of tame plane graphs as defined by Thomas C. Hales in his proof of the Kepler Conjecture in his book Dense Sphere Packings. A Blueprint for Formal Proofs. [CUP 2012]. The values of the constants in the definition of tameness are identical to those in the Flyspeck project. The IJCAR 2006 paper by Nipkow, Bauer and Schultz refers to the original version of Hales' proof, the ITP 2011 paper by Nipkow refers to the Blueprint version of the proof. extra-history = Change history: [2010-11-02]: modified theories to reflect the modified definition of tameness in Hales' revised proof.
[2014-07-03]: modified constants in def of tameness and Archive according to the final state of the Flyspeck proof. notify = nipkow@in.tum.de [Well_Quasi_Orders] title = Well-Quasi-Orders author = Christian Sternagel date = 2012-04-13 topic = Mathematics/Combinatorics abstract = Based on Isabelle/HOL's type class for preorders, we introduce a type class for well-quasi-orders (wqo) which is characterized by the absence of "bad" sequences (our proofs are along the lines of the proof of Nash-Williams, from which we also borrow terminology). Our main results are instantiations for the product type, the list type, and a type of finite trees, which (almost) directly follow from our proofs of (1) Dickson's Lemma, (2) Higman's Lemma, and (3) Kruskal's Tree Theorem. More concretely:
  • If the sets A and B are wqo then their Cartesian product is wqo.
  • If the set A is wqo then the set of finite lists over A is wqo.
  • If the set A is wqo then the set of finite trees over A is wqo.
The research was funded by the Austrian Science Fund (FWF): J3202. extra-history = Change history: [2012-06-11]: Added Kruskal's Tree Theorem.
[2012-12-19]: New variant of Kruskal's tree theorem for terms (as opposed to variadic terms, i.e., trees), plus finite version of the tree theorem as corollary.
[2013-05-16]: Simplified construction of minimal bad sequences.
[2014-07-09]: Simplified proofs of Higman's lemma and Kruskal's tree theorem, based on homogeneous sequences.
[2016-01-03]: An alternative proof of Higman's lemma by open induction.
[2017-06-08]: Proved (classical) equivalence to inductive definition of almost-full relations according to the ITP 2012 paper "Stop When You Are Almost-Full" by Vytiniotis, Coquand, and Wahlstedt. notify = c.sternagel@gmail.com [Marriage] title = Hall's Marriage Theorem author = Dongchen Jiang , Tobias Nipkow date = 2010-12-17 topic = Mathematics/Combinatorics abstract = Two proofs of Hall's Marriage Theorem: one due to Halmos and Vaughan, one due to Rado. extra-history = Change history: [2011-09-09]: Added Rado's proof notify = nipkow@in.tum.de [Bondy] title = Bondy's Theorem author = Jeremy Avigad , Stefan Hetzl date = 2012-10-27 topic = Mathematics/Combinatorics abstract = A proof of Bondy's theorem following B. Bollabas, Combinatorics, 1986, Cambridge University Press. notify = avigad@cmu.edu, hetzl@logic.at [Ramsey-Infinite] title = Ramsey's theorem, infinitary version author = Tom Ridge <> date = 2004-09-20 topic = Mathematics/Combinatorics abstract = This formalization of Ramsey's theorem (infinitary version) is taken from Boolos and Jeffrey, Computability and Logic, 3rd edition, Chapter 26. It differs slightly from the text by assuming a slightly stronger hypothesis. In particular, the induction hypothesis is stronger, holding for any infinite subset of the naturals. This avoids the rather peculiar mapping argument between kj and aikj on p.263, which is unnecessary and slightly mars this really beautiful result. notify = lp15@cam.ac.uk [Derangements] title = Derangements Formula author = Lukas Bulwahn date = 2015-06-27 topic = Mathematics/Combinatorics abstract = The Derangements Formula describes the number of fixpoint-free permutations as a closed formula. This theorem is the 88th theorem in a list of the ``Top 100 Mathematical Theorems''. notify = lukas.bulwahn@gmail.com [Euler_Partition] title = Euler's Partition Theorem author = Lukas Bulwahn date = 2015-11-19 topic = Mathematics/Combinatorics abstract = Euler's Partition Theorem states that the number of partitions with only distinct parts is equal to the number of partitions with only odd parts. The combinatorial proof follows John Harrison's HOL Light formalization. This theorem is the 45th theorem of the Top 100 Theorems list. notify = lukas.bulwahn@gmail.com [Discrete_Summation] title = Discrete Summation author = Florian Haftmann contributors = Amine Chaieb <> date = 2014-04-13 topic = Mathematics/Combinatorics abstract = These theories introduce basic concepts and proofs about discrete summation: shifts, formal summation, falling factorials and stirling numbers. As proof of concept, a simple summation conversion is provided. notify = florian.haftmann@informatik.tu-muenchen.de [Open_Induction] title = Open Induction author = Mizuhito Ogawa <>, Christian Sternagel date = 2012-11-02 topic = Mathematics/Combinatorics abstract = A proof of the open induction schema based on J.-C. Raoult, Proving open properties by induction, Information Processing Letters 29, 1988, pp.19-23.

This research was supported by the Austrian Science Fund (FWF): J3202.

notify = c.sternagel@gmail.com [Category] title = Category Theory to Yoneda's Lemma author = Greg O'Keefe date = 2005-04-21 topic = Mathematics/Category Theory license = LGPL abstract = This development proves Yoneda's lemma and aims to be readable by humans. It only defines what is needed for the lemma: categories, functors and natural transformations. Limits, adjunctions and other important concepts are not included. extra-history = Change history: [2010-04-23]: The definition of the constant equinumerous was slightly too weak in the original submission and has been fixed in revision 8c2b5b3c995f. notify = lcp@cl.cam.ac.uk [Category2] title = Category Theory author = Alexander Katovsky date = 2010-06-20 topic = Mathematics/Category Theory abstract = This article presents a development of Category Theory in Isabelle/HOL. A Category is defined using records and locales. Functors and Natural Transformations are also defined. The main result that has been formalized is that the Yoneda functor is a full and faithful embedding. We also formalize the completeness of many sorted monadic equational logic. Extensive use is made of the HOLZF theory in both cases. For an informal description see here [pdf]. notify = alexander.katovsky@cantab.net [FunWithFunctions] title = Fun With Functions author = Tobias Nipkow date = 2008-08-26 topic = Mathematics/Misc abstract = This is a collection of cute puzzles of the form ``Show that if a function satisfies the following constraints, it must be ...'' Please add further examples to this collection! notify = nipkow@in.tum.de [FunWithTilings] title = Fun With Tilings author = Tobias Nipkow , Lawrence C. Paulson date = 2008-11-07 topic = Mathematics/Misc abstract = Tilings are defined inductively. It is shown that one form of mutilated chess board cannot be tiled with dominoes, while another one can be tiled with L-shaped tiles. Please add further fun examples of this kind! notify = nipkow@in.tum.de [Lazy-Lists-II] title = Lazy Lists II author = Stefan Friedrich <> date = 2004-04-26 topic = Computer Science/Data Structures abstract = This theory contains some useful extensions to the LList (lazy list) theory by Larry Paulson, including finite, infinite, and positive llists over an alphabet, as well as the new constants take and drop and the prefix order of llists. Finally, the notions of safety and liveness in the sense of Alpern and Schneider (1985) are defined. notify = lcp@cl.cam.ac.uk [Ribbon_Proofs] title = Ribbon Proofs author = John Wickerson <> date = 2013-01-19 topic = Computer Science/Programming Languages/Logics abstract = This document concerns the theory of ribbon proofs: a diagrammatic proof system, based on separation logic, for verifying program correctness. We include the syntax, proof rules, and soundness results for two alternative formalisations of ribbon proofs.

Compared to traditional proof outlines, ribbon proofs emphasise the structure of a proof, so are intelligible and pedagogical. Because they contain less redundancy than proof outlines, and allow each proof step to be checked locally, they may be more scalable. Where proof outlines are cumbersome to modify, ribbon proofs can be visually manoeuvred to yield proofs of variant programs. notify = [Koenigsberg_Friendship] title = The Königsberg Bridge Problem and the Friendship Theorem author = Wenda Li date = 2013-07-19 topic = Mathematics/Graph Theory abstract = This development provides a formalization of undirected graphs and simple graphs, which are based on Benedikt Nordhoff and Peter Lammich's simple formalization of labelled directed graphs in the archive. Then, with our formalization of graphs, we show both necessary and sufficient conditions for Eulerian trails and circuits as well as the fact that the Königsberg Bridge Problem does not have a solution. In addition, we show the Friendship Theorem in simple graphs. notify = [Tree_Decomposition] title = Tree Decomposition author = Christoph Dittmann notify = date = 2016-05-31 topic = Mathematics/Graph Theory abstract = We formalize tree decompositions and tree width in Isabelle/HOL, proving that trees have treewidth 1. We also show that every edge of a tree decomposition is a separation of the underlying graph. As an application of this theorem we prove that complete graphs of size n have treewidth n-1. [Menger] title = Menger's Theorem author = Christoph Dittmann topic = Mathematics/Graph Theory date = 2017-02-26 notify = isabelle@christoph-d.de abstract = We present a formalization of Menger's Theorem for directed and undirected graphs in Isabelle/HOL. This well-known result shows that if two non-adjacent distinct vertices u, v in a directed graph have no separator smaller than n, then there exist n internally vertex-disjoint paths from u to v. The version for undirected graphs follows immediately because undirected graphs are a special case of directed graphs. [IEEE_Floating_Point] title = A Formal Model of IEEE Floating Point Arithmetic author = Lei Yu contributors = Fabian Hellauer , Fabian Immler date = 2013-07-27 topic = Computer Science/Data Structures abstract = This development provides a formal model of IEEE-754 floating-point arithmetic. This formalization, including formal specification of the standard and proofs of important properties of floating-point arithmetic, forms the foundation for verifying programs with floating-point computation. There is also a code generation setup for floats so that we can execute programs using this formalization in functional programming languages. notify = lp15@cam.ac.uk, immler@in.tum.de extra-history = Change history: [2017-09-25]: Added conversions from and to software floating point numbers (by Fabian Hellauer and Fabian Immler).
[2018-02-05]: 'Modernized' representation following the formalization in HOL4: former "float_format" and predicate "is_valid" is now encoded in a type "('e, 'f) float" where 'e and 'f encode the size of exponent and fraction. [Native_Word] title = Native Word author = Andreas Lochbihler contributors = Peter Lammich date = 2013-09-17 topic = Computer Science/Data Structures abstract = This entry makes machine words and machine arithmetic available for code generation from Isabelle/HOL. It provides a common abstraction that hides the differences between the different target languages. The code generator maps these operations to the APIs of the target languages. Apart from that, we extend the available bit operations on types int and integer, and map them to the operations in the target languages. extra-history = Change history: [2013-11-06]: added conversion function between native words and characters (revision fd23d9a7fe3a)
[2014-03-31]: added words of default size in the target language (by Peter Lammich) (revision 25caf5065833)
[2014-10-06]: proper test setup with compilation and execution of tests in all target languages (revision 5d7a1c9ae047)
[2017-09-02]: added 64-bit words (revision c89f86244e3c)
[2018-07-15]: added cast operators for default-size words (revision fc1f1fb8dd30)
notify = mail@andreas-lochbihler.de [XML] title = XML author = Christian Sternagel , René Thiemann date = 2014-10-03 topic = Computer Science/Functional Programming, Computer Science/Data Structures abstract = This entry provides an XML library for Isabelle/HOL. This includes parsing and pretty printing of XML trees as well as combinators for transforming XML trees into arbitrary user-defined data. The main contribution of this entry is an interface (fit for code generation) that allows for communication between verified programs formalized in Isabelle/HOL and the outside world via XML. This library was developed as part of the IsaFoR/CeTA project to which we refer for examples of its usage. notify = c.sternagel@gmail.com, rene.thiemann@uibk.ac.at [HereditarilyFinite] title = The Hereditarily Finite Sets author = Lawrence C. Paulson date = 2013-11-17 topic = Logic abstract = The theory of hereditarily finite sets is formalised, following the development of Swierczkowski. An HF set is a finite collection of other HF sets; they enjoy an induction principle and satisfy all the axioms of ZF set theory apart from the axiom of infinity, which is negated. All constructions that are possible in ZF set theory (Cartesian products, disjoint sums, natural numbers, functions) without using infinite sets are possible here. The definition of addition for the HF sets follows Kirby. This development forms the foundation for the Isabelle proof of Gödel's incompleteness theorems, which has been formalised separately. extra-history = Change history: [2015-02-23]: Added the theory "Finitary" defining the class of types that can be embedded in hf, including int, char, option, list, etc. notify = lp15@cam.ac.uk [Incompleteness] title = Gödel's Incompleteness Theorems author = Lawrence C. Paulson date = 2013-11-17 topic = Logic abstract = Gödel's two incompleteness theorems are formalised, following a careful presentation by Swierczkowski, in the theory of hereditarily finite sets. This represents the first ever machine-assisted proof of the second incompleteness theorem. Compared with traditional formalisations using Peano arithmetic (see e.g. Boolos), coding is simpler, with no need to formalise the notion of multiplication (let alone that of a prime number) in the formalised calculus upon which the theorem is based. However, other technical problems had to be solved in order to complete the argument. notify = lp15@cam.ac.uk [Finite_Automata_HF] title = Finite Automata in Hereditarily Finite Set Theory author = Lawrence C. Paulson date = 2015-02-05 topic = Computer Science/Automata and Formal Languages abstract = Finite Automata, both deterministic and non-deterministic, for regular languages. The Myhill-Nerode Theorem. Closure under intersection, concatenation, etc. Regular expressions define regular languages. Closure under reversal; the powerset construction mapping NFAs to DFAs. Left and right languages; minimal DFAs. Brzozowski's minimization algorithm. Uniqueness up to isomorphism of minimal DFAs. notify = lp15@cam.ac.uk [Decreasing-Diagrams] title = Decreasing Diagrams author = Harald Zankl license = LGPL date = 2013-11-01 topic = Logic/Rewriting abstract = This theory contains a formalization of decreasing diagrams showing that any locally decreasing abstract rewrite system is confluent. We consider the valley (van Oostrom, TCS 1994) and the conversion version (van Oostrom, RTA 2008) and closely follow the original proofs. As an application we prove Newman's lemma. notify = Harald.Zankl@uibk.ac.at [Decreasing-Diagrams-II] title = Decreasing Diagrams II author = Bertram Felgenhauer license = LGPL date = 2015-08-20 topic = Logic/Rewriting abstract = This theory formalizes the commutation version of decreasing diagrams for Church-Rosser modulo. The proof follows Felgenhauer and van Oostrom (RTA 2013). The theory also provides important specializations, in particular van Oostrom’s conversion version (TCS 2008) of decreasing diagrams. notify = bertram.felgenhauer@uibk.ac.at [GoedelGod] title = Gödel's God in Isabelle/HOL author = Christoph Benzmüller , Bruno Woltzenlogel Paleo date = 2013-11-12 topic = Logic/Philosophy abstract = Dana Scott's version of Gödel's proof of God's existence is formalized in quantified modal logic KB (QML KB). QML KB is modeled as a fragment of classical higher-order logic (HOL); thus, the formalization is essentially a formalization in HOL. notify = lp15@cam.ac.uk, c.benzmueller@fu-berlin.de [Types_Tableaus_and_Goedels_God] title = Types, Tableaus and Gödel’s God in Isabelle/HOL author = David Fuenmayor , Christoph Benzmüller topic = Logic/Philosophy date = 2017-05-01 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com abstract = A computer-formalisation of the essential parts of Fitting's textbook "Types, Tableaus and Gödel's God" in Isabelle/HOL is presented. In particular, Fitting's (and Anderson's) variant of the ontological argument is verified and confirmed. This variant avoids the modal collapse, which has been criticised as an undesirable side-effect of Kurt Gödel's (and Dana Scott's) versions of the ontological argument. Fitting's work is employing an intensional higher-order modal logic, which we shallowly embed here in classical higher-order logic. We then utilize the embedded logic for the formalisation of Fitting's argument. (See also the earlier AFP entry ``Gödel's God in Isabelle/HOL''.) [GewirthPGCProof] title = Formalisation and Evaluation of Alan Gewirth's Proof for the Principle of Generic Consistency in Isabelle/HOL author = David Fuenmayor , Christoph Benzmüller topic = Logic/Philosophy date = 2018-10-30 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com abstract = An ambitious ethical theory ---Alan Gewirth's "Principle of Generic Consistency"--- is encoded and analysed in Isabelle/HOL. Gewirth's theory has stirred much attention in philosophy and ethics and has been proposed as a potential means to bound the impact of artificial general intelligence. extra-history = Change history: [2019-04-09]: added proof for a stronger variant of the PGC and examplary inferences (revision 88182cb0a2f6)
[Lowe_Ontological_Argument] title = Computer-assisted Reconstruction and Assessment of E. J. Lowe's Modal Ontological Argument author = David Fuenmayor , Christoph Benzmüller topic = Logic/Philosophy date = 2017-09-21 notify = davfuenmayor@gmail.com, c.benzmueller@gmail.com abstract = Computers may help us to understand --not just verify-- philosophical arguments. By utilizing modern proof assistants in an iterative interpretive process, we can reconstruct and assess an argument by fully formal means. Through the mechanization of a variant of St. Anselm's ontological argument by E. J. Lowe, which is a paradigmatic example of a natural-language argument with strong ties to metaphysics and religion, we offer an ideal showcase for our computer-assisted interpretive method. [AnselmGod] title = Anselm's God in Isabelle/HOL author = Ben Blumson topic = Logic/Philosophy date = 2017-09-06 notify = benblumson@gmail.com abstract = Paul Oppenheimer and Edward Zalta's formalisation of Anselm's ontological argument for the existence of God is automated by embedding a free logic for definite descriptions within Isabelle/HOL. [Tail_Recursive_Functions] title = A General Method for the Proof of Theorems on Tail-recursive Functions author = Pasquale Noce date = 2013-12-01 topic = Computer Science/Functional Programming abstract =

Tail-recursive function definitions are sometimes more straightforward than alternatives, but proving theorems on them may be roundabout because of the peculiar form of the resulting recursion induction rules.

This paper describes a proof method that provides a general solution to this problem by means of suitable invariants over inductive sets, and illustrates the application of such method by examining two case studies.

notify = pasquale.noce.lavoro@gmail.com [CryptoBasedCompositionalProperties] title = Compositional Properties of Crypto-Based Components author = Maria Spichkova date = 2014-01-11 topic = Computer Science/Security abstract = This paper presents an Isabelle/HOL set of theories which allows the specification of crypto-based components and the verification of their composition properties wrt. cryptographic aspects. We introduce a formalisation of the security property of data secrecy, the corresponding definitions and proofs. Please note that here we import the Isabelle/HOL theory ListExtras.thy, presented in the AFP entry FocusStreamsCaseStudies-AFP. notify = maria.spichkova@rmit.edu.au [Featherweight_OCL] title = Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5 author = Achim D. Brucker , Frédéric Tuong , Burkhart Wolff date = 2014-01-16 topic = Computer Science/System Description Languages abstract = The Unified Modeling Language (UML) is one of the few modeling languages that is widely used in industry. While UML is mostly known as diagrammatic modeling language (e.g., visualizing class models), it is complemented by a textual language, called Object Constraint Language (OCL). The current version of OCL is based on a four-valued logic that turns UML into a formal language. Any type comprises the elements "invalid" and "null" which are propagated as strict and non-strict, respectively. Unfortunately, the former semi-formal semantics of this specification language, captured in the "Annex A" of the OCL standard, leads to different interpretations of corner cases. We formalize the core of OCL: denotational definitions, a logical calculus and operational rules that allow for the execution of OCL expressions by a mixture of term rewriting and code compilation. Our formalization reveals several inconsistencies and contradictions in the current version of the OCL standard. Overall, this document is intended to provide the basis for a machine-checked text "Annex A" of the OCL standard targeting at tool implementors. extra-history = Change history: [2015-10-13]: afp-devel@ea3b38fc54d6 and hol-testgen@12148
   Update of Featherweight OCL including a change in the abstract.
[2014-01-16]: afp-devel@9091ce05cb20 and hol-testgen@10241
   New Entry: Featherweight OCL notify = brucker@spamfence.net, tuong@users.gforge.inria.fr, wolff@lri.fr [Relation_Algebra] title = Relation Algebra author = Alasdair Armstrong <>, Simon Foster , Georg Struth , Tjark Weber date = 2014-01-25 topic = Mathematics/Algebra abstract = Tarski's algebra of binary relations is formalised along the lines of the standard textbooks of Maddux and Schmidt and Ströhlein. This includes relation-algebraic concepts such as subidentities, vectors and a domain operation as well as various notions associated to functions. Relation algebras are also expanded by a reflexive transitive closure operation, and they are linked with Kleene algebras and models of binary relations and Boolean matrices. notify = g.struth@sheffield.ac.uk, tjark.weber@it.uu.se [PSemigroupsConvolution] title = Partial Semigroups and Convolution Algebras author = Brijesh Dongol , Victor B. F. Gomes , Ian J. Hayes , Georg Struth topic = Mathematics/Algebra date = 2017-06-13 notify = g.struth@sheffield.ac.uk, victor.gomes@cl.cam.ac.uk abstract = Partial Semigroups are relevant to the foundations of quantum mechanics and combinatorics as well as to interval and separation logics. Convolution algebras can be understood either as algebras of generalised binary modalities over ternary Kripke frames, in particular over partial semigroups, or as algebras of quantale-valued functions which are equipped with a convolution-style operation of multiplication that is parametrised by a ternary relation. Convolution algebras provide algebraic semantics for various substructural logics, including categorial, relevance and linear logics, for separation logic and for interval logics; they cover quantitative and qualitative applications. These mathematical components for partial semigroups and convolution algebras provide uniform foundations from which models of computation based on relations, program traces or pomsets, and verification components for separation or interval temporal logics can be built with little effort. [Secondary_Sylow] title = Secondary Sylow Theorems author = Jakob von Raumer date = 2014-01-28 topic = Mathematics/Algebra abstract = These theories extend the existing proof of the first Sylow theorem (written by Florian Kammueller and L. C. Paulson) by what are often called the second, third and fourth Sylow theorems. These theorems state propositions about the number of Sylow p-subgroups of a group and the fact that they are conjugate to each other. The proofs make use of an implementation of group actions and their properties. notify = psxjv4@nottingham.ac.uk [Jordan_Hoelder] title = The Jordan-Hölder Theorem author = Jakob von Raumer date = 2014-09-09 topic = Mathematics/Algebra abstract = This submission contains theories that lead to a formalization of the proof of the Jordan-Hölder theorem about composition series of finite groups. The theories formalize the notions of isomorphism classes of groups, simple groups, normal series, composition series, maximal normal subgroups. Furthermore, they provide proofs of the second isomorphism theorem for groups, the characterization theorem for maximal normal subgroups as well as many useful lemmas about normal subgroups and factor groups. The proof is inspired by course notes of Stuart Rankin. notify = psxjv4@nottingham.ac.uk [Cayley_Hamilton] title = The Cayley-Hamilton Theorem author = Stephan Adelsberger , Stefan Hetzl , Florian Pollak date = 2014-09-15 topic = Mathematics/Algebra abstract = This document contains a proof of the Cayley-Hamilton theorem based on the development of matrices in HOL/Multivariate Analysis. notify = stvienna@gmail.com [Probabilistic_Noninterference] title = Probabilistic Noninterference author = Andrei Popescu , Johannes Hölzl date = 2014-03-11 topic = Computer Science/Security abstract = We formalize a probabilistic noninterference for a multi-threaded language with uniform scheduling, where probabilistic behaviour comes from both the scheduler and the individual threads. We define notions probabilistic noninterference in two variants: resumption-based and trace-based. For the resumption-based notions, we prove compositionality w.r.t. the language constructs and establish sound type-system-like syntactic criteria. This is a formalization of the mathematical development presented at CPP 2013 and CALCO 2013. It is the probabilistic variant of the Possibilistic Noninterference AFP entry. notify = hoelzl@in.tum.de [HyperCTL] title = A shallow embedding of HyperCTL* author = Markus N. Rabe , Peter Lammich , Andrei Popescu date = 2014-04-16 topic = Computer Science/Security, Logic abstract = We formalize HyperCTL*, a temporal logic for expressing security properties. We first define a shallow embedding of HyperCTL*, within which we prove inductive and coinductive rules for the operators. Then we show that a HyperCTL* formula captures Goguen-Meseguer noninterference, a landmark information flow property. We also define a deep embedding and connect it to the shallow embedding by a denotational semantics, for which we prove sanity w.r.t. dependence on the free variables. Finally, we show that under some finiteness assumptions about the model, noninterference is given by a (finitary) syntactic formula. notify = uuomul@yahoo.com [Bounded_Deducibility_Security] title = Bounded-Deducibility Security author = Andrei Popescu , Peter Lammich date = 2014-04-22 topic = Computer Science/Security abstract = This is a formalization of bounded-deducibility security (BD security), a flexible notion of information-flow security applicable to arbitrary input-output automata. It generalizes Sutherland's classic notion of nondeducibility by factoring in declassification bounds and trigger, whereas nondeducibility states that, in a system, information cannot flow between specified sources and sinks, BD security indicates upper bounds for the flow and triggers under which these upper bounds are no longer guaranteed. notify = uuomul@yahoo.com, lammich@in.tum.de [Network_Security_Policy_Verification] title = Network Security Policy Verification author = Cornelius Diekmann date = 2014-07-04 topic = Computer Science/Security abstract = We present a unified theory for verifying network security policies. A security policy is represented as directed graph. To check high-level security goals, security invariants over the policy are expressed. We cover monotonic security invariants, i.e. prohibiting more does not harm security. We provide the following contributions for the security invariant theory.
  • Secure auto-completion of scenario-specific knowledge, which eases usability.
  • Security violations can be repaired by tightening the policy iff the security invariants hold for the deny-all policy.
  • An algorithm to compute a security policy.
  • A formalization of stateful connection semantics in network security mechanisms.
  • An algorithm to compute a secure stateful implementation of a policy.
  • An executable implementation of all the theory.
  • Examples, ranging from an aircraft cabin data network to the analysis of a large real-world firewall.
  • More examples: A fully automated translation of high-level security goals to both firewall and SDN configurations (see Examples/Distributed_WebApp.thy).
For a detailed description, see extra-history = Change history: [2015-04-14]: Added Distributed WebApp example and improved graphviz visualization (revision 4dde08ca2ab8)
notify = diekmann@net.in.tum.de [Abstract_Completeness] title = Abstract Completeness author = Jasmin Christian Blanchette , Andrei Popescu , Dmitriy Traytel date = 2014-04-16 topic = Logic abstract = A formalization of an abstract property of possibly infinite derivation trees (modeled by a codatatype), representing the core of a proof (in Beth/Hintikka style) of the first-order logic completeness theorem, independent of the concrete syntax or inference rules. This work is described in detail in the IJCAR 2014 publication by the authors. The abstract proof can be instantiated for a wide range of Gentzen and tableau systems as well as various flavors of FOL---e.g., with or without predicates, equality, or sorts. Here, we give only a toy example instantiation with classical propositional logic. A more serious instance---many-sorted FOL with equality---is described elsewhere [Blanchette and Popescu, FroCoS 2013]. notify = traytel@in.tum.de [Pop_Refinement] title = Pop-Refinement author = Alessandro Coglio date = 2014-07-03 topic = Computer Science/Programming Languages/Misc abstract = Pop-refinement is an approach to stepwise refinement, carried out inside an interactive theorem prover by constructing a monotonically decreasing sequence of predicates over deeply embedded target programs. The sequence starts with a predicate that characterizes the possible implementations, and ends with a predicate that characterizes a unique program in explicit syntactic form. Pop-refinement enables more requirements (e.g. program-level and non-functional) to be captured in the initial specification and preserved through refinement. Security requirements expressed as hyperproperties (i.e. predicates over sets of traces) are always preserved by pop-refinement, unlike the popular notion of refinement as trace set inclusion. Two simple examples in Isabelle/HOL are presented, featuring program-level requirements, non-functional requirements, and hyperproperties. notify = coglio@kestrel.edu [VectorSpace] title = Vector Spaces author = Holden Lee date = 2014-08-29 topic = Mathematics/Algebra abstract = This formalisation of basic linear algebra is based completely on locales, building off HOL-Algebra. It includes basic definitions: linear combinations, span, linear independence; linear transformations; interpretation of function spaces as vector spaces; the direct sum of vector spaces, sum of subspaces; the replacement theorem; existence of bases in finite-dimensional; vector spaces, definition of dimension; the rank-nullity theorem. Some concepts are actually defined and proved for modules as they also apply there. Infinite-dimensional vector spaces are supported, but dimension is only supported for finite-dimensional vector spaces. The proofs are standard; the proofs of the replacement theorem and rank-nullity theorem roughly follow the presentation in Linear Algebra by Friedberg, Insel, and Spence. The rank-nullity theorem generalises the existing development in the Archive of Formal Proof (originally using type classes, now using a mix of type classes and locales). notify = holdenl@princeton.edu [Special_Function_Bounds] title = Real-Valued Special Functions: Upper and Lower Bounds author = Lawrence C. Paulson date = 2014-08-29 topic = Mathematics/Analysis abstract = This development proves upper and lower bounds for several familiar real-valued functions. For sin, cos, exp and sqrt, it defines and verifies infinite families of upper and lower bounds, mostly based on Taylor series expansions. For arctan, ln and exp, it verifies a finite collection of upper and lower bounds, originally obtained from the functions' continued fraction expansions using the computer algebra system Maple. A common theme in these proofs is to take the difference between a function and its approximation, which should be zero at one point, and then consider the sign of the derivative. The immediate purpose of this development is to verify axioms used by MetiTarski, an automatic theorem prover for real-valued special functions. Crucial to MetiTarski's operation is the provision of upper and lower bounds for each function of interest. notify = lp15@cam.ac.uk [Landau_Symbols] title = Landau Symbols author = Manuel Eberl date = 2015-07-14 topic = Mathematics/Analysis abstract = This entry provides Landau symbols to describe and reason about the asymptotic growth of functions for sufficiently large inputs. A number of simplification procedures are provided for additional convenience: cancelling of dominated terms in sums under a Landau symbol, cancelling of common factors in products, and a decision procedure for Landau expressions containing products of powers of functions like x, ln(x), ln(ln(x)) etc. notify = eberlm@in.tum.de [Error_Function] title = The Error Function author = Manuel Eberl topic = Mathematics/Analysis date = 2018-02-06 notify = eberlm@in.tum.de abstract =

This entry provides the definitions and basic properties of the complex and real error function erf and the complementary error function erfc. Additionally, it gives their full asymptotic expansions.

[Akra_Bazzi] title = The Akra-Bazzi theorem and the Master theorem author = Manuel Eberl date = 2015-07-14 topic = Mathematics/Analysis abstract = This article contains a formalisation of the Akra-Bazzi method based on a proof by Leighton. It is a generalisation of the well-known Master Theorem for analysing the complexity of Divide & Conquer algorithms. We also include a generalised version of the Master theorem based on the Akra-Bazzi theorem, which is easier to apply than the Akra-Bazzi theorem itself.

Some proof methods that facilitate applying the Master theorem are also included. For a more detailed explanation of the formalisation and the proof methods, see the accompanying paper (publication forthcoming). notify = eberlm@in.tum.de [Dirichlet_Series] title = Dirichlet Series author = Manuel Eberl topic = Mathematics/Number Theory date = 2017-10-12 notify = eberlm@in.tum.de abstract = This entry is a formalisation of much of Chapters 2, 3, and 11 of Apostol's “Introduction to Analytic Number Theory”. This includes:

  • Definitions and basic properties for several number-theoretic functions (Euler's φ, Möbius μ, Liouville's λ, the divisor function σ, von Mangoldt's Λ)
  • Executable code for most of these functions, the most efficient implementations using the factoring algorithm by Thiemann et al.
  • Dirichlet products and formal Dirichlet series
  • Analytic results connecting convergent formal Dirichlet series to complex functions
  • Euler product expansions
  • Asymptotic estimates of number-theoretic functions including the density of squarefree integers and the average number of divisors of a natural number
These results are useful as a basis for developing more number-theoretic results, such as the Prime Number Theorem. [Zeta_Function] title = The Hurwitz and Riemann ζ Functions author = Manuel Eberl topic = Mathematics/Number Theory, Mathematics/Analysis date = 2017-10-12 notify = eberlm@in.tum.de abstract =

This entry builds upon the results about formal and analytic Dirichlet series to define the Hurwitz ζ function and, based on that, the Riemann ζ function. This is done by first defining them for ℜ(z) > 1 and then successively extending the domain to the left using the Euler–MacLaurin formula.

Some basic results about these functions are also shown, such as their analyticity on ℂ∖{1}, that they have a simple pole with residue 1 at 1, their relation to the Γ function, and the special values at negative integers and positive even integers – including the famous ζ(-1) = -1/12 and ζ(2) = π²/6.

Lastly, the entry also contains Euler's analytic proof of the infinitude of primes, based on the fact that ζ(s) has a pole at s = 1.

[Linear_Recurrences] title = Linear Recurrences author = Manuel Eberl topic = Mathematics/Analysis date = 2017-10-12 notify = eberlm@in.tum.de abstract =

Linear recurrences with constant coefficients are an interesting class of recurrence equations that can be solved explicitly. The most famous example are certainly the Fibonacci numbers with the equation f(n) = f(n-1) + f(n - 2) and the quite non-obvious closed form (φn - (-φ)-n) / √5 where φ is the golden ratio.

In this work, I build on existing tools in Isabelle – such as formal power series and polynomial factorisation algorithms – to develop a theory of these recurrences and derive a fully executable solver for them that can be exported to programming languages like Haskell.

[Cartan_FP] title = The Cartan Fixed Point Theorems author = Lawrence C. Paulson date = 2016-03-08 topic = Mathematics/Analysis abstract = The Cartan fixed point theorems concern the group of holomorphic automorphisms on a connected open set of Cn. Ciolli et al. have formalised the one-dimensional case of these theorems in HOL Light. This entry contains their proofs, ported to Isabelle/HOL. Thus it addresses the authors' remark that "it would be important to write a formal proof in a language that can be read by both humans and machines". notify = lp15@cam.ac.uk [Gauss_Jordan] title = Gauss-Jordan Algorithm and Its Applications author = Jose Divasón , Jesús Aransay topic = Computer Science/Algorithms date = 2014-09-03 abstract = The Gauss-Jordan algorithm states that any matrix over a field can be transformed by means of elementary row operations to a matrix in reduced row echelon form. The formalization is based on the Rank Nullity Theorem entry of the AFP and on the HOL-Multivariate-Analysis session of Isabelle, where matrices are represented as functions over finite types. We have set up the code generator to make this representation executable. In order to improve the performance, a refinement to immutable arrays has been carried out. We have formalized some of the applications of the Gauss-Jordan algorithm. Thanks to this development, the following facts can be computed over matrices whose elements belong to a field: Ranks, Determinants, Inverses, Bases and dimensions and Solutions of systems of linear equations. Code can be exported to SML and Haskell. notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es [Echelon_Form] title = Echelon Form author = Jose Divasón , Jesús Aransay topic = Computer Science/Algorithms, Mathematics/Algebra date = 2015-02-12 abstract = We formalize an algorithm to compute the Echelon Form of a matrix. We have proved its existence over Bézout domains and made it executable over Euclidean domains, such as the integer ring and the univariate polynomials over a field. This allows us to compute determinants, inverses and characteristic polynomials of matrices. The work is based on the HOL-Multivariate Analysis library, and on both the Gauss-Jordan and Cayley-Hamilton AFP entries. As a by-product, some algebraic structures have been implemented (principal ideal domains, Bézout domains...). The algorithm has been refined to immutable arrays and code can be generated to functional languages as well. notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es [QR_Decomposition] title = QR Decomposition author = Jose Divasón , Jesús Aransay topic = Computer Science/Algorithms, Mathematics/Algebra date = 2015-02-12 abstract = QR decomposition is an algorithm to decompose a real matrix A into the product of two other matrices Q and R, where Q is orthogonal and R is invertible and upper triangular. The algorithm is useful for the least squares problem; i.e., the computation of the best approximation of an unsolvable system of linear equations. As a side-product, the Gram-Schmidt process has also been formalized. A refinement using immutable arrays is presented as well. The development relies, among others, on the AFP entry "Implementing field extensions of the form Q[sqrt(b)]" by René Thiemann, which allows execution of the algorithm using symbolic computations. Verified code can be generated and executed using floats as well. extra-history = Change history: [2015-06-18]: The second part of the Fundamental Theorem of Linear Algebra has been generalized to more general inner product spaces. notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es [Hermite] title = Hermite Normal Form author = Jose Divasón , Jesús Aransay topic = Computer Science/Algorithms, Mathematics/Algebra date = 2015-07-07 abstract = Hermite Normal Form is a canonical matrix analogue of Reduced Echelon Form, but involving matrices over more general rings. In this work we formalise an algorithm to compute the Hermite Normal Form of a matrix by means of elementary row operations, taking advantage of the Echelon Form AFP entry. We have proven the correctness of such an algorithm and refined it to immutable arrays. Furthermore, we have also formalised the uniqueness of the Hermite Normal Form of a matrix. Code can be exported and some examples of execution involving integer matrices and polynomial matrices are presented as well. notify = jose.divasonm@unirioja.es, jesus-maria.aransay@unirioja.es [Imperative_Insertion_Sort] title = Imperative Insertion Sort author = Christian Sternagel date = 2014-09-25 topic = Computer Science/Algorithms abstract = The insertion sort algorithm of Cormen et al. (Introduction to Algorithms) is expressed in Imperative HOL and proved to be correct and terminating. For this purpose we also provide a theory about imperative loop constructs with accompanying induction/invariant rules for proving partial and total correctness. Furthermore, the formalized algorithm is fit for code generation. notify = lp15@cam.ac.uk [Stream_Fusion_Code] title = Stream Fusion in HOL with Code Generation author = Andreas Lochbihler , Alexandra Maximova date = 2014-10-10 topic = Computer Science/Functional Programming abstract = Stream Fusion is a system for removing intermediate list data structures from functional programs, in particular Haskell. This entry adapts stream fusion to Isabelle/HOL and its code generator. We define stream types for finite and possibly infinite lists and stream versions for most of the fusible list functions in the theories List and Coinductive_List, and prove them correct with respect to the conversion functions between lists and streams. The Stream Fusion transformation itself is implemented as a simproc in the preprocessor of the code generator. [Brian Huffman's AFP entry formalises stream fusion in HOLCF for the domain of lazy lists to prove the GHC compiler rewrite rules correct. In contrast, this work enables Isabelle's code generator to perform stream fusion itself. To that end, it covers both finite and coinductive lists from the HOL library and the Coinductive entry. The fusible list functions require specification and proof principles different from Huffman's.] notify = mail@andreas-lochbihler.de [Case_Labeling] title = Generating Cases from Labeled Subgoals author = Lars Noschinski date = 2015-07-21 topic = Tools, Computer Science/Programming Languages/Misc abstract = Isabelle/Isar provides named cases to structure proofs. This article contains an implementation of a proof method casify, which can be used to easily extend proof tools with support for named cases. Such a proof tool must produce labeled subgoals, which are then interpreted by casify.

As examples, this work contains verification condition generators producing named cases for three languages: The Hoare language from HOL/Library, a monadic language for computations with failure (inspired by the AutoCorres tool), and a language of conditional expressions. These VCGs are demonstrated by a number of example programs. notify = noschinl@in.tum.de [DPT-SAT-Solver] title = A Fast SAT Solver for Isabelle in Standard ML topic = Tools author = Armin Heller <> date = 2009-12-09 abstract = This contribution contains a fast SAT solver for Isabelle written in Standard ML. By loading the theory DPT_SAT_Solver, the SAT solver installs itself (under the name ``dptsat'') and certain Isabelle tools like Refute will start using it automatically. This is a port of the DPT (Decision Procedure Toolkit) SAT Solver written in OCaml. notify = jasmin.blanchette@gmail.com [Rep_Fin_Groups] title = Representations of Finite Groups topic = Mathematics/Algebra author = Jeremy Sylvestre date = 2015-08-12 abstract = We provide a formal framework for the theory of representations of finite groups, as modules over the group ring. Along the way, we develop the general theory of groups (relying on the group_add class for the basics), modules, and vector spaces, to the extent required for theory of group representations. We then provide formal proofs of several important introductory theorems in the subject, including Maschke's theorem, Schur's lemma, and Frobenius reciprocity. We also prove that every irreducible representation is isomorphic to a submodule of the group ring, leading to the fact that for a finite group there are only finitely many isomorphism classes of irreducible representations. In all of this, no restriction is made on the characteristic of the ring or field of scalars until the definition of a group representation, and then the only restriction made is that the characteristic must not divide the order of the group. notify = jsylvest@ualberta.ca [Noninterference_Inductive_Unwinding] title = The Inductive Unwinding Theorem for CSP Noninterference Security topic = Computer Science/Security author = Pasquale Noce date = 2015-08-18 abstract =

The necessary and sufficient condition for CSP noninterference security stated by the Ipurge Unwinding Theorem is expressed in terms of a pair of event lists varying over the set of process traces. This does not render it suitable for the subsequent application of rule induction in the case of a process defined inductively, since rule induction may rather be applied to a single variable ranging over an inductively defined set.

Starting from the Ipurge Unwinding Theorem, this paper derives a necessary and sufficient condition for CSP noninterference security that involves a single event list varying over the set of process traces, and is thus suitable for rule induction; hence its name, Inductive Unwinding Theorem. Similarly to the Ipurge Unwinding Theorem, the new theorem only requires to consider individual accepted and refused events for each process trace, and applies to the general case of a possibly intransitive noninterference policy. Specific variants of this theorem are additionally proven for deterministic processes and trace set processes.

notify = pasquale.noce.lavoro@gmail.com [Password_Authentication_Protocol] title = Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method author = Pasquale Noce topic = Computer Science/Security date = 2017-01-03 notify = pasquale.noce.lavoro@gmail.com abstract = This paper constructs a formal model of a Diffie-Hellman password-based authentication protocol between a user and a smart card, and proves its security. The protocol provides for the dispatch of the user's password to the smart card on a secure messaging channel established by means of Password Authenticated Connection Establishment (PACE), where the mapping method being used is Chip Authentication Mapping. By applying and suitably extending Paulson's Inductive Method, this paper proves that the protocol establishes trustworthy secure messaging channels, preserves the secrecy of users' passwords, and provides an effective mutual authentication service. What is more, these security properties turn out to hold independently of the secrecy of the PACE authentication key. [Jordan_Normal_Form] title = Matrices, Jordan Normal Forms, and Spectral Radius Theory topic = Mathematics/Algebra author = René Thiemann , Akihisa Yamada contributors = Alexander Bentkamp date = 2015-08-21 abstract =

Matrix interpretations are useful as measure functions in termination proving. In order to use these interpretations also for complexity analysis, the growth rate of matrix powers has to examined. Here, we formalized a central result of spectral radius theory, namely that the growth rate is polynomially bounded if and only if the spectral radius of a matrix is at most one.

To formally prove this result we first studied the growth rates of matrices in Jordan normal form, and prove the result that every complex matrix has a Jordan normal form using a constructive prove via Schur decomposition.

The whole development is based on a new abstract type for matrices, which is also executable by a suitable setup of the code generator. It completely subsumes our former AFP-entry on executable matrices, and its main advantage is its close connection to the HMA-representation which allowed us to easily adapt existing proofs on determinants.

All the results have been applied to improve CeTA, our certifier to validate termination and complexity proof certificates.

extra-history = Change history: [2016-01-07]: Added Schur-decomposition, Gram-Schmidt orthogonalization, uniqueness of Jordan normal forms
[2018-04-17]: Integrated lemmas from deep-learning AFP-entry of Alexander Bentkamp notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp [LTL_to_DRA] title = Converting Linear Temporal Logic to Deterministic (Generalized) Rabin Automata topic = Computer Science/Automata and Formal Languages author = Salomon Sickert date = 2015-09-04 abstract = Recently, Javier Esparza and Jan Kretinsky proposed a new method directly translating linear temporal logic (LTL) formulas to deterministic (generalized) Rabin automata. Compared to the existing approaches of constructing a non-deterministic Buechi-automaton in the first step and then applying a determinization procedure (e.g. some variant of Safra's construction) in a second step, this new approach preservers a relation between the formula and the states of the resulting automaton. While the old approach produced a monolithic structure, the new method is compositional. Furthermore, in some cases the resulting automata are much smaller than the automata generated by existing approaches. In order to ensure the correctness of the construction, this entry contains a complete formalisation and verification of the translation. Furthermore from this basis executable code is generated. extra-history = Change history: [2015-09-23]: Enable code export for the eager unfolding optimisation and reduce running time of the generated tool. Moreover, add support for the mlton SML compiler.
[2016-03-24]: Make use of the LTL entry and include the simplifier. notify = sickert@in.tum.de [Timed_Automata] title = Timed Automata author = Simon Wimmer date = 2016-03-08 topic = Computer Science/Automata and Formal Languages abstract = Timed automata are a widely used formalism for modeling real-time systems, which is employed in a class of successful model checkers such as UPPAAL [LPY97], HyTech [HHWt97] or Kronos [Yov97]. This work formalizes the theory for the subclass of diagonal-free timed automata, which is sufficient to model many interesting problems. We first define the basic concepts and semantics of diagonal-free timed automata. Based on this, we prove two types of decidability results for the language emptiness problem. The first is the classic result of Alur and Dill [AD90, AD94], which uses a finite partitioning of the state space into so-called `regions`. Our second result focuses on an approach based on `Difference Bound Matrices (DBMs)`, which is practically used by model checkers. We prove the correctness of the basic forward analysis operations on DBMs. One of these operations is the Floyd-Warshall algorithm for the all-pairs shortest paths problem. To obtain a finite search space, a widening operation has to be used for this kind of analysis. We use Patricia Bouyer's [Bou04] approach to prove that this widening operation is correct in the sense that DBM-based forward analysis in combination with the widening operation also decides language emptiness. The interesting property of this proof is that the first decidability result is reused to obtain the second one. notify = wimmers@in.tum.de [Parity_Game] title = Positional Determinacy of Parity Games author = Christoph Dittmann date = 2015-11-02 topic = Computer Science/Games abstract = We present a formalization of parity games (a two-player game on directed graphs) and a proof of their positional determinacy in Isabelle/HOL. This proof works for both finite and infinite games. notify = [Ergodic_Theory] title = Ergodic Theory author = Sebastien Gouezel date = 2015-12-01 topic = Mathematics/Probability Theory abstract = Ergodic theory is the branch of mathematics that studies the behaviour of measure preserving transformations, in finite or infinite measure. It interacts both with probability theory (mainly through measure theory) and with geometry as a lot of interesting examples are from geometric origin. We implement the first definitions and theorems of ergodic theory, including notably Poicaré recurrence theorem for finite measure preserving systems (together with the notion of conservativity in general), induced maps, Kac's theorem, Birkhoff theorem (arguably the most important theorem in ergodic theory), and variations around it such as conservativity of the corresponding skew product, or Atkinson lemma. notify = sebastien.gouezel@univ-rennes1.fr, hoelzl@in.tum.de [Latin_Square] title = Latin Square author = Alexander Bentkamp date = 2015-12-02 topic = Mathematics/Combinatorics abstract = A Latin Square is a n x n table filled with integers from 1 to n where each number appears exactly once in each row and each column. A Latin Rectangle is a partially filled n x n table with r filled rows and n-r empty rows, such that each number appears at most once in each row and each column. The main result of this theory is that any Latin Rectangle can be completed to a Latin Square. notify = bentkamp@gmail.com [Deep_Learning] title = Expressiveness of Deep Learning author = Alexander Bentkamp date = 2016-11-10 topic = Computer Science/Algorithms abstract = Deep learning has had a profound impact on computer science in recent years, with applications to search engines, image recognition and language processing, bioinformatics, and more. Recently, Cohen et al. provided theoretical evidence for the superiority of deep learning over shallow learning. This formalization of their work simplifies and generalizes the original proof, while working around the limitations of the Isabelle type system. To support the formalization, I developed reusable libraries of formalized mathematics, including results about the matrix rank, the Lebesgue measure, and multivariate polynomials, as well as a library for tensor analysis. notify = bentkamp@gmail.com [Applicative_Lifting] title = Applicative Lifting author = Andreas Lochbihler , Joshua Schneider <> date = 2015-12-22 topic = Computer Science/Functional Programming abstract = Applicative functors augment computations with effects by lifting function application to types which model the effects. As the structure of the computation cannot depend on the effects, applicative expressions can be analysed statically. This allows us to lift universally quantified equations to the effectful types, as observed by Hinze. Thus, equational reasoning over effectful computations can be reduced to pure types.

This entry provides a package for registering applicative functors and two proof methods for lifting of equations over applicative functors. The first method normalises applicative expressions according to the laws of applicative functors. This way, equations whose two sides contain the same list of variables can be lifted to every applicative functor.

To lift larger classes of equations, the second method exploits a number of additional properties (e.g., commutativity of effects) provided the properties have been declared for the concrete applicative functor at hand upon registration.

We declare several types from the Isabelle library as applicative functors and illustrate the use of the methods with two examples: the lifting of the arithmetic type class hierarchy to streams and the verification of a relabelling function on binary trees. We also formalise and verify the normalisation algorithm used by the first proof method.

extra-history = Change history: [2016-03-03]: added formalisation of lifting with combinators
[2016-06-10]: implemented automatic derivation of lifted combinator reductions; support arbitrary lifted relations using relators; improved compatibility with locale interpretation (revision ec336f354f37)
notify = mail@andreas-lochbihler.de [Stern_Brocot] title = The Stern-Brocot Tree author = Peter Gammie , Andreas Lochbihler date = 2015-12-22 topic = Mathematics/Number Theory abstract = The Stern-Brocot tree contains all rational numbers exactly once and in their lowest terms. We formalise the Stern-Brocot tree as a coinductive tree using recursive and iterative specifications, which we have proven equivalent, and show that it indeed contains all the numbers as stated. Following Hinze, we prove that the Stern-Brocot tree can be linearised looplessly into Stern's diatonic sequence (also known as Dijkstra's fusc function) and that it is a permutation of the Bird tree.

The reasoning stays at an abstract level by appealing to the uniqueness of solutions of guarded recursive equations and lifting algebraic laws point-wise to trees and streams using applicative functors.

notify = mail@andreas-lochbihler.de [Algebraic_Numbers] title = Algebraic Numbers in Isabelle/HOL topic = Mathematics/Algebra author = René Thiemann , Akihisa Yamada , Sebastiaan Joosten date = 2015-12-22 abstract = Based on existing libraries for matrices, factorization of rational polynomials, and Sturm's theorem, we formalized algebraic numbers in Isabelle/HOL. Our development serves as an implementation for real and complex numbers, and it admits to compute roots and completely factorize real and complex polynomials, provided that all coefficients are rational numbers. Moreover, we provide two implementations to display algebraic numbers, an injective and expensive one, or a faster but approximative version.

To this end, we mechanized several results on resultants, which also required us to prove that polynomials over a unique factorization domain form again a unique factorization domain.

extra-history = Change history: [2016-01-29]: Split off Polynomial Interpolation and Polynomial Factorization
[2017-04-16]: Use certified Berlekamp-Zassenhaus factorization, use subresultant algorithm for computing resultants, improved bisection algorithm notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp, sebastiaan.joosten@uibk.ac.at [Polynomial_Interpolation] title = Polynomial Interpolation topic = Mathematics/Algebra author = René Thiemann , Akihisa Yamada date = 2016-01-29 abstract = We formalized three algorithms for polynomial interpolation over arbitrary fields: Lagrange's explicit expression, the recursive algorithm of Neville and Aitken, and the Newton interpolation in combination with an efficient implementation of divided differences. Variants of these algorithms for integer polynomials are also available, where sometimes the interpolation can fail; e.g., there is no linear integer polynomial p such that p(0) = 0 and p(2) = 1. Moreover, for the Newton interpolation for integer polynomials, we proved that all intermediate results that are computed during the algorithm must be integers. This admits an early failure detection in the implementation. Finally, we proved the uniqueness of polynomial interpolation.

The development also contains improved code equations to speed up the division of integers in target languages. notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp [Polynomial_Factorization] title = Polynomial Factorization topic = Mathematics/Algebra author = René Thiemann , Akihisa Yamada date = 2016-01-29 abstract = Based on existing libraries for polynomial interpolation and matrices, we formalized several factorization algorithms for polynomials, including Kronecker's algorithm for integer polynomials, Yun's square-free factorization algorithm for field polynomials, and Berlekamp's algorithm for polynomials over finite fields. By combining the last one with Hensel's lifting, we derive an efficient factorization algorithm for the integer polynomials, which is then lifted for rational polynomials by mechanizing Gauss' lemma. Finally, we assembled a combined factorization algorithm for rational polynomials, which combines all the mentioned algorithms and additionally uses the explicit formula for roots of quadratic polynomials and a rational root test.

As side products, we developed division algorithms for polynomials over integral domains, as well as primality-testing and prime-factorization algorithms for integers. notify = rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp [Perron_Frobenius] title = Perron-Frobenius Theorem for Spectral Radius Analysis author = Jose Divasón , Ondřej Kunčar , René Thiemann , Akihisa Yamada notify = rene.thiemann@uibk.ac.at date = 2016-05-20 topic = Mathematics/Algebra abstract =

The spectral radius of a matrix A is the maximum norm of all eigenvalues of A. In previous work we already formalized that for a complex matrix A, the values in An grow polynomially in n if and only if the spectral radius is at most one. One problem with the above characterization is the determination of all complex eigenvalues. In case A contains only non-negative real values, a simplification is possible with the help of the Perron–Frobenius theorem, which tells us that it suffices to consider only the real eigenvalues of A, i.e., applying Sturm's method can decide the polynomial growth of An.

We formalize the Perron–Frobenius theorem based on a proof via Brouwer's fixpoint theorem, which is available in the HOL multivariate analysis (HMA) library. Since the results on the spectral radius is based on matrices in the Jordan normal form (JNF) library, we further develop a connection which allows us to easily transfer theorems between HMA and JNF. With this connection we derive the combined result: if A is a non-negative real matrix, and no real eigenvalue of A is strictly larger than one, then An is polynomially bounded in n.

extra-history = Change history: [2017-10-18]: added Perron-Frobenius theorem for irreducible matrices with generalization (revision bda1f1ce8a1c)
[2018-05-17]: prove conjecture of CPP'18 paper: Jordan blocks of spectral radius have maximum size (revision ffdb3794e5d5) [Stochastic_Matrices] title = Stochastic Matrices and the Perron-Frobenius Theorem author = René Thiemann topic = Mathematics/Algebra, Computer Science/Automata and Formal Languages date = 2017-11-22 notify = rene.thiemann@uibk.ac.at abstract = Stochastic matrices are a convenient way to model discrete-time and finite state Markov chains. The Perron–Frobenius theorem tells us something about the existence and uniqueness of non-negative eigenvectors of a stochastic matrix. In this entry, we formalize stochastic matrices, link the formalization to the existing AFP-entry on Markov chains, and apply the Perron–Frobenius theorem to prove that stationary distributions always exist, and they are unique if the stochastic matrix is irreducible. [Formal_SSA] title = Verified Construction of Static Single Assignment Form author = Sebastian Ullrich , Denis Lohner date = 2016-02-05 topic = Computer Science/Algorithms, Computer Science/Programming Languages/Transformations abstract =

We define a functional variant of the static single assignment (SSA) form construction algorithm described by Braun et al., which combines simplicity and efficiency. The definition is based on a general, abstract control flow graph representation using Isabelle locales.

We prove that the algorithm's output is semantically equivalent to the input according to a small-step semantics, and that it is in minimal SSA form for the common special case of reducible inputs. We then show the satisfiability of the locale assumptions by giving instantiations for a simple While language.

Furthermore, we use a generic instantiation based on typedefs in order to extract OCaml code and replace the unverified SSA construction algorithm of the CompCertSSA project with it.

A more detailed description of the verified SSA construction can be found in the paper Verified Construction of Static Single Assignment Form, CC 2016.

notify = denis.lohner@kit.edu [Minimal_SSA] title = Minimal Static Single Assignment Form author = Max Wagner , Denis Lohner topic = Computer Science/Programming Languages/Transformations date = 2017-01-17 notify = denis.lohner@kit.edu abstract =

This formalization is an extension to "Verified Construction of Static Single Assignment Form". In their work, the authors have shown that Braun et al.'s static single assignment (SSA) construction algorithm produces minimal SSA form for input programs with a reducible control flow graph (CFG). However Braun et al. also proposed an extension to their algorithm that they claim produces minimal SSA form even for irreducible CFGs.
In this formalization we support that claim by giving a mechanized proof.

As the extension of Braun et al.'s algorithm aims for removing so-called redundant strongly connected components of phi functions, we show that this suffices to guarantee minimality according to Cytron et al..

[PropResPI] title = Propositional Resolution and Prime Implicates Generation author = Nicolas Peltier notify = Nicolas.Peltier@imag.fr date = 2016-03-11 topic = Logic abstract = We provide formal proofs in Isabelle-HOL (using mostly structured Isar proofs) of the soundness and completeness of the Resolution rule in propositional logic. The completeness proofs take into account the usual redundancy elimination rules (tautology elimination and subsumption), and several refinements of the Resolution rule are considered: ordered resolution (with selection functions), positive and negative resolution, semantic resolution and unit resolution (the latter refinement is complete only for clause sets that are Horn- renamable). We also define a concrete procedure for computing saturated sets and establish its soundness and completeness. The clause sets are not assumed to be finite, so that the results can be applied to formulas obtained by grounding sets of first-order clauses (however, a total ordering among atoms is assumed to be given). Next, we show that the unrestricted Resolution rule is deductive- complete, in the sense that it is able to generate all (prime) implicates of any set of propositional clauses (i.e., all entailment- minimal, non-valid, clausal consequences of the considered set). The generation of prime implicates is an important problem, with many applications in artificial intelligence and verification (for abductive reasoning, knowledge compilation, diagnosis, debugging etc.). We also show that implicates can be computed in an incremental way, by fixing an ordering among all the atoms in the considered sets and resolving upon these atoms one by one in the considered order (with no backtracking). This feature is critical for the efficient computation of prime implicates. Building on these results, we provide a procedure for computing such implicates and establish its soundness and completeness. [SuperCalc] title = A Variant of the Superposition Calculus author = Nicolas Peltier notify = Nicolas.Peltier@imag.fr date = 2016-09-06 topic = Logic abstract = We provide a formalization of a variant of the superposition calculus, together with formal proofs of soundness and refutational completeness (w.r.t. the usual redundancy criteria based on clause ordering). This version of the calculus uses all the standard restrictions of the superposition rules, together with the following refinement, inspired by the basic superposition calculus: each clause is associated with a set of terms which are assumed to be in normal form -- thus any application of the replacement rule on these terms is blocked. The set is initially empty and terms may be added or removed at each inference step. The set of terms that are assumed to be in normal form includes any term introduced by previous unifiers as well as any term occurring in the parent clauses at a position that is smaller (according to some given ordering on positions) than a previously replaced term. The standard superposition calculus corresponds to the case where the set of irreducible terms is always empty. [Nominal2] title = Nominal 2 author = Christian Urban , Stefan Berghofer , Cezary Kaliszyk date = 2013-02-21 topic = Tools abstract =

Dealing with binders, renaming of bound variables, capture-avoiding substitution, etc., is very often a major problem in formal proofs, especially in proofs by structural and rule induction. Nominal Isabelle is designed to make such proofs easy to formalise: it provides an infrastructure for declaring nominal datatypes (that is alpha-equivalence classes) and for defining functions over them by structural recursion. It also provides induction principles that have Barendregt’s variable convention already built in.

This entry can be used as a more advanced replacement for HOL/Nominal in the Isabelle distribution.

notify = christian.urban@kcl.ac.uk [First_Welfare_Theorem] title = Microeconomics and the First Welfare Theorem author = Julian Parsert , Cezary Kaliszyk topic = Mathematics/Economics license = LGPL date = 2017-09-01 notify = julian.parsert@uibk.ac.at, cezary.kaliszyk@uibk.ac.at abstract = Economic activity has always been a fundamental part of society. Due to modern day politics, economic theory has gained even more influence on our lives. Thus we want models and theories to be as precise as possible. This can be achieved using certification with the help of formal proof technology. Hence we will use Isabelle/HOL to construct two economic models, that of the the pure exchange economy and a version of the Arrow-Debreu Model. We will prove that the First Theorem of Welfare Economics holds within both. The theorem is the mathematical formulation of Adam Smith's famous invisible hand and states that a group of self-interested and rational actors will eventually achieve an efficient allocation of goods and services. extra-history = Change history: [2018-06-17]: Added some lemmas and a theory file, also introduced Microeconomics folder.
[Noninterference_Sequential_Composition] title = Conservation of CSP Noninterference Security under Sequential Composition author = Pasquale Noce date = 2016-04-26 topic = Computer Science/Security, Computer Science/Concurrency/Process Calculi abstract =

In his outstanding work on Communicating Sequential Processes, Hoare has defined two fundamental binary operations allowing to compose the input processes into another, typically more complex, process: sequential composition and concurrent composition. Particularly, the output of the former operation is a process that initially behaves like the first operand, and then like the second operand once the execution of the first one has terminated successfully, as long as it does.

This paper formalizes Hoare's definition of sequential composition and proves, in the general case of a possibly intransitive policy, that CSP noninterference security is conserved under this operation, provided that successful termination cannot be affected by confidential events and cannot occur as an alternative to other events in the traces of the first operand. Both of these assumptions are shown, by means of counterexamples, to be necessary for the theorem to hold.

notify = pasquale.noce.lavoro@gmail.com [Noninterference_Concurrent_Composition] title = Conservation of CSP Noninterference Security under Concurrent Composition author = Pasquale Noce notify = pasquale.noce.lavoro@gmail.com date = 2016-06-13 topic = Computer Science/Security, Computer Science/Concurrency/Process Calculi abstract =

In his outstanding work on Communicating Sequential Processes, Hoare has defined two fundamental binary operations allowing to compose the input processes into another, typically more complex, process: sequential composition and concurrent composition. Particularly, the output of the latter operation is a process in which any event not shared by both operands can occur whenever the operand that admits the event can engage in it, whereas any event shared by both operands can occur just in case both can engage in it.

This paper formalizes Hoare's definition of concurrent composition and proves, in the general case of a possibly intransitive policy, that CSP noninterference security is conserved under this operation. This result, along with the previous analogous one concerning sequential composition, enables the construction of more and more complex processes enforcing noninterference security by composing, sequentially or concurrently, simpler secure processes, whose security can in turn be proven using either the definition of security, or unwinding theorems.

[ROBDD] title = Algorithms for Reduced Ordered Binary Decision Diagrams author = Julius Michaelis , Maximilian Haslbeck , Peter Lammich , Lars Hupel date = 2016-04-27 topic = Computer Science/Algorithms, Computer Science/Data Structures abstract = We present a verified and executable implementation of ROBDDs in Isabelle/HOL. Our implementation relates pointer-based computation in the Heap monad to operations on an abstract definition of boolean functions. Internally, we implemented the if-then-else combinator in a recursive fashion, following the Shannon decomposition of the argument functions. The implementation mixes and adapts known techniques and is built with efficiency in mind. notify = bdd@liftm.de, haslbecm@in.tum.de [No_FTL_observers] title = No Faster-Than-Light Observers author = Mike Stannett , István Németi date = 2016-04-28 topic = Mathematics/Physics abstract = We provide a formal proof within First Order Relativity Theory that no observer can travel faster than the speed of light. Originally reported in Stannett & Németi (2014) "Using Isabelle/HOL to verify first-order relativity theory", Journal of Automated Reasoning 52(4), pp. 361-378. notify = m.stannett@sheffield.ac.uk [Groebner_Bases] title = Gröbner Bases Theory author = Fabian Immler , Alexander Maletzky date = 2016-05-02 topic = Mathematics/Algebra, Computer Science/Algorithms abstract = This formalization is concerned with the theory of Gröbner bases in (commutative) multivariate polynomial rings over fields, originally developed by Buchberger in his 1965 PhD thesis. Apart from the statement and proof of the main theorem of the theory, the formalization also implements Buchberger's algorithm for actually computing Gröbner bases as a tail-recursive function, thus allowing to effectively decide ideal membership in finitely generated polynomial ideals. Furthermore, all functions can be executed on a concrete representation of multivariate polynomials as association lists. extra-history = Change history: [2019-04-18]: Specialized Gröbner bases to less abstract representation of polynomials, where power-products are represented as polynomial mappings.
notify = alexander.maletzky@risc.jku.at [Nullstellensatz] title = Hilbert's Nullstellensatz author = Alexander Maletzky topic = Mathematics/Algebra, Mathematics/Geometry date = 2019-06-16 notify = alexander.maletzky@risc-software.at abstract = This entry formalizes Hilbert's Nullstellensatz, an important theorem in algebraic geometry that can be viewed as the generalization of the Fundamental Theorem of Algebra to multivariate polynomials: If a set of (multivariate) polynomials over an algebraically closed field has no common zero, then the ideal it generates is the entire polynomial ring. The formalization proves several equivalent versions of this celebrated theorem: the weak Nullstellensatz, the strong Nullstellensatz (connecting algebraic varieties and radical ideals), and the field-theoretic Nullstellensatz. The formalization follows Chapter 4.1. of Ideals, Varieties, and Algorithms by Cox, Little and O'Shea. [Bell_Numbers_Spivey] title = Spivey's Generalized Recurrence for Bell Numbers author = Lukas Bulwahn date = 2016-05-04 topic = Mathematics/Combinatorics abstract = This entry defines the Bell numbers as the cardinality of set partitions for a carrier set of given size, and derives Spivey's generalized recurrence relation for Bell numbers following his elegant and intuitive combinatorial proof.

As the set construction for the combinatorial proof requires construction of three intermediate structures, the main difficulty of the formalization is handling the overall combinatorial argument in a structured way. The introduced proof structure allows us to compose the combinatorial argument from its subparts, and supports to keep track how the detailed proof steps are related to the overall argument. To obtain this structure, this entry uses set monad notation for the set construction's definition, introduces suitable predicates and rules, and follows a repeating structure in its Isar proof. notify = lukas.bulwahn@gmail.com [Randomised_Social_Choice] title = Randomised Social Choice Theory author = Manuel Eberl date = 2016-05-05 topic = Mathematics/Economics abstract = This work contains a formalisation of basic Randomised Social Choice, including Stochastic Dominance and Social Decision Schemes (SDSs) along with some of their most important properties (Anonymity, Neutrality, ex-post- and SD-Efficiency, SD-Strategy-Proofness) and two particular SDSs – Random Dictatorship and Random Serial Dictatorship (with proofs of the properties that they satisfy). Many important properties of these concepts are also proven – such as the two equivalent characterisations of Stochastic Dominance and the fact that SD-efficiency of a lottery only depends on the support. The entry also provides convenient commands to define Preference Profiles, prove their well-formedness, and automatically derive restrictions that sufficiently nice SDSs need to satisfy on the defined profiles. Currently, the formalisation focuses on weak preferences and Stochastic Dominance, but it should be easy to extend it to other domains – such as strict preferences – or other lottery extensions – such as Bilinear Dominance or Pairwise Comparison. notify = eberlm@in.tum.de [SDS_Impossibility] title = The Incompatibility of SD-Efficiency and SD-Strategy-Proofness author = Manuel Eberl date = 2016-05-04 topic = Mathematics/Economics abstract = This formalisation contains the proof that there is no anonymous and neutral Social Decision Scheme for at least four voters and alternatives that fulfils both SD-Efficiency and SD-Strategy- Proofness. The proof is a fully structured and quasi-human-redable one. It was derived from the (unstructured) SMT proof of the case for exactly four voters and alternatives by Brandl et al. Their proof relies on an unverified translation of the original problem to SMT, and the proof that lifts the argument for exactly four voters and alternatives to the general case is also not machine-checked. In this Isabelle proof, on the other hand, all of these steps are fully proven and machine-checked. This is particularly important seeing as a previously published informal proof of a weaker statement contained a mistake in precisely this lifting step. notify = eberlm@in.tum.de [Median_Of_Medians_Selection] title = The Median-of-Medians Selection Algorithm author = Manuel Eberl topic = Computer Science/Algorithms date = 2017-12-21 notify = eberlm@in.tum.de abstract =

This entry provides an executable functional implementation of the Median-of-Medians algorithm for selecting the k-th smallest element of an unsorted list deterministically in linear time. The size bounds for the recursive call that lead to the linear upper bound on the run-time of the algorithm are also proven.

[Mason_Stothers] title = The Mason–Stothers Theorem author = Manuel Eberl topic = Mathematics/Algebra date = 2017-12-21 notify = eberlm@in.tum.de abstract =

This article provides a formalisation of Snyder’s simple and elegant proof of the Mason–Stothers theorem, which is the polynomial analogue of the famous abc Conjecture for integers. Remarkably, Snyder found this very elegant proof when he was still a high-school student.

In short, the statement of the theorem is that three non-zero coprime polynomials A, B, C over a field which sum to 0 and do not all have vanishing derivatives fulfil max{deg(A), deg(B), deg(C)} < deg(rad(ABC)) where the rad(P) denotes the radical of P, i. e. the product of all unique irreducible factors of P.

This theorem also implies a kind of polynomial analogue of Fermat’s Last Theorem for polynomials: except for trivial cases, An + Bn + Cn = 0 implies n ≤ 2 for coprime polynomials A, B, C over a field.

[FLP] title = A Constructive Proof for FLP author = Benjamin Bisping , Paul-David Brodmann , Tim Jungnickel , Christina Rickmann , Henning Seidler , Anke Stüber , Arno Wilhelm-Weidner , Kirstin Peters , Uwe Nestmann date = 2016-05-18 topic = Computer Science/Concurrency abstract = The impossibility of distributed consensus with one faulty process is a result with important consequences for real world distributed systems e.g., commits in replicated databases. Since proofs are not immune to faults and even plausible proofs with a profound formalism can conclude wrong results, we validate the fundamental result named FLP after Fischer, Lynch and Paterson. We present a formalization of distributed systems and the aforementioned consensus problem. Our proof is based on Hagen Völzer's paper "A constructive proof for FLP". In addition to the enhanced confidence in the validity of Völzer's proof, we contribute the missing gaps to show the correctness in Isabelle/HOL. We clarify the proof details and even prove fairness of the infinite execution that contradicts consensus. Our Isabelle formalization can also be reused for further proofs of properties of distributed systems. notify = henning.seidler@mailbox.tu-berlin.de [IMAP-CRDT] title = The IMAP CmRDT author = Tim Jungnickel , Lennart Oldenburg <>, Matthias Loibl <> topic = Computer Science/Algorithms, Computer Science/Data Structures date = 2017-11-09 notify = tim.jungnickel@tu-berlin.de abstract = We provide our Isabelle/HOL formalization of a Conflict-free Replicated Datatype for Internet Message Access Protocol commands. We show that Strong Eventual Consistency (SEC) is guaranteed by proving the commutativity of concurrent operations. We base our formalization on the recently proposed "framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes" (AFP.CRDT) from Gomes et al. Hence, we provide an additional example of how the recently proposed framework can be used to design and prove CRDTs. [Incredible_Proof_Machine] title = The meta theory of the Incredible Proof Machine author = Joachim Breitner , Denis Lohner date = 2016-05-20 topic = Logic abstract = The Incredible Proof Machine is an interactive visual theorem prover which represents proofs as port graphs. We model this proof representation in Isabelle, and prove that it is just as powerful as natural deduction. notify = mail@joachim-breitner.de [Word_Lib] title = Finite Machine Word Library author = Joel Beeren<>, Matthew Fernandez<>, Xin Gao<>, Gerwin Klein , Rafal Kolanski<>, Japheth Lim<>, Corey Lewis<>, Daniel Matichuk<>, Thomas Sewell<> notify = kleing@unsw.edu.au date = 2016-06-09 topic = Computer Science/Data Structures abstract = This entry contains an extension to the Isabelle library for fixed-width machine words. In particular, the entry adds quickcheck setup for words, printing as hexadecimals, additional operations, reasoning about alignment, signed words, enumerations of words, normalisation of word numerals, and an extensive library of properties about generic fixed-width words, as well as an instantiation of many of these to the commonly used 32 and 64-bit bases. [Catalan_Numbers] title = Catalan Numbers author = Manuel Eberl notify = eberlm@in.tum.de date = 2016-06-21 topic = Mathematics/Combinatorics abstract =

In this work, we define the Catalan numbers Cn and prove several equivalent definitions (including some closed-form formulae). We also show one of their applications (counting the number of binary trees of size n), prove the asymptotic growth approximation Cn ∼ 4n / (√π · n1.5), and provide reasonably efficient executable code to compute them.

The derivation of the closed-form formulae uses algebraic manipulations of the ordinary generating function of the Catalan numbers, and the asymptotic approximation is then done using generalised binomial coefficients and the Gamma function. Thanks to these highly non-elementary mathematical tools, the proofs are very short and simple.

[Fisher_Yates] title = Fisher–Yates shuffle author = Manuel Eberl notify = eberlm@in.tum.de date = 2016-09-30 topic = Computer Science/Algorithms abstract =

This work defines and proves the correctness of the Fisher–Yates algorithm for shuffling – i.e. producing a random permutation – of a list. The algorithm proceeds by traversing the list and in each step swapping the current element with a random element from the remaining list.

[Bertrands_Postulate] title = Bertrand's postulate author = Julian Biendarra<>, Manuel Eberl contributors = Lawrence C. Paulson topic = Mathematics/Number Theory date = 2017-01-17 notify = eberlm@in.tum.de abstract =

Bertrand's postulate is an early result on the distribution of prime numbers: For every positive integer n, there exists a prime number that lies strictly between n and 2n. The proof is ported from John Harrison's formalisation in HOL Light. It proceeds by first showing that the property is true for all n greater than or equal to 600 and then showing that it also holds for all n below 600 by case distinction.

[Rewriting_Z] title = The Z Property author = Bertram Felgenhauer<>, Julian Nagele<>, Vincent van Oostrom<>, Christian Sternagel<> notify = bertram.felgenhauer@uibk.ac.at, julian.nagele@uibk.ac.at, c.sternagel@gmail.com date = 2016-06-30 topic = Logic/Rewriting abstract = We formalize the Z property introduced by Dehornoy and van Oostrom. First we show that for any abstract rewrite system, Z implies confluence. Then we give two examples of proofs using Z: confluence of lambda-calculus with respect to beta-reduction and confluence of combinatory logic. [Resolution_FOL] title = The Resolution Calculus for First-Order Logic author = Anders Schlichtkrull notify = andschl@dtu.dk date = 2016-06-30 topic = Logic abstract = This theory is a formalization of the resolution calculus for first-order logic. It is proven sound and complete. The soundness proof uses the substitution lemma, which shows a correspondence between substitutions and updates to an environment. The completeness proof uses semantic trees, i.e. trees whose paths are partial Herbrand interpretations. It employs Herbrand's theorem in a formulation which states that an unsatisfiable set of clauses has a finite closed semantic tree. It also uses the lifting lemma which lifts resolution derivation steps from the ground world up to the first-order world. The theory is presented in a paper in the Journal of Automated Reasoning [Sch18] which extends a paper presented at the International Conference on Interactive Theorem Proving [Sch16]. An earlier version was presented in an MSc thesis [Sch15]. The formalization mostly follows textbooks by Ben-Ari [BA12], Chang and Lee [CL73], and Leitsch [Lei97]. The theory is part of the IsaFoL project [IsaFoL].

[Sch18] Anders Schlichtkrull. "Formalization of the Resolution Calculus for First-Order Logic". Journal of Automated Reasoning, 2018.
[Sch16] Anders Schlichtkrull. "Formalization of the Resolution Calculus for First-Order Logic". In: ITP 2016. Vol. 9807. LNCS. Springer, 2016.
[Sch15] Anders Schlichtkrull. "Formalization of Resolution Calculus in Isabelle". https://people.compute.dtu.dk/andschl/Thesis.pdf. MSc thesis. Technical University of Denmark, 2015.
[BA12] Mordechai Ben-Ari. Mathematical Logic for Computer Science. 3rd. Springer, 2012.
[CL73] Chin-Liang Chang and Richard Char-Tung Lee. Symbolic Logic and Mechanical Theorem Proving. 1st. Academic Press, Inc., 1973.
[Lei97] Alexander Leitsch. The Resolution Calculus. Texts in theoretical computer science. Springer, 1997.
[IsaFoL] IsaFoL authors. IsaFoL: Isabelle Formalization of Logic. https://bitbucket.org/jasmin_blanchette/isafol. extra-history = Change history: [2018-01-24]: added several new versions of the soundness and completeness theorems as described in the paper [Sch18].
[2018-03-20]: added a concrete instance of the unification and completeness theorems using the First-Order Terms AFP-entry from IsaFoR as described in the papers [Sch16] and [Sch18]. [Surprise_Paradox] title = Surprise Paradox author = Joachim Breitner notify = mail@joachim-breitner.de date = 2016-07-17 topic = Logic abstract = In 1964, Fitch showed that the paradox of the surprise hanging can be resolved by showing that the judge’s verdict is inconsistent. His formalization builds on Gödel’s coding of provability. In this theory, we reproduce his proof in Isabelle, building on Paulson’s formalisation of Gödel’s incompleteness theorems. [Ptolemys_Theorem] title = Ptolemy's Theorem author = Lukas Bulwahn notify = lukas.bulwahn@gmail.com date = 2016-08-07 topic = Mathematics/Geometry abstract = This entry provides an analytic proof to Ptolemy's Theorem using polar form transformation and trigonometric identities. In this formalization, we use ideas from John Harrison's HOL Light formalization and the proof sketch on the Wikipedia entry of Ptolemy's Theorem. This theorem is the 95th theorem of the Top 100 Theorems list. [Falling_Factorial_Sum] title = The Falling Factorial of a Sum author = Lukas Bulwahn topic = Mathematics/Combinatorics date = 2017-12-22 notify = lukas.bulwahn@gmail.com abstract = This entry shows that the falling factorial of a sum can be computed with an expression using binomial coefficients and the falling factorial of its summands. The entry provides three different proofs: a combinatorial proof, an induction proof and an algebraic proof using the Vandermonde identity. The three formalizations try to follow their informal presentations from a Mathematics Stack Exchange page as close as possible. The induction and algebraic formalization end up to be very close to their informal presentation, whereas the combinatorial proof first requires the introduction of list interleavings, and significant more detail than its informal presentation. [InfPathElimination] title = Infeasible Paths Elimination by Symbolic Execution Techniques: Proof of Correctness and Preservation of Paths author = Romain Aissat<>, Frederic Voisin<>, Burkhart Wolff notify = wolff@lri.fr date = 2016-08-18 topic = Computer Science/Programming Languages/Static Analysis abstract = TRACER is a tool for verifying safety properties of sequential C programs. TRACER attempts at building a finite symbolic execution graph which over-approximates the set of all concrete reachable states and the set of feasible paths. We present an abstract framework for TRACER and similar CEGAR-like systems. The framework provides 1) a graph- transformation based method for reducing the feasible paths in control-flow graphs, 2) a model for symbolic execution, subsumption, predicate abstraction and invariant generation. In this framework we formally prove two key properties: correct construction of the symbolic states and preservation of feasible paths. The framework focuses on core operations, leaving to concrete prototypes to “fit in” heuristics for combining them. The accompanying paper (published in ITP 2016) can be found at https://www.lri.fr/∼wolff/papers/conf/2016-itp-InfPathsNSE.pdf. [Stirling_Formula] title = Stirling's formula author = Manuel Eberl notify = eberlm@in.tum.de date = 2016-09-01 topic = Mathematics/Analysis abstract = This work contains a proof of Stirling's formula both for the factorial n! ∼ √2πn (n/e)n on natural numbers and the real Gamma function Γ(x) ∼ √2π/x (x/e)x. The proof is based on work by Graham Jameson. [Lp] title = Lp spaces author = Sebastien Gouezel notify = sebastien.gouezel@univ-rennes1.fr date = 2016-10-05 topic = Mathematics/Analysis abstract = Lp is the space of functions whose p-th power is integrable. It is one of the most fundamental Banach spaces that is used in analysis and probability. We develop a framework for function spaces, and then implement the Lp spaces in this framework using the existing integration theory in Isabelle/HOL. Our development contains most fundamental properties of Lp spaces, notably the Hölder and Minkowski inequalities, completeness of Lp, duality, stability under almost sure convergence, multiplication of functions in Lp and Lq, stability under conditional expectation. [Berlekamp_Zassenhaus] title = The Factorization Algorithm of Berlekamp and Zassenhaus author = Jose Divasón , Sebastiaan Joosten , René Thiemann , Akihisa Yamada notify = rene.thiemann@uibk.ac.at date = 2016-10-14 topic = Mathematics/Algebra abstract =

We formalize the Berlekamp-Zassenhaus algorithm for factoring square-free integer polynomials in Isabelle/HOL. We further adapt an existing formalization of Yun’s square-free factorization algorithm to integer polynomials, and thus provide an efficient and certified factorization algorithm for arbitrary univariate polynomials.

The algorithm first performs a factorization in the prime field GF(p) and then performs computations in the integer ring modulo p^k, where both p and k are determined at runtime. Since a natural modeling of these structures via dependent types is not possible in Isabelle/HOL, we formalize the whole algorithm using Isabelle’s recent addition of local type definitions.

Through experiments we verify that our algorithm factors polynomials of degree 100 within seconds.

[Allen_Calculus] title = Allen's Interval Calculus author = Fadoua Ghourabi <> notify = fadouaghourabi@gmail.com date = 2016-09-29 topic = Logic, Mathematics/Order abstract = Allen’s interval calculus is a qualitative temporal representation of time events. Allen introduced 13 binary relations that describe all the possible arrangements between two events, i.e. intervals with non-zero finite length. The compositions are pertinent to reasoning about knowledge of time. In particular, a consistency problem of relation constraints is commonly solved with a guideline from these compositions. We formalize the relations together with an axiomatic system. We proof the validity of the 169 compositions of these relations. We also define nests as the sets of intervals that share a meeting point. We prove that nests give the ordering properties of points without introducing a new datatype for points. [1] J.F. Allen. Maintaining Knowledge about Temporal Intervals. In Commun. ACM, volume 26, pages 832–843, 1983. [2] J. F. Allen and P. J. Hayes. A Common-sense Theory of Time. In Proceedings of the 9th International Joint Conference on Artificial Intelligence (IJCAI’85), pages 528–531, 1985. [Source_Coding_Theorem] title = Source Coding Theorem author = Quentin Hibon , Lawrence C. Paulson notify = qh225@cl.cam.ac.uk date = 2016-10-19 topic = Mathematics/Probability Theory abstract = This document contains a proof of the necessary condition on the code rate of a source code, namely that this code rate is bounded by the entropy of the source. This represents one half of Shannon's source coding theorem, which is itself an equivalence. [Buffons_Needle] title = Buffon's Needle Problem author = Manuel Eberl topic = Mathematics/Probability Theory, Mathematics/Geometry date = 2017-06-06 notify = eberlm@in.tum.de abstract = In the 18th century, Georges-Louis Leclerc, Comte de Buffon posed and later solved the following problem, which is often called the first problem ever solved in geometric probability: Given a floor divided into vertical strips of the same width, what is the probability that a needle thrown onto the floor randomly will cross two strips? This entry formally defines the problem in the case where the needle's position is chosen uniformly at random in a single strip around the origin (which is equivalent to larger arrangements due to symmetry). It then provides proofs of the simple solution in the case where the needle's length is no greater than the width of the strips and the more complicated solution in the opposite case. [SPARCv8] title = A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor author = Zhe Hou , David Sanan , Alwen Tiu , Yang Liu notify = zhe.hou@ntu.edu.sg, sanan@ntu.edu.sg date = 2016-10-19 topic = Computer Science/Security, Computer Science/Hardware abstract = We formalise the SPARCv8 instruction set architecture (ISA) which is used in processors such as LEON3. Our formalisation can be specialised to any SPARCv8 CPU, here we use LEON3 as a running example. Our model covers the operational semantics for all the instructions in the integer unit of the SPARCv8 architecture and it supports Isabelle code export, which effectively turns the Isabelle model into a SPARCv8 CPU simulator. We prove the language-based non-interference property for the LEON3 processor. Our model is based on deterministic monad, which is a modified version of the non-deterministic monad from NICTA/l4v. [Separata] title = Separata: Isabelle tactics for Separation Algebra author = Zhe Hou , David Sanan , Alwen Tiu , Rajeev Gore , Ranald Clouston notify = zhe.hou@ntu.edu.sg date = 2016-11-16 topic = Computer Science/Programming Languages/Logics, Tools abstract = We bring the labelled sequent calculus $LS_{PASL}$ for propositional abstract separation logic to Isabelle. The tactics given here are directly applied on an extension of the Separation Algebra in the AFP. In addition to the cancellative separation algebra, we further consider some useful properties in the heap model of separation logic, such as indivisible unit, disjointness, and cross-split. The tactics are essentially a proof search procedure for the calculus $LS_{PASL}$. We wrap the tactics in an Isabelle method called separata, and give a few examples of separation logic formulae which are provable by separata. [LOFT] title = LOFT — Verified Migration of Linux Firewalls to SDN author = Julius Michaelis , Cornelius Diekmann notify = isabelleopenflow@liftm.de date = 2016-10-21 topic = Computer Science/Networks abstract = We present LOFT — Linux firewall OpenFlow Translator, a system that transforms the main routing table and FORWARD chain of iptables of a Linux-based firewall into a set of static OpenFlow rules. Our implementation is verified against a model of a simplified Linux-based router and we can directly show how much of the original functionality is preserved. [Stable_Matching] title = Stable Matching author = Peter Gammie notify = peteg42@gmail.com date = 2016-10-24 topic = Mathematics/Economics abstract = We mechanize proofs of several results from the matching with contracts literature, which generalize those of the classical two-sided matching scenarios that go by the name of stable marriage. Our focus is on game theoretic issues. Along the way we develop executable algorithms for computing optimal stable matches. [Modal_Logics_for_NTS] title = Modal Logics for Nominal Transition Systems author = Tjark Weber , Lars-Henrik Eriksson , Joachim Parrow , Johannes Borgström , Ramunas Gutkovas notify = tjark.weber@it.uu.se date = 2016-10-25 topic = Computer Science/Concurrency/Process Calculi, Logic abstract = We formalize a uniform semantic substrate for a wide variety of process calculi where states and action labels can be from arbitrary nominal sets. A Hennessy-Milner logic for these systems is defined, and proved adequate for bisimulation equivalence. A main novelty is the construction of an infinitary nominal data type to model formulas with (finitely supported) infinite conjunctions and actions that may contain binding names. The logic is generalized to treat different bisimulation variants such as early, late and open in a systematic way. extra-history = Change history: [2017-01-29]: Formalization of weak bisimilarity added (revision c87cc2057d9c) [Abs_Int_ITP2012] title = Abstract Interpretation of Annotated Commands author = Tobias Nipkow notify = nipkow@in.tum.de date = 2016-11-23 topic = Computer Science/Programming Languages/Static Analysis abstract = This is the Isabelle formalization of the material decribed in the eponymous ITP 2012 paper. It develops a generic abstract interpreter for a while-language, including widening and narrowing. The collecting semantics and the abstract interpreter operate on annotated commands: the program is represented as a syntax tree with the semantic information directly embedded, without auxiliary labels. The aim of the formalization is simplicity, not efficiency or precision. This is motivated by the inclusion of the material in a theorem prover based course on semantics. A similar (but more polished) development is covered in the book Concrete Semantics. [Complx] title = COMPLX: A Verification Framework for Concurrent Imperative Programs author = Sidney Amani<>, June Andronick<>, Maksym Bortin<>, Corey Lewis<>, Christine Rizkallah<>, Joseph Tuong<> notify = sidney.amani@data61.csiro.au, corey.lewis@data61.csiro.au date = 2016-11-29 topic = Computer Science/Programming Languages/Logics, Computer Science/Programming Languages/Language Definitions abstract = We propose a concurrency reasoning framework for imperative programs, based on the Owicki-Gries (OG) foundational shared-variable concurrency method. Our framework combines the approaches of Hoare-Parallel, a formalisation of OG in Isabelle/HOL for a simple while-language, and Simpl, a generic imperative language embedded in Isabelle/HOL, allowing formal reasoning on C programs. We define the Complx language, extending the syntax and semantics of Simpl with support for parallel composition and synchronisation. We additionally define an OG logic, which we prove sound w.r.t. the semantics, and a verification condition generator, both supporting involved low-level imperative constructs such as function calls and abrupt termination. We illustrate our framework on an example that features exceptions, guards and function calls. We aim to then target concurrent operating systems, such as the interruptible eChronos embedded operating system for which we already have a model-level OG proof using Hoare-Parallel. extra-history = Change history: [2017-01-13]: Improve VCG for nested parallels and sequential sections (revision 30739dbc3dcb) [Paraconsistency] title = Paraconsistency author = Anders Schlichtkrull , Jørgen Villadsen topic = Logic date = 2016-12-07 notify = andschl@dtu.dk, jovi@dtu.dk abstract = Paraconsistency is about handling inconsistency in a coherent way. In classical and intuitionistic logic everything follows from an inconsistent theory. A paraconsistent logic avoids the explosion. Quite a few applications in computer science and engineering are discussed in the Intelligent Systems Reference Library Volume 110: Towards Paraconsistent Engineering (Springer 2016). We formalize a paraconsistent many-valued logic that we motivated and described in a special issue on logical approaches to paraconsistency (Journal of Applied Non-Classical Logics 2005). We limit ourselves to the propositional fragment of the higher-order logic. The logic is based on so-called key equalities and has a countably infinite number of truth values. We prove theorems in the logic using the definition of validity. We verify truth tables and also counterexamples for non-theorems. We prove meta-theorems about the logic and finally we investigate a case study. [Proof_Strategy_Language] title = Proof Strategy Language author = Yutaka Nagashima<> topic = Tools date = 2016-12-20 notify = Yutaka.Nagashima@data61.csiro.au abstract = Isabelle includes various automatic tools for finding proofs under certain conditions. However, for each conjecture, knowing which automation to use, and how to tweak its parameters, is currently labour intensive. We have developed a language, PSL, designed to capture high level proof strategies. PSL offloads the construction of human-readable fast-to-replay proof scripts to automatic search, making use of search-time information about each conjecture. Our preliminary evaluations show that PSL reduces the labour cost of interactive theorem proving. This submission contains the implementation of PSL and an example theory file, Example.thy, showing how to write poof strategies in PSL. [Concurrent_Ref_Alg] title = Concurrent Refinement Algebra and Rely Quotients author = Julian Fell , Ian J. Hayes , Andrius Velykis topic = Computer Science/Concurrency date = 2016-12-30 notify = Ian.Hayes@itee.uq.edu.au abstract = The concurrent refinement algebra developed here is designed to provide a foundation for rely/guarantee reasoning about concurrent programs. The algebra builds on a complete lattice of commands by providing sequential composition, parallel composition and a novel weak conjunction operator. The weak conjunction operator coincides with the lattice supremum providing its arguments are non-aborting, but aborts if either of its arguments do. Weak conjunction provides an abstract version of a guarantee condition as a guarantee process. We distinguish between models that distribute sequential composition over non-deterministic choice from the left (referred to as being conjunctive in the refinement calculus literature) and those that don't. Least and greatest fixed points of monotone functions are provided to allow recursion and iteration operators to be added to the language. Additional iteration laws are available for conjunctive models. The rely quotient of processes c and i is the process that, if executed in parallel with i implements c. It represents an abstract version of a rely condition generalised to a process. [FOL_Harrison] title = First-Order Logic According to Harrison author = Alexander Birch Jensen , Anders Schlichtkrull , Jørgen Villadsen topic = Logic date = 2017-01-01 notify = aleje@dtu.dk, andschl@dtu.dk, jovi@dtu.dk abstract =

We present a certified declarative first-order prover with equality based on John Harrison's Handbook of Practical Logic and Automated Reasoning, Cambridge University Press, 2009. ML code reflection is used such that the entire prover can be executed within Isabelle as a very simple interactive proof assistant. As examples we consider Pelletier's problems 1-46.

Reference: Programming and Verifying a Declarative First-Order Prover in Isabelle/HOL. Alexander Birch Jensen, John Bruntse Larsen, Anders Schlichtkrull & Jørgen Villadsen. AI Communications 31:281-299 2018. https://content.iospress.com/articles/ai-communications/aic764

See also: Students' Proof Assistant (SPA). https://github.com/logic-tools/spa

extra-history = Change history: [2018-07-21]: Proof of Pelletier's problem 34 (Andrews's Challenge) thanks to Andreas Halkjær From. [Bernoulli] title = Bernoulli Numbers author = Lukas Bulwahn, Manuel Eberl topic = Mathematics/Analysis, Mathematics/Number Theory date = 2017-01-24 notify = eberlm@in.tum.de abstract =

Bernoulli numbers were first discovered in the closed-form expansion of the sum 1m + 2m + … + nm for a fixed m and appear in many other places. This entry provides three different definitions for them: a recursive one, an explicit one, and one through their exponential generating function.

In addition, we prove some basic facts, e.g. their relation to sums of powers of integers and that all odd Bernoulli numbers except the first are zero, and some advanced facts like their relationship to the Riemann zeta function on positive even integers.

We also prove the correctness of the Akiyama–Tanigawa algorithm for computing Bernoulli numbers with reasonable efficiency, and we define the periodic Bernoulli polynomials (which appear e.g. in the Euler–MacLaurin summation formula and the expansion of the log-Gamma function) and prove their basic properties.

[Stone_Relation_Algebras] title = Stone Relation Algebras author = Walter Guttmann topic = Mathematics/Algebra date = 2017-02-07 notify = walter.guttmann@canterbury.ac.nz abstract = We develop Stone relation algebras, which generalise relation algebras by replacing the underlying Boolean algebra structure with a Stone algebra. We show that finite matrices over extended real numbers form an instance. As a consequence, relation-algebraic concepts and methods can be used for reasoning about weighted graphs. We also develop a fixpoint calculus and apply it to compare different definitions of reflexive-transitive closures in semirings. [Stone_Kleene_Relation_Algebras] title = Stone-Kleene Relation Algebras author = Walter Guttmann topic = Mathematics/Algebra date = 2017-07-06 notify = walter.guttmann@canterbury.ac.nz abstract = We develop Stone-Kleene relation algebras, which expand Stone relation algebras with a Kleene star operation to describe reachability in weighted graphs. Many properties of the Kleene star arise as a special case of a more general theory of iteration based on Conway semirings extended by simulation axioms. This includes several theorems representing complex program transformations. We formally prove the correctness of Conway's automata-based construction of the Kleene star of a matrix. We prove numerous results useful for reasoning about weighted graphs. [Abstract_Soundness] title = Abstract Soundness author = Jasmin Christian Blanchette , Andrei Popescu , Dmitriy Traytel topic = Logic date = 2017-02-10 notify = jasmin.blanchette@gmail.com abstract = A formalized coinductive account of the abstract development of Brotherston, Gorogiannis, and Petersen [APLAS 2012], in a slightly more general form since we work with arbitrary infinite proofs, which may be acyclic. This work is described in detail in an article by the authors, published in 2017 in the Journal of Automated Reasoning. The abstract proof can be instantiated for various formalisms, including first-order logic with inductive predicates. [Differential_Dynamic_Logic] title = Differential Dynamic Logic author = Brandon Bohrer topic = Logic, Computer Science/Programming Languages/Logics date = 2017-02-13 notify = bbohrer@cs.cmu.edu abstract = We formalize differential dynamic logic, a logic for proving properties of hybrid systems. The proof calculus in this formalization is based on the uniform substitution principle. We show it is sound with respect to our denotational semantics, which provides increased confidence in the correctness of the KeYmaera X theorem prover based on this calculus. As an application, we include a proof term checker embedded in Isabelle/HOL with several example proofs. Published in: Brandon Bohrer, Vincent Rahli, Ivana Vukotic, Marcus Völp, André Platzer: Formally verified differential dynamic logic. CPP 2017. [Elliptic_Curves_Group_Law] title = The Group Law for Elliptic Curves author = Stefan Berghofer topic = Computer Science/Security/Cryptography date = 2017-02-28 notify = berghofe@in.tum.de abstract = We prove the group law for elliptic curves in Weierstrass form over fields of characteristic greater than 2. In addition to affine coordinates, we also formalize projective coordinates, which allow for more efficient computations. By specializing the abstract formalization to prime fields, we can apply the curve operations to parameters used in standard security protocols. [Example-Submission] title = Example Submission author = Gerwin Klein topic = Mathematics/Analysis, Mathematics/Number Theory date = 2004-02-25 notify = kleing@cse.unsw.edu.au abstract = This is an example submission to the Archive of Formal Proofs. It shows submission requirements and explains the structure of a simple typical submission. extra-no-index = no-index: true [CRDT] title = A framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes author = Victor B. F. Gomes , Martin Kleppmann, Dominic P. Mulligan, Alastair R. Beresford topic = Computer Science/Algorithms/Distributed, Computer Science/Data Structures date = 2017-07-07 notify = vb358@cam.ac.uk, dominic.p.mulligan@googlemail.com abstract = In this work, we focus on the correctness of Conflict-free Replicated Data Types (CRDTs), a class of algorithm that provides strong eventual consistency guarantees for replicated data. We develop a modular and reusable framework for verifying the correctness of CRDT algorithms. We avoid correctness issues that have dogged previous mechanised proofs in this area by including a network model in our formalisation, and proving that our theorems hold in all possible network behaviours. Our axiomatic network model is a standard abstraction that accurately reflects the behaviour of real-world computer networks. Moreover, we identify an abstract convergence theorem, a property of order relations, which provides a formal definition of strong eventual consistency. We then obtain the first machine-checked correctness theorems for three concrete CRDTs: the Replicated Growable Array, the Observed-Remove Set, and an Increment-Decrement Counter. [HOLCF-Prelude] title = HOLCF-Prelude author = Joachim Breitner, Brian Huffman<>, Neil Mitchell<>, Christian Sternagel topic = Computer Science/Functional Programming date = 2017-07-15 notify = c.sternagel@gmail.com, joachim@cis.upenn.edu, hupel@in.tum.de abstract = The Isabelle/HOLCF-Prelude is a formalization of a large part of Haskell's standard prelude in Isabelle/HOLCF. We use it to prove the correctness of the Eratosthenes' Sieve, in its self-referential implementation commonly used to showcase Haskell's laziness; prove correctness of GHC's "fold/build" rule and related rewrite rules; and certify a number of hints suggested by HLint. [Decl_Sem_Fun_PL] title = Declarative Semantics for Functional Languages author = Jeremy Siek topic = Computer Science/Programming Languages date = 2017-07-21 notify = jsiek@indiana.edu abstract = We present a semantics for an applied call-by-value lambda-calculus that is compositional, extensional, and elementary. We present four different views of the semantics: 1) as a relational (big-step) semantics that is not operational but instead declarative, 2) as a denotational semantics that does not use domain theory, 3) as a non-deterministic interpreter, and 4) as a variant of the intersection type systems of the Torino group. We prove that the semantics is correct by showing that it is sound and complete with respect to operational semantics on programs and that is sound with respect to contextual equivalence. We have not yet investigated whether it is fully abstract. We demonstrate that this approach to semantics is useful with three case studies. First, we use the semantics to prove correctness of a compiler optimization that inlines function application. Second, we adapt the semantics to the polymorphic lambda-calculus extended with general recursion and prove semantic type soundness. Third, we adapt the semantics to the call-by-value lambda-calculus with mutable references.
The paper that accompanies these Isabelle theories is available on arXiv. [DynamicArchitectures] title = Dynamic Architectures author = Diego Marmsoler topic = Computer Science/System Description Languages date = 2017-07-28 notify = diego.marmsoler@tum.de abstract = The architecture of a system describes the system's overall organization into components and connections between those components. With the emergence of mobile computing, dynamic architectures have become increasingly important. In such architectures, components may appear or disappear, and connections may change over time. In the following we mechanize a theory of dynamic architectures and verify the soundness of a corresponding calculus. Therefore, we first formalize the notion of configuration traces as a model for dynamic architectures. Then, the behavior of single components is formalized in terms of behavior traces and an operator is introduced and studied to extract the behavior of a single component out of a given configuration trace. Then, behavior trace assertions are introduced as a temporal specification technique to specify behavior of components. Reasoning about component behavior in a dynamic context is formalized in terms of a calculus for dynamic architectures. Finally, the soundness of the calculus is verified by introducing an alternative interpretation for behavior trace assertions over configuration traces and proving the rules of the calculus. Since projection may lead to finite as well as infinite behavior traces, they are formalized in terms of coinductive lists. Thus, our theory is based on Lochbihler's formalization of coinductive lists. The theory may be applied to verify properties for dynamic architectures. extra-history = Change history: [2018-06-07]: adding logical operators to specify configuration traces (revision 09178f08f050)
[Stewart_Apollonius] title = Stewart's Theorem and Apollonius' Theorem author = Lukas Bulwahn topic = Mathematics/Geometry date = 2017-07-31 notify = lukas.bulwahn@gmail.com abstract = This entry formalizes the two geometric theorems, Stewart's and Apollonius' theorem. Stewart's Theorem relates the length of a triangle's cevian to the lengths of the triangle's two sides. Apollonius' Theorem is a specialisation of Stewart's theorem, restricting the cevian to be the median. The proof applies the law of cosines, some basic geometric facts about triangles and then simply transforms the terms algebraically to yield the conjectured relation. The formalization in Isabelle can closely follow the informal proofs described in the Wikipedia articles of those two theorems. [LambdaMu] title = The LambdaMu-calculus author = Cristina Matache , Victor B. F. Gomes , Dominic P. Mulligan topic = Computer Science/Programming Languages/Lambda Calculi, Logic date = 2017-08-16 notify = victorborgesfg@gmail.com, dominic.p.mulligan@googlemail.com abstract = The propositions-as-types correspondence is ordinarily presented as linking the metatheory of typed λ-calculi and the proof theory of intuitionistic logic. Griffin observed that this correspondence could be extended to classical logic through the use of control operators. This observation set off a flurry of further research, leading to the development of Parigots λμ-calculus. In this work, we formalise λμ- calculus in Isabelle/HOL and prove several metatheoretical properties such as type preservation and progress. [Orbit_Stabiliser] title = Orbit-Stabiliser Theorem with Application to Rotational Symmetries author = Jonas Rädle topic = Mathematics/Algebra date = 2017-08-20 notify = jonas.raedle@tum.de abstract = The Orbit-Stabiliser theorem is a basic result in the algebra of groups that factors the order of a group into the sizes of its orbits and stabilisers. We formalize the notion of a group action and the related concepts of orbits and stabilisers. This allows us to prove the orbit-stabiliser theorem. In the second part of this work, we formalize the tetrahedral group and use the orbit-stabiliser theorem to prove that there are twelve (orientation-preserving) rotations of the tetrahedron. [PLM] title = Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL author = Daniel Kirchner topic = Logic/Philosophy date = 2017-09-17 notify = daniel@ekpyron.org abstract =

We present an embedding of the second-order fragment of the Theory of Abstract Objects as described in Edward Zalta's upcoming work Principia Logico-Metaphysica (PLM) in the automated reasoning framework Isabelle/HOL. The Theory of Abstract Objects is a metaphysical theory that reifies property patterns, as they for example occur in the abstract reasoning of mathematics, as abstract objects and provides an axiomatic framework that allows to reason about these objects. It thereby serves as a fundamental metaphysical theory that can be used to axiomatize and describe a wide range of philosophical objects, such as Platonic forms or Leibniz' concepts, and has the ambition to function as a foundational theory of mathematics. The target theory of our embedding as described in chapters 7-9 of PLM employs a modal relational type theory as logical foundation for which a representation in functional type theory is known to be challenging.

Nevertheless we arrive at a functioning representation of the theory in the functional logic of Isabelle/HOL based on a semantical representation of an Aczel-model of the theory. Based on this representation we construct an implementation of the deductive system of PLM which allows to automatically and interactively find and verify theorems of PLM.

Our work thereby supports the concept of shallow semantical embeddings of logical systems in HOL as a universal tool for logical reasoning as promoted by Christoph Benzmüller.

The most notable result of the presented work is the discovery of a previously unknown paradox in the formulation of the Theory of Abstract Objects. The embedding of the theory in Isabelle/HOL played a vital part in this discovery. Furthermore it was possible to immediately offer several options to modify the theory to guarantee its consistency. Thereby our work could provide a significant contribution to the development of a proper grounding for object theory.

[KD_Tree] title = Multidimensional Binary Search Trees author = Martin Rau<> topic = Computer Science/Data Structures date = 2019-05-30 notify = martin.rau@tum.de, mrtnrau@googlemail.com abstract = This entry provides a formalization of multidimensional binary trees, also known as k-d trees. It includes a balanced build algorithm as well as the nearest neighbor algorithm and the range search algorithm. It is based on the papers Multidimensional binary search trees used for associative searching and An Algorithm for Finding Best Matches in Logarithmic Expected Time. [Diophantine_Eqns_Lin_Hom] title = Homogeneous Linear Diophantine Equations author = Florian Messner , Julian Parsert , Jonas Schöpf , Christian Sternagel topic = Computer Science/Algorithms, Mathematics/Number Theory, Tools license = LGPL date = 2017-10-14 notify = c.sternagel@gmail.com, julian.parsert@gmail.com abstract = We formalize the theory of homogeneous linear diophantine equations, focusing on two main results: (1) an abstract characterization of minimal complete sets of solutions, and (2) an algorithm computing them. Both, the characterization and the algorithm are based on previous work by Huet. Our starting point is a simple but inefficient variant of Huet's lexicographic algorithm incorporating improved bounds due to Clausen and Fortenbacher. We proceed by proving its soundness and completeness. Finally, we employ code equations to obtain a reasonably efficient implementation. Thus, we provide a formally verified solver for homogeneous linear diophantine equations. [Winding_Number_Eval] title = Evaluate Winding Numbers through Cauchy Indices author = Wenda Li topic = Mathematics/Analysis date = 2017-10-17 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com abstract = In complex analysis, the winding number measures the number of times a path (counterclockwise) winds around a point, while the Cauchy index can approximate how the path winds. This entry provides a formalisation of the Cauchy index, which is then shown to be related to the winding number. In addition, this entry also offers a tactic that enables users to evaluate the winding number by calculating Cauchy indices. [Count_Complex_Roots] title = Count the Number of Complex Roots author = Wenda Li topic = Mathematics/Analysis date = 2017-10-17 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com abstract = Based on evaluating Cauchy indices through remainder sequences, this entry provides an effective procedure to count the number of complex roots (with multiplicity) of a polynomial within a rectangle box or a half-plane. Potential applications of this entry include certified complex root isolation (of a polynomial) and testing the Routh-Hurwitz stability criterion (i.e., to check whether all the roots of some characteristic polynomial have negative real parts). [Buchi_Complementation] title = Büchi Complementation author = Julian Brunner topic = Computer Science/Automata and Formal Languages date = 2017-10-19 notify = brunnerj@in.tum.de abstract = This entry provides a verified implementation of rank-based Büchi Complementation. The verification is done in three steps:
  1. Definition of odd rankings and proof that an automaton rejects a word iff there exists an odd ranking for it.
  2. Definition of the complement automaton and proof that it accepts exactly those words for which there is an odd ranking.
  3. Verified implementation of the complement automaton using the Isabelle Collections Framework.
[Transition_Systems_and_Automata] title = Transition Systems and Automata author = Julian Brunner topic = Computer Science/Automata and Formal Languages date = 2017-10-19 notify = brunnerj@in.tum.de abstract = This entry provides a very abstract theory of transition systems that can be instantiated to express various types of automata. A transition system is typically instantiated by providing a set of initial states, a predicate for enabled transitions, and a transition execution function. From this, it defines the concepts of finite and infinite paths as well as the set of reachable states, among other things. Many useful theorems, from basic path manipulation rules to coinduction and run construction rules, are proven in this abstract transition system context. The library comes with instantiations for DFAs, NFAs, and Büchi automata. [Kuratowski_Closure_Complement] title = The Kuratowski Closure-Complement Theorem author = Peter Gammie , Gianpaolo Gioiosa<> topic = Mathematics/Topology date = 2017-10-26 notify = peteg42@gmail.com abstract = We discuss a topological curiosity discovered by Kuratowski (1922): the fact that the number of distinct operators on a topological space generated by compositions of closure and complement never exceeds 14, and is exactly 14 in the case of R. In addition, we prove a theorem due to Chagrov (1982) that classifies topological spaces according to the number of such operators they support. [Hybrid_Multi_Lane_Spatial_Logic] title = Hybrid Multi-Lane Spatial Logic author = Sven Linker topic = Logic date = 2017-11-06 notify = s.linker@liverpool.ac.uk abstract = We present a semantic embedding of a spatio-temporal multi-modal logic, specifically defined to reason about motorway traffic, into Isabelle/HOL. The semantic model is an abstraction of a motorway, emphasising local spatial properties, and parameterised by the types of sensors deployed in the vehicles. We use the logic to define controller constraints to ensure safety, i.e., the absence of collisions on the motorway. After proving safety with a restrictive definition of sensors, we relax these assumptions and show how to amend the controller constraints to still guarantee safety. [Dirichlet_L] title = Dirichlet L-Functions and Dirichlet's Theorem author = Manuel Eberl topic = Mathematics/Number Theory, Mathematics/Algebra date = 2017-12-21 notify = eberlm@in.tum.de abstract =

This article provides a formalisation of Dirichlet characters and Dirichlet L-functions including proofs of their basic properties – most notably their analyticity, their areas of convergence, and their non-vanishing for ℜ(s) ≥ 1. All of this is built in a very high-level style using Dirichlet series. The proof of the non-vanishing follows a very short and elegant proof by Newman, which we attempt to reproduce faithfully in a similar level of abstraction in Isabelle.

This also leads to a relatively short proof of Dirichlet’s Theorem, which states that, if h and n are coprime, there are infinitely many primes p with ph (mod n).

[Symmetric_Polynomials] title = Symmetric Polynomials author = Manuel Eberl topic = Mathematics/Algebra date = 2018-09-25 notify = eberlm@in.tum.de abstract =

A symmetric polynomial is a polynomial in variables X1,…,Xn that does not discriminate between its variables, i. e. it is invariant under any permutation of them. These polynomials are important in the study of the relationship between the coefficients of a univariate polynomial and its roots in its algebraic closure.

This article provides a definition of symmetric polynomials and the elementary symmetric polynomials e1,…,en and proofs of their basic properties, including three notable ones:

  • Vieta's formula, which gives an explicit expression for the k-th coefficient of a univariate monic polynomial in terms of its roots x1,…,xn, namely ck = (-1)n-k en-k(x1,…,xn).
  • Second, the Fundamental Theorem of Symmetric Polynomials, which states that any symmetric polynomial is itself a uniquely determined polynomial combination of the elementary symmetric polynomials.
  • Third, as a corollary of the previous two, that given a polynomial over some ring R, any symmetric polynomial combination of its roots is also in R even when the roots are not.

Both the symmetry property itself and the witness for the Fundamental Theorem are executable.

[Taylor_Models] title = Taylor Models author = Christoph Traut<>, Fabian Immler topic = Computer Science/Algorithms, Computer Science/Data Structures, Mathematics/Analysis, Mathematics/Algebra date = 2018-01-08 notify = immler@in.tum.de abstract = We present a formally verified implementation of multivariate Taylor models. Taylor models are a form of rigorous polynomial approximation, consisting of an approximation polynomial based on Taylor expansions, combined with a rigorous bound on the approximation error. Taylor models were introduced as a tool to mitigate the dependency problem of interval arithmetic. Our implementation automatically computes Taylor models for the class of elementary functions, expressed by composition of arithmetic operations and basic functions like exp, sin, or square root. [Green] title = An Isabelle/HOL formalisation of Green's Theorem author = Mohammad Abdulaziz , Lawrence C. Paulson topic = Mathematics/Analysis date = 2018-01-11 notify = mohammad.abdulaziz8@gmail.com, lp15@cam.ac.uk abstract = We formalise a statement of Green’s theorem—the first formalisation to our knowledge—in Isabelle/HOL. The theorem statement that we formalise is enough for most applications, especially in physics and engineering. Our formalisation is made possible by a novel proof that avoids the ubiquitous line integral cancellation argument. This eliminates the need to formalise orientations and region boundaries explicitly with respect to the outwards-pointing normal vector. Instead we appeal to a homological argument about equivalences between paths. [Gromov_Hyperbolicity] title = Gromov Hyperbolicity author = Sebastien Gouezel<> topic = Mathematics/Geometry date = 2018-01-16 notify = sebastien.gouezel@univ-rennes1.fr abstract = A geodesic metric space is Gromov hyperbolic if all its geodesic triangles are thin, i.e., every side is contained in a fixed thickening of the two other sides. While this definition looks innocuous, it has proved extremely important and versatile in modern geometry since its introduction by Gromov. We formalize the basic classical properties of Gromov hyperbolic spaces, notably the Morse lemma asserting that quasigeodesics are close to geodesics, the invariance of hyperbolicity under quasi-isometries, we define and study the Gromov boundary and its associated distance, and prove that a quasi-isometry between Gromov hyperbolic spaces extends to a homeomorphism of the boundaries. We also prove a less classical theorem, by Bonk and Schramm, asserting that a Gromov hyperbolic space embeds isometrically in a geodesic Gromov-hyperbolic space. As the original proof uses a transfinite sequence of Cauchy completions, this is an interesting formalization exercise. Along the way, we introduce basic material on isometries, quasi-isometries, Lipschitz maps, geodesic spaces, the Hausdorff distance, the Cauchy completion of a metric space, and the exponential on extended real numbers. [Ordered_Resolution_Prover] title = Formalization of Bachmair and Ganzinger's Ordered Resolution Prover author = Anders Schlichtkrull , Jasmin Christian Blanchette , Dmitriy Traytel , Uwe Waldmann topic = Logic date = 2018-01-18 notify = andschl@dtu.dk, j.c.blanchette@vu.nl abstract = This Isabelle/HOL formalization covers Sections 2 to 4 of Bachmair and Ganzinger's "Resolution Theorem Proving" chapter in the Handbook of Automated Reasoning. This includes soundness and completeness of unordered and ordered variants of ground resolution with and without literal selection, the standard redundancy criterion, a general framework for refutational theorem proving, and soundness and completeness of an abstract first-order prover. [BNF_Operations] title = Operations on Bounded Natural Functors author = Jasmin Christian Blanchette , Andrei Popescu , Dmitriy Traytel topic = Tools date = 2017-12-19 notify = jasmin.blanchette@gmail.com,uuomul@yahoo.com,traytel@inf.ethz.ch abstract = This entry formalizes the closure property of bounded natural functors (BNFs) under seven operations. These operations and the corresponding proofs constitute the core of Isabelle's (co)datatype package. To be close to the implemented tactics, the proofs are deliberately formulated as detailed apply scripts. The (co)datatypes together with (co)induction principles and (co)recursors are byproducts of the fixpoint operations LFP and GFP. Composition of BNFs is subdivided into four simpler operations: Compose, Kill, Lift, and Permute. The N2M operation provides mutual (co)induction principles and (co)recursors for nested (co)datatypes. [LLL_Basis_Reduction] title = A verified LLL algorithm author = Ralph Bottesch <>, Jose Divasón , Maximilian Haslbeck <>, Sebastiaan Joosten , René Thiemann , Akihisa Yamada<> topic = Computer Science/Algorithms, Mathematics/Algebra date = 2018-02-02 notify = ralph.bottesch@uibk.ac.at, jose.divason@unirioja.es, maximilian.haslbeck@uibk.ac.at, s.j.c.joosten@utwente.nl, rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp abstract = The Lenstra-Lenstra-Lovász basis reduction algorithm, also known as LLL algorithm, is an algorithm to find a basis with short, nearly orthogonal vectors of an integer lattice. Thereby, it can also be seen as an approximation to solve the shortest vector problem (SVP), which is an NP-hard problem, where the approximation quality solely depends on the dimension of the lattice, but not the lattice itself. The algorithm also possesses many applications in diverse fields of computer science, from cryptanalysis to number theory, but it is specially well-known since it was used to implement the first polynomial-time algorithm to factor polynomials. In this work we present the first mechanized soundness proof of the LLL algorithm to compute short vectors in lattices. The formalization follows a textbook by von zur Gathen and Gerhard. extra-history = Change history: [2018-04-16]: Integrated formal complexity bounds (Haslbeck, Thiemann) [2018-05-25]: Integrated much faster LLL implementation based on integer arithmetic (Bottesch, Haslbeck, Thiemann) [LLL_Factorization] title = A verified factorization algorithm for integer polynomials with polynomial complexity author = Jose Divasón , Sebastiaan Joosten , René Thiemann , Akihisa Yamada topic = Mathematics/Algebra date = 2018-02-06 notify = jose.divason@unirioja.es, s.j.c.joosten@utwente.nl, rene.thiemann@uibk.ac.at, ayamada@trs.cm.is.nagoya-u.ac.jp abstract = Short vectors in lattices and factors of integer polynomials are related. Each factor of an integer polynomial belongs to a certain lattice. When factoring polynomials, the condition that we are looking for an irreducible polynomial means that we must look for a small element in a lattice, which can be done by a basis reduction algorithm. In this development we formalize this connection and thereby one main application of the LLL basis reduction algorithm: an algorithm to factor square-free integer polynomials which runs in polynomial time. The work is based on our previous Berlekamp–Zassenhaus development, where the exponential reconstruction phase has been replaced by the polynomial-time basis reduction algorithm. Thanks to this formalization we found a serious flaw in a textbook. [Treaps] title = Treaps author = Maximilian Haslbeck , Manuel Eberl , Tobias Nipkow topic = Computer Science/Data Structures date = 2018-02-06 notify = eberlm@in.tum.de abstract =

A Treap is a binary tree whose nodes contain pairs consisting of some payload and an associated priority. It must have the search-tree property w.r.t. the payloads and the heap property w.r.t. the priorities. Treaps are an interesting data structure that is related to binary search trees (BSTs) in the following way: if one forgets all the priorities of a treap, the resulting BST is exactly the same as if one had inserted the elements into an empty BST in order of ascending priority. This means that a treap behaves like a BST where we can pretend the elements were inserted in a different order from the one in which they were actually inserted.

In particular, by choosing these priorities at random upon insertion of an element, we can pretend that we inserted the elements in random order, so that the shape of the resulting tree is that of a random BST no matter in what order we insert the elements. This is the main result of this formalisation.

[Hoare_Time] title = Hoare Logics for Time Bounds author = Maximilian P. L. Haslbeck , Tobias Nipkow topic = Computer Science/Programming Languages/Logics date = 2018-02-26 notify = haslbema@in.tum.de abstract = We study three different Hoare logics for reasoning about time bounds of imperative programs and formalize them in Isabelle/HOL: a classical Hoare like logic due to Nielson, a logic with potentials due to Carbonneaux et al. and a separation logic following work by Atkey, Chaguérand and Pottier. These logics are formally shown to be sound and complete. Verification condition generators are developed and are shown sound and complete too. We also consider variants of the systems where we abstract from multiplicative constants in the running time bounds, thus supporting a big-O style of reasoning. Finally we compare the expressive power of the three systems. [Architectural_Design_Patterns] title = A Theory of Architectural Design Patterns author = Diego Marmsoler topic = Computer Science/System Description Languages date = 2018-03-01 notify = diego.marmsoler@tum.de abstract = The following document formalizes and verifies several architectural design patterns. Each pattern specification is formalized in terms of a locale where the locale assumptions correspond to the assumptions which a pattern poses on an architecture. Thus, pattern specifications may build on top of each other by interpreting the corresponding locale. A pattern is verified using the framework provided by the AFP entry Dynamic Architectures. Currently, the document consists of formalizations of 4 different patterns: the singleton, the publisher subscriber, the blackboard pattern, and the blockchain pattern. Thereby, the publisher component of the publisher subscriber pattern is modeled as an instance of the singleton pattern and the blackboard pattern is modeled as an instance of the publisher subscriber pattern. In general, this entry provides the first steps towards an overall theory of architectural design patterns. extra-history = Change history: [2018-05-25]: changing the major assumption for blockchain architectures from alternative minings to relative mining frequencies (revision 5043c5c71685)
[2019-04-08]: adapting the terminology: honest instead of trusted, dishonest instead of untrusted (revision 7af3431a22ae) [Weight_Balanced_Trees] title = Weight-Balanced Trees author = Tobias Nipkow , Stefan Dirix<> topic = Computer Science/Data Structures date = 2018-03-13 notify = nipkow@in.tum.de abstract = This theory provides a verified implementation of weight-balanced trees following the work of Hirai and Yamamoto who proved that all parameters in a certain range are valid, i.e. guarantee that insertion and deletion preserve weight-balance. Instead of a general theorem we provide parameterized proofs of preservation of the invariant that work for many (all?) valid parameters. [Fishburn_Impossibility] title = The Incompatibility of Fishburn-Strategyproofness and Pareto-Efficiency author = Felix Brandt , Manuel Eberl , Christian Saile , Christian Stricker topic = Mathematics/Economics date = 2018-03-22 notify = eberlm@in.tum.de abstract =

This formalisation contains the proof that there is no anonymous Social Choice Function for at least three agents and alternatives that fulfils both Pareto-Efficiency and Fishburn-Strategyproofness. It was derived from a proof of Brandt et al., which relies on an unverified translation of a fixed finite instance of the original problem to SAT. This Isabelle proof contains a machine-checked version of both the statement for exactly three agents and alternatives and the lifting to the general case.

[BNF_CC] title = Bounded Natural Functors with Covariance and Contravariance author = Andreas Lochbihler , Joshua Schneider topic = Computer Science/Functional Programming, Tools date = 2018-04-24 notify = mail@andreas-lochbihler.de, joshua.schneider@inf.ethz.ch abstract = Bounded natural functors (BNFs) provide a modular framework for the construction of (co)datatypes in higher-order logic. Their functorial operations, the mapper and relator, are restricted to a subset of the parameters, namely those where recursion can take place. For certain applications, such as free theorems, data refinement, quotients, and generalised rewriting, it is desirable that these operations do not ignore the other parameters. In this article, we formalise the generalisation BNFCC that extends the mapper and relator to covariant and contravariant parameters. We show that
  1. BNFCCs are closed under functor composition and least and greatest fixpoints,
  2. subtypes inherit the BNFCC structure under conditions that generalise those for the BNF case, and
  3. BNFCCs preserve quotients under mild conditions.
These proofs are carried out for abstract BNFCCs similar to the AFP entry BNF Operations. In addition, we apply the BNFCC theory to several concrete functors. [Modular_Assembly_Kit_Security] title = An Isabelle/HOL Formalization of the Modular Assembly Kit for Security Properties author = Oliver Bračevac , Richard Gay , Sylvia Grewe , Heiko Mantel , Henning Sudbrock , Markus Tasch topic = Computer Science/Security date = 2018-05-07 notify = tasch@mais.informatik.tu-darmstadt.de abstract = The "Modular Assembly Kit for Security Properties" (MAKS) is a framework for both the definition and verification of possibilistic information-flow security properties at the specification-level. MAKS supports the uniform representation of a wide range of possibilistic information-flow properties and provides support for the verification of such properties via unwinding results and compositionality results. We provide a formalization of this framework in Isabelle/HOL. [AxiomaticCategoryTheory] title = Axiom Systems for Category Theory in Free Logic author = Christoph Benzmüller , Dana Scott topic = Mathematics/Category Theory date = 2018-05-23 notify = c.benzmueller@gmail.com abstract = This document provides a concise overview on the core results of our previous work on the exploration of axioms systems for category theory. Extending the previous studies (http://arxiv.org/abs/1609.01493) we include one further axiomatic theory in our experiments. This additional theory has been suggested by Mac Lane in 1948. We show that the axioms proposed by Mac Lane are equivalent to the ones we studied before, which includes an axioms set suggested by Scott in the 1970s and another axioms set proposed by Freyd and Scedrov in 1990, which we slightly modified to remedy a minor technical issue. [OpSets] title = OpSets: Sequential Specifications for Replicated Datatypes author = Martin Kleppmann , Victor B. F. Gomes , Dominic P. Mulligan , Alastair R. Beresford topic = Computer Science/Algorithms/Distributed, Computer Science/Data Structures date = 2018-05-10 notify = vb358@cam.ac.uk abstract = We introduce OpSets, an executable framework for specifying and reasoning about the semantics of replicated datatypes that provide eventual consistency in a distributed system, and for mechanically verifying algorithms that implement these datatypes. Our approach is simple but expressive, allowing us to succinctly specify a variety of abstract datatypes, including maps, sets, lists, text, graphs, trees, and registers. Our datatypes are also composable, enabling the construction of complex data structures. To demonstrate the utility of OpSets for analysing replication algorithms, we highlight an important correctness property for collaborative text editing that has traditionally been overlooked; algorithms that do not satisfy this property can exhibit awkward interleaving of text. We use OpSets to specify this correctness property and prove that although one existing replication algorithm satisfies this property, several other published algorithms do not. [Irrationality_J_Hancl] title = Irrational Rapidly Convergent Series author = Angeliki Koutsoukou-Argyraki , Wenda Li topic = Mathematics/Number Theory, Mathematics/Analysis date = 2018-05-23 notify = ak2110@cam.ac.uk, wl302@cam.ac.uk abstract = We formalize with Isabelle/HOL a proof of a theorem by J. Hancl asserting the irrationality of the sum of a series consisting of rational numbers, built up by sequences that fulfill certain properties. Even though the criterion is a number theoretic result, the proof makes use only of analytical arguments. We also formalize a corollary of the theorem for a specific series fulfilling the assumptions of the theorem. [Optimal_BST] title = Optimal Binary Search Trees author = Tobias Nipkow , Dániel Somogyi <> topic = Computer Science/Algorithms, Computer Science/Data Structures date = 2018-05-27 notify = nipkow@in.tum.de abstract = This article formalizes recursive algorithms for the construction of optimal binary search trees given fixed access frequencies. We follow Knuth (1971), Yao (1980) and Mehlhorn (1984). The algorithms are memoized with the help of the AFP article Monadification, Memoization and Dynamic Programming, thus yielding dynamic programming algorithms. [Projective_Geometry] title = Projective Geometry author = Anthony Bordg topic = Mathematics/Geometry date = 2018-06-14 notify = apdb3@cam.ac.uk abstract = We formalize the basics of projective geometry. In particular, we give a proof of the so-called Hessenberg's theorem in projective plane geometry. We also provide a proof of the so-called Desargues's theorem based on an axiomatization of (higher) projective space geometry using the notion of rank of a matroid. This last approach allows to handle incidence relations in an homogeneous way dealing only with points and without the need of talking explicitly about lines, planes or any higher entity. [Localization_Ring] title = The Localization of a Commutative Ring author = Anthony Bordg topic = Mathematics/Algebra date = 2018-06-14 notify = apdb3@cam.ac.uk abstract = We formalize the localization of a commutative ring R with respect to a multiplicative subset (i.e. a submonoid of R seen as a multiplicative monoid). This localization is itself a commutative ring and we build the natural homomorphism of rings from R to its localization. [Minsky_Machines] title = Minsky Machines author = Bertram Felgenhauer<> topic = Logic date = 2018-08-14 notify = int-e@gmx.de abstract =

We formalize undecidablity results for Minsky machines. To this end, we also formalize recursive inseparability.

We start by proving that Minsky machines can compute arbitrary primitive recursive and recursive functions. We then show that there is a deterministic Minsky machine with one argument and two final states such that the set of inputs that are accepted in one state is recursively inseparable from the set of inputs that are accepted in the other state.

As a corollary, the set of Minsky configurations that reach the first state but not the second recursively inseparable from the set of Minsky configurations that reach the second state but not the first. In particular both these sets are undecidable.

We do not prove that recursive functions can simulate Minsky machines.

[Neumann_Morgenstern_Utility] title = Von-Neumann-Morgenstern Utility Theorem author = Julian Parsert, Cezary Kaliszyk topic = Mathematics/Economics license = LGPL date = 2018-07-04 notify = julian.parsert@uibk.ac.at, cezary.kaliszyk@uibk.ac.at abstract = Utility functions form an essential part of game theory and economics. In order to guarantee the existence of utility functions most of the time sufficient properties are assumed in an axiomatic manner. One famous and very common set of such assumptions is that of expected utility theory. Here, the rationality, continuity, and independence of preferences is assumed. The von-Neumann-Morgenstern Utility theorem shows that these assumptions are necessary and sufficient for an expected utility function to exists. This theorem was proven by Neumann and Morgenstern in ``Theory of Games and Economic Behavior'' which is regarded as one of the most influential works in game theory. The formalization includes formal definitions of the underlying concepts including continuity and independence of preferences. [Simplex] title = An Incremental Simplex Algorithm with Unsatisfiable Core Generation author = Filip Marić , Mirko Spasić , René Thiemann topic = Computer Science/Algorithms date = 2018-08-24 notify = rene.thiemann@uibk.ac.at abstract = We present an Isabelle/HOL formalization and total correctness proof for the incremental version of the Simplex algorithm which is used in most state-of-the-art SMT solvers. It supports extraction of satisfying assignments, extraction of minimal unsatisfiable cores, incremental assertion of constraints and backtracking. The formalization relies on stepwise program refinement, starting from a simple specification, going through a number of refinement steps, and ending up in a fully executable functional implementation. Symmetries present in the algorithm are handled with special care. [Budan_Fourier] title = The Budan-Fourier Theorem and Counting Real Roots with Multiplicity author = Wenda Li topic = Mathematics/Analysis date = 2018-09-02 notify = wl302@cam.ac.uk, liwenda1990@hotmail.com abstract = This entry is mainly about counting and approximating real roots (of a polynomial) with multiplicity. We have first formalised the Budan-Fourier theorem: given a polynomial with real coefficients, we can calculate sign variations on Fourier sequences to over-approximate the number of real roots (counting multiplicity) within an interval. When all roots are known to be real, the over-approximation becomes tight: we can utilise this theorem to count real roots exactly. It is also worth noting that Descartes' rule of sign is a direct consequence of the Budan-Fourier theorem, and has been included in this entry. In addition, we have extended previous formalised Sturm's theorem to count real roots with multiplicity, while the original Sturm's theorem only counts distinct real roots. Compared to the Budan-Fourier theorem, our extended Sturm's theorem always counts roots exactly but may suffer from greater computational cost. [Quaternions] title = Quaternions author = Lawrence C. Paulson topic = Mathematics/Algebra, Mathematics/Geometry date = 2018-09-05 notify = lp15@cam.ac.uk abstract = This theory is inspired by the HOL Light development of quaternions, but follows its own route. Quaternions are developed coinductively, as in the existing formalisation of the complex numbers. Quaternions are quickly shown to belong to the type classes of real normed division algebras and real inner product spaces. And therefore they inherit a great body of facts involving algebraic laws, limits, continuity, etc., which must be proved explicitly in the HOL Light version. The development concludes with the geometric interpretation of the product of imaginary quaternions. [Octonions] title = Octonions author = Angeliki Koutsoukou-Argyraki topic = Mathematics/Algebra, Mathematics/Geometry date = 2018-09-14 notify = ak2110@cam.ac.uk abstract = We develop the basic theory of Octonions, including various identities and properties of the octonions and of the octonionic product, a description of 7D isometries and representations of orthogonal transformations. To this end we first develop the theory of the vector cross product in 7 dimensions. The development of the theory of Octonions is inspired by that of the theory of Quaternions by Lawrence Paulson. However, we do not work within the type class real_algebra_1 because the octonionic product is not associative. [Aggregation_Algebras] title = Aggregation Algebras author = Walter Guttmann topic = Mathematics/Algebra date = 2018-09-15 notify = walter.guttmann@canterbury.ac.nz abstract = We develop algebras for aggregation and minimisation for weight matrices and for edge weights in graphs. We verify the correctness of Prim's and Kruskal's minimum spanning tree algorithms based on these algebras. We also show numerous instances of these algebras based on linearly ordered commutative semigroups. [Prime_Number_Theorem] title = The Prime Number Theorem author = Manuel Eberl , Lawrence C. Paulson topic = Mathematics/Number Theory date = 2018-09-19 notify = eberlm@in.tum.de abstract =

This article provides a short proof of the Prime Number Theorem in several equivalent forms, most notably π(x) ~ x/ln x where π(x) is the number of primes no larger than x. It also defines other basic number-theoretic functions related to primes like Chebyshev's functions ϑ and ψ and the “n-th prime number” function pn. We also show various bounds and relationship between these functions are shown. Lastly, we derive Mertens' First and Second Theorem, i. e. ∑px ln p/p = ln x + O(1) and ∑px 1/p = ln ln x + M + O(1/ln x). We also give explicit bounds for the remainder terms.

The proof of the Prime Number Theorem builds on a library of Dirichlet series and analytic combinatorics. We essentially follow the presentation by Newman. The core part of the proof is a Tauberian theorem for Dirichlet series, which is proven using complex analysis and then used to strengthen Mertens' First Theorem to ∑px ln p/p = ln x + c + o(1).

A variant of this proof has been formalised before by Harrison in HOL Light, and formalisations of Selberg's elementary proof exist both by Avigad et al. in Isabelle and by Carneiro in Metamath. The advantage of the analytic proof is that, while it requires more powerful mathematical tools, it is considerably shorter and clearer. This article attempts to provide a short and clear formalisation of all components of that proof using the full range of mathematical machinery available in Isabelle, staying as close as possible to Newman's simple paper proof.

[Signature_Groebner] title = Signature-Based Gröbner Basis Algorithms author = Alexander Maletzky topic = Mathematics/Algebra, Computer Science/Algorithms date = 2018-09-20 notify = alexander.maletzky@risc.jku.at abstract =

This article formalizes signature-based algorithms for computing Gröbner bases. Such algorithms are, in general, superior to other algorithms in terms of efficiency, and have not been formalized in any proof assistant so far. The present development is both generic, in the sense that most known variants of signature-based algorithms are covered by it, and effectively executable on concrete input thanks to Isabelle's code generator. Sample computations of benchmark problems show that the verified implementation of signature-based algorithms indeed outperforms the existing implementation of Buchberger's algorithm in Isabelle/HOL.

Besides total correctness of the algorithms, the article also proves that under certain conditions they a-priori detect and avoid all useless zero-reductions, and always return 'minimal' (in some sense) Gröbner bases if an input parameter is chosen in the right way.

The formalization follows the recent survey article by Eder and Faugère.

[Factored_Transition_System_Bounding] title = Upper Bounding Diameters of State Spaces of Factored Transition Systems author = Friedrich Kurz <>, Mohammad Abdulaziz topic = Computer Science/Automata and Formal Languages, Mathematics/Graph Theory date = 2018-10-12 notify = friedrich.kurz@tum.de, mohammad.abdulaziz@in.tum.de abstract = A completeness threshold is required to guarantee the completeness of planning as satisfiability, and bounded model checking of safety properties. One valid completeness threshold is the diameter of the underlying transition system. The diameter is the maximum element in the set of lengths of all shortest paths between pairs of states. The diameter is not calculated exactly in our setting, where the transition system is succinctly described using a (propositionally) factored representation. Rather, an upper bound on the diameter is calculated compositionally, by bounding the diameters of small abstract subsystems, and then composing those. We port a HOL4 formalisation of a compositional algorithm for computing a relatively tight upper bound on the system diameter. This compositional algorithm exploits acyclicity in the state space to achieve compositionality, and it was introduced by Abdulaziz et. al. The formalisation that we port is described as a part of another paper by Abdulaziz et. al. As a part of this porting we developed a libray about transition systems, which shall be of use in future related mechanisation efforts. [Smooth_Manifolds] title = Smooth Manifolds author = Fabian Immler , Bohua Zhan topic = Mathematics/Analysis, Mathematics/Topology date = 2018-10-22 notify = immler@in.tum.de, bzhan@ios.ac.cn abstract = We formalize the definition and basic properties of smooth manifolds in Isabelle/HOL. Concepts covered include partition of unity, tangent and cotangent spaces, and the fundamental theorem of path integrals. We also examine some concrete manifolds such as spheres and projective spaces. The formalization makes extensive use of the analysis and linear algebra libraries in Isabelle/HOL, in particular its “types-to-sets” mechanism. [Matroids] title = Matroids author = Jonas Keinholz<> topic = Mathematics/Combinatorics date = 2018-11-16 notify = eberlm@in.tum.de abstract =

This article defines the combinatorial structures known as Independence Systems and Matroids and provides basic concepts and theorems related to them. These structures play an important role in combinatorial optimisation, e. g. greedy algorithms such as Kruskal's algorithm. The development is based on Oxley's `What is a Matroid?'.

[Graph_Saturation] title = Graph Saturation author = Sebastiaan J. C. Joosten<> topic = Logic/Rewriting, Mathematics/Graph Theory date = 2018-11-23 notify = sjcjoosten@gmail.com abstract = This is an Isabelle/HOL formalisation of graph saturation, closely following a paper by the author on graph saturation. Nine out of ten lemmas of the original paper are proven in this formalisation. The formalisation additionally includes two theorems that show the main premise of the paper: that consistency and entailment are decided through graph saturation. This formalisation does not give executable code, and it did not implement any of the optimisations suggested in the paper. [Functional_Ordered_Resolution_Prover] title = A Verified Functional Implementation of Bachmair and Ganzinger's Ordered Resolution Prover author = Anders Schlichtkrull , Jasmin Christian Blanchette , Dmitriy Traytel topic = Logic date = 2018-11-23 notify = andschl@dtu.dk,j.c.blanchette@vu.nl,traytel@inf.ethz.ch abstract = This Isabelle/HOL formalization refines the abstract ordered resolution prover presented in Section 4.3 of Bachmair and Ganzinger's "Resolution Theorem Proving" chapter in the Handbook of Automated Reasoning. The result is a functional implementation of a first-order prover. [Auto2_HOL] title = Auto2 Prover author = Bohua Zhan topic = Tools date = 2018-11-20 notify = bzhan@ios.ac.cn abstract = Auto2 is a saturation-based heuristic prover for higher-order logic, implemented as a tactic in Isabelle. This entry contains the instantiation of auto2 for Isabelle/HOL, along with two basic examples: solutions to some of the Pelletier’s problems, and elementary number theory of primes. [Order_Lattice_Props] title = Properties of Orderings and Lattices author = Georg Struth topic = Mathematics/Order date = 2018-12-11 notify = g.struth@sheffield.ac.uk abstract = These components add further fundamental order and lattice-theoretic concepts and properties to Isabelle's libraries. They follow by and large the introductory sections of the Compendium of Continuous Lattices, covering directed and filtered sets, down-closed and up-closed sets, ideals and filters, Galois connections, closure and co-closure operators. Some emphasis is on duality and morphisms between structures, as in the Compendium. To this end, three ad-hoc approaches to duality are compared. [Quantales] title = Quantales author = Georg Struth topic = Mathematics/Algebra date = 2018-12-11 notify = g.struth@sheffield.ac.uk abstract = These mathematical components formalise basic properties of quantales, together with some important models, constructions, and concepts, including quantic nuclei and conuclei. [Transformer_Semantics] title = Transformer Semantics author = Georg Struth topic = Mathematics/Algebra, Computer Science/Semantics date = 2018-12-11 notify = g.struth@sheffield.ac.uk abstract = These mathematical components formalise predicate transformer semantics for programs, yet currently only for partial correctness and in the absence of faults. A first part for isotone (or monotone), Sup-preserving and Inf-preserving transformers follows Back and von Wright's approach, with additional emphasis on the quantalic structure of algebras of transformers. The second part develops Sup-preserving and Inf-preserving predicate transformers from the powerset monad, via its Kleisli category and Eilenberg-Moore algebras, with emphasis on adjunctions and dualities, as well as isomorphisms between relations, state transformers and predicate transformers. [Concurrent_Revisions] title = Formalization of Concurrent Revisions author = Roy Overbeek topic = Computer Science/Concurrency date = 2018-12-25 notify = Roy.Overbeek@cwi.nl abstract = Concurrent revisions is a concurrency control model developed by Microsoft Research. It has many interesting properties that distinguish it from other well-known models such as transactional memory. One of these properties is determinacy: programs written within the model always produce the same outcome, independent of scheduling activity. The concurrent revisions model has an operational semantics, with an informal proof of determinacy. This document contains an Isabelle/HOL formalization of this semantics and the proof of determinacy. [Core_DOM] title = A Formal Model of the Document Object Model author = Achim D. Brucker , Michael Herzberg topic = Computer Science/Data Structures date = 2018-12-26 notify = adbrucker@0x5f.org abstract = In this AFP entry, we formalize the core of the Document Object Model (DOM). At its core, the DOM defines a tree-like data structure for representing documents in general and HTML documents in particular. It is the heart of any modern web browser. Formalizing the key concepts of the DOM is a prerequisite for the formal reasoning over client-side JavaScript programs and for the analysis of security concepts in modern web browsers. We present a formalization of the core DOM, with focus on the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is 1) extensible, i.e., can be extended without the need of re-proving already proven properties and 2) executable, i.e., we can generate executable code from our specification. [Store_Buffer_Reduction] title = A Reduction Theorem for Store Buffers author = Ernie Cohen , Norbert Schirmer topic = Computer Science/Concurrency date = 2019-01-07 notify = norbert.schirmer@web.de abstract = When verifying a concurrent program, it is usual to assume that memory is sequentially consistent. However, most modern multiprocessors depend on store buffering for efficiency, and provide native sequential consistency only at a substantial performance penalty. To regain sequential consistency, a programmer has to follow an appropriate programming discipline. However, naïve disciplines, such as protecting all shared accesses with locks, are not flexible enough for building high-performance multiprocessor software. We present a new discipline for concurrent programming under TSO (total store order, with store buffer forwarding). It does not depend on concurrency primitives, such as locks. Instead, threads use ghost operations to acquire and release ownership of memory addresses. A thread can write to an address only if no other thread owns it, and can read from an address only if it owns it or it is shared and the thread has flushed its store buffer since it last wrote to an address it did not own. This discipline covers both coarse-grained concurrency (where data is protected by locks) as well as fine-grained concurrency (where atomic operations race to memory). We formalize this discipline in Isabelle/HOL, and prove that if every execution of a program in a system without store buffers follows the discipline, then every execution of the program with store buffers is sequentially consistent. Thus, we can show sequential consistency under TSO by ordinary assertional reasoning about the program, without having to consider store buffers at all. [IMP2] title = IMP2 – Simple Program Verification in Isabelle/HOL author = Peter Lammich , Simon Wimmer topic = Computer Science/Programming Languages/Logics, Computer Science/Algorithms date = 2019-01-15 notify = lammich@in.tum.de abstract = IMP2 is a simple imperative language together with Isabelle tooling to create a program verification environment in Isabelle/HOL. The tools include a C-like syntax, a verification condition generator, and Isabelle commands for the specification of programs. The framework is modular, i.e., it allows easy reuse of already proved programs within larger programs. This entry comes with a quickstart guide and a large collection of examples, spanning basic algorithms with simple proofs to more advanced algorithms and proof techniques like data refinement. Some highlights from the examples are:
  • Bisection Square Root,
  • Extended Euclid,
  • Exponentiation by Squaring,
  • Binary Search,
  • Insertion Sort,
  • Quicksort,
  • Depth First Search.
The abstract syntax and semantics are very simple and well-documented. They are suitable to be used in a course, as extension to the IMP language which comes with the Isabelle distribution. While this entry is limited to a simple imperative language, the ideas could be extended to more sophisticated languages. [Farkas] title = Farkas' Lemma and Motzkin's Transposition Theorem author = Ralph Bottesch , Max W. Haslbeck , René Thiemann topic = Mathematics/Algebra date = 2019-01-17 notify = rene.thiemann@uibk.ac.at abstract = We formalize a proof of Motzkin's transposition theorem and Farkas' lemma in Isabelle/HOL. Our proof is based on the formalization of the simplex algorithm which, given a set of linear constraints, either returns a satisfying assignment to the problem or detects unsatisfiability. By reusing facts about the simplex algorithm we show that a set of linear constraints is unsatisfiable if and only if there is a linear combination of the constraints which evaluates to a trivially unsatisfiable inequality. [Auto2_Imperative_HOL] title = Verifying Imperative Programs using Auto2 author = Bohua Zhan topic = Computer Science/Algorithms, Computer Science/Data Structures date = 2018-12-21 notify = bzhan@ios.ac.cn abstract = This entry contains the application of auto2 to verifying functional and imperative programs. Algorithms and data structures that are verified include linked lists, binary search trees, red-black trees, interval trees, priority queue, quicksort, union-find, Dijkstra's algorithm, and a sweep-line algorithm for detecting rectangle intersection. The imperative verification is based on Imperative HOL and its separation logic framework. A major goal of this work is to set up automation in order to reduce the length of proof that the user needs to provide, both for verifying functional programs and for working with separation logic. [UTP] title = Isabelle/UTP: Mechanised Theory Engineering for Unifying Theories of Programming author = Simon Foster , Frank Zeyda<>, Yakoub Nemouchi , Pedro Ribeiro<>, Burkhart Wolff topic = Computer Science/Programming Languages/Logics date = 2019-02-01 notify = simon.foster@york.ac.uk abstract = Isabelle/UTP is a mechanised theory engineering toolkit based on Hoare and He’s Unifying Theories of Programming (UTP). UTP enables the creation of denotational, algebraic, and operational semantics for different programming languages using an alphabetised relational calculus. We provide a semantic embedding of the alphabetised relational calculus in Isabelle/HOL, including new type definitions, relational constructors, automated proof tactics, and accompanying algebraic laws. Isabelle/UTP can be used to both capture laws of programming for different languages, and put these fundamental theorems to work in the creation of associated verification tools, using calculi like Hoare logics. This document describes the relational core of the UTP in Isabelle/HOL. [HOL-CSP] title = HOL-CSP Version 2.0 author = Safouan Taha , Lina Ye , Burkhart Wolff topic = Computer Science/Concurrency/Process Calculi, Computer Science/Semantics date = 2019-04-26 notify = wolff@lri.fr abstract = This is a complete formalization of the work of Hoare and Roscoe on the denotational semantics of the Failure/Divergence Model of CSP. It follows essentially the presentation of CSP in Roscoe’s Book ”Theory and Practice of Concurrency” [8] and the semantic details in a joint Paper of Roscoe and Brooks ”An improved failures model for communicating processes". The present work is based on a prior formalization attempt, called HOL-CSP 1.0, done in 1997 by H. Tej and B. Wolff with the Isabelle proof technology available at that time. This work revealed minor, but omnipresent foundational errors in key concepts like the process invariant. The present version HOL-CSP profits from substantially improved libraries (notably HOLCF), improved automated proof techniques, and structured proof techniques in Isar and is substantially shorter but more complete. [Probabilistic_Prime_Tests] title = Probabilistic Primality Testing author = Daniel Stüwe<>, Manuel Eberl topic = Mathematics/Number Theory date = 2019-02-11 notify = eberlm@in.tum.de abstract =

The most efficient known primality tests are probabilistic in the sense that they use randomness and may, with some probability, mistakenly classify a composite number as prime – but never a prime number as composite. Examples of this are the Miller–Rabin test, the Solovay–Strassen test, and (in most cases) Fermat's test.

This entry defines these three tests and proves their correctness. It also develops some of the number-theoretic foundations, such as Carmichael numbers and the Jacobi symbol with an efficient executable algorithm to compute it.

[Kruskal] title = Kruskal's Algorithm for Minimum Spanning Forest author = Maximilian P.L. Haslbeck , Peter Lammich , Julian Biendarra<> topic = Computer Science/Algorithms date = 2019-02-14 notify = haslbema@in.tum.de, lammich@in.tum.de abstract = This Isabelle/HOL formalization defines a greedy algorithm for finding a minimum weight basis on a weighted matroid and proves its correctness. This algorithm is an abstract version of Kruskal's algorithm. We interpret the abstract algorithm for the cycle matroid (i.e. forests in a graph) and refine it to imperative executable code using an efficient union-find data structure. Our formalization can be instantiated for different graph representations. We provide instantiations for undirected graphs and symmetric directed graphs. [List_Inversions] title = The Inversions of a List author = Manuel Eberl topic = Computer Science/Algorithms date = 2019-02-01 notify = eberlm@in.tum.de abstract =

This entry defines the set of inversions of a list, i.e. the pairs of indices that violate sortedness. It also proves the correctness of the well-known O(n log n) divide-and-conquer algorithm to compute the number of inversions.

[Prime_Distribution_Elementary] title = Elementary Facts About the Distribution of Primes author = Manuel Eberl topic = Mathematics/Number Theory date = 2019-02-21 notify = eberlm@in.tum.de abstract =

This entry is a formalisation of Chapter 4 (and parts of Chapter 3) of Apostol's Introduction to Analytic Number Theory. The main topics that are addressed are properties of the distribution of prime numbers that can be shown in an elementary way (i. e. without the Prime Number Theorem), the various equivalent forms of the PNT (which imply each other in elementary ways), and consequences that follow from the PNT in elementary ways. The latter include, most notably, asymptotic bounds for the number of distinct prime factors of n, the divisor function d(n), Euler's totient function φ(n), and lcm(1,…,n).

[Safe_OCL] title = Safe OCL author = Denis Nikiforov <> topic = Computer Science/Programming Languages/Language Definitions license = LGPL date = 2019-03-09 notify = denis.nikif@gmail.com abstract =

The theory is a formalization of the OCL type system, its abstract syntax and expression typing rules. The theory does not define a concrete syntax and a semantics. In contrast to Featherweight OCL, it is based on a deep embedding approach. The type system is defined from scratch, it is not based on the Isabelle HOL type system.

The Safe OCL distincts nullable and non-nullable types. Also the theory gives a formal definition of safe navigation operations. The Safe OCL typing rules are much stricter than rules given in the OCL specification. It allows one to catch more errors on a type checking phase.

The type theory presented is four-layered: classes, basic types, generic types, errorable types. We introduce the following new types: non-nullable types (T[1]), nullable types (T[?]), OclSuper. OclSuper is a supertype of all other types (basic types, collections, tuples). This type allows us to define a total supremum function, so types form an upper semilattice. It allows us to define rich expression typing rules in an elegant manner.

The Preliminaries Chapter of the theory defines a number of helper lemmas for transitive closures and tuples. It defines also a generic object model independent from OCL. It allows one to use the theory as a reference for formalization of analogous languages.

[QHLProver] title = Quantum Hoare Logic author = Junyi Liu<>, Bohua Zhan , Shuling Wang<>, Shenggang Ying<>, Tao Liu<>, Yangjia Li<>, Mingsheng Ying<>, Naijun Zhan<> topic = Computer Science/Programming Languages/Logics, Computer Science/Semantics date = 2019-03-24 notify = bzhan@ios.ac.cn abstract = We formalize quantum Hoare logic as given in [1]. In particular, we specify the syntax and denotational semantics of a simple model of quantum programs. Then, we write down the rules of quantum Hoare logic for partial correctness, and show the soundness and completeness of the resulting proof system. As an application, we verify the correctness of Grover’s algorithm. [Transcendence_Series_Hancl_Rucki] title = The Transcendence of Certain Infinite Series author = Angeliki Koutsoukou-Argyraki , Wenda Li topic = Mathematics/Analysis, Mathematics/Number Theory date = 2019-03-27 notify = wl302@cam.ac.uk, ak2110@cam.ac.uk abstract = We formalize the proofs of two transcendence criteria by J. Hančl and P. Rucki that assert the transcendence of the sums of certain infinite series built up by sequences that fulfil certain properties. Both proofs make use of Roth's celebrated theorem on diophantine approximations to algebraic numbers from 1955 which we implement as an assumption without having formalised its proof. [Binding_Syntax_Theory] title = A General Theory of Syntax with Bindings author = Lorenzo Gheri , Andrei Popescu topic = Computer Science/Programming Languages/Lambda Calculi, Computer Science/Functional Programming, Logic date = 2019-04-06 notify = a.popescu@mdx.ac.uk, lor.gheri@gmail.com abstract = We formalize a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory includes many properties of the standard operators on terms: substitution, swapping and freshness. It also includes bindings-aware induction and recursion principles and support for semantic interpretation. This work has been presented in the ITP 2017 paper “A Formalized General Theory of Syntax with Bindings”. [LTL_Master_Theorem] title = A Compositional and Unified Translation of LTL into ω-Automata author = Benedikt Seidl , Salomon Sickert topic = Computer Science/Automata and Formal Languages date = 2019-04-16 notify = benedikt.seidl@tum.de, s.sickert@tum.de abstract = We present a formalisation of the unified translation approach of linear temporal logic (LTL) into ω-automata from [1]. This approach decomposes LTL formulas into ``simple'' languages and allows a clear separation of concerns: first, we formalise the purely logical result yielding this decomposition; second, we instantiate this generic theory to obtain a construction for deterministic (state-based) Rabin automata (DRA). We extract from this particular instantiation an executable tool translating LTL to DRAs. To the best of our knowledge this is the first verified translation from LTL to DRAs that is proven to be double exponential in the worst case which asymptotically matches the known lower bound.

[1] Javier Esparza, Jan Kretínský, Salomon Sickert. One Theorem to Rule Them All: A Unified Translation of LTL into ω-Automata. LICS 2018 [LambdaAuth] title = Formalization of Generic Authenticated Data Structures author = Matthias Brun<>, Dmitriy Traytel topic = Computer Science/Security, Computer Science/Programming Languages/Lambda Calculi date = 2019-05-14 notify = traytel@inf.ethz.ch abstract = Authenticated data structures are a technique for outsourcing data storage and maintenance to an untrusted server. The server is required to produce an efficiently checkable and cryptographically secure proof that it carried out precisely the requested computation. Miller et al. introduced λ• (pronounced lambda auth)—a functional programming language with a built-in primitive authentication construct, which supports a wide range of user-specified authenticated data structures while guaranteeing certain correctness and security properties for all well-typed programs. We formalize λ• and prove its correctness and security properties. With Isabelle's help, we uncover and repair several mistakes in the informal proofs and lemma statements. Our findings are summarized in a paper draft. [IMP2_Binary_Heap] title = Binary Heaps for IMP2 author = Simon Griebel<> topic = Computer Science/Data Structures, Computer Science/Algorithms date = 2019-06-13 notify = s.griebel@tum.de abstract = In this submission array-based binary minimum heaps are formalized. The correctness of the following heap operations is proved: insert, get-min, delete-min and make-heap. These are then used to verify an in-place heapsort. The formalization is based on IMP2, an imperative program verification framework implemented in Isabelle/HOL. The verified heap functions are iterative versions of the partly recursive functions found in "Algorithms and Data Structures – The Basic Toolbox" by K. Mehlhorn and P. Sanders and "Introduction to Algorithms" by T. H. Cormen, C. E. Leiserson, R. L. Rivest and C. Stein. [Groebner_Macaulay] title = Gröbner Bases, Macaulay Matrices and Dubé's Degree Bounds author = Alexander Maletzky topic = Mathematics/Algebra date = 2019-06-15 notify = alexander.maletzky@risc.jku.at abstract = This entry formalizes the connection between Gröbner bases and Macaulay matrices (sometimes also referred to as `generalized Sylvester matrices'). In particular, it contains a method for computing Gröbner bases, which proceeds by first constructing some Macaulay matrix of the initial set of polynomials, then row-reducing this matrix, and finally converting the result back into a set of polynomials. The output is shown to be a Gröbner basis if the Macaulay matrix constructed in the first step is sufficiently large. In order to obtain concrete upper bounds on the size of the matrix (and hence turn the method into an effectively executable algorithm), Dubé's degree bounds on Gröbner bases are utilized; consequently, they are also part of the formalization. [Linear_Inequalities] title = Linear Inequalities author = Ralph Bottesch , Alban Reynaud <>, René Thiemann topic = Mathematics/Algebra date = 2019-06-21 notify = rene.thiemann@uibk.ac.at abstract = We formalize results about linear inqualities, mainly from Schrijver's book. The main results are the proof of the fundamental theorem on linear inequalities, Farkas' lemma, Carathéodory's theorem, the Farkas-Minkowsky-Weyl theorem, the decomposition theorem of polyhedra, and Meyer's result that the integer hull of a polyhedron is a polyhedron itself. Several theorems include bounds on the appearing numbers, and in particular we provide an a-priori bound on mixed-integer solutions of linear inequalities. +[Differential_Game_Logic] +title = Differential Game Logic +author = André Platzer +topic = Computer Science/Programming Languages/Logics +date = 2019-06-03 +notify = aplatzer@cs.cmu.edu +abstract = + This formalization provides differential game logic (dGL), a logic for + proving properties of hybrid game. In addition to the syntax and + semantics, it formalizes a uniform substitution calculus for dGL. + Church's uniform substitutions substitute a term or formula for a + function or predicate symbol everywhere. The uniform substitutions for + dGL also substitute hybrid games for a game symbol everywhere. We + prove soundness of one-pass uniform substitutions and the axioms of + differential game logic with respect to their denotational semantics. + One-pass uniform substitutions are faster by postponing + soundness-critical admissibility checks with a linear pass homomorphic + application and regain soundness by a variable condition at the + replacements. The formalization is based on prior non-mechanized + soundness proofs for dGL. + +[Complete_Non_Orders] +title = Complete Non-Orders and Fixed Points +author = Akihisa Yamada , Jérémy Dubut +topic = Mathematics/Order +date = 2019-06-27 +notify = akihisayamada@nii.ac.jp, dubut@nii.ac.jp +abstract = + We develop an Isabelle/HOL library of order-theoretic concepts, such + as various completeness conditions and fixed-point theorems. We keep + our formalization as general as possible: we reprove several + well-known results about complete orders, often without any properties + of ordering, thus complete non-orders. In particular, we generalize + the Knaster–Tarski theorem so that we ensure the existence of a + quasi-fixed point of monotone maps over complete non-orders, and show + that the set of quasi-fixed points is complete under a mild + condition—attractivity—which is implied by either antisymmetry or + transitivity. This result generalizes and strengthens a result by + Stauti and Maaden. Finally, we recover Kleene’s fixed-point theorem + for omega-complete non-orders, again using attractivity to prove that + Kleene’s fixed points are least quasi-fixed points. + +[Priority_Search_Trees] +title = Priority Search Trees +author = Peter Lammich , Tobias Nipkow +topic = Computer Science/Data Structures +date = 2019-06-25 +notify = lammich@in.tum.de +abstract = + We present a new, purely functional, simple and efficient data + structure combining a search tree and a priority queue, which we call + a priority search tree. The salient feature of priority search + trees is that they offer a decrease-key operation, something that is + missing from other simple, purely functional priority queue + implementations. Priority search trees can be implemented on top of + any search tree. This entry does the implementation for red-black + trees. This entry formalizes the first part of our ITP-2019 proof + pearl Purely Functional, Simple and Efficient Priority + Search Trees and Applications to Prim and Dijkstra. + +[Prim_Dijkstra_Simple] +title = Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra +author = Peter Lammich , Tobias Nipkow +topic = Computer Science/Algorithms +date = 2019-06-25 +notify = lammich@in.tum.de +abstract = + We verify purely functional, simple and efficient implementations of + Prim's and Dijkstra's algorithms. This constitutes the first + verification of an executable and even efficient version of + Prim's algorithm. This entry formalizes the second part of our + ITP-2019 proof pearl Purely Functional, Simple and Efficient + Priority Search Trees and Applications to Prim and Dijkstra. + +[MFOTL_Monitor] +title = Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic +author = Joshua Schneider , Dmitriy Traytel +topic = Computer Science/Algorithms, Logic, Computer Science/Automata and Formal Languages +date = 2019-07-04 +notify = joshua.schneider@inf.ethz.ch, traytel@inf.ethz.ch +abstract = + A monitor is a runtime verification tool that solves the following + problem: Given a stream of time-stamped events and a policy formulated + in a specification language, decide whether the policy is satisfied at + every point in the stream. We verify the correctness of an executable + monitor for specifications given as formulas in metric first-order + temporal logic (MFOTL), an expressive extension of linear temporal + logic with real-time constraints and first-order quantification. The + verified monitor implements a simplified variant of the algorithm used + in the efficient MonPoly monitoring tool. The formalization is + presented in a forthcoming RV + 2019 paper, which also compares the output of the verified + monitor to that of other monitoring tools on randomly generated + inputs. This case study revealed several errors in the optimized but + unverified tools. + diff --git a/thys/Complete_Non_Orders/Binary_Relations.thy b/thys/Complete_Non_Orders/Binary_Relations.thy new file mode 100755 --- /dev/null +++ b/thys/Complete_Non_Orders/Binary_Relations.thy @@ -0,0 +1,992 @@ +(* +Author: Akihisa Yamada (2018-2019) +License: LGPL (see file COPYING.LESSER) +*) +section \Binary Relations\ + +text \We start with basic properties of binary relations.\ + +theory Binary_Relations +imports Main +(* uses mainly concepts from the theories Complete_Partial_Order, Wellfounded, Partial_Function *) +begin + +text \Below we introduce an Isabelle-notation for $\{ \ldots x\ldots \mid x \in X \}$.\ + +syntax + "_range" :: "'a \ pttrn \ 'a set" ("(1{_ /|./ _})") + "_image" :: "'a \ pttrn \ 'a set \ 'a set" ("(1{_ /|./ (_/ \ _)})") +translations + "{e |. p}" \ "CONST range (\p. e)" + "{e |. p \ A}" \ "CONST image (\p. e) A" + +lemma image_constant: + assumes "\i. i \ I \ f i = y" + shows "f ` I = (if I = {} then {} else {y})" + using assms by auto + + +subsection \Various Definitions\ + +text \Here we introduce various definitions for binary relations. +The first one is our abbreviation for the dual of a relation.\ + +abbreviation(input) dual ("(_\<^sup>-)" [1000] 1000) where "r\<^sup>- x y \ r y x" + +lemma conversep_as_dual[simp]: "conversep r = r\<^sup>-" by auto + +text \Monotonicity is already defined in the library.\ +lemma monotone_dual: "monotone r s f \ monotone r\<^sup>- s\<^sup>- f" + by (auto simp: monotone_def) + +lemma monotone_id: "monotone r r id" + by (auto simp: monotone_def) + +text \So is the chain, but it is somehow hidden. We reactivate it.\ +abbreviation "chain \ Complete_Partial_Order.chain" + +context fixes r :: "'a \ 'a \ bool" (infix "\" 50) begin + +text \Here we define the following notions in a standard manner: +(upper) bounds of a set:\ +definition "bound X b \ \x \ X. x \ b" + +lemma boundI[intro!]: "(\x. x \ X \ x \ b) \ bound X b" + and boundE[elim]: "bound X b \ ((\x. x \ X \ x \ b) \ thesis) \ thesis" + by (auto simp: bound_def) + +lemma bound_empty: "bound {} = (\x. True)" by auto +lemma bound_insert[simp]: "bound (insert x X) b \ x \ b \ bound X b" by auto + +lemma bound_cmono: assumes "X \ Y" shows "bound Y x \ bound X x" + using assms by auto + +text \Extreme (greatest) elements in a set:\ +definition "extreme X e \ e \ X \ (\x \ X. x \ e)" + +lemma extremeI[intro]: "e \ X \ (\x. x \ X \ x \ e) \ extreme X e" + and extremeD: "extreme X e \ e \ X" "extreme X e \ (\x. x \ X \ x \ e)" + and extremeE[elim]: "extreme X e \ (e \ X \ (\x. x \ X \ x \ e) \ thesis) \ thesis" + by (auto simp: extreme_def) + +lemma extreme_UNIV[simp]: "extreme UNIV t \ (\x. x \ t)" by auto + +lemma extremes_equiv: "extreme X b \ extreme X c \ b \ c \ c \ b" by auto + +text \Directed sets:\ +definition "directed X \ \x \ X. \ y \ X. \z \ X. x \ z \ y \ z" + +lemma directedE: + assumes "directed X" and "x \ X" and "y \ X" + and "\z. z \ X \ x \ z \ y \ z \ thesis" + shows "thesis" + using assms by (auto simp: directed_def) + +lemma directedI[intro]: + assumes "\x y. x \ X \ y \ X \ \z \ X. x \ z \ y \ z" + shows "directed X" + using assms by (auto simp: directed_def) + +lemma chain_imp_directed: "chain (\) X \ directed X" + by (intro directedI, auto elim: chainE) + +text \And sets of elements which are self-related:\ +definition "reflexive_on X \ \x \ X. x \ x" + +lemma reflexive_onI[intro]: + assumes "\x. x \ X \ x \ x" shows "reflexive_on X" using assms reflexive_on_def by auto + +lemma reflexive_onE[elim]: + assumes "reflexive_on X" and "(\x. x \ X \ x \ x) \ thesis" shows thesis + using assms reflexive_on_def by auto + +lemma chain_imp_reflexive: "chain (\) X \ reflexive_on X" by (auto elim: chainE) + +end + +context fixes r :: "'a \ 'a \ bool" (infix "\" 50) +begin + +text \Now suprema and infima are given uniformly as follows. \ +abbreviation "extreme_bound X \ extreme (\x y. y \ x) {b. bound (\) X b}" + +lemma extreme_boundI[intro]: + assumes "\b. bound (\) X b \ s \ b" and "\x. x \ X \ x \ s" + shows "extreme_bound X s" + using assms by auto + +lemma extreme_bound_mono: + assumes XY: "X \ Y" + and bX: "extreme_bound X bX" + and bY: "extreme_bound Y bY" + shows "bX \ bY" +proof- + have "bound (\) X bY" using XY bY by force + with bX show ?thesis by auto +qed + +lemma extreme_bound_iff: + shows "extreme_bound X b \ (\c. (\x\X. x \ c) \ b \ c) \ (\x \ X. x \ b)" + by (auto simp: extreme_def) + +lemma extreme_bound_singleton_refl[simp]: + "extreme_bound {x} x \ x \ x" by auto + +lemma extreme_bound_equiv: "extreme_bound X b \ c \ X \ b \ c \ c \ b" + by auto + +lemma extreme_bound_image_const: + "x \ x \ C \ {} \ (\i. i \ C \ f i = x) \ extreme_bound (f ` C) x" + by (auto simp: image_constant) + +lemma extreme_bound_UN_const: + "x \ x \ C \ {} \ (\i y. i \ C \ P i y \ x = y) \ + extreme_bound (\i\C. {y. P i y}) x" + by auto + +end + +context + fixes r :: "'a \ 'a \ bool" (infix "\" 50) +begin + +lemma fun_ordI: "(\x. f x \ g x) \ fun_ord (\) f g" + and fun_ordD: "fun_ord (\) f g \ f x \ g x" + by (auto simp: fun_ord_def) + +lemma dual_fun_ord: "(fun_ord (\))\<^sup>- = fun_ord (\)\<^sup>-" by (auto intro!:ext simp: fun_ord_def) + +lemma fun_extreme_bound_iff: + shows "extreme_bound (fun_ord (\)) F e \ (\x. extreme_bound (\) {f x |. f \ F} (e x))" (is "?l \ ?r") +proof(intro iffI allI extreme_boundI fun_ordI) + fix f x + assume ?r + then have e: "extreme_bound (\) {f x |. f \ F} (e x)" by auto + show "f \ F \ f x \ e x" using extremeD(1)[OF e] by auto + assume "bound (fun_ord (\)) F f" + then have "bound (\) {f x |. f \ F} (f x)" by (auto simp: fun_ord_def) + with e show "e x \ f x" by auto +next + fix x y + assume l: ?l + from l have e: "f \ F \ f x \ e x" for f by (auto dest!:extremeD simp: fun_ord_def) + then show "y \ {f x |. f \ F} \ y \ e x" by auto + assume "bound (\) {f x |. f \ F} y" + with extremeD(1)[OF l] have "bound (fun_ord (\)) F (e(x:=y))" by (auto simp: fun_ord_def elim!:boundE) + with l have "fun_ord (\) e (e(x:=y))" by auto + from fun_ordD[OF this, of x] + show "e x \ y" by auto +qed + +context + fixes ir :: "'i \ 'i \ bool" (infix "\" 50) + fixes f + assumes mono: "monotone (\) (\) f" +begin + +lemma monotone_chain_image: + assumes chain: "chain (\) C" shows "chain (\) (f ` C)" +proof (rule chainI) + fix x y + assume "x \ f ` C" and "y \ f ` C" + then obtain i j where ij: "i \ C" "j \ C" and [simp]: "x = f i" "y = f j" by auto + from chain ij have "i \ j \ j \ i" by (auto elim: chainE) + with ij mono show "x \ y \ y \ x" by (elim disjE, auto dest: monotoneD) +qed + +lemma monotone_directed_image: + assumes dir: "directed (\) D" shows "directed (\) (f ` D)" +proof (rule directedI, safe) + fix x y assume "x \ D" and "y \ D" + with dir obtain z where z: "z \ D" and "x \ z" and "y \ z" by (auto elim: directedE) + with mono have "f x \ f z" and "f y \ f z" by (auto dest: monotoneD) + with z show "\fz \ f ` D. f x \ fz \ f y \ fz" by auto +qed + +context + fixes e C + assumes e: "extreme (\) C e" +begin + +lemma monotone_extreme_imp_extreme_bound: + shows "extreme_bound (\) (f ` C) (f e)" + using monotoneD[OF mono] e + by (auto simp: image_def intro!:extreme_boundI elim!:extremeE boundE) + +lemma monotone_extreme_extreme_boundI: + "x = f e \ extreme_bound (\) (f ` C) x" + using monotone_extreme_imp_extreme_bound by auto + +end + +end + +end + +subsection \Locales for Binary Relations\ + +text \We now define basic properties of binary relations, +in form of \emph{locales}~\cite{Kammuller00,locale}.\ + +subsubsection \Syntactic Locales\ + +text \The following locales do not assume anything, but provide infix notations for +relations. \ + +locale less_eq_syntax = fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) + +locale less_syntax = fixes less :: "'a \ 'a \ bool" (infix "\" 50) + +locale equivalence_syntax = fixes equiv :: "'a \ 'a \ bool" (infix "\" 50) +begin + +abbreviation equiv_class ("[_]\<^sub>\") where "[x]\<^sub>\ \ { y. x \ y }" + +end + +text \Next ones introduce abbreviations for dual etc. +To avoid needless constants, one should be careful when declaring them as sublocales.\ + +locale less_eq_dualize = less_eq_syntax +begin + +abbreviation (input) greater_eq (infix "\" 50) where "x \ y \ y \ x" +abbreviation (input) equiv (infix "\" 50) where "x \ y \ x \ y \ y \ x" + +lemma equiv_sym[sym]: "x \ y \ y \ x" by auto + +end + +locale less_dualize = less_syntax +begin + +abbreviation (input) greater (infix "\" 50) where "x \ y \ y \ x" + +end + +subsubsection \Basic Properties of Relations\ + +text \In the following we define basic properties in form of locales.\ + +locale reflexive = less_eq_syntax + assumes refl[iff]: "x \ x" +begin + +lemma eq_implies: "x = y \ x \ y" by auto + +lemma extreme_singleton[simp]: "extreme (\) {x} y \ x = y" by auto + +lemma extreme_bound_singleton[iff]: "extreme_bound (\) {x} x" by auto + +end +lemmas reflexiveI[intro] = reflexive.intro + +locale irreflexive = less_syntax + assumes irrefl[iff]: "\ x \ x" +begin + +lemma implies_not_eq: "x \ y \ x \ y" by auto + +end +lemmas irreflexiveI[intro] = irreflexive.intro + +locale transitive = less_eq_syntax + assumes trans[trans]: "x \ y \ y \ z \ x \ z" +lemmas [intro?] = transitive.intro + +locale symmetric = equivalence_syntax + assumes sym[sym]: "x \ y \ y \ x" +begin + +lemma dual_sym: "(\)\<^sup>- = (\)" using sym by auto + +end +lemmas [intro] = symmetric.intro + +locale antisymmetric = less_eq_syntax + assumes antisym[dest]: "x \ y \ y \ x \ x = y" +begin + +interpretation less_eq_dualize. + +lemma equiv_iff_eq_refl: "x \ y \ x = y \ y \ y" by auto + +lemma extreme_unique: "extreme (\) X x \ extreme (\) X y \ x = y" + by (auto elim!: extremeE) + +lemma ex_extreme_iff_ex1: "Ex (extreme (\) X) \ Ex1 (extreme (\) X)" by (auto simp: extreme_unique) + +lemma ex_extreme_iff_the: + "Ex (extreme (\) X) \ extreme (\) X (The (extreme (\) X))" + apply (rule iffI) + apply (rule theI') + using extreme_unique by auto + +end +lemmas antisymmetricI[intro] = antisymmetric.intro + +text \The following notion is new, generalizing antisymmetry and transitivity.\ + +locale semiattractive = less_eq_syntax + + assumes attract: "x \ y \ y \ x \ x \ z \ y \ z" +begin + +interpretation less_eq_dualize. + +lemma equiv_trans: + assumes xy: "x \ y" and yz: "y \ z" shows "x \ z" + using attract[of y x z] attract[of y z x] xy yz by auto + +lemma extreme_bound_quasi_const: + assumes C: "C \ {}" and const: "\y \ C. y \ x" shows "extreme_bound (\) C x" +proof (intro extreme_boundI) + from C obtain c where c: "c \ C" by auto + with const have cx: "c \ x" by auto + fix b assume "bound (\) C b" + with c have cb: "c \ b" by auto + from attract[of c x b] cb cx show "x \ b" by auto +next + fix c assume "c \ C" + with const show "c \ x" by auto +qed + +lemma extreme_bound_quasi_const_iff: + assumes C: "C \ {}" and const: "\z \ C. z \ x" + shows "extreme_bound (\) C y \ x \ y" +proof (intro iffI) + assume "extreme_bound (\) C y" + with const show "x \ y" + by (metis C extreme_bound_quasi_const extremes_equiv) +next + assume xy: "x \ y" + with const equiv_trans[of _ x y] have Cy: "\z \ C. z \ y" by auto + show "extreme_bound (\) C y" + using extreme_bound_quasi_const[OF C Cy]. +qed + +end + +locale attractive = semiattractive + dual: semiattractive "(\)\<^sup>-" + +sublocale transitive \ attractive by (unfold_locales, auto dest: trans) + +sublocale antisymmetric \ attractive by (unfold_locales, auto) + +locale asymmetric = irreflexive + strict: antisymmetric "(\)" +begin + +lemma asym[trans]: "x \ y \ y \ x \ thesis" by auto + +end + +context + fixes less :: "'a \ 'a \ bool" (infix "\" 50) +begin + +lemma asymmetricI[intro]: + assumes "\x y. x \ y \ y \ x \ False" + shows "asymmetric (\)" + apply unfold_locales using assms by auto + +lemma asymmetric_def': "asymmetric (\) \ \x y. \ (x \ y \ y \ x)" + by (auto simp: atomize_eq dest!: asymmetric.asym) + +end + +locale well_founded = less_syntax + + assumes induct: "\P a. (\x. (\y. y \ x \ P y) \ P x) \ P a" +begin + +lemma wfP[intro!]: "wfP (\)" using induct wfPUNIVI by blast + +sublocale asymmetric +proof (intro asymmetricI notI) + show "x \ y \ y \ x \ False" for x y by (induct x arbitrary: y rule: induct) +qed + +end + +subsubsection \Combined Properties\ + +text \Some combinations of the above basic properties are given names.\ + +locale quasi_order = reflexive + transitive + +locale near_order = antisymmetric + transitive + +locale pseudo_order = reflexive + antisymmetric +begin + +lemma equiv_eq[simp]: "x \ y \ y \ x \ x = y" by auto + +lemma extreme_bound_singleton_eq[simp]: "extreme_bound (\) {x} y \ x = y" by auto + +lemma eq_iff: "x = y \ x \ y \ y \ x" by auto + +lemma extreme_order_iff_eq[simp]: "extreme (\) {x. x \ e} s \ e = s" by auto + +end + +locale partial_order = quasi_order + antisymmetric + +sublocale partial_order \ pseudo_order + near_order .. + +locale strict_order = irreflexive + transitive "(\)" + +sublocale strict_order \ asymmetric by (auto dest: trans) +sublocale strict_order \ near_order "(\)" .. + +locale well_founded_order = well_founded + transitive "(\)" + +sublocale well_founded_order \ strict_order .. + +locale tolerance = equivalence_syntax + reflexive "(\)" + symmetric "(\)" + +locale partial_equivalence = equivalence_syntax + symmetric "(\)" + transitive "(\)" + +locale equivalence = equivalence_syntax + symmetric "(\)" + quasi_order "(\)" + +sublocale equivalence \ partial_equivalence .. + +text \Some combinations lead to uninteresting relations.\ + +proposition reflexive_irreflexive_is_empty: + assumes "reflexive r" and "irreflexive r" + shows "r = (\x y. False)" +proof(intro ext iffI) + interpret irreflexive r + reflexive r using assms by auto + fix x y + assume "r x y" + with irrefl have "x \ y" by auto + with refl show False by auto +qed auto + +proposition symmetric_antisymmetric_imp_eq: + assumes "symmetric r" and "antisymmetric r" + shows "r x y \ x = y" +proof- + interpret symmetric r + antisymmetric r using assms by auto + fix x y + assume "r x y" + with sym[OF this] show "x = y" by auto +qed + +proposition nontolerance: + fixes r (infix "\" 50) + shows "irreflexive (\) \ symmetric (\) \ tolerance (\x y. \ x \ y)" +proof safe + assume "irreflexive (\)" and "symmetric (\)" + then interpret irreflexive "(\)" + symmetric "(\)". + show "tolerance (\x y. \ x \ y)" by (unfold_locales, auto dest: sym) +next + assume "tolerance (\x y. \ x \ y)" + then interpret tolerance "\x y. \ x \ y". + show "irreflexive (\)" by auto + show "symmetric (\)" using sym by auto +qed + +proposition irreflexive_transitive_symmetric_is_empty: + assumes "irreflexive r" and "transitive r" and "symmetric r" + shows "r = (\x y. False)" +proof(intro ext iffI) + interpret strict_order r using assms by (unfold strict_order_def, auto) + interpret symmetric r using assms by auto + fix x y + assume "r x y" + also note sym[OF this] + finally have "r x x". + then show False by auto +qed auto + +subsection \Totality\ + +locale total = less_syntax + assumes total: "x \ y \ x = y \ y \ x" +begin + +lemma cases[case_names less eq greater]: + assumes "x \ y \ P" and "x = y \ P" and "y \ x \ P" + shows "P" using total assms by auto + +lemma neqE: "x \ y \ (x \ y \ P) \ (y \ x \ P) \ P" by (cases x y rule: cases, auto) + +end +lemmas totalI[intro] = total.intro + +text \Totality is negated antisymmetry \cite[Proposition 2.2.4]{Schmidt1993}.\ +proposition total_iff_neg_antisymmetric: + fixes less (infix "\" 50) + shows "total (\) \ antisymmetric (\x y. \ x \ y)" (is "?l \ ?r") +proof (intro iffI totalI antisymmetricI) + assume ?l + then interpret total. + fix x y + assume "\ x \ y" and "\ y \ x" + then show "x = y" by (cases x y rule: cases, auto) +next + assume ?r + then interpret neg: antisymmetric "(\x y. \ x \ y)". + fix x y + show "x \ y \ x = y \ y \ x" using neg.antisym by auto +qed + +locale total_irreflexive = total + irreflexive +begin + +lemma neq_iff: "x \ y \ x \ y \ y \ x" by (auto elim:neqE) + +end + +locale total_reflexive = reflexive + weak: total "(\)" +begin + +lemma comparable: "x \ y \ y \ x" by (cases x y rule:weak.cases, auto) + +lemma comparable_cases[case_names le ge]: + assumes "x \ y \ P" and "y \ x \ P" shows "P" using assms comparable by auto + +lemma chain_UNIV: "chain (\) UNIV" by (intro chainI comparable) + +end + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +lemma total_reflexiveI[intro]: + assumes "\x y. x \ y \ y \ x" shows "total_reflexive (\)" + using assms by (unfold_locales, auto) + +lemma total_reflexive_def': "total_reflexive (\) \ \x y. x \ y \ y \ x" + by (unfold atomize_eq, auto dest: total_reflexive.comparable) + +end + +locale total_pseudo_order = total_reflexive + antisymmetric +begin + +sublocale pseudo_order .. + +lemma not_weak_iff: "\ y \ x \ x \ y \ x \ y" by (cases x y rule:comparable_cases, auto) + +end + +locale total_quasi_order = total_reflexive + transitive +begin + +sublocale quasi_order .. + +end + +locale total_order = total_quasi_order + antisymmetric +begin + +sublocale partial_order + total_pseudo_order .. + +end + +text \A strict total order defines a total weak order, so we will formalize +it after giving locales for pair of weak and strict parts.\ + +subsection \Order Pairs\ + +locale compatible_ordering = less_eq_syntax + less_syntax + reflexive "(\)" + irreflexive "(\)" + + assumes weak_strict_trans[trans]: "x \ y \ y \ z \ x \ z" + assumes strict_weak_trans[trans]: "x \ y \ y \ z \ x \ z" + assumes strict_implies_weak: "x \ y \ x \ y" +begin + +text \The strict part is necessarily transitive.\ + +sublocale strict: transitive "(\)" + using weak_strict_trans[OF strict_implies_weak] by unfold_locales + +text \The following sequence of declarations are in order to obtain fact names in a manner +similar to the Isabelle/HOL facts of orders.\ + +interpretation strict_order "(\)" .. + +sublocale strict: near_order "(\)" by unfold_locales + +sublocale asymmetric "(\)" by unfold_locales + +sublocale strict_order "(\)" .. + +thm strict.antisym strict.trans asym irrefl + +lemma strict_implies_not_weak: "x \ y \ \ y \ x" by (auto dest: strict_weak_trans) + +end + +locale attractive_ordering = compatible_ordering + attractive + +locale pseudo_ordering = compatible_ordering + antisymmetric +begin + +sublocale pseudo_order + attractive_ordering .. + +end + +locale quasi_ordering = compatible_ordering + transitive +begin + +sublocale quasi_order + attractive_ordering .. + +end + +locale partial_ordering = compatible_ordering + near_order +begin + +sublocale partial_order + pseudo_ordering + quasi_ordering .. + +end + +locale well_founded_ordering = quasi_ordering + well_founded + +locale total_ordering = compatible_ordering + total_order +begin + +sublocale partial_ordering .. + +end + +locale strict_total_ordering = partial_ordering + total "(\)" +begin + +sublocale total_irreflexive "(\)" .. + +sublocale total_reflexive "(\)" +proof + fix x y show "x \ y \ y \ x" by (cases x y rule: cases, auto dest: strict_implies_weak) +qed + +sublocale total_ordering .. + +sublocale old: ordering "(\)" "(\)" +proof- + have "a \ b \ a \ b \ a \ b" for a b + by (cases a b rule: cases, auto dest: strict_implies_weak) + then show "ordering (\) (\)" + by (unfold_locales, auto dest:strict_implies_weak trans) +qed + +lemma not_weak[simp]: "\ x \ y \ y \ x" by (simp add: not_weak_iff old.strict_iff_order) + +lemma not_strict[simp]: "\ x \ y \ y \ x" by (auto simp: old.strict_iff_order) + +end + + +text \A locale which defines an equivalence relation. Be careful when declaring simp rules etc., +as the equivalence will often be rewritten to equality.\ + +locale quasi_order_equivalence = quasi_order + equivalence_syntax + + assumes equiv_def: "x \ y \ x \ y \ y \ x" +begin + +sublocale equiv: equivalence by (unfold_locales, auto simp: equiv_def dest: trans) + +lemma [trans]: + shows equiv_weak_trans: "x \ y \ y \ z \ x \ z" + and weak_equiv_trans: "x \ y \ y \ z \ x \ z" + by (auto simp: equiv_def dest: trans) + +lemma extreme_order_iff_equiv[simp]: "extreme (\) {x. x \ e} y \ e \ y" + by (auto simp: equiv_def intro!: extremeI dest: trans) + +lemma extreme_bound_iff_equiv: + assumes bX: "extreme_bound (\) X b" shows "extreme_bound (\) X c \ b \ c" +proof(rule iffI) + from bX have bX: "bound (\) X b" and leastb: "\x. bound (\) X x \ b \ x" by auto + { fix c assume "extreme_bound (\) X c" + then have cbounds: "bound (\) X c" and leastc: "\b. bound (\) X b \ c \ b" by auto + from leastb[OF cbounds] leastc[OF bX] show "b \ c" by (auto simp: equiv_def) + } + { fix c assume bc: "b \ c" + show "extreme_bound (\) X c" + proof(intro extreme_boundI) + fix x assume "x \ X" + with bX have "x \ b" by auto + with bc show "x \ c" by (auto dest: trans simp: equiv_def) + next + fix x assume "bound (\) X x" + from leastb[OF this] bc show "c \ x" by (auto dest: trans simp: equiv_def) + qed + } +qed + +lemma extremes_are_equiv: "extreme (\) X x \ extreme (\) X y \ x \ y" + by (auto simp: equiv_def) + +end + +locale quasi_ordering_equivalence = compatible_ordering + quasi_order_equivalence +begin + +lemma [trans]: + shows equiv_strict_trans: "x \ y \ y \ z \ x \ z" + and strict_equiv_trans: "x \ y \ y \ z \ x \ z" + by (auto simp: equiv_def dest: weak_strict_trans strict_weak_trans) + +end + +subsection \Relating to Classes\ + +text \In Isabelle 2019 (and earlier), we should declare sublocales in class before declaring dual +sublocales, since otherwise facts would be prefixed by ``dual.dual.''\ + +context ord begin + +abbreviation upper_bound where "upper_bound \ bound (\)" + +abbreviation least where "least \ extreme (\x y. y \ x)" + +abbreviation lower_bound where "lower_bound \ bound (\x y. y \ x)" + +abbreviation greatest where "greatest \ extreme (\)" + +abbreviation supremum where "supremum \ extreme_bound (\)" + +abbreviation infimum where "infimum \ extreme_bound (\x y. y \ x)" + +lemma Least_eq_The_least: "Least P = The (least {x. P x})" + by (auto simp: Least_def extreme_def[unfolded atomize_eq, THEN ext]) + +lemma Greatest_eq_The_greatest: "Greatest P = The (greatest {x. P x})" + by (auto simp: Greatest_def extreme_def[unfolded atomize_eq, THEN ext]) + +end + +lemma fun_ord_le: "fun_ord (\) = (\)" by (intro ext, simp add: fun_ord_def le_fun_def) +lemma fun_ord_ge: "fun_ord (\) = (\)" by (intro ext, simp add: fun_ord_def le_fun_def) + +lemmas fun_supremum_iff = fun_extreme_bound_iff[of "(\)", unfolded fun_ord_le] +lemmas fun_infimum_iff = fun_extreme_bound_iff[of "(\)", unfolded fun_ord_ge] + +class compat = ord + assumes "compatible_ordering (\) (<)" +begin + +sublocale order: compatible_ordering using compat_axioms unfolding class.compat_def. + +end + +text \We should have imported locale-based facts in classes, e.g.:\ +thm order.trans order.strict.trans order.refl order.irrefl order.asym order.extreme_bound_singleton + +class attractive_order = ord + assumes "attractive_ordering (\) (<)" +begin + +interpretation order: attractive_ordering + using attractive_order_axioms unfolding class.attractive_order_def. + +subclass compat .. + +sublocale order: attractive_ordering .. + +end + +thm order.extreme_bound_quasi_const + +class psorder = ord + assumes "pseudo_ordering (\) (<)" +begin + +text \We need to declare subclasses before sublocales in order to preserve facts for superclasses.\ + +interpretation order: pseudo_ordering using psorder_axioms unfolding class.psorder_def. + +subclass attractive_order .. + +sublocale order: pseudo_ordering .. + +end + +class qorder = ord + assumes "quasi_ordering (\) (<)" +begin + +interpretation order: quasi_ordering using qorder_axioms unfolding class.qorder_def. + +subclass attractive_order .. + +sublocale order: quasi_ordering .. + +end + +class porder = ord + assumes "partial_ordering (\) (<)" +begin + +interpretation order: partial_ordering using porder_axioms unfolding class.porder_def. + +subclass psorder .. +subclass qorder .. + +sublocale order: partial_ordering .. + +end + +class wf_qorder = ord + assumes "well_founded_ordering (\) (<)" +begin + +interpretation order: well_founded_ordering using wf_qorder_axioms unfolding class.wf_qorder_def. + +subclass qorder .. + +sublocale order: well_founded_ordering .. + +end + +class totalorder = ord + assumes "total_ordering (\) (<)" +begin + +interpretation order: total_ordering using totalorder_axioms unfolding class.totalorder_def. + +subclass porder .. + +sublocale order: total_ordering .. + +end + +text \Isabelle/HOL's @{class preorder} belongs to @{class qorder}, but not vice versa.\ + +subclass (in preorder) qorder + apply unfold_locales + apply (fact order_refl) + apply simp + apply (fact le_less_trans) + apply (fact less_le_trans) + apply (fact less_imp_le) + apply (fact order_trans) + done + +subclass (in order) porder by (unfold_locales, auto) + +subclass (in wellorder) wf_qorder by (unfold_locales, fact less_induct) + +text \Isabelle/HOL's @{class linorder} is equivalent to our locale @{locale strict_total_ordering}.\ + +context linorder begin + +interpretation order: strict_total_ordering by (unfold_locales, auto) + +subclass totalorder .. + +sublocale order: strict_total_ordering .. + +end + +text \Tests: facts should be available in the most general classes.\ + +thm order.strict.trans[where 'a="'a::compat"] +thm order.extreme_bound_quasi_const[where 'a="'a::attractive_order"] +thm order.extreme_bound_singleton_eq[where 'a="'a::psorder"] +thm order.trans[where 'a="'a::qorder"] +thm order.comparable_cases[where 'a="'a::totalorder"] +thm order.cases[where 'a="'a::linorder"] + +subsection \Declaring Duals\ + +text \At this point, we declare dual as sublocales.\ + +sublocale less_eq_syntax \ dual: less_eq_syntax "(\)\<^sup>-". + +sublocale reflexive \ dual: reflexive "(\)\<^sup>-" by auto + +sublocale attractive \ dual: attractive "(\)\<^sup>-" by unfold_locales + +sublocale irreflexive \ dual: irreflexive "(\)\<^sup>-" by (unfold_locales, auto) + +sublocale transitive \ dual: transitive "(\)\<^sup>-" by (unfold_locales, erule trans) + +sublocale antisymmetric \ dual: antisymmetric "(\)\<^sup>-" by auto + +sublocale asymmetric \ dual: asymmetric "(\)\<^sup>-" by unfold_locales + +sublocale total \ dual: total "(\)\<^sup>-" using total by auto + +sublocale total_reflexive \ dual: total_reflexive "(\)\<^sup>-" by unfold_locales + +sublocale total_irreflexive \ dual: total_irreflexive "(\)\<^sup>-" by unfold_locales + +sublocale pseudo_order \ dual: pseudo_order "(\)\<^sup>-" by unfold_locales + +sublocale quasi_order \ dual: quasi_order "(\)\<^sup>-" by unfold_locales + +sublocale partial_order \ dual: partial_order "(\)\<^sup>-" by unfold_locales + +text \In the following dual sublocale declaration, ``rewrites'' eventually cleans up redundant +facts.\ + +sublocale symmetric \ dual: symmetric "(\)\<^sup>-" rewrites "(\)\<^sup>- = (\)" + using symmetric_axioms by (auto simp: dual_sym) + +sublocale equivalence \ dual: equivalence "(\)\<^sup>-" rewrites "(\)\<^sup>- = (\)" + by (unfold_locales, auto simp: dual_sym sym) + +sublocale total_pseudo_order \ dual: total_pseudo_order "(\)\<^sup>-" by unfold_locales + +sublocale total_quasi_order \ dual: total_quasi_order "(\)\<^sup>-" by unfold_locales + +sublocale compatible_ordering \ dual: compatible_ordering "(\)\<^sup>-" "(\)\<^sup>-" + using weak_strict_trans strict_weak_trans strict_implies_weak by unfold_locales + +sublocale attractive_ordering \ dual: attractive_ordering "(\)\<^sup>-" "(\)\<^sup>-" by unfold_locales + +sublocale pseudo_ordering \ dual: pseudo_ordering "(\)\<^sup>-" "(\)\<^sup>-" by unfold_locales + +sublocale quasi_ordering \ dual: quasi_ordering "(\)\<^sup>-" "(\)\<^sup>-" by unfold_locales + +sublocale partial_ordering \ dual: partial_ordering "(\)\<^sup>-" "(\)\<^sup>-" by unfold_locales + +sublocale total_ordering \ dual: total_ordering "(\)\<^sup>-" "(\)\<^sup>-" by unfold_locales + + +lemma(in antisymmetric) monotone_extreme_imp_extreme_bound_iff: + fixes ir (infix "\" 50) + assumes "monotone (\) (\) f" and i: "extreme (\) C i" + shows "extreme_bound (\) (f ` C) x \ f i = x" + using dual.extreme_unique monotone_extreme_extreme_boundI[OF assms] by auto + + +subsection \Instantiations\ + +text \Finally, we instantiate our classes for sanity check.\ + +instance nat :: linorder .. + +text \Pointwise ordering of functions are compatible only if the weak part is transitive.\ + +instance "fun" :: (type,qorder) compat +proof (intro_classes, unfold_locales) + note [simp] = le_fun_def less_fun_def + fix f g h :: "'a \ 'b" + { assume fg: "f \ g" and gh: "g < h" + show "f < h" + proof (unfold less_fun_def, intro conjI le_funI notI) + from fg have "f x \ g x" for x by auto + also from gh have "g x \ h x" for x by auto + finally show "f x \ h x" for x. + assume hf: "h \ f" + then have "h x \ f x" for x by auto + also from fg have "f x \ g x" for x by auto + finally have "h \ g" by auto + with gh show False by auto + qed + } + { assume fg: "f < g" and gh: "g \ h" + show "f < h" + proof (unfold less_fun_def, intro conjI le_funI notI) + from fg have "f x \ g x" for x by auto + also from gh have "g x \ h x" for x by auto + finally show "f x \ h x" for x. + assume hf: "h \ f" + then have "h x \ f x" for x by auto + also from gh have "g x \ h x" for x by auto + finally have "g \ f" by auto + with fg show False by auto + qed + } + show "f < g \ f \ g" by auto + show "\f < f" by auto + show "f \ f" by auto +qed + +instance "fun" :: (type,qorder) qorder + by (intro_classes, unfold_locales, auto simp: le_fun_def dest: order.trans) + +instance "fun" :: (type,porder) porder + by (intro_classes, unfold_locales, auto simp: less_fun_def le_fun_def) + +end diff --git a/thys/Complete_Non_Orders/Complete_Relations.thy b/thys/Complete_Non_Orders/Complete_Relations.thy new file mode 100755 --- /dev/null +++ b/thys/Complete_Non_Orders/Complete_Relations.thy @@ -0,0 +1,737 @@ +(* +Author: Akihisa Yamada (2018-2019) +License: LGPL (see file COPYING.LESSER) +*) +section \ Completeness of Relations \ + +text \Here we formalize various order-theoretic completeness conditions.\ + +theory Complete_Relations + imports HOL.Real Binary_Relations +begin + +subsection \Completeness Conditions\ + +text \Order-theoretic completeness demands certain subsets of elements to admit suprema or infima. + +A related set $\tp{A,\SLE}$ is called \emph{bounded} if there is a ``top'' element $\top \in A$, +a greatest element in $A$. +Note that there might be multiple tops if $(\SLE)$ is not antisymmetric.\ + +locale bounded = less_eq_syntax + assumes bounded: "\t. \x. x \ t" +begin + +lemma ex_bound[intro!]: "Ex (bound (\) X)" using bounded by auto + +lemma ex_extreme_UNIV[intro!]: "Ex (extreme (\) UNIV)" using bounded by auto + +lemma UNIV_complete[intro!]: "Ex (extreme_bound (\) UNIV)" using bounded by blast + +lemma dual_empty_complete[intro!]: "Ex (extreme_bound (\)\<^sup>- {})" by (auto simp: bound_empty) + +end + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +lemma bounded_iff_extreme_UNIV: "bounded (\) \ Ex (extreme (\) UNIV)" + by (auto simp:bounded_def) + +text\Boundedness can be also seen as a completeness condition, +since it is equivalent to saying that the universe has a supremum.\ + +lemma bounded_iff_UNIV_complete: "bounded (\) \ Ex (extreme_bound (\) UNIV)" + by (unfold bounded_def, blast) + +text \The dual notion of bounded is called ``pointed'', equivalently ensuring a supremum +of the empty set.\ + +lemma pointed_iff_empty_complete: "bounded (\) \ Ex (extreme_bound (\)\<^sup>- {})" + by (auto simp:bounded_def) + +end + + +text \One of the most well-studied notion of completeness would be the semilattice condition: +every pair of elements $x$ and $y$ has a supremum $x \sqcup y$ +(not necessarily unique if the underlying relation is not antisymmetric).\ + +locale pair_complete = less_eq_syntax + + assumes pair_complete: "Ex (extreme_bound (\) {x,y})" +begin + +lemma directed_UNIV[intro!]: "directed (\) UNIV" +proof + fix x y :: 'a + from pair_complete[of x y] show "\z \ UNIV. x \ z \ y \ z" by auto +qed + +end + +sublocale total_reflexive \ pair_complete +proof (unfold_locales) + fix x y + show "Ex (extreme_bound (\) {x, y})" by (cases x y rule:comparable_cases, auto) +qed + +text \The next one assumes that every nonempty finite set has a supremum.\ + +locale finite_complete = less_eq_syntax + + assumes finite_nonempty_complete: "finite X \ X \ {} \ Ex (extreme_bound (\) X)" + +sublocale finite_complete \ pair_complete + by (unfold_locales, intro finite_nonempty_complete, auto) + +text \The next one assumes that every nonempty bounded set has a supremum. +It is also called the Dedekind completeness.\ + +locale conditionally_complete = less_eq_syntax + + assumes bounded_nonempty_complete: + "Ex (bound (\) X) \ X \ {} \ Ex (extreme_bound (\) X)" +begin + +lemma bounded_nonemptyE[elim!]: + assumes "Ex (bound (\) X)" and "X \ {}" + and "Ex (extreme_bound (\) X) \ X \ {} \ thesis" + shows thesis + using assms bounded_nonempty_complete by auto + +lemma nonempty_imp_complete_iff_bounded: + assumes "X \ {}" shows "Ex (extreme_bound (\) X) \ Ex (bound (\) X)" + using assms by (auto intro: bounded_nonempty_complete) + +end + +text \The $\omega$-completeness condition demands a supremum for an $\omega$-chain, + $a_1 \sqsubseteq a_2 \sqsubseteq \dots$. + We model $\omega$-chain as the range of a monotone map $f : i \mapsto a_i$.\ + +locale omega_complete = less_eq_syntax + + assumes monotone_seq_complete: + "\f :: nat \ 'a. monotone (\) (\) f \ Ex (extreme_bound (\) (range f))" + +locale chain_complete = less_eq_syntax + + assumes chain_nonempty_complete: "chain (\) X \ X \ {} \ Ex (extreme_bound (\) X)" +begin + +lemma monotone_chain_complete: + assumes C0: "C \ {}" and chain: "chain r C" and mono: "monotone r (\) f" + shows "Ex (extreme_bound (\) (f ` C))" + apply (rule chain_nonempty_complete[OF monotone_chain_image[OF mono chain]]) + using C0 by auto + +end + +sublocale chain_complete \ omega_complete + by (unfold_locales, rule monotone_chain_complete, auto intro:chainI) + +text\\emph{Directed completeness} is an important notion in domain theory~\cite{abramski94}, +asserting that every nonempty directed set has a supremum. +Here, a set $X$ is \emph{directed} if any pair of two elements in $X$ has a bound in $X$.\ + +locale directed_complete = less_eq_syntax + + assumes directed_nonempty_complete: "directed (\) X \ X \ {} \ Ex (extreme_bound (\) X)" +begin + +lemma monotone_directed_complete: + assumes dir: "directed r C" and c0: "C \ {}" and mono: "monotone r (\) f" + shows "Ex (extreme_bound (\) (f ` C))" + apply (rule directed_nonempty_complete[OF monotone_directed_image[OF mono dir]]) + using c0 by auto + +end + +sublocale directed_complete \ chain_complete + by (unfold_locales, intro directed_nonempty_complete, auto dest: chain_imp_directed) + +text \The next one is quite complete, only the empty set may fail to have a supremum. +The terminology follows \cite{Bergman2015}, +although there it is defined more generally depending on a cardinal $\alpha$ +such that a nonempty set $X$ of cardinality below $\alpha$ has a supremum.\ + +locale semicomplete = less_eq_syntax + + assumes nonempty_complete: "X \ {} \ Ex (extreme_bound (\) X)" + +sublocale semicomplete \ conditionally_complete + finite_complete + directed_complete + by (unfold_locales, auto intro!: nonempty_complete) + +sublocale semicomplete \ bounded + unfolding bounded_iff_UNIV_complete using nonempty_complete[of UNIV] by auto + +subsection \Pointed Ones\ + +text \The term `pointed' refers to the dual notion of boundedness, i.e., there is a global least element. + This serves as the supremum of the empty set.\ + +locale pointed_chain_complete = chain_complete + dual: bounded "(\)\<^sup>-" +begin + +lemma chain_complete: "chain (\) X \ Ex (extreme_bound (\) X)" + by (cases "X = {}", auto intro:chain_nonempty_complete) + +end + +lemma pointed_chain_complete_def': + fixes less_eq (infix "\" 50) + shows "pointed_chain_complete (\) \ \X. chain (\) X \ Ex (extreme_bound (\) X)" (is "?l \ ?r") + apply (unfold atomize_eq, intro iffI) + apply (force intro: pointed_chain_complete.chain_complete) + by (unfold_locales, auto intro!: chain_empty simp: pointed_iff_empty_complete[unfolded bounded_def]) + +locale pointed_directed_complete = directed_complete + dual: bounded "(\)\<^sup>-" +begin + +lemma directed_complete: "directed (\) X \ Ex (extreme_bound (\) X)" + by (cases "X = {}", auto intro: directed_nonempty_complete) + +sublocale pointed_chain_complete .. + +end + +lemma pointed_directed_complete_def': + fixes less_eq (infix "\" 50) + shows "pointed_directed_complete (\) \ \X. directed (\) X \ Ex (extreme_bound (\) X)" + apply (unfold atomize_eq, intro iffI) + apply (force intro: pointed_directed_complete.directed_complete) + by (unfold_locales, auto simp: pointed_iff_empty_complete[unfolded bounded_def]) + +text \``Bounded complete'' refers to pointed conditional complete, +but this notion is just the dual of semicompleteness. We prove this later. + +Following is the strongest completeness that requires any subset of elements to have suprema +and infima.\ + +locale complete = less_eq_syntax + assumes complete: "Ex (extreme_bound (\) X)" +begin + +sublocale semicomplete + pointed_directed_complete + by (auto simp: pointed_directed_complete_def' intro: semicomplete.intro complete) + +end + +subsection \Relations between Completeness Conditions\ + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +interpretation less_eq_dualize. + +text \Pair-completeness implies that the universe is directed. Thus, with directed completeness +implies boundedness.\ + +proposition directed_complete_pair_complete_imp_bounded: + assumes "directed_complete (\)" and "pair_complete (\)" + shows "bounded (\)" +proof- + from assms interpret directed_complete + pair_complete by auto + have "Ex (extreme_bound (\) UNIV)" by (rule directed_nonempty_complete, auto) + then obtain t where "extreme_bound (\) UNIV t" by auto + then have "\x. x \ t" by auto + then show ?thesis by (unfold_locales, auto) +qed + +text \Semicomplete is conditional complete and bounded.\ + +proposition semicomplete_iff_conditionally_complete_bounded: + "semicomplete (\) \ conditionally_complete (\) \ bounded (\)" (is "?l \ ?r") +proof + assume ?r + then interpret conditionally_complete "(\)" + bounded "(\)" by auto + show ?l by (unfold_locales, rule bounded_nonempty_complete, auto) +next + assume ?l + then interpret semicomplete. + show ?r by (intro conjI, unfold_locales) +qed + +proposition complete_iff_pointed_semicomplete: + "complete (\) \ semicomplete (\) \ bounded (\)" (is "?l \ ?r") +proof + assume "complete (\)" + then interpret complete. + show ?r by (intro conjI, unfold_locales) +next + assume ?r + then interpret semicomplete + bounded "(\)" by auto + show ?l + proof + fix X show "Ex (extreme_bound (\) X)" by (cases "X = {}", auto intro:nonempty_complete) + qed +qed + +text \Conditional completeness only lacks top and bottom to be complete.\ + +proposition complete_iff_conditionally_complete_bounded_pointed: + "complete (\) \ conditionally_complete (\) \ bounded (\) \ bounded (\)" + unfolding complete_iff_pointed_semicomplete + semicomplete_iff_conditionally_complete_bounded by auto + +end + + +text \If the universe is directed, then every pair is bounded, and thus has a supremum. + On the other hand, supremum gives an upper bound, witnessing directedness.\ + +proposition (in conditionally_complete) pair_complete_iff_directed: + "pair_complete (\) \ directed (\) UNIV" +proof(intro iffI) + assume "directed (\) UNIV" + then show "pair_complete (\)" + by (unfold_locales, intro bounded_nonempty_complete, auto elim: directedE) +next + assume "pair_complete (\)" + then interpret pair_complete. + show "directed (\) UNIV" + proof (intro directedI) + fix x y + from pair_complete obtain z where "extreme_bound (\) {x,y} z" by auto + then show "\z\UNIV. x \ z \ y \ z" by auto + qed +qed + + +subsection \Completeness Results Requiring Order-Like Properties\ + +text \Above results hold without any assumption on the relation. +This part demands some order-like properties.\ + +text \It is well known that in a semilattice, i.e., a pair-complete partial order, +every finite nonempty subset of elements has a supremum. +We prove the result assuming transitivity, but only that.\ + +locale trans_semilattice = transitive + pair_complete + +sublocale trans_semilattice \ finite_complete + apply (unfold_locales) + subgoal for X + proof (induct X rule:finite_induct) + case empty + then show ?case by auto + next + case (insert x X) + show ?case + proof (cases "X = {}") + case True + obtain x' where "extreme_bound (\) {x,x} x'" using pair_complete[of x x] by auto + with True show ?thesis by (auto intro!: exI[of _ x']) + next + case False + with insert obtain b where b: "extreme_bound (\) X b" by auto + from pair_complete obtain c where c: "extreme_bound (\) {x,b} c" by auto + show ?thesis + proof (intro exI extreme_boundI) + from c have "x \ c" and "b \ c" by auto + with b show "xb \ insert x X \ xb \ c" for xb by (auto dest: trans) + fix d assume "bound (\) (insert x X) d" + with b have "bound (\) {x,b} d" by auto + with c show "c \ d" by auto + qed + qed + qed +done + + +text \Gierz et al.~\cite{gierz03} showed that a directed complete partial order is semicomplete +if and only if it is also a semilattice. +We generalize the claim so that the underlying relation is only transitive.\ + +proposition(in transitive) semicomplete_iff_directed_complete_pair_complete: + "semicomplete (\) \ directed_complete (\) \ pair_complete (\)" (is "?l \ ?r") +proof (intro iffI semicomplete.intro) + assume ?l + then interpret semicomplete. + show ?r by (intro conjI, unfold_locales) +next + assume ?r + then interpret directed_complete + pair_complete by auto + interpret trans_semilattice .. + fix X :: "'a set" + have 1: "directed (\) {x. \Y \ X. finite Y \ Y \ {} \ extreme_bound (\) Y x}" (is "directed _ ?B") + proof (intro directedI) + fix a b assume a: "a \ ?B" and b: "b \ ?B" + from a obtain A where A: "extreme_bound (\) A a" "finite A" "A \ {}" "A \ X" by auto + from b obtain B where B: "extreme_bound (\) B b" "finite B" "B \ {}" "B \ X" by auto + from A B have AB: "finite (A \ B)" "A \ B \ {}" "A \ B \ X" by auto + with finite_nonempty_complete have "Ex (extreme_bound (\) (A \ B))" by auto + then obtain c where c: "extreme_bound (\) (A \ B) c" by auto + show "\c \ ?B. a \ c \ b \ c" + proof (intro bexI conjI) + from A B c show "a \ c" and "b \ c" by (auto simp: extreme_bound_iff) + from AB c show "c \ ?B" by (auto intro!: exI[of _ "A \ B"]) + qed + qed + assume "X \ {}" + then obtain x where xX: "x \ X" by auto + from finite_nonempty_complete[of "{x}"] + obtain x' where "extreme_bound (\) {x} x'" by auto + with xX have x'B: "x' \ ?B" by (auto intro!: exI[of _ "{x}"] extreme_boundI) + then have 2: "?B \ {}" by auto + from directed_nonempty_complete[OF 1 2] + obtain b where b: "extreme_bound (\) ?B b" by auto + show "Ex (extreme_bound (\) X)" + proof (intro exI extreme_boundI UNIV_I) + fix x + assume xX: "x \ X" + from finite_nonempty_complete[of "{x}"] + obtain c where c: "extreme_bound (\) {x} c" by auto + then have xc: "x \ c" by auto + from c xX have cB: "c \ ?B" by (auto intro!: exI[of _ "{x}"] extreme_boundI) + with b have cb: "c \ b" by auto + from xc cb show "x \ b" by (rule trans) text\ Here transitivity is needed. \ + next + fix x + assume Xx: "bound (\) X x" + have "bound (\) ?B x" + proof (intro boundI UNIV_I, clarify) + fix c Y + assume "finite Y" and YX: "Y \ X" and "Y \ {}" and c: "extreme_bound (\) Y c" + from YX Xx have "bound (\) Y x" by auto + with c show "c \ x" by auto + qed + with b show "b \ x" by auto + qed +qed + +text\The last argument in the above proof requires transitivity, +but if we had reflexivity then $x$ itself is a supremum of $\set{x}$ +(see @{thm reflexive.extreme_bound_singleton}) and so $x \SLE s$ would be immediate. +Thus we can replace transitivity by reflexivity, +but then pair-completeness does not imply finite completeness. +We obtain the following result.\ + +proposition (in reflexive) semicomplete_iff_directed_complete_finite_complete: + "semicomplete (\) \ directed_complete (\) \ finite_complete (\)" (is "?l \ ?r") +proof (intro iffI semicomplete.intro) + assume ?l + then interpret semicomplete. + show ?r by (safe, unfold_locales) +next + assume ?r + then interpret directed_complete + finite_complete by auto + fix X :: "'a set" + have 1: "directed (\) {x. \Y \ X. finite Y \ Y \ {} \ extreme_bound (\) Y x}" (is "directed _ ?B") + proof (intro directedI) + fix a b assume a: "a \ ?B" and b: "b \ ?B" + from a obtain A where A: "extreme_bound (\) A a" "finite A" "A \ {}" "A \ X" by auto + from b obtain B where B: "extreme_bound (\) B b" "finite B" "B \ {}" "B \ X" by auto + from A B have AB: "finite (A \ B)" "A \ B \ {}" "A \ B \ X" by auto + with finite_nonempty_complete have "Ex (extreme_bound (\) (A \ B))" by auto + then obtain c where c: "extreme_bound (\) (A \ B) c" by auto + show "\c \ ?B. a \ c \ b \ c" + proof (intro bexI conjI) + from A B c show "a \ c" and "b \ c" by (auto simp: extreme_bound_iff) + from AB c show "c \ ?B" by (auto intro!: exI[of _ "A \ B"]) + qed + qed + assume "X \ {}" + then obtain x where xX: "x \ X" by auto + then have "extreme_bound (\) {x} x" by auto + with xX have xB: "x \ ?B" by (auto intro!: exI[of _ "{x}"]) + then have 2: "?B \ {}" by auto + from directed_nonempty_complete[OF 1 2] + obtain b where b: "extreme_bound (\) ?B b" by auto + show "Ex (extreme_bound (\) X)" + proof (intro exI extreme_boundI UNIV_I) + fix x + assume xX: "x \ X" + have x: "extreme_bound (\) {x} x" by auto + from x xX have cB: "x \ ?B" by (auto intro!: exI[of _ "{x}"]) + with b show "x \ b" by auto + next + fix x + assume Xx: "bound (\) X x" + have "bound (\) ?B x" + proof (intro boundI UNIV_I, clarify) + fix c Y + assume "finite Y" and YX: "Y \ X" and "Y \ {}" and c: "extreme_bound (\) Y c" + from YX Xx have "bound (\) Y x" by auto + with c show "c \ x" by auto + qed + with b show "b \ x" by auto + qed +qed + +locale complete_attractive = complete + attractive + +locale complete_antisymmetric = complete + antisymmetric + +sublocale complete_antisymmetric \ complete_attractive .. + +text \Complete pseudo orders are called complete trellises~\cite{trellis}, +but let us reserve the name for introducing classes (in the future).\ + +locale complete_pseudo_order = complete + pseudo_order + +sublocale complete_pseudo_order \ complete_antisymmetric .. + +text \Finally, we (re)define complete lattices as a complete partial order.\ + +locale complete_partial_order = complete + partial_order + +sublocale complete_partial_order \ trans_semilattice + complete_pseudo_order .. + +subsection \Relating to Classes\ + +class ccomplete = ord + assumes "conditionally_complete (\)" +begin + +sublocale order: conditionally_complete using ccomplete_axioms unfolding class.ccomplete_def. + +end + +class complete_ord = ord + assumes "complete (\)" +begin + +interpretation order: complete using complete_ord_axioms unfolding class.complete_ord_def. + +subclass ccomplete .. + +sublocale order: complete .. + +end + +text \Isabelle's class @{class conditionally_complete_lattice} is @{class ccomplete}. +The other direction does not hold, since for the former, +@{term "Sup {}"} and @{term "Inf {}"} are arbitrary even if there are top or bottom elements.\ + +subclass (in conditionally_complete_lattice) ccomplete +proof + fix X + assume "Ex (upper_bound X)" and X0: "X \ {}" + from this(1) have "bdd_above X" by auto + from cSup_upper[OF _ this] cSup_least[OF X0] + have "supremum X (Sup X)" by (intro extremeI boundI, auto) + then show "Ex (supremum X)" by auto +qed + +text \Isabelle's class @{class complete_lattice} is precisely @{locale complete_partial_order}.\ + +context complete_lattice begin + +interpretation order: complete_partial_order + by (unfold_locales, auto intro!: Sup_upper Sup_least Inf_lower Inf_greatest) + +subclass complete_ord .. + +sublocale order: complete_partial_order .. + +end + + +subsection \Duality of Completeness Conditions\ + +text \Conditional completeness is symmetric.\ + +sublocale conditionally_complete \ dual: conditionally_complete "(\)\<^sup>-" +proof + interpret less_eq_dualize. + fix X :: "'a set" + assume bound: "Ex (bound (\) X)" and nonemp: "X \ {}" + then have "Ex (bound (\) {b. bound (\) X b})" and "{b. bound (\) X b} \ {}" by auto + from bounded_nonempty_complete[OF this] + obtain s where "extreme_bound (\) {b. bound (\) X b} s" by auto + then show "Ex (extreme_bound (\) X)" by (intro exI[of _ s] extremeI, auto) +qed + +text \Full completeness is symmetric.\ + +sublocale complete \ dual: complete "(\)\<^sup>-" +proof + fix X :: "'a set" + obtain s where "extreme_bound (\) {b. bound (\)\<^sup>- X b} s" using complete by auto + then show "Ex (extreme_bound (\)\<^sup>- X)" by (intro exI[of _ s] extreme_boundI, auto) +qed + +sublocale complete_attractive \ dual: complete_attractive "(\)\<^sup>-" .. + +sublocale complete_antisymmetric \ dual: complete_antisymmetric "(\)\<^sup>-" .. + +sublocale complete_pseudo_order \ dual: complete_pseudo_order "(\)\<^sup>-" .. + +sublocale complete_partial_order \ dual: complete_partial_order "(\)\<^sup>-" .. + +text \Now we show that bounded completeness is the dual of semicompleteness.\ + +context fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +interpretation less_eq_dualize. + +definition "bounded_complete \ \X. Ex (bound (\) X) \ Ex (extreme_bound (\) X)" + +lemma pointed_conditionally_complete_iff_bounded_complete: + "conditionally_complete (\) \ bounded (\) \ bounded_complete" +proof safe + assume "bounded_complete" + note * = this[unfolded bounded_complete_def, rule_format] + from * show "conditionally_complete (\)" by (unfold_locales, auto) + from *[of "{}"] show "bounded (\)" by (unfold_locales, auto simp:bound_empty) +next + assume "conditionally_complete (\)" and "bounded (\)" + then interpret conditionally_complete "(\)" + dual: bounded "(\)". + show "bounded_complete" unfolding bounded_complete_def + proof (intro allI impI) + fix X + assume X: "Ex (bound (\) X)" + show "Ex (extreme_bound (\) X)" + proof (cases "X = {}") + case True + then show ?thesis by auto + next + case False + with bounded_nonempty_complete X show ?thesis by auto + qed + qed +qed + +proposition bounded_complete_iff_dual_semicomplete: + "bounded_complete \ semicomplete (\)" +proof (fold pointed_conditionally_complete_iff_bounded_complete, safe) + assume "conditionally_complete (\)" and "bounded (\)" + then interpret conditionally_complete + bounded "(\)". + from dual.conditionally_complete_axioms bounded_axioms + semicomplete_iff_conditionally_complete_bounded + show "semicomplete (\)" by auto +next + assume "semicomplete (\)" + then interpret semicomplete "(\)". + show "conditionally_complete (\)" .. + show "bounded (\)" .. +qed + +end + + +subsection \Completeness in Function Spaces\ + +text \Here we lift completeness to functions. As we do not assume an operator to choose suprema, +we need the axiom of choice for most of the following results. In antisymmetric cases we do not +need the axiom but we do not formalize this fact.\ + +lemma (in bounded) bounded_fun[intro!]: "bounded (fun_ord (\))" +proof- + from bounded obtain t where "\x. x \ t" by auto + then have "\f. fun_ord (\) f (\x. t)" by (auto intro: fun_ordI) + then show ?thesis by (auto intro: bounded.intro) +qed + +lemma (in pair_complete) pair_complete_fun[intro!]: + "pair_complete (fun_ord (\) :: ('i \ _) \ _)" +proof + fix f g :: "'i \ _" + from pair_complete have "\x. \sx. extreme_bound (\) {f x, g x} sx" by auto + from choice[OF this] + obtain s where "\x. extreme_bound (\) {f x, g x} (s x)" by auto + then show "Ex (extreme_bound (fun_ord (\)) {f, g})" + by (unfold fun_extreme_bound_iff, intro exI[of _ s], auto 1 4) +qed + +lemma (in finite_complete) finite_complete_fun[intro!]: + "finite_complete (fun_ord (\) :: ('i \ 'a) \ _)" +proof + fix F :: "('i \ 'a) set" + assume "finite F" and "F \ {}" + with finite_nonempty_complete + have "\x. \sx. extreme_bound (\) {f x |. f \ F} sx" by auto + from choice[OF this] + show "Ex (extreme_bound (fun_ord (\)) F)" by (unfold fun_extreme_bound_iff, auto) +qed + +lemma (in omega_complete) omega_complete_fun[intro!]: + "omega_complete (fun_ord (\) :: ('i \ 'a) \ _)" +proof + fix ff :: "nat \ 'i \ 'a" + assume ff: "monotone (\) (fun_ord (\)) ff" + then have "\i. Ex (extreme_bound (\) {ff n i |. n})" + by (intro allI monotone_seq_complete, auto simp: monotone_def fun_ord_def) + from choice[OF this] + obtain s where "\i. extreme_bound (\) {ff n i |. n} (s i)" by auto + then have "extreme_bound (fun_ord (\)) (range ff) s" + by (auto simp: fun_extreme_bound_iff image_image) + then show "Ex (extreme_bound (fun_ord (\)) (range ff))" by auto +qed + +lemma (in chain_complete) chain_complete_fun[intro!]: + "chain_complete (fun_ord (\) :: ('i \ 'a) \ _)" +proof + fix F :: "('i \ 'a) set" + assume F: "chain (fun_ord (\)) F" and "F \ {}" + then have "\i. Ex (extreme_bound (\) {f i |. f \ F})" + by (intro allI chain_nonempty_complete, auto simp: chain_def fun_ord_def) + from choice[OF this] + obtain s where "\i. extreme_bound (\) {f i |. f \ F} (s i)" by auto + then show "Ex (extreme_bound (fun_ord (\)) F)" by (auto simp: fun_extreme_bound_iff) +qed + +lemma (in directed_complete) directed_complete_fun[intro!]: + "directed_complete (fun_ord (\) :: ('i \ 'a) \ _)" +proof + fix F :: "('i \ 'a) set" + assume dir: "directed (fun_ord (\)) F" and F0: "F \ {}" + have "\i. Ex (extreme_bound (\) {f i |. f \ F})" + proof (intro allI directed_nonempty_complete directedI, safe) + fix i f g assume "f \ F" "g \ F" + with dir obtain h + where h: "h \ F" and "fun_ord (\) f h" and "fun_ord (\) g h" by (auto elim:directedE) + then have "f i \ h i" and "g i \ h i" by (auto dest: fun_ordD) + with h show "\hi\{f i |. f \ F}. f i \ hi \ g i \ hi" by (intro bexI[of _ "h i"], auto) + qed (insert F0, auto) + from choice[OF this] + obtain s where "\i. extreme_bound (\) {f i |. f \ F} (s i)" by auto + then show "Ex (extreme_bound (fun_ord (\)) F)" by (auto simp: fun_extreme_bound_iff) +qed + +lemma (in conditionally_complete) conditionally_complete_fun[intro!]: + "conditionally_complete (fun_ord (\) :: ('i \ 'a) \ _)" +proof + fix F :: "('i \ 'a) set" + assume bF: "Ex (bound (fun_ord (\)) F)" and F: "F \ {}" + from bF obtain b where b: "bound (fun_ord (\)) F b" by auto + have "\x. \sx. extreme_bound (\) {f x |. f \ F} sx" + proof + fix x + from b have "bound (\) {f x |. f \ F} (b x)" by (auto simp: fun_ord_def) + with bounded_nonempty_complete F + show "Ex (extreme_bound (\) {f x |. f \ F})" by auto + qed + from choice[OF this] + show "Ex (extreme_bound (fun_ord (\)) F)" by (unfold fun_extreme_bound_iff, auto) +qed + +lemma (in semicomplete) semicomplete_fun[intro!]: "semicomplete (fun_ord (\))" + by (auto simp: semicomplete_iff_conditionally_complete_bounded) + +lemma (in pointed_chain_complete) pointed_chain_complete_fun[intro!]: + "pointed_chain_complete (fun_ord (\))" + by (auto intro!: pointed_chain_complete.intro simp: dual_fun_ord) + +lemma (in pointed_directed_complete) pointed_directed_complete_fun[intro!]: + "pointed_directed_complete (fun_ord (\))" + by (auto intro!: pointed_directed_complete.intro simp: dual_fun_ord) + +lemma (in complete) complete_fun[intro!]: "complete (fun_ord (\))" + by (auto simp: complete_iff_pointed_semicomplete dual_fun_ord) + +subsection \Interpretations\ + +context complete_lattice begin + +lemma Sup_eq_The_supremum: "Sup X = The (supremum X)" + using order.complete[unfolded order.dual.ex_extreme_iff_ex1] + by (rule the1_equality[symmetric], auto intro!: Sup_upper Sup_least) + +lemma Inf_eq_The_infimum: "Inf X = The (infimum X)" + using order.dual.complete[unfolded order.ex_extreme_iff_ex1] + by (rule the1_equality[symmetric], auto intro!: Inf_lower Inf_greatest) + +end + +instance real :: ccomplete by (intro_classes, unfold_locales) + +instance "fun" :: (type, ccomplete) ccomplete by (intro_classes, fold fun_ord_le, auto) + +instance "fun" :: (type, complete_ord) complete_ord by (intro_classes, fold fun_ord_le, auto) + +end \ No newline at end of file diff --git a/thys/Complete_Non_Orders/Fixed_Points.thy b/thys/Complete_Non_Orders/Fixed_Points.thy new file mode 100644 --- /dev/null +++ b/thys/Complete_Non_Orders/Fixed_Points.thy @@ -0,0 +1,714 @@ +(* +Author: Jérémy Dubut (2019) +Author: Akihisa Yamada (2019) +License: LGPL (see file COPYING.LESSER) +*) +section \Knaster--Tarski-Style Fixed-Point Theorem\ + +theory Fixed_Points + imports Complete_Relations +begin + +text \Given a monotone map +$f : A \to A$ on a complete lattice $\tp{A,\SLE}$, +the Knaster--Tarski theorem~\cite{tarski55} states that +\begin{enumerate} +\item $f$ has a fixed point in $A$, and +\item the set of fixed points forms a complete lattice. +\end{enumerate} +Stauti and Maaden \cite{SM13} generalized statement (1) where $\tp{A,\SLE}$ +is a complete \emph{trellis}---a complete pseudo-order---% +relaxing transitivity. +They also proved a restricted version of (2), +namely there exists a least (and by duality a greatest) fixed point in $A$. + +In the following Section~\ref{sec:qfp-exists} we further generalize claim (1) +so that any complete relation +admits a \emph{quasi-fixed point} $f(x) \sim x$, that is, $f(x) \SLE x$ and $x \SLE f(x)$. +Quasi-fixed points are fixed points for antisymmetric relations; +hence the Stauti--Maaden theorem is further generalized by relaxing reflexivity. + +In Section \ref{sec:qfp-complete} +we also generalize claim (2) so that only a mild condition, which we call \emph{attractivity}, +is assumed. In this attractive setting quasi-fixed points are complete. +Since attractivity is implied by either of transitivity or antisymmetry, +in particular fixed points are complete in complete trellis, +thus completing Stauti and Maaden's result. We then further generalize the result, proving that +antisymmetry is sufficient for \emph{strict} fixed points +$f(x) = x$ to be complete.\ + +subsection \Completeness of a Subset\ + +text \We start by formalizing what it means for a subset to have an extreme bound inside +a set, and for this subset to be complete. We prove that this completeness is also auto-dual.\ + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +interpretation less_eq_dualize. + +abbreviation "extreme_bound_in S X \ extreme (\) {b \ S. bound (\) X b}" + +lemma extreme_bound_inI[intro]: + assumes "\b. bound (\) X b \ b \ S \ s \ b" and "s \ S" and "\x. x \ X \ x \ s" + shows "extreme_bound_in S X s" + using assms by auto + +definition "complete_in S \ \X \ S. Ex (extreme_bound_in S X)" + +lemma complete_inE[elim]: + assumes "complete_in S" and "(\X. X \ S \ Ex (extreme_bound_in S X)) \ thesis" + shows "thesis" + using assms by (auto simp: complete_in_def) + +lemma complete_inD: + shows "complete_in S \ X \ S \ Ex (extreme_bound_in S X)" + by (auto simp: complete_in_def) + +lemma complete_inI[intro?]: + assumes "\X. X \ S \ Ex (extreme_bound_in S X)" + shows "complete_in S" + using assms by (auto simp: complete_in_def) + +end + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +interpretation less_eq_dualize. + +lemma complete_in_dual: + assumes complete: "complete_in (\) S" shows "complete_in (\) S" +proof + fix A :: "'a set" + assume AS: "A \ S" + define B where "B \ {b\S. bound (\) A b}" + then have "B \ S" by auto + then obtain b where "extreme_bound_in (\) S B b" + using complete by force + with AS show "Ex (extreme_bound_in (\) S A)" + apply (intro exI[of _ b], unfold extreme_def B_def) by auto +qed + +end + +subsection \Existence of Quasi-Fixed Points\ +text \\label{sec:qfp-exists}\ + +text \The following proof is simplified and generalized from + Stouti--Maaden \cite{SM13}. We generalize so that the underlying +relation is not even reflexive or antisymmetric.\ + +locale fixed_point_proof = less_eq_dualize +begin + +context + fixes f :: "'a \ 'a" and S :: "'a set" + assumes mono: "monotone (\) (\) f" + assumes f_closed_S: "f ` S \ S" + assumes S_comp: "complete_in (\) S" +begin + +definition AA where "AA \ + {A. A \ S \ f ` A \ A \ (\B \ A. \b. extreme_bound_in (\) S B b \ b \ A)}" +definition C where "C \ \ AA" + +qualified lemma S_AA: "S \ AA" by (auto simp: AA_def f_closed_S) + +qualified lemma C_AA: "C \ AA" +proof (unfold AA_def, intro CollectI conjI allI impI) + show "C \ S" using C_def S_AA f_closed_S by auto + show "f ` C \ C" unfolding C_def AA_def by auto + fix B b assume BC: "B \ C" and EBS: "extreme_bound_in (\) S B b" + { fix X assume "X \ AA" + with EBS have "b\X" + apply (unfold AA_def,safe) by (metis BC C_def Inf_lower subset_trans) + } + then show "b \ C" by (auto simp: C_def AA_def) +qed + +lemma quasi_fixed_point_in_C: "\c \ C. f c \ c" +proof- + obtain c where c: "extreme_bound_in (\) S C c" + using S_comp unfolding complete_in_def C_def + by (metis InterE S_AA subset_iff) + then have cS: "c \ S" by auto + show "\c \ C. f c \ c" + proof (intro conjI bexI) + show cCS: "c \ C" using AA_def C_AA c by auto + then have "f c \ C" using AA_def C_AA by auto + then show "f c \ c" using f_closed_S cS c by auto + show "c \ f c" + proof- + define D where "D \ {x \ C. x \ f c}" + have "D \ AA" + proof (unfold AA_def, intro CollectI conjI allI impI) + show "D \ S" + unfolding D_def C_def using S_AA f_closed_S by auto + have fxC: "x \ C \ x \ f c \ f x \ C" for x using C_AA by (auto simp: AA_def) + show "f ` D \ D" + proof (unfold D_def, safe intro!: fxC) + fix x assume xC: "x \ C" + have "x \ c" using c xC by auto + then show "f x \ f c" using mono by (auto dest:monotoneD) + qed + have DC: "D \ C" unfolding D_def by auto + fix B b assume BD: "B \ D" and BS: "extreme_bound_in (\) S B b" + have "B \ C" using DC BD by auto + then have bC: "b \ C" using C_AA BS by (auto simp: AA_def) + have bfc: "\a\B. a \ f c" using BD unfolding D_def by auto + with f_closed_S cS BS + have "b \ f c" by (auto simp: extreme_def image_subset_iff) + with bC show "b \ D" unfolding D_def by auto + qed + then have "C \ D" unfolding C_def by auto + then show "c \ f c" using cCS unfolding D_def by auto + qed + qed +qed + +lemma quasi_fixed_point: "\s \ S. f s \ s" using quasi_fixed_point_in_C S_AA C_def by auto + +lemma ex_extreme_quasi_fixed_point: + assumes attract: "\q x. f q \ q \ x \ f q \ x \ q" + shows "Ex (extreme (\) {q \ S. f q \ q})" +proof- + define A where "A \ {a \ S. \s \ S. f s \ s \ a \ s}" + have "A \ AA" + proof (unfold AA_def, intro CollectI conjI allI impI) + show AS: "A \ S" unfolding A_def by auto + { fix x assume xA: "x \ A" + have "f x \ A" + proof (unfold A_def, intro CollectI conjI) + have "x \ S" using xA unfolding A_def by auto + then show "f x \ S" using f_closed_S by auto + { fix s assume sS: "s \ S" and sf: "f s \ s" + then have "x \ s" using xA sS sf A_def by auto + then have "f x \ s" using attract mono + unfolding A_def by (meson monotoneD sf) + } + then show "\s\S. f s \ s \ f x \ s" by auto + qed + } + then show "f ` A \ A" by auto + fix B b assume BA: "B \ A" and b: "extreme_bound_in (\) S B b" + then have "B \ S" unfolding A_def using BA AS by auto + with BA b have bS: "b \ S" by auto + { fix s assume sS: "s \ S" and sf: "f s \ s" + have "bound (\) B s" using sS BA b A_def sf by auto + } + with b have "\s\S. f s \ s \ b \ s" by auto + then show "b \ A" using bS by (auto simp: A_def) + qed + then have "C \ A" by (simp add: C_def Inf_lower) + then have "\a \ A. f a \ a" + using quasi_fixed_point_in_C by auto + then obtain a where aA: "a \ A" and faa: "f a \ a" by auto + with aA A_def have "extreme (\) {q \ S. f q \ q} a" by (auto simp: extreme_def) + then show ?thesis by auto +qed + +end + +end + + +context complete begin + +lemma complete_in_UNIV[intro!]: "complete_in (\) UNIV" + unfolding complete_in_def using complete by auto + +interpretation fixed_point_proof. + +theorem monotone_imp_ex_quasi_fixed_point: + assumes mono: "monotone (\) (\) f" + shows "\s. f s \ s" +proof- + have Ucl: "f ` UNIV \ UNIV" by auto + obtain s where sC: "s \ C f UNIV" and fss: "f s \ s" + using quasi_fixed_point_in_C[OF mono Ucl complete_in_UNIV] by auto + show "\s. f s \ s" using fss by auto +qed + +end + +context complete_antisymmetric begin + +corollary monotone_imp_ex_fixed_point: + assumes mono: "monotone (\) (\) f" + shows "\s. f s = s" + using monotone_imp_ex_quasi_fixed_point[OF mono] by auto + +end + +subsection \Completeness of Quasi-Fixed Points\ +text \\label{sec:qfp-complete}\ + +text \We now show that fixed points are complete in a complete trellis, +which strengthens the existing result by Stouti and Maaden who showed the existence of +the least fixed point. Below we derive an even more general result by dropping reflexivity.\ + +text \We first prove that, under attractivity, the set of quasi-fixed points is complete.\ + +context fixed_point_proof begin + +lemma attract_imp_qfp_complete: + assumes comp: "complete (\)" + assumes mono: "monotone (\) (\) f" + assumes attract: "\q x. f q \ q \ x \ f q \ x \ q" + assumes dual_attract: "\q x. f q \ q \ f q \ x \ q \ x" + shows "complete_in (\) {s. f s \ s}" +proof (intro complete_inI) + interpret complete using comp. + fix A assume Afix: "A \ {s. f s \ s}" + define S where "S \ {s. \a \ A. a \ s}" + { fix s a assume as: "\a \ A. a \ s" and aA: "a \ A" + have "a \ f s" + proof (rule dual_attract[rule_format]) + have "a \ s" using as aA by auto + then show "f a \ f s" using mono by (simp add: monotone_def) + show "f a \ a" using Afix aA by auto + qed + } + then have f_closed_S: "f ` S \ S" unfolding S_def by auto + have comp_S_dual: "complete_in (\) S" + proof (unfold complete_in_def, intro allI impI) + fix B assume BS: "B \ S" + then obtain b where bB: "extreme_bound (\) B b" using dual.complete by auto + show "Ex (extreme_bound_in (\) S B)" + proof (intro exI extreme_bound_inI) + { fix a assume aA: "a \ A" + then have "\c \ B. a \ c" using BS aA S_def by auto + then have "a \ b" using bB by blast + } + then show "b \ S" unfolding S_def by auto + show "x \ B \ b \ x" for x using bB by auto + fix c assume "bound (\) B c" + then show "c \ b" using bB by blast + qed + qed + then have comp_S: "complete_in (\) S" using complete_in_dual by auto + then obtain L where LefpS: "extreme (\) {q \ S. f q \ q} L" + using ex_extreme_quasi_fixed_point[OF mono f_closed_S comp_S attract] + by auto + show "Ex (extreme_bound_in (\) {s. f s \ s} A)" + proof (intro exI extreme_bound_inI) + show "L \ {s. f s \ s}" using LefpS by auto + fix a assume "a \ A" + with LefpS show "a \ L" by (auto simp: S_def) + next + fix c assume c: "bound (\) A c" and cfix: "c \ {s. f s \ s}" + from c have "c \ S" by (auto simp: S_def) + with cfix show "L \ c" using LefpS c by auto + qed +qed + +end + +context complete_attractive begin + +interpretation fixed_point_proof. + +theorem monotone_imp_quasi_fixed_points_complete: + assumes mono: "monotone (\) (\) f" + shows "complete_in (\) {s. f s \ s}" + by (rule attract_imp_qfp_complete[OF complete_axioms mono], auto dest: attract dual.attract) + +end + + +text \The next lemma shows that in a complete relation, two related sets of +strict fixed points have a quasi-fixed point in between.\ + +context fixed_point_proof begin + +lemma qfp_interpolant: + assumes comp: "complete (\)" and mono: "monotone (\) (\) f" + and AB: "\a \ A. \b \ B. a \ b" + and Afp: "\a \ A. f a = a" + and Bfp: "\b \ B. f b = b" + shows "\t. (f t \ t) \ (\a \ A. a \ t) \ (\b \ B. t \ b)" +proof- + interpret complete using comp. + define T where "T \ {t. (\a \ A. a \ t) \ (\b \ B. t \ b)}" + have f_closed_T: "f ` T \ T" + proof safe + fix t assume tT: "t \ T" + show "f t \ T" + proof (unfold T_def, safe) + fix a assume aA: "a \ A" + with tT monotoneD[OF mono] + have "f a \ f t" by (auto simp: T_def) + with Afp aA show "a \ f t" by auto + next + fix b assume bB: "b \ B" + with tT monotoneD[OF mono] + have "f t \ f b" by (auto simp: T_def) + with Bfp bB show "f t \ b" by auto + qed + qed + have T_comp: "complete_in (\) T" + proof + fix U assume UT: "U \ T" + obtain k where k: "extreme_bound (\) (U \ A) k" using complete by auto + have "extreme_bound_in (\) T U k" + proof (intro extreme_bound_inI) + { fix b assume "b \ B" + with AB T_def UT have "\x \ U \ A. x \ b" by auto + with k have "k \ b" by auto + } + with k T_def show "k \ T" by auto + next + fix x assume "x \ U" + with k show "x \ k" by auto + next + fix l + assume "bound (\) U l" and "l \ T" + then have "\a \ U \ A. a \ l" by (auto simp: T_def) + with k show "k \ l" by auto + qed + then show "Ex (extreme_bound_in (\) T U)" by auto + qed + obtain t where "t \ T" and "f t \ t" + using quasi_fixed_point + by (meson T_comp f_closed_T mono) + then show ?thesis by (auto simp: T_def) +qed + +end + +text \From this, we deduce that the set of strict fixed-points is also complete, assuming +only antisymmetry and attractivity.\ + +context complete_antisymmetric begin + +interpretation fixed_point_proof. + +context + fixes f assumes mono: "monotone (\) (\) f" +begin + +theorem monotone_imp_fixed_points_complete: + shows "complete_in (\) {s. f s = s}" +proof + fix A assume "A \ {s. f s = s}" + then have Afp: "\a\A. f a = a" by auto + define S where "S \ {s. \a \ A. a \ s}" + have f_closed_S: "f ` S \ S" + proof safe + fix s assume sS: "s \ S" + show "f s \ S" + proof(unfold S_def, safe) + fix a assume aA: "a \ A" + then have "f a \ f s" using S_def sS mono by (auto dest:monotoneD) + then show "a \ f s" using Afp aA by auto + qed + qed + have "complete_in (\) S" + proof + fix B assume BS: "B \ S" + obtain L where BL: "extreme_bound (\) B L" using dual.complete by blast + have "extreme_bound_in (\) S B L" + proof (intro extreme_bound_inI) + { fix a assume aA: "a \ A" + then have "\s \ B. a \ s" using BS S_def by auto + } + then have "\a \ A. a \ L" using BL by (simp add: extreme_bound_iff) + then show "L \ S" using S_def by auto + show "b \ B \ L \ b" for b using BL by auto + show "\c. bound (\) B c \ c \ L" using BL by (auto elim!: boundE) + qed + then show "Ex (extreme_bound_in (\) S B)" by auto + qed + then have comp_S: "complete_in (\) S" using complete_in_dual by auto + have "Ex (extreme (\) {q \ S. f q \ q})" + apply (rule ex_extreme_quasi_fixed_point[OF mono f_closed_S comp_S]) + by auto + then obtain q where q: "extreme (\) {q \ S. f q \ q \ q \ f q} q" by auto + have "extreme_bound_in (\) {s. f s = s} A q" + proof (intro extreme_bound_inI) + show qfp: "q \ {s. f s = s}" using q by auto + show Aq: "\a. a \ A \ a \ q" using q S_def by auto + fix c assume "bound (\) A c" and "c \ {s. f s = s}" + then have cfp: "f c = c" and Ac: "\a \ A. a \ c" by auto + define D where [simp]: "D \ {c,q}" + have AD: "\a \ A. \d \ D. a \ d" using Aq Ac by auto + then have Dfp: "\d\D. f d = d" using qfp cfp by auto + then obtain t where t: "(f t \ t) \ (\a \ A. a \ t) \ (\d \ D. t \ d)" + using qfp_interpolant[OF complete_axioms mono AD Afp Dfp] + by auto + then have tq: "t \ q" by auto + have "q \ t" using t q by (auto simp: S_def) + with tq have "q = t" by auto + also have "t \ c" using t by auto + finally show "q \ c". + qed + then show "Ex (extreme_bound_in (\) {s. f s = s} A)" by auto +qed + +corollary monotone_imp_ex_extreme_fixed_point: + shows "Ex (extreme (\) {s. f s = s})" + using complete_inD[OF monotone_imp_fixed_points_complete, of "{}"] + by auto + +end + +end + +section \Kleene-Style Fixed Point Theorem\ + +text \Kleene's fixed-point theorem states that, +for a pointed directed complete partial order $\tp{A,\SLE}$ +and a Scott-continous map $f: A \to A$, +the supremum of $\set{f^n(\bot) \mid n\in\Nat}$ exists in $A$ and is a least +fixed point. +Mashburn \cite{mashburn83} generalized the result so that +$\tp{A,\SLE}$ is a $\omega$-complete partial order +and $f$ is $\omega$-continuous. + +In this section we further generalize the result and show that +for $\omega$-complete relation $\tp{A,\SLE}$ +and for every bottom element $\bot \in A$, +the set $\set{f^n(\bot) \mid n\in\Nat}$ has suprema (not necessarily unique, of +course) and, +they are quasi-fixed points. +Moreover, if $(\SLE)$ is attractive, then the suprema are precisely the least +quasi-fixed points.\ + +subsection \Scott Continuity, $\omega$-Completeness, $\omega$-Continuity\ + +text \In this Section, we formalize $\omega$-completeness, Scott continuity and $\omega$-continuity. +We then prove that a Scott continuous map is $\omega$-continuous and that an $\omega$-continuous +map is ``nearly'' monotone.\ + +context + fixes less_eq :: "'a \ 'a \ bool" (infix "\" 50) +begin + +definition "omega_continuous f \ \c :: nat \ 'a. \ b. + monotone (\) (\) c \ + extreme_bound (\) (range c) b \ extreme_bound (\) (f ` range c) (f b)" + +lemma omega_continuousI[intro?]: + assumes "\c :: nat \ 'a. \ b. + monotone (\) (\) c \ + extreme_bound (\) (range c) b \ extreme_bound (\) (f ` range c) (f b)" + shows "omega_continuous f" + using assms by (auto simp: omega_continuous_def) + +lemma omega_continuousE[elim]: + assumes "omega_continuous f" + and "(\c :: nat \ 'a. \ b. monotone (\) (\) c \ + extreme_bound (\) (range c) b \ extreme_bound (\) (f ` range c) (f b) + ) \ thesis" + shows "thesis" + using assms by (auto simp: omega_continuous_def) + +lemma omega_continuous_imp_mono_refl: + assumes cont: "omega_continuous f" + and xy: "x \ y" and xx: "x \ x" and yy: "y \ y" + shows "f x \ f y" +proof- + define c :: "nat \ 'a" where "c \ \i. if i = 0 then x else y" + from xx xy yy have monoc: "monotone (\) (\) c" + by (auto simp: c_def intro!: monotoneI) + have "extreme_bound (\) (range c) y" using xy yy by (auto simp: c_def) + then have fboy: "extreme_bound (\) (f ` range c) (f y)" using monoc cont by auto + then show "f x \ f y" by (auto simp: c_def) +qed + +definition "scott_continuous f \ + \D b. directed (\) D \ extreme_bound (\) D b \ extreme_bound (\) (f ` D) (f b)" + +lemma scott_continuousI[intro?]: + assumes "\D b. directed (\) D \ extreme_bound (\) D b \ extreme_bound (\) (f ` D) (f b)" + shows "scott_continuous f" + using assms by (auto simp: scott_continuous_def) + +lemma scott_continuousE[elim]: + assumes "scott_continuous f" + and "(\D b. directed (\) D \ + extreme_bound (\) D b \ extreme_bound (\) (f ` D) (f b)) \ thesis" + shows "thesis" + using assms by (auto simp: scott_continuous_def) + +lemma scott_continous_imp_mono_refl: + assumes scott: "scott_continuous f" + and xy: "x \ y" and yy: "y \ y" + shows "f x \ f y" +proof- + define D where "D \ {x,y}" + from xy yy have dir_D +: "directed (\) D" by (auto simp: D_def intro!: bexI[of _ y]) + have "extreme_bound (\) D y" using xy yy by (auto simp: D_def) + then have fboy: "extreme_bound (\) (f ` D) (f y)" using dir_D scott by auto + then show "f x \ f y" by (auto simp: D_def) +qed + +lemma scott_continous_imp_omega_continous: + assumes scott: "scott_continuous f" shows "omega_continuous f" +proof + fix c :: "nat \ 'a" + assume "monotone (\) (\) c" + from monotone_directed_image[OF this order.dual.dual.directed_UNIV] scott + show "extreme_bound (\) (range c) b \ extreme_bound (\) (f ` range c) (f b)" for b + by auto +qed + +end + +subsection \Kleene's Fixed-Point Theorem\ + +text \The first part of Kleene's theorem demands to prove that the set +$\set{f^n(\bot) \mid n \in \Nat}$ has a supremum and +that all such are quasi-fixed points. We prove this claim without assuming +anything on the relation $\SLE$ besides $\omega$-completeness and one bottom element.\ + +context fixed_point_proof begin + +context + fixes f + assumes comp: "omega_complete (\)" + assumes cont: "omega_continuous (\) f" + fixes bot ("\<^bold>\") + assumes bot: "\q. \<^bold>\ \ q" +begin + +interpretation omega_complete "(\)" using comp. + +abbreviation(input) fn where "fn n \ (f ^^ n) \<^bold>\" + +abbreviation(input) "Fn \ range fn" + +lemma fn_ref: "fn n \ fn n" + using omega_continuous_imp_mono_refl[OF cont] bot by (induct n, auto) + +lemma fn_monotone: "monotone (\) (\) fn" +proof + fix n m :: nat + assume "n \ m" + from le_Suc_ex[OF this] obtain k where m: "m = n + k" by auto + from bot fn_ref omega_continuous_imp_mono_refl[OF cont] + show "fn n \ fn m" by (unfold m, induct n, auto) +qed + +lemma ex_kleene_fixed_point: + shows "Ex (extreme_bound (\) Fn)" + using monotone_seq_complete[OF fn_monotone] by auto + +lemma kleene_fixed_point_is_fixed: + assumes q: "extreme_bound (\) Fn q" + shows "f q \ q" +proof + have fq: "extreme_bound (\) (f ` Fn) (f q)" + using q cont fn_monotone by auto + with bot have nq: "fn n \ f q" for n + by(induct n, auto simp: extreme_bound_iff) + then show "q \ f q" using q by blast + have "f (fn n) \ range fn" for n by (auto intro!: range_eqI[of _ _ "Suc n"]) + then have "f ` Fn \ Fn" by auto + then show "f q \ q" using q fq + by (metis (no_types, lifting) bound_cmono extreme_def mem_Collect_eq) +qed + +lemma kleene_fixed_point_is_dual_extreme: + assumes attract: "\q x. f q \ q \ x \ f q \ x \ q" + assumes q: "extreme_bound (\) Fn q" + shows "extreme (\) {s. f s \ s} q" +proof(intro extremeI, unfold mem_Collect_eq, intro kleene_fixed_point_is_fixed[OF q]) + fix c assume cqfp: "f c \ c" + { + fix n::nat + have "fn n \ c" + proof(induct n) + case 0 + show ?case using bot by auto + next + case IH: (Suc n) + have "c \ c" using attract cqfp by blast + with IH have "fn (Suc n) \ f c" + using omega_continuous_imp_mono_refl[OF cont] fn_ref by auto + then show ?case using attract cqfp by blast + qed + } + then show "q \ c" using q by blast +qed + +lemma kleene_fixed_point_iff_dual_extreme: + assumes attract: "\q x. f q \ q \ x \ f q \ x \ q" + assumes dual_attract: "\p q x. p \ q \ q \ x \ p \ x" + shows "extreme_bound (\) Fn = extreme (\) {s. f s \ s}" +proof (intro ext iffI kleene_fixed_point_is_dual_extreme[OF attract]) + fix q + assume q: "extreme (\) {s. f s \ s} q" + from q have fqq: "f q \ q" by auto + from ex_kleene_fixed_point obtain k where k: "extreme_bound (\) Fn k" by auto + have qk: "q \ k" + proof + from kleene_fixed_point_is_fixed[OF k] q + show "q \ k" by auto + from kleene_fixed_point_is_dual_extreme[OF _ k] q attract + show "k \ q" by blast + qed + show "extreme_bound (\) Fn q" + proof (intro extreme_boundI,safe) + fix n + show "(f ^^ n) \<^bold>\ \ q" + apply (induct n, auto intro: bot[rule_format]) + by (meson attract fn_ref fqq omega_continuous_imp_mono_refl[OF cont]) + next + fix x + assume "bound (\) Fn x" + with k have kx: "k \ x" by auto + with dual_attract[rule_format, OF qk] + show "q \ x" by auto + qed +qed + +end + +end + +context omega_complete begin + +interpretation fixed_point_proof. + +theorem kleene_quasi_fixed_point: + assumes "omega_continuous (\) f" and "\x. bo \ x" + shows "\p. extreme_bound (\) {(f ^^ n) bo |. n :: nat} p" + and "extreme_bound (\) {(f ^^ n) bo |. n :: nat} p \ f p \ p" + using ex_kleene_fixed_point[OF omega_complete_axioms assms] + using kleene_fixed_point_is_fixed[OF omega_complete_axioms assms]. + +end + +text \Kleene's theorem also states that the quasi-fixed point found this way is a least one. +Again, attractivity is needed to prove this statement.\ + +context attractive begin + +interpretation fixed_point_proof. + +corollary kleene_quasi_fixed_point_dual_extreme: + assumes "omega_complete (\)" and "omega_continuous (\) f" and "\x. bo \ x" + shows "extreme_bound (\) {(f ^^ n) bo |. n :: nat} = extreme (\) {s. f s \ s}" + apply (rule kleene_fixed_point_iff_dual_extreme[OF assms]) + by (auto dest: attract dual.attract) + +end + +context antisymmetric begin + +interpretation fixed_point_proof. + +corollary kleene_fixed_point_is_fixed: + assumes "omega_complete (\)" and "omega_continuous (\) f" and "\x. bo \ x" + and "extreme_bound (\) {(f ^^ n) bo |. n :: nat} p" + shows "f p = p" + using kleene_fixed_point_is_fixed[OF assms] by auto + +end + +end \ No newline at end of file diff --git a/thys/Complete_Non_Orders/ROOT b/thys/Complete_Non_Orders/ROOT new file mode 100644 --- /dev/null +++ b/thys/Complete_Non_Orders/ROOT @@ -0,0 +1,10 @@ +chapter AFP + +session Complete_Non_Orders (AFP) = HOL + + description {* Theory of Complete Non-Orders and their Fixed-Points Theorems *} + options [timeout = 300] + theories + Fixed_Points + document_files + "root.tex" + "root.bib" diff --git a/thys/Complete_Non_Orders/document/root.bib b/thys/Complete_Non_Orders/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/Complete_Non_Orders/document/root.bib @@ -0,0 +1,289 @@ +%% This BibTeX bibliography file was created using BibDesk. +%% http://bibdesk.sourceforge.net/ + +%% Created for Jeremy Dubut at 2019-03-29 18:38:21 +0900 + + +%% Saved with string encoding Unicode (UTF-8) + +@Inbook{Bergman2015, +author="Bergman, George M.", +title="Lattices, Closure Operators, and Galois Connections", +bookTitle="An Invitation to General Algebra and Universal Constructions", +year="2015", +publisher="Springer International Publishing", +address="Cham", +pages="173--212", +isbn="978-3-319-11478-1", +doi="10.1007/978-3-319-11478-1_6", +url="https://doi.org/10.1007/978-3-319-11478-1_6" +} + +@book{Schmidt1993, +author="Schmidt, Gunther +and Str{\"o}hlein, Thomas", +title="Relations and Graphs: Discrete Mathematics for Computer Scientists", +year="1993", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="5--27", +} + +@book{gierz03, + Author = {G. Gierz and K. H. Hofmann and K. Keimel and J. D. Lawson and M. W. Mislove and D. S. Scott}, + Date-Added = {2019-03-29 18:36:56 +0900}, + Date-Modified = {2019-03-29 18:38:15 +0900}, + Publisher = {Cambridge University Press}, + Title = {Continuous Lattices and Domains}, + Year = {2003}} + +@book{abramski94, + Author = {Samson Abramsky and Achim Jung}, + Date-Added = {2019-03-29 18:27:24 +0900}, + Date-Modified = {2019-03-29 18:30:21 +0900}, + Number = {III}, + Publisher = {Oxford University Press}, + Series = {Handbook of Logic in Computer Science}, + Title = {Domain Theory}, + Year = {1994}} + +@book{davey02, + Author = {B. A. Davey and H. A. Priestley}, + Date-Added = {2019-03-29 18:24:39 +0900}, + Date-Modified = {2019-03-29 18:25:37 +0900}, + Publisher = {Cambridge University Press}, + Title = {Introduction to Lattices and Order}, + Year = {2002}} + +@article{mashburn83, + Author = {J. D. Mashburn}, + Date-Added = {2019-03-27 22:36:00 +0900}, + Date-Modified = {2019-03-27 22:38:19 +0900}, + Journal = {Houston Journal of Mathematics}, + Number = {2}, + Pages = {231--244}, + Title = {The least fixed point property for omega-chain continuous functions}, + Volume = {9}, + Year = {1983}} + +@article{tarski55, + Author = {Alfred Tarski}, + Date-Added = {2019-03-27 11:16:30 +0900}, + Date-Modified = {2019-03-27 11:17:45 +0900}, + Journal = {Pacific Journal of Mathematics}, + Number = {2}, + Pages = {285--309}, + Title = {A lattice-theoretical fixpoint theorem and its applications}, + Volume = {5}, + Year = {1955}} + +@article{trellis, + Author = {Skala, H.L.}, + Doi = {10.1007/BF02944982}, + Issue = 1, + Journal = {Algebra Univ.}, + Pages = {218--233}, + Title = {Trellis theory}, + Volume = 1, + Year = 1971, + Bdsk-Url-1 = {https://doi.org/10.1007/BF02944982}} + +@article{SM13, + Author = {Stouti, Abdelkader and Maaden, Abdelhakim}, + Doi = {10.4067/S0716-09172013000400008}, + Journal = {Proyecciones. Revista de Matem{\'a}tica}, + Number = {4}, + Pages = {409-418}, + Title = {Fixed points and common fixed points theorems in pseudo-ordered sets}, + Volume = {32}, + Year = {2013}, + Bdsk-Url-1 = {https://doi.org/10.4067/S0716-09172013000400008}} + +@article{LN83, + Author = {Leutola, K and Nieminen, J}, + Journal = {Algebra Universalis}, + Number = {1}, + Pages = {344--354}, + Publisher = {Springer}, + Title = {Posets and generalized lattices}, + Volume = {16}, + Year = {1983}} + +@article{Bhatta05, + Author = {Bhatta, S Parameshwara}, + Journal = {Czechoslovak Mathematical Journal}, + Number = {2}, + Pages = {365--369}, + Publisher = {Springer}, + Title = {Weak chain-completeness and fixed point property for pseudo-ordered sets}, + Volume = {55}, + Year = {2005}} + +@article{PG11, + Author = {Parameshwara Bhatta, S and George, Shiju}, + Journal = {Algebra and Discrete Mathematics}, + Number = {1}, + Pages = {17--22}, + Publisher = {Луганский национальный университет им. Т. Шевченко}, + Title = {Some fixed point theorems for pseudo ordered sets}, + Volume = {11}, + Year = {2011}} + +@article{flyspeck, + Author = {Hales, Thomas and Adams, Mark and Bauer, Gertrud and Dang, Tat Dat and Harrison, John and Le Truong, Hoang and Kaliszyk, Cezary and Magron, Victor and McLaughlin, Sean and Nguyen, Tat Thang and others}, + Journal = {Forum of Mathematics, Pi}, + Publisher = {Cambridge University Press}, + Title = {A formal proof of the {K}epler conjecture}, + Volume = {5}, + Year = {2017}} + +@article{4color, + Author = {Gonthier, Georges}, + Journal = {Notices of the AMS}, + Number = {11}, + Pages = {1382--1393}, + Title = {Formal proof -- the four-color theorem}, + Volume = {55}, + Year = {2008}} + +@inproceedings{sel4, + Author = {Klein, Gerwin and Elphinstone, Kevin and Heiser, Gernot and Andronick, June and Cock, David and Derrin, Philip and Elkaduwe, Dhammika and Engelhardt, Kai and Kolanski, Rafal and Norrish, Michael and others}, + Booktitle = {Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems principles}, + Organization = {ACM}, + Pages = {207--220}, + Title = {se{L}4: Formal verification of an {OS} kernel}, + Year = {2009}} + +@inproceedings{isabelle/jedit, + Author = {Wenzel, Makarius}, + Booktitle = {International Conference on Intelligent Computer Mathematics}, + Organization = {Springer}, + Pages = {468--471}, + Title = {{I}sabelle/j{E}dit--a Prover {IDE} within the {PIDE} framework}, + Year = {2012}} + +@inproceedings{quickcheck, + Acmid = {1030056}, + Address = {Washington, DC, USA}, + Author = {Berghofer, Stefan and Nipkow, Tobias}, + Booktitle = {Proceedings of the Software Engineering and Formal Methods, Second International Conference}, + Doi = {10.1109/SEFM.2004.36}, + OPIsbn = {0-7695-2222-X}, + Numpages = {10}, + Pages = {230--239}, + Publisher = {IEEE Computer Society}, + Series = {SEFM '04}, + Title = {Random Testing in {I}sabelle/{HOL}}, + Year = {2004}, + Bdsk-Url-1 = {http://dx.doi.org/10.1109/SEFM.2004.36}} + +@inproceedings{nitpick, + Address = {Berlin, Heidelberg}, + Author = {Blanchette, Jasmin Christian and Nipkow, Tobias}, + Booktitle = {Interactive Theorem Proving}, + Editor = {Kaufmann, Matt and Paulson, Lawrence C.}, + OPIsbn = {978-3-642-14052-5}, + Pages = {131--146}, + Publisher = {Springer Berlin Heidelberg}, + Title = {Nitpick: A Counterexample Generator for Higher-Order Logic Based on a Relational Model Finder}, + Year = {2010}} + +@inproceedings{codegen, + Author = {Haftmann, Florian and Nipkow, Tobias}, + Booktitle = {Theorem Proving in Higher Order Logics (TPHOLs 2007)}, + Pages = {128--143}, + Series = {Lecture Notes in Computer Science}, + Title = {A code generator framework for {I}sabelle/{HOL}}, + Volume = {4732}, + Year = {2007}} + +@inproceedings{locale, + Address = {Berlin, Heidelberg}, + Author = {Ballarin, Clemens}, + Booktitle = {Mathematical Knowledge Management}, + Doi = {10.1007/11812289_4}, + Editor = {Borwein, Jonathan M. and Farmer, William M.}, + OPIsbn = {978-3-540-37106-9}, + Pages = {31--43}, + Publisher = {Springer Berlin Heidelberg}, + Title = {Interpretation of Locales in {I}sabelle: Theories and Proof Contexts}, + Year = {2006}, + Bdsk-Url-1 = {https://doi.org/10.1007/11812289_4}} + +@inproceedings{Kammuller00, + Address = {Berlin, Heidelberg}, + Author = {Kamm{\"u}ller, Florian}, + Booktitle = {Automated Deduction - CADE-17}, + Doi = {10.1007/10721959_7}, + Editor = {McAllester, David}, + OPIsbn = {978-3-540-45101-3}, + Pages = {99--114}, + Publisher = {Springer Berlin Heidelberg}, + Title = {Modular Reasoning in {I}sabelle}, + Year = {2000}, + Bdsk-Url-1 = {https://doi.org/10.1007/10721959_7}} +@inproceedings{isafor, + title={Certification of termination proofs using {CeTA}}, + author={Thiemann, Ren{\'e} and Sternagel, Christian}, + booktitle={International Conference on Theorem Proving in Higher Order Logics}, + pages={452--468}, + year={2009}, + organization={Springer} +} +@book{Isabelle, + Author = {T.~Nipkow and L.C.~Paulson and M.~Wenzel}, + Publisher = {Springer}, + Series = {LNCS}, + Title = {{Isabelle/HOL} -- A Proof Assistant for Higher-Order Logic}, + Volume = 2283, + Year = 2002 +} +@inproceedings{hol4, + title={A brief overview of {HOL4}}, + author={Slind, Konrad and Norrish, Michael}, + booktitle={International Conference on Theorem Proving in Higher Order Logics}, + pages={28--32}, + year={2008}, + organization={Springer} +} +@inproceedings{hol-light, + title={{HOL} light: An overview}, + author={Harrison, John}, + booktitle={International Conference on Theorem Proving in Higher Order Logics}, + pages={60--66}, + year={2009}, + organization={Springer} +} +@inproceedings{agda, + title={A brief overview of {A}gda -- a functional language with dependent types}, + author={Bove, Ana and Dybjer, Peter and Norell, Ulf}, + booktitle={International Conference on Theorem Proving in Higher Order Logics}, + pages={73--78}, + year={2009}, + organization={Springer} +} +@book{coq, + title={Certified programming with dependent types: a pragmatic introduction to the Coq proof assistant}, + author={Chlipala, Adam}, + year={2013}, + publisher={MIT Press} +} +@inproceedings{compcert, + title={Formal {C} semantics: {C}omp{C}ert and the {C} standard}, + author={Krebbers, Robbert and Leroy, Xavier and Wiedijk, Freek}, + booktitle={International Conference on Interactive Theorem Proving}, + pages={543--548}, + year={2014}, + organization={Springer} +} +@inproceedings{sledgehammer, + title={Sledgehammer: judgement day}, + author={B{\"o}hme, Sascha and Nipkow, Tobias}, + booktitle={International Joint Conference on Automated Reasoning}, + pages={107--121}, + year={2010}, + organization={Springer} +} + + + diff --git a/thys/Complete_Non_Orders/document/root.tex b/thys/Complete_Non_Orders/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/Complete_Non_Orders/document/root.tex @@ -0,0 +1,193 @@ +\documentclass[11pt,a4paper]{article} +\usepackage{isabelle,isabellesym} +\usepackage{amssymb,amsmath,stmaryrd} +\usepackage{tikz} +\usetikzlibrary{backgrounds} +\usetikzlibrary{positioning} +\usetikzlibrary{shapes} + +% this should be the last package used +\usepackage{pdfsetup} + +% urls in roman style, theory text in math-similar italics +\urlstyle{rm} +\isabellestyle{it} + +\newcommand\SLE{\sqsubseteq} +\newcommand\Nat{\mathbb{N}} + + +\makeatletter + +\def\tp@#1#2{\@ifnextchar[{\tp@@{#1}{#2}}{\tp@@@{#1}{#2}}} +\def\tp@@#1#2[#3]#4{#3#1\def\mid{\mathrel{#3|}}#4#3#2} +\def\tp@@@#1#2#3{\bgroup\left#1\def\mid{\;\middle|\;}#3\right#2\egroup} +\def\pa{\tp@()} +\def\tp{\tp@\langle\rangle} +\def\set{\tp@\{\}} + +\makeatother + + +\begin{document} + +\title{Complete Non-Orders and Fixed Points} +\author{Akihisa Yamada and Jérémy Dubut} +\maketitle + +\begin{abstract} + We develop an Isabelle/HOL library of order-theoretic concepts, such as various completeness conditions and + fixed-point theorems. We keep our formalization as general as possible: we reprove several well-known results + about complete orders, often without any properties of ordering, thus complete non-orders. In particular, we + generalize the Knaster--Tarski theorem so that we ensure the existence of a quasi-fixed point of monotone maps + over complete non-orders, and show that the set of quasi-fixed points is complete under a mild condition---% + attractivity---which is implied by either antisymmetry or transitivity. This result generalizes and strengthens a result + by Stauti and Maaden. Finally, we recover Kleene's fixed-point theorem for omega-complete non-orders, again + using attractivity to prove that Kleene's fixed points are least quasi-fixed points. +\end{abstract} + +\tableofcontents + +\section{Introduction} + +The main driving force towards mechanizing mathematics using proof assistants +has been the reliability they offer, +exemplified prominently by~\cite{4color},~\cite{flyspeck},~\cite{sel4}, etc. +In this work, we utilize another aspect of Isabelle/JEdit~\cite{isabelle/jedit} +as engineering tools for developing mathematical theories. +We formalize order-theoretic concepts and results, +adhering to an \emph{as-general-as-possible} approach: +most results concerning order-theoretic completeness and fixed-point theorems +are proved without assuming the underlying relations to be orders (non-orders). +In particular, we provide the following: +\begin{itemize} +\item +A locale-based library for binary relations, +as partly depicted in Figure~\ref{fig:non-orders}. +\item +Various completeness results that generalize known theorems in order theory: +Actually most relationships and duality of completeness conditions are proved without +\emph{any} properties of the underlying relations. +\item Existence of fixed points: +We show that a relation-preserving mapping $f : A \to A$ +over a complete non-order $\tp{A,\SLE}$ +admits a \emph{quasi-fixed point} $f(x) \sim x$, +meaning $x \SLE f(x) \wedge f(x) \SLE x$. +Clearly if $\SLE$ is antisymmetric then this implies the existence of fixed points $f(x) = x$. +\item Completeness of the set of fixed points: +We further show that +if $\SLE$ satisfies a mild condition, which we call \emph{attractivity} and +which is implied by either transitivity or antisymmetry, +then the set of quasi-fixed points is complete. +Furthermore, we also show that if $\SLE$ is antisymmetric, +then the set of \emph{strict} fixed points $f(x) = x$ is complete. +\item Kleene-style fixed-point theorems: +For an $\omega$-complete non-order $\tp{A,\SLE}$ with a bottom element $\bot \in A$ (not necessarily unique) +and for every $\omega$-continuous map $f : A \to A$, +a supremum exists for the set $\set{ f^n(\bot) \mid n \in \Nat}$, +and it is a quasi-fixed point. +If $\SLE$ is attractive, then +the quasi-fixed points obtained this way are precisely the least quasi-fixed points. +\end{itemize} +We remark that all these results would have required much more effort than we spent +(if possible at all), +if we were not with the smart assistance by Isabelle. +Our workflow was often the following: first we formalize existing proofs, try relaxing assumptions, see where proof breaks, +and at some point ask for a counterexample. + +\begin{figure} +\small +\centering +\def\isa#1{\textsf{#1}} +\def\t{-1.8} +\def\a{3.6} +\def\at{1.8} +\def\s{-3.6} +\def\st{-5.4} +\begin{tikzpicture} +\tikzstyle{every node}=[draw,ellipse] +\tikzstyle{every edge}=[draw] +\draw + (0,0) node[fill] (rel) {} + (\t,1) node (trans) {\isa{transitive}} + (0,-2) node (refl) {\isa{reflexive}} + (0,2) node (irr) {\isa{irreflexive}} + (\s,0) node (sym) {\isa{symmetric}} + (\a,0) node (anti) {\isa{antisymmetric}} + (\at,1) node (near) {\isa{near\_order}} + (\a,2) node (asym) {\isa{asymmetric}} + (\a,-2) node (pso) {\isa{pseudo\_order}} + (\at,-1) node (po) {\isa{partial\_order}} + (\t,-1) node (qo) {\isa{quasi\_order}} + (0,3) node (str) {\hspace{3em}\isa{strict\_order}\mbox{\hspace{3em}}} + (\st,-1) node (equiv) {\isa{equivalence}} + (\st,1) node (peq) {\hspace{-.8em}\isa{partial\_equivalence}\mbox{\hspace{-.8em}}} + (\st,3) node (emp) {$\emptyset$} + (\s,-2) node (tol) {\isa{tolerance}} + (\s,2) node (ntol) {$\neg$\isa{tolerance}} + ; +\draw[->] + (near) edge[color=blue] ([xshift=51,yshift=-7]str) + (irr) edge[color=red] ([xshift=-46,yshift=-8]str) + (trans) edge[color=blue] ([xshift=-51,yshift=-7]str) + (asym) edge[color=red] ([xshift=55,yshift=-7]str) + (trans) edge[color=green] (near) + (anti) edge[color=red] (near) + (irr) edge[color=green] (asym) + (anti) edge[color=blue] (asym) + (anti) edge[color=blue] (pso) + (near) edge[color=blue] (po) + (pso) edge[color=red] (po) + (refl) edge[color=green] (pso) + (trans) edge[color=blue] (qo) + (refl) edge[color=red] (qo) + (qo) edge[color=green] (po) + (qo) edge[color=green] (equiv) + (peq) edge[color=blue] (equiv) + (trans) edge[color=green] (peq) + (peq) edge[color=blue] (emp) + (str) edge[color=green] (emp) + (sym) edge[color=red] (peq) + (sym) edge[color=blue] (tol) + (sym) edge[color=blue] (ntol) + (irr) edge[color=green] (ntol) + (refl) edge[color=green] (tol) + (ntol) edge[color=red] (emp) + (tol) edge[color=red] (equiv) + (rel) edge[color=red, line width=1.5pt] (trans) + (rel) edge[color=blue, line width=1.5pt] (irr) + (rel) edge[color=blue, line width=1.5pt] (refl) + (rel) edge[color=green, line width=1.5pt] (sym) + (rel) edge[color=green, line width=1.5pt] (anti) + ; +\end{tikzpicture} +\caption{\label{fig:non-orders} +Combinations of basic properties. +The black dot around the center represents arbitrary binary relations, +and the five outgoing arrows indicate atomic assumptions. +We do not present the combination +of \isa{reflexive} and \isa{irreflexive}, which is empty, +and one of \isa{symmetric} and \isa{antisymmetric}, +which is a subset of equality. +Node ``$\neg$\isa{tolerance}'' indicates the negated relation is \isa{tolerance}, +and ``$\emptyset$'' is the empty relation. +} +\end{figure} + +\paragraph*{Related Work} +Many attempts have been made to generalize the notion of completeness for lattices, conducted in different directions: by relaxing the notion of order itself, removing transitivity (pseudo-orders \cite{trellis}); by relaxing the notion of lattice, considering minimal upper bounds instead of least upper bounds ($\chi$-posets \cite{LN83}); by relaxing the notion of completeness, requiring the existence of least upper bounds for restricted classes of subsets (e.g., directed complete and $\omega$-complete, see \cite{davey02} for a textbook). Considering those generalizations, it was natural to prove new versions of classical fixed-point theorems for maps preserving those structures, e.g., existence of least fixed points for monotone maps on (weak chain) complete pseudo-orders \cite{Bhatta05, SM13}, construction of least fixed points for $\omega$-continuous functions for $\omega$-complete lattices \cite{mashburn83}, (weak chain) completeness of the set of fixed points for monotone functions on (weak chain) complete pseudo-orders \cite{PG11}. + +Concerning Isabelle formalization, +one can easily find several formalizations of complete partial orders or lattices in Isabelle's standard library. +They are, however, defined on partial orders, either in form of classes or locales, +and thus not directly reusable for non-orders. +Nevertheless we tried to make our formalization compatible with the existing ones, +and various correspondences are ensured. + +% include generated text of all theories +\input{session} + +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document} diff --git a/thys/Differential_Game_Logic/Axioms.thy b/thys/Differential_Game_Logic/Axioms.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Axioms.thy @@ -0,0 +1,141 @@ +theory "Axioms" +imports + "Syntax" + "Denotational_Semantics" + "Ids" +begin + +section \Axioms and Axiomatic Proof Rules of Differential Game Logic\ + +subsection \Axioms\ + +abbreviation pusall:: "fml" + where "pusall \ \Game hgidc\TT" + +abbreviation nothing:: "trm" + where "nothing \ Number 0" + + +named_theorems axiom_defs "Axiom definitions" + +definition box_axiom :: "fml" + where [axiom_defs]: +"box_axiom \ (Box (Game hgid1) pusall) \ Not(Diamond (Game hgid1) (Not(pusall)))" + +definition assigneq_axiom :: "fml" + where [axiom_defs]: +"assigneq_axiom \ (Diamond (Assign xid1 (Const fid1)) pusall) \ Exists xid1 (Equals (Var xid1) (Const fid1) && pusall)" + +definition stutterd_axiom :: "fml" + where [axiom_defs]: +"stutterd_axiom \ (Diamond (Assign xid1 (Var xid1)) pusall) \ pusall" + +definition test_axiom :: "fml" + where [axiom_defs]: +"test_axiom \ Diamond (Test (Pred pid2 nothing)) (Pred pid1 nothing) \ (Pred pid2 nothing && Pred pid1 nothing)" + +definition choice_axiom :: "fml" + where [axiom_defs]: +"choice_axiom \ Diamond (Choice (Game hgid1) (Game hgid2)) pusall \ (Diamond (Game hgid1) pusall || Diamond (Game hgid2) pusall)" + +definition compose_axiom :: "fml" + where [axiom_defs]: +"compose_axiom \ Diamond (Compose (Game hgid1) (Game hgid2)) pusall \ Diamond (Game hgid1) (Diamond (Game hgid2) pusall)" + +definition iterate_axiom :: "fml" + where [axiom_defs]: +"iterate_axiom \ Diamond (Loop (Game hgid1)) pusall \ (pusall || Diamond (Game hgid1) (Diamond (Loop (Game hgid1)) pusall))" + +definition dual_axiom :: "fml" + where [axiom_defs]: +"dual_axiom \ Diamond (Dual (Game hgid1)) pusall \ !(Diamond (Game hgid1) (!pusall))" + + +subsection \Axiomatic Rules\ + +named_theorems rule_defs "Rule definitions" + +definition mon_rule :: "inference" + where [rule_defs]: +"mon_rule \ ([(\Game hgidc\TT) \ (\Game hgidd\TT)], (\Game hgid1\(\Game hgidc\TT)) \ (\Game hgid1\(\Game hgidd\TT)))" + +definition FP_rule :: "inference" + where [rule_defs]: +"FP_rule \ ([((\Game hgidc\TT) || \Game hgid1\\Game hgidd\TT) \ \Game hgidd\TT], (\Loop (Game hgid1)\\Game hgidc\TT) \ (\Game hgidd\TT))" + +definition MP_rule :: "inference" + where [rule_defs]: +"MP_rule \ ([Pred pid1 nothing , Pred pid1 nothing \ Pred pid2 nothing], Pred pid2 nothing)" + +definition gena_rule :: "inference" + where [rule_defs]: +"gena_rule \ ([pusall], Exists xid1 pusall)" + + +subsection \Soundness / Validity Proofs for Axioms\ + +text \Because an axiom in a uniform substitution calculus is an individual formula, + proving the validity of that formula suffices to prove soundness\ + +lemma box_valid: "valid box_axiom" + unfolding box_axiom_def Box_def Or_def by simp + +(*lemma assign_equal: "game_sem I (Assign x (Const f)) (fml_sem I \) = fml_sem I (Exists x (Equals (Var x) (Const f) && \))" + by simp*) + +lemma assigneq_valid: "valid assigneq_axiom" + unfolding assigneq_axiom_def by (auto simp add: valid_equiv) + +(*lemma game_sem_stutter: "game_sem I (Assign x (Var x)) X = X" + by (auto simp add: repv_self)*) + +lemma stutterd_valid: "valid stutterd_axiom" + unfolding stutterd_axiom_def by (auto simp add: valid_equiv) + +lemma test_valid: "valid test_axiom" + unfolding test_axiom_def Or_def using valid_equiv by fastforce + +lemma choice_valid: "valid choice_axiom" + unfolding choice_axiom_def Or_def by (auto simp add: valid_equiv) + +lemma compose_valid: "valid compose_axiom" + unfolding compose_axiom_def Or_def by (simp add: valid_equiv) + +lemma dual_valid: "valid dual_axiom" +unfolding dual_axiom_def using valid_equiv fml_sem_not using fml_sem.simps(6) game_sem.simps(7) by presburger + +lemma iterate_valid: "valid iterate_axiom" +(*unfolding iterate_axiom_def using valid_equiv fml_sem.simps(6) game_equiv_subst[OF loop_iterate_equiv]*) +proof- + have "\I. fml_sem I (Diamond (Loop (Game hgid1)) pusall) = fml_sem I (pusall || Diamond (Game hgid1) (Diamond (Loop (Game hgid1)) pusall))" + proof + fix I + have "fml_sem I (Diamond (Loop (Game hgid1)) pusall) = game_sem I (Loop (Game hgid1)) (fml_sem I pusall)" by (rule fml_sem.simps(6)) + also have "... = game_sem I (Choice Skip (Compose (Game hgid1) (Loop (Game hgid1)))) (fml_sem I pusall)" + using game_equiv_subst[where I=I and X=\fml_sem I pusall\, OF loop_iterate_equiv[where \=\Game hgid1\]] by blast + also have "... = fml_sem I (Diamond (Choice Skip (Compose (Game hgid1) (Loop (Game hgid1)))) pusall)" by simp + also have "... = fml_sem I (Diamond Skip pusall || Diamond (Compose (Game hgid1) (Loop (Game hgid1))) pusall)" by simp + also have "... = fml_sem I (pusall || Diamond (Compose (Game hgid1) (Loop (Game hgid1))) pusall)" by simp + also have "... = fml_sem I (pusall || Diamond (Game hgid1) (Diamond (Loop (Game hgid1)) pusall))" by simp + finally show "fml_sem I (Diamond (Loop (Game hgid1)) pusall) = fml_sem I (pusall || Diamond (Game hgid1) (Diamond (Loop (Game hgid1)) pusall))" . + qed + then have "valid ((Diamond (Loop (Game hgid1)) pusall) \ (pusall || Diamond (Game hgid1) (Diamond (Loop (Game hgid1)) pusall)))" using valid_equiv by (rule rev_iffD2) + then show "valid iterate_axiom" unfolding iterate_axiom_def by auto +qed + + +subsection \Local Soundness Proofs for Axiomatic Rules\ + +lemma mon_locsound: "locally_sound mon_rule" + unfolding mon_rule_def locally_sound_def using valid_in_impl monotone by simp + +lemma FP_locsound: "locally_sound FP_rule" + unfolding FP_rule_def locally_sound_def using valid_in_impl game_sem_loop by auto + +lemma MP_locsound: "locally_sound MP_rule" + unfolding MP_rule_def locally_sound_def valid_in_def using fml_sem_implies less_Suc_eq by auto + +lemma gena_locsound: "locally_sound gena_rule" + unfolding gena_rule_def locally_sound_def valid_in_def using fml_sem_implies less_Suc_eq by auto + +end diff --git a/thys/Differential_Game_Logic/Coincidence.thy b/thys/Differential_Game_Logic/Coincidence.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Coincidence.thy @@ -0,0 +1,787 @@ +theory "Coincidence" +imports + "Lib" + "Syntax" + "Denotational_Semantics" + "Static_Semantics" + "HOL.Finite_Set" +begin +section \Static Semantics Properties\ + +subsection Auxiliaries + +text \The state interpolating \stateinterpol \ \ S\ between \\\ and \\\ that is \\\ on \S\ and \\\ elsewhere\ + +definition stateinterpol:: "state \ state \ variable set \ state" + where + "stateinterpol \ \ S = (\x. if (x\S) then \(x) else \(x))" + +definition statediff:: "state \ state \ variable set" + where "statediff \ \ = {x. \(x)\\(x)}" + +lemma nostatediff: "x\statediff \ \ \ \(x)=\(x)" + by (simp add: statediff_def) + +lemma stateinterpol_empty: "stateinterpol \ \ {} = \" +proof + fix x + have empty: "\x. \(x\{})" by auto + show "\x. stateinterpol \ \ {} x = \ x" using empty by (simp add: stateinterpol_def) +qed + +lemma stateinterpol_left [simp]: "x\S \ (stateinterpol \ \ S)(x)=\(x)" + by (simp add: stateinterpol_def) + +lemma stateinterpol_right [simp]: "x\S \ (stateinterpol \ \ S)(x)=\(x)" + by (simp add: stateinterpol_def) + +lemma Vagree_stateinterpol [simp]: "Vagree (stateinterpol \ \ S) \ S" + and "Vagree (stateinterpol \ \ S) \ (-S)" + unfolding Vagree_def by auto + +lemma Vagree_ror: "Vagree \ \' (V\W) \ (\\. (Vagree \ \ V \ Vagree \ \' W))" +proof - + assume "Vagree \ \' (V\W)" + hence "\x. x\V\W \ \(x)=\'(x)" by (simp add: Vagree_def) + let ?w="stateinterpol \ \' V" + have l: "Vagree \ ?w V" by (simp add: Vagree_def) + have r: "Vagree ?w \' W \ Vagree ?w \' W" by (simp add: Vagree_def stateinterpol_def \\x. x\V\W \ \ x = \' x\) + have "Vagree \ ?w V \ Vagree ?w \' W" using l and r by blast + thus ?thesis by auto +qed + + +text \Remark 8 \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\ about simple properties of projections\ + +lemma restrictto_extends [simp]: "restrictto X V \ X" + by (auto simp add: restrictto_def) + +lemma restrictto_compose [simp]: "restrictto (restrictto X V) W = restrictto X (V\W)" +proof + show "restrictto (restrictto X V) W \ restrictto X (V\W)" + by (auto simp add: restrictto_def Vagree_def) +next + show "restrictto X (V\W) \ restrictto (restrictto X V) W" + (*by (smt Vagree_ror mem_Collect_eq restrictto_def subsetI)*) + proof - (* sledgehammer *) + obtain rr :: "(variable \ real) set \ (variable \ real) set \ variable \ real" where + "\x0 x1. (\v2. v2 \ x1 \ v2 \ x0) = (rr x0 x1 \ x1 \ rr x0 x1 \ x0)" + by moura + then have f1: "\F Fa. rr Fa F \ F \ rr Fa F \ Fa \ F \ Fa" + by (meson subsetI) + obtain rra :: "(variable \ real) \ variable set \ (variable \ real) set \ variable \ real" where + "\x0 x1 x2. (\v3. v3 \ x2 \ Vagree v3 x0 x1) = (rra x0 x1 x2 \ x2 \ Vagree (rra x0 x1 x2) x0 x1)" + by moura + then have f2: "\F V f. (f \ {f. \fa. fa \ F \ Vagree fa f V} \ rra f V F \ F \ Vagree (rra f V F) f V) \ (f \ {f. \fa. fa \ F \ Vagree fa f V} \ (\fa. fa \ F \ \ Vagree fa f V))" + by blast + moreover + { assume "\f. f \ X \ Vagree f (v4_1 W V (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (rra (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (V \ W) X)) V" + moreover + { assume "\f. f \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree f (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) W" + then have "rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)} \ {f. \fa. fa \ X \ Vagree fa f (V \ W)} \ rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)} \ {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W}" + by blast + then have "{f. \fa. fa \ X \ Vagree fa f (V \ W)} \ {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W}" + using f1 by meson } + ultimately have "(\ Vagree (rra (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (V \ W) X) (v4_1 W V (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (rra (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (V \ W) X)) V \ \ Vagree (v4_1 W V (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (rra (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) (V \ W) X)) (rr {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W} {f. \fa. fa \ X \ Vagree fa f (V \ W)}) W) \ {f. \fa. fa \ X \ Vagree fa f (V \ W)} \ {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W}" + using f2 by meson } + ultimately have "{f. \fa. fa \ X \ Vagree fa f (V \ W)} \ {f. \fa. fa \ {f. \fa. fa \ X \ Vagree fa f V} \ Vagree fa f W}" + using f1 by (meson Vagree_ror) + then show ?thesis + using restrictto_def by presburger + qed +qed + +lemma restrictto_antimon [simp]: "W\V \ restrictto X W \ restrictto X V" +proof - + assume "W\V" + then have "\U. V=W\U" by auto + then obtain U where "V=W\U" by auto + hence "restrictto X V = restrictto (restrictto X W) U" by simp + hence "restrictto X V \ restrictto X W" using restrictto_extends by blast + thus ?thesis by auto +qed + +lemma restrictto_empty [simp]: "X\{} \ restrictto X {} = worlds" + by (auto simp add: restrictto_def worlds_def) + +lemma selectlike_shrinks [simp]: "selectlike X \ V \ X" + by (auto simp add: selectlike_def) + +lemma selectlike_compose [simp]: "selectlike (selectlike X \ V) \ W = selectlike X \ (V\W)" + by (auto simp add: selectlike_def) + +lemma selectlike_antimon [simp]: "W\V \ selectlike X \ W \ selectlike X \ V" + by (auto simp add: selectlike_def) + +lemma selectlike_empty [simp]: "selectlike X \ {} = X" + by (auto simp add: selectlike_def) + +lemma selectlike_self [simp]: "(\ \ selectlike X \ V) = (\\X)" + by (auto simp add: selectlike_def) + +lemma selectlike_complement [simp]: "selectlike (-X) \ V \ -selectlike X \ V" + by (auto simp add: selectlike_def) + +lemma selectlike_union: "selectlike (X\Y) \ V = selectlike X \ V \ selectlike Y \ V" + by (auto simp add: selectlike_def) + +lemma selectlike_Sup: "selectlike (Sup M) \ V = Sup {selectlike X \ V | X. X\M}" + using selectlike_def by auto + +lemma selectlike_equal_cond: "(selectlike X \ V = selectlike Y \ V) = (\\. Uvariation \ \ (-V) \ (\\X) = (\\Y))" + unfolding selectlike_def using Uvariation_Vagree by auto + +lemma selectlike_equal_cocond: "(selectlike X \ (-V) = selectlike Y \ (-V)) = (\\. Uvariation \ \ V \ (\\X) = (\\Y))" + using selectlike_equal_cond[where V=\-V\] by simp + +lemma selectlike_equal_cocond_rule: "(\\. Uvariation \ \ (-V) \ (\\X) = (\\Y)) + \ (selectlike X \ V = selectlike Y \ V)" + using selectlike_equal_cond[where V=\V\] by simp + +lemma selectlike_equal_cocond_corule: "(\\. Uvariation \ \ V \ (\\X) = (\\Y)) + \ (selectlike X \ (-V) = selectlike Y \ (-V))" + using selectlike_equal_cond[where V=\-V\] by simp + +lemma co_selectlike: "-(selectlike X \ V) = (-X) \ {\. \Vagree \ \ V}" + unfolding selectlike_def by auto + +lemma selectlike_co_selectlike: "selectlike (-(selectlike X \ V)) \ V = selectlike (-X) \ V" + unfolding selectlike_def by auto + +lemma selectlike_Vagree: "Vagree \ \ V \ selectlike X \ V = selectlike X \ V" + using Vagree_def selectlike_def by auto + +lemma similar_selectlike_mem: "Vagree \ \ V \ (\\selectlike X \ V) = (\\X)" + unfolding selectlike_def using Vagree_sym_rel by blast + +(* also see nonBVG_rule *) +lemma BVG_nonelem [simp] :"(x\BVG \) = (\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x})))" + using BVG_elem monotone selectlike_shrinks + by (metis subset_iff) + + +text \\statediff\ interoperability\ + +lemma Vagree_statediff [simp]: "Vagree \ \' S \ statediff \ \' \ -S" + by (auto simp add: Vagree_def statediff_def) + +lemma stateinterpol_diff [simp]: "stateinterpol \ \ (statediff \ \) = \" +proof + fix x + show sp: "(stateinterpol \ \ (statediff \ \))(x) = \(x)" + proof (cases "x\statediff \ \") + case True + then show ?thesis by simp + next + case False + then show ?thesis by (simp add: stateinterpol_def nostatediff) + qed +qed + +lemma stateinterpol_insert: "Vagree (stateinterpol v w S) (stateinterpol v w (insert z S)) (-{z})" + by (simp add: Vagree_def stateinterpol_def) + + +lemma stateinterpol_FVT [simp]: "z\FVT(t) \ term_sem I t (stateinterpol \ \' S) = term_sem I t (stateinterpol \ \' (insert z S))" +proof - + assume a: "z\FVT(t)" + have fvc: "\v. \w. Vagree v w (-{z}) \ (term_sem I t v = term_sem I t w)" using a by (simp add: FVT_def) + then show "term_sem I t (stateinterpol \ \' S) = term_sem I t (stateinterpol \ \' (insert z S))" + using fvc and stateinterpol_insert by blast +qed + +subsection \Coincidence Lemmas\ + +paragraph \Coincidence for Terms\ + +text \Lemma 10 \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\\ + +theorem coincidence_term: "Vagree \ \' (FVT \) \ term_sem I \ \ = term_sem I \ \'" +proof - + assume a: "Vagree \ \' (FVT \)" + have isS: "statediff \ \' \ -FVT(\)" using a and Vagree_statediff by simp + have gen: "S\-FVT(\) \ (term_sem I \ \' = term_sem I \ (stateinterpol \ \' S))" if "finite S" for S + using that + proof (induction S) + case empty + show ?case by (simp add: stateinterpol_empty) + next + case (insert z S) + thus ?case by auto + qed + from isS have finS: "finite (statediff \ \')" using allvars_finite by (metis FVT_finite UNIV_def finite_compl rev_finite_subset) + show ?thesis using gen[where S=\statediff \ \'\, OF finS, OF isS] by simp +qed + +corollary coincidence_term_cor: "Uvariation \ \' U \ (FVT \)\U={} \ term_sem I \ \ = term_sem I \ \'" +using coincidence_term Uvariation_Vagree + by (metis Vagree_antimon disjoint_eq_subset_Compl double_compl) + + +lemma stateinterpol_FVF [simp]: "z\FVF(e) \ + ((stateinterpol \ \' S) \ fml_sem I e \ (stateinterpol \ \' (insert z S)) \ fml_sem I e)" +proof - + assume a: "z\FVF(e)" + have agr: "Vagree (stateinterpol \ \' S) (stateinterpol \ \' (insert z S)) (-{z})" by (simp add: Vagree_def stateinterpol_def) + have fvc: "\v. \w. (Vagree v w (-{z}) \ (v\fml_sem I e \ w\fml_sem I e))" using a by (simp add: FVF_def) + then have fvce: "\v. \w. (Vagree v w (-{z}) \ ((v\fml_sem I e) = (w\fml_sem I e)))" using Vagree_sym_rel by blast + then show "(stateinterpol \ \' S) \ fml_sem I e \ (stateinterpol \ \' (insert z S)) \ fml_sem I e" + using agr by simp +qed + + +paragraph \Coincidence for Formulas\ + +text \Lemma 11 \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\\ + +theorem coincidence_formula: "Vagree \ \' (FVF \) \ (\ \ fml_sem I \ \ \' \ fml_sem I \)" +proof - + assume a: "Vagree \ \' (FVF \)" + have isS: "statediff \ \' \ -FVF(\)" using a and Vagree_statediff by simp + have gen: "S\-FVF(\) \ (\' \ fml_sem I \ \ (stateinterpol \ \' S) \ fml_sem I \)" if "finite S" for S + using that + proof (induction S) + case empty + show ?case by (simp add: stateinterpol_empty) + next + case (insert z S) + thus ?case by auto + qed + from isS have finS: "finite (statediff \ \')" using allvars_finite by (metis FVF_finite UNIV_def finite_compl rev_finite_subset) + show ?thesis using gen[where S=\statediff \ \'\, OF finS, OF isS] by simp +qed + +corollary coincidence_formula_cor: "Uvariation \ \' U \ (FVF \)\U={} \ (\ \ fml_sem I \ \ \' \ fml_sem I \)" + using coincidence_formula Uvariation_Vagree + by (metis Uvariation_def disjoint_eq_subset_Compl inf.commute subsetCE) + + +paragraph \Coincidence for Games\ + +text \\Cignorabimus \ V\ is the set of all sets of variables that can be ignored for the coincidence game lemma\ +definition Cignorabimus:: "game \ variable set \ variable set set" + where +"Cignorabimus \ V = {M. \I.\\.\\'.\X. (Vagree \ \' (-M) \ (\\game_sem I \ (restrictto X V)) \ (\'\game_sem I \ (restrictto X V)))}" + +lemma Cignorabimus_finite [simp]: "finite (Cignorabimus \ V)" + unfolding Cignorabimus_def using finite_powerset[OF allvars_finite] finite_subset using Finite_Set.finite_subset by fastforce + +lemma Cignorabimus_equiv [simp]: "Cignorabimus \ V = {M. \I.\\.\\'.\X. (Vagree \ \' (-M) \ (\\game_sem I \ (restrictto X V)) = (\'\game_sem I \ (restrictto X V)))}" + unfolding Cignorabimus_def by (metis (no_types, lifting) Vagree_sym_rel) + +lemma Cignorabimus_antimon [simp]: "M \ Cignorabimus \ V \ N\M \ N \ Cignorabimus \ V" + unfolding Cignorabimus_def + using Vagree_antimon by blast + +lemma coempty: "-{}=allvars" + by simp + +lemma Cignorabimus_empty [simp]: "{} \ Cignorabimus \ V" + unfolding Cignorabimus_def using coempty Vagree_univ + by simp + +text \Cignorabimus contains nonfree variables\ +lemma Cignorabimus_init: "V\FVG(\) \ x\V \ {x}\Cignorabimus \ V" +proof- + assume "V\FVG(\)" + assume a0: "x\V" + hence a1: "x\FVG(\)" using \FVG \ \ V\ by blast + hence "\I v w. Vagree v w (-{x}) \ (v \ game_sem I \ (restrictto X (-{x})) \ w \ game_sem I \ (restrictto X (-{x})))" + by (metis (mono_tags, lifting) CollectI FVG_def Vagree_sym_rel) + show "{x}\Cignorabimus \ V" + proof- + { + fix I \ \' X + have "Vagree \ \' (-{x}) \ (\\game_sem I \ (restrictto X V)) \ (\'\game_sem I \ (restrictto X V))" + proof + assume a2: "Vagree \ \' (-{x})" + show "(\\game_sem I \ (restrictto X V)) \ (\'\game_sem I \ (restrictto X V))" + proof + assume "\\game_sem I \ (restrictto X V)" + hence "\\game_sem I \ (restrictto (restrictto X V) (-{x}))" by (simp add: Int_absorb2 \x\V\) + hence "\'\game_sem I \ (restrictto (restrictto X V) (-{x}))" using FVG_def a1 a2 by blast + hence "\'\game_sem I \ (restrictto X (V\-{x}))" by simp + show "\'\game_sem I \ (restrictto X V)" using a0 + by (metis Int_absorb2 \\' \ game_sem I \ (restrictto X (V \ - {x}))\ subset_Compl_singleton) + qed + qed + } + thus ?thesis + unfolding Cignorabimus_def + by auto + qed +qed + + +text \Cignorabimus is closed under union\ +lemma Cignorabimus_union: "M\Cignorabimus \ V \ N\Cignorabimus \ V \ (M\N)\Cignorabimus \ V" +proof- + assume a1: "M\Cignorabimus \ V" + assume a2: "N\Cignorabimus \ V" + show "(M\N)\Cignorabimus \ V" (*using a1 a2 unfolding Cignorabimus_def *) + proof- + { + fix I \ \' X + assume a3: "Vagree \ \' (-(M\N))" + have h1: "\I \ \'.\X. (Vagree \ \' (-M) \ (\\game_sem I \ (restrictto X V)) \ (\'\game_sem I \ (restrictto X V)))" using a1 by simp + have h2: "\I \ \'.\X. (Vagree \ \' (-N) \ (\\game_sem I \ (restrictto X V)) \ (\'\game_sem I \ (restrictto X V)))" using a2 by simp + let ?s = "stateinterpol \' \ M" + have v1: "Vagree \ ?s (-(M\N))" using a3 by (simp add: Vagree_def) + have v2: "Vagree ?s \' (-(M\N))" using a3 by (simp add: Vagree_def) + have r1: "\\game_sem I \ (restrictto X V) \ ?s\game_sem I \ (restrictto X V)" + by (metis ComplD Vagree_def h1 stateinterpol_right) + have r2: "?s\game_sem I \ (restrictto X V) \ \'\game_sem I \ (restrictto X V)" + by (metis Vagree_ror compl_sup h1 h2 v2) + have res: "\\game_sem I \ (restrictto X V) \ \'\game_sem I \ (restrictto X V)" using r1 r2 by blast + } + thus ?thesis + unfolding Cignorabimus_def + by auto + qed +qed + + +lemma powersetup_induct [case_names Base Cup]: + "\C. (\M. M\C \ P M) \ + (\S. (\M. M\S \ P M) \ P (\S)) \ + P (\C)" + by simp + +lemma Union_insert: "\(insert x S) = x\\S" + by simp + +lemma powerset2up_induct [case_names Finite Nonempty Base Cup]: + "(finite C) \ (C\{}) \ (\M. M\C \ P M) \ + (\M N. P M \ P N \ P (M\N)) \ + P (\C)" +proof (induction rule: finite_induct) + case empty + then show ?case by simp +next + case (insert x F) + then show ?case by force +qed + +lemma Cignorabimus_step: "(\M. M\S \ M\Cignorabimus \ V) \ (\S)\Cignorabimus \ V" +proof (cases "S={}") + case True + then show ?thesis using Cignorabimus_empty by simp +next + case nonem: False + then show "\S\Cignorabimus \ V" if "\M. M\S \ M\Cignorabimus \ V" and nonemp:"S\{}" for S + proof (induction rule: powerset2up_induct) + case Finite + then show ?case using Cignorabimus_finite by (meson infinite_super subset_eq that(1)) + next + case Nonempty + then show ?case using nonemp by simp + next + case (Base M) + then show ?case using that by simp + next + case (Cup S) + then show ?case using that Cignorabimus_union by blast + qed +qed + +text \Lemma 12 \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\\ + +theorem coincidence_game: "Vagree \ \' V \ V\FVG(\) \ (\ \ game_sem I \ (restrictto X V)) = (\' \ game_sem I \ (restrictto X V))" +proof- + assume a1: "Vagree \ \' V" + assume a2: "V \ FVG \" + have base: "{x}\Cignorabimus \ V" if a3: "x\V" and a4: "V \ FVG \" for x V + using a3 and a4 and Cignorabimus_init by simp + have h: "-V = \{xx. \x. xx={x} \ x\V}" by auto (* finite *) + have "(-V)\Cignorabimus \ V" using a2 base h using Cignorabimus_step + (*by (smt Cignorabimus_step mem_Collect_eq)*) + proof - (*sledgehammer*) + have f1: "\v V. v \ V \ \ FVG \ \ V \ {v} \ Cignorabimus \ V" + using base by satx + obtain VV :: "variable set \ game \ variable set set \ variable set" where + f2: "\x0 x1 x2. (\v3. v3 \ x2 \ v3 \ Cignorabimus x1 x0) = (VV x0 x1 x2 \ x2 \ VV x0 x1 x2 \ Cignorabimus x1 x0)" + by moura + obtain vv :: "variable set \ variable" where + f3: "((\v. VV V \ {{v} |v. v \ V} = {v} \ v \ V) \ VV V \ {{v} |v. v \ V} = {vv (VV V \ {{v} |v. v \ V})} \ vv (VV V \ {{v} |v. v \ V}) \ V) \ ((\v. VV V \ {{v} |v. v \ V} = {v} \ v \ V) \ (\v. VV V \ {{v} |v. v \ V} \ {v} \ v \ V))" + by moura + moreover + { assume "{vv (VV V \ {{v} |v. v \ V})} \ Cignorabimus \ V" + then have "(VV V \ {{v} |v. v \ V} \ {vv (VV V \ {{v} |v. v \ V})} \ vv (VV V \ {{v} |v. v \ V}) \ V) \ VV V \ {{v} |v. v \ V} \ {{v} |v. v \ V} \ VV V \ {{v} |v. v \ V} \ Cignorabimus \ V" + by metis + then have "(\v. VV V \ {{v} |v. v \ V} = {v} \ v \ V) \ VV V \ {{v} |v. v \ V} \ {{v} |v. v \ V} \ VV V \ {{v} |v. v \ V} \ Cignorabimus \ V" + using f3 by blast } + ultimately have "VV V \ {{v} |v. v \ V} \ {{v} |v. v \ V} \ VV V \ {{v} |v. v \ V} \ Cignorabimus \ V" + using f1 a2 by blast + then have "\{{v} |v. v \ V} \ Cignorabimus \ V" + using f2 by (meson Cignorabimus_step) + then show ?thesis + using h by presburger + qed + from this show ?thesis by (simp add: a1) +qed + +corollary coincidence_game_cor: "Uvariation \ \' U \ U\FVG(\)={} \ (\ \ game_sem I \ (restrictto X (-U))) = (\' \ game_sem I \ (restrictto X (-U)))" + using coincidence_game Uvariation_Vagree + by (metis Uvariation_Vagree coincidence_game compl_le_swap1 disjoint_eq_subset_Compl double_compl) + + +subsection \Bound Effect Lemmas\ + +text \\Bignorabimus \ V\ is the set of all sets of variables that can be ignored for boundeffect\ +definition Bignorabimus:: "game \ variable set set" + where + "Bignorabimus \ = {M. \I.\\.\X. \\game_sem I \ X \ \\game_sem I \ (selectlike X \ M)}" + +lemma Bignorabimus_finite [simp]: "finite (Bignorabimus \)" + unfolding Bignorabimus_def using finite_powerset[OF allvars_finite] finite_subset using Finite_Set.finite_subset by fastforce + +lemma Bignorabimus_single [simp]: "game_sem I \ (selectlike X \ M) \ game_sem I \ X" + by (meson monotone selectlike_shrinks subsetCE) + +lemma Bignorabimus_equiv [simp]: "Bignorabimus \ = {M. \I.\\.\X. (\\game_sem I \ X \ \\game_sem I \ (selectlike X \ M))}" + (*by (smt Bignorabimus_def Bignorabimus_single Collect_cong subsetCE)*) +proof - (*sledgehammer transformed*) + obtain VV :: "(variable set \ bool) \ (variable set \ bool) \ variable set" where + f1: "\p pa. (\ p (VV pa p)) = pa (VV pa p) \ Collect p = Collect pa" + by (metis (no_types) Collect_cong) + obtain rr :: "variable set \ game \ variable \ real" and ii :: "variable set \ game \ interp" and FF :: "variable set \ game \ (variable \ real) set" where + f2: "\x0 x1. (\v2 v3 v4. (v3 \ game_sem v2 x1 v4) \ (v3 \ game_sem v2 x1 (selectlike v4 v3 x0))) = ((rr x0 x1 \ game_sem (ii x0 x1) x1 (FF x0 x1)) \ (rr x0 x1 \ game_sem (ii x0 x1) x1 (selectlike (FF x0 x1) (rr x0 x1) x0)))" + by moura + have fact: "{V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))} = {V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)}" + using f1 by (metis (no_types, hide_lams) Bignorabimus_single subsetCE) + have f3: "rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (selectlike (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))) \ rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \)" + using Bignorabimus_single by blast + have f4: "(\ (\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))) \ (\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))))) \ ((\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))) \ (rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \)) = (rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (selectlike (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))))" + using f2 by blast + have "rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (\i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))) \ rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \ \ game_sem (ii (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) \ (selectlike (FF (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (rr (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))) \) (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))" + by blast + moreover + { assume "\i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))" + then have "\ (\i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))" + by blast + moreover + { assume "(\ (\i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))) \ (\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))))" + then have "{V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))} = {V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)}" + using fact by simp } + ultimately have "(\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))) \ {V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))} = {V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)}" + by satx } + moreover + { assume "\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))" + then have "(\ (\i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)))))) \ (\i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f (VV (\V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))) (\V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V))))))" + by blast + then have "{V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))} = {V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)}" + using fact by simp} + ultimately have "{V. \i f F. (f \ game_sem i \ F) = (f \ game_sem i \ (selectlike F f V))} = {V. \i f F. f \ game_sem i \ F \ f \ game_sem i \ (selectlike F f V)}" + using f4 f3 by satx + then show ?thesis + using Bignorabimus_def by presburger +qed + +lemma Bignorabimus_empty [simp]: "{} \ Bignorabimus \" + unfolding Bignorabimus_def using coempty selectlike_empty + by simp + +lemma Bignorabimus_init: "x\BVG(\) \ {x}\Bignorabimus \" + unfolding Bignorabimus_def BVG_def +proof- + assume "x \ {x. \I \ X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x})}" + hence "\(\I \ X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x}))" by simp + hence "\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x}))" using Bignorabimus_single by blast + thus "{x} \ {M. \I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ M))}" by simp +qed + +text \Bignorabimus is closed under union\ +lemma Bignorabimus_union: "M\Bignorabimus \ \ N\Bignorabimus \ \ (M\N)\Bignorabimus \" +proof - + assume a1: "M\Bignorabimus \" + assume a2: "N\Bignorabimus \" + have h1: "\I.\\.\X. (\\game_sem I \ X) \ (\\game_sem I \ (selectlike X \ M))" using a1 + using Bignorabimus_equiv Bignorabimus_single by blast + have h2: "\I.\\.\X. (\\game_sem I \ X) \ (\\game_sem I \ (selectlike X \ N))" using a2 + using Bignorabimus_equiv Bignorabimus_single by blast + have c: "\I.\\.\X. (\\game_sem I \ X) \ (\\game_sem I \ (selectlike X \ (M\N)))" by (metis h1 h2 selectlike_compose) + then show "(M\N)\Bignorabimus \" unfolding Bignorabimus_def using c by fastforce +qed + +lemma Bignorabimus_step: "(\M. M\S \ M\Bignorabimus \) \ (\S)\Bignorabimus \" +proof (cases "S={}") + case True + then show ?thesis using Bignorabimus_empty by simp +next + case nonem: False + then show "\S\Bignorabimus \" if "\M. M\S \ M\Bignorabimus \" and nonemp:"S\{}" for S + proof (induction rule: powerset2up_induct) + case Finite + then show ?case using Bignorabimus_finite by (meson infinite_super subset_eq that(1)) + next + case Nonempty + then show ?case using nonemp by simp + next + case (Base M) + then show ?case using that by simp + next + case (Cup S) + then show ?case using that Bignorabimus_union by blast + qed +qed + + +text \Lemma 13 \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\\ + +theorem boundeffect: "(\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ (-BVG(\))))" +proof- + have base: "{x}\Bignorabimus \" if a3: "x\BVG \" for x using a3 and Bignorabimus_init by simp + have h: "-BVG \ = \{xx. \x. xx={x} \ x\BVG \}" by blast (* finite *) + have "(-BVG \)\Bignorabimus \" using base h + (*by (smt Bignorabimus_step mem_Collect_eq)*) + proof - (*sledgehammer*) + obtain VV :: "game \ variable set set \ variable set" where + f1: "\x0 x1. (\v2. v2 \ x1 \ v2 \ Bignorabimus x0) = (VV x0 x1 \ x1 \ VV x0 x1 \ Bignorabimus x0)" + by moura + have "VV \ {{v} |v. v \ BVG \} \ {{v} |v. v \ BVG \} \ VV \ {{v} |v. v \ BVG \} \ Bignorabimus \" + by fastforce + then have "\{{v} |v. v \ BVG \} \ Bignorabimus \" + using f1 by (meson Bignorabimus_step) + then show ?thesis + using h by presburger + qed + from this show ?thesis using Bignorabimus_def by blast +qed + +corollary boundeffect_cor: "V\BVG(\)={} \ (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ V))" + using boundeffect + by (metis disjoint_eq_subset_Compl selectlike_compose sup.absorb_iff2) + + +subsection \Static Analysis Observations\ + +lemma BVG_equiv: "game_equiv \ \ \ BVG(\) = BVG(\)" +proof- + assume a: "game_equiv \ \" + show "BVG(\) = BVG(\)" unfolding BVG_def using game_equiv_subst_eq[OF a] by metis +qed + +lemmas union_or = Set.Un_iff + +lemma not_union_or: "(x\A\B) = (x\A \ x\B)" + by simp + +lemma repv_selectlike_self: "(repv \ x d \ selectlike X \ {x}) = (d=\(x) \ \ \ X)" + unfolding selectlike_def using Vagree_repv_self Vagree_sym + by (metis (no_types, lifting) mem_Collect_eq repv_self) + +lemma repv_selectlike_other: "x\y \ (repv \ x d \ selectlike X \ {y}) = (repv \ x d \ X)" +proof + assume a: "x\y" + then have h: "{y}\-{x}" by simp + show "(repv \ x d \ selectlike X \ {y}) \ (repv \ x d \ X)" using a selectlike_def Vagree_repv[of \ x d] + by auto + show "(repv \ x d \ X) \ (repv \ x d \ selectlike X \ {y})" + using selectlike_def[where X=X and \=\ and V=\-{x}\] Vagree_repv[where \=\ and x=x and d=d] + selectlike_antimon[where X=X and \=\ and V=\{y}\ and W=\-{x}\, OF h] Vagree_sym[where \=\repv \ x d\ and V=\-{x}\] + by auto +qed + +lemma repv_selectlike_other_converse: "x\y \ (repv \ x d \ X) = (repv \ x d \ selectlike X \ {y})" + using repv_selectlike_other HOL.eq_commute by blast + + +lemma BVG_assign_other: "x\y \ y\BVG(Assign x \)" + using repv_selectlike_other_converse[where x=x and y=y] by simp + +lemma BVG_assign_meta: "(\I \. term_sem I \ \ = \(x)) \ BVG(Assign x \) = {}" + and "term_sem I \ \ \ \(x) \ BVG(Assign x \) = {x}" + (*using repv_selectlike_self BVG_assign_other BVG_def BVG_elem*) +proof- + have fact: "BVG(Assign x \) \ {x}" using BVG_assign_other by (metis singleton_iff subsetI) + from fact show "(\I \. term_sem I \ \ = \(x)) \ BVG(Assign x \) = {}" using BVG_def by simp + have h2: "\I \. term_sem I \ \ \ \(x) \ x \ BVG(Assign x \)" using repv_selectlike_self by auto + from fact show "term_sem I \ \ \ \(x) \ BVG(Assign x \) = {x}" using BVG_elem h2 by blast +qed + +lemma BVG_assign: "BVG(Assign x \) = (if (\I \. term_sem I \ \ = \(x)) then {} else {x})" +using repv_selectlike_self repv_selectlike_other BVG_assign_other +proof- + have c0: "BVG(Assign x \) \ {x}" using BVG_assign_other by (metis singletonI subsetI) + have c1: "\I \. term_sem I \ \ = \(x) \ BVG(Assign x \) = {}" using BVG_assign_other by auto + have h2: "\I \. term_sem I \ \ \ \(x) \ x \ BVG(Assign x \)" using repv_selectlike_self by auto + have c2: "\I \. term_sem I \ \ \ \(x) \ BVG(Assign x \) = {x}" using c0 h2 by blast + from c1 and c2 show ?thesis by simp +qed + +lemma BVG_ODE_other: "y\RVar x \ y\DVar x \ y\BVG(ODE x \)" + (*using nonBVG_rule selectlike_equal_cocond_rule solves_ODE_def*) +proof- + assume yx: "y\RVar x" + assume yxp: "y\DVar x" + show "y\BVG(ODE x \)" + proof (rule nonBVG_inc_rule) + fix I \ X + assume "\ \ game_sem I (ODE x \) X" + then have "\F T. Vagree \ (F(0)) (-{DVar x}) \ F(T) \ X \ solves_ODE I F x \" by simp + then obtain F T where "Vagree \ (F(0)) (-{DVar x}) \ F(T) \ X \ solves_ODE I F x \" by blast + then have "Vagree \ (F(0)) (-{DVar x}) \ F(T) \ (selectlike X \ {y}) \ solves_ODE I F x \" + using yx yxp solves_Vagree Vagree_def similar_selectlike_mem by auto + then have "\F T. Vagree \ (F(0)) (-{DVar x}) \ F(T) \ (selectlike X \ {y}) \ solves_ODE I F x \" by blast + then show "\ \ game_sem I (ODE x \) (selectlike X \ {y})" by simp + qed +qed + +text \This result could be strengthened to a conditional equality based on the RHS values\ + +lemma BVG_ODE: "BVG(ODE x \) \ {RVar x,DVar x}" + using BVG_ODE_other by blast + + +lemma BVG_test: "BVG(Test \) = {}" + unfolding BVG_def game_sem.simps by auto + + +lemma BVG_choice: "BVG(Choice \ \) \ BVG(\) \ BVG(\)" + unfolding BVG_def game_sem.simps using not_union_or by auto +(*proof- + have f1: "\\ I X. (\ \ game_sem I \ X \ game_sem I \ X) = + (\ \ game_sem I \ X \ \ \ game_sem I \ X)" by (rule union_or) + have f2: "\\ I X. (\ \ game_sem I \ (selectlike X \ {x}) \ game_sem I \ (selectlike X \ {x})) = + (\ \ game_sem I \ (selectlike X \ {x}) \ \ \ game_sem I \ (selectlike X \ {x}))" by (rule not_union_or) + let ?lhs = "{x. \I \ X. + \ \ game_sem I \ X \ game_sem I \ X \ + \ \ game_sem I \ (selectlike X \ {x}) \ game_sem I \ (selectlike X \ {x})}" + let ?rhs = "{x. \I \ X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x})} \ + {x. \I \ X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x})}" + show "?lhs\?rhs" using f1 f2 by auto +qed*) + +lemma select_nonBV: "x\BVG(\) \ selectlike (game_sem I \ (selectlike X \ {x})) \ {x} = selectlike (game_sem I \ X) \ {x}" +proof + show "selectlike (game_sem I \ (selectlike X \ {x})) \ {x} \ selectlike (game_sem I \ X) \ {x}" + using game_sem_mono selectlike_shrinks selectlike_antimon Bignorabimus_single + by (metis selectlike_union sup.absorb_iff1) + next + assume nonbound: "x\BVG(\)" + then have fact: "{x}\BVG(\)={}" by auto + show "selectlike (game_sem I \ X) \ {x} \ selectlike (game_sem I \ (selectlike X \ {x})) \ {x}" + proof + fix \ + assume "\ \ selectlike (game_sem I \ X) \ {x}" + (* "V\BVG(\)={} \ (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ V))" *) + then have "\ \ selectlike (game_sem I \ (selectlike X \ {x})) \ {x}" + using boundeffect_cor[where \=\ and V=\{x}\ and \=\, OF fact] nonbound + by (metis ComplD ComplI co_selectlike not_union_or) + then show "\ \ selectlike (game_sem I \ (selectlike X \ {x})) \ {x}" using selectlike_Vagree selectlike_def by fastforce + qed +qed + +lemma BVG_compose: "BVG(Compose \ \) \ BVG(\) \ BVG(\)" + (*unfolding BVG_def game_sem.simps using game_union union_or not_union_or selectlike_shrinks monotone selectlike_compose*) +proof + fix x + assume a: "x\BVG(Compose \ \)" + show "x \ BVG \ \ BVG \" + proof (rule ccontr) + assume "x\BVG \ \ BVG(\)" + then have n\: "x\BVG(\)" + and n\: "x\BVG(\)" by simp_all + from a have "\I.\\.\X. \ \ game_sem I (Compose \ \) X \ \ \ game_sem I (Compose \ \) (selectlike X \ {x})" by simp + then obtain I \ X where adef: "\ \ game_sem I (Compose \ \) X \ \ \ game_sem I (Compose \ \) (selectlike X \ {x})" by blast + from adef have a1: "\ \ game_sem I \ (game_sem I \ X)" by simp + from adef have a2: "\ \ game_sem I \ (game_sem I \ (selectlike X \ {x}))" by simp + let ?Y = "selectlike X \ {x}" + from n\ have n\c: "\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x}))" using BVG_nonelem by simp + from n\ have n\c: "\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x}))" using BVG_nonelem by simp + have c1: "\ \ game_sem I \ (selectlike (game_sem I \ X) \ {x})" using a1 n\c[where I=I and \=\ and X=\game_sem I \ X\] by blast + have c2: "\ \ game_sem I \ (selectlike (game_sem I \ ?Y) \ {x})" using a2 n\c[where I=I and \=\ and X=\game_sem I \ ?Y\] by blast + from c2 have c3: "\ \ game_sem I \ (selectlike (game_sem I \ X) \ {x})" using n\ selectlike_Vagree + proof- + have "selectlike (game_sem I \ ?Y) \ {x} = selectlike (game_sem I \ X) \ {x}" using n\ by (rule select_nonBV) + thus ?thesis using c2 by simp + qed + show "False" using c1 c3 n\c[where I=I] by auto + qed +qed + + +text \The converse inclusion does not hold generally, because + \BVG(x := x+1; x:= x-1) = {} \ BVG(x := x+1) \ BVG(x := x-1) = {x}\\ + +lemma "BVG(Compose (Assign x (Plus (Var x) (Number 1))) (Assign x (Plus (Var x) (Number (-1))))) + \ BVG(Assign x (Plus (Var x) (Number 1))) \ BVG(Assign x (Plus (Var x) (Number (-1))))" + unfolding BVG_def selectlike_def repv_def Vagree_def by auto + + +lemma BVG_loop: "BVG(Loop \) \ BVG(\)" +proof + fix x + assume a: "x\BVG(Loop \)" + show "x \ BVG(\)" + proof (rule ccontr) + assume "\ (x \ BVG(\))" + then have n\: "x\BVG \" by simp + from n\ have n\c: "\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x}))" using BVG_nonelem by simp + have "x\BVG(Loop \)" (*using BVG_nonelem*) + proof (rule nonBVG_rule) + fix I \ X + let ?f = "\Z. X \ game_sem I \ Z" + let ?g = "\Y. (selectlike X \ {x}) \ game_sem I \ Y" + let ?R = "\Z Y. selectlike Z \ {x} = selectlike Y \ {x}" + have "?R (lfp ?f) (lfp ?g)" + proof (induction rule: lfp_lockstep_induct[where f=\?f\ and g=\?g\ and R=\?R\]) + case monof + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case monog + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case (step A B) + then have IH: "selectlike A \ {x} = selectlike B \ {x}" by simp + then show ?case + (* using selectlike_union n\ select_nonBV IH by (smt insert_absorb2 insert_def selectlike_compose singleton_conv smt_solver=cvc4) *) + proof- + have "selectlike (X \ game_sem I \ A) \ {x} = selectlike X \ {x} \ selectlike (game_sem I \ A) \ {x}" using selectlike_union by simp + also have "... = selectlike X \ {x} \ selectlike (game_sem I \ (selectlike A \ {x})) \ {x}" using n\ select_nonBV by blast + also have "... = selectlike X \ {x} \ selectlike (game_sem I \ (selectlike B \ {x})) \ {x}" using IH by simp + also have "... = selectlike (selectlike X \ {x} \ game_sem I \ B) \ {x}" using selectlike_union n\ select_nonBV by auto + finally show "selectlike (X \ game_sem I \ A) \ {x} = selectlike (selectlike X \ {x} \ game_sem I \ B) \ {x}" . + qed + next + case (union M) + then have IH: "\(A,B)\M. selectlike A \ {x} = selectlike B \ {x}" . + then show ?case + using fst_proj_mem[where M=M] snd_proj_mem[where M=M] + selectlike_Sup[where \=\ and V=\{x}\] sup_corr_eq_chain by simp + (*proof- + have "selectlike (\fst_proj M) \ {x} = \{selectlike A \ {x} | A. A\fst_proj M}" using selectlike_Sup by simp + also have "... = \{selectlike B \ {x} | B. B\snd_proj M}" using sup_corr_eq_chain[OF IH] by simp + also have "... = selectlike (\snd_proj M) \ {x}" using selectlike_Sup by simp + finally show "selectlike (\fst_proj M) \ {x} = selectlike (\snd_proj M) \ {x}" . + qed*) + qed + from this show "(\ \ game_sem I (Loop \) X) = (\ \ game_sem I (Loop \) (selectlike X \ {x}))" + by (metis (mono_tags) game_sem.simps(6) lfp_def selectlike_self) + (*by (simp add: selectlike_self game_sem_loop_back)*) + qed + then show "False" using a by blast + qed +qed + + +lemma BVG_dual: "BVG(Dual \) \ BVG(\)" + (*unfolding game_sem.simps using BVG_elem selectlike_co_selectlike co_selectlike selectlike_complement selectlike_antimon*) +proof + fix x + assume a: "x\BVG(Dual \)" + show "x\BVG \" + proof- + from a have "\I.\\.\X. \ \ game_sem I (Dual \) X \ \ \ game_sem I (Dual \) (selectlike X \ {x})" by simp + then obtain I \ X where adef: "\ \ game_sem I (Dual \) X \ \ \ game_sem I (Dual \) (selectlike X \ {x})" by blast + from adef have a1: "\ \ game_sem I \ (- X)" by simp + from adef have a2: "\ \ game_sem I \ (- selectlike X \ {x})" by simp + let ?Y = "- selectlike X \ {x}" + have f1: "\ \ game_sem I \ ?Y" by (rule a2) + have f2: "\ \ game_sem I \ (selectlike ?Y \ {x})" using a1 selectlike_co_selectlike + by (metis (no_types, lifting) selectlike_shrinks monotone dual_order.trans subset_Compl_singleton) + show "x\BVG(\)" using f1 f2 by auto + qed +qed + +end diff --git a/thys/Differential_Game_Logic/Denotational_Semantics.thy b/thys/Differential_Game_Logic/Denotational_Semantics.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Denotational_Semantics.thy @@ -0,0 +1,475 @@ +theory "Denotational_Semantics" +imports + "HOL-Analysis.Derivative" + "Syntax" +begin +section \Denotational Semantics\ + +text \Defines the denotational semantics of Differential Game Logic. \<^url>\https://doi.org/10.1145/2817824\ \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\\ + +subsection \States\ + +text \Vector of reals over ident\ +type_synonym Rvec = "variable \ real" +type_synonym state = "Rvec" + + +text \the set of all worlds\ +definition worlds:: "state set" + where "worlds = {\. True}" + +text \the set of all variables\ +abbreviation allvars:: "variable set" + where "allvars \ {x::variable. True}" + +text \the set of all real variables\ +abbreviation allrvars:: "variable set" + where "allrvars \ {RVar x | x. True}" + +text \the set of all differential variables\ +abbreviation alldvars:: "variable set" + where "alldvars \ {DVar x | x. True}" + + +lemma ident_finite: "finite({x::ident. True})" + by auto + +lemma allvar_cases: "allvars = allrvars \ alldvars" + using variable.exhaust by blast + +lemma rvar_finite: "finite allrvars" + using finite_imageI[OF ident_finite, where h=\\x. RVar x\] by (simp add: full_SetCompr_eq) + +lemma dvar_finite: "finite alldvars" + using finite_imageI[OF ident_finite, where h=\\x. DVar x\] by (simp add: full_SetCompr_eq) + +lemma allvars_finite [simp]: "finite(allvars)" + using allvar_cases dvar_finite rvar_finite by (metis finite_Un) + + +definition Vagree :: "state \ state \ variable set \ bool" + where "Vagree \ \' V \ (\i. i\V \ \(i) = \'(i))" + +definition Uvariation :: "state \ state \ variable set \ bool" + where "Uvariation \ \' U \ (\i. ~(i\U) \ \(i) = \'(i))" + +lemma Uvariation_Vagree [simp]: "Uvariation \ \' (-V) = Vagree \ \' V" + unfolding Vagree_def Uvariation_def by simp + + +lemma Vagree_refl [simp]: "Vagree \ \ V" + by (auto simp add: Vagree_def) + +lemma Vagree_sym: "Vagree \ \' V = Vagree \' \ V" + by (auto simp add: Vagree_def) + +lemma Vagree_sym_rel [sym]: "Vagree \ \' V \ Vagree \' \ V" + using Vagree_sym by auto + +lemma Vagree_union [trans]: "Vagree \ \' V \ Vagree \ \' W \ Vagree \ \' (V\W)" + by (auto simp add: Vagree_def) + +lemma Vagree_trans [trans]: "Vagree \ \' V \ Vagree \' \'' W \ Vagree \ \'' (V\W)" + by (auto simp add: Vagree_def) + +lemma Vagree_antimon [simp]: "Vagree \ \' V \ W\V \ Vagree \ \' W" + by (auto simp add: Vagree_def) + +lemma Vagree_empty [simp]: "Vagree \ \' {}" + by (auto simp add: Vagree_def) + +lemma Uvariation_empty [simp]: "Uvariation \ \' {} = (\=\')" + by (auto simp add: Uvariation_def) + +lemma Vagree_univ [simp]: "Vagree \ \' allvars = (\=\')" + by (auto simp add: Vagree_def) + +lemma Uvariation_univ [simp]: "Uvariation \ \' allvars" + by (auto simp add: Uvariation_def) + +lemma Vagree_and [simp]: "Vagree \ \' V \ Vagree \ \' W \ Vagree \ \' (V\W)" + by (auto simp add: Vagree_def) + +lemma Vagree_or: "Vagree \ \' V \ Vagree \ \' W \ Vagree \ \' (V\W)" + by (auto simp add: Vagree_def) + +lemma Uvariation_refl [simp]: "Uvariation \ \ V" + by (auto simp add: Uvariation_def) + +lemma Uvariation_sym: "Uvariation \ \ U = Uvariation \ \ U" + unfolding Uvariation_def by auto + +lemma Uvariation_sym_rel [sym]: "Uvariation \ \ U \ Uvariation \ \ U" + using Uvariation_sym by auto + +lemma Uvariation_trans [trans]: "Uvariation \ \ U \ Uvariation \ \ V \ Uvariation \ \ (U\V)" + unfolding Uvariation_def by simp + +lemma Uvariation_mon [simp]: "V \ U \ Uvariation \ \ U \ Uvariation \ \ V" + unfolding Uvariation_def by auto + + + +subsection Interpretations + +lemma mon_mono: "mono r = ((\X Y. (X\Y \ r(X)\r(Y))))" + unfolding mono_def by simp + +text \interpretations of symbols in ident\ +type_synonym interp_rep = + "(ident \ real) \ (ident \ (real \ real)) \ (ident \ (real \ bool)) \ (ident \ (state set \ state set))" + +definition is_interp :: "interp_rep \ bool" + where "is_interp I \ case I of (_, _, _, G) \ (\a. mono (G a))" + +typedef interp = "{I:: interp_rep. is_interp I}" + morphisms raw_interp well_interp +proof + show "(\f. 0, \f x. 0, \p x. True, \a. \X. X) \ {I. is_interp I}" unfolding is_interp_def mono_def by simp +qed + +setup_lifting type_definition_interp + +lift_definition Consts::"interp \ ident \ (real)" is "\(F0, _, _, _). F0" . +lift_definition Funcs:: "interp \ ident \ (real \ real)" is "\(_, F, _, _). F" . +lift_definition Preds:: "interp \ ident \ (real \ bool)" is "\(_, _, P, _). P" . +lift_definition Games:: "interp \ ident \ (state set \ state set)" is "\(_, _, _, G). G" . + +text \make interpretations\ +lift_definition mkinterp:: "(ident \ real) \ (ident \ (real \ real)) \ (ident \ (real \ bool)) \ (ident \ (state set \ state set)) +\ interp" + is "\(C, F, P, G). if \a. mono (G a) then (C, F, P, G) else (C, F, P, \_ _. {})" + by (auto split: prod.splits simp: mono_def is_interp_def) + +lemma Consts_mkinterp [simp]: "Consts (mkinterp(C,F,P,G)) = C" + apply (transfer fixing: C F P G) + apply (auto simp add: is_interp_def mono_def) + done + +lemma Funcs_mkinterp [simp]: "Funcs (mkinterp(C,F,P,G)) = F" + apply (transfer fixing: C F P G) + apply (auto simp add: is_interp_def mono_def) + done + +lemma Preds_mkinterp [simp]: "Preds (mkinterp(C,F,P,G)) = P" + apply (transfer fixing: C F P G) + apply (auto simp add: is_interp_def mono_def) + done + +lemma Games_mkinterp [simp]: "(\a. mono (G a) ) \ Games (mkinterp(C,F,P,G)) = G" + apply (transfer fixing: C F P G) + apply (auto simp add: is_interp_def mono_def) + done + +lemma mkinterp_eq [iff]: "(Consts I = Consts J \ Funcs I = Funcs J \ Preds I = Preds J \ Games I = Games J) = (I=J)" + apply (transfer fixing: C F P G) + apply (auto simp add: is_interp_def mono_def) + done + +lemma [simp]: "X\Y \ (Games I a)(X)\(Games I a)(Y)" + apply (transfer fixing: a X Y) + apply (auto simp add: is_interp_def mono_def) + apply (blast) + done + +lifting_update interp.lifting +lifting_forget interp.lifting + + +subsection Semantics + +text \Semantic modification \repv \ x r\ replaces the value of variable \x\ in the state \\\ with r\ +definition repv :: "state \ variable \ real \ state" + where "repv \ x r = fun_upd \ x r" + +lemma repv_def_correct: "repv \ x r = (\y. if x = y then r else \(y))" + unfolding repv_def by auto + +lemma repv_access [simp]: "(repv \ x r)(y) = (if (x=y) then r else \(y))" + unfolding repv_def by simp + +lemma repv_self [simp]: "repv \ x (\(x)) = \" + unfolding repv_def by auto + +lemma Vagree_repv: "Vagree \ (repv \ x d) (-{x})" + unfolding repv_def Vagree_def by simp + +lemma Vagree_repv_self: "Vagree \ (repv \ x d) {x} = (d=\(x))" + unfolding repv_def Vagree_def by auto + +lemma Uvariation_repv: "Uvariation \ (repv \ x d) {x}" + unfolding repv_def Uvariation_def by simp + +paragraph \Semantics of Terms\ + +fun term_sem :: "interp \ trm \ (state \ real)" +where + "term_sem I (Var x) = (\\. \(x))" +| "term_sem I (Number r) = (\\. r)" +| "term_sem I (Const f) = (\\. (Consts I f))" +| "term_sem I (Func f \) = (\\. (Funcs I f)(term_sem I \ \))" +| "term_sem I (Plus \ \) = (\\. term_sem I \ \ + term_sem I \ \)" +| "term_sem I (Times \ \) = (\\. term_sem I \ \ * term_sem I \ \)" +| "term_sem I (Differential \) = (\\. sum(\x. \(DVar x)*deriv(\X. term_sem I \ (repv \ (RVar x) X))(\(RVar x)))(allidents))" + +paragraph \Solutions of Differential Equations\ + +(*@note For simplicity, solutions are not limited to a smaller interval of existence*) +type_synonym solution = "real \ state" + +definition solves_ODE :: "interp \ solution \ ident \ trm \ bool" +where "solves_ODE I F x \ \ (\\::real. + Vagree (F(0)) (F(\)) (-{RVar x, DVar x}) + \ F(\)(DVar x) = deriv(\t. F(t)(RVar x))(\) + \ F(\)(DVar x) = term_sem I \ (F(\)))" + +paragraph \Semantics of Formulas and Games\ + +fun fml_sem :: "interp \ fml \ (state set)" and + game_sem :: "interp \ game \ (state set \ state set)" +where + "fml_sem I (Pred p \) = {\. (Preds I p)(term_sem I \ \)}" +| "fml_sem I (Geq \ \) = {\. term_sem I \ \ \ term_sem I \ \}" +| "fml_sem I (Not \) = {\. \ \ fml_sem I \}" +| "fml_sem I (And \ \) = fml_sem I \ \ fml_sem I \" +| "fml_sem I (Exists x \) = {\. \r. (repv \ x r) \ fml_sem I \}" +| "fml_sem I (Diamond \ \) = game_sem I \ (fml_sem I \)" + +| "game_sem I (Game a) = (\X. (Games I a)(X))" +| "game_sem I (Assign x \) = (\X. {\. (repv \ x (term_sem I \ \)) \ X})" +| "game_sem I (Test \) = (\X. fml_sem I \ \ X)" +| "game_sem I (Choice \ \) = (\X. game_sem I \ X \ game_sem I \ X)" +| "game_sem I (Compose \ \) = (\X. game_sem I \ (game_sem I \ X))" +| "game_sem I (Loop \) = (\X. \{Z. X \ game_sem I \ Z \ Z})" +| "game_sem I (Dual \) = (\X. -(game_sem I \ (-X)))" +| "game_sem I (ODE x \) = (\X. {\. \F T. Vagree \ (F(0)) (-{DVar x}) \ F(T) \ X \ solves_ODE I F x \})" + + +text \Validity\ + +definition valid_in :: "interp \ fml \ bool" +where "valid_in I \ \ (\\. \ \ fml_sem I \)" + +definition valid :: "fml \ bool" + where "valid \ \ (\I.\\. \ \ fml_sem I \)" + +lemma valid_is_valid_in_all: "valid \ = (\I. valid_in I \)" + unfolding valid_def valid_in_def by auto + +definition locally_sound :: "inference \ bool" + where "locally_sound R \ + (\I. (\k. 0\k \ k valid_in I (nth (fst R) k)) \ valid_in I (snd R))" + +definition sound :: "inference \ bool" + where "sound R \ + (\k. 0\k \ k valid (nth (fst R) k)) \ valid (snd R)" + +lemma locally_sound_is_sound: "locally_sound R \ sound R" + unfolding locally_sound_def sound_def using valid_is_valid_in_all by auto + + +subsection \Monotone Semantics\ + +lemma monotone_Test [simp]: "X\Y \ game_sem I (Test \) X \ game_sem I (Test \) Y" + by auto + +lemma monotone [simp]: "X\Y \ game_sem I \ X \ game_sem I \ Y" +proof (induction \ arbitrary: X Y rule: game_induct) + case (Game a) + then show ?case by simp +next + case (Assign x \) + then show ?case by auto +next + case (Test \) + then show ?case by auto +next + case (Choice \1 \2) + then show ?case by (metis Un_mono game_sem.simps(4)) +next + case (Compose \1 \2) + then show ?case by auto +next + case (Loop \) + then show ?case by auto +next + case (Dual \) + then show ?case by auto +next + case (ODE x \) + then show ?case by auto +qed + +corollary game_sem_mono [simp]: "mono (\X. game_sem I \ X)" + by (simp add: mon_mono) + +corollary game_union: "game_sem I \ (X\Y) \ game_sem I \ X \ game_sem I \ Y" + by simp + +lemmas game_sem_union = game_union + + +subsection \Fixpoint Semantics Alternative for Loops\ + +lemma game_sem_loop_fixpoint_mono: "mono (\Z. X \ game_sem I \ Z)" + using game_sem_mono by (metis Un_mono mon_mono order_refl) + +text \Consequence of Knaster-Tarski Theorem 3.5 of \<^url>\https://doi.org/10.1145/2817824\\ + +lemma game_sem_loop: "game_sem I (Loop \) = (\X. lfp(\Z. X \ game_sem I \ Z))" +proof- + have "\{Z. X \ game_sem I \ Z \ Z} = lfp(\Z. X \ game_sem I \ Z)" by (simp add: lfp_def) + then show ?thesis by (simp add: lfp_def) +qed + +corollary game_sem_loop_back: "(\X. lfp(\Z. X \ game_sem I \ Z)) = game_sem I (Loop \)" + using game_sem_loop by simp + +corollary game_sem_loop_iterate: "game_sem I (Loop \) = (\X. X \ game_sem I \ (game_sem I (Loop \) X))" + by (metis (no_types) game_sem_loop game_sem_loop_fixpoint_mono lfp_fixpoint) + +corollary game_sem_loop_unwind: "game_sem I (Loop \) = (\X. X \ game_sem I (Compose \ (Loop \)) X)" +using game_sem_loop_iterate by (metis game_sem.simps(5)) + +corollary game_sem_loop_unwind_reduce: "(\X. X \ game_sem I (Compose \ (Loop \)) X) = game_sem I (Loop \)" + using game_sem_loop_unwind by (rule sym) + +lemmas lfp_ordinal_induct_set_cases = lfp_ordinal_induct_set [case_names mono step union] + +(* Read off a fixpoint induction scheme from the fact that loops have a least fixpoint semantics *) +lemma game_loop_induct [case_names step union]: + "(\Z. Z \ game_sem I (Loop \) X \ P(Z) \ P(X \ game_sem I \ Z)) + \ (\M. (\Z\M. P(Z)) \ P(Sup M)) + \ P(game_sem I (Loop \) X)" +proof- + assume loopstep: "\Z. Z \ game_sem I (Loop \) X \ P(Z) \ P(X \ game_sem I \ Z)" + assume loopsup: "\M. (\Z\M. P(Z)) \ P(Sup M)" + have "P(lfp(\Z. X \ game_sem I \ Z))" + proof (induction rule: lfp_ordinal_induct[where f=\\Z. X \ game_sem I \ Z\]) + case mono + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case (step S) + then show ?case using loopstep[where Z=S] game_sem_loop[where I=I and \=\] by (simp add: loopstep) + next + case (union M) + then show ?case using loopsup game_sem_loop by auto + qed + then show "P(game_sem I (Loop \) X)" using game_sem_loop by simp + (*proof (induction rule: lfp_ordinal_induct_set_cases[where f=\\Z. X \ game_sem I \ Z\]) + case mono + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case (step S) + then show ?case using loopstep by auto + next + case (union M) + then show ?case using loopsup game_sem_loop by auto + qed*) +qed + + +subsection \Some Simple Obvious Observations\ + +lemma fml_sem_not [simp]: "fml_sem I (Not \) = -fml_sem I \" + by auto + +lemma fml_sem_not_not [simp]: "fml_sem I (Not (Not \)) = fml_sem I \" + by simp + +lemma fml_sem_or [simp]: "fml_sem I (Or \ \) = fml_sem I \ \ fml_sem I \" + unfolding Or_def by auto + +lemma fml_sem_implies [simp]: "fml_sem I (Implies \ \) = (-fml_sem I \) \ fml_sem I \" + unfolding Implies_def by auto + +lemma TT_valid [simp]: "valid TT" + unfolding valid_def TT_def by simp + +paragraph \Semantic equivalence of formulas\ + +definition fml_equiv:: "fml => fml => bool" + where "fml_equiv \ \ \ (\I. fml_sem I \ = fml_sem I \)" + +text \Substitutionality for Equivalent Formulas\ + +lemma fml_equiv_subst: "fml_equiv \ \ \ P (fml_sem I \) \ P (fml_sem I \)" +proof- + assume a1: "fml_equiv \ \" + assume a2: "P (fml_sem I \)" + from a1 have "fml_sem I \ = fml_sem I \" using fml_equiv_def by blast + then show ?thesis using forw_subst a2 by simp +qed + +lemma valid_fml_equiv: "valid (\ \ \) = fml_equiv \ \" + unfolding valid_def Equiv_def Or_def fml_equiv_def by auto + +lemma valid_in_equiv: "valid_in I (\ \ \) = ((fml_sem I \) = (fml_sem I \))" + using valid_in_def Equiv_def Or_def by auto + +lemma valid_in_impl: "valid_in I (\ \ \) = ((fml_sem I \) \ (fml_sem I \))" + unfolding valid_in_def Implies_def Or_def by auto + +lemma valid_equiv: "valid (\ \ \) = (\I. fml_sem I \ = fml_sem I \)" + using valid_fml_equiv fml_equiv_def by auto + +lemma valid_impl: "valid (\ \ \) = (\I. (fml_sem I \) \ (fml_sem I \))" + unfolding valid_def Implies_def Or_def by auto + +lemma fml_sem_equals [simp]: "(\ \ fml_sem I (Equals \ \)) = (term_sem I \ \ = term_sem I \ \)" + unfolding valid_def Equals_def Or_def by auto + +lemma equiv_refl_valid [simp]: "valid (\ \ \)" + unfolding valid_def Equiv_def Or_def by simp + +lemma equal_refl_valid [simp]: "valid (Equals \ \)" + unfolding valid_def Equals_def Or_def by simp + +lemma solves_ODE_alt : "solves_ODE I F x \ \ (\\::real. + Vagree (F(0)) (F(\)) (-{RVar x, DVar x}) + \ F(\)(DVar x) = deriv(\t. F(t)(RVar x))(\) + \ F(\) \ fml_sem I (Equals (Var (DVar x)) \))" + unfolding solves_ODE_def using fml_sem_equals by simp + +paragraph \Semantic equivalence of games\ + +definition game_equiv:: "game => game => bool" + where "game_equiv \ \ \ (\I X. game_sem I \ X = game_sem I \ X)" + + +text \Substitutionality for Equivalent Games\ + +lemma game_equiv_subst: "game_equiv \ \ \ P (game_sem I \ X) \ P (game_sem I \ X)" +proof- + assume a1: "game_equiv \ \" + assume a2: "P (game_sem I \ X)" + from a1 have "game_sem I \ X = game_sem I \ X" using game_equiv_def by blast + then show ?thesis using forw_subst a2 by simp +qed + +lemma game_equiv_subst_eq: "game_equiv \ \ \ P (game_sem I \ X) == P (game_sem I \ X)" + by (simp add: game_equiv_def) + +lemma skip_id [simp]: "game_sem I Skip X = X" + unfolding Skip_def TT_def by auto + +lemma loop_iterate_equiv: "game_equiv (Loop \) (Choice Skip (Compose \ (Loop \)))" +unfolding game_equiv_def +proof (clarify) + fix I X + from game_sem_loop_unwind_reduce have "X \ game_sem I (Compose \ (Loop \)) X = game_sem I (Loop \) X" by metis + then show "game_sem I (Loop \) X = game_sem I (Choice Skip (Compose \ (Loop \))) X" using skip_id by auto +qed + + +lemma fml_equiv_valid: "fml_equiv \ \ \ valid \ = valid \" + unfolding valid_def using fml_equiv_subst by blast + +lemma solves_Vagree: "solves_ODE I F x \ \ (\\. Vagree (F(\)) (F(0)) (-{RVar x,DVar x}))" + using solves_ODE_def Vagree_sym_rel by blast + +lemma solves_Vagree_trans: "Uvariation (F(0)) \ U \ solves_ODE I F x \ \ Uvariation (F(\)) \ (U\{RVar x,DVar x})" + using solves_Vagree Uvariation_Vagree solves_ODE_def + by (metis Uvariation_sym_rel Uvariation_trans double_complement) + +end diff --git a/thys/Differential_Game_Logic/Differential_Game_Logic.thy b/thys/Differential_Game_Logic/Differential_Game_Logic.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Differential_Game_Logic.thy @@ -0,0 +1,17 @@ +section \dGL Formalization\ + +theory "Differential_Game_Logic" +imports + Complex_Main + "Lib" + "Identifiers" + "Syntax" + "Denotational_Semantics" + "Static_Semantics" + "Coincidence" + "USubst" + "Axioms" +begin +text \This formalization of Differential Game Logic \<^url>\http://arxiv.org/abs/1902.07230\ \cite{DBLP:conf/cade/Platzer19} consists of +the syntax, denotational semantics, static semantics, uniform substitution lemmas, uniform substitution soundness proofs, and soundness proofs for axioms.\ +end diff --git a/thys/Differential_Game_Logic/Identifiers.thy b/thys/Differential_Game_Logic/Identifiers.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Identifiers.thy @@ -0,0 +1,40 @@ +theory "Identifiers" +imports Complex_Main +begin +subsection \Identifier Namespace Configuration\ + +text \Different configurations are possible for the namespace of identifiers. Finite support is the only important aspect of it.\ + +(* Identifiers, easiest finite case *) +type_synonym ident = char + +(* Identifiers, bigger finite case with longer identifiers *) +(* +definition max_str:"MAX_STR = 1" +typedef ident = "{s::string. size s \ MAX_STR}" + morphisms Rep_ident Abs_ident + apply(auto) + apply(rule exI[where x=Nil]) + by(auto simp add: max_str) + +setup_lifting ident.type_definition_ident + +lift_definition ilength::"ident \ nat" is size done + +lemma ident_bounded_length: "ilength x \ MAX_STR" + apply (transfer fixing: s) + apply (auto) + done + +lemma finite_identifiers [simp]: "finite {x:ident . True}" +using ident_bounded_length + +lifting_update ident.lifting +lifting_forget ident.lifting +*) + +text \The identifier used for the replacement marker in uniform substitutions\ +abbreviation dotid:: "ident" +where "dotid \ CHR ''.''" + +end diff --git a/thys/Differential_Game_Logic/Ids.thy b/thys/Differential_Game_Logic/Ids.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Ids.thy @@ -0,0 +1,14 @@ +theory "Ids" +imports Complex_Main + "Syntax" +begin +text \Some specific identifiers used in Axioms\ +abbreviation hgid1::ident where "hgid1 \ CHR ''a''" +abbreviation hgid2::ident where "hgid2 \ CHR ''b''" +abbreviation hgidc::ident where "hgidc \ CHR ''c''" +abbreviation hgidd::ident where "hgidd \ CHR ''d''" +abbreviation pid1::ident where "pid1 \ CHR ''p''" +abbreviation pid2::ident where "pid2 \ CHR ''q''" +abbreviation fid1::ident where "fid1 \ CHR ''f''" +abbreviation xid1::variable where "xid1 \ RVar (CHR ''x'')" +end diff --git a/thys/Differential_Game_Logic/Lib.thy b/thys/Differential_Game_Logic/Lib.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Lib.thy @@ -0,0 +1,98 @@ +theory "Lib" +imports + Complex_Main +begin +section \Generic Mathematical Background Lemmas\ + +lemma finite_subset [simp]: "finite M \ finite {x\M. P x}" + by simp + +lemma finite_powerset [simp]: "finite M \ finite {S. S\M}" + by simp + +definition fst_proj:: "('a*'b) set \ 'a set" + where "fst_proj M \ {A. \B. (A,B)\M}" + +definition snd_proj:: "('a*'b) set \ 'b set" + where "snd_proj M \ {B. \A. (A,B)\M}" + +lemma fst_proj_mem [simp]: "(A \ fst_proj M) = (\B. (A,B)\M)" + unfolding fst_proj_def by auto + +lemma snd_proj_mem [simp]: "(B \ snd_proj M) = (\A. (A,B)\M)" + unfolding snd_proj_def by auto + +lemma fst_proj_prop: "\x\fst_proj {(A,B)| A B. P A \ R A B}. P(x)" + unfolding fst_proj_def by auto + +lemma snd_proj_prop: "\x\snd_proj {(A,B) | A B. P B \ R A B}. P(x)" + unfolding snd_proj_def by auto + +lemma map_cons: "map f (Cons x xs) = Cons (f x) (map f xs)" + by (rule List.list.map) +lemma map_append: "map f (append xs ys) = append (map f xs) (map f ys)" + by simp + + + +text\Lockstep induction schema for two simultaneous least fixpoints. + If the successor step and supremum step of two least fixpoint inflations + preserve a relation, then that relation holds of the two respective least fixpoints.\ + +lemma lfp_lockstep_induct [case_names monof monog step union]: + fixes f :: "'a::complete_lattice \ 'a" + and g :: "'b::complete_lattice \ 'b" + assumes monof: "mono f" + and monog: "mono g" + and R_step: "\A B. A \ lfp(f) \ B \ lfp(g) \ R A B \ R (f(A)) (g(B))" + and R_Union: "\M::('a*'b) set. (\(A,B)\M. R A B) \ R (Sup (fst_proj M)) (Sup (snd_proj M))" + shows "R (lfp f) (lfp g)" +proof- + (*using idea of proof of "Inductive.thy:lfp_ordinal_induct"*) + let ?M = "{(A,B). A \ lfp f \ B \ lfp g \ R A B}" + from R_Union have supdoes: "R (Sup (fst_proj ?M)) (Sup (snd_proj ?M))" by simp + also have "Sup (fst_proj ?M) = lfp f" and "Sup (snd_proj ?M) = lfp g" + proof (rule antisym) + show fle: "Sup (fst_proj ?M) \ lfp f" + using fst_proj_prop Sup_le_iff by fastforce + then have "f (Sup (fst_proj ?M)) \ f (lfp f)" + by (rule monof [THEN monoD]) + then have fsup: "f (Sup (fst_proj ?M)) \ lfp f" + using monof [THEN lfp_unfold] by simp + + have gle: "Sup (snd_proj ?M) \ lfp g" + using snd_proj_prop Sup_le_iff by fastforce + then have "g (Sup (snd_proj ?M)) \ g (lfp g)" + by (rule monog [THEN monoD]) + then have gsup: "g (Sup (snd_proj ?M)) \ lfp g" + using monog [THEN lfp_unfold] by simp + + from fsup and gsup have fgsup: "(f(Sup(fst_proj ?M)), g(Sup(snd_proj ?M))) \ ?M" + using R_Union R_step Sup_le_iff + using calculation fle gle by blast + + from fgsup have "f (Sup (fst_proj ?M)) \ Sup (fst_proj ?M)" + using Sup_upper by (metis (mono_tags, lifting) fst_proj_def mem_Collect_eq) + then show fge: "lfp f \ Sup (fst_proj ?M)" + by (rule lfp_lowerbound) + show "Sup (snd_proj ?M) = lfp g" + proof (rule antisym) + show "Sup (snd_proj ?M) \ lfp g" by (rule gle) + from fgsup have "g (Sup (snd_proj ?M)) \ Sup (snd_proj ?M)" + using Sup_upper by (metis (mono_tags, lifting) snd_proj_def mem_Collect_eq) + then show gge: "lfp g \ Sup (snd_proj ?M)" + by (rule lfp_lowerbound) + qed + qed + then show ?thesis using supdoes by simp +qed + + +lemma sup_eq_all: "(\A. (A\M \ f(A)=g(A))) + \ Sup {f(A) | A. A\M} = Sup {g(A) | A. A\M}" + by metis + +lemma sup_corr_eq_chain: "\M::('a::complete_lattice*'a) set. (\(A,B)\M. f(A)=g(B)) \ (Sup {f(A) | A. A\fst_proj M} = Sup {g(B) | B. B\snd_proj M})" + by (metis (mono_tags, lifting) case_prod_conv fst_proj_mem snd_proj_mem) + +end \ No newline at end of file diff --git a/thys/Differential_Game_Logic/ROOT b/thys/Differential_Game_Logic/ROOT new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/ROOT @@ -0,0 +1,19 @@ +chapter AFP + +session Differential_Game_Logic (AFP) = "HOL-Analysis" + + options [timeout = 1200] + theories + "Lib" + "Identifiers" + "Syntax" + "Denotational_Semantics" + "Static_Semantics" + "Coincidence" + "USubst" + "Ids" + "Axioms" + "Differential_Game_Logic" + document_files + "root.tex" + "root.bib" + diff --git a/thys/Differential_Game_Logic/Static_Semantics.thy b/thys/Differential_Game_Logic/Static_Semantics.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Static_Semantics.thy @@ -0,0 +1,66 @@ +theory "Static_Semantics" +imports + "Syntax" + "Denotational_Semantics" +begin +section \Static Semantics\ + +subsection \Semantically-defined Static Semantics\ +paragraph \Auxiliary notions of projection of winning conditions\ + +text\upward projection: \restrictto X V\ is extends X to the states that agree on V with some state in X, +so variables outside V can assume arbitrary values.\ +definition restrictto :: "state set \ variable set \ state set" +where + "restrictto X V = {\. \\. \\X \ Vagree \ \ V}" + +text\downward projection: \selectlike X \ V\ selects state \\\ on V in X, +so all variables of V are required to remain constant\ +definition selectlike :: "state set \ state \ variable set \ state set" + where + "selectlike X \ V = {\\X. Vagree \ \ V}" + +paragraph \Free variables, semantically characterized.\ +text\Free variables of a term\ +definition FVT :: "trm \ variable set" +where + "FVT t = {x. \I.\\.\\. Vagree \ \ (-{x}) \ \(term_sem I t \ = term_sem I t \)}" + +text\Free variables of a formula\ +definition FVF :: "fml \ variable set" +where + "FVF \ = {x. \I.\\.\\. Vagree \ \ (-{x}) \ \ \ fml_sem I \ \ \ \ fml_sem I \}" + +text\Free variables of a hybrid game\ +definition FVG :: "game \ variable set" +where + "FVG \ = {x. \I.\\.\\.\X. Vagree \ \ (-{x}) \ \ \ game_sem I \ (restrictto X (-{x})) \ \ \ game_sem I \ (restrictto X (-{x}))}" + +paragraph \Bound variables, semantically characterized.\ +text\Bound variables of a hybrid game\ +definition BVG :: "game \ variable set" +where + "BVG \ = {x. \I.\\.\X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x})}" + + +subsection \Simple Observations\ + +lemma BVG_elem [simp] :"(x\BVG \) = (\I \ X. \ \ game_sem I \ X \ \ \ game_sem I \ (selectlike X \ {x}))" + unfolding BVG_def by simp + +lemma nonBVG_rule: "(\I \ X. (\ \ game_sem I \ X) = (\ \ game_sem I \ (selectlike X \ {x}))) + \ x\BVG \" + using BVG_elem by simp + +lemma nonBVG_inc_rule: "(\I \ X. (\ \ game_sem I \ X) \ (\ \ game_sem I \ (selectlike X \ {x}))) + \ x\BVG \" + using BVG_elem by simp + +lemma FVT_finite: "finite(FVT t)" + using allvars_finite by (metis finite_subset mem_Collect_eq subsetI) +lemma FVF_finite: "finite(FVF e)" + using allvars_finite by (metis finite_subset mem_Collect_eq subsetI) +lemma FVG_finite: "finite(FVG a)" + using allvars_finite by (metis finite_subset mem_Collect_eq subsetI) + +end diff --git a/thys/Differential_Game_Logic/Syntax.thy b/thys/Differential_Game_Logic/Syntax.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/Syntax.thy @@ -0,0 +1,134 @@ +theory "Syntax" +imports + Complex_Main + "Identifiers" +begin +section \Syntax\ + +text \ + Defines the syntax of Differential Game Logic as inductively defined data types. + \<^url>\https://doi.org/10.1145/2817824\ \<^url>\https://doi.org/10.1007/978-3-319-94205-6_15\ +\ + +subsection \Terms\ + +text \Numeric literals\ +type_synonym lit = real + +text \the set of all real variables\ +abbreviation allidents:: "ident set" + where "allidents \ {x | x. True}" + +text \Variables and differential variables\ + +datatype variable = + RVar ident +| DVar ident + +datatype trm = + Var variable +| Number lit +| Const ident +| Func ident trm +| Plus trm trm +| Times trm trm +| Differential trm + +subsection \Formulas and Hybrid Games\ + +datatype fml = + Pred ident trm +| Geq trm trm +| Not fml ("!") +| And fml fml (infixr "&&" 8) +| Exists variable fml +| Diamond game fml ("(\ _ \ _)" 20) +and game = + Game ident +| Assign variable trm (infixr ":=" 20) +| Test fml ("?") +| Choice game game (infixr "\\" 10) +| Compose game game (infixr ";;" 8) +| Loop game ("_**") +| Dual game ("_^d") +| ODE ident trm + + +paragraph \Derived operators\ +definition Neg ::"trm \ trm" +where "Neg \ = Times (Number (-1)) \" + +definition Minus ::"trm \ trm \ trm" +where "Minus \ \ = Plus \ (Neg \)" + +definition Or :: "fml \ fml \ fml" (infixr "||" 7) +where "Or P Q = Not (And (Not P) (Not Q))" + +definition Implies :: "fml \ fml \ fml" (infixr "\" 10) +where "Implies P Q = Or Q (Not P)" + +definition Equiv :: "fml \ fml \ fml" (infixr "\" 10) +where "Equiv P Q = Or (And P Q) (And (Not P) (Not Q))" + +definition Forall :: "variable \ fml \ fml" +where "Forall x P = Not (Exists x (Not P))" + +definition Equals :: "trm \ trm \ fml" +where "Equals \ \' = ((Geq \ \') && (Geq \' \))" + +definition Greater :: "trm \ trm \ fml" +where "Greater \ \' = ((Geq \ \') && (Not (Geq \' \)))" + +text \Justification: determinacy theorem justifies this equivalent syntactic abbreviation for box modalities from diamond modalities + Theorem 3.1 \<^url>\https://doi.org/10.1145/2817824\\ +definition Box :: "game \ fml \ fml" ("([[_]]_)" 20) +where "Box \ P = Not (Diamond \ (Not P))" + +definition TT ::"fml" +where "TT = Geq (Number 0) (Number 0)" + +definition FF ::"fml" +where "FF = Geq (Number 0) (Number 1)" + +definition Skip ::"game" +where "Skip = Test TT" + +text \Inference: premises, then conclusion\ +type_synonym inference = "fml list * fml" + +type_synonym sequent = "fml list * fml list" +text \Rule: premises, then conclusion\ +type_synonym rule = "sequent list * sequent" + + +subsection \Structural Induction\ + +text \Induction principles for hybrid games owing to their mutually recursive definition with formulas \ + +lemma game_induct [case_names Game Assign ODE Test Choice Compose Loop Dual]: + "(\a. P (Game a)) + \ (\x \. P (Assign x \)) + \ (\x \. P (ODE x \)) + \ (\\. P (? \)) + \ (\\ \. P \ \ P \ \ P (\ \\ \)) + \ (\\ \. P \ \ P \ \ P (\ ;; \)) + \ (\\. P \ \ P (\**)) + \ (\\. P \ \ P (\^d)) + \ P \" + by(induction rule: game.induct) (auto) + +lemma fml_induct [case_names Pred Geq Not And Exists Diamond]: + "(\x \. P (Pred x \)) + \ (\\ \. P (Geq \ \)) + \ (\\. P \ \ P (Not \)) + \ (\\ \. P \ \ P \ \ P (And \ \)) + \ (\x \. P \ \ P (Exists x \)) + \ (\\ \. P \ \ P (Diamond \ \)) + \ P \" + by (induction rule: fml.induct) (auto) + +text \the set of all variables\ +abbreviation allvars:: "variable set" + where "allvars \ {x::variable. True}" + +end diff --git a/thys/Differential_Game_Logic/USubst.thy b/thys/Differential_Game_Logic/USubst.thy new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/USubst.thy @@ -0,0 +1,1751 @@ +theory "USubst" +imports + Complex_Main + "Syntax" + "Static_Semantics" + "Coincidence" + "Denotational_Semantics" +begin +section \Uniform Substitution\ + +text \uniform substitution representation as tuple of partial maps from identifiers to type-compatible replacements.\ +type_synonym usubst = + "(ident \ trm) \ (ident \ trm) \ (ident \ fml) \ (ident \ game)" + +abbreviation SConst:: "usubst \ (ident \ trm)" +where "SConst \ (\(F0, _, _, _). F0)" +abbreviation SFuncs:: "usubst \ (ident \ trm)" +where "SFuncs \ (\(_, F, _, _). F)" +abbreviation SPreds:: "usubst \ (ident \ fml)" +where "SPreds \ (\(_, _, P, _). P)" +abbreviation SGames:: "usubst \ (ident \ game)" +where "SGames \ (\(_, _, _, G). G)" + +text \crude approximation of size which is enough for termination arguments\ +definition usubstsize:: "usubst \ nat" +where "usubstsize \ = (if (dom (SFuncs \) = {} \ dom (SPreds \) = {}) then 1 else 2)" + + +text \dot is some fixed constant function symbol that is reserved for the purposes of the substitution\ +definition dot:: "trm" + where "dot = Const (dotid)" + + +subsection \Strict Mechanism for Handling Substitution Partiality in Isabelle\ + +text \Optional terms that result from a substitution, either actually a term or just none to indicate that the substitution clashed\ +type_synonym trmo = "trm option" + +abbreviation undeft:: trmo where "undeft \ None" +abbreviation Aterm:: "trm \ trmo" where "Aterm \ Some" + +lemma undeft_None: "undeft=None" by simp +lemma Aterm_Some: "Aterm \=Some \" by simp + +lemma undeft_equiv: "(\\undeft) = (\t. \=Aterm t)" + by simp + +text \Plus on defined terms, strict undeft otherwise \ +fun Pluso :: "trmo \ trmo \ trmo" +where + "Pluso (Aterm \) (Aterm \) = Aterm(Plus \ \)" +| "Pluso undeft \ = undeft" +| "Pluso \ undeft = undeft" + +text \Times on defined terms, strict undeft otherwise \ +fun Timeso :: "trmo \ trmo \ trmo" +where + "Timeso (Aterm \) (Aterm \) = Aterm(Times \ \)" +| "Timeso undeft \ = undeft" +| "Timeso \ undeft = undeft" + +fun Differentialo :: "trmo \ trmo" +where + "Differentialo (Aterm \) = Aterm(Differential \)" +| "Differentialo undeft = undeft" + +lemma Pluso_undef: "(Pluso \ \ = undeft) = (\=undeft \ \=undeft)" by (metis Pluso.elims option.distinct(1)) +lemma Timeso_undef: "(Timeso \ \ = undeft) = (\=undeft \ \=undeft)" by (metis Timeso.elims option.distinct(1)) +lemma Differentialo_undef: "(Differentialo \ = undeft) = (\=undeft)" by (metis Differentialo.elims option.distinct(1)) + + +type_synonym fmlo = "fml option" + +abbreviation undeff:: fmlo where "undeff \ None" +abbreviation Afml:: "fml \ fmlo" where "Afml \ Some" + +type_synonym gameo = "game option" + +abbreviation undefg:: gameo where "undefg \ None" +abbreviation Agame:: "game \ gameo" where "Agame \ Some" + +lemma undeff_equiv: "(\\undeff) = (\f. \=Afml f)" + by simp + +lemma undefg_equiv: "(\\undefg) = (\g. \=Agame g)" + by simp + + +text \Geq on defined terms, strict undeft otherwise \ +fun Geqo :: "trmo \ trmo \ fmlo" +where + "Geqo (Aterm \) (Aterm \) = Afml(Geq \ \)" +| "Geqo undeft \ = undeff" +| "Geqo \ undeft = undeff" + +text \Not on defined formulas, strict undeft otherwise \ +fun Noto :: "fmlo \ fmlo" +where + "Noto (Afml \) = Afml(Not \)" +| "Noto undeff = undeff" + +text \And on defined formulas, strict undeft otherwise \ +fun Ando :: "fmlo \ fmlo \ fmlo" +where + "Ando (Afml \) (Afml \) = Afml(And \ \)" +| "Ando undeff \ = undeff" +| "Ando \ undeff = undeff" + +text \Exists on defined formulas, strict undeft otherwise \ +fun Existso :: "variable \ fmlo \ fmlo" +where + "Existso x (Afml \) = Afml(Exists x \)" +| "Existso x undeff = undeff" + +text \Diamond on defined games/formulas, strict undeft otherwise \ +fun Diamondo :: "gameo \ fmlo \ fmlo" +where + "Diamondo (Agame \) (Afml \) = Afml(Diamond \ \)" +| "Diamondo undefg \ = undeff" +| "Diamondo \ undeff = undeff" + +lemma Geqo_undef: "(Geqo \ \ = undeff) = (\=undeft \ \=undeft)" + by (metis Geqo.elims option.distinct(1)) +lemma Noto_undef: "(Noto \ = undeff) = (\=undeff)" + by (metis Noto.elims option.distinct(1)) +lemma Ando_undef: "(Ando \ \ = undeff) = (\=undeff \ \=undeff)" + by (metis Ando.elims option.distinct(1)) +lemma Existso_undef: "(Existso x \ = undeff) = (\=undeff)" + by (metis Existso.elims option.distinct(1)) +lemma Diamondo_undef: "(Diamondo \ \ = undeff) = (\=undefg \ \=undeff)" + by (metis Diamondo.elims option.distinct(1)) + + +text \Assign on defined terms, strict undefg otherwise \ +fun Assigno :: "variable \ trmo \ gameo" +where + "Assigno x (Aterm \) = Agame(Assign x \)" +| "Assigno x undeft = undefg" + +fun ODEo :: "ident \ trmo \ gameo" +where + "ODEo x (Aterm \) = Agame(ODE x \)" +| "ODEo x undeft = undefg" + +text \Test on defined formulas, strict undefg otherwise \ +fun Testo :: "fmlo \ gameo" +where + "Testo (Afml \) = Agame(Test \)" +| "Testo undeff = undefg" + +text \Choice on defined games, strict undefg otherwise \ +fun Choiceo :: "gameo \ gameo \ gameo" +where + "Choiceo (Agame \) (Agame \) = Agame(Choice \ \)" +| "Choiceo \ undefg = undefg" +| "Choiceo undefg \ = undefg" + +text \Compose on defined games, strict undefg otherwise \ +fun Composeo :: "gameo \ gameo \ gameo" +where + "Composeo (Agame \) (Agame \) = Agame(Compose \ \)" +| "Composeo \ undefg = undefg" +| "Composeo undefg \ = undefg" + +text \Loop on defined games, strict undefg otherwise \ +fun Loopo :: "gameo \ gameo" +where + "Loopo (Agame \) = Agame(Loop \)" +| "Loopo undefg = undefg" + +text \Dual on defined games, strict undefg otherwise \ +fun Dualo :: "gameo \ gameo" +where + "Dualo (Agame \) = Agame(Dual \)" +| "Dualo undefg = undefg" + + +lemma Assigno_undef: "(Assigno x \ = undefg) = (\=undeft)" by (metis Assigno.elims option.distinct(1)) +lemma ODEo_undef: "(ODEo x \ = undefg) = (\=undeft)" by (metis ODEo.elims option.distinct(1)) +lemma Testo_undef: "(Testo \ = undefg) = (\=undeff)" by (metis Testo.elims option.distinct(1)) +lemma Choiceo_undef: "(Choiceo \ \ = undefg) = (\=undefg \ \=undefg)" by (metis Choiceo.elims option.distinct(1)) +lemma Composeo_undef: "(Composeo \ \ = undefg) = (\=undefg \ \=undefg)" by (metis Composeo.elims option.distinct(1)) +lemma Loopo_undef: "(Loopo \ = undefg) = (\=undefg)" by (metis Loopo.elims option.distinct(1)) +lemma Dualo_undef: "(Dualo \ = undefg) = (\=undefg)" by (metis Dualo.elims option.distinct(1)) + + + +subsection \Recursive Application of One-Pass Uniform Substitution\ + +text \\dotsubstt \\ is the dot substitution \{. ~> \}\ substituting a term for the . function symbol\ +definition dotsubstt:: "trm \ usubst" + where "dotsubstt \ = ( + (\f. (if f=dotid then (Some(\)) else None)), + (\_. None), + (\_. None), + (\_. None) + )" + +definition usappconst:: "usubst \ variable set \ ident \ (trmo)" +where "usappconst \ U f \ (case SConst \ f of Some r \ if FVT(r)\U={} then Aterm(r) else undeft | None \ Aterm(Const f))" + +function usubstappt:: "usubst \ variable set \ (trm \ trmo)" +where + "usubstappt \ U (Var x) = Aterm (Var x)" +| "usubstappt \ U (Number r) = Aterm (Number r)" +| "usubstappt \ U (Const f) = usappconst \ U f" +| "usubstappt \ U (Func f \) = + (case usubstappt \ U \ of undeft \ undeft + | Aterm \\ \ (case SFuncs \ f of Some r \ if FVT(r)\U={} then usubstappt(dotsubstt \\) {} r else undeft | None \ Aterm(Func f \\)))" +| "usubstappt \ U (Plus \ \) = Pluso (usubstappt \ U \) (usubstappt \ U \)" +| "usubstappt \ U (Times \ \) = Timeso (usubstappt \ U \) (usubstappt \ U \)" +| "usubstappt \ U (Differential \) = Differentialo (usubstappt \ allvars \)" + by pat_completeness auto +termination + by (relation "measures [\(\,U,\). usubstsize \ , \(\,U,\). size \]") + (auto simp add: usubstsize_def dotsubstt_def) + +(* Expand let constructs automatically *) +declare Let_def [simp] + +function usubstappf:: "usubst \ variable set \ (fml \ fmlo)" + and usubstappp:: "usubst \ variable set \ (game \ variable set \ gameo)" +where + "usubstappf \ U (Pred p \) = + (case usubstappt \ U \ of undeft \ undeff + | Aterm \\ \ (case SPreds \ p of Some r \ if FVF(r)\U={} then usubstappf(dotsubstt \\) {} r else undeff | None \ Afml(Pred p \\)))" +| "usubstappf \ U (Geq \ \) = Geqo (usubstappt \ U \) (usubstappt \ U \)" +| "usubstappf \ U (Not \) = Noto (usubstappf \ U \)" +| "usubstappf \ U (And \ \) = Ando (usubstappf \ U \) (usubstappf \ U \)" +| "usubstappf \ U (Exists x \) = Existso x (usubstappf \ (U\{x}) \)" +| "usubstappf \ U (Diamond \ \) = (let V\ = usubstappp \ U \ in Diamondo (snd V\) (usubstappf \ (fst V\) \))" + +| "usubstappp \ U (Game a) = + (case SGames \ a of Some r \ (U\BVG(r),Agame r) + | None \ (allvars,Agame(Game a)))" +| "usubstappp \ U (Assign x \) = (U\{x}, Assigno x (usubstappt \ U \))" +| "usubstappp \ U (Test \) = (U, Testo (usubstappf \ U \))" +| "usubstappp \ U (Choice \ \) = + (let V\ = usubstappp \ U \ in + let W\ = usubstappp \ U \ in + (fst V\\fst W\, Choiceo (snd V\) (snd W\)))" +| "usubstappp \ U (Compose \ \) = + (let V\ = usubstappp \ U \ in + let W\ = usubstappp \ (fst V\) \ in + (fst W\, Composeo (snd V\) (snd W\)))" +| "usubstappp \ U (Loop \) = + (let V = fst(usubstappp \ U \) in + (V, Loopo (snd(usubstappp \ V \))))" +| "usubstappp \ U (Dual \) = + (let V\ = usubstappp \ U \ in (fst V\, Dualo (snd V\)))" +| "usubstappp \ U (ODE x \) = (U\{RVar x,DVar x}, ODEo x (usubstappt \ (U\{RVar x,DVar x}) \))" +by pat_completeness auto +termination + by (relation "measures [(\k. usubstsize (case k of Inl(\,U,\) \ \ | Inr(\,U,\) \ \)) , (\k. case k of Inl (\,U,\) \ size \ | Inr (\,U,\) \ size \)]") + (auto simp add: usubstsize_def dotsubstt_def) + +text \Induction Principles for Uniform Substitutions\ +lemmas usubstappt_induct = usubstappt.induct [case_names Var Number Const FuncMatch Plus Times Differential] +lemmas usubstappfp_induct = usubstappf_usubstappp.induct [case_names Pred Geq Not And Exists Diamond Game Assign Test Choice Compose Loop Dual ODE] + + +paragraph \Simple Observations for Automation\ + +text \More automation for Case\ + +lemma usappconst_simp [simp]: "SConst \ f = Some r \ FVT(r)\U={} \ usappconst \ U f = Aterm(r)" + and "SConst \ f = None \ usappconst \ U f = Aterm(Const f)" + and "SConst \ f = Some r \ FVT(r)\U\{} \ usappconst \ U f = undeft" + unfolding usappconst_def by auto + +lemma usappconst_conv: "usappconst \ U f\undeft \ + SConst \ f = None \ (\r. SConst \ f = Some r \ FVT(r)\U={})" + (*by (smt option.case_eq_if option.collapse usappconst_def)*) +proof- + assume as: "usappconst \ U f\undeft" + show "SConst \ f = None \ (\r. SConst \ f = Some r \ FVT(r)\U={})" + proof (cases "SConst \ f") + case None + then show ?thesis + by auto + next + case (Some a) + then show ?thesis using as usappconst_def[where \=\ and U=U and f=f] option.distinct(1) by fastforce + qed +qed + +lemma usubstappt_const [simp]: "SConst \ f = Some r \ FVT(r)\U={} \ usubstappt \ U (Const f) = Aterm(r)" + and "SConst \ f = None \ usubstappt \ U (Const f) = Aterm(Const f)" + and "SConst \ f = Some r \ FVT(r)\U\{} \ usubstappt \ U (Const f) = undeft" + by (auto simp add: usappconst_def) + +lemma usubstappt_const_conv: "usubstappt \ U (Const f)\undeft \ + SConst \ f = None \ (\r. SConst \ f = Some r \ FVT(r)\U={})" + using usappconst_conv by auto + +lemma usubstappt_func [simp]: "SFuncs \ f = Some r \ FVT(r)\U={} \ usubstappt \ U \ = Aterm \\ \ + usubstappt \ U (Func f \) = usubstappt (dotsubstt \\) {} r" + and "SFuncs \ f=None \ usubstappt \ U \ = Aterm \\ \ usubstappt \ U (Func f \) = Aterm(Func f \\)" + and "usubstappt \ U \ = undeft \ usubstappt \ U (Func f \) = undeft" + by auto + +lemma usubstappt_func2 [simp]: "SFuncs \ f = Some r \ FVT(r)\U\{} \ usubstappt \ U (Func f \) = undeft" + by (cases "usubstappt \ U \") (auto) + +lemma usubstappt_func_conv: "usubstappt \ U (Func f \) \ undeft \ + usubstappt \ U \ \ undeft \ + (SFuncs \ f = None \ (\r. SFuncs \ f = Some r \ FVT(r)\U={}))" + by (metis (lifting) option.simps(4) undeft_equiv usubstappt.simps(4) usubstappt_func2) + (*by (cases "usubstappt \ U \") (auto) *) + +lemma usubstappt_plus_conv: "usubstappt \ U (Plus \ \) \ undeft \ + usubstappt \ U \ \ undeft \ usubstappt \ U \ \ undeft" + by (simp add: Pluso_undef) + +lemma usubstappt_times_conv: "usubstappt \ U (Times \ \) \ undeft \ + usubstappt \ U \ \ undeft \ usubstappt \ U \ \ undeft" + by (simp add: Timeso_undef) + +lemma usubstappt_differential_conv: "usubstappt \ U (Differential \) \ undeft \ + usubstappt \ allvars \ \ undeft" + by (simp add: Differentialo_undef) + + +lemma usubstappf_pred [simp]: "SPreds \ p = Some r \ FVF(r)\U={} \ usubstappt \ U \ = Aterm \\ \ + usubstappf \ U (Pred p \) = usubstappf (dotsubstt \\) {} r" + and "SPreds \ p = None \ usubstappt \ U \ = Aterm \\ \ usubstappf \ U (Pred p \) = Afml(Pred p \\)" + and "usubstappt \ U \ = undeft \ usubstappf \ U (Pred p \) = undeff" + by auto + +lemma usubstappf_pred2 [simp]: "SPreds \ p = Some r \ FVF(r)\U\{} \ usubstappf \ U (Pred p \) = undeff" + by (cases "usubstappt \ U \") (auto) + +lemma usubstappf_pred_conv: "usubstappf \ U (Pred p \) \ undeff \ + usubstappt \ U \ \ undeft \ + (SPreds \ p = None \ (\r. SPreds \ p = Some r \ FVF(r)\U={}))" + by (metis (lifting) option.simps(4) undeff_equiv usubstappf.simps(1) usubstappf_pred2) + +lemma usubstappf_geq: "usubstappt \ U \ \ undeft \ usubstappt \ U \ \ undeft \ + usubstappf \ U (Geq \ \) = Afml(Geq (the (usubstappt \ U \)) (the (usubstappt \ U \)))" + by fastforce + +lemma usubstappf_geq_conv: "usubstappf \ U (Geq \ \) \ undeff \ + usubstappt \ U \ \ undeft \ usubstappt \ U \ \ undeft" + by (simp add: Geqo_undef) + +lemma usubstappf_geqr: "usubstappf \ U (Geq \ \) \ undeff \ + usubstappf \ U (Geq \ \) = Afml(Geq (the (usubstappt \ U \)) (the (usubstappt \ U \)))" + using usubstappf_geq usubstappf_geq_conv by blast + +lemma usubstappf_exists: "usubstappf \ U (Exists x \) \ undeff \ + usubstappf \ U (Exists x \) = Afml(Exists x (the (usubstappf \ (U\{x}) \)))" + using Existso_undef by auto + +lemma usubstappp_game [simp]: "SGames \ a = Some r \ usubstappp \ U (Game a) = (U\BVG(r),Agame(r))" + and "SGames \ a = None \ usubstappp \ U (Game a) = (allvars,Agame(Game a))" + by auto + +lemma usubstappp_choice [simp]: "usubstappp \ U (Choice \ \) = + (fst(usubstappp \ U \)\fst(usubstappp \ U \), Choiceo (snd(usubstappp \ U \)) (snd(usubstappp \ U \)))" + by auto + +lemma usubstappp_choice_conv : "snd(usubstappp \ U (Choice \ \)) \ undefg \ + snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ U \) \ undefg" + by (simp add: Choiceo_undef) + +lemma usubstappp_compose [simp]: "usubstappp \ U (Compose \ \) = + (fst(usubstappp \ (fst(usubstappp \ U \)) \), Composeo (snd(usubstappp \ U \)) (snd(usubstappp \ (fst(usubstappp \ U \)) \)))" + by simp + +lemma usubstappp_loop: "usubstappp \ U (Loop \) = + (fst(usubstappp \ U \), Loopo (snd(usubstappp \ (fst(usubstappp \ U \)) \)))" + by auto + +lemma usubstappp_dual [simp]: "usubstappp \ U (Dual \) = + (fst(usubstappp \ U \), Dualo (snd (usubstappp \ U \)))" + by simp + + + +section \Soundness of Uniform Substitution\ + + +subsection \USubst Application is a Function of Deterministic Result\ + +lemma usubstappt_det: "usubstappt \ U \ \ undeft \ usubstappt \ V \ \ undeft \ + usubstappt \ U \ = usubstappt \ V \" +proof (induction \) + case (Var x) + then show ?case by simp +next + case (Number x) + then show ?case by simp +next + case (Const f) + then show ?case + (*by (smt option.case_eq_if usappconst_def usubstappt.simps(3))*) + proof - (*sledgehammer*) + have f1: "usubstappt \ U (Const f) = (case SConst \ f of None \ Aterm (Const f) | Some t \ if FVT t \ U = {} then Aterm t else undeft)" + by (simp add: usappconst_def) + have f2: "\z f za. if za = undeft then (case za of None \ z::trm option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by force + then have "SConst \ f \ undeft \ (if FVT (the (SConst \ f)) \ U = {} then Aterm (the (SConst \ f)) else undeft) = usappconst \ U f" + by (simp add: usappconst_def) + then have f3: "SConst \ f \ undeft \ FVT (the (SConst \ f)) \ U = {}" + by (metis Const.prems(1) usubstappt.simps(3)) + have "SConst \ f \ undeft \ (if FVT (the (SConst \ f)) \ V = {} then Aterm (the (SConst \ f)) else undeft) = usappconst \ V f" + using f2 usappconst_def by presburger + then have "SConst \ f \ undeft \ FVT (the (SConst \ f)) \ V = {}" + by (metis (no_types) Const.prems(2) usubstappt.simps(3)) + then have f4: "SConst \ f \ undeft \ usubstappt \ U (Const f) = usappconst \ V f" + using f3 f2 f1 usappconst_def by presburger + { assume "usubstappt \ U (Const f) \ usubstappt \ V (Const f)" + then have "usubstappt \ U (Const f) \ (case SConst \ f of None \ Aterm (Const f) | Some t \ if FVT t \ V = {} then Aterm t else undeft)" + by (simp add: usappconst_def) + then have "SConst \ f \ undeft" + using f2 f1 by (metis (no_types)) + then have ?thesis + using f4 by simp } + then show ?thesis + by blast + qed +next + case (Func f \) + then show ?case using usubstappt_func + (*by (cases "SFuncs \ f") (auto simp add: usubstappt_func)*) + (*by (smt option.case_eq_if usubstappt.simps(4))*) + proof - (*sledgehammer*) + have f1: "(case usubstappt \ U \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ U = {} then usubstappt (dotsubstt t) {} ta else undeft)) \ undeft" + using Func(2) by auto + have f2: "\z f za. if za = undeft then (case za of None \ z::trm option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by force + then have f3: "usubstappt \ U \ \ undeft" + using f1 by meson + have "(case usubstappt \ V \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ V = {} then usubstappt (dotsubstt t) {} ta else undeft)) \ undeft" + using Func(3) by auto + then have f4: "usubstappt \ V \ \ undeft" + using f2 by meson + then have f5: "usubstappt \ U (trm.Func f \) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft)" + using f3 f2 Func(1) usubstappt.simps(4) by presburger + have "SFuncs \ f \ undeft \ (if FVT (the (SFuncs \ f)) \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) else undeft) = usubstappt \ U (trm.Func f \)" + using f4 f3 f2 Func(1) usubstappt.simps(4) by presburger + then have f6: "SFuncs \ f \ undeft \ FVT (the (SFuncs \ f)) \ U = {}" + by (metis Func(2)) + have f7: "(case usubstappt \ V \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ V = {} then usubstappt (dotsubstt t) {} ta else undeft)) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ V = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft)" + using f4 f2 by presburger + then have "SFuncs \ f \ undeft \ (if FVT (the (SFuncs \ f)) \ V = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) else undeft) = usubstappt \ V (trm.Func f \)" + using f2 by simp + then have f8: "SFuncs \ f \ undeft \ FVT (the (SFuncs \ f)) \ V = {}" + by (metis (full_types) Func(3)) + { assume "usubstappt \ U (trm.Func f \) \ usubstappt \ V (trm.Func f \)" + moreover + { assume "(case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ V = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft) \ Aterm (trm.Func f (the (usubstappt \ V \)))" + then have "SFuncs \ f \ undeft" + using f2 by meson } + ultimately have "SFuncs \ f \ undeft" + using f7 f5 by fastforce + then have ?thesis + using f8 f7 f6 f5 f2 by simp } + then show ?thesis + by blast + qed +next + case (Plus \1 \2) + then show ?case using Pluso_undef by auto +next + case (Times \1 \2) + then show ?case using Timeso_undef by auto +next + case (Differential \) + then show ?case using Differentialo_undef by auto +qed + + +lemma usubstappf_and_usubstappp_det: +shows "usubstappf \ U \ \ undeff \ usubstappf \ V \ \ undeff \ usubstappf \ U \ = usubstappf \ V \" +and "snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ V \) \ undefg \ snd(usubstappp \ U \) = snd(usubstappp \ V \)" +proof (induction \ and \ arbitrary: U V and U V) + case (Pred p \) + then show ?case using usubstappt_det usubstappf_pred + (*by (metis usubstappf.simps(1)) *) + (*by (smt option.case_eq_if usubstappf.simps(1)) *) + proof - (*sledgehammer*) + have f1: "(case usubstappt \ U \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt t) {} f else undeff)) \ undeff" + using Pred.prems(1) by auto + have f2: "\z f za. if za = undeft then (case za of None \ z::fml option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by (simp add: option.case_eq_if) + then have f3: "(case usubstappt \ U \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt t) {} f else undeff)) = (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ U \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ U \))) {} f else undeff)" + using f1 by meson + have f4: "(case usubstappt \ V \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt t) {} f else undeff)) \ undeff" + using Pred.prems(2) by auto + then have f5: "usubstappt \ U \ = usubstappt \ V \" + using f2 f1 by (meson usubstappt_det) + then have f6: "usubstappf \ U (Pred p \) = (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f3 usubstappf.simps(1) by presburger + have f7: "\z f za. if za = undeff then (case za of None \ z::fml option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by (simp add: option.case_eq_if) + have f8: "(case usubstappt \ V \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt t) {} f else undeff)) = (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f4 f2 by meson + then have f9: "SPreds \ p = undeff \ usubstappf \ U (Pred p \) = usubstappf \ V (Pred p \)" + using f6 by fastforce + { assume "usubstappf \ U (Pred p \) \ usubstappf \ V (Pred p \)" + then have "usubstappf \ U (Pred p \) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f8 by simp + moreover + { assume "usubstappf \ U (Pred p \) \ (if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + moreover + { assume "usubstappf \ U (Pred p \) \ usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p))" + moreover + { assume "usubstappf \ U (Pred p \) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + then have "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + using f6 by force + then have "SPreds \ p = undeff" + using f7 by (metis (no_types, lifting) Pred.prems(1) calculation f5 option.collapse usubstappf_pred usubstappf_pred2 usubstappf_pred_conv) } + moreover + { assume "(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p))" + then have "(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ U \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ U \))) {} f else undeff)" + using f3 Pred.prems(1) by auto + then have "(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f5 using Pred.prems(1) \(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p))\ f6 by auto + then have "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + by simp + then have "SPreds \ p = undeff" + using f7 proof - + show ?thesis + using \(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)\ calculation(2) f6 by presburger + qed} + ultimately have "SPreds \ p = undeff" + by fastforce } + moreover + { assume "(if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p))" + then have "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + using f8 Pred.prems(2) by auto + then have "SPreds \ p = undeff" + using f7 by (metis (no_types, lifting) Pred.prems(2) \(if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p))\ option.collapse usubstappf_pred2)} + ultimately have "SPreds \ p = undeff" + by fastforce } + moreover + { assume "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + then have "SPreds \ p = undeff" + using f7 by (metis (no_types, lifting) Pred.prems(1) Pred.prems(2) \usubstappf \ U (Pred p \) \ usubstappf \ V (Pred p \)\ calculation(2) option.collapse usubstappf_pred usubstappf_pred_conv)} + ultimately have ?thesis + using f9 by fastforce } + then show ?thesis + by blast + qed + next + case (Geq \ \) + then show ?case using usubstappt_det by (metis Geqo_undef usubstappf.simps(2)) + next + case (Not x) + then show ?case by (metis Noto.simps(2) usubstappf.simps(3)) + next + case (And x1 x2) + then show ?case by (metis Ando_undef usubstappf.simps(4)) + next + case (Exists x1 x2) + then show ?case by (metis Existso_undef usubstappf.simps(5)) + next + case (Diamond x1 x2) + then show ?case by (metis Diamondo_undef usubstappf.simps(6)) + next + case (Game a) + then show ?case by (cases "SGames \ a") (auto) + next + case (Assign x \) + then show ?case using usubstappt_det by (metis Assigno_undef snd_conv usubstappp.simps(2)) + next + case (ODE x \) + then show ?case using usubstappt_det by (metis ODEo_undef snd_conv usubstappp.simps(8)) + next + case (Test \) + then show ?case by (metis Testo_undef snd_conv usubstappp.simps(3)) + next + case (Choice \ \) + then show ?case by (metis Choiceo_undef snd_conv usubstappp.simps(4)) + next + case (Compose \ \) + then show ?case by (metis Composeo_undef snd_conv usubstappp.simps(5)) + next + case (Loop \) + then show ?case by (metis Loopo_undef snd_conv usubstappp.simps(6)) + next + case (Dual \) + then show ?case by (metis Dualo_undef snd_conv usubstappp.simps(7)) +qed + +lemma usubstappf_det: "usubstappf \ U \ \ undeff \ usubstappf \ V \ \ undeff \ usubstappf \ U \ = usubstappf \ V \" + using usubstappf_and_usubstappp_det by simp + +lemma usubstappp_det: "snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ V \) \ undefg \ snd(usubstappp \ U \) = snd(usubstappp \ V \)" + using usubstappf_and_usubstappp_det by simp + + +subsection \Uniform Substitutions are Antimonotone in Taboos\ + + +lemma usubst_taboos_mon: "fst(usubstappp \ U \) \ U" +proof (induction \ arbitrary: U rule: game_induct) + case (Game a) + then show ?case by (cases "SGames \ a") (auto) +next + case (Assign x \) + then show ?case by fastforce +next + case (ODE x \) + then show ?case by fastforce +next + case (Test \) + then show ?case by fastforce +next + case (Choice \ \) + then show ?case by fastforce +next + case (Compose \ \) + then show ?case by fastforce +next + case (Loop \) + then show ?case by fastforce +next + case (Dual \) + then show ?case by fastforce +qed + +lemma fst_pair [simp]: "fst (a,b) = a" + by simp + +lemma snd_pair [simp]: "snd (a,b) = b" + by simp + + +lemma usubstappt_antimon: "V\U \ usubstappt \ U \ \ undeft \ + usubstappt \ U \ = usubstappt \ V \" +proof (induction \) + case (Var x) + then show ?case by simp +next + case (Number x) + then show ?case by simp +next + case (Const f) + then show ?case + (*by (smt disjoint_iff_not_equal option.case_eq_if set_rev_mp usappconst_def usubstappt.simps(3))*) + proof - (*sledgehammer*) + have f1: "usubstappt \ U (Const f) = (case SConst \ f of None \ Aterm (Const f) | Some t \ if FVT t \ U = {} then Aterm t else undeft)" + by (simp add: usappconst_def) + have f2: "\z f za. if za = undeft then (case za of None \ z::trm option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by force + then have "SConst \ f \ undeft \ (if FVT (the (SConst \ f)) \ U = {} then Aterm (the (SConst \ f)) else undeft) = usappconst \ U f" + using usappconst_def by presburger + then have f3: "SConst \ f \ undeft \ FVT (the (SConst \ f)) \ U = {}" + by (metis (no_types) Const.prems(2) usubstappt.simps(3)) + have f4: "\V Va. (V \ Va = {}) = (\v. (v::variable) \ V \ (\va. va \ Va \ v \ va))" + by blast + { assume "usubstappt \ U (Const f) \ usubstappt \ V (Const f)" + then have "usubstappt \ U (Const f) \ (case SConst \ f of None \ Aterm (Const f) | Some t \ if FVT t \ V = {} then Aterm t else undeft)" + by (simp add: usappconst_def) + then have "SConst \ f \ undeft" + using f2 f1 by metis + then have "SConst \ f \ undeft \ FVT (the (SConst \ f)) \ V = {}" + using f4 f3 by (meson Const.prems(1) subsetD) + then have ?thesis + using f3 f2 usappconst_def usubstappt.simps(3) by presburger } + then show ?thesis + by blast + qed +next + case (Func f \) + then show ?case using usubstappt_func + (*by (smt disjoint_iff_not_equal option.case_eq_if subset_iff usubstappt.simps(4))*) + proof - (*sledgehammer*) + have f1: "(case usubstappt \ U \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ U = {} then usubstappt (dotsubstt t) {} ta else undeft)) \ undeft" + using Func.prems(2) by fastforce + have f2: "\z f za. if za = undeft then (case za of None \ z::trm option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by fastforce + then have f3: "usubstappt \ U \ \ undeft" + using f1 by meson + then have f4: "(case usubstappt \ U \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ U = {} then usubstappt (dotsubstt t) {} ta else undeft)) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ U \))) | Some t \ if FVT t \ U = {} then usubstappt (dotsubstt (the (usubstappt \ U \))) {} t else undeft)" + using f2 by presburger + have f5: "usubstappt \ U \ = undeft \ usubstappt \ U \ = usubstappt \ V \" + using Func.IH Func.prems(1) by fastforce + have "SFuncs \ f \ undeft \ (if FVT (the (SFuncs \ f)) \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) else undeft) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft)" + using f2 by presburger + then have "SFuncs \ f \ undeft \ (if FVT (the (SFuncs \ f)) \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) else undeft) = usubstappt \ U (trm.Func f \)" + using f5 f4 f3 usubstappt.simps(4) by presburger + then have f6: "SFuncs \ f \ undeft \ FVT (the (SFuncs \ f)) \ U = {}" + by (metis (no_types) Func.prems(2)) + then have f7: "SFuncs \ f \ undeft \ V \ - FVT (the (SFuncs \ f))" + using Func.prems(1) by blast + have f8: "(case usubstappt \ V \ of None \ undeft | Some t \ (case SFuncs \ f of None \ Aterm (trm.Func f t) | Some ta \ if FVT ta \ V = {} then usubstappt (dotsubstt t) {} ta else undeft)) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ V = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft)" + using f5 f3 f2 by presburger + have "SFuncs \ f \ undeft \ usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) = (case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ U = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft)" + using f6 f2 by presburger + then have f9: "SFuncs \ f \ undeft \ usubstappt (dotsubstt (the (usubstappt \ V \))) {} (the (SFuncs \ f)) = usubstappt \ U (trm.Func f \)" + using f5 f4 f3 usubstappt.simps(4) by presburger + { assume "usubstappt \ U (trm.Func f \) \ usubstappt \ V (trm.Func f \)" + moreover + { assume "(case SFuncs \ f of None \ Aterm (trm.Func f (the (usubstappt \ V \))) | Some t \ if FVT t \ V = {} then usubstappt (dotsubstt (the (usubstappt \ V \))) {} t else undeft) \ Aterm (trm.Func f (the (usubstappt \ V \)))" + then have "SFuncs \ f \ undeft" + using f2 by meson } + ultimately have "SFuncs \ f \ undeft" + using f5 f3 by fastforce + then have ?thesis + using f9 f8 f7 f2 by (simp add: disjoint_eq_subset_Compl inf.commute) } + then show ?thesis + by blast + qed +next + case (Plus \1 \2) + then show ?case using Pluso_undef by auto +next + case (Times \1 \2) + then show ?case using Timeso_undef by auto +next + case (Differential \) + then show ?case using Differentialo_undef by auto +qed + +text \Uniform Substitutions of Games have monotone taboo output\ + +lemma usubstappp_fst_mon: "U\V \ fst(usubstappp \ U \) \ fst(usubstappp \ V \)" +proof (induction \ arbitrary: U V rule: game_induct) + case (Game a) + then show ?case by (cases "SGames \ a") (auto) +next + case (Assign x \) + then show ?case by auto +next + case (ODE x \) + then show ?case by auto +next + case (Test \) + then show ?case by auto +next + case (Choice \ \) + then show ?case by (metis Un_mono fst_pair usubstappp_choice) +next + case (Compose \ \) + then show ?case by (metis fst_pair usubstappp_compose) +next + case (Loop \) + then show ?case by (metis fst_pair usubstappp_loop) +next + case (Dual \) + then show ?case by (metis fst_pair usubstappp_dual) +qed + + +lemma usubstappf_and_usubstappp_antimon: +shows "V\U \ usubstappf \ U \ \ undeff \ usubstappf \ U \ = usubstappf \ V \" +and "V\U \ snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ U \) = snd(usubstappp \ V \)" +proof- + have "V\U \ usubstappf \ U \ \ undeff \ usubstappf \ V \ \ undeff" + and "V\U \ snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ V \) \ undefg" + proof (induction \ and \ arbitrary: U V and U V) + case (Pred p \) + then show ?case using usubstappt_antimon usubstappf_pred + (*by (smt Un_mono disjoint_eq_subset_Compl empty_subsetI inf.commute option.case_eq_if sup.absorb_iff1 sup.absorb_iff2 usubstappf.simps(1)) *) + proof - (*sledgehammer*) + have f1: "\v. v \ V \ v \ U" + using Pred.prems(1) by auto + have f2: "\z f za. if za = undeff then (case za of None \ z::fml option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by (simp add: option.case_eq_if) + have f3: "(case usubstappt \ U \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt t) {} f else undeff)) \ undeff" + using Pred.prems(2) by auto + have f4: "\z f za. if za = undeft then (case za of None \ z::fml option | Some x \ f x) = z else (case za of None \ z | Some x \ f x) = f (the za)" + by (simp add: option.case_eq_if) + then have f5: "usubstappt \ U \ \ undeft" + using f3 by meson + then have f6: "(case usubstappt \ U \ of None \ undeff | Some t \ (case SPreds \ p of None \ Afml (Pred p t) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt t) {} f else undeff)) = (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ U \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ U \))) {} f else undeff)" + using f4 by presburger + have f7: "usubstappt \ U \ = usubstappt \ V \" + using f5 by (meson Pred.prems(1) usubstappt_antimon) + then have f8: "SPreds \ p = undeff \ usubstappf \ U (Pred p \) = usubstappf \ V (Pred p \)" + using f2 usubstappf.simps(1) by presburger + obtain vv :: "variable set \ variable set \ variable" where + "\x0 x1. (\v2. v2 \ x1 \ (\v3. v3 \ x0 \ v2 = v3)) = (vv x0 x1 \ x1 \ (\v3. v3 \ x0 \ vv x0 x1 = v3))" + by moura + then obtain vva :: "variable set \ variable set \ variable" where + f9: "\V Va. (V \ Va \ {} \ (\v. v \ V \ (\va. va \ Va \ v \ va))) \ (V \ Va = {} \ vv Va V \ V \ vva Va V \ Va \ vv Va V = vva Va V)" + by moura + then have f10: "(FVF (the (SPreds \ p)) \ V \ {} \ (\v. v \ FVF (the (SPreds \ p)) \ (\va. va \ V \ v \ va))) \ (FVF (the (SPreds \ p)) \ V = {} \ vv V (FVF (the (SPreds \ p))) \ FVF (the (SPreds \ p)) \ vva V (FVF (the (SPreds \ p))) \ V \ vv V (FVF (the (SPreds \ p))) = vva V (FVF (the (SPreds \ p))))" + by presburger + { assume "vv V (FVF (the (SPreds \ p))) \ FVF (the (SPreds \ p)) \ vva V (FVF (the (SPreds \ p))) \ V \ vv V (FVF (the (SPreds \ p))) \ vva V (FVF (the (SPreds \ p)))" + moreover + { assume "(if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ undeff" + moreover + { assume "(if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf \ V (Pred p \)" + then have "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + using f7 f5 f4 by simp + then have "SPreds \ p = undeff" + using f2 by (metis (no_types, lifting) \(if FVF (the (SPreds \ p)) \ V = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ usubstappf \ V (Pred p \)\ calculation f5 f7 option.collapse usubstappf_pred)} + ultimately have "usubstappf \ V (Pred p \) = undeff \ SPreds \ p = undeff" + by fastforce } + moreover + { assume "usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) \ usubstappf \ U (Pred p \)" + then have "usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ U \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ U \))) {} f else undeff)" + using f6 by simp + then have "usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f7 by (metis f7) + moreover + { assume "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + then have "SPreds \ p = undeff" + using f2 by (metis (no_types, lifting) Pred.prems(2) \usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) \ usubstappf \ U (Pred p \)\ f5 f7 option.collapse usubstappf_pred usubstappf_pred2)} + ultimately have "FVF (the (SPreds \ p)) \ U = {} \ SPreds \ p = undeff" + by force } + ultimately have "FVF (the (SPreds \ p)) \ U = {} \ usubstappf \ V (Pred p \) = undeff \ SPreds \ p = undeff" + using f10 by (metis Pred.prems(2)) } + moreover + { assume "FVF (the (SPreds \ p)) \ U \ {}" + then have "(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ U \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ U \))) {} f else undeff)" + using f6 Pred.prems(2) by auto + then have "(if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff) \ (case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff)" + using f7 by (metis \FVF (the (SPreds \ p)) \ U \ {}\) + then have "(case SPreds \ p of None \ Afml (Pred p (the (usubstappt \ V \))) | Some f \ if FVF f \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} f else undeff) \ (if FVF (the (SPreds \ p)) \ U = {} then usubstappf (dotsubstt (the (usubstappt \ V \))) {} (the (SPreds \ p)) else undeff)" + by simp + then have "SPreds \ p = undeff" + using f2 + proof - + show ?thesis + by (metis (no_types) Pred.prems(2) \FVF (the (SPreds \ p)) \ U \ {}\ option.discI option.expand option.sel usubstappf_pred2) + qed } + ultimately have "usubstappf \ V (Pred p \) = undeff \ SPreds \ p = undeff" + using f9 f1 by meson + then show ?thesis + using f8 by (metis (full_types) Pred.prems(2)) + qed + + next + case (Geq \ \) + then show ?case using usubstappt_antimon using Geqo_undef by auto + next + case (Not x) + then show ?case using Noto_undef by auto + next + case (And x1 x2) + then show ?case using Ando_undef by auto + next + case (Exists x1 x2) + then show ?case using Existso_undef + by (metis (no_types, lifting) Un_mono subsetI usubstappf.simps(5)) + next + case (Diamond x1 x2) + then show ?case using Diamondo_undef usubstappf.simps(6) usubstappp_fst_mon by metis + next + case (Game a) + then show ?case by (cases "SGames \ a") (auto) + next + case (Assign x \) + then show ?case using usubstappt_antimon by (metis Assigno_undef snd_conv usubstappp.simps(2)) + next + case (ODE x \) + then show ?case using usubstappt_antimon ODEo_undef + by (metis (no_types, hide_lams) Un_mono order_refl snd_conv usubstappp.simps(8)) + next + case (Test \) + then show ?case by (metis Testo_undef snd_conv usubstappp.simps(3)) + next + case (Choice \ \) + then show ?case using Choiceo_undef by auto + next + case (Compose \ \) + then show ?case + using usubstappp_compose[where \=\ and U=U and \=\ and \=\] usubstappp_compose[where \=\ and U=V and \=\ and \=\] + Composeo_undef[where \=\snd (usubstappp \ U \)\ and \=\snd (usubstappp \ (fst (usubstappp \ U \)) \)\] + Composeo_undef[where \=\snd (usubstappp \ V \)\ and \=\snd (usubstappp \ (fst (usubstappp \ V \)) \)\] + snd_conv usubstappp_fst_mon by metis + (*proof- + from Compose have ca: "snd (usubstappp \ U (\ ;; \)) \ undefg" by simp + have decU: "snd (usubstappp \ U (\ ;; \)) = Composeo (snd(usubstappp \ U \)) (snd(usubstappp \ (fst(usubstappp \ U \)) \))" using usubstappp_compose by simp + have decV: "snd (usubstappp \ V (\ ;; \)) = Composeo (snd(usubstappp \ V \)) (snd(usubstappp \ (fst(usubstappp \ V \)) \))" using usubstappp_compose by simp + from Compose have fact1: "snd(usubstappp \ V \) \ undefg" using Composeo_undef by auto + from Compose have fact2: "snd(usubstappp \ (fst(usubstappp \ U \)) \) \ undefg" using Composeo_undef by auto + have rel: "fst(usubstappp \ V \) \ fst(usubstappp \ U \)" using \V\U\ usubstappp_fst_mon by auto + from Compose have fact3: "snd(usubstappp \ (fst(usubstappp \ V \)) \) \ undefg" using fact2 rel by auto + then show ?thesis by (simp add: Composeo_undef fact1) + qed*) + next + case (Loop \) + then show ?case using Loopo_undef snd_conv usubstappp.simps(6) usubstappp_fst_mon by metis + next + case (Dual \) + then show ?case by (metis Dualo_undef snd_conv usubstappp.simps(7)) + qed + from this show "V\U \ usubstappf \ U \ \ undeff \ usubstappf \ U \ = usubstappf \ V \" + and "V\U \ snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ U \) = snd(usubstappp \ V \)" using usubstappf_and_usubstappp_det by auto + qed + +lemma usubstappf_antimon: "V\U \ usubstappf \ U \ \ undeff \ usubstappf \ U \ = usubstappf \ V \" + using usubstappf_and_usubstappp_antimon by simp + +lemma usubstappp_antimon: "V\U \ snd(usubstappp \ U \) \ undefg \ snd(usubstappp \ U \) = snd(usubstappp \ V \)" + using usubstappf_and_usubstappp_antimon by simp + + +subsection \Taboo Lemmas\ + +lemma usubstappp_loop_conv: "snd (usubstappp \ U (Loop \)) \ undefg \ + snd(usubstappp \ U \) \ undefg \ + snd(usubstappp \ (fst(usubstappp \ U \)) \) \ undefg" + (*using usubstappp_loop Loopo_undef*) +proof + assume a: "snd (usubstappp \ U (Loop \)) \ undefg" + have fact: "fst(usubstappp \ U \) \ U" using usubst_taboos_mon by simp + show "snd(usubstappp \ (fst(usubstappp \ U \)) \) \ undefg" using a usubstappp_loop Loopo_undef by simp + then show "snd(usubstappp \ U \) \ undefg" using a usubstappp_loop Loopo_undef fact usubstappp_antimon by auto +qed + + +text \Lemma 13 of \<^url>\http://arxiv.org/abs/1902.07230\\ + +lemma usubst_taboos: "snd(usubstappp \ U \)\undefg \ fst(usubstappp \ U \) \ U \ BVG(the (snd(usubstappp \ U \)))" +proof (induction \ arbitrary: U rule: game_induct) + case (Game a) + then show ?case by (cases "SGames \ a") (auto) +next + case (Assign x \) + then show ?case + using BVG_assign Assigno_undef + by (metis (no_types, lifting) Assigno.elims BVG_assign_other fst_pair option.sel singletonI snd_pair subsetI union_or usubstappp.simps(2)) +next + case (ODE x \) + then show ?case + using BVG_ODE ODEo_undef + by (metis (no_types, lifting) ODEo.elims Un_least fst_pair option.sel snd_conv sup.coboundedI2 usubst_taboos_mon usubstappp.simps(8)) +next + case (Test p) + then show ?case + using BVG_test Testo_undef usubst_taboos_mon by auto +next + case (Choice \ \) + then show ?case (*using usubstappp.simps Product_Type.fst_conv Product_Type.snd_conv BVG_choice*) + proof- + from Choice have IHa: "fst(usubstappp \ U \) \ U \ BVG(the (snd(usubstappp \ U \)))" by (simp add: Choiceo_undef) + from Choice have IHb: "fst(usubstappp \ U \) \ U \ BVG(the (snd(usubstappp \ U \)))" by (simp add: Choiceo_undef) + have fact: "BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ U (Choice \ \))))" using BVG_choice + (*by (smt Choice.prems Choiceo.simps(1) Choiceo_undef option.collapse option.sel snd_pair usubstappp_choice)*) + proof - + have "Agame (the (snd (usubstappp \ U \)) \\ the (snd (usubstappp \ U \))) = Choiceo (snd (usubstappp \ U \)) (snd (usubstappp \ U \))" + by (metis (no_types) Choice.prems Choiceo.simps(1) option.collapse usubstappp_choice_conv) + then show ?thesis + by (metis (no_types) BVG_choice Choice.prems Pair_inject option.collapse option.inject surjective_pairing usubstappp.simps(4)) + qed + from IHa and IHb have "fst(usubstappp \ U \) \ fst(usubstappp \ U \) \ U \ BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ U \)))" by auto + then have "fst(usubstappp \ U (Choice \ \)) \ U \ BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ U \)))" using usubstappp.simps Let_def by auto + then show "fst(usubstappp \ U (Choice \ \)) \ U \ BVG(the (snd(usubstappp \ U (Choice \ \))))" using usubstappp.simps fact by auto + qed +next + case (Compose \ \) + then show ?case + proof- + let ?V = "fst(usubstappp \ U \)" + let ?W = "fst(usubstappp \ ?V \)" + from Compose have IHa: "?V \ U \ BVG(the (snd(usubstappp \ U \)))" by (simp add: Composeo_undef) + from Compose have IHb: "?W \ ?V \ BVG(the (snd(usubstappp \ ?V \)))" by (simp add: Composeo_undef) + have fact: "BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ ?V \))) \ BVG(the (snd(usubstappp \ U (Compose \ \))))" using usubstappp.simps BVG_compose + (*by (smt Compose.prems Composeo.simps(1) Composeo_undef option.collapse option.sel snd_pair)*) + proof - + have f1: "\z. z = undefg \ Agame (the z) = z" + using option.collapse by blast + then have "Agame (the (snd (usubstappp \ U \)) ;; the (snd (usubstappp \ (fst (usubstappp \ U \)) \))) = snd (usubstappp \ U (\ ;; \))" + using Compose.prems Composeo_undef by auto + then show ?thesis + using f1 by (metis (no_types) BVG_compose Compose.prems option.inject) + qed + have "?W \ U \ BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ ?V \)))" using usubstappp.simps Let_def IHa IHb by auto + then have "?W \ U \ BVG(the (snd(usubstappp \ U (Compose \ \))))" using fact by auto + then show "fst(usubstappp \ U (Compose \ \)) \ U \ BVG(the (snd(usubstappp \ U (Compose \ \))))" using usubstappp.simps Let_def by simp + qed +next + case (Loop \) + then show ?case + proof- + let ?V = "fst(usubstappp \ U \)" + let ?W = "fst(usubstappp \ ?V \)" + from Loop have def\: "snd(usubstappp \ U \) \ undefg" using usubstappp_loop_conv by simp + from Loop have IHdef: "?V \ U \ BVG(the (snd(usubstappp \ U \)))" + using def\ usubstappp_loop[where \=\ and U=U and \=\] Loopo_undef[where \=\snd (usubstappp \ (fst (usubstappp \ U \)) \)\] by auto + from Loop have IH: "?W \ ?V \ BVG(the (snd(usubstappp \ ?V \)))" by (simp add: Loopo_undef) + then have Vfix: "?V \ BVG(the (snd(usubstappp \ ?V \)))" + using usubstappp_det by (metis IHdef Loop.prems le_sup_iff usubstappp_loop_conv) + then have "?V \ U \ BVG(the (snd(usubstappp \ U (Loop \))))" + using usubstappp.simps Vfix IHdef BVG_loop usubst_taboos_mon usubstappp_loop_conv + (*by (smt Loop.prems Loopo.simps(1) Un_mono option.collapse option.sel snd_pair sup.absorb_iff1)*) + proof - (*sledgehammer*) + have f1: "\z. z = undefg \ Agame (the z) = z" + using option.collapse by blast + have "snd (usubstappp \ U \) \ undefg \ snd (usubstappp \ (fst (usubstappp \ U \)) \) \ undefg" + using Loop.prems usubstappp_loop_conv by blast + then have "Agame (Loop (the (snd (usubstappp \ (fst (usubstappp \ U \)) \)))) = snd (usubstappp \ U (Loop \))" + by force + then show ?thesis + using f1 by (metis (no_types) BVG_loop Loop.prems Vfix option.inject sup.absorb_iff1 sup.mono usubst_taboos_mon) + qed + then show "fst(usubstappp \ U (Loop \)) \ U \ BVG(the (snd(usubstappp \ U (Loop \))))" using usubstappp.simps Let_def by simp + qed +next + case (Dual \) + then show ?case + (*using BVG_dual usubstappp.simps Let_def by auto*) + proof- + let ?V = "fst(usubstappp \ U \)" + from Dual have IH: "?V \ U \ BVG(the (snd(usubstappp \ U \)))" by (simp add: Dualo_undef) + have fact: "BVG(the (snd(usubstappp \ U \))) \ BVG(the (snd(usubstappp \ U (Dual \))))" using usubstappp.simps BVG_dual + by (metis (no_types, lifting) Dual.prems Dualo.simps(1) Dualo.simps(2) option.collapse option.sel snd_pair) + then have "?V \ U \ BVG(the (snd(usubstappp \ U (Dual \))))" using IH fact by auto + then show "fst(usubstappp \ U (Dual \)) \ U \ BVG(the (snd(usubstappp \ U (Dual \))))" using usubstappp.simps Let_def by simp + qed +qed + + + +subsection \Substitution Adjoints\ + +text \Modified interpretation \repI I f d\ replaces the interpretation of constant function \f\ in the interpretation \I\ with \d\\ +definition repc :: " interp \ ident \ real \ interp" + where "repc I f d \ mkinterp((\c. if c = f then d else Consts I c), Funcs I, Preds I, Games I)" + +lemma repc_consts [simp]: "Consts (repc I f d) c = (if (c=f) then d else Consts I c)" + unfolding repc_def by auto +lemma repc_funcs [simp]: "Funcs (repc I f d) = Funcs I" + unfolding repc_def by simp +lemma repc_preds [simp]: "Preds (repc I f d) = Preds I" + unfolding repc_def by simp +lemma repc_games [simp]: "Games (repc I f d) = Games I" + unfolding repc_def by (simp add: mon_mono) + +lemma adjoint_stays_mon: "mono (case SGames \ a of None \ Games I a | Some r \ \X. game_sem I r X)" + using game_sem_mono game_sem.simps(1) + by (metis disjE_realizer2 option.case_distrib) + (*proof - + have "\z p b i f. (mono (case z of None \ f | Some x \ game_sem i x) \ \ (case z of None \ b | Some x \ p x)) \ \ mono f" + by (metis (no_types) disjE_realizer2 game_sem_mono) + then show ?thesis + by (metis (no_types) game_sem.simps(1) game_sem_mono option.case_distrib) + qed*) + +text \adjoint interpretation \adjoint \ I \\ to \\\ of interpretation \I\ in state \\\\ + +definition adjoint:: "usubst \ (interp \ state \ interp)" +where "adjoint \ I \ = mkinterp( + (\f. (case SConst \ f of None \ Consts I f| Some r \ term_sem I r \)), + (\f. (case SFuncs \ f of None \ Funcs I f | Some r \ \d. term_sem (repc I dotid d) r \)), + (\p. (case SPreds \ p of None \ Preds I p | Some r \ \d. \\fml_sem (repc I dotid d) r)), + (\a. (case SGames \ a of None \ Games I a | Some r \ \X. game_sem I r X)) + )" + + +paragraph \Simple Observations about Adjoints\ + +lemma adjoint_consts: "Consts (adjoint \ I \) f = term_sem I (case SConst \ f of Some r \ r | None \ Const f) \" + unfolding adjoint_def by (cases "SConst \ f=None") (auto) + +lemma adjoint_funcs: "Funcs (adjoint \ I \) f = (case SFuncs \ f of None \ Funcs I f | Some r \ \d. term_sem (repc I dotid d) r \)" + unfolding adjoint_def by auto + +lemma adjoint_funcs_match: "SFuncs \ f=Some r \ Funcs (adjoint \ I \) f = (\d. term_sem (repc I dotid d) r \)" + using adjoint_funcs by auto + +lemma adjoint_funcs_skip: "SFuncs \ f=None \ Funcs (adjoint \ I \) f = Funcs I f" + using adjoint_funcs by auto + +lemma adjoint_preds: "Preds (adjoint \ I \) p = (case SPreds \ p of None \ Preds I p | Some r \ \d. \\fml_sem (repc I dotid d) r)" + unfolding adjoint_def by auto + +lemma adjoint_preds_skip: "SPreds \ p=None \ Preds (adjoint \ I \) p = Preds I p" + using adjoint_preds by simp + +lemma adjoint_preds_match: "SPreds \ p=Some r \ Preds (adjoint \ I \) p = (\d. \\fml_sem (repc I dotid d) r)" + using adjoint_preds by simp + +lemma adjoint_games [simp]: "Games (adjoint \ I \) a = (case SGames \ a of None \ Games I a | Some r \ \X. game_sem I r X)" + unfolding adjoint_def using adjoint_stays_mon Games_mkinterp by simp + +lemma adjoint_dotsubstt: "adjoint (dotsubstt \) I \ = repc I dotid (term_sem I \ \)" + (*unfolding adjoint_def dotsubstt_def adjoint_consts adjoint_funcs_skip adjoint_preds adjoint_games*) +proof- + let ?lhs = "adjoint (dotsubstt \) I \" + let ?rhs = "repc I dotid (term_sem I \ \)" + have feq: "Funcs ?lhs = Funcs ?rhs" using repc_funcs adjoint_funcs dotsubstt_def by auto + moreover have peq: "Preds ?lhs = Preds ?rhs" using repc_preds adjoint_preds dotsubstt_def by auto + moreover have geq: "Games ?lhs = Games ?rhs" using repc_games adjoint_games dotsubstt_def by auto + moreover have ceq: "Consts ?lhs = Consts ?rhs" using repc_consts adjoint_consts dotsubstt_def by auto + show ?thesis using mkinterp_eq[where I=\?lhs\ and J=\?rhs\] feq peq geq ceq by simp +qed + + +subsection \Uniform Substitution for Terms\ + +text \Lemma 15 of \<^url>\http://arxiv.org/abs/1902.07230\\ +theorem usubst_term: "Uvariation \ \ U \ usubstappt \ U \\undeft \ + term_sem I (the (usubstappt \ U \)) \ = term_sem (adjoint \ I \) \ \" +proof- + assume vaouter: "Uvariation \ \ U" + assume defouter: "usubstappt \ U \\undeft" + show "usubstappt \ U \\undeft \ term_sem I (the (usubstappt \ U \)) \ = term_sem (adjoint \ I \) \ \" for \ \ + using vaouter proof (induction arbitrary: \ \ rule: usubstappt_induct) + case (Var \ U x) + then show ?case by simp + next + case (Number \ U r) + then show ?case by simp + next + case (Const \ U f) + then show ?case + proof (cases "SConst \ f") + case None + then show ?thesis using adjoint_consts by (simp add: usappconst_def) + next + case (Some r) + then have varcond: "FVT(r)\U={}" using Const usubstappt_const usubstappt_const_conv by (metis option.inject option.simps(3)) + from Some have "term_sem I (the (usubstappt \ U (Const f))) \ = term_sem I r \" by (simp add: varcond) + also have "... = term_sem I r \" using Const coincidence_term_cor[of \ \ U r] varcond by simp + also have "... = Consts (adjoint \ I \) f" using Some adjoint_consts by simp + also have "... = term_sem (adjoint \ I \) (Const f) \" by auto + finally show "term_sem I (the (usubstappt \ U (Const f))) \ = term_sem (adjoint \ I \) (Const f) \" . + qed + next + case (FuncMatch \ U f \) + then have va: "Uvariation \ \ U" by simp + then show ?case + proof (cases "SFuncs \ f") + case None + from FuncMatch and None have IHsubterm: "term_sem I (the (usubstappt \ U \)) \ = term_sem (adjoint \ I \) \ \" using va + by (simp add: FuncMatch.IH(1) usubstappt_func_conv) + from None show ?thesis using usubstappt_func IHsubterm adjoint_funcs + by (metis (no_types, lifting) FuncMatch.prems(1) option.case_eq_if option.sel term_sem.simps(4) usubstappt.simps(4)) + next + case (Some r) + then have varcond: "FVT(r)\U={}" using FuncMatch usubstappt_func usubstappt_func2 usubstappt_func_conv by meson + from FuncMatch have subdef: "usubstappt \ U \ \ undeft" using usubstappt_func_conv by auto + from FuncMatch and Some + have IHsubterm: "term_sem I (the (usubstappt \ U \)) \ = term_sem (adjoint \ I \) \ \" using va subdef by blast + from FuncMatch and Some + have IHsubsubst: "\\ \. Uvariation \ \ {} \ term_sem I (the (usubstappt (dotsubstt (the (usubstappt \ U \))) {} r)) \ = term_sem (adjoint (dotsubstt (the (usubstappt \ U \))) I \) r \" + using subdef varcond by fastforce + + let ?d = "term_sem I (the (usubstappt \ U \)) \" + have deq: "?d = term_sem (adjoint \ I \) \ \" by (rule IHsubterm) + let ?dotIa = "adjoint (dotsubstt (the (usubstappt \ U \))) I \" + + from Some + have "term_sem I (the (usubstappt \ U (Func f \))) \ = term_sem I (the (usubstappt (dotsubstt (the (usubstappt \ U \))) {} r)) \" using subdef varcond by force + also have "... = term_sem ?dotIa r \" using IHsubsubst[where \=\ and \=\] Uvariation_empty by auto + also have "... = term_sem (repc I dotid ?d) r \" using adjoint_dotsubstt[where \=\the (usubstappt \ U \)\ and I=I and \=\] by simp + also have "... = term_sem (repc I dotid ?d) r \" using coincidence_term_cor[where \=\ and \'=\ and U=U and \=r and I=\repc I dotid ?d\] va varcond by simp + (*I.^d\\\f(\)\ also have "... = term_sem ?dotIa r \" using coincidence_term_cor[of \ \ U r ?dotIa] uv varcond by simp*) + also have "... = (Funcs (adjoint \ I \) f)(?d)" using adjoint_funcs_match Some by simp + also have "... = (Funcs (adjoint \ I \) f)(term_sem (adjoint \ I \) \ \)" using deq by simp + also have "... = term_sem (adjoint \ I \) (Func f \) \" by simp + finally show "term_sem I (the (usubstappt \ U (Func f \))) \ = term_sem (adjoint \ I \) (Func f \) \" . + qed + next + case (Plus \ U \ \) + then show ?case using Pluso_undef by auto + next + case (Times \ U \ \) + then show ?case using Timeso_undef by auto + next + case (Differential \ U \) + from Differential have subdef: "usubstappt \ allvars \ \ undeft" using usubstappt_differential_conv by simp + from Differential have IH: "\\. term_sem I (the (usubstappt \ allvars \)) \ = term_sem (adjoint \ I \) \ \" using subdef Uvariation_univ by blast (*by auto*) + + have "term_sem I (the (usubstappt \ U (Differential \))) \ = term_sem I (Differential (the (usubstappt \ allvars \))) \" using subdef by force + also have "... = sum(\x. \(DVar x)*deriv(\X. term_sem I (the (usubstappt \ allvars \)) (repv \ (RVar x) X))(\(RVar x)))(allidents)" by simp + also have "... = sum(\x. \(DVar x)*deriv(\X. term_sem (adjoint \ I \) \ (repv \ (RVar x) X))(\(RVar x)))(allidents)" using IH by auto + also have "... = term_sem (adjoint \ I \) (Differential \) \" by simp + finally show "term_sem I (the (usubstappt \ U (Differential \))) \ = term_sem (adjoint \ I \) (Differential \) \" . + qed +qed + +subsection \Uniform Substitution for Formulas and Games\ + +paragraph \Separately Prove Crucial Ingredient for the ODE Case of \usubst_fml_game\\ + +lemma same_ODE_same_sol: + "(\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem I \ \ = term_sem J \ \) + \ solves_ODE I F x \ = solves_ODE J F x \" + using Uvariation_Vagree Vagree_def solves_ODE_def + (*by (smt double_complement)*) +proof- + assume va: "\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem I \ \ = term_sem J \ \" + then have va2: "\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem J \ \ = term_sem I \ \" by simp + have one: "\I J \ \. (\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem I \ \ = term_sem J \ \) + \ solves_ODE I F x \ \ solves_ODE J F x \" + proof- + fix I J \ \ + assume vaflow: "\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem I \ \ = term_sem J \ \" + assume sol: "solves_ODE I F x \" + from vaflow and sol show "solves_ODE J F x \" unfolding solves_ODE_def using Uvariation_Vagree coincidence_term + by (metis double_complement solves_Vagree sol) + qed + show "solves_ODE I F x \ = solves_ODE J F x \" using one[where \=\ and \=\, OF va] one[where \=\ and \=\, OF va2] + by force +qed + + +lemma usubst_ode: + assumes subdef: "usubstappt \ {RVar x,DVar x} \ \ undeft" + shows "solves_ODE I F x (the (usubstappt \ {RVar x,DVar x} \)) = solves_ODE (adjoint \ I (F(0))) F x \" +proof- + have vaflow: "\F \ \. solves_ODE I F x \ \ Uvariation (F(\)) (F(0)) {RVar x,DVar x}" using solves_Vagree_trans by simp + from subdef have IH: "\\. Uvariation \ (F(0)) {RVar x,DVar x} \ term_sem I (the (usubstappt \ {RVar x,DVar x} \)) \ = term_sem (adjoint \ I (F(0))) \ \" by (simp add: usubst_term) + then show ?thesis using IH vaflow solves_ODE_def Uvariation_Vagree same_ODE_same_sol by blast +qed + +lemma usubst_ode_ext: + assumes uv: "Uvariation (F(0)) \ (U\{RVar x,DVar x})" + assumes subdef: "usubstappt \ (U\{RVar x,DVar x}) \ \ undeft" + shows "solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)) = solves_ODE (adjoint \ I \) F x \" + (*using usubst_ode usubstappt_det usubstappt_antimon Uvariation_Vagree Uvariation_mon *) +proof- + have vaflow1: "\F \ \. solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)) \ Uvariation (F(\)) (F(0)) {RVar x,DVar x}" using solves_Vagree_trans by simp + have vaflow2: "\F \ \. solves_ODE (adjoint \ I \) F x \ \ Uvariation (F(\)) (F(0)) {RVar x,DVar x}" using solves_Vagree_trans by simp + from subdef have IH: "\\. Uvariation \ (F(0)) (U\{RVar x,DVar x}) \ term_sem I (the (usubstappt \ (U\{RVar x,DVar x}) \)) \ = term_sem (adjoint \ I (F(0))) \ \" using Uvariation_refl Uvariation_trans usubst_term by blast + have l2r: "solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)) \ solves_ODE (adjoint \ I \) F x \" + using vaflow1 subdef same_ODE_same_sol Uvariation_trans usubst_term uv + (*by (smt sup_commute sup_left_idem)*) + proof - (*sledgehammer*) + assume a1: "solves_ODE I F x (the (usubstappt \ (U \ {RVar x, DVar x}) \))" + obtain rr :: "trm \ interp \ trm \ interp \ char \ (real \ variable \ real) \ variable \ real" where + f2: "\x0 x1 x2 x3 x4 x5. (\v6. Uvariation v6 (x5 0) {RVar x4, DVar x4} \ term_sem x3 x2 v6 \ term_sem x1 x0 v6) = (Uvariation (rr x0 x1 x2 x3 x4 x5) (x5 0) {RVar x4, DVar x4} \ term_sem x3 x2 (rr x0 x1 x2 x3 x4 x5) \ term_sem x1 x0 (rr x0 x1 x2 x3 x4 x5))" + by moura + have f3: "Uvariation (F 0) \ (insert (RVar x) (U \ {DVar x}))" + using uv by auto + have f4: "{DVar x} \ {} \ {DVar x} = insert (DVar x) ({DVar x} \ {} \ {}) \ {RVar x} \ {DVar x} \ insert (RVar x) (U \ {DVar x}) = insert (RVar x) (U \ {DVar x})" + by fastforce + { assume "{DVar x} \ {} \ {DVar x} = insert (DVar x) ({DVar x} \ {} \ {}) \ Uvariation (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F) \ ({RVar x} \ {DVar x} \ insert (RVar x) (U \ {DVar x}))" + then have "\ Uvariation (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F) (F 0) {RVar x, DVar x} \ term_sem (USubst.adjoint \ I \) \ (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F) = term_sem I (the (usubstappt \ (U \ {RVar x, DVar x}) \)) (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F)" + using f4 subdef usubst_term by auto } + then have "\ Uvariation (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F) (F 0) {RVar x, DVar x} \ term_sem (USubst.adjoint \ I \) \ (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F) = term_sem I (the (usubstappt \ (U \ {RVar x, DVar x}) \)) (rr (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I \ (USubst.adjoint \ I \) x F)" + using f3 by (metis (no_types) Uvariation_trans insert_is_Un) + then show ?thesis + using f2 a1 by (meson same_ODE_same_sol) + qed + have r2l: "solves_ODE (adjoint \ I \) F x \ \ solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \))" + using vaflow2 subdef same_ODE_same_sol Uvariation_trans usubst_term uv + (*by (smt sup_commute sup_left_idem)*) + proof - (*sledgehammer*) + assume a1: "solves_ODE (USubst.adjoint \ I \) F x \" + obtain rr :: "trm \ interp \ trm \ interp \ char \ (real \ variable \ real) \ variable \ real" where + "\x0 x1 x2 x3 x4 x5. (\v6. Uvariation v6 (x5 0) {RVar x4, DVar x4} \ term_sem x3 x2 v6 \ term_sem x1 x0 v6) = (Uvariation (rr x0 x1 x2 x3 x4 x5) (x5 0) {RVar x4, DVar x4} \ term_sem x3 x2 (rr x0 x1 x2 x3 x4 x5) \ term_sem x1 x0 (rr x0 x1 x2 x3 x4 x5))" + by moura + then have f2: "\f c i t ia ta. Uvariation (rr ta ia t i c f) (f 0) {RVar c, DVar c} \ term_sem i t (rr ta ia t i c f) \ term_sem ia ta (rr ta ia t i c f) \ solves_ODE i f c t = solves_ODE ia f c ta" + by (meson same_ODE_same_sol) + have f3: "Uvariation (F 0) \ ({RVar x, DVar x} \ U)" + using uv by force + have f4: "usubstappt \ ({RVar x, DVar x} \ U) \ \ undeft" + using subdef by auto + { assume "Uvariation (rr \ (USubst.adjoint \ I \) (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I x F) \ ({RVar x, DVar x} \ ({RVar x, DVar x} \ U))" + then have "\ Uvariation (rr \ (USubst.adjoint \ I \) (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I x F) (F 0) {RVar x, DVar x} \ term_sem I (the (usubstappt \ (U \ {RVar x, DVar x}) \)) (rr \ (USubst.adjoint \ I \) (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I x F) = term_sem (USubst.adjoint \ I \) \ (rr \ (USubst.adjoint \ I \) (the (usubstappt \ (U \ {RVar x, DVar x}) \)) I x F)" + using f4 by (simp add: Un_commute usubst_term) } + then show ?thesis + using f3 f2 a1 by (meson Uvariation_trans) + qed + from l2r and r2l show ?thesis by auto +qed + +lemma usubst_ode_ext2: + assumes subdef: "usubstappt \ (U\{RVar x,DVar x}) \ \ undeft" + assumes uv: "Uvariation (F(0)) \ (U\{RVar x,DVar x})" + shows "solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)) = solves_ODE (adjoint \ I \) F x \" + using usubst_ode_ext subdef uv by blast + +paragraph \Separately Prove the Loop Case of \usubst_fml_game\\ + +lemma union_comm: "A\B=B\A" + by auto + + +definition loopfp\:: "game \ interp \ (state set \ state set)" + where "loopfp\ \ I X = lfp(\Z. X \ game_sem I \ Z)" + +lemma usubst_game_loop: + assumes uv: "Uvariation \ \ U" + and IH\rec: "\\ \ X. Uvariation \ \ (fst(usubstappp \ U \)) \ snd (usubstappp \ (fst(usubstappp \ U \)) \)\undefg \ + (\ \ game_sem I (the (snd (usubstappp \ (fst(usubstappp \ U \)) \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" + shows "snd (usubstappp \ U (Loop \))\undefg \ (\ \ game_sem I (the (snd (usubstappp \ U (Loop \)))) X) = (\ \ game_sem (adjoint \ I \) (Loop \) X)" +proof- + assume def: "snd (usubstappp \ U (Loop \))\undefg" + have loopfix: "\\ I X. loopfp\ \ I X = game_sem I (Loop \) X" unfolding loopfp\_def using game_sem_loop by metis + let ?\\loopoff = "the (snd (usubstappp \ U (Loop \)))" + let ?\\ = "the (snd(usubstappp \ (fst(usubstappp \ U \)) \))" + let ?\\loop = "Loop ?\\" + have loopform: "?\\loopoff = ?\\loop" using usubstappp_loop + by (metis (mono_tags, lifting) Loopo.simps(1) def option.exhaust_sel option.inject snd_conv usubstappp_loop_conv) + let ?\ = "loopfp\ ?\\loop I" + let ?\ = "loopfp\ \ (adjoint \ I \)" + let ?V = "fst(usubstappp \ U \)" + have fact1: "\V. snd(usubstappp \ V \)\undefg \ fst(usubstappp \ V \) \ BVG(the (snd(usubstappp \ V \)))" using usubst_taboos by simp + have fact2: "\V W. snd(usubstappp \ V \)\undefg \ snd(usubstappp \ W \)\undefg \ (fst(usubstappp \ V \) \ BVG(the (snd(usubstappp \ W \))))" using fact1 usubst_taboos usubstappp_det by metis + have VgeqBV: "?V \ BVG(?\\)" using usubst_taboos fact2 def usubstappp_loop_conv by simp + have uvV: "Vagree \ \ (-?V)" using uv + by (metis Uvariation_Vagree Uvariation_mon double_compl usubst_taboos_mon) + have \eq: "?\(X) = game_sem I ?\\loop X" using loopfix by auto + have \eq: "?\(X) = game_sem (adjoint \ I \) (Loop \) X" using loopfix by auto + have \is\: "selectlike (?\(X)) \ (-?V)= selectlike (?\(X)) \ (-?V)" + proof- + let ?f = "\Z. X \ game_sem I ?\\ Z" + let ?g = "\Y. X \ game_sem (adjoint \ I \) \ Y" + let ?R = "\Z Y. selectlike Z \ (-?V) = selectlike Y \ (-?V)" + have "?R (lfp ?f) (lfp ?g)" + proof (induction rule: lfp_lockstep_induct[where f=\?f\ and g=\?g\ and R=\?R\]) + case monof + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case monog + then show ?case using game_sem_loop_fixpoint_mono by simp + next + case (step A B) + then have IHfp: "selectlike A \ (-?V) = selectlike B \ (-?V)" by simp + show "selectlike (X \ game_sem I ?\\ A) \ (-?V) = selectlike (X \ game_sem (adjoint \ I \) \ B) \ (-?V)" + proof (rule selectlike_equal_cocond_corule + (*[where \=\ and V=\?V\ and X=\X \ game_sem I ?\\ A\ and Y=\X \ game_sem (adjoint \ I \) \ B\]*)) + fix \ + assume muvar: "Uvariation \ \ ?V" + have forw: "(\ \ X \ game_sem I ?\\ A) = (\ \ X \ game_sem I ?\\ (selectlike A \ (-BVG(?\\))))" using boundeffect by auto + + have "(\ \ X \ game_sem (adjoint \ I \) \ B) = (\ \ X \ game_sem I ?\\ B)" using IH\rec[OF muvar] + using def usubstappp_loop_conv by auto + also have "... = (\ \ X \ game_sem I ?\\ (selectlike B \ (-BVG(?\\))))" using boundeffect by simp + finally have backw: "(\ \ X \ game_sem (adjoint \ I \) \ B) = (\ \ X \ game_sem I ?\\ (selectlike B \ (-BVG(?\\))))" . + + have samewin: "selectlike A \ (-BVG(?\\)) = selectlike B \ (-BVG(?\\))" using IHfp selectlike_antimon VgeqBV muvar Uvariation_trans selectlike_equal_cocond + (*by (smt le_iff_sup)*) + proof - + have "Vagree \ \ (- fst (usubstappp \ U \))" + by (metis Uvariation_Vagree double_complement muvar) + then have "selectlike A \ (- fst (usubstappp \ U \)) = selectlike B \ (- fst (usubstappp \ U \))" + using IHfp selectlike_Vagree by presburger + then show ?thesis + by (metis (no_types) Compl_subset_Compl_iff VgeqBV selectlike_compose sup.absorb_iff2) + qed + from forw and backw show "(\ \ X \ game_sem I ?\\ A) = (\ \ X \ game_sem (adjoint \ I \) \ B)" using samewin by auto + qed + + next + case (union M) + then show ?case using selectlike_Sup[where \=\ and V=\-?V\] fst_proj_def snd_proj_def by (simp) (blast) + qed + then show ?thesis + using \eq loopfix loopfp\_def by auto + qed + show ?thesis using \eq \eq \is\ similar_selectlike_mem[OF uvV] by (metis loopform) +qed + + + +lemma usubst_fml_game: + assumes vaouter: "Uvariation \ \ U" + shows "usubstappf \ U \\undeff \ (\ \ fml_sem I (the (usubstappf \ U \))) = (\ \ fml_sem (adjoint \ I \) \)" + and "snd (usubstappp \ U \)\undefg \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" +proof- + show "usubstappf \ U \\undeff \ (\ \ fml_sem I (the (usubstappf \ U \))) = (\ \ fml_sem (adjoint \ I \) \)" + and "snd (usubstappp \ U \)\undefg \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" for \ \ \ + using vaouter proof (induction \ and \ arbitrary: \ \ and \ \ X rule: usubstappfp_induct) + case (Pred \ U p \) + then have va: "Uvariation \ \ U" by simp + then show ?case + proof (cases "SPreds \ p") + case None + then show ?thesis using usubst_term[OF va] adjoint_preds_skip + (*by (smt Pred.prems(1) fml_sem.simps(1) mem_Collect_eq option.case_eq_if option.sel usubstappf.simps(1))*) + proof - (*sledgehammer*) + have "\p V c t. usubstappf p V (Pred c t) = (if usubstappt p V t = undeft then undeff else case SPreds p c of None \ Afml (Pred c (the (usubstappt p V t))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt p V t))) {} f else undeff)" + by (simp add: option.case_eq_if) + then have f1: "\p V c t. if usubstappt p V t = undeft then usubstappf p V (Pred c t) = undeff else usubstappf p V (Pred c t) = (case SPreds p c of None \ Afml (Pred c (the (usubstappt p V t))) | Some f \ if FVF f \ V = {} then usubstappf (dotsubstt (the (usubstappt p V t))) {} f else undeff)" + by presburger + then have "usubstappt \ U \ \ undeft" + by (meson Pred.prems(1)) + then have f2: "usubstappf \ U (Pred p \) = Afml (Pred p (the (usubstappt \ U \)))" + using None by force + have "usubstappt \ U \ \ undeft" + using f1 by (meson Pred.prems(1)) + then show ?thesis + using f2 by (simp add: None \\\ \ I. usubstappt \ U \ \ undeft \ term_sem I (the (usubstappt \ U \)) \ = term_sem (USubst.adjoint \ I \) \ \\ adjoint_preds_skip) + qed + + next + case (Some r) + then have varcond: "FVF(r)\U={}" using Pred usubstappf_pred usubstappf_pred2 usubstappf_pred_conv by meson + from Pred have subdef: "usubstappt \ U \ \ undeft" using usubstappf_pred_conv by auto + from Pred and Some + have IHsubsubst: "\\ \. Uvariation \ \ {} \ (\ \ fml_sem I (the (usubstappf (dotsubstt (the (usubstappt \ U \))) {} r))) = (\ \ fml_sem (adjoint (dotsubstt (the (usubstappt \ U \))) I \) r)" + using subdef varcond by fastforce + + let ?d = "term_sem I (the (usubstappt \ U \)) \" + have deq: "?d = term_sem (adjoint \ I \) \ \" by (rule usubst_term[OF va subdef]) + let ?dotIa = "adjoint (dotsubstt (the (usubstappt \ U \))) I \" + + from Some + have "(\\fml_sem I (the (usubstappf \ U (Pred p \)))) = (\\fml_sem I (the (usubstappf (dotsubstt (the (usubstappt \ U \))) {} r)))" + using subdef varcond by force + also have "... = (\\fml_sem ?dotIa r)" using IHsubsubst[where \=\ and \=\] Uvariation_empty by auto + also have "... = (\\fml_sem (repc I dotid ?d) r)" using adjoint_dotsubstt[where \=\the (usubstappt \ U \)\ and I=I and \=\] by simp + also have "... = (\\fml_sem (repc I dotid ?d) r)" using coincidence_formula_cor[where \=\ and \'=\ and U=U and \=r and I=\repc I dotid ?d\] va varcond by simp + (*I.^d\\\f(\)\ also have "... = term_sem ?dotIa r \" using coincidence_term_cor[of \ \ U r ?dotIa] uv varcond by simp*) + also have "... = (Preds (adjoint \ I \) p)(?d)" using adjoint_preds_match Some by simp + also have "... = (Preds (adjoint \ I \) p)(term_sem (adjoint \ I \) \ \)" using deq by simp + also have "... = (\\fml_sem (adjoint \ I \) (Pred p \))" by simp + finally show "(\\fml_sem I (the (usubstappf \ U (Pred p \)))) = (\\fml_sem (adjoint \ I \) (Pred p \))" . + qed + + next + case (Geq \ U \ \) + (* then show ?case using usubst_term usubstappf_geq usubstappf_geq_conv + by (smt fml_sem.simps(2) mem_Collect_eq option.sel)*) + then have def1: "usubstappt \ U \ \ undeft" using usubstappf_geq_conv by simp + moreover have def2: "usubstappt \ U \ \ undeft" using usubstappf_geq_conv Geq.prems(1) by blast + show ?case + using usubst_term[OF \Uvariation \ \ U\, OF def1] usubst_term[OF \Uvariation \ \ U\,OF def2] usubstappf_geqr[OF \usubstappf \ U (Geq \ \) \ undeff\] by force + next + case (Not \ U \) + then show ?case using Noto_undef by auto + next + case (And \ U \ \) + then show ?case using Ando_undef by auto + + next + case (Exists \ U x \) + then have IH: "\\ \. Uvariation \ \ (U\{x}) \ (\ \ fml_sem I (the (usubstappf \ (U\{x}) \))) = (\ \ fml_sem (adjoint \ I \) \)" by force + from Exists have "Uvariation \ \ U" by simp + (*from Exists have subdef: "usubstappt \ (U\{x}) \ \ undeft" by auto*) + + then have Uvar: "\d. Uvariation (repv \ x d) \ (U\{x})" using Uvariation_repv Uvariation_trans Uvariation_sym + using Exists.prems(2) Uvariation_def by auto + have "(\\fml_sem I (the (usubstappf \ U (Exists x \)))) = (\\fml_sem I (Exists x (the (usubstappf \ (U\{x}) \))))" + using usubstappf_exists Exists.prems(1) by fastforce + also have "... = (\d. (repv \ x d)\fml_sem I (the (usubstappf \ (U\{x}) \)))" by simp + also have "... = (\d. (repv \ x d)\fml_sem (adjoint \ I \) \)" using IH Uvar by auto + also have "... = (\\fml_sem (adjoint \ I \) (Exists x \))" by auto + finally have "(\\fml_sem I (the (usubstappf \ U (Exists x \)))) = (\\fml_sem (adjoint \ I \) (Exists x \))" . + from this show ?case by simp + + next + case (Diamond \ U \ \) + let ?V = "fst(usubstappp \ U \)" + from Diamond have IH\: "\X. Uvariation \ \ U \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by fastforce + from Diamond have IH\: "\\ \. Uvariation \ \ (fst(usubstappp \ U \)) \ (\ \ fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \))) = (\ \ fml_sem (adjoint \ I \) \)" + by (simp add: Diamondo_undef) + from Diamond have uv: "Uvariation \ \ U" by simp + have "(\ \ fml_sem I (the (usubstappf \ U (Diamond \ \)))) = (\ \ fml_sem I (let V\ = usubstappp \ U \ in Diamond (the (snd V\)) (the (usubstappf \ (fst V\) \))))" + by (metis Diamond.prems(1) Diamondo.elims option.sel usubstappf.simps(6)) + also have "... = (\ \ fml_sem I (Diamond (the (snd(usubstappp \ U \))) (the (usubstappf \ (fst(usubstappp \ U \)) \))))" by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \))))" by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \))) \ (-BVG(the (snd(usubstappp \ U \))))))" using boundeffect by auto + finally have forw: "(\ \ fml_sem I (the (usubstappf \ U (Diamond \ \)))) = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \))) \ (-BVG(the (snd(usubstappp \ U \))))))" . + + have "(\ \ fml_sem (adjoint \ I \) (Diamond \ \)) = (\ \ game_sem (adjoint \ I \) \ (fml_sem (adjoint \ I \) \))" by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (fml_sem (adjoint \ I \) \))" using IH\ uv by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (fml_sem (adjoint \ I \) \) \ (-BVG(the (snd(usubstappp \ U \))))))" using boundeffect by auto + finally have backw: "(\ \ fml_sem (adjoint \ I \) (Diamond \ \)) = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (fml_sem (adjoint \ I \) \) \ (-BVG(the (snd(usubstappp \ U \))))))" . + + have samewin: "selectlike (fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \))) \ (-BVG(the (snd(usubstappp \ U \)))) = selectlike (fml_sem (adjoint \ I \) \) \ (-BVG(the (snd(usubstappp \ U \))))" + proof (rule selectlike_equal_cocond_corule) + fix \ + assume muvar: "Uvariation \ \ (BVG(the (snd(usubstappp \ U \))))" + have U\\: "Uvariation \ \ ?V" using muvar uv Uvariation_trans union_comm usubst_taboos Uvariation_mon + (*by (smt Diamond.prems(1) Diamondo.simps(2) usubstappf.simps(6))*) + proof- + have U\\: "Uvariation \ \ (BVG(the (snd(usubstappp \ U \))))" by (rule muvar) + have U\\: "Uvariation \ \ U" by (rule uv) + have "Uvariation \ \ (U \ BVG(the (snd(usubstappp \ U \))))" using Uvariation_trans[OF U\\ U\\] union_comm by (rule HOL.back_subst) + thus ?thesis using usubst_taboos Uvariation_mon by (metis (mono_tags, lifting) Diamond.prems(1) Diamondo_undef Uvariation_mon usubst_taboos usubstappf.simps(6)) + qed + have "(\ \ fml_sem (adjoint \ I \) \) = (\ \ fml_sem I (the (usubstappf \ (fst(usubstappp \ U \)) \)))" + using muvar Uvariation_trans uv IH\ boundeffect Uvariation_mon usubst_taboos U\\ by auto + then show "(\ \ fml_sem I (the (usubstappf \ (fst (usubstappp \ U \)) \))) = (\ \ fml_sem (adjoint \ I \) \)" by simp + qed + from forw and backw show "(\ \ fml_sem I (the (usubstappf \ U (Diamond \ \)))) = (\ \ fml_sem (adjoint \ I \) (Diamond \ \))" using samewin by auto + + next (* games *) + + case (Game \ U a) + then show ?case using adjoint_games usubstappp_game by (cases "SGames \ a") auto + + next + case (Assign \ U x \) + then show ?case using usubst_term Assigno_undef + (*by (smt Assigno.elims game_sem.simps(2) mem_Collect_eq option.sel snd_pair usubstappp.simps(2))*) + proof - (*sledgehammer*) + have f1: "usubstappt \ U \ \ undeft" + using Assign.prems(1) Assigno_undef by auto + { assume "repv \ x (term_sem (USubst.adjoint \ I \) \ \) \ X" + then have "repv \ x (term_sem I (the (usubstappt \ U \)) \) \ X" + using f1 Assign.prems(2) usubst_term by auto + then have "repv \ x (term_sem (USubst.adjoint \ I \) \ \) \ X \ (\ \ game_sem I (the (snd (usubstappp \ U (x := \)))) X) = (\ \ game_sem (USubst.adjoint \ I \) (x := \) X)" + using f1 by force } + moreover + { assume "repv \ x (term_sem (USubst.adjoint \ I \) \ \) \ X" + then have "repv \ x (term_sem I (the (usubstappt \ U \)) \) \ X \ repv \ x (term_sem (USubst.adjoint \ I \) \ \) \ X" + using f1 Assign.prems(2) usubst_term by presburger + then have ?thesis + using f1 by force } + ultimately show ?thesis + by fastforce + qed + + next + case (Test \ U \) + then show ?case using Testo_undef by auto + + next + case (Choice \ U \ \) + from Choice have IH\: "\X. Uvariation \ \ U \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by (simp add: Choiceo_undef) + from Choice have IH\: "\X. Uvariation \ \ U \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by (simp add: Choiceo_undef) + from Choice have uv: "Uvariation \ \ U" by simp + show ?case using IH\ IH\ uv + (*by (smt Choice.prems(1) Choiceo.elims game_sem.simps(4) option.sel snd_pair union_or usubstappp_choice) *) + proof - + have f1: "Agame (the (snd (usubstappp \ U \))) = snd (usubstappp \ U \)" + by (meson Choice(3) option.collapse usubstappp_choice_conv) + have "Agame (the (snd (usubstappp \ U \))) = snd (usubstappp \ U \)" + by (meson Choice(3) option.collapse usubstappp_choice_conv) + then have "snd (usubstappp \ U (\ \\ \)) = Agame (the (snd (usubstappp \ U \)) \\ the (snd (usubstappp \ U \)))" + using f1 by (metis Choiceo.simps(1) snd_conv usubstappp.simps(4)) + then have f2: "game_sem I (the (snd (usubstappp \ U \))) X \ game_sem I (the (snd (usubstappp \ U \))) X = game_sem I (the (snd (usubstappp \ U (\ \\ \)))) X" + by simp + moreover + { assume "\ \ game_sem I (the (snd (usubstappp \ U \))) X" + have "(\ \ game_sem I (the (snd (usubstappp \ U (\ \\ \)))) X) = (\ \ game_sem (adjoint \ I \) (\ \\ \) X) \ \ \ game_sem I (the (snd (usubstappp \ U \))) X \ \ \ game_sem (adjoint \ I \) (\ \\ \) X" + using f2 Choice(4) IH\ IH\ by auto + then have "(\ \ game_sem I (the (snd (usubstappp \ U (\ \\ \)))) X) \ (\ \ game_sem (adjoint \ I \) (\ \\ \) X)" + using f2 Choice(4) IH\ by auto } + ultimately show ?thesis + using Choice(4) IH\ by auto + qed + + next + case (Compose \ U \ \) + let ?V = "fst(usubstappp \ U \)" + from Compose have IH\: "\X. Uvariation \ \ U \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by (simp add: Composeo_undef) + from Compose have IH\: "\\ \ X. Uvariation \ \ ?V \ (\ \ game_sem I (the (snd (usubstappp \ ?V \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by (simp add: Composeo_undef) + from Compose have uv: "Uvariation \ \ U" by simp + have "(\ \ game_sem I (the (snd (usubstappp \ U (Compose \ \)))) X) = (\ \ game_sem I (Compose (the (snd(usubstappp \ U \))) (the (snd(usubstappp \ ?V \)))) X)" + by (metis (no_types, lifting) Compose.prems(1) Composeo.elims option.sel snd_pair usubstappp.simps(5)) + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (game_sem I (the (snd(usubstappp \ ?V \))) X))" by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (game_sem I (the (snd(usubstappp \ ?V \))) X) \ (-BVG(the(snd(usubstappp \ U \))))))" using boundeffect by auto + finally have forw: "(\ \ game_sem I (the (snd (usubstappp \ U (Compose \ \)))) X) = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike (game_sem I (the (snd(usubstappp \ ?V \))) X) \ (-BVG(the(snd(usubstappp \ U \))))))" . + + have "(\ \ game_sem (adjoint \ I \) (Compose \ \) X) = (\ \ game_sem (adjoint \ I \) \ ((game_sem (adjoint \ I \) \) X))" by simp + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) ((game_sem (adjoint \ I \) \) X))" using IH\[OF uv] by auto + also have "... = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike ((game_sem (adjoint \ I \) \) X) \ (-BVG(the(snd(usubstappp \ U \))))))" using boundeffect by auto + finally have backw: "(\ \ game_sem (adjoint \ I \) (Compose \ \) X) = (\ \ game_sem I (the (snd(usubstappp \ U \))) (selectlike ((game_sem (adjoint \ I \) \) X) \ (-BVG(the(snd(usubstappp \ U \))))))" . + + have samewin: "selectlike (game_sem I (the (snd(usubstappp \ ?V \))) X) \ (-BVG(the(snd(usubstappp \ U \)))) = selectlike ((game_sem (adjoint \ I \) \) X) \ (-BVG(the(snd(usubstappp \ U \))))" + proof (rule selectlike_equal_cocond_corule) + fix \ + assume muvar: "Uvariation \ \ (BVG(the(snd(usubstappp \ U \))))" + have U\\: "Uvariation \ \ ?V" using muvar uv Uvariation_trans union_comm usubst_taboos Uvariation_mon + (*by (smt Compose.prems(1) Composeo_undef snd_pair usubstappp.simps(5))*) + proof - + have "Uvariation \ \ (BVG (the (snd (usubstappp \ U \))) \ U)" by (meson Uvariation_trans muvar uv) + then show ?thesis using Uvariation_mon union_comm usubst_taboos + by (metis (no_types, lifting) Compose.prems(1) Composeo_undef Pair_inject prod.collapse usubstappp_compose) + (*by (metis (no_types) Uvariation_mon union_comm usubst_taboos)*) + qed + have "(\ \ game_sem I (the(snd(usubstappp \ ?V \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" + using muvar Uvariation_trans uv IH\ boundeffect Uvariation_mon usubst_taboos U\\ by auto + then show "(\ \ game_sem I (the(snd(usubstappp \ ?V \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by simp + qed + from forw and backw show "(\ \ game_sem I (the(snd (usubstappp \ U (Compose \ \)))) X) = (\ \ game_sem (adjoint \ I \) (Compose \ \) X)" using samewin by auto + + next + case (Loop \ U \) + let ?V = "fst(usubstappp \ U \)" + from Loop have selfdef: "snd (usubstappp \ U (Loop \)) \ undefg" by auto + from Loop have IH\rec: "\\ \ X. Uvariation \ \ ?V \ (\ \ game_sem I (the (snd (usubstappp \ ?V \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by fastforce + from Loop have uv: "Uvariation \ \ U" by simp + show "(\ \ game_sem I (the (snd (usubstappp \ U (Loop \)))) X) = (\ \ game_sem (adjoint \ I \) (Loop \) X)" + using usubst_game_loop IH\rec Loop.prems(2) selfdef by blast + (*by (rule usubst_game_loop[OF uv (*IH\*) IH\rec])*) + + next + case (Dual \ U \) + from Dual have IH\: "\X. Uvariation \ \ U \ (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" by force + from Dual have uv: "Uvariation \ \ U" by simp + from Dual have def: "snd (usubstappp \ U (\^d)) \ undefg" by simp + (*show ?case using IH\[OF uv] + by (smt Compl_iff Dual.prems(1) Dualo.elims game_sem.simps(7) option.sel snd_pair usubstappp.simps(7))*) + have "(\ \ -game_sem I (the (snd (usubstappp \ U \))) (-X)) = (\ \ -game_sem (adjoint \ I \) \ (-X))" using IH\[OF uv] by simp + then have "(\ \ game_sem I ((the (snd (usubstappp \ U \)))^d) X) = (\ \ game_sem (adjoint \ I \) (\^d) X)" using game_sem.simps(7) by auto + then show ?case using usubstappp_dual Dualo_undef + proof - + have "\\ V \. snd (usubstappp \ U (\^d)) = Dualo (snd (usubstappp \ U \))" by simp + then have "snd (usubstappp \ U \) \ undefg" using Dualo_undef def by presburger + then show ?thesis + using \(\ \ game_sem I ((the (snd (usubstappp \ U \)))^d) X) = (\ \ game_sem (USubst.adjoint \ I \) (\^d) X)\ by force + qed + + next + case (ODE \ U x \) + then have va: "Uvariation \ \ U" by simp + from ODE have subdef: "usubstappt \ (U\{RVar x,DVar x}) \ \ undeft" by (simp add: ODEo_undef) + from ODE have IH: "term_sem I (the (usubstappt \ (U\{RVar x,DVar x}) \)) \ = term_sem (adjoint \ I \) \ \" using va + by (metis ODEo_undef fst_pair snd_conv usubst_taboos_mon usubst_term usubstappp.simps(8) usubstappt_antimon) + have "(\ \ game_sem I (the (snd (usubstappp \ U (ODE x \)))) X) = (\ \ game_sem I (the (ODEo x (usubstappt \ (U\{RVar x,DVar x}) \))) X)" by simp + also have "... = (\ \ game_sem I (ODE x (the (usubstappt \ (U\{RVar x,DVar x}) \))) X)" using subdef by force + also have "... = (\F T. Vagree \ (F(0)) (-{DVar x}) \ F(T) \ X \ solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)))" by simp + also have "... = (\F T. Uvariation \ (F(0)) {DVar x} \ F(T) \ X \ solves_ODE I F x (the (usubstappt \ (U\{RVar x,DVar x}) \)))" using Uvariation_Vagree by (metis double_compl) + also have "... = (\F T. Uvariation \ (F(0)) {DVar x} \ F(T) \ X \ solves_ODE (adjoint \ I \) F x \)" + using usubst_ode_ext2[OF subdef] va solves_Vagree_trans Uvariation_trans Uvariation_sym_rel Uvariation_mon by (meson subset_insertI) + also have "... = (\F T. Vagree \ (F(0)) (-{DVar x}) \ F(T) \ X \ solves_ODE (adjoint \ I \) F x \)" using Uvariation_Vagree by (metis double_compl) + also have "... = (\ \ game_sem (adjoint \ I \) (ODE x \) X)" using solves_ODE_def by simp + finally show "(\ \ game_sem I (the (snd (usubstappp \ U (ODE x \)))) X) = (\ \ game_sem (adjoint \ I \) (ODE x \) X)" . + qed +qed + +text \Lemma 16 of \<^url>\http://arxiv.org/abs/1902.07230\\ +theorem usubst_fml: "Uvariation \ \ U \ usubstappf \ U \ \ undeff \ + (\ \ fml_sem I (the (usubstappf \ U \))) = (\ \ fml_sem (adjoint \ I \) \)" + using usubst_fml_game by simp + +text \Lemma 17 of \<^url>\http://arxiv.org/abs/1902.07230\\ +theorem usubst_game: "Uvariation \ \ U \ snd (usubstappp \ U \) \ undefg \ + (\ \ game_sem I (the (snd (usubstappp \ U \))) X) = (\ \ game_sem (adjoint \ I \) \ X)" + using usubst_fml_game by simp + + +subsection \Soundness of Uniform Substitution of Formulas\ + +abbreviation usubsta:: "usubst \ fml \ fmlo" + where "usubsta \ \ \ usubstappf \ {} \" + + +text \Theorem 18 of \<^url>\http://arxiv.org/abs/1902.07230\\ +theorem usubst_sound: "usubsta \ \ \ undeff \ valid \ \ valid (the (usubsta \ \))" +proof- + assume def: "usubsta \ \ \ undeff" + assume prem: "valid \" + from prem have premc: "\I \. \ \ fml_sem I \" using valid_def by auto + show "valid (the (usubsta \ \))" unfolding valid_def + proof (clarify) + fix I \ + have "(\ \ fml_sem I (the (usubsta \ \))) = (\ \ fml_sem (adjoint \ I \) \)" using usubst_fml by (simp add: usubst_fml def) + also have "... = True" using premc by simp + finally have "(\ \ fml_sem I (the (usubsta \ \))) = True" . + from this show "\ \ fml_sem I (the (usubstappf \ {} \))" by simp + qed +qed + +subsection \Soundness of Uniform Substitution of Rules\ + +text \Uniform Substitution applied to a rule or inference\ +definition usubstr:: "usubst \ inference \ inference option" + where "usubstr \ R \ if (usubstappf \ allvars (snd R) \ undeff \ (\\\set (fst R). usubstappf \ allvars \ \ undeff)) then + Some(map(the o (usubstappf \ allvars))(fst R), the (usubstappf \ allvars (snd R))) + else + None" + +text \Simple observations about applying uniform substitutions to a rule\ + +lemma usubstr_conv: "usubstr \ R \ None \ + usubstappf \ allvars (snd R) \ undeff \ + (\\\set (fst R). usubstappf \ allvars \ \ undeff)" + by (metis usubstr_def) + +lemma usubstr_union_undef: "(usubstr \ ((append A B), C) \ None) = (usubstr \ (A, C) \ None \ usubstr \ (B, C) \ None)" + using usubstr_def by auto +lemma usubstr_union_undef2: "(usubstr \ ((append A B), C) \ None) \ (usubstr \ (A, C) \ None \ usubstr \ (B, C) \ None)" + using usubstr_union_undef by blast + +lemma usubstr_cons_undef: "(usubstr \ ((Cons A B), C) \ None) = (usubstr \ ([A], C) \ None \ usubstr \ (B, C) \ None)" + using usubstr_def by auto +lemma usubstr_cons_undef2: "(usubstr \ ((Cons A B), C) \ None) \ (usubstr \ ([A], C) \ None \ usubstr \ (B, C) \ None)" + using usubstr_cons_undef by blast + +lemma usubstr_cons: "(usubstr \ ((Cons A B), C) \ None) \ + the (usubstr \ ((Cons A B), C)) = (Cons (the (usubstappf \ allvars A)) (fst (the (usubstr \ (B, C)))), snd (the (usubstr \ ([A], C))))" + using usubstr_union_undef map_cons usubstr_def +proof- + assume def: "(usubstr \ ((Cons A B), C) \ None)" + let ?R = "((Cons A B), C)" + have "the (usubstr \ ?R) = (map(the o (usubstappf \ allvars))(fst ?R) , the (usubstappf \ allvars (snd ?R)))" using def usubstr_def by (metis option.sel) + also have "... = (Cons (the (usubstappf \ allvars A)) (map(the o (usubstappf \ allvars))(B)) , the (usubstappf \ allvars (snd ?R)))" using map_cons by auto + also have "... = (Cons (the (usubstappf \ allvars A)) (fst (the (usubstr \ (B, C)))) , the (usubstappf \ allvars (snd ?R)))" using usubstr_cons_undef2[OF def] usubstr_def by (metis (no_types, lifting) fst_conv option.sel) + also have "... = (Cons (the (usubstappf \ allvars A)) (fst (the (usubstr \ (B, C)))) , snd (the (usubstr \ ([A], C))))" using def usubstr_def by auto + ultimately show "the (usubstr \ ((Cons A B), C)) = (Cons (the (usubstappf \ allvars A)) (fst (the (usubstr \ (B, C)))) , snd (the (usubstr \ ([A], C))))" by simp +qed + +lemma usubstr_union: "(usubstr \ ((append A B), C) \ None) \ + the (usubstr \ ((append A B), C)) = (append (fst (the (usubstr \ (A, C)))) (fst (the (usubstr \ (B, C)))), snd (the (usubstr \ (A, C))))" + using usubstr_union_undef2 + (*by (smt fst_pair map_append option.sel snd_pair usubstr_def)*) +proof- + assume def: "(usubstr \ ((append A B), C) \ None)" + let ?R = "((append A B), C)" + have "the (usubstr \ ?R) = (map(the o (usubstappf \ allvars))(fst ?R) , the (usubstappf \ allvars (snd ?R)))" using def usubstr_def by (metis option.sel) + also have "... = (map(the o (usubstappf \ allvars))(fst ?R) , snd (the (usubstr \ (A, C))))" using usubstr_union_undef2[OF def] usubstr_def by (metis option.sel sndI) + also have "... = (append (map(the o (usubstappf \ allvars))(A)) (map(the o (usubstappf \ allvars))(B)) , snd (the (usubstr \ (A, C))))" using usubstr_union_undef2[OF def] map_append by simp + also have "... = (append (fst (the (usubstr \ (A, C)))) (fst (the (usubstr \ (B, C)))), snd (the (usubstr \ (A, C))))" using usubstr_union_undef2[OF def] usubstr_def by (metis (no_types, lifting) fst_conv option.sel) + ultimately show "the (usubstr \ ((append A B), C)) = (append (fst (the (usubstr \ (A, C)))) (fst (the (usubstr \ (B, C)))), snd (the (usubstr \ (A, C))))" by simp +qed + +lemma usubstr_length: "usubstr \ R \ None \ length (fst (the (usubstr \ R))) = length (fst R)" + by (metis fst_pair length_map option.sel usubstr_def) + +lemma usubstr_nth: "usubstr \ R \ None \ 0\k \ k + nth (fst (the (usubstr \ R))) k = the (usubstappf \ allvars (nth (fst R) k))" + (*unfolding usubstr_def using usubstr_length + by (smt comp_apply fst_pair nth_map option.sel)*) +proof- + assume a1: "usubstr \ R \ None" + assume a2: "0\k" + assume a3: "k R))) k = the (usubstappf \ allvars (nth (fst R) k))" + using a1 a2 a3 proof (induction R arbitrary: k) + case (Pair A C) + then show ?case + proof (induction A arbitrary: k) + case Nil + then show ?case by simp + next + case (Cons D E) + then have IH: "\k. usubstr \ (E, C) \ None \ 0 \ k \ k < length E \ nth (fst (the (usubstr \ (E, C)))) k = the (usubstappf \ allvars (nth E k))" by simp + then show ?case + proof (cases k) + case 0 + then show ?thesis using Cons usubstr_cons by simp + next + case (Suc n) + then have smaller: "nn" by simp + have def: "usubstr \ (E, C) \ None" using usubstr_cons_undef2[OF Cons.prems(1)] by blast + have "nth (fst (the (usubstr \ (E, C)))) n = the (usubstappf \ allvars (nth (fst (E,C)) n))" using IH[OF def, OF nati, OF smaller] by simp + then show ?thesis using Cons usubstr_cons by (simp add: Suc) + qed + qed + qed +qed + +text \Theorem 19 of \<^url>\http://arxiv.org/abs/1902.07230\\ + +theorem usubst_rule_sound: "usubstr \ R \ None \ locally_sound R \ locally_sound (the (usubstr \ R))" +proof- + assume def: "usubstr \ R \ None" + assume prem: "locally_sound R" + let ?\D = "usubstr \ R" + fix \ + from usubst_fml have substeq: "\I \ \. usubstappf \ allvars \ \ undeff \ (\ \ fml_sem I (the (usubstappf \ allvars \))) = (\ \ fml_sem (adjoint \ I \) \)" using Uvariation_univ by blast + then have substval: "\I. usubstappf \ allvars \ \ undeff \ valid_in I (the (usubstappf \ allvars \)) = valid_in (adjoint \ I \) \" unfolding valid_in_def by auto + show "locally_sound (the (usubstr \ R))" unfolding locally_sound_def + proof (clarify) + fix I + assume "\k\0. k < length (fst (the (usubstr \ R))) \ valid_in I (nth (fst (the (usubstr \ R))) k)" + then have "\k\0. k < length (fst R) \ valid_in (adjoint \ I \) (nth (fst R) k)" using substval usubstr_nth usubstr_length substeq valid_in_def by (metis def nth_mem usubstr_def) + then have "valid_in (adjoint \ I \) (snd R)" using prem unfolding locally_sound_def by simp + from this show "valid_in I (snd (the (usubstr \ R)))" using usubst_fml substeq usubstr_def valid_in_def by (metis def option.sel snd_conv) + qed +qed + +end diff --git a/thys/Differential_Game_Logic/document/root.bib b/thys/Differential_Game_Logic/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/document/root.bib @@ -0,0 +1,91 @@ +@ARTICLE{DBLP:journals/tocl/Platzer15, + author = {Andr{\'{e}} Platzer}, + title = {Differential Game Logic}, + journal = {{ACM} Trans. Comput. Log.}, + volume = {17}, + number = {1}, + year = {2015}, + pages = {1:1--1:51}, + doi = {10.1145/2817824}, + issn = {1529-3785}, + isijournal = {{ACM} T. Comput. Log.}, + ownjournal = {{ACM} Trans. Comput. Logic}, + optnote = {Preprint at arXiv 1408.1980} +} + +@ARTICLE{DBLP:journals/corr/Platzer18:usubst, + author = {Andr{\'{e}} Platzer}, + title = {Uniform Substitution + for Differential Game Logic}, + journal = {CoRR}, + volume = {abs/1804.05880}, + year = {2018}, + eprint = {1804.05880} +} + +@INPROCEEDINGS{DBLP:conf/cade/Platzer18, + author = {Andr{\'{e}} Platzer}, + title = {Uniform Substitution for Differential Game Logic}, + booktitle = {IJCAR}, + longbooktitle = {Automated Reasoning, 9th International Joint Conference, + IJCAR 2018, Oxford, UK, Proceedings}, + year = {2018}, + pages = {211-227}, + doi = {10.1007/978-3-319-94205-6_15}, + crossref = {DBLP:conf/cade/2018}, +} + +@PROCEEDINGS{DBLP:conf/cade/2018, + editor = {Didier Galmiche and + Stephan Schulz and + Roberto Sebastiani}, + title = {Automated Reasoning, 9th International Joint Conference, + IJCAR 2018, Oxford, UK, Proceedings}, + booktitle = {IJCAR}, + publisher = {Springer}, + series = {LNCS}, + volume = {10900}, + year = {2018}, + subseries = {LNAI}, + doi = {10.1007/978-3-319-94205-6}, + address = {}, +} + +@ARTICLE{DBLP:journals/corr/abs-1902-07230, + author = {Andr{\'{e}} Platzer}, + title = {Uniform Substitution At One Fell Swoop}, + journal = {CoRR}, + volume = {abs/1902.07230}, + year = {2019}, + url = {http://arxiv.org/abs/1902.07230}, + archivePrefix = {arXiv}, + eprint = {1902.07230}, + timestamp = {Sat, 02 Mar 2019 16:35:41 +0100}, +} + +@INPROCEEDINGS{DBLP:conf/cade/Platzer19, + author = {Andr{\'{e}} Platzer}, + title = {Uniform Substitution At One Fell Swoop}, + booktitle = {CADE}, + longbooktitle = {International Conference on Automated Deduction, CADE'19, Natal, Brazil, Proceedings}, + year = {2019}, + pages = {}, + crossref = {DBLP:conf/cade/2019}, + doi = {}, +} + +@PROCEEDINGS{DBLP:conf/cade/2019, + editor = {Pascal Fontaine}, + longtitle = {Automated Deduction - CADE-27, 27nd International Conference + on Automated Deduction, Natal, Brazil, August 23-30, 2019. + Proceedings}, + title = {International Conference on Automated Deduction, CADE'19, Natal, Brazil, Proceedings}, + booktitle = {CADE}, + publisher = {Springer}, + series = {LNCS}, + volume = {}, + year = {2019}, + address = {}, + isbn = {}, + doi = {}, +} diff --git a/thys/Differential_Game_Logic/document/root.tex b/thys/Differential_Game_Logic/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/Differential_Game_Logic/document/root.tex @@ -0,0 +1,73 @@ +\documentclass[11pt,a4paper]{article} +\usepackage{isabelle,isabellesym} + +% further packages required for unusual symbols (see also +% isabellesym.sty), use only when needed + +\usepackage{amssymb} + %for \, \, \, \, \, \, + %\, \, \, \, \, + %\, \, \ + +%\usepackage{eurosym} + %for \ + +%\usepackage[only,bigsqcap]{stmaryrd} + %for \ + +%\usepackage{eufrak} + %for \ ... \, \ ... \ (also included in amssymb) + +%\usepackage{textcomp} + %for \, \, \, \, \, + %\ + +% this should be the last package used +\usepackage{pdfsetup} + +% urls in roman style, theory text in math-similar italics +\urlstyle{rm} +\isabellestyle{it} + +% for uniform font size +%\renewcommand{\isastyle}{\isastyleminor} + +\begin{document} + +\title{Differential-Game-Logic} +\author{Andr\'e Platzer} +\maketitle + +\begin{abstract} +This formalization provides differential game logic (\textsf{dGL}), a logic for proving properties of hybrid game. In addition to the syntax and semantics, it formalizes a uniform substitution calculus for \textsf{dGL}. Church's uniform substitutions substitute a term or formula for a function or predicate symbol everywhere. The uniform substitutions for \textsf{dGL} also substitute hybrid games for a game symbol everywhere. We prove soundness of one-pass uniform substitutions and the axioms of differential game logic with respect to their denotational semantics. One-pass uniform substitutions are faster by postponing soundness-critical admissibility checks with a linear pass homomorphic application and regain soundness by a variable condition at the replacements. + +The formalization is based on prior non-mechanized soundness proofs for \textsf{dGL} \cite{DBLP:journals/tocl/Platzer15,DBLP:conf/cade/Platzer18,DBLP:conf/cade/Platzer19,DBLP:journals/tocl/Platzer15,DBLP:journals/corr/Platzer18:usubst}. This AFP entry formalizes the mathematical proofs \cite{DBLP:conf/cade/Platzer19,DBLP:journals/corr/abs-1902-07230} till Theorem 19. +\end{abstract} + +\tableofcontents +\newpage + +% sane default for proof documents +\parindent 0pt\parskip 0.5ex + +This formalization provides \emph{Differential Game Logic} \textsf{dGL} \cite{DBLP:journals/corr/abs-1902-07230,DBLP:conf/cade/Platzer19} till Theorem 19, +including the corresponding results from \cite{DBLP:conf/cade/Platzer18} till Lemma 13. +Differential Game Logic originates from \cite{DBLP:journals/tocl/Platzer15}.\\[1em] + + +% generated text of all theories +\input{session} + +\paragraph{Acknowledgment.} +I very much appreciate all the kind advice of the entire Isabelle Group at TU Munich and Fabian Immler and Brandon Bohrer for how to best formalize the mathematical proofs in Isabelle/HOL. + +% optional bibliography +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/thys/MFOTL_Monitor/Abstract_Monitor.thy b/thys/MFOTL_Monitor/Abstract_Monitor.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Abstract_Monitor.thy @@ -0,0 +1,176 @@ +(*<*) +theory Abstract_Monitor + imports MFOTL +begin +(*>*) + +section \Abstract Specification of a Monitor\ + +locale monitorable = + fixes monitorable :: "'a MFOTL.formula \ bool" + +text \The following locale specifies the desired behavior ouf a monitor abstractly.\ + +locale monitor = monitorable + + fixes + M :: "'a MFOTL.formula \ 'a MFOTL.prefix \ (nat \ 'a option list) set" + assumes + mono_monitor: "monitorable \ \ \ \ \' \ M \ \ \ M \ \'" + and sound_monitor: "monitorable \ \ (i, v) \ M \ \ \ + i < plen \ \ wf_tuple (MFOTL.nfv \) (MFOTL.fv \) v \ (\\. prefix_of \ \ \ MFOTL.sat \ (map the v) i \)" + and complete_monitor: "monitorable \ \ prefix_of \ \ \ + i < plen \ \ wf_tuple (MFOTL.nfv \) (MFOTL.fv \) v \ + (\\. prefix_of \ \ \ MFOTL.sat \ (map the v) i \) \ \\'. prefix_of \' \ \ (i, v) \ M \ \'" + +locale slicable_monitor = monitor + + assumes monitor_slice: "mem_restr S v \ (i, v) \ M \ (MFOTL.pslice \ S \) \ (i, v) \ M \ \" + +locale monitor_pre_progress = monitorable + + fixes progress :: "'a MFOTL.trace \ 'a MFOTL.formula \ nat \ nat" + assumes + progress_mono: "j \ j' \ progress \ \ j \ progress \ \ j'" + and progress_le: "progress \ \ j \ j" + and progress_ge: "monitorable \ \ \j. i \ progress \ \ j" + +locale monitor_progress = monitor_pre_progress + + assumes progress_prefix_conv: "prefix_of \ \ \ prefix_of \ \' \ + progress \ \ (plen \) = progress \' \ (plen \)" +begin + +definition verdicts :: "'a MFOTL.formula \ 'a MFOTL.prefix \ (nat \ 'a tuple) set" where + "verdicts \ \ = {(i, v). wf_tuple (MFOTL.nfv \) (MFOTL.fv \) v \ + (\\. prefix_of \ \ \ i < progress \ \ (plen \) \ MFOTL.sat \ (map the v) i \)}" + +lemma verdicts_mono: "\ \ \' \ verdicts \ \ \ verdicts \ \'" + unfolding verdicts_def + by (auto dest: prefix_of_antimono elim!: order.strict_trans2 intro!: progress_mono plen_mono) + +end + +lemma stake_eq_mono: "stake b x = stake b y \ a \ b \ stake a x = stake a y" +proof (induction a arbitrary: b x y) + case 0 + then show ?case by simp +next + case Suca: (Suc a) + show ?case proof (cases b) + case 0 + with Suca show ?thesis by (simp del: stake.simps) + next + case (Suc b') + with Suca show ?thesis by (auto simp only: stake.simps list.inject) + qed +qed + +sublocale monitor_progress \ monitor monitorable verdicts +proof (standard, goal_cases) + case (1 \ \ \') + from 1(2) show ?case by (rule verdicts_mono) +next + case (2 \ i v \) + from \(i, v) \ verdicts \ \\ show ?case + unfolding verdicts_def + using ex_prefix_of[of \] + by (auto elim!: order.strict_trans2 intro!: progress_le) +next + case complete: (3 \ \ \ i v) + from \monitorable \\ obtain j where eval: "i < progress \ \ j" + unfolding less_eq_Suc_le + using progress_ge by blast + define j' where "j' = max (plen \) j" + then have "plen \ \ j'" by simp + from eval have eval': "i < progress \ \ j'" + unfolding j'_def + by (auto elim: order.strict_trans2 intro!: progress_mono) + from complete(2) \plen \ \ j'\ have "\ \ take_prefix j' \" + proof (transfer fixing: j', goal_cases prefix) + case (prefix \ \) + then have "stake j' \ = stake (length \) \ @ stake (j' - length \) (sdrop (length \) \)" + by (unfold stake_add) auto + with \stake (length \) \ = \\ show ?case + by auto + qed + with complete(4) eval' show ?case using progress_prefix_conv[of "take_prefix j' \" \ \' \ for \'] + unfolding verdicts_def + by (auto intro!: exI[where x="take_prefix j' \"] complete(5)[rule_format] elim: prefix_of_antimono) +qed + +locale monitor_timed_progress = monitor_pre_progress + + assumes progress_time_conv: "\i \ i = \ \' i \ progress \ \ j = progress \' \ j" + and progress_sat_cong: "prefix_of \ \ \ prefix_of \ \' \ i < progress \ \ (plen \) \ + MFOTL.sat \ v i \ \ MFOTL.sat \' v i \" +begin + +lemma progress_map_conv: "progress (map_\ f \) \ j = progress (map_\ g \) \ j" + by (auto intro: progress_time_conv) + +lemma progress_slice_conv: "progress (MFOTL.slice \' R \) \ j = progress (MFOTL.slice \' R' \) \ j" + unfolding MFOTL.slice_def using progress_map_conv . + +lemma progress_slice: "progress (MFOTL.slice \ R \) \ j = progress \ \ j" + using progress_map_conv[where g=id] by (simp add: MFOTL.slice_def) + +end + +sublocale monitor_timed_progress \ monitor_progress + by (unfold_locales, auto intro: progress_time_conv \_prefix_conv) + +lemma (in monitor_timed_progress) verdicts_alt: + "verdicts \ \ = {(i, v). wf_tuple (MFOTL.nfv \) (MFOTL.fv \) v \ + (\\. prefix_of \ \ \ i < progress \ \ (plen \) \ MFOTL.sat \ (map the v) i \)}" + unfolding verdicts_def + using ex_prefix_of[of \] + by (auto dest: progress_prefix_conv[of \ _ _ \] elim!: progress_sat_cong[THEN iffD1, rotated -1]) + +sublocale monitor_timed_progress \ slicable_monitor monitorable verdicts +proof + fix S :: "'a list set" and v i \ \ + assume *: "mem_restr S v" + show "((i, v) \ verdicts \ (MFOTL.pslice \ S \)) = ((i, v) \ verdicts \ \)" (is "?L = ?R") + proof + assume ?L + with * show ?R unfolding verdicts_def + by (auto simp: progress_slice fvi_less_nfv wf_tuple_def elim!: mem_restrE + box_equals[OF sat_slice_iff sat_fvi_cong sat_fvi_cong, symmetric, THEN iffD1, rotated -1] + dest: spec[of _ "MFOTL.slice \ S _"] prefix_of_pslice_slice) + next + assume ?R + with * show ?L unfolding verdicts_alt + by (auto simp: progress_slice fvi_less_nfv wf_tuple_def elim!: mem_restrE + box_equals[OF sat_slice_iff sat_fvi_cong sat_fvi_cong, symmetric, THEN iffD2, rotated -1] + intro: exI[of _ "MFOTL.slice \ S _"] prefix_of_pslice_slice) + qed +qed + +text \Past-only Formulas.\ + +fun past_only :: "'a MFOTL.formula \ bool" where + "past_only (MFOTL.Pred _ _) = True" +| "past_only (MFOTL.Eq _ _) = True" +| "past_only (MFOTL.Neg \) = past_only \" +| "past_only (MFOTL.Or \ \) = (past_only \ \ past_only \)" +| "past_only (MFOTL.Exists \) = past_only \" +| "past_only (MFOTL.Prev _ \) = past_only \" +| "past_only (MFOTL.Next _ _) = False" +| "past_only (MFOTL.Since \ _ \) = (past_only \ \ past_only \)" +| "past_only (MFOTL.Until \ _ \) = False" + +interpretation past_only_monitor: monitor_timed_progress past_only "\\ \ j. if past_only \ then j else 0" +proof (unfold_locales, goal_cases) + case (5 \ \ \' i \ v) + then have "past_only \" and "i < plen \" by (simp_all split: if_splits) + then show ?case proof (induction \ arbitrary: v i) + case (Pred e ts) + with \_prefix_conv[OF 5(1,2)] show ?case by simp + next + case (Prev I \) + with \_prefix_conv[OF 5(1,2)] show ?case by (simp split: nat.split) + next + case (Since \1 I \2) + with Since \_prefix_conv[OF 5(1,2)] show ?case by auto + qed simp_all +qed auto + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/Examples.thy b/thys/MFOTL_Monitor/Examples.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Examples.thy @@ -0,0 +1,71 @@ +(*<*) +theory Examples + imports Monitor_Code +begin +(*>*) + +section \Examples\ + +abbreviation "TT \ MFOTL.Eq (MFOTL.Const ''_'') (MFOTL.Const ''_'')" +abbreviation "Eventually I \ \ MFOTL.Until TT I \" + +definition "\\<^sub>e\<^sub>x = MFOTL.And_Not (MFOTL.Pred ''A'' [MFOTL.Var 0]) + (Eventually (interval 1 2) (MFOTL.Exists (MFOTL.Pred ''B'' [MFOTL.Var 1, MFOTL.Var 0])))" + +lemma "mmonitorable \\<^sub>e\<^sub>x" by eval + +text \Offline monitoring:\ + +lift_definition \\<^sub>e\<^sub>x :: "string MFOTL.prefix" is + "[ ({(''A'', [''d'']), (''A'', [''e''])}, 1) + , ({(''B'', [''d'', ''f''])}, 2) + , ({(''B'', [''e'', ''f''])}, 5) + ]" + by simp + +lemma "monitor \\<^sub>e\<^sub>x \\<^sub>e\<^sub>x = {(0, [Some ''e''])}" by eval + +text \Online monitoring:\ + +definition "m1 = mstep ({(''A'', [''d'']), (''A'', [''e''])}, 1) (minit \\<^sub>e\<^sub>x)" +definition "m2 = mstep ({(''B'', [''d'', ''f''])}, 2) (snd m1)" +definition "m3 = mstep ({(''B'', [''e'', ''f''])}, 5) (snd m2)" + +lemma "fst m1 = {}" by eval +lemma "fst m2 = {}" by eval +lemma "fst m3 = {(0, [Some ''e''])}" by eval + + +text \Operation of the monitor:\ + +lemma "minit \\<^sub>e\<^sub>x = \ + mstate_i = 0, + mstate_m = + MAnd (MPred ''A'' [MFOTL.Var 0]) False + (MUntil True (MRel {[None]}) (interval 1 2) (MExists (MPred ''B'' [MFOTL.Var 1, MFOTL.Var 0])) + ([], []) [] []) + ([], []), + mstate_n = 1\" + by eval + +lemma "mstate_m (snd m1) = MAnd (MPred ''A'' [MFOTL.Var 0]) False + (MUntil True (MRel {[None]}) (interval 1 2) (MExists (MPred ''B'' [MFOTL.Var 1, MFOTL.Var 0])) + ([], []) [] [(1, {[None]}, {})]) + ([{[Some ''d''], [Some ''e'']}], [])" + by eval + +lemma "mstate_m (snd m2) = MAnd (MPred ''A'' [MFOTL.Var 0]) False + (MUntil True (MRel {[None]}) (interval 1 2) (MExists (MPred ''B'' [MFOTL.Var 1, MFOTL.Var 0])) + ([], []) [] [(1, {[None]}, {[Some ''d'']}), (2, {[None]}, {})]) + ([{[Some ''d''], [Some ''e'']}, {}], [])" + by eval + +lemma "mstate_m (snd m3) = MAnd (MPred ''A'' [MFOTL.Var 0]) False + (MUntil True (MRel {[None]}) (interval 1 2) (MExists (MPred ''B'' [MFOTL.Var 1, MFOTL.Var 0])) + ([], []) [] [(5, {[None]}, {})]) + ([{}], [])" + by eval + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/Interval.thy b/thys/MFOTL_Monitor/Interval.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Interval.thy @@ -0,0 +1,79 @@ +(*<*) +theory Interval + imports "HOL-Library.Extended_Nat" "HOL-Library.Product_Lexorder" +begin +(*>*) + +section \Intervals\ + +typedef \ = "{(i :: nat, j :: enat). i \ j}" + by (intro exI[of _ "(0, \)"]) auto + +setup_lifting type_definition_\ + +instantiation \ :: equal begin +lift_definition equal_\ :: "\ \ \ \ bool" is "(=)" . +instance by standard (transfer, auto) +end + +instantiation \ :: linorder begin +lift_definition less_eq_\ :: "\ \ \ \ bool" is "(\)" . +lift_definition less_\ :: "\ \ \ \ bool" is "(<)" . +instance by standard (transfer, auto)+ +end + + +lift_definition all :: \ is "(0, \)" by simp +lift_definition left :: "\ \ nat" is fst . +lift_definition right :: "\ \ enat" is snd . +lift_definition point :: "nat \ \" is "\n. (n, enat n)" by simp +lift_definition init :: "nat \ \" is "\n. (0, enat n)" by auto +abbreviation mem where "mem n I \ (left I \ n \ n \ right I)" +lift_definition subtract :: "nat \ \ \ \" is + "\n (i, j). (i - n, j - enat n)" by (auto simp: diff_enat_def split: enat.splits) +lift_definition add :: "nat \ \ \ \" is + "\n (a, b). (a, b + enat n)" by (auto simp add: add_increasing2) + +lemma left_right: "left I \ right I" + by transfer auto + +lemma point_simps[simp]: + "left (point n) = n" + "right (point n) = n" + by (transfer; auto)+ + +lemma init_simps[simp]: + "left (init n) = 0" + "right (init n) = n" + by (transfer; auto)+ + +lemma subtract_simps[simp]: + "left (subtract n I) = left I - n" + "right (subtract n I) = right I - n" + "subtract 0 I = I" + "subtract x (point y) = point (y - x)" + by (transfer; auto)+ + +definition shifted :: "\ \ \ set" where + "shifted I = (\n. subtract n I) ` {0 .. (case right I of \ \ left I | enat n \ n)}" + +lemma subtract_too_much: "i > (case right I of \ \ left I | enat n \ n) \ + subtract i I = subtract (case right I of \ \ left I | enat n \ n) I" + by transfer (auto split: enat.splits) + +lemma subtract_shifted: "subtract n I \ shifted I" + by (cases "n \ (case right I of \ \ left I | enat n \ n)") + (auto simp: shifted_def subtract_too_much) + +lemma finite_shifted: "finite (shifted I)" + unfolding shifted_def by auto + +definition interval :: "nat \ enat \ \" where + "interval l r = (if l \ r then Abs_\ (l, r) else undefined)" + +lemma [code abstract]: "Rep_\ (interval l r) = (if l \ r then (l, r) else Rep_\ undefined)" + unfolding interval_def using Abs_\_inverse by simp + +(*<*) +end +(*>*) \ No newline at end of file diff --git a/thys/MFOTL_Monitor/MFOTL.thy b/thys/MFOTL_Monitor/MFOTL.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/MFOTL.thy @@ -0,0 +1,429 @@ +(*<*) +theory MFOTL + imports Interval Trace Table +begin +(*>*) + +section \Metric First-order Temporal Logic\ + +context begin + +subsection \Formulas and Satisfiability\ + +qualified type_synonym name = string +qualified type_synonym 'a event = "(name \ 'a list)" +qualified type_synonym 'a database = "'a event set" +qualified type_synonym 'a prefix = "(name \ 'a list) prefix" +qualified type_synonym 'a trace = "(name \ 'a list) trace" + +qualified type_synonym 'a env = "'a list" + +qualified datatype 'a trm = Var nat | is_Const: Const 'a + +qualified primrec fvi_trm :: "nat \ 'a trm \ nat set" where + "fvi_trm b (Var x) = (if b \ x then {x - b} else {})" +| "fvi_trm b (Const _) = {}" + +abbreviation "fv_trm \ fvi_trm 0" + +qualified primrec eval_trm :: "'a env \ 'a trm \ 'a" where + "eval_trm v (Var x) = v ! x" +| "eval_trm v (Const x) = x" + +lemma eval_trm_cong: "\x\fv_trm t. v ! x = v' ! x \ eval_trm v t = eval_trm v' t" + by (cases t) simp_all + +qualified datatype (discs_sels) 'a formula = Pred name "'a trm list" | Eq "'a trm" "'a trm" + | Neg "'a formula" | Or "'a formula" "'a formula" | Exists "'a formula" + | Prev \ "'a formula" | Next \ "'a formula" + | Since "'a formula" \ "'a formula" | Until "'a formula" \ "'a formula" + +qualified primrec fvi :: "nat \ 'a formula \ nat set" where + "fvi b (Pred r ts) = (\t\set ts. fvi_trm b t)" +| "fvi b (Eq t1 t2) = fvi_trm b t1 \ fvi_trm b t2" +| "fvi b (Neg \) = fvi b \" +| "fvi b (Or \ \) = fvi b \ \ fvi b \" +| "fvi b (Exists \) = fvi (Suc b) \" +| "fvi b (Prev I \) = fvi b \" +| "fvi b (Next I \) = fvi b \" +| "fvi b (Since \ I \) = fvi b \ \ fvi b \" +| "fvi b (Until \ I \) = fvi b \ \ fvi b \" + +abbreviation "fv \ fvi 0" + +lemma finite_fvi_trm[simp]: "finite (fvi_trm b t)" + by (cases t) simp_all + +lemma finite_fvi[simp]: "finite (fvi b \)" + by (induction \ arbitrary: b) simp_all + +lemma fvi_trm_Suc: "x \ fvi_trm (Suc b) t \ Suc x \ fvi_trm b t" + by (cases t) auto + +lemma fvi_Suc: "x \ fvi (Suc b) \ \ Suc x \ fvi b \" + by (induction \ arbitrary: b) (simp_all add: fvi_trm_Suc) + +lemma fvi_Suc_bound: + assumes "\i\fvi (Suc b) \. i < n" + shows "\i\fvi b \. i < Suc n" +proof + fix i + assume "i \ fvi b \" + with assms show "i < Suc n" by (cases i) (simp_all add: fvi_Suc) +qed + +qualified definition nfv :: "'a formula \ nat" where + "nfv \ = Max (insert 0 (Suc ` fv \))" + +qualified definition envs :: "'a formula \ 'a env set" where + "envs \ = {v. length v = nfv \}" + +lemma nfv_simps[simp]: + "nfv (Neg \) = nfv \" + "nfv (Or \ \) = max (nfv \) (nfv \)" + "nfv (Prev I \) = nfv \" + "nfv (Next I \) = nfv \" + "nfv (Since \ I \) = max (nfv \) (nfv \)" + "nfv (Until \ I \) = max (nfv \) (nfv \)" + unfolding nfv_def by (simp_all add: image_Un Max_Un[symmetric]) + +lemma fvi_less_nfv: "\i\fv \. i < nfv \" + unfolding nfv_def + by (auto simp add: Max_gr_iff intro: max.strict_coboundedI2) + + +qualified primrec future_reach :: "'a formula \ enat" where + "future_reach (Pred _ _) = 0" +| "future_reach (Eq _ _) = 0" +| "future_reach (Neg \) = future_reach \" +| "future_reach (Or \ \) = max (future_reach \) (future_reach \)" +| "future_reach (Exists \) = future_reach \" +| "future_reach (Prev I \) = future_reach \ - left I" +| "future_reach (Next I \) = future_reach \ + right I + 1" +| "future_reach (Since \ I \) = max (future_reach \) (future_reach \ - left I)" +| "future_reach (Until \ I \) = max (future_reach \) (future_reach \) + right I + 1" + + +qualified primrec sat :: "'a trace \ 'a env \ nat \ 'a formula \ bool" where + "sat \ v i (Pred r ts) = ((r, map (eval_trm v) ts) \ \ \ i)" +| "sat \ v i (Eq t1 t2) = (eval_trm v t1 = eval_trm v t2)" +| "sat \ v i (Neg \) = (\ sat \ v i \)" +| "sat \ v i (Or \ \) = (sat \ v i \ \ sat \ v i \)" +| "sat \ v i (Exists \) = (\z. sat \ (z # v) i \)" +| "sat \ v i (Prev I \) = (case i of 0 \ False | Suc j \ mem (\ \ i - \ \ j) I \ sat \ v j \)" +| "sat \ v i (Next I \) = (mem (\ \ (Suc i) - \ \ i) I \ sat \ v (Suc i) \)" +| "sat \ v i (Since \ I \) = (\j\i. mem (\ \ i - \ \ j) I \ sat \ v j \ \ (\k \ {j <.. i}. sat \ v k \))" +| "sat \ v i (Until \ I \) = (\j\i. mem (\ \ j - \ \ i) I \ sat \ v j \ \ (\k \ {i ..< j}. sat \ v k \))" + +lemma sat_Until_rec: "sat \ v i (Until \ I \) \ + mem 0 I \ sat \ v i \ \ + (\ \ (i + 1) \ right I \ sat \ v i \ \ sat \ v (i + 1) (Until \ (subtract (\ \ (i + 1)) I) \))" + (is "?L \ ?R") +proof (rule iffI; (elim disjE conjE)?) + assume ?L + then obtain j where j: "i \ j" "mem (\ \ j - \ \ i) I" "sat \ v j \" "\k \ {i ..< j}. sat \ v k \" + by auto + then show ?R + proof (cases "i = j") + case False + with j(1,2) have "\ \ (i + 1) \ right I" + by (auto elim: order_trans[rotated] simp: diff_le_mono) + moreover from False j(1,4) have "sat \ v i \" by auto + moreover from False j have "sat \ v (i + 1) (Until \ (subtract (\ \ (i + 1)) I) \)" + by (cases "right I") (auto simp: le_diff_conv le_diff_conv2 intro!: exI[of _ j]) + ultimately show ?thesis by blast + qed simp +next + assume \: "\ \ (i + 1) \ right I" and now: "sat \ v i \" and + "next": "sat \ v (i + 1) (Until \ (subtract (\ \ (i + 1)) I) \)" + from "next" obtain j where j: "i + 1 \ j" "mem (\ \ j - \ \ (i + 1)) ((subtract (\ \ (i + 1)) I))" + "sat \ v j \" "\k \ {i + 1 ..< j}. sat \ v k \" + by auto + from \ j(1,2) have "mem (\ \ j - \ \ i) I" + by (cases "right I") (auto simp: le_diff_conv2) + with now j(1,3,4) show ?L by (auto simp: le_eq_less_or_eq[of i] intro!: exI[of _ j]) +qed auto + +lemma sat_Since_rec: "sat \ v i (Since \ I \) \ + mem 0 I \ sat \ v i \ \ + (i > 0 \ \ \ i \ right I \ sat \ v i \ \ sat \ v (i - 1) (Since \ (subtract (\ \ i) I) \))" + (is "?L \ ?R") +proof (rule iffI; (elim disjE conjE)?) + assume ?L + then obtain j where j: "j \ i" "mem (\ \ i - \ \ j) I" "sat \ v j \" "\k \ {j <.. i}. sat \ v k \" + by auto + then show ?R + proof (cases "i = j") + case False + with j(1) obtain k where [simp]: "i = k + 1" + by (cases i) auto + with j(1,2) False have "\ \ i \ right I" + by (auto elim: order_trans[rotated] simp: diff_le_mono2 le_Suc_eq) + moreover from False j(1,4) have "sat \ v i \" by auto + moreover from False j have "sat \ v (i - 1) (Since \ (subtract (\ \ i) I) \)" + by (cases "right I") (auto simp: le_diff_conv le_diff_conv2 intro!: exI[of _ j]) + ultimately show ?thesis by auto + qed simp +next + assume i: "0 < i" and \: "\ \ i \ right I" and now: "sat \ v i \" and + "prev": "sat \ v (i - 1) (Since \ (subtract (\ \ i) I) \)" + from "prev" obtain j where j: "j \ i - 1" "mem (\ \ (i - 1) - \ \ j) ((subtract (\ \ i) I))" + "sat \ v j \" "\k \ {j <.. i - 1}. sat \ v k \" + by auto + from \ i j(1,2) have "mem (\ \ i - \ \ j) I" + by (cases "right I") (auto simp: le_diff_conv2) + with now i j(1,3,4) show ?L by (auto simp: le_Suc_eq gr0_conv_Suc intro!: exI[of _ j]) +qed auto + +lemma sat_Since_0: "sat \ v 0 (Since \ I \) \ mem 0 I \ sat \ v 0 \" + by auto + +lemma sat_Since_point: "sat \ v i (Since \ I \) \ + (\j. j \ i \ mem (\ \ i - \ \ j) I \ sat \ v i (Since \ (point (\ \ i - \ \ j)) \) \ P) \ P" + by (auto intro: diff_le_self) + +lemma sat_Since_pointD: "sat \ v i (Since \ (point t) \) \ mem t I \ sat \ v i (Since \ I \)" + by auto + +lemma eval_trm_fvi_cong: "\x\fv_trm t. v!x = v'!x \ eval_trm v t = eval_trm v' t" + by (cases t) simp_all + +lemma sat_fvi_cong: "\x\fv \. v!x = v'!x \ sat \ v i \ = sat \ v' i \" +proof (induct \ arbitrary: v v' i) + case (Pred n ts) + show ?case by (simp cong: map_cong eval_trm_fvi_cong[OF Pred[simplified, THEN bspec]]) +next + case (Eq x1 x2) + then show ?case unfolding fvi.simps sat.simps by (metis UnCI eval_trm_fvi_cong) +next + case (Exists \) + then show ?case unfolding sat.simps by (intro iff_exI) (simp add: fvi_Suc nth_Cons') +qed (auto 8 0 simp add: nth_Cons' split: nat.splits intro!: iff_exI) + + +subsection \Defined Connectives\ + +qualified definition "And \ \ = Neg (Or (Neg \) (Neg \))" + +lemma fvi_And: "fvi b (And \ \) = fvi b \ \ fvi b \" + unfolding And_def by simp + +lemma nfv_And[simp]: "nfv (And \ \) = max (nfv \) (nfv \)" + unfolding nfv_def by (simp add: fvi_And image_Un Max_Un[symmetric]) + +lemma future_reach_And: "future_reach (And \ \) = max (future_reach \) (future_reach \)" + unfolding And_def by simp + +lemma sat_And: "sat \ v i (And \ \) = (sat \ v i \ \ sat \ v i \)" + unfolding And_def by simp + +qualified definition "And_Not \ \ = Neg (Or (Neg \) \)" + +lemma fvi_And_Not: "fvi b (And_Not \ \) = fvi b \ \ fvi b \" + unfolding And_Not_def by simp + +lemma nfv_And_Not[simp]: "nfv (And_Not \ \) = max (nfv \) (nfv \)" + unfolding nfv_def by (simp add: fvi_And_Not image_Un Max_Un[symmetric]) + +lemma future_reach_And_Not: "future_reach (And_Not \ \) = max (future_reach \) (future_reach \)" + unfolding And_Not_def by simp + +lemma sat_And_Not: "sat \ v i (And_Not \ \) = (sat \ v i \ \ \ sat \ v i \)" + unfolding And_Not_def by simp + + +subsection \Safe Formulas\ + +fun safe_formula :: "'a MFOTL.formula \ bool" where + "safe_formula (MFOTL.Eq t1 t2) = (MFOTL.is_Const t1 \ MFOTL.is_Const t2)" +| "safe_formula (MFOTL.Neg (MFOTL.Eq (MFOTL.Const x) (MFOTL.Const y))) = True" +| "safe_formula (MFOTL.Neg (MFOTL.Eq (MFOTL.Var x) (MFOTL.Var y))) = (x = y)" +| "safe_formula (MFOTL.Pred e ts) = True" +| "safe_formula (MFOTL.Neg (MFOTL.Or (MFOTL.Neg \) \)) = (safe_formula \ \ + (safe_formula \ \ MFOTL.fv \ \ MFOTL.fv \ \ (case \ of MFOTL.Neg \' \ safe_formula \' | _ \ False)))" +| "safe_formula (MFOTL.Or \ \) = (MFOTL.fv \ = MFOTL.fv \ \ safe_formula \ \ safe_formula \)" +| "safe_formula (MFOTL.Exists \) = (safe_formula \)" +| "safe_formula (MFOTL.Prev I \) = (safe_formula \)" +| "safe_formula (MFOTL.Next I \) = (safe_formula \)" +| "safe_formula (MFOTL.Since \ I \) = (MFOTL.fv \ \ MFOTL.fv \ \ + (safe_formula \ \ (case \ of MFOTL.Neg \' \ safe_formula \' | _ \ False)) \ safe_formula \)" +| "safe_formula (MFOTL.Until \ I \) = (MFOTL.fv \ \ MFOTL.fv \ \ + (safe_formula \ \ (case \ of MFOTL.Neg \' \ safe_formula \' | _ \ False)) \ safe_formula \)" +| "safe_formula _ = False" + +lemma disjE_Not2: "P \ Q \ (P \ R) \ (\P \ Q \ R) \ R" + by blast + +lemma safe_formula_induct[consumes 1]: + assumes "safe_formula \" + and "\t1 t2. MFOTL.is_Const t1 \ P (MFOTL.Eq t1 t2)" + and "\t1 t2. MFOTL.is_Const t2 \ P (MFOTL.Eq t1 t2)" + and "\x y. P (MFOTL.Neg (MFOTL.Eq (MFOTL.Const x) (MFOTL.Const y)))" + and "\x y. x = y \ P (MFOTL.Neg (MFOTL.Eq (MFOTL.Var x) (MFOTL.Var y)))" + and "\e ts. P (MFOTL.Pred e ts)" + and "\\ \. \ (safe_formula (MFOTL.Neg \) \ MFOTL.fv \ \ MFOTL.fv \) \ P \ \ P \ \ P (MFOTL.And \ \)" + and "\\ \. safe_formula \ \ MFOTL.fv \ \ MFOTL.fv \ \ P \ \ P \ \ P (MFOTL.And_Not \ \)" + and "\\ \. MFOTL.fv \ = MFOTL.fv \ \ P \ \ P \ \ P (MFOTL.Or \ \)" + and "\\. P \ \ P (MFOTL.Exists \)" + and "\I \. P \ \ P (MFOTL.Prev I \)" + and "\I \. P \ \ P (MFOTL.Next I \)" + and "\\ I \. MFOTL.fv \ \ MFOTL.fv \ \ safe_formula \ \ P \ \ P \ \ P (MFOTL.Since \ I \)" + and "\\ I \. MFOTL.fv (MFOTL.Neg \) \ MFOTL.fv \ \ + \ safe_formula (MFOTL.Neg \) \ P \ \ P \ \ P (MFOTL.Since (MFOTL.Neg \) I \ )" + and "\\ I \. MFOTL.fv \ \ MFOTL.fv \ \ safe_formula \ \ P \ \ P \ \ P (MFOTL.Until \ I \)" + and "\\ I \. MFOTL.fv (MFOTL.Neg \) \ MFOTL.fv \ \ + \ safe_formula (MFOTL.Neg \) \ P \ \ P \ \ P (MFOTL.Until (MFOTL.Neg \) I \)" + shows "P \" + using assms(1) +proof (induction rule: safe_formula.induct) + case (5 \ \) + then show ?case + by (cases \) + (auto 0 3 elim!: disjE_Not2 intro: assms[unfolded MFOTL.And_def MFOTL.And_Not_def]) +next + case (10 \ I \) + then show ?case + by (cases \) (auto 0 3 elim!: disjE_Not2 intro: assms) +next + case (11 \ I \) + then show ?case + by (cases \) (auto 0 3 elim!: disjE_Not2 intro: assms) +qed (auto intro: assms) + + +subsection \Slicing Traces\ + +qualified primrec matches :: "'a env \ 'a formula \ name \ 'a list \ bool" where + "matches v (Pred r ts) e = (r = fst e \ map (eval_trm v) ts = snd e)" +| "matches v (Eq _ _) e = False" +| "matches v (Neg \) e = matches v \ e" +| "matches v (Or \ \) e = (matches v \ e \ matches v \ e)" +| "matches v (Exists \) e = (\z. matches (z # v) \ e)" +| "matches v (Prev I \) e = matches v \ e" +| "matches v (Next I \) e = matches v \ e" +| "matches v (Since \ I \) e = (matches v \ e \ matches v \ e)" +| "matches v (Until \ I \) e = (matches v \ e \ matches v \ e)" + +lemma matches_fvi_cong: "\x\fv \. v!x = v'!x \ matches v \ e = matches v' \ e" +proof (induct \ arbitrary: v v') + case (Pred n ts) + show ?case by (simp cong: map_cong eval_trm_fvi_cong[OF Pred[simplified, THEN bspec]]) +next + case (Exists \) + then show ?case unfolding matches.simps by (intro iff_exI) (simp add: fvi_Suc nth_Cons') +qed (auto 5 0 simp add: nth_Cons') + +abbreviation relevant_events where + "relevant_events \ S \ {e. S \ {v. matches v \ e} \ {}}" + +qualified definition slice :: "'a formula \ 'a env set \ 'a trace \ 'a trace" where + "slice \ S \ = map_\ (\D. D \ relevant_events \ S) \" + +lemma \_slice[simp]: "\ (slice \ S \) = \ \" + unfolding slice_def by (simp add: fun_eq_iff) + +lemma sat_slice_strong: "relevant_events \ S \ E \ v \ S \ + sat \ v i \ \ sat (map_\ (\D. D \ E) \) v i \" +proof (induction \ arbitrary: v S i) + case (Pred r ts) + then show ?case by (auto simp: subset_eq) +next + case (Eq t1 t2) + show ?case + unfolding sat.simps + by simp +next + case (Neg \) + then show ?case by simp +next + case (Or \ \) + show ?case using Or.IH[of S] Or.prems + by (auto simp: Collect_disj_eq Int_Un_distrib subset_iff) +next + case (Exists \) + have "sat \ (z # v) i \ = sat (map_\ (\D. D \ E) \) (z # v) i \" for z + using Exists.prems by (auto intro!: Exists.IH[of "{z # v | v. v \ S}"]) + then show ?case by simp +next + case (Prev I \) + then show ?case by (auto cong: nat.case_cong) +next + case (Next I \) + then show ?case by simp +next + case (Since \ I \) + show ?case using Since.IH[of S] Since.prems + by (auto simp: Collect_disj_eq Int_Un_distrib subset_iff) +next + case (Until \ I \) + show ?case using Until.IH[of S] Until.prems + by (auto simp: Collect_disj_eq Int_Un_distrib subset_iff) +qed + +lemma sat_slice_iff: + assumes "v \ S" + shows "sat \ v i \ \ sat (slice \ S \) v i \" + unfolding slice_def + by (rule sat_slice_strong[of S, OF subset_refl assms]) + +qualified lift_definition pslice :: "'a formula \ 'a env set \ 'a prefix \ 'a prefix" is + "\\ S \. map (\(D, t). (D \ relevant_events \ S, t)) \" + by (auto simp: o_def split_beta) + +lemma prefix_of_pslice_slice: "prefix_of \ \ \ prefix_of (pslice \ R \) (MFOTL.slice \ R \)" + unfolding MFOTL.slice_def + by transfer simp + +lemma plen_pslice[simp]: "plen (pslice \ R \) = plen \" + by transfer simp + +lemma pslice_pnil[simp]: "pslice \ R pnil = pnil" + by transfer simp + +lemma last_ts_pslice[simp]: "last_ts (pslice \ R \) = last_ts \" + by transfer (simp add: last_map case_prod_beta split: list.split) + +lemma prefix_of_replace_prefix: + "prefix_of (pslice \ R \) \ \ prefix_of \ (replace_prefix \ \)" +proof (transfer; safe; goal_cases) + case (1 \ R \ \) + then show ?case + by (subst (asm) (2) stake_sdrop[symmetric, of _ "length \"]) + (auto 0 3 simp: ssorted_shift split_beta o_def stake_shift sdrop_smap[symmetric] + ssorted_sdrop not_le pslice_def simp del: sdrop_smap) +qed + +lemma slice_replace_prefix: + "prefix_of (pslice \ R \) \ \ slice \ R (replace_prefix \ \) = slice \ R \" +unfolding slice_def proof (transfer; safe; goal_cases) + case (1 \ R \ \) + then show ?case + by (subst (asm) (2) stake_sdrop[symmetric, of \ "length \"], + subst (3) stake_sdrop[symmetric, of \ "length \"]) + (auto simp: ssorted_shift split_beta o_def stake_shift sdrop_smap[symmetric] ssorted_sdrop + not_le pslice_def simp del: sdrop_smap cong: map_cong) +qed + +lemma prefix_of_psliceD: + assumes "prefix_of (pslice \ R \) \" + shows "\\'. prefix_of \ \' \ prefix_of (pslice \ R \) (slice \ R \')" +proof - + from assms(1) obtain \' where 1: "prefix_of \ \'" + using ex_prefix_of by blast + then have "prefix_of (pslice \ R \) (slice \ R \')" + unfolding MFOTL.slice_def + by transfer simp + with 1 show ?thesis by blast +qed + +lemma prefix_of_sliceD: + assumes "prefix_of \' (slice \ R \)" + shows "\\''. \' = pslice \ R \'' \ prefix_of \'' \" + using assms unfolding slice_def + by transfer (auto intro!: exI[of _ "stake (length _) _"] elim: sym dest: sorted_stake) + +end (*context*) + +(*<*) +end +(*>*) \ No newline at end of file diff --git a/thys/MFOTL_Monitor/Monitor.thy b/thys/MFOTL_Monitor/Monitor.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Monitor.thy @@ -0,0 +1,1544 @@ +(*<*) +theory Monitor + imports Abstract_Monitor Table +begin +(*>*) + +section \Concrete Monitor\ + +subsection \Monitorable Formulas\ + +definition "mmonitorable \ \ safe_formula \ \ MFOTL.future_reach \ \ \" + +fun mmonitorable_exec :: "'a MFOTL.formula \ bool" where + "mmonitorable_exec (MFOTL.Eq t1 t2) = (MFOTL.is_Const t1 \ MFOTL.is_Const t2)" +| "mmonitorable_exec (MFOTL.Neg (MFOTL.Eq (MFOTL.Const x) (MFOTL.Const y))) = True" +| "mmonitorable_exec (MFOTL.Neg (MFOTL.Eq (MFOTL.Var x) (MFOTL.Var y))) = (x = y)" +| "mmonitorable_exec (MFOTL.Pred e ts) = True" +| "mmonitorable_exec (MFOTL.Neg (MFOTL.Or (MFOTL.Neg \) \)) = (mmonitorable_exec \ \ + (mmonitorable_exec \ \ MFOTL.fv \ \ MFOTL.fv \ \ (case \ of MFOTL.Neg \' \ mmonitorable_exec \' | _ \ False)))" +| "mmonitorable_exec (MFOTL.Or \ \) = (MFOTL.fv \ = MFOTL.fv \ \ mmonitorable_exec \ \ mmonitorable_exec \)" +| "mmonitorable_exec (MFOTL.Exists \) = (mmonitorable_exec \)" +| "mmonitorable_exec (MFOTL.Prev I \) = (mmonitorable_exec \)" +| "mmonitorable_exec (MFOTL.Next I \) = (mmonitorable_exec \ \ right I \ \)" +| "mmonitorable_exec (MFOTL.Since \ I \) = (MFOTL.fv \ \ MFOTL.fv \ \ + (mmonitorable_exec \ \ (case \ of MFOTL.Neg \' \ mmonitorable_exec \' | _ \ False)) \ mmonitorable_exec \)" +| "mmonitorable_exec (MFOTL.Until \ I \) = (MFOTL.fv \ \ MFOTL.fv \ \ right I \ \ \ + (mmonitorable_exec \ \ (case \ of MFOTL.Neg \' \ mmonitorable_exec \' | _ \ False)) \ mmonitorable_exec \)" +| "mmonitorable_exec _ = False" + +lemma plus_eq_enat_iff: "a + b = enat i \ (\j k. a = enat j \ b = enat k \ j + k = i)" + by (cases a; cases b) auto + +lemma minus_eq_enat_iff: "a - enat k = enat i \ (\j. a = enat j \ j - k = i)" + by (cases a) auto + +lemma safe_formula_mmonitorable_exec: "safe_formula \ \ MFOTL.future_reach \ \ \ \ mmonitorable_exec \" +proof (induct \ rule: safe_formula.induct) + case (5 \ \) + then show ?case + unfolding safe_formula.simps future_reach.simps mmonitorable_exec.simps + by (fastforce split: formula.splits) +next + case (6 \ \) + then show ?case + unfolding safe_formula.simps future_reach.simps mmonitorable_exec.simps + by (fastforce split: formula.splits) +next + case (10 \ I \) + then show ?case + unfolding safe_formula.simps future_reach.simps mmonitorable_exec.simps + by (fastforce split: formula.splits) +next + case (11 \ I \) + then show ?case + unfolding safe_formula.simps future_reach.simps mmonitorable_exec.simps + by (fastforce simp: plus_eq_enat_iff split: formula.splits) +qed (auto simp add: plus_eq_enat_iff minus_eq_enat_iff) + +lemma mmonitorable_exec_mmonitorable: "mmonitorable_exec \ \ mmonitorable \" +proof (induct \ rule: mmonitorable_exec.induct) + case (5 \ \) + then show ?case + unfolding mmonitorable_def mmonitorable_exec.simps safe_formula.simps + by (fastforce split: formula.splits) +next + case (10 \ I \) + then show ?case + unfolding mmonitorable_def mmonitorable_exec.simps safe_formula.simps + by (fastforce split: formula.splits) +next + case (11 \ I \) + then show ?case + unfolding mmonitorable_def mmonitorable_exec.simps safe_formula.simps + by (fastforce simp: one_enat_def split: formula.splits) +qed (auto simp add: mmonitorable_def one_enat_def) + +lemma monitorable_formula_code[code]: "mmonitorable \ = mmonitorable_exec \" + using mmonitorable_exec_mmonitorable safe_formula_mmonitorable_exec mmonitorable_def + by blast + + + +subsection \The Executable Monitor\ + +type_synonym ts = nat + +type_synonym 'a mbuf2 = "'a table list \ 'a table list" +type_synonym 'a msaux = "(ts \ 'a table) list" +type_synonym 'a muaux = "(ts \ 'a table \ 'a table) list" + +datatype 'a mformula = + MRel "'a table" + | MPred MFOTL.name "'a MFOTL.trm list" + | MAnd "'a mformula" bool "'a mformula" "'a mbuf2" + | MOr "'a mformula" "'a mformula" "'a mbuf2" + | MExists "'a mformula" + | MPrev \ "'a mformula" bool "'a table list" "ts list" + | MNext \ "'a mformula" bool "ts list" + | MSince bool "'a mformula" \ "'a mformula" "'a mbuf2" "ts list" "'a msaux" + | MUntil bool "'a mformula" \ "'a mformula" "'a mbuf2" "ts list" "'a muaux" + +record 'a mstate = + mstate_i :: nat + mstate_m :: "'a mformula" + mstate_n :: nat + +fun eq_rel :: "nat \ 'a MFOTL.trm \ 'a MFOTL.trm \ 'a table" where + "eq_rel n (MFOTL.Const x) (MFOTL.Const y) = (if x = y then unit_table n else empty_table)" +| "eq_rel n (MFOTL.Var x) (MFOTL.Const y) = singleton_table n x y" +| "eq_rel n (MFOTL.Const x) (MFOTL.Var y) = singleton_table n y x" +| "eq_rel n (MFOTL.Var x) (MFOTL.Var y) = undefined" + +fun neq_rel :: "nat \ 'a MFOTL.trm \ 'a MFOTL.trm \ 'a table" where + "neq_rel n (MFOTL.Const x) (MFOTL.Const y) = (if x = y then empty_table else unit_table n)" +| "neq_rel n (MFOTL.Var x) (MFOTL.Var y) = (if x = y then empty_table else undefined)" +| "neq_rel _ _ _ = undefined" + +fun minit0 :: "nat \ 'a MFOTL.formula \ 'a mformula" where + "minit0 n (MFOTL.Neg \) = (case \ of + MFOTL.Eq t1 t2 \ MRel (neq_rel n t1 t2) + | MFOTL.Or (MFOTL.Neg \) \ \ (if safe_formula \ \ MFOTL.fv \ \ MFOTL.fv \ + then MAnd (minit0 n \) False (minit0 n \) ([], []) + else (case \ of MFOTL.Neg \ \ MAnd (minit0 n \) True (minit0 n \) ([], []) | _ \ undefined)) + | _ \ undefined)" +| "minit0 n (MFOTL.Eq t1 t2) = MRel (eq_rel n t1 t2)" +| "minit0 n (MFOTL.Pred e ts) = MPred e ts" +| "minit0 n (MFOTL.Or \ \) = MOr (minit0 n \) (minit0 n \) ([], [])" +| "minit0 n (MFOTL.Exists \) = MExists (minit0 (Suc n) \)" +| "minit0 n (MFOTL.Prev I \) = MPrev I (minit0 n \) True [] []" +| "minit0 n (MFOTL.Next I \) = MNext I (minit0 n \) True []" +| "minit0 n (MFOTL.Since \ I \) = (if safe_formula \ + then MSince True (minit0 n \) I (minit0 n \) ([], []) [] [] + else (case \ of + MFOTL.Neg \ \ MSince False (minit0 n \) I (minit0 n \) ([], []) [] [] + | _ \ undefined))" +| "minit0 n (MFOTL.Until \ I \) = (if safe_formula \ + then MUntil True (minit0 n \) I (minit0 n \) ([], []) [] [] + else (case \ of + MFOTL.Neg \ \ MUntil False (minit0 n \) I (minit0 n \) ([], []) [] [] + | _ \ undefined))" + +definition minit :: "'a MFOTL.formula \ 'a mstate" where + "minit \ = (let n = MFOTL.nfv \ in \mstate_i = 0, mstate_m = minit0 n \, mstate_n = n\)" + +fun mprev_next :: "\ \ 'a table list \ ts list \ 'a table list \ 'a table list \ ts list" where + "mprev_next I [] ts = ([], [], ts)" +| "mprev_next I xs [] = ([], xs, [])" +| "mprev_next I xs [t] = ([], xs, [t])" +| "mprev_next I (x # xs) (t # t' # ts) = (let (ys, zs) = mprev_next I xs (t' # ts) + in ((if mem (t' - t) I then x else empty_table) # ys, zs))" + +fun mbuf2_add :: "'a table list \ 'a table list \ 'a mbuf2 \ 'a mbuf2" where + "mbuf2_add xs' ys' (xs, ys) = (xs @ xs', ys @ ys')" + +fun mbuf2_take :: "('a table \ 'a table \ 'b) \ 'a mbuf2 \ 'b list \ 'a mbuf2" where + "mbuf2_take f (x # xs, y # ys) = (let (zs, buf) = mbuf2_take f (xs, ys) in (f x y # zs, buf))" +| "mbuf2_take f (xs, ys) = ([], (xs, ys))" + +fun mbuf2t_take :: "('a table \ 'a table \ ts \ 'b \ 'b) \ 'b \ + 'a mbuf2 \ ts list \ 'b \ 'a mbuf2 \ ts list" where + "mbuf2t_take f z (x # xs, y # ys) (t # ts) = mbuf2t_take f (f x y t z) (xs, ys) ts" +| "mbuf2t_take f z (xs, ys) ts = (z, (xs, ys), ts)" + +fun match :: "'a MFOTL.trm list \ 'a list \ (nat \ 'a) option" where + "match [] [] = Some Map.empty" +| "match (MFOTL.Const x # ts) (y # ys) = (if x = y then match ts ys else None)" +| "match (MFOTL.Var x # ts) (y # ys) = (case match ts ys of + None \ None + | Some f \ (case f x of + None \ Some (f(x \ y)) + | Some z \ if y = z then Some f else None))" +| "match _ _ = None" + +definition update_since :: "\ \ bool \ 'a table \ 'a table \ ts \ + 'a msaux \ 'a table \ 'a msaux" where + "update_since I pos rel1 rel2 nt aux = + (let aux = (case [(t, join rel pos rel1). (t, rel) \ aux, nt - t \ right I] of + [] \ [(nt, rel2)] + | x # aux' \ (if fst x = nt then (fst x, snd x \ rel2) # aux' else (nt, rel2) # x # aux')) + in (foldr (\) [rel. (t, rel) \ aux, left I \ nt - t] {}, aux))" + +definition update_until :: "\ \ bool \ 'a table \ 'a table \ ts \ 'a muaux \ 'a muaux" where + "update_until I pos rel1 rel2 nt aux = + (map (\x. case x of (t, a1, a2) \ (t, if pos then join a1 True rel1 else a1 \ rel1, + if mem (nt - t) I then a2 \ join rel2 pos a1 else a2)) aux) @ + [(nt, rel1, if left I = 0 then rel2 else empty_table)]" + +fun eval_until :: "\ \ ts \ 'a muaux \ 'a table list \ 'a muaux" where + "eval_until I nt [] = ([], [])" +| "eval_until I nt ((t, a1, a2) # aux) = (if t + right I < nt then + (let (xs, aux) = eval_until I nt aux in (a2 # xs, aux)) else ([], (t, a1, a2) # aux))" + +primrec meval :: "nat \ ts \ 'a MFOTL.database \ 'a mformula \ 'a table list \ 'a mformula" where + "meval n t db (MRel rel) = ([rel], MRel rel)" +| "meval n t db (MPred e ts) = ([(\f. tabulate f 0 n) ` Option.these + (match ts ` (\(e', x)\db. if e = e' then {x} else {}))], MPred e ts)" +| "meval n t db (MAnd \ pos \ buf) = + (let (xs, \) = meval n t db \; (ys, \) = meval n t db \; + (zs, buf) = mbuf2_take (\r1 r2. join r1 pos r2) (mbuf2_add xs ys buf) + in (zs, MAnd \ pos \ buf))" +| "meval n t db (MOr \ \ buf) = + (let (xs, \) = meval n t db \; (ys, \) = meval n t db \; + (zs, buf) = mbuf2_take (\r1 r2. r1 \ r2) (mbuf2_add xs ys buf) + in (zs, MOr \ \ buf))" +| "meval n t db (MExists \) = + (let (xs, \) = meval (Suc n) t db \ in (map (\r. tl ` r) xs, MExists \))" +| "meval n t db (MPrev I \ first buf nts) = + (let (xs, \) = meval n t db \; + (zs, buf, nts) = mprev_next I (buf @ xs) (nts @ [t]) + in (if first then empty_table # zs else zs, MPrev I \ False buf nts))" +| "meval n t db (MNext I \ first nts) = + (let (xs, \) = meval n t db \; + (xs, first) = (case (xs, first) of (_ # xs, True) \ (xs, False) | a \ a); + (zs, _, nts) = mprev_next I xs (nts @ [t]) + in (zs, MNext I \ first nts))" +| "meval n t db (MSince pos \ I \ buf nts aux) = + (let (xs, \) = meval n t db \; (ys, \) = meval n t db \; + ((zs, aux), buf, nts) = mbuf2t_take (\r1 r2 t (zs, aux). + let (z, aux) = update_since I pos r1 r2 t aux + in (zs @ [z], aux)) ([], aux) (mbuf2_add xs ys buf) (nts @ [t]) + in (zs, MSince pos \ I \ buf nts aux))" +| "meval n t db (MUntil pos \ I \ buf nts aux) = + (let (xs, \) = meval n t db \; (ys, \) = meval n t db \; + (aux, buf, nts) = mbuf2t_take (update_until I pos) aux (mbuf2_add xs ys buf) (nts @ [t]); + (zs, aux) = eval_until I (case nts of [] \ t | nt # _ \ nt) aux + in (zs, MUntil pos \ I \ buf nts aux))" + +definition mstep :: "'a MFOTL.database \ ts \ 'a mstate \ (nat \ 'a tuple) set \ 'a mstate" where + "mstep tdb st = + (let (xs, m) = meval (mstate_n st) (snd tdb) (fst tdb) (mstate_m st) + in (\ (set (map (\(i, X). (\v. (i, v)) ` X) (List.enumerate (mstate_i st) xs))), + \mstate_i = mstate_i st + length xs, mstate_m = m, mstate_n = mstate_n st\))" + +lemma mstep_alt: "mstep tdb st = + (let (xs, m) = meval (mstate_n st) (snd tdb) (fst tdb) (mstate_m st) + in (\(i, X) \ set (List.enumerate (mstate_i st) xs). \v \ X. {(i,v)}, + \mstate_i = mstate_i st + length xs, mstate_m = m, mstate_n = mstate_n st\))" + unfolding mstep_def + by (auto split: prod.split) + + +subsection \Verdict Delay\ + +primrec progress :: "'a MFOTL.trace \ 'a MFOTL.formula \ nat \ nat" where + "progress \ (MFOTL.Pred e ts) j = j" +| "progress \ (MFOTL.Eq t1 t2) j = j" +| "progress \ (MFOTL.Neg \) j = progress \ \ j" +| "progress \ (MFOTL.Or \ \) j = min (progress \ \ j) (progress \ \ j)" +| "progress \ (MFOTL.Exists \) j = progress \ \ j" +| "progress \ (MFOTL.Prev I \) j = (if j = 0 then 0 else min (Suc (progress \ \ j)) j)" +| "progress \ (MFOTL.Next I \) j = progress \ \ j - 1" +| "progress \ (MFOTL.Since \ I \) j = min (progress \ \ j) (progress \ \ j)" +| "progress \ (MFOTL.Until \ I \) j = + Inf {i. \k. k < j \ k \ min (progress \ \ j) (progress \ \ j) \ \ \ i + right I \ \ \ k}" + +lemma progress_And[simp]: "progress \ (MFOTL.And \ \) j = min (progress \ \ j) (progress \ \ j)" + unfolding MFOTL.And_def by simp + +lemma progress_And_Not[simp]: "progress \ (MFOTL.And_Not \ \) j = min (progress \ \ j) (progress \ \ j)" + unfolding MFOTL.And_Not_def by simp + +lemma progress_mono: "j \ j' \ progress \ \ j \ progress \ \ j'" +proof (induction \) + case (Until \ I \) + then show ?case + by (cases "right I") + (auto dest: trans_le_add1[OF \_mono] intro!: cInf_superset_mono) +qed auto + +lemma progress_le: "progress \ \ j \ j" +proof (induction \) + case (Until \ I \) + then show ?case + by (cases "right I") + (auto intro: trans_le_add1[OF \_mono] intro!: cInf_lower) +qed auto + +lemma progress_0[simp]: "progress \ \ 0 = 0" + using progress_le by auto + +lemma progress_ge: "MFOTL.future_reach \ \ \ \ \j. i \ progress \ \ j" +proof (induction \ arbitrary: i) + case (Pred e ts) + then show ?case by auto +next + case (Eq t1 t2) + then show ?case by auto +next + case (Neg \) + then show ?case by simp +next + case (Or \1 \2) + from Or.prems have "MFOTL.future_reach \1 \ \" + by (cases "MFOTL.future_reach \1") (auto) + moreover from Or.prems have "MFOTL.future_reach \2 \ \" + by (cases "MFOTL.future_reach \2") (auto) + ultimately obtain j1 j2 where "i \ progress \ \1 j1" and "i \ progress \ \2 j2" + using Or.IH[of i] by blast + then have "i \ progress \ (MFOTL.Or \1 \2) (max j1 j2)" + by (cases "j1 \ j2") (auto elim!: order.trans[OF _ progress_mono]) + then show ?case by blast +next + case (Exists \) + then show ?case by simp +next + case (Prev I \) + from Prev.prems have "MFOTL.future_reach \ \ \" + by (cases "MFOTL.future_reach \") (auto) + then obtain j where "i \ progress \ \ j" + using Prev.IH[of i] by blast + then show ?case by (auto intro!: exI[of _ j] elim!: order.trans[OF _ progress_le]) +next + case (Next I \) + from Next.prems have "MFOTL.future_reach \ \ \" + by (cases "MFOTL.future_reach \") (auto) + then obtain j where "Suc i \ progress \ \ j" + using Next.IH[of "Suc i"] by blast + then show ?case by (auto intro!: exI[of _ j]) +next + case (Since \1 I \2) + from Since.prems have "MFOTL.future_reach \1 \ \" + by (cases "MFOTL.future_reach \1") (auto) + moreover from Since.prems have "MFOTL.future_reach \2 \ \" + by (cases "MFOTL.future_reach \2") (auto) + ultimately obtain j1 j2 where "i \ progress \ \1 j1" and "i \ progress \ \2 j2" + using Since.IH[of i] by blast + then have "i \ progress \ (MFOTL.Since \1 I \2) (max j1 j2)" + by (cases "j1 \ j2") (auto elim!: order.trans[OF _ progress_mono]) + then show ?case by blast +next + case (Until \1 I \2) + from Until.prems obtain b where [simp]: "right I = enat b" + by (cases "right I") (auto) + obtain i' where "i < i'" and "\ \ i + b + 1 \ \ \ i'" + using ex_le_\[where x="\ \ i + b + 1"] by (auto simp add: less_eq_Suc_le) + then have 1: "\ \ i + b < \ \ i'" by simp + from Until.prems have "MFOTL.future_reach \1 \ \" + by (cases "MFOTL.future_reach \1") (auto) + moreover from Until.prems have "MFOTL.future_reach \2 \ \" + by (cases "MFOTL.future_reach \2") (auto) + ultimately obtain j1 j2 where "Suc i' \ progress \ \1 j1" and "Suc i' \ progress \ \2 j2" + using Until.IH[of "Suc i'"] by blast + then have "i \ progress \ (MFOTL.Until \1 I \2) (max j1 j2)" + unfolding progress.simps + proof (intro cInf_greatest, goal_cases nonempty greatest) + case nonempty + then show ?case + by (auto simp: trans_le_add1[OF \_mono] intro!: exI[of _ "max j1 j2"]) + next + case (greatest x) + with \i < i'\ 1 show ?case + by (cases "j1 \ j2") + (auto dest!: spec[of _ i'] simp: max_absorb1 max_absorb2 less_eq_Suc_le + elim: order.trans[OF _ progress_le] order.trans[OF _ progress_mono, rotated] + dest!: not_le_imp_less[THEN less_imp_le] intro!: less_\D[THEN less_imp_le, of \ i x]) + qed + then show ?case by blast +qed + +lemma cInf_restrict_nat: + fixes x :: nat + assumes "x \ A" + shows "Inf A = Inf {y \ A. y \ x}" + using assms by (auto intro!: antisym intro: cInf_greatest cInf_lower Inf_nat_def1) + +lemma progress_time_conv: + assumes "\i \ i = \ \' i" + shows "progress \ \ j = progress \' \ j" +proof (induction \) + case (Until \1 I \2) + have *: "i \ j - 1 \ i < j" if "j \ 0" for i + using that by auto + with Until show ?case + proof (cases "right I") + case (enat b) + then show ?thesis + proof (cases "j") + case (Suc n) + with enat * Until show ?thesis + using assms \_mono[THEN trans_le_add1] + by (auto 6 0 + intro!: box_equals[OF arg_cong[where f=Inf] + cInf_restrict_nat[symmetric, where x=n] cInf_restrict_nat[symmetric, where x=n]]) + qed simp + qed simp +qed simp_all + +lemma Inf_UNIV_nat: "(Inf UNIV :: nat) = 0" + by (simp add: cInf_eq_minimum) + +lemma progress_prefix_conv: + assumes "prefix_of \ \" and "prefix_of \ \'" + shows "progress \ \ (plen \) = progress \' \ (plen \)" + using assms by (auto intro: progress_time_conv \_prefix_conv) + +lemma sat_prefix_conv: + assumes "prefix_of \ \" and "prefix_of \ \'" and "i < progress \ \ (plen \)" + shows "MFOTL.sat \ v i \ \ MFOTL.sat \' v i \" +using assms(3) proof (induction \ arbitrary: v i) + case (Pred e ts) + with \_prefix_conv[OF assms(1,2)] show ?case by simp +next + case (Eq t1 t2) + show ?case by simp +next + case (Neg \) + then show ?case by simp +next + case (Or \1 \2) + then show ?case by simp +next + case (Exists \) + then show ?case by simp +next + case (Prev I \) + with \_prefix_conv[OF assms(1,2)] show ?case + by (cases i) (auto split: if_splits) +next + case (Next I \) + then have "Suc i < plen \" + by (auto intro: order.strict_trans2[OF _ progress_le[of \ \]]) + with Next \_prefix_conv[OF assms(1,2)] show ?case by simp +next + case (Since \1 I \2) + then have "i < plen \" + by (auto elim!: order.strict_trans2[OF _ progress_le]) + with Since \_prefix_conv[OF assms(1,2)] show ?case by auto +next + case (Until \1 I \2) + from Until.prems obtain b where [simp]: "right I = enat b" + by (cases "right I") (auto simp add: Inf_UNIV_nat) + from Until.prems obtain j where "\ \ i + b + 1 \ \ \ j" + "j \ progress \ \1 (plen \)" "j \ progress \ \2 (plen \)" + by atomize_elim (auto 0 4 simp add: less_eq_Suc_le not_le intro: Suc_leI dest: spec[of _ "i"] + dest!: le_cInf_iff[THEN iffD1, rotated -1]) + then have 1: "k < progress \ \1 (plen \)" and 2: "k < progress \ \2 (plen \)" + if "\ \ k \ \ \ i + b" for k + using that by (fastforce elim!: order.strict_trans2[rotated] intro: less_\D[of \])+ + have 3: "k < plen \" if "\ \ k \ \ \ i + b" for k + using 1[OF that] by (simp add: less_eq_Suc_le order.trans[OF _ progress_le]) + + from Until.prems have "i < progress \' (MFOTL.Until \1 I \2) (plen \)" + unfolding progress_prefix_conv[OF assms(1,2)] . + then obtain j where "\ \' i + b + 1 \ \ \' j" + "j \ progress \' \1 (plen \)" "j \ progress \' \2 (plen \)" + by atomize_elim (auto 0 4 simp add: less_eq_Suc_le not_le intro: Suc_leI dest: spec[of _ "i"] + dest!: le_cInf_iff[THEN iffD1, rotated -1]) + then have 11: "k < progress \ \1 (plen \)" and 21: "k < progress \ \2 (plen \)" + if "\ \' k \ \ \' i + b" for k + unfolding progress_prefix_conv[OF assms(1,2)] + using that by (fastforce elim!: order.strict_trans2[rotated] intro: less_\D[of \'])+ + have 31: "k < plen \" if "\ \' k \ \ \' i + b" for k + using 11[OF that] by (simp add: less_eq_Suc_le order.trans[OF _ progress_le]) + + show ?case unfolding sat.simps + proof ((intro ex_cong iffI; elim conjE), goal_cases LR RL) + case (LR j) + with Until.IH(1)[OF 1] Until.IH(2)[OF 2] \_prefix_conv[OF assms(1,2) 3] show ?case + by (auto 0 4 simp: le_diff_conv add.commute dest: less_imp_le order.trans[OF \_mono, rotated]) + next + case (RL j) + with Until.IH(1)[OF 11] Until.IH(2)[OF 21] \_prefix_conv[OF assms(1,2) 31] show ?case + by (auto 0 4 simp: le_diff_conv add.commute dest: less_imp_le order.trans[OF \_mono, rotated]) + qed +qed + +interpretation verimon: monitor_timed_progress "\\. MFOTL.future_reach \ \ \" progress + by (unfold_locales, (fact progress_mono progress_le progress_time_conv sat_prefix_conv | + simp add: mmonitorable_def progress_ge)+) + +abbreviation "mverdicts \ verimon.verdicts" + + +subsection \Correctness\ + +subsubsection \Invariants\ + +definition wf_mbuf2 :: "nat \ nat \ nat \ (nat \ 'a table \ bool) \ (nat \ 'a table \ bool) \ + 'a mbuf2 \ bool" where + "wf_mbuf2 i ja jb P Q buf \ i \ ja \ i \ jb \ (case buf of (xs, ys) \ + list_all2 P [i.. list_all2 Q [i.. nat \ nat \ 'a list set \ + 'a MFOTL.formula \ 'a MFOTL.formula \ 'a mbuf2 \ bool" where + "wf_mbuf2' \ j n R \ \ buf \ wf_mbuf2 (min (progress \ \ j) (progress \ \ j)) + (progress \ \ j) (progress \ \ j) + (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) buf" + +lemma wf_mbuf2'_UNIV_alt: "wf_mbuf2' \ j n UNIV \ \ buf \ (case buf of (xs, ys) \ + list_all2 (\i. wf_table n (MFOTL.fv \) (\v. MFOTL.sat \ (map the v) i \)) + [min (progress \ \ j) (progress \ \ j) ..< (progress \ \ j)] xs \ + list_all2 (\i. wf_table n (MFOTL.fv \) (\v. MFOTL.sat \ (map the v) i \)) + [min (progress \ \ j) (progress \ \ j) ..< (progress \ \ j)] ys)" + unfolding wf_mbuf2'_def wf_mbuf2_def + by (simp add: mem_restr_UNIV[THEN eqTrueI, abs_def] split: prod.split) + +definition wf_ts :: "'a MFOTL.trace \ nat \ 'a MFOTL.formula \ 'a MFOTL.formula \ ts list \ bool" where + "wf_ts \ j \ \ ts \ list_all2 (\i t. t = \ \ i) [min (progress \ \ j) (progress \ \ j).. I \ \ MFOTL.Since (if pos then \ else MFOTL.Neg \) I \" + +definition wf_since_aux :: "'a MFOTL.trace \ nat \ 'a list set \ bool \ + 'a MFOTL.formula \ \ \ 'a MFOTL.formula \ 'a msaux \ nat \ bool" where + "wf_since_aux \ n R pos \ I \ aux ne \ sorted_wrt (\x y. fst x > fst y) aux \ + (\t X. (t, X) \ set aux \ ne \ 0 \ t \ \ \ (ne-1) \ \ \ (ne-1) - t \ right I \ (\i. \ \ i = t) \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) (ne-1) (Sincep pos \ (point (\ \ (ne-1) - t)) \)) X) \ + (\t. ne \ 0 \ t \ \ \ (ne-1) \ \ \ (ne-1) - t \ right I \ (\i. \ \ i = t) \ + (\X. (t, X) \ set aux))" + +lemma qtable_mem_restr_UNIV: "qtable n A (mem_restr UNIV) Q X = wf_table n A Q X" + unfolding qtable_def by auto + +lemma wf_since_aux_UNIV_alt: + "wf_since_aux \ n UNIV pos \ I \ aux ne \ sorted_wrt (\x y. fst x > fst y) aux \ + (\t X. (t, X) \ set aux \ ne \ 0 \ t \ \ \ (ne-1) \ \ \ (ne-1) - t \ right I \ (\i. \ \ i = t) \ + wf_table n (MFOTL.fv \) + (\v. MFOTL.sat \ (map the v) (ne-1) (Sincep pos \ (point (\ \ (ne-1) - t)) \)) X) \ + (\t. ne \ 0 \ t \ \ \ (ne-1) \ \ \ (ne-1) - t \ right I \ (\i. \ \ i = t) \ + (\X. (t, X) \ set aux))" + unfolding wf_since_aux_def qtable_mem_restr_UNIV .. + +definition wf_until_aux :: "'a MFOTL.trace \ nat \ 'a list set \ bool \ + 'a MFOTL.formula \ \ \ 'a MFOTL.formula \ 'a muaux \ nat \ bool" where + "wf_until_aux \ n R pos \ I \ aux ne \ list_all2 (\x i. case x of (t, r1, r2) \ t = \ \ i \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. if pos then (\k\{i.. (map the v) k \) + else (\k\{i.. (map the v) k \)) r1 \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. (\j. i \ j \ j < ne + length aux \ mem (\ \ j - \ \ i) I \ + MFOTL.sat \ (map the v) j \ \ + (\k\{i.. (map the v) k \ else \ MFOTL.sat \ (map the v) k \))) r2) + aux [ne.. n UNIV pos \ I \ aux ne \ list_all2 (\x i. case x of (t, r1, r2) \ t = \ \ i \ + wf_table n (MFOTL.fv \) (\v. if pos + then (\k\{i.. (map the v) k \) + else (\k\{i.. (map the v) k \)) r1 \ + wf_table n (MFOTL.fv \) (\v. \j. i \ j \ j < ne + length aux \ mem (\ \ j - \ \ i) I \ + MFOTL.sat \ (map the v) j \ \ + (\k\{i.. (map the v) k \ else \ MFOTL.sat \ (map the v) k \)) r2) + aux [ne.. nat \ + nat \ 'a list set \ 'a mformula \ 'a MFOTL.formula \ bool" + for \ j where + Eq: "MFOTL.is_Const t1 \ MFOTL.is_Const t2 \ + \x\MFOTL.fv_trm t1. x < n \ \x\MFOTL.fv_trm t2. x < n \ + wf_mformula \ j n R (MRel (eq_rel n t1 t2)) (MFOTL.Eq t1 t2)" +| neq_Const: "\ = MRel (neq_rel n (MFOTL.Const x) (MFOTL.Const y)) \ + wf_mformula \ j n R \ (MFOTL.Neg (MFOTL.Eq (MFOTL.Const x) (MFOTL.Const y)))" +| neq_Var: "x < n \ + wf_mformula \ j n R (MRel empty_table) (MFOTL.Neg (MFOTL.Eq (MFOTL.Var x) (MFOTL.Var x)))" +| Pred: "\x\MFOTL.fv (MFOTL.Pred e ts). x < n \ + wf_mformula \ j n R (MPred e ts) (MFOTL.Pred e ts)" +| And: "wf_mformula \ j n R \ \' \ wf_mformula \ j n R \ \' \ + if pos then \ = MFOTL.And \' \' \ \ (safe_formula (MFOTL.Neg \') \ MFOTL.fv \' \ MFOTL.fv \') + else \ = MFOTL.And_Not \' \' \ safe_formula \' \ MFOTL.fv \' \ MFOTL.fv \' \ + wf_mbuf2' \ j n R \' \' buf \ + wf_mformula \ j n R (MAnd \ pos \ buf) \" +| Or: "wf_mformula \ j n R \ \' \ wf_mformula \ j n R \ \' \ + MFOTL.fv \' = MFOTL.fv \' \ + wf_mbuf2' \ j n R \' \' buf \ + wf_mformula \ j n R (MOr \ \ buf) (MFOTL.Or \' \')" +| Exists: "wf_mformula \ j (Suc n) (lift_envs R) \ \' \ + wf_mformula \ j n R (MExists \) (MFOTL.Exists \')" +| Prev: "wf_mformula \ j n R \ \' \ + first \ j = 0 \ + list_all2 (\i. qtable n (MFOTL.fv \') (mem_restr R) (\v. MFOTL.sat \ (map the v) i \')) + [min (progress \ \' j) (j-1).. \' j] buf \ + list_all2 (\i t. t = \ \ i) [min (progress \ \' j) (j-1).. + wf_mformula \ j n R (MPrev I \ first buf nts) (MFOTL.Prev I \')" +| Next: "wf_mformula \ j n R \ \' \ + first \ progress \ \' j = 0 \ + list_all2 (\i t. t = \ \ i) [progress \ \' j - 1.. + wf_mformula \ j n R (MNext I \ first nts) (MFOTL.Next I \')" +| Since: "wf_mformula \ j n R \ \' \ wf_mformula \ j n R \ \' \ + if pos then \'' = \' else \'' = MFOTL.Neg \' \ + safe_formula \'' = pos \ + MFOTL.fv \' \ MFOTL.fv \' \ + wf_mbuf2' \ j n R \' \' buf \ + wf_ts \ j \' \' nts \ + wf_since_aux \ n R pos \' I \' aux (progress \ (MFOTL.Since \'' I \') j) \ + wf_mformula \ j n R (MSince pos \ I \ buf nts aux) (MFOTL.Since \'' I \')" +| Until: "wf_mformula \ j n R \ \' \ wf_mformula \ j n R \ \' \ + if pos then \'' = \' else \'' = MFOTL.Neg \' \ + safe_formula \'' = pos \ + MFOTL.fv \' \ MFOTL.fv \' \ + wf_mbuf2' \ j n R \' \' buf \ + wf_ts \ j \' \' nts \ + wf_until_aux \ n R pos \' I \' aux (progress \ (MFOTL.Until \'' I \') j) \ + progress \ (MFOTL.Until \'' I \') j + length aux = min (progress \ \' j) (progress \ \' j) \ + wf_mformula \ j n R (MUntil pos \ I \ buf nts aux) (MFOTL.Until \'' I \')" + +definition wf_mstate :: "'a MFOTL.formula \ 'a MFOTL.prefix \ 'a list set \ 'a mstate \ bool" where + "wf_mstate \ \ R st \ mstate_n st = MFOTL.nfv \ \ (\\. prefix_of \ \ \ + mstate_i st = progress \ \ (plen \) \ + wf_mformula \ (plen \) (mstate_n st) R (mstate_m st) \)" + + +subsubsection \Initialisation\ + +lemma minit0_And: "\ (safe_formula (MFOTL.Neg \) \ MFOTL.fv \ \ MFOTL.fv \) \ + minit0 n (MFOTL.And \ \) = MAnd (minit0 n \) True (minit0 n \) ([], [])" + unfolding MFOTL.And_def by simp + +lemma minit0_And_Not: "safe_formula \ \ MFOTL.fv \ \ MFOTL.fv \ \ + minit0 n (MFOTL.And_Not \ \) = (MAnd (minit0 n \) False (minit0 n \) ([], []))" + unfolding MFOTL.And_Not_def MFOTL.is_Neg_def by (simp split: formula.split) + +lemma wf_mbuf2'_0: "wf_mbuf2' \ 0 n R \ \ ([], [])" + unfolding wf_mbuf2'_def wf_mbuf2_def by simp + +lemma wf_ts_0: "wf_ts \ 0 \ \ []" + unfolding wf_ts_def by simp + +lemma wf_since_aux_Nil: "wf_since_aux \ n R pos \' I \' [] 0" + unfolding wf_since_aux_def by simp + +lemma wf_until_aux_Nil: "wf_until_aux \ n R pos \' I \' [] 0" + unfolding wf_until_aux_def by simp + +lemma wf_minit0: "safe_formula \ \ \x\MFOTL.fv \. x < n \ + wf_mformula \ 0 n R (minit0 n \) \" + by (induction arbitrary: n R rule: safe_formula_induct) + (auto simp add: minit0_And fvi_And minit0_And_Not fvi_And_Not + intro!: wf_mformula.intros wf_mbuf2'_0 wf_ts_0 wf_since_aux_Nil wf_until_aux_Nil + dest: fvi_Suc_bound) + +lemma wf_mstate_minit: "safe_formula \ \ wf_mstate \ pnil R (minit \)" + unfolding wf_mstate_def minit_def Let_def + by (auto intro!: wf_minit0 fvi_less_nfv) + + +subsubsection \Evaluation\ + +lemma match_wf_tuple: "Some f = match ts xs \ wf_tuple n (\t\set ts. MFOTL.fv_trm t) (tabulate f 0 n)" + by (induction ts xs arbitrary: f rule: match.induct) + (fastforce simp: wf_tuple_def split: if_splits option.splits)+ + +lemma match_fvi_trm_None: "Some f = match ts xs \ \t\set ts. x \ MFOTL.fv_trm t \ f x = None" + by (induction ts xs arbitrary: f rule: match.induct) (auto split: if_splits option.splits) + +lemma match_fvi_trm_Some: "Some f = match ts xs \ t \ set ts \ x \ MFOTL.fv_trm t \ f x \ None" + by (induction ts xs arbitrary: f rule: match.induct) (auto split: if_splits option.splits) + +lemma match_eval_trm: "\t\set ts. \i\MFOTL.fv_trm t. i < n \ Some f = match ts xs \ + map (MFOTL.eval_trm (tabulate (\i. the (f i)) 0 n)) ts = xs" +proof (induction ts xs arbitrary: f rule: match.induct) + case (3 x ts y ys) + from 3(1)[symmetric] 3(2,3) show ?case + by (auto 0 3 dest: match_fvi_trm_Some sym split: option.splits if_splits intro!: eval_trm_cong) +qed (auto split: if_splits) + +lemma wf_tuple_tabulate_Some: "wf_tuple n A (tabulate f 0 n) \ x \ A \ x < n \ \y. f x = Some y" + unfolding wf_tuple_def by auto + +lemma ex_match: "wf_tuple n (\t\set ts. MFOTL.fv_trm t) v \ \t\set ts. \x\MFOTL.fv_trm t. x < n \ + \f. match ts (map (MFOTL.eval_trm (map the v)) ts) = Some f \ v = tabulate f 0 n" +proof (induction ts "map (MFOTL.eval_trm (map the v)) ts" arbitrary: v rule: match.induct) + case (3 x ts y ys) + then show ?case + proof (cases "x \ (\t\set ts. MFOTL.fv_trm t)") + case True + with 3 show ?thesis + by (auto simp: insert_absorb dest!: wf_tuple_tabulate_Some meta_spec[of _ v]) + next + case False + with 3(3,4) have + *: "map (MFOTL.eval_trm (map the v)) ts = map (MFOTL.eval_trm (map the (v[x := None]))) ts" + by (auto simp: wf_tuple_def nth_list_update intro!: eval_trm_cong) + from False 3(2-4) obtain f where + "match ts (map (MFOTL.eval_trm (map the v)) ts) = Some f" "v[x := None] = tabulate f 0 n" + unfolding * + by (atomize_elim, intro 3(1)[of "v[x := None]"]) + (auto simp: wf_tuple_def nth_list_update intro!: eval_trm_cong) + moreover from False this have "f x = None" "length v = n" + by (auto dest: match_fvi_trm_None[OF sym] arg_cong[of _ _ length]) + ultimately show ?thesis using 3(3) + by (auto simp: list_eq_iff_nth_eq wf_tuple_def) + qed +qed (auto simp: wf_tuple_def intro: nth_equalityI) + +lemma eq_rel_eval_trm: "v \ eq_rel n t1 t2 \ MFOTL.is_Const t1 \ MFOTL.is_Const t2 \ + \x\MFOTL.fv_trm t1 \ MFOTL.fv_trm t2. x < n \ + MFOTL.eval_trm (map the v) t1 = MFOTL.eval_trm (map the v) t2" + by (cases t1; cases t2) (simp_all add: singleton_table_def split: if_splits) + +lemma in_eq_rel: "wf_tuple n (MFOTL.fv_trm t1 \ MFOTL.fv_trm t2) v \ + MFOTL.is_Const t1 \ MFOTL.is_Const t2 \ + MFOTL.eval_trm (map the v) t1 = MFOTL.eval_trm (map the v) t2 \ + v \ eq_rel n t1 t2" + by (cases t1; cases t2) + (auto simp: singleton_table_def wf_tuple_def unit_table_def intro!: nth_equalityI split: if_splits) + +lemma table_eq_rel: "MFOTL.is_Const t1 \ MFOTL.is_Const t2 \ + table n (MFOTL.fv_trm t1 \ MFOTL.fv_trm t2) (eq_rel n t1 t2)" + by (cases t1; cases t2; simp) + +lemma wf_tuple_Suc_fviD: "wf_tuple (Suc n) (MFOTL.fvi b \) v \ wf_tuple n (MFOTL.fvi (Suc b) \) (tl v)" + unfolding wf_tuple_def by (simp add: fvi_Suc nth_tl) + +lemma table_fvi_tl: "table (Suc n) (MFOTL.fvi b \) X \ table n (MFOTL.fvi (Suc b) \) (tl ` X)" + unfolding table_def by (auto intro: wf_tuple_Suc_fviD) + +lemma wf_tuple_Suc_fvi_SomeI: "0 \ MFOTL.fvi b \ \ wf_tuple n (MFOTL.fvi (Suc b) \) v \ + wf_tuple (Suc n) (MFOTL.fvi b \) (Some x # v)" + unfolding wf_tuple_def + by (auto simp: fvi_Suc less_Suc_eq_0_disj) + +lemma wf_tuple_Suc_fvi_NoneI: "0 \ MFOTL.fvi b \ \ wf_tuple n (MFOTL.fvi (Suc b) \) v \ + wf_tuple (Suc n) (MFOTL.fvi b \) (None # v)" + unfolding wf_tuple_def + by (auto simp: fvi_Suc less_Suc_eq_0_disj) + +lemma qtable_project_fv: "qtable (Suc n) (fv \) (mem_restr (lift_envs R)) P X \ + qtable n (MFOTL.fvi (Suc 0) \) (mem_restr R) + (\v. \x. P ((if 0 \ fv \ then Some x else None) # v)) (tl ` X)" + using neq0_conv by (fastforce simp: image_iff Bex_def fvi_Suc elim!: qtable_cong dest!: qtable_project) + +lemma mprev: "mprev_next I xs ts = (ys, xs', ts') \ + list_all2 P [i.. list_all2 (\i t. t = \ \ i) [i.. i \ j' \ i < j \ + list_all2 (\i X. if mem (\ \ (Suc i) - \ \ i) I then P i X else X = empty_table) + [i.. + list_all2 P [min j' (j-1).. + list_all2 (\i t. t = \ \ i) [min j' (j-1).. + list_all2 P [Suc i.. list_all2 (\i t. t = \ \ i) [i.. Suc i \ j' \ i < j \ + list_all2 (\i X. if mem (\ \ (Suc i) - \ \ i) I then P (Suc i) X else X = empty_table) + [i.. + list_all2 P [Suc (min (j'-1) (j-1)).. + list_all2 (\i t. t = \ \ i) [min (j'-1) (j-1).. A \ A \ set xs \ x \ foldr (\) xs {}" + by (induction xs) auto + +lemma in_foldr_UnE: "x \ foldr (\) xs {} \ (\A. A \ set xs \ x \ A \ P) \ P" + by (induction xs) auto + +lemma sat_the_restrict: "fv \ \ A \ MFOTL.sat \ (map the (restrict A v)) i \ = MFOTL.sat \ (map the v) i \" + by (rule sat_fvi_cong) (auto intro!: map_the_restrict) + +lemma update_since: + assumes pre: "wf_since_aux \ n R pos \ I \ aux ne" + and qtable1: "qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) ne \) rel1" + and qtable2: "qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) ne \) rel2" + and result_eq: "(rel, aux') = update_since I pos rel1 rel2 (\ \ ne) aux" + and fvi_subset: "MFOTL.fv \ \ MFOTL.fv \" + shows "wf_since_aux \ n R pos \ I \ aux' (Suc ne)" + and "qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) ne (Sincep pos \ I \)) rel" +proof - + let ?wf_tuple = "\v. wf_tuple n (MFOTL.fv \) v" + note sat.simps[simp del] + + define aux0 where "aux0 = [(t, join rel pos rel1). (t, rel) \ aux, \ \ ne - t \ right I]" + have sorted_aux0: "sorted_wrt (\x y. fst x > fst y) aux0" + using pre[unfolded wf_since_aux_def, THEN conjunct1] + unfolding aux0_def + by (induction aux) (auto simp add: sorted_wrt_append) + have in_aux0_1: "(t, X) \ set aux0 \ ne \ 0 \ t \ \ \ (ne-1) \ \ \ ne - t \ right I \ + (\i. \ \ i = t) \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. (MFOTL.sat \ (map the v) (ne-1) (Sincep pos \ (point (\ \ (ne-1) - t)) \) \ + (if pos then MFOTL.sat \ (map the v) ne \ else \ MFOTL.sat \ (map the v) ne \))) X" for t X + unfolding aux0_def using fvi_subset + by (auto 0 1 elim!: qtable_join[OF _ qtable1] simp: sat_the_restrict + dest!: assms(1)[unfolded wf_since_aux_def, THEN conjunct2, THEN conjunct1, rule_format]) + then have in_aux0_le_\: "(t, X) \ set aux0 \ t \ \ \ ne" for t X + by (meson \_mono diff_le_self le_trans) + have in_aux0_2: "ne \ 0 \ t \ \ \ (ne-1) \ \ \ ne - t \ right I \ \i. \ \ i = t \ + \X. (t, X) \ set aux0" for t + proof - + fix t + assume "ne \ 0" "t \ \ \ (ne-1)" "\ \ ne - t \ right I" "\i. \ \ i = t" + then obtain X where "(t, X) \ set aux" + by (atomize_elim, intro assms(1)[unfolded wf_since_aux_def, THEN conjunct2, THEN conjunct2, rule_format]) + (auto simp: gr0_conv_Suc elim!: order_trans[rotated] intro!: diff_le_mono \_mono) + with \\ \ ne - t \ right I\ have "(t, join X pos rel1) \ set aux0" + unfolding aux0_def by (auto elim!: bexI[rotated] intro!: exI[of _ X]) + then show "\X. (t, X) \ set aux0" + by blast + qed + have aux0_Nil: "aux0 = [] \ ne = 0 \ ne \ 0 \ (\t. t \ \ \ (ne-1) \ \ \ ne - t \ right I \ + (\i. \ \ i = t))" + using in_aux0_2 by (cases "ne = 0") (auto) + + have aux'_eq: "aux' = (case aux0 of + [] \ [(\ \ ne, rel2)] + | x # aux' \ (if fst x = \ \ ne then (fst x, snd x \ rel2) # aux' else (\ \ ne, rel2) # x # aux'))" + using result_eq unfolding aux0_def update_since_def Let_def by simp + have sorted_aux': "sorted_wrt (\x y. fst x > fst y) aux'" + unfolding aux'_eq + using sorted_aux0 in_aux0_le_\ by (cases aux0) (fastforce)+ + have in_aux'_1: "t \ \ \ ne \ \ \ ne - t \ right I \ (\i. \ \ i = t) \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) ne (Sincep pos \ (point (\ \ ne - t)) \)) X" + if aux': "(t, X) \ set aux'" for t X + proof (cases aux0) + case Nil + with aux' show ?thesis + unfolding aux'_eq using qtable2 aux0_Nil + by (auto simp: zero_enat_def[symmetric] sat_Since_rec[where i=ne] + dest: spec[of _ "\ \ (ne-1)"] elim!: qtable_cong[OF _ refl]) + next + case (Cons a as) + show ?thesis + proof (cases "t = \ \ ne") + case t: True + show ?thesis + proof (cases "fst a = \ \ ne") + case True + with aux' Cons t have "X = snd a \ rel2" + unfolding aux'_eq using sorted_aux0 by auto + moreover from in_aux0_1[of "fst a" "snd a"] Cons have "ne \ 0" + "fst a \ \ \ (ne - 1)" "\ \ ne - fst a \ right I" "\i. \ \ i = fst a" + "qtable n (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) (ne - 1) + (Sincep pos \ (point (\ \ (ne - 1) - fst a)) \) \ (if pos then MFOTL.sat \ (map the v) ne \ + else \ MFOTL.sat \ (map the v) ne \)) (snd a)" + by auto + ultimately show ?thesis using qtable2 t True + by (auto simp: sat_Since_rec[where i=ne] sat.simps(3) elim!: qtable_union) + next + case False + with aux' Cons t have "X = rel2" + unfolding aux'_eq using sorted_aux0 in_aux0_le_\[of "fst a" "snd a"] by auto + with aux' Cons t False show ?thesis + unfolding aux'_eq using qtable2 in_aux0_2[of "\ \ (ne-1)"] in_aux0_le_\[of "fst a" "snd a"] sorted_aux0 + by (auto simp: sat_Since_rec[where i=ne] sat.simps(3) zero_enat_def[symmetric] enat_0_iff not_le + elim!: qtable_cong[OF _ refl] dest!: le_\_less meta_mp) + qed + next + case False + with aux' Cons have "(t, X) \ set aux0" + unfolding aux'_eq by (auto split: if_splits) + then have "ne \ 0" "t \ \ \ (ne - 1)" "\ \ ne - t \ right I" "\i. \ \ i = t" + "qtable n (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) (ne - 1) (Sincep pos \ (point (\ \ (ne - 1) - t)) \) \ + (if pos then MFOTL.sat \ (map the v) ne \ else \ MFOTL.sat \ (map the v) ne \)) X" + using in_aux0_1 by blast+ + with False aux' Cons show ?thesis + unfolding aux'_eq using qtable2 + by (fastforce simp: sat_Since_rec[where i=ne] sat.simps(3) + diff_diff_right[where i="\ \ ne" and j="\ \ _ + \ \ ne" and k="\ \ (ne - 1)", + OF trans_le_add2, simplified] elim!: qtable_cong[OF _ refl] order_trans dest: le_\_less) + qed + qed + + have in_aux'_2: "\X. (t, X) \ set aux'" if "t \ \ \ ne" "\ \ ne - t \ right I" "\i. \ \ i = t" for t + proof (cases "t = \ \ ne") + case True + then show ?thesis + proof (cases aux0) + case Nil + with True show ?thesis unfolding aux'_eq by simp + next + case (Cons a as) + with True show ?thesis unfolding aux'_eq + by (cases "fst a = \ \ ne") auto + qed + next + case False + with that have "ne \ 0" + using le_\_less neq0_conv by blast + moreover from False that have "t \ \ \ (ne-1)" + by (metis One_nat_def Suc_leI Suc_pred \_mono diff_is_0_eq' order.antisym neq0_conv not_le) + ultimately obtain X where "(t, X) \ set aux0" using \\ \ ne - t \ right I\ \\i. \ \ i = t\ + by atomize_elim (auto intro!: in_aux0_2) + then show ?thesis unfolding aux'_eq using False + by (auto intro: exI[of _ X] split: list.split) + qed + + show "wf_since_aux \ n R pos \ I \ aux' (Suc ne)" + unfolding wf_since_aux_def + by (auto dest: in_aux'_1 intro: sorted_aux' in_aux'_2) + + have rel_eq: "rel = foldr (\) [rel. (t, rel) \ aux', left I \ \ \ ne - t] {}" + unfolding aux'_eq aux0_def + using result_eq by (simp add: update_since_def Let_def) + have rel_alt: "rel = (\(t, rel) \ set aux'. if left I \ \ \ ne - t then rel else empty_table)" + unfolding rel_eq + by (auto elim!: in_foldr_UnE bexI[rotated] intro!: in_foldr_UnI) + show "qtable n (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) ne (Sincep pos \ I \)) rel" + unfolding rel_alt + proof (rule qtable_Union[where Qi="\(t, X) v. + left I \ \ \ ne - t \ MFOTL.sat \ (map the v) ne (Sincep pos \ (point (\ \ ne - t)) \)"], + goal_cases finite qtable equiv) + case (equiv v) + show ?case + proof (rule iffI, erule sat_Since_point, goal_cases left right) + case (left j) + then show ?case using in_aux'_2[of "\ \ j", OF _ _ exI, OF _ _ refl] by auto + next + case right + then show ?case by (auto elim!: sat_Since_pointD dest: in_aux'_1) + qed + qed (auto dest!: in_aux'_1 intro!: qtable_empty) +qed + +lemma length_update_until: "length (update_until pos I rel1 rel2 nt aux) = Suc (length aux)" + unfolding update_until_def by simp + +lemma wf_update_until: + assumes pre: "wf_until_aux \ n R pos \ I \ aux ne" + and qtable1: "qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) (ne + length aux) \) rel1" + and qtable2: "qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) (ne + length aux) \) rel2" + and fvi_subset: "MFOTL.fv \ \ MFOTL.fv \" + shows "wf_until_aux \ n R pos \ I \ (update_until I pos rel1 rel2 (\ \ (ne + length aux)) aux) ne" + unfolding wf_until_aux_def length_update_until + unfolding update_until_def list.rel_map add_Suc_right upt.simps eqTrueI[OF le_add1] if_True +proof (rule list_all2_appendI, unfold list.rel_map, goal_cases old new) + case old + show ?case + proof (rule list.rel_mono_strong[OF assms(1)[unfolded wf_until_aux_def]]; safe, goal_cases mono1 mono2) + case (mono1 i X Y v) + then show ?case + by (fastforce simp: sat_the_restrict less_Suc_eq + elim!: qtable_join[OF _ qtable1] qtable_union[OF _ qtable1]) + next + case (mono2 i X Y v) + then show ?case using fvi_subset + by (auto 0 3 simp: sat_the_restrict less_Suc_eq split: if_splits + elim!: qtable_union[OF _ qtable_join_fixed[OF qtable2]] + elim: qtable_cong[OF _ refl] intro: exI[of _ "ne + length aux"]) (* slow 8 sec*) + qed +next + case new + then show ?case + by (auto intro!: qtable_empty qtable1 qtable2[THEN qtable_cong] exI[of _ "ne + length aux"] + simp: less_Suc_eq zero_enat_def[symmetric]) +qed + +lemma wf_until_aux_Cons: "wf_until_aux \ n R pos \ I \ (a # aux) ne \ + wf_until_aux \ n R pos \ I \ aux (Suc ne)" + unfolding wf_until_aux_def + by (simp add: upt_conv_Cons del: upt_Suc cong: if_cong) + +lemma wf_until_aux_Cons1: "wf_until_aux \ n R pos \ I \ ((t, a1, a2) # aux) ne \ t = \ \ ne" + unfolding wf_until_aux_def + by (simp add: upt_conv_Cons del: upt_Suc) + +lemma wf_until_aux_Cons3: "wf_until_aux \ n R pos \ I \ ((t, a1, a2) # aux) ne \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. (\j. ne \ j \ j < Suc (ne + length aux) \ mem (\ \ j - \ \ ne) I \ + MFOTL.sat \ (map the v) j \ \ (\k\{ne.. (map the v) k \ else \ MFOTL.sat \ (map the v) k \))) a2" + unfolding wf_until_aux_def + by (simp add: upt_conv_Cons del: upt_Suc) + +lemma upt_append: "a \ b \ b \ c \ [a.. ja'" "jb \ jb'" + shows "wf_mbuf2 i ja' jb' P Q (mbuf2_add xs ys buf)" + using assms unfolding wf_mbuf2_def + by (auto 0 3 simp: list_all2_append2 upt_append dest: list_all2_lengthD + intro: exI[where x="[i..i z. \x y. P i x \ Q i y \ z = f x y) [i.. j" "jb \ j" + shows "wf_mbuf2 (min ja jb) ja jb P Q buf'" + and "list_all2 R [min ja jb.. j" "jb \ j" + and "U i z" + and "\k x y t z. i \ k \ Suc k \ ja \ Suc k \ jb \ + P k x \ Q k y \ R k t \ U k z \ U (Suc k) (f x y t z)" + shows "U (min ja jb) z'" + using assms unfolding wf_mbuf2_def + by (induction f z buf nts arbitrary: i z' buf' nts' rule: mbuf2t_take.induct) + (auto simp add: list_all2_Cons2 upt_eq_Cons_conv less_eq_Suc_le min_absorb1 min_absorb2 + elim!: arg_cong2[of _ _ _ _ U, OF _ refl, THEN iffD1, rotated] split: prod.split) + +lemma mbuf2_take_add': + assumes eq: "mbuf2_take f (mbuf2_add xs ys buf) = (zs, buf')" + and pre: "wf_mbuf2' \ j n R \ \ buf" + and xs: "list_all2 (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] xs" + and ys: "list_all2 (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] ys" + and "j \ j'" + shows "wf_mbuf2' \ j' n R \ \ buf'" + and "list_all2 (\i Z. \X Y. + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \) X \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \) Y \ + Z = f X Y) + [min (progress \ \ j) (progress \ \ j).. \ j') (progress \ \ j')] zs" + using pre unfolding wf_mbuf2'_def + by (force intro!: mbuf2_take_eqD[OF eq] wf_mbuf2_add[OF _ xs ys] progress_mono[OF \j \ j'\])+ + +lemma mbuf2t_take_add': + assumes eq: "mbuf2t_take f z (mbuf2_add xs ys buf) nts = (z', buf', nts')" + and pre_buf: "wf_mbuf2' \ j n R \ \ buf" + and pre_nts: "list_all2 (\i t. t = \ \ i) [min (progress \ \ j) (progress \ \ j)..i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] xs" + and ys: "list_all2 (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] ys" + and "j \ j'" + shows "wf_mbuf2' \ j' n R \ \ buf'" + and "wf_ts \ j' \ \ nts'" + using pre_buf pre_nts unfolding wf_mbuf2'_def wf_ts_def + by (blast intro!: mbuf2t_take_eqD[OF eq] wf_mbuf2_add[OF _ xs ys] progress_mono[OF \j \ j'\] + progress_le)+ + +lemma mbuf2t_take_add_induct'[consumes 6, case_names base step]: + assumes eq: "mbuf2t_take f z (mbuf2_add xs ys buf) nts = (z', buf', nts')" + and pre_buf: "wf_mbuf2' \ j n R \ \ buf" + and pre_nts: "list_all2 (\i t. t = \ \ i) [min (progress \ \ j) (progress \ \ j)..i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] xs" + and ys: "list_all2 (\i. qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ j.. \ j'] ys" + and "j \ j'" + and base: "U (min (progress \ \ j) (progress \ \ j)) z" + and step: "\k X Y z. min (progress \ \ j) (progress \ \ j) \ k \ + Suc k \ progress \ \ j' \ Suc k \ progress \ \ j' \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) k \) X \ + qtable n (MFOTL.fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) k \) Y \ + U k z \ U (Suc k) (f X Y (\ \ k) z)" + shows "U (min (progress \ \ j') (progress \ \ j')) z'" + using pre_buf pre_nts unfolding wf_mbuf2'_def wf_ts_def + by (blast intro!: mbuf2t_take_induct[OF eq] wf_mbuf2_add[OF _ xs ys] progress_mono[OF \j \ j'\] + progress_le base step) + +lemma progress_Until_le: "progress \ (formula.Until \ I \) j \ min (progress \ \ j) (progress \ \ j)" + by (cases "right I") (auto simp: trans_le_add1 intro!: cInf_lower) + +lemma list_all2_upt_Cons: "P a x \ list_all2 P [Suc a.. Suc a \ b \ + list_all2 P [a.. list_all2 P [b.. + a \ b \ b \ c \ list_all2 P [a.. j n R \ \'" + shows "case meval n (\ \ j) (\ \ j) \ of (xs, \\<^sub>n) \ wf_mformula \ (Suc j) n R \\<^sub>n \' \ + list_all2 (\i. qtable n (MFOTL.fv \') (mem_restr R) (\v. MFOTL.sat \ (map the v) i \')) + [progress \ \' j.. \' (Suc j)] xs" +using assms proof (induction \ arbitrary: n R \') + case (MRel rel) + then show ?case + by (cases pred: wf_mformula) + (auto simp add: ball_Un intro: wf_mformula.intros qtableI table_eq_rel eq_rel_eval_trm + in_eq_rel qtable_empty qtable_unit_table) +next + case (MPred e ts) + then show ?case + by (cases pred: wf_mformula) + (auto 0 4 simp: table_def in_these_eq match_wf_tuple match_eval_trm image_iff dest: ex_match + split: if_splits intro!: wf_mformula.intros qtableI elim!: bexI[rotated]) +next + case (MAnd \ pos \ buf) + from MAnd.prems show ?case + by (cases pred: wf_mformula) + (auto simp: fvi_And sat_And fvi_And_Not sat_And_Not sat_the_restrict + dest!: MAnd.IH split: if_splits prod.splits intro!: wf_mformula.And qtable_join + dest: mbuf2_take_add' elim!: list.rel_mono_strong) +next + case (MOr \ \ buf) + from MOr.prems show ?case + by (cases pred: wf_mformula) + (auto dest!: MOr.IH split: if_splits prod.splits intro!: wf_mformula.Or qtable_union + dest: mbuf2_take_add' elim!: list.rel_mono_strong) +next + case (MExists \) + from MExists.prems show ?case + by (cases pred: wf_mformula) + (force simp: list.rel_map fvi_Suc sat_fvi_cong nth_Cons' + intro!: wf_mformula.Exists dest!: MExists.IH qtable_project_fv + elim!: list.rel_mono_strong table_fvi_tl qtable_cong sat_fvi_cong[THEN iffD1, rotated -1] + split: if_splits)+ +next + case (MPrev I \ first buf nts) + from MPrev.prems show ?case + proof (cases pred: wf_mformula) + case (Prev \) + let ?xs = "fst (meval n (\ \ j) (\ \ j) \)" + let ?\ = "snd (meval n (\ \ j) (\ \ j) \)" + let ?ls = "fst (mprev_next I (buf @ ?xs) (nts @ [\ \ j]))" + let ?rs = "fst (snd (mprev_next I (buf @ ?xs) (nts @ [\ \ j])))" + let ?ts = "snd (snd (mprev_next I (buf @ ?xs) (nts @ [\ \ j])))" + let ?P = "\i X. qtable n (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \) X" + let ?min = "min (progress \ \ (Suc j)) (Suc j - 1)" + from Prev MPrev.IH[of n R \] have IH: "wf_mformula \ (Suc j) n R ?\ \" and + "list_all2 ?P [progress \ \ j.. \ (Suc j)] ?xs" by auto + with Prev(4,5) have "list_all2 (\i X. if mem (\ \ (Suc i) - \ \ i) I then ?P i X else X = empty_table) + [min (progress \ \ j) (j - 1).. + list_all2 ?P [?min.. \ (Suc j)] ?rs \ + list_all2 (\i t. t = \ \ i) [?min.. \ j)) j = Suc (min (progress \ \ j) (j-1))" if "j > 0" + using that by auto + ultimately show ?thesis using progress_mono[of j "Suc j" \ \] Prev(1,3) IH + by (auto simp: map_Suc_upt[symmetric] upt_Suc[of 0] list.rel_map qtable_empty_iff + simp del: upt_Suc elim!: wf_mformula.Prev list.rel_mono_strong + split: prod.split if_split_asm) + qed simp +next + case (MNext I \ first nts) + from MNext.prems show ?case + proof (cases pred: wf_mformula) + case (Next \) + + have min[simp]: + "min (progress \ \ j - Suc 0) (j - Suc 0) = progress \ \ j - Suc 0" + "min (progress \ \ (Suc j) - Suc 0) j = progress \ \ (Suc j) - Suc 0" for j + using progress_le[of \ \ j] progress_le[of \ \ "Suc j"] by auto + + let ?xs = "fst (meval n (\ \ j) (\ \ j) \)" + let ?ys = "case (?xs, first) of (_ # xs, True) \ xs | _ \ ?xs" + let ?\ = "snd (meval n (\ \ j) (\ \ j) \)" + let ?ls = "fst (mprev_next I ?ys (nts @ [\ \ j]))" + let ?rs = "fst (snd (mprev_next I ?ys (nts @ [\ \ j])))" + let ?ts = "snd (snd (mprev_next I ?ys (nts @ [\ \ j])))" + let ?P = "\i X. qtable n (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \) X" + let ?min = "min (progress \ \ (Suc j) - 1) (Suc j - 1)" + from Next MNext.IH[of n R \] have IH: "wf_mformula \ (Suc j) n R ?\ \" + "list_all2 ?P [progress \ \ j.. \ (Suc j)] ?xs" by auto + with Next have "list_all2 (\i X. if mem (\ \ (Suc i) - \ \ i) I then ?P (Suc i) X else X = empty_table) + [progress \ \ j - 1.. + list_all2 ?P [Suc ?min.. \ (Suc j)] ?rs \ + list_all2 (\i t. t = \ \ i) [?min.. \ j < progress \ \ (Suc j)" + using progress_le[of \ \ j] that + by (intro mnext) + (auto simp: progress_mono list_all2_Cons2 upt_eq_Cons_conv + intro!: list_all2_upt_append list_all2_appendI split: list.splits) + then show ?thesis using progress_mono[of j "Suc j" \ \] progress_le[of \ \ "Suc j"] Next IH + by (cases "progress \ \ (Suc j) > progress \ \ j") + (auto 0 3 simp: qtable_empty_iff le_Suc_eq le_diff_conv + elim!: wf_mformula.Next list.rel_mono_strong list_all2_appendI + split: prod.split list.splits if_split_asm) (* slow 5 sec*) + qed simp +next + case (MSince pos \ I \ buf nts aux) + note sat.simps[simp del] + from MSince.prems obtain \'' \''' \'' where Since_eq: "\' = MFOTL.Since \''' I \''" + and pos: "if pos then \''' = \'' else \''' = MFOTL.Neg \''" + and pos_eq: "safe_formula \''' = pos" + and \: "wf_mformula \ j n R \ \''" + and \: "wf_mformula \ j n R \ \''" + and fvi_subset: "MFOTL.fv \'' \ MFOTL.fv \''" + and buf: "wf_mbuf2' \ j n R \'' \'' buf" + and nts: "wf_ts \ j \'' \'' nts" + and aux: "wf_since_aux \ n R pos \'' I \'' aux (progress \ (formula.Since \''' I \'') j)" + by (cases pred: wf_mformula) (auto) + have \''': "MFOTL.fv \''' = MFOTL.fv \''" "progress \ \''' j = progress \ \'' j" for j + using pos by (simp_all split: if_splits) + have nts_snoc: "list_all2 (\i t. t = \ \ i) + [min (progress \ \'' j) (progress \ \'' j).. \ j])" + using nts unfolding wf_ts_def + by (auto simp add: progress_le[THEN min.coboundedI1] intro: list_all2_appendI) + have update: "wf_since_aux \ n R pos \'' I \'' (snd (zs, aux')) (progress \ (formula.Since \''' I \'') (Suc j)) \ + list_all2 (\i. qtable n (MFOTL.fv \''' \ MFOTL.fv \'') (mem_restr R) + (\v. MFOTL.sat \ (map the v) i (formula.Since \''' I \''))) + [progress \ (formula.Since \''' I \'') j.. (formula.Since \''' I \'') (Suc j)] (fst (zs, aux'))" + if eval_\: "fst (meval n (\ \ j) (\ \ j) \) = xs" + and eval_\: "fst (meval n (\ \ j) (\ \ j) \) = ys" + and eq: "mbuf2t_take (\r1 r2 t (zs, aux). + case update_since I pos r1 r2 t aux of (z, x) \ (zs @ [z], x)) + ([], aux) (mbuf2_add xs ys buf) (nts @ [\ \ j]) = ((zs, aux'), buf', nts')" + for xs ys zs aux' buf' nts' + unfolding progress.simps \''' + proof (rule mbuf2t_take_add_induct'[where j'="Suc j" and z'="(zs, aux')", OF eq buf nts_snoc], + goal_cases xs ys _ base step) + case xs + then show ?case + using MSince.IH(1)[OF \] eval_\ by auto + next + case ys + then show ?case + using MSince.IH(2)[OF \] eval_\ by auto + next + case base + then show ?case + using aux by (simp add: \''') + next + case (step k X Y z) + then show ?case + using fvi_subset pos + by (auto simp: Un_absorb1 elim!: update_since(1) list_all2_appendI dest!: update_since(2) + split: prod.split if_splits) + qed simp + with MSince.IH(1)[OF \] MSince.IH(2)[OF \] show ?case + by (auto 0 3 simp: Since_eq split: prod.split + intro: wf_mformula.Since[OF _ _ pos pos_eq fvi_subset] + elim: mbuf2t_take_add'(1)[OF _ buf nts_snoc] mbuf2t_take_add'(2)[OF _ buf nts_snoc]) +next + case (MUntil pos \ I \ buf nts aux) + note sat.simps[simp del] progress.simps[simp del] + from MUntil.prems obtain \'' \''' \'' where Until_eq: "\' = MFOTL.Until \''' I \''" + and pos: "if pos then \''' = \'' else \''' = MFOTL.Neg \''" + and pos_eq: "safe_formula \''' = pos" + and \: "wf_mformula \ j n R \ \''" + and \: "wf_mformula \ j n R \ \''" + and fvi_subset: "MFOTL.fv \'' \ MFOTL.fv \''" + and buf: "wf_mbuf2' \ j n R \'' \'' buf" + and nts: "wf_ts \ j \'' \'' nts" + and aux: "wf_until_aux \ n R pos \'' I \'' aux (progress \ (formula.Until \''' I \'') j)" + and length_aux: "progress \ (formula.Until \''' I \'') j + length aux = + min (progress \ \'' j) (progress \ \'' j)" + by (cases pred: wf_mformula) (auto) + have \''': "progress \ \''' j = progress \ \'' j" for j + using pos by (simp_all add: progress.simps split: if_splits) + have nts_snoc: "list_all2 (\i t. t = \ \ i) + [min (progress \ \'' j) (progress \ \'' j).. \ j])" + using nts unfolding wf_ts_def + by (auto simp add: progress_le[THEN min.coboundedI1] intro: list_all2_appendI) + { + fix xs ys zs aux' aux'' buf' nts' + assume eval_\: "fst (meval n (\ \ j) (\ \ j) \) = xs" + and eval_\: "fst (meval n (\ \ j) (\ \ j) \) = ys" + and eq1: "mbuf2t_take (update_until I pos) aux (mbuf2_add xs ys buf) (nts @ [\ \ j]) = + (aux', buf', nts')" + and eq2: "eval_until I (case nts' of [] \ \ \ j | nt # _ \ nt) aux' = (zs, aux'')" + have update1: "wf_until_aux \ n R pos \'' I \'' aux' (progress \ (formula.Until \''' I \'') j) \ + progress \ (formula.Until \''' I \'') j + length aux' = + min (progress \ \''' (Suc j)) (progress \ \'' (Suc j))" + using MUntil.IH(1)[OF \] eval_\ MUntil.IH(2)[OF \] + eval_\ nts_snoc nts_snoc length_aux aux fvi_subset + unfolding \''' + by (elim mbuf2t_take_add_induct'[where j'="Suc j", OF eq1 buf]) + (auto simp: length_update_until elim: wf_update_until) + have nts': "wf_ts \ (Suc j) \'' \'' nts'" + using MUntil.IH(1)[OF \] eval_\ MUntil.IH(2)[OF \] eval_\ nts_snoc + unfolding wf_ts_def + by (intro mbuf2t_take_eqD(2)[OF eq1]) (auto simp: progress_mono progress_le + intro: wf_mbuf2_add buf[unfolded wf_mbuf2'_def]) + have "i \ progress \ (formula.Until \''' I \'') (Suc j) \ + wf_until_aux \ n R pos \'' I \'' aux' i \ + i + length aux' = min (progress \ \''' (Suc j)) (progress \ \'' (Suc j)) \ + wf_until_aux \ n R pos \'' I \'' aux'' (progress \ (formula.Until \''' I \'') (Suc j)) \ + i + length zs = progress \ (formula.Until \''' I \'') (Suc j) \ + i + length zs + length aux'' = min (progress \ \''' (Suc j)) (progress \ \'' (Suc j)) \ + list_all2 (\i. qtable n (MFOTL.fv \'') (mem_restr R) + (\v. MFOTL.sat \ (map the v) i (formula.Until (if pos then \'' else MFOTL.Neg \'') I \''))) + [i.. n R pos \'' I \'' aux' (Suc i)" + by (rule wf_until_aux_Cons) + from Cons.prems(2) have 1: "t = \ \ i" + unfolding \a = (t, a1, a2)\ by (rule wf_until_aux_Cons1) + from Cons.prems(2) have 3: "qtable n (MFOTL.fv \'') (mem_restr R) (\v. + (\j\i. j < Suc (i + length aux') \ mem (\ \ j - \ \ i) I \ MFOTL.sat \ (map the v) j \'' \ + (\k\{i.. (map the v) k \'' else \ MFOTL.sat \ (map the v) k \''))) a2" + unfolding \a = (t, a1, a2)\ by (rule wf_until_aux_Cons3) + from Cons.prems(3) have Suc_i_aux': "Suc i + length aux' = + min (progress \ \''' (Suc j)) (progress \ \'' (Suc j))" + by simp + have "i \ progress \ (formula.Until \''' I \'') (Suc j)" + if "enat (case nts' of [] \ \ \ j | nt # x \ nt) \ enat t + right I" + using that nts' unfolding wf_ts_def progress.simps + by (auto simp add: 1 list_all2_Cons2 upt_eq_Cons_conv \''' + intro!: cInf_lower \_mono elim!: order.trans[rotated] simp del: upt_Suc split: if_splits list.splits) + moreover + have "Suc i \ progress \ (formula.Until \''' I \'') (Suc j)" + if "enat t + right I < enat (case nts' of [] \ \ \ j | nt # x \ nt)" + proof - + from that obtain m where m: "right I = enat m" by (cases "right I") auto + have \_min: "\ \ (min j k) = min (\ \ j) (\ \ k)" for k + by (simp add: min_of_mono monoI) + have le_progress_iff[simp]: "i \ progress \ \ i \ progress \ \ i = i" for \ i + using progress_le[of \ \ i] by auto + have min_Suc[simp]: "min j (Suc j) = j" by auto + let ?X = "{i. \k. k < Suc j \ k \min (progress \ \''' (Suc j)) (progress \ \'' (Suc j)) \ enat (\ \ k) \ enat (\ \ i) + right I}" + let ?min = "min j (min (progress \ \'' (Suc j)) (progress \ \'' (Suc j)))" + have "\ \ ?min \ \ \ j" + by (rule \_mono) auto + from m have "?X \ {}" + by (auto dest!: \_mono[of _ "progress \ \'' (Suc j)" \] + simp: not_le not_less \''' intro!: exI[of _ "progress \ \'' (Suc j)"]) + thm less_le_trans[of "\ \ i + m" "\ \ _" "\ \ _ + m"] + from m show ?thesis + using that nts' unfolding wf_ts_def progress.simps + by (intro cInf_greatest[OF \?X \ {}\]) + (auto simp: 1 \''' not_le not_less list_all2_Cons2 upt_eq_Cons_conv less_Suc_eq + simp del: upt_Suc split: list.splits if_splits + dest!: spec[of _ "?min"] less_le_trans[of "\ \ i + m" "\ \ _" "\ \ _ + m"] less_\D) + qed + moreover have *: "k < progress \ \ (Suc j)" if + "enat (\ \ i) + right I < enat (case nts' of [] \ \ \ j | nt # x \ nt)" + "enat (\ \ k - \ \ i) \ right I" "\ = \'' \ \ = \''" for k \ + proof - + from that(1,2) obtain m where "right I = enat m" + "\ \ i + m < (case nts' of [] \ \ \ j | nt # x \ nt)" "\ \ k - \ \ i \ m" + by (cases "right I") auto + with that(3) nts' progress_le[of \ \'' "Suc j"] progress_le[of \ \'' "Suc j"] + show ?thesis + unfolding wf_ts_def le_diff_conv + by (auto simp: not_le list_all2_Cons2 upt_eq_Cons_conv less_Suc_eq add.commute + simp del: upt_Suc split: list.splits if_splits dest!: le_less_trans[of "\ \ k"] less_\D) + qed + ultimately show ?case using Cons.prems Suc_i_aux'[simplified] + unfolding \a = (t, a1, a2)\ + by (auto simp: \''' 1 sat.simps upt_conv_Cons dest!: Cons.IH[OF _ aux' Suc_i_aux'] + simp del: upt_Suc split: if_splits prod.splits intro!: iff_exI qtable_cong[OF 3 refl]) + qed + note this[OF progress_mono[OF le_SucI, OF order.refl] conjunct1[OF update1] conjunct2[OF update1]] + } + note update = this + from MUntil.IH(1)[OF \] MUntil.IH(2)[OF \] pos pos_eq fvi_subset show ?case + by (auto 0 4 simp: Until_eq \''' progress.simps(3) split: prod.split if_splits + dest!: update[OF refl refl, rotated] + intro!: wf_mformula.Until + elim!: list.rel_mono_strong qtable_cong + elim: mbuf2t_take_add'(1)[OF _ buf nts_snoc] mbuf2t_take_add'(2)[OF _ buf nts_snoc]) +qed + + +subsubsection \Monitor Step\ + +lemma wf_mstate_mstep: "wf_mstate \ \ R st \ last_ts \ \ snd tdb \ + wf_mstate \ (psnoc \ tdb) R (snd (mstep tdb st))" + unfolding wf_mstate_def mstep_def Let_def + by (fastforce simp add: progress_mono le_imp_diff_is_add split: prod.splits + elim!: prefix_of_psnocE dest: meval list_all2_lengthD) + +lemma mstep_output_iff: + assumes "wf_mstate \ \ R st" "last_ts \ \ snd tdb" "prefix_of (psnoc \ tdb) \" "mem_restr R v" + shows "(i, v) \ fst (mstep tdb st) \ + progress \ \ (plen \) \ i \ i < progress \ \ (Suc (plen \)) \ + wf_tuple (MFOTL.nfv \) (MFOTL.fv \) v \ MFOTL.sat \ (map the v) i \" +proof - + from prefix_of_psnocE[OF assms(3,2)] have "prefix_of \ \" + "\ \ (plen \) = fst tdb" "\ \ (plen \) = snd tdb" by auto + moreover from assms(1) \prefix_of \ \\ have "mstate_n st = MFOTL.nfv \" + "mstate_i st = progress \ \ (plen \)" "wf_mformula \ (plen \) (mstate_n st) R (mstate_m st) \" + unfolding wf_mstate_def by blast+ + moreover from meval[OF \wf_mformula \ (plen \) (mstate_n st) R (mstate_m st) \\] obtain Vs st' where + "meval (mstate_n st) (\ \ (plen \)) (\ \ (plen \)) (mstate_m st) = (Vs, st')" + "wf_mformula \ (Suc (plen \)) (mstate_n st) R st' \" + "list_all2 (\i. qtable (mstate_n st) (fv \) (mem_restr R) (\v. MFOTL.sat \ (map the v) i \)) + [progress \ \ (plen \).. \ (Suc (plen \))] Vs" by blast + moreover from this assms(4) have "qtable (mstate_n st) (fv \) (mem_restr R) + (\v. MFOTL.sat \ (map the v) i \) (Vs ! (i - progress \ \ (plen \)))" + if "progress \ \ (plen \) \ i" "i < progress \ \ (Suc (plen \))" + using that by (auto simp: list_all2_conv_all_nth + dest!: spec[of _ "(i - progress \ \ (plen \))"]) + ultimately show ?thesis + using assms(4) unfolding mstep_def Let_def + by (auto simp: in_set_enumerate_eq list_all2_conv_all_nth progress_mono le_imp_diff_is_add + elim!: in_qtableE in_qtableI intro!: bexI[of _ "(i, Vs ! (i - progress \ \ (plen \)))"]) +qed + + +subsubsection \Monitor Function\ + +definition minit_safe where + "minit_safe \ = (if mmonitorable_exec \ then minit \ else undefined)" + +lemma minit_safe_minit: "mmonitorable \ \ minit_safe \ = minit \" + unfolding minit_safe_def monitorable_formula_code by simp + +lemma mstep_mverdicts: + assumes wf: "wf_mstate \ \ R st" + and le[simp]: "last_ts \ \ snd tdb" + and restrict: "mem_restr R v" + shows "(i, v) \ fst (mstep tdb st) \ (i, v) \ mverdicts \ (psnoc \ tdb) - mverdicts \ \" +proof - + obtain \ where p2: "prefix_of (psnoc \ tdb) \" + using ex_prefix_of by blast + with le have p1: "prefix_of \ \" by (blast elim!: prefix_of_psnocE) + show ?thesis + unfolding verimon.verdicts_def + by (auto 0 3 simp: p2 progress_prefix_conv[OF _ p1] sat_prefix_conv[OF _ p1] not_less + dest: mstep_output_iff[OF wf le p2 restrict, THEN iffD1] spec[of _ \] + mstep_output_iff[OF wf le _ restrict, THEN iffD1] verimon.progress_sat_cong[OF p1] + intro: mstep_output_iff[OF wf le p2 restrict, THEN iffD2] p1) +qed + +primrec msteps0 where + "msteps0 [] st = ({}, st)" +| "msteps0 (tdb # \) st = + (let (V', st') = mstep tdb st; (V'', st'') = msteps0 \ st' in (V' \ V'', st''))" + +primrec msteps0_stateless where + "msteps0_stateless [] st = {}" +| "msteps0_stateless (tdb # \) st = (let (V', st') = mstep tdb st in V' \ msteps0_stateless \ st')" + +lemma msteps0_msteps0_stateless: "fst (msteps0 w st) = msteps0_stateless w st" + by (induct w arbitrary: st) (auto simp: split_beta) + +lift_definition msteps :: "'a MFOTL.prefix \ 'a mstate \ (nat \ 'a option list) set \ 'a mstate" + is msteps0 . + +lift_definition msteps_stateless :: "'a MFOTL.prefix \ 'a mstate \ (nat \ 'a option list) set" + is msteps0_stateless . + +lemma msteps_msteps_stateless: "fst (msteps w st) = msteps_stateless w st" + by transfer (rule msteps0_msteps0_stateless) + +lemma msteps0_snoc: "msteps0 (\ @ [tdb]) st = + (let (V', st') = msteps0 \ st; (V'', st'') = mstep tdb st' in (V' \ V'', st''))" + by (induct \ arbitrary: st) (auto split: prod.splits) + +lemma msteps_psnoc: "last_ts \ \ snd tdb \ msteps (psnoc \ tdb) st = + (let (V', st') = msteps \ st; (V'', st'') = mstep tdb st' in (V' \ V'', st''))" + by transfer (auto simp: msteps0_snoc split: list.splits prod.splits if_splits) + +definition monitor where + "monitor \ \ = msteps_stateless \ (minit_safe \)" + +lemma Suc_length_conv_snoc: "(Suc n = length xs) = (\y ys. xs = ys @ [y] \ length ys = n)" + by (cases xs rule: rev_cases) auto + +lemma wf_mstate_msteps: "wf_mstate \ \ R st \ mem_restr R v \ \ \ \' \ + X = msteps (pdrop (plen \) \') st \ wf_mstate \ \' R (snd X) \ + ((i, v) \ fst X) = ((i, v) \ mverdicts \ \' - mverdicts \ \)" +proof (induct "plen \' - plen \" arbitrary: X st \ \') + case 0 + from 0(1,4,5) have "\ = \'" "X = ({}, st)" + by (transfer; auto)+ + with 0(2) show ?case by simp +next + case (Suc x) + from Suc(2,5) obtain \'' tdb where "x = plen \'' - plen \" "\ \ \''" + "\' = psnoc \'' tdb" "pdrop (plen \) (psnoc \'' tdb) = psnoc (pdrop (plen \) \'') tdb" + "last_ts (pdrop (plen \) \'') \ snd tdb" "last_ts \'' \ snd tdb" + "\'' \ psnoc \'' tdb" + proof (atomize_elim, transfer, elim exE, goal_cases prefix) + case (prefix _ _ \' _ \_tdb) + then show ?case + proof (cases \_tdb rule: rev_cases) + case (snoc \ tdb) + with prefix show ?thesis + by (intro bexI[of _ "\' @ \"] exI[of _ tdb]) + (force simp: sorted_append append_eq_Cons_conv split: list.splits if_splits)+ + qed simp + qed + with Suc(1)[OF this(1) Suc.prems(1,2) this(2) refl] Suc.prems show ?case + unfolding msteps_msteps_stateless[symmetric] + by (auto simp: msteps_psnoc split_beta mstep_mverdicts + dest: verimon.verdicts_mono[THEN set_mp, rotated] intro!: wf_mstate_mstep) +qed + +lemma wf_mstate_msteps_stateless: + assumes "wf_mstate \ \ R st" "mem_restr R v" "\ \ \'" + shows "(i, v) \ msteps_stateless (pdrop (plen \) \') st \ (i, v) \ mverdicts \ \' - mverdicts \ \" + using wf_mstate_msteps[OF assms refl] unfolding msteps_msteps_stateless by simp + +lemma wf_mstate_msteps_stateless_UNIV: "wf_mstate \ \ UNIV st \ \ \ \' \ + msteps_stateless (pdrop (plen \) \') st = mverdicts \ \' - mverdicts \ \" + by (auto dest: wf_mstate_msteps_stateless[OF _ mem_restr_UNIV]) + +lemma mverdicts_Nil: "mverdicts \ pnil = {}" + unfolding verimon.verdicts_def + by (auto intro: ex_prefix_of) + +lemma wf_mstate_minit_safe: "mmonitorable \ \ wf_mstate \ pnil R (minit_safe \)" + using wf_mstate_minit minit_safe_minit mmonitorable_def by metis + +lemma monitor_mverdicts: "mmonitorable \ \ monitor \ \ = mverdicts \ \" + unfolding monitor_def + by (subst wf_mstate_msteps_stateless_UNIV[OF wf_mstate_minit_safe, simplified]) + (auto simp: mmonitorable_def mverdicts_Nil) + +subsection \Collected Correctness Results\ + +text \We summarize the main results proved above. +\begin{enumerate} +\item The term @{term mverdicts} describes semantically the monitor's expected behaviour: +\begin{itemize} +\item @{thm[source] verimon.mono_monitor}: @{thm verimon.mono_monitor[no_vars]} +\item @{thm[source] verimon.sound_monitor}: @{thm verimon.sound_monitor[no_vars]} +\item @{thm[source] verimon.complete_monitor}: @{thm verimon.complete_monitor[no_vars]} +\item @{thm[source] verimon.monitor_slice}: @{thm verimon.monitor_slice[no_vars]} +\end{itemize} +\item The executable monitor's online interface @{term minit_safe} and @{term mstep} + preserves the invariant @{term wf_mstate} and produces the the verdicts according + to @{term mverdicts}: +\begin{itemize} +\item @{thm[source] wf_mstate_minit_safe}: @{thm wf_mstate_minit_safe[no_vars]} +\item @{thm[source] wf_mstate_mstep}: @{thm wf_mstate_mstep[no_vars]} +\item @{thm[source] mstep_mverdicts}: @{thm mstep_mverdicts[no_vars]} +\end{itemize} +\item The executable monitor's offline interface @{term monitor} implements @{term mverdicts}: +\begin{itemize} +\item @{thm[source] monitor_mverdicts}: @{thm monitor_mverdicts[no_vars]} +\end{itemize} +\end{enumerate} +\ + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/Monitor_Code.thy b/thys/MFOTL_Monitor/Monitor_Code.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Monitor_Code.thy @@ -0,0 +1,58 @@ +(*<*) +theory Monitor_Code + imports Monitor + "HOL-Library.Code_Target_Nat" + "HOL.String" + Containers.Containers +begin +(*>*) + +derive ccompare MFOTL.trm +derive (eq) ceq MFOTL.trm +derive (rbt) set_impl MFOTL.trm + +lemma image_these: "f ` Option.these X = Option.these (map_option f ` X)" + by (force simp: in_these_eq Bex_def image_iff map_option_case split: option.splits) + +lemma meval_MPred: "meval n t db (MPred e ts) = ([Option.these + ((map_option (\f. tabulate f 0 n) o match ts) ` (\(e', x)\db. if e = e' then {x} else {}))], MPred e ts)" + unfolding meval.simps image_these image_image o_def .. + +lemma meval_MPred': "meval n t db (MPred e ts) = ([Option.these + (\(e', x)\db. if e = e' then {map_option (\f. tabulate f 0 n) (match ts x)} else {})], MPred e ts)" + unfolding meval_MPred image_UN split_beta if_distrib[of "image _"] image_insert image_empty o_apply + .. + +lemma these_UNION: "Option.these (\ (B ` A)) = (\ ((Option.these o B) ` A))" + by (auto simp: Option.these_def) + +lemma meval_MPred'': "meval n t db (MPred e ts) = ([ + (\(e', x)\db. if e = e' then set_option (map_option (\f. tabulate f 0 n) (match ts x)) else {})], MPred e ts)" + unfolding meval_MPred' these_UNION o_def prod.case_distrib[of Option.these] + by (auto simp: Option.these_def map_option_case image_iff split: if_splits option.splits) + +lemmas meval_code[code] = meval.simps(1) meval_MPred'' meval.simps(3-9) + +definition db_code :: "(char list \ 'a list) list \ (char list \ 'a list) set" where + "db_code = set" + +definition verdict_code :: "_ \ (nat \ 'a :: ccompare option list) list" where + "verdict_code = RBT_Set2.keys" + +export_code HOL.equal Collection_Eq.ceq Collection_Order.ccompare Eq Lt Gt set_RBT set_impl phantom + nat_of_integer integer_of_nat enat literal.explode db_code set interval RBT_set verdict_code + MFOTL.Var MFOTL.Const + MFOTL.Pred MFOTL.Eq MFOTL.Neg MFOTL.Or MFOTL.Exists + MFOTL.Prev MFOTL.Next MFOTL.Since MFOTL.Until + checking OCaml? + +export_code HOL.equal Collection_Eq.ceq Collection_Order.ccompare Eq Lt Gt set_RBT set_impl phantom + nat_of_integer integer_of_nat enat literal.explode db_code set interval RBT_set verdict_code + MFOTL.Var MFOTL.Const + MFOTL.Pred MFOTL.Eq MFOTL.Neg MFOTL.Or MFOTL.Exists + MFOTL.Prev MFOTL.Next MFOTL.Since MFOTL.Until + minit_safe mstep in OCaml module_name Monitor file_prefix "verified" + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/ROOT b/thys/MFOTL_Monitor/ROOT new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/ROOT @@ -0,0 +1,14 @@ +chapter AFP + +session MFOTL_Monitor (AFP) = "Containers" + + options [timeout = 1200] + theories + Monitor + theories [condition = ISABELLE_OCAMLFIND, document=false] + Monitor_Code + Examples + document_files + "root.tex" + "root.bib" +(* export_files (in ".") [2] + "Monitor.Monitor_Code:code/**" *) diff --git a/thys/MFOTL_Monitor/Table.thy b/thys/MFOTL_Monitor/Table.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Table.thy @@ -0,0 +1,372 @@ +(*<*) +theory Table + imports Main +begin +(*>*) + +section \Finite Tables\ + +primrec tabulate :: "(nat \ 'a) \ nat \ nat \ 'a list" where + "tabulate f x 0 = []" +| "tabulate f x (Suc n) = f x # tabulate f (Suc x) n" + +lemma tabulate_alt: "tabulate f x n = map f [x ..< x + n]" + by (induct n arbitrary: x) (auto simp: not_le Suc_le_eq upt_rec) + +lemma length_tabulate[simp]: "length (tabulate f x n) = n" + by (induction n arbitrary: x) simp_all + +lemma map_tabulate[simp]: "map f (tabulate g x n) = tabulate (\x. f (g x)) x n" + by (induction n arbitrary: x) simp_all + +lemma nth_tabulate[simp]: "k < n \ tabulate f x n ! k = f (x + k)" +proof (induction n arbitrary: x k) + case (Suc n) + then show ?case by (cases k) simp_all +qed simp + +type_synonym 'a tuple = "'a option list" +type_synonym 'a table = "'a tuple set" + +definition wf_tuple :: "nat \ nat set \ 'a tuple \ bool" where + "wf_tuple n V x \ length x = n \ (\i i \ V)" + +definition table :: "nat \ nat set \ 'a table \ bool" where + "table n V X \ (\x\X. wf_tuple n V x)" + +definition "empty_table = {}" + +definition "unit_table n = {replicate n None}" + +definition "singleton_table n i x = {tabulate (\j. if i = j then Some x else None) 0 n}" + +lemma in_empty_table[simp]: "\ x \ empty_table" + unfolding empty_table_def by simp + +lemma empty_table[simp]: "table n V empty_table" + unfolding table_def empty_table_def by simp + +lemma unit_table_wf_tuple[simp]: "V = {} \ x \ unit_table n \ wf_tuple n V x" + unfolding unit_table_def wf_tuple_def by simp + +lemma unit_table[simp]: "V = {} \ table n V (unit_table n)" + unfolding table_def by simp + +lemma in_unit_table: "v \ unit_table n \ wf_tuple n {} v" + unfolding unit_table_def wf_tuple_def by (auto intro!: nth_equalityI) + +lemma singleton_table_wf_tuple[simp]: "V = {i} \ x \ singleton_table n i z \ wf_tuple n V x" + unfolding singleton_table_def wf_tuple_def by simp + +lemma singleton_table[simp]: "V = {i} \ table n V (singleton_table n i z)" + unfolding table_def by simp + +lemma table_Un[simp]: "table n V X \ table n V Y \ table n V (X \ Y)" + unfolding table_def by auto + +lemma wf_tuple_length: "wf_tuple n V x \ length x = n" + unfolding wf_tuple_def by simp + + +fun join1 :: "'a tuple \ 'a tuple \ 'a tuple option" where + "join1 ([], []) = Some []" +| "join1 (None # xs, None # ys) = map_option (Cons None) (join1 (xs, ys))" +| "join1 (Some x # xs, None # ys) = map_option (Cons (Some x)) (join1 (xs, ys))" +| "join1 (None # xs, Some y # ys) = map_option (Cons (Some y)) (join1 (xs, ys))" +| "join1 (Some x # xs, Some y # ys) = (if x = y + then map_option (Cons (Some x)) (join1 (xs, ys)) + else None)" +| "join1 _ = None" + +definition join :: "'a table \ bool \ 'a table \ 'a table" where + "join A pos B = (if pos then Option.these (join1 ` (A \ B)) + else A - Option.these (join1 ` (A \ B)))" + +lemma join_True_code[code]: "join A True B = (\a \ A. \b \ B. set_option (join1 (a, b)))" + unfolding join_def by (force simp: Option.these_def image_iff) + +lemma join_False_alt: "join X False Y = X - join X True Y" + unfolding join_def by auto + +lemma self_join1: "join1 (xs, ys) \ Some xs \ join1 (zs, ys) \ Some xs" + by (induct "(zs, ys)" arbitrary: zs ys xs rule: join1.induct; auto; auto) + +lemma join_False_code[code]: "join A False B = {a \ A. \b \ B. join1 (a, b) \ Some a}" + unfolding join_False_alt join_True_code + by (auto simp: Option.these_def image_iff dest: self_join1) + +lemma wf_tuple_Nil[simp]: "wf_tuple n A [] = (n = 0)" + unfolding wf_tuple_def by auto + +lemma Suc_pred': "Suc (x - Suc 0) = (case x of 0 \ Suc 0 | _ \ x)" + by (auto split: nat.splits) + +lemma wf_tuple_Cons[simp]: + "wf_tuple n A (x # xs) \ ((if x = None then 0 \ A else 0 \ A) \ + (\m. n = Suc m \ wf_tuple m ((\x. x - 1) ` (A - {0})) xs))" + unfolding wf_tuple_def + by (auto 0 3 simp: nth_Cons image_iff Ball_def gr0_conv_Suc Suc_pred' split: nat.splits) + +lemma join1_wf_tuple: + "join1 (v1, v2) = Some v \ wf_tuple n A v1 \ wf_tuple n B v2 \ wf_tuple n (A \ B) v" + by (induct "(v1, v2)" arbitrary: n v v1 v2 A B rule: join1.induct) + (auto simp: image_Un Un_Diff split: if_splits) + +lemma join_wf_tuple: "x \ join X b Y \ + \v \ X. wf_tuple n A v \ \v \ Y. wf_tuple n B v \ (\ b \ B \ A) \ A \ B = C \ wf_tuple n C x" + unfolding join_def + by (fastforce simp: Option.these_def image_iff sup_absorb1 dest: join1_wf_tuple split: if_splits) + +lemma join_table: "table n A X \ table n B Y \ (\ b \ B \ A) \ A \ B = C \ + table n C (join X b Y)" + unfolding table_def by (auto elim!: join_wf_tuple) + +lemma wf_tuple_Suc: "wf_tuple (Suc m) A a \ a \ [] \ + wf_tuple m ((\x. x - 1) ` (A - {0})) (tl a) \ (0 \ A \ hd a \ None)" + by (cases a) (auto simp: nth_Cons image_iff split: nat.splits) + +lemma table_project: "table (Suc n) A X \ table n ((\x. x - Suc 0) ` (A - {0})) (tl ` X)" + unfolding table_def + by (auto simp: wf_tuple_Suc) + +definition restrict where + "restrict A v = map (\i. if i \ A then v ! i else None) [0 ..< length v]" + +lemma restrict_Nil[simp]: "restrict A [] = []" + unfolding restrict_def by auto + +lemma restrict_Cons[simp]: "restrict A (x # xs) = + (if 0 \ A then x # restrict ((\x. x - 1) ` (A - {0})) xs else None # restrict ((\x. x - 1) ` A) xs)" + unfolding restrict_def + by (auto simp: map_upt_Suc image_iff Suc_pred' Ball_def simp del: upt_Suc split: nat.splits) + +lemma wf_tuple_restrict: "wf_tuple n B v \ A \ B = C \ wf_tuple n C (restrict A v)" + unfolding restrict_def wf_tuple_def by auto + +lemma wf_tuple_restrict_simple: "wf_tuple n B v \ A \ B \ wf_tuple n A (restrict A v)" + unfolding restrict_def wf_tuple_def by auto + +lemma nth_restrict: "i \ A \ i < length v \ restrict A v ! i = v ! i" + unfolding restrict_def by auto + +lemma restrict_eq_Nil[simp]: "restrict A v = [] \ v = []" + unfolding restrict_def by auto + +lemma length_restrict[simp]: "length (restrict A v) = length v" + unfolding restrict_def by auto + +lemma join1_Some_restrict: + fixes x y :: "'a tuple" + assumes "wf_tuple n A x" "wf_tuple n B y" + shows "join1 (x, y) = Some z \ wf_tuple n (A \ B) z \ restrict A z = x \ restrict B z = y" + using assms +proof (induct "(x, y)" arbitrary: n x y z A B rule: join1.induct) + case (2 xs ys) + then show ?case + by (cases z) (auto 4 0 simp: image_Un Un_Diff)+ +next + case (3 x xs ys) + then show ?case + by (cases z) (auto 4 0 simp: image_Un Un_Diff)+ +next + case (4 xs y ys) + then show ?case + by (cases z) (auto 4 0 simp: image_Un Un_Diff)+ +next + case (5 x xs y ys) + then show ?case + by (cases z) (auto 4 0 simp: image_Un Un_Diff)+ +qed auto + +lemma restrict_idle: "wf_tuple n A v \ restrict A v = v" + by (induct v arbitrary: n A) (auto split: if_splits) + +lemma map_the_restrict: + "i \ A \ map the (restrict A v) ! i = map the v ! i" + by (induct v arbitrary: A i) (auto simp: nth_Cons' gr0_conv_Suc split: option.splits) + +lemma join_restrict: + fixes X Y :: "'a tuple set" + assumes "\v. v \ X \ wf_tuple n A v" "\v. v \ Y \ wf_tuple n B v" "\ b \ B \ A" + shows "v \ join X b Y \ + wf_tuple n (A \ B) v \ restrict A v \ X \ (if b then restrict B v \ Y else restrict B v \ Y)" + by (auto 4 4 simp: join_def Option.these_def image_iff assms wf_tuple_restrict sup_absorb1 restrict_idle + restrict_idle[OF assms(1)] elim: assms + dest: join1_Some_restrict[OF assms(1,2), THEN iffD1, rotated -1] + dest!: spec[of _ "Some v"] + intro!: exI[of _ "Some v"] join1_Some_restrict[THEN iffD2, symmetric] bexI[rotated]) + +lemma join_restrict_table: + assumes "table n A X" "table n B Y" "\ b \ B \ A" + shows "v \ join X b Y \ + wf_tuple n (A \ B) v \ restrict A v \ X \ (if b then restrict B v \ Y else restrict B v \ Y)" + using assms unfolding table_def + by (simp add: join_restrict) + +lemma join_restrict_annotated: + fixes X Y :: "'a tuple set" + assumes "\ b =simp=> B \ A" + shows "join {v. wf_tuple n A v \ P v} b {v. wf_tuple n B v \ Q v} = + {v. wf_tuple n (A \ B) v \ P (restrict A v) \ (if b then Q (restrict B v) else \ Q (restrict B v))}" + using assms + by (intro set_eqI, subst join_restrict) (auto simp: wf_tuple_restrict_simple simp_implies_def) + +lemma in_joinI: "table n A X \ table n B Y \ (\b \ B \ A) \ wf_tuple n (A \ B) v \ + restrict A v \ X \ (b \ restrict B v \ Y) \ (\b \ restrict B v \ Y) \ v \ join X b Y" + unfolding table_def + by (subst join_restrict) (auto) + +lemma in_joinE: "v \ join X b Y \ table n A X \ table n B Y \ (\ b \ B \ A) \ + (wf_tuple n (A \ B) v \ restrict A v \ X \ if b then restrict B v \ Y else restrict B v \ Y \ P) \ P" + unfolding table_def + by (subst (asm) join_restrict) (auto) + +definition qtable :: "nat \ nat set \ ('a tuple \ bool) \ ('a tuple \ bool) \ + 'a table \ bool" where + "qtable n A P Q X \ table n A X \ (\x. (x \ X \ P x \ Q x) \ (wf_tuple n A x \ P x \ Q x \ x \ X))" + +abbreviation wf_table where + "wf_table n A Q X \ qtable n A (\_. True) Q X" + +lemma wf_table_iff: "wf_table n A Q X \ (\x. x \ X \ (Q x \ wf_tuple n A x))" + unfolding qtable_def table_def by auto + +lemma table_wf_table: "table n A X = wf_table n A (\v. v \ X) X" + unfolding table_def wf_table_iff by auto + +lemma qtableI: "table n A X \ + (\x. x \ X \ wf_tuple n A x \ P x \ Q x) \ + (\x. wf_tuple n A x \ P x \ Q x \ x \ X) \ + qtable n A P Q X" + unfolding qtable_def table_def by auto + +lemma in_qtableI: "qtable n A P Q X \ wf_tuple n A x \ P x \ Q x \ x \ X" + unfolding qtable_def by blast + +lemma in_qtableE: "qtable n A P Q X \ x \ X \ P x \ (wf_tuple n A x \ Q x \ R) \ R" + unfolding qtable_def table_def by blast + +lemma qtable_empty: "(\x. wf_tuple n A x \ P x \ Q x \ False) \ qtable n A P Q empty_table" + unfolding qtable_def table_def empty_table_def by auto + +lemma qtable_empty_iff: "qtable n A P Q empty_table = (\x. wf_tuple n A x \ P x \ Q x \ False)" + unfolding qtable_def table_def empty_table_def by auto + +lemma qtable_unit_table: "(\x. wf_tuple n {} x \ P x \ Q x) \ qtable n {} P Q (unit_table n)" + unfolding qtable_def table_def in_unit_table by auto + +lemma qtable_union: "qtable n A P Q1 X \ qtable n A P Q2 Y \ + (\x. wf_tuple n A x \ P x \ Q x \ Q1 x \ Q2 x) \ qtable n A P Q (X \ Y)" + unfolding qtable_def table_def by blast + +lemma qtable_Union: "finite I \ (\i. i \ I \ qtable n A P (Qi i) (Xi i)) \ + (\x. wf_tuple n A x \ P x \ Q x \ (\i \ I. Qi i x)) \ qtable n A P Q (\i \ I. Xi i)" +proof (induct I arbitrary: Q rule: finite_induct) + case (insert i F) + then show ?case + by (auto intro!: qtable_union[where ?Q1.0 = "Qi i" and ?Q2.0 = "\x. \i\F. Qi i x"]) +qed (auto intro!: qtable_empty[unfolded empty_table_def]) + +lemma qtable_join: + assumes "qtable n A P Q1 X" "qtable n B P Q2 Y" "\ b \ B \ A" "C = A \ B" + "\x. wf_tuple n C x \ P x \ P (restrict A x) \ P (restrict B x)" + "\x. b \ wf_tuple n C x \ P x \ Q x \ Q1 (restrict A x) \ Q2 (restrict B x)" + "\x. \ b \ wf_tuple n C x \ P x \ Q x \ Q1 (restrict A x) \ \ Q2 (restrict B x)" + shows "qtable n C P Q (join X b Y)" +proof (rule qtableI) + from assms(1-4) show "table n C (join X b Y)" + unfolding qtable_def by (auto simp: join_table) +next + fix x assume "x \ join X b Y" "wf_tuple n C x" "P x" + with assms(1-3) assms(5-7)[of x] show "Q x" unfolding qtable_def + by (auto 0 2 simp: wf_tuple_restrict_simple elim!: in_joinE split: if_splits) +next + fix x assume "wf_tuple n C x" "P x" "Q x" + with assms(1-4) assms(5-7)[of x] show "x \ join X b Y" unfolding qtable_def + by (auto dest: wf_tuple_restrict_simple intro!: in_joinI[of n A X B Y]) +qed + +lemma qtable_join_fixed: + assumes "qtable n A P Q1 X" "qtable n B P Q2 Y" "\ b \ B \ A" "C = A \ B" + "\x. wf_tuple n C x \ P x \ P (restrict A x) \ P (restrict B x)" + shows "qtable n C P (\x. Q1 (restrict A x) \ (if b then Q2 (restrict B x) else \ Q2 (restrict B x))) (join X b Y)" + by (rule qtable_join[OF assms]) auto + +lemma wf_tuple_cong: + assumes "wf_tuple n A v" "wf_tuple n A w" "\x \ A. map the v ! x = map the w ! x" + shows "v = w" +proof - + from assms(1,2) have "length v = length w" unfolding wf_tuple_def by simp + from this assms show "v = w" + proof (induct v w arbitrary: n A rule: list_induct2) + case (Cons x xs y ys) + let ?n = "n - 1" and ?A = "(\x. x - 1) ` (A - {0})" + have *: "map the xs ! z = map the ys ! z" if "z \ ?A" for z + using that Cons(5)[THEN bspec, of "Suc z"] + by (cases z) (auto simp: le_Suc_eq split: if_splits) + from Cons(1,3-5) show ?case + by (auto intro!: Cons(2)[of ?n ?A] * split: if_splits) + qed simp +qed + +definition mem_restr :: "'a list set \ 'a tuple \ bool" where + "mem_restr A x \ (\y\A. list_all2 (\a b. a \ None \ a = Some b) x y)" + +lemma mem_restrI: "y \ A \ length y = n \ wf_tuple n V x \ \i\V. x ! i = Some (y ! i) \ mem_restr A x" + unfolding mem_restr_def wf_tuple_def by (force simp add: list_all2_conv_all_nth) + +lemma mem_restrE: "mem_restr A x \ wf_tuple n V x \ \i\V. i < n \ + (\y. y \ A \ \i\V. x ! i = Some (y ! i) \ P) \ P" + unfolding mem_restr_def wf_tuple_def by (fastforce simp add: list_all2_conv_all_nth) + +lemma mem_restr_IntD: "mem_restr (A \ B) v \ mem_restr A v \ mem_restr B v" + unfolding mem_restr_def by auto + +lemma mem_restr_Un_iff: "mem_restr (A \ B) x \ mem_restr A x \ mem_restr B x" + unfolding mem_restr_def by blast + +lemma mem_restr_UNIV [simp]: "mem_restr UNIV x" + unfolding mem_restr_def + by (auto simp add: list.rel_map intro!: exI[of _ "map the x"] list.rel_refl) + +lemma restrict_mem_restr[simp]: "mem_restr A x \ mem_restr A (restrict V x)" + unfolding mem_restr_def restrict_def + by (auto simp: list_all2_conv_all_nth elim!: bexI[rotated]) + +definition lift_envs :: "'a list set \ 'a list set" where + "lift_envs R = (\(a,b). a # b) ` (UNIV \ R)" + +lemma lift_envs_mem_restr[simp]: "mem_restr A x \ mem_restr (lift_envs A) (a # x)" + by (auto simp: mem_restr_def lift_envs_def) + +lemma qtable_project: + assumes "qtable (Suc n) A (mem_restr (lift_envs R)) P X" + shows "qtable n ((\x. x - Suc 0) ` (A - {0})) (mem_restr R) + (\v. \x. P ((if 0 \ A then Some x else None) # v)) (tl ` X)" + (is "qtable n ?A (mem_restr R) ?P ?X") +proof ((rule qtableI; (elim exE)?), goal_cases table left right) + case table + with assms show ?case + unfolding qtable_def by (simp add: table_project) +next + case (left v) + from assms have "[] \ X" + unfolding qtable_def table_def by fastforce + with left(1) obtain x where "x # v \ X" + by (metis (no_types, hide_lams) image_iff hd_Cons_tl) + with assms show ?case + by (rule in_qtableE) (auto simp: left(3) split: if_splits) +next + case (right v x) + with assms have "(if 0 \ A then Some x else None) # v \ X" + by (elim in_qtableI) auto + then show ?case + by (auto simp: image_iff elim: bexI[rotated]) +qed + +lemma qtable_cong: "qtable n A P Q X \ A = B \ (\v. P v \ Q v \ Q' v) \ qtable n B P Q' X" + by (auto simp: qtable_def) + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/Trace.thy b/thys/MFOTL_Monitor/Trace.thy new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/Trace.thy @@ -0,0 +1,300 @@ +(*<*) +theory Trace + imports "HOL-Library.Stream" +begin +(*>*) + +section \Infinite Traces\ + +coinductive ssorted :: "'a :: linorder stream \ bool" where + "shd s \ shd (stl s) \ ssorted (stl s) \ ssorted s" + +lemma ssorted_siterate[simp]: "(\n. n \ f n) \ ssorted (siterate f n)" + by (coinduction arbitrary: n) auto + +lemma ssortedD: "ssorted s \ s !! i \ stl s !! i" + by (induct i arbitrary: s) (auto elim: ssorted.cases) + +lemma ssorted_sdrop: "ssorted s \ ssorted (sdrop i s)" + by (coinduction arbitrary: i s) (auto elim: ssorted.cases ssortedD) + +lemma ssorted_monoD: "ssorted s \ i \ j \ s !! i \ s !! j" +proof (induct "j - i" arbitrary: j) + case (Suc x) + from Suc(1)[of "j - 1"] Suc(2-4) ssortedD[of s "j - 1"] + show ?case by (cases j) (auto simp: le_Suc_eq Suc_diff_le) +qed simp + +lemma sorted_stake: "ssorted s \ sorted (stake i s)" + by (induct i arbitrary: s) + (auto elim: ssorted.cases simp: in_set_conv_nth + intro!: ssorted_monoD[of _ 0, simplified, THEN order_trans, OF _ ssortedD]) + +lemma ssorted_monoI: "\i j. i \ j \ s !! i \ s !! j \ ssorted s" + by (coinduction arbitrary: s) + (auto dest: spec2[of _ "Suc _" "Suc _"] spec2[of _ 0 "Suc 0"]) + +lemma ssorted_iff_mono: "ssorted s \ (\i j. i \ j \ s !! i \ s !! j)" + using ssorted_monoI ssorted_monoD by metis + +definition "sincreasing s = (\i. \j>i. s !! i < s !! j)" + +lemma sincreasing_siterate[simp]: + assumes "(\n. n < f n)" + shows "sincreasing (siterate f n)" +unfolding sincreasing_def proof + fix i + show "\j>i. siterate f n !! i < siterate f n !! j" (is "\j. ?P n i j") + proof (induct i arbitrary: n) + case (Suc i) + from Suc[of "f n"] obtain j where "?P (f n) i j" by blast + then show ?case + by (intro exI[of _ "Suc j"]) auto + qed (auto intro!: exI[of _ "Suc 0"] assms) +qed + +typedef 'a trace = "{s :: ('a set \ nat) stream. ssorted (smap snd s) \ sincreasing (smap snd s)}" + by (intro exI[of _ "smap (\i. ({}, i)) nats"]) + (auto simp: stream.map_comp stream.map_ident cong: stream.map_cong) + +setup_lifting type_definition_trace + +lift_definition \ :: "'a trace \ nat \ 'a set" is + "\s i. fst (s !! i)" . +lift_definition \ :: "'a trace \ nat \ nat" is + "\s i. snd (s !! i)" . + +lemma \_mono[simp]: "i \ j \ \ s i \ \ s j" + by transfer (auto simp: ssorted_iff_mono) + +lemma ex_le_\: "\j\i. x \ \ s j" +proof (transfer fixing: i x) + fix s :: "('a set \ nat) stream" + presume sincreasing: "sincreasing (smap snd s)" + show "\j\i. x \ snd (s !! j)" proof (induction x) + case 0 + show ?case by auto + next + case (Suc x) + then show ?case + using sincreasing unfolding sincreasing_def + by (metis Suc_le_eq le_less_trans less_imp_le_nat snth_smap) + qed +qed simp + +lemma le_\_less: "\ \ i \ \ \ j \ j < i \ \ \ i = \ \ j" + by (simp add: antisym) + +lemma less_\D: "\ \ i < \ \ j \ i < j" + by (meson \_mono less_le_not_le not_le_imp_less) + +abbreviation "\ s i \ \ s i - \ s (i - 1)" + +lift_definition map_\ :: "('a set \ 'b set) \ 'a trace \ 'b trace" is + "\f s. smap (\(x, i). (f x, i)) s" + by (auto simp: stream.map_comp prod.case_eq_if cong: stream.map_cong) + +lemma \_map_\[simp]: "\ (map_\ f s) i = f (\ s i)" + by transfer (simp add: prod.case_eq_if) + +lemma \_map_\[simp]: "\ (map_\ f s) i = \ s i" + by transfer (simp add: prod.case_eq_if) + +lemma map_\_id[simp]: "map_\ id s = s" + by transfer (simp add: stream.map_id) + +lemma map_\_comp: "map_\ g (map_\ f s) = map_\ (g \ f) s" + by transfer (simp add: stream.map_comp comp_def prod.case_eq_if case_prod_beta') + +lemma map_\_cong: "\\<^sub>1 = \\<^sub>2 \ (\x. f\<^sub>1 x = f\<^sub>2 x) \ map_\ f\<^sub>1 \\<^sub>1 = map_\ f\<^sub>2 \\<^sub>2" + by transfer (auto intro!: stream.map_cong) + + +section \Finite Trace Prefixes\ + +typedef 'a prefix = "{p :: ('a set \ nat) list. sorted (map snd p)}" + by (auto intro!: exI[of _ "[]"]) + +setup_lifting type_definition_prefix + +lift_definition last_ts :: "'a prefix \ nat" is + "\p. (case p of [] \ 0 | _ \ snd (last p))" . + +lift_definition first_ts :: "nat \ 'a prefix \ nat" is + "\n p. (case p of [] \ n | _ \ snd (hd p))" . + +lift_definition pnil :: "'a prefix" is "[]" by simp + +lift_definition plen :: "'a prefix \ nat" is "length" . + +lift_definition psnoc :: "'a prefix \ 'a set \ nat \ 'a prefix" is + "\p x. if (case p of [] \ 0 | _ \ snd (last p)) \ snd x then p @ [x] else []" +proof (goal_cases sorted_psnoc) + case (sorted_psnoc p x) + then show ?case + by (induction p) (auto split: if_splits list.splits) +qed + +instantiation prefix :: (type) order begin + +lift_definition less_eq_prefix :: "'a prefix \ 'a prefix \ bool" is + "\p q. \r. q = p @ r" . + +definition less_prefix :: "'a prefix \ 'a prefix \ bool" where + "less_prefix x y = (x \ y \ \ y \ x)" + +instance +proof (standard, goal_cases less refl trans antisym) + case (less x y) + then show ?case unfolding less_prefix_def .. +next + case (refl x) + then show ?case by transfer auto +next + case (trans x y z) + then show ?case by transfer auto +next + case (antisym x y) + then show ?case by transfer auto +qed + +end + +lemma psnoc_inject[simp]: + "last_ts p \ snd x \ last_ts q \ snd y \ psnoc p x = psnoc q y \ (p = q \ x = y)" + by transfer auto + +lift_definition prefix_of :: "'a prefix \ 'a trace \ bool" is "\p s. stake (length p) s = p" . + +lemma prefix_of_pnil[simp]: "prefix_of pnil \" + by transfer auto + +lemma plen_pnil[simp]: "plen pnil = 0" + by transfer auto + +lemma plen_mono: "\ \ \' \ plen \ \ plen \'" + by transfer auto + +lemma prefix_of_psnocE: "prefix_of (psnoc p x) s \ last_ts p \ snd x \ + (prefix_of p s \ \ s (plen p) = fst x \ \ s (plen p) = snd x \ P) \ P" + by transfer (simp del: stake.simps add: stake_Suc) + +lemma le_pnil[simp]: "pnil \ \" + by transfer auto + +lift_definition take_prefix :: "nat \ 'a trace \ 'a prefix" is stake + by (auto dest: sorted_stake) + +lemma plen_take_prefix[simp]: "plen (take_prefix i \) = i" + by transfer auto + +lemma plen_psnoc[simp]: "last_ts \ \ snd x \ plen (psnoc \ x) = plen \ + 1" + by transfer auto + +lemma prefix_of_take_prefix[simp]: "prefix_of (take_prefix i \) \" + by transfer auto + +lift_definition pdrop :: "nat \ 'a prefix \ 'a prefix" is drop + by (auto simp: drop_map[symmetric] sorted_drop) + +lemma pdrop_0[simp]: "pdrop 0 \ = \" + by transfer auto + +lemma prefix_of_antimono: "\ \ \' \ prefix_of \' s \ prefix_of \ s" + by transfer (auto simp del: stake_add simp add: stake_add[symmetric]) + +lemma ex_prefix_of: "\s. prefix_of p s" +proof (transfer, intro bexI CollectI conjI) + fix p :: "('a set \ nat) list" + assume *: "sorted (map snd p)" + let ?\ = "p @- smap (Pair undefined) (fromN (snd (last p)))" + show "stake (length p) ?\ = p" by (simp add: stake_shift) + have le_last: "snd (p ! i) \ snd (last p)" if "i < length p" for i + using sorted_nth_mono[OF *, of i "length p - 1"] that + by (cases p) (auto simp: last_conv_nth nth_Cons') + with * show "ssorted (smap snd ?\)" + by (force simp: ssorted_iff_mono sorted_iff_nth_mono shift_snth) + show "sincreasing (smap snd ?\)" unfolding sincreasing_def + proof (rule allI) + fix i + show "\j > i. smap snd ?\ !! i < smap snd ?\ !! j" + proof (cases "i < length p") + case True + with le_last[of i] show ?thesis + by (auto intro!: exI[of _ "Suc (length p)"]) + next + case False + then show ?thesis + by (auto simp: neq_Nil_conv intro!: exI[of _ "Suc i"]) + qed + qed +qed + +lemma \_prefix_conv: "prefix_of p s \ prefix_of p s' \ i < plen p \ \ s i = \ s' i" + by transfer (simp add: stake_nth[symmetric]) + +lemma \_prefix_conv: "prefix_of p s \ prefix_of p s' \ i < plen p \ \ s i = \ s' i" + by transfer (simp add: stake_nth[symmetric]) + +lemma sincreasing_sdrop: + assumes "sincreasing s" + shows "sincreasing (sdrop n s)" +proof (unfold sincreasing_def; safe) + fix i + from assms obtain j where "n + i < j" "s !! (n + i) < s !! j" + unfolding sincreasing_def by auto + then show "\j>i. sdrop n s !! i < sdrop n s !! j" + by (auto simp: sdrop_snth intro!: exI[of _ "j - n"]) +qed + +lemma ssorted_shift: + "ssorted (xs @- s) = (sorted xs \ ssorted s \ (\x\set xs. \y\sset s. x \ y))" +proof safe + assume *: "ssorted (xs @- s)" + then show "sorted xs" + by (auto simp: ssorted_iff_mono shift_snth sorted_iff_nth_mono split: if_splits) + from ssorted_sdrop[OF *, of "length xs"] show "ssorted s" + by (auto simp: sdrop_shift) + fix x y assume "x \ set xs" "y \ sset s" + then obtain i j where "i < length xs" "xs ! i = x" "s !! j = y" + by (auto simp: set_conv_nth sset_range) + with ssorted_monoD[OF *, of i "j + length xs"] show "x \ y" by auto +next + assume "sorted xs" "ssorted s" "\x\set xs. \y\sset s. x \ y" + then show "ssorted (xs @- s)" + proof (coinduction arbitrary: xs s) + case (ssorted xs s) + with \ssorted s\ show ?case + by (subst (asm) ssorted.simps) (auto 0 4 simp: neq_Nil_conv shd_sset intro: exI[of _ "_ # _"]) + qed +qed + +lemma sincreasing_shift: + assumes "ssorted (xs @- s)" "sincreasing s" + shows "sincreasing (xs @- s)" +proof (unfold sincreasing_def; safe) + fix i + show "\j>i. (xs @- s) !! i < (xs @- s) !! j" + proof (cases "i < length xs") + case True + with assms(1) have "xs ! i \ shd s" unfolding ssorted_shift by (auto simp: shd_sset) + also obtain j where "\ < s !! j" + using assms(2) by (auto simp: sincreasing_def dest: spec[of _ 0]) + finally show ?thesis using True by (auto intro!: exI[of _ "j + length xs"]) + next + case False + then obtain j where "i - length xs < j" "s !! (i - length xs) < s !! j" + using assms(2) by (auto simp: sincreasing_def) + then show ?thesis using False by (auto simp: not_less intro!: exI[of _ "j + length xs"]) + qed +qed + +lift_definition replace_prefix :: "'a prefix \ 'a trace \ 'a trace" is + "\\ \. if ssorted (smap snd (\ @- sdrop (length \) \)) then + \ @- sdrop (length \) \ else smap (\i. ({}, i)) nats" + by (auto split: if_splits simp: stream.map_comp stream.map_ident sdrop_smap[symmetric] + simp del: sdrop_smap intro!: sincreasing_shift sincreasing_sdrop cong: stream.map_cong) + +(*<*) +end +(*>*) diff --git a/thys/MFOTL_Monitor/document/root.bib b/thys/MFOTL_Monitor/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/document/root.bib @@ -0,0 +1,38 @@ +@article{BasinKMZ-JACM15, + author = {Basin, David and Klaedtke, Felix and M{\"u}ller, Samuel and Z{\u a}linescu, Eugen}, + title = {Monitoring Metric First-Order Temporal Properties}, + journal = {J.\ ACM}, + volume = {62}, + number = {2}, + year = {2015}, + pages = {15:1--15:45}, + doi = {10.1145/2699444}, +} + +@inproceedings{monpoly, + author = {David Basin and Felix Klaedtke and Eugen Z\u{a}linescu}, + title = {The {MonPoly} Monitoring Tool}, + booktitle = {RV-CuBES 2017}, + editor = {Giles Reger and Klaus Havelund}, + series = {Kalpa Publications in Computing}, + volume = {3}, + pages = {19--28}, + year = {2017}, + publisher = {EasyChair}, + url = {http://www.easychair.org/publications/paper/62MC} +} + +@inproceedings{SchneiderBKT-RV19, + author = {Joshua Schneider and + David A. Basin and + Sr\dj{}an Krsti\'{c} and + Dmitriy Traytel}, + editor = {Bernd Finkbeiner and + Leonardo Mariani}, + title = {A Formally Verified Monitor for Metric First-Order Temporal Logic}, + booktitle = {RV 2019}, + series = {LNCS}, + publisher = {Springer}, + year = {2019}, + note = {To appear. Preprint at \url{http://people.inf.ethz.ch/trayteld/papers/rv19-verimon/verimon.pdf}} +} \ No newline at end of file diff --git a/thys/MFOTL_Monitor/document/root.tex b/thys/MFOTL_Monitor/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/MFOTL_Monitor/document/root.tex @@ -0,0 +1,52 @@ +\documentclass[10pt,a4paper]{article} +\usepackage{isabelle,isabellesym} + +\usepackage{a4wide} +\usepackage[english]{babel} +\usepackage{eufrak} +\usepackage{amssymb} + +% this should be the last package used +\usepackage{pdfsetup} + +% urls in roman style, theory text in math-similar italics +\urlstyle{rm} +\isabellestyle{literal} + + +\begin{document} + +\title{Formalization of a Monitoring Algorithm for\\ Metric First-Order Temporal Logic} +\author{Joshua Schneider \and Dmitriy Traytel} + +\maketitle + +\begin{abstract} A monitor is a runtime verification tool that solves the following +problem: Given a stream of time-stamped events and a policy formulated in a specification +language, decide whether the policy is satisfied at every point in the stream. We verify +the correctness of an executable monitor for specifications given as formulas in metric +first-order temporal logic (MFOTL)~\cite{BasinKMZ-JACM15}, an expressive extension of +linear temporal logic with real-time constraints and +first-order quantification. The verified monitor implements a simplified variant of the algorithm +used in the efficient MonPoly monitoring tool~\cite{monpoly}. The formalization is presented in a +forthcoming RV 2019 paper~\cite{SchneiderBKT-RV19}, which also compares the output of the +verified monitor to that of other monitoring tools on randomly generated inputs. This +case study revealed several errors in the optimized but unverified tools. \end{abstract} + +\tableofcontents + +% sane default for proof documents +\parindent 0pt\parskip 0.5ex + +% generated text of all theories +\input{session} + +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/thys/Prim_Dijkstra_Simple/Chapter_Dijkstra.thy b/thys/Prim_Dijkstra_Simple/Chapter_Dijkstra.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Chapter_Dijkstra.thy @@ -0,0 +1,17 @@ +chapter \Dijkstra's Shortest Path Algorithm\ +text \\noindent + Dijkstra's algorithm~\cite{Dijk59} is a classical algorithm to determine the shortest + paths from a root node to all other nodes in a weighted directed graph. + Although it solves a different problem, and works on a different type of graphs, + its structure is very similar to Prim's algorithm. + In particular, like Prim's algorithm, it has a simple loop structure and can be efficiently + implemented by a priority queue. + + Again, our formalization of Dijkstra's algorithm follows the presentation + of Cormen et al.~\cite{Cormen-Leiserson-Rivest}. However, for the sake of simplicity, + our algorithm does not compute actual shortest paths, but only their weights. +\ +(*<*) +theory Chapter_Dijkstra +imports Main begin end +(*>*) diff --git a/thys/Prim_Dijkstra_Simple/Chapter_Prim.thy b/thys/Prim_Dijkstra_Simple/Chapter_Prim.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Chapter_Prim.thy @@ -0,0 +1,29 @@ +chapter \Prim's Minimum Spanning Tree Algorithm\ +text \ + Prim's algorithm~\cite{Prim57} is a classical algorithm to find a minimum spanning + tree of an undirected graph. In this section we describe our formalization + of Prim's algorithm, roughly following the presentation of Cormen et al.~\cite{Cormen-Leiserson-Rivest}. + + Our approach features stepwise refinement. We start by a generic MST algorithm (Section~\ref{sec:generic_mst}) + that covers both Prim's and Kruskal's algorithms. It maintains a subgraph \A\ of an MST. + Initially, \A\ contains no edges and only the root node. In each iteration, the algorithm adds a new edge to \A\, + maintaining the property that \A\ is a subgraph of an MST. + In a next refinement step, we only add edges that are adjacent to the current \A\, thus + maintaining the invariant that \A\ is always a tree (Section~\ref{sec:prim_algo}). + Next, we show how to use a priority queue to efficiently determine a next edge to be + added (Section~\ref{sec:using_pq}), and implement + the necessary update of the priority queue using a foreach-loop (Section~\ref{sec:using_foreach}). + Finally we parameterize our algorithm over ADTs for graphs, maps, and priority queues + (Section~\ref{sec:prim_data_structs}), instantiate these with actual data structures (Section~\ref{sec:prim_inst_ds}), and extract + executable ML code (Section~\ref{sec:prim_exec}). + + The advantage of this stepwise refinement approach is that the proof obligations of + each step are mostly independent from the other steps. This modularization greatly helps + to keep the proof manageable. Moreover, the steps also correspond to a natural split + of the ideas behind Prim's algorithm: The same structuring is also done in the presentation + of Cormen et al.~\cite{Cormen-Leiserson-Rivest}, though not as detailed as ours. +\ +(*<*) +theory Chapter_Prim +imports Main begin end +(*>*) diff --git a/thys/Prim_Dijkstra_Simple/Common.thy b/thys/Prim_Dijkstra_Simple/Common.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Common.thy @@ -0,0 +1,212 @@ +section \Commonly used Lemmas\ +theory Common +imports + Main + "HOL-Library.Extended_Nat" + "HOL-Eisbach.Eisbach" +begin + +declare [[coercion_enabled = false]] + +subsection \Miscellaneous\ + +lemma split_sym_rel: + fixes G :: "'a rel" + assumes "sym G" "irrefl G" + obtains E where "E\E\ = {}" "G = E \ E\" +proof - + obtain R :: "'a rel" + where WO: "well_order_on UNIV R" using Zorn.well_order_on .. + + let ?E = "G \ R" + + from \irrefl G\ have [simp, intro!]: "(x,x)\G" for x + by (auto simp: irrefl_def) + + have "?E \ ?E\ = {}" + using WO + unfolding well_order_on_def linear_order_on_def + partial_order_on_def antisym_def + by fastforce + moreover + have "G = ?E \ ?E\" + apply safe + apply (simp_all add: symD[OF \sym G\]) + using WO unfolding well_order_on_def linear_order_on_def total_on_def + by force + ultimately show ?thesis by (rule that) +qed + + +lemma least_antimono: "X\{} \ X\Y \ (LEAST y::_::wellorder. y\Y) \ (LEAST x. x\X)" + by (metis LeastI_ex Least_le equals0I rev_subsetD) + +lemma distinct_map_snd_inj: "distinct (map snd l) \ (a,b)\set l \ (a',b)\set l \ a=a'" + by (metis distinct_map inj_onD prod.sel(2) prod.simps(1)) + +lemma map_add_apply: "(m\<^sub>1 ++ m\<^sub>2) k = (case m\<^sub>2 k of None \ m\<^sub>1 k | Some x \ Some x)" + by (auto simp: map_add_def) + +lemma map_eq_append_conv: "map f xs = ys\<^sub>1@ys\<^sub>2 + \ (\xs\<^sub>1 xs\<^sub>2. xs = xs\<^sub>1@xs\<^sub>2 \ map f xs\<^sub>1 = ys\<^sub>1 \ map f xs\<^sub>2 = ys\<^sub>2)" + apply rule + subgoal + apply (rule exI[where x="take (length ys\<^sub>1) xs"]) + apply (rule exI[where x="drop (length ys\<^sub>1) xs"]) + apply (drule sym) + by (auto simp: append_eq_conv_conj take_map drop_map) + subgoal by auto + done + + +lemma prod_case_const[simp]: "case_prod (\_ _. c) = (\_. c)" by auto + +lemma card2_eq: "card e = 2 \ (\u v. u\v \ e={u,v})" + by (auto simp: eval_nat_numeral card_Suc_eq) + +lemma in_ranE: + assumes "v \ ran m" + obtains k where "m k = Some v" + using assms unfolding ran_def by auto + + +lemma Inf_in: + fixes A :: "'a::{linorder,complete_lattice} set" + assumes "finite A" "A\{}" + shows "Inf A \ A" + using assms + proof (induction A rule: finite_induct) + case empty + then show ?case by simp + next + have [simp]: "inf a b = (if a\b then a else b)" for a b :: 'a + by (meson inf_absorb2 le_iff_inf linear) + + case (insert x F) + show ?case proof cases + assume "F={}" thus ?thesis by auto + next + assume "F\{}" + with insert.IH have "Inf F \ F" . + then show ?thesis + using le_less_linear[of x "Inf F"] + by auto + + qed +qed + +lemma INF_of_enat_infty_iff1: "(INF x:A. enat (f x)) = \ \ A={}" + apply (cases "A={}") + subgoal by (simp add: top_enat_def) + subgoal by safe (metis INF_top_conv(2) enat.distinct(1) top_enat_def)+ + done + +lemma INF_of_enat_infty_iff2: + "\ = (INF x:A. enat (f x)) \ A={}" + by (metis INF_of_enat_infty_iff1) + +lemmas INF_of_enat_infty_iff[simp] = INF_of_enat_infty_iff1 INF_of_enat_infty_iff2 + +lemma INF_of_enat_nat_conv1: + assumes "finite A" + shows "(INF x:A. enat (f x)) = enat d \ (\x\A. d = f x \ (\y\A. f x \ f y))" +proof - + from assms have F: "finite (enat`f`A)" by auto + + show ?thesis proof (cases "A={}") + case True thus ?thesis by (auto simp: top_enat_def) + next + case [simp]: False + note * = Inf_in[OF F, simplified] + show ?thesis + apply (rule iffI) + subgoal by (smt False Inf_in assms enat.inject enat_ord_simps(1) finite_imageI imageE image_is_empty le_INF_iff order_refl) + subgoal by clarsimp (meson INF_greatest INF_lower antisym enat_ord_simps(1)) + done + qed +qed + +lemma INF_of_enat_nat_conv2: + assumes "finite A" + shows "enat d = (INF x:A. enat (f x)) \ (\x\A. d = f x \ (\y\A. f x \ f y))" + using INF_of_enat_nat_conv1[OF assms] by metis + +lemmas INF_of_enat_nat_conv = INF_of_enat_nat_conv1 INF_of_enat_nat_conv2 + +lemma finite_inf_linorder_ne_ex: + fixes f :: "_ \ _::{complete_lattice,linorder}" + assumes "finite S" + assumes "S\{}" + shows "\x\S. (INF x:S. f x) = f x" + using assms + by (meson Inf_in finite_imageI imageE image_is_empty) + + + +lemma finite_linorder_eq_INF_conv: "finite S + \ a = (INF x:S. f x) \ (if S={} then a=top else \x\S. a=f x \ (\y\S. a \ f y))" + for a :: "_::{complete_lattice,linorder}" + by (auto + simp: INF_greatest INF_lower + intro: finite_inf_linorder_ne_ex antisym) + +lemma sym_inv_eq[simp]: "sym E \ E\ = E" unfolding sym_def by auto + +lemma insert_inv[simp]: "(insert e E)\ = insert (prod.swap e) (E\)" + by (cases e) auto + +lemma inter_compl_eq_diff[simp]: "x \ - s = x - s" + by auto + +lemma inter_same_diff[simp]: "A\(A-S) = A-S" by blast + +lemma minus_inv_sym_aux[simp]: "(- {(a, b), (b, a)})\ = -{(a,b),(b,a)}" + by auto + + +subsection \The-Default\ +fun the_default :: "'a \ 'a option \ 'a" where + "the_default d None = d" +| "the_default _ (Some x) = x" + +lemma the_default_alt: "the_default d x = (case x of None \ d | Some v \ v)" by (auto split: option.split) + + +subsection \Implementing \enat\ by Option\ + +text \Our maps are functions to \nat option\,which are interpreted as \enat\, + \None\ being \\\\ + +fun enat_of_option :: "nat option \ enat" where + "enat_of_option None = \" +| "enat_of_option (Some n) = enat n" + +lemma enat_of_option_inj[simp]: "enat_of_option x = enat_of_option y \ x=y" + by (cases x; cases y; simp) + +lemma enat_of_option_simps[simp]: + "enat_of_option x = enat n \ x = Some n" + "enat_of_option x = \ \ x = None" + "enat n = enat_of_option x \ x = Some n" + "\ = enat_of_option x \ x = None" + by (cases x; auto; fail)+ + +lemma enat_of_option_le_conv: "enat_of_option m \ enat_of_option n \ (case (m,n) of + (_,None) \ True + | (Some a, Some b) \ a\b + | (_, _) \ False +)" + by (auto split: option.split) + + +subsection \Foldr-Refine\ +lemma foldr_refine: + assumes "I s" + assumes "\s x. I s \ x\set l \ I (f x s) \ \ (f x s) = f' x (\ s)" + shows "I (foldr f l s) \ \ (foldr f l s) = foldr f' l (\ s)" + using assms + by (induction l arbitrary: s) auto + + + +end diff --git a/thys/Prim_Dijkstra_Simple/Dijkstra_Abstract.thy b/thys/Prim_Dijkstra_Simple/Dijkstra_Abstract.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Dijkstra_Abstract.thy @@ -0,0 +1,387 @@ +section \Abstract Dijkstra Algorithm\ +theory Dijkstra_Abstract +imports Directed_Graph +begin + +subsection \Abstract Algorithm\ + +type_synonym 'v estimate = "'v \ enat" +text \We fix a start node and a weighted graph\ +locale Dijkstra = WGraph w for w :: "('v) wgraph" + + fixes s :: 'v +begin + +text \Relax all outgoing edges of node \u\\ +definition relax_outgoing :: "'v \ 'v estimate \ 'v estimate" + where "relax_outgoing u D \ \v. min (D v) (D u + w (u,v))" + +text \Initialization\ +definition "initD \ (\_. \)(s:=0)" +definition "initS \ {}" + + +text \Relaxing will never increase estimates\ +lemma relax_mono: "relax_outgoing u D v \ D v" + by (auto simp: relax_outgoing_def) + + +definition "all_dnodes \ Set.insert s { v . \u. w (u,v)\\ }" +definition "unfinished_dnodes S \ all_dnodes - S " + +lemma unfinished_nodes_subset: "unfinished_dnodes S \ all_dnodes" + by (auto simp: unfinished_dnodes_def) + +end + +subsubsection \Invariant\ +text \The invariant is defined as locale\ + +locale Dijkstra_Invar = Dijkstra w s for w and s :: 'v + + fixes D :: "'v estimate" and S :: "'v set" + assumes upper_bound: \\ s u \ D u\ \ \\D\ is a valid estimate\ + assumes s_in_S: \s\S \ (D=(\_. \)(s:=0) \ S={})\ \ \The start node is + finished, or we are in initial state\ + assumes S_precise: "u\S \ D u = \ s u" \ \Finished nodes have precise + estimate\ + assumes S_relaxed: \v\S \ D u \ \ s v + w (v,u)\ \ \Outgoing edges of + finished nodes have been relaxed, using precise distance\ +begin + +abbreviation (in Dijkstra) "D_invar \ Dijkstra_Invar w s" + +text \The invariant holds for the initial state\ +theorem (in Dijkstra) invar_init: "D_invar initD initS" + apply unfold_locales + unfolding initD_def initS_def + by (auto simp: relax_outgoing_def distance_direct) + + +text \Relaxing some edges maintains the upper bound property\ +lemma maintain_upper_bound: "\ s u \ (relax_outgoing v D) u" + apply (clarsimp simp: relax_outgoing_def upper_bound split: prod.splits) + using triangle upper_bound add_right_mono dual_order.trans by blast + +text \Relaxing edges will not affect nodes with already precise estimates\ +lemma relax_precise_id: "D v = \ s v \ relax_outgoing u D v = \ s v" + using maintain_upper_bound upper_bound relax_mono + by (metis antisym) + +text \In particular, relaxing edges will not affect finished nodes\ +lemma relax_finished_id: "v\S \ relax_outgoing u D v = D v" + by (simp add: S_precise relax_precise_id) + +text \The least (finite) estimate among all nodes \u\ not in \S\ is already precise. + This will allow us to add the node \u\ to \S\. \ +lemma maintain_S_precise_and_connected: + assumes UNS: "u\S" + assumes MIN: "\v. v\S \ D u \ D v" + shows "D u = \ s u" + text \We start with a case distinction whether we are in the first + step of the loop, where we process the start node, or in subsequent steps, + where the start node has already been finished.\ +proof (cases "u=s") + assume [simp]: "u=s" \ \First step of loop\ + then show ?thesis using \u\S\ s_in_S by simp +next + assume \u\s\ \ \Later step of loop\ + text \The start node has already been finished\ + with s_in_S MIN have \s\S\ apply clarsimp using infinity_ne_i0 by metis + + show ?thesis + text \Next, we handle the case that \u\ is unreachable.\ + proof (cases \\ s u < \\) + assume "\(\ s u < \)" \ \Node is unreachable (infinite distance)\ + text \By the upper-bound property, we get \D u = \ s u = \\\ + then show ?thesis using upper_bound[of u] by auto + next + assume "\ s u < \" \ \Main case: Node has finite distance\ + + text \Consider a shortest path from \s\ to \u\\ + obtain p where "path s p u" and DSU: "\ s u = sum_list p" + by (rule obtain_shortest_path) + text \It goes from inside \S\ to outside \S\, so there must be an edge at the border. + Let \(x,y)\ be such an edge, with \x\S\ and \y\S\.\ + from find_leave_edgeE[OF \path s p u\ \s\S\ \u\S\] obtain p1 x y p2 where + [simp]: "p = p1 @ w (x, y) # p2" + and DECOMP: "x \ S" "y \ S" "path s p1 x" "path y p2 u" . + text \As prefixes of shortest paths are again shortest paths, the shortest + path to \y\ ends with edge \(x,y)\ \ + have DSX: "\ s x = sum_list p1" and DSY: "\ s y = \ s x + w (x, y)" + using shortest_path_prefix[of s p1 x "w (x,y)#p2" u] + and shortest_path_prefix[of s "p1@[w (x,y)]" y p2 u] + and \\ s u < \\ DECOMP + by (force simp: DSU)+ + text \Upon adding \x\ to \S\, this edge has been relaxed with the precise + estimate for \x\. At this point the estimate for \y\ has become + precise, too\ + with \x\S\ have "D y = \ s y" + by (metis S_relaxed antisym_conv upper_bound) + moreover text \The shortest path to \y\ is a prefix of that to \u\, thus + it shorter or equal\ + have "\ \ \ s u" using DSU by (simp add: DSX DSY) + moreover text \The estimate for \u\ is an upper bound\ + have "\ \ D u" using upper_bound by (auto) + moreover text \\u\ was a node with smallest estimate\ + have "\ \ D y" using \u\S\ \y\S\ MIN by auto + ultimately text \This closed a cycle in the inequation chain. Thus, by + antisymmetry, all items are equal. In particular, \D u = \ s u\, qed.\ + show "D u = \ s u" by simp + qed +qed + +text \A step of Dijkstra's algorithm maintains the invariant. + More precisely, in a step of Dijkstra's algorithm, + we pick a node \u\S\ with least finite estimate, relax the outgoing + edges of \u\, and add \u\ to \S\.\ +theorem maintain_D_invar: + assumes UNS: "u\S" + assumes UNI: "D u < \" + assumes MIN: "\v. v\S \ D u \ D v" + shows "D_invar (relax_outgoing u D) (Set.insert u S)" + apply (cases \s\S\) + subgoal + apply (unfold_locales) + subgoal by (simp add: maintain_upper_bound) + subgoal by simp + subgoal + using maintain_S_precise_and_connected[OF UNS MIN] S_precise + by (auto simp: relax_precise_id) + subgoal + using maintain_S_precise_and_connected[OF UNS MIN] + by (auto simp: relax_outgoing_def S_relaxed min.coboundedI1) + done + subgoal + apply unfold_locales + using s_in_S UNI distance_direct + by (auto simp: relax_outgoing_def split: if_splits) + done + + +text \When the algorithm is finished, i.e., when there are + no unfinished nodes with finite estimates left, + then all estimates are accurate.\ +lemma invar_finish_imp_correct: + assumes F: "\u. u\S \ D u = \" + shows "D u = \ s u" +proof (cases "u\S") + assume "u\S" text \The estimates of finished nodes are accurate\ + then show ?thesis using S_precise by simp +next + assume \u\S\ text \\D u\ is minimal, and minimal estimates are precise\ + then show ?thesis + using F maintain_S_precise_and_connected[of u] by auto + +qed + + +text \A step decreases the set of unfinished nodes.\ +lemma unfinished_nodes_decr: + assumes UNS: "u\S" + assumes UNI: "D u < \" + shows "unfinished_dnodes (Set.insert u S) \ unfinished_dnodes S" +proof - + text \There is a path to \u\\ + from UNI have "\ s u < \" using upper_bound[of u] leD by fastforce + + text \Thus, \u\ is among \all_dnodes\\ + have "u\all_dnodes" + proof - + obtain p where "path s p u" "sum_list p < \" + apply (rule obtain_shortest_path[of s u]) + using \\ s u < \\ by auto + with \u\S\ show ?thesis + apply (cases p rule: rev_cases) + by (auto simp: Dijkstra.all_dnodes_def) + qed + text \Which implies the proposition\ + with \u\S\ show ?thesis by (auto simp: unfinished_dnodes_def) +qed + + +end + + +subsection \Refinement by Priority Map and Map\ +text \ + In a second step, we implement \D\ and \S\ by a priority map \Q\ and a map \V\. + Both map nodes to finite weights, where \Q\ maps unfinished nodes, and \V\ + maps finished nodes. + + Note that this implementation is slightly non-standard: + In the standard implementation, \Q\ contains also unfinished nodes with + infinite weight. + + We chose this implementation because it avoids enumerating all nodes of + the graph upon initialization of \Q\. + However, on relaxing an edge to a node not in \Q\, we require an extra + lookup to check whether the node is finished. +\ + +subsubsection \Implementing \enat\ by Option\ + +text \Our maps are functions to \nat option\,which are interpreted as \enat\, + \None\ being \\\\ + +fun enat_of_option :: "nat option \ enat" where + "enat_of_option None = \" +| "enat_of_option (Some n) = enat n" + +lemma enat_of_option_inj[simp]: "enat_of_option x = enat_of_option y \ x=y" + by (cases x; cases y; simp) + +lemma enat_of_option_simps[simp]: + "enat_of_option x = enat n \ x = Some n" + "enat_of_option x = \ \ x = None" + "enat n = enat_of_option x \ x = Some n" + "\ = enat_of_option x \ x = None" + by (cases x; auto; fail)+ + +lemma enat_of_option_le_conv: + "enat_of_option m \ enat_of_option n \ (case (m,n) of + (_,None) \ True + | (Some a, Some b) \ a\b + | (_, _) \ False + )" + by (auto split: option.split) + + + +subsubsection \Implementing \D,S\ by Priority Map and Map\ +context Dijkstra begin + +text \We define a coupling relation, that connects the concrete with the + abstract data. \ +definition "coupling Q V D S \ + D = enat_of_option o (V ++ Q) +\ S = dom V +\ dom V \ dom Q = {}" + +text \Note that our coupling relation is functional.\ +(* TODO: Why not use functions instead? *) +lemma coupling_fun: "coupling Q V D S \ coupling Q V D' S' \ D'=D \ S'=S" + by (auto simp: coupling_def) + +text \The concrete version of the invariant.\ +definition "D_invar' Q V \ + \D S. coupling Q V D S \ D_invar D S" + + +text \Refinement of \relax-outgoing\\ + +definition "relax_outgoing' u du V Q v \ + case w (u,v) of + \ \ Q v + | enat d \ (case Q v of + None \ if v\dom V then None else Some (du+d) + | Some d' \ Some (min d' (du+d))) +" + + +text \A step preserves the coupling relation.\ +lemma (in Dijkstra_Invar) coupling_step: + assumes C: "coupling Q V D S" + assumes UNS: "u\S" + assumes UNI: "D u = enat du" + + shows "coupling + ((relax_outgoing' u du V Q)(u:=None)) (V(u\du)) + (relax_outgoing u D) (Set.insert u S)" + using C unfolding coupling_def +proof (intro ext conjI; elim conjE) + assume \: "D = enat_of_option \ V ++ Q" "S = dom V" + and DD: "dom V \ dom Q = {}" + + show "Set.insert u S = dom (V(u \ du))" + by (auto simp: \) + + have [simp]: "Q u = Some du" "V u = None" + using DD UNI UNS by (auto simp: \) + + from DD + show "dom (V(u \ du)) \ dom ((relax_outgoing' u du V Q)(u := None)) = {}" + by (auto 0 3 + simp: relax_outgoing'_def dom_def + split: if_splits enat.splits option.splits) + + fix v + + show "relax_outgoing u D v + = (enat_of_option \ V(u \ du) ++ (relax_outgoing' u du V Q)(u := None)) v" + proof (cases "v\S") + case True + then show ?thesis using DD + apply (simp add: relax_finished_id) + by (auto + simp: relax_outgoing'_def map_add_apply \ min_def + split: option.splits enat.splits) + next + case False + then show ?thesis + by (auto + simp: relax_outgoing_def relax_outgoing'_def map_add_apply \ min_def + split: option.splits enat.splits) + qed +qed + +text \Refinement of initial state\ +definition "initQ \ Map.empty(s\0)" +definition "initV \ Map.empty" + +lemma coupling_init: + "coupling initQ initV initD initS" + unfolding coupling_def initD_def initQ_def initS_def initV_def + by (auto + simp: coupling_def relax_outgoing_def map_add_apply enat_0 + split: option.split enat.split + del: ext intro!: ext) + +lemma coupling_cond: + assumes "coupling Q V D S" + shows "(Q = Map.empty) \ (\u. u\S \ D u = \)" + using assms + by (fastforce simp add: coupling_def) + + +text \Termination argument: Refinement of unfinished nodes.\ +definition "unfinished_dnodes' V \ unfinished_dnodes (dom V)" + +lemma coupling_unfinished: + "coupling Q V D S \ unfinished_dnodes' V = unfinished_dnodes S" + by (auto simp: coupling_def unfinished_dnodes'_def unfinished_dnodes_def) + +subsubsection \Implementing graph by successor list\ + +definition "relax_outgoing'' l du V Q = fold (\(d,v) Q. + case Q v of None \ if v\dom V then Q else Q(v\du+d) + | Some d' \ Q(v\min (du+d) d')) l Q" + + +lemma relax_outgoing''_refine: + assumes "set l = {(d,v). w (u,v) = enat d}" + shows "relax_outgoing'' l du V Q = relax_outgoing' u du V Q" +proof + fix v + + have aux1: + "relax_outgoing'' l du V Q v + = (if v\snd`set l then relax_outgoing' u du V Q v else Q v)" + if "set l \ {(d,v). w (u,v) = enat d}" + using that + apply (induction l arbitrary: Q v) + by (auto + simp: relax_outgoing''_def relax_outgoing'_def image_iff + split!: if_splits option.splits) + + have aux2: + "relax_outgoing' u du V Q v = Q v" if "w (u,v) = \" + using that by (auto simp: relax_outgoing'_def) + + show "relax_outgoing'' l du V Q v = relax_outgoing' u du V Q v" + using aux1 + apply (cases "w (u,v)") + by (all \force simp: aux2 assms\) +qed + +end + +end diff --git a/thys/Prim_Dijkstra_Simple/Dijkstra_Impl.thy b/thys/Prim_Dijkstra_Simple/Dijkstra_Impl.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Dijkstra_Impl.thy @@ -0,0 +1,285 @@ +section \Implementation of Dijkstra's Algorithm\ +theory Dijkstra_Impl +imports + Dijkstra_Abstract + "Directed_Graph_Impl" + "HOL-Library.While_Combinator" + "Priority_Search_Trees.PST_RBT" + "HOL-Data_Structures.RBT_Map" +begin + +subsection \Implementation using ADT Interfaces\ + +locale Dijkstra_Impl_Adts = + G: adt_finite_wgraph G_invar G_succ G_empty G_add G_\ ++ M: Map M_empty M_update M_delete M_lookup M_invar ++ Q: PrioMap Q_empty Q_update Q_delete Q_invar Q_lookup Q_is_empty Q_getmin + + for G_\ :: "'g \ ('v) wgraph" and G_invar G_succ G_empty G_add + + and M_empty M_update M_delete and M_lookup :: "'m \ 'v \ nat option" + and M_invar + + and Q_empty Q_update Q_delete Q_invar and Q_lookup :: "'q \ 'v \ nat option" + and Q_is_empty Q_getmin +begin + +text \Simplifier setup\ +lemmas [simp] = G.wgraph_specs +lemmas [simp] = M.map_specs +lemmas [simp] = Q.prio_map_specs + +end + + +context PrioMap begin + +lemma map_getminE: + assumes "getmin m = (k,p)" "invar m" "lookup m \ Map.empty" + obtains "lookup m k = Some p" "\k' p'. lookup m k' = Some p' \ p\p'" + using map_getmin[OF assms] + by (auto simp: ran_def) + +end + +locale Dijkstra_Impl_Defs = Dijkstra_Impl_Adts where G_\ = G_\ + + Dijkstra \G_\ g\ s + for G_\ :: "'g \ ('v::linorder) wgraph" and g s + + +locale Dijkstra_Impl = Dijkstra_Impl_Defs where G_\ = G_\ + for G_\ :: "'g \ ('v::linorder) wgraph" + + + assumes G_invar[simp]: "G_invar g" +begin + +lemma finite_all_dnodes[simp, intro!]: "finite all_dnodes" +proof - + have "all_dnodes \ Set.insert s (snd ` edges)" + by (fastforce simp: all_dnodes_def edges_def image_iff) + also have "finite \" by (auto simp: G.finite) + finally (finite_subset) show ?thesis . +qed + +lemma finite_unfinished_dnodes[simp, intro!]: "finite (unfinished_dnodes S)" + using finite_subset[OF unfinished_nodes_subset] by auto + + +lemma (in -) fold_refine: + assumes "I s" + assumes "\s x. I s \ x\set l \ I (f x s) \ \ (f x s) = f' x (\ s)" + shows "I (fold f l s) \ \ (fold f l s) = fold f' l (\ s)" + using assms + by (induction l arbitrary: s) auto + +definition (in Dijkstra_Impl_Defs) "Q_relax_outgoing u du V Q = fold (\(d,v) Q. + case Q_lookup Q v of + None \ if M_lookup V v \ None then Q else Q_update v (du+d) Q + | Some d' \ Q_update v (min (du+d) d') Q) ((G_succ g u)) Q" + +lemma Q_relax_outgoing[simp]: + assumes [simp]: "Q_invar Q" + shows "Q_invar (Q_relax_outgoing u du V Q) + \ Q_lookup (Q_relax_outgoing u du V Q) + = relax_outgoing' u du (M_lookup V) (Q_lookup Q)" + apply (subst relax_outgoing''_refine[symmetric, where l="G_succ g u"]) + apply simp + unfolding Q_relax_outgoing_def relax_outgoing''_def + apply (rule fold_refine[where I=Q_invar and \=Q_lookup]) + by (auto split: option.split) + +definition (in Dijkstra_Impl_Defs) "D_invar_impl Q V \ + Q_invar Q \ M_invar V \ D_invar' (Q_lookup Q) (M_lookup V)" + +definition (in Dijkstra_Impl_Defs) + "Q_initQ \ Q_update s 0 Q_empty" + +lemma Q_init_Q[simp]: + shows "Q_invar (Q_initQ)" "Q_lookup (Q_initQ) = initQ" + by (auto simp: Q_initQ_def initQ_def) + +definition (in Dijkstra_Impl_Defs) + "M_initV \ M_empty" + +lemma M_initS[simp]: "M_invar M_initV" "M_lookup M_initV = initV" + unfolding M_initV_def initV_def by auto + +term Q_getmin + +definition (in Dijkstra_Impl_Defs) + "dijkstra_loop \ while (\(Q,V). \ Q_is_empty Q) (\(Q,V). + let + (u,du) = Q_getmin Q; + Q = Q_relax_outgoing u du V Q; + Q = Q_delete u Q; + V = M_update u du V + in + (Q,V) + ) (Q_initQ,M_initV)" + +definition (in Dijkstra_Impl_Defs) "dijkstra \ snd dijkstra_loop" + +lemma transfer_preconditions: + assumes "coupling Q V D S" + shows "Q u = Some du \ D u = enat du \ u\S" + using assms + by (auto simp: coupling_def) + + +lemma dijkstra_loop_invar_and_empty: + shows "case dijkstra_loop of (Q,V) \ D_invar_impl Q V \ Q_is_empty Q" + unfolding dijkstra_loop_def + apply (rule while_rule[where + P="case_prod D_invar_impl" + and r="inv_image finite_psubset (unfinished_dnodes' o M_lookup o snd)"]) + apply (all \(clarsimp split: prod.splits)?\) + subgoal + apply (simp add: D_invar_impl_def) + apply (simp add: D_invar'_def) + apply (intro exI conjI) + apply (rule coupling_init) + using initD_def initS_def invar_init by auto +proof - + fix Q V u du + assume "\ Q_is_empty Q" "D_invar_impl Q V" "Q_getmin Q = (u, du)" + hence "Q_lookup Q \ Map.empty" "D_invar' (Q_lookup Q) (M_lookup V)" + and [simp]: "Q_invar Q" "M_invar V" + and "Q_lookup Q u = Some du" "\k' p'. Q_lookup Q k' = Some p' \ du \ p'" + by (auto simp: D_invar_impl_def elim: Q.map_getminE) + + then obtain D S where + "D_invar D S" + and COUPLING: "coupling (Q_lookup Q) (M_lookup V) D S" + and ABS_PRE: "D u = enat du" "u\S" "\v. v \ S \ D u \ D v" + by (auto + simp: D_invar'_def transfer_preconditions less_eq_enat_def + split: enat.splits) + + then interpret Dijkstra_Invar "G_\ g" s D S by simp + + have COUPLING': "coupling + ((relax_outgoing' u du (M_lookup V) (Q_lookup Q))(u := None)) + (M_lookup V(u \ du)) + (relax_outgoing u D) + (Set.insert u S)" + using coupling_step[OF COUPLING \u\S\ \D u = enat du\] by auto + + show "D_invar_impl (Q_delete u (Q_relax_outgoing u du V Q)) (M_update u du V)" + using maintain_D_invar[OF \u\S\] ABS_PRE + using COUPLING' + by (auto simp: D_invar_impl_def D_invar'_def) + + show "unfinished_dnodes' (M_lookup (M_update u du V)) + \ unfinished_dnodes' (M_lookup V) + \ finite (unfinished_dnodes' (M_lookup V))" + using coupling_unfinished[OF COUPLING] coupling_unfinished[OF COUPLING'] + using unfinished_nodes_decr[OF \u\S\] ABS_PRE + by simp +qed + +lemma dijkstra_correct: + "M_invar dijkstra" + "M_lookup dijkstra u = Some d \ \ s u = enat d" + using dijkstra_loop_invar_and_empty + unfolding dijkstra_def + apply - + apply (all \clarsimp simp: D_invar_impl_def\) + apply (clarsimp simp: D_invar'_def) + subgoal for Q V D S + using Dijkstra_Invar.invar_finish_imp_correct[of "G_\ g" s D S u] + apply (clarsimp simp: coupling_def) + by (auto simp: domIff) + done + + +end + + +subsection \Instantiation of ADTs and Code Generation\ + +global_interpretation + G: wgraph_by_map RBT_Set.empty RBT_Map.update + RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + defines G_empty = G.empty_graph + and G_add_edge = G.add_edge + and G_succ = G.succ + by unfold_locales + +global_interpretation Dijkstra_Impl_Adts + G.\ G.invar G.succ G.empty_graph G.add_edge + + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + .. + +global_interpretation D: Dijkstra_Impl_Defs + G.invar G.succ G.empty_graph G.add_edge + + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + + G.\ g s for g and s::"'v::linorder" + defines dijkstra = D.dijkstra + and dijkstra_loop = D.dijkstra_loop + and Q_relax_outgoing = D.Q_relax_outgoing + and M_initV = D.M_initV + and Q_initQ = D.Q_initQ + .. + +(* TODO: Why is this fix necessary? *) +lemmas [code] = + D.dijkstra_def D.dijkstra_loop_def + +context + fixes g + assumes [simp]: "G.invar g" +begin + +interpretation AUX: Dijkstra_Impl + G.invar G.succ G.empty_graph G.add_edge + + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + + g s G.\ for s + by unfold_locales simp_all + +lemmas dijkstra_correct = AUX.dijkstra_correct[folded dijkstra_def] + +end + +subsection \Combination with Graph Parser\ +text \We combine the algorithm with a parser from lists to graphs\ + +global_interpretation + G: wgraph_from_list_algo G.\ G.invar G.succ G.empty_graph G.add_edge + defines from_list = G.from_list + .. + + +definition "dijkstra_list l s \ + if valid_graph_rep l then Some (dijkstra (from_list l) s) else None" + +theorem dijkstra_list_correct: + "case dijkstra_list l s of + None \ \valid_graph_rep l + | Some D \ + valid_graph_rep l + \ M.invar D + \ (\u d. lookup D u = Some d \ WGraph.\ (wgraph_of_list l) s u = enat d)" + unfolding dijkstra_list_def + by (auto simp: dijkstra_correct G.from_list_correct) + +export_code dijkstra_list checking SML OCaml? Scala Haskell? + +value "dijkstra_list [(1::nat,2,7),(1,3,1),(3,2,2)] 1" +value "dijkstra_list [(1::nat,2,7),(1,3,1),(3,2,2)] 3" + + +end diff --git a/thys/Prim_Dijkstra_Simple/Directed_Graph.thy b/thys/Prim_Dijkstra_Simple/Directed_Graph.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Directed_Graph.thy @@ -0,0 +1,141 @@ +section \Weighted Directed Graphs\ +theory Directed_Graph +imports Common +begin + +text \ + A weighted graph is represented by a function from edges to weights. + + For simplicity, we use @{typ enat} as weights, @{term \\\} meaning + that there is no edge. +\ + +type_synonym ('v) wgraph = "('v \ 'v) \ enat" + +text \We encapsulate weighted graphs into a locale that fixes a graph\ +locale WGraph = fixes w :: "'v wgraph" +begin +text \Set of edges with finite weight\ +definition "edges \ {(u,v) . w (u,v) \ \}" + +subsection \Paths\ +text \A path between nodes \u\ and \v\ is a list of edge weights + of a sequence of edges from \u\ to \v\. + + Note that a path may also contain edges with weight \\\. +\ + +fun path :: "'v \ enat list \ 'v \ bool" where + "path u [] v \ u=v" +| "path u (l#ls) v \ (\uh. l = w (u,uh) \ path uh ls v)" + +lemma path_append[simp]: + "path u (ls1@ls2) v \ (\w. path u ls1 w \ path w ls2 v)" + by (induction ls1 arbitrary: u) auto + +text \There is a singleton path between every two nodes + (it's weight might be \\\).\ +lemma triv_path: "path u [w (u,v)] v" by auto + +text \Shortcut for the set of all paths between two nodes\ +definition "paths u v \ {p . path u p v}" + +lemma paths_ne: "paths u v \ {}" using triv_path unfolding paths_def by blast + +text \If there is a path from a node inside a set \S\, to a node outside + a set \S\, this path must contain an edge from inside \S\ to outside \S\. +\ +lemma find_leave_edgeE: + assumes "path u p v" + assumes "u\S" "v\S" + obtains p1 x y p2 + where "p = p1@w (x,y)#p2" "x\S" "y\S" "path u p1 x" "path y p2 v" +proof - + have "\p1 x y p2. p = p1@w (x,y)#p2 \ x\S \ y\S \ path u p1 x \ path y p2 v" + using assms + proof (induction p arbitrary: u) + case Nil + then show ?case by auto + next + case (Cons a p) + from Cons.prems obtain x where [simp]: "a=w (u,x)" and PX: "path x p v" + by auto + + show ?case proof (cases "x\S") + case False with PX \u\S\ show ?thesis by fastforce + next + case True from Cons.IH[OF PX True \v\S\] show ?thesis + by clarsimp (metis WGraph.path.simps(2) append_Cons) + qed + qed + thus ?thesis by (fast intro: that) +qed + +subsection \Distance\ + +text \The (minimum) distance between two nodes \u\ and \v\ is called \\ u v\.\ + +definition "\ u v \ LEAST w::enat. w\sum_list`paths u v" + +lemma obtain_shortest_path: + obtains p where "path s p u" "\ s u = sum_list p" + unfolding \_def using paths_ne + by (smt Collect_empty_eq LeastI_ex WGraph.paths_def imageI image_iff + mem_Collect_eq paths_def) + +lemma shortest_path_least: + "path s p u \ \ s u \ sum_list p" + unfolding \_def paths_def + by (simp add: Least_le) + +lemma distance_refl[simp]: "\ s s = 0" + using shortest_path_least[of s "[]" s] by auto + +lemma distance_direct: "\ s u \ w (s, u)" + using shortest_path_least[of s "[w (s,u)]" u] by auto + +text \Triangle inequality: The distance from \s\ to \v\ is shorter than + the distance from \s\ to \u\ and the edge weight from \u\ to \v\. \ +lemma triangle: "\ s v \ \ s u + w (u,v)" +proof - + have "path s (p@[w (u,v)]) v" if "path s p u" for p using that by auto + then have "(+) (w (u,v)) ` sum_list ` paths s u \ sum_list ` paths s v" + by (fastforce simp: paths_def image_iff simp del: path.simps path_append) + from least_antimono[OF _ this] paths_ne have + "(LEAST y::enat. y \ sum_list ` paths s v) + \ (LEAST x::enat. x \ (+) (w (u,v)) ` sum_list ` paths s u)" + by (auto simp: paths_def) + also have "\ = (LEAST x. x \ sum_list ` paths s u) + w (u,v)" + apply (subst Least_mono[of "(+) (w (u,v))" "sum_list`paths s u"]) + subgoal by (auto simp: mono_def) + subgoal by simp (metis paths_def mem_Collect_eq + obtain_shortest_path shortest_path_least) + subgoal by auto + done + finally show ?thesis unfolding \_def . +qed + +text \Any prefix of a shortest path is a shortest path itself. + Note: The \< \\ conditions are required to avoid saturation in adding to \\\! +\ +lemma shortest_path_prefix: + assumes "path s p\<^sub>1 x" "path x p\<^sub>2 u" + and DSU: "\ s u = sum_list p\<^sub>1 + sum_list p\<^sub>2" "\ s u < \" + shows "\ s x = sum_list p\<^sub>1" "\ s x < \" +proof - + have "\ s x \ sum_list p\<^sub>1" using assms shortest_path_least by blast + moreover have "\\ s x < sum_list p\<^sub>1" proof + assume "\ s x < sum_list p\<^sub>1" + then obtain p\<^sub>1' where "path s p\<^sub>1' x" "sum_list p\<^sub>1' < sum_list p\<^sub>1" + by (auto intro: obtain_shortest_path[of s x]) + with \path x p\<^sub>2 u\ shortest_path_least[of s "p\<^sub>1'@p\<^sub>2" u] DSU show False + by fastforce + qed + ultimately show "\ s x = sum_list p\<^sub>1" by auto + with DSU show "\ s x < \" using le_iff_add by fastforce +qed + + +end + +end diff --git a/thys/Prim_Dijkstra_Simple/Directed_Graph_Impl.thy b/thys/Prim_Dijkstra_Simple/Directed_Graph_Impl.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Directed_Graph_Impl.thy @@ -0,0 +1,68 @@ +section \Weighted Digraph Implementation by Adjacency Map\ +theory Directed_Graph_Impl +imports + Directed_Graph_Specs + "HOL-Data_Structures.Map_Specs" +begin + +locale wgraph_by_map = + M: Map M_empty M_update M_delete M_lookup M_invar + + for M_empty M_update M_delete + and M_lookup :: "'m \ 'v \ ((nat\'v) list) option" and M_invar +begin + +definition \ :: "'m \ ('v) wgraph" where + "\ g \ \(u,v). case M_lookup g u of + None \ \ + | Some l \ if \d. (d,v)\set l then enat (SOME d. (d,v)\set l) else \" + +definition invar :: "'m \ bool" where "invar g \ + M_invar g + \ (\l\ran (M_lookup g). distinct (map snd l)) + \ finite (WGraph.edges (\ g))" + +definition succ :: "'m \ 'v \ (nat \ 'v) list" where + "succ g v = the_default [] (M_lookup g v)" + +definition empty_graph :: "'m" where "empty_graph = M_empty" + +definition add_edge :: "'v\'v \ nat \ 'm \ 'm" where + "add_edge \ \(u,v) d g. M_update u ((d,v) # the_default [] (M_lookup g u)) g" + +sublocale adt_finite_wgraph invar succ empty_graph add_edge \ + apply unfold_locales + subgoal for g u + by (cases "M_lookup g u") + (auto + simp: invar_def \_def succ_def ran_def + intro: distinct_map_snd_inj someI + split: option.splits + ) + subgoal by (auto + simp: invar_def \_def empty_graph_def add_edge_def M.map_specs + split: option.split) + subgoal by (auto + simp: invar_def \_def empty_graph_def add_edge_def M.map_specs + split: option.split) +proof - + text \Explicit proof to nicely handle finiteness constraint, using already + proved shape of abstract result\ + fix g e d + assume A: "invar g" "\ g e = \" + then show AAE: "\ (add_edge e d g) = (\ g)(e := enat d)" + by (auto + simp: invar_def \_def add_edge_def M.map_specs + split: option.splits if_splits prod.splits + ) + + from A show "invar (add_edge e d g)" + apply (simp add: invar_def AAE) + by (force + simp: invar_def \_def empty_graph_def add_edge_def M.map_specs ran_def + split: option.splits if_splits prod.splits) +qed (simp add: invar_def) + +end + +end diff --git a/thys/Prim_Dijkstra_Simple/Directed_Graph_Specs.thy b/thys/Prim_Dijkstra_Simple/Directed_Graph_Specs.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Directed_Graph_Specs.thy @@ -0,0 +1,129 @@ +section \Abstract Datatype for Weighted Directed Graphs\ +theory Directed_Graph_Specs +imports Directed_Graph +begin + +locale adt_wgraph = + fixes \ :: "'g \ ('v) wgraph" + and invar :: "'g \ bool" + and succ :: "'g \ 'v \ (nat\'v) list" + and empty_graph :: 'g + and add_edge :: "'v\'v \ nat \ 'g \ 'g" + assumes succ_correct: "invar g \ set (succ g u) = {(d,v). \ g (u,v) = enat d}" + assumes empty_graph_correct: + "invar empty_graph" + "\ empty_graph = (\_. \)" + assumes add_edge_correct: + "invar g \ \ g e = \ \ invar (add_edge e d g)" + "invar g \ \ g e = \ \ \ (add_edge e d g) = (\ g)(e:=enat d)" +begin + +lemmas wgraph_specs = succ_correct empty_graph_correct add_edge_correct + +end + +locale adt_finite_wgraph = adt_wgraph where \=\ for \ :: "'g \ ('v) wgraph" + + assumes finite: "invar g \ finite (WGraph.edges (\ g))" + + +subsection \Constructing Weighted Graphs from Lists\ +lemma edges_empty[simp]: "WGraph.edges (\_. \) = {}" + by (auto simp: WGraph.edges_def) + +lemma edges_insert[simp]: + "WGraph.edges (g(e:=enat d)) = Set.insert e (WGraph.edges g)" + by (auto simp: WGraph.edges_def) + +text \A list represents a graph if there are no multi-edges or duplicate edges\ +definition "valid_graph_rep l \ + (\u d d' v. (u,v,d)\set l \ (u,v,d')\set l \ d=d') +\ distinct l + " + +text \Alternative characterization: all node pairs must be distinct\ +lemma valid_graph_rep_code[code]: + "valid_graph_rep l \ distinct (map (\(u,v,_). (u,v)) l)" + by (auto simp: valid_graph_rep_def distinct_map inj_on_def) + +lemma valid_graph_rep_simps[simp]: + "valid_graph_rep []" + "valid_graph_rep ((u,v,d) # l) \ valid_graph_rep l \ (\d'. (u,v,d')\set l)" + by (auto simp: valid_graph_rep_def) + + +text \For a valid graph representation, there is exactly one graph that + corresponds to it\ +lemma valid_graph_rep_ex1: + "valid_graph_rep l \ \! w. \u v d. w (u,v) = enat d \ (u,v,d)\set l" + unfolding valid_graph_rep_code + apply safe + subgoal + apply (rule exI[where x="\(u,v). + if \d. (u,v,d)\set l then enat (SOME d. (u,v,d)\set l) else \"]) + by (auto intro: someI simp: distinct_map inj_on_def split: prod.splits; + blast) + subgoal for w w' + apply (simp add: fun_eq_iff) + by (metis (mono_tags, hide_lams) not_enat_eq) + done + +text \We define this graph using determinate choice\ +definition "wgraph_of_list l \ THE w. \u v d. w (u,v) = enat d \ (u,v,d)\set l" + +locale wgraph_from_list_algo = adt_wgraph +begin + +definition "from_list l \ fold (\(u,v,d). add_edge (u,v) d) l empty_graph" + +definition "edges_undef l w \ \u v d. (u,v,d)\set l \ w (u,v) = \" + +lemma edges_undef_simps[simp]: + "edges_undef [] w" + "edges_undef l (\_. \)" + "edges_undef ((u,v,d)#l) w \ edges_undef l w \ w (u,v) = \" + "edges_undef l (w((u,v) := enat d)) \ edges_undef l w \ (\d'. (u,v,d')\set l)" + by (auto simp: edges_undef_def) + +lemma from_list_correct_aux: + assumes "valid_graph_rep l" + assumes "edges_undef l (\ g)" + assumes "invar g" + defines "g' \ fold (\(u,v,d). add_edge (u,v) d) l g" + shows "invar g'" + and "(\u v d. \ g' (u,v) = enat d \ \ g (u,v) = enat d \ (u,v,d)\set l)" + using assms(1-3) unfolding g'_def + apply (induction l arbitrary: g) + by (auto simp: wgraph_specs split: if_splits) + +lemma from_list_correct': + assumes "valid_graph_rep l" + shows "invar (from_list l)" + and "(u,v,d)\set l \ \ (from_list l) (u,v) = enat d" + unfolding from_list_def + using from_list_correct_aux[OF assms, where g=empty_graph] + by (auto simp: wgraph_specs) + +lemma from_list_correct: + assumes "valid_graph_rep l" + shows "invar (from_list l)" "\ (from_list l) = wgraph_of_list l" +proof - + from theI'[OF valid_graph_rep_ex1[OF assms], folded wgraph_of_list_def] + have "(wgraph_of_list l (u, v) = enat d) = ((u, v, d) \ set l)" for u v d + by blast + + then show "\ (from_list l) = wgraph_of_list l" + using from_list_correct_aux[OF assms, where g=empty_graph] + apply (clarsimp simp: fun_eq_iff wgraph_specs from_list_def) + apply (metis (no_types) enat.exhaust) + done + + show "invar (from_list l)" + by (simp add: assms from_list_correct') + +qed + +end + + + +end diff --git a/thys/Prim_Dijkstra_Simple/Prim_Abstract.thy b/thys/Prim_Dijkstra_Simple/Prim_Abstract.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Prim_Abstract.thy @@ -0,0 +1,922 @@ +section \Abstract Prim Algorithm\ +theory Prim_Abstract +imports + Main + Common + Undirected_Graph + "HOL-Eisbach.Eisbach" +begin + +subsection \Generic Algorithm: Light Edges\label{sec:generic_mst}\ + +definition "is_subset_MST w g A \ \t. is_MST w g t \ A \ edges t" + +lemma is_subset_MST_empty[simp]: "connected g \ is_subset_MST w g {}" + using exists_MST unfolding is_subset_MST_def by blast + +text \We fix a start node and a weighted graph\ +locale Prim = + fixes w :: "'v set \ nat" and g :: "'v ugraph" and r :: 'v +begin + +text \Reachable part of the graph\ +definition "rg \ component_of g r" + +lemma reachable_connected[simp, intro!]: "connected rg" + unfolding rg_def by auto + +lemma reachable_edges_subset: "edges rg \ edges g" + unfolding rg_def by (rule component_edges_subset) + +definition "light_edge C u v + \ u\C \ v\C \ (u,v)\edges rg + \ (\(u',v')\edges rg \ C\-C. w {u,v} \ w {u',v'})" + +definition "respects_cut A C \ A \ C\C \ (-C)\(-C)" + +lemma light_edge_is_safe: + fixes A :: "('v\'v) set" and C :: "'v set" + assumes subset_MST: "is_subset_MST w rg A" + assumes respects_cut: "respects_cut A C" + assumes light_edge: "light_edge C u v" + shows "is_subset_MST w rg ({(v,u)} \ A)" +proof - + have crossing_edge: "u\C" "v\C" "(u,v)\edges rg" + and min_edge: "\(u',v')\edges rg \ C\-C. w {u,v} \ w {u',v'}" + using light_edge unfolding light_edge_def by auto + + from subset_MST obtain T where T: "is_MST w rg T" "A \ edges T" + unfolding is_subset_MST_def by auto + hence "tree T" "edges T \ edges rg" "nodes T = nodes rg" + by (simp_all add: is_MST_def is_spanning_tree_def) + hence "connected T" by(simp_all add: tree_def) + show ?thesis + proof cases + assume "(u,v) \ edges T" + thus ?thesis unfolding is_subset_MST_def using T by (auto simp: edges_sym') + next + assume "(u,v) \ edges T" hence "(v,u)\edges T" by (auto simp: edges_sym') + from \(u,v)\edges rg\ obtain p where p: "path T u p v" "simple p" + by (metis connectedD \connected T\ \nodes T = nodes rg\ nodesI + rtrancl_edges_iff_path simplify_pathE) + + have [simp]: "u\v" using crossing_edge by blast + + from find_crossing_edge_on_path[OF p(1), where P="\x. x\C"] + crossing_edge(1,2) + obtain x y p1 p2 where xy: "(x,y) \ set p" "x \ C" "y \ C" + and ux: "path (restrict_edges T (-{(x,y),(y,x)})) u p1 x" + and yv: "path (restrict_edges T (-{(x,y),(y,x)})) y p2 v" + using path_change[OF crossing_edge(1,2) p] by blast + have "(x,y) \ edges T" + by (meson contra_subsetD p(1) path_edges xy(1)) + + let ?E' = "edges T - {(x,y),(y,x)}" + + from split_tree[OF \tree T\ \(x,y)\edges T\] + obtain T1 T2 where T12: + "tree T1" "tree T2" + and "nodes T1 \ nodes T2 = {}" + and "nodes T = nodes T1 \ nodes T2" + and "edges T1 \ edges T2 = ?E'" + and "nodes T1 = { u . (x,u)\?E'\<^sup>*}" + and "nodes T2 = { u . (y,u)\?E'\<^sup>*}" + and "x\nodes T1" "y\nodes T2" . + + let ?T' = "ins_edge (u,v) (graph_join T1 T2)" + + have "is_spanning_tree rg ?T'" proof - + + have E'_sym: "sym (?E'\<^sup>*)" + by (meson edgesT_diff_sng_inv_eq sym_conv_converse_eq sym_rtrancl) + + have "u\nodes T1" + unfolding \nodes T1 = _\ + using path_rtrancl_edgesD[OF ux] by (auto dest: symD[OF E'_sym]) + + have "v\nodes T2" + unfolding \nodes T2 = _\ + using path_rtrancl_edgesD[OF yv] by auto + + have "tree ?T'" by (rule join_trees) fact+ + + show "is_spanning_tree rg ?T'" + unfolding is_spanning_tree_def + using \nodes T = nodes rg\ \nodes T = nodes T1 \ nodes T2\[symmetric] + using \tree ?T'\ \u\v\ + using \edges T \ edges rg\ \edges T1 \ edges T2 = ?E'\ + apply simp + by (metis Diff_subset crossing_edge(3) edges_sym' insert_absorb + nodesI(2) subset_trans) + qed + moreover + + have "weight w ?T' \ weight w T'" if "is_spanning_tree rg T'" for T' + proof - + have ww: "w {u,v} \ w{x,y}" + using min_edge \(x,y)\edges T\ \edges T \ edges rg\ \x\C\ \y\C\ + by blast + + have "weight w ?T' = weight w T - w {x,y} + w{u,v}" + using \(u, v) \ edges T\ \(x, y) \ edges T\ + using \edges T1 \ edges T2 = edges T - {(x, y), (y, x)}\ \u \ v\ + by (smt Diff_eq Diff_subset add.commute contra_subsetD edges_join + edges_restrict_edges minus_inv_sym_aux sup.idem weight_cong + weight_del_edge weight_ins_edge) + also have "\ \ weight w T" + using weight_ge_edge[OF \(x,y)\edges T\, of w] ww by auto + also have "weight w T \ weight w T'" using T(1) \is_spanning_tree rg T'\ + unfolding is_MST_def by simp + finally show ?thesis . + qed + ultimately have "is_MST w rg ?T'" using is_MST_def by blast + have "{(u,v),(v,u)} \ A \ edges ?T'" + using T(2) respects_cut xy(2,3) \edges T1 \ edges T2 = ?E'\ + unfolding respects_cut_def + by auto + + with \is_MST w rg ?T'\ show ?thesis unfolding is_subset_MST_def by force + qed +qed + +end + +subsection \Abstract Prim: Growing a Tree\label{sec:prim_algo}\ +context Prim begin + +text \The current nodes\ +definition "S A \ {r} \ fst`A \ snd`A" + +lemma respects_cut': "A \ S A \ S A" + unfolding S_def by force + +corollary respects_cut: "respects_cut A (S A)" + unfolding respects_cut_def using respects_cut' by auto + +text \Refined invariant: Adds connectedness of \A\\ +definition "prim_invar1 A \ is_subset_MST w rg A \ (\(u,v)\A. (v,r)\A\<^sup>*)" + +text \Measure: Number of nodes not in tree\ +definition "T_measure1 A = card (nodes rg - S A)" + +end + +text \We use a locale that fixes a state and assumes the invariant\ +locale Prim_Invar1_loc = + Prim w g r for w g and r :: 'v + + fixes A :: "('v\'v) set" + assumes invar1: "prim_invar1 A" +begin +lemma subset_MST: "is_subset_MST w rg A" + using invar1 unfolding prim_invar1_def by auto + +lemma A_connected: "(u,v)\A \ (v,r)\A\<^sup>*" + using invar1 unfolding prim_invar1_def by auto + +lemma S_alt_def: "S A = {r} \ fst`A" + unfolding S_def + apply (safe;simp) + by (metis A_connected Domain_fst Not_Domain_rtrancl) + +lemma finite_rem_nodes[simp,intro!]: "finite (nodes rg - S A)" by auto + +lemma A_edges: "A \ edges g" + using subset_MST + by (meson is_MST_def is_spanning_tree_def is_subset_MST_def + reachable_edges_subset subset_eq) + +lemma S_reachable: "S A \ nodes rg" + unfolding S_alt_def + by (smt DomainE Un_insert_left fst_eq_Domain insert_subset is_MST_def + is_spanning_tree_def is_subset_MST_def nodesI(1) nodes_of_component + reachable_nodes_refl rg_def subset_MST subset_iff sup_bot.left_neutral) + +lemma S_edge_reachable: "\u\S A; (u,v)\edges g \ \ (u,v)\edges rg" + using S_reachable unfolding rg_def + using reachable_nodes_step'(2) by fastforce + +lemma edges_S_rg_edges: "edges g \ S A\-S A = edges rg \ S A\-S A" + using S_edge_reachable reachable_edges_subset by auto + +lemma T_measure1_less: "T_measure1 A < card (nodes rg)" + unfolding T_measure1_def S_def + by (metis Diff_subset S_def S_reachable Un_insert_left le_supE nodes_finite + psubsetI psubset_card_mono singletonI subset_Diff_insert) + + +lemma finite_A[simp, intro!]: "finite A" + using A_edges finite_subset by auto + +lemma finite_S[simp, intro!]: "finite (S A)" + using S_reachable rev_finite_subset by blast + +(* TODO: Used? *) +lemma S_A_consistent[simp, intro!]: "nodes_edges_consistent (S A) (A\A\)" + unfolding nodes_edges_consistent_def + apply (intro conjI) + subgoal by simp + subgoal using A_edges irrefl_def by fastforce + subgoal by (simp add: sym_Un_converse) + using respects_cut' by auto + + +end + +context Prim begin + +lemma invar1_initial: "prim_invar1 {}" + by (auto simp: is_subset_MST_def prim_invar1_def exists_MST) + +lemma maintain_invar1: + assumes invar: "prim_invar1 A" + assumes light_edge: "light_edge (S A) u v" + shows "prim_invar1 ({(v,u)}\A) + \ T_measure1 ({(v,u)}\A) < T_measure1 A" (is "?G1 \ ?G2") +proof + + from invar interpret Prim_Invar1_loc w g r A by unfold_locales + + from light_edge have "u\S A" "v\S A" by (simp_all add: light_edge_def) + + show ?G1 + unfolding prim_invar1_def + proof (intro conjI) + show "is_subset_MST w rg ({(v, u)} \ A)" + by (rule light_edge_is_safe[OF subset_MST respects_cut light_edge]) + + next + show "\(ua, va)\{(v, u)} \ A. (va, r) \ ({(v, u)} \ A)\<^sup>*" + apply safe + subgoal + using A_connected + by (simp add: rtrancl_insert) + (metis DomainE S_alt_def converse_rtrancl_into_rtrancl \u\S A\ + fst_eq_Domain insertE insert_is_Un rtrancl_eq_or_trancl) + subgoal using A_connected by (simp add: rtrancl_insert) + done + qed + then interpret N: Prim_Invar1_loc w g r "{(v,u)}\A" by unfold_locales + + have "S A \ S ({(v,u)}\A)" using \v\S A\ + unfolding S_def by auto + then show "?G2" unfolding T_measure1_def + using S_reachable N.S_reachable + by (auto intro!: psubset_card_mono) + +qed + +lemma invar1_finish: + assumes INV: "prim_invar1 A" + assumes FIN: "edges g \ S A\-S A = {}" + shows "is_MST w rg (graph {r} A)" +proof - + from INV interpret Prim_Invar1_loc w g r A by unfold_locales + + from subset_MST obtain t where MST: "is_MST w rg t" and "A \ edges t" + unfolding is_subset_MST_def by auto + + have "S A = nodes t" + proof safe + fix u + show "u\S A \ u\nodes t" using MST + unfolding is_MST_def is_spanning_tree_def + using S_reachable by auto + next + fix u + assume "u\nodes t" + hence "u\nodes rg" + using MST is_MST_def is_spanning_tree_def by force + hence 1: "(u,r)\(edges rg)\<^sup>*" by (simp add: connectedD rg_def) + have "r\S A" by (simp add: S_def) + show "u\S A" proof (rule ccontr) + assume "u\S A" + from find_crossing_edge_rtrancl[where P="\u. u\S A", OF 1 \u\S A\ \r\S A\] + FIN reachable_edges_subset + show False + by (smt ComplI IntI contra_subsetD edges_sym' emptyE mem_Sigma_iff) + + qed + qed + also have "nodes t = nodes rg" + using MST unfolding is_MST_def is_spanning_tree_def + by auto + finally have S_eq: "S A = nodes rg" . + + define t' where "t' = graph {r} A" + + have [simp]: "nodes t' = S A" and Et': "edges t' = (A\A\)" unfolding t'_def + using A_edges + by (auto simp: graph_accs S_def) + + hence "edges t' \ edges t" + by (smt UnE \A \ edges t\ converseD edges_sym' subrelI subset_eq) + + have "is_spanning_tree rg t'" + proof - + have "connected t'" + apply rule + apply (simp add: Et' S_def) + apply safe + apply ((simp add: A_connected converse_rtrancl_into_rtrancl + in_rtrancl_UnI rtrancl_converse + )+ + ) [4] + apply simp_all [4] + apply ((meson A_connected in_rtrancl_UnI r_into_rtrancl + rtrancl_converseI rtrancl_trans + )+ + ) [4] + done + + moreover have "cycle_free t'" + by (meson MST \edges t' \ edges t\ cycle_free_antimono is_MST_def + is_spanning_tree_def tree_def) + moreover have "edges t' \ edges rg" + by (meson MST \edges t' \ edges t\ dual_order.trans is_MST_def + is_spanning_tree_def) + ultimately show ?thesis + unfolding is_spanning_tree_def tree_def + by (auto simp: S_eq) + qed + then show ?thesis + using MST weight_mono[OF \edges t' \ edges t\] + unfolding t'_def is_MST_def + using dual_order.trans by blast +qed + +end + +subsection \Prim: Using a Priority Queue\label{sec:using_pq}\ +text \We define a new locale. Note that we could also reuse @{locale Prim}, however, + this would complicate referencing the constants later in the theories from + which we generate the paper. +\ +locale Prim2 = Prim w g r for w :: "'v set \ nat" and g :: "'v ugraph" and r :: 'v +begin + +text \Abstraction to edge set\ +definition "A Q \ \ {(u,v). \ u = Some v \ Q u = \}" + + +text \Initialization\ +definition initQ :: "'v \ enat" where "initQ \ (\_. \)(r := 0)" +definition init\ :: "'v \ 'v option" where "init\ \ Map.empty" + + +text \Step\ +definition "upd_cond Q \ u v' \ + (v',u) \ edges g + \ v'\r \ (Q v' = \ \ \ v' = None) + \ enat (w {v',u}) < Q v'" + +text \State after inner loop\ +definition "Qinter Q \ u v' + = (if upd_cond Q \ u v' then enat (w {v',u}) else Q v')" + +text \State after one step\ +definition "Q' Q \ u \ (Qinter Q \ u)(u:=\)" +definition "\' Q \ u v' = (if upd_cond Q \ u v' then Some u else \ v')" + +definition "prim_invar2_init Q \ \ Q=initQ \ \=init\" + +definition "prim_invar2_ctd Q \ \ let A = A Q \; S = S A in + prim_invar1 A +\ \ r = None \ Q r = \ +\ (\(u,v)\edges rg \ (-S)\S. Q u \ \) +\ (\u. Q u \ \ \ \ u \ None) +\ (\u v. \ u = Some v \ v\S \ (u,v)\edges rg) +\ (\u v d. Q u = enat d \ \ u = Some v + \ d=w {u,v} \ (\v'\S. (u,v')\edges rg \ d \ w {u,v'})) +" + +lemma prim_invar2_ctd_alt_aux1: + assumes "prim_invar1 (A Q \)" + assumes "Q u \ \" "u\r" + shows "u\S (A Q \)" +proof - + interpret Prim_Invar1_loc w g r "A Q \" by unfold_locales fact + show ?thesis + unfolding S_alt_def unfolding A_def using assms + by auto +qed + +lemma prim_invar2_ctd_alt: "prim_invar2_ctd Q \ \ ( + let A = A Q \; S = S A; cE=edges rg \ (-S)\S in + prim_invar1 A + \ \ r = None \ Q r = \ + \ (\(u,v)\cE. Q u \ \) + \ (\u v. \ u = Some v \ v\S \ (u,v)\edges rg) + \ (\u d. Q u = enat d + \ (\v. \ u = Some v \ d=w {u,v} \ (\v'. (u,v')\cE \ d \ w {u,v'}))) +)" + unfolding prim_invar2_ctd_def Let_def + using prim_invar2_ctd_alt_aux1[of Q \] + apply safe + subgoal by auto + subgoal by (auto 0 3) + subgoal by (auto 0 3) + subgoal by clarsimp (metis (no_types,lifting) option.simps(3)) + done + +definition "prim_invar2 Q \ \ prim_invar2_init Q \ \ prim_invar2_ctd Q \" + +definition "T_measure2 Q \ + \ if Q r = \ then T_measure1 (A Q \) else card (nodes rg)" + + +lemma Q'_init_eq: + "Q' initQ init\ r = (\u. if (u,r)\edges rg then enat (w {u,r}) else \)" + apply (rule ext) + using reachable_edges_subset + apply (simp add: Q'_def Qinter_def upd_cond_def initQ_def init\_def) + by (auto simp: Prim.rg_def edges_sym' reachable_nodes_step'(2)) + +lemma \'_init_eq: + "\' initQ init\ r = (\u. if (u,r)\edges rg then Some r else None)" + apply (rule ext) + using reachable_edges_subset + apply (simp add: \'_def upd_cond_def initQ_def init\_def) + by (auto simp: Prim.rg_def edges_sym' reachable_nodes_step'(2)) + +lemma A_init_eq: "A initQ init\ = {}" + unfolding A_def init\_def + by auto + +lemma S_empty: "S {} = {r}" unfolding S_def by (auto simp: A_init_eq) + +lemma maintain_invar2_first_step: + assumes INV: "prim_invar2_init Q \" + assumes UNS: "Q u = enat d" + shows "prim_invar2_ctd (Q' Q \ u) (\' Q \ u)" (is ?G1) + and "T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" (is ?G2) +proof - + from INV have [simp]: "Q=initQ" "\=init\" + unfolding prim_invar2_init_def by auto + from UNS have [simp]: "u=r" by (auto simp: initQ_def split: if_splits) + + + note Q'_init_eq \'_init_eq A_init_eq + + have [simp]: "(A (Q' initQ init\ r) (\' initQ init\ r)) = {}" + apply (simp add: Q'_init_eq \'_init_eq) + by (auto simp: A_def split: if_splits) + + show ?G1 + apply (simp add: prim_invar2_ctd_def Let_def invar1_initial) + by (auto simp: Q'_init_eq \'_init_eq S_empty split: if_splits) + + have [simp]: "Q' initQ init\ r r = \" + by (auto simp: Q'_init_eq) + + have [simp]: "initQ r = 0" by (simp add: initQ_def) + + show ?G2 + unfolding T_measure2_def + apply simp + apply (simp add: T_measure1_def S_empty) + by (metis card_Diff1_less nodes_finite nodes_of_component + reachable_nodes_refl rg_def) + +qed + +lemma maintain_invar2_first_step_presentation: + assumes INV: "prim_invar2_init Q \" + assumes UNS: "Q u = enat d" + shows "prim_invar2_ctd (Q' Q \ u) (\' Q \ u) + \ T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" + using maintain_invar2_first_step assms by blast + +end + +(*<*) +(* + This locale is only used to present the invariant in the paper. +*) +locale Prim_Invar2_ctd_Presentation_Loc = + fixes w g and r :: 'v and Q \ A S rg cE + assumes I: "Prim2.prim_invar2_ctd w g r Q \" + defines local_A_def: "A \ Prim2.A Q \" + defines local_S_def: "S \ Prim.S r A" + defines local_rg_def: "rg \ Prim.rg g r" + defines local_cE_def: "cE \ edges rg \ (-S)\S" +begin + +lemma + invar1: "Prim.prim_invar1 w g r A" (is ?G1) + and root_contained: "\ r = None \ Q r = \" (is ?G2) + and Q_defined: "\(u,v)\cE. Q u \ \" (is ?G3) + and \_edges: "\u v. \ u = Some v \ v\S \ (u,v)\edges rg" (is ?G4) + and Q_min: "\u d. Q u = enat d + \ (\v. \ u = Some v \ d=w {u,v} \ (\v'. (u,v')\cE \ d \ w {u,v'}))" + (is ?G5) +proof - + interpret Prim2 w g r . + + show ?G1 ?G2 ?G3 ?G4 ?G5 + using I + unfolding local_A_def local_S_def local_rg_def local_cE_def + prim_invar2_ctd_alt Let_def + by simp_all +qed + +end + +lemma (in Prim2) Prim_Invar2_ctd_Presentation_Loc_eq: + "Prim_Invar2_ctd_Presentation_Loc w g r Q \ \ prim_invar2_ctd Q \" + unfolding Prim_Invar2_ctd_Presentation_Loc_def .. + +(*>*) + +text \Again, we define a locale to fix a state and assume the invariant\ +locale Prim_Invar2_ctd_loc = + Prim2 w g r for w g and r :: 'v + + fixes Q \ + assumes invar2: "prim_invar2_ctd Q \" +begin + +sublocale Prim_Invar1_loc w g r "A Q \" + using invar2 unfolding prim_invar2_ctd_def + apply unfold_locales by (auto simp: Let_def) + +lemma upd_cond_alt: "upd_cond Q \ u v' \ + (v',u) \ edges g \ v'\S (A Q \) \ enat (w {v',u}) < Q v'" + unfolding upd_cond_def S_alt_def unfolding A_def + by (auto simp: fst_eq_Domain) + +lemma \_root: "\ r = None" + and Q_root: "Q r = \" + and Q_defined: "\ (u,v)\edges rg; u\S (A Q \); v\S (A Q \) \ \ Q u \ \" + and \_defined: "\ Q u \ \ \ \ \ u \ None" + and frontier: "\ u = Some v \ v\S (A Q \)" + and edges: "\ u = Some v \ (u,v)\edges rg" + and Q_\_consistent: "\ Q u = enat d; \ u = Some v \ \ d = w {u,v}" + and Q_min: "Q u = enat d + \ (\v'\S (A Q \). (u,v')\edges rg \ d \ w {u,v'})" + using invar2 unfolding prim_invar2_ctd_def Let_def by auto + +lemma \_def_on_S: "\u\S (A Q \); u\r\ \ \ u \ None" + unfolding S_alt_def + unfolding A_def + by auto + +lemma \_def_on_edges_to_S: "\v\S (A Q \); u\r; (u,v)\edges rg\ \ \ u \ None" + apply (cases "u\S (A Q \)") + subgoal using \_def_on_S by auto + subgoal by (simp add: Q_defined \_defined) + done + +lemma Q_min_is_light: + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + obtains v where "\ u = Some v" "light_edge (S (A Q \)) v u" +proof - + let ?A = "A Q \" + let ?S = "S ?A" + + from UNS obtain v where + S1[simp]: "\ u = Some v" "d = w {u,v}" + using \_defined Q_\_consistent + by blast + + have "v\?S" using frontier[of u v] by auto + + have [simp]: "u\r" using \_root using S1 by (auto simp del: S1) + + have "u\?S" unfolding S_alt_def unfolding A_def using UNS by auto + + have "(v,u)\edges rg" using edges[OF S1(1)] + by (meson edges_sym' rev_subsetD) + + have M: "\(u', v')\edges rg \ ?S \ - ?S. w {v, u} \ w {u', v'}" + proof safe + fix a b + assume "(a,b)\edges rg" "a\?S" "b\?S" + hence "(b,a)\edges rg" by (simp add: edges_sym') + + from Q_defined[OF \(b,a)\edges rg\ \b\?S\ \a\?S\] + obtain d' where 1: "Q b = enat d'" by blast + with \_defined obtain a' where "\ b = Some a'" by auto + from MIN 1 have "d\d'" by (metis enat_ord_simps(1)) + also from Q_min[OF 1] \(b,a)\edges rg\ \a\?S\ have "d'\w {b,a}" by blast + finally show "w {v,u} \ w {a,b}" by (simp add: insert_commute) + qed + + have LE: "light_edge ?S v u" using invar1 \v\?S\ \u\?S\ \(v,u)\edges rg\ M + unfolding light_edge_def by blast + + thus ?thesis using that by auto +qed + +lemma maintain_invar_ctd: + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + shows "prim_invar2_ctd (Q' Q \ u) (\' Q \ u)" (is ?G1) + and "T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" (is ?G2) +proof - + let ?A = "A Q \" + let ?S = "S ?A" + + from Q_min_is_light[OF UNS MIN] obtain v where + [simp]: "\ u = Some v" and LE: "light_edge ?S v u" . + + let ?Q' = "Q' Q \ u" + let ?\' = "\' Q \ u" + let ?A' = "A ?Q' ?\'" + let ?S' = "S ?A'" + + have NA: "?A' = {(u,v)} \ ?A" + unfolding A_def + unfolding Q'_def \'_def upd_cond_def Qinter_def + by (auto split: if_splits) + + from maintain_invar1[OF invar1 LE] + have "prim_invar1 ?A'" and M1: "T_measure1 ?A' < T_measure1 ?A" + by (auto simp: NA) + then interpret N: Prim_Invar1_loc w g r ?A' by unfold_locales + + have [simp]: "?S' = insert u ?S" + unfolding S_alt_def N.S_alt_def + unfolding Q'_def Qinter_def \'_def upd_cond_def + unfolding A_def + by (auto split: if_splits simp: image_iff) + + show ?G1 + unfolding prim_invar2_ctd_def Let_def + apply safe + subgoal by fact + subgoal + unfolding \'_def upd_cond_def + by (auto simp: \_root) + subgoal + by (simp add: Prim2.Q'_def Prim2.Qinter_def Prim2.upd_cond_def Q_root) + subgoal for a b + apply simp + apply safe + subgoal + unfolding Q'_def Qinter_def upd_cond_def + apply (simp add: S_alt_def A_def) + apply safe + subgoal using reachable_edges_subset by blast + subgoal by (simp add: Prim.S_def) + subgoal by (metis (no_types) A_def Q_defined edges frontier) + subgoal using not_infinity_eq by fastforce + done + subgoal + unfolding S_alt_def N.S_alt_def + unfolding A_def Q'_def Qinter_def upd_cond_def + apply (simp; safe; (auto;fail)?) + subgoal + proof - + assume a1: "(a, r) \ edges rg" + assume "a \ fst ` {(u, v). \ u = Some v \ Q u = \}" + then have "a \ fst ` A Q \" + by (simp add: A_def) + then show ?thesis + using a1 + by (metis (no_types) S_alt_def Q_defined Un_insert_left + edges_irrefl' insert_iff not_infinity_eq sup_bot.left_neutral) + qed + subgoal by (simp add: fst_eq_Domain) + subgoal + apply clarsimp + by (smt Domain.intros Q_defined \_def_on_edges_to_S case_prod_conv + edges enat.exhaust frontier fst_eq_Domain mem_Collect_eq + option.exhaust) + subgoal by (simp add: fst_eq_Domain) + done + done + subgoal + by (metis Q'_def Qinter_def \'_def \_defined enat.distinct(2) + fun_upd_apply not_None_eq) + + subgoal + by (metis \S (A (Q' Q \ u) (\' Q \ u)) = insert u (S (A Q \))\ \'_def + frontier insertCI option.inject) + subgoal + by (metis N.S_edge_reachable upd_cond_def + \S (A (Q' Q \ u) (\' Q \ u)) = insert u (S (A Q \))\ \'_def edges + edges_sym' insertI1 option.inject) + subgoal + by (smt Q'_def \'_def Q_\_consistent Qinter_def fun_upd_apply + insert_absorb not_enat_eq option.inject the_enat.simps) + subgoal for v' d' + apply clarsimp + unfolding Q'_def Qinter_def upd_cond_def + using Q_min + apply (clarsimp split: if_splits; safe) + apply (all \(auto;fail)?\) + subgoal by (simp add: le_less less_le_trans) + subgoal using \_def_on_edges_to_S by auto + subgoal using reachable_edges_subset by auto + subgoal by (simp add: Q_root) + done + done + then interpret N: Prim_Invar2_ctd_loc w g r ?Q' ?\' by unfold_locales + + show ?G2 + unfolding T_measure2_def + by (auto simp: Q_root N.Q_root M1) + +qed + +end + + +context Prim2 begin + +lemma maintain_invar2_ctd: + assumes INV: "prim_invar2_ctd Q \" + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + shows "prim_invar2_ctd (Q' Q \ u) (\' Q \ u)" (is ?G1) + and "T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" (is ?G2) +proof - + interpret Prim_Invar2_ctd_loc w g r Q \ using INV by unfold_locales + from maintain_invar_ctd[OF UNS MIN] show ?G1 ?G2 by auto +qed + +lemma Q_min_is_light_presentation: + assumes INV: "prim_invar2_ctd Q \" + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + obtains v where "\ u = Some v" "light_edge (S (A Q \)) v u" +proof - + interpret Prim_Invar2_ctd_loc w g r Q \ using INV by unfold_locales + from Q_min_is_light[OF UNS MIN] show ?thesis using that . +qed + +lemma maintain_invar2_ctd_presentation: + assumes INV: "prim_invar2_ctd Q \" + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + shows "prim_invar2_ctd (Q' Q \ u) (\' Q \ u) + \ T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" + using maintain_invar2_ctd assms by blast + +lemma not_invar2_ctd_init: + "prim_invar2_init Q \ \ \prim_invar2_ctd Q \" + unfolding prim_invar2_init_def prim_invar2_ctd_def initQ_def Let_def + by (auto) + +lemma invar2_init_init: "prim_invar2_init initQ init\" + unfolding prim_invar2_init_def by auto + +lemma invar2_init: "prim_invar2 initQ init\" + unfolding prim_invar2_def using invar2_init_init by auto + +lemma maintain_invar2: + assumes A: "prim_invar2 Q \" + assumes UNS: "Q u = enat d" + assumes MIN: "\v. enat d \ Q v" + shows "prim_invar2 (Q' Q \ u) (\' Q \ u)" (is ?G1) + and "T_measure2 (Q' Q \ u) (\' Q \ u) < T_measure2 Q \" (is ?G2) + using A unfolding prim_invar2_def + using maintain_invar2_first_step[of Q,OF _ UNS] + using maintain_invar2_ctd[OF _ UNS MIN] + using not_invar2_ctd_init + apply blast+ + done + +lemma invar2_ctd_finish: + assumes INV: "prim_invar2_ctd Q \" + assumes FIN: "Q = (\_. \)" + shows "is_MST w rg (graph {r} {(u, v). \ u = Some v})" +proof - + from INV interpret Prim_Invar2_ctd_loc w g r Q \ by unfold_locales + + let ?A = "A Q \" let ?S="S ?A" + + have FC: "edges g \ ?S \ - ?S = {}" + proof (safe; simp) + fix a b + assume "(a,b)\edges g" "a\?S" "b\?S" + with Q_defined[OF edges_sym'] S_edge_reachable have "Q b \ \" + by blast + with FIN show False by auto + qed + + have Aeq: "?A = {(u, v). \ u = Some v}" + unfolding A_def using FIN by auto + + from invar1_finish[OF invar1 FC, unfolded Aeq] show ?thesis . +qed + + +lemma invar2_finish: + assumes INV: "prim_invar2 Q \" + assumes FIN: "Q = (\_. \)" + shows "is_MST w rg (graph {r} {(u, v). \ u = Some v})" +proof - + from INV have "prim_invar2_ctd Q \" + unfolding prim_invar2_def prim_invar2_init_def initQ_def + by (auto simp: fun_eq_iff FIN split: if_splits) + with FIN invar2_ctd_finish show ?thesis by blast +qed + +end + + +subsection \Refinement of Inner Foreach Loop\label{sec:using_foreach}\ + +context Prim2 begin + +definition "foreach_body u \ \(v,d) (Q,\). + if v=r then (Q,\) + else + case (Q v, \ v) of + (\,None) \ (Q(v:=enat d), \(v\u)) + | (enat d',_) \ if d(v\u)) else (Q,\) + | (\,Some _) \ (Q,\) + " + +lemma foreach_body_alt: "foreach_body u = (\(v,d) (Q,\). + if v\r \ (\ v = None \ Q v \ \) \ enat d < Q v then + (Q(v:=enat d), \(v\u)) + else + (Q,\) +)" + unfolding foreach_body_def S_def + by (auto split: enat.splits option.splits simp: fst_eq_Domain fun_eq_iff) + +definition foreach where + "foreach u adjs Q\ = foldr (foreach_body u) adjs Q\" + +definition "\Q V. + Qigen Q \ u adjs v = (if v \ fst`set adjs then Q v else Qinter Q \ u v)" +definition "\Q V \. + \'gen Q \ u adjs v = (if v \ fst`set adjs then \ v else \' Q \ u v)" + +context begin + +private lemma Qc: + "Qigen Q \ u ((v, w {u, v}) # adjs) x + = (if x=v then Qinter Q \ u v else Qigen Q \ u adjs x)" for x + unfolding Qigen_def by auto + +private lemma \c: + "\'gen Q \ u ((v, w {u, v}) # adjs) x + = (if x=v then \' Q \ u v else \'gen Q \ u adjs x)" for x + unfolding \'gen_def by auto + +lemma foreach_refine_gen: + assumes "set adjs \ {(v,d). (u,v)\edges g \ w {u,v} = d}" + shows "foreach u adjs (Q,\) = (Qigen Q \ u adjs,\'gen Q \ u adjs)" + using assms + unfolding foreach_def +proof (induction adjs arbitrary: Q \) + case Nil + have INVAR_INIT: "Qigen Q \ u [] = Q" "\'gen Q \ u [] = \" for Q \ + unfolding assms Qigen_def \'gen_def + by (auto simp: fun_eq_iff image_def Q'_def \'_def edges_def) + with Nil show ?case by (simp add: INVAR_INIT) +next + case (Cons a adjs) + obtain v d where [simp]: "a=(v,d)" by (cases a) + + have [simp]: "u\v" "v\u" using Cons.prems by auto + + have QinfD: "Qigen Q \ u adjs v = \ \ Q v = \" + unfolding Qigen_def Q'_def Qinter_def by (auto split: if_splits) + + show ?case using Cons.prems + apply (cases a) + apply (clarsimp simp: Cons.IH) + unfolding foreach_body_def + apply (clarsimp; safe) + subgoal by (auto simp: Qigen_def Qinter_def upd_cond_def) + subgoal by (auto simp: \'gen_def \'_def upd_cond_def) + subgoal + apply (clarsimp split: enat.split option.split simp: \c Qc fun_eq_iff) + unfolding Qinter_def Qigen_def \'_def \'gen_def upd_cond_def + apply (safe; simp split: if_splits add: insert_commute) + by (auto dest: edges_sym') + done + +qed + +lemma foreach_refine: + assumes "set adjs = {(v,d). (u,v)\edges g \ w {u,v} = d}" + shows "foreach u adjs (Q,\) = (Qinter Q \ u,\' Q \ u)" +proof - + have INVAR_INIT: "Qigen Q \ u [] = Q" "\'gen Q \ u [] = \" for Q \ + unfolding assms Qigen_def \'gen_def + by (auto simp: fun_eq_iff image_def Q'_def \'_def edges_def) + from assms have 1: "set adjs \ {(v,d). (u,v)\edges g \ w {u,v} = d}" + by simp + have [simp]: + "v \ fst ` {(v, d). (u, v) \ edges g \ w {u, v} = d} + \ (u,v)\edges g" + for v + by force + + show ?thesis + unfolding foreach_refine_gen[OF 1] + unfolding Qigen_def \'gen_def assms upd_cond_def Qinter_def \'_def + by (auto simp: fun_eq_iff image_def dest: edges_sym') + +qed + +end +end + +end diff --git a/thys/Prim_Dijkstra_Simple/Prim_Impl.thy b/thys/Prim_Dijkstra_Simple/Prim_Impl.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Prim_Impl.thy @@ -0,0 +1,490 @@ +section \Implementation of Prim's Algorithm\ +theory Prim_Impl +imports + Prim_Abstract + Undirected_Graph_Impl + "HOL-Library.While_Combinator" + "Priority_Search_Trees.PST_RBT" + "HOL-Data_Structures.RBT_Map" +begin + + +subsection \Implementation using ADT Interfaces\label{sec:prim_data_structs}\ + +locale Prim_Impl_Adts = + G: adt_wgraph G_\w G_\g G_invar G_adj G_empty G_add_edge ++ M: Map M_empty M_update M_delete M_lookup M_invar +(*+ S: Set S_empty S_insert S_delete S_isin S_\ S_invar*) ++ Q: PrioMap Q_empty Q_update Q_delete Q_invar Q_lookup Q_is_empty Q_getmin + + for typG :: "'g itself" and typM :: "'m itself" and typQ :: "'q itself" + and G_\w and G_\g :: "'g \ ('v) ugraph" and G_invar G_adj G_empty G_add_edge + + and M_empty M_update M_delete and M_lookup :: "'m \ 'v \ 'v option" and M_invar + + and Q_empty Q_update Q_delete Q_invar and Q_lookup :: "'q \ 'v \ nat option" + and Q_is_empty Q_getmin + +begin + +text \Simplifier setup\ +lemmas [simp] = G.wgraph_specs +lemmas [simp] = M.map_specs +lemmas [simp] = Q.prio_map_specs + +end + +locale Prim_Impl_Defs = Prim_Impl_Adts + where typG = typG and typM = typM and typQ = typQ and G_\w = G_\w and G_\g = G_\g + for typG :: "'g itself" and typM :: "'m itself" and typQ :: "'q itself" + and G_\w and G_\g :: "'g \ ('v::linorder) ugraph" and g :: 'g and r :: 'v +begin + +subsubsection \Concrete Algorithm\ +term M_lookup +definition "foreach_impl_body u \ (\(v,d) (Qi,\i). + if v=r then (Qi,\i) + else + case (Q_lookup Qi v, M_lookup \i v) of + (None,None) \ (Q_update v d Qi, M_update v u \i) + | (Some d',_) \ (if di) else (Qi,\i)) + | (None, Some _) \ (Qi,\i) + )" + +definition foreach_impl :: "'q \ 'm \ 'v \ ('v\nat) list \ 'q \ 'm" where + "foreach_impl Qi \i u adjs = foldr (foreach_impl_body u) adjs (Qi,\i)" + + +definition "outer_loop_impl Qi \i \ while (\(Qi,\i). \Q_is_empty Qi) (\(Qi,\i). + let + (u,_) = Q_getmin Qi; + adjs = G_adj g u; + (Qi,\i) = foreach_impl Qi \i u adjs; + Qi = Q_delete u Qi + in (Qi,\i)) (Qi,\i)" + +definition "prim_impl = (let + Qi = Q_update r 0 Q_empty; + \i = M_empty; + (Qi,\i) = outer_loop_impl Qi \i + in \i) +" + +text \The whole algorithm as one function\ +lemma prim_impl_alt: "prim_impl = (let + \ \Initialization\ + (Q,\) = (Q_update r 0 Q_empty, M_empty); + \ \Main loop: Iterate until PQ is empty\ + (Q, \) = + while (\(Q, \). \ Q_is_empty Q) (\(Q, \). let + (u, _) = Q_getmin Q; + \ \Inner loop: Update for adjacent nodes\ + (Q, \) = + foldr ((\(v, d) (Q, \). let + qv = Q_lookup Q v; + \v = M_lookup \ v + in + if v\r \ (qv\None \ \v=None) \ enat d < enat_of_option qv + then (Q_update v d Q, M_update v u \) + else (Q, \)) + ) (G_adj g u) (Q, \); + Q = Q_delete u Q + in (Q, \)) (Q, \) + in \ +)" +proof - + + have 1: "foreach_impl_body u = (\(v,d) (Qi,\i). let + qiv = (Q_lookup Qi v); + \iv = M_lookup \i v + in + if v\r \ (qiv\None \ \iv=None) \ enat d < enat_of_option qiv + then (Q_update v d Qi, M_update v u \i) + else (Qi, \i))" for u + unfolding foreach_impl_body_def + apply (intro ext) + by (auto split: option.split) + + show ?thesis + unfolding prim_impl_def outer_loop_impl_def foreach_impl_def 1 + by (simp) +qed + + +subsubsection \Abstraction of Result\ + +text \Invariant for the result, and its interpretation as (minimum spanning) tree: + \<^item> The map \\i\ and set \Vi\ satisfy their implementation invariants + \<^item> The \\i\ encodes irreflexive edges consistent with the nodes determined + by \Vi\. Note that the edges in \\i\ will not be symmetric, thus we take + their symmetric closure \E\E\\. + +\ + +definition "invar_MST \i \ M_invar \i" + +definition "\_MST \i \ graph {r} {(u,v) | u v. M_lookup \i u = Some v}" + +end + + +subsection \Refinement of State\ + +locale Prim_Impl = Prim_Impl_Defs + where typG = typG and typM = typM and typQ = typQ and G_\w = G_\w and G_\g = G_\g + for typG :: "'g itself" and typM :: "'m itself" and typQ :: "'q itself" + and G_\w and G_\g :: "'g \ ('v::linorder) ugraph" + + + assumes G_invar[simp]: "G_invar g" +begin + +sublocale Prim2 "G_\w g" "G_\g g" r . + +subsubsection \Abstraction of \Q\\ +text \The priority map implements a function of type @{typ \'v\enat\}, + mapping @{const None} to @{term \}. +\ + +definition "Q_\ Qi \ enat_of_option o Q_lookup Qi :: 'v \ enat" + +lemma Q_\_empty: "Q_\ Q_empty = (\_. \)" + unfolding Q_\_def by (auto) + +lemma Q_\_update: "Q_invar Q \ Q_\ (Q_update u d Q) = (Q_\ Q)(u := enat d)" + unfolding Q_\_def by (auto) + +lemma Q_\_is_empty: "Q_invar Q \ Q_lookup Q = Map.empty \ Q_\ Q = (\_. \)" + unfolding Q_\_def by (auto simp: fun_eq_iff) + +lemma Q_\_delete: "Q_invar Q \ Q_\ (Q_delete u Q) = (Q_\ Q)(u:=\)" + unfolding Q_\_def by (auto simp: fun_eq_iff) + +lemma Q_\_min: + assumes MIN: "Q_getmin Qi = (u, d)" + assumes I: "Q_invar Qi" + assumes NE: "\ Q_is_empty Qi" + shows "Q_\ Qi u = enat d" (is ?G1) and + "\v. enat d \ Q_\ Qi v" (is ?G2) +proof - + from Q.map_getmin[OF MIN] + have "Q_lookup Qi u = Some d" "(\x\ran (Q_lookup Qi). d \ x)" + using NE I by auto + thus "?G1" "?G2" + unfolding Q_\_def apply simp_all + by (metis enat_of_option.elims enat_ord_simps(1) enat_ord_simps(3) ranI) +qed + + +lemmas Q_\_specs = Q_\_empty Q_\_update Q_\_is_empty Q_\_delete + + +subsubsection \Concrete Invariant\ + +text \The implementation invariants of the concrete state's components, + and the abstract invariant of the state's abstraction\ +definition "prim_invar_impl Qi \i \ + Q_invar Qi \ M_invar \i \ prim_invar2 (Q_\ Qi) (M_lookup \i)" + + +end + + +subsection \Refinement of Algorithm\ + +context Prim_Impl +begin + +lemma foreach_impl_correct: + fixes Qi Vi \i defines "Q \ Q_\ Qi" and "\ \ M_lookup \i" + assumes A: "foreach_impl Qi \i u (G_adj g u) = (Qi',\i')" + assumes I: "prim_invar_impl Qi \i" + shows "Q_invar Qi'" and "M_invar \i'" + and "Q_\ Qi' = Qinter Q \ u" and "M_lookup \i' = \' Q \ u" +proof - + from I have [simp]: "Q_invar Qi" "M_invar \i" + unfolding prim_invar_impl_def Q_def \_def by auto + + { + fix Qi \i d v and adjs :: "('v \ nat) list" + assume "Q_invar Qi" "M_invar \i" "(v, d) \ set adjs" + then have + "(case foreach_impl_body u (v, d) (Qi, \i) of + (Qi, \i) \ Q_invar Qi \ M_invar \i) + \ map_prod Q_\ M_lookup (foreach_impl_body u (v, d) (Qi, \i)) + = foreach_body u (v, d) (Q_\ Qi, M_lookup \i)" + unfolding foreach_impl_body_def foreach_body_def + unfolding Q_\_def + by (auto simp: fun_eq_iff split: option.split) + + } note aux=this + + from foldr_refine[ + where I="\(Qi,\i). Q_invar Qi \ M_invar \i" and \="map_prod Q_\ M_lookup", + of "(Qi,\i)" "(G_adj g u)" "foreach_impl_body u" "foreach_body u" + ] + and A aux[where ?adjs3="(G_adj g u)"] + have "Q_invar Qi'" "M_invar \i'" + and 1: "foreach u (G_adj g u) (Q_\ Qi, M_lookup \i) + = (Q_\ Qi', M_lookup \i')" + unfolding foreach_impl_def foreach_def + unfolding Q_def \_def + by (auto split: prod.splits) + then show "Q_invar Qi'" "M_invar \i'" by auto + + from 1 foreach_refine[where adjs="G_adj g u" and u=u] show + "Q_\ Qi' = Qinter Q \ u" and "M_lookup \i' = \' Q \ u" + by (auto simp: Q_def \_def) + +qed + +(*<*) +lemma foreach_impl_correct_presentation: + fixes Qi Vi \i defines "Q \ Q_\ Qi" and "\ \ M_lookup \i" + assumes A: "foreach_impl Qi \i u (G_adj g u) = (Qi',\i')" + assumes I: "prim_invar_impl Qi \i" + shows "Q_invar Qi' \ M_invar \i' + \ Q_\ Qi' = Qinter Q \ u \ M_lookup \i' = \' Q \ u" + using foreach_impl_correct assms by blast +(*>*) + +definition "T_measure_impl \ \(Qi,\i). T_measure2 (Q_\ Qi) (M_lookup \i)" + +lemma prim_invar_impl_init: "prim_invar_impl (Q_update r 0 Q_empty) M_empty" + using invar2_init + by (auto simp: prim_invar_impl_def Q_\_specs initQ_def init\_def zero_enat_def) + +lemma maintain_prim_invar_impl: + assumes + I: "prim_invar_impl Qi \i" and + NE: "\ Q_is_empty Qi" and + MIN: "Q_getmin Qi = (u, d)" and + FOREACH: "foreach_impl Qi \i u (G_adj g u) = (Qi', \i')" + shows "prim_invar_impl (Q_delete u Qi') \i'" (is ?G1) + and "T_measure_impl (Q_delete u Qi', \i') < T_measure_impl (Qi,\i)" (is "?G2") +proof - + note II[simp] = I[unfolded prim_invar_impl_def] + note FI[simp] = foreach_impl_correct[OF FOREACH I] + note MIN' = Q_\_min[OF MIN _ NE, simplified] + + show ?G1 + unfolding prim_invar_impl_def + using Q_\_delete maintain_invar2[OF _ MIN'] + by (simp add: Q'_def) + + show ?G2 + unfolding prim_invar_impl_def T_measure_impl_def + using Q_\_delete maintain_invar2[OF _ MIN'] + apply (simp add: Q'_def Q_\_def) + by (metis FI(3) II Q'_def Q_\_def + \\\. prim_invar2 (Q_\ Qi) \ + \ T_measure2 (Q' (Q_\ Qi) \ u) (\' (Q_\ Qi) \ u) + < T_measure2 (Q_\ Qi) \\) + +qed + +lemma maintain_prim_invar_impl_presentation: + assumes + I: "prim_invar_impl Qi \i" and + NE: "\ Q_is_empty Qi" and + MIN: "Q_getmin Qi = (u, d)" and + FOREACH: "foreach_impl Qi \i u (G_adj g u) = (Qi', \i')" + shows "prim_invar_impl (Q_delete u Qi') \i' + \ T_measure_impl (Q_delete u Qi', \i') < T_measure_impl (Qi,\i)" + using maintain_prim_invar_impl assms by blast + +lemma prim_invar_impl_finish: + "\Q_is_empty Q; prim_invar_impl Q \\ + \ invar_MST \ \ is_MST (G_\w g) rg (\_MST \)" + using invar2_finish + by (auto simp: Q_\_specs prim_invar_impl_def invar_MST_def \_MST_def Let_def) + +lemma prim_impl_correct: + assumes "prim_impl = \i" + shows + "invar_MST \i" (is ?G1) + "is_MST (G_\w g) (component_of (G_\g g) r) (\_MST \i)" (is ?G2) +proof - + have "let (Qi, \i) = outer_loop_impl (Q_update r 0 Q_empty) M_empty in + invar_MST \i \ is_MST (G_\w g) rg (\_MST \i)" + unfolding outer_loop_impl_def + apply (rule while_rule[where + P="\(Qi,\i). prim_invar_impl Qi \i" and r="measure T_measure_impl"]) + apply (all \clarsimp split: prod.splits simp: Q_\_specs\) + apply (simp_all add: prim_invar_impl_init maintain_prim_invar_impl + prim_invar_impl_finish) + done + with assms show ?G1 ?G2 + unfolding rg_def prim_impl_def by (simp_all split: prod.splits) +qed + +(*<*) +lemma prim_impl_correct_presentation: + "invar_MST prim_impl + \ is_MST (G_\w g) (component_of (G_\g g) r) (\_MST prim_impl)" + using prim_impl_correct by blast +(*>*) + +end + + +subsection \Instantiation with Actual Data Structures\label{sec:prim_inst_ds}\ + +global_interpretation + G: wgraph_by_map RBT_Set.empty RBT_Map.update RBT_Map.delete + Lookup2.lookup RBT_Map.M.invar + defines G_empty = G.empty + and G_add_edge = G.add_edge + and G_add_edge1 = G.add_edge1 + and G_adj = G.adj + and G_from_list = G.from_list + and G_valid_wgraph_repr = G.valid_wgraph_repr + by unfold_locales + +(* FIXME: Something is strange with generated constants. *) +lemma G_from_list_unfold: "G_from_list = G.from_list" + by (simp add: G_add_edge_def G_empty_def G_from_list_def) + +(* FIXME: The interpretation does not generate a code theorem at all!? *) +lemma [code]: "G_from_list l = foldr (\(e, d). G_add_edge e d) l G_empty" + by (simp add: G.from_list_def G_from_list_unfold) + + +global_interpretation Prim_Impl_Adts _ _ _ + G.\w G.\g G.invar G.adj G.empty G.add_edge + + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + .. + +global_interpretation P: Prim_Impl_Defs G.invar G.adj G.empty G.add_edge + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + + _ _ _ G.\w G.\g g r + for g and r::"'a::linorder" + defines prim_impl = P.prim_impl + and outer_loop_impl = P.outer_loop_impl + and foreach_impl = P.foreach_impl + and foreach_impl_body = P.foreach_impl_body + by unfold_locales + + +lemmas [code] = P.prim_impl_alt + + +context + fixes g + assumes [simp]: "G.invar g" +begin + +interpretation AUX: Prim_Impl + G.invar G.adj G.empty G.add_edge + + RBT_Set.empty RBT_Map.update RBT_Map.delete Lookup2.lookup RBT_Map.M.invar + + PST_RBT.empty PST_RBT.update PST_RBT.delete PST_RBT.PM.invar + Lookup2.lookup PST_RBT.rbt_is_empty pst_getmin + + g r _ _ _ G.\w G.\g for r::"'a::linorder" + by unfold_locales simp_all + +lemmas prim_impl_correct = AUX.prim_impl_correct[folded prim_impl_def] + +end + +subsubsection \Adding a Graph-From-List Parser\ + +definition "prim_list_impl l r + \ if G_valid_wgraph_repr l then Some (prim_impl (G_from_list l) r) else None" + + +subsection \Main Correctness Theorem\ + +text \ + The @{const prim_list_impl} algorithm returns @{const None}, if the input was + invalid. Otherwise it returns @{term \Some (\i,Vi)\}, which satisfy the + map/set invariants and encode a minimum spanning tree of the component of the + graph that contains \r\. + + Notes: + \<^item> If \r\ is n ot a node of the graph, \component_of\ will return the graph + with the only node \r\. (@{thm [source] component_of_not_node}) +\ + +theorem prim_list_impl_correct: + shows "case prim_list_impl l r of + None \ \G.valid_wgraph_repr l \ \Invalid input\ + | Some \i \ + G.valid_wgraph_repr l \ (let Gi = G.from_list l in G.invar Gi \ \Valid input\ + \ P.invar_MST \i \ \Output satisfies invariants\ + \ is_MST (G.\w Gi) (component_of (G.\g Gi) r) (P.\_MST r \i)) \ \and represents MST\" + unfolding prim_list_impl_def G_from_list_unfold + using prim_impl_correct[of "G.from_list l" r] G.from_list_correct[of l] + by (auto simp: Let_def) + +theorem prim_list_impl_correct_presentation: + shows "case prim_list_impl l r of + None \ \G.valid_wgraph_repr l \ \Invalid input\ + | Some \i \ let + g=G.\g (G.from_list l); + w=G.\w (G.from_list l); + rg=component_of g r; + t=P.\_MST r \i + in + G.valid_wgraph_repr l \ \Valid input\ + \ P.invar_MST \i \ \Output satisfies invariants\ + \ is_MST w rg t \ \and represents MST\" + using prim_list_impl_correct[of l r] unfolding Let_def + by (auto split: option.splits) + + +subsection \Code Generation and Test\label{sec:prim_exec}\ + +definition prim_list_impl_int :: "_ \ int \ _" + where "prim_list_impl_int \ prim_list_impl" + + +export_code prim_list_impl prim_list_impl_int checking SML + + +experiment begin + + +abbreviation "a \ 1" +abbreviation "b \ 2" +abbreviation "c \ 3" +abbreviation "d \ 4" +abbreviation "e \ 5" +abbreviation "f \ 6" +abbreviation "g \ 7" +abbreviation "h \ 8" +abbreviation "i \ 9" + + +value "(prim_list_impl_int [ + ((a,b),4), + ((a,h),8), + ((b,h),11), + ((b,c),8), + ((h,i),7), + ((h,g),1), + ((c,i),2), + ((g,i),6), + ((c,d),7), + ((c,f),4), + ((g,f),2), + ((d,f),14), + ((d,e),9), + ((e,f),10) +] 1)" + +end + + + + +end diff --git a/thys/Prim_Dijkstra_Simple/ROOT b/thys/Prim_Dijkstra_Simple/ROOT new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/ROOT @@ -0,0 +1,26 @@ +chapter AFP + +session Prim_Dijkstra_Simple (AFP) = Priority_Search_Trees + + options [timeout=300] + sessions + "HOL-Data_Structures" + "HOL-Eisbach" + theories [document=false] + Common + theories + Chapter_Prim + Undirected_Graph + Undirected_Graph_Specs + Prim_Abstract + Undirected_Graph_Impl + Prim_Impl + + Chapter_Dijkstra + Directed_Graph + Directed_Graph_Specs + Dijkstra_Abstract + Directed_Graph_Impl + Dijkstra_Impl + document_files + "root.tex" + "root.bib" diff --git a/thys/Prim_Dijkstra_Simple/Undirected_Graph.thy b/thys/Prim_Dijkstra_Simple/Undirected_Graph.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Undirected_Graph.thy @@ -0,0 +1,1165 @@ +section \Undirected Graphs\ +theory Undirected_Graph +imports + Common +begin +subsection \Nodes and Edges\ + +typedef 'v ugraph + = "{ (V::'v set , E). E \ V\V \ finite V \ sym E \ irrefl E }" + unfolding sym_def irrefl_def by blast + +setup_lifting type_definition_ugraph + +lift_definition nodes_internal :: "'v ugraph \ 'v set" is fst . +lift_definition edges_internal :: "'v ugraph \ ('v\'v) set" is snd . +lift_definition graph_internal :: "'v set \ ('v\'v) set \ 'v ugraph" + is "\V E. if finite V \ finite E then (V\fst`E\snd`E, (E\E\)-Id) else ({},{})" + by (auto simp: sym_def irrefl_def; force) + +definition nodes :: "'v ugraph \ 'v set" + where "nodes = nodes_internal" +definition edges :: "'v ugraph \ ('v\'v) set" + where "edges = edges_internal" +definition graph :: "'v set \ ('v\'v) set \ 'v ugraph" + where "graph = graph_internal" + +lemma edges_subset: "edges g \ nodes g \ nodes g" + unfolding edges_def nodes_def by transfer auto + +lemma nodes_finite[simp, intro!]: "finite (nodes g)" + unfolding edges_def nodes_def by transfer auto + +lemma edges_sym: "sym (edges g)" + unfolding edges_def nodes_def by transfer auto + +lemma edges_irrefl: "irrefl (edges g)" + unfolding edges_def nodes_def by transfer auto + +lemma nodes_graph: "\finite V; finite E\ \ nodes (graph V E) = V\fst`E\snd`E" + unfolding edges_def nodes_def graph_def by transfer auto + +lemma edges_graph: "\finite V; finite E\ \ edges (graph V E) = (E\E\)-Id" + unfolding edges_def nodes_def graph_def by transfer auto + +lemmas graph_accs = nodes_graph edges_graph + +lemma nodes_edges_graph_presentation: "\finite V; finite E\ + \ nodes (graph V E) = V \ fst`E \ snd`E \ edges (graph V E) = E\E\ - Id" + by (simp add: graph_accs) + +lemma graph_eq[simp]: "graph (nodes g) (edges g) = g" + unfolding edges_def nodes_def graph_def + apply transfer + unfolding sym_def irrefl_def + apply (clarsimp split: prod.splits) + by (fastforce simp: finite_subset) + +lemma edges_finite[simp, intro!]: "finite (edges g)" + using edges_subset finite_subset by fastforce + +lemma graph_cases[cases type]: obtains V E + where "g = graph V E" "finite V" "finite E" "E\V\V" "sym E" "irrefl E" +proof - + show ?thesis + apply (rule that[of "nodes g" "edges g"]) + using edges_subset edges_sym edges_irrefl[of g] + by auto +qed + +lemma graph_eq_iff: "g=g' \ nodes g = nodes g' \ edges g = edges g'" + unfolding edges_def nodes_def graph_def by transfer auto + + + +lemma edges_sym': "(u,v)\edges g \ (v,u)\edges g" using edges_sym + by (blast intro: symD) + +lemma edges_irrefl'[simp,intro!]: "(u,u)\edges g" + by (meson edges_irrefl irrefl_def) + +lemma edges_irreflI[simp, intro]: "(u,v)\edges g \ u\v" by auto + +lemma edgesT_diff_sng_inv_eq[simp]: + "(edges T - {(x, y), (y, x)})\ = edges T - {(x, y), (y, x)}" + using edges_sym' by fast + +lemma nodesI[simp,intro]: assumes "(u,v)\edges g" shows "u\nodes g" "v\nodes g" + using assms edges_subset by auto + +lemma split_edges_sym: "\E. E\E\ = {} \ edges g = E \ E\" + using split_sym_rel[OF edges_sym edges_irrefl, of g] by metis + + +subsection \Connectedness Relation\ + +lemma rtrancl_edges_sym': "(u,v)\(edges g)\<^sup>* \ (v,u)\(edges g)\<^sup>*" + by (simp add: edges_sym symD sym_rtrancl) + +lemma trancl_edges_subset: "(edges g)\<^sup>+ \ nodes g \ nodes g" + by (simp add: edges_subset trancl_subset_Sigma) + +lemma find_crossing_edge: + assumes "(u,v)\E\<^sup>*" "u\V" "v\V" + obtains u' v' where "(u',v')\E\V\-V" + using assms apply (induction rule: converse_rtrancl_induct) + by auto + + + + +subsection \Constructing Graphs\ + +definition "graph_empty \ graph {} {}" +definition "ins_node v g \ graph (insert v (nodes g)) (edges g)" +definition "ins_edge e g \ graph (nodes g) (insert e (edges g))" +definition "graph_join g\<^sub>1 g\<^sub>2 \ graph (nodes g\<^sub>1 \ nodes g\<^sub>2) (edges g\<^sub>1 \ edges g\<^sub>2)" +definition "restrict_nodes g V \ graph (nodes g \ V) (edges g \ V\V)" +definition "restrict_edges g E \ graph (nodes g) (edges g \ (E\E\))" + + +definition "nodes_edges_consistent V E \ finite V \ irrefl E \ sym E \ E \ V\V" + +lemma [simp]: + assumes "nodes_edges_consistent V E" + shows nodes_graph': "nodes (graph V E) = V" (is ?G1) + and edges_graph': "edges (graph V E) = E" (is ?G2) +proof - + from assms have [simp]: "finite E" unfolding nodes_edges_consistent_def + by (meson finite_SigmaI rev_finite_subset) + + show ?G1 ?G2 using assms + by (auto simp: nodes_edges_consistent_def nodes_graph edges_graph irrefl_def) + +qed + +lemma nec_empty[simp]: "nodes_edges_consistent {} {}" + by (auto simp: nodes_edges_consistent_def irrefl_def sym_def) + +lemma graph_empty_accs[simp]: + "nodes graph_empty = {}" + "edges graph_empty = {}" + unfolding graph_empty_def by (auto) + +lemma graph_empty[simp]: "graph {} {} = graph_empty" + by (simp add: graph_empty_def) + +lemma nodes_empty_iff_empty[simp]: + "nodes G = {} \ G=graph {} {}" + "{} = nodes G \ G=graph_empty" + using edges_subset + by (auto simp: graph_eq_iff) + +lemma nodes_ins_nodes[simp]: "nodes (ins_node v g) = insert v (nodes g)" + and edges_ins_nodes[simp]: "edges (ins_node v g) = edges g" + unfolding ins_node_def by (auto simp: graph_accs edges_sym') + + +lemma nodes_ins_edge[simp]: "nodes (ins_edge e g) = {fst e, snd e} \ nodes g" + and edges_ins_edge: + "edges (ins_edge e g) + = (if fst e = snd e then edges g else {e,prod.swap e}\(edges g))" + unfolding ins_edge_def + apply (all \cases e\) + by (auto simp: graph_accs dest: edges_sym') + +lemma edges_ins_edge'[simp]: + "u\v \ edges (ins_edge (u,v) g) = {(u,v),(v,u)} \ edges g" + by (auto simp: edges_ins_edge) + +lemma edges_ins_edge_ss: "edges g \ edges (ins_edge e g)" + by (auto simp: edges_ins_edge) + + +lemma nodes_join[simp]: "nodes (graph_join g\<^sub>1 g\<^sub>2) = nodes g\<^sub>1 \ nodes g\<^sub>2" + and edges_join[simp]: "edges (graph_join g\<^sub>1 g\<^sub>2) = edges g\<^sub>1 \ edges g\<^sub>2" + unfolding graph_join_def + by (auto simp: graph_accs dest: edges_sym') + +lemma nodes_restrict_nodes[simp]: "nodes (restrict_nodes g V) = nodes g \ V" + and edges_restrict_nodes[simp]: "edges (restrict_nodes g V) = edges g \ V\V" + unfolding restrict_nodes_def + by (auto simp: graph_accs dest: edges_sym') + +lemma nodes_restrict_edges[simp]: "nodes (restrict_edges g E) = nodes g" + and edges_restrict_edges[simp]: "edges (restrict_edges g E) = edges g \ (E\E\)" + unfolding restrict_edges_def + by (auto simp: graph_accs dest: edges_sym') + +lemma unrestricte_edges: "edges (restrict_edges g E) \ edges g" by auto +lemma unrestrictn_edges: "edges (restrict_nodes g V) \ edges g" by auto + +lemma unrestrict_nodes: "nodes (restrict_edges g E) \ nodes g" by auto + + + +subsection \Paths\ + +fun path where + "path g u [] v \ u=v" +| "path g u (e#ps) w \ (\v. e=(u,v) \ e\edges g \ path g v ps w)" + +lemma path_emptyI[intro!]: "path g u [] u" by auto + +lemma path_append[simp]: + "path g u (p1@p2) w \ (\v. path g u p1 v \ path g v p2 w)" + by (induction p1 arbitrary: u) auto + +lemma path_transs1[trans]: + "path g u p v \ (v,w)\edges g \ path g u (p@[(v,w)]) w" + "(u,v)\edges g \ path g v p w \ path g u ((u,v)#p) w" + "path g u p1 v \ path g v p2 w \ path g u (p1@p2) w" + by auto + +lemma path_graph_empty[simp]: "path graph_empty u p v \ v=u \ p=[]" + by (cases p) auto + +abbreviation "revp p \ rev (map prod.swap p)" +lemma revp_alt: "revp p = rev (map (\(u,v). (v,u)) p)" by auto + +lemma path_rev[simp]: "path g u (revp p) v \ path g v p u" + by (induction p arbitrary: v) (auto dest: edges_sym') + +lemma path_rev_sym[sym]: "path g v p u \ path g u (revp p) v" by simp + +lemma path_transs2[trans]: + "path g u p v \ (w,v)\edges g \ path g u (p@[(v,w)]) w" + "(v,u)\edges g \ path g v p w \ path g u ((u,v)#p) w" + "path g u p1 v \ path g w p2 v \ path g u (p1@revp p2) w" + by (auto dest: edges_sym') + + +lemma path_edges: "path g u p v \ set p \ edges g" + by (induction p arbitrary: u) auto + +lemma path_graph_cong: + "\path g\<^sub>1 u p v; set p \ edges g\<^sub>1 \ set p \ edges g\<^sub>2\ \ path g\<^sub>2 u p v" + apply (frule path_edges; simp) + apply (induction p arbitrary: u) + by auto + + +lemma path_endpoints: + assumes "path g u p v" "p\[]" shows "u\nodes g" "v\nodes g" + subgoal using assms by (cases p) (auto intro: nodesI) + subgoal using assms by (cases p rule: rev_cases) (auto intro: nodesI) + done + +lemma path_mono: "edges g \ edges g' \ path g u p v \ path g' u p v" + by (meson path_edges path_graph_cong subset_trans) + + + +lemmas unrestricte_path = path_mono[OF unrestricte_edges] +lemmas unrestrictn_path = path_mono[OF unrestrictn_edges] + +lemma unrestrict_path_edges: "path (restrict_edges g E) u p v \ path g u p v" + by (induction p arbitrary: u) auto + +lemma unrestrict_path_nodes: "path (restrict_nodes g E) u p v \ path g u p v" + by (induction p arbitrary: u) auto + + + +subsubsection \Paths and Connectedness\ + +lemma rtrancl_edges_iff_path: "(u,v)\(edges g)\<^sup>* \ (\p. path g u p v)" + apply rule + subgoal + apply (induction rule: converse_rtrancl_induct) + by (auto dest: path_transs1) + apply clarify + subgoal for p by (induction p arbitrary: u; force) + done + +lemma rtrancl_edges_pathE: + assumes "(u,v)\(edges g)\<^sup>*" obtains p where "path g u p v" + using assms by (auto simp: rtrancl_edges_iff_path) + +lemma path_rtrancl_edgesD: "path g u p v \ (u,v)\(edges g)\<^sup>*" + by (auto simp: rtrancl_edges_iff_path) + + +subsubsection \Simple Paths\ + +definition "uedge \ \(a,b). {a,b}" + +definition "simple p \ distinct (map uedge p)" + + +lemma in_uedge_conv[simp]: "x\uedge (u,v) \ x=u \ x=v" + by (auto simp: uedge_def) + +lemma uedge_eq_iff: "uedge (a,b) = uedge (c,d) \ a=c \ b=d \ a=d \ b=c" + by (auto simp: uedge_def doubleton_eq_iff) + +lemma uedge_degen[simp]: "uedge (a,a) = {a}" + by (auto simp: uedge_def) + +lemma uedge_in_set_eq: "uedge (u, v) \ uedge ` S \ (u,v)\S \ (v,u)\S" + by (auto simp: uedge_def doubleton_eq_iff) + +lemma uedge_commute: "uedge (a,b) = uedge (b,a)" by auto + +lemma simple_empty[simp]: "simple []" + by (auto simp: simple_def) + +lemma simple_cons[simp]: "simple (e#p) \ uedge e \ uedge ` set p \ simple p" + by (auto simp: simple_def) + +lemma simple_append[simp]: "simple (p\<^sub>1@p\<^sub>2) + \ simple p\<^sub>1 \ simple p\<^sub>2 \ uedge ` set p\<^sub>1 \ uedge ` set p\<^sub>2 = {}" + by (auto simp: simple_def) + + +lemma simplify_pathD: + "path g u p v \ \p'. path g u p' v \ simple p' \ set p' \ set p" +proof (induction p arbitrary: u v rule: length_induct) + case A: (1 p) + then show ?case proof (cases "simple p") + assume "simple p" with A.prems show ?case by blast + next + assume "\simple p" + then consider p\<^sub>1 a b p\<^sub>2 p\<^sub>3 where "p=p\<^sub>1@[(a,b)]@p\<^sub>2@[(a,b)]@p\<^sub>3" + | p\<^sub>1 a b p\<^sub>2 p\<^sub>3 where "p=p\<^sub>1@[(a,b)]@p\<^sub>2@[(b,a)]@p\<^sub>3" + by (auto + simp: simple_def map_eq_append_conv uedge_eq_iff + dest!: not_distinct_decomp) + then obtain p' where "path g u p' v" "length p' < length p" "set p' \ set p" + proof cases + case [simp]: 1 + from A.prems have "path g u (p\<^sub>1@[(a,b)]@p\<^sub>3) v" by auto + from that[OF this] show ?thesis by auto + next + case [simp]: 2 + from A.prems have "path g u (p\<^sub>1@p\<^sub>3) v" by auto + from that[OF this] show ?thesis by auto + qed + with A.IH show ?thesis by blast + qed +qed + +lemma simplify_pathE: + assumes "path g u p v" + obtains p' where "path g u p' v" "simple p'" "set p' \ set p" + using assms by (auto dest: simplify_pathD) + + +subsubsection \Splitting Paths\ + +lemma find_crossing_edge_on_path: + assumes "path g u p v" "\P u" "P v" + obtains u' v' where "(u',v')\set p" "\P u'" "P v'" + using assms by (induction p arbitrary: u) auto + +lemma find_crossing_edges_on_path: + assumes P: "path g u p v" and "P u" "P v" + obtains "\(u,v)\set p. P u \ P v" + | u\<^sub>1 v\<^sub>1 v\<^sub>2 u\<^sub>2 p\<^sub>1 p\<^sub>2 p\<^sub>3 + where "p=p\<^sub>1@[(u\<^sub>1,v\<^sub>1)]@p\<^sub>2@[(u\<^sub>2,v\<^sub>2)]@p\<^sub>3" "P u\<^sub>1" "\P v\<^sub>1" "\P u\<^sub>2" "P v\<^sub>2" +proof (cases "\(u,v)\set p. P u \ P v") + case True with that show ?thesis by blast +next + case False + with P \P u\ have "\(u\<^sub>1,v\<^sub>1)\set p. P u\<^sub>1 \ \P v\<^sub>1" + apply clarsimp apply (induction p arbitrary: u) by auto + then obtain u\<^sub>1 v\<^sub>1 where "(u\<^sub>1,v\<^sub>1)\set p" and PRED1: "P u\<^sub>1" "\P v\<^sub>1" by blast + then obtain p\<^sub>1 p\<^sub>2\<^sub>3 where [simp]: "p=p\<^sub>1@[(u\<^sub>1,v\<^sub>1)]@p\<^sub>2\<^sub>3" + by (auto simp: in_set_conv_decomp) + with P have "path g v\<^sub>1 p\<^sub>2\<^sub>3 v" by auto + from find_crossing_edge_on_path[where P=P, OF this \\P v\<^sub>1\ \P v\] obtain u\<^sub>2 v\<^sub>2 + where "(u\<^sub>2,v\<^sub>2)\set p\<^sub>2\<^sub>3" "\P u\<^sub>2" "P v\<^sub>2" . + then show thesis using PRED1 + by (auto simp: in_set_conv_decomp intro: that) +qed + +lemma find_crossing_edge_rtrancl: + assumes "(u,v)\(edges g)\<^sup>*" "\P u" "P v" + obtains u' v' where "(u',v')\edges g" "\P u'" "P v'" + using assms + by (metis converse_rtrancl_induct) + + +lemma path_change: + assumes "u\S" "v\S" "path g u p v" "simple p" + obtains x y p1 p2 where + "(x,y) \ set p" "x \ S" "y \ S" + "path (restrict_edges g (-{(x,y),(y,x)})) u p1 x" + "path (restrict_edges g (-{(x,y),(y,x)})) y p2 v" +proof - + from find_crossing_edge_on_path[where P="\x. x\S"] assms obtain x y where + 1: "(x,y)\set p" "x\S" "y\S" by blast + then obtain p1 p2 where [simp]: "p=p1@[(x,y)]@p2" + by (auto simp: in_set_conv_decomp) + + let ?g' = "restrict_edges g (-{(x,y),(y,x)})" + + from \path g u p v\ have P1: "path g u p1 x" and P2: "path g y p2 v" by auto + from \simple p\ + have "uedge (x,y)\set (map uedge p1)" "uedge (x,y)\set (map uedge p2)" + by auto + then have "path ?g' u p1 x" "path ?g' y p2 v" + using path_graph_cong[OF P1, of ?g'] path_graph_cong[OF P2, of ?g'] + by (auto simp: uedge_in_set_eq) + with 1 show ?thesis by (blast intro: that) +qed + + + + + +subsection \Cycles\ + +definition "cycle_free g \ \p u. p\[] \ simple p \ path g u p u" + +lemma cycle_free_alt_in_nodes: + "cycle_free g \ \p u. p\[] \ u\nodes g \ simple p \ path g u p u" + by (smt cycle_free_def path_endpoints(2)) + +lemma cycle_freeI: + assumes "\p u. \ path g u p u; p\[]; simple p \ \ False" + shows "cycle_free g" + using assms unfolding cycle_free_def by auto + +lemma cycle_freeD: + assumes "cycle_free g" "path g u p u" "p\[]" "simple p" + shows False + using assms unfolding cycle_free_def by auto + + +lemma cycle_free_antimono: "edges g \ edges g' \ cycle_free g' \ cycle_free g" + unfolding cycle_free_def + by (auto dest: path_mono) + +lemma cycle_free_empty[simp]: "cycle_free graph_empty" + unfolding cycle_free_def by auto + +lemma cycle_free_no_edges: "edges g = {} \ cycle_free g" + by (rule cycle_freeI) (auto simp: neq_Nil_conv) + +lemma simple_path_cycle_free_unique: + assumes CF: "cycle_free g" + assumes P: "path g u p v" "path g u p' v" "simple p" "simple p'" + shows "p=p'" + using P +proof (induction p arbitrary: u p') + case Nil + then show ?case using cycle_freeD[OF CF] by auto +next + case (Cons e p) + + note CF = cycle_freeD[OF CF] + + from Cons.prems obtain u' where + [simp]: "e=(u,u')" + and P': "(u,u')\set p" "(u',u)\set p" "(u,u')\edges g" + by (auto simp: uedge_in_set_eq) + with Cons.prems obtain sp\<^sub>1 where + SP1: "path g u ((u,u')#sp\<^sub>1) v" "simple ((u,u')#sp\<^sub>1)" + by blast + + from Cons.prems obtain u'' p'' where + [simp]: "p' = (u,u'')#p''" + and P'': "(u,u'')\set p''" "(u'',u)\set p''" "(u,u'')\edges g" + apply (cases p') + subgoal by auto (metis Cons.prems(1) Cons.prems(3) CF list.distinct(1)) + by (auto simp: uedge_in_set_eq) + with Cons.prems obtain sp\<^sub>2 where + SP2: "path g u ((u,u'')#sp\<^sub>2) v" "simple ((u,u'')#sp\<^sub>2)" + by blast + + have "u''=u'" proof (rule ccontr) + assume [simp, symmetric, simp]: "u''\u'" + + have AUX1: "(u,x)\set sp\<^sub>1" for x + proof + assume "(u, x) \ set sp\<^sub>1" + with SP1 obtain sp' where "path g u ((u,u')#sp') u" and "simple ((u,u')#sp')" + by (clarsimp simp: in_set_conv_decomp; blast) + with CF show False by blast + qed + + have AUX2:"(x,u)\set sp\<^sub>1" for x + proof + assume "(x, u) \ set sp\<^sub>1" + + with SP1 obtain sp' where "path g u ((u,u')#sp') u" and "simple ((u,u')#sp')" + apply (clarsimp simp: in_set_conv_decomp) + (* TODO: Do more explicit, like other AUXes*) + by (metis Cons.prems(1) Cons.prems(3) Un_iff + AUX1 \e = (u, u')\ insert_iff list.simps(15) + path.elims(2) path.simps(2) prod.sel(2) set_append simple_cons) + with CF show False by blast + qed + + have AUX3:"(u,x)\set sp\<^sub>2" for x + proof + assume "(u, x) \ set sp\<^sub>2" + then obtain sp' sp'' where [simp]: "sp\<^sub>2 = sp'@[(u,x)]@sp''" + by (auto simp: in_set_conv_decomp) + from SP2 have "path g u ((u,u'')#sp') u" "simple ((u,u'')#sp')" by auto + with CF show False by blast + qed + + have AUX4:"(x,u)\set sp\<^sub>2" for x + proof + assume "(x, u) \ set sp\<^sub>2" + then obtain sp' sp'' where [simp]: "sp\<^sub>2 = sp'@[(x,u)]@sp''" + by (auto simp: in_set_conv_decomp) + from SP2 + have "path g u ((u,u'')#sp'@[(x,u)]) u" "simple ((u,u'')#sp'@[(x,u)])" + by auto + with CF show False by blast + qed + + have [simp]: "set (revp p) = (set p)\" by auto + + from SP1 SP2 have "path g u' (sp\<^sub>1@revp sp\<^sub>2) u''" by auto + then obtain sp where + SP: "path g u' sp u''" "simple sp" "set sp \ set sp\<^sub>1 \ set (revp sp\<^sub>2)" + by (erule_tac simplify_pathE) auto + with \(u,u')\edges g\ \(u,u'')\edges g\ + have "path g u ((u,u')#sp@[(u'',u)]) u" + by (auto dest: edges_sym' simp: uedge_eq_iff) + moreover + from SP SP1 SP2 AUX1 AUX2 AUX3 AUX4 have "simple (((u,u')#sp@[(u'',u)]))" + by (auto 0 3 simp: uedge_eq_iff) + ultimately show False using CF by blast + qed + + with Cons.IH[of u' p''] Cons.prems show ?case by simp +qed + + + +subsubsection \Characterization by Removing Edge\ + + + +lemma cycle_free_alt: "cycle_free g + \ (\e\edges g. e\(edges (restrict_edges g (-{e,prod.swap e})))\<^sup>*)" + apply (rule) + apply (clarsimp simp del: edges_restrict_edges) + subgoal premises prems for u v proof - + note edges_restrict_edges[simp del] + let ?rg = "(restrict_edges g (- {(u,v), (v,u)}))" + from \(u, v) \ (edges ?rg)\<^sup>*\ + obtain p where P: "path ?rg u p v" and "simple p" + by (auto simp: rtrancl_edges_iff_path elim: simplify_pathE) + from P have "path g u p v" by (rule unrestricte_path) + also note \(u, v) \ edges g\ finally have "path g u (p @ [(v, u)]) u" . + moreover from path_edges[OF P] have "uedge (u,v) \ set (map uedge p)" + by (auto simp: uedge_eq_iff edges_restrict_edges) + with \simple p\ have "simple (p @ [(v, u)])" + by (auto simp: uedge_eq_iff uedge_in_set_eq) + ultimately show ?thesis using \cycle_free g\ + unfolding cycle_free_def by blast + qed + apply (clarsimp simp: cycle_free_def) + subgoal premises prems for p u proof - + from \p\[]\ \path g u p u\ obtain v p' where + [simp]: "p=(u,v)#p'" and "(u,v)\edges g" "path g v p' u" + by (cases p) auto + from \simple p\ have "simple p'" "uedge (u,v) \ set (map uedge p')" by auto + hence "(u,v)\set p'" "(v,u)\set p'" by (auto simp: uedge_in_set_eq) + with \path g v p' u\ + have "path (restrict_edges g (-{(u,v),(v,u)})) v p' u" (is "path ?rg _ _ _") + by (erule_tac path_graph_cong) auto + + hence "(u,v)\(edges ?rg)\<^sup>*" + by (meson path_rev rtrancl_edges_iff_path) + with prems(1) \(u,v)\edges g\ show False by auto + qed + done + +lemma cycle_free_altI: + assumes "\u v. \ (u,v)\edges g; (u,v)\(edges g - {(u,v),(v,u)})\<^sup>* \ \ False" + shows "cycle_free g" + unfolding cycle_free_alt using assms by (force) + +lemma cycle_free_altD: + assumes "cycle_free g" + assumes "(u,v)\edges g" + shows "(u,v)\(edges g - {(u,v),(v,u)})\<^sup>*" + using assms unfolding cycle_free_alt by (auto) + + + +lemma remove_redundant_edge: + assumes "(u, v) \ (edges g - {(u, v), (v, u)})\<^sup>*" + shows "(edges g - {(u, v), (v, u)})\<^sup>* = (edges g)\<^sup>*" (is "?E'\<^sup>* = _") +proof + show "?E'\<^sup>* \ (edges g)\<^sup>*" + by (simp add: Diff_subset rtrancl_mono) +next + show "(edges g)\<^sup>* \ ?E'\<^sup>*" + proof clarify + fix a b assume "(a,b)\(edges g)\<^sup>*" then + show "(a,b)\?E'\<^sup>*" + proof induction + case base + then show ?case by simp + next + case (step b c) + then show ?case + proof (cases "(b,c)\{(u,v),(v,u)}") + case True + + have SYME: "sym (?E'\<^sup>*)" + apply (rule sym_rtrancl) + using edges_sym[of g] + by (auto simp: sym_def) + with step.IH assms have + IH': "(b,a) \ ?E'\<^sup>*" + by (auto intro: symD) + + from True show ?thesis apply safe + subgoal using assms step.IH by simp + subgoal using assms IH' apply (rule_tac symD[OF SYME]) by simp + done + + next + case False + then show ?thesis + by (meson DiffI rtrancl.rtrancl_into_rtrancl step.IH step.hyps(2)) + qed + + qed + qed +qed + + + + + +subsection \Connected Graphs\ + + +definition connected + where "connected g \ nodes g \ nodes g \ (edges g)\<^sup>*" + +lemma connectedI[intro?]: + assumes "\u v. \u\nodes g; v\nodes g\ \ (u,v)\(edges g)\<^sup>*" + shows "connected g" + using assms unfolding connected_def by auto + +lemma connectedD[intro?]: + assumes "connected g" "u\nodes g" "v\nodes g" + shows "(u,v)\(edges g)\<^sup>*" + using assms unfolding connected_def by auto + +lemma connected_empty[simp]: "connected graph_empty" + unfolding connected_def by auto + +subsection \Component Containing Node\ +definition "reachable_nodes g r \ (edges g)\<^sup>*``{r}" +definition "component_of g r + \ ins_node r (restrict_nodes g (reachable_nodes g r))" + +lemma reachable_nodes_refl[simp, intro!]: "r \ reachable_nodes g r" + by (auto simp: reachable_nodes_def) + +lemma reachable_nodes_step: + "edges g `` reachable_nodes g r \ reachable_nodes g r" + by (auto simp: reachable_nodes_def) + +lemma reachable_nodes_steps: + "(edges g)\<^sup>* `` reachable_nodes g r \ reachable_nodes g r" + by (auto simp: reachable_nodes_def) + +lemma reachable_nodes_step': + assumes "u \ reachable_nodes g r" "(u, v) \ edges g" + shows "v\reachable_nodes g r" "(u, v) \ edges (component_of g r)" +proof - + show "v \ reachable_nodes g r" + by (meson ImageI assms(1) assms(2) reachable_nodes_step rev_subsetD) + then show "(u, v) \ edges (component_of g r)" + by (simp add: assms(1) assms(2) component_of_def) +qed + +lemma reachable_nodes_steps': + assumes "u \ reachable_nodes g r" "(u, v) \ (edges g)\<^sup>*" + shows "v\reachable_nodes g r" "(u, v) \ (edges (component_of g r))\<^sup>*" +proof - + show "v\reachable_nodes g r" using reachable_nodes_steps assms by fast + show "(u, v) \ (edges (component_of g r))\<^sup>*" + using assms(2,1) + apply (induction rule: converse_rtrancl_induct) + subgoal by auto + subgoal by (smt converse_rtrancl_into_rtrancl reachable_nodes_step') + done +qed + +lemma reachable_not_node: "r\nodes g \ reachable_nodes g r = {r}" + by (force elim: converse_rtranclE simp: reachable_nodes_def intro: nodesI) + + +lemma nodes_of_component[simp]: "nodes (component_of g r) = reachable_nodes g r" + apply (rule equalityI) + unfolding component_of_def reachable_nodes_def + subgoal by auto + subgoal by clarsimp (metis nodesI(2) rtranclE) + done + +lemma component_connected[simp, intro!]: "connected (component_of g r)" +proof (rule connectedI; simp) + fix u v + assume A: "u \ reachable_nodes g r" "v \ reachable_nodes g r" + hence "(u,r)\(edges g)\<^sup>*" "(r,v)\(edges g)\<^sup>*" + by (auto simp: reachable_nodes_def dest: rtrancl_edges_sym') + hence "(u,v)\(edges g)\<^sup>*" by (rule rtrancl_trans) + with A show "(u, v) \ (edges (component_of g r))\<^sup>*" + by (rule_tac reachable_nodes_steps'(2)) +qed + +lemma component_edges_subset: "edges (component_of g r) \ edges g" + by (auto simp: component_of_def) + +lemma component_path: "u\nodes (component_of g r) \ + path (component_of g r) u p v \ path g u p v" + apply rule + subgoal by (erule path_mono[OF component_edges_subset]) + subgoal by (induction p arbitrary: u) (auto simp: reachable_nodes_step') + done + +lemma component_cycle_free: "cycle_free g \ cycle_free (component_of g r)" + by (meson component_edges_subset cycle_free_antimono) + +lemma component_of_connected_graph: + "\connected g; r\nodes g\ \ component_of g r = g" + unfolding graph_eq_iff + apply safe + subgoal by simp (metis Image_singleton_iff nodesI(2) reachable_nodes_def rtranclE) + subgoal by (simp add: connectedD reachable_nodes_def) + subgoal by (simp add: component_of_def) + subgoal by (simp add: connectedD reachable_nodes_def reachable_nodes_step'(2)) + done + +lemma component_of_not_node: "r\nodes g \ component_of g r = graph {r} {}" + by (clarsimp simp: graph_eq_iff component_of_def reachable_not_node graph_accs) + + +subsection \Trees\ + +definition "tree g \ connected g \ cycle_free g " + +lemma tree_empty[simp]: "tree graph_empty" by (simp add: tree_def) + +lemma component_of_tree: "tree T \ tree (component_of T r)" + unfolding tree_def using component_connected component_cycle_free by auto + + +subsubsection \Joining and Splitting Trees on Single Edge\ + +lemma join_connected: + assumes CONN: "connected g\<^sub>1" "connected g\<^sub>2" + assumes IN_NODES: "u\nodes g\<^sub>1" "v\nodes g\<^sub>2" + shows "connected (ins_edge (u,v) (graph_join g\<^sub>1 g\<^sub>2))" (is "connected ?g'") + unfolding connected_def +proof clarify + fix a b + assume A: "a\nodes ?g'" "b\nodes ?g'" + + have ESS: "(edges g\<^sub>1)\<^sup>* \ (edges ?g')\<^sup>*" "(edges g\<^sub>2)\<^sup>* \ (edges ?g')\<^sup>*" + using edges_ins_edge_ss + by (force intro!: rtrancl_mono)+ + + have UV: "(u,v)\(edges ?g')\<^sup>*" + by (simp add: edges_ins_edge r_into_rtrancl) + + show "(a,b)\(edges ?g')\<^sup>*" + proof - + { + assume "a\nodes g\<^sub>1" "b\nodes g\<^sub>1" + hence ?thesis using \connected g\<^sub>1\ ESS(1) unfolding connected_def by blast + } moreover { + assume "a\nodes g\<^sub>2" "b\nodes g\<^sub>2" + hence ?thesis using \connected g\<^sub>2\ ESS(2) unfolding connected_def by blast + } moreover { + assume "a\nodes g\<^sub>1" "b\nodes g\<^sub>2" + with connectedD[OF CONN(1)] connectedD[OF CONN(2)] ESS + have ?thesis by (meson UV IN_NODES contra_subsetD rtrancl_trans) + } moreover { + assume "a\nodes g\<^sub>2" "b\nodes g\<^sub>1" + with connectedD[OF CONN(1)] connectedD[OF CONN(2)] ESS + have ?thesis + by (meson UV IN_NODES contra_subsetD rtrancl_edges_sym' rtrancl_trans) + } + ultimately show ?thesis using A IN_NODES by auto + qed +qed + + +lemma join_cycle_free: + assumes CYCF: "cycle_free g\<^sub>1" "cycle_free g\<^sub>2" + assumes DJ: "nodes g\<^sub>1 \ nodes g\<^sub>2 = {}" + assumes IN_NODES: "u\nodes g\<^sub>1" "v\nodes g\<^sub>2" + shows "cycle_free (ins_edge (u,v) (graph_join g\<^sub>1 g\<^sub>2))" (is "cycle_free ?g'") +proof (rule cycle_freeI) + fix p a + assume P: "path ?g' a p a" "p\[]" "simple p" + from path_endpoints[OF this(1,2)] IN_NODES + have A_NODE: "a\nodes g\<^sub>1 \ nodes g\<^sub>2" + by auto + thus False proof + assume N1: "a\nodes g\<^sub>1" + have "set p \ nodes g\<^sub>1 \ nodes g\<^sub>1" + proof (cases + rule: find_crossing_edges_on_path[where P="\x. x\nodes g\<^sub>1", OF P(1) N1 N1]) + case 1 + then show ?thesis by auto + next + case (2 u\<^sub>1 v\<^sub>1 v\<^sub>2 u\<^sub>2 p\<^sub>1 p\<^sub>2 p\<^sub>3) + then show ?thesis using \simple p\ P + apply clarsimp + apply (drule path_edges)+ + apply (cases "u=v"; clarsimp simp: edges_ins_edge uedge_in_set_eq) + apply (metis DJ IntI IN_NODES empty_iff) + by (metis DJ IntI empty_iff nodesI uedge_eq_iff) + + qed + hence "set p \ edges g\<^sub>1" using DJ edges_subset path_edges[OF P(1)] IN_NODES + by (auto simp: edges_ins_edge split: if_splits; blast) + hence "path g\<^sub>1 a p a" by (meson P(1) path_graph_cong) + thus False using cycle_freeD[OF CYCF(1)] P(2,3) by blast + next + assume N2: "a\nodes g\<^sub>2" + have "set p \ nodes g\<^sub>2 \ nodes g\<^sub>2" + proof (cases + rule: find_crossing_edges_on_path[where P="\x. x\nodes g\<^sub>2", OF P(1) N2 N2]) + case 1 + then show ?thesis by auto + next + case (2 u\<^sub>1 v\<^sub>1 v\<^sub>2 u\<^sub>2 p\<^sub>1 p\<^sub>2 p\<^sub>3) + then show ?thesis using \simple p\ P + apply clarsimp + apply (drule path_edges)+ + apply (cases "u=v"; clarsimp simp: edges_ins_edge uedge_in_set_eq) + apply (metis DJ IntI IN_NODES empty_iff) + by (metis DJ IntI empty_iff nodesI uedge_eq_iff) + + qed + hence "set p \ edges g\<^sub>2" using DJ edges_subset path_edges[OF P(1)] IN_NODES + by (auto simp: edges_ins_edge split: if_splits; blast) + hence "path g\<^sub>2 a p a" by (meson P(1) path_graph_cong) + thus False using cycle_freeD[OF CYCF(2)] P(2,3) by blast + qed +qed + +lemma join_trees: + assumes TREE: "tree g\<^sub>1" "tree g\<^sub>2" + assumes DJ: "nodes g\<^sub>1 \ nodes g\<^sub>2 = {}" + assumes IN_NODES: "u\nodes g\<^sub>1" "v\nodes g\<^sub>2" + shows "tree (ins_edge (u,v) (graph_join g\<^sub>1 g\<^sub>2))" + using assms join_cycle_free join_connected unfolding tree_def by metis + + +lemma split_tree: + assumes "tree T" "(x,y)\edges T" + defines "E' \ (edges T - {(x,y),(y,x)})" + obtains T1 T2 where + "tree T1" "tree T2" + "nodes T1 \ nodes T2 = {}" "nodes T = nodes T1 \ nodes T2" + "edges T1 \ edges T2 = E'" + "nodes T1 = { u. (x,u)\E'\<^sup>*}" "nodes T2 = { u. (y,u)\E'\<^sup>*}" + "x\nodes T1" "y\nodes T2" +proof - + (* TODO: Use component_of here! *) + define N1 where "N1 = { u. (x,u)\E'\<^sup>* }" + define N2 where "N2 = { u. (y,u)\E'\<^sup>* }" + + define T1 where "T1 = restrict_nodes T N1" + define T2 where "T2 = restrict_nodes T N2" + + have SYME: "sym (E'\<^sup>*)" + apply (rule sym_rtrancl) + using edges_sym[of T] by (auto simp: sym_def E'_def) + + + from assms have "connected T" "cycle_free T" unfolding tree_def by auto + from \cycle_free T\ have "cycle_free T1" "cycle_free T2" + unfolding T1_def T2_def + using cycle_free_antimono unrestrictn_edges by blast+ + + from \(x,y) \ edges T\ have XYN: "x\nodes T" "y\nodes T" + using edges_subset by auto + from XYN have [simp]: "nodes T1 = N1" "nodes T2 = N2" + unfolding T1_def T2_def N1_def N2_def unfolding E'_def + apply (safe) + apply (all \clarsimp\) + by (metis DiffD1 nodesI(2) rtrancl.simps)+ + + have "x\N1" "y\N2" by (auto simp: N1_def N2_def) + + have "N1 \ N2 = {}" + proof (safe;simp) + fix u + assume "u\N1" "u\N2" + hence "(x,u)\E'\<^sup>*" "(u,y)\E'\<^sup>*" by (auto simp: N1_def N2_def symD[OF SYME]) + with cycle_free_altD[OF \cycle_free T\ \(x,y)\edges T\] show False + unfolding E'_def by (meson rtrancl_trans) + qed + + + have N1C: "E'``N1 \ N1" + unfolding N1_def + apply clarsimp + by (simp add: rtrancl.rtrancl_into_rtrancl) + + have N2C: "E'``N2 \ N2" + unfolding N2_def + apply clarsimp + by (simp add: rtrancl.rtrancl_into_rtrancl) + + have XE1: "(x,u) \ (edges T1)\<^sup>*" if "u\N1" for u + proof - + from that have "(x,u)\E'\<^sup>*" by (auto simp: N1_def) + then show ?thesis using \x\N1\ + unfolding T1_def + proof (induction rule: converse_rtrancl_induct) + case (step y z) + with N1C have "z\N1" by auto + with step.hyps(1) step.prems have "(y,z)\Restr (edges T) N1" + unfolding E'_def by auto + with step.IH[OF \z\N1\] show ?case + by (metis converse_rtrancl_into_rtrancl edges_restrict_nodes) + qed auto + qed + + have XE2: "(y,u) \ (edges T2)\<^sup>*" if "u\N2" for u + proof - + from that have "(y,u)\E'\<^sup>*" by (auto simp: N2_def) + then show ?thesis using \y\N2\ + unfolding T2_def + proof (induction rule: converse_rtrancl_induct) + case (step y z) + with N2C have "z\N2" by auto + with step.hyps(1) step.prems have "(y,z)\Restr (edges T) N2" + unfolding E'_def by auto + with step.IH[OF \z\N2\] show ?case + by (metis converse_rtrancl_into_rtrancl edges_restrict_nodes) + qed auto + qed + + + have "connected T1" + apply rule + apply simp + apply (drule XE1)+ + by (meson rtrancl_edges_sym' rtrancl_trans) + + have "connected T2" + apply rule + apply simp + apply (drule XE2)+ + by (meson rtrancl_edges_sym' rtrancl_trans) + + have "u\N1 \ N2" if "u\nodes T" for u + proof - + from connectedD[OF \connected T\ \x\nodes T\ that ] + obtain p where P: "path T x p u" "simple p" + by (auto simp: rtrancl_edges_iff_path elim: simplify_pathE) + show ?thesis proof cases + assume "(x,y)\set p \ (y,x)\set p" + with P(1) have "path (restrict_edges T E') x p u" + unfolding E'_def by (erule_tac path_graph_cong) auto + from path_rtrancl_edgesD[OF this] + show ?thesis unfolding N1_def E'_def by auto + next + assume "\((x,y)\set p \ (y,x)\set p)" + with P obtain p' where + "uedge (x,y)\set (map uedge p')" "path T y p' u \ path T x p' u" + by (auto simp: in_set_conv_decomp uedge_commute) + hence "path (restrict_edges T E') y p' u \ path (restrict_edges T E') x p' u" + apply (clarsimp simp: uedge_in_set_eq E'_def) + by (smt ComplD DiffI Int_iff UnCI edges_restrict_edges insertE + path_graph_cong subset_Compl_singleton subset_iff) + then show ?thesis unfolding N1_def N2_def E'_def + by (auto dest: path_rtrancl_edgesD) + qed + qed + then have "nodes T = N1 \ N2" + unfolding N1_def N2_def using XYN + unfolding E'_def + apply (safe) + subgoal by auto [] + subgoal by (metis DiffD1 nodesI(2) rtrancl.cases) + subgoal by (metis DiffD1 nodesI(2) rtrancl.cases) + done + + have "edges T1 \ edges T2 \ E'" + unfolding T1_def T2_def E'_def using \N1 \ N2 = {}\ \x \ N1\ \y \ N2\ + by auto + also have "edges T1 \ edges T2 \ E'" + proof - + note ED1 = nodesI[where g=T, unfolded \nodes T = N1\N2\] + have "E' \ edges T" by (auto simp: E'_def) + thus "edges T1 \ edges T2 \ E'" + unfolding T1_def T2_def + using ED1 N1C N2C by (auto; blast) + qed + finally have "edges T1 \ edges T2 = E'" . + + show ?thesis + apply (rule that[of T1 T2, unfolded tree_def]; (intro conjI)?; fact?) + apply simp_all + apply fact+ + done +qed + + + + +subsection \Spanning Trees\ + +definition "is_spanning_tree G T + \ tree T \ nodes T = nodes G \ edges T \ edges G" + +(* TODO: Move *) +lemma connected_singleton[simp]: "connected (ins_node u graph_empty)" + unfolding connected_def by auto + +lemma path_singleton[simp]: "path (ins_node u graph_empty) v p w \ v=w \ p=[]" + by (cases p) auto + +lemma tree_singleton[simp]: "tree (ins_node u graph_empty)" + by (simp add: cycle_free_no_edges tree_def) + +(* TODO: Move *) +lemma tree_add_edge_in_out: + assumes "tree T" + assumes "u\nodes T" "v\nodes T" + shows "tree (ins_edge (u,v) T)" +proof - + from assms have [simp]: "u\v" by auto + have "ins_edge (u,v) T = ins_edge (u,v) (graph_join T (ins_node v graph_empty))" + by (auto simp: graph_eq_iff) + also have "tree \" + apply (rule join_trees) + using assms + by auto + finally show ?thesis . +qed + +text \Remove edges on cycles until the graph is cycle free\ +lemma ex_spanning_tree: + "connected g \ \t. is_spanning_tree g t" + using edges_finite[of g] +proof (induction "edges g" arbitrary: g rule: finite_psubset_induct) + case psubset + show ?case proof (cases "cycle_free g") + case True + with \connected g\ show ?thesis by (auto simp: is_spanning_tree_def tree_def) + next + case False + then obtain u v where + EDGE: "(u,v)\edges g" + and RED: "(u,v)\(edges g - {(u,v),(v,u)})\<^sup>*" + using cycle_free_altI by metis + from \connected g\ + have "connected (restrict_edges g (- {(u,v),(v,u)}))" (is "connected ?g'") + unfolding connected_def + by (auto simp: remove_redundant_edge[OF RED]) + moreover have "edges ?g' \ edges g" using EDGE by auto + ultimately obtain t where "is_spanning_tree ?g' t" + using psubset.hyps(2)[of ?g'] by blast + hence "is_spanning_tree g t" by (auto simp: is_spanning_tree_def) + thus ?thesis .. + qed +qed + + +section \Weighted Undirected Graphs\ + +definition weight :: "('v set \ nat) \ 'v ugraph \ nat" + where "weight w g \ (\e\edges g. w (uedge e)) div 2" + + +lemma weight_alt: "weight w g = (\e\uedge`edges g. w e)" +proof - + from split_edges_sym[of g] obtain E where + "edges g = E \ E\" and "E\E\={}" by auto + hence [simp, intro!]: "finite E" by (metis edges_finite finite_Un) + hence [simp, intro!]: "finite (E\)" by blast + + have [simp]: "(\e\E\. w (uedge e)) = (\e\E. w (uedge e))" + apply (rule sum.reindex_cong[where l=prod.swap and A="E\" and B="E"]) + by (auto simp: uedge_def insert_commute) + + have [simp]: "inj_on uedge E" using \E\E\=_\ + by (auto simp: uedge_def inj_on_def doubleton_eq_iff) + + have "weight w g = (\e\E. w (uedge e))" + unfolding weight_def \edges g = _\ using \E\E\={}\ + by (auto simp: sum.union_disjoint) + also have "\ = (\e\uedge`E. w e)" + using sum.reindex[of uedge E w] + by auto + also have "uedge`E = uedge`(edges g)" + unfolding \edges g = _\ uedge_def using \E\E\={}\ + by auto + finally show ?thesis . +qed + +lemma weight_empty[simp]: "weight w graph_empty = 0" unfolding weight_def by auto + +lemma weight_ins_edge[simp]: "\u\v; (u,v)\edges g\ + \ weight w (ins_edge (u,v) g) = w {u,v} + weight w g" + unfolding weight_def + apply clarsimp + apply (subst sum.insert) + by (auto dest: edges_sym' simp: uedge_def insert_commute) + +lemma uedge_img_disj_iff[simp]: + "uedge`edges g\<^sub>1 \ uedge`edges g\<^sub>2 = {} \ edges g\<^sub>1 \ edges g\<^sub>2 = {}" + by (auto simp: uedge_eq_iff dest: edges_sym')+ + +lemma weight_join[simp]: "edges g\<^sub>1 \ edges g\<^sub>2 = {} + \ weight w (graph_join g\<^sub>1 g\<^sub>2) = weight w g\<^sub>1 + weight w g\<^sub>2" + unfolding weight_alt by (auto simp: sum.union_disjoint image_Un) + +lemma weight_cong: "edges g\<^sub>1 = edges g\<^sub>2 \ weight w g\<^sub>1 = weight w g\<^sub>2" + by (auto simp: weight_def) + +lemma weight_mono: "edges g \ edges g' \ weight w g \ weight w g'" + unfolding weight_alt by (rule sum_mono2) auto + +lemma weight_ge_edge: + assumes "(x,y)\edges T" + shows "weight w T \ w {x,y}" + using assms unfolding weight_alt + by (auto simp: uedge_def intro: member_le_sum) + + + +lemma weight_del_edge[simp]: + assumes "(x,y)\edges T" + shows "weight w (restrict_edges T (- {(x, y), (y, x)})) = weight w T - w {x,y}" +proof - + define E where "E = uedge ` edges T - {{x,y}}" + have [simp]: "(uedge ` (edges T - {(x, y), (y, x)})) = E" + by (safe; simp add: E_def uedge_def doubleton_eq_iff; blast) + + from assms have [simp]: "uedge ` edges T = insert {x,y} E" + unfolding E_def by force + + have [simp]: "{x,y}\E" unfolding E_def by blast + + then show ?thesis + unfolding weight_alt + apply simp + by (metis E_def \uedge ` edges T = insert {x, y} E\ insertI1 sum_diff1_nat) +qed + + +subsection \Minimum Spanning Trees\ + +definition "is_MST w g t \ is_spanning_tree g t + \ (\t'. is_spanning_tree g t' \ weight w t \ weight w t')" + +lemma exists_MST: "connected g \ \t. is_MST w g t" + using ex_has_least_nat[of "is_spanning_tree g"] ex_spanning_tree + unfolding is_MST_def + by blast + +end diff --git a/thys/Prim_Dijkstra_Simple/Undirected_Graph_Impl.thy b/thys/Prim_Dijkstra_Simple/Undirected_Graph_Impl.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Undirected_Graph_Impl.thy @@ -0,0 +1,192 @@ +section \Implementation of Weighted Undirected Graph by Map\ +theory Undirected_Graph_Impl +imports + "HOL-Data_Structures.Map_Specs" + Common + Undirected_Graph_Specs +begin + +subsection \Doubleton Set to Pair\ +definition "epair e = (if card e = 2 then Some (SOME (u,v). e={u,v}) else None)" + +lemma epair_eqD: "epair e = Some (x,y) \ (x\y \ e={x,y})" + apply (cases "card e = 2") + unfolding epair_def + apply simp_all + apply (clarsimp simp: card_Suc_eq eval_nat_numeral doubleton_eq_iff) + by (smt case_prodD case_prodI someI) + +lemma epair_not_sng[simp]: "epair e \ Some (x,x)" + by (auto dest: epair_eqD) + +lemma epair_None[simp]: "epair {a,b} = None \ a=b" + unfolding epair_def by (auto simp: card2_eq) + +subsection \Generic Implementation\ + +text \ + When instantiated with a map ADT, this locale provides a weighted graph ADT. +\ +locale wgraph_by_map = + M: Map M_empty M_update M_delete M_lookup M_invar + + for M_empty M_update M_delete + and M_lookup :: "'m \ 'v \ (('v\nat) list) option" + and M_invar +begin + +definition "\nodes_aux g \ dom (M_lookup g)" + +definition "\edges_aux g + \ ({(u,v). \xs d. M_lookup g u = Some xs \ (v,d)\set xs })" + + +definition "\g g \ graph (\nodes_aux g) (\edges_aux g)" + +definition "\w g e \ case epair e of + Some (u,v) \ ( + case M_lookup g u of + None \ 0 + | Some xs \ the_default 0 (map_of xs v) + ) +| None \ 0" + +definition invar :: "'m \ bool" where + "invar g \ + M_invar g \ finite (dom (M_lookup g)) + \ (\u xs. M_lookup g u = Some xs \ + distinct (map fst xs) + \ u\set (map fst xs) + \ (\(v,d)\set xs. (u,d)\set (the_default [] (M_lookup g v))) + )" + + +lemma in_the_default_empty_conv[simp]: + "x\set (the_default [] m) \ (\xs. m=Some xs \ x\set xs)" + by (cases m) auto + +lemma \edges_irrefl: "invar g \ irrefl (\edges_aux g)" + unfolding invar_def irrefl_def \edges_aux_def + by (force) + +lemma \edges_sym: "invar g \ sym (\edges_aux g)" + unfolding invar_def sym_def \edges_aux_def + by force + +lemma \edges_subset: "invar g \ \edges_aux g \ \nodes_aux g \ \nodes_aux g" + unfolding invar_def \nodes_aux_def \edges_aux_def + by force + +lemma \nodes_finite[simp, intro!]: "invar g \ finite (\nodes_aux g)" + unfolding invar_def \nodes_aux_def by simp + +lemma \edges_finite[simp, intro!]: "invar g \ finite (\edges_aux g)" + using finite_subset[OF \edges_subset] by blast + +definition adj :: "'m \ 'v \ ('v\nat) list" where + "adj g v = the_default [] (M_lookup g v)" + +definition empty :: "'m" where "empty = M_empty" + +definition add_edge1 :: "'v\'v \ nat \ 'm \ 'm" where + "add_edge1 \ \(u,v) d g. M_update u ((v,d) # the_default [] (M_lookup g u)) g" + +definition add_edge :: "'v\'v \ nat \ 'm \ 'm" where + "add_edge \ \(u,v) d g. add_edge1 (v,u) d (add_edge1 (u,v) d g)" + + +lemma edges_\g_aux: "invar g \ edges (\g g) = \edges_aux g" + unfolding \g_def using \edges_sym \edges_irrefl + by (auto simp: irrefl_def graph_accs) + +lemma nodes_\g_aux: "invar g \ nodes (\g g) = \nodes_aux g" + unfolding \g_def using \edges_subset + by (force simp: graph_accs) + +lemma card_doubleton_eq2[simp]: "card {a,b} = 2 \ a\b" by auto + +lemma the_dflt_Z_eq: "the_default 0 m = d \ (m=None \ d=0 \ m=Some d)" + by (cases m) auto + +lemma adj_correct_aux: + "invar g \ set (adj g u) = {(v, d). (u, v) \ edges (\g g) \ \w g {u, v} = d}" + apply (simp add: edges_\g_aux) + apply safe + subgoal unfolding adj_def \edges_aux_def by auto + subgoal for a d + unfolding adj_def \w_def + apply (clarsimp split: prod.splits option.splits simp: the_dflt_Z_eq) + unfolding invar_def + by (force dest!: epair_eqD simp: doubleton_eq_iff)+ + subgoal for a + unfolding adj_def \w_def + using \edges_irrefl[of g] + apply (clarsimp split: prod.splits option.splits) + apply safe + subgoal by (auto simp: irrefl_def) + subgoal + apply (clarsimp dest!: epair_eqD simp: doubleton_eq_iff) + unfolding invar_def \edges_aux_def + by force + subgoal + apply (clarsimp dest!: epair_eqD simp: doubleton_eq_iff) + unfolding invar_def \edges_aux_def + apply clarsimp + by (smt case_prod_conv map_of_is_SomeI the_default.simps(2)) + done + done + +lemma invar_empty_aux: "invar empty" + by (simp add: invar_def empty_def M.map_specs) + +lemma dist_fst_the_dflt_aux: "distinct (map fst (the_default [] m)) + \ (\xs. m = Some xs \ distinct (map fst xs))" + by (cases m; auto) + +lemma invar_add_edge_aux: + "\invar g; (u, v) \ edges (\g g); u \ v\ \ invar (add_edge (u, v) d g)" + apply (simp add: edges_\g_aux) + unfolding add_edge_def add_edge1_def invar_def \edges_aux_def + by (auto simp: M.map_specs dist_fst_the_dflt_aux; force) + + + +sublocale adt_wgraph \w \g invar adj empty add_edge + apply unfold_locales + subgoal by (simp add: adj_correct_aux) + subgoal by (simp add: invar_empty_aux) + subgoal + apply (simp + add: graph_eq_iff nodes_\g_aux invar_empty_aux edges_\g_aux + add: \nodes_aux_def \edges_aux_def + ) + apply (simp add: empty_def M.map_specs) + done + subgoal + unfolding \w_def + by (auto simp: empty_def M.map_specs fun_eq_iff split: option.splits) + subgoal by (simp add: invar_add_edge_aux) + subgoal for g u v d + apply (simp add: edges_\g_aux nodes_\g_aux graph_eq_iff invar_add_edge_aux) + apply (rule conjI) + subgoal + unfolding add_edge_def add_edge1_def invar_def \nodes_aux_def + by (auto simp: M.map_specs) + subgoal + unfolding add_edge_def add_edge1_def invar_def \edges_aux_def + by (fastforce simp: M.map_specs split!: if_splits) + done + subgoal for g u v d + apply (simp add: edges_\g_aux invar_add_edge_aux) + unfolding invar_def \w_def add_edge_def add_edge1_def + by (auto + dest: epair_eqD + simp: fun_eq_iff M.map_specs + split!: prod.splits option.splits if_splits) + done + + +end + + +end diff --git a/thys/Prim_Dijkstra_Simple/Undirected_Graph_Specs.thy b/thys/Prim_Dijkstra_Simple/Undirected_Graph_Specs.thy new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/Undirected_Graph_Specs.thy @@ -0,0 +1,185 @@ +section \Abstract Graph Datatype\ +theory Undirected_Graph_Specs +imports Undirected_Graph +begin + +subsection \Abstract Weighted Graph\ + +locale adt_wgraph = + fixes \w :: "'g \ 'v set \ nat" and \g :: "'g \ 'v ugraph" + and invar :: "'g \ bool" + and adj :: "'g \ 'v \ ('v\nat) list" + and empty :: 'g + and add_edge :: "'v\'v \ nat \ 'g \ 'g" + assumes adj_correct: "invar g + \ set (adj g u) = {(v,d). (u,v)\edges (\g g) \ \w g {u,v} = d}" + assumes empty_correct: + "invar empty" + "\g empty = graph_empty" + "\w empty = (\_. 0)" + assumes add_edge_correct: + "\invar g; (u,v)\edges (\g g); u\v\ \ invar (add_edge (u,v) d g)" + "\invar g; (u,v)\edges (\g g); u\v\ + \ \g (add_edge (u,v) d g) = ins_edge (u,v) (\g g)" + "\invar g; (u,v)\edges (\g g); u\v\ + \ \w (add_edge (u,v) d g) = (\w g)({u,v}:=d)" + +begin + +lemmas wgraph_specs = adj_correct empty_correct add_edge_correct + +lemma empty_spec_presentation: + "invar empty \ \g empty = graph {} {} \ \w empty = (\_. 0)" + by (auto simp: wgraph_specs) + +lemma add_edge_spec_presentation: + "\invar g; (u,v)\edges (\g g); u\v\ \ + invar (add_edge (u,v) d g) + \ \g (add_edge (u,v) d g) = ins_edge (u,v) (\g g) + \ \w (add_edge (u,v) d g) = (\w g)({u,v}:=d)" + by (auto simp: wgraph_specs) + +end + + + +subsection \Generic From-List Algorithm\ + +definition valid_graph_repr :: "('v\'v) list \ bool" + where "valid_graph_repr l \ (\(u,v)\set l. u\v)" + +definition graph_from_list :: "('v\'v) list \ 'v ugraph" + where "graph_from_list l = foldr ins_edge l graph_empty" + +lemma graph_from_list_foldl: "graph_from_list l = fold ins_edge l graph_empty" + unfolding graph_from_list_def + apply (rule foldr_fold[THEN fun_cong]) + by (auto simp: fun_eq_iff graph_eq_iff edges_ins_edge) + + +lemma nodes_of_graph_from_list: "nodes (graph_from_list l) = fst`set l \ snd`set l" + apply (induction l) + unfolding graph_from_list_def + by auto + +lemma edges_of_graph_from_list: + assumes valid: "valid_graph_repr l" + shows "edges (graph_from_list l) = set l \ (set l)\" + using valid apply (induction l) + unfolding graph_from_list_def valid_graph_repr_def + by auto + + + +definition "valid_weight_repr l \ distinct (map (uedge o fst) l)" + +definition weight_from_list :: "(('v\'v)\nat) list \ 'v set \ nat" where + "weight_from_list l \ foldr (\((u,v),d) w. w({u,v}:=d)) l (\_. 0)" + +lemma graph_from_list_simps: + "graph_from_list [] = graph_empty" + "graph_from_list ((u,v)#l) = ins_edge (u,v) (graph_from_list l)" + by (auto simp: graph_from_list_def) + +lemma weight_from_list_simps: + "weight_from_list [] = (\_. 0)" + "weight_from_list (((u,v),d)#xs) = (weight_from_list xs)({u,v}:=d)" + by (auto simp: weight_from_list_def) + +lemma valid_graph_repr_simps: + "valid_graph_repr []" + "valid_graph_repr ((u,v)#xs) \ u\v \ valid_graph_repr xs" + unfolding valid_graph_repr_def by auto + +lemma valid_weight_repr_simps: + "valid_weight_repr []" + "valid_weight_repr (((u,v),w)#xs) + \ uedge (u,v)\uedge`fst`set xs \ valid_weight_repr xs" + unfolding valid_weight_repr_def + by (force simp: uedge_def doubleton_eq_iff)+ + + +lemma weight_from_list_correct: + assumes "valid_weight_repr l" + assumes "((u,v),d)\set l" + shows "weight_from_list l {u,v} = d" +proof - + from assms show ?thesis + apply (induction l) + unfolding valid_weight_repr_def weight_from_list_def + subgoal by simp + by (force simp: doubleton_eq_iff) + +qed + + + +context adt_wgraph +begin + +definition "valid_wgraph_repr l + \ valid_graph_repr (map fst l) \ valid_weight_repr l" + +definition "from_list l = foldr (\(e,d). add_edge e d) l empty" + + +lemma from_list_refine: "valid_wgraph_repr l \ + invar (from_list l) + \ \g (from_list l) = graph_from_list (map fst l) + \ \w (from_list l) = weight_from_list l" + unfolding from_list_def valid_wgraph_repr_def + supply [simp] = wgraph_specs graph_from_list_simps weight_from_list_simps + apply (induction l) + subgoal by auto + subgoal by ( + intro conjI; + clarsimp + simp: uedge_def valid_graph_repr_simps valid_weight_repr_simps + split: prod.splits; + subst wgraph_specs; + auto simp: edges_of_graph_from_list + ) + done + +lemma from_list_correct: + assumes "valid_wgraph_repr l" + shows + "invar (from_list l)" + "nodes (\g (from_list l)) = fst`fst`set l \ snd`fst`set l" + "edges (\g (from_list l)) = (fst`set l) \ (fst`set l)\" + "((u,v),d)\set l \ \w (from_list l) {u,v} = d" + apply (simp_all add: from_list_refine[OF assms]) + using assms unfolding valid_wgraph_repr_def + apply (simp_all add: + edges_of_graph_from_list nodes_of_graph_from_list weight_from_list_correct) + done + +lemma valid_wgraph_repr_presentation: "valid_wgraph_repr l \ + (\((u,v),d)\set l. u\v) \ distinct [ {u,v}. ((u,v),d)\l ]" +proof - + have [simp]: "uedge \ fst = (\((u, v), w). {u, v})" + unfolding uedge_def by auto + show ?thesis + unfolding valid_wgraph_repr_def valid_graph_repr_def valid_weight_repr_def + by (auto split: prod.splits) +qed + +lemma from_list_correct_presentation: + assumes "valid_wgraph_repr l" + shows "let gi=from_list l; g=\g gi; w=\w gi in + invar gi + \ nodes g = \{{u,v} | u v. \d. ((u,v),d)\set l} + \ edges g = \{{(u,v),(v,u)} | u v. \d. ((u,v),d)\set l} + \ (\((u,v),d)\set l. w {u,v}=d) + " + unfolding Let_def from_list_correct(2-3)[OF assms] + apply (intro conjI) + subgoal by (simp add: from_list_correct(1)[OF assms]) + subgoal by (auto 0 0 simp: in_set_conv_decomp; blast) + subgoal by (auto 0 0 simp: in_set_conv_decomp; blast) + subgoal using from_list_correct(4)[OF assms] by auto + done + +end + +end diff --git a/thys/Prim_Dijkstra_Simple/document/root.bib b/thys/Prim_Dijkstra_Simple/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/document/root.bib @@ -0,0 +1,356 @@ +@string{IPL="Information Processing Letters"} +@string{Springer="Springer"} +@string{LNCS="LNCS"} + +@inproceedings{LaNi19, + author = {Peter Lammich and Tobias Nipkow}, + title = {Proof Pearl: Purely Functional, Simple and Efficient {P}riority {S}earch {T}rees and Applications to {P}rim and {D}ijkstra}, + booktitle = {Proc. of ITP}, + year = {2019}, + note = {to appear} +} + + +@inproceedings{LaTu12, + author = {Peter Lammich and Thomas Tuerk}, + title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, + booktitle = {Proc. of ITP}, + year = {2012}, + publisher = Springer, + volume = {7406}, + pages = {166--182}, + series = LNCS +} + + +@ARTICLE{Prim57, +author={R. C. {Prim}}, +journal={The Bell System Technical Journal}, +title={Shortest connection networks and some generalizations}, +year={1957}, +volume={36}, +number={6}, +pages={1389-1401}, +keywords={}, +doi={10.1002/j.1538-7305.1957.tb01515.x}, +ISSN={0005-8580}, +month={Nov}} + +@inproceedings{HaNi10, +author={Florian Haftmann and Tobias Nipkow}, +title={Code Generation via Higher-Order Rewrite Systems}, +booktitle={Functional and Logic Programming (FLOPS 2010)}, +editor={M. Blume and N. Kobayashi and G. Vidal}, +publisher=Springer,series=LNCS,volume={6009},pages={103-117},year=2010} + +@article{Soz07, + author = {Sozeau, Matthieu}, + title = {Program-ing Finger Trees in Coq}, + journal = {SIGPLAN Not.}, + issue_date = {September 2007}, + volume = {42}, + number = {9}, + month = oct, + year = {2007}, + issn = {0362-1340}, + pages = {13--24}, + numpages = {12}, + url = {http://doi.acm.org/10.1145/1291220.1291156}, + doi = {10.1145/1291220.1291156}, + acmid = {1291156}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {C\oq\, certification, dependent types, finger trees}, +} + +@incollection{NKP10, + author = {Benedikt Nordhoff and Stefan K{\"o}rner and Peter Lammich}, + title = {Finger Trees}, + booktitle = {Archive of Formal Proofs}, + editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, + publisher = {\url{http://afp.sf.net/entries/Tree-Automata.shtml}}, + month = Oct, + year = {2010}, + note = {Formal proof development}, + ISSN = {2150-914x} +} + + +@article{HiPa06, + title = "Finger Trees: A Simple General-purpose Data Structure", + author = "Ralf Hinze and Ross Paterson", + journal = "Journal of Functional Programming", + volume = 16, + number = 2, + pages = "197-217", + year = 2006 +} + +@article{Dijkstra_Shortest_Path-AFP, + author = {Benedikt Nordhoff and Peter Lammich}, + title = {Dijkstra's Shortest Path Algorithm}, + journal = {Archive of Formal Proofs}, + month = jan, + year = 2012, + note = {\url{http://isa-afp.org/entries/Dijkstra_Shortest_Path.html}, + Formal proof development}, + ISSN = {2150-914x}, +} + +@InProceedings{BLW08, +author="B{\"o}hme, Sascha +and Leino, K. Rustan M. +and Wolff, Burkhart", +editor="Mohamed, Otmane Ait +and Mu{\~{n}}oz, C{\'e}sar +and Tahar, Sofi{\`e}ne", +title="HOL-Boogie --- An Interactive Prover for the Boogie Program-Verifier", +booktitle="Theorem Proving in Higher Order Logics", +year="2008", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="150--166", +abstract="Boogie is a program verification condition generator for an imperative core language. It has front-ends for the programming languages C{\#} and C enriched by annotations in first-order logic.", +isbn="978-3-540-71067-7" +} + + +@inproceedings{AbrialCM03, + author = {Jean{-}Raymond Abrial and + Dominique Cansell and + Dominique M{\'{e}}ry}, + title = {Formal Derivation of Spanning Trees Algorithms}, + booktitle = {{ZB} 2003: Formal Specification and Development in {Z} and B, Third + International Conference of {B} and {Z} Users, Turku, Finland, June + 4-6, 2003, Proceedings}, + pages = {457--476}, + year = {2003}, + crossref = {DBLP:conf/zum/2003}, + url = {https://doi.org/10.1007/3-540-44880-2\_27}, + doi = {10.1007/3-540-44880-2\_27}, +} + +@proceedings{DBLP:conf/zum/2003, + editor = {Didier Bert and + Jonathan P. Bowen and + Steve King and + Marina Wald{\'{e}}n}, + title = {{ZB} 2003: Formal Specification and Development in {Z} and B, Third + International Conference of {B} and {Z} Users, Turku, Finland, June + 4-6, 2003, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {2651}, + publisher = {Springer}, + year = {2003}, + url = {https://doi.org/10.1007/3-540-44880-2}, + doi = {10.1007/3-540-44880-2}, +} + +@inproceedings{La16, + author = {Peter Lammich}, + title = {Refinement based verification of imperative data structures}, + booktitle = {{CPP} 2016}, + editor = "Jeremy Avigad and Adam Chlipala", + pages = {27--36}, + publisher = {{ACM}}, + year = {2016} +} + + +@Article{Dijk59, +author="Dijkstra, E. W.", +title="A note on two problems in connexion with graphs", +journal="Numerische Mathematik", +year="1959", +month="Dec", +day="01", +volume="1", +number="1", +pages="269--271", +issn="0945-3245", +doi="10.1007/BF01386390", +url="https://doi.org/10.1007/BF01386390" +} + + +@book{Cormen-Leiserson-Rivest, +author="Thomas H. Cormen and Charles E. Leiserson and Ronald L. Rivest and Clifford Stein", +title="Introduction to Algorithms",publisher="MIT Press",year=2009} + +@inproceedings{Guttmann16, + author = {Walter Guttmann}, + title = {Relation-Algebraic Verification of Prim's Minimum Spanning Tree Algorithm}, + booktitle = {Theoretical Aspects of Computing - {ICTAC} 2016 - 13th International + Colloquium, Taipei, Taiwan, ROC, October 24-31, 2016, Proceedings}, + pages = {51--68}, + year = {2016}, + crossref = {DBLP:conf/ictac/2016}, + url = {https://doi.org/10.1007/978-3-319-46750-4\_4}, + doi = {10.1007/978-3-319-46750-4\_4}, +} + +@proceedings{DBLP:conf/ictac/2016, + editor = {Augusto Sampaio and + Farn Wang}, + title = {Theoretical Aspects of Computing - {ICTAC} 2016 - 13th International + Colloquium, Taipei, Taiwan, ROC, October 24-31, 2016, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {9965}, + year = {2016}, + url = {https://doi.org/10.1007/978-3-319-46750-4}, + doi = {10.1007/978-3-319-46750-4}, + isbn = {978-3-319-46749-8}, +} + +@inproceedings{HaftmannKKN-ITP13, +author={Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, +title={Data Refinement in {Isabelle/HOL}}, +booktitle={ITP 2013},editor={S. Blazy and C. Paulin-Mohring and D. Pichardie}, +publisher=Springer,series=LNCS,volume={7998},pages={100-115},year=2013} + +@article{Hoare-AI72, + author = {C.A.R. Hoare}, + journal = {Acta Informatica}, + pages = {271--281}, + title = {Proof of Correctness of Data Representations}, + volume = 1, + year = 1972 +} + +@inproceedings{DBLP:conf/icfp/Hinze01, + author = {Ralf Hinze}, + title = {A Simple Implementation Technique for Priority Search Queues}, + booktitle = {Proceedings of the Sixth {ACM} {SIGPLAN} International Conference + on Functional Programming {(ICFP} '01), Firenze (Florence), Italy, + September 3-5, 2001.}, + pages = {110--121}, + year = {2001}, + crossref = {DBLP:conf/icfp/2001}, + url = {https://doi.org/10.1145/507635.507650}, + doi = {10.1145/507635.507650}, +} + +@proceedings{DBLP:conf/icfp/2001, + editor = {Benjamin C. Pierce}, + title = {Proceedings of the Sixth {ACM} {SIGPLAN} International Conference + on Functional Programming {(ICFP} '01), Firenze (Florence), Italy, + September 3-5, 2001}, + publisher = {{ACM}}, + year = {2001}, +} + +@book{Jones-SDRA, + author = {Cliff B. Jones}, + publisher = {Prentice Hall}, + title = {Software Development. A Rigourous Approach}, + year = 1980 +} + +@article{McCreight85, + author = {Edward M. McCreight}, + title = {Priority Search Trees}, + journal = {{SIAM} J. Comput.}, + volume = {14}, + number = {2}, + pages = {257--276}, + year = {1985}, + url = {https://doi.org/10.1137/0214021}, + doi = {10.1137/0214021}, +} + +@book{Concrete,author={Tobias Nipkow and Gerwin Klein}, +title="Concrete Semantics with Isabelle/HOL",publisher="Springer",year=2014, +note={\url{http://concrete-semantics.org}}} + +@misc{RBT,key={Isabelle},note={\url{http://isabelle.in.tum.de/library/HOL/HOL-Data_Structures/RBT.html}}} + +@inproceedings{Char11, + author = {Chargu{\'e}raud, Arthur}, + title = {Characteristic Formulae for the Verification of Imperative Programs}, + booktitle = {Proceedings of the 16th ACM SIGPLAN International Conference on Functional Programming}, + series = {ICFP '11}, + year = {2011}, + isbn = {978-1-4503-0865-6}, + location = {Tokyo, Japan}, + pages = {418--430}, + numpages = {13}, + url = {http://doi.acm.org/10.1145/2034773.2034828}, + doi = {10.1145/2034773.2034828}, + acmid = {2034828}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {characteristic formula, interactive verification, total correctness}, +} + +@inproceedings{FiPa13, + TITLE = {{Why3 -- Where Programs Meet Provers}}, + AUTHOR = {Filli{\^a}tre, Jean-Christophe and Paskevich, Andrei}, + URL = {https://hal.inria.fr/hal-00789533}, + BOOKTITLE = {ESOP}, + PUBLISHER = Springer, + VOLUME = {7792}, + YEAR = {2013}, + MONTH = Mar, + PDF = {https://hal.inria.fr/hal-00789533/file/main.pdf}, + HAL_ID = {hal-00789533}, + HAL_VERSION = {v1}, +} + +@misc{Fill_Dijkstra_Why3, + title="Dijkstra's shortest path algorithm", + author="Jean-Christophe Filli\^atre", + note={From the Toccata gallery, \url{http://toccata.lri.fr/gallery/dijkstra.en.html}} +} + +@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, +title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic", +publisher="Springer",series="LNCS",volume=2283,year=2002} + +@inproceedings{BerghoferN-TYPES00, +author={Stefan Berghofer and Tobias Nipkow}, +title={Executing Higher Order Logic}, +booktitle={Types for Proofs and Programs (TYPES 2000)}, +editor={P. Callaghan and Z. Luo and J. McKinna and R. Pollack}, +year=2002,publisher=Springer,series=LNCS,volume=2277,pages="24--40"} + +@book{Okasaki,author="Chris Okasaki",title="Purely Functional Data Structures", +publisher="Cambridge University Press",year=1998} + +@article{Noschinski15, + author = {Lars Noschinski}, + title = {A Graph Library for Isabelle}, + journal = {Mathematics in Computer Science}, + volume = {9}, + number = {1}, + pages = {23--39}, + year = {2015}, + url = {https://doi.org/10.1007/s11786-014-0183-z}, + doi = {10.1007/s11786-014-0183-z}, +} + + + +@inproceedings{Chou94, + author = {Ching{-}Tsun Chou}, + title = {A Formal Theory of Undirected Graphs in Higher-Order Logic}, + booktitle = {Higher Order Logic Theorem Proving and Its Applications, 7th International + Workshop, Valletta, Malta, September 19-22, 1994, Proceedings}, + pages = {144--157}, + year = {1994}, + crossref = {DBLP:conf/tphol/1994}, + url = {https://doi.org/10.1007/3-540-58450-1\_40}, + doi = {10.1007/3-540-58450-1\_40}, +} + +@proceedings{DBLP:conf/tphol/1994, + editor = {Thomas F. Melham and + Juanito Camilleri}, + title = {Higher Order Logic Theorem Proving and Its Applications, 7th International + Workshop, Valletta, Malta, September 19-22, 1994, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {859}, + publisher = {Springer}, + year = {1994}, + url = {https://doi.org/10.1007/3-540-58450-1}, + doi = {10.1007/3-540-58450-1}, +} diff --git a/thys/Prim_Dijkstra_Simple/document/root.tex b/thys/Prim_Dijkstra_Simple/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/Prim_Dijkstra_Simple/document/root.tex @@ -0,0 +1,69 @@ +\documentclass[11pt,a4paper,notitlepage]{report} +\usepackage{isabelle,isabellesym} + + +% further packages required for unusual symbols (see also +% isabellesym.sty), use only when needed + +\usepackage{amssymb} + %for \, \, \, \, \, \, + %\, \, \, \, \, + %\, \, \ + +%\usepackage{eurosym} + %for \ + +%\usepackage[only,bigsqcap]{stmaryrd} + %for \ + +%\usepackage{eufrak} + %for \ ... \, \ ... \ (also included in amssymb) + +%\usepackage{textcomp} + %for \, \, \, \, \, + %\ + +% this should be the last package used +\usepackage{pdfsetup} + +% urls in roman style, theory text in math-similar italics +\urlstyle{rm} +\isabellestyle{it} + +% for uniform font size +%\renewcommand{\isastyle}{\isastyleminor} + +\begin{document} + +\title{Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra} +\author{Peter Lammich \and Tobias Nipkow} +\maketitle + +\begin{abstract} +We verify purely functional, simple and efficient implementations of Prim's and Dijkstra's algorithms. +This constitutes the first verification of an executable and even efficient version of Prim's algorithm. +This entry formalizes the second part of our ITP-2019 proof +pearl \emph{Purely Functional, Simple and Efficient Priority Search Trees and Applications to Prim and Dijkstra} +~\cite{LaNi19}. +\end{abstract} + +\clearpage +\tableofcontents + +% sane default for proof documents +\parindent 0pt\parskip 0.5ex + +% generated text of all theories +\input{session} + +% optional bibliography +\clearpage +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/thys/Priority_Search_Trees/PST_General.thy b/thys/Priority_Search_Trees/PST_General.thy new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/PST_General.thy @@ -0,0 +1,116 @@ +section \General Priority Search Trees\ + +theory PST_General +imports + "HOL-Data_Structures.Tree2" + Prio_Map_Specs +begin + +text \\noindent + We show how to implement priority maps + by augmented binary search trees. That is, the basic data structure is some + arbitrary binary search tree, e.g.\ a red-black tree, implementing the map + from @{typ 'a} to @{typ 'b} by storing pairs \(k,p)\ in each node. At this + point we need to assume that the keys are also linearly ordered. To + implement \getmin\ efficiently we annotate/augment each node with another pair + \(k',p')\, the intended result of \getmin\ when applied to that subtree. The + specification of \getmin\ tells us that \(k',p')\ must be in that subtree and + that \p'\ is the minimal priority in that subtree. Thus the annotation can be + computed by passing the \(k',p')\ with the minimal \p'\ up the tree. We will + now make this more precise for balanced binary trees in general. + + We assume that our trees are either leaves of the form @{term Leaf} or nodes + of the form @{term "Node l kp b r"} where \l\ and \r\ are subtrees, \kp\ is + the contents of the node (a key-priority pair) and \b\ is some additional + balance information (e.g.\ colour, height, size, \dots). Augmented nodes are + of the form \<^term>\Node l kp (b,kp') r\. +\ + +type_synonym ('k,'p,'c) pstree = "('k\'p, 'c \ ('k \ 'p)) tree" + +text \ + The following invariant states that a node annotation is actually a minimal + key-priority pair for the node's subtree. +\ + +fun invpst :: "('k,'p::linorder,'c) pstree \ bool" where + "invpst Leaf = True" +| "invpst (Node l x (_,mkp) r) \ invpst l \ invpst r + \ is_min2 mkp (set (inorder l @ x # inorder r))" + +text \The implementation of \getmin\ is trivial:\ + +fun pst_getmin where +"pst_getmin (Node _ _ (_,a) _) = a" + +lemma pst_getmin_ismin: + "invpst t \ t\Leaf \ is_min2 (pst_getmin t) (set (inorder t))" +by (cases t rule: pst_getmin.cases) auto + + +text \ + It remains to upgrade the existing map operations to work with augmented nodes. + Therefore we now show how to transform any function definition on un-augmented + trees into one on trees augmented with \(k',p')\ pairs. A defining equation + \f pats = e\ for the original type of nodes is transformed into an equation + \f pats' = e'\ on the augmented type of nodes as follows: + \<^item> Every pattern @{term "Node l kp b r"} in \pats\ and \e\ is replaced by + @{term "Node l kp (b,DUMMY) r"} to obtain \pats'\ and \e\<^sub>2\. + \<^item> To obtain \e'\, every expression @{term "Node l kp b r"} in \e\<^sub>2\ is + replaced by \mkNode l kp b r\ where: +\ + +definition "min2 \ \(k,p) (k',p'). if p\p' then (k,p) else (k',p')" + +definition "min_kp a l r \ case (l,r) of + (Leaf,Leaf) \ a +| (Leaf,Node _ _ (_,kpr) _) \ min2 a kpr +| (Node _ _ (_,kpl) _,Leaf) \ min2 a kpl +| (Node _ _ (_,kpl) _,Node _ _ (_,kpr) _) \ min2 a (min2 kpl kpr)" + +definition "mkNode c l a r \ Node l a (c,min_kp a l r) r" + +text \ + Note that this transformation does not affect the asymptotic complexity + of \f\. Therefore the priority search tree operations have the same complexity + as the underlying search tree operations, i.e.\ typically logarithmic + (\update\, \delete\, \lookup\) and constant time (\empty\, \is_empty\). +\ + +text \It is straightforward to show that @{const mkNode} preserves the invariant:\ + +lemma is_min2_Empty[simp]: "\is_min2 x {}" +by (auto simp: is_min2_def) + +lemma is_min2_singleton[simp]: "is_min2 a {b} \ b=a" +by (auto simp: is_min2_def) + +lemma is_min2_insert: + "is_min2 x (insert y ys) + \ (y=x \ (\z\ys. snd x \ snd z)) \ (snd x \ snd y \ is_min2 x ys)" +by (auto simp: is_min2_def) + +lemma is_min2_union: + "is_min2 x (ys \ zs) + \ (is_min2 x ys \ (\z\zs. snd x \ snd z)) + \ ((\y\ys. snd x \ snd y) \ is_min2 x zs)" +by (auto simp: is_min2_def) + +lemma is_min2_min2_insI: "is_min2 y ys \ is_min2 (min2 x y) (insert x ys)" +by (auto simp: is_min2_def min2_def split: prod.split) + +lemma is_min2_mergeI: + "is_min2 x xs \ is_min2 y ys \ is_min2 (min2 x y) (xs \ ys)" +by (auto simp: is_min2_def min2_def split: prod.split) + +theorem invpst_mkNode[simp]: "invpst (mkNode c l a r) \ invpst l \ invpst r" +apply (cases l rule: invpst.cases; + cases r rule: invpst.cases; + simp add: mkNode_def min_kp_def) + subgoal using is_min2_min2_insI by blast + subgoal by (auto intro!: is_min2_min2_insI simp: insert_commute) +subgoal by (smt Un_insert_left Un_insert_right is_min2_mergeI is_min2_min2_insI + sup_assoc) +done + +end diff --git a/thys/Priority_Search_Trees/PST_RBT.thy b/thys/Priority_Search_Trees/PST_RBT.thy new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/PST_RBT.thy @@ -0,0 +1,411 @@ +section \Priority Search Trees on top of RBTs\ + +theory PST_RBT +imports + "HOL-Data_Structures.Cmp" + "HOL-Data_Structures.Isin2" + "HOL-Data_Structures.Lookup2" + PST_General +begin + +text \ +We obtain a priority search map based on red-black trees via the +general priority search tree augmentation. + +This theory has been derived from the standard Isabelle implementation of red +black trees in @{session "HOL-Data_Structures"}. +\ + +subsection \Definitions\ + +subsubsection \The Code\ + +datatype tcolor = Red | Black + +type_synonym ('k,'p) rbth = "('k\'p,tcolor \ ('k \ 'p)) tree" + +abbreviation R where "R mkp l a r \ Node l a (Red,mkp) r" +abbreviation B where "B mkp l a r \ Node l a (Black,mkp) r" + +abbreviation "mkR \ mkNode Red" +abbreviation "mkB \ mkNode Black" + +fun baliL :: "('k,'p::linorder) rbth \ 'k\'p \ ('k,'p) rbth \ ('k,'p) rbth" + where + "baliL (R _ (R _ t1 a1 t2) a2 t3) a3 t4 = mkR (mkB t1 a1 t2) a2 (mkB t3 a3 t4)" +| "baliL (R _ t1 a1 (R _ t2 a2 t3)) a3 t4 = mkR (mkB t1 a1 t2) a2 (mkB t3 a3 t4)" +| "baliL t1 a t2 = mkB t1 a t2" + +fun baliR :: "('k,'p::linorder) rbth \ 'k\'p \ ('k,'p) rbth \ ('k,'p) rbth" + where +"baliR t1 a1 (R _ (R _ t2 a2 t3) a3 t4) = mkR (mkB t1 a1 t2) a2 (mkB t3 a3 t4)" | +"baliR t1 a1 (R _ t2 a2 (R _ t3 a3 t4)) = mkR (mkB t1 a1 t2) a2 (mkB t3 a3 t4)" | +"baliR t1 a t2 = mkB t1 a t2" + +fun paint :: "tcolor \ ('k,'p::linorder) rbth \ ('k,'p::linorder) rbth" where +"paint c Leaf = Leaf" | +"paint c (Node l a (_,mkp) r) = Node l a (c,mkp) r" + +fun baldL :: "('k,'p::linorder) rbth \ 'k \ 'p \ ('k,'p::linorder) rbth + \ ('k,'p::linorder) rbth" +where +"baldL (R _ t1 x t2) y t3 = mkR (mkB t1 x t2) y t3" | +"baldL bl x (B _ t1 y t2) = baliR bl x (mkR t1 y t2)" | +"baldL bl x (R _ (B _ t1 y t2) z t3) + = mkR (mkB bl x t1) y (baliR t2 z (paint Red t3))" | +"baldL t1 x t2 = mkR t1 x t2" + +fun baldR :: "('k,'p::linorder) rbth \ 'k \ 'p \ ('k,'p::linorder) rbth + \ ('k,'p::linorder) rbth" +where +"baldR t1 x (R _ t2 y t3) = mkR t1 x (mkB t2 y t3)" | +"baldR (B _ t1 x t2) y t3 = baliL (mkR t1 x t2) y t3" | +"baldR (R _ t1 x (B _ t2 y t3)) z t4 + = mkR (baliL (paint Red t1) x t2) y (mkB t3 z t4)" | +"baldR t1 x t2 = mkR t1 x t2" + +fun combine :: "('k,'p::linorder) rbth \ ('k,'p::linorder) rbth + \ ('k,'p::linorder) rbth" +where +"combine Leaf t = t" | +"combine t Leaf = t" | +"combine (R _ t1 a t2) (R _ t3 c t4) = + (case combine t2 t3 of + R _ u2 b u3 \ (mkR (mkR t1 a u2) b (mkR u3 c t4)) | + t23 \ mkR t1 a (mkR t23 c t4))" | +"combine (B _ t1 a t2) (B _ t3 c t4) = + (case combine t2 t3 of + R _ t2' b t3' \ mkR (mkB t1 a t2') b (mkB t3' c t4) | + t23 \ baldL t1 a (mkB t23 c t4))" | +"combine t1 (R _ t2 a t3) = mkR (combine t1 t2) a t3" | +"combine (R _ t1 a t2) t3 = mkR t1 a (combine t2 t3)" + +fun color :: "('k,'p) rbth \ tcolor" where +"color Leaf = Black" | +"color (Node _ _ (c,_) _) = c" + + +fun upd :: "'a::linorder \ 'b::linorder \ ('a,'b) rbth \ ('a,'b) rbth" where +"upd x y Leaf = mkR Leaf (x,y) Leaf" | +"upd x y (B _ l (a,b) r) = (case cmp x a of + LT \ baliL (upd x y l) (a,b) r | + GT \ baliR l (a,b) (upd x y r) | + EQ \ mkB l (x,y) r)" | +"upd x y (R _ l (a,b) r) = (case cmp x a of + LT \ mkR (upd x y l) (a,b) r | + GT \ mkR l (a,b) (upd x y r) | + EQ \ mkR l (x,y) r)" + +definition update :: "'a::linorder \ 'b::linorder \ ('a,'b) rbth \ ('a,'b) rbth" +where +"update x y t = paint Black (upd x y t)" + + +fun del :: "'a::linorder \ ('a,'b::linorder)rbth \ ('a,'b)rbth" where +"del x Leaf = Leaf" | +"del x (Node l (a,b) (c,_) r) = (case cmp x a of + LT \ if l \ Leaf \ color l = Black + then baldL (del x l) (a,b) r else mkR (del x l) (a,b) r | + GT \ if r \ Leaf\ color r = Black + then baldR l (a,b) (del x r) else mkR l (a,b) (del x r) | + EQ \ combine l r)" + +definition delete :: "'a::linorder \ ('a,'b::linorder) rbth \ ('a,'b) rbth" where +"delete x t = paint Black (del x t)" + + +subsubsection \Invariants\ + +fun bheight :: "('k,'p) rbth \ nat" where +"bheight Leaf = 0" | +"bheight (Node l x (c,_) r) = (if c = Black then bheight l + 1 else bheight l)" + +fun invc :: "('k,'p) rbth \ bool" where +"invc Leaf = True" | +"invc (Node l a (c,_) r) = + (invc l \ invc r \ (c = Red \ color l = Black \ color r = Black))" + +fun invc2 :: "('k,'p) rbth \ bool" \ \Weaker version\ where +"invc2 Leaf = True" | +"invc2 (Node l a _ r) = (invc l \ invc r)" + +fun invh :: "('k,'p) rbth \ bool" where +"invh Leaf = True" | +"invh (Node l x _ r) = (invh l \ invh r \ bheight l = bheight r)" + +definition rbt :: "('k,'p::linorder) rbth \ bool" where +"rbt t = (invc t \ invh t \ invpst t \ color t = Black)" + + +subsection \Functional Correctness\ + +lemma inorder_paint[simp]: "inorder(paint c t) = inorder t" +by(cases t) (auto) + +lemma inorder_mkNode[simp]: + "inorder (mkNode c l a r) = inorder l @ a # inorder r" +by (auto simp: mkNode_def) + + +lemma inorder_baliL[simp]: + "inorder(baliL l a r) = inorder l @ a # inorder r" +by(cases "(l,a,r)" rule: baliL.cases) (auto) + +lemma inorder_baliR[simp]: + "inorder(baliR l a r) = inorder l @ a # inorder r" +by(cases "(l,a,r)" rule: baliR.cases) (auto) + + +lemma inorder_baldL[simp]: + "inorder(baldL l a r) = inorder l @ a # inorder r" +by (cases "(l,a,r)" rule: baldL.cases) auto + +lemma inorder_baldR[simp]: + "inorder(baldR l a r) = inorder l @ a # inorder r" +by(cases "(l,a,r)" rule: baldR.cases) auto + +lemma inorder_combine[simp]: + "inorder(combine l r) = inorder l @ inorder r" +by (induction l r rule: combine.induct) (auto split: tree.split tcolor.split) + +lemma inorder_upd: + "sorted1(inorder t) \ inorder(upd x y t) = upd_list x y (inorder t)" +by(induction x y t rule: upd.induct) + (auto simp: upd_list_simps) + +lemma inorder_update: + "sorted1(inorder t) \ inorder(update x y t) = upd_list x y (inorder t)" +by(simp add: update_def inorder_upd) + +lemma inorder_del: + "sorted1(inorder t) \ inorder(del x t) = del_list x (inorder t)" +by(induction x t rule: del.induct) + (auto simp: del_list_simps) + +lemma inorder_delete: + "sorted1(inorder t) \ inorder(delete x t) = del_list x (inorder t)" +by(simp add: delete_def inorder_del) + + +subsection \Invariant Preservation\ + +lemma color_paint_Black: "color (paint Black t) = Black" +by (cases t) auto + +theorem rbt_Leaf: "rbt Leaf" +by (simp add: rbt_def) + +lemma invc2I: "invc t \ invc2 t" +by (cases t rule: invc.cases) simp+ + +lemma paint_invc2: "invc2 t \ invc2 (paint c t)" +by (cases t) auto + +lemma invc_paint_Black: "invc2 t \ invc (paint Black t)" +by (cases t) auto + +lemma invh_paint: "invh t \ invh (paint c t)" +by (cases t) auto + +lemma invc_mkRB[simp]: + "invc (mkR l a r) \ invc l \ invc r \ color l = Black \ color r = Black" + "invc (mkB l a r) \ invc l \ invc r" +by (simp_all add: mkNode_def) + +lemma color_mkNode[simp]: "color (mkNode c l a r) = c" +by (simp_all add: mkNode_def) + + +subsubsection \Update\ + +lemma invc_baliL: + "\invc2 l; invc r\ \ invc (baliL l a r)" +by (induct l a r rule: baliL.induct) auto + +lemma invc_baliR: + "\invc l; invc2 r\ \ invc (baliR l a r)" +by (induct l a r rule: baliR.induct) auto + +lemma bheight_mkRB[simp]: + "bheight (mkR l a r) = bheight l" + "bheight (mkB l a r) = Suc (bheight l)" + by (simp_all add: mkNode_def) + +lemma bheight_baliL: + "bheight l = bheight r \ bheight (baliL l a r) = Suc (bheight l)" +by (induct l a r rule: baliL.induct) auto + +lemma bheight_baliR: + "bheight l = bheight r \ bheight (baliR l a r) = Suc (bheight l)" +by (induct l a r rule: baliR.induct) auto + +lemma invh_mkNode[simp]: + "invh (mkNode c l a r) \ invh l \ invh r \ bheight l = bheight r" +by (simp add: mkNode_def) + +lemma invh_baliL: + "\ invh l; invh r; bheight l = bheight r \ \ invh (baliL l a r)" +by (induct l a r rule: baliL.induct) auto + +lemma invh_baliR: + "\ invh l; invh r; bheight l = bheight r \ \ invh (baliR l a r)" +by (induct l a r rule: baliR.induct) auto + + +lemma invc_upd: assumes "invc t" + shows "color t = Black \ invc (upd x y t)" "invc2 (upd x y t)" +using assms +by (induct x y t rule: upd.induct) + (auto simp: invc_baliL invc_baliR invc2I mkNode_def) + +lemma invh_upd: assumes "invh t" + shows "invh (upd x y t)" "bheight (upd x y t) = bheight t" +using assms +by(induct x y t rule: upd.induct) + (auto simp: invh_baliL invh_baliR bheight_baliL bheight_baliR) + + +lemma invpst_paint[simp]: "invpst (paint c t) = invpst t" +by (cases "(c,t)" rule: paint.cases) auto + +lemma invpst_baliR: "invpst l \ invpst r \ invpst (baliR l a r)" +by (cases "(l,a,r)" rule: baliR.cases) auto + +lemma invpst_baliL: "invpst l \ invpst r \ invpst (baliL l a r)" +by (cases "(l,a,r)" rule: baliL.cases) auto + +lemma invpst_upd: "invpst t \ invpst (upd x y t)" +by (induct x y t rule: upd.induct) (auto simp: invpst_baliR invpst_baliL) + + +theorem rbt_update: "rbt t \ rbt (update x y t)" +by (simp add: invc_upd(2) invh_upd(1) color_paint_Black invc_paint_Black + invh_paint rbt_def update_def invpst_upd) + + +subsubsection \Delete\ + +lemma bheight_paint_Red: + "color t = Black \ bheight (paint Red t) = bheight t - 1" +by (cases t) auto + +lemma invh_baldL_invc: + "\ invh l; invh r; bheight l + 1 = bheight r; invc r \ + \ invh (baldL l a r) \ bheight (baldL l a r) = bheight l + 1" +by (induct l a r rule: baldL.induct) + (auto simp: invh_baliR invh_paint bheight_baliR bheight_paint_Red) + +lemma invh_baldL_Black: + "\ invh l; invh r; bheight l + 1 = bheight r; color r = Black \ + \ invh (baldL l a r) \ bheight (baldL l a r) = bheight r" +by (induct l a r rule: baldL.induct) (auto simp add: invh_baliR bheight_baliR) + +lemma invc_baldL: "\invc2 l; invc r; color r = Black\ \ invc (baldL l a r)" +by (induct l a r rule: baldL.induct) (auto simp: invc_baliR invc2I mkNode_def) + +lemma invc2_baldL: "\ invc2 l; invc r \ \ invc2 (baldL l a r)" +by (induct l a r rule: baldL.induct) + (auto simp: invc_baliR paint_invc2 invc2I mkNode_def) + +lemma invh_baldR_invc: + "\ invh l; invh r; bheight l = bheight r + 1; invc l \ + \ invh (baldR l a r) \ bheight (baldR l a r) = bheight l" +by(induct l a r rule: baldR.induct) + (auto simp: invh_baliL bheight_baliL invh_paint bheight_paint_Red) + +lemma invc_baldR: "\invc a; invc2 b; color a = Black\ \ invc (baldR a x b)" +by (induct a x b rule: baldR.induct) (simp_all add: invc_baliL mkNode_def) + +lemma invc2_baldR: "\ invc l; invc2 r \ \invc2 (baldR l x r)" +by (induct l x r rule: baldR.induct) + (auto simp: invc_baliL paint_invc2 invc2I mkNode_def) + +lemma invh_combine: + "\ invh l; invh r; bheight l = bheight r \ + \ invh (combine l r) \ bheight (combine l r) = bheight l" +by (induct l r rule: combine.induct) + (auto simp: invh_baldL_Black split: tree.splits tcolor.splits) + +lemma invc_combine: + assumes "invc l" "invc r" + shows "color l = Black \ color r = Black \ invc (combine l r)" + "invc2 (combine l r)" +using assms +by (induct l r rule: combine.induct) + (auto simp: invc_baldL invc2I mkNode_def split: tree.splits tcolor.splits) + +lemma neq_LeafD: "t \ Leaf \ \c l x r. t = Node c l x r" +by(cases t) auto + +lemma del_invc_invh: "invh t \ invc t \ invh (del x t) \ + (color t = Red \ bheight (del x t) = bheight t \ invc (del x t) \ + color t = Black \ bheight (del x t) = bheight t - 1 \ invc2 (del x t))" +proof (induct x t rule: del.induct) +case (2 x _ y _ c) + have "x = y \ x < y \ x > y" by auto + thus ?case proof (elim disjE) + assume "x = y" + with 2 show ?thesis + by (cases c) (simp_all add: invh_combine invc_combine) + next + assume "x < y" + with 2 show ?thesis + by(cases c) + (auto + simp: invh_baldL_invc invc_baldL invc2_baldL mkNode_def + dest: neq_LeafD) + next + assume "y < x" + with 2 show ?thesis + by(cases c) + (auto + simp: invh_baldR_invc invc_baldR invc2_baldR mkNode_def + dest: neq_LeafD) + qed +qed auto + +lemma invpst_baldR: "invpst l \ invpst r \ invpst (baldR l a r)" +by (cases "(l,a,r)" rule: baldR.cases) (auto simp: invpst_baliL) + +lemma invpst_baldL: "invpst l \ invpst r \ invpst (baldL l a r)" +by (cases "(l,a,r)" rule: baldL.cases) (auto simp: invpst_baliR) + +lemma invpst_combine: "invpst l \ invpst r \ invpst (combine l r)" +by(induction l r rule: combine.induct) + (auto split: tree.splits tcolor.splits simp: invpst_baldR invpst_baldL) + +lemma invpst_del: "invpst t \ invpst (del x t)" +by(induct x t rule: del.induct) + (auto simp: invpst_baldR invpst_baldL invpst_combine) + +theorem rbt_delete: "rbt t \ rbt (delete k t)" +apply (clarsimp simp: delete_def rbt_def) +apply (frule (1) del_invc_invh[where x=k]) +apply (auto simp: invc_paint_Black invh_paint color_paint_Black invpst_del) +done + +lemma rbt_getmin_ismin: + "rbt t \ t\Leaf \ is_min2 (pst_getmin t) (set (inorder t))" +unfolding rbt_def by (simp add: pst_getmin_ismin) + +definition "rbt_is_empty t \ t = Leaf" + +lemma rbt_is_empty: "rbt_is_empty t \ inorder t = []" +by (cases t) (auto simp: rbt_is_empty_def) + +definition empty where "empty = Leaf" + + +subsection \Overall Correctness\ + +interpretation PM: PrioMap_by_Ordered +where empty = empty and lookup = lookup and update = update and delete = delete +and inorder = inorder and inv = "rbt" and is_empty = rbt_is_empty +and getmin = pst_getmin +apply standard +apply (auto simp: lookup_map_of inorder_update inorder_delete rbt_update + rbt_delete rbt_Leaf rbt_is_empty empty_def + dest: rbt_getmin_ismin) +done + +end diff --git a/thys/Priority_Search_Trees/Prio_Map_Specs.thy b/thys/Priority_Search_Trees/Prio_Map_Specs.thy new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/Prio_Map_Specs.thy @@ -0,0 +1,90 @@ +section \Priority Map Specifications\ + +theory Prio_Map_Specs +imports "HOL-Data_Structures.Map_Specs" +begin + +(*<*) +(** TODO/FIXME: + Duplicated from List_Ins_Del. + We cannot import this theory, as it has name clashed with AList_Upd_Del! +*) +lemma sorted_Cons_iff: + "sorted(x # xs) = ((\y \ set xs. x < y) \ sorted xs)" +by(simp add: sorted_wrt_Cons) + +(** TODO: Belongs into AList_Upd_Del *) +lemma sorted_map_of_Some_eq: + "sorted1 xs \ map_of xs k = Some v \ (k,v)\set xs" +by (induction xs arbitrary: k v) (auto split: if_splits simp: sorted_Cons_iff) + +(*>*) + +subsection \Abstract Data Type\ + +locale PrioMap = Map where lookup = lookup + for lookup :: "'m \ 'a \ 'b::linorder option" + + fixes is_empty :: "'m \ bool" + fixes getmin :: "'m \ 'a \ 'b" + assumes map_is_empty: "invar m \ is_empty m \ lookup m = Map.empty" + and map_getmin: "getmin m = (k,p) \ invar m \ lookup m \ Map.empty + \ lookup m k = Some p \ (\p'\ran (lookup m). p\p')" +begin + +lemmas prio_map_specs = map_specs map_is_empty + +lemma map_getminE: + assumes "getmin m = (k,p)" "invar m" "lookup m \ Map.empty" + obtains "lookup m k = Some p" "\k' p'. lookup m k' = Some p' \ p\p'" +using map_getmin[OF assms] by (auto simp: ran_def) + +end + +definition is_min2 :: "(_\'a::linorder) \ (_\'a) set \ bool" where +"is_min2 x xs \ x\xs \ (\y\xs. snd x \ snd y)" + + +subsection \Inorder-Based Specification\ + +locale PrioMap_by_Ordered = Map_by_Ordered + where lookup=lookup for lookup :: "'t \ 'a::linorder \ 'b::linorder option" + + fixes is_empty :: "'t \ bool" + fixes getmin :: "'t \ 'a\'b" + assumes inorder_isempty': "\inv t; sorted1 (inorder t)\ + \ is_empty t \ inorder t = []" + and inorder_getmin': + "\inv t; sorted1 (inorder t); inorder t \ []; getmin t = (a,b)\ + \ is_min2 (a,b) (set (inorder t))" +begin + +lemma + inorder_isempty: "invar t \ is_empty t \ inorder t = []" + and inorder_getmin: "\invar t; inorder t \ []; getmin t = (a,b)\ + \ is_min2 (a,b) (set (inorder t))" +unfolding invar_def by (auto simp: inorder_isempty' inorder_getmin') + +lemma inorder_lookup_empty_iff: + "invar m \ lookup m = Map.empty \ inorder m = []" +using inorder_lookup[of m] +apply (auto split: if_splits simp: invar_def) +by (metis map_of.elims option.discI) + +lemma inorder_lookup_ran_eq: + "\inv m; sorted1 (inorder m)\ \ ran (lookup m) = snd ` set (inorder m)" +using inorder_lookup[of m] unfolding ran_def +by (force simp: sorted_map_of_Some_eq) + +sublocale PrioMap empty update delete invar lookup is_empty getmin +apply unfold_locales + apply (auto simp: inorder_isempty inorder_lookup_empty_iff) + apply (frule (2) inorder_getmin) + apply (auto simp: is_min2_def sorted_map_of_Some_eq invar_def inorder_lookup) [] +apply (frule (2) inorder_getmin) +apply (force simp: is_min2_def sorted_map_of_Some_eq inorder_lookup_ran_eq + eq_Min_iff invar_def inorder_lookup) [] +done + +end + +end + \ No newline at end of file diff --git a/thys/Priority_Search_Trees/ROOT b/thys/Priority_Search_Trees/ROOT new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/ROOT @@ -0,0 +1,13 @@ +chapter AFP + +session Priority_Search_Trees (AFP) = HOL + + options [timeout = 300] + sessions + "HOL-Data_Structures" + "HOL-Eisbach" + theories + Prio_Map_Specs + PST_RBT + document_files + "root.tex" + "root.bib" diff --git a/thys/Priority_Search_Trees/document/root.bib b/thys/Priority_Search_Trees/document/root.bib new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/document/root.bib @@ -0,0 +1,377 @@ +@string{IPL="Information Processing Letters"} +@string{Springer="Springer"} +@string{LNCS="LNCS"} + + +@article{PrioSearchTree_AFP, + author = {Peter Lammich and Tobias Nipkow}, + title = {Priority Search Trees}, + year = {2019}, + journal = {Archive of Formal Proofs}, + note = {\url{http://isa-afp.org/entries/Priority_Search_Trees.html}, + Formal proof development (submitted)}, + ISSN = {2150-914x}, +} + +@article{PrimDijkstra_AFP, + author = {Peter Lammich and Tobias Nipkow}, + title = {Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra}, + year = {2019}, + journal = {Archive of Formal Proofs}, + note = {\url{http://isa-afp.org/entries/Prim_Dijkstra_Simple.html}, + Formal proof development (submitted)}, + ISSN = {2150-914x}, +} + +@inproceedings{LaNi19, + author = {Peter Lammich and Tobias Nipkow}, + title = {Proof Pearl: Purely Functional, Simple and Efficient {P}riority {S}earch {T}rees and Applications to {P}rim and {D}ijkstra}, + booktitle = {Proc. of ITP}, + year = {2019}, + note = {to appear} +} + + +@inproceedings{LaTu12, + author = {Peter Lammich and Thomas Tuerk}, + title = {Applying Data Refinement for Monadic Programs to {H}opcroft's Algorithm}, + booktitle = {Proc. of ITP}, + year = {2012}, + publisher = Springer, + volume = {7406}, + pages = {166--182}, + series = LNCS +} + + +@ARTICLE{Prim57, +author={R. C. {Prim}}, +journal={The Bell System Technical Journal}, +title={Shortest connection networks and some generalizations}, +year={1957}, +volume={36}, +number={6}, +pages={1389-1401}, +keywords={}, +doi={10.1002/j.1538-7305.1957.tb01515.x}, +ISSN={0005-8580}, +month={Nov}} + +@inproceedings{HaNi10, +author={Florian Haftmann and Tobias Nipkow}, +title={Code Generation via Higher-Order Rewrite Systems}, +booktitle={Functional and Logic Programming (FLOPS 2010)}, +editor={M. Blume and N. Kobayashi and G. Vidal}, +publisher=Springer,series=LNCS,volume={6009},pages={103-117},year=2010} + +@article{Soz07, + author = {Sozeau, Matthieu}, + title = {Program-ing Finger Trees in Coq}, + journal = {SIGPLAN Not.}, + issue_date = {September 2007}, + volume = {42}, + number = {9}, + month = oct, + year = {2007}, + issn = {0362-1340}, + pages = {13--24}, + numpages = {12}, + url = {http://doi.acm.org/10.1145/1291220.1291156}, + doi = {10.1145/1291220.1291156}, + acmid = {1291156}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {C\oq\, certification, dependent types, finger trees}, +} + +@incollection{NKP10, + author = {Benedikt Nordhoff and Stefan K{\"o}rner and Peter Lammich}, + title = {Finger Trees}, + booktitle = {Archive of Formal Proofs}, + editor = {Gerwin Klein and Tobias Nipkow and Lawrence Paulson}, + publisher = {\url{http://afp.sf.net/entries/Tree-Automata.shtml}}, + month = Oct, + year = {2010}, + note = {Formal proof development}, + ISSN = {2150-914x} +} + + +@article{HiPa06, + title = "Finger Trees: A Simple General-purpose Data Structure", + author = "Ralf Hinze and Ross Paterson", + journal = "Journal of Functional Programming", + volume = 16, + number = 2, + pages = "197-217", + year = 2006 +} + +@article{Dijkstra_Shortest_Path-AFP, + author = {Benedikt Nordhoff and Peter Lammich}, + title = {Dijkstra's Shortest Path Algorithm}, + journal = {Archive of Formal Proofs}, + month = jan, + year = 2012, + note = {\url{http://isa-afp.org/entries/Dijkstra_Shortest_Path.html}, + Formal proof development}, + ISSN = {2150-914x}, +} + +@InProceedings{BLW08, +author="B{\"o}hme, Sascha +and Leino, K. Rustan M. +and Wolff, Burkhart", +editor="Mohamed, Otmane Ait +and Mu{\~{n}}oz, C{\'e}sar +and Tahar, Sofi{\`e}ne", +title="HOL-Boogie --- An Interactive Prover for the Boogie Program-Verifier", +booktitle="Theorem Proving in Higher Order Logics", +year="2008", +publisher="Springer Berlin Heidelberg", +address="Berlin, Heidelberg", +pages="150--166", +abstract="Boogie is a program verification condition generator for an imperative core language. It has front-ends for the programming languages C{\#} and C enriched by annotations in first-order logic.", +isbn="978-3-540-71067-7" +} + + +@inproceedings{AbrialCM03, + author = {Jean{-}Raymond Abrial and + Dominique Cansell and + Dominique M{\'{e}}ry}, + title = {Formal Derivation of Spanning Trees Algorithms}, + booktitle = {{ZB} 2003: Formal Specification and Development in {Z} and B, Third + International Conference of {B} and {Z} Users, Turku, Finland, June + 4-6, 2003, Proceedings}, + pages = {457--476}, + year = {2003}, + crossref = {DBLP:conf/zum/2003}, + url = {https://doi.org/10.1007/3-540-44880-2\_27}, + doi = {10.1007/3-540-44880-2\_27}, +} + +@proceedings{DBLP:conf/zum/2003, + editor = {Didier Bert and + Jonathan P. Bowen and + Steve King and + Marina Wald{\'{e}}n}, + title = {{ZB} 2003: Formal Specification and Development in {Z} and B, Third + International Conference of {B} and {Z} Users, Turku, Finland, June + 4-6, 2003, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {2651}, + publisher = {Springer}, + year = {2003}, + url = {https://doi.org/10.1007/3-540-44880-2}, + doi = {10.1007/3-540-44880-2}, +} + +@inproceedings{La16, + author = {Peter Lammich}, + title = {Refinement based verification of imperative data structures}, + booktitle = {{CPP} 2016}, + editor = "Jeremy Avigad and Adam Chlipala", + pages = {27--36}, + publisher = {{ACM}}, + year = {2016} +} + + +@Article{Dijk59, +author="Dijkstra, E. W.", +title="A note on two problems in connexion with graphs", +journal="Numerische Mathematik", +year="1959", +month="Dec", +day="01", +volume="1", +number="1", +pages="269--271", +issn="0945-3245", +doi="10.1007/BF01386390", +url="https://doi.org/10.1007/BF01386390" +} + + +@book{Cormen-Leiserson-Rivest, +author="Thomas H. Cormen and Charles E. Leiserson and Ronald L. Rivest and Clifford Stein", +title="Introduction to Algorithms",publisher="MIT Press",year=2009} + +@inproceedings{Guttmann16, + author = {Walter Guttmann}, + title = {Relation-Algebraic Verification of Prim's Minimum Spanning Tree Algorithm}, + booktitle = {Theoretical Aspects of Computing - {ICTAC} 2016 - 13th International + Colloquium, Taipei, Taiwan, ROC, October 24-31, 2016, Proceedings}, + pages = {51--68}, + year = {2016}, + crossref = {DBLP:conf/ictac/2016}, + url = {https://doi.org/10.1007/978-3-319-46750-4\_4}, + doi = {10.1007/978-3-319-46750-4\_4}, +} + +@proceedings{DBLP:conf/ictac/2016, + editor = {Augusto Sampaio and + Farn Wang}, + title = {Theoretical Aspects of Computing - {ICTAC} 2016 - 13th International + Colloquium, Taipei, Taiwan, ROC, October 24-31, 2016, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {9965}, + year = {2016}, + url = {https://doi.org/10.1007/978-3-319-46750-4}, + doi = {10.1007/978-3-319-46750-4}, + isbn = {978-3-319-46749-8}, +} + +@inproceedings{HaftmannKKN-ITP13, +author={Florian Haftmann and Alexander Krauss and Ond\v{r}ej Kun\v{c}ar and Tobias Nipkow}, +title={Data Refinement in {Isabelle/HOL}}, +booktitle={ITP 2013},editor={S. Blazy and C. Paulin-Mohring and D. Pichardie}, +publisher=Springer,series=LNCS,volume={7998},pages={100-115},year=2013} + +@article{Hoare-AI72, + author = {C.A.R. Hoare}, + journal = {Acta Informatica}, + pages = {271--281}, + title = {Proof of Correctness of Data Representations}, + volume = 1, + year = 1972 +} + +@inproceedings{DBLP:conf/icfp/Hinze01, + author = {Ralf Hinze}, + title = {A Simple Implementation Technique for Priority Search Queues}, + booktitle = {Proceedings of the Sixth {ACM} {SIGPLAN} International Conference + on Functional Programming {(ICFP} '01), Firenze (Florence), Italy, + September 3-5, 2001.}, + pages = {110--121}, + year = {2001}, + crossref = {DBLP:conf/icfp/2001}, + url = {https://doi.org/10.1145/507635.507650}, + doi = {10.1145/507635.507650}, +} + +@proceedings{DBLP:conf/icfp/2001, + editor = {Benjamin C. Pierce}, + title = {Proceedings of the Sixth {ACM} {SIGPLAN} International Conference + on Functional Programming {(ICFP} '01), Firenze (Florence), Italy, + September 3-5, 2001}, + publisher = {{ACM}}, + year = {2001}, +} + +@book{Jones-SDRA, + author = {Cliff B. Jones}, + publisher = {Prentice Hall}, + title = {Software Development. A Rigourous Approach}, + year = 1980 +} + +@article{McCreight85, + author = {Edward M. McCreight}, + title = {Priority Search Trees}, + journal = {{SIAM} J. Comput.}, + volume = {14}, + number = {2}, + pages = {257--276}, + year = {1985}, + url = {https://doi.org/10.1137/0214021}, + doi = {10.1137/0214021}, +} + +@book{Concrete,author={Tobias Nipkow and Gerwin Klein}, +title="Concrete Semantics with Isabelle/HOL",publisher="Springer",year=2014, +note={\url{http://concrete-semantics.org}}} + +@misc{RBT,key={Isabelle},note={\url{http://isabelle.in.tum.de/library/HOL/HOL-Data_Structures/RBT.html}}} + +@inproceedings{Char11, + author = {Chargu{\'e}raud, Arthur}, + title = {Characteristic Formulae for the Verification of Imperative Programs}, + booktitle = {Proceedings of the 16th ACM SIGPLAN International Conference on Functional Programming}, + series = {ICFP '11}, + year = {2011}, + isbn = {978-1-4503-0865-6}, + location = {Tokyo, Japan}, + pages = {418--430}, + numpages = {13}, + url = {http://doi.acm.org/10.1145/2034773.2034828}, + doi = {10.1145/2034773.2034828}, + acmid = {2034828}, + publisher = {ACM}, + address = {New York, NY, USA}, + keywords = {characteristic formula, interactive verification, total correctness}, +} + +@inproceedings{FiPa13, + TITLE = {{Why3 -- Where Programs Meet Provers}}, + AUTHOR = {Filli{\^a}tre, Jean-Christophe and Paskevich, Andrei}, + URL = {https://hal.inria.fr/hal-00789533}, + BOOKTITLE = {ESOP}, + PUBLISHER = Springer, + VOLUME = {7792}, + YEAR = {2013}, + MONTH = Mar, + PDF = {https://hal.inria.fr/hal-00789533/file/main.pdf}, + HAL_ID = {hal-00789533}, + HAL_VERSION = {v1}, +} + +@misc{Fill_Dijkstra_Why3, + title="Dijkstra's shortest path algorithm", + author="Jean-Christophe Filli\^atre", + note={From the Toccata gallery, \url{http://toccata.lri.fr/gallery/dijkstra.en.html}} +} + +@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel}, +title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic", +publisher="Springer",series="LNCS",volume=2283,year=2002} + +@inproceedings{BerghoferN-TYPES00, +author={Stefan Berghofer and Tobias Nipkow}, +title={Executing Higher Order Logic}, +booktitle={Types for Proofs and Programs (TYPES 2000)}, +editor={P. Callaghan and Z. Luo and J. McKinna and R. Pollack}, +year=2002,publisher=Springer,series=LNCS,volume=2277,pages="24--40"} + +@book{Okasaki,author="Chris Okasaki",title="Purely Functional Data Structures", +publisher="Cambridge University Press",year=1998} + +@article{Noschinski15, + author = {Lars Noschinski}, + title = {A Graph Library for Isabelle}, + journal = {Mathematics in Computer Science}, + volume = {9}, + number = {1}, + pages = {23--39}, + year = {2015}, + url = {https://doi.org/10.1007/s11786-014-0183-z}, + doi = {10.1007/s11786-014-0183-z}, +} + + + +@inproceedings{Chou94, + author = {Ching{-}Tsun Chou}, + title = {A Formal Theory of Undirected Graphs in Higher-Order Logic}, + booktitle = {Higher Order Logic Theorem Proving and Its Applications, 7th International + Workshop, Valletta, Malta, September 19-22, 1994, Proceedings}, + pages = {144--157}, + year = {1994}, + crossref = {DBLP:conf/tphol/1994}, + url = {https://doi.org/10.1007/3-540-58450-1\_40}, + doi = {10.1007/3-540-58450-1\_40}, +} + +@proceedings{DBLP:conf/tphol/1994, + editor = {Thomas F. Melham and + Juanito Camilleri}, + title = {Higher Order Logic Theorem Proving and Its Applications, 7th International + Workshop, Valletta, Malta, September 19-22, 1994, Proceedings}, + series = {Lecture Notes in Computer Science}, + volume = {859}, + publisher = {Springer}, + year = {1994}, + url = {https://doi.org/10.1007/3-540-58450-1}, + doi = {10.1007/3-540-58450-1}, +} diff --git a/thys/Priority_Search_Trees/document/root.tex b/thys/Priority_Search_Trees/document/root.tex new file mode 100644 --- /dev/null +++ b/thys/Priority_Search_Trees/document/root.tex @@ -0,0 +1,87 @@ +\documentclass[11pt,a4paper]{article} +\usepackage{isabelle,isabellesym} + +% further packages required for unusual symbols (see also +% isabellesym.sty), use only when needed + +%\usepackage{amssymb} + %for \, \, \, \, \, \, + %\, \, \, \, \, + %\, \, \ + +%\usepackage{eurosym} + %for \ + +%\usepackage[only,bigsqcap]{stmaryrd} + %for \ + +%\usepackage{eufrak} + %for \ ... \, \ ... \ (also included in amssymb) + +%\usepackage{textcomp} + %for \, \, \, \, \, + %\ + +% this should be the last package used +\usepackage{pdfsetup} + +% urls in roman style, theory text in math-similar italics +\urlstyle{rm} +\isabellestyle{it} + +% for uniform font size +%\renewcommand{\isastyle}{\isastyleminor} + + +\begin{document} + +\title{Priority Search Trees} +\author{Peter Lammich \and Tobias Nipkow} +\maketitle + +\begin{abstract} +We present a new, purely functional, simple and efficient data structure +combining a search tree and a priority queue, which we call a \emph{priority search tree}. +The salient feature of priority search trees is that they offer +a decrease-key operation, something that is missing from other simple, purely functional priority queue +implementations. Priority search trees can be implemented on top of any search tree. +This entry does the implementation for red-black trees. + +This entry formalizes the first part of our ITP-2019 proof +pearl \emph{Purely Functional, Simple and Efficient Priority Search Trees and Applications to Prim and Dijkstra} +~\cite{LaNi19}. +\end{abstract} + +\clearpage + +\tableofcontents + +% sane default for proof documents +\parindent 0pt\parskip 0.5ex + +% generated text of all theories +\input{session} + +\section{Related Work} +Our priority map ADT is close to Hinze's \cite{DBLP:conf/icfp/Hinze01} \emph{priority search queue} +interface, except that he also supports a few further operations that we could easily add but do not +need for our applications. However, it is not clear if his implementation technique is the same as +our priority search tree because his description employs a plethora of concepts, e.g.\ +\emph{priority search pennants}, \emph{tournament trees}, \emph{semi-heaps}, and multiple +\emph{views} of data types that obscure a direct comparison. We claim that at the very least our +presentation is new because it is much simpler; we encourage the reader to compare the two. + +As already observed by Hinze, McCreight's \cite{McCreight85} priority search trees support range +queries more efficiently than our trees. However, we can support the same range queries as Hinze +efficiently, but that is outside the scope of this entry. + +% optional bibliography +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: t +%%% End: diff --git a/thys/ROOTS b/thys/ROOTS --- a/thys/ROOTS +++ b/thys/ROOTS @@ -1,479 +1,484 @@ AODV Auto2_HOL Auto2_Imperative_HOL AVL-Trees AWN Abortable_Linearizable_Modules Abs_Int_ITP2012 Abstract-Hoare-Logics Abstract-Rewriting Abstract_Completeness Abstract_Soundness Affine_Arithmetic Aggregation_Algebras Akra_Bazzi Algebraic_Numbers Algebraic_VCs Allen_Calculus Amortized_Complexity AnselmGod Applicative_Lifting Architectural_Design_Patterns ArrowImpossibilityGS AutoFocus-Stream Automatic_Refinement AxiomaticCategoryTheory BDD BNF_Operations Bell_Numbers_Spivey Berlekamp_Zassenhaus Bernoulli Bertrands_Postulate BinarySearchTree Binding_Syntax_Theory Binomial-Heaps Binomial-Queues BNF_CC Bondy Boolean_Expression_Checkers Bounded_Deducibility_Security Buchi_Complementation Budan_Fourier Buffons_Needle Buildings BytecodeLogicJmlTypes CAVA_Automata CAVA_LTL_Modelchecker CCS CISC-Kernel CRDT CYK CakeML Call_Arity Card_Equiv_Relations Card_Multisets Card_Number_Partitions Card_Partitions Cartan_FP Case_Labeling Catalan_Numbers Category Category2 Category3 Cauchy Cayley_Hamilton Certification_Monads Chord_Segments Circus ClockSynchInst CofGroups Coinductive Coinductive_Languages Collections Comparison_Sort_Lower_Bound Compiling-Exceptions-Correctly Completeness +Complete_Non_Orders Complx ComponentDependencies ConcurrentGC ConcurrentIMP Concurrent_Ref_Alg Concurrent_Revisions Consensus_Refined Constructive_Cryptography Constructor_Funs Containers CoreC++ Core_DOM Count_Complex_Roots CryptHOL CryptoBasedCompositionalProperties DFS_Framework DPT-SAT-Solver DataRefinementIBP Datatype_Order_Generator Decl_Sem_Fun_PL Decreasing-Diagrams Decreasing-Diagrams-II Deep_Learning Density_Compiler Dependent_SIFUM_Refinement Dependent_SIFUM_Type_Systems Depth-First-Search Derangements Deriving Descartes_Sign_Rule Dict_Construction Differential_Dynamic_Logic +Differential_Game_Logic Dijkstra_Shortest_Path Diophantine_Eqns_Lin_Hom Dirichlet_L Dirichlet_Series Discrete_Summation DiscretePricing DiskPaxos DynamicArchitectures Dynamic_Tables E_Transcendental Echelon_Form EdmondsKarp_Maxflow Efficient-Mergesort Elliptic_Curves_Group_Law Encodability_Process_Calculi Epistemic_Logic Ergodic_Theory Error_Function Euler_MacLaurin Euler_Partition Example-Submission Factored_Transition_System_Bounding Farkas FFT FLP FOL-Fitting FOL_Harrison Falling_Factorial_Sum FeatherweightJava Featherweight_OCL Fermat3_4 FileRefinement FinFun Finger-Trees Finite_Automata_HF First_Order_Terms First_Welfare_Theorem Fishburn_Impossibility Fisher_Yates Flow_Networks Floyd_Warshall Flyspeck-Tame FocusStreamsCaseStudies Formal_SSA Formula_Derivatives Free-Boolean-Algebra Free-Groups FunWithFunctions FunWithTilings Functional-Automata Functional_Ordered_Resolution_Prover GPU_Kernel_PL Gabow_SCC Game_Based_Crypto Gauss-Jordan-Elim-Fun Gauss_Jordan GenClock General-Triangle Generic_Deriving GewirthPGCProof Girth_Chromatic GoedelGod GraphMarkingIBP Graph_Saturation Graph_Theory Green Groebner_Bases Groebner_Macaulay Gromov_Hyperbolicity Group-Ring-Module HOL-CSP HOLCF-Prelude HRB-Slicing Heard_Of HereditarilyFinite Hermite Hidden_Markov_Models Higher_Order_Terms Hoare_Time HotelKeyCards Huffman Hybrid_Multi_Lane_Spatial_Logic HyperCTL IEEE_Floating_Point IMAP-CRDT IMP2 IMP2_Binary_Heap IP_Addresses Imperative_Insertion_Sort Impossible_Geometry Incompleteness Incredible_Proof_Machine Inductive_Confidentiality InfPathElimination InformationFlowSlicing InformationFlowSlicing_Inter Integration Iptables_Semantics Irrationality_J_Hancl Isabelle_Meta_Model Jinja JinjaThreads JiveDataStoreModel Jordan_Hoelder Jordan_Normal_Form KAD KAT_and_DRA KBPs KD_Tree Key_Agreement_Strong_Adversaries Kleene_Algebra Knot_Theory Knuth_Morris_Pratt Koenigsberg_Friendship Kruskal Kuratowski_Closure_Complement LLL_Basis_Reduction LLL_Factorization LOFT LTL LTL_to_DRA LTL_to_GBA LTL_Master_Theorem Lam-ml-Normalization LambdaAuth LambdaMu Lambda_Free_KBOs Lambda_Free_RPOs Landau_Symbols Latin_Square LatticeProperties Lambda_Free_EPO Launchbury Lazy-Lists-II Lazy_Case Lehmer Lifting_Definition_Option LightweightJava LinearQuantifierElim Linear_Inequalities Linear_Recurrences Liouville_Numbers List-Index List-Infinite List_Interleaving List_Inversions List_Update LocalLexing Localization_Ring Locally-Nameless-Sigma Lowe_Ontological_Argument Lower_Semicontinuous Lp MFMC_Countable MSO_Regex_Equivalence Markov_Models Marriage Mason_Stothers Matrix Matrix_Tensor Matroids Max-Card-Matching Median_Of_Medians_Selection Menger +MFOTL_Monitor MiniML Minimal_SSA Minkowskis_Theorem Minsky_Machines Modal_Logics_for_NTS Modular_Assembly_Kit_Security Monad_Memo_DP Monad_Normalisation MonoBoolTranAlgebra MonoidalCategory Monomorphic_Monad MuchAdoAboutTwo Multirelations Multi_Party_Computation Myhill-Nerode Name_Carrying_Type_Inference Nat-Interval-Logic Native_Word Nested_Multisets_Ordinals Network_Security_Policy_Verification Neumann_Morgenstern_Utility No_FTL_observers Nominal2 Noninterference_CSP Noninterference_Concurrent_Composition Noninterference_Generic_Unwinding Noninterference_Inductive_Unwinding Noninterference_Ipurge_Unwinding Noninterference_Sequential_Composition NormByEval Nullstellensatz Octonions Open_Induction OpSets Optics Optimal_BST Orbit_Stabiliser Order_Lattice_Props Ordered_Resolution_Prover Ordinal Ordinals_and_Cardinals Ordinary_Differential_Equations PCF PLM Pell POPLmark-deBruijn PSemigroupsConvolution Pairing_Heap Paraconsistency Parity_Game Partial_Function_MR Partial_Order_Reduction Password_Authentication_Protocol Perfect-Number-Thm Perron_Frobenius Pi_Calculus Pi_Transcendental Planarity_Certificates Polynomial_Factorization Polynomial_Interpolation Polynomials Pop_Refinement Posix-Lexing Possibilistic_Noninterference Pratt_Certificate Presburger-Automata +Prim_Dijkstra_Simple Prime_Distribution_Elementary Prime_Harmonic_Series Prime_Number_Theorem Priority_Queue_Braun +Priority_Search_Trees Probabilistic_Noninterference Probabilistic_Prime_Tests Probabilistic_System_Zoo Probabilistic_Timed_Automata Probabilistic_While Projective_Geometry Program-Conflict-Analysis Promela Proof_Strategy_Language PropResPI Propositional_Proof_Systems Prpu_Maxflow PseudoHoops Psi_Calculi Ptolemys_Theorem QHLProver QR_Decomposition Quantales Quaternions Quick_Sort_Cost RIPEMD-160-SPARK ROBDD RSAPSS Ramsey-Infinite Random_BSTs Randomised_BSTs Random_Graph_Subgraph_Threshold Randomised_Social_Choice Rank_Nullity_Theorem Real_Impl Recursion-Theory-I Refine_Imperative_HOL Refine_Monadic RefinementReactive Regex_Equivalence Regular-Sets Regular_Algebras Relation_Algebra Rep_Fin_Groups Residuated_Lattices Resolution_FOL Rewriting_Z Ribbon_Proofs Robbins-Conjecture Root_Balanced_Tree Routing Roy_Floyd_Warshall Safe_OCL SATSolverVerification SDS_Impossibility SIFPL SIFUM_Type_Systems SPARCv8 Secondary_Sylow Security_Protocol_Refinement Selection_Heap_Sort SenSocialChoice Separata Separation_Algebra Separation_Logic_Imperative_HOL SequentInvertibility Shivers-CFA ShortestPath Show Signature_Groebner Simpl Simple_Firewall Simplex Skew_Heap Slicing Smooth_Manifolds Sort_Encodings Source_Coding_Theorem Special_Function_Bounds Splay_Tree Sqrt_Babylonian Stable_Matching Statecharts Stern_Brocot Stewart_Apollonius Stirling_Formula Stochastic_Matrices Stone_Algebras Stone_Kleene_Relation_Algebras Stone_Relation_Algebras Store_Buffer_Reduction Stream-Fusion Stream_Fusion_Code Strong_Security Sturm_Sequences Sturm_Tarski Stuttering_Equivalence Subresultants SumSquares SuperCalc Surprise_Paradox Symmetric_Polynomials TLA Tail_Recursive_Functions Tarskis_Geometry Taylor_Models Timed_Automata Topology TortoiseHare Transcendence_Series_Hancl_Rucki Transformer_Semantics Transition_Systems_and_Automata Transitive-Closure Transitive-Closure-II Treaps Tree-Automata Tree_Decomposition Triangle Trie Twelvefold_Way Tycon Types_Tableaus_and_Goedels_God Universal_Turing_Machine UPF UPF_Firewall UpDown_Scheme UTP Valuation VectorSpace Verified-Prover VerifyThis2018 Vickrey_Clarke_Groves VolpanoSmith WHATandWHERE_Security WebAssembly Weight_Balanced_Trees Well_Quasi_Orders Winding_Number_Eval Word_Lib WorkerWrapper XML Zeta_Function pGCL diff --git a/web/entries/AVL-Trees.html b/web/entries/AVL-Trees.html --- a/web/entries/AVL-Trees.html +++ b/web/entries/AVL-Trees.html @@ -1,277 +1,277 @@ AVL Trees - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

AVL Trees

 

Title: AVL Trees
Authors: - Tobias Nipkow and + Tobias Nipkow and Cornelia Pusch
Submission date: 2004-03-19
Abstract: Two formalizations of AVL trees with room for extensions. The first formalization is monolithic and shorter, the second one in two stages, longer and a bit simpler. The final implementation is the same. If you are interested in developing this further, please contact gerwin.klein@nicta.com.au.
Change history: [2011-04-11]: Ondrej Kuncar added delete function
BibTeX: 
@article{AVL-Trees-AFP,
   author  = {Tobias Nipkow and Cornelia Pusch},
   title   = {AVL Trees},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2004,
   note    = {\url{http://isa-afp.org/entries/AVL-Trees.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Abs_Int_ITP2012.html b/web/entries/Abs_Int_ITP2012.html --- a/web/entries/Abs_Int_ITP2012.html +++ b/web/entries/Abs_Int_ITP2012.html @@ -1,200 +1,200 @@ Abstract Interpretation of Annotated Commands - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Abstract Interpretation of Annotated Commands

 

Title: Abstract Interpretation of Annotated Commands
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2016-11-23
Abstract: This is the Isabelle formalization of the material decribed in the eponymous ITP 2012 paper. It develops a generic abstract interpreter for a while-language, including widening and narrowing. The collecting semantics and the abstract interpreter operate on annotated commands: the program is represented as a syntax tree with the semantic information directly embedded, without auxiliary labels. The aim of the formalization is simplicity, not efficiency or precision. This is motivated by the inclusion of the material in a theorem prover based course on semantics. A similar (but more polished) development is covered in the book Concrete Semantics.
BibTeX: 
@article{Abs_Int_ITP2012-AFP,
   author  = {Tobias Nipkow},
   title   = {Abstract Interpretation of Annotated Commands},
   journal = {Archive of Formal Proofs},
   month   = nov,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Abs_Int_ITP2012.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Abstract-Hoare-Logics.html b/web/entries/Abstract-Hoare-Logics.html --- a/web/entries/Abstract-Hoare-Logics.html +++ b/web/entries/Abstract-Hoare-Logics.html @@ -1,254 +1,254 @@ Abstract Hoare Logics - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Abstract Hoare Logics

 

Title: Abstract Hoare Logics
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2006-08-08
Abstract: These therories describe Hoare logics for a number of imperative language constructs, from while-loops to mutually recursive procedures. Both partial and total correctness are treated. In particular a proof system for total correctness of recursive procedures in the presence of unbounded nondeterminism is presented.
BibTeX: 
@article{Abstract-Hoare-Logics-AFP,
   author  = {Tobias Nipkow},
   title   = {Abstract Hoare Logics},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2006,
   note    = {\url{http://isa-afp.org/entries/Abstract-Hoare-Logics.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Algebraic_Numbers.html b/web/entries/Algebraic_Numbers.html --- a/web/entries/Algebraic_Numbers.html +++ b/web/entries/Algebraic_Numbers.html @@ -1,210 +1,210 @@ Algebraic Numbers in Isabelle/HOL - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Algebraic Numbers in Isabelle/HOL

 

Title: Algebraic Numbers in Isabelle/HOL
Authors: René Thiemann, - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) and + Akihisa Yamada and Sebastiaan Joosten
Submission date: 2015-12-22
Abstract: Based on existing libraries for matrices, factorization of rational polynomials, and Sturm's theorem, we formalized algebraic numbers in Isabelle/HOL. Our development serves as an implementation for real and complex numbers, and it admits to compute roots and completely factorize real and complex polynomials, provided that all coefficients are rational numbers. Moreover, we provide two implementations to display algebraic numbers, an injective and expensive one, or a faster but approximative version.

To this end, we mechanized several results on resultants, which also required us to prove that polynomials over a unique factorization domain form again a unique factorization domain.

Change history: [2016-01-29]: Split off Polynomial Interpolation and Polynomial Factorization
[2017-04-16]: Use certified Berlekamp-Zassenhaus factorization, use subresultant algorithm for computing resultants, improved bisection algorithm
BibTeX: 
@article{Algebraic_Numbers-AFP,
   author  = {René Thiemann and Akihisa Yamada and Sebastiaan Joosten},
   title   = {Algebraic Numbers in Isabelle/HOL},
   journal = {Archive of Formal Proofs},
   month   = dec,
   year    = 2015,
   note    = {\url{http://isa-afp.org/entries/Algebraic_Numbers.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Berlekamp_Zassenhaus, Sturm_Sequences
Used by: Linear_Recurrences, LLL_Basis_Reduction

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Amortized_Complexity.html b/web/entries/Amortized_Complexity.html --- a/web/entries/Amortized_Complexity.html +++ b/web/entries/Amortized_Complexity.html @@ -1,229 +1,229 @@ Amortized Complexity Verified - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Amortized Complexity Verified

 

Title: Amortized Complexity Verified
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-07-07
Abstract: A framework for the analysis of the amortized complexity of functional data structures is formalized in Isabelle/HOL and applied to a number of standard examples and to the folowing non-trivial ones: skew heaps, splay trees, splay heaps and pairing heaps.

A preliminary version of this work (without pairing heaps) is described in a paper published in the proceedings of the conference on Interactive Theorem Proving ITP 2015. An extended version of this publication is available here.
Change history: [2015-03-17]: Added pairing heaps by Hauke Brinkop.
[2016-07-12]: Moved splay heaps from here to Splay_Tree
[2016-07-14]: Moved pairing heaps from here to the new Pairing_Heap
BibTeX: 
@article{Amortized_Complexity-AFP,
   author  = {Tobias Nipkow},
   title   = {Amortized Complexity Verified},
   journal = {Archive of Formal Proofs},
   month   = jul,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Amortized_Complexity.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Pairing_Heap, Skew_Heap, Splay_Tree
Used by: Dynamic_Tables, Root_Balanced_Tree

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/ArrowImpossibilityGS.html b/web/entries/ArrowImpossibilityGS.html --- a/web/entries/ArrowImpossibilityGS.html +++ b/web/entries/ArrowImpossibilityGS.html @@ -1,254 +1,254 @@ Arrow and Gibbard-Satterthwaite - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Arrow and Gibbard-Satterthwaite

 

Title: Arrow and Gibbard-Satterthwaite
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2008-09-01
Abstract: This article formalizes two proofs of Arrow's impossibility theorem due to Geanakoplos and derives the Gibbard-Satterthwaite theorem as a corollary. One formalization is based on utility functions, the other one on strict partial orders.

An article about these proofs is found here.
BibTeX: 
@article{ArrowImpossibilityGS-AFP,
   author  = {Tobias Nipkow},
   title   = {Arrow and Gibbard-Satterthwaite},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2008,
   note    = {\url{http://isa-afp.org/entries/ArrowImpossibilityGS.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Berlekamp_Zassenhaus.html b/web/entries/Berlekamp_Zassenhaus.html --- a/web/entries/Berlekamp_Zassenhaus.html +++ b/web/entries/Berlekamp_Zassenhaus.html @@ -1,220 +1,220 @@ The Factorization Algorithm of Berlekamp and Zassenhaus - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

The Factorization Algorithm of Berlekamp and Zassenhaus

 

Title: The Factorization Algorithm of Berlekamp and Zassenhaus
Authors: Jose Divasón, Sebastiaan Joosten, René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2016-10-14
Abstract:

We formalize the Berlekamp-Zassenhaus algorithm for factoring square-free integer polynomials in Isabelle/HOL. We further adapt an existing formalization of Yun’s square-free factorization algorithm to integer polynomials, and thus provide an efficient and certified factorization algorithm for arbitrary univariate polynomials.

The algorithm first performs a factorization in the prime field GF(p) and then performs computations in the integer ring modulo p^k, where both p and k are determined at runtime. Since a natural modeling of these structures via dependent types is not possible in Isabelle/HOL, we formalize the whole algorithm using Isabelle’s recent addition of local type definitions.

Through experiments we verify that our algorithm factors polynomials of degree 100 within seconds.

BibTeX: 
@article{Berlekamp_Zassenhaus-AFP,
   author  = {Jose Divasón and Sebastiaan Joosten and René Thiemann and Akihisa Yamada},
   title   = {The Factorization Algorithm of Berlekamp and Zassenhaus},
   journal = {Archive of Formal Proofs},
   month   = oct,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Berlekamp_Zassenhaus.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Efficient-Mergesort, Polynomial_Factorization, Polynomial_Interpolation, Show, Subresultants
Used by: Algebraic_Numbers, Linear_Recurrences, LLL_Basis_Reduction, Probabilistic_While

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Boolean_Expression_Checkers.html b/web/entries/Boolean_Expression_Checkers.html --- a/web/entries/Boolean_Expression_Checkers.html +++ b/web/entries/Boolean_Expression_Checkers.html @@ -1,214 +1,214 @@ Boolean Expression Checkers - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Boolean Expression Checkers

 

Title: Boolean Expression Checkers
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-06-08
Abstract: This entry provides executable checkers for the following properties of boolean expressions: satisfiability, tautology and equivalence. Internally, the checkers operate on binary decision trees and are reasonably efficient (for purely functional algorithms).
Change history: [2015-09-23]: Salomon Sickert added an interface that does not require the usage of the Boolean formula datatype. Furthermore the general Mapping type is used instead of an association list.
BibTeX: 
@article{Boolean_Expression_Checkers-AFP,
   author  = {Tobias Nipkow},
   title   = {Boolean Expression Checkers},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Boolean_Expression_Checkers.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: LTL, LTL_to_DRA

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/CAVA_LTL_Modelchecker.html b/web/entries/CAVA_LTL_Modelchecker.html --- a/web/entries/CAVA_LTL_Modelchecker.html +++ b/web/entries/CAVA_LTL_Modelchecker.html @@ -1,240 +1,240 @@ A Fully Verified Executable LTL Model Checker - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

A Fully Verified Executable LTL Model Checker

 

Title: A Fully Verified Executable LTL Model Checker
Authors: Javier Esparza, Peter Lammich, René Neumann (rene /dot/ neumann /at/ in /dot/ tum /dot/ de), - Tobias Nipkow, + Tobias Nipkow, Alexander Schimpf (schimpfa /at/ informatik /dot/ uni-freiburg /dot/ de) and Jan-Georg Smaus
Submission date: 2014-05-28
Abstract: We present an LTL model checker whose code has been completely verified using the Isabelle theorem prover. The checker consists of over 4000 lines of ML code. The code is produced using the Isabelle Refinement Framework, which allows us to split its correctness proof into (1) the proof of an abstract version of the checker, consisting of a few hundred lines of ``formalized pseudocode'', and (2) a verified refinement step in which mathematical sets and other abstract structures are replaced by implementations of efficient structures like red-black trees and functional arrays. This leads to a checker that, while still slower than unverified checkers, can already be used as a trusted reference implementation against which advanced implementations can be tested.

An early version of this model checker is described in the CAV 2013 paper with the same title.
BibTeX: 
@article{CAVA_LTL_Modelchecker-AFP,
   author  = {Javier Esparza and Peter Lammich and René Neumann and Tobias Nipkow and Alexander Schimpf and Jan-Georg Smaus},
   title   = {A Fully Verified Executable LTL Model Checker},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/CAVA_LTL_Modelchecker.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: CAVA_Automata, DFS_Framework, Gabow_SCC, LTL_to_GBA, Partial_Order_Reduction, Promela

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Compiling-Exceptions-Correctly.html b/web/entries/Compiling-Exceptions-Correctly.html --- a/web/entries/Compiling-Exceptions-Correctly.html +++ b/web/entries/Compiling-Exceptions-Correctly.html @@ -1,264 +1,264 @@ Compiling Exceptions Correctly - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Compiling Exceptions Correctly

 

Title: Compiling Exceptions Correctly
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2004-07-09
Abstract: An exception compilation scheme that dynamically creates and removes exception handler entries on the stack. A formalization of an article of the same name by Hutton and Wright.
BibTeX: 
@article{Compiling-Exceptions-Correctly-AFP,
   author  = {Tobias Nipkow},
   title   = {Compiling Exceptions Correctly},
   journal = {Archive of Formal Proofs},
   month   = jul,
   year    = 2004,
   note    = {\url{http://isa-afp.org/entries/Compiling-Exceptions-Correctly.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Complete_Non_Orders.html b/web/entries/Complete_Non_Orders.html new file mode 100644 --- /dev/null +++ b/web/entries/Complete_Non_Orders.html @@ -0,0 +1,186 @@ + + + + +Complete Non-Orders and Fixed Points - Archive of Formal Proofs + + + + + + + + + + + + + + + + + + + + + +
+

 

+ + + +

 

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download
+

 

+

 

+		 +
+

 

+

Complete + + Non-Orders + + and + + Fixed + + Points + +

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Title:Complete Non-Orders and Fixed Points
+ Authors: + + Akihisa Yamada and + Jérémy Dubut +
Submission date:2019-06-27
Abstract: +We develop an Isabelle/HOL library of order-theoretic concepts, such +as various completeness conditions and fixed-point theorems. We keep +our formalization as general as possible: we reprove several +well-known results about complete orders, often without any properties +of ordering, thus complete non-orders. In particular, we generalize +the Knaster–Tarski theorem so that we ensure the existence of a +quasi-fixed point of monotone maps over complete non-orders, and show +that the set of quasi-fixed points is complete under a mild +condition—attractivity—which is implied by either antisymmetry or +transitivity. This result generalizes and strengthens a result by +Stauti and Maaden. Finally, we recover Kleene’s fixed-point theorem +for omega-complete non-orders, again using attractivity to prove that +Kleene’s fixed points are least quasi-fixed points.
BibTeX: + 
@article{Complete_Non_Orders-AFP,
+  author  = {Akihisa Yamada and Jérémy Dubut},
+  title   = {Complete Non-Orders and Fixed Points},
+  journal = {Archive of Formal Proofs},
+  month   = jun,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/Complete_Non_Orders.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
License:BSD License
+ +

+ + + + + + + + + + + + + + + + +
+ Proof outline
+ Proof document +
+ Browse theories +
+ Download this entry +
Older releases: + None +
+ +
+
+ + + + + + \ No newline at end of file diff --git a/web/entries/Containers.html b/web/entries/Containers.html --- a/web/entries/Containers.html +++ b/web/entries/Containers.html @@ -1,240 +1,240 @@ Light-weight Containers - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Light-weight Containers

 

- +
Title: Light-weight Containers
Author: Andreas Lochbihler
Contributor: René Thiemann (rene /dot/ thiemann /at/ uibk /dot/ ac /dot/ at)
Submission date: 2013-04-15
Abstract: This development provides a framework for container types like sets and maps such that generated code implements these containers with different (efficient) data structures. Thanks to type classes and refinement during code generation, this light-weight approach can seamlessly replace Isabelle's default setup for code generation. Heuristics automatically pick one of the available data structures depending on the type of elements to be stored, but users can also choose on their own. The extensible design permits to add more implementations at any time.

To support arbitrary nesting of sets, we define a linear order on sets based on a linear order of the elements and provide efficient implementations. It even allows to compare complements with non-complements.
Change history: [2013-07-11]: add pretty printing for sets (revision 7f3f52c5f5fa)
[2013-09-20]: provide generators for canonical type class instantiations (revision 159f4401f4a8 by René Thiemann)
[2014-07-08]: add support for going from partial functions to mappings (revision 7a6fc957e8ed)
[2018-03-05]: add two application examples: depth-first search and 2SAT (revision e5e1a1da2411)
BibTeX: 
@article{Containers-AFP,
   author  = {Andreas Lochbihler},
   title   = {Light-weight Containers},
   journal = {Archive of Formal Proofs},
   month   = apr,
   year    = 2013,
   note    = {\url{http://isa-afp.org/entries/Containers.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Automatic_Refinement, Collections, Deriving, Finger-Trees, Regular-Sets, Trie
Used by:Collections, Polynomial_Factorization
Collections, MFOTL_Monitor, Polynomial_Factorization

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Density_Compiler.html b/web/entries/Density_Compiler.html --- a/web/entries/Density_Compiler.html +++ b/web/entries/Density_Compiler.html @@ -1,230 +1,230 @@ A Verified Compiler for Probability Density Functions - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

A Verified Compiler for Probability Density Functions

 

Title: A Verified Compiler for Probability Density Functions
Authors: Manuel Eberl, Johannes Hölzl and - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-10-09
Abstract: Bhat et al. [TACAS 2013] developed an inductive compiler that computes density functions for probability spaces described by programs in a probabilistic functional language. In this work, we implement such a compiler for a modified version of this language within the theorem prover Isabelle and give a formal proof of its soundness w.r.t. the semantics of the source and target language. Together with Isabelle's code generation for inductive predicates, this yields a fully verified, executable density compiler. The proof is done in two steps: First, an abstract compiler working with abstract functions modelled directly in the theorem prover's logic is defined and proved sound. Then, this compiler is refined to a concrete version that returns a target-language expression.

An article with the same title and authors is published in the proceedings of ESOP 2015. A detailed presentation of this work can be found in the first author's master's thesis.
BibTeX: 
@article{Density_Compiler-AFP,
   author  = {Manuel Eberl and Johannes Hölzl and Tobias Nipkow},
   title   = {A Verified Compiler for Probability Density Functions},
   journal = {Archive of Formal Proofs},
   month   = oct,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Density_Compiler.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Deriving.html b/web/entries/Deriving.html --- a/web/entries/Deriving.html +++ b/web/entries/Deriving.html @@ -1,216 +1,216 @@ Deriving class instances for datatypes - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Deriving class instances for datatypes

 

- +
Title: Deriving class instances for datatypes
Authors: Christian Sternagel (c /dot/ sternagel /at/ gmail /dot/ com) and René Thiemann
Submission date: 2015-03-11
Abstract:

We provide a framework for registering automatic methods to derive class instances of datatypes, as it is possible using Haskell's ``deriving Ord, Show, ...'' feature.

We further implemented such automatic methods to derive comparators, linear orders, parametrizable equality functions, and hash-functions which are required in the Isabelle Collection Framework and the Container Framework. Moreover, for the tactic of Blanchette to show that a datatype is countable, we implemented a wrapper so that this tactic becomes accessible in our framework. All of the generators are based on the infrastructure that is provided by the BNF-based datatype package.

Our formalization was performed as part of the IsaFoR/CeTA project. With our new tactics we could remove several tedious proofs for (conditional) linear orders, and conditional equality operators within IsaFoR and the Container Framework.
BibTeX: 
@article{Deriving-AFP,
   author  = {Christian Sternagel and René Thiemann},
   title   = {Deriving class instances for datatypes},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2015,
   note    = {\url{http://isa-afp.org/entries/Deriving.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on:Collections
Collections, Native_Word
Used by: Affine_Arithmetic, CAVA_Automata, Containers, Datatype_Order_Generator, Formula_Derivatives, Groebner_Bases, MSO_Regex_Equivalence, Ordinary_Differential_Equations, Real_Impl, Show

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Differential_Game_Logic.html b/web/entries/Differential_Game_Logic.html new file mode 100644 --- /dev/null +++ b/web/entries/Differential_Game_Logic.html @@ -0,0 +1,181 @@ + + + + +Differential Game Logic - Archive of Formal Proofs + + + + + + + + + + + + + + + + + + + + + +
+

 

+ + + +

 

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download
+

 

+

 

+		 +
+

 

+

Differential + + Game + + Logic + +

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Title:Differential Game Logic
+ Author: + + André Platzer +
Submission date:2019-06-03
Abstract: +This formalization provides differential game logic (dGL), a logic for +proving properties of hybrid game. In addition to the syntax and +semantics, it formalizes a uniform substitution calculus for dGL. +Church's uniform substitutions substitute a term or formula for a +function or predicate symbol everywhere. The uniform substitutions for +dGL also substitute hybrid games for a game symbol everywhere. We +prove soundness of one-pass uniform substitutions and the axioms of +differential game logic with respect to their denotational semantics. +One-pass uniform substitutions are faster by postponing +soundness-critical admissibility checks with a linear pass homomorphic +application and regain soundness by a variable condition at the +replacements. The formalization is based on prior non-mechanized +soundness proofs for dGL.
BibTeX: + 
@article{Differential_Game_Logic-AFP,
+  author  = {André Platzer},
+  title   = {Differential Game Logic},
+  journal = {Archive of Formal Proofs},
+  month   = jun,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/Differential_Game_Logic.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
License:BSD License
+ +

+ + + + + + + + + + + + + + + + +
+ Proof outline
+ Proof document +
+ Browse theories +
+ Download this entry +
Older releases: + None +
+ +
+
+ + + + + + \ No newline at end of file diff --git a/web/entries/Dynamic_Tables.html b/web/entries/Dynamic_Tables.html --- a/web/entries/Dynamic_Tables.html +++ b/web/entries/Dynamic_Tables.html @@ -1,207 +1,207 @@ Parameterized Dynamic Tables - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Parameterized Dynamic Tables

 

Title: Parameterized Dynamic Tables
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2015-06-07
Abstract: This article formalizes the amortized analysis of dynamic tables parameterized with their minimal and maximal load factors and the expansion and contraction factors.

A full description is found in a companion paper.
BibTeX: 
@article{Dynamic_Tables-AFP,
   author  = {Tobias Nipkow},
   title   = {Parameterized Dynamic Tables},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2015,
   note    = {\url{http://isa-afp.org/entries/Dynamic_Tables.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Amortized_Complexity

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Flyspeck-Tame.html b/web/entries/Flyspeck-Tame.html --- a/web/entries/Flyspeck-Tame.html +++ b/web/entries/Flyspeck-Tame.html @@ -1,281 +1,281 @@ Flyspeck I: Tame Graphs - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Flyspeck I: Tame Graphs

 

Title: Flyspeck I: Tame Graphs
Authors: Gertrud Bauer and - Tobias Nipkow + Tobias Nipkow
Submission date: 2006-05-22
Abstract: These theories present the verified enumeration of tame plane graphs as defined by Thomas C. Hales in his proof of the Kepler Conjecture in his book Dense Sphere Packings. A Blueprint for Formal Proofs. [CUP 2012]. The values of the constants in the definition of tameness are identical to those in the Flyspeck project. The IJCAR 2006 paper by Nipkow, Bauer and Schultz refers to the original version of Hales' proof, the ITP 2011 paper by Nipkow refers to the Blueprint version of the proof.
Change history: [2010-11-02]: modified theories to reflect the modified definition of tameness in Hales' revised proof.
[2014-07-03]: modified constants in def of tameness and Archive according to the final state of the Flyspeck proof.
BibTeX: 
@article{Flyspeck-Tame-AFP,
   author  = {Gertrud Bauer and Tobias Nipkow},
   title   = {Flyspeck I: Tame Graphs},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2006,
   note    = {\url{http://isa-afp.org/entries/Flyspeck-Tame.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Trie

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/FunWithFunctions.html b/web/entries/FunWithFunctions.html --- a/web/entries/FunWithFunctions.html +++ b/web/entries/FunWithFunctions.html @@ -1,244 +1,244 @@ Fun With Functions - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Fun With Functions

 

Title: Fun With Functions
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2008-08-26
Abstract: This is a collection of cute puzzles of the form ``Show that if a function satisfies the following constraints, it must be ...'' Please add further examples to this collection!
BibTeX: 
@article{FunWithFunctions-AFP,
   author  = {Tobias Nipkow},
   title   = {Fun With Functions},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2008,
   note    = {\url{http://isa-afp.org/entries/FunWithFunctions.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/FunWithTilings.html b/web/entries/FunWithTilings.html --- a/web/entries/FunWithTilings.html +++ b/web/entries/FunWithTilings.html @@ -1,245 +1,245 @@ Fun With Tilings - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Fun With Tilings

 

Title: Fun With Tilings
Authors: - Tobias Nipkow and + Tobias Nipkow and Lawrence C. Paulson
Submission date: 2008-11-07
Abstract: Tilings are defined inductively. It is shown that one form of mutilated chess board cannot be tiled with dominoes, while another one can be tiled with L-shaped tiles. Please add further fun examples of this kind!
BibTeX: 
@article{FunWithTilings-AFP,
   author  = {Tobias Nipkow and Lawrence C. Paulson},
   title   = {Fun With Tilings},
   journal = {Archive of Formal Proofs},
   month   = nov,
   year    = 2008,
   note    = {\url{http://isa-afp.org/entries/FunWithTilings.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Functional-Automata.html b/web/entries/Functional-Automata.html --- a/web/entries/Functional-Automata.html +++ b/web/entries/Functional-Automata.html @@ -1,279 +1,279 @@ Functional Automata - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Functional Automata

 

Title: Functional Automata
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2004-03-30
Abstract: This theory defines deterministic and nondeterministic automata in a functional representation: the transition function/relation and the finality predicate are just functions. Hence the state space may be infinite. It is shown how to convert regular expressions into such automata. A scanner (generator) is implemented with the help of functional automata: the scanner chops the input up into longest recognized substrings. Finally we also show how to convert a certain subclass of functional automata (essentially the finite deterministic ones) into regular sets.
BibTeX: 
@article{Functional-Automata-AFP,
   author  = {Tobias Nipkow},
   title   = {Functional Automata},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2004,
   note    = {\url{http://isa-afp.org/entries/Functional-Automata.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Regular-Sets

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Gauss-Jordan-Elim-Fun.html b/web/entries/Gauss-Jordan-Elim-Fun.html --- a/web/entries/Gauss-Jordan-Elim-Fun.html +++ b/web/entries/Gauss-Jordan-Elim-Fun.html @@ -1,239 +1,239 @@ Gauss-Jordan Elimination for Matrices Represented as Functions - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Gauss-Jordan Elimination for Matrices Represented as Functions

 

Title: Gauss-Jordan Elimination for Matrices Represented as Functions
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2011-08-19
Abstract: This theory provides a compact formulation of Gauss-Jordan elimination for matrices represented as functions. Its distinctive feature is succinctness. It is not meant for large computations.
BibTeX: 
@article{Gauss-Jordan-Elim-Fun-AFP,
   author  = {Tobias Nipkow},
   title   = {Gauss-Jordan Elimination for Matrices Represented as Functions},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2011,
   note    = {\url{http://isa-afp.org/entries/Gauss-Jordan-Elim-Fun.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Markov_Models

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Hoare_Time.html b/web/entries/Hoare_Time.html --- a/web/entries/Hoare_Time.html +++ b/web/entries/Hoare_Time.html @@ -1,197 +1,197 @@ Hoare Logics for Time Bounds - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Hoare Logics for Time Bounds

 

Title: Hoare Logics for Time Bounds
Authors: Maximilian P. L. Haslbeck and - Tobias Nipkow + Tobias Nipkow
Submission date: 2018-02-26
Abstract: We study three different Hoare logics for reasoning about time bounds of imperative programs and formalize them in Isabelle/HOL: a classical Hoare like logic due to Nielson, a logic with potentials due to Carbonneaux et al. and a separation logic following work by Atkey, Chaguérand and Pottier. These logics are formally shown to be sound and complete. Verification condition generators are developed and are shown sound and complete too. We also consider variants of the systems where we abstract from multiplicative constants in the running time bounds, thus supporting a big-O style of reasoning. Finally we compare the expressive power of the three systems.
BibTeX: 
@article{Hoare_Time-AFP,
   author  = {Maximilian P. L. Haslbeck and Tobias Nipkow},
   title   = {Hoare Logics for Time Bounds},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Hoare_Time.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Separation_Algebra

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/HotelKeyCards.html b/web/entries/HotelKeyCards.html --- a/web/entries/HotelKeyCards.html +++ b/web/entries/HotelKeyCards.html @@ -1,256 +1,256 @@ Hotel Key Card System - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Hotel Key Card System

 

Title: Hotel Key Card System
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2006-09-09
Abstract: Two models of an electronic hotel key card system are contrasted: a state based and a trace based one. Both are defined, verified, and proved equivalent in the theorem prover Isabelle/HOL. It is shown that if a guest follows a certain safety policy regarding her key cards, she can be sure that nobody but her can enter her room.
BibTeX: 
@article{HotelKeyCards-AFP,
   author  = {Tobias Nipkow},
   title   = {Hotel Key Card System},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2006,
   note    = {\url{http://isa-afp.org/entries/HotelKeyCards.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Jinja.html b/web/entries/Jinja.html --- a/web/entries/Jinja.html +++ b/web/entries/Jinja.html @@ -1,271 +1,271 @@ Jinja is not Java - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Jinja is not Java

 

Title: Jinja is not Java
Authors: Gerwin Klein and - Tobias Nipkow + Tobias Nipkow
Submission date: 2005-06-01
Abstract: We introduce Jinja, a Java-like programming language with a formal semantics designed to exhibit core features of the Java language architecture. Jinja is a compromise between realism of the language and tractability and clarity of the formal semantics. The following aspects are formalised: a big and a small step operational semantics for Jinja and a proof of their equivalence; a type system and a definite initialisation analysis; a type safety proof of the small step semantics; a virtual machine (JVM), its operational semantics and its type system; a type safety proof for the JVM; a bytecode verifier, i.e. data flow analyser for the JVM; a correctness proof of the bytecode verifier w.r.t. the type system; a compiler and a proof that it preserves semantics and well-typedness. The emphasis of this work is not on particular language features but on providing a unified model of the source language, the virtual machine and the compiler. The whole development has been carried out in the theorem prover Isabelle/HOL.
BibTeX: 
@article{Jinja-AFP,
   author  = {Gerwin Klein and Tobias Nipkow},
   title   = {Jinja is not Java},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2005,
   note    = {\url{http://isa-afp.org/entries/Jinja.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: List-Index
Used by: HRB-Slicing, Slicing

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Jordan_Normal_Form.html b/web/entries/Jordan_Normal_Form.html --- a/web/entries/Jordan_Normal_Form.html +++ b/web/entries/Jordan_Normal_Form.html @@ -1,231 +1,231 @@ Matrices, Jordan Normal Forms, and Spectral Radius Theory - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Matrices, Jordan Normal Forms, and Spectral Radius Theory

 

Title: Matrices, Jordan Normal Forms, and Spectral Radius Theory
Authors: René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Contributor: Alexander Bentkamp (bentkamp /at/ gmail /dot/ com)
Submission date: 2015-08-21
Abstract:

Matrix interpretations are useful as measure functions in termination proving. In order to use these interpretations also for complexity analysis, the growth rate of matrix powers has to examined. Here, we formalized a central result of spectral radius theory, namely that the growth rate is polynomially bounded if and only if the spectral radius of a matrix is at most one.

To formally prove this result we first studied the growth rates of matrices in Jordan normal form, and prove the result that every complex matrix has a Jordan normal form using a constructive prove via Schur decomposition.

The whole development is based on a new abstract type for matrices, which is also executable by a suitable setup of the code generator. It completely subsumes our former AFP-entry on executable matrices, and its main advantage is its close connection to the HMA-representation which allowed us to easily adapt existing proofs on determinants.

All the results have been applied to improve CeTA, our certifier to validate termination and complexity proof certificates.

Change history: [2016-01-07]: Added Schur-decomposition, Gram-Schmidt orthogonalization, uniqueness of Jordan normal forms
[2018-04-17]: Integrated lemmas from deep-learning AFP-entry of Alexander Bentkamp
BibTeX: 
@article{Jordan_Normal_Form-AFP,
   author  = {René Thiemann and Akihisa Yamada},
   title   = {Matrices, Jordan Normal Forms, and Spectral Radius Theory},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2015,
   note    = {\url{http://isa-afp.org/entries/Jordan_Normal_Form.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Polynomial_Factorization
Used by: Deep_Learning, Farkas, Groebner_Bases, Perron_Frobenius, QHLProver, Stochastic_Matrices, Subresultants

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/LLL_Basis_Reduction.html b/web/entries/LLL_Basis_Reduction.html --- a/web/entries/LLL_Basis_Reduction.html +++ b/web/entries/LLL_Basis_Reduction.html @@ -1,213 +1,213 @@ A verified LLL algorithm - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

A verified LLL algorithm

 

Title: A verified LLL algorithm
Authors: Ralph Bottesch, Jose Divasón, Maximilian Haslbeck, Sebastiaan Joosten, René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2018-02-02
Abstract: The Lenstra-Lenstra-Lovász basis reduction algorithm, also known as LLL algorithm, is an algorithm to find a basis with short, nearly orthogonal vectors of an integer lattice. Thereby, it can also be seen as an approximation to solve the shortest vector problem (SVP), which is an NP-hard problem, where the approximation quality solely depends on the dimension of the lattice, but not the lattice itself. The algorithm also possesses many applications in diverse fields of computer science, from cryptanalysis to number theory, but it is specially well-known since it was used to implement the first polynomial-time algorithm to factor polynomials. In this work we present the first mechanized soundness proof of the LLL algorithm to compute short vectors in lattices. The formalization follows a textbook by von zur Gathen and Gerhard.
Change history: [2018-04-16]: Integrated formal complexity bounds (Haslbeck, Thiemann) [2018-05-25]: Integrated much faster LLL implementation based on integer arithmetic (Bottesch, Haslbeck, Thiemann)
BibTeX: 
@article{LLL_Basis_Reduction-AFP,
   author  = {Ralph Bottesch and Jose Divasón and Maximilian Haslbeck and Sebastiaan Joosten and René Thiemann and Akihisa Yamada},
   title   = {A verified LLL algorithm},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/LLL_Basis_Reduction.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Algebraic_Numbers, Berlekamp_Zassenhaus
Used by: Linear_Inequalities, LLL_Factorization

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/LLL_Factorization.html b/web/entries/LLL_Factorization.html --- a/web/entries/LLL_Factorization.html +++ b/web/entries/LLL_Factorization.html @@ -1,211 +1,211 @@ A verified factorization algorithm for integer polynomials with polynomial complexity - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

A verified factorization algorithm for integer polynomials with polynomial complexity

 

Title: A verified factorization algorithm for integer polynomials with polynomial complexity
Authors: Jose Divasón, Sebastiaan Joosten, René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2018-02-06
Abstract: Short vectors in lattices and factors of integer polynomials are related. Each factor of an integer polynomial belongs to a certain lattice. When factoring polynomials, the condition that we are looking for an irreducible polynomial means that we must look for a small element in a lattice, which can be done by a basis reduction algorithm. In this development we formalize this connection and thereby one main application of the LLL basis reduction algorithm: an algorithm to factor square-free integer polynomials which runs in polynomial time. The work is based on our previous Berlekamp–Zassenhaus development, where the exponential reconstruction phase has been replaced by the polynomial-time basis reduction algorithm. Thanks to this formalization we found a serious flaw in a textbook.
BibTeX: 
@article{LLL_Factorization-AFP,
   author  = {Jose Divasón and Sebastiaan Joosten and René Thiemann and Akihisa Yamada},
   title   = {A verified factorization algorithm for integer polynomials with polynomial complexity},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/LLL_Factorization.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: LLL_Basis_Reduction, Perron_Frobenius

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/LinearQuantifierElim.html b/web/entries/LinearQuantifierElim.html --- a/web/entries/LinearQuantifierElim.html +++ b/web/entries/LinearQuantifierElim.html @@ -1,273 +1,273 @@ Quantifier Elimination for Linear Arithmetic - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Quantifier Elimination for Linear Arithmetic

 

Title: Quantifier Elimination for Linear Arithmetic
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2008-01-11
Abstract: This article formalizes quantifier elimination procedures for dense linear orders, linear real arithmetic and Presburger arithmetic. In each case both a DNF-based non-elementary algorithm and one or more (doubly) exponential NNF-based algorithms are formalized, including the well-known algorithms by Ferrante and Rackoff and by Cooper. The NNF-based algorithms for dense linear orders are new but based on Ferrante and Rackoff and on an algorithm by Loos and Weisspfenning which simulates infenitesimals. All algorithms are directly executable. In particular, they yield reflective quantifier elimination procedures for HOL itself. The formalization makes heavy use of locales and is therefore highly modular.
BibTeX: 
@article{LinearQuantifierElim-AFP,
   author  = {Tobias Nipkow},
   title   = {Quantifier Elimination for Linear Arithmetic},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2008,
   note    = {\url{http://isa-afp.org/entries/LinearQuantifierElim.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/List-Index.html b/web/entries/List-Index.html --- a/web/entries/List-Index.html +++ b/web/entries/List-Index.html @@ -1,239 +1,239 @@ List Index - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

List Index

 

Title: List Index
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2010-02-20
Abstract: This theory provides functions for finding the index of an element in a list, by predicate and by value.
BibTeX: 
@article{List-Index-AFP,
   author  = {Tobias Nipkow},
   title   = {List Index},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2010,
   note    = {\url{http://isa-afp.org/entries/List-Index.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Affine_Arithmetic, Comparison_Sort_Lower_Bound, Formula_Derivatives, Higher_Order_Terms, Jinja, List_Update, LTL_to_DRA, MSO_Regex_Equivalence, Nested_Multisets_Ordinals, Ordinary_Differential_Equations, Planarity_Certificates, Quick_Sort_Cost, Randomised_Social_Choice, Refine_Imperative_HOL

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/List_Update.html b/web/entries/List_Update.html --- a/web/entries/List_Update.html +++ b/web/entries/List_Update.html @@ -1,216 +1,216 @@ Analysis of List Update Algorithms - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Analysis of List Update Algorithms

 

Title: Analysis of List Update Algorithms
Authors: Maximilian P.L. Haslbeck and - Tobias Nipkow + Tobias Nipkow
Submission date: 2016-02-17
Abstract:

These theories formalize the quantitative analysis of a number of classical algorithms for the list update problem: 2-competitiveness of move-to-front, the lower bound of 2 for the competitiveness of deterministic list update algorithms and 1.6-competitiveness of the randomized COMB algorithm, the best randomized list update algorithm known to date. The material is based on the first two chapters of Online Computation and Competitive Analysis by Borodin and El-Yaniv.

For an informal description see the FSTTCS 2016 publication Verified Analysis of List Update Algorithms by Haslbeck and Nipkow.

BibTeX: 
@article{List_Update-AFP,
   author  = {Maximilian P.L. Haslbeck and Tobias Nipkow},
   title   = {Analysis of List Update Algorithms},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/List_Update.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: List-Index, Regular-Sets

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/MFOTL_Monitor.html b/web/entries/MFOTL_Monitor.html new file mode 100644 --- /dev/null +++ b/web/entries/MFOTL_Monitor.html @@ -0,0 +1,200 @@ + + + + +Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic - Archive of Formal Proofs + + + + + + + + + + + + + + + + + + + + + +
+

 

+ + + +

 

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download
+

 

+

 

+		 +
+

 

+

Formalization + + of + + a + + Monitoring + + Algorithm + + for + + Metric + + First-Order + + Temporal + + Logic + +

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Title:Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic
+ Authors: + + Joshua Schneider (joshua /dot/ schneider /at/ inf /dot/ ethz /dot/ ch) and + Dmitriy Traytel +
Submission date:2019-07-04
Abstract: +A monitor is a runtime verification tool that solves the following +problem: Given a stream of time-stamped events and a policy formulated +in a specification language, decide whether the policy is satisfied at +every point in the stream. We verify the correctness of an executable +monitor for specifications given as formulas in metric first-order +temporal logic (MFOTL), an expressive extension of linear temporal +logic with real-time constraints and first-order quantification. The +verified monitor implements a simplified variant of the algorithm used +in the efficient MonPoly monitoring tool. The formalization is +presented in a forthcoming RV +2019 paper, which also compares the output of the verified +monitor to that of other monitoring tools on randomly generated +inputs. This case study revealed several errors in the optimized but +unverified tools.
BibTeX: + 
@article{MFOTL_Monitor-AFP,
+  author  = {Joshua Schneider and Dmitriy Traytel},
+  title   = {Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic},
+  journal = {Archive of Formal Proofs},
+  month   = jul,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/MFOTL_Monitor.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
License:BSD License
Depends on:Containers
+ +

+ + + + + + + + + + + + + + + + +
+ Proof outline
+ Proof document +
+ Browse theories +
+ Download this entry +
Older releases: + None +
+ +
+
+ + + + + + \ No newline at end of file diff --git a/web/entries/MSO_Regex_Equivalence.html b/web/entries/MSO_Regex_Equivalence.html --- a/web/entries/MSO_Regex_Equivalence.html +++ b/web/entries/MSO_Regex_Equivalence.html @@ -1,242 +1,242 @@ Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions

 

Title: Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions
Authors: Dmitriy Traytel and - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-06-12
Abstract: Monadic second-order logic on finite words (MSO) is a decidable yet expressive logic into which many decision problems can be encoded. Since MSO formulas correspond to regular languages, equivalence of MSO formulas can be reduced to the equivalence of some regular structures (e.g. automata). We verify an executable decision procedure for MSO formulas that is not based on automata but on regular expressions.

Decision procedures for regular expression equivalence have been formalized before, usually based on Brzozowski derivatives. Yet, for a straightforward embedding of MSO formulas into regular expressions an extension of regular expressions with a projection operation is required. We prove total correctness and completeness of an equivalence checker for regular expressions extended in that way. We also define a language-preserving translation of formulas into regular expressions with respect to two different semantics of MSO.

The formalization is described in this ICFP 2013 functional pearl.
BibTeX: 
@article{MSO_Regex_Equivalence-AFP,
   author  = {Dmitriy Traytel and Tobias Nipkow},
   title   = {Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/MSO_Regex_Equivalence.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Deriving, List-Index

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Markov_Models.html b/web/entries/Markov_Models.html --- a/web/entries/Markov_Models.html +++ b/web/entries/Markov_Models.html @@ -1,240 +1,240 @@ Markov Models - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Markov Models

 

Title: Markov Models
Authors: Johannes Hölzl and - Tobias Nipkow + Tobias Nipkow
Submission date: 2012-01-03
Abstract: This is a formalization of Markov models in Isabelle/HOL. It builds on Isabelle's probability theory. The available models are currently Discrete-Time Markov Chains and a extensions of them with rewards.

As application of these models we formalize probabilistic model checking of pCTL formulas, analysis of IPv4 address allocation in ZeroConf and an analysis of the anonymity of the Crowds protocol. See here for the corresponding paper.
BibTeX: 
@article{Markov_Models-AFP,
   author  = {Johannes Hölzl and Tobias Nipkow},
   title   = {Markov Models},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2012,
   note    = {\url{http://isa-afp.org/entries/Markov_Models.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Coinductive, Gauss-Jordan-Elim-Fun
Used by: Hidden_Markov_Models, Probabilistic_Noninterference, Probabilistic_Timed_Automata, Stochastic_Matrices

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Marriage.html b/web/entries/Marriage.html --- a/web/entries/Marriage.html +++ b/web/entries/Marriage.html @@ -1,241 +1,241 @@ Hall's Marriage Theorem - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Hall's Marriage Theorem

 

Title: Hall's Marriage Theorem
Authors: Dongchen Jiang (dongchenjiang /at/ googlemail /dot/ com) and - Tobias Nipkow + Tobias Nipkow
Submission date: 2010-12-17
Abstract: Two proofs of Hall's Marriage Theorem: one due to Halmos and Vaughan, one due to Rado.
Change history: [2011-09-09]: Added Rado's proof
BibTeX: 
@article{Marriage-AFP,
   author  = {Dongchen Jiang and Tobias Nipkow},
   title   = {Hall's Marriage Theorem},
   journal = {Archive of Formal Proofs},
   month   = dec,
   year    = 2010,
   note    = {\url{http://isa-afp.org/entries/Marriage.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Latin_Square

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/MiniML.html b/web/entries/MiniML.html --- a/web/entries/MiniML.html +++ b/web/entries/MiniML.html @@ -1,283 +1,283 @@ Mini ML - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Mini ML

 

Title: Mini ML
Authors: Wolfgang Naraschewski and - Tobias Nipkow + Tobias Nipkow
Submission date: 2004-03-19
Abstract: This theory defines the type inference rules and the type inference algorithm W for MiniML (simply-typed lambda terms with let) due to Milner. It proves the soundness and completeness of W w.r.t. the rules.
BibTeX: 
@article{MiniML-AFP,
   author  = {Wolfgang Naraschewski and Tobias Nipkow},
   title   = {Mini ML},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2004,
   note    = {\url{http://isa-afp.org/entries/MiniML.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Monad_Memo_DP.html b/web/entries/Monad_Memo_DP.html --- a/web/entries/Monad_Memo_DP.html +++ b/web/entries/Monad_Memo_DP.html @@ -1,199 +1,199 @@ Monadification, Memoization and Dynamic Programming - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Monadification, Memoization and Dynamic Programming

 

Title: Monadification, Memoization and Dynamic Programming
Authors: Simon Wimmer, Shuwei Hu (shuwei /dot/ hu /at/ tum /dot/ de) and - Tobias Nipkow + Tobias Nipkow
Submission date: 2018-05-22
Abstract: We present a lightweight framework for the automatic verified (functional or imperative) memoization of recursive functions. Our tool can turn a pure Isabelle/HOL function definition into a monadified version in a state monad or the Imperative HOL heap monad, and prove a correspondence theorem. We provide a variety of memory implementations for the two types of monads. A number of simple techniques allow us to achieve bottom-up computation and space-efficient memoization. The framework’s utility is demonstrated on a number of representative dynamic programming problems. A detailed description of our work can be found in the accompanying paper [2].
BibTeX: 
@article{Monad_Memo_DP-AFP,
   author  = {Simon Wimmer and Shuwei Hu and Tobias Nipkow},
   title   = {Monadification, Memoization and Dynamic Programming},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Monad_Memo_DP.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Show
Used by: Hidden_Markov_Models, Optimal_BST

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Native_Word.html b/web/entries/Native_Word.html --- a/web/entries/Native_Word.html +++ b/web/entries/Native_Word.html @@ -1,233 +1,233 @@ Native Word - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Native Word

 

- +
Title: Native Word
Author: Andreas Lochbihler
Contributor: Peter Lammich
Submission date: 2013-09-17
Abstract: This entry makes machine words and machine arithmetic available for code generation from Isabelle/HOL. It provides a common abstraction that hides the differences between the different target languages. The code generator maps these operations to the APIs of the target languages. Apart from that, we extend the available bit operations on types int and integer, and map them to the operations in the target languages.
Change history: [2013-11-06]: added conversion function between native words and characters (revision fd23d9a7fe3a)
[2014-03-31]: added words of default size in the target language (by Peter Lammich) (revision 25caf5065833)
[2014-10-06]: proper test setup with compilation and execution of tests in all target languages (revision 5d7a1c9ae047)
[2017-09-02]: added 64-bit words (revision c89f86244e3c)
[2018-07-15]: added cast operators for default-size words (revision fc1f1fb8dd30)
BibTeX: 
@article{Native_Word-AFP,
   author  = {Andreas Lochbihler},
   title   = {Native Word},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2013,
   note    = {\url{http://isa-afp.org/entries/Native_Word.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by:Collections, Datatype_Order_Generator, Iptables_Semantics, JinjaThreads, ROBDD, Separation_Logic_Imperative_HOL, WebAssembly
Collections, Datatype_Order_Generator, Deriving, Iptables_Semantics, JinjaThreads, ROBDD, Separation_Logic_Imperative_HOL, WebAssembly

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/NormByEval.html b/web/entries/NormByEval.html --- a/web/entries/NormByEval.html +++ b/web/entries/NormByEval.html @@ -1,260 +1,260 @@ Normalization by Evaluation - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Normalization by Evaluation

 

Title: Normalization by Evaluation
Authors: Klaus Aehlig and - Tobias Nipkow + Tobias Nipkow
Submission date: 2008-02-18
Abstract: This article formalizes normalization by evaluation as implemented in Isabelle. Lambda calculus plus term rewriting is compiled into a functional program with pattern matching. It is proved that the result of a successful evaluation is a) correct, i.e. equivalent to the input, and b) in normal form.
BibTeX: 
@article{NormByEval-AFP,
   author  = {Klaus Aehlig and Tobias Nipkow},
   title   = {Normalization by Evaluation},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2008,
   note    = {\url{http://isa-afp.org/entries/NormByEval.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Optimal_BST.html b/web/entries/Optimal_BST.html --- a/web/entries/Optimal_BST.html +++ b/web/entries/Optimal_BST.html @@ -1,190 +1,190 @@ Optimal Binary Search Trees - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Optimal Binary Search Trees

 

Title: Optimal Binary Search Trees
Authors: - Tobias Nipkow and + Tobias Nipkow and Dániel Somogyi
Submission date: 2018-05-27
Abstract: This article formalizes recursive algorithms for the construction of optimal binary search trees given fixed access frequencies. We follow Knuth (1971), Yao (1980) and Mehlhorn (1984). The algorithms are memoized with the help of the AFP article Monadification, Memoization and Dynamic Programming, thus yielding dynamic programming algorithms.
BibTeX: 
@article{Optimal_BST-AFP,
   author  = {Tobias Nipkow and Dániel Somogyi},
   title   = {Optimal Binary Search Trees},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Optimal_BST.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Monad_Memo_DP

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Pairing_Heap.html b/web/entries/Pairing_Heap.html --- a/web/entries/Pairing_Heap.html +++ b/web/entries/Pairing_Heap.html @@ -1,196 +1,196 @@ Pairing Heap - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Pairing Heap

 

Title: Pairing Heap
Authors: Hauke Brinkop (hauke /dot/ brinkop /at/ googlemail /dot/ com) and - Tobias Nipkow + Tobias Nipkow
Submission date: 2016-07-14
Abstract: This library defines three different versions of pairing heaps: a functional version of the original design based on binary trees [Fredman et al. 1986], the version by Okasaki [1998] and a modified version of the latter that is free of structural invariants.

The amortized complexity of pairing heaps is analyzed in the AFP article Amortized Complexity.
Origin: This library was extracted from Amortized Complexity and extended.
BibTeX: 
@article{Pairing_Heap-AFP,
   author  = {Hauke Brinkop and Tobias Nipkow},
   title   = {Pairing Heap},
   journal = {Archive of Formal Proofs},
   month   = jul,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Pairing_Heap.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Amortized_Complexity

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Perron_Frobenius.html b/web/entries/Perron_Frobenius.html --- a/web/entries/Perron_Frobenius.html +++ b/web/entries/Perron_Frobenius.html @@ -1,234 +1,234 @@ Perron-Frobenius Theorem for Spectral Radius Analysis - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Perron-Frobenius Theorem for Spectral Radius Analysis

 

Title: Perron-Frobenius Theorem for Spectral Radius Analysis
Authors: Jose Divasón, Ondřej Kunčar, René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2016-05-20
Abstract:

The spectral radius of a matrix A is the maximum norm of all eigenvalues of A. In previous work we already formalized that for a complex matrix A, the values in An grow polynomially in n if and only if the spectral radius is at most one. One problem with the above characterization is the determination of all complex eigenvalues. In case A contains only non-negative real values, a simplification is possible with the help of the Perron–Frobenius theorem, which tells us that it suffices to consider only the real eigenvalues of A, i.e., applying Sturm's method can decide the polynomial growth of An.

We formalize the Perron–Frobenius theorem based on a proof via Brouwer's fixpoint theorem, which is available in the HOL multivariate analysis (HMA) library. Since the results on the spectral radius is based on matrices in the Jordan normal form (JNF) library, we further develop a connection which allows us to easily transfer theorems between HMA and JNF. With this connection we derive the combined result: if A is a non-negative real matrix, and no real eigenvalue of A is strictly larger than one, then An is polynomially bounded in n.

Change history: [2017-10-18]: added Perron-Frobenius theorem for irreducible matrices with generalization (revision bda1f1ce8a1c)
[2018-05-17]: prove conjecture of CPP'18 paper: Jordan blocks of spectral radius have maximum size (revision ffdb3794e5d5)
BibTeX: 
@article{Perron_Frobenius-AFP,
   author  = {Jose Divasón and Ondřej Kunčar and René Thiemann and Akihisa Yamada},
   title   = {Perron-Frobenius Theorem for Spectral Radius Analysis},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Perron_Frobenius.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Jordan_Normal_Form, Polynomial_Factorization, Rank_Nullity_Theorem, Sturm_Sequences
Used by: LLL_Factorization, Stochastic_Matrices

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Polynomial_Factorization.html b/web/entries/Polynomial_Factorization.html --- a/web/entries/Polynomial_Factorization.html +++ b/web/entries/Polynomial_Factorization.html @@ -1,206 +1,206 @@ Polynomial Factorization - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Polynomial Factorization

 

Title: Polynomial Factorization
Authors: René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2016-01-29
Abstract: Based on existing libraries for polynomial interpolation and matrices, we formalized several factorization algorithms for polynomials, including Kronecker's algorithm for integer polynomials, Yun's square-free factorization algorithm for field polynomials, and Berlekamp's algorithm for polynomials over finite fields. By combining the last one with Hensel's lifting, we derive an efficient factorization algorithm for the integer polynomials, which is then lifted for rational polynomials by mechanizing Gauss' lemma. Finally, we assembled a combined factorization algorithm for rational polynomials, which combines all the mentioned algorithms and additionally uses the explicit formula for roots of quadratic polynomials and a rational root test.

As side products, we developed division algorithms for polynomials over integral domains, as well as primality-testing and prime-factorization algorithms for integers.
BibTeX: 
@article{Polynomial_Factorization-AFP,
   author  = {René Thiemann and Akihisa Yamada},
   title   = {Polynomial Factorization},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Polynomial_Factorization.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Abstract-Rewriting, Containers, Gauss_Jordan, Matrix, Partial_Function_MR, Polynomial_Interpolation, Show, Sqrt_Babylonian, VectorSpace
Used by: Berlekamp_Zassenhaus, Dirichlet_Series, Functional_Ordered_Resolution_Prover, Jordan_Normal_Form, Linear_Recurrences, Perron_Frobenius, Subresultants

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Polynomial_Interpolation.html b/web/entries/Polynomial_Interpolation.html --- a/web/entries/Polynomial_Interpolation.html +++ b/web/entries/Polynomial_Interpolation.html @@ -1,206 +1,206 @@ Polynomial Interpolation - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Polynomial Interpolation

 

Title: Polynomial Interpolation
Authors: René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2016-01-29
Abstract: We formalized three algorithms for polynomial interpolation over arbitrary fields: Lagrange's explicit expression, the recursive algorithm of Neville and Aitken, and the Newton interpolation in combination with an efficient implementation of divided differences. Variants of these algorithms for integer polynomials are also available, where sometimes the interpolation can fail; e.g., there is no linear integer polynomial p such that p(0) = 0 and p(2) = 1. Moreover, for the Newton interpolation for integer polynomials, we proved that all intermediate results that are computed during the algorithm must be integers. This admits an early failure detection in the implementation. Finally, we proved the uniqueness of polynomial interpolation.

The development also contains improved code equations to speed up the division of integers in target languages.
BibTeX: 
@article{Polynomial_Interpolation-AFP,
   author  = {René Thiemann and Akihisa Yamada},
   title   = {Polynomial Interpolation},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2016,
   note    = {\url{http://isa-afp.org/entries/Polynomial_Interpolation.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Sqrt_Babylonian
Used by: Berlekamp_Zassenhaus, Deep_Learning, Polynomial_Factorization

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Prim_Dijkstra_Simple.html b/web/entries/Prim_Dijkstra_Simple.html new file mode 100644 --- /dev/null +++ b/web/entries/Prim_Dijkstra_Simple.html @@ -0,0 +1,191 @@ + + + + +Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra - Archive of Formal Proofs + + + + + + + + + + + + + + + + + + + + + +
+

 

+ + + +

 

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download
+

 

+

 

+		 +
+

 

+

Purely + + Functional, + + Simple, + + and + + Efficient + + Implementation + + of + + Prim + + and + + Dijkstra + +

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Title:Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra
+ Authors: + + Peter Lammich and + Tobias Nipkow +
Submission date:2019-06-25
Abstract: +We verify purely functional, simple and efficient implementations of +Prim's and Dijkstra's algorithms. This constitutes the first +verification of an executable and even efficient version of +Prim's algorithm. This entry formalizes the second part of our +ITP-2019 proof pearl Purely Functional, Simple and Efficient +Priority Search Trees and Applications to Prim and Dijkstra.
BibTeX: + 
@article{Prim_Dijkstra_Simple-AFP,
+  author  = {Peter Lammich and Tobias Nipkow},
+  title   = {Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra},
+  journal = {Archive of Formal Proofs},
+  month   = jun,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/Prim_Dijkstra_Simple.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
License:BSD License
Depends on:Priority_Search_Trees
+ +

+ + + + + + + + + + + + + + + + +
+ Proof outline
+ Proof document +
+ Browse theories +
+ Download this entry +
Older releases: + None +
+ +
+
+ + + + + + \ No newline at end of file diff --git a/web/entries/Priority_Queue_Braun.html b/web/entries/Priority_Queue_Braun.html --- a/web/entries/Priority_Queue_Braun.html +++ b/web/entries/Priority_Queue_Braun.html @@ -1,208 +1,208 @@ Priority Queues Based on Braun Trees - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Priority Queues Based on Braun Trees

 

Title: Priority Queues Based on Braun Trees
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-09-04
Abstract: This theory implements priority queues via Braun trees. Insertion and deletion take logarithmic time and preserve the balanced nature of Braun trees.
BibTeX: 
@article{Priority_Queue_Braun-AFP,
   author  = {Tobias Nipkow},
   title   = {Priority Queues Based on Braun Trees},
   journal = {Archive of Formal Proofs},
   month   = sep,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Priority_Queue_Braun.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Priority_Search_Trees.html b/web/entries/Priority_Search_Trees.html new file mode 100644 --- /dev/null +++ b/web/entries/Priority_Search_Trees.html @@ -0,0 +1,181 @@ + + + + +Priority Search Trees - Archive of Formal Proofs + + + + + + + + + + + + + + + + + + + + + +
+

 

+ + + +

 

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download
+

 

+

 

+		 +
+

 

+

Priority + + Search + + Trees + +

+

 

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Title:Priority Search Trees
+ Authors: + + Peter Lammich and + Tobias Nipkow +
Submission date:2019-06-25
Abstract: +We present a new, purely functional, simple and efficient data +structure combining a search tree and a priority queue, which we call +a priority search tree. The salient feature of priority search +trees is that they offer a decrease-key operation, something that is +missing from other simple, purely functional priority queue +implementations. Priority search trees can be implemented on top of +any search tree. This entry does the implementation for red-black +trees. This entry formalizes the first part of our ITP-2019 proof +pearl Purely Functional, Simple and Efficient Priority +Search Trees and Applications to Prim and Dijkstra.
BibTeX: + 
@article{Priority_Search_Trees-AFP,
+  author  = {Peter Lammich and Tobias Nipkow},
+  title   = {Priority Search Trees},
+  journal = {Archive of Formal Proofs},
+  month   = jun,
+  year    = 2019,
+  note    = {\url{http://isa-afp.org/entries/Priority_Search_Trees.html},
+            Formal proof development},
+  ISSN    = {2150-914x},
+}
+
License:BSD License
Used by:Prim_Dijkstra_Simple
+ +

+ + + + + + + + + + + + + + + + +
+ Proof outline
+ Proof document +
+ Browse theories +
+ Download this entry +
Older releases: + None +
+ +
+
+ + + + + + \ No newline at end of file diff --git a/web/entries/Propositional_Proof_Systems.html b/web/entries/Propositional_Proof_Systems.html --- a/web/entries/Propositional_Proof_Systems.html +++ b/web/entries/Propositional_Proof_Systems.html @@ -1,191 +1,191 @@ Propositional Proof Systems - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Propositional Proof Systems

 

Title: Propositional Proof Systems
Authors: Julius Michaelis and - Tobias Nipkow + Tobias Nipkow
Submission date: 2017-06-21
Abstract: We formalize a range of proof systems for classical propositional logic (sequent calculus, natural deduction, Hilbert systems, resolution) and prove the most important meta-theoretic results about semantics and proofs: compactness, soundness, completeness, translations between proof systems, cut-elimination, interpolation and model existence.
BibTeX: 
@article{Propositional_Proof_Systems-AFP,
   author  = {Julius Michaelis and Tobias Nipkow},
   title   = {Propositional Proof Systems},
   journal = {Archive of Formal Proofs},
   month   = jun,
   year    = 2017,
   note    = {\url{http://isa-afp.org/entries/Propositional_Proof_Systems.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Regex_Equivalence.html b/web/entries/Regex_Equivalence.html --- a/web/entries/Regex_Equivalence.html +++ b/web/entries/Regex_Equivalence.html @@ -1,231 +1,231 @@ Unified Decision Procedures for Regular Expression Equivalence - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Unified Decision Procedures for Regular Expression Equivalence

 

Title: Unified Decision Procedures for Regular Expression Equivalence
Authors: - Tobias Nipkow and + Tobias Nipkow and Dmitriy Traytel
Submission date: 2014-01-30
Abstract: We formalize a unified framework for verified decision procedures for regular expression equivalence. Five recently published formalizations of such decision procedures (three based on derivatives, two on marked regular expressions) can be obtained as instances of the framework. We discover that the two approaches based on marked regular expressions, which were previously thought to be the same, are different, and one seems to produce uniformly smaller automata. The common framework makes it possible to compare the performance of the different decision procedures in a meaningful way. The formalization is described in a paper of the same name presented at Interactive Theorem Proving 2014.
BibTeX: 
@article{Regex_Equivalence-AFP,
   author  = {Tobias Nipkow and Dmitriy Traytel},
   title   = {Unified Decision Procedures for Regular Expression Equivalence},
   journal = {Archive of Formal Proofs},
   month   = jan,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Regex_Equivalence.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Efficient-Mergesort, Regular-Sets

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Regular-Sets.html b/web/entries/Regular-Sets.html --- a/web/entries/Regular-Sets.html +++ b/web/entries/Regular-Sets.html @@ -1,258 +1,258 @@ Regular Sets and Expressions - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Regular Sets and Expressions

 

Title: Regular Sets and Expressions
Authors: Alexander Krauss and - Tobias Nipkow + Tobias Nipkow
Contributor: Manuel Eberl
Submission date: 2010-05-12
Abstract: This is a library of constructions on regular expressions and languages. It provides the operations of concatenation, Kleene star and derivative on languages. Regular expressions and their meaning are defined. An executable equivalence checker for regular expressions is verified; it does not need automata but works directly on regular expressions. By mapping regular expressions to binary relations, an automatic and complete proof method for (in)equalities of binary relations over union, concatenation and (reflexive) transitive closure is obtained.

Extended regular expressions with complement and intersection are also defined and an equivalence checker is provided.
Change history: [2011-08-26]: Christian Urban added a theory about derivatives and partial derivatives of regular expressions
[2012-05-10]: Tobias Nipkow added extended regular expressions
[2012-05-10]: Tobias Nipkow added equivalence checking with partial derivatives
BibTeX: 
@article{Regular-Sets-AFP,
   author  = {Alexander Krauss and Tobias Nipkow},
   title   = {Regular Sets and Expressions},
   journal = {Archive of Formal Proofs},
   month   = may,
   year    = 2010,
   note    = {\url{http://isa-afp.org/entries/Regular-Sets.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Abstract-Rewriting, Coinductive_Languages, Containers, Finite_Automata_HF, Functional-Automata, Lambda_Free_KBOs, List_Update, Myhill-Nerode, Posix-Lexing, Quick_Sort_Cost, Regex_Equivalence, Transitive-Closure-II

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Root_Balanced_Tree.html b/web/entries/Root_Balanced_Tree.html --- a/web/entries/Root_Balanced_Tree.html +++ b/web/entries/Root_Balanced_Tree.html @@ -1,200 +1,200 @@ Root-Balanced Tree - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Root-Balanced Tree

 

Title: Root-Balanced Tree
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2017-08-20
Abstract:

Andersson introduced general balanced trees, search trees based on the design principle of partial rebuilding: perform update operations naively until the tree becomes too unbalanced, at which point a whole subtree is rebalanced. This article defines and analyzes a functional version of general balanced trees, which we call root-balanced trees. Using a lightweight model of execution time, amortized logarithmic complexity is verified in the theorem prover Isabelle.

This is the Isabelle formalization of the material decribed in the APLAS 2017 article Verified Root-Balanced Trees by the same author, which also presents experimental results that show competitiveness of root-balanced with AVL and red-black trees.

BibTeX: 
@article{Root_Balanced_Tree-AFP,
   author  = {Tobias Nipkow},
   title   = {Root-Balanced Tree},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2017,
   note    = {\url{http://isa-afp.org/entries/Root_Balanced_Tree.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Amortized_Complexity

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Skew_Heap.html b/web/entries/Skew_Heap.html --- a/web/entries/Skew_Heap.html +++ b/web/entries/Skew_Heap.html @@ -1,211 +1,211 @@ Skew Heap - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Skew Heap

 

Title: Skew Heap
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-08-13
Abstract: Skew heaps are an amazingly simple and lightweight implementation of priority queues. They were invented by Sleator and Tarjan [SIAM 1986] and have logarithmic amortized complexity. This entry provides executable and verified functional skew heaps.

The amortized complexity of skew heaps is analyzed in the AFP entry Amortized Complexity.
BibTeX: 
@article{Skew_Heap-AFP,
   author  = {Tobias Nipkow},
   title   = {Skew Heap},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Skew_Heap.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Amortized_Complexity

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Splay_Tree.html b/web/entries/Splay_Tree.html --- a/web/entries/Splay_Tree.html +++ b/web/entries/Splay_Tree.html @@ -1,209 +1,209 @@ Splay Tree - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Splay Tree

 

Title: Splay Tree
Author: - Tobias Nipkow + Tobias Nipkow
Submission date: 2014-08-12
Abstract: Splay trees are self-adjusting binary search trees which were invented by Sleator and Tarjan [JACM 1985]. This entry provides executable and verified functional splay trees as well as the related splay heaps (due to Okasaki).

The amortized complexity of splay trees and heaps is analyzed in the AFP entry Amortized Complexity.
Change history: [2016-07-12]: Moved splay heaps here from Amortized_Complexity
BibTeX: 
@article{Splay_Tree-AFP,
   author  = {Tobias Nipkow},
   title   = {Splay Tree},
   journal = {Archive of Formal Proofs},
   month   = aug,
   year    = 2014,
   note    = {\url{http://isa-afp.org/entries/Splay_Tree.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Amortized_Complexity

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Subresultants.html b/web/entries/Subresultants.html --- a/web/entries/Subresultants.html +++ b/web/entries/Subresultants.html @@ -1,190 +1,190 @@ Subresultants - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Subresultants

 

Title: Subresultants
Authors: Sebastiaan Joosten, René Thiemann and - Akihisa Yamada (ayamada /at/ trs /dot/ cm /dot/ is /dot/ nagoya-u /dot/ ac /dot/ jp) + Akihisa Yamada
Submission date: 2017-04-06
Abstract: We formalize the theory of subresultants and the subresultant polynomial remainder sequence as described by Brown and Traub. As a result, we obtain efficient certified algorithms for computing the resultant and the greatest common divisor of polynomials.
BibTeX: 
@article{Subresultants-AFP,
   author  = {Sebastiaan Joosten and René Thiemann and Akihisa Yamada},
   title   = {Subresultants},
   journal = {Archive of Formal Proofs},
   month   = apr,
   year    = 2017,
   note    = {\url{http://isa-afp.org/entries/Subresultants.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Jordan_Normal_Form, Polynomial_Factorization
Used by: Berlekamp_Zassenhaus

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Treaps.html b/web/entries/Treaps.html --- a/web/entries/Treaps.html +++ b/web/entries/Treaps.html @@ -1,200 +1,200 @@ Treaps - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Treaps

 

Title: Treaps
Authors: Maximilian Haslbeck, Manuel Eberl and - Tobias Nipkow + Tobias Nipkow
Submission date: 2018-02-06
Abstract:

A Treap is a binary tree whose nodes contain pairs consisting of some payload and an associated priority. It must have the search-tree property w.r.t. the payloads and the heap property w.r.t. the priorities. Treaps are an interesting data structure that is related to binary search trees (BSTs) in the following way: if one forgets all the priorities of a treap, the resulting BST is exactly the same as if one had inserted the elements into an empty BST in order of ascending priority. This means that a treap behaves like a BST where we can pretend the elements were inserted in a different order from the one in which they were actually inserted.

In particular, by choosing these priorities at random upon insertion of an element, we can pretend that we inserted the elements in random order, so that the shape of the resulting tree is that of a random BST no matter in what order we insert the elements. This is the main result of this formalisation.
BibTeX: 
@article{Treaps-AFP,
   author  = {Maximilian Haslbeck and Manuel Eberl and Tobias Nipkow},
   title   = {Treaps},
   journal = {Archive of Formal Proofs},
   month   = feb,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Treaps.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Depends on: Comparison_Sort_Lower_Bound, Random_BSTs

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Trie.html b/web/entries/Trie.html --- a/web/entries/Trie.html +++ b/web/entries/Trie.html @@ -1,205 +1,205 @@ Trie - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Trie

 

Title: Trie
Authors: Andreas Lochbihler and - Tobias Nipkow + Tobias Nipkow
Submission date: 2015-03-30
Abstract: This article formalizes the ``trie'' data structure invented by Fredkin [CACM 1960]. It also provides a specialization where the entries in the trie are lists.
Origin: This article was extracted from existing articles by the authors.
BibTeX: 
@article{Trie-AFP,
   author  = {Andreas Lochbihler and Tobias Nipkow},
   title   = {Trie},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2015,
   note    = {\url{http://isa-afp.org/entries/Trie.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License
Used by: Collections, Containers, Flyspeck-Tame, JinjaThreads, KBPs

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/entries/Weight_Balanced_Trees.html b/web/entries/Weight_Balanced_Trees.html --- a/web/entries/Weight_Balanced_Trees.html +++ b/web/entries/Weight_Balanced_Trees.html @@ -1,186 +1,186 @@ Weight-Balanced Trees - Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Weight-Balanced Trees

 

Title: Weight-Balanced Trees
Authors: - Tobias Nipkow and + Tobias Nipkow and Stefan Dirix
Submission date: 2018-03-13
Abstract: This theory provides a verified implementation of weight-balanced trees following the work of Hirai and Yamamoto who proved that all parameters in a certain range are valid, i.e. guarantee that insertion and deletion preserve weight-balance. Instead of a general theorem we provide parameterized proofs of preservation of the invariant that work for many (all?) valid parameters.
BibTeX: 
@article{Weight_Balanced_Trees-AFP,
   author  = {Tobias Nipkow and Stefan Dirix},
   title   = {Weight-Balanced Trees},
   journal = {Archive of Formal Proofs},
   month   = mar,
   year    = 2018,
   note    = {\url{http://isa-afp.org/entries/Weight_Balanced_Trees.html},
             Formal proof development},
   ISSN    = {2150-914x},
 }
License: BSD License

Proof outline
Proof document
Browse theories
Download this entry
Older releases:
\ No newline at end of file diff --git a/web/index.html b/web/index.html --- a/web/index.html +++ b/web/index.html @@ -1,4420 +1,4464 @@ Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Archive of Formal Proofs

 

The Archive of Formal Proofs is a collection of proof libraries, examples, and larger scientific developments, mechanically checked in the theorem prover Isabelle. It is organized in the way of a scientific journal, is indexed by dblp and has an ISSN: 2150-914x. Submissions are refereed. The preferred citation style is available [here]. We encourage companion AFP submissions to conference and journal publications.

A development version of the archive is available as well.

 

 

+ + + + + + + + + + + + + + +
2019
+ 2019-07-04: Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic +
+ Authors: + Joshua Schneider + and Dmitriy Traytel +
+ 2019-06-27: Complete Non-Orders and Fixed Points +
+ Authors: + Akihisa Yamada + and Jérémy Dubut +
+ 2019-06-25: Priority Search Trees +
+ Authors: + Peter Lammich + and Tobias Nipkow +
+ 2019-06-25: Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra +
+ Authors: + Peter Lammich + and Tobias Nipkow +
2019-06-21: Linear Inequalities
Authors: Ralph Bottesch, Alban Reynaud and René Thiemann
2019-06-16: Hilbert's Nullstellensatz
Author: Alexander Maletzky
2019-06-15: Gröbner Bases, Macaulay Matrices and Dubé's Degree Bounds
Author: Alexander Maletzky
2019-06-13: Binary Heaps for IMP2
Author: Simon Griebel
+ 2019-06-03: Differential Game Logic +
+ Author: + André Platzer +
2019-05-30: Multidimensional Binary Search Trees
Author: Martin Rau
2019-05-14: Formalization of Generic Authenticated Data Structures
Authors: Matthias Brun and Dmitriy Traytel
2019-05-09: Multi-Party Computation
Authors: David Aspinall and David Butler
2019-04-26: HOL-CSP Version 2.0
Authors: Safouan Taha, Lina Ye and Burkhart Wolff
2019-04-16: A Compositional and Unified Translation of LTL into ω-Automata
Authors: Benedikt Seidl and Salomon Sickert
2019-04-06: A General Theory of Syntax with Bindings
Authors: Lorenzo Gheri and Andrei Popescu
2019-03-27: The Transcendence of Certain Infinite Series
Authors: Angeliki Koutsoukou-Argyraki and Wenda Li
2019-03-24: Quantum Hoare Logic
Authors: Junyi Liu, Bohua Zhan, Shuling Wang, Shenggang Ying, Tao Liu, Yangjia Li, Mingsheng Ying and Naijun Zhan
2019-03-09: Safe OCL
Author: Denis Nikiforov
2019-02-21: Elementary Facts About the Distribution of Primes
Author: Manuel Eberl
2019-02-14: Kruskal's Algorithm for Minimum Spanning Forest
Authors: Maximilian P.L. Haslbeck, Peter Lammich and Julian Biendarra
2019-02-11: Probabilistic Primality Testing
Authors: Daniel Stüwe and Manuel Eberl
2019-02-08: Universal Turing Machine
Authors: Jian Xu, Xingyuan Zhang, Christian Urban and Sebastiaan J. C. Joosten
2019-02-01: Isabelle/UTP: Mechanised Theory Engineering for Unifying Theories of Programming
Authors: Simon Foster, Frank Zeyda, Yakoub Nemouchi, Pedro Ribeiro and Burkhart Wolff
2019-02-01: The Inversions of a List
Author: Manuel Eberl
2019-01-17: Farkas' Lemma and Motzkin's Transposition Theorem
Authors: Ralph Bottesch, Max W. Haslbeck and René Thiemann
2019-01-15: IMP2 – Simple Program Verification in Isabelle/HOL
Authors: Peter Lammich and Simon Wimmer
2019-01-15: An Algebra for Higher-Order Terms
Author: Lars Hupel
2019-01-07: A Reduction Theorem for Store Buffers
Authors: Ernie Cohen and Norbert Schirmer

 

2018
2018-12-26: A Formal Model of the Document Object Model
Authors: Achim D. Brucker and Michael Herzberg
2018-12-25: Formalization of Concurrent Revisions
Author: Roy Overbeek
2018-12-21: Verifying Imperative Programs using Auto2
Author: Bohua Zhan
2018-12-17: Constructive Cryptography in HOL
Authors: Andreas Lochbihler and S. Reza Sefidgar
2018-12-11: Transformer Semantics
Author: Georg Struth
2018-12-11: Quantales
Author: Georg Struth
2018-12-11: Properties of Orderings and Lattices
Author: Georg Struth
2018-11-23: Graph Saturation
Author: Sebastiaan J. C. Joosten
2018-11-23: A Verified Functional Implementation of Bachmair and Ganzinger's Ordered Resolution Prover
Authors: Anders Schlichtkrull, Jasmin Christian Blanchette and Dmitriy Traytel
2018-11-20: Auto2 Prover
Author: Bohua Zhan
2018-11-16: Matroids
Author: Jonas Keinholz
2018-11-06: Deriving generic class instances for datatypes
Authors: Jonas Rädle and Lars Hupel
2018-10-30: Formalisation and Evaluation of Alan Gewirth's Proof for the Principle of Generic Consistency in Isabelle/HOL
Authors: David Fuenmayor and Christoph Benzmüller
2018-10-29: Epistemic Logic
Author: Andreas Halkjær From
2018-10-22: Smooth Manifolds
Authors: Fabian Immler and Bohua Zhan
2018-10-19: Randomised Binary Search Trees
Author: Manuel Eberl
2018-10-19: Formalization of the Embedding Path Order for Lambda-Free Higher-Order Terms
Author: Alexander Bentkamp
2018-10-12: Upper Bounding Diameters of State Spaces of Factored Transition Systems
Authors: Friedrich Kurz and Mohammad Abdulaziz
2018-09-28: The Transcendence of π
Author: Manuel Eberl
2018-09-25: Symmetric Polynomials
Author: Manuel Eberl
2018-09-20: Signature-Based Gröbner Basis Algorithms
Author: Alexander Maletzky
2018-09-19: The Prime Number Theorem
Authors: Manuel Eberl and Lawrence C. Paulson
2018-09-15: Aggregation Algebras
Author: Walter Guttmann
2018-09-14: Octonions
Author: Angeliki Koutsoukou-Argyraki
2018-09-05: Quaternions
Author: Lawrence C. Paulson
2018-09-02: The Budan-Fourier Theorem and Counting Real Roots with Multiplicity
Author: Wenda Li
2018-08-24: An Incremental Simplex Algorithm with Unsatisfiable Core Generation
Authors: Filip Marić, Mirko Spasić and René Thiemann
2018-08-14: Minsky Machines
Author: Bertram Felgenhauer
2018-07-16: Pricing in discrete financial models
Author: Mnacho Echenim
2018-07-04: Von-Neumann-Morgenstern Utility Theorem
Authors: Julian Parsert and Cezary Kaliszyk
2018-06-23: Pell's Equation
Author: Manuel Eberl
2018-06-14: Projective Geometry
Author: Anthony Bordg
2018-06-14: The Localization of a Commutative Ring
Author: Anthony Bordg
2018-06-05: Partial Order Reduction
Author: Julian Brunner
2018-05-27: Optimal Binary Search Trees
Authors: - Tobias Nipkow + Tobias Nipkow and Dániel Somogyi
2018-05-25: Hidden Markov Models
Author: Simon Wimmer
2018-05-24: Probabilistic Timed Automata
Authors: Simon Wimmer and Johannes Hölzl
2018-05-23: Irrational Rapidly Convergent Series
Authors: Angeliki Koutsoukou-Argyraki and Wenda Li
2018-05-23: Axiom Systems for Category Theory in Free Logic
Authors: Christoph Benzmüller and Dana Scott
2018-05-22: Monadification, Memoization and Dynamic Programming
Authors: Simon Wimmer, Shuwei Hu - and Tobias Nipkow + and Tobias Nipkow
2018-05-10: OpSets: Sequential Specifications for Replicated Datatypes
Authors: Martin Kleppmann, Victor B. F. Gomes, Dominic P. Mulligan and Alastair R. Beresford
2018-05-07: An Isabelle/HOL Formalization of the Modular Assembly Kit for Security Properties
Authors: Oliver Bračevac, Richard Gay, Sylvia Grewe, Heiko Mantel, Henning Sudbrock and Markus Tasch
2018-04-29: WebAssembly
Author: Conrad Watt
2018-04-27: VerifyThis 2018 - Polished Isabelle Solutions
Authors: Peter Lammich and Simon Wimmer
2018-04-24: Bounded Natural Functors with Covariance and Contravariance
Authors: Andreas Lochbihler and Joshua Schneider
2018-03-22: The Incompatibility of Fishburn-Strategyproofness and Pareto-Efficiency
Authors: Felix Brandt, Manuel Eberl, Christian Saile and Christian Stricker
2018-03-13: Weight-Balanced Trees
Authors: - Tobias Nipkow + Tobias Nipkow and Stefan Dirix
2018-03-12: CakeML
Authors: Lars Hupel and Yu Zhang
2018-03-01: A Theory of Architectural Design Patterns
Author: Diego Marmsoler
2018-02-26: Hoare Logics for Time Bounds
Authors: Maximilian P. L. Haslbeck - and Tobias Nipkow + and Tobias Nipkow
2018-02-06: Treaps
Authors: Maximilian Haslbeck, Manuel Eberl - and Tobias Nipkow + and Tobias Nipkow
2018-02-06: A verified factorization algorithm for integer polynomials with polynomial complexity
Authors: Jose Divasón, Sebastiaan Joosten, René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2018-02-06: First-Order Terms
Authors: Christian Sternagel and René Thiemann
2018-02-06: The Error Function
Author: Manuel Eberl
2018-02-02: A verified LLL algorithm
Authors: Ralph Bottesch, Jose Divasón, Maximilian Haslbeck, Sebastiaan Joosten, René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2018-01-18: Formalization of Bachmair and Ganzinger's Ordered Resolution Prover
Authors: Anders Schlichtkrull, Jasmin Christian Blanchette, Dmitriy Traytel and Uwe Waldmann
2018-01-16: Gromov Hyperbolicity
Author: Sebastien Gouezel
2018-01-11: An Isabelle/HOL formalisation of Green's Theorem
Authors: Mohammad Abdulaziz and Lawrence C. Paulson
2018-01-08: Taylor Models
Authors: Christoph Traut and Fabian Immler

 

2017
2017-12-22: The Falling Factorial of a Sum
Author: Lukas Bulwahn
2017-12-21: The Median-of-Medians Selection Algorithm
Author: Manuel Eberl
2017-12-21: The Mason–Stothers Theorem
Author: Manuel Eberl
2017-12-21: Dirichlet L-Functions and Dirichlet's Theorem
Author: Manuel Eberl
2017-12-19: Operations on Bounded Natural Functors
Authors: Jasmin Christian Blanchette, Andrei Popescu and Dmitriy Traytel
2017-12-18: The string search algorithm by Knuth, Morris and Pratt
Authors: Fabian Hellauer and Peter Lammich
2017-11-22: Stochastic Matrices and the Perron-Frobenius Theorem
Author: René Thiemann
2017-11-09: The IMAP CmRDT
Authors: Tim Jungnickel, Lennart Oldenburg and Matthias Loibl
2017-11-06: Hybrid Multi-Lane Spatial Logic
Author: Sven Linker
2017-10-26: The Kuratowski Closure-Complement Theorem
Authors: Peter Gammie and Gianpaolo Gioiosa
2017-10-19: Transition Systems and Automata
Author: Julian Brunner
2017-10-19: Büchi Complementation
Author: Julian Brunner
2017-10-17: Evaluate Winding Numbers through Cauchy Indices
Author: Wenda Li
2017-10-17: Count the Number of Complex Roots
Author: Wenda Li
2017-10-14: Homogeneous Linear Diophantine Equations
Authors: Florian Messner, Julian Parsert, Jonas Schöpf and Christian Sternagel
2017-10-12: The Hurwitz and Riemann ζ Functions
Author: Manuel Eberl
2017-10-12: Linear Recurrences
Author: Manuel Eberl
2017-10-12: Dirichlet Series
Author: Manuel Eberl
2017-09-21: Computer-assisted Reconstruction and Assessment of E. J. Lowe's Modal Ontological Argument
Authors: David Fuenmayor and Christoph Benzmüller
2017-09-17: Representation and Partial Automation of the Principia Logico-Metaphysica in Isabelle/HOL
Author: Daniel Kirchner
2017-09-06: Anselm's God in Isabelle/HOL
Author: Ben Blumson
2017-09-01: Microeconomics and the First Welfare Theorem
Authors: Julian Parsert and Cezary Kaliszyk
2017-08-20: Root-Balanced Tree
Author: - Tobias Nipkow + Tobias Nipkow
2017-08-20: Orbit-Stabiliser Theorem with Application to Rotational Symmetries
Author: Jonas Rädle
2017-08-16: The LambdaMu-calculus
Authors: Cristina Matache, Victor B. F. Gomes and Dominic P. Mulligan
2017-07-31: Stewart's Theorem and Apollonius' Theorem
Author: Lukas Bulwahn
2017-07-28: Dynamic Architectures
Author: Diego Marmsoler
2017-07-21: Declarative Semantics for Functional Languages
Author: Jeremy Siek
2017-07-15: HOLCF-Prelude
Authors: Joachim Breitner, Brian Huffman, Neil Mitchell and Christian Sternagel
2017-07-13: Minkowski's Theorem
Author: Manuel Eberl
2017-07-09: Verified Metatheory and Type Inference for a Name-Carrying Simply-Typed Lambda Calculus
Author: Michael Rawson
2017-07-07: A framework for establishing Strong Eventual Consistency for Conflict-free Replicated Datatypes
Authors: Victor B. F. Gomes, Martin Kleppmann, Dominic P. Mulligan and Alastair R. Beresford
2017-07-06: Stone-Kleene Relation Algebras
Author: Walter Guttmann
2017-06-21: Propositional Proof Systems
Authors: Julius Michaelis - and Tobias Nipkow + and Tobias Nipkow
2017-06-13: Partial Semigroups and Convolution Algebras
Authors: Brijesh Dongol, Victor B. F. Gomes, Ian J. Hayes and Georg Struth
2017-06-06: Buffon's Needle Problem
Author: Manuel Eberl
2017-06-01: Formalizing Push-Relabel Algorithms
Authors: Peter Lammich and S. Reza Sefidgar
2017-06-01: Flow Networks and the Min-Cut-Max-Flow Theorem
Authors: Peter Lammich and S. Reza Sefidgar
2017-05-25: Optics
Authors: Simon Foster and Frank Zeyda
2017-05-24: Developing Security Protocols by Refinement
Authors: Christoph Sprenger and Ivano Somaini
2017-05-24: Dictionary Construction
Author: Lars Hupel
2017-05-08: The Floyd-Warshall Algorithm for Shortest Paths
Authors: Simon Wimmer and Peter Lammich
2017-05-05: Probabilistic while loop
Author: Andreas Lochbihler
2017-05-05: Effect polymorphism in higher-order logic
Author: Andreas Lochbihler
2017-05-05: Monad normalisation
Authors: Joshua Schneider, Manuel Eberl and Andreas Lochbihler
2017-05-05: Game-based cryptography in HOL
Authors: Andreas Lochbihler, S. Reza Sefidgar and Bhargav Bhatt
2017-05-05: CryptHOL
Author: Andreas Lochbihler
2017-05-04: Monoidal Categories
Author: Eugene W. Stark
2017-05-01: Types, Tableaus and Gödel’s God in Isabelle/HOL
Authors: David Fuenmayor and Christoph Benzmüller
2017-04-28: Local Lexing
Author: Steven Obua
2017-04-19: Constructor Functions
Author: Lars Hupel
2017-04-18: Lazifying case constants
Author: Lars Hupel
2017-04-06: Subresultants
Authors: Sebastiaan Joosten, René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2017-04-04: Expected Shape of Random Binary Search Trees
Author: Manuel Eberl
2017-03-15: The number of comparisons in QuickSort
Author: Manuel Eberl
2017-03-15: Lower bound on comparison-based sorting algorithms
Author: Manuel Eberl
2017-03-10: The Euler–MacLaurin Formula
Author: Manuel Eberl
2017-02-28: The Group Law for Elliptic Curves
Author: Stefan Berghofer
2017-02-26: Menger's Theorem
Author: Christoph Dittmann
2017-02-13: Differential Dynamic Logic
Author: Brandon Bohrer
2017-02-10: Abstract Soundness
Authors: Jasmin Christian Blanchette, Andrei Popescu and Dmitriy Traytel
2017-02-07: Stone Relation Algebras
Author: Walter Guttmann
2017-01-31: Refining Authenticated Key Agreement with Strong Adversaries
Authors: Joseph Lallemand and Christoph Sprenger
2017-01-24: Bernoulli Numbers
Authors: Lukas Bulwahn and Manuel Eberl
2017-01-17: Minimal Static Single Assignment Form
Authors: Max Wagner and Denis Lohner
2017-01-17: Bertrand's postulate
Authors: Julian Biendarra and Manuel Eberl
2017-01-12: The Transcendence of e
Author: Manuel Eberl
2017-01-08: Formal Network Models and Their Application to Firewall Policies
Authors: Achim D. Brucker, Lukas Brügger and Burkhart Wolff
2017-01-03: Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
Author: Pasquale Noce
2017-01-01: First-Order Logic According to Harrison
Authors: Alexander Birch Jensen, Anders Schlichtkrull and Jørgen Villadsen

 

2016
2016-12-30: Concurrent Refinement Algebra and Rely Quotients
Authors: Julian Fell, Ian J. Hayes and Andrius Velykis
2016-12-29: The Twelvefold Way
Author: Lukas Bulwahn
2016-12-20: Proof Strategy Language
Author: Yutaka Nagashima
2016-12-07: Paraconsistency
Authors: Anders Schlichtkrull and Jørgen Villadsen
2016-11-29: COMPLX: A Verification Framework for Concurrent Imperative Programs
Authors: Sidney Amani, June Andronick, Maksym Bortin, Corey Lewis, Christine Rizkallah and Joseph Tuong
2016-11-23: Abstract Interpretation of Annotated Commands
Author: - Tobias Nipkow + Tobias Nipkow
2016-11-16: Separata: Isabelle tactics for Separation Algebra
Authors: Zhe Hou, David Sanan, Alwen Tiu, Rajeev Gore and Ranald Clouston
2016-11-12: Formalization of Nested Multisets, Hereditary Multisets, and Syntactic Ordinals
Authors: Jasmin Christian Blanchette, Mathias Fleury and Dmitriy Traytel
2016-11-12: Formalization of Knuth–Bendix Orders for Lambda-Free Higher-Order Terms
Authors: Heiko Becker, Jasmin Christian Blanchette, Uwe Waldmann and Daniel Wand
2016-11-10: Expressiveness of Deep Learning
Author: Alexander Bentkamp
2016-10-25: Modal Logics for Nominal Transition Systems
Authors: Tjark Weber, Lars-Henrik Eriksson, Joachim Parrow, Johannes Borgström and Ramunas Gutkovas
2016-10-24: Stable Matching
Author: Peter Gammie
2016-10-21: LOFT — Verified Migration of Linux Firewalls to SDN
Authors: Julius Michaelis and Cornelius Diekmann
2016-10-19: Source Coding Theorem
Authors: Quentin Hibon and Lawrence C. Paulson
2016-10-19: A formal model for the SPARCv8 ISA and a proof of non-interference for the LEON3 processor
Authors: Zhe Hou, David Sanan, Alwen Tiu and Yang Liu
2016-10-14: The Factorization Algorithm of Berlekamp and Zassenhaus
Authors: Jose Divasón, Sebastiaan Joosten, René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2016-10-11: Intersecting Chords Theorem
Author: Lukas Bulwahn
2016-10-05: Lp spaces
Author: Sebastien Gouezel
2016-09-30: Fisher–Yates shuffle
Author: Manuel Eberl
2016-09-29: Allen's Interval Calculus
Author: Fadoua Ghourabi
2016-09-23: Formalization of Recursive Path Orders for Lambda-Free Higher-Order Terms
Authors: Jasmin Christian Blanchette, Uwe Waldmann and Daniel Wand
2016-09-09: Iptables Semantics
Authors: Cornelius Diekmann and Lars Hupel
2016-09-06: A Variant of the Superposition Calculus
Author: Nicolas Peltier
2016-09-06: Stone Algebras
Author: Walter Guttmann
2016-09-01: Stirling's formula
Author: Manuel Eberl
2016-08-31: Routing
Authors: Julius Michaelis and Cornelius Diekmann
2016-08-24: Simple Firewall
Authors: Cornelius Diekmann, Julius Michaelis and Maximilian Haslbeck
2016-08-18: Infeasible Paths Elimination by Symbolic Execution Techniques: Proof of Correctness and Preservation of Paths
Authors: Romain Aissat, Frederic Voisin and Burkhart Wolff
2016-08-12: Formalizing the Edmonds-Karp Algorithm
Authors: Peter Lammich and S. Reza Sefidgar
2016-08-08: The Imperative Refinement Framework
Author: Peter Lammich
2016-08-07: Ptolemy's Theorem
Author: Lukas Bulwahn
2016-07-17: Surprise Paradox
Author: Joachim Breitner
2016-07-14: Pairing Heap
Authors: Hauke Brinkop - and Tobias Nipkow + and Tobias Nipkow
2016-07-05: A Framework for Verifying Depth-First Search Algorithms
Authors: Peter Lammich and René Neumann
2016-07-01: Chamber Complexes, Coxeter Systems, and Buildings
Author: Jeremy Sylvestre
2016-06-30: The Z Property
Authors: Bertram Felgenhauer, Julian Nagele, Vincent van Oostrom and Christian Sternagel
2016-06-30: The Resolution Calculus for First-Order Logic
Author: Anders Schlichtkrull
2016-06-28: IP Addresses
Authors: Cornelius Diekmann, Julius Michaelis and Lars Hupel
2016-06-28: Compositional Security-Preserving Refinement for Concurrent Imperative Programs
Authors: Toby Murray, Robert Sison, Edward Pierzchalski and Christine Rizkallah
2016-06-26: Category Theory with Adjunctions and Limits
Author: Eugene W. Stark
2016-06-26: Cardinality of Multisets
Author: Lukas Bulwahn
2016-06-25: A Dependent Security Type System for Concurrent Imperative Programs
Authors: Toby Murray, Robert Sison, Edward Pierzchalski and Christine Rizkallah
2016-06-21: Catalan Numbers
Author: Manuel Eberl
2016-06-18: Program Construction and Verification Components Based on Kleene Algebra
Authors: Victor B. F. Gomes and Georg Struth
2016-06-13: Conservation of CSP Noninterference Security under Concurrent Composition
Author: Pasquale Noce
2016-06-09: Finite Machine Word Library
Authors: Joel Beeren, Matthew Fernandez, Xin Gao, Gerwin Klein, Rafal Kolanski, Japheth Lim, Corey Lewis, Daniel Matichuk and Thomas Sewell
2016-05-31: Tree Decomposition
Author: Christoph Dittmann
2016-05-24: POSIX Lexing with Derivatives of Regular Expressions
Authors: Fahad Ausaf, Roy Dyckhoff and Christian Urban
2016-05-24: Cardinality of Equivalence Relations
Author: Lukas Bulwahn
2016-05-20: Perron-Frobenius Theorem for Spectral Radius Analysis
Authors: Jose Divasón, Ondřej Kunčar, René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2016-05-20: The meta theory of the Incredible Proof Machine
Authors: Joachim Breitner and Denis Lohner
2016-05-18: A Constructive Proof for FLP
Authors: Benjamin Bisping, Paul-David Brodmann, Tim Jungnickel, Christina Rickmann, Henning Seidler, Anke Stüber, Arno Wilhelm-Weidner, Kirstin Peters and Uwe Nestmann
2016-05-09: A Formal Proof of the Max-Flow Min-Cut Theorem for Countable Networks
Author: Andreas Lochbihler
2016-05-05: Randomised Social Choice Theory
Author: Manuel Eberl
2016-05-04: The Incompatibility of SD-Efficiency and SD-Strategy-Proofness
Author: Manuel Eberl
2016-05-04: Spivey's Generalized Recurrence for Bell Numbers
Author: Lukas Bulwahn
2016-05-02: Gröbner Bases Theory
Authors: Fabian Immler and Alexander Maletzky
2016-04-28: No Faster-Than-Light Observers
Authors: Mike Stannett and István Németi
2016-04-27: Algorithms for Reduced Ordered Binary Decision Diagrams
Authors: Julius Michaelis, Maximilian Haslbeck, Peter Lammich and Lars Hupel
2016-04-27: A formalisation of the Cocke-Younger-Kasami algorithm
Author: Maksym Bortin
2016-04-26: Conservation of CSP Noninterference Security under Sequential Composition
Author: Pasquale Noce
2016-04-12: Kleene Algebras with Domain
Authors: Victor B. F. Gomes, Walter Guttmann, Peter Höfner, Georg Struth and Tjark Weber
2016-03-11: Propositional Resolution and Prime Implicates Generation
Author: Nicolas Peltier
2016-03-08: Timed Automata
Author: Simon Wimmer
2016-03-08: The Cartan Fixed Point Theorems
Author: Lawrence C. Paulson
2016-03-01: Linear Temporal Logic
Author: Salomon Sickert
2016-02-17: Analysis of List Update Algorithms
Authors: Maximilian P.L. Haslbeck - and Tobias Nipkow + and Tobias Nipkow
2016-02-05: Verified Construction of Static Single Assignment Form
Authors: Sebastian Ullrich and Denis Lohner
2016-01-29: Polynomial Interpolation
Authors: René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2016-01-29: Polynomial Factorization
Authors: René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2016-01-20: Knot Theory
Author: T.V.H. Prathamesh
2016-01-18: Tensor Product of Matrices
Author: T.V.H. Prathamesh
2016-01-14: Cardinality of Number Partitions
Author: Lukas Bulwahn

 

2015
2015-12-28: Basic Geometric Properties of Triangles
Author: Manuel Eberl
2015-12-28: The Divergence of the Prime Harmonic Series
Author: Manuel Eberl
2015-12-28: Liouville numbers
Author: Manuel Eberl
2015-12-28: Descartes' Rule of Signs
Author: Manuel Eberl
2015-12-22: The Stern-Brocot Tree
Authors: Peter Gammie and Andreas Lochbihler
2015-12-22: Applicative Lifting
Authors: Andreas Lochbihler and Joshua Schneider
2015-12-22: Algebraic Numbers in Isabelle/HOL
Authors: René Thiemann, - Akihisa Yamada + Akihisa Yamada and Sebastiaan Joosten
2015-12-12: Cardinality of Set Partitions
Author: Lukas Bulwahn
2015-12-02: Latin Square
Author: Alexander Bentkamp
2015-12-01: Ergodic Theory
Author: Sebastien Gouezel
2015-11-19: Euler's Partition Theorem
Author: Lukas Bulwahn
2015-11-18: The Tortoise and Hare Algorithm
Author: Peter Gammie
2015-11-11: Planarity Certificates
Author: Lars Noschinski
2015-11-02: Positional Determinacy of Parity Games
Author: Christoph Dittmann
2015-09-16: A Meta-Model for the Isabelle API
Authors: Frédéric Tuong and Burkhart Wolff
2015-09-04: Converting Linear Temporal Logic to Deterministic (Generalized) Rabin Automata
Author: Salomon Sickert
2015-08-21: Matrices, Jordan Normal Forms, and Spectral Radius Theory
Authors: René Thiemann - and Akihisa Yamada + and Akihisa Yamada
2015-08-20: Decreasing Diagrams II
Author: Bertram Felgenhauer
2015-08-18: The Inductive Unwinding Theorem for CSP Noninterference Security
Author: Pasquale Noce
2015-08-12: Representations of Finite Groups
Author: Jeremy Sylvestre
2015-08-10: Analysing and Comparing Encodability Criteria for Process Calculi
Authors: Kirstin Peters and Rob van Glabbeek
2015-07-21: Generating Cases from Labeled Subgoals
Author: Lars Noschinski
2015-07-14: Landau Symbols
Author: Manuel Eberl
2015-07-14: The Akra-Bazzi theorem and the Master theorem
Author: Manuel Eberl
2015-07-07: Hermite Normal Form
Authors: Jose Divasón and Jesús Aransay
2015-06-27: Derangements Formula
Author: Lukas Bulwahn
2015-06-11: The Ipurge Unwinding Theorem for CSP Noninterference Security
Author: Pasquale Noce
2015-06-11: The Generic Unwinding Theorem for CSP Noninterference Security
Author: Pasquale Noce
2015-06-11: Binary Multirelations
Authors: Hitoshi Furusawa and Georg Struth
2015-06-11: Reasoning about Lists via List Interleaving
Author: Pasquale Noce
2015-06-07: Parameterized Dynamic Tables
Author: - Tobias Nipkow + Tobias Nipkow
2015-05-28: Derivatives of Logical Formulas
Author: Dmitriy Traytel
2015-05-27: A Zoo of Probabilistic Systems
Authors: Johannes Hölzl, Andreas Lochbihler and Dmitriy Traytel
2015-04-30: VCG - Combinatorial Vickrey-Clarke-Groves Auctions
Authors: Marco B. Caminati, Manfred Kerber, Christoph Lange and Colin Rowat
2015-04-15: Residuated Lattices
Authors: Victor B. F. Gomes and Georg Struth
2015-04-13: Concurrent IMP
Author: Peter Gammie
2015-04-13: Relaxing Safely: Verified On-the-Fly Garbage Collection for x86-TSO
Authors: Peter Gammie, Tony Hosking and Kai Engelhardt
2015-03-30: Trie
Authors: Andreas Lochbihler - and Tobias Nipkow + and Tobias Nipkow
2015-03-18: Consensus Refined
Authors: Ognjen Maric and Christoph Sprenger
2015-03-11: Deriving class instances for datatypes
Authors: Christian Sternagel and René Thiemann
2015-02-20: The Safety of Call Arity
Author: Joachim Breitner
2015-02-12: QR Decomposition
Authors: Jose Divasón and Jesús Aransay
2015-02-12: Echelon Form
Authors: Jose Divasón and Jesús Aransay
2015-02-05: Finite Automata in Hereditarily Finite Set Theory
Author: Lawrence C. Paulson
2015-01-28: Verification of the UpDown Scheme
Author: Johannes Hölzl

 

2014
2014-11-28: The Unified Policy Framework (UPF)
Authors: Achim D. Brucker, Lukas Brügger and Burkhart Wolff
2014-10-23: Loop freedom of the (untimed) AODV routing protocol
Authors: Timothy Bourke and Peter Höfner
2014-10-13: Lifting Definition Option
Author: René Thiemann
2014-10-10: Stream Fusion in HOL with Code Generation
Authors: Andreas Lochbihler and Alexandra Maximova
2014-10-09: A Verified Compiler for Probability Density Functions
Authors: Manuel Eberl, Johannes Hölzl - and Tobias Nipkow + and Tobias Nipkow
2014-10-08: Formalization of Refinement Calculus for Reactive Systems
Author: Viorel Preoteasa
2014-10-03: XML
Authors: Christian Sternagel and René Thiemann
2014-10-03: Certification Monads
Authors: Christian Sternagel and René Thiemann
2014-09-25: Imperative Insertion Sort
Author: Christian Sternagel
2014-09-19: The Sturm-Tarski Theorem
Author: Wenda Li
2014-09-15: The Cayley-Hamilton Theorem
Authors: Stephan Adelsberger, Stefan Hetzl and Florian Pollak
2014-09-09: The Jordan-Hölder Theorem
Author: Jakob von Raumer
2014-09-04: Priority Queues Based on Braun Trees
Author: - Tobias Nipkow + Tobias Nipkow
2014-09-03: Gauss-Jordan Algorithm and Its Applications
Authors: Jose Divasón and Jesús Aransay
2014-08-29: Vector Spaces
Author: Holden Lee
2014-08-29: Real-Valued Special Functions: Upper and Lower Bounds
Author: Lawrence C. Paulson
2014-08-13: Skew Heap
Author: - Tobias Nipkow + Tobias Nipkow
2014-08-12: Splay Tree
Author: - Tobias Nipkow + Tobias Nipkow
2014-07-29: Haskell's Show Class in Isabelle/HOL
Authors: Christian Sternagel and René Thiemann
2014-07-18: Formal Specification of a Generic Separation Kernel
Authors: Freek Verbeek, Sergey Tverdyshev, Oto Havle, Holger Blasum, Bruno Langenstein, Werner Stephan, Yakoub Nemouchi, Abderrahmane Feliachi, Burkhart Wolff and Julien Schmaltz
2014-07-13: pGCL for Isabelle
Author: David Cock
2014-07-07: Amortized Complexity Verified
Author: - Tobias Nipkow + Tobias Nipkow
2014-07-04: Network Security Policy Verification
Author: Cornelius Diekmann
2014-07-03: Pop-Refinement
Author: Alessandro Coglio
2014-06-12: Decision Procedures for MSO on Words Based on Derivatives of Regular Expressions
Authors: Dmitriy Traytel - and Tobias Nipkow + and Tobias Nipkow
2014-06-08: Boolean Expression Checkers
Author: - Tobias Nipkow + Tobias Nipkow
2014-05-28: Promela Formalization
Author: René Neumann
2014-05-28: Converting Linear-Time Temporal Logic to Generalized Büchi Automata
Authors: Alexander Schimpf and Peter Lammich
2014-05-28: Verified Efficient Implementation of Gabow's Strongly Connected Components Algorithm
Author: Peter Lammich
2014-05-28: A Fully Verified Executable LTL Model Checker
Authors: Javier Esparza, Peter Lammich, René Neumann, - Tobias Nipkow, + Tobias Nipkow, Alexander Schimpf and Jan-Georg Smaus
2014-05-28: The CAVA Automata Library
Author: Peter Lammich
2014-05-23: Transitive closure according to Roy-Floyd-Warshall
Author: Makarius Wenzel
2014-05-23: Noninterference Security in Communicating Sequential Processes
Author: Pasquale Noce
2014-05-21: Regular Algebras
Authors: Simon Foster and Georg Struth
2014-04-28: Formalisation and Analysis of Component Dependencies
Author: Maria Spichkova
2014-04-23: A Formalization of Declassification with WHAT-and-WHERE-Security
Authors: Sylvia Grewe, Alexander Lux, Heiko Mantel and Jens Sauer
2014-04-23: A Formalization of Strong Security
Authors: Sylvia Grewe, Alexander Lux, Heiko Mantel and Jens Sauer
2014-04-23: A Formalization of Assumptions and Guarantees for Compositional Noninterference
Authors: Sylvia Grewe, Heiko Mantel and Daniel Schoepe
2014-04-22: Bounded-Deducibility Security
Authors: Andrei Popescu and Peter Lammich
2014-04-16: A shallow embedding of HyperCTL*
Authors: Markus N. Rabe, Peter Lammich and Andrei Popescu
2014-04-16: Abstract Completeness
Authors: Jasmin Christian Blanchette, Andrei Popescu and Dmitriy Traytel
2014-04-13: Discrete Summation
Author: Florian Haftmann
2014-04-03: Syntax and semantics of a GPU kernel programming language
Author: John Wickerson
2014-03-11: Probabilistic Noninterference
Authors: Andrei Popescu and Johannes Hölzl
2014-03-08: Mechanization of the Algebra for Wireless Networks (AWN)
Author: Timothy Bourke
2014-02-18: Mutually Recursive Partial Functions
Author: René Thiemann
2014-02-13: Properties of Random Graphs -- Subgraph Containment
Author: Lars Hupel
2014-02-11: Verification of Selection and Heap Sort Using Locales
Author: Danijela Petrovic
2014-02-07: Affine Arithmetic
Author: Fabian Immler
2014-02-06: Implementing field extensions of the form Q[sqrt(b)]
Author: René Thiemann
2014-01-30: Unified Decision Procedures for Regular Expression Equivalence
Authors: - Tobias Nipkow + Tobias Nipkow and Dmitriy Traytel
2014-01-28: Secondary Sylow Theorems
Author: Jakob von Raumer
2014-01-25: Relation Algebra
Authors: Alasdair Armstrong, Simon Foster, Georg Struth and Tjark Weber
2014-01-23: Kleene Algebra with Tests and Demonic Refinement Algebras
Authors: Alasdair Armstrong, Victor B. F. Gomes and Georg Struth
2014-01-16: Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5
Authors: Achim D. Brucker, Frédéric Tuong and Burkhart Wolff
2014-01-11: Sturm's Theorem
Author: Manuel Eberl
2014-01-11: Compositional Properties of Crypto-Based Components
Author: Maria Spichkova

 

2013
2013-12-01: A General Method for the Proof of Theorems on Tail-recursive Functions
Author: Pasquale Noce
2013-11-17: Gödel's Incompleteness Theorems
Author: Lawrence C. Paulson
2013-11-17: The Hereditarily Finite Sets
Author: Lawrence C. Paulson
2013-11-15: A Codatatype of Formal Languages
Author: Dmitriy Traytel
2013-11-14: Stream Processing Components: Isabelle/HOL Formalisation and Case Studies
Author: Maria Spichkova
2013-11-12: Gödel's God in Isabelle/HOL
Authors: Christoph Benzmüller and Bruno Woltzenlogel Paleo
2013-11-01: Decreasing Diagrams
Author: Harald Zankl
2013-10-02: Automatic Data Refinement
Author: Peter Lammich
2013-09-17: Native Word
Author: Andreas Lochbihler
2013-07-27: A Formal Model of IEEE Floating Point Arithmetic
Author: Lei Yu
2013-07-22: Pratt's Primality Certificates
Authors: Simon Wimmer and Lars Noschinski
2013-07-22: Lehmer's Theorem
Authors: Simon Wimmer and Lars Noschinski
2013-07-19: The Königsberg Bridge Problem and the Friendship Theorem
Author: Wenda Li
2013-06-27: Sound and Complete Sort Encodings for First-Order Logic
Authors: Jasmin Christian Blanchette and Andrei Popescu
2013-05-22: An Axiomatic Characterization of the Single-Source Shortest Path Problem
Author: Christine Rizkallah
2013-04-28: Graph Theory
Author: Lars Noschinski
2013-04-15: Light-weight Containers
Author: Andreas Lochbihler
2013-02-21: Nominal 2
Authors: Christian Urban, Stefan Berghofer and Cezary Kaliszyk
2013-01-31: The Correctness of Launchbury's Natural Semantics for Lazy Evaluation
Author: Joachim Breitner
2013-01-19: Ribbon Proofs
Author: John Wickerson
2013-01-16: Rank-Nullity Theorem in Linear Algebra
Authors: Jose Divasón and Jesús Aransay
2013-01-15: Kleene Algebra
Authors: Alasdair Armstrong, Georg Struth and Tjark Weber
2013-01-03: Computing N-th Roots using the Babylonian Method
Author: René Thiemann

 

2012
2012-11-14: A Separation Logic Framework for Imperative HOL
Authors: Peter Lammich and Rene Meis
2012-11-02: Open Induction
Authors: Mizuhito Ogawa and Christian Sternagel
2012-10-30: The independence of Tarski's Euclidean axiom
Author: T. J. M. Makarios
2012-10-27: Bondy's Theorem
Authors: Jeremy Avigad and Stefan Hetzl
2012-09-10: Possibilistic Noninterference
Authors: Andrei Popescu and Johannes Hölzl
2012-08-07: Generating linear orders for datatypes
Author: René Thiemann
2012-08-05: Proving the Impossibility of Trisecting an Angle and Doubling the Cube
Authors: Ralph Romanos and Lawrence C. Paulson
2012-07-27: Verifying Fault-Tolerant Distributed Algorithms in the Heard-Of Model
Authors: Henri Debrat and Stephan Merz
2012-07-01: Logical Relations for PCF
Author: Peter Gammie
2012-06-26: Type Constructor Classes and Monad Transformers
Author: Brian Huffman
2012-05-29: Psi-calculi in Isabelle
Author: Jesper Bengtson
2012-05-29: The pi-calculus in nominal logic
Author: Jesper Bengtson
2012-05-29: CCS in nominal logic
Author: Jesper Bengtson
2012-05-27: Isabelle/Circus
Authors: Abderrahmane Feliachi, Burkhart Wolff and Marie-Claude Gaudel
2012-05-11: Separation Algebra
Authors: Gerwin Klein, Rafal Kolanski and Andrew Boyton
2012-05-07: Stuttering Equivalence
Author: Stephan Merz
2012-05-02: Inductive Study of Confidentiality
Author: Giampaolo Bella
2012-04-26: Ordinary Differential Equations
Authors: Fabian Immler and Johannes Hölzl
2012-04-13: Well-Quasi-Orders
Author: Christian Sternagel
2012-03-01: Abortable Linearizable Modules
Authors: Rachid Guerraoui, Viktor Kuncak and Giuliano Losa
2012-02-29: Executable Transitive Closures
Author: René Thiemann
2012-02-06: A Probabilistic Proof of the Girth-Chromatic Number Theorem
Author: Lars Noschinski
2012-01-30: Refinement for Monadic Programs
Author: Peter Lammich
2012-01-30: Dijkstra's Shortest Path Algorithm
Authors: Benedikt Nordhoff and Peter Lammich
2012-01-03: Markov Models
Authors: Johannes Hölzl - and Tobias Nipkow + and Tobias Nipkow

 

2011
2011-11-19: A Definitional Encoding of TLA* in Isabelle/HOL
Authors: Gudmund Grov and Stephan Merz
2011-11-09: Efficient Mergesort
Author: Christian Sternagel
2011-09-22: Pseudo Hoops
Authors: George Georgescu, Laurentiu Leustean and Viorel Preoteasa
2011-09-22: Algebra of Monotonic Boolean Transformers
Author: Viorel Preoteasa
2011-09-22: Lattice Properties
Author: Viorel Preoteasa
2011-08-26: The Myhill-Nerode Theorem Based on Regular Expressions
Authors: Chunhan Wu, Xingyuan Zhang and Christian Urban
2011-08-19: Gauss-Jordan Elimination for Matrices Represented as Functions
Author: - Tobias Nipkow + Tobias Nipkow
2011-07-21: Maximum Cardinality Matching
Author: Christine Rizkallah
2011-05-17: Knowledge-based programs
Author: Peter Gammie
2011-04-01: The General Triangle Is Unique
Author: Joachim Breitner
2011-03-14: Executable Transitive Closures of Finite Relations
Authors: Christian Sternagel and René Thiemann
2011-02-23: Interval Temporal Logic on Natural Numbers
Author: David Trachtenherz
2011-02-23: Infinite Lists
Author: David Trachtenherz
2011-02-23: AutoFocus Stream Processing for Single-Clocking and Multi-Clocking Semantics
Author: David Trachtenherz
2011-02-07: Lightweight Java
Authors: Rok Strniša and Matthew Parkinson
2011-01-10: RIPEMD-160
Author: Fabian Immler
2011-01-08: Lower Semicontinuous Functions
Author: Bogdan Grechuk

 

2010
2010-12-17: Hall's Marriage Theorem
Authors: Dongchen Jiang - and Tobias Nipkow + and Tobias Nipkow
2010-11-16: Shivers' Control Flow Analysis
Author: Joachim Breitner
2010-10-28: Finger Trees
Authors: Benedikt Nordhoff, Stefan Körner and Peter Lammich
2010-10-28: Functional Binomial Queues
Author: René Neumann
2010-10-28: Binomial Heaps and Skew Binomial Heaps
Authors: Rene Meis, Finn Nielsen and Peter Lammich
2010-08-29: Strong Normalization of Moggis's Computational Metalanguage
Author: Christian Doczkal
2010-08-10: Executable Multivariate Polynomials
Authors: Christian Sternagel, René Thiemann, Alexander Maletzky, Fabian Immler, Florian Haftmann, Andreas Lochbihler and Alexander Bentkamp
2010-08-08: Formalizing Statecharts using Hierarchical Automata
Authors: Steffen Helke and Florian Kammüller
2010-06-24: Free Groups
Author: Joachim Breitner
2010-06-20: Category Theory
Author: Alexander Katovsky
2010-06-17: Executable Matrix Operations on Matrices of Arbitrary Dimensions
Authors: Christian Sternagel and René Thiemann
2010-06-14: Abstract Rewriting
Authors: Christian Sternagel and René Thiemann
2010-05-28: Verification of the Deutsch-Schorr-Waite Graph Marking Algorithm using Data Refinement
Authors: Viorel Preoteasa and Ralph-Johan Back
2010-05-28: Semantics and Data Refinement of Invariant Based Programs
Authors: Viorel Preoteasa and Ralph-Johan Back
2010-05-22: A Complete Proof of the Robbins Conjecture
Author: Matthew Wampler-Doty
2010-05-12: Regular Sets and Expressions
Authors: Alexander Krauss - and Tobias Nipkow + and Tobias Nipkow
2010-04-30: Locally Nameless Sigma Calculus
Authors: Ludovic Henrio, Florian Kammüller, Bianca Lutz and Henry Sudhof
2010-03-29: Free Boolean Algebra
Author: Brian Huffman
2010-03-23: Inter-Procedural Information Flow Noninterference via Slicing
Author: Daniel Wasserrab
2010-03-23: Information Flow Noninterference via Slicing
Author: Daniel Wasserrab
2010-02-20: List Index
Author: - Tobias Nipkow + Tobias Nipkow
2010-02-12: Coinductive
Author: Andreas Lochbihler

 

2009
2009-12-09: A Fast SAT Solver for Isabelle in Standard ML
Author: Armin Heller
2009-12-03: Formalizing the Logic-Automaton Connection
Authors: Stefan Berghofer and Markus Reiter
2009-11-25: Tree Automata
Author: Peter Lammich
2009-11-25: Collections Framework
Author: Peter Lammich
2009-11-22: Perfect Number Theorem
Author: Mark Ijbema
2009-11-13: Backing up Slicing: Verifying the Interprocedural Two-Phase Horwitz-Reps-Binkley Slicer
Author: Daniel Wasserrab
2009-10-30: The Worker/Wrapper Transformation
Author: Peter Gammie
2009-09-01: Ordinals and Cardinals
Author: Andrei Popescu
2009-08-28: Invertibility in Sequent Calculi
Author: Peter Chapman
2009-08-04: An Example of a Cofinitary Group in Isabelle/HOL
Author: Bart Kastermans
2009-05-06: Code Generation for Functions as Data
Author: Andreas Lochbihler
2009-04-29: Stream Fusion
Author: Brian Huffman

 

2008
2008-12-12: A Bytecode Logic for JML and Types
Authors: Lennart Beringer and Martin Hofmann
2008-11-10: Secure information flow and program logics
Authors: Lennart Beringer and Martin Hofmann
2008-11-09: Some classical results in Social Choice Theory
Author: Peter Gammie
2008-11-07: Fun With Tilings
Authors: - Tobias Nipkow + Tobias Nipkow and Lawrence C. Paulson
2008-10-15: The Textbook Proof of Huffman's Algorithm
Author: Jasmin Christian Blanchette
2008-09-16: Towards Certified Slicing
Author: Daniel Wasserrab
2008-09-02: A Correctness Proof for the Volpano/Smith Security Typing System
Authors: Gregor Snelting and Daniel Wasserrab
2008-09-01: Arrow and Gibbard-Satterthwaite
Author: - Tobias Nipkow + Tobias Nipkow
2008-08-26: Fun With Functions
Author: - Tobias Nipkow + Tobias Nipkow
2008-07-23: Formal Verification of Modern SAT Solvers
Author: Filip Maric
2008-04-05: Recursion Theory I
Author: Michael Nedzelsky
2008-02-29: A Sequential Imperative Programming Language Syntax, Semantics, Hoare Logics and Verification Environment
Author: Norbert Schirmer
2008-02-29: BDD Normalisation
Authors: Veronika Ortner and Norbert Schirmer
2008-02-18: Normalization by Evaluation
Authors: Klaus Aehlig - and Tobias Nipkow + and Tobias Nipkow
2008-01-11: Quantifier Elimination for Linear Arithmetic
Author: - Tobias Nipkow + Tobias Nipkow

 

2007
2007-12-14: Formalization of Conflict Analysis of Programs with Procedures, Thread Creation, and Monitors
Authors: Peter Lammich and Markus Müller-Olm
2007-12-03: Jinja with Threads
Author: Andreas Lochbihler
2007-11-06: Much Ado About Two
Author: Sascha Böhme
2007-08-12: Sums of Two and Four Squares
Author: Roelof Oosterhuis
2007-08-12: Fermat's Last Theorem for Exponents 3 and 4 and the Parametrisation of Pythagorean Triples
Author: Roelof Oosterhuis
2007-08-08: Fundamental Properties of Valuation Theory and Hensel's Lemma
Author: Hidetsune Kobayashi
2007-08-02: POPLmark Challenge Via de Bruijn Indices
Author: Stefan Berghofer
2007-08-02: First-Order Logic According to Fitting
Author: Stefan Berghofer

 

2006
2006-09-09: Hotel Key Card System
Author: - Tobias Nipkow + Tobias Nipkow
2006-08-08: Abstract Hoare Logics
Author: - Tobias Nipkow + Tobias Nipkow
2006-05-22: Flyspeck I: Tame Graphs
Authors: Gertrud Bauer - and Tobias Nipkow + and Tobias Nipkow
2006-05-15: CoreC++
Author: Daniel Wasserrab
2006-03-31: A Theory of Featherweight Java in Isabelle/HOL
Authors: J. Nathan Foster and Dimitrios Vytiniotis
2006-03-15: Instances of Schneider's generalized protocol of clock synchronization
Author: Damián Barsotti
2006-03-14: Cauchy's Mean Theorem and the Cauchy-Schwarz Inequality
Author: Benjamin Porter

 

2005
2005-11-11: Countable Ordinals
Author: Brian Huffman
2005-10-12: Fast Fourier Transform
Author: Clemens Ballarin
2005-06-24: Formalization of a Generalized Protocol for Clock Synchronization
Author: Alwen Tiu
2005-06-22: Proving the Correctness of Disk Paxos
Authors: Mauro Jaskelioff and Stephan Merz
2005-06-20: Jive Data and Store Model
Authors: Nicole Rauch and Norbert Schirmer
2005-06-01: Jinja is not Java
Authors: Gerwin Klein - and Tobias Nipkow + and Tobias Nipkow
2005-05-02: SHA1, RSA, PSS and more
Authors: Christina Lindenberg and Kai Wirt
2005-04-21: Category Theory to Yoneda's Lemma
Author: Greg O'Keefe

 

2004
2004-12-09: File Refinement
Authors: Karen Zee and Viktor Kuncak
2004-11-19: Integration theory and random variables
Author: Stefan Richter
2004-09-28: A Mechanically Verified, Efficient, Sound and Complete Theorem Prover For First Order Logic
Author: Tom Ridge
2004-09-20: Ramsey's theorem, infinitary version
Author: Tom Ridge
2004-09-20: Completeness theorem
Authors: James Margetson and Tom Ridge
2004-07-09: Compiling Exceptions Correctly
Author: - Tobias Nipkow + Tobias Nipkow
2004-06-24: Depth First Search
Authors: Toshiaki Nishihara and Yasuhiko Minamide
2004-05-18: Groups, Rings and Modules
Authors: Hidetsune Kobayashi, L. Chen and H. Murao
2004-04-26: Topology
Author: Stefan Friedrich
2004-04-26: Lazy Lists II
Author: Stefan Friedrich
2004-04-05: Binary Search Trees
Author: Viktor Kuncak
2004-03-30: Functional Automata
Author: - Tobias Nipkow + Tobias Nipkow
2004-03-19: Mini ML
Authors: Wolfgang Naraschewski - and Tobias Nipkow + and Tobias Nipkow
2004-03-19: AVL Trees
Authors: - Tobias Nipkow + Tobias Nipkow and Cornelia Pusch
\ No newline at end of file diff --git a/web/rss.xml b/web/rss.xml --- a/web/rss.xml +++ b/web/rss.xml @@ -1,586 +1,602 @@ Archive of Formal Proofs https://www.isa-afp.org The Archive of Formal Proofs is a collection of proof libraries, examples, and larger scientific developments, mechanically checked in the theorem prover Isabelle. - 21 Jun 2019 00:00:00 +0000 + 04 Jul 2019 00:00:00 +0000 + + Formalization of a Monitoring Algorithm for Metric First-Order Temporal Logic + https://www.isa-afp.org/entries/MFOTL_Monitor.html + https://www.isa-afp.org/entries/MFOTL_Monitor.html + Joshua Schneider, Dmitriy Traytel + 04 Jul 2019 00:00:00 +0000 + +A monitor is a runtime verification tool that solves the following +problem: Given a stream of time-stamped events and a policy formulated +in a specification language, decide whether the policy is satisfied at +every point in the stream. We verify the correctness of an executable +monitor for specifications given as formulas in metric first-order +temporal logic (MFOTL), an expressive extension of linear temporal +logic with real-time constraints and first-order quantification. The +verified monitor implements a simplified variant of the algorithm used +in the efficient MonPoly monitoring tool. The formalization is +presented in a forthcoming <a +href="http://people.inf.ethz.ch/trayteld/papers/rv19-verimon/verimon.pdf">RV +2019 paper</a>, which also compares the output of the verified +monitor to that of other monitoring tools on randomly generated +inputs. This case study revealed several errors in the optimized but +unverified tools. + + + Complete Non-Orders and Fixed Points + https://www.isa-afp.org/entries/Complete_Non_Orders.html + https://www.isa-afp.org/entries/Complete_Non_Orders.html + Akihisa Yamada, Jérémy Dubut + 27 Jun 2019 00:00:00 +0000 + +We develop an Isabelle/HOL library of order-theoretic concepts, such +as various completeness conditions and fixed-point theorems. We keep +our formalization as general as possible: we reprove several +well-known results about complete orders, often without any properties +of ordering, thus complete non-orders. In particular, we generalize +the Knaster–Tarski theorem so that we ensure the existence of a +quasi-fixed point of monotone maps over complete non-orders, and show +that the set of quasi-fixed points is complete under a mild +condition—attractivity—which is implied by either antisymmetry or +transitivity. This result generalizes and strengthens a result by +Stauti and Maaden. Finally, we recover Kleene’s fixed-point theorem +for omega-complete non-orders, again using attractivity to prove that +Kleene’s fixed points are least quasi-fixed points. + + + Priority Search Trees + https://www.isa-afp.org/entries/Priority_Search_Trees.html + https://www.isa-afp.org/entries/Priority_Search_Trees.html + Peter Lammich, Tobias Nipkow + 25 Jun 2019 00:00:00 +0000 + +We present a new, purely functional, simple and efficient data +structure combining a search tree and a priority queue, which we call +a <em>priority search tree</em>. The salient feature of priority search +trees is that they offer a decrease-key operation, something that is +missing from other simple, purely functional priority queue +implementations. Priority search trees can be implemented on top of +any search tree. This entry does the implementation for red-black +trees. This entry formalizes the first part of our ITP-2019 proof +pearl <em>Purely Functional, Simple and Efficient Priority +Search Trees and Applications to Prim and Dijkstra</em>. + + + Purely Functional, Simple, and Efficient Implementation of Prim and Dijkstra + https://www.isa-afp.org/entries/Prim_Dijkstra_Simple.html + https://www.isa-afp.org/entries/Prim_Dijkstra_Simple.html + Peter Lammich, Tobias Nipkow + 25 Jun 2019 00:00:00 +0000 + +We verify purely functional, simple and efficient implementations of +Prim's and Dijkstra's algorithms. This constitutes the first +verification of an executable and even efficient version of +Prim's algorithm. This entry formalizes the second part of our +ITP-2019 proof pearl <em>Purely Functional, Simple and Efficient +Priority Search Trees and Applications to Prim and Dijkstra</em>. + Linear Inequalities https://www.isa-afp.org/entries/Linear_Inequalities.html https://www.isa-afp.org/entries/Linear_Inequalities.html Ralph Bottesch, Alban Reynaud, René Thiemann 21 Jun 2019 00:00:00 +0000 We formalize results about linear inqualities, mainly from Schrijver's book. The main results are the proof of the fundamental theorem on linear inequalities, Farkas' lemma, Carathéodory's theorem, the Farkas-Minkowsky-Weyl theorem, the decomposition theorem of polyhedra, and Meyer's result that the integer hull of a polyhedron is a polyhedron itself. Several theorems include bounds on the appearing numbers, and in particular we provide an a-priori bound on mixed-integer solutions of linear inequalities. Hilbert's Nullstellensatz https://www.isa-afp.org/entries/Nullstellensatz.html https://www.isa-afp.org/entries/Nullstellensatz.html Alexander Maletzky 16 Jun 2019 00:00:00 +0000 This entry formalizes Hilbert's Nullstellensatz, an important theorem in algebraic geometry that can be viewed as the generalization of the Fundamental Theorem of Algebra to multivariate polynomials: If a set of (multivariate) polynomials over an algebraically closed field has no common zero, then the ideal it generates is the entire polynomial ring. The formalization proves several equivalent versions of this celebrated theorem: the weak Nullstellensatz, the strong Nullstellensatz (connecting algebraic varieties and radical ideals), and the field-theoretic Nullstellensatz. The formalization follows Chapter 4.1. of <a href="https://link.springer.com/book/10.1007/978-0-387-35651-8">Ideals, Varieties, and Algorithms</a> by Cox, Little and O'Shea. Gröbner Bases, Macaulay Matrices and Dubé's Degree Bounds https://www.isa-afp.org/entries/Groebner_Macaulay.html https://www.isa-afp.org/entries/Groebner_Macaulay.html Alexander Maletzky 15 Jun 2019 00:00:00 +0000 This entry formalizes the connection between Gröbner bases and Macaulay matrices (sometimes also referred to as `generalized Sylvester matrices'). In particular, it contains a method for computing Gröbner bases, which proceeds by first constructing some Macaulay matrix of the initial set of polynomials, then row-reducing this matrix, and finally converting the result back into a set of polynomials. The output is shown to be a Gröbner basis if the Macaulay matrix constructed in the first step is sufficiently large. In order to obtain concrete upper bounds on the size of the matrix (and hence turn the method into an effectively executable algorithm), Dubé's degree bounds on Gröbner bases are utilized; consequently, they are also part of the formalization. Binary Heaps for IMP2 https://www.isa-afp.org/entries/IMP2_Binary_Heap.html https://www.isa-afp.org/entries/IMP2_Binary_Heap.html Simon Griebel 13 Jun 2019 00:00:00 +0000 In this submission array-based binary minimum heaps are formalized. The correctness of the following heap operations is proved: insert, get-min, delete-min and make-heap. These are then used to verify an in-place heapsort. The formalization is based on IMP2, an imperative program verification framework implemented in Isabelle/HOL. The verified heap functions are iterative versions of the partly recursive functions found in "Algorithms and Data Structures – The Basic Toolbox" by K. Mehlhorn and P. Sanders and "Introduction to Algorithms" by T. H. Cormen, C. E. Leiserson, R. L. Rivest and C. Stein. + Differential Game Logic + https://www.isa-afp.org/entries/Differential_Game_Logic.html + https://www.isa-afp.org/entries/Differential_Game_Logic.html + André Platzer + 03 Jun 2019 00:00:00 +0000 + +This formalization provides differential game logic (dGL), a logic for +proving properties of hybrid game. In addition to the syntax and +semantics, it formalizes a uniform substitution calculus for dGL. +Church's uniform substitutions substitute a term or formula for a +function or predicate symbol everywhere. The uniform substitutions for +dGL also substitute hybrid games for a game symbol everywhere. We +prove soundness of one-pass uniform substitutions and the axioms of +differential game logic with respect to their denotational semantics. +One-pass uniform substitutions are faster by postponing +soundness-critical admissibility checks with a linear pass homomorphic +application and regain soundness by a variable condition at the +replacements. The formalization is based on prior non-mechanized +soundness proofs for dGL. + + Multidimensional Binary Search Trees https://www.isa-afp.org/entries/KD_Tree.html https://www.isa-afp.org/entries/KD_Tree.html Martin Rau 30 May 2019 00:00:00 +0000 This entry provides a formalization of multidimensional binary trees, also known as k-d trees. It includes a balanced build algorithm as well as the nearest neighbor algorithm and the range search algorithm. It is based on the papers <a href="https://dl.acm.org/citation.cfm?doid=361002.361007">Multidimensional binary search trees used for associative searching</a> and <a href="https://dl.acm.org/citation.cfm?doid=355744.355745"> An Algorithm for Finding Best Matches in Logarithmic Expected Time</a>. Formalization of Generic Authenticated Data Structures https://www.isa-afp.org/entries/LambdaAuth.html https://www.isa-afp.org/entries/LambdaAuth.html Matthias Brun, Dmitriy Traytel 14 May 2019 00:00:00 +0000 Authenticated data structures are a technique for outsourcing data storage and maintenance to an untrusted server. The server is required to produce an efficiently checkable and cryptographically secure proof that it carried out precisely the requested computation. <a href="https://doi.org/10.1145/2535838.2535851">Miller et al.</a> introduced &lambda;&bull; (pronounced <i>lambda auth</i>)&mdash;a functional programming language with a built-in primitive authentication construct, which supports a wide range of user-specified authenticated data structures while guaranteeing certain correctness and security properties for all well-typed programs. We formalize &lambda;&bull; and prove its correctness and security properties. With Isabelle's help, we uncover and repair several mistakes in the informal proofs and lemma statements. Our findings are summarized in a <a href="http://people.inf.ethz.ch/trayteld/papers/lambdaauth/lambdaauth.pdf">paper draft</a>. Multi-Party Computation https://www.isa-afp.org/entries/Multi_Party_Computation.html https://www.isa-afp.org/entries/Multi_Party_Computation.html David Aspinall, David Butler 09 May 2019 00:00:00 +0000 We use CryptHOL to consider Multi-Party Computation (MPC) protocols. MPC was first considered by Yao in 1983 and recent advances in efficiency and an increased demand mean it is now deployed in the real world. Security is considered using the real/ideal world paradigm. We first define security in the semi-honest security setting where parties are assumed not to deviate from the protocol transcript. In this setting we prove multiple Oblivious Transfer (OT) protocols secure and then show security for the gates of the GMW protocol. We then define malicious security, this is a stronger notion of security where parties are assumed to be fully corrupted by an adversary. In this setting we again consider OT, as it is a fundamental building block of almost all MPC protocols. HOL-CSP Version 2.0 https://www.isa-afp.org/entries/HOL-CSP.html https://www.isa-afp.org/entries/HOL-CSP.html Safouan Taha, Lina Ye, Burkhart Wolff 26 Apr 2019 00:00:00 +0000 This is a complete formalization of the work of Hoare and Roscoe on the denotational semantics of the Failure/Divergence Model of CSP. It follows essentially the presentation of CSP in Roscoe’s Book ”Theory and Practice of Concurrency” [8] and the semantic details in a joint Paper of Roscoe and Brooks ”An improved failures model for communicating processes". The present work is based on a prior formalization attempt, called HOL-CSP 1.0, done in 1997 by H. Tej and B. Wolff with the Isabelle proof technology available at that time. This work revealed minor, but omnipresent foundational errors in key concepts like the process invariant. The present version HOL-CSP profits from substantially improved libraries (notably HOLCF), improved automated proof techniques, and structured proof techniques in Isar and is substantially shorter but more complete. A Compositional and Unified Translation of LTL into ω-Automata https://www.isa-afp.org/entries/LTL_Master_Theorem.html https://www.isa-afp.org/entries/LTL_Master_Theorem.html Benedikt Seidl, Salomon Sickert 16 Apr 2019 00:00:00 +0000 We present a formalisation of the unified translation approach of linear temporal logic (LTL) into ω-automata from [1]. This approach decomposes LTL formulas into ``simple'' languages and allows a clear separation of concerns: first, we formalise the purely logical result yielding this decomposition; second, we instantiate this generic theory to obtain a construction for deterministic (state-based) Rabin automata (DRA). We extract from this particular instantiation an executable tool translating LTL to DRAs. To the best of our knowledge this is the first verified translation from LTL to DRAs that is proven to be double exponential in the worst case which asymptotically matches the known lower bound. <p> [1] Javier Esparza, Jan Kretínský, Salomon Sickert. One Theorem to Rule Them All: A Unified Translation of LTL into ω-Automata. LICS 2018 A General Theory of Syntax with Bindings https://www.isa-afp.org/entries/Binding_Syntax_Theory.html https://www.isa-afp.org/entries/Binding_Syntax_Theory.html Lorenzo Gheri, Andrei Popescu 06 Apr 2019 00:00:00 +0000 We formalize a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory includes many properties of the standard operators on terms: substitution, swapping and freshness. It also includes bindings-aware induction and recursion principles and support for semantic interpretation. This work has been presented in the ITP 2017 paper “A Formalized General Theory of Syntax with Bindings”. The Transcendence of Certain Infinite Series https://www.isa-afp.org/entries/Transcendence_Series_Hancl_Rucki.html https://www.isa-afp.org/entries/Transcendence_Series_Hancl_Rucki.html Angeliki Koutsoukou-Argyraki, Wenda Li 27 Mar 2019 00:00:00 +0000 We formalize the proofs of two transcendence criteria by J. Hančl and P. Rucki that assert the transcendence of the sums of certain infinite series built up by sequences that fulfil certain properties. Both proofs make use of Roth's celebrated theorem on diophantine approximations to algebraic numbers from 1955 which we implement as an assumption without having formalised its proof. Quantum Hoare Logic https://www.isa-afp.org/entries/QHLProver.html https://www.isa-afp.org/entries/QHLProver.html Junyi Liu, Bohua Zhan, Shuling Wang, Shenggang Ying, Tao Liu, Yangjia Li, Mingsheng Ying, Naijun Zhan 24 Mar 2019 00:00:00 +0000 We formalize quantum Hoare logic as given in [1]. In particular, we specify the syntax and denotational semantics of a simple model of quantum programs. Then, we write down the rules of quantum Hoare logic for partial correctness, and show the soundness and completeness of the resulting proof system. As an application, we verify the correctness of Grover’s algorithm. Safe OCL https://www.isa-afp.org/entries/Safe_OCL.html https://www.isa-afp.org/entries/Safe_OCL.html Denis Nikiforov 09 Mar 2019 00:00:00 +0000 <p>The theory is a formalization of the <a href="https://www.omg.org/spec/OCL/">OCL</a> type system, its abstract syntax and expression typing rules. The theory does not define a concrete syntax and a semantics. In contrast to <a href="https://www.isa-afp.org/entries/Featherweight_OCL.html">Featherweight OCL</a>, it is based on a deep embedding approach. The type system is defined from scratch, it is not based on the Isabelle HOL type system.</p> <p>The Safe OCL distincts nullable and non-nullable types. Also the theory gives a formal definition of <a href="http://ceur-ws.org/Vol-1512/paper07.pdf">safe navigation operations</a>. The Safe OCL typing rules are much stricter than rules given in the OCL specification. It allows one to catch more errors on a type checking phase.</p> <p>The type theory presented is four-layered: classes, basic types, generic types, errorable types. We introduce the following new types: non-nullable types (T[1]), nullable types (T[?]), OclSuper. OclSuper is a supertype of all other types (basic types, collections, tuples). This type allows us to define a total supremum function, so types form an upper semilattice. It allows us to define rich expression typing rules in an elegant manner.</p> <p>The Preliminaries Chapter of the theory defines a number of helper lemmas for transitive closures and tuples. It defines also a generic object model independent from OCL. It allows one to use the theory as a reference for formalization of analogous languages.</p> Elementary Facts About the Distribution of Primes https://www.isa-afp.org/entries/Prime_Distribution_Elementary.html https://www.isa-afp.org/entries/Prime_Distribution_Elementary.html Manuel Eberl 21 Feb 2019 00:00:00 +0000 <p>This entry is a formalisation of Chapter 4 (and parts of Chapter 3) of Apostol's <a href="https://www.springer.com/de/book/9780387901633"><em>Introduction to Analytic Number Theory</em></a>. The main topics that are addressed are properties of the distribution of prime numbers that can be shown in an elementary way (i.&thinsp;e. without the Prime Number Theorem), the various equivalent forms of the PNT (which imply each other in elementary ways), and consequences that follow from the PNT in elementary ways. The latter include, most notably, asymptotic bounds for the number of distinct prime factors of <em>n</em>, the divisor function <em>d(n)</em>, Euler's totient function <em>&phi;(n)</em>, and lcm(1,&hellip;,<em>n</em>).</p> Kruskal's Algorithm for Minimum Spanning Forest https://www.isa-afp.org/entries/Kruskal.html https://www.isa-afp.org/entries/Kruskal.html Maximilian P.L. Haslbeck, Peter Lammich, Julian Biendarra 14 Feb 2019 00:00:00 +0000 This Isabelle/HOL formalization defines a greedy algorithm for finding a minimum weight basis on a weighted matroid and proves its correctness. This algorithm is an abstract version of Kruskal's algorithm. We interpret the abstract algorithm for the cycle matroid (i.e. forests in a graph) and refine it to imperative executable code using an efficient union-find data structure. Our formalization can be instantiated for different graph representations. We provide instantiations for undirected graphs and symmetric directed graphs. Probabilistic Primality Testing https://www.isa-afp.org/entries/Probabilistic_Prime_Tests.html https://www.isa-afp.org/entries/Probabilistic_Prime_Tests.html Daniel Stüwe, Manuel Eberl 11 Feb 2019 00:00:00 +0000 <p>The most efficient known primality tests are <em>probabilistic</em> in the sense that they use randomness and may, with some probability, mistakenly classify a composite number as prime &ndash; but never a prime number as composite. Examples of this are the Miller&ndash;Rabin test, the Solovay&ndash;Strassen test, and (in most cases) Fermat's test.</p> <p>This entry defines these three tests and proves their correctness. It also develops some of the number-theoretic foundations, such as Carmichael numbers and the Jacobi symbol with an efficient executable algorithm to compute it.</p> Universal Turing Machine https://www.isa-afp.org/entries/Universal_Turing_Machine.html https://www.isa-afp.org/entries/Universal_Turing_Machine.html Jian Xu, Xingyuan Zhang, Christian Urban, Sebastiaan J. C. Joosten 08 Feb 2019 00:00:00 +0000 We formalise results from computability theory: recursive functions, undecidability of the halting problem, and the existence of a universal Turing machine. This formalisation is the AFP entry corresponding to the paper Mechanising Turing Machines and Computability Theory in Isabelle/HOL, ITP 2013. Isabelle/UTP: Mechanised Theory Engineering for Unifying Theories of Programming https://www.isa-afp.org/entries/UTP.html https://www.isa-afp.org/entries/UTP.html Simon Foster, Frank Zeyda, Yakoub Nemouchi, Pedro Ribeiro, Burkhart Wolff 01 Feb 2019 00:00:00 +0000 Isabelle/UTP is a mechanised theory engineering toolkit based on Hoare and He’s Unifying Theories of Programming (UTP). UTP enables the creation of denotational, algebraic, and operational semantics for different programming languages using an alphabetised relational calculus. We provide a semantic embedding of the alphabetised relational calculus in Isabelle/HOL, including new type definitions, relational constructors, automated proof tactics, and accompanying algebraic laws. Isabelle/UTP can be used to both capture laws of programming for different languages, and put these fundamental theorems to work in the creation of associated verification tools, using calculi like Hoare logics. This document describes the relational core of the UTP in Isabelle/HOL. The Inversions of a List https://www.isa-afp.org/entries/List_Inversions.html https://www.isa-afp.org/entries/List_Inversions.html Manuel Eberl 01 Feb 2019 00:00:00 +0000 <p>This entry defines the set of <em>inversions</em> of a list, i.e. the pairs of indices that violate sortedness. It also proves the correctness of the well-known <em>O</em>(<em>n log n</em>) divide-and-conquer algorithm to compute the number of inversions.</p> Farkas' Lemma and Motzkin's Transposition Theorem https://www.isa-afp.org/entries/Farkas.html https://www.isa-afp.org/entries/Farkas.html Ralph Bottesch, Max W. Haslbeck, René Thiemann 17 Jan 2019 00:00:00 +0000 We formalize a proof of Motzkin's transposition theorem and Farkas' lemma in Isabelle/HOL. Our proof is based on the formalization of the simplex algorithm which, given a set of linear constraints, either returns a satisfying assignment to the problem or detects unsatisfiability. By reusing facts about the simplex algorithm we show that a set of linear constraints is unsatisfiable if and only if there is a linear combination of the constraints which evaluates to a trivially unsatisfiable inequality. IMP2 – Simple Program Verification in Isabelle/HOL https://www.isa-afp.org/entries/IMP2.html https://www.isa-afp.org/entries/IMP2.html Peter Lammich, Simon Wimmer 15 Jan 2019 00:00:00 +0000 IMP2 is a simple imperative language together with Isabelle tooling to create a program verification environment in Isabelle/HOL. The tools include a C-like syntax, a verification condition generator, and Isabelle commands for the specification of programs. The framework is modular, i.e., it allows easy reuse of already proved programs within larger programs. This entry comes with a quickstart guide and a large collection of examples, spanning basic algorithms with simple proofs to more advanced algorithms and proof techniques like data refinement. Some highlights from the examples are: <ul> <li>Bisection Square Root, </li> <li>Extended Euclid, </li> <li>Exponentiation by Squaring, </li> <li>Binary Search, </li> <li>Insertion Sort, </li> <li>Quicksort, </li> <li>Depth First Search. </li> </ul> The abstract syntax and semantics are very simple and well-documented. They are suitable to be used in a course, as extension to the IMP language which comes with the Isabelle distribution. While this entry is limited to a simple imperative language, the ideas could be extended to more sophisticated languages. An Algebra for Higher-Order Terms https://www.isa-afp.org/entries/Higher_Order_Terms.html https://www.isa-afp.org/entries/Higher_Order_Terms.html Lars Hupel 15 Jan 2019 00:00:00 +0000 In this formalization, I introduce a higher-order term algebra, generalizing the notions of free variables, matching, and substitution. The need arose from the work on a <a href="http://dx.doi.org/10.1007/978-3-319-89884-1_35">verified compiler from Isabelle to CakeML</a>. Terms can be thought of as consisting of a generic (free variables, constants, application) and a specific part. As example applications, this entry provides instantiations for de-Bruijn terms, terms with named variables, and <a href="https://www.isa-afp.org/entries/Lambda_Free_RPOs.html">Blanchette’s &lambda;-free higher-order terms</a>. Furthermore, I implement translation functions between de-Bruijn terms and named terms and prove their correctness. A Reduction Theorem for Store Buffers https://www.isa-afp.org/entries/Store_Buffer_Reduction.html https://www.isa-afp.org/entries/Store_Buffer_Reduction.html Ernie Cohen, Norbert Schirmer 07 Jan 2019 00:00:00 +0000 When verifying a concurrent program, it is usual to assume that memory is sequentially consistent. However, most modern multiprocessors depend on store buffering for efficiency, and provide native sequential consistency only at a substantial performance penalty. To regain sequential consistency, a programmer has to follow an appropriate programming discipline. However, na&iuml;ve disciplines, such as protecting all shared accesses with locks, are not flexible enough for building high-performance multiprocessor software. We present a new discipline for concurrent programming under TSO (total store order, with store buffer forwarding). It does not depend on concurrency primitives, such as locks. Instead, threads use ghost operations to acquire and release ownership of memory addresses. A thread can write to an address only if no other thread owns it, and can read from an address only if it owns it or it is shared and the thread has flushed its store buffer since it last wrote to an address it did not own. This discipline covers both coarse-grained concurrency (where data is protected by locks) as well as fine-grained concurrency (where atomic operations race to memory). We formalize this discipline in Isabelle/HOL, and prove that if every execution of a program in a system without store buffers follows the discipline, then every execution of the program with store buffers is sequentially consistent. Thus, we can show sequential consistency under TSO by ordinary assertional reasoning about the program, without having to consider store buffers at all. A Formal Model of the Document Object Model https://www.isa-afp.org/entries/Core_DOM.html https://www.isa-afp.org/entries/Core_DOM.html Achim D. Brucker, Michael Herzberg 26 Dec 2018 00:00:00 +0000 In this AFP entry, we formalize the core of the Document Object Model (DOM). At its core, the DOM defines a tree-like data structure for representing documents in general and HTML documents in particular. It is the heart of any modern web browser. Formalizing the key concepts of the DOM is a prerequisite for the formal reasoning over client-side JavaScript programs and for the analysis of security concepts in modern web browsers. We present a formalization of the core DOM, with focus on the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is 1) extensible, i.e., can be extended without the need of re-proving already proven properties and 2) executable, i.e., we can generate executable code from our specification. Formalization of Concurrent Revisions https://www.isa-afp.org/entries/Concurrent_Revisions.html https://www.isa-afp.org/entries/Concurrent_Revisions.html Roy Overbeek 25 Dec 2018 00:00:00 +0000 Concurrent revisions is a concurrency control model developed by Microsoft Research. It has many interesting properties that distinguish it from other well-known models such as transactional memory. One of these properties is <em>determinacy</em>: programs written within the model always produce the same outcome, independent of scheduling activity. The concurrent revisions model has an operational semantics, with an informal proof of determinacy. This document contains an Isabelle/HOL formalization of this semantics and the proof of determinacy. - - Verifying Imperative Programs using Auto2 - https://www.isa-afp.org/entries/Auto2_Imperative_HOL.html - https://www.isa-afp.org/entries/Auto2_Imperative_HOL.html - Bohua Zhan - 21 Dec 2018 00:00:00 +0000 - -This entry contains the application of auto2 to verifying functional -and imperative programs. Algorithms and data structures that are -verified include linked lists, binary search trees, red-black trees, -interval trees, priority queue, quicksort, union-find, Dijkstra's -algorithm, and a sweep-line algorithm for detecting rectangle -intersection. The imperative verification is based on Imperative HOL -and its separation logic framework. A major goal of this work is to -set up automation in order to reduce the length of proof that the user -needs to provide, both for verifying functional programs and for -working with separation logic. - - - Constructive Cryptography in HOL - https://www.isa-afp.org/entries/Constructive_Cryptography.html - https://www.isa-afp.org/entries/Constructive_Cryptography.html - Andreas Lochbihler, S. Reza Sefidgar - 17 Dec 2018 00:00:00 +0000 - -Inspired by Abstract Cryptography, we extend CryptHOL, a framework for -formalizing game-based proofs, with an abstract model of Random -Systems and provide proof rules about their composition and equality. -This foundation facilitates the formalization of Constructive -Cryptography proofs, where the security of a cryptographic scheme is -realized as a special form of construction in which a complex random -system is built from simpler ones. This is a first step towards a -fully-featured compositional framework, similar to Universal -Composability framework, that supports formalization of -simulation-based proofs. - - - Transformer Semantics - https://www.isa-afp.org/entries/Transformer_Semantics.html - https://www.isa-afp.org/entries/Transformer_Semantics.html - Georg Struth - 11 Dec 2018 00:00:00 +0000 - -These mathematical components formalise predicate transformer -semantics for programs, yet currently only for partial correctness and -in the absence of faults. A first part for isotone (or monotone), -Sup-preserving and Inf-preserving transformers follows Back and von -Wright's approach, with additional emphasis on the quantalic -structure of algebras of transformers. The second part develops -Sup-preserving and Inf-preserving predicate transformers from the -powerset monad, via its Kleisli category and Eilenberg-Moore algebras, -with emphasis on adjunctions and dualities, as well as isomorphisms -between relations, state transformers and predicate transformers. - - - Quantales - https://www.isa-afp.org/entries/Quantales.html - https://www.isa-afp.org/entries/Quantales.html - Georg Struth - 11 Dec 2018 00:00:00 +0000 - -These mathematical components formalise basic properties of quantales, -together with some important models, constructions, and concepts, -including quantic nuclei and conuclei. - - - Properties of Orderings and Lattices - https://www.isa-afp.org/entries/Order_Lattice_Props.html - https://www.isa-afp.org/entries/Order_Lattice_Props.html - Georg Struth - 11 Dec 2018 00:00:00 +0000 - -These components add further fundamental order and lattice-theoretic -concepts and properties to Isabelle's libraries. They follow by -and large the introductory sections of the Compendium of Continuous -Lattices, covering directed and filtered sets, down-closed and -up-closed sets, ideals and filters, Galois connections, closure and -co-closure operators. Some emphasis is on duality and morphisms -between structures, as in the Compendium. To this end, three ad-hoc -approaches to duality are compared. - diff --git a/web/statistics.html b/web/statistics.html --- a/web/statistics.html +++ b/web/statistics.html @@ -1,313 +1,304 @@ Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Statistics

 

Statistics

- - - - + + + +
Number of Articles:478
Number of Authors:323
Number of lemmas:~134,000
Lines of Code:~2,257,800
Number of Articles:483
Number of Authors:325
Number of lemmas:~134,900
Lines of Code:~2,268,300

Most used AFP articles:

- - - - - - - - - - +
NameUsed by ? articles
1. Collections 15
2. List-Index 14
3. Coinductive 12
Regular-Sets 12
Show 12
4. Landau_Symbols 11
5. Abstract-Rewriting 10
Deriving 10
6. Automatic_Refinement 9
7. CAVA_Automata 8
8.Jordan_Normal_Form7
Native_Word7
Polynomial_Factorization78

Growth in number of articles:

Growth in lines of code:

Growth in number of authors:

Size of articles:
\ No newline at end of file diff --git a/web/topics.html b/web/topics.html --- a/web/topics.html +++ b/web/topics.html @@ -1,776 +1,783 @@ Archive of Formal Proofs

 

 

 

Home
About
Submission
Updating Entries
Using Entries
Search
Statistics
Index
Download

 

 

 

Index by Topic

 

Computer Science

Automata and Formal Languages

Partial_Order_Reduction   Posix-Lexing   LocalLexing   KBPs   Regular-Sets   Regex_Equivalence   MSO_Regex_Equivalence   Formula_Derivatives   Myhill-Nerode   Universal_Turing_Machine   CYK   Presburger-Automata   Functional-Automata   Statecharts   Stuttering_Equivalence   Coinductive_Languages   Tree-Automata   Kleene_Algebra   KAT_and_DRA   KAD   Regular_Algebras   Markov_Models   Probabilistic_System_Zoo   CAVA_Automata   LTL   LTL_to_GBA   CAVA_LTL_Modelchecker   Probabilistic_Timed_Automata   Finite_Automata_HF   LTL_to_DRA   Timed_Automata   Stochastic_Matrices   Buchi_Complementation   Transition_Systems_and_Automata   Factored_Transition_System_Bounding   LTL_Master_Theorem   + MFOTL_Monitor  

Algorithms

Knuth_Morris_Pratt   Probabilistic_While   Comparison_Sort_Lower_Bound   Quick_Sort_Cost   DFS_Framework   Prpu_Maxflow   TortoiseHare   Floyd_Warshall   Roy_Floyd_Warshall   Selection_Heap_Sort   Dijkstra_Shortest_Path   EdmondsKarp_Maxflow   VerifyThis2018   CYK   Boolean_Expression_Checkers   Depth-First-Search   FFT   Gauss-Jordan-Elim-Fun   UpDown_Scheme   GraphMarkingIBP   Efficient-Mergesort   SATSolverVerification   Transitive-Closure   Transitive-Closure-II   MuchAdoAboutTwo   First_Order_Terms   Polynomials   Gabow_SCC   Monad_Memo_DP   Hidden_Markov_Models   Gauss_Jordan   Echelon_Form   QR_Decomposition   Hermite   Imperative_Insertion_Sort   Deep_Learning   Formal_SSA   ROBDD   Groebner_Bases   Median_Of_Medians_Selection   IMAP-CRDT   Fisher_Yates   Diophantine_Eqns_Lin_Hom   Taylor_Models   LLL_Basis_Reduction   Optimal_BST   Simplex   Signature_Groebner   IMP2   Auto2_Imperative_HOL   Kruskal   List_Inversions   IMP2_Binary_Heap   + Prim_Dijkstra_Simple   + MFOTL_Monitor   Distributed: DiskPaxos   GenClock   ClockSynchInst   Heard_Of   Consensus_Refined   Abortable_Linearizable_Modules   CRDT   OpSets   Concurrent: ConcurrentGC   Online: List_Update  

Concurrency

FLP   Concurrent_Ref_Alg   Concurrent_Revisions   Store_Buffer_Reduction   Process Calculi: Noninterference_Generic_Unwinding   AODV   AWN   CCS   Pi_Calculus   Psi_Calculi   Encodability_Process_Calculi   Circus   Noninterference_Sequential_Composition   Noninterference_Concurrent_Composition   Modal_Logics_for_NTS   HOL-CSP  

Data Structures

Generic_Deriving   Random_BSTs   Randomised_BSTs   List_Interleaving   Refine_Imperative_HOL   Amortized_Complexity   Dynamic_Tables   AVL-Trees   BDD   BinarySearchTree   Splay_Tree   Root_Balanced_Tree   Skew_Heap   Pairing_Heap   Priority_Queue_Braun   Binomial-Queues   Binomial-Heaps   Finger-Trees   Trie   FinFun   Collections   Containers   FileRefinement   Datatype_Order_Generator   Deriving   List-Index   List-Infinite   Matrix   Matrix_Tensor   Huffman   Lazy-Lists-II   IEEE_Floating_Point   Native_Word   XML   ROBDD   IMAP-CRDT   Word_Lib   CRDT   KD_Tree   Taylor_Models   Treaps   Weight_Balanced_Trees   OpSets   Optimal_BST   Core_DOM   Auto2_Imperative_HOL   IMP2_Binary_Heap   + Priority_Search_Trees  

Functional Programming

Optics   CryptHOL   Probabilistic_While   Monad_Normalisation   Monomorphic_Monad   Show   Certification_Monads   Partial_Function_MR   Lifting_Definition_Option   Coinductive   Stream-Fusion   Tycon   Monad_Memo_DP   XML   Tail_Recursive_Functions   Stream_Fusion_Code   Applicative_Lifting   HOLCF-Prelude   BNF_CC   Binding_Syntax_Theory  

Games

Parity_Game  

Hardware

SPARCv8  

Networks

UPF_Firewall   IP_Addresses   Simple_Firewall   Iptables_Semantics   Routing   LOFT  

Programming Languages

Decl_Sem_Fun_PL   Language Definitions: CakeML   WebAssembly   pGCL   GPU_Kernel_PL   LightweightJava   CoreC++   FeatherweightJava   Jinja   JinjaThreads   Locally-Nameless-Sigma   AutoFocus-Stream   FocusStreamsCaseStudies   Isabelle_Meta_Model   Simpl   Complx   Safe_OCL   Lambda Calculi: Higher_Order_Terms   Launchbury   PCF   POPLmark-deBruijn   Lam-ml-Normalization   LambdaMu   Binding_Syntax_Theory   LambdaAuth   Type Systems: Name_Carrying_Type_Inference   MiniML   Possibilistic_Noninterference   SIFUM_Type_Systems   Dependent_SIFUM_Type_Systems   Strong_Security   WHATandWHERE_Security   VolpanoSmith   Logics: ConcurrentIMP   Refine_Monadic   Automatic_Refinement   MonoBoolTranAlgebra   Simpl   Separation_Algebra   Separation_Logic_Imperative_HOL   Abstract-Hoare-Logics   Kleene_Algebra   KAT_and_DRA   KAD   BytecodeLogicJmlTypes   DataRefinementIBP   RefinementReactive   SIFPL   TLA   Ribbon_Proofs   Separata   Complx   Differential_Dynamic_Logic   Hoare_Time   IMP2   UTP   QHLProver   + Differential_Game_Logic   Compiling: Compiling-Exceptions-Correctly   NormByEval   Density_Compiler   Static Analysis: RIPEMD-160-SPARK   Program-Conflict-Analysis   Shivers-CFA   Slicing   HRB-Slicing   InfPathElimination   Abs_Int_ITP2012   Transformations: Call_Arity   Refine_Imperative_HOL   WorkerWrapper   Monad_Memo_DP   Formal_SSA   Minimal_SSA   Misc: JiveDataStoreModel   Pop_Refinement   Case_Labeling  

Security

Multi_Party_Computation   Noninterference_Generic_Unwinding   Noninterference_Ipurge_Unwinding   UPF   UPF_Firewall   CISC-Kernel   Noninterference_CSP   Key_Agreement_Strong_Adversaries   Security_Protocol_Refinement   Inductive_Confidentiality   Possibilistic_Noninterference   SIFUM_Type_Systems   Dependent_SIFUM_Type_Systems   Dependent_SIFUM_Refinement   Strong_Security   WHATandWHERE_Security   VolpanoSmith   SIFPL   HotelKeyCards   InformationFlowSlicing   InformationFlowSlicing_Inter   CryptoBasedCompositionalProperties   Probabilistic_Noninterference   HyperCTL   Bounded_Deducibility_Security   Network_Security_Policy_Verification   Noninterference_Inductive_Unwinding   Password_Authentication_Protocol   Noninterference_Sequential_Composition   Noninterference_Concurrent_Composition   SPARCv8   Modular_Assembly_Kit_Security   LambdaAuth   Cryptography: Game_Based_Crypto   CryptHOL   Constructive_Cryptography   RSAPSS   Elliptic_Curves_Group_Law  

Semantics

Launchbury   Transformer_Semantics   HOL-CSP   QHLProver  

System Description Languages

Circus   ComponentDependencies   Promela   Featherweight_OCL   DynamicArchitectures   Architectural_Design_Patterns  

Logic

Propositional_Proof_Systems   MSO_Regex_Equivalence   Formula_Derivatives   Universal_Turing_Machine   Boolean_Expression_Checkers   Presburger-Automata   Verified-Prover   Completeness   Ordinal   Ordinals_and_Cardinals   FOL-Fitting   Epistemic_Logic   SequentInvertibility   LinearQuantifierElim   Nat-Interval-Logic   Recursion-Theory-I   Free-Boolean-Algebra   Sort_Encodings   LTL   HereditarilyFinite   Incompleteness   HyperCTL   Abstract_Completeness   PropResPI   SuperCalc   Incredible_Proof_Machine   Resolution_FOL   Surprise_Paradox   Allen_Calculus   Modal_Logics_for_NTS   Paraconsistency   FOL_Harrison   Abstract_Soundness   Differential_Dynamic_Logic   LambdaMu   Hybrid_Multi_Lane_Spatial_Logic   Ordered_Resolution_Prover   Minsky_Machines   Functional_Ordered_Resolution_Prover   Binding_Syntax_Theory   + MFOTL_Monitor  

Philosophy

GoedelGod   Types_Tableaus_and_Goedels_God   GewirthPGCProof   Lowe_Ontological_Argument   AnselmGod   PLM  

Rewriting

Monad_Normalisation   Lambda_Free_RPOs   Lambda_Free_KBOs   Lambda_Free_EPO   Nested_Multisets_Ordinals   Abstract-Rewriting   First_Order_Terms   Decreasing-Diagrams   Decreasing-Diagrams-II   Rewriting_Z   Graph_Saturation  

Mathematics

Order

LatticeProperties   + Stone_Algebras   + Allen_Calculus   + Order_Lattice_Props   + Complete_Non_Orders  

Algebra

Optics   Subresultants   Buildings   Algebraic_VCs   Multirelations   Residuated_Lattices   PseudoHoops   Impossible_Geometry   Gauss-Jordan-Elim-Fun   Matrix_Tensor   - Stone_Algebras   Kleene_Algebra   KAT_and_DRA   KAD   Regular_Algebras   Free-Groups   CofGroups   Group-Ring-Module   Robbins-Conjecture   Valuation   Rank_Nullity_Theorem   Polynomials   Relation_Algebra   PSemigroupsConvolution   Secondary_Sylow   Jordan_Hoelder   Cayley_Hamilton   VectorSpace   Echelon_Form   QR_Decomposition   Hermite   Rep_Fin_Groups   Jordan_Normal_Form   Algebraic_Numbers   Polynomial_Interpolation   Polynomial_Factorization   Perron_Frobenius   Stochastic_Matrices   Groebner_Bases   Nullstellensatz   Mason_Stothers   Berlekamp_Zassenhaus   - Allen_Calculus   Stone_Relation_Algebras   Stone_Kleene_Relation_Algebras   Orbit_Stabiliser   Dirichlet_L   Symmetric_Polynomials   Taylor_Models   LLL_Basis_Reduction   LLL_Factorization   Localization_Ring   Quaternions   Octonions   Aggregation_Algebras   Signature_Groebner   - Order_Lattice_Props   Quantales   Transformer_Semantics   Farkas   Groebner_Macaulay   Linear_Inequalities  

Analysis

E_Transcendental   Liouville_Numbers   Descartes_Sign_Rule   Euler_MacLaurin   Real_Impl   Lower_Semicontinuous   Affine_Arithmetic   Cauchy   Integration   Ordinary_Differential_Equations   Polynomials   Sqrt_Babylonian   Sturm_Sequences   Sturm_Tarski   Special_Function_Bounds   Landau_Symbols   Error_Function   Akra_Bazzi   Zeta_Function   Linear_Recurrences   Cartan_FP   Stirling_Formula   Lp   Bernoulli   Winding_Number_Eval   Count_Complex_Roots   Taylor_Models   Green   Irrationality_J_Hancl   Budan_Fourier   Smooth_Manifolds   Transcendence_Series_Hancl_Rucki  

Probability Theory

DiscretePricing   CryptHOL   Constructive_Cryptography   Probabilistic_While   Markov_Models   Density_Compiler   Probabilistic_Timed_Automata   Hidden_Markov_Models   Random_Graph_Subgraph_Threshold   Ergodic_Theory   Source_Coding_Theorem   Buffons_Needle  

Number Theory

Pell   Minkowskis_Theorem   E_Transcendental   Pi_Transcendental   Liouville_Numbers   Prime_Harmonic_Series   Fermat3_4   Perfect-Number-Thm   SumSquares   Lehmer   Pratt_Certificate   Dirichlet_Series   Zeta_Function   Stern_Brocot   Bertrands_Postulate   Bernoulli   Diophantine_Eqns_Lin_Hom   Dirichlet_L   Irrationality_J_Hancl   Prime_Number_Theorem   Probabilistic_Prime_Tests   Prime_Distribution_Elementary   Transcendence_Series_Hancl_Rucki  

Economics

DiscretePricing   ArrowImpossibilityGS   SenSocialChoice   Vickrey_Clarke_Groves   First_Welfare_Theorem   Randomised_Social_Choice   SDS_Impossibility   Stable_Matching   Fishburn_Impossibility   Neumann_Morgenstern_Utility  

Geometry

Minkowskis_Theorem   Buildings   Chord_Segments   Triangle   Impossible_Geometry   Tarskis_Geometry   General-Triangle   Nullstellensatz   Ptolemys_Theorem   Buffons_Needle   Stewart_Apollonius   Gromov_Hyperbolicity   Projective_Geometry   Quaternions   Octonions  

Topology

Topology   Knot_Theory   Kuratowski_Closure_Complement   Smooth_Manifolds  

Graph Theory

Flow_Networks   Prpu_Maxflow   MFMC_Countable   ShortestPath   Gabow_SCC   Graph_Theory   Planarity_Certificates   Max-Card-Matching   Girth_Chromatic   Random_Graph_Subgraph_Threshold   Flyspeck-Tame   Koenigsberg_Friendship   Tree_Decomposition   Menger   Factored_Transition_System_Bounding   Graph_Saturation  

Combinatorics

Card_Equiv_Relations   Twelvefold_Way   Card_Multisets   Card_Partitions   Card_Number_Partitions   Well_Quasi_Orders   Marriage   Bondy   Ramsey-Infinite   Derangements   Euler_Partition   Discrete_Summation   Open_Induction   Latin_Square   Bell_Numbers_Spivey   Catalan_Numbers   Falling_Factorial_Sum   Matroids  

Category Theory

Category3   MonoidalCategory   Category   Category2   AxiomaticCategoryTheory  

Physics

No_FTL_observers  

Misc

FunWithFunctions   FunWithTilings  

Tools

Monad_Normalisation   Constructor_Funs   Lazy_Case   Dict_Construction   Case_Labeling   DPT-SAT-Solver   Nominal2   Separata   Proof_Strategy_Language   Diophantine_Eqns_Lin_Hom   BNF_Operations   BNF_CC   Auto2_HOL  
\ No newline at end of file