hol88/mos-count/tempabs.ml

% PROOF		: Transistor Implementation of a Counter		%
% FILE		: tempabs.ml						%
%									%
% DESCRIPTION	: Defines the predicates `Next`, `Inf`, `IsTimeOf`	%
%		  and `TimeOf` and derives several major theorems	%
%		  which provide a basis for temporal abstraction.	%
%									%
%		  These predicates and theorems are taken from		%
%		  T.Melham's paper, "Abstraction Mechanisms for		%
%		  Hardware Verification", Hardware Verification		%
%		  Workshop, University of Calgary, January 1987.	%
%									%
% AUTHOR	: J.Joyce						%
% DATE		: 31 March 1987						%

new_theory `tempabs`;;

new_parent `wop`;;

let Next = new_definition (
	`Next`,
	"Next (t1,t2) g =
	  (t1 < t2) /\ (g t2)  /\ (!t. (t1 < t) /\ (t < t2) ==> ~g t)");;

let Inf = new_definition (
	`Inf`,
	"Inf g = !t.?t'. t'>t /\ (g t')");;

let IsTimeOf = new_prim_rec_definition (
	`IsTimeOf`,
	"(IsTimeOf 0 g t = g (t) /\ !t'. t' < t ==> ~g (t')) /\
	 (IsTimeOf (SUC n) g t =
	  g (t) /\
	  ?t'.
	    t' < t /\
	    IsTimeOf n g t' /\
	    (!t''. ((t' < t'') /\ (t'' < t)) ==> ~g (t'')))");;

let TimeOf = new_definition (
	`TimeOf`,
	"TimeOf g n = @t. IsTimeOf n g t");;

let when = new_infix_definition (
	`when`,
	"when (s1:num->*) (s2:num->bool) = (\n. s1 (TimeOf s2 n))");;

let WOP = theorem `wop` `WOP`;;

let BETA_RULE = CONV_RULE (DEPTH_CONV BETA_CONV);;

let Next_ADD1 = prove_thm (
	`Next_ADD1`,
	"!s t. (s (t + 1) ==> Next (t,t + 1) s)",
	PURE_REWRITE_TAC [Next;SYM (SPEC "t" ADD1)] THEN
	REPEAT STRIP_TAC THENL
	[REWRITE_TAC [LESS_SUC_REFL];
	 FIRST_ASSUM ACCEPT_TAC;
	 IMP_RES_TAC LESS_NOT_EQ THEN
	 ASSUME_TAC (NOT_EQ_SYM (ASSUME "~(t = t')")) THEN
	 IMP_RES_TAC LESS_SUC_IMP THEN
	 IMP_RES_TAC LESS_ANTISYM]);;

let Next_INCREASE = prove_thm (
	`Next_INCREASE`,
	"!s t1 t2.
	  (~(s (t1 + 1)) /\ Next (t1 + 1,t2) s) ==> Next (t1,t2) s",
	PURE_REWRITE_TAC [Next;SYM (SPEC "t" ADD1)] THEN
	REPEAT STRIP_TAC THENL
	[IMP_RES_TAC SUC_LESS;
	 FIRST_ASSUM ACCEPT_TAC;
	 IMP_RES_TAC LESS_SUC_EQ THEN
	 DISJ_CASES_TAC
	   (PURE_REWRITE_RULE [LESS_OR_EQ] (ASSUME "(SUC t1) <= t")) THENL
	 [RES_TAC;
	  ASSUME_TAC (SUBS [ASSUME "SUC t1 = t"] (ASSUME "~s(SUC t1)")) THEN
	  RES_TAC]]);;

let Next_IDENTITY = prove_thm (
	`Next_IDENTITY`,
	"!s t1 t2 t3.
	  (Next (t1,t2) s /\ Next (t1,t3) s) ==> (t2 = t3)",
	PURE_REWRITE_TAC [Next] THEN
	REPEAT STRIP_TAC THEN
	DISJ_CASES_TAC (SPEC "t2 = t3" EXCLUDED_MIDDLE) THENL
	[FIRST_ASSUM ACCEPT_TAC;
	 DISJ_CASES_TAC (SPEC "t2 < t3" EXCLUDED_MIDDLE) THENL
	 [RES_TAC;IMP_RES_TAC LESS_CASES_IMP THEN RES_TAC]]);;

% lemma1 = . |- ?n. g n /\ (!m. m < n ==> ~g m) %
let th1 = SPEC "t" (PURE_REWRITE_RULE [Inf] (ASSUME "Inf g"));;
let th2 = ASSUME (snd (dest_exists (concl th1)));;
let th3 = CONJUNCT2 th2;;
let th4 = EXISTS (mk_exists ("t'",concl th3),"t'") th3;;
let th5 = CHOOSE ("t'",th1) th4;;
let lemma1 = MATCH_MP WOP th5;;

let lemma2 = TAC_PROOF (
	([],"(a ==> ~(b /\ c)) = ((b /\ a) ==> ~c)"),
	REWRITE_TAC [DE_MORGAN_THM;SYM (SPEC_ALL IMP_DISJ_THM)] THEN
	EQ_TAC THEN (REPEAT STRIP_TAC) THEN RES_TAC);;

%
lemma3 =
.. |- ?t'.
       g t' /\
       (?t. t < t' /\ IsTimeOf n g t /\ (!m. t < m /\ m < t' ==> ~g m))
%
let th1 = ASSUME "?t. IsTimeOf n g t";;
let th2 = ASSUME (snd (dest_exists (concl th1)));;
let th3 = SPEC "t" (PURE_REWRITE_RULE [Inf] (ASSUME "Inf g"));;
let th4 = ASSUME (snd (dest_exists (concl th3)));;
let th5 = BETA_CONV (mk_comb (mk_abs ("t'",concl th4),"t'"));;
let th6 = EQ_MP (SYM th5) th4;;
let th7 = EXISTS (mk_exists ("t'",concl th6),"t'") th6;;
let th8 = CHOOSE ("t'",th3) th7;;
let th9 = BETA_RULE (MATCH_MP WOP th8);;
let th10 = EQ_MP (GEN_ALPHA_CONV "t'" (concl th9)) th9;;
let th11 = PURE_REWRITE_RULE [GREATER;lemma2] th10;;
let th12 = ASSUME (snd (dest_exists (concl th11)));;
let th13 = CONJUNCT1 (CONJUNCT1 th12);;
let th14 = CONJUNCT2 (CONJUNCT1 th12);;
let th15 = CONJUNCT2 th12;;
let th16 = LIST_CONJ [th13;th2;th15];;
let th17 = EXISTS (mk_exists ("t",concl th16),"t") th16;;
let th18 = LIST_CONJ [th14;th17];;
let th19 = EXISTS (mk_exists ("t'",concl th18),"t'") th18;;
let th20 = CHOOSE ("t'",th11) th19;;
let lemma3 = CHOOSE ("t",th1) th20;;

let IsTimeOf_EXISTS = prove_thm (
	`IsTimeOf_EXISTS`,
	"!g. Inf g ==> !n. ?t. IsTimeOf n g t",
	GEN_TAC THEN DISCH_TAC THEN INDUCT_TAC THENL
	[REWRITE_TAC [IsTimeOf;lemma1];REWRITE_TAC [IsTimeOf;lemma3]]);;

let TimeOf_DEFINED = prove_thm (
	`TimeOf_DEFINED`,
	"!g. Inf g ==> !n. IsTimeOf n g (TimeOf g n)",
	REPEAT STRIP_TAC THEN
	IMP_RES_TAC IsTimeOf_EXISTS THEN
	ACCEPT_TAC
	  (PURE_REWRITE_RULE [SYM TimeOf]
	    (SELECT_RULE (SPEC "n" (ASSUME "!n. ?t. IsTimeOf n g t")))));;

let TimeOf_TRUE = prove_thm (
	`TimeOf_TRUE`,
	"!g. Inf g ==> !n. g (TimeOf g n)",
	REPEAT STRIP_TAC THEN
	IMP_RES_TAC TimeOf_DEFINED THEN
	DISJ_CASES_TAC (SPEC "n" num_CASES) THENL
	[SUBST1_TAC (ASSUME "n = 0") THEN
	 STRIP_ASSUME_TAC
	   (PURE_REWRITE_RULE [IsTimeOf]
	     (SPEC "0" (ASSUME "!n. IsTimeOf n g (TimeOf g n)")));
	 FIRST_ASSUM
	   (\thm.
	     if is_exists (concl thm)
	       then (CHOOSE_THEN SUBST1_TAC thm) else NO_TAC) THEN
	 STRIP_ASSUME_TAC
	   (PURE_REWRITE_RULE [IsTimeOf]
	     (SPEC "SUC n'" (ASSUME "!n. IsTimeOf n g (TimeOf g n)")))]);;

let tm = "!t''. t' < t'' /\ t'' < t1 ==> ~g t''";;

let IsTimeOf_IDENTITY = prove_thm (
	`IsTimeOf_IDENTITY`,
	"!g n t1 t2. IsTimeOf n g t1 /\ IsTimeOf n g t2 ==> (t1 = t2)",
	GEN_TAC THEN
	INDUCT_TAC THENL
	[PURE_REWRITE_TAC [IsTimeOf] THEN
	 REPEAT STRIP_TAC THEN
	 DISJ_CASES_TAC (SPECL ["t1";"t2"] LESS_CASES) THENL
	 [RES_TAC;
	  DISJ_CASES_TAC
	    (PURE_REWRITE_RULE [LESS_OR_EQ] (ASSUME "t2 <= t1")) THENL
	  [RES_TAC;ACCEPT_TAC (SYM (ASSUME "t2 = t1"))]];
	 PURE_REWRITE_TAC [IsTimeOf] THEN
	 REPEAT STRIP_TAC THEN
	 RES_TAC THEN
	 ASSUME_TAC
	  (SUBS [ASSUME "t'' = t'"]
	    (ASSUME "!t'''. t'' < t''' /\ t''' < t2 ==> ~g t'''")) THEN
	 ASSUME_TAC
	   (SUBS [ASSUME "t' = t''"]
	     (EQ_MP (GEN_ALPHA_CONV "t''':num" tm) (ASSUME tm))) THEN
	 DISJ_CASES_TAC (SPECL ["t1";"t2"] LESS_CASES) THENL
	 [RES_TAC;
	  DISJ_CASES_TAC
	    (PURE_REWRITE_RULE [LESS_OR_EQ] (ASSUME "t2 <= t1")) THENL
	  [RES_TAC;
	   ASSUME_TAC (SYM (ASSUME "t2 = t1")) THEN
	   RES_TAC THEN
	   ACCEPT_TAC (SYM (ASSUME "t2 = t1"))]]]);;

%
TimeOf_INCREASING =
|- !g. Inf g ==> (!n. (TimeOf g n) < (TimeOf g(n + 1)))
%
let th1 =
	PURE_REWRITE_RULE [IsTimeOf]
	  (SPEC "SUC n" (UNDISCH (SPEC "g" TimeOf_DEFINED)));;
let th2 = CONJUNCT2 th1;;
let th3 = ASSUME (snd (dest_exists (concl th2)));;
let th4 = CONJUNCT1 th3;;
let th5 = CONJUNCT1 (CONJUNCT2 th3);;
let th6 = SPEC "n" (UNDISCH (SPEC "g" TimeOf_DEFINED));;
let th7 = MATCH_MP IsTimeOf_IDENTITY (LIST_CONJ [th5;th6]);;
let th8 = SUBS [th7] th4;;
let th9 = CHOOSE ("t'",th2) th8;;
let th10 = GEN "g" (DISCH_ALL (GEN "n" th9));;
let th11 = PURE_REWRITE_RULE [ADD1] th10;;
let TimeOf_INCREASING = save_thm (`TimeOf_INCREASING`,th11);;

%
TimeOf_INTERVAL =
|- !g.
    Inf g ==> (!n t. (TimeOf g n) < t /\ t < (TimeOf g(n + 1)) ==> ~g t)
%
let th1 =
	PURE_REWRITE_RULE [IsTimeOf]
	  (SPEC "SUC n" (UNDISCH (SPEC "g" TimeOf_DEFINED)));;
let th2 = CONJUNCT2 th1;;
let th3 = ASSUME (snd (dest_exists (concl th2)));;
let th4 = CONJUNCT2 (CONJUNCT2 th3);;
let th5 = CONJUNCT1 (CONJUNCT2 th3);;
let th6 = SPEC "n" (UNDISCH (SPEC "g" TimeOf_DEFINED));;
let th7 = MATCH_MP IsTimeOf_IDENTITY (LIST_CONJ [th5;th6]);;
let th8 = SUBS [th7] th4;;
let th9 = EQ_MP (GEN_ALPHA_CONV "t" (concl th8)) th8;;
let th10 = CHOOSE ("t'",th2) th9;;
let th11 = GEN "g" (DISCH_ALL (GEN "n" th10));;
let th12 = PURE_REWRITE_RULE [ADD1] th11;;
let TimeOf_INTERVAL = save_thm (`TimeOf_Interval`,th12);;

let TimeOf_Next = prove_thm (
	`TimeOf_Next`,
	"!g. Inf g ==> Next (TimeOf g n,TimeOf g (n+1)) g",
	PURE_REWRITE_TAC [Next] THEN
	REPEAT STRIP_TAC THEN
	IMP_RES_THEN (\thm. REWRITE_TAC [thm]) TimeOf_INCREASING THEN
	IMP_RES_THEN (\thm. REWRITE_TAC [thm]) TimeOf_TRUE THEN
	IMP_RES_THEN (\thm. REWRITE_TAC [thm]) TimeOf_INTERVAL);;

close_theory ();;