1(*  Title:      HOL/HOLCF/IOA/Abstraction.thy
2    Author:     Olaf M��ller
3*)
4
5section \<open>Abstraction Theory -- tailored for I/O automata\<close>
6
7theory Abstraction
8imports LiveIOA
9begin
10
11default_sort type
12
13definition cex_abs :: "('s1 \<Rightarrow> 's2) \<Rightarrow> ('a, 's1) execution \<Rightarrow> ('a, 's2) execution"
14  where "cex_abs f ex = (f (fst ex), Map (\<lambda>(a, t). (a, f t)) \<cdot> (snd ex))"
15
16text \<open>equals cex_abs on Sequences -- after ex2seq application\<close>
17definition cex_absSeq ::
18    "('s1 \<Rightarrow> 's2) \<Rightarrow> ('a option, 's1) transition Seq \<Rightarrow> ('a option, 's2)transition Seq"
19  where "cex_absSeq f = (\<lambda>s. Map (\<lambda>(s, a, t). (f s, a, f t)) \<cdot> s)"
20
21definition is_abstraction :: "('s1 \<Rightarrow> 's2) \<Rightarrow> ('a, 's1) ioa \<Rightarrow> ('a, 's2) ioa \<Rightarrow> bool"
22  where "is_abstraction f C A \<longleftrightarrow>
23    ((\<forall>s \<in> starts_of C. f s \<in> starts_of A) \<and>
24    (\<forall>s t a. reachable C s \<and> s \<midarrow>a\<midarrow>C\<rightarrow> t \<longrightarrow> f s \<midarrow>a\<midarrow>A\<rightarrow> f t))"
25
26definition weakeningIOA :: "('a, 's2) ioa \<Rightarrow> ('a, 's1) ioa \<Rightarrow> ('s1 \<Rightarrow> 's2) \<Rightarrow> bool"
27  where "weakeningIOA A C h \<longleftrightarrow> (\<forall>ex. ex \<in> executions C \<longrightarrow> cex_abs h ex \<in> executions A)"
28
29definition temp_strengthening :: "('a, 's2) ioa_temp \<Rightarrow> ('a, 's1) ioa_temp \<Rightarrow> ('s1 \<Rightarrow> 's2) \<Rightarrow> bool"
30  where "temp_strengthening Q P h \<longleftrightarrow> (\<forall>ex. (cex_abs h ex \<TTurnstile> Q) \<longrightarrow> (ex \<TTurnstile> P))"
31
32definition temp_weakening :: "('a, 's2) ioa_temp \<Rightarrow> ('a, 's1) ioa_temp \<Rightarrow> ('s1 \<Rightarrow> 's2) \<Rightarrow> bool"
33  where "temp_weakening Q P h \<longleftrightarrow> temp_strengthening (\<^bold>\<not> Q) (\<^bold>\<not> P) h"
34
35definition state_strengthening :: "('a, 's2) step_pred \<Rightarrow> ('a, 's1) step_pred \<Rightarrow> ('s1 \<Rightarrow> 's2) \<Rightarrow> bool"
36  where "state_strengthening Q P h \<longleftrightarrow> (\<forall>s t a. Q (h s, a, h t) \<longrightarrow> P (s, a, t))"
37
38definition state_weakening :: "('a, 's2) step_pred \<Rightarrow> ('a, 's1) step_pred \<Rightarrow> ('s1 \<Rightarrow> 's2) \<Rightarrow> bool"
39  where "state_weakening Q P h \<longleftrightarrow> state_strengthening (\<^bold>\<not> Q) (\<^bold>\<not> P) h"
40
41definition is_live_abstraction :: "('s1 \<Rightarrow> 's2) \<Rightarrow> ('a, 's1) live_ioa \<Rightarrow> ('a, 's2) live_ioa \<Rightarrow> bool"
42  where "is_live_abstraction h CL AM \<longleftrightarrow>
43    is_abstraction h (fst CL) (fst AM) \<and> temp_weakening (snd AM) (snd CL) h"
44
45
46(* thm about ex2seq which is not provable by induction as ex2seq is not continous *)
47axiomatization where
48  ex2seq_abs_cex: "ex2seq (cex_abs h ex) = cex_absSeq h (ex2seq ex)"
49
50(* analog to the proved thm strength_Box - proof skipped as trivial *)
51axiomatization where
52  weak_Box: "temp_weakening P Q h \<Longrightarrow> temp_weakening (\<box>P) (\<box>Q) h"
53
54(* analog to the proved thm strength_Next - proof skipped as trivial *)
55axiomatization where
56  weak_Next: "temp_weakening P Q h \<Longrightarrow> temp_weakening (\<circle>P) (\<circle>Q) h"
57
58
59subsection \<open>\<open>cex_abs\<close>\<close>
60
61lemma cex_abs_UU [simp]: "cex_abs f (s, UU) = (f s, UU)"
62  by (simp add: cex_abs_def)
63
64lemma cex_abs_nil [simp]: "cex_abs f (s,nil) = (f s, nil)"
65  by (simp add: cex_abs_def)
66
67lemma cex_abs_cons [simp]:
68  "cex_abs f (s, (a, t) \<leadsto> ex) = (f s, (a, f t) \<leadsto> (snd (cex_abs f (t, ex))))"
69  by (simp add: cex_abs_def)
70
71
72subsection \<open>Lemmas\<close>
73
74lemma temp_weakening_def2: "temp_weakening Q P h \<longleftrightarrow> (\<forall>ex. (ex \<TTurnstile> P) \<longrightarrow> (cex_abs h ex \<TTurnstile> Q))"
75  apply (simp add: temp_weakening_def temp_strengthening_def NOT_def temp_sat_def satisfies_def)
76  apply auto
77  done
78
79lemma state_weakening_def2: "state_weakening Q P h \<longleftrightarrow> (\<forall>s t a. P (s, a, t) \<longrightarrow> Q (h s, a, h t))"
80  apply (simp add: state_weakening_def state_strengthening_def NOT_def)
81  apply auto
82  done
83
84
85subsection \<open>Abstraction Rules for Properties\<close>
86
87lemma exec_frag_abstraction [rule_format]:
88  "is_abstraction h C A \<Longrightarrow>
89    \<forall>s. reachable C s \<and> is_exec_frag C (s, xs) \<longrightarrow> is_exec_frag A (cex_abs h (s, xs))"
90  apply (simp add: cex_abs_def)
91  apply (pair_induct xs simp: is_exec_frag_def)
92  txt \<open>main case\<close>
93  apply (auto dest: reachable.reachable_n simp add: is_abstraction_def)
94  done
95
96lemma abs_is_weakening: "is_abstraction h C A \<Longrightarrow> weakeningIOA A C h"
97  apply (simp add: weakeningIOA_def)
98  apply auto
99  apply (simp add: executions_def)
100  txt \<open>start state\<close>
101  apply (rule conjI)
102  apply (simp add: is_abstraction_def cex_abs_def)
103  txt \<open>is-execution-fragment\<close>
104  apply (erule exec_frag_abstraction)
105  apply (simp add: reachable.reachable_0)
106  done
107
108
109lemma AbsRuleT1:
110  "is_abstraction h C A \<Longrightarrow> validIOA A Q \<Longrightarrow> temp_strengthening Q P h \<Longrightarrow> validIOA C P"
111  apply (drule abs_is_weakening)
112  apply (simp add: weakeningIOA_def validIOA_def temp_strengthening_def)
113  apply (auto simp add: split_paired_all)
114  done
115
116
117lemma AbsRuleT2:
118  "is_live_abstraction h (C, L) (A, M) \<Longrightarrow> validLIOA (A, M) Q \<Longrightarrow> temp_strengthening Q P h
119    \<Longrightarrow> validLIOA (C, L) P"
120  apply (unfold is_live_abstraction_def)
121  apply auto
122  apply (drule abs_is_weakening)
123  apply (simp add: weakeningIOA_def temp_weakening_def2 validLIOA_def validIOA_def temp_strengthening_def)
124  apply (auto simp add: split_paired_all)
125  done
126
127
128lemma AbsRuleTImprove:
129  "is_live_abstraction h (C, L) (A, M) \<Longrightarrow> validLIOA (A,M) (H1 \<^bold>\<longrightarrow> Q) \<Longrightarrow>
130    temp_strengthening Q P h \<Longrightarrow> temp_weakening H1 H2 h \<Longrightarrow> validLIOA (C, L) H2 \<Longrightarrow>
131    validLIOA (C, L) P"
132  apply (unfold is_live_abstraction_def)
133  apply auto
134  apply (drule abs_is_weakening)
135  apply (simp add: weakeningIOA_def temp_weakening_def2 validLIOA_def validIOA_def temp_strengthening_def)
136  apply (auto simp add: split_paired_all)
137  done
138
139
140subsection \<open>Correctness of safe abstraction\<close>
141
142lemma abstraction_is_ref_map: "is_abstraction h C A \<Longrightarrow> is_ref_map h C A"
143  apply (auto simp: is_abstraction_def is_ref_map_def)
144  apply (rule_tac x = "(a,h t) \<leadsto>nil" in exI)
145  apply (simp add: move_def)
146  done
147
148lemma abs_safety: "inp C = inp A \<Longrightarrow> out C = out A \<Longrightarrow> is_abstraction h C A \<Longrightarrow> C =<| A"
149  apply (simp add: ioa_implements_def)
150  apply (rule trace_inclusion)
151  apply (simp (no_asm) add: externals_def)
152  apply (auto)[1]
153  apply (erule abstraction_is_ref_map)
154  done
155
156
157subsection \<open>Correctness of life abstraction\<close>
158
159text \<open>
160  Reduces to \<open>Filter (Map fst x) = Filter (Map fst (Map (\<lambda>(a, t). (a, x)) x)\<close>,
161  that is to special Map Lemma.
162\<close>
163lemma traces_coincide_abs:
164  "ext C = ext A \<Longrightarrow> mk_trace C \<cdot> xs = mk_trace A \<cdot> (snd (cex_abs f (s, xs)))"
165  apply (unfold cex_abs_def mk_trace_def filter_act_def)
166  apply simp
167  apply (pair_induct xs)
168  done
169
170
171text \<open>
172  Does not work with \<open>abstraction_is_ref_map\<close> as proof of \<open>abs_safety\<close>, because
173  \<open>is_live_abstraction\<close> includes \<open>temp_strengthening\<close> which is necessarily based
174  on \<open>cex_abs\<close> and not on \<open>corresp_ex\<close>. Thus, the proof is redone in a more specific
175  way for \<open>cex_abs\<close>.
176\<close>
177lemma abs_liveness:
178  "inp C = inp A \<Longrightarrow> out C = out A \<Longrightarrow> is_live_abstraction h (C, M) (A, L) \<Longrightarrow>
179    live_implements (C, M) (A, L)"
180  apply (simp add: is_live_abstraction_def live_implements_def livetraces_def liveexecutions_def)
181  apply auto
182  apply (rule_tac x = "cex_abs h ex" in exI)
183  apply auto
184  text \<open>Traces coincide\<close>
185  apply (pair ex)
186  apply (rule traces_coincide_abs)
187  apply (simp (no_asm) add: externals_def)
188  apply (auto)[1]
189
190  text \<open>\<open>cex_abs\<close> is execution\<close>
191  apply (pair ex)
192  apply (simp add: executions_def)
193  text \<open>start state\<close>
194  apply (rule conjI)
195  apply (simp add: is_abstraction_def cex_abs_def)
196  text \<open>\<open>is_execution_fragment\<close>\<close>
197  apply (erule exec_frag_abstraction)
198  apply (simp add: reachable.reachable_0)
199
200  text \<open>Liveness\<close>
201  apply (simp add: temp_weakening_def2)
202   apply (pair ex)
203  done
204
205
206subsection \<open>Abstraction Rules for Automata\<close>
207
208lemma AbsRuleA1:
209  "inp C = inp A \<Longrightarrow> out C = out A \<Longrightarrow> inp Q = inp P \<Longrightarrow> out Q = out P \<Longrightarrow>
210    is_abstraction h1 C A \<Longrightarrow> A =<| Q \<Longrightarrow> is_abstraction h2 Q P \<Longrightarrow> C =<| P"
211  apply (drule abs_safety)
212  apply assumption+
213  apply (drule abs_safety)
214  apply assumption+
215  apply (erule implements_trans)
216  apply (erule implements_trans)
217  apply assumption
218  done
219
220lemma AbsRuleA2:
221  "inp C = inp A \<Longrightarrow> out C = out A \<Longrightarrow> inp Q = inp P \<Longrightarrow> out Q = out P \<Longrightarrow>
222    is_live_abstraction h1 (C, LC) (A, LA) \<Longrightarrow> live_implements (A, LA) (Q, LQ) \<Longrightarrow>
223    is_live_abstraction h2 (Q, LQ) (P, LP) \<Longrightarrow> live_implements (C, LC) (P, LP)"
224  apply (drule abs_liveness)
225  apply assumption+
226  apply (drule abs_liveness)
227  apply assumption+
228  apply (erule live_implements_trans)
229  apply (erule live_implements_trans)
230  apply assumption
231  done
232
233
234declare split_paired_All [simp del]
235
236
237subsection \<open>Localizing Temporal Strengthenings and Weakenings\<close>
238
239lemma strength_AND:
240  "temp_strengthening P1 Q1 h \<Longrightarrow> temp_strengthening P2 Q2 h \<Longrightarrow>
241    temp_strengthening (P1 \<^bold>\<and> P2) (Q1 \<^bold>\<and> Q2) h"
242  by (auto simp: temp_strengthening_def)
243
244lemma strength_OR:
245  "temp_strengthening P1 Q1 h \<Longrightarrow> temp_strengthening P2 Q2 h \<Longrightarrow>
246    temp_strengthening (P1 \<^bold>\<or> P2) (Q1 \<^bold>\<or> Q2) h"
247  by (auto simp: temp_strengthening_def)
248
249lemma strength_NOT: "temp_weakening P Q h \<Longrightarrow> temp_strengthening (\<^bold>\<not> P) (\<^bold>\<not> Q) h"
250  by (auto simp: temp_weakening_def2 temp_strengthening_def)
251
252lemma strength_IMPLIES:
253  "temp_weakening P1 Q1 h \<Longrightarrow> temp_strengthening P2 Q2 h \<Longrightarrow>
254    temp_strengthening (P1 \<^bold>\<longrightarrow> P2) (Q1 \<^bold>\<longrightarrow> Q2) h"
255  by (simp add: temp_weakening_def2 temp_strengthening_def)
256
257
258lemma weak_AND:
259  "temp_weakening P1 Q1 h \<Longrightarrow> temp_weakening P2 Q2 h \<Longrightarrow>
260    temp_weakening (P1 \<^bold>\<and> P2) (Q1 \<^bold>\<and> Q2) h"
261  by (simp add: temp_weakening_def2)
262
263lemma weak_OR:
264  "temp_weakening P1 Q1 h \<Longrightarrow> temp_weakening P2 Q2 h \<Longrightarrow>
265    temp_weakening (P1 \<^bold>\<or> P2) (Q1 \<^bold>\<or> Q2) h"
266  by (simp add: temp_weakening_def2)
267
268lemma weak_NOT:
269  "temp_strengthening P Q h \<Longrightarrow> temp_weakening (\<^bold>\<not> P) (\<^bold>\<not> Q) h"
270  by (auto simp add: temp_weakening_def2 temp_strengthening_def)
271
272lemma weak_IMPLIES:
273  "temp_strengthening P1 Q1 h \<Longrightarrow> temp_weakening P2 Q2 h \<Longrightarrow>
274    temp_weakening (P1 \<^bold>\<longrightarrow> P2) (Q1 \<^bold>\<longrightarrow> Q2) h"
275  by (simp add: temp_weakening_def2 temp_strengthening_def)
276
277
278subsubsection \<open>Box\<close>
279
280(* FIXME: should be same as nil_is_Conc2 when all nils are turned to right side! *)
281lemma UU_is_Conc: "(UU = x @@ y) = (((x::'a Seq)= UU) | (x = nil \<and> y = UU))"
282  by (Seq_case_simp x)
283
284lemma ex2seqConc [rule_format]:
285  "Finite s1 \<longrightarrow> (\<forall>ex. (s \<noteq> nil \<and> s \<noteq> UU \<and> ex2seq ex = s1 @@ s) \<longrightarrow> (\<exists>ex'. s = ex2seq ex'))"
286  apply (rule impI)
287  apply Seq_Finite_induct
288  apply blast
289  text \<open>main case\<close>
290  apply clarify
291  apply (pair ex)
292  apply (Seq_case_simp x2)
293  text \<open>\<open>UU\<close> case\<close>
294  apply (simp add: nil_is_Conc)
295  text \<open>\<open>nil\<close> case\<close>
296  apply (simp add: nil_is_Conc)
297  text \<open>cons case\<close>
298  apply (pair aa)
299  apply auto
300  done
301
302(* important property of ex2seq: can be shiftet, as defined "pointwise" *)
303lemma ex2seq_tsuffix: "tsuffix s (ex2seq ex) \<Longrightarrow> \<exists>ex'. s = (ex2seq ex')"
304  apply (unfold tsuffix_def suffix_def)
305  apply auto
306  apply (drule ex2seqConc)
307  apply auto
308  done
309
310
311(*important property of cex_absSeq: As it is a 1to1 correspondence,
312  properties carry over *)
313lemma cex_absSeq_tsuffix: "tsuffix s t \<Longrightarrow> tsuffix (cex_absSeq h s) (cex_absSeq h t)"
314  apply (unfold tsuffix_def suffix_def cex_absSeq_def)
315  apply auto
316  apply (simp add: Mapnil)
317  apply (simp add: MapUU)
318  apply (rule_tac x = "Map (% (s,a,t) . (h s,a, h t))\<cdot>s1" in exI)
319  apply (simp add: Map2Finite MapConc)
320  done
321
322
323lemma strength_Box: "temp_strengthening P Q h \<Longrightarrow> temp_strengthening (\<box>P) (\<box>Q) h"
324  apply (unfold temp_strengthening_def state_strengthening_def temp_sat_def satisfies_def Box_def)
325  apply clarify
326  apply (frule ex2seq_tsuffix)
327  apply clarify
328  apply (drule_tac h = "h" in cex_absSeq_tsuffix)
329  apply (simp add: ex2seq_abs_cex)
330  done
331
332
333subsubsection \<open>Init\<close>
334
335lemma strength_Init:
336  "state_strengthening P Q h \<Longrightarrow> temp_strengthening (Init P) (Init Q) h"
337  apply (unfold temp_strengthening_def state_strengthening_def
338    temp_sat_def satisfies_def Init_def unlift_def)
339  apply auto
340  apply (pair ex)
341  apply (Seq_case_simp x2)
342  apply (pair a)
343  done
344
345
346subsubsection \<open>Next\<close>
347
348lemma TL_ex2seq_UU: "TL \<cdot> (ex2seq (cex_abs h ex)) = UU \<longleftrightarrow> TL \<cdot> (ex2seq ex) = UU"
349  apply (pair ex)
350  apply (Seq_case_simp x2)
351  apply (pair a)
352  apply (Seq_case_simp s)
353  apply (pair a)
354  done
355
356lemma TL_ex2seq_nil: "TL \<cdot> (ex2seq (cex_abs h ex)) = nil \<longleftrightarrow> TL \<cdot> (ex2seq ex) = nil"
357  apply (pair ex)
358  apply (Seq_case_simp x2)
359  apply (pair a)
360  apply (Seq_case_simp s)
361  apply (pair a)
362  done
363
364(*important property of cex_absSeq: As it is a 1to1 correspondence,
365  properties carry over*)
366lemma cex_absSeq_TL: "cex_absSeq h (TL \<cdot> s) = TL \<cdot> (cex_absSeq h s)"
367  by (simp add: MapTL cex_absSeq_def)
368
369(* important property of ex2seq: can be shiftet, as defined "pointwise" *)
370lemma TLex2seq: "snd ex \<noteq> UU \<Longrightarrow> snd ex \<noteq> nil \<Longrightarrow> \<exists>ex'. TL\<cdot>(ex2seq ex) = ex2seq ex'"
371  apply (pair ex)
372  apply (Seq_case_simp x2)
373  apply (pair a)
374  apply auto
375  done
376
377lemma ex2seqnilTL: "TL \<cdot> (ex2seq ex) \<noteq> nil \<longleftrightarrow> snd ex \<noteq> nil \<and> snd ex \<noteq> UU"
378  apply (pair ex)
379  apply (Seq_case_simp x2)
380  apply (pair a)
381  apply (Seq_case_simp s)
382  apply (pair a)
383  done
384
385lemma strength_Next: "temp_strengthening P Q h \<Longrightarrow> temp_strengthening (\<circle>P) (\<circle>Q) h"
386  apply (unfold temp_strengthening_def state_strengthening_def temp_sat_def satisfies_def Next_def)
387  apply simp
388  apply auto
389  apply (simp add: TL_ex2seq_nil TL_ex2seq_UU)
390  apply (simp add: TL_ex2seq_nil TL_ex2seq_UU)
391  apply (simp add: TL_ex2seq_nil TL_ex2seq_UU)
392  apply (simp add: TL_ex2seq_nil TL_ex2seq_UU)
393  text \<open>cons case\<close>
394  apply (simp add: TL_ex2seq_nil TL_ex2seq_UU ex2seq_abs_cex cex_absSeq_TL [symmetric] ex2seqnilTL)
395  apply (erule conjE)
396  apply (drule TLex2seq)
397  apply assumption
398  apply auto
399  done
400
401
402text \<open>Localizing Temporal Weakenings - 2\<close>
403
404lemma weak_Init: "state_weakening P Q h \<Longrightarrow> temp_weakening (Init P) (Init Q) h"
405  apply (simp add: temp_weakening_def2 state_weakening_def2
406    temp_sat_def satisfies_def Init_def unlift_def)
407  apply auto
408  apply (pair ex)
409  apply (Seq_case_simp x2)
410  apply (pair a)
411  done
412
413
414text \<open>Localizing Temproal Strengthenings - 3\<close>
415
416lemma strength_Diamond: "temp_strengthening P Q h \<Longrightarrow> temp_strengthening (\<diamond>P) (\<diamond>Q) h"
417  apply (unfold Diamond_def)
418  apply (rule strength_NOT)
419  apply (rule weak_Box)
420  apply (erule weak_NOT)
421  done
422
423lemma strength_Leadsto:
424  "temp_weakening P1 P2 h \<Longrightarrow> temp_strengthening Q1 Q2 h \<Longrightarrow>
425    temp_strengthening (P1 \<leadsto> Q1) (P2 \<leadsto> Q2) h"
426  apply (unfold Leadsto_def)
427  apply (rule strength_Box)
428  apply (erule strength_IMPLIES)
429  apply (erule strength_Diamond)
430  done
431
432
433text \<open>Localizing Temporal Weakenings - 3\<close>
434
435lemma weak_Diamond: "temp_weakening P Q h \<Longrightarrow> temp_weakening (\<diamond>P) (\<diamond>Q) h"
436  apply (unfold Diamond_def)
437  apply (rule weak_NOT)
438  apply (rule strength_Box)
439  apply (erule strength_NOT)
440  done
441
442lemma weak_Leadsto:
443  "temp_strengthening P1 P2 h \<Longrightarrow> temp_weakening Q1 Q2 h \<Longrightarrow>
444    temp_weakening (P1 \<leadsto> Q1) (P2 \<leadsto> Q2) h"
445  apply (unfold Leadsto_def)
446  apply (rule weak_Box)
447  apply (erule weak_IMPLIES)
448  apply (erule weak_Diamond)
449  done
450
451lemma weak_WF:
452  "(\<And>s. Enabled A acts (h s) \<Longrightarrow> Enabled C acts s)
453    \<Longrightarrow> temp_weakening (WF A acts) (WF C acts) h"
454  apply (unfold WF_def)
455  apply (rule weak_IMPLIES)
456  apply (rule strength_Diamond)
457  apply (rule strength_Box)
458  apply (rule strength_Init)
459  apply (rule_tac [2] weak_Box)
460  apply (rule_tac [2] weak_Diamond)
461  apply (rule_tac [2] weak_Init)
462  apply (auto simp add: state_weakening_def state_strengthening_def
463    xt2_def plift_def option_lift_def NOT_def)
464  done
465
466lemma weak_SF:
467  "(\<And>s. Enabled A acts (h s) \<Longrightarrow> Enabled C acts s)
468    \<Longrightarrow> temp_weakening (SF A acts) (SF C acts) h"
469  apply (unfold SF_def)
470  apply (rule weak_IMPLIES)
471  apply (rule strength_Box)
472  apply (rule strength_Diamond)
473  apply (rule strength_Init)
474  apply (rule_tac [2] weak_Box)
475  apply (rule_tac [2] weak_Diamond)
476  apply (rule_tac [2] weak_Init)
477  apply (auto simp add: state_weakening_def state_strengthening_def
478    xt2_def plift_def option_lift_def NOT_def)
479  done
480
481
482lemmas weak_strength_lemmas =
483  weak_OR weak_AND weak_NOT weak_IMPLIES weak_Box weak_Next weak_Init
484  weak_Diamond weak_Leadsto strength_OR strength_AND strength_NOT
485  strength_IMPLIES strength_Box strength_Next strength_Init
486  strength_Diamond strength_Leadsto weak_WF weak_SF
487
488ML \<open>
489fun abstraction_tac ctxt =
490  SELECT_GOAL (auto_tac
491    (ctxt addSIs @{thms weak_strength_lemmas}
492      addsimps [@{thm state_strengthening_def}, @{thm state_weakening_def}]))
493\<close>
494
495method_setup abstraction = \<open>Scan.succeed (SIMPLE_METHOD' o abstraction_tac)\<close>
496
497end
498