(* Goal verification framework - Actions *) \ \This theory sets up the concepts of agents, actions, transitions and traces. We extend the language for mental state formulas with enabledness of actions. We provide its syntax, semantics and a sound proof system.\ theory Gvf_Actions imports Gvf_Mental_States begin section \Actions\ \ \The identifier for basic actions is a natural number.\ type_synonym Bcap = string \ \Agent capability is a basic capability, adopt or drop (the latter two are built into GOAL).\ datatype cap = basic (bcap: Bcap) | adopt (cget: \\<^sub>L) | drop (cget: \\<^sub>L) \ \Type for conditional action that is a pair: a condition on the mental state and a basic action.\ type_synonym cond_act = \\\<^sub>M \ cap\ \ \Atoms are extended with enabled for basic/conditional actions.\ datatype Atom\<^sub>E = Bl\<^sub>E \\<^sub>L | Gl\<^sub>E \\<^sub>L | enabled_basic cap | enabled_cond cond_act \ \The simple type theory makes it less delicate to extend types, so we redefine the belief and goal operators while adding two new options: one for basic and one for conditional actions.\ \ \The type for mental state formulas concerning enabledness.\ type_synonym \\<^sub>E = \Atom\<^sub>E \\<^sub>P\ \ \Introducing some notation.\ abbreviation \B\<^sub>E \ \ Atom (Bl\<^sub>E \)\ abbreviation \G\<^sub>E \ \ Atom (Gl\<^sub>E \)\ abbreviation \enabledb\<^sub>E c \ Atom (enabled_basic c)\ abbreviation \enabled\<^sub>E c \ Atom (enabled_cond c)\ abbreviation \enabledb c \ Atom (enabled_basic c)\ abbreviation \enabled c \ Atom (enabled_cond c)\ abbreviation cond_act_pair :: \\\<^sub>M \ cap \ cond_act\ (\_ \ do _\) where \\ \ do a \ (\, a)\ \ \Auxiliary function that converts mental state formulas to the type including enabledness.\ fun to_\\<^sub>E :: \\\<^sub>M \ \\<^sub>E\ (\_\<^sup>E\ [100]) where \(Atom (Bl \))\<^sup>E = Atom (Bl\<^sub>E \)\ | \(Atom (Gl \))\<^sup>E = Atom (Gl\<^sub>E \)\ | \\<^bold>\\<^sup>E = \<^bold>\\ | \(\<^bold>\ \)\<^sup>E = \<^bold>\ (\\<^sup>E)\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = \\<^sub>1\<^sup>E \<^bold>\ \\<^sub>2\<^sup>E\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = \\<^sub>1\<^sup>E \<^bold>\ \\<^sub>2\<^sup>E\ | \(\\<^sub>1 \<^bold>\ \\<^sub>2)\<^sup>E = \\<^sub>1\<^sup>E \<^bold>\ \\<^sub>2\<^sup>E\ fun to_\\<^sub>M :: \\\<^sub>E \ \\<^sub>M option\ where \to_\\<^sub>M (Atom (Bl\<^sub>E \)) = Some (Atom (Bl \))\ | \to_\\<^sub>M (Atom (Gl\<^sub>E \)) = Some (Atom (Gl \))\ | \to_\\<^sub>M \<^bold>\ = Some \<^bold>\\ | \to_\\<^sub>M (\<^bold>\ \) = (case to_\\<^sub>M \ of Some \' \ Some (\<^bold>\ \') | _ \ None)\ | \to_\\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) = (case (to_\\<^sub>M \\<^sub>1, to_\\<^sub>M \\<^sub>2) of (Some \\<^sub>1', Some \\<^sub>2') \ Some (\\<^sub>1' \<^bold>\ \\<^sub>2') | _ \ None)\ | \to_\\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) = (case (to_\\<^sub>M \\<^sub>1, to_\\<^sub>M \\<^sub>2) of (Some \\<^sub>1', Some \\<^sub>2') \ Some (\\<^sub>1' \<^bold>\ \\<^sub>2') | _ \ None)\ | \to_\\<^sub>M (\\<^sub>1 \<^bold>\ \\<^sub>2) = (case (to_\\<^sub>M \\<^sub>1, to_\\<^sub>M \\<^sub>2) of (Some \\<^sub>1', Some \\<^sub>2') \ Some (\\<^sub>1' \<^bold>\ \\<^sub>2') | _ \ None)\ | \to_\\<^sub>M _ = None\ section \Semantics of GOAL\ \ \The type for the function \ that gives the agent's belief update capabilities.\ type_synonym bel_upd_t = \Bcap \ mental_state \ \\<^sub>L list option\ \ \We replace notion of undefined (from paper) with an optional value, i.e. \ a \ = None means that basic action a is not defined for \. We further assume that the goal base (entire mental state) is added to the input.\ \ \The mental state transformer gives the agent's mental state update capabilities.\ fun mental_state_transformer :: \bel_upd_t \ cap \ mental_state \ mental_state option\ (\\*\) where \ \If \ a \ is defined, update the goal base accordingly.\ \\* \ (basic n) (\, \) = (case \ n (\, \) of Some \' \ Some (\', [\\\. \ \' \<^bold>\\<^sub>P \]) | _ \ None)\ | \ \Remove the goals that entail \.\ \\* \ (drop \) (\, \) = Some (\, [\\\. \ [\] \<^bold>\\<^sub>P \])\ | \ \Add the goal \ if it is consistent and not entailed by the belief base.\ \\* \ (adopt \) (\, \) = (if \ \\<^sub>P (\<^bold>\ \) \ \ \ \<^bold>\\<^sub>P \ then Some (\, List.insert \ \) else None)\ lemma mst_none: \\* \ (basic a) M = None \ \ a M = None\ proof (cases M) case (Pair \ \) have \\* \ (basic a) (\, \) = None \ \ a (\, \) = None\ by (cases \\ a (\, \)\) auto with Pair show ?thesis by simp qed lemma new_base_is_mst: \\ \' \<^bold>\\<^sub>P \<^bold>\ \ \(\, \) \ \(\', [\\\. \ \' \<^bold>\\<^sub>P \])\ unfolding is_mental_state_def by simp \ \We fix to a single agent and assume a given belief update function, a set of conditional actions and an initial state.\ locale single_agent = fixes \ :: bel_upd_t and \ :: \cond_act set\ and M\<^sub>0 :: mental_state assumes \ \Non-empty set of conditional actions and initial state is a mental state.\ is_agent: \\ \ {} \ \ M\<^sub>0\ and \ \\ preserves consistency.\ \_consistent: \\(\, \) \ (\\. (\, basic a) \ \) \ \ \ \<^bold>\\<^sub>P \<^bold>\ \ \ a (\, \) \ None \ \ the (\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ and \ \\ only for defined actions.\ \_in_domain: \\ a (\, \) \ None \ (\\. (\, basic a) \ \)\ \ \Working in the context of single_agent, means that we can base definitions, proofs etc. around fixed variables for which a number of assumptions apply. For a specific agent, we need to prove that the assumptions apply for the given input variables. By doing so, we get immediate access to everything defined within the single_agent context.\ context single_agent begin \ \Basic capabilities derived from the set of conditional actions.\ definition Cap :: \cap set\ where \Cap \ { basic a | a. \\. (\, basic a) \ \ } \ range adopt \ range drop\ \ \We assume that a basic capability is represented by at least one conditional action.\ lemma adopt_Cap: \adopt \ \ Cap\ unfolding Cap_def by simp lemma drop_Cap: \drop \ \ Cap\ unfolding Cap_def by simp \ \Define mental state transformer local to the agent.\ abbreviation \\ a M \ \* \ a M\ \ \Examples.\ lemma assumes \\ n ([P], [Q]) = Some [P, Q]\ shows \\ (basic n) ([P], [Q]) = Some ([P, Q], [])\ using assms by simp lemma \\ (drop \<^bold>\) ([], [P, Q]) = Some ([], [])\ by simp lemma assumes \\ \\<^sub>P (\<^bold>\ Q)\ and \\ \\<^sub>P Q\ shows \\ (adopt Q) ([], [P]) = Some ([], List.insert Q [P])\ using assms by simp \ \The mental state transformer is only defined for actions of \.\ lemma \_some_in_\: assumes \\ (basic a) M \ None\ shows \\\. (\, (basic a)) \ \\ proof (cases M) case (Pair \ \) with assms obtain \' \' where someM: \\ (basic a) (\, \) = Some (\', \')\ by auto then have \\ a (\, \) = Some \'\ proof (cases \\ a (\, \)\) case None then have \\ (basic a) (\, \) = None\ by simp with someM show ?thesis by simp next case (Some \'') moreover have \fst (the (\ (basic a) (\, \))) = \''\ using Some by simp moreover have \fst (the (\ (basic a) (\, \))) = \'\ using someM by simp ultimately show ?thesis by simp qed with \_in_domain show ?thesis by blast qed \ \The mental state transformer is only defined for basic capabilities of Cap.\ lemma \_some_Cap: assumes \\ a M \ None\ shows \a \ Cap\ using assms \_some_in_\ unfolding Cap_def by (cases a) auto \ \Mental state transformer preserves properties of mental states (when \ preserves consistency).\ lemma \_preserves_mst: \\ (\, \) \ \ c (\, \) \ None \ \ (the (\ c (\, \)))\ proof (induct c) case basic: (basic a) then obtain \' where \': \\ a (\, \) = Some \'\ by fastforce have \\ (\', [\\\. \ \' \<^bold>\\<^sub>P \])\ (is \\ (\', ?\')\) proof - have \\ \' \<^bold>\\<^sub>P \<^bold>\\ proof - from basic(1) have \\ \ \<^bold>\\<^sub>P \<^bold>\\ unfolding is_mental_state_def by simp moreover have \\\. (\, basic a) \ \\ using \_some_in_\ basic.prems(2) by blast ultimately have \\ the (\ a (\, \)) \<^bold>\\<^sub>P \<^bold>\\ using \' \_consistent basic by blast with \' show ?thesis by simp qed moreover from basic(1) have \\\\ set ?\'. \ \ \<^bold>\\<^sub>P \ \ \ \\<^sub>P (\<^bold>\ \)\ unfolding is_mental_state_def by simp ultimately show ?thesis unfolding is_mental_state_def by simp qed with \' show ?case by simp next case adopt: (adopt \) with mental_state_transformer.simps(3) have mst_goal: \\ \\<^sub>P (\<^bold>\ \) \ \ \ \<^bold>\\<^sub>P \\ by metis with adopt(1) have \\ (\, List.insert \ \)\ unfolding is_mental_state_def by simp with mst_goal show ?case by simp next case (drop \) then have \\ (\, [\\\. \ [\] \<^bold>\\<^sub>P \])\ unfolding is_mental_state_def by simp then show ?case by simp qed section \Traces\ \ \Transition relation between states due to an action.\ definition transition :: \mental_state \ cond_act \ mental_state \ bool\ (\_ \_ _\) where \M \b M' \ b \ \ \ M \\<^sub>M (fst b) \ \ (snd b) M = Some M'\ \ \If b is a conditional action, and the condition true in M, then there is possible transition between M and M' where M' is the result of applying \ for a to M.\ \ \Chain of transitions (computation steps) gives the computation relation.\ inductive computation :: \mental_state \ mental_state \ bool\ (\_ \* _\) where \ \The base step from the initial mental state.\ basis: \M\<^sub>0 \b M' \ M\<^sub>0 \* M'\ | \ \Inductive step from an existing computation given a transition.\ step: \M \* M' \ M' \b M'' \ M \* M''\ \ \Example\ lemma \M\<^sub>0 \a M\<^sub>1 \ M\<^sub>1 \b M\<^sub>2 \ M\<^sub>0 \* M\<^sub>2\ using basis step by blast \ \Traces are infinite structures.\ codatatype trace = Trace mental_state \cond_act \ trace\ \ \trace := mental state, conditional action, trace\ \ \Example.\ value \Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))\ \ \Retrieve the nth conditional action of the trace.\ fun act_nth :: \trace \ nat \ cond_act\ where \act_nth (Trace _ (b, _)) 0 = b\ | \act_nth (Trace _ (_, S)) n = act_nth S (n-1)\ \ \Example.\ lemma \b = act_nth (Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))) 1\ by simp \ \Retrieve the nth mental state of the trace.\ fun st_nth :: \trace \ nat \ mental_state\ where \st_nth (Trace M (_, _)) 0 = M\ | \st_nth (Trace _ (_, S)) n = st_nth S (n-1)\ \ \Example.\ lemma \M\<^sub>1 = st_nth (Trace M\<^sub>0 (a, (Trace M\<^sub>1 (b, (Trace M\<^sub>2 X))))) 1\ by simp \ \if (\, a) is the ith conditional action of trace s, then the first value of (act_nth s i) is \. This is intuitively easy to see, but pattern matching using equality can be problematic.\ lemma fst_act_nth: \(\, a) = act_nth s i \ fst (act_nth s i) = \\ by (metis fstI) \ \The same as above but for the second value.\ lemma snd_act_nth: \(\, a) = act_nth s i \ snd (act_nth s i) = a\ by (metis sndI) \ \The definition of a trace (not every element of the datatype trace qualifies).\ definition is_trace :: \trace \ bool\ where \is_trace s \ \i. (act_nth s i) \ \ \ (((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ \(\M. ((st_nth s i) \(act_nth s i) M)) \ (st_nth s i) = (st_nth s (i+1)))\ \ \For all i there is a transition between M_i and M_(i+1) due to an action, or the action is not enabled and the successor state (M_(i+1)) is equal to the current (M_i).\ \ \The nth conditional action of a trace is in \.\ lemma trace_in_\: assumes \is_trace s\ shows \act_nth s i \ \\ using assms unfolding is_trace_def transition_def by auto \ \If there is no transition between a state and its successor in a trace, they must be equal.\ lemma not_transition_eq: assumes \is_trace s\ shows \\((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ (st_nth s i) = (st_nth s (i+1))\ (is \\(?M \?b ?M') \ ?M = ?M'\) proof assume \\(?M \?b ?M')\ with assms show \?M = ?M'\ unfolding is_trace_def by auto qed \ \A fair trace ensures that there always is a future point where an actions is scheduled.\ definition fair_trace :: \trace \ bool\ where \fair_trace s \ \ b \ \. \i. \ j > i. act_nth s j = b\ \ \An agent is defined as the set of fair traces starting from the initial state.\ definition Agent :: \trace set\ where \Agent \ {s . is_trace s \ fair_trace s \ st_nth s 0 = M\<^sub>0}\ \ \If the mental state transformer is defined for a state in the trace, then it gives the successor state.\ lemma \_suc_state: assumes \s \ Agent\ and \\ (snd (act_nth s i)) (st_nth s i) \ None\ and \st_nth s i \\<^sub>M fst (act_nth s i)\ shows \st_nth s (i+1) = the (\ (snd (act_nth s i)) (st_nth s i))\ (is \?M = the (\ ?a ?M')\) proof - from assms(1) have \is_trace s\ unfolding Agent_def by simp then have \(act_nth s i) \ \ \ (((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ \(\M. ((st_nth s i) \(act_nth s i) M)) \ (st_nth s i) = (st_nth s (i+1)))\ unfolding is_trace_def by simp moreover from trace_in_\ have \act_nth s i \ \\ using \is_trace s\ assms(2) by simp ultimately show ?thesis using assms(2,3) unfolding transition_def by auto qed \ \All states in trace comply to mental state definition.\ lemma is_mst_trace: assumes \s \ Agent\ shows \\ (st_nth s n)\ proof (induct n) case 0 with assms show ?case using is_agent unfolding Agent_def by simp next case (Suc n) let ?M = \st_nth s n\ and ?M' = \st_nth s (Suc n)\ and ?b = \act_nth s n\ have trace_n: \(?M \?b ?M') \ ?M = ?M'\ proof - from assms(1) have \is_trace s\ unfolding Agent_def by simp then show ?thesis unfolding is_trace_def by auto qed then show ?case proof (cases \?M \?b ?M'\) case True then have *: \st_nth s n \\<^sub>M fst (act_nth s n) \ \ (snd (act_nth s n)) (st_nth s n) \ None\ unfolding transition_def by simp with \_preserves_mst have \\ (the (\ (snd ?b) ?M))\ using Suc by (cases ?M) simp with \_suc_state show ?thesis using assms * unfolding Agent_def by simp next case False then have \?M = ?M'\ using trace_n by blast with Suc show ?thesis by simp qed qed fun the_Some :: \('a \ 'a option) \ ('a \ 'a)\ where \the_Some f x = (if f x = None then x else the (f x))\ abbreviation mst_basic_trace where \mst_basic_trace \ foldr (\a M. the_Some (\ a) M)\ definition mst_reachable_basic :: \mental_state \ bool\ where \mst_reachable_basic M \ \S. mst_basic_trace S M\<^sub>0 = M\ lemma \mst_basic_trace [a,b,c] M\<^sub>0 = the_Some (\ a) (the_Some (\ b) (the_Some (\ c) M\<^sub>0))\ by simp lemma mst_basic_trace_preserves_mst: \\(mst_basic_trace s M\<^sub>0) \ \ a (mst_basic_trace s M\<^sub>0) \ None \ \(mst_basic_trace (a # s) M\<^sub>0)\ proof - assume \\(mst_basic_trace s M\<^sub>0)\ (is \\?M\) moreover assume \\ a ?M \ None\ ultimately have \\(the (\ a ?M))\ using \_preserves_mst by (cases ?M) simp with \\?M\ show ?thesis by simp qed lemma mst_reachable_basic_is_mst: \mst_reachable_basic M \ \M\ unfolding mst_reachable_basic_def proof - assume \\s. mst_basic_trace s M\<^sub>0 = M\ then obtain s where \mst_basic_trace s M\<^sub>0 = M\ by auto moreover from is_agent have \\ M\<^sub>0\ by simp then have \\(mst_basic_trace s M\<^sub>0)\ proof (induct s) case (Cons a s) then have \\(mst_basic_trace s M\<^sub>0)\ . with mst_basic_trace_preserves_mst show ?case by (cases \\ a (mst_basic_trace s M\<^sub>0)\) (simp, blast) qed simp ultimately show ?thesis by simp qed lemma mst_reachable_basic_\: \mst_reachable_basic M \ \ a M \ None \ mst_reachable_basic (the (\ a M))\ proof - assume \mst_reachable_basic M\ then obtain S where \mst_basic_trace S M\<^sub>0 = M\ unfolding mst_reachable_basic_def by auto moreover assume \\ a M \ None\ ultimately have \mst_basic_trace (a # S) M\<^sub>0 = the (\ a M)\ by auto then show ?thesis unfolding mst_reachable_basic_def by blast qed lemma mst_reachable_basic_trace: assumes \s \ Agent\ shows \mst_reachable_basic (st_nth s i)\ proof (induct i) case 0 with assms have \st_nth s 0 = M\<^sub>0\ unfolding Agent_def by simp then have \mst_basic_trace [] M\<^sub>0 = (st_nth s 0)\ by simp then show ?case unfolding mst_reachable_basic_def by blast next case (Suc i) then obtain S where *: \mst_basic_trace S M\<^sub>0 = st_nth s i\ unfolding mst_reachable_basic_def by auto from assms have \is_trace s\ unfolding Agent_def by simp then have \(((st_nth s i) \(act_nth s i) (st_nth s (i+1))) \ \(\M. ((st_nth s i) \(act_nth s i) M)) \ (st_nth s i) = (st_nth s (i+1)))\ unfolding is_trace_def by auto then show ?case proof assume \(st_nth s i) \(act_nth s i) (st_nth s (i+1))\ moreover from this \_suc_state have \(st_nth s (i+1)) = the (\ (snd (act_nth s i)) (st_nth s i))\ using \s \ Agent\ unfolding transition_def by (metis option.distinct(1)) ultimately show ?thesis using Suc mst_reachable_basic_\ unfolding transition_def by fastforce next assume \\(\M. ((st_nth s i) \(act_nth s i) M)) \ (st_nth s i) = (st_nth s (i+1))\ with * show ?thesis unfolding mst_reachable_basic_def by auto qed qed section \Semantics\ \ \Truth of enabledness (semantics).\ fun semantics\<^sub>E' :: \mental_state \ Atom\<^sub>E \ bool\ where \ \Semantics of B and G are the same as for mental state formulas without enabled.\ \semantics\<^sub>E' M (Bl\<^sub>E \) = (M \\<^sub>M* Atom\<^sub>M.Bl \)\ | \semantics\<^sub>E' M (Gl\<^sub>E \) = (M \\<^sub>M* Atom\<^sub>M.Gl \)\ | \ \a is defined for the action and \ a is defined for M.\ \semantics\<^sub>E' M (enabled_basic a) = (a \ Cap \ \ a M \ None)\ | \ \Conditional action b is enabled if there exists a transition from M to M' using b for some M'.\ \semantics\<^sub>E' M (enabled_cond b) = (\M'. (M \b M'))\ \ \Semantics of atoms with enabled can be seen as an interpretation given a mental state.\ abbreviation semantics\<^sub>E :: \mental_state \ \\<^sub>E \ bool\ (infix \\\<^sub>E\ 50) where \M \\<^sub>E \ \ semantics\<^sub>P (semantics\<^sub>E' M) \\ abbreviation semantics\<^sub>_all\<^sub>E :: \\\<^sub>E \ bool\ (\\<^bold>\\<^sub>E\) where \\<^bold>\\<^sub>E \ \ (\M. mst_reachable_basic M \ M \\<^sub>E \)\ abbreviation semantics\<^sub>_all\<^sub>M :: \\\<^sub>M \ bool\ (\\<^bold>\\<^sub>M\) where \\<^bold>\\<^sub>M \ \ (\M. mst_reachable_basic M \ M \\<^sub>M \)\ \ \Bel-upd-t not enabled\ lemma bel_upd_not_enabled: \\ a M = None \ \ M \\<^sub>E enabledb (basic a)\ proof - assume \\ a M = None\ with mst_none have \\ (basic a) M = None\ by simp then show \\ M \\<^sub>E enabledb (basic a)\ by simp qed \ \The semantics of a converted formula is equal to the original.\ lemma transfer_semantics\<^sub>M: \M \\<^sub>M \ \ M \\<^sub>E \\<^sup>E\ proof (induct \) case (Atom x) show ?case by (cases x) simp_all qed simp_all \ \Formula conversion preserves semantics\ lemma sem_preserve_to_\\<^sub>M: \to_\\<^sub>M \ \ None \ M \\<^sub>E \ \ M \\<^sub>M (the (to_\\<^sub>M \))\ proof (induct \) case (Atom x) then show ?case by (induct x) auto next case (Negation \) moreover from this have \to_\\<^sub>M \ \ None\ by (metis option.simps(4) to_\\<^sub>M.simps(4)) ultimately show ?case by auto next case (Implication \\<^sub>1 \\<^sub>2) moreover from this have \to_\\<^sub>M \\<^sub>1 \ None\ \to_\\<^sub>M \\<^sub>2 \ None\ using case_prod_conv to_\\<^sub>M.simps(5) by (metis option.simps(4), metis (no_types, lifting) option.case_eq_if) ultimately show ?case by auto next case (Disjunction \\<^sub>1 \\<^sub>2) moreover from this have \to_\\<^sub>M \\<^sub>1 \ None\ \to_\\<^sub>M \\<^sub>2 \ None\ using case_prod_conv to_\\<^sub>M.simps(6) by (metis option.simps(4), metis (no_types, lifting) option.case_eq_if) ultimately show ?case by auto next case (Conjunction \\<^sub>1 \\<^sub>2) moreover from this have \to_\\<^sub>M \\<^sub>1 \ None\ \to_\\<^sub>M \\<^sub>2 \ None\ using case_prod_conv to_\\<^sub>M.simps(7) by (metis option.simps(4), metis (no_types, lifting) option.case_eq_if) ultimately show ?case by auto qed simp lemma sem_set_preserve_to_\\<^sub>M: assumes \None \ set (map to_\\<^sub>M \)\ shows \\\ \ set \. M \\<^sub>E \ \ M \\<^sub>M (the (to_\\<^sub>M \))\ proof fix \ assume \\ \ set \\ with assms have \to_\\<^sub>M \ \ None\ by force with sem_preserve_to_\\<^sub>M show \(M \\<^sub>E \) = (M \\<^sub>M the (to_\\<^sub>M \))\ by simp qed \ \Example.\ lemma \(M\<^sub>0 \b M\<^sub>1) \ M\<^sub>0 \\<^sub>E enabled b\ proof - assume \M\<^sub>0 \b M\<^sub>1\ then have \\M'. (M\<^sub>0 \b M')\ by blast then show \M\<^sub>0 \\<^sub>E enabled b\ by simp qed section \Proof system\ inductive gen\<^sub>E :: \Atom\<^sub>E gen_rules\ where E1\<^sub>E: \(\ \ do a) \ \ \ enabled (\ \ do a) \<^bold>\ (\\<^sup>E \<^bold>\ enabledb a) \ set \ \ gen\<^sub>E \ \\ | E2\<^sub>E: \enabledb (drop \) \ set \ \ gen\<^sub>E \ \\ | R3\<^sub>E: \\ \\<^sub>P (\<^bold>\ \) \ \<^bold>\ (B\<^sub>E \) \<^bold>\ enabledb (adopt \) \ set \ \ gen\<^sub>E \ \\ | R4\<^sub>E: \\\<^sub>P (\<^bold>\ \) \ \<^bold>\ (enabledb (adopt \)) \ set \ \ gen\<^sub>E \ \\ | R5\<^sub>E: \\M. \M \ \ a M \ None \ enabledb (basic a) \ set \ \ gen\<^sub>E \ \\ | R_M: \gen\<^sub>M \ \ \ gen\<^sub>E (map to_\\<^sub>E \) (map to_\\<^sub>E \)\ abbreviation derive\<^sub>M_multi :: \\\<^sub>E list \ \\<^sub>E list \ bool\ (infix \\\<^sub>E#\ 40) where \\ \\<^sub>E# \ \ gen_sc (Some gen\<^sub>E) \ \\ abbreviation derive\<^sub>E :: \\\<^sub>E \ bool\ (\\\<^sub>E _\ 40) where \\\<^sub>E \ \ [] \\<^sub>E# [ \ ]\ section \Soundness\ \ \The soundness theorem.\ lemma soundness\<^sub>_gen\<^sub>E: assumes \\ M\ shows \gen\<^sub>E \ \ \ \\ \ set \. M \\<^sub>E \ \ \\ \ set \. M \\<^sub>E \\ proof (induct rule: gen\<^sub>E.induct) case (E1\<^sub>E \ a \ \) have \M \\<^sub>E enabled (\ \ do a) \ M \\<^sub>M \ \ M \\<^sub>E enabledb a\ proof - have \M \\<^sub>E enabled (\ \ do a) \ (\M'. (M \(\ \ do a) M'))\ by simp also have \\ \ (\M'. (\ \ do a) \ \ \ M \\<^sub>M \ \ \ a M = Some M')\ unfolding transition_def by simp finally show ?thesis using \(\ \ do a) \ \\ \_some_Cap by fastforce qed with transfer_semantics\<^sub>M have \M \\<^sub>E enabled (\ \ do a) \<^bold>\ (\\<^sup>E \<^bold>\ enabledb a)\ by simp with E1\<^sub>E show ?case by blast next case (E2\<^sub>E \ \ \) moreover have \\ (drop \) M \ None\ using mental_state_transformer.simps(2) by (cases M) simp ultimately show ?case using \_some_Cap by (metis semantics\<^sub>E'.simps(3) semantics\<^sub>P.simps(1)) next case (R3\<^sub>E \) with adopt_Cap have \M \\<^sub>E \<^bold>\ (B\<^sub>E \) \<^bold>\ enabledb (adopt \)\ using \_some_Cap by (cases M) simp with R3\<^sub>E show ?case by blast next case (R4\<^sub>E \ \ \) then have \\M. \ (adopt \) M = None\ by fastforce then have \\ (adopt \) M = None\ by blast then have \M \\<^sub>E \<^bold>\ (enabledb (adopt \))\ by simp with R4\<^sub>E show ?case by blast next case (R5\<^sub>E a \ \) then have \\ a M \ None\ using \\M\ by blast then have \\ (basic a) M \ None\ by (cases M) auto with \_some_Cap have \M \\<^sub>E enabledb (basic a)\ by simp with R5\<^sub>E show ?case by blast next case (R_M \ \) with transfer_semantics\<^sub>M have \\\ \ set \. M \\<^sub>M \\ by simp with soundness\<^sub>_gen\<^sub>M have \\\ \ set \. M \\<^sub>M \\ using R_M assms by simp with transfer_semantics\<^sub>M show ?case by simp qed lemma soundness\<^sub>E': assumes \\ M\ shows \gen_sc R \ \ \ R = Some gen\<^sub>E \ \\ \ set \. M \\<^sub>E \ \ \\ \ set \. M \\<^sub>E \\ proof (induct rule: gen_sc.induct) case (Gen R \ \) with soundness\<^sub>_gen\<^sub>E show ?case using assms by simp qed auto theorem soundness\<^sub>E: assumes \\ M\ shows \\\<^sub>E \ \ M \\<^sub>E \\ using soundness\<^sub>E' assms by fastforce end end