chapter‹A Gentle Introduction to TESL›

(*<*)
theory Introduction
  imports Main
begin

(*>*)

section ‹Context›
text‹
The design of complex systems involves different formalisms for modeling their different parts or 
aspects. The global model of a system may therefore consist of a coordination of concurrent 
sub-models that use different paradigms such as differential equations, state machines, 
synchronous data-flow networks, 
discrete event models and so on, as illustrated in \autoref{fig:het-timed-system}. 
This raises the interest in architectural composition languages 
that allow for ``bolting the respective sub-models together'', along their various interfaces, and 
specifying the various ways of collaboration and coordination~@{cite "nguyenvan:hal-01583815"}.

We are interested in languages that allow for specifying the timed coordination of subsystems by 
addressing the following conceptual issues:
▪ events may occur in different sub-systems at unrelated times, leading to ∗‹polychronous› systems, 
  which do not necessarily have a common base clock,
▪ the behavior of the sub-systems is observed only at a series of discrete instants, and time 
  coordination has to take this ∗‹discretization› into account,
▪ the instants at which a system is observed may be arbitrary and should not change its behavior 
  (∗‹stuttering invariance›),
▪ coordination between subsystems involves causality, so the occurrence of an event may enforce 
  the occurrence of other events, possibly after a certain duration has elapsed or an event has 
  occurred a given number of times,
▪ the domain of time (discrete, rational, continuous. . . ) may be different in the subsystems, 
  leading to ∗‹polytimed› systems,
▪ the time frames of different sub-systems may be related (for instance, time in a GPS satellite 
  and in a GPS receiver on Earth are related although they are not the same).
›

text‹
\begin{figure}[htbp]
 \centering
 \includegraphics{glue.pdf}
 \caption{A Heterogeneous Timed System Model}
 \label{fig:het-timed-system}
\end{figure}›

(*<*)
― ‹Constants and notation to be able to write what we want as Isabelle terms, not as LaTeX maths›
consts dummyInfty    :: ‹'a ⇒ 'a›
consts dummyTESLSTAR :: ‹'a›
consts dummyFUN      :: ‹'a set ⇒ 'b set ⇒ 'c set›
consts dummyCLOCK    :: ‹'a set›
consts dummyBOOL     :: ‹bool set› 
consts dummyTIMES    :: ‹'a set› 
consts dummyLEQ      :: ‹'a ⇒ 'a ⇒ bool›

notation dummyInfty    (‹(_⇧∞)› [1000] 999)
notation dummyTESLSTAR (‹TESL⇧*›)
notation dummyFUN      (infixl ‹→› 100)
notation dummyCLOCK    (‹𝒦›) 
notation dummyBOOL     (‹𝔹›) 
notation dummyTIMES    (‹𝒯›) 
notation dummyLEQ      (infixl ‹≤⇩𝒯› 100)
(*>*)

text‹
In order to tackle the heterogeneous nature of the subsystems, we abstract their behavior as clocks. 
Each clock models an event, i.e., something that can occur or not at a given time. This time is measured 
in a time frame associated with each clock, and the nature of time (integer, rational, real, or any 
type with a linear order) is specific to each clock. 
When the event associated with a clock occurs, the clock ticks. In order to support any kind of 
behavior for the subsystems, we are only interested in specifying what we can observe at a series 
of discrete instants. There are two constraints on observations: a clock may tick only at an 
observation instant, and the time on any clock cannot decrease from an instant to the next one. 
However, it is always possible to add arbitrary observation instants, which allows for stuttering 
and modular composition of systems. 
As a consequence, the key concept of our setting is the notion of a clock-indexed Kripke model: 
@{term ‹Σ⇧∞ = ℕ → 𝒦 → (𝔹 × 𝒯)›}, where @{term ‹𝒦›} is an enumerable set of clocks, @{term ‹𝔹›} 
is the set of booleans – used to  indicate that a clock ticks at a given instant – and @{term ‹𝒯›} 
is a universal metric time space for which we only assume that it is large enough to contain all 
individual time spaces of clocks and that it is ordered by some linear ordering @{term ‹(≤⇩𝒯)›}.
›

text‹
  The elements of @{term ‹Σ⇧∞›} are called runs. A specification language is a set of 
  operators that constrains the set of possible monotonic runs. Specifications are composed by 
  intersecting the denoted run sets of constraint operators.
  Consequently, such specification languages do not limit the number of clocks used to model a 
  system (as long as it is finite) and it is always possible to add clocks to a specification. 
  Moreover, they are ∗‹compositional› by construction since the composition of specifications 
  consists of the conjunction of their constraints.
›

text‹
  This work provides the following contributions:
  ▪ defining the non-trivial language @{term ‹TESL⇧*›} in terms of clock-indexed Kripke models, 
  ▪ proving that this denotational semantics is stuttering invariant,
  ▪ defining an adapted form of symbolic primitives and presenting the set of operational 
    semantic rules,
  ▪ presenting formal proofs for soundness, completeness, and progress of the latter.
›

section‹The TESL Language›
   
text‹
  The TESL language @{cite "BouJacHarPro2014MEMOCODE"} was initially designed to coordinate the
  execution of heterogeneous components during the simulation of a system. We define here a minimal
  kernel of operators that will form the basis of a family of specification languages, including the
  original TESL language, which is described at \url{http://wdi.supelec.fr/software/TESL/}.
›  

subsection‹Instantaneous Causal Operators›
text‹
  TESL has operators to deal with instantaneous causality, i.e., to react to an event occurrence
  in the very same observation instant.
  ▪ ▩‹c1 implies c2› means that at any instant where ▩‹c1› ticks, ▩‹c2› has to tick too.
  ▪ ▩‹c1 implies not c2› means that at any instant where ▩‹c1› ticks, ▩‹c2› cannot tick.
  ▪ ▩‹c1 kills c2› means that at any instant where ▩‹c1› ticks, and at any future instant, 
    ▩‹c2› cannot tick.
›

subsection‹Temporal Operators›
text‹
  TESL also has chronometric temporal operators that deal with dates and chronometric delays.
  ▪ ▩‹c sporadic t› means that clock ▩‹c› must have a tick at time ▩‹t› on its own time scale.
  ▪ ▩‹c1 sporadic t on c2› means that clock ▩‹c1› must have a tick at an instant where the time 
    on ▩‹c2› is ▩‹t›.
  ▪ ▩‹c1 time delayed by d on m implies c2› means that every time clock ▩‹c1› ticks, ▩‹c2› must have 
    a tick at the first instant where the time on ▩‹m› is ▩‹d› later than it was when ▩‹c1› had ticked.
    This means that every tick on ▩‹c1› is followed by a tick on ▩‹c2› after a delay ▩‹d› measured
    on the time scale of clock ▩‹m›.
  ▪ ▩‹time relation (c1, c2) in R› means that at every instant, the current time on clocks ▩‹c1›
    and ▩‹c2› must be in relation ▩‹R›. By default, the time lines of different clocks are 
    independent. This operator allows us to link two time lines, for instance to model the fact
    that time in a GPS satellite and time in a GPS receiver on Earth are not the same but are 
    related. Time being polymorphic in TESL, this can also be used to model the fact that the
    angular position on the camshaft of an engine moves twice as fast as the angular position 
    on the crankshaft~⁋‹See \url{http://wdi.supelec.fr/software/TESL/GalleryEngine} for more details›. 
    We may consider only linear arithmetic relations to restrict the problem to a domain where 
    the resolution is decidable.›

subsection‹Asynchronous Operators›
text‹
  The last category of TESL operators allows the specification of asynchronous relations between
  event occurrences. They do not specify the precise instants at which ticks have to occur, 
  they only put bounds on the set of instants at which they should occur.
  ▪ ▩‹c1 weakly precedes c2› means that for each tick on ▩‹c2›, there must be at least one tick
    on ▩‹c1› at a previous or at the same instant. This can also be expressed by stating
    that at each instant, the number of ticks since the beginning of the run must be lower or 
    equal on ▩‹c2› than on ▩‹c1›.
  ▪ ▩‹c1 strictly precedes c2› means that for each tick on ▩‹c2›, there must be at least one tick
    on ▩‹c1› at a previous instant. This can also be expressed by saying that at each instant, 
    the number of ticks on ▩‹c2› from the beginning of the run to this instant, must be lower or 
    equal to the number of ticks on ▩‹c1› from the beginning of the run to the previous instant.
›


(*<*)
no_notation dummyInfty      (‹(_⇧∞)› )
no_notation dummyTESLSTAR   (‹TESL⇧*›)
no_notation dummyFUN        (infixl ‹→› 100)
no_notation dummyCLOCK      (‹𝒦›) 
no_notation dummyBOOL       (‹𝔹›) 
no_notation dummyTIMES      (‹𝒯›) 
no_notation dummyLEQ        (infixl ‹≤⇩𝒯› 100)


end
(*>*)

(*chapter‹The Core of the TESL Language: Syntax and Basics›*)
text‹\chapter[Core TESL: Syntax and Basics]{The Core of the TESL Language: Syntax and Basics}›

theory TESL
imports Main

begin

section‹Syntactic Representation›
text‹
  We define here the syntax of TESL specifications.
›

subsection‹Basic elements of a specification›
text‹
  The following items appear in specifications:
  ▪ Clocks, which are identified by a name.
  ▪ Tag constants are just constants of a type which denotes the metric time space.
›

datatype     clock         = Clk ‹string›
type_synonym instant_index = ‹nat›

datatype     'τ tag_const =  TConst   (the_tag_const : 'τ)         (‹τ⇩c⇩s⇩t›)


subsection‹Operators for the TESL language›
text‹
  The type of atomic TESL constraints, which can be combined to form specifications.
›
datatype 'τ TESL_atomic =
    SporadicOn       ‹clock› ‹'τ tag_const›  ‹clock›  (‹_ sporadic _ on _› 55)
  | TagRelation      ‹clock› ‹clock› ‹('τ tag_const × 'τ tag_const) ⇒ bool› 
                                                      (‹time-relation ⌊_, _⌋ ∈ _› 55)
  | Implies          ‹clock› ‹clock›                  (infixr ‹implies› 55)
  | ImpliesNot       ‹clock› ‹clock›                  (infixr ‹implies not› 55)
  | TimeDelayedBy    ‹clock› ‹'τ tag_const› ‹clock› ‹clock› 
                                                      (‹_ time-delayed by _ on _ implies _› 55)
  | WeaklyPrecedes   ‹clock› ‹clock›                  (infixr ‹weakly precedes› 55)
  | StrictlyPrecedes ‹clock› ‹clock›                  (infixr ‹strictly precedes› 55)
  | Kills            ‹clock› ‹clock›                  (infixr ‹kills› 55)

text‹
  A TESL formula is just a list of atomic constraints, with implicit conjunction
  for the semantics.
›
type_synonym 'τ TESL_formula = ‹'τ TESL_atomic list›

text‹
  We call ∗‹positive atoms› the atomic constraints that create ticks from nothing.
  Only sporadic constraints are positive in the current version of TESL.
›
fun positive_atom :: ‹'τ TESL_atomic ⇒ bool› where
    ‹positive_atom (_ sporadic _ on _) = True›
  | ‹positive_atom _                   = False›

text‹
  The @{term ‹NoSporadic›} function removes sporadic constraints from a TESL formula.
›
abbreviation NoSporadic :: ‹'τ TESL_formula ⇒ 'τ TESL_formula›
where 
  ‹NoSporadic f ≡ (List.filter (λf⇩a⇩t⇩o⇩m. case f⇩a⇩t⇩o⇩m of
      _ sporadic _ on _ ⇒ False
    | _ ⇒ True) f)›

subsection‹Field Structure of the Metric Time Space›
text‹
  In order to handle tag relations and delays, tags must belong to a field.
  We show here that this is the case when the type parameter of @{typ ‹'τ tag_const›} 
  is itself a field.
›
instantiation tag_const ::(field)field
begin
  fun inverse_tag_const
  where ‹inverse (τ⇩c⇩s⇩t t) = τ⇩c⇩s⇩t (inverse t)›

  fun divide_tag_const 
    where ‹divide (τ⇩c⇩s⇩t t⇩1) (τ⇩c⇩s⇩t t⇩2) = τ⇩c⇩s⇩t (divide t⇩1 t⇩2)›

  fun uminus_tag_const
    where ‹uminus (τ⇩c⇩s⇩t t) = τ⇩c⇩s⇩t (uminus t)›

fun minus_tag_const
  where ‹minus (τ⇩c⇩s⇩t t⇩1) (τ⇩c⇩s⇩t t⇩2) = τ⇩c⇩s⇩t (minus t⇩1 t⇩2)›

definition ‹one_tag_const ≡ τ⇩c⇩s⇩t 1›

fun times_tag_const
  where ‹times (τ⇩c⇩s⇩t t⇩1) (τ⇩c⇩s⇩t t⇩2) = τ⇩c⇩s⇩t (times t⇩1 t⇩2)›

definition ‹zero_tag_const ≡ τ⇩c⇩s⇩t 0›

fun plus_tag_const
  where ‹plus (τ⇩c⇩s⇩t t⇩1) (τ⇩c⇩s⇩t t⇩2) = τ⇩c⇩s⇩t (plus t⇩1 t⇩2)›

instance proof
  text‹Multiplication is associative.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
                               and c::‹'τ::field tag_const›
  obtain u v w where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› and ‹c = τ⇩c⇩s⇩t w›
    using tag_const.exhaust by metis
  thus ‹a * b * c = a * (b * c)›
    by (simp add: TESL.times_tag_const.simps)
next
  text‹Multiplication is commutative.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
  obtain u v where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› using tag_const.exhaust by metis
  thus ‹ a * b = b * a›
    by (simp add: TESL.times_tag_const.simps)
next
  text‹One is neutral for multiplication.›
  fix a::‹'τ::field tag_const›
  obtain u where ‹a = τ⇩c⇩s⇩t u› using tag_const.exhaust by blast
  thus ‹1 * a = a›
    by (simp add: TESL.times_tag_const.simps one_tag_const_def)
next
  text‹Addition is associative.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
                               and c::‹'τ::field tag_const›
  obtain u v w where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› and ‹c = τ⇩c⇩s⇩t w›
    using tag_const.exhaust by metis
  thus ‹a + b + c = a + (b + c)›
    by (simp add: TESL.plus_tag_const.simps)
next
  text‹Addition is commutative.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
  obtain u v where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› using tag_const.exhaust by metis
  thus ‹a + b = b + a›
    by (simp add: TESL.plus_tag_const.simps)
next
  text‹Zero is neutral for addition.›
  fix a::‹'τ::field tag_const›
  obtain u where ‹a = τ⇩c⇩s⇩t u› using tag_const.exhaust by blast
  thus ‹0 + a = a›
    by (simp add: TESL.plus_tag_const.simps zero_tag_const_def)
next
  text‹The sum of an element and its opposite is zero.›
  fix a::‹'τ::field tag_const›
  obtain u where ‹a = τ⇩c⇩s⇩t u› using tag_const.exhaust by blast
  thus ‹-a + a = 0›
    by (simp add: TESL.plus_tag_const.simps
                  TESL.uminus_tag_const.simps
                  zero_tag_const_def)
next
  text‹Subtraction is adding the opposite.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
  obtain u v where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› using tag_const.exhaust by metis
  thus ‹a - b = a + -b›
    by (simp add: TESL.minus_tag_const.simps
                  TESL.plus_tag_const.simps
                  TESL.uminus_tag_const.simps)
next
  text‹Distributive property of multiplication over addition.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
                               and c::‹'τ::field tag_const›
  obtain u v w where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› and ‹c = τ⇩c⇩s⇩t w›
    using tag_const.exhaust by metis
  thus ‹(a + b) * c = a * c + b * c›
    by (simp add: TESL.plus_tag_const.simps
                  TESL.times_tag_const.simps
                  ring_class.ring_distribs(2))
next
  text‹The neutral elements are distinct.›
  show ‹(0::('τ::field tag_const)) ≠ 1›
    by (simp add: one_tag_const_def zero_tag_const_def)
next
  text‹The product of an element and its inverse is 1.›
  fix a::‹'τ::field tag_const› assume h:‹a ≠ 0›
  obtain u where ‹a = τ⇩c⇩s⇩t u› using tag_const.exhaust by blast
  moreover with h have ‹u ≠ 0› by (simp add: zero_tag_const_def)
  ultimately show ‹inverse a * a = 1›
    by (simp add: TESL.inverse_tag_const.simps
                  TESL.times_tag_const.simps
                  one_tag_const_def)
next
  text‹Dividing is multiplying by the inverse.›
  fix a::‹'τ::field tag_const› and b::‹'τ::field tag_const›
  obtain u v where ‹a = τ⇩c⇩s⇩t u› and ‹b = τ⇩c⇩s⇩t v› using tag_const.exhaust by metis
  thus ‹a div b = a * inverse b›
    by (simp add: TESL.divide_tag_const.simps
                  TESL.inverse_tag_const.simps
                  TESL.times_tag_const.simps
                  divide_inverse)
next
  text‹Zero is its own inverse.›
  show ‹inverse (0::('τ::field tag_const)) = 0›
    by (simp add: TESL.inverse_tag_const.simps zero_tag_const_def)
qed

end

text‹
  For comparing dates (which are represented by tags) on clocks, we need an order on tags.
›

instantiation tag_const :: (order)order
begin
  inductive less_eq_tag_const :: ‹'a tag_const ⇒ 'a tag_const ⇒ bool›
  where
    Int_less_eq[simp]:      ‹n ≤ m ⟹ (TConst n) ≤ (TConst m)›

  definition less_tag: ‹(x::'a tag_const) < y ⟷ (x ≤ y) ∧ (x ≠ y)›

  instance proof
    show ‹⋀x y :: 'a tag_const. (x < y) = (x ≤ y ∧ ¬ y ≤ x)›
      using less_eq_tag_const.simps less_tag by auto
  next
    fix x::‹'a tag_const›
    from tag_const.exhaust obtain x⇩0::'a where ‹x = TConst x⇩0› by blast
    with Int_less_eq show ‹x ≤ x› by simp
  next
    show ‹⋀x y z  :: 'a tag_const. x ≤ y ⟹ y ≤ z ⟹ x ≤ z›
      using less_eq_tag_const.simps by auto
  next
    show ‹⋀x y  :: 'a tag_const. x ≤ y ⟹ y ≤ x ⟹ x = y›
      using less_eq_tag_const.simps by auto
  qed

end

text‹
  For ensuring that time does never flow backwards, we need a total order on tags.
›
instantiation tag_const :: (linorder)linorder
begin
  instance proof
    fix x::‹'a tag_const› and y::‹'a tag_const›
    from tag_const.exhaust obtain x⇩0::'a where ‹x = TConst x⇩0› by blast
    moreover from tag_const.exhaust obtain y⇩0::'a where ‹y = TConst y⇩0› by blast
    ultimately show ‹x ≤ y ∨ y ≤ x› using less_eq_tag_const.simps by fastforce
  qed

end

end

section ‹ Defining Runs ›

theory Run
imports TESL
      
begin
text ‹
  Runs are sequences of instants, and each instant maps a clock to a pair 
  @{term ‹(h, t)›} where @{term ‹h›} indicates whether the clock ticks or not, 
  and @{term ‹t›} is the current time on this clock.
  The first element of the pair is called the ∗‹hamlet› of the clock (to tick or 
  not to tick), the second element is called the ∗‹time›.
›

abbreviation hamlet where ‹hamlet ≡ fst›
abbreviation time   where ‹time ≡ snd›

type_synonym 'τ instant = ‹clock ⇒ (bool × 'τ tag_const)›

text‹
  Runs have the additional constraint that time cannot go backwards on any clock
  in the sequence of instants.
  Therefore, for any clock, the time projection of a run is monotonous.
›
typedef (overloaded) 'τ::linordered_field run =
  ‹{ ρ::nat ⇒ 'τ instant. ∀c. mono (λn. time (ρ n c)) }›
proof
  show ‹(λ_ _. (True, τ⇩c⇩s⇩t 0)) ∈ {ρ. ∀c. mono (λn. time (ρ n c))}› 
    unfolding mono_def by blast
qed

lemma Abs_run_inverse_rewrite:
  ‹∀c. mono (λn. time (ρ n c)) ⟹ Rep_run (Abs_run ρ) = ρ›
by (simp add: Abs_run_inverse)

text ‹
  A ∗‹dense› run is a run in which something happens (at least one clock ticks) 
  at every instant.
›
definition ‹dense_run ρ ≡ (∀n. ∃c. hamlet ((Rep_run ρ) n c))›

text‹
  @{term ‹run_tick_count ρ K n›} counts the number of ticks on clock @{term ‹K›} 
  in the interval ▩‹[0, n]› of run @{term ‹ρ›}.
›
fun run_tick_count :: ‹('τ::linordered_field) run ⇒ clock ⇒ nat ⇒ nat›
  (‹#⇩≤ _ _ _›)
where
  ‹(#⇩≤ ρ K 0)       = (if hamlet ((Rep_run ρ) 0 K)
                       then 1
                       else 0)›
| ‹(#⇩≤ ρ K (Suc n)) = (if hamlet ((Rep_run ρ) (Suc n) K)
                       then 1 + (#⇩≤ ρ K n)
                       else (#⇩≤ ρ K n))›

text‹
  @{term ‹run_tick_count_strictly ρ K n›} counts the number of ticks on
  clock @{term ‹K›} in the interval ▩‹[0, n[› of run @{term ‹ρ›}.
›
fun run_tick_count_strictly :: ‹('τ::linordered_field) run ⇒ clock ⇒ nat ⇒ nat›
  (‹#⇩< _ _ _›)
where
  ‹(#⇩< ρ K 0)       = 0›
| ‹(#⇩< ρ K (Suc n)) = #⇩≤ ρ K n›

text‹
  @{term ‹first_time ρ K n τ›} tells whether instant @{term ‹n›} in run @{term‹ρ›}
  is the first one where the time on clock @{term ‹K›} reaches @{term ‹τ›}.
›
definition first_time :: ‹'a::linordered_field run ⇒ clock ⇒ nat ⇒ 'a tag_const
                          ⇒ bool›
where
  ‹first_time ρ K n τ ≡ (time ((Rep_run ρ) n K) = τ)
                      ∧ (∄n'. n' < n ∧ time ((Rep_run ρ) n' K) = τ)›

text‹
  The time on a clock is necessarily less than @{term ‹τ›} before the first instant
  at which it reaches @{term ‹τ›}.
›
lemma before_first_time:
  assumes ‹first_time ρ K n τ›
      and ‹m < n›
    shows ‹time ((Rep_run ρ) m K) < τ›
proof -
  have ‹mono (λn. time (Rep_run ρ n K))› using Rep_run by blast
  moreover from assms(2) have ‹m ≤ n› using less_imp_le by simp
  moreover have ‹mono (λn. time (Rep_run ρ n K))› using Rep_run by blast
  ultimately have  ‹time ((Rep_run ρ) m K) ≤ time ((Rep_run ρ) n K)›
    by (simp add:mono_def)
  moreover from assms(1) have ‹time ((Rep_run ρ) n K) = τ›
    using first_time_def by blast
  moreover from assms have ‹time ((Rep_run ρ) m K) ≠ τ›
    using first_time_def by blast
  ultimately show ?thesis by simp
qed

text‹
  This leads to an alternate definition of @{term ‹first_time›}:
›
lemma alt_first_time_def:
  assumes ‹∀m < n. time ((Rep_run ρ) m K) < τ›
      and ‹time ((Rep_run ρ) n K) = τ›
    shows ‹first_time ρ K n τ›
proof -
  from assms(1) have ‹∀m < n. time ((Rep_run ρ) m K) ≠ τ›
    by (simp add: less_le)
  with assms(2) show ?thesis by (simp add: first_time_def)
qed

end

chapter ‹Denotational Semantics›

theory Denotational
imports
    TESL
    Run

begin
text‹
  The denotational semantics maps TESL formulae to sets of satisfying runs.
  Firstly, we define the semantics of atomic formulae (basic constructs of the 
  TESL language), then we define the semantics of compound formulae as the
  intersection of the semantics of their components: a run must satisfy all
  the individual formulae of a compound formula.
›
section ‹Denotational interpretation for atomic TESL formulae›
(*<*)
consts dummyT0 ::‹'τ tag_const›
consts dummyDeltaT ::‹'τ tag_const›

notation dummyT0     (‹t⇩0›)
notation dummyDeltaT (‹δt›)
(*>*)

fun TESL_interpretation_atomic
    :: ‹('τ::linordered_field) TESL_atomic ⇒ 'τ run set› (‹⟦ _ ⟧⇩T⇩E⇩S⇩L›)
where
  ― ‹@{term ‹K⇩1 sporadic τ on K⇩2›} means that @{term ‹K⇩1›} should tick at an 
      instant where the time on @{term ‹K⇩2›} is @{term ‹τ›}.›
    ‹⟦ K⇩1 sporadic τ on K⇩2 ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∃n::nat. hamlet ((Rep_run ρ) n K⇩1) ∧ time ((Rep_run ρ) n K⇩2) = τ}›
  ― ‹@{term ‹time-relation ⌊K⇩1, K⇩2⌋ ∈ R›} means that at each instant, the time 
      on @{term ‹K⇩1›} and the time on @{term ‹K⇩2›} are in relation~@{term ‹R›}.›
  | ‹⟦ time-relation ⌊K⇩1, K⇩2⌋ ∈ R ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. R (time ((Rep_run ρ) n K⇩1), time ((Rep_run ρ) n K⇩2))}›
  ― ‹@{term ‹master implies slave›} means that at each instant at which 
      @{term ‹master›} ticks, @{term ‹slave›} also ticks.›
  | ‹⟦ master implies slave ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. hamlet ((Rep_run ρ) n master) ⟶ hamlet ((Rep_run ρ) n slave)}›
  ― ‹@{term ‹master implies not slave›} means that at each instant at which 
      @{term ‹master›} ticks, @{term ‹slave›} does not tick.›
  | ‹⟦ master implies not slave ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. hamlet ((Rep_run ρ) n master) ⟶ ¬hamlet ((Rep_run ρ) n slave)}›
  ― ‹@{term ‹master time-delayed by δτ on measuring implies slave›} means that 
      at each instant at which  @{term ‹master›} ticks, @{term ‹slave›} will
      tick after a delay @{term ‹δτ›} measured on the time scale 
      of @{term ‹measuring›}.›
  | ‹⟦ master time-delayed by δτ on measuring implies slave ⟧⇩T⇩E⇩S⇩L =
    ― ‹
      When master ticks, let's call @{term ‹t⇩0›} the current date on measuring. Then, 
      at the first instant when the date on measuring is @{term ‹t⇩0+δt›}, 
      slave has to tick.
    ›
        {ρ. ∀n. hamlet ((Rep_run ρ) n master) ⟶
                 (let measured_time = time ((Rep_run ρ) n measuring) in
                  ∀m ≥ n.  first_time ρ measuring m (measured_time + δτ)
                            ⟶ hamlet ((Rep_run ρ) m slave)
                 )
        }›
  ― ‹@{term ‹K⇩1 weakly precedes K⇩2›} means that each tick on @{term ‹K⇩2›}
        must be preceded by or coincide with at least one tick on @{term ‹K⇩1›}.
        Therefore, at each instant @{term ‹n›}, the number of ticks on @{term ‹K⇩2›} 
        must be less or equal to the number of ticks on @{term ‹K⇩1›}.›
  | ‹⟦ K⇩1 weakly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count ρ K⇩1 n)}›
  ― ‹@{term ‹K⇩1 strictly precedes K⇩2›} means that each tick on @{term ‹K⇩2›}
        must be preceded by at least one tick on @{term ‹K⇩1›} at a previous instant.
        Therefore, at each instant n, the number of ticks on @{term ‹K⇩2›}
        must be less or equal to the number of ticks on @{term ‹K⇩1›} 
        at instant n - 1.›
  | ‹⟦ K⇩1 strictly precedes K⇩2 ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. (run_tick_count ρ K⇩2 n) ≤ (run_tick_count_strictly ρ K⇩1 n)}›
  ― ‹@{term ‹K⇩1 kills K⇩2›} means that when @{term ‹K⇩1›} ticks, @{term ‹K⇩2›}
        cannot tick and is not allowed to tick at any further instant.›
  | ‹⟦ K⇩1 kills K⇩2 ⟧⇩T⇩E⇩S⇩L =
        {ρ. ∀n::nat. hamlet ((Rep_run ρ) n K⇩1)
                        ⟶ (∀m≥n. ¬ hamlet ((Rep_run ρ) m K⇩2))}›

section ‹Denotational interpretation for TESL formulae›

text‹
  To satisfy a formula, a run has to satisfy the conjunction of its atomic 
  formulae. Therefore, the interpretation of a formula is the intersection
  of the interpretations of its components.
›
fun TESL_interpretation :: ‹('τ::linordered_field) TESL_formula ⇒ 'τ run set›
  (‹⟦⟦ _ ⟧⟧⇩T⇩E⇩S⇩L›)
where
  ‹⟦⟦ [] ⟧⟧⇩T⇩E⇩S⇩L = {_. True}›
| ‹⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦ φ ⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›

lemma TESL_interpretation_homo:
  ‹⟦ φ ⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L›
by simp

subsection ‹Image interpretation lemma›

theorem TESL_interpretation_image:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L) ` set Φ)›
by (induction Φ, simp+)

subsection ‹Expansion law›
text ‹Similar to the expansion laws of lattices.›

theorem TESL_interp_homo_append:
  ‹⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩1 ⟧⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L›
by (induction Φ⇩1, simp, auto)

section ‹Equational laws for the denotation of TESL formulae›

lemma TESL_interp_assoc:
  ‹⟦⟦ (Φ⇩1 @ Φ⇩2) @ Φ⇩3 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩1 @ (Φ⇩2 @ Φ⇩3) ⟧⟧⇩T⇩E⇩S⇩L›
by auto

lemma TESL_interp_commute:
  shows ‹⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩2 @ Φ⇩1 ⟧⟧⇩T⇩E⇩S⇩L›
by (simp add: TESL_interp_homo_append inf_sup_aci(1))

lemma TESL_interp_left_commute:
  ‹⟦⟦ Φ⇩1 @ (Φ⇩2 @ Φ⇩3) ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩2 @ (Φ⇩1 @ Φ⇩3) ⟧⟧⇩T⇩E⇩S⇩L›
unfolding TESL_interp_homo_append by auto

lemma TESL_interp_idem:
  ‹⟦⟦ Φ @ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
using TESL_interp_homo_append by auto

lemma TESL_interp_left_idem:
  ‹⟦⟦ Φ⇩1 @ (Φ⇩1 @ Φ⇩2) ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L›
using TESL_interp_homo_append by auto

lemma TESL_interp_right_idem:
  ‹⟦⟦ (Φ⇩1 @ Φ⇩2) @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L›
unfolding TESL_interp_homo_append by auto

lemmas TESL_interp_aci = TESL_interp_commute
                         TESL_interp_assoc
                         TESL_interp_left_commute
                         TESL_interp_left_idem

text ‹The empty formula is the identity element.›
lemma TESL_interp_neutral1:
  ‹⟦⟦ [] @ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
by simp

lemma TESL_interp_neutral2:
  ‹⟦⟦ Φ @ [] ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
by simp

section ‹Decreasing interpretation of TESL formulae›
text‹
  Adding constraints to a TESL formula reduces the number of satisfying runs.
›
lemma TESL_sem_decreases_head:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L›
by simp

lemma TESL_sem_decreases_tail:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ Φ @ [φ] ⟧⟧⇩T⇩E⇩S⇩L›
by (simp add: TESL_interp_homo_append)

text ‹
  Repeating a formula in a specification does not change the specification.
›
lemma TESL_interp_formula_stuttering:
  assumes ‹φ ∈ set Φ›
    shows ‹⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
proof -
  have ‹φ # Φ = [φ] @ Φ› by simp
  hence ‹⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ [φ] ⟧⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
    using TESL_interp_homo_append by simp
  thus ?thesis using assms TESL_interpretation_image by fastforce
qed

text ‹
  Removing duplicate formulae in a specification does not change the specification.
›
lemma TESL_interp_remdups_absorb:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ remdups Φ ⟧⟧⇩T⇩E⇩S⇩L›
proof (induction Φ)
  case Cons
    thus ?case using TESL_interp_formula_stuttering by auto
qed simp

text ‹
  Specifications that contain the same formulae have the same semantics.
›
lemma TESL_interp_set_lifting:
  assumes ‹set Φ = set Φ'›
    shows ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ' ⟧⟧⇩T⇩E⇩S⇩L›
proof -     
  have ‹set (remdups Φ) = set (remdups Φ')›
    by (simp add: assms)
  moreover have fxpntΦ: ‹⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L) ` set Φ) = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
    by (simp add: TESL_interpretation_image)
  moreover have fxpntΦ': ‹⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L) ` set Φ') = ⟦⟦ Φ' ⟧⟧⇩T⇩E⇩S⇩L›
    by (simp add: TESL_interpretation_image)
  moreover have ‹⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L) ` set Φ) = ⋂ ((λφ. ⟦ φ ⟧⇩T⇩E⇩S⇩L) ` set Φ')›
    by (simp add: assms)
  ultimately show ?thesis using TESL_interp_remdups_absorb by auto
qed

text ‹
  The semantics of specifications is contravariant with respect to their inclusion.
›
theorem TESL_interp_decreases_setinc:
  assumes ‹set Φ ⊆ set Φ'›
    shows ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ Φ' ⟧⟧⇩T⇩E⇩S⇩L›
proof -
  obtain Φ⇩r where decompose: ‹set (Φ @ Φ⇩r) = set Φ'› using assms by auto
  hence ‹set (Φ @ Φ⇩r) = set Φ'› using assms by blast
  moreover have ‹(set Φ) ∪ (set Φ⇩r) = set Φ'›
    using assms decompose by auto
  moreover have ‹⟦⟦ Φ' ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ @ Φ⇩r ⟧⟧⇩T⇩E⇩S⇩L›
    using TESL_interp_set_lifting decompose by blast
  moreover have ‹⟦⟦ Φ @ Φ⇩r ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ⇩r ⟧⟧⇩T⇩E⇩S⇩L›
    by (simp add: TESL_interp_homo_append)
  moreover have ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ Φ⇩r ⟧⟧⇩T⇩E⇩S⇩L› by simp
  ultimately show ?thesis by simp
qed

lemma TESL_interp_decreases_add_head:
  assumes ‹set Φ ⊆ set Φ'›
    shows ‹⟦⟦ φ # Φ ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ φ # Φ' ⟧⟧⇩T⇩E⇩S⇩L›
using assms TESL_interp_decreases_setinc by auto

lemma TESL_interp_decreases_add_tail:
  assumes ‹set Φ ⊆ set Φ'›
    shows ‹⟦⟦ Φ @ [φ] ⟧⟧⇩T⇩E⇩S⇩L ⊇ ⟦⟦ Φ' @ [φ] ⟧⟧⇩T⇩E⇩S⇩L›
using TESL_interp_decreases_setinc[OF assms] 
  by (simp add: TESL_interpretation_image dual_order.trans)

lemma TESL_interp_absorb1:
  assumes ‹set Φ⇩1 ⊆ set Φ⇩2›
    shows ‹⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L›
by (simp add: Int_absorb1 TESL_interp_decreases_setinc
                          TESL_interp_homo_append assms)

lemma TESL_interp_absorb2:
  assumes ‹set Φ⇩2 ⊆ set Φ⇩1›
    shows ‹⟦⟦ Φ⇩1 @ Φ⇩2 ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ⇩1 ⟧⟧⇩T⇩E⇩S⇩L›
using TESL_interp_absorb1 TESL_interp_commute assms by blast

section ‹Some special cases›

lemma NoSporadic_stable [simp]:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ⊆ ⟦⟦ NoSporadic Φ ⟧⟧⇩T⇩E⇩S⇩L›
proof -
  from filter_is_subset have ‹set (NoSporadic Φ) ⊆ set Φ› .
  from TESL_interp_decreases_setinc[OF this] show ?thesis .
qed

lemma NoSporadic_idem [simp]:
  ‹⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L ∩ ⟦⟦ NoSporadic Φ ⟧⟧⇩T⇩E⇩S⇩L = ⟦⟦ Φ ⟧⟧⇩T⇩E⇩S⇩L›
using NoSporadic_stable by blast

lemma NoSporadic_setinc:
  ‹set (NoSporadic Φ) ⊆ set Φ›
by (rule filter_is_subset)

(*<*)
no_notation dummyT0    (‹t⇩0›)
no_notation dummyDeltaT (‹δt›)
(*>*)

end

chapter ‹Symbolic Primitives for Building Runs›

theory SymbolicPrimitive
  imports Run

begin

text‹
  We define here the primitive constraints on runs, towards which we translate
  TESL specifications in the operational semantics.
  These constraints refer to a specific symbolic run and can therefore access
  properties of the run at particular instants (for instance, the fact that a clock
  ticks at instant @{term ‹n›} of the run, or the time on a given clock at 
  that instant).

  In the previous chapters, we had no reference to particular instants of a run 
  because the TESL language should be invariant by stuttering in order to allow 
  the composition of specifications: adding an instant where no clock ticks to 
  a run that satisfies a formula should yield another run that satisfies the 
  same formula. However, when constructing runs that satisfy a formula, we
  need to be able to refer to the time or hamlet of a clock at a given instant.
›

text‹
  Counter expressions are used to get the number of ticks of a clock up to 
  (strictly or not) a given instant index.
›
datatype cnt_expr =
  TickCountLess ‹clock› ‹instant_index› (‹#⇧<›)
| TickCountLeq ‹clock› ‹instant_index›  (‹#⇧≤›)

subsection‹ Symbolic Primitives for Runs ›

text‹
  Tag values are used to refer to the time on a clock at a given instant index.
›
datatype tag_val =
  TSchematic ‹clock * instant_index› (‹τ⇩v⇩a⇩r›)

datatype 'τ constr =
― ‹@{term ‹c ⇓ n @ τ›} constrains clock @{term ‹c›} to have time @{term ‹τ›}
    at instant @{term ‹n›} of the run.›
  Timestamp     ‹clock›   ‹instant_index› ‹'τ tag_const›         (‹_ ⇓ _ @ _›)
― ‹@{term ‹m @ n ⊕ δt ⇒ s›} constrains clock @{term ‹s›} to tick at the
    first instant at which the time on @{term ‹m›} has increased by @{term ‹δt›}
    from the value it had at instant @{term ‹n›} of the run.›
| TimeDelay     ‹clock›   ‹instant_index› ‹'τ tag_const› ‹clock› (‹_ @ _ ⊕ _ ⇒ _›)
― ‹@{term ‹c ⇑ n›} constrains clock @{term ‹c›} to tick
    at instant @{term ‹n›} of the run.›
| Ticks         ‹clock›   ‹instant_index›                        (‹_ ⇑ _›)
― ‹@{term ‹c ¬⇑ n›} constrains clock @{term ‹c›} not to tick
    at instant @{term ‹n›} of the run.›
| NotTicks      ‹clock›   ‹instant_index›                        (‹_ ¬⇑ _›)
― ‹@{term ‹c ¬⇑ < n›} constrains clock @{term ‹c›} not to tick
    before instant @{term ‹n›} of the run.›
| NotTicksUntil ‹clock›   ‹instant_index›                        (‹_ ¬⇑ < _›)
― ‹@{term ‹c ¬⇑ ≥ n›} constrains clock @{term ‹c›} not to tick
    at and after instant @{term ‹n›} of the run.›
| NotTicksFrom  ‹clock›   ‹instant_index›                        (‹_ ¬⇑ ≥ _›)
― ‹@{term ‹⌊τ⇩1, τ⇩2⌋ ∈ R›} constrains tag variables @{term ‹τ⇩1›} and  @{term ‹τ⇩2›} 
    to be in relation @{term ‹R›}.›
| TagArith      ‹tag_val› ‹tag_val› ‹('τ tag_const × 'τ tag_const) ⇒ bool› (‹⌊_, _⌋ ∈ _›)
― ‹@{term ‹⌈k⇩1, k⇩2⌉ ∈ R›} constrains counter expressions @{term ‹k⇩1›} and  @{term ‹k⇩2›} 
    to be in relation @{term ‹R›}.›
| TickCntArith  ‹cnt_expr› ‹cnt_expr› ‹(nat × nat) ⇒ bool›      (‹⌈_, _⌉ ∈ _›)
― ‹@{term ‹k⇩1 ≼ k⇩2›} constrains counter expression @{term ‹k⇩1›} to be less or equal 
    to counter expression @{term ‹k⇩2›}.›
| TickCntLeq    ‹cnt_expr› ‹cnt_expr›                            (‹_ ≼ _›)

type_synonym 'τ system = ‹'τ constr list›


text ‹
  The abstract machine has configurations composed of:
  ▪ the past @{term‹Γ›}, which captures choices that have already be made as a 
    list of symbolic primitive constraints on the run;
  ▪ the current index @{term ‹n›}, which is the index of the present instant;
  ▪ the present @{term‹Ψ›}, which captures the formulae that must be satisfied
    in the current instant;
  ▪ the future @{term‹Φ›}, which captures the constraints on the future of the run.
›
type_synonym 'τ config =
                ‹'τ system * instant_index * 'τ TESL_formula * 'τ TESL_formula›


section ‹Semantics of Primitive Constraints ›

text‹
  The semantics of the primitive constraints is defined in a way similar to
  the semantics of TESL formulae.
›
fun counter_expr_eval :: ‹('τ::linordered_field) run ⇒ cnt_expr ⇒ nat›
  (‹⟦ _ ⊢ _ ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r›)
where
  ‹⟦ ρ ⊢ #⇧< clk indx ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r = run_tick_count_strictly ρ clk indx›
| ‹⟦ ρ ⊢ #⇧≤ clk indx ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r = run_tick_count ρ clk indx›


fun symbolic_run_interpretation_primitive
  ::‹('τ::linordered_field) constr ⇒ 'τ run set› (‹⟦ _ ⟧⇩p⇩r⇩i⇩m›)
where
  ‹⟦ K ⇑ n  ⟧⇩p⇩r⇩i⇩m     = {ρ. hamlet ((Rep_run ρ) n K) }›
| ‹⟦ K @ n⇩0 ⊕ δt ⇒ K' ⟧⇩p⇩r⇩i⇩m =
                  {ρ. ∀n ≥ n⇩0. first_time ρ K n (time ((Rep_run ρ) n⇩0 K) + δt)
                               ⟶ hamlet ((Rep_run ρ) n K')}›
| ‹⟦ K ¬⇑ n ⟧⇩p⇩r⇩i⇩m     = {ρ. ¬hamlet ((Rep_run ρ) n K) }›
| ‹⟦ K ¬⇑ < n ⟧⇩p⇩r⇩i⇩m   = {ρ. ∀i < n. ¬ hamlet ((Rep_run ρ) i K)}›
| ‹⟦ K ¬⇑ ≥ n ⟧⇩p⇩r⇩i⇩m   = {ρ. ∀i ≥ n. ¬ hamlet ((Rep_run ρ) i K) }›
| ‹⟦ K ⇓ n @ τ ⟧⇩p⇩r⇩i⇩m = {ρ. time ((Rep_run ρ) n K) = τ }›
| ‹⟦ ⌊τ⇩v⇩a⇩r(K⇩1, n⇩1), τ⇩v⇩a⇩r(K⇩2, n⇩2)⌋ ∈ R ⟧⇩p⇩r⇩i⇩m =
    { ρ. R (time ((Rep_run ρ) n⇩1 K⇩1), time ((Rep_run ρ) n⇩2 K⇩2)) }›
| ‹⟦ ⌈e⇩1, e⇩2⌉ ∈ R ⟧⇩p⇩r⇩i⇩m = { ρ. R (⟦ ρ ⊢ e⇩1 ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r, ⟦ ρ ⊢ e⇩2 ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r) }›
| ‹⟦ cnt_e⇩1 ≼ cnt_e⇩2 ⟧⇩p⇩r⇩i⇩m = { ρ. ⟦ ρ ⊢ cnt_e⇩1 ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r ≤ ⟦ ρ ⊢ cnt_e⇩2 ⟧⇩c⇩n⇩t⇩e⇩x⇩p⇩r }›

text‹
  The composition of primitive constraints is their conjunction, and we get the
  set of satisfying runs by intersection.
›
fun symbolic_run_interpretation
  ::‹('τ::linordered_field) constr list ⇒ ('τ::linordered_field) run set›
  (‹⟦⟦ _ ⟧⟧⇩p⇩r⇩i⇩m›)
where
  ‹⟦⟦ [] ⟧⟧⇩p⇩r⇩i⇩m = {ρ. True }›
| ‹⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦ γ ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›

lemma symbolic_run_interp_cons_morph:
  ‹⟦ γ ⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m›
by auto

definition consistent_context :: ‹('τ::linordered_field) constr list ⇒ bool›
where 
  ‹consistent_context Γ ≡ ( ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ≠ {}) ›

subsection ‹Defining a method for witness construction›

text‹
  In order to build a run, we can start from an initial run in which no clock 
  ticks and the time is always 0 on any clock.
›
abbreviation initial_run :: ‹('τ::linordered_field) run› (‹ρ⇩⊙›) where
  ‹ρ⇩⊙ ≡ Abs_run ((λ_ _. (False, τ⇩c⇩s⇩t 0)) ::nat ⇒ clock ⇒ (bool × 'τ tag_const))›

text‹
  To help avoiding that time flows backward, setting the time on a clock at a given 
  instant sets it for the future instants too.
›
fun time_update
  :: ‹nat ⇒ clock ⇒ ('τ::linordered_field) tag_const ⇒ (nat ⇒ 'τ instant)
      ⇒ (nat ⇒ 'τ instant)›
where
  ‹time_update n K τ ρ = (λn' K'. if K = K' ∧ n ≤ n'
                                  then (hamlet (ρ n K), τ)
                                  else ρ n' K')›


section ‹Rules and properties of consistence›

lemma context_consistency_preservationI:
  ‹consistent_context ((γ::('τ::linordered_field) constr)#Γ) ⟹ consistent_context Γ›
unfolding consistent_context_def by auto

― ‹This is very restrictive›
inductive context_independency
  ::‹('τ::linordered_field) constr ⇒ 'τ constr list ⇒ bool› (‹_ ⨝ _›)
where
  NotTicks_independency:
  ‹(K ⇑ n) ∉ set Γ ⟹ (K ¬⇑ n) ⨝ Γ›
| Ticks_independency:
  ‹(K ¬⇑ n) ∉ set Γ ⟹ (K ⇑ n) ⨝ Γ›
| Timestamp_independency:
  ‹(∄τ'. τ' = τ ∧ (K ⇓ n @ τ) ∈ set Γ) ⟹ (K ⇓ n @ τ) ⨝ Γ›


section‹Major Theorems›
subsection ‹Interpretation of a context›

text‹
  The interpretation of a context is the intersection of the interpretation 
  of its components.
›
theorem symrun_interp_fixpoint:
  ‹⋂ ((λγ. ⟦ γ ⟧⇩p⇩r⇩i⇩m) ` set Γ) = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
by (induction Γ, simp+)

subsection ‹Expansion law›
text ‹Similar to the expansion laws of lattices›

theorem symrun_interp_expansion:
  ‹⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩1 ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m›
by (induction Γ⇩1, simp, auto)

section ‹Equations for the interpretation of symbolic primitives› 
subsection ‹General laws›

lemma symrun_interp_assoc:
  ‹⟦⟦ (Γ⇩1 @ Γ⇩2) @ Γ⇩3 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩1 @ (Γ⇩2 @ Γ⇩3) ⟧⟧⇩p⇩r⇩i⇩m›
by auto

lemma symrun_interp_commute:
  ‹⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩2 @ Γ⇩1 ⟧⟧⇩p⇩r⇩i⇩m›
by (simp add: symrun_interp_expansion inf_sup_aci(1))

lemma symrun_interp_left_commute:
  ‹⟦⟦ Γ⇩1 @ (Γ⇩2 @ Γ⇩3) ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩2 @ (Γ⇩1 @ Γ⇩3) ⟧⟧⇩p⇩r⇩i⇩m›
unfolding symrun_interp_expansion by auto

lemma symrun_interp_idem:
  ‹⟦⟦ Γ @ Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
using symrun_interp_expansion by auto

lemma symrun_interp_left_idem:
  ‹⟦⟦ Γ⇩1 @ (Γ⇩1 @ Γ⇩2) ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m›
using symrun_interp_expansion by auto

lemma symrun_interp_right_idem:
  ‹⟦⟦ (Γ⇩1 @ Γ⇩2) @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m›
unfolding symrun_interp_expansion by auto

lemmas symrun_interp_aci =  symrun_interp_commute
                            symrun_interp_assoc
                            symrun_interp_left_commute
                            symrun_interp_left_idem

― ‹Identity element›
lemma symrun_interp_neutral1:
  ‹⟦⟦ [] @ Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
by simp

lemma symrun_interp_neutral2:
  ‹⟦⟦ Γ @ [] ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
by simp

subsection ‹Decreasing interpretation of symbolic primitives›

text‹
  Adding constraints to a context reduces the number of satisfying runs.
›
lemma TESL_sem_decreases_head:
  ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m›
by simp

lemma TESL_sem_decreases_tail:
  ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ Γ @ [γ] ⟧⟧⇩p⇩r⇩i⇩m›
by (simp add: symrun_interp_expansion)

text‹
  Adding a constraint that is already in the context does not change the
  interpretation of the context.
›
lemma symrun_interp_formula_stuttering:
  assumes ‹γ ∈ set Γ›
    shows ‹⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
proof -
  have ‹γ # Γ = [γ] @ Γ› by simp
  hence ‹⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ [γ] ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
    using symrun_interp_expansion by simp
  thus ?thesis using assms symrun_interp_fixpoint by fastforce
qed


text‹
  Removing duplicate constraints from a context does not change the
  interpretation of the context.
›
lemma symrun_interp_remdups_absorb:
  ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ remdups Γ ⟧⟧⇩p⇩r⇩i⇩m›
proof (induction Γ)
  case Cons
    thus ?case using symrun_interp_formula_stuttering by auto
qed simp

text‹
  Two identical sets of constraints have the same interpretation,
  the order in the context does not matter.
›
lemma symrun_interp_set_lifting:
  assumes ‹set Γ = set Γ'›
    shows ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ' ⟧⟧⇩p⇩r⇩i⇩m›
proof -     
  have ‹set (remdups Γ) = set (remdups Γ')›
    by (simp add: assms)
  moreover have fxpntΓ: ‹⋂ ((λγ. ⟦ γ ⟧⇩p⇩r⇩i⇩m) ` set Γ) = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m›
    by (simp add: symrun_interp_fixpoint)
  moreover have fxpntΓ': ‹⋂ ((λγ. ⟦ γ ⟧⇩p⇩r⇩i⇩m) ` set Γ') = ⟦⟦ Γ' ⟧⟧⇩p⇩r⇩i⇩m›
    by (simp add: symrun_interp_fixpoint)
  moreover have ‹⋂ ((λγ. ⟦ γ ⟧⇩p⇩r⇩i⇩m) ` set Γ) = ⋂ ((λγ. ⟦ γ ⟧⇩p⇩r⇩i⇩m) ` set Γ')›
    by (simp add: assms)
  ultimately show ?thesis using symrun_interp_remdups_absorb by auto
qed

text‹
  The interpretation of contexts is contravariant with regard to set inclusion.
›
theorem symrun_interp_decreases_setinc:
  assumes ‹set Γ ⊆ set Γ'›
    shows ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ Γ' ⟧⟧⇩p⇩r⇩i⇩m›
proof -
  obtain Γ⇩r where decompose: ‹set (Γ @ Γ⇩r) = set Γ'› using assms by auto
  hence ‹set (Γ @ Γ⇩r) = set Γ'› using assms by blast
  moreover have ‹(set Γ) ∪ (set Γ⇩r) = set Γ'› using assms decompose by auto
  moreover have ‹⟦⟦ Γ' ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ @ Γ⇩r ⟧⟧⇩p⇩r⇩i⇩m›
    using symrun_interp_set_lifting decompose by blast
  moreover have ‹⟦⟦ Γ @ Γ⇩r ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ⇩r ⟧⟧⇩p⇩r⇩i⇩m›
    by (simp add: symrun_interp_expansion)
  moreover have ‹⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m ∩ ⟦⟦ Γ⇩r ⟧⟧⇩p⇩r⇩i⇩m› by simp
  ultimately show ?thesis by simp
qed

lemma symrun_interp_decreases_add_head:
  assumes ‹set Γ ⊆ set Γ'›
    shows ‹⟦⟦ γ # Γ ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ γ # Γ' ⟧⟧⇩p⇩r⇩i⇩m›
using symrun_interp_decreases_setinc assms by auto

lemma symrun_interp_decreases_add_tail:
  assumes ‹set Γ ⊆ set Γ'›
    shows ‹⟦⟦ Γ @ [γ] ⟧⟧⇩p⇩r⇩i⇩m ⊇ ⟦⟦ Γ' @ [γ] ⟧⟧⇩p⇩r⇩i⇩m›
proof -
  from symrun_interp_decreases_setinc[OF assms] have ‹⟦⟦ Γ' ⟧⟧⇩p⇩r⇩i⇩m ⊆ ⟦⟦ Γ ⟧⟧⇩p⇩r⇩i⇩m› .
  thus ?thesis by (simp add: symrun_interp_expansion dual_order.trans)
qed

lemma symrun_interp_absorb1:
  assumes ‹set Γ⇩1 ⊆ set Γ⇩2›
    shows ‹⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m›
by (simp add: Int_absorb1 symrun_interp_decreases_setinc
                          symrun_interp_expansion assms)

lemma symrun_interp_absorb2:
  assumes ‹set Γ⇩2 ⊆ set Γ⇩1›
    shows ‹⟦⟦ Γ⇩1 @ Γ⇩2 ⟧⟧⇩p⇩r⇩i⇩m = ⟦⟦ Γ⇩1 ⟧⟧⇩p⇩r⇩i⇩m›
using symrun_interp_absorb1 symrun_interp_commute assms by blast

end