-lemma trans_liftL : ∀sig,M1,M2,s,a,news,move.
- halt ? M1 s = false →
- trans sig M1 〈s,a〉 = 〈news,move〉 →
- trans sig (seq sig M1 M2) 〈inl … s,a〉 = 〈inl … news,move〉.
-#sig (*#M1*) * #Q1 #T1 #init1 #halt1 #M2 #s #a #news #move
-#Hhalt #Htrans whd in ⊢ (??%?); >Hhalt >Htrans %
-qed.
-
-lemma config_eq :
- ∀sig,M,c1,c2.
- cstate sig M c1 = cstate sig M c2 →
- ctape sig M c1 = ctape sig M c2 → c1 = c2.
-#sig #M1 * #s1 #t1 * #s2 #t2 //
-qed.
-
-lemma step_lift_confL : ∀sig,M1,M2,c0.
- halt ? M1 (cstate ?? c0) = false →
- step sig (seq sig M1 M2) (lift_confL sig M1 M2 c0) =
- lift_confL sig M1 M2 (step sig M1 c0).
-#sig #M1 (* * #Q1 #T1 #init1 #halt1 *) #M2 * #s * #lt
-#rs #Hhalt
-whd in ⊢ (???(????%));whd in ⊢ (???%);
-lapply (refl ? (trans ?? 〈s,option_hd sig rs〉))
-cases (trans ?? 〈s,option_hd sig rs〉) in ⊢ (???% → %);
-#s0 #m0 #Heq whd in ⊢ (???%);
-whd in ⊢ (??(???%)?); whd in ⊢ (??%?);
->(trans_liftL … Heq)
-[% | //]
-qed.
-
-lemma loop_liftL : ∀sig,k,M1,M2,c1,c2.
- loop ? k (step sig M1) (λc.halt sig M1 (cstate ?? c)) c1 = Some ? c2 →
- loop ? k (step sig (seq sig M1 M2))
- (λc.halt_liftL sig M1 M2 (cstate ?? c)) (lift_confL … c1) =
- Some ? (lift_confL … c2).
-#sig #k #M1 #M2 #c1 #c2 generalize in match c1;
-elim k
-[#c0 normalize in ⊢ (??%? → ?); #Hfalse destruct (Hfalse)
-|#k0 #IH #c0 whd in ⊢ (??%? → ??%?);
- lapply (refl ? (halt ?? (cstate sig M1 c0)))
- cases (halt ?? (cstate sig M1 c0)) in ⊢ (???% → ?); #Hc0 >Hc0
- [ >(?: halt_liftL ??? (cstate sig (seq ? M1 M2) (lift_confL … c0)) = true)
- [ whd in ⊢ (??%? → ??%?); #Hc2 destruct (Hc2) %
- | // ]
- | >(?: halt_liftL ??? (cstate sig (seq ? M1 M2) (lift_confL … c0)) = false)
- [whd in ⊢ (??%? → ??%?); #Hc2 <(IH ? Hc2) @eq_f
- @step_lift_confL //
- | // ]
-qed.
-
-STOP!
-
-lemma loop_liftR : ∀sig,k,M1,M2,c1,c2.
- loop ? k (step sig M2) (λc.halt sig M2 (cstate ?? c)) c1 = Some ? c2 →
- loop ? k (step sig (seq sig M1 M2))
- (λc.halt sig (seq sig M1 M2) (cstate ?? c)) (lift_confR … c1) =
- Some ? (lift_confR … c2).
-#sig #k #M1 #M2 #c1 #c2
-elim k
-[normalize in ⊢ (??%? → ?); #Hfalse destruct (Hfalse)
-|#k0 #IH whd in ⊢ (??%? → ??%?);
- lapply (refl ? (halt ?? (cstate sig M2 c1)))
- cases (halt ?? (cstate sig M2 c1)) in ⊢ (???% → ?); #Hc0 >Hc0
- [ >(?: halt ?? (cstate sig (seq ? M1 M2) (lift_confR … c1)) = true)
- [ whd in ⊢ (??%? → ??%?); #Hc2 destruct (Hc2)
- | (* ... *) ]
- | >(?: halt ?? (cstate sig (seq ? M1 M2) (lift_confR … c1)) = false)
- [whd in ⊢ (??%? → ??%?); #Hc2 <IH
- [@eq_f (* @step_lift_confR // *)
- |
- | // ]
-qed. *)
-
-lemma loop_Some :
- ∀A,k,f,p,a,b.loop A k f p a = Some ? b → p b = true.
-#A #k #f #p #a #b elim k
-[normalize #Hfalse destruct
-|#k0 #IH whd in ⊢ (??%? → ?); cases (p a)
- [ normalize #H1 destruct
-
-lemma trans_liftL_true : ∀sig,M1,M2,s,a.
- halt ? M1 s = true →
- trans sig (seq sig M1 M2) 〈inl … s,a〉 = 〈inr … (start ? M2),None ?〉.
-#sig #M1 #M2 #s #a
-#Hhalt whd in ⊢ (??%?); >Hhalt %
-qed.
-
-lemma eq_ctape_lift_conf_L : ∀sig,M1,M2,outc.
- ctape sig (seq sig M1 M2) (lift_confL … outc) = ctape … outc.
-#sig #M1 #M2 #outc cases outc #s #t %
-qed.
-
-lemma eq_ctape_lift_conf_R : ∀sig,M1,M2,outc.
- ctape sig (seq sig M1 M2) (lift_confR … outc) = ctape … outc.
-#sig #M1 #M2 #outc cases outc #s #t %
-qed.
-
-theorem sem_seq: ∀sig,M1,M2,R1,R2.
- Realize sig M1 R1 → Realize sig M2 R2 →
- Realize sig (seq sig M1 M2) (R1 ∘ R2).
-#sig #M1 #M2 #R1 #R2 #HR1 #HR2 #t
-cases (HR1 t) #k1 * #outc1 * #Hloop1 #HM1
-cases (HR2 (ctape sig M1 outc1)) #k2 * #outc2 * #Hloop2 #HM2
-@(ex_intro … (k1+k2)) @(ex_intro … (lift_confR … outc2))
-%
-[@(loop_split ??????????? (loop_liftL … Hloop1))
- [* *
- [ #sl #tl whd in ⊢ (??%? → ?); #Hl %
- | #sr #tr whd in ⊢ (??%? → ?); #Hr destruct (Hr) ]
- ||4:cases outc1 #s1 #t1 %
- |5:@(loop_liftR … Hloop2)
- |whd in ⊢ (??(???%)?);whd in ⊢ (??%?);
- generalize in match Hloop1; cases outc1 #sc1 #tc1 #Hloop10
- >(trans_liftL_true sig M1 M2 ??)
- [ whd in ⊢ (??%?); whd in ⊢ (???%);
- @config_eq //
- | @(loop_Some ?????? Hloop10) ]
+theorem terminate_while_guarded: ∀sig,M,acc,Pre,Rtrue,Rfalse.
+ halt sig M acc = true →
+ accGRealize sig M acc Pre Rtrue Rfalse →
+ (∀t1,t2. Pre t1 → Rtrue t1 t2 → Pre t2) → ∀t.
+ WF ? (inv … Rtrue) t → Pre t → whileTM sig M acc ↓ t.
+#sig #M #acc #Pre #Rtrue #Rfalse #Hacctrue #HM #Hinv #t #HWF elim HWF
+#t1 #H #Hind #HPre cases (HM … t1 HPre) #i * #outc * * #Hloop
+#Htrue #Hfalse cases (true_or_false (cstate … outc == acc)) #Hcase
+ [cases (Hind ? (Htrue … (\P Hcase)) ?)
+ [2: @(Hinv … HPre) @Htrue @(\P Hcase)]
+ #iwhile * #outcfinal
+ #Hloopwhile @(ex_intro … (i+iwhile))
+ @(ex_intro … outcfinal) @(loop_merge … outc … Hloopwhile)
+ [@(λc.halt sig M (cstate … c))
+ |* #s0 #t0 normalize cases (s0 == acc) normalize
+ [ cases (halt sig M s0) //
+ | cases (halt sig M s0) normalize //
+ ]
+ |@(loop_lift ?? i (λc.c) ?
+ (step ? (whileTM ? M acc)) ?
+ (λc.halt sig M (cstate ?? c)) ??
+ ?? Hloop)
+ [ #x %
+ | * #s #t #Hx whd in ⊢ (??%%); >while_trans_false
+ [%
+ |% #Hfalse <Hfalse in Hacctrue; >Hx #H0 destruct ]
+ ]
+ |@step_while_acc @(\P Hcase)
+ |>(\P Hcase) @halt_while_acc
+ ]
+ |@(ex_intro … i) @(ex_intro … outc)
+ @(loop_lift_acc ?? i (λc.c) ?????? (λc.cstate ?? c == acc) ???? Hloop)
+ [#x #Hx >(\P Hx) //
+ |#x @halt_while_not_acc
+ |#x #H whd in ⊢ (??%%); >while_trans_false [%]
+ % #eqx >eqx in H; >Hacctrue #H destruct
+ |@Hcase
+ ]