Theory After_Operator_Non_Too_Destructive

(***********************************************************************************
 * Copyright (c) 2025 Université Paris-Saclay
 *
 * Author: Benoît Ballenghien, Université Paris-Saclay,
           CNRS, ENS Paris-Saclay, LMF
 * Author: Burkhart Wolff, Université Paris-Saclay,
           CNRS, ENS Paris-Saclay, LMF
 *
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice, this
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 *   this list of conditions and the following disclaimer in the documentation
 *   and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * SPDX-License-Identifier: BSD-2-Clause
 ***********************************************************************************)

section ‹Non too Destructiveness of After›

(*<*)
theory After_Operator_Non_Too_Destructive
  imports Process_Restriction_Space
    "HOL-CSP_OpSem.After_Trace_Operator" 
begin
  (*>*)


subsection ‹Equality›

lemma initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k: ‹(P ↓ n)⇧⁰ = (if n = 0 then UNIV else P⇧⁰)›
  by (cases n, solves simp)
    (auto simp add: initials_def T_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k,
      metis append.right_neutral append_eq_conv_conj drop_Nil drop_Suc_Cons)


lemma (in After) restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After:
  ‹P after e ↓ n = (if ev e ∈ P⇧⁰ then (P ↓ Suc n) after e else Ψ P e ↓ n)›
proof (split if_split, intro conjI impI)
  show ‹ev e ∉ P⇧⁰ ⟹ P after e ↓ n = Ψ P e ↓ n› by (simp add: not_initial_After)
next
  assume ‹ev e ∈ P⇧⁰›
  show ‹P after e ↓ n = (P ↓ Suc n) after e› (is ‹?lhs = ?rhs›)
  proof (subst Process_eq_spec, safe)
    show ‹t ∈ 𝒟 ?lhs ⟹ t ∈ 𝒟 ?rhs› for t
      by (elim D_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_kE)
        (simp_all add: ‹ev e ∈ P⇧⁰› After_projs
          initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k D_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k,
          meson Cons_eq_appendI event⇩_p⇩_t⇩_i⇩_c⇩_k.disc(1) length_Cons tickFree_Cons_iff)
  next
    show ‹t ∈ 𝒟 ?rhs ⟹ t ∈ 𝒟 ?lhs› for t
      by (auto simp add: D_After initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k ‹ev e ∈ P⇧⁰›
          D_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k T_After Cons_eq_append_conv)
  next
    show ‹(t, X) ∈ ℱ ?lhs ⟹ (t, X) ∈ ℱ ?rhs› for t X
      by (elim F_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_kE)
        (simp_all add: ‹ev e ∈ P⇧⁰› After_projs
          initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k F_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k,
          meson Cons_eq_appendI event⇩_p⇩_t⇩_i⇩_c⇩_k.disc(1) length_Cons tickFree_Cons_iff)
  next
    show ‹(t, X) ∈ ℱ ?rhs ⟹ (t, X) ∈ ℱ ?lhs› for t X
      by (auto simp add: F_After initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k ‹ev e ∈ P⇧⁰›
          F_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k T_After Cons_eq_append_conv)
  qed
qed

lemma (in AfterExt) restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After⇩_t⇩_i⇩_c⇩_k:
  ‹P after⇩_✓ e ↓ n =
   (case e of ✓(r) ⇒ Ω P r ↓ n | ev x ⇒ if e ∈ P⇧⁰ then (P ↓ Suc n) after⇩_✓ e else Ψ P x ↓ n)›
  by (simp add: After⇩_t⇩_i⇩_c⇩_k_def restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After split: event⇩_p⇩_t⇩_i⇩_c⇩_k.split )

lemma (in AfterExt) restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After⇩_t⇩_r⇩_a⇩_c⇩_e:
  ‹t ∈ 𝒯 P ⟹ tF t ⟹ P after⇩_𝒯 t ↓ n = (P ↓ (n + length t)) after⇩_𝒯 t›
proof (induct t arbitrary: n rule: rev_induct)
  show ‹P after⇩_𝒯 [] ↓ n = (P ↓ (n + length [])) after⇩_𝒯 []› for n by simp
next
  fix e t n
  assume   hyp : ‹t ∈ 𝒯 P ⟹ tF t ⟹ P after⇩_𝒯 t ↓ n = (P ↓ (n + length t)) after⇩_𝒯 t› for n
  assume prems : ‹t @ [e] ∈ 𝒯 P› ‹tickFree (t @ [e])›
  from prems(2) obtain a where ‹e = ev a› by (cases e) simp_all
  with initials_After⇩_t⇩_r⇩_a⇩_c⇩_e[OF prems(1)] have ‹ev a ∈ (P after⇩_𝒯 t)⇧⁰› by simp
  from prems is_processT3_TR_append have ‹t ∈ 𝒯 P› ‹tF t› by auto
  from hyp[OF this] have ‹P after⇩_𝒯 t ↓ Suc n = (P ↓ (Suc n + length t)) after⇩_𝒯 t› .
  thus ‹P after⇩_𝒯 (t @ [e]) ↓ n = (P ↓ (n + length (t @ [e]))) after⇩_𝒯 (t @ [e])›
    by (simp add: After⇩_t⇩_r⇩_a⇩_c⇩_e_snoc restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After⇩_t⇩_i⇩_c⇩_k
        ‹e = ev a› ‹ev a ∈ (P after⇩_𝒯 t)⇧⁰›)
qed



subsection ‹Non too Destructiveness›

lemma (in After) non_too_destructive_on_After :
  ‹non_too_destructive_on (λP. P after e) {P. ev e ∈ P⇧⁰}›
  by (auto intro!: non_too_destructive_onI simp add: restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After)

lemma (in AfterExt) non_too_destructive_on_After⇩_t⇩_i⇩_c⇩_k :
  ‹non_too_destructive_on (λP. P after⇩_✓ e) {P. e ∈ P⇧⁰}›
  if ‹⋀r. e = ✓(r) ⟹ non_too_destructive_on Ω {P. ✓(r) ∈ P⇧⁰}›
proof (intro non_too_destructive_onI, clarify)
  fix P Q n assume * : ‹P ↓ Suc n = Q ↓ Suc n› ‹e ∈ P⇧⁰› ‹e ∈ Q⇧⁰›
  show ‹P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n›
  proof (cases e)
    from "*" show ‹e = ev a ⟹ P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n› for a
      by (simp add: restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After⇩_t⇩_i⇩_c⇩_k)
  next
    fix r assume ‹e = ✓(r)›
    with "*"(2, 3) have ‹P ∈ {P. ✓(r) ∈ P⇧⁰}› ‹Q ∈ {P. ✓(r) ∈ P⇧⁰}› by auto
    from non_too_destructive_onD[OF that[simplified ‹e = ✓(r)›, OF refl] this "*"(1)]
    have ‹Ω P ↓ n = Ω Q ↓ n› .
    with ‹e = ✓(r)› show ‹P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n›
      by (simp add: restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After⇩_t⇩_i⇩_c⇩_k) (metis restriction_fun_def)
  qed
qed



lemma (in After) non_too_destructive_After :
  ‹non_too_destructive (λP. P after e)› if * : ‹non_too_destructive_on Ψ {P. ev e ∉ P⇧⁰}›
proof (rule non_too_destructiveI)
  fix P Q :: ‹('a, 'r) process⇩_p⇩_t⇩_i⇩_c⇩_k› and n
  assume ‹P ↓ Suc n = Q ↓ Suc n›
  hence ‹ev e ∈ P⇧⁰ ∧ ev e ∈ Q⇧⁰ ∨ ev e ∉ P⇧⁰ ∧ ev e ∉ Q⇧⁰›
    by (metis initials_restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k nat.distinct(1))
  thus ‹P after e ↓ n = Q after e ↓ n›
  proof (elim disjE conjE)
    show ‹ev e ∈ P⇧⁰ ⟹ ev e ∈ Q⇧⁰ ⟹ P after e ↓ n = Q after e ↓ n›
      by (simp add: restriction_process⇩_p⇩_t⇩_i⇩_c⇩_k_After ‹P ↓ Suc n = Q ↓ Suc n›)
  next
    assume ‹ev e ∉ P⇧⁰› ‹ev e ∉ Q⇧⁰›
    hence ‹P after e = Ψ P e› ‹Q after e = Ψ Q e›
      by (simp_all add: not_initial_After)
    from ‹P ↓ Suc n = Q ↓ Suc n› have ‹Ψ P ↓ n = Ψ Q ↓ n›
      by (intro "*"[THEN non_too_destructive_onD, of P Q])
        (simp_all add: ‹ev e ∉ P⇧⁰› ‹ev e ∉ Q⇧⁰›)
    with ‹P after e = Ψ P e› ‹Q after e = Ψ Q e›
    show ‹P after e ↓ n = Q after e ↓ n› 
      by (metis restriction_fun_def)
  qed
qed


lemma (in AfterExt) non_too_destructive_After⇩_t⇩_i⇩_c⇩_k :
  ‹non_too_destructive (λP. P after⇩_✓ e)›
  if * : ‹⋀a. e = ev a ⟹ non_too_destructive_on Ψ {P. ev a ∉ P⇧⁰}›
    ‹⋀r. e = ✓(r) ⟹ non_too_destructive (λP. Ω P r)›
proof (rule non_too_destructiveI)
  show ‹P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n› if ‹P ↓ Suc n = Q ↓ Suc n› for P Q n
  proof (cases e)
    show ‹P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n› if ‹e = ev a› for a
      by (simp add: After⇩_t⇩_i⇩_c⇩_k_def ‹e = ev a›)
        (fact non_too_destructive_After[OF "*"(1)[simplified ‹e = ev a›, OF refl],
            THEN non_too_destructiveD, OF ‹P ↓ Suc n = Q ↓ Suc n›])
  next
    fix r assume ‹e = ✓(r)›
    from "*"(2)[unfolded ‹e = ✓(r)›, OF refl,
        THEN non_too_destructiveD, OF ‹P ↓ Suc n = Q ↓ Suc n›]
    have ‹Ω P r ↓ n = Ω Q r ↓ n› .
    thus ‹P after⇩_✓ e ↓ n = Q after⇩_✓ e ↓ n›
      by (simp add: After⇩_t⇩_i⇩_c⇩_k_def ‹e = ✓(r)›)
  qed
qed


lemma (in AfterExt) restriction_shift_After⇩_t⇩_r⇩_a⇩_c⇩_e :
  ‹restriction_shift (λP. P after⇩_𝒯 t) (- int (length t))›
  if ‹non_too_destructive Ψ› ‹non_too_destructive Ω›
    ― ‹We could imagine more precise assumptions, but is it useful?›
proof (induct t)
  case Nil show ?case by (simp add: restriction_shiftI)
next
  case (Cons e t)
  have ‹non_too_destructive (λP. P after⇩_✓ e)›
    by (rule non_too_destructive_After⇩_t⇩_i⇩_c⇩_k)
      (simp add: ‹non_too_destructive Ψ›,
        metis non_too_destructive_fun_iff ‹non_too_destructive Ω›)
  hence * : ‹restriction_shift (λP. P after⇩_✓ e) (- 1)›
    unfolding non_too_destructive_def
      non_too_destructive_on_def restriction_shift_def .
  from restriction_shift_comp_restriction_shift[OF Cons.hyps "*"]
  show ?case by simp
qed


(*<*)
end
  (*>*)