12854

(* Title: isabelle/Bali/TypeSafe.thy


ID: $Id$


Author: David von Oheimb


Copyright 1997 Technische Universitaet Muenchen


*)


header {* The type soundness proof for Java *}


8 


theory TypeSafe = Eval + WellForm + Conform:


section "result conformance"


constdefs


assign_conforms :: "st \<Rightarrow> (val \<Rightarrow> state \<Rightarrow> state) \<Rightarrow> ty \<Rightarrow> env_ \<Rightarrow> bool"


("_\<le>_\<preceq>_\<Colon>\<preceq>_" [71,71,71,71] 70)


"s\<le>f\<preceq>T\<Colon>\<preceq>E \<equiv>


\<forall>s' w. Norm s'\<Colon>\<preceq>E \<longrightarrow> fst E,s'\<turnstile>w\<Colon>\<preceq>T \<longrightarrow> s\<le>s' \<longrightarrow> assign f w (Norm s')\<Colon>\<preceq>E"


rconf :: "prog \<Rightarrow> lenv \<Rightarrow> st \<Rightarrow> term \<Rightarrow> vals \<Rightarrow> tys \<Rightarrow> bool"


("_,_,_\<turnstile>_\<succ>_\<Colon>\<preceq>_" [71,71,71,71,71,71] 70)


"G,L,s\<turnstile>t\<succ>v\<Colon>\<preceq>T


\<equiv> case T of


Inl T \<Rightarrow> if (\<exists>vf. t=In2 vf)


then G,s\<turnstile>fst (the_In2 v)\<Colon>\<preceq>T \<and> s\<le>snd (the_In2 v)\<preceq>T\<Colon>\<preceq>(G,L)


else G,s\<turnstile>the_In1 v\<Colon>\<preceq>T


 Inr Ts \<Rightarrow> list_all2 (conf G s) (the_In3 v) Ts"


lemma rconf_In1 [simp]:


"G,L,s\<turnstile>In1 ec\<succ>In1 v \<Colon>\<preceq>Inl T = G,s\<turnstile>v\<Colon>\<preceq>T"


apply (unfold rconf_def)


apply (simp (no_asm))


done


lemma rconf_In2 [simp]:


"G,L,s\<turnstile>In2 va\<succ>In2 vf\<Colon>\<preceq>Inl T = (G,s\<turnstile>fst vf\<Colon>\<preceq>T \<and> s\<le>snd vf\<preceq>T\<Colon>\<preceq>(G,L))"


apply (unfold rconf_def)


apply (simp (no_asm))


done


lemma rconf_In3 [simp]:


"G,L,s\<turnstile>In3 es\<succ>In3 vs\<Colon>\<preceq>Inr Ts = list_all2 (\<lambda>v T. G,s\<turnstile>v\<Colon>\<preceq>T) vs Ts"


apply (unfold rconf_def)


apply (simp (no_asm))


done


section "fits and conf"


(* unused *)


lemma conf_fits: "G,s\<turnstile>v\<Colon>\<preceq>T \<Longrightarrow> G,s\<turnstile>v fits T"


apply (unfold fits_def)


apply clarify


apply (erule swap, simp (no_asm_use))


apply (drule conf_RefTD)


apply auto


done


lemma fits_conf:


"\<lbrakk>G,s\<turnstile>v\<Colon>\<preceq>T; G\<turnstile>T\<preceq>? T'; G,s\<turnstile>v fits T'; ws_prog G\<rbrakk> \<Longrightarrow> G,s\<turnstile>v\<Colon>\<preceq>T'"


apply (auto dest!: fitsD cast_PrimT2 cast_RefT2)


apply (force dest: conf_RefTD intro: conf_AddrI)


done


lemma fits_Array:


"\<lbrakk>G,s\<turnstile>v\<Colon>\<preceq>T; G\<turnstile>T'.[]\<preceq>T.[]; G,s\<turnstile>v fits T'; ws_prog G\<rbrakk> \<Longrightarrow> G,s\<turnstile>v\<Colon>\<preceq>T'"


apply (auto dest!: fitsD widen_ArrayPrimT widen_ArrayRefT)


apply (force dest: conf_RefTD intro: conf_AddrI)


done


section "gext"


lemma halloc_gext: "\<And>s1 s2. G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> s2 \<Longrightarrow> snd s1\<le>snd s2"


apply (simp (no_asm_simp) only: split_tupled_all)


apply (erule halloc.induct)


apply (auto dest!: new_AddrD)


done


lemma sxalloc_gext: "\<And>s1 s2. G\<turnstile>s1 \<midarrow>sxalloc\<rightarrow> s2 \<Longrightarrow> snd s1\<le>snd s2"


apply (simp (no_asm_simp) only: split_tupled_all)


apply (erule sxalloc.induct)


apply (auto dest!: halloc_gext)


done


lemma eval_gext_lemma [rule_format (no_asm)]:


"G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (w,s') \<Longrightarrow> snd s\<le>snd s' \<and> (case w of


In1 v \<Rightarrow> True


 In2 vf \<Rightarrow> normal s \<longrightarrow> (\<forall>v x s. s\<le>snd (assign (snd vf) v (x,s)))


 In3 vs \<Rightarrow> True)"


apply (erule eval_induct)


prefer 24


apply (case_tac "inited C (globs s0)", clarsimp, erule thin_rl) (* Init *)


apply (auto del: conjI dest!: not_initedD gext_new sxalloc_gext halloc_gext


simp add: lvar_def fvar_def2 avar_def2 init_lvars_def2


split del: split_if_asm split add: sum3.split)


(* 6 subgoals *)


apply force+


done


lemma evar_gext_f:


"G\<turnstile>Norm s1 \<midarrow>e=\<succ>vf \<rightarrow> s2 \<Longrightarrow> s\<le>snd (assign (snd vf) v (x,s))"


apply (drule eval_gext_lemma [THEN conjunct2])


apply auto


done


lemmas eval_gext = eval_gext_lemma [THEN conjunct1]


lemma eval_gext': "G\<turnstile>(x1,s1) \<midarrow>t\<succ>\<rightarrow> (w,x2,s2) \<Longrightarrow> s1\<le>s2"


apply (drule eval_gext)


apply auto


done


lemma init_yields_initd: "G\<turnstile>Norm s1 \<midarrow>Init C\<rightarrow> s2 \<Longrightarrow> initd C s2"


apply (erule eval_cases , auto split del: split_if_asm)


apply (case_tac "inited C (globs s1)")


apply (clarsimp split del: split_if_asm)+


apply (drule eval_gext')+


apply (drule init_class_obj_inited)


apply (erule inited_gext)


apply (simp (no_asm_use))


done


section "Lemmas"


lemma obj_ty_obj_class1:


"\<lbrakk>wf_prog G; is_type G (obj_ty obj)\<rbrakk> \<Longrightarrow> is_class G (obj_class obj)"


apply (case_tac "tag obj")


apply (auto simp add: obj_ty_def obj_class_def)


done


lemma oconf_init_obj:


"\<lbrakk>wf_prog G;


(case r of Heap a \<Rightarrow> is_type G (obj_ty obj)  Stat C \<Rightarrow> is_class G C)


\<rbrakk> \<Longrightarrow> G,s\<turnstile>obj \<lparr>values:=init_vals (var_tys G (tag obj) r)\<rparr>\<Colon>\<preceq>\<surd>r"


apply (auto intro!: oconf_init_obj_lemma unique_fields)


done


lemma conforms_newG: "\<lbrakk>globs s oref = None; (x, s)\<Colon>\<preceq>(G,L);


wf_prog G; case oref of Heap a \<Rightarrow> is_type G (obj_ty \<lparr>tag=oi,values=vs\<rparr>)


 Stat C \<Rightarrow> is_class G C\<rbrakk> \<Longrightarrow>


(x, init_obj G oi oref s)\<Colon>\<preceq>(G, L)"


apply (unfold init_obj_def)


apply (auto elim!: conforms_gupd dest!: oconf_init_obj


simp add: obj.update_defs)


done


lemma conforms_init_class_obj:


"\<lbrakk>(x,s)\<Colon>\<preceq>(G, L); wf_prog G; class G C=Some y; \<not> inited C (globs s)\<rbrakk> \<Longrightarrow>


(x,init_class_obj G C s)\<Colon>\<preceq>(G, L)"


apply (rule not_initedD [THEN conforms_newG])


apply (auto)


done


lemma fst_init_lvars[simp]:


"fst (init_lvars G C sig (invmode m e) a' pvs (x,s)) =


(if static m then x else (np a') x)"


apply (simp (no_asm) add: init_lvars_def2)


done


lemma halloc_conforms: "\<And>s1. \<lbrakk>G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> s2; wf_prog G; s1\<Colon>\<preceq>(G, L);


is_type G (obj_ty \<lparr>tag=oi,values=fs\<rparr>)\<rbrakk> \<Longrightarrow> s2\<Colon>\<preceq>(G, L)"


apply (simp (no_asm_simp) only: split_tupled_all)


apply (case_tac "aa")


apply (auto elim!: halloc_elim_cases dest!: new_AddrD


intro!: conforms_newG [THEN conforms_xconf] conf_AddrI)


done


lemma halloc_type_sound: "\<And>s1. \<lbrakk>G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> (x,s); wf_prog G; s1\<Colon>\<preceq>(G, L);


T = obj_ty \<lparr>tag=oi,values=fs\<rparr>; is_type G T\<rbrakk> \<Longrightarrow>


(x,s)\<Colon>\<preceq>(G, L) \<and> (x = None \<longrightarrow> G,s\<turnstile>Addr a\<Colon>\<preceq>T)"


apply (auto elim!: halloc_conforms)


apply (case_tac "aa")


apply (subst obj_ty_eq)


apply (auto elim!: halloc_elim_cases dest!: new_AddrD intro!: conf_AddrI)


done


lemma sxalloc_type_sound:


"\<And>s1 s2. \<lbrakk>G\<turnstile>s1 \<midarrow>sxalloc\<rightarrow> s2; wf_prog G\<rbrakk> \<Longrightarrow> case fst s1 of


None \<Rightarrow> s2 = s1  Some x \<Rightarrow>


(\<exists>a. fst s2 = Some(Xcpt (Loc a)) \<and> (\<forall>L. s1\<Colon>\<preceq>(G,L) \<longrightarrow> s2\<Colon>\<preceq>(G,L)))"


apply (simp (no_asm_simp) only: split_tupled_all)


apply (erule sxalloc.induct)


apply auto


apply (rule halloc_conforms [THEN conforms_xconf])


apply (auto elim!: halloc_elim_cases dest!: new_AddrD intro!: conf_AddrI)


done


lemma wt_init_comp_ty:


"is_acc_type G (pid C) T \<Longrightarrow> \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>init_comp_ty T\<Colon>\<surd>"


apply (unfold init_comp_ty_def)


apply (clarsimp simp add: accessible_in_RefT_simp


is_acc_type_def is_acc_class_def)


done


declare fun_upd_same [simp]


declare fun_upd_apply [simp del]


constdefs


DynT_prop::"[prog,inv_mode,qtname,ref_ty] \<Rightarrow> bool"


("_\<turnstile>_\<rightarrow>_\<preceq>_"[71,71,71,71]70)


"G\<turnstile>mode\<rightarrow>D\<preceq>t \<equiv> mode = IntVir \<longrightarrow> is_class G D \<and>


(if (\<exists>T. t=ArrayT T) then D=Object else G\<turnstile>Class D\<preceq>RefT t)"


lemma DynT_propI:


"\<lbrakk>(x,s)\<Colon>\<preceq>(G, L); G,s\<turnstile>a'\<Colon>\<preceq>RefT statT; wf_prog G; mode = IntVir \<longrightarrow> a' \<noteq> Null\<rbrakk>


\<Longrightarrow> G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT"


proof (unfold DynT_prop_def)


assume state_conform: "(x,s)\<Colon>\<preceq>(G, L)"


and statT_a': "G,s\<turnstile>a'\<Colon>\<preceq>RefT statT"


and wf: "wf_prog G"


and mode: "mode = IntVir \<longrightarrow> a' \<noteq> Null"


let ?invCls = "(invocation_class mode s a' statT)"


let ?IntVir = "mode = IntVir"


let ?Concl = "\<lambda>invCls. is_class G invCls \<and>


(if \<exists>T. statT = ArrayT T


then invCls = Object


else G\<turnstile>Class invCls\<preceq>RefT statT)"


show "?IntVir \<longrightarrow> ?Concl ?invCls"


proof


assume modeIntVir: ?IntVir


with mode have not_Null: "a' \<noteq> Null" ..


from statT_a' not_Null state_conform


obtain a obj


where obj_props: "a' = Addr a" "globs s (Inl a) = Some obj"


"G\<turnstile>obj_ty obj\<preceq>RefT statT" "is_type G (obj_ty obj)"


by (blast dest: conforms_RefTD)


show "?Concl ?invCls"


proof (cases "tag obj")


case CInst


with modeIntVir obj_props


show ?thesis


by (auto dest!: widen_Array2 split add: split_if)


next


case Arr


from Arr obtain T where "obj_ty obj = T.[]" by (blast dest: obj_ty_Arr1)


moreover from Arr have "obj_class obj = Object"


by (blast dest: obj_class_Arr1)


moreover note modeIntVir obj_props wf


ultimately show ?thesis by (auto dest!: widen_Array )


qed


qed


qed


lemma invocation_methd:


"\<lbrakk>wf_prog G; statT \<noteq> NullT;


(\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC);


(\<forall> I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> mode \<noteq> SuperM);


(\<forall> T. statT = ArrayT T \<longrightarrow> mode \<noteq> SuperM);


G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT;


dynlookup G statT (invocation_class mode s a' statT) sig = Some m \<rbrakk>


\<Longrightarrow> methd G (invocation_declclass G mode s a' statT sig) sig = Some m"


proof 


assume wf: "wf_prog G"


and not_NullT: "statT \<noteq> NullT"


and statC_prop: "(\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC)"


and statI_prop: "(\<forall> I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> mode \<noteq> SuperM)"


and statA_prop: "(\<forall> T. statT = ArrayT T \<longrightarrow> mode \<noteq> SuperM)"


and invC_prop: "G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT"


and dynlookup: "dynlookup G statT (invocation_class mode s a' statT) sig


= Some m"


show ?thesis


proof (cases statT)


case NullT


with not_NullT show ?thesis by simp


next


case IfaceT


with statI_prop obtain I


where statI: "statT = IfaceT I" and


is_iface: "is_iface G I" and


not_SuperM: "mode \<noteq> SuperM" by blast


show ?thesis


proof (cases mode)


case Static


with wf dynlookup statI is_iface


show ?thesis


by (auto simp add: invocation_declclass_def dynlookup_def


dynimethd_def dynmethd_C_C


intro: dynmethd_declclass


dest!: wf_imethdsD


dest: table_of_map_SomeI


split: split_if_asm)


next


case SuperM


with not_SuperM show ?thesis ..


next


case IntVir


with wf dynlookup IfaceT invC_prop show ?thesis


by (auto simp add: invocation_declclass_def dynlookup_def dynimethd_def


DynT_prop_def


intro: methd_declclass dynmethd_declclass


split: split_if_asm)


qed


next


case ClassT


show ?thesis


proof (cases mode)


case Static


with wf ClassT dynlookup statC_prop


show ?thesis by (auto simp add: invocation_declclass_def dynlookup_def


intro: dynmethd_declclass)


next


317 
318 
319 
320 
321 
322 
323 
324 
325 
327 
328 
329 
330 
331 
case Static


with wf ArrayT dynlookup show ?thesis


by (auto simp add: invocation_declclass_def dynlookup_def


dynimethd_def dynmethd_C_C


intro: dynmethd_declclass


dest: table_of_map_SomeI)


next


case SuperM


341 
342 
with wf ArrayT dynlookup invC_prop show ?thesis


by (auto simp add: invocation_declclass_def dynlookup_def dynimethd_def


DynT_prop_def dynmethd_C_C


intro: dynmethd_declclass


dest: table_of_map_SomeI)


qed


qed


qed


352 
353 
357 
358 
359 
360 
361 
362 
363 
364 
365 
366 
367 
368 
369 
370 
371 
372 
373 
374 
375 
376 
377 
378 
379 
380 
381 
382 
383 
384 
from sm have not_Null: "statT \<noteq> NullT" by auto


from type_statT


have wf_C: "(\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC)"


by (auto)


from type_statT wt_e


have wf_I: "(\<forall>I. statT = IfaceT I \<longrightarrow> is_iface G I \<and>


393 
394 
395 
396 
398 
399 
400 
401 
403 
404 
405 
407 
408 
409 
410 
411 
412 
413 
414 
415 
416 
417 
418 
419 
420 
421 
422 
423 
424 
425 
426 
427 
429 
430 
431 
432 
433 
434 
435 
436 
437 
438 
439 
440 
441 
442 
443 
444 
445 
446 
447 
448 
449 
450 
451 
452 
453 
454 
456 
457 
by (auto dest: methd_declC )


from wf dm' declC_prop declC'


have wf_dm: "wf_mdecl G declC (sig,(mthd dm))"


by (auto dest: methd_wf_mdecl)


from invC_prop' declC_prop declC_prop1


have statC_prop: "( (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)


\<or> (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object))"


by auto


from False dm' wf_dm invC_prop' declC_prop statC_prop declC'


eq_declC_sm_dm eq_mheads static


show ?thesis by auto


qed


qed


473 
declare split_paired_All [simp del] split_paired_Ex [simp del]


declare split_if [split del] split_if_asm [split del]


option.split [split del] option.split_asm [split del]


lemma DynT_conf: "\<lbrakk>G\<turnstile>invocation_class mode s a' statT \<preceq>\<^sub>C declC; wf_prog G;


isrtype G (statT);


G,s\<turnstile>a'\<Colon>\<preceq>RefT statT; mode = IntVir \<longrightarrow> a' \<noteq> Null;


mode \<noteq> IntVir \<longrightarrow> (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)


\<or> (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object)\<rbrakk>


\<Longrightarrow>G,s\<turnstile>a'\<Colon>\<preceq> Class declC"


apply (case_tac "mode = IntVir")


apply (drule conf_RefTD)


apply (force intro!: conf_AddrI


simp add: obj_class_def split add: obj_tag.split_asm)


apply clarsimp


apply safe


apply (erule (1) widen.subcls [THEN conf_widen])


apply (erule wf_ws_prog)


603 
604 
605 
606 


lemma Ass_lemma:


"\<lbrakk>G\<turnstile>Norm s0 \<midarrow>va=\<succ>(w, f)\<rightarrow> Norm s1; G\<turnstile>Norm s1 \<midarrow>e\<succ>v\<rightarrow> Norm s2; G,s2\<turnstile>v\<Colon>\<preceq>T';


s1\<le>s2 \<longrightarrow> assign f v (Norm s2)\<Colon>\<preceq>(G, L)


\<rbrakk> \<Longrightarrow> assign f v (Norm s2)\<Colon>\<preceq>(G, L) \<and>


(\<lambda>(x',s'). x' = None \<longrightarrow> G,s'\<turnstile>v\<Colon>\<preceq>T') (assign f v (Norm s2))"


apply (drule_tac x = "None" and s = "s2" and v = "v" in evar_gext_f)


apply (drule eval_gext', clarsimp)


apply (erule conf_gext)


apply simp


done


lemma Throw_lemma: "\<lbrakk>G\<turnstile>tn\<preceq>\<^sub>C SXcpt Throwable; wf_prog G; (x1,s1)\<Colon>\<preceq>(G, L);


x1 = None \<longrightarrow> G,s1\<turnstile>a'\<Colon>\<preceq> Class tn\<rbrakk> \<Longrightarrow> (throw a' x1, s1)\<Colon>\<preceq>(G, L)"


apply (auto split add: split_abrupt_if simp add: throw_def2)


apply (erule conforms_xconf)


apply (frule conf_RefTD)


apply (auto elim: widen.subcls [THEN conf_widen])


done


627 
628 
629 
630 
631 
632 
633 
634 
635 


lemma Fin_lemma:


"\<lbrakk>G\<turnstile>Norm s1 \<midarrow>c2\<rightarrow> (x2,s2); wf_prog G; (Some a, s1)\<Colon>\<preceq>(G, L); (x2,s2)\<Colon>\<preceq>(G, L)\<rbrakk>


\<Longrightarrow> (abrupt_if True (Some a) x2, s2)\<Colon>\<preceq>(G, L)"


apply (force elim: eval_gext' conforms_xgext split add: split_abrupt_if)


done


lemma FVar_lemma1: "\<lbrakk>table_of (DeclConcepts.fields G Ca) (fn, C) = Some f ;


x2 = None \<longrightarrow> G,s2\<turnstile>a\<Colon>\<preceq> Class Ca; wf_prog G; G\<turnstile>Ca\<preceq>\<^sub>C C; C \<noteq> Object;


class G C = Some y; (x2,s2)\<Colon>\<preceq>(G, L); s1\<le>s2; inited C (globs s1);


(if static f then id else np a) x2 = None\<rbrakk>


\<Longrightarrow>


\<exists>obj. globs s2 (if static f then Inr C else Inl (the_Addr a)) = Some obj \<and>


var_tys G (tag obj) (if static f then Inr C else Inl(the_Addr a))


(Inl(fn,C)) = Some (type f)"


apply (drule initedD)


apply (frule subcls_is_class2, simp (no_asm_simp))


apply (case_tac "static f")


apply clarsimp


apply (drule (1) rev_gext_objD, clarsimp)


apply (frule fields_declC, erule wf_ws_prog, simp (no_asm_simp))


apply (rule var_tys_Some_eq [THEN iffD2])


apply clarsimp


apply (erule fields_table_SomeI, simp (no_asm))


apply clarsimp


apply (drule conf_RefTD, clarsimp, rule var_tys_Some_eq [THEN iffD2])


apply (auto dest!: widen_Array split add: obj_tag.split)


apply (rotate_tac 1) (* to front: tag obja = CInst pid_field_type to enable


conditional rewrite *)


apply (rule fields_table_SomeI)


apply (auto elim!: fields_mono subcls_is_class2)


done


lemma FVar_lemma:


"\<lbrakk>((v, f), Norm s2') = fvar C (static field) fn a (x2, s2); G\<turnstile>Ca\<preceq>\<^sub>C C;


table_of (DeclConcepts.fields G Ca) (fn, C) = Some field; wf_prog G;


x2 = None \<longrightarrow> G,s2\<turnstile>a\<Colon>\<preceq>Class Ca; C \<noteq> Object; class G C = Some y;


(x2, s2)\<Colon>\<preceq>(G, L); s1\<le>s2; inited C (globs s1)\<rbrakk> \<Longrightarrow>


G,s2'\<turnstile>v\<Colon>\<preceq>type field \<and> s2'\<le>f\<preceq>type field\<Colon>\<preceq>(G, L)"


apply (unfold assign_conforms_def)


apply (drule sym)


apply (clarsimp simp add: fvar_def2)


apply (drule (9) FVar_lemma1)


apply (clarsimp)


apply (drule (2) conforms_globsD [THEN oconf_lconf, THEN lconfD])


apply clarsimp


apply (drule (1) rev_gext_objD)


apply (auto elim!: conforms_upd_gobj)


done


lemma AVar_lemma1: "\<lbrakk>globs s (Inl a) = Some obj;tag obj=Arr ty i;


the_Intg i' in_bounds i; wf_prog G; G\<turnstile>ty.[]\<preceq>Tb.[]; Norm s\<Colon>\<preceq>(G, L)


\<rbrakk> \<Longrightarrow> G,s\<turnstile>the ((values obj) (Inr (the_Intg i')))\<Colon>\<preceq>Tb"


apply (erule widen_Array_Array [THEN conf_widen])


apply (erule_tac [2] wf_ws_prog)


apply (drule (1) conforms_globsD [THEN oconf_lconf, THEN lconfD])


defer apply assumption


apply (force intro: var_tys_Some_eq [THEN iffD2])


done


lemma obj_split: "\<And> obj. \<exists> t vs. obj = \<lparr>tag=t,values=vs\<rparr>"


proof record_split


fix tag values more


show "\<exists>t vs. \<lparr>tag = tag, values = values, \<dots> = more\<rparr> = \<lparr>tag = t, values = vs\<rparr>"


by auto


qed


lemma AVar_lemma: "\<lbrakk>wf_prog G; G\<turnstile>(x1, s1) \<midarrow>e2\<succ>i\<rightarrow> (x2, s2);


((v,f), Norm s2') = avar G i a (x2, s2); x1 = None \<longrightarrow> G,s1\<turnstile>a\<Colon>\<preceq>Ta.[];


(x2, s2)\<Colon>\<preceq>(G, L); s1\<le>s2\<rbrakk> \<Longrightarrow> G,s2'\<turnstile>v\<Colon>\<preceq>Ta \<and> s2'\<le>f\<preceq>Ta\<Colon>\<preceq>(G, L)"


apply (unfold assign_conforms_def)


apply (drule sym)


apply (clarsimp simp add: avar_def2)


apply (drule (1) conf_gext)


apply (drule conf_RefTD, clarsimp)


apply (subgoal_tac "\<exists> t vs. obj = \<lparr>tag=t,values=vs\<rparr>")


defer


apply (rule obj_split)


apply clarify


apply (frule obj_ty_widenD)


apply (auto dest!: widen_Class)


apply (force dest: AVar_lemma1)


apply (auto split add: split_if)


apply (force elim!: fits_Array dest: gext_objD


intro: var_tys_Some_eq [THEN iffD2] conforms_upd_gobj)


721 
done


722 


723 


724 
section "Call"


725 
lemma conforms_init_lvars_lemma: "\<lbrakk>wf_prog G;


726 
wf_mhead G P sig mh;


727 
Ball (set lvars) (split (\<lambda>vn. is_type G));


728 
list_all2 (conf G s) pvs pTsa; G\<turnstile>pTsa[\<preceq>](parTs sig)\<rbrakk> \<Longrightarrow>


729 
G,s\<turnstile>init_vals (table_of lvars)(pars mh[\<mapsto>]pvs)


730 
[\<Colon>\<preceq>]table_of lvars(pars mh[\<mapsto>]parTs sig)"


731 
apply (unfold wf_mhead_def)


732 
apply clarify


733 
apply (erule (2) Ball_set_table [THEN lconf_init_vals, THEN lconf_ext_list])


734 
apply (drule wf_ws_prog)


735 
apply (erule (2) conf_list_widen)


736 
done


737 


738 


739 
lemma lconf_map_lname [simp]:


740 
"G,s\<turnstile>(lname_case l1 l2)[\<Colon>\<preceq>](lname_case L1 L2)


741 
=


742 
(G,s\<turnstile>l1[\<Colon>\<preceq>]L1 \<and> G,s\<turnstile>(\<lambda>x::unit . l2)[\<Colon>\<preceq>](\<lambda>x::unit. L2))"


743 
apply (unfold lconf_def)


744 
apply safe


745 
apply (case_tac "n")


746 
apply (force split add: lname.split)+


747 
done


748 


749 
lemma lconf_map_ename [simp]:


750 
"G,s\<turnstile>(ename_case l1 l2)[\<Colon>\<preceq>](ename_case L1 L2)


751 
=


752 
(G,s\<turnstile>l1[\<Colon>\<preceq>]L1 \<and> G,s\<turnstile>(\<lambda>x::unit. l2)[\<Colon>\<preceq>](\<lambda>x::unit. L2))"


753 
apply (unfold lconf_def)


754 
apply safe


755 
apply (force split add: ename.split)+


756 
done


757 


758 


759 
lemma defval_conf1 [rule_format (no_asm), elim]:


760 
"is_type G T \<longrightarrow> (\<exists>v\<in>Some (default_val T): G,s\<turnstile>v\<Colon>\<preceq>T)"


761 
apply (unfold conf_def)


762 
apply (induct "T")


763 
apply (auto intro: prim_ty.induct)


764 
done


765 


766 


767 
lemma conforms_init_lvars:


768 
"\<lbrakk>wf_mhead G (pid declC) sig (mhead (mthd dm)); wf_prog G;


769 
list_all2 (conf G s) pvs pTsa; G\<turnstile>pTsa[\<preceq>](parTs sig);


770 
(x, s)\<Colon>\<preceq>(G, L);


771 
methd G declC sig = Some dm;


772 
isrtype G statT;


773 
G\<turnstile>invC\<preceq>\<^sub>C declC;


774 
G,s\<turnstile>a'\<Colon>\<preceq>RefT statT;


775 
invmode (mhd sm) e = IntVir \<longrightarrow> a' \<noteq> Null;


776 
invmode (mhd sm) e \<noteq> IntVir \<longrightarrow>


777 
(\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)


778 
\<or> (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object);


779 
invC = invocation_class (invmode (mhd sm) e) s a' statT;


780 
declC = invocation_declclass G (invmode (mhd sm) e) s a' statT sig;


781 
Ball (set (lcls (mbody (mthd dm))))


782 
(split (\<lambda>vn. is_type G))


783 
\<rbrakk> \<Longrightarrow>


784 
init_lvars G declC sig (invmode (mhd sm) e) a'


785 
pvs (x,s)\<Colon>\<preceq>(G,\<lambda> k.


786 
(case k of


787 
EName e \<Rightarrow> (case e of


788 
VNam v


789 
\<Rightarrow> (table_of (lcls (mbody (mthd dm)))


790 
(pars (mthd dm)[\<mapsto>]parTs sig)) v


791 
 Res \<Rightarrow> Some (resTy (mthd dm)))


792 
 This \<Rightarrow> if (static (mthd sm))


793 
then None else Some (Class declC)))"


794 
apply (simp add: init_lvars_def2)


795 
apply (rule conforms_set_locals)


796 
apply (simp (no_asm_simp) split add: split_if)


797 
apply (drule (4) DynT_conf)


798 
apply clarsimp


799 
(* apply intro *)


800 
apply (drule (4) conforms_init_lvars_lemma)


801 
apply (case_tac "dm",simp)


802 
apply (rule conjI)


803 
apply (unfold lconf_def, clarify)


804 
apply (rule defval_conf1)


805 
apply (clarsimp simp add: wf_mhead_def is_acc_type_def)


806 
apply (case_tac "is_static sm")


807 
apply simp_all


808 
done


809 


810 


811 
lemma Call_type_sound: "\<lbrakk>wf_prog G; G\<turnstile>(x1, s1) \<midarrow>ps\<doteq>\<succ>pvs\<rightarrow> (x2, s2);


812 
declC


813 
= invocation_declclass G (invmode (mhd esm) e) s2 a' statT \<lparr>name=mn,parTs=pTs\<rparr>;


814 
s2'=init_lvars G declC \<lparr>name=mn,parTs=pTs\<rparr> (invmode (mhd esm) e) a' pvs (x2,s2);


815 
G\<turnstile>s2' \<midarrow>Methd declC \<lparr>name=mn,parTs=pTs\<rparr>\<succ>v\<rightarrow> (x3, s3);


816 
\<forall>L. s2'\<Colon>\<preceq>(G, L)


817 
\<longrightarrow> (\<forall>T. \<lparr>prg=G,cls=declC,lcl=L\<rparr>\<turnstile> Methd declC \<lparr>name=mn,parTs=pTs\<rparr>\<Colon>T


818 
\<longrightarrow> (x3, s3)\<Colon>\<preceq>(G, L) \<and> (x3 = None \<longrightarrow> G,s3\<turnstile>v\<Colon>\<preceq>T));


819 
Norm s0\<Colon>\<preceq>(G, L);


820 
\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>RefT statT; \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>ps\<Colon>\<doteq>pTsa;


821 
max_spec G C statT \<lparr>name=mn,parTs=pTsa\<rparr> = {(esm, pTs)};


822 
(x1, s1)\<Colon>\<preceq>(G, L);


823 
x1 = None \<longrightarrow> G,s1\<turnstile>a'\<Colon>\<preceq>RefT statT; (x2, s2)\<Colon>\<preceq>(G, L);


824 
x2 = None \<longrightarrow> list_all2 (conf G s2) pvs pTsa;


825 
sm=(mhd esm)\<rbrakk> \<Longrightarrow>


826 
(x3, set_locals (locals s2) s3)\<Colon>\<preceq>(G, L) \<and>


827 
(x3 = None \<longrightarrow> G,s3\<turnstile>v\<Colon>\<preceq>resTy sm)"


828 
apply clarify


829 
apply (case_tac "x2")


830 
defer


831 
apply (clarsimp split add: split_if_asm simp add: init_lvars_def2)


832 
apply (case_tac "a' = Null \<and> \<not> (static (mhd esm)) \<and> e \<noteq> Super")


833 
apply (clarsimp simp add: init_lvars_def2)


834 
apply clarsimp


835 
apply (drule eval_gext')


836 
apply (frule (1) conf_gext)


837 
apply (drule max_spec2mheads, clarsimp)


838 
apply (subgoal_tac "invmode (mhd esm) e = IntVir \<longrightarrow> a' \<noteq> Null")


839 
defer


840 
apply (clarsimp simp add: invmode_IntVir_eq)


841 
apply (frule (6) DynT_mheadsD [OF DynT_propI,of _ "s2"],(rule HOL.refl)+)


842 
apply clarify


843 
apply (drule wf_mdeclD1, clarsimp)


844 
apply (frule ty_expr_is_type) apply simp


845 
apply (frule (2) conforms_init_lvars)


846 
apply simp


847 
apply assumption+


848 
apply simp


849 
apply assumption+


850 
apply clarsimp


851 
apply (rule HOL.refl)


852 
apply simp


853 
apply (rule Ball_weaken)


854 
apply assumption


855 
apply (force simp add: is_acc_type_def)


856 
apply (tactic "smp_tac 1 1")


857 
apply (frule (2) wt_MethdI, clarsimp)


858 
apply (subgoal_tac "is_static dm = (static (mthd esm))")


859 
apply (simp only:)


860 
apply (tactic "smp_tac 1 1")


861 
apply (rule conjI)


862 
apply (erule conforms_return)


863 
apply blast


864 


865 
apply (force dest!: eval_gext del: impCE simp add: init_lvars_def2)


866 
apply clarsimp


867 
apply (drule (2) widen_trans, erule (1) conf_widen)


868 
apply (erule wf_ws_prog)


869 


870 
apply auto


871 
done


872 


873 


874 
subsection "accessibility"


875 


876 
theorem dynamic_field_access_ok:


877 
(assumes wf: "wf_prog G" and


878 
eval_e: "G\<turnstile>s1 \<midarrow>e\<succ>a\<rightarrow> s2" and


879 
not_Null: "a\<noteq>Null" and


880 
conform_a: "G,(store s2)\<turnstile>a\<Colon>\<preceq> Class statC" and


881 
conform_s2: "s2\<Colon>\<preceq>(G, L)" and


882 
normal_s2: "normal s2" and


883 
wt_e: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>,dt\<Turnstile>e\<Colon>Class statC" and


884 
f: "accfield G accC statC fn = Some f" and


885 
dynC: "if stat then dynC=statC


886 
else dynC=obj_class (lookup_obj (store s2) a)"


887 
) "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f) \<and>


888 
G\<turnstile>Field fn f in dynC dyn_accessible_from accC"


889 
proof (cases "stat")


890 
case True


891 
with dynC


892 
have dynC': "dynC=statC" by simp


893 
with f


894 
have "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"


895 
by (auto simp add: accfield_def Let_def intro!: table_of_remap_SomeD)


896 
with dynC' f


897 
show ?thesis


898 
by (auto intro!: static_to_dynamic_accessible_from


899 
dest: accfield_accessibleD accessible_from_commonD)


900 
next


901 
case False


902 
with wf conform_a not_Null conform_s2 dynC


903 
obtain subclseq: "G\<turnstile>dynC \<preceq>\<^sub>C statC" and


904 
"is_class G dynC"


905 
by (auto dest!: conforms_RefTD [of _ _ _ _ "(fst s2)" L]


906 
dest: obj_ty_obj_class1


907 
simp add: obj_ty_obj_class )


908 
with wf f


909 
have "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"


910 
by (auto simp add: accfield_def Let_def


911 
dest: fields_mono


912 
dest!: table_of_remap_SomeD)


913 
moreover


914 
from f subclseq


915 
have "G\<turnstile>Field fn f in dynC dyn_accessible_from accC"


916 
by (auto intro!: static_to_dynamic_accessible_from


917 
dest: accfield_accessibleD)


918 
ultimately show ?thesis


919 
by blast


920 
qed


921 


922 
lemma call_access_ok:


923 
(assumes invC_prop: "G\<turnstile>invmode (mhd statM) e\<rightarrow>invC\<preceq>statT"


924 
and wf: "wf_prog G"


925 
and wt_e: "\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>RefT statT"


926 
and statM: "statM \<in> mheads G accC statT sig"


927 
and invC: "invC = invocation_class (invmode (mhd statM) e) s a statT"


928 
)"\<exists> dynM. dynlookup G statT invC sig = Some dynM \<and>


929 
G\<turnstile>Methd sig dynM in invC dyn_accessible_from accC"


930 
proof 


931 
from wt_e wf have type_statT: "is_type G (RefT statT)"


932 
by (auto dest: ty_expr_is_type)


933 
from statM have not_Null: "statT \<noteq> NullT" by auto


934 
from type_statT wt_e


935 
have wf_I: "(\<forall>I. statT = IfaceT I \<longrightarrow> is_iface G I \<and>


936 
invmode (mhd statM) e \<noteq> SuperM)"


937 
by (auto dest: invocationTypeExpr_noClassD)


938 
from wt_e


939 
have wf_A: "(\<forall> T. statT = ArrayT T \<longrightarrow> invmode (mhd statM) e \<noteq> SuperM)"


940 
by (auto dest: invocationTypeExpr_noClassD)


941 
show ?thesis


942 
proof (cases "invmode (mhd statM) e = IntVir")


943 
case True


944 
with invC_prop not_Null


945 
have invC_prop': "is_class G invC \<and>


946 
(if (\<exists>T. statT=ArrayT T) then invC=Object


947 
else G\<turnstile>Class invC\<preceq>RefT statT)"


948 
by (auto simp add: DynT_prop_def)


949 
with True not_Null


950 
have "G,statT \<turnstile> invC valid_lookup_cls_for is_static statM"


951 
by (cases statT) (auto simp add: invmode_def


952 
split: split_if split_if_asm) (* was deleted above *)


953 
with statM type_statT wf


954 
show ?thesis


955 
by  (rule dynlookup_access,auto)


956 
next


957 
case False


958 
with type_statT wf invC not_Null wf_I wf_A


959 
have invC_prop': " is_class G invC \<and>


960 
((\<exists> statC. statT=ClassT statC \<and> invC=statC) \<or>


961 
(\<forall> statC. statT\<noteq>ClassT statC \<and> invC=Object)) "


962 
by (case_tac "statT") (auto simp add: invocation_class_def


963 
split: inv_mode.splits)


964 
with not_Null wf


965 
have dynlookup_static: "dynlookup G statT invC sig = methd G invC sig"


966 
by (case_tac "statT") (auto simp add: dynlookup_def dynmethd_C_C


967 
dynimethd_def)


968 
from statM wf wt_e not_Null False invC_prop' obtain dynM where


969 
"accmethd G accC invC sig = Some dynM"


970 
by (auto dest!: static_mheadsD)


971 
from invC_prop' False not_Null wf_I


972 
have "G,statT \<turnstile> invC valid_lookup_cls_for is_static statM"


973 
by (cases statT) (auto simp add: invmode_def


974 
split: split_if split_if_asm) (* was deleted above *)


975 
with statM type_statT wf


976 
show ?thesis


977 
by  (rule dynlookup_access,auto)


978 
qed


979 
qed


980 


981 
section "main proof of type safety"


982 


983 
ML {*


984 
val forward_hyp_tac = EVERY' [smp_tac 1,


985 
FIRST'[mp_tac,etac exI,smp_tac 2,smp_tac 1,EVERY'[etac impE,etac exI]],


986 
REPEAT o (etac conjE)];


987 
val typD_tac = eresolve_tac (thms "wt_elim_cases") THEN_ALL_NEW


988 
EVERY' [full_simp_tac (simpset() setloop (K no_tac)),


989 
clarify_tac(claset() addSEs[])]


990 
*}


991 


992 
lemma conforms_locals [rule_format]:


993 
"(a,b)\<Colon>\<preceq>(G, L) \<longrightarrow> L x = Some T \<longrightarrow> G,b\<turnstile>the (locals b x)\<Colon>\<preceq>T"


994 
apply (force simp: conforms_def Let_def lconf_def)


995 
done


996 


997 
lemma eval_type_sound [rule_format (no_asm)]:


998 
"wf_prog G \<Longrightarrow> G\<turnstile>s0 \<midarrow>t\<succ>\<rightarrow> (v,s1) \<Longrightarrow> (\<forall>L. s0\<Colon>\<preceq>(G,L) \<longrightarrow>


999 
(\<forall>C T. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T \<longrightarrow> s1\<Colon>\<preceq>(G,L) \<and>


1000 
(let (x,s) = s1 in x = None \<longrightarrow> G,L,s\<turnstile>t\<succ>v\<Colon>\<preceq>T)))"


1001 
apply (erule eval_induct)


1002 


1003 
(* 29 subgoals *)


1004 
(* Xcpt, Inst, Methd, Nil, Skip, Expr, Comp *)


1005 
apply (simp_all (no_asm_use) add: Let_def body_def)


1006 
apply (tactic "ALLGOALS (EVERY'[Clarify_tac, TRY o typD_tac,


1007 
TRY o forward_hyp_tac])")


1008 
apply (tactic"ALLGOALS(EVERY'[asm_simp_tac(simpset()),TRY o Clarify_tac])")


1009 


1010 
(* 20 subgoals *)


1011 


1012 
(* Break *)


1013 
apply (erule conforms_absorb)


1014 


1015 
(* Cons *)


1016 
apply (erule_tac V = "G\<turnstile>Norm s0 \<midarrow>?ea\<succ>\<rightarrow> ?vs1" in thin_rl)


1017 
apply (frule eval_gext')


1018 
apply force


1019 


1020 
(* LVar *)


1021 
apply (force elim: conforms_localD [THEN lconfD] conforms_lupd


1022 
simp add: assign_conforms_def lvar_def)


1023 


1024 
(* Cast *)


1025 
apply (force dest: fits_conf)


1026 


1027 
(* Lit *)


1028 
apply (rule conf_litval)


1029 
apply (simp add: empty_dt_def)


1030 


1031 
(* Super *)


1032 
apply (rule conf_widen)


1033 
apply (erule (1) subcls_direct [THEN widen.subcls])


1034 
apply (erule (1) conforms_localD [THEN lconfD])


1035 
apply (erule wf_ws_prog)


1036 


1037 
(* Acc *)


1038 
apply fast


1039 


1040 
(* Body *)


1041 
apply (rule conjI)


1042 
apply (rule conforms_absorb)


1043 
apply (fast)


1044 
apply (fast intro: conforms_locals)


1045 


1046 
(* Cond *)


1047 
apply (simp split: split_if_asm)


1048 
apply (tactic "forward_hyp_tac 1", force)


1049 
apply (tactic "forward_hyp_tac 1", force)


1050 


1051 
(* If *)


1052 
apply (force split add: split_if_asm)


1053 


1054 
(* Loop *)


1055 
apply (drule (1) wt.Loop)


1056 
apply (clarsimp split: split_if_asm)


1057 
apply (fast intro: conforms_absorb)


1058 


1059 
(* Fin *)


1060 
apply (case_tac "x1", force)


1061 
apply (drule spec, erule impE, erule conforms_NormI)


1062 
apply (erule impE)


1063 
apply blast


1064 
apply (clarsimp)


1065 
apply (erule (3) Fin_lemma)


1066 


1067 
(* Throw *)


1068 
apply (erule (3) Throw_lemma)


1069 


1070 
(* NewC *)


1071 
apply (clarsimp simp add: is_acc_class_def)


1072 
apply (drule (1) halloc_type_sound,blast, rule HOL.refl, simp, simp)


1073 


1074 
(* NewA *)


1075 
apply (tactic "smp_tac 1 1",frule wt_init_comp_ty,erule impE,blast)


1076 
apply (tactic "forward_hyp_tac 1")


1077 
apply (case_tac "check_neg i' ab")


1078 
apply (clarsimp simp add: is_acc_type_def)


1079 
apply (drule (2) halloc_type_sound, rule HOL.refl, simp, simp)


1080 
apply force


1081 


1082 
(* Level 34, 6 subgoals *)


1083 


1084 
(* Init *)


1085 
apply (case_tac "inited C (globs s0)")


1086 
apply (clarsimp)


1087 
apply (clarsimp)


1088 
apply (frule (1) wf_prog_cdecl)


1089 
apply (drule spec, erule impE, erule (3) conforms_init_class_obj)


1090 
apply (drule_tac "psi" = "class G C = ?x" in asm_rl,erule impE,


1091 
force dest!: wf_cdecl_supD split add: split_if simp add: is_acc_class_def)


1092 
apply (drule spec, erule impE, erule conforms_set_locals, rule lconf_empty)


1093 
apply (erule impE) apply (rule exI) apply (erule wf_cdecl_wt_init)


1094 
apply (drule (1) conforms_return, force dest: eval_gext', assumption)


1095 


1096 


1097 
(* Ass *)


1098 
apply (tactic "forward_hyp_tac 1")


1099 
apply (rename_tac x1 s1 x2 s2 v va w L C Ta T', case_tac x1)


1100 
prefer 2 apply force


1101 
apply (case_tac x2)


1102 
prefer 2 apply force


1103 
apply (simp, drule conjunct2)


1104 
apply (drule (1) conf_widen)


1105 
apply (erule wf_ws_prog)


1106 
apply (erule (2) Ass_lemma)


1107 
apply (clarsimp simp add: assign_conforms_def)


1108 


1109 
(* Try *)


1110 
apply (drule (1) sxalloc_type_sound, simp (no_asm_use))


1111 
apply (case_tac a)


1112 
apply clarsimp


1113 
apply clarsimp


1114 
apply (tactic "smp_tac 1 1")


1115 
apply (simp split add: split_if_asm)


1116 
apply (fast dest: conforms_deallocL Try_lemma)


1117 


1118 
(* FVar *)


1119 


1120 
apply (frule accfield_fields)


1121 
apply (frule ty_expr_is_type [THEN type_is_class],simp)


1122 
apply simp


1123 
apply (frule wf_ws_prog)


1124 
apply (frule (1) fields_declC,simp)


1125 
apply clarsimp


1126 
(*b y EVERY'[datac cfield_defpl_is_class 2, Clarsimp_tac] 1; not useful here*)


1127 
apply (tactic "smp_tac 1 1")


1128 
apply (tactic "forward_hyp_tac 1")


1129 
apply (rule conjI, force split add: split_if simp add: fvar_def2)


1130 
apply (drule init_yields_initd, frule eval_gext')


1131 
apply clarsimp


1132 
apply (case_tac "C=Object")


1133 
apply clarsimp


1134 
apply (erule (9) FVar_lemma)


1135 


1136 
(* AVar *)


1137 
apply (tactic "forward_hyp_tac 1")


1138 
apply (erule_tac V = "G\<turnstile>Norm s0 \<midarrow>?e1\<succ>?a'\<rightarrow> (?x1 1, ?s1)" in thin_rl,


1139 
frule eval_gext')


1140 
apply (rule conjI)


1141 
apply (clarsimp simp add: avar_def2)


1142 
apply clarsimp


1143 
apply (erule (5) AVar_lemma)


1144 


1145 
(* Call *)


1146 
apply (tactic "forward_hyp_tac 1")


1147 
apply (rule Call_type_sound)


1148 
apply auto


1149 
done


1150 


1151 


1152 
declare fun_upd_apply [simp]


1153 
declare split_paired_All [simp] split_paired_Ex [simp]


1154 
declare split_if [split] split_if_asm [split]


1155 
option.split [split] option.split_asm [split]


1156 
ML_setup {*


1157 
simpset_ref() := simpset() addloop ("split_all_tac", split_all_tac);


1158 
claset_ref() := claset () addSbefore ("split_all_tac", split_all_tac)


1159 
*}


1160 


1161 
theorem eval_ts:


1162 
"\<lbrakk>G\<turnstile>s \<midarrow>e\<succ>v \<rightarrow> (x',s'); wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>T\<rbrakk>


1163 
\<Longrightarrow> (x',s')\<Colon>\<preceq>(G,L) \<and> (x'=None \<longrightarrow> G,s'\<turnstile>v\<Colon>\<preceq>T)"


1164 
apply (drule (3) eval_type_sound)


1165 
apply (unfold Let_def)


1166 
apply clarsimp


1167 
done


1168 


1169 
theorem evals_ts:


1170 
"\<lbrakk>G\<turnstile>s \<midarrow>es\<doteq>\<succ>vs\<rightarrow> (x',s'); wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>es\<Colon>\<doteq>Ts\<rbrakk>


1171 
\<Longrightarrow> (x',s')\<Colon>\<preceq>(G,L) \<and> (x'=None \<longrightarrow> list_all2 (conf G s') vs Ts)"


1172 
apply (drule (3) eval_type_sound)


1173 
apply (unfold Let_def)


1174 
apply clarsimp


1175 
done


1176 


1177 
theorem evar_ts:


1178 
"\<lbrakk>G\<turnstile>s \<midarrow>v=\<succ>vf\<rightarrow> (x',s'); wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>v\<Colon>=T\<rbrakk> \<Longrightarrow>


1179 
(x',s')\<Colon>\<preceq>(G,L) \<and> (x'=None \<longrightarrow> G,L,s'\<turnstile>In2 v\<succ>In2 vf\<Colon>\<preceq>Inl T)"


1180 
apply (drule (3) eval_type_sound)


1181 
apply (unfold Let_def)


1182 
apply clarsimp


1183 
done


1184 


1185 
theorem exec_ts:


1186 
"\<lbrakk>G\<turnstile>s \<midarrow>s0\<rightarrow> s'; wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>s0\<Colon>\<surd>\<rbrakk> \<Longrightarrow> s'\<Colon>\<preceq>(G,L)"


1187 
apply (drule (3) eval_type_sound)


1188 
apply (unfold Let_def)


1189 
apply clarsimp


1190 
done


1191 


1192 
(*


1193 
theorem dyn_methods_understood:


1194 
"\<And>s. \<lbrakk>wf_prog G; \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>{t,md,IntVir}e..mn({pTs'}ps)\<Colon>rT;


1195 
s\<Colon>\<preceq>(G,L); G\<turnstile>s \<midarrow>e\<succ>a'\<rightarrow> Norm s'; a' \<noteq> Null\<rbrakk> \<Longrightarrow>


1196 
\<exists>a obj. a'=Addr a \<and> heap s' a = Some obj \<and>


1197 
cmethd G (obj_class obj) (mn, pTs') \<noteq> None"


1198 
apply (erule wt_elim_cases)


1199 
apply (drule max_spec2mheads)


1200 
apply (drule (3) eval_ts)


1201 
apply (clarsimp split del: split_if split_if_asm)


1202 
apply (drule (2) DynT_propI)


1203 
apply (simp (no_asm_simp))


1204 
apply (tactic *) (* {* exhaust_cmethd_tac "the (cmethd G (target (invmode m e) s' a' md) (mn, pTs'))" 1 *} *)(*)


1205 
apply (drule (4) DynT_mheadsD [THEN conjunct1], rule HOL.refl)


1206 
apply (drule conf_RefTD)


1207 
apply clarsimp


1208 
done


1209 
*)


1210 


1211 
end
