src/HOL/Bali/TypeSafe.thy
author wenzelm
Mon Feb 25 20:48:14 2002 +0100 (2002-02-25)
changeset 12937 0c4fd7529467
parent 12925 99131847fb93
child 13337 f75dfc606ac7
permissions -rw-r--r--
clarified syntax of ``long'' statements: fixes/assumes/shows;
wenzelm@12857
     1
(*  Title:      HOL/Bali/TypeSafe.thy
schirmer@12854
     2
    ID:         $Id$
schirmer@12925
     3
    Author:     David von Oheimb and Norbert Schirmer
wenzelm@12858
     4
    License:    GPL (GNU GENERAL PUBLIC LICENSE)
schirmer@12854
     5
*)
schirmer@12854
     6
header {* The type soundness proof for Java *}
schirmer@12854
     7
schirmer@12925
     8
theory TypeSafe = Eval + WellForm + Conform:
schirmer@12854
     9
schirmer@12925
    10
section "error free"
schirmer@12925
    11
 
schirmer@12925
    12
lemma error_free_halloc:
wenzelm@12937
    13
  assumes halloc: "G\<turnstile>s0 \<midarrow>halloc oi\<succ>a\<rightarrow> s1" and
schirmer@12925
    14
          error_free_s0: "error_free s0"
wenzelm@12937
    15
  shows "error_free s1"
schirmer@12925
    16
proof -
schirmer@12925
    17
  from halloc error_free_s0
schirmer@12925
    18
  obtain abrupt0 store0 abrupt1 store1
schirmer@12925
    19
    where eqs: "s0=(abrupt0,store0)" "s1=(abrupt1,store1)" and
schirmer@12925
    20
          halloc': "G\<turnstile>(abrupt0,store0) \<midarrow>halloc oi\<succ>a\<rightarrow> (abrupt1,store1)" and
schirmer@12925
    21
          error_free_s0': "error_free (abrupt0,store0)"
schirmer@12925
    22
    by (cases s0,cases s1) auto
schirmer@12925
    23
  from halloc' error_free_s0'
schirmer@12925
    24
  have "error_free (abrupt1,store1)"
schirmer@12925
    25
  proof (induct)
schirmer@12925
    26
    case Abrupt 
schirmer@12925
    27
    then show ?case
schirmer@12925
    28
      .
schirmer@12925
    29
  next
schirmer@12925
    30
    case New
schirmer@12925
    31
    then show ?case
schirmer@12925
    32
      by (auto split: split_if_asm)
schirmer@12925
    33
  qed
schirmer@12925
    34
  with eqs 
schirmer@12925
    35
  show ?thesis
schirmer@12925
    36
    by simp
schirmer@12925
    37
qed
schirmer@12925
    38
schirmer@12925
    39
lemma error_free_sxalloc:
wenzelm@12937
    40
  assumes sxalloc: "G\<turnstile>s0 \<midarrow>sxalloc\<rightarrow> s1" and error_free_s0: "error_free s0"
wenzelm@12937
    41
  shows "error_free s1"
schirmer@12925
    42
proof -
schirmer@12925
    43
  from sxalloc error_free_s0
schirmer@12925
    44
  obtain abrupt0 store0 abrupt1 store1
schirmer@12925
    45
    where eqs: "s0=(abrupt0,store0)" "s1=(abrupt1,store1)" and
schirmer@12925
    46
          sxalloc': "G\<turnstile>(abrupt0,store0) \<midarrow>sxalloc\<rightarrow> (abrupt1,store1)" and
schirmer@12925
    47
          error_free_s0': "error_free (abrupt0,store0)"
schirmer@12925
    48
    by (cases s0,cases s1) auto
schirmer@12925
    49
  from sxalloc' error_free_s0'
schirmer@12925
    50
  have "error_free (abrupt1,store1)"
schirmer@12925
    51
  proof (induct)
schirmer@12925
    52
  qed (auto)
schirmer@12925
    53
  with eqs 
schirmer@12925
    54
  show ?thesis 
schirmer@12925
    55
    by simp
schirmer@12925
    56
qed
schirmer@12925
    57
schirmer@12925
    58
lemma error_free_check_field_access_eq:
schirmer@12925
    59
 "error_free (check_field_access G accC statDeclC fn stat a s)
schirmer@12925
    60
 \<Longrightarrow> (check_field_access G accC statDeclC fn stat a s) = s"
schirmer@12925
    61
apply (cases s)
schirmer@12925
    62
apply (auto simp add: check_field_access_def Let_def error_free_def 
schirmer@12925
    63
                      abrupt_if_def 
schirmer@12925
    64
            split: split_if_asm)
schirmer@12925
    65
done
schirmer@12925
    66
schirmer@12925
    67
lemma error_free_check_method_access_eq:
schirmer@12925
    68
"error_free (check_method_access G accC statT mode sig a' s)
schirmer@12925
    69
 \<Longrightarrow> (check_method_access G accC statT mode sig a' s) = s"
schirmer@12925
    70
apply (cases s)
schirmer@12925
    71
apply (auto simp add: check_method_access_def Let_def error_free_def 
schirmer@12925
    72
                      abrupt_if_def 
schirmer@12925
    73
            split: split_if_asm)
schirmer@12925
    74
done
schirmer@12925
    75
schirmer@12925
    76
lemma error_free_FVar_lemma: 
schirmer@12925
    77
     "error_free s 
schirmer@12925
    78
       \<Longrightarrow> error_free (abupd (if stat then id else np a) s)"
schirmer@12925
    79
  by (case_tac s) (auto split: split_if) 
schirmer@12925
    80
schirmer@12925
    81
lemma error_free_init_lvars [simp,intro]:
schirmer@12925
    82
"error_free s \<Longrightarrow> 
schirmer@12925
    83
  error_free (init_lvars G C sig mode a pvs s)"
schirmer@12925
    84
by (cases s) (auto simp add: init_lvars_def Let_def split: split_if)
schirmer@12925
    85
schirmer@12925
    86
lemma error_free_LVar_lemma:   
schirmer@12925
    87
"error_free s \<Longrightarrow> error_free (assign (\<lambda>v. supd lupd(vn\<mapsto>v)) w s)"
schirmer@12925
    88
by (cases s) simp
schirmer@12925
    89
schirmer@12925
    90
lemma error_free_throw [simp,intro]:
schirmer@12925
    91
  "error_free s \<Longrightarrow> error_free (abupd (throw x) s)"
schirmer@12925
    92
by (cases s) (simp add: throw_def)
schirmer@12925
    93
schirmer@12854
    94
schirmer@12854
    95
section "result conformance"
schirmer@12854
    96
schirmer@12854
    97
constdefs
schirmer@12854
    98
  assign_conforms :: "st \<Rightarrow> (val \<Rightarrow> state \<Rightarrow> state) \<Rightarrow> ty \<Rightarrow> env_ \<Rightarrow> bool"
schirmer@12854
    99
          ("_\<le>|_\<preceq>_\<Colon>\<preceq>_"                                        [71,71,71,71] 70)
schirmer@12925
   100
"s\<le>|f\<preceq>T\<Colon>\<preceq>E \<equiv>
schirmer@12925
   101
 (\<forall>s' w. Norm s'\<Colon>\<preceq>E \<longrightarrow> fst E,s'\<turnstile>w\<Colon>\<preceq>T \<longrightarrow> s\<le>|s' \<longrightarrow> assign f w (Norm s')\<Colon>\<preceq>E) \<and>
schirmer@12925
   102
 (\<forall>s' w. error_free s' \<longrightarrow> (error_free (assign f w s')))"      
schirmer@12854
   103
schirmer@12854
   104
  rconf :: "prog \<Rightarrow> lenv \<Rightarrow> st \<Rightarrow> term \<Rightarrow> vals \<Rightarrow> tys \<Rightarrow> bool"
schirmer@12854
   105
          ("_,_,_\<turnstile>_\<succ>_\<Colon>\<preceq>_"                               [71,71,71,71,71,71] 70)
schirmer@12854
   106
  "G,L,s\<turnstile>t\<succ>v\<Colon>\<preceq>T 
schirmer@12854
   107
    \<equiv> case T of
schirmer@12854
   108
        Inl T  \<Rightarrow> if (\<exists>vf. t=In2 vf)
schirmer@12854
   109
                  then G,s\<turnstile>fst (the_In2 v)\<Colon>\<preceq>T \<and> s\<le>|snd (the_In2 v)\<preceq>T\<Colon>\<preceq>(G,L)
schirmer@12854
   110
                  else G,s\<turnstile>the_In1 v\<Colon>\<preceq>T
schirmer@12854
   111
      | Inr Ts \<Rightarrow> list_all2 (conf G s) (the_In3 v) Ts"
schirmer@12854
   112
schirmer@12854
   113
lemma rconf_In1 [simp]: 
schirmer@12854
   114
 "G,L,s\<turnstile>In1 ec\<succ>In1 v \<Colon>\<preceq>Inl T  =  G,s\<turnstile>v\<Colon>\<preceq>T"
schirmer@12854
   115
apply (unfold rconf_def)
schirmer@12854
   116
apply (simp (no_asm))
schirmer@12854
   117
done
schirmer@12854
   118
schirmer@12854
   119
lemma rconf_In2 [simp]: 
schirmer@12854
   120
 "G,L,s\<turnstile>In2 va\<succ>In2 vf\<Colon>\<preceq>Inl T  = (G,s\<turnstile>fst vf\<Colon>\<preceq>T \<and> s\<le>|snd vf\<preceq>T\<Colon>\<preceq>(G,L))"
schirmer@12854
   121
apply (unfold rconf_def)
schirmer@12854
   122
apply (simp (no_asm))
schirmer@12854
   123
done
schirmer@12854
   124
schirmer@12854
   125
lemma rconf_In3 [simp]: 
schirmer@12854
   126
 "G,L,s\<turnstile>In3 es\<succ>In3 vs\<Colon>\<preceq>Inr Ts = list_all2 (\<lambda>v T. G,s\<turnstile>v\<Colon>\<preceq>T) vs Ts"
schirmer@12854
   127
apply (unfold rconf_def)
schirmer@12854
   128
apply (simp (no_asm))
schirmer@12854
   129
done
schirmer@12854
   130
schirmer@12854
   131
section "fits and conf"
schirmer@12854
   132
schirmer@12854
   133
(* unused *)
schirmer@12854
   134
lemma conf_fits: "G,s\<turnstile>v\<Colon>\<preceq>T \<Longrightarrow> G,s\<turnstile>v fits T"
schirmer@12854
   135
apply (unfold fits_def)
schirmer@12854
   136
apply clarify
schirmer@12854
   137
apply (erule swap, simp (no_asm_use))
schirmer@12854
   138
apply (drule conf_RefTD)
schirmer@12854
   139
apply auto
schirmer@12854
   140
done
schirmer@12854
   141
schirmer@12854
   142
lemma fits_conf: 
schirmer@12854
   143
  "\<lbrakk>G,s\<turnstile>v\<Colon>\<preceq>T; G\<turnstile>T\<preceq>? T'; G,s\<turnstile>v fits T'; ws_prog G\<rbrakk> \<Longrightarrow> G,s\<turnstile>v\<Colon>\<preceq>T'"
schirmer@12854
   144
apply (auto dest!: fitsD cast_PrimT2 cast_RefT2)
schirmer@12854
   145
apply (force dest: conf_RefTD intro: conf_AddrI)
schirmer@12854
   146
done
schirmer@12854
   147
schirmer@12854
   148
lemma fits_Array: 
schirmer@12854
   149
 "\<lbrakk>G,s\<turnstile>v\<Colon>\<preceq>T; G\<turnstile>T'.[]\<preceq>T.[]; G,s\<turnstile>v fits T'; ws_prog G\<rbrakk> \<Longrightarrow> G,s\<turnstile>v\<Colon>\<preceq>T'"
schirmer@12854
   150
apply (auto dest!: fitsD widen_ArrayPrimT widen_ArrayRefT)
schirmer@12854
   151
apply (force dest: conf_RefTD intro: conf_AddrI)
schirmer@12854
   152
done
schirmer@12854
   153
schirmer@12854
   154
schirmer@12854
   155
schirmer@12854
   156
section "gext"
schirmer@12854
   157
schirmer@12854
   158
lemma halloc_gext: "\<And>s1 s2. G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> s2 \<Longrightarrow> snd s1\<le>|snd s2"
schirmer@12854
   159
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
   160
apply (erule halloc.induct)
schirmer@12854
   161
apply  (auto dest!: new_AddrD)
schirmer@12854
   162
done
schirmer@12854
   163
schirmer@12854
   164
lemma sxalloc_gext: "\<And>s1 s2. G\<turnstile>s1 \<midarrow>sxalloc\<rightarrow> s2 \<Longrightarrow> snd s1\<le>|snd s2"
schirmer@12854
   165
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
   166
apply (erule sxalloc.induct)
schirmer@12854
   167
apply   (auto dest!: halloc_gext)
schirmer@12854
   168
done
schirmer@12854
   169
schirmer@12854
   170
lemma eval_gext_lemma [rule_format (no_asm)]: 
schirmer@12854
   171
 "G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (w,s') \<Longrightarrow> snd s\<le>|snd s' \<and> (case w of  
schirmer@12854
   172
    In1 v \<Rightarrow> True  
schirmer@12854
   173
  | In2 vf \<Rightarrow> normal s \<longrightarrow> (\<forall>v x s. s\<le>|snd (assign (snd vf) v (x,s)))  
schirmer@12854
   174
  | In3 vs \<Rightarrow> True)"
schirmer@12854
   175
apply (erule eval_induct)
schirmer@12854
   176
prefer 24 
schirmer@12854
   177
  apply (case_tac "inited C (globs s0)", clarsimp, erule thin_rl) (* Init *)
schirmer@12854
   178
apply (auto del: conjI  dest!: not_initedD gext_new sxalloc_gext halloc_gext
schirmer@12925
   179
 simp  add: lvar_def fvar_def2 avar_def2 init_lvars_def2 
schirmer@12925
   180
            check_field_access_def check_method_access_def Let_def
schirmer@12854
   181
 split del: split_if_asm split add: sum3.split)
schirmer@12854
   182
(* 6 subgoals *)
schirmer@12854
   183
apply force+
schirmer@12854
   184
done
schirmer@12854
   185
schirmer@12854
   186
lemma evar_gext_f: 
schirmer@12854
   187
  "G\<turnstile>Norm s1 \<midarrow>e=\<succ>vf \<rightarrow> s2 \<Longrightarrow> s\<le>|snd (assign (snd vf) v (x,s))"
schirmer@12854
   188
apply (drule eval_gext_lemma [THEN conjunct2])
schirmer@12854
   189
apply auto
schirmer@12854
   190
done
schirmer@12854
   191
schirmer@12854
   192
lemmas eval_gext = eval_gext_lemma [THEN conjunct1]
schirmer@12854
   193
schirmer@12854
   194
lemma eval_gext': "G\<turnstile>(x1,s1) \<midarrow>t\<succ>\<rightarrow> (w,x2,s2) \<Longrightarrow> s1\<le>|s2"
schirmer@12854
   195
apply (drule eval_gext)
schirmer@12854
   196
apply auto
schirmer@12854
   197
done
schirmer@12854
   198
schirmer@12854
   199
lemma init_yields_initd: "G\<turnstile>Norm s1 \<midarrow>Init C\<rightarrow> s2 \<Longrightarrow> initd C s2"
schirmer@12854
   200
apply (erule eval_cases , auto split del: split_if_asm)
schirmer@12854
   201
apply (case_tac "inited C (globs s1)")
schirmer@12854
   202
apply  (clarsimp split del: split_if_asm)+
schirmer@12854
   203
apply (drule eval_gext')+
schirmer@12854
   204
apply (drule init_class_obj_inited)
schirmer@12854
   205
apply (erule inited_gext)
schirmer@12854
   206
apply (simp (no_asm_use))
schirmer@12854
   207
done
schirmer@12854
   208
schirmer@12854
   209
schirmer@12854
   210
section "Lemmas"
schirmer@12854
   211
schirmer@12854
   212
lemma obj_ty_obj_class1: 
schirmer@12854
   213
 "\<lbrakk>wf_prog G; is_type G (obj_ty obj)\<rbrakk> \<Longrightarrow> is_class G (obj_class obj)"
schirmer@12854
   214
apply (case_tac "tag obj")
schirmer@12854
   215
apply (auto simp add: obj_ty_def obj_class_def)
schirmer@12854
   216
done
schirmer@12854
   217
schirmer@12854
   218
lemma oconf_init_obj: 
schirmer@12854
   219
 "\<lbrakk>wf_prog G;  
schirmer@12854
   220
 (case r of Heap a \<Rightarrow> is_type G (obj_ty obj) | Stat C \<Rightarrow> is_class G C)
schirmer@12854
   221
\<rbrakk> \<Longrightarrow> G,s\<turnstile>obj \<lparr>values:=init_vals (var_tys G (tag obj) r)\<rparr>\<Colon>\<preceq>\<surd>r"
schirmer@12854
   222
apply (auto intro!: oconf_init_obj_lemma unique_fields)
schirmer@12854
   223
done
schirmer@12854
   224
schirmer@12854
   225
(*
schirmer@12854
   226
lemma obj_split: "P obj = (\<forall> oi vs. obj = \<lparr>tag=oi,values=vs\<rparr> \<longrightarrow> ?P \<lparr>tag=oi,values=vs\<rparr>)"
schirmer@12854
   227
apply auto
schirmer@12854
   228
apply (case_tac "obj")
schirmer@12854
   229
apply auto
schirmer@12854
   230
*)
schirmer@12854
   231
schirmer@12854
   232
lemma conforms_newG: "\<lbrakk>globs s oref = None; (x, s)\<Colon>\<preceq>(G,L);   
schirmer@12854
   233
  wf_prog G; case oref of Heap a \<Rightarrow> is_type G (obj_ty \<lparr>tag=oi,values=vs\<rparr>)  
schirmer@12854
   234
                        | Stat C \<Rightarrow> is_class G C\<rbrakk> \<Longrightarrow>  
schirmer@12854
   235
  (x, init_obj G oi oref s)\<Colon>\<preceq>(G, L)"
schirmer@12854
   236
apply (unfold init_obj_def)
schirmer@12854
   237
apply (auto elim!: conforms_gupd dest!: oconf_init_obj 
schirmer@12854
   238
            simp add: obj.update_defs)
schirmer@12854
   239
done
schirmer@12854
   240
schirmer@12854
   241
lemma conforms_init_class_obj: 
schirmer@12854
   242
 "\<lbrakk>(x,s)\<Colon>\<preceq>(G, L); wf_prog G; class G C=Some y; \<not> inited C (globs s)\<rbrakk> \<Longrightarrow> 
schirmer@12854
   243
  (x,init_class_obj G C s)\<Colon>\<preceq>(G, L)"
schirmer@12854
   244
apply (rule not_initedD [THEN conforms_newG])
schirmer@12854
   245
apply    (auto)
schirmer@12854
   246
done
schirmer@12854
   247
schirmer@12854
   248
schirmer@12854
   249
lemma fst_init_lvars[simp]: 
schirmer@12854
   250
 "fst (init_lvars G C sig (invmode m e) a' pvs (x,s)) = 
schirmer@12925
   251
  (if is_static m then x else (np a') x)"
schirmer@12854
   252
apply (simp (no_asm) add: init_lvars_def2)
schirmer@12854
   253
done
schirmer@12854
   254
schirmer@12854
   255
schirmer@12854
   256
lemma halloc_conforms: "\<And>s1. \<lbrakk>G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> s2; wf_prog G; s1\<Colon>\<preceq>(G, L); 
schirmer@12854
   257
  is_type G (obj_ty \<lparr>tag=oi,values=fs\<rparr>)\<rbrakk> \<Longrightarrow> s2\<Colon>\<preceq>(G, L)"
schirmer@12854
   258
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
   259
apply (case_tac "aa")
schirmer@12854
   260
apply  (auto elim!: halloc_elim_cases dest!: new_AddrD 
schirmer@12854
   261
       intro!: conforms_newG [THEN conforms_xconf] conf_AddrI)
schirmer@12854
   262
done
schirmer@12854
   263
schirmer@12925
   264
lemma halloc_type_sound: 
schirmer@12925
   265
"\<And>s1. \<lbrakk>G\<turnstile>s1 \<midarrow>halloc oi\<succ>a\<rightarrow> (x,s); wf_prog G; s1\<Colon>\<preceq>(G, L);
schirmer@12854
   266
  T = obj_ty \<lparr>tag=oi,values=fs\<rparr>; is_type G T\<rbrakk> \<Longrightarrow>  
schirmer@12854
   267
  (x,s)\<Colon>\<preceq>(G, L) \<and> (x = None \<longrightarrow> G,s\<turnstile>Addr a\<Colon>\<preceq>T)"
schirmer@12854
   268
apply (auto elim!: halloc_conforms)
schirmer@12854
   269
apply (case_tac "aa")
schirmer@12854
   270
apply (subst obj_ty_eq)
schirmer@12854
   271
apply  (auto elim!: halloc_elim_cases dest!: new_AddrD intro!: conf_AddrI)
schirmer@12854
   272
done
schirmer@12854
   273
schirmer@12854
   274
lemma sxalloc_type_sound: 
schirmer@12854
   275
 "\<And>s1 s2. \<lbrakk>G\<turnstile>s1 \<midarrow>sxalloc\<rightarrow> s2; wf_prog G\<rbrakk> \<Longrightarrow> case fst s1 of  
schirmer@12854
   276
  None \<Rightarrow> s2 = s1 | Some x \<Rightarrow>  
schirmer@12854
   277
  (\<exists>a. fst s2 = Some(Xcpt (Loc a)) \<and> (\<forall>L. s1\<Colon>\<preceq>(G,L) \<longrightarrow> s2\<Colon>\<preceq>(G,L)))"
schirmer@12854
   278
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
   279
apply (erule sxalloc.induct)
schirmer@12854
   280
apply   auto
schirmer@12854
   281
apply (rule halloc_conforms [THEN conforms_xconf])
schirmer@12854
   282
apply     (auto elim!: halloc_elim_cases dest!: new_AddrD intro!: conf_AddrI)
schirmer@12854
   283
done
schirmer@12854
   284
schirmer@12854
   285
lemma wt_init_comp_ty: 
schirmer@12854
   286
"is_acc_type G (pid C) T \<Longrightarrow> \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>init_comp_ty T\<Colon>\<surd>"
schirmer@12854
   287
apply (unfold init_comp_ty_def)
schirmer@12854
   288
apply (clarsimp simp add: accessible_in_RefT_simp 
schirmer@12854
   289
                          is_acc_type_def is_acc_class_def)
schirmer@12854
   290
done
schirmer@12854
   291
schirmer@12854
   292
schirmer@12854
   293
declare fun_upd_same [simp]
schirmer@12854
   294
schirmer@12854
   295
declare fun_upd_apply [simp del]
schirmer@12854
   296
schirmer@12854
   297
schirmer@12854
   298
constdefs
schirmer@12854
   299
  DynT_prop::"[prog,inv_mode,qtname,ref_ty] \<Rightarrow> bool" 
schirmer@12854
   300
                                              ("_\<turnstile>_\<rightarrow>_\<preceq>_"[71,71,71,71]70)
schirmer@12854
   301
 "G\<turnstile>mode\<rightarrow>D\<preceq>t \<equiv> mode = IntVir \<longrightarrow> is_class G D \<and> 
schirmer@12854
   302
                     (if (\<exists>T. t=ArrayT T) then D=Object else G\<turnstile>Class D\<preceq>RefT t)"
schirmer@12854
   303
schirmer@12854
   304
lemma DynT_propI: 
schirmer@12854
   305
 "\<lbrakk>(x,s)\<Colon>\<preceq>(G, L); G,s\<turnstile>a'\<Colon>\<preceq>RefT statT; wf_prog G; mode = IntVir \<longrightarrow> a' \<noteq> Null\<rbrakk> 
schirmer@12854
   306
  \<Longrightarrow>  G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT"
schirmer@12854
   307
proof (unfold DynT_prop_def)
schirmer@12854
   308
  assume state_conform: "(x,s)\<Colon>\<preceq>(G, L)"
schirmer@12854
   309
     and      statT_a': "G,s\<turnstile>a'\<Colon>\<preceq>RefT statT"
schirmer@12854
   310
     and            wf: "wf_prog G"
schirmer@12854
   311
     and          mode: "mode = IntVir \<longrightarrow> a' \<noteq> Null"
schirmer@12854
   312
  let ?invCls = "(invocation_class mode s a' statT)"
schirmer@12854
   313
  let ?IntVir = "mode = IntVir"
schirmer@12854
   314
  let ?Concl  = "\<lambda>invCls. is_class G invCls \<and>
schirmer@12854
   315
                          (if \<exists>T. statT = ArrayT T
schirmer@12854
   316
                                  then invCls = Object
schirmer@12854
   317
                                  else G\<turnstile>Class invCls\<preceq>RefT statT)"
schirmer@12854
   318
  show "?IntVir \<longrightarrow> ?Concl ?invCls"
schirmer@12854
   319
  proof  
schirmer@12854
   320
    assume modeIntVir: ?IntVir 
schirmer@12854
   321
    with mode have not_Null: "a' \<noteq> Null" ..
schirmer@12854
   322
    from statT_a' not_Null state_conform 
schirmer@12854
   323
    obtain a obj 
schirmer@12854
   324
      where obj_props:  "a' = Addr a" "globs s (Inl a) = Some obj"   
schirmer@12854
   325
                        "G\<turnstile>obj_ty obj\<preceq>RefT statT" "is_type G (obj_ty obj)"
schirmer@12854
   326
      by (blast dest: conforms_RefTD)
schirmer@12854
   327
    show "?Concl ?invCls"
schirmer@12854
   328
    proof (cases "tag obj")
schirmer@12854
   329
      case CInst
schirmer@12854
   330
      with modeIntVir obj_props
schirmer@12854
   331
      show ?thesis 
schirmer@12854
   332
	by (auto dest!: widen_Array2 split add: split_if)
schirmer@12854
   333
    next
schirmer@12854
   334
      case Arr
schirmer@12854
   335
      from Arr obtain T where "obj_ty obj = T.[]" by (blast dest: obj_ty_Arr1)
schirmer@12854
   336
      moreover from Arr have "obj_class obj = Object" 
schirmer@12854
   337
	by (blast dest: obj_class_Arr1)
schirmer@12854
   338
      moreover note modeIntVir obj_props wf 
schirmer@12854
   339
      ultimately show ?thesis by (auto dest!: widen_Array )
schirmer@12854
   340
    qed
schirmer@12854
   341
  qed
schirmer@12854
   342
qed
schirmer@12854
   343
schirmer@12854
   344
lemma invocation_methd:
schirmer@12854
   345
"\<lbrakk>wf_prog G; statT \<noteq> NullT; 
schirmer@12854
   346
 (\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC);
schirmer@12854
   347
 (\<forall>     I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> mode \<noteq> SuperM);
schirmer@12854
   348
 (\<forall>     T. statT = ArrayT T \<longrightarrow> mode \<noteq> SuperM);
schirmer@12854
   349
 G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT;  
schirmer@12854
   350
 dynlookup G statT (invocation_class mode s a' statT) sig = Some m \<rbrakk> 
schirmer@12854
   351
\<Longrightarrow> methd G (invocation_declclass G mode s a' statT sig) sig = Some m"
schirmer@12854
   352
proof -
schirmer@12854
   353
  assume         wf: "wf_prog G"
schirmer@12854
   354
     and  not_NullT: "statT \<noteq> NullT"
schirmer@12854
   355
     and statC_prop: "(\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC)"
schirmer@12854
   356
     and statI_prop: "(\<forall> I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> mode \<noteq> SuperM)"
schirmer@12854
   357
     and statA_prop: "(\<forall>     T. statT = ArrayT T \<longrightarrow> mode \<noteq> SuperM)"
schirmer@12854
   358
     and  invC_prop: "G\<turnstile>mode\<rightarrow>invocation_class mode s a' statT\<preceq>statT"
schirmer@12854
   359
     and  dynlookup: "dynlookup G statT (invocation_class mode s a' statT) sig 
schirmer@12854
   360
                      = Some m"
schirmer@12854
   361
  show ?thesis
schirmer@12854
   362
  proof (cases statT)
schirmer@12854
   363
    case NullT
schirmer@12854
   364
    with not_NullT show ?thesis by simp
schirmer@12854
   365
  next
schirmer@12854
   366
    case IfaceT
schirmer@12854
   367
    with statI_prop obtain I 
schirmer@12854
   368
      where    statI: "statT = IfaceT I" and 
schirmer@12854
   369
            is_iface: "is_iface G I"     and
schirmer@12854
   370
          not_SuperM: "mode \<noteq> SuperM" by blast            
schirmer@12854
   371
    
schirmer@12854
   372
    show ?thesis 
schirmer@12854
   373
    proof (cases mode)
schirmer@12854
   374
      case Static
schirmer@12854
   375
      with wf dynlookup statI is_iface 
schirmer@12854
   376
      show ?thesis
schirmer@12854
   377
	by (auto simp add: invocation_declclass_def dynlookup_def 
schirmer@12854
   378
                           dynimethd_def dynmethd_C_C 
schirmer@12854
   379
	            intro: dynmethd_declclass
schirmer@12854
   380
	            dest!: wf_imethdsD
schirmer@12854
   381
                     dest: table_of_map_SomeI
schirmer@12854
   382
                    split: split_if_asm)
schirmer@12854
   383
    next	
schirmer@12854
   384
      case SuperM
schirmer@12854
   385
      with not_SuperM show ?thesis ..
schirmer@12854
   386
    next
schirmer@12854
   387
      case IntVir
schirmer@12854
   388
      with wf dynlookup IfaceT invC_prop show ?thesis 
schirmer@12854
   389
	by (auto simp add: invocation_declclass_def dynlookup_def dynimethd_def
schirmer@12854
   390
                           DynT_prop_def
schirmer@12854
   391
	            intro: methd_declclass dynmethd_declclass
schirmer@12854
   392
	            split: split_if_asm)
schirmer@12854
   393
    qed
schirmer@12854
   394
  next
schirmer@12854
   395
    case ClassT
schirmer@12854
   396
    show ?thesis
schirmer@12854
   397
    proof (cases mode)
schirmer@12854
   398
      case Static
schirmer@12854
   399
      with wf ClassT dynlookup statC_prop 
schirmer@12854
   400
      show ?thesis by (auto simp add: invocation_declclass_def dynlookup_def
schirmer@12854
   401
                               intro: dynmethd_declclass)
schirmer@12854
   402
    next
schirmer@12854
   403
      case SuperM
schirmer@12854
   404
      with wf ClassT dynlookup statC_prop 
schirmer@12854
   405
      show ?thesis by (auto simp add: invocation_declclass_def dynlookup_def
schirmer@12854
   406
                               intro: dynmethd_declclass)
schirmer@12854
   407
    next
schirmer@12854
   408
      case IntVir
schirmer@12854
   409
      with wf ClassT dynlookup statC_prop invC_prop 
schirmer@12854
   410
      show ?thesis
schirmer@12854
   411
	by (auto simp add: invocation_declclass_def dynlookup_def dynimethd_def
schirmer@12854
   412
                           DynT_prop_def
schirmer@12854
   413
	            intro: dynmethd_declclass)
schirmer@12854
   414
    qed
schirmer@12854
   415
  next
schirmer@12854
   416
    case ArrayT
schirmer@12854
   417
    show ?thesis
schirmer@12854
   418
    proof (cases mode)
schirmer@12854
   419
      case Static
schirmer@12854
   420
      with wf ArrayT dynlookup show ?thesis
schirmer@12854
   421
	by (auto simp add: invocation_declclass_def dynlookup_def 
schirmer@12854
   422
                           dynimethd_def dynmethd_C_C
schirmer@12854
   423
                    intro: dynmethd_declclass
schirmer@12854
   424
                     dest: table_of_map_SomeI)
schirmer@12854
   425
    next
schirmer@12854
   426
      case SuperM
schirmer@12854
   427
      with ArrayT statA_prop show ?thesis by blast
schirmer@12854
   428
    next
schirmer@12854
   429
      case IntVir
schirmer@12854
   430
      with wf ArrayT dynlookup invC_prop show ?thesis
schirmer@12854
   431
	by (auto simp add: invocation_declclass_def dynlookup_def dynimethd_def
schirmer@12854
   432
                           DynT_prop_def dynmethd_C_C
schirmer@12854
   433
                    intro: dynmethd_declclass
schirmer@12854
   434
                     dest: table_of_map_SomeI)
schirmer@12854
   435
    qed
schirmer@12854
   436
  qed
schirmer@12854
   437
qed
schirmer@12925
   438
schirmer@12854
   439
lemma DynT_mheadsD: 
schirmer@12925
   440
"\<lbrakk>G\<turnstile>invmode sm e\<rightarrow>invC\<preceq>statT; 
schirmer@12854
   441
  wf_prog G; \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT; 
schirmer@12925
   442
  (statDeclT,sm) \<in> mheads G C statT sig; 
schirmer@12925
   443
  invC = invocation_class (invmode sm e) s a' statT;
schirmer@12925
   444
  declC =invocation_declclass G (invmode sm e) s a' statT sig
schirmer@12854
   445
 \<rbrakk> \<Longrightarrow> 
schirmer@12854
   446
  \<exists> dm. 
schirmer@12925
   447
  methd G declC sig = Some dm \<and> dynlookup G statT invC sig = Some dm  \<and> 
schirmer@12925
   448
  G\<turnstile>resTy (mthd dm)\<preceq>resTy sm \<and> 
schirmer@12854
   449
  wf_mdecl G declC (sig, mthd dm) \<and>
schirmer@12854
   450
  declC = declclass dm \<and>
schirmer@12854
   451
  is_static dm = is_static sm \<and>  
schirmer@12854
   452
  is_class G invC \<and> is_class G declC  \<and> G\<turnstile>invC\<preceq>\<^sub>C declC \<and>  
schirmer@12925
   453
  (if invmode sm e = IntVir
schirmer@12854
   454
      then (\<forall> statC. statT=ClassT statC \<longrightarrow> G\<turnstile>invC \<preceq>\<^sub>C statC)
schirmer@12854
   455
      else (  (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)
schirmer@12854
   456
            \<or> (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object)) \<and> 
schirmer@12925
   457
            statDeclT = ClassT (declclass dm))"
schirmer@12854
   458
proof -
schirmer@12925
   459
  assume invC_prop: "G\<turnstile>invmode sm e\<rightarrow>invC\<preceq>statT" 
schirmer@12854
   460
     and        wf: "wf_prog G" 
schirmer@12854
   461
     and      wt_e: "\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT"
schirmer@12925
   462
     and        sm: "(statDeclT,sm) \<in> mheads G C statT sig" 
schirmer@12925
   463
     and      invC: "invC = invocation_class (invmode sm e) s a' statT"
schirmer@12854
   464
     and     declC: "declC = 
schirmer@12925
   465
                    invocation_declclass G (invmode sm e) s a' statT sig"
schirmer@12854
   466
  from wt_e wf have type_statT: "is_type G (RefT statT)"
schirmer@12854
   467
    by (auto dest: ty_expr_is_type)
schirmer@12854
   468
  from sm have not_Null: "statT \<noteq> NullT" by auto
schirmer@12854
   469
  from type_statT 
schirmer@12854
   470
  have wf_C: "(\<forall> statC. statT = ClassT statC \<longrightarrow> is_class G statC)"
schirmer@12854
   471
    by (auto)
schirmer@12854
   472
  from type_statT wt_e 
schirmer@12854
   473
  have wf_I: "(\<forall>I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> 
schirmer@12925
   474
                                        invmode sm e \<noteq> SuperM)"
schirmer@12854
   475
    by (auto dest: invocationTypeExpr_noClassD)
schirmer@12854
   476
  from wt_e
schirmer@12925
   477
  have wf_A: "(\<forall>     T. statT = ArrayT T \<longrightarrow> invmode sm e \<noteq> SuperM)"
schirmer@12854
   478
    by (auto dest: invocationTypeExpr_noClassD)
schirmer@12854
   479
  show ?thesis
schirmer@12925
   480
  proof (cases "invmode sm e = IntVir")
schirmer@12854
   481
    case True
schirmer@12854
   482
    with invC_prop not_Null
schirmer@12854
   483
    have invC_prop': " is_class G invC \<and> 
schirmer@12854
   484
                      (if (\<exists>T. statT=ArrayT T) then invC=Object 
schirmer@12854
   485
                                              else G\<turnstile>Class invC\<preceq>RefT statT)"
schirmer@12854
   486
      by (auto simp add: DynT_prop_def) 
schirmer@12854
   487
    from True 
schirmer@12854
   488
    have "\<not> is_static sm"
schirmer@12925
   489
      by (simp add: invmode_IntVir_eq member_is_static_simp)
schirmer@12854
   490
    with invC_prop' not_Null
schirmer@12854
   491
    have "G,statT \<turnstile> invC valid_lookup_cls_for (is_static sm)"
schirmer@12854
   492
      by (cases statT) auto
schirmer@12854
   493
    with sm wf type_statT obtain dm where
schirmer@12854
   494
           dm: "dynlookup G statT invC sig = Some dm" and
schirmer@12925
   495
      resT_dm: "G\<turnstile>resTy (mthd dm)\<preceq>resTy sm"      and
schirmer@12854
   496
       static: "is_static dm = is_static sm"
schirmer@12925
   497
      by  - (drule dynamic_mheadsD,force+)
schirmer@12854
   498
    with declC invC not_Null 
schirmer@12854
   499
    have declC': "declC = (declclass dm)" 
schirmer@12854
   500
      by (auto simp add: invocation_declclass_def)
schirmer@12854
   501
    with wf invC declC not_Null wf_C wf_I wf_A invC_prop dm 
schirmer@12854
   502
    have dm': "methd G declC sig = Some dm"
schirmer@12854
   503
      by - (drule invocation_methd,auto)
schirmer@12854
   504
    from wf dm invC_prop' declC' type_statT 
schirmer@12854
   505
    have declC_prop: "G\<turnstile>invC \<preceq>\<^sub>C declC \<and> is_class G declC"
schirmer@12854
   506
      by (auto dest: dynlookup_declC)
schirmer@12854
   507
    from wf dm' declC_prop declC' 
schirmer@12854
   508
    have wf_dm: "wf_mdecl G declC (sig,(mthd dm))"
schirmer@12854
   509
      by (auto dest: methd_wf_mdecl)
schirmer@12854
   510
    from invC_prop' 
schirmer@12854
   511
    have statC_prop: "(\<forall> statC. statT=ClassT statC \<longrightarrow> G\<turnstile>invC \<preceq>\<^sub>C statC)"
schirmer@12854
   512
      by auto
schirmer@12854
   513
    from True dm' resT_dm wf_dm invC_prop' declC_prop statC_prop declC' static
schirmer@12925
   514
         dm
schirmer@12854
   515
    show ?thesis by auto
schirmer@12854
   516
  next
schirmer@12854
   517
    case False
schirmer@12854
   518
    with type_statT wf invC not_Null wf_I wf_A
schirmer@12854
   519
    have invC_prop': "is_class G invC \<and>  
schirmer@12854
   520
                     ((\<exists> statC. statT=ClassT statC \<and> invC=statC) \<or>
schirmer@12925
   521
                      (\<forall> statC. statT\<noteq>ClassT statC \<and> invC=Object))"
schirmer@12854
   522
        by (case_tac "statT") (auto simp add: invocation_class_def 
schirmer@12854
   523
                                       split: inv_mode.splits)
schirmer@12854
   524
    with not_Null wf
schirmer@12854
   525
    have dynlookup_static: "dynlookup G statT invC sig = methd G invC sig"
schirmer@12854
   526
      by (case_tac "statT") (auto simp add: dynlookup_def dynmethd_C_C
schirmer@12854
   527
                                            dynimethd_def)
schirmer@12854
   528
    from sm wf wt_e not_Null False invC_prop' obtain "dm" where
schirmer@12854
   529
                    dm: "methd G invC sig = Some dm"          and
schirmer@12925
   530
	eq_declC_sm_dm:"statDeclT = ClassT (declclass dm)"  and
schirmer@12925
   531
	     eq_mheads:"sm=mhead (mthd dm) "
schirmer@12925
   532
      by - (drule static_mheadsD, (force dest: accmethd_SomeD)+)
schirmer@12925
   533
    then have static: "is_static dm = is_static sm" by - (auto)
schirmer@12854
   534
    with declC invC dynlookup_static dm
schirmer@12854
   535
    have declC': "declC = (declclass dm)"  
schirmer@12854
   536
      by (auto simp add: invocation_declclass_def)
schirmer@12854
   537
    from invC_prop' wf declC' dm 
schirmer@12854
   538
    have dm': "methd G declC sig = Some dm"
schirmer@12854
   539
      by (auto intro: methd_declclass)
schirmer@12925
   540
    from dynlookup_static dm 
schirmer@12925
   541
    have dm'': "dynlookup G statT invC sig = Some dm"
schirmer@12925
   542
      by simp
schirmer@12854
   543
    from wf dm invC_prop' declC' type_statT 
schirmer@12854
   544
    have declC_prop: "G\<turnstile>invC \<preceq>\<^sub>C declC \<and> is_class G declC"
schirmer@12854
   545
      by (auto dest: methd_declC )
schirmer@12854
   546
    then have declC_prop1: "invC=Object \<longrightarrow> declC=Object"  by auto
schirmer@12854
   547
    from wf dm' declC_prop declC' 
schirmer@12854
   548
    have wf_dm: "wf_mdecl G declC (sig,(mthd dm))"
schirmer@12854
   549
      by (auto dest: methd_wf_mdecl)
schirmer@12854
   550
    from invC_prop' declC_prop declC_prop1
schirmer@12854
   551
    have statC_prop: "(   (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)
schirmer@12854
   552
                       \<or>  (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object))" 
schirmer@12854
   553
      by auto
schirmer@12925
   554
    from False dm' dm'' wf_dm invC_prop' declC_prop statC_prop declC' 
schirmer@12854
   555
         eq_declC_sm_dm eq_mheads static
schirmer@12854
   556
    show ?thesis by auto
schirmer@12854
   557
  qed
schirmer@12925
   558
qed   
schirmer@12854
   559
schirmer@12854
   560
lemma DynT_conf: "\<lbrakk>G\<turnstile>invocation_class mode s a' statT \<preceq>\<^sub>C declC; wf_prog G;
schirmer@12854
   561
 isrtype G (statT);
schirmer@12854
   562
 G,s\<turnstile>a'\<Colon>\<preceq>RefT statT; mode = IntVir \<longrightarrow> a' \<noteq> Null;  
schirmer@12854
   563
  mode \<noteq> IntVir \<longrightarrow>    (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)
schirmer@12854
   564
                    \<or>  (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object)\<rbrakk> 
schirmer@12854
   565
 \<Longrightarrow>G,s\<turnstile>a'\<Colon>\<preceq> Class declC"
schirmer@12854
   566
apply (case_tac "mode = IntVir")
schirmer@12854
   567
apply (drule conf_RefTD)
schirmer@12854
   568
apply (force intro!: conf_AddrI 
schirmer@12854
   569
            simp add: obj_class_def split add: obj_tag.split_asm)
schirmer@12854
   570
apply  clarsimp
schirmer@12854
   571
apply  safe
schirmer@12854
   572
apply    (erule (1) widen.subcls [THEN conf_widen])
schirmer@12854
   573
apply    (erule wf_ws_prog)
schirmer@12854
   574
schirmer@12854
   575
apply    (frule widen_Object) apply (erule wf_ws_prog)
schirmer@12854
   576
apply    (erule (1) conf_widen) apply (erule wf_ws_prog)
schirmer@12854
   577
done
schirmer@12854
   578
schirmer@12925
   579
lemma Ass_lemma:
schirmer@12925
   580
"\<lbrakk> G\<turnstile>Norm s0 \<midarrow>var=\<succ>(w, f)\<rightarrow> Norm s1; G\<turnstile>Norm s1 \<midarrow>e-\<succ>v\<rightarrow> Norm s2;
schirmer@12925
   581
   G,s2\<turnstile>v\<Colon>\<preceq>eT;s1\<le>|s2 \<longrightarrow> assign f v (Norm s2)\<Colon>\<preceq>(G, L)\<rbrakk>
schirmer@12925
   582
\<Longrightarrow> assign f v (Norm s2)\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
   583
      (normal (assign f v (Norm s2)) \<longrightarrow> G,store (assign f v (Norm s2))\<turnstile>v\<Colon>\<preceq>eT)"
schirmer@12854
   584
apply (drule_tac x = "None" and s = "s2" and v = "v" in evar_gext_f)
schirmer@12854
   585
apply (drule eval_gext', clarsimp)
schirmer@12854
   586
apply (erule conf_gext)
schirmer@12854
   587
apply simp
schirmer@12854
   588
done
schirmer@12854
   589
schirmer@12854
   590
lemma Throw_lemma: "\<lbrakk>G\<turnstile>tn\<preceq>\<^sub>C SXcpt Throwable; wf_prog G; (x1,s1)\<Colon>\<preceq>(G, L);  
schirmer@12854
   591
    x1 = None \<longrightarrow> G,s1\<turnstile>a'\<Colon>\<preceq> Class tn\<rbrakk> \<Longrightarrow> (throw a' x1, s1)\<Colon>\<preceq>(G, L)"
schirmer@12854
   592
apply (auto split add: split_abrupt_if simp add: throw_def2)
schirmer@12854
   593
apply (erule conforms_xconf)
schirmer@12854
   594
apply (frule conf_RefTD)
schirmer@12854
   595
apply (auto elim: widen.subcls [THEN conf_widen])
schirmer@12854
   596
done
schirmer@12854
   597
schirmer@12854
   598
lemma Try_lemma: "\<lbrakk>G\<turnstile>obj_ty (the (globs s1' (Heap a)))\<preceq> Class tn; 
schirmer@12854
   599
 (Some (Xcpt (Loc a)), s1')\<Colon>\<preceq>(G, L); wf_prog G\<rbrakk> 
schirmer@12854
   600
 \<Longrightarrow> Norm (lupd(vn\<mapsto>Addr a) s1')\<Colon>\<preceq>(G, L(vn\<mapsto>Class tn))"
schirmer@12854
   601
apply (rule conforms_allocL)
schirmer@12854
   602
apply  (erule conforms_NormI)
schirmer@12854
   603
apply (drule conforms_XcptLocD [THEN conf_RefTD],rule HOL.refl)
schirmer@12854
   604
apply (auto intro!: conf_AddrI)
schirmer@12854
   605
done
schirmer@12854
   606
schirmer@12854
   607
lemma Fin_lemma: 
schirmer@12854
   608
"\<lbrakk>G\<turnstile>Norm s1 \<midarrow>c2\<rightarrow> (x2,s2); wf_prog G; (Some a, s1)\<Colon>\<preceq>(G, L); (x2,s2)\<Colon>\<preceq>(G, L)\<rbrakk> 
schirmer@12854
   609
\<Longrightarrow>  (abrupt_if True (Some a) x2, s2)\<Colon>\<preceq>(G, L)"
schirmer@12854
   610
apply (force elim: eval_gext' conforms_xgext split add: split_abrupt_if)
schirmer@12854
   611
done
schirmer@12854
   612
schirmer@12925
   613
lemma FVar_lemma1: 
schirmer@12925
   614
"\<lbrakk>table_of (DeclConcepts.fields G statC) (fn, statDeclC) = Some f ; 
schirmer@12925
   615
  x2 = None \<longrightarrow> G,s2\<turnstile>a\<Colon>\<preceq> Class statC; wf_prog G; G\<turnstile>statC\<preceq>\<^sub>C statDeclC; 
schirmer@12925
   616
  statDeclC \<noteq> Object; 
schirmer@12925
   617
  class G statDeclC = Some y; (x2,s2)\<Colon>\<preceq>(G, L); s1\<le>|s2; 
schirmer@12925
   618
  inited statDeclC (globs s1); 
schirmer@12854
   619
  (if static f then id else np a) x2 = None\<rbrakk> 
schirmer@12854
   620
 \<Longrightarrow>  
schirmer@12925
   621
  \<exists>obj. globs s2 (if static f then Inr statDeclC else Inl (the_Addr a)) 
schirmer@12925
   622
                  = Some obj \<and> 
schirmer@12925
   623
  var_tys G (tag obj)  (if static f then Inr statDeclC else Inl(the_Addr a)) 
schirmer@12925
   624
          (Inl(fn,statDeclC)) = Some (type f)"
schirmer@12854
   625
apply (drule initedD)
schirmer@12854
   626
apply (frule subcls_is_class2, simp (no_asm_simp))
schirmer@12854
   627
apply (case_tac "static f")
schirmer@12854
   628
apply  clarsimp
schirmer@12854
   629
apply  (drule (1) rev_gext_objD, clarsimp)
schirmer@12854
   630
apply  (frule fields_declC, erule wf_ws_prog, simp (no_asm_simp))
schirmer@12854
   631
apply  (rule var_tys_Some_eq [THEN iffD2])
schirmer@12854
   632
apply  clarsimp
schirmer@12854
   633
apply  (erule fields_table_SomeI, simp (no_asm))
schirmer@12854
   634
apply clarsimp
schirmer@12854
   635
apply (drule conf_RefTD, clarsimp, rule var_tys_Some_eq [THEN iffD2])
schirmer@12854
   636
apply (auto dest!: widen_Array split add: obj_tag.split)
schirmer@12854
   637
apply (rotate_tac -1) (* to front: tag obja = CInst pid_field_type to enable
schirmer@12854
   638
                         conditional rewrite *)
schirmer@12854
   639
apply (rule fields_table_SomeI)
schirmer@12854
   640
apply (auto elim!: fields_mono subcls_is_class2)
schirmer@12854
   641
done
schirmer@12854
   642
schirmer@12925
   643
lemma FVar_lemma2: "error_free state
schirmer@12925
   644
       \<Longrightarrow> error_free
schirmer@12925
   645
           (assign
schirmer@12925
   646
             (\<lambda>v. supd
schirmer@12925
   647
                   (upd_gobj
schirmer@12925
   648
                     (if static field then Inr statDeclC
schirmer@12925
   649
                      else Inl (the_Addr a))
schirmer@12925
   650
                     (Inl (fn, statDeclC)) v))
schirmer@12925
   651
             w state)"
schirmer@12925
   652
proof -
schirmer@12925
   653
  assume error_free: "error_free state"
schirmer@12925
   654
  obtain a s where "state=(a,s)"
schirmer@12925
   655
    by (cases state) simp
schirmer@12925
   656
  with error_free
schirmer@12925
   657
  show ?thesis
schirmer@12925
   658
    by (cases a) auto
schirmer@12925
   659
qed
schirmer@12925
   660
schirmer@12925
   661
declare split_paired_All [simp del] split_paired_Ex [simp del] 
schirmer@12925
   662
declare split_if     [split del] split_if_asm     [split del] 
schirmer@12925
   663
        option.split [split del] option.split_asm [split del]
schirmer@12925
   664
ML_setup {*
schirmer@12925
   665
simpset_ref() := simpset() delloop "split_all_tac";
schirmer@12925
   666
claset_ref () := claset () delSWrapper "split_all_tac"
schirmer@12925
   667
*}
schirmer@12854
   668
lemma FVar_lemma: 
schirmer@12925
   669
"\<lbrakk>((v, f), Norm s2') = fvar statDeclC (static field) fn a (x2, s2); 
schirmer@12925
   670
  G\<turnstile>statC\<preceq>\<^sub>C statDeclC;  
schirmer@12925
   671
  table_of (DeclConcepts.fields G statC) (fn, statDeclC) = Some field; 
schirmer@12925
   672
  wf_prog G;   
schirmer@12925
   673
  x2 = None \<longrightarrow> G,s2\<turnstile>a\<Colon>\<preceq>Class statC; 
schirmer@12925
   674
  statDeclC \<noteq> Object; class G statDeclC = Some y;   
schirmer@12925
   675
  (x2, s2)\<Colon>\<preceq>(G, L); s1\<le>|s2; inited statDeclC (globs s1)\<rbrakk> \<Longrightarrow>  
schirmer@12854
   676
  G,s2'\<turnstile>v\<Colon>\<preceq>type field \<and> s2'\<le>|f\<preceq>type field\<Colon>\<preceq>(G, L)"
schirmer@12854
   677
apply (unfold assign_conforms_def)
schirmer@12854
   678
apply (drule sym)
schirmer@12854
   679
apply (clarsimp simp add: fvar_def2)
schirmer@12854
   680
apply (drule (9) FVar_lemma1)
schirmer@12854
   681
apply (clarsimp)
schirmer@12854
   682
apply (drule (2) conforms_globsD [THEN oconf_lconf, THEN lconfD])
schirmer@12854
   683
apply clarsimp
schirmer@12925
   684
apply (rule conjI)
schirmer@12925
   685
apply   clarsimp
schirmer@12925
   686
apply   (drule (1) rev_gext_objD)
schirmer@12925
   687
apply   (force elim!: conforms_upd_gobj)
schirmer@12925
   688
schirmer@12925
   689
apply   (blast intro: FVar_lemma2)
schirmer@12854
   690
done
schirmer@12925
   691
declare split_paired_All [simp] split_paired_Ex [simp] 
schirmer@12925
   692
declare split_if     [split] split_if_asm     [split] 
schirmer@12925
   693
        option.split [split] option.split_asm [split]
schirmer@12925
   694
ML_setup {*
schirmer@12925
   695
claset_ref()  := claset() addSbefore ("split_all_tac", split_all_tac);
schirmer@12925
   696
simpset_ref() := simpset() addloop ("split_all_tac", split_all_tac)
schirmer@12925
   697
*}
schirmer@12854
   698
schirmer@12854
   699
schirmer@12854
   700
lemma AVar_lemma1: "\<lbrakk>globs s (Inl a) = Some obj;tag obj=Arr ty i; 
schirmer@12854
   701
 the_Intg i' in_bounds i; wf_prog G; G\<turnstile>ty.[]\<preceq>Tb.[]; Norm s\<Colon>\<preceq>(G, L)
schirmer@12854
   702
\<rbrakk> \<Longrightarrow> G,s\<turnstile>the ((values obj) (Inr (the_Intg i')))\<Colon>\<preceq>Tb"
schirmer@12854
   703
apply (erule widen_Array_Array [THEN conf_widen])
schirmer@12854
   704
apply  (erule_tac [2] wf_ws_prog)
schirmer@12854
   705
apply (drule (1) conforms_globsD [THEN oconf_lconf, THEN lconfD])
schirmer@12854
   706
defer apply assumption
schirmer@12854
   707
apply (force intro: var_tys_Some_eq [THEN iffD2])
schirmer@12854
   708
done
schirmer@12854
   709
schirmer@12854
   710
lemma obj_split: "\<And> obj. \<exists> t vs. obj = \<lparr>tag=t,values=vs\<rparr>"
schirmer@12854
   711
proof record_split
schirmer@12854
   712
  fix tag values more
schirmer@12854
   713
  show "\<exists>t vs. \<lparr>tag = tag, values = values, \<dots> = more\<rparr> = \<lparr>tag = t, values = vs\<rparr>"
schirmer@12854
   714
    by auto
schirmer@12854
   715
qed
schirmer@12854
   716
 
schirmer@12925
   717
lemma AVar_lemma2: "error_free state 
schirmer@12925
   718
       \<Longrightarrow> error_free
schirmer@12925
   719
           (assign
schirmer@12925
   720
             (\<lambda>v (x, s').
schirmer@12925
   721
                 ((raise_if (\<not> G,s'\<turnstile>v fits T) ArrStore) x,
schirmer@12925
   722
                  upd_gobj (Inl a) (Inr (the_Intg i)) v s'))
schirmer@12925
   723
             w state)"
schirmer@12925
   724
proof -
schirmer@12925
   725
  assume error_free: "error_free state"
schirmer@12925
   726
  obtain a s where "state=(a,s)"
schirmer@12925
   727
    by (cases state) simp
schirmer@12925
   728
  with error_free
schirmer@12925
   729
  show ?thesis
schirmer@12925
   730
    by (cases a) auto
schirmer@12925
   731
qed
schirmer@12925
   732
schirmer@12854
   733
lemma AVar_lemma: "\<lbrakk>wf_prog G; G\<turnstile>(x1, s1) \<midarrow>e2-\<succ>i\<rightarrow> (x2, s2);  
schirmer@12854
   734
  ((v,f), Norm s2') = avar G i a (x2, s2); x1 = None \<longrightarrow> G,s1\<turnstile>a\<Colon>\<preceq>Ta.[];  
schirmer@12854
   735
  (x2, s2)\<Colon>\<preceq>(G, L); s1\<le>|s2\<rbrakk> \<Longrightarrow> G,s2'\<turnstile>v\<Colon>\<preceq>Ta \<and> s2'\<le>|f\<preceq>Ta\<Colon>\<preceq>(G, L)"
schirmer@12854
   736
apply (unfold assign_conforms_def)
schirmer@12854
   737
apply (drule sym)
schirmer@12854
   738
apply (clarsimp simp add: avar_def2)
schirmer@12854
   739
apply (drule (1) conf_gext)
schirmer@12854
   740
apply (drule conf_RefTD, clarsimp)
schirmer@12854
   741
apply (subgoal_tac "\<exists> t vs. obj = \<lparr>tag=t,values=vs\<rparr>")
schirmer@12854
   742
defer
schirmer@12854
   743
apply   (rule obj_split)
schirmer@12854
   744
apply clarify
schirmer@12854
   745
apply (frule obj_ty_widenD)
schirmer@12854
   746
apply (auto dest!: widen_Class)
schirmer@12925
   747
apply   (force dest: AVar_lemma1)
schirmer@12925
   748
schirmer@12925
   749
apply   (force elim!: fits_Array dest: gext_objD 
schirmer@12925
   750
         intro: var_tys_Some_eq [THEN iffD2] conforms_upd_gobj)
schirmer@12854
   751
done
schirmer@12854
   752
schirmer@12925
   753
section "Call"
schirmer@12854
   754
schirmer@12854
   755
lemma conforms_init_lvars_lemma: "\<lbrakk>wf_prog G;  
schirmer@12854
   756
  wf_mhead G P sig mh; 
schirmer@12854
   757
  Ball (set lvars) (split (\<lambda>vn. is_type G)); 
schirmer@12854
   758
  list_all2 (conf G s) pvs pTsa; G\<turnstile>pTsa[\<preceq>](parTs sig)\<rbrakk> \<Longrightarrow>  
schirmer@12854
   759
  G,s\<turnstile>init_vals (table_of lvars)(pars mh[\<mapsto>]pvs)
schirmer@12854
   760
      [\<Colon>\<preceq>]table_of lvars(pars mh[\<mapsto>]parTs sig)"
schirmer@12854
   761
apply (unfold wf_mhead_def)
schirmer@12854
   762
apply clarify
schirmer@12854
   763
apply (erule (2) Ball_set_table [THEN lconf_init_vals, THEN lconf_ext_list])
schirmer@12854
   764
apply (drule wf_ws_prog)
schirmer@12854
   765
apply (erule (2) conf_list_widen)
schirmer@12854
   766
done
schirmer@12854
   767
schirmer@12854
   768
schirmer@12854
   769
lemma lconf_map_lname [simp]: 
schirmer@12854
   770
  "G,s\<turnstile>(lname_case l1 l2)[\<Colon>\<preceq>](lname_case L1 L2)
schirmer@12854
   771
   =
schirmer@12854
   772
  (G,s\<turnstile>l1[\<Colon>\<preceq>]L1 \<and> G,s\<turnstile>(\<lambda>x::unit . l2)[\<Colon>\<preceq>](\<lambda>x::unit. L2))"
schirmer@12854
   773
apply (unfold lconf_def)
schirmer@12854
   774
apply safe
schirmer@12854
   775
apply (case_tac "n")
schirmer@12854
   776
apply (force split add: lname.split)+
schirmer@12854
   777
done
schirmer@12854
   778
schirmer@12854
   779
lemma lconf_map_ename [simp]:
schirmer@12854
   780
  "G,s\<turnstile>(ename_case l1 l2)[\<Colon>\<preceq>](ename_case L1 L2)
schirmer@12854
   781
   =
schirmer@12854
   782
  (G,s\<turnstile>l1[\<Colon>\<preceq>]L1 \<and> G,s\<turnstile>(\<lambda>x::unit. l2)[\<Colon>\<preceq>](\<lambda>x::unit. L2))"
schirmer@12854
   783
apply (unfold lconf_def)
schirmer@12854
   784
apply safe
schirmer@12854
   785
apply (force split add: ename.split)+
schirmer@12854
   786
done
schirmer@12854
   787
schirmer@12854
   788
schirmer@12854
   789
lemma defval_conf1 [rule_format (no_asm), elim]: 
schirmer@12854
   790
  "is_type G T \<longrightarrow> (\<exists>v\<in>Some (default_val T): G,s\<turnstile>v\<Colon>\<preceq>T)"
schirmer@12854
   791
apply (unfold conf_def)
schirmer@12854
   792
apply (induct "T")
schirmer@12854
   793
apply (auto intro: prim_ty.induct)
schirmer@12854
   794
done
schirmer@12854
   795
schirmer@12925
   796
declare split_paired_All [simp del] split_paired_Ex [simp del] 
schirmer@12925
   797
declare split_if     [split del] split_if_asm     [split del] 
schirmer@12925
   798
        option.split [split del] option.split_asm [split del]
schirmer@12925
   799
ML_setup {*
schirmer@12925
   800
simpset_ref() := simpset() delloop "split_all_tac";
schirmer@12925
   801
claset_ref () := claset () delSWrapper "split_all_tac"
schirmer@12925
   802
*}
schirmer@12854
   803
lemma conforms_init_lvars: 
schirmer@12854
   804
"\<lbrakk>wf_mhead G (pid declC) sig (mhead (mthd dm)); wf_prog G;  
schirmer@12854
   805
  list_all2 (conf G s) pvs pTsa; G\<turnstile>pTsa[\<preceq>](parTs sig);  
schirmer@12854
   806
  (x, s)\<Colon>\<preceq>(G, L); 
schirmer@12854
   807
  methd G declC sig = Some dm;  
schirmer@12854
   808
  isrtype G statT;
schirmer@12854
   809
  G\<turnstile>invC\<preceq>\<^sub>C declC; 
schirmer@12854
   810
  G,s\<turnstile>a'\<Colon>\<preceq>RefT statT;  
schirmer@12854
   811
  invmode (mhd sm) e = IntVir \<longrightarrow> a' \<noteq> Null; 
schirmer@12854
   812
  invmode (mhd sm) e \<noteq> IntVir \<longrightarrow>  
schirmer@12854
   813
       (\<exists> statC. statT=ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C declC)
schirmer@12854
   814
    \<or>  (\<forall> statC. statT\<noteq>ClassT statC \<and> declC=Object);
schirmer@12854
   815
  invC  = invocation_class (invmode (mhd sm) e) s a' statT;
schirmer@12854
   816
  declC = invocation_declclass G (invmode (mhd sm) e) s a' statT sig;
schirmer@12854
   817
  Ball (set (lcls (mbody (mthd dm)))) 
schirmer@12854
   818
       (split (\<lambda>vn. is_type G)) 
schirmer@12854
   819
 \<rbrakk> \<Longrightarrow>  
schirmer@12854
   820
  init_lvars G declC sig (invmode (mhd sm) e) a'  
schirmer@12854
   821
  pvs (x,s)\<Colon>\<preceq>(G,\<lambda> k. 
schirmer@12854
   822
                (case k of
schirmer@12854
   823
                   EName e \<Rightarrow> (case e of 
schirmer@12854
   824
                                 VNam v 
schirmer@12854
   825
                                  \<Rightarrow> (table_of (lcls (mbody (mthd dm)))
schirmer@12854
   826
                                        (pars (mthd dm)[\<mapsto>]parTs sig)) v
schirmer@12854
   827
                               | Res \<Rightarrow> Some (resTy (mthd dm)))
schirmer@12925
   828
                 | This \<Rightarrow> if (is_static (mthd sm)) 
schirmer@12854
   829
                              then None else Some (Class declC)))"
schirmer@12854
   830
apply (simp add: init_lvars_def2)
schirmer@12854
   831
apply (rule conforms_set_locals)
schirmer@12854
   832
apply  (simp (no_asm_simp) split add: split_if)
schirmer@12854
   833
apply (drule  (4) DynT_conf)
schirmer@12854
   834
apply clarsimp
schirmer@12854
   835
(* apply intro *)
schirmer@12854
   836
apply (drule (4) conforms_init_lvars_lemma)
schirmer@12854
   837
apply (case_tac "dm",simp)
schirmer@12854
   838
apply (rule conjI)
schirmer@12854
   839
apply (unfold lconf_def, clarify)
schirmer@12854
   840
apply (rule defval_conf1)
schirmer@12854
   841
apply (clarsimp simp add: wf_mhead_def is_acc_type_def)
schirmer@12854
   842
apply (case_tac "is_static sm")
schirmer@12854
   843
apply simp_all
schirmer@12854
   844
done
schirmer@12925
   845
declare split_paired_All [simp] split_paired_Ex [simp] 
schirmer@12925
   846
declare split_if     [split] split_if_asm     [split] 
schirmer@12925
   847
        option.split [split] option.split_asm [split]
schirmer@12925
   848
ML_setup {*
schirmer@12925
   849
claset_ref()  := claset() addSbefore ("split_all_tac", split_all_tac);
schirmer@12925
   850
simpset_ref() := simpset() addloop ("split_all_tac", split_all_tac)
schirmer@12925
   851
*}
schirmer@12854
   852
schirmer@12854
   853
schirmer@12854
   854
schirmer@12854
   855
subsection "accessibility"
schirmer@12854
   856
schirmer@12925
   857
schirmer@12925
   858
(* #### stat raus und gleich is_static f schreiben *) 
schirmer@12854
   859
theorem dynamic_field_access_ok:
wenzelm@12937
   860
  assumes wf: "wf_prog G" and
wenzelm@12937
   861
    not_Null: "\<not> stat \<longrightarrow> a\<noteq>Null" and
wenzelm@12937
   862
   conform_a: "G,(store s)\<turnstile>a\<Colon>\<preceq> Class statC" and
wenzelm@12937
   863
   conform_s: "s\<Colon>\<preceq>(G, L)" and 
wenzelm@12937
   864
    normal_s: "normal s" and
wenzelm@12937
   865
        wt_e: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
wenzelm@12937
   866
           f: "accfield G accC statC fn = Some f" and
wenzelm@12937
   867
        dynC: "if stat then dynC=declclass f  
wenzelm@12937
   868
                       else dynC=obj_class (lookup_obj (store s) a)" and
wenzelm@12937
   869
        stat: "if stat then (is_static f) else (\<not> is_static f)"
wenzelm@12937
   870
  shows "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f) \<and> 
schirmer@12854
   871
     G\<turnstile>Field fn f in dynC dyn_accessible_from accC"
schirmer@12854
   872
proof (cases "stat")
schirmer@12854
   873
  case True
schirmer@12925
   874
  with stat have static: "(is_static f)" by simp
schirmer@12925
   875
  from True dynC 
schirmer@12925
   876
  have dynC': "dynC=declclass f" by simp
schirmer@12854
   877
  with f
schirmer@12925
   878
  have "table_of (DeclConcepts.fields G statC) (fn,declclass f) = Some (fld f)"
schirmer@12854
   879
    by (auto simp add: accfield_def Let_def intro!: table_of_remap_SomeD)
schirmer@12925
   880
  moreover
schirmer@12925
   881
  from wt_e wf have "is_class G statC"
schirmer@12925
   882
    by (auto dest!: ty_expr_is_type)
schirmer@12925
   883
  moreover note wf dynC'
schirmer@12925
   884
  ultimately have
schirmer@12925
   885
     "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"
schirmer@12925
   886
    by (auto dest: fields_declC)
schirmer@12925
   887
  with dynC' f static wf
schirmer@12854
   888
  show ?thesis
schirmer@12925
   889
    by (auto dest: static_to_dynamic_accessible_from_static
schirmer@12925
   890
            dest!: accfield_accessibleD )
schirmer@12854
   891
next
schirmer@12854
   892
  case False
schirmer@12925
   893
  with wf conform_a not_Null conform_s dynC
schirmer@12854
   894
  obtain subclseq: "G\<turnstile>dynC \<preceq>\<^sub>C statC" and
schirmer@12854
   895
    "is_class G dynC"
schirmer@12925
   896
    by (auto dest!: conforms_RefTD [of _ _ _ _ "(fst s)" L]
schirmer@12854
   897
              dest: obj_ty_obj_class1
schirmer@12854
   898
          simp add: obj_ty_obj_class )
schirmer@12854
   899
  with wf f
schirmer@12854
   900
  have "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"
schirmer@12854
   901
    by (auto simp add: accfield_def Let_def
schirmer@12854
   902
                 dest: fields_mono
schirmer@12854
   903
                dest!: table_of_remap_SomeD)
schirmer@12854
   904
  moreover
schirmer@12854
   905
  from f subclseq
schirmer@12854
   906
  have "G\<turnstile>Field fn f in dynC dyn_accessible_from accC"
schirmer@12854
   907
    by (auto intro!: static_to_dynamic_accessible_from 
schirmer@12854
   908
               dest: accfield_accessibleD)
schirmer@12854
   909
  ultimately show ?thesis
schirmer@12854
   910
    by blast
schirmer@12854
   911
qed
schirmer@12854
   912
schirmer@12925
   913
(*
schirmer@12925
   914
theorem dynamic_field_access_ok:
schirmer@12925
   915
  (assumes wf: "wf_prog G" and
schirmer@12925
   916
     not_Null: "\<not> is_static f \<longrightarrow> a\<noteq>Null" and
schirmer@12925
   917
    conform_a: "G,(store s)\<turnstile>a\<Colon>\<preceq> Class statC" and
schirmer@12925
   918
    conform_s: "s\<Colon>\<preceq>(G, L)" and 
schirmer@12925
   919
     normal_s: "normal s" and
schirmer@12925
   920
         wt_e: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@12925
   921
            f: "accfield G accC statC fn = Some f" and
schirmer@12925
   922
         dynC: "if is_static f 
schirmer@12925
   923
                   then dynC=declclass f  
schirmer@12925
   924
                   else dynC=obj_class (lookup_obj (store s) a)" 
schirmer@12925
   925
  ) "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f) \<and> 
schirmer@12925
   926
     G\<turnstile>Field fn f in dynC dyn_accessible_from accC"
schirmer@12925
   927
proof (cases "is_static f")
schirmer@12925
   928
  case True
schirmer@12925
   929
  from True dynC 
schirmer@12925
   930
  have dynC': "dynC=declclass f" by simp
schirmer@12925
   931
  with f
schirmer@12925
   932
  have "table_of (DeclConcepts.fields G statC) (fn,declclass f) = Some (fld f)"
schirmer@12925
   933
    by (auto simp add: accfield_def Let_def intro!: table_of_remap_SomeD)
schirmer@12925
   934
  moreover
schirmer@12925
   935
  from wt_e wf have "is_class G statC"
schirmer@12925
   936
    by (auto dest!: ty_expr_is_type)
schirmer@12925
   937
  moreover note wf dynC'
schirmer@12925
   938
  ultimately have
schirmer@12925
   939
     "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"
schirmer@12925
   940
    by (auto dest: fields_declC)
schirmer@12925
   941
  with dynC' f True wf
schirmer@12925
   942
  show ?thesis
schirmer@12925
   943
    by (auto dest: static_to_dynamic_accessible_from_static
schirmer@12925
   944
            dest!: accfield_accessibleD )
schirmer@12925
   945
next
schirmer@12925
   946
  case False
schirmer@12925
   947
  with wf conform_a not_Null conform_s dynC
schirmer@12925
   948
  obtain subclseq: "G\<turnstile>dynC \<preceq>\<^sub>C statC" and
schirmer@12925
   949
    "is_class G dynC"
schirmer@12925
   950
    by (auto dest!: conforms_RefTD [of _ _ _ _ "(fst s)" L]
schirmer@12925
   951
              dest: obj_ty_obj_class1
schirmer@12925
   952
          simp add: obj_ty_obj_class )
schirmer@12925
   953
  with wf f
schirmer@12925
   954
  have "table_of (DeclConcepts.fields G dynC) (fn,declclass f) = Some (fld f)"
schirmer@12925
   955
    by (auto simp add: accfield_def Let_def
schirmer@12925
   956
                 dest: fields_mono
schirmer@12925
   957
                dest!: table_of_remap_SomeD)
schirmer@12925
   958
  moreover
schirmer@12925
   959
  from f subclseq
schirmer@12925
   960
  have "G\<turnstile>Field fn f in dynC dyn_accessible_from accC"
schirmer@12925
   961
    by (auto intro!: static_to_dynamic_accessible_from 
schirmer@12925
   962
               dest: accfield_accessibleD)
schirmer@12925
   963
  ultimately show ?thesis
schirmer@12925
   964
    by blast
schirmer@12925
   965
qed
schirmer@12925
   966
*)
schirmer@12925
   967
schirmer@12925
   968
schirmer@12925
   969
(* ### Einsetzen in case FVar des TypeSoundness Proofs *)
schirmer@12925
   970
(*
schirmer@12925
   971
lemma FVar_check_error_free:
schirmer@12925
   972
(assumes fvar: "(v, s2') = fvar statDeclC stat fn a s2" and 
schirmer@12925
   973
        check: "s3 = check_field_access G accC statDeclC fn stat a s2'" and
schirmer@12925
   974
       conf_a: "normal s2 \<longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC" and
schirmer@12925
   975
      conf_s2: "s2\<Colon>\<preceq>(G, L)" and
schirmer@12925
   976
    initd_statDeclC_s2: "initd statDeclC s2" and
schirmer@12925
   977
    wt_e: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@12925
   978
    accfield: "accfield G accC statC fn = Some (statDeclC,f)" and
schirmer@12925
   979
    stat: "stat=is_static f" and
schirmer@12925
   980
      wf: "wf_prog G"
schirmer@12925
   981
)  "s3=s2'"
schirmer@12925
   982
proof -
schirmer@12925
   983
  from fvar 
schirmer@12925
   984
  have store_s2': "store s2'=store s2"
schirmer@12925
   985
    by (cases s2) (simp add: fvar_def2)
schirmer@12925
   986
  with fvar conf_s2 
schirmer@12925
   987
  have conf_s2': "s2'\<Colon>\<preceq>(G, L)"
schirmer@12925
   988
    by (cases s2,cases stat) (auto simp add: fvar_def2)
schirmer@12925
   989
  from initd_statDeclC_s2 store_s2' 
schirmer@12925
   990
  have initd_statDeclC_s2': "initd statDeclC s2"
schirmer@12925
   991
    by simp
schirmer@12925
   992
  show ?thesis
schirmer@12925
   993
  proof (cases "normal s2'")
schirmer@12925
   994
    case False
schirmer@12925
   995
    with check show ?thesis 
schirmer@12925
   996
      by (auto simp add: check_field_access_def Let_def)
schirmer@12925
   997
  next
schirmer@12925
   998
    case True
schirmer@12925
   999
    with fvar store_s2' 
schirmer@12925
  1000
    have not_Null: "\<not> stat \<longrightarrow> a\<noteq>Null" 
schirmer@12925
  1001
      by (cases s2) (auto simp add: fvar_def2)
schirmer@12925
  1002
    from True fvar store_s2'
schirmer@12925
  1003
    have "normal s2"
schirmer@12925
  1004
      by (cases s2,cases stat) (auto simp add: fvar_def2)
schirmer@12925
  1005
    with conf_a store_s2'
schirmer@12925
  1006
    have conf_a': "G,store s2'\<turnstile>a\<Colon>\<preceq>Class statC"
schirmer@12925
  1007
      by simp 
schirmer@12925
  1008
    from conf_a' conf_s2'  check True initd_statDeclC_s2' 
schirmer@12925
  1009
      dynamic_field_access_ok [OF wf not_Null conf_a' conf_s2' 
schirmer@12925
  1010
                                   True wt_e accfield ] stat
schirmer@12925
  1011
    show ?thesis
schirmer@12925
  1012
      by (cases stat)
schirmer@12925
  1013
         (auto dest!: initedD
schirmer@12925
  1014
           simp add: check_field_access_def Let_def)
schirmer@12925
  1015
  qed
schirmer@12925
  1016
qed
schirmer@12925
  1017
*)
schirmer@12925
  1018
schirmer@12925
  1019
lemma error_free_field_access:
wenzelm@12937
  1020
  assumes accfield: "accfield G accC statC fn = Some (statDeclC, f)" and
schirmer@12925
  1021
              wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@12925
  1022
         eval_init: "G\<turnstile>Norm s0 \<midarrow>Init statDeclC\<rightarrow> s1" and
schirmer@12925
  1023
            eval_e: "G\<turnstile>s1 \<midarrow>e-\<succ>a\<rightarrow> s2" and
schirmer@12925
  1024
           conf_s2: "s2\<Colon>\<preceq>(G, L)" and
schirmer@12925
  1025
            conf_a: "normal s2 \<Longrightarrow> G, store s2\<turnstile>a\<Colon>\<preceq>Class statC" and
schirmer@12925
  1026
              fvar: "(v,s2')=fvar statDeclC (is_static f) fn a s2" and
schirmer@12925
  1027
                wf: "wf_prog G"   
wenzelm@12937
  1028
  shows "check_field_access G accC statDeclC fn (is_static f) a s2' = s2'"
schirmer@12925
  1029
proof -
schirmer@12925
  1030
  from fvar
schirmer@12925
  1031
  have store_s2': "store s2'=store s2"
schirmer@12925
  1032
    by (cases s2) (simp add: fvar_def2)
schirmer@12925
  1033
  with fvar conf_s2 
schirmer@12925
  1034
  have conf_s2': "s2'\<Colon>\<preceq>(G, L)"
schirmer@12925
  1035
    by (cases s2,cases "is_static f") (auto simp add: fvar_def2)
schirmer@12925
  1036
  from eval_init 
schirmer@12925
  1037
  have initd_statDeclC_s1: "initd statDeclC s1"
schirmer@12925
  1038
    by (rule init_yields_initd)
schirmer@12925
  1039
  with eval_e store_s2'
schirmer@12925
  1040
  have initd_statDeclC_s2': "initd statDeclC s2'"
schirmer@12925
  1041
    by (auto dest: eval_gext intro: inited_gext)
schirmer@12925
  1042
  show ?thesis
schirmer@12925
  1043
  proof (cases "normal s2'")
schirmer@12925
  1044
    case False
schirmer@12925
  1045
    then show ?thesis 
schirmer@12925
  1046
      by (auto simp add: check_field_access_def Let_def)
schirmer@12925
  1047
  next
schirmer@12925
  1048
    case True
schirmer@12925
  1049
    with fvar store_s2' 
schirmer@12925
  1050
    have not_Null: "\<not> (is_static f) \<longrightarrow> a\<noteq>Null" 
schirmer@12925
  1051
      by (cases s2) (auto simp add: fvar_def2)
schirmer@12925
  1052
    from True fvar store_s2'
schirmer@12925
  1053
    have "normal s2"
schirmer@12925
  1054
      by (cases s2,cases "is_static f") (auto simp add: fvar_def2)
schirmer@12925
  1055
    with conf_a store_s2'
schirmer@12925
  1056
    have conf_a': "G,store s2'\<turnstile>a\<Colon>\<preceq>Class statC"
schirmer@12925
  1057
      by simp
schirmer@12925
  1058
    from conf_a' conf_s2' True initd_statDeclC_s2' 
schirmer@12925
  1059
      dynamic_field_access_ok [OF wf not_Null conf_a' conf_s2' 
schirmer@12925
  1060
                                   True wt_e accfield ] 
schirmer@12925
  1061
    show ?thesis
schirmer@12925
  1062
      by  (cases "is_static f")
schirmer@12925
  1063
          (auto dest!: initedD
schirmer@12925
  1064
           simp add: check_field_access_def Let_def)
schirmer@12925
  1065
  qed
schirmer@12925
  1066
qed
schirmer@12925
  1067
schirmer@12925
  1068
lemma call_access_ok:
wenzelm@12937
  1069
  assumes invC_prop: "G\<turnstile>invmode statM e\<rightarrow>invC\<preceq>statT" 
wenzelm@12937
  1070
      and        wf: "wf_prog G" 
wenzelm@12937
  1071
      and      wt_e: "\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT"
wenzelm@12937
  1072
      and     statM: "(statDeclT,statM) \<in> mheads G accC statT sig" 
wenzelm@12937
  1073
      and      invC: "invC = invocation_class (invmode statM e) s a statT"
wenzelm@12937
  1074
  shows "\<exists> dynM. dynlookup G statT invC sig = Some dynM \<and>
schirmer@12854
  1075
  G\<turnstile>Methd sig dynM in invC dyn_accessible_from accC"
schirmer@12854
  1076
proof -
schirmer@12854
  1077
  from wt_e wf have type_statT: "is_type G (RefT statT)"
schirmer@12854
  1078
    by (auto dest: ty_expr_is_type)
schirmer@12854
  1079
  from statM have not_Null: "statT \<noteq> NullT" by auto
schirmer@12854
  1080
  from type_statT wt_e 
schirmer@12854
  1081
  have wf_I: "(\<forall>I. statT = IfaceT I \<longrightarrow> is_iface G I \<and> 
schirmer@12925
  1082
                                        invmode statM e \<noteq> SuperM)"
schirmer@12854
  1083
    by (auto dest: invocationTypeExpr_noClassD)
schirmer@12854
  1084
  from wt_e
schirmer@12925
  1085
  have wf_A: "(\<forall>     T. statT = ArrayT T \<longrightarrow> invmode statM e \<noteq> SuperM)"
schirmer@12854
  1086
    by (auto dest: invocationTypeExpr_noClassD)
schirmer@12854
  1087
  show ?thesis
schirmer@12925
  1088
  proof (cases "invmode statM e = IntVir")
schirmer@12854
  1089
    case True
schirmer@12854
  1090
    with invC_prop not_Null
schirmer@12854
  1091
    have invC_prop': "is_class G invC \<and>  
schirmer@12854
  1092
                      (if (\<exists>T. statT=ArrayT T) then invC=Object 
schirmer@12854
  1093
                                              else G\<turnstile>Class invC\<preceq>RefT statT)"
schirmer@12854
  1094
      by (auto simp add: DynT_prop_def)
schirmer@12854
  1095
    with True not_Null
schirmer@12854
  1096
    have "G,statT \<turnstile> invC valid_lookup_cls_for is_static statM"
schirmer@12925
  1097
     by (cases statT) (auto simp add: invmode_def) 
schirmer@12854
  1098
    with statM type_statT wf 
schirmer@12854
  1099
    show ?thesis
schirmer@12854
  1100
      by - (rule dynlookup_access,auto)
schirmer@12854
  1101
  next
schirmer@12854
  1102
    case False
schirmer@12854
  1103
    with type_statT wf invC not_Null wf_I wf_A
schirmer@12854
  1104
    have invC_prop': " is_class G invC \<and>
schirmer@12854
  1105
                      ((\<exists> statC. statT=ClassT statC \<and> invC=statC) \<or>
schirmer@12854
  1106
                      (\<forall> statC. statT\<noteq>ClassT statC \<and> invC=Object)) "
schirmer@12854
  1107
        by (case_tac "statT") (auto simp add: invocation_class_def 
schirmer@12854
  1108
                                       split: inv_mode.splits)
schirmer@12854
  1109
    with not_Null wf
schirmer@12854
  1110
    have dynlookup_static: "dynlookup G statT invC sig = methd G invC sig"
schirmer@12854
  1111
      by (case_tac "statT") (auto simp add: dynlookup_def dynmethd_C_C
schirmer@12854
  1112
                                            dynimethd_def)
schirmer@12854
  1113
   from statM wf wt_e not_Null False invC_prop' obtain dynM where
schirmer@12854
  1114
                "accmethd G accC invC sig = Some dynM" 
schirmer@12854
  1115
     by (auto dest!: static_mheadsD)
schirmer@12854
  1116
   from invC_prop' False not_Null wf_I
schirmer@12854
  1117
   have "G,statT \<turnstile> invC valid_lookup_cls_for is_static statM"
schirmer@12925
  1118
     by (cases statT) (auto simp add: invmode_def) 
schirmer@12854
  1119
   with statM type_statT wf 
schirmer@12854
  1120
    show ?thesis
schirmer@12854
  1121
      by - (rule dynlookup_access,auto)
schirmer@12854
  1122
  qed
schirmer@12854
  1123
qed
schirmer@12854
  1124
schirmer@12925
  1125
lemma error_free_call_access:
wenzelm@12937
  1126
  assumes
schirmer@12925
  1127
   eval_args: "G\<turnstile>s1 \<midarrow>args\<doteq>\<succ>vs\<rightarrow> s2" and
schirmer@12925
  1128
        wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-(RefT statT)" and  
schirmer@12925
  1129
       statM: "max_spec G accC statT \<lparr>name = mn, parTs = pTs\<rparr> 
schirmer@12925
  1130
               = {((statDeclT, statM), pTs')}" and
schirmer@12925
  1131
     conf_s2: "s2\<Colon>\<preceq>(G, L)" and
schirmer@12925
  1132
      conf_a: "normal s1 \<Longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT" and
schirmer@12925
  1133
     invProp: "normal s3 \<Longrightarrow>
schirmer@12925
  1134
                G\<turnstile>invmode statM e\<rightarrow>invC\<preceq>statT" and
schirmer@12925
  1135
          s3: "s3=init_lvars G invDeclC \<lparr>name = mn, parTs = pTs'\<rparr> 
schirmer@12925
  1136
                        (invmode statM e) a vs s2" and
schirmer@12925
  1137
        invC: "invC = invocation_class (invmode statM e) (store s2) a statT"and
schirmer@12925
  1138
    invDeclC: "invDeclC = invocation_declclass G (invmode statM e) (store s2) 
schirmer@12925
  1139
                             a statT \<lparr>name = mn, parTs = pTs'\<rparr>" and
schirmer@12925
  1140
          wf: "wf_prog G"
wenzelm@12937
  1141
  shows "check_method_access G accC statT (invmode statM e) \<lparr>name=mn,parTs=pTs'\<rparr> a s3
schirmer@12925
  1142
   = s3"
schirmer@12925
  1143
proof (cases "normal s2")
schirmer@12925
  1144
  case False
schirmer@12925
  1145
  with s3 
schirmer@12925
  1146
  have "abrupt s3 = abrupt s2"  
schirmer@12925
  1147
    by (auto simp add: init_lvars_def2)
schirmer@12925
  1148
  with False
schirmer@12925
  1149
  show ?thesis
schirmer@12925
  1150
    by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1151
next
schirmer@12925
  1152
  case True
schirmer@12925
  1153
  note normal_s2 = True
schirmer@12925
  1154
  with eval_args
schirmer@12925
  1155
  have normal_s1: "normal s1"
schirmer@12925
  1156
    by (cases "normal s1") auto
schirmer@12925
  1157
  with conf_a eval_args 
schirmer@12925
  1158
  have conf_a_s2: "G, store s2\<turnstile>a\<Colon>\<preceq>RefT statT"
schirmer@12925
  1159
    by (auto dest: eval_gext intro: conf_gext)
schirmer@12925
  1160
  show ?thesis
schirmer@12925
  1161
  proof (cases "a=Null \<longrightarrow> (is_static statM)")
schirmer@12925
  1162
    case False
schirmer@12925
  1163
    then obtain "\<not> is_static statM" "a=Null" 
schirmer@12925
  1164
      by blast
schirmer@12925
  1165
    with normal_s2 s3
schirmer@12925
  1166
    have "abrupt s3 = Some (Xcpt (Std NullPointer))" 
schirmer@12925
  1167
      by (auto simp add: init_lvars_def2)
schirmer@12925
  1168
    then show ?thesis
schirmer@12925
  1169
      by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1170
  next
schirmer@12925
  1171
    case True
schirmer@12925
  1172
    from statM 
schirmer@12925
  1173
    obtain
schirmer@12925
  1174
      statM': "(statDeclT,statM)\<in>mheads G accC statT \<lparr>name=mn,parTs=pTs'\<rparr>" 
schirmer@12925
  1175
      by (blast dest: max_spec2mheads)
schirmer@12925
  1176
    from True normal_s2 s3
schirmer@12925
  1177
    have "normal s3"
schirmer@12925
  1178
      by (auto simp add: init_lvars_def2)
schirmer@12925
  1179
    then have "G\<turnstile>invmode statM e\<rightarrow>invC\<preceq>statT"
schirmer@12925
  1180
      by (rule invProp)
schirmer@12925
  1181
    with wt_e statM' wf invC
schirmer@12925
  1182
    obtain dynM where 
schirmer@12925
  1183
      dynM: "dynlookup G statT invC  \<lparr>name=mn,parTs=pTs'\<rparr> = Some dynM" and
schirmer@12925
  1184
      acc_dynM: "G \<turnstile>Methd  \<lparr>name=mn,parTs=pTs'\<rparr> dynM 
schirmer@12925
  1185
                          in invC dyn_accessible_from accC"
schirmer@12925
  1186
      by (force dest!: call_access_ok)
schirmer@12925
  1187
    moreover
schirmer@12925
  1188
    from s3 invC
schirmer@12925
  1189
    have invC': "invC=(invocation_class (invmode statM e) (store s3) a statT)"
schirmer@12925
  1190
      by (cases s2,cases "invmode statM e") 
schirmer@12925
  1191
         (simp add: init_lvars_def2 del: invmode_Static_eq)+
schirmer@12925
  1192
    ultimately
schirmer@12925
  1193
    show ?thesis
schirmer@12925
  1194
      by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1195
  qed
schirmer@12925
  1196
qed
schirmer@12925
  1197
schirmer@12854
  1198
section "main proof of type safety"
schirmer@12854
  1199
schirmer@12925
  1200
lemma eval_type_sound:
wenzelm@12937
  1201
  assumes eval: "G\<turnstile>s0 \<midarrow>t\<succ>\<rightarrow> (v,s1)" and
wenzelm@12937
  1202
            wt: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>T" and
wenzelm@12937
  1203
            wf: "wf_prog G" and 
wenzelm@12937
  1204
       conf_s0: "s0\<Colon>\<preceq>(G,L)"           
wenzelm@12937
  1205
  shows "s1\<Colon>\<preceq>(G,L) \<and>  (normal s1 \<longrightarrow> G,L,store s1\<turnstile>t\<succ>v\<Colon>\<preceq>T) \<and> 
schirmer@12925
  1206
         (error_free s0 = error_free s1)"
schirmer@12925
  1207
proof -
schirmer@12925
  1208
  from eval 
schirmer@12925
  1209
  have "\<And> L accC T. \<lbrakk>s0\<Colon>\<preceq>(G,L);\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>T\<rbrakk>  
schirmer@12925
  1210
        \<Longrightarrow> s1\<Colon>\<preceq>(G,L) \<and> (normal s1 \<longrightarrow> G,L,store s1\<turnstile>t\<succ>v\<Colon>\<preceq>T)
schirmer@12925
  1211
            \<and> (error_free s0 = error_free s1)"
schirmer@12925
  1212
   (is "PROP ?TypeSafe s0 s1 t v"
schirmer@12925
  1213
    is "\<And> L accC T. ?Conform L s0 \<Longrightarrow> ?WellTyped L accC T t  
schirmer@12925
  1214
                 \<Longrightarrow> ?Conform L s1 \<and> ?ValueTyped L T s1 t v \<and>
schirmer@12925
  1215
                     ?ErrorFree s0 s1")
schirmer@12925
  1216
  proof (induct)
schirmer@12925
  1217
    case (Abrupt s t xc L accC T) 
schirmer@12925
  1218
    have "(Some xc, s)\<Colon>\<preceq>(G,L)" .
schirmer@12925
  1219
    then show "(Some xc, s)\<Colon>\<preceq>(G,L) \<and> 
schirmer@12925
  1220
      (normal (Some xc, s) 
schirmer@12925
  1221
      \<longrightarrow> G,L,store (Some xc,s)\<turnstile>t\<succ>arbitrary3 t\<Colon>\<preceq>T) \<and> 
schirmer@12925
  1222
      (error_free (Some xc, s) = error_free (Some xc, s))"
schirmer@12925
  1223
      by (simp)
schirmer@12925
  1224
  next
schirmer@12925
  1225
    case (Skip s L accC T)
schirmer@12925
  1226
    have "Norm s\<Colon>\<preceq>(G, L)" and  
schirmer@12925
  1227
           "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r Skip\<Colon>T" .
schirmer@12925
  1228
    then show "Norm s\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1229
              (normal (Norm s) \<longrightarrow> G,L,store (Norm s)\<turnstile>In1r Skip\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and> 
schirmer@12925
  1230
              (error_free (Norm s) = error_free (Norm s))"
schirmer@12925
  1231
      by (simp)
schirmer@12925
  1232
  next
schirmer@12925
  1233
    case (Expr e s0 s1 v L accC T)
schirmer@12925
  1234
    have "G\<turnstile>Norm s0 \<midarrow>e-\<succ>v\<rightarrow> s1" .
schirmer@12925
  1235
    have     hyp: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 v)" .
schirmer@12925
  1236
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1237
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (Expr e)\<Colon>T" .
schirmer@12925
  1238
    then obtain eT 
schirmer@12925
  1239
      where "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l e\<Colon>eT"
schirmer@12925
  1240
      by (rule wt_elim_cases) (blast)
schirmer@12925
  1241
    with conf_s0 hyp 
schirmer@12925
  1242
    obtain "s1\<Colon>\<preceq>(G, L)" and "error_free s1"
schirmer@12925
  1243
      by (blast)
schirmer@12925
  1244
    with wt
schirmer@12925
  1245
    show "s1\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1246
          (normal s1 \<longrightarrow> G,L,store s1\<turnstile>In1r (Expr e)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and> 
schirmer@12925
  1247
          (error_free (Norm s0) = error_free s1)"
schirmer@12925
  1248
      by (simp)
schirmer@12925
  1249
  next
schirmer@12925
  1250
    case (Lab c l s0 s1 L accC T)
schirmer@12925
  1251
    have     hyp: "PROP ?TypeSafe (Norm s0) s1 (In1r c) \<diamondsuit>" .
schirmer@12925
  1252
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1253
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (l\<bullet> c)\<Colon>T" .
schirmer@12925
  1254
    then have "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>"
schirmer@12925
  1255
      by (rule wt_elim_cases) (blast)
schirmer@12925
  1256
    with conf_s0 hyp
schirmer@12925
  1257
    obtain       conf_s1: "s1\<Colon>\<preceq>(G, L)" and 
schirmer@12925
  1258
           error_free_s1: "error_free s1" 
schirmer@12925
  1259
      by (blast)
schirmer@12925
  1260
    from conf_s1 have "abupd (absorb (Break l)) s1\<Colon>\<preceq>(G, L)"
schirmer@12925
  1261
      by (cases s1) (auto intro: conforms_absorb)
schirmer@12925
  1262
    with wt error_free_s1
schirmer@12925
  1263
    show "abupd (absorb (Break l)) s1\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1264
          (normal (abupd (absorb (Break l)) s1)
schirmer@12925
  1265
           \<longrightarrow> G,L,store (abupd (absorb (Break l)) s1)\<turnstile>In1r (l\<bullet> c)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1266
          (error_free (Norm s0) = error_free (abupd (absorb (Break l)) s1))"
schirmer@12925
  1267
      by (simp)
schirmer@12925
  1268
  next
schirmer@12925
  1269
    case (Comp c1 c2 s0 s1 s2 L accC T)
schirmer@12925
  1270
    have "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> s1" .
schirmer@12925
  1271
    have "G\<turnstile>s1 \<midarrow>c2\<rightarrow> s2" .
schirmer@12925
  1272
    have  hyp_c1: "PROP ?TypeSafe (Norm s0) s1 (In1r c1) \<diamondsuit>" .
schirmer@12925
  1273
    have  hyp_c2: "PROP ?TypeSafe s1        s2 (In1r c2) \<diamondsuit>" .
schirmer@12925
  1274
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1275
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (c1;; c2)\<Colon>T" .
schirmer@12925
  1276
    then obtain wt_c1: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c1\<Colon>\<surd>" and
schirmer@12925
  1277
                wt_c2: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c2\<Colon>\<surd>"
schirmer@12925
  1278
      by (rule wt_elim_cases) (blast)
schirmer@12925
  1279
    with conf_s0 hyp_c1 hyp_c2
schirmer@12925
  1280
    obtain "s2\<Colon>\<preceq>(G, L)" and "error_free s2"
schirmer@12925
  1281
      by (blast)
schirmer@12925
  1282
    with wt
schirmer@12925
  1283
    show "s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1284
          (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In1r (c1;; c2)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1285
          (error_free (Norm s0) = error_free s2)"
schirmer@12925
  1286
      by (simp)
schirmer@12925
  1287
  next
schirmer@12925
  1288
    case (If b c1 c2 e s0 s1 s2 L accC T)
schirmer@12925
  1289
    have "G\<turnstile>Norm s0 \<midarrow>e-\<succ>b\<rightarrow> s1" .
schirmer@12925
  1290
    have "G\<turnstile>s1 \<midarrow>(if the_Bool b then c1 else c2)\<rightarrow> s2" .
schirmer@12925
  1291
    have hyp_e: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 b)" .
schirmer@12925
  1292
    have hyp_then_else: 
schirmer@12925
  1293
            "PROP ?TypeSafe s1 s2 (In1r (if the_Bool b then c1 else c2)) \<diamondsuit>" .
schirmer@12925
  1294
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1295
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (If(e) c1 Else c2)\<Colon>T" .
schirmer@12925
  1296
    then obtain "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>e\<Colon>-PrimT Boolean"
schirmer@12925
  1297
                "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(if the_Bool b then c1 else c2)\<Colon>\<surd>"
schirmer@12925
  1298
      by (rule wt_elim_cases) (auto split add: split_if)
schirmer@12925
  1299
    with conf_s0 hyp_e hyp_then_else
schirmer@12925
  1300
    obtain "s2\<Colon>\<preceq>(G, L)" and "error_free s2"
schirmer@12925
  1301
      by (blast)
schirmer@12925
  1302
    with wt
schirmer@12925
  1303
    show "s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1304
           (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In1r (If(e) c1 Else c2)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1305
           (error_free (Norm s0) = error_free s2)"
schirmer@12925
  1306
      by (simp)
schirmer@12925
  1307
  next
schirmer@12925
  1308
    case (Loop b c e l s0 s1 s2 s3 L accC T)
schirmer@12925
  1309
    have "G\<turnstile>Norm s0 \<midarrow>e-\<succ>b\<rightarrow> s1" .
schirmer@12925
  1310
    have hyp_e: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 b)" .
schirmer@12925
  1311
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1312
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (l\<bullet> While(e) c)\<Colon>T" .
schirmer@12925
  1313
    then obtain wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-PrimT Boolean" and
schirmer@12925
  1314
                wt_c: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>"
schirmer@12925
  1315
      by (rule wt_elim_cases) (blast)
schirmer@12925
  1316
    from conf_s0 wt_e hyp_e
schirmer@12925
  1317
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1318
      by blast
schirmer@12925
  1319
    show "s3\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1320
          (normal s3 \<longrightarrow> G,L,store s3\<turnstile>In1r (l\<bullet> While(e) c)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1321
          (error_free (Norm s0) = error_free s3)"
schirmer@12925
  1322
    proof (cases "normal s1 \<and> the_Bool b")
schirmer@12925
  1323
      case True
schirmer@12925
  1324
      from Loop True have "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" by auto
schirmer@12925
  1325
      from Loop True have "G\<turnstile>abupd (absorb (Cont l)) s2 \<midarrow>l\<bullet> While(e) c\<rightarrow> s3"
schirmer@12925
  1326
	by auto
schirmer@12925
  1327
      from Loop True have hyp_c: "PROP ?TypeSafe s1 s2 (In1r c) \<diamondsuit>"
schirmer@12925
  1328
	by (auto)
schirmer@12925
  1329
      from Loop True have hyp_w: "PROP ?TypeSafe (abupd (absorb (Cont l)) s2)
schirmer@12925
  1330
                                       s3 (In1r (l\<bullet> While(e) c)) \<diamondsuit>"
schirmer@12925
  1331
	by (auto)
schirmer@12925
  1332
      from conf_s1 error_free_s1 wt_c hyp_c
schirmer@12925
  1333
      obtain conf_s2:  "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  1334
	by blast
schirmer@12925
  1335
      from conf_s2 have "abupd (absorb (Cont l)) s2 \<Colon>\<preceq>(G, L)"
schirmer@12925
  1336
	by (cases s2) (auto intro: conforms_absorb)
schirmer@12925
  1337
      moreover
schirmer@12925
  1338
      from error_free_s2 have "error_free (abupd (absorb (Cont l)) s2)"
schirmer@12925
  1339
	by simp
schirmer@12925
  1340
      moreover note wt hyp_w
schirmer@12925
  1341
      ultimately obtain "s3\<Colon>\<preceq>(G, L)" and "error_free s3"
schirmer@12925
  1342
	by blast
schirmer@12925
  1343
      with wt 
schirmer@12925
  1344
      show ?thesis
schirmer@12925
  1345
	by (simp)
schirmer@12925
  1346
    next
schirmer@12925
  1347
      case False
schirmer@12925
  1348
      with Loop have "s3=s1" by simp
schirmer@12925
  1349
      with conf_s1 error_free_s1 wt
schirmer@12925
  1350
      show ?thesis
schirmer@12925
  1351
	by (simp)
schirmer@12925
  1352
    qed
schirmer@12925
  1353
  next
schirmer@12925
  1354
    case (Do j s L accC T)
schirmer@12925
  1355
    have "Norm s\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1356
    then 
schirmer@12925
  1357
    show "(Some (Jump j), s)\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1358
           (normal (Some (Jump j), s) 
schirmer@12925
  1359
           \<longrightarrow> G,L,store (Some (Jump j), s)\<turnstile>In1r (Do j)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1360
           (error_free (Norm s) = error_free (Some (Jump j), s))"
schirmer@12925
  1361
      by simp
schirmer@12925
  1362
  next
schirmer@12925
  1363
    case (Throw a e s0 s1 L accC T)
schirmer@12925
  1364
    have "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1" .
schirmer@12925
  1365
    have hyp: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 a)" .
schirmer@12925
  1366
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1367
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (Throw e)\<Colon>T" .
schirmer@12925
  1368
    then obtain tn 
schirmer@12925
  1369
      where      wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-Class tn" and
schirmer@12925
  1370
            throwable: "G\<turnstile>tn\<preceq>\<^sub>C SXcpt Throwable"
schirmer@12925
  1371
      by (rule wt_elim_cases) (auto)
schirmer@12925
  1372
    from conf_s0 wt_e hyp obtain
schirmer@12925
  1373
      "s1\<Colon>\<preceq>(G, L)" and
schirmer@12925
  1374
      "(normal s1 \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>Class tn)" and
schirmer@12925
  1375
      error_free_s1: "error_free s1"
schirmer@12925
  1376
      by force
schirmer@12925
  1377
    with wf throwable
schirmer@12925
  1378
    have "abupd (throw a) s1\<Colon>\<preceq>(G, L)" 
schirmer@12925
  1379
      by (cases s1) (auto dest: Throw_lemma)
schirmer@12925
  1380
    with wt error_free_s1
schirmer@12925
  1381
    show "abupd (throw a) s1\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1382
            (normal (abupd (throw a) s1) \<longrightarrow>
schirmer@12925
  1383
            G,L,store (abupd (throw a) s1)\<turnstile>In1r (Throw e)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1384
            (error_free (Norm s0) = error_free (abupd (throw a) s1))"
schirmer@12925
  1385
      by simp
schirmer@12925
  1386
  next
schirmer@12925
  1387
    case (Try catchC c1 c2 s0 s1 s2 s3 vn L accC T)
schirmer@12925
  1388
    have "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> s1" .
schirmer@12925
  1389
    have sx_alloc: "G\<turnstile>s1 \<midarrow>sxalloc\<rightarrow> s2" .
schirmer@12925
  1390
    have hyp_c1: "PROP ?TypeSafe (Norm s0) s1 (In1r c1) \<diamondsuit>" .
schirmer@12925
  1391
    have conf_s0:"Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1392
    have      wt:"\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>In1r (Try c1 Catch(catchC vn) c2)\<Colon>T" .
schirmer@12925
  1393
    then obtain 
schirmer@12925
  1394
      wt_c1: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c1\<Colon>\<surd>" and
schirmer@12925
  1395
      wt_c2: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<lparr>lcl := L(VName vn\<mapsto>Class catchC)\<rparr>\<turnstile>c2\<Colon>\<surd>" and
schirmer@12925
  1396
      fresh_vn: "L(VName vn)=None"
schirmer@12925
  1397
      by (rule wt_elim_cases) (auto)
schirmer@12925
  1398
    with conf_s0 hyp_c1
schirmer@12925
  1399
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1400
      by blast
schirmer@12925
  1401
    from conf_s1 sx_alloc wf 
schirmer@12925
  1402
    have conf_s2: "s2\<Colon>\<preceq>(G, L)" 
schirmer@12925
  1403
      by (auto dest: sxalloc_type_sound split: option.splits)
schirmer@12925
  1404
    from sx_alloc error_free_s1 
schirmer@12925
  1405
    have error_free_s2: "error_free s2"
schirmer@12925
  1406
      by (rule error_free_sxalloc)
schirmer@12925
  1407
    show "s3\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1408
          (normal s3 \<longrightarrow> G,L,store s3\<turnstile>In1r (Try c1 Catch(catchC vn) c2)\<succ>\<diamondsuit>\<Colon>\<preceq>T)\<and>
schirmer@12925
  1409
          (error_free (Norm s0) = error_free s3)"
schirmer@12925
  1410
    proof (cases "normal s1")  
schirmer@12925
  1411
      case True
schirmer@12925
  1412
      with sx_alloc wf 
schirmer@12925
  1413
      have eq_s2_s1: "s2=s1"
schirmer@12925
  1414
	by (auto dest: sxalloc_type_sound split: option.splits)
schirmer@12925
  1415
      with True 
schirmer@12925
  1416
      have "\<not>  G,s2\<turnstile>catch catchC"
schirmer@12925
  1417
	by (simp add: catch_def)
schirmer@12925
  1418
      with Try
schirmer@12925
  1419
      have "s3=s2"
schirmer@12925
  1420
	by simp
schirmer@12925
  1421
      with wt conf_s1 error_free_s1 eq_s2_s1
schirmer@12925
  1422
      show ?thesis
schirmer@12925
  1423
	by simp
schirmer@12925
  1424
    next
schirmer@12925
  1425
      case False
schirmer@12925
  1426
      note exception_s1 = this
schirmer@12925
  1427
      show ?thesis
schirmer@12925
  1428
      proof (cases "G,s2\<turnstile>catch catchC") 
schirmer@12925
  1429
	case False
schirmer@12925
  1430
	with Try
schirmer@12925
  1431
	have "s3=s2"
schirmer@12925
  1432
	  by simp
schirmer@12925
  1433
	with wt conf_s2 error_free_s2 
schirmer@12925
  1434
	show ?thesis
schirmer@12925
  1435
	  by simp
schirmer@12925
  1436
      next
schirmer@12925
  1437
	case True
schirmer@12925
  1438
	with Try have "G\<turnstile>new_xcpt_var vn s2 \<midarrow>c2\<rightarrow> s3" by simp
schirmer@12925
  1439
	from True Try 
schirmer@12925
  1440
	have hyp_c2: "PROP ?TypeSafe (new_xcpt_var vn s2) s3 (In1r c2) \<diamondsuit>"
schirmer@12925
  1441
	  by auto
schirmer@12925
  1442
	from exception_s1 sx_alloc wf
schirmer@12925
  1443
	obtain a 
schirmer@12925
  1444
	  where xcpt_s2: "abrupt s2 = Some (Xcpt (Loc a))"
schirmer@12925
  1445
	  by (auto dest!: sxalloc_type_sound split: option.splits)
schirmer@12925
  1446
	with True
schirmer@12925
  1447
	have "G\<turnstile>obj_ty (the (globs (store s2) (Heap a)))\<preceq>Class catchC"
schirmer@12925
  1448
	  by (cases s2) simp
schirmer@12925
  1449
	with xcpt_s2 conf_s2 wf
schirmer@12925
  1450
	have "Norm (lupd(VName vn\<mapsto>Addr a) (store s2))
schirmer@12925
  1451
              \<Colon>\<preceq>(G, L(VName vn\<mapsto>Class catchC))"
schirmer@12925
  1452
	  by (auto dest: Try_lemma)
schirmer@12925
  1453
	with hyp_c2 wt_c2 xcpt_s2 error_free_s2
schirmer@12925
  1454
	obtain       conf_s3: "s3\<Colon>\<preceq>(G, L(VName vn\<mapsto>Class catchC))" and
schirmer@12925
  1455
               error_free_s3: "error_free s3"
schirmer@12925
  1456
	  by (cases s2) auto
schirmer@12925
  1457
	from conf_s3 fresh_vn 
schirmer@12925
  1458
	have "s3\<Colon>\<preceq>(G,L)"
schirmer@12925
  1459
	  by (blast intro: conforms_deallocL)
schirmer@12925
  1460
	with wt error_free_s3
schirmer@12925
  1461
	show ?thesis
schirmer@12925
  1462
	  by simp
schirmer@12925
  1463
      qed
schirmer@12925
  1464
    qed
schirmer@12925
  1465
  next
schirmer@12925
  1466
    case (Fin c1 c2 s0 s1 s2 x1 L accC T)
schirmer@12925
  1467
    have "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> (x1, s1)" .
schirmer@12925
  1468
    have c2: "G\<turnstile>Norm s1 \<midarrow>c2\<rightarrow> s2" .
schirmer@12925
  1469
    have  hyp_c1: "PROP ?TypeSafe (Norm s0) (x1,s1) (In1r c1) \<diamondsuit>" .
schirmer@12925
  1470
    have  hyp_c2: "PROP ?TypeSafe (Norm s1) s2      (In1r c2) \<diamondsuit>" .
schirmer@12925
  1471
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1472
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (c1 Finally c2)\<Colon>T" .
schirmer@12925
  1473
    then obtain
schirmer@12925
  1474
      wt_c1: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c1\<Colon>\<surd>" and
schirmer@12925
  1475
      wt_c2: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c2\<Colon>\<surd>"
schirmer@12925
  1476
      by (rule wt_elim_cases) blast
schirmer@12925
  1477
    from conf_s0 wt_c1 hyp_c1  
schirmer@12925
  1478
    obtain conf_s1: "(x1,s1)\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free (x1,s1)"
schirmer@12925
  1479
      by blast
schirmer@12925
  1480
    from conf_s1 have "Norm s1\<Colon>\<preceq>(G, L)"
schirmer@12925
  1481
      by (rule conforms_NormI)
schirmer@12925
  1482
    with wt_c2 hyp_c2
schirmer@12925
  1483
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  1484
      by blast
schirmer@12925
  1485
    show "abupd (abrupt_if (x1 \<noteq> None) x1) s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1486
          (normal (abupd (abrupt_if (x1 \<noteq> None) x1) s2) 
schirmer@12925
  1487
           \<longrightarrow> G,L,store (abupd (abrupt_if (x1 \<noteq> None) x1) s2)
schirmer@12925
  1488
               \<turnstile>In1r (c1 Finally c2)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and> 
schirmer@12925
  1489
          (error_free (Norm s0) =
schirmer@12925
  1490
              error_free (abupd (abrupt_if (x1 \<noteq> None) x1) s2))"
schirmer@12925
  1491
    proof (cases x1)
schirmer@12925
  1492
      case None with conf_s2 wt show ?thesis by auto
schirmer@12925
  1493
    next
schirmer@12925
  1494
      case (Some x) 
schirmer@12925
  1495
      with c2 wf conf_s1 conf_s2
schirmer@12925
  1496
      have conf: "(abrupt_if True (Some x) (abrupt s2), store s2)\<Colon>\<preceq>(G, L)"
schirmer@12925
  1497
	by (cases s2) (auto dest: Fin_lemma)
schirmer@12925
  1498
      from Some error_free_s1
schirmer@12925
  1499
      have "\<not> (\<exists> err. x=Error err)"
schirmer@12925
  1500
	by (simp add: error_free_def)
schirmer@12925
  1501
      with error_free_s2
schirmer@12925
  1502
      have "error_free (abrupt_if True (Some x) (abrupt s2), store s2)"
schirmer@12925
  1503
	by (cases s2) simp
schirmer@12925
  1504
      with Some wt conf show ?thesis
schirmer@12925
  1505
	by (cases s2) auto
schirmer@12925
  1506
    qed
schirmer@12925
  1507
  next
schirmer@12925
  1508
    case (Init C c s0 s1 s2 s3 L accC T)
schirmer@12925
  1509
    have     cls: "the (class G C) = c" .
schirmer@12925
  1510
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1511
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1r (Init C)\<Colon>T" .
schirmer@12925
  1512
    with cls
schirmer@12925
  1513
    have cls_C: "class G C = Some c"
schirmer@12925
  1514
      by - (erule wt_elim_cases,auto)
schirmer@12925
  1515
    show "s3\<Colon>\<preceq>(G, L) \<and> (normal s3 \<longrightarrow> G,L,store s3\<turnstile>In1r (Init C)\<succ>\<diamondsuit>\<Colon>\<preceq>T) \<and>
schirmer@12925
  1516
          (error_free (Norm s0) = error_free s3)"
schirmer@12925
  1517
    proof (cases "inited C (globs s0)")
schirmer@12925
  1518
      case True
schirmer@12925
  1519
      with Init have "s3 = Norm s0"
schirmer@12925
  1520
	by simp
schirmer@12925
  1521
      with conf_s0 wt show ?thesis 
schirmer@12925
  1522
	by simp
schirmer@12925
  1523
    next
schirmer@12925
  1524
      case False
schirmer@12925
  1525
      with Init 
schirmer@12925
  1526
      have "G\<turnstile>Norm ((init_class_obj G C) s0) 
schirmer@12925
  1527
              \<midarrow>(if C = Object then Skip else Init (super c))\<rightarrow> s1" and
schirmer@12925
  1528
        eval_init: "G\<turnstile>(set_lvars empty) s1 \<midarrow>init c\<rightarrow> s2" and
schirmer@12925
  1529
	s3: "s3 = (set_lvars (locals (store s1))) s2" 
schirmer@12925
  1530
	by auto
schirmer@12925
  1531
      from False Init 
schirmer@12925
  1532
      have hyp_init_super: 
schirmer@12925
  1533
             "PROP ?TypeSafe (Norm ((init_class_obj G C) s0)) s1
schirmer@12925
  1534
	              (In1r (if C = Object then Skip else Init (super c))) \<diamondsuit>"
schirmer@12925
  1535
	by auto
schirmer@12925
  1536
      with False Init (* without chaining hyp_init_super, the simplifier will
schirmer@12925
  1537
                          loop! *)
schirmer@12925
  1538
      have hyp_init_c:
schirmer@12925
  1539
	"PROP ?TypeSafe ((set_lvars empty) s1) s2 (In1r (init c)) \<diamondsuit>"
schirmer@12925
  1540
	by auto
schirmer@12925
  1541
      from conf_s0 wf cls_C False
schirmer@12925
  1542
      have conf_s0': "(Norm ((init_class_obj G C) s0))\<Colon>\<preceq>(G, L)"
schirmer@12925
  1543
	by (auto dest: conforms_init_class_obj)
schirmer@12925
  1544
      from wf cls_C have
schirmer@12925
  1545
	wt_super:"\<lparr>prg = G, cls = accC, lcl = L\<rparr>
schirmer@12925
  1546
                   \<turnstile>(if C = Object then Skip else Init (super c))\<Colon>\<surd>"
schirmer@12925
  1547
	by (cases "C=Object")
schirmer@12925
  1548
           (auto dest: wf_prog_cdecl wf_cdecl_supD is_acc_classD)
schirmer@12925
  1549
      with conf_s0' hyp_init_super
schirmer@12925
  1550
      obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1551
	by blast 
schirmer@12925
  1552
      then
schirmer@12925
  1553
      have "(set_lvars empty) s1\<Colon>\<preceq>(G, empty)"
schirmer@12925
  1554
	by (cases s1) (auto dest: conforms_set_locals )
schirmer@12925
  1555
      moreover from error_free_s1
schirmer@12925
  1556
      have "error_free ((set_lvars empty) s1)"
schirmer@12925
  1557
	by simp
schirmer@12925
  1558
      moreover note hyp_init_c wf cls_C 
schirmer@12925
  1559
      ultimately
schirmer@12925
  1560
      obtain conf_s2: "s2\<Colon>\<preceq>(G, empty)" and error_free_s2: "error_free s2"
schirmer@12925
  1561
	by (auto dest!: wf_prog_cdecl wf_cdecl_wt_init)
schirmer@12925
  1562
      with s3 conf_s1 eval_init
schirmer@12925
  1563
      have "s3\<Colon>\<preceq>(G, L)"
schirmer@12925
  1564
	by (cases s2,cases s1) (force dest: conforms_return eval_gext')
schirmer@12925
  1565
      moreover from error_free_s2 s3
schirmer@12925
  1566
      have "error_free s3"
schirmer@12925
  1567
	by simp
schirmer@12925
  1568
      moreover note wt
schirmer@12925
  1569
      ultimately show ?thesis
schirmer@12925
  1570
	by simp
schirmer@12925
  1571
    qed
schirmer@12925
  1572
  next
schirmer@12925
  1573
    case (NewC C a s0 s1 s2 L accC T)
schirmer@12925
  1574
    have         "G\<turnstile>Norm s0 \<midarrow>Init C\<rightarrow> s1" .
schirmer@12925
  1575
    have halloc: "G\<turnstile>s1 \<midarrow>halloc CInst C\<succ>a\<rightarrow> s2" .
schirmer@12925
  1576
    have hyp: "PROP ?TypeSafe (Norm s0) s1 (In1r (Init C)) \<diamondsuit>" .
schirmer@12925
  1577
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1578
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (NewC C)\<Colon>T" .
schirmer@12925
  1579
    then obtain is_cls_C: "is_class G C" and
schirmer@12925
  1580
                       T: "T=Inl (Class C)"
schirmer@12925
  1581
      by (rule wt_elim_cases) (auto dest: is_acc_classD)
schirmer@12925
  1582
    with conf_s0 hyp
schirmer@12925
  1583
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1584
      by auto
schirmer@12925
  1585
    from conf_s1 halloc wf is_cls_C
schirmer@12925
  1586
    obtain halloc_type_safe: "s2\<Colon>\<preceq>(G, L)" 
schirmer@12925
  1587
                             "(normal s2 \<longrightarrow> G,store s2\<turnstile>Addr a\<Colon>\<preceq>Class C)"
schirmer@12925
  1588
      by (cases s2) (auto dest!: halloc_type_sound)
schirmer@12925
  1589
    from halloc error_free_s1 
schirmer@12925
  1590
    have "error_free s2"
schirmer@12925
  1591
      by (rule error_free_halloc)
schirmer@12925
  1592
    with halloc_type_safe T
schirmer@12925
  1593
    show "s2\<Colon>\<preceq>(G, L) \<and> 
schirmer@12925
  1594
          (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In1l (NewC C)\<succ>In1 (Addr a)\<Colon>\<preceq>T)  \<and>
schirmer@12925
  1595
          (error_free (Norm s0) = error_free s2)"
schirmer@12925
  1596
      by auto
schirmer@12925
  1597
  next
schirmer@12925
  1598
    case (NewA T a e i s0 s1 s2 s3 L accC Ta)
schirmer@12925
  1599
    have "G\<turnstile>Norm s0 \<midarrow>init_comp_ty T\<rightarrow> s1" .
schirmer@12925
  1600
    have "G\<turnstile>s1 \<midarrow>e-\<succ>i\<rightarrow> s2" .
schirmer@12925
  1601
    have halloc: "G\<turnstile>abupd (check_neg i) s2\<midarrow>halloc Arr T (the_Intg i)\<succ>a\<rightarrow> s3" .
schirmer@12925
  1602
    have hyp_init: "PROP ?TypeSafe (Norm s0) s1 (In1r (init_comp_ty T)) \<diamondsuit>" .
schirmer@12925
  1603
    have hyp_size: "PROP ?TypeSafe s1 s2 (In1l e) (In1 i)" .
schirmer@12925
  1604
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1605
    have     wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (New T[e])\<Colon>Ta" .
schirmer@12925
  1606
    then obtain
schirmer@12925
  1607
      wt_init: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>init_comp_ty T\<Colon>\<surd>" and
schirmer@12925
  1608
      wt_size: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-PrimT Integer" and
schirmer@12925
  1609
            T: "is_type G T" and
schirmer@12925
  1610
           Ta: "Ta=Inl (T.[])"
schirmer@12925
  1611
      by (rule wt_elim_cases) (auto intro: wt_init_comp_ty dest: is_acc_typeD)
schirmer@12925
  1612
    from conf_s0 wt_init hyp_init
schirmer@12925
  1613
    obtain "s1\<Colon>\<preceq>(G, L)" "error_free s1"
schirmer@12925
  1614
      by blast
schirmer@12925
  1615
    with wt_size hyp_size
schirmer@12925
  1616
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  1617
      by blast
schirmer@12925
  1618
    from conf_s2 have "abupd (check_neg i) s2\<Colon>\<preceq>(G, L)"
schirmer@12925
  1619
      by (cases s2) auto
schirmer@12925
  1620
    with halloc wf T 
schirmer@12925
  1621
    have halloc_type_safe:
schirmer@12925
  1622
          "s3\<Colon>\<preceq>(G, L) \<and> (normal s3 \<longrightarrow> G,store s3\<turnstile>Addr a\<Colon>\<preceq>T.[])"
schirmer@12925
  1623
      by (cases s3) (auto dest!: halloc_type_sound)
schirmer@12925
  1624
    from halloc error_free_s2
schirmer@12925
  1625
    have "error_free s3"
schirmer@12925
  1626
      by (auto dest: error_free_halloc)
schirmer@12925
  1627
    with halloc_type_safe Ta
schirmer@12925
  1628
    show "s3\<Colon>\<preceq>(G, L) \<and> 
schirmer@12925
  1629
          (normal s3 \<longrightarrow> G,L,store s3\<turnstile>In1l (New T[e])\<succ>In1 (Addr a)\<Colon>\<preceq>Ta) \<and>
schirmer@12925
  1630
          (error_free (Norm s0) = error_free s3) "
schirmer@12925
  1631
      by simp
schirmer@12925
  1632
  next
schirmer@12925
  1633
    case (Cast castT e s0 s1 s2 v L accC T)
schirmer@12925
  1634
    have "G\<turnstile>Norm s0 \<midarrow>e-\<succ>v\<rightarrow> s1" .
schirmer@12925
  1635
    have s2:"s2 = abupd (raise_if (\<not> G,store s1\<turnstile>v fits castT) ClassCast) s1" .
schirmer@12925
  1636
    have hyp: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 v)" .
schirmer@12925
  1637
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1638
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (Cast castT e)\<Colon>T" .
schirmer@12925
  1639
    then obtain eT
schirmer@12925
  1640
      where wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-eT" and
schirmer@12925
  1641
              eT: "G\<turnstile>eT\<preceq>? castT" and 
schirmer@12925
  1642
               T: "T=Inl castT"
schirmer@12925
  1643
      by (rule wt_elim_cases) auto
schirmer@12925
  1644
    with conf_s0 hyp
schirmer@12925
  1645
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1646
      by blast
schirmer@12925
  1647
    from conf_s1 s2 
schirmer@12925
  1648
    have conf_s2: "s2\<Colon>\<preceq>(G, L)"
schirmer@12925
  1649
      by (cases s1) simp
schirmer@12925
  1650
    from error_free_s1 s2
schirmer@12925
  1651
    have error_free_s2: "error_free s2"
schirmer@12925
  1652
      by simp
schirmer@12925
  1653
    {
schirmer@12925
  1654
      assume norm_s2: "normal s2"
schirmer@12925
  1655
      have "G,L,store s2\<turnstile>In1l (Cast castT e)\<succ>In1 v\<Colon>\<preceq>T"
schirmer@12925
  1656
      proof -
schirmer@12925
  1657
	from s2 norm_s2 have "normal s1"
schirmer@12925
  1658
	  by (cases s1) simp
schirmer@12925
  1659
	with wt_e conf_s0 hyp 
schirmer@12925
  1660
	have "G,store s1\<turnstile>v\<Colon>\<preceq>eT"
schirmer@12925
  1661
	  by force
schirmer@12925
  1662
	with eT wf s2 T norm_s2
schirmer@12925
  1663
	show ?thesis
schirmer@12925
  1664
	  by (cases s1) (auto dest: fits_conf)
schirmer@12925
  1665
      qed
schirmer@12925
  1666
    }
schirmer@12925
  1667
    with conf_s2 error_free_s2
schirmer@12925
  1668
    show "s2\<Colon>\<preceq>(G, L) \<and> 
schirmer@12925
  1669
           (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In1l (Cast castT e)\<succ>In1 v\<Colon>\<preceq>T)  \<and>
schirmer@12925
  1670
           (error_free (Norm s0) = error_free s2)"
schirmer@12925
  1671
      by blast
schirmer@12925
  1672
  next
schirmer@12925
  1673
    case (Inst T b e s0 s1 v L accC T')
schirmer@12925
  1674
    then show ?case
schirmer@12925
  1675
      by (auto elim!: wt_elim_cases)
schirmer@12925
  1676
  next
schirmer@12925
  1677
    case (Lit s v L accC T)
schirmer@12925
  1678
    then show ?case
schirmer@12925
  1679
      by (auto elim!: wt_elim_cases 
schirmer@12925
  1680
               intro: conf_litval simp add: empty_dt_def)
schirmer@12925
  1681
  next
schirmer@12925
  1682
    case (Super s L accC T)
schirmer@12925
  1683
    have conf_s: "Norm s\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1684
    have     wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l Super\<Colon>T" .
schirmer@12925
  1685
    then obtain C c where
schirmer@12925
  1686
             C: "L This = Some (Class C)" and
schirmer@12925
  1687
       neq_Obj: "C\<noteq>Object" and
schirmer@12925
  1688
         cls_C: "class G C = Some c" and
schirmer@12925
  1689
             T: "T=Inl (Class (super c))"
schirmer@12925
  1690
      by (rule wt_elim_cases) auto
schirmer@12925
  1691
    from C conf_s have "G,s\<turnstile>val_this s\<Colon>\<preceq>Class C"
schirmer@12925
  1692
      by (blast intro: conforms_localD [THEN lconfD])
schirmer@12925
  1693
    with neq_Obj cls_C wf
schirmer@12925
  1694
    have "G,s\<turnstile>val_this s\<Colon>\<preceq>Class (super c)"
schirmer@12925
  1695
      by (auto intro: conf_widen
schirmer@12925
  1696
                dest: subcls_direct[THEN widen.subcls])
schirmer@12925
  1697
    with T conf_s
schirmer@12925
  1698
    show "Norm s\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1699
           (normal (Norm s) \<longrightarrow> 
schirmer@12925
  1700
              G,L,store (Norm s)\<turnstile>In1l Super\<succ>In1 (val_this s)\<Colon>\<preceq>T) \<and>
schirmer@12925
  1701
           (error_free (Norm s) = error_free (Norm s))"
schirmer@12925
  1702
      by simp
schirmer@12925
  1703
  next
schirmer@12925
  1704
    case (Acc f s0 s1 v va L accC T)
schirmer@12925
  1705
    then show ?case
schirmer@12925
  1706
      by (force elim!: wt_elim_cases)
schirmer@12925
  1707
  next
schirmer@12925
  1708
    case (Ass e f s0 s1 s2 v var w L accC T)
schirmer@12925
  1709
    have eval_var: "G\<turnstile>Norm s0 \<midarrow>var=\<succ>(w, f)\<rightarrow> s1" .
schirmer@12925
  1710
    have   eval_e: "G\<turnstile>s1 \<midarrow>e-\<succ>v\<rightarrow> s2" .
schirmer@12925
  1711
    have  hyp_var: "PROP ?TypeSafe (Norm s0) s1 (In2 var) (In2 (w,f))" .
schirmer@12925
  1712
    have    hyp_e: "PROP ?TypeSafe s1 s2 (In1l e) (In1 v)" .
schirmer@12925
  1713
    have  conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1714
    have       wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (var:=e)\<Colon>T" .
schirmer@12925
  1715
    then obtain varT eT where
schirmer@12925
  1716
	 wt_var: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>var\<Colon>=varT" and
schirmer@12925
  1717
	   wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-eT" and
schirmer@12925
  1718
	  widen: "G\<turnstile>eT\<preceq>varT" and
schirmer@12925
  1719
              T: "T=Inl eT"
schirmer@12925
  1720
      by (rule wt_elim_cases) auto
schirmer@12925
  1721
    from conf_s0 wt_var hyp_var
schirmer@12925
  1722
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  1723
      by blast
schirmer@12925
  1724
    with wt_e hyp_e
schirmer@12925
  1725
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  1726
      by blast
schirmer@12925
  1727
    show "assign f v s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1728
           (normal (assign f v s2) \<longrightarrow>
schirmer@12925
  1729
            G,L,store (assign f v s2)\<turnstile>In1l (var:=e)\<succ>In1 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  1730
            (error_free (Norm s0) = error_free (assign f v s2))"
schirmer@12925
  1731
    proof (cases "normal s1")
schirmer@12925
  1732
      case False
schirmer@12925
  1733
      with eval_e 
schirmer@12925
  1734
      have "s2=s1"
schirmer@12925
  1735
	by auto
schirmer@12925
  1736
      with False conf_s1 error_free_s1
schirmer@12925
  1737
      show ?thesis
schirmer@12925
  1738
	by auto
schirmer@12925
  1739
    next
schirmer@12925
  1740
      case True
schirmer@12925
  1741
      note normal_s1=this
schirmer@12925
  1742
      show ?thesis 
schirmer@12925
  1743
      proof (cases "normal s2")
schirmer@12925
  1744
	case False
schirmer@12925
  1745
	with conf_s2 error_free_s2 
schirmer@12925
  1746
	show ?thesis
schirmer@12925
  1747
	  by auto
schirmer@12925
  1748
      next
schirmer@12925
  1749
	case True
schirmer@12925
  1750
	from True normal_s1 conf_s1 wt_e hyp_e
schirmer@12925
  1751
	have conf_v_eT: "G,store s2\<turnstile>v\<Colon>\<preceq>eT"
schirmer@12925
  1752
	  by force
schirmer@12925
  1753
	with widen wf
schirmer@12925
  1754
	have conf_v_varT: "G,store s2\<turnstile>v\<Colon>\<preceq>varT"
schirmer@12925
  1755
	  by (auto intro: conf_widen)
schirmer@12925
  1756
	from conf_s0 normal_s1 wt_var hyp_var
schirmer@12925
  1757
	have "G,L,store s1\<turnstile>In2 var\<succ>In2 (w, f)\<Colon>\<preceq>Inl varT"
schirmer@12925
  1758
	  by blast
schirmer@12925
  1759
	then 
schirmer@12925
  1760
	have conf_assign:  "store s1\<le>|f\<preceq>varT\<Colon>\<preceq>(G, L)" 
schirmer@12925
  1761
	  by auto
schirmer@12925
  1762
	from conf_v_eT conf_v_varT conf_assign normal_s1 True wf eval_var 
schirmer@12925
  1763
	  eval_e T conf_s2 error_free_s2
schirmer@12925
  1764
	show ?thesis
schirmer@12925
  1765
	  by (cases s1, cases s2) 
schirmer@12925
  1766
	     (auto dest!: Ass_lemma simp add: assign_conforms_def)
schirmer@12925
  1767
      qed
schirmer@12925
  1768
    qed
schirmer@12925
  1769
  next
schirmer@12925
  1770
    case (Cond b e0 e1 e2 s0 s1 s2 v L accC T)
schirmer@12925
  1771
    have eval_e0: "G\<turnstile>Norm s0 \<midarrow>e0-\<succ>b\<rightarrow> s1" .
schirmer@12925
  1772
    have "G\<turnstile>s1 \<midarrow>(if the_Bool b then e1 else e2)-\<succ>v\<rightarrow> s2" .
schirmer@12925
  1773
    have hyp_e0: "PROP ?TypeSafe (Norm s0) s1 (In1l e0) (In1 b)" .
schirmer@12925
  1774
    have hyp_if: "PROP ?TypeSafe s1 s2 
schirmer@12925
  1775
                       (In1l (if the_Bool b then e1 else e2)) (In1 v)" .
schirmer@12925
  1776
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1777
    have wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (e0 ? e1 : e2)\<Colon>T" .
schirmer@12925
  1778
    then obtain T1 T2 statT where
schirmer@12925
  1779
      wt_e0: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e0\<Colon>-PrimT Boolean" and
schirmer@12925
  1780
      wt_e1: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e1\<Colon>-T1" and
schirmer@12925
  1781
      wt_e2: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e2\<Colon>-T2" and 
schirmer@12925
  1782
      statT: "G\<turnstile>T1\<preceq>T2 \<and> statT = T2  \<or>  G\<turnstile>T2\<preceq>T1 \<and> statT =  T1" and
schirmer@12925
  1783
      T    : "T=Inl statT"
schirmer@12925
  1784
      by (rule wt_elim_cases) auto
schirmer@12925
  1785
    with wt_e0 conf_s0 hyp_e0
schirmer@12925
  1786
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1" 
schirmer@12925
  1787
      by blast
schirmer@12925
  1788
    with wt_e1 wt_e2 statT hyp_if
schirmer@12925
  1789
    obtain dynT where
schirmer@12925
  1790
      conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2" and
schirmer@12925
  1791
      conf_res: 
schirmer@12925
  1792
          "(normal s2 \<longrightarrow>
schirmer@12925
  1793
        G,L,store s2\<turnstile>In1l (if the_Bool b then e1 else e2)\<succ>In1 v\<Colon>\<preceq>Inl dynT)" and
schirmer@12925
  1794
      dynT: "dynT = (if the_Bool b then T1 else T2)"
schirmer@12925
  1795
      by (cases "the_Bool b") force+
schirmer@12925
  1796
    from statT dynT  
schirmer@12925
  1797
    have "G\<turnstile>dynT\<preceq>statT"
schirmer@12925
  1798
      by (cases "the_Bool b") auto
schirmer@12925
  1799
    with conf_s2 conf_res error_free_s2 T wf
schirmer@12925
  1800
    show "s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1801
           (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In1l (e0 ? e1 : e2)\<succ>In1 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  1802
           (error_free (Norm s0) = error_free s2)"
schirmer@12925
  1803
      by (auto)
schirmer@12925
  1804
  next
schirmer@12925
  1805
    case (Call invDeclC a' accC' args e mn mode pTs' s0 s1 s2 s3 s3' s4 statT 
schirmer@12925
  1806
           v vs L accC T)
schirmer@12925
  1807
    have eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a'\<rightarrow> s1" .
schirmer@12925
  1808
    have eval_args: "G\<turnstile>s1 \<midarrow>args\<doteq>\<succ>vs\<rightarrow> s2" .
schirmer@12925
  1809
    have invDeclC: "invDeclC 
schirmer@12925
  1810
                      = invocation_declclass G mode (store s2) a' statT 
schirmer@12925
  1811
                           \<lparr>name = mn, parTs = pTs'\<rparr>" .
schirmer@12925
  1812
    have init_lvars: 
schirmer@12925
  1813
           "s3 = init_lvars G invDeclC \<lparr>name = mn, parTs = pTs'\<rparr> mode a' vs s2".
schirmer@12925
  1814
    have check: "s3' =
schirmer@12925
  1815
       check_method_access G accC' statT mode \<lparr>name = mn, parTs = pTs'\<rparr> a' s3" .
schirmer@12925
  1816
    have eval_methd: 
schirmer@12925
  1817
           "G\<turnstile>s3' \<midarrow>Methd invDeclC \<lparr>name = mn, parTs = pTs'\<rparr>-\<succ>v\<rightarrow> s4" .
schirmer@12925
  1818
    have     hyp_e: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 a')" .
schirmer@12925
  1819
    have  hyp_args: "PROP ?TypeSafe s1 s2 (In3 args) (In3 vs)" .
schirmer@12925
  1820
    have hyp_methd: "PROP ?TypeSafe s3' s4 
schirmer@12925
  1821
                     (In1l (Methd invDeclC \<lparr>name = mn, parTs = pTs'\<rparr>)) (In1 v)".
schirmer@12925
  1822
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  1823
    have      wt: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>
schirmer@12925
  1824
                    \<turnstile>In1l ({accC',statT,mode}e\<cdot>mn( {pTs'}args))\<Colon>T" .
schirmer@12925
  1825
    from wt obtain pTs statDeclT statM where
schirmer@12925
  1826
                 wt_e: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT" and
schirmer@12925
  1827
              wt_args: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>args\<Colon>\<doteq>pTs" and
schirmer@12925
  1828
                statM: "max_spec G accC statT \<lparr>name=mn,parTs=pTs\<rparr> 
schirmer@12925
  1829
                         = {((statDeclT,statM),pTs')}" and
schirmer@12925
  1830
                 mode: "mode = invmode statM e" and
schirmer@12925
  1831
                    T: "T =Inl (resTy statM)" and
schirmer@12925
  1832
        eq_accC_accC': "accC=accC'"
schirmer@12925
  1833
      by (rule wt_elim_cases) auto
schirmer@12925
  1834
    from conf_s0 wt_e hyp_e 
schirmer@12925
  1835
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and
schirmer@12925
  1836
           conf_a': "normal s1 \<Longrightarrow> G, store s1\<turnstile>a'\<Colon>\<preceq>RefT statT" and
schirmer@12925
  1837
           error_free_s1: "error_free s1" 
schirmer@12925
  1838
      by force
schirmer@12925
  1839
    with wt_args hyp_args
schirmer@12925
  1840
    obtain    conf_s2: "s2\<Colon>\<preceq>(G, L)" and
schirmer@12925
  1841
            conf_args: "normal s2 
schirmer@12925
  1842
                         \<Longrightarrow>  list_all2 (conf G (store s2)) vs pTs" and
schirmer@12925
  1843
        error_free_s2: "error_free s2" 
schirmer@12925
  1844
      by force
schirmer@12925
  1845
    from error_free_s2 init_lvars
schirmer@12925
  1846
    have error_free_s3: "error_free s3"
schirmer@12925
  1847
      by (auto simp add: init_lvars_def2)
schirmer@12925
  1848
    from statM 
schirmer@12925
  1849
    obtain
schirmer@12925
  1850
      statM': "(statDeclT,statM)\<in>mheads G accC statT \<lparr>name=mn,parTs=pTs'\<rparr>" and
schirmer@12925
  1851
      pTs_widen: "G\<turnstile>pTs[\<preceq>]pTs'"
schirmer@12925
  1852
      by (blast dest: max_spec2mheads)
schirmer@12925
  1853
    from check
schirmer@12925
  1854
    have eq_store_s3'_s3: "store s3'=store s3"
schirmer@12925
  1855
      by (cases s3) (simp add: check_method_access_def Let_def)
schirmer@12925
  1856
    obtain invC
schirmer@12925
  1857
      where invC: "invC = invocation_class mode (store s2) a' statT"
schirmer@12925
  1858
      by simp
schirmer@12925
  1859
    with init_lvars
schirmer@12925
  1860
    have invC': "invC = (invocation_class mode (store s3) a' statT)"
schirmer@12925
  1861
      by (cases s2,cases mode) (auto simp add: init_lvars_def2 )
schirmer@12925
  1862
    show "(set_lvars (locals (store s2))) s4\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  1863
             (normal ((set_lvars (locals (store s2))) s4) \<longrightarrow>
schirmer@12925
  1864
               G,L,store ((set_lvars (locals (store s2))) s4)
schirmer@12925
  1865
               \<turnstile>In1l ({accC',statT,mode}e\<cdot>mn( {pTs'}args))\<succ>In1 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  1866
             (error_free (Norm s0) =
schirmer@12925
  1867
                error_free ((set_lvars (locals (store s2))) s4))"
schirmer@12925
  1868
    proof (cases "normal s2")
schirmer@12925
  1869
      case False
schirmer@12925
  1870
      with init_lvars 
schirmer@12925
  1871
      obtain keep_abrupt: "abrupt s3 = abrupt s2" and
schirmer@12925
  1872
             "store s3 = store (init_lvars G invDeclC \<lparr>name = mn, parTs = pTs'\<rparr> 
schirmer@12925
  1873
                                            mode a' vs s2)" 
schirmer@12925
  1874
	by (auto simp add: init_lvars_def2)
schirmer@12925
  1875
      moreover
schirmer@12925
  1876
      from keep_abrupt False check
schirmer@12925
  1877
      have eq_s3'_s3: "s3'=s3" 
schirmer@12925
  1878
	by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1879
      moreover
schirmer@12925
  1880
      from eq_s3'_s3 False keep_abrupt eval_methd
schirmer@12925
  1881
      have "s4=s3'"
schirmer@12925
  1882
	by auto
schirmer@12925
  1883
      ultimately have
schirmer@12925
  1884
	"set_lvars (locals (store s2)) s4 = s2"
schirmer@12925
  1885
	by (cases s2,cases s4) (simp add: init_lvars_def2)
schirmer@12925
  1886
      with False conf_s2 error_free_s2
schirmer@12925
  1887
      show ?thesis
schirmer@12925
  1888
	by auto
schirmer@12925
  1889
    next
schirmer@12925
  1890
      case True
schirmer@12925
  1891
      note normal_s2 = True
schirmer@12925
  1892
      with eval_args
schirmer@12925
  1893
      have normal_s1: "normal s1"
schirmer@12925
  1894
	by (cases "normal s1") auto
schirmer@12925
  1895
      with conf_a' eval_args 
schirmer@12925
  1896
      have conf_a'_s2: "G, store s2\<turnstile>a'\<Colon>\<preceq>RefT statT"
schirmer@12925
  1897
	by (auto dest: eval_gext intro: conf_gext)
schirmer@12925
  1898
      show ?thesis
schirmer@12925
  1899
      proof (cases "a'=Null \<longrightarrow> is_static statM")
schirmer@12925
  1900
	case False
schirmer@12925
  1901
	then obtain not_static: "\<not> is_static statM" and Null: "a'=Null" 
schirmer@12925
  1902
	  by blast
schirmer@12925
  1903
	with normal_s2 init_lvars mode
schirmer@12925
  1904
	obtain np: "abrupt s3 = Some (Xcpt (Std NullPointer))" and
schirmer@12925
  1905
                   "store s3 = store (init_lvars G invDeclC 
schirmer@12925
  1906
                                       \<lparr>name = mn, parTs = pTs'\<rparr> mode a' vs s2)"
schirmer@12925
  1907
	  by (auto simp add: init_lvars_def2)
schirmer@12925
  1908
	moreover
schirmer@12925
  1909
	from np check
schirmer@12925
  1910
	have eq_s3'_s3: "s3'=s3" 
schirmer@12925
  1911
	  by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1912
	moreover
schirmer@12925
  1913
	from eq_s3'_s3 np eval_methd
schirmer@12925
  1914
	have "s4=s3'"
schirmer@12925
  1915
	  by auto
schirmer@12925
  1916
	ultimately have
schirmer@12925
  1917
	  "set_lvars (locals (store s2)) s4 
schirmer@12925
  1918
           = (Some (Xcpt (Std NullPointer)),store s2)"
schirmer@12925
  1919
	  by (cases s2,cases s4) (simp add: init_lvars_def2)
schirmer@12925
  1920
	with conf_s2 error_free_s2
schirmer@12925
  1921
	show ?thesis
schirmer@12925
  1922
	  by (cases s2) (auto dest: conforms_NormI)
schirmer@12925
  1923
      next
schirmer@12925
  1924
	case True
schirmer@12925
  1925
	with mode have notNull: "mode = IntVir \<longrightarrow> a' \<noteq> Null"
schirmer@12925
  1926
	  by (auto dest!: Null_staticD)
schirmer@12925
  1927
	with conf_s2 conf_a'_s2 wf invC  
schirmer@12925
  1928
	have dynT_prop: "G\<turnstile>mode\<rightarrow>invC\<preceq>statT"
schirmer@12925
  1929
	  by (cases s2) (auto intro: DynT_propI)
schirmer@12925
  1930
	with wt_e statM' invC mode wf 
schirmer@12925
  1931
	obtain dynM where 
schirmer@12925
  1932
          dynM: "dynlookup G statT invC  \<lparr>name=mn,parTs=pTs'\<rparr> = Some dynM" and
schirmer@12925
  1933
          acc_dynM: "G \<turnstile>Methd  \<lparr>name=mn,parTs=pTs'\<rparr> dynM 
schirmer@12925
  1934
                          in invC dyn_accessible_from accC"
schirmer@12925
  1935
	  by (force dest!: call_access_ok)
schirmer@12925
  1936
	with invC' check eq_accC_accC'
schirmer@12925
  1937
	have eq_s3'_s3: "s3'=s3"
schirmer@12925
  1938
	  by (auto simp add: check_method_access_def Let_def)
schirmer@12925
  1939
	from dynT_prop wf wt_e statM' mode invC invDeclC dynM 
schirmer@12925
  1940
	obtain 
schirmer@12925
  1941
	   wf_dynM: "wf_mdecl G invDeclC (\<lparr>name=mn,parTs=pTs'\<rparr>,mthd dynM)" and
schirmer@12925
  1942
	     dynM': "methd G invDeclC \<lparr>name=mn,parTs=pTs'\<rparr> = Some dynM" and
schirmer@12925
  1943
           iscls_invDeclC: "is_class G invDeclC" and
schirmer@12925
  1944
	        invDeclC': "invDeclC = declclass dynM" and
schirmer@12925
  1945
	     invC_widen: "G\<turnstile>invC\<preceq>\<^sub>C invDeclC" and
schirmer@12925
  1946
	    resTy_widen: "G\<turnstile>resTy dynM\<preceq>resTy statM" and
schirmer@12925
  1947
	   is_static_eq: "is_static dynM = is_static statM" and
schirmer@12925
  1948
	   involved_classes_prop:
schirmer@12925
  1949
             "(if invmode statM e = IntVir
schirmer@12925
  1950
               then \<forall>statC. statT = ClassT statC \<longrightarrow> G\<turnstile>invC\<preceq>\<^sub>C statC
schirmer@12925
  1951
               else ((\<exists>statC. statT = ClassT statC \<and> G\<turnstile>statC\<preceq>\<^sub>C invDeclC) \<or>
schirmer@12925
  1952
                     (\<forall>statC. statT \<noteq> ClassT statC \<and> invDeclC = Object)) \<and>
schirmer@12925
  1953
                      statDeclT = ClassT invDeclC)"
schirmer@12925
  1954
	  by (auto dest: DynT_mheadsD)
schirmer@12925
  1955
	obtain L' where 
schirmer@12925
  1956
	   L':"L'=(\<lambda> k. 
schirmer@12925
  1957
                 (case k of
schirmer@12925
  1958
                    EName e
schirmer@12925
  1959
                    \<Rightarrow> (case e of 
schirmer@12925
  1960
                          VNam v 
schirmer@12925
  1961
                          \<Rightarrow>(table_of (lcls (mbody (mthd dynM)))
schirmer@12925
  1962
                             (pars (mthd dynM)[\<mapsto>]pTs')) v
schirmer@12925
  1963
                        | Res \<Rightarrow> Some (resTy dynM))
schirmer@12925
  1964
                  | This \<Rightarrow> if is_static statM 
schirmer@12925
  1965
                            then None else Some (Class invDeclC)))"
schirmer@12925
  1966
	  by simp
schirmer@12925
  1967
	from wf_dynM [THEN wf_mdeclD1, THEN conjunct1] normal_s2 conf_s2 wt_e
schirmer@12925
  1968
             wf eval_args conf_a' mode notNull wf_dynM involved_classes_prop
schirmer@12925
  1969
	have conf_s3: "s3\<Colon>\<preceq>(G,L')"
schirmer@12925
  1970
	  apply - 
schirmer@12925
  1971
             (* FIXME confomrs_init_lvars should be 
schirmer@12925
  1972
                adjusted to be more directy applicable *)
schirmer@12925
  1973
	  apply (drule conforms_init_lvars [of G invDeclC 
schirmer@12925
  1974
                  "\<lparr>name=mn,parTs=pTs'\<rparr>" dynM "store s2" vs pTs "abrupt s2" 
schirmer@12925
  1975
                  L statT invC a' "(statDeclT,statM)" e])
schirmer@12925
  1976
	  apply (rule wf)
schirmer@12925
  1977
	  apply (rule conf_args,assumption)
schirmer@12925
  1978
	  apply (simp add: pTs_widen)
schirmer@12925
  1979
	  apply (cases s2,simp)
schirmer@12925
  1980
	  apply (rule dynM')
schirmer@12925
  1981
	  apply (force dest: ty_expr_is_type)
schirmer@12925
  1982
	  apply (rule invC_widen)
schirmer@12925
  1983
	  apply (force intro: conf_gext dest: eval_gext)
schirmer@12925
  1984
	  apply simp
schirmer@12925
  1985
	  apply simp
schirmer@12925
  1986
	  apply (simp add: invC)
schirmer@12925
  1987
	  apply (simp add: invDeclC)
schirmer@12925
  1988
	  apply (force dest: wf_mdeclD1 is_acc_typeD)
schirmer@12925
  1989
	  apply (cases s2, simp add: L' init_lvars
schirmer@12925
  1990
	                      cong add: lname.case_cong ename.case_cong)
schirmer@12925
  1991
	  done 
schirmer@12925
  1992
	from  is_static_eq wf_dynM L'
schirmer@12925
  1993
	obtain mthdT where
schirmer@12925
  1994
	   "\<lparr>prg=G,cls=invDeclC,lcl=L'\<rparr>
schirmer@12925
  1995
            \<turnstile>Body invDeclC (stmt (mbody (mthd dynM)))\<Colon>-mthdT" and
schirmer@12925
  1996
	   mthdT_widen: "G\<turnstile>mthdT\<preceq>resTy dynM"
schirmer@12925
  1997
	  by - (drule wf_mdecl_bodyD,
schirmer@12925
  1998
                simp cong add: lname.case_cong ename.case_cong)
schirmer@12925
  1999
	with dynM' iscls_invDeclC invDeclC'
schirmer@12925
  2000
	have
schirmer@12925
  2001
	   "\<lparr>prg=G,cls=invDeclC,lcl=L'\<rparr>
schirmer@12925
  2002
            \<turnstile>(Methd invDeclC \<lparr>name = mn, parTs = pTs'\<rparr>)\<Colon>-mthdT"
schirmer@12925
  2003
	  by (auto intro: wt.Methd)
schirmer@12925
  2004
	with eq_s3'_s3 conf_s3 error_free_s3 
schirmer@12925
  2005
             hyp_methd [of L' invDeclC "Inl mthdT"]
schirmer@12925
  2006
	obtain  conf_s4: "s4\<Colon>\<preceq>(G, L')" and 
schirmer@12925
  2007
	       conf_Res: "normal s4 \<longrightarrow> G,store s4\<turnstile>v\<Colon>\<preceq>mthdT" and
schirmer@12925
  2008
	  error_free_s4: "error_free s4"
schirmer@12925
  2009
	  by auto
schirmer@12925
  2010
	from init_lvars eval_methd eq_s3'_s3 
schirmer@12925
  2011
	have "store s2\<le>|store s4"
schirmer@12925
  2012
	  by (cases s2) (auto dest!: eval_gext simp add: init_lvars_def2 )
schirmer@12925
  2013
	with conf_s2 conf_s4
schirmer@12925
  2014
	have "(set_lvars (locals (store s2))) s4\<Colon>\<preceq>(G, L)"
schirmer@12925
  2015
	  by (cases s2,cases s4) (auto intro: conforms_return)
schirmer@12925
  2016
	moreover 
schirmer@12925
  2017
	from conf_Res mthdT_widen resTy_widen wf
schirmer@12925
  2018
	have "normal s4 
schirmer@12925
  2019
             \<longrightarrow> G,store s4\<turnstile>v\<Colon>\<preceq>(resTy statM)"
schirmer@12925
  2020
	  by (auto dest: widen_trans)
schirmer@12925
  2021
	then
schirmer@12925
  2022
	have "normal ((set_lvars (locals (store s2))) s4)
schirmer@12925
  2023
             \<longrightarrow> G,store((set_lvars (locals (store s2))) s4) \<turnstile>v\<Colon>\<preceq>(resTy statM)"
schirmer@12925
  2024
	  by (cases s4) auto
schirmer@12925
  2025
	moreover note error_free_s4 T
schirmer@12925
  2026
	ultimately 
schirmer@12925
  2027
	show ?thesis
schirmer@12925
  2028
	  by simp
schirmer@12925
  2029
      qed
schirmer@12925
  2030
    qed
schirmer@12925
  2031
  next
schirmer@12925
  2032
    case (Methd D s0 s1 sig v L accC T)
schirmer@12925
  2033
    have "G\<turnstile>Norm s0 \<midarrow>body G D sig-\<succ>v\<rightarrow> s1" .
schirmer@12925
  2034
    have hyp: "PROP ?TypeSafe (Norm s0) s1 (In1l (body G D sig)) (In1 v)" .
schirmer@12925
  2035
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  2036
    have      wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (Methd D sig)\<Colon>T" .
schirmer@12925
  2037
    then obtain m bodyT where
schirmer@12925
  2038
      D: "is_class G D" and
schirmer@12925
  2039
      m: "methd G D sig = Some m" and
schirmer@12925
  2040
      wt_body: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>
schirmer@12925
  2041
                   \<turnstile>Body (declclass m) (stmt (mbody (mthd m)))\<Colon>-bodyT" and
schirmer@12925
  2042
      T: "T=Inl bodyT"
schirmer@12925
  2043
      by (rule wt_elim_cases) auto
schirmer@12925
  2044
    with hyp [of _ _ "(Inl bodyT)"] conf_s0 
schirmer@12925
  2045
    show "s1\<Colon>\<preceq>(G, L) \<and> 
schirmer@12925
  2046
           (normal s1 \<longrightarrow> G,L,snd s1\<turnstile>In1l (Methd D sig)\<succ>In1 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  2047
           (error_free (Norm s0) = error_free s1)"
schirmer@12925
  2048
      by (auto simp add: Let_def body_def)
schirmer@12925
  2049
  next
schirmer@12925
  2050
    case (Body D c s0 s1 s2 L accC T)
schirmer@12925
  2051
    have "G\<turnstile>Norm s0 \<midarrow>Init D\<rightarrow> s1" .
schirmer@12925
  2052
    have "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" .
schirmer@12925
  2053
    have hyp_init: "PROP ?TypeSafe (Norm s0) s1 (In1r (Init D)) \<diamondsuit>" .
schirmer@12925
  2054
    have hyp_c: "PROP ?TypeSafe s1 s2 (In1r c) \<diamondsuit>" .
schirmer@12925
  2055
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  2056
    have wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In1l (Body D c)\<Colon>T" .
schirmer@12925
  2057
    then obtain bodyT where
schirmer@12925
  2058
         iscls_D: "is_class G D" and
schirmer@12925
  2059
            wt_c: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>" and
schirmer@12925
  2060
         resultT: "L Result = Some bodyT" and
schirmer@12925
  2061
      isty_bodyT: "is_type G bodyT" and (* ### not needed! remove from wt? *)
schirmer@12925
  2062
               T: "T=Inl bodyT"
schirmer@12925
  2063
      by (rule wt_elim_cases) auto
schirmer@12925
  2064
    from conf_s0 iscls_D hyp_init
schirmer@12925
  2065
    obtain "s1\<Colon>\<preceq>(G, L)" "error_free s1"
schirmer@12925
  2066
      by auto
schirmer@12925
  2067
    with wt_c hyp_c
schirmer@12925
  2068
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  2069
      by blast
schirmer@12925
  2070
    from conf_s2
schirmer@12925
  2071
    have "abupd (absorb Ret) s2\<Colon>\<preceq>(G, L)"
schirmer@12925
  2072
      by (cases s2) (auto intro: conforms_absorb)
schirmer@12925
  2073
    moreover
schirmer@12925
  2074
    from error_free_s2
schirmer@12925
  2075
    have "error_free (abupd (absorb Ret) s2)"
schirmer@12925
  2076
      by simp
schirmer@12925
  2077
    moreover note T resultT
schirmer@12925
  2078
    ultimately
schirmer@12925
  2079
    show "abupd (absorb Ret) s2\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  2080
           (normal (abupd (absorb Ret) s2) \<longrightarrow>
schirmer@12925
  2081
             G,L,store (abupd (absorb Ret) s2)
schirmer@12925
  2082
              \<turnstile>In1l (Body D c)\<succ>In1 (the (locals (store s2) Result))\<Colon>\<preceq>T) \<and>
schirmer@12925
  2083
          (error_free (Norm s0) = error_free (abupd (absorb Ret) s2)) "
schirmer@12925
  2084
      by (cases s2) (auto intro: conforms_locals)
schirmer@12925
  2085
  next
schirmer@12925
  2086
    case (LVar s vn L accC T)
schirmer@12925
  2087
    have conf_s: "Norm s\<Colon>\<preceq>(G, L)" and 
schirmer@12925
  2088
             wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In2 (LVar vn)\<Colon>T" .
schirmer@12925
  2089
    then obtain vnT where
schirmer@12925
  2090
      vnT: "L vn = Some vnT" and
schirmer@12925
  2091
        T: "T=Inl vnT"
schirmer@12925
  2092
      by (auto elim!: wt_elim_cases)
schirmer@12925
  2093
    from conf_s vnT
schirmer@12925
  2094
    have conf_fst: "G,s\<turnstile>fst (lvar vn s)\<Colon>\<preceq>vnT"  
schirmer@12925
  2095
      by (auto elim: conforms_localD [THEN lconfD]  
schirmer@12925
  2096
               simp add: lvar_def)
schirmer@12925
  2097
    moreover
schirmer@12925
  2098
    from conf_s conf_fst vnT 
schirmer@12925
  2099
    have "s\<le>|snd (lvar vn s)\<preceq>vnT\<Colon>\<preceq>(G, L)"
schirmer@12925
  2100
      by (auto elim: conforms_lupd simp add: assign_conforms_def lvar_def)
schirmer@12925
  2101
    moreover note conf_s T
schirmer@12925
  2102
    ultimately 
schirmer@12925
  2103
    show "Norm s\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  2104
                 (normal (Norm s) \<longrightarrow>
schirmer@12925
  2105
                    G,L,store (Norm s)\<turnstile>In2 (LVar vn)\<succ>In2 (lvar vn s)\<Colon>\<preceq>T) \<and>
schirmer@12925
  2106
                 (error_free (Norm s) = error_free (Norm s))"
schirmer@12925
  2107
      by simp 
schirmer@12925
  2108
  next
schirmer@12925
  2109
    case (FVar a accC e fn s0 s1 s2 s2' s3 stat statDeclC v L accC' T)
schirmer@12925
  2110
    have eval_init: "G\<turnstile>Norm s0 \<midarrow>Init statDeclC\<rightarrow> s1" .
schirmer@12925
  2111
    have eval_e: "G\<turnstile>s1 \<midarrow>e-\<succ>a\<rightarrow> s2" .
schirmer@12925
  2112
    have fvar: "(v, s2') = fvar statDeclC stat fn a s2" .
schirmer@12925
  2113
    have check: "s3 = check_field_access G accC statDeclC fn stat a s2'" .
schirmer@12925
  2114
    have hyp_init: "PROP ?TypeSafe (Norm s0) s1 (In1r (Init statDeclC)) \<diamondsuit>" .
schirmer@12925
  2115
    have hyp_e: "PROP ?TypeSafe s1 s2 (In1l e) (In1 a)" .
schirmer@12925
  2116
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  2117
    have wt: "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile>In2 ({accC,statDeclC,stat}e..fn)\<Colon>T" .
schirmer@12925
  2118
    then obtain statC f where
schirmer@12925
  2119
                wt_e: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@12925
  2120
            accfield: "accfield G accC statC fn = Some (statDeclC,f)" and
schirmer@12925
  2121
       eq_accC_accC': "accC=accC'" and
schirmer@12925
  2122
                stat: "stat=is_static f" and
schirmer@12925
  2123
	           T: "T=(Inl (type f))"
schirmer@12925
  2124
      by (rule wt_elim_cases) (auto simp add: member_is_static_simp)
schirmer@12925
  2125
    from wf wt_e 
schirmer@12925
  2126
    have iscls_statC: "is_class G statC"
schirmer@12925
  2127
      by (auto dest: ty_expr_is_type type_is_class)
schirmer@12925
  2128
    with wf accfield 
schirmer@12925
  2129
    have iscls_statDeclC: "is_class G statDeclC"
schirmer@12925
  2130
      by (auto dest!: accfield_fields dest: fields_declC)
schirmer@12925
  2131
    with conf_s0 hyp_init
schirmer@12925
  2132
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1"
schirmer@12925
  2133
      by auto
schirmer@12925
  2134
    from conf_s1 wt_e hyp_e
schirmer@12925
  2135
    obtain       conf_s2: "s2\<Colon>\<preceq>(G, L)" and
schirmer@12925
  2136
                  conf_a: "normal s2 \<longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC" 
schirmer@12925
  2137
      by force
schirmer@12925
  2138
    from conf_s1 wt_e error_free_s1 hyp_e
schirmer@12925
  2139
    have error_free_s2: "error_free s2"
schirmer@12925
  2140
      by auto
schirmer@12925
  2141
    from fvar 
schirmer@12925
  2142
    have store_s2': "store s2'=store s2"
schirmer@12925
  2143
      by (cases s2) (simp add: fvar_def2)
schirmer@12925
  2144
    with fvar conf_s2 
schirmer@12925
  2145
    have conf_s2': "s2'\<Colon>\<preceq>(G, L)"
schirmer@12925
  2146
      by (cases s2,cases stat) (auto simp add: fvar_def2)
schirmer@12925
  2147
    from eval_init 
schirmer@12925
  2148
    have initd_statDeclC_s1: "initd statDeclC s1"
schirmer@12925
  2149
      by (rule init_yields_initd)
schirmer@12925
  2150
    from accfield wt_e eval_init eval_e conf_s2 conf_a fvar stat check  wf
schirmer@12925
  2151
    have eq_s3_s2': "s3=s2'"  
schirmer@12925
  2152
      by (auto dest!: error_free_field_access)
schirmer@12925
  2153
    have conf_v: "normal s2' \<Longrightarrow> 
schirmer@12925
  2154
           G,store s2'\<turnstile>fst v\<Colon>\<preceq>type f \<and> store s2'\<le>|snd v\<preceq>type f\<Colon>\<preceq>(G, L)"
schirmer@12925
  2155
    proof - (*###FVar_lemma should be adjusted to be more directy applicable *)
schirmer@12925
  2156
      assume normal: "normal s2'"
schirmer@12925
  2157
      obtain vv vf x2 store2 store2'
schirmer@12925
  2158
	where  v: "v=(vv,vf)" and
schirmer@12925
  2159
              s2: "s2=(x2,store2)" and
schirmer@12925
  2160
         store2': "store s2' = store2'"
schirmer@12925
  2161
	by (cases v,cases s2,cases s2') blast
schirmer@12925
  2162
      from iscls_statDeclC obtain c
schirmer@12925
  2163
	where c: "class G statDeclC = Some c"
schirmer@12925
  2164
	by auto
schirmer@12925
  2165
      have "G,store2'\<turnstile>vv\<Colon>\<preceq>type f \<and> store2'\<le>|vf\<preceq>type f\<Colon>\<preceq>(G, L)"
schirmer@12925
  2166
      proof (rule FVar_lemma [of vv vf store2' statDeclC f fn a x2 store2 
schirmer@12925
  2167
                               statC G c L "store s1"])
schirmer@12925
  2168
	from v normal s2 fvar stat store2' 
schirmer@12925
  2169
	show "((vv, vf), Norm store2') = 
schirmer@12925
  2170
               fvar statDeclC (static f) fn a (x2, store2)"
schirmer@12925
  2171
	  by (auto simp add: member_is_static_simp)
schirmer@12925
  2172
	from accfield iscls_statC wf
schirmer@12925
  2173
	show "G\<turnstile>statC\<preceq>\<^sub>C statDeclC"
schirmer@12925
  2174
	  by (auto dest!: accfield_fields dest: fields_declC)
schirmer@12925
  2175
	from accfield
schirmer@12925
  2176
	show fld: "table_of (fields G statC) (fn, statDeclC) = Some f"
schirmer@12925
  2177
	  by (auto dest!: accfield_fields)
schirmer@12925
  2178
	from wf show "wf_prog G" .
schirmer@12925
  2179
	from conf_a s2 show "x2 = None \<longrightarrow> G,store2\<turnstile>a\<Colon>\<preceq>Class statC"
schirmer@12925
  2180
	  by auto
schirmer@12925
  2181
	from fld wf iscls_statC
schirmer@12925
  2182
	show "statDeclC \<noteq> Object "
schirmer@12925
  2183
	  by (cases "statDeclC=Object") (drule fields_declC,simp+)+
schirmer@12925
  2184
	from c show "class G statDeclC = Some c" .
schirmer@12925
  2185
	from conf_s2 s2 show "(x2, store2)\<Colon>\<preceq>(G, L)" by simp
schirmer@12925
  2186
	from eval_e s2 show "snd s1\<le>|store2" by (auto dest: eval_gext)
schirmer@12925
  2187
	from initd_statDeclC_s1 show "inited statDeclC (globs (snd s1))" 
schirmer@12925
  2188
	  by simp
schirmer@12925
  2189
      qed
schirmer@12925
  2190
      with v s2 store2'  
schirmer@12925
  2191
      show ?thesis
schirmer@12925
  2192
	by simp
schirmer@12925
  2193
    qed
schirmer@12925
  2194
    from fvar error_free_s2
schirmer@12925
  2195
    have "error_free s2'"
schirmer@12925
  2196
      by (cases s2)
schirmer@12925
  2197
         (auto simp add: fvar_def2 intro!: error_free_FVar_lemma)
schirmer@12925
  2198
    with conf_v T conf_s2' eq_s3_s2'
schirmer@12925
  2199
    show "s3\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  2200
          (normal s3 
schirmer@12925
  2201
           \<longrightarrow> G,L,store s3\<turnstile>In2 ({accC,statDeclC,stat}e..fn)\<succ>In2 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  2202
          (error_free (Norm s0) = error_free s3)"
schirmer@12925
  2203
      by auto
schirmer@12925
  2204
  next
schirmer@12925
  2205
    case (AVar a e1 e2 i s0 s1 s2 s2' v L accC T)
schirmer@12925
  2206
    have eval_e1: "G\<turnstile>Norm s0 \<midarrow>e1-\<succ>a\<rightarrow> s1" .
schirmer@12925
  2207
    have eval_e2: "G\<turnstile>s1 \<midarrow>e2-\<succ>i\<rightarrow> s2" .
schirmer@12925
  2208
    have hyp_e1: "PROP ?TypeSafe (Norm s0) s1 (In1l e1) (In1 a)" .
schirmer@12925
  2209
    have hyp_e2: "PROP ?TypeSafe s1 s2 (In1l e2) (In1 i)" .
schirmer@12925
  2210
    have avar: "(v, s2') = avar G i a s2" .
schirmer@12925
  2211
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  2212
    have wt:  "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In2 (e1.[e2])\<Colon>T" .
schirmer@12925
  2213
    then obtain elemT
schirmer@12925
  2214
       where wt_e1: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e1\<Colon>-elemT.[]" and
schirmer@12925
  2215
             wt_e2: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e2\<Colon>-PrimT Integer" and
schirmer@12925
  2216
                 T: "T= Inl elemT"
schirmer@12925
  2217
      by (rule wt_elim_cases) auto
schirmer@12925
  2218
    from  conf_s0 wt_e1 hyp_e1 
schirmer@12925
  2219
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and
schirmer@12925
  2220
            conf_a: "(normal s1 \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>elemT.[])" and
schirmer@12925
  2221
            error_free_s1: "error_free s1"
schirmer@12925
  2222
      by force
schirmer@12925
  2223
    from conf_s1 error_free_s1 wt_e2 hyp_e2
schirmer@12925
  2224
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and error_free_s2: "error_free s2"
schirmer@12925
  2225
      by blast
schirmer@12925
  2226
    from avar 
schirmer@12925
  2227
    have "store s2'=store s2"
schirmer@12925
  2228
      by (cases s2) (simp add: avar_def2)
schirmer@12925
  2229
    with avar conf_s2 
schirmer@12925
  2230
    have conf_s2': "s2'\<Colon>\<preceq>(G, L)"
schirmer@12925
  2231
      by (cases s2) (auto simp add: avar_def2)
schirmer@12925
  2232
    from avar error_free_s2
schirmer@12925
  2233
    have error_free_s2': "error_free s2'"
schirmer@12925
  2234
      by (cases s2) (auto simp add: avar_def2 )
schirmer@12925
  2235
    have "normal s2' \<Longrightarrow> 
schirmer@12925
  2236
           G,store s2'\<turnstile>fst v\<Colon>\<preceq>elemT \<and> store s2'\<le>|snd v\<preceq>elemT\<Colon>\<preceq>(G, L)"
schirmer@12925
  2237
    proof -(*###AVar_lemma should be adjusted to be more directy applicable *)
schirmer@12925
  2238
      assume normal: "normal s2'"
schirmer@12925
  2239
      show ?thesis
schirmer@12925
  2240
      proof -
schirmer@12925
  2241
	obtain vv vf x1 store1 x2 store2 store2'
schirmer@12925
  2242
	   where  v: "v=(vv,vf)" and
schirmer@12925
  2243
                 s1: "s1=(x1,store1)" and
schirmer@12925
  2244
                 s2: "s2=(x2,store2)" and
schirmer@12925
  2245
	    store2': "store2'=store s2'"
schirmer@12925
  2246
	  by (cases v,cases s1, cases s2, cases s2') blast 
schirmer@12925
  2247
	have "G,store2'\<turnstile>vv\<Colon>\<preceq>elemT \<and> store2'\<le>|vf\<preceq>elemT\<Colon>\<preceq>(G, L)"
schirmer@12925
  2248
	proof (rule AVar_lemma [of G x1 store1 e2 i x2 store2 vv vf store2' a,
schirmer@12925
  2249
                                 OF wf])
schirmer@12925
  2250
	  from s1 s2 eval_e2 show "G\<turnstile>(x1, store1) \<midarrow>e2-\<succ>i\<rightarrow> (x2, store2)"
schirmer@12925
  2251
	    by simp
schirmer@12925
  2252
	  from v normal s2 store2' avar 
schirmer@12925
  2253
	  show "((vv, vf), Norm store2') = avar G i a (x2, store2)"
schirmer@12925
  2254
	    by auto
schirmer@12925
  2255
	  from s2 conf_s2 show "(x2, store2)\<Colon>\<preceq>(G, L)" by simp
schirmer@12925
  2256
	  from s1 conf_a show  "x1 = None \<longrightarrow> G,store1\<turnstile>a\<Colon>\<preceq>elemT.[]" by simp 
schirmer@12925
  2257
	  from eval_e2 s1 s2 show "store1\<le>|store2" by (auto dest: eval_gext)
schirmer@12925
  2258
	qed
schirmer@12925
  2259
	with v s1 s2 store2' 
schirmer@12925
  2260
	show ?thesis
schirmer@12925
  2261
	  by simp
schirmer@12925
  2262
      qed
schirmer@12925
  2263
    qed
schirmer@12925
  2264
    with conf_s2' error_free_s2' T 
schirmer@12925
  2265
    show "s2'\<Colon>\<preceq>(G, L) \<and>
schirmer@12925
  2266
           (normal s2' \<longrightarrow> G,L,store s2'\<turnstile>In2 (e1.[e2])\<succ>In2 v\<Colon>\<preceq>T) \<and>
schirmer@12925
  2267
           (error_free (Norm s0) = error_free s2') "
schirmer@12925
  2268
      by auto
schirmer@12925
  2269
  next
schirmer@12925
  2270
    case (Nil s0 L accC T)
schirmer@12925
  2271
    then show ?case
schirmer@12925
  2272
      by (auto elim!: wt_elim_cases)
schirmer@12925
  2273
  next
schirmer@12925
  2274
    case (Cons e es s0 s1 s2 v vs L accC T)
schirmer@12925
  2275
    have eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>v\<rightarrow> s1" .
schirmer@12925
  2276
    have eval_es: "G\<turnstile>s1 \<midarrow>es\<doteq>\<succ>vs\<rightarrow> s2" .
schirmer@12925
  2277
    have hyp_e: "PROP ?TypeSafe (Norm s0) s1 (In1l e) (In1 v)" .
schirmer@12925
  2278
    have hyp_es: "PROP ?TypeSafe s1 s2 (In3 es) (In3 vs)" .
schirmer@12925
  2279
    have conf_s0: "Norm s0\<Colon>\<preceq>(G, L)" .
schirmer@12925
  2280
    have wt: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>In3 (e # es)\<Colon>T" .
schirmer@12925
  2281
    then obtain eT esT where
schirmer@12925
  2282
       wt_e: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>e\<Colon>-eT" and
schirmer@12925
  2283
       wt_es: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>es\<Colon>\<doteq>esT" and
schirmer@12925
  2284
       T: "T=Inr (eT#esT)"
schirmer@12925
  2285
      by (rule wt_elim_cases) blast
schirmer@12925
  2286
    from hyp_e [OF conf_s0 wt_e]
schirmer@12925
  2287
    obtain conf_s1: "s1\<Colon>\<preceq>(G, L)" and error_free_s1: "error_free s1" and 
schirmer@12925
  2288
      conf_v: "normal s1 \<longrightarrow> G,store s1\<turnstile>v\<Colon>\<preceq>eT"
schirmer@12925
  2289
      by auto
schirmer@12925
  2290
    from eval_es conf_v 
schirmer@12925
  2291
    have conf_v': "normal s2 \<longrightarrow> G,store s2\<turnstile>v\<Colon>\<preceq>eT"
schirmer@12925
  2292
      apply clarify
schirmer@12925
  2293
      apply (rule conf_gext)
schirmer@12925
  2294
      apply (auto dest: eval_gext)
schirmer@12925
  2295
      done
schirmer@12925
  2296
    from hyp_es [OF conf_s1 wt_es] error_free_s1 
schirmer@12925
  2297
    obtain conf_s2: "s2\<Colon>\<preceq>(G, L)" and 
schirmer@12925
  2298
           error_free_s2: "error_free s2" and
schirmer@12925
  2299
           conf_vs: "normal s2 \<longrightarrow> list_all2 (conf G (store s2)) vs esT"
schirmer@12925
  2300
      by auto
schirmer@12925
  2301
    with conf_v' T
schirmer@12925
  2302
    show 
schirmer@12925
  2303
      "s2\<Colon>\<preceq>(G, L) \<and> 
schirmer@12925
  2304
      (normal s2 \<longrightarrow> G,L,store s2\<turnstile>In3 (e # es)\<succ>In3 (v # vs)\<Colon>\<preceq>T) \<and>
schirmer@12925
  2305
      (error_free (Norm s0) = error_free s2) "
schirmer@12925
  2306
      by auto
schirmer@12925
  2307
  qed
schirmer@12925
  2308
  then show ?thesis .
schirmer@12925
  2309
qed
schirmer@12925
  2310
 
schirmer@12925
  2311
corollary eval_ts: 
schirmer@12925
  2312
 "\<lbrakk>G\<turnstile>s \<midarrow>e-\<succ>v \<rightarrow> s'; wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-T\<rbrakk> 
schirmer@12925
  2313
\<Longrightarrow>  s'\<Colon>\<preceq>(G,L) \<and> (normal s' \<longrightarrow> G,store s'\<turnstile>v\<Colon>\<preceq>T) \<and> 
schirmer@12925
  2314
     (error_free s = error_free s')"
schirmer@12854
  2315
apply (drule (3) eval_type_sound)
schirmer@12854
  2316
apply clarsimp
schirmer@12854
  2317
done
schirmer@12854
  2318
schirmer@12925
  2319
corollary evals_ts: 
schirmer@12925
  2320
"\<lbrakk>G\<turnstile>s \<midarrow>es\<doteq>\<succ>vs\<rightarrow> s'; wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>es\<Colon>\<doteq>Ts\<rbrakk> 
schirmer@12925
  2321
\<Longrightarrow>  s'\<Colon>\<preceq>(G,L) \<and> (normal s' \<longrightarrow> list_all2 (conf G (store s')) vs Ts) \<and> 
schirmer@12925
  2322
     (error_free s = error_free s')" 
schirmer@12854
  2323
apply (drule (3) eval_type_sound)
schirmer@12854
  2324
apply clarsimp
schirmer@12854
  2325
done
schirmer@12854
  2326
schirmer@12925
  2327
corollary evar_ts: 
schirmer@12925
  2328
"\<lbrakk>G\<turnstile>s \<midarrow>v=\<succ>vf\<rightarrow> s'; wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>v\<Colon>=T\<rbrakk> \<Longrightarrow>  
schirmer@12925
  2329
  s'\<Colon>\<preceq>(G,L) \<and> (normal s' \<longrightarrow> G,L,(store s')\<turnstile>In2 v\<succ>In2 vf\<Colon>\<preceq>Inl T) \<and> 
schirmer@12925
  2330
  (error_free s = error_free s')"
schirmer@12854
  2331
apply (drule (3) eval_type_sound)
schirmer@12854
  2332
apply clarsimp
schirmer@12854
  2333
done
schirmer@12854
  2334
schirmer@12854
  2335
theorem exec_ts: 
schirmer@12925
  2336
"\<lbrakk>G\<turnstile>s \<midarrow>s0\<rightarrow> s'; wf_prog G; s\<Colon>\<preceq>(G,L); \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>s0\<Colon>\<surd>\<rbrakk> 
schirmer@12925
  2337
 \<Longrightarrow> s'\<Colon>\<preceq>(G,L) \<and> (error_free s \<longrightarrow> error_free s')"
schirmer@12854
  2338
apply (drule (3) eval_type_sound)
schirmer@12854
  2339
apply clarsimp
schirmer@12854
  2340
done
schirmer@12854
  2341
end