src/HOL/Bali/AxCompl.thy
author nipkow
Mon Sep 12 07:55:43 2011 +0200 (2011-09-12)
changeset 44890 22f665a2e91c
parent 42793 88bee9f6eec7
child 45605 a89b4bc311a5
permissions -rw-r--r--
new fastforce replacing fastsimp - less confusing name
wenzelm@12857
     1
(*  Title:      HOL/Bali/AxCompl.thy
schirmer@13688
     2
    Author:     David von Oheimb and Norbert Schirmer
schirmer@12854
     3
*)
schirmer@12854
     4
schirmer@12854
     5
header {*
schirmer@12854
     6
Completeness proof for Axiomatic semantics of Java expressions and statements
schirmer@12854
     7
*}
schirmer@12854
     8
haftmann@16417
     9
theory AxCompl imports AxSem begin
schirmer@12854
    10
schirmer@12854
    11
text {*
schirmer@12854
    12
design issues:
schirmer@12854
    13
\begin{itemize}
schirmer@12854
    14
\item proof structured by Most General Formulas (-> Thomas Kleymann)
schirmer@12854
    15
\end{itemize}
schirmer@12854
    16
*}
schirmer@12925
    17
schirmer@12925
    18
schirmer@12925
    19
schirmer@13688
    20
           
schirmer@12854
    21
section "set of not yet initialzed classes"
schirmer@12854
    22
wenzelm@37956
    23
definition
wenzelm@37956
    24
  nyinitcls :: "prog \<Rightarrow> state \<Rightarrow> qtname set"
wenzelm@37956
    25
  where "nyinitcls G s = {C. is_class G C \<and> \<not> initd C s}"
schirmer@12854
    26
schirmer@12854
    27
lemma nyinitcls_subset_class: "nyinitcls G s \<subseteq> {C. is_class G C}"
schirmer@12854
    28
apply (unfold nyinitcls_def)
schirmer@12854
    29
apply fast
schirmer@12854
    30
done
schirmer@12854
    31
schirmer@12854
    32
lemmas finite_nyinitcls [simp] =
schirmer@12854
    33
   finite_is_class [THEN nyinitcls_subset_class [THEN finite_subset], standard]
schirmer@12854
    34
schirmer@12854
    35
lemma card_nyinitcls_bound: "card (nyinitcls G s) \<le> card {C. is_class G C}"
schirmer@12854
    36
apply (rule nyinitcls_subset_class [THEN finite_is_class [THEN card_mono]])
schirmer@12854
    37
done
schirmer@12854
    38
schirmer@12854
    39
lemma nyinitcls_set_locals_cong [simp]: 
schirmer@12854
    40
  "nyinitcls G (x,set_locals l s) = nyinitcls G (x,s)"
schirmer@12854
    41
apply (unfold nyinitcls_def)
schirmer@12854
    42
apply (simp (no_asm))
schirmer@12854
    43
done
schirmer@12854
    44
schirmer@12854
    45
lemma nyinitcls_abrupt_cong [simp]: "nyinitcls G (f x, y) = nyinitcls G (x, y)"
schirmer@12854
    46
apply (unfold nyinitcls_def)
schirmer@12854
    47
apply (simp (no_asm))
schirmer@12854
    48
done
schirmer@12854
    49
schirmer@12854
    50
lemma nyinitcls_abupd_cong [simp]:"!!s. nyinitcls G (abupd f s) = nyinitcls G s"
schirmer@12854
    51
apply (unfold nyinitcls_def)
schirmer@12854
    52
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
    53
apply (simp (no_asm))
schirmer@12854
    54
done
schirmer@12854
    55
schirmer@12854
    56
lemma card_nyinitcls_abrupt_congE [elim!]: 
schirmer@12854
    57
        "card (nyinitcls G (x, s)) \<le> n \<Longrightarrow> card (nyinitcls G (y, s)) \<le> n"
schirmer@12854
    58
apply (unfold nyinitcls_def)
schirmer@12854
    59
apply auto
schirmer@12854
    60
done
schirmer@12854
    61
schirmer@12854
    62
lemma nyinitcls_new_xcpt_var [simp]: 
schirmer@12854
    63
"nyinitcls G (new_xcpt_var vn s) = nyinitcls G s"
schirmer@12854
    64
apply (unfold nyinitcls_def)
schirmer@12854
    65
apply (induct_tac "s")
schirmer@12854
    66
apply (simp (no_asm))
schirmer@12854
    67
done
schirmer@12854
    68
schirmer@12854
    69
lemma nyinitcls_init_lvars [simp]: 
schirmer@12854
    70
  "nyinitcls G ((init_lvars G C sig mode a' pvs) s) = nyinitcls G s"
schirmer@12854
    71
apply (induct_tac "s")
schirmer@12854
    72
apply (simp (no_asm) add: init_lvars_def2 split add: split_if)
schirmer@12854
    73
done
schirmer@12854
    74
schirmer@12854
    75
lemma nyinitcls_emptyD: "\<lbrakk>nyinitcls G s = {}; is_class G C\<rbrakk> \<Longrightarrow> initd C s"
schirmer@12854
    76
apply (unfold nyinitcls_def)
schirmer@12854
    77
apply fast
schirmer@12854
    78
done
schirmer@12854
    79
schirmer@13688
    80
lemma card_Suc_lemma: 
schirmer@13688
    81
  "\<lbrakk>card (insert a A) \<le> Suc n; a\<notin>A; finite A\<rbrakk> \<Longrightarrow> card A \<le> n"
schirmer@12854
    82
apply clarsimp
schirmer@12854
    83
done
schirmer@12854
    84
schirmer@12854
    85
lemma nyinitcls_le_SucD: 
schirmer@12854
    86
"\<lbrakk>card (nyinitcls G (x,s)) \<le> Suc n; \<not>inited C (globs s); class G C=Some y\<rbrakk> \<Longrightarrow> 
schirmer@12854
    87
  card (nyinitcls G (x,init_class_obj G C s)) \<le> n"
schirmer@12854
    88
apply (subgoal_tac 
schirmer@12854
    89
        "nyinitcls G (x,s) = insert C (nyinitcls G (x,init_class_obj G C s))")
schirmer@12854
    90
apply  clarsimp
berghofe@13601
    91
apply  (erule_tac V="nyinitcls G (x, s) = ?rhs" in thin_rl)
schirmer@12854
    92
apply  (rule card_Suc_lemma [OF _ _ finite_nyinitcls])
schirmer@12854
    93
apply   (auto dest!: not_initedD elim!: 
schirmer@12854
    94
              simp add: nyinitcls_def inited_def split add: split_if_asm)
schirmer@12854
    95
done
schirmer@12854
    96
schirmer@13688
    97
lemma inited_gext': "\<lbrakk>s\<le>|s';inited C (globs s)\<rbrakk> \<Longrightarrow> inited C (globs s')"
schirmer@13688
    98
by (rule inited_gext)
schirmer@12854
    99
schirmer@12854
   100
lemma nyinitcls_gext: "snd s\<le>|snd s' \<Longrightarrow> nyinitcls G s' \<subseteq> nyinitcls G s"
schirmer@12854
   101
apply (unfold nyinitcls_def)
schirmer@12854
   102
apply (force dest!: inited_gext')
schirmer@12854
   103
done
schirmer@12854
   104
schirmer@12854
   105
lemma card_nyinitcls_gext: 
schirmer@12854
   106
  "\<lbrakk>snd s\<le>|snd s'; card (nyinitcls G s) \<le> n\<rbrakk>\<Longrightarrow> card (nyinitcls G s') \<le> n"
schirmer@12854
   107
apply (rule le_trans)
schirmer@12854
   108
apply  (rule card_mono)
schirmer@12854
   109
apply   (rule finite_nyinitcls)
schirmer@12854
   110
apply  (erule nyinitcls_gext)
schirmer@12854
   111
apply assumption
schirmer@12854
   112
done
schirmer@12854
   113
schirmer@12854
   114
schirmer@12854
   115
section "init-le"
schirmer@12854
   116
wenzelm@37956
   117
definition
wenzelm@37956
   118
  init_le :: "prog \<Rightarrow> nat \<Rightarrow> state \<Rightarrow> bool" ("_\<turnstile>init\<le>_"  [51,51] 50)
wenzelm@37956
   119
  where "G\<turnstile>init\<le>n = (\<lambda>s. card (nyinitcls G s) \<le> n)"
schirmer@12854
   120
  
schirmer@12854
   121
lemma init_le_def2 [simp]: "(G\<turnstile>init\<le>n) s = (card (nyinitcls G s)\<le>n)"
schirmer@12854
   122
apply (unfold init_le_def)
schirmer@12854
   123
apply auto
schirmer@12854
   124
done
schirmer@12854
   125
schirmer@13688
   126
lemma All_init_leD: 
schirmer@13688
   127
 "\<forall>n::nat. G,(A::'a triple set)\<turnstile>{P \<and>. G\<turnstile>init\<le>n} t\<succ> {Q::'a assn} 
schirmer@13688
   128
  \<Longrightarrow> G,A\<turnstile>{P} t\<succ> {Q}"
schirmer@12854
   129
apply (drule spec)
schirmer@12854
   130
apply (erule conseq1)
schirmer@12854
   131
apply clarsimp
schirmer@12854
   132
apply (rule card_nyinitcls_bound)
schirmer@12854
   133
done
schirmer@12854
   134
schirmer@12854
   135
section "Most General Triples and Formulas"
schirmer@12854
   136
wenzelm@37956
   137
definition
wenzelm@37956
   138
  remember_init_state :: "state assn" ("\<doteq>")
wenzelm@37956
   139
  where "\<doteq> \<equiv> \<lambda>Y s Z. s = Z"
schirmer@12854
   140
schirmer@12854
   141
lemma remember_init_state_def2 [simp]: "\<doteq> Y = op ="
schirmer@12854
   142
apply (unfold remember_init_state_def)
schirmer@12854
   143
apply (simp (no_asm))
schirmer@12854
   144
done
schirmer@12854
   145
wenzelm@37956
   146
definition
schirmer@12854
   147
  MGF ::"[state assn, term, prog] \<Rightarrow> state triple"   ("{_} _\<succ> {_\<rightarrow>}"[3,65,3]62)
wenzelm@37956
   148
  where "{P} t\<succ> {G\<rightarrow>} = {P} t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}"
schirmer@12854
   149
wenzelm@37956
   150
definition
wenzelm@37956
   151
  MGFn :: "[nat, term, prog] \<Rightarrow> state triple" ("{=:_} _\<succ> {_\<rightarrow>}"[3,65,3]62)
wenzelm@37956
   152
  where "{=:n} t\<succ> {G\<rightarrow>} = {\<doteq> \<and>. G\<turnstile>init\<le>n} t\<succ> {G\<rightarrow>}"
schirmer@12854
   153
schirmer@12854
   154
(* unused *)
schirmer@12925
   155
lemma MGF_valid: "wf_prog G \<Longrightarrow> G,{}\<Turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
   156
apply (unfold MGF_def)
schirmer@12925
   157
apply (simp add:  ax_valids_def triple_valid_def2)
schirmer@12925
   158
apply (auto elim: evaln_eval)
schirmer@12854
   159
done
schirmer@12854
   160
schirmer@12925
   161
schirmer@12854
   162
lemma MGF_res_eq_lemma [simp]: 
schirmer@12854
   163
  "(\<forall>Y' Y s. Y = Y' \<and> P s \<longrightarrow> Q s) = (\<forall>s. P s \<longrightarrow> Q s)"
schirmer@12854
   164
apply auto
schirmer@12854
   165
done
schirmer@12854
   166
schirmer@12854
   167
lemma MGFn_def2: 
schirmer@12854
   168
"G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>} = G,A\<turnstile>{\<doteq> \<and>. G\<turnstile>init\<le>n} 
schirmer@12854
   169
                    t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}"
schirmer@12854
   170
apply (unfold MGFn_def MGF_def)
schirmer@12854
   171
apply fast
schirmer@12854
   172
done
schirmer@12854
   173
schirmer@13688
   174
lemma MGF_MGFn_iff: 
schirmer@13688
   175
"G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>} = (\<forall>n. G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>})"
schirmer@12854
   176
apply (simp (no_asm_use) add: MGFn_def2 MGF_def)
schirmer@12854
   177
apply safe
schirmer@12854
   178
apply  (erule_tac [2] All_init_leD)
schirmer@12854
   179
apply (erule conseq1)
schirmer@12854
   180
apply clarsimp
schirmer@12854
   181
done
schirmer@12854
   182
schirmer@12854
   183
lemma MGFnD: 
schirmer@13688
   184
"G,(A::state triple set)\<turnstile>{=:n} t\<succ> {G\<rightarrow>} \<Longrightarrow>  
schirmer@12854
   185
 G,A\<turnstile>{(\<lambda>Y' s' s. s' = s           \<and> P s) \<and>. G\<turnstile>init\<le>n}  
schirmer@12854
   186
 t\<succ>  {(\<lambda>Y' s' s. G\<turnstile>s\<midarrow>t\<succ>\<rightarrow>(Y',s') \<and> P s) \<and>. G\<turnstile>init\<le>n}"
schirmer@12854
   187
apply (unfold init_le_def)
schirmer@12854
   188
apply (simp (no_asm_use) add: MGFn_def2)
schirmer@12854
   189
apply (erule conseq12)
schirmer@12854
   190
apply clarsimp
schirmer@12854
   191
apply (erule (1) eval_gext [THEN card_nyinitcls_gext])
schirmer@12854
   192
done
schirmer@12854
   193
lemmas MGFnD' = MGFnD [of _ _ _ _ "\<lambda>x. True"] 
schirmer@12854
   194
schirmer@13688
   195
text {* To derive the most general formula, we can always assume a normal
schirmer@13688
   196
state in the precondition, since abrupt cases can be handled uniformally by
schirmer@13688
   197
the abrupt rule.
schirmer@13688
   198
*}
schirmer@12854
   199
lemma MGFNormalI: "G,A\<turnstile>{Normal \<doteq>} t\<succ> {G\<rightarrow>} \<Longrightarrow>  
schirmer@12854
   200
  G,(A::state triple set)\<turnstile>{\<doteq>::state assn} t\<succ> {G\<rightarrow>}"
schirmer@12854
   201
apply (unfold MGF_def)
schirmer@12854
   202
apply (rule ax_Normal_cases)
schirmer@12854
   203
apply  (erule conseq1)
schirmer@12854
   204
apply  clarsimp
schirmer@12854
   205
apply (rule ax_derivs.Abrupt [THEN conseq1])
schirmer@12854
   206
apply (clarsimp simp add: Let_def)
schirmer@12854
   207
done
schirmer@12854
   208
schirmer@13688
   209
lemma MGFNormalD: 
schirmer@13688
   210
"G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>} \<Longrightarrow> G,A\<turnstile>{Normal \<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
   211
apply (unfold MGF_def)
schirmer@12854
   212
apply (erule conseq1)
schirmer@12854
   213
apply clarsimp
schirmer@12854
   214
done
schirmer@12854
   215
schirmer@13688
   216
text {* Additionally to @{text MGFNormalI}, we also expand the definition of 
schirmer@13688
   217
the most general formula here *} 
schirmer@12854
   218
lemma MGFn_NormalI: 
schirmer@12854
   219
"G,(A::state triple set)\<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n)}t\<succ> 
schirmer@12854
   220
 {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')} \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@12854
   221
apply (simp (no_asm_use) add: MGFn_def2)
schirmer@12854
   222
apply (rule ax_Normal_cases)
schirmer@12854
   223
apply  (erule conseq1)
schirmer@12854
   224
apply  clarsimp
schirmer@12854
   225
apply (rule ax_derivs.Abrupt [THEN conseq1])
schirmer@12854
   226
apply (clarsimp simp add: Let_def)
schirmer@12854
   227
done
schirmer@12854
   228
schirmer@13688
   229
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   230
welltyped terms, since all others can be uniformally handled by the hazard
schirmer@13688
   231
rule. *} 
schirmer@12854
   232
lemma MGFn_free_wt: 
schirmer@12854
   233
  "(\<exists>T L C. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T) 
schirmer@12854
   234
    \<longrightarrow> G,(A::state triple set)\<turnstile>{=:n} t\<succ> {G\<rightarrow>} 
schirmer@12854
   235
   \<Longrightarrow> G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@12854
   236
apply (rule MGFn_NormalI)
schirmer@12854
   237
apply (rule ax_free_wt)
schirmer@12854
   238
apply (auto elim: conseq12 simp add: MGFn_def MGF_def)
schirmer@12854
   239
done
schirmer@12854
   240
schirmer@13688
   241
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   242
welltyped terms and assume that the state in the precondition conforms to the
schirmer@13688
   243
environment. All type violations can be uniformally handled by the hazard
schirmer@13688
   244
rule. *} 
schirmer@12925
   245
lemma MGFn_free_wt_NormalConformI: 
schirmer@13688
   246
"(\<forall> T L C . \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T 
schirmer@12925
   247
  \<longrightarrow> G,(A::state triple set)
schirmer@12925
   248
      \<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n) \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))}
schirmer@12925
   249
      t\<succ> 
schirmer@12925
   250
      {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}) 
schirmer@12925
   251
 \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@12925
   252
apply (rule MGFn_NormalI)
schirmer@12925
   253
apply (rule ax_no_hazard)
schirmer@12925
   254
apply (rule ax_escape)
schirmer@12925
   255
apply (intro strip)
schirmer@12925
   256
apply (simp only: type_ok_def peek_and_def)
schirmer@12925
   257
apply (erule conjE)+
schirmer@13688
   258
apply (erule exE,erule exE, erule exE, erule exE,erule conjE,drule (1) mp,
schirmer@13688
   259
       erule conjE)
schirmer@12925
   260
apply (drule spec,drule spec, drule spec, drule (1) mp)
schirmer@12925
   261
apply (erule conseq12)
schirmer@12925
   262
apply blast
schirmer@12925
   263
done
schirmer@12925
   264
schirmer@13688
   265
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   266
welltyped terms and assume that the state in the precondition conforms to the
schirmer@13688
   267
environment and that the term is definetly assigned with respect to this state.
schirmer@13688
   268
All type violations can be uniformally handled by the hazard rule. *} 
schirmer@13688
   269
lemma MGFn_free_wt_da_NormalConformI: 
schirmer@13688
   270
"(\<forall> T L C B. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T
schirmer@13688
   271
  \<longrightarrow> G,(A::state triple set)
schirmer@13688
   272
      \<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n) \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))
schirmer@13688
   273
        \<and>. (\<lambda> s. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>dom (locals (store s))\<guillemotright>t\<guillemotright>B)}
schirmer@13688
   274
      t\<succ> 
schirmer@13688
   275
      {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}) 
schirmer@13688
   276
 \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@13688
   277
apply (rule MGFn_NormalI)
schirmer@13688
   278
apply (rule ax_no_hazard)
schirmer@13688
   279
apply (rule ax_escape)
schirmer@13688
   280
apply (intro strip)
schirmer@13688
   281
apply (simp only: type_ok_def peek_and_def)
schirmer@13688
   282
apply (erule conjE)+
schirmer@13688
   283
apply (erule exE,erule exE, erule exE, erule exE,erule conjE,drule (1) mp,
schirmer@13688
   284
       erule conjE)
schirmer@13688
   285
apply (drule spec,drule spec, drule spec,drule spec, drule (1) mp)
schirmer@13688
   286
apply (erule conseq12)
schirmer@13688
   287
apply blast
schirmer@13688
   288
done
schirmer@12854
   289
schirmer@12854
   290
section "main lemmas"
schirmer@12854
   291
schirmer@13688
   292
lemma MGFn_Init: 
schirmer@13688
   293
 assumes mgf_hyp: "\<forall>m. Suc m\<le>n \<longrightarrow> (\<forall>t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>})"
schirmer@13688
   294
 shows "G,(A::state triple set)\<turnstile>{=:n} \<langle>Init C\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   295
proof (rule MGFn_free_wt [rule_format],elim exE,rule MGFn_NormalI)
schirmer@13688
   296
  fix T L accC
schirmer@13688
   297
  assume "\<lparr>prg=G, cls=accC, lcl= L\<rparr>\<turnstile>\<langle>Init C\<rangle>\<^sub>s\<Colon>T"
schirmer@13688
   298
  hence is_cls: "is_class G C"
schirmer@13688
   299
    by cases simp
schirmer@13688
   300
  show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)} 
schirmer@13688
   301
            .Init C.
schirmer@13688
   302
            {\<lambda>Y s' s. G\<turnstile>s \<midarrow>\<langle>Init C\<rangle>\<^sub>s\<succ>\<rightarrow> (Y, s')}"
schirmer@13688
   303
       (is "G,A\<turnstile>{Normal ?P} .Init C. {?R}")
schirmer@13688
   304
  proof (rule ax_cases [where ?C="initd C"])
schirmer@13688
   305
    show "G,A\<turnstile>{Normal ?P  \<and>. initd C} .Init C. {?R}"
nipkow@44890
   306
      by (rule ax_derivs.Done [THEN conseq1]) (fastforce intro: init_done)
schirmer@13688
   307
  next
schirmer@13688
   308
    have "G,A\<turnstile>{Normal (?P  \<and>. Not \<circ> initd C)} .Init C. {?R}" 
schirmer@13688
   309
    proof (cases n)
schirmer@13688
   310
      case 0
schirmer@13688
   311
      with is_cls
schirmer@13688
   312
      show ?thesis
nipkow@44890
   313
        by - (rule ax_impossible [THEN conseq1],fastforce dest: nyinitcls_emptyD)
schirmer@13688
   314
    next
schirmer@13688
   315
      case (Suc m)
schirmer@13688
   316
      with mgf_hyp have mgf_hyp': "\<And> t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>}"
wenzelm@32960
   317
        by simp
schirmer@13688
   318
      from is_cls obtain c where c: "the (class G C) = c"
wenzelm@32960
   319
        by auto
schirmer@13688
   320
      let ?Q= "(\<lambda>Y s' (x,s) . 
schirmer@13688
   321
          G\<turnstile> (x,init_class_obj G C s) 
schirmer@13688
   322
             \<midarrow> (if C=Object then Skip else Init (super (the (class G C))))\<rightarrow> s'
schirmer@13688
   323
          \<and> x=None \<and> \<not>inited C (globs s)) \<and>. G\<turnstile>init\<le>m"
schirmer@13688
   324
      from c
schirmer@13688
   325
      show ?thesis
schirmer@13688
   326
      proof (rule ax_derivs.Init [where ?Q="?Q"])
wenzelm@32960
   327
        let ?P' = "Normal ((\<lambda>Y s' s. s' = supd (init_class_obj G C) s 
schirmer@13688
   328
                           \<and> normal s \<and> \<not> initd C s) \<and>. G\<turnstile>init\<le>m)" 
wenzelm@32960
   329
        show "G,A\<turnstile>{Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))}
schirmer@13688
   330
                  .(if C = Object then Skip else Init (super c)). 
schirmer@13688
   331
                  {?Q}"
wenzelm@32960
   332
        proof (rule conseq1 [where ?P'="?P'"])
wenzelm@32960
   333
          show "G,A\<turnstile>{?P'} .(if C = Object then Skip else Init (super c)). {?Q}"
wenzelm@32960
   334
          proof (cases "C=Object")
wenzelm@32960
   335
            case True
wenzelm@32960
   336
            have "G,A\<turnstile>{?P'} .Skip. {?Q}"
wenzelm@32960
   337
              by (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
   338
                 (auto simp add: True intro: eval.Skip)
schirmer@13688
   339
            with True show ?thesis 
wenzelm@32960
   340
              by simp
wenzelm@32960
   341
          next
wenzelm@32960
   342
            case False
wenzelm@32960
   343
            from mgf_hyp'
wenzelm@32960
   344
            have "G,A\<turnstile>{?P'} .Init (super c). {?Q}"
nipkow@44890
   345
              by (rule MGFnD' [THEN conseq12]) (fastforce simp add: False c)
wenzelm@32960
   346
            with False show ?thesis
wenzelm@32960
   347
              by simp
wenzelm@32960
   348
          qed
wenzelm@32960
   349
        next
wenzelm@32960
   350
          from Suc is_cls
wenzelm@32960
   351
          show "Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))
schirmer@13688
   352
                \<Rightarrow> ?P'"
nipkow@44890
   353
            by (fastforce elim: nyinitcls_le_SucD)
wenzelm@32960
   354
        qed
schirmer@13688
   355
      next
wenzelm@32960
   356
        from mgf_hyp'
wenzelm@32960
   357
        show "\<forall>l. G,A\<turnstile>{?Q \<and>. (\<lambda>s. l = locals (snd s)) ;. set_lvars empty} 
schirmer@13688
   358
                      .init c.
schirmer@13688
   359
                      {set_lvars l .; ?R}"
wenzelm@32960
   360
          apply (rule MGFnD' [THEN conseq12, THEN allI])
wenzelm@32960
   361
          apply (clarsimp simp add: split_paired_all)
wenzelm@32960
   362
          apply (rule eval.Init [OF c])
wenzelm@32960
   363
          apply (insert c)
wenzelm@32960
   364
          apply auto
wenzelm@32960
   365
          done
schirmer@13688
   366
      qed
schirmer@13688
   367
    qed
schirmer@13688
   368
    thus "G,A\<turnstile>{Normal ?P  \<and>. Not \<circ> initd C} .Init C. {?R}"
schirmer@13688
   369
      by clarsimp
schirmer@13688
   370
  qed
schirmer@13688
   371
qed
schirmer@12854
   372
lemmas MGFn_InitD = MGFn_Init [THEN MGFnD, THEN ax_NormalD]
schirmer@12854
   373
schirmer@12854
   374
lemma MGFn_Call: 
schirmer@13688
   375
  assumes mgf_methds: 
schirmer@13688
   376
           "\<forall>C sig. G,(A::state triple set)\<turnstile>{=:n} \<langle>(Methd C sig)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   377
  and mgf_e: "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   378
  and mgf_ps: "G,A\<turnstile>{=:n} \<langle>ps\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
schirmer@13688
   379
  and wf: "wf_prog G"
schirmer@13688
   380
  shows "G,A\<turnstile>{=:n} \<langle>{accC,statT,mode}e\<cdot>mn({pTs'}ps)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   381
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp) 
schirmer@13688
   382
  note inj_term_simps [simp]
schirmer@13688
   383
  fix T L accC' E
schirmer@13688
   384
  assume wt: "\<lparr>prg=G,cls=accC',lcl = L\<rparr>\<turnstile>\<langle>({accC,statT,mode}e\<cdot>mn( {pTs'}ps))\<rangle>\<^sub>e\<Colon>T"
schirmer@13688
   385
  then obtain pTs statDeclT statM where
schirmer@13688
   386
                 wt_e: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT" and
schirmer@13688
   387
              wt_args: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>ps\<Colon>\<doteq>pTs" and
schirmer@13688
   388
                statM: "max_spec G accC statT \<lparr>name=mn,parTs=pTs\<rparr> 
schirmer@13688
   389
                         = {((statDeclT,statM),pTs')}" and
schirmer@13688
   390
                 mode: "mode = invmode statM e" and
schirmer@13688
   391
                    T: "T =Inl (resTy statM)" and
schirmer@13688
   392
        eq_accC_accC': "accC=accC'"
nipkow@44890
   393
        by cases fastforce+
schirmer@13688
   394
  let ?Q="(\<lambda>Y s1 (x,s) . x = None \<and> 
schirmer@13688
   395
              (\<exists>a. G\<turnstile>Norm s \<midarrow>e-\<succ>a\<rightarrow> s1 \<and> 
schirmer@13688
   396
                   (normal s1 \<longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT)
schirmer@13688
   397
                   \<and> Y = In1 a) \<and> 
schirmer@13688
   398
              (\<exists> P. normal s1
schirmer@13688
   399
                  \<longrightarrow> \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile>dom (locals (store s1))\<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright>P)) 
schirmer@13688
   400
          \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))::state assn"
schirmer@13688
   401
  let ?R="\<lambda>a. ((\<lambda>Y (x2,s2) (x,s) . x = None \<and> 
schirmer@13688
   402
                (\<exists>s1 pvs. G\<turnstile>Norm s \<midarrow>e-\<succ>a\<rightarrow> s1 \<and> 
schirmer@13688
   403
                          (normal s1 \<longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT)\<and> 
schirmer@13688
   404
                          Y = \<lfloor>pvs\<rfloor>\<^sub>l \<and> G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>pvs\<rightarrow> (x2,s2))) 
schirmer@13688
   405
               \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L)))::state assn"
schirmer@12925
   406
schirmer@13688
   407
  show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   408
                     (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   409
                     (\<lambda>s. \<lparr>prg=G, cls=accC',lcl=L\<rparr> \<turnstile> dom (locals (store s)) 
schirmer@13688
   410
                           \<guillemotright> \<langle>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)\<rangle>\<^sub>e\<guillemotright> E))}
schirmer@13688
   411
             {accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>
schirmer@13688
   412
             {\<lambda>Y s' s. \<exists>v. Y = \<lfloor>v\<rfloor>\<^sub>e \<and> 
schirmer@13688
   413
                           G\<turnstile>s \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v\<rightarrow> s'}"
schirmer@13688
   414
    (is "G,A\<turnstile>{Normal ?P} {accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ> {?S}")
schirmer@13688
   415
  proof (rule ax_derivs.Call [where ?Q="?Q" and ?R="?R"])
schirmer@13688
   416
    from mgf_e
schirmer@13688
   417
    show "G,A\<turnstile>{Normal ?P} e-\<succ> {?Q}"
schirmer@13688
   418
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   419
      fix s0 s1 a
schirmer@13688
   420
      assume conf_s0: "Norm s0\<Colon>\<preceq>(G, L)"
schirmer@13688
   421
      assume da: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> 
schirmer@13688
   422
                     dom (locals s0) \<guillemotright>\<langle>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
   423
      assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
schirmer@13688
   424
      show "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT) \<and>
schirmer@13688
   425
            (abrupt s1 = None \<longrightarrow>
schirmer@13688
   426
              (\<exists>P. \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P))
schirmer@13688
   427
            \<and> s1\<Colon>\<preceq>(G, L)"
schirmer@13688
   428
      proof -
wenzelm@32960
   429
        from da obtain C where
wenzelm@32960
   430
          da_e:  "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>
schirmer@13688
   431
                    dom (locals (store ((Norm s0)::state)))\<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> C" and
wenzelm@32960
   432
          da_ps: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> nrm C \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> E" 
wenzelm@32960
   433
          by cases (simp add: eq_accC_accC')
wenzelm@32960
   434
        from eval_e conf_s0 wt_e da_e wf
wenzelm@32960
   435
        obtain "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT)"
wenzelm@32960
   436
          and  "s1\<Colon>\<preceq>(G, L)"
wenzelm@32960
   437
          by (rule eval_type_soundE) simp
wenzelm@32960
   438
        moreover
wenzelm@32960
   439
        {
wenzelm@32960
   440
          assume normal_s1: "normal s1"
wenzelm@32960
   441
          have "\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
wenzelm@32960
   442
          proof -
wenzelm@32960
   443
            from eval_e wt_e da_e wf normal_s1
wenzelm@32960
   444
            have "nrm C \<subseteq>  dom (locals (store s1))"
wenzelm@32960
   445
              by (cases rule: da_good_approxE') iprover
wenzelm@32960
   446
            with da_ps show ?thesis
wenzelm@32960
   447
              by (rule da_weakenE) iprover
wenzelm@32960
   448
          qed
wenzelm@32960
   449
        }
wenzelm@32960
   450
        ultimately show ?thesis
wenzelm@32960
   451
          using eq_accC_accC' by simp
schirmer@13688
   452
      qed
schirmer@13688
   453
    qed
schirmer@13688
   454
  next
schirmer@13688
   455
    show "\<forall>a. G,A\<turnstile>{?Q\<leftarrow>In1 a} ps\<doteq>\<succ> {?R a}" (is "\<forall> a. ?PS a")
schirmer@13688
   456
    proof 
schirmer@13688
   457
      fix a  
schirmer@13688
   458
      show "?PS a"
schirmer@13688
   459
      proof (rule MGFnD' [OF mgf_ps, THEN conseq12],
schirmer@13688
   460
             clarsimp simp add: eq_accC_accC' [symmetric])
wenzelm@32960
   461
        fix s0 s1 s2 vs
wenzelm@32960
   462
        assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
wenzelm@32960
   463
        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
wenzelm@32960
   464
        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
wenzelm@32960
   465
        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
wenzelm@32960
   466
        assume da_ps: "abrupt s1 = None \<longrightarrow> 
schirmer@13688
   467
                       (\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> 
schirmer@13688
   468
                               dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P)"
wenzelm@32960
   469
        show "(\<exists>s1. G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1 \<and>
schirmer@13688
   470
                (abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT) \<and>
schirmer@13688
   471
                G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2) \<and>
schirmer@13688
   472
              s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   473
        proof (cases "normal s1")
wenzelm@32960
   474
          case True
wenzelm@32960
   475
          with da_ps obtain P where
wenzelm@32960
   476
           "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
wenzelm@32960
   477
            by auto
wenzelm@32960
   478
          from eval_ps conf_s1 wt_args this wf
wenzelm@32960
   479
          have "s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   480
            by (rule eval_type_soundE)
wenzelm@32960
   481
          with eval_e conf_a eval_ps 
wenzelm@32960
   482
          show ?thesis 
wenzelm@32960
   483
            by auto
wenzelm@32960
   484
        next
wenzelm@32960
   485
          case False
wenzelm@32960
   486
          with eval_ps have "s2=s1" by auto
wenzelm@32960
   487
          with eval_e conf_a eval_ps conf_s1 
wenzelm@32960
   488
          show ?thesis 
wenzelm@32960
   489
            by auto
wenzelm@32960
   490
        qed
schirmer@13688
   491
      qed
schirmer@13688
   492
    qed
schirmer@13688
   493
  next
schirmer@13688
   494
    show "\<forall>a vs invC declC l.
schirmer@13688
   495
      G,A\<turnstile>{?R a\<leftarrow>\<lfloor>vs\<rfloor>\<^sub>l \<and>.
schirmer@13688
   496
             (\<lambda>s. declC =
schirmer@13688
   497
                  invocation_declclass G mode (store s) a statT
schirmer@13688
   498
                      \<lparr>name=mn, parTs=pTs'\<rparr> \<and>
schirmer@13688
   499
                  invC = invocation_class mode (store s) a statT \<and>
schirmer@13688
   500
                  l = locals (store s)) ;.
schirmer@13688
   501
             init_lvars G declC \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs \<and>.
schirmer@13688
   502
             (\<lambda>s. normal s \<longrightarrow> G\<turnstile>mode\<rightarrow>invC\<preceq>statT)}
schirmer@13688
   503
          Methd declC \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ> 
schirmer@13688
   504
          {set_lvars l .; ?S}" 
schirmer@13688
   505
      (is "\<forall> a vs invC declC l. ?METHD a vs invC declC l")
schirmer@13688
   506
    proof (intro allI)
schirmer@13688
   507
      fix a vs invC declC l
schirmer@13688
   508
      from mgf_methds [rule_format]
schirmer@13688
   509
      show "?METHD a vs invC declC l"
schirmer@13688
   510
      proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   511
        fix s4 s2 s1::state
wenzelm@32960
   512
        fix s0 v
wenzelm@32960
   513
        let ?D= "invocation_declclass G mode (store s2) a statT 
schirmer@13688
   514
                    \<lparr>name=mn,parTs=pTs'\<rparr>"
wenzelm@32960
   515
        let ?s3= "init_lvars G ?D \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs s2"
wenzelm@32960
   516
        assume inv_prop: "abrupt ?s3=None 
schirmer@13688
   517
             \<longrightarrow> G\<turnstile>mode\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
wenzelm@32960
   518
        assume conf_s2: "s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   519
        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
wenzelm@32960
   520
        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
wenzelm@32960
   521
        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
wenzelm@32960
   522
        assume eval_mthd: "G\<turnstile>?s3 \<midarrow>Methd ?D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
wenzelm@32960
   523
        show "G\<turnstile>Norm s0 \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v
schirmer@13688
   524
                        \<rightarrow> (set_lvars (locals (store s2))) s4"
wenzelm@32960
   525
        proof -
wenzelm@32960
   526
          obtain D where D: "D=?D" by simp
wenzelm@32960
   527
          obtain s3 where s3: "s3=?s3" by simp
wenzelm@32960
   528
          obtain s3' where 
wenzelm@32960
   529
            s3': "s3' = check_method_access G accC statT mode 
schirmer@13688
   530
                           \<lparr>name=mn,parTs=pTs'\<rparr> a s3"
wenzelm@32960
   531
            by simp
wenzelm@32960
   532
          have eq_s3'_s3: "s3'=s3"
wenzelm@32960
   533
          proof -
wenzelm@32960
   534
            from inv_prop s3 mode
wenzelm@32960
   535
            have "normal s3 \<Longrightarrow> 
schirmer@13688
   536
             G\<turnstile>invmode statM e\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
wenzelm@32960
   537
              by auto
wenzelm@32960
   538
            with eval_ps wt_e statM conf_s2 conf_a [rule_format] 
wenzelm@32960
   539
            have "check_method_access G accC statT (invmode statM e)
schirmer@13688
   540
                      \<lparr>name=mn,parTs=pTs'\<rparr> a s3 = s3"
wenzelm@32960
   541
              by (rule error_free_call_access) (auto simp add: s3 mode wf)
wenzelm@32960
   542
            thus ?thesis 
wenzelm@32960
   543
              by (simp add: s3' mode)
wenzelm@32960
   544
          qed
wenzelm@32960
   545
          with eval_mthd D s3
wenzelm@32960
   546
          have "G\<turnstile>s3' \<midarrow>Methd D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
wenzelm@32960
   547
            by simp
wenzelm@32960
   548
          with eval_e eval_ps D _ s3' 
wenzelm@32960
   549
          show ?thesis
wenzelm@32960
   550
            by (rule eval_Call) (auto simp add: s3 mode D)
wenzelm@32960
   551
        qed
schirmer@13688
   552
      qed
schirmer@13688
   553
    qed
schirmer@13688
   554
  qed
schirmer@13688
   555
qed
wenzelm@32960
   556
                  
schirmer@13688
   557
lemma eval_expression_no_jump':
schirmer@13688
   558
  assumes eval: "G\<turnstile>s0 \<midarrow>e-\<succ>v\<rightarrow> s1"
schirmer@13688
   559
  and   no_jmp: "abrupt s0 \<noteq> Some (Jump j)"
schirmer@13688
   560
  and      wt: "\<lparr>prg=G, cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-T" 
schirmer@13688
   561
  and      wf: "wf_prog G"
schirmer@13688
   562
shows "abrupt s1 \<noteq> Some (Jump j)"
schirmer@13688
   563
using eval no_jmp wt wf
schirmer@13688
   564
by - (rule eval_expression_no_jump 
schirmer@13688
   565
            [where ?Env="\<lparr>prg=G, cls=C,lcl=L\<rparr>",simplified],auto)
schirmer@12854
   566
schirmer@13688
   567
schirmer@13688
   568
text {* To derive the most general formula for the loop statement, we need to
schirmer@13688
   569
come up with a proper loop invariant, which intuitively states that we are 
schirmer@13688
   570
currently inside the evaluation of the loop. To define such an invariant, we
schirmer@13688
   571
unroll the loop in iterated evaluations of the expression and evaluations of
schirmer@13688
   572
the loop body. *}
schirmer@13688
   573
wenzelm@37956
   574
definition
wenzelm@37956
   575
  unroll :: "prog \<Rightarrow> label \<Rightarrow> expr \<Rightarrow> stmt \<Rightarrow> (state \<times>  state) set" where
wenzelm@37956
   576
  "unroll G l e c = {(s,t). \<exists> v s1 s2.
schirmer@13688
   577
                             G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s1 \<and> the_Bool v \<and> normal s1 \<and>
schirmer@13688
   578
                             G\<turnstile>s1 \<midarrow>c\<rightarrow> s2 \<and> t=(abupd (absorb (Cont l)) s2)}"
schirmer@13688
   579
schirmer@13688
   580
schirmer@13688
   581
lemma unroll_while:
schirmer@13688
   582
  assumes unroll: "(s, t) \<in> (unroll G l e c)\<^sup>*"
schirmer@13688
   583
  and     eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'" 
schirmer@13688
   584
  and     normal_termination: "normal s'  \<longrightarrow> \<not> the_Bool v"
schirmer@13688
   585
  and     wt: "\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-T"
schirmer@13688
   586
  and     wf: "wf_prog G" 
schirmer@13688
   587
  shows "G\<turnstile>s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   588
using unroll (* normal_s *)
schirmer@13688
   589
proof (induct rule: converse_rtrancl_induct) 
schirmer@13688
   590
  show "G\<turnstile>t \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   591
  proof (cases "normal t")
schirmer@13688
   592
    case False
schirmer@13688
   593
    with eval_e have "s'=t" by auto
schirmer@13688
   594
    with False show ?thesis by auto
schirmer@13688
   595
  next
schirmer@13688
   596
    case True
schirmer@13688
   597
    note normal_t = this
schirmer@13688
   598
    show ?thesis
schirmer@13688
   599
    proof (cases "normal s'")
schirmer@13688
   600
      case True
schirmer@13688
   601
      with normal_t eval_e normal_termination
schirmer@13688
   602
      show ?thesis
wenzelm@32960
   603
        by (auto intro: eval.Loop)
schirmer@13688
   604
    next
schirmer@13688
   605
      case False
schirmer@13688
   606
      note abrupt_s' = this
schirmer@13688
   607
      from eval_e _ wt wf
schirmer@13688
   608
      have no_cont: "abrupt s' \<noteq> Some (Jump (Cont l))"
wenzelm@32960
   609
        by (rule eval_expression_no_jump') (insert normal_t,simp)
schirmer@13688
   610
      have
wenzelm@32960
   611
        "if the_Bool v 
schirmer@13688
   612
             then (G\<turnstile>s' \<midarrow>c\<rightarrow> s' \<and> 
schirmer@13688
   613
                   G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s')
wenzelm@32960
   614
             else s' = s'"
schirmer@13688
   615
      proof (cases "the_Bool v")
wenzelm@32960
   616
        case False thus ?thesis by simp
schirmer@13688
   617
      next
wenzelm@32960
   618
        case True
wenzelm@32960
   619
        with abrupt_s' have "G\<turnstile>s' \<midarrow>c\<rightarrow> s'" by auto
wenzelm@32960
   620
        moreover from abrupt_s' no_cont 
wenzelm@32960
   621
        have no_absorb: "(abupd (absorb (Cont l)) s')=s'"
wenzelm@32960
   622
          by (cases s') (simp add: absorb_def split: split_if)
wenzelm@32960
   623
        moreover
wenzelm@32960
   624
        from no_absorb abrupt_s'
wenzelm@32960
   625
        have "G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   626
          by auto
wenzelm@32960
   627
        ultimately show ?thesis
wenzelm@32960
   628
          using True by simp
schirmer@13688
   629
      qed
schirmer@13688
   630
      with eval_e 
schirmer@13688
   631
      show ?thesis
wenzelm@32960
   632
        using normal_t by (auto intro: eval.Loop)
schirmer@13688
   633
    qed
schirmer@13688
   634
  qed
schirmer@13688
   635
next
schirmer@13688
   636
  fix s s3
schirmer@13688
   637
  assume unroll: "(s,s3) \<in> unroll G l e c"
schirmer@13688
   638
  assume while: "G\<turnstile>s3 \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   639
  show "G\<turnstile>s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   640
  proof -
schirmer@13688
   641
    from unroll obtain v s1 s2 where
schirmer@13688
   642
      normal_s1: "normal s1" and
schirmer@13688
   643
      eval_e: "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s1" and
schirmer@13688
   644
      continue: "the_Bool v" and
schirmer@13688
   645
      eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" and
schirmer@13688
   646
      s3: "s3=(abupd (absorb (Cont l)) s2)"
schirmer@13688
   647
      by  (unfold unroll_def) fast 
schirmer@13688
   648
    from eval_e normal_s1 have
schirmer@13688
   649
      "normal s"
schirmer@13688
   650
      by (rule eval_no_abrupt_lemma [rule_format])
schirmer@13688
   651
    with while eval_e continue eval_c s3 show ?thesis
schirmer@13688
   652
      by (auto intro!: eval.Loop)
schirmer@13688
   653
  qed
schirmer@13688
   654
qed
schirmer@12854
   655
schirmer@13688
   656
lemma MGFn_Loop:
schirmer@13688
   657
  assumes mfg_e: "G,(A::state triple set)\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   658
  and     mfg_c: "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   659
  and     wf: "wf_prog G" 
schirmer@13688
   660
shows "G,A\<turnstile>{=:n} \<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   661
proof (rule MGFn_free_wt [rule_format],elim exE)
schirmer@13688
   662
  fix T L C
schirmer@13688
   663
  assume wt: "\<lparr>prg = G, cls = C, lcl = L\<rparr>\<turnstile>\<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<Colon>T"
schirmer@13688
   664
  then obtain eT where
schirmer@13688
   665
    wt_e: "\<lparr>prg = G, cls = C, lcl = L\<rparr>\<turnstile>e\<Colon>-eT" 
schirmer@13688
   666
    by cases simp
schirmer@13688
   667
  show ?thesis
schirmer@13688
   668
  proof (rule MGFn_NormalI)
schirmer@13688
   669
    show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)} 
schirmer@13688
   670
              .l\<bullet> While(e) c.
schirmer@13688
   671
              {\<lambda>Y s' s. G\<turnstile>s \<midarrow>In1r (l\<bullet> While(e) c)\<succ>\<rightarrow> (Y, s')}"
schirmer@13688
   672
    proof (rule conseq12 
schirmer@13688
   673
           [where ?P'="(\<lambda> Y s' s. (s,s') \<in> (unroll G l e c)\<^sup>* ) \<and>. G\<turnstile>init\<le>n"
schirmer@13688
   674
             and  ?Q'="((\<lambda> Y s' s. (\<exists> t b. (s,t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   675
                          Y=\<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   676
                        \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>"])
schirmer@13688
   677
      show  "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
schirmer@13688
   678
                  .l\<bullet> While(e) c.
schirmer@13688
   679
                 {((\<lambda>Y s' s. (\<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   680
                                  Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   681
                              \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>}"
schirmer@13688
   682
      proof (rule ax_derivs.Loop)
wenzelm@32960
   683
        from mfg_e
wenzelm@32960
   684
        show "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
schirmer@13688
   685
                   e-\<succ>
schirmer@13688
   686
                  {(\<lambda>Y s' s. (\<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   687
                                     Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   688
                   \<and>. G\<turnstile>init\<le>n}"
wenzelm@32960
   689
        proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   690
          fix s Z s' v
wenzelm@32960
   691
          assume "(Z, s) \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   692
          moreover
wenzelm@32960
   693
          assume "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s'"
wenzelm@32960
   694
          ultimately
wenzelm@32960
   695
          show "\<exists>t. (Z, t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'"
wenzelm@32960
   696
            by blast
wenzelm@32960
   697
        qed
schirmer@13688
   698
      next
wenzelm@32960
   699
        from mfg_c
wenzelm@32960
   700
        show "G,A\<turnstile>{Normal (((\<lambda>Y s' s. \<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and>
schirmer@13688
   701
                                       Y = \<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s') 
schirmer@13688
   702
                          \<and>. G\<turnstile>init\<le>n)\<leftarrow>=True)}
schirmer@13688
   703
                  .c.
schirmer@13688
   704
                  {abupd (absorb (Cont l)) .;
schirmer@13688
   705
                   ((\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n)}"
wenzelm@32960
   706
        proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   707
          fix Z s' s v t
wenzelm@32960
   708
          assume unroll: "(Z, t) \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   709
          assume eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> Norm s" 
wenzelm@32960
   710
          assume true: "the_Bool v"
wenzelm@32960
   711
          assume eval_c: "G\<turnstile>Norm s \<midarrow>c\<rightarrow> s'"
wenzelm@32960
   712
          show "(Z, abupd (absorb (Cont l)) s') \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   713
          proof -
wenzelm@32960
   714
            note unroll
wenzelm@32960
   715
            also
wenzelm@32960
   716
            from eval_e true eval_c
wenzelm@32960
   717
            have "(t,abupd (absorb (Cont l)) s') \<in> unroll G l e c" 
wenzelm@32960
   718
              by (unfold unroll_def) force
wenzelm@32960
   719
            ultimately show ?thesis ..
wenzelm@32960
   720
          qed
wenzelm@32960
   721
        qed
schirmer@13688
   722
      qed
schirmer@13688
   723
    next
schirmer@13688
   724
      show 
wenzelm@32960
   725
        "\<forall>Y s Z.
schirmer@13688
   726
         (Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)) Y s Z 
schirmer@13688
   727
         \<longrightarrow> (\<forall>Y' s'.
schirmer@13688
   728
               (\<forall>Y Z'. 
schirmer@13688
   729
                 ((\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n) Y s Z' 
schirmer@13688
   730
                 \<longrightarrow> (((\<lambda>Y s' s. \<exists>t b. (s,t) \<in> (unroll G l e c)\<^sup>* 
schirmer@13688
   731
                                       \<and> Y=\<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s') 
schirmer@13688
   732
                     \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>) Y' s' Z') 
schirmer@13688
   733
               \<longrightarrow> G\<turnstile>Z \<midarrow>\<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ>\<rightarrow> (Y', s'))"
schirmer@13688
   734
      proof (clarsimp)
wenzelm@32960
   735
        fix Y' s' s
wenzelm@32960
   736
        assume asm:
wenzelm@32960
   737
          "\<forall>Z'. (Z', Norm s) \<in> (unroll G l e c)\<^sup>* 
schirmer@13688
   738
                 \<longrightarrow> card (nyinitcls G s') \<le> n \<and>
schirmer@13688
   739
                     (\<exists>v. (\<exists>t. (Z', t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s') \<and>
schirmer@13688
   740
                     (fst s' = None \<longrightarrow> \<not> the_Bool v)) \<and> Y' = \<diamondsuit>"
wenzelm@32960
   741
        show "Y' = \<diamondsuit> \<and> G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   742
        proof -
wenzelm@32960
   743
          from asm obtain v t where 
wenzelm@32960
   744
            -- {* @{term "Z'"} gets instantiated with @{term "Norm s"} *}  
wenzelm@32960
   745
            unroll: "(Norm s, t) \<in> (unroll G l e c)\<^sup>*" and
schirmer@13688
   746
            eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'" and
schirmer@13688
   747
            normal_termination: "normal s' \<longrightarrow> \<not> the_Bool v" and
wenzelm@32960
   748
             Y': "Y' = \<diamondsuit>"
wenzelm@32960
   749
            by auto
wenzelm@32960
   750
          from unroll eval_e normal_termination wt_e wf
wenzelm@32960
   751
          have "G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   752
            by (rule unroll_while)
wenzelm@32960
   753
          with Y' 
wenzelm@32960
   754
          show ?thesis
wenzelm@32960
   755
            by simp
wenzelm@32960
   756
        qed
schirmer@13688
   757
      qed
schirmer@13688
   758
    qed
schirmer@13688
   759
  qed
schirmer@13688
   760
qed
schirmer@12854
   761
schirmer@12925
   762
lemma MGFn_FVar:
schirmer@13688
   763
  fixes A :: "state triple set"
schirmer@13688
   764
 assumes mgf_init: "G,A\<turnstile>{=:n} \<langle>Init statDeclC\<rangle>\<^sub>s\<succ> {G\<rightarrow>}" 
schirmer@13688
   765
  and    mgf_e: "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   766
  and    wf: "wf_prog G"
schirmer@13688
   767
  shows "G,A\<turnstile>{=:n} \<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
schirmer@13688
   768
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp) 
schirmer@13688
   769
  note inj_term_simps [simp]
schirmer@13688
   770
  fix T L accC' V
schirmer@13688
   771
  assume wt: "\<lparr>prg = G, cls = accC', lcl = L\<rparr>\<turnstile>\<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<Colon>T"
schirmer@13688
   772
  then obtain statC f where
schirmer@13688
   773
    wt_e: "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@13688
   774
    accfield: "accfield G accC' statC fn = Some (statDeclC,f )" and
schirmer@13688
   775
    eq_accC: "accC=accC'" and
schirmer@13688
   776
    stat: "stat=is_static  f"
schirmer@13688
   777
    by (cases) (auto simp add: member_is_static_simp)
schirmer@13688
   778
  let ?Q="(\<lambda>Y s1 (x,s) . x = None \<and> 
schirmer@13688
   779
                (G\<turnstile>Norm s \<midarrow>Init statDeclC\<rightarrow> s1) \<and>
schirmer@13688
   780
                (\<exists> E. \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile>dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E))
schirmer@13688
   781
                \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))"
schirmer@13688
   782
  show "G,A\<turnstile>{Normal
schirmer@13688
   783
             ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   784
              (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   785
              (\<lambda>s. \<lparr>prg=G,cls=accC',lcl=L\<rparr>
schirmer@13688
   786
                 \<turnstile> dom (locals (store s)) \<guillemotright> \<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<guillemotright> V))
schirmer@13688
   787
             } {accC,statDeclC,stat}e..fn=\<succ>
schirmer@13688
   788
             {\<lambda>Y s' s. \<exists>vf. Y = \<lfloor>vf\<rfloor>\<^sub>v \<and> 
schirmer@13688
   789
                        G\<turnstile>s \<midarrow>{accC,statDeclC,stat}e..fn=\<succ>vf\<rightarrow> s'}"
schirmer@13688
   790
    (is "G,A\<turnstile>{Normal ?P} {accC,statDeclC,stat}e..fn=\<succ> {?R}")
schirmer@13688
   791
  proof (rule ax_derivs.FVar [where ?Q="?Q" ])
schirmer@13688
   792
    from mgf_init
schirmer@13688
   793
    show "G,A\<turnstile>{Normal ?P} .Init statDeclC. {?Q}"
schirmer@13688
   794
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   795
      fix s s'
schirmer@13688
   796
      assume conf_s: "Norm s\<Colon>\<preceq>(G, L)"
schirmer@13688
   797
      assume da: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>
schirmer@13688
   798
                    \<turnstile> dom (locals s) \<guillemotright>\<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<guillemotright> V"
schirmer@13688
   799
      assume eval_init: "G\<turnstile>Norm s \<midarrow>Init statDeclC\<rightarrow> s'"
schirmer@13688
   800
      show "(\<exists>E. \<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E) \<and>
schirmer@13688
   801
            s'\<Colon>\<preceq>(G, L)"
schirmer@13688
   802
      proof -
wenzelm@32960
   803
        from da 
wenzelm@32960
   804
        obtain E where
wenzelm@32960
   805
          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals s) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
wenzelm@32960
   806
          by cases simp
wenzelm@32960
   807
        moreover
wenzelm@32960
   808
        from eval_init
wenzelm@32960
   809
        have "dom (locals s) \<subseteq> dom (locals (store s'))"
wenzelm@32960
   810
          by (rule dom_locals_eval_mono [elim_format]) simp
wenzelm@32960
   811
        ultimately obtain E' where
wenzelm@32960
   812
          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E'"
wenzelm@32960
   813
          by (rule da_weakenE)
wenzelm@32960
   814
        moreover
wenzelm@32960
   815
        have "s'\<Colon>\<preceq>(G, L)"
wenzelm@32960
   816
        proof -
wenzelm@32960
   817
          have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init statDeclC)\<Colon>\<surd>"
wenzelm@32960
   818
          proof -
wenzelm@32960
   819
            from wf wt_e 
wenzelm@32960
   820
            have iscls_statC: "is_class G statC"
wenzelm@32960
   821
              by (auto dest: ty_expr_is_type type_is_class)
wenzelm@32960
   822
            with wf accfield 
wenzelm@32960
   823
            have iscls_statDeclC: "is_class G statDeclC"
wenzelm@32960
   824
              by (auto dest!: accfield_fields dest: fields_declC)
wenzelm@32960
   825
            thus ?thesis by simp
wenzelm@32960
   826
          qed
wenzelm@32960
   827
          obtain I where 
wenzelm@32960
   828
            da_init: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>
schirmer@13688
   829
               \<turnstile> dom (locals (store ((Norm s)::state))) \<guillemotright>\<langle>Init statDeclC\<rangle>\<^sub>s\<guillemotright> I"
wenzelm@32960
   830
            by (auto intro: da_Init [simplified] assigned.select_convs)
wenzelm@32960
   831
          from eval_init conf_s wt_init da_init  wf
wenzelm@32960
   832
          show ?thesis
wenzelm@32960
   833
            by (rule eval_type_soundE)
wenzelm@32960
   834
        qed
wenzelm@32960
   835
        ultimately show ?thesis by iprover
schirmer@13688
   836
      qed
schirmer@13688
   837
    qed
schirmer@13688
   838
  next
schirmer@13688
   839
    from mgf_e
schirmer@13688
   840
    show "G,A\<turnstile>{?Q} e-\<succ> {\<lambda>Val:a:. fvar statDeclC stat fn a ..; ?R}"
schirmer@13688
   841
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   842
      fix s0 s1 s2 E a
schirmer@13688
   843
      let ?fvar = "fvar statDeclC stat fn a s2"
schirmer@13688
   844
      assume eval_init: "G\<turnstile>Norm s0 \<midarrow>Init statDeclC\<rightarrow> s1"
schirmer@13688
   845
      assume eval_e: "G\<turnstile>s1 \<midarrow>e-\<succ>a\<rightarrow> s2"
schirmer@13688
   846
      assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
schirmer@13688
   847
      assume da_e: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
   848
      show "G\<turnstile>Norm s0 \<midarrow>{accC,statDeclC,stat}e..fn=\<succ>fst ?fvar\<rightarrow> snd ?fvar"
schirmer@13688
   849
      proof -
wenzelm@32960
   850
        obtain v s2' where
wenzelm@32960
   851
          v: "v=fst ?fvar" and s2': "s2'=snd ?fvar"
wenzelm@32960
   852
          by simp
wenzelm@32960
   853
        obtain s3 where
wenzelm@32960
   854
          s3: "s3= check_field_access G accC' statDeclC fn stat a s2'"
wenzelm@32960
   855
          by simp
wenzelm@32960
   856
        have eq_s3_s2': "s3=s2'"
wenzelm@32960
   857
        proof -
wenzelm@32960
   858
          from eval_e conf_s1 wt_e da_e wf obtain
wenzelm@32960
   859
            conf_s2: "s2\<Colon>\<preceq>(G, L)"  and
wenzelm@32960
   860
            conf_a: "normal s2 \<Longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC"
wenzelm@32960
   861
            by (rule eval_type_soundE) simp
wenzelm@32960
   862
          from accfield wt_e eval_init eval_e conf_s2 conf_a _ wf
wenzelm@32960
   863
          show ?thesis
wenzelm@32960
   864
            by (rule  error_free_field_access 
schirmer@13688
   865
                      [where ?v=v and ?s2'=s2',elim_format])
wenzelm@32960
   866
               (simp add: s3 v s2' stat)+
schirmer@13688
   867
        qed
wenzelm@32960
   868
        from eval_init eval_e 
wenzelm@32960
   869
        show ?thesis
wenzelm@32960
   870
          apply (rule eval.FVar [where ?s2'=s2'])
wenzelm@32960
   871
          apply  (simp add: s2')
wenzelm@32960
   872
          apply  (simp add: s3 [symmetric]   eq_s3_s2' eq_accC s2' [symmetric])
wenzelm@32960
   873
          done
schirmer@13688
   874
      qed
schirmer@13688
   875
    qed
schirmer@13688
   876
  qed
schirmer@13688
   877
qed
schirmer@12925
   878
schirmer@13337
   879
schirmer@13688
   880
lemma MGFn_Fin:
schirmer@13688
   881
  assumes wf: "wf_prog G" 
schirmer@13688
   882
  and     mgf_c1: "G,A\<turnstile>{=:n} \<langle>c1\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   883
  and     mgf_c2: "G,A\<turnstile>{=:n} \<langle>c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   884
  shows "G,(A\<Colon>state triple set)\<turnstile>{=:n} \<langle>c1 Finally c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   885
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp)
schirmer@13688
   886
  fix T L accC C 
schirmer@13688
   887
  assume wt: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>In1r (c1 Finally c2)\<Colon>T"
schirmer@13688
   888
  then obtain
schirmer@13688
   889
    wt_c1: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c1\<Colon>\<surd>" and
schirmer@13688
   890
    wt_c2: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c2\<Colon>\<surd>"
schirmer@13688
   891
    by cases simp
schirmer@13688
   892
  let  ?Q = "(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>c1\<rightarrow> s' \<and> 
schirmer@13688
   893
               (\<exists> C1. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s)) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1)
schirmer@13688
   894
               \<and> s\<Colon>\<preceq>(G, L)) 
schirmer@13688
   895
             \<and>. G\<turnstile>init\<le>n"
schirmer@13688
   896
  show "G,A\<turnstile>{Normal
schirmer@13688
   897
              ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   898
              (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   899
              (\<lambda>s. \<lparr>prg=G,cls=accC,lcl =L\<rparr>  
schirmer@13688
   900
                     \<turnstile>dom (locals (store s)) \<guillemotright>\<langle>c1 Finally c2\<rangle>\<^sub>s\<guillemotright> C))}
schirmer@13688
   901
             .c1 Finally c2. 
schirmer@13688
   902
             {\<lambda>Y s' s. Y = \<diamondsuit> \<and> G\<turnstile>s \<midarrow>c1 Finally c2\<rightarrow> s'}"
schirmer@13688
   903
    (is "G,A\<turnstile>{Normal ?P} .c1 Finally c2. {?R}")
schirmer@13688
   904
  proof (rule ax_derivs.Fin [where ?Q="?Q"])
schirmer@13688
   905
    from mgf_c1
schirmer@13688
   906
    show "G,A\<turnstile>{Normal ?P} .c1. {?Q}"
schirmer@13688
   907
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   908
      fix s0
schirmer@13688
   909
      assume "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1 Finally c2\<rangle>\<^sub>s\<guillemotright> C"
schirmer@13688
   910
      thus "\<exists>C1. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1"
wenzelm@32960
   911
        by cases (auto simp add: inj_term_simps)
schirmer@13688
   912
    qed
schirmer@13688
   913
  next
schirmer@13688
   914
    from mgf_c2
schirmer@13688
   915
    show "\<forall>abr. G,A\<turnstile>{?Q \<and>. (\<lambda>s. abr = abrupt s) ;. abupd (\<lambda>abr. None)} .c2.
schirmer@13688
   916
          {abupd (abrupt_if (abr \<noteq> None) abr) .; ?R}"
schirmer@13688
   917
    proof (rule MGFnD' [THEN conseq12, THEN allI],clarsimp)
schirmer@13688
   918
      fix s0 s1 s2 C1
schirmer@13688
   919
      assume da_c1:"\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1"
schirmer@13688
   920
      assume conf_s0: "Norm s0\<Colon>\<preceq>(G, L)"
schirmer@13688
   921
      assume eval_c1: "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> s1"
schirmer@13688
   922
      assume eval_c2: "G\<turnstile>abupd (\<lambda>abr. None) s1 \<midarrow>c2\<rightarrow> s2"
schirmer@13688
   923
      show "G\<turnstile>Norm s0 \<midarrow>c1 Finally c2
schirmer@13688
   924
               \<rightarrow> abupd (abrupt_if (\<exists>y. abrupt s1 = Some y) (abrupt s1)) s2"
schirmer@13688
   925
      proof -
wenzelm@32960
   926
        obtain abr1 str1 where s1: "s1=(abr1,str1)"
wenzelm@32960
   927
          by (cases s1)
wenzelm@32960
   928
        with eval_c1 eval_c2 obtain
wenzelm@32960
   929
          eval_c1': "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> (abr1,str1)" and
wenzelm@32960
   930
          eval_c2': "G\<turnstile>Norm str1 \<midarrow>c2\<rightarrow> s2"
wenzelm@32960
   931
          by simp
wenzelm@32960
   932
        obtain s3 where 
wenzelm@32960
   933
          s3: "s3 = (if \<exists>err. abr1 = Some (Error err) 
wenzelm@32960
   934
                        then (abr1, str1)
schirmer@13688
   935
                        else abupd (abrupt_if (abr1 \<noteq> None) abr1) s2)"
wenzelm@32960
   936
          by simp
wenzelm@32960
   937
        from eval_c1' conf_s0 wt_c1 _ wf 
wenzelm@32960
   938
        have "error_free (abr1,str1)"
wenzelm@32960
   939
          by (rule eval_type_soundE) (insert da_c1,auto)
wenzelm@32960
   940
        with s3 have eq_s3: "s3=abupd (abrupt_if (abr1 \<noteq> None) abr1) s2"
wenzelm@32960
   941
          by (simp add: error_free_def)
wenzelm@32960
   942
        from eval_c1' eval_c2' s3
wenzelm@32960
   943
        show ?thesis
wenzelm@32960
   944
          by (rule eval.Fin [elim_format]) (simp add: s1 eq_s3)
schirmer@13688
   945
      qed
schirmer@13688
   946
    qed 
schirmer@13688
   947
  qed
schirmer@13688
   948
qed
schirmer@13688
   949
      
schirmer@13688
   950
lemma Body_no_break:
schirmer@13688
   951
 assumes eval_init: "G\<turnstile>Norm s0 \<midarrow>Init D\<rightarrow> s1" 
schirmer@13688
   952
   and      eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" 
schirmer@13688
   953
   and       jmpOk: "jumpNestingOkS {Ret} c"
schirmer@13688
   954
   and        wt_c: "\<lparr>prg=G, cls=C, lcl=L\<rparr>\<turnstile>c\<Colon>\<surd>"
schirmer@13688
   955
   and        clsD: "class G D=Some d"
schirmer@13688
   956
   and          wf: "wf_prog G" 
schirmer@13688
   957
  shows "\<forall> l. abrupt s2 \<noteq> Some (Jump (Break l)) \<and> 
schirmer@13688
   958
              abrupt s2 \<noteq> Some (Jump (Cont l))"
schirmer@13688
   959
proof
schirmer@13688
   960
  fix l show "abrupt s2 \<noteq> Some (Jump (Break l)) \<and>  
schirmer@13688
   961
              abrupt s2 \<noteq> Some (Jump (Cont l))"
schirmer@13688
   962
  proof -
wenzelm@26932
   963
    fix accC from clsD have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init D)\<Colon>\<surd>"
schirmer@13688
   964
      by auto
schirmer@13688
   965
    from eval_init wf
schirmer@13688
   966
    have s1_no_jmp: "\<And> j. abrupt s1 \<noteq> Some (Jump j)"
schirmer@13688
   967
      by - (rule eval_statement_no_jump [OF _ _ _ wt_init],auto)
schirmer@13688
   968
    from eval_c _ wt_c wf
schirmer@13688
   969
    show ?thesis
schirmer@13688
   970
      apply (rule jumpNestingOk_eval [THEN conjE, elim_format])
schirmer@13688
   971
      using jmpOk s1_no_jmp
schirmer@13688
   972
      apply auto
schirmer@13688
   973
      done
schirmer@13688
   974
  qed
schirmer@13688
   975
qed
schirmer@12854
   976
schirmer@13688
   977
lemma MGFn_Body:
schirmer@13688
   978
  assumes wf: "wf_prog G"
schirmer@13688
   979
  and     mgf_init: "G,A\<turnstile>{=:n} \<langle>Init D\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   980
  and     mgf_c: "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   981
  shows  "G,(A\<Colon>state triple set)\<turnstile>{=:n} \<langle>Body D c\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   982
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp)
schirmer@13688
   983
  fix T L accC E
schirmer@13688
   984
  assume wt: "\<lparr>prg=G, cls=accC,lcl=L\<rparr>\<turnstile>\<langle>Body D c\<rangle>\<^sub>e\<Colon>T"
schirmer@13688
   985
  let ?Q="(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>Init D\<rightarrow> s' \<and> jumpNestingOkS {Ret} c) 
schirmer@13688
   986
          \<and>. G\<turnstile>init\<le>n" 
schirmer@13688
   987
  show "G,A\<turnstile>{Normal
schirmer@13688
   988
               ((\<lambda>Y' s' s. s' = s \<and> fst s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   989
                (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   990
                (\<lambda>s. \<lparr>prg=G,cls=accC,lcl=L\<rparr>
schirmer@13688
   991
                       \<turnstile> dom (locals (store s)) \<guillemotright>\<langle>Body D c\<rangle>\<^sub>e\<guillemotright> E))}
schirmer@13688
   992
             Body D c-\<succ> 
schirmer@13688
   993
             {\<lambda>Y s' s. \<exists>v. Y = In1 v \<and> G\<turnstile>s \<midarrow>Body D c-\<succ>v\<rightarrow> s'}"
schirmer@13688
   994
    (is "G,A\<turnstile>{Normal ?P} Body D c-\<succ> {?R}")
schirmer@13688
   995
  proof (rule ax_derivs.Body [where ?Q="?Q"])
schirmer@13688
   996
    from mgf_init
schirmer@13688
   997
    show "G,A\<turnstile>{Normal ?P} .Init D. {?Q}"
schirmer@13688
   998
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   999
      fix s0
schirmer@13688
  1000
      assume da: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>Body D c\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
  1001
      thus "jumpNestingOkS {Ret} c"
wenzelm@32960
  1002
        by cases simp
schirmer@13688
  1003
    qed
schirmer@13688
  1004
  next
schirmer@13688
  1005
    from mgf_c
schirmer@13688
  1006
    show "G,A\<turnstile>{?Q}.c.{\<lambda>s.. abupd (absorb Ret) .; ?R\<leftarrow>\<lfloor>the (locals s Result)\<rfloor>\<^sub>e}"
schirmer@13688
  1007
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
  1008
      fix s0 s1 s2
schirmer@13688
  1009
      assume eval_init: "G\<turnstile>Norm s0 \<midarrow>Init D\<rightarrow> s1"
schirmer@13688
  1010
      assume eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2"
schirmer@13688
  1011
      assume nestingOk: "jumpNestingOkS {Ret} c"
schirmer@13688
  1012
      show "G\<turnstile>Norm s0 \<midarrow>Body D c-\<succ>the (locals (store s2) Result)
schirmer@13688
  1013
              \<rightarrow> abupd (absorb Ret) s2"
schirmer@13688
  1014
      proof -
wenzelm@32960
  1015
        from wt obtain d where 
schirmer@13688
  1016
          d: "class G D=Some d" and
schirmer@13688
  1017
          wt_c: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>"
wenzelm@32960
  1018
          by cases auto
wenzelm@32960
  1019
        obtain s3 where 
wenzelm@32960
  1020
          s3: "s3= (if \<exists>l. fst s2 = Some (Jump (Break l)) \<or>
schirmer@13688
  1021
                           fst s2 = Some (Jump (Cont l))
schirmer@13688
  1022
                       then abupd (\<lambda>x. Some (Error CrossMethodJump)) s2 
schirmer@13688
  1023
                       else s2)"
wenzelm@32960
  1024
          by simp
wenzelm@32960
  1025
        from eval_init eval_c nestingOk wt_c d wf
wenzelm@32960
  1026
        have eq_s3_s2: "s3=s2"
wenzelm@32960
  1027
          by (rule Body_no_break [elim_format]) (simp add: s3)
wenzelm@32960
  1028
        from eval_init eval_c s3
wenzelm@32960
  1029
        show ?thesis
wenzelm@32960
  1030
          by (rule eval.Body [elim_format]) (simp add: eq_s3_s2)
schirmer@13688
  1031
      qed
schirmer@13688
  1032
    qed
schirmer@13688
  1033
  qed
schirmer@13688
  1034
qed
schirmer@13337
  1035
schirmer@13688
  1036
lemma MGFn_lemma:
schirmer@13688
  1037
  assumes mgf_methds: 
schirmer@13688
  1038
           "\<And> n. \<forall> C sig. G,(A::state triple set)\<turnstile>{=:n} \<langle>Methd C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
  1039
  and wf: "wf_prog G"
schirmer@13688
  1040
  shows "\<And> t. G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1041
proof (induct rule: full_nat_induct)
schirmer@13688
  1042
  fix n t
schirmer@13688
  1043
  assume hyp: "\<forall> m. Suc m \<le> n \<longrightarrow> (\<forall> t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>})"
schirmer@13688
  1044
  show "G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1045
  proof -
schirmer@13688
  1046
  { 
schirmer@13688
  1047
    fix v e c es
schirmer@13688
  1048
    have "G,A\<turnstile>{=:n} \<langle>v\<rangle>\<^sub>v\<succ> {G\<rightarrow>}" and 
schirmer@13688
  1049
      "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}" and
schirmer@13688
  1050
      "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}" and  
schirmer@13688
  1051
      "G,A\<turnstile>{=:n} \<langle>es\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@18459
  1052
    proof (induct rule: var_expr_stmt.inducts)
schirmer@13688
  1053
      case (LVar v)
schirmer@13688
  1054
      show "G,A\<turnstile>{=:n} \<langle>LVar v\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
wenzelm@32960
  1055
        apply (rule MGFn_NormalI)
wenzelm@32960
  1056
        apply (rule ax_derivs.LVar [THEN conseq1])
wenzelm@32960
  1057
        apply (clarsimp)
wenzelm@32960
  1058
        apply (rule eval.LVar)
wenzelm@32960
  1059
        done
schirmer@13688
  1060
    next
schirmer@13688
  1061
      case (FVar accC statDeclC stat e fn)
wenzelm@23366
  1062
      from MGFn_Init [OF hyp] and `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}` and wf
schirmer@13688
  1063
      show ?case
wenzelm@32960
  1064
        by (rule MGFn_FVar)
schirmer@13688
  1065
    next
schirmer@13688
  1066
      case (AVar e1 e2)
wenzelm@23366
  1067
      note mgf_e1 = `G,A\<turnstile>{=:n} \<langle>e1\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1068
      note mgf_e2 = `G,A\<turnstile>{=:n} \<langle>e2\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
schirmer@13688
  1069
      show "G,A\<turnstile>{=:n} \<langle>e1.[e2]\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
wenzelm@32960
  1070
        apply (rule MGFn_NormalI)
wenzelm@32960
  1071
        apply (rule ax_derivs.AVar)
wenzelm@32960
  1072
        apply  (rule MGFnD [OF mgf_e1, THEN ax_NormalD])
wenzelm@32960
  1073
        apply (rule allI)
wenzelm@32960
  1074
        apply (rule MGFnD' [OF mgf_e2, THEN conseq12])
nipkow@44890
  1075
        apply (fastforce intro: eval.AVar)
wenzelm@32960
  1076
        done
schirmer@13688
  1077
    next
schirmer@13688
  1078
      case (InsInitV c v)
schirmer@13688
  1079
      show ?case
wenzelm@32960
  1080
        by (rule MGFn_NormalI) (rule ax_derivs.InsInitV)
schirmer@13688
  1081
    next
schirmer@13688
  1082
      case (NewC C)
schirmer@13688
  1083
      show ?case
wenzelm@32960
  1084
        apply (rule MGFn_NormalI)
wenzelm@32960
  1085
        apply (rule ax_derivs.NewC)
wenzelm@32960
  1086
        apply (rule MGFn_InitD [OF hyp, THEN conseq2])
nipkow@44890
  1087
        apply (fastforce intro: eval.NewC)
wenzelm@32960
  1088
        done
schirmer@13688
  1089
    next
schirmer@13688
  1090
      case (NewA T e)
schirmer@13688
  1091
      thus ?case
wenzelm@32960
  1092
        apply -
wenzelm@32960
  1093
        apply (rule MGFn_NormalI) 
wenzelm@32960
  1094
        apply (rule ax_derivs.NewA 
schirmer@13688
  1095
               [where ?Q = "(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>In1r (init_comp_ty T) 
schirmer@13688
  1096
                              \<succ>\<rightarrow> (Y',s')) \<and>. G\<turnstile>init\<le>n"])
wenzelm@32960
  1097
        apply  (simp add: init_comp_ty_def split add: split_if)
wenzelm@32960
  1098
        apply  (rule conjI, clarsimp)
wenzelm@32960
  1099
        apply   (rule MGFn_InitD [OF hyp, THEN conseq2])
wenzelm@32960
  1100
        apply   (clarsimp intro: eval.Init)
wenzelm@32960
  1101
        apply  clarsimp
wenzelm@32960
  1102
        apply  (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
  1103
        apply  (clarsimp intro: eval.Skip)
wenzelm@32960
  1104
        apply (erule MGFnD' [THEN conseq12])
nipkow@44890
  1105
        apply (fastforce intro: eval.NewA)
wenzelm@32960
  1106
        done
schirmer@13688
  1107
    next
schirmer@13688
  1108
      case (Cast C e)
schirmer@13688
  1109
      thus ?case
wenzelm@32960
  1110
        apply -
wenzelm@32960
  1111
        apply (rule MGFn_NormalI)
wenzelm@32960
  1112
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Cast])
nipkow@44890
  1113
        apply (fastforce intro: eval.Cast)
wenzelm@32960
  1114
        done
schirmer@13688
  1115
    next
schirmer@13688
  1116
      case (Inst e C)
schirmer@13688
  1117
      thus ?case
wenzelm@32960
  1118
        apply -
wenzelm@32960
  1119
        apply (rule MGFn_NormalI)
wenzelm@32960
  1120
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Inst])
nipkow@44890
  1121
        apply (fastforce intro: eval.Inst)
wenzelm@32960
  1122
        done
schirmer@13688
  1123
    next
schirmer@13688
  1124
      case (Lit v)
schirmer@13688
  1125
      show ?case
wenzelm@32960
  1126
        apply -
wenzelm@32960
  1127
        apply (rule MGFn_NormalI)
wenzelm@32960
  1128
        apply (rule ax_derivs.Lit [THEN conseq1])
nipkow@44890
  1129
        apply (fastforce intro: eval.Lit)
wenzelm@32960
  1130
        done
schirmer@13688
  1131
    next
schirmer@13688
  1132
      case (UnOp unop e)
schirmer@13688
  1133
      thus ?case
wenzelm@32960
  1134
        apply -
wenzelm@32960
  1135
        apply (rule MGFn_NormalI)
wenzelm@32960
  1136
        apply (rule ax_derivs.UnOp)
wenzelm@32960
  1137
        apply (erule MGFnD' [THEN conseq12])
nipkow@44890
  1138
        apply (fastforce intro: eval.UnOp)
wenzelm@32960
  1139
        done
schirmer@13688
  1140
    next
schirmer@13688
  1141
      case (BinOp binop e1 e2)
schirmer@13688
  1142
      thus ?case
wenzelm@32960
  1143
        apply -
wenzelm@32960
  1144
        apply (rule MGFn_NormalI)
wenzelm@32960
  1145
        apply (rule ax_derivs.BinOp)
wenzelm@32960
  1146
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1147
        apply (rule allI)
wenzelm@32960
  1148
        apply (case_tac "need_second_arg binop v1")
wenzelm@32960
  1149
        apply  simp
wenzelm@32960
  1150
        apply  (erule MGFnD' [THEN conseq12])
nipkow@44890
  1151
        apply  (fastforce intro: eval.BinOp)
wenzelm@32960
  1152
        apply simp
wenzelm@32960
  1153
        apply (rule ax_Normal_cases)
wenzelm@32960
  1154
        apply  (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
  1155
        apply  clarsimp
wenzelm@32960
  1156
        apply  (rule eval_BinOp_arg2_indepI)
wenzelm@32960
  1157
        apply   simp
wenzelm@32960
  1158
        apply  simp
wenzelm@32960
  1159
        apply (rule ax_derivs.Abrupt [THEN conseq1], clarsimp simp add: Let_def)
nipkow@44890
  1160
        apply (fastforce intro: eval.BinOp)
wenzelm@32960
  1161
        done
schirmer@13688
  1162
    next
schirmer@13688
  1163
      case Super
schirmer@13688
  1164
      show ?case
wenzelm@32960
  1165
        apply -
wenzelm@32960
  1166
        apply (rule MGFn_NormalI)
wenzelm@32960
  1167
        apply (rule ax_derivs.Super [THEN conseq1])
nipkow@44890
  1168
        apply (fastforce intro: eval.Super)
wenzelm@32960
  1169
        done
schirmer@13688
  1170
    next
schirmer@13688
  1171
      case (Acc v)
schirmer@13688
  1172
      thus ?case
wenzelm@32960
  1173
        apply -
wenzelm@32960
  1174
        apply (rule MGFn_NormalI)
wenzelm@32960
  1175
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Acc])
nipkow@44890
  1176
        apply (fastforce intro: eval.Acc simp add: split_paired_all)
wenzelm@32960
  1177
        done
schirmer@13688
  1178
    next
schirmer@13688
  1179
      case (Ass v e)
schirmer@13688
  1180
      thus "G,A\<turnstile>{=:n} \<langle>v:=e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1181
        apply -
wenzelm@32960
  1182
        apply (rule MGFn_NormalI)
wenzelm@32960
  1183
        apply (rule ax_derivs.Ass)
wenzelm@32960
  1184
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1185
        apply (rule allI)
wenzelm@32960
  1186
        apply (erule MGFnD'[THEN conseq12])
nipkow@44890
  1187
        apply (fastforce intro: eval.Ass simp add: split_paired_all)
wenzelm@32960
  1188
        done
schirmer@13688
  1189
    next
schirmer@13688
  1190
      case (Cond e1 e2 e3)
schirmer@13688
  1191
      thus "G,A\<turnstile>{=:n} \<langle>e1 ? e2 : e3\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1192
        apply -
wenzelm@32960
  1193
        apply (rule MGFn_NormalI)
wenzelm@32960
  1194
        apply (rule ax_derivs.Cond)
wenzelm@32960
  1195
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1196
        apply (rule allI)
wenzelm@32960
  1197
        apply (rule ax_Normal_cases)
wenzelm@32960
  1198
        prefer 2
wenzelm@32960
  1199
        apply  (rule ax_derivs.Abrupt [THEN conseq1],clarsimp simp add: Let_def)
nipkow@44890
  1200
        apply  (fastforce intro: eval.Cond)
wenzelm@32960
  1201
        apply (case_tac "b")
wenzelm@32960
  1202
        apply  simp
wenzelm@32960
  1203
        apply  (erule MGFnD'[THEN conseq12])
nipkow@44890
  1204
        apply  (fastforce intro: eval.Cond)
wenzelm@32960
  1205
        apply simp
wenzelm@32960
  1206
        apply (erule MGFnD'[THEN conseq12])
nipkow@44890
  1207
        apply (fastforce intro: eval.Cond)
wenzelm@32960
  1208
        done
schirmer@13688
  1209
    next
schirmer@13688
  1210
      case (Call accC statT mode e mn pTs' ps)
wenzelm@23366
  1211
      note mgf_e = `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1212
      note mgf_ps = `G,A\<turnstile>{=:n} \<langle>ps\<rangle>\<^sub>l\<succ> {G\<rightarrow>}`
schirmer@13688
  1213
      from mgf_methds mgf_e mgf_ps wf
schirmer@13688
  1214
      show "G,A\<turnstile>{=:n} \<langle>{accC,statT,mode}e\<cdot>mn({pTs'}ps)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1215
        by (rule MGFn_Call)
schirmer@13688
  1216
    next
schirmer@13688
  1217
      case (Methd D mn)
schirmer@13688
  1218
      from mgf_methds
schirmer@13688
  1219
      show "G,A\<turnstile>{=:n} \<langle>Methd D mn\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1220
        by simp
schirmer@13688
  1221
    next
schirmer@13688
  1222
      case (Body D c)
wenzelm@23366
  1223
      note mgf_c = `G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1224
      from wf MGFn_Init [OF hyp] mgf_c
schirmer@13688
  1225
      show "G,A\<turnstile>{=:n} \<langle>Body D c\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1226
        by (rule MGFn_Body)
schirmer@13688
  1227
    next
schirmer@13688
  1228
      case (InsInitE c e)
schirmer@13688
  1229
      show ?case
wenzelm@32960
  1230
        by (rule MGFn_NormalI) (rule ax_derivs.InsInitE)
schirmer@13688
  1231
    next
schirmer@13688
  1232
      case (Callee l e)
schirmer@13688
  1233
      show ?case
wenzelm@32960
  1234
        by (rule MGFn_NormalI) (rule ax_derivs.Callee)
schirmer@13688
  1235
    next
schirmer@13688
  1236
      case Skip
schirmer@13688
  1237
      show ?case
wenzelm@32960
  1238
        apply -
wenzelm@32960
  1239
        apply (rule MGFn_NormalI)
wenzelm@32960
  1240
        apply (rule ax_derivs.Skip [THEN conseq1])
nipkow@44890
  1241
        apply (fastforce intro: eval.Skip)
wenzelm@32960
  1242
        done
schirmer@13688
  1243
    next
schirmer@13688
  1244
      case (Expr e)
schirmer@13688
  1245
      thus ?case
wenzelm@32960
  1246
        apply -
wenzelm@32960
  1247
        apply (rule MGFn_NormalI)
wenzelm@32960
  1248
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Expr])
nipkow@44890
  1249
        apply (fastforce intro: eval.Expr)
wenzelm@32960
  1250
        done
schirmer@13688
  1251
    next
schirmer@13688
  1252
      case (Lab l c)
schirmer@13688
  1253
      thus "G,A\<turnstile>{=:n} \<langle>l\<bullet> c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1254
        apply -
wenzelm@32960
  1255
        apply (rule MGFn_NormalI)
wenzelm@32960
  1256
        apply (erule MGFnD' [THEN conseq12, THEN ax_derivs.Lab])
nipkow@44890
  1257
        apply (fastforce intro: eval.Lab)
wenzelm@32960
  1258
        done
schirmer@13688
  1259
    next
schirmer@13688
  1260
      case (Comp c1 c2)
schirmer@13688
  1261
      thus "G,A\<turnstile>{=:n} \<langle>c1;; c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1262
        apply -
wenzelm@32960
  1263
        apply (rule MGFn_NormalI)
wenzelm@32960
  1264
        apply (rule ax_derivs.Comp)
wenzelm@32960
  1265
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1266
        apply (erule MGFnD' [THEN conseq12])
nipkow@44890
  1267
        apply (fastforce intro: eval.Comp) 
wenzelm@32960
  1268
        done
schirmer@13688
  1269
    next
wenzelm@24783
  1270
      case (If' e c1 c2)
schirmer@13688
  1271
      thus "G,A\<turnstile>{=:n} \<langle>If(e) c1 Else c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1272
        apply -
wenzelm@32960
  1273
        apply (rule MGFn_NormalI)
wenzelm@32960
  1274
        apply (rule ax_derivs.If)
wenzelm@32960
  1275
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1276
        apply (rule allI)
wenzelm@32960
  1277
        apply (rule ax_Normal_cases)
wenzelm@32960
  1278
        prefer 2
wenzelm@32960
  1279
        apply  (rule ax_derivs.Abrupt [THEN conseq1],clarsimp simp add: Let_def)
nipkow@44890
  1280
        apply  (fastforce intro: eval.If)
wenzelm@32960
  1281
        apply (case_tac "b")
wenzelm@32960
  1282
        apply  simp
wenzelm@32960
  1283
        apply  (erule MGFnD' [THEN conseq12])
nipkow@44890
  1284
        apply  (fastforce intro: eval.If)
wenzelm@32960
  1285
        apply simp
wenzelm@32960
  1286
        apply (erule MGFnD' [THEN conseq12])
nipkow@44890
  1287
        apply (fastforce intro: eval.If)
wenzelm@32960
  1288
        done
schirmer@13688
  1289
    next
schirmer@13688
  1290
      case (Loop l e c)
wenzelm@23366
  1291
      note mgf_e = `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1292
      note mgf_c = `G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1293
      from mgf_e mgf_c wf
schirmer@13688
  1294
      show "G,A\<turnstile>{=:n} \<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1295
        by (rule MGFn_Loop)
schirmer@13688
  1296
    next
schirmer@13688
  1297
      case (Jmp j)
schirmer@13688
  1298
      thus ?case
wenzelm@32960
  1299
        apply -
wenzelm@32960
  1300
        apply (rule MGFn_NormalI)
wenzelm@32960
  1301
        apply (rule ax_derivs.Jmp [THEN conseq1])
wenzelm@32960
  1302
        apply (auto intro: eval.Jmp simp add: abupd_def2)
wenzelm@32960
  1303
        done
schirmer@13688
  1304
    next
schirmer@13688
  1305
      case (Throw e)
schirmer@13688
  1306
      thus ?case
wenzelm@32960
  1307
        apply -
wenzelm@32960
  1308
        apply (rule MGFn_NormalI)
wenzelm@32960
  1309
        apply (erule MGFnD' [THEN conseq12, THEN ax_derivs.Throw])
nipkow@44890
  1310
        apply (fastforce intro: eval.Throw)
wenzelm@32960
  1311
        done
schirmer@13688
  1312
    next
schirmer@13688
  1313
      case (TryC c1 C vn c2)
schirmer@13688
  1314
      thus "G,A\<turnstile>{=:n} \<langle>Try c1 Catch(C vn) c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1315
        apply -
wenzelm@32960
  1316
        apply (rule MGFn_NormalI)
wenzelm@32960
  1317
        apply (rule ax_derivs.Try [where 
schirmer@13688
  1318
          ?Q = " (\<lambda>Y' s' s. normal s \<and> (\<exists>s''. G\<turnstile>s \<midarrow>\<langle>c1\<rangle>\<^sub>s\<succ>\<rightarrow> (Y',s'') \<and> 
schirmer@13688
  1319
                            G\<turnstile>s'' \<midarrow>sxalloc\<rightarrow> s')) \<and>. G\<turnstile>init\<le>n"])
wenzelm@32960
  1320
        apply   (erule MGFnD [THEN ax_NormalD, THEN conseq2])
nipkow@44890
  1321
        apply   (fastforce elim: sxalloc_gext [THEN card_nyinitcls_gext])
wenzelm@32960
  1322
        apply  (erule MGFnD'[THEN conseq12])
nipkow@44890
  1323
        apply  (fastforce intro: eval.Try)
nipkow@44890
  1324
        apply (fastforce intro: eval.Try)
wenzelm@32960
  1325
        done
schirmer@13688
  1326
    next
schirmer@13688
  1327
      case (Fin c1 c2)
wenzelm@23366
  1328
      note mgf_c1 = `G,A\<turnstile>{=:n} \<langle>c1\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
wenzelm@23366
  1329
      note mgf_c2 = `G,A\<turnstile>{=:n} \<langle>c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1330
      from wf mgf_c1 mgf_c2
schirmer@13688
  1331
      show "G,A\<turnstile>{=:n} \<langle>c1 Finally c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1332
        by (rule MGFn_Fin)
schirmer@13688
  1333
    next
schirmer@13688
  1334
      case (FinA abr c)
schirmer@13688
  1335
      show ?case
wenzelm@32960
  1336
        by (rule MGFn_NormalI) (rule ax_derivs.FinA)
schirmer@13688
  1337
    next
schirmer@13688
  1338
      case (Init C)
schirmer@13688
  1339
      from hyp
schirmer@13688
  1340
      show "G,A\<turnstile>{=:n} \<langle>Init C\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1341
        by (rule MGFn_Init)
schirmer@13688
  1342
    next
schirmer@13688
  1343
      case Nil_expr
schirmer@13688
  1344
      show "G,A\<turnstile>{=:n} \<langle>[]\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@32960
  1345
        apply -
wenzelm@32960
  1346
        apply (rule MGFn_NormalI)
wenzelm@32960
  1347
        apply (rule ax_derivs.Nil [THEN conseq1])
nipkow@44890
  1348
        apply (fastforce intro: eval.Nil)
wenzelm@32960
  1349
        done
schirmer@13688
  1350
    next
schirmer@13688
  1351
      case (Cons_expr e es)
schirmer@13688
  1352
      thus "G,A\<turnstile>{=:n} \<langle>e# es\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@32960
  1353
        apply -
wenzelm@32960
  1354
        apply (rule MGFn_NormalI)
wenzelm@32960
  1355
        apply (rule ax_derivs.Cons)
wenzelm@32960
  1356
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1357
        apply (rule allI)
wenzelm@32960
  1358
        apply (erule MGFnD'[THEN conseq12])
nipkow@44890
  1359
        apply (fastforce intro: eval.Cons)
wenzelm@32960
  1360
        done
schirmer@13688
  1361
    qed
schirmer@13688
  1362
  }
schirmer@13688
  1363
  thus ?thesis
schirmer@13688
  1364
    by (cases rule: term_cases) auto
schirmer@13688
  1365
  qed
schirmer@13688
  1366
qed
schirmer@12854
  1367
schirmer@12925
  1368
lemma MGF_asm: 
schirmer@12925
  1369
"\<lbrakk>\<forall>C sig. is_methd G C sig \<longrightarrow> G,A\<turnstile>{\<doteq>} In1l (Methd C sig)\<succ> {G\<rightarrow>}; wf_prog G\<rbrakk>
schirmer@12925
  1370
 \<Longrightarrow> G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
  1371
apply (simp (no_asm_use) add: MGF_MGFn_iff)
schirmer@12854
  1372
apply (rule allI)
schirmer@12854
  1373
apply (rule MGFn_lemma)
schirmer@12854
  1374
apply (intro strip)
schirmer@12854
  1375
apply (rule MGFn_free_wt)
schirmer@12854
  1376
apply (force dest: wt_Methd_is_methd)
schirmer@12925
  1377
apply assumption (* wf_prog G *)
schirmer@12854
  1378
done
schirmer@12854
  1379
schirmer@12854
  1380
section "nested version"
schirmer@12854
  1381
schirmer@13688
  1382
lemma nesting_lemma' [rule_format (no_asm)]: 
schirmer@13688
  1383
  assumes ax_derivs_asm: "\<And>A ts. ts \<subseteq> A \<Longrightarrow> P A ts" 
schirmer@13688
  1384
  and MGF_nested_Methd: "\<And>A pn. \<forall>b\<in>bdy pn. P (insert (mgf_call pn) A) {mgf b}
schirmer@13688
  1385
                                  \<Longrightarrow> P A {mgf_call pn}"
schirmer@13688
  1386
  and MGF_asm: "\<And>A t. \<forall>pn\<in>U. P A {mgf_call pn} \<Longrightarrow> P A {mgf t}"
schirmer@13688
  1387
  and finU: "finite U"
schirmer@13688
  1388
  and uA: "uA = mgf_call`U"
schirmer@13688
  1389
  shows "\<forall>A. A \<subseteq> uA \<longrightarrow> n \<le> card uA \<longrightarrow> card A = card uA - n 
schirmer@13688
  1390
             \<longrightarrow> (\<forall>t. P A {mgf t})"
schirmer@13688
  1391
using finU uA
schirmer@13688
  1392
apply -
schirmer@13688
  1393
apply (induct_tac "n")
wenzelm@42793
  1394
apply  (tactic "ALLGOALS (clarsimp_tac @{context})")
wenzelm@39159
  1395
apply  (tactic {* dtac (Thm.permute_prems 0 1 @{thm card_seteq}) 1 *})
schirmer@13688
  1396
apply    simp
schirmer@13688
  1397
apply   (erule finite_imageI)
schirmer@13688
  1398
apply  (simp add: MGF_asm ax_derivs_asm)
schirmer@13688
  1399
apply (rule MGF_asm)
schirmer@13688
  1400
apply (rule ballI)
schirmer@13688
  1401
apply (case_tac "mgf_call pn : A")
schirmer@13688
  1402
apply  (fast intro: ax_derivs_asm)
schirmer@13688
  1403
apply (rule MGF_nested_Methd)
schirmer@13688
  1404
apply (rule ballI)
schirmer@13688
  1405
apply (drule spec, erule impE, erule_tac [2] impE, erule_tac [3] spec)
schirmer@13688
  1406
apply   fast
schirmer@13688
  1407
apply (drule finite_subset)
schirmer@13688
  1408
apply (erule finite_imageI)
schirmer@13688
  1409
apply auto
schirmer@13688
  1410
done
schirmer@12854
  1411
schirmer@13688
  1412
schirmer@13688
  1413
lemma nesting_lemma [rule_format (no_asm)]:
schirmer@13688
  1414
  assumes ax_derivs_asm: "\<And>A ts. ts \<subseteq> A \<Longrightarrow> P A ts"
schirmer@13688
  1415
  and MGF_nested_Methd: "\<And>A pn. \<forall>b\<in>bdy pn. P (insert (mgf (f pn)) A) {mgf b}
schirmer@13688
  1416
                                  \<Longrightarrow> P A {mgf (f pn)}"
schirmer@13688
  1417
  and MGF_asm: "\<And>A t. \<forall>pn\<in>U. P A {mgf (f pn)} \<Longrightarrow> P A {mgf t}"
schirmer@13688
  1418
  and finU: "finite U"
schirmer@13688
  1419
shows "P {} {mgf t}"
schirmer@13688
  1420
using ax_derivs_asm MGF_nested_Methd MGF_asm finU
schirmer@13688
  1421
by (rule nesting_lemma') (auto intro!: le_refl)
schirmer@13688
  1422
schirmer@12854
  1423
schirmer@12854
  1424
lemma MGF_nested_Methd: "\<lbrakk>  
schirmer@13688
  1425
 G,insert ({Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}) A
schirmer@13688
  1426
    \<turnstile>{Normal \<doteq>} \<langle>body G C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}  
schirmer@13688
  1427
 \<rbrakk> \<Longrightarrow>  G,A\<turnstile>{Normal \<doteq>}  \<langle>Methd  C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}"
schirmer@12854
  1428
apply (unfold MGF_def)
schirmer@12854
  1429
apply (rule ax_MethdN)
schirmer@12854
  1430
apply (erule conseq2)
schirmer@12854
  1431
apply clarsimp
schirmer@12854
  1432
apply (erule MethdI)
schirmer@12854
  1433
done
schirmer@12854
  1434
schirmer@12925
  1435
lemma MGF_deriv: "wf_prog G \<Longrightarrow> G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
  1436
apply (rule MGFNormalI)
schirmer@12854
  1437
apply (rule_tac mgf = "\<lambda>t. {Normal \<doteq>} t\<succ> {G\<rightarrow>}" and 
schirmer@13688
  1438
                bdy = "\<lambda> (C,sig) .{\<langle>body G C sig\<rangle>\<^sub>e }" and 
schirmer@13688
  1439
                f = "\<lambda> (C,sig) . \<langle>Methd C sig\<rangle>\<^sub>e " in nesting_lemma)
schirmer@12854
  1440
apply    (erule ax_derivs.asm)
schirmer@12854
  1441
apply   (clarsimp simp add: split_tupled_all)
schirmer@12854
  1442
apply   (erule MGF_nested_Methd)
schirmer@12925
  1443
apply  (erule_tac [2] finite_is_methd [OF wf_ws_prog])
schirmer@12854
  1444
apply (rule MGF_asm [THEN MGFNormalD])
schirmer@12925
  1445
apply (auto intro: MGFNormalI)
schirmer@12854
  1446
done
schirmer@12854
  1447
schirmer@12854
  1448
schirmer@12854
  1449
section "simultaneous version"
schirmer@12854
  1450
schirmer@12854
  1451
lemma MGF_simult_Methd_lemma: "finite ms \<Longrightarrow>  
schirmer@13688
  1452
  G,A \<union> (\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms  
schirmer@13688
  1453
      |\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>body G C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms \<Longrightarrow>  
schirmer@13688
  1454
  G,A|\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms"
schirmer@12854
  1455
apply (unfold MGF_def)
schirmer@12854
  1456
apply (rule ax_derivs.Methd [unfolded mtriples_def])
schirmer@12854
  1457
apply (erule ax_finite_pointwise)
schirmer@12854
  1458
prefer 2
schirmer@12854
  1459
apply  (rule ax_derivs.asm)
schirmer@12854
  1460
apply  fast
schirmer@12854
  1461
apply clarsimp
schirmer@12854
  1462
apply (rule conseq2)
schirmer@12854
  1463
apply  (erule (1) ax_methods_spec)
schirmer@12854
  1464
apply clarsimp
schirmer@12854
  1465
apply (erule eval_Methd)
schirmer@12854
  1466
done
schirmer@12854
  1467
schirmer@12925
  1468
lemma MGF_simult_Methd: "wf_prog G \<Longrightarrow> 
schirmer@13688
  1469
   G,({}::state triple set)|\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) 
schirmer@12854
  1470
   ` Collect (split (is_methd G)) "
schirmer@12925
  1471
apply (frule finite_is_methd [OF wf_ws_prog])
schirmer@12854
  1472
apply (rule MGF_simult_Methd_lemma)
schirmer@12854
  1473
apply  assumption
schirmer@12854
  1474
apply (erule ax_finite_pointwise)
schirmer@12854
  1475
prefer 2
schirmer@12854
  1476
apply  (rule ax_derivs.asm)
schirmer@12854
  1477
apply  blast
schirmer@12854
  1478
apply clarsimp
schirmer@12854
  1479
apply (rule MGF_asm [THEN MGFNormalD])
schirmer@12925
  1480
apply   (auto intro: MGFNormalI)
schirmer@12854
  1481
done
schirmer@12854
  1482
schirmer@12854
  1483
schirmer@12854
  1484
section "corollaries"
schirmer@12854
  1485
schirmer@12925
  1486
lemma eval_to_evaln: "\<lbrakk>G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y', s');type_ok G t s; wf_prog G\<rbrakk>
schirmer@12925
  1487
 \<Longrightarrow>   \<exists>n. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s')"
schirmer@12925
  1488
apply (cases "normal s")
schirmer@12925
  1489
apply   (force simp add: type_ok_def intro: eval_evaln)
schirmer@12925
  1490
apply   (force intro: evaln.Abrupt)
schirmer@12925
  1491
done
schirmer@12925
  1492
schirmer@13688
  1493
lemma MGF_complete:
schirmer@13688
  1494
  assumes valid: "G,{}\<Turnstile>{P} t\<succ> {Q}"
schirmer@13688
  1495
  and     mgf: "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1496
  and      wf: "wf_prog G"
schirmer@13688
  1497
  shows "G,({}::state triple set)\<turnstile>{P::state assn} t\<succ> {Q}"
schirmer@13688
  1498
proof (rule ax_no_hazard)
schirmer@13688
  1499
  from mgf
schirmer@13688
  1500
  have "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y, s')}"  
schirmer@13688
  1501
    by  (unfold MGF_def) 
schirmer@13688
  1502
  thus "G,({}::state triple set)\<turnstile>{P \<and>. type_ok G t} t\<succ> {Q}"
schirmer@13688
  1503
  proof (rule conseq12,clarsimp)
schirmer@13688
  1504
    fix Y s Z Y' s'
schirmer@13688
  1505
    assume P: "P Y s Z"
schirmer@13688
  1506
    assume type_ok: "type_ok G t s"
schirmer@13688
  1507
    assume eval_t: "G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y', s')"
schirmer@13688
  1508
    show "Q Y' s' Z"
schirmer@13688
  1509
    proof -
schirmer@13688
  1510
      from eval_t type_ok wf 
schirmer@13688
  1511
      obtain n where evaln: "G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s')"
wenzelm@32960
  1512
        by (rule eval_to_evaln [elim_format]) iprover
schirmer@13688
  1513
      from valid have 
wenzelm@32960
  1514
        valid_expanded:
wenzelm@32960
  1515
        "\<forall>n Y s Z. P Y s Z \<longrightarrow> type_ok G t s 
schirmer@13688
  1516
                   \<longrightarrow> (\<forall>Y' s'. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s') \<longrightarrow> Q Y' s' Z)"
wenzelm@32960
  1517
        by (simp add: ax_valids_def triple_valid_def)
schirmer@13688
  1518
      from P type_ok evaln
schirmer@13688
  1519
      show "Q Y' s' Z"
wenzelm@32960
  1520
        by (rule valid_expanded [rule_format])
schirmer@13688
  1521
    qed
schirmer@13688
  1522
  qed 
schirmer@13688
  1523
qed
schirmer@13688
  1524
   
schirmer@13688
  1525
theorem ax_complete: 
schirmer@13688
  1526
  assumes wf: "wf_prog G" 
schirmer@13688
  1527
  and valid: "G,{}\<Turnstile>{P::state assn} t\<succ> {Q}"
schirmer@13688
  1528
  shows "G,({}::state triple set)\<turnstile>{P} t\<succ> {Q}"
schirmer@13688
  1529
proof -
schirmer@13688
  1530
  from wf have "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1531
    by (rule MGF_deriv)
schirmer@13688
  1532
  from valid this wf
schirmer@13688
  1533
  show ?thesis
schirmer@13688
  1534
    by (rule MGF_complete)
schirmer@13688
  1535
qed
schirmer@13688
  1536
 
schirmer@12854
  1537
end