a draft for an example how to turn specifications involving choice executable
1 
(* Author: Florian Haftmann, TU Muenchen *) 
a draft for an example how to turn specifications involving choice executable
2 

a draft for an example how to turn specifications involving choice executable
3 
header {* A simple cookbook example how to eliminate choice in programs. *} 
a draft for an example how to turn specifications involving choice executable
4 

a draft for an example how to turn specifications involving choice executable
5 
theory Execute_Choice 
correcting imports after splitting and renaming AssocList
6 
imports Main "~~/src/HOL/Library/AList_Mapping" 
a draft for an example how to turn specifications involving choice executable
7 
begin 
a draft for an example how to turn specifications involving choice executable
8 

35164  9 
text {* 
10 
A trivial example: 

11 
*} 

12 

13 
definition valuesum :: "('a, 'b :: ab_group_add) mapping \<Rightarrow> 'b" where 

a draft for an example how to turn specifications involving choice executable
14 
"valuesum m = (\<Sum>k \<in> Mapping.keys m. the (Mapping.lookup m k))" 
a draft for an example how to turn specifications involving choice executable
15 

35164  16 
text {* 
17 
Not that instead of defining @{term valuesum} with choice, we define it 

18 
directly and derive a description involving choice afterwards: 

19 
*} 

20 

a draft for an example how to turn specifications involving choice executable
21 
lemma valuesum_rec: 
a draft for an example how to turn specifications involving choice executable
22 
assumes fin: "finite (dom (Mapping.lookup m))" 
a draft for an example how to turn specifications involving choice executable
23 
shows "valuesum m = (if Mapping.is_empty m then 0 else 
a draft for an example how to turn specifications involving choice executable
24 
let l = (SOME l. l \<in> Mapping.keys m) in the (Mapping.lookup m l) + valuesum (Mapping.delete l m))" 
a draft for an example how to turn specifications involving choice executable
25 
proof (cases "Mapping.is_empty m") 
a draft for an example how to turn specifications involving choice executable
26 
case True then show ?thesis by (simp add: is_empty_def keys_def valuesum_def) 
a draft for an example how to turn specifications involving choice executable
27 
next 
a draft for an example how to turn specifications involving choice executable
28 
case False 
make more HOL theories work with separate set type
29 
then have l: "\<exists>l. l \<in> dom (Mapping.lookup m)" by (auto simp add: is_empty_def keys_def) 
a draft for an example how to turn specifications involving choice executable
30 
then have "(let l = SOME l. l \<in> dom (Mapping.lookup m) in 
a draft for an example how to turn specifications involving choice executable
31 
the (Mapping.lookup m l) + (\<Sum>k \<in> dom (Mapping.lookup m)  {l}. the (Mapping.lookup m k))) = 
a draft for an example how to turn specifications involving choice executable
32 
(\<Sum>k \<in> dom (Mapping.lookup m). the (Mapping.lookup m k))" 
a draft for an example how to turn specifications involving choice executable
33 
proof (rule someI2_ex) 
a draft for an example how to turn specifications involving choice executable
34 
fix l 
a draft for an example how to turn specifications involving choice executable
35 
note fin 
a draft for an example how to turn specifications involving choice executable
36 
moreover assume "l \<in> dom (Mapping.lookup m)" 
a draft for an example how to turn specifications involving choice executable
37 
moreover obtain A where "A = dom (Mapping.lookup m)  {l}" by simp 
a draft for an example how to turn specifications involving choice executable
38 
ultimately have "dom (Mapping.lookup m) = insert l A" and "finite A" and "l \<notin> A" by auto 
a draft for an example how to turn specifications involving choice executable
39 
then show "(let l = l 
a draft for an example how to turn specifications involving choice executable
40 
in the (Mapping.lookup m l) + (\<Sum>k \<in> dom (Mapping.lookup m)  {l}. the (Mapping.lookup m k))) = 
a draft for an example how to turn specifications involving choice executable
41 
(\<Sum>k \<in> dom (Mapping.lookup m). the (Mapping.lookup m k))" 
a draft for an example how to turn specifications involving choice executable
42 
by simp 
a draft for an example how to turn specifications involving choice executable
43 
qed 
a draft for an example how to turn specifications involving choice executable
44 
then show ?thesis by (simp add: keys_def valuesum_def is_empty_def) 
a draft for an example how to turn specifications involving choice executable
45 
qed 
a draft for an example how to turn specifications involving choice executable
46 

35164  47 
text {* 
48 
In the context of the elsebranch we can show that the exact choice is 

49 
irrelvant; in practice, finding this point where choice becomes irrelevant is the 

50 
most difficult thing! 

51 
*} 

52 

53 
lemma valuesum_choice: 

54 
"finite (Mapping.keys M) \<Longrightarrow> x \<in> Mapping.keys M \<Longrightarrow> y \<in> Mapping.keys M \<Longrightarrow> 

55 
the (Mapping.lookup M x) + valuesum (Mapping.delete x M) = 

56 
the (Mapping.lookup M y) + valuesum (Mapping.delete y M)" 

57 
by (simp add: valuesum_def keys_def setsum_diff) 

58 

59 
text {* 

60 
Given @{text valuesum_rec} as initial description, we stepwise refine it to something executable; 

36109  61 
first, we formally insert the constructor @{term Mapping} and split the one equation into two, 
35164  62 
where the second one provides the necessary context: 
63 
*} 

64 

36109  65 
lemma valuesum_rec_Mapping: 
66 
shows [code]: "valuesum (Mapping []) = 0" 

67 
and "valuesum (Mapping (x # xs)) = (let l = (SOME l. l \<in> Mapping.keys (Mapping (x # xs))) in 

68 
the (Mapping.lookup (Mapping (x # xs)) l) + valuesum (Mapping.delete l (Mapping (x # xs))))" 

dropped ancient infix mem; refined code generation operations in List.thy
69 
by (simp_all add: valuesum_rec finite_dom_map_of is_empty_Mapping null_def) 
a draft for an example how to turn specifications involving choice executable
70 

35164  71 
text {* 
72 
As a side effect the precondition disappears (but note this has nothing to do with choice!). 

73 
The first equation deals with the uncritical empty case and can already be used for code generation. 

a draft for an example how to turn specifications involving choice executable
74 

35164  75 
Using @{text valuesum_choice}, we are able to prove an executable version of @{term valuesum}: 
76 
*} 

a draft for an example how to turn specifications involving choice executable
77 

a draft for an example how to turn specifications involving choice executable
78 
lemma valuesum_rec_exec [code]: 
36109  79 
"valuesum (Mapping (x # xs)) = (let l = fst (hd (x # xs)) in 
80 
the (Mapping.lookup (Mapping (x # xs)) l) + valuesum (Mapping.delete l (Mapping (x # xs))))" 

35164  81 
proof  
36109  82 
let ?M = "Mapping (x # xs)" 
35164  83 
let ?l1 = "(SOME l. l \<in> Mapping.keys ?M)" 
84 
let ?l2 = "fst (hd (x # xs))" 

36109  85 
have "finite (Mapping.keys ?M)" by (simp add: keys_Mapping) 
35164  86 
moreover have "?l1 \<in> Mapping.keys ?M" 
36109  87 
by (rule someI) (auto simp add: keys_Mapping) 
35164  88 
moreover have "?l2 \<in> Mapping.keys ?M" 
36109  89 
by (simp add: keys_Mapping) 
35164  90 
ultimately have "the (Mapping.lookup ?M ?l1) + valuesum (Mapping.delete ?l1 ?M) = 
91 
the (Mapping.lookup ?M ?l2) + valuesum (Mapping.delete ?l2 ?M)" 

92 
by (rule valuesum_choice) 

36109  93 
then show ?thesis by (simp add: valuesum_rec_Mapping) 
35164  94 
qed 
95 

96 
text {* 

97 
See how it works: 

98 
*} 

a draft for an example how to turn specifications involving choice executable
99 

36109  100 
value "valuesum (Mapping [(''abc'', (42::int)), (''def'', 1705)])" 
a draft for an example how to turn specifications involving choice executable
101 

a draft for an example how to turn specifications involving choice executable
102 
end 