src/HOL/NanoJava/AxSem.thy
author wenzelm
Sun Sep 18 20:33:48 2016 +0200 (2016-09-18)
changeset 63915 bab633745c7f
parent 63167 0909deb8059b
child 67443 3abf6a722518
permissions -rw-r--r--
tuned proofs;
oheimb@11376
     1
(*  Title:      HOL/NanoJava/AxSem.thy
wenzelm@41589
     2
    Author:     David von Oheimb, Technische Universitaet Muenchen
oheimb@11376
     3
*)
oheimb@11376
     4
wenzelm@58889
     5
section "Axiomatic Semantics"
oheimb@11376
     6
haftmann@16417
     7
theory AxSem imports State begin
oheimb@11376
     8
wenzelm@42463
     9
type_synonym assn = "state => bool"
wenzelm@42463
    10
type_synonym vassn = "val => assn"
wenzelm@42463
    11
type_synonym triple = "assn \<times> stmt \<times>  assn"
wenzelm@42463
    12
type_synonym etriple = "assn \<times> expr \<times> vassn"
oheimb@11376
    13
translations
wenzelm@35431
    14
  (type) "assn" \<leftharpoondown> (type) "state => bool"
wenzelm@35431
    15
  (type) "vassn" \<leftharpoondown> (type) "val => assn"
wenzelm@35431
    16
  (type) "triple" \<leftharpoondown> (type) "assn \<times> stmt \<times> assn"
wenzelm@35431
    17
  (type) "etriple" \<leftharpoondown> (type) "assn \<times> expr \<times> vassn"
oheimb@11376
    18
oheimb@11476
    19
oheimb@11560
    20
subsection "Hoare Logic Rules"
oheimb@11560
    21
berghofe@23755
    22
inductive
berghofe@23755
    23
 hoare :: "[triple set, triple set] => bool"  ("_ |\<turnstile>/ _" [61, 61] 60)
berghofe@23755
    24
 and ehoare :: "[triple set, etriple] => bool"  ("_ |\<turnstile>\<^sub>e/ _" [61, 61] 60)
berghofe@23755
    25
 and hoare1 :: "[triple set, assn,stmt,assn] => bool" 
berghofe@23755
    26
   ("_ \<turnstile>/ ({(1_)}/ (_)/ {(1_)})" [61, 3, 90, 3] 60)
berghofe@23755
    27
 and ehoare1 :: "[triple set, assn,expr,vassn]=> bool"
berghofe@23755
    28
   ("_ \<turnstile>\<^sub>e/ ({(1_)}/ (_)/ {(1_)})" [61, 3, 90, 3] 60)
berghofe@23755
    29
where
oheimb@11376
    30
berghofe@23755
    31
  "A  \<turnstile> {P}c{Q} \<equiv> A |\<turnstile> {(P,c,Q)}"
berghofe@23755
    32
| "A  \<turnstile>\<^sub>e {P}e{Q} \<equiv> A |\<turnstile>\<^sub>e (P,e,Q)"
oheimb@11476
    33
berghofe@23755
    34
| Skip:  "A \<turnstile> {P} Skip {P}"
berghofe@23755
    35
berghofe@23755
    36
| Comp: "[| A \<turnstile> {P} c1 {Q}; A \<turnstile> {Q} c2 {R} |] ==> A \<turnstile> {P} c1;;c2 {R}"
oheimb@11376
    37
berghofe@23755
    38
| Cond: "[| A \<turnstile>\<^sub>e {P} e {Q}; 
berghofe@23755
    39
            \<forall>v. A \<turnstile> {Q v} (if v \<noteq> Null then c1 else c2) {R} |] ==>
berghofe@23755
    40
            A \<turnstile> {P} If(e) c1 Else c2 {R}"
oheimb@11376
    41
berghofe@23755
    42
| Loop: "A \<turnstile> {\<lambda>s. P s \<and> s<x> \<noteq> Null} c {P} ==>
berghofe@23755
    43
         A \<turnstile> {P} While(x) c {\<lambda>s. P s \<and> s<x> = Null}"
berghofe@23755
    44
berghofe@23755
    45
| LAcc: "A \<turnstile>\<^sub>e {\<lambda>s. P (s<x>) s} LAcc x {P}"
oheimb@11476
    46
berghofe@23755
    47
| LAss: "A \<turnstile>\<^sub>e {P} e {\<lambda>v s.  Q (lupd(x\<mapsto>v) s)} ==>
berghofe@23755
    48
         A \<turnstile>  {P} x:==e {Q}"
berghofe@23755
    49
berghofe@23755
    50
| FAcc: "A \<turnstile>\<^sub>e {P} e {\<lambda>v s. \<forall>a. v=Addr a --> Q (get_field s a f) s} ==>
berghofe@23755
    51
         A \<turnstile>\<^sub>e {P} e..f {Q}"
oheimb@11376
    52
berghofe@23755
    53
| FAss: "[| A \<turnstile>\<^sub>e {P} e1 {\<lambda>v s. \<forall>a. v=Addr a --> Q a s};
berghofe@23755
    54
        \<forall>a. A \<turnstile>\<^sub>e {Q a} e2 {\<lambda>v s. R (upd_obj a f v s)} |] ==>
berghofe@23755
    55
            A \<turnstile>  {P} e1..f:==e2 {R}"
oheimb@11376
    56
berghofe@23755
    57
| NewC: "A \<turnstile>\<^sub>e {\<lambda>s. \<forall>a. new_Addr s = Addr a --> P (Addr a) (new_obj a C s)}
oheimb@11476
    58
                new C {P}"
oheimb@11376
    59
berghofe@23755
    60
| Cast: "A \<turnstile>\<^sub>e {P} e {\<lambda>v s. (case v of Null => True 
wenzelm@61990
    61
                                 | Addr a => obj_class s a \<preceq>C C) --> Q v s} ==>
berghofe@23755
    62
         A \<turnstile>\<^sub>e {P} Cast C e {Q}"
oheimb@11376
    63
berghofe@23755
    64
| Call: "[| A \<turnstile>\<^sub>e {P} e1 {Q}; \<forall>a. A \<turnstile>\<^sub>e {Q a} e2 {R a};
berghofe@23755
    65
    \<forall>a p ls. A \<turnstile> {\<lambda>s'. \<exists>s. R a p s \<and> ls = s \<and> 
oheimb@11772
    66
                    s' = lupd(This\<mapsto>a)(lupd(Par\<mapsto>p)(del_locs s))}
oheimb@11565
    67
                  Meth (C,m) {\<lambda>s. S (s<Res>) (set_locs ls s)} |] ==>
berghofe@23755
    68
             A \<turnstile>\<^sub>e {P} {C}e1..m(e2) {S}"
oheimb@11376
    69
wenzelm@61990
    70
| Meth: "\<forall>D. A \<turnstile> {\<lambda>s'. \<exists>s a. s<This> = Addr a \<and> D = obj_class s a \<and> D \<preceq>C C \<and> 
oheimb@11497
    71
                        P s \<and> s' = init_locs D m s}
oheimb@11497
    72
                  Impl (D,m) {Q} ==>
berghofe@23755
    73
             A \<turnstile> {P} Meth (C,m) {Q}"
oheimb@11376
    74
wenzelm@63167
    75
  \<comment>\<open>\<open>\<Union>Z\<close> instead of \<open>\<forall>Z\<close> in the conclusion and\\
wenzelm@63167
    76
       Z restricted to type state due to limitations of the inductive package\<close>
berghofe@23755
    77
| Impl: "\<forall>Z::state. A\<union> (\<Union>Z. (\<lambda>Cm. (P Z Cm, Impl Cm, Q Z Cm))`Ms) |\<turnstile> 
oheimb@11565
    78
                            (\<lambda>Cm. (P Z Cm, body Cm, Q Z Cm))`Ms ==>
berghofe@23755
    79
                      A |\<turnstile> (\<lambda>Cm. (P Z Cm, Impl Cm, Q Z Cm))`Ms"
oheimb@11376
    80
wenzelm@63167
    81
\<comment>\<open>structural rules\<close>
oheimb@11376
    82
berghofe@23755
    83
| Asm:  "   a \<in> A ==> A |\<turnstile> {a}"
oheimb@11476
    84
berghofe@23755
    85
| ConjI: " \<forall>c \<in> C. A |\<turnstile> {c} ==> A |\<turnstile> C"
oheimb@11476
    86
berghofe@23755
    87
| ConjE: "[|A |\<turnstile> C; c \<in> C |] ==> A |\<turnstile> {c}"
oheimb@11476
    88
wenzelm@63167
    89
  \<comment>\<open>Z restricted to type state due to limitations of the inductive package\<close>
berghofe@23755
    90
| Conseq:"[| \<forall>Z::state. A \<turnstile> {P' Z} c {Q' Z};
oheimb@11565
    91
             \<forall>s t. (\<forall>Z. P' Z s --> Q' Z t) --> (P s --> Q t) |] ==>
berghofe@23755
    92
            A \<turnstile> {P} c {Q }"
oheimb@11376
    93
wenzelm@63167
    94
  \<comment>\<open>Z restricted to type state due to limitations of the inductive package\<close>
berghofe@23755
    95
| eConseq:"[| \<forall>Z::state. A \<turnstile>\<^sub>e {P' Z} e {Q' Z};
oheimb@11565
    96
             \<forall>s v t. (\<forall>Z. P' Z s --> Q' Z v t) --> (P s --> Q v t) |] ==>
berghofe@23755
    97
            A \<turnstile>\<^sub>e {P} e {Q }"
oheimb@11565
    98
oheimb@11565
    99
oheimb@12934
   100
subsection "Fully polymorphic variants, required for Example only"
oheimb@11376
   101
wenzelm@45827
   102
axiomatization where
berghofe@23755
   103
  Conseq:"[| \<forall>Z. A \<turnstile> {P' Z} c {Q' Z};
oheimb@11565
   104
             \<forall>s t. (\<forall>Z. P' Z s --> Q' Z t) --> (P s --> Q t) |] ==>
berghofe@23755
   105
                 A \<turnstile> {P} c {Q }"
oheimb@11565
   106
wenzelm@45827
   107
axiomatization where
wenzelm@45827
   108
  eConseq:"[| \<forall>Z. A \<turnstile>\<^sub>e {P' Z} e {Q' Z};
oheimb@11565
   109
             \<forall>s v t. (\<forall>Z. P' Z s --> Q' Z v t) --> (P s --> Q v t) |] ==>
berghofe@23755
   110
                 A \<turnstile>\<^sub>e {P} e {Q }"
oheimb@11565
   111
wenzelm@45827
   112
axiomatization where
wenzelm@45827
   113
  Impl: "\<forall>Z. A\<union> (\<Union>Z. (\<lambda>Cm. (P Z Cm, Impl Cm, Q Z Cm))`Ms) |\<turnstile> 
oheimb@11565
   114
                          (\<lambda>Cm. (P Z Cm, body Cm, Q Z Cm))`Ms ==>
berghofe@23755
   115
                    A |\<turnstile> (\<lambda>Cm. (P Z Cm, Impl Cm, Q Z Cm))`Ms"
oheimb@11376
   116
oheimb@11376
   117
subsection "Derived Rules"
oheimb@11376
   118
oheimb@11376
   119
lemma Conseq1: "\<lbrakk>A \<turnstile> {P'} c {Q}; \<forall>s. P s \<longrightarrow> P' s\<rbrakk> \<Longrightarrow> A \<turnstile> {P} c {Q}"
oheimb@11476
   120
apply (rule hoare_ehoare.Conseq)
oheimb@11476
   121
apply  (rule allI, assumption)
oheimb@11476
   122
apply fast
oheimb@11476
   123
done
oheimb@11476
   124
oheimb@11476
   125
lemma Conseq2: "\<lbrakk>A \<turnstile> {P} c {Q'}; \<forall>t. Q' t \<longrightarrow> Q t\<rbrakk> \<Longrightarrow> A \<turnstile> {P} c {Q}"
oheimb@11476
   126
apply (rule hoare_ehoare.Conseq)
oheimb@11476
   127
apply  (rule allI, assumption)
oheimb@11476
   128
apply fast
oheimb@11476
   129
done
oheimb@11476
   130
oheimb@11486
   131
lemma eConseq1: "\<lbrakk>A \<turnstile>\<^sub>e {P'} e {Q}; \<forall>s. P s \<longrightarrow> P' s\<rbrakk> \<Longrightarrow> A \<turnstile>\<^sub>e {P} e {Q}"
oheimb@11476
   132
apply (rule hoare_ehoare.eConseq)
oheimb@11476
   133
apply  (rule allI, assumption)
oheimb@11476
   134
apply fast
oheimb@11476
   135
done
oheimb@11476
   136
oheimb@11486
   137
lemma eConseq2: "\<lbrakk>A \<turnstile>\<^sub>e {P} e {Q'}; \<forall>v t. Q' v t \<longrightarrow> Q v t\<rbrakk> \<Longrightarrow> A \<turnstile>\<^sub>e {P} e {Q}"
oheimb@11476
   138
apply (rule hoare_ehoare.eConseq)
oheimb@11376
   139
apply  (rule allI, assumption)
oheimb@11376
   140
apply fast
oheimb@11376
   141
done
oheimb@11376
   142
oheimb@11376
   143
lemma Weaken: "\<lbrakk>A |\<turnstile> C'; C \<subseteq> C'\<rbrakk> \<Longrightarrow> A |\<turnstile> C"
oheimb@11476
   144
apply (rule hoare_ehoare.ConjI)
oheimb@11376
   145
apply clarify
oheimb@11476
   146
apply (drule hoare_ehoare.ConjE)
oheimb@11376
   147
apply  fast
oheimb@11376
   148
apply assumption
oheimb@11376
   149
done
oheimb@11376
   150
oheimb@11565
   151
lemma Thin_lemma: 
oheimb@11565
   152
  "(A' |\<turnstile>  C         \<longrightarrow> (\<forall>A. A' \<subseteq> A \<longrightarrow> A |\<turnstile>  C       )) \<and> 
oheimb@11565
   153
   (A'  \<turnstile>\<^sub>e {P} e {Q} \<longrightarrow> (\<forall>A. A' \<subseteq> A \<longrightarrow> A  \<turnstile>\<^sub>e {P} e {Q}))"
oheimb@11565
   154
apply (rule hoare_ehoare.induct)
wenzelm@58963
   155
apply (tactic "ALLGOALS(EVERY'[clarify_tac @{context}, REPEAT o smp_tac @{context} 1])")
oheimb@11565
   156
apply (blast intro: hoare_ehoare.Skip)
oheimb@11565
   157
apply (blast intro: hoare_ehoare.Comp)
oheimb@11565
   158
apply (blast intro: hoare_ehoare.Cond)
oheimb@11565
   159
apply (blast intro: hoare_ehoare.Loop)
oheimb@11565
   160
apply (blast intro: hoare_ehoare.LAcc)
oheimb@11565
   161
apply (blast intro: hoare_ehoare.LAss)
oheimb@11565
   162
apply (blast intro: hoare_ehoare.FAcc)
oheimb@11565
   163
apply (blast intro: hoare_ehoare.FAss)
oheimb@11565
   164
apply (blast intro: hoare_ehoare.NewC)
oheimb@11565
   165
apply (blast intro: hoare_ehoare.Cast)
oheimb@11565
   166
apply (erule hoare_ehoare.Call)
wenzelm@58963
   167
apply   (rule, drule spec, erule conjE, tactic "smp_tac @{context} 1 1", assumption)
oheimb@11565
   168
apply  blast
oheimb@11565
   169
apply (blast intro!: hoare_ehoare.Meth)
oheimb@11565
   170
apply (blast intro!: hoare_ehoare.Impl)
oheimb@11565
   171
apply (blast intro!: hoare_ehoare.Asm)
oheimb@11565
   172
apply (blast intro: hoare_ehoare.ConjI)
oheimb@11565
   173
apply (blast intro: hoare_ehoare.ConjE)
oheimb@11565
   174
apply (rule hoare_ehoare.Conseq)
wenzelm@58963
   175
apply  (rule, drule spec, erule conjE, tactic "smp_tac @{context} 1 1", assumption+)
oheimb@11565
   176
apply (rule hoare_ehoare.eConseq)
wenzelm@58963
   177
apply  (rule, drule spec, erule conjE, tactic "smp_tac @{context} 1 1", assumption+)
oheimb@11565
   178
done
oheimb@11565
   179
oheimb@11565
   180
lemma cThin: "\<lbrakk>A' |\<turnstile> C; A' \<subseteq> A\<rbrakk> \<Longrightarrow> A |\<turnstile> C"
oheimb@11565
   181
by (erule (1) conjunct1 [OF Thin_lemma, rule_format])
oheimb@11565
   182
oheimb@11565
   183
lemma eThin: "\<lbrakk>A' \<turnstile>\<^sub>e {P} e {Q}; A' \<subseteq> A\<rbrakk> \<Longrightarrow> A \<turnstile>\<^sub>e {P} e {Q}"
oheimb@11565
   184
by (erule (1) conjunct2 [OF Thin_lemma, rule_format])
oheimb@11565
   185
oheimb@11565
   186
oheimb@11565
   187
lemma Union: "A |\<turnstile> (\<Union>Z. C Z) = (\<forall>Z. A |\<turnstile> C Z)"
oheimb@11476
   188
by (auto intro: hoare_ehoare.ConjI hoare_ehoare.ConjE)
oheimb@11376
   189
oheimb@11565
   190
lemma Impl1': 
oheimb@12934
   191
   "\<lbrakk>\<forall>Z::state. A\<union> (\<Union>Z. (\<lambda>Cm. (P Z Cm, Impl Cm, Q Z Cm))`Ms) |\<turnstile> 
oheimb@11565
   192
                 (\<lambda>Cm. (P Z Cm, body Cm, Q Z Cm))`Ms; 
oheimb@11508
   193
    Cm \<in> Ms\<rbrakk> \<Longrightarrow> 
oheimb@11565
   194
                A   \<turnstile>  {P Z Cm} Impl Cm {Q Z Cm}"
oheimb@12934
   195
apply (drule AxSem.Impl)
oheimb@11376
   196
apply (erule Weaken)
oheimb@11376
   197
apply (auto del: image_eqI intro: rev_image_eqI)
oheimb@11376
   198
done
oheimb@11376
   199
wenzelm@45605
   200
lemmas Impl1 = AxSem.Impl [of _ _ _ "{Cm}", simplified] for Cm
oheimb@11565
   201
oheimb@11376
   202
end