theory SALOverflowFWInst_deep = SALOverflowPlatform_deep + AuxBox2: text {* In this theory we prove that our instantiated functions satisfy the PCC Framework's requirements. In the very end this leads to a reuse of the VCG Soundness theorem and thus guarantees the soundness of our platform *} section {* Requirements for the Safety Logic hold! *} theorem SALSafetyLogicIns: "SafetyLogic Conj Impl TrueF FalseF valid" (*<*) apply (unfold SafetyLogic_def) --{* semConj *} apply (rule conjI, (rule allI)+, rule iffI) apply (erule rev_mp, induct_tac "L", (simp add: ls), (simp add: ls))+ --{* semImp *} apply (rule conjI, (rule allI)+, (simp add: ls)) --{* TrueFSem *} apply (rule conjI) apply (simp add: ls) --{* semFalseF *} apply (simp add: ls) (*>*) done section {* Auxiliary Lemmas *} lemma checkPos_split: "checkPos prg (l1@l2) = ((checkPos prg l1) \ (checkPos prg l2))" (*<*) apply (induct_tac l1) apply simp apply (simp add: checkPos.simps Let_def split_def fst_conv snd_conv bool.cases) (*>*) done lemma isafe_imp_safeF: "\ prg s. valid prg s (isafe (domC prg, prg, anF prg, fst s, FalseF, Conj, Impl, safeF, succsF, wpF)) \ valid prg s (safeF prg (fst s))" (*<*) apply (rule allI)+ apply (subgoal_tac "isafe (domC prg, prg, anF prg, (fst s), FalseF, Conj, Impl, safeF, succsF, wpF) = (if \ (fst s) mem domC prg then FalseF else Conj ([safeF prg (fst s)]@ (case anF prg (fst s) of None \ (map (\(j, B). Impl B (wpF prg (fst s) j (isafe ([a\domC prg . a \ (fst s)], prg, anF prg, j, FalseF, Conj, Impl, safeF, succsF, wpF)))) (succsF prg (fst s))) | Some an_i \ [an_i])))") prefer 2 apply (rule isafe.simps) apply (case_tac "(fst s)\ set (domC prg)") apply (simp add: set_mem_eq del: isafe.simps) apply (case_tac "anF prg (fst s)") apply (simp del: isafe.simps) apply (rule impI) apply (simp add: valid_def validF_validFs.simps Conj_def) apply (simp add: valid_def validF_validFs.simps Conj_def) --{* case: fst s notin set domC prg *} apply (rule impI) apply (simp add: set_mem_eq FalseF_def valid_def del: isafe.simps ) (*>*) done lemma isafeF_imp_safeF: "valid prg (p,m,e) (isafeF prg p) \ valid prg (p,m,e) (safeF prg p)" (*<*) apply (cut_tac isafe_imp_safeF) apply (erule_tac x="prg" in allE) apply (erule_tac x="(p,m,e)" in allE) apply (simp add: isafeF_def) (*>*) done subsection {* Pre Safe States *} text {* We define the set of so called pre safe states. These are states that originate from a (previously) safe execution. *} consts safeP::"SALprogram \ SALstate set" inductive "safeP prg" intros init: "\ valid prg (p,m,e) (initF prg) \ \ (p,m,e) \ (safeP prg)" step: "\ (p,m,e) \ (safeP prg); valid prg (p,m,e) (safeF prg p); valid prg (p',m',e') (safeF prg p'); ((p,m,e),(p',m',e')) \ (effS prg) \ \ (p',m',e') \ (safeP prg)" lemma isafeP_imp_safeP: "(p,m,e) \ isafeP prg \ (p,m,e) \ safeP prg" (*<*) apply (simp only: isafeP_def) apply (erule isafeP'.induct) apply (simp only: split_paired_all) apply (rule safeP.init) apply simp apply (subgoal_tac "\ p m e. s = (p,m,e)") prefer 2 apply (rule_tac x="fst s" in exI) apply (rule_tac x="fst (snd s)" in exI) apply (rule_tac x="snd (snd s)" in exI) apply simp apply (subgoal_tac "\ p' m' e'. s' = (p',m',e')") prefer 2 apply (rule_tac x="fst s'" in exI) apply (rule_tac x="fst (snd s')" in exI) apply (rule_tac x="snd (snd s')" in exI) apply simp apply (erule exE)+ apply (simp only:) apply (rule_tac p="p" and m="m" and e="e" in safeP.step) apply assumption apply (rule isafeF_imp_safeF) apply simp apply (rule isafeF_imp_safeF) apply simp apply simp (*>*) done section {* System Invariants *} text {* Useful properties about states that originate from a safe execution. *} subsection {* System Invariant 1 *} consts sysinv::"SALstate \ SALprogram \ bool" recdef sysinv "measure (\ ((pc,m,e),prg). length (cs e))" "sysinv ((pc,m,e),prg) = (case (cs e) of [] \ False | c#css \ (let (k,m)=c; (pn',i')=(h e)!k; (pn,i)=pc in (case css of [] \ pn=0 \ (\ i0 x. cmd prg (0,i0) \ Some (RET x)) | c'#css' \ (\ x. cmd prg (pn',i') = Some (CALL x pn)) \ k < length (h e) \ sysinv (((pn',i'),m,e\cs:=css,h:=take k (h e)\),prg) ) ) )" (hints recdef_simp: filterreduction) lemma sysinv_calltime: "\ sysinv ((p,m,e),prg) \ \ 1 < length (cs e) \ fst (hd (cs e)) < (length (h e))" (*<*) apply (case_tac "cs e") apply simp apply (case_tac "list") apply simp apply (simp add: sysinv.simps Let_def split_def fst_conv snd_conv) (*>*) done theorem sysinv_pres: "\ prg p m e. \ wf prg ; (p,m,e) \ (safeP prg) \ \ sysinv((p,m,e),prg)" (*<*) apply (rule safeP.induct) apply simp apply (simp add: initF_def valid_def validF_validFs.simps Let_def split_def fst_conv snd_conv) apply (case_tac "cs ea") apply simp apply (case_tac "list") apply (simp add: Let_def wf_def) apply (rule allI)+ apply (case_tac "cmd prg (0,i0)") apply simp apply (cut_tac "cmd_domC") apply (erule_tac x="aa" in allE) apply (erule_tac x="(0,i0)" in allE) apply (erule_tac x="prg" in allE) apply (drule mp, assumption) apply (drule set_list_split) apply (erule exE)+ apply (simp add: checkPos_split add: Let_def) apply (case_tac "aa = RET x") apply simp apply simp --{* case: list = aa lista *} apply (simp add: Let_def incA_def split_def) --{* INDUCTION CASE *} apply (case_tac "cmd prg pa") apply (simp add: effS_def step_def split_def Let_def) apply (case_tac "cs ea") apply simp --{* induction case *} apply (rename_tac "prg" "p" "m" "e" "e'" "e''" "m'" "m''" "p'" "p''" "a" "aa" "css") apply (rule ssubst[OF sysinv.simps]) apply (simp add: effS_def mem_Collect_eq del: sysinv.simps) apply (case_tac a) --{* SET nat1 nat2 *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* ADD nat1 nat2 *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* SUB *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* INC *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* JMPEQ nat1 nat2 nat3 *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (case_tac "(\n. m' nat1 = NAT n) \ (\n'. m' nat2 = NAT n')") apply simp apply (case_tac "\n. m' nat1 = NAT n \ m' nat2 = NAT n") apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp --{* JMPL *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (case_tac "(\n. m' nat1 = NAT n) \ (\n'. m' nat2 = NAT n')") apply simp apply (case_tac "\n. m' nat1 = NAT n \ (\n'. m' nat2 = NAT n' \ n < n')") apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp --{* JLE nat1 nat2 nat3 *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (case_tac "(\n. m' nat1 = NAT n) \ (\n'. m' nat2 = NAT n')") apply simp apply (case_tac "\n. m' nat1 = NAT n \ (\n'. m' nat2 = NAT n' \ n \ n')") apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) apply simp --{* JMPB nat *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* JMPI nat *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (case_tac "m' nat") apply (simp add: safeF_def) prefer 2 apply (simp add: safeF_def) apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "cs e'") apply simp --{* cs e = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv) apply (case_tac css) apply simp --{* css = ac lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* CALL *} apply (simp add: step_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv nth_append) apply (case_tac "css") apply (simp add: nth_append) --{* css = ab lista *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp rec_upd_simp2 rec_upd_simp3 del: sysinv.simps) --{* RET nat *} apply (case_tac "m' nat") apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (simp only: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv option.cases instr.cases tval.cases simp_thms option.simps Pair_eq) apply (drule_tac P="\ x. x" in subst[OF sysinv.simps]) apply (case_tac "css") apply (simp add: Let_def split_def fst_conv snd_conv) apply (erule conjE)+ apply (erule_tac x="snd p'" in allE) apply (erule_tac x="nat" in allE) apply (subgoal_tac "(0,snd p') = p'") prefer 2 apply (rule_tac P="\ t. (t,snd p') = p'" and t="0" and s="fst p'" in subst) apply assumption apply (simp (no_asm)) apply simp --{* case : css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps validF_validFs.simps) apply (erule conjE | erule exE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: validF_validFs.simps sysinv.simps) apply (case_tac "list") apply (simp add: callpc_def Let_def callstate_def split_def incA_def) apply (simp add: Let_def split_def fst_conv snd_conv del: validF_validFs.simps sysinv.simps) apply (drule_tac P="\ x. x" in subst[OF sysinv.simps]) apply (simp add: Let_def split_def nth_append rec_upd_simp rec_upd_simp2 rec_upd_simp3 min_elim fst_conv snd_conv del: sysinv.simps) apply (erule conjE |erule exE)+ apply (subgoal_tac "take (fst aa) (h e') ! fst ab = h e' ! fst ab") prefer 2 apply (simp) apply (subgoal_tac "min (fst ab) (fst aa) = fst ab") prefer 2 apply (simp add: min_def) apply (subgoal_tac "fst ab - length (h e') = 0") prefer 2 apply simp apply (simp only: take.simps nat.cases simp_thms append_Nil2) apply (rule conjI) apply (rule_tac x="xb" in exI) apply (simp add: incA_def Let_def split_def fst_conv snd_conv callpc_def callstate_def) apply simp --{* MOV nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (case_tac "m' nat1") apply simp prefer 2 apply simp apply (case_tac "m' nat2") apply simp prefer 2 apply simp apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (drule_tac t="p''" in sym) apply (case_tac "css") apply (simp add: Let_def split_def) --{* css = ab list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv.simps) --{* HALT *} apply (simp add: step_def Let_def split_def) (*>*) done lemma sysinv_pres': "\ prg s. \ wf prg; s \ isafeP prg \ \ sysinv (s,prg)" (*<*) apply (simp only: split_paired_all) apply (drule isafeP_imp_safeP) apply (rule sysinv_pres) apply assumption+ (*>*) done subsection {* System Invariant 2 *} consts sysinv2::"SALstate \ SALprogram \ bool" recdef sysinv2 "measure (\ ((pc,m,e),prg). length (cs e))" "sysinv2 ((pc,m,e),prg) = (case (cs e) of [] \ False | c#css \ (let (k,m'')=c; (pn',i')=(h e)!k in ( case css of [] \ True | c'#css' \ (k < length (h e) \ valid prg ((pn',i'),m'',e\ cs:=css, h:=take k (h e) \) (isafeF prg (pn',i')) \ sysinv2 (((pn',i'),m'',e\ cs:=css, h:=take k (h e) \),prg) ) ) ))" (hints recdef_simp: filterreduction) lemma sysinv2_pres: "\ prg s. wf prg \ s \ (isafeP prg) \ sysinv2 (s,prg)" (*<*) apply (rule allI)+ apply (simp only: split_paired_all) apply (rename_tac "prg" "pn" "i" "m" "e") apply (rule impI) apply (rule impI) apply (erule isafeP_induct) --{* base case *} apply (simp only: split_paired_all) apply (rename_tac "prg" "pn_" "i_" "m_" "e_" "pn" "i" "m" "e") apply (simp only: valid_def validF_validFs.simps initF_def Let_def split_def fst_conv snd_conv simp_thms eval.simps Pair_eq tval.simps del: sysinv2.simps) apply (erule allE) apply (erule conjE) apply (case_tac "cs e") apply simp apply simp apply (case_tac "list") apply (simp add: Let_def) apply (simp add: incA_def split_def) --{* induction step *} apply (subgoal_tac "valid prg s (safeF prg (fst s))") prefer 2 apply (simp only: split_paired_all) apply simp apply (drule isafeF_imp_safeF) apply assumption apply (subgoal_tac "s' \ (isafeP prg)") prefer 2 apply (rule isafeP_step) apply simp+ apply (simp add: effS_def mem_Collect_eq) apply (simp only: split_paired_all) apply (rename_tac "prg" "pn" "i" "m" "e" "pn'" "i'" "m''" "e''") apply (case_tac "cmd prg (pn,i)") apply (simp add: step_def) --{* case: cmd prg (pn,i) = Some a *} apply (case_tac a) --{* SET nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* ADD nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* SUB nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* INC nat *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* JMPEQ nat1 nat2 nat3 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (erule conjE | erule exE)+ apply (subgoal_tac "\ n. m nat1 = NAT n") prefer 2 apply (case_tac "m nat1") apply simp apply simp apply simp apply (erule exE) apply (subgoal_tac "\ na. m nat2 = NAT na") prefer 2 apply (case_tac "m nat2") apply simp apply simp apply simp apply (erule exE) apply (case_tac "n=na") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* case: n ~= na *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* JMPL nat1 nat2 nat3 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (erule conjE | erule exE)+ apply (subgoal_tac "\ n. m nat1 = NAT n") prefer 2 apply (case_tac "m nat1") apply simp apply simp apply simp apply (erule exE) apply (subgoal_tac "\ na. m nat2 = NAT na") prefer 2 apply (case_tac "m nat2") apply simp apply simp apply simp apply (erule exE) apply (case_tac "n < na") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* case not n < na *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* JLE nat1 nat2 nat3 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (erule conjE | erule exE)+ apply (subgoal_tac "\ n. m nat1 = NAT n") prefer 2 apply (case_tac "m nat1") apply simp apply simp apply simp apply (erule exE) apply (subgoal_tac "\ na. m nat2 = NAT na") prefer 2 apply (case_tac "m nat2") apply simp apply simp apply simp apply (erule exE) apply (case_tac "n \ na") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* case not n <= na *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* JMPB nat *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* JMPI nat *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (case_tac "m nat") apply simp prefer 2 apply simp apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* CALL nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp) apply (subgoal_tac "e\h := h e @ [(pn, i)], cs := [(length (h e), m), aa], cs := [aa], h := h e\ = e") prefer 2 apply simp apply (simp only: valid_def) --{* case: list = ab lista *} apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) apply (rule ssubst[OF sysinv2.simps]) apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) apply (subgoal_tac "e\h := h e @ [(pn, i)], cs := (length (h e), m) # aa # ab # lista, cs := aa # ab # lista, h:= h e\ = e") prefer 2 apply simp apply (simp only: valid_def) apply simp --{* RET nat *} apply (frule_tac "sysinv_pres'") apply assumption apply (case_tac "m nat") apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp only: validF_validFs.simps eval.simps step_def safeF_def valid_def Let_def split_def fst_conv snd_conv option.cases instr.cases tval.cases simp_thms option.simps Pair_eq) apply (drule_tac P="\ x. x" in subst[OF sysinv2.simps]) apply (case_tac "cs e") apply simp apply (case_tac "list") apply (simp add: Let_def) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps validF_validFs.simps) apply (erule conjE | erule exE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def incA_def callpc_def callstate_def fst_conv snd_conv del: validF_validFs.simps sysinv.simps) apply (case_tac "lista") apply (simp add: callpc_def Let_def callstate_def split_def incA_def) apply (simp add: Let_def split_def nth_append rec_upd_simp rec_upd_simp2 rec_upd_simp3 min_elim fst_conv snd_conv del: validF_validFs.simps sysinv2.simps) apply (erule conjE |erule exE)+ apply (subgoal_tac "take (fst aa) (h e) ! fst ab = h e ! fst ab") prefer 2 apply (simp) apply (subgoal_tac "min (fst ab) (fst aa) = fst ab") prefer 2 apply (simp add: min_def) apply (subgoal_tac "fst ab - length (h e) = 0") prefer 2 apply simp apply (simp only: take.simps nat.cases simp_thms append_Nil2) --{* MOV nat1 nat2 *} apply (simp add: step_def safeF_def valid_def Let_def split_def fst_conv snd_conv ) apply (erule conjE)+ apply (case_tac "m nat1") apply simp prefer 2 apply simp --{* m nat1 = NAT nat *} apply simp apply (case_tac "m nat2") apply simp prefer 2 apply simp --{* m nat2 = NAT nata *} apply simp apply (erule conjE)+ apply (drule_tac t="e''" in sym) apply (drule_tac t="m''" in sym) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "cs e") apply simp --{* cs e = aa list *} apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (case_tac "list") apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (simp add: Let_def split_def fst_conv snd_conv del: sysinv2.simps) apply (erule conjE)+ apply (simp add: Let_def split_def fst_conv snd_conv nth_append rec_upd_simp del: sysinv2.simps) --{* HALT *} apply (simp add: step_def) (*>*) done lemma ex_weak: "\ n n'. a = NAT n \ b = NAT n' \ n = n' \ \ n n'. a = NAT n \ b = NAT n'" apply auto done lemma ex_eq: "(\n. m nat1 = NAT n) \ (\n'. m nat2 = NAT n') \ \ (\n. m nat1 = NAT n \ m nat2 = NAT n) \ (\n n'. m nat1 = NAT n \ m nat2 = NAT n' \ n \ n')" apply auto done lemma ex_less: "(\n. m nat1 = NAT n) \ (\n'. m nat2 = NAT n') \ \ (\n. m nat1 = NAT n \ (\n'. m nat2 = NAT n' \ n < n')) \ \n. m nat1 = NAT n \ (\n'. m nat2 = NAT n' \ \ n < n')" apply auto done lemma list_length_nth: "(la@[i,j])!(length la)=i" (*<*) apply (induct_tac la) apply simp apply simp (*>*) done lemma list_length_nth2: "(la@[i])!(length la)=i" (*<*) apply (induct_tac la) apply simp apply simp (*>*) done lemma list_length_suc_nth: "(la@[i,j])!(Suc (length la))=j" (*<*) apply (induct_tac la) apply simp apply simp (*>*) done lemma path_succsF: "\ l \ paths prg succsF; k+1 \ \ B. (l!(k+1),B) \ set (succsF prg (l!k))" (*<*) apply (rotate_tac 1) apply (erule rev_mp) apply (rule_tac prg="prg" and succsF'="succsF" in paths.induct) apply assumption apply simp apply (rule impI) apply (rule_tac x="B" in exI) apply assumption apply (case_tac "k= length (la)") apply simp apply (rule_tac x="B" in exI) apply (rename_tac "pc''") apply (subgoal_tac "(la@[pc,pc''])!(Suc (length la)) = pc''") prefer 2 apply (rule list_length_suc_nth) apply (subgoal_tac "(la@[pc,pc''])!(length la) = pc") prefer 2 apply (rule list_length_nth) apply simp apply (rule impI) apply (simp (no_asm) only: nth_append) apply (case_tac "k + 1 = length la") apply (simp add: list_length_nth2) apply (simp add: nth_append) apply (subgoal_tac "k + 1 < length (la @ [pc])") apply simp apply (simp only: nth_append) apply simp apply (subgoal_tac "k + 1 \ length (la @ [pc])") apply simp apply simp (*>*) done lemma less_chain_simp: "\ \ k. length l <= k+1 \ l!k < l!(k+1); 1 < length (l::pos list) \ \ hd l < last l" (*<*) apply (erule rev_mp) apply (erule rev_mp) apply (induct l) apply simp apply (case_tac list) apply simp apply (case_tac lista) apply simp apply (rule impI) apply (erule_tac x="0" in allE) apply simp apply (rule impI) apply (rule impI) apply hypsubst apply simp apply (rule conjI) apply (rule impI) apply simp apply (frule_tac x="0" and P="\ k. Suc (Suc 0) <= k \ (?Q k)" in spec) apply simp apply (frule_tac x="1" and P="\ k. Suc (Suc 0) <= k \ (?Q k)" in spec) apply simp apply (erule order_less_trans, assumption) apply (rule impI) apply simp apply (frule_tac x="0" and P="\ k. Suc (Suc (length listb)) <= k \ (?Q k)" in spec) apply simp apply (frule_tac x="1" and P="\ k. Suc (Suc (length listb)) <= k \ (?Q k)" in spec) apply simp apply (frule_tac x="0" in spec) apply (subgoal_tac "\ k. Suc (length listb) <= k \ ((aa#ab#listb)!k < (ab#listb)!k)") apply (drule mp) apply assumption apply simp apply (erule order_less_trans, assumption) apply (rule allI) apply (case_tac k) apply simp apply (case_tac listb) apply simp apply (case_tac nat) apply simp apply (frule_tac x="2" and P="\ k. Suc (Suc (Suc (length list))) <= k \ (?Q k)" in spec) apply simp apply simp apply (frule_tac x="Suc (Suc (Suc nata))" and P="\ k. Suc (Suc (Suc (length list))) <= k \ (?Q k)" in spec) apply simp (*>*) done lemma path_length: "\ l \ paths prg succsF \ \ 1 < length l" (*<*) apply (rule_tac prg="prg" and succsF'="succsF" in paths.induct) apply assumption apply simp apply simp (*>*) done lemma loop_has_back_jump: "\ l \ paths prg succsF; hd l = last l \ \ \ k. (k+1) l!(k+1) <= l!k" (*<*) apply (frule path_length) apply (rule classical) apply (simp only: not_ex) apply (simp only: de_Morgan_conj) apply (simp only: linorder_not_less) apply (subgoal_tac "\k. length ?l \ k + 1 \ ?l ! k < ?l ! (k + 1)") apply (drule less_chain_simp) apply assumption apply simp apply (rule allI) apply (erule_tac x="k" in allE) apply (subgoal_tac "(\ l ! (k+1) <= l ! k) = (l!k < l!(k+1))") apply simp apply (rule_tac x="l!(k+1)" and y="l!k" in linorder_not_le) (*>*) done lemma back_jumps_annotated: " wf prg \ \ pc'' pc B. (pc'',B) \ set (succsF prg pc) \ pc''<=pc \ ((anF prg pc'') \ None \ (anF prg pc \ None))" (*<*) apply (rule allI)+ apply (simp only: split_paired_all) apply (rename_tac "pn'" "i'" "pn" "i" "B") apply (rule impI)+ apply (subgoal_tac "\ ins. cmd prg (pn,i) = Some ins") apply (erule exE) apply (simp only: wf_def) apply (frule domC_split) apply (erule exE)+ apply (simp only: checkPos_split) apply (erule conjE)+ apply (simp add: checkPos_split Let_def split_def fst_conv snd_conv option.cases succsF_def) apply (case_tac ins) --{* SET nat1 nat2 *} apply simp apply (erule leq_pairE) apply simp apply simp --{* ADD nat1 nat2 *} apply simp apply (erule leq_pairE) apply simp apply simp --{* SUB nat1 nat2 *} apply simp apply (erule leq_pairE) apply simp apply simp --{* INC nat *} apply simp apply (erule leq_pairE) apply simp apply simp --{* JMPEQ nat1 nat2 nat3 *} apply simp apply (case_tac "i'=Suc i") apply simp apply (erule leq_pairE) apply simp apply simp apply (case_tac "nat3 = 0") apply simp apply (erule conjE)+ apply (case_tac "\y. anF prg (pn, i) = Some y") apply assumption apply simp apply simp apply (erule conjE)+ apply (erule leq_pairE) apply simp apply simp --{* JMPL nat1 nat2 nat3 *} apply simp apply (case_tac "i'=Suc i") apply simp apply (erule leq_pairE) apply simp apply simp apply (case_tac "nat3 = 0") apply simp apply (erule conjE)+ apply (case_tac "\y. anF prg (pn, i) = Some y") apply assumption apply simp apply simp apply (erule conjE)+ apply (erule leq_pairE) apply simp apply simp --{* JLE nat1 nat2 nat3 *} apply simp apply (case_tac "i'=Suc i") apply simp apply (erule leq_pairE) apply simp apply simp apply (case_tac "nat3 = 0") apply simp apply (erule conjE)+ apply (case_tac "\y. anF prg (pn, i) = Some y") apply assumption apply simp apply simp apply (erule conjE)+ apply (erule leq_pairE) apply simp apply simp --{* JMPB nat *} apply simp apply (case_tac "\y. anF prg (pn, i - nat) = Some y") apply simp apply simp --{* JMPI nat *} apply simp apply (case_tac "\y. anF prg (pn, i) = Some y") apply simp apply simp --{* CALL nat 1 nat2 *} apply simp apply (case_tac "\y. anF prg (nat2, 0) = Some y") apply simp apply simp --{* RET nat *} apply simp apply (drule set_list_split) apply (erule exE)+ apply (case_tac "list_all (\(pc, B). \y. anF prg pc = Some y) (ret_succs prg (pn,i) nat (callpoints prg pn))") apply simp apply (simp only: if_not_P if_False) --{* MOV nat1 nat2 *} apply simp apply (erule leq_pairE) apply simp apply simp --{* HALT *} apply simp apply (case_tac "cmd prg (pn,i)") apply (simp add: succsF_def Let_def option.cases) apply simp (*>*) done lemma isafeP_isafeF_initF: "s \ (isafeP prg) \ valid prg s (initF prg) \ valid prg s (isafeF prg (fst s))" apply (erule isafeP_elims) apply simp+ done lemma lookup_changedvars: "mp ? (V v) = Some e \ (changedvars mp) ? v = Some e" (*<*) apply (induct mp) apply simp apply simp apply (case_tac "fst a") apply simp apply (case_tac "nat = v") apply simp apply simp apply simp+ (*>*) done lemma lookup_changedvars_neg: "mp ? (V v) = None \ (changedvars mp) ? v = None" (*<*) apply (induct mp) apply simp apply simp apply (case_tac "fst a") apply simp apply (case_tac "nat = v") apply simp apply simp apply simp+ (*<*) done lemma nojunk_changedvars: "nojunk mp \ nojunk (changedvars mp)" (*<*) apply (induct mp) apply simp apply simp apply (case_tac "list ? (fst a)") prefer 2 apply simp apply simp apply (case_tac "fst a") apply simp apply (case_tac "changedvars list ? nat") apply simp apply (drule lookup_changedvars_neg) apply simp apply simp+ (*>*) done lemma changedvars_ran: "\ nojunk em; x \ set (ran (changedvars em)) \ \ x \ set (ran (em))" (*<*) apply (erule rev_mp)+ apply (induct_tac em) apply (simp add: ran_def dom_def) apply (rule impI)+ apply (frule nojunk_range) apply (simp del: ran_def nojunk.simps) apply (subgoal_tac "nojunk list") prefer 2 apply simp apply (case_tac "list ? (fst a)") apply simp apply simp apply (case_tac "fst a") apply (simp del: nojunk.simps) apply (drule nojunk_changedvars) apply (drule_tac mp="changedvars (a # list)" in nojunk_range) apply simp apply (erule disjE) apply simp apply simp apply simp+ (*>*) done lemma changedvars_map: "changedvars (map (\ (a,b). (a, C (eval I (p,m,e) b))) em) = (map (\ (a,b). (a, C (eval I (p,m,e) b))) (changedvars em))" (*<*) apply (induct em) apply simp apply (simp only: map.simps changedvars.simps) apply (simp only: split_paired_all) apply simp apply (case_tac a) apply simp+ (*>*) done lemma changedvars_append: "changedvars (mp@mp') = (changedvars mp) @ (changedvars mp')" (*<*) apply (induct mp) apply simp apply simp (*>*) done lemma lookup_evalmap_None: "em ? x = None \ map (\ (a,b). (a, C (eval I (p,m,e) b))) em ? x = None" (*<*) apply (induct em) apply simp apply (simp add: Let_def split_paired_all split_def fst_conv snd_conv) apply (case_tac "a = x") apply simp apply simp (*>*) done lemma lookup_evalmap_Some: "em ? x = Some x' \ map (\ (a,b). (a, C (eval I (p,m,e) b))) em ? x = Some (C (eval I (p,m,e) x'))" (*<*) apply (induct em) apply simp apply (simp add: Let_def split_paired_all split_def fst_conv snd_conv) apply (case_tac "a = x") apply simp apply simp (*>*) done lemma foldl_induct: "\ r r' g g' f. \ P r = Q r'; (P r = Q r') \ (P g = Q g'); (P g = Q g') \ (\ a\ set L. \ x y. P x = Q y \ P (f g x a) = Q (f g' y a)) \ \ P (foldl (f g) r L) = Q (foldl (f g') r' L)" (*<*) apply (erule rev_mp)+ apply (simp only: atomize_all) apply (induct L) apply simp apply (rule allI)+ apply (rule impI)+ apply simp (*>*) done lemma foldl_induct2: "\ r r' g g' f L L'. \ P r = Q r'; (P r = Q r') \ (P g = Q g'); L = map fst G ; L' = map snd G; (P g = Q g') \ L = map fst G \ L' = map snd G \ (\ i. i < length L \ (\ x y. P x = Q y \ P (f g x (L ! i)) = Q (f g' y (L' ! i)))) \ \ P (foldl (f g) r L) = Q (foldl (f g') r' L')" (*<*) apply (erule rev_mp)+ apply (simp only: atomize_all) apply (induct G) apply simp apply (rule allI)+ apply (rule impI)+ apply simp apply (erule_tac x="f g r (fst a)" in allE) apply (erule_tac x="f g' r' (snd a)" in allE) apply (erule_tac x="g" in allE) apply (erule_tac x="g'" in allE) apply (erule_tac x="f" in allE) apply simp apply (subgoal_tac "(\ix y. P x = Q y \ P (f g x (fst (list ! i))) = Q (f g' y (snd (list ! i))))") prefer 2 apply (rule allI) apply (rule impI) apply (erule_tac x="Suc i" in allE) apply simp apply (drule mp, assumption) apply (erule_tac x="0" in allE) apply simp (*>*) done lemma zip_fst: "\ L'. length L = length L' \ L = map fst (zip L L')" (*<*) apply (induct L) apply simp apply simp apply atomize apply (case_tac "L'") apply simp apply (erule_tac x="lista" in allE) apply simp done (*>*) lemma zip_snd: "\ L. length L = length L' \ L' = map snd (zip L L')" (*<*) apply (induct L') apply simp apply simp apply atomize apply (case_tac "L") apply simp apply (erule_tac x="lista" in allE) apply simp done (*>*) lemma foldl_induct2': "\ r r' g g' f L L'. \ P r = Q r'; (P r = Q r') \ (P g = Q g'); length L = length L'; (P g = Q g') \ (length L = length L') \ (\ i. i < length L \ (\ x y. P x = Q y \ P (f g x (L ! i)) = Q (f g' y (L' ! i)))) \ \ P (foldl (f g) r L) = Q (foldl (f g') r' L')" (*<*) apply (rule_tac G="zip L L'" in foldl_induct2) apply simp+ apply (erule_tac P="length L = length L'" in rev_mp) apply (induct_tac L) apply simp apply (case_tac "L'") apply simp apply simp apply (rule impI, rule zip_fst, assumption) apply (rule zip_snd, assumption) apply simp done (*>*) lemma list_split_at_i: "\ L. i < length L \ \ as a as'. L=as@a#as' \ length as = i" (*<*) apply (erule rev_mp) apply (simp only: atomize_all) apply (induct i) apply simp apply (rule allI) apply (rule impI) apply (simp add: neq_Nil_conv) apply (rule allI) apply (rule impI) apply (case_tac "n = length L") apply simp apply (subgoal_tac "n < length L") prefer 2 apply simp apply (erule_tac x="L" in allE) apply simp apply (erule exE | erule conjE)+ apply (case_tac "as'") apply simp apply (rule_tac x="as@[a]" in exI) apply simp (*>*) done lemma substE_eval: "eval I (p,m,e) (substE NoPt em ex) = eval I (p,m,e) (substE NoPt (map (\ (a,b). (a, C (eval I (p,m,e) b))) em) ex)" (*<*) apply (induct ex) --{* subgoal: V nat *} apply (simp add: mode.cases) apply (simp add: id_lookup_def) apply (case_tac "em ? (V nat)") apply (simp add: Let_def lookup_map_None) apply (simp add: Let_def lookup_map_Some) --{* subgoal: Lv v *} apply simp --{* subgoal: C tval *} apply (simp add: id_lookup_def) --{* subgoal: Pc *} apply (simp add: id_lookup_def) apply (case_tac "em ? Pc") apply (simp add: lookup_evalmap_None) apply (simp add: lookup_evalmap_Some) --{* subgoal: Rp *} apply (simp add: id_lookup_def) apply (case_tac "em ? Rp") apply (simp add: lookup_evalmap_None) apply (simp add: lookup_evalmap_Some) --{* subgoal: Tm *} apply (simp add: id_lookup_def) apply (case_tac "em ? Tm") apply (simp add: lookup_evalmap_None) apply (simp add: lookup_evalmap_Some) --{* subgoal: Add expr1 expr2*} apply simp --{* subgoal: Sub expr1 expr2) *} apply simp --{* subgoal: Mult expr1 expr2) *} apply simp --{* subgoal: Deref expr *} apply (simp add: mode.cases Let_def) apply (simp only: changedvars_map) apply (rule_tac L="changedvars em" and L'="(map (\(a, b). (a, C (eval I (p, m, e) b))) (changedvars em))" in foldl_induct2') apply simp apply simp apply simp apply simp apply (rule allI) apply (rule impI) apply (drule list_split_at_i) apply (erule exE | erule conjE)+ apply (simp add: nth_append) apply (rule allI)+ apply (rule impI)+ apply (simp add: split_def fst_conv snd_conv) apply (case_tac "eval I (p, m, e) (substE NoPt (map (\u. (fst u, C (eval I (p, m, e) (snd u)))) em) expr) = NAT (fst a)") apply simp apply simp --{* subgoal: Ifeq *} apply simp apply (case_tac "eval I (p, m, e) (substE NoPt (map (\(a, b). (a, C (eval I (p, m, e) b))) em) expr1) = eval I (p, m, e) (substE NoPt (map (\(a, b). (a, C (eval I (p, m, e) b))) em) expr2)") apply simp apply simp --{* subgoal: Old *} apply simp (*>*) done lemma substE_var_simp: "\ I p m e rm em v tv. \ (\ ex'\(set (ran em)). \ tv'. ex'=C tv'); nojunk ((V v,C tv)#em) \ \ eval I (p,m,e) (substE NoPt ((V v,C tv)#em) ex) = (eval I (p,m[v::=tv],e) (substE NoPt em ex))" (*<*) apply (erule rev_mp)+ apply (induct ex) --{* subgoal 1: ex = V nat *} apply (rule impI)+ apply (simp add: id_lookup_def) apply (case_tac "v = nat") apply (simp add: del_lookup_eq Let_def update_def) apply (case_tac "em ? (V nat)") apply (simp add: Let_def) apply simp --{* v ~= nat *} apply simp apply (case_tac "em ? (V nat)") apply (simp add: Let_def update_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: eval.simps) apply (drule_tac mp="em" and a="V nat" in some_lookup_range) apply simp --{* ex = Lv nat *} apply simp --{* ex = C tval *} apply (rule impI)+ apply simp --{* ex = Pc *} apply (rule impI)+ apply (simp add: id_lookup_def) apply (case_tac "em ? Pc") apply (simp add: Let_def) apply (simp add: Let_def update_def) apply (subgoal_tac "\ tv'. a = C tv'") prefer 2 apply (erule_tac x="a" in ballE) apply assumption apply (drule some_lookup_range) apply simp apply (erule exE) apply simp --{* ex = Rp *} apply (rule impI)+ apply (simp add: id_lookup_def) apply (case_tac "em ? Rp") apply (simp add: Let_def) apply (simp add: Let_def update_def) apply (subgoal_tac "\ tv'. a = C tv'") prefer 2 apply (erule_tac x="a" in ballE) apply assumption apply (drule some_lookup_range) apply simp apply (erule exE) apply simp --{* subgoal: Tm *} apply (rule impI)+ apply (simp add: id_lookup_def) apply (case_tac "em ? Tm") apply (simp add: Let_def) apply (simp add: Let_def update_def) apply (subgoal_tac "\ tv'. a = C tv'") prefer 2 apply (erule_tac x="a" in ballE) apply assumption apply (drule some_lookup_range) apply simp apply (erule exE) apply simp --{* subgoal: Add expr1 expr2 *} apply simp --{* subgoal: Sub expr1 expr2 *} apply simp --{* subgoal: Muld expr1 expr2 *} apply simp --{* subgoal: Deref expr *} apply atomize apply (rule impI)+ apply (simp add: substE.simps Let_def) apply (rule_tac L="changedvars em" in foldl_induct) apply simp apply (case_tac "eval I (p, m[v ::= tv], e) (substE NoPt em expr)") apply simp apply simp apply (case_tac "nat = v") apply (simp add: Let_def update_def) apply (simp add: Let_def update_def) apply simp apply simp apply simp apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? V v" ) apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="em" in allE) apply simp apply (erule_tac x="v" in allE) apply simp apply (erule_tac x="tv" in allE) apply (erule_tac x="snd a" in ballE) apply (erule exE) apply (simp add: split_def ) apply (case_tac "eval I (p, m[v ::= tv], e) (substE NoPt em expr) = NAT (fst a)") apply simp apply simp apply simp --{* subgoal: Ifeq *} apply (rule impI)+ apply simp apply (case_tac "eval I (p, m[v ::= tv], e) (substE NoPt em expr1) = eval I (p, m[v ::= tv], e) (substE NoPt em expr2)") apply simp apply simp --{* subgoal: Old expr *} apply (simp add: split_paired_all Let_def) (*>*) done subsection {* Substituting Pc in Expressions *} lemma substE_Pc: "\ (\ ex'\(set (ran em)). \ tv'. ex'=C tv') ; nojunk ((Pc,C (POS p2))#em) \ \ eval I (p,m,e) (substE md ((Pc,C (POS p2))#em) ex) = eval I (p2,m,e) (substE md em ex)" (*<*) apply (induct ex) --{* ex = V nat *} apply (simp add: eval.simps substE.simps) apply (subgoal_tac "V nat \ Pc") prefer 2 apply simp apply (frule_tac as="em" and a="Pc" and b="C (POS p2)" in id_lookup_red) apply (simp only: ) apply (case_tac md) --{* md = NoPt *} apply (case_tac "em ? (V nat)") apply (simp add: id_lookup_def Let_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: id_lookup_def) apply (drule some_lookup_range) apply simp --{* md = Mv nat1 nat2 *} apply (simp add: Let_def) apply (case_tac "m nat2 = NAT nat") apply (simp add: Let_def) apply (case_tac "m nat1") apply simp apply (simp add: Let_def) apply simp apply simp apply (case_tac "em ? (V nat)") apply (simp add: id_lookup_def Let_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: id_lookup_def) apply (drule some_lookup_range) apply simp --{* ex = Lv nat *} apply simp --{* ex = C tval *} apply simp --{* subgoal: Pc *} apply simp apply (case_tac "em ? Pc") prefer 2 apply simp apply (simp add: id_lookup_def Let_def) --{* subgoal: Rp *} apply simp apply (subgoal_tac "(((Pc, C (POS p2)) # em)?\<^sub>=Rp) = (em ?\<^sub>= Rp)") prefer 2 apply (simp only: id_lookup_def lookup.simps fst_conv) apply (subgoal_tac "Pc \ Rp") prefer 2 apply simp apply simp apply simp apply (simp only: id_lookup_def) apply (case_tac "em ? Rp") apply (simp add: Let_def) apply simp apply (erule_tac x="a" in ballE) apply (erule exE) apply simp apply (drule_tac a="Rp" in some_lookup_range) apply simp --{* subgoal: Tm *} apply simp apply (subgoal_tac "(((Pc, C (POS p2)) # em)?\<^sub>= Tm) = (em ?\<^sub>= Tm)") prefer 2 apply (simp only: id_lookup_def lookup.simps fst_conv) apply (subgoal_tac "Pc \ Tm") prefer 2 apply simp apply simp apply simp apply (simp only: id_lookup_def) apply (case_tac "em ? Tm") apply (simp add: Let_def) apply simp apply (erule_tac x="a" in ballE) apply (erule exE) apply simp apply (drule_tac a="Tm" in some_lookup_range) apply simp --{* subgoal: Add expr1 expr2 *} apply simp --{* subgoal: Minus expr1 expr2 *} apply simp --{* subgoal: Mult expr1 expr2 *} apply simp --{* subgoal: Deref expr *} apply (simp add: Let_def) apply (case_tac md) apply simp apply (rule foldl_induct) apply simp apply (case_tac " eval I (p2, m, e) (substE NoPt em expr)") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule impI) apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? Pc" ) apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="snd a" in ballE) apply (erule exE) apply (simp add: split_def ) apply (case_tac "eval I (p2, m, e) (substE NoPt em expr) = NAT (fst a)") apply simp apply simp apply simp --{* md = Mv nat1 nat2 *} apply (simp add: Let_def) apply (case_tac "m nat2 = eval I (p2, m, e) (substE (Mv nat1 nat2) em expr)") apply (simp add: Let_def) apply (case_tac "m nat1") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule foldl_induct) apply simp apply (case_tac " eval I (p2, m, e) (substE (Mv nat1 nat2) em expr)") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule impI) apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? Pc" ) apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="snd a" in ballE) apply (erule exE) apply (simp add: split_def ) apply (case_tac "eval I (p2, m, e) (substE (Mv nat1 nat2) em expr) = NAT (fst a)") apply simp apply simp apply simp --{* IF expr1 = expr2 THEN expr3 ELSE expr4 *} apply simp apply (case_tac "eval I (p2, m, e) (substE md em expr1) = eval I (p2, m, e) (substE md em expr2)") apply simp apply simp --{* Old expr *} apply (simp add: Let_def split_def fst_conv snd_conv) (*>*) done subsection {* Substituting Tm in expressions *} lemma substE_Tm: "\ (\ ex'\(set (ran em)). \ tv'. ex'=C tv') ; nojunk ((Tm,Add Tm (C (NAT 1)))#em); 1 < length (cs e) \ fst (hd (cs e)) < length (h e) \ \ eval I (p,m,e) (substE md ((Tm,Add Tm (C (NAT 1)))#em) ex) = eval I (p,m,e\h:=(h e)@[p]\) (substE md em ex)" (*<*) apply (induct ex) apply (simp add: eval.simps substE.simps) apply (subgoal_tac "V nat \ Tm") prefer 2 apply simp apply (frule_tac as="em" and a="Tm" and b="Add Tm (C (NAT 1))" in id_lookup_red) apply simp apply (case_tac md) --{* md = NoPt *} apply (case_tac "em ? (V nat)") apply (simp add: id_lookup_def Let_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: id_lookup_def) apply (drule some_lookup_range) apply simp --{* md = Mv nat1 nat2 *} apply (simp add: Let_def) apply (case_tac "m nat2 = NAT nat") apply (simp add: Let_def) apply (case_tac "m nat1") apply simp apply (simp add: Let_def) apply simp apply simp apply (case_tac "em ? (V nat)") apply (simp add: id_lookup_def Let_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: id_lookup_def) apply (drule some_lookup_range) apply simp --{* Lv nat *} apply simp --{* ex = C tval *} apply simp --{* subgoal: Pc *} apply (simp add: id_lookup_def) apply (case_tac "em ? Pc") apply (simp add: Let_def) apply simp apply (erule_tac x="a" in ballE) apply (erule exE) apply simp apply (drule_tac a="Pc" in some_lookup_range) apply simp --{* subgoal: Rp *} apply simp apply (subgoal_tac "(((Tm,Add Tm (C (NAT 1))) # em)?\<^sub>=Rp) = (em ?\<^sub>= Rp)") prefer 2 apply (simp only: id_lookup_def lookup.simps fst_conv) apply (subgoal_tac "Tm \ Rp") prefer 2 apply simp apply simp apply simp apply (simp only: id_lookup_def) apply (case_tac "em ? Rp") apply (simp add: Let_def) apply (case_tac "cs e") apply simp --{* cs e = a list *} apply (case_tac "list") apply simp --{* hier wird benoetigt: 1 < cs e - - > fst (hd (cs e)) < length (h e) *} apply (simp add: callstate_def callpc_def nth_append split_def) apply simp apply (erule_tac x="a" in ballE) apply (erule exE) apply simp apply (drule_tac a="Rp" in some_lookup_range) apply simp --{* subgoal: Tm *} apply (simp add: id_lookup_def) apply (case_tac "em ? Tm") apply (simp add: Let_def lift_def) apply simp --{* subgoal: Add expr1 expr2 *} apply simp --{* subgoal: Minus expr1 expr2 *} apply simp --{* subgoal: Mult expr1 expr2 *} apply simp --{* subgoal: Deref expr *} apply (simp add: Let_def) apply (case_tac md) apply simp apply (rule foldl_induct) apply simp apply (case_tac " eval I (p,m,e\h := h e @ [p]\) (substE NoPt em expr)") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule impI) apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? Tm" ) apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="snd a" in ballE) apply (erule exE) apply (simp add: split_def ) apply (case_tac "eval I (p, m,e\h := h e @ [p]\) (substE NoPt em expr) = NAT (fst a)") apply simp apply simp apply simp --{* md = Mv nat1 nat2 *} apply (simp add: Let_def) apply (case_tac "m nat2 = eval I (p, m, e\h := h e @ [p]\) (substE (Mv nat1 nat2) em expr)") apply (simp add: Let_def) apply (case_tac "m nat1") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule foldl_induct) apply simp apply (case_tac " eval I (p, m, e\h := h e @ [p]\) (substE (Mv nat1 nat2) em expr)") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule impI) apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? Tm" ) apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="snd a" in ballE) apply (erule exE) apply (simp add: split_def ) apply (case_tac "eval I (p, m, e\h := h e @ [p]\) (substE (Mv nat1 nat2) em expr) = NAT (fst a)") apply simp apply simp apply simp --{* IF expr1 = expr2 THEN expr3 ELSE expr4 *} apply simp apply (case_tac "eval I (p,m,e\h := h e @ [p]\) (substE md em expr1) = eval I (p, m, e\h := h e @ [p]\) (substE md em expr2)") apply simp apply simp --{* Old expr *} apply (simp add: Let_def split_def fst_conv snd_conv callstate_def) apply (case_tac "cs e") apply simp apply simp apply (case_tac "list") apply (simp add: split_def) apply (simp add: nth_append split_def rec_upd_simp) (*>*) done subsection {* Substituting Rp in expressions *} lemma substE_Rp: "\ (\ ex'\(set (ran em)). \ tv'. ex'=C tv'); nojunk ((Tm,Add Tm (C (NAT 1)))#(Rp,(C (POS (incA p))))#em); 1 < length (cs e) \ fst (hd (cs e)) < length (h e); cs e \ [] \ \ eval I (p,m,e) (contextDnE (substE NoPt ((Tm,Add Tm (C (NAT 1)))#(Rp,(C (POS (incA p))))#em) ex)) = eval I (p,m,e\cs:=(length (h e),m)#(cs e), h:=(h e)@[p]\) (substE NoPt em ex)" (*<*) apply (induct ex) apply (simp add: eval.simps substE.simps) apply (subgoal_tac "V nat \ Tm") prefer 2 apply simp apply (frule_tac as="(Rp,C (POS (incA p)))#em" and a="Tm" and b="Add Tm (C (NAT 1))" in id_lookup_red) apply simp apply (subgoal_tac "V nat \ Rp") prefer 2 apply simp apply (frule_tac as="em" and a="Rp" and b="(C (POS (incA p)))" in id_lookup_red) apply simp apply (case_tac "em ? (V nat)") apply (simp add: id_lookup_def Let_def) apply (erule_tac x="a" in ballE) apply (erule exE) apply (simp add: id_lookup_def) apply (drule some_lookup_range) apply simp --{* subgoal: Lv nat *} apply simp --{* subgoal: C tval *} apply simp --{* subgoal: Pc *} apply simp apply (subgoal_tac "(((Tm,Add Tm (C (NAT 1)))#(Rp,C (POS (incA p)))# em)?\<^sub>= Pc) = (em ?\<^sub>= Pc)") prefer 2 apply (simp only: id_lookup_def lookup.simps fst_conv) apply (subgoal_tac "Tm \ Pc") prefer 2 apply simp apply (subgoal_tac "Rp \ Pc") prefer 2 apply simp apply simp apply simp apply (simp only: id_lookup_def) apply (case_tac "em ? Pc") apply (simp add: Let_def) apply simp apply (erule_tac x="a" in ballE) apply (erule exE) apply simp apply (drule_tac a="Pc" in some_lookup_range) apply simp --{* subgoal: Rp *} apply simp apply (subgoal_tac "(((Tm,Add Tm (C (NAT 1)))#(Rp,C (POS (incA p)))# em)?\<^sub>=Rp) = C (POS (incA p))") prefer 2 apply (simp only: id_lookup_def lookup.simps fst_conv) apply (subgoal_tac "Tm \ Rp") prefer 2 apply simp apply simp apply simp apply (simp only: id_lookup_def) apply (case_tac "em ? Rp") apply (simp add: Let_def) apply (case_tac "cs e") apply simp --{* cs e = a list *} apply (simp add: callpc_def callstate_def nth_append) apply (case_tac "em ? Tm") apply simp apply simp --{* subgoal: Tm *} apply (simp add: id_lookup_def lookup.simps) apply (case_tac "em ? Tm") apply (simp add: Let_def split_def fst_conv snd_conv lift_def) apply simp --{* subgoal: Add expr1 expr2 *} apply simp --{* subgoal: Minus expr1 expr2 *} apply simp --{* subgoal: Mult expr1 expr2 *} apply simp --{* subgoal: Deref expr *} apply (simp add: Let_def) apply (rule_tac L="changedvars em" in foldl_induct) apply simp apply (case_tac "eval I (p, m, e\cs := (length (h e), m) # cs e, h := h e @ [p]\) (substE NoPt em expr)") apply simp apply (simp add: Let_def) apply simp apply simp apply (rule impI) apply (rule ballI) apply (rule allI)+ apply (rule impI) apply (simp add: split_def) apply (case_tac "eval I (p, m, e\cs := (length (h e), m) # cs e, h := h e @ [p]\) (substE NoPt em expr) = NAT (fst a)") apply simp apply (subgoal_tac "nojunk em") prefer 2 apply (case_tac "em ? Tm" ) apply simp apply (case_tac "em ? Rp") apply simp apply simp apply simp apply (frule nojunk_changedvars) apply (drule_tac mp="changedvars em" in set_lookup) apply simp apply (drule some_lookup_range) apply (drule changedvars_ran) apply simp apply (erule_tac x="snd a" in ballE) apply (erule exE) apply simp apply simp apply simp --{* IF expr1 = expr2 THEN expr3 ELSE expr4 *} apply simp apply (case_tac "eval I (p, m, e\cs := (length (h e), m) # cs e, h := h e @ [p]\) (substE NoPt em expr1) = eval I (p, m, e\cs := (length (h e), m) # cs e, h := h e @ [p]\) (substE NoPt em expr2)") apply simp apply simp --{* Old expr *} apply (simp add: Let_def split_def fst_conv snd_conv callstate_def) apply (case_tac "cs e") apply simp apply simp apply (simp add: nth_append split_def rec_upd_simp) apply (drule_tac s="cs e" in sym) apply simp apply (simp only: rec_upd_simp3) apply (subgoal_tac "e\cs := cs e, h := h e\ = e") prefer 2 apply simp apply (simp only:) (*>*) done subsection {* Effect of contextOldUp on expressions *} lemma substE_ContextOldUp: "\ (cs e) = (k',m')#(k'',m'')#css; k' < length (h e); css \ [] \ k'' < length (take k' (h e)) \ \ eval I (p,m,e) (contextOldUpE ex) = eval I (p,m,e\cs:=tl (cs e)\) ex" (*<*) apply (induct ex) --{* subgoal: V nat *} apply (simp add: eval.simps substE.simps Let_def) --{* subgoal: Lv nat *} apply simp --{* subgoal: C tval *} apply (simp add: eval.simps substE.simps Let_def) --{* subgoal: Pc *} apply (simp add: eval.simps substE.simps Let_def) --{* subgoal: Rp *} apply (simp add: eval.simps substE.simps Let_def split_def callstate_def callpc_def initialState_def) apply (case_tac "css") apply simp apply (simp add: split_def callpc_def callstate_def) --{* subgoal: Tm *} apply (simp add: eval.simps substE.simps Let_def) --{* subgoal: Add expr1 expr2 *} apply simp --{* subgoal: Minus expr1 expr2 *} apply simp --{* subgoal: Mult expr1 expr2 *} apply simp --{* subgoal: Deref expr *} apply (simp add: eval.simps substE.simps Let_def) apply (case_tac "eval I (p, m, e\cs := (k'', m'') # css\) expr") apply simp apply (simp add: Let_def) apply simp --{* IF expr1 = expr2 THEN expr3 ELSE expr4 *} apply simp apply (case_tac "eval I (p, m, e\cs := (k'', m'') # css\) expr1 = eval I (p, m, e\cs := (k'', m'') # css\) expr2") apply simp apply simp --{* Old expr *} apply (simp add: Let_def split_def fst_conv snd_conv callstate_def) apply (case_tac "css") apply simp apply simp apply (erule conjE)+ apply (subgoal_tac "min k'' k' = k''") prefer 2 apply (simp add: min_def) apply (simp add: nth_append split_def rec_upd_simp rec_upd_simp3) done section {* Substitutions on formulae *} lemma substE_empty: "substE NoPt [] ex = ex" (*<*) apply (induct ex) apply (simp add: id_lookup_def Let_def)+ (*>*) done lemma tval_V_C_noteq: "(V x = C tv) = False" (*<*) apply simp (*>*) done lemma tval_C_V_noteq: "(C tv = V x) = False" (*<*) apply simp (*>*) done lemma sizeF_substF: "\ rm. sizeF (substF md em f) = sizeF f" (*<*) apply (induct f) apply (simp add: sizeF_sizeFs.simps substF_substFL.simps)+ (*>*) done lemma substF_var_simp: "\ p m e em v tv I. \ (\ ex'\(set (ran em)). \ tv'. ex'=C tv'); nojunk ((V v,C tv)#em) \ \ validF I (p,m,e) (substF NoPt ((V v,C tv)#em) f) = (validF I (p,m[v::=tv],e) (substF NoPt em f))" (*<*) apply (erule rev_mp)+ apply (simp only: atomize_all) apply (rule allI) apply (rule allI) apply (rule allI) apply (rule allI) apply (rule allI) apply (rule allI) apply (induct f) --{* T *} apply (simp add: valid_def validF_validFs.simps) --{* F *} apply (simp add: valid_def validF_validFs.simps) --{* And list *} apply (drule_tac psi="(\ (l::form list). \ p m e em v tv I. (\ex'\set (FiniteMap.ran em). \tv'. ex' = C tv') \ nojunk ((V v, C tv) # em) \ (validF I (p,m,e) (And (substFL NoPt ((V v, C tv)#em) l))) = (validF I (p,m[v ::= tv],e) (And (substFL NoPt em l)))) list" in asm_rl) apply (rule allI) apply (erule_tac x="p" in allE) apply (erule_tac x="m" in allE) apply (erule_tac x="e" in allE) apply (erule_tac x="em" in allE) apply (erule_tac x="v" in allE) apply (erule_tac x="tv" in allE) apply (erule_tac x="I" in allE) apply (simp add: valid_def validF_validFs.simps) prefer 10 apply simp prefer 9 apply simp --{* Impl form1 form2 *} apply (simp add: valid_def validF_validFs.simps) --{* Neg form *} apply (simp add: valid_def validF_validFs.simps) --{* expr1 = expr2 *} apply (simp add: validF_validFs.simps del: nojunk.simps) apply (rule impI)+ apply (rule allI) apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr1)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr1))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr2)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr2))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply simp --{* Leq expr1 expr2 *} apply (simp add: validF_validFs.simps del: nojunk.simps) apply (rule impI)+ apply (rule allI) apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr1)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr1))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr2)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr2))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply simp --{* Less expr1 expr2 *} apply (simp add: validF_validFs.simps del: nojunk.simps) apply (rule impI)+ apply (rule allI) apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr1)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr1))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr2)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr2))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply simp --{* Ty expr vtype *} apply (simp add: validF_validFs.simps del: nojunk.simps) apply (rule impI)+ apply (rule allI) apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply simp --{* Forall nat. form *} apply (rule allI) apply (rule impI)+ apply simp --{* Yields *} apply (simp add: validF_validFs.simps del: nojunk.simps) apply (rule impI)+ apply (rule allI) apply (subgoal_tac "(eval I (p, m, e) (substE NoPt ((V v, C tv) # em) expr)) = (eval I (p, m[v ::= tv], e) (substE NoPt em expr))") prefer 2 apply (rule substE_var_simp) apply assumption+ apply simp (*>*) done lemma substF_empty: "substF NoPt [] f = f" (*<*) apply (induct f) apply simp apply simp apply (drule_tac psi="(\ (l::form list). (substFL NoPt [] l) = l) list" in asm_rl) apply (simp add: substE_empty)+ (*>*) done lemma substF_Pc: "\ p m e em p2 md I. \ (\ ex'\(set (ran em)). \ tv'. ex'=C tv'); nojunk ((Pc,C (POS p2))#em) \ \ validF I (p,m,e) (substF md ((Pc,C (POS p2))#em) f) = (validF I (p2,m,e) (substF md em f))" (*<*) apply (induct f) --{* T *} apply (simp add: valid_def validF_validFs.simps) --{* F *} apply (simp add: valid_def validF_validFs.simps) --{* And list *} apply (drule_tac psi="(\ (l::form list). \ p m e em p2 md I. (\ex'\set (FiniteMap.ran em). \tv'. ex' = C tv') \ nojunk ((Pc, C (POS p2)) # em) \ (validF I (p,m,e) (And (substFL md ((Pc, C (POS p2))#em) l))) = (validF I (p2,m,e) (And (substFL md em l)))) list" in asm_rl) apply (erule_tac x="p" in allE) apply (erule_tac x="m" in allE) apply (erule_tac x="e" in allE) apply (erule_tac x="em" in allE) apply (erule_tac x="p2" in allE) apply (erule_tac x="md" in allE) apply (erule_tac x="I" in allE) apply simp prefer 10 apply simp prefer 9 apply simp --{* Impl form1 form2 *} apply (simp add: valid_def validF_validFs.simps) --{* Neg form *} apply (simp add: valid_def validF_validFs.simps) --{* expr1 = expr2 *} apply (simp add: substE_Pc valid_def validF_validFs.simps del: nojunk.simps) --{* expr1 <= expr2 *} apply (simp add: substE_Pc valid_def validF_validFs.simps del: nojunk.simps) --{* expr1 < expr2 *} apply (simp add: substE_Pc valid_def validF_validFs.simps del: nojunk.simps) --{* Ty *} apply (simp add: substE_Pc valid_def validF_validFs.simps del: nojunk.simps) --{* Forall nat. form *} apply (simp add: substF_substFL.simps valid_def validF_validFs.simps Let_def split_def fst_conv snd_conv) --{* Yields *} apply (simp add: substE_Pc valid_def validF_validFs.simps del: nojunk.simps) done lemma substF_Tm_NoPt: "\ p m e em I. \ (\ ex'\(set (ran em)). \ tv'. ex'=C tv') ; nojunk ((Tm, Tm \ C (NAT 1))#em); 1 < length (cs e) \ fst (hd (cs e)) < length (h e) \ \ validF I (p,m,e) (substF NoPt ((Tm, Tm \ C (NAT 1))#em) f) = validF I (p,m,e\h := h e @ [p]\) (substF NoPt em f)" apply (induct f) --{* T *} apply (simp add: valid_def validF_validFs.simps) --{* F *} apply (simp add: valid_def validF_validFs.simps) --{* And list *} apply (drule_tac psi="(\ (l::form list). \ p m e em I. (\ex'\set (FiniteMap.ran em). \tv'. ex' = C tv') \ nojunk ((Tm, Tm \ C (NAT 1)) # em) \ (1 < length (cs e) \ fst (hd (cs e)) < length (h e)) \ validF I (p,m,e) (And (substFL NoPt ((Tm, Tm \ C (NAT 1))#em) l)) = validF I (p,m,e\