theory SALTypeSafetyPlatform = VerificationConditionGenerator + SALSemantics: section {* SAL Safety Logic *} constdefs valid::"SALprogram \ SALstate \ SALform \ bool" ("(_,_ \ _)" [61,61,60] 60) "valid prg s f \ f(s)" constdefs provable::"SALprogram \ SALform \ bool" ("(_ \ _)" [61,60] 60) "provable prg f \ \ s. valid prg s f" lemma [code]: "provable prg f = term (provable (to_term prg) (to_term f))" apply (simp add: term_def to_term_def) done constdefs FalseF::"SALform" "FalseF \ \ s. False" lemma [code]: "FalseF = term (\ s. False)" apply (simp only: term_def FalseF_def) done constdefs TrueF::"SALform" "TrueF \ \ s. True" lemma [code]: "TrueF = term (\ s. True)" apply (simp only: term_def TrueF_def) done constdefs Conj::"SALform list \ SALform" "Conj fl \ \ s. \ f\set fl. f(s)" constdefs Impl::"SALform \ SALform \ SALform" "Impl a b \ \ s. a(s) \ b(s)" (*<*) lemma [code]: "Conj [] = TrueF" apply (unfold Conj_def) apply simp apply (fold TrueF_def) by simp lemma [code]: "Conj (f#fl) = term (\ s.((to_term f) s \ (to_term (Conj fl)) s))" apply (unfold Conj_def term_def to_term_def) apply auto done lemma [code]: "Impl a b = term (\ s. (to_term a) s \ (to_term b) s)" apply (unfold Impl_def term_def to_term_def) apply auto done (*>*) section {* Weakest Preconditions *} constdefs wpF::"SALprogram \ nat \ nat \ SALform \ SALform" "wpF p i j Q \ case (cmd p i) of None \ FalseF | Some ins \ (case ins of SET x n \ (\(pc, m). Q (j, m[x \ NAT n])) | ADD x y \ (\(pc, m). Q (j, m[x \ lift (op +) (m x) (m y)])) | INC x \ (\(pc, m). Q (j, m[x \ lift (op +) (m x) (NAT 1)])) | JMPEQ x y t \ (\(pc, m). Q (j, m)) | JMPB t \ (\(pc, m). Q (j, m)))" lemma [code]: "wpF p i j Q = (case (cmd p i) of None \ FalseF | Some ins \ (case ins of SET x n \ term (\(pc, m). (to_term Q) (to_term j, m[(to_term x) \ NAT (to_term n)])) | ADD x y \ term (\(pc, m). (to_term Q) (to_term j, m[(to_term x) \ lift (op +) (m (to_term x)) (m (to_term y))])) | INC x \ term (\(pc, m). (to_term Q) (to_term j, m[(to_term x) \ lift (op +) (m (to_term x)) (NAT 1)])) | JMPEQ x y t \ term (\(pc, m). (to_term Q) (to_term j, m)) | JMPB t \ term (\(pc, m). (to_term Q) (to_term j, m))))" apply (simp only: wpF_def term_def to_term_def) done section {* Control Flow *} constdefs succsF::"SALprogram \ nat \ (nat \ SALform) list" "succsF p i \ case (cmd p i) of None \ [] | Some ins \ (case ins of SET x n \ [(i + 1, TrueF)] | ADD x y \ [(i + 1, TrueF)] | INC x \ [(i + 1, TrueF)] | JMPEQ x y t \ [(i + t, \(pc, m). m x = m y), (i + 1, \(pc, m). m x \ m y)] | JMPB t \ [(i - t, TrueF)])" lemma [code]: "succsF p i = (case (cmd p i) of None \ [] | Some ins \ (case ins of SET x n \ [(i + 1, TrueF)] | ADD x y \ [(i + 1, TrueF)] | INC x \ [(i + 1, TrueF)] | JMPEQ x y t \ [(i + t, term (\(pc, m). (m (to_term x)) = (m (to_term y)))), (i + 1, term (\(pc, m). (m (to_term x)) \ (m (to_term y))))] | JMPB t \ [(i - t, TrueF)]))" apply (simp only: succsF_def term_def to_term_def) done constdefs anF::"SALprogram \ nat \ (SALform option)" "anF prg p \ snd (prg ! p)" constdefs domA :: "SALprogram \ nat list" "domA \ \ prg. [pc\ domC prg. (anF prg pc) \ None]" constdefs ipc :: "SALprogram \ nat" "ipc prg \ 0" section {* Safety Policy *} constdefs safeF::"SALprogram \ nat \ SALform" "safeF prg p \ (case (cmd prg p) of None \ FalseF | Some a \ (case a of SET X n \ TrueF | ADD X Y \ (\ (p,m). m X \ ILLEGAL \ m Y \ ILLEGAL) | INC X \ (\ (p,m). m X \ ILLEGAL) | JMPEQ X Y t \ TrueF | JMPB t \ TrueF))" lemma [code]: "safeF prg p = (case (cmd prg p) of None \ FalseF | Some ins \ (case ins of SET X n \ TrueF | ADD X Y \ term (\ (p,m). m (to_term X) \ ILLEGAL \ m (to_term Y) \ ILLEGAL) | INC X \ term (\ (p,m). m (to_term X) \ ILLEGAL) | JMPEQ X Y t \ TrueF | JMPB t \ TrueF))" apply (simp only: term_def to_term_def safeF_def) done constdefs initF:: "SALprogram \ SALform" "initF prg \ \ (p,m). p=0 \ (\ X. m X = ILLEGAL)" lemma [code]: "initF prg = term ( \ (p,m). p=0 \ (\ X. m X = ILLEGAL))" apply (simp only: term_def to_term_def initF_def) done subsection {* Wellformedness Checker *} consts checkPos :: "SALprogram \ (nat list) \ bool" primrec "checkPos prg [] = True" "checkPos prg (p # ps) = (if ((case (cmd prg p) of None \ False | Some c \ (case c of SET x n \ True | ADD x y \ True | INC x \ True | JMPEQ x y t \ (t = 0) \ ((anF prg p) \ None) | JMPB t \ ((anF prg (p - t)) \ None) ))) then (checkPos prg ps) else False)" constdefs wf :: "SALprogram \ bool" "wf prg \ checkPos prg (domC prg)" section {* Instantiating the VCG *} constdefs vcgTSAL:: "SALprogram \ SALform" "vcgTSAL prg \ vcG Conj Impl FalseF ipc initF safeF succsF wpF domC domA anF prg" (*<*) types_code set ("(_ -> bool)") consts_code "op :" ("(_ |> _)") "Collect" ("(_)") ML {* fun term_of_fun_type _ _ _ _= error "term_of_fun_type applied" *} ML {* fun term_of_bool _ = error "term_of_bool applied" *} generate_code ("vcgTSAL.ML") [term_of] prov = "provable" vcg = "vcgTSAL" (*>*) ML {* fun prf_size () = let val proof_state = Toplevel.proof_of (Toplevel.get_state ()); val (_, (_, st)) = Proof.get_goal proof_state; val {der = (_, prf), ...} = rep_thm st in Proofterm.size_of_proof (prf) end; *} ML {* fun nprf_size () = let val proof_state = Toplevel.proof_of (Toplevel.get_state ()); val (_, (_, st)) = Proof.get_goal proof_state; val {der = (_, prf), ...} = rep_thm st in Proofterm.size_of_proof (Proofterm.rewrite_proof_notypes ([], ProofRewriteRules.rprocs false) prf) end; *} end