isabelle: src/HOL/IMP/Natural.thy@043f8dc3b51f (annotated)

12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	1	(* Title: HOL/IMP/Natural.thy
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	2	ID: $Id$
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	3	Author: Tobias Nipkow & Robert Sandner, TUM
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	4	Isar Version: Gerwin Klein, 2001; additional proofs by Lawrence Paulson
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	5	Copyright 1996 TUM
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	6	*)
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	7
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	8	header "Natural Semantics of Commands"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	9
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 14565 diff changeset	10	theory Natural imports Com begin
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	11
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	12	subsection "Execution of commands"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	13
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	14	text {*
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	15	We write @{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} for \emph{Statement @{text c}, started
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	16	in state @{text s}, terminates in state @{text s'}}. Formally,
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	17	@{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} is just another form of saying \emph{the tuple
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	18	@{text "(c,s,s')"} is part of the relation @{text evalc}}:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	19	*}
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	20
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	21	definition
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	22	update :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a \<Rightarrow> 'b)" ("_/[_ ::= /_]" [900,0,0] 900) where
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	23	"update = fun_upd"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	24
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	25	notation (xsymbols)
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	26	update ("_/[_ \<mapsto> /_]" [900,0,0] 900)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	27
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	28	text {* Disable conflicting syntax from HOL Map theory. *}
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	29
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	30	no_syntax
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	31	"_maplet" :: "['a, 'a] => maplet" ("_ /\|->/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	32	"_maplets" :: "['a, 'a] => maplet" ("_ /[\|->]/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	33	"" :: "maplet => maplets" ("_")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	34	"_Maplets" :: "[maplet, maplets] => maplets" ("_,/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	35	"_MapUpd" :: "['a ~=> 'b, maplets] => 'a ~=> 'b" ("_/'(_')" [900,0]900)
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	36	"_Map" :: "maplets => 'a ~=> 'b" ("(1[_])")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	37
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	38	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	39	The big-step execution relation @{text evalc} is defined inductively:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	40	*}
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	41	inductive
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	42	evalc :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	43	where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	44	Skip: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s"
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	45	\| Assign: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s[x\<mapsto>a s]"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	46
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	47	\| Semi: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	48
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	49	\| IfTrue: "b s \<Longrightarrow> \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	50	\| IfFalse: "\<not>b s \<Longrightarrow> \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	51
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	52	\| WhileFalse: "\<not>b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	53	\| WhileTrue: "b s \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s'
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	54	\<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	55
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	56	lemmas evalc.intros [intro] -- "use those rules in automatic proofs"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	57
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	58	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	59	The induction principle induced by this definition looks like this:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	60
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	61	@{thm [display] evalc.induct [no_vars]}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	62
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	63
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	64	(@{text "\<And>"} and @{text "\<Longrightarrow>"} are Isabelle's
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	65	meta symbols for @{text "\<forall>"} and @{text "\<longrightarrow>"})
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	66	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	67
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	68	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	69	The rules of @{text evalc} are syntax directed, i.e.~for each
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	70	syntactic category there is always only one rule applicable. That
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	71	means we can use the rules in both directions. This property is called rule inversion.
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	72	*}
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	73	inductive_cases skipE [elim!]: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	74	inductive_cases semiE [elim!]: "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	75	inductive_cases assignE [elim!]: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	76	inductive_cases ifE [elim!]: "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	77	inductive_cases whileE [elim]: "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	78
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	79	text {* The next proofs are all trivial by rule inversion.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	80	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	81
37736 2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	82	inductive_simps
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	83	skip: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s'"
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	84	and assign: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s'"
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	85	and semi: "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	86
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	87	lemma ifTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	88	"b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	89	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	90
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	91	lemma ifFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	92	"\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	93	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	94
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	95	lemma whileFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	96	"\<not> b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	97	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	98
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	99	lemma whileTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	100	"b s \<Longrightarrow>
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	101	\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s' =
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	102	(\<exists>s''. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s')"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	103	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	104
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	105	text "Again, Isabelle may use these rules in automatic proofs:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	106	lemmas evalc_cases [simp] = skip assign ifTrue ifFalse whileFalse semi whileTrue
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	107
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	108	subsection "Equivalence of statements"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	109
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	110	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	111	We call two statements @{text c} and @{text c'} equivalent wrt.~the
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	112	big-step semantics when \emph{@{text c} started in @{text s} terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	113	in @{text s'} iff @{text c'} started in the same @{text s} also terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	114	in the same @{text s'}}. Formally:
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	115	*}
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	116	definition
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	117	equiv_c :: "com \<Rightarrow> com \<Rightarrow> bool" ("_ \<sim> _" [56, 56] 55) where
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	118	"c \<sim> c' = (\<forall>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s')"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	119
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	120	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	121	Proof rules telling Isabelle to unfold the definition
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	122	if there is something to be proved about equivalent
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	123	statements: *}
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	124	lemma equivI [intro!]:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	125	"(\<And>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s') \<Longrightarrow> c \<sim> c'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	126	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	127
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	128	lemma equivD1:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	129	"c \<sim> c' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	130	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	131
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	132	lemma equivD2:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	133	"c \<sim> c' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	134	by (unfold equiv_c_def) blast
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	135
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	136	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	137	As an example, we show that loop unfolding is an equivalence
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	138	transformation on programs:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	139	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	140	lemma unfold_while:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	141	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)" (is "?w \<sim> ?if")
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	142	proof -
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	143	-- "to show the equivalence, we look at the derivation tree for"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	144	-- "each side and from that construct a derivation tree for the other side"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	145	{ fix s s' assume w: "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	146	-- "as a first thing we note that, if @{text b} is @{text False} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	147	-- "then both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	148	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	149	hence "\<not>b s \<Longrightarrow> \<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	150	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	151	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	152	-- {* then only the @{text WhileTrue} rule can have been used to derive @{text "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"} *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	153	{ assume b: "b s"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	154	with w obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	155	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	156	-- "now we can build a derivation tree for the @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	157	-- "first, the body of the True-branch:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	158	hence "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule Semi)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	159	-- "then the whole @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	160	with b have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule IfTrue)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	161	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	162	ultimately
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	163	-- "both cases together give us what we want:"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	164	have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	165	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	166	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	167	-- "now the other direction:"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	168	{ fix s s' assume "if": "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	169	-- "again, if @{text b} is @{text False} in state @{text s}, then the False-branch"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	170	-- "of the @{text \<IF>} is executed, and both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	171	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	172	hence "\<not>b s \<Longrightarrow> \<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	173	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	174	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	175	-- {* then this time only the @{text IfTrue} rule can have be used *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	176	{ assume b: "b s"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	177	with "if" have "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	178	-- "and for this, only the Semi-rule is applicable:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	179	then obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	180	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	181	-- "with this information, we can build a derivation tree for the @{text \<WHILE>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	182	with b
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	183	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule WhileTrue)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	184	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	185	ultimately
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	186	-- "both cases together again give us what we want:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	187	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	188	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	189	ultimately
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	190	show ?thesis by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	191	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	192
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	193	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	194	Happily, such lengthy proofs are seldom necessary. Isabelle can prove many such facts automatically.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	195	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	196
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	197	lemma
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	198	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	199	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	200
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	201	lemma triv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	202	"(\<IF> b \<THEN> c \<ELSE> c) \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	203	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	204
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	205	lemma commute_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	206	"(\<IF> b1 \<THEN> (\<IF> b2 \<THEN> c11 \<ELSE> c12) \<ELSE> c2)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	207	\<sim>
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	208	(\<IF> b2 \<THEN> (\<IF> b1 \<THEN> c11 \<ELSE> c2) \<ELSE> (\<IF> b1 \<THEN> c12 \<ELSE> c2))"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	209	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	210
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	211	lemma while_equiv:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	212	"\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<sim> c' \<Longrightarrow> (c0 = \<WHILE> b \<DO> c) \<Longrightarrow> \<langle>\<WHILE> b \<DO> c', s\<rangle> \<longrightarrow>\<^sub>c u"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	213	by (induct rule: evalc.induct) (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	214
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	215	lemma equiv_while:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	216	"c \<sim> c' \<Longrightarrow> (\<WHILE> b \<DO> c) \<sim> (\<WHILE> b \<DO> c')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	217	by (simp add: equiv_c_def) (metis equiv_c_def while_equiv)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	218
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	219
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	220	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	221	Program equivalence is an equivalence relation.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	222	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	223
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	224	lemma equiv_refl:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	225	"c \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	226	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	227
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	228	lemma equiv_sym:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	229	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	230	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	231
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	232	lemma equiv_trans:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	233	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c3 \<Longrightarrow> c1 \<sim> c3"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	234	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	235
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	236	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	237	Program constructions preserve equivalence.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	238	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	239
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	240	lemma equiv_semi:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	241	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (c1; c2) \<sim> (c1'; c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	242	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	243
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	244	lemma equiv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	245	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (\<IF> b \<THEN> c1 \<ELSE> c2) \<sim> (\<IF> b \<THEN> c1' \<ELSE> c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	246	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	247
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	248	lemma while_never: "\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<noteq> \<WHILE> (\<lambda>s. True) \<DO> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	249	apply (induct rule: evalc.induct)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	250	apply auto
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	251	done
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	252
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	253	lemma equiv_while_True:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	254	"(\<WHILE> (\<lambda>s. True) \<DO> c1) \<sim> (\<WHILE> (\<lambda>s. True) \<DO> c2)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	255	by (blast dest: while_never)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	256
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	257
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	258	subsection "Execution is deterministic"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	259
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	260	text {*
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	261	This proof is automatic.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	262	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	263	theorem "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = t"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	264	by (induct arbitrary: u rule: evalc.induct) blast+
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	265
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	266
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	267	text {*
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	268	The following proof presents all the details:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	269	*}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	270	theorem com_det:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	271	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	272	shows "u = t"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	273	using prems
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	274	proof (induct arbitrary: u set: evalc)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	275	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	276	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	277	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	278	fix a s x u assume "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	279	thus "u = s[x \<mapsto> a s]" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	280	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	281	fix c0 c1 s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	282	assume IH0: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	283	assume IH1: "\<And>u. \<langle>c1,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	284
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	285	assume "\<langle>c0;c1, s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	286	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	287	c0: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	288	c1: "\<langle>c1,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	289	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	290
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	291	from c0 IH0 have "s'=s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	292	with c1 IH1 show "u=s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	293	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	294	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	295	assume IH: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	296
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	297	assume "b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	298	hence "\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	299	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	300	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	301	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	302	assume IH: "\<And>u. \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	303
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	304	assume "\<not>b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	305	hence "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	306	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	307	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	308	fix b c s u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	309	assume "\<not>b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	310	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	311	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	312	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	313	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	314	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	315
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	316	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	317	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	318	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	319	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	320	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	321
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	322	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	323	with w "IH\<^sub>w" show "u = s1" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	324	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	325
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	326
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	327	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	328	This is the proof as you might present it in a lecture. The remaining
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	329	cases are simple enough to be proved automatically:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	330	*}
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	331	theorem
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	332	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	333	shows "u = t"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	334	using prems
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	335	proof (induct arbitrary: u)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	336	-- "the simple @{text \<SKIP>} case for demonstration:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	337	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	338	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	339	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	340	-- "and the only really interesting case, @{text \<WHILE>}:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	341	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	342	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	343	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	344
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	345	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	346	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	347	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	348	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	349	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	350
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	351	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	352	with w "IH\<^sub>w" show "u = s1" by blast
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	353	qed blast+ -- "prove the rest automatically"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	354
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	355	end

author	blanchet
	Wed, 15 Dec 2010 18:10:32 +0100
changeset 41171	043f8dc3b51f
parent 37736	2bf3a2cb5e58
child 41529	ba60efa2fd08
permissions	-rw-r--r--