isabelle: src/HOL/MicroJava/BV/BVNoTypeError.thy@16464c3f86bd (annotated)

13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	1	(* Title: HOL/MicroJava/BV/BVNoTypeErrors.thy
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	2	ID: $Id$
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	3	Author: Gerwin Klein
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	4	*)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	5
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	6	header {* \isaheader{Welltyped Programs produce no Type Errors} *}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	7
24340 811f78424efc theory header: more precise imports; wenzelm parents: 23467 diff changeset	8	theory BVNoTypeError imports "../JVM/JVMDefensive" BVSpecTypeSafe begin
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	9
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	10	text {*
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	11	Some simple lemmas about the type testing functions of the
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	12	defensive JVM:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	13	*}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	14	lemma typeof_NoneD [simp,dest]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	15	"typeof (\<lambda>v. None) v = Some x \<Longrightarrow> \<not>isAddr v"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	16	by (cases v) auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	17
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	18	lemma isRef_def2:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	19	"isRef v = (v = Null \<or> (\<exists>loc. v = Addr loc))"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	20	by (cases v) (auto simp add: isRef_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	21
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	22	lemma app'Store[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	23	"app' (Store idx, G, pc, maxs, rT, (ST,LT)) = (\<exists>T ST'. ST = T#ST' \<and> idx < length LT)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	24	by (cases ST, auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	25
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	26	lemma app'GetField[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	27	"app' (Getfield F C, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	28	(\<exists>oT vT ST'. ST = oT#ST' \<and> is_class G C \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	29	field (G,C) F = Some (C,vT) \<and> G \<turnstile> oT \<preceq> Class C)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	30	by (cases ST, auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	31
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	32	lemma app'PutField[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	33	"app' (Putfield F C, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	34	(\<exists>vT vT' oT ST'. ST = vT#oT#ST' \<and> is_class G C \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	35	field (G,C) F = Some (C, vT') \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	36	G \<turnstile> oT \<preceq> Class C \<and> G \<turnstile> vT \<preceq> vT')"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	37	apply rule
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	38	defer
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	39	apply clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	40	apply (cases ST)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	41	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	42	apply (cases "tl ST")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	43	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	44	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	45
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	46	lemma app'Checkcast[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	47	"app' (Checkcast C, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	48	(\<exists>rT ST'. ST = RefT rT#ST' \<and> is_class G C)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	49	apply rule
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	50	defer
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	51	apply clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	52	apply (cases ST)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	53	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	54	apply (cases "hd ST")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	55	defer
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	56	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	57	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	58	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	59
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	60
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	61	lemma app'Pop[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	62	"app' (Pop, G, pc, maxs, rT, (ST,LT)) = (\<exists>T ST'. ST = T#ST')"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	63	by (cases ST, auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	64
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	65
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	66	lemma app'Dup[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	67	"app' (Dup, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	68	(\<exists>T ST'. ST = T#ST' \<and> length ST < maxs)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	69	by (cases ST, auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	70
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	71
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	72	lemma app'Dup_x1[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	73	"app' (Dup_x1, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	74	(\<exists>T1 T2 ST'. ST = T1#T2#ST' \<and> length ST < maxs)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	75	by (cases ST, simp, cases "tl ST", auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	76
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	77
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	78	lemma app'Dup_x2[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	79	"app' (Dup_x2, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	80	(\<exists>T1 T2 T3 ST'. ST = T1#T2#T3#ST' \<and> length ST < maxs)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	81	by (cases ST, simp, cases "tl ST", simp, cases "tl (tl ST)", auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	82
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	83
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	84	lemma app'Swap[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	85	"app' (Swap, G, pc, maxs, rT, (ST,LT)) = (\<exists>T1 T2 ST'. ST = T1#T2#ST')"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	86	by (cases ST, simp, cases "tl ST", auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	87
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	88
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	89	lemma app'IAdd[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	90	"app' (IAdd, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	91	(\<exists>ST'. ST = PrimT Integer#PrimT Integer#ST')"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	92	apply (cases ST)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	93	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	94	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	95	apply (case_tac a)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	96	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	97	apply (case_tac prim_ty)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	98	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	99	apply (case_tac prim_ty)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	100	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	101	apply (case_tac list)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	102	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	103	apply (case_tac a)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	104	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	105	apply (case_tac prim_ty)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	106	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	107	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	108
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	109
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	110	lemma app'Ifcmpeq[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	111	"app' (Ifcmpeq b, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	112	(\<exists>T1 T2 ST'. ST = T1#T2#ST' \<and> 0 \<le> b + int pc \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	113	((\<exists>p. T1 = PrimT p \<and> T1 = T2) \<or>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	114	(\<exists>r r'. T1 = RefT r \<and> T2 = RefT r')))"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	115	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	116	apply (cases ST)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	117	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	118	apply (cases "tl ST")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	119	apply (case_tac a)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	120	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	121	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	122
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	123
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	124	lemma app'Return[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	125	"app' (Return, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	126	(\<exists>T ST'. ST = T#ST'\<and> G \<turnstile> T \<preceq> rT)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	127	by (cases ST, auto)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	128
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	129
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	130	lemma app'Throw[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	131	"app' (Throw, G, pc, maxs, rT, (ST,LT)) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	132	(\<exists>ST' r. ST = RefT r#ST')"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	133	apply (cases ST, simp)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	134	apply (cases "hd ST")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	135	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	136	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	137
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	138
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	139	lemma app'Invoke[simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	140	"app' (Invoke C mn fpTs, G, pc, maxs, rT, ST, LT) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	141	(\<exists>apTs X ST' mD' rT' b'.
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	142	ST = (rev apTs) @ X # ST' \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	143	length apTs = length fpTs \<and> is_class G C \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	144	(\<forall>(aT,fT)\<in>set(zip apTs fpTs). G \<turnstile> aT \<preceq> fT) \<and>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	145	method (G,C) (mn,fpTs) = Some (mD', rT', b') \<and> G \<turnstile> X \<preceq> Class C)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	146	(is "?app ST LT = ?P ST LT")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	147	proof
32443 16464c3f86bd tuned proofs nipkow parents: 24340 diff changeset	148	assume "?P ST LT" thus "?app ST LT" by (auto simp add: list_all2_def)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	149	next
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	150	assume app: "?app ST LT"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	151	hence l: "length fpTs < length ST" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	152	obtain xs ys where xs: "ST = xs @ ys" "length xs = length fpTs"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	153	proof -
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	154	have "ST = take (length fpTs) ST @ drop (length fpTs) ST" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	155	moreover from l have "length (take (length fpTs) ST) = length fpTs"
32443 16464c3f86bd tuned proofs nipkow parents: 24340 diff changeset	156	by simp
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	157	ultimately show ?thesis ..
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	158	qed
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	159	obtain apTs where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	160	"ST = (rev apTs) @ ys" and "length apTs = length fpTs"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	161	proof -
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	162	from xs(1) have "ST = rev (rev xs) @ ys" by simp
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	163	then show thesis by (rule that) (simp add: xs(2))
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	164	qed
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	165	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	166	from l xs obtain X ST' where "ys = X#ST'" by (auto simp add: neq_Nil_conv)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	167	ultimately
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	168	have "ST = (rev apTs) @ X # ST'" "length apTs = length fpTs" by auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	169	with app
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	170	show "?P ST LT"
32443 16464c3f86bd tuned proofs nipkow parents: 24340 diff changeset	171	apply (clarsimp simp add: list_all2_def)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	172	apply ((rule exI)+, (rule conjI)?)+
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	173	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	174	done
32443 16464c3f86bd tuned proofs nipkow parents: 24340 diff changeset	175	qed
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	176
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	177	lemma approx_loc_len [simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	178	"approx_loc G hp loc LT \<Longrightarrow> length loc = length LT"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	179	by (simp add: approx_loc_def list_all2_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	180
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	181	lemma approx_stk_len [simp]:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	182	"approx_stk G hp stk ST \<Longrightarrow> length stk = length ST"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	183	by (simp add: approx_stk_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	184
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	185	lemma isRefI [intro, simp]: "G,hp \<turnstile> v ::\<preceq> RefT T \<Longrightarrow> isRef v"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	186	apply (drule conf_RefTD)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	187	apply (auto simp add: isRef_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	188	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	189
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	190	lemma isIntgI [intro, simp]: "G,hp \<turnstile> v ::\<preceq> PrimT Integer \<Longrightarrow> isIntg v"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	191	apply (unfold conf_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	192	apply auto
22271 51a80e238b29 Adapted to new inductive definition package. berghofe parents: 18551 diff changeset	193	apply (erule widen.cases)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	194	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	195	apply (cases v)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	196	apply auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	197	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	198
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	199	lemma list_all2_approx:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	200	"\<And>s. list_all2 (approx_val G hp) s (map OK S) =
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	201	list_all2 (conf G hp) s S"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	202	apply (induct S)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	203	apply (auto simp add: list_all2_Cons2 approx_val_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	204	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	205
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	206	lemma list_all2_conf_widen:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	207	"wf_prog mb G \<Longrightarrow>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	208	list_all2 (conf G hp) a b \<Longrightarrow>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	209	list_all2 (\<lambda>x y. G \<turnstile> x \<preceq> y) b c \<Longrightarrow>
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	210	list_all2 (conf G hp) a c"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	211	apply (rule list_all2_trans)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	212	defer
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	213	apply assumption
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	214	apply assumption
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	215	apply (drule conf_widen, assumption+)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	216	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	217
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	218
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	219	text {*
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	220	The main theorem: welltyped programs do not produce type errors if they
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	221	are started in a conformant state.
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	222	*}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	223	theorem no_type_error:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	224	assumes welltyped: "wt_jvm_prog G Phi" and conforms: "G,Phi \<turnstile>JVM s \<surd>"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	225	shows "exec_d G (Normal s) \<noteq> TypeError"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	226	proof -
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	227	from welltyped obtain mb where wf: "wf_prog mb G" by (fast dest: wt_jvm_progD)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	228
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	229	obtain xcp hp frs where s [simp]: "s = (xcp, hp, frs)" by (cases s)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	230
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	231	from conforms have "xcp \<noteq> None \<or> frs = [] \<Longrightarrow> check G s"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	232	by (unfold correct_state_def check_def) auto
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	233	moreover {
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	234	assume "\<not>(xcp \<noteq> None \<or> frs = [])"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	235	then obtain stk loc C sig pc frs' where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	236	xcp [simp]: "xcp = None" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	237	frs [simp]: "frs = (stk,loc,C,sig,pc)#frs'"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	238	by (clarsimp simp add: neq_Nil_conv) fast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	239
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	240	from conforms obtain ST LT rT maxs maxl ins et where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	241	hconf: "G \<turnstile>h hp \<surd>" and
18551 be0705186ff5 class now an keyword, quoted where necessary haftmann parents: 16417 diff changeset	242	"class": "is_class G C" and
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	243	meth: "method (G, C) sig = Some (C, rT, maxs, maxl, ins, et)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	244	phi: "Phi C sig ! pc = Some (ST,LT)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	245	frame: "correct_frame G hp (ST,LT) maxl ins (stk,loc,C,sig,pc)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	246	frames: "correct_frames G hp Phi rT sig frs'"
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	247	by (auto simp add: correct_state_def) (rule that)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	248
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	249	from frame obtain
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	250	stk: "approx_stk G hp stk ST" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	251	loc: "approx_loc G hp loc LT" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	252	pc: "pc < length ins" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	253	len: "length loc = length (snd sig) + maxl + 1"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	254	by (auto simp add: correct_frame_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	255
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	256	note approx_val_def [simp]
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	257
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	258	from welltyped meth conforms
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	259	have "wt_instr (ins!pc) G rT (Phi C sig) maxs (length ins) et pc"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	260	by simp (rule wt_jvm_prog_impl_wt_instr_cor)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	261	then obtain
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	262	app': "app (ins!pc) G maxs rT pc et (Phi C sig!pc) " and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	263	eff: "\<forall>(pc', s')\<in>set (eff (ins ! pc) G pc et (Phi C sig ! pc)). pc' < length ins"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	264	by (simp add: wt_instr_def phi) blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	265
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	266	from eff
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	267	have pc': "\<forall>pc' \<in> set (succs (ins!pc) pc). pc' < length ins"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	268	by (simp add: eff_def) blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	269
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	270	from app' phi
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	271	have app:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	272	"xcpt_app (ins!pc) G pc et \<and> app' (ins!pc, G, pc, maxs, rT, (ST,LT))"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	273	by (clarsimp simp add: app_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	274
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	275	with eff stk loc pc'
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	276	have "check_instr (ins!pc) G hp stk loc C sig pc maxs frs'"
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	277	proof (cases "ins!pc")
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	278	case (Getfield F C)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	279	with app stk loc phi obtain v vT stk' where
18551 be0705186ff5 class now an keyword, quoted where necessary haftmann parents: 16417 diff changeset	280	"class": "is_class G C" and
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	281	field: "field (G, C) F = Some (C, vT)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	282	stk: "stk = v # stk'" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	283	conf: "G,hp \<turnstile> v ::\<preceq> Class C"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	284	apply clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	285	apply (blast dest: conf_widen [OF wf])
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	286	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	287	from conf have isRef: "isRef v" ..
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	288	moreover {
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	289	assume "v \<noteq> Null"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	290	with conf field isRef wf
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	291	have "\<exists>D vs. hp (the_Addr v) = Some (D,vs) \<and> G \<turnstile> D \<preceq>C C"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	292	by (auto dest!: non_np_objD)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	293	}
18551 be0705186ff5 class now an keyword, quoted where necessary haftmann parents: 16417 diff changeset	294	ultimately show ?thesis using Getfield field "class" stk hconf wf
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	295	apply clarsimp
14045 a34d89ce6097 Introduced distinction wf_prog vs. ws_prog streckem parents: 13822 diff changeset	296	apply (fastsimp intro: wf_prog_ws_prog
a34d89ce6097 Introduced distinction wf_prog vs. ws_prog streckem parents: 13822 diff changeset	297	dest!: hconfD widen_cfs_fields oconf_objD)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	298	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	299	next
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	300	case (Putfield F C)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	301	with app stk loc phi obtain v ref vT stk' where
18551 be0705186ff5 class now an keyword, quoted where necessary haftmann parents: 16417 diff changeset	302	"class": "is_class G C" and
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	303	field: "field (G, C) F = Some (C, vT)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	304	stk: "stk = v # ref # stk'" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	305	confv: "G,hp \<turnstile> v ::\<preceq> vT" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	306	confr: "G,hp \<turnstile> ref ::\<preceq> Class C"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	307	apply clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	308	apply (blast dest: conf_widen [OF wf])
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	309	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	310	from confr have isRef: "isRef ref" ..
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	311	moreover {
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	312	assume "ref \<noteq> Null"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	313	with confr field isRef wf
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	314	have "\<exists>D vs. hp (the_Addr ref) = Some (D,vs) \<and> G \<turnstile> D \<preceq>C C"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	315	by (auto dest: non_np_objD)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	316	}
18551 be0705186ff5 class now an keyword, quoted where necessary haftmann parents: 16417 diff changeset	317	ultimately show ?thesis using Putfield field "class" stk confv
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	318	by clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	319	next
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	320	case (Invoke C mn ps)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	321	with app
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	322	obtain apTs X ST' where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	323	ST: "ST = rev apTs @ X # ST'" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	324	ps: "length apTs = length ps" and
22271 51a80e238b29 Adapted to new inductive definition package. berghofe parents: 18551 diff changeset	325	w: "\<forall>(x, y)\<in>set (zip apTs ps). G \<turnstile> x \<preceq> y" and
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	326	C: "G \<turnstile> X \<preceq> Class C" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	327	mth: "method (G, C) (mn, ps) \<noteq> None"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	328	by (simp del: app'.simps) blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	329
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	330	from ST stk
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	331	obtain aps x stk' where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	332	stk': "stk = aps @ x # stk'" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	333	aps: "approx_stk G hp aps (rev apTs)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	334	x: "G,hp \<turnstile> x ::\<preceq> X" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	335	l: "length aps = length apTs"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	336	by (auto dest!: approx_stk_append)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	337
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	338	from stk' l ps
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	339	have [simp]: "stk!length ps = x" by (simp add: nth_append)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	340	from stk' l ps
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	341	have [simp]: "take (length ps) stk = aps" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	342	from w ps
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	343	have widen: "list_all2 (\<lambda>x y. G \<turnstile> x \<preceq> y) apTs ps"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	344	by (simp add: list_all2_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	345
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	346	from stk' l ps have "length ps < length stk" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	347	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	348	from wf x C
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	349	have x: "G,hp \<turnstile> x ::\<preceq> Class C" by (rule conf_widen)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	350	hence "isRef x" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	351	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	352	{ assume "x \<noteq> Null"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	353	with x
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	354	obtain D fs where
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	355	hp: "hp (the_Addr x) = Some (D,fs)" and
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	356	D: "G \<turnstile> D \<preceq>C C"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	357	by - (drule non_npD, assumption, clarsimp, blast)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	358	hence "hp (the_Addr x) \<noteq> None" (is ?P1) by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	359	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	360	from wf mth hp D
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	361	have "method (G, cname_of hp x) (mn, ps) \<noteq> None" (is ?P2)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	362	by (auto dest: subcls_widen_methd)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	363	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	364	from aps have "list_all2 (conf G hp) aps (rev apTs)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	365	by (simp add: list_all2_approx approx_stk_def approx_loc_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	366	hence "list_all2 (conf G hp) (rev aps) (rev (rev apTs))"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	367	by (simp only: list_all2_rev)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	368	hence "list_all2 (conf G hp) (rev aps) apTs" by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	369	with wf widen
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	370	have "list_all2 (conf G hp) (rev aps) ps" (is ?P3)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	371	by - (rule list_all2_conf_widen)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	372	ultimately
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	373	have "?P1 \<and> ?P2 \<and> ?P3" by blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	374	}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	375	moreover
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	376	note Invoke
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	377	ultimately
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	378	show ?thesis by simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	379	next
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	380	case Return with stk app phi meth frames
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	381	show ?thesis
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	382	apply clarsimp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	383	apply (drule conf_widen [OF wf], assumption)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	384	apply (clarsimp simp add: neq_Nil_conv isRef_def2)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	385	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	386	qed auto
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	387	hence "check G s" by (simp add: check_def meth pc)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	388	} ultimately
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	389	have "check G s" by blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	390	thus "exec_d G (Normal s) \<noteq> TypeError" ..
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	391	qed
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	392
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	393
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	394	text {*
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	395	The theorem above tells us that, in welltyped programs, the
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	396	defensive machine reaches the same result as the aggressive
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	397	one (after arbitrarily many steps).
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	398	*}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	399	theorem welltyped_aggressive_imp_defensive:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	400	"wt_jvm_prog G Phi \<Longrightarrow> G,Phi \<turnstile>JVM s \<surd> \<Longrightarrow> G \<turnstile> s -jvm\<rightarrow> t
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	401	\<Longrightarrow> G \<turnstile> (Normal s) -jvmd\<rightarrow> (Normal t)"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	402	apply (unfold exec_all_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	403	apply (erule rtrancl_induct)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	404	apply (simp add: exec_all_d_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	405	apply simp
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	406	apply (fold exec_all_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	407	apply (frule BV_correct, assumption+)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	408	apply (drule no_type_error, assumption, drule no_type_error_commutes, simp)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	409	apply (simp add: exec_all_d_def)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	410	apply (rule rtrancl_trans, assumption)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	411	apply blast
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	412	done
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	413
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	414
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	415	lemma neq_TypeError_eq [simp]: "s \<noteq> TypeError = (\<exists>s'. s = Normal s')"
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	416	by (cases s, auto)
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	417
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	418	theorem no_type_errors:
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	419	"wt_jvm_prog G Phi \<Longrightarrow> G,Phi \<turnstile>JVM s \<surd>
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	420	\<Longrightarrow> G \<turnstile> (Normal s) -jvmd\<rightarrow> t \<Longrightarrow> t \<noteq> TypeError"
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	421	apply (unfold exec_all_d_def)
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	422	apply (erule rtrancl_induct)
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	423	apply simp
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	424	apply (fold exec_all_d_def)
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	425	apply (auto dest: defensive_imp_aggressive BV_correct no_type_error)
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	426	done
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	427
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	428	corollary no_type_errors_initial:
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	429	fixes G ("\<Gamma>") and Phi ("\<Phi>")
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	430	assumes wt: "wt_jvm_prog \<Gamma> \<Phi>"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	431	assumes is_class: "is_class \<Gamma> C"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	432	and method: "method (\<Gamma>,C) (m,[]) = Some (C, b)"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	433	and m: "m \<noteq> init"
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	434	defines start: "s \<equiv> start_state \<Gamma> C m"
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	435
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	436	assumes s: "\<Gamma> \<turnstile> (Normal s) -jvmd\<rightarrow> t"
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	437	shows "t \<noteq> TypeError"
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	438	proof -
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	439	from wt is_class method have "\<Gamma>,\<Phi> \<turnstile>JVM s \<surd>"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	440	unfolding start by (rule BV_correct_initial)
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	441	from wt this s show ?thesis by (rule no_type_errors)
13822 bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	442	qed
bb5eda7416e5 check maxs in defensive machine kleing parents: 13678 diff changeset	443
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	444	text {*
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	445	As corollary we get that the aggressive and the defensive machine
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	446	are equivalent for welltyped programs (if started in a conformant
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	447	state or in the canonical start state)
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	448	*}
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	449	corollary welltyped_commutes:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	450	fixes G ("\<Gamma>") and Phi ("\<Phi>")
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	451	assumes wt: "wt_jvm_prog \<Gamma> \<Phi>" and *: "\<Gamma>,\<Phi> \<turnstile>JVM s \<surd>"
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	452	shows "\<Gamma> \<turnstile> (Normal s) -jvmd\<rightarrow> (Normal t) = \<Gamma> \<turnstile> s -jvm\<rightarrow> t"
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	453	apply rule
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	454	apply (erule defensive_imp_aggressive, rule welltyped_aggressive_imp_defensive)
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	455	apply (rule wt)
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	456	apply (rule *)
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	457	apply assumption
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	458	done
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	459
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	460	corollary welltyped_initial_commutes:
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	461	fixes G ("\<Gamma>") and Phi ("\<Phi>")
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	462	assumes wt: "wt_jvm_prog \<Gamma> \<Phi>"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	463	assumes is_class: "is_class \<Gamma> C"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	464	and method: "method (\<Gamma>,C) (m,[]) = Some (C, b)"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	465	and m: "m \<noteq> init"
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	466	defines start: "s \<equiv> start_state \<Gamma> C m"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	467	shows "\<Gamma> \<turnstile> (Normal s) -jvmd\<rightarrow> (Normal t) = \<Gamma> \<turnstile> s -jvm\<rightarrow> t"
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	468	proof -
23467 d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	469	from wt is_class method have "\<Gamma>,\<Phi> \<turnstile>JVM s \<surd>"
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	470	unfolding start by (rule BV_correct_initial)
d1b97708d5eb tuned proofs -- avoid implicit prems; wenzelm parents: 22271 diff changeset	471	with wt show ?thesis by (rule welltyped_commutes)
13633 b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	472	qed
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	473
b03a36b8d528 type safety with defensive machine kleing parents: diff changeset	474	end

author	nipkow
	Fri, 28 Aug 2009 20:18:33 +0200
changeset 32443	16464c3f86bd
parent 24340	811f78424efc
child 32960	69916a850301
permissions	-rw-r--r--