isabelle: src/HOL/Hoare/Hoare_Logic_Abort.thy@1e8dd9cd320b (annotated)

41959 b460124855b8 tuned headers; wenzelm parents: 37591 diff changeset	1	(* Title: HOL/Hoare/Hoare_Logic_Abort.thy
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	2	Author: Leonor Prensa Nieto & Tobias Nipkow
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	3	Copyright 2003 TUM
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	4
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	5	Like Hoare.thy, but with an Abort statement for modelling run time errors.
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	6	*)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	7
35320 f80aee1ed475 dropped axclass; dropped Id; session theory Hoare.thy haftmann parents: 35113 diff changeset	8	theory Hoare_Logic_Abort
28457 25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 27330 diff changeset	9	imports Main
24470 41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	10	begin
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	11
42174 d0be2722ce9f modernized specifications; wenzelm parents: 42153 diff changeset	12	type_synonym 'a bexp = "'a set"
d0be2722ce9f modernized specifications; wenzelm parents: 42153 diff changeset	13	type_synonym 'a assn = "'a set"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	14
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	15	datatype
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	16	'a com = Basic "'a \<Rightarrow> 'a"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	17	\| Abort
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	18	\| Seq "'a com" "'a com" ("(_;/ _)" [61,60] 60)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	19	\| Cond "'a bexp" "'a com" "'a com" ("(1IF _/ THEN _ / ELSE _/ FI)" [0,0,0] 61)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	20	\| While "'a bexp" "'a assn" "'a com" ("(1WHILE _/ INV {_} //DO _ /OD)" [0,0,0] 61)
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35101 diff changeset	21
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	22	abbreviation annskip ("SKIP") where "SKIP == Basic id"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	23
42174 d0be2722ce9f modernized specifications; wenzelm parents: 42153 diff changeset	24	type_synonym 'a sem = "'a option => 'a option => bool"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	25
36643 f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	26	inductive Sem :: "'a com \<Rightarrow> 'a sem"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	27	where
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	28	"Sem (Basic f) None None"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	29	\| "Sem (Basic f) (Some s) (Some (f s))"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	30	\| "Sem Abort s None"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	31	\| "Sem c1 s s'' \<Longrightarrow> Sem c2 s'' s' \<Longrightarrow> Sem (c1;c2) s s'"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	32	\| "Sem (IF b THEN c1 ELSE c2 FI) None None"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	33	\| "s \<in> b \<Longrightarrow> Sem c1 (Some s) s' \<Longrightarrow> Sem (IF b THEN c1 ELSE c2 FI) (Some s) s'"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	34	\| "s \<notin> b \<Longrightarrow> Sem c2 (Some s) s' \<Longrightarrow> Sem (IF b THEN c1 ELSE c2 FI) (Some s) s'"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	35	\| "Sem (While b x c) None None"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	36	\| "s \<notin> b \<Longrightarrow> Sem (While b x c) (Some s) (Some s)"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	37	\| "s \<in> b \<Longrightarrow> Sem c (Some s) s'' \<Longrightarrow> Sem (While b x c) s'' s' \<Longrightarrow>
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	38	Sem (While b x c) (Some s) s'"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	39
36643 f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	40	inductive_cases [elim!]:
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	41	"Sem (Basic f) s s'" "Sem (c1;c2) s s'"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	42	"Sem (IF b THEN c1 ELSE c2 FI) s s'"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	43
35416 d8d7d1b785af replaced a couple of constsdefs by definitions (also some old primrecs by modern ones) haftmann parents: 35320 diff changeset	44	definition Valid :: "'a bexp \<Rightarrow> 'a com \<Rightarrow> 'a bexp \<Rightarrow> bool" where
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	45	"Valid p c q == \<forall>s s'. Sem c s s' \<longrightarrow> s : Some ` p \<longrightarrow> s' : Some ` q"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	46
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	47
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	48	syntax
42152 6c17259724b2 Hoare syntax: standard abstraction syntax admits source positions; wenzelm parents: 42054 diff changeset	49	"_assign" :: "idt => 'b => 'a com" ("(2_ :=/ _)" [70, 65] 61)
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	50
a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	51	syntax
35320 f80aee1ed475 dropped axclass; dropped Id; session theory Hoare.thy haftmann parents: 35113 diff changeset	52	"_hoare_abort_vars" :: "[idts, 'a assn,'a com,'a assn] => bool"
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	53	("VARS _// {_} // _ // {_}" [0,0,55,0] 50)
a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	54	syntax ("" output)
35320 f80aee1ed475 dropped axclass; dropped Id; session theory Hoare.thy haftmann parents: 35113 diff changeset	55	"_hoare_abort" :: "['a assn,'a com,'a assn] => bool"
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 34940 diff changeset	56	("{_} // _ // {_}" [0,55,0] 50)
42152 6c17259724b2 Hoare syntax: standard abstraction syntax admits source positions; wenzelm parents: 42054 diff changeset	57
48891 c0eafbd55de3 prefer ML_file over old uses; wenzelm parents: 44890 diff changeset	58	ML_file "hoare_syntax.ML"
52143 36ffe23b25f8 syntax translations always depend on context; wenzelm parents: 51717 diff changeset	59	parse_translation {* [(@{syntax_const "_hoare_abort_vars"}, K Hoare_Syntax.hoare_vars_tr)] *}
42153 fa108629d132 use shared copy of hoare_syntax.ML; wenzelm parents: 42152 diff changeset	60	print_translation
52143 36ffe23b25f8 syntax translations always depend on context; wenzelm parents: 51717 diff changeset	61	{* [(@{const_syntax Valid}, K (Hoare_Syntax.spec_tr' @{syntax_const "_hoare_abort"}))] *}
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	62
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	63
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	64	(* The proof rules *)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	65
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	66	lemma SkipRule: "p \<subseteq> q \<Longrightarrow> Valid p (Basic id) q"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	67	by (auto simp:Valid_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	68
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	69	lemma BasicRule: "p \<subseteq> {s. f s \<in> q} \<Longrightarrow> Valid p (Basic f) q"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	70	by (auto simp:Valid_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	71
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	72	lemma SeqRule: "Valid P c1 Q \<Longrightarrow> Valid Q c2 R \<Longrightarrow> Valid P (c1;c2) R"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	73	by (auto simp:Valid_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	74
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	75	lemma CondRule:
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	76	"p \<subseteq> {s. (s \<in> b \<longrightarrow> s \<in> w) \<and> (s \<notin> b \<longrightarrow> s \<in> w')}
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	77	\<Longrightarrow> Valid w c1 q \<Longrightarrow> Valid w' c2 q \<Longrightarrow> Valid p (Cond b c1 c2) q"
44890 22f665a2e91c new fastforce replacing fastsimp - less confusing name nipkow parents: 42174 diff changeset	78	by (fastforce simp:Valid_def image_def)
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	79
36643 f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	80	lemma While_aux:
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	81	assumes "Sem (WHILE b INV {i} DO c OD) s s'"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	82	shows "\<forall>s s'. Sem c s s' \<longrightarrow> s \<in> Some ` (I \<inter> b) \<longrightarrow> s' \<in> Some ` I \<Longrightarrow>
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	83	s \<in> Some ` I \<Longrightarrow> s' \<in> Some ` (I \<inter> -b)"
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	84	using assms
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	85	by (induct "WHILE b INV {i} DO c OD" s s') auto
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	86
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	87	lemma WhileRule:
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	88	"p \<subseteq> i \<Longrightarrow> Valid (i \<inter> b) c i \<Longrightarrow> i \<inter> (-b) \<subseteq> q \<Longrightarrow> Valid p (While b i c) q"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	89	apply(simp add:Valid_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	90	apply(simp (no_asm) add:image_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	91	apply clarify
36643 f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	92	apply(drule While_aux)
f36588af1ba1 Turned Sem into an inductive definition. berghofe parents: 35417 diff changeset	93	apply assumption
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	94	apply blast
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	95	apply blast
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	96	done
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	97
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	98	lemma AbortRule: "p \<subseteq> {s. False} \<Longrightarrow> Valid p Abort q"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	99	by(auto simp:Valid_def)
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	100
24470 41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	101
41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	102	subsection {* Derivation of the proof rules and, most importantly, the VCG tactic *}
41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	103
41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	104	lemma Compl_Collect: "-(Collect b) = {x. ~(b x)}"
41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	105	by blast
41c81e23c08d removed Hoare/hoare.ML, Hoare/hoareAbort.ML, ex/svc_oracle.ML (which can be mistaken as attached ML script on case-insensitive file-system); wenzelm parents: 21588 diff changeset	106
48891 c0eafbd55de3 prefer ML_file over old uses; wenzelm parents: 44890 diff changeset	107	ML_file "hoare_tac.ML"
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	108
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	109	method_setup vcg = {*
30549 d2d7874648bd simplified method setup; wenzelm parents: 30510 diff changeset	110	Scan.succeed (fn ctxt => SIMPLE_METHOD' (hoare_tac ctxt (K all_tac))) *}
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	111	"verification condition generator"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	112
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	113	method_setup vcg_simp = {*
30549 d2d7874648bd simplified method setup; wenzelm parents: 30510 diff changeset	114	Scan.succeed (fn ctxt =>
51717 9e7d1c139569 simplifier uses proper Proof.context instead of historic type simpset; wenzelm parents: 48891 diff changeset	115	SIMPLE_METHOD' (hoare_tac ctxt (asm_full_simp_tac ctxt))) *}
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	116	"verification condition generator plus simplification"
11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	117
13875 12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	118	(* Special syntax for guarded statements and guarded array updates: *)
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	119
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	120	syntax
35352 fa051b504c3f observe standard convention for syntax consts; wenzelm parents: 35320 diff changeset	121	"_guarded_com" :: "bool \<Rightarrow> 'a com \<Rightarrow> 'a com" ("(2_ \<rightarrow>/ _)" 71)
fa051b504c3f observe standard convention for syntax consts; wenzelm parents: 35320 diff changeset	122	"_array_update" :: "'a list \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a com" ("(2_[_] :=/ _)" [70, 65] 61)
13875 12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	123	translations
35101 6ce9177d6b38 modernized translations; wenzelm parents: 35054 diff changeset	124	"P \<rightarrow> c" == "IF P THEN c ELSE CONST Abort FI"
34940 3e80eab831a1 explicit CONST in translations haftmann parents: 32149 diff changeset	125	"a[i] := v" => "(i < CONST length a) \<rightarrow> (a := CONST list_update a i v)"
13875 12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	126	(* reverse translation not possible because of duplicate "a" *)
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	127
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	128	text{* Note: there is no special syntax for guarded array access. Thus
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	129	you must write @{text"j < length a \<rightarrow> a[i] := a!j"}. *}
12997e3ddd8d * empty log message * nipkow parents: 13857 diff changeset	130
13857 11d7c5a8dbb7 * empty log message * nipkow parents: diff changeset	131	end

author	blanchet
	Wed, 12 Feb 2014 08:35:56 +0100
changeset 55400	1e8dd9cd320b
parent 52143	36ffe23b25f8
child 55660	f0f895716a8b
permissions	-rw-r--r--