src/HOL/Bali/AxCompl.thy
author haftmann
Fri Jun 11 17:14:02 2010 +0200 (2010-06-11)
changeset 37407 61dd8c145da7
parent 35416 d8d7d1b785af
child 37956 ee939247b2fb
permissions -rw-r--r--
declare lex_prod_def [code del]
wenzelm@12857
     1
(*  Title:      HOL/Bali/AxCompl.thy
schirmer@13688
     2
    Author:     David von Oheimb and Norbert Schirmer
schirmer@12854
     3
*)
schirmer@12854
     4
schirmer@12854
     5
header {*
schirmer@12854
     6
Completeness proof for Axiomatic semantics of Java expressions and statements
schirmer@12854
     7
*}
schirmer@12854
     8
haftmann@16417
     9
theory AxCompl imports AxSem begin
schirmer@12854
    10
schirmer@12854
    11
text {*
schirmer@12854
    12
design issues:
schirmer@12854
    13
\begin{itemize}
schirmer@12854
    14
\item proof structured by Most General Formulas (-> Thomas Kleymann)
schirmer@12854
    15
\end{itemize}
schirmer@12854
    16
*}
schirmer@12925
    17
schirmer@12925
    18
schirmer@12925
    19
schirmer@13688
    20
           
schirmer@12854
    21
section "set of not yet initialzed classes"
schirmer@12854
    22
haftmann@35416
    23
definition nyinitcls :: "prog \<Rightarrow> state \<Rightarrow> qtname set" where
schirmer@12854
    24
 "nyinitcls G s \<equiv> {C. is_class G C \<and> \<not> initd C s}"
schirmer@12854
    25
schirmer@12854
    26
lemma nyinitcls_subset_class: "nyinitcls G s \<subseteq> {C. is_class G C}"
schirmer@12854
    27
apply (unfold nyinitcls_def)
schirmer@12854
    28
apply fast
schirmer@12854
    29
done
schirmer@12854
    30
schirmer@12854
    31
lemmas finite_nyinitcls [simp] =
schirmer@12854
    32
   finite_is_class [THEN nyinitcls_subset_class [THEN finite_subset], standard]
schirmer@12854
    33
schirmer@12854
    34
lemma card_nyinitcls_bound: "card (nyinitcls G s) \<le> card {C. is_class G C}"
schirmer@12854
    35
apply (rule nyinitcls_subset_class [THEN finite_is_class [THEN card_mono]])
schirmer@12854
    36
done
schirmer@12854
    37
schirmer@12854
    38
lemma nyinitcls_set_locals_cong [simp]: 
schirmer@12854
    39
  "nyinitcls G (x,set_locals l s) = nyinitcls G (x,s)"
schirmer@12854
    40
apply (unfold nyinitcls_def)
schirmer@12854
    41
apply (simp (no_asm))
schirmer@12854
    42
done
schirmer@12854
    43
schirmer@12854
    44
lemma nyinitcls_abrupt_cong [simp]: "nyinitcls G (f x, y) = nyinitcls G (x, y)"
schirmer@12854
    45
apply (unfold nyinitcls_def)
schirmer@12854
    46
apply (simp (no_asm))
schirmer@12854
    47
done
schirmer@12854
    48
schirmer@12854
    49
lemma nyinitcls_abupd_cong [simp]:"!!s. nyinitcls G (abupd f s) = nyinitcls G s"
schirmer@12854
    50
apply (unfold nyinitcls_def)
schirmer@12854
    51
apply (simp (no_asm_simp) only: split_tupled_all)
schirmer@12854
    52
apply (simp (no_asm))
schirmer@12854
    53
done
schirmer@12854
    54
schirmer@12854
    55
lemma card_nyinitcls_abrupt_congE [elim!]: 
schirmer@12854
    56
        "card (nyinitcls G (x, s)) \<le> n \<Longrightarrow> card (nyinitcls G (y, s)) \<le> n"
schirmer@12854
    57
apply (unfold nyinitcls_def)
schirmer@12854
    58
apply auto
schirmer@12854
    59
done
schirmer@12854
    60
schirmer@12854
    61
lemma nyinitcls_new_xcpt_var [simp]: 
schirmer@12854
    62
"nyinitcls G (new_xcpt_var vn s) = nyinitcls G s"
schirmer@12854
    63
apply (unfold nyinitcls_def)
schirmer@12854
    64
apply (induct_tac "s")
schirmer@12854
    65
apply (simp (no_asm))
schirmer@12854
    66
done
schirmer@12854
    67
schirmer@12854
    68
lemma nyinitcls_init_lvars [simp]: 
schirmer@12854
    69
  "nyinitcls G ((init_lvars G C sig mode a' pvs) s) = nyinitcls G s"
schirmer@12854
    70
apply (induct_tac "s")
schirmer@12854
    71
apply (simp (no_asm) add: init_lvars_def2 split add: split_if)
schirmer@12854
    72
done
schirmer@12854
    73
schirmer@12854
    74
lemma nyinitcls_emptyD: "\<lbrakk>nyinitcls G s = {}; is_class G C\<rbrakk> \<Longrightarrow> initd C s"
schirmer@12854
    75
apply (unfold nyinitcls_def)
schirmer@12854
    76
apply fast
schirmer@12854
    77
done
schirmer@12854
    78
schirmer@13688
    79
lemma card_Suc_lemma: 
schirmer@13688
    80
  "\<lbrakk>card (insert a A) \<le> Suc n; a\<notin>A; finite A\<rbrakk> \<Longrightarrow> card A \<le> n"
schirmer@12854
    81
apply clarsimp
schirmer@12854
    82
done
schirmer@12854
    83
schirmer@12854
    84
lemma nyinitcls_le_SucD: 
schirmer@12854
    85
"\<lbrakk>card (nyinitcls G (x,s)) \<le> Suc n; \<not>inited C (globs s); class G C=Some y\<rbrakk> \<Longrightarrow> 
schirmer@12854
    86
  card (nyinitcls G (x,init_class_obj G C s)) \<le> n"
schirmer@12854
    87
apply (subgoal_tac 
schirmer@12854
    88
        "nyinitcls G (x,s) = insert C (nyinitcls G (x,init_class_obj G C s))")
schirmer@12854
    89
apply  clarsimp
berghofe@13601
    90
apply  (erule_tac V="nyinitcls G (x, s) = ?rhs" in thin_rl)
schirmer@12854
    91
apply  (rule card_Suc_lemma [OF _ _ finite_nyinitcls])
schirmer@12854
    92
apply   (auto dest!: not_initedD elim!: 
schirmer@12854
    93
              simp add: nyinitcls_def inited_def split add: split_if_asm)
schirmer@12854
    94
done
schirmer@12854
    95
schirmer@13688
    96
lemma inited_gext': "\<lbrakk>s\<le>|s';inited C (globs s)\<rbrakk> \<Longrightarrow> inited C (globs s')"
schirmer@13688
    97
by (rule inited_gext)
schirmer@12854
    98
schirmer@12854
    99
lemma nyinitcls_gext: "snd s\<le>|snd s' \<Longrightarrow> nyinitcls G s' \<subseteq> nyinitcls G s"
schirmer@12854
   100
apply (unfold nyinitcls_def)
schirmer@12854
   101
apply (force dest!: inited_gext')
schirmer@12854
   102
done
schirmer@12854
   103
schirmer@12854
   104
lemma card_nyinitcls_gext: 
schirmer@12854
   105
  "\<lbrakk>snd s\<le>|snd s'; card (nyinitcls G s) \<le> n\<rbrakk>\<Longrightarrow> card (nyinitcls G s') \<le> n"
schirmer@12854
   106
apply (rule le_trans)
schirmer@12854
   107
apply  (rule card_mono)
schirmer@12854
   108
apply   (rule finite_nyinitcls)
schirmer@12854
   109
apply  (erule nyinitcls_gext)
schirmer@12854
   110
apply assumption
schirmer@12854
   111
done
schirmer@12854
   112
schirmer@12854
   113
schirmer@12854
   114
section "init-le"
schirmer@12854
   115
haftmann@35416
   116
definition init_le :: "prog \<Rightarrow> nat \<Rightarrow> state \<Rightarrow> bool" ("_\<turnstile>init\<le>_"  [51,51] 50) where
schirmer@12854
   117
 "G\<turnstile>init\<le>n \<equiv> \<lambda>s. card (nyinitcls G s) \<le> n"
schirmer@12854
   118
  
schirmer@12854
   119
lemma init_le_def2 [simp]: "(G\<turnstile>init\<le>n) s = (card (nyinitcls G s)\<le>n)"
schirmer@12854
   120
apply (unfold init_le_def)
schirmer@12854
   121
apply auto
schirmer@12854
   122
done
schirmer@12854
   123
schirmer@13688
   124
lemma All_init_leD: 
schirmer@13688
   125
 "\<forall>n::nat. G,(A::'a triple set)\<turnstile>{P \<and>. G\<turnstile>init\<le>n} t\<succ> {Q::'a assn} 
schirmer@13688
   126
  \<Longrightarrow> G,A\<turnstile>{P} t\<succ> {Q}"
schirmer@12854
   127
apply (drule spec)
schirmer@12854
   128
apply (erule conseq1)
schirmer@12854
   129
apply clarsimp
schirmer@12854
   130
apply (rule card_nyinitcls_bound)
schirmer@12854
   131
done
schirmer@12854
   132
schirmer@12854
   133
section "Most General Triples and Formulas"
schirmer@12854
   134
haftmann@35416
   135
definition remember_init_state :: "state assn" ("\<doteq>") where
schirmer@12854
   136
  "\<doteq> \<equiv> \<lambda>Y s Z. s = Z"
schirmer@12854
   137
schirmer@12854
   138
lemma remember_init_state_def2 [simp]: "\<doteq> Y = op ="
schirmer@12854
   139
apply (unfold remember_init_state_def)
schirmer@12854
   140
apply (simp (no_asm))
schirmer@12854
   141
done
schirmer@12854
   142
schirmer@12854
   143
consts
schirmer@12854
   144
  
schirmer@12854
   145
  MGF ::"[state assn, term, prog] \<Rightarrow> state triple"   ("{_} _\<succ> {_\<rightarrow>}"[3,65,3]62)
schirmer@12854
   146
  MGFn::"[nat       , term, prog] \<Rightarrow> state triple" ("{=:_} _\<succ> {_\<rightarrow>}"[3,65,3]62)
schirmer@12854
   147
schirmer@12854
   148
defs
schirmer@12854
   149
  
schirmer@12854
   150
schirmer@12854
   151
  MGF_def:
schirmer@12854
   152
  "{P} t\<succ> {G\<rightarrow>} \<equiv> {P} t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}"
schirmer@12854
   153
schirmer@12854
   154
  MGFn_def:
schirmer@12854
   155
  "{=:n} t\<succ> {G\<rightarrow>} \<equiv> {\<doteq> \<and>. G\<turnstile>init\<le>n} t\<succ> {G\<rightarrow>}"
schirmer@12854
   156
schirmer@12854
   157
(* unused *)
schirmer@12925
   158
lemma MGF_valid: "wf_prog G \<Longrightarrow> G,{}\<Turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
   159
apply (unfold MGF_def)
schirmer@12925
   160
apply (simp add:  ax_valids_def triple_valid_def2)
schirmer@12925
   161
apply (auto elim: evaln_eval)
schirmer@12854
   162
done
schirmer@12854
   163
schirmer@12925
   164
schirmer@12854
   165
lemma MGF_res_eq_lemma [simp]: 
schirmer@12854
   166
  "(\<forall>Y' Y s. Y = Y' \<and> P s \<longrightarrow> Q s) = (\<forall>s. P s \<longrightarrow> Q s)"
schirmer@12854
   167
apply auto
schirmer@12854
   168
done
schirmer@12854
   169
schirmer@12854
   170
lemma MGFn_def2: 
schirmer@12854
   171
"G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>} = G,A\<turnstile>{\<doteq> \<and>. G\<turnstile>init\<le>n} 
schirmer@12854
   172
                    t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}"
schirmer@12854
   173
apply (unfold MGFn_def MGF_def)
schirmer@12854
   174
apply fast
schirmer@12854
   175
done
schirmer@12854
   176
schirmer@13688
   177
lemma MGF_MGFn_iff: 
schirmer@13688
   178
"G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>} = (\<forall>n. G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>})"
schirmer@12854
   179
apply (simp (no_asm_use) add: MGFn_def2 MGF_def)
schirmer@12854
   180
apply safe
schirmer@12854
   181
apply  (erule_tac [2] All_init_leD)
schirmer@12854
   182
apply (erule conseq1)
schirmer@12854
   183
apply clarsimp
schirmer@12854
   184
done
schirmer@12854
   185
schirmer@12854
   186
lemma MGFnD: 
schirmer@13688
   187
"G,(A::state triple set)\<turnstile>{=:n} t\<succ> {G\<rightarrow>} \<Longrightarrow>  
schirmer@12854
   188
 G,A\<turnstile>{(\<lambda>Y' s' s. s' = s           \<and> P s) \<and>. G\<turnstile>init\<le>n}  
schirmer@12854
   189
 t\<succ>  {(\<lambda>Y' s' s. G\<turnstile>s\<midarrow>t\<succ>\<rightarrow>(Y',s') \<and> P s) \<and>. G\<turnstile>init\<le>n}"
schirmer@12854
   190
apply (unfold init_le_def)
schirmer@12854
   191
apply (simp (no_asm_use) add: MGFn_def2)
schirmer@12854
   192
apply (erule conseq12)
schirmer@12854
   193
apply clarsimp
schirmer@12854
   194
apply (erule (1) eval_gext [THEN card_nyinitcls_gext])
schirmer@12854
   195
done
schirmer@12854
   196
lemmas MGFnD' = MGFnD [of _ _ _ _ "\<lambda>x. True"] 
schirmer@12854
   197
schirmer@13688
   198
text {* To derive the most general formula, we can always assume a normal
schirmer@13688
   199
state in the precondition, since abrupt cases can be handled uniformally by
schirmer@13688
   200
the abrupt rule.
schirmer@13688
   201
*}
schirmer@12854
   202
lemma MGFNormalI: "G,A\<turnstile>{Normal \<doteq>} t\<succ> {G\<rightarrow>} \<Longrightarrow>  
schirmer@12854
   203
  G,(A::state triple set)\<turnstile>{\<doteq>::state assn} t\<succ> {G\<rightarrow>}"
schirmer@12854
   204
apply (unfold MGF_def)
schirmer@12854
   205
apply (rule ax_Normal_cases)
schirmer@12854
   206
apply  (erule conseq1)
schirmer@12854
   207
apply  clarsimp
schirmer@12854
   208
apply (rule ax_derivs.Abrupt [THEN conseq1])
schirmer@12854
   209
apply (clarsimp simp add: Let_def)
schirmer@12854
   210
done
schirmer@12854
   211
schirmer@13688
   212
lemma MGFNormalD: 
schirmer@13688
   213
"G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>} \<Longrightarrow> G,A\<turnstile>{Normal \<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
   214
apply (unfold MGF_def)
schirmer@12854
   215
apply (erule conseq1)
schirmer@12854
   216
apply clarsimp
schirmer@12854
   217
done
schirmer@12854
   218
schirmer@13688
   219
text {* Additionally to @{text MGFNormalI}, we also expand the definition of 
schirmer@13688
   220
the most general formula here *} 
schirmer@12854
   221
lemma MGFn_NormalI: 
schirmer@12854
   222
"G,(A::state triple set)\<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n)}t\<succ> 
schirmer@12854
   223
 {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')} \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@12854
   224
apply (simp (no_asm_use) add: MGFn_def2)
schirmer@12854
   225
apply (rule ax_Normal_cases)
schirmer@12854
   226
apply  (erule conseq1)
schirmer@12854
   227
apply  clarsimp
schirmer@12854
   228
apply (rule ax_derivs.Abrupt [THEN conseq1])
schirmer@12854
   229
apply (clarsimp simp add: Let_def)
schirmer@12854
   230
done
schirmer@12854
   231
schirmer@13688
   232
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   233
welltyped terms, since all others can be uniformally handled by the hazard
schirmer@13688
   234
rule. *} 
schirmer@12854
   235
lemma MGFn_free_wt: 
schirmer@12854
   236
  "(\<exists>T L C. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T) 
schirmer@12854
   237
    \<longrightarrow> G,(A::state triple set)\<turnstile>{=:n} t\<succ> {G\<rightarrow>} 
schirmer@12854
   238
   \<Longrightarrow> G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@12854
   239
apply (rule MGFn_NormalI)
schirmer@12854
   240
apply (rule ax_free_wt)
schirmer@12854
   241
apply (auto elim: conseq12 simp add: MGFn_def MGF_def)
schirmer@12854
   242
done
schirmer@12854
   243
schirmer@13688
   244
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   245
welltyped terms and assume that the state in the precondition conforms to the
schirmer@13688
   246
environment. All type violations can be uniformally handled by the hazard
schirmer@13688
   247
rule. *} 
schirmer@12925
   248
lemma MGFn_free_wt_NormalConformI: 
schirmer@13688
   249
"(\<forall> T L C . \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T 
schirmer@12925
   250
  \<longrightarrow> G,(A::state triple set)
schirmer@12925
   251
      \<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n) \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))}
schirmer@12925
   252
      t\<succ> 
schirmer@12925
   253
      {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}) 
schirmer@12925
   254
 \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@12925
   255
apply (rule MGFn_NormalI)
schirmer@12925
   256
apply (rule ax_no_hazard)
schirmer@12925
   257
apply (rule ax_escape)
schirmer@12925
   258
apply (intro strip)
schirmer@12925
   259
apply (simp only: type_ok_def peek_and_def)
schirmer@12925
   260
apply (erule conjE)+
schirmer@13688
   261
apply (erule exE,erule exE, erule exE, erule exE,erule conjE,drule (1) mp,
schirmer@13688
   262
       erule conjE)
schirmer@12925
   263
apply (drule spec,drule spec, drule spec, drule (1) mp)
schirmer@12925
   264
apply (erule conseq12)
schirmer@12925
   265
apply blast
schirmer@12925
   266
done
schirmer@12925
   267
schirmer@13688
   268
text {* To derive the most general formula, we can restrict ourselves to 
schirmer@13688
   269
welltyped terms and assume that the state in the precondition conforms to the
schirmer@13688
   270
environment and that the term is definetly assigned with respect to this state.
schirmer@13688
   271
All type violations can be uniformally handled by the hazard rule. *} 
schirmer@13688
   272
lemma MGFn_free_wt_da_NormalConformI: 
schirmer@13688
   273
"(\<forall> T L C B. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T
schirmer@13688
   274
  \<longrightarrow> G,(A::state triple set)
schirmer@13688
   275
      \<turnstile>{Normal((\<lambda>Y' s' s. s'=s \<and> normal s) \<and>. G\<turnstile>init\<le>n) \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))
schirmer@13688
   276
        \<and>. (\<lambda> s. \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>dom (locals (store s))\<guillemotright>t\<guillemotright>B)}
schirmer@13688
   277
      t\<succ> 
schirmer@13688
   278
      {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y,s')}) 
schirmer@13688
   279
 \<Longrightarrow> G,A\<turnstile>{=:n}t\<succ>{G\<rightarrow>}"
schirmer@13688
   280
apply (rule MGFn_NormalI)
schirmer@13688
   281
apply (rule ax_no_hazard)
schirmer@13688
   282
apply (rule ax_escape)
schirmer@13688
   283
apply (intro strip)
schirmer@13688
   284
apply (simp only: type_ok_def peek_and_def)
schirmer@13688
   285
apply (erule conjE)+
schirmer@13688
   286
apply (erule exE,erule exE, erule exE, erule exE,erule conjE,drule (1) mp,
schirmer@13688
   287
       erule conjE)
schirmer@13688
   288
apply (drule spec,drule spec, drule spec,drule spec, drule (1) mp)
schirmer@13688
   289
apply (erule conseq12)
schirmer@13688
   290
apply blast
schirmer@13688
   291
done
schirmer@12854
   292
schirmer@12854
   293
section "main lemmas"
schirmer@12854
   294
schirmer@13688
   295
lemma MGFn_Init: 
schirmer@13688
   296
 assumes mgf_hyp: "\<forall>m. Suc m\<le>n \<longrightarrow> (\<forall>t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>})"
schirmer@13688
   297
 shows "G,(A::state triple set)\<turnstile>{=:n} \<langle>Init C\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   298
proof (rule MGFn_free_wt [rule_format],elim exE,rule MGFn_NormalI)
schirmer@13688
   299
  fix T L accC
schirmer@13688
   300
  assume "\<lparr>prg=G, cls=accC, lcl= L\<rparr>\<turnstile>\<langle>Init C\<rangle>\<^sub>s\<Colon>T"
schirmer@13688
   301
  hence is_cls: "is_class G C"
schirmer@13688
   302
    by cases simp
schirmer@13688
   303
  show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)} 
schirmer@13688
   304
            .Init C.
schirmer@13688
   305
            {\<lambda>Y s' s. G\<turnstile>s \<midarrow>\<langle>Init C\<rangle>\<^sub>s\<succ>\<rightarrow> (Y, s')}"
schirmer@13688
   306
       (is "G,A\<turnstile>{Normal ?P} .Init C. {?R}")
schirmer@13688
   307
  proof (rule ax_cases [where ?C="initd C"])
schirmer@13688
   308
    show "G,A\<turnstile>{Normal ?P  \<and>. initd C} .Init C. {?R}"
schirmer@13688
   309
      by (rule ax_derivs.Done [THEN conseq1]) (fastsimp intro: init_done)
schirmer@13688
   310
  next
schirmer@13688
   311
    have "G,A\<turnstile>{Normal (?P  \<and>. Not \<circ> initd C)} .Init C. {?R}" 
schirmer@13688
   312
    proof (cases n)
schirmer@13688
   313
      case 0
schirmer@13688
   314
      with is_cls
schirmer@13688
   315
      show ?thesis
wenzelm@32960
   316
        by - (rule ax_impossible [THEN conseq1],fastsimp dest: nyinitcls_emptyD)
schirmer@13688
   317
    next
schirmer@13688
   318
      case (Suc m)
schirmer@13688
   319
      with mgf_hyp have mgf_hyp': "\<And> t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>}"
wenzelm@32960
   320
        by simp
schirmer@13688
   321
      from is_cls obtain c where c: "the (class G C) = c"
wenzelm@32960
   322
        by auto
schirmer@13688
   323
      let ?Q= "(\<lambda>Y s' (x,s) . 
schirmer@13688
   324
          G\<turnstile> (x,init_class_obj G C s) 
schirmer@13688
   325
             \<midarrow> (if C=Object then Skip else Init (super (the (class G C))))\<rightarrow> s'
schirmer@13688
   326
          \<and> x=None \<and> \<not>inited C (globs s)) \<and>. G\<turnstile>init\<le>m"
schirmer@13688
   327
      from c
schirmer@13688
   328
      show ?thesis
schirmer@13688
   329
      proof (rule ax_derivs.Init [where ?Q="?Q"])
wenzelm@32960
   330
        let ?P' = "Normal ((\<lambda>Y s' s. s' = supd (init_class_obj G C) s 
schirmer@13688
   331
                           \<and> normal s \<and> \<not> initd C s) \<and>. G\<turnstile>init\<le>m)" 
wenzelm@32960
   332
        show "G,A\<turnstile>{Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))}
schirmer@13688
   333
                  .(if C = Object then Skip else Init (super c)). 
schirmer@13688
   334
                  {?Q}"
wenzelm@32960
   335
        proof (rule conseq1 [where ?P'="?P'"])
wenzelm@32960
   336
          show "G,A\<turnstile>{?P'} .(if C = Object then Skip else Init (super c)). {?Q}"
wenzelm@32960
   337
          proof (cases "C=Object")
wenzelm@32960
   338
            case True
wenzelm@32960
   339
            have "G,A\<turnstile>{?P'} .Skip. {?Q}"
wenzelm@32960
   340
              by (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
   341
                 (auto simp add: True intro: eval.Skip)
schirmer@13688
   342
            with True show ?thesis 
wenzelm@32960
   343
              by simp
wenzelm@32960
   344
          next
wenzelm@32960
   345
            case False
wenzelm@32960
   346
            from mgf_hyp'
wenzelm@32960
   347
            have "G,A\<turnstile>{?P'} .Init (super c). {?Q}"
wenzelm@32960
   348
              by (rule MGFnD' [THEN conseq12]) (fastsimp simp add: False c)
wenzelm@32960
   349
            with False show ?thesis
wenzelm@32960
   350
              by simp
wenzelm@32960
   351
          qed
wenzelm@32960
   352
        next
wenzelm@32960
   353
          from Suc is_cls
wenzelm@32960
   354
          show "Normal (?P \<and>. Not \<circ> initd C ;. supd (init_class_obj G C))
schirmer@13688
   355
                \<Rightarrow> ?P'"
wenzelm@32960
   356
            by (fastsimp elim: nyinitcls_le_SucD)
wenzelm@32960
   357
        qed
schirmer@13688
   358
      next
wenzelm@32960
   359
        from mgf_hyp'
wenzelm@32960
   360
        show "\<forall>l. G,A\<turnstile>{?Q \<and>. (\<lambda>s. l = locals (snd s)) ;. set_lvars empty} 
schirmer@13688
   361
                      .init c.
schirmer@13688
   362
                      {set_lvars l .; ?R}"
wenzelm@32960
   363
          apply (rule MGFnD' [THEN conseq12, THEN allI])
wenzelm@32960
   364
          apply (clarsimp simp add: split_paired_all)
wenzelm@32960
   365
          apply (rule eval.Init [OF c])
wenzelm@32960
   366
          apply (insert c)
wenzelm@32960
   367
          apply auto
wenzelm@32960
   368
          done
schirmer@13688
   369
      qed
schirmer@13688
   370
    qed
schirmer@13688
   371
    thus "G,A\<turnstile>{Normal ?P  \<and>. Not \<circ> initd C} .Init C. {?R}"
schirmer@13688
   372
      by clarsimp
schirmer@13688
   373
  qed
schirmer@13688
   374
qed
schirmer@12854
   375
lemmas MGFn_InitD = MGFn_Init [THEN MGFnD, THEN ax_NormalD]
schirmer@12854
   376
schirmer@12854
   377
lemma MGFn_Call: 
schirmer@13688
   378
  assumes mgf_methds: 
schirmer@13688
   379
           "\<forall>C sig. G,(A::state triple set)\<turnstile>{=:n} \<langle>(Methd C sig)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   380
  and mgf_e: "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   381
  and mgf_ps: "G,A\<turnstile>{=:n} \<langle>ps\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
schirmer@13688
   382
  and wf: "wf_prog G"
schirmer@13688
   383
  shows "G,A\<turnstile>{=:n} \<langle>{accC,statT,mode}e\<cdot>mn({pTs'}ps)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   384
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp) 
schirmer@13688
   385
  note inj_term_simps [simp]
schirmer@13688
   386
  fix T L accC' E
schirmer@13688
   387
  assume wt: "\<lparr>prg=G,cls=accC',lcl = L\<rparr>\<turnstile>\<langle>({accC,statT,mode}e\<cdot>mn( {pTs'}ps))\<rangle>\<^sub>e\<Colon>T"
schirmer@13688
   388
  then obtain pTs statDeclT statM where
schirmer@13688
   389
                 wt_e: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>e\<Colon>-RefT statT" and
schirmer@13688
   390
              wt_args: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>ps\<Colon>\<doteq>pTs" and
schirmer@13688
   391
                statM: "max_spec G accC statT \<lparr>name=mn,parTs=pTs\<rparr> 
schirmer@13688
   392
                         = {((statDeclT,statM),pTs')}" and
schirmer@13688
   393
                 mode: "mode = invmode statM e" and
schirmer@13688
   394
                    T: "T =Inl (resTy statM)" and
schirmer@13688
   395
        eq_accC_accC': "accC=accC'"
wenzelm@32960
   396
        by cases fastsimp+
schirmer@13688
   397
  let ?Q="(\<lambda>Y s1 (x,s) . x = None \<and> 
schirmer@13688
   398
              (\<exists>a. G\<turnstile>Norm s \<midarrow>e-\<succ>a\<rightarrow> s1 \<and> 
schirmer@13688
   399
                   (normal s1 \<longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT)
schirmer@13688
   400
                   \<and> Y = In1 a) \<and> 
schirmer@13688
   401
              (\<exists> P. normal s1
schirmer@13688
   402
                  \<longrightarrow> \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile>dom (locals (store s1))\<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright>P)) 
schirmer@13688
   403
          \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))::state assn"
schirmer@13688
   404
  let ?R="\<lambda>a. ((\<lambda>Y (x2,s2) (x,s) . x = None \<and> 
schirmer@13688
   405
                (\<exists>s1 pvs. G\<turnstile>Norm s \<midarrow>e-\<succ>a\<rightarrow> s1 \<and> 
schirmer@13688
   406
                          (normal s1 \<longrightarrow> G, store s1\<turnstile>a\<Colon>\<preceq>RefT statT)\<and> 
schirmer@13688
   407
                          Y = \<lfloor>pvs\<rfloor>\<^sub>l \<and> G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>pvs\<rightarrow> (x2,s2))) 
schirmer@13688
   408
               \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L)))::state assn"
schirmer@12925
   409
schirmer@13688
   410
  show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   411
                     (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   412
                     (\<lambda>s. \<lparr>prg=G, cls=accC',lcl=L\<rparr> \<turnstile> dom (locals (store s)) 
schirmer@13688
   413
                           \<guillemotright> \<langle>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)\<rangle>\<^sub>e\<guillemotright> E))}
schirmer@13688
   414
             {accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>
schirmer@13688
   415
             {\<lambda>Y s' s. \<exists>v. Y = \<lfloor>v\<rfloor>\<^sub>e \<and> 
schirmer@13688
   416
                           G\<turnstile>s \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v\<rightarrow> s'}"
schirmer@13688
   417
    (is "G,A\<turnstile>{Normal ?P} {accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ> {?S}")
schirmer@13688
   418
  proof (rule ax_derivs.Call [where ?Q="?Q" and ?R="?R"])
schirmer@13688
   419
    from mgf_e
schirmer@13688
   420
    show "G,A\<turnstile>{Normal ?P} e-\<succ> {?Q}"
schirmer@13688
   421
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   422
      fix s0 s1 a
schirmer@13688
   423
      assume conf_s0: "Norm s0\<Colon>\<preceq>(G, L)"
schirmer@13688
   424
      assume da: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> 
schirmer@13688
   425
                     dom (locals s0) \<guillemotright>\<langle>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
   426
      assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
schirmer@13688
   427
      show "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT) \<and>
schirmer@13688
   428
            (abrupt s1 = None \<longrightarrow>
schirmer@13688
   429
              (\<exists>P. \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P))
schirmer@13688
   430
            \<and> s1\<Colon>\<preceq>(G, L)"
schirmer@13688
   431
      proof -
wenzelm@32960
   432
        from da obtain C where
wenzelm@32960
   433
          da_e:  "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>
schirmer@13688
   434
                    dom (locals (store ((Norm s0)::state)))\<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> C" and
wenzelm@32960
   435
          da_ps: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> nrm C \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> E" 
wenzelm@32960
   436
          by cases (simp add: eq_accC_accC')
wenzelm@32960
   437
        from eval_e conf_s0 wt_e da_e wf
wenzelm@32960
   438
        obtain "(abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT)"
wenzelm@32960
   439
          and  "s1\<Colon>\<preceq>(G, L)"
wenzelm@32960
   440
          by (rule eval_type_soundE) simp
wenzelm@32960
   441
        moreover
wenzelm@32960
   442
        {
wenzelm@32960
   443
          assume normal_s1: "normal s1"
wenzelm@32960
   444
          have "\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
wenzelm@32960
   445
          proof -
wenzelm@32960
   446
            from eval_e wt_e da_e wf normal_s1
wenzelm@32960
   447
            have "nrm C \<subseteq>  dom (locals (store s1))"
wenzelm@32960
   448
              by (cases rule: da_good_approxE') iprover
wenzelm@32960
   449
            with da_ps show ?thesis
wenzelm@32960
   450
              by (rule da_weakenE) iprover
wenzelm@32960
   451
          qed
wenzelm@32960
   452
        }
wenzelm@32960
   453
        ultimately show ?thesis
wenzelm@32960
   454
          using eq_accC_accC' by simp
schirmer@13688
   455
      qed
schirmer@13688
   456
    qed
schirmer@13688
   457
  next
schirmer@13688
   458
    show "\<forall>a. G,A\<turnstile>{?Q\<leftarrow>In1 a} ps\<doteq>\<succ> {?R a}" (is "\<forall> a. ?PS a")
schirmer@13688
   459
    proof 
schirmer@13688
   460
      fix a  
schirmer@13688
   461
      show "?PS a"
schirmer@13688
   462
      proof (rule MGFnD' [OF mgf_ps, THEN conseq12],
schirmer@13688
   463
             clarsimp simp add: eq_accC_accC' [symmetric])
wenzelm@32960
   464
        fix s0 s1 s2 vs
wenzelm@32960
   465
        assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
wenzelm@32960
   466
        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
wenzelm@32960
   467
        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
wenzelm@32960
   468
        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
wenzelm@32960
   469
        assume da_ps: "abrupt s1 = None \<longrightarrow> 
schirmer@13688
   470
                       (\<exists>P. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> 
schirmer@13688
   471
                               dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P)"
wenzelm@32960
   472
        show "(\<exists>s1. G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1 \<and>
schirmer@13688
   473
                (abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT) \<and>
schirmer@13688
   474
                G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2) \<and>
schirmer@13688
   475
              s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   476
        proof (cases "normal s1")
wenzelm@32960
   477
          case True
wenzelm@32960
   478
          with da_ps obtain P where
wenzelm@32960
   479
           "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>ps\<rangle>\<^sub>l\<guillemotright> P"
wenzelm@32960
   480
            by auto
wenzelm@32960
   481
          from eval_ps conf_s1 wt_args this wf
wenzelm@32960
   482
          have "s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   483
            by (rule eval_type_soundE)
wenzelm@32960
   484
          with eval_e conf_a eval_ps 
wenzelm@32960
   485
          show ?thesis 
wenzelm@32960
   486
            by auto
wenzelm@32960
   487
        next
wenzelm@32960
   488
          case False
wenzelm@32960
   489
          with eval_ps have "s2=s1" by auto
wenzelm@32960
   490
          with eval_e conf_a eval_ps conf_s1 
wenzelm@32960
   491
          show ?thesis 
wenzelm@32960
   492
            by auto
wenzelm@32960
   493
        qed
schirmer@13688
   494
      qed
schirmer@13688
   495
    qed
schirmer@13688
   496
  next
schirmer@13688
   497
    show "\<forall>a vs invC declC l.
schirmer@13688
   498
      G,A\<turnstile>{?R a\<leftarrow>\<lfloor>vs\<rfloor>\<^sub>l \<and>.
schirmer@13688
   499
             (\<lambda>s. declC =
schirmer@13688
   500
                  invocation_declclass G mode (store s) a statT
schirmer@13688
   501
                      \<lparr>name=mn, parTs=pTs'\<rparr> \<and>
schirmer@13688
   502
                  invC = invocation_class mode (store s) a statT \<and>
schirmer@13688
   503
                  l = locals (store s)) ;.
schirmer@13688
   504
             init_lvars G declC \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs \<and>.
schirmer@13688
   505
             (\<lambda>s. normal s \<longrightarrow> G\<turnstile>mode\<rightarrow>invC\<preceq>statT)}
schirmer@13688
   506
          Methd declC \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ> 
schirmer@13688
   507
          {set_lvars l .; ?S}" 
schirmer@13688
   508
      (is "\<forall> a vs invC declC l. ?METHD a vs invC declC l")
schirmer@13688
   509
    proof (intro allI)
schirmer@13688
   510
      fix a vs invC declC l
schirmer@13688
   511
      from mgf_methds [rule_format]
schirmer@13688
   512
      show "?METHD a vs invC declC l"
schirmer@13688
   513
      proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   514
        fix s4 s2 s1::state
wenzelm@32960
   515
        fix s0 v
wenzelm@32960
   516
        let ?D= "invocation_declclass G mode (store s2) a statT 
schirmer@13688
   517
                    \<lparr>name=mn,parTs=pTs'\<rparr>"
wenzelm@32960
   518
        let ?s3= "init_lvars G ?D \<lparr>name=mn, parTs=pTs'\<rparr> mode a vs s2"
wenzelm@32960
   519
        assume inv_prop: "abrupt ?s3=None 
schirmer@13688
   520
             \<longrightarrow> G\<turnstile>mode\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
wenzelm@32960
   521
        assume conf_s2: "s2\<Colon>\<preceq>(G, L)"
wenzelm@32960
   522
        assume conf_a: "abrupt s1 = None \<longrightarrow> G,store s1\<turnstile>a\<Colon>\<preceq>RefT statT"
wenzelm@32960
   523
        assume eval_e: "G\<turnstile>Norm s0 \<midarrow>e-\<succ>a\<rightarrow> s1"
wenzelm@32960
   524
        assume eval_ps: "G\<turnstile>s1 \<midarrow>ps\<doteq>\<succ>vs\<rightarrow> s2"
wenzelm@32960
   525
        assume eval_mthd: "G\<turnstile>?s3 \<midarrow>Methd ?D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
wenzelm@32960
   526
        show "G\<turnstile>Norm s0 \<midarrow>{accC,statT,mode}e\<cdot>mn( {pTs'}ps)-\<succ>v
schirmer@13688
   527
                        \<rightarrow> (set_lvars (locals (store s2))) s4"
wenzelm@32960
   528
        proof -
wenzelm@32960
   529
          obtain D where D: "D=?D" by simp
wenzelm@32960
   530
          obtain s3 where s3: "s3=?s3" by simp
wenzelm@32960
   531
          obtain s3' where 
wenzelm@32960
   532
            s3': "s3' = check_method_access G accC statT mode 
schirmer@13688
   533
                           \<lparr>name=mn,parTs=pTs'\<rparr> a s3"
wenzelm@32960
   534
            by simp
wenzelm@32960
   535
          have eq_s3'_s3: "s3'=s3"
wenzelm@32960
   536
          proof -
wenzelm@32960
   537
            from inv_prop s3 mode
wenzelm@32960
   538
            have "normal s3 \<Longrightarrow> 
schirmer@13688
   539
             G\<turnstile>invmode statM e\<rightarrow>invocation_class mode (store s2) a statT\<preceq>statT"
wenzelm@32960
   540
              by auto
wenzelm@32960
   541
            with eval_ps wt_e statM conf_s2 conf_a [rule_format] 
wenzelm@32960
   542
            have "check_method_access G accC statT (invmode statM e)
schirmer@13688
   543
                      \<lparr>name=mn,parTs=pTs'\<rparr> a s3 = s3"
wenzelm@32960
   544
              by (rule error_free_call_access) (auto simp add: s3 mode wf)
wenzelm@32960
   545
            thus ?thesis 
wenzelm@32960
   546
              by (simp add: s3' mode)
wenzelm@32960
   547
          qed
wenzelm@32960
   548
          with eval_mthd D s3
wenzelm@32960
   549
          have "G\<turnstile>s3' \<midarrow>Methd D \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ>v\<rightarrow> s4"
wenzelm@32960
   550
            by simp
wenzelm@32960
   551
          with eval_e eval_ps D _ s3' 
wenzelm@32960
   552
          show ?thesis
wenzelm@32960
   553
            by (rule eval_Call) (auto simp add: s3 mode D)
wenzelm@32960
   554
        qed
schirmer@13688
   555
      qed
schirmer@13688
   556
    qed
schirmer@13688
   557
  qed
schirmer@13688
   558
qed
wenzelm@32960
   559
                  
schirmer@13688
   560
lemma eval_expression_no_jump':
schirmer@13688
   561
  assumes eval: "G\<turnstile>s0 \<midarrow>e-\<succ>v\<rightarrow> s1"
schirmer@13688
   562
  and   no_jmp: "abrupt s0 \<noteq> Some (Jump j)"
schirmer@13688
   563
  and      wt: "\<lparr>prg=G, cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-T" 
schirmer@13688
   564
  and      wf: "wf_prog G"
schirmer@13688
   565
shows "abrupt s1 \<noteq> Some (Jump j)"
schirmer@13688
   566
using eval no_jmp wt wf
schirmer@13688
   567
by - (rule eval_expression_no_jump 
schirmer@13688
   568
            [where ?Env="\<lparr>prg=G, cls=C,lcl=L\<rparr>",simplified],auto)
schirmer@12854
   569
schirmer@13688
   570
schirmer@13688
   571
text {* To derive the most general formula for the loop statement, we need to
schirmer@13688
   572
come up with a proper loop invariant, which intuitively states that we are 
schirmer@13688
   573
currently inside the evaluation of the loop. To define such an invariant, we
schirmer@13688
   574
unroll the loop in iterated evaluations of the expression and evaluations of
schirmer@13688
   575
the loop body. *}
schirmer@13688
   576
haftmann@35416
   577
definition unroll :: "prog \<Rightarrow> label \<Rightarrow> expr \<Rightarrow> stmt \<Rightarrow> (state \<times>  state) set" where
schirmer@13688
   578
schirmer@13688
   579
 "unroll G l e c \<equiv> {(s,t). \<exists> v s1 s2.
schirmer@13688
   580
                             G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s1 \<and> the_Bool v \<and> normal s1 \<and>
schirmer@13688
   581
                             G\<turnstile>s1 \<midarrow>c\<rightarrow> s2 \<and> t=(abupd (absorb (Cont l)) s2)}"
schirmer@13688
   582
schirmer@13688
   583
schirmer@13688
   584
lemma unroll_while:
schirmer@13688
   585
  assumes unroll: "(s, t) \<in> (unroll G l e c)\<^sup>*"
schirmer@13688
   586
  and     eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'" 
schirmer@13688
   587
  and     normal_termination: "normal s'  \<longrightarrow> \<not> the_Bool v"
schirmer@13688
   588
  and     wt: "\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>e\<Colon>-T"
schirmer@13688
   589
  and     wf: "wf_prog G" 
schirmer@13688
   590
  shows "G\<turnstile>s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   591
using unroll (* normal_s *)
schirmer@13688
   592
proof (induct rule: converse_rtrancl_induct) 
schirmer@13688
   593
  show "G\<turnstile>t \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   594
  proof (cases "normal t")
schirmer@13688
   595
    case False
schirmer@13688
   596
    with eval_e have "s'=t" by auto
schirmer@13688
   597
    with False show ?thesis by auto
schirmer@13688
   598
  next
schirmer@13688
   599
    case True
schirmer@13688
   600
    note normal_t = this
schirmer@13688
   601
    show ?thesis
schirmer@13688
   602
    proof (cases "normal s'")
schirmer@13688
   603
      case True
schirmer@13688
   604
      with normal_t eval_e normal_termination
schirmer@13688
   605
      show ?thesis
wenzelm@32960
   606
        by (auto intro: eval.Loop)
schirmer@13688
   607
    next
schirmer@13688
   608
      case False
schirmer@13688
   609
      note abrupt_s' = this
schirmer@13688
   610
      from eval_e _ wt wf
schirmer@13688
   611
      have no_cont: "abrupt s' \<noteq> Some (Jump (Cont l))"
wenzelm@32960
   612
        by (rule eval_expression_no_jump') (insert normal_t,simp)
schirmer@13688
   613
      have
wenzelm@32960
   614
        "if the_Bool v 
schirmer@13688
   615
             then (G\<turnstile>s' \<midarrow>c\<rightarrow> s' \<and> 
schirmer@13688
   616
                   G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s')
wenzelm@32960
   617
             else s' = s'"
schirmer@13688
   618
      proof (cases "the_Bool v")
wenzelm@32960
   619
        case False thus ?thesis by simp
schirmer@13688
   620
      next
wenzelm@32960
   621
        case True
wenzelm@32960
   622
        with abrupt_s' have "G\<turnstile>s' \<midarrow>c\<rightarrow> s'" by auto
wenzelm@32960
   623
        moreover from abrupt_s' no_cont 
wenzelm@32960
   624
        have no_absorb: "(abupd (absorb (Cont l)) s')=s'"
wenzelm@32960
   625
          by (cases s') (simp add: absorb_def split: split_if)
wenzelm@32960
   626
        moreover
wenzelm@32960
   627
        from no_absorb abrupt_s'
wenzelm@32960
   628
        have "G\<turnstile>(abupd (absorb (Cont l)) s') \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   629
          by auto
wenzelm@32960
   630
        ultimately show ?thesis
wenzelm@32960
   631
          using True by simp
schirmer@13688
   632
      qed
schirmer@13688
   633
      with eval_e 
schirmer@13688
   634
      show ?thesis
wenzelm@32960
   635
        using normal_t by (auto intro: eval.Loop)
schirmer@13688
   636
    qed
schirmer@13688
   637
  qed
schirmer@13688
   638
next
schirmer@13688
   639
  fix s s3
schirmer@13688
   640
  assume unroll: "(s,s3) \<in> unroll G l e c"
schirmer@13688
   641
  assume while: "G\<turnstile>s3 \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   642
  show "G\<turnstile>s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
schirmer@13688
   643
  proof -
schirmer@13688
   644
    from unroll obtain v s1 s2 where
schirmer@13688
   645
      normal_s1: "normal s1" and
schirmer@13688
   646
      eval_e: "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s1" and
schirmer@13688
   647
      continue: "the_Bool v" and
schirmer@13688
   648
      eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" and
schirmer@13688
   649
      s3: "s3=(abupd (absorb (Cont l)) s2)"
schirmer@13688
   650
      by  (unfold unroll_def) fast 
schirmer@13688
   651
    from eval_e normal_s1 have
schirmer@13688
   652
      "normal s"
schirmer@13688
   653
      by (rule eval_no_abrupt_lemma [rule_format])
schirmer@13688
   654
    with while eval_e continue eval_c s3 show ?thesis
schirmer@13688
   655
      by (auto intro!: eval.Loop)
schirmer@13688
   656
  qed
schirmer@13688
   657
qed
schirmer@12854
   658
schirmer@13688
   659
lemma MGFn_Loop:
schirmer@13688
   660
  assumes mfg_e: "G,(A::state triple set)\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   661
  and     mfg_c: "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   662
  and     wf: "wf_prog G" 
schirmer@13688
   663
shows "G,A\<turnstile>{=:n} \<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   664
proof (rule MGFn_free_wt [rule_format],elim exE)
schirmer@13688
   665
  fix T L C
schirmer@13688
   666
  assume wt: "\<lparr>prg = G, cls = C, lcl = L\<rparr>\<turnstile>\<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<Colon>T"
schirmer@13688
   667
  then obtain eT where
schirmer@13688
   668
    wt_e: "\<lparr>prg = G, cls = C, lcl = L\<rparr>\<turnstile>e\<Colon>-eT" 
schirmer@13688
   669
    by cases simp
schirmer@13688
   670
  show ?thesis
schirmer@13688
   671
  proof (rule MGFn_NormalI)
schirmer@13688
   672
    show "G,A\<turnstile>{Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)} 
schirmer@13688
   673
              .l\<bullet> While(e) c.
schirmer@13688
   674
              {\<lambda>Y s' s. G\<turnstile>s \<midarrow>In1r (l\<bullet> While(e) c)\<succ>\<rightarrow> (Y, s')}"
schirmer@13688
   675
    proof (rule conseq12 
schirmer@13688
   676
           [where ?P'="(\<lambda> Y s' s. (s,s') \<in> (unroll G l e c)\<^sup>* ) \<and>. G\<turnstile>init\<le>n"
schirmer@13688
   677
             and  ?Q'="((\<lambda> Y s' s. (\<exists> t b. (s,t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   678
                          Y=\<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   679
                        \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>"])
schirmer@13688
   680
      show  "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
schirmer@13688
   681
                  .l\<bullet> While(e) c.
schirmer@13688
   682
                 {((\<lambda>Y s' s. (\<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   683
                                  Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   684
                              \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>}"
schirmer@13688
   685
      proof (rule ax_derivs.Loop)
wenzelm@32960
   686
        from mfg_e
wenzelm@32960
   687
        show "G,A\<turnstile>{(\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n} 
schirmer@13688
   688
                   e-\<succ>
schirmer@13688
   689
                  {(\<lambda>Y s' s. (\<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and> 
schirmer@13688
   690
                                     Y = In1 b \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s')) 
schirmer@13688
   691
                   \<and>. G\<turnstile>init\<le>n}"
wenzelm@32960
   692
        proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   693
          fix s Z s' v
wenzelm@32960
   694
          assume "(Z, s) \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   695
          moreover
wenzelm@32960
   696
          assume "G\<turnstile>s \<midarrow>e-\<succ>v\<rightarrow> s'"
wenzelm@32960
   697
          ultimately
wenzelm@32960
   698
          show "\<exists>t. (Z, t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'"
wenzelm@32960
   699
            by blast
wenzelm@32960
   700
        qed
schirmer@13688
   701
      next
wenzelm@32960
   702
        from mfg_c
wenzelm@32960
   703
        show "G,A\<turnstile>{Normal (((\<lambda>Y s' s. \<exists>t b. (s, t) \<in> (unroll G l e c)\<^sup>* \<and>
schirmer@13688
   704
                                       Y = \<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s') 
schirmer@13688
   705
                          \<and>. G\<turnstile>init\<le>n)\<leftarrow>=True)}
schirmer@13688
   706
                  .c.
schirmer@13688
   707
                  {abupd (absorb (Cont l)) .;
schirmer@13688
   708
                   ((\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n)}"
wenzelm@32960
   709
        proof (rule MGFnD' [THEN conseq12],clarsimp)
wenzelm@32960
   710
          fix Z s' s v t
wenzelm@32960
   711
          assume unroll: "(Z, t) \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   712
          assume eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> Norm s" 
wenzelm@32960
   713
          assume true: "the_Bool v"
wenzelm@32960
   714
          assume eval_c: "G\<turnstile>Norm s \<midarrow>c\<rightarrow> s'"
wenzelm@32960
   715
          show "(Z, abupd (absorb (Cont l)) s') \<in> (unroll G l e c)\<^sup>*"
wenzelm@32960
   716
          proof -
wenzelm@32960
   717
            note unroll
wenzelm@32960
   718
            also
wenzelm@32960
   719
            from eval_e true eval_c
wenzelm@32960
   720
            have "(t,abupd (absorb (Cont l)) s') \<in> unroll G l e c" 
wenzelm@32960
   721
              by (unfold unroll_def) force
wenzelm@32960
   722
            ultimately show ?thesis ..
wenzelm@32960
   723
          qed
wenzelm@32960
   724
        qed
schirmer@13688
   725
      qed
schirmer@13688
   726
    next
schirmer@13688
   727
      show 
wenzelm@32960
   728
        "\<forall>Y s Z.
schirmer@13688
   729
         (Normal ((\<lambda>Y' s' s. s' = s \<and> normal s) \<and>. G\<turnstile>init\<le>n)) Y s Z 
schirmer@13688
   730
         \<longrightarrow> (\<forall>Y' s'.
schirmer@13688
   731
               (\<forall>Y Z'. 
schirmer@13688
   732
                 ((\<lambda>Y s' s. (s, s') \<in> (unroll G l e c)\<^sup>*) \<and>. G\<turnstile>init\<le>n) Y s Z' 
schirmer@13688
   733
                 \<longrightarrow> (((\<lambda>Y s' s. \<exists>t b. (s,t) \<in> (unroll G l e c)\<^sup>* 
schirmer@13688
   734
                                       \<and> Y=\<lfloor>b\<rfloor>\<^sub>e \<and> G\<turnstile>t \<midarrow>e-\<succ>b\<rightarrow> s') 
schirmer@13688
   735
                     \<and>. G\<turnstile>init\<le>n)\<leftarrow>=False\<down>=\<diamondsuit>) Y' s' Z') 
schirmer@13688
   736
               \<longrightarrow> G\<turnstile>Z \<midarrow>\<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ>\<rightarrow> (Y', s'))"
schirmer@13688
   737
      proof (clarsimp)
wenzelm@32960
   738
        fix Y' s' s
wenzelm@32960
   739
        assume asm:
wenzelm@32960
   740
          "\<forall>Z'. (Z', Norm s) \<in> (unroll G l e c)\<^sup>* 
schirmer@13688
   741
                 \<longrightarrow> card (nyinitcls G s') \<le> n \<and>
schirmer@13688
   742
                     (\<exists>v. (\<exists>t. (Z', t) \<in> (unroll G l e c)\<^sup>* \<and> G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s') \<and>
schirmer@13688
   743
                     (fst s' = None \<longrightarrow> \<not> the_Bool v)) \<and> Y' = \<diamondsuit>"
wenzelm@32960
   744
        show "Y' = \<diamondsuit> \<and> G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   745
        proof -
wenzelm@32960
   746
          from asm obtain v t where 
wenzelm@32960
   747
            -- {* @{term "Z'"} gets instantiated with @{term "Norm s"} *}  
wenzelm@32960
   748
            unroll: "(Norm s, t) \<in> (unroll G l e c)\<^sup>*" and
schirmer@13688
   749
            eval_e: "G\<turnstile>t \<midarrow>e-\<succ>v\<rightarrow> s'" and
schirmer@13688
   750
            normal_termination: "normal s' \<longrightarrow> \<not> the_Bool v" and
wenzelm@32960
   751
             Y': "Y' = \<diamondsuit>"
wenzelm@32960
   752
            by auto
wenzelm@32960
   753
          from unroll eval_e normal_termination wt_e wf
wenzelm@32960
   754
          have "G\<turnstile>Norm s \<midarrow>l\<bullet> While(e) c\<rightarrow> s'"
wenzelm@32960
   755
            by (rule unroll_while)
wenzelm@32960
   756
          with Y' 
wenzelm@32960
   757
          show ?thesis
wenzelm@32960
   758
            by simp
wenzelm@32960
   759
        qed
schirmer@13688
   760
      qed
schirmer@13688
   761
    qed
schirmer@13688
   762
  qed
schirmer@13688
   763
qed
schirmer@12854
   764
schirmer@12925
   765
lemma MGFn_FVar:
schirmer@13688
   766
  fixes A :: "state triple set"
schirmer@13688
   767
 assumes mgf_init: "G,A\<turnstile>{=:n} \<langle>Init statDeclC\<rangle>\<^sub>s\<succ> {G\<rightarrow>}" 
schirmer@13688
   768
  and    mgf_e: "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   769
  and    wf: "wf_prog G"
schirmer@13688
   770
  shows "G,A\<turnstile>{=:n} \<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
schirmer@13688
   771
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp) 
schirmer@13688
   772
  note inj_term_simps [simp]
schirmer@13688
   773
  fix T L accC' V
schirmer@13688
   774
  assume wt: "\<lparr>prg = G, cls = accC', lcl = L\<rparr>\<turnstile>\<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<Colon>T"
schirmer@13688
   775
  then obtain statC f where
schirmer@13688
   776
    wt_e: "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile>e\<Colon>-Class statC" and
schirmer@13688
   777
    accfield: "accfield G accC' statC fn = Some (statDeclC,f )" and
schirmer@13688
   778
    eq_accC: "accC=accC'" and
schirmer@13688
   779
    stat: "stat=is_static  f"
schirmer@13688
   780
    by (cases) (auto simp add: member_is_static_simp)
schirmer@13688
   781
  let ?Q="(\<lambda>Y s1 (x,s) . x = None \<and> 
schirmer@13688
   782
                (G\<turnstile>Norm s \<midarrow>Init statDeclC\<rightarrow> s1) \<and>
schirmer@13688
   783
                (\<exists> E. \<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile>dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E))
schirmer@13688
   784
                \<and>. G\<turnstile>init\<le>n \<and>. (\<lambda> s. s\<Colon>\<preceq>(G, L))"
schirmer@13688
   785
  show "G,A\<turnstile>{Normal
schirmer@13688
   786
             ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   787
              (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   788
              (\<lambda>s. \<lparr>prg=G,cls=accC',lcl=L\<rparr>
schirmer@13688
   789
                 \<turnstile> dom (locals (store s)) \<guillemotright> \<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<guillemotright> V))
schirmer@13688
   790
             } {accC,statDeclC,stat}e..fn=\<succ>
schirmer@13688
   791
             {\<lambda>Y s' s. \<exists>vf. Y = \<lfloor>vf\<rfloor>\<^sub>v \<and> 
schirmer@13688
   792
                        G\<turnstile>s \<midarrow>{accC,statDeclC,stat}e..fn=\<succ>vf\<rightarrow> s'}"
schirmer@13688
   793
    (is "G,A\<turnstile>{Normal ?P} {accC,statDeclC,stat}e..fn=\<succ> {?R}")
schirmer@13688
   794
  proof (rule ax_derivs.FVar [where ?Q="?Q" ])
schirmer@13688
   795
    from mgf_init
schirmer@13688
   796
    show "G,A\<turnstile>{Normal ?P} .Init statDeclC. {?Q}"
schirmer@13688
   797
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   798
      fix s s'
schirmer@13688
   799
      assume conf_s: "Norm s\<Colon>\<preceq>(G, L)"
schirmer@13688
   800
      assume da: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>
schirmer@13688
   801
                    \<turnstile> dom (locals s) \<guillemotright>\<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<guillemotright> V"
schirmer@13688
   802
      assume eval_init: "G\<turnstile>Norm s \<midarrow>Init statDeclC\<rightarrow> s'"
schirmer@13688
   803
      show "(\<exists>E. \<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E) \<and>
schirmer@13688
   804
            s'\<Colon>\<preceq>(G, L)"
schirmer@13688
   805
      proof -
wenzelm@32960
   806
        from da 
wenzelm@32960
   807
        obtain E where
wenzelm@32960
   808
          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals s) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
wenzelm@32960
   809
          by cases simp
wenzelm@32960
   810
        moreover
wenzelm@32960
   811
        from eval_init
wenzelm@32960
   812
        have "dom (locals s) \<subseteq> dom (locals (store s'))"
wenzelm@32960
   813
          by (rule dom_locals_eval_mono [elim_format]) simp
wenzelm@32960
   814
        ultimately obtain E' where
wenzelm@32960
   815
          "\<lparr>prg=G, cls=accC', lcl=L\<rparr>\<turnstile> dom (locals (store s')) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E'"
wenzelm@32960
   816
          by (rule da_weakenE)
wenzelm@32960
   817
        moreover
wenzelm@32960
   818
        have "s'\<Colon>\<preceq>(G, L)"
wenzelm@32960
   819
        proof -
wenzelm@32960
   820
          have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init statDeclC)\<Colon>\<surd>"
wenzelm@32960
   821
          proof -
wenzelm@32960
   822
            from wf wt_e 
wenzelm@32960
   823
            have iscls_statC: "is_class G statC"
wenzelm@32960
   824
              by (auto dest: ty_expr_is_type type_is_class)
wenzelm@32960
   825
            with wf accfield 
wenzelm@32960
   826
            have iscls_statDeclC: "is_class G statDeclC"
wenzelm@32960
   827
              by (auto dest!: accfield_fields dest: fields_declC)
wenzelm@32960
   828
            thus ?thesis by simp
wenzelm@32960
   829
          qed
wenzelm@32960
   830
          obtain I where 
wenzelm@32960
   831
            da_init: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>
schirmer@13688
   832
               \<turnstile> dom (locals (store ((Norm s)::state))) \<guillemotright>\<langle>Init statDeclC\<rangle>\<^sub>s\<guillemotright> I"
wenzelm@32960
   833
            by (auto intro: da_Init [simplified] assigned.select_convs)
wenzelm@32960
   834
          from eval_init conf_s wt_init da_init  wf
wenzelm@32960
   835
          show ?thesis
wenzelm@32960
   836
            by (rule eval_type_soundE)
wenzelm@32960
   837
        qed
wenzelm@32960
   838
        ultimately show ?thesis by iprover
schirmer@13688
   839
      qed
schirmer@13688
   840
    qed
schirmer@13688
   841
  next
schirmer@13688
   842
    from mgf_e
schirmer@13688
   843
    show "G,A\<turnstile>{?Q} e-\<succ> {\<lambda>Val:a:. fvar statDeclC stat fn a ..; ?R}"
schirmer@13688
   844
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   845
      fix s0 s1 s2 E a
schirmer@13688
   846
      let ?fvar = "fvar statDeclC stat fn a s2"
schirmer@13688
   847
      assume eval_init: "G\<turnstile>Norm s0 \<midarrow>Init statDeclC\<rightarrow> s1"
schirmer@13688
   848
      assume eval_e: "G\<turnstile>s1 \<midarrow>e-\<succ>a\<rightarrow> s2"
schirmer@13688
   849
      assume conf_s1: "s1\<Colon>\<preceq>(G, L)"
schirmer@13688
   850
      assume da_e: "\<lparr>prg=G,cls=accC',lcl=L\<rparr>\<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
   851
      show "G\<turnstile>Norm s0 \<midarrow>{accC,statDeclC,stat}e..fn=\<succ>fst ?fvar\<rightarrow> snd ?fvar"
schirmer@13688
   852
      proof -
wenzelm@32960
   853
        obtain v s2' where
wenzelm@32960
   854
          v: "v=fst ?fvar" and s2': "s2'=snd ?fvar"
wenzelm@32960
   855
          by simp
wenzelm@32960
   856
        obtain s3 where
wenzelm@32960
   857
          s3: "s3= check_field_access G accC' statDeclC fn stat a s2'"
wenzelm@32960
   858
          by simp
wenzelm@32960
   859
        have eq_s3_s2': "s3=s2'"
wenzelm@32960
   860
        proof -
wenzelm@32960
   861
          from eval_e conf_s1 wt_e da_e wf obtain
wenzelm@32960
   862
            conf_s2: "s2\<Colon>\<preceq>(G, L)"  and
wenzelm@32960
   863
            conf_a: "normal s2 \<Longrightarrow> G,store s2\<turnstile>a\<Colon>\<preceq>Class statC"
wenzelm@32960
   864
            by (rule eval_type_soundE) simp
wenzelm@32960
   865
          from accfield wt_e eval_init eval_e conf_s2 conf_a _ wf
wenzelm@32960
   866
          show ?thesis
wenzelm@32960
   867
            by (rule  error_free_field_access 
schirmer@13688
   868
                      [where ?v=v and ?s2'=s2',elim_format])
wenzelm@32960
   869
               (simp add: s3 v s2' stat)+
schirmer@13688
   870
        qed
wenzelm@32960
   871
        from eval_init eval_e 
wenzelm@32960
   872
        show ?thesis
wenzelm@32960
   873
          apply (rule eval.FVar [where ?s2'=s2'])
wenzelm@32960
   874
          apply  (simp add: s2')
wenzelm@32960
   875
          apply  (simp add: s3 [symmetric]   eq_s3_s2' eq_accC s2' [symmetric])
wenzelm@32960
   876
          done
schirmer@13688
   877
      qed
schirmer@13688
   878
    qed
schirmer@13688
   879
  qed
schirmer@13688
   880
qed
schirmer@12925
   881
schirmer@13337
   882
schirmer@13688
   883
lemma MGFn_Fin:
schirmer@13688
   884
  assumes wf: "wf_prog G" 
schirmer@13688
   885
  and     mgf_c1: "G,A\<turnstile>{=:n} \<langle>c1\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   886
  and     mgf_c2: "G,A\<turnstile>{=:n} \<langle>c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   887
  shows "G,(A\<Colon>state triple set)\<turnstile>{=:n} \<langle>c1 Finally c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   888
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp)
schirmer@13688
   889
  fix T L accC C 
schirmer@13688
   890
  assume wt: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>In1r (c1 Finally c2)\<Colon>T"
schirmer@13688
   891
  then obtain
schirmer@13688
   892
    wt_c1: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c1\<Colon>\<surd>" and
schirmer@13688
   893
    wt_c2: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c2\<Colon>\<surd>"
schirmer@13688
   894
    by cases simp
schirmer@13688
   895
  let  ?Q = "(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>c1\<rightarrow> s' \<and> 
schirmer@13688
   896
               (\<exists> C1. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s)) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1)
schirmer@13688
   897
               \<and> s\<Colon>\<preceq>(G, L)) 
schirmer@13688
   898
             \<and>. G\<turnstile>init\<le>n"
schirmer@13688
   899
  show "G,A\<turnstile>{Normal
schirmer@13688
   900
              ((\<lambda>Y' s' s. s' = s \<and> abrupt s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   901
              (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   902
              (\<lambda>s. \<lparr>prg=G,cls=accC,lcl =L\<rparr>  
schirmer@13688
   903
                     \<turnstile>dom (locals (store s)) \<guillemotright>\<langle>c1 Finally c2\<rangle>\<^sub>s\<guillemotright> C))}
schirmer@13688
   904
             .c1 Finally c2. 
schirmer@13688
   905
             {\<lambda>Y s' s. Y = \<diamondsuit> \<and> G\<turnstile>s \<midarrow>c1 Finally c2\<rightarrow> s'}"
schirmer@13688
   906
    (is "G,A\<turnstile>{Normal ?P} .c1 Finally c2. {?R}")
schirmer@13688
   907
  proof (rule ax_derivs.Fin [where ?Q="?Q"])
schirmer@13688
   908
    from mgf_c1
schirmer@13688
   909
    show "G,A\<turnstile>{Normal ?P} .c1. {?Q}"
schirmer@13688
   910
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
   911
      fix s0
schirmer@13688
   912
      assume "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1 Finally c2\<rangle>\<^sub>s\<guillemotright> C"
schirmer@13688
   913
      thus "\<exists>C1. \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1"
wenzelm@32960
   914
        by cases (auto simp add: inj_term_simps)
schirmer@13688
   915
    qed
schirmer@13688
   916
  next
schirmer@13688
   917
    from mgf_c2
schirmer@13688
   918
    show "\<forall>abr. G,A\<turnstile>{?Q \<and>. (\<lambda>s. abr = abrupt s) ;. abupd (\<lambda>abr. None)} .c2.
schirmer@13688
   919
          {abupd (abrupt_if (abr \<noteq> None) abr) .; ?R}"
schirmer@13688
   920
    proof (rule MGFnD' [THEN conseq12, THEN allI],clarsimp)
schirmer@13688
   921
      fix s0 s1 s2 C1
schirmer@13688
   922
      assume da_c1:"\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>c1\<rangle>\<^sub>s\<guillemotright> C1"
schirmer@13688
   923
      assume conf_s0: "Norm s0\<Colon>\<preceq>(G, L)"
schirmer@13688
   924
      assume eval_c1: "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> s1"
schirmer@13688
   925
      assume eval_c2: "G\<turnstile>abupd (\<lambda>abr. None) s1 \<midarrow>c2\<rightarrow> s2"
schirmer@13688
   926
      show "G\<turnstile>Norm s0 \<midarrow>c1 Finally c2
schirmer@13688
   927
               \<rightarrow> abupd (abrupt_if (\<exists>y. abrupt s1 = Some y) (abrupt s1)) s2"
schirmer@13688
   928
      proof -
wenzelm@32960
   929
        obtain abr1 str1 where s1: "s1=(abr1,str1)"
wenzelm@32960
   930
          by (cases s1)
wenzelm@32960
   931
        with eval_c1 eval_c2 obtain
wenzelm@32960
   932
          eval_c1': "G\<turnstile>Norm s0 \<midarrow>c1\<rightarrow> (abr1,str1)" and
wenzelm@32960
   933
          eval_c2': "G\<turnstile>Norm str1 \<midarrow>c2\<rightarrow> s2"
wenzelm@32960
   934
          by simp
wenzelm@32960
   935
        obtain s3 where 
wenzelm@32960
   936
          s3: "s3 = (if \<exists>err. abr1 = Some (Error err) 
wenzelm@32960
   937
                        then (abr1, str1)
schirmer@13688
   938
                        else abupd (abrupt_if (abr1 \<noteq> None) abr1) s2)"
wenzelm@32960
   939
          by simp
wenzelm@32960
   940
        from eval_c1' conf_s0 wt_c1 _ wf 
wenzelm@32960
   941
        have "error_free (abr1,str1)"
wenzelm@32960
   942
          by (rule eval_type_soundE) (insert da_c1,auto)
wenzelm@32960
   943
        with s3 have eq_s3: "s3=abupd (abrupt_if (abr1 \<noteq> None) abr1) s2"
wenzelm@32960
   944
          by (simp add: error_free_def)
wenzelm@32960
   945
        from eval_c1' eval_c2' s3
wenzelm@32960
   946
        show ?thesis
wenzelm@32960
   947
          by (rule eval.Fin [elim_format]) (simp add: s1 eq_s3)
schirmer@13688
   948
      qed
schirmer@13688
   949
    qed 
schirmer@13688
   950
  qed
schirmer@13688
   951
qed
schirmer@13688
   952
      
schirmer@13688
   953
lemma Body_no_break:
schirmer@13688
   954
 assumes eval_init: "G\<turnstile>Norm s0 \<midarrow>Init D\<rightarrow> s1" 
schirmer@13688
   955
   and      eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2" 
schirmer@13688
   956
   and       jmpOk: "jumpNestingOkS {Ret} c"
schirmer@13688
   957
   and        wt_c: "\<lparr>prg=G, cls=C, lcl=L\<rparr>\<turnstile>c\<Colon>\<surd>"
schirmer@13688
   958
   and        clsD: "class G D=Some d"
schirmer@13688
   959
   and          wf: "wf_prog G" 
schirmer@13688
   960
  shows "\<forall> l. abrupt s2 \<noteq> Some (Jump (Break l)) \<and> 
schirmer@13688
   961
              abrupt s2 \<noteq> Some (Jump (Cont l))"
schirmer@13688
   962
proof
schirmer@13688
   963
  fix l show "abrupt s2 \<noteq> Some (Jump (Break l)) \<and>  
schirmer@13688
   964
              abrupt s2 \<noteq> Some (Jump (Cont l))"
schirmer@13688
   965
  proof -
wenzelm@26932
   966
    fix accC from clsD have wt_init: "\<lparr>prg=G, cls=accC, lcl=L\<rparr>\<turnstile>(Init D)\<Colon>\<surd>"
schirmer@13688
   967
      by auto
schirmer@13688
   968
    from eval_init wf
schirmer@13688
   969
    have s1_no_jmp: "\<And> j. abrupt s1 \<noteq> Some (Jump j)"
schirmer@13688
   970
      by - (rule eval_statement_no_jump [OF _ _ _ wt_init],auto)
schirmer@13688
   971
    from eval_c _ wt_c wf
schirmer@13688
   972
    show ?thesis
schirmer@13688
   973
      apply (rule jumpNestingOk_eval [THEN conjE, elim_format])
schirmer@13688
   974
      using jmpOk s1_no_jmp
schirmer@13688
   975
      apply auto
schirmer@13688
   976
      done
schirmer@13688
   977
  qed
schirmer@13688
   978
qed
schirmer@12854
   979
schirmer@13688
   980
lemma MGFn_Body:
schirmer@13688
   981
  assumes wf: "wf_prog G"
schirmer@13688
   982
  and     mgf_init: "G,A\<turnstile>{=:n} \<langle>Init D\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   983
  and     mgf_c: "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
schirmer@13688
   984
  shows  "G,(A\<Colon>state triple set)\<turnstile>{=:n} \<langle>Body D c\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
   985
proof (rule MGFn_free_wt_da_NormalConformI [rule_format],clarsimp)
schirmer@13688
   986
  fix T L accC E
schirmer@13688
   987
  assume wt: "\<lparr>prg=G, cls=accC,lcl=L\<rparr>\<turnstile>\<langle>Body D c\<rangle>\<^sub>e\<Colon>T"
schirmer@13688
   988
  let ?Q="(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>Init D\<rightarrow> s' \<and> jumpNestingOkS {Ret} c) 
schirmer@13688
   989
          \<and>. G\<turnstile>init\<le>n" 
schirmer@13688
   990
  show "G,A\<turnstile>{Normal
schirmer@13688
   991
               ((\<lambda>Y' s' s. s' = s \<and> fst s = None) \<and>. G\<turnstile>init\<le>n \<and>.
schirmer@13688
   992
                (\<lambda>s. s\<Colon>\<preceq>(G, L)) \<and>.
schirmer@13688
   993
                (\<lambda>s. \<lparr>prg=G,cls=accC,lcl=L\<rparr>
schirmer@13688
   994
                       \<turnstile> dom (locals (store s)) \<guillemotright>\<langle>Body D c\<rangle>\<^sub>e\<guillemotright> E))}
schirmer@13688
   995
             Body D c-\<succ> 
schirmer@13688
   996
             {\<lambda>Y s' s. \<exists>v. Y = In1 v \<and> G\<turnstile>s \<midarrow>Body D c-\<succ>v\<rightarrow> s'}"
schirmer@13688
   997
    (is "G,A\<turnstile>{Normal ?P} Body D c-\<succ> {?R}")
schirmer@13688
   998
  proof (rule ax_derivs.Body [where ?Q="?Q"])
schirmer@13688
   999
    from mgf_init
schirmer@13688
  1000
    show "G,A\<turnstile>{Normal ?P} .Init D. {?Q}"
schirmer@13688
  1001
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
  1002
      fix s0
schirmer@13688
  1003
      assume da: "\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile> dom (locals s0) \<guillemotright>\<langle>Body D c\<rangle>\<^sub>e\<guillemotright> E"
schirmer@13688
  1004
      thus "jumpNestingOkS {Ret} c"
wenzelm@32960
  1005
        by cases simp
schirmer@13688
  1006
    qed
schirmer@13688
  1007
  next
schirmer@13688
  1008
    from mgf_c
schirmer@13688
  1009
    show "G,A\<turnstile>{?Q}.c.{\<lambda>s.. abupd (absorb Ret) .; ?R\<leftarrow>\<lfloor>the (locals s Result)\<rfloor>\<^sub>e}"
schirmer@13688
  1010
    proof (rule MGFnD' [THEN conseq12],clarsimp)
schirmer@13688
  1011
      fix s0 s1 s2
schirmer@13688
  1012
      assume eval_init: "G\<turnstile>Norm s0 \<midarrow>Init D\<rightarrow> s1"
schirmer@13688
  1013
      assume eval_c: "G\<turnstile>s1 \<midarrow>c\<rightarrow> s2"
schirmer@13688
  1014
      assume nestingOk: "jumpNestingOkS {Ret} c"
schirmer@13688
  1015
      show "G\<turnstile>Norm s0 \<midarrow>Body D c-\<succ>the (locals (store s2) Result)
schirmer@13688
  1016
              \<rightarrow> abupd (absorb Ret) s2"
schirmer@13688
  1017
      proof -
wenzelm@32960
  1018
        from wt obtain d where 
schirmer@13688
  1019
          d: "class G D=Some d" and
schirmer@13688
  1020
          wt_c: "\<lparr>prg = G, cls = accC, lcl = L\<rparr>\<turnstile>c\<Colon>\<surd>"
wenzelm@32960
  1021
          by cases auto
wenzelm@32960
  1022
        obtain s3 where 
wenzelm@32960
  1023
          s3: "s3= (if \<exists>l. fst s2 = Some (Jump (Break l)) \<or>
schirmer@13688
  1024
                           fst s2 = Some (Jump (Cont l))
schirmer@13688
  1025
                       then abupd (\<lambda>x. Some (Error CrossMethodJump)) s2 
schirmer@13688
  1026
                       else s2)"
wenzelm@32960
  1027
          by simp
wenzelm@32960
  1028
        from eval_init eval_c nestingOk wt_c d wf
wenzelm@32960
  1029
        have eq_s3_s2: "s3=s2"
wenzelm@32960
  1030
          by (rule Body_no_break [elim_format]) (simp add: s3)
wenzelm@32960
  1031
        from eval_init eval_c s3
wenzelm@32960
  1032
        show ?thesis
wenzelm@32960
  1033
          by (rule eval.Body [elim_format]) (simp add: eq_s3_s2)
schirmer@13688
  1034
      qed
schirmer@13688
  1035
    qed
schirmer@13688
  1036
  qed
schirmer@13688
  1037
qed
schirmer@13337
  1038
schirmer@13688
  1039
lemma MGFn_lemma:
schirmer@13688
  1040
  assumes mgf_methds: 
schirmer@13688
  1041
           "\<And> n. \<forall> C sig. G,(A::state triple set)\<turnstile>{=:n} \<langle>Methd C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
schirmer@13688
  1042
  and wf: "wf_prog G"
schirmer@13688
  1043
  shows "\<And> t. G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1044
proof (induct rule: full_nat_induct)
schirmer@13688
  1045
  fix n t
schirmer@13688
  1046
  assume hyp: "\<forall> m. Suc m \<le> n \<longrightarrow> (\<forall> t. G,A\<turnstile>{=:m} t\<succ> {G\<rightarrow>})"
schirmer@13688
  1047
  show "G,A\<turnstile>{=:n} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1048
  proof -
schirmer@13688
  1049
  { 
schirmer@13688
  1050
    fix v e c es
schirmer@13688
  1051
    have "G,A\<turnstile>{=:n} \<langle>v\<rangle>\<^sub>v\<succ> {G\<rightarrow>}" and 
schirmer@13688
  1052
      "G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}" and
schirmer@13688
  1053
      "G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}" and  
schirmer@13688
  1054
      "G,A\<turnstile>{=:n} \<langle>es\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@18459
  1055
    proof (induct rule: var_expr_stmt.inducts)
schirmer@13688
  1056
      case (LVar v)
schirmer@13688
  1057
      show "G,A\<turnstile>{=:n} \<langle>LVar v\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
wenzelm@32960
  1058
        apply (rule MGFn_NormalI)
wenzelm@32960
  1059
        apply (rule ax_derivs.LVar [THEN conseq1])
wenzelm@32960
  1060
        apply (clarsimp)
wenzelm@32960
  1061
        apply (rule eval.LVar)
wenzelm@32960
  1062
        done
schirmer@13688
  1063
    next
schirmer@13688
  1064
      case (FVar accC statDeclC stat e fn)
wenzelm@23366
  1065
      from MGFn_Init [OF hyp] and `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}` and wf
schirmer@13688
  1066
      show ?case
wenzelm@32960
  1067
        by (rule MGFn_FVar)
schirmer@13688
  1068
    next
schirmer@13688
  1069
      case (AVar e1 e2)
wenzelm@23366
  1070
      note mgf_e1 = `G,A\<turnstile>{=:n} \<langle>e1\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1071
      note mgf_e2 = `G,A\<turnstile>{=:n} \<langle>e2\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
schirmer@13688
  1072
      show "G,A\<turnstile>{=:n} \<langle>e1.[e2]\<rangle>\<^sub>v\<succ> {G\<rightarrow>}"
wenzelm@32960
  1073
        apply (rule MGFn_NormalI)
wenzelm@32960
  1074
        apply (rule ax_derivs.AVar)
wenzelm@32960
  1075
        apply  (rule MGFnD [OF mgf_e1, THEN ax_NormalD])
wenzelm@32960
  1076
        apply (rule allI)
wenzelm@32960
  1077
        apply (rule MGFnD' [OF mgf_e2, THEN conseq12])
wenzelm@32960
  1078
        apply (fastsimp intro: eval.AVar)
wenzelm@32960
  1079
        done
schirmer@13688
  1080
    next
schirmer@13688
  1081
      case (InsInitV c v)
schirmer@13688
  1082
      show ?case
wenzelm@32960
  1083
        by (rule MGFn_NormalI) (rule ax_derivs.InsInitV)
schirmer@13688
  1084
    next
schirmer@13688
  1085
      case (NewC C)
schirmer@13688
  1086
      show ?case
wenzelm@32960
  1087
        apply (rule MGFn_NormalI)
wenzelm@32960
  1088
        apply (rule ax_derivs.NewC)
wenzelm@32960
  1089
        apply (rule MGFn_InitD [OF hyp, THEN conseq2])
wenzelm@32960
  1090
        apply (fastsimp intro: eval.NewC)
wenzelm@32960
  1091
        done
schirmer@13688
  1092
    next
schirmer@13688
  1093
      case (NewA T e)
schirmer@13688
  1094
      thus ?case
wenzelm@32960
  1095
        apply -
wenzelm@32960
  1096
        apply (rule MGFn_NormalI) 
wenzelm@32960
  1097
        apply (rule ax_derivs.NewA 
schirmer@13688
  1098
               [where ?Q = "(\<lambda>Y' s' s. normal s \<and> G\<turnstile>s \<midarrow>In1r (init_comp_ty T) 
schirmer@13688
  1099
                              \<succ>\<rightarrow> (Y',s')) \<and>. G\<turnstile>init\<le>n"])
wenzelm@32960
  1100
        apply  (simp add: init_comp_ty_def split add: split_if)
wenzelm@32960
  1101
        apply  (rule conjI, clarsimp)
wenzelm@32960
  1102
        apply   (rule MGFn_InitD [OF hyp, THEN conseq2])
wenzelm@32960
  1103
        apply   (clarsimp intro: eval.Init)
wenzelm@32960
  1104
        apply  clarsimp
wenzelm@32960
  1105
        apply  (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
  1106
        apply  (clarsimp intro: eval.Skip)
wenzelm@32960
  1107
        apply (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1108
        apply (fastsimp intro: eval.NewA)
wenzelm@32960
  1109
        done
schirmer@13688
  1110
    next
schirmer@13688
  1111
      case (Cast C e)
schirmer@13688
  1112
      thus ?case
wenzelm@32960
  1113
        apply -
wenzelm@32960
  1114
        apply (rule MGFn_NormalI)
wenzelm@32960
  1115
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Cast])
wenzelm@32960
  1116
        apply (fastsimp intro: eval.Cast)
wenzelm@32960
  1117
        done
schirmer@13688
  1118
    next
schirmer@13688
  1119
      case (Inst e C)
schirmer@13688
  1120
      thus ?case
wenzelm@32960
  1121
        apply -
wenzelm@32960
  1122
        apply (rule MGFn_NormalI)
wenzelm@32960
  1123
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Inst])
wenzelm@32960
  1124
        apply (fastsimp intro: eval.Inst)
wenzelm@32960
  1125
        done
schirmer@13688
  1126
    next
schirmer@13688
  1127
      case (Lit v)
schirmer@13688
  1128
      show ?case
wenzelm@32960
  1129
        apply -
wenzelm@32960
  1130
        apply (rule MGFn_NormalI)
wenzelm@32960
  1131
        apply (rule ax_derivs.Lit [THEN conseq1])
wenzelm@32960
  1132
        apply (fastsimp intro: eval.Lit)
wenzelm@32960
  1133
        done
schirmer@13688
  1134
    next
schirmer@13688
  1135
      case (UnOp unop e)
schirmer@13688
  1136
      thus ?case
wenzelm@32960
  1137
        apply -
wenzelm@32960
  1138
        apply (rule MGFn_NormalI)
wenzelm@32960
  1139
        apply (rule ax_derivs.UnOp)
wenzelm@32960
  1140
        apply (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1141
        apply (fastsimp intro: eval.UnOp)
wenzelm@32960
  1142
        done
schirmer@13688
  1143
    next
schirmer@13688
  1144
      case (BinOp binop e1 e2)
schirmer@13688
  1145
      thus ?case
wenzelm@32960
  1146
        apply -
wenzelm@32960
  1147
        apply (rule MGFn_NormalI)
wenzelm@32960
  1148
        apply (rule ax_derivs.BinOp)
wenzelm@32960
  1149
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1150
        apply (rule allI)
wenzelm@32960
  1151
        apply (case_tac "need_second_arg binop v1")
wenzelm@32960
  1152
        apply  simp
wenzelm@32960
  1153
        apply  (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1154
        apply  (fastsimp intro: eval.BinOp)
wenzelm@32960
  1155
        apply simp
wenzelm@32960
  1156
        apply (rule ax_Normal_cases)
wenzelm@32960
  1157
        apply  (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
  1158
        apply  clarsimp
wenzelm@32960
  1159
        apply  (rule eval_BinOp_arg2_indepI)
wenzelm@32960
  1160
        apply   simp
wenzelm@32960
  1161
        apply  simp
wenzelm@32960
  1162
        apply (rule ax_derivs.Abrupt [THEN conseq1], clarsimp simp add: Let_def)
wenzelm@32960
  1163
        apply (fastsimp intro: eval.BinOp)
wenzelm@32960
  1164
        done
schirmer@13688
  1165
    next
schirmer@13688
  1166
      case Super
schirmer@13688
  1167
      show ?case
wenzelm@32960
  1168
        apply -
wenzelm@32960
  1169
        apply (rule MGFn_NormalI)
wenzelm@32960
  1170
        apply (rule ax_derivs.Super [THEN conseq1])
wenzelm@32960
  1171
        apply (fastsimp intro: eval.Super)
wenzelm@32960
  1172
        done
schirmer@13688
  1173
    next
schirmer@13688
  1174
      case (Acc v)
schirmer@13688
  1175
      thus ?case
wenzelm@32960
  1176
        apply -
wenzelm@32960
  1177
        apply (rule MGFn_NormalI)
wenzelm@32960
  1178
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Acc])
wenzelm@32960
  1179
        apply (fastsimp intro: eval.Acc simp add: split_paired_all)
wenzelm@32960
  1180
        done
schirmer@13688
  1181
    next
schirmer@13688
  1182
      case (Ass v e)
schirmer@13688
  1183
      thus "G,A\<turnstile>{=:n} \<langle>v:=e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1184
        apply -
wenzelm@32960
  1185
        apply (rule MGFn_NormalI)
wenzelm@32960
  1186
        apply (rule ax_derivs.Ass)
wenzelm@32960
  1187
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1188
        apply (rule allI)
wenzelm@32960
  1189
        apply (erule MGFnD'[THEN conseq12])
wenzelm@32960
  1190
        apply (fastsimp intro: eval.Ass simp add: split_paired_all)
wenzelm@32960
  1191
        done
schirmer@13688
  1192
    next
schirmer@13688
  1193
      case (Cond e1 e2 e3)
schirmer@13688
  1194
      thus "G,A\<turnstile>{=:n} \<langle>e1 ? e2 : e3\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1195
        apply -
wenzelm@32960
  1196
        apply (rule MGFn_NormalI)
wenzelm@32960
  1197
        apply (rule ax_derivs.Cond)
wenzelm@32960
  1198
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1199
        apply (rule allI)
wenzelm@32960
  1200
        apply (rule ax_Normal_cases)
wenzelm@32960
  1201
        prefer 2
wenzelm@32960
  1202
        apply  (rule ax_derivs.Abrupt [THEN conseq1],clarsimp simp add: Let_def)
wenzelm@32960
  1203
        apply  (fastsimp intro: eval.Cond)
wenzelm@32960
  1204
        apply (case_tac "b")
wenzelm@32960
  1205
        apply  simp
wenzelm@32960
  1206
        apply  (erule MGFnD'[THEN conseq12])
wenzelm@32960
  1207
        apply  (fastsimp intro: eval.Cond)
wenzelm@32960
  1208
        apply simp
wenzelm@32960
  1209
        apply (erule MGFnD'[THEN conseq12])
wenzelm@32960
  1210
        apply (fastsimp intro: eval.Cond)
wenzelm@32960
  1211
        done
schirmer@13688
  1212
    next
schirmer@13688
  1213
      case (Call accC statT mode e mn pTs' ps)
wenzelm@23366
  1214
      note mgf_e = `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1215
      note mgf_ps = `G,A\<turnstile>{=:n} \<langle>ps\<rangle>\<^sub>l\<succ> {G\<rightarrow>}`
schirmer@13688
  1216
      from mgf_methds mgf_e mgf_ps wf
schirmer@13688
  1217
      show "G,A\<turnstile>{=:n} \<langle>{accC,statT,mode}e\<cdot>mn({pTs'}ps)\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1218
        by (rule MGFn_Call)
schirmer@13688
  1219
    next
schirmer@13688
  1220
      case (Methd D mn)
schirmer@13688
  1221
      from mgf_methds
schirmer@13688
  1222
      show "G,A\<turnstile>{=:n} \<langle>Methd D mn\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1223
        by simp
schirmer@13688
  1224
    next
schirmer@13688
  1225
      case (Body D c)
wenzelm@23366
  1226
      note mgf_c = `G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1227
      from wf MGFn_Init [OF hyp] mgf_c
schirmer@13688
  1228
      show "G,A\<turnstile>{=:n} \<langle>Body D c\<rangle>\<^sub>e\<succ> {G\<rightarrow>}"
wenzelm@32960
  1229
        by (rule MGFn_Body)
schirmer@13688
  1230
    next
schirmer@13688
  1231
      case (InsInitE c e)
schirmer@13688
  1232
      show ?case
wenzelm@32960
  1233
        by (rule MGFn_NormalI) (rule ax_derivs.InsInitE)
schirmer@13688
  1234
    next
schirmer@13688
  1235
      case (Callee l e)
schirmer@13688
  1236
      show ?case
wenzelm@32960
  1237
        by (rule MGFn_NormalI) (rule ax_derivs.Callee)
schirmer@13688
  1238
    next
schirmer@13688
  1239
      case Skip
schirmer@13688
  1240
      show ?case
wenzelm@32960
  1241
        apply -
wenzelm@32960
  1242
        apply (rule MGFn_NormalI)
wenzelm@32960
  1243
        apply (rule ax_derivs.Skip [THEN conseq1])
wenzelm@32960
  1244
        apply (fastsimp intro: eval.Skip)
wenzelm@32960
  1245
        done
schirmer@13688
  1246
    next
schirmer@13688
  1247
      case (Expr e)
schirmer@13688
  1248
      thus ?case
wenzelm@32960
  1249
        apply -
wenzelm@32960
  1250
        apply (rule MGFn_NormalI)
wenzelm@32960
  1251
        apply (erule MGFnD'[THEN conseq12,THEN ax_derivs.Expr])
wenzelm@32960
  1252
        apply (fastsimp intro: eval.Expr)
wenzelm@32960
  1253
        done
schirmer@13688
  1254
    next
schirmer@13688
  1255
      case (Lab l c)
schirmer@13688
  1256
      thus "G,A\<turnstile>{=:n} \<langle>l\<bullet> c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1257
        apply -
wenzelm@32960
  1258
        apply (rule MGFn_NormalI)
wenzelm@32960
  1259
        apply (erule MGFnD' [THEN conseq12, THEN ax_derivs.Lab])
wenzelm@32960
  1260
        apply (fastsimp intro: eval.Lab)
wenzelm@32960
  1261
        done
schirmer@13688
  1262
    next
schirmer@13688
  1263
      case (Comp c1 c2)
schirmer@13688
  1264
      thus "G,A\<turnstile>{=:n} \<langle>c1;; c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1265
        apply -
wenzelm@32960
  1266
        apply (rule MGFn_NormalI)
wenzelm@32960
  1267
        apply (rule ax_derivs.Comp)
wenzelm@32960
  1268
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1269
        apply (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1270
        apply (fastsimp intro: eval.Comp) 
wenzelm@32960
  1271
        done
schirmer@13688
  1272
    next
wenzelm@24783
  1273
      case (If' e c1 c2)
schirmer@13688
  1274
      thus "G,A\<turnstile>{=:n} \<langle>If(e) c1 Else c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1275
        apply -
wenzelm@32960
  1276
        apply (rule MGFn_NormalI)
wenzelm@32960
  1277
        apply (rule ax_derivs.If)
wenzelm@32960
  1278
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1279
        apply (rule allI)
wenzelm@32960
  1280
        apply (rule ax_Normal_cases)
wenzelm@32960
  1281
        prefer 2
wenzelm@32960
  1282
        apply  (rule ax_derivs.Abrupt [THEN conseq1],clarsimp simp add: Let_def)
wenzelm@32960
  1283
        apply  (fastsimp intro: eval.If)
wenzelm@32960
  1284
        apply (case_tac "b")
wenzelm@32960
  1285
        apply  simp
wenzelm@32960
  1286
        apply  (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1287
        apply  (fastsimp intro: eval.If)
wenzelm@32960
  1288
        apply simp
wenzelm@32960
  1289
        apply (erule MGFnD' [THEN conseq12])
wenzelm@32960
  1290
        apply (fastsimp intro: eval.If)
wenzelm@32960
  1291
        done
schirmer@13688
  1292
    next
schirmer@13688
  1293
      case (Loop l e c)
wenzelm@23366
  1294
      note mgf_e = `G,A\<turnstile>{=:n} \<langle>e\<rangle>\<^sub>e\<succ> {G\<rightarrow>}`
wenzelm@23366
  1295
      note mgf_c = `G,A\<turnstile>{=:n} \<langle>c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1296
      from mgf_e mgf_c wf
schirmer@13688
  1297
      show "G,A\<turnstile>{=:n} \<langle>l\<bullet> While(e) c\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1298
        by (rule MGFn_Loop)
schirmer@13688
  1299
    next
schirmer@13688
  1300
      case (Jmp j)
schirmer@13688
  1301
      thus ?case
wenzelm@32960
  1302
        apply -
wenzelm@32960
  1303
        apply (rule MGFn_NormalI)
wenzelm@32960
  1304
        apply (rule ax_derivs.Jmp [THEN conseq1])
wenzelm@32960
  1305
        apply (auto intro: eval.Jmp simp add: abupd_def2)
wenzelm@32960
  1306
        done
schirmer@13688
  1307
    next
schirmer@13688
  1308
      case (Throw e)
schirmer@13688
  1309
      thus ?case
wenzelm@32960
  1310
        apply -
wenzelm@32960
  1311
        apply (rule MGFn_NormalI)
wenzelm@32960
  1312
        apply (erule MGFnD' [THEN conseq12, THEN ax_derivs.Throw])
wenzelm@32960
  1313
        apply (fastsimp intro: eval.Throw)
wenzelm@32960
  1314
        done
schirmer@13688
  1315
    next
schirmer@13688
  1316
      case (TryC c1 C vn c2)
schirmer@13688
  1317
      thus "G,A\<turnstile>{=:n} \<langle>Try c1 Catch(C vn) c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1318
        apply -
wenzelm@32960
  1319
        apply (rule MGFn_NormalI)
wenzelm@32960
  1320
        apply (rule ax_derivs.Try [where 
schirmer@13688
  1321
          ?Q = " (\<lambda>Y' s' s. normal s \<and> (\<exists>s''. G\<turnstile>s \<midarrow>\<langle>c1\<rangle>\<^sub>s\<succ>\<rightarrow> (Y',s'') \<and> 
schirmer@13688
  1322
                            G\<turnstile>s'' \<midarrow>sxalloc\<rightarrow> s')) \<and>. G\<turnstile>init\<le>n"])
wenzelm@32960
  1323
        apply   (erule MGFnD [THEN ax_NormalD, THEN conseq2])
wenzelm@32960
  1324
        apply   (fastsimp elim: sxalloc_gext [THEN card_nyinitcls_gext])
wenzelm@32960
  1325
        apply  (erule MGFnD'[THEN conseq12])
wenzelm@32960
  1326
        apply  (fastsimp intro: eval.Try)
wenzelm@32960
  1327
        apply (fastsimp intro: eval.Try)
wenzelm@32960
  1328
        done
schirmer@13688
  1329
    next
schirmer@13688
  1330
      case (Fin c1 c2)
wenzelm@23366
  1331
      note mgf_c1 = `G,A\<turnstile>{=:n} \<langle>c1\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
wenzelm@23366
  1332
      note mgf_c2 = `G,A\<turnstile>{=:n} \<langle>c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}`
schirmer@13688
  1333
      from wf mgf_c1 mgf_c2
schirmer@13688
  1334
      show "G,A\<turnstile>{=:n} \<langle>c1 Finally c2\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1335
        by (rule MGFn_Fin)
schirmer@13688
  1336
    next
schirmer@13688
  1337
      case (FinA abr c)
schirmer@13688
  1338
      show ?case
wenzelm@32960
  1339
        by (rule MGFn_NormalI) (rule ax_derivs.FinA)
schirmer@13688
  1340
    next
schirmer@13688
  1341
      case (Init C)
schirmer@13688
  1342
      from hyp
schirmer@13688
  1343
      show "G,A\<turnstile>{=:n} \<langle>Init C\<rangle>\<^sub>s\<succ> {G\<rightarrow>}"
wenzelm@32960
  1344
        by (rule MGFn_Init)
schirmer@13688
  1345
    next
schirmer@13688
  1346
      case Nil_expr
schirmer@13688
  1347
      show "G,A\<turnstile>{=:n} \<langle>[]\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@32960
  1348
        apply -
wenzelm@32960
  1349
        apply (rule MGFn_NormalI)
wenzelm@32960
  1350
        apply (rule ax_derivs.Nil [THEN conseq1])
wenzelm@32960
  1351
        apply (fastsimp intro: eval.Nil)
wenzelm@32960
  1352
        done
schirmer@13688
  1353
    next
schirmer@13688
  1354
      case (Cons_expr e es)
schirmer@13688
  1355
      thus "G,A\<turnstile>{=:n} \<langle>e# es\<rangle>\<^sub>l\<succ> {G\<rightarrow>}"
wenzelm@32960
  1356
        apply -
wenzelm@32960
  1357
        apply (rule MGFn_NormalI)
wenzelm@32960
  1358
        apply (rule ax_derivs.Cons)
wenzelm@32960
  1359
        apply  (erule MGFnD [THEN ax_NormalD])
wenzelm@32960
  1360
        apply (rule allI)
wenzelm@32960
  1361
        apply (erule MGFnD'[THEN conseq12])
wenzelm@32960
  1362
        apply (fastsimp intro: eval.Cons)
wenzelm@32960
  1363
        done
schirmer@13688
  1364
    qed
schirmer@13688
  1365
  }
schirmer@13688
  1366
  thus ?thesis
schirmer@13688
  1367
    by (cases rule: term_cases) auto
schirmer@13688
  1368
  qed
schirmer@13688
  1369
qed
schirmer@12854
  1370
schirmer@12925
  1371
lemma MGF_asm: 
schirmer@12925
  1372
"\<lbrakk>\<forall>C sig. is_methd G C sig \<longrightarrow> G,A\<turnstile>{\<doteq>} In1l (Methd C sig)\<succ> {G\<rightarrow>}; wf_prog G\<rbrakk>
schirmer@12925
  1373
 \<Longrightarrow> G,(A::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
  1374
apply (simp (no_asm_use) add: MGF_MGFn_iff)
schirmer@12854
  1375
apply (rule allI)
schirmer@12854
  1376
apply (rule MGFn_lemma)
schirmer@12854
  1377
apply (intro strip)
schirmer@12854
  1378
apply (rule MGFn_free_wt)
schirmer@12854
  1379
apply (force dest: wt_Methd_is_methd)
schirmer@12925
  1380
apply assumption (* wf_prog G *)
schirmer@12854
  1381
done
schirmer@12854
  1382
schirmer@12854
  1383
section "nested version"
schirmer@12854
  1384
schirmer@13688
  1385
lemma nesting_lemma' [rule_format (no_asm)]: 
schirmer@13688
  1386
  assumes ax_derivs_asm: "\<And>A ts. ts \<subseteq> A \<Longrightarrow> P A ts" 
schirmer@13688
  1387
  and MGF_nested_Methd: "\<And>A pn. \<forall>b\<in>bdy pn. P (insert (mgf_call pn) A) {mgf b}
schirmer@13688
  1388
                                  \<Longrightarrow> P A {mgf_call pn}"
schirmer@13688
  1389
  and MGF_asm: "\<And>A t. \<forall>pn\<in>U. P A {mgf_call pn} \<Longrightarrow> P A {mgf t}"
schirmer@13688
  1390
  and finU: "finite U"
schirmer@13688
  1391
  and uA: "uA = mgf_call`U"
schirmer@13688
  1392
  shows "\<forall>A. A \<subseteq> uA \<longrightarrow> n \<le> card uA \<longrightarrow> card A = card uA - n 
schirmer@13688
  1393
             \<longrightarrow> (\<forall>t. P A {mgf t})"
schirmer@13688
  1394
using finU uA
schirmer@13688
  1395
apply -
schirmer@13688
  1396
apply (induct_tac "n")
wenzelm@23894
  1397
apply  (tactic "ALLGOALS (clarsimp_tac @{clasimpset})")
wenzelm@31945
  1398
apply  (tactic {* dtac (Thm.permute_prems 0 1 (thm "card_seteq")) 1 *})
schirmer@13688
  1399
apply    simp
schirmer@13688
  1400
apply   (erule finite_imageI)
schirmer@13688
  1401
apply  (simp add: MGF_asm ax_derivs_asm)
schirmer@13688
  1402
apply (rule MGF_asm)
schirmer@13688
  1403
apply (rule ballI)
schirmer@13688
  1404
apply (case_tac "mgf_call pn : A")
schirmer@13688
  1405
apply  (fast intro: ax_derivs_asm)
schirmer@13688
  1406
apply (rule MGF_nested_Methd)
schirmer@13688
  1407
apply (rule ballI)
schirmer@13688
  1408
apply (drule spec, erule impE, erule_tac [2] impE, erule_tac [3] spec)
schirmer@13688
  1409
apply   fast
schirmer@13688
  1410
apply (drule finite_subset)
schirmer@13688
  1411
apply (erule finite_imageI)
schirmer@13688
  1412
apply auto
schirmer@13688
  1413
done
schirmer@12854
  1414
schirmer@13688
  1415
schirmer@13688
  1416
lemma nesting_lemma [rule_format (no_asm)]:
schirmer@13688
  1417
  assumes ax_derivs_asm: "\<And>A ts. ts \<subseteq> A \<Longrightarrow> P A ts"
schirmer@13688
  1418
  and MGF_nested_Methd: "\<And>A pn. \<forall>b\<in>bdy pn. P (insert (mgf (f pn)) A) {mgf b}
schirmer@13688
  1419
                                  \<Longrightarrow> P A {mgf (f pn)}"
schirmer@13688
  1420
  and MGF_asm: "\<And>A t. \<forall>pn\<in>U. P A {mgf (f pn)} \<Longrightarrow> P A {mgf t}"
schirmer@13688
  1421
  and finU: "finite U"
schirmer@13688
  1422
shows "P {} {mgf t}"
schirmer@13688
  1423
using ax_derivs_asm MGF_nested_Methd MGF_asm finU
schirmer@13688
  1424
by (rule nesting_lemma') (auto intro!: le_refl)
schirmer@13688
  1425
schirmer@12854
  1426
schirmer@12854
  1427
lemma MGF_nested_Methd: "\<lbrakk>  
schirmer@13688
  1428
 G,insert ({Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}) A
schirmer@13688
  1429
    \<turnstile>{Normal \<doteq>} \<langle>body G C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}  
schirmer@13688
  1430
 \<rbrakk> \<Longrightarrow>  G,A\<turnstile>{Normal \<doteq>}  \<langle>Methd  C sig\<rangle>\<^sub>e \<succ>{G\<rightarrow>}"
schirmer@12854
  1431
apply (unfold MGF_def)
schirmer@12854
  1432
apply (rule ax_MethdN)
schirmer@12854
  1433
apply (erule conseq2)
schirmer@12854
  1434
apply clarsimp
schirmer@12854
  1435
apply (erule MethdI)
schirmer@12854
  1436
done
schirmer@12854
  1437
schirmer@12925
  1438
lemma MGF_deriv: "wf_prog G \<Longrightarrow> G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@12854
  1439
apply (rule MGFNormalI)
schirmer@12854
  1440
apply (rule_tac mgf = "\<lambda>t. {Normal \<doteq>} t\<succ> {G\<rightarrow>}" and 
schirmer@13688
  1441
                bdy = "\<lambda> (C,sig) .{\<langle>body G C sig\<rangle>\<^sub>e }" and 
schirmer@13688
  1442
                f = "\<lambda> (C,sig) . \<langle>Methd C sig\<rangle>\<^sub>e " in nesting_lemma)
schirmer@12854
  1443
apply    (erule ax_derivs.asm)
schirmer@12854
  1444
apply   (clarsimp simp add: split_tupled_all)
schirmer@12854
  1445
apply   (erule MGF_nested_Methd)
schirmer@12925
  1446
apply  (erule_tac [2] finite_is_methd [OF wf_ws_prog])
schirmer@12854
  1447
apply (rule MGF_asm [THEN MGFNormalD])
schirmer@12925
  1448
apply (auto intro: MGFNormalI)
schirmer@12854
  1449
done
schirmer@12854
  1450
schirmer@12854
  1451
schirmer@12854
  1452
section "simultaneous version"
schirmer@12854
  1453
schirmer@12854
  1454
lemma MGF_simult_Methd_lemma: "finite ms \<Longrightarrow>  
schirmer@13688
  1455
  G,A \<union> (\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms  
schirmer@13688
  1456
      |\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>body G C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms \<Longrightarrow>  
schirmer@13688
  1457
  G,A|\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd  C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) ` ms"
schirmer@12854
  1458
apply (unfold MGF_def)
schirmer@12854
  1459
apply (rule ax_derivs.Methd [unfolded mtriples_def])
schirmer@12854
  1460
apply (erule ax_finite_pointwise)
schirmer@12854
  1461
prefer 2
schirmer@12854
  1462
apply  (rule ax_derivs.asm)
schirmer@12854
  1463
apply  fast
schirmer@12854
  1464
apply clarsimp
schirmer@12854
  1465
apply (rule conseq2)
schirmer@12854
  1466
apply  (erule (1) ax_methods_spec)
schirmer@12854
  1467
apply clarsimp
schirmer@12854
  1468
apply (erule eval_Methd)
schirmer@12854
  1469
done
schirmer@12854
  1470
schirmer@12925
  1471
lemma MGF_simult_Methd: "wf_prog G \<Longrightarrow> 
schirmer@13688
  1472
   G,({}::state triple set)|\<turnstile>(\<lambda>(C,sig). {Normal \<doteq>} \<langle>Methd C sig\<rangle>\<^sub>e\<succ> {G\<rightarrow>}) 
schirmer@12854
  1473
   ` Collect (split (is_methd G)) "
schirmer@12925
  1474
apply (frule finite_is_methd [OF wf_ws_prog])
schirmer@12854
  1475
apply (rule MGF_simult_Methd_lemma)
schirmer@12854
  1476
apply  assumption
schirmer@12854
  1477
apply (erule ax_finite_pointwise)
schirmer@12854
  1478
prefer 2
schirmer@12854
  1479
apply  (rule ax_derivs.asm)
schirmer@12854
  1480
apply  blast
schirmer@12854
  1481
apply clarsimp
schirmer@12854
  1482
apply (rule MGF_asm [THEN MGFNormalD])
schirmer@12925
  1483
apply   (auto intro: MGFNormalI)
schirmer@12854
  1484
done
schirmer@12854
  1485
schirmer@12854
  1486
schirmer@12854
  1487
section "corollaries"
schirmer@12854
  1488
schirmer@12925
  1489
lemma eval_to_evaln: "\<lbrakk>G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y', s');type_ok G t s; wf_prog G\<rbrakk>
schirmer@12925
  1490
 \<Longrightarrow>   \<exists>n. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s')"
schirmer@12925
  1491
apply (cases "normal s")
schirmer@12925
  1492
apply   (force simp add: type_ok_def intro: eval_evaln)
schirmer@12925
  1493
apply   (force intro: evaln.Abrupt)
schirmer@12925
  1494
done
schirmer@12925
  1495
schirmer@13688
  1496
lemma MGF_complete:
schirmer@13688
  1497
  assumes valid: "G,{}\<Turnstile>{P} t\<succ> {Q}"
schirmer@13688
  1498
  and     mgf: "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1499
  and      wf: "wf_prog G"
schirmer@13688
  1500
  shows "G,({}::state triple set)\<turnstile>{P::state assn} t\<succ> {Q}"
schirmer@13688
  1501
proof (rule ax_no_hazard)
schirmer@13688
  1502
  from mgf
schirmer@13688
  1503
  have "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {\<lambda>Y s' s. G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y, s')}"  
schirmer@13688
  1504
    by  (unfold MGF_def) 
schirmer@13688
  1505
  thus "G,({}::state triple set)\<turnstile>{P \<and>. type_ok G t} t\<succ> {Q}"
schirmer@13688
  1506
  proof (rule conseq12,clarsimp)
schirmer@13688
  1507
    fix Y s Z Y' s'
schirmer@13688
  1508
    assume P: "P Y s Z"
schirmer@13688
  1509
    assume type_ok: "type_ok G t s"
schirmer@13688
  1510
    assume eval_t: "G\<turnstile>s \<midarrow>t\<succ>\<rightarrow> (Y', s')"
schirmer@13688
  1511
    show "Q Y' s' Z"
schirmer@13688
  1512
    proof -
schirmer@13688
  1513
      from eval_t type_ok wf 
schirmer@13688
  1514
      obtain n where evaln: "G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s')"
wenzelm@32960
  1515
        by (rule eval_to_evaln [elim_format]) iprover
schirmer@13688
  1516
      from valid have 
wenzelm@32960
  1517
        valid_expanded:
wenzelm@32960
  1518
        "\<forall>n Y s Z. P Y s Z \<longrightarrow> type_ok G t s 
schirmer@13688
  1519
                   \<longrightarrow> (\<forall>Y' s'. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y', s') \<longrightarrow> Q Y' s' Z)"
wenzelm@32960
  1520
        by (simp add: ax_valids_def triple_valid_def)
schirmer@13688
  1521
      from P type_ok evaln
schirmer@13688
  1522
      show "Q Y' s' Z"
wenzelm@32960
  1523
        by (rule valid_expanded [rule_format])
schirmer@13688
  1524
    qed
schirmer@13688
  1525
  qed 
schirmer@13688
  1526
qed
schirmer@13688
  1527
   
schirmer@13688
  1528
theorem ax_complete: 
schirmer@13688
  1529
  assumes wf: "wf_prog G" 
schirmer@13688
  1530
  and valid: "G,{}\<Turnstile>{P::state assn} t\<succ> {Q}"
schirmer@13688
  1531
  shows "G,({}::state triple set)\<turnstile>{P} t\<succ> {Q}"
schirmer@13688
  1532
proof -
schirmer@13688
  1533
  from wf have "G,({}::state triple set)\<turnstile>{\<doteq>} t\<succ> {G\<rightarrow>}"
schirmer@13688
  1534
    by (rule MGF_deriv)
schirmer@13688
  1535
  from valid this wf
schirmer@13688
  1536
  show ?thesis
schirmer@13688
  1537
    by (rule MGF_complete)
schirmer@13688
  1538
qed
schirmer@13688
  1539
 
schirmer@12854
  1540
end