13696
|
1 |
(* Title: HOL/Hoare/Hoare.ML
|
|
2 |
ID: $Id$
|
|
3 |
Author: Leonor Prensa Nieto & Tobias Nipkow
|
|
4 |
Copyright 1998 TUM
|
|
5 |
|
|
6 |
Derivation of the proof rules and, most importantly, the VCG tactic.
|
|
7 |
*)
|
|
8 |
|
|
9 |
(*** The proof rules ***)
|
|
10 |
|
|
11 |
Goalw [thm "Valid_def"] "p <= q ==> Valid p (Basic id) q";
|
|
12 |
by (Auto_tac);
|
|
13 |
qed "SkipRule";
|
|
14 |
|
|
15 |
Goalw [thm "Valid_def"] "p <= {s. (f s):q} ==> Valid p (Basic f) q";
|
|
16 |
by (Auto_tac);
|
|
17 |
qed "BasicRule";
|
|
18 |
|
|
19 |
Goalw [thm "Valid_def"] "Valid P c1 Q ==> Valid Q c2 R ==> Valid P (c1;c2) R";
|
|
20 |
by (Asm_simp_tac 1);
|
|
21 |
by (Blast_tac 1);
|
|
22 |
qed "SeqRule";
|
|
23 |
|
|
24 |
Goalw [thm "Valid_def"]
|
|
25 |
"p <= {s. (s:b --> s:w) & (s~:b --> s:w')} \
|
|
26 |
\ ==> Valid w c1 q ==> Valid w' c2 q \
|
|
27 |
\ ==> Valid p (Cond b c1 c2) q";
|
|
28 |
by (Asm_simp_tac 1);
|
|
29 |
by (Blast_tac 1);
|
|
30 |
qed "CondRule";
|
|
31 |
|
|
32 |
Goal "! s s'. Sem c s s' --> s : I Int b --> s' : I ==> \
|
|
33 |
\ ! s s'. s : I --> iter n b (Sem c) s s' --> s' : I & s' ~: b";
|
|
34 |
by (induct_tac "n" 1);
|
|
35 |
by (Asm_simp_tac 1);
|
|
36 |
by (Simp_tac 1);
|
|
37 |
by (Blast_tac 1);
|
|
38 |
val lemma = result() RS spec RS spec RS mp RS mp;
|
|
39 |
|
|
40 |
Goalw [thm "Valid_def"]
|
|
41 |
"p <= i ==> Valid (i Int b) c i ==> i Int (-b) <= q \
|
|
42 |
\ ==> Valid p (While b j c) q";
|
|
43 |
by (Asm_simp_tac 1);
|
|
44 |
by (Clarify_tac 1);
|
|
45 |
by (dtac lemma 1);
|
|
46 |
by (assume_tac 2);
|
|
47 |
by (Blast_tac 1);
|
|
48 |
by (Blast_tac 1);
|
|
49 |
qed "WhileRule'";
|
|
50 |
|
|
51 |
Goal
|
|
52 |
"p <= i ==> Valid (i Int b) c i ==> i Int (-b) <= q \
|
|
53 |
\ ==> Valid p (While b i c) q";
|
|
54 |
by (rtac WhileRule' 1);
|
|
55 |
by (ALLGOALS assume_tac);
|
|
56 |
qed "WhileRule";
|
|
57 |
|
|
58 |
(*** The tactics ***)
|
|
59 |
|
|
60 |
(*****************************************************************************)
|
|
61 |
(** The function Mset makes the theorem **)
|
|
62 |
(** "?Mset <= {(x1,...,xn). ?P (x1,...,xn)} ==> ?Mset <= {s. ?P s}", **)
|
|
63 |
(** where (x1,...,xn) are the variables of the particular program we are **)
|
|
64 |
(** working on at the moment of the call **)
|
|
65 |
(*****************************************************************************)
|
|
66 |
|
|
67 |
local open HOLogic in
|
|
68 |
|
|
69 |
(** maps (%x1 ... xn. t) to [x1,...,xn] **)
|
|
70 |
fun abs2list (Const ("split",_) $ (Abs(x,T,t))) = Free (x, T)::abs2list t
|
|
71 |
| abs2list (Abs(x,T,t)) = [Free (x, T)]
|
|
72 |
| abs2list _ = [];
|
|
73 |
|
|
74 |
(** maps {(x1,...,xn). t} to [x1,...,xn] **)
|
|
75 |
fun mk_vars (Const ("Collect",_) $ T) = abs2list T
|
|
76 |
| mk_vars _ = [];
|
|
77 |
|
|
78 |
(** abstraction of body over a tuple formed from a list of free variables.
|
|
79 |
Types are also built **)
|
|
80 |
fun mk_abstupleC [] body = absfree ("x", unitT, body)
|
|
81 |
| mk_abstupleC (v::w) body = let val (n,T) = dest_Free v
|
|
82 |
in if w=[] then absfree (n, T, body)
|
|
83 |
else let val z = mk_abstupleC w body;
|
|
84 |
val T2 = case z of Abs(_,T,_) => T
|
|
85 |
| Const (_, Type (_,[_, Type (_,[T,_])])) $ _ => T;
|
|
86 |
in Const ("split", (T --> T2 --> boolT) --> mk_prodT (T,T2) --> boolT)
|
|
87 |
$ absfree (n, T, z) end end;
|
|
88 |
|
|
89 |
(** maps [x1,...,xn] to (x1,...,xn) and types**)
|
|
90 |
fun mk_bodyC [] = HOLogic.unit
|
|
91 |
| mk_bodyC (x::xs) = if xs=[] then x
|
|
92 |
else let val (n, T) = dest_Free x ;
|
|
93 |
val z = mk_bodyC xs;
|
|
94 |
val T2 = case z of Free(_, T) => T
|
|
95 |
| Const ("Pair", Type ("fun", [_, Type
|
|
96 |
("fun", [_, T])])) $ _ $ _ => T;
|
|
97 |
in Const ("Pair", [T, T2] ---> mk_prodT (T, T2)) $ x $ z end;
|
|
98 |
|
|
99 |
fun dest_Goal (Const ("Goal", _) $ P) = P;
|
|
100 |
|
|
101 |
(** maps a goal of the form:
|
|
102 |
1. [| P |] ==> |- VARS x1 ... xn. {._.} _ {._.} or to [x1,...,xn]**)
|
|
103 |
fun get_vars thm = let val c = dest_Goal (concl_of (thm));
|
|
104 |
val d = Logic.strip_assums_concl c;
|
|
105 |
val Const _ $ pre $ _ $ _ = dest_Trueprop d;
|
|
106 |
in mk_vars pre end;
|
|
107 |
|
|
108 |
|
|
109 |
(** Makes Collect with type **)
|
|
110 |
fun mk_CollectC trm = let val T as Type ("fun",[t,_]) = fastype_of trm
|
|
111 |
in Collect_const t $ trm end;
|
|
112 |
|
|
113 |
fun inclt ty = Const ("op <=", [ty,ty] ---> boolT);
|
|
114 |
|
|
115 |
(** Makes "Mset <= t" **)
|
|
116 |
fun Mset_incl t = let val MsetT = fastype_of t
|
|
117 |
in mk_Trueprop ((inclt MsetT) $ Free ("Mset", MsetT) $ t) end;
|
|
118 |
|
|
119 |
|
|
120 |
fun Mset thm = let val vars = get_vars(thm);
|
|
121 |
val varsT = fastype_of (mk_bodyC vars);
|
|
122 |
val big_Collect = mk_CollectC (mk_abstupleC vars
|
|
123 |
(Free ("P",varsT --> boolT) $ mk_bodyC vars));
|
|
124 |
val small_Collect = mk_CollectC (Abs("x",varsT,
|
|
125 |
Free ("P",varsT --> boolT) $ Bound 0));
|
|
126 |
val impl = implies $ (Mset_incl big_Collect) $
|
|
127 |
(Mset_incl small_Collect);
|
|
128 |
in Tactic.prove (Thm.sign_of_thm thm) ["Mset", "P"] [] impl (K (CLASET' blast_tac 1)) end;
|
|
129 |
|
|
130 |
end;
|
|
131 |
|
|
132 |
|
|
133 |
(*****************************************************************************)
|
|
134 |
(** Simplifying: **)
|
|
135 |
(** Some useful lemmata, lists and simplification tactics to control which **)
|
|
136 |
(** theorems are used to simplify at each moment, so that the original **)
|
|
137 |
(** input does not suffer any unexpected transformation **)
|
|
138 |
(*****************************************************************************)
|
|
139 |
|
|
140 |
Goal "-(Collect b) = {x. ~(b x)}";
|
|
141 |
by (Fast_tac 1);
|
|
142 |
qed "Compl_Collect";
|
|
143 |
|
|
144 |
|
|
145 |
(**Simp_tacs**)
|
|
146 |
|
|
147 |
val before_set2pred_simp_tac =
|
|
148 |
(simp_tac (HOL_basic_ss addsimps [Collect_conj_eq RS sym,Compl_Collect]));
|
|
149 |
|
|
150 |
val split_simp_tac = (simp_tac (HOL_basic_ss addsimps [split_conv]));
|
|
151 |
|
|
152 |
(*****************************************************************************)
|
|
153 |
(** set2pred transforms sets inclusion into predicates implication, **)
|
|
154 |
(** maintaining the original variable names. **)
|
|
155 |
(** Ex. "{x. x=0} <= {x. x <= 1}" -set2pred-> "x=0 --> x <= 1" **)
|
|
156 |
(** Subgoals containing intersections (A Int B) or complement sets (-A) **)
|
|
157 |
(** are first simplified by "before_set2pred_simp_tac", that returns only **)
|
|
158 |
(** subgoals of the form "{x. P x} <= {x. Q x}", which are easily **)
|
|
159 |
(** transformed. **)
|
|
160 |
(** This transformation may solve very easy subgoals due to a ligth **)
|
|
161 |
(** simplification done by (split_all_tac) **)
|
|
162 |
(*****************************************************************************)
|
|
163 |
|
|
164 |
fun set2pred i thm = let fun mk_string [] = ""
|
|
165 |
| mk_string (x::xs) = x^" "^mk_string xs;
|
|
166 |
val vars=get_vars(thm);
|
|
167 |
val var_string = mk_string (map (fst o dest_Free) vars);
|
|
168 |
in ((before_set2pred_simp_tac i) THEN_MAYBE
|
|
169 |
(EVERY [rtac subsetI i,
|
|
170 |
rtac CollectI i,
|
|
171 |
dtac CollectD i,
|
|
172 |
(TRY(split_all_tac i)) THEN_MAYBE
|
|
173 |
((rename_tac var_string i) THEN
|
|
174 |
(full_simp_tac (HOL_basic_ss addsimps [split_conv]) i)) ])) thm
|
|
175 |
end;
|
|
176 |
|
|
177 |
(*****************************************************************************)
|
|
178 |
(** BasicSimpTac is called to simplify all verification conditions. It does **)
|
|
179 |
(** a light simplification by applying "mem_Collect_eq", then it calls **)
|
|
180 |
(** MaxSimpTac, which solves subgoals of the form "A <= A", **)
|
|
181 |
(** and transforms any other into predicates, applying then **)
|
|
182 |
(** the tactic chosen by the user, which may solve the subgoal completely. **)
|
|
183 |
(*****************************************************************************)
|
|
184 |
|
|
185 |
fun MaxSimpTac tac = FIRST'[rtac subset_refl, set2pred THEN_MAYBE' tac];
|
|
186 |
|
|
187 |
fun BasicSimpTac tac =
|
|
188 |
simp_tac
|
|
189 |
(HOL_basic_ss addsimps [mem_Collect_eq,split_conv] addsimprocs [record_simproc])
|
|
190 |
THEN_MAYBE' MaxSimpTac tac;
|
|
191 |
|
|
192 |
(** HoareRuleTac **)
|
|
193 |
|
|
194 |
fun WlpTac Mlem tac i = rtac SeqRule i THEN HoareRuleTac Mlem tac false (i+1)
|
|
195 |
and HoareRuleTac Mlem tac pre_cond i st = st |>
|
|
196 |
(*abstraction over st prevents looping*)
|
|
197 |
( (WlpTac Mlem tac i THEN HoareRuleTac Mlem tac pre_cond i)
|
|
198 |
ORELSE
|
|
199 |
(FIRST[rtac SkipRule i,
|
|
200 |
EVERY[rtac BasicRule i,
|
|
201 |
rtac Mlem i,
|
|
202 |
split_simp_tac i],
|
|
203 |
EVERY[rtac CondRule i,
|
|
204 |
HoareRuleTac Mlem tac false (i+2),
|
|
205 |
HoareRuleTac Mlem tac false (i+1)],
|
|
206 |
EVERY[rtac WhileRule i,
|
|
207 |
BasicSimpTac tac (i+2),
|
|
208 |
HoareRuleTac Mlem tac true (i+1)] ]
|
|
209 |
THEN (if pre_cond then (BasicSimpTac tac i) else (rtac subset_refl i)) ));
|
|
210 |
|
|
211 |
|
|
212 |
(** tac:(int -> tactic) is the tactic the user chooses to solve or simplify **)
|
|
213 |
(** the final verification conditions **)
|
|
214 |
|
|
215 |
fun hoare_tac tac i thm =
|
|
216 |
let val Mlem = Mset(thm)
|
|
217 |
in SELECT_GOAL(EVERY[HoareRuleTac Mlem tac true 1]) i thm end;
|