isabelle: src/HOL/MicroJava/BV/LBVCorrect.thy@63f3e98df2a4 (annotated)

9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	1	(* Title: HOL/MicroJava/BV/BVLCorrect.thy
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	2	ID: $Id$
6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	3	Author: Gerwin Klein
6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	4	Copyright 1999 Technische Universitaet Muenchen
9054 0e48e7d4d4f9 minor tuning for pdf documents kleing parents: 9012 diff changeset	5	*)
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	6
9054 0e48e7d4d4f9 minor tuning for pdf documents kleing parents: 9012 diff changeset	7	header {* Correctness of the LBV *}
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	8
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	9	theory LBVCorrect = BVSpec + LBVSpec:
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	10
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	11	lemmas [simp del] = split_paired_Ex split_paired_All
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	12
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	13	constdefs
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	14	fits :: "[method_type,instr list,jvm_prog,ty,state_type option,nat,certificate] => bool"
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	15	"fits phi is G rT s0 maxs cert ==
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	16	(\<forall>pc s1. pc < length is -->
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	17	(wtl_inst_list (take pc is) G rT cert maxs (length is) 0 s0 = OK s1 -->
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	18	(case cert!pc of None => phi!pc = s1
7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	19	\| Some t => phi!pc = Some t)))"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	20
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	21	constdefs
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	22	make_phi :: "[instr list,jvm_prog,ty,state_type option,nat,certificate] => method_type"
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	23	"make_phi is G rT s0 maxs cert ==
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	24	map (\<lambda>pc. case cert!pc of
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	25	None => ok_val (wtl_inst_list (take pc is) G rT cert maxs (length is) 0 s0)
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	26	\| Some t => Some t) [0..length is(]"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	27
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	28
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	29	lemma fitsD_None:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	30	"[\|fits phi is G rT s0 mxs cert; pc < length is;
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	31	wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s0 = OK s1;
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	32	cert ! pc = None\|] ==> phi!pc = s1"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	33	by (auto simp add: fits_def)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	34
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	35	lemma fitsD_Some:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	36	"[\|fits phi is G rT s0 mxs cert; pc < length is;
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	37	wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s0 = OK s1;
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	38	cert ! pc = Some t\|] ==> phi!pc = Some t"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	39	by (auto simp add: fits_def)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	40
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	41	lemma make_phi_Some:
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	42	"[\| pc < length is; cert!pc = Some t \|] ==>
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	43	make_phi is G rT s0 mxs cert ! pc = Some t"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	44	by (simp add: make_phi_def)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	45
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	46	lemma make_phi_None:
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	47	"[\| pc < length is; cert!pc = None \|] ==>
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	48	make_phi is G rT s0 mxs cert ! pc =
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	49	ok_val (wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s0)"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	50	by (simp add: make_phi_def)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	51
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	52	lemma exists_phi:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	53	"\<exists>phi. fits phi is G rT s0 mxs cert"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	54	proof -
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	55	have "fits (make_phi is G rT s0 mxs cert) is G rT s0 mxs cert"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	56	by (auto simp add: fits_def make_phi_Some make_phi_None
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	57	split: option.splits)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	58
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	59	thus ?thesis
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	60	by blast
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	61	qed
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	62
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	63	lemma fits_lemma1:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	64	"[\| wtl_inst_list is G rT cert mxs (length is) 0 s = OK s'; fits phi is G rT s mxs cert \|]
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	65	==> \<forall>pc t. pc < length is --> cert!pc = Some t --> phi!pc = Some t"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	66	proof (intro strip)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	67	fix pc t
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	68	assume "wtl_inst_list is G rT cert mxs (length is) 0 s = OK s'"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	69	then
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	70	obtain s'' where
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	71	"wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s = OK s''"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	72	by (blast dest: wtl_take)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	73	moreover
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	74	assume "fits phi is G rT s mxs cert"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	75	"pc < length is"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	76	"cert ! pc = Some t"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	77	ultimately
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	78	show "phi!pc = Some t" by (auto dest: fitsD_Some)
9580 d955914193e0 tuned kleing parents: 9549 diff changeset	79	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	80
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	81
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	82	lemma wtl_suc_pc:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	83	"[\| wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err;
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	84	wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s = OK s';
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	85	wtl_cert (is!pc) G rT s' cert mxs (length is) pc = OK s'';
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	86	fits phi is G rT s mxs cert; Suc pc < length is \|] ==>
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	87	G \<turnstile> s'' <=' phi ! Suc pc"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	88	proof -
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	89
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	90	assume all: "wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err"
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	91	assume fits: "fits phi is G rT s mxs cert"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	92
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	93	assume wtl: "wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s = OK s'" and
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	94	wtc: "wtl_cert (is!pc) G rT s' cert mxs (length is) pc = OK s''" and
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	95	pc: "Suc pc < length is"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	96
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	97	hence wts: "wtl_inst_list (take (Suc pc) is) G rT cert mxs (length is) 0 s = OK s''"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	98	by (rule wtl_Suc)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	99
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	100	from all
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	101	have app:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	102	"wtl_inst_list (take (Suc pc) is@drop (Suc pc) is) G rT cert mxs (length is) 0 s \<noteq> Err"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	103	by simp
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	104
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	105	from pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	106	have "0 < length (drop (Suc pc) is)"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	107	by simp
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	108	then
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	109	obtain l ls where
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	110	"drop (Suc pc) is = l#ls"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	111	by (auto simp add: neq_Nil_conv simp del: length_drop)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	112	with app wts pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	113	obtain x where
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	114	"wtl_cert l G rT s'' cert mxs (length is) (Suc pc) = OK x"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	115	by (auto simp add: wtl_append min_def simp del: append_take_drop_id)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	116
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	117	hence c1: "!!t. cert!Suc pc = Some t ==> G \<turnstile> s'' <=' cert!Suc pc"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	118	by (simp add: wtl_cert_def split: if_splits)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	119	moreover
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	120	from fits pc wts
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	121	have c2: "!!t. cert!Suc pc = Some t ==> phi!Suc pc = cert!Suc pc"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	122	by - (drule fitsD_Some, auto)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	123	moreover
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	124	from fits pc wts
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	125	have c3: "cert!Suc pc = None ==> phi!Suc pc = s''"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	126	by (rule fitsD_None)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	127	ultimately
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	128
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	129	show ?thesis
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	130	by - (cases "cert ! Suc pc", auto)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	131	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	132
9376 c32c5696ec2a flat instruction set kleing parents: 9260 diff changeset	133
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	134	lemma wtl_fits_wt:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	135	"[\| wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err;
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	136	fits phi is G rT s mxs cert; pc < length is \|] ==>
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	137	wt_instr (is!pc) G rT phi mxs (length is) pc"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	138	proof -
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	139
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	140	assume fits: "fits phi is G rT s mxs cert"
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	141
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	142	assume pc: "pc < length is" and
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	143	wtl: "wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	144
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	145	then
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	146	obtain s' s'' where
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	147	w: "wtl_inst_list (take pc is) G rT cert mxs (length is) 0 s = OK s'" and
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	148	c: "wtl_cert (is!pc) G rT s' cert mxs (length is) pc = OK s''"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	149	by - (drule wtl_all, auto)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	150
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	151	from fits wtl pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	152	have cert_Some:
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	153	"!!t pc. [\| pc < length is; cert!pc = Some t \|] ==> phi!pc = Some t"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	154	by (auto dest: fits_lemma1)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	155
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	156	from fits wtl pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	157	have cert_None: "cert!pc = None ==> phi!pc = s'"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	158	by - (drule fitsD_None)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	159
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	160	from pc c cert_None cert_Some
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	161	have wti: "wtl_inst (is ! pc) G rT (phi!pc) cert mxs (length is) pc = OK s''"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	162	by (auto simp add: wtl_cert_def split: if_splits option.splits)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	163
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	164	{ fix pc'
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	165	assume pc': "pc' \<in> set (succs (is!pc) pc)"
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	166
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	167	with wti
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	168	have less: "pc' < length is"
10496 f2d304bdf3cc BCV integration (first step) kleing parents: 10042 diff changeset	169	by (simp add: wtl_inst_OK)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	170
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	171	have "G \<turnstile> step (is!pc) G (phi!pc) <=' phi ! pc'"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	172	proof (cases "pc' = Suc pc")
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	173	case False
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	174	with wti pc'
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	175	have G: "G \<turnstile> step (is ! pc) G (phi ! pc) <=' cert ! pc'"
10496 f2d304bdf3cc BCV integration (first step) kleing parents: 10042 diff changeset	176	by (simp add: wtl_inst_OK)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	177
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	178	hence "cert!pc' = None ==> step (is ! pc) G (phi ! pc) = None"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	179	by simp
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	180	hence "cert!pc' = None ==> ?thesis"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	181	by simp
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	182
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	183	moreover
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	184	{ fix t
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	185	assume "cert!pc' = Some t"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	186	with less
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	187	have "phi!pc' = cert!pc'"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	188	by (simp add: cert_Some)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	189	with G
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	190	have ?thesis
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	191	by simp
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	192	}
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	193
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	194	ultimately
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	195	show ?thesis by blast
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	196	next
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	197	case True
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	198	with pc' wti
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	199	have "step (is ! pc) G (phi ! pc) = s''"
10496 f2d304bdf3cc BCV integration (first step) kleing parents: 10042 diff changeset	200	by (simp add: wtl_inst_OK)
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	201	also
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	202	from w c fits pc wtl
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	203	have "Suc pc < length is ==> G \<turnstile> s'' <=' phi ! Suc pc"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	204	by - (drule wtl_suc_pc)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	205	with True less
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	206	have "G \<turnstile> s'' <=' phi ! Suc pc"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	207	by blast
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	208	finally
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	209	show ?thesis
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	210	by (simp add: True)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	211	qed
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	212	}
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	213
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	214	with wti
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	215	show ?thesis
10496 f2d304bdf3cc BCV integration (first step) kleing parents: 10042 diff changeset	216	by (auto simp add: wtl_inst_OK wt_instr_def)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	217	qed
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	218
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	219
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	220
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	221	lemma fits_first:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	222	"[\| 0 < length is; wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err;
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	223	fits phi is G rT s mxs cert \|] ==>
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	224	G \<turnstile> s <=' phi ! 0"
9580 d955914193e0 tuned kleing parents: 9549 diff changeset	225	proof -
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	226	assume wtl: "wtl_inst_list is G rT cert mxs (length is) 0 s \<noteq> Err"
fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	227	assume fits: "fits phi is G rT s mxs cert"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	228	assume pc: "0 < length is"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	229
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	230	from wtl
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	231	have wt0: "wtl_inst_list (take 0 is) G rT cert mxs (length is) 0 s = OK s"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	232	by simp
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	233
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	234	with fits pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	235	have "cert!0 = None ==> phi!0 = s"
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	236	by (rule fitsD_None)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	237	moreover
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	238	from fits pc wt0
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	239	have "!!t. cert!0 = Some t ==> phi!0 = cert!0"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	240	by - (drule fitsD_Some, auto)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	241	moreover
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	242	from pc
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	243	obtain x xs where "is = x#xs"
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	244	by (simp add: neq_Nil_conv) (elim, rule that)
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	245	with wtl
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	246	obtain s' where
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	247	"wtl_cert x G rT s cert mxs (length is) 0 = OK s'"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	248	by simp (elim, rule that, simp)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	249	hence
10042 7164dc0d24d8 unsymbolized kleing parents: 9970 diff changeset	250	"!!t. cert!0 = Some t ==> G \<turnstile> s <=' cert!0"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	251	by (simp add: wtl_cert_def split: if_splits)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	252
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	253	ultimately
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	254	show ?thesis
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	255	by - (cases "cert!0", auto)
1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	256	qed
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	257
8245 6acc80f7f36f lightweight bytecode verifier with correctness proof kleing parents: diff changeset	258
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	259	lemma wtl_method_correct:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	260	"wtl_method G C pTs rT mxs mxl ins cert ==> \<exists> phi. wt_method G C pTs rT mxs mxl ins phi"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	261	proof (unfold wtl_method_def, simp only: Let_def, elim conjE)
10496 f2d304bdf3cc BCV integration (first step) kleing parents: 10042 diff changeset	262	let "?s0" = "Some ([], OK (Class C) # map OK pTs @ replicate mxl Err)"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	263	assume pc: "0 < length ins"
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	264	assume wtl: "wtl_inst_list ins G rT cert mxs (length ins) 0 ?s0 \<noteq> Err"
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	265
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	266	obtain phi where fits: "fits phi ins G rT ?s0 mxs cert"
9941 fe05af7ec816 renamed atts: rulify to rule_format, elimify to elim_format; wenzelm parents: 9906 diff changeset	267	by (rule exists_phi [elim_format]) blast
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	268
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	269	with wtl
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	270	have allpc:
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	271	"\<forall>pc. pc < length ins --> wt_instr (ins ! pc) G rT phi mxs (length ins) pc"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	272	by (blast intro: wtl_fits_wt)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	273
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	274	from pc wtl fits
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	275	have "wt_start G C pTs mxl phi"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	276	by (unfold wt_start_def) (rule fits_first)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	277
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	278	with pc allpc
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	279	show ?thesis by (auto simp add: wt_method_def)
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	280	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	281
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	282
d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	283	theorem wtl_correct:
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	284	"wtl_jvm_prog G cert ==> \<exists> Phi. wt_jvm_prog G Phi"
11085 b830bf10bf71 tuned for 99-2 release kleing parents: 10812 diff changeset	285	proof -
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	286	assume wtl: "wtl_jvm_prog G cert"
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	287
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	288	let ?Phi = "\<lambda>C sig. let (C,rT,(maxs,maxl,ins)) = the (method (G,C) sig) in
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	289	SOME phi. wt_method G C (snd sig) rT maxs maxl ins phi"
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	290
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	291	{ fix C S fs mdecls sig rT code
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	292	assume "(C,S,fs,mdecls) \<in> set G" "(sig,rT,code) \<in> set mdecls"
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	293	moreover
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	294	from wtl obtain wf_mb where "wf_prog wf_mb G"
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	295	by (auto simp add: wtl_jvm_prog_def)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	296	ultimately
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	297	have "method (G,C) sig = Some (C,rT,code)"
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	298	by (simp add: methd)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	299	} note this [simp]
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	300
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	301	from wtl
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	302	have "wt_jvm_prog G ?Phi"
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	303	apply (clarsimp simp add: wt_jvm_prog_def wtl_jvm_prog_def wf_prog_def wf_cdecl_def)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	304	apply (drule bspec, assumption)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	305	apply (clarsimp simp add: wf_mdecl_def)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	306	apply (drule bspec, assumption)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	307	apply (clarsimp dest!: wtl_method_correct)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	308	apply (rule someI, assumption)
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	309	done
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8390 diff changeset	310
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	311	thus ?thesis
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	312	by blast
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	313	qed
4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	314
10812 ead84e90bfeb merged semilattice orders with <=' from Convert.thy (now defined in JVMType.thy) kleing parents: 10628 diff changeset	315	end

author	nipkow
	Tue, 27 Feb 2001 23:25:47 +0100
changeset 11186	63f3e98df2a4
parent 11085	b830bf10bf71
child 12389	23bd419144eb
permissions	-rw-r--r--