src/HOL/Isar_Examples/Hoare_Ex.thy
author wenzelm
Wed, 04 Nov 2015 23:27:00 +0100
changeset 61578 6623c81cb15a
parent 61541 846c72206207
child 61799 4cf66f21b764
permissions -rw-r--r--
avoid ligatures;
section \<open>Using Hoare Logic\<close>

(* Worked examples for the Hoare logic formalised in theory Hoare (imported
   below): single assignments, sequential composition, WHILE loops with
   invariants, and a final example that charges execution time.
   NOTE(review): every statement in this theory is a \<turnstile>-triple of that
   logic; presumably this is partial correctness (nothing is claimed about
   termination) -- confirm against the definition of Valid in Hoare.thy. *)
theory Hoare_Ex
imports Hoare
begin

subsection \<open>State spaces\<close>

text \<open>First of all we provide a store of program variables that occur in any
  of the programs considered later. Slightly unexpected things may happen
  when attempting to work with undeclared variables.\<close>

(* The program state is an Isabelle record: each field is one program
   variable, all of type nat here.  The \<acute>X notation in the triples
   below reads field X of the current state, and assignments work through
   the generated X_update functions (the first lemma of the next subsection
   spells this out).  Only these four names are program variables; a name
   that is not a field (see the "oops" lemmas later on) presumably stays an
   ordinary free variable with no assignment semantics attached. *)
record vars =
  I :: nat
  M :: nat
  N :: nat
  S :: nat

text \<open>While all of our variables happen to have the same type, nothing would
  prevent us from working with many-sorted programs as well, or even
  polymorphic ones. Also note that Isabelle/HOL's extensible record types
  even provide simple means to extend the state space later.\<close>

subsection \<open>Basic examples\<close>
text \<open>We look at a few trivialities involving assignment and sequential
  composition, in order to get an idea of how to work with our formulation
  of Hoare Logic.\<close>

text \<open>Using the basic \<open>assign\<close> rule directly is a bit
  cumbersome.\<close>

(* The raw assign rule: the precondition must literally say "the state
   obtained by applying N_update lies in the postcondition set".  Nothing
   is simplified, which is why the statement looks so clumsy; the hoare
   method used from the next lemma on does this substitution for us. *)
lemma "\<turnstile> \<lbrace>\<acute>(N_update (\<lambda>_. (2 * \<acute>N))) \<in> \<lbrace>\<acute>N = 10\<rbrace>\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
  by (rule assign)

text \<open>Certainly we want the state modification already done, e.g.\ by
  simplification. The \<open>hoare\<close> method performs the basic state update for us;
  we may apply the Simplifier afterwards to achieve ``obvious'' consequences
  as well.\<close>

(* Single assignments.  Where the precondition is written exactly as the
   postcondition with the assigned expression substituted in (2 * N = 10,
   N + 1 = a + 1), hoare alone closes the goal; where it is written in the
   simplified form a reader would use (N = 5, N = a), simp is needed after
   hoare to bridge the arithmetic. *)
lemma "\<turnstile> \<lbrace>True\<rbrace> \<acute>N := 10 \<lbrace>\<acute>N = 10\<rbrace>"
  by hoare

lemma "\<turnstile> \<lbrace>2 * \<acute>N = 10\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
  by hoare

lemma "\<turnstile> \<lbrace>\<acute>N = 5\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
  by hoare simp

lemma "\<turnstile> \<lbrace>\<acute>N + 1 = a + 1\<rbrace> \<acute>N := \<acute>N + 1 \<lbrace>\<acute>N = a + 1\<rbrace>"
  by hoare

lemma "\<turnstile> \<lbrace>\<acute>N = a\<rbrace> \<acute>N := \<acute>N + 1 \<lbrace>\<acute>N = a + 1\<rbrace>"
  by hoare simp

(* Sequential composition.  The last lemma swaps M and N through the
   temporary I.  Note that its postcondition says nothing about I, so the
   triple does not constrain the value I is left with: a Hoare triple only
   promises what its postcondition mentions. *)
lemma "\<turnstile> \<lbrace>a = a \<and> b = b\<rbrace> \<acute>M := a; \<acute>N := b \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>"
  by hoare

lemma "\<turnstile> \<lbrace>True\<rbrace> \<acute>M := a; \<acute>N := b \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>"
  by hoare

lemma
  "\<turnstile> \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>
      \<acute>I := \<acute>M; \<acute>M := \<acute>N; \<acute>N := \<acute>I
      \<lbrace>\<acute>M = b \<and> \<acute>N = a\<rbrace>"
  by hoare simp

text \<open>It is important to note that statements like the following one can
  only be proven for each individual program variable. Due to the
  extra-logical nature of record fields, we cannot formulate a theorem
  relating record selectors and updates schematically.\<close>

(* The no-op assignment N := N, for a declared field: provable. *)
lemma "\<turnstile> \<lbrace>\<acute>N = a\<rbrace> \<acute>N := \<acute>N \<lbrace>\<acute>N = a\<rbrace>"
  by hoare

(* The same statement for x, which is not a field of vars.  Both attempts
   below are abandoned with oops: they are NOT theorems of this theory and
   must not be cited as such.  Presumably x and x_update are plain free
   variables here, so no selector/update law relates them and the goal is
   not provable.
   NOTE(review): the second statement reads "x s = n" in its postcondition
   where the first has "a", so it is not literally the same statement
   despite its comment -- harmless only because the proof is abandoned. *)
lemma "\<turnstile> \<lbrace>\<acute>x = a\<rbrace> \<acute>x := \<acute>x \<lbrace>\<acute>x = a\<rbrace>"
  oops

lemma
  "Valid {s. x s = a} (Basic (\<lambda>s. x_update (x s) s)) {s. x s = n}"
  -- \<open>same statement without concrete syntax\<close>
  oops

text \<open>In the following assignments we make use of the consequence rule in
  order to achieve the intended precondition. Certainly, the \<open>hoare\<close> method
  is able to handle this case, too.\<close>

(* Consequence rule by calculational reasoning: an inclusion between
   assertion sets (proved by auto) is chained with a triple (proved by
   hoare) through also/finally; \<dots> abbreviates the right-hand side of the
   preceding step. *)
lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
proof -
  (* strengthen the precondition to what the assignment needs *)
  have "\<lbrace>\<acute>M = \<acute>N\<rbrace> \<subseteq> \<lbrace>\<acute>M + 1 \<noteq> \<acute>N\<rbrace>"
    by auto
  also have "\<turnstile> \<dots> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
    by hoare
  finally show ?thesis .
qed

(* Same as the previous lemma, but the inclusion step is stated as an
   implication over plain nat variables m n rather than as a subset of the
   state space; the calculation still combines it with the hoare step. *)
lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
proof -
  have "m = n \<longrightarrow> m + 1 \<noteq> n" for m n :: nat
      -- \<open>inclusion of assertions expressed in ``pure'' logic,\<close>
      -- \<open>without mentioning the state space\<close>
    by simp
  also have "\<turnstile> \<lbrace>\<acute>M + 1 \<noteq> \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
    by hoare
  finally show ?thesis .
qed

(* The automatic version of the two proofs above: hoare leaves the logical
   side condition, simp discharges it. *)
lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
  by hoare simp

subsection \<open>Multiplication by addition\<close>
text \<open>We now do some basic examples of actual \<^verbatim>\<open>WHILE\<close> programs. This one is
  a loop for calculating the product of two natural numbers, by iterated
  addition. We first give a detailed structured proof based on single-step
  Hoare rules.\<close>

(* Product a * b by repeated addition, proved with the single-step rules.
   Loop invariant: S = M * b.  It holds initially (M = S = 0), is preserved
   by one iteration of the body ?c while the guard M \<noteq> a holds, and on exit
   the negated guard gives M = a, hence S = a * b.
   NOTE(review): presumably a partial-correctness triple, so termination is
   not part of the claim; here the loop terminates anyway since M counts up
   from 0 towards a. *)
lemma
  "\<turnstile> \<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace>
      WHILE \<acute>M \<noteq> a
      DO \<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1 OD
      \<lbrace>\<acute>S = a * b\<rbrace>"
proof -
  (* name the loop and the invariant by pattern matching on the goal *)
  let "\<turnstile> _ ?while _" = ?thesis
  let "\<lbrace>\<acute>?inv\<rbrace>" = "\<lbrace>\<acute>S = \<acute>M * b\<rbrace>"

  (* initialisation: the precondition implies the invariant *)
  have "\<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace> \<subseteq> \<lbrace>\<acute>?inv\<rbrace>" by auto
  (* the loop preserves the invariant and exits with the guard false *)
  also have "\<turnstile> \<dots> ?while \<lbrace>\<acute>?inv \<and> \<not> (\<acute>M \<noteq> a)\<rbrace>"
  proof
    let ?c = "\<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1"
    (* invariant and guard imply the substituted invariant for the body *)
    have "\<lbrace>\<acute>?inv \<and> \<acute>M \<noteq> a\<rbrace> \<subseteq> \<lbrace>\<acute>S + b = (\<acute>M + 1) * b\<rbrace>"
      by auto
    also have "\<turnstile> \<dots> ?c \<lbrace>\<acute>?inv\<rbrace>" by hoare
    finally show "\<turnstile> \<lbrace>\<acute>?inv \<and> \<acute>M \<noteq> a\<rbrace> ?c \<lbrace>\<acute>?inv\<rbrace>" .
  qed
  (* exit: invariant plus negated guard give the postcondition *)
  also have "\<dots> \<subseteq> \<lbrace>\<acute>S = a * b\<rbrace>" by auto
  finally show ?thesis .
qed

text \<open>The subsequent version of the proof applies the \<open>hoare\<close> method to
  reduce the Hoare statement to a purely logical problem that can be solved
  fully automatically. Note that we have to specify the \<^verbatim>\<open>WHILE\<close> loop
  invariant in the original statement.\<close>

(* Same program and specification as above; the invariant S = M * b is now
   annotated as INV in the program text, so hoare can reduce the triple to
   logical goals that auto finishes. *)
lemma
  "\<turnstile> \<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace>
      WHILE \<acute>M \<noteq> a
      INV \<lbrace>\<acute>S = \<acute>M * b\<rbrace>
      DO \<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1 OD
      \<lbrace>\<acute>S = a * b\<rbrace>"
  by hoare auto

subsection \<open>Summing natural numbers\<close>
text \<open>We verify an imperative program to sum natural numbers up to a given
  limit. First some functional definitions for proper specification of the
  problem.

  \<^medskip>
  The following proof is quite explicit in the individual steps taken, with
  the \<open>hoare\<close> method only applied locally to take care of assignment and
  sequential composition. Note that we express intermediate proof obligations
  in pure logic, without referring to the state space.\<close>

(* Sum of the naturals below n.  The postcondition is \<Sum>j<n. j, i.e.
   0 + 1 + ... + (n - 1): the limit n itself is excluded.  Invariant
   ?inv s i, i.e. s = ?sum i, is established by S := 0; I := 1 because
   ?sum 1 = 0, preserved by the loop body, and combined with the negated
   guard (i = n) gives the postcondition.
   NOTE(review): presumably a partial-correctness triple -- for n = 0 the
   loop never exits (I starts at 1 and only increases), yet the statement
   is provable; confirm against Valid in Hoare.thy before reading it as a
   termination guarantee. *)
theorem
  "\<turnstile> \<lbrace>True\<rbrace>
      \<acute>S := 0; \<acute>I := 1;
      WHILE \<acute>I \<noteq> n
      DO
        \<acute>S := \<acute>S + \<acute>I;
        \<acute>I := \<acute>I + 1
      OD
      \<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
  (is "\<turnstile> _ (_; ?while) _")
proof -
  (* the specification function and the invariant, as plain HOL terms *)
  let ?sum = "\<lambda>k::nat. \<Sum>j<k. j"
  let ?inv = "\<lambda>s i::nat. s = ?sum i"

  (* initialisation establishes the invariant *)
  have "\<turnstile> \<lbrace>True\<rbrace> \<acute>S := 0; \<acute>I := 1 \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
  proof -
    have "True \<longrightarrow> 0 = ?sum 1"
      by simp
    also have "\<turnstile> \<lbrace>\<dots>\<rbrace> \<acute>S := 0; \<acute>I := 1 \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
      by hoare
    finally show ?thesis .
  qed
  (* the loop preserves the invariant; exits with the guard false *)
  also have "\<turnstile> \<dots> ?while \<lbrace>?inv \<acute>S \<acute>I \<and> \<not> \<acute>I \<noteq> n\<rbrace>"
  proof
    let ?body = "\<acute>S := \<acute>S + \<acute>I; \<acute>I := \<acute>I + 1"
    (* preservation stated in pure logic over s i, then lifted via hoare *)
    have "?inv s i \<and> i \<noteq> n \<longrightarrow> ?inv (s + i) (i + 1)" for s i
      by simp
    also have "\<turnstile> \<lbrace>\<acute>S + \<acute>I = ?sum (\<acute>I + 1)\<rbrace> ?body \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
      by hoare
    finally show "\<turnstile> \<lbrace>?inv \<acute>S \<acute>I \<and> \<acute>I \<noteq> n\<rbrace> ?body \<lbrace>?inv \<acute>S \<acute>I\<rbrace>" .
  qed
  (* exit condition: invariant and i = n give the postcondition *)
  also have "s = ?sum i \<and> \<not> i \<noteq> n \<longrightarrow> s = ?sum n" for s i
    by simp
  finally show ?thesis .
qed

text \<open>The next version uses the \<open>hoare\<close> method, while still explaining the
  resulting proof obligations in an abstract, structured manner.\<close>

(* Same program, invariant annotated as INV.  Using hoare as the initial
   method of the proof leaves exactly the three logical goals shown below
   (initialisation, preservation, exit), each discharged by simp; "if ...
   for" names the goal's assumption "that". *)
theorem
  "\<turnstile> \<lbrace>True\<rbrace>
      \<acute>S := 0; \<acute>I := 1;
      WHILE \<acute>I \<noteq> n
      INV \<lbrace>\<acute>S = (\<Sum>j<\<acute>I. j)\<rbrace>
      DO
        \<acute>S := \<acute>S + \<acute>I;
        \<acute>I := \<acute>I + 1
      OD
      \<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
proof -
  let ?sum = "\<lambda>k::nat. \<Sum>j<k. j"
  let ?inv = "\<lambda>s i::nat. s = ?sum i"
  show ?thesis
  proof hoare
    (* initialisation: S = 0, I = 1 satisfies the invariant *)
    show "?inv 0 1" by simp
    (* preservation by one iteration of the body *)
    show "?inv (s + i) (i + 1)" if "?inv s i \<and> i \<noteq> n" for s i
      using that by simp
    (* exit: invariant plus negated guard *)
    show "s = ?sum n" if "?inv s i \<and> \<not> i \<noteq> n" for s i
      using that by simp
  qed
qed

text \<open>Certainly, this proof may be done fully automatically as well, provided
  that the invariant is given beforehand.\<close>

(* Fully automatic variant of the two summation proofs above: the invariant
   is given as INV, hoare reduces the triple to logic, auto finishes. *)
theorem
  "\<turnstile> \<lbrace>True\<rbrace>
      \<acute>S := 0; \<acute>I := 1;
      WHILE \<acute>I \<noteq> n
      INV \<lbrace>\<acute>S = (\<Sum>j<\<acute>I. j)\<rbrace>
      DO
        \<acute>S := \<acute>S + \<acute>I;
        \<acute>I := \<acute>I + 1
      OD
      \<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
  by hoare auto

subsection \<open>Time\<close>
text \<open>A simple embedding of time in Hoare logic: function \<open>timeit\<close> inserts
  an extra variable to keep track of the elapsed time.\<close>

(* The clock is a record field of its own. *)
record tstate = time :: nat

(* 'a time: any record that has at least the field time, with the remaining
   fields left open ('a), so programs over an extended state space can be
   timed as well. *)
type_synonym 'a time = "\<lparr>time :: nat, \<dots> :: 'a\<rparr>"

(* timeit instruments a program: every Basic command is followed by one
   extra Basic that increments time, so each basic step costs exactly one
   unit.  Sequencing, Cond and While are rewritten structurally only; the
   tests b themselves are not charged.  Any bound proved about (timeit c)
   is therefore a count of basic steps of c, not wall-clock time. *)
primrec timeit :: "'a time com \<Rightarrow> 'a time com"
where
  "timeit (Basic f) = (Basic f; Basic(\<lambda>s. s\<lparr>time := Suc (time s)\<rparr>))"
| "timeit (c1; c2) = (timeit c1; timeit c2)"
| "timeit (Cond b c1 c2) = Cond b (timeit c1) (timeit c2)"
| "timeit (While b iv c) = While b iv (timeit c)"

(* State space for the timed example: extends tstate with the two loop
   counters, so it has the field time that timeit relies on. *)
record tvars = tstate +
  I :: nat
  J :: nat

(* Arithmetic helper for the timing proof below (used there via frule):
   for positive n, n + n \<le> n * n + 1. *)
lemma lem: "(0::nat) < n \<Longrightarrow> n + n \<le> Suc (n * n)"
  by (induct n) simp_all

(* Cost of the nested count-down loops: starting with I = i and the clock
   at 0, the final clock satisfies 2 * time = i * i + 5 * i.  Both loops
   carry their invariant as an INV annotation; presumably the "- 2" in the
   inner one is there to keep the equation well-formed in nat arithmetic.
   The apply script is goal-order sensitive: the indentation of the apply
   lines tracks the number of open goals and "prefer 2" reorders them, so
   it will need attention if the goals produced by hoare or simp change. *)
lemma
  "\<turnstile> \<lbrace>i = \<acute>I \<and> \<acute>time = 0\<rbrace>
    (timeit
      (WHILE \<acute>I \<noteq> 0
        INV \<lbrace>2 *\<acute> time + \<acute>I * \<acute>I + 5 * \<acute>I = i * i + 5 * i\<rbrace>
        DO
          \<acute>J := \<acute>I;
          WHILE \<acute>J \<noteq> 0
          INV \<lbrace>0 < \<acute>I \<and> 2 * \<acute>time + \<acute>I * \<acute>I + 3 * \<acute>I + 2 * \<acute>J - 2 = i * i + 5 * i\<rbrace>
          DO \<acute>J := \<acute>J - 1 OD;
          \<acute>I := \<acute>I - 1
        OD))
    \<lbrace>2 * \<acute>time = i * i + 5 * i\<rbrace>"
  (* unfold timeit first, then let hoare generate the verification goals *)
  apply simp
  apply hoare
      apply simp
     apply clarsimp
    apply clarsimp
   apply arith
   prefer 2
   apply clarsimp
  apply (clarsimp simp: nat_distrib)
  (* the remaining goal needs the n + n \<le> Suc (n * n) bound from lem *)
  apply (frule lem)
  apply arith
  done

end