isabelle: src/HOL/IMP/Sec_TypingT.thy@70f9826753f6 (annotated)

68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	1	subsection "Termination-Sensitive Systems"
403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	2
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	3	theory Sec_TypingT imports Sec_Type_Expr
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	4	begin
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	5
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	6	subsubsection "A Syntax Directed System"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	7
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	8	inductive sec_type :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile> _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	9	Skip:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	10	"l \<turnstile> SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	11	Assign:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	12	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile> x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	13	Seq:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	14	"l \<turnstile> c\<^sub>1 \<Longrightarrow> l \<turnstile> c\<^sub>2 \<Longrightarrow> l \<turnstile> c\<^sub>1;;c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	15	If:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	16	"\<lbrakk> max (sec b) l \<turnstile> c\<^sub>1; max (sec b) l \<turnstile> c\<^sub>2 \<rbrakk>
a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	17	\<Longrightarrow> l \<turnstile> IF b THEN c\<^sub>1 ELSE c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	18	While:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	19	"sec b = 0 \<Longrightarrow> 0 \<turnstile> c \<Longrightarrow> 0 \<turnstile> WHILE b DO c"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	20
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	21	code_pred (expected_modes: i => i => bool) sec_type .
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	22
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	23	inductive_cases [elim!]:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	24	"l \<turnstile> x ::= a" "l \<turnstile> c\<^sub>1;;c\<^sub>2" "l \<turnstile> IF b THEN c\<^sub>1 ELSE c\<^sub>2" "l \<turnstile> WHILE b DO c"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	25
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	26
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	27	lemma anti_mono: "l \<turnstile> c \<Longrightarrow> l' \<le> l \<Longrightarrow> l' \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	28	apply(induction arbitrary: l' rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	29	apply (metis sec_type.intros(1))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	30	apply (metis le_trans sec_type.intros(2))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	31	apply (metis sec_type.intros(3))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	32	apply (metis If le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	33	by (metis While le_0_eq)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	34
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	35
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	36	lemma confinement: "(c,s) \<Rightarrow> t \<Longrightarrow> l \<turnstile> c \<Longrightarrow> s = t (< l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	37	proof(induction rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	38	case Skip thus ?case by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	39	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	40	case Assign thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	41	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	42	case Seq thus ?case by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	43	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	44	case (IfTrue b s c1)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	45	hence "max (sec b) l \<turnstile> c1" by auto
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	46	hence "l \<turnstile> c1" by (metis max.cobounded2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	47	thus ?case using IfTrue.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	48	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	49	case (IfFalse b s c2)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	50	hence "max (sec b) l \<turnstile> c2" by auto
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	51	hence "l \<turnstile> c2" by (metis max.cobounded2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	52	thus ?case using IfFalse.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	53	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	54	case WhileFalse thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	55	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	56	case (WhileTrue b s1 c)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	57	hence "l \<turnstile> c" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	58	thus ?case using WhileTrue by metis
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	59	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	60
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	61	lemma termi_if_non0: "l \<turnstile> c \<Longrightarrow> l \<noteq> 0 \<Longrightarrow> \<exists> t. (c,s) \<Rightarrow> t"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	62	apply(induction arbitrary: s rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	63	apply (metis big_step.Skip)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	64	apply (metis big_step.Assign)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	65	apply (metis big_step.Seq)
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	66	apply (metis IfFalse IfTrue le0 le_antisym max.cobounded2)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	67	apply simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	68	done
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	69
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	70	theorem noninterference: "(c,s) \<Rightarrow> s' \<Longrightarrow> 0 \<turnstile> c \<Longrightarrow> s = t (\<le> l)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	71	\<Longrightarrow> \<exists> t'. (c,t) \<Rightarrow> t' \<and> s' = t' (\<le> l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	72	proof(induction arbitrary: t rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	73	case Skip thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	74	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	75	case (Assign x a s)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	76	have "sec x >= sec a" using \<open>0 \<turnstile> x ::= a\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	77	have "(x ::= a,t) \<Rightarrow> t(x := aval a t)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	78	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	79	have "s(x := aval a s) = t(x := aval a t) (\<le> l)"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	80	proof auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	81	assume "sec x \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	82	with \<open>sec x \<ge> sec a\<close> have "sec a \<le> l" by arith
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	83	thus "aval a s = aval a t"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	84	by (rule aval_eq_if_eq_le[OF \<open>s = t (\<le> l)\<close>])
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	85	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	86	fix y assume "y \<noteq> x" "sec y \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	87	thus "s y = t y" using \<open>s = t (\<le> l)\<close> by simp
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	88	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	89	ultimately show ?case by blast
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	90	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	91	case Seq thus ?case by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	92	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	93	case (IfTrue b s c1 s' c2)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	94	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using \<open>0 \<turnstile> IF b THEN c1 ELSE c2\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	95	obtain t' where t': "(c1, t) \<Rightarrow> t'" "s' = t' (\<le> l)"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	96	using IfTrue.IH[OF anti_mono[OF \<open>sec b \<turnstile> c1\<close>] \<open>s = t (\<le> l)\<close>] by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	97	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	98	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	99	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	100	hence "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	101	hence "bval b t" using \<open>bval b s\<close> by(simp add: bval_eq_if_eq_le)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	102	thus ?thesis by (metis t' big_step.IfTrue)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	103	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	104	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	105	hence 0: "sec b \<noteq> 0" by arith
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	106	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	107	by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c1\<close> \<open>sec b \<turnstile> c2\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	108	from confinement[OF big_step.IfTrue[OF IfTrue(1,2)] 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	109	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	110	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	111	from termi_if_non0[OF 1 0, of t] obtain t' where
63539 70d4d9e5707b tuned proofs -- avoid improper use of "this"; wenzelm parents: 54864 diff changeset	112	t': "(IF b THEN c1 ELSE c2,t) \<Rightarrow> t'" ..
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	113	moreover
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	114	from confinement[OF t' 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	115	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	116	ultimately
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	117	show ?case using \<open>s = t (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	118	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	119	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	120	case (IfFalse b s c2 s' c1)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	121	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using \<open>0 \<turnstile> IF b THEN c1 ELSE c2\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	122	obtain t' where t': "(c2, t) \<Rightarrow> t'" "s' = t' (\<le> l)"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	123	using IfFalse.IH[OF anti_mono[OF \<open>sec b \<turnstile> c2\<close>] \<open>s = t (\<le> l)\<close>] by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	124	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	125	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	126	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	127	hence "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	128	hence "\<not> bval b t" using \<open>\<not> bval b s\<close> by(simp add: bval_eq_if_eq_le)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	129	thus ?thesis by (metis t' big_step.IfFalse)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	130	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	131	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	132	hence 0: "sec b \<noteq> 0" by arith
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	133	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	134	by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c1\<close> \<open>sec b \<turnstile> c2\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	135	from confinement[OF big_step.IfFalse[OF IfFalse(1,2)] 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	136	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	137	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	138	from termi_if_non0[OF 1 0, of t] obtain t' where
63539 70d4d9e5707b tuned proofs -- avoid improper use of "this"; wenzelm parents: 54864 diff changeset	139	t': "(IF b THEN c1 ELSE c2,t) \<Rightarrow> t'" ..
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	140	moreover
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	141	from confinement[OF t' 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	142	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	143	ultimately
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	144	show ?case using \<open>s = t (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	145	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	146	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	147	case (WhileFalse b s c)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	148	hence [simp]: "sec b = 0" by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	149	have "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	150	hence "\<not> bval b t" using \<open>\<not> bval b s\<close> by (metis bval_eq_if_eq_le le_refl)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	151	with WhileFalse.prems(2) show ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	152	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	153	case (WhileTrue b s c s'' s')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	154	let ?w = "WHILE b DO c"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	155	from \<open>0 \<turnstile> ?w\<close> have [simp]: "sec b = 0" by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	156	have "0 \<turnstile> c" using \<open>0 \<turnstile> WHILE b DO c\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	157	from WhileTrue.IH(1)[OF this \<open>s = t (\<le> l)\<close>]
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	158	obtain t'' where "(c,t) \<Rightarrow> t''" and "s'' = t'' (\<le>l)" by blast
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	159	from WhileTrue.IH(2)[OF \<open>0 \<turnstile> ?w\<close> this(2)]
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	160	obtain t' where "(?w,t'') \<Rightarrow> t'" and "s' = t' (\<le>l)" by blast
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	161	from \<open>bval b s\<close> have "bval b t"
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	162	using bval_eq_if_eq_le[OF \<open>s = t (\<le>l)\<close>] by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	163	show ?case
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	164	using big_step.WhileTrue[OF \<open>bval b t\<close> \<open>(c,t) \<Rightarrow> t''\<close> \<open>(?w,t'') \<Rightarrow> t'\<close>]
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	165	by (metis \<open>s' = t' (\<le> l)\<close>)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	166	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	167
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	168	subsubsection "The Standard System"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	169
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	170	text\<open>The predicate @{prop"l \<turnstile> c"} is nicely intuitive and executable. The
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	171	standard formulation, however, is slightly different, replacing the maximum
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	172	computation by an antimonotonicity rule. We introduce the standard system now
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 63539 diff changeset	173	and show the equivalence with our formulation.\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	174
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	175	inductive sec_type' :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile>'' _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	176	Skip':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	177	"l \<turnstile>' SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	178	Assign':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	179	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile>' x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	180	Seq':
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	181	"l \<turnstile>' c\<^sub>1 \<Longrightarrow> l \<turnstile>' c\<^sub>2 \<Longrightarrow> l \<turnstile>' c\<^sub>1;;c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	182	If':
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	183	"\<lbrakk> sec b \<le> l; l \<turnstile>' c\<^sub>1; l \<turnstile>' c\<^sub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' IF b THEN c\<^sub>1 ELSE c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	184	While':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	185	"\<lbrakk> sec b = 0; 0 \<turnstile>' c \<rbrakk> \<Longrightarrow> 0 \<turnstile>' WHILE b DO c" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	186	anti_mono':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	187	"\<lbrakk> l \<turnstile>' c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile>' c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	188
51456 a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	189	lemma sec_type_sec_type':
a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	190	"l \<turnstile> c \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	191	apply(induction rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	192	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	193	apply (metis Assign')
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	194	apply (metis Seq')
54864 a064732223ad abolished slightly odd global lattice interpretation for min/max haftmann parents: 54863 diff changeset	195	apply (metis max.commute max.absorb_iff2 nat_le_linear If' anti_mono')
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	196	by (metis While')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	197
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	198
51456 a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	199	lemma sec_type'_sec_type:
a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	200	"l \<turnstile>' c \<Longrightarrow> l \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	201	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	202	apply (metis Skip)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	203	apply (metis Assign)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45015 diff changeset	204	apply (metis Seq)
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	205	apply (metis max.absorb2 If)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	206	apply (metis While)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	207	by (metis anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	208
51456 a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	209	corollary sec_type_eq: "l \<turnstile> c \<longleftrightarrow> l \<turnstile>' c"
a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	210	by (metis sec_type'_sec_type sec_type_sec_type')
a6e3a5ec9847 lemma names and a corollary kleing parents: 50342 diff changeset	211
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	212	end

author	wenzelm
	Mon, 24 Sep 2018 19:53:45 +0200
changeset 69059	70f9826753f6
parent 68776	403dd13cf6e9
child 69597	ff784d5a5bfb
permissions	-rw-r--r--