isabelle: src/HOL/IMP/Sec_Typing.thy@8739f8abbecb (annotated)

43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	1	(* Author: Tobias Nipkow *)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	2
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	3	theory Sec_Typing imports Sec_Type_Expr
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	4	begin
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	5
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	6	subsection "Syntax Directed Typing"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	7
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	8	text_raw{\snip{sectypeDef}{0}{2}{% }
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	9	inductive sec_type :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile> _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	10	Skip:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	11	"l \<turnstile> SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	12	Assign:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	13	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile> x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	14	Seq:
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	15	"\<lbrakk> l \<turnstile> c\<^isub>1; l \<turnstile> c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> c\<^isub>1;c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	16	If:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	17	"\<lbrakk> max (sec b) l \<turnstile> c\<^isub>1; max (sec b) l \<turnstile> c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	18	While:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	19	"max (sec b) l \<turnstile> c \<Longrightarrow> l \<turnstile> WHILE b DO c"
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	20	text_raw{}%endsnip}
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	21
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	22	code_pred (expected_modes: i => i => bool) sec_type .
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	23
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	24	value "0 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	25	value "1 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	26	value "2 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	27
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	28	inductive_cases [elim!]:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	29	"l \<turnstile> x ::= a" "l \<turnstile> c\<^isub>1;c\<^isub>2" "l \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2" "l \<turnstile> WHILE b DO c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	30
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	31
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	32	text{* An important property: anti-monotonicity. *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	33
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	34	lemma anti_mono: "\<lbrakk> l \<turnstile> c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	35	apply(induction arbitrary: l' rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	36	apply (metis sec_type.intros(1))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	37	apply (metis le_trans sec_type.intros(2))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	38	apply (metis sec_type.intros(3))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	39	apply (metis If le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	40	apply (metis While le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	41	done
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	42
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	43	lemma confinement: "\<lbrakk> (c,s) \<Rightarrow> t; l \<turnstile> c \<rbrakk> \<Longrightarrow> s = t (< l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	44	proof(induction rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	45	case Skip thus ?case by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	46	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	47	case Assign thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	48	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	49	case Seq thus ?case by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	50	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	51	case (IfTrue b s c1)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	52	hence "max (sec b) l \<turnstile> c1" by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	53	hence "l \<turnstile> c1" by (metis le_maxI2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	54	thus ?case using IfTrue.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	55	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	56	case (IfFalse b s c2)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	57	hence "max (sec b) l \<turnstile> c2" by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	58	hence "l \<turnstile> c2" by (metis le_maxI2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	59	thus ?case using IfFalse.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	60	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	61	case WhileFalse thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	62	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	63	case (WhileTrue b s1 c)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	64	hence "max (sec b) l \<turnstile> c" by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	65	hence "l \<turnstile> c" by (metis le_maxI2 anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	66	thus ?case using WhileTrue by metis
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	67	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	68
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	69
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	70	theorem noninterference:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	71	"\<lbrakk> (c,s) \<Rightarrow> s'; (c,t) \<Rightarrow> t'; 0 \<turnstile> c; s = t (\<le> l) \<rbrakk>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	72	\<Longrightarrow> s' = t' (\<le> l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	73	proof(induction arbitrary: t t' rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	74	case Skip thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	75	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	76	case (Assign x a s)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	77	have [simp]: "t' = t(x := aval a t)" using Assign by auto
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	78	have "sec x >= sec a" using `0 \<turnstile> x ::= a` by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	79	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	80	proof auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	81	assume "sec x \<le> l"
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	82	with `sec x >= sec a` have "sec a \<le> l" by arith
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	83	thus "aval a s = aval a t"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	84	by (rule aval_eq_if_eq_le[OF `s = t (\<le> l)`])
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	85	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	86	fix y assume "y \<noteq> x" "sec y \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	87	thus "s y = t y" using `s = t (\<le> l)` by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	88	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	89	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	90	case Seq thus ?case by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	91	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	92	case (IfTrue b s c1 s' c2)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	93	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using IfTrue.prems(2) by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	94	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	95	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	96	assume "sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	97	hence "s = t (\<le> sec b)" using `s = t (\<le> l)` by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	98	hence "bval b t" using `bval b s` by(simp add: bval_eq_if_eq_le)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	99	with IfTrue.IH IfTrue.prems(1,3) `sec b \<turnstile> c1` anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	100	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	101	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	102	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	103	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	104	by(rule sec_type.intros)(simp_all add: `sec b \<turnstile> c1` `sec b \<turnstile> c2`)
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	105	from confinement[OF IfTrue.hyps(2) `sec b \<turnstile> c1`] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	106	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	107	moreover
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	108	from confinement[OF IfTrue.prems(1) 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	109	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	110	ultimately show "s' = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	111	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	112	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	113	case (IfFalse b s c2 s' c1)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	114	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using IfFalse.prems(2) by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	115	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	116	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	117	assume "sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	118	hence "s = t (\<le> sec b)" using `s = t (\<le> l)` by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	119	hence "\<not> bval b t" using `\<not> bval b s` by(simp add: bval_eq_if_eq_le)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	120	with IfFalse.IH IfFalse.prems(1,3) `sec b \<turnstile> c2` anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	121	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	122	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	123	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	124	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	125	by(rule sec_type.intros)(simp_all add: `sec b \<turnstile> c1` `sec b \<turnstile> c2`)
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	126	from confinement[OF big_step.IfFalse[OF IfFalse(1,2)] 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	127	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	128	moreover
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	129	from confinement[OF IfFalse.prems(1) 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	130	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	131	ultimately show "s' = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	132	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	133	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	134	case (WhileFalse b s c)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	135	have "sec b \<turnstile> c" using WhileFalse.prems(2) by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	136	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	137	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	138	assume "sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	139	hence "s = t (\<le> sec b)" using `s = t (\<le> l)` by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	140	hence "\<not> bval b t" using `\<not> bval b s` by(simp add: bval_eq_if_eq_le)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	141	with WhileFalse.prems(1,3) show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	142	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	143	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	144	have 1: "sec b \<turnstile> WHILE b DO c"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	145	by(rule sec_type.intros)(simp_all add: `sec b \<turnstile> c`)
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	146	from confinement[OF WhileFalse.prems(1) 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	147	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	148	thus "s = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	149	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	150	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	151	case (WhileTrue b s1 c s2 s3 t1 t3)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	152	let ?w = "WHILE b DO c"
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	153	have "sec b \<turnstile> c" using WhileTrue.prems(2) by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	154	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	155	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	156	assume "sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	157	hence "s1 = t1 (\<le> sec b)" using `s1 = t1 (\<le> l)` by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	158	hence "bval b t1"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	159	using `bval b s1` by(simp add: bval_eq_if_eq_le)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	160	then obtain t2 where "(c,t1) \<Rightarrow> t2" "(?w,t2) \<Rightarrow> t3"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	161	using `(?w,t1) \<Rightarrow> t3` by auto
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	162	from WhileTrue.IH(2)[OF `(?w,t2) \<Rightarrow> t3` `0 \<turnstile> ?w`
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	163	WhileTrue.IH(1)[OF `(c,t1) \<Rightarrow> t2` anti_mono[OF `sec b \<turnstile> c`]
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	164	`s1 = t1 (\<le> l)`]]
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	165	show ?thesis by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	166	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	167	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	168	have 1: "sec b \<turnstile> ?w" by(rule sec_type.intros)(simp_all add: `sec b \<turnstile> c`)
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	169	from confinement[OF big_step.WhileTrue[OF WhileTrue.hyps] 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	170	have "s1 = s3 (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	171	moreover
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	172	from confinement[OF WhileTrue.prems(1) 1] `\<not> sec b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	173	have "t1 = t3 (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	174	ultimately show "s3 = t3 (\<le> l)" using `s1 = t1 (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	175	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	176	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	177
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	178
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	179	subsection "The Standard Typing System"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	180
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	181	text{* The predicate @{prop"l \<turnstile> c"} is nicely intuitive and executable. The
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	182	standard formulation, however, is slightly different, replacing the maximum
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	183	computation by an antimonotonicity rule. We introduce the standard system now
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	184	and show the equivalence with our formulation. *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	185
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	186	text_raw{\snip{sectypepDef}{0}{2}{% }
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	187	inductive sec_type' :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile>'' _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	188	Skip':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	189	"l \<turnstile>' SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	190	Assign':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	191	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile>' x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	192	Seq':
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	193	"\<lbrakk> l \<turnstile>' c\<^isub>1; l \<turnstile>' c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' c\<^isub>1;c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	194	If':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	195	"\<lbrakk> sec b \<le> l; l \<turnstile>' c\<^isub>1; l \<turnstile>' c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' IF b THEN c\<^isub>1 ELSE c\<^isub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	196	While':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	197	"\<lbrakk> sec b \<le> l; l \<turnstile>' c \<rbrakk> \<Longrightarrow> l \<turnstile>' WHILE b DO c" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	198	anti_mono':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	199	"\<lbrakk> l \<turnstile>' c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile>' c"
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	200	text_raw{}%endsnip}
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	201
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	202	lemma sec_type_sec_type': "l \<turnstile> c \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	203	apply(induction rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	204	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	205	apply (metis Assign')
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	206	apply (metis Seq')
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	207	apply (metis min_max.inf_sup_ord(3) min_max.sup_absorb2 nat_le_linear If' anti_mono')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	208	by (metis less_or_eq_imp_le min_max.sup_absorb1 min_max.sup_absorb2 nat_le_linear While' anti_mono')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	209
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	210
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	211	lemma sec_type'_sec_type: "l \<turnstile>' c \<Longrightarrow> l \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	212	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	213	apply (metis Skip)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	214	apply (metis Assign)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	215	apply (metis Seq)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	216	apply (metis min_max.sup_absorb2 If)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	217	apply (metis min_max.sup_absorb2 While)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	218	by (metis anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	219
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	220	subsection "A Bottom-Up Typing System"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	221
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	222	text_raw{\snip{sectypebDef}{0}{2}{% }
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	223	inductive sec_type2 :: "com \<Rightarrow> level \<Rightarrow> bool" ("(\<turnstile> _ : _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	224	Skip2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	225	"\<turnstile> SKIP : l" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	226	Assign2:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	227	"sec x \<ge> sec a \<Longrightarrow> \<turnstile> x ::= a : sec x" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	228	Seq2:
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	229	"\<lbrakk> \<turnstile> c\<^isub>1 : l\<^isub>1; \<turnstile> c\<^isub>2 : l\<^isub>2 \<rbrakk> \<Longrightarrow> \<turnstile> c\<^isub>1;c\<^isub>2 : min l\<^isub>1 l\<^isub>2 " \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	230	If2:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	231	"\<lbrakk> sec b \<le> min l\<^isub>1 l\<^isub>2; \<turnstile> c\<^isub>1 : l\<^isub>1; \<turnstile> c\<^isub>2 : l\<^isub>2 \<rbrakk>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	232	\<Longrightarrow> \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2 : min l\<^isub>1 l\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	233	While2:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	234	"\<lbrakk> sec b \<le> l; \<turnstile> c : l \<rbrakk> \<Longrightarrow> \<turnstile> WHILE b DO c : l"
51412 c475a3983431 more IMP snippets kleing parents: 50342 diff changeset	235	text_raw{}%endsnip}
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	236
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	237
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	238	lemma sec_type2_sec_type': "\<turnstile> c : l \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	239	apply(induction rule: sec_type2.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	240	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	241	apply (metis Assign' eq_imp_le)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	242	apply (metis Seq' anti_mono' min_max.inf.commute min_max.inf_le2)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	243	apply (metis If' anti_mono' min_max.inf_absorb2 min_max.le_iff_inf nat_le_linear)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	244	by (metis While')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	245
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	246	lemma sec_type'_sec_type2: "l \<turnstile>' c \<Longrightarrow> \<exists> l' \<ge> l. \<turnstile> c : l'"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	247	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	248	apply (metis Skip2 le_refl)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	249	apply (metis Assign2)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	250	apply (metis Seq2 min_max.inf_greatest)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	251	apply (metis If2 inf_greatest inf_nat_def le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	252	apply (metis While2 le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	253	by (metis le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	254
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	255	end

author	kuncar
	Sat, 16 Mar 2013 20:51:23 +0100
changeset 51437	8739f8abbecb
parent 51412	c475a3983431
child 51455	daac447f0e93
permissions	-rw-r--r--