isabelle: src/HOL/IMP/Sec_Typing.thy@9639c3867b86 (annotated)

43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	1	(* Author: Tobias Nipkow *)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	2
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	3	subsection "Security Typing of Commands"
403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	4
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	5	theory Sec_Typing imports Sec_Type_Expr
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	6	begin
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	7
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	8	subsubsection "Syntax Directed Typing"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	9
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	10	inductive sec_type :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile> _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	11	Skip:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	12	"l \<turnstile> SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	13	Assign:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	14	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile> x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	15	Seq:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	16	"\<lbrakk> l \<turnstile> c\<^sub>1; l \<turnstile> c\<^sub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> c\<^sub>1;;c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	17	If:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	18	"\<lbrakk> max (sec b) l \<turnstile> c\<^sub>1; max (sec b) l \<turnstile> c\<^sub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> IF b THEN c\<^sub>1 ELSE c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	19	While:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	20	"max (sec b) l \<turnstile> c \<Longrightarrow> l \<turnstile> WHILE b DO c"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	21
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	22	code_pred (expected_modes: i => i => bool) sec_type .
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	23
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	24	value "0 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	25	value "1 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	26	value "2 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	27
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	28	inductive_cases [elim!]:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	29	"l \<turnstile> x ::= a" "l \<turnstile> c\<^sub>1;;c\<^sub>2" "l \<turnstile> IF b THEN c\<^sub>1 ELSE c\<^sub>2" "l \<turnstile> WHILE b DO c"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	30
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	31
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	32	text\<open>An important property: anti-monotonicity.\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	33
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	34	lemma anti_mono: "\<lbrakk> l \<turnstile> c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	35	apply(induction arbitrary: l' rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	36	apply (metis sec_type.intros(1))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	37	apply (metis le_trans sec_type.intros(2))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	38	apply (metis sec_type.intros(3))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	39	apply (metis If le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	40	apply (metis While le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	41	done
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	42
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	43	lemma confinement: "\<lbrakk> (c,s) \<Rightarrow> t; l \<turnstile> c \<rbrakk> \<Longrightarrow> s = t (< l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	44	proof(induction rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	45	case Skip thus ?case by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	46	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	47	case Assign thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	48	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	49	case Seq thus ?case by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	50	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	51	case (IfTrue b s c1)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	52	hence "max (sec b) l \<turnstile> c1" by auto
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	53	hence "l \<turnstile> c1" by (metis max.cobounded2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	54	thus ?case using IfTrue.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	55	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	56	case (IfFalse b s c2)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	57	hence "max (sec b) l \<turnstile> c2" by auto
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	58	hence "l \<turnstile> c2" by (metis max.cobounded2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	59	thus ?case using IfFalse.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	60	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	61	case WhileFalse thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	62	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	63	case (WhileTrue b s1 c)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	64	hence "max (sec b) l \<turnstile> c" by auto
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	65	hence "l \<turnstile> c" by (metis max.cobounded2 anti_mono)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	66	thus ?case using WhileTrue by metis
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	67	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	68
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	69
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	70	theorem noninterference:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	71	"\<lbrakk> (c,s) \<Rightarrow> s'; (c,t) \<Rightarrow> t'; 0 \<turnstile> c; s = t (\<le> l) \<rbrakk>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	72	\<Longrightarrow> s' = t' (\<le> l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	73	proof(induction arbitrary: t t' rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	74	case Skip thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	75	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	76	case (Assign x a s)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	77	have [simp]: "t' = t(x := aval a t)" using Assign by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	78	have "sec x >= sec a" using \<open>0 \<turnstile> x ::= a\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	79	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	80	proof auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	81	assume "sec x \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	82	with \<open>sec x >= sec a\<close> have "sec a \<le> l" by arith
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	83	thus "aval a s = aval a t"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	84	by (rule aval_eq_if_eq_le[OF \<open>s = t (\<le> l)\<close>])
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	85	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	86	fix y assume "y \<noteq> x" "sec y \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	87	thus "s y = t y" using \<open>s = t (\<le> l)\<close> by simp
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	88	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	89	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	90	case Seq thus ?case by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	91	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	92	case (IfTrue b s c1 s' c2)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	93	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using \<open>0 \<turnstile> IF b THEN c1 ELSE c2\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	94	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	95	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	96	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	97	hence "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	98	hence "bval b t" using \<open>bval b s\<close> by(simp add: bval_eq_if_eq_le)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	99	with IfTrue.IH IfTrue.prems(1,3) \<open>sec b \<turnstile> c1\<close> anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	100	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	101	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	102	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	103	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	104	by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c1\<close> \<open>sec b \<turnstile> c2\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	105	from confinement[OF \<open>(c1, s) \<Rightarrow> s'\<close> \<open>sec b \<turnstile> c1\<close>] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	106	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	107	moreover
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	108	from confinement[OF \<open>(IF b THEN c1 ELSE c2, t) \<Rightarrow> t'\<close> 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	109	have "t = t' (\<le> l)" by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	110	ultimately show "s' = t' (\<le> l)" using \<open>s = t (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	111	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	112	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	113	case (IfFalse b s c2 s' c1)
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	114	have "sec b \<turnstile> c1" "sec b \<turnstile> c2" using \<open>0 \<turnstile> IF b THEN c1 ELSE c2\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	115	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	116	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	117	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	118	hence "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	119	hence "\<not> bval b t" using \<open>\<not> bval b s\<close> by(simp add: bval_eq_if_eq_le)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	120	with IfFalse.IH IfFalse.prems(1,3) \<open>sec b \<turnstile> c2\<close> anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	121	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	122	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	123	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	124	have 1: "sec b \<turnstile> IF b THEN c1 ELSE c2"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	125	by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c1\<close> \<open>sec b \<turnstile> c2\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	126	from confinement[OF big_step.IfFalse[OF IfFalse(1,2)] 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	127	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	128	moreover
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	129	from confinement[OF \<open>(IF b THEN c1 ELSE c2, t) \<Rightarrow> t'\<close> 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	130	have "t = t' (\<le> l)" by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	131	ultimately show "s' = t' (\<le> l)" using \<open>s = t (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	132	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	133	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	134	case (WhileFalse b s c)
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	135	have "sec b \<turnstile> c" using WhileFalse.prems(2) by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	136	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	137	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	138	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	139	hence "s = t (\<le> sec b)" using \<open>s = t (\<le> l)\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	140	hence "\<not> bval b t" using \<open>\<not> bval b s\<close> by(simp add: bval_eq_if_eq_le)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	141	with WhileFalse.prems(1,3) show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	142	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	143	assume "\<not> sec b \<le> l"
e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	144	have 1: "sec b \<turnstile> WHILE b DO c"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	145	by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	146	from confinement[OF \<open>(WHILE b DO c, t) \<Rightarrow> t'\<close> 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	147	have "t = t' (\<le> l)" by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	148	thus "s = t' (\<le> l)" using \<open>s = t (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	149	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	150	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	151	case (WhileTrue b s1 c s2 s3 t1 t3)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	152	let ?w = "WHILE b DO c"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	153	have "sec b \<turnstile> c" using \<open>0 \<turnstile> WHILE b DO c\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	154	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	155	proof cases
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	156	assume "sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	157	hence "s1 = t1 (\<le> sec b)" using \<open>s1 = t1 (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	158	hence "bval b t1"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	159	using \<open>bval b s1\<close> by(simp add: bval_eq_if_eq_le)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	160	then obtain t2 where "(c,t1) \<Rightarrow> t2" "(?w,t2) \<Rightarrow> t3"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	161	using \<open>(?w,t1) \<Rightarrow> t3\<close> by auto
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	162	from WhileTrue.IH(2)[OF \<open>(?w,t2) \<Rightarrow> t3\<close> \<open>0 \<turnstile> ?w\<close>
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	163	WhileTrue.IH(1)[OF \<open>(c,t1) \<Rightarrow> t2\<close> anti_mono[OF \<open>sec b \<turnstile> c\<close>]
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	164	\<open>s1 = t1 (\<le> l)\<close>]]
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	165	show ?thesis by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	166	next
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	167	assume "\<not> sec b \<le> l"
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	168	have 1: "sec b \<turnstile> ?w" by(rule sec_type.intros)(simp_all add: \<open>sec b \<turnstile> c\<close>)
23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	169	from confinement[OF big_step.WhileTrue[OF WhileTrue.hyps] 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	170	have "s1 = s3 (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	171	moreover
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	172	from confinement[OF \<open>(WHILE b DO c, t1) \<Rightarrow> t3\<close> 1] \<open>\<not> sec b \<le> l\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	173	have "t1 = t3 (\<le> l)" by auto
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	174	ultimately show "s3 = t3 (\<le> l)" using \<open>s1 = t1 (\<le> l)\<close> by auto
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	175	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	176	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	177
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	178
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	179	subsubsection "The Standard Typing System"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	180
69597 ff784d5a5bfb isabelle update -u control_cartouches; wenzelm parents: 68776 diff changeset	181	text\<open>The predicate \<^prop>\<open>l \<turnstile> c\<close> is nicely intuitive and executable. The
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	182	standard formulation, however, is slightly different, replacing the maximum
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	183	computation by an antimonotonicity rule. We introduce the standard system now
67406 23307fd33906 isabelle update_cartouches -c; wenzelm parents: 54864 diff changeset	184	and show the equivalence with our formulation.\<close>
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	185
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	186	inductive sec_type' :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile>'' _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	187	Skip':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	188	"l \<turnstile>' SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	189	Assign':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	190	"\<lbrakk> sec x \<ge> sec a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile>' x ::= a" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	191	Seq':
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	192	"\<lbrakk> l \<turnstile>' c\<^sub>1; l \<turnstile>' c\<^sub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' c\<^sub>1;;c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	193	If':
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	194	"\<lbrakk> sec b \<le> l; l \<turnstile>' c\<^sub>1; l \<turnstile>' c\<^sub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' IF b THEN c\<^sub>1 ELSE c\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	195	While':
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	196	"\<lbrakk> sec b \<le> l; l \<turnstile>' c \<rbrakk> \<Longrightarrow> l \<turnstile>' WHILE b DO c" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	197	anti_mono':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	198	"\<lbrakk> l \<turnstile>' c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile>' c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	199
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	200	lemma sec_type_sec_type': "l \<turnstile> c \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	201	apply(induction rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	202	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	203	apply (metis Assign')
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	204	apply (metis Seq')
54864 a064732223ad abolished slightly odd global lattice interpretation for min/max haftmann parents: 54863 diff changeset	205	apply (metis max.commute max.absorb_iff2 nat_le_linear If' anti_mono')
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	206	by (metis less_or_eq_imp_le max.absorb1 max.absorb2 nat_le_linear While' anti_mono')
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	207
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	208
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	209	lemma sec_type'_sec_type: "l \<turnstile>' c \<Longrightarrow> l \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	210	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	211	apply (metis Skip)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	212	apply (metis Assign)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	213	apply (metis Seq)
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	214	apply (metis max.absorb2 If)
82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	215	apply (metis max.absorb2 While)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	216	by (metis anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	217
68776 403dd13cf6e9 avoid session qualification because no tex is generated when used; nipkow parents: 67406 diff changeset	218	subsubsection "A Bottom-Up Typing System"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	219
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	220	inductive sec_type2 :: "com \<Rightarrow> level \<Rightarrow> bool" ("(\<turnstile> _ : _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	221	Skip2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	222	"\<turnstile> SKIP : l" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	223	Assign2:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	224	"sec x \<ge> sec a \<Longrightarrow> \<turnstile> x ::= a : sec x" \|
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45823 diff changeset	225	Seq2:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	226	"\<lbrakk> \<turnstile> c\<^sub>1 : l\<^sub>1; \<turnstile> c\<^sub>2 : l\<^sub>2 \<rbrakk> \<Longrightarrow> \<turnstile> c\<^sub>1;;c\<^sub>2 : min l\<^sub>1 l\<^sub>2 " \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	227	If2:
53015 a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	228	"\<lbrakk> sec b \<le> min l\<^sub>1 l\<^sub>2; \<turnstile> c\<^sub>1 : l\<^sub>1; \<turnstile> c\<^sub>2 : l\<^sub>2 \<rbrakk>
a1119cf551e8 standardized symbols via "isabelle update_sub_sup", excluding src/Pure and src/Tools/WWW_Find; wenzelm parents: 52382 diff changeset	229	\<Longrightarrow> \<turnstile> IF b THEN c\<^sub>1 ELSE c\<^sub>2 : min l\<^sub>1 l\<^sub>2" \|
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	230	While2:
50342 e77b0dbcae5b tuned defs of sec_xyz nipkow parents: 47818 diff changeset	231	"\<lbrakk> sec b \<le> l; \<turnstile> c : l \<rbrakk> \<Longrightarrow> \<turnstile> WHILE b DO c : l"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	232
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	233
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	234	lemma sec_type2_sec_type': "\<turnstile> c : l \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	235	apply(induction rule: sec_type2.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	236	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	237	apply (metis Assign' eq_imp_le)
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	238	apply (metis Seq' anti_mono' min.cobounded1 min.cobounded2)
82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	239	apply (metis If' anti_mono' min.absorb2 min.absorb_iff1 nat_le_linear)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	240	by (metis While')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	241
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	242	lemma sec_type'_sec_type2: "l \<turnstile>' c \<Longrightarrow> \<exists> l' \<ge> l. \<turnstile> c : l'"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	243	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	244	apply (metis Skip2 le_refl)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	245	apply (metis Assign2)
54863 82acc20ded73 prefer more canonical names for lemmas on min/max haftmann parents: 53015 diff changeset	246	apply (metis Seq2 min.boundedI)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	247	apply (metis If2 inf_greatest inf_nat_def le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	248	apply (metis While2 le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	249	by (metis le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	250
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	251	end

author	wenzelm
	Sat, 25 Jun 2022 10:27:42 +0200
changeset 75619	9639c3867b86
parent 69597	ff784d5a5bfb
child 80914	d97fdabd9e2b
permissions	-rw-r--r--