isabelle: src/HOL/MicroJava/BV/LBVComplete.thy@96bf406fd3e5 (annotated)

8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	1	(* Title: HOL/MicroJava/BV/LBVComplete.thy
b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	2	ID: $Id$
b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	3	Author: Gerwin Klein
b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	4	Copyright 2000 Technische Universitaet Muenchen
9054 0e48e7d4d4f9 minor tuning for pdf documents kleing parents: 9012 diff changeset	5	*)
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	6
12911 704713ca07ea new document kleing parents: 12516 diff changeset	7	header {* \isaheader{Completeness of the LBV} *}
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	8
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	9	theory LBVComplete = LBVSpec + Typing_Framework:
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	10
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	11	constdefs
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	12	contains_targets :: "['s steptype, 's certificate, 's option list, nat] \<Rightarrow> bool"
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	13	"contains_targets step cert phi pc \<equiv>
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	14	\<forall>(pc',s') \<in> set (step pc (OK (phi!pc))). pc' \<noteq> pc+1 \<and> pc' < length phi \<longrightarrow> cert!pc' = phi!pc'"
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	15
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	16	fits :: "['s steptype, 's certificate, 's option list] \<Rightarrow> bool"
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	17	"fits step cert phi \<equiv> \<forall>pc. pc < length phi \<longrightarrow>
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	18	contains_targets step cert phi pc \<and>
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	19	(cert!pc = None \<or> cert!pc = phi!pc)"
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	20
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	21	is_target :: "['s steptype, 's option list, nat] \<Rightarrow> bool"
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	22	"is_target step phi pc' \<equiv>
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	23	\<exists>pc s'. pc' \<noteq> pc+1 \<and> pc < length phi \<and> (pc',s') \<in> set (step pc (OK (phi!pc)))"
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	24
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	25	make_cert :: "['s steptype, 's option list] \<Rightarrow> 's certificate"
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	26	"make_cert step phi \<equiv>
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	27	map (\<lambda>pc. if is_target step phi pc then phi!pc else None) [0..length phi(] @ [None]"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	28
8388 b66d3c49cb8d completeness of the lightweight bytecode verifier kleing parents: diff changeset	29
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	30	lemmas [simp del] = split_paired_Ex
1f99296758c2 tuned kleing parents: 9549 diff changeset	31
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	32	lemma make_cert_target:
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	33	"\<lbrakk> pc < length phi; is_target step phi pc \<rbrakk> \<Longrightarrow> make_cert step phi ! pc = phi!pc"
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	34	by (simp add: make_cert_def nth_append)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	35
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	36	lemma make_cert_approx:
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	37	"\<lbrakk> pc < length phi; make_cert step phi ! pc \<noteq> phi!pc \<rbrakk> \<Longrightarrow>
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	38	make_cert step phi ! pc = None"
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	39	by (auto simp add: make_cert_def nth_append)
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	40
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	41	lemma make_cert_contains_targets:
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	42	"pc < length phi \<Longrightarrow> contains_targets step (make_cert step phi) phi pc"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	43	proof (unfold contains_targets_def, clarify)
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	44	fix pc' s'
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	45	assume "pc < length phi"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	46	"(pc',s') \<in> set (step pc (OK (phi ! pc)))"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	47	"pc' \<noteq> pc+1" and
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	48	pc': "pc' < length phi"
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	49	hence "is_target step phi pc'" by (auto simp add: is_target_def)
b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	50	with pc' show "make_cert step phi ! pc' = phi!pc'"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	51	by (auto intro: make_cert_target)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	52	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	53
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	54	theorem fits_make_cert:
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	55	"fits step (make_cert step phi) phi"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	56	by (auto dest: make_cert_approx simp add: fits_def make_cert_contains_targets)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	57
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	58	lemma fitsD:
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	59	"\<lbrakk> fits step cert phi; (pc',s') \<in> set (step pc (OK (phi!pc)));
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	60	pc' \<noteq> pc+1; pc < length phi; pc' < length phi \<rbrakk>
13006 51c5f3f11d16 symbolized kleing parents: 12911 diff changeset	61	\<Longrightarrow> cert!pc' = phi!pc'"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	62	by (auto simp add: fits_def contains_targets_def)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	63
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	64	lemma fitsD2:
13066 b57d926d1de2 cleanup + simpler monotonicity kleing parents: 13064 diff changeset	65	"\<lbrakk> fits step cert phi; pc < length phi; cert!pc = Some s \<rbrakk>
13006 51c5f3f11d16 symbolized kleing parents: 12911 diff changeset	66	\<Longrightarrow> cert!pc = phi!pc"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	67	by (auto simp add: fits_def)
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	68
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	69
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	70	lemma merge_mono:
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	71	assumes merge: "merge cert f r pc ss1 x = OK s1"
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	72	assumes less: "ss2 <=\|Err.le (Opt.le r)\| ss1"
13070 fcfdefa4617b merge mono kleing parents: 13066 diff changeset	73	assumes esl: "err_semilat (A, r, f)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	74	assumes x: "x \<in> err (opt A)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	75	assumes ss1: "\<forall>(pc', s')\<in>set ss1. s' \<in> err (opt A)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	76	assumes ss2: "\<forall>(pc', s')\<in>set ss2. s' \<in> err (opt A)"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	77	shows "\<exists>s2. merge cert f r pc ss2 x = s2 \<and> s2 \<le>\|r (OK s1)"
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	78	proof-
13070 fcfdefa4617b merge mono kleing parents: 13066 diff changeset	79	from esl have eosl: "err_semilat (opt A, Opt.le r, Opt.sup f)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	80	by - (drule semilat_opt, simp add: Opt.esl_def)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	81	hence order: "order (Opt.le r)" ..
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	82	from esl x ss1 have "merge cert f r pc ss1 x =
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	83	(if \<forall>(pc', s')\<in>set ss1. pc' \<noteq> pc + 1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	84	then (map snd [(p', t')\<in>ss1 . p'=pc+1]) ++\|f x
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	85	else Err)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	86	by (rule merge_def)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	87	with merge obtain
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	88	app: "\<forall>(pc',s')\<in>set ss1. pc' \<noteq> pc+1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	89	(is "?app ss1") and
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	90	sum: "(map snd [(p',t')\<in>ss1 . p' = pc+1] ++\|f x) = OK s1"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	91	(is "?map ss1 ++\|f x = _" is "?sum ss1 = _")
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	92	by (simp split: split_if_asm)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	93	from app less
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	94	have "?app ss2"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	95	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	96	apply (drule lesub_step_typeD, assumption)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	97	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	98	apply (drule bspec, assumption)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	99	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	100	apply (drule order_trans [OF order], assumption)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	101	apply blast
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	102	done
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	103	moreover {
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	104	have "set (?map ss1) \<subseteq> snd`(set ss1)" by auto
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	105	also from ss1 have "snd`(set ss1) \<subseteq> err (opt A)" by auto
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	106	finally have map1: "set (?map ss1) \<subseteq> err (opt A)" .
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	107	with eosl x have "?sum ss1 \<in> err (opt A)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	108	by (auto intro!: plusplus_closed simp add: Err.sl_def)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	109	with sum have "OK s1 \<in> err (opt A)" by simp
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	110	moreover
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	111	have mapD: "\<And>x ss. x \<in> set (?map ss) \<Longrightarrow> \<exists>p. (p,x) \<in> set ss \<and> p=pc+1" by auto
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	112	from eosl x map1
13074 96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	113	have "\<forall>x \<in> set (?map ss1). x \<le>\|r (?sum ss1)"
96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	114	by clarify (rule semilat.pp_ub1, simp add: Err.sl_def)
13070 fcfdefa4617b merge mono kleing parents: 13066 diff changeset	115	with sum have "\<forall>x \<in> set (?map ss1). x \<le>\|r (OK s1)" by simp
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	116	with less have "\<forall>x \<in> set (?map ss2). x \<le>\|r (OK s1)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	117	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	118	apply (drule mapD)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	119	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	120	apply (drule lesub_step_typeD, assumption)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	121	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	122	apply simp
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	123	apply (erule allE, erule impE, assumption)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	124	apply clarify
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	125	apply simp
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	126	apply (rule order_trans [OF order],assumption+)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	127	done
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	128	moreover
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	129	from eosl map1 x have "x \<le>\|r (?sum ss1)"
13074 96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	130	by - (rule semilat.pp_ub2, simp add: Err.sl_def)
13070 fcfdefa4617b merge mono kleing parents: 13066 diff changeset	131	with sum have "x \<le>\|r (OK s1)" by simp
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	132	moreover {
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	133	have "set (?map ss2) \<subseteq> snd`(set ss2)" by auto
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	134	also from ss2 have "snd`(set ss2) \<subseteq> err (opt A)" by auto
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	135	finally have "set (?map ss2) \<subseteq> err (opt A)" . }
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	136	ultimately
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	137	have "?sum ss2 \<le>\|r (OK s1)" using eosl x
13074 96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	138	by - (rule semilat.pp_lub, simp add: Err.sl_def)
13070 fcfdefa4617b merge mono kleing parents: 13066 diff changeset	139	also obtain s2 where sum2: "?sum ss2 = s2" by blast
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	140	finally have "s2 \<le>\|r (OK s1)" .
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	141	with sum2 have "\<exists>s2. ?sum ss2 = s2 \<and> s2 \<le>\|r (OK s1)" by blast
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	142	}
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	143	moreover
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	144	from esl x ss2 have
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	145	"merge cert f r pc ss2 x =
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	146	(if \<forall>(pc', s')\<in>set ss2. pc' \<noteq> pc + 1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	147	then map snd [(p', t')\<in>ss2 . p' = pc + 1] ++\|f x
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	148	else Err)"
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	149	by (rule merge_def)
fcfdefa4617b merge mono kleing parents: 13066 diff changeset	150	ultimately show ?thesis by simp
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	151	qed
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	152
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	153
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	154	lemma wtl_inst_mono:
1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	155	assumes wtl: "wtl_inst cert f r step pc s1 = OK s1'"
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	156	assumes less: "OK s2 \<le>\|r (OK s1)"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	157	assumes pc: "pc < n"
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	158	assumes s1: "s1 \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	159	assumes s2: "s2 \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	160	assumes esl: "err_semilat (A,r,f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	161	assumes cert: "cert_ok cert n A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	162	assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	163	assumes pres: "pres_type step n (err (opt A))"
13064 1f54a5fecaa6 first steps in semilattices.. kleing parents: 13006 diff changeset	164	shows "\<exists>s2'. wtl_inst cert f r step pc s2 = OK s2' \<and> OK s2' \<le>\|r (OK s1')"
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	165	proof -
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	166	let "?step s1" = "step pc (OK s1)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	167	let ?cert = "OK (cert!Suc pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	168	from wtl
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	169	have "merge cert f r pc (?step s1) ?cert = OK s1'" by (simp add: wtl_inst_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	170	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	171	have s2: "OK s2 \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	172	with mono have "?step s2 <=\|Err.le (Opt.le r)\| ?step s1" by - (rule monoD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	173	moreover note esl
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	174	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	175	from pc cert have "?cert \<in> err (opt A)" by (simp add: cert_okD3)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	176	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	177	have s1: "OK s1 \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	178	with pres pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	179	have "\<forall>(pc', s')\<in>set (?step s1). s' \<in> err (opt A)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	180	by (blast intro: pres_typeD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	181	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	182	from pres s2 pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	183	have "\<forall>(pc', s')\<in>set (?step s2). s' \<in> err (opt A)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	184	by (blast intro: pres_typeD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	185	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	186	obtain s2' where "merge cert f r pc (?step s2) ?cert = s2' \<and> s2' \<le>\|r (OK s1')"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	187	by (blast dest: merge_mono)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	188	thus ?thesis by (simp add: wtl_inst_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	189	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	190
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	191	lemma wtl_cert_mono:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	192	assumes wtl: "wtl_cert cert f r step pc s1 = OK s1'"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	193	assumes less: "OK s2 \<le>\|r (OK s1)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	194	assumes pc: "pc < n"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	195	assumes s1: "s1 \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	196	assumes s2: "s2 \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	197	assumes esl: "err_semilat (A,r,f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	198	assumes cert: "cert_ok cert n A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	199	assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	200	assumes pres: "pres_type step n (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	201	shows "\<exists>s2'. wtl_cert cert f r step pc s2 = OK s2' \<and> OK s2' \<le>\|r (OK s1')"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	202	proof (cases "cert!pc")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	203	case None
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	204	with wtl have "wtl_inst cert f r step pc s1 = OK s1'"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	205	by (simp add: wtl_cert_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	206	hence "\<exists>s2'. wtl_inst cert f r step pc s2 = OK s2' \<and> OK s2' \<le>\|r (OK s1')"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	207	by - (rule wtl_inst_mono)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	208	with None show ?thesis by (simp add: wtl_cert_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	209	next
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	210	case (Some s')
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	211	with wtl obtain
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	212	wti: "wtl_inst cert f r step pc (Some s') = OK s1'" and
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	213	s': "OK s1 \<le>\|r OK (Some s')"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	214	by (auto simp add: wtl_cert_def split: split_if_asm)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	215	from esl have order: "order (Opt.le r)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	216	hence "order (Err.le (Opt.le r))" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	217	with less s' have "OK s2 \<le>\|r OK (Some s')" by - (drule order_trans)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	218	with Some wti order show ?thesis by (simp add: wtl_cert_def)
9376 c32c5696ec2a flat instruction set kleing parents: 9260 diff changeset	219	qed
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	220
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	221
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	222	lemma stable_wtl:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	223	assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	224	assumes fits: "fits step cert phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	225	assumes pc: "pc < length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	226	assumes bounded: "bounded step (length phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	227	assumes esl: "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	228	assumes cert_ok: "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	229	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	230	assumes pres: "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	231	shows "wtl_inst cert f r step pc (phi!pc) \<noteq> Err"
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	232	proof -
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	233	from esl have order: "order (Opt.le r)" by simp
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	234
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	235	let ?step = "step pc (OK (phi!pc))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	236	from pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	237	from stable
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	238	have less: "\<forall>(q,s')\<in>set ?step. s' \<le>\|r (map OK phi!q)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	239	by (simp add: stable_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	240
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	241	from cert_ok pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	242	have cert_suc: "OK (cert!Suc pc) \<in> err (opt A)" by (auto dest: cert_okD3)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	243	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	244	from phi_ok pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	245	have "OK (phi!pc) \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	246	with pres pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	247	have stepA: "\<forall>(pc',s') \<in> set ?step. s' \<in> err (opt A)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	248	by (blast dest: pres_typeD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	249	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	250	have "merge cert f r pc ?step (OK (cert!Suc pc)) =
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	251	(if \<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	252	then map snd [(p',t')\<in>?step.p'=pc+1] ++\|f (OK (cert!Suc pc))
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	253	else Err)" using esl by - (rule merge_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	254	moreover {
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	255	fix pc' s' assume s': "(pc', s') \<in> set ?step" and suc_pc: "pc' \<noteq> pc+1"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	256	from bounded pc s' have pc': "pc' < length phi" by (rule boundedD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	257	hence [simp]: "map OK phi ! pc' = OK (phi!pc')" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	258	with s' less have "s' \<le>\|r OK (phi!pc')" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	259	also from fits s' suc_pc pc pc'
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	260	have "cert!pc' = phi!pc'" by (rule fitsD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	261	hence "phi!pc' = cert!pc'" ..
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	262	finally have "s' \<le>\|r (OK (cert!pc'))" .
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	263	} hence "\<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	264	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	265	from pc have "Suc pc = length phi \<or> Suc pc < length phi" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	266	hence "(map snd [(p',t')\<in>?step.p'=pc+1] ++\|f (OK (cert!Suc pc))) \<noteq> Err"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	267	(is "(?map ++\|f _) \<noteq> _")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	268	proof (rule disjE)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	269	assume pc': "Suc pc = length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	270	with cert_ok have "cert!Suc pc = None" by (simp add: cert_okD2)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	271	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	272	from pc' bounded pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	273	have "\<forall>(p',t')\<in>set ?step. p'\<noteq>pc+1" by clarify (drule boundedD, auto)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	274	hence "[(p',t')\<in>?step.p'=pc+1] = []" by (blast intro: filter_False)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	275	hence "?map = []" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	276	ultimately show ?thesis by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	277	next
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	278	assume pc': "Suc pc < length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	279	hence [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	280	from esl
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	281	have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	282	by (simp add: Err.sl_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	283	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	284	from pc' phi_ok
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	285	have "OK (phi!Suc pc) \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	286	moreover note cert_suc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	287	moreover from stepA
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	288	have "snd`(set ?step) \<subseteq> err (opt A)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	289	hence "set ?map \<subseteq> err (opt A)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	290	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	291	have "\<And>s. s \<in> set ?map \<Longrightarrow> \<exists>t. (Suc pc, t) \<in> set ?step" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	292	with less have "\<forall>s' \<in> set ?map. s' \<le>\|r OK (phi!Suc pc)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	293	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	294	from order fits pc'
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	295	have "OK (cert!Suc pc) \<le>\|r OK (phi!Suc pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	296	by (cases "cert!Suc pc") (simp, blast dest: fitsD2)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	297	ultimately
13074 96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	298	have "?map ++\|f OK (cert!Suc pc) \<le>\|r OK (phi!Suc pc)"
96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	299	by (rule semilat.pp_lub)
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	300	thus ?thesis by auto
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	301	qed
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	302	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	303	have "merge cert f r pc ?step (OK (cert!Suc pc)) \<noteq> Err" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	304	thus ?thesis by (simp add: wtl_inst_def)
9376 c32c5696ec2a flat instruction set kleing parents: 9260 diff changeset	305	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	306
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	307	lemma stable_cert:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	308	assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	309	assumes fits: "fits step cert phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	310	assumes pc: "pc < length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	311	assumes bounded: "bounded step (length phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	312	assumes esl: "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	313	assumes cert_ok: "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	314	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	315	assumes pres: "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	316	shows "wtl_cert cert f r step pc (phi!pc) \<noteq> Err"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	317	proof -
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	318	have wtl: "wtl_inst cert f r step pc (phi!pc) \<noteq> Err" by (rule stable_wtl)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	319	show ?thesis
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	320	proof (cases "cert!pc")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	321	case None with wtl show ?thesis by (simp add: wtl_cert_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	322	next
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	323	case (Some s)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	324	with pc fits have "cert!pc = phi!pc" by - (rule fitsD2)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	325	with Some have "phi!pc = Some s" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	326	with Some wtl esl show ?thesis by (simp add: wtl_cert_def)
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	327	qed
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	328	qed
9559 1f99296758c2 tuned kleing parents: 9549 diff changeset	329
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	330
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	331	lemma wtl_less:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	332	assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	333	assumes wtl: "wtl_inst cert f r step pc (phi!pc) = OK s"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	334	assumes fits: "fits step cert phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	335	assumes suc_pc: "Suc pc < length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	336	assumes bounded: "bounded step (length phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	337	assumes esl: "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	338	assumes cert_ok: "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	339	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	340	assumes pres: "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	341	shows "OK s \<le>\|r OK (phi!Suc pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	342	proof -
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	343	from esl have order: "order (Opt.le r)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	344
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	345	let ?step = "step pc (OK (phi!pc))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	346	from suc_pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	347	from suc_pc have [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	348	from suc_pc have pc: "pc < length phi" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	349
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	350	from stable
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	351	have less: "\<forall>(q,s')\<in>set ?step. s' \<le>\|r (map OK phi!q)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	352	by (simp add: stable_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	353
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	354	from cert_ok pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	355	have cert_suc: "OK (cert!Suc pc) \<in> err (opt A)" by (auto dest: cert_okD3)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	356	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	357	from phi_ok pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	358	have "OK (phi!pc) \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	359	with pres pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	360	have stepA: "\<forall>(pc',s') \<in> set ?step. s' \<in> err (opt A)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	361	by (blast dest: pres_typeD)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	362	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	363	have "merge cert f r pc ?step (OK (cert!Suc pc)) =
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	364	(if \<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>\|r (OK (cert!pc'))
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	365	then map snd [(p',t')\<in>?step.p'=pc+1] ++\|f (OK (cert!Suc pc))
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	366	else Err)" using esl by - (rule merge_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	367	with wtl have
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	368	"OK s = (map snd [(p',t')\<in>?step.p'=pc+1] ++\|f (OK (cert!Suc pc)))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	369	(is "_ = (?map ++\|f _)" is "_ = ?sum")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	370	by (simp add: wtl_inst_def split: split_if_asm)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	371	also {
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	372	from esl
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	373	have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	374	by (simp add: Err.sl_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	375	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	376	from suc_pc phi_ok
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	377	have "OK (phi!Suc pc) \<in> err (opt A)" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	378	moreover note cert_suc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	379	moreover from stepA
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	380	have "snd`(set ?step) \<subseteq> err (opt A)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	381	hence "set ?map \<subseteq> err (opt A)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	382	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	383	have "\<And>s. s \<in> set ?map \<Longrightarrow> \<exists>t. (Suc pc, t) \<in> set ?step" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	384	with less have "\<forall>s' \<in> set ?map. s' \<le>\|r OK (phi!Suc pc)" by auto
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	385	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	386	from order fits suc_pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	387	have "OK (cert!Suc pc) \<le>\|r OK (phi!Suc pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	388	by (cases "cert!Suc pc") (simp, blast dest: fitsD2)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	389	ultimately
13074 96bf406fd3e5 Started to convert to locales nipkow parents: 13071 diff changeset	390	have "?sum \<le>\|r OK (phi!Suc pc)" by (rule semilat.pp_lub)
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	391	}
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	392	finally show ?thesis .
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	393	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	394
d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	395
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	396	lemma cert_less:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	397	assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	398	assumes cert: "wtl_cert cert f r step pc (phi!pc) = OK s"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	399	assumes fits: "fits step cert phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	400	assumes suc_pc: "Suc pc < length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	401	assumes bounded: "bounded step (length phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	402	assumes esl: "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	403	assumes cert_ok: "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	404	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	405	assumes pres: "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	406	shows "OK s \<le>\|r OK (phi!Suc pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	407	proof (cases "cert!pc")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	408	case None with cert
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	409	have "wtl_inst cert f r step pc (phi!pc) = OK s" by (simp add: wtl_cert_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	410	thus ?thesis by - (rule wtl_less)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	411	next
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	412	case (Some s') with cert
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	413	have "wtl_inst cert f r step pc (Some s') = OK s"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	414	by (simp add: wtl_cert_def split: split_if_asm)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	415	also
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	416	from suc_pc have "pc < length phi" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	417	with fits Some have "cert!pc = phi!pc" by - (rule fitsD2)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	418	with Some have "Some s' = phi!pc" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	419	finally
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	420	have "wtl_inst cert f r step pc (phi!pc) = OK s" .
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	421	thus ?thesis by - (rule wtl_less)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	422	qed
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	423
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	424
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	425
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	426	lemma wt_step_wtl_lemma:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	427	assumes wt_step: "wt_step (Err.le (Opt.le r)) Err step (map OK phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	428	assumes fits: "fits step cert phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	429	assumes bounded: "bounded step (length phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	430	assumes esl: "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	431	assumes cert_ok: "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	432	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	433	assumes pres: "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	434	assumes mono: "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	435	shows "\<And>pc s. pc+length ins = length phi \<Longrightarrow> OK s \<le>\|r OK (phi!pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow>
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	436	wtl_inst_list ins cert f r step pc s \<noteq> Err"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	437	(is "\<And>pc s. _ \<Longrightarrow> _ \<Longrightarrow> _ \<Longrightarrow> ?wtl ins pc s \<noteq> Err")
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	438	proof (induct ins)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	439	fix pc s show "?wtl [] pc s \<noteq> Err" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	440	next
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	441	fix pc s i ins
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	442	assume "\<And>pc s. pc+length ins=length phi \<Longrightarrow> OK s \<le>\|r OK (phi!pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow>
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	443	?wtl ins pc s \<noteq> Err"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	444	moreover
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	445	assume pc_l: "pc + length (i#ins) = length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	446	hence suc_pc_l: "Suc pc + length ins = length phi" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	447	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	448	have IH:
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	449	"\<And>s. OK s \<le>\|r OK (phi!Suc pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow> ?wtl ins (Suc pc) s \<noteq> Err" .
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	450
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	451	from pc_l obtain pc: "pc < length phi" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	452	with wt_step
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	453	have stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	454	by (simp add: wt_step_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	455	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	456	assume s_phi: "OK s \<le>\|r OK (phi!pc)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	457	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	458	have "wtl_cert cert f r step pc (phi!pc) \<noteq> Err" by - (rule stable_cert)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	459	then obtain s'' where s'': "wtl_cert cert f r step pc (phi!pc) = OK s''" by fast
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	460	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	461	from phi_ok pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	462	have phi_pc: "phi!pc \<in> opt A" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	463	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	464	assume s: "s \<in> opt A"
9757 1024a2d80ac0 functional LBV style, dead code, type safety -> Isar kleing parents: 9664 diff changeset	465	ultimately
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	466	obtain s' where "wtl_cert cert f r step pc s = OK s'"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	467	by - (drule wtl_cert_mono, assumption+, blast)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	468	hence "ins = [] \<Longrightarrow> ?wtl (i#ins) pc s \<noteq> Err" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	469	moreover {
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	470	assume "ins \<noteq> []"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	471	with pc_l have suc_pc: "Suc pc < length phi" by (auto simp add: neq_Nil_conv)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	472	with stable s'' have "OK s'' \<le>\|r OK (phi!Suc pc)" by - (rule cert_less)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	473	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	474	from s'' s_phi obtain s' where
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	475	cert: "wtl_cert cert f r step pc s = OK s'" and
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	476	"OK s' \<le>\|r OK s''"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	477	using phi_pc
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	478	by - (drule wtl_cert_mono, assumption+, blast)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	479	moreover from esl have "order (Err.le (Opt.le r))" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	480	ultimately have less: "OK s' \<le>\|r OK (phi!Suc pc)" by - (rule order_trans)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	481
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	482	from cert_ok suc_pc have "cert!pc \<in> opt A" and "cert!(pc+1) \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	483	by (auto simp add: cert_ok_def)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	484	with s cert pres have "s' \<in> opt A" by - (rule wtl_cert_pres)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	485
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	486	with less IH have "?wtl ins (Suc pc) s' \<noteq> Err" by blast
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	487	with cert have "?wtl (i#ins) pc s \<noteq> Err" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	488	}
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	489	ultimately show "?wtl (i#ins) pc s \<noteq> Err" by (cases ins) auto
9580 d955914193e0 tuned kleing parents: 9559 diff changeset	490	qed
9012 d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	491
d1bd2144ab5d switched to Isar proofs kleing parents: 8388 diff changeset	492
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	493	theorem wtl_complete:
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	494	assumes "wt_step (Err.le (Opt.le r)) Err step (map OK phi)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	495	assumes "OK s \<le>\|r OK (phi!0)" and "s \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	496	defines cert: "cert \<equiv> make_cert step phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	497
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	498	assumes "bounded step (length phi)" and "err_semilat (A, r, f)"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	499	assumes "pres_type step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	500	assumes "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	501	assumes "length ins = length phi"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	502	assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	503
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	504	shows "wtl_inst_list ins cert f r step 0 s \<noteq> Err"
10628 4ea7f3e8e471 fixed and cleaned up wt[l]_jvm_prog proofs kleing parents: 10612 diff changeset	505	proof -
13071 f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	506	have "0+length ins = length phi" by simp
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	507	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	508	have "fits step cert phi" by (unfold cert) (rule fits_make_cert)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	509	moreover
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	510	from phi_ok have "cert_ok cert (length phi) A"
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	511	by (simp add: cert make_cert_def cert_ok_def nth_append)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	512	ultimately
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	513	show ?thesis by - (rule wt_step_wtl_lemma)
f538a1dba7ee finished lbv completeness kleing parents: 13070 diff changeset	514	qed
10592 fc0b575a2cf7 BCV Integration kleing parents: 10496 diff changeset	515
9549 40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	516
40d64cb4f4e6 BV and LBV specified in terms of app and step functions kleing parents: 9376 diff changeset	517	end

author	nipkow
	Tue, 02 Apr 2002 13:47:01 +0200
changeset 13074	96bf406fd3e5
parent 13071	f538a1dba7ee
child 13078	1dd711c6b93c
permissions	-rw-r--r--