src/HOL/Induct/Com.thy
author berghofe
Wed Jul 11 11:14:51 2007 +0200 (2007-07-11)
changeset 23746 a455e69c31cc
parent 19736 d8d0f8f51d69
child 24178 4ff1dc2aa18d
permissions -rw-r--r--
Adapted to new inductive definition package.
(*  Title:      HOL/Induct/Com
    ID:         $Id$
    Author:     Lawrence C Paulson, Cambridge University Computer Laboratory
    Copyright   1997  University of Cambridge
Example of Mutual Induction via Iterated Inductive Definitions: Commands
*)
header{*Mutual Induction via Iterated Inductive Definitions*}
(* Nothing beyond Main is imported: datatypes, inductive sets and the
   simp/classical tools used in every proof below all come from there. *)
theory Com imports Main begin
(* Locations (program-variable names) are an opaque type.  Nothing below
   depends on what a loc is, only on equality between locs, which is all
   that state lookup s x and state update s(x:=v) need. *)
typedecl loc
(* A state assigns a natural number to every location.  n2n2n is the type of
   the binary operators that Op (below) applies: any function on naturals,
   not a fixed arithmetic. *)
types  state = "loc => nat"
       n2n2n = "nat => nat => nat"
(* Abstract syntax.  The two types are mutually recursive: an expression may
   run a command (valOf) and commands test expressions (Cond, While).  The
   parenthesised annotations give the concrete syntax used in the rules
   below, e.g. "x := e", "c0 ;; c1", "IF e THEN c0 ELSE c1". *)
datatype
  exp = N nat                                    (* numeral *)
      | X loc                                    (* read a location *)
      | Op n2n2n exp exp                         (* binary operator *)
      | valOf com exp          ("VALOF _ RESULTIS _"  60)
and
  com = SKIP
      | ":="  loc exp          (infixl  60)
      | Semi  com com          ("_;;_"  [60, 60] 60)
      | Cond  exp com com      ("IF _ THEN _ ELSE _"  60)
      | While exp com          ("WHILE _ DO _"  60)
subsection {* Commands *}
text{* Execution of commands *}

(* Input-only abbreviation (parsed, never printed back) for membership in an
   arbitrary relation eval between (expression, state) and (value, state)
   pairs: esig -|[eval]-> ns unfolds to (esig,ns) \<in> eval.  The relation is
   an explicit argument because exec below is parameterised by its
   evaluation relation and states its premises about evaluation through
   this notation. *)
abbreviation (input)
  generic_rel  ("_/ -|[_]-> _" [50,0,50] 50)  where
  "esig -|[eval]-> ns == (esig,ns) \<in> eval"
text{*Command execution.  Natural numbers represent Booleans: 0=True, 1=False*}

(* Big-step execution of commands.  (c,s) -[eval]-> s' reads: command c,
   started in state s, terminates in state s'.  The expression relation eval
   is a parameter ("for eval"), not a fixed set; this is what lets exec be
   applied to eval inside the definition of eval itself, further below.
   Guards follow the convention stated above: only the values 0 (true) and
   Suc 0 (false) have rules, so a guard that evaluates to any other number
   admits no execution at all. *)
inductive_set
  exec :: "((exp*state) * (nat*state)) set => ((com*state)*state)set"
  and exec_rel :: "com * state => ((exp*state) * (nat*state)) set => state => bool"
    ("_/ -[_]-> _" [50,0,50] 50)
  for eval :: "((exp*state) * (nat*state)) set"
  where
    "csig -[eval]-> s == (csig,s) \<in> exec eval"

  (* SKIP leaves the state unchanged. *)
  | Skip:    "(SKIP,s) -[eval]-> s"

  (* Evaluating e may itself change the state (VALOF), so the update is
     applied to the state s' returned by evaluation, not to s. *)
  | Assign:  "(e,s) -|[eval]-> (v,s') ==> (x := e, s) -[eval]-> s'(x:=v)"

  (* Sequencing threads the state through both commands. *)
  | Semi:    "[| (c0,s) -[eval]-> s2; (c1,s2) -[eval]-> s1 |]
             ==> (c0 ;; c1, s) -[eval]-> s1"

  (* The chosen branch starts from the state left by evaluating the guard. *)
  | IfTrue: "[| (e,s) -|[eval]-> (0,s');  (c0,s') -[eval]-> s1 |]
             ==> (IF e THEN c0 ELSE c1, s) -[eval]-> s1"

  | IfFalse: "[| (e,s) -|[eval]->  (Suc 0, s');  (c1,s') -[eval]-> s1 |]
              ==> (IF e THEN c0 ELSE c1, s) -[eval]-> s1"

  (* A false guard ends the loop in the state its evaluation left behind. *)
  | WhileFalse: "(e,s) -|[eval]-> (Suc 0, s1)
                 ==> (WHILE e DO c, s) -[eval]-> s1"

  (* A true guard runs the body once and then the whole loop again.  This
     recursive premise is why a loop whose guard is always true has no
     terminating execution (while_true_E below). *)
  | WhileTrue:  "[| (e,s) -|[eval]-> (0,s1);
                    (c,s1) -[eval]-> s2;  (WHILE e DO c, s2) -[eval]-> s3 |]
                 ==> (WHILE e DO c, s) -[eval]-> s3"
(* Make the introduction rules of exec available to blast/auto as (unsafe)
   introduction rules -- presumably what lets the blast/auto proofs below
   (exec_mono, the equivalence lemmas) re-derive executions without naming
   the rules. *)
declare exec.intros [intro]
(* Case-analysis (inversion) rules, one per command form, derived from the
   definition of exec.  All but the WHILE rule are safe eliminations
   ([elim!]) that the classical reasoner applies on its own.  The WHILE rule
   is only named and is passed explicitly where needed (single_valued_exec,
   com_Unique) -- presumably because its WhileTrue case mentions the loop
   again and would make automatic elimination loop. *)
inductive_cases
        [elim!]: "(SKIP,s) -[eval]-> t"
    and [elim!]: "(x:=a,s) -[eval]-> t"
    and [elim!]: "(c1;;c2, s) -[eval]-> t"
    and [elim!]: "(IF e THEN c1 ELSE c2, s) -[eval]-> t"
    and exec_WHILE_case: "(WHILE b DO c,s) -[eval]-> t"
text{*Justifies using "exec" in the inductive definition of "eval"*}
(* Monotonicity of exec in its relation parameter: enlarging the evaluation
   relation can only add executions.  Declared through "monos exec_mono" in
   the definition of eval, where exec is applied to the very set being
   defined. *)
lemma exec_mono: "A<=B ==> exec(A) <= exec(B)"
(* Take an arbitrary member of exec A ... *)
apply (rule subsetI)
(* ... split it into its (command, state) / state components ... *)
apply (simp add: split_paired_all)
(* ... and induct on its derivation.  Each case is rebuilt in exec B by the
   same rule, its evaluation premise moved from A to B via A<=B. *)
apply (erule exec.induct)
apply blast+
done
(* Bridge between the set view and the predicate view of the two relations:
   pairs of pairs for eval (four curried arguments) and pair-plus-state for
   exec (three).  Both say that inclusion of the curried predicates is the
   same as inclusion of the underlying sets.  NOTE(review): presumably these
   are what let the predicate-based inductive package accept the set-level
   exec_mono as a monotonicity rule for eval -- confirm against the package
   documentation. *)
lemma [pred_set_conv]:
  "((\<lambda>x x' y y'. ((x, x'), (y, y')) \<in> R) <= (\<lambda>x x' y y'. ((x, x'), (y, y')) \<in> S)) = (R <= S)"
  by (auto simp add: le_fun_def le_bool_def)

lemma [pred_set_conv]:
  "((\<lambda>x x' y. ((x, x'), y) \<in> R) <= (\<lambda>x x' y. ((x, x'), y) \<in> S)) = (R <= S)"
  by (auto simp add: le_fun_def le_bool_def)
(* Raise the unifier's tracing and search bounds.  These are ML references,
   so the assignments are a global side effect on the running session, not
   local to this theory.  NOTE(review): presumably needed by the deeper
   blast/auto proofs that follow -- confirm before lowering or removing. *)
ML {*
Unify.trace_bound := 30;
Unify.search_bound := 60;
*}
text{*Command execution is functional (deterministic) provided evaluation is*}
(* single_valued r: each left component of r is related to at most one right
   component.  Hence: if expression evaluation is deterministic, so is
   command execution -- two executions from the same (command, state) end in
   the same state.  The hypothesis on ev is discharged for the real
   evaluation relation by single_valued_eval below. *)
theorem single_valued_exec: "single_valued ev ==> single_valued(exec ev)"
apply (simp add: single_valued_def)
apply (intro allI)
apply (rule impI)
(* Induct on the first execution; the second is taken apart by the [elim!]
   inversion rules, with the WHILE inversion supplied explicitly. *)
apply (erule exec.induct)
apply (blast elim: exec_WHILE_case)+
done
subsection {* Expressions *}
text{* Evaluation of arithmetic expressions *}

(* Evaluation of expressions.  (e,s) -|-> (n,s') reads: e, started in state
   s, yields value n and final state s'.  Evaluation can change the state
   only through VALOF, whose rule executes a command with exec applied to
   the set being defined here -- the "iterated" inductive definition of the
   title.  That is admissible only because exec is monotone, hence the
   "monos exec_mono" declaration at the end. *)
inductive_set
  eval    :: "((exp*state) * (nat*state)) set"
  and eval_rel :: "[exp*state,nat*state] => bool"  (infixl "-|->" 50)
  where
    "esig -|-> ns == (esig, ns) \<in> eval"

  (* A numeral is its own value; the state is untouched. *)
  | N [intro!]: "(N(n),s) -|-> (n,s)"

  (* A location reads its current contents. *)
  | X [intro!]: "(X(x),s) -|-> (s(x),s)"

  (* Operands are evaluated left to right, threading the state, and f is
     applied to the two values. *)
  | Op [intro]: "[| (e0,s) -|-> (n0,s0);  (e1,s0)  -|-> (n1,s1) |]
                 ==> (Op f e0 e1, s) -|-> (f n0 n1, s1)"

  (* Run c first, then evaluate e in the state c produced. *)
  | valOf [intro]: "[| (c,s) -[eval]-> s0;  (e,s0)  -|-> (n,s1) |]
                    ==> (VALOF c RESULTIS e, s) -|-> (n, s1)"

  monos exec_mono
(* Inversion rules for evaluation, one per expression form.  All are safe
   eliminations, so the classical reasoner decomposes any evaluation
   hypothesis automatically. *)
inductive_cases
        [elim!]: "(N(n),sigma) -|-> (n',s')"
    and [elim!]: "(X(x),sigma) -|-> (n,s')"
    and [elim!]: "(Op f a1 a2,sigma)  -|-> (n,s')"
    and [elim!]: "(VALOF c RESULTIS e, s) -|-> (n, s1)"
(* Reading a location right after updating it yields the new value.  The
   proof rewrites the value n into (s(x:=n)) x using fun_upd_same, after
   which the X rule applies directly. *)
lemma var_assign_eval [intro!]: "(X x, s(x:=n)) -|-> (n, s(x:=n))"
by (rule fun_upd_same [THEN subst], fast)
text{* Make the induction rule look nicer -- though @{text eta_contract} makes the new
    version look worse than it is...*}

(* Rewrites the set comprehension over nested pairs into the Collect/split
   form that the generated induction rule produces; used by eval_induct to
   match the two shapes. *)
lemma split_lemma:
     "{((e,s),(n,s')). P e s n s'} = Collect (split (%v. split (split P v)))"
by auto
text{*New induction rule.  Note the form of the VALOF induction hypothesis*}
(* Custom induction rule for eval.  The attributes name the cases, mark the
   first premise as the one consumed, and install this rule as the default
   for "induct set: eval" from here on.  In the valOf case the induction
   hypothesis for the nested command c is phrased as an execution in which
   the evaluation relation is restricted to the pairs satisfying P
   ("eval Int {...}"); an unrestricted execution of c is provided as well. *)
lemma eval_induct
  [case_names N X Op valOf, consumes 1, induct set: eval]:
  "[| (e,s) -|-> (n,s');
      !!n s. P (N n) s n s;
      !!s x. P (X x) s (s x) s;
      !!e0 e1 f n0 n1 s s0 s1.
         [| (e0,s) -|-> (n0,s0); P e0 s n0 s0;
            (e1,s0) -|-> (n1,s1); P e1 s0 n1 s1
         |] ==> P (Op f e0 e1) s (f n0 n1) s1;
      !!c e n s s0 s1.
         [| (c,s) -[eval Int {((e,s),(n,s')). P e s n s'}]-> s0;
            (c,s) -[eval]-> s0;
            (e,s0) -|-> (n,s1); P e s0 n s1 |]
         ==> P (VALOF c RESULTIS e) s n s1
   |] ==> P e s n s'"
(* Induct with the package-generated rule (this lemma is not yet installed
   at this point); the three non-nested cases are immediate. *)
apply (induct set: eval)
apply blast
apply blast
apply blast
(* valOf case: Int_lower1 [THEN exec_mono, THEN subsetD] turns the execution
   under the restricted relation into one under plain eval, giving the
   second hypothesis of the valOf premise. *)
apply (frule Int_lower1 [THEN exec_mono, THEN subsetD])
(* split_lemma aligns the comprehension with the generated rule's form. *)
apply (auto simp add: split_lemma)
done
text{*Lemma for @{text single_valued_eval}.  The major premise is that @{text "(c,s)"} executes to @{text "s1"}
  using eval restricted to its functional part.  Note that the execution
  @{text "(c,s) -[eval]-> s2"} can use unrestricted @{text eval}!  The reason is that
  the execution @{text "(c,s) -[eval Int {...}]-> s1"} assures us that execution is
  functional on the argument @{text "(c,s)"}.
*}
(* The restricting set keeps exactly those evaluation steps (e,s) |-> (n,t)
   for which (e,s) has no other result in eval.  An execution built only from
   such steps is the unique execution of (c,s), even against executions that
   may use all of eval.  This is the shape of the valOf induction hypothesis
   in eval_induct, which is where the lemma is consumed. *)
lemma com_Unique:
 "(c,s) -[eval Int {((e,s),(n,t)). \<forall>nt'. (e,s) -|-> nt' --> (n,t)=nt'}]-> s1
  ==> \<forall>s2. (c,s) -[eval]-> s2 --> s2=s1"
(* Induct on the restricted execution.  The indentation of the apply lines
   tracks the number of pending subgoals, as is customary; the per-case
   steps below are applied to the first remaining goal each time. *)
apply (induct set: exec)
      apply simp_all
      apply blast
     apply force
    apply blast
   apply blast
  apply blast
 apply (blast elim: exec_WHILE_case)
(* Last remaining case (WhileTrue, going by the indentation): drop the
   assumption about the second iteration of the loop, which matches the
   pattern given to thin_rl, then finish by inverting the competing
   execution of the loop. *)
apply (erule_tac V = "(?c,s2) -[?ev]-> s3" in thin_rl)
apply clarify
apply (erule exec_WHILE_case, blast+)
done
text{*Expression evaluation is functional, or deterministic*}
(* Unconditional determinism of evaluation: an (expression, state) pair has
   at most one (value, state) result.  Together with single_valued_exec this
   makes command execution under eval deterministic as well. *)
theorem single_valued_eval: "single_valued eval"
apply (unfold single_valued_def)
apply (intro allI, rule impI)
(* Name the components of the quantified pairs before inducting. *)
apply (simp (no_asm_simp) only: split_tupled_all)
(* Use the custom rule so that the valOf case carries the restricted
   execution hypothesis ... *)
apply (erule eval_induct)
(* ... which com_Unique turns into uniqueness of the nested command's
   final state; [4] selects that subgoal (case order: N X Op valOf). *)
apply (drule_tac [4] com_Unique)
apply (simp_all (no_asm_use))
apply blast+
done
(* Inversion for numerals as a destruction rule: a numeral evaluates only
   to itself and leaves the state alone.  The argument N n is not a
   variable, so the induction is set up with the equation e == "N n". *)
lemma eval_N_E [dest!]: "(N n, s) -|-> (v, s') ==> (v = n & s' = s)"
  by (induct e == "N n" s v s' set: eval) simp_all
text{*This theorem says that "WHILE TRUE DO c" cannot terminate*}
(* N 0 is the constant true (0 = True by the convention above), so WhileFalse
   never applies and WhileTrue only re-enters the loop: no finite derivation
   exists.  As in the other induction proofs, the command is generalised to
   c' and pinned by an equation so that "induct set: exec" applies. *)
lemma while_true_E:
    "(c', s) -[eval]-> t ==> c' = WHILE (N 0) DO c ==> False"
  by (induct set: exec) auto
subsection{* Equivalence of IF e THEN c;;(WHILE e DO c) ELSE SKIP  and
       WHILE e DO c *}
(* Loop unrolling, one direction: any execution of WHILE e DO c is also an
   execution of its one-step unfolding IF e THEN c;;(WHILE e DO c) ELSE SKIP.
   The command is generalised to c' and fixed by an equation so that the
   induction over exec can be applied to the first premise. *)
lemma while_if1:
     "(c',s) -[eval]-> t
      ==> c' = WHILE e DO c ==>
          (IF e THEN c;;c' ELSE SKIP, s) -[eval]-> t"
  by (induct set: exec) auto
(* Loop unrolling, converse direction: an execution of the unfolded
   conditional is an execution of the loop itself. *)
lemma while_if2:
     "(c',s) -[eval]-> t
      ==> c' = IF e THEN c;;(WHILE e DO c) ELSE SKIP ==>
          (WHILE e DO c, s) -[eval]-> t"
  by (induct set: exec) auto
(* The two directions combined: a loop and its one-step unfolding have
   exactly the same terminating executions. *)
theorem while_if:
     "((IF e THEN c;;(WHILE e DO c) ELSE SKIP, s) -[eval]-> t)  =
      ((WHILE e DO c, s) -[eval]-> t)"
by (blast intro: while_if1 while_if2)
subsection{* Equivalence of  (IF e THEN c1 ELSE c2);;c
                         and  IF e THEN (c1;;c) ELSE (c2;;c)   *}
(* Distributing a sequel into both branches of a conditional, one direction.
   Same generalise-and-pin setup as while_if1. *)
lemma if_semi1:
     "(c',s) -[eval]-> t
      ==> c' = (IF e THEN c1 ELSE c2);;c ==>
          (IF e THEN (c1;;c) ELSE (c2;;c), s) -[eval]-> t"
  by (induct set: exec) auto
(* Converse of if_semi1: pulling the common sequel c back out of the two
   branches. *)
lemma if_semi2:
     "(c',s) -[eval]-> t
      ==> c' = IF e THEN (c1;;c) ELSE (c2;;c) ==>
          ((IF e THEN c1 ELSE c2);;c, s) -[eval]-> t"
  by (induct set: exec) auto
(* Sequencing distributes over conditionals: both forms have the same
   terminating executions. *)
theorem if_semi: "(((IF e THEN c1 ELSE c2);;c, s) -[eval]-> t)  =
                  ((IF e THEN (c1;;c) ELSE (c2;;c), s) -[eval]-> t)"
  by (blast intro: if_semi1 if_semi2)
subsection{* Equivalence of  VALOF c1 RESULTIS (VALOF c2 RESULTIS e)
                  and  VALOF c1;;c2 RESULTIS e
 *}
(* Nested VALOF flattens into a sequenced command, one direction.  This is a
   statement about expression evaluation, so the induction is over eval and
   the expression is generalised to e' and pinned by an equation. *)
lemma valof_valof1:
     "(e',s) -|-> (v,s')
      ==> e' = VALOF c1 RESULTIS (VALOF c2 RESULTIS e) ==>
          (VALOF c1;;c2 RESULTIS e, s) -|-> (v,s')"
  by (induct set: eval) auto
(* Converse of valof_valof1: a sequenced command under VALOF can be split
   into two nested VALOFs. *)
lemma valof_valof2:
     "(e',s) -|-> (v,s')
      ==> e' = VALOF c1;;c2 RESULTIS e ==>
          (VALOF c1 RESULTIS (VALOF c2 RESULTIS e), s) -|-> (v,s')"
  by (induct set: eval) auto
(* Nested and sequenced VALOF evaluate to the same value/state pairs. *)
theorem valof_valof:
     "((VALOF c1 RESULTIS (VALOF c2 RESULTIS e), s) -|-> (v,s'))  =
      ((VALOF c1;;c2 RESULTIS e, s) -|-> (v,s'))"
  by (blast intro: valof_valof1 valof_valof2)
subsection{* Equivalence of  VALOF SKIP RESULTIS e  and  e *}
(* A VALOF whose command is SKIP is just its expression, one direction
   (induction over eval with the expression generalised and pinned). *)
lemma valof_skip1:
     "(e',s) -|-> (v,s')
      ==> e' = VALOF SKIP RESULTIS e ==>
          (e, s) -|-> (v,s')"
  by (induct set: eval) auto
(* Converse of valof_skip1; immediate from the valOf and Skip rules, which
   blast finds through the [intro] declarations. *)
lemma valof_skip2:
    "(e,s) -|-> (v,s') ==> (VALOF SKIP RESULTIS e, s) -|-> (v,s')"
  by blast
(* VALOF SKIP RESULTIS e and e have exactly the same evaluations. *)
theorem valof_skip:
    "((VALOF SKIP RESULTIS e, s) -|-> (v,s'))  =  ((e, s) -|-> (v,s'))"
  by (blast intro: valof_skip1 valof_skip2)
subsection{* Equivalence of  VALOF x:=e RESULTIS x  and  e *}
(* Assigning e to x and then reading x yields the value of e; the final
   state is the state after evaluating e, updated at x.  Unlike the previous
   sections no combined equivalence theorem follows, because the final
   states differ (the assignment persists).  fun_upd_apply is removed from
   the simp set so the update is not unfolded prematurely. *)
lemma valof_assign1:
     "(e',s) -|-> (v,s'')
      ==> e' = VALOF x:=e RESULTIS X x ==>
          (\<exists>s'. (e, s) -|-> (v,s') & (s'' = s'(x:=v)))"
  by (induct set: eval) (simp_all del: fun_upd_apply, clarify, auto)
(* Converse of valof_assign1, by the valOf, Assign and var_assign_eval
   rules (all declared [intro]/[intro!]). *)
lemma valof_assign2:
    "(e,s) -|-> (v,s') ==> (VALOF x:=e RESULTIS X x, s) -|-> (v,s'(x:=v))"
  by blast
(* End of theory Com. *)
end