isabelle: src/HOL/Isar_Examples/Hoare_Ex.thy@a8a20be7053a (annotated)

58882 6e2010ab8bd9 modernized header; wenzelm parents: 58614 diff changeset	1	section \<open>Using Hoare Logic\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	2
31758 3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 25706 diff changeset	3	theory Hoare_Ex
63585 f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	4	imports Hoare
31758 3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 25706 diff changeset	5	begin
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	6
58614 7338eb25226c more cartouches; wenzelm parents: 56073 diff changeset	7	subsection \<open>State spaces\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	8
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	9	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	10	First of all we provide a store of program variables that occur in any of
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	11	the programs considered later. Slightly unexpected things may happen when
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	12	attempting to work with undeclared variables.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	13	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	14
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	15	record vars =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	16	I :: nat
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	17	M :: nat
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	18	N :: nat
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	19	S :: nat
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	20
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	21	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	22	While all of our variables happen to have the same type, nothing would
61541 846c72206207 tuned document; wenzelm parents: 60449 diff changeset	23	prevent us from working with many-sorted programs as well, or even
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	24	polymorphic ones. Also note that Isabelle/HOL's extensible record types even
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	25	provides simple means to extend the state space later.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	26	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	27
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	28
58614 7338eb25226c more cartouches; wenzelm parents: 56073 diff changeset	29	subsection \<open>Basic examples\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	30
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	31	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	32	We look at few trivialities involving assignment and sequential composition,
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	33	in order to get an idea of how to work with our formulation of Hoare Logic.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	34
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	35	\<^medskip>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	36	Using the basic \<open>assign\<close> rule directly is a bit cumbersome.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	37	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	38
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	39	lemma "\<turnstile> \<lbrace>\<acute>(N_update (\<lambda>_. (2 * \<acute>N))) \<in> \<lbrace>\<acute>N = 10\<rbrace>\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	40	by (rule assign)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	41
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	42	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	43	Certainly we want the state modification already done, e.g.\ by
61541 846c72206207 tuned document; wenzelm parents: 60449 diff changeset	44	simplification. The \<open>hoare\<close> method performs the basic state update for us;
846c72206207 tuned document; wenzelm parents: 60449 diff changeset	45	we may apply the Simplifier afterwards to achieve ``obvious'' consequences
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	46	as well.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	47	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	48
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	49	lemma "\<turnstile> \<lbrace>True\<rbrace> \<acute>N := 10 \<lbrace>\<acute>N = 10\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	50	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	51
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	52	lemma "\<turnstile> \<lbrace>2 * \<acute>N = 10\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	53	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	54
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	55	lemma "\<turnstile> \<lbrace>\<acute>N = 5\<rbrace> \<acute>N := 2 * \<acute>N \<lbrace>\<acute>N = 10\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	56	by hoare simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	57
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	58	lemma "\<turnstile> \<lbrace>\<acute>N + 1 = a + 1\<rbrace> \<acute>N := \<acute>N + 1 \<lbrace>\<acute>N = a + 1\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	59	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	60
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	61	lemma "\<turnstile> \<lbrace>\<acute>N = a\<rbrace> \<acute>N := \<acute>N + 1 \<lbrace>\<acute>N = a + 1\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	62	by hoare simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	63
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	64	lemma "\<turnstile> \<lbrace>a = a \<and> b = b\<rbrace> \<acute>M := a; \<acute>N := b \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	65	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	66
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	67	lemma "\<turnstile> \<lbrace>True\<rbrace> \<acute>M := a; \<acute>N := b \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>"
56073 29e308b56d23 enhanced simplifier solver for preconditions of rewrite rule, can now deal with conjunctions nipkow parents: 55656 diff changeset	68	by hoare
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	69
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	70	lemma
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	71	"\<turnstile> \<lbrace>\<acute>M = a \<and> \<acute>N = b\<rbrace>
46582 dcc312f22ee8 misc tuning; wenzelm parents: 41818 diff changeset	72	\<acute>I := \<acute>M; \<acute>M := \<acute>N; \<acute>N := \<acute>I
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	73	\<lbrace>\<acute>M = b \<and> \<acute>N = a\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	74	by hoare simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	75
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	76	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	77	It is important to note that statements like the following one can only be
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	78	proven for each individual program variable. Due to the extra-logical nature
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	79	of record fields, we cannot formulate a theorem relating record selectors
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	80	and updates schematically.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	81	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	82
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	83	lemma "\<turnstile> \<lbrace>\<acute>N = a\<rbrace> \<acute>N := \<acute>N \<lbrace>\<acute>N = a\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	84	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	85
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	86	lemma "\<turnstile> \<lbrace>\<acute>x = a\<rbrace> \<acute>x := \<acute>x \<lbrace>\<acute>x = a\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	87	oops
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	88
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	89	lemma
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	90	"Valid {s. x s = a} (Basic (\<lambda>s. x_update (x s) s)) {s. x s = n}"
61799 4cf66f21b764 isabelle update_cartouches -c -t; wenzelm parents: 61541 diff changeset	91	\<comment> \<open>same statement without concrete syntax\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	92	oops
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	93
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	94
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	95	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	96	In the following assignments we make use of the consequence rule in order to
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	97	achieve the intended precondition. Certainly, the \<open>hoare\<close> method is able to
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	98	handle this case, too.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	99	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	100
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	101	lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	102	proof -
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	103	have "\<lbrace>\<acute>M = \<acute>N\<rbrace> \<subseteq> \<lbrace>\<acute>M + 1 \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	104	by auto
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	105	also have "\<turnstile> \<dots> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	106	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	107	finally show ?thesis .
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	108	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	109
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	110	lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	111	proof -
60410 a197387e1854 tuned proofs; wenzelm parents: 58882 diff changeset	112	have "m = n \<longrightarrow> m + 1 \<noteq> n" for m n :: nat
61799 4cf66f21b764 isabelle update_cartouches -c -t; wenzelm parents: 61541 diff changeset	113	\<comment> \<open>inclusion of assertions expressed in ``pure'' logic,\<close>
4cf66f21b764 isabelle update_cartouches -c -t; wenzelm parents: 61541 diff changeset	114	\<comment> \<open>without mentioning the state space\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	115	by simp
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	116	also have "\<turnstile> \<lbrace>\<acute>M + 1 \<noteq> \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	117	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	118	finally show ?thesis .
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	119	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	120
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	121	lemma "\<turnstile> \<lbrace>\<acute>M = \<acute>N\<rbrace> \<acute>M := \<acute>M + 1 \<lbrace>\<acute>M \<noteq> \<acute>N\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	122	by hoare simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	123
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	124
58614 7338eb25226c more cartouches; wenzelm parents: 56073 diff changeset	125	subsection \<open>Multiplication by addition\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	126
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	127	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	128	We now do some basic examples of actual \<^verbatim>\<open>WHILE\<close> programs. This one is a
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	129	loop for calculating the product of two natural numbers, by iterated
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	130	addition. We first give detailed structured proof based on single-step Hoare
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	131	rules.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	132	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	133
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	134	lemma
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	135	"\<turnstile> \<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace>
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	136	WHILE \<acute>M \<noteq> a
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	137	DO \<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1 OD
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	138	\<lbrace>\<acute>S = a * b\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	139	proof -
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	140	let "\<turnstile> _ ?while _" = ?thesis
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	141	let "\<lbrace>\<acute>?inv\<rbrace>" = "\<lbrace>\<acute>S = \<acute>M * b\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	142
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	143	have "\<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace> \<subseteq> \<lbrace>\<acute>?inv\<rbrace>" by auto
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	144	also have "\<turnstile> \<dots> ?while \<lbrace>\<acute>?inv \<and> \<not> (\<acute>M \<noteq> a)\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	145	proof
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	146	let ?c = "\<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1"
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	147	have "\<lbrace>\<acute>?inv \<and> \<acute>M \<noteq> a\<rbrace> \<subseteq> \<lbrace>\<acute>S + b = (\<acute>M + 1) * b\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	148	by auto
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	149	also have "\<turnstile> \<dots> ?c \<lbrace>\<acute>?inv\<rbrace>" by hoare
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	150	finally show "\<turnstile> \<lbrace>\<acute>?inv \<and> \<acute>M \<noteq> a\<rbrace> ?c \<lbrace>\<acute>?inv\<rbrace>" .
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	151	qed
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	152	also have "\<dots> \<subseteq> \<lbrace>\<acute>S = a * b\<rbrace>" by auto
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	153	finally show ?thesis .
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	154	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	155
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	156	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	157	The subsequent version of the proof applies the \<open>hoare\<close> method to reduce the
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	158	Hoare statement to a purely logical problem that can be solved fully
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	159	automatically. Note that we have to specify the \<^verbatim>\<open>WHILE\<close> loop invariant in
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	160	the original statement.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	161	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	162
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	163	lemma
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	164	"\<turnstile> \<lbrace>\<acute>M = 0 \<and> \<acute>S = 0\<rbrace>
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	165	WHILE \<acute>M \<noteq> a
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	166	INV \<lbrace>\<acute>S = \<acute>M * b\<rbrace>
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	167	DO \<acute>S := \<acute>S + b; \<acute>M := \<acute>M + 1 OD
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	168	\<lbrace>\<acute>S = a * b\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	169	by hoare auto
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	170
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	171
58614 7338eb25226c more cartouches; wenzelm parents: 56073 diff changeset	172	subsection \<open>Summing natural numbers\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	173
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	174	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	175	We verify an imperative program to sum natural numbers up to a given limit.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	176	First some functional definition for proper specification of the problem.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	177
61541 846c72206207 tuned document; wenzelm parents: 60449 diff changeset	178	\<^medskip>
846c72206207 tuned document; wenzelm parents: 60449 diff changeset	179	The following proof is quite explicit in the individual steps taken, with
846c72206207 tuned document; wenzelm parents: 60449 diff changeset	180	the \<open>hoare\<close> method only applied locally to take care of assignment and
846c72206207 tuned document; wenzelm parents: 60449 diff changeset	181	sequential composition. Note that we express intermediate proof obligation
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	182	in pure logic, without referring to the state space.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	183	\<close>
15569 1b3115d1a8df fixed proof nipkow parents: 15049 diff changeset	184
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	185	theorem
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	186	"\<turnstile> \<lbrace>True\<rbrace>
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	187	\<acute>S := 0; \<acute>I := 1;
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	188	WHILE \<acute>I \<noteq> n
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	189	DO
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	190	\<acute>S := \<acute>S + \<acute>I;
9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	191	\<acute>I := \<acute>I + 1
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	192	OD
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	193	\<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	194	(is "\<turnstile> _ (_; ?while) _")
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	195	proof -
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	196	let ?sum = "\<lambda>k::nat. \<Sum>j<k. j"
15049 82fb87151718 more summation syntax nipkow parents: 13473 diff changeset	197	let ?inv = "\<lambda>s i::nat. s = ?sum i"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	198
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	199	have "\<turnstile> \<lbrace>True\<rbrace> \<acute>S := 0; \<acute>I := 1 \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	200	proof -
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	201	have "True \<longrightarrow> 0 = ?sum 1"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	202	by simp
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	203	also have "\<turnstile> \<lbrace>\<dots>\<rbrace> \<acute>S := 0; \<acute>I := 1 \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	204	by hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	205	finally show ?thesis .
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	206	qed
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	207	also have "\<turnstile> \<dots> ?while \<lbrace>?inv \<acute>S \<acute>I \<and> \<not> \<acute>I \<noteq> n\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	208	proof
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	209	let ?body = "\<acute>S := \<acute>S + \<acute>I; \<acute>I := \<acute>I + 1"
60410 a197387e1854 tuned proofs; wenzelm parents: 58882 diff changeset	210	have "?inv s i \<and> i \<noteq> n \<longrightarrow> ?inv (s + i) (i + 1)" for s i
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	211	by simp
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	212	also have "\<turnstile> \<lbrace>\<acute>S + \<acute>I = ?sum (\<acute>I + 1)\<rbrace> ?body \<lbrace>?inv \<acute>S \<acute>I\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	213	by hoare
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	214	finally show "\<turnstile> \<lbrace>?inv \<acute>S \<acute>I \<and> \<acute>I \<noteq> n\<rbrace> ?body \<lbrace>?inv \<acute>S \<acute>I\<rbrace>" .
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	215	qed
60410 a197387e1854 tuned proofs; wenzelm parents: 58882 diff changeset	216	also have "s = ?sum i \<and> \<not> i \<noteq> n \<longrightarrow> s = ?sum n" for s i
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	217	by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	218	finally show ?thesis .
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	219	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	220
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	221	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	222	The next version uses the \<open>hoare\<close> method, while still explaining the
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	223	resulting proof obligations in an abstract, structured manner.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	224	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	225
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	226	theorem
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	227	"\<turnstile> \<lbrace>True\<rbrace>
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	228	\<acute>S := 0; \<acute>I := 1;
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	229	WHILE \<acute>I \<noteq> n
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	230	INV \<lbrace>\<acute>S = (\<Sum>j<\<acute>I. j)\<rbrace>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	231	DO
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	232	\<acute>S := \<acute>S + \<acute>I;
9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	233	\<acute>I := \<acute>I + 1
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	234	OD
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	235	\<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	236	proof -
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	237	let ?sum = "\<lambda>k::nat. \<Sum>j<k. j"
15049 82fb87151718 more summation syntax nipkow parents: 13473 diff changeset	238	let ?inv = "\<lambda>s i::nat. s = ?sum i"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	239	show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	240	proof hoare
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	241	show "?inv 0 1" by simp
60416 e1ff959f4f1b tuned proofs; wenzelm parents: 60410 diff changeset	242	show "?inv (s + i) (i + 1)" if "?inv s i \<and> i \<noteq> n" for s i
60449 229bad93377e renamed "prems" to "that"; wenzelm parents: 60416 diff changeset	243	using that by simp
60416 e1ff959f4f1b tuned proofs; wenzelm parents: 60410 diff changeset	244	show "s = ?sum n" if "?inv s i \<and> \<not> i \<noteq> n" for s i
60449 229bad93377e renamed "prems" to "that"; wenzelm parents: 60416 diff changeset	245	using that by simp
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	246	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	247	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	248
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	249	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	250	Certainly, this proof may be done fully automatic as well, provided that the
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	251	invariant is given beforehand.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	252	\<close>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	253
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	254	theorem
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	255	"\<turnstile> \<lbrace>True\<rbrace>
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	256	\<acute>S := 0; \<acute>I := 1;
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	257	WHILE \<acute>I \<noteq> n
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	258	INV \<lbrace>\<acute>S = (\<Sum>j<\<acute>I. j)\<rbrace>
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	259	DO
10838 9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	260	\<acute>S := \<acute>S + \<acute>I;
9423817dee84 use \<acute>; wenzelm parents: 10148 diff changeset	261	\<acute>I := \<acute>I + 1
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	262	OD
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	263	\<lbrace>\<acute>S = (\<Sum>j<n. j)\<rbrace>"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	264	by hoare auto
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	265
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	266
58614 7338eb25226c more cartouches; wenzelm parents: 56073 diff changeset	267	subsection \<open>Time\<close>
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	268
61932 2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	269	text \<open>
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	270	A simple embedding of time in Hoare logic: function \<open>timeit\<close> inserts an
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	271	extra variable to keep track of the elapsed time.
2e48182cc82c misc tuning and modernization; wenzelm parents: 61799 diff changeset	272	\<close>
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	273
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	274	record tstate = time :: nat
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	275
41818 6d4c3ee8219d modernized specifications; wenzelm parents: 37671 diff changeset	276	type_synonym 'a time = "\<lparr>time :: nat, \<dots> :: 'a\<rparr>"
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	277
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 33026 diff changeset	278	primrec timeit :: "'a time com \<Rightarrow> 'a time com"
63585 f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	279	where
f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	280	"timeit (Basic f) = (Basic f; Basic(\<lambda>s. s\<lparr>time := Suc (time s)\<rparr>))"
f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	281	\| "timeit (c1; c2) = (timeit c1; timeit c2)"
f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	282	\| "timeit (Cond b c1 c2) = Cond b (timeit c1) (timeit c2)"
f4a308fdf664 tuned; wenzelm parents: 61932 diff changeset	283	\| "timeit (While b iv c) = While b iv (timeit c)"
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	284
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	285	record tvars = tstate +
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	286	I :: nat
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	287	J :: nat
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	288
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	289	lemma lem: "(0::nat) < n \<Longrightarrow> n + n \<le> Suc (n * n)"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	290	by (induct n) simp_all
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	291
46582 dcc312f22ee8 misc tuning; wenzelm parents: 41818 diff changeset	292	lemma
55656 eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	293	"\<turnstile> \<lbrace>i = \<acute>I \<and> \<acute>time = 0\<rbrace>
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	294	(timeit
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	295	(WHILE \<acute>I \<noteq> 0
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	296	INV \<lbrace>2 \<acute> time + \<acute>I \<acute>I + 5 * \<acute>I = i * i + 5 * i\<rbrace>
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	297	DO
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	298	\<acute>J := \<acute>I;
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	299	WHILE \<acute>J \<noteq> 0
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	300	INV \<lbrace>0 < \<acute>I \<and> 2 * \<acute>time + \<acute>I * \<acute>I + 3 * \<acute>I + 2 * \<acute>J - 2 = i * i + 5 * i\<rbrace>
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	301	DO \<acute>J := \<acute>J - 1 OD;
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	302	\<acute>I := \<acute>I - 1
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	303	OD))
eb07b0acbebc more symbols; wenzelm parents: 46622 diff changeset	304	\<lbrace>2 * \<acute>time = i * i + 5 * i\<rbrace>"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	305	apply simp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	306	apply hoare
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	307	apply simp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	308	apply clarsimp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	309	apply clarsimp
20432 07ec57376051 lin_arith_prover: splitting reverted because of performance loss webertj parents: 20272 diff changeset	310	apply arith
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	311	prefer 2
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	312	apply clarsimp
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	313	apply (clarsimp simp: nat_distrib)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	314	apply (frule lem)
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	315	apply arith
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	316	done
13473 194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	317
194e8d2cbe0f Added time example at the end. nipkow parents: 11704 diff changeset	318	end

author	paulson <lp15@cam.ac.uk>
	Thu, 19 Apr 2018 14:49:08 +0100
changeset 68004	a8a20be7053a
parent 63585	f4a308fdf664
child 72806	4fa08e083865
permissions	-rw-r--r--