isabelle: src/HOL/IMP/Natural.thy@b2073920448f (annotated)

12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	1	(* Title: HOL/IMP/Natural.thy
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	2	ID: $Id$
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	3	Author: Tobias Nipkow & Robert Sandner, TUM
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	4	Isar Version: Gerwin Klein, 2001; additional proofs by Lawrence Paulson
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	5	Copyright 1996 TUM
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	6	*)
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	7
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	8	header "Natural Semantics of Commands"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	9
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 14565 diff changeset	10	theory Natural imports Com begin
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	11
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	12	subsection "Execution of commands"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	13
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	14	text {*
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	15	We write @{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} for \emph{Statement @{text c}, started
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	16	in state @{text s}, terminates in state @{text s'}}. Formally,
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	17	@{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} is just another form of saying \emph{the tuple
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	18	@{text "(c,s,s')"} is part of the relation @{text evalc}}:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	19	*}
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	20
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	21	definition
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	22	update :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a \<Rightarrow> 'b)" ("_/[_ ::= /_]" [900,0,0] 900) where
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	23	"update = fun_upd"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	24
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	25	notation (xsymbols)
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	26	update ("_/[_ \<mapsto> /_]" [900,0,0] 900)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	27
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	28	text {* Disable conflicting syntax from HOL Map theory. *}
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	29
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	30	no_syntax
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	31	"_maplet" :: "['a, 'a] => maplet" ("_ /\|->/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	32	"_maplets" :: "['a, 'a] => maplet" ("_ /[\|->]/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	33	"" :: "maplet => maplets" ("_")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	34	"_Maplets" :: "[maplet, maplets] => maplets" ("_,/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	35	"_MapUpd" :: "['a ~=> 'b, maplets] => 'a ~=> 'b" ("_/'(_')" [900,0]900)
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	36	"_Map" :: "maplets => 'a ~=> 'b" ("(1[_])")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	37
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	38	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	39	The big-step execution relation @{text evalc} is defined inductively:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	40	*}
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	41	inductive
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	42	evalc :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	43	where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	44	Skip: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s"
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	45	\| Assign: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s[x\<mapsto>a s]"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	46
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	47	\| Semi: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	48
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	49	\| IfTrue: "b s \<Longrightarrow> \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	50	\| IfFalse: "\<not>b s \<Longrightarrow> \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	51
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	52	\| WhileFalse: "\<not>b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	53	\| WhileTrue: "b s \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s'
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	54	\<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	55
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	56	lemmas evalc.intros [intro] -- "use those rules in automatic proofs"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	57
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	58	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	59	The induction principle induced by this definition looks like this:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	60
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	61	@{thm [display] evalc.induct [no_vars]}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	62
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	63
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	64	(@{text "\<And>"} and @{text "\<Longrightarrow>"} are Isabelle's
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	65	meta symbols for @{text "\<forall>"} and @{text "\<longrightarrow>"})
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	66	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	67
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	68	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	69	The rules of @{text evalc} are syntax directed, i.e.~for each
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	70	syntactic category there is always only one rule applicable. That
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	71	means we can use the rules in both directions. This property is called rule inversion.
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	72	*}
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	73	inductive_cases skipE [elim!]: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	74	inductive_cases semiE [elim!]: "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	75	inductive_cases assignE [elim!]: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	76	inductive_cases ifE [elim!]: "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	77	inductive_cases whileE [elim]: "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	78
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	79	text {* The next proofs are all trivial by rule inversion.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	80	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	81
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	82	lemma skip:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	83	"\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	84	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	85
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	86	lemma assign:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	87	"\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s[x\<mapsto>a s])"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	88	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	89
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	90	lemma semi:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	91	"\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s' = (\<exists>s''. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s')"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	92	by auto
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	93
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	94	lemma ifTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	95	"b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	96	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	97
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	98	lemma ifFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	99	"\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	100	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	101
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	102	lemma whileFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	103	"\<not> b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	104	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	105
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	106	lemma whileTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	107	"b s \<Longrightarrow>
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	108	\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s' =
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	109	(\<exists>s''. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s')"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	110	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	111
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	112	text "Again, Isabelle may use these rules in automatic proofs:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	113	lemmas evalc_cases [simp] = skip assign ifTrue ifFalse whileFalse semi whileTrue
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	114
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	115	subsection "Equivalence of statements"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	116
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	117	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	118	We call two statements @{text c} and @{text c'} equivalent wrt.~the
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	119	big-step semantics when \emph{@{text c} started in @{text s} terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	120	in @{text s'} iff @{text c'} started in the same @{text s} also terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	121	in the same @{text s'}}. Formally:
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	122	*}
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	123	definition
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	124	equiv_c :: "com \<Rightarrow> com \<Rightarrow> bool" ("_ \<sim> _" [56, 56] 55) where
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	125	"c \<sim> c' = (\<forall>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s')"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	126
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	127	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	128	Proof rules telling Isabelle to unfold the definition
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	129	if there is something to be proved about equivalent
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	130	statements: *}
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	131	lemma equivI [intro!]:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	132	"(\<And>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s') \<Longrightarrow> c \<sim> c'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	133	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	134
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	135	lemma equivD1:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	136	"c \<sim> c' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	137	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	138
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	139	lemma equivD2:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	140	"c \<sim> c' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	141	by (unfold equiv_c_def) blast
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	142
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	143	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	144	As an example, we show that loop unfolding is an equivalence
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	145	transformation on programs:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	146	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	147	lemma unfold_while:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	148	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)" (is "?w \<sim> ?if")
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	149	proof -
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	150	-- "to show the equivalence, we look at the derivation tree for"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	151	-- "each side and from that construct a derivation tree for the other side"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	152	{ fix s s' assume w: "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	153	-- "as a first thing we note that, if @{text b} is @{text False} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	154	-- "then both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	155	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	156	hence "\<not>b s \<Longrightarrow> \<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	157	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	158	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	159	-- {* then only the @{text WhileTrue} rule can have been used to derive @{text "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"} *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	160	{ assume b: "b s"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	161	with w obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	162	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	163	-- "now we can build a derivation tree for the @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	164	-- "first, the body of the True-branch:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	165	hence "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule Semi)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	166	-- "then the whole @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	167	with b have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule IfTrue)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	168	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	169	ultimately
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	170	-- "both cases together give us what we want:"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	171	have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	172	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	173	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	174	-- "now the other direction:"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	175	{ fix s s' assume "if": "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	176	-- "again, if @{text b} is @{text False} in state @{text s}, then the False-branch"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	177	-- "of the @{text \<IF>} is executed, and both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	178	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	179	hence "\<not>b s \<Longrightarrow> \<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	180	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	181	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	182	-- {* then this time only the @{text IfTrue} rule can have be used *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	183	{ assume b: "b s"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	184	with "if" have "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	185	-- "and for this, only the Semi-rule is applicable:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	186	then obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	187	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	188	-- "with this information, we can build a derivation tree for the @{text \<WHILE>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	189	with b
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	190	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule WhileTrue)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	191	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	192	ultimately
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	193	-- "both cases together again give us what we want:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	194	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	195	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	196	ultimately
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	197	show ?thesis by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	198	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	199
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	200	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	201	Happily, such lengthy proofs are seldom necessary. Isabelle can prove many such facts automatically.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	202	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	203
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	204	lemma
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	205	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	206	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	207
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	208	lemma triv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	209	"(\<IF> b \<THEN> c \<ELSE> c) \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	210	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	211
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	212	lemma commute_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	213	"(\<IF> b1 \<THEN> (\<IF> b2 \<THEN> c11 \<ELSE> c12) \<ELSE> c2)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	214	\<sim>
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	215	(\<IF> b2 \<THEN> (\<IF> b1 \<THEN> c11 \<ELSE> c2) \<ELSE> (\<IF> b1 \<THEN> c12 \<ELSE> c2))"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	216	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	217
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	218	lemma while_equiv:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	219	"\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<sim> c' \<Longrightarrow> (c0 = \<WHILE> b \<DO> c) \<Longrightarrow> \<langle>\<WHILE> b \<DO> c', s\<rangle> \<longrightarrow>\<^sub>c u"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	220	by (induct rule: evalc.induct) (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	221
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	222	lemma equiv_while:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	223	"c \<sim> c' \<Longrightarrow> (\<WHILE> b \<DO> c) \<sim> (\<WHILE> b \<DO> c')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	224	by (simp add: equiv_c_def) (metis equiv_c_def while_equiv)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	225
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	226
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	227	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	228	Program equivalence is an equivalence relation.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	229	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	230
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	231	lemma equiv_refl:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	232	"c \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	233	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	234
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	235	lemma equiv_sym:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	236	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	237	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	238
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	239	lemma equiv_trans:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	240	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c3 \<Longrightarrow> c1 \<sim> c3"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	241	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	242
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	243	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	244	Program constructions preserve equivalence.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	245	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	246
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	247	lemma equiv_semi:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	248	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (c1; c2) \<sim> (c1'; c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	249	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	250
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	251	lemma equiv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	252	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (\<IF> b \<THEN> c1 \<ELSE> c2) \<sim> (\<IF> b \<THEN> c1' \<ELSE> c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	253	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	254
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	255	lemma while_never: "\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<noteq> \<WHILE> (\<lambda>s. True) \<DO> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	256	apply (induct rule: evalc.induct)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	257	apply auto
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	258	done
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	259
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	260	lemma equiv_while_True:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	261	"(\<WHILE> (\<lambda>s. True) \<DO> c1) \<sim> (\<WHILE> (\<lambda>s. True) \<DO> c2)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	262	by (blast dest: while_never)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	263
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	264
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	265	subsection "Execution is deterministic"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	266
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	267	text {*
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	268	This proof is automatic.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	269	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	270	theorem "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = t"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	271	by (induct arbitrary: u rule: evalc.induct) blast+
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	272
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	273
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	274	text {*
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	275	The following proof presents all the details:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	276	*}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	277	theorem com_det:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	278	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	279	shows "u = t"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	280	using prems
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	281	proof (induct arbitrary: u set: evalc)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	282	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	283	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	284	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	285	fix a s x u assume "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	286	thus "u = s[x \<mapsto> a s]" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	287	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	288	fix c0 c1 s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	289	assume IH0: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	290	assume IH1: "\<And>u. \<langle>c1,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	291
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	292	assume "\<langle>c0;c1, s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	293	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	294	c0: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	295	c1: "\<langle>c1,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	296	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	297
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	298	from c0 IH0 have "s'=s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	299	with c1 IH1 show "u=s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	300	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	301	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	302	assume IH: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	303
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	304	assume "b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	305	hence "\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	306	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	307	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	308	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	309	assume IH: "\<And>u. \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	310
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	311	assume "\<not>b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	312	hence "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	313	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	314	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	315	fix b c s u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	316	assume "\<not>b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	317	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	318	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	319	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	320	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	321	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	322
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	323	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	324	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	325	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	326	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	327	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	328
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	329	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	330	with w "IH\<^sub>w" show "u = s1" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	331	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	332
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	333
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	334	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	335	This is the proof as you might present it in a lecture. The remaining
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	336	cases are simple enough to be proved automatically:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	337	*}
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	338	theorem
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	339	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	340	shows "u = t"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	341	using prems
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	342	proof (induct arbitrary: u)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	343	-- "the simple @{text \<SKIP>} case for demonstration:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	344	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	345	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	346	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	347	-- "and the only really interesting case, @{text \<WHILE>}:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	348	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	349	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	350	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	351
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	352	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	353	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	354	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	355	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	356	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	357
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	358	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	359	with w "IH\<^sub>w" show "u = s1" by blast
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	360	qed blast+ -- "prove the rest automatically"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	361
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	362	end

author	huffman
	Sat, 22 May 2010 16:45:46 -0700
changeset 37085	b2073920448f
parent 34055	fdf294ee08b2
child 37736	2bf3a2cb5e58
permissions	-rw-r--r--