isabelle: src/HOL/Isar_examples/Hoare.thy@bb71a64e1263 (annotated)

10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	1	(* Title: HOL/Isar_examples/Hoare.thy
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	2	ID: $Id$
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	3	Author: Markus Wenzel, TU Muenchen
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	4
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	5	A formulation of Hoare logic suitable for Isar.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	6	*)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	7
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	8	header {* Hoare Logic *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	9
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 15531 diff changeset	10	theory Hoare imports Main
9bc16273c2d4 migrated theory headers to new format haftmann parents: 15531 diff changeset	11	uses ("~~/src/HOL/Hoare/hoare.ML") begin
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	12
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	13	subsection {* Abstract syntax and semantics *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	14
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	15	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	16	The following abstract syntax and semantics of Hoare Logic over
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	17	\texttt{WHILE} programs closely follows the existing tradition in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	18	Isabelle/HOL of formalizing the presentation given in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	19	\cite[\S6]{Winskel:1993}. See also
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	20	\url{http://isabelle.in.tum.de/library/Hoare/} and
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	21	\cite{Nipkow:1998:Winskel}.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	22	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	23
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	24	types
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	25	'a bexp = "'a set"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	26	'a assn = "'a set"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	27
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	28	datatype 'a com =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	29	Basic "'a => 'a"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	30	\| Seq "'a com" "'a com" ("(_;/ _)" [60, 61] 60)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	31	\| Cond "'a bexp" "'a com" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	32	\| While "'a bexp" "'a assn" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	33
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	34	abbreviation (output)
e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	35	Skip ("SKIP")
e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	36	"SKIP == Basic id"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	37
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	38	types
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	39	'a sem = "'a => 'a => bool"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	40
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	41	consts
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	42	iter :: "nat => 'a bexp => 'a sem => 'a sem"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	43	primrec
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	44	"iter 0 b S s s' = (s ~: b & s = s')"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	45	"iter (Suc n) b S s s' =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	46	(s : b & (EX s''. S s s'' & iter n b S s'' s'))"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	47
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	48	consts
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	49	Sem :: "'a com => 'a sem"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	50	primrec
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	51	"Sem (Basic f) s s' = (s' = f s)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	52	"Sem (c1; c2) s s' = (EX s''. Sem c1 s s'' & Sem c2 s'' s')"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	53	"Sem (Cond b c1 c2) s s' =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	54	(if s : b then Sem c1 s s' else Sem c2 s s')"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	55	"Sem (While b x c) s s' = (EX n. iter n b (Sem c) s s')"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	56
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	57	constdefs
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	58	Valid :: "'a bexp => 'a com => 'a bexp => bool"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	59	("(3\|- _/ (2_)/ _)" [100, 55, 100] 50)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	60	"\|- P c Q == ALL s s'. Sem c s s' --> s : P --> s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	61
12124 c4fcdb80c93e eliminated old "symbols" syntax, use "xsymbols" instead; wenzelm parents: 11987 diff changeset	62	syntax (xsymbols)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	63	Valid :: "'a bexp => 'a com => 'a bexp => bool"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	64	("(3\<turnstile> _/ (2_)/ _)" [100, 55, 100] 50)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	65
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	66	lemma ValidI [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	67	"(!!s s'. Sem c s s' ==> s : P ==> s' : Q) ==> \|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	68	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	69
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	70	lemma ValidD [dest?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	71	"\|- P c Q ==> Sem c s s' ==> s : P ==> s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	72	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	73
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	74
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	75	subsection {* Primitive Hoare rules *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	76
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	77	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	78	From the semantics defined above, we derive the standard set of
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	79	primitive Hoare rules; e.g.\ see \cite[\S6]{Winskel:1993}. Usually,
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	80	variant forms of these rules are applied in actual proof, see also
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	81	\S\ref{sec:hoare-isar} and \S\ref{sec:hoare-vcg}.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	82
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	83	\medskip The \name{basic} rule represents any kind of atomic access
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	84	to the state space. This subsumes the common rules of \name{skip}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	85	and \name{assign}, as formulated in \S\ref{sec:hoare-isar}.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	86	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	87
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	88	theorem basic: "\|- {s. f s : P} (Basic f) P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	89	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	90	fix s s' assume s: "s : {s. f s : P}"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	91	assume "Sem (Basic f) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	92	hence "s' = f s" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	93	with s show "s' : P" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	94	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	95
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	96	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	97	The rules for sequential commands and semantic consequences are
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	98	established in a straight forward manner as follows.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	99	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	100
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	101	theorem seq: "\|- P c1 Q ==> \|- Q c2 R ==> \|- P (c1; c2) R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	102	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	103	assume cmd1: "\|- P c1 Q" and cmd2: "\|- Q c2 R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	104	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	105	assume "Sem (c1; c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	106	then obtain s'' where sem1: "Sem c1 s s''" and sem2: "Sem c2 s'' s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	107	by auto
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	108	from cmd1 sem1 s have "s'' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	109	with cmd2 sem2 show "s' : R" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	110	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	111
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	112	theorem conseq: "P' <= P ==> \|- P c Q ==> Q <= Q' ==> \|- P' c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	113	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	114	assume P'P: "P' <= P" and QQ': "Q <= Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	115	assume cmd: "\|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	116	fix s s' :: 'a
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	117	assume sem: "Sem c s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	118	assume "s : P'" with P'P have "s : P" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	119	with cmd sem have "s' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	120	with QQ' show "s' : Q'" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	121	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	122
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	123	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	124	The rule for conditional commands is directly reflected by the
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	125	corresponding semantics; in the proof we just have to look closely
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	126	which cases apply.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	127	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	128
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	129	theorem cond:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	130	"\|- (P Int b) c1 Q ==> \|- (P Int -b) c2 Q ==> \|- P (Cond b c1 c2) Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	131	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	132	assume case_b: "\|- (P Int b) c1 Q" and case_nb: "\|- (P Int -b) c2 Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	133	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	134	assume sem: "Sem (Cond b c1 c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	135	show "s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	136	proof cases
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	137	assume b: "s : b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	138	from case_b show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	139	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	140	from sem b show "Sem c1 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	141	from s b show "s : P Int b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	142	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	143	next
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	144	assume nb: "s ~: b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	145	from case_nb show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	146	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	147	from sem nb show "Sem c2 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	148	from s nb show "s : P Int -b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	149	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	150	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	151	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	152
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	153	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	154	The \name{while} rule is slightly less trivial --- it is the only one
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	155	based on recursion, which is expressed in the semantics by a
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	156	Kleene-style least fixed-point construction. The auxiliary statement
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	157	below, which is by induction on the number of iterations is the main
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	158	point to be proven; the rest is by routine application of the
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	159	semantics of \texttt{WHILE}.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	160	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	161
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	162	theorem while:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	163	assumes body: "\|- (P Int b) c P"
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	164	shows "\|- P (While b X c) (P Int -b)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	165	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	166	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	167	assume "Sem (While b X c) s s'"
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	168	then obtain n where "iter n b (Sem c) s s'" by auto
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	169	from this and s show "s' : P Int -b"
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	170	proof (induct n fixing: s)
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	171	case 0
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	172	thus ?case by auto
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	173	next
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	174	case (Suc n)
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	175	then obtain s'' where b: "s : b" and sem: "Sem c s s''"
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	176	and iter: "iter n b (Sem c) s'' s'"
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	177	by auto
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	178	from Suc and b have "s : P Int b" by simp
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	179	with body sem have "s'' : P" ..
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	180	with iter show ?case by (rule Suc)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	181	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	182	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	183
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	184
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	185	subsection {* Concrete syntax for assertions *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	186
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	187	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	188	We now introduce concrete syntax for describing commands (with
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	189	embedded expressions) and assertions. The basic technique is that of
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	190	semantic ``quote-antiquote''. A \emph{quotation} is a syntactic
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	191	entity delimited by an implicit abstraction, say over the state
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	192	space. An \emph{antiquotation} is a marked expression within a
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	193	quotation that refers the implicit argument; a typical antiquotation
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	194	would select (or even update) components from the state.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	195
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	196	We will see some examples later in the concrete rules and
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	197	applications.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	198	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	199
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	200	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	201	The following specification of syntax and translations is for
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	202	Isabelle experts only; feel free to ignore it.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	203
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	204	While the first part is still a somewhat intelligible specification
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	205	of the concrete syntactic representation of our Hoare language, the
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	206	actual ``ML drivers'' is quite involved. Just note that the we
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	207	re-use the basic quote/antiquote translations as already defined in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	208	Isabelle/Pure (see \verb,Syntax.quote_tr, and
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	209	\verb,Syntax.quote_tr',).
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	210	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	211
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	212	syntax
10874 ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	213	"_quote" :: "'b => ('a => 'b)" ("(.'(_').)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	214	"_antiquote" :: "('a => 'b) => 'b" ("\<acute>_" [1000] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	215	"_Subst" :: "'a bexp \<Rightarrow> 'b \<Rightarrow> idt \<Rightarrow> 'a bexp"
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	216	("_[_'/\<acute>_]" [1000] 999)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	217	"_Assert" :: "'a => 'a set" ("(.{_}.)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	218	"_Assign" :: "idt => 'b => 'a com" ("(\<acute>_ :=/ _)" [70, 65] 61)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	219	"_Cond" :: "'a bexp => 'a com => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	220	("(0IF _/ THEN _/ ELSE _/ FI)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	221	"_While_inv" :: "'a bexp => 'a assn => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	222	("(0WHILE _/ INV _ //DO _ /OD)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	223	"_While" :: "'a bexp => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	224	("(0WHILE _ //DO _ /OD)" [0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	225
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	226	syntax (xsymbols)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	227	"_Assert" :: "'a => 'a set" ("(\<lbrace>_\<rbrace>)" [0] 1000)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	228
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	229	translations
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	230	".{b}." => "Collect .(b)."
10869 904cefa2c3cd subst syntax; wenzelm parents: 10838 diff changeset	231	"B [a/\<acute>x]" => ".{\<acute>(_update_name x a) \<in> B}."
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	232	"\<acute>x := a" => "Basic .(\<acute>(_update_name x a))."
10869 904cefa2c3cd subst syntax; wenzelm parents: 10838 diff changeset	233	"IF b THEN c1 ELSE c2 FI" => "Cond .{b}. c1 c2"
904cefa2c3cd subst syntax; wenzelm parents: 10838 diff changeset	234	"WHILE b INV i DO c OD" => "While .{b}. i c"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	235	"WHILE b DO c OD" == "WHILE b INV arbitrary DO c OD"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	236
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	237	parse_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	238	let
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	239	fun quote_tr [t] = Syntax.quote_tr "_antiquote" t
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	240	\| quote_tr ts = raise TERM ("quote_tr", ts);
10643 66d093e2076e moved "_update_name" to HOL/Record; wenzelm parents: 10408 diff changeset	241	in [("_quote", quote_tr)] end
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	242	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	243
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	244	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	245	As usual in Isabelle syntax translations, the part for printing is
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	246	more complicated --- we cannot express parts as macro rules as above.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	247	Don't look here, unless you have to do similar things for yourself.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	248	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	249
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	250	print_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	251	let
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	252	fun quote_tr' f (t :: ts) =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	253	Term.list_comb (f $ Syntax.quote_tr' "_antiquote" t, ts)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	254	\| quote_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	255
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	256	val assert_tr' = quote_tr' (Syntax.const "_Assert");
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	257
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	258	fun bexp_tr' name ((Const ("Collect", _) $ t) :: ts) =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	259	quote_tr' (Syntax.const name) (t :: ts)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	260	\| bexp_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	261
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	262	fun upd_tr' (x_upd, T) =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	263	(case try (unsuffix RecordPackage.updateN) x_upd of
15531 08c8dad8e399 Deleted Library.option type. skalberg parents: 13862 diff changeset	264	SOME x => (x, if T = dummyT then T else Term.domain_type T)
08c8dad8e399 Deleted Library.option type. skalberg parents: 13862 diff changeset	265	\| NONE => raise Match);
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	266
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	267	fun update_name_tr' (Free x) = Free (upd_tr' x)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	268	\| update_name_tr' ((c as Const ("_free", _)) $ Free x) =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	269	c $ Free (upd_tr' x)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	270	\| update_name_tr' (Const x) = Const (upd_tr' x)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	271	\| update_name_tr' _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	272
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	273	fun assign_tr' (Abs (x, _, f $ t $ Bound 0) :: ts) =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	274	quote_tr' (Syntax.const "_Assign" $ update_name_tr' f)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	275	(Abs (x, dummyT, t) :: ts)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	276	\| assign_tr' _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	277	in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	278	[("Collect", assert_tr'), ("Basic", assign_tr'),
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	279	("Cond", bexp_tr' "_Cond"), ("While", bexp_tr' "_While_inv")]
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	280	end
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	281	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	282
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	283
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	284	subsection {* Rules for single-step proof \label{sec:hoare-isar} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	285
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	286	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	287	We are now ready to introduce a set of Hoare rules to be used in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	288	single-step structured proofs in Isabelle/Isar. We refer to the
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	289	concrete syntax introduce above.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	290
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	291	\medskip Assertions of Hoare Logic may be manipulated in
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	292	calculational proofs, with the inclusion expressed in terms of sets
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	293	or predicates. Reversed order is supported as well.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	294	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	295
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	296	lemma [trans]: "\|- P c Q ==> P' <= P ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	297	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	298	lemma [trans] : "P' <= P ==> \|- P c Q ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	299	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	300
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	301	lemma [trans]: "Q <= Q' ==> \|- P c Q ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	302	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	303	lemma [trans]: "\|- P c Q ==> Q <= Q' ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	304	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	305
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	306	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	307	"\|- .{\<acute>P}. c Q ==> (!!s. P' s --> P s) ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	308	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	309	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	310	"(!!s. P' s --> P s) ==> \|- .{\<acute>P}. c Q ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	311	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	312
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	313	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	314	"\|- P c .{\<acute>Q}. ==> (!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	315	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	316	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	317	"(!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q}. ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	318	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	319
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	320
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	321	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	322	Identity and basic assignments.\footnote{The $\idt{hoare}$ method
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	323	introduced in \S\ref{sec:hoare-vcg} is able to provide proper
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	324	instances for any number of basic assignments, without producing
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	325	additional verification conditions.}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	326	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	327
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	328	lemma skip [intro?]: "\|- P SKIP P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	329	proof -
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	330	have "\|- {s. id s : P} SKIP P" by (rule basic)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	331	thus ?thesis by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	332	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	333
10869 904cefa2c3cd subst syntax; wenzelm parents: 10838 diff changeset	334	lemma assign: "\|- P [\<acute>a/\<acute>x] \<acute>x := \<acute>a P"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	335	by (rule basic)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	336
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	337	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	338	Note that above formulation of assignment corresponds to our
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	339	preferred way to model state spaces, using (extensible) record types
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	340	in HOL \cite{Naraschewski-Wenzel:1998:HOOL}. For any record field
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	341	$x$, Isabelle/HOL provides a functions $x$ (selector) and
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	342	$\idt{x{\dsh}update}$ (update). Above, there is only a place-holder
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	343	appearing for the latter kind of function: due to concrete syntax
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	344	\isa{\'x := \'a} also contains \isa{x\_update}.\footnote{Note that due
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	345	to the external nature of HOL record fields, we could not even state
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	346	a general theorem relating selector and update functions (if this
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	347	were required here); this would only work for any particular instance
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	348	of record fields introduced so far.}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	349	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	350
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	351	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	352	Sequential composition --- normalizing with associativity achieves
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	353	proper of chunks of code verified separately.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	354	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	355
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	356	lemmas [trans, intro?] = seq
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	357
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	358	lemma seq_assoc [simp]: "( \|- P c1;(c2;c3) Q) = ( \|- P (c1;c2);c3 Q)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	359	by (auto simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	360
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	361	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	362	Conditional statements.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	363	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	364
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	365	lemmas [trans, intro?] = cond
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	366
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	367	lemma [trans, intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	368	"\|- .{\<acute>P & \<acute>b}. c1 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	369	==> \|- .{\<acute>P & ~ \<acute>b}. c2 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	370	==> \|- .{\<acute>P}. IF \<acute>b THEN c1 ELSE c2 FI Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	371	by (rule cond) (simp_all add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	372
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	373	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	374	While statements --- with optional invariant.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	375	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	376
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	377	lemma [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	378	"\|- (P Int b) c P ==> \|- P (While b P c) (P Int -b)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	379	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	380
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	381	lemma [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	382	"\|- (P Int b) c P ==> \|- P (While b arbitrary c) (P Int -b)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	383	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	384
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	385
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	386	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	387	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	388	==> \|- .{\<acute>P}. WHILE \<acute>b INV .{\<acute>P}. DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	389	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	390
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	391	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	392	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	393	==> \|- .{\<acute>P}. WHILE \<acute>b DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	394	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	395
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	396
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	397	subsection {* Verification conditions \label{sec:hoare-vcg} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	398
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	399	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	400	We now load the \emph{original} ML file for proof scripts and tactic
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	401	definition for the Hoare Verification Condition Generator (see
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	402	\url{http://isabelle.in.tum.de/library/Hoare/}). As far as we are
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	403	concerned here, the result is a proof method \name{hoare}, which may
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	404	be applied to a Hoare Logic assertion to extract purely logical
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	405	verification conditions. It is important to note that the method
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	406	requires \texttt{WHILE} loops to be fully annotated with invariants
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	407	beforehand. Furthermore, only \emph{concrete} pieces of code are
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	408	handled --- the underlying tactic fails ungracefully if supplied with
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	409	meta-variables or parameters, for example.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	410	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	411
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	412	lemma SkipRule: "p \<subseteq> q \<Longrightarrow> Valid p (Basic id) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	413	by (auto simp add: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	414
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	415	lemma BasicRule: "p \<subseteq> {s. f s \<in> q} \<Longrightarrow> Valid p (Basic f) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	416	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	417
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	418	lemma SeqRule: "Valid P c1 Q \<Longrightarrow> Valid Q c2 R \<Longrightarrow> Valid P (c1;c2) R"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	419	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	420
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	421	lemma CondRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	422	"p \<subseteq> {s. (s \<in> b \<longrightarrow> s \<in> w) \<and> (s \<notin> b \<longrightarrow> s \<in> w')}
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	423	\<Longrightarrow> Valid w c1 q \<Longrightarrow> Valid w' c2 q \<Longrightarrow> Valid p (Cond b c1 c2) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	424	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	425
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	426	lemma iter_aux:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	427	"\<forall>s s'. Sem c s s' --> s : I & s : b --> s' : I ==>
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	428	(\<And>s s'. s : I \<Longrightarrow> iter n b (Sem c) s s' \<Longrightarrow> s' : I & s' ~: b)"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	429	apply(induct n)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	430	apply clarsimp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	431	apply (simp (no_asm_use))
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	432	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	433	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	434
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	435	lemma WhileRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	436	"p \<subseteq> i \<Longrightarrow> Valid (i \<inter> b) c i \<Longrightarrow> i \<inter> (-b) \<subseteq> q \<Longrightarrow> Valid p (While b i c) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	437	apply (clarsimp simp: Valid_def)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	438	apply (drule iter_aux)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	439	prefer 2
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	440	apply assumption
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	441	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	442	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	443	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	444
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	445	ML {* val Valid_def = thm "Valid_def" *}
13703 a36a0d417133 Hoare.ML -> hoare.ML kleing parents: 12124 diff changeset	446	use "~~/src/HOL/Hoare/hoare.ML"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	447
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	448	method_setup hoare = {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	449	Method.no_args
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	450	(Method.SIMPLE_METHOD' HEADGOAL (hoare_tac (K all_tac))) *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	451	"verification condition generator for Hoare logic"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	452
13703 a36a0d417133 Hoare.ML -> hoare.ML kleing parents: 12124 diff changeset	453	end

author	schirmer
	Tue, 28 Mar 2006 12:05:45 +0200
changeset 19332	bb71a64e1263
parent 19122	e1b6a5071348
child 19363	667b5ea637dd
permissions	-rw-r--r--