isabelle: src/HOL/IMP/VCG.thy@d867812da48b (annotated)

50421 eb7b59cc8e08 tuned text nipkow parents: 47818 diff changeset	1	(* Author: Tobias Nipkow *)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	2
52269 d867812da48b more VC -> VCG nipkow parents: 52268 diff changeset	3	theory VCG imports Hoare begin
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	4
50421 eb7b59cc8e08 tuned text nipkow parents: 47818 diff changeset	5	subsection "Verification Conditions"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	6
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	7	text{* Annotated commands: commands where loops are annotated with
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	8	invariants. *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	9
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	10	datatype acom =
52193 014d6b3f5792 tuned nipkow parents: 52046 diff changeset	11	Askip ("SKIP") \|
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	12	Aassign vname aexp ("(_ ::= _)" [1000, 61] 61) \|
52046 bc01725d7918 replaced `;' by `;;' to disambiguate syntax; unexpected slight increase in build time nipkow parents: 50421 diff changeset	13	Aseq acom acom ("_;;/ _" [60, 61] 60) \|
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	14	Aif bexp acom acom ("(IF _/ THEN _/ ELSE _)" [0, 0, 61] 61) \|
dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	15	Awhile assn bexp acom ("({_}/ WHILE _/ DO _)" [0, 0, 61] 61)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	16
52267 2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	17
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	18	text{* Strip annotations: *}
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	19
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	20	fun strip :: "acom \<Rightarrow> com" where
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	21	"strip SKIP = com.SKIP" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	22	"strip (x ::= a) = (x ::= a)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	23	"strip (c\<^isub>1;; c\<^isub>2) = (strip c\<^isub>1;; strip c\<^isub>2)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	24	"strip (IF b THEN c\<^isub>1 ELSE c\<^isub>2) = (IF b THEN strip c\<^isub>1 ELSE strip c\<^isub>2)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	25	"strip ({_} WHILE b DO c) = (WHILE b DO strip c)"
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	26
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	27	text{* Weakest precondition from annotated commands: *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	28
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	29	fun pre :: "acom \<Rightarrow> assn \<Rightarrow> assn" where
52267 2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	30	"pre SKIP Q = Q" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	31	"pre (x ::= a) Q = (\<lambda>s. Q(s(x := aval a s)))" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	32	"pre (c\<^isub>1;; c\<^isub>2) Q = pre c\<^isub>1 (pre c\<^isub>2 Q)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	33	"pre (IF b THEN c\<^isub>1 ELSE c\<^isub>2) Q =
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	34	(\<lambda>s. (bval b s \<longrightarrow> pre c\<^isub>1 Q s) \<and>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	35	(\<not> bval b s \<longrightarrow> pre c\<^isub>2 Q s))" \|
52267 2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	36	"pre ({I} WHILE b DO c) Q = I"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	37
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	38	text{* Verification condition: *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	39
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	40	fun vc :: "acom \<Rightarrow> assn \<Rightarrow> assn" where
52267 2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	41	"vc SKIP Q = (\<lambda>s. True)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	42	"vc (x ::= a) Q = (\<lambda>s. True)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	43	"vc (c\<^isub>1;; c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 (pre c\<^isub>2 Q) s \<and> vc c\<^isub>2 Q s)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	44	"vc (IF b THEN c\<^isub>1 ELSE c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 Q s \<and> vc c\<^isub>2 Q s)" \|
2a16957cd379 used nice syntax, removed lemma because it makes a nice exercise. nipkow parents: 52193 diff changeset	45	"vc ({I} WHILE b DO c) Q =
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	46	(\<lambda>s. (I s \<and> \<not> bval b s \<longrightarrow> Q s) \<and>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	47	(I s \<and> bval b s \<longrightarrow> pre c I s) \<and>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	48	vc c I s)"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	49
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	50
50421 eb7b59cc8e08 tuned text nipkow parents: 47818 diff changeset	51	text {* Soundness: *}
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	52
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	53	lemma vc_sound: "\<forall>s. vc c Q s \<Longrightarrow> \<turnstile> {pre c Q} strip c {Q}"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	54	proof(induction c arbitrary: Q)
45745 3a8bc5623410 invariant holds before loop nipkow parents: 45212 diff changeset	55	case (Awhile I b c)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	56	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	57	proof(simp, rule While')
45745 3a8bc5623410 invariant holds before loop nipkow parents: 45212 diff changeset	58	from `\<forall>s. vc (Awhile I b c) Q s`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	59	have vc: "\<forall>s. vc c I s" and IQ: "\<forall>s. I s \<and> \<not> bval b s \<longrightarrow> Q s" and
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	60	pre: "\<forall>s. I s \<and> bval b s \<longrightarrow> pre c I s" by simp_all
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	61	have "\<turnstile> {pre c I} strip c {I}" by(rule Awhile.IH[OF vc])
dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	62	with pre show "\<turnstile> {\<lambda>s. I s \<and> bval b s} strip c {I}"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	63	by(rule strengthen_pre)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	64	show "\<forall>s. I s \<and> \<not>bval b s \<longrightarrow> Q s" by(rule IQ)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	65	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	66	qed (auto intro: hoare.conseq)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	67
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	68	corollary vc_sound':
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	69	"(\<forall>s. vc c Q s) \<and> (\<forall>s. P s \<longrightarrow> pre c Q s) \<Longrightarrow> \<turnstile> {P} strip c {Q}"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	70	by (metis strengthen_pre vc_sound)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	71
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	72
50421 eb7b59cc8e08 tuned text nipkow parents: 47818 diff changeset	73	text{* Completeness: *}
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	74
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	75	lemma pre_mono:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	76	"\<forall>s. P s \<longrightarrow> P' s \<Longrightarrow> pre c P s \<Longrightarrow> pre c P' s"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	77	proof (induction c arbitrary: P P' s)
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	78	case Aseq thus ?case by simp metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	79	qed simp_all
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	80
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	81	lemma vc_mono:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	82	"\<forall>s. P s \<longrightarrow> P' s \<Longrightarrow> vc c P s \<Longrightarrow> vc c P' s"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	83	proof(induction c arbitrary: P P')
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	84	case Aseq thus ?case by simp (metis pre_mono)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	85	qed simp_all
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	86
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	87	lemma vc_complete:
45840 dadd139192d1 added concrete syntax nipkow parents: 45745 diff changeset	88	"\<turnstile> {P}c{Q} \<Longrightarrow> \<exists>c'. strip c' = c \<and> (\<forall>s. vc c' Q s) \<and> (\<forall>s. P s \<longrightarrow> pre c' Q s)"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	89	(is "_ \<Longrightarrow> \<exists>c'. ?G P c Q c'")
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	90	proof (induction rule: hoare.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	91	case Skip
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	92	show ?case (is "\<exists>ac. ?C ac")
52193 014d6b3f5792 tuned nipkow parents: 52046 diff changeset	93	proof show "?C Askip" by simp qed
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	94	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	95	case (Assign P a x)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	96	show ?case (is "\<exists>ac. ?C ac")
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	97	proof show "?C(Aassign x a)" by simp qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	98	next
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	99	case (Seq P c1 Q c2 R)
151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	100	from Seq.IH obtain ac1 where ih1: "?G P c1 Q ac1" by blast
151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	101	from Seq.IH obtain ac2 where ih2: "?G Q c2 R ac2" by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	102	show ?case (is "\<exists>ac. ?C ac")
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	103	proof
47818 151d137f1095 renamed Semi to Seq nipkow parents: 45840 diff changeset	104	show "?C(Aseq ac1 ac2)"
44890 22f665a2e91c new fastforce replacing fastsimp - less confusing name nipkow parents: 43158 diff changeset	105	using ih1 ih2 by (fastforce elim!: pre_mono vc_mono)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	106	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	107	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	108	case (If P b c1 Q c2)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	109	from If.IH obtain ac1 where ih1: "?G (\<lambda>s. P s \<and> bval b s) c1 Q ac1"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	110	by blast
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	111	from If.IH obtain ac2 where ih2: "?G (\<lambda>s. P s \<and> \<not>bval b s) c2 Q ac2"
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	112	by blast
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	113	show ?case (is "\<exists>ac. ?C ac")
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	114	proof
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	115	show "?C(Aif b ac1 ac2)" using ih1 ih2 by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	116	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	117	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	118	case (While P b c)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 44890 diff changeset	119	from While.IH obtain ac where ih: "?G (\<lambda>s. P s \<and> bval b s) c P ac" by blast
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	120	show ?case (is "\<exists>ac. ?C ac")
45745 3a8bc5623410 invariant holds before loop nipkow parents: 45212 diff changeset	121	proof show "?C(Awhile P b ac)" using ih by simp qed
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	122	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	123	case conseq thus ?case by(fast elim!: pre_mono vc_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	124	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	125
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	126	end

author	nipkow
	Fri, 31 May 2013 07:55:09 +0200
changeset 52269	d867812da48b
parent 52268	b28695e5a018
child 52316	cc5718f60778
permissions	-rw-r--r--