isabelle: src/HOL/IMP/Natural.thy@d8efc2490b8e (annotated)

12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	1	(* Title: HOL/IMP/Natural.thy
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	2	Author: Tobias Nipkow & Robert Sandner, TUM
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	3	Isar Version: Gerwin Klein, 2001; additional proofs by Lawrence Paulson
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	4	Copyright 1996 TUM
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	5	*)
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	6
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	7	header "Natural Semantics of Commands"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	8
16417 9bc16273c2d4 migrated theory headers to new format haftmann parents: 14565 diff changeset	9	theory Natural imports Com begin
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	10
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	11	subsection "Execution of commands"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	12
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	13	text {*
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	14	We write @{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} for \emph{Statement @{text c}, started
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	15	in state @{text s}, terminates in state @{text s'}}. Formally,
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	16	@{text "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'"} is just another form of saying \emph{the tuple
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	17	@{text "(c,s,s')"} is part of the relation @{text evalc}}:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	18	*}
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	19
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	20	definition
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	21	update :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a \<Rightarrow> 'b \<Rightarrow> ('a \<Rightarrow> 'b)" ("_/[_ ::= /_]" [900,0,0] 900) where
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	22	"update = fun_upd"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	23
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	24	notation (xsymbols)
a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	25	update ("_/[_ \<mapsto> /_]" [900,0,0] 900)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	26
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	27	text {* Disable conflicting syntax from HOL Map theory. *}
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	28
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	29	no_syntax
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	30	"_maplet" :: "['a, 'a] => maplet" ("_ /\|->/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	31	"_maplets" :: "['a, 'a] => maplet" ("_ /[\|->]/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	32	"" :: "maplet => maplets" ("_")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	33	"_Maplets" :: "[maplet, maplets] => maplets" ("_,/ _")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	34	"_MapUpd" :: "['a ~=> 'b, maplets] => 'a ~=> 'b" ("_/'(_')" [900,0]900)
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	35	"_Map" :: "maplets => 'a ~=> 'b" ("(1[_])")
b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	36
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	37	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	38	The big-step execution relation @{text evalc} is defined inductively:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	39	*}
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	40	inductive
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	41	evalc :: "[com,state,state] \<Rightarrow> bool" ("\<langle>_,_\<rangle>/ \<longrightarrow>\<^sub>c _" [0,0,60] 60)
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	42	where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	43	Skip: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s"
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	44	\| Assign: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s[x\<mapsto>a s]"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	45
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	46	\| Semi: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>c1,s''\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	47
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	48	\| IfTrue: "b s \<Longrightarrow> \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	49	\| IfFalse: "\<not>b s \<Longrightarrow> \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	50
23746 a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	51	\| WhileFalse: "\<not>b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s"
a455e69c31cc Adapted to new inductive definition package. berghofe parents: 20503 diff changeset	52	\| WhileTrue: "b s \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s'
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	53	\<Longrightarrow> \<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	54
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	55	lemmas evalc.intros [intro] -- "use those rules in automatic proofs"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	56
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	57	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	58	The induction principle induced by this definition looks like this:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	59
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	60	@{thm [display] evalc.induct [no_vars]}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	61
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	62
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	63	(@{text "\<And>"} and @{text "\<Longrightarrow>"} are Isabelle's
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	64	meta symbols for @{text "\<forall>"} and @{text "\<longrightarrow>"})
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	65	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	66
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	67	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	68	The rules of @{text evalc} are syntax directed, i.e.~for each
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	69	syntactic category there is always only one rule applicable. That
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	70	means we can use the rules in both directions. This property is called rule inversion.
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	71	*}
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	72	inductive_cases skipE [elim!]: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	73	inductive_cases semiE [elim!]: "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	74	inductive_cases assignE [elim!]: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	75	inductive_cases ifE [elim!]: "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	76	inductive_cases whileE [elim]: "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s'"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	77
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	78	text {* The next proofs are all trivial by rule inversion.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	79	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	80
37736 2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	81	inductive_simps
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	82	skip: "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c s'"
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	83	and assign: "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c s'"
2bf3a2cb5e58 replaced manual derivation of equations for inductive predicates by automatic derivation by inductive_simps bulwahn parents: 37085 diff changeset	84	and semi: "\<langle>c0; c1, s\<rangle> \<longrightarrow>\<^sub>c s'"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	85
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	86	lemma ifTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	87	"b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	88	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	89
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	90	lemma ifFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	91	"\<not>b s \<Longrightarrow> \<langle>\<IF> b \<THEN> c0 \<ELSE> c1, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c s'"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	92	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	93
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	94	lemma whileFalse:
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	95	"\<not> b s \<Longrightarrow> \<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c s' = (s' = s)"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	96	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	97
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	98	lemma whileTrue:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	99	"b s \<Longrightarrow>
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	100	\<langle>\<WHILE> b \<DO> c, s\<rangle> \<longrightarrow>\<^sub>c s' =
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	101	(\<exists>s''. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'' \<and> \<langle>\<WHILE> b \<DO> c, s''\<rangle> \<longrightarrow>\<^sub>c s')"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	102	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	103
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	104	text "Again, Isabelle may use these rules in automatic proofs:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	105	lemmas evalc_cases [simp] = skip assign ifTrue ifFalse whileFalse semi whileTrue
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	106
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	107	subsection "Equivalence of statements"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	108
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	109	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	110	We call two statements @{text c} and @{text c'} equivalent wrt.~the
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	111	big-step semantics when \emph{@{text c} started in @{text s} terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	112	in @{text s'} iff @{text c'} started in the same @{text s} also terminates
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	113	in the same @{text s'}}. Formally:
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	114	*}
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	115	definition
37085 b2073920448f disambiguate some syntax huffman parents: 34055 diff changeset	116	equiv_c :: "com \<Rightarrow> com \<Rightarrow> bool" ("_ \<sim> _" [56, 56] 55) where
27362 a6dc1769fdda modernized specifications; wenzelm parents: 23746 diff changeset	117	"c \<sim> c' = (\<forall>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s')"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	118
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	119	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	120	Proof rules telling Isabelle to unfold the definition
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	121	if there is something to be proved about equivalent
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	122	statements: *}
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	123	lemma equivI [intro!]:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	124	"(\<And>s s'. \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' = \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s') \<Longrightarrow> c \<sim> c'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	125	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	126
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	127	lemma equivD1:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	128	"c \<sim> c' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	129	by (unfold equiv_c_def) blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	130
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	131	lemma equivD2:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	132	"c \<sim> c' \<Longrightarrow> \<langle>c', s\<rangle> \<longrightarrow>\<^sub>c s' \<Longrightarrow> \<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	133	by (unfold equiv_c_def) blast
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	134
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	135	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	136	As an example, we show that loop unfolding is an equivalence
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	137	transformation on programs:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	138	*}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	139	lemma unfold_while:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	140	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)" (is "?w \<sim> ?if")
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	141	proof -
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	142	-- "to show the equivalence, we look at the derivation tree for"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	143	-- "each side and from that construct a derivation tree for the other side"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	144	{ fix s s' assume w: "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	145	-- "as a first thing we note that, if @{text b} is @{text False} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	146	-- "then both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	147	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	148	hence "\<not>b s \<Longrightarrow> \<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	149	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	150	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	151	-- {* then only the @{text WhileTrue} rule can have been used to derive @{text "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'"} *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	152	{ assume b: "b s"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	153	with w obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	154	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	155	-- "now we can build a derivation tree for the @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	156	-- "first, the body of the True-branch:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	157	hence "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule Semi)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	158	-- "then the whole @{text \<IF>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	159	with b have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule IfTrue)
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	160	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	161	ultimately
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	162	-- "both cases together give us what we want:"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	163	have "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	164	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	165	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	166	-- "now the other direction:"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	167	{ fix s s' assume "if": "\<langle>?if, s\<rangle> \<longrightarrow>\<^sub>c s'"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	168	-- "again, if @{text b} is @{text False} in state @{text s}, then the False-branch"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	169	-- "of the @{text \<IF>} is executed, and both statements do nothing:"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	170	hence "\<not>b s \<Longrightarrow> s = s'" by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	171	hence "\<not>b s \<Longrightarrow> \<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	172	moreover
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	173	-- "on the other hand, if @{text b} is @{text True} in state @{text s},"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	174	-- {* then this time only the @{text IfTrue} rule can have be used *}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	175	{ assume b: "b s"
19796 d86e7b1fc472 quoted "if"; wenzelm parents: 18372 diff changeset	176	with "if" have "\<langle>c; ?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	177	-- "and for this, only the Semi-rule is applicable:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	178	then obtain s'' where
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	179	"\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c s''" and "\<langle>?w, s''\<rangle> \<longrightarrow>\<^sub>c s'" by (cases set: evalc) auto
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	180	-- "with this information, we can build a derivation tree for the @{text \<WHILE>}"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	181	with b
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	182	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by (rule WhileTrue)
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	183	}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	184	ultimately
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	185	-- "both cases together again give us what we want:"
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	186	have "\<langle>?w, s\<rangle> \<longrightarrow>\<^sub>c s'" by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	187	}
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	188	ultimately
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	189	show ?thesis by blast
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	190	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	191
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	192	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	193	Happily, such lengthy proofs are seldom necessary. Isabelle can prove many such facts automatically.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	194	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	195
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	196	lemma
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	197	"(\<WHILE> b \<DO> c) \<sim> (\<IF> b \<THEN> c; \<WHILE> b \<DO> c \<ELSE> \<SKIP>)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	198	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	199
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	200	lemma triv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	201	"(\<IF> b \<THEN> c \<ELSE> c) \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	202	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	203
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	204	lemma commute_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	205	"(\<IF> b1 \<THEN> (\<IF> b2 \<THEN> c11 \<ELSE> c12) \<ELSE> c2)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	206	\<sim>
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	207	(\<IF> b2 \<THEN> (\<IF> b1 \<THEN> c11 \<ELSE> c2) \<ELSE> (\<IF> b1 \<THEN> c12 \<ELSE> c2))"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	208	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	209
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	210	lemma while_equiv:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	211	"\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<sim> c' \<Longrightarrow> (c0 = \<WHILE> b \<DO> c) \<Longrightarrow> \<langle>\<WHILE> b \<DO> c', s\<rangle> \<longrightarrow>\<^sub>c u"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	212	by (induct rule: evalc.induct) (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	213
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	214	lemma equiv_while:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	215	"c \<sim> c' \<Longrightarrow> (\<WHILE> b \<DO> c) \<sim> (\<WHILE> b \<DO> c')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	216	by (simp add: equiv_c_def) (metis equiv_c_def while_equiv)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	217
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	218
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	219	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	220	Program equivalence is an equivalence relation.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	221	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	222
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	223	lemma equiv_refl:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	224	"c \<sim> c"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	225	by blast
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	226
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	227	lemma equiv_sym:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	228	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	229	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	230
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	231	lemma equiv_trans:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	232	"c1 \<sim> c2 \<Longrightarrow> c2 \<sim> c3 \<Longrightarrow> c1 \<sim> c3"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	233	by (auto simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	234
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	235	text {*
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	236	Program constructions preserve equivalence.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	237	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	238
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	239	lemma equiv_semi:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	240	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (c1; c2) \<sim> (c1'; c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	241	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	242
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	243	lemma equiv_if:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	244	"c1 \<sim> c1' \<Longrightarrow> c2 \<sim> c2' \<Longrightarrow> (\<IF> b \<THEN> c1 \<ELSE> c2) \<sim> (\<IF> b \<THEN> c1' \<ELSE> c2')"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	245	by (force simp add: equiv_c_def)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	246
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	247	lemma while_never: "\<langle>c, s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> c \<noteq> \<WHILE> (\<lambda>s. True) \<DO> c1"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	248	apply (induct rule: evalc.induct)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	249	apply auto
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	250	done
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	251
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	252	lemma equiv_while_True:
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	253	"(\<WHILE> (\<lambda>s. True) \<DO> c1) \<sim> (\<WHILE> (\<lambda>s. True) \<DO> c2)"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	254	by (blast dest: while_never)
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	255
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	256
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	257	subsection "Execution is deterministic"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	258
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	259	text {*
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	260	This proof is automatic.
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	261	*}
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	262	theorem "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t \<Longrightarrow> \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = t"
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	263	by (induct arbitrary: u rule: evalc.induct) blast+
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	264
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	265
fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	266	text {*
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	267	The following proof presents all the details:
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	268	*}
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	269	theorem com_det:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	270	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	271	shows "u = t"
41529 ba60efa2fd08 eliminated global prems; wenzelm parents: 37736 diff changeset	272	using assms
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	273	proof (induct arbitrary: u set: evalc)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	274	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	275	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	276	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	277	fix a s x u assume "\<langle>x :== a,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	278	thus "u = s[x \<mapsto> a s]" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	279	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	280	fix c0 c1 s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	281	assume IH0: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	282	assume IH1: "\<And>u. \<langle>c1,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	283
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	284	assume "\<langle>c0;c1, s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	285	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	286	c0: "\<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	287	c1: "\<langle>c1,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	288	by auto
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	289
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	290	from c0 IH0 have "s'=s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	291	with c1 IH1 show "u=s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	292	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	293	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	294	assume IH: "\<And>u. \<langle>c0,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	295
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	296	assume "b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	297	hence "\<langle>c0, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	298	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	299	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	300	fix b c0 c1 s s1 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	301	assume IH: "\<And>u. \<langle>c1,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	302
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	303	assume "\<not>b s" and "\<langle>\<IF> b \<THEN> c0 \<ELSE> c1,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	304	hence "\<langle>c1, s\<rangle> \<longrightarrow>\<^sub>c u" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	305	with IH show "u = s1" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	306	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	307	fix b c s u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	308	assume "\<not>b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	309	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	310	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	311	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	312	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	313	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	314
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	315	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	316	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	317	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	318	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	319	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	320
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	321	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	322	with w "IH\<^sub>w" show "u = s1" by blast
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	323	qed
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	324
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	325
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	326	text {*
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	327	This is the proof as you might present it in a lecture. The remaining
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	328	cases are simple enough to be proved automatically:
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	329	*}
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	330	theorem
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	331	assumes "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c t" and "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	332	shows "u = t"
41529 ba60efa2fd08 eliminated global prems; wenzelm parents: 37736 diff changeset	333	using assms
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19796 diff changeset	334	proof (induct arbitrary: u)
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	335	-- "the simple @{text \<SKIP>} case for demonstration:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	336	fix s u assume "\<langle>\<SKIP>,s\<rangle> \<longrightarrow>\<^sub>c u"
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	337	thus "u = s" by blast
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	338	next
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	339	-- "and the only really interesting case, @{text \<WHILE>}:"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	340	fix b c s s1 s2 u
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	341	assume "IH\<^sub>c": "\<And>u. \<langle>c,s\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s2"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	342	assume "IH\<^sub>w": "\<And>u. \<langle>\<WHILE> b \<DO> c,s2\<rangle> \<longrightarrow>\<^sub>c u \<Longrightarrow> u = s1"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	343
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	344	assume "b s" and "\<langle>\<WHILE> b \<DO> c,s\<rangle> \<longrightarrow>\<^sub>c u"
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	345	then obtain s' where
12431 07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	346	c: "\<langle>c,s\<rangle> \<longrightarrow>\<^sub>c s'" and
07ec657249e5 converted to Isar kleing parents: 9241 diff changeset	347	w: "\<langle>\<WHILE> b \<DO> c,s'\<rangle> \<longrightarrow>\<^sub>c u"
18372 2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	348	by auto
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	349
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	350	from c "IH\<^sub>c" have "s' = s2" by blast
2bffdf62fe7f tuned proofs; wenzelm parents: 16417 diff changeset	351	with w "IH\<^sub>w" show "u = s1" by blast
34055 fdf294ee08b2 streamlined proofs paulson parents: 27362 diff changeset	352	qed blast+ -- "prove the rest automatically"
1700 afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	353
afd3b60660db Natural and Transition semantics. nipkow parents: diff changeset	354	end

author	krauss
	Wed, 02 Feb 2011 08:47:45 +0100
changeset 41686	d8efc2490b8e
parent 41529	ba60efa2fd08
permissions	-rw-r--r--