isabelle: src/HOL/IMP/Sec_Typing.thy@e8552cba702d (annotated)

43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	1	(* Author: Tobias Nipkow *)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	2
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	3	theory Sec_Typing imports Sec_Type_Expr
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	4	begin
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	5
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	6	subsection "Syntax Directed Typing"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	7
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	8	inductive sec_type :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile> _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	9	Skip:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	10	"l \<turnstile> SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	11	Assign:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	12	"\<lbrakk> sec x \<ge> sec_aexp a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile> x ::= a" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	13	Semi:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	14	"\<lbrakk> l \<turnstile> c\<^isub>1; l \<turnstile> c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> c\<^isub>1;c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	15	If:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	16	"\<lbrakk> max (sec_bexp b) l \<turnstile> c\<^isub>1; max (sec_bexp b) l \<turnstile> c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	17	While:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	18	"max (sec_bexp b) l \<turnstile> c \<Longrightarrow> l \<turnstile> WHILE b DO c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	19
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	20	code_pred (expected_modes: i => i => bool) sec_type .
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	21
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	22	value "0 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	23	value "1 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	24	value "2 \<turnstile> IF Less (V ''x1'') (V ''x'') THEN ''x1'' ::= N 0 ELSE SKIP"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	25
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	26	inductive_cases [elim!]:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	27	"l \<turnstile> x ::= a" "l \<turnstile> c\<^isub>1;c\<^isub>2" "l \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2" "l \<turnstile> WHILE b DO c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	28
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	29
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	30	text{* An important property: anti-monotonicity. *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	31
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	32	lemma anti_mono: "\<lbrakk> l \<turnstile> c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	33	apply(induction arbitrary: l' rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	34	apply (metis sec_type.intros(1))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	35	apply (metis le_trans sec_type.intros(2))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	36	apply (metis sec_type.intros(3))
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	37	apply (metis If le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	38	apply (metis While le_refl sup_mono sup_nat_def)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	39	done
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	40
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	41	lemma confinement: "\<lbrakk> (c,s) \<Rightarrow> t; l \<turnstile> c \<rbrakk> \<Longrightarrow> s = t (< l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	42	proof(induction rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	43	case Skip thus ?case by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	44	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	45	case Assign thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	46	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	47	case Semi thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	48	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	49	case (IfTrue b s c1)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	50	hence "max (sec_bexp b) l \<turnstile> c1" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	51	hence "l \<turnstile> c1" by (metis le_maxI2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	52	thus ?case using IfTrue.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	53	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	54	case (IfFalse b s c2)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	55	hence "max (sec_bexp b) l \<turnstile> c2" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	56	hence "l \<turnstile> c2" by (metis le_maxI2 anti_mono)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	57	thus ?case using IfFalse.IH by metis
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	58	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	59	case WhileFalse thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	60	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	61	case (WhileTrue b s1 c)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	62	hence "max (sec_bexp b) l \<turnstile> c" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	63	hence "l \<turnstile> c" by (metis le_maxI2 anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	64	thus ?case using WhileTrue by metis
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	65	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	66
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	67
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	68	theorem noninterference:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	69	"\<lbrakk> (c,s) \<Rightarrow> s'; (c,t) \<Rightarrow> t'; 0 \<turnstile> c; s = t (\<le> l) \<rbrakk>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	70	\<Longrightarrow> s' = t' (\<le> l)"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	71	proof(induction arbitrary: t t' rule: big_step_induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	72	case Skip thus ?case by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	73	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	74	case (Assign x a s)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	75	have [simp]: "t' = t(x := aval a t)" using Assign by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	76	have "sec x >= sec_aexp a" using `0 \<turnstile> x ::= a` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	77	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	78	proof auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	79	assume "sec x \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	80	with `sec x >= sec_aexp a` have "sec_aexp a \<le> l" by arith
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	81	thus "aval a s = aval a t"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	82	by (rule aval_eq_if_eq_le[OF `s = t (\<le> l)`])
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	83	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	84	fix y assume "y \<noteq> x" "sec y \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	85	thus "s y = t y" using `s = t (\<le> l)` by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	86	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	87	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	88	case Semi thus ?case by blast
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	89	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	90	case (IfTrue b s c1 s' c2)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	91	have "sec_bexp b \<turnstile> c1" "sec_bexp b \<turnstile> c2" using IfTrue.prems(2) by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	92	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	93	proof cases
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	94	assume "sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	95	hence "s = t (\<le> sec_bexp b)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	96	hence "bval b t" using `bval b s` by(simp add: bval_eq_if_eq_le)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	97	with IfTrue.IH IfTrue.prems(1,3) `sec_bexp b \<turnstile> c1` anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	98	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	99	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	100	assume "\<not> sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	101	have 1: "sec_bexp b \<turnstile> IF b THEN c1 ELSE c2"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	102	by(rule sec_type.intros)(simp_all add: `sec_bexp b \<turnstile> c1` `sec_bexp b \<turnstile> c2`)
45823 fe518d5f3598 tuned nipkow parents: 45015 diff changeset	103	from confinement[OF IfTrue.hyps(2) `sec_bexp b \<turnstile> c1`] `\<not> sec_bexp b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	104	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	105	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	106	from confinement[OF IfTrue.prems(1) 1] `\<not> sec_bexp b \<le> l`
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	107	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	108	ultimately show "s' = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	109	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	110	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	111	case (IfFalse b s c2 s' c1)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	112	have "sec_bexp b \<turnstile> c1" "sec_bexp b \<turnstile> c2" using IfFalse.prems(2) by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	113	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	114	proof cases
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	115	assume "sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	116	hence "s = t (\<le> sec_bexp b)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	117	hence "\<not> bval b t" using `\<not> bval b s` by(simp add: bval_eq_if_eq_le)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	118	with IfFalse.IH IfFalse.prems(1,3) `sec_bexp b \<turnstile> c2` anti_mono
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	119	show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	120	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	121	assume "\<not> sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	122	have 1: "sec_bexp b \<turnstile> IF b THEN c1 ELSE c2"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	123	by(rule sec_type.intros)(simp_all add: `sec_bexp b \<turnstile> c1` `sec_bexp b \<turnstile> c2`)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	124	from confinement[OF big_step.IfFalse[OF IfFalse(1,2)] 1] `\<not> sec_bexp b \<le> l`
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	125	have "s = s' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	126	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	127	from confinement[OF IfFalse.prems(1) 1] `\<not> sec_bexp b \<le> l`
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	128	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	129	ultimately show "s' = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	130	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	131	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	132	case (WhileFalse b s c)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	133	have "sec_bexp b \<turnstile> c" using WhileFalse.prems(2) by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	134	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	135	proof cases
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	136	assume "sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	137	hence "s = t (\<le> sec_bexp b)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	138	hence "\<not> bval b t" using `\<not> bval b s` by(simp add: bval_eq_if_eq_le)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	139	with WhileFalse.prems(1,3) show ?thesis by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	140	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	141	assume "\<not> sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	142	have 1: "sec_bexp b \<turnstile> WHILE b DO c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	143	by(rule sec_type.intros)(simp_all add: `sec_bexp b \<turnstile> c`)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	144	from confinement[OF WhileFalse.prems(1) 1] `\<not> sec_bexp b \<le> l`
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	145	have "t = t' (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	146	thus "s = t' (\<le> l)" using `s = t (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	147	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	148	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	149	case (WhileTrue b s1 c s2 s3 t1 t3)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	150	let ?w = "WHILE b DO c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	151	have "sec_bexp b \<turnstile> c" using WhileTrue.prems(2) by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	152	show ?case
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	153	proof cases
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	154	assume "sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	155	hence "s1 = t1 (\<le> sec_bexp b)" using `s1 = t1 (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	156	hence "bval b t1"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	157	using `bval b s1` by(simp add: bval_eq_if_eq_le)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	158	then obtain t2 where "(c,t1) \<Rightarrow> t2" "(?w,t2) \<Rightarrow> t3"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	159	using `(?w,t1) \<Rightarrow> t3` by auto
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	160	from WhileTrue.IH(2)[OF `(?w,t2) \<Rightarrow> t3` `0 \<turnstile> ?w`
fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	161	WhileTrue.IH(1)[OF `(c,t1) \<Rightarrow> t2` anti_mono[OF `sec_bexp b \<turnstile> c`]
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	162	`s1 = t1 (\<le> l)`]]
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	163	show ?thesis by simp
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	164	next
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	165	assume "\<not> sec_bexp b \<le> l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	166	have 1: "sec_bexp b \<turnstile> ?w" by(rule sec_type.intros)(simp_all add: `sec_bexp b \<turnstile> c`)
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	167	from confinement[OF big_step.WhileTrue[OF WhileTrue.hyps] 1] `\<not> sec_bexp b \<le> l`
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	168	have "s1 = s3 (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	169	moreover
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	170	from confinement[OF WhileTrue.prems(1) 1] `\<not> sec_bexp b \<le> l`
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	171	have "t1 = t3 (\<le> l)" by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	172	ultimately show "s3 = t3 (\<le> l)" using `s1 = t1 (\<le> l)` by auto
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	173	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	174	qed
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	175
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	176
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	177	subsection "The Standard Typing System"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	178
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	179	text{* The predicate @{prop"l \<turnstile> c"} is nicely intuitive and executable. The
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	180	standard formulation, however, is slightly different, replacing the maximum
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	181	computation by an antimonotonicity rule. We introduce the standard system now
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	182	and show the equivalence with our formulation. *}
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	183
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	184	inductive sec_type' :: "nat \<Rightarrow> com \<Rightarrow> bool" ("(_/ \<turnstile>'' _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	185	Skip':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	186	"l \<turnstile>' SKIP" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	187	Assign':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	188	"\<lbrakk> sec x \<ge> sec_aexp a; sec x \<ge> l \<rbrakk> \<Longrightarrow> l \<turnstile>' x ::= a" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	189	Semi':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	190	"\<lbrakk> l \<turnstile>' c\<^isub>1; l \<turnstile>' c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' c\<^isub>1;c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	191	If':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	192	"\<lbrakk> sec_bexp b \<le> l; l \<turnstile>' c\<^isub>1; l \<turnstile>' c\<^isub>2 \<rbrakk> \<Longrightarrow> l \<turnstile>' IF b THEN c\<^isub>1 ELSE c\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	193	While':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	194	"\<lbrakk> sec_bexp b \<le> l; l \<turnstile>' c \<rbrakk> \<Longrightarrow> l \<turnstile>' WHILE b DO c" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	195	anti_mono':
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	196	"\<lbrakk> l \<turnstile>' c; l' \<le> l \<rbrakk> \<Longrightarrow> l' \<turnstile>' c"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	197
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	198	lemma sec_type_sec_type': "l \<turnstile> c \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	199	apply(induction rule: sec_type.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	200	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	201	apply (metis Assign')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	202	apply (metis Semi')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	203	apply (metis min_max.inf_sup_ord(3) min_max.sup_absorb2 nat_le_linear If' anti_mono')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	204	by (metis less_or_eq_imp_le min_max.sup_absorb1 min_max.sup_absorb2 nat_le_linear While' anti_mono')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	205
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	206
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	207	lemma sec_type'_sec_type: "l \<turnstile>' c \<Longrightarrow> l \<turnstile> c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	208	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	209	apply (metis Skip)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	210	apply (metis Assign)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	211	apply (metis Semi)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	212	apply (metis min_max.sup_absorb2 If)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	213	apply (metis min_max.sup_absorb2 While)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	214	by (metis anti_mono)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	215
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	216	subsection "A Bottom-Up Typing System"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	217
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	218	inductive sec_type2 :: "com \<Rightarrow> level \<Rightarrow> bool" ("(\<turnstile> _ : _)" [0,0] 50) where
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	219	Skip2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	220	"\<turnstile> SKIP : l" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	221	Assign2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	222	"sec x \<ge> sec_aexp a \<Longrightarrow> \<turnstile> x ::= a : sec x" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	223	Semi2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	224	"\<lbrakk> \<turnstile> c\<^isub>1 : l\<^isub>1; \<turnstile> c\<^isub>2 : l\<^isub>2 \<rbrakk> \<Longrightarrow> \<turnstile> c\<^isub>1;c\<^isub>2 : min l\<^isub>1 l\<^isub>2 " \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	225	If2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	226	"\<lbrakk> sec_bexp b \<le> min l\<^isub>1 l\<^isub>2; \<turnstile> c\<^isub>1 : l\<^isub>1; \<turnstile> c\<^isub>2 : l\<^isub>2 \<rbrakk>
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	227	\<Longrightarrow> \<turnstile> IF b THEN c\<^isub>1 ELSE c\<^isub>2 : min l\<^isub>1 l\<^isub>2" \|
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	228	While2:
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	229	"\<lbrakk> sec_bexp b \<le> l; \<turnstile> c : l \<rbrakk> \<Longrightarrow> \<turnstile> WHILE b DO c : l"
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	230
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	231
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	232	lemma sec_type2_sec_type': "\<turnstile> c : l \<Longrightarrow> l \<turnstile>' c"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	233	apply(induction rule: sec_type2.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	234	apply (metis Skip')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	235	apply (metis Assign' eq_imp_le)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	236	apply (metis Semi' anti_mono' min_max.inf.commute min_max.inf_le2)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	237	apply (metis If' anti_mono' min_max.inf_absorb2 min_max.le_iff_inf nat_le_linear)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	238	by (metis While')
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	239
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	240	lemma sec_type'_sec_type2: "l \<turnstile>' c \<Longrightarrow> \<exists> l' \<ge> l. \<turnstile> c : l'"
45015 fdac1e9880eb Updated IMP to use new induction method nipkow parents: 43158 diff changeset	241	apply(induction rule: sec_type'.induct)
43158 686fa0a0696e imported rest of new IMP kleing parents: diff changeset	242	apply (metis Skip2 le_refl)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	243	apply (metis Assign2)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	244	apply (metis Semi2 min_max.inf_greatest)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	245	apply (metis If2 inf_greatest inf_nat_def le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	246	apply (metis While2 le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	247	by (metis le_trans)
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	248
686fa0a0696e imported rest of new IMP kleing parents: diff changeset	249	end

author	wenzelm
	Sat, 07 Apr 2012 16:41:59 +0200
changeset 47389	e8552cba702d
parent 45823	fe518d5f3598
child 47818	151d137f1095
permissions	-rw-r--r--