isabelle: src/HOL/Isar_Examples/Hoare.thy@e8552cba702d (annotated)

33026 8f35633c4922 modernized session Isar_Examples; wenzelm parents: 31758 diff changeset	1	(* Title: HOL/Isar_Examples/Hoare.thy
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	2	Author: Markus Wenzel, TU Muenchen
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	3
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	4	A formulation of Hoare logic suitable for Isar.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	5	*)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	6
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	7	header {* Hoare Logic *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	8
31758 3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	9	theory Hoare
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	10	imports Main
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	11	uses ("~~/src/HOL/Hoare/hoare_tac.ML")
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	12	begin
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	13
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	14	subsection {* Abstract syntax and semantics *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	15
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	16	text {* The following abstract syntax and semantics of Hoare Logic
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	17	over \texttt{WHILE} programs closely follows the existing tradition
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	18	in Isabelle/HOL of formalizing the presentation given in
40880 be44a567ed28 more antiquotations; wenzelm parents: 37671 diff changeset	19	\cite[\S6]{Winskel:1993}. See also @{file "~~/src/HOL/Hoare"} and
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	20	\cite{Nipkow:1998:Winskel}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	21
41818 6d4c3ee8219d modernized specifications; wenzelm parents: 40880 diff changeset	22	type_synonym 'a bexp = "'a set"
6d4c3ee8219d modernized specifications; wenzelm parents: 40880 diff changeset	23	type_synonym 'a assn = "'a set"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	24
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	25	datatype 'a com =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	26	Basic "'a => 'a"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	27	\| Seq "'a com" "'a com" ("(_;/ _)" [60, 61] 60)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	28	\| Cond "'a bexp" "'a com" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	29	\| While "'a bexp" "'a assn" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	30
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	31	abbreviation Skip ("SKIP")
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	32	where "SKIP == Basic id"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	33
41818 6d4c3ee8219d modernized specifications; wenzelm parents: 40880 diff changeset	34	type_synonym 'a sem = "'a => 'a => bool"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	35
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	36	primrec iter :: "nat => 'a bexp => 'a sem => 'a sem"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	37	where
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	38	"iter 0 b S s s' = (s ~: b & s = s')"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	39	\| "iter (Suc n) b S s s' = (s : b & (EX s''. S s s'' & iter n b S s'' s'))"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	40
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	41	primrec Sem :: "'a com => 'a sem"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	42	where
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	43	"Sem (Basic f) s s' = (s' = f s)"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	44	\| "Sem (c1; c2) s s' = (EX s''. Sem c1 s s'' & Sem c2 s'' s')"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	45	\| "Sem (Cond b c1 c2) s s' =
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	46	(if s : b then Sem c1 s s' else Sem c2 s s')"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	47	\| "Sem (While b x c) s s' = (EX n. iter n b (Sem c) s s')"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	48
46582 dcc312f22ee8 misc tuning; wenzelm parents: 42284 diff changeset	49	definition Valid :: "'a bexp => 'a com => 'a bexp => bool"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	50	("(3\|- _/ (2_)/ _)" [100, 55, 100] 50)
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	51	where "\|- P c Q \<longleftrightarrow> (\<forall>s s'. Sem c s s' --> s : P --> s' : Q)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	52
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	53	notation (xsymbols) Valid ("(3\<turnstile> _/ (2_)/ _)" [100, 55, 100] 50)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	54
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	55	lemma ValidI [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	56	"(!!s s'. Sem c s s' ==> s : P ==> s' : Q) ==> \|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	57	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	58
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	59	lemma ValidD [dest?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	60	"\|- P c Q ==> Sem c s s' ==> s : P ==> s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	61	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	62
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	63
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	64	subsection {* Primitive Hoare rules *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	65
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	66	text {* From the semantics defined above, we derive the standard set
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	67	of primitive Hoare rules; e.g.\ see \cite[\S6]{Winskel:1993}.
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	68	Usually, variant forms of these rules are applied in actual proof,
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	69	see also \S\ref{sec:hoare-isar} and \S\ref{sec:hoare-vcg}.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	70
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	71	\medskip The \name{basic} rule represents any kind of atomic access
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	72	to the state space. This subsumes the common rules of \name{skip}
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	73	and \name{assign}, as formulated in \S\ref{sec:hoare-isar}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	74
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	75	theorem basic: "\|- {s. f s : P} (Basic f) P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	76	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	77	fix s s' assume s: "s : {s. f s : P}"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	78	assume "Sem (Basic f) s s'"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	79	then have "s' = f s" by simp
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	80	with s show "s' : P" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	81	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	82
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	83	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	84	The rules for sequential commands and semantic consequences are
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	85	established in a straight forward manner as follows.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	86	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	87
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	88	theorem seq: "\|- P c1 Q ==> \|- Q c2 R ==> \|- P (c1; c2) R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	89	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	90	assume cmd1: "\|- P c1 Q" and cmd2: "\|- Q c2 R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	91	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	92	assume "Sem (c1; c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	93	then obtain s'' where sem1: "Sem c1 s s''" and sem2: "Sem c2 s'' s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	94	by auto
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	95	from cmd1 sem1 s have "s'' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	96	with cmd2 sem2 show "s' : R" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	97	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	98
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	99	theorem conseq: "P' <= P ==> \|- P c Q ==> Q <= Q' ==> \|- P' c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	100	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	101	assume P'P: "P' <= P" and QQ': "Q <= Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	102	assume cmd: "\|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	103	fix s s' :: 'a
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	104	assume sem: "Sem c s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	105	assume "s : P'" with P'P have "s : P" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	106	with cmd sem have "s' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	107	with QQ' show "s' : Q'" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	108	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	109
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	110	text {* The rule for conditional commands is directly reflected by the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	111	corresponding semantics; in the proof we just have to look closely
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	112	which cases apply. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	113
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	114	theorem cond:
46582 dcc312f22ee8 misc tuning; wenzelm parents: 42284 diff changeset	115	assumes case_b: "\|- (P Int b) c1 Q"
dcc312f22ee8 misc tuning; wenzelm parents: 42284 diff changeset	116	and case_nb: "\|- (P Int -b) c2 Q"
dcc312f22ee8 misc tuning; wenzelm parents: 42284 diff changeset	117	shows "\|- P (Cond b c1 c2) Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	118	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	119	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	120	assume sem: "Sem (Cond b c1 c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	121	show "s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	122	proof cases
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	123	assume b: "s : b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	124	from case_b show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	125	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	126	from sem b show "Sem c1 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	127	from s b show "s : P Int b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	128	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	129	next
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	130	assume nb: "s ~: b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	131	from case_nb show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	132	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	133	from sem nb show "Sem c2 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	134	from s nb show "s : P Int -b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	135	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	136	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	137	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	138
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	139	text {* The @{text while} rule is slightly less trivial --- it is the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	140	only one based on recursion, which is expressed in the semantics by
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	141	a Kleene-style least fixed-point construction. The auxiliary
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	142	statement below, which is by induction on the number of iterations
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	143	is the main point to be proven; the rest is by routine application
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	144	of the semantics of \texttt{WHILE}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	145
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	146	theorem while:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	147	assumes body: "\|- (P Int b) c P"
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	148	shows "\|- P (While b X c) (P Int -b)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	149	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	150	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	151	assume "Sem (While b X c) s s'"
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	152	then obtain n where "iter n b (Sem c) s s'" by auto
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	153	from this and s show "s' : P Int -b"
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19363 diff changeset	154	proof (induct n arbitrary: s)
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	155	case 0
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	156	then show ?case by auto
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	157	next
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	158	case (Suc n)
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	159	then obtain s'' where b: "s : b" and sem: "Sem c s s''"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	160	and iter: "iter n b (Sem c) s'' s'" by auto
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	161	from Suc and b have "s : P Int b" by simp
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	162	with body sem have "s'' : P" ..
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	163	with iter show ?case by (rule Suc)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	164	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	165	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	166
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	167
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	168	subsection {* Concrete syntax for assertions *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	169
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	170	text {* We now introduce concrete syntax for describing commands (with
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	171	embedded expressions) and assertions. The basic technique is that of
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	172	semantic ``quote-antiquote''. A \emph{quotation} is a syntactic
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	173	entity delimited by an implicit abstraction, say over the state
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	174	space. An \emph{antiquotation} is a marked expression within a
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	175	quotation that refers the implicit argument; a typical antiquotation
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	176	would select (or even update) components from the state.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	177
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	178	We will see some examples later in the concrete rules and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	179	applications. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	180
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	181	text {* The following specification of syntax and translations is for
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	182	Isabelle experts only; feel free to ignore it.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	183
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	184	While the first part is still a somewhat intelligible specification
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	185	of the concrete syntactic representation of our Hoare language, the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	186	actual ``ML drivers'' is quite involved. Just note that the we
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	187	re-use the basic quote/antiquote translations as already defined in
42284 326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	188	Isabelle/Pure (see @{ML Syntax_Trans.quote_tr}, and
326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	189	@{ML Syntax_Trans.quote_tr'},). *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	190
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	191	syntax
10874 ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	192	"_quote" :: "'b => ('a => 'b)" ("(.'(_').)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	193	"_antiquote" :: "('a => 'b) => 'b" ("\<acute>_" [1000] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	194	"_Subst" :: "'a bexp \<Rightarrow> 'b \<Rightarrow> idt \<Rightarrow> 'a bexp"
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	195	("_[_'/\<acute>_]" [1000] 999)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	196	"_Assert" :: "'a => 'a set" ("(.{_}.)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	197	"_Assign" :: "idt => 'b => 'a com" ("(\<acute>_ :=/ _)" [70, 65] 61)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	198	"_Cond" :: "'a bexp => 'a com => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	199	("(0IF _/ THEN _/ ELSE _/ FI)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	200	"_While_inv" :: "'a bexp => 'a assn => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	201	("(0WHILE _/ INV _ //DO _ /OD)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	202	"_While" :: "'a bexp => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	203	("(0WHILE _ //DO _ /OD)" [0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	204
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	205	syntax (xsymbols)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	206	"_Assert" :: "'a => 'a set" ("(\<lbrace>_\<rbrace>)" [0] 1000)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	207
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	208	translations
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	209	".{b}." => "CONST Collect .(b)."
25706 45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	210	"B [a/\<acute>x]" => ".{\<acute>(_update_name x (\<lambda>_. a)) \<in> B}."
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	211	"\<acute>x := a" => "CONST Basic .(\<acute>(_update_name x (\<lambda>_. a)))."
a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	212	"IF b THEN c1 ELSE c2 FI" => "CONST Cond .{b}. c1 c2"
a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	213	"WHILE b INV i DO c OD" => "CONST While .{b}. i c"
28524 644b62cf678f arbitrary is undefined haftmann parents: 28457 diff changeset	214	"WHILE b DO c OD" == "WHILE b INV CONST undefined DO c OD"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	215
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	216	parse_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	217	let
42284 326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	218	fun quote_tr [t] = Syntax_Trans.quote_tr @{syntax_const "_antiquote"} t
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	219	\| quote_tr ts = raise TERM ("quote_tr", ts);
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	220	in [(@{syntax_const "_quote"}, quote_tr)] end
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	221	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	222
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	223	text {* As usual in Isabelle syntax translations, the part for
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	224	printing is more complicated --- we cannot express parts as macro
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	225	rules as above. Don't look here, unless you have to do similar
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	226	things for yourself. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	227
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	228	print_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	229	let
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	230	fun quote_tr' f (t :: ts) =
42284 326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	231	Term.list_comb (f $ Syntax_Trans.quote_tr' @{syntax_const "_antiquote"} t, ts)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	232	\| quote_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	233
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	234	val assert_tr' = quote_tr' (Syntax.const @{syntax_const "_Assert"});
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	235
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	236	fun bexp_tr' name ((Const (@{const_syntax Collect}, _) $ t) :: ts) =
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	237	quote_tr' (Syntax.const name) (t :: ts)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	238	\| bexp_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	239
25706 45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	240	fun assign_tr' (Abs (x, _, f $ k $ Bound 0) :: ts) =
42284 326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	241	quote_tr' (Syntax.const @{syntax_const "_Assign"} $ Syntax_Trans.update_name_tr' f)
326f57825e1a explicit structure Syntax_Trans; wenzelm parents: 42086 diff changeset	242	(Abs (x, dummyT, Syntax_Trans.const_abs_tr' k) :: ts)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	243	\| assign_tr' _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	244	in
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	245	[(@{const_syntax Collect}, assert_tr'),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	246	(@{const_syntax Basic}, assign_tr'),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	247	(@{const_syntax Cond}, bexp_tr' @{syntax_const "_Cond"}),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	248	(@{const_syntax While}, bexp_tr' @{syntax_const "_While_inv"})]
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	249	end
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	250	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	251
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	252
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	253	subsection {* Rules for single-step proof \label{sec:hoare-isar} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	254
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	255	text {* We are now ready to introduce a set of Hoare rules to be used
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	256	in single-step structured proofs in Isabelle/Isar. We refer to the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	257	concrete syntax introduce above.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	258
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	259	\medskip Assertions of Hoare Logic may be manipulated in
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	260	calculational proofs, with the inclusion expressed in terms of sets
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	261	or predicates. Reversed order is supported as well. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	262
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	263	lemma [trans]: "\|- P c Q ==> P' <= P ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	264	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	265	lemma [trans] : "P' <= P ==> \|- P c Q ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	266	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	267
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	268	lemma [trans]: "Q <= Q' ==> \|- P c Q ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	269	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	270	lemma [trans]: "\|- P c Q ==> Q <= Q' ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	271	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	272
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	273	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	274	"\|- .{\<acute>P}. c Q ==> (!!s. P' s --> P s) ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	275	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	276	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	277	"(!!s. P' s --> P s) ==> \|- .{\<acute>P}. c Q ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	278	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	279
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	280	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	281	"\|- P c .{\<acute>Q}. ==> (!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	282	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	283	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	284	"(!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q}. ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	285	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	286
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	287
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	288	text {* Identity and basic assignments.\footnote{The $\idt{hoare}$
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	289	method introduced in \S\ref{sec:hoare-vcg} is able to provide proper
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	290	instances for any number of basic assignments, without producing
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	291	additional verification conditions.} *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	292
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	293	lemma skip [intro?]: "\|- P SKIP P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	294	proof -
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	295	have "\|- {s. id s : P} SKIP P" by (rule basic)
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	296	then show ?thesis by simp
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	297	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	298
42053 006095137a81 update_name_tr: more precise handling of explicit constraints, including positions; wenzelm parents: 41818 diff changeset	299	lemma assign: "\|- P [\<acute>a/\<acute>x::'a] \<acute>x := \<acute>a P"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	300	by (rule basic)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	301
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	302	text {* Note that above formulation of assignment corresponds to our
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	303	preferred way to model state spaces, using (extensible) record types
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	304	in HOL \cite{Naraschewski-Wenzel:1998:HOOL}. For any record field
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	305	$x$, Isabelle/HOL provides a functions $x$ (selector) and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	306	$\idt{x{\dsh}update}$ (update). Above, there is only a place-holder
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	307	appearing for the latter kind of function: due to concrete syntax
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	308	\isa{\'x := \'a} also contains \isa{x\_update}.\footnote{Note that
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	309	due to the external nature of HOL record fields, we could not even
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	310	state a general theorem relating selector and update functions (if
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	311	this were required here); this would only work for any particular
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	312	instance of record fields introduced so far.} *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	313
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	314	text {* Sequential composition --- normalizing with associativity
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	315	achieves proper of chunks of code verified separately. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	316
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	317	lemmas [trans, intro?] = seq
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	318
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	319	lemma seq_assoc [simp]: "( \|- P c1;(c2;c3) Q) = ( \|- P (c1;c2);c3 Q)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	320	by (auto simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	321
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	322	text {* Conditional statements. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	323
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	324	lemmas [trans, intro?] = cond
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	325
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	326	lemma [trans, intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	327	"\|- .{\<acute>P & \<acute>b}. c1 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	328	==> \|- .{\<acute>P & ~ \<acute>b}. c2 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	329	==> \|- .{\<acute>P}. IF \<acute>b THEN c1 ELSE c2 FI Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	330	by (rule cond) (simp_all add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	331
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	332	text {* While statements --- with optional invariant. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	333
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	334	lemma [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	335	"\|- (P Int b) c P ==> \|- P (While b P c) (P Int -b)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	336	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	337
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	338	lemma [intro?]:
28524 644b62cf678f arbitrary is undefined haftmann parents: 28457 diff changeset	339	"\|- (P Int b) c P ==> \|- P (While b undefined c) (P Int -b)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	340	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	341
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	342
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	343	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	344	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	345	==> \|- .{\<acute>P}. WHILE \<acute>b INV .{\<acute>P}. DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	346	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	347
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	348	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	349	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	350	==> \|- .{\<acute>P}. WHILE \<acute>b DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	351	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	352
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	353
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	354	subsection {* Verification conditions \label{sec:hoare-vcg} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	355
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	356	text {* We now load the \emph{original} ML file for proof scripts and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	357	tactic definition for the Hoare Verification Condition Generator
40880 be44a567ed28 more antiquotations; wenzelm parents: 37671 diff changeset	358	(see @{file "~~/src/HOL/Hoare/"}). As far as we
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	359	are concerned here, the result is a proof method \name{hoare}, which
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	360	may be applied to a Hoare Logic assertion to extract purely logical
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	361	verification conditions. It is important to note that the method
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	362	requires \texttt{WHILE} loops to be fully annotated with invariants
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	363	beforehand. Furthermore, only \emph{concrete} pieces of code are
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	364	handled --- the underlying tactic fails ungracefully if supplied
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	365	with meta-variables or parameters, for example. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	366
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	367	lemma SkipRule: "p \<subseteq> q \<Longrightarrow> Valid p (Basic id) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	368	by (auto simp add: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	369
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	370	lemma BasicRule: "p \<subseteq> {s. f s \<in> q} \<Longrightarrow> Valid p (Basic f) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	371	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	372
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	373	lemma SeqRule: "Valid P c1 Q \<Longrightarrow> Valid Q c2 R \<Longrightarrow> Valid P (c1;c2) R"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	374	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	375
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	376	lemma CondRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	377	"p \<subseteq> {s. (s \<in> b \<longrightarrow> s \<in> w) \<and> (s \<notin> b \<longrightarrow> s \<in> w')}
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	378	\<Longrightarrow> Valid w c1 q \<Longrightarrow> Valid w' c2 q \<Longrightarrow> Valid p (Cond b c1 c2) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	379	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	380
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	381	lemma iter_aux:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	382	"\<forall>s s'. Sem c s s' --> s : I & s : b --> s' : I ==>
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	383	(\<And>s s'. s : I \<Longrightarrow> iter n b (Sem c) s s' \<Longrightarrow> s' : I & s' ~: b)"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	384	apply(induct n)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	385	apply clarsimp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	386	apply (simp (no_asm_use))
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	387	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	388	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	389
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	390	lemma WhileRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	391	"p \<subseteq> i \<Longrightarrow> Valid (i \<inter> b) c i \<Longrightarrow> i \<inter> (-b) \<subseteq> q \<Longrightarrow> Valid p (While b i c) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	392	apply (clarsimp simp: Valid_def)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	393	apply (drule iter_aux)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	394	prefer 2
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	395	apply assumption
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	396	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	397	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	398	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	399
26303 e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	400	lemma Compl_Collect: "- Collect b = {x. \<not> b x}"
e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	401	by blast
e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	402
28457 25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	403	lemmas AbortRule = SkipRule -- "dummy version"
25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	404
24472 943ef707396c added Hoare/hoare_tac.ML (code from Hoare/Hoare.thy, also required in Isar_examples/Hoare.thy); wenzelm parents: 22759 diff changeset	405	use "~~/src/HOL/Hoare/hoare_tac.ML"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	406
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	407	method_setup hoare = {*
30549 d2d7874648bd simplified method setup; wenzelm parents: 30510 diff changeset	408	Scan.succeed (fn ctxt =>
30510 4120fc59dd85 unified type Proof.method and pervasive METHOD combinators; wenzelm parents: 28524 diff changeset	409	(SIMPLE_METHOD'
28457 25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	410	(hoare_tac ctxt (simp_tac (HOL_basic_ss addsimps [@{thm "Record.K_record_comp"}] ))))) *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	411	"verification condition generator for Hoare logic"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	412
13703 a36a0d417133 Hoare.ML -> hoare.ML kleing parents: 12124 diff changeset	413	end

author	wenzelm
	Sat, 07 Apr 2012 16:41:59 +0200
changeset 47389	e8552cba702d
parent 46582	dcc312f22ee8
child 48891	c0eafbd55de3
permissions	-rw-r--r--