isabelle: src/HOL/Isar_Examples/Hoare.thy@e9467adb8b52 (annotated)

33026 8f35633c4922 modernized session Isar_Examples; wenzelm parents: 31758 diff changeset	1	(* Title: HOL/Isar_Examples/Hoare.thy
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	2	Author: Markus Wenzel, TU Muenchen
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	3
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	4	A formulation of Hoare logic suitable for Isar.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	5	*)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	6
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	7	header {* Hoare Logic *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	8
31758 3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	9	theory Hoare
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	10	imports Main
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	11	uses ("~~/src/HOL/Hoare/hoare_tac.ML")
3edd5f813f01 observe standard theory naming conventions; wenzelm parents: 31723 diff changeset	12	begin
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	13
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	14	subsection {* Abstract syntax and semantics *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	15
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	16	text {* The following abstract syntax and semantics of Hoare Logic
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	17	over \texttt{WHILE} programs closely follows the existing tradition
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	18	in Isabelle/HOL of formalizing the presentation given in
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	19	\cite[\S6]{Winskel:1993}. See also
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	20	\url{http://isabelle.in.tum.de/library/Hoare/} and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	21	\cite{Nipkow:1998:Winskel}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	22
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	23	types
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	24	'a bexp = "'a set"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	25	'a assn = "'a set"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	26
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	27	datatype 'a com =
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	28	Basic "'a => 'a"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	29	\| Seq "'a com" "'a com" ("(_;/ _)" [60, 61] 60)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	30	\| Cond "'a bexp" "'a com" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	31	\| While "'a bexp" "'a assn" "'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	32
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	33	abbreviation Skip ("SKIP")
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	34	where "SKIP == Basic id"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	35
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	36	types
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	37	'a sem = "'a => 'a => bool"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	38
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	39	primrec iter :: "nat => 'a bexp => 'a sem => 'a sem"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	40	where
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	41	"iter 0 b S s s' = (s ~: b & s = s')"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	42	\| "iter (Suc n) b S s s' = (s : b & (EX s''. S s s'' & iter n b S s'' s'))"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	43
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	44	primrec Sem :: "'a com => 'a sem"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	45	where
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	46	"Sem (Basic f) s s' = (s' = f s)"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	47	\| "Sem (c1; c2) s s' = (EX s''. Sem c1 s s'' & Sem c2 s'' s')"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	48	\| "Sem (Cond b c1 c2) s s' =
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	49	(if s : b then Sem c1 s s' else Sem c2 s s')"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	50	\| "Sem (While b x c) s s' = (EX n. iter n b (Sem c) s s')"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	51
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	52	definition
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	53	Valid :: "'a bexp => 'a com => 'a bexp => bool"
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	54	("(3\|- _/ (2_)/ _)" [100, 55, 100] 50)
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	55	where "\|- P c Q \<longleftrightarrow> (\<forall>s s'. Sem c s s' --> s : P --> s' : Q)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	56
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	57	notation (xsymbols) Valid ("(3\<turnstile> _/ (2_)/ _)" [100, 55, 100] 50)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	58
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	59	lemma ValidI [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	60	"(!!s s'. Sem c s s' ==> s : P ==> s' : Q) ==> \|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	61	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	62
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	63	lemma ValidD [dest?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	64	"\|- P c Q ==> Sem c s s' ==> s : P ==> s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	65	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	66
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	67
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	68	subsection {* Primitive Hoare rules *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	69
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	70	text {* From the semantics defined above, we derive the standard set
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	71	of primitive Hoare rules; e.g.\ see \cite[\S6]{Winskel:1993}.
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	72	Usually, variant forms of these rules are applied in actual proof,
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	73	see also \S\ref{sec:hoare-isar} and \S\ref{sec:hoare-vcg}.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	74
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	75	\medskip The \name{basic} rule represents any kind of atomic access
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	76	to the state space. This subsumes the common rules of \name{skip}
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	77	and \name{assign}, as formulated in \S\ref{sec:hoare-isar}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	78
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	79	theorem basic: "\|- {s. f s : P} (Basic f) P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	80	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	81	fix s s' assume s: "s : {s. f s : P}"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	82	assume "Sem (Basic f) s s'"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	83	then have "s' = f s" by simp
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	84	with s show "s' : P" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	85	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	86
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	87	text {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	88	The rules for sequential commands and semantic consequences are
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	89	established in a straight forward manner as follows.
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	90	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	91
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	92	theorem seq: "\|- P c1 Q ==> \|- Q c2 R ==> \|- P (c1; c2) R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	93	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	94	assume cmd1: "\|- P c1 Q" and cmd2: "\|- Q c2 R"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	95	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	96	assume "Sem (c1; c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	97	then obtain s'' where sem1: "Sem c1 s s''" and sem2: "Sem c2 s'' s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	98	by auto
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	99	from cmd1 sem1 s have "s'' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	100	with cmd2 sem2 show "s' : R" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	101	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	102
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	103	theorem conseq: "P' <= P ==> \|- P c Q ==> Q <= Q' ==> \|- P' c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	104	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	105	assume P'P: "P' <= P" and QQ': "Q <= Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	106	assume cmd: "\|- P c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	107	fix s s' :: 'a
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	108	assume sem: "Sem c s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	109	assume "s : P'" with P'P have "s : P" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	110	with cmd sem have "s' : Q" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	111	with QQ' show "s' : Q'" ..
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	112	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	113
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	114	text {* The rule for conditional commands is directly reflected by the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	115	corresponding semantics; in the proof we just have to look closely
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	116	which cases apply. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	117
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	118	theorem cond:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	119	"\|- (P Int b) c1 Q ==> \|- (P Int -b) c2 Q ==> \|- P (Cond b c1 c2) Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	120	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	121	assume case_b: "\|- (P Int b) c1 Q" and case_nb: "\|- (P Int -b) c2 Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	122	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	123	assume sem: "Sem (Cond b c1 c2) s s'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	124	show "s' : Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	125	proof cases
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	126	assume b: "s : b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	127	from case_b show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	128	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	129	from sem b show "Sem c1 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	130	from s b show "s : P Int b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	131	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	132	next
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	133	assume nb: "s ~: b"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	134	from case_nb show ?thesis
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	135	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	136	from sem nb show "Sem c2 s s'" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	137	from s nb show "s : P Int -b" by simp
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	138	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	139	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	140	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	141
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	142	text {* The @{text while} rule is slightly less trivial --- it is the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	143	only one based on recursion, which is expressed in the semantics by
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	144	a Kleene-style least fixed-point construction. The auxiliary
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	145	statement below, which is by induction on the number of iterations
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	146	is the main point to be proven; the rest is by routine application
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	147	of the semantics of \texttt{WHILE}. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	148
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	149	theorem while:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	150	assumes body: "\|- (P Int b) c P"
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	151	shows "\|- P (While b X c) (P Int -b)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	152	proof
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	153	fix s s' assume s: "s : P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	154	assume "Sem (While b X c) s s'"
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	155	then obtain n where "iter n b (Sem c) s s'" by auto
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	156	from this and s show "s' : P Int -b"
20503 503ac4c5ef91 induct method: renamed 'fixing' to 'arbitrary'; wenzelm parents: 19363 diff changeset	157	proof (induct n arbitrary: s)
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	158	case 0
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	159	then show ?case by auto
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	160	next
19122 e1b6a5071348 tuned proofs; wenzelm parents: 18241 diff changeset	161	case (Suc n)
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	162	then obtain s'' where b: "s : b" and sem: "Sem c s s''"
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	163	and iter: "iter n b (Sem c) s'' s'" by auto
11987 bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	164	from Suc and b have "s : P Int b" by simp
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	165	with body sem have "s'' : P" ..
bf31b35949ce tuned induct proofs; wenzelm parents: 10874 diff changeset	166	with iter show ?case by (rule Suc)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	167	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	168	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	169
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	170
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	171	subsection {* Concrete syntax for assertions *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	172
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	173	text {* We now introduce concrete syntax for describing commands (with
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	174	embedded expressions) and assertions. The basic technique is that of
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	175	semantic ``quote-antiquote''. A \emph{quotation} is a syntactic
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	176	entity delimited by an implicit abstraction, say over the state
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	177	space. An \emph{antiquotation} is a marked expression within a
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	178	quotation that refers the implicit argument; a typical antiquotation
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	179	would select (or even update) components from the state.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	180
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	181	We will see some examples later in the concrete rules and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	182	applications. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	183
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	184	text {* The following specification of syntax and translations is for
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	185	Isabelle experts only; feel free to ignore it.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	186
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	187	While the first part is still a somewhat intelligible specification
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	188	of the concrete syntactic representation of our Hoare language, the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	189	actual ``ML drivers'' is quite involved. Just note that the we
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	190	re-use the basic quote/antiquote translations as already defined in
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	191	Isabelle/Pure (see \verb,Syntax.quote_tr, and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	192	\verb,Syntax.quote_tr',). *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	193
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	194	syntax
10874 ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	195	"_quote" :: "'b => ('a => 'b)" ("(.'(_').)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	196	"_antiquote" :: "('a => 'b) => 'b" ("\<acute>_" [1000] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	197	"_Subst" :: "'a bexp \<Rightarrow> 'b \<Rightarrow> idt \<Rightarrow> 'a bexp"
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	198	("_[_'/\<acute>_]" [1000] 999)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	199	"_Assert" :: "'a => 'a set" ("(.{_}.)" [0] 1000)
ad7113530c32 tuned; wenzelm parents: 10869 diff changeset	200	"_Assign" :: "idt => 'b => 'a com" ("(\<acute>_ :=/ _)" [70, 65] 61)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	201	"_Cond" :: "'a bexp => 'a com => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	202	("(0IF _/ THEN _/ ELSE _/ FI)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	203	"_While_inv" :: "'a bexp => 'a assn => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	204	("(0WHILE _/ INV _ //DO _ /OD)" [0, 0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	205	"_While" :: "'a bexp => 'a com => 'a com"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	206	("(0WHILE _ //DO _ /OD)" [0, 0] 61)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	207
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	208	syntax (xsymbols)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	209	"_Assert" :: "'a => 'a set" ("(\<lbrace>_\<rbrace>)" [0] 1000)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	210
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	211	translations
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	212	".{b}." => "CONST Collect .(b)."
25706 45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	213	"B [a/\<acute>x]" => ".{\<acute>(_update_name x (\<lambda>_. a)) \<in> B}."
35054 a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	214	"\<acute>x := a" => "CONST Basic .(\<acute>(_update_name x (\<lambda>_. a)))."
a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	215	"IF b THEN c1 ELSE c2 FI" => "CONST Cond .{b}. c1 c2"
a5db9779b026 modernized some syntax translations; wenzelm parents: 33026 diff changeset	216	"WHILE b INV i DO c OD" => "CONST While .{b}. i c"
28524 644b62cf678f arbitrary is undefined haftmann parents: 28457 diff changeset	217	"WHILE b DO c OD" == "WHILE b INV CONST undefined DO c OD"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	218
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	219	parse_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	220	let
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	221	fun quote_tr [t] = Syntax.quote_tr @{syntax_const "_antiquote"} t
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	222	\| quote_tr ts = raise TERM ("quote_tr", ts);
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	223	in [(@{syntax_const "_quote"}, quote_tr)] end
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	224	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	225
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	226	text {* As usual in Isabelle syntax translations, the part for
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	227	printing is more complicated --- we cannot express parts as macro
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	228	rules as above. Don't look here, unless you have to do similar
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	229	things for yourself. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	230
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	231	print_translation {*
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	232	let
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	233	fun quote_tr' f (t :: ts) =
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	234	Term.list_comb (f $ Syntax.quote_tr' @{syntax_const "_antiquote"} t, ts)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	235	\| quote_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	236
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	237	val assert_tr' = quote_tr' (Syntax.const @{syntax_const "_Assert"});
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	238
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	239	fun bexp_tr' name ((Const (@{const_syntax Collect}, _) $ t) :: ts) =
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	240	quote_tr' (Syntax.const name) (t :: ts)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	241	\| bexp_tr' _ _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	242
35145 f132a4fd8679 moved generic update_name to Pure syntax -- not specific to HOL/record; wenzelm parents: 35113 diff changeset	243	fun K_tr' (Abs (_, _, t)) =
f132a4fd8679 moved generic update_name to Pure syntax -- not specific to HOL/record; wenzelm parents: 35113 diff changeset	244	if null (loose_bnos t) then t else raise Match
f132a4fd8679 moved generic update_name to Pure syntax -- not specific to HOL/record; wenzelm parents: 35113 diff changeset	245	\| K_tr' (Abs (_, _, Abs (_, _, t) $ Bound 0)) =
f132a4fd8679 moved generic update_name to Pure syntax -- not specific to HOL/record; wenzelm parents: 35113 diff changeset	246	if null (loose_bnos t) then t else raise Match
25706 45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	247	\| K_tr' _ = raise Match;
45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	248
45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	249	fun assign_tr' (Abs (x, _, f $ k $ Bound 0) :: ts) =
35145 f132a4fd8679 moved generic update_name to Pure syntax -- not specific to HOL/record; wenzelm parents: 35113 diff changeset	250	quote_tr' (Syntax.const @{syntax_const "_Assign"} $ Syntax.update_name_tr' f)
25706 45d090186bbe accomodate to replacement of K_record by %x.c schirmer parents: 24472 diff changeset	251	(Abs (x, dummyT, K_tr' k) :: ts)
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	252	\| assign_tr' _ = raise Match;
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	253	in
35113 1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	254	[(@{const_syntax Collect}, assert_tr'),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	255	(@{const_syntax Basic}, assign_tr'),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	256	(@{const_syntax Cond}, bexp_tr' @{syntax_const "_Cond"}),
1a0c129bb2e0 modernized translations; wenzelm parents: 35054 diff changeset	257	(@{const_syntax While}, bexp_tr' @{syntax_const "_While_inv"})]
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	258	end
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	259	*}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	260
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	261
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	262	subsection {* Rules for single-step proof \label{sec:hoare-isar} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	263
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	264	text {* We are now ready to introduce a set of Hoare rules to be used
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	265	in single-step structured proofs in Isabelle/Isar. We refer to the
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	266	concrete syntax introduce above.
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	267
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	268	\medskip Assertions of Hoare Logic may be manipulated in
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	269	calculational proofs, with the inclusion expressed in terms of sets
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	270	or predicates. Reversed order is supported as well. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	271
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	272	lemma [trans]: "\|- P c Q ==> P' <= P ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	273	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	274	lemma [trans] : "P' <= P ==> \|- P c Q ==> \|- P' c Q"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	275	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	276
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	277	lemma [trans]: "Q <= Q' ==> \|- P c Q ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	278	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	279	lemma [trans]: "\|- P c Q ==> Q <= Q' ==> \|- P c Q'"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	280	by (unfold Valid_def) blast
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	281
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	282	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	283	"\|- .{\<acute>P}. c Q ==> (!!s. P' s --> P s) ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	284	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	285	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	286	"(!!s. P' s --> P s) ==> \|- .{\<acute>P}. c Q ==> \|- .{\<acute>P'}. c Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	287	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	288
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	289	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	290	"\|- P c .{\<acute>Q}. ==> (!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	291	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	292	lemma [trans]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	293	"(!!s. Q s --> Q' s) ==> \|- P c .{\<acute>Q}. ==> \|- P c .{\<acute>Q'}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	294	by (simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	295
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	296
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	297	text {* Identity and basic assignments.\footnote{The $\idt{hoare}$
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	298	method introduced in \S\ref{sec:hoare-vcg} is able to provide proper
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	299	instances for any number of basic assignments, without producing
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	300	additional verification conditions.} *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	301
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	302	lemma skip [intro?]: "\|- P SKIP P"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	303	proof -
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	304	have "\|- {s. id s : P} SKIP P" by (rule basic)
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	305	then show ?thesis by simp
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	306	qed
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	307
10869 904cefa2c3cd subst syntax; wenzelm parents: 10838 diff changeset	308	lemma assign: "\|- P [\<acute>a/\<acute>x] \<acute>x := \<acute>a P"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	309	by (rule basic)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	310
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	311	text {* Note that above formulation of assignment corresponds to our
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	312	preferred way to model state spaces, using (extensible) record types
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	313	in HOL \cite{Naraschewski-Wenzel:1998:HOOL}. For any record field
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	314	$x$, Isabelle/HOL provides a functions $x$ (selector) and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	315	$\idt{x{\dsh}update}$ (update). Above, there is only a place-holder
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	316	appearing for the latter kind of function: due to concrete syntax
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	317	\isa{\'x := \'a} also contains \isa{x\_update}.\footnote{Note that
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	318	due to the external nature of HOL record fields, we could not even
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	319	state a general theorem relating selector and update functions (if
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	320	this were required here); this would only work for any particular
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	321	instance of record fields introduced so far.} *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	322
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	323	text {* Sequential composition --- normalizing with associativity
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	324	achieves proper of chunks of code verified separately. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	325
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	326	lemmas [trans, intro?] = seq
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	327
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	328	lemma seq_assoc [simp]: "( \|- P c1;(c2;c3) Q) = ( \|- P (c1;c2);c3 Q)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	329	by (auto simp add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	330
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	331	text {* Conditional statements. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	332
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	333	lemmas [trans, intro?] = cond
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	334
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	335	lemma [trans, intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	336	"\|- .{\<acute>P & \<acute>b}. c1 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	337	==> \|- .{\<acute>P & ~ \<acute>b}. c2 Q
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	338	==> \|- .{\<acute>P}. IF \<acute>b THEN c1 ELSE c2 FI Q"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	339	by (rule cond) (simp_all add: Valid_def)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	340
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	341	text {* While statements --- with optional invariant. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	342
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	343	lemma [intro?]:
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	344	"\|- (P Int b) c P ==> \|- P (While b P c) (P Int -b)"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	345	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	346
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	347	lemma [intro?]:
28524 644b62cf678f arbitrary is undefined haftmann parents: 28457 diff changeset	348	"\|- (P Int b) c P ==> \|- P (While b undefined c) (P Int -b)"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	349	by (rule while)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	350
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	351
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	352	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	353	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	354	==> \|- .{\<acute>P}. WHILE \<acute>b INV .{\<acute>P}. DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	355	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	356
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	357	lemma [intro?]:
10838 9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	358	"\|- .{\<acute>P & \<acute>b}. c .{\<acute>P}.
9423817dee84 use \<acute>; wenzelm parents: 10643 diff changeset	359	==> \|- .{\<acute>P}. WHILE \<acute>b DO c OD .{\<acute>P & ~ \<acute>b}."
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	360	by (simp add: while Collect_conj_eq Collect_neg_eq)
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	361
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	362
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	363	subsection {* Verification conditions \label{sec:hoare-vcg} *}
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	364
37671 fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	365	text {* We now load the \emph{original} ML file for proof scripts and
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	366	tactic definition for the Hoare Verification Condition Generator
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	367	(see \url{http://isabelle.in.tum.de/library/Hoare/}). As far as we
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	368	are concerned here, the result is a proof method \name{hoare}, which
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	369	may be applied to a Hoare Logic assertion to extract purely logical
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	370	verification conditions. It is important to note that the method
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	371	requires \texttt{WHILE} loops to be fully annotated with invariants
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	372	beforehand. Furthermore, only \emph{concrete} pieces of code are
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	373	handled --- the underlying tactic fails ungracefully if supplied
fa53d267dab3 misc tuning and modernization; wenzelm parents: 35417 diff changeset	374	with meta-variables or parameters, for example. *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	375
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	376	lemma SkipRule: "p \<subseteq> q \<Longrightarrow> Valid p (Basic id) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	377	by (auto simp add: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	378
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	379	lemma BasicRule: "p \<subseteq> {s. f s \<in> q} \<Longrightarrow> Valid p (Basic f) q"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	380	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	381
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	382	lemma SeqRule: "Valid P c1 Q \<Longrightarrow> Valid Q c2 R \<Longrightarrow> Valid P (c1;c2) R"
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	383	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	384
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	385	lemma CondRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	386	"p \<subseteq> {s. (s \<in> b \<longrightarrow> s \<in> w) \<and> (s \<notin> b \<longrightarrow> s \<in> w')}
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	387	\<Longrightarrow> Valid w c1 q \<Longrightarrow> Valid w' c2 q \<Longrightarrow> Valid p (Cond b c1 c2) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	388	by (auto simp: Valid_def)
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	389
18241 afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	390	lemma iter_aux:
afdba6b3e383 tuned induction proofs; wenzelm parents: 18193 diff changeset	391	"\<forall>s s'. Sem c s s' --> s : I & s : b --> s' : I ==>
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	392	(\<And>s s'. s : I \<Longrightarrow> iter n b (Sem c) s s' \<Longrightarrow> s' : I & s' ~: b)"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	393	apply(induct n)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	394	apply clarsimp
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	395	apply (simp (no_asm_use))
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	396	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	397	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	398
7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	399	lemma WhileRule:
18193 54419506df9e tuned document; wenzelm parents: 16417 diff changeset	400	"p \<subseteq> i \<Longrightarrow> Valid (i \<inter> b) c i \<Longrightarrow> i \<inter> (-b) \<subseteq> q \<Longrightarrow> Valid p (While b i c) q"
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	401	apply (clarsimp simp: Valid_def)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	402	apply (drule iter_aux)
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	403	prefer 2
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	404	apply assumption
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	405	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	406	apply blast
54419506df9e tuned document; wenzelm parents: 16417 diff changeset	407	done
13862 7cbc89aa79db fix for changes in HOL/Hoare/ kleing parents: 13703 diff changeset	408
26303 e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	409	lemma Compl_Collect: "- Collect b = {x. \<not> b x}"
e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	410	by blast
e4f40a0ea2e1 added Compl_Collect; wenzelm parents: 25706 diff changeset	411
28457 25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	412	lemmas AbortRule = SkipRule -- "dummy version"
25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	413
24472 943ef707396c added Hoare/hoare_tac.ML (code from Hoare/Hoare.thy, also required in Isar_examples/Hoare.thy); wenzelm parents: 22759 diff changeset	414	use "~~/src/HOL/Hoare/hoare_tac.ML"
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	415
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	416	method_setup hoare = {*
30549 d2d7874648bd simplified method setup; wenzelm parents: 30510 diff changeset	417	Scan.succeed (fn ctxt =>
30510 4120fc59dd85 unified type Proof.method and pervasive METHOD combinators; wenzelm parents: 28524 diff changeset	418	(SIMPLE_METHOD'
28457 25669513fd4c major cleanup of hoare_tac.ML: just one copy for Hoare.thy and HoareAbort.thy (only 1 line different), refrain from inspecting the main goal, proper context; wenzelm parents: 26303 diff changeset	419	(hoare_tac ctxt (simp_tac (HOL_basic_ss addsimps [@{thm "Record.K_record_comp"}] ))))) *}
10148 739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	420	"verification condition generator for Hoare logic"
739327964a5c Hoare logic in Isar; wenzelm parents: diff changeset	421
13703 a36a0d417133 Hoare.ML -> hoare.ML kleing parents: 12124 diff changeset	422	end

author	hoelzl
	Thu, 02 Sep 2010 20:44:33 +0200
changeset 39100	e9467adb8b52
parent 37671	fa53d267dab3
child 40880	be44a567ed28
permissions	-rw-r--r--