27 Note that each WHILE-loop must be annotated with an invariant. |
27 Note that each WHILE-loop must be annotated with an invariant. |
28 <P> |
28 <P> |
29 |
29 |
30 After loading theory Hoare, you can state goals of the form |
30 After loading theory Hoare, you can state goals of the form |
31 <PRE> |
31 <PRE> |
32 |- VARS x y ... {P} prog {Q} |
32 VARS x y ... {P} prog {Q} |
33 </PRE> |
33 </PRE> |
34 where <kbd>prog</kbd> is a program in the above language, <kbd>P</kbd> is the |
34 where <kbd>prog</kbd> is a program in the above language, <kbd>P</kbd> is the |
35 precondition, <kbd>Q</kbd> the postcondition, and <kbd>x y ...</kbd> is the |
35 precondition, <kbd>Q</kbd> the postcondition, and <kbd>x y ...</kbd> is the |
36 list of all <i>program variables</i> in <kbd>prog</kbd>. The latter list must |
36 list of all <i>program variables</i> in <kbd>prog</kbd>. The latter list must |
37 be nonempty and it must include all variables that occur on the left-hand |
37 be nonempty and it must include all variables that occur on the left-hand |
38 side of an assignment in <kbd>prog</kbd>. Example: |
38 side of an assignment in <kbd>prog</kbd>. Example: |
39 <PRE> |
39 <PRE> |
40 |- VARS x. {x = a} x := x+1 {x = a+1} |
40 VARS x {x = a} x := x+1 {x = a+1} |
41 </PRE> |
41 </PRE> |
42 The (normal) variable <kbd>a</kbd> is merely used to record the initial |
42 The (normal) variable <kbd>a</kbd> is merely used to record the initial |
43 value of <kbd>x</kbd> and is not a program variable. Pre/post conditions |
43 value of <kbd>x</kbd> and is not a program variable. Pre/post conditions |
44 can be arbitrary HOL formulae mentioning both program variables and normal |
44 can be arbitrary HOL formulae mentioning both program variables and normal |
45 variables. |
45 variables. |
46 <P> |
46 <P> |
47 |
47 |
48 The implementation hides reasoning in Hoare logic completely and provides a |
48 The implementation hides reasoning in Hoare logic completely and provides a |
49 tactic <kbd>hoare_tac</kbd> for transforming a goal in Hoare logic into an |
49 method <kbd>vcg</kbd> for transforming a goal in Hoare logic into an |
50 equivalent list of verification conditions in HOL: |
50 equivalent list of verification conditions in HOL: |
51 <PRE> |
51 <PRE> |
52 by(hoare_tac tac i); |
52 apply vcg |
53 </PRE> |
53 </PRE> |
54 applies the tactic to subgoal <kbd>i</kbd> and applies the parameter |
54 If you want to simplify the resulting verification conditions at the same |
55 <kbd>tac</kbd> (of type <kbd>int -> tactic</kbd>) to all generated |
55 time: |
56 verification conditions. A typical call is |
|
57 <PRE> |
56 <PRE> |
58 by(hoare_tac Asm_full_simp_tac 1); |
57 apply vcg_simp |
59 </PRE> |
58 </PRE> |
60 which, given the example goal above, solves it completely. For further |
59 which, given the example goal above, solves it completely. For further |
61 examples see <a href="Examples.ML">Examples.ML</a>. |
60 examples see <a href="Examples.html">Examples</a>. |
62 <P> |
61 <P> |
63 |
62 |
64 IMPORTANT: |
63 IMPORTANT: |
65 This is a logic of partial correctness. You can only prove that your program |
64 This is a logic of partial correctness. You can only prove that your program |
66 does the right thing <i>if</i> it terminates, but not <i>that</i> it |
65 does the right thing <i>if</i> it terminates, but not <i>that</i> it |