9 |
9 |
10 datatype acom = Askip |
10 datatype acom = Askip |
11 | Aassign vname aexp |
11 | Aassign vname aexp |
12 | Asemi acom acom |
12 | Asemi acom acom |
13 | Aif bexp acom acom |
13 | Aif bexp acom acom |
14 | Awhile bexp assn acom |
14 | Awhile assn bexp acom |
15 |
15 |
16 text{* Weakest precondition from annotated commands: *} |
16 text{* Weakest precondition from annotated commands: *} |
17 |
17 |
18 fun pre :: "acom \<Rightarrow> assn \<Rightarrow> assn" where |
18 fun pre :: "acom \<Rightarrow> assn \<Rightarrow> assn" where |
19 "pre Askip Q = Q" | |
19 "pre Askip Q = Q" | |
20 "pre (Aassign x a) Q = (\<lambda>s. Q(s(x := aval a s)))" | |
20 "pre (Aassign x a) Q = (\<lambda>s. Q(s(x := aval a s)))" | |
21 "pre (Asemi c\<^isub>1 c\<^isub>2) Q = pre c\<^isub>1 (pre c\<^isub>2 Q)" | |
21 "pre (Asemi c\<^isub>1 c\<^isub>2) Q = pre c\<^isub>1 (pre c\<^isub>2 Q)" | |
22 "pre (Aif b c\<^isub>1 c\<^isub>2) Q = |
22 "pre (Aif b c\<^isub>1 c\<^isub>2) Q = |
23 (\<lambda>s. (bval b s \<longrightarrow> pre c\<^isub>1 Q s) \<and> |
23 (\<lambda>s. (bval b s \<longrightarrow> pre c\<^isub>1 Q s) \<and> |
24 (\<not> bval b s \<longrightarrow> pre c\<^isub>2 Q s))" | |
24 (\<not> bval b s \<longrightarrow> pre c\<^isub>2 Q s))" | |
25 "pre (Awhile b I c) Q = I" |
25 "pre (Awhile I b c) Q = I" |
26 |
26 |
27 text{* Verification condition: *} |
27 text{* Verification condition: *} |
28 |
28 |
29 fun vc :: "acom \<Rightarrow> assn \<Rightarrow> assn" where |
29 fun vc :: "acom \<Rightarrow> assn \<Rightarrow> assn" where |
30 "vc Askip Q = (\<lambda>s. True)" | |
30 "vc Askip Q = (\<lambda>s. True)" | |
31 "vc (Aassign x a) Q = (\<lambda>s. True)" | |
31 "vc (Aassign x a) Q = (\<lambda>s. True)" | |
32 "vc (Asemi c\<^isub>1 c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 (pre c\<^isub>2 Q) s \<and> vc c\<^isub>2 Q s)" | |
32 "vc (Asemi c\<^isub>1 c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 (pre c\<^isub>2 Q) s \<and> vc c\<^isub>2 Q s)" | |
33 "vc (Aif b c\<^isub>1 c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 Q s \<and> vc c\<^isub>2 Q s)" | |
33 "vc (Aif b c\<^isub>1 c\<^isub>2) Q = (\<lambda>s. vc c\<^isub>1 Q s \<and> vc c\<^isub>2 Q s)" | |
34 "vc (Awhile b I c) Q = |
34 "vc (Awhile I b c) Q = |
35 (\<lambda>s. (I s \<and> \<not> bval b s \<longrightarrow> Q s) \<and> |
35 (\<lambda>s. (I s \<and> \<not> bval b s \<longrightarrow> Q s) \<and> |
36 (I s \<and> bval b s \<longrightarrow> pre c I s) \<and> |
36 (I s \<and> bval b s \<longrightarrow> pre c I s) \<and> |
37 vc c I s)" |
37 vc c I s)" |
38 |
38 |
39 text{* Strip annotations: *} |
39 text{* Strip annotations: *} |
41 fun astrip :: "acom \<Rightarrow> com" where |
41 fun astrip :: "acom \<Rightarrow> com" where |
42 "astrip Askip = SKIP" | |
42 "astrip Askip = SKIP" | |
43 "astrip (Aassign x a) = (x::=a)" | |
43 "astrip (Aassign x a) = (x::=a)" | |
44 "astrip (Asemi c\<^isub>1 c\<^isub>2) = (astrip c\<^isub>1; astrip c\<^isub>2)" | |
44 "astrip (Asemi c\<^isub>1 c\<^isub>2) = (astrip c\<^isub>1; astrip c\<^isub>2)" | |
45 "astrip (Aif b c\<^isub>1 c\<^isub>2) = (IF b THEN astrip c\<^isub>1 ELSE astrip c\<^isub>2)" | |
45 "astrip (Aif b c\<^isub>1 c\<^isub>2) = (IF b THEN astrip c\<^isub>1 ELSE astrip c\<^isub>2)" | |
46 "astrip (Awhile b I c) = (WHILE b DO astrip c)" |
46 "astrip (Awhile I b c) = (WHILE b DO astrip c)" |
47 |
47 |
48 |
48 |
49 subsection "Soundness" |
49 subsection "Soundness" |
50 |
50 |
51 lemma vc_sound: "\<forall>s. vc c Q s \<Longrightarrow> \<turnstile> {pre c Q} astrip c {Q}" |
51 lemma vc_sound: "\<forall>s. vc c Q s \<Longrightarrow> \<turnstile> {pre c Q} astrip c {Q}" |
52 proof(induction c arbitrary: Q) |
52 proof(induction c arbitrary: Q) |
53 case (Awhile b I c) |
53 case (Awhile I b c) |
54 show ?case |
54 show ?case |
55 proof(simp, rule While') |
55 proof(simp, rule While') |
56 from `\<forall>s. vc (Awhile b I c) Q s` |
56 from `\<forall>s. vc (Awhile I b c) Q s` |
57 have vc: "\<forall>s. vc c I s" and IQ: "\<forall>s. I s \<and> \<not> bval b s \<longrightarrow> Q s" and |
57 have vc: "\<forall>s. vc c I s" and IQ: "\<forall>s. I s \<and> \<not> bval b s \<longrightarrow> Q s" and |
58 pre: "\<forall>s. I s \<and> bval b s \<longrightarrow> pre c I s" by simp_all |
58 pre: "\<forall>s. I s \<and> bval b s \<longrightarrow> pre c I s" by simp_all |
59 have "\<turnstile> {pre c I} astrip c {I}" by(rule Awhile.IH[OF vc]) |
59 have "\<turnstile> {pre c I} astrip c {I}" by(rule Awhile.IH[OF vc]) |
60 with pre show "\<turnstile> {\<lambda>s. I s \<and> bval b s} astrip c {I}" |
60 with pre show "\<turnstile> {\<lambda>s. I s \<and> bval b s} astrip c {I}" |
61 by(rule strengthen_pre) |
61 by(rule strengthen_pre) |
133 in (\<lambda>s. vc\<^isub>1 s \<and> vc\<^isub>2 s, wp\<^isub>1))" | |
133 in (\<lambda>s. vc\<^isub>1 s \<and> vc\<^isub>2 s, wp\<^isub>1))" | |
134 "vcpre (Aif b c\<^isub>1 c\<^isub>2) Q = |
134 "vcpre (Aif b c\<^isub>1 c\<^isub>2) Q = |
135 (let (vc\<^isub>2,wp\<^isub>2) = vcpre c\<^isub>2 Q; |
135 (let (vc\<^isub>2,wp\<^isub>2) = vcpre c\<^isub>2 Q; |
136 (vc\<^isub>1,wp\<^isub>1) = vcpre c\<^isub>1 Q |
136 (vc\<^isub>1,wp\<^isub>1) = vcpre c\<^isub>1 Q |
137 in (\<lambda>s. vc\<^isub>1 s \<and> vc\<^isub>2 s, \<lambda>s. (bval b s \<longrightarrow> wp\<^isub>1 s) \<and> (\<not>bval b s \<longrightarrow> wp\<^isub>2 s)))" | |
137 in (\<lambda>s. vc\<^isub>1 s \<and> vc\<^isub>2 s, \<lambda>s. (bval b s \<longrightarrow> wp\<^isub>1 s) \<and> (\<not>bval b s \<longrightarrow> wp\<^isub>2 s)))" | |
138 "vcpre (Awhile b I c) Q = |
138 "vcpre (Awhile I b c) Q = |
139 (let (vcc,wpc) = vcpre c I |
139 (let (vcc,wpc) = vcpre c I |
140 in (\<lambda>s. (I s \<and> \<not> bval b s \<longrightarrow> Q s) \<and> |
140 in (\<lambda>s. (I s \<and> \<not> bval b s \<longrightarrow> Q s) \<and> |
141 (I s \<and> bval b s \<longrightarrow> wpc s) \<and> vcc s, I))" |
141 (I s \<and> bval b s \<longrightarrow> wpc s) \<and> vcc s, I))" |
142 |
142 |
143 lemma vcpre_vc_pre: "vcpre c Q = (vc c Q, pre c Q)" |
143 lemma vcpre_vc_pre: "vcpre c Q = (vc c Q, pre c Q)" |