262 hence pre: "preallocated hp" by (simp add: correct_state_def) |
262 hence pre: "preallocated hp" by (simp add: correct_state_def) |
263 |
263 |
264 assume xcpt: ?xcpt with pre show ?thesis |
264 assume xcpt: ?xcpt with pre show ?thesis |
265 proof (cases "ins!pc") |
265 proof (cases "ins!pc") |
266 case New with xcpt pre |
266 case New with xcpt pre |
267 show ?thesis by (auto dest: new_Addr_OutOfMemory) |
267 show ?thesis by (auto dest: new_Addr_OutOfMemory dest!: preallocatedD) |
268 next |
268 next |
269 case Throw with xcpt wt |
269 case Throw with xcpt wt |
270 show ?thesis |
270 show ?thesis |
271 by (auto simp add: wt_instr_def correct_state_def correct_frame_def |
271 by (auto simp add: wt_instr_def correct_state_def correct_frame_def |
272 dest: non_npD) |
272 dest: non_npD dest!: preallocatedD) |
273 qed auto |
273 qed (auto dest!: preallocatedD) |
274 qed |
274 qed |
|
275 |
|
276 |
|
277 lemma cname_of_xcp [intro]: |
|
278 "\<lbrakk>preallocated hp; xcp = Addr (XcptRef x)\<rbrakk> \<Longrightarrow> cname_of hp xcp = Xcpt x" |
|
279 by (auto elim: preallocatedE [of hp x]) |
275 |
280 |
276 |
281 |
277 text {* |
282 text {* |
278 Finally we can state that, whenever an exception occurs, the |
283 Finally we can state that, whenever an exception occurs, the |
279 resulting next state always conforms: |
284 resulting next state always conforms: |
356 next |
361 next |
357 case New |
362 case New |
358 with some_handler xp' |
363 with some_handler xp' |
359 have xcp: "xcp = Addr (XcptRef OutOfMemory)" |
364 have xcp: "xcp = Addr (XcptRef OutOfMemory)" |
360 by (simp add: raise_system_xcpt_def split_beta new_Addr_OutOfMemory) |
365 by (simp add: raise_system_xcpt_def split_beta new_Addr_OutOfMemory) |
361 with prehp have "cname_of hp xcp = Xcpt OutOfMemory" by simp |
366 with prehp have "cname_of hp xcp = Xcpt OutOfMemory" .. |
362 with New some_handler phi_pc eff |
367 with New some_handler phi_pc eff |
363 obtain ST' LT' where |
368 obtain ST' LT' where |
364 phi': "phi C sig ! handler = Some (ST', LT')" and |
369 phi': "phi C sig ! handler = Some (ST', LT')" and |
365 less: "G \<turnstile> ([Class (Xcpt OutOfMemory)], LT) <=s (ST', LT')" and |
370 less: "G \<turnstile> ([Class (Xcpt OutOfMemory)], LT) <=s (ST', LT')" and |
366 pc': "handler < length ins" |
371 pc': "handler < length ins" |
367 by (simp add: xcpt_eff_def match_et_imp_match) blast |
372 by (simp add: xcpt_eff_def match_et_imp_match) blast |
368 note phi' |
373 note phi' |
369 moreover |
374 moreover |
370 { from xcp prehp |
375 { from xcp prehp |
371 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt OutOfMemory)" |
376 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt OutOfMemory)" |
372 by (simp add: conf_def obj_ty_def) |
377 by (auto simp add: conf_def obj_ty_def dest!: preallocatedD) |
373 moreover |
378 moreover |
374 from wf less loc |
379 from wf less loc |
375 have "approx_loc G hp loc LT'" |
380 have "approx_loc G hp loc LT'" |
376 by (simp add: sup_state_conv) blast |
381 by (simp add: sup_state_conv) blast |
377 moreover |
382 moreover |
386 next |
391 next |
387 case Getfield |
392 case Getfield |
388 with some_handler xp' |
393 with some_handler xp' |
389 have xcp: "xcp = Addr (XcptRef NullPointer)" |
394 have xcp: "xcp = Addr (XcptRef NullPointer)" |
390 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
395 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
391 with prehp have "cname_of hp xcp = Xcpt NullPointer" by simp |
396 with prehp have "cname_of hp xcp = Xcpt NullPointer" .. |
392 with Getfield some_handler phi_pc eff |
397 with Getfield some_handler phi_pc eff |
393 obtain ST' LT' where |
398 obtain ST' LT' where |
394 phi': "phi C sig ! handler = Some (ST', LT')" and |
399 phi': "phi C sig ! handler = Some (ST', LT')" and |
395 less: "G \<turnstile> ([Class (Xcpt NullPointer)], LT) <=s (ST', LT')" and |
400 less: "G \<turnstile> ([Class (Xcpt NullPointer)], LT) <=s (ST', LT')" and |
396 pc': "handler < length ins" |
401 pc': "handler < length ins" |
397 by (simp add: xcpt_eff_def match_et_imp_match) blast |
402 by (simp add: xcpt_eff_def match_et_imp_match) blast |
398 note phi' |
403 note phi' |
399 moreover |
404 moreover |
400 { from xcp prehp |
405 { from xcp prehp |
401 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt NullPointer)" |
406 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt NullPointer)" |
402 by (simp add: conf_def obj_ty_def) |
407 by (auto simp add: conf_def obj_ty_def dest!: preallocatedD) |
403 moreover |
408 moreover |
404 from wf less loc |
409 from wf less loc |
405 have "approx_loc G hp loc LT'" |
410 have "approx_loc G hp loc LT'" |
406 by (simp add: sup_state_conv) blast |
411 by (simp add: sup_state_conv) blast |
407 moreover |
412 moreover |
416 next |
421 next |
417 case Putfield |
422 case Putfield |
418 with some_handler xp' |
423 with some_handler xp' |
419 have xcp: "xcp = Addr (XcptRef NullPointer)" |
424 have xcp: "xcp = Addr (XcptRef NullPointer)" |
420 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
425 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
421 with prehp have "cname_of hp xcp = Xcpt NullPointer" by simp |
426 with prehp have "cname_of hp xcp = Xcpt NullPointer" .. |
422 with Putfield some_handler phi_pc eff |
427 with Putfield some_handler phi_pc eff |
423 obtain ST' LT' where |
428 obtain ST' LT' where |
424 phi': "phi C sig ! handler = Some (ST', LT')" and |
429 phi': "phi C sig ! handler = Some (ST', LT')" and |
425 less: "G \<turnstile> ([Class (Xcpt NullPointer)], LT) <=s (ST', LT')" and |
430 less: "G \<turnstile> ([Class (Xcpt NullPointer)], LT) <=s (ST', LT')" and |
426 pc': "handler < length ins" |
431 pc': "handler < length ins" |
427 by (simp add: xcpt_eff_def match_et_imp_match) blast |
432 by (simp add: xcpt_eff_def match_et_imp_match) blast |
428 note phi' |
433 note phi' |
429 moreover |
434 moreover |
430 { from xcp prehp |
435 { from xcp prehp |
431 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt NullPointer)" |
436 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt NullPointer)" |
432 by (simp add: conf_def obj_ty_def) |
437 by (auto simp add: conf_def obj_ty_def dest!: preallocatedD) |
433 moreover |
438 moreover |
434 from wf less loc |
439 from wf less loc |
435 have "approx_loc G hp loc LT'" |
440 have "approx_loc G hp loc LT'" |
436 by (simp add: sup_state_conv) blast |
441 by (simp add: sup_state_conv) blast |
437 moreover |
442 moreover |
446 next |
451 next |
447 case Checkcast |
452 case Checkcast |
448 with some_handler xp' |
453 with some_handler xp' |
449 have xcp: "xcp = Addr (XcptRef ClassCast)" |
454 have xcp: "xcp = Addr (XcptRef ClassCast)" |
450 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
455 by (simp add: raise_system_xcpt_def split_beta split: split_if_asm) |
451 with prehp have "cname_of hp xcp = Xcpt ClassCast" by simp |
456 with prehp have "cname_of hp xcp = Xcpt ClassCast" .. |
452 with Checkcast some_handler phi_pc eff |
457 with Checkcast some_handler phi_pc eff |
453 obtain ST' LT' where |
458 obtain ST' LT' where |
454 phi': "phi C sig ! handler = Some (ST', LT')" and |
459 phi': "phi C sig ! handler = Some (ST', LT')" and |
455 less: "G \<turnstile> ([Class (Xcpt ClassCast)], LT) <=s (ST', LT')" and |
460 less: "G \<turnstile> ([Class (Xcpt ClassCast)], LT) <=s (ST', LT')" and |
456 pc': "handler < length ins" |
461 pc': "handler < length ins" |
457 by (simp add: xcpt_eff_def match_et_imp_match) blast |
462 by (simp add: xcpt_eff_def match_et_imp_match) blast |
458 note phi' |
463 note phi' |
459 moreover |
464 moreover |
460 { from xcp prehp |
465 { from xcp prehp |
461 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt ClassCast)" |
466 have "G,hp \<turnstile> xcp ::\<preceq> Class (Xcpt ClassCast)" |
462 by (simp add: conf_def obj_ty_def) |
467 by (auto simp add: conf_def obj_ty_def dest!: preallocatedD) |
463 moreover |
468 moreover |
464 from wf less loc |
469 from wf less loc |
465 have "approx_loc G hp loc LT'" |
470 have "approx_loc G hp loc LT'" |
466 by (simp add: sup_state_conv) blast |
471 by (simp add: sup_state_conv) blast |
467 moreover |
472 moreover |
1294 apply (erule rtrancl_induct) |
1299 apply (erule rtrancl_induct) |
1295 apply simp |
1300 apply simp |
1296 apply (auto intro: BV_correct_1) |
1301 apply (auto intro: BV_correct_1) |
1297 done |
1302 done |
1298 |
1303 |
|
1304 |
1299 theorem BV_correct_implies_approx: |
1305 theorem BV_correct_implies_approx: |
1300 "\<lbrakk> wt_jvm_prog G phi; |
1306 "\<lbrakk> wt_jvm_prog G phi; |
1301 G \<turnstile> s0 -jvm\<rightarrow> (None,hp,(stk,loc,C,sig,pc)#frs); G,phi \<turnstile>JVM s0 \<surd>\<rbrakk> |
1307 G \<turnstile> s0 -jvm\<rightarrow> (None,hp,(stk,loc,C,sig,pc)#frs); G,phi \<turnstile>JVM s0 \<surd>\<rbrakk> |
1302 \<Longrightarrow> approx_stk G hp stk (fst (the (phi C sig ! pc))) \<and> |
1308 \<Longrightarrow> approx_stk G hp stk (fst (the (phi C sig ! pc))) \<and> |
1303 approx_loc G hp loc (snd (the (phi C sig ! pc)))" |
1309 approx_loc G hp loc (snd (the (phi C sig ! pc)))" |
1305 apply assumption+ |
1311 apply assumption+ |
1306 apply (simp add: correct_state_def correct_frame_def split_def |
1312 apply (simp add: correct_state_def correct_frame_def split_def |
1307 split: option.splits) |
1313 split: option.splits) |
1308 done |
1314 done |
1309 |
1315 |
|
1316 lemma |
|
1317 fixes G :: jvm_prog ("\<Gamma>") |
|
1318 assumes wf: "wf_prog wf_mb \<Gamma>" |
|
1319 shows hconf_start: "\<Gamma> \<turnstile>h (start_heap \<Gamma>) \<surd>" |
|
1320 apply (unfold hconf_def start_heap_def) |
|
1321 apply (auto simp add: fun_upd_apply blank_def oconf_def split: split_if_asm) |
|
1322 apply (simp add: fields_is_type [OF _ wf is_class_xcpt [OF wf]])+ |
|
1323 done |
|
1324 |
|
1325 lemma |
|
1326 fixes G :: jvm_prog ("\<Gamma>") and Phi :: prog_type ("\<Phi>") |
|
1327 shows BV_correct_initial: |
|
1328 "wt_jvm_prog \<Gamma> \<Phi> \<Longrightarrow> is_class \<Gamma> C \<Longrightarrow> method (\<Gamma>,C) (m,[]) = Some (C, b) |
|
1329 \<Longrightarrow> \<Gamma>,\<Phi> \<turnstile>JVM start_state G C m \<surd>" |
|
1330 apply (cases b) |
|
1331 apply (unfold start_state_def) |
|
1332 apply (unfold correct_state_def) |
|
1333 apply (auto simp add: preallocated_start) |
|
1334 apply (simp add: wt_jvm_prog_def hconf_start) |
|
1335 apply (drule wt_jvm_prog_impl_wt_start, assumption+) |
|
1336 apply (clarsimp simp add: wt_start_def) |
|
1337 apply (auto simp add: correct_frame_def) |
|
1338 apply (simp add: approx_stk_def sup_state_conv) |
|
1339 apply (auto simp add: sup_state_conv approx_val_def dest!: widen_RefT split: err.splits) |
|
1340 done |
|
1341 |
|
1342 theorem |
|
1343 fixes G :: jvm_prog ("\<Gamma>") and Phi :: prog_type ("\<Phi>") |
|
1344 assumes welltyped: "wt_jvm_prog \<Gamma> \<Phi>" and |
|
1345 main_method: "is_class \<Gamma> C" "method (\<Gamma>,C) (m,[]) = Some (C, b)" |
|
1346 shows typesafe: |
|
1347 "G \<turnstile> start_state \<Gamma> C m -jvm\<rightarrow> s \<Longrightarrow> \<Gamma>,\<Phi> \<turnstile>JVM s \<surd>" |
|
1348 proof - |
|
1349 from welltyped main_method |
|
1350 have "\<Gamma>,\<Phi> \<turnstile>JVM start_state \<Gamma> C m \<surd>" by (rule BV_correct_initial) |
|
1351 moreover |
|
1352 assume "G \<turnstile> start_state \<Gamma> C m -jvm\<rightarrow> s" |
|
1353 ultimately |
|
1354 show "\<Gamma>,\<Phi> \<turnstile>JVM s \<surd>" using welltyped by - (rule BV_correct) |
|
1355 qed |
|
1356 |
1310 end |
1357 end |