1 (* Title: HOL/Hoare/Hoare.ML |
|
2 ID: $Id$ |
|
3 Author: Leonor Prensa Nieto & Tobias Nipkow |
|
4 Copyright 1998 TUM |
|
5 |
|
6 Derivation of the proof rules and, most importantly, the VCG tactic. |
|
7 *) |
|
8 |
|
9 (*** The proof rules ***) |
|
10 |
|
11 Goalw [thm "Valid_def"] "p <= q ==> Valid p (Basic id) q"; |
|
12 by (Auto_tac); |
|
13 qed "SkipRule"; |
|
14 |
|
15 Goalw [thm "Valid_def"] "p <= {s. (f s):q} ==> Valid p (Basic f) q"; |
|
16 by (Auto_tac); |
|
17 qed "BasicRule"; |
|
18 |
|
19 Goalw [thm "Valid_def"] "Valid P c1 Q ==> Valid Q c2 R ==> Valid P (c1;c2) R"; |
|
20 by (Asm_simp_tac 1); |
|
21 by (Blast_tac 1); |
|
22 qed "SeqRule"; |
|
23 |
|
24 Goalw [thm "Valid_def"] |
|
25 "p <= {s. (s:b --> s:w) & (s~:b --> s:w')} \ |
|
26 \ ==> Valid w c1 q ==> Valid w' c2 q \ |
|
27 \ ==> Valid p (Cond b c1 c2) q"; |
|
28 by (Asm_simp_tac 1); |
|
29 by (Blast_tac 1); |
|
30 qed "CondRule"; |
|
31 |
|
32 Goal "! s s'. Sem c s s' --> s : I Int b --> s' : I ==> \ |
|
33 \ ! s s'. s : I --> iter n b (Sem c) s s' --> s' : I & s' ~: b"; |
|
34 by (induct_tac "n" 1); |
|
35 by (Asm_simp_tac 1); |
|
36 by (Simp_tac 1); |
|
37 by (Blast_tac 1); |
|
38 val lemma = result() RS spec RS spec RS mp RS mp; |
|
39 |
|
40 Goalw [thm "Valid_def"] |
|
41 "p <= i ==> Valid (i Int b) c i ==> i Int (-b) <= q \ |
|
42 \ ==> Valid p (While b j c) q"; |
|
43 by (Asm_simp_tac 1); |
|
44 by (Clarify_tac 1); |
|
45 by (dtac lemma 1); |
|
46 by (assume_tac 2); |
|
47 by (Blast_tac 1); |
|
48 by (Blast_tac 1); |
|
49 qed "WhileRule'"; |
|
50 |
|
51 Goal |
|
52 "p <= i ==> Valid (i Int b) c i ==> i Int (-b) <= q \ |
|
53 \ ==> Valid p (While b i c) q"; |
|
54 by (rtac WhileRule' 1); |
|
55 by (ALLGOALS assume_tac); |
|
56 qed "WhileRule"; |
|
57 |
|
58 (*** The tactics ***) |
|
59 |
|
60 (*****************************************************************************) |
|
61 (** The function Mset makes the theorem **) |
|
62 (** "?Mset <= {(x1,...,xn). ?P (x1,...,xn)} ==> ?Mset <= {s. ?P s}", **) |
|
63 (** where (x1,...,xn) are the variables of the particular program we are **) |
|
64 (** working on at the moment of the call **) |
|
65 (*****************************************************************************) |
|
66 |
|
67 local open HOLogic in |
|
68 |
|
69 (** maps (%x1 ... xn. t) to [x1,...,xn] **) |
|
70 fun abs2list (Const ("split",_) $ (Abs(x,T,t))) = Free (x, T)::abs2list t |
|
71 | abs2list (Abs(x,T,t)) = [Free (x, T)] |
|
72 | abs2list _ = []; |
|
73 |
|
74 (** maps {(x1,...,xn). t} to [x1,...,xn] **) |
|
75 fun mk_vars (Const ("Collect",_) $ T) = abs2list T |
|
76 | mk_vars _ = []; |
|
77 |
|
78 (** abstraction of body over a tuple formed from a list of free variables. |
|
79 Types are also built **) |
|
80 fun mk_abstupleC [] body = absfree ("x", unitT, body) |
|
81 | mk_abstupleC (v::w) body = let val (n,T) = dest_Free v |
|
82 in if w=[] then absfree (n, T, body) |
|
83 else let val z = mk_abstupleC w body; |
|
84 val T2 = case z of Abs(_,T,_) => T |
|
85 | Const (_, Type (_,[_, Type (_,[T,_])])) $ _ => T; |
|
86 in Const ("split", (T --> T2 --> boolT) --> mk_prodT (T,T2) --> boolT) |
|
87 $ absfree (n, T, z) end end; |
|
88 |
|
89 (** maps [x1,...,xn] to (x1,...,xn) and types**) |
|
90 fun mk_bodyC [] = HOLogic.unit |
|
91 | mk_bodyC (x::xs) = if xs=[] then x |
|
92 else let val (n, T) = dest_Free x ; |
|
93 val z = mk_bodyC xs; |
|
94 val T2 = case z of Free(_, T) => T |
|
95 | Const ("Pair", Type ("fun", [_, Type |
|
96 ("fun", [_, T])])) $ _ $ _ => T; |
|
97 in Const ("Pair", [T, T2] ---> mk_prodT (T, T2)) $ x $ z end; |
|
98 |
|
99 fun dest_Goal (Const ("Goal", _) $ P) = P; |
|
100 |
|
101 (** maps a goal of the form: |
|
102 1. [| P |] ==> |- VARS x1 ... xn. {._.} _ {._.} or to [x1,...,xn]**) |
|
103 fun get_vars thm = let val c = dest_Goal (concl_of (thm)); |
|
104 val d = Logic.strip_assums_concl c; |
|
105 val Const _ $ pre $ _ $ _ = dest_Trueprop d; |
|
106 in mk_vars pre end; |
|
107 |
|
108 |
|
109 (** Makes Collect with type **) |
|
110 fun mk_CollectC trm = let val T as Type ("fun",[t,_]) = fastype_of trm |
|
111 in Collect_const t $ trm end; |
|
112 |
|
113 fun inclt ty = Const ("op <=", [ty,ty] ---> boolT); |
|
114 |
|
115 (** Makes "Mset <= t" **) |
|
116 fun Mset_incl t = let val MsetT = fastype_of t |
|
117 in mk_Trueprop ((inclt MsetT) $ Free ("Mset", MsetT) $ t) end; |
|
118 |
|
119 |
|
120 fun Mset thm = let val vars = get_vars(thm); |
|
121 val varsT = fastype_of (mk_bodyC vars); |
|
122 val big_Collect = mk_CollectC (mk_abstupleC vars |
|
123 (Free ("P",varsT --> boolT) $ mk_bodyC vars)); |
|
124 val small_Collect = mk_CollectC (Abs("x",varsT, |
|
125 Free ("P",varsT --> boolT) $ Bound 0)); |
|
126 val impl = implies $ (Mset_incl big_Collect) $ |
|
127 (Mset_incl small_Collect); |
|
128 in Tactic.prove (Thm.sign_of_thm thm) ["Mset", "P"] [] impl (K (CLASET' blast_tac 1)) end; |
|
129 |
|
130 end; |
|
131 |
|
132 |
|
133 (*****************************************************************************) |
|
134 (** Simplifying: **) |
|
135 (** Some useful lemmata, lists and simplification tactics to control which **) |
|
136 (** theorems are used to simplify at each moment, so that the original **) |
|
137 (** input does not suffer any unexpected transformation **) |
|
138 (*****************************************************************************) |
|
139 |
|
140 Goal "-(Collect b) = {x. ~(b x)}"; |
|
141 by (Fast_tac 1); |
|
142 qed "Compl_Collect"; |
|
143 |
|
144 |
|
145 (**Simp_tacs**) |
|
146 |
|
147 val before_set2pred_simp_tac = |
|
148 (simp_tac (HOL_basic_ss addsimps [Collect_conj_eq RS sym,Compl_Collect])); |
|
149 |
|
150 val split_simp_tac = (simp_tac (HOL_basic_ss addsimps [split_conv])); |
|
151 |
|
152 (*****************************************************************************) |
|
153 (** set2pred transforms sets inclusion into predicates implication, **) |
|
154 (** maintaining the original variable names. **) |
|
155 (** Ex. "{x. x=0} <= {x. x <= 1}" -set2pred-> "x=0 --> x <= 1" **) |
|
156 (** Subgoals containing intersections (A Int B) or complement sets (-A) **) |
|
157 (** are first simplified by "before_set2pred_simp_tac", that returns only **) |
|
158 (** subgoals of the form "{x. P x} <= {x. Q x}", which are easily **) |
|
159 (** transformed. **) |
|
160 (** This transformation may solve very easy subgoals due to a ligth **) |
|
161 (** simplification done by (split_all_tac) **) |
|
162 (*****************************************************************************) |
|
163 |
|
164 fun set2pred i thm = let fun mk_string [] = "" |
|
165 | mk_string (x::xs) = x^" "^mk_string xs; |
|
166 val vars=get_vars(thm); |
|
167 val var_string = mk_string (map (fst o dest_Free) vars); |
|
168 in ((before_set2pred_simp_tac i) THEN_MAYBE |
|
169 (EVERY [rtac subsetI i, |
|
170 rtac CollectI i, |
|
171 dtac CollectD i, |
|
172 (TRY(split_all_tac i)) THEN_MAYBE |
|
173 ((rename_tac var_string i) THEN |
|
174 (full_simp_tac (HOL_basic_ss addsimps [split_conv]) i)) ])) thm |
|
175 end; |
|
176 |
|
177 (*****************************************************************************) |
|
178 (** BasicSimpTac is called to simplify all verification conditions. It does **) |
|
179 (** a light simplification by applying "mem_Collect_eq", then it calls **) |
|
180 (** MaxSimpTac, which solves subgoals of the form "A <= A", **) |
|
181 (** and transforms any other into predicates, applying then **) |
|
182 (** the tactic chosen by the user, which may solve the subgoal completely. **) |
|
183 (*****************************************************************************) |
|
184 |
|
185 fun MaxSimpTac tac = FIRST'[rtac subset_refl, set2pred THEN_MAYBE' tac]; |
|
186 |
|
187 fun BasicSimpTac tac = |
|
188 simp_tac |
|
189 (HOL_basic_ss addsimps [mem_Collect_eq,split_conv] addsimprocs [record_simproc]) |
|
190 THEN_MAYBE' MaxSimpTac tac; |
|
191 |
|
192 (** HoareRuleTac **) |
|
193 |
|
194 fun WlpTac Mlem tac i = rtac SeqRule i THEN HoareRuleTac Mlem tac false (i+1) |
|
195 and HoareRuleTac Mlem tac pre_cond i st = st |> |
|
196 (*abstraction over st prevents looping*) |
|
197 ( (WlpTac Mlem tac i THEN HoareRuleTac Mlem tac pre_cond i) |
|
198 ORELSE |
|
199 (FIRST[rtac SkipRule i, |
|
200 EVERY[rtac BasicRule i, |
|
201 rtac Mlem i, |
|
202 split_simp_tac i], |
|
203 EVERY[rtac CondRule i, |
|
204 HoareRuleTac Mlem tac false (i+2), |
|
205 HoareRuleTac Mlem tac false (i+1)], |
|
206 EVERY[rtac WhileRule i, |
|
207 BasicSimpTac tac (i+2), |
|
208 HoareRuleTac Mlem tac true (i+1)] ] |
|
209 THEN (if pre_cond then (BasicSimpTac tac i) else (rtac subset_refl i)) )); |
|
210 |
|
211 |
|
212 (** tac:(int -> tactic) is the tactic the user chooses to solve or simplify **) |
|
213 (** the final verification conditions **) |
|
214 |
|
215 fun hoare_tac tac i thm = |
|
216 let val Mlem = Mset(thm) |
|
217 in SELECT_GOAL(EVERY[HoareRuleTac Mlem tac true 1]) i thm end; |
|