|
1 (* Title: HOL/Imperative_HOL/Overview.thy |
|
2 Author: Florian Haftmann, TU Muenchen |
|
3 *) |
|
4 |
|
5 (*<*) |
|
6 theory Overview |
|
7 imports Imperative_HOL LaTeXsugar |
|
8 begin |
|
9 |
|
10 (* type constraints with spacing *) |
|
11 setup {* |
|
12 let |
|
13 val typ = Simple_Syntax.read_typ; |
|
14 val typeT = Syntax.typeT; |
|
15 val spropT = Syntax.spropT; |
|
16 in |
|
17 Sign.del_modesyntax_i (Symbol.xsymbolsN, false) [ |
|
18 ("_constrain", typ "logic => type => logic", Mixfix ("_\<Colon>_", [4, 0], 3)), |
|
19 ("_constrain", [spropT, typeT] ---> spropT, Mixfix ("_\<Colon>_", [4, 0], 3))] |
|
20 #> Sign.add_modesyntax_i (Symbol.xsymbolsN, false) [ |
|
21 ("_constrain", typ "logic => type => logic", Mixfix ("_ \<Colon> _", [4, 0], 3)), |
|
22 ("_constrain", [spropT, typeT] ---> spropT, Mixfix ("_ \<Colon> _", [4, 0], 3))] |
|
23 end |
|
24 *}(*>*) |
|
25 |
|
26 text {* |
|
27 @{text "Imperative HOL"} is a leightweight framework for reasoning |
|
28 about imperative data structures in @{text "Isabelle/HOL"} |
|
29 \cite{Nipkow-et-al:2002:tutorial}. Its basic ideas are described in |
|
30 \cite{Bulwahn-et-al:2008:imp_HOL}. However their concrete |
|
31 realisation has changed since, due to both extensions and |
|
32 refinements. Therefore this overview wants to present the framework |
|
33 \qt{as it is} by now. It focusses on the user-view, less on matters |
|
34 of constructions. For details study of the theory sources is |
|
35 encouraged. |
|
36 *} |
|
37 |
|
38 |
|
39 section {* A polymorphic heap inside a monad *} |
|
40 |
|
41 text {* |
|
42 Heaps (@{type heap}) can be populated by values of class @{class |
|
43 heap}; HOL's default types are already instantiated to class @{class |
|
44 heap}. |
|
45 |
|
46 The heap is wrapped up in a monad @{typ "'a Heap"} by means of the |
|
47 following specification: |
|
48 |
|
49 \begin{quote} |
|
50 @{datatype Heap} |
|
51 \end{quote} |
|
52 |
|
53 Unwrapping of this monad type happens through |
|
54 |
|
55 \begin{quote} |
|
56 @{term_type execute} \\ |
|
57 @{thm execute.simps [no_vars]} |
|
58 \end{quote} |
|
59 |
|
60 This allows for equational reasoning about monadic expressions; the |
|
61 fact collection @{text execute_simps} contains appropriate rewrites |
|
62 for all fundamental operations. |
|
63 |
|
64 Primitive fine-granular control over heaps is avialable through rule |
|
65 @{text Heap_cases}: |
|
66 |
|
67 \begin{quote} |
|
68 @{thm [break] Heap_cases [no_vars]} |
|
69 \end{quote} |
|
70 |
|
71 Monadic expression involve the usual combinators: |
|
72 |
|
73 \begin{quote} |
|
74 @{term_type return} \\ |
|
75 @{term_type bind} \\ |
|
76 @{term_type raise} |
|
77 \end{quote} |
|
78 |
|
79 This is also associated with nice monad do-syntax. The @{typ |
|
80 string} argument to @{const raise} is just a codified comment. |
|
81 |
|
82 Among a couple of generic combinators the following is helpful for |
|
83 establishing invariants: |
|
84 |
|
85 \begin{quote} |
|
86 @{term_type assert} \\ |
|
87 @{thm assert_def [no_vars]} |
|
88 \end{quote} |
|
89 *} |
|
90 |
|
91 |
|
92 section {* Relational reasoning about @{type Heap} expressions *} |
|
93 |
|
94 text {* |
|
95 To establish correctness of imperative programs, predicate |
|
96 |
|
97 \begin{quote} |
|
98 @{term_type crel} |
|
99 \end{quote} |
|
100 |
|
101 provides a simple relational calculus. Primitive rules are @{text |
|
102 crelI} and @{text crelE}, rules appropriate for reasoning about |
|
103 imperative operation are available in the @{text crel_intros} and |
|
104 @{text crel_elims} fact collections. |
|
105 |
|
106 Often non-failure of imperative computations does not depend |
|
107 on the heap at all; reasoning then can be easier using predicate |
|
108 |
|
109 \begin{quote} |
|
110 @{term_type success} |
|
111 \end{quote} |
|
112 |
|
113 Introduction rules for @{const success} are available in the |
|
114 @{text success_intro} fact collection. |
|
115 |
|
116 @{const execute}, @{const crel}, @{const success} and @{const bind} |
|
117 are related by rules @{text execute_bind_success}, @{text |
|
118 success_bind_executeI}, @{text success_bind_crelI}, @{text |
|
119 crel_bindI}, @{text crel_bindE} and @{text execute_bind_eq_SomeI}. |
|
120 *} |
|
121 |
|
122 |
|
123 section {* Monadic data structures *} |
|
124 |
|
125 text {* |
|
126 The operations for monadic data structures (arrays and references) |
|
127 come in two flavours: |
|
128 |
|
129 \begin{itemize} |
|
130 |
|
131 \item Operations on the bare heap; their number is kept minimal |
|
132 to facilitate proving. |
|
133 |
|
134 \item Operations on the heap wrapped up in a monad; these are designed |
|
135 for executing. |
|
136 |
|
137 \end{itemize} |
|
138 |
|
139 Provided proof rules are such that they reduce monad operations to |
|
140 operations on bare heaps. |
|
141 *} |
|
142 |
|
143 subsection {* Arrays *} |
|
144 |
|
145 text {* |
|
146 Heap operations: |
|
147 |
|
148 \begin{quote} |
|
149 @{term_type Array.alloc} \\ |
|
150 @{term_type Array.present} \\ |
|
151 @{term_type Array.get} \\ |
|
152 @{term_type Array.set} \\ |
|
153 @{term_type Array.length} \\ |
|
154 @{term_type Array.update} \\ |
|
155 @{term_type Array.noteq} |
|
156 \end{quote} |
|
157 |
|
158 Monad operations: |
|
159 |
|
160 \begin{quote} |
|
161 @{term_type Array.new} \\ |
|
162 @{term_type Array.of_list} \\ |
|
163 @{term_type Array.make} \\ |
|
164 @{term_type Array.len} \\ |
|
165 @{term_type Array.nth} \\ |
|
166 @{term_type Array.upd} \\ |
|
167 @{term_type Array.map_entry} \\ |
|
168 @{term_type Array.swap} \\ |
|
169 @{term_type Array.freeze} |
|
170 \end{quote} |
|
171 *} |
|
172 |
|
173 subsection {* References *} |
|
174 |
|
175 text {* |
|
176 Heap operations: |
|
177 |
|
178 \begin{quote} |
|
179 @{term_type Ref.alloc} \\ |
|
180 @{term_type Ref.present} \\ |
|
181 @{term_type Ref.get} \\ |
|
182 @{term_type Ref.set} \\ |
|
183 @{term_type Ref.noteq} |
|
184 \end{quote} |
|
185 |
|
186 Monad operations: |
|
187 |
|
188 \begin{quote} |
|
189 @{term_type Ref.ref} \\ |
|
190 @{term_type Ref.lookup} \\ |
|
191 @{term_type Ref.update} \\ |
|
192 @{term_type Ref.change} |
|
193 \end{quote} |
|
194 *} |
|
195 |
|
196 |
|
197 section {* Code generation *} |
|
198 |
|
199 text {* |
|
200 Imperative HOL sets up the code generator in a way that imperative |
|
201 operations are mapped to suitable counterparts in the target |
|
202 language. For @{text Haskell}, a suitable @{text ST} monad is used; |
|
203 for @{text SML}, @{text Ocaml} and @{text Scala} unit values ensure |
|
204 that the evaluation order is the same as you would expect from the |
|
205 original monadic expressions. These units may look cumbersome; the |
|
206 target language variants @{text SML_imp}, @{text Ocaml_imp} and |
|
207 @{text Scala_imp} make some effort to optimize some of them away. |
|
208 *} |
|
209 |
|
210 |
|
211 section {* Some hints for using the framework *} |
|
212 |
|
213 text {* |
|
214 Of course a framework itself does not by itself indicate how to make |
|
215 best use of it. Here some hints drawn from prior experiences with |
|
216 Imperative HOL: |
|
217 |
|
218 \begin{itemize} |
|
219 |
|
220 \item Proofs on bare heaps should be strictly separated from those |
|
221 for monadic expressions. The first capture the essence, while the |
|
222 latter just describe a certain wrapping-up. |
|
223 |
|
224 \item A good methodology is to gradually improve an imperative |
|
225 program from a functional one. In the extreme case this means |
|
226 that an original functional program is decomposed into suitable |
|
227 operations with exactly one corresponding imperative operation. |
|
228 Having shown suitable correspondence lemmas between those, the |
|
229 correctness prove of the whole imperative program simply |
|
230 consists of composing those. |
|
231 |
|
232 \item Whether one should prefer equational reasoning (fact |
|
233 collection @{text execute_simps} or relational reasoning (fact |
|
234 collections @{text crel_intros} and @{text crel_elims}) dependes |
|
235 on the problems. For complex expressions or expressions |
|
236 involving binders, the relation style usually is superior but |
|
237 requires more proof text. |
|
238 |
|
239 \item Note that you can extend the fact collections of Imperative |
|
240 HOL yourself. |
|
241 |
|
242 \end{itemize} |
|
243 *} |
|
244 |
|
245 end |