279 have app: |
279 have app: |
280 "xcpt_app (ins!pc) G pc et \<and> app' (ins!pc, G, pc, maxs, rT, (ST,LT))" |
280 "xcpt_app (ins!pc) G pc et \<and> app' (ins!pc, G, pc, maxs, rT, (ST,LT))" |
281 by (clarsimp simp add: app_def) |
281 by (clarsimp simp add: app_def) |
282 |
282 |
283 with eff stk loc pc' |
283 with eff stk loc pc' |
284 have "check_instr (ins!pc) G hp stk loc C sig pc frs'" |
284 have "check_instr (ins!pc) G hp stk loc C sig pc maxs frs'" |
285 proof (cases "ins!pc") |
285 proof (cases "ins!pc") |
286 case (Getfield F C) |
286 case (Getfield F C) |
287 with app stk loc phi obtain v vT stk' where |
287 with app stk loc phi obtain v vT stk' where |
288 class: "is_class G C" and |
288 class: "is_class G C" and |
289 field: "field (G, C) F = Some (C, vT)" and |
289 field: "field (G, C) F = Some (C, vT)" and |
389 apply clarsimp |
389 apply clarsimp |
390 apply (drule conf_widen [OF wf], assumption) |
390 apply (drule conf_widen [OF wf], assumption) |
391 apply (clarsimp simp add: neq_Nil_conv isRef_def2) |
391 apply (clarsimp simp add: neq_Nil_conv isRef_def2) |
392 done |
392 done |
393 qed auto |
393 qed auto |
394 hence "check G s" by (simp add: check_def meth) |
394 hence "check G s" by (simp add: check_def meth pc) |
395 } ultimately |
395 } ultimately |
396 have "check G s" by blast |
396 have "check G s" by blast |
397 thus "exec_d G (Normal s) \<noteq> TypeError" .. |
397 thus "exec_d G (Normal s) \<noteq> TypeError" .. |
398 qed |
398 qed |
399 |
399 |
417 apply (rule rtrancl_trans, assumption) |
417 apply (rule rtrancl_trans, assumption) |
418 apply blast |
418 apply blast |
419 done |
419 done |
420 |
420 |
421 |
421 |
|
422 lemma neq_TypeError_eq [simp]: "s \<noteq> TypeError = (\<exists>s'. s = Normal s')" |
|
423 by (cases s, auto) |
|
424 |
|
425 theorem no_type_errors: |
|
426 "wt_jvm_prog G Phi \<Longrightarrow> G,Phi \<turnstile>JVM s \<surd> |
|
427 \<Longrightarrow> G \<turnstile> (Normal s) -jvmd\<rightarrow> t \<Longrightarrow> t \<noteq> TypeError" |
|
428 apply (unfold exec_all_d_def) |
|
429 apply (erule rtrancl_induct) |
|
430 apply simp |
|
431 apply (fold exec_all_d_def) |
|
432 apply (auto dest: defensive_imp_aggressive BV_correct no_type_error) |
|
433 done |
|
434 |
|
435 corollary no_type_errors_initial: |
|
436 fixes G ("\<Gamma>") and Phi ("\<Phi>") |
|
437 assumes "wt_jvm_prog \<Gamma> \<Phi>" |
|
438 assumes "is_class \<Gamma> C" "method (\<Gamma>,C) (m,[]) = Some (C, b)" "m \<noteq> init" |
|
439 defines start: "s \<equiv> start_state \<Gamma> C m" |
|
440 |
|
441 assumes "\<Gamma> \<turnstile> (Normal s) -jvmd\<rightarrow> t" |
|
442 shows "t \<noteq> TypeError" |
|
443 proof - |
|
444 have "\<Gamma>,\<Phi> \<turnstile>JVM s \<surd>" by (unfold start, rule BV_correct_initial) |
|
445 thus ?thesis by - (rule no_type_errors) |
|
446 qed |
|
447 |
422 text {* |
448 text {* |
423 As corollary we get that the aggressive and the defensive machine |
449 As corollary we get that the aggressive and the defensive machine |
424 are equivalent for welltyped programs (if started in a conformant |
450 are equivalent for welltyped programs (if started in a conformant |
425 state or in the canonical start state) |
451 state or in the canonical start state) |
426 *} |
452 *} |