equal
deleted
inserted
replaced
1 header "Verification Conditions" |
1 (* Author: Tobias Nipkow *) |
2 |
2 |
3 theory VC imports Hoare begin |
3 theory VC imports Hoare begin |
4 |
4 |
5 subsection "VCG via Weakest Preconditions" |
5 subsection "Verification Conditions" |
6 |
6 |
7 text{* Annotated commands: commands where loops are annotated with |
7 text{* Annotated commands: commands where loops are annotated with |
8 invariants. *} |
8 invariants. *} |
9 |
9 |
10 datatype acom = |
10 datatype acom = |
44 "strip (Aassign x a) = (x::=a)" | |
44 "strip (Aassign x a) = (x::=a)" | |
45 "strip (Aseq c\<^isub>1 c\<^isub>2) = (strip c\<^isub>1; strip c\<^isub>2)" | |
45 "strip (Aseq c\<^isub>1 c\<^isub>2) = (strip c\<^isub>1; strip c\<^isub>2)" | |
46 "strip (Aif b c\<^isub>1 c\<^isub>2) = (IF b THEN strip c\<^isub>1 ELSE strip c\<^isub>2)" | |
46 "strip (Aif b c\<^isub>1 c\<^isub>2) = (IF b THEN strip c\<^isub>1 ELSE strip c\<^isub>2)" | |
47 "strip (Awhile I b c) = (WHILE b DO strip c)" |
47 "strip (Awhile I b c) = (WHILE b DO strip c)" |
48 |
48 |
49 subsection "Soundness" |
49 text {* Soundness: *} |
50 |
50 |
51 lemma vc_sound: "\<forall>s. vc c Q s \<Longrightarrow> \<turnstile> {pre c Q} strip c {Q}" |
51 lemma vc_sound: "\<forall>s. vc c Q s \<Longrightarrow> \<turnstile> {pre c Q} strip c {Q}" |
52 proof(induction c arbitrary: Q) |
52 proof(induction c arbitrary: Q) |
53 case (Awhile I b c) |
53 case (Awhile I b c) |
54 show ?case |
54 show ?case |
66 corollary vc_sound': |
66 corollary vc_sound': |
67 "(\<forall>s. vc c Q s) \<and> (\<forall>s. P s \<longrightarrow> pre c Q s) \<Longrightarrow> \<turnstile> {P} strip c {Q}" |
67 "(\<forall>s. vc c Q s) \<and> (\<forall>s. P s \<longrightarrow> pre c Q s) \<Longrightarrow> \<turnstile> {P} strip c {Q}" |
68 by (metis strengthen_pre vc_sound) |
68 by (metis strengthen_pre vc_sound) |
69 |
69 |
70 |
70 |
71 subsection "Completeness" |
71 text{* Completeness: *} |
72 |
72 |
73 lemma pre_mono: |
73 lemma pre_mono: |
74 "\<forall>s. P s \<longrightarrow> P' s \<Longrightarrow> pre c P s \<Longrightarrow> pre c P' s" |
74 "\<forall>s. P s \<longrightarrow> P' s \<Longrightarrow> pre c P s \<Longrightarrow> pre c P' s" |
75 proof (induction c arbitrary: P P' s) |
75 proof (induction c arbitrary: P P' s) |
76 case Aseq thus ?case by simp metis |
76 case Aseq thus ?case by simp metis |
120 next |
120 next |
121 case conseq thus ?case by(fast elim!: pre_mono vc_mono) |
121 case conseq thus ?case by(fast elim!: pre_mono vc_mono) |
122 qed |
122 qed |
123 |
123 |
124 |
124 |
125 subsection "An Optimization" |
125 text{* An Optimization: *} |
126 |
126 |
127 fun vcpre :: "acom \<Rightarrow> assn \<Rightarrow> assn \<times> assn" where |
127 fun vcpre :: "acom \<Rightarrow> assn \<Rightarrow> assn \<times> assn" where |
128 "vcpre ASKIP Q = (\<lambda>s. True, Q)" | |
128 "vcpre ASKIP Q = (\<lambda>s. True, Q)" | |
129 "vcpre (Aassign x a) Q = (\<lambda>s. True, \<lambda>s. Q(s[a/x]))" | |
129 "vcpre (Aassign x a) Q = (\<lambda>s. True, \<lambda>s. Q(s[a/x]))" | |
130 "vcpre (Aseq c\<^isub>1 c\<^isub>2) Q = |
130 "vcpre (Aseq c\<^isub>1 c\<^isub>2) Q = |