147 then map snd [(p', t')\<in>ss2 . p' = pc + 1] ++|f x |
147 then map snd [(p', t')\<in>ss2 . p' = pc + 1] ++|f x |
148 else Err)" |
148 else Err)" |
149 by (rule merge_def) |
149 by (rule merge_def) |
150 ultimately show ?thesis by simp |
150 ultimately show ?thesis by simp |
151 qed |
151 qed |
152 |
152 |
153 |
153 |
|
154 lemma wtl_inst_mono: |
|
155 assumes wtl: "wtl_inst cert f r step pc s1 = OK s1'" |
|
156 assumes less: "OK s2 \<le>|r (OK s1)" |
|
157 assumes pc: "pc < n" |
|
158 assumes s1: "s1 \<in> opt A" |
|
159 assumes s2: "s2 \<in> opt A" |
|
160 assumes esl: "err_semilat (A,r,f)" |
|
161 assumes cert: "cert_ok cert n A" |
|
162 assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))" |
|
163 assumes pres: "pres_type step n (err (opt A))" |
|
164 shows "\<exists>s2'. wtl_inst cert f r step pc s2 = OK s2' \<and> OK s2' \<le>|r (OK s1')" |
|
165 proof - |
|
166 let "?step s1" = "step pc (OK s1)" |
|
167 let ?cert = "OK (cert!Suc pc)" |
|
168 from wtl |
|
169 have "merge cert f r pc (?step s1) ?cert = OK s1'" by (simp add: wtl_inst_def) |
|
170 moreover |
|
171 have s2: "OK s2 \<in> err (opt A)" by simp |
|
172 with mono have "?step s2 <=|Err.le (Opt.le r)| ?step s1" by - (rule monoD) |
|
173 moreover note esl |
|
174 moreover |
|
175 from pc cert have "?cert \<in> err (opt A)" by (simp add: cert_okD3) |
|
176 moreover |
|
177 have s1: "OK s1 \<in> err (opt A)" by simp |
|
178 with pres pc |
|
179 have "\<forall>(pc', s')\<in>set (?step s1). s' \<in> err (opt A)" |
|
180 by (blast intro: pres_typeD) |
|
181 moreover |
|
182 from pres s2 pc |
|
183 have "\<forall>(pc', s')\<in>set (?step s2). s' \<in> err (opt A)" |
|
184 by (blast intro: pres_typeD) |
|
185 ultimately |
|
186 obtain s2' where "merge cert f r pc (?step s2) ?cert = s2' \<and> s2' \<le>|r (OK s1')" |
|
187 by (blast dest: merge_mono) |
|
188 thus ?thesis by (simp add: wtl_inst_def) |
|
189 qed |
|
190 |
|
191 lemma wtl_cert_mono: |
|
192 assumes wtl: "wtl_cert cert f r step pc s1 = OK s1'" |
|
193 assumes less: "OK s2 \<le>|r (OK s1)" |
|
194 assumes pc: "pc < n" |
|
195 assumes s1: "s1 \<in> opt A" |
|
196 assumes s2: "s2 \<in> opt A" |
|
197 assumes esl: "err_semilat (A,r,f)" |
|
198 assumes cert: "cert_ok cert n A" |
|
199 assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))" |
|
200 assumes pres: "pres_type step n (err (opt A))" |
|
201 shows "\<exists>s2'. wtl_cert cert f r step pc s2 = OK s2' \<and> OK s2' \<le>|r (OK s1')" |
|
202 proof (cases "cert!pc") |
|
203 case None |
|
204 with wtl have "wtl_inst cert f r step pc s1 = OK s1'" |
|
205 by (simp add: wtl_cert_def) |
|
206 hence "\<exists>s2'. wtl_inst cert f r step pc s2 = OK s2' \<and> OK s2' \<le>|r (OK s1')" |
|
207 by - (rule wtl_inst_mono) |
|
208 with None show ?thesis by (simp add: wtl_cert_def) |
|
209 next |
|
210 case (Some s') |
|
211 with wtl obtain |
|
212 wti: "wtl_inst cert f r step pc (Some s') = OK s1'" and |
|
213 s': "OK s1 \<le>|r OK (Some s')" |
|
214 by (auto simp add: wtl_cert_def split: split_if_asm) |
|
215 from esl have order: "order (Opt.le r)" by simp |
|
216 hence "order (Err.le (Opt.le r))" by simp |
|
217 with less s' have "OK s2 \<le>|r OK (Some s')" by - (drule order_trans) |
|
218 with Some wti order show ?thesis by (simp add: wtl_cert_def) |
|
219 qed |
|
220 |
|
221 |
154 lemma stable_wtl: |
222 lemma stable_wtl: |
155 assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
223 assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
156 assumes fits: "fits step cert phi" |
224 assumes fits: "fits step cert phi" |
157 assumes pc: "pc < length phi" |
225 assumes pc: "pc < length phi" |
158 assumes bounded:"bounded step (length phi)" |
226 assumes bounded: "bounded step (length phi)" |
|
227 assumes esl: "err_semilat (A, r, f)" |
|
228 assumes cert_ok: "cert_ok cert (length phi) A" |
|
229 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
|
230 assumes pres: "pres_type step (length phi) (err (opt A))" |
159 shows "wtl_inst cert f r step pc (phi!pc) \<noteq> Err" |
231 shows "wtl_inst cert f r step pc (phi!pc) \<noteq> Err" |
160 proof - |
232 proof - |
|
233 from esl have order: "order (Opt.le r)" by simp |
|
234 |
|
235 let ?step = "step pc (OK (phi!pc))" |
161 from pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp |
236 from pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp |
162 from stable |
237 from stable |
163 have "\<forall>(q,s')\<in>set (step pc (OK (phi!pc))). s' \<le>|r (map OK phi!q)" |
238 have less: "\<forall>(q,s')\<in>set ?step. s' \<le>|r (map OK phi!q)" |
164 by (simp add: stable_def) |
239 by (simp add: stable_def) |
165 |
240 |
166 have "merge cert f r pc (step pc (OK (phi ! pc))) (OK (cert ! Suc pc)) \<noteq> Err" |
241 from cert_ok pc |
167 sorry |
242 have cert_suc: "OK (cert!Suc pc) \<in> err (opt A)" by (auto dest: cert_okD3) |
|
243 moreover |
|
244 from phi_ok pc |
|
245 have "OK (phi!pc) \<in> err (opt A)" by simp |
|
246 with pres pc |
|
247 have stepA: "\<forall>(pc',s') \<in> set ?step. s' \<in> err (opt A)" |
|
248 by (blast dest: pres_typeD) |
|
249 ultimately |
|
250 have "merge cert f r pc ?step (OK (cert!Suc pc)) = |
|
251 (if \<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>|r (OK (cert!pc')) |
|
252 then map snd [(p',t')\<in>?step.p'=pc+1] ++|f (OK (cert!Suc pc)) |
|
253 else Err)" using esl by - (rule merge_def) |
|
254 moreover { |
|
255 fix pc' s' assume s': "(pc', s') \<in> set ?step" and suc_pc: "pc' \<noteq> pc+1" |
|
256 from bounded pc s' have pc': "pc' < length phi" by (rule boundedD) |
|
257 hence [simp]: "map OK phi ! pc' = OK (phi!pc')" by simp |
|
258 with s' less have "s' \<le>|r OK (phi!pc')" by auto |
|
259 also from fits s' suc_pc pc pc' |
|
260 have "cert!pc' = phi!pc'" by (rule fitsD) |
|
261 hence "phi!pc' = cert!pc'" .. |
|
262 finally have "s' \<le>|r (OK (cert!pc'))" . |
|
263 } hence "\<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>|r (OK (cert!pc'))" by auto |
|
264 moreover |
|
265 from pc have "Suc pc = length phi \<or> Suc pc < length phi" by auto |
|
266 hence "(map snd [(p',t')\<in>?step.p'=pc+1] ++|f (OK (cert!Suc pc))) \<noteq> Err" |
|
267 (is "(?map ++|f _) \<noteq> _") |
|
268 proof (rule disjE) |
|
269 assume pc': "Suc pc = length phi" |
|
270 with cert_ok have "cert!Suc pc = None" by (simp add: cert_okD2) |
|
271 moreover |
|
272 from pc' bounded pc |
|
273 have "\<forall>(p',t')\<in>set ?step. p'\<noteq>pc+1" by clarify (drule boundedD, auto) |
|
274 hence "[(p',t')\<in>?step.p'=pc+1] = []" by (blast intro: filter_False) |
|
275 hence "?map = []" by simp |
|
276 ultimately show ?thesis by simp |
|
277 next |
|
278 assume pc': "Suc pc < length phi" |
|
279 hence [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp |
|
280 from esl |
|
281 have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))" |
|
282 by (simp add: Err.sl_def) |
|
283 moreover |
|
284 from pc' phi_ok |
|
285 have "OK (phi!Suc pc) \<in> err (opt A)" by simp |
|
286 moreover note cert_suc |
|
287 moreover from stepA |
|
288 have "snd`(set ?step) \<subseteq> err (opt A)" by auto |
|
289 hence "set ?map \<subseteq> err (opt A)" by auto |
|
290 moreover |
|
291 have "\<And>s. s \<in> set ?map \<Longrightarrow> \<exists>t. (Suc pc, t) \<in> set ?step" by auto |
|
292 with less have "\<forall>s' \<in> set ?map. s' \<le>|r OK (phi!Suc pc)" by auto |
|
293 moreover |
|
294 from order fits pc' |
|
295 have "OK (cert!Suc pc) \<le>|r OK (phi!Suc pc)" |
|
296 by (cases "cert!Suc pc") (simp, blast dest: fitsD2) |
|
297 ultimately |
|
298 have "?map ++|f OK (cert!Suc pc) \<le>|r OK (phi!Suc pc)" by (rule lub) |
|
299 thus ?thesis by auto |
|
300 qed |
|
301 ultimately |
|
302 have "merge cert f r pc ?step (OK (cert!Suc pc)) \<noteq> Err" by simp |
168 thus ?thesis by (simp add: wtl_inst_def) |
303 thus ?thesis by (simp add: wtl_inst_def) |
169 qed |
304 qed |
170 |
305 |
171 |
306 lemma stable_cert: |
172 lemma wtl_inst_mono: |
307 assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
173 assumes wtl: "wtl_inst cert f r step pc s1 = OK s1'" |
308 assumes fits: "fits step cert phi" |
174 assumes fits: "fits step cert phi" |
309 assumes pc: "pc < length phi" |
175 assumes pc: "pc < n" |
310 assumes bounded: "bounded step (length phi)" |
176 assumes less: "OK s2 \<le>|r (OK s1)" |
311 assumes esl: "err_semilat (A, r, f)" |
177 shows "\<exists>s2'. wtl_inst cert f r step pc s2 = OK s2' \<and> OK s2' \<le>|r (OK s1')" |
312 assumes cert_ok: "cert_ok cert (length phi) A" |
178 apply (insert wtl) |
313 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
179 apply (simp add: wtl_inst_def) |
314 assumes pres: "pres_type step (length phi) (err (opt A))" |
180 |
315 shows "wtl_cert cert f r step pc (phi!pc) \<noteq> Err" |
181 |
|
182 lemma wtl_inst_mono: |
|
183 "\<lbrakk> wtl_inst i G rT s1 cert mxs mpc pc = OK s1'; fits ins cert phi; |
|
184 pc < length ins; G \<turnstile> s2 <=' s1; i = ins!pc \<rbrakk> \<Longrightarrow> |
|
185 \<exists> s2'. wtl_inst (ins!pc) G rT s2 cert mxs mpc pc = OK s2' \<and> (G \<turnstile> s2' <=' s1')" |
|
186 proof - |
316 proof - |
187 assume pc: "pc < length ins" "i = ins!pc" |
317 have wtl: "wtl_inst cert f r step pc (phi!pc) \<noteq> Err" by (rule stable_wtl) |
188 assume wtl: "wtl_inst i G rT s1 cert mxs mpc pc = OK s1'" |
318 show ?thesis |
189 assume fits: "fits ins cert phi" |
319 proof (cases "cert!pc") |
190 assume G: "G \<turnstile> s2 <=' s1" |
320 case None with wtl show ?thesis by (simp add: wtl_cert_def) |
|
321 next |
|
322 case (Some s) |
|
323 with pc fits have "cert!pc = phi!pc" by - (rule fitsD2) |
|
324 with Some have "phi!pc = Some s" by simp |
|
325 with Some wtl esl show ?thesis by (simp add: wtl_cert_def) |
|
326 qed |
|
327 qed |
191 |
328 |
192 let "?eff s" = "eff i G s" |
329 |
193 |
330 lemma wtl_less: |
194 from wtl G |
331 assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
195 have app: "app i G mxs rT s2" by (auto simp add: wtl_inst_OK app_mono) |
332 assumes wtl: "wtl_inst cert f r step pc (phi!pc) = OK s" |
|
333 assumes fits: "fits step cert phi" |
|
334 assumes suc_pc: "Suc pc < length phi" |
|
335 assumes bounded: "bounded step (length phi)" |
|
336 assumes esl: "err_semilat (A, r, f)" |
|
337 assumes cert_ok: "cert_ok cert (length phi) A" |
|
338 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
|
339 assumes pres: "pres_type step (length phi) (err (opt A))" |
|
340 shows "OK s \<le>|r OK (phi!Suc pc)" |
|
341 proof - |
|
342 from esl have order: "order (Opt.le r)" by simp |
|
343 |
|
344 let ?step = "step pc (OK (phi!pc))" |
|
345 from suc_pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp |
|
346 from suc_pc have [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp |
|
347 from suc_pc have pc: "pc < length phi" by simp |
|
348 |
|
349 from stable |
|
350 have less: "\<forall>(q,s')\<in>set ?step. s' \<le>|r (map OK phi!q)" |
|
351 by (simp add: stable_def) |
196 |
352 |
197 from wtl G |
353 from cert_ok pc |
198 have eff: "G \<turnstile> ?eff s2 <=' ?eff s1" |
354 have cert_suc: "OK (cert!Suc pc) \<in> err (opt A)" by (auto dest: cert_okD3) |
199 by (auto intro: eff_mono simp add: wtl_inst_OK) |
355 moreover |
200 |
356 from phi_ok pc |
201 { also |
357 have "OK (phi!pc) \<in> err (opt A)" by simp |
202 fix pc' |
358 with pres pc |
203 assume "pc' \<in> set (succs i pc)" "pc' \<noteq> pc+1" |
359 have stepA: "\<forall>(pc',s') \<in> set ?step. s' \<in> err (opt A)" |
204 with wtl |
360 by (blast dest: pres_typeD) |
205 have "G \<turnstile> ?eff s1 <=' cert!pc'" |
361 ultimately |
206 by (auto simp add: wtl_inst_OK) |
362 have "merge cert f r pc ?step (OK (cert!Suc pc)) = |
207 finally |
363 (if \<forall>(pc',s')\<in>set ?step. pc'\<noteq>pc+1 \<longrightarrow> s' \<le>|r (OK (cert!pc')) |
208 have "G\<turnstile> ?eff s2 <=' cert!pc'" . |
364 then map snd [(p',t')\<in>?step.p'=pc+1] ++|f (OK (cert!Suc pc)) |
209 } note cert = this |
365 else Err)" using esl by - (rule merge_def) |
210 |
366 with wtl have |
211 have "\<exists>s2'. wtl_inst i G rT s2 cert mxs mpc pc = OK s2' \<and> G \<turnstile> s2' <=' s1'" |
367 "OK s = (map snd [(p',t')\<in>?step.p'=pc+1] ++|f (OK (cert!Suc pc)))" |
212 proof (cases "pc+1 \<in> set (succs i pc)") |
368 (is "_ = (?map ++|f _)" is "_ = ?sum") |
213 case True |
369 by (simp add: wtl_inst_def split: split_if_asm) |
214 with wtl |
370 also { |
215 have s1': "s1' = ?eff s1" by (simp add: wtl_inst_OK) |
371 from esl |
216 |
372 have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))" |
217 have "wtl_inst i G rT s2 cert mxs mpc pc = OK (?eff s2) \<and> G \<turnstile> ?eff s2 <=' s1'" |
373 by (simp add: Err.sl_def) |
218 (is "?wtl \<and> ?G") |
374 moreover |
219 proof |
375 from suc_pc phi_ok |
220 from True s1' |
376 have "OK (phi!Suc pc) \<in> err (opt A)" by simp |
221 show ?G by (auto intro: eff) |
377 moreover note cert_suc |
222 |
378 moreover from stepA |
223 from True app wtl |
379 have "snd`(set ?step) \<subseteq> err (opt A)" by auto |
224 show ?wtl |
380 hence "set ?map \<subseteq> err (opt A)" by auto |
225 by (clarsimp intro!: cert simp add: wtl_inst_OK) |
381 moreover |
226 qed |
382 have "\<And>s. s \<in> set ?map \<Longrightarrow> \<exists>t. (Suc pc, t) \<in> set ?step" by auto |
227 thus ?thesis by blast |
383 with less have "\<forall>s' \<in> set ?map. s' \<le>|r OK (phi!Suc pc)" by auto |
228 next |
384 moreover |
229 case False |
385 from order fits suc_pc |
230 with wtl |
386 have "OK (cert!Suc pc) \<le>|r OK (phi!Suc pc)" |
231 have "s1' = cert ! Suc pc" by (simp add: wtl_inst_OK) |
387 by (cases "cert!Suc pc") (simp, blast dest: fitsD2) |
232 |
388 ultimately |
233 with False app wtl |
389 have "?sum \<le>|r OK (phi!Suc pc)" by (rule lub) |
234 have "wtl_inst i G rT s2 cert mxs mpc pc = OK s1' \<and> G \<turnstile> s1' <=' s1'" |
390 } |
235 by (clarsimp intro!: cert simp add: wtl_inst_OK) |
391 finally show ?thesis . |
236 |
392 qed |
237 thus ?thesis by blast |
393 |
238 qed |
394 |
|
395 lemma cert_less: |
|
396 assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
|
397 assumes cert: "wtl_cert cert f r step pc (phi!pc) = OK s" |
|
398 assumes fits: "fits step cert phi" |
|
399 assumes suc_pc: "Suc pc < length phi" |
|
400 assumes bounded: "bounded step (length phi)" |
|
401 assumes esl: "err_semilat (A, r, f)" |
|
402 assumes cert_ok: "cert_ok cert (length phi) A" |
|
403 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
|
404 assumes pres: "pres_type step (length phi) (err (opt A))" |
|
405 shows "OK s \<le>|r OK (phi!Suc pc)" |
|
406 proof (cases "cert!pc") |
|
407 case None with cert |
|
408 have "wtl_inst cert f r step pc (phi!pc) = OK s" by (simp add: wtl_cert_def) |
|
409 thus ?thesis by - (rule wtl_less) |
|
410 next |
|
411 case (Some s') with cert |
|
412 have "wtl_inst cert f r step pc (Some s') = OK s" |
|
413 by (simp add: wtl_cert_def split: split_if_asm) |
|
414 also |
|
415 from suc_pc have "pc < length phi" by simp |
|
416 with fits Some have "cert!pc = phi!pc" by - (rule fitsD2) |
|
417 with Some have "Some s' = phi!pc" by simp |
|
418 finally |
|
419 have "wtl_inst cert f r step pc (phi!pc) = OK s" . |
|
420 thus ?thesis by - (rule wtl_less) |
|
421 qed |
|
422 |
|
423 |
239 |
424 |
240 with pc show ?thesis by simp |
425 lemma wt_step_wtl_lemma: |
241 qed |
426 assumes wt_step: "wt_step (Err.le (Opt.le r)) Err step (map OK phi)" |
242 |
427 assumes fits: "fits step cert phi" |
243 |
428 assumes bounded: "bounded step (length phi)" |
244 lemma wtl_cert_mono: |
429 assumes esl: "err_semilat (A, r, f)" |
245 "\<lbrakk> wtl_cert i G rT s1 cert mxs mpc pc = OK s1'; fits ins cert phi; |
430 assumes cert_ok: "cert_ok cert (length phi) A" |
246 pc < length ins; G \<turnstile> s2 <=' s1; i = ins!pc \<rbrakk> \<Longrightarrow> |
431 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
247 \<exists> s2'. wtl_cert (ins!pc) G rT s2 cert mxs mpc pc = OK s2' \<and> (G \<turnstile> s2' <=' s1')" |
432 assumes pres: "pres_type step (length phi) (err (opt A))" |
|
433 assumes mono: "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))" |
|
434 shows "\<And>pc s. pc+length ins = length phi \<Longrightarrow> OK s \<le>|r OK (phi!pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow> |
|
435 wtl_inst_list ins cert f r step pc s \<noteq> Err" |
|
436 (is "\<And>pc s. _ \<Longrightarrow> _ \<Longrightarrow> _ \<Longrightarrow> ?wtl ins pc s \<noteq> Err") |
|
437 proof (induct ins) |
|
438 fix pc s show "?wtl [] pc s \<noteq> Err" by simp |
|
439 next |
|
440 fix pc s i ins |
|
441 assume "\<And>pc s. pc+length ins=length phi \<Longrightarrow> OK s \<le>|r OK (phi!pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow> |
|
442 ?wtl ins pc s \<noteq> Err" |
|
443 moreover |
|
444 assume pc_l: "pc + length (i#ins) = length phi" |
|
445 hence suc_pc_l: "Suc pc + length ins = length phi" by simp |
|
446 ultimately |
|
447 have IH: |
|
448 "\<And>s. OK s \<le>|r OK (phi!Suc pc) \<Longrightarrow> s \<in> opt A \<Longrightarrow> ?wtl ins (Suc pc) s \<noteq> Err" . |
|
449 |
|
450 from pc_l obtain pc: "pc < length phi" by simp |
|
451 with wt_step |
|
452 have stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" |
|
453 by (simp add: wt_step_def) |
|
454 moreover |
|
455 assume s_phi: "OK s \<le>|r OK (phi!pc)" |
|
456 ultimately |
|
457 have "wtl_cert cert f r step pc (phi!pc) \<noteq> Err" by - (rule stable_cert) |
|
458 then obtain s'' where s'': "wtl_cert cert f r step pc (phi!pc) = OK s''" by fast |
|
459 moreover |
|
460 from phi_ok pc |
|
461 have phi_pc: "phi!pc \<in> opt A" by simp |
|
462 moreover |
|
463 assume s: "s \<in> opt A" |
|
464 ultimately |
|
465 obtain s' where "wtl_cert cert f r step pc s = OK s'" |
|
466 by - (drule wtl_cert_mono, assumption+, blast) |
|
467 hence "ins = [] \<Longrightarrow> ?wtl (i#ins) pc s \<noteq> Err" by simp |
|
468 moreover { |
|
469 assume "ins \<noteq> []" |
|
470 with pc_l have suc_pc: "Suc pc < length phi" by (auto simp add: neq_Nil_conv) |
|
471 with stable s'' have "OK s'' \<le>|r OK (phi!Suc pc)" by - (rule cert_less) |
|
472 moreover |
|
473 from s'' s_phi obtain s' where |
|
474 cert: "wtl_cert cert f r step pc s = OK s'" and |
|
475 "OK s' \<le>|r OK s''" |
|
476 using phi_pc |
|
477 by - (drule wtl_cert_mono, assumption+, blast) |
|
478 moreover from esl have "order (Err.le (Opt.le r))" by simp |
|
479 ultimately have less: "OK s' \<le>|r OK (phi!Suc pc)" by - (rule order_trans) |
|
480 |
|
481 from cert_ok suc_pc have "cert!pc \<in> opt A" and "cert!(pc+1) \<in> opt A" |
|
482 by (auto simp add: cert_ok_def) |
|
483 with s cert pres have "s' \<in> opt A" by - (rule wtl_cert_pres) |
|
484 |
|
485 with less IH have "?wtl ins (Suc pc) s' \<noteq> Err" by blast |
|
486 with cert have "?wtl (i#ins) pc s \<noteq> Err" by simp |
|
487 } |
|
488 ultimately show "?wtl (i#ins) pc s \<noteq> Err" by (cases ins) auto |
|
489 qed |
|
490 |
|
491 |
|
492 theorem wtl_complete: |
|
493 assumes "wt_step (Err.le (Opt.le r)) Err step (map OK phi)" |
|
494 assumes "OK s \<le>|r OK (phi!0)" and "s \<in> opt A" |
|
495 defines cert: "cert \<equiv> make_cert step phi" |
|
496 |
|
497 assumes "bounded step (length phi)" and "err_semilat (A, r, f)" |
|
498 assumes "pres_type step (length phi) (err (opt A))" |
|
499 assumes "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))" |
|
500 assumes "length ins = length phi" |
|
501 assumes phi_ok: "\<forall>pc < length phi. phi!pc \<in> opt A" |
|
502 |
|
503 shows "wtl_inst_list ins cert f r step 0 s \<noteq> Err" |
248 proof - |
504 proof - |
249 assume wtl: "wtl_cert i G rT s1 cert mxs mpc pc = OK s1'" and |
505 have "0+length ins = length phi" by simp |
250 fits: "fits ins cert phi" "pc < length ins" |
506 moreover |
251 "G \<turnstile> s2 <=' s1" "i = ins!pc" |
507 have "fits step cert phi" by (unfold cert) (rule fits_make_cert) |
252 |
508 moreover |
253 show ?thesis |
509 from phi_ok have "cert_ok cert (length phi) A" |
254 proof (cases (open) "cert!pc") |
510 by (simp add: cert make_cert_def cert_ok_def nth_append) |
255 case None |
511 ultimately |
256 with wtl fits |
512 show ?thesis by - (rule wt_step_wtl_lemma) |
257 show ?thesis |
513 qed |
258 by - (rule wtl_inst_mono [elim_format], (simp add: wtl_cert_def)+) |
514 |
259 next |
|
260 case Some |
|
261 with wtl fits |
|
262 |
|
263 have G: "G \<turnstile> s2 <=' (Some a)" |
|
264 by - (rule sup_state_opt_trans, auto simp add: wtl_cert_def split: if_splits) |
|
265 |
|
266 from Some wtl |
|
267 have "wtl_inst i G rT (Some a) cert mxs mpc pc = OK s1'" |
|
268 by (simp add: wtl_cert_def split: if_splits) |
|
269 |
|
270 with G fits |
|
271 have "\<exists> s2'. wtl_inst (ins!pc) G rT (Some a) cert mxs mpc pc = OK s2' \<and> |
|
272 (G \<turnstile> s2' <=' s1')" |
|
273 by - (rule wtl_inst_mono, (simp add: wtl_cert_def)+) |
|
274 |
|
275 with Some G |
|
276 show ?thesis by (simp add: wtl_cert_def) |
|
277 qed |
|
278 qed |
|
279 |
|
280 |
|
281 lemma wt_instr_imp_wtl_inst: |
|
282 "\<lbrakk> wt_instr (ins!pc) G rT phi mxs max_pc pc; fits ins cert phi; |
|
283 pc < length ins; length ins = max_pc \<rbrakk> \<Longrightarrow> |
|
284 wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc \<noteq> Err" |
|
285 proof - |
|
286 assume wt: "wt_instr (ins!pc) G rT phi mxs max_pc pc" |
|
287 assume fits: "fits ins cert phi" |
|
288 assume pc: "pc < length ins" "length ins = max_pc" |
|
289 |
|
290 from wt |
|
291 have app: "app (ins!pc) G mxs rT (phi!pc)" by (simp add: wt_instr_def) |
|
292 |
|
293 from wt pc |
|
294 have pc': "\<And>pc'. pc' \<in> set (succs (ins!pc) pc) \<Longrightarrow> pc' < length ins" |
|
295 by (simp add: wt_instr_def) |
|
296 |
|
297 let ?s' = "eff (ins!pc) G (phi!pc)" |
|
298 |
|
299 from wt fits pc |
|
300 have cert: "\<And>pc'. \<lbrakk>pc' \<in> set (succs (ins!pc) pc); pc' < max_pc; pc' \<noteq> pc+1\<rbrakk> |
|
301 \<Longrightarrow> G \<turnstile> ?s' <=' cert!pc'" |
|
302 by (auto dest: fitsD simp add: wt_instr_def) |
|
303 |
|
304 from app pc cert pc' |
|
305 show ?thesis |
|
306 by (auto simp add: wtl_inst_OK) |
|
307 qed |
|
308 |
|
309 lemma wt_less_wtl: |
|
310 "\<lbrakk> wt_instr (ins!pc) G rT phi mxs max_pc pc; |
|
311 wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s; |
|
312 fits ins cert phi; Suc pc < length ins; length ins = max_pc \<rbrakk> \<Longrightarrow> |
|
313 G \<turnstile> s <=' phi ! Suc pc" |
|
314 proof - |
|
315 assume wt: "wt_instr (ins!pc) G rT phi mxs max_pc pc" |
|
316 assume wtl: "wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s" |
|
317 assume fits: "fits ins cert phi" |
|
318 assume pc: "Suc pc < length ins" "length ins = max_pc" |
|
319 |
|
320 { assume suc: "Suc pc \<in> set (succs (ins ! pc) pc)" |
|
321 with wtl have "s = eff (ins!pc) G (phi!pc)" |
|
322 by (simp add: wtl_inst_OK) |
|
323 also from suc wt have "G \<turnstile> \<dots> <=' phi!Suc pc" |
|
324 by (simp add: wt_instr_def) |
|
325 finally have ?thesis . |
|
326 } |
|
327 |
|
328 moreover |
|
329 { assume "Suc pc \<notin> set (succs (ins ! pc) pc)" |
|
330 |
|
331 with wtl |
|
332 have "s = cert!Suc pc" |
|
333 by (simp add: wtl_inst_OK) |
|
334 with fits pc |
|
335 have ?thesis |
|
336 by - (cases "cert!Suc pc", simp, drule fitsD2, assumption+, simp) |
|
337 } |
|
338 |
|
339 ultimately |
|
340 show ?thesis by blast |
|
341 qed |
|
342 |
|
343 |
|
344 lemma wt_instr_imp_wtl_cert: |
|
345 "\<lbrakk> wt_instr (ins!pc) G rT phi mxs max_pc pc; fits ins cert phi; |
|
346 pc < length ins; length ins = max_pc \<rbrakk> \<Longrightarrow> |
|
347 wtl_cert (ins!pc) G rT (phi!pc) cert mxs max_pc pc \<noteq> Err" |
|
348 proof - |
|
349 assume "wt_instr (ins!pc) G rT phi mxs max_pc pc" and |
|
350 fits: "fits ins cert phi" and |
|
351 pc: "pc < length ins" and |
|
352 "length ins = max_pc" |
|
353 |
|
354 hence wtl: "wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc \<noteq> Err" |
|
355 by (rule wt_instr_imp_wtl_inst) |
|
356 |
|
357 hence "cert!pc = None \<Longrightarrow> ?thesis" |
|
358 by (simp add: wtl_cert_def) |
|
359 |
|
360 moreover |
|
361 { fix s |
|
362 assume c: "cert!pc = Some s" |
|
363 with fits pc |
|
364 have "cert!pc = phi!pc" |
|
365 by (rule fitsD2) |
|
366 from this c wtl |
|
367 have ?thesis |
|
368 by (clarsimp simp add: wtl_cert_def) |
|
369 } |
|
370 |
|
371 ultimately |
|
372 show ?thesis by blast |
|
373 qed |
|
374 |
|
375 |
|
376 lemma wt_less_wtl_cert: |
|
377 "\<lbrakk> wt_instr (ins!pc) G rT phi mxs max_pc pc; |
|
378 wtl_cert (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s; |
|
379 fits ins cert phi; Suc pc < length ins; length ins = max_pc \<rbrakk> \<Longrightarrow> |
|
380 G \<turnstile> s <=' phi ! Suc pc" |
|
381 proof - |
|
382 assume wtl: "wtl_cert (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s" |
|
383 |
|
384 assume wti: "wt_instr (ins!pc) G rT phi mxs max_pc pc" |
|
385 "fits ins cert phi" |
|
386 "Suc pc < length ins" "length ins = max_pc" |
|
387 |
|
388 { assume "cert!pc = None" |
|
389 with wtl |
|
390 have "wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s" |
|
391 by (simp add: wtl_cert_def) |
|
392 with wti |
|
393 have ?thesis |
|
394 by - (rule wt_less_wtl) |
|
395 } |
|
396 moreover |
|
397 { fix t |
|
398 assume c: "cert!pc = Some t" |
|
399 with wti |
|
400 have "cert!pc = phi!pc" |
|
401 by - (rule fitsD2, simp+) |
|
402 with c wtl |
|
403 have "wtl_inst (ins!pc) G rT (phi!pc) cert mxs max_pc pc = OK s" |
|
404 by (simp add: wtl_cert_def) |
|
405 with wti |
|
406 have ?thesis |
|
407 by - (rule wt_less_wtl) |
|
408 } |
|
409 |
|
410 ultimately |
|
411 show ?thesis by blast |
|
412 qed |
|
413 |
|
414 text {* |
|
415 \medskip |
|
416 Main induction over the instruction list. |
|
417 *} |
|
418 |
|
419 theorem wt_imp_wtl_inst_list: |
|
420 "\<forall> pc. (\<forall>pc'. pc' < length all_ins \<longrightarrow> |
|
421 wt_instr (all_ins ! pc') G rT phi mxs (length all_ins) pc') \<longrightarrow> |
|
422 fits all_ins cert phi \<longrightarrow> |
|
423 (\<exists>l. pc = length l \<and> all_ins = l@ins) \<longrightarrow> |
|
424 pc < length all_ins \<longrightarrow> |
|
425 (\<forall> s. (G \<turnstile> s <=' (phi!pc)) \<longrightarrow> |
|
426 wtl_inst_list ins G rT cert mxs (length all_ins) pc s \<noteq> Err)" |
|
427 (is "\<forall>pc. ?wt \<longrightarrow> ?fits \<longrightarrow> ?l pc ins \<longrightarrow> ?len pc \<longrightarrow> ?wtl pc ins" |
|
428 is "\<forall>pc. ?C pc ins" is "?P ins") |
|
429 proof (induct "?P" "ins") |
|
430 case Nil |
|
431 show "?P []" by simp |
|
432 next |
|
433 fix i ins' |
|
434 assume Cons: "?P ins'" |
|
435 |
|
436 show "?P (i#ins')" |
|
437 proof (intro allI impI, elim exE conjE) |
|
438 fix pc s l |
|
439 assume wt : "\<forall>pc'. pc' < length all_ins \<longrightarrow> |
|
440 wt_instr (all_ins ! pc') G rT phi mxs (length all_ins) pc'" |
|
441 assume fits: "fits all_ins cert phi" |
|
442 assume l : "pc < length all_ins" |
|
443 assume G : "G \<turnstile> s <=' phi ! pc" |
|
444 assume pc : "all_ins = l@i#ins'" "pc = length l" |
|
445 hence i : "all_ins ! pc = i" |
|
446 by (simp add: nth_append) |
|
447 |
|
448 from l wt |
|
449 have wti: "wt_instr (all_ins!pc) G rT phi mxs (length all_ins) pc" by blast |
|
450 |
|
451 with fits l |
|
452 have c: "wtl_cert (all_ins!pc) G rT (phi!pc) cert mxs (length all_ins) pc \<noteq> Err" |
|
453 by - (drule wt_instr_imp_wtl_cert, auto) |
|
454 |
|
455 from Cons |
|
456 have "?C (Suc pc) ins'" by blast |
|
457 with wt fits pc |
|
458 have IH: "?len (Suc pc) \<longrightarrow> ?wtl (Suc pc) ins'" by auto |
|
459 |
|
460 show "wtl_inst_list (i#ins') G rT cert mxs (length all_ins) pc s \<noteq> Err" |
|
461 proof (cases "?len (Suc pc)") |
|
462 case False |
|
463 with pc |
|
464 have "ins' = []" by simp |
|
465 with G i c fits l |
|
466 show ?thesis by (auto dest: wtl_cert_mono) |
|
467 next |
|
468 case True |
|
469 with IH |
|
470 have wtl: "?wtl (Suc pc) ins'" by blast |
|
471 |
|
472 from c wti fits l True |
|
473 obtain s'' where |
|
474 "wtl_cert (all_ins!pc) G rT (phi!pc) cert mxs (length all_ins) pc = OK s''" |
|
475 "G \<turnstile> s'' <=' phi ! Suc pc" |
|
476 by clarsimp (drule wt_less_wtl_cert, auto) |
|
477 moreover |
|
478 from calculation fits G l |
|
479 obtain s' where |
|
480 c': "wtl_cert (all_ins!pc) G rT s cert mxs (length all_ins) pc = OK s'" and |
|
481 "G \<turnstile> s' <=' s''" |
|
482 by - (drule wtl_cert_mono, auto) |
|
483 ultimately |
|
484 have G': "G \<turnstile> s' <=' phi ! Suc pc" |
|
485 by - (rule sup_state_opt_trans) |
|
486 |
|
487 with wtl |
|
488 have "wtl_inst_list ins' G rT cert mxs (length all_ins) (Suc pc) s' \<noteq> Err" |
|
489 by auto |
|
490 |
|
491 with i c' |
|
492 show ?thesis by auto |
|
493 qed |
|
494 qed |
|
495 qed |
|
496 |
|
497 |
|
498 lemma fits_imp_wtl_method_complete: |
|
499 "\<lbrakk> wt_method G C pTs rT mxs mxl ins phi; fits ins cert phi \<rbrakk> |
|
500 \<Longrightarrow> wtl_method G C pTs rT mxs mxl ins cert" |
|
501 by (simp add: wt_method_def wtl_method_def) |
|
502 (rule wt_imp_wtl_inst_list [rule_format, elim_format], auto simp add: wt_start_def) |
|
503 |
|
504 |
|
505 lemma wtl_method_complete: |
|
506 "wt_method G C pTs rT mxs mxl ins phi |
|
507 \<Longrightarrow> wtl_method G C pTs rT mxs mxl ins (make_cert ins phi)" |
|
508 proof - |
|
509 assume "wt_method G C pTs rT mxs mxl ins phi" |
|
510 moreover |
|
511 have "fits ins (make_cert ins phi) phi" |
|
512 by (rule fits_make_cert) |
|
513 ultimately |
|
514 show ?thesis |
|
515 by (rule fits_imp_wtl_method_complete) |
|
516 qed |
|
517 |
|
518 |
|
519 theorem wtl_complete: |
|
520 "wt_jvm_prog G Phi \<Longrightarrow> wtl_jvm_prog G (make_Cert G Phi)" |
|
521 proof - |
|
522 assume wt: "wt_jvm_prog G Phi" |
|
523 |
|
524 { fix C S fs mdecls sig rT code |
|
525 assume "(C,S,fs,mdecls) \<in> set G" "(sig,rT,code) \<in> set mdecls" |
|
526 moreover |
|
527 from wt obtain wf_mb where "wf_prog wf_mb G" |
|
528 by (blast dest: wt_jvm_progD) |
|
529 ultimately |
|
530 have "method (G,C) sig = Some (C,rT,code)" |
|
531 by (simp add: methd) |
|
532 } note this [simp] |
|
533 |
|
534 from wt |
|
535 show ?thesis |
|
536 apply (clarsimp simp add: wt_jvm_prog_def wtl_jvm_prog_def wf_prog_def wf_cdecl_def) |
|
537 apply (drule bspec, assumption) |
|
538 apply (clarsimp simp add: wf_mdecl_def) |
|
539 apply (drule bspec, assumption) |
|
540 apply (clarsimp simp add: make_Cert_def) |
|
541 apply (clarsimp dest!: wtl_method_complete) |
|
542 done |
|
543 |
|
544 qed |
|
545 |
|
546 lemmas [simp] = split_paired_Ex |
|
547 |
515 |
548 end |
516 end |