diff -r 3533e3e9267f -r 1024a2d80ac0 src/HOL/MicroJava/BV/Correct.thy --- a/src/HOL/MicroJava/BV/Correct.thy Wed Aug 30 21:44:12 2000 +0200 +++ b/src/HOL/MicroJava/BV/Correct.thy Wed Aug 30 21:47:39 2000 +0200 @@ -6,60 +6,319 @@ The invariant for the type safety proof. *) -Correct = BVSpec + +header "Type Safety Invariant" + +theory Correct = BVSpec: constdefs - approx_val :: "[jvm_prog,aheap,val,ty option] \\ bool" -"approx_val G h v any \\ case any of None \\ True | Some T \\ G,h\\v\\\\T" + approx_val :: "[jvm_prog,aheap,val,ty err] \ bool" +"approx_val G h v any \ case any of Err \ True | Ok T \ G,h\v\\T" - approx_loc :: "[jvm_prog,aheap,val list,locvars_type] \\ bool" -"approx_loc G hp loc LT \\ list_all2 (approx_val G hp) loc LT" + approx_loc :: "[jvm_prog,aheap,val list,locvars_type] \ bool" +"approx_loc G hp loc LT \ list_all2 (approx_val G hp) loc LT" + + approx_stk :: "[jvm_prog,aheap,opstack,opstack_type] \ bool" +"approx_stk G hp stk ST \ approx_loc G hp stk (map Ok ST)" - approx_stk :: "[jvm_prog,aheap,opstack,opstack_type] \\ bool" -"approx_stk G hp stk ST \\ approx_loc G hp stk (map Some ST)" + correct_frame :: "[jvm_prog,aheap,state_type,nat,bytecode] \ frame \ bool" +"correct_frame G hp \ \(ST,LT) maxl ins (stk,loc,C,sig,pc). + approx_stk G hp stk ST \ approx_loc G hp loc LT \ + pc < length ins \ length loc=length(snd sig)+maxl+1" - correct_frame :: "[jvm_prog,aheap,state_type,nat,bytecode] \\ frame \\ bool" -"correct_frame G hp \\ \\(ST,LT) maxl ins (stk,loc,C,sig,pc). - approx_stk G hp stk ST \\ approx_loc G hp loc LT \\ - pc < length ins \\ length loc=length(snd sig)+maxl+1" + correct_frame_opt :: "[jvm_prog,aheap,state_type option,nat,bytecode] \ frame \ bool" +"correct_frame_opt G hp s \ case s of None \ \maxl ins f. False | Some t \ correct_frame G hp t" + consts - correct_frames :: "[jvm_prog,aheap,prog_type,ty,sig,frame list] \\ bool" + correct_frames :: "[jvm_prog,aheap,prog_type,ty,sig,frame list] \ bool" primrec "correct_frames G hp phi rT0 sig0 [] = True" "correct_frames G hp phi rT0 sig0 (f#frs) = - (let (stk,loc,C,sig,pc) = f; - (ST,LT) = (phi C sig) ! pc - in - (\\rT maxl ins. - method (G,C) sig = Some(C,rT,(maxl,ins)) \\ - (\\C' mn pTs k. pc = k+1 \\ ins!k = (Invoke C' mn pTs) \\ - (mn,pTs) = sig0 \\ - (\\apTs D ST'. - fst((phi C sig)!k) = (rev apTs) @ (Class D) # ST' \\ - length apTs = length pTs \\ - (\\D' rT' maxl' ins'. - method (G,D) sig0 = Some(D',rT',(maxl',ins')) \\ - G \\ rT0 \\ rT') \\ - correct_frame G hp (tl ST, LT) maxl ins f \\ + (let (stk,loc,C,sig,pc) = f in + (\ST LT rT maxl ins. + phi C sig ! pc = Some (ST,LT) \ + method (G,C) sig = Some(C,rT,(maxl,ins)) \ + (\C' mn pTs k. pc = k+1 \ ins!k = (Invoke C' mn pTs) \ + (mn,pTs) = sig0 \ + (\apTs D ST' LT'. + (phi C sig)!k = Some ((rev apTs) @ (Class D) # ST', LT') \ + length apTs = length pTs \ + (\D' rT' maxl' ins'. + method (G,D) sig0 = Some(D',rT',(maxl',ins')) \ + G \ rT0 \ rT') \ + correct_frame G hp (tl ST, LT) maxl ins f \ correct_frames G hp phi rT sig frs))))" constdefs - correct_state :: "[jvm_prog,prog_type,jvm_state] \\ bool" - ("_,_\\JVM _\\" [51,51] 50) -"correct_state G phi \\ \\(xp,hp,frs). + correct_state :: "[jvm_prog,prog_type,jvm_state] \ bool" + ("_,_\JVM _\" [51,51] 50) +"correct_state G phi \ \(xp,hp,frs). case xp of - None \\ (case frs of - [] \\ True - | (f#fs) \\ G\\h hp\\ \\ + None \ (case frs of + [] \ True + | (f#fs) \ G\h hp\ \ (let (stk,loc,C,sig,pc) = f in - \\rT maxl ins. - method (G,C) sig = Some(C,rT,(maxl,ins)) \\ - correct_frame G hp ((phi C sig) ! pc) maxl ins f \\ + \rT maxl ins s. + method (G,C) sig = Some(C,rT,(maxl,ins)) \ + phi C sig ! pc = Some s \ + correct_frame G hp s maxl ins f \ correct_frames G hp phi rT sig fs)) - | Some x \\ True" + | Some x \ True" + + +lemma sup_heap_newref: + "hp x = None \ hp \| hp(newref hp \ obj)" +apply (unfold hext_def) +apply clarsimp +apply (drule newref_None 1) back +apply simp +. + +lemma sup_heap_update_value: + "hp a = Some (C,od') \ hp \| hp (a \ (C,od))" +by (simp add: hext_def) + + +(** approx_val **) + +lemma approx_val_Err: + "approx_val G hp x Err" +by (simp add: approx_val_def) + +lemma approx_val_Null: + "approx_val G hp Null (Ok (RefT x))" +by (auto intro: null simp add: approx_val_def) + +lemma approx_val_imp_approx_val_assConvertible [rulify]: + "wf_prog wt G \ approx_val G hp v (Ok T) \ G\ T\T' \ approx_val G hp v (Ok T')" +by (cases T) (auto intro: conf_widen simp add: approx_val_def) + +lemma approx_val_imp_approx_val_sup_heap [rulify]: + "approx_val G hp v at \ hp \| hp' \ approx_val G hp' v at" +apply (simp add: approx_val_def split: err.split) +apply (blast intro: conf_hext) +. + +lemma approx_val_imp_approx_val_heap_update: + "\hp a = Some obj'; G,hp\ v\\T; obj_ty obj = obj_ty obj'\ + \ G,hp(a\obj)\ v\\T" +by (cases v, auto simp add: obj_ty_def conf_def) + +lemma approx_val_imp_approx_val_sup [rulify]: + "wf_prog wt G \ (approx_val G h v us) \ (G \ us <=o us') \ (approx_val G h v us')" +apply (simp add: sup_PTS_eq approx_val_def split: err.split) +apply (blast intro: conf_widen) +. + +lemma approx_loc_imp_approx_val_sup: + "\wf_prog wt G; approx_loc G hp loc LT; idx < length LT; v = loc!idx; G \ LT!idx <=o at\ + \ approx_val G hp v at" +apply (unfold approx_loc_def) +apply (unfold list_all2_def) +apply (auto intro: approx_val_imp_approx_val_sup simp add: split_def all_set_conv_all_nth) +. + + +(** approx_loc **) + +lemma approx_loc_Cons [iff]: + "approx_loc G hp (s#xs) (l#ls) = (approx_val G hp s l \ approx_loc G hp xs ls)" +by (simp add: approx_loc_def) + +lemma assConv_approx_stk_imp_approx_loc [rulify]: + "wf_prog wt G \ (\tt'\set (zip tys_n ts). tt' \ widen G) + \ length tys_n = length ts \ approx_stk G hp s tys_n \ + approx_loc G hp s (map Ok ts)" +apply (unfold approx_stk_def approx_loc_def list_all2_def) +apply (clarsimp simp add: all_set_conv_all_nth) +apply (rule approx_val_imp_approx_val_assConvertible) +apply auto +. + + +lemma approx_loc_imp_approx_loc_sup_heap [rulify]: + "\lvars. approx_loc G hp lvars lt \ hp \| hp' \ approx_loc G hp' lvars lt" +apply (unfold approx_loc_def list_all2_def) +apply (cases lt) + apply simp +apply clarsimp +apply (rule approx_val_imp_approx_val_sup_heap) +apply auto +. + +lemma approx_loc_imp_approx_loc_sup [rulify]: + "wf_prog wt G \ approx_loc G hp lvars lt \ G \ lt <=l lt' \ approx_loc G hp lvars lt'" +apply (unfold sup_loc_def approx_loc_def list_all2_def) +apply (auto simp add: all_set_conv_all_nth) +apply (auto elim: approx_val_imp_approx_val_sup) +. + + +lemma approx_loc_imp_approx_loc_subst [rulify]: + "\loc idx x X. (approx_loc G hp loc LT) \ (approx_val G hp x X) + \ (approx_loc G hp (loc[idx:=x]) (LT[idx:=X]))" +apply (unfold approx_loc_def list_all2_def) +apply (auto dest: subsetD [OF set_update_subset_insert] simp add: zip_update) +. + + +lemmas [cong] = conj_cong + +lemma approx_loc_append [rulify]: + "\L1 l2 L2. length l1=length L1 \ + approx_loc G hp (l1@l2) (L1@L2) = (approx_loc G hp l1 L1 \ approx_loc G hp l2 L2)" +apply (unfold approx_loc_def list_all2_def) +apply simp +apply blast +. + +lemmas [cong del] = conj_cong + + +(** approx_stk **) + +lemma approx_stk_rev_lem: + "approx_stk G hp (rev s) (rev t) = approx_stk G hp s t" +apply (unfold approx_stk_def approx_loc_def list_all2_def) +apply (auto simp add: zip_rev sym [OF rev_map]) +. + +lemma approx_stk_rev: + "approx_stk G hp (rev s) t = approx_stk G hp s (rev t)" +by (auto intro: subst [OF approx_stk_rev_lem]) + + +lemma approx_stk_imp_approx_stk_sup_heap [rulify]: + "\lvars. approx_stk G hp lvars lt \ hp \| hp' \ approx_stk G hp' lvars lt" +by (auto intro: approx_loc_imp_approx_loc_sup_heap simp add: approx_stk_def) + +lemma approx_stk_imp_approx_stk_sup [rulify]: + "wf_prog wt G \ approx_stk G hp lvars st \ (G \ map Ok st <=l (map Ok st')) + \ approx_stk G hp lvars st'" +by (auto intro: approx_loc_imp_approx_loc_sup simp add: approx_stk_def) + +lemma approx_stk_Nil [iff]: + "approx_stk G hp [] []" +by (simp add: approx_stk_def approx_loc_def) + +lemma approx_stk_Cons [iff]: + "approx_stk G hp (x # stk) (S#ST) = + (approx_val G hp x (Ok S) \ approx_stk G hp stk ST)" +by (simp add: approx_stk_def approx_loc_def) + +lemma approx_stk_Cons_lemma [iff]: + "approx_stk G hp stk (S#ST') = + (\s stk'. stk = s#stk' \ approx_val G hp s (Ok S) \ approx_stk G hp stk' ST')" +by (simp add: list_all2_Cons2 approx_stk_def approx_loc_def) + +lemma approx_stk_append_lemma: + "approx_stk G hp stk (S@ST') \ + (\s stk'. stk = s@stk' \ length s = length S \ length stk' = length ST' \ + approx_stk G hp s S \ approx_stk G hp stk' ST')" +by (simp add: list_all2_append2 approx_stk_def approx_loc_def) + + +(** oconf **) + +lemma correct_init_obj: + "\is_class G C; wf_prog wt G\ \ + G,h \ (C, map_of (map (\(f,fT).(f,default_val fT)) (fields(G,C)))) \" +apply (unfold oconf_def lconf_def) +apply (simp add: map_of_map) +apply (force intro: defval_conf dest: map_of_SomeD is_type_fields) +. + + +lemma oconf_imp_oconf_field_update [rulify]: + "\map_of (fields (G, oT)) FD = Some T; G,hp\v\\T; G,hp\(oT,fs)\ \ + \ G,hp\(oT, fs(FD\v))\" +by (simp add: oconf_def lconf_def) + + +lemma oconf_imp_oconf_heap_newref [rulify]: +"hp x = None \ G,hp\obj\ \ G,hp\obj'\ \ G,(hp(newref hp\obj'))\obj\" +apply (unfold oconf_def lconf_def) +apply simp +apply (fast intro: conf_hext sup_heap_newref) +. + + +lemma oconf_imp_oconf_heap_update [rulify]: + "hp a = Some obj' \ obj_ty obj' = obj_ty obj'' \ G,hp\obj\ + \ G,hp(a\obj'')\obj\" +apply (unfold oconf_def lconf_def) +apply simp +apply (force intro: approx_val_imp_approx_val_heap_update) +. + + +(** hconf **) + + +lemma hconf_imp_hconf_newref [rulify]: + "hp x = None \ G\h hp\ \ G,hp\obj\ \ G\h hp(newref hp\obj)\" +apply (simp add: hconf_def) +apply (fast intro: oconf_imp_oconf_heap_newref) +. + +lemma hconf_imp_hconf_field_update [rulify]: + "map_of (fields (G, oT)) (F, D) = Some T \ hp oloc = Some(oT,fs) \ + G,hp\v\\T \ G\h hp\ \ G\h hp(oloc \ (oT, fs((F,D)\v)))\" +apply (simp add: hconf_def) +apply (force intro: oconf_imp_oconf_heap_update oconf_imp_oconf_field_update + simp add: obj_ty_def) +. + +(** correct_frames **) + +lemmas [simp del] = fun_upd_apply + +lemma correct_frames_imp_correct_frames_field_update [rulify]: + "\rT C sig. correct_frames G hp phi rT sig frs \ + hp a = Some (C,od) \ map_of (fields (G, C)) fl = Some fd \ + G,hp\v\\fd + \ correct_frames G (hp(a \ (C, od(fl\v)))) phi rT sig frs"; +apply (induct frs) + apply simp +apply (clarsimp simp add: correct_frame_def) (*takes long*) +apply (intro exI conjI) + apply simp + apply simp + apply force + apply simp + apply (rule approx_stk_imp_approx_stk_sup_heap) + apply simp + apply (rule sup_heap_update_value) + apply simp +apply (rule approx_loc_imp_approx_loc_sup_heap) + apply simp +apply (rule sup_heap_update_value) +apply simp +. + +lemma correct_frames_imp_correct_frames_newref [rulify]: + "\rT C sig. hp x = None \ correct_frames G hp phi rT sig frs \ oconf G hp obj + \ correct_frames G (hp(newref hp \ obj)) phi rT sig frs" +apply (induct frs) + apply simp +apply (clarsimp simp add: correct_frame_def) +apply (intro exI conjI) + apply simp + apply simp + apply force + apply simp + apply (rule approx_stk_imp_approx_stk_sup_heap) + apply simp + apply (rule sup_heap_newref) + apply simp +apply (rule approx_loc_imp_approx_loc_sup_heap) + apply simp +apply (rule sup_heap_newref) +apply simp +. end +