diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/AxSem.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/AxSem.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,122 @@ +(* Title: HOL/NanoJava/AxSem.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Axiomatic Semantics (Hoare Logic)" + +theory AxSem = State: + +types assn = "state => bool" + triple = "assn \ stmt \ assn" +translations + "assn" \ (type)"state => bool" + "triple" \ (type)"assn \ stmt \ assn" + +consts hoare :: "(triple set \ triple set) set" +syntax (xsymbols) + "@hoare" :: "[triple set, triple set ] => bool" ("_ |\/ _" [61,61] 60) + "@hoare1" :: "[triple set, assn,stmt,assn] => bool" + ("_ \/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3]60) +syntax + "@hoare" :: "[triple set, triple set ] => bool" ("_ ||-/ _" [61,61] 60) + "@hoare1" :: "[triple set, assn,stmt,assn] => bool" + ("_ |-/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3] 60) + +translations "A |\ C" \ "(A,C) \ hoare" + "A \ {P}c{Q}" \ "A |\ {(P,c,Q)}" + +inductive hoare +intros + + Skip: "A |- {P} Skip {P}" + + Comp: "[| A |- {P} c1 {Q}; A |- {Q} c2 {R} |] ==> A |- {P} c1;;c2 {R}" + + Cond: "[| A |- {\s. P s \ s \ Null} c1 {Q}; + A |- {\s. P s \ s = Null} c2 {Q} |] ==> + A |- {P} If(e) c1 Else c2 {Q}" + + Loop: "A |- {\s. P s \ s \ Null} c {P} ==> + A |- {P} While(e) c {\s. P s \ s = Null}" + + NewC: "A |- {\s.\a. new_Addr s=Addr a--> P (lupd(x|->Addr a)(new_obj a C s))} + x:=new C {P}" + + Cast: "A |- {\s.(case s of Null=> True | Addr a=> obj_class s a <=C C) --> + P (lupd(x|->s) s)} x:=(C)y {P}" + + FAcc: "A |- {\s.\a. s=Addr a-->P(lupd(x|->get_field s a f) s)} x:=y..f{P}" + + FAss: "A |- {\s. \a. s=Addr a --> P (upd_obj a f (s) s)} y..f:=x {P}" + + Call: "\l. A |- {\s'. \s. P s \ l = s \ + s' = lupd(This|->s)(lupd(Param|->s

)(init_locs C m s))} + Meth C m {\s. Q (lupd(x|->s)(set_locs l s))} ==> + A |- {P} x:={C}y..m(p) {Q}" + + Meth: "\D. A |- {\s. \a. s = Addr a \ D=obj_class s a \ D <=C C \ P s} + Impl D m {Q} ==> + A |- {P} Meth C m {Q}" + + (*\z instead of \z in the conclusion and + z restricted to type state due to limitations of the inductive paackage *) + Impl: "A\ (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms) ||- + (\z::state. (\(C,m). (P z C m, body C m, Q z C m))`ms) ==> + A ||- (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms)" + +(* structural rules *) + + (* z restricted to type state due to limitations of the inductive paackage *) + Conseq:"[| \z::state. A |- {P' z} c {Q' z}; + \s t. (\z::state. P' z s --> Q' z t) --> (P s --> Q t) |] ==> + A |- {P} c {Q }" + + Asm: " a \ A ==> A ||- {a}" + + ConjI: " \c \ C. A ||- {c} ==> A ||- C" + + ConjE: "[|A ||- C; c \ C |] ==> A ||- {c}"; + + +subsection "Derived Rules" + +lemma Conseq1: "\A \ {P'} c {Q}; \s. P s \ P' s\ \ A \ {P} c {Q}" +apply (rule hoare.Conseq) +apply (rule allI, assumption) +apply fast +done + +lemma Weaken: "\A |\ C'; C \ C'\ \ A |\ C" +apply (rule hoare.ConjI) +apply clarify +apply (drule hoare.ConjE) +apply fast +apply assumption +done + +lemma Union: "A |\ (\z. C z) = (\z. A |\ C z)" +by (auto intro: hoare.ConjI hoare.ConjE) + +lemma Impl': + "\z. A\ (\z. (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms) ||- + (\(C,m). (P z C m, body C m, Q (z::state) C m))`ms ==> + A ||- (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms" +apply (drule Union[THEN iffD2]) +apply (drule hoare.Impl) +apply (drule Union[THEN iffD1]) +apply (erule spec) +done + +lemma Impl1: + "\\z. A\ (\z. (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms) ||- + (\(C,m). (P z C m, body C m, Q (z::state) C m))`ms; + (C,m)\ ms\ \ + A \ {P z C m} Impl C m {Q (z::state) C m}" +apply (drule Impl') +apply (erule Weaken) +apply (auto del: image_eqI intro: rev_image_eqI) +done + +end