# HG changeset patch # User oheimb # Date 997267008 -7200 # Node ID 06c1998340a8ba9b8fa90330f7d5d84b9b2c9814 # Parent 11402be6e4b0fcf642c94c602bd7f61d1a0f2af4 changed to full expressions with side effects diff -r 11402be6e4b0 -r 06c1998340a8 src/HOL/NanoJava/AxSem.thy --- a/src/HOL/NanoJava/AxSem.thy Tue Aug 07 22:42:22 2001 +0200 +++ b/src/HOL/NanoJava/AxSem.thy Wed Aug 08 12:36:48 2001 +0200 @@ -9,102 +9,150 @@ theory AxSem = State: types assn = "state => bool" - triple = "assn \ stmt \ assn" + vassn = "val \ assn" + triple = "assn \ stmt \ assn" + etriple = "assn \ expr \ vassn" translations "assn" \ (type)"state => bool" - "triple" \ (type)"assn \ stmt \ assn" + "vassn" \ (type)"val => assn" + "triple" \ (type)"assn \ stmt \ assn" + "etriple" \ (type)"assn \ expr \ vassn" -consts hoare :: "(triple set \ triple set) set" +consts hoare :: "(triple set \ triple set) set" +consts ehoare :: "(triple set \ etriple ) set" syntax (xsymbols) "@hoare" :: "[triple set, triple set ] => bool" ("_ |\/ _" [61,61] 60) "@hoare1" :: "[triple set, assn,stmt,assn] => bool" ("_ \/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3]60) +"@ehoare" :: "[triple set, etriple ] => bool" ("_ |\e/ _"[61,61]60) +"@ehoare1" :: "[triple set, assn,expr,vassn]=> bool" + ("_ \e/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3]60) syntax "@hoare" :: "[triple set, triple set ] => bool" ("_ ||-/ _" [61,61] 60) "@hoare1" :: "[triple set, assn,stmt,assn] => bool" ("_ |-/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3] 60) +"@ehoare" :: "[triple set, etriple ] => bool" ("_ ||-e/ _"[61,61] 60) +"@ehoare1" :: "[triple set, assn,expr,vassn]=> bool" + ("_ |-e/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3] 60) -translations "A |\ C" \ "(A,C) \ hoare" - "A \ {P}c{Q}" \ "A |\ {(P,c,Q)}" +translations "A |\ C" \ "(A,C) \ hoare" + "A \ {P}c{Q}" \ "A |\ {(P,c,Q)}" + "A |\e t" \ "(A,t) \ ehoare" + "A |\e (P,e,Q)" \ "(A,P,e,Q) \ ehoare" (** shouldn't be necess.**) + "A \e{P}e{Q}" \ "A |\e (P,e,Q)" -inductive hoare + +inductive hoare ehoare intros Skip: "A |- {P} Skip {P}" Comp: "[| A |- {P} c1 {Q}; A |- {Q} c2 {R} |] ==> A |- {P} c1;;c2 {R}" - Cond: "[| A |- {\s. P s \ s \ Null} c1 {Q}; - A |- {\s. P s \ s = Null} c2 {Q} |] ==> - A |- {P} If(e) c1 Else c2 {Q}" + Cond: "[| A |-e {P} e {Q}; + \v. A |- {Q v} (if v \ Null then c1 else c2) {R} |] ==> + A |- {P} If(e) c1 Else c2 {R}" + + Loop: "A |- {\s. P s \ s \ Null} c {P} ==> + A |- {P} While(x) c {\s. P s \ s = Null}" - Loop: "A |- {\s. P s \ s \ Null} c {P} ==> - A |- {P} While(e) c {\s. P s \ s = Null}" + LAcc: "A |-e {\s. P (s) s} LAcc x {P}" - NewC: "A |- {\s.\a. new_Addr s=Addr a--> P (lupd(x|->Addr a)(new_obj a C s))} - x:=new C {P}" + LAss: "A |-e {P} e {\v s. Q (lupd(x\v) s)} ==> + A |- {P} x:==e {Q}" + + FAcc: "A |-e {P} e {\v s. \a. v=Addr a --> Q (get_field s a f) s} ==> + A |-e {P} e..f {Q}" - Cast: "A |- {\s.(case s of Null=> True | Addr a=> obj_class s a <=C C) --> - P (lupd(x|->s) s)} x:=(C)y {P}" + FAss: "[| A |-e {P} e1 {\v s. \a. v=Addr a --> Q a s}; + \a. A |-e {Q a} e2 {\v s. R (upd_obj a f v s)} |] ==> + A |- {P} e1..f:==e2 {R}" - FAcc: "A |- {\s.\a. s=Addr a-->P(lupd(x|->get_field s a f) s)} x:=y..f{P}" + NewC: "A |-e {\s. \a. new_Addr s = Addr a --> P (Addr a) (new_obj a C s)} + new C {P}" - FAss: "A |- {\s. \a. s=Addr a --> P (upd_obj a f (s) s)} y..f:=x {P}" + Cast: "A |-e {P} e {\v s. (case v of Null => True + | Addr a => obj_class s a <=C C) --> Q v s} ==> + A |-e {P} Cast C e {Q}" - Call: "\l. A |- {\s'. \s. P s \ l = s \ - s' = lupd(This|->s)(lupd(Param|->s

)(init_locs C m s))} - Meth C m {\s. Q (lupd(x|->s)(set_locs l s))} ==> - A |- {P} x:={C}y..m(p) {Q}" + Call: "[| A |-e {P} e1 {Q}; \a. A |-e {Q a} e2 {R a}; + \a p l. A |- {\s'. \s. R a p s \ l = s \ + s' = lupd(This\a)(lupd(Param\p)(init_locs C m s))} + Meth C m {\s. S (s) (set_locs l s)} |] ==> + A |-e {P} {C}e1..m(e2) {S}" Meth: "\D. A |- {\s. \a. s = Addr a \ D=obj_class s a \ D <=C C \ P s} Impl D m {Q} ==> A |- {P} Meth C m {Q}" (*\z instead of \z in the conclusion and - z restricted to type state due to limitations of the inductive paackage *) + z restricted to type state due to limitations of the inductive package *) Impl: "A\ (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms) ||- (\z::state. (\(C,m). (P z C m, body C m, Q z C m))`ms) ==> A ||- (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms)" (* structural rules *) - (* z restricted to type state due to limitations of the inductive paackage *) + Asm: " a \ A ==> A ||- {a}" + + ConjI: " \c \ C. A ||- {c} ==> A ||- C" + + ConjE: "[|A ||- C; c \ C |] ==> A ||- {c}" + + (* z restricted to type state due to limitations of the inductive package *) Conseq:"[| \z::state. A |- {P' z} c {Q' z}; \s t. (\z::state. P' z s --> Q' z t) --> (P s --> Q t) |] ==> A |- {P} c {Q }" - Asm: " a \ A ==> A ||- {a}" - - ConjI: " \c \ C. A ||- {c} ==> A ||- C" - - ConjE: "[|A ||- C; c \ C |] ==> A ||- {c}"; + (* z restricted to type state due to limitations of the inductive package *) + eConseq:"[| \z::state. A |-e {P' z} c {Q' z}; + \s v t. (\z::state. P' z s --> Q' z v t) --> (P s --> Q v t) |] ==> + A |-e {P} c {Q }" subsection "Derived Rules" lemma Conseq1: "\A \ {P'} c {Q}; \s. P s \ P' s\ \ A \ {P} c {Q}" -apply (rule hoare.Conseq) +apply (rule hoare_ehoare.Conseq) +apply (rule allI, assumption) +apply fast +done + +lemma Conseq2: "\A \ {P} c {Q'}; \t. Q' t \ Q t\ \ A \ {P} c {Q}" +apply (rule hoare_ehoare.Conseq) +apply (rule allI, assumption) +apply fast +done + +lemma eConseq1: "\A \e {P'} e {Q}; \s. P s \ P' s\ \ A \e {P} e {Q}" +apply (rule hoare_ehoare.eConseq) +apply (rule allI, assumption) +apply fast +done + +lemma eConseq2: "\A \e {P} e {Q'}; \v t. Q' v t \ Q v t\ \ A \e {P} e {Q}" +apply (rule hoare_ehoare.eConseq) apply (rule allI, assumption) apply fast done lemma Weaken: "\A |\ C'; C \ C'\ \ A |\ C" -apply (rule hoare.ConjI) +apply (rule hoare_ehoare.ConjI) apply clarify -apply (drule hoare.ConjE) +apply (drule hoare_ehoare.ConjE) apply fast apply assumption done lemma Union: "A |\ (\z. C z) = (\z. A |\ C z)" -by (auto intro: hoare.ConjI hoare.ConjE) +by (auto intro: hoare_ehoare.ConjI hoare_ehoare.ConjE) lemma Impl': "\z. A\ (\z. (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms) ||- (\(C,m). (P z C m, body C m, Q (z::state) C m))`ms ==> A ||- (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms" apply (drule Union[THEN iffD2]) -apply (drule hoare.Impl) +apply (drule hoare_ehoare.Impl) apply (drule Union[THEN iffD1]) apply (erule spec) done diff -r 11402be6e4b0 -r 06c1998340a8 src/HOL/NanoJava/Equivalence.thy --- a/src/HOL/NanoJava/Equivalence.thy Tue Aug 07 22:42:22 2001 +0200 +++ b/src/HOL/NanoJava/Equivalence.thy Wed Aug 08 12:36:48 2001 +0200 @@ -11,71 +11,79 @@ subsection "Validity" constdefs - valid :: "[assn,stmt,assn] => bool" ("|= {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) - "|= {P} c {Q} \ \s t. P s --> (\n. s -c-n-> t) --> Q t" + valid :: "[assn,stmt, assn] => bool" ("|= {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + "|= {P} c {Q} \ \s t. P s --> (\n. s -c -n-> t) --> Q t" + + evalid :: "[assn,expr,vassn] => bool" ("|=e {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + "|=e {P} e {Q} \ \s v t. P s --> (\n. s -e>v-n-> t) --> Q v t" + - nvalid :: "[nat, triple ] => bool" ("|=_: _" [61,61] 60) - "|=n: t \ let (P,c,Q) = t in \s t. s -c-n-> t --> P s --> Q t" + nvalid :: "[nat, triple ] => bool" ("|=_: _" [61,61] 60) + "|=n: t \ let (P,c,Q) = t in \s t. s -c -n-> t --> P s --> Q t" - nvalids :: "[nat, triple set] => bool" ("||=_: _" [61,61] 60) +envalid :: "[nat,etriple ] => bool" ("|=_:e _" [61,61] 60) + "|=n:e t \ let (P,e,Q) = t in \s v t. s -e>v-n-> t --> P s --> Q v t" + + nvalids :: "[nat, triple set] => bool" ("||=_: _" [61,61] 60) "||=n: T \ \t\T. |=n: t" - cnvalids :: "[triple set,triple set] => bool" ("_ ||=/ _"[61,61] 60) - "A ||= C \ \n. ||=n: A --> ||=n: C" + cnvalids :: "[triple set,triple set] => bool" ("_ ||=/ _" [61,61] 60) + "A ||= C \ \n. ||=n: A --> ||=n: C" + +cenvalid :: "[triple set,etriple ] => bool" ("_ ||=e/ _" [61,61] 60) + "A ||=e t \ \n. ||=n: A --> |=n:e t" syntax (xsymbols) - valid :: "[assn,stmt,assn] => bool" ("\ {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) - nvalid :: "[nat, triple ] => bool" ("\_: _" [61,61] 60) - nvalids :: "[nat, triple set] => bool" ("|\_: _" [61,61] 60) + valid :: "[assn,stmt, assn] => bool" ( "\ {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + evalid :: "[assn,expr,vassn] => bool" ("\e {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + nvalid :: "[nat, triple ] => bool" ("\_: _" [61,61] 60) + envalid :: "[nat,etriple ] => bool" ("\_:e _" [61,61] 60) + nvalids :: "[nat, triple set] => bool" ("|\_: _" [61,61] 60) cnvalids :: "[triple set,triple set] => bool" ("_ |\/ _" [61,61] 60) +cenvalid :: "[triple set,etriple ] => bool" ("_ |\e/ _"[61,61] 60) -syntax - nvalid1::"[nat, assn,stmt,assn] => bool" ( "|=_:.{(1_)}/ (_)/ {(1_)}" - [61,3,90,3] 60) - cnvalid1::"[triple set, assn,stmt,assn] => bool" ("_ ||=.{(1_)}/ (_)/ {(1_)}" - [61,3,90,3] 60) -syntax (xsymbols) - nvalid1::"[nat, assn,stmt,assn] => bool" ( "\_:.{(1_)}/ (_)/ {(1_)}" - [61,3,90,3] 60) - cnvalid1::"[triple set, assn,stmt,assn] => bool" ( "_ |\.{(1_)}/ (_)/ {(1_)}" - [61,3,90,3] 60) -translations - " \n:.{P} c {Q}" \ " \n: (P,c,Q)" - "A |\.{P} c {Q}" \ "A |\ {(P,c,Q)}" -lemma nvalid1_def2: "\n:.{P} c {Q} \ \s t. s -c-n\ t \ P s \ Q t" +lemma nvalid_def2: "\n: (P,c,Q) \ \s t. s -c-n\ t \ P s \ Q t" by (simp add: nvalid_def Let_def) -lemma cnvalid1_def2: - "A |\.{P} c {Q} \ \n. |\n: A \ (\s t. s -c-n\ t \ P s \ Q t)" -by(simp add: nvalid1_def2 nvalids_def cnvalids_def) - -lemma valid_def2: "\ {P} c {Q} = (\n. \n:.{P} c {Q})" -apply (simp add: valid_def nvalid1_def2) +lemma valid_def2: "\ {P} c {Q} = (\n. \n: (P,c,Q))" +apply (simp add: valid_def nvalid_def2) apply blast done +lemma envalid_def2: "\n:e (P,e,Q) \ \s v t. s -e\v-n\ t \ P s \ Q v t" +by (simp add: envalid_def Let_def) + +lemma evalid_def2: "\e {P} e {Q} = (\n. \n:e (P,e,Q))" +apply (simp add: evalid_def envalid_def2) +apply blast +done + +lemma cenvalid_def2: + "A|\e (P,e,Q) = (\n. |\n: A \ (\s v t. s -e\v-n\ t \ P s \ Q v t))" +by(simp add: cenvalid_def envalid_def2) + subsection "Soundness" -declare exec_elim_cases [elim!] +declare exec_elim_cases [elim!] eval_elim_cases [elim!] -lemma Impl_nvalid_0: "\0:.{P} Impl C m {Q}" -by (clarsimp simp add: nvalid1_def2) +lemma Impl_nvalid_0: "\0: (P,Impl C m,Q)" +by (clarsimp simp add: nvalid_def2) -lemma Impl_nvalid_Suc: "\n:.{P} body C m {Q} \ \Suc n:.{P} Impl C m {Q}" -by (clarsimp simp add: nvalid1_def2) +lemma Impl_nvalid_Suc: "\n: (P,body C m,Q) \ \Suc n: (P,Impl C m,Q)" +by (clarsimp simp add: nvalid_def2) lemma nvalid_SucD: "\t. \Suc n:t \ \n:t" -by (force simp add: split_paired_all nvalid1_def2 intro: exec_mono) +by (force simp add: split_paired_all nvalid_def2 intro: exec_mono) lemma nvalids_SucD: "Ball A (nvalid (Suc n)) \ Ball A (nvalid n)" by (fast intro: nvalid_SucD) lemma Loop_sound_lemma [rule_format (no_asm)]: -"\\s t. s -c-n\ t \ P s \ s \ Null \ P t; s -c0-n0\ t\ \ - P s \ c0 = While (e) c \ n0 = n \ P t \ t = Null" -apply (erule exec.induct) +"\s t. s -c-n\ t \ P s \ s \ Null \ P t \ + (s -c0-n0\ t \ P s \ c0 = While (x) c \ n0 = n \ P t \ t = Null)" +apply (rule_tac "P2.1"="%s e v n t. True" in exec_eval.induct [THEN conjunct1]) apply clarsimp+ done @@ -84,27 +92,47 @@ (C, m) \ ms; Ball A (nvalid na); Ball B (nvalid na)\ \ nvalid na (f z C m)" by blast -lemma hoare_sound_main: "A |\ C \ A |\ C" -apply (erule hoare.induct) -apply (simp_all only: cnvalid1_def2) -apply clarsimp -apply clarsimp -apply (clarsimp split add: split_if_asm) -apply (clarsimp,tactic "smp_tac 1 1",erule(2) Loop_sound_lemma,(rule HOL.refl)+) -apply clarsimp -apply clarsimp -apply clarsimp -apply clarsimp +lemma all_conjunct2: "\l. P' l \ P l \ \l. P l" +by fast + +lemma all3_conjunct2: + "\a p l. (P' a p l \ P a p l) \ \a p l. P a p l" +by fast + +lemma cnvalid1_eq: + "A |\ {(P,c,Q)} \ \n. |\n: A \ (\s t. s -c-n\ t \ P s \ Q t)" +by(simp add: cnvalids_def nvalids_def nvalid_def2) + +lemma hoare_sound_main:"\t. (A |\ C \ A |\ C) \ (A |\e t \ A |\e t)" +apply (tactic "split_all_tac 1", rename_tac P e Q) +apply (rule hoare_ehoare.induct) +apply (tactic {* ALLGOALS (REPEAT o dresolve_tac [thm "all_conjunct2", thm "all3_conjunct2"]) *}) +apply (tactic {* ALLGOALS (REPEAT o thin_tac "?x : hoare") *}) +apply (tactic {* ALLGOALS (REPEAT o thin_tac "?x : ehoare") *}) +apply (simp_all only: cnvalid1_eq cenvalid_def2) +apply fast +apply fast +apply fast +apply (clarify,tactic "smp_tac 1 1",erule(2) Loop_sound_lemma,(rule HOL.refl)+) +apply fast +apply fast +apply fast +apply fast +apply fast +apply fast apply (clarsimp del: Meth_elim_cases) (* Call *) +apply (tactic "smp_tac 1 1", tactic "smp_tac 3 1", tactic "smp_tac 0 1") +apply (tactic "smp_tac 2 1", tactic "smp_tac 3 1", tactic "smp_tac 0 1") +apply (tactic "smp_tac 4 1", tactic "smp_tac 2 1", fast) apply (clarsimp del: Impl_elim_cases) (* Meth *) defer -apply blast (* Conseq *) +prefer 4 apply blast (* Conseq *) +prefer 4 apply blast (* eConseq *) apply (simp_all (no_asm_use) only: cnvalids_def nvalids_def) apply blast apply blast apply blast (* Impl *) -apply (erule thin_rl) apply (rule allI) apply (induct_tac "n") apply (clarify intro!: Impl_nvalid_0) @@ -116,35 +144,51 @@ theorem hoare_sound: "{} \ {P} c {Q} \ \ {P} c {Q}" apply (simp only: valid_def2) -apply (drule hoare_sound_main) +apply (drule hoare_sound_main [THEN conjunct1, rule_format]) apply (unfold cnvalids_def nvalids_def) apply fast done +theorem ehoare_sound: "{} \e {P} e {Q} \ \e {P} e {Q}" +apply (simp only: evalid_def2) +apply (drule hoare_sound_main [THEN conjunct2, rule_format]) +apply (unfold cenvalid_def nvalids_def) +apply fast +done + subsection "(Relative) Completeness" -constdefs MGT :: "stmt => state => triple" - "MGT c z \ (\ s. z = s, c, %t. \n. z -c-n-> t)" +constdefs MGT :: "stmt => state => triple" + "MGT c z \ (\s. z = s, c, \ t. \n. z -c- n-> t)" + eMGT :: "expr => state => etriple" + "eMGT e z \ (\s. z = s, e, \v t. \n. z -e>v-n-> t)" lemma MGF_implies_complete: - "\z. {} |\ {MGT c z} \ \ {P} c {Q} \ {} \ {P} c {Q}" + "\z. {} |\ { MGT c z} \ \ {P} c {Q} \ {} \ {P} c {Q}" apply (simp only: valid_def2) apply (unfold MGT_def) -apply (erule hoare.Conseq) -apply (clarsimp simp add: nvalid1_def2) +apply (erule hoare_ehoare.Conseq) +apply (clarsimp simp add: nvalid_def2) done +lemma eMGF_implies_complete: + "\z. {} |\e eMGT e z \ \e {P} e {Q} \ {} \e {P} e {Q}" +apply (simp only: evalid_def2) +apply (unfold eMGT_def) +apply (erule hoare_ehoare.eConseq) +apply (clarsimp simp add: envalid_def2) +done -declare exec.intros[intro!] +declare exec_eval.intros[intro!] lemma MGF_Loop: "\z. A \ {op = z} c {\t. \n. z -c-n\ t} \ A \ {op = z} While (e) c {\t. \n. z -While (e) c-n\ t}" apply (rule_tac P' = "\z s. (z,s) \ ({(s,t). \n. s \ Null \ s -c-n\ t})^*" - in hoare.Conseq) + in hoare_ehoare.Conseq) apply (rule allI) -apply (rule hoare.Loop) -apply (erule hoare.Conseq) +apply (rule hoare_ehoare.Loop) +apply (erule hoare_ehoare.Conseq) apply clarsimp apply (blast intro:rtrancl_into_rtrancl) apply (erule thin_rl) @@ -154,62 +198,85 @@ apply (erule converse_rtrancl_induct) apply blast apply clarsimp -apply (drule (1) exec_max2) +apply (drule (1) exec_exec_max) apply (blast del: exec_elim_cases) done -lemma MGF_lemma[rule_format]: - "(\C m z. A |\ {MGT (Impl C m) z}) \ (\z. A |\ {MGT c z})" -apply (simp add: MGT_def) -apply (induct_tac c) -apply (tactic "ALLGOALS Clarify_tac") +lemma MGF_lemma: "\C m z. A |\ {MGT (Impl C m) z} \ + (\z. A |\ {MGT c z}) \ (\z. A |\e eMGT e z)" +apply (simp add: MGT_def eMGT_def) +apply (rule stmt_expr.induct) +apply (rule_tac [!] allI) -apply (rule Conseq1 [OF hoare.Skip]) +apply (rule Conseq1 [OF hoare_ehoare.Skip]) apply blast -apply (rule hoare.Comp) +apply (rule hoare_ehoare.Comp) apply (erule spec) -apply (erule hoare.Conseq) -apply (erule thin_rl, erule thin_rl) +apply (erule hoare_ehoare.Conseq) apply clarsimp -apply (drule (1) exec_max2) +apply (drule (1) exec_exec_max) apply blast -apply (rule hoare.Cond) -apply (erule hoare.Conseq) -apply (erule thin_rl, erule thin_rl) -apply force -apply (erule hoare.Conseq) -apply (erule thin_rl, erule thin_rl) -apply force +apply (erule thin_rl) +apply (rule hoare_ehoare.Cond) +apply (erule spec) +apply (rule allI) +apply (simp) +apply (rule conjI) +apply (rule impI, erule hoare_ehoare.Conseq, clarsimp, drule (1) eval_exec_max, + erule thin_rl, erule thin_rl, force)+ apply (erule MGF_Loop) -apply (rule Conseq1 [OF hoare.NewC]) -apply blast +apply (erule hoare_ehoare.eConseq [THEN hoare_ehoare.LAss]) +apply fast -apply (rule Conseq1 [OF hoare.Cast]) -apply blast - -apply (rule Conseq1 [OF hoare.FAcc]) +apply (erule thin_rl) +apply (rule_tac Q = "\a s. \n. z -expr1\Addr a-n\ s" in hoare_ehoare.FAss) +apply (drule spec) +apply (erule eConseq2) +apply fast +apply (rule allI) +apply (erule hoare_ehoare.eConseq) +apply clarsimp +apply (drule (1) eval_eval_max) apply blast -apply (rule Conseq1 [OF hoare.FAss]) -apply blast - -apply (rule hoare.Call) -apply (rule allI) -apply (rule hoare.Meth) +apply (rule hoare_ehoare.Meth) apply (rule allI) -apply (drule spec, drule spec, erule hoare.Conseq) -apply blast - -apply (rule hoare.Meth) -apply (rule allI) -apply (drule spec, drule spec, erule hoare.Conseq) +apply (drule spec, drule spec, erule hoare_ehoare.Conseq) apply blast apply blast + +apply (rule eConseq1 [OF hoare_ehoare.NewC]) +apply blast + +apply (erule hoare_ehoare.eConseq [THEN hoare_ehoare.Cast]) +apply fast + +apply (rule eConseq1 [OF hoare_ehoare.LAcc]) +apply blast + +apply (erule hoare_ehoare.eConseq [THEN hoare_ehoare.FAcc]) +apply fast + +apply (rule_tac R = "\a v s. \n1 n2 t. z -expr1\a-n1\ t \ t -expr2\v-n2\ s" in + hoare_ehoare.Call) +apply (erule spec) +apply (rule allI) +apply (erule hoare_ehoare.eConseq) +apply clarsimp +apply blast +apply (rule allI)+ +apply (rule hoare_ehoare.Meth) +apply (rule allI) +apply (drule spec, drule spec, erule hoare_ehoare.Conseq) +apply (erule thin_rl, erule thin_rl) +apply (clarsimp del: Impl_elim_cases) +apply (drule (2) eval_eval_exec_max) +apply (fast del: Impl_elim_cases) done lemma MGF_Impl: "{} |\ {MGT (Impl C m) z}" @@ -217,12 +284,12 @@ apply (rule Impl1) apply (rule_tac [2] UNIV_I) apply clarsimp -apply (rule hoare.ConjI) +apply (rule hoare_ehoare.ConjI) apply clarsimp apply (rule ssubst [OF Impl_body_eq]) apply (fold MGT_def) -apply (rule MGF_lemma) -apply (rule hoare.Asm) +apply (rule MGF_lemma [THEN conjunct1, rule_format]) +apply (rule hoare_ehoare.Asm) apply force done @@ -230,7 +297,15 @@ apply (rule MGF_implies_complete) apply (erule_tac [2] asm_rl) apply (rule allI) -apply (rule MGF_lemma) +apply (rule MGF_lemma [THEN conjunct1, rule_format]) +apply (rule MGF_Impl) +done + +theorem ehoare_relative_complete: "\e {P} e {Q} \ {} \e {P} e {Q}" +apply (rule eMGF_implies_complete) +apply (erule_tac [2] asm_rl) +apply (rule allI) +apply (rule MGF_lemma [THEN conjunct2, rule_format]) apply (rule MGF_Impl) done diff -r 11402be6e4b0 -r 06c1998340a8 src/HOL/NanoJava/OpSem.thy --- a/src/HOL/NanoJava/OpSem.thy Tue Aug 07 22:42:22 2001 +0200 +++ b/src/HOL/NanoJava/OpSem.thy Wed Aug 08 12:36:48 2001 +0200 @@ -9,81 +9,116 @@ theory OpSem = State: consts - exec :: "(state \ stmt \ nat \ state) set" + exec :: "(state \ stmt \ nat \ state) set" + eval :: "(state \ expr \ val \ nat \ state) set" syntax (xsymbols) - exec :: "[state, stmt, nat, state] => bool" ("_ -_-_\ _" [98,90,99,98] 89) + exec :: "[state,stmt, nat,state] => bool" ("_ -_-_\ _" [98,90, 99,98] 89) + eval :: "[state,expr,val,nat,state] => bool" ("_ -_\_-_\ _"[98,95,99,99,98] 89) syntax - exec :: "[state, stmt, nat, state] => bool" ("_ -_-_-> _" [98,90,99,98] 89) + exec :: "[state,stmt, nat,state] => bool" ("_ -_-_-> _" [98,90, 99,98]89) + eval :: "[state,expr,val,nat,state] => bool" ("_ -_>_-_-> _"[98,95,99,99,98]89) translations - "s -c-n-> s'" == "(s, c, n, s') \ exec" + "s -c -n-> s'" == "(s, c, n, s') \ exec" + "s -e>v-n-> s'" == "(s, e, v, n, s') \ eval" -inductive exec intros +inductive exec eval intros Skip: " s -Skip-n-> s" Comp: "[| s0 -c1-n-> s1; s1 -c2-n-> s2 |] ==> s0 -c1;; c2-n-> s2" - Cond: "[| s -(if s \ Null then c1 else c2)-n-> s' |] ==> - s -If(e) c1 Else c2-n-> s'" + Cond: "[| s0 -e>v-n-> s1; s1 -(if v\Null then c1 else c2)-n-> s2 |] ==> + s0 -If(e) c1 Else c2-n-> s2" + + LoopF:" s0 = Null ==> + s0 -While(x) c-n-> s0" + LoopT:"[| s0 \ Null; s0 -c-n-> s1; s1 -While(x) c-n-> s2 |] ==> + s0 -While(x) c-n-> s2" - LoopF:" s0 = Null ==> - s0 -While(e) c-n-> s0" - LoopT:"[| s0 \ Null; s0 -c-n-> s1; s1 -While(e) c-n-> s2 |] ==> - s0 -While(e) c-n-> s2" + LAcc: " s -LAcc x>s-n-> s" + + LAss: " s -e>v-n-> s' ==> + s -x:==e-n-> lupd(x\v) s'" + + FAcc: " s -e>Addr a-n-> s' ==> + s -e..f>get_field s' a f-n-> s'" + + FAss: "[| s0 -e1>Addr a-n-> s1; s1 -e2>v-n-> s2 |] ==> + s0 -e1..f:==e2-n-> upd_obj a f v s2" NewC: " new_Addr s = Addr a ==> - s -x:=new C-n-> lupd(x\Addr a)(new_obj a C s)" - - Cast: " (case s of Null => True | Addr a => obj_class s a \C C) ==> - s -x:=(C)y-n-> lupd(x\s) s" + s -new C>Addr a-n-> new_obj a C s" - FAcc: " s = Addr a ==> - s -x:=y..f-n-> lupd(x\get_field s a f) s" + Cast: "[| s -e>v-n-> s'; + case v of Null => True | Addr a => obj_class s' a \C C |] ==> + s -Cast C e>v-n-> s'" - FAss: " s = Addr a ==> - s -y..f:=x-n-> upd_obj a f (s) s" - - Call: "lupd(This\s)(lupd(Param\s

)(init_locs C m s))-Meth C m -n-> s'==> - s -x:={C}y..m(p)-n-> lupd(x\s')(set_locs s s')" + Call: "[| s0 -e1>a-n-> s1; s1 -e2>p-n-> s2; + lupd(This\a)(lupd(Param\p)(init_locs C m s2)) -Meth C m-n-> s3 + |] ==> s0 -{C}e1..m(e2)>s3-n-> set_locs s2 s3" Meth: "[| s = Addr a; obj_class s a\C C; s -Impl (obj_class s a) m-n-> s' |] ==> s -Meth C m-n-> s'" - Impl: " s -body C m- n-> s' ==> + Impl: " s -body C m-n-> s' ==> s -Impl C m-Suc n-> s'" + inductive_cases exec_elim_cases': - "s -Skip -n-> t" - "s -c1;; c2 -n-> t" - "s -If(e) c1 Else c2-n-> t" - "s -While(e) c -n-> t" - "s -x:=new C -n-> t" - "s -x:=(C)y -n-> t" - "s -x:=y..f -n-> t" - "s -y..f:=x -n-> t" - "s -x:={C}y..m(p) -n-> t" -inductive_cases Meth_elim_cases: "s -Meth C m -n-> t" -inductive_cases Impl_elim_cases: "s -Impl C m -n-> t" + "s -Skip -n\ t" + "s -c1;; c2 -n\ t" + "s -If(e) c1 Else c2-n\ t" + "s -While(x) c -n\ t" + "s -x:==e -n\ t" + "s -e1..f:==e2 -n\ t" +inductive_cases Meth_elim_cases: "s -Meth C m-n\ t" +inductive_cases Impl_elim_cases: "s -Impl C m-n\ t" lemmas exec_elim_cases = exec_elim_cases' Meth_elim_cases Impl_elim_cases +inductive_cases eval_elim_cases: + "s -new C \v-n\ t" + "s -Cast C e \v-n\ t" + "s -LAcc x \v-n\ t" + "s -e..f \v-n\ t" + "s -{C}e1..m(e2) \v-n\ t" -lemma exec_mono [rule_format]: "s -c-n\ t \ \m. n \ m \ s -c-m\ t" -apply (erule exec.induct) -prefer 12 (* Impl *) +lemma exec_eval_mono [rule_format]: + "(s -c -n\ t \ (\m. n \ m \ s -c -m\ t)) \ + (s -e\v-n\ t \ (\m. n \ m \ s -e\v-m\ t))" +apply (rule exec_eval.induct) +prefer 14 (* Impl *) apply clarify apply (rename_tac n) apply (case_tac n) -apply (blast intro:exec.intros)+ +apply (blast intro:exec_eval.intros)+ done +lemmas exec_mono = exec_eval_mono [THEN conjunct1, rule_format] +lemmas eval_mono = exec_eval_mono [THEN conjunct2, rule_format] + +lemma exec_exec_max: "\s1 -c1- n1 \ t1 ; s2 -c2- n2\ t2\ \ + s1 -c1-max n1 n2\ t1 \ s2 -c2-max n1 n2\ t2" +by (fast intro: exec_mono le_maxI1 le_maxI2) -lemma exec_max2: "\s1 -c1- n1 \ t1 ; s2 -c2- n2\ t2\ \ - s1 -c1-max n1 n2\ t1 \ s2 -c2-max n1 n2\ t2" -by (fast intro: exec_mono le_maxI1 le_maxI2) +lemma eval_exec_max: "\s1 -c- n1 \ t1 ; s2 -e\v- n2\ t2\ \ + s1 -c-max n1 n2\ t1 \ s2 -e\v-max n1 n2\ t2" +by (fast intro: eval_mono exec_mono le_maxI1 le_maxI2) + +lemma eval_eval_max: "\s1 -e1\v1- n1 \ t1 ; s2 -e2\v2- n2\ t2\ \ + s1 -e1\v1-max n1 n2\ t1 \ s2 -e2\v2-max n1 n2\ t2" +by (fast intro: eval_mono le_maxI1 le_maxI2) + +lemma eval_eval_exec_max: + "\s1 -e1\v1-n1\ t1; s2 -e2\v2-n2\ t2; s3 -c-n3\ t3\ \ + s1 -e1\v1-max (max n1 n2) n3\ t1 \ + s2 -e2\v2-max (max n1 n2) n3\ t2 \ + s3 -c -max (max n1 n2) n3\ t3" +apply (drule (1) eval_eval_max, erule thin_rl) +by (fast intro: exec_mono eval_mono le_maxI1 le_maxI2) lemma Impl_body_eq: "(\t. \n. z -Impl C m-n\ t) = (\t. \n. z -body C m-n\ t)" apply (rule ext) -apply (fast elim: exec_elim_cases intro: exec.Impl) +apply (fast elim: exec_elim_cases intro: exec_eval.Impl) done end \ No newline at end of file diff -r 11402be6e4b0 -r 06c1998340a8 src/HOL/NanoJava/Term.thy --- a/src/HOL/NanoJava/Term.thy Tue Aug 07 22:42:22 2001 +0200 +++ b/src/HOL/NanoJava/Term.thy Wed Aug 08 12:36:48 2001 +0200 @@ -23,20 +23,22 @@ datatype stmt = Skip (* empty statement *) - | Comp stmt stmt ("_;; _" [91,90] 90) - | Cond vname stmt stmt ("If '(_') _ Else _" [99,91,91] 91) + | Comp stmt stmt ("_;; _" [91,90 ] 90) + | Cond expr stmt stmt ("If '(_') _ Else _" [99,91,91] 91) | Loop vname stmt ("While '(_') _" [99,91 ] 91) - - | NewC vname cname ("_:=new _" [99, 99] 95) (* object creation *) - | Cast vname cname vname ("_:='(_')_" [99,99,99] 95) (* assignment, cast *) - | FAcc vname vname vnam ("_:=_.._" [99,99,99] 95) (* field access *) - | FAss vname vnam vname ("_.._:=_" [99,99,99] 95) (* field assigment *) - | Call vname cname vname mname vname (* method call *) - ("_:={_}_.._'(_')" [99,99,99,99,99] 95) + | LAss vname expr ("_ :== _" [99, 95] 94) (* local ass. *) + | FAss expr vnam expr ("_.._:==_" [95,99,95] 94) (* field ass. *) | Meth cname mname (* virtual method *) | Impl cname mname (* method implementation *) +and expr + = NewC cname ("new _" [ 99] 95) (* object creation *) + | Cast cname expr (* type cast *) + | LAcc vname (* local access *) + | FAcc expr vnam ("_.._" [95,99] 95) (* field access *) + | Call cname expr mname expr (* method call *) + ("{_}_.._'(_')" [99,95,99,95] 95) -(*###TO Product_Type_lemmas.ML*) + lemma pair_imageI [intro]: "(a, b) \ A ==> f a b : (%(a, b). f a b) ` A" apply (rule_tac x = "(a,b)" in image_eqI) apply auto