# HG changeset patch # User kleing # Date 1017931680 -7200 # Node ID 1dd711c6b93c1c67b112ca36077f43a9e45f1e8b # Parent c2e4d99901626e17ebc09350faf6de91dcf39b4c flattened, uses locales diff -r c2e4d9990162 -r 1dd711c6b93c src/HOL/MicroJava/BV/LBVComplete.thy --- a/src/HOL/MicroJava/BV/LBVComplete.thy Thu Apr 04 16:47:44 2002 +0200 +++ b/src/HOL/MicroJava/BV/LBVComplete.thy Thu Apr 04 16:48:00 2002 +0200 @@ -9,508 +9,366 @@ theory LBVComplete = LBVSpec + Typing_Framework: constdefs - contains_targets :: "['s steptype, 's certificate, 's option list, nat] \ bool" - "contains_targets step cert phi pc \ - \(pc',s') \ set (step pc (OK (phi!pc))). pc' \ pc+1 \ pc' < length phi \ cert!pc' = phi!pc'" + is_target :: "['s step_type, 's list, nat] \ bool" + "is_target step phi pc' \ + \pc s'. pc' \ pc+1 \ pc < length phi \ (pc',s') \ set (step pc (phi!pc))" - fits :: "['s steptype, 's certificate, 's option list] \ bool" - "fits step cert phi \ \pc. pc < length phi \ - contains_targets step cert phi pc \ - (cert!pc = None \ cert!pc = phi!pc)" + make_cert :: "['s step_type, 's list, 's] \ 's certificate" + "make_cert step phi B \ + map (\pc. if is_target step phi pc then phi!pc else B) [0..length phi(] @ [B]" + +locale lbvc = lbv + + fixes phi :: "'a list" ("\") + fixes c :: "'a list" + defines cert_def: "c \ make_cert step \ \" - is_target :: "['s steptype, 's option list, nat] \ bool" - "is_target step phi pc' \ - \pc s'. pc' \ pc+1 \ pc < length phi \ (pc',s') \ set (step pc (OK (phi!pc)))" + assumes mono: "mono r step (length \) A" + assumes pres: "pres_type step (length \) A" + assumes phi: "\pc < length \. \!pc \ A \ \!pc \ \" + assumes bounded: "bounded step (length \)" + + assumes B_neq_T: "\ \ \" + - make_cert :: "['s steptype, 's option list] \ 's certificate" - "make_cert step phi \ - map (\pc. if is_target step phi pc then phi!pc else None) [0..length phi(] @ [None]" +lemma (in lbvc) cert: "cert_ok c (length \) \ \ A" +proof (unfold cert_ok_def, intro strip conjI) + note [simp] = make_cert_def cert_def nth_append + + show "c!length \ = \" by simp - + fix pc assume pc: "pc < length \" + from pc phi B_A show "c!pc \ A" by simp + from pc phi B_neq_T show "c!pc \ \" by simp +qed + lemmas [simp del] = split_paired_Ex -lemma make_cert_target: - "\ pc < length phi; is_target step phi pc \ \ make_cert step phi ! pc = phi!pc" - by (simp add: make_cert_def nth_append) - -lemma make_cert_approx: - "\ pc < length phi; make_cert step phi ! pc \ phi!pc \ \ - make_cert step phi ! pc = None" - by (auto simp add: make_cert_def nth_append) -lemma make_cert_contains_targets: - "pc < length phi \ contains_targets step (make_cert step phi) phi pc" -proof (unfold contains_targets_def, clarify) - fix pc' s' - assume "pc < length phi" - "(pc',s') \ set (step pc (OK (phi ! pc)))" - "pc' \ pc+1" and - pc': "pc' < length phi" - hence "is_target step phi pc'" by (auto simp add: is_target_def) - with pc' show "make_cert step phi ! pc' = phi!pc'" - by (auto intro: make_cert_target) -qed +lemma (in lbvc) cert_target [intro?]: + "\ (pc',s') \ set (step pc (\!pc)); + pc' \ pc+1; pc < length \; pc' < length \ \ + \ c!pc' = \!pc'" + by (auto simp add: cert_def make_cert_def nth_append is_target_def) -theorem fits_make_cert: - "fits step (make_cert step phi) phi" - by (auto dest: make_cert_approx simp add: fits_def make_cert_contains_targets) -lemma fitsD: - "\ fits step cert phi; (pc',s') \ set (step pc (OK (phi!pc))); - pc' \ pc+1; pc < length phi; pc' < length phi \ - \ cert!pc' = phi!pc'" - by (auto simp add: fits_def contains_targets_def) - -lemma fitsD2: - "\ fits step cert phi; pc < length phi; cert!pc = Some s \ - \ cert!pc = phi!pc" - by (auto simp add: fits_def) +lemma (in lbvc) cert_approx [intro?]: + "\ pc < length \; c!pc \ \ \ + \ c!pc = \!pc" + by (auto simp add: cert_def make_cert_def nth_append) -lemma merge_mono: - assumes merge: "merge cert f r pc ss1 x = OK s1" - assumes less: "ss2 <=|Err.le (Opt.le r)| ss1" - assumes esl: "err_semilat (A, r, f)" - assumes x: "x \ err (opt A)" - assumes ss1: "\(pc', s')\set ss1. s' \ err (opt A)" - assumes ss2: "\(pc', s')\set ss2. s' \ err (opt A)" - shows "\s2. merge cert f r pc ss2 x = s2 \ s2 \|r (OK s1)" +lemma (in lbv) le_top [simp, intro]: + "x <=_r \" + by (insert top) simp + + +lemma (in lbv) merge_mono: + assumes less: "ss2 <=|r| ss1" + assumes x: "x \ A" + assumes ss1: "snd`set ss1 \ A" + assumes ss2: "snd`set ss2 \ A" + shows "merge c pc ss2 x <=_r merge c pc ss1 x" (is "?s2 <=_r ?s1") proof- - from esl have eosl: "err_semilat (opt A, Opt.le r, Opt.sup f)" - by - (drule semilat_opt, simp add: Opt.esl_def) - hence order: "order (Opt.le r)" .. - from esl x ss1 have "merge cert f r pc ss1 x = - (if \(pc', s')\set ss1. pc' \ pc + 1 \ s' \|r (OK (cert!pc')) - then (map snd [(p', t')\ss1 . p'=pc+1]) ++|f x - else Err)" - by (rule merge_def) - with merge obtain - app: "\(pc',s')\set ss1. pc' \ pc+1 \ s' \|r (OK (cert!pc'))" - (is "?app ss1") and - sum: "(map snd [(p',t')\ss1 . p' = pc+1] ++|f x) = OK s1" - (is "?map ss1 ++|f x = _" is "?sum ss1 = _") - by (simp split: split_if_asm) - from app less - have "?app ss2" - apply clarify - apply (drule lesub_step_typeD, assumption) - apply clarify - apply (drule bspec, assumption) - apply clarify - apply (drule order_trans [OF order], assumption) - apply blast - done + have "?s1 = \ \ ?thesis" by simp moreover { - have "set (?map ss1) \ snd`(set ss1)" by auto - also from ss1 have "snd`(set ss1) \ err (opt A)" by auto - finally have map1: "set (?map ss1) \ err (opt A)" . - with eosl x have "?sum ss1 \ err (opt A)" - by (auto intro!: plusplus_closed simp add: Err.sl_def) - with sum have "OK s1 \ err (opt A)" by simp - moreover - have mapD: "\x ss. x \ set (?map ss) \ \p. (p,x) \ set ss \ p=pc+1" by auto - from eosl x map1 - have "\x \ set (?map ss1). x \|r (?sum ss1)" - by clarify (rule semilat.pp_ub1, simp add: Err.sl_def) - with sum have "\x \ set (?map ss1). x \|r (OK s1)" by simp - with less have "\x \ set (?map ss2). x \|r (OK s1)" - apply clarify - apply (drule mapD) - apply clarify - apply (drule lesub_step_typeD, assumption) - apply clarify - apply simp - apply (erule allE, erule impE, assumption) - apply clarify - apply simp - apply (rule order_trans [OF order],assumption+) - done - moreover - from eosl map1 x have "x \|r (?sum ss1)" - by - (rule semilat.pp_ub2, simp add: Err.sl_def) - with sum have "x \|r (OK s1)" by simp + assume merge: "?s1 \ T" + from x ss1 have "?s1 = + (if \(pc', s')\set ss1. pc' \ pc + 1 \ s' <=_r c!pc' + then (map snd [(p', t')\ss1 . p'=pc+1]) ++_f x + else \)" + by (rule merge_def) + with merge obtain + app: "\(pc',s')\set ss1. pc' \ pc+1 \ s' <=_r c!pc'" + (is "?app ss1") and + sum: "(map snd [(p',t')\ss1 . p' = pc+1] ++_f x) = ?s1" + (is "?map ss1 ++_f x = _" is "?sum ss1 = _") + by (simp split: split_if_asm) + from app less + have "?app ss2" by (blast dest: trans_r lesub_step_typeD) moreover { - have "set (?map ss2) \ snd`(set ss2)" by auto - also from ss2 have "snd`(set ss2) \ err (opt A)" by auto - finally have "set (?map ss2) \ err (opt A)" . } - ultimately - have "?sum ss2 \|r (OK s1)" using eosl x - by - (rule semilat.pp_lub, simp add: Err.sl_def) - also obtain s2 where sum2: "?sum ss2 = s2" by blast - finally have "s2 \|r (OK s1)" . - with sum2 have "\s2. ?sum ss2 = s2 \ s2 \|r (OK s1)" by blast + from ss1 have map1: "set (?map ss1) \ A" by auto + with x have "?sum ss1 \ A" by (auto intro!: plusplus_closed) + with sum have "?s1 \ A" by simp + moreover + have mapD: "\x ss. x \ set (?map ss) \ \p. (p,x) \ set ss \ p=pc+1" by auto + from x map1 + have "\x \ set (?map ss1). x <=_r ?sum ss1" + by clarify (rule pp_ub1) + with sum have "\x \ set (?map ss1). x <=_r ?s1" by simp + with less have "\x \ set (?map ss2). x <=_r ?s1" + by (fastsimp dest!: mapD lesub_step_typeD intro: trans_r) + moreover + from map1 x have "x <=_r (?sum ss1)" by (rule pp_ub2) + with sum have "x <=_r ?s1" by simp + moreover + from ss2 have "set (?map ss2) \ A" by auto + ultimately + have "?sum ss2 <=_r ?s1" using x by - (rule pp_lub) + } + moreover + from x ss2 have + "?s2 = + (if \(pc', s')\set ss2. pc' \ pc + 1 \ s' <=_r c!pc' + then map snd [(p', t')\ss2 . p' = pc + 1] ++_f x + else \)" + by (rule merge_def) + ultimately have ?thesis by simp } - moreover - from esl x ss2 have - "merge cert f r pc ss2 x = - (if \(pc', s')\set ss2. pc' \ pc + 1 \ s' \|r (OK (cert!pc')) - then map snd [(p', t')\ss2 . p' = pc + 1] ++|f x - else Err)" - by (rule merge_def) - ultimately show ?thesis by simp + ultimately show ?thesis by (cases "?s1 = \") auto qed -lemma wtl_inst_mono: - assumes wtl: "wtl_inst cert f r step pc s1 = OK s1'" - assumes less: "OK s2 \|r (OK s1)" - assumes pc: "pc < n" - assumes s1: "s1 \ opt A" - assumes s2: "s2 \ opt A" - assumes esl: "err_semilat (A,r,f)" - assumes cert: "cert_ok cert n A" - assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))" - assumes pres: "pres_type step n (err (opt A))" - shows "\s2'. wtl_inst cert f r step pc s2 = OK s2' \ OK s2' \|r (OK s1')" +lemma (in lbvc) wti_mono: + assumes less: "s2 <=_r s1" + assumes pc: "pc < length \" + assumes s1: "s1 \ A" + assumes s2: "s2 \ A" + shows "wti c pc s2 <=_r wti c pc s1" (is "?s2' <=_r ?s1'") proof - - let "?step s1" = "step pc (OK s1)" - let ?cert = "OK (cert!Suc pc)" - from wtl - have "merge cert f r pc (?step s1) ?cert = OK s1'" by (simp add: wtl_inst_def) + from mono s2 have "step pc s2 <=|r| step pc s1" by - (rule monoD) moreover - have s2: "OK s2 \ err (opt A)" by simp - with mono have "?step s2 <=|Err.le (Opt.le r)| ?step s1" by - (rule monoD) - moreover note esl - moreover - from pc cert have "?cert \ err (opt A)" by (simp add: cert_okD3) - moreover - have s1: "OK s1 \ err (opt A)" by simp - with pres pc - have "\(pc', s')\set (?step s1). s' \ err (opt A)" - by (blast intro: pres_typeD) + from pc cert have "c!Suc pc \ A" by - (rule cert_okD3) + moreover + from pres s1 pc + have "snd`set (step pc s1) \ A" by (rule pres_typeD2) moreover from pres s2 pc - have "\(pc', s')\set (?step s2). s' \ err (opt A)" - by (blast intro: pres_typeD) + have "snd`set (step pc s2) \ A" by (rule pres_typeD2) ultimately - obtain s2' where "merge cert f r pc (?step s2) ?cert = s2' \ s2' \|r (OK s1')" - by (blast dest: merge_mono) - thus ?thesis by (simp add: wtl_inst_def) + show ?thesis by (simp add: wti merge_mono) qed -lemma wtl_cert_mono: - assumes wtl: "wtl_cert cert f r step pc s1 = OK s1'" - assumes less: "OK s2 \|r (OK s1)" - assumes pc: "pc < n" - assumes s1: "s1 \ opt A" - assumes s2: "s2 \ opt A" - assumes esl: "err_semilat (A,r,f)" - assumes cert: "cert_ok cert n A" - assumes mono: "mono (Err.le (Opt.le r)) step n (err (opt A))" - assumes pres: "pres_type step n (err (opt A))" - shows "\s2'. wtl_cert cert f r step pc s2 = OK s2' \ OK s2' \|r (OK s1')" -proof (cases "cert!pc") - case None - with wtl have "wtl_inst cert f r step pc s1 = OK s1'" - by (simp add: wtl_cert_def) - hence "\s2'. wtl_inst cert f r step pc s2 = OK s2' \ OK s2' \|r (OK s1')" - by - (rule wtl_inst_mono) - with None show ?thesis by (simp add: wtl_cert_def) +lemma (in lbvc) wtc_mono: + assumes less: "s2 <=_r s1" + assumes pc: "pc < length \" + assumes s1: "s1 \ A" + assumes s2: "s2 \ A" + shows "wtc c pc s2 <=_r wtc c pc s1" (is "?s2' <=_r ?s1'") +proof (cases "c!pc = \") + case True + moreover have "wti c pc s2 <=_r wti c pc s1" by (rule wti_mono) + ultimately show ?thesis by (simp add: wtc) next - case (Some s') - with wtl obtain - wti: "wtl_inst cert f r step pc (Some s') = OK s1'" and - s': "OK s1 \|r OK (Some s')" - by (auto simp add: wtl_cert_def split: split_if_asm) - from esl have order: "order (Opt.le r)" by simp - hence "order (Err.le (Opt.le r))" by simp - with less s' have "OK s2 \|r OK (Some s')" by - (drule order_trans) - with Some wti order show ?thesis by (simp add: wtl_cert_def) + case False + have "?s1' = \ \ ?thesis" by simp + moreover { + assume "?s1' \ \" + with False have c: "s1 <=_r c!pc" by (simp add: wtc split: split_if_asm) + with less have "s2 <=_r c!pc" .. + with False c have ?thesis by (simp add: wtc) + } + ultimately show ?thesis by (cases "?s1' = \") auto qed -lemma stable_wtl: - assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" - assumes fits: "fits step cert phi" - assumes pc: "pc < length phi" - assumes bounded: "bounded step (length phi)" - assumes esl: "err_semilat (A, r, f)" - assumes cert_ok: "cert_ok cert (length phi) A" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - assumes pres: "pres_type step (length phi) (err (opt A))" - shows "wtl_inst cert f r step pc (phi!pc) \ Err" +lemma (in lbv) top_le_conv [simp]: + "\ <=_r x = (x = \)" + by (insert semilat) (simp add: top top_le_conv) + +lemma (in lbv) neq_top [simp, elim]: + "\ x <=_r y; y \ \ \ \ x \ \" + by (cases "x = T") auto + + +lemma (in lbvc) stable_wti: + assumes stable: "stable r step \ pc" + assumes pc: "pc < length \" + shows "wti c pc (\!pc) \ \" proof - - from esl have order: "order (Opt.le r)" by simp - - let ?step = "step pc (OK (phi!pc))" - from pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp + let ?step = "step pc (\!pc)" from stable - have less: "\(q,s')\set ?step. s' \|r (map OK phi!q)" - by (simp add: stable_def) + have less: "\(q,s')\set ?step. s' <=_r \!q" by (simp add: stable_def) - from cert_ok pc - have cert_suc: "OK (cert!Suc pc) \ err (opt A)" by (auto dest: cert_okD3) + from cert pc + have cert_suc: "c!Suc pc \ A" by - (rule cert_okD3) moreover - from phi_ok pc - have "OK (phi!pc) \ err (opt A)" by simp + from phi pc have "\!pc \ A" by simp with pres pc - have stepA: "\(pc',s') \ set ?step. s' \ err (opt A)" - by (blast dest: pres_typeD) + have stepA: "snd`set ?step \ A" by - (rule pres_typeD2) ultimately - have "merge cert f r pc ?step (OK (cert!Suc pc)) = - (if \(pc',s')\set ?step. pc'\pc+1 \ s' \|r (OK (cert!pc')) - then map snd [(p',t')\?step.p'=pc+1] ++|f (OK (cert!Suc pc)) - else Err)" using esl by - (rule merge_def) + have "merge c pc ?step (c!Suc pc) = + (if \(pc',s')\set ?step. pc'\pc+1 \ s' <=_r c!pc' + then map snd [(p',t')\?step.p'=pc+1] ++_f c!Suc pc + else \)" by (rule merge_def) moreover { fix pc' s' assume s': "(pc', s') \ set ?step" and suc_pc: "pc' \ pc+1" - from bounded pc s' have pc': "pc' < length phi" by (rule boundedD) - hence [simp]: "map OK phi ! pc' = OK (phi!pc')" by simp - with s' less have "s' \|r OK (phi!pc')" by auto - also from fits s' suc_pc pc pc' - have "cert!pc' = phi!pc'" by (rule fitsD) - hence "phi!pc' = cert!pc'" .. - finally have "s' \|r (OK (cert!pc'))" . - } hence "\(pc',s')\set ?step. pc'\pc+1 \ s' \|r (OK (cert!pc'))" by auto + with less have "s' <=_r \!pc'" by auto + also + from bounded pc s' have "pc' < length \" by (rule boundedD) + with s' suc_pc pc have "c!pc' = \!pc'" .. + hence "\!pc' = c!pc'" .. + finally have "s' <=_r c!pc'" . + } hence "\(pc',s')\set ?step. pc'\pc+1 \ s' <=_r c!pc'" by auto moreover - from pc have "Suc pc = length phi \ Suc pc < length phi" by auto - hence "(map snd [(p',t')\?step.p'=pc+1] ++|f (OK (cert!Suc pc))) \ Err" - (is "(?map ++|f _) \ _") + from pc have "Suc pc = length \ \ Suc pc < length \" by auto + hence "map snd [(p',t')\?step.p'=pc+1] ++_f c!Suc pc \ \" + (is "?map ++_f _ \ _") proof (rule disjE) - assume pc': "Suc pc = length phi" - with cert_ok have "cert!Suc pc = None" by (simp add: cert_okD2) + assume pc': "Suc pc = length \" + with cert have "c!Suc pc = \" by (simp add: cert_okD2) moreover - from pc' bounded pc + from pc' bounded pc have "\(p',t')\set ?step. p'\pc+1" by clarify (drule boundedD, auto) hence "[(p',t')\?step.p'=pc+1] = []" by (blast intro: filter_False) hence "?map = []" by simp - ultimately show ?thesis by simp + ultimately show ?thesis by (simp add: B_neq_T) next - assume pc': "Suc pc < length phi" - hence [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp - from esl - have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))" - by (simp add: Err.sl_def) - moreover - from pc' phi_ok - have "OK (phi!Suc pc) \ err (opt A)" by simp + assume pc': "Suc pc < length \" + from pc' phi have "\!Suc pc \ A" by simp moreover note cert_suc moreover from stepA - have "snd`(set ?step) \ err (opt A)" by auto - hence "set ?map \ err (opt A)" by auto + have "set ?map \ A" by auto moreover have "\s. s \ set ?map \ \t. (Suc pc, t) \ set ?step" by auto - with less have "\s' \ set ?map. s' \|r OK (phi!Suc pc)" by auto + with less have "\s' \ set ?map. s' <=_r \!Suc pc" by auto moreover - from order fits pc' - have "OK (cert!Suc pc) \|r OK (phi!Suc pc)" - by (cases "cert!Suc pc") (simp, blast dest: fitsD2) + from pc' have "c!Suc pc <=_r \!Suc pc" + by (cases "c!Suc pc = \") (auto dest: cert_approx) ultimately - have "?map ++|f OK (cert!Suc pc) \|r OK (phi!Suc pc)" - by (rule semilat.pp_lub) - thus ?thesis by auto + have "?map ++_f c!Suc pc <=_r \!Suc pc" by (rule pp_lub) + moreover + from pc' phi have "\!Suc pc \ \" by simp + ultimately + show ?thesis by auto qed ultimately - have "merge cert f r pc ?step (OK (cert!Suc pc)) \ Err" by simp - thus ?thesis by (simp add: wtl_inst_def) + have "merge c pc ?step (c!Suc pc) \ \" by simp + thus ?thesis by (simp add: wti) qed -lemma stable_cert: - assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" - assumes fits: "fits step cert phi" - assumes pc: "pc < length phi" - assumes bounded: "bounded step (length phi)" - assumes esl: "err_semilat (A, r, f)" - assumes cert_ok: "cert_ok cert (length phi) A" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - assumes pres: "pres_type step (length phi) (err (opt A))" - shows "wtl_cert cert f r step pc (phi!pc) \ Err" +lemma (in lbvc) wti_less: + assumes stable: "stable r step \ pc" + assumes suc_pc: "Suc pc < length \" + shows "wti c pc (\!pc) <=_r \!Suc pc" (is "?wti <=_r _") proof - - have wtl: "wtl_inst cert f r step pc (phi!pc) \ Err" by (rule stable_wtl) - show ?thesis - proof (cases "cert!pc") - case None with wtl show ?thesis by (simp add: wtl_cert_def) - next - case (Some s) - with pc fits have "cert!pc = phi!pc" by - (rule fitsD2) - with Some have "phi!pc = Some s" by simp - with Some wtl esl show ?thesis by (simp add: wtl_cert_def) - qed -qed - - -lemma wtl_less: - assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" - assumes wtl: "wtl_inst cert f r step pc (phi!pc) = OK s" - assumes fits: "fits step cert phi" - assumes suc_pc: "Suc pc < length phi" - assumes bounded: "bounded step (length phi)" - assumes esl: "err_semilat (A, r, f)" - assumes cert_ok: "cert_ok cert (length phi) A" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - assumes pres: "pres_type step (length phi) (err (opt A))" - shows "OK s \|r OK (phi!Suc pc)" -proof - - from esl have order: "order (Opt.le r)" by simp + let ?step = "step pc (\!pc)" - let ?step = "step pc (OK (phi!pc))" - from suc_pc have [simp]: "map OK phi ! pc = OK (phi!pc)" by simp - from suc_pc have [simp]: "map OK phi ! Suc pc = OK (phi!Suc pc)" by simp - from suc_pc have pc: "pc < length phi" by simp - - from stable - have less: "\(q,s')\set ?step. s' \|r (map OK phi!q)" - by (simp add: stable_def) - - from cert_ok pc - have cert_suc: "OK (cert!Suc pc) \ err (opt A)" by (auto dest: cert_okD3) + from stable + have less: "\(q,s')\set ?step. s' <=_r \!q" by (simp add: stable_def) + + from suc_pc have pc: "pc < length \" by simp + with cert have cert_suc: "c!Suc pc \ A" by - (rule cert_okD3) moreover - from phi_ok pc - have "OK (phi!pc) \ err (opt A)" by simp - with pres pc - have stepA: "\(pc',s') \ set ?step. s' \ err (opt A)" - by (blast dest: pres_typeD) + from phi pc have "\!pc \ A" by simp + with pres pc have stepA: "snd`set ?step \ A" by - (rule pres_typeD2) + moreover + from stable pc have "?wti \ \" by (rule stable_wti) + hence "merge c pc ?step (c!Suc pc) \ \" by (simp add: wti) ultimately - have "merge cert f r pc ?step (OK (cert!Suc pc)) = - (if \(pc',s')\set ?step. pc'\pc+1 \ s' \|r (OK (cert!pc')) - then map snd [(p',t')\?step.p'=pc+1] ++|f (OK (cert!Suc pc)) - else Err)" using esl by - (rule merge_def) - with wtl have - "OK s = (map snd [(p',t')\?step.p'=pc+1] ++|f (OK (cert!Suc pc)))" - (is "_ = (?map ++|f _)" is "_ = ?sum") - by (simp add: wtl_inst_def split: split_if_asm) + have "merge c pc ?step (c!Suc pc) = + map snd [(p',t')\?step.p'=pc+1] ++_f c!Suc pc" by (rule merge_not_top_s) + hence "?wti = \" (is "_ = (?map ++_f _)" is "_ = ?sum") by (simp add: wti) also { - from esl - have "semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))" - by (simp add: Err.sl_def) - moreover - from suc_pc phi_ok - have "OK (phi!Suc pc) \ err (opt A)" by simp + from suc_pc phi have "\!Suc pc \ A" by simp moreover note cert_suc - moreover from stepA - have "snd`(set ?step) \ err (opt A)" by auto - hence "set ?map \ err (opt A)" by auto + moreover from stepA have "set ?map \ A" by auto moreover have "\s. s \ set ?map \ \t. (Suc pc, t) \ set ?step" by auto - with less have "\s' \ set ?map. s' \|r OK (phi!Suc pc)" by auto + with less have "\s' \ set ?map. s' <=_r \!Suc pc" by auto moreover - from order fits suc_pc - have "OK (cert!Suc pc) \|r OK (phi!Suc pc)" - by (cases "cert!Suc pc") (simp, blast dest: fitsD2) + from suc_pc have "c!Suc pc <=_r \!Suc pc" + by (cases "c!Suc pc = \") (auto dest: cert_approx) ultimately - have "?sum \|r OK (phi!Suc pc)" by (rule semilat.pp_lub) + have "?sum <=_r \!Suc pc" by (rule pp_lub) } finally show ?thesis . qed +lemma (in lbvc) stable_wtc: + assumes stable: "stable r step phi pc" + assumes pc: "pc < length \" + shows "wtc c pc (\!pc) \ \" +proof - + have wti: "wti c pc (\!pc) \ \" by (rule stable_wti) + show ?thesis + proof (cases "c!pc = \") + case True with wti show ?thesis by (simp add: wtc) + next + case False + with pc have "c!pc = \!pc" .. + with False wti show ?thesis by (simp add: wtc) + qed +qed -lemma cert_less: - assumes stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" - assumes cert: "wtl_cert cert f r step pc (phi!pc) = OK s" - assumes fits: "fits step cert phi" - assumes suc_pc: "Suc pc < length phi" - assumes bounded: "bounded step (length phi)" - assumes esl: "err_semilat (A, r, f)" - assumes cert_ok: "cert_ok cert (length phi) A" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - assumes pres: "pres_type step (length phi) (err (opt A))" - shows "OK s \|r OK (phi!Suc pc)" -proof (cases "cert!pc") - case None with cert - have "wtl_inst cert f r step pc (phi!pc) = OK s" by (simp add: wtl_cert_def) - thus ?thesis by - (rule wtl_less) +lemma (in lbvc) wtc_less: + assumes stable: "stable r step \ pc" + assumes suc_pc: "Suc pc < length \" + shows "wtc c pc (\!pc) <=_r \!Suc pc" (is "?wtc <=_r _") +proof (cases "c!pc = \") + case True + moreover have "wti c pc (\!pc) <=_r \!Suc pc" by (rule wti_less) + ultimately show ?thesis by (simp add: wtc) next - case (Some s') with cert - have "wtl_inst cert f r step pc (Some s') = OK s" - by (simp add: wtl_cert_def split: split_if_asm) - also - from suc_pc have "pc < length phi" by simp - with fits Some have "cert!pc = phi!pc" by - (rule fitsD2) - with Some have "Some s' = phi!pc" by simp - finally - have "wtl_inst cert f r step pc (phi!pc) = OK s" . - thus ?thesis by - (rule wtl_less) + case False + from suc_pc have pc: "pc < length \" by simp + hence "?wtc \ \" by - (rule stable_wtc) + with False have "?wtc = wti c pc (c!pc)" + by (unfold wtc) (simp split: split_if_asm) + also from pc False have "c!pc = \!pc" .. + finally have "?wtc = wti c pc (\!pc)" . + also have "wti c pc (\!pc) <=_r \!Suc pc" by (rule wti_less) + finally show ?thesis . qed - -lemma wt_step_wtl_lemma: - assumes wt_step: "wt_step (Err.le (Opt.le r)) Err step (map OK phi)" - assumes fits: "fits step cert phi" - assumes bounded: "bounded step (length phi)" - assumes esl: "err_semilat (A, r, f)" - assumes cert_ok: "cert_ok cert (length phi) A" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - assumes pres: "pres_type step (length phi) (err (opt A))" - assumes mono: "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))" - shows "\pc s. pc+length ins = length phi \ OK s \|r OK (phi!pc) \ s \ opt A \ - wtl_inst_list ins cert f r step pc s \ Err" - (is "\pc s. _ \ _ \ _ \ ?wtl ins pc s \ Err") -proof (induct ins) - fix pc s show "?wtl [] pc s \ Err" by simp +lemma (in lbvc) wt_step_wtl_lemma: + assumes wt_step: "wt_step r \ step \" + shows "\pc s. pc+length ls = length \ \ s <=_r \!pc \ s \ A \ s\\ \ + wtl ls c pc s \ \" + (is "\pc s. _ \ _ \ _ \ _ \ ?wtl ls pc s \ _") +proof (induct ls) + fix pc s assume "s\\" thus "?wtl [] pc s \ \" by simp next - fix pc s i ins - assume "\pc s. pc+length ins=length phi \ OK s \|r OK (phi!pc) \ s \ opt A \ - ?wtl ins pc s \ Err" + fix pc s i ls + assume "\pc s. pc+length ls=length \ \ s <=_r \!pc \ s \ A \ s\\ \ + ?wtl ls pc s \ \" moreover - assume pc_l: "pc + length (i#ins) = length phi" - hence suc_pc_l: "Suc pc + length ins = length phi" by simp + assume pc_l: "pc + length (i#ls) = length \" + hence suc_pc_l: "Suc pc + length ls = length \" by simp ultimately - have IH: - "\s. OK s \|r OK (phi!Suc pc) \ s \ opt A \ ?wtl ins (Suc pc) s \ Err" . + have IH: "\s. s <=_r \!Suc pc \ s \ A \ s \ \ \ ?wtl ls (Suc pc) s \ \" . - from pc_l obtain pc: "pc < length phi" by simp - with wt_step - have stable: "stable (Err.le (Opt.le r)) step (map OK phi) pc" - by (simp add: wt_step_def) + from pc_l obtain pc: "pc < length \" by simp + with wt_step have stable: "stable r step \ pc" by (simp add: wt_step_def) moreover - assume s_phi: "OK s \|r OK (phi!pc)" + assume s_phi: "s <=_r \!pc" ultimately - have "wtl_cert cert f r step pc (phi!pc) \ Err" by - (rule stable_cert) - then obtain s'' where s'': "wtl_cert cert f r step pc (phi!pc) = OK s''" by fast + have wt_phi: "wtc c pc (\!pc) \ \" by - (rule stable_wtc) + + from phi pc have phi_pc: "\!pc \ A" by simp moreover - from phi_ok pc - have phi_pc: "phi!pc \ opt A" by simp - moreover - assume s: "s \ opt A" + assume s: "s \ A" ultimately - obtain s' where "wtl_cert cert f r step pc s = OK s'" - by - (drule wtl_cert_mono, assumption+, blast) - hence "ins = [] \ ?wtl (i#ins) pc s \ Err" by simp + have wt_s_phi: "wtc c pc s <=_r wtc c pc (\!pc)" using s_phi by - (rule wtc_mono) + with wt_phi have wt_s: "wtc c pc s \ \" by simp + moreover + assume s: "s \ \" + ultimately + have "ls = [] \ ?wtl (i#ls) pc s \ \" by simp moreover { - assume "ins \ []" - with pc_l have suc_pc: "Suc pc < length phi" by (auto simp add: neq_Nil_conv) - with stable s'' have "OK s'' \|r OK (phi!Suc pc)" by - (rule cert_less) + assume "ls \ []" + with pc_l have suc_pc: "Suc pc < length \" by (auto simp add: neq_Nil_conv) + with stable have "wtc c pc (phi!pc) <=_r \!Suc pc" by (rule wtc_less) + with wt_s_phi have "wtc c pc s <=_r \!Suc pc" by (rule trans_r) moreover - from s'' s_phi obtain s' where - cert: "wtl_cert cert f r step pc s = OK s'" and - "OK s' \|r OK s''" - using phi_pc - by - (drule wtl_cert_mono, assumption+, blast) - moreover from esl have "order (Err.le (Opt.le r))" by simp - ultimately have less: "OK s' \|r OK (phi!Suc pc)" by - (rule order_trans) - - from cert_ok suc_pc have "cert!pc \ opt A" and "cert!(pc+1) \ opt A" + from cert suc_pc have "c!pc \ A" "c!(pc+1) \ A" by (auto simp add: cert_ok_def) - with s cert pres have "s' \ opt A" by - (rule wtl_cert_pres) - - with less IH have "?wtl ins (Suc pc) s' \ Err" by blast - with cert have "?wtl (i#ins) pc s \ Err" by simp + with pres have "wtc c pc s \ A" by (rule wtc_pres) + ultimately + have "?wtl ls (Suc pc) (wtc c pc s) \ \" using IH wt_s by blast + with s wt_s have "?wtl (i#ls) pc s \ \" by simp } - ultimately show "?wtl (i#ins) pc s \ Err" by (cases ins) auto + ultimately show "?wtl (i#ls) pc s \ \" by (cases ls) blast+ qed - -theorem wtl_complete: - assumes "wt_step (Err.le (Opt.le r)) Err step (map OK phi)" - assumes "OK s \|r OK (phi!0)" and "s \ opt A" - defines cert: "cert \ make_cert step phi" - - assumes "bounded step (length phi)" and "err_semilat (A, r, f)" - assumes "pres_type step (length phi) (err (opt A))" - assumes "mono (Err.le (Opt.le r)) step (length phi) (err (opt A))" - assumes "length ins = length phi" - assumes phi_ok: "\pc < length phi. phi!pc \ opt A" - - shows "wtl_inst_list ins cert f r step 0 s \ Err" -proof - + +theorem (in lbvc) wtl_complete: + assumes "wt_step r \ step \" + assumes "s <=_r \!0" and "s \ A" and "s \ \" and "length ins = length phi" + shows "wtl ins c 0 s \ \" +proof - have "0+length ins = length phi" by simp - moreover - have "fits step cert phi" by (unfold cert) (rule fits_make_cert) - moreover - from phi_ok have "cert_ok cert (length phi) A" - by (simp add: cert make_cert_def cert_ok_def nth_append) - ultimately - show ?thesis by - (rule wt_step_wtl_lemma) + thus ?thesis by - (rule wt_step_wtl_lemma) qed diff -r c2e4d9990162 -r 1dd711c6b93c src/HOL/MicroJava/BV/LBVCorrect.thy --- a/src/HOL/MicroJava/BV/LBVCorrect.thy Thu Apr 04 16:47:44 2002 +0200 +++ b/src/HOL/MicroJava/BV/LBVCorrect.thy Thu Apr 04 16:48:00 2002 +0200 @@ -1,4 +1,4 @@ -(* Title: HOL/MicroJava/BV/BVLCorrect.thy +(* ID: $Id$ Author: Gerwin Klein Copyright 1999 Technische Universitaet Muenchen @@ -8,222 +8,150 @@ theory LBVCorrect = LBVSpec + Typing_Framework: -constdefs -fits :: "'s option list \ 's certificate \ 's ebinop \ 's ord \ - 's steptype \ 's option \ 'a list \ bool" -"fits phi cert f r step s0 is \ - length phi = length is \ - (\pc s. pc < length is --> - (wtl_inst_list (take pc is) cert f r step 0 s0 = OK s \ - (case cert!pc of None => phi!pc = s - | Some t => phi!pc = Some t)))" - -make_phi :: "'s certificate \ 's ebinop \ 's ord \ - 's steptype \ 's option \ 'a list \ 's option list" -"make_phi cert f r step s0 is \ - map (\pc. case cert!pc of - None => ok_val (wtl_inst_list (take pc is) cert f r step 0 s0) - | Some t => Some t) [0..length is(]" +locale lbvc = lbv + + fixes s0 :: 'a + fixes c :: "'a list" + fixes ins :: "'b list" + fixes phi :: "'a list" ("\") + defines phi_def: + "\ \ map (\pc. if c!pc = \ then wtl (take pc ins) c 0 s0 else c!pc) + [0..length ins(]" -lemma fitsD_None [intro?]: - "\ fits phi cert f r step s0 is; pc < length is; - wtl_inst_list (take pc is) cert f r step 0 s0 = OK s; - cert!pc = None \ \ phi!pc = s" - by (auto simp add: fits_def) -lemma fitsD_Some [intro?]: - "\ fits phi cert f r step s0 is; pc < length is; - wtl_inst_list (take pc is) cert f r step 0 s0 = OK s; - cert!pc = Some t \ \ phi!pc = Some t" - by (auto simp add: fits_def) - -lemma make_phi_Some: - "pc < length is \ cert!pc = Some t \ - make_phi cert f r step s0 is ! pc = Some t" - by (simp add: make_phi_def) +lemma (in lbvc) phi_None [intro?]: + "\ pc < length ins; c!pc = \ \ \ \ ! pc = wtl (take pc ins) c 0 s0" + by (simp add: phi_def) -lemma make_phi_None: - "pc < length is \ cert!pc = None \ - make_phi cert f r step s0 is ! pc = - ok_val (wtl_inst_list (take pc is) cert f r step 0 s0)" - by (simp add: make_phi_def) +lemma (in lbvc) phi_Some [intro?]: + "\ pc < length ins; c!pc \ \ \ \ \ ! pc = c ! pc" + by (simp add: phi_def) -lemma make_phi_len: - "length (make_phi cert f r step s0 is) = length is" - by (simp add: make_phi_def) +lemma (in lbvc) phi_len [simp]: + "length \ = length ins" + by (simp add: phi_def) + -lemma exists_phi: - "\phi. fits phi cert f r step s0 is" -proof - - have "fits (make_phi cert f r step s0 is) cert f r step s0 is" - by (auto simp add: fits_def make_phi_Some make_phi_None make_phi_len - split: option.splits) - thus ?thesis by fast -qed - -lemma fits_lemma1 [intro?]: - "\wtl_inst_list is cert f r step 0 s \ Err; fits phi cert f r step s is\ - \ \pc t. pc < length is \ cert!pc = Some t \ phi!pc = Some t" -proof (intro strip) - fix pc t - assume "wtl_inst_list is cert f r step 0 s \ Err" - then obtain s'' where - "wtl_inst_list (take pc is) cert f r step 0 s = OK s''" - by (blast dest: wtl_take) - moreover - assume "fits phi cert f r step s is" - "pc < length is" "cert ! pc = Some t" - ultimately - show "phi!pc = Some t" by (auto dest: fitsD_Some) +lemma (in lbvc) wtl_suc_pc: + assumes all: "wtl ins c 0 s0 \ \" + assumes pc: "pc+1 < length ins" + shows "wtl (take (pc+1) ins) c 0 s0 <=_r \!(pc+1)" +proof - + from all pc + have "wtc c (pc+1) (wtl (take (pc+1) ins) c 0 s0) \ T" by (rule wtl_all) + with pc show ?thesis by (simp add: phi_def wtc split: split_if_asm) qed -lemma wtl_suc_pc: +lemma (in lbvc) wtl_stable: assumes - semi: "err_semilat (A,r,f)" and - all: "wtl_inst_list is cert f r step 0 s0 \ Err" and - wtl: "wtl_inst_list (take pc is) cert f r step 0 s0 = OK s'" and - cert: "wtl_cert cert f r step pc s' = OK s''" and - fits: "fits phi cert f r step s0 is" and - pc: "pc+1 < length is" - shows "OK s'' \|r OK (phi!(pc+1))" -proof - - from wtl cert pc - have wts: "wtl_inst_list (take (pc+1) is) cert f r step 0 s0 = OK s''" - by (rule wtl_Suc) - moreover - from all pc - have "\s' s''. wtl_inst_list (take (pc+1) is) cert f r step 0 s0 = OK s' \ - wtl_cert cert f r step (pc+1) s' = OK s''" - by (rule wtl_all) - ultimately - obtain x where "wtl_cert cert f r step (pc+1) s'' = OK x" by auto - hence "\t. cert!(pc+1) = Some t \ OK s'' \|r OK (cert!(pc+1))" - by (simp add: wtl_cert_def split: split_if_asm) - also from fits pc wts - have "\t. cert!(pc+1) = Some t \ cert!(pc+1) = phi!(pc+1)" - by (auto dest!: fitsD_Some) - finally have "\t. cert!(pc+1) = Some t \ OK s'' \|r OK (phi!(pc+1))" . - moreover - from fits pc wts have "cert!(pc+1) = None \ s'' = phi!(pc+1)" - by (rule fitsD_None [symmetric]) - with semi have "cert!(pc+1) = None \ OK s'' \|r OK (phi!(pc+1))" by simp - ultimately - show "OK s'' \|r OK (phi!(pc+1))" by (cases "cert!(pc+1)", blast+) -qed - -lemma wtl_stable: - assumes - semi: "err_semilat (A,r,f)" and - pres: "pres_type step (length is) (err (opt A))" and - s0_in_A: "s0 \ opt A" and - cert_ok: "cert_ok cert (length is) A" and - fits: "fits phi cert f r step s0 is" and - wtl: "wtl_inst_list is cert f r step 0 s0 \ Err" and - pc: "pc < length is" and - bounded: "bounded step (length is)" - shows "stable (Err.le (Opt.le r)) step (map OK phi) pc" + pres: "pres_type step (length ins) A" and + s0_in_A: "s0 \ A" and + cert_ok: "cert_ok c (length ins) \ \ A" and + wtl: "wtl ins c 0 s0 \ \" and + pc: "pc < length ins" and + bounded: "bounded step (length ins)" + shows "stable r step \ pc" proof (unfold stable_def, clarify) - fix pc' s' assume step: "(pc',s') \ set (step pc ((map OK phi) ! pc))" + fix pc' s' assume step: "(pc',s') \ set (step pc (\ ! pc))" (is "(pc',s') \ set (?step pc)") - from step pc bounded have pc': "pc' < length is" + from step pc bounded have pc': "pc' < length ins" by (unfold bounded_def) blast + + have tkpc: "wtl (take pc ins) c 0 s0 \ \" (is "?s1 \ _") by (rule wtl_take) + have s2: "wtl (take (pc+1) ins) c 0 s0 \ \" (is "?s2 \ _") by (rule wtl_take) - from wtl pc obtain s1 s2 where - tkpc: "wtl_inst_list (take pc is) cert f r step 0 s0 = OK s1" and - cert: "wtl_cert cert f r step pc s1 = OK s2" - by - (drule wtl_all, auto) + from wtl pc have cert: "wtc c pc ?s1 \ \" by (rule wtl_all) - have c_Some: "\pc t. pc < length is \ cert!pc = Some t \ phi!pc = Some t" .. - have c_None: "cert!pc = None \ phi!pc = s1" .. + have c_Some: "\pc t. pc < length ins \ c!pc \ \ \ \!pc = c!pc" + by (simp add: phi_def) + have c_None: "c!pc = \ \ \!pc = ?s1" .. - from cert pc c_None c_Some - have inst: "wtl_inst cert f r step pc (phi!pc) = OK s2" - by (simp add: wtl_cert_def split: option.splits split_if_asm) - - from semi have "order (Err.le (Opt.le r))" by simp note order_trans [OF this, trans] - - from pc fits have [simp]: "map OK phi!pc = OK (phi!pc)" by (simp add: fits_def) - from pc' fits have [simp]: "map OK phi!pc' = OK (phi!pc')" by (simp add: fits_def) + from cert pc c_None c_Some + have inst: "wtc c pc ?s1 = wti c pc (\!pc)" + by (simp add: wtc split: split_if_asm) - have "s1 \ opt A" by (rule wtl_inst_list_pres) + have "?s1 \ A" by (rule wtl_pres) with pc c_Some cert_ok c_None - have "phi!pc \ opt A" by (cases "cert!pc") (auto dest: cert_okD1) + have "\!pc \ A" by (cases "c!pc = \") (auto dest: cert_okD1) with pc pres - have step_in_A: "\(pc',s') \ set (?step pc). s' \ err (opt A)" - by (auto dest: pres_typeD) + have step_in_A: "snd`set (?step pc) \ A" by (auto dest: pres_typeD2) - show "s' \|r (map OK phi) ! pc'" + show "s' <=_r \!pc'" proof (cases "pc' = pc+1") case True with pc' cert_ok - have cert_in_A: "OK (cert!(pc+1)) \ err (opt A)" by (auto dest: cert_okD1) - from inst - have ok: "OK s2 = merge cert f r pc (?step pc) (OK (cert!(pc+1)))" - by (simp add: wtl_inst_def) + have cert_in_A: "c!(pc+1) \ A" by (auto dest: cert_okD1) + from True pc' have pc1: "pc+1 < length ins" by simp + with tkpc have "?s2 = wtc c pc ?s1" by - (rule wtl_Suc) + with inst + have merge: "?s2 = merge c pc (?step pc) (c!(pc+1))" by (simp add: wti) also - have "\ = (map snd [(p',t')\?step pc. p'=pc+1] ++|f (OK (cert!(pc+1))))" - using cert_in_A step_in_A semi ok - by - (drule merge_def, auto split: split_if_asm) + from s2 merge have "\ \ \" (is "?merge \ _") by simp + with cert_in_A step_in_A + have "?merge = (map snd [(p',t')\?step pc. p'=pc+1] ++_f (c!(pc+1)))" + by (rule merge_not_top_s) finally - have "s' \|r OK s2" - using semi step_in_A cert_in_A True step by (auto intro: ub1') + have "s' <=_r ?s2" using step_in_A cert_in_A True step + by (auto intro: pp_ub1') also - from True pc' have "pc+1 < length is" by simp - with semi wtl tkpc cert fits - have "OK s2 \|r (OK (phi ! (pc+1)))" by (rule wtl_suc_pc) + from wtl pc1 have "?s2 <=_r \!(pc+1)" by (rule wtl_suc_pc) also note True [symmetric] - finally show ?thesis by simp + finally show ?thesis by simp next case False - from inst - have "\(pc', s')\set (?step pc). pc'\pc+1 \ s' \|r OK (cert!pc')" - by (unfold wtl_inst_def) (rule merge_ok, simp) + from cert inst + have "merge c pc (?step pc) (c!(pc+1)) \ \" by (simp add: wti) + with step_in_A + have "\(pc', s')\set (?step pc). pc'\pc+1 \ s' <=_r c!pc'" + by - (rule merge_not_top) with step False - have ok: "s' \|r (OK (cert!pc'))" by blast + have ok: "s' <=_r c!pc'" by blast moreover from ok - have "cert!pc' = None \ s' = OK None" by auto + have "c!pc' = \ \ s' = \" by simp moreover from c_Some pc' - have "cert!pc' \ None \ phi!pc' = cert!pc'" by auto + have "c!pc' \ \ \ \!pc' = c!pc'" by auto ultimately - show ?thesis by auto + show ?thesis by (cases "c!pc' = \") auto qed qed + +lemma (in lbvc) phi_not_top: + assumes wtl: "wtl ins c 0 s0 \ \" + assumes crt: "cert_ok c (length ins) \ \ A" + assumes pc: "pc < length ins" + shows "\!pc \ \" +proof (cases "c!pc = \") + case False with pc + have "\!pc = c!pc" .. + also from crt pc have "\ \ \" by (rule cert_okD4) + finally show ?thesis . +next + case True with pc + have "\!pc = wtl (take pc ins) c 0 s0" .. + also from wtl have "\ \ \" by (rule wtl_take) + finally show ?thesis . +qed + -lemma wtl_fits: - "wtl_inst_list is cert f r step 0 s0 \ Err \ - fits phi cert f r step s0 is \ - err_semilat (A,r,f) \ - bounded step (length is) \ - pres_type step (length is) (err (opt A)) \ - s0 \ opt A \ - cert_ok cert (length is) A \ - wt_step (Err.le (Opt.le r)) Err step (map OK phi)" - apply (unfold wt_step_def) - apply (intro strip) - apply (rule conjI, simp) - apply (rule wtl_stable) - apply assumption+ - apply (simp add: fits_def) - apply assumption - done - - -theorem wtl_sound: - assumes "wtl_inst_list is cert f r step 0 s0 \ Err" - assumes "err_semilat (A,r,f)" and "bounded step (length is)" - assumes "s0 \ opt A" and "cert_ok cert (length is) A" - assumes "pres_type step (length is) (err (opt A))" - shows "\ts. wt_step (Err.le (Opt.le r)) Err step ts" -proof - - obtain phi where "fits phi cert f r step s0 is" by (insert exists_phi) fast - have "wt_step (Err.le (Opt.le r)) Err step (map OK phi)" by (rule wtl_fits) - thus ?thesis .. +theorem (in lbvc) wtl_sound: + assumes "wtl ins c 0 s0 \ \" + assumes "bounded step (length ins)" + assumes "s0 \ A" and "cert_ok c (length ins) \ \ A" + assumes "pres_type step (length ins) A" + shows "\ts. wt_step r \ step ts" +proof - + have "wt_step r \ step \" + proof (unfold wt_step_def, intro strip conjI) + fix pc assume "pc < length \" + then obtain "pc < length ins" by simp + show "\!pc \ \" by (rule phi_not_top) + show "stable r step \ pc" by (rule wtl_stable) + qed + thus ?thesis .. qed - -end +end \ No newline at end of file diff -r c2e4d9990162 -r 1dd711c6b93c src/HOL/MicroJava/BV/LBVSpec.thy --- a/src/HOL/MicroJava/BV/LBVSpec.thy Thu Apr 04 16:47:44 2002 +0200 +++ b/src/HOL/MicroJava/BV/LBVSpec.thy Thu Apr 04 16:48:00 2002 +0200 @@ -8,252 +8,272 @@ theory LBVSpec = SemilatAlg + Opt: - -syntax - "@lesuberropt" :: "'a option err \ 'a ord \ 'a option err \ 'a option err ord" - ("_ \|_ _" [50,50,51] 50) - - "@superropt" :: "'a option err \ 'a ebinop \ 'a option err \ 'a option err binop" - ("_ +|_ _" [50,50,51] 50) - - "@supsuperropt" :: "'a option err list \ 'a ebinop \ 'a option err \ 'a option err binop" - ("_ ++|_ _" [50,50,51] 50) - -translations - "a \|r b" == "a <=_(Err.le (Opt.le r)) b" - "a +|f b" == "a +_(Err.lift2 (Opt.sup f)) b" - "a ++|f b" == "a ++_(Err.lift2 (Opt.sup f)) b" - - types - 's certificate = "'s option list" - 's steptype = "'s option err step_type" + 's certificate = "'s list" consts -merge :: "'s certificate \ 's ebinop \ 's ord \ nat \ - (nat \ 's option err) list \ 's option err \ 's option err" +merge :: "'s certificate \ 's binop \ 's ord \ 's \ nat \ (nat \ 's) list \ 's \ 's" primrec -"merge cert f r pc [] x = x" -"merge cert f r pc (s#ss) x = (let (pc',s') = s in - merge cert f r pc ss (if pc'=pc+1 then (s' +|f x) - else if s' \|r (OK (cert!pc')) then x - else Err))" +"merge cert f r T pc [] x = x" +"merge cert f r T pc (s#ss) x = merge cert f r T pc ss (let (pc',s') = s in + if pc'=pc+1 then s' +_f x + else if s' <=_r (cert!pc') then x + else T)" constdefs -wtl_inst :: "'s certificate \ 's ebinop \ 's ord \ - 's steptype \ nat \ 's option \ 's option err" -"wtl_inst cert f r step pc s \ merge cert f r pc (step pc (OK s)) (OK (cert!(pc+1)))" +wtl_inst :: "'s certificate \ 's binop \ 's ord \ 's \ + 's step_type \ nat \ 's \ 's" +"wtl_inst cert f r T step pc s \ merge cert f r T pc (step pc s) (cert!(pc+1))" -wtl_cert :: "'s certificate \ 's ebinop \ 's ord \ - 's steptype \ nat \ 's option \ 's option err" -"wtl_cert cert f r step pc s \ - case cert!pc of - None \ wtl_inst cert f r step pc s - | Some s' \ if OK s \|r (OK (Some s')) then wtl_inst cert f r step pc (Some s') else Err" +wtl_cert :: "'s certificate \ 's binop \ 's ord \ 's \ 's \ + 's step_type \ nat \ 's \ 's" +"wtl_cert cert f r T B step pc s \ + if cert!pc = B then + wtl_inst cert f r T step pc s + else + if s <=_r (cert!pc) then wtl_inst cert f r T step pc (cert!pc) else T" consts -wtl_inst_list :: "'a list \ 's certificate \ 's ebinop \ 's ord \ - 's steptype \ nat \ 's option \ 's option err" +wtl_inst_list :: "'a list \ 's certificate \ 's binop \ 's ord \ 's \ 's \ + 's step_type \ nat \ 's \ 's" primrec -"wtl_inst_list [] cert f r step pc s = OK s" -"wtl_inst_list (i#ins) cert f r step pc s = - (let s' = wtl_cert cert f r step pc s in - strict (wtl_inst_list ins cert f r step (pc+1)) s')" - +"wtl_inst_list [] cert f r T B step pc s = s" +"wtl_inst_list (i#ins) cert f r T B step pc s = + (let s' = wtl_cert cert f r T B step pc s in + if s' = T \ s = T then T else wtl_inst_list ins cert f r T B step (pc+1) s')" constdefs - cert_ok :: "'s certificate \ nat \ 's set \ bool" - "cert_ok cert n A \ (\i < n. cert!i \ opt A) \ (cert!n = None)" + cert_ok :: "'s certificate \ nat \ 's \ 's \ 's set \ bool" + "cert_ok cert n T B A \ (\i < n. cert!i \ A \ cert!i \ T) \ (cert!n = B)" + +constdefs + bottom :: "'a ord \ 'a \ bool" + "bottom r B \ \x. B <=_r x" + + +locale lbv = semilat + + fixes T :: "'a" ("\") + fixes B :: "'a" ("\") + fixes step :: "'a step_type" + assumes top: "top r \" + assumes T_A: "\ \ A" + assumes bot: "bottom r \" + assumes B_A: "\ \ A" + + fixes merge :: "'a certificate \ nat \ (nat \ 'a) list \ 'a \ 'a" + defines mrg_def: "merge cert \ LBVSpec.merge cert f r \" -lemma cert_okD1: - "cert_ok cert n A \ pc < n \ cert!pc \ opt A" + fixes wti :: "'a certificate \ nat \ 'a \ 'a" + defines wti_def: "wti cert \ wtl_inst cert f r \ step" + + fixes wtc :: "'a certificate \ nat \ 'a \ 'a" + defines wtc_def: "wtc cert \ wtl_cert cert f r \ \ step" + + fixes wtl :: "'b list \ 'a certificate \ nat \ 'a \ 'a" + defines wtl_def: "wtl ins cert \ wtl_inst_list ins cert f r \ \ step" + + +lemma (in lbv) wti: + "wti c pc s \ merge c pc (step pc s) (c!(pc+1))" + by (simp add: wti_def mrg_def wtl_inst_def) + +lemma (in lbv) wtc: + "wtc c pc s \ if c!pc = \ then wti c pc s else if s <=_r c!pc then wti c pc (c!pc) else \" + by (unfold wtc_def wti_def wtl_cert_def) + + +lemma cert_okD1 [intro?]: + "cert_ok c n T B A \ pc < n \ c!pc \ A" by (unfold cert_ok_def) fast -lemma cert_okD2: - "cert_ok cert n A \ cert!n = None" +lemma cert_okD2 [intro?]: + "cert_ok c n T B A \ c!n = B" by (simp add: cert_ok_def) -lemma cert_okD3: - "cert_ok cert n A \ pc < n \ cert!Suc pc \ opt A" +lemma cert_okD3 [intro?]: + "cert_ok c n T B A \ B \ A \ pc < n \ c!Suc pc \ A" by (drule Suc_leI) (auto simp add: le_eq_less_or_eq dest: cert_okD1 cert_okD2) +lemma cert_okD4 [intro?]: + "cert_ok c n T B A \ pc < n \ c!pc \ T" + by (simp add: cert_ok_def) declare Let_def [simp] section "more semilattice lemmas" -(* -lemma sup_top [simp]: - assumes sl: "semilat (A,r,f)" - assumes set: "x \ A" "t \ A" - assumes top: "top r t" - shows "x +_f t = t" + +lemma (in lbv) sup_top [simp, elim]: + assumes x: "x \ A" + shows "x +_f \ = \" proof - - from sl have "order r" .. - moreover from top have "x +_f t <=_r t" .. - moreover from sl set have "t <=_r x +_f t" by simp - ultimately show ?thesis by (rule order_antisym) + from top have "x +_f \ <=_r \" .. + moreover from x have "\ <=_r x +_f \" .. + ultimately show ?thesis .. qed -lemma plusplussup_top: - "semilat (A,r,f) \ top r Err \ set xs \ A \ Err \ A \ xs ++_f Err = Err" +lemma (in lbv) plusplussup_top [simp, elim]: + "set xs \ A \ xs ++_f \ = \" by (induct xs) auto -*) + + -lemma err_semilatDorderI [simp, intro]: - "err_semilat (A,r,f) \ order r" - apply (simp add: Err.sl_def) - apply (rule order_le_err [THEN iffD1]) - apply (rule semilat.orderI) - apply assumption - done +lemma (in semilat) pp_ub1': + assumes S: "snd`set S \ A" + assumes y: "y \ A" and ab: "(a, b) \ set S" + shows "b <=_r map snd [(p', t')\S . p' = a] ++_f y" +proof - + from S have "\(x,y) \ set S. y \ A" by auto + with semilat y ab show ?thesis by - (rule ub1') +qed -lemma err_opt_semilat [simp,elim]: - "err_semilat (A,r,f) \ semilat (err (opt A), Err.le (Opt.le r), lift2 (Opt.sup f))" -proof - - assume "err_semilat (A,r,f)" - hence "err_semilat (Opt.esl (A,r,f))" .. - thus ?thesis by (simp add: Err.sl_def Opt.esl_def) -qed +lemma (in lbv) bottom_le [simp, intro]: + "\ <=_r x" + by (insert bot) (simp add: bottom_def) -lemma plusplus_erropt_Err [simp]: - "xs ++|f Err = Err" - by (induct xs) auto +lemma (in lbv) le_bottom [simp]: + "x <=_r \ = (x = \)" + by (blast intro: antisym_r) + section "merge" -lemma merge_Err [simp]: - "merge cert f r pc ss Err = Err" +lemma (in lbv) merge_Nil [simp]: + "merge c pc [] x = x" by (simp add: mrg_def) + +lemma (in lbv) merge_Cons [simp]: + "merge c pc (l#ls) x = merge c pc ls (if fst l=pc+1 then snd l +_f x + else if snd l <=_r (c!fst l) then x + else \)" + by (simp add: mrg_def split_beta) + +lemma (in lbv) merge_Err [simp]: + "snd`set ss \ A \ merge c pc ss \ = \" by (induct ss) auto -lemma merge_ok: - "\x. merge cert f r pc ss x = OK s \ - \(pc',s') \ set ss. (pc' \ pc+1 \ s' \|r (OK (cert!pc')))" - (is "\x. ?merge ss x \ ?P ss") +lemma (in lbv) merge_not_top: + "\x. snd`set ss \ A \ merge c pc ss x \ \ \ + \(pc',s') \ set ss. (pc' \ pc+1 \ s' <=_r (c!pc'))" + (is "\x. ?set ss \ ?merge ss x \ ?P ss") proof (induct ss) show "?P []" by simp next - fix x l ls assume merge: "?merge (l#ls) x" + fix x ls l + assume "?set (l#ls)" then obtain set: "snd`set ls \ A" by simp + assume merge: "?merge (l#ls) x" moreover obtain pc' s' where [simp]: "l = (pc',s')" by (cases l) ultimately - obtain x' where "?merge ls x'" by simp - assume "\x. ?merge ls x \ ?P ls" hence "?P ls" . + obtain x' where "?merge ls x'" by simp + assume "\x. ?set ls \ ?merge ls x \ ?P ls" hence "?P ls" . moreover - from merge - have "pc' \ pc+1 \ s' \|r (OK (cert!pc'))" by (simp split: split_if_asm) + from merge set + have "pc' \ pc+1 \ s' <=_r (c!pc')" by (simp split: split_if_asm) ultimately show "?P (l#ls)" by simp qed -lemma merge_def: - assumes semi: "err_semilat (A,r,f)" +lemma (in lbv) merge_def: shows - "\x. x \ err (opt A) \ \(pc', s') \ set ss. s' \ err (opt A) \ - merge cert f r pc ss x = - (if \(pc',s') \ set ss. (pc' \ pc+1 \ s' \|r (OK (cert!pc'))) then - map snd [(p',t') \ ss. p'=pc+1] ++|f x - else Err)" + "\x. x \ A \ snd`set ss \ A \ + merge c pc ss x = + (if \(pc',s') \ set ss. pc'\pc+1 \ s' <=_r c!pc' then + map snd [(p',t') \ ss. p'=pc+1] ++_f x + else \)" (is "\x. _ \ _ \ ?merge ss x = ?if ss x" is "\x. _ \ _ \ ?P ss x") proof (induct ss) fix x show "?P [] x" by simp next - fix x assume x: "x \ err (opt A)" - fix l::"nat \ 'a option err" and ls - assume "\(pc', s') \ set (l#ls). s' \ err (opt A)" - then obtain l: "snd l \ err (opt A)" and ls: "\(pc', s') \ set ls. s' \ err (opt A)" by auto - assume "\x. x \ err (opt A) \ \(pc',s') \ set ls. s' \ err (opt A) \ ?P ls x" - hence IH: "\x. x \ err (opt A) \ ?P ls x" . + fix x assume x: "x \ A" + fix l::"nat \ 'a" and ls + assume "snd`set (l#ls) \ A" + then obtain l: "snd l \ A" and ls: "snd`set ls \ A" by auto + assume "\x. x \ A \ snd`set ls \ A \ ?P ls x" + hence IH: "\x. x \ A \ ?P ls x" . obtain pc' s' where [simp]: "l = (pc',s')" by (cases l) hence "?merge (l#ls) x = ?merge ls - (if pc'=pc+1 then s' +|f x else if s' \|r (OK (cert!pc')) then x else Err)" + (if pc'=pc+1 then s' +_f x else if s' <=_r c!pc' then x else \)" (is "?merge (l#ls) x = ?merge ls ?if'") by simp also have "\ = ?if ls ?if'" proof - - from l have "s' \ err (opt A)" by simp - with x semi have "(s' +|f x) \ err (opt A)" - by (fast intro: semilat.closedI closedD) - with x have "?if' \ err (opt A)" by auto + from l have "s' \ A" by simp + with x have "s' +_f x \ A" by simp + with x have "?if' \ A" by auto hence "?P ls ?if'" by (rule IH) thus ?thesis by simp qed also have "\ = ?if (l#ls) x" - proof (cases "\(pc', s')\set (l#ls). pc' \ pc + 1 \ s' \|r OK (cert ! pc')") + proof (cases "\(pc', s')\set (l#ls). pc'\pc+1 \ s' <=_r c!pc'") case True - hence "\(pc', s')\set ls. pc' \ pc + 1 \ s' \|r (OK (cert ! pc'))" by auto + hence "\(pc', s')\set ls. pc'\pc+1 \ s' <=_r c!pc'" by auto moreover from True have - "map snd [(p',t')\ls . p'=pc+1] ++|f ?if' = - (map snd [(p',t')\l#ls . p'=pc+1] ++|f x)" + "map snd [(p',t')\ls . p'=pc+1] ++_f ?if' = + (map snd [(p',t')\l#ls . p'=pc+1] ++_f x)" by simp ultimately show ?thesis using True by simp next - case False thus ?thesis by auto + case False + moreover + from ls have "set (map snd [(p', t')\ls . p' = Suc pc]) \ A" by auto + ultimately show ?thesis by auto qed finally show "?P (l#ls) x" . qed -lemma merge_ok_s: - assumes sl: "err_semilat (A,r,f)" - assumes x: "x \ err (opt A)" - assumes ss: "\(pc', s') \ set ss. s' \ err (opt A)" - assumes m: "merge cert f r pc ss x = OK s" - shows "merge cert f r pc ss x = (map snd [(p',t') \ ss. p'=pc+1] ++|f x)" +lemma (in lbv) merge_not_top_s: + assumes x: "x \ A" and ss: "snd`set ss \ A" + assumes m: "merge c pc ss x \ \" + shows "merge c pc ss x = (map snd [(p',t') \ ss. p'=pc+1] ++_f x)" proof - - from m have "\(pc',s') \ set ss. (pc' \ pc+1 \ s' \|r (OK (cert!pc')))" - by (rule merge_ok) - with sl x ss m show ?thesis by - (drule merge_def, auto split: split_if_asm) + from ss m have "\(pc',s') \ set ss. (pc' \ pc+1 \ s' <=_r c!pc')" + by (rule merge_not_top) + with x ss m show ?thesis by - (drule merge_def, auto split: split_if_asm) qed section "wtl-inst-list" lemmas [iff] = not_Err_eq -lemma wtl_Cons: - "wtl_inst_list (i#is) cert f r step pc s \ Err = - (\s'. wtl_cert cert f r step pc s = OK s' \ - wtl_inst_list is cert f r step (pc+1) s' \ Err)" +lemma (in lbv) wtl_Nil [simp]: "wtl [] c pc s = s" + by (simp add: wtl_def) + +lemma (in lbv) wtl_Cons [simp]: + "wtl (i#is) c pc s = + (let s' = wtc c pc s in if s' = \ \ s = \ then \ else wtl is c (pc+1) s')" + by (simp add: wtl_def wtc_def) + +lemma (in lbv) wtl_Cons_not_top: + "wtl (i#is) c pc s \ \ = + (wtc c pc s \ \ \ s \ T \ wtl is c (pc+1) (wtc c pc s) \ \)" by (auto simp del: split_paired_Ex) -lemma wtl_append: -"\s pc. (wtl_inst_list (a@b) cert f r step pc s = OK s') = - (\s''. wtl_inst_list a cert f r step pc s = OK s'' \ - wtl_inst_list b cert f r step (pc+length a) s'' = OK s')" - (is "\s pc. ?C s pc a" is "?P a") -proof (induct ?P a) - show "?P []" by simp -next - fix x xs assume IH: "?P xs" - show "?P (x#xs)" - proof (intro allI) - fix s pc - show "?C s pc (x#xs)" - proof (cases "wtl_cert cert f r step pc s") - case Err thus ?thesis by simp - next - case (OK s0) - with IH have "?C s0 (pc+1) xs" by blast - thus ?thesis by (simp!) - qed - qed -qed +lemma (in lbv) wtl_top [simp]: "wtl ls c pc \ = \" + by (cases ls) auto + +lemma (in lbv) wtl_not_top: + "wtl ls c pc s \ \ \ s \ \" + by (cases "s=\") auto -lemma wtl_take: - "wtl_inst_list is cert f r step pc s = OK s'' \ - \s'. wtl_inst_list (take pc' is) cert f r step pc s = OK s'" - (is "?wtl is = _ \ _") +lemma (in lbv) wtl_append [simp]: + "\pc s. wtl (a@b) c pc s = wtl b c (pc+length a) (wtl a c pc s)" + by (induct a) auto + +lemma (in lbv) wtl_take: + "wtl is c pc s \ \ \ wtl (take pc' is) c pc s \ \" + (is "?wtl is \ _ \ _") proof - - assume "?wtl is = OK s''" - hence "?wtl (take pc' is @ drop pc' is) = OK s''" by simp - thus ?thesis by (auto simp add: wtl_append simp del: append_take_drop_id) + assume "?wtl is \ \" + hence "?wtl (take pc' is @ drop pc' is) \ \" by simp + thus ?thesis by (auto dest!: wtl_not_top simp del: append_take_drop_id) qed lemma take_Suc: - "\n. n < length l --> take (Suc n) l = (take n l)@[l!n]" (is "?P l") + "\n. n < length l \ take (Suc n) l = (take n l)@[l!n]" (is "?P l") proof (induct l) show "?P []" by simp next @@ -266,137 +286,96 @@ qed qed -lemma wtl_Suc: - assumes "wtl_inst_list (take pc is) cert f r step 0 s = OK s'" - "wtl_cert cert f r step pc s' = OK s''" and - suc: "pc+1 < length is" - shows "wtl_inst_list (take (pc+1) is) cert f r step 0 s = OK s''" +lemma (in lbv) wtl_Suc: + assumes suc: "pc+1 < length is" + assumes wtl: "wtl (take pc is) c 0 s \ \" + shows "wtl (take (pc+1) is) c 0 s = wtc c pc (wtl (take pc is) c 0 s)" proof - from suc have "take (pc+1) is=(take pc is)@[is!pc]" by (simp add: take_Suc) - thus ?thesis by (simp! add: wtl_append min_def) + with suc wtl show ?thesis by (simp add: min_def) qed -lemma wtl_all: - assumes - all: "wtl_inst_list is cert f r step 0 s \ Err" (is "?wtl is \ _") and - pc: "pc < length is" - shows - "\s' s''. wtl_inst_list (take pc is) cert f r step 0 s = OK s' \ - wtl_cert cert f r step pc s' = OK s''" +lemma (in lbv) wtl_all: + assumes all: "wtl is c 0 s \ \" (is "?wtl is \ _") + assumes pc: "pc < length is" + shows "wtc c pc (wtl (take pc is) c 0 s) \ \" proof - from pc have "0 < length (drop pc is)" by simp then obtain i r where Cons: "drop pc is = i#r" by (auto simp add: neq_Nil_conv simp del: length_drop) hence "i#r = drop pc is" .. - with all have take: "?wtl (take pc is@i#r) \ Err" by simp + with all have take: "?wtl (take pc is@i#r) \ \" by simp from pc have "is!pc = drop pc is ! 0" by simp with Cons have "is!pc = i" by simp - with take pc show ?thesis by (auto simp add: wtl_append min_def) + with take pc show ?thesis by (auto simp add: min_def split: split_if_asm) qed section "preserves-type" -lemma merge_pres: - assumes semi: "err_semilat (A,r,f)" - assumes s0_A: "\(pc', s')\set ss. s' \ err (opt A)" - assumes x_A: "x \ err (opt A)" - assumes merge:"merge cert f r pc ss x = OK s'" - shows "s' \ opt A" +lemma (in lbv) merge_pres: + assumes s0: "snd`set ss \ A" and x: "x \ A" + shows "merge c pc ss x \ A" proof - - from s0_A - have "set (map snd [(p', t')\ss . p'=pc+1]) \ err (opt A)" by auto - with semi x_A - have "(map snd [(p', t')\ss . p'=pc+1] ++|f x) \ err (opt A)" + from s0 have "set (map snd [(p', t')\ss . p'=pc+1]) \ A" by auto + with x have "(map snd [(p', t')\ss . p'=pc+1] ++_f x) \ A" by (auto intro!: plusplus_closed) - also { - note merge - also from semi x_A s0_A - have "merge cert f r pc ss x = - (if \(pc', s')\set ss. pc' \ pc + 1 \ s' \|r (OK (cert!pc')) - then map snd [(p', t')\ss . p'=pc+1] ++|f x else Err)" - by (rule merge_def) - finally have "(map snd [(p', t')\ss . p'=pc+1] ++|f x) = OK s'" - by (simp split: split_if_asm) - } - finally show ?thesis by simp + with s0 x show ?thesis by (simp add: merge_def T_A) qed +lemma pres_typeD2: + "pres_type step n A \ s \ A \ p < n \ snd`set (step p s) \ A" + by auto (drule pres_typeD) -lemma wtl_inst_pres [intro?]: - assumes semi: "err_semilat (A,r,f)" - assumes pres: "pres_type step n (err (opt A))" - assumes cert: "cert!(pc+1) \ opt A" - assumes s_A: "s \ opt A" - assumes pc: "pc < n" - assumes wtl: "wtl_inst cert f r step pc s = OK s'" - shows "s' \ opt A" + +lemma (in lbv) wti_pres [intro?]: + assumes pres: "pres_type step n A" + assumes cert: "c!(pc+1) \ A" + assumes s_pc: "s \ A" "pc < n" + shows "wti c pc s \ A" proof - - from pres pc s_A - have "\(q, s')\set (step pc (OK s)). s' \ err (opt A)" - by (unfold pres_type_def) blast - moreover - from cert have "OK (cert!(pc+1)) \ err (opt A)" by simp - moreover - from wtl - have "merge cert f r pc (step pc (OK s)) (OK (cert!(pc+1))) = OK s'" - by (unfold wtl_inst_def) simp - ultimately - show "s' \ opt A" using semi by - (rule merge_pres) + from pres s_pc have "snd`set (step pc s) \ A" by (rule pres_typeD2) + with cert show ?thesis by (simp add: wti merge_pres) qed -lemma wtl_cert_pres: - assumes "err_semilat (A,r,f)" - assumes "pres_type step n (err (opt A))" - assumes "cert!pc \ opt A" and "cert!(pc+1) \ opt A" - assumes "s \ opt A" and "pc < n" - assumes wtc: "wtl_cert cert f r step pc s = OK s'" - shows "s' \ opt A" +lemma (in lbv) wtc_pres: + assumes "pres_type step n A" + assumes "c!pc \ A" and "c!(pc+1) \ A" + assumes "s \ A" and "pc < n" + shows "wtc c pc s \ A" proof - - have "wtl_inst cert f r step pc s = OK s' \ s' \ opt A" .. - moreover - have "wtl_inst cert f r step pc (cert!pc) = OK s' \ s' \ opt A" .. - ultimately - show ?thesis using wtc - by (unfold wtl_cert_def) (simp split: option.splits split_if_asm) + have "wti c pc s \ A" .. + moreover have "wti c pc (c!pc) \ A" .. + ultimately show ?thesis using T_A by (simp add: wtc) qed -lemma wtl_inst_list_pres: - assumes semi: "err_semilat (A,r,f)" - assumes pres: "pres_type step (length is) (err (opt A))" - assumes cert: "cert_ok cert (length is) A" - assumes s: "s \ opt A" - assumes all: "wtl_inst_list is cert f r step 0 s \ Err" - shows "\s'. pc < length is \ wtl_inst_list (take pc is) cert f r step 0 s = OK s' - \ s' \ opt A" (is "\s'. ?len pc \ ?wtl pc s' \ ?A s'") + +lemma (in lbv) wtl_pres: + assumes pres: "pres_type step (length is) A" + assumes cert: "cert_ok c (length is) \ \ A" + assumes s: "s \ A" + assumes all: "wtl is c 0 s \ \" + shows "pc < length is \ wtl (take pc is) c 0 s \ A" + (is "?len pc \ ?wtl pc \ A") proof (induct pc) - from s show "\s'. ?wtl 0 s' \ ?A s'" by simp + from s show "?wtl 0 \ A" by simp next - fix s' n - assume "Suc n < length is" - then obtain "n < length is" by simp - with all obtain s1 s2 where - "wtl_inst_list (take n is) cert f r step 0 s = OK s1" - "wtl_cert cert f r step n s1 = OK s2" - by - (drule wtl_all, auto) - - assume "?wtl (Suc n) s'" + fix n assume "Suc n < length is" + then obtain n: "n < length is" by simp + assume "n < length is \ ?wtl n \ A" + hence "?wtl n \ A" . + moreover + from cert have "c!n \ A" by (rule cert_okD1) moreover have n1: "n+1 < length is" by simp - hence "?wtl (n+1) s2" by - (rule wtl_Suc) + with cert have "c!(n+1) \ A" by (rule cert_okD1) ultimately - have [simp]: "s2 = s'" by simp - - assume IH: "\s'. n < length is \ ?wtl n s' \ s' \ opt A" - hence "s1 \ opt A" . - moreover - from cert have "cert!n \ opt A" by (rule cert_okD1) - moreover - from cert n1 have "cert!(n+1) \ opt A" by (rule cert_okD1) - ultimately - have "s2 \ opt A" using semi pres by - (rule wtl_cert_pres) - thus "s' \ opt A" by simp + have "wtc c n (?wtl n) \ A" by - (rule wtc_pres) + also + from all n have "?wtl n \ \" by - (rule wtl_take) + with n1 have "wtc c n (?wtl n) = ?wtl (n+1)" by (rule wtl_Suc [symmetric]) + finally show "?wtl (Suc n) \ A" by simp qed