# HG changeset patch # User nipkow # Date 908372842 -7200 # Node ID 4e8837255b87ce3d7a6ab52e5d53e99009ef7e84 # Parent 7c2ddbaf8b8c67d2f42c3d70eb844fa413b7e79a Description of new version. diff -r 7c2ddbaf8b8c -r 4e8837255b87 src/HOL/Hoare/README.html --- a/src/HOL/Hoare/README.html Wed Oct 14 15:26:31 1998 +0200 +++ b/src/HOL/Hoare/README.html Wed Oct 14 15:47:22 1998 +0200 @@ -2,16 +2,16 @@

Hoare Logic for a Simple WHILE Language

The language and logic

+

Language and logic

This directory contains an implementation of Hoare logic for a simple WHILE -language. The are +language. The constructs are

SKIP -
_ := _ -
_ ; _ -
IF _ THEN _ ELSE _ FI -
WHILE _ INV {_} DO _ OD +
SKIP +
_ := _ +
_ ; _ +
IF _ THEN _ ELSE _ FI +
WHILE _ INV {_} DO _ OD

Note that each WHILE-loop must be annotated with an invariant.

@@ -21,31 +21,33 @@ |- VARS x y ... . {P} prog {Q} where prog is a program in the above language, P is the -precondition, Q the postcondition, and x y ... is the +precondition, Q the postcondition, and x y ... is the list of all program variables in prog. The latter list must be nonempty and it must include all variables that occur on the left-hand -side of an assignment in prof. Example: +side of an assignment in prog. Example:

 |- VARS x. {x = a} x := x+1 {x = a+1}

The (normal) variable a is merely used to record the initial -value of x and is not a program variable. Pre and postconditions +value of x and is not a program variable. Pre/post conditions can be arbitrary HOL formulae mentioning both program variables and normal variables.

The implementation hides reasoning in Hoare logic completely and provides a -tactic hoare_tac for generating the verification conditions in ordinary -logic: +tactic hoare_tac for transforming a goal in Hoare logic into an +equivalent list of verification conditions in HOL:

 by(hoare_tac tac i);

applies the tactic to subgoal i and applies the parameter -tac to all generated verification conditions. A typical call is +tac (of type int -> tactic) to all generated +verification conditions. A typical call is

 by(hoare_tac Asm_full_simp_tac 1);

-which, given the example goal above, solves it completely. +which, given the example goal above, solves it completely. For further +examples see Examples.ML.

IMPORTANT: @@ -53,18 +55,16 @@ does the right thing if it terminates, but not that it terminates. -

Notes on the implementation

-This directory contains a sugared shallow semantic embedding of Hoare logic -for a while language. The implementation closely follows

- - +The implementation loosely follows +

Mike Gordon. Mechanizing Programming Logics in Higher Order Logic.
-University of Cambridge, Computer Laboratory, TR 145, 1988.

- -published as

- +University of Cambridge, Computer Laboratory, TR 145, 1988. +

+published as +

Mike Gordon. Mechanizing Programming Logics in Higher Order Logic.
In @@ -73,21 +73,12 @@ edited by G. Birtwistle and P.A. Subrahmanyam, Springer-Verlag, 1989.

-At the top level, it provides a tactic hoare_tac, which transforms a -goal -

-{P} prog {Q} -

-into a set of HOL-level verification conditions. -

Syntax: -: the letters a-z are interpreted as program variables, - all other identifiers as mathematical variables.
-

-The pre/post conditions can be arbitrary HOL formulae including program -variables. The program text should only refer to program variables. +The main differences: the state is modelled as a tuple as suggested in

-Note: Program variables are typed in the same way as HOL -variables. Although you can write programs over arbitrary types, all -program variables in a particular program must be of the same type! +J. von Wright and J. Hekanaho and P. Luostarinen and T. Langbacka. +Mechanizing Some Advanced Refinement Concepts. +Formal Methods in System Design, 3, 1993, 49-81. +

+and the embeding is deep, i.e. there is a concrete datatype of programs. The +latter is not really necessary.