# HG changeset patch # User blanchet # Date 1370657839 14400 # Node ID 891e128ea08cf5f53de9f676144d970df5c629e0 # Parent 40136fcb5e7a5710ebfd014797dbcdc78d1994ac# Parent ac2fb87a12f30b571295334352c74321498da3b0 merge diff -r 40136fcb5e7a -r 891e128ea08c src/HOL/IMP/Hoare_Total.thy --- a/src/HOL/IMP/Hoare_Total.thy Fri Jun 07 17:24:29 2013 +0100 +++ b/src/HOL/IMP/Hoare_Total.thy Fri Jun 07 22:17:19 2013 -0400 @@ -32,7 +32,7 @@ While: "(\n::nat. - \\<^sub>t {\s. P s \ bval b s \ T s n} c {\s. P s \ (\n'. T s n' \ n' < n)}) + \\<^sub>t {\s. P s \ bval b s \ T s n} c {\s. P s \ (\n' \\<^sub>t {\s. P s \ (\n. T s n)} WHILE b DO c {\s. P s \ \bval b s}" | conseq: "\ \s. P' s \ P s; \\<^sub>t {P}c{Q}; \s. Q s \ Q' s \ \ @@ -177,7 +177,7 @@ unfolding wpt_def by (metis WHILE_Its) moreover { fix n - let ?R = "\s'. wp\<^sub>t ?w Q s' \ (\n'. ?T s' n' \ n' < n)" + let ?R = "\s'. wp\<^sub>t ?w Q s' \ (\n' t" and "Q t" from `bval b s` and `(?w, s) \ t` obtain s' where "(c,s) \ s'" "(?w,s') \ t" by auto diff -r 40136fcb5e7a -r 891e128ea08c src/HOL/IMP/VCG.thy --- a/src/HOL/IMP/VCG.thy Fri Jun 07 17:24:29 2013 +0100 +++ b/src/HOL/IMP/VCG.thy Fri Jun 07 22:17:19 2013 -0400 @@ -20,104 +20,104 @@ fun strip :: "acom \ com" where "strip SKIP = com.SKIP" | "strip (x ::= a) = (x ::= a)" | -"strip (c\<^isub>1;; c\<^isub>2) = (strip c\<^isub>1;; strip c\<^isub>2)" | -"strip (IF b THEN c\<^isub>1 ELSE c\<^isub>2) = (IF b THEN strip c\<^isub>1 ELSE strip c\<^isub>2)" | -"strip ({_} WHILE b DO c) = (WHILE b DO strip c)" +"strip (C\<^isub>1;; C\<^isub>2) = (strip C\<^isub>1;; strip C\<^isub>2)" | +"strip (IF b THEN C\<^isub>1 ELSE C\<^isub>2) = (IF b THEN strip C\<^isub>1 ELSE strip C\<^isub>2)" | +"strip ({_} WHILE b DO C) = (WHILE b DO strip C)" text{* Weakest precondition from annotated commands: *} fun pre :: "acom \ assn \ assn" where "pre SKIP Q = Q" | "pre (x ::= a) Q = (\s. Q(s(x := aval a s)))" | -"pre (c\<^isub>1;; c\<^isub>2) Q = pre c\<^isub>1 (pre c\<^isub>2 Q)" | -"pre (IF b THEN c\<^isub>1 ELSE c\<^isub>2) Q = - (\s. if bval b s then pre c\<^isub>1 Q s else pre c\<^isub>2 Q s)" | -"pre ({I} WHILE b DO c) Q = I" +"pre (C\<^isub>1;; C\<^isub>2) Q = pre C\<^isub>1 (pre C\<^isub>2 Q)" | +"pre (IF b THEN C\<^isub>1 ELSE C\<^isub>2) Q = + (\s. if bval b s then pre C\<^isub>1 Q s else pre C\<^isub>2 Q s)" | +"pre ({I} WHILE b DO C) Q = I" text{* Verification condition: *} fun vc :: "acom \ assn \ assn" where "vc SKIP Q = (\s. True)" | "vc (x ::= a) Q = (\s. True)" | -"vc (c\<^isub>1;; c\<^isub>2) Q = (\s. vc c\<^isub>1 (pre c\<^isub>2 Q) s \ vc c\<^isub>2 Q s)" | -"vc (IF b THEN c\<^isub>1 ELSE c\<^isub>2) Q = (\s. vc c\<^isub>1 Q s \ vc c\<^isub>2 Q s)" | -"vc ({I} WHILE b DO c) Q = +"vc (C\<^isub>1;; C\<^isub>2) Q = (\s. vc C\<^isub>1 (pre C\<^isub>2 Q) s \ vc C\<^isub>2 Q s)" | +"vc (IF b THEN C\<^isub>1 ELSE C\<^isub>2) Q = (\s. vc C\<^isub>1 Q s \ vc C\<^isub>2 Q s)" | +"vc ({I} WHILE b DO C) Q = (\s. (I s \ \ bval b s \ Q s) \ - (I s \ bval b s \ pre c I s) \ - vc c I s)" + (I s \ bval b s \ pre C I s) \ + vc C I s)" text {* Soundness: *} -lemma vc_sound: "\s. vc c Q s \ \ {pre c Q} strip c {Q}" -proof(induction c arbitrary: Q) - case (Awhile I b c) +lemma vc_sound: "\s. vc C Q s \ \ {pre C Q} strip C {Q}" +proof(induction C arbitrary: Q) + case (Awhile I b C) show ?case proof(simp, rule While') - from `\s. vc (Awhile I b c) Q s` - have vc: "\s. vc c I s" and IQ: "\s. I s \ \ bval b s \ Q s" and - pre: "\s. I s \ bval b s \ pre c I s" by simp_all - have "\ {pre c I} strip c {I}" by(rule Awhile.IH[OF vc]) - with pre show "\ {\s. I s \ bval b s} strip c {I}" + from `\s. vc (Awhile I b C) Q s` + have vc: "\s. vc C I s" and IQ: "\s. I s \ \ bval b s \ Q s" and + pre: "\s. I s \ bval b s \ pre C I s" by simp_all + have "\ {pre C I} strip C {I}" by(rule Awhile.IH[OF vc]) + with pre show "\ {\s. I s \ bval b s} strip C {I}" by(rule strengthen_pre) show "\s. I s \ \bval b s \ Q s" by(rule IQ) qed qed (auto intro: hoare.conseq) corollary vc_sound': - "(\s. vc c Q s) \ (\s. P s \ pre c Q s) \ \ {P} strip c {Q}" + "\ \s. vc C Q s; \s. P s \ pre C Q s \ \ \ {P} strip C {Q}" by (metis strengthen_pre vc_sound) text{* Completeness: *} lemma pre_mono: - "\s. P s \ P' s \ pre c P s \ pre c P' s" -proof (induction c arbitrary: P P' s) + "\s. P s \ P' s \ pre C P s \ pre C P' s" +proof (induction C arbitrary: P P' s) case Aseq thus ?case by simp metis qed simp_all lemma vc_mono: - "\s. P s \ P' s \ vc c P s \ vc c P' s" -proof(induction c arbitrary: P P') + "\s. P s \ P' s \ vc C P s \ vc C P' s" +proof(induction C arbitrary: P P') case Aseq thus ?case by simp (metis pre_mono) qed simp_all lemma vc_complete: - "\ {P}c{Q} \ \c'. strip c' = c \ (\s. vc c' Q s) \ (\s. P s \ pre c' Q s)" - (is "_ \ \c'. ?G P c Q c'") + "\ {P}c{Q} \ \C. strip C = c \ (\s. vc C Q s) \ (\s. P s \ pre C Q s)" + (is "_ \ \C. ?G P c Q C") proof (induction rule: hoare.induct) case Skip - show ?case (is "\ac. ?C ac") + show ?case (is "\C. ?C C") proof show "?C Askip" by simp qed next case (Assign P a x) - show ?case (is "\ac. ?C ac") + show ?case (is "\C. ?C C") proof show "?C(Aassign x a)" by simp qed next case (Seq P c1 Q c2 R) - from Seq.IH obtain ac1 where ih1: "?G P c1 Q ac1" by blast - from Seq.IH obtain ac2 where ih2: "?G Q c2 R ac2" by blast - show ?case (is "\ac. ?C ac") + from Seq.IH obtain C1 where ih1: "?G P c1 Q C1" by blast + from Seq.IH obtain C2 where ih2: "?G Q c2 R C2" by blast + show ?case (is "\C. ?C C") proof - show "?C(Aseq ac1 ac2)" + show "?C(Aseq C1 C2)" using ih1 ih2 by (fastforce elim!: pre_mono vc_mono) qed next case (If P b c1 Q c2) - from If.IH obtain ac1 where ih1: "?G (\s. P s \ bval b s) c1 Q ac1" + from If.IH obtain C1 where ih1: "?G (\s. P s \ bval b s) c1 Q C1" by blast - from If.IH obtain ac2 where ih2: "?G (\s. P s \ \bval b s) c2 Q ac2" + from If.IH obtain C2 where ih2: "?G (\s. P s \ \bval b s) c2 Q C2" by blast - show ?case (is "\ac. ?C ac") + show ?case (is "\C. ?C C") proof - show "?C(Aif b ac1 ac2)" using ih1 ih2 by simp + show "?C(Aif b C1 C2)" using ih1 ih2 by simp qed next case (While P b c) - from While.IH obtain ac where ih: "?G (\s. P s \ bval b s) c P ac" by blast - show ?case (is "\ac. ?C ac") - proof show "?C(Awhile P b ac)" using ih by simp qed + from While.IH obtain C where ih: "?G (\s. P s \ bval b s) c P C" by blast + show ?case (is "\C. ?C C") + proof show "?C(Awhile P b C)" using ih by simp qed next case conseq thus ?case by(fast elim!: pre_mono vc_mono) qed