# HG changeset patch # User oheimb # Date 992714802 -7200 # Node ID bf98ad1c22c6415ed2718fe991abae368214dd81 # Parent a6730c90e75365e801ef8bd5f7150c72fc3cfbe0 added NanoJava diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/IsaMakefile --- a/src/HOL/IsaMakefile Wed Jun 13 16:30:12 2001 +0200 +++ b/src/HOL/IsaMakefile Sat Jun 16 20:06:42 2001 +0200 @@ -31,6 +31,7 @@ HOL-MicroJava \ HOL-MiniML \ HOL-Modelcheck \ + HOL-NanoJava \ HOL-NumberTheory \ HOL-Prolog \ HOL-Subst \ @@ -460,6 +461,15 @@ MicroJava/document/root.bib MicroJava/document/root.tex @$(ISATOOL) usedir $(OUT)/HOL MicroJava +## HOL-NanoJava + +HOL-NanoJava: HOL $(LOG)/HOL-NanoJava.gz + +$(LOG)/HOL-NanoJava.gz: $(OUT)/HOL NanoJava/ROOT.ML \ + NanoJava/Term.thy NanoJava/Decl.thy NanoJava/TypeRel.thy NanoJava/State.thy \ + NanoJava/OpSem.thy NanoJava/AxSem.thy NanoJava/AxSem.thy \ + NanoJava/document/root.bib NanoJava/document/root.tex + @$(ISATOOL) usedir $(OUT)/HOL NanoJava ## HOL-CTL @@ -581,7 +591,7 @@ ## clean clean: - @rm -f $(OUT)/HOL $(OUT)/HOL-Real $(OUT)/TLA \ + @rm -f $(OUT)/HOL $(OUT)/HOL-Real $(OUT)/TLA \ $(LOG)/HOL.gz $(LOG)/HOL-Real.gz $(LOG)/TLA.gz \ $(LOG)/HOL-Isar_examples.gz $(LOG)/HOL-Induct.gz \ $(LOG)/HOL-ex.gz $(LOG)/HOL-Subst.gz $(LOG)/HOL-IMP.gz \ @@ -589,8 +599,8 @@ $(LOG)/HOL-Lex.gz $(LOG)/HOL-Algebra.gz \ $(LOG)/HOL-Auth.gz $(LOG)/HOL-UNITY.gz \ $(LOG)/HOL-Modelcheck.gz $(LOG)/HOL-Lambda.gz \ - $(LOG)/HOL-W0.gz $(LOG)/HOL-MiniML.gz \ - $(LOG)/HOL-CTL.gz $(LOG)/HOL-MicroJava.gz \ + $(LOG)/HOL-W0.gz $(LOG)/HOL-MiniML.gz $(LOG)/HOL-CTL.gz \ + $(LOG)/HOL-MicroJava.gz $(LOG)/HOL-NanoJava.gz \ $(LOG)/HOL-IOA.gz $(LOG)/HOL-AxClasses \ $(LOG)/HOL-Lattice $(LOG)/HOL-Real-ex.gz \ $(LOG)/HOL-Real-HahnBanach.gz $(LOG)/TLA-Inc.gz \ diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/AxSem.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/AxSem.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,122 @@ +(* Title: HOL/NanoJava/AxSem.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Axiomatic Semantics (Hoare Logic)" + +theory AxSem = State: + +types assn = "state => bool" + triple = "assn \ stmt \ assn" +translations + "assn" \ (type)"state => bool" + "triple" \ (type)"assn \ stmt \ assn" + +consts hoare :: "(triple set \ triple set) set" +syntax (xsymbols) + "@hoare" :: "[triple set, triple set ] => bool" ("_ |\/ _" [61,61] 60) + "@hoare1" :: "[triple set, assn,stmt,assn] => bool" + ("_ \/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3]60) +syntax + "@hoare" :: "[triple set, triple set ] => bool" ("_ ||-/ _" [61,61] 60) + "@hoare1" :: "[triple set, assn,stmt,assn] => bool" + ("_ |-/ ({(1_)}/ (_)/ {(1_)})" [61,3,90,3] 60) + +translations "A |\ C" \ "(A,C) \ hoare" + "A \ {P}c{Q}" \ "A |\ {(P,c,Q)}" + +inductive hoare +intros + + Skip: "A |- {P} Skip {P}" + + Comp: "[| A |- {P} c1 {Q}; A |- {Q} c2 {R} |] ==> A |- {P} c1;;c2 {R}" + + Cond: "[| A |- {\s. P s \ s \ Null} c1 {Q}; + A |- {\s. P s \ s = Null} c2 {Q} |] ==> + A |- {P} If(e) c1 Else c2 {Q}" + + Loop: "A |- {\s. P s \ s \ Null} c {P} ==> + A |- {P} While(e) c {\s. P s \ s = Null}" + + NewC: "A |- {\s.\a. new_Addr s=Addr a--> P (lupd(x|->Addr a)(new_obj a C s))} + x:=new C {P}" + + Cast: "A |- {\s.(case s of Null=> True | Addr a=> obj_class s a <=C C) --> + P (lupd(x|->s) s)} x:=(C)y {P}" + + FAcc: "A |- {\s.\a. s=Addr a-->P(lupd(x|->get_field s a f) s)} x:=y..f{P}" + + FAss: "A |- {\s. \a. s=Addr a --> P (upd_obj a f (s) s)} y..f:=x {P}" + + Call: "\l. A |- {\s'. \s. P s \ l = s \ + s' = lupd(This|->s)(lupd(Param|->s

)(init_locs C m s))} + Meth C m {\s. Q (lupd(x|->s)(set_locs l s))} ==> + A |- {P} x:={C}y..m(p) {Q}" + + Meth: "\D. A |- {\s. \a. s = Addr a \ D=obj_class s a \ D <=C C \ P s} + Impl D m {Q} ==> + A |- {P} Meth C m {Q}" + + (*\z instead of \z in the conclusion and + z restricted to type state due to limitations of the inductive paackage *) + Impl: "A\ (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms) ||- + (\z::state. (\(C,m). (P z C m, body C m, Q z C m))`ms) ==> + A ||- (\z::state. (\(C,m). (P z C m, Impl C m, Q z C m))`ms)" + +(* structural rules *) + + (* z restricted to type state due to limitations of the inductive paackage *) + Conseq:"[| \z::state. A |- {P' z} c {Q' z}; + \s t. (\z::state. P' z s --> Q' z t) --> (P s --> Q t) |] ==> + A |- {P} c {Q }" + + Asm: " a \ A ==> A ||- {a}" + + ConjI: " \c \ C. A ||- {c} ==> A ||- C" + + ConjE: "[|A ||- C; c \ C |] ==> A ||- {c}"; + + +subsection "Derived Rules" + +lemma Conseq1: "\A \ {P'} c {Q}; \s. P s \ P' s\ \ A \ {P} c {Q}" +apply (rule hoare.Conseq) +apply (rule allI, assumption) +apply fast +done + +lemma Weaken: "\A |\ C'; C \ C'\ \ A |\ C" +apply (rule hoare.ConjI) +apply clarify +apply (drule hoare.ConjE) +apply fast +apply assumption +done + +lemma Union: "A |\ (\z. C z) = (\z. A |\ C z)" +by (auto intro: hoare.ConjI hoare.ConjE) + +lemma Impl': + "\z. A\ (\z. (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms) ||- + (\(C,m). (P z C m, body C m, Q (z::state) C m))`ms ==> + A ||- (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms" +apply (drule Union[THEN iffD2]) +apply (drule hoare.Impl) +apply (drule Union[THEN iffD1]) +apply (erule spec) +done + +lemma Impl1: + "\\z. A\ (\z. (\(C,m). (P z C m, Impl C m, Q (z::state) C m))`ms) ||- + (\(C,m). (P z C m, body C m, Q (z::state) C m))`ms; + (C,m)\ ms\ \ + A \ {P z C m} Impl C m {Q (z::state) C m}" +apply (drule Impl') +apply (erule Weaken) +apply (auto del: image_eqI intro: rev_image_eqI) +done + +end diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/Decl.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/Decl.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,68 @@ +(* Title: HOL/NanoJava/Decl.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Types, class Declarations, and whole programs" + +theory Decl = Term: + +datatype ty + = NT (* null type *) + | Class cname (* class type *) + +types fdecl (* field declaration *) + = "vnam \ ty" + + +record methd (* method declaration *) + = par :: ty + res :: ty + lcl ::"(vname \ ty) list" + bdy :: stmt + +types mdecl (* method declaration *) + = "mname \ methd" + +record class (* class *) + = super :: cname + fields ::"fdecl list" + methods ::"mdecl list" + +types cdecl (* class declaration *) + = "cname \ class" + +types prog + = "cdecl list" + +translations + "fdecl" \ (type)"vname \ ty" + "mdecl" \ (type)"mname \ ty \ ty \ stmt" + "class" \ (type)"cname \ fdecl list \ mdecl list" + "cdecl" \ (type)"cname \ class" + "prog " \ (type)"cdecl list" + +consts + + Prog :: prog (* program as a global value *) + +consts + + Object :: cname (* name of root class *) + + +constdefs + class :: "cname \ class" + "class \ map_of Prog" + + is_class :: "cname => bool" + "is_class C \ class C \ None" + +lemma finite_is_class: "finite {C. is_class C}" +apply (unfold is_class_def class_def) +apply (fold dom_def) +apply (rule finite_dom_map_of) +done + +end diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/Equivalence.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/Equivalence.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,237 @@ +(* Title: HOL/NanoJava/Equivalence.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Equivalence of Operational and Axiomatic Semantics" + +theory Equivalence = OpSem + AxSem: + +subsection "Validity" + +constdefs + valid :: "[assn,stmt,assn] => bool" ("|= {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + "|= {P} c {Q} \ \s t. P s --> (\n. s -c-n-> t) --> Q t" + + nvalid :: "[nat, triple ] => bool" ("|=_: _" [61,61] 60) + "|=n: t \ let (P,c,Q) = t in \s t. s -c-n-> t --> P s --> Q t" + + nvalids :: "[nat, triple set] => bool" ("||=_: _" [61,61] 60) + "||=n: T \ \t\T. |=n: t" + + cnvalids :: "[triple set,triple set] => bool" ("_ ||=/ _"[61,61] 60) + "A ||= C \ \n. ||=n: A --> ||=n: C" + +syntax (xsymbols) + valid :: "[assn,stmt,assn] => bool" ("\ {(1_)}/ (_)/ {(1_)}" [3,90,3] 60) + nvalid :: "[nat, triple ] => bool" ("\_: _" [61,61] 60) + nvalids :: "[nat, triple set] => bool" ("|\_: _" [61,61] 60) + cnvalids :: "[triple set,triple set] => bool" ("_ |\/ _" [61,61] 60) + +syntax + nvalid1::"[nat, assn,stmt,assn] => bool" ( "|=_:.{(1_)}/ (_)/ {(1_)}" + [61,3,90,3] 60) + cnvalid1::"[triple set, assn,stmt,assn] => bool" ("_ ||=.{(1_)}/ (_)/ {(1_)}" + [61,3,90,3] 60) +syntax (xsymbols) + nvalid1::"[nat, assn,stmt,assn] => bool" ( "\_:.{(1_)}/ (_)/ {(1_)}" + [61,3,90,3] 60) + cnvalid1::"[triple set, assn,stmt,assn] => bool" ( "_ |\.{(1_)}/ (_)/ {(1_)}" + [61,3,90,3] 60) +translations + " \n:.{P} c {Q}" \ " \n: (P,c,Q)" + "A |\.{P} c {Q}" \ "A |\ {(P,c,Q)}" + +lemma nvalid1_def2: "\n:.{P} c {Q} \ \s t. s -c-n\ t \ P s \ Q t" +by (simp add: nvalid_def Let_def) + +lemma cnvalid1_def2: + "A |\.{P} c {Q} \ \n. |\n: A \ (\s t. s -c-n\ t \ P s \ Q t)" +by(simp add: nvalid1_def2 nvalids_def cnvalids_def) + +lemma valid_def2: "\ {P} c {Q} = (\n. \n:.{P} c {Q})" +apply (simp add: valid_def nvalid1_def2) +apply blast +done + + +subsection "Soundness" + +declare exec_elim_cases [elim!] + +lemma Impl_nvalid_0: "\0:.{P} Impl C m {Q}" +by (clarsimp simp add: nvalid1_def2) + +lemma Impl_nvalid_Suc: "\n:.{P} body C m {Q} \ \Suc n:.{P} Impl C m {Q}" +by (clarsimp simp add: nvalid1_def2) + +lemma nvalid_SucD: "\t. \Suc n:t \ \n:t" +by (force simp add: split_paired_all nvalid1_def2 intro: exec_mono) + +lemma nvalids_SucD: "Ball A (nvalid (Suc n)) \ Ball A (nvalid n)" +by (fast intro: nvalid_SucD) + +lemma Loop_sound_lemma [rule_format (no_asm)]: +"\\s t. s -c-n\ t \ P s \ s \ Null \ P t; s -c0-n0\ t\ \ + P s \ c0 = While (e) c \ n0 = n \ P t \ t = Null" +apply (erule exec.induct) +apply clarsimp+ +done + +lemma Impl_sound_lemma: +"\\n. Ball (A \ B) (nvalid n) \ Ball (\z. split (f z) ` ms) (nvalid n); + (C, m) \ ms; Ball A (nvalid na); Ball B (nvalid na)\ \ nvalid na (f z C m)" +by blast + +lemma hoare_sound_main: "A |\ C \ A |\ C" +apply (erule hoare.induct) +apply (simp_all only: cnvalid1_def2) +apply clarsimp +apply clarsimp +apply (clarsimp split add: split_if_asm) +apply (clarsimp,tactic "smp_tac 1 1",erule(2) Loop_sound_lemma,(rule HOL.refl)+) +apply clarsimp +apply clarsimp +apply clarsimp +apply clarsimp +apply (clarsimp del: Meth_elim_cases) (* Call *) +apply (clarsimp del: Impl_elim_cases) (* Meth *) +defer +apply blast (* Conseq *) +apply (simp_all (no_asm_use) only: cnvalids_def nvalids_def) +apply blast +apply blast +apply blast +(* Impl *) +apply (erule thin_rl) +apply (rule allI) +apply (induct_tac "n") +apply (clarify intro!: Impl_nvalid_0) +apply (clarify intro!: Impl_nvalid_Suc) +apply (drule nvalids_SucD) +apply (erule (1) impE) +apply (drule (4) Impl_sound_lemma) +done + +theorem hoare_sound: "{} \ {P} c {Q} \ \ {P} c {Q}" +apply (simp only: valid_def2) +apply (drule hoare_sound_main) +apply (unfold cnvalids_def nvalids_def) +apply fast +done + + +subsection "(Relative) Completeness" + +constdefs MGT :: "stmt => state => triple" + "MGT c z \ (\ s. z = s, c, %t. \n. z -c-n-> t)" + +lemma MGF_implies_complete: + "\z. {} |\ {MGT c z} \ \ {P} c {Q} \ {} \ {P} c {Q}" +apply (simp only: valid_def2) +apply (unfold MGT_def) +apply (erule hoare.Conseq) +apply (clarsimp simp add: nvalid1_def2) +done + + +declare exec.intros[intro!] + +lemma MGF_Loop: "\z. A \ {op = z} c {\t. \n. z -c-n\ t} \ + A \ {op = z} While (e) c {\t. \n. z -While (e) c-n\ t}" +apply (rule_tac P' = "\z s. (z,s) \ ({(s,t). \n. s \ Null \ s -c-n\ t})^*" + in hoare.Conseq) +apply (rule allI) +apply (rule hoare.Loop) +apply (erule hoare.Conseq) +apply clarsimp +apply (blast intro:rtrancl_into_rtrancl) +apply (erule thin_rl) +apply clarsimp +apply (erule_tac x = z in allE) +apply clarsimp +apply (erule converse_rtrancl_induct) +apply blast +apply clarsimp +apply (drule (1) exec_max2) +apply (blast del: exec_elim_cases) +done + +lemma MGF_lemma[rule_format]: + "(\C m z. A |\ {MGT (Impl C m) z}) \ (\z. A |\ {MGT c z})" +apply (simp add: MGT_def) +apply (induct_tac c) +apply (tactic "ALLGOALS Clarify_tac") + +apply (rule Conseq1 [OF hoare.Skip]) +apply blast + +apply (rule hoare.Comp) +apply (erule spec) +apply (erule hoare.Conseq) +apply (erule thin_rl, erule thin_rl) +apply clarsimp +apply (drule (1) exec_max2) +apply blast + +apply (rule hoare.Cond) +apply (erule hoare.Conseq) +apply (erule thin_rl, erule thin_rl) +apply force +apply (erule hoare.Conseq) +apply (erule thin_rl, erule thin_rl) +apply force + +apply (erule MGF_Loop) + +apply (rule Conseq1 [OF hoare.NewC]) +apply blast + +apply (rule Conseq1 [OF hoare.Cast]) +apply blast + +apply (rule Conseq1 [OF hoare.FAcc]) +apply blast + +apply (rule Conseq1 [OF hoare.FAss]) +apply blast + +apply (rule hoare.Call) +apply (rule allI) +apply (rule hoare.Meth) +apply (rule allI) +apply (drule spec, drule spec, erule hoare.Conseq) +apply blast + +apply (rule hoare.Meth) +apply (rule allI) +apply (drule spec, drule spec, erule hoare.Conseq) +apply blast + +apply blast +done + +lemma MGF_Impl: "{} |\ {MGT (Impl C m) z}" +apply (unfold MGT_def) +apply (rule Impl1) +apply (rule_tac [2] UNIV_I) +apply clarsimp +apply (rule hoare.ConjI) +apply clarsimp +apply (rule ssubst [OF Impl_body_eq]) +apply (fold MGT_def) +apply (rule MGF_lemma) +apply (rule hoare.Asm) +apply force +done + +theorem hoare_relative_complete: "\ {P} c {Q} \ {} \ {P} c {Q}" +apply (rule MGF_implies_complete) +apply (erule_tac [2] asm_rl) +apply (rule allI) +apply (rule MGF_lemma) +apply (rule MGF_Impl) +done + +end diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/OpSem.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/OpSem.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,89 @@ +(* Title: HOL/NanoJava/OpSem.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Operational Evaluation Semantics" + +theory OpSem = State: + +consts + exec :: "(state \ stmt \ nat \ state) set" +syntax (xsymbols) + exec :: "[state, stmt, nat, state] => bool" ("_ -_-_\ _" [98,90,99,98] 89) +syntax + exec :: "[state, stmt, nat, state] => bool" ("_ -_-_-> _" [98,90,99,98] 89) +translations + "s -c-n-> s'" == "(s, c, n, s') \ exec" + +inductive exec intros + + Skip: " s -Skip-n-> s" + + Comp: "[| s0 -c1-n-> s1; s1 -c2-n-> s2 |] ==> + s0 -c1;; c2-n-> s2" + + Cond: "[| s -(if s \ Null then c1 else c2)-n-> s' |] ==> + s -If(e) c1 Else c2-n-> s'" + + LoopF:" s0 = Null ==> + s0 -While(e) c-n-> s0" + LoopT:"[| s0 \ Null; s0 -c-n-> s1; s1 -While(e) c-n-> s2 |] ==> + s0 -While(e) c-n-> s2" + + NewC: " new_Addr s = Addr a ==> + s -x:=new C-n-> lupd(x\Addr a)(new_obj a C s)" + + Cast: " (case s of Null => True | Addr a => obj_class s a \C C) ==> + s -x:=(C)y-n-> lupd(x\s) s" + + FAcc: " s = Addr a ==> + s -x:=y..f-n-> lupd(x\get_field s a f) s" + + FAss: " s = Addr a ==> + s -y..f:=x-n-> upd_obj a f (s) s" + + Call: "lupd(This\s)(lupd(Param\s

)(init_locs C m s))-Meth C m -n-> s'==> + s -x:={C}y..m(p)-n-> lupd(x\s')(set_locs s s')" + + Meth: "[| s = Addr a; obj_class s a\C C; + s -Impl (obj_class s a) m-n-> s' |] ==> + s -Meth C m-n-> s'" + + Impl: " s -body C m- n-> s' ==> + s -Impl C m-Suc n-> s'" + +inductive_cases exec_elim_cases': + "s -Skip -n-> t" + "s -c1;; c2 -n-> t" + "s -If(e) c1 Else c2-n-> t" + "s -While(e) c -n-> t" + "s -x:=new C -n-> t" + "s -x:=(C)y -n-> t" + "s -x:=y..f -n-> t" + "s -y..f:=x -n-> t" + "s -x:={C}y..m(p) -n-> t" +inductive_cases Meth_elim_cases: "s -Meth C m -n-> t" +inductive_cases Impl_elim_cases: "s -Impl C m -n-> t" +lemmas exec_elim_cases = exec_elim_cases' Meth_elim_cases Impl_elim_cases + +lemma exec_mono [rule_format]: "s -c-n\ t \ \m. n \ m \ s -c-m\ t" +apply (erule exec.induct) +prefer 12 (* Impl *) +apply clarify +apply (rename_tac n) +apply (case_tac n) +apply (blast intro:exec.intros)+ +done + +lemma exec_max2: "\s1 -c1- n1 \ t1 ; s2 -c2- n2\ t2\ \ + s1 -c1-max n1 n2\ t1 \ s2 -c2-max n1 n2\ t2" +by (fast intro: exec_mono le_maxI1 le_maxI2) + +lemma Impl_body_eq: "(\t. \n. z -Impl C m-n\ t) = (\t. \n. z -body C m-n\ t)" +apply (rule ext) +apply (fast elim: exec_elim_cases intro: exec.Impl) +done + +end \ No newline at end of file diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/ROOT.ML --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/ROOT.ML Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,1 @@ +use_thy "Equivalence"; diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/State.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/State.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,111 @@ +(* Title: HOL/NanoJava/State.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Program State" + +theory State = TypeRel: + +constdefs + + body :: "cname => mname => stmt" + "body C m \ bdy (the (method C m))" + +text {* locations, i.e.\ abstract references to objects *} +typedecl loc +arities loc :: "term" + +datatype val + = Null (* null reference *) + | Addr loc (* address, i.e. location of object *) + +types fields + = "(vnam \ val)" + + obj = "cname \ fields" + +translations + + "fields" \ (type)"vnam \ val option" + "obj" \ (type)"cname \ fields" + +constdefs + + init_vars:: "('a \ 'b) => ('a \ val)" + "init_vars m == option_map (\T. Null) o m" + +text {* private *} +types heap = "loc \ obj" + locals = "vname \ val" + +text {* private *} +record state + = heap :: heap + locals :: locals + +translations + + "heap" \ (type)"loc => obj option" + "locals" \ (type)"vname => val option" + "state" \ (type)"(|heap :: heap, locals :: locals|)" + +constdefs + + init_locs :: "cname => mname => state => state" + "init_locs C m s \ s (| locals:=init_vars (map_of (lcl (the (method C m))))|)" + +text {* The first parameter of @{term set_locs} is of type @{typ state} + rather than @{typ locals} in order to keep @{typ locals} private.*} +constdefs + set_locs :: "state => state => state" + "set_locs s s' \ s' (| locals := locals s |)" + + get_local :: "state => vname => val" ("_<_>" [99,0] 99) + "get_local s x \ the (locals s x)" + +(* local function: *) + get_obj :: "state => loc => obj" + "get_obj s a \ the (heap s a)" + + obj_class :: "state => loc => cname" + "obj_class s a \ fst (get_obj s a)" + + get_field :: "state => loc => vnam => val" + "get_field s a f \ the (snd (get_obj s a) f)" + +constdefs + +(* local function: *) + hupd :: "loc \ obj \ state \ state" ("hupd'(_|->_')" [10,10] 1000) + "hupd a obj s \ s (| heap := ((heap s)(a\obj))|)" + + lupd :: "vname \ val \ state \ state" ("lupd'(_|->_')" [10,10] 1000) + "lupd x v s \ s (| locals := ((locals s)(x\v ))|)" + +syntax (xsymbols) + hupd :: "loc \ obj \ state \ state" ("hupd'(_\_')" [10,10] 1000) + lupd :: "vname \ val \ state \ state" ("lupd'(_\_')" [10,10] 1000) + +constdefs + + new_obj :: "loc \ cname \ state \ state" + "new_obj a C \ hupd(a\(C,init_vars (field C)))" + + upd_obj :: "loc \ vnam \ val \ state \ state" + "upd_obj a f v s \ let (C,fs) = the (heap s a) in hupd(a\(C,fs(f\v))) s" + + new_Addr :: "state => val" + "new_Addr s == SOME v. (\a. v = Addr a \ (heap s) a = None) | v = Null" + +lemma new_AddrD: +"new_Addr s = v \ (\a. v = Addr a \ heap s a = None) | v = Null" +apply (unfold new_Addr_def) +apply (erule subst) +apply (rule someI) +apply (rule disjI2) +apply (rule HOL.refl) +done + +end diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/Term.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/Term.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,46 @@ +(* Title: HOL/NanoJava/Term.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Statements and expression emulations" + +theory Term = Main: + +typedecl cname (* class name *) +typedecl vnam (* variable or field name *) +typedecl mname (* method name *) +arities cname :: "term" + vnam :: "term" + mname :: "term" + +datatype vname (* variable for special names *) + = This (* This pointer *) + | Param (* method parameter *) + | Res (* method result *) + | VName vnam + +datatype stmt + = Skip (* empty statement *) + | Comp stmt stmt ("_;; _" [91,90] 90) + | Cond vname stmt stmt ("If '(_') _ Else _" [99,91,91] 91) + | Loop vname stmt ("While '(_') _" [99,91 ] 91) + + | NewC vname cname ("_:=new _" [99, 99] 95) (* object creation *) + | Cast vname cname vname ("_:='(_')_" [99,99,99] 95) (* assignment, cast *) + | FAcc vname vname vnam ("_:=_.._" [99,99,99] 95) (* field access *) + | FAss vname vnam vname ("_.._:=_" [99,99,99] 95) (* field assigment *) + | Call vname cname vname mname vname (* method call *) + ("_:={_}_.._'(_')" [99,99,99,99,99] 95) + | Meth cname mname (* virtual method *) + | Impl cname mname (* method implementation *) + +(*###TO Product_Type_lemmas.ML*) +lemma pair_imageI [intro]: "(a, b) \ A ==> f a b : (%(a, b). f a b) ` A" +apply (rule_tac x = "(a,b)" in image_eqI) +apply auto +done + +end + diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/TypeRel.thy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/TypeRel.thy Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,145 @@ +(* Title: HOL/NanoJava/TypeRel.thy + ID: $Id$ + Author: David von Oheimb + Copyright 2001 Technische Universitaet Muenchen +*) + +header "Type relations" + +theory TypeRel = Decl: + +consts + widen :: "(ty \ ty ) set" (* widening *) + subcls1 :: "(cname \ cname) set" (* subclass *) + +syntax (xsymbols) + widen :: "[ty , ty ] => bool" ("_ \ _" [71,71] 70) + subcls1 :: "[cname, cname] => bool" ("_ \C1 _" [71,71] 70) + subcls :: "[cname, cname] => bool" ("_ \C _" [71,71] 70) +syntax + widen :: "[ty , ty ] => bool" ("_ <= _" [71,71] 70) + subcls1 :: "[cname, cname] => bool" ("_ <=C1 _" [71,71] 70) + subcls :: "[cname, cname] => bool" ("_ <=C _" [71,71] 70) + +translations + "C \C1 D" == "(C,D) \ subcls1" + "C \C D" == "(C,D) \ subcls1^*" + "S \ T" == "(S,T) \ widen" + +consts + method :: "cname => (mname \ methd)" + field :: "cname => (vnam \ ty)" + + +text {* The rest of this theory is not actually used. *} + +defs + (* direct subclass relation *) + subcls1_def: "subcls1 \ {(C,D). C\Object \ (\c. class C = Some c \ super c=D)}" + +inductive widen intros (*widening, viz. method invocation conversion, + i.e. sort of syntactic subtyping *) + refl [intro!, simp]: "T \ T" + subcls : "C\C D \ Class C \ Class D" + null [intro!]: "NT \ R" + +lemma subcls1D: + "C\C1D \ C \ Object \ (\c. class C = Some c \ super c=D)" +apply (unfold subcls1_def) +apply auto +done + +lemma subcls1I: "\class C = Some m; super m = D; C \ Object\ \ C\C1D" +apply (unfold subcls1_def) +apply auto +done + +lemma subcls1_def2: +"subcls1 = (\C\{C. is_class C} . {D. C\Object \ super (the (class C)) = D})" +apply (unfold subcls1_def is_class_def) +apply auto +done + +lemma finite_subcls1: "finite subcls1" +apply(subst subcls1_def2) +apply(rule finite_SigmaI [OF finite_is_class]) +apply(rule_tac B = "{super (the (class C))}" in finite_subset) +apply auto +done + +constdefs + + ws_prog :: "bool" + "ws_prog \ $C,c)\set Prog. C\Object \ + is_class (super c) \ (super c,C)\subcls1^+" + +lemma ws_progD: "\class C = Some c; C\Object; ws_prog\ \ + is_class (super c) \ (super c,C)\subcls1^+" +apply (unfold ws_prog_def class_def) +apply (drule_tac map_of_SomeD) +apply auto +done + +lemma subcls1_irrefl_lemma1: "ws_prog \ subcls1^-1 \ subcls1^+ = {}" +by (fast dest: subcls1D ws_progD) + +(* context (theory "Transitive_Closure") *) +lemma irrefl_tranclI': "r^-1 Int r^+ = {} ==> !x. (x, x) ~: r^+" +apply (rule allI) +apply (erule irrefl_tranclI) +done + +lemmas subcls1_irrefl_lemma2 = subcls1_irrefl_lemma1 [THEN irrefl_tranclI'] + +lemma subcls1_irrefl: "\(x, y) \ subcls1; ws_prog\ \ x \ y" +apply (rule irrefl_trancl_rD) +apply (rule subcls1_irrefl_lemma2) +apply auto +done + +lemmas subcls1_acyclic = subcls1_irrefl_lemma2 [THEN acyclicI, standard] + +lemma wf_subcls1: "ws_prog \ wf (subcls1$" +by (auto intro: finite_acyclic_wf_converse finite_subcls1 subcls1_acyclic) + + +consts class_rec ::"cname \ (class \ ('a \ 'b) list) \ ('a \ 'b)" + +recdef class_rec "subcls1\" + "class_rec C = (\f. case class C of None \ arbitrary + | Some m \ if wf (subcls1\) + then (if C=Object then empty else class_rec (super m) f) ++ map_of (f m) + else arbitrary)" +(hints intro: subcls1I) + +lemma class_rec: "\class C = Some m; ws_prog\ \ + class_rec C f = (if C = Object then empty else class_rec (super m) f) ++ + map_of (f m)"; +apply (drule wf_subcls1) +apply (rule class_rec.simps [THEN trans [THEN fun_cong]]) +apply assumption +apply simp +done + +(* methods of a class, with inheritance and hiding *) +defs method_def: "method C \ class_rec C methods" + +lemma method_rec: "\class C = Some m; ws_prog\ \ +method C = (if C=Object then empty else method (super m)) ++ map_of (methods m)" +apply (unfold method_def) +apply (erule (1) class_rec [THEN trans]); +apply simp +done + + +(* fields of a class, with inheritance and hiding *) +defs field_def: "field C \ class_rec C fields" + +lemma fields_rec: "\class C = Some m; ws_prog\ \ +field C = (if C=Object then empty else field (super m)) ++ map_of (fields m)" +apply (unfold field_def) +apply (erule (1) class_rec [THEN trans]); +apply simp +done + +end diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/document/root.bib --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/document/root.bib Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,58 @@ +@inproceedings{NipkowOP00, + author={Tobias Nipkow and Oheimb, David von and Cornelia Pusch}, + title={{$\mu$Java}: Embedding a Programming Language in a Theorem Prover}, + booktitle = {Foundations of Secure Computation}, + series= {NATO Science Series F: Computer and Systems Sciences}, + volume = {175}, + year = {2000}, + publisher = {IOS Press}, + editor = {Friedrich L. Bauer and Ralf Steinbr{\"u}ggen}, + abstract = {This paper introduces the subset $micro$Java of Java, +essentially by omitting everything but classes. +The type system and semantics of this language +(and a corresponding abstract Machine $micro$JVM) +are formalized in the theorem prover Isabelle/HOL. +Type safety both of $micro$Java and the $micro$JVM +are mechanically verified. + +To make the paper self-contained, it starts with +introductions to Isabelle/HOL and the art of +embedding languages in theorem provers.}, + CRClassification = {D.3.1, F.3.2}, + CRGenTerms = {Languages, Reliability, Theory, Verification}, + url = {\url{http://isabelle.in.tum.de/Bali/papers/MOD99.html}}, + pages = {117--144} +} + + +@article{DvO-CPE01, + author = {David von Oheimb}, + title = {Hoare Logic for {J}ava in {Isabelle/HOL}}, + journal = {Concurrency: Practice and Experience}, + year = {2001}, + url = {http://www4.in.tum.de/papers/DvO-CPE01.html}, + abstract = { +This article presents a Hoare-style calculus for a substantial subset +of Java Card, which we call Java_light. In particular, the language +includes side-effecting expressions, mutual recursion, dynamic method +binding, full exception handling, and static class initialization. + +The Hoare logic of partial correctness is proved not only sound (w.r.t. +our operational semantics of Java_light, described in detail elsewhere) +but even complete. It is the first logic for an object-oriented +language that is provably complete. +The completeness proof uses a refinement of the Most General Formula +approach. The proof of soundness gives new insights into the role of +type safety. Further by-products of this work are a new general +methodology for handling side-effecting expressions and their results, +the discovery of the strongest possible rule of consequence, and a +flexible Call rule for mutual recursion. +We also give a small but non-trivial application example. + +All definitions and proofs have been done formally with the interactive +theorem prover Isabelle/HOL. This guarantees not only rigorous definitions, +but also gives maximal confidence in the results obtained.}, + CRClassification = {D.2.4, D.3.1, F.3.1}, + CRGenTerms = {Languages, Verification, Theory}, + note = {\url{http://isabelle.in.tum.de/Bali/papers/CPE01.html}, to appear} +} diff -r a6730c90e753 -r bf98ad1c22c6 src/HOL/NanoJava/document/root.tex --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/HOL/NanoJava/document/root.tex Sat Jun 16 20:06:42 2001 +0200 @@ -0,0 +1,57 @@ +\documentclass[11pt,a4paper]{article} +\usepackage{latexsym,isabelle,isabellesym,latexsym,pdfsetup} + +\urlstyle{tt} +\pagestyle{myheadings} + +\addtolength{\hoffset}{-1,5cm} +\addtolength{\textwidth}{4cm} +\addtolength{\voffset}{-2cm} +\addtolength{\textheight}{4cm} + +%subsection instead of section to make the toc readable +\renewcommand{\thesubsection}{\arabic{subsection}} +\renewcommand{\isamarkupheader}[1]{\newpage\markright{Theory~\isabellecontext}\subsection{#1}} +\renewcommand{\isamarkupsection}[1]{\subsubsection{#1}} + +%remove spaces from the isabelle environment (trivlist makes them too large) +\renewenvironment{isabelle} +{\begin{isabellebody}} +{\end{isabellebody}} + +\newcommand{\nJava}{\it NanoJava} + +%remove clutter from the toc +\setcounter{secnumdepth}{3} +\setcounter{tocdepth}{2} + +\begin{document} + +\title{\nJava} +\author{David von Oheimb \\ Tobias Nipkow} +\maketitle + +\begin{abstract}\noindent + These theories define {\nJava}, a very small fragment of the programming + language Java (with essentially just classes) derived from the one given + in \cite{NipkowOP00}. + For {\nJava}, an operational semantics is given as well as a Hoare logic, + which is proved both sound and (relatively) complete. The Hoare logic + implements a new approach for handling auxiliary variables. + A more complex Hoare logic covering a much larger subset of Java is described + in \cite{DvO-CPE01}.\\ +See also the homepage of project Bali at \url{http://isabelle.in.tum.de/Bali/}. +\end{abstract} + +\tableofcontents +\parindent 0pt \parskip 0.5ex + +\newpage +\input{session} + +\newpage +\nocite{*} +\bibliographystyle{abbrv} +\bibliography{root} + +\end{document}