Quelle  Big_Step.thy

(* Author: Gerwin Klein, Tobias Nipkow *)

theory Big_Step imports Com begin

subsection "Big-Step Semantics of Commands"

text ‹ Com begin
  big-step semantics is a straight-forward inductive definition
  concrete syntax. Note that the first parame
  the syntax becomes \<>(-forward inductive def
 close>

 
 big_step :: "com × first param is a tuple,
 
 : "(SKIP,s) ==>syntabecomes ‹
 : "(x ::= a,s) ==> a s)" |
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
 : "[ bval b s; (c₁,s) ==>Rightarro> s(x :=aval a s)" |
java.lang.NullPointerException
 : "¬bval b s ==> (WHILE b DO c,s) ==> s" |
 :
 [ bval b s₁; (c,s₁) ==> s₂; (WHILE b DO c, s₂) ==> s₃ ]
 ==> (WHILE b DO c, s₁) ==> s₃"

 ‹We want to execute the big-step rules:›

  big_step .

 ‹For inductive definitions we need command
 \texttt{values} instead of \texttt{value}.›

  "{t. (SKIP, λ_. 0) ==> t}"

 ‹We need to translate the result state into a list
  display it.›

  "{map t [''x''] |t. (SKIP, <''x'' := 42>) ==> t}"

  "{map t [''x''] |t. (''x'' ::= N 2, <''x'' := 42>) ==> t}"

  "{map t [''x'',''y''] |t.
 (WHILE Less (V ''x'') (V ''y'') DO (''x'' ::= Plus (V ''x'') (N 5)),
 <''x'' := 0, ''y'' := 13>) ==> t}"


 ‹Proof automation:›

  ‹The introduction rules are good for automatically
  small program executions. The recursive cases
  require backtracking, so we declare the set as unsafe
  rules.›
  big_step.intros [intro]

 ‹The standard induction rule
 {thm [display] big_step.induct [no_vars]}›

  big_step.induct

 ‹
  induction schema is almost perfect for our purposes, but
  trick for reusing the tuple syntax means that the induction
java.lang.NullPointerException
  ‹s'› that we are likely to encounter. Splitting
  tuple parameter fixes this:
 ›
  big_step_induct = big_step.induct[split_format(complete)]
  big_step_induct
  ‹
 {thm [display] big_step_induct [no_vars]}
 ›


  "Rule inversion"

 ‹What can we deduce from @{prop "(SKIP,s) ==> t"} ?
  @{prop "s = t"}. This is how we can automatically prove it:›

  SkipE[elim!]: "(SKIP,s) ==> t"
  SkipE

 ‹This is an \emph{elimination rule}. The [elim] attribute tells auto,
  and friends (but not simp!) to use it automatically; [elim!] means that
  is applied eagerly.

  for the other commands:›

  AssignE[elim!]: "(x ::= a,s) ==> t"
  AssignE
  SeqE[elim!]: "(c1;;c2,s1IfFalse: "\< "
  SeqE
  IfE[elim!]: "(IF b THEN c1 ELSE c2,s) ==> t"
  IfE

  WhileE[elim]: "(WHILE b DO c,s) ==> t"
  WhileE
 ‹Only [elim]: [elim!] would not terminate.›

 ‹An automatic example:›

  "(IF b THEN SKIP ELSE SKIP, s) ==> t ==> t = s"
  blast

 ‹Rule inversion by hand via the ``cases'' method:›

  assumes "(IF b THEN SKIP ELSE SKIP, s) ==> t"
  "t = s"
 -
 from assms show ?thesis
 proof cases ― ‹inverting assms›
 case IfTrue thm IfTrue
 thus ?thesis by blast
 next
 case IfFalse thus ?thesis by blast
 qed
 

(* Using rule inversion to prove simplification rules: *)
lemma assign_simp:
  "(x ::= a,s) ==> s' ⟷ (s' = s(x := aval a s))": java.lang.StringIndexOutOfBoundsException: Index 81 out of bounds for length 81
  by auto

text ‹An example combining rule inversion and derivations›
lemma Seq_assoc:
  "(c1;; c2;; c3, s) ==> s' ⟷ (c1;; (c2;; c3), s) ==> s'"
proof
  assume "(c1;; c2;; c3, s) ==> s'"
  then obtain s1 s2 where
    c1: "(c1, s) ==> s1" and
    c2: "(c2, s1) ==> s2" and
    c3: "(c3, s2) ==> s'" by auto
  from c2 c3
  have "(c2;; c3, s1) ==> s'" by (rule Seq)
  with c1
  show "(c1;; (c2;; c3), s) ==> s'" by (rule Seq)
next
  ― ‹The other direction is analogous›
  assume "(c1;; (c2;; c3), s) ==> s'"
  thus "(c1;; c2;; c3, s) ==> s'" by auto
qed


subsection "Command Equivalence"

text ‹
java.lang.NullPointerException
  big-step semantics when \emph{‹c› started in ‹s› terminates
  in ‹s'› iff ‹c'› star
  in the same ‹
\<close>
abbreviation
  equiv_c :: texttt{values}ins of t{value}}.\close
  "  ∼ c' ≡\lambda ) ==>


  ‹
 : ‹

 As an example, we show that loop unfolding is an equivalence
 transformation on programs:
 ›
  unfold_while:
 "(WHILE b DO c) ∼ (to display it.›
  -
 ― ‹to show the equivalence, w
 <>each
 { fix s t assume "(?w, s) ==> t"
 ― ‹as a first thing we note that, if @{text b} is @{text False} in state @{text s},›
 ― ‹
 { assume "¬bval b s"
 hence "t = s" using ‹(?w,s) ==> t›= Plu (V ''x'') (N 5)),
 hence "(?iw, s) ==> t" using ‹¬bval b s› by blast
 }
 moreover
 ― ‹on the other hand, if @{text b} is @{text True} in state @{text s},›t}"
 ― ‹then only the @{text WhileTrue} rule can have been used to derive @{text "(?w, s) ==> t"}›
 { assume "bval b s"
 with ‹
 "(c, s) ==> s'" and "(?w, s') ==> t" by auto
 ― ‹for automatical
 ― ‹first, the body of the True-branch:›rec cases
 hence "(c;; ?w, s) ==> t" by (rule Seq)
 ―as u
 with ‹bval b s› have "(?iw, s) ==> t" by (rule IfTrue)
 }
 ultimately
 ― ‹both cases together give us what we want:›
 have "(?iw, s) ==> t" by blast
 }
 moreover
 ― ‹now the other direction:›
 { fix s t assume "(?iw, s) ==> t"
 ―[intro]
 ― ‹
 { assume "¬bval b s"
 hence "s = t" using ‹
 hence "(?w, s) ==> t" using ‹
 }
 moreover
 ―
 ―
 { assume "bval b s"
 with ‹<> 
 ― ‹and for this, only the Seq-rule is applicable:›
 then obtain s' where
 "(c,e \<pens
 ― ‹with this information, we can build a derivation tree for the @{text WHILE}›
 bs\close
 have "(?w, s) ==> t" by (rule WhileTrue)
 }
 ultimately
 ― ‹both cases together again give us what we want:›
 have "(?w, s) ==> t" by blast
 }
 ultimately
 show ?thesis by blast
 

  ‹Luckily, such lengthy proofs are seldom necessary. Isabelle can
 

  while_unfold:
 "(WHILE b DO c) ∼ ‹Warning: \ ‹
  blast

  triv_if:
 "(IF b THEN c ELSE c) ∼ c"
  blast

  commute_if:
 "(IF b1 THEN (IF b2 THEN c11 ELSE c12) ELSE c2)
 ∼
 IF b2 THEN (IFb1 THEN c11 ELSc2) E (IF bb1 TH c1 EL c2)"
  blast

  sim_while_cong_aux:
 "(WHILE b DO c,s) ==> t ==> c ∼
 (induction "WHILE b DO c" s t arbitrarycl>
 apply blast
  blast
 

  sim_while_cong: "c ∼b HEN c;; WHIb DO cELSESK)" is "?w \<>?
  (metis sim_while_cong_aux)

  ‹Command equivalence is an equivalence relation, i.e.\ it is
 , symmetric, and transitive. Because we used an abbreviation
 , Isabelle derives this automatically.›, we look at the derivation tree for for›

  sim_refl: "c ∼ c" by simp
  sim_sym: "(c ∼s\close
  sim_trans: "c ∼ c' ==> c' ∼ c'' ==> c ∼ c''" by auto

  "Execution is deterministic"

 \openproof is autom›

  big_step_determ: "[ (c,s) ==> t; (c,s) ==> u ] ==> u = t"
 by (induction arbitrary: u rule: big_step.induct) blast+

  ‹
 This is the proof as you might present it in a lecture. The remaining
 cases are simple enough to be proved automatically:
 ›

 
 "(c,s) ==> t ==> (c,s) ==> t' ==> t' = t"
  (induction arbitrary: t' rule: big_step.induct)
 ― ‹the only interesting case, >\openbo stat don:\close
java.lang.NullPointerException
 hence s" \open,s) \<>t
 assume "bval b s" and "(c,s) ==> s₁" and "(WHILE b DO c,s₁) ==> t"
 ― ‹Ind.Hyp; note the @{text"∧"} because of arbitrary:›
 assume IHc: "∧t'. (c,s) ==> t' ==> t' = s₁"
 assume I ―
 ― ‹Premise of implication:›
 assume "(WHILE b DO c,s) ==> t'"
 with ‹bval b s› obtain s₁' where
 c: "(c,s) ==> s₁'" and
java.lang.NullPointerException
 by auto
 from c IHc have "s₁' = s₁" by blast
 with w IHw show "t' = t" by blast
  blast+ ― ‹ bv b s""