(* Title: HOL/Bali/AxSound.thy Author: David von Oheimb and Norbert Schirmer
*)
subsection \<open>Soundness proof for Axiomatic semantics of Java expressions and
statements \<close>
theory AxSound imports AxSem begin
subsubsection "validity"
definition
triple_valid2 :: "prog \ nat \ 'a triple \ bool" (\_\_\_\[61,0, 58] 57) where "G\n\t =
(case t of {P} t\<succ> {Q} \<Rightarrow> \<forall>Y s Z. P Y s Z \<longrightarrow> (\<forall>L. s\<Colon>\<preceq>(G,L) \<longrightarrow> (\<forall>T C A. (normal s \<longrightarrow> (\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T \<and> \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>dom (locals (store s))\<guillemotright>t\<guillemotright>A)) \<longrightarrow>
(\<forall>Y' s'. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y',s') \<longrightarrow> Q Y' s' Z \<and> s'\<Colon>\<preceq>(G,L)))))"
text\<open>This definition differs from the ordinary \<open>triple_valid_def\<close>
manly in the conclusion: We also ensures conformance of the result state. So
we don't have to apply the type soundness lemma all the time during induction. This definitionis only introduced for the soundness proof of the axiomatic semantics, in the end we will conclude to
the ordinary definition. \<close>
lemma triple_valid2_def2: "G\n\{P} t\ {Q} =
(\<forall>Y s Z. P Y s Z \<longrightarrow> (\<forall>Y' s'. G\<turnstile>s \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (Y',s')\<longrightarrow>
(\<forall>L. s\<Colon>\<preceq>(G,L) \<longrightarrow> (\<forall>T C A. (normal s \<longrightarrow> (\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T \<and> \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>dom (locals (store s))\<guillemotright>t\<guillemotright>A)) \<longrightarrow>
Q Y' s' Z \<and> s'\<Colon>\<preceq>(G,L)))))" apply (unfold triple_valid2_def) apply (simp (no_asm) add: split_paired_All) apply blast done
lemma triples_valid2_Suc: "Ball ts (triple_valid2 G (Suc n)) \ Ball ts (triple_valid2 G n)" apply (fast intro: triple_valid2_Suc) done
lemma"G|\n:insert t A = (G\n:t \ G|\n:A)" oops
subsubsection "soundness"
lemma Methd_sound: assumes recursive: "G,A\ {{P} Methd-\ {Q} | ms}|\\{{P} body G-\ {Q} | ms}" shows"G,A|\\{{P} Methd-\ {Q} | ms}" proof - have"\t\A. G\n\t \ \t\{{P} Methd-\ {Q} | ms}. G\n\t" if rec: "\n. \t\(A \ {{P} Methd-\ {Q} | ms}). G\n\t \<Longrightarrow> \<forall>t\<in>{{P} body G-\<succ> {Q} | ms}. G\<Turnstile>n\<Colon>t" for n proof (induct n) case 0 show"\t\{{P} Methd-\ {Q} | ms}. G\0\t" proof - have"G\0\{Normal (P C sig)} Methd C sig-\ {Q C sig}" if"(C,sig) \ ms" for C sig by (rule Methd_triple_valid2_0) thus ?thesis by (simp add: mtriples_def split_def) qed next case (Suc m) note hyp = \<open>\<forall>t\<in>A. G\<Turnstile>m\<Colon>t \<Longrightarrow> \<forall>t\<in>{{P} Methd-\<succ> {Q} | ms}. G\<Turnstile>m\<Colon>t\<close> note prem = \<open>\<forall>t\<in>A. G\<Turnstile>Suc m\<Colon>t\<close> show"\t\{{P} Methd-\ {Q} | ms}. G\Suc m\t" proof - have"G\Suc m\{Normal (P C sig)} Methd C sig-\ {Q C sig}" if m: "(C,sig) \ ms" for C sig proof - from prem have prem_m: "\t\A. G\m\t" by (rule triples_valid2_Suc) hence"\t\{{P} Methd-\ {Q} | ms}. G\m\t" by (rule hyp) with prem_m have"\t\(A \ {{P} Methd-\ {Q} | ms}). G\m\t" by (simp add: ball_Un) hence"\t\{{P} body G-\ {Q} | ms}. G\m\t" by (rule rec) with m have"G\m\{Normal (P C sig)} body G C sig-\ {Q C sig}" by (auto simp add: mtriples_def split_def) thus ?thesis by (rule Methd_triple_valid2_SucI) qed thus ?thesis by (simp add: mtriples_def split_def) qed qed with recursive show ?thesis by (unfold ax_valids2_def) blast qed
lemma valids2_inductI: "\s t n Y' s'. G\s\t\\n\ (Y',s') \ t = c \
Ball A (triple_valid2 G n) \<longrightarrow> (\<forall>Y Z. P Y s Z \<longrightarrow>
(\<forall>L. s\<Colon>\<preceq>(G,L) \<longrightarrow>
(\<forall>T C A. (normal s \<longrightarrow> (\<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>t\<Colon>T) \<and> \<lparr>prg=G,cls=C,lcl=L\<rparr>\<turnstile>dom (locals (store s))\<guillemotright>t\<guillemotright>A) \<longrightarrow>
Q Y' s' Z \<and> s'\<Colon>\<preceq>(G, L)))) \<Longrightarrow>
G,A|\<Turnstile>\<Colon>{ {P} c\<succ> {Q}}" apply (simp (no_asm) add: ax_valids2_def triple_valid2_def2) apply clarsimp done
lemma da_good_approx_evalnE [consumes 4]: assumes evaln: "G\s0 \t\\n\ (v, s1)" and wt: "\prg=G,cls=C,lcl=L\\t\T" and da: "\prg=G,cls=C,lcl=L\\ dom (locals (store s0)) \t\ A" and wf: "wf_prog G" and elim: "\normal s1 \ nrm A \ dom (locals (store s1)); \<And> l. \<lbrakk>abrupt s1 = Some (Jump (Break l)); normal s0\<rbrakk> \<Longrightarrow> brk A l \<subseteq> dom (locals (store s1)); \<lbrakk>abrupt s1 = Some (Jump Ret);normal s0\<rbrakk> \<Longrightarrow>Result \<in> dom (locals (store s1)) \<rbrakk> \<Longrightarrow> P" shows"P" proof - from evaln have"G\s0 \t\\ (v, s1)" by (rule evaln_eval) from this wt da wf elim show P by (rule da_good_approxE') iprover+ qed
lemma validI: assumes I: "\ n s0 L accC T C v s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L);
normal s0 \<Longrightarrow> \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>T;
normal s0 \<Longrightarrow> \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>t\<guillemotright>C;
G\<turnstile>s0 \<midarrow>t\<succ>\<midarrow>n\<rightarrow> (v,s1); P Y s0 Z\<rbrakk> \<Longrightarrow> Q v s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {P} t\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (case_tac "normal s") apply clarsimp apply (rule I,(assumption|simp)+)
lemma valid_stmtI: assumes I: "\ n s0 L accC C s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L);
normal s0\<Longrightarrow> \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c\<Colon>\<surd>;
normal s0\<Longrightarrow>\<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>\<langle>c\<rangle>\<^sub>s\<guillemotright>C;
G\<turnstile>s0 \<midarrow>c\<midarrow>n\<rightarrow> s1; P Y s0 Z\<rbrakk> \<Longrightarrow> Q \<diamondsuit> s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {P} \c\\<^sub>s\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (case_tac "normal s") apply clarsimp apply (rule I,(assumption|simp)+)
apply (rule I,auto) done
lemma valid_stmt_NormalI: assumes I: "\ n s0 L accC C s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L); normal s0; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>c\<Colon>\<surd>; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>\<langle>c\<rangle>\<^sub>s\<guillemotright>C;
G\<turnstile>s0 \<midarrow>c\<midarrow>n\<rightarrow> s1; (Normal P) Y s0 Z\<rbrakk> \<Longrightarrow> Q \<diamondsuit> s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {Normal P} \c\\<^sub>s\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (elim exE conjE) apply (rule I) by auto
lemma valid_var_NormalI: assumes I: "\ n s0 L accC T C vf s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L); normal s0; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>=T; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>\<langle>t\<rangle>\<^sub>v\<guillemotright>C;
G\<turnstile>s0 \<midarrow>t=\<succ>vf\<midarrow>n\<rightarrow> s1; (Normal P) Y s0 Z\<rbrakk> \<Longrightarrow> Q (In2 vf) s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {Normal P} \t\\<^sub>v\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (elim exE conjE) apply simp apply (rule I) by auto
lemma valid_expr_NormalI: assumes I: "\ n s0 L accC T C v s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L); normal s0; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>-T; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>\<langle>t\<rangle>\<^sub>e\<guillemotright>C;
G\<turnstile>s0 \<midarrow>t-\<succ>v\<midarrow>n\<rightarrow> s1; (Normal P) Y s0 Z\<rbrakk> \<Longrightarrow> Q (In1 v) s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {Normal P} \t\\<^sub>e\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (elim exE conjE) apply simp apply (rule I) by auto
lemma valid_expr_list_NormalI: assumes I: "\ n s0 L accC T C vs s1 Y Z. \<lbrakk>\<forall>t\<in>A. G\<Turnstile>n\<Colon>t; s0\<Colon>\<preceq>(G,L); normal s0; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>t\<Colon>\<doteq>T; \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0))\<guillemotright>\<langle>t\<rangle>\<^sub>l\<guillemotright>C;
G\<turnstile>s0 \<midarrow>t\<doteq>\<succ>vs\<midarrow>n\<rightarrow> s1; (Normal P) Y s0 Z\<rbrakk> \<Longrightarrow> Q (In3 vs) s1 Z \<and> s1\<Colon>\<preceq>(G,L)" shows"G,A|\\{ {Normal P} \t\\<^sub>l\ {Q} }" apply (simp add: ax_valids2_def triple_valid2_def2) apply (intro allI impI) apply (elim exE conjE) apply simp apply (rule I) by auto
lemma validE [consumes 5]: assumes valid: "G,A|\\{ {P} t\ {Q} }" and P: "P Y s0 Z" and valid_A: "\t\A. G\n\t" and conf: "s0\\(G,L)" and eval: "G\s0 \t\\n\ (v,s1)" and wt: "normal s0 \ \prg=G,cls=accC,lcl=L\\t\T" and da: "normal s0 \ \prg=G,cls=accC,lcl=L\\dom (locals (store s0))\t\C" and elim: "\Q v s1 Z; s1\\(G,L)\ \ concl" shows concl using assms by (simp add: ax_valids2_def triple_valid2_def2) fast (* why consumes 5?. If I want to apply this lemma in a context wgere \<not> normal s0 holds, I can chain "\<not> normal s0" as fact number 6 and apply the rule with cases. Auto will then solve premise 6 and 7.
*)
lemma all_empty: "(\x. P) = P" by simp
corollary evaln_type_sound: assumes evaln: "G\s0 \t\\n\ (v,s1)" and
wt: "\prg=G,cls=accC,lcl=L\\t\T" and
da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0)) \t\ A" and
conf_s0: "s0\\(G,L)" and
wf: "wf_prog G" shows"s1\\(G,L) \ (normal s1 \ G,L,store s1\t\v\\T) \
(error_free s0 = error_free s1)" proof - from evaln have"G\s0 \t\\ (v,s1)" by (rule evaln_eval) from this wt da wf conf_s0 show ?thesis by (rule eval_type_sound) qed
corollary dom_locals_evaln_mono_elim [consumes 1]: assumes
evaln: "G\ s0 \t\\n\ (v,s1)" and
hyps: "\dom (locals (store s0)) \ dom (locals (store s1)); \<And> vv s val. \<lbrakk>v=In2 vv; normal s1\<rbrakk> \<Longrightarrow> dom (locals (store s)) \<subseteq> dom (locals (store ((snd vv) val s)))\<rbrakk> \<Longrightarrow> P" shows"P" proof - from evaln have"G\ s0 \t\\ (v,s1)" by (rule evaln_eval) from this hyps show ?thesis by (rule dom_locals_eval_mono_elim) iprover+ qed
lemma evaln_no_abrupt: "\s s'. \G\s \t\\n\ (w,s'); normal s'\ \ normal s" by (erule evaln_cases,auto)
declare inj_term_simps [simp] lemma ax_sound2: assumes wf: "wf_prog G" and deriv: "G,A|\ts" shows"G,A|\\ts" using deriv proof (induct) case (empty A) show ?case by (simp add: ax_valids2_def triple_valid2_def2) next case (insert A t ts) note valid_t = \<open>G,A|\<Turnstile>\<Colon>{t}\<close> moreover note valid_ts = \<open>G,A|\<Turnstile>\<Colon>ts\<close> have"\t'\insert t ts. G\n\t'" if valid_A: "\t\A. G\n\t" for n proof - have"G\n\t" using valid_A valid_t by (simp add: ax_valids2_def) moreover have"\t\ts. G\n\t" using valid_A valid_ts by (unfold ax_valids2_def) blast ultimatelyshow"\t'\insert t ts. G\n\t'" by simp qed thus ?case by (unfold ax_valids2_def) blast next case (asm ts A) from\<open>ts \<subseteq> A\<close> show"G,A|\\ts" by (auto simp add: ax_valids2_def triple_valid2_def) next case (weaken A ts' ts) note\<open>G,A|\<Turnstile>\<Colon>ts'\<close> moreovernote\<open>ts \<subseteq> ts'\<close> ultimatelyshow"G,A|\\ts" by (unfold ax_valids2_def triple_valid2_def) blast next case (conseq P A t Q) note con = \<open>\<forall>Y s Z. P Y s Z \<longrightarrow>
(\<exists>P' Q'.
(G,A\<turnstile>{P'} t\<succ> {Q'} \<and> G,A|\<Turnstile>\<Colon>{ {P'} t\<succ> {Q'} }) \<and>
(\<forall>Y' s'. (\<forall>Y Z'. P' Y s Z' \<longrightarrow> Q' Y' s' Z') \<longrightarrow> Q Y' s' Z))\<close> show"G,A|\\{ {P} t\ {Q} }" proof (rule validI) fix n s0 L accC T C v s1 Y Z assume valid_A: "\t\A. G\n\t" assume conf: "s0\\(G,L)" assume wt: "normal s0 \ \prg=G,cls=accC,lcl=L\\t\T" assume da: "normal s0 \<Longrightarrow> \<lparr>prg=G,cls=accC,lcl=L\<rparr>\<turnstile>dom (locals (store s0)) \<guillemotright>t\<guillemotright> C" assume eval: "G\s0 \t\\n\ (v, s1)" assume P: "P Y s0 Z" show"Q v s1 Z \ s1\\(G, L)" proof - from valid_A conf wt da eval P con have"Q v s1 Z" apply (simp add: ax_valids2_def triple_valid2_def2) apply (tactic "smp_tac \<^context> 3 1") apply clarify apply (tactic "smp_tac \<^context> 1 1") apply (erule allE,erule allE, erule mp) apply (intro strip) apply (tactic "smp_tac \<^context> 3 1") apply (tactic "smp_tac \<^context> 2 1") apply (tactic "smp_tac \<^context> 1 1") by blast moreoverhave"s1\\(G, L)" proof (cases "normal s0") case True from eval wt [OF True] da [OF True] conf wf show ?thesis by (rule evaln_type_sound [elim_format]) simp next case False with eval have"s1=s0" by auto with conf show ?thesis by simp qed ultimatelyshow ?thesis .. qed qed next case (hazard A P t Q) show"G,A|\\{ {P \. Not \ type_ok G t} t\ {Q} }" by (simp add: ax_valids2_def triple_valid2_def2 type_ok_def) fast next case (Abrupt A P t) show"G,A|\\{ {P\undefined3 t \. Not \ normal} t\ {P} }" proof (rule validI) fix n s0 L accC T C v s1 Y Z assume conf_s0: "s0\\(G, L)" assume eval: "G\s0 \t\\n\ (v, s1)" assume"(P\undefined3 t \. Not \ normal) Y s0 Z" thenobtain P: "P (undefined3 t) s0 Z"and abrupt_s0: "\ normal s0" by simp from eval abrupt_s0 obtain"s1=s0"and"v=undefined3 t" by auto with P conf_s0 show"P v s1 Z \ s1\\(G, L)" by simp qed next case (LVar A P vn) show"G,A|\\{ {Normal (\s.. P\In2 (lvar vn s))} LVar vn=\ {P} }" proof (rule valid_var_NormalI) fix n s0 L accC T C vf s1 Y Z assume conf_s0: "s0\\(G, L)" assume normal_s0: "normal s0" assume wt: "\prg = G, cls = accC, lcl = L\\LVar vn\=T" assume da: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\LVar vn\\<^sub>v\ C" assume eval: "G\s0 \LVar vn=\vf\n\ s1" assume P: "(Normal (\s.. P\In2 (lvar vn s))) Y s0 Z" show"P (In2 vf) s1 Z \ s1\\(G, L)" proof from eval normal_s0 obtain"s1=s0""vf=lvar vn (store s0)" by (fastforce elim: evaln_elim_cases) with P show"P (In2 vf) s1 Z" by simp next from eval wt da conf_s0 wf show"s1\\(G, L)" by (rule evaln_type_sound [elim_format]) simp qed qed next case (FVar A P statDeclC Q e stat fn R accC) note valid_init = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} .Init statDeclC. {Q} }\<close> note valid_e = \<open>G,A|\<Turnstile>\<Colon>{ {Q} e-\<succ> {\<lambda>Val:a:. fvar statDeclC stat fn a ..; R} }\<close> show"G,A|\\{ {Normal P} {accC,statDeclC,stat}e..fn=\ {R} }" proof (rule valid_var_NormalI) fix n s0 L accC' T V vf s3 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC',lcl=L\\{accC,statDeclC,stat}e..fn\=T" assume da: "\prg=G,cls=accC',lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>{accC,statDeclC,stat}e..fn\<rangle>\<^sub>v\<guillemotright> V" assume eval: "G\s0 \{accC,statDeclC,stat}e..fn=\vf\n\ s3" assume P: "(Normal P) Y s0 Z" show"R \vf\\<^sub>v s3 Z \ s3\\(G, L)" proof - from wt obtain statC f where
wt_e: "\prg=G, cls=accC, lcl=L\\e\-Class statC" and
accfield: "accfield G accC statC fn = Some (statDeclC,f)"and
eq_accC: "accC=accC'"and
stat: "stat=is_static f"and
T: "T=(type f)" by (cases) (auto simp add: member_is_static_simp) from da eq_accC have da_e: "\prg=G, cls=accC, lcl=L\\dom (locals (store s0))\\e\\<^sub>e\ V" by cases simp from eval obtain a s1 s2 s2' where
eval_init: "G\s0 \Init statDeclC\n\ s1" and
eval_e: "G\s1 \e-\a\n\ s2" and
fvar: "(vf,s2')=fvar statDeclC stat fn a s2"and
s3: "s3 = check_field_access G accC statDeclC fn stat a s2'" using normal_s0 by (fastforce elim: evaln_elim_cases) have wt_init: "\prg=G, cls=accC, lcl=L\\(Init statDeclC)\\" proof - from wf wt_e have iscls_statC: "is_class G statC" by (auto dest: ty_expr_is_type type_is_class) with wf accfield have iscls_statDeclC: "is_class G statDeclC" by (auto dest!: accfield_fields dest: fields_declC) thus ?thesis by simp qed obtain I where
da_init: "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>Init statDeclC\<rangle>\<^sub>s\<guillemotright> I" by (auto intro: da_Init [simplified] assigned.select_convs) from valid_init P valid_A conf_s0 eval_init wt_init da_init obtain Q: "Q \ s1 Z" and conf_s1: "s1\\(G, L)" by (rule validE) obtain
R: "R \vf\\<^sub>v s2' Z" and
conf_s2: "s2\\(G, L)" and
conf_a: "normal s2 \ G,store s2\a\\Class statC" proof (cases "normal s1") case True obtain V' where
da_e': "\prg=G,cls=accC,lcl=L\ \dom (locals (store s1))\\e\\<^sub>e\ V'" proof - from eval_init have"(dom (locals (store s0))) \ (dom (locals (store s1)))" by (rule dom_locals_evaln_mono_elim) with da_e show thesis by (rule da_weakenE) (rule that) qed with valid_e Q valid_A conf_s1 eval_e wt_e obtain"R \vf\\<^sub>v s2' Z" and "s2\\(G, L)" by (rule validE) (simp add: fvar [symmetric]) moreover from eval_e wt_e da_e' conf_s1 wf have"normal s2 \ G,store s2\a\\Class statC" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. next case False with valid_e Q valid_A conf_s1 eval_e obtain"R \vf\\<^sub>v s2' Z" and "s2\\(G, L)" by (cases rule: validE) (simp add: fvar [symmetric])+ moreoverfrom False eval_e have"\ normal s2" by auto hence"normal s2 \ G,store s2\a\\Class statC" by auto ultimatelyshow ?thesis .. qed from accfield wt_e eval_init eval_e conf_s2 conf_a fvar stat s3 wf have eq_s3_s2': "s3=s2'" using normal_s0 by (auto dest!: error_free_field_access evaln_eval) moreover from eval wt da conf_s0 wf have"s3\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis using Q R by simp qed qed next case (AVar A P e1 Q e2 R) note valid_e1 = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} e1-\<succ> {Q} }\<close> have valid_e2: "\ a. G,A|\\{ {Q\In1 a} e2-\ {\Val:i:. avar G i a ..; R} }" using AVar.hyps by simp show"G,A|\\{ {Normal P} e1.[e2]=\ {R} }" proof (rule valid_var_NormalI) fix n s0 L accC T V vf s2' Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\e1.[e2]\=T" assume da: "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>e1.[e2]\<rangle>\<^sub>v\<guillemotright> V" assume eval: "G\s0 \e1.[e2]=\vf\n\ s2'" assume P: "(Normal P) Y s0 Z" show"R \vf\\<^sub>v s2' Z \ s2'\\(G, L)" proof - from wt obtain
wt_e1: "\prg=G,cls=accC,lcl=L\\e1\-T.[]" and
wt_e2: "\prg=G,cls=accC,lcl=L\\e2\-PrimT Integer" by (rule wt_elim_cases) simp from da obtain E1 where
da_e1: "\prg=G,cls=accC,lcl=L\ \dom (locals (store s0))\\e1\\<^sub>e\ E1" and
da_e2: "\prg=G,cls=accC,lcl=L\\ nrm E1 \\e2\\<^sub>e\ V" by (rule da_elim_cases) simp from eval obtain s1 a i s2 where
eval_e1: "G\s0 \e1-\a\n\ s1" and
eval_e2: "G\s1 \e2-\i\n\ s2" and
avar: "avar G i a s2 =(vf, s2')" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e1 P valid_A conf_s0 eval_e1 wt_e1 da_e1 obtain Q: "Q \a\\<^sub>e s1 Z" and conf_s1: "s1\\(G, L)" by (rule validE) from Q have Q': "\ v. (Q\In1 a) v s1 Z" by simp have"R \vf\\<^sub>v s2' Z" proof (cases "normal s1") case True obtain V' where "\prg=G,cls=accC,lcl=L\ \dom (locals (store s1))\\e2\\<^sub>e\ V'" proof - from eval_e1 wt_e1 da_e1 wf True have"nrm E1 \ dom (locals (store s1))" by (cases rule: da_good_approx_evalnE) iprover with da_e2 show thesis by (rule da_weakenE) (rule that) qed with valid_e2 Q' valid_A conf_s1 eval_e2 wt_e2 show ?thesis by (rule validE) (simp add: avar) next case False with valid_e2 Q' valid_A conf_s1 eval_e2 show ?thesis by (cases rule: validE) (simp add: avar)+ qed moreover from eval wt da conf_s0 wf have"s2'\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (NewC A P C Q) note valid_init = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} .Init C. {Alloc G (CInst C) Q} }\<close> show"G,A|\\{ {Normal P} NewC C-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s2 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\NewC C\-T" assume da: "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>NewC C\<rangle>\<^sub>e\<guillemotright> E" assume eval: "G\s0 \NewC C-\v\n\ s2" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s2 Z \ s2\\(G, L)" proof - from wt obtain is_cls_C: "is_class G C" by (rule wt_elim_cases) (auto dest: is_acc_classD) hence wt_init: "\prg=G, cls=accC, lcl=L\\Init C\\" by auto obtain I where
da_init: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\Init C\\<^sub>s\ I" by (auto intro: da_Init [simplified] assigned.select_convs) from eval obtain s1 a where
eval_init: "G\s0 \Init C\n\ s1" and
alloc: "G\s1 \halloc CInst C\a\ s2" and
v: "v=Addr a" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_init P valid_A conf_s0 eval_init wt_init da_init obtain"(Alloc G (CInst C) Q) \ s1 Z" by (rule validE) with alloc v have"Q \v\\<^sub>e s2 Z" by simp moreover from eval wt da conf_s0 wf have"s2\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (NewA A P T Q e R) note valid_init = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} .init_comp_ty T. {Q} }\<close> note valid_e = \<open>G,A|\<Turnstile>\<Colon>{ {Q} e-\<succ> {\<lambda>Val:i:. abupd (check_neg i) .;
Alloc G (Arr T (the_Intg i)) R}}\<close> show"G,A|\\{ {Normal P} New T[e]-\ {R} }" proof (rule valid_expr_NormalI) fix n s0 L accC arrT E v s3 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\New T[e]\-arrT" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0)) \\New T[e]\\<^sub>e\ E" assume eval: "G\s0 \New T[e]-\v\n\ s3" assume P: "(Normal P) Y s0 Z" show"R \v\\<^sub>e s3 Z \ s3\\(G, L)" proof - from wt obtain
wt_init: "\prg=G,cls=accC,lcl=L\\init_comp_ty T\\" and
wt_e: "\prg=G,cls=accC,lcl=L\\e\-PrimT Integer" by (rule wt_elim_cases) (auto intro: wt_init_comp_ty ) from da obtain
da_e:"\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\e\\<^sub>e\ E" by cases simp from eval obtain s1 i s2 a where
eval_init: "G\s0 \init_comp_ty T\n\ s1" and
eval_e: "G\s1 \e-\i\n\ s2" and
alloc: "G\abupd (check_neg i) s2 \halloc Arr T (the_Intg i)\a\ s3" and
v: "v=Addr a" using normal_s0 by (fastforce elim: evaln_elim_cases) obtain I where
da_init: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0)) \\init_comp_ty T\\<^sub>s\ I" proof (cases "\C. T = Class C") case True show ?thesis by (rule that)
(use True in \<open>auto intro: da_Init [simplified] assigned.select_convs
simp add: init_comp_ty_def\<close>) (* simplified: to rewrite \<langle>Init C\<rangle> to In1r (Init C) *) next case False show ?thesis by (rule that)
(use False in \<open>auto intro: da_Skip [simplified] assigned.select_convs
simp add: init_comp_ty_def\<close>) (* simplified: to rewrite \<langle>Skip\<rangle> to In1r (Skip) *) qed with valid_init P valid_A conf_s0 eval_init wt_init obtain Q: "Q \ s1 Z" and conf_s1: "s1\\(G, L)" by (rule validE) obtain E' where "\prg=G,cls=accC,lcl=L\\ dom (locals (store s1)) \\e\\<^sub>e\ E'" proof - from eval_init have"dom (locals (store s0)) \ dom (locals (store s1))" by (rule dom_locals_evaln_mono_elim) with da_e show thesis by (rule da_weakenE) (rule that) qed with valid_e Q valid_A conf_s1 eval_e wt_e have"(\Val:i:. abupd (check_neg i) .;
Alloc G (Arr T (the_Intg i)) R) \<lfloor>i\<rfloor>\<^sub>e s2 Z" by (rule validE) with alloc v have"R \v\\<^sub>e s3 Z" by simp moreover from eval wt da conf_s0 wf have"s3\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Cast A P e T Q) note valid_e = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} e-\<succ>
{\<lambda>Val:v:. \<lambda>s.. abupd (raise_if (\<not> G,s\<turnstile>v fits T) ClassCast) .;
Q\<leftarrow>In1 v} }\<close> show"G,A|\\{ {Normal P} Cast T e-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC castT E v s2 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\Cast T e\-castT" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0)) \\Cast T e\\<^sub>e\ E" assume eval: "G\s0 \Cast T e-\v\n\ s2" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s2 Z \ s2\\(G, L)" proof - from wt obtain eT where
wt_e: "\prg = G, cls = accC, lcl = L\\e\-eT" by cases simp from da obtain
da_e: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\e\\<^sub>e\ E" by cases simp from eval obtain s1 where
eval_e: "G\s0 \e-\v\n\ s1" and
s2: "s2 = abupd (raise_if (\ G,snd s1\v fits T) ClassCast) s1" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e P valid_A conf_s0 eval_e wt_e da_e have"(\Val:v:. \s.. abupd (raise_if (\ G,s\v fits T) ClassCast) .;
Q\<leftarrow>In1 v) \<lfloor>v\<rfloor>\<^sub>e s1 Z" by (rule validE) with s2 have"Q \v\\<^sub>e s2 Z" by simp moreover from eval wt da conf_s0 wf have"s2\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Inst A P e Q T) assume valid_e: "G,A|\\{ {Normal P} e-\
{\<lambda>Val:v:. \<lambda>s.. Q\<leftarrow>In1 (Bool (v \<noteq> Null \<and> G,s\<turnstile>v fits RefT T))} }" show"G,A|\\{ {Normal P} e InstOf T-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC instT E v s1 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\e InstOf T\-instT" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0))\\e InstOf T\\<^sub>e\ E" assume eval: "G\s0 \e InstOf T-\v\n\ s1" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s1 Z \ s1\\(G, L)" proof - from wt obtain eT where
wt_e: "\prg = G, cls = accC, lcl = L\\e\-eT" by cases simp from da obtain
da_e: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\e\\<^sub>e\ E" by cases simp from eval obtain a where
eval_e: "G\s0 \e-\a\n\ s1" and
v: "v = Bool (a \ Null \ G,store s1\a fits RefT T)" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e P valid_A conf_s0 eval_e wt_e da_e have"(\Val:v:. \s.. Q\In1 (Bool (v \ Null \ G,s\v fits RefT T))) \<lfloor>a\<rfloor>\<^sub>e s1 Z" by (rule validE) with v have"Q \v\\<^sub>e s1 Z" by simp moreover from eval wt da conf_s0 wf have"s1\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Lit A P v) show"G,A|\\{ {Normal (P\In1 v)} Lit v-\ {P} }" proof (rule valid_expr_NormalI) fix n L s0 s1 v' Y Z assume conf_s0: "s0\\(G, L)" assume normal_s0: " normal s0" assume eval: "G\s0 \Lit v-\v'\n\ s1" assume P: "(Normal (P\In1 v)) Y s0 Z" show"P \v'\\<^sub>e s1 Z \ s1\\(G, L)" proof - from eval have"s1=s0"and"v'=v" using normal_s0 by (auto elim: evaln_elim_cases) with P conf_s0 show ?thesis by simp qed qed next case (UnOp A P e Q unop) assume valid_e: "G,A|\\{ {Normal P}e-\{\Val:v:. Q\In1 (eval_unop unop v)} }" show"G,A|\\{ {Normal P} UnOp unop e-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s1 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\UnOp unop e\-T" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0))\\UnOp unop e\\<^sub>e\E" assume eval: "G\s0 \UnOp unop e-\v\n\ s1" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s1 Z \ s1\\(G, L)" proof - from wt obtain eT where
wt_e: "\prg = G, cls = accC, lcl = L\\e\-eT" by cases simp from da obtain
da_e: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\e\\<^sub>e\ E" by cases simp from eval obtain ve where
eval_e: "G\s0 \e-\ve\n\ s1" and
v: "v = eval_unop unop ve" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e P valid_A conf_s0 eval_e wt_e da_e have"(\Val:v:. Q\In1 (eval_unop unop v)) \ve\\<^sub>e s1 Z" by (rule validE) with v have"Q \v\\<^sub>e s1 Z" by simp moreover from eval wt da conf_s0 wf have"s1\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (BinOp A P e1 Q binop e2 R) assume valid_e1: "G,A|\\{ {Normal P} e1-\ {Q} }" have valid_e2: "\ v1. G,A|\\{ {Q\In1 v1}
(if need_second_arg binop v1 then In1l e2 else In1r Skip)\<succ>
{\<lambda>Val:v2:. R\<leftarrow>In1 (eval_binop binop v1 v2)} }" using BinOp.hyps by simp show"G,A|\\{ {Normal P} BinOp binop e1 e2-\ {R} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s2 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\BinOp binop e1 e2\-T" assume da: "\prg=G,cls=accC,lcl=L\ \<turnstile>dom (locals (store s0)) \<guillemotright>\<langle>BinOp binop e1 e2\<rangle>\<^sub>e\<guillemotright> E" assume eval: "G\s0 \BinOp binop e1 e2-\v\n\ s2" assume P: "(Normal P) Y s0 Z" show"R \v\\<^sub>e s2 Z \ s2\\(G, L)" proof - from wt obtain e1T e2T where
wt_e1: "\prg=G,cls=accC,lcl=L\\e1\-e1T" and
wt_e2: "\prg=G,cls=accC,lcl=L\\e2\-e2T" and
wt_binop: "wt_binop G binop e1T e2T" by cases simp have wt_Skip: "\prg = G, cls = accC, lcl = L\\Skip\\" by simp (* obtain S where daSkip: "\<lparr>prg=G,cls=accC,lcl=L\<rparr> \<turnstile> dom (locals (store s1)) \<guillemotright>In1r Skip\<guillemotright> S"
by (auto intro: da_Skip [simplified] assigned.select_convs) *) from da obtain E1 where
da_e1: "\prg=G,cls=accC,lcl=L\ \ dom (locals (store s0)) \\e1\\<^sub>e\ E1" by cases simp+ from eval obtain v1 s1 v2 where
eval_e1: "G\s0 \e1-\v1\n\ s1" and
eval_e2: "G\s1 \(if need_second_arg binop v1 then \e2\\<^sub>e else \Skip\\<^sub>s) \<succ>\<midarrow>n\<rightarrow> (\<lfloor>v2\<rfloor>\<^sub>e, s2)" and
v: "v=eval_binop binop v1 v2" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e1 P valid_A conf_s0 eval_e1 wt_e1 da_e1 obtain Q: "Q \v1\\<^sub>e s1 Z" and conf_s1: "s1\\(G,L)" by (rule validE) from Q have Q': "\ v. (Q\In1 v1) v s1 Z" by simp have"(\Val:v2:. R\In1 (eval_binop binop v1 v2)) \v2\\<^sub>e s2 Z" proof (cases "normal s1") case True from eval_e1 wt_e1 da_e1 conf_s0 wf have conf_v1: "G,store s1\v1\\e1T" by (rule evaln_type_sound [elim_format]) (use True in simp) from eval_e1 have"G\s0 \e1-\v1\ s1" by (rule evaln_eval) from da wt_e1 wt_e2 wt_binop conf_s0 True this conf_v1 wf obtain E2 where
da_e2: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s1)) \<guillemotright>(if need_second_arg binop v1 then \<langle>e2\<rangle>\<^sub>e else \<langle>Skip\<rangle>\<^sub>s)\<guillemotright> E2" by (rule da_e2_BinOp [elim_format]) iprover from wt_e2 wt_Skip obtain T2 where"\prg=G,cls=accC,lcl=L\ \<turnstile>(if need_second_arg binop v1 then \<langle>e2\<rangle>\<^sub>e else \<langle>Skip\<rangle>\<^sub>s)\<Colon>T2" by (cases "need_second_arg binop v1") auto note ve=validE [OF valid_e2,OF Q' valid_A conf_s1 eval_e2 this da_e2] (* chaining Q', without extra OF causes unification error *) thus ?thesis by (rule ve) next case False note ve=validE [OF valid_e2,OF Q' valid_A conf_s1 eval_e2] with False show ?thesis by iprover qed with v have"R \v\\<^sub>e s2 Z" by simp moreover from eval wt da conf_s0 wf have"s2\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Super A P) show"G,A|\\{ {Normal (\s.. P\In1 (val_this s))} Super-\ {P} }" proof (rule valid_expr_NormalI) fix n L s0 s1 v Y Z assume conf_s0: "s0\\(G, L)" assume normal_s0: " normal s0" assume eval: "G\s0 \Super-\v\n\ s1" assume P: "(Normal (\s.. P\In1 (val_this s))) Y s0 Z" show"P \v\\<^sub>e s1 Z \ s1\\(G, L)" proof - from eval have"s1=s0"and"v=val_this (store s0)" using normal_s0 by (auto elim: evaln_elim_cases) with P conf_s0 show ?thesis by simp qed qed next case (Acc A P var Q) note valid_var = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} var=\<succ> {\<lambda>Var:(v, f):. Q\<leftarrow>In1 v} }\<close> show"G,A|\\{ {Normal P} Acc var-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s1 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\Acc var\-T" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0))\\Acc var\\<^sub>e\E" assume eval: "G\s0 \Acc var-\v\n\ s1" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s1 Z \ s1\\(G, L)" proof - from wt obtain
wt_var: "\prg=G,cls=accC,lcl=L\\var\=T" by cases simp from da obtain V where
da_var: "\prg=G,cls=accC,lcl=L\ \ dom (locals (store s0)) \\var\\<^sub>v\ V" by (cases "\ n. var=LVar n") (use da.LVar in \auto elim!: da_elim_cases\) from eval obtain upd where
eval_var: "G\s0 \var=\(v, upd)\n\ s1" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_var P valid_A conf_s0 eval_var wt_var da_var have"(\Var:(v, f):. Q\In1 v) \(v, upd)\\<^sub>v s1 Z" by (rule validE) thenhave"Q \v\\<^sub>e s1 Z" by simp moreover from eval wt da conf_s0 wf have"s1\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Ass A P var Q e R) note valid_var = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} var=\<succ> {Q} }\<close> have valid_e: "\ vf.
G,A|\<Turnstile>\<Colon>{ {Q\<leftarrow>In2 vf} e-\<succ> {\<lambda>Val:v:. assign (snd vf) v .; R} }" using Ass.hyps by simp show"G,A|\\{ {Normal P} var:=e-\ {R} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s3 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\var:=e\-T" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0))\\var:=e\\<^sub>e\E" assume eval: "G\s0 \var:=e-\v\n\ s3" assume P: "(Normal P) Y s0 Z" show"R \v\\<^sub>e s3 Z \ s3\\(G, L)" proof - from wt obtain varT where
wt_var: "\prg=G,cls=accC,lcl=L\\var\=varT" and
wt_e: "\prg=G,cls=accC,lcl=L\\e\-T" by cases simp from eval obtain w upd s1 s2 where
eval_var: "G\s0 \var=\(w, upd)\n\ s1" and
eval_e: "G\s1 \e-\v\n\ s2" and
s3: "s3=assign upd v s2" using normal_s0 by (auto elim: evaln_elim_cases) have"R \v\\<^sub>e s3 Z" proof (cases "\ vn. var = LVar vn") case False with da obtain V where
da_var: "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>var\<rangle>\<^sub>v\<guillemotright> V" and
da_e: "\prg=G,cls=accC,lcl=L\ \ nrm V \\e\\<^sub>e\ E" by cases simp+ from valid_var P valid_A conf_s0 eval_var wt_var da_var obtain Q: "Q \(w,upd)\\<^sub>v s1 Z" and conf_s1: "s1\\(G,L)" by (rule validE) hence Q': "\ v. (Q\In2 (w,upd)) v s1 Z" by simp have"(\Val:v:. assign (snd (w,upd)) v .; R) \v\\<^sub>e s2 Z" proof (cases "normal s1") case True obtain E' where
da_e': "\prg=G,cls=accC,lcl=L\\ dom (locals (store s1)) \\e\\<^sub>e\ E'" proof - from eval_var wt_var da_var wf True have"nrm V \ dom (locals (store s1))" by (cases rule: da_good_approx_evalnE) iprover with da_e show thesis by (rule da_weakenE) (rule that) qed note ve=validE [OF valid_e,OF Q' valid_A conf_s1 eval_e wt_e da_e'] show ?thesis by (rule ve) next case False note ve=validE [OF valid_e,OF Q' valid_A conf_s1 eval_e] with False show ?thesis by iprover qed with s3 show"R \v\\<^sub>e s3 Z" by simp next case True thenobtain vn where
vn: "var = LVar vn" by auto with da obtain E where
da_e: "\prg=G,cls=accC,lcl=L\ \ dom (locals (store s0)) \\e\\<^sub>e\ E" by cases simp+ from da.LVar vn obtain V where
da_var: "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s0)) \<guillemotright>\<langle>var\<rangle>\<^sub>v\<guillemotright> V" by auto from valid_var P valid_A conf_s0 eval_var wt_var da_var obtain Q: "Q \(w,upd)\\<^sub>v s1 Z" and conf_s1: "s1\\(G,L)" by (rule validE) hence Q': "\ v. (Q\In2 (w,upd)) v s1 Z" by simp have"(\Val:v:. assign (snd (w,upd)) v .; R) \v\\<^sub>e s2 Z" proof (cases "normal s1") case True obtain E' where
da_e': "\prg=G,cls=accC,lcl=L\ \<turnstile> dom (locals (store s1)) \<guillemotright>\<langle>e\<rangle>\<^sub>e\<guillemotright> E'" proof - from eval_var have"dom (locals (store s0)) \ dom (locals (store (s1)))" by (rule dom_locals_evaln_mono_elim) with da_e show thesis by (rule da_weakenE) (rule that) qed note ve=validE [OF valid_e,OF Q' valid_A conf_s1 eval_e wt_e da_e'] show ?thesis by (rule ve) next case False note ve=validE [OF valid_e,OF Q' valid_A conf_s1 eval_e] with False show ?thesis by iprover qed with s3 show"R \v\\<^sub>e s3 Z" by simp qed moreover from eval wt da conf_s0 wf have"s3\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Cond A P e0 P' e1 e2 Q) note valid_e0 = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} e0-\<succ> {P'} }\<close> have valid_then_else:"\ b. G,A|\\{ {P'\=b} (if b then e1 else e2)-\ {Q} }" using Cond.hyps by simp show"G,A|\\{ {Normal P} e0 ? e1 : e2-\ {Q} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s2 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\e0 ? e1 : e2\-T" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0))\\e0 ? e1:e2\\<^sub>e\E" assume eval: "G\s0 \e0 ? e1 : e2-\v\n\ s2" assume P: "(Normal P) Y s0 Z" show"Q \v\\<^sub>e s2 Z \ s2\\(G, L)" proof - from wt obtain T1 T2 where
wt_e0: "\prg=G,cls=accC,lcl=L\\e0\-PrimT Boolean" and
wt_e1: "\prg=G,cls=accC,lcl=L\\e1\-T1" and
wt_e2: "\prg=G,cls=accC,lcl=L\\e2\-T2" by cases simp from da obtain E0 E1 E2 where
da_e0: "\prg=G,cls=accC,lcl=L\\ dom (locals (store s0)) \\e0\\<^sub>e\ E0" and
da_e1: "\prg=G,cls=accC,lcl=L\ \<turnstile>(dom (locals (store s0)) \<union> assigns_if True e0)\<guillemotright>\<langle>e1\<rangle>\<^sub>e\<guillemotright> E1" and
da_e2: "\prg=G,cls=accC,lcl=L\ \<turnstile>(dom (locals (store s0)) \<union> assigns_if False e0)\<guillemotright>\<langle>e2\<rangle>\<^sub>e\<guillemotright> E2" by cases simp+ from eval obtain b s1 where
eval_e0: "G\s0 \e0-\b\n\ s1" and
eval_then_else: "G\s1 \(if the_Bool b then e1 else e2)-\v\n\ s2" using normal_s0 by (fastforce elim: evaln_elim_cases) from valid_e0 P valid_A conf_s0 eval_e0 wt_e0 da_e0 obtain"P' \b\\<^sub>e s1 Z" and conf_s1: "s1\\(G,L)" by (rule validE) hence P': "\ v. (P'\=(the_Bool b)) v s1 Z" by (cases "normal s1") auto have"Q \v\\<^sub>e s2 Z" proof (cases "normal s1") case True note normal_s1=this from wt_e1 wt_e2 obtain T' where
wt_then_else: "\prg=G,cls=accC,lcl=L\\(if the_Bool b then e1 else e2)\-T'" by (cases "the_Bool b") simp+ have s0_s1: "dom (locals (store s0)) \<union> assigns_if (the_Bool b) e0 \<subseteq> dom (locals (store s1))" proof - from eval_e0 have eval_e0': "G\s0 \e0-\b\ s1" by (rule evaln_eval) hence "dom (locals (store s0)) \ dom (locals (store s1))" by (rule dom_locals_eval_mono_elim) moreover from eval_e0' True wt_e0 have"assigns_if (the_Bool b) e0 \ dom (locals (store s1))" by (rule assigns_if_good_approx') ultimatelyshow ?thesis by (rule Un_least) qed obtain E' where
da_then_else: "\prg=G,cls=accC,lcl=L\ \<turnstile>dom (locals (store s1))\<guillemotright>\<langle>if the_Bool b then e1 else e2\<rangle>\<^sub>e\<guillemotright> E'" proof (cases "the_Bool b") case True with that da_e1 s0_s1 show ?thesis by simp (erule da_weakenE,auto) next case False with that da_e2 s0_s1 show ?thesis by simp (erule da_weakenE,auto) qed with valid_then_else P' valid_A conf_s1 eval_then_else wt_then_else show ?thesis by (rule validE) next case False with valid_then_else P' valid_A conf_s1 eval_then_else show ?thesis by (cases rule: validE) iprover+ qed moreover from eval wt da conf_s0 wf have"s2\\(G, L)" by (rule evaln_type_sound [elim_format]) simp ultimatelyshow ?thesis .. qed qed next case (Call A P e Q args R mode statT mn pTs' S accC') note valid_e = \<open>G,A|\<Turnstile>\<Colon>{ {Normal P} e-\<succ> {Q} }\<close> have valid_args: "\ a. G,A|\\{ {Q\In1 a} args\\ {R a} }" using Call.hyps by simp have valid_methd: "\ a vs invC declC l.
G,A|\<Turnstile>\<Colon>{ {R a\<leftarrow>In3 vs \<and>.
(\<lambda>s. declC =
invocation_declclass G mode (store s) a statT \<lparr>name = mn, parTs = pTs'\<rparr> \<and>
invC = invocation_class mode (store s) a statT \<and>
l = locals (store s)) ;.
init_lvars G declC \<lparr>name = mn, parTs = pTs'\<rparr> mode a vs \<and>.
(\<lambda>s. normal s \<longrightarrow> G\<turnstile>mode\<rightarrow>invC\<preceq>statT)}
Methd declC \<lparr>name=mn,parTs=pTs'\<rparr>-\<succ> {set_lvars l .; S} }" using Call.hyps by simp show"G,A|\\{ {Normal P} {accC',statT,mode}e\mn( {pTs'}args)-\ {S} }" proof (rule valid_expr_NormalI) fix n s0 L accC T E v s5 Y Z assume valid_A: "\t\A. G\n\t" assume conf_s0: "s0\\(G,L)" assume normal_s0: "normal s0" assume wt: "\prg=G,cls=accC,lcl=L\\{accC',statT,mode}e\mn( {pTs'}args)\-T" assume da: "\prg=G,cls=accC,lcl=L\\dom (locals (store s0)) \<guillemotright>\<langle>{accC',statT,mode}e\<cdot>mn( {pTs'}args)\<rangle>\<^sub>e\<guillemotright> E" assume eval: "G\s0 \{accC',statT,mode}e\mn( {pTs'}args)-\v\n\ s5" assume P: "(Normal P) Y s0 Z" show"S \v\\<^sub>e s5 Z \ s5\\(G, L)" proof - from wt obtain pTs statDeclT statM where
wt_e: "\prg=G,cls=accC,lcl=L\\e\-RefT statT" and
wt_args: "\prg=G,cls=accC,lcl=L\\args\\pTs" and
statM: "max_spec G accC statT \name=mn,parTs=pTs\
= {((statDeclT,statM),pTs')}" and
mode: "mode = invmode statM e"and
T: "T =(resTy statM)"and
eq_accC_accC': "accC=accC'" by cases fastforce+ from da obtain C where
da_e: "\prg=G,cls=accC,lcl=L\\ (dom (locals (store s0)))\\e\\<^sub>e\ C" and
da_args: "\prg=G,cls=accC,lcl=L\\ nrm C \\args\\<^sub>l\ E" by cases simp from eval eq_accC_accC' obtain a s1 vs s2 s3 s3' s4 invDeclC where
evaln_e: "G\s0 \e-\a\n\ s1" and
evaln_args: "G\s1 \args\\vs\n\ s2" and
invDeclC: "invDeclC = invocation_declclass
G mode (store s2) a statT \<lparr>name=mn,parTs=pTs'\<rparr>" and
s3: "s3 = init_lvars G invDeclC \name=mn,parTs=pTs'\ mode a vs s2" and
check: "s3' = check_method_access G
accC' statT mode \name = mn, parTs = pTs'\ a s3" and
evaln_methd: "G\s3' \Methd invDeclC \name=mn,parTs=pTs'\-\v\n\ s4" and
s5: "s5=(set_lvars (locals (store s2))) s4" using normal_s0 by (auto elim: evaln_elim_cases)
from evaln_e have eval_e: "G\s0 \e-\a\ s1" by (rule evaln_eval)
from eval_e _ wt_e wf have s1_no_return: "abrupt s1 \ Some (Jump Ret)" by (rule eval_expression_no_jump
[where ?Env="\prg=G,cls=accC,lcl=L\",simplified])
(use normal_s0 in auto)
from valid_e P valid_A conf_s0 evaln_e wt_e da_e obtain"Q \a\\<^sub>e s1 Z" and conf_s1: "s1\\(G,L)" by (rule validE) hence Q: "\ v. (Q\In1 a) v s1 Z" by simp obtain
R: "(R a) \vs\\<^sub>l s2 Z" and
conf_s2: "s2\\(G,L)" and
s2_no_return: "abrupt s2 \ Some (Jump Ret)" proof (cases "normal s1") case True obtain E' where
da_args': "\prg=G,cls=accC,lcl=L\\ dom (locals (store s1)) \\args\\<^sub>l\ E'" proof - from evaln_e wt_e da_e wf True have"nrm C \ dom (locals (store s1))" by (cases rule: da_good_approx_evalnE) iprover with da_args show thesis by (rule da_weakenE) (rule that) qed with valid_args Q valid_A conf_s1 evaln_args wt_args obtain"(R a) \vs\\<^sub>l s2 Z" "s2\\(G,L)" by (rule validE) moreover from evaln_args have e: "G\s1 \args\\vs\ s2" by (rule evaln_eval) from this s1_no_return wt_args wf have"abrupt s2 \ Some (Jump Ret)" by (rule eval_expression_list_no_jump
[where ?Env="\prg=G,cls=accC,lcl=L\",simplified]) ultimatelyshow ?thesis .. next case False with valid_args Q valid_A conf_s1 evaln_args obtain"(R a) \vs\\<^sub>l s2 Z" "s2\\(G,L)" by (cases rule: validE) iprover+ moreover from False evaln_args have"s2=s1" by auto with s1_no_return have"abrupt s2 \ Some (Jump Ret)" by simp ultimatelyshow ?thesis .. qed
obtain invC where
invC: "invC = invocation_class mode (store s2) a statT" by simp with s3 have invC': "invC = (invocation_class mode (store s3) a statT)"
--> --------------------
--> maximum size reached
--> --------------------
¤ Dauer der Verarbeitung: 0.43 Sekunden
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
