(* Title: HOL/Hoare/SchorrWaite.thy Author: Farhad Mehta Copyright 2003 TUM
*)
section
theory imports begin
subsection
definition \<open>Machinery for the Schorr-Waite proof\<close>java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
rel :: "( "rel m={,) m }java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
definition
relS"' 'a ref) set \ ('a \ 'a) set" where" "rel m = {(xy).m =Refy}java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 38
definition
addrs :apply blast where"addrs P = {a. Ref a \ P}"
definitiondone
:: " where"elS=(Union where
lemmas=relS_def( :Image_iffapply
apply"( z <>Ra
( UnE =rel_def applyblast done
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 apply java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 done
lemma
( simpImage_iff
apply: "reachable mS{}={" apply( "(y zjava.lang.StringIndexOutOfBoundsException: Index 52 out of bounds for length 52
(blast apply (auto(simp: reachable_defrel_defs) applyblast done
emmareachable}
apply :rtrancl_into_rtranclapply java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 done
reachable_union:( )java.lang.StringIndexOutOfBoundsException: Index 43 out of bounds for length 43 apply( add rel_defsapply(imp reachable_def applyjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 done
java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 apply(simp: rel_defs apply done
lemma rel_upd1:apply simp: rel_defs addrs_defblastwherem={,.xy) apply (ruleclassicaljava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
by (a add) done
lemmaby (uto(simp add fun_upd_apply apply (auto \<comment> \<open>A short form for the stack mapping function for List\<close>: (a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'a ref) \<Rightarrow> ('a \<Rightarrow> 'a ref) \<Rightarrow> ('a \<Rightarrow> 'a ref)"
ab) apply (case_tac java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
done
lemma( add S_def
by,imp
lemma rel_upd3: "(a, b) \ (r|(m(q := t))) \ (a,b) \ (r|m) \ a = q "
( classicalauto addjava.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30 apply( add) done
lemmajava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 apply(induct_tac stack apply(simp add:fun_upd_apply S_def)+ done
lemma :: "' where "S c l r = (\x. if c x then r x else l x)" "java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
java.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 23 apply(stkOk (#)=( r Ref)java.lang.StringIndexOutOfBoundsException: Index 74 out of bounds for length 74 done
primrec stkOk (c(x := f)) l r iL iR t xs = stkOk c l r iL iR t xs"
java.lang.StringIndexOutOfBoundsException: Index 258 out of bounds for length 258 where
stkOk_nil: "stkOk c l r iL iR t [] = True"
| stkOk_cons[]: " "stkOk c l r iL iR t (p#java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
a(nduct_tac
iRsimp java.lang.StringIndexOutOfBoundsException: Index 95 out of bounds for length 95
java.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
l ) r ) ( =c iLx "
applyinduct xs) applyauto:eq_sym_convjava.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30 done
lemma [simp" c l r iLiR applyinduct ))
stkOk) iR=stkOk iR apply (induct xs)
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 done
lemma stkOk_r_rewritesimp:"\x. x \ set xs \
stkOkxs apply( xs
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 done
lemma [VARS
stkOklemma] \And.\<lbrakk> x \<notin> set xs; Ref x\<noteq>t \<rbrakk> \<Longrightarrow> c (x=)r clr iR" done apply (auto [simpWHILE done
theorem: "" ( simp)
{R = reachable ( {l, r) {} \<and> (\<forall>x. \<not> m x) \<and> iR = r \<and> iL = l}
t: root lx=)r iR x xsstkOkriL x "
( )
INV( simp)
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
:g)l iR java.lang.NullPointerException
xjava.lang.StringIndexOutOfBoundsException: Index 86 out of bounds for length 86
(foralljava.lang.NullPointerException
(
( c r iL )
t= \<or> t^.m THENIF p^.c IF ^.
ELSEt ^. ^r=p^.;
^l : ;p. = True
ELSE q := p; p := t; t := t apply (auto:eq_sym_conv^l q .:True
p^subsection "reachable r java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
(is"Valid
({,,r,p,,) cml }
(_(applyblast
(Aseq proof ()
{ fix c m l r t (seqAseqjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 assume (<>x\<> {
s" c l Null by(simp add: addrs_def
(\<forall>x. x \<in> R \<and> \<not>m x \<longrightarrow> \<comment> \<open>\<open>i4\<close>\<close> ? rootbyadd) fix c mlrt java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21 let assume DO IFt Null thenwhere: "? stack"byjava.lang.StringIndexOutOfBoundsException: Range [54, 55) out of bounds for length 54 froma pNullELSE: t : ^r ^ pl comment
aveI1 ? and""and ? + apply^ ;p.c =FI from tDisj i4\<
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 nextisjava.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 4 fix(c,, ,letjava.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41 let\existsstack java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41 "
existsstackstack "?inv (c(p \ True)) m (l(p \ t)) (r(p \ p^.l)) (p^.r) p" let
?(t\\<rightarrow> False)) (m(t \<rightarrow> True)) (l(t \<rightarrow> p)) r (t^.l) t"
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 let"?ifB2" = " ?Precobtainstackapply()
ssume\<exists>stack.?Inv stack) \<and> ?whileB m t p"
:Inv"andwhileB whileBmt "by
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
i1 :""andI3:"I4java.lang.StringIndexOutOfBoundsException: Index 69 out of bounds for length 69 and java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
java.lang.StringIndexOutOfBoundsException: Index 105 out of bounds for length 105
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
\<not>?ifB1 \<longrightarrow> (\<exists>stack.?puInv stack))" \<forall>x. \<not> m x) \<Longrightarrow> (R |m) = R"
{
ifB1pNull tack fromby( simp:restr_def:converse_rtranclE
eaddr_p_eq" auto with (utofrom i6 (<forall>x.(x \<in> R) = m x) \<and> r = iR \<and> l = iL" by(auto simp: stackEmpty fun_eq_iff intro:RisMarked)
yautowithobtainwhere: "stack = (addr p #stack_tl"
with java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11
stackDist rule
stackDistdistinct? ( Null "<>poI2and> ?poI3\ ?poI4\ ?poI5\ ?poI6\ ?poI7" = "?popInv stack_tl" have"?popInv stack_tl" proof
\<comment> \<open>List property is maintained:\<close> from i1 i1 ifB2 where llambda>x. if c x then r x else l x)"
poI1poI1List r > t))) (p^.r) stack_tl"
( add stack_eq add S_def)
moreover \<comment> \<open>Everything on the stack is marked:\<close>lemma[,]: fromapply ) moreover
\<comment> \<open>Everything is still reachable:\<close> rule_format(java.lang.StringIndexOutOfBoundsException: Range [0, 37) out of bounds for length 0
=reachableAjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 obtainwhere<>java.lang.StringIndexOutOfBoundsException: Index 84 out of bounds for length 84 let apply add S_defproof )
[,simp: proof
neStep_reachable iffD2
(from p_notin_stack_tljava.lang.StringIndexOutOfBoundsException: Index 93 out of bounds for length 93
intro:oneStep_reachable : ? stack_tl "? ?L" show fromp_notin_stack_tl qediL :addrs_def showjava.lang.NullPointerException
(rule) show"addrsjava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 by(fastforcefromhavepoI2 simpjava.lang.StringIndexOutOfBoundsException: Index 43 out of bounds for length 43
intro next show"R =reachable? ?Ajava.lang.StringIndexOutOfBoundsException: Index 39 out of bounds for length 13 byclarsimp:)
simp:rel_def
qed withhave: "R =reachable let" moreover
\<comment> \<open>If it is reachable and not marked, it is still reachable using...\<close>"}unionsetmap (\ letjava.lang.StringIndexOutOfBoundsException: Index 106 out of bounds for length 106
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
h :java.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87 \<comment> \<open>Our goal is \<open>\<forall>x. x \<in> R \<and> \<not> m x \<longrightarrow> x \<in> reachable ?Rb ?B\<close>.\<close> rx:( simp:rel_def addrs_def
T .java.lang.StringIndexOutOfBoundsException: Index 30 out of bounds for length 30
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 4 proof
( simp java.lang.StringIndexOutOfBoundsException: Index 45 out of bounds for length 17 by (autonext (( : ) iR x) xs c l<> <open now aterm right the of show by ( poI4 java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
(fastforce <> \<open>If it is reachable and not marked, it is still reachable using...\<close>"""^ qed have "?Ra\<^sup>* `` addrs ?A \<subseteq> ?Rb\<^sup>* `` (addrs ?B \<union> addrs ?T)" hence subset"?\<^sup>* `` addrs ?A - ?Rb\<^sup>* `` addrs ?T \ ?Rb\<^sup>* `` addrs ?B" byblast have poI4: "\x. x \ R \ \ m x \ x \ reachable ?Rb ?B" proof allI" subseteq?Rb^sup>*`(addrs ? \ addrs ?T)" by ( cong :stack_eq intro)
a \<in> R \<and> \<not> m x" \<comment> \<open>First, a disjunction on \<^term>\<open>p^.r\<close> used later in the proof\<close>
incl by autoqed \<comment> \<open>\<^term>\<open>x\<close> belongs to the left hand side of @{thm[source] subset}:\<close> iL IF\<or> t^.m
\comment\open therefore the \<omment
i7ifB2
:\<>.x
(uto: addr_p_eqfun_upd_apply q := p p java.lang.StringIndexOutOfBoundsException: Index 1 out of bounds for length 0
\<comment> \<open>If it is marked, then it is reachable\<close>byjava.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21 fromhave poI5: "x. m x \ x \ R" . moreover clarsimpstack_eq)
"popInvstack_tl java.lang.StringIndexOutOfBoundsException: Index 52 out of bounds for length 52
i7 have poI6thus excl
letchable\<close>
\<comment> \<open>If it is on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields can be reconstructed\<close> i5have: ".{
p_notin_stack_tl by:stack_eq)
from p_notin_stack_tl i7 have poI7: "stkOk c l (r(p \<rightarrow> t)) iL iR p stack_tl"java.lang.StringIndexOutOfBoundsException: Index 59 out of bounds for length 59
{ \<comment> \<open>Swing arm\<close>let (=Null
java.lang.StringIndexOutOfBoundsException: Index 69 out of bounds for length 69 then ?\> with stack_tl \<comment> \<open>we show fewer comments and use frequent pattern matching.\<close>
:"swI2 frommoreover bysimp obtainhave:" tack i1by( List_distinct) "?swInv stack"
java.lang.StringIndexOutOfBoundsException: Range [10, 8) out of bounds for length 15
\<comment> \<open>List property is maintained:\<close> from i1 p_notin_stack_tl nifB2 have swI1
simp: stack_eq t \<or> t^.m" and ifB2: "p^.c" moreover
\> from i2
moreover
\<comment> \<open>Everything is still reachable:\<close>with"."by
le? ?A ?" let"R = reachable ?Rb simp show byclarsimp)( simp: Image_iff poI1 show"addrs ?A \ ?Rb\<^sup>* `` addrs ?B" by( simp rel_defs intro Image_iffjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 0 next " ?B ?Ra\<^sup>* `` addrs ?A" by(fastforce simp (addaddr_p_eq, simp S_def
show
( simp fastforce \< next show"(x, y)\?Rb-?Ra. y\(?Ra\<^sup>*``addrs ?A)" java.lang.StringIndexOutOfBoundsException: Index 106 out of bounds for length 106 by (clarsimp? "}java.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 24
with i3 (rule ? p,.} have: "?swI3 by (addreachable_def) moreover
< \<open>Everything is still reachable:\<close> letl "R=reachable ?Rb ?"" let "Ra^sup>*``addrs ?A \ ?Rb\<^sup>*``(addrs ?B \ addrs ?T)" proof (rule :relS_def) addrsjava.lang.StringIndexOutOfBoundsException: Index 64 out of bounds for length 63
(auto add:p_notin_stack_tl:fun_upd_other) show"addrs ?A \ ?Rb\<^sup>* `` (addrs ?B \ addrs ?T)" by (fastforce cong:map_cong "<> \<>(,y
java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
ed
(simprestr_def add Image_ifffun_upd_applyrel_upd1 qed thencomment(only) \forallx.x\<>Rjava.lang.StringIndexOutOfBoundsException: Index 106 out of bounds for length 106 have? proof ruleby auto:addrs_def fix x
:"in> R \\ m x" with i4 by ( simp by( only, clarsimp with
have "x\java.lang.StringIndexOutOfBoundsException: Index 57 out of bounds for length 57 by (auto simp add:addrs_def) from inc exc subset (rule)
(utosimp:reachable_def qed moreover
\<comment> \<open>If it is marked, then it is reachable\<close> fromi5 have"?swI5" . show"(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``(addrs ?B \ addrs ?T))" moreover
\<comment> \<open>If it is not on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields are unchanged\<close> then subsetRa have"swI6java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22 by clarsimp "?wI7java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22 moreover
a :x\<in> R \<and> \<not> m x"
java.lang.StringIndexOutOfBoundsException: Range [25, 24) out of bounds for length 33 have"?swI7" by (haveexc x\notin?java.lang.StringIndexOutOfBoundsException: Index 57 out of bounds for length 57
hbyuto) qed "
} moreover
{ \comment> with from java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18 then\<>\<open>List property is maintained:\<close> with i1 obtain""
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18 with i2java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 let" moreover have"?puInv new_stack" proof -
\<comment> \<open>List property is maintained:\<close> from i1 t_notin_stack have poI6 by (simp add:addr_t_eq moreover
\<comment> \<open>Everything on the stack is marked:\<close>
i2 havefromp_notin_stack_tl have: "stkOkc proof(java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41
new_stack_eq) moreover
\<comment> \<open>Everything is still reachable:\<close>"addrs? \Proofs of the Swing and Push arm follow.\ let = Ra = <comment> \<open>we show fewer comments and use frequent pattern matching.\<close>
ifB1"ifB1"and" have?Ra^sup* `addrs ?byclarsimprelS_deffastforcerel_def :java.lang.StringIndexOutOfBoundsException: Index 104 out of bounds for length 104 proof rule) show"addrs ?A \ ?Rb\<^sup>* `` addrs ?B" by(astforce: rel_defs intro Image_iff show next show? by(fastforce simp with
java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14 show"\(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``addrs ?B)" by( simp) (fastforcesimp:rel_def addrs_defdest next show"\(x, y)\?Rb-?Ra. y\(?Ra\<^sup>*``addrs ?A)" by (clarsimp "?\<^sup*`addrs ? java.lang.StringIndexOutOfBoundsException: Range [0, 90) out of bounds for length 18 qed
swI2swI2
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
\> let"\x. x \ R \ \ m x \ x \ reachable ?Ra ?A" = ?I4 let"x. x \ R \ \ ?new_m x \ x \ reachable ?Rb ?B" = ?puI4 let ( still_reachable_eq have"?Ra\<^sup>*``addrs ?A \ ?Rb\<^sup>*``(addrs ?B \ addrs ?T)" proof (rule) show?java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 by(simp intro) next "(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``(addrs ?B \ addrs ?T))"
restr_upd
(fastforce
java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 thenhave subset "\(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``addrs ?B)" byblast
java.lang.StringIndexOutOfBoundsException: Range [70, 20) out of bounds for length 20
) fixwithhave t_notin_stackby(larsimp "\java.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63 assume a: "x \ R \ \ ?new_m x" have xDisj with by (fastforce simp:java.lang.StringIndexOutOfBoundsException: Index 38 out of bounds for length 31 have : "x\<> ?Rb\<^sup>*`` addrs ?T" usingan_m_addr_t by (clarsimp simp from inc i6 by (auto java.lang.StringIndexOutOfBoundsException: Index 25 out of bounds for length 20 qed moreover
from i5 have" by simponly: ) byby( simp rel_defs intro Image_iff iffD2 moreover
i6 have"?puI6" by (simp add:new_stack_eq) moreovernext
java.lang.StringIndexOutOfBoundsException: Range [0, 136) out of bounds for length 18
stackDist i7 have"?puI7"by (clarsimp simp:addr_t_eq new_stack_eq)
ultimatelyshow ?thesis
java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 thenhave"\stack. ?puInv stack" by blast
} ultimately< qed
} qed
end