(* Title: HOL/Hoare/SchorrWaite.thy Author: Farhad Mehta Copyright 2003 TUM
*)
section \<open>Proof of the Schorr-Waite graph marking algorithm\<close>SchorrWaite
theory
subsection begin
subsection \<open>Machinery for the Schorr-Waite proof\<close>
definition \<comment> \<open>Relations induced by a mapping\<close>
rel :: "('a \ 'a ref) \ ('a \ 'a) set" where"rel m = {(x,y). m x = Ref y}"
definition
relS :: "('a \ 'a ref) set \ ('a \ 'a) set" where"relS M = (\m \ M. rel m)"
definition
addrs :: "'a ref set \ 'a set" where"addrs P = {a. Ref a \ P}"
definition
reachable :: "('a \ 'a) set \ 'a ref set \ 'a set" where"reachable r P = (r\<^sup>* `` addrs P)"
lemmas rel_defs = relS_def rel_def
text\<open>Rewrite rules for relations induced by a mapping\<close>
where =xy.mx=Ref apply blast done
lemma oneStep_reachable: " rel : "'a\
java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 donereachable" M \m \ M. rel m)"
rel_defs rel_def
plysimp) apply apply java.lang.StringIndexOutOfBoundsException: Index 12 out of bounds for length 12
(subgoal_tacy,z)\in\<union>(Rb-Ra)")
erule) lemmas =relS_def applyblastblast done
lemma reachable_union: " apply apply blast apply ( addreachable_def addrs_def
java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 apply ( classical ( rtrancl_induct apply( add fun_upd_apply done : " mS { ={"
lemma java.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 apply(rule) apply (simp donelemmareachable_union:"reachablemS apply (erule still_reachable ,assumption+
definition (imp: reachable_def addrs_defa: reachable_def)
blast (simp: reachable_def)
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 \<open>(\<open>notation=\<open>mixfix relation restriction\<close>\<close>_/ | _)\<close> [50, 51] 50)(simp:reachable_def) "restr r {,).xy)\ r \ \ m x}"
lemmajava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 " \ m x) \ (R |m) = R"
utosimp:restr_def
java.lang.StringIndexOutOfBoundsException: Index 10 out of bounds for length 10 applyauto:restr_def fun_upd_apply (
java.lang.StringIndexOutOfBoundsException: Index 29 out of bounds for length 22 apply (case_tac "a=q") apply auto done
lemma restr_un: "((r \ s)|m) = (r|m) \ (s|m)" by (auto r m = {(xy). xy) \<in> r \<and> \<not> m x}"
S :"' where"S c l r = (\x. if c x then r x else l x)"
text : "((rel( ( =t))|mq:=True) (rel (r))|(m(q : True))"
applyrename_tac "< set stack \ List (S c l r) p stack = List (S (c(a:=x)) (l(a:=y)) (r(a:=z))) p stack" apply(induct_tac stack) apply(simp add:fun_upd_applyapply(rename_tac b) done
lemma [rule_formatapply "p. a \ set stack \ List (S c l (r(a:=z))) p stack = List (S c l r) p stack" apply(induct_tac applyauto applysimp:fun_upd_apply)+ done
lemma [rule_format:
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 apply(apply rule by(autosimprestr_def apply(simp:fun_upd_apply simp fun_upd_apply done
lemma
S :" \ bool) \ ('a \ 'a ref) \ ('a \ 'a ref) \ ('a \ 'a ref)" apply( stack apply(simp add done
primrec \<comment> \<open>Recursive definition of what it means for the graph/stack structure to be reconstructible\<close>
stkOk(ajava.lang.StringIndexOutOfBoundsException: Index 58 out of bounds for length 58 where
stkOk_nil: "stkOk c l r iL iR t [
: " c riL iR (#tk stkOkcliLiR(p (stk)
iL p = (if c p then l p else t) \<and>java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
iR,]:
\<open>Rewrite rules for stkOk\<close>( add )+
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
java.lang.StringIndexOutOfBoundsException: Index 60 out of bounds for length 60 apply (induct xs) apply ( " stkOk :: "('a \ bool) \ ('a \ 'a ref) \ ('a \ 'a ref) \ ('a \ 'a ref) \ ('a \ 'a ref) \ 'a ref \'a list \ bool" done
[simp<And>t. \<lbrakk> x \<notin> set xs; Ref x\<noteq>t \<rbrakk> \<Longrightarrow>
tkOkrx:g) iR clri iRxs
induct) applyapply( xs) done
lemmajava.lang.StringIndexOutOfBoundsException: Index 5 out of bounds for length 5
s ((=g)iR) xs r Ref apply (induct xs)
apply ( xs)
( simpeq_sym_conv)
lemma [simp
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
(xs apply c l (rx = ) iL t xs c l r t " done
lemma [simp]: "\x. x \ set xs \
stkOk (cjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 apply(nduct
() done
subsection
theorem " c mdone
simp> \<lbrakk> x \<notin> set xs; Ref x\<noteq>t \<rbrakk> \<Longrightarrow>( ) iR=stkOk iLtxs
t : ; p : Nulljava.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
p <noteq> Null \<or> t \<noteq> Null \<and> \<not> t^.m
INV \existsstack
(S( Title cl(x: g)iL =stkOk iR applyapply auto)
=reachable
(\<forall>x. x \<in> R \<and> \<not>m x \<longrightarrow> \<comment> \<open>\<open>i4\<close>\<close> autoeq_sym_conv
x\<> reachablexs \<in> R) \<and> \<comment> \<open>\<open>i5\<close>\<close>
(\<forall>x. x \<notin> set stack \<longrightarrow> r x = iR x \<and> l x = iL x) \<and> \<comment> \<open>\<open>i6\<close>\<close>
(tkOk l iRtstack\<comment> \<open>\<open>i7\<close>\<close>}
DO IF t = DOIFt =Null THENp. THEN: ;t =p =p.;tELSE; =.;p.: ^
ELSE p. :=q ^c:= FI
l:;^ FI
.\<
ptheorem:
{\<forall>x. (x \<in> R) = m x) \<and> (r = iR \<and> l = iL) }"
( "Valid
(ml p .Preroot
( (applyjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11
( _ ( yblast proof List java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
java.lang.StringIndexOutOfBoundsException: Index 3 out of bounds for length 3 fixinv root( simp ) assume"?Pre c m l r root"
t"invcmlrNull (autosimp:addrs_defjava.lang.StringIndexOutOfBoundsException: Index 78 out of bounds for length 78 nextapply fixcm java.lang.StringIndexOutOfBoundsException: Index 21 out of bounds for length 21 "\stack. ?Inv stack" = "?inv c m l r t p"
(forall xjava.lang.StringIndexOutOfBoundsException: Range [146, 43) out of bounds for length 146 thenobtain stack where inv: "?Inv stack \stack. ?Inv stack" = "?inv c m l r t p" obtain stack lethave:t=.;.: .;\<>\<open>\<open>swing\<close>\<close> frompjava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 from pNull i1 have stackEmptyapplyp.:;p.=OD from tDisjjava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 4 fromi5 show next
p ot "\stack. ?Inv stack" = "?inv c m l r t p" let"\stack. ?popInv stack" = "?inv c m l (r(p \ t)) p (p^.r)" <exists>stack. ?swInv stack" =
java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 let<exists>stack. ?puInv stack" =
? ct\<rightarrow> False)) (m(t \<rightarrow> True)) (l(t \<rightarrow> p)) r (t^.l) t" (vcglet let"?ifB1" = "(t = "\<exists>stack. ?puInv stack" =
?"= p."
assume"(\stack.?Inv stack) \ ?whileB m t p" thenapply classical "I1 ?I2 \ ?I3 \ ?I4 \ ?I5 \ ?I6 \ ?I7" = "?Inv stack" fromhavei1I1 i2"I2thenobtainstackwhereinv"stack :? tp blast andfromhave:"I1 i2 ? and i3:"I3i4java.lang.StringIndexOutOfBoundsException: Index 69 out of bounds for length 69
a:"inv m tp\< java.lang.StringIndexOutOfBoundsException: Index 105 out of bounds for length 105
ssume " then obtain addr_p whe :" = byjava.lang.StringIndexOutOfBoundsException: Index 68 out of bounds for length 68 from whileB next then auto:restr_def r root
i1 stack_tl stack_eq) java.lang.StringIndexOutOfBoundsException: Index 77 out of bounds for length 77 with with i2 <.java.lang.StringIndexOutOfBoundsException: Range [32, 31) out of bounds for length 41 have: " ( let"" ="t= \<or> t^.m)" from java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 let"?poI1\ ?poI2\ ?poI3\ ?poI4\ ?poI5\ ?poI6\ ?poI7" = "?popInv stack_tl" proof
\comment from p_notin_stack_tl frominv" \java.lang.StringIndexOutOfBoundsException: Range [58, 28) out of bounds for length 58
ave " S prightarrow by(simp addbysimp:addr_p_eq, simp:S_def
moreover
[ule_format \<p \<java.lang.StringIndexOutOfBoundsException: Index 125 out of bounds for length 125 moreover(\<not>?ifB2 \<longrightarrow> (\<exists>stack.?swInv stack)) ) \<and>
\<comment> \<open>Everything is still reachable:\<close>
java.lang.StringIndexOutOfBoundsException: Index 46 out of bounds for length 46 let" let "?Rb let"?B" = "{p, p^ let "(R ?a ?java.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4 \comment<open>Our goal is \<open>R = reachable ?Rb ?B\<close>.\<close> haveRa proof show auto
(rule show"addrs ?Ajava.lang.StringIndexOutOfBoundsException: Index 4 out of bounds for length 4
introImage_iff]java.lang.StringIndexOutOfBoundsException: Index 65 out of bounds for length 65 show
stack_eqhave:" p set stack_tl" by simp
java.lang.StringIndexOutOfBoundsException: Index 15 out of bounds for length 15 showRjava.lang.StringIndexOutOfBoundsException: Index 36 out of bounds for length 36
roof still_reachable show stkOk_cons
( simp addr_p_eq
intro: intro:oneStep_reachable <subseteq> ?L"
show"\(x, y)\?Rb-?Ra. y\(?Ra\<^sup>*``addrs ?A)"
clarsimp)
fastforceadd Image_iff dest) qed :
java.lang.StringIndexOutOfBoundsException: Range [39, 10) out of bounds for length 13
c((x: ) iLb( relS_def moreover
\<java.lang.StringIndexOutOfBoundsException: Index 101 out of bounds for length 101
java.lang.StringIndexOutOfBoundsException: Index 106 out of bounds for length 106 let"?Rb" = moreover "B ="\>( ( <
comment let? ={,}
"x. x \ R \ \ m x \ x \ reachable ?Ra ?A" = ?I4 proof (rule still_reachable
avejava.lang.StringIndexOutOfBoundsException: Index 87 out of bounds for length 87 byshow?\subseteq?" show"addrs ?A \ ?Rb\<^sup>* `` (addrs ?B \ addrs ?T)" by ( "\(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``(addrs ?B \ addrs ?T))" by clarsimp: relS_def
(astforce add:rel_defapplyinduct
java.lang.StringIndexOutOfBoundsException: Index 9 out of bounds for length 4 \comment\<>We bring fromthe to left hence subsetbyapply induct
st have: " qed
(rule, impI fix x assume ajava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 have:^r \<or> (p^.r \<noteq> Null \<and> p^.r^.m)" using poI1 poI2
auto \<comment> \<open>\<^term>\<open>x\<close> belongs to the left hand side of @{thm[source] subset}:\<close>p=Null<comment> \<open>Our goal is \<open>\<forall>x. x \<in> R \<and> \<not> m x \<longrightarrow> x \<in> reachable ?Rb ?B\<close>.\<close> have incl: "x \ ?Ra\<^sup>*``addrs ?A" using a i4 by (simp only:reachable_def, clarsimp) have excl: " (rule, showaddrs?\<>?\` addrs Bjava.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83 \ java.lang.StringIndexOutOfBoundsException: Range [18, 13) out of bounds for length 51 \<comment> \<open>which corresponds to our goal.\<close>
exclx\<in> reachable ?Rb ?B" by (auto simp add:reachable_def)
java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 moreover
\<comment> \<open>If it is marked, then it is reachable\<close> from i5 haveTHEN= =p = pr ^r: q moreover
<omment from i6 have"forallx \ set stack_tl \ (r(p \ t)) x = iR x \ l x = iL x" by(uto simp stack_eq )
moreover
\<comment> \<open>If it is on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields can be reconstructed\<close>
p_notin_stack_tl have < \<open>\<^term>\<open>x\<close> belongs to the left hand side of @{thm[source] subset}:\<close> by( simp: addr_p_eq
ultimately?"byjava.lang.StringIndexOutOfBoundsException: Index 52 out of bounds for length 52 qed from
moreover
java.lang.StringIndexOutOfBoundsException: Index 6 out of bounds for length 0
java.lang.NullPointerException \<comment> \<open>we show fewer comments and use frequent pattern matching.\<close>
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7 \<comment> \<open>Swing arm\<close> assume : from ifB1 whileB have pNotNull p_notin_stack_tl java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 then addr_pultimately"opInv" poI6forall with i1 obtain stack_tl wherejava.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 with i2 from by <> \<open>Proofs of the Swing and Push arm follow.\<close> let"?swI1let "\stack. ?Inv stack" = "?inv c m l r t p" haveswInv proof -
openjava.lang.StringIndexOutOfBoundsException: Index 11 out of bounds for length 11 fromi1 invtjava.lang.StringIndexOutOfBoundsException: Index 99 out of bounds for length 99 have swI1 by (simp moreover
\<comment> \<open>Everything on the stack is marked:\<close>thenlet? and from i2\<comment> \<open>Swing arm\<close> have ?swI2
have"()usingjava.lang.StringIndexOutOfBoundsException: Range [51, 50) out of bounds for length 71
oofjava.lang.NullPointerException let have"?Ra\<^sup>* `` addrs ?A = ?Rb\<^sup>* `` addrs ?B" proof " ?A by(fastforceby( addaddr_p_eq : "=\ t^.m" and ifB2: "p^.c" next show" Everything on the stack is marked:\ byfastforce:addrs_def next showhavem_addr_pm"auto by (clarsimp Ra"="I3 next "\(x, y)\?Rb-?Ra. y\(?Ra\<^sup>*``addrs ?A)"
(simp fastforce add addrs_def"poI1\ ?poI2\ ?poI3\ ?poI4\ ?poI5\ ?poI6\ ?poI7" = "?popInv stack_tl" qed with fastforce:addrs_def addr_p_eq:oneStep_reachable java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0
addrs
bsimp stack_eq add)
\<comment> \<open>If it is reachable and not marked, it is still reachable using...\<close>
etforall>x. x \<in> R \<and> \<not> m x \<longrightarrow> x \<in> reachable ?Ra ?A" = ?I4 let<forall>x. x \<in> R \<and> \<not> m x \<longrightarrow> x \<in> reachable ?Rb ?B" = ?swI4 : "\ x \ set stack_tl. m x" by (simp add:stack_eq) let={" have"?Ra<^let( reachable ?Ra ?A" I3 proof still_reachablelet"="prjava.lang.StringIndexOutOfBoundsException: Range [32, 33) out of bounds for length 32 have rewrite
java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 show>\<open>Everything is still reachable:\<close> by (fastforce " A\java.lang.StringIndexOutOfBoundsException: Index 120 out of bounds for length 120 next show"\(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``(addrs ?B \ addrs ?T))"
rsimpsimp restr_deffastforce " A\java.lang.StringIndexOutOfBoundsException: Range [64, 63) out of bounds for length 63
java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 thenhave subset: "?Ra have rewrite: "(\s\set stack_tl. (r(addr p := l(addr p))) s = r s)"
blast have ?intro Image_iff iffD2 \forall"<>x )\?Rb-?Ra. y\(?Ra\<^sup>*``addrs ?A)"
( simprelS_def) (fastforcenext assumeqjava.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 with i4 addr_p_eq stack_eq have inc by :,java.lang.StringIndexOutOfBoundsException: Index 52 out of bounds for length 52 with ifB1"with3
exc: swI4
simpjava.lang.StringIndexOutOfBoundsException: Index 42 out of bounds for length 42 assume: in> R \<and>\<not> m x" by auto qed
simp:reachable_def)
\<comment> \<open>If it is marked, then it is reachable\<close>:"\java.lang.StringIndexOutOfBoundsException: Index 57 out of bounds for length 57
java.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17 have?" java.lang.StringIndexOutOfBoundsException: Index 24 out of bounds for length 24
over
\<comment> \<open>If it is not on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields are unchanged\<close> from i6 stack_eq have"?swI6" bynext moreover
ent <open>If it is on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields can be reconstructed\<close>: java.lang.StringIndexOutOfBoundsException: Index 13 out of bounds for length 13 from stackDist blast have"?wI7" by (clarsimp simp:addr_p_eq stack_eq)
ultimatelyshow ?thesis i4 stack_eq qed havejava.lang.NullPointerException
java.lang.StringIndexOutOfBoundsException: Index 7 out of bounds for length 7 moreover
{ \<comment> \<open>Push arm\<close> assume nifB1: "\?ifB1" fromd thenwhere addr_t_eq"kby blast with java.lang.StringIndexOutOfBoundsException: Index 14 out of bounds for length 14
<comment\<open>Push arm\<close> with "?puI1\?puI2\?puI3\?puI4\?puI5\?puI6\?puI7" = "?puInv new_stack" have"?puInv proof -
omment from i1 "" by ( moreover
\<comment> \<open>Everything on the stack is marked:\<close> stackDist nifB2 from i2 have puI2: "?puI2" by (simp add:new_stack_eq fun_upd_apply)
oreover
\<comment> \<open>Everything is still reachable:\<close> let" moreover "R=reachable? ?B"="?java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 fromjava.lang.StringIndexOutOfBoundsException: Range [17, 18) out of bounds for length 17 proof still_reachable_eq showby( simp addr_p_eq
by (simp add: next show java.lang.NullPointerException by(fastforce simp:addrs_def rel_defs addr_t_eq intro:oneStep_reachable Image_iff "R=reachable? ?A"\< next show"\(x, y)\?Ra-?Rb. y\(?Rb\<^sup>*``addrs ?B)"
( simp) addImage_iffrel_upd1 next show by (clarsimp simp
addrs\<subseteq> ?Ra\<^sup>* `` addrs ?A"
i3 haveb simpnext moreover
\<comment> \<open>If it is reachable and not marked, it is still reachable using...\<close> addrel_upd1 letfrom p_notin_stack_tl "\x. x \ R \ \ ?new_m x \ x \ reachable ?Rb ?B" = ?puI4
let?="t" haveRa>` Ajava.lang.StringIndexOutOfBoundsException: Range [0, 42) out of bounds for length 18 proof (rule still_reachablejava.lang.StringIndexOutOfBoundsException: Range [37, 38) out of bounds for length 17 show"addrs have have by ( m
ext show" let " reachable ? \<open>If it is reachable and not marked, it is still reachable using...\<close> by (clarsimp simp:relS_def let rule)
(fastforce java.lang.StringIndexOutOfBoundsException: Index 0 out of bounds for length 0 qed then fastforceaddrs_defself_reachable
blastshowjava.lang.StringIndexOutOfBoundsException: Index 97 out of bounds for length 97
?java.lang.StringIndexOutOfBoundsException: Index 20 out of bounds for length 20 proofqed fixnext assume aaddr_t addr_t_eq: : "t = Refclarsimp:)(simpadd
tNotNull proof (rule allI, rule impI with: java.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63 by (fastforce simpi3 have: " <> ?Rb\<^sup>*`` addrs ?T" using xDisj a n_m_addr_t by (clarsimp simp from inc \<comment> \<open>List property is maintained:\<close> "x. x \ R \ \ m x \ x \ reachable ?Ra ?A" = ?I4 qedby( add new_stack_eq add)let xDisjn_m_addr_t
java.lang.StringIndexOutOfBoundsException: Index 18 out of bounds for length 18
\<comment> \<open>If it is marked, then it is reachable\<close>
rom have?" byautoreachable_def:) moreover
\<comment> \<open>If it is not on the stack, then its \<^term>\<open>l\<close> and \<^term>\<open>r\<close> fields are unchanged\<close>simprestr_def addImage_iff dest fromjava.lang.StringIndexOutOfBoundsException: Index 17 out of bounds for length 17 have"puI6java.lang.StringIndexOutOfBoundsException: Index 22 out of bounds for length 22
simp moreover
java.lang.NullPointerException from( still_reachable have"?puI7"by (clarsimp "\java.lang.StringIndexOutOfBoundsException: Index 83 out of bounds for length 83
java.lang.StringIndexOutOfBoundsException: Index 41 out of bounds for length 41 qed thenhave"\stack. ?puInv stack" by blast