Quelle  Hoare_Total_EX2.thy

(* Author: Tobias Nipkow *)

subsubsection "Hoare Logic for Total Correctness With Logical Variables"

theory Hoare_Total_EX2
imports Hoare
begin

text‹This is the standard set of rules that you find in many publications.
 In the while-rule, a logical variable is needed to remember the pre-value
 of the variant (an expression that decreases by one with each iteration).
 In this theory, logical variables are modeled explicitly.
 A simpler (but not quite as flexible) approach is found in theory ‹Hoare_Total_EX›:
pre and post-condition are connected via a universally quantified HOL variable.›

type_synonym lvname = string
type_synonym assn2 = "(lvname ==> nat) ==> state ==> bool"

definition hoare_tvalid :: "assn2 ==> com ==> assn2 ==> bool"
  (‹⊨🪙t {(1_)}/ (_)/ {(1_)}› 50) where
"⊨🪙t {P}c{Q} ⟷ (∀l s. P l s ⟶ (∃t. (c,s) ==> t ∧ Q l t))"

inductive
  hoaret :: "assn2 ==> com ==> assn2 ==> bool" (‹⊨🪙t ({(1_)}/ (_)/ {(1_)})› 50)
where

Skip:  "⊨🪙t {P} SKIP {P}"  |

Assign:  "⊨🪙t {λl s. P l (s[a/x])} x::=a {P}"  |

Seq: "[ ⊨🪙t {P🪙1} c🪙1 {P🪙2}; ⊨🪙t {P🪙2} c🪙2 {P🪙3} ] ==> ⊨🪙t {P🪙1} c🪙1;;c🪙2 {P🪙3}" |

If: "[ ⊨🪙t {λl s. P l s ∧ bval b s} c🪙1 {Q}; ⊨🪙t {λl s. P l s ∧ ¬ bval b s} c🪙2 {Q} ]
  ==> ⊨🪙t {P} IF b THEN c🪙1 ELSE c🪙2 {Q}" |

While:
  "[ ⊨🪙t {λl. P (l(x := Suc(l(x))))} c {P};
     ∀l s. l x > 0 ∧ P l s ⟶ bval b s;
     ∀l s. l x = 0 ∧ P l s ⟶ ¬ bval b s ]
   ==> ⊨🪙t {λl s. ∃n. P (l(x:=n)) s} WHILE b DO c {λl s. P (l(x := 0)) s}" |

conseq: "[ ∀l s. P' l s ⟶ P l s; ⊨🪙t {P}c{Q}; ∀l s. Q l s ⟶ Q' l s ] ==>
           ⊨🪙t {P'}c{Q'}"

text‹Building in the consequence rule:›

lemma strengthen_pre:
  "[ ∀l s. P' l s ⟶ P l s; ⊨🪙t {P} c {Q} ] ==> ⊨🪙t {P'} c {Q}"
by (metis conseq)

lemma weaken_post:
  "[ ⊨🪙t {P} c {Q}; ∀l s. Q l s ⟶ Q' l s ] ==> ⊨🪙t {P} c {Q'}"
by (metis conseq)

lemma Assign': "∀l s. P l s ⟶ Q l (s[a/x]) ==> ⊨🪙t {P} x ::= a {Q}"
by (simp add: strengthen_pre[OF _ Assign])

text‹The soundness theorem:›

theorem hoaret_sound: "⊨🪙t {P}c{Q} ==> ⊨🪙t {P}c{Q}"
proof(unfold hoare_tvalid_def, induction rule: hoaret.induct)
  case (While P x c b)
  have "[ l x = n; P l s ] ==> ∃t. (WHILE b DO c, s) ==> t ∧ P (l(x := 0)) t" for n l s
  proof(induction "n" arbitrary: l s)
    case 0 thus ?case using While.hyps(3) WhileFalse
      by (metis fun_upd_triv)
  next
    case Suc
    thus ?case using While.IH While.hyps(2) WhileTrue
      by (metis fun_upd_same fun_upd_triv fun_upd_upd zero_less_Suc)
  qed
  thus ?case by fastforce
next
  case If thus ?case by auto blast
qed fastforce+


definition wpt :: "com ==> assn2 ==> assn2" (‹wp🪙t›) where
"wp🪙t c Q = (λl s. ∃t. (c,s) ==> t ∧ Q l t)"

lemma [simp]: "wp🪙t SKIP Q = Q"
by(auto intro!: ext simp: wpt_def)

lemma [simp]: "wp🪙t (x ::= e) Q = (λl s. Q l (s(x := aval e s)))"
by(auto intro!: ext simp: wpt_def)

lemma wpt_Seq[simp]: "wp🪙t (c🪙1;;c🪙2) Q = wp🪙t c🪙1 (wp🪙t c🪙2 Q)"
by (auto simp: wpt_def fun_eq_iff)

lemma [simp]:
 "wp🪙t (IF b THEN c🪙1 ELSE c🪙2) Q = (λl s. wp🪙t (if bval b s then c🪙1 else c??2) Q l s)"
by (auto simp: wpt_def fun_eq_iff)


text‹Function ‹wpw› computes the weakest precondition of a While-loop
that is unfolded a fixed number of times.›

fun wpw :: "bexp ==> com ==> nat ==> assn2 ==> assn2" where
"wpw b c 0 Q l s = (¬ bval b s ∧ Q l s)" |
"wpw b c (Suc n) Q l s = (bval b s ∧ (∃s'. (c,s) ==> s' ∧ wpw b c n Q l s'))"

lemma WHILE_Its:
  "(WHILE b DO c,s) ==> t ==> Q l t ==> ∃n. wpw b c n Q l s"
proof(induction "WHILE b DO c" s t arbitrary: l rule: big_step_induct)
  case WhileFalse thus ?case using wpw.simps(1) by blast
next
  case WhileTrue show ?case
    using wpw.simps(2) WhileTrue(1,2) WhileTrue(5)[OF WhileTrue(6)] by blast
qed

definition support :: "assn2 ==> string set" where
"support P = {x. ∃l1 l2 s. (∀y. y ≠ x ⟶ l1 y = l2 y) ∧ P l1 s ≠ P l2 s}"

lemma support_wpt: "support (wp🪙t c Q) ⊆ support Q"
by(simp add: support_def wpt_def) blast


lemma support_wpw0: "support (wpw b c n Q) ⊆ support Q"
proof(induction n)
  case 0 show ?case by (simp add: support_def) blast
next
  case Suc
  have 1: "support (λl s. A s ∧ B l s) ⊆ support B" for A B
    by(auto simp: support_def)
  have 2: "support (λl s. ∃s'. A s s' ∧ B l s') ⊆ support B" for A B
    by(auto simp: support_def) blast+
  from Suc 1 2 show ?case by simp (meson order_trans)
qed

lemma support_wpw_Un:
  "support (%l. wpw b c (l x) Q l) ⊆ insert x (UN n. support(wpw b c n Q))"
using support_wpw0[of b c _ Q]
apply(auto simp add: support_def subset_iff)
apply metis
apply metis
done

lemma support_wpw: "support (%l. wpw b c (l x) Q l) ⊆ insert x (support Q)"
using support_wpw0[of b c _ Q] support_wpw_Un[of b c _ Q]
by blast

lemma assn2_lupd: "x ∉ support Q ==> Q (l(x:=n)) = Q l"
by(simp add: support_def fun_upd_other fun_eq_iff)
  (metis (no_types, lifting) fun_upd_def)

abbreviation "new Q ≡ SOME x. x ∉ support Q"

lemma wpw_lupd: "x ∉ support Q ==> wpw b c n Q (l(x := u)) = wpw b c n Q l"
by(induction n) (auto simp: assn2_lupd fun_eq_iff)

lemma wpt_is_pre: "finite(support Q) ==> ⊨🪙t {wp🪙t c Q} c {Q}"
proof (induction c arbitrary: Q)
  case SKIP show ?case by (auto intro:hoaret.Skip)
next
  case Assign show ?case by (auto intro:hoaret.Assign)
next
  case (Seq c1 c2) show ?case
    by (auto intro:hoaret.Seq Seq finite_subset[OF support_wpt])
next
  case If thus ?case by (auto intro:hoaret.If hoaret.conseq)
next
  case (While b c)
  let ?x = "new Q"
  have "∃x. x ∉ support Q" using While.prems infinite_UNIV_listI
    using ex_new_if_finite by blast
  hence [simp]: "?x ∉ support Q" by (rule someI_ex)
  let ?w = "WHILE b DO c"
  have fsup: "finite (support (λl. wpw b c (l x) Q l))" for x
    using finite_subset[OF support_wpw] While.prems by simp
  have c1: "∀l s. wp🪙t ?w Q l s ⟶ (∃n. wpw b c n Q l s)"
    unfolding wpt_def by (metis WHILE_Its)
  have c2: "∀l s. l ?x = 0 ∧ wpw b c (l ?x) Q l s ⟶ ¬ bval b s"
    by (simp cong: conj_cong)
  have w2: "∀l s. 0 < l ?x ∧ wpw b c (l ?x) Q l s ⟶ bval b s"
    by (auto simp: gr0_conv_Suc cong: conj_cong)
  have 1: "∀l s. wpw b c (Suc(l ?x)) Q l s ⟶
                  (∃t. (c, s) ==> t ∧ wpw b c (l ?x) Q l t)"
    by simp
  have *: "⊨🪙t {λl. wpw b c (Suc (l ?x)) Q l} c {λl. wpw b c (l ?x) Q l}"
    by(rule strengthen_pre[OF 1
          While.IH[of "λl. wpw b c (l ?x) Q l", unfolded wpt_def, OF fsup]])
  show ?case
  apply(rule conseq[OF _ hoaret.While[OF _ w2 c2]])
    apply (simp_all add: c1 * assn2_lupd wpw_lupd del: wpw.simps(2))
  done
qed

theorem hoaret_complete: "finite(support Q) ==> ⊨🪙t {P}c{Q} ==> ⊨🪙t {P}c{Q}"
apply(rule strengthen_pre[OF _ wpt_is_pre])
apply(auto simp: hoare_tvalid_def wpt_def)
done


text ‹Two examples:›

lemma "⊨🪙t
{λl s. l ''x'' = nat(s ''x'')}
 WHILE Less (N 0) (V ''x'') DO ''x'' ::= Plus (V ''x'') (N (-1))
{λl s. s ''x'' ≤ 0}"
apply(rule conseq)
prefer 2
 apply(rule While[where P = "λl s. l ''x'' = nat(s ''x'')" and x = "''x''"])
   apply(rule Assign')
   apply auto
done

lemma "⊨🪙t
{λl s. l ''x'' = nat(s ''x'')}
 WHILE Less (N 0) (V ''x'')
 DO (''x'' ::= Plus (V ''x'') (N (-1));;
    (''y'' ::= V ''x'';;
     WHILE Less (N 0) (V ''y'') DO ''y'' ::= Plus (V ''y'') (N (-1))))
{λl s. s ''x'' ≤ 0}"
apply(rule conseq)
prefer 2
 apply(rule While[where P = "λl s. l ''x'' = nat(s ''x'')" and x = "''x''"])
   defer
   apply auto
apply(rule Seq)
 prefer 2
 apply(rule Seq)
  prefer 2
  apply(rule weaken_post)
   apply(rule_tac P = "λl s. l ''x'' = nat(s ''x'') ∧ l ''y'' = nat(s ''y'')" and x = "''y''" in While)
     apply(rule Assign')
     apply auto[4]
 apply(rule Assign)
apply(rule Assign')
apply auto
done

end